BuoyantCitrus

joined 2 years ago
[–] BuoyantCitrus 4 points 2 years ago

It seems like the attack surface is limited to RF (bluetooth/wifi can be turned off if one is willing to make that compromise), app install (many just use a small selection of well-trusted apps), and messaging/browser which are regularly updated if the device is properly configured. Apps that aren't pulling in random untrusted content are far less of an attack vector (e.g. one's bank app isn't connecting to everything, just to the bank, Pinterest is hopefully escaping user content, etc.)

Based on helpful details at the other thread (e.g. Project Mainline, baseband isolation) I’m beginning to form the opinion that it is not unreasonably foolhardy for someone to continue to use an unsupported device if they are willing to make the compromises necessary to limit their exposure. Which wouldn't necessarily mean "giving up bluetooth entirely", just not using it when you're in bluetooth range of an untrustworthy party, e.g. if you just use your headset to make zoom calls at home and are fine not having it on the subway.

Thanks for the reply. Definitely appreciate the point that lacklustre updates mean we need to pay attention even if we're vaguely covered by our vendor. I think you've convinced me to subscribe to CVEs for Android too; I've only had alerts for my browser. Really too bad they don't make smaller Pixels.

[–] BuoyantCitrus 6 points 2 years ago (2 children)

I don’t think they are things that can be fixed on the app level?

Indeed not. So I'm trying to better understand how vulnerabilities at the system level are exploited. It seems like the attack surface is limited to RF (bluetooth/wifi can be turned off if one is willing to make that compromise), app install (many just use a small selection of well-trusted apps), and messaging/browser which are regularly updated if the device is properly configured.

Based on this thread I'm beginning to form the opinion that it is not unreasonably foolhardy for someone to continue to use an unsupported device if they are willing to make the compromises necessary to limit their attack surface.

[–] BuoyantCitrus 11 points 2 years ago (3 children)

Thanks, that's encouraging and very relevant. Looks like it was introduced in Android 10 and aside from "Project Mainline" is referred to as "modular system components": https://source.android.com/docs/core/ota/modular-system

Can you shed more light on what someone would be risking by continuing to use an EOL device? You say you don't advise it, but it'd be helpful to elaborate on why.

It seems like the increased vulnerability would be relatively limited: I presume the browser and messaging are by far the most common vectors and those would be as up to date as ever but I can see how exploiting an unpatched vuln there on an unsupported device could have more impact as it would give more options for privilege escalation.

Otherwise it'd be something RF based. Aside from widely publicised things like BlueBorne (that we should be keeping an eye out for anyway), is it a reasonable concern that there are identity theft rings employing people with modified hardware wandering around subway systems trying to exfiltrate credentials from devices with specific vulnerable basebands? Seems like Android also offers some defence in depth there that'd make it unlikely enough to ensure it wouldn't be worth their while?

There are a few technologically disinterested people in my life that I advise (as is no doubt the case for many here) and I don't know how strongly to push for them to get new devices once theirs fall out of support. Most of them are quite content with what they're using and are not in the habit of installing apps (and will reliably ask me first) so they really would be replacing the device solely for the updates. In some cases it's not only the time and effort to decide on a replacement and get things transferred over but the expense can also be a burden. So I don't want to raise the alarm lightly.

[–] BuoyantCitrus 1 points 2 years ago (2 children)

Good point! And ya, when I open uMatrix on a comment thread I see a whole menagerie of instances serving me images, and I guess that goes for the profile image too.

But I find that somehow less concerning as they just know "someone at this IP viewed this thread containing these images" than "the user at this IP wrote this comment (or post)".

Hmmm, but if DMs allow images and they work like this, a user with their own instance who wants to know which IP wrote a comment could perhaps send a message to the author with a unique image...

[–] BuoyantCitrus 1 points 2 years ago

Thanks for the succinct summary!

[–] BuoyantCitrus 3 points 2 years ago (2 children)

Aren't you sorta trusting whoever wrote any package you install with root? I mean, you should have that attitude anyhow as packages have a huge attack surface so privilege escalation bugs are way more common than remote execution but still, flatpak and snap at least offer a bit of a sandbox which might improve...

[–] BuoyantCitrus 5 points 2 years ago (1 children)

I've enjoyed runbox.com for years but don't think they offer catch-all, at least not when I last checked. You might look at mxroute.com, I heard about it later and might have gone with them first and they somehow seem more likely to support that.

[–] BuoyantCitrus 2 points 2 years ago (1 children)

Basically it seems riskier--my understanding was that small caps have a higher volatility which fits my intuition that on top of the additional risk for smaller businesses, a cap-weighted small-cap index like VB is going to get caught up in random faddish shenanigans like GME. I did consider "factor" funds that try to compensate for that like AVSC but wasn't confident it'd be worth the higher MER.

