• 1 Post
  • 747 Comments
Joined 2 years ago
Cake day: July 14th, 2023

  • A paid skillful engineer, who doesn’t think it’s important to make that sort of a change and who knows how the system works, will know that, if success is judged solely by “does it work?” then the effort is doomed for failure. Such an engineer will push to have the requirements written clearly and explicitly - “how does it function?” rather than “what are the results?” - which means that unless the person writing the requirements actually understands the solution, said solution will end up having its requirements written such that even if it’s defeated instantly, it will count as a success. It met the specifications, after all.


  • You can self-host Bitwarden, too. My understanding is that VaultWarden is much simpler to self-host, though. Note that VaultWarden isn’t a “fork”; it’s a compatible rewrite in Rust (Bitwarden’s codebase, by contrast, is primarily C#).

    I also use Bitwarden and strongly prefer it over every other password manager I’ve tried or investigated, for what that’s worth. I’d recommend it to 99% of non-enterprise users (it’s probably great for enterprise use as well, TBF).

    The only use case I wouldn’t recommend it for is when you don’t want your passwords stored in the cloud, in which case KeePass is the way to go. To be clear, that recommendation does not apply if you’re syncing your vault with a cloud storage provider - even one you’re hosting, like Syncthing - even if your vault is encrypted. At that point just use Bitwarden or VaultWarden, because they’re at least audited with your use case in mind (Vaultwarden has only been audited once afaik, though).


  • I primarily use Standard Notes. It’s a fantastic tool and I can use it anywhere, online or offline. It’s not great for collaboration, though, and it doesn’t have a canvas option. But I use it for scratch pads, for todo lists, for project tracking, for ideas, plans, plotting for my tabletop (Monster of the Week) game, software design and architecture, for drafting comments, etc…

    Standard Notes also has a ton of options for automated backups. I get a daily email with a backup of my notes; I can host my notes on my home server and the corporate one; I can also set up automated backups on any desktop.

    I don’t use it for saving links. I’m still using Raindrop.io for that, even though I’m self-hosting both Linkding and Linkwarden.

    For sharing and collaboration, I either publish to Listed with Standard Notes or use Hedgedoc, which is great for collaboration and does a great job presenting notes, too.

    For canvas notes, I use GoodNotes on a tablet or the Onyx Boox’s default Notes app. I’d love a better FOSS, self-hosted option, especially for the Boox, but my experiences thus far have been negative (especially on the Boox).

    I’ve been trying out SilverBullet lately, since I want to try out cross-note querying and all that, but I’m too stuck in my habits and keep going back to Standard Notes. I think I’ll have better luck if I choose one app and go with it.

    I also have a collection of Mnemosyne notebooks that I use with fountain pens (mostly the Lamy 2000, but also quite commonly a Platinum 3776 or a Twsbi). Side note: the Lamy 2000 was my first fountain pen and after getting it I went deep into fountain pens. I explored a ton of different options, found a lot of nice pens across a number of brands… and yet I still haven’t found something that I consistently like more. The Pilot VP is great but deceptive; a fancy clicky pen that only holds 30 minutes of ink (in a converter, at least) is decidedly inconvenient.

    I’ve also been checking out Obsidian on my work computer. So far I haven’t seen anything that makes me prefer it over my existing set of tools.


  • Hedgedoc is fantastic. If you’re okay with your notes app being web-only (without an app or even a PWA) and you don’t need canvas notes or multi-note queries, you should check it out.

    First, every note is Markdown, but it supports a ton of things natively. It has native Vim, Emacs, and Sublime (the default) editors and it’s built to be great for collaboration (if you want).

    It also has

    • syntax highlighting for a ton of languages
    • Mermaid.js support
    • LaTeX support
    • easy drag and drop image uploads
    • a solid mobile interface (for a webapp in your browser, at least)
    • built in revision history
    • support for other diagram tools, like graphviz, flowchart.js
    • a bunch of other little Markdown enhancements that make using it feel oddly intuitive

    And best of all, they have a Hedgehog for the icon! (I may be biased.)


  • I’m familiar with SSL in the context of webdev, where SSL (well, TLS) is standard, but there the standard only uses server certificates. Even as a best practice, consumer use cases for client certificates, where each client has a unique certificate, are extremely rare. In an app, I would assume that’s equally true, but that shared client certificates - where every install from Google Play uses the same certificate, possibly rotated from version to version, and likewise with other platforms, like the App Store, the apk you can download from their site, F-Droid, if they were on it, and releases of other apps that use the same servers, like Molly. Other platforms might share the same key or have different keys, but in either case, they’re shared among millions of users.

