Good example. It’s true that even a GET request not designed to mutate data might still fail to validate input, allowing a SQL injection attack or other attack that escalates to the privileges that the running app has.
Immich has a whole set of end-to-end automated tests to ensure they don’t accidentally make public any URLs they want to be private:
https://github.com/immich-app/immich/tree/main/e2e/src/api/specs
As a popular open source project, that would be a glaring security hole.
Using this proxy puts the trust in a far less popular project with fewer eyeballs on it, and introduces new risks that the author’s GitHub account is hacked or there’s a vulnerability in the supply chain of this Docker container.
It’s also not true that you “never need to touch it again”. It’s based on Node, whose security updates expire every two years. A new image should be built at least every two years to keep up to date with the latest Node security updates, which have often been in their HTTP/HTTPS protocol implementations, so they affect a range of Node apps directly exposed to the internet.
Yes, there are broken uses of the HTTP protocol verbs where filtering to GET won’t work.
A simpler way to protect a private service with a reverse proxy is to only forward HTTP GET requests and only for specific paths.
It’s extremely difficult to attack a service with only GET requests.
The security of which URLs are accessible without authentication would be up to Immich.
Although, if I have my own Amazon referral link in my blog post and they replace the referral code in their feed, I would not be happy about that.
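The GET-only, allow-listed-paths approach described above, as an added example that is not the commenter's code nor Immich's or the proxy project's: a minimal Python reverse proxy that forwards only GET requests whose path starts with an assumed set of prefixes to an assumed upstream address, and rejects every other method or path. The `ALLOWED_PREFIXES` values and the `UPSTREAM` address are assumptions chosen for illustration.

```python
"""Allow-list reverse proxy: only GET on explicit path prefixes is forwarded.
Added illustration; UPSTREAM and ALLOWED_PREFIXES are assumed values."""
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit
import urllib.error
import urllib.request

UPSTREAM = "http://127.0.0.1:2283"  # assumed address of the private service
ALLOWED_PREFIXES = ("/api/shared-links/", "/api/assets/")  # assumed public paths


def is_allowed(method: str, target: str) -> bool:
    """Return True only for a GET whose path sits under an allow-listed prefix.

    HTTP methods are case-sensitive, so 'get' is not 'GET'. Absolute-form
    targets (scheme or host present), dot segments and backslashes are
    rejected outright rather than normalised, so nothing ambiguous reaches
    the upstream router.
    """
    if method != "GET":
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return False
    path = parts.path
    if ".." in path or "\\" in path or not path.startswith("/"):
        return False
    return any(path.startswith(prefix) for prefix in ALLOWED_PREFIXES)


class GetOnlyProxy(BaseHTTPRequestHandler):
    """Forwards allow-listed GETs; answers 404/405 for everything else."""

    def _reject(self, code: int) -> None:
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self) -> None:
        if not is_allowed("GET", self.path):
            self._reject(404)  # hide the existence of non-public paths
            return
        req = urllib.request.Request(UPSTREAM + self.path, method="GET")
        # Only a few benign headers cross the boundary; cookies and
        # Authorization from the client are deliberately not forwarded.
        for name in ("Accept", "Range", "If-None-Match"):
            if name in self.headers:
                req.add_header(name, self.headers[name])
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                status, headers, body = resp.status, resp.getheaders(), resp.read()
        except urllib.error.HTTPError as err:
            status, headers, body = err.code, err.headers.items(), err.read()
        except urllib.error.URLError:
            self._reject(502)
            return
        self.send_response(status)
        for key, value in headers:
            if key.lower() in ("content-type", "etag", "cache-control"):
                self.send_header(key, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    # Explicit 405 for the common mutating verbs; BaseHTTPRequestHandler
    # already answers 501 for any verb without a do_<METHOD> handler.
    def _method_not_allowed(self) -> None:
        self._reject(405)

    do_POST = do_PUT = do_PATCH = do_DELETE = do_OPTIONS = _method_not_allowed


if __name__ == "__main__":
    # Bind to loopback for a local trial; a real deployment sits behind TLS.
    ThreadingHTTPServer(("127.0.0.1", 8080), GetOnlyProxy).serve_forever()
```

Because the handler dispatches on the method name, anything not explicitly allowed falls through to a 4xx/5xx without ever opening a connection to the upstream, which is the property the comment relies on; the path allow-list, not the method filter, is what decides which parts of the service become reachable.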
They could be injecting their own ads or affiliate links into the content.
For example, if a post links to Amazon.
I have not looked at the source code.
Watching history repeat itself.
Date pickers that assume you have a 5 digit birth year.
Have you tried doing CAD work on a phone or iPad over a Remote Desktop connection?
Seems unpleasant enough to drive someone to buy a proper laptop to travel with.
If you don’t have a proper computer, how will you access this remote server to do your CAD work?
I imagine BitWarden is sufficiently good. The big leap in security comes from having no password manager to a decent password manager.
LastPass does not seem as serious about security so it doesn’t meet my personal bar for decency.
LastPass doesn’t have your password, so it can’t be stolen during a breach.
But 1Password goes a step further, also requiring a “secret key”, which also can’t be stolen.
https://support.1password.com/secret-key-security/
Even if an attacker manages to steal your encrypted data from 1Password and also guess your master password, they still can’t access your data without a secret key.
For that reason, your 1Password account is more likely to be compromised through your own device, not their server. And if your own devices are thoroughly compromised, no password manager can save you— the attacker can potentially grab all you type and see all you see.
I evaluated both BitWarden and 1Password for work and 1Password generally won across the board.
If you host yourself make sure backups are rock solid and regularly monitored and tested. Have a plan for your infrastructure being down or compromised.
1Password’s security model guards against this. Even if they are breached, your passwords cannot be decrypted.
You are more likely to screw up your own backups and hosting security than they are.
You could likely have a free initial meeting with a lawyer to confirm a law had been broken and get a general idea of their fees and your odds of success.
Sounds like it would be your brother’s word against the public defenders. Sounds tough.
Yes, you could file paperwork for a lawsuit. Affording the legal help and winning the suit are different matters.
They are common among US tea drinkers, but coffee seems more popular.
I like to manage services maximally with systemd so it was a natural fit for me.
It did not seem difficult to set up web and database quadlets so they are properly networked.
I tried a USB KVM switcher. I only recall there were serious issues and it didn’t last long.
Now I use a high quality USB dock and physically unplug/re-plug a work and personal laptop. That’s been a simple and reliable solution.
For my home server, I ssh into it.
I discovered this more than a year ago, but Fuzzel.
I just wrote about the new release here:
https://mark.stosberg.com/feature-packed-app-launcher-and-fuzzer/
After Ubuntu for many years I switched to Arch because they packaged a number of things I wanted that Ubuntu did not.
If you are happy with Ubuntu stick with that. I have friends and family that use it and it’s fine.