Threads for garymoon

  1. 5

    It sounds like it’s only going to impact v3.x. If it also applied to v1.x they’d have announced a patch release for that too right?

    1. 12

      There will also be a bug fix release of OpenSSL 1.1.1s at the same time as they still need to release the fixed fixes from the retracted 1.1.1r version. However, the 1.1.1 branch is not affected by the critical issue.

      1. 1

        Thanks for the link mate! 💙

    1. 1

      Company: AllSpice

      Company site: https://allspice.io/

      Position(s): Rust Backend Engineer (data structures), Rust Software Intern (paid), Vue/JS/TS Software Intern (paid), Infrastructure Consultant (contract)

      Location: REMOTE or Somerville, MA

      Description: At AllSpice, we’re building the future of hardware development and collaboration, applying modern agile design principles to the hardware industry with revision control, design review, and automated test (think GitHub/Bitbucket for hardware). We have a highly-capable, tight-knit, remote-first team with a flex office in Somerville, MA and competitive benefits. We strongly value continuous communication and personal development.

      Tech stack: Depends on the role but we have Rust, Go, Vue, and Docker among others

      Compensation: Competitive salary & equity, health, dental, vision, generous PTO, home office stipend.

      Contact: kyle@allspice.io or jobs@allspice.io with a link to your GitHub/GitLab profile and/or resume

      1. 1

        Docker + debian:oldoldstable would be more straightforward, no?

        1. 2

          Old images are the standard in the Python world, yes (usually with CentOS 7-based images). Except when you need more modern toolchains this gets to be a pain. Like, I’m doing cross-language LTO between Rust and C, so I need clang 13, and you can’t get that for really old distros…

          (But the linked technique doesn’t seem viable for Rust, so doesn’t actually help me).

          1. 1

            Yep fair enough, that makes sense.

        1. 1

          I always thought that they had a bad name for what they were, and cried out ergonomics from an end-user perspective.

          1. 7

            As long as you’re going to store your TOTP secrets directly on your machine, this feels way “crappier” than just using KeePassXC or similar. Am I missing something?

            1. 6

              It does seem to be missing the point somewhat. TOTP is a protocol for doing crypto with a human in the middle. Putting the human in the middle is there precisely so that the private key can be on a completely different machine to the one that you’re using to log in. The ‘crappy’ authenticator apps (I’ve used the one from F-Droid, which is a fork of the last open-source release of the Google one) manage this for you.

              If you’re willing to store the shared secret on the same machine that you use for logging in, then an attacker who compromises that machine can just exfiltrate it directly. If it’s stored in cyphertext on disk (protected by some key) then you’re not vulnerable to offline attacks if someone steals your computer but you are vulnerable to online attacks. If someone compromises your computer then they can read the secret out of memory and impersonate you.

              With TOTP and a separate device then they need to do online, live attacks: just exfiltrating the one-time password doesn’t help because it stops being valid a few seconds later and they need to log into the remote system in that time window.

              You get a small amount of extra security from OTP vs passwords by storing the secret on the same machine. If the attacker is able to compromise your browser then they can leak your password but they can’t leak the secret without a separate sandbox escape that allows them to compromise the credentials manager.

              Both are weaker than using WebAuthn. Now that pretty much all desktop and mobile browsers support WebAuthn with platform authenticators, there’s no excuse for using passwords or TOTP. With a TPM, Windows can protect your credentials with biometrics and require a full OS compromise to gain the ability to fake signatures (but not to . Android and iOS / macOS both provide mechanisms. Android will use a separate hardware store if available, a TrustZone-isolated component if not. iOS and macOS will use the Secure Element, on older Macs there’s an emulator that stores credentials in the Keychain, which is much less good for security, but the best you can do on the older hardware. Not sure what the situation is on Linux / *BSD.

              1. 2

                There is another angle to this which might be of more practical relevance to most people: on some services, enabling 2FA makes it materially harder for support personnel to reset your credentials. I suspect that the vast majority of people are more likely to have their accounts hacked via social engineering than any sort of credential theft, at least if they’re switched-on enough to avoid installing banking trojans. In that light, enabling 2FA is just a way to opt into something like AAA service you don’t have to be an eight-figure customer for, and it doesn’t really matter how secure your TOTP secret is.