    I’m not sure Signal does have a client certificate, but I believe they do have a shared API access key that isn’t part of the source code, and which they (at least previously) prohibited the use of by FOSS forks (and refused to grant them their own key).

    That said, I reviewed that code, and while I’m not a big fan of Java and I’m not familiar with the Android APIs, I’m familiar with TLS connections in webdev, the terms are pretty similar cross-language, and I did work in Java for about five years, but I didn’t see anything when reviewing that file that makes me think client certificates are being generated or used. Can you elaborate on what I’m missing?


  • you’re the only one with your SSL keys. As part of authentication, you are identified. All the information about your device is transmitted. Then you stop identifying yourself in future messages, but your SSL keys tie your messages together. They are discarded once the message is decrypted by the server, so your messages should in theory be anonymised in the case of a leak to a third party. That seems to be what sealed sender is designed for, but it isn’t what I’m concerned about.

    Why do you think that Signal uses SSL client keys or that it transmits unique information about your device? Do you have a source for that or is it just an assumption?


  • The sender ('s unique device) can with 100% accuracy be appended to the message by the server after it’s received.

    How?

    If I share an IP with 100 million other Signal users and I send a sealed sender message, how does Signal distinguish between me and the other 100 million users? My sender certificate is encrypted and only able to be decrypted by the recipient.

    If I’m the only user with my IP address, then sure, Signal could identify me. I can use a VPN or similar technology if I’m concerned about this, of course. Signal doesn’t consider obscuring IPs to be in scope for their mission - there was a recent Cloudflare vulnerability that impacted Signal where they mentioned this. From https://www.404media.co/cloudflare-issue-can-leak-chat-app-users-broad-location/

    404 Media asked daniel to demonstrate the issue by learning the location of multiple Signal users with their consent. In one case, daniel sent a user an image. Soon after, daniel sent a link to a Google Maps page showing the city the user was likely in.

    404 Media first asked Signal for comment in early December. The organization did not provide a statement in time for publication, but daniel shared their response to his bug report.

    “What you’re describing (observing cache hits and misses) is a generic property of how Content Distribution Networks function. Signal’s use of CDNs is neither unique nor alarming, and also doesn’t impact Signal’s end-to-end encryption. CDNs are utilized by every popular application and website on the internet, and they are essential for high-performance and reliability while serving a global audience,” Signal’s security team wrote.

    “There is already a large body of existing work that explores this topic in detail, but if someone needs to completely obscure their network location (especially at a level as coarse and imprecise as the example that appears in your video) a VPN is absolutely necessary. That functionality falls outside of Signal’s scope. Signal protects the privacy of your messages and calls, but it has never attempted to fully replicate the set of network-layer anonymity features that projects like Wireguard, Tor, and other open-source VPN software can provide,” it added.

    I saw a post about this recently on Lemmy (and Reddit), so there’s probably more discussion there.

    since the sender is identified at the start of every conversation.

    What do you mean when you say “conversation” here? Do you mean when you first access a user’s profile key, which is required to send a sealed sender message to them if they haven’t enabled “Allow From Anyone” in their settings? If so, then yes, the sender’s identity when requesting the contact would necessarily be exposed. If the recipient has that option enabled, that’s not necessarily true, but I don’t know for sure.

    Even if we trust Signal, with Sealed Sender, without any sort of random delay in message delivery, a nation-state level adversary could observe inbound and outbound network activity and derive high confidence information about who’s contacting whom.

    All of that said, my understanding is that contact discovery is a bigger vulnerability than Sealed Sender if we don’t trust Signal’s servers. Here’s the blog post from 2017 where Moxie describes their approach. (See also this blog post where they talk about improvements to “Oblivious RAM,” though it doesn’t have more information on SGX.) He basically said “This solution isn’t great if you don’t trust that the servers are running verified code.”

    This method of contact discovery isn’t ideal because of these shortcomings, but at the very least the Signal service’s design does not depend on knowledge of a user’s social graph in order to function. This has meant that if you trust the Signal service to be running the published server source code, then the Signal service has no durable knowledge of a user’s social graph if it is hacked or subpoenaed.

