Most DNS queries are UDP.

I’d do a modified scream test and change old.domain to something like 1.2.3.4. Then run sudo netstat or ss with -tpn, grepping for 1.2.3.4.

Or something like grep -r old.domain /etc.

Yep, that would work fine for the first line of defense. Eventually, you can expand it to copy, replicate, or drive swap the onprem backups offsite somewhere (e.g., cloud, office, or family member) if you want to protect your data from site loss (e.g., house fire).

The only thing missing is a good backup.

If you are storing anything important – especially Immich and Vaultwarden data – you should have a good offsite protection strategy. And even the HASS config should be backed up with versioning because rebuilding from scratch could be painful once you get deep into it.

I’ll let others chime in on possible good backup options because I use Veeam and Azure, which really isn’t in the spirit of this community, and I’d be interested in good open source options myself.

Also, RAID (mirroring) is NOT a backup.

Lol Microsoft is not even close to a walled garden. This is just them removing the password manager feature that nobody used from their authenticator app.

The easiest way that doesn’t affect the main network would be to use a travel router. Its WAN IP would be the private IP it gets from the main network (over wireless since that’s your only option). And it would NAT your network onto that IP and then you can do whatever you want on your network.

I’m not sure if that Mikrotik router will do this but it might. You basically need something that can connect to an SSID and use that interface as its WAN interface. The wireless factor here is really limiting your choices. If you had a wired uplink to the main network you could use any router/gateway/firewall you wanted. You could also use an AP in bridge mode to connect to the main network’s SSID and wire it to the WAN port of any router of your choice.

You don’t really need to use VLANs to separate your network from the main network unless you want to share any of the same layer 2 segments (basically wired Ethernet) while keeping it isolated. But it doesn’t really sound like that applies in your scenario. Of course using VLANs within your network would still make sense if that applies (for example, to separate your server traffic from your IoT traffic).

They’re only killing the crappy store/UWP version that nobody used anyway and only caused confusion. The normal OneNote bundled in Office isn’t going anywhere as far as I know.

That said, I’ve moved a lot of my note taking to Obsidian. It’s not a perfect replacement but it’s a fantastic markdown editor and now I use both for different use cases.

I heavily use both and this is objectively untrue.

I don’t deal with hardware much anymore, but I’d take Aruba over Cisco any day. But for everything else, yeah fuck HP.

Yep that’s how I have Syncthing set up. All global and local discovery disabled, no firewall ports open on the clients, no broadcasting, no relay servers. Just syncing through a central server which maintains versioning and where the backups run. Works like a charm.

And what about taking a nice drive down Jean Baptiste Pointe du Sable Lake Shore Drive?

Not that it’s my first recommendation for security reasons, and I would never do this in prod, but you can just add the self-signed cert to the local trusted root CA store and it should work fine. No reg changes needed.

If you do this, put it in the store of the user running the client, not LocalMachine. Then you just need to make sure you connect as something in the cert’s SAN list. An IP might work (don’t know since I never try to put IPs in the SAN list), but just use a hosts entry if you can’t modify local DNS.

Edit: after reading the full OP post (sorry), I don’t think it’s necessarily the self-signed cert. If the browser is connecting with https:// and presenting a basic auth prompt, then https is working. It almost sounds like there is a 301/302 redirect back to http after login. Check the Network tab of the browser’s dev pane (F12) to see what is going on.

Microsoft uses TPM PCRs 7+11 for BitLocker which is more secure than the Linux implementations mentioned in the article.

PCR 7 is the Secure Boot measurement which means it can’t be unlocked unless every signed boot component has not been tampered with up to the point of unlock by the EFI bootloader. PCR 11 is simply flipped from a 0 to a 1 by the bootloader to protect the keys from being extracted in user land from an already booted system.

The article is correct that most Linux implementations blindly following these kinds of “guides” are not secure. Without additional PCRs, specifically 8 and 9 measuring the grub commands (no single-user bypass) and initrd (which is usually on an unencrypted partition), it is trivial to bypass. But the downside of using these additional PCRs is that you need to manually unlock with a LUKS2 password and reseal the keys in TPM whenever the kernel and or initrd updates.

Of course to be really secure, you want to require a PIN in addition to TPM to unlock the disk under any OS. But Microsoft’s TPM-only implementation is fairly secure with only a few advanced vulnerabilities such as LogoFAIL and cold boot attacks.

Linux on enterprise user endpoints is an insane proposition for most organizations.

You clearly have no experience managing thousands of endpoints securely.

Looks like they found someone.

No, it’s amazing. Especially on the Steam Deck.

This is like the epitome of the XY Problem.

https://xyproblem.info/

If you’re willing to wait 2 weeks for shipping (with an added shipping cost of $0.40) you can just order that stuff directly from Aliexpress and cut out the middle man.

I’d be careful about completely trusting any AV to give you any certainty that you aren’t infected.

As I mentioned in another comment, Pegasus is comprised of many different exploits. So just because Bitdefender can detect some older Pegasus variants, doesn’t mean it can detect all of them.

In fact it’s quite unlikely they can detect the latest variants.

I don’t know the full answer, but Pegasus isn’t one single piece of spyware, but rather a toolkit of many, many zero-day exploits.

A lot of them (the majority maybe?) are non-persistent meaning that they don’t survive a reboot.

That said, aside from keeping your phone up to date with security patches and rebooting frequently, I’m not sure there’s much the average person can do if you’re actively being targeted.

Same. I think Civ 5 was my gateway game.