Whereas an equal-weight S&P 500 looks like a bit of a mid-cap tilt and a bit of a value tilt but generally more conservative than funds weighted that way in earnest.

[–] BuoyantCitrus 1 points 2 years ago (1 children)

Heh, I think that's a bit of a false dichotomy. What about the option I refer to above, e.g. two ETFs: VGRO and RSP, i.e. at no point did I ever contemplate balancing 500 equities:

I’m probably going to use an equal-weight ETF like RSP or EUSA for this portion

[–] BuoyantCitrus 1 points 2 years ago

The thumbnail and title both link to that (e.g. it's a link post rather than a text post), but ya I probably should have also linked it inline in the body text.

[–] BuoyantCitrus 4 points 2 years ago (1 children)

Hi! Thanks for getting this going, I looked for it a few weeks ago but no one had made a similar community yet (e.g. nothing like r/PersonalFinanceCanada nor r/CanadianInvestor). So for my ETF question I created [email protected] to have at least a placeholder for people wondering where to post such content here but did approximately zero to promote it or populate it with content, which worked out like you'd expect. I didn't even pick a funny image for the sidebar.

So I wonder if I should just close that rather than fragment what might be a fairly limited community? Or is it worth having separate subs as they are different yet related topics---at least on Reddit I preferred to subscribe to the investing one as that was my primary interest and PFC is quite a high traffic sub with a lot of questions not relevant to my lifestyle (e.g. I have no car, real estate, insurance, children and no specific plans to acquire them).

[–] BuoyantCitrus 8 points 2 years ago (1 children)

Just because we want thoughtful regulation does not mean we support Meta and Alphabet. Why is this fascinating or surprising? Do you think the EFF is a huge fan of link taxes or Facebook?


Noticed this community and it happens to be well timed: my smoke detector says it's too old. Assuming I should trust it on that, what should I replace it with? I've no wiring for those so am looking for the usual battery operated standalone one. Or it pretty much doesn't matter, they all work about as well?


I'm trying to follow conventional wisdom and have more and more of our portfolio as straight up VGRO but want some more US exposure (though I am aware there are arguments in favour of a home-country bias). I was also interested in picking a USD fund as not only do they tend to have a lower MER but also get an extra boost from withholding tax exemption if I hold them in an RRSP.

An S&P 500 fund seems the way to go, but it seems awfully slanted towards giant tech megacaps. Apple alone is over 7% of VOO. With a P/E over 31 it's hard for me to feel like there's not extra risk with the concentration here--is it really such a safe bet to think the largest company in the world has that much more growth ahead of it? And VGRO already has a solid chunk of cap-weighted exposure.

And so, after my inexpert research failed to dissuade me, I'm probably going to use an equal-weight ETF like RSP or EUSA for this portion---there are no penny stocks on the S&P 500 and it doesn't seem to perform much worse (and indeed better depending how far back you test). At this point I'm more comfortable with either of those than VOO and will probably do this just for the irrational psychology, but I do wish there was something that combines an equal weighting with a screen for quality (something like SPHQ) as a big drawback seems like for as much concentration risk as it avoids it also keeps rebalancing more and more into failing companies as they crash and burn.

Anyone else subscribe to a similar reasoning and incorporate an equal weight fund into the passive portion of your portfolio? Which one did you go with?


One silver lining of the pandemic was that the city opened up some public space so we had more options for hanging out. While I'm not a fan of fine dining with a backed up lane of traffic idling a few feet away this was one patio I really enjoyed---for the last 3 years it was in an otherwise quiet and underused alley with plenty of room for service vehicles to still get by.

But ...apparently because some patios in laneways got in the way they've just decided to cancel all of them this year? And I think they're also charging way more in general? Sucks, this was exactly the kind of thing we need more of, not less. We're already so isolated.


I noticed that Jerboa didn't seem to switch to a different site the way Relay passed through to Reddit so I could log in and link it via OAuth. From that I take it that when I authenticate in Jerboa I'm entrusting it with the cleartext password for my Lemmy account, which it's storing on my phone?

I'm sorta okay with that, especially for now (e.g. alpha), so I proceeded with things, but maybe it should be more clear up front that's what's happening? And really, any of the other apps could probably have faked that OAuth page anyhow, so it's dubious whether you were really trusting the app all that much less in that case.

However, one thing OAuth had going for it was that it would make it a lot harder for someone who steals my phone to permanently take control of my Reddit account, whereas they could extract my password from Jerboa and use it to take over my Lemmy account?


Could be worth making an extra effort if you're expecting a refund, especially with interest rates higher these days.