    He then continued on to describe their use of SGX and remote attestation over a network, which was touched on in the Sealed Sender post. Specifically:

    Modern Intel chips support a feature called Software Guard Extensions (SGX). SGX allows applications to provision a “secure enclave” that is isolated from the host operating system and kernel, similar to technologies like ARM’s TrustZone. SGX enclaves also support a feature called remote attestation. Remote attestation provides a cryptographic guarantee of the code that is running in a remote enclave over a network.

    Later in that blog post, Moxie says “The enclave code builds reproducibly, so anyone can verify that the published source code corresponds to the MRENCLAVE value of the remote enclave.” But how do we actually perform this remote attestation? And is it as secure and reliable as Signal attests?

    In the docs for the “auditee” application, the Examples page provides some additional information and describes how to use their tool to verify the MRENCLAVE value. Note that they also say that the tool is a work in progress and shouldn’t be trusted. The Intel SGX documentation likely has information as well, but most of the links that I found were dead, so I didn’t investigate further.

    A blog post titled Enhancing trust for SGX enclaves raised some concerns with SGX’s current implementation, specifically mentioning Signal’s usage, and suggested (and implemented) some improvements.

    I haven’t personally verified the MRENCLAVE values for any of Signal’s services and I’m not aware of anyone who has (successfully, at least), but I also haven’t seen any security experts stating that the technology is unsound or doesn’t actually do what’s claimed.

    Finally, I recommend you check out https://community.signalusers.org/t/overview-of-third-party-security-audits/13243 - some of the issues noted there involve the social graph and at least one involves Sealed Sender specifically (though the link is dead; I didn’t check to see if the Internet Archive has a backup).


  • Liking multiple people at once is super common. The love triangle is a trope for a reason.

    If you don’t like her then don’t worry about it (other than to maybe pay attention to how you’re acting around her and avoid flirting unintentionally) but if you’re interested in her, maybe try pursuing that? Flirt with her a bit and see if she reciprocates. If she likes you, there’s a good chance she’s been flirting with you and you’ve just been oblivious.

    If you’re too shy to intentionally flirt, you could ask her outright, but it’d probably be better to ask her something that hints at your interest, like “I like this girl but I can’t tell if she’s into me - what sorts of signs should I be looking for?” Should be pretty obvious what you’re both saying and asking.


  • Learn, understand, challenge, repeat.

    Learn as much as you can about all sorts of topics, even if you don’t have specific plans for those topics

    Learn enough that you don’t just know the facts, but that you actually understand why things are the way they are. You should be able to predict things you haven’t yet learned if you understand the concepts. If you don’t understand something yet, keep learning.

    Learn your fundamentals: language skills, math, logic, statistics, the science of research, history, politics, basic psychology, and the physics of whatever realm you’re operating in (meaning that in today’s day and age, you should learn about both real-world physics and about how information flows on the Internet).

    A lot of people don’t know how to teach themselves, so it’s probably important to point out that learning to do so effectively is a big part of thinking for yourself. Learning how information is presented, as well as what’s often left unsaid, is important. Learn how to read graphs and charts and statistics. Improve your information literacy: Learn how to find credible sources, how to judge the credibility of a source, and what “credible” actually means. It doesn’t mean infallible.

    As a general rule, don’t accept a fact until you have multiple credible confirmations of it. That might not be possible, but when information comes from untrustworthy sources, remember that. Learn the difference between something that you’ve learned and accepted and something that you’ve just heard on social media a few dozen times. This is easier when you have an understanding of what you’re learning. True things fit in better with other true things.

    Don’t assume things are false just because the source isn’t credible, either. Just do extra research to verify. Do your own experiments to confirm, if possible.

    Sometimes you’ll realize something you’ve accepted might be wrong, possibly because it conflicts with something else that you learned. When facts don’t add up, challenge them. You’re not infallible. Replacing a fact you accepted long ago isn’t a failure; it’s a victory. Many people are incapable of doing so.

    Learn to distinguish between facts, inferences, theories, and opinions. (Note that established, accepted scientific theories often fall into the “fact” category.) Facts are verifiable. Inferences are based on facts; they’re evidence-based conclusions that can help to build theories. Theories are explanations, and they can be disproven but haven’t been proven (else they would be facts). Information presented as facts can be false. Theories and inferences can be poorly formed, even if the facts are sound (and especially when they are not). “Opinion” is a word people use to defend flawed theories. If the opinion isn’t a preference, there’s a good chance it isn’t an opinion at all and is just intentional misinformation. “You can’t argue with my opinion” isn’t applicable when the “opinion” is provably false - then it’s just a failed fact, inference, or theory. And even when it is an opinion, it can still be criticized.