                1. 1

                  makes it materially harder for support personnel to reset your credentials

                  Yep, ask microsoft about that if they think you’re not using that account often enough. Fun support call times.

              2. 3

                I think that really comes down to what exactly you’re trying to secure with TOTP or rather 2FA.

                In the original sense: An attacker has to have one more thing than your password and at best more control than only over your PC (with which you’re logging in). Except I don’t trust my phone more than I can throw it and I do use a password manager with long randomized passwords. And I do use a yubikey as 2FA for my password manager. (with this I have probably now leaked everything important about me)

                So TOTP to me is mostly a pain that protects me against websites that counter brute force attacks with 2FA*. And it makes those websites shut up about setting up TOTP (let’s be honest: “please enter your phone number”).

                And then there is the issue with most people logging into websites also on mobile. So you’re down to one device and the hopes that the per-app isolation of iOS/Android is better than on your PC (which may be true). But that doesn’t help the case that an attacker only requires access to your phone now.

                *Except there are backup codes which are essentially static passwords. Which also highlights the problem of using only your phone for 2FA, I wouldn’t bet on recovering a google account with 2FA after you lost your phone and backup codes - even if you did send them your passport to verify your youtube-over-18-age / bought a lot of stuff with some form of traceable credit card you can verify yourself with. In fact I had to go through multiple hoops because microsoft found my account usage weird and didn’t trust my TOTP to identify myself.

                1. 2

                  I never understood putting 2FA into your primary password manager.

                  This makes it a single point of failure. If your password manager is hacked, leaked, or your database is lost/deleted, then you’ve lost everything all at once.

                  Maybe I’m wrong on this - but I keep my TOTP stuff in a separate app to my password manager (Aegis, in this case). And backup the encrypted keys/database when I add a new TOTP code (which doesn’t happen very often these days).

                  1. 1

                    You’re completely correct here. Some prefer to take the risk in exchange for the convenience.

                    1. 1

                      There is not much convenience in needing to enter a second form, and no added security either, since if your password is already in a password manager, your TOTP code is too.

                      1. 1

                        Well, there is still security against weird unlikely scenarios like “you’ve entered the credentials into a public PC that was keylogged”. (Some would consider the “compromised personal device” scenarios just as unlikely…) And as mentioned in a comment above, recovery policy improvements that happen in some places due to enabling any 2FA. But yeah, TOTP is really unimpressive in terms of what security it can provide.

                  2. 1

                    Sometimes you’re happy with a password but someone else has decided that you have to have 2FA.

                    1. 1

                      I meant to suggest that using oathtool was a “crappier” approach to using TOTP than using KeePassXC or similar. Not that using TOTP altogether was crappy.

                      1. 1

                        Right, and if you think that TOTP altogether is crappy, then it’s just fine to use oathtool :)

                  1. 1

                    As long as you’re going to store your TOTP secrets directly on your machine, this feels way “crappier” than just using KeePassXC or similar. Am I missing something?

                    1. 3

                      Like friendlysock I would deploy this on a VPS since you’ve already got it running in compose. If you select a budget provider who charges by the hour (Vultr is my personal preference), this can be achieved for less than a dollar.

                      On another note, this sounds a lot like a take-home interview assignment. If this is the case, and they’re expecting you to host it at your own expense instead of providing a way for you to do so at theirs, that’s a red flag.

                      1. 5

                        this sounds a lot like a take-home interview assignment.

                        No. It’s voting by SMS application for a local festival. Now a selected jury makes the voting, but everybody is complaining about the outcome every year. So I would like to “democratize” the vote :) It’s a volunteer task.

                        1. 3

                          Good on you mate 👍

                          1. 2

                            Another thing to consider if you haven’t already: I’ve seen several demos and launches of SMS things like this that fell over not because the backend couldn’t scale, but because their SMS gateway didn’t – either it couldn’t handle the traffic, or triggered some throttling or abuse detection or something when the live event sent a sudden surge of traffic.

                            1. 3

                              What are you using to send SMS? I am planning to use Twilio and only to send, every user will get a magic unique link to access the voting poll.

                              1. 1

                                I haven’t had this failure mode hit me fortunately! I’m just speaking from things I’ve seen happen or been on the user side of something failing during an event.

                                I have used Twilio, but only for a very different usage pattern more like one on one conversation over SMS, so never had to deal with these kinds of spiky traffic patterns. Sibling’s comment about 10DLC sounds important, but I don’t have much other detail to add.

