If I have a bare metal dedicated server, which has only access to IPs contained in my whitelist on a dedicated opnsense, I have less to wory about.

Sure, someone could still find a openbsd/opnsense exploit and get me, but my point is: complex systems break in complex ways, the more complex systems you use, the more attack surface u have, need to know and understand to control and mitigate it.

The way I would frame it is: using complex systems that you are unfamiliar with is risky. In your case, you are familiar with OPNsense and firewalls. So that may be the more secure option for you. But for somebody who isn’t familiar with firewalls, there are a lot of ways to mess up. For example, IP and mac spoofing is very easy. OPNsense and firewalls often don’t have very good defense against IP spoofing, especially if the malware is already inside your LAN (for example, a malicious app running on a smartphone).

Using proxmox and other virtualization platforms has one big advantage: you can experiment and play around and learn, without much risk. With a physical server, if you mess up and get infected, you may have to throw away the whole server. You can’t just re-install the OS, because the malware could have installed a rootkit or infected the bios or other firmware. But with a VM, if the VM gets infected you can just delete the VM and create a new one. One of the main goals of a hypervisor is to sandbox the VM, so that malware is contained.

“best” is of course subjective. Bare metal could be better, but imo the marginally smaller attack surface isn’t worth it. If the Qubes project trusts that a hypervisor is secure enough, then I trust it as well.

I run 10+ VMs all the time, no way am I going to buy 10 bare metal servers. The ability to create new secure environments on-demand is unbeatable.

And bare metal does have security disadvantages too. It has a physical attack surface that a VM does not. For example, defending against usb attacks. Of course for a VM, the hypervisor/host can be attacked physically, but you only need to worry about securing that one. Securing 10 physical servers is a lot more work than securing just one, so you’re more likely to get lazy, slip up, etc.

Big fan of i2p but adoption is low, making network analysis attacks much cheaper. Not to mention i2p has client identifiers that are sent to the destination server (look up “client destinations”, you’ll find info in various i2p forums and also https://www.whonix.org/wiki/I2P), which Tor doesn’t have.

Imo Tor onion services are safer due to how much more expensive network analysis attacks are, but i2p has a better future because anybody can be a peer (Tor has high entry requirements, even for relays). I use I2P to support the network. But I’m not going to fault an open source developer for choosing the more popular option to start with, in this case Tor.

Moonlight/sunshine can be used for remote desktop, and doesn’t have many controversies that I can remember, far less than Rustdesk at least. You just don’t get the free relay servers, which some might call a plus.

Don’t get me wrong, I personally still consider Rustdesk a viable alternative, I just think the controversies are recent enough and concerning enough that they should be brought up for consideration.

As for the forgive/forget bit, don’t mind it that was just me poking at Lemmy’s hypocrisy a bit

Cool video but it’s old and barely relevant. Traffic analysis attacks are extremely difficult to pull off, especially on hidden services (since relay nodes are more distributed than exit nodes). Mixnets are cool but still immature. Tor is the best option here, and will fit the use case of 99% of users. For those who want to defend against traffic analysis, there are ways to do so that take way more time and effort, like breaking up a file into tons of tiny pieces. Up to you if you want to put in the effort.

As usual, Whonix has a great page about this: https://www.whonix.org/wiki/Speculative_Tor_Attacks

in research settings, Tor processes and anonymity protection might be seriously degraded under specific conditions. Therefore, users who are likely to be targeted by advanced adversaries should bear this in mind when undertaking anonymous activities – for a small subset, defaulting to offline activities (whenever possible) might be the only safe course of action in their circumstances.

what’s wrong with Tor?

Yeah what’s with the homegrown repo viewer. Why not just embed a sourcehut page with some custom styling.

I agree with not providing the encryption, and having the user provide it themselves. If the server provides the encryption, then it could be backdoored. If you as the user can’t be bothered to encrypt the files yourself, then you definitely aren’t inspecting the client-side code yourself either.

Just be safe and encrypt the files yourself

They want to be able to scan content for illegal contents, without users needing to report it and provide the decryption key first

CMV burner phones were always questionable in their privacy. How do you know the anonymous seller of your burner phone, isn’t the government in disguise?

Rustdesk did have some massive controversies in the past, like:

• installing root certificates without fully understanding the implications
• ignoring AGPL for their proprietary bits
• and other questionable decisions

Which raises doubts as to how trustworthy the development team is.

And while some other people say “it’s ok that was in the past they fixed it”, keep in mind that most of Brave Browser’s controversies were in the past, and yet lemmy still hasn’t forgiven them yet…so I’d like to know how long it takes for lemmy to forgive past mistakes

Nobody believes virtualization is perfect, it’s just the best we got because:

• smaller attack surface
• security is the priority over adding new features (the opposite of most other development cycles)
• in practice we have seen how secure it is relative to other systems like the kernel

And anyways, even a separate physical computer can be hacked. If it has networking, there could be a vulnerability in the networking stack. Just making an outbound tcp connection can be enough to be pwned.

I think the closest thing we have to an “invincible” system is seL4, but I rarely hear about amybody using them

copy fail allows VMs to infect the host system? I thought it was a kernel vulnerability, not a hypervisor vulnerability. Containers and LXCs share the kernel with the host, full VMs do not. So a kernel exploit allows container escape but not VM escape.

Kernel exploits happen a few times a year. Hypervisor exploits and VM escapes are VERY rare.

Using SSH for clustering is optional. You can just use normal VMs. You don’t have to install SSH into the VM, you can view it through proxmox. The only difference between a VM and a separate physical machine is the hypervisor, so the only security difference is the security of the hypervisor. And as I mentioned, hypervisor exploits are very rare.

Edit: for a sense of perspective, think about this. Almost every major tech company in the world relies on hypervisors for security. Qubes OS, known in the privacy/security world as one of if not the most secure OSes, relies on the hypervisor for security. An easily exploitable hypervisor escape would be a vulnerability on the scale of the XZ utils backdoor (which was unsuccessful). I have not seen a vulnerability of that scale since heartbleed.

Edit2: a word

I recommend proxmox. One VM for sensitive private data and backups, one VM for stuff exposed to the internet