    Learn about logical fallacies. Even if you don’t call out the person using them, try to notice them in the wild, both by people you agree with and people you disagree with. But especially by people you agree with. Learn how to notice other ways people are misled.


  • Good catch, I didn’t realize that with AnyType. That makes my first recommendation to OP just SilverBullet, then. Source available is better than nothing, like with Obsidian, but OP specifically asked for FOSS repos. It looks like their peer to peer sync server is MIT licensed, but their client (and client library) code is licensed under the “Any Source Available License 1.0,” which restricts use other than for “personal, academic, scientific, or research and development use, or evaluating the Software, but does not include uses where the Software facilitates any transaction of economic value.”

    I ruled out Logseq’s sync service due to it being both paid ($60/year minimum) and not FOSS, both things OP asked for. For my purposes, since it’s not FOSS and not able to be self hosted, it’s not a good option. But it makes sense to use the same file syncing solution that’s already in use, whether that’s FolderSync (or some equivalent tool) set up to sync to my server, Syncthing (though I just realized its Android client is no longer being developed as of December 2024), or even Cryptomator + some cloud storage service.


  • Since you’re already using Standard Notes - have you checked out Awesome Standard Notes? You can use the community extensions - editors, themes, etc. - even with the free plan.

    It’s my main note-taking app, but I also got the 5 year paid plan for $150 (IIRC) a few years ago, and prices have increased substantially since then. If I weren’t locked into a lower rate, I’m not sure I’d subscribe at the current rates (though I would look into the self-hosted Pro discount before ruling it out). That said, if you don’t need note linking, queries, and those sorts of things, then I think the free plan of Standard Notes + community extensions is a great option. If I self-hosted the server, the main thing I’d be missing over the paid plan is nested tags.

    Logseq (repo) might meet your needs if you’re okay setting up a sync service like Syncthing on every client you use. Of course, you could use Dropbox, Google Drive, etc., but I recommend against it without a layer like Cryptomator in between, since your data is stored in the clear. IMO it doesn’t really make sense to self-host Logseq - just use the native app that’s available on basically every platform. I find Logseq kinda confusing, honestly, but it has a lot of compelling features.

    SilverBullet may be what you’re looking for. It must be self-hosted and has a PWA instead of native apps, but the PWA on mobile at least is quite good. Since it uses Markdown files for its notes, you could use it with some other tool on the machine hosting those files, if you wanted. I have it self hosted myself and it’s the best alternative I’ve found to Notion and Obsidian when it comes to querying my own notes and so on.

    Someone else posted about Outline and I think it’s a fantastic, polished option. I know that you said this is for solo use, so you probably don’t care about its collaboration features, but you also mentioned managing personal projects, and its integrations (e.g., Airtable) could be useful for that. I have it self-hosted and it is a bit more complicated than other options, but I don’t think I ran into any particular issues. I’m using it with Authelia as an OIDC provider and can share my docker-compose file and other config if that would be helpful. They also have a paid, hosted option, which you can try out for 30 days if you want to see if it’s right for you before you put the time and effort into self-hosting it. One of my most-used editors in Standard Notes is the Rich Markdown Editor, which is based off the editor used in Outline. However, unlike SilverBullet and Standard Notes,

    Hedgedoc is another option that may be worth looking into. It’s my go-to collaborative editor / gist replacement. Personally, I prefer it over Outline. Its main shortcomings are that:

    • it must be self-hosted (though you could use HackMD aka CodiMD, which it was forked from, as that does have a hosted version)
    • it doesn’t have an app (on any platform - not even a PWA)
    • it doesn’t have any sort of querying capabilities, and
    • it doesn’t have any sort of Kanban-like tool.

    But it does have several built-in integrations, like Mermaid and multiple other diagramming tools, inline images (just drag and drop), syntax highlighting for code, Gist embeds, Youtube embeds, optional Vim/Emacs keybindings, a slide deck presentation mode, inline CSV tables, etc., and that’s all without needing to mess with plugins or switch between editors.

    I hadn’t used AnyType before today, but it’s been on my radar since late 2020, and it’s pretty powerful. It’s not perfect, but it seems to check off everything you’re looking for. It does have a bit of a learning curve, but it’s been easy to jump in and take notes.