                                1. 1

                                  Ah, you might want to look into 10DLC and see if it applies to your use case. Telcos hate people sending URLs.

                                  1. 1

                                    Thank you for this advice. I will investigate about it.

                          1. 10

                            NB: I’m not the author, though the excellent @jvns is!

                            I’ve written numerous tiny scripts and programs to mold my desktop workflow to my wants. One of my favorites is a series of scripts that lets me search through files (filtering with rofi/dmenu) in predetermined locations in my homedir, and then pipes the file name to a custom plumber script (written in fennel) that uses file name and mime type to determine a program to open the file; it’s incredibly fast for finding random files! The script also has a few regexen for opening urls, it’s nice for things like opening youtube links directly in mpv.

                            Another one is a screenshotting script that combines slurp (choosing windows/rectangles on screen), grim (wayland screenshotting), and uploading directly to an image pastebin for really fast screenshot sharing.

                            In a similar spirit, I often end up writing many small elisp functions for individual projects to reduce the friction of the development cycle. I’m currently taking an undergraduate operating systems course, and I have a function that lets me quickly choose a user program to boot up the OS under qemu with gdb, of course taking advantage of emacs’ gdb mode. I love how easy emacs makes it to write tiny bits of software to support and integrate my workflows!

                            1. 2

                              That sounds a bit like “godothecorrectthing” (https://github.com/andrewchambers/godothecorrectthing), which acts on the clipboard’s content.

                              1. 1

                                regexen

                                Love this!

                              1. 3

                                Company: CyberArk - Conjur Team

                                Company site: https://www.conjur.org/

                                Position: Senior Software Engineer

                                Location: USA (REMOTE)

                                Description: Our primary product is Conjur, an enterprise secrets vault and privilege engine for DevOps, Cloud and IaaS built upon our open source core. Engineers work on a wide variety of projects, from integrations with DevOps tools to moonshot projects that seek to revolutionize the world of DevOps security.

                                Tech stack: Ruby+Rails, Golang, Postgres, Docker+k8s, AWS

                                Contact: https://careers.cyberark.com/job/Senior-Software-Engineer/708008901/ (big bonus points for completing the puzzle instead of applying directly), or message me.

                                1. 15

                                  Please consider signing the open letter against these changes: https://appleprivacyletter.com/

                                  1. 10

                                    Are you going to post an open letter for Microsoft, Google, DropBox, Facebook, Twitter, and all the other companies who have used the exact same database for this exact purpose for the last decade?

                                    1. 8

                                      Which provider has previously used this list against images that aren’t stored on their infrastructure?

                                      1. 4

                                        Images sent via iMessage are stored on Apple’s infrastructure.

                                        1. 1

                                          I think the question had implied “stored in plain text”. iMessage doesn’t do that.

                                          1. 6

                                            Right. So, every other provider has direct access to your photos, and scans for CSAM with their direct access. Apple, rather than give up their E2E messaging, has devised a privacy-preserving scheme to perform these scans directly on client devices.

                                            I really don’t understand how Apple is the bad guy here.

                                            1. 4

                                              Other providers that scan cleartext images are off the hook, because they’ve never had E2E privacy guarantee.

                                              [smart guy meme]: You can’t have encryption backdoor if you don’t have encryption.

                                              Apple’s E2E used to be a strong guarantee, but this scanning is a hole in it. Countries that have secret courts, gag orders, and national security letters can easily demand that Apple slip in a few more hashes. It’s not possible for anyone else to verify what these hashes actually match and where they came from. This is effectively an encryption backdoor.

                                        2. 3

                                          If I understood what I read, although the private set intersection is done on device, it’s only done for photos that are synced with iCloud Photo Library.

                                          1. 2

                                            Apologies to all in this thread. Like many I originally misunderstood what Apple was doing. This post was based on that misunderstanding, and now I’m not sure what to do about it. Disowning feels like the opposite of acknowledging my mistake, but now I have 8 votes based on being a dumbass 🙁

                                            1. 2

                                              iCloud Photos are stored on Apple infrastructure.

                                          2. 4

                                            This page gets the scope of scanning wrong in the second paragraph, so I’m not sure it’s well researched.

                                            1. 3

                                              how so? can you explain?

