I changed my mkinitcpio hook from the busybox initencrypt to systemd init sd-encrypt to help with this, as it presents a different way to unlock a LUKS partition. Be sure to read the notes about sd-vconsole if you use this hook. Your mileage may vary since im not sure which OS you’re on.

https://wiki.archlinux.org/title/Mkinitcpio#Common_hooks

I can think of some commercial audio processors that can help with that, but they are super pricey.

I can’t think of a linux application that has this capability. If there is something out there that offers AEC (acoustic echo cancellation) on linux with two mic inputs, id also be interested.

One way to help with this as far as inexpensive hardware is to make sure you’re using cardioid dynamic microphones, and not omnidirectional condenser microphones. Cardioid dynamic mics generally pick up audio directionally, like from the “front”. You have to be right up on the mic in order to have it record any type of audio. They generally wont pick up environmental sound from anything more than a few feet away. You can just point them away from noise you don’t want to pick up.

TPM has solved this now for more than a decade.

Verified boot + TPM encryption key storage is a huge layer of protection for the boot process.

Check out the Arch wiki for TPM. It has some good reading.

https://wiki.archlinux.org/title/Trusted_Platform_Module

Its one or the other. Either Google Play Services will push notifications, or the apps have to have the ability to handle push notifications on their own (which isn’t common).

Google Play Services can be sandboxed in GrapheneOS, but there isn’t an open source Google Play Services since its not included in AOSP. It is very much a proprietary blob.

I think once you give your IP to the satellite, the deapsea cables will start tracking all jellyfin packets

During those rare times that you boot into Windows 11, go ahead and update it.

I wouldn’t go out of your way and boot into it for the sole purpose of keeping it updated tho.

You need VLANs if you want separate networks on the SAME router. But if you have separate routers, then you don’t need VLANs.

You will need two wireless access points. If the router you mentioned has two wireless access points built in, then just set one to connect to the shared network, and the other will act as an AP for your private network. Then the router can be configured to send WAN traffic out of the shared network AP.

If you use a router that only has a single AP built in, then you will need to purchase and additional AP to plug into one of your router’s LAN ports so that it has two total.

Some routers might have the ability to create multiple wireless networks on one router, but be sure the hardware can handle the load. I know my ubiquity UDR can create up to 5 wireless networks on that single device before you run into performance issues.

Honestly, if you’re using your own router, you won’t need to worry about VLANs as long as your router separates your private network from the shared one.

For example, if the shared network is 192.168.0.0/24, you can make your private network 192.168.5.0/24 and have your router’s firewall block incoming traffic from 192.168.0.0/24. Only allow WAN traffic out, and allow return traffic.

Then have your router or connected server act as the authoritative DNS and DHCP servers for the 192.168.5.0/24 private network.

One wireless AP will be used in client mode to connect to the 192.168.0.0/24 shared network. The other wireless AP will be used as an access point for other devices to connect to the 192.168.5.0/24 private network.

Is it on the Arch User Repository?

Seeing as RCS with encryption based on the MLS standard hasnt been deployed yet, can you show exactly what metadata is leaking?

Actually RCS has encryption in the new spec now, and we could see encrypted RCS messages implemented on iOS and Android within a year.

But even so, use Signal.

Not entirely true. There is other sandbox software out there (such as firejail, distrobox, docker, chroot, any VM products, etc) although they should also be cautious about claiming to be more secure. Flatpak, however, is not considered a sandbox by some.

Care to explain?

If your distro doesn’t work unless you use Flatpaks, then stick to flatpaks ig. Its your system.

There are quite a few reasons to avoid flatpaks tbh.

• You have no control over the dependencies. A flatpack can include a very old dependency and there is nothing you can do about it. You are at the mercy of the developer.

• Many Flatpak applications available on flathub are not effectively sandboxed by default. Do not rely on the provided process isolation without first reviewing the related flatpak permission manifest for common sandbox escape issues.

• Running untrusted code is never safe; sandboxing cannot change this. It can be a false sense of security.

• It is generally not a good idea to run unattended updates via systemd, as the applications can get new permissions without the user aware of the changes. See this blogpost for examples

• Flatpak does not run on the linux-hardened kernel unless you do additional kernel modifications that could have negative security implications.

What are the benefits of flatpacks? Like why not just install the actual Tor browser on your system? The one that is released and maintained by The Tor Project?

[edit] Looks like the Tor Project does support this flatpack. Im a silly goose.

Good.

Tor Browser and Mullvad browser also do this.

And technically the key file can just be a plain text password and still work. Just as long as the key file matches the drive’s encryption password.

If its encrypted, you can also decrypt the drive automatically once booted by adding an entry in /etc/crypttab

This will make it so you don’t have to type the password.

You can use their RSS feeds to avoid a lot of their tracking.