    It’s hard to know which to recommend you try, though, because your criteria don’t all map neatly to features. For example, what do you want from planning vs managing personal projects? What do you mean by “journaling?” Is having a “journal” section where notes get dates sufficient? Do you like the way Standard Notes or Logseq handle journaling, or are you looking for features like what jtxBoard has?

    I’m assuming the following for my table below:

    • Quick Notes - easy to create a new note and just write some stuff. Needing to fill out any required fields (even “title”) makes this a ❌
    • To-do lists - checkbox lists. You have to be able to add a new item by pressing enter and mark an item off just by checking the box.
    • Managing and planning projects:
      • Kanban / Trello style board - without needing to integrate with a non-FOSS third party service (this is why Outline gets a ❌)
      • Linking to another note in the body of a note (Standard Notes lets you create a link in the tag bar - this doesn’t count)
      • Embedded querying of your other notes, treating notes like objects - really the thing that makes Notion so powerful
      • Easy table editor
      • Diagrams - Mermaid, Excalidraw, or a similar plugin that works natively
    • Easy to use - auto-saving of notes, automatic synchronization that “just works,” rich text copy-paste, etc…
    • Offline mode - You didn’t mention this, but I’m calling it out since it’s otherwise easy to take for granted.
    • Publishing - you mentioned not caring about collaboration, but being able to publish a note is still useful in solo-only workflows, as it gives you a way to reference it directly from a bookmark, some other tool, etc., potentially from a device where you aren’t authenticated.
    Standard Notes 1 SilverBullet Outline LogSeq Hedgedoc AnyType
    FOSS
    Sync ❌ (Paid)
    Quick Notes
    To-Do Lists
    Kanban Board Sorta
    Links to Notes
    Queries
    Table Editor
    Diagrams
    Linux App ✅ (PWA) ✅ (PWA) ❌ (Web App)
    Android App ✅ (PWA) ✅ (PWA) ❌ (Web App)
    Easy to use
    Usable offline
    Free
    Easy inline images
    Publish

    [1]: For Standard Notes, I’m not assuming that you’re self-hosting the server, but I am assuming that you’re installing community extensions, particularly Rich Markdown Editor or something similar.
    [2]: For Silver Bullet, I’m assuming that you’re installing community plugins.

    I recommend you try AnyType and/or SilverBullet first, depending on which one looks more appealing to you.


  • Wouldn’t be a huge change at this point. Israel has been using AI to determine targets for drone-delivered airstrikes for over a year now.

    https://en.m.wikipedia.org/wiki/AI-assisted_targeting_in_the_Gaza_Strip gives a high level overview of Gospel and Lavender, and there are news articles in the references if you want to learn more.

    This is at least being positioned better than the ways Lavender and Gospel were used, but I have no doubt that it will be used to commit atrocities as well.

    For now, OpenAI’s models may help operators make sense of large amounts of incoming data to support faster human decision-making in high-pressure situations.

    Yep, that was how they justified Gospel and Lavender, too - “a human presses the button” (even though they’re not doing anywhere near enough due diligence).

    But it’s worth pointing out that the type of AI OpenAI is best known for comes from large language models (LLMs)—sometimes called large multimodal models—that are trained on massive datasets of text, images, and audio pulled from many different sources.

    Yes, OpenAI is well known for this, but they’ve also created other types of AI models (e.g., Whisper). I suspect an LLM might be part of a solution they would build but that it would not be the full solution.


  • Both devices have integrated memory, so that 16 GB will look more like an 11/5, 12/4, or maybe even 14/2 split. The Steam Deck is also $400 for an LCD model or $550 for the OLED, not $800. It’s reasonable to expect more performance when you pay more.

    Because the Steam Deck has a lower native resolution, that means that less of the RAM will be used for the integrated GPU. Downscaling from 1080p to 720p doesn’t look good, either - and you could downscale to 540p if supported, but if you need to do that (vs choosing to for an emulated game) it probably won’t be pretty, either.

    This device is also running Windows, rather than a streamlined Linux-based launcher, meaning that more of that RAM will be taken up by OS processes by default.

    The article talks about how the 8840U benefits from more, fast RAM. You won’t get near the 8840U’s full potential gaming with 16 GB. 24 GB, on the other hand, would have been enough that games expecting 16 GB of system RAM would have been able to get it, even while devoting 6-7 GB to the GPU and 1-2 GB to the OS.