                                              “Apple’s proposed technology works by continuously monitoring all photos stored or shared on a user’s iPhone, iPad or Mac, and notifying the authorities if a certain number of objectionable photos is detected.”

                                              seems like an appropriate high-level description of what is being done, how is it wrong?

                                              1. 7

                                                I may be wrong but, from what I understood, a team of reviewers is notified to manually check the photos once a certain number of objectionable photos is detected, not the authorities… If (and only if) the team of reviewers agrees with the hash matches, they notify the authorities.

                                                This is a detail but this introduces a manual verification before notifying the authorities, which is important.

                                                From MacRumors:

                                                Apple’s method works by identifying a known CSAM photo on device and then flagging it when it’s uploaded to ‌iCloud Photos‌ with an attached voucher. After a certain number of vouchers (aka flagged photos) have been uploaded to ‌iCloud Photos‌, Apple can interpret the vouchers and does a manual review. If CSAM content is found, the user account is disabled and the National Center for Missing and Exploited Children is notified.

                                                Link to the resource: https://www.macrumors.com/2021/08/05/apple-csam-detection-disabled-icloud-photos/

                                                1. 1

                                                  Second paragraph of the AP article

                                                  The tool designed to detected known images of child sexual abuse, called “neuralMatch,” will scan images before they are uploaded to iCloud

                                                  This resource from Apple also states that only images uploaded to iCloud are scanned.

                                                  1. 2

                                                    This quote you cite figures nowhere within the page.

                                                  2. 1

                                                    Apple’s proposed technology works by continuously monitoring photos saved or shared on the user’s iPhone, iPad, or Mac.

                                                    Only photos uploaded to iCloud Photos are matched against known hashes.

                                                2. 4

                                                  Or just don’t buy an Apple device. Do you really think a trillion dollar company cares about digital signatures?

                                                  1. 6

                                                    I think this is a good statement of intent though.

                                                    I just bought an iPhone 12 and would be otherwise unlikely to be noticed as a lost sale until the iPhone 14~ since most people don’t upgrade a single minor version.

                                                    Giving them warning that they have lost me as a customer because of this is a good signal for them. If they choose not to listen then that’s fine, they made a choice.

                                                    Also the more noise we make as a community; the more this topic gains attention from those not in the industry.

                                                    1. 4

                                                      I didn’t mean to make some sort of “statement” to Apple. I find that idea laughable. What I meant is that if you are really concerned about your privacy to the point where scanning for illegal images is “threaten[ing] to undermine fundamental privacy protections” (which I think is reasonable), then why buy Apple in the first place? This isn’t the first time they have violated their users’ privacy, and it certainly won’t be the last.

                                                      1. 6

                                                        What’s your proposed alternative?

                                                        I think Apple making a stance on privacy, often posturing about it a lot, does cause a lot of good will and generally those who prefer to maintain privacy have been buying their products. (myself included). You can argue that it’s folly but the alternatives are akin to growing your own vegetables on a plot of land in the middle of nowhere connected to no grid (a-la rooted android phones with f-droid) or google owned devices which have a significantly worse privacy track record.

                                                        1. 3

                                                          You oughta update your intel about the “alternative” smartphone space. Things have come a long way from “growing your own vegetables on a plot of land in the middle of nowhere connected to no grid.” The big two user-friendly options are CalyxOS and LineageOS with microG. If you don’t feel like installing an OS yourself, the Calyx Institute, the 501(c)(3) nonprofit which develops CalyxOS, even offers the Pixel 4a with CalyxOS preinstalled for about $600.

                                                          I’m running LineageOS on a OnePlus 6T, and everything works, even banking apps. The experience is somewhere between “nearly identical” and “somewhat improved” relative to that of the operating system which came with the phone. I think the local optimum between privacy-friendliness and user-friendliness in the smartphone world is more obvious than ever, and iOS sure ain’t it these days.

                                                        2. 2

                                                          It does seem folly to make a statement by not buying something, but consider this: When you vote, there are myriad ways that politicians have to dilute your impact (not going to enumerate them here but it’s easy to do). By comparison, when you make an economic choice, every dollar is counted in full, one way or another. So if you vote, and you should, then there’s every reason to vote with your pocketbook as well.

