A large percentage of those hosts with SSH enabled are cloud machines because it’s standard for cloud machines to be only accessible by SSH by default. I’ve never seen a serious security guide that says to set up a VPN and move SSH behind the VPN, although some cloud instances are inherently like this because they’re on a virtual private network managed by the hosting provider for other reasons.

SSH is much simpler and more universal than a VPN. You can often use SSH port forwarding to access services without configuring a VPN. Recommending everyone to set up a VPN for everything makes networking and remote access much more complicated for new users.

Shodan reports that 35,780,216 hosts have SSH exposed to the internet.

Moving SSH to ports other than 22 is not security. The bots trying port 22 on random addresses with random passwords don’t have a chance of getting in unless you’re using password authentication with weak passwords or your SSH is very old.

SSH security updates are very infrequent and it takes practically no effort to keep SSH up to date. If you’re using a stable distribution, just enable automatic security updates.

Having SSH open to the internet is normal. Don’t use password authentication with weak passwords.

It’s also ahead of gitea in some aspects: https://forgejo.org/faq/#is-there-a-roadmap-for-forgejo

Or use Miracast, AKA WiDi, Smart View, SmartShare if you just want to mirror a screen.

Aqara sells one that works with HomeKit and should work offline. They say it will get Matter support later, but Home Assistant can use it through HomeKit without having to buy any Apple devices.

If all you want is to break out the VLANs to NICs using a Linux PC instead of a managed switch, create six bridge interfaces and put in each bridge the VLAN interface and the NIC.

There’s a lot of wrong advice about this subject on this post. Forgejo, and any other Git forge server, have a completely different security model than regular SSH. All authenticated users run with the same PID and are restricted to accessing Git commands. It uses the secure shell protocol but it is not a shell. The threat model is different. Anybody can sign up for a GitHub or Codeberg account and they will be granted SSH access, but that access only allows them to push and pull Git data according to their account permissions.

That sounds like Cloudflare is giving you certificates intended only to be used for talking to Cloudflare.

You might be able to do it if Cloudflare sends a different SNI. It’s probably better if you get real certificates from Let’s Encrypt and just use those.

They have been in the process of rolling it out for what must be a decade now, meaning there are still areas where they don’t offer it.

They don’t allocate you a prefix. The website says they give you 5 addresses.

Some bad still ISPs don’t provide IPv6 connectivity. (Verizon)

https://simple.wikipedia.org/wiki/Corruption

Social media is not the cause. There are so many problems that young people are helpless to do anything about. Congress’s desire to restrict and censor internet access for minors has to be more impactful than social media itself.

We tried nothing and we’re all out of ideas.

Don’t laptops with batteries use slightly more energy than equivalent PCs? The battery will drain because it loses charge over time or because the laptop is designed to draw power from the battery during normal operation, and then energy is lost when recharging the battery because battery charging is not 100% efficient.

I don’t know how searxng works, but if it’s making many requests and aggregating the results, you will probably get much worse performance running it on your phone, even if the phone is with you. Instead of making one request over a bad cell connection, you would be making many requests over a bad cell connection.

I have the Aqara G4 doorbell and supposedly it works with WiFi and Frigate (via go2rtc), but I haven’t set up Frigate and I haven’t verified that it fully functions with the internet turned off. It uses Homekit but supposedly will receive Matter via a software update.

Even if they’re both wrong, it’s worth mentioning. It’s much more common for people to have experience with one than the other. If you think “oh, it’s just like circumcision so it isn’t that bad” then you’re getting the wrong idea.

New action items have been assigned to you:

• Remedial cybersecurity training (4hr): due by Mar 22

My favorite is when IT deploys software that replaces all the links in your e-mails with https://example.com/phishing/YiCdMdsY so you can’t tell whether the e-mail is phishing or not, frequently sends you very obvious fake phishing e-mails that interrupt your work by going straight to your priority inbox, and punishes anyone caught clicking on phishing e-mails. Then HR sends out e-mails that have all the indicators of low effort phishing and you’re supposed to click on those.