10
Do you know about the one for healthcare on the 25th?
Really appreciate you taking the time to write that. I have a sense of most of that ("defense in depth" and "threat model" are good lenses to think about such things through for sure!) but what I was trying to get a better grasp on was how much risk from automated attack was a normal person without worries of an "advanced persistent threat" taking on by using a device past EOL. Like you say, "Quantifying how much of a difference it makes is not trivial" so I feel less conflicted to know that you're comfortable with your dad taking that risk.
I would think that the main thing at stake for a typical user isn't just browsing history or email though but rather identity theft since a successful attacker can use the device to get through 2FA.
It seems like the attack surface is limited to RF (bluetooth/wifi can be turned off if one is willing to make that compromise), app install (many just use a small selection of well-trusted apps), and messaging/browser which are regularly updated if the device is properly configured. Apps that aren't pulling in random untrusted content are far less of an attack vector (eg. one's bank app isn't connecting to everything, just to the bank, pinterest is hopefully escaping user content, etc.)
Based on helpful details at the other thread (eg. Project Mainline, baseband isolation) I’m beginning to form the opinion that it is not unreasonably foolhardy for someone to continue to use an unsupported device if they are willing to make the compromises necessary to limit their exposure. Which wouldn't necessarily mean "giving up bluetooth entirely", just not using it when you're in bluetooth range of an untrustworthy party eg. if you just use your headset to make zoom calls at home and are fine not having it on the subway.
Thanks for the reply. Definitely appreciate the point that lacklustre updates mean we need to pay attention even if we're vaguely covered by our vendor. I think you've convinced me to subscribe to CVEs for android too, I've only had alerts for my browser. Really too bad they don't make smaller Pixels.
I don’t think they are things that can be fixed on the app level?
Indeed not. So I'm trying to better understand how vulnerabilities at the system level are exploited. It seems like the attack surface is limited to RF (bluetooth/wifi can be turned off if one is willing to make that compromise), app install (many just use a small selection of well-trusted apps), and messaging/browser which are regularly updated if the device is properly configured.
Based on this thread I'm beginning to form the opinion that it is not unreasonably foolhardy for someone to continue to use an unsupported device if they are willing to make the compromises necessary to limit their attack surface.
Aren't you sorta trusting whoever wrote any package you install with root? I mean, you should have that attitude anyhow as packages have a huge attack surface so privilege escalation bugs are way more common than remote execution but still, flatpak and snap at least offer a bit of a sandbox which might improve...
I've enjoyed runbox.com for years but don't think they offer catch-all, at least not when I last checked. You might look at mxroute.com, I heard about it later and might have gone with them first and they somehow seem more likely to support that
I did, because it tries to regulate merely linking to content, something I consider absurd. What I did not say is that it is "ridiculous to ask them to share some of the profit they make from Canadian work with Canada". So I responded as such. I'm not terribly interested in engaging with someone who puts words in my mouth. If you're curious for more of my thoughts on this topic, I intend to respond to the interesting comment by @StaggersAndJags@kbin.social when I have time to be more thoughtful.
The Local has been doing a series of long form articles on candidates:
- Where Has Olivia Chow Been?
- The Chief Concern with Mark Saunders
- The Transformation of Josh Matlow
- Who is Ana Bailão? Depends Who You Ask
They also have a collection of short bios on a broader list of candidates.
Interesting, looks like we are successfully getting more skilled immigrants. Apparently new Canadians are more likely to be employed than people born here (a recent development, see chart 1) and increasingly in better positions. Which makes sense, it's expensive to live here and hard to immigrate, no point bothering with all that just to work in a hotel:
However, other industries, such as food & accommodation and other personal services, have seen little-to-no increase in the numbers of new immigrants in the workforce, which may have contributed to higher-than-average vacancy rates in these areas.
...which also means that the service sector is going to have to pay more, seems like they can't just hope someone will show up willing to work for what they're offering.
I think part of it is the city is pretty much going broke at this point, has no mayor, and the premier has a grudge against it. So unfortunately it makes some sense the patio stuff is understaffed and haphazard. Sad though, it has been a bright spot in an otherwise dismal situation.
Thanks, cancelled for now. I'll keep an eye out for ways to contribute as we get more organised.