                                                  1. 5

                                                    Pet peeves:

                                                    #!/usr/bin/env perl
                                                    use strict;
                                                    use warnings;

                                                    1. 4

                                                      or

                                                      #! /usr/bin/env perl
                                                      use Modern::Perl '2015';
                                                      1. 5

                                                        I personally find it clearer to do

                                                        use v5.12; # or whatever
                                                        use warnings;

                                                        Versions 5.11 and above automatically activate strict mode. Specifying the exact version number plus a line activating warnings isn’t too much boilerplate, I think.

                                                        1. 2

                                                          I like the Modern::Perl invocation because you get say too.

                                                          But it is an extra dependency for sure.

                                                          1. 2

                                                            use v5.10 and later should also enable say.

                                                            1. 2

                                                              TIL, thanks.

                                                              TBH I just started using Modern::Perl after getting the book. I’ve added the boilerplate as an abbrev in Emacs so I don’t have to bother with remembering it.

                                                        2. 2

                                                          also of note —

                                                          $ perldoc perldelta
                                                           ...
                                                          $ perldoc perl5120delta
                                                          
                                                                  use 5.12.0;
                                                          
                                                              means:
                                                          
                                                                  use strict;
                                                                  use feature ':5.12';
                                                          

                                                          Also learned that 5.12 is Y2038 compliant

                                                          It may not mean much to you, but your kids will love it! :-)

                                                          1. 4

                                                            That’s good to know! My plan to live forever is working so far…

                                                        3. 2

                                                          Hahah, yeah, fair enough. I usually do all that (hm, well, not always env – there are some tradeoffs) but I figured if I was going to go old-school may as well go all the way. Inscrutable runtime errors are the spice of life, right?

                                                          1. 1

                                                            For those of us who haven’t used perl in a long time (and IIRC were taught this way), what should we be doing instead and why?

                                                            1. 1

                                                              I think spetz was saying I /should/ have done those things but didn’t. If you learned to do things that way, I think you’re still good-to-go. Though some folks up-thread mentioned some other options that may have additional benefits if you’re running a recent-enough version of Perl.

                                                              1. 2

                                                                Exactly, my fingers automatically type strict and warnings when starting a new perl file. I read up on the other examples and I like them.

                                                                Personally I don’t care for ‘say’ and use print/printf but there are other benefits. In my world mostly that the script will behave on a server the same way it does when developing it, and that’s a point I will take with me.

                                                                1. 1

                                                                  Oh you’re no doubt correct, my bad, ty.

                                                            1. 5

                                                              I’ve always felt like my usage of strace was very contrived, but this makes me feel much better, thank you!

                                                              1. 1

                                                                I like “junk”, that way it’s clear to others it’s unimportant.

                                                                1. 1

                                                                  For context: https://lobste.rs/s/blhsea

                                                                  The long and short of it is that for ~2 months Backblaze’s usage of a Facebook “pixel” on signed-in pages resulted in Facebook getting the names and sizes of files displayed in the B2 web UI.

                                                                  1. 4

                                                                    Hopefully actually get some writing done. There was a situation over the weekend and it’s left me with not enough motivation to write.

                                                                    1. 1

                                                                      Hope things improve and you feel better soon mate!

                                                                    1. 3

                                                                      Why would I use screen over tmux? Honestly curious, have no experience with screen.

                                                                      1. 7

                                                                        It’s often preinstalled. Many users are familiar with it over tmux for that reason.

                                                                        1. 6

                                                                          There are many reasons, none of them is really general:

                                                                          • Being oldschool and being used to it. tmux is different and even if you change Ctrl-B back to Ctrl-A, it’s not a drop-in replacement.
                                                                          • Missing serial console support in tmux and some other more exotic features missing in tmux (probably on purpose).
                                                                          • IMHO easier to configure (albeit definitely less mighty)

                                                                          (Disclaimer: I’m the author of the linked blog posting and the maintainer of Debian’s screen package, so I’m probably biased. ;-)

                                                                          1. 5

                                                                            Screen is good enough, I know the shortcut keys I need and it does serial ports. There is nothing I need that it doesn’t do, so why change? Not all change is progress…

                                                                            1. 7

                                                                              Good summary, yes. :-)

                                                                              There are admittedly also some downsides: Most of the code of screen is ancient, has only few comments and is not easy to understand. It’s older than the Linux kernel. And despite it’s a GNU project these days, it started as IIRC “BSD Screen Manager” or so on BSDs.

