• 0 Posts
  • 16 Comments
Joined 1 year ago
Cake day: July 7th, 2023

  • In a centralized management scenario, the central controlling service needs the ability to control everything registered with it. So, if the central controlling service is compromised, it is very likely that everything it controlled is also compromised. There are ways to mitigate this at the application level, like role-based and group-based access controls. But, if the service itself is compromised rather than an individual’s credentials, then the application protections can likely all be bypassed. You can mitigate this a bit by giving each tenant their own deployment of the controlling service, with network isolation between tenants. But, even that is still not fool-proof.

    Fundamentally, security is not solved by one golden thing. You need layers of protection. If one layer is compromised, others are hopefully still safe.


  • If we boil this article down to its most basic point, it actually has nothing to do with virtualization. The true issue here is actually centralized infra/application management. The article references two ESXi CVEs that deal with compromised management interfaces. Imagine a scenario where we avoid virtualization by running Kubernetes on bare metal nodes, and each Pod gets exclusive assignment to a Node. If a threat actor has access to the Kubernetes management interface, and can exploit a vulnerability to access that management interface, it can immediately compromise everything within that Kubernetes cluster. We don’t even need to have a container management platform. Imagine a collection of bare-metal nodes managed by Ansible via Ansible Automation Platform (AAP). If a threat actor has access to AAP and exploits it, it then can compromise everything managed by that AAP instance. This author fundamentally misattributes the issue to virtualization. The issue is centralized management, and there are significant benefits to using higher-order centralized management solutions.

  • First, let’s assume we’re all intelligent people here and not be condescending.

    I am not saying it’s not possible to view high resolution content at 25 mbps. I am saying that certain content just can’t encode at full fidelity at 25 mbps. In my experience, high action scenes with tons of entropy to encode do not compress well. And those scenes degrade and become muddy or pixelated at lower bitrates. Do you need it for the entire stream? No. But sadly, to save on bandwidth many streaming services also severely limit how much buffering their clients will do.

    Even all this said, we’re talking about tens of megabits of difference. Significant portions of the world have managed to offer gigabit internet to practically everyone in their jurisdiction. And yet, we’re here in the dark ages with 25/3. And sure, you could say “America has significantly more rural areas, those customers are hard to serve.” But, I’ve got family in coal-country West Virginia that have gigabit fiber. There are no technical hurdles. These companies just don’t want to upgrade their infrastructure.

  • Annoying, yes, but I’d argue that’s likely the simplest and most performant approach. At best (iptables NAT), you’d be adding an extra network hop to your SMB connections, which would affect latency, and SMB is fairly latency sensitive, especially for small files. And at worst (Traefik), you’d be adding a user-space layer 7 application that needs to forward every bit of traffic going over your SMB connection.

  • I have a feeling routing SMB traffic through Traefik is going to be a performance and latency nightmare. Is your TrueNAS VM’s network interface bridged to your home network? If so, use a static IP and just have clients connect directly. If not, your best bet is likely iptables NAT to forward a port from your Proxmox server’s IP to the TrueNAS VM.