Hacker News: ingenium's comments

Android is pretty easy, you just add it to the keystore and that's it. I've had my own CA since long before Let's Encrypt, but now mostly only use it for non-public devices that can't easily use Let's Encrypt (printers, switches, etc).


You can add it to your user CA store, but no app will trust it since it's treated differently from the system CA store, which you can't modify without root or building your own ROM. In effect it is out of reach for most normal users, as well as people using security focused ROMs like Graphene, when ironically it can improve security in transit in many cases.


It's technically possible to get any Android app to accept user CAs. Unfortunately it requires unpacking it with apktool, adding a networkconfigoverride to the XML assets and pointing the AndroidManifest.xml to use it. Then restitch the APK with apktool, use jarsigner/apksigner and finally use zipalign.

Doesn't need a custom ROM, but it's so goddamn annoying that you might as well not bother. I know how to do these things; most users won't and given the direction the big G is heading in with device freedom, it's not looking all that bright for this approach either.
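The steps the commenter lists, written out as an added shell example (not the commenter's own script, and not part of the original thread). It assumes `apktool`, `zipalign` and `apksigner` from the Android SDK build-tools are on PATH and that a signing keystore is supplied via `KEYSTORE` / `KEYSTORE_PASS` (defaults to the usual debug keystore). The XML file name `network_security_config.xml` and the `<network-security-config>` element names are the ones Android's Network Security Configuration feature uses; since Android 7 (API 24) apps do not trust user-added CAs unless such a config opts in with `<certificates src="user" />`.

```shell
#!/bin/sh
# Added example: repack an APK so that it trusts user-installed CAs.
# Assumptions (not from the thread): apktool, zipalign and apksigner on PATH,
# a keystore at $KEYSTORE (default: the SDK debug keystore, password "android").
set -eu

# Write a Network Security Configuration trusting the system store AND the
# user store. Placed in <base-config> it applies to every host the app talks
# to; use a <domain-config> instead if only some hosts should accept the CA.
write_network_security_config() {
    # $1 = destination path, e.g. decoded/res/xml/network_security_config.xml
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
EOF
}

# Point <application> in the decoded AndroidManifest.xml at that file.
# If the app already declares android:networkSecurityConfig (many do, often
# to pin certificates), the existing value is replaced.
patch_manifest() {
    # $1 = path to decoded AndroidManifest.xml (GNU sed assumed)
    if grep -q 'android:networkSecurityConfig=' "$1"; then
        sed -i 's|android:networkSecurityConfig="[^"]*"|android:networkSecurityConfig="@xml/network_security_config"|' "$1"
    else
        sed -i 's|<application |<application android:networkSecurityConfig="@xml/network_security_config" |' "$1"
    fi
}

# Full pipeline: decode, patch, rebuild, align, sign, verify.
# Note the order: with apksigner, zipalign runs BEFORE signing
# (with jarsigner it is the other way round).
repack_apk() {
    in_apk="$1"; out_apk="$2"; work="$(mktemp -d)"
    apktool d -f -o "$work/decoded" "$in_apk"
    write_network_security_config "$work/decoded/res/xml/network_security_config.xml"
    patch_manifest "$work/decoded/AndroidManifest.xml"
    apktool b -o "$work/unsigned.apk" "$work/decoded"
    zipalign -f -p 4 "$work/unsigned.apk" "$work/aligned.apk"
    apksigner sign --ks "${KEYSTORE:-$HOME/.android/debug.keystore}" \
        --ks-pass "pass:${KEYSTORE_PASS:-android}" \
        --out "$out_apk" "$work/aligned.apk"
    apksigner verify "$out_apk"
}

# Usage: KEYSTORE=my.jks KEYSTORE_PASS=... ./repack.sh app.apk app-usertrust.apk
if [ "$#" -eq 2 ]; then repack_apk "$1" "$2"; fi
```

Two caveats worth knowing before trying this: the rebuilt APK carries a new signature, so it has to be uninstalled and reinstalled (it will not update over the store copy), and any app that pins certificates in code (an OkHttp `CertificatePinner`, a custom `TrustManager`) or checks its own signing certificate at runtime will still refuse the CA or refuse to start; the manifest patch only changes what the platform's default trust evaluation accepts.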


I mean it works fine for me on Chrome


This is how I explain it. When I first started scuba diving and explained to the instructor that it wasn't an issue to pop my ears, he was kind of horrified and was like no don't yawn underwater to do that. He didn't seem to understand, no matter how many times I explained it, that I can do it without actually yawning. You just like... mimic the start of a yawn. And then can continue it into a full actual yawn if you want to.


How are they accounting for the presumably very high timing advance?


As far as I understand, the timing advance only matters to compensate for differences in distance/latency between different devices (i.e. to stop uplink transmissions from talking over each other on the same frequency).

The satellites can correct for "global" latency themselves (unless there are higher-level parts of the LTE/E-UTRA radio protocol that can't tolerate such long latencies, e.g. ARQ timers).

For GSM as a half-duplex technology, there's also the matter of devices not being able to transmit and receive at the same time, but I believe the same principle applies: As long as the timing differences between different devices in the same spot beam aren't too large, that's something the satellites could globally correct for.

The same probably applies for Doppler corrections.


Yup, I switched to Bitwarden and self-host my own instance of it using that container. It works great. I was previously using Keepass (and later KeePassXC), but it became a hassle to keep the database file in sync between all of my devices (I lost passwords at times as a result). Also the browser extension didn't work that well, nor did it have as nice of Android integration as Bitwarden.

Self-hosted was a nice middle ground. No one else has a copy of my password database, and it's always in sync between devices. Stick nginx as a proxy in front of it for HTTPS and easy Let's Encrypt certificate management. The downside is that Keepass by default allowed me to have copies in multiple locations. Bitwarden is only on the server, but since the database is encrypted it's easy enough to have regularly scheduled backups of it. It's just an added step to find another Docker host for it if my home server goes down, during which time I may not have access to my passwords.


> Also the browser extension didn't work that well, nor did it have as nice of Android integration as Bitwarden.

What were your issues? For the browser, I have some extremely minor complaints (not always detecting the correct subdomain for my self-hosted servers, mainly), none for Android with Keepass2Android.

Also, no sync issues at all, but that might be related to having only 2 devices ;)


I have my Samsung TV wired to my network only for remote control with Home Assistant (it can turn the TV off if nothing is playing, for example). But I force all of its DNS to use a Pi-hole, blocking all Samsung domains. I think I also have firewall rules to block all internet access on it except NTP, but I don't remember if I still have that enabled or not (there may have been an issue with it disabling something that I needed for Home Assistant to talk to it).
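One way to implement the policy in that comment on a Linux router, as an added example (not the commenter's own rules). It writes an nftables ruleset that forces the TV's DNS to the Pi-hole with a DNAT (so a resolver hard-coded in the TV's firmware is rewritten too) and forwards only NTP, the Pi-hole and the Home Assistant host for the TV. The addresses and interface name are assumptions: TV 192.168.1.50, Home Assistant 192.168.1.10, Pi-hole 192.168.1.2, LAN interface `lan0`; override them via environment variables.

```shell
#!/bin/sh
# Added example: router-side nftables policy for a TV that may only talk to
# Home Assistant and NTP, with all DNS redirected to the Pi-hole.
# Assumed addresses (not from the thread), overridable via the environment.
set -eu

TV_IP="${TV_IP:-192.168.1.50}"
HA_IP="${HA_IP:-192.168.1.10}"
PIHOLE_IP="${PIHOLE_IP:-192.168.1.2}"
LAN_IF="${LAN_IF:-lan0}"

gen_tv_ruleset() {
    # $1 = output file; apply with: nft -f "$1"
    cat > "$1" <<EOF
table inet tv_egress {
    # Regular chains first, so the hook chains below can jump to them.
    chain tv_out {
        ct state established,related accept
        ip daddr $PIHOLE_IP udp dport 53 accept
        ip daddr $PIHOLE_IP tcp dport 53 accept
        ip daddr $HA_IP accept
        udp dport 123 accept              # NTP: the one Internet service allowed
        log prefix "tv-egress-drop " drop  # everything else, incl. Samsung telemetry
    }

    chain tv_in {
        ct state established,related accept
        ip saddr $HA_IP accept             # Home Assistant polls and controls the TV
        drop
    }

    # Any DNS the TV sends, to whatever resolver it chose, is rewritten to the
    # Pi-hole. A DHCP-supplied resolver alone is not enough for devices that
    # ship with their own hard-coded one.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "$LAN_IF" ip saddr $TV_IP udp dport 53 dnat ip to $PIHOLE_IP
        iifname "$LAN_IF" ip saddr $TV_IP tcp dport 53 dnat ip to $PIHOLE_IP
    }

    # Only the TV's traffic is constrained; other hosts fall through to the
    # router's normal forward policy.
    chain forward {
        type filter hook forward priority filter; policy accept;
        ip saddr $TV_IP jump tv_out
        ip daddr $TV_IP jump tv_in
    }
}
EOF
}

if [ "$#" -eq 1 ]; then gen_tv_ruleset "$1"; fi
```

Because 443 is not in the allow list, DNS-over-HTTPS to a public resolver is dropped as well rather than slipping past the DNAT; the `log` rule is what tells you, via the kernel log, which destination a broken Home Assistant integration was trying to reach if something stops working.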


They release pretty frequent updates (monthly), with features added in most of them. It honestly doesn't really make sense to package it with the distro. Home Assistant 1 year ago was missing a lot of nice features in the present version. Plus fixes for integrations that stopped working reliably due to API changes (Ecobee comes to mind), etc.

The best/easiest way to run it is to use Docker. They have a script that will set it up for you. After that, the container can basically self-update and self-manage. Any add-ons that you want to use are installed as separate Docker containers that talk to the main Home Assistant container. It's super seamless and easy.

In my case, I just set up a barebones Debian VM and ran their setup script. It took care of all the Docker stuff and got it up and running.


I think being in control of your device's update cycle is pretty important if you're relying on that device for anything. I want to be able to leave my home-automation controller alone for years without maintenance, and no matter how good their release cycle management is this fighting over distro packaging is a bit of a red flag.


You can add some protection by putting it behind a reverse proxy like HAProxy or nginx. It's mostly security through obscurity, but in this case it helps a lot unless you're being specifically targeted by someone.

Basically pick a subdomain on a domain you own and have that and only that forward to HA. So the only way to connect to the HA instance from the internet is to know the exact subdomain you've picked for it. Set the proxy to not pass any port 443 traffic unless the subdomain matches one that you've set.
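An nginx front end that does what this comment describes (and equally serves the self-hosted Bitwarden setup in the earlier comment), as an added example rather than the commenter's own config. The generated config forwards only the one chosen hostname; any client that arrives on 443 without that exact SNI name gets its TLS handshake refused, so a scanner hitting the IP sees no certificate and no banner. Assumed values: Home Assistant listening on 127.0.0.1:8123, certificates under `/etc/letsencrypt/live/<name>/`, and nginx 1.19.4 or newer for `ssl_reject_handshake`.

```shell
#!/bin/sh
# Added example: generate an nginx site that only proxies one exact hostname.
# Assumptions (not from the thread): HA at 127.0.0.1:8123, certbot-style
# certificate paths, nginx >= 1.19.4.
set -eu

gen_nginx_site() {
    # $1 = the chosen hostname (e.g. ha-k3j9x.example.org), $2 = output file
    name="$1"
    cat > "$2" <<EOF
# Catch-all for every name that is not ours. The handshake is refused before
# any certificate is sent, so probing the bare IP reveals nothing.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;
}

# Plain HTTP is dropped, not redirected: a redirect would leak the hostname.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 444;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $name;

    ssl_certificate     /etc/letsencrypt/live/$name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$name/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8123;
        proxy_http_version 1.1;
        # WebSocket upgrade headers; the HA frontend relies on them.
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

# Usage: ./gen-site.sh ha-k3j9x.example.org /etc/nginx/sites-available/ha
if [ "$#" -eq 2 ]; then gen_nginx_site "$1" "$2"; fi
```

Two things to pair with this. First, Let's Encrypt publishes every certificate it issues to Certificate Transparency logs, so a certificate for `ha-k3j9x.example.org` makes that "secret" name searchable; issue a wildcard certificate via DNS-01 instead so only `*.example.org` appears in the logs. Second, Home Assistant refuses proxied requests unless `configuration.yaml` lists the proxy under `http: trusted_proxies:` (here 127.0.0.1) with `use_x_forwarded_for: true`, which also keeps its login rate limiting keyed on the real client address rather than the proxy's.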


Pennsylvania (at least at the pharmacies) doesn't verify anything. It's all self certification. You say that you qualify for 1A to make the appointment, and they don't ask you anything when you show up. But Pennsylvania's criteria for 1A is pretty broad, potentially representing 40-60% of the population. So tons of people qualify, but appointments are really hard to come by.


I believe Moderna was also shown to be effective.


Honestly I make pretty heavy use of /tmp. Almost all downloads go there, along with anything that I won't be using again after the next hour. Self-cleanup whenever I reboot (which is rare).

Anything of importance, I have broad directories under Documents, and then sub folders. Or sometimes I'll put them on my fileserver with similar directory structure. The Documents folder is backed up with Spideroak.