                                                                              1. 1

What’s wrong with old code?

                                                                                1. 3

                                                                                  The rest of the sentence says:

                                                                                  has only few comments and is not easy to understand

                                                                                  So, harder to maintain, fix, improve upon?

                                                                                  1. 1

That would be an issue, but I don’t see what that has to do with the age of the code.

                                                                                    1. 2

                                                                                      Different common sense and coding style now and back then.

                                                                                      1. 2

                                                                                        Maybe, but two developers today may differ just as much in their common sense and coding style. It can be a pain to work on a code base written in a fancy IDE, if the author leaned on syntax highlighting and auto-completion to compensate for clunky names. There are a lot of factors that could make old code better or worse than new code.

                                                                                  2. 3

                                                                                    Nothing in general, but it tends to accumulate issues over time:

                                                                                    • Occasionally stops compiling with newer, more strict compilers.
                                                                                    • Does not adhere to current coding standards which usually focus on readability and avoiding common errors → harder to read, more error prone.
                                                                                      • Also might hinder attracting new contributors or maintainers.
• The current maintainers might no longer know what the code was for if the original authors are no longer around.
• At least Screen is known to have support for quite a few dead operating systems (think SunOS, etc.). These kinds of tweaks can cause issues on modern operating systems. The master branch in Screen’s git repo has some cleanup on that, but unfortunately also kicked out some features which are still in use. No release has been made out of that branch anyway. I suspect that it will become version 5 if there is ever a release out of that branch.
                                                                            2. 2

                                                                              In addition to the other answers… tmux feels generally more vim-like, while screen is more emacs-like. If you already have a preference in that game, that tends to color your perceptions of them.

                                                                              1. 2

                                                                                Any chance you could elaborate on that? I’ve never gone deep into configuring either of them, but by default both feel more emacsy in bindings. What is there beyond that?

                                                                                1. 2

                                                                                  Interesting. Never came to that thought, but at least it seems to fit for me: I’m a GNU Emacs (and GNU Zile) guy. :-)

                                                                                  Then again: I don’t see where Screen is very emacs-ish. So I’d also be interested in a more detailed explanation.

                                                                              1. 1

I recently used Ubuntu Server to make a wired firewall / home router / Pi-hole on an rPi4. It takes a lot of work to figure out, but it seems like there is potential for a simple web GUI to configure it all. I’ve had no problem with throughput, resource usage or latency.

                                                                                1. 2

                                                                                  OpenWRT has snapshot support for the rPi4 (and full support for previous models). I use it with two TP-Link UE300s and get full gigabit throughput. The web UI and package ecosystem are fantastic, and configuration from scratch shouldn’t take more than a couple of hours for a new user. Happy to answer any questions 👍

                                                                                  1. 1

                                                                                    This! I haven’t tried OpenWRT on rPi4 yet, but I’m using it on a rPi3 with low bandwidth requirements (due to obvious reasons) and it has been great so far.

                                                                                    I just wished I could run VyOS on a rPi4 at some point.

                                                                                    1. 1

I had looked at OpenWRT. I previously had a really good experience running DD-WRT on an old D-Link router.

One thing I wanted to do this time was to run Pi-hole, and that looked a bit tricky to do with the OpenWRT setup. Maybe in the future I can virtualize the rPi to make it more possible. At the end of the day I guess I really just needed the FTL instead of dnsmasq.

The Ubuntu setup was also a learning experience for me with IPv6. I struggled a lot trying to get that to work. In fact I’m still stuck with having to manually run dhclient after boot because the network manager didn’t seem to obey the config.

                                                                                    2. 1

Even an rPi3 should have enough CPU horsepower to handle a lot of traffic, but it’s limited by its NIC effectively being a USB device, limiting it to ~300 Mbps.

                                                                                      If you try OpenWRT you’ll get the web ui you are thinking of, but not pihole as such. But then you’d have an excuse to buy another rPi4 ;)

                                                                                      1. 2

The rPi4 has the fast USB 3, so I get full gigabit out of the native NIC for LAN and USB for WAN. I don’t have gigabit internet (150 Mbps) and my load is basically <1%.

                                                                                    1. 1

                                                                                      I use BlitzMail on Android (also available on Play). Easy enough to compile several versions if you want multiple.

                                                                                      I also use Signal “note to self” for sensitive stuff, and GSConnect on GNOME.