Whether or not you're being overly paranoid depends on your needs.
As I said on another comment, my use can be tracked by volume and timing, but since I'm only connecting to my house or my in-laws', and using an exit node on one of them, I'm not doing anything with it that I wouldn't do openly from my house. If I were hosting Anna's Archive, it would not do.
As noted by others, Headscale works if you want fully self-hosted. The features it doesn't have aren't important to the typical home user. The free tier of Tailscale is really, really easy to set up and a very non-technical user can just use it if someone with even modest skills, like me, sets it up. That's why I use it. I can talk my wife through how to use Tailscale over the phone. I can set up OpenVPN or Wireguard (I set up an OpenBSD firewall and NAT system in the mid-late 1990s for an office and used it with SSH tunnels and VNC to do some remote troubleshooting), but I can't troubleshoot it remotely with a nontechnical user.
You keep saying you don't mind timing and volume information being known by Tailscale, but much more concerning than that is that they can add peers to your tailnet. In fact that's how their optional open-port scanner service discovery feature works. And even if you trust Tailscale, which I generally do, then there is the concern that they only support login through SSO via identity providers. You have to trust them as well.
I have an iPhone. I pretty much have to trust Apple. If you took that over then yes, you could screw me over pretty hard.
And yes, they could add peers to my tailnet. That’s why every time I have talked about TS I say it’s about your threat model. I’m a home user, and while I wouldn’t just open up my network, there’s nothing here that will get me in prison or dead. If I had that kind of info it would never, ever meet the internet in any form.
I would be more cautious if I ran a large multinational corporation. I don’t. I think I can trust Tailscale not to be the operators of an enormous “residential IP VPN” botnet.
Tailscale has another interesting feature that I figured out entirely by accident: while the SSO planes (at least using Apple as SSO, rather than your own) may be blocked, the data planes and actual control planes usually are not. If your device is connected to your tailnet before joining a given WiFi, it will stay connected afterward.
The guest WiFi at work blocks OpenVPN connections, but established Tailscale slips by. I haven't tried straight Wireguard because I don't consider Tailscale having timing and volume data on me to be all that valuable to them, and they do mitigate the double-NAT situation. I do run a private peer relay for my tailnet but not a full DERP server, nor do I run Headscale.
Obviously, your personal security concerns play a role here, but I'm not doing anything I wouldn't do straight from my home network, so I see no reason to make my life harder. If you need that level of security, you need a different solution.
While waiting for someone in the hospital I recently played the fun game of "how can I work around their firewall stopping me from connecting to tailscale" that they kindly provided.
It was just blocking new connections. Via SNI. Tailscale's control plane turns out not to care if SNI is sent. Tailscale's app lets you set a custom control plane... like a local proxy that forwards connections to Tailscale's servers without setting SNI.
I've seen this effect in several places, not just my work.
Of note: I do not work in the tech sphere. I suspect that this particular loophole may be used by IT personnel to be able to tell the management "yes, we block VPN use" while letting them continue to use their own VPNs. I see no reason to complain.
I suspect there's less thought put into it than that.
There's probably a firewall vendor that has a product that does SNI inspection for blocking things like pornhub and the product comes with a list of sites that includes VPN control planes.
I understand your point better now, but if that was really a risk I cared about, I wouldn’t have put it on the public Internet to begin with.
The worst they can do to me is make me tether, and my iPad will never hit that allotment. And, like I said, I think they use it themselves. So, no incentive to close their loophole.
Wait, tailscale survives connecting to a locked down wifi? That's insane. I remember not being able to use NordVPN at work. I'd just switch to 4G back then. But if you can't initiate a tailscale connection when connected to the office wifi, what does that mean?
Initiate while on mobile connection or tethered to one (or just leave it connected from home), use while on that WiFi.
EDIT: I figured this out because I brought my laptop from home to do a few things while at work that needed it. I noticed that my Tailscale connection (initially established at home) was working just fine. That's when I realized that it was the initial authentication that was blocked, not the service.
My phone is usually on my tailnet and my iPad is always on it (and using my home exit node), as a result. Using the exit node has a modest but noticeable effect on battery life, but just being connected is maybe 2% of battery a day. Negligible.
I think this is mostly a Wireguard thing and not specifically a Tailscale thing. Wireguard does what they call "cryptokey routing" where if you prove you possess a key that the other peer knows, you get the traffic (subject to firewall, allowed IPs list, etc etc). Wireguard stores the most recent address:port that it heard from a particular cryptokey on, but it natively lets peers roam, as long as only one roams at a time.
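A simplified model of the cryptokey-routing behaviour the comment above describes, added here as an illustration (not WireGuard's code and not the commenter's): public keys are placeholder strings, the handshake is assumed to have already authenticated each packet, and plain inner IPs stand in for decrypted packets. It shows the inbound check (inner source must fall inside the peer's AllowedIPs), the endpoint update that lets a peer roam, and outbound peer selection by longest matching prefix.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Peer:
    pubkey: str            # placeholder string, not a real Curve25519 key
    allowed_ips: list      # ip_network objects this peer may source / is routed for
    endpoint: tuple = None # most recent (address, port) a valid packet arrived from


class CryptokeyRouter:
    """Toy model of WireGuard cryptokey routing: key -> AllowedIPs -> endpoint."""

    def __init__(self):
        self.peers = {}

    def add_peer(self, pubkey, allowed_ips):
        self.peers[pubkey] = Peer(pubkey, [ipaddress.ip_network(n) for n in allowed_ips])

    def receive(self, pubkey, src_addr, inner_src_ip):
        """Inbound packet authenticated under pubkey, from outer src_addr,
        whose decrypted inner source IP is inner_src_ip."""
        peer = self.peers.get(pubkey)
        if peer is None:
            return "drop: unknown key"
        ip = ipaddress.ip_address(inner_src_ip)
        # The key proves identity, but the inner source must still be one of
        # the addresses configured for that key; otherwise the packet is dropped.
        if not any(ip in net for net in peer.allowed_ips):
            return "drop: inner source not in AllowedIPs"
        # Roaming: remember the latest address:port this key was heard from.
        peer.endpoint = src_addr
        return "accept"

    def route(self, inner_dst_ip):
        """Outbound: pick the peer whose AllowedIPs has the longest match."""
        ip = ipaddress.ip_address(inner_dst_ip)
        best = None
        for peer in self.peers.values():
            for net in peer.allowed_ips:
                if ip in net and (best is None or net.prefixlen > best[1].prefixlen):
                    best = (peer, net)
        return best[0].pubkey if best else None
```

A 0.0.0.0/0 entry on one peer is what an "exit node" amounts to at this layer: every destination not matched more specifically elsewhere is sent to that key.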
When I work at the local coffee shop I cannot SSH to my remote servers for work on their wifi, but if I connect to Tailscale and use my exit node at home I can. Lifesaver.
My work guest WiFi network allows only IPv4 HTTPS on port 443 and their own DNS. Everything else, including ICMP (ping), is blocked. Tailscale barely works as any persistent connection is dropped after 2-3 minutes.
Called this out and the security team said no one complains, that there is no use case and they do not want to deal with security risks.
Even if it's public land, you usually need a permit (though an America the Beautiful Pass is not that expensive and covers almost all federally-owned land).
However, the point was about the signs. You can find quite a lot of neat little things that you otherwise would have no easy way of discovering.
Texas has a bunch of state historical markers along even minor routes. They can be hard to catch at speed (most TX highways have a 70 MPH speed limit, even small ones), but there's typically a space where you can pull over and read it.
Windows menu navigation by keyboard allows almost everything to be done with no mouse, and macOS doesn’t. Alt-space, X will maximize a window from 3.0 to 11. Not a direct shortcut, more like the / menu of Visicalc or Lotus 1-2-3. Not as fast, but close, and better because it’s discoverable - if you forget, the menu is open and you can see the next step.
They smell like carrots when you break the fading blooms off, they tolerate high heat and full sun, and they are pretty. Flowers for gardens, not arrangements.
Yeah, but there was no way it was ever going to be cheap the way tapes were. Even portable CD players never got to the point that you would let a child just do what they wanted with one.
A problem that was mostly solved by 1995 or so as RAM got cheap enough for a decent buffer. Still not something you could go running with but they didn't skip in cars any more. A child could play with one. Not a toddler, but a responsible-ish 8-year-old.
I'm sure the app is wonderful. I've gotten pretty good at finding this data from other sources, though, and one huge problem is that a delay isn't a delay until the airline says it is. If you carry on every bag and have no special requirements, and you checked in online ahead of time (so you have your boarding pass), it's very useful info and I could see paying for the app.
But if, say, you are traveling with a pet that has to be verified at the counter, or you need to check a bag, the time windows for accepting those are set by the scheduled departure time. If your plane is still in the air or hasn't even left its origination airport (and, for the sake of argument here, we will assume you are flying from a smaller airport that doesn't have other aircraft that can easily be reassigned to your flight, so you know it will be delayed), it doesn't matter: they still close the check-in and baggage 45 minutes (on American; YMMV by airline) before scheduled departure. So you have no choice but to get there early and wait unless your airline actually declares the flight delayed when they know it will happen.
Thus, the MacBook Neo. For the average user who only occasionally needs a general-purpose computer, it's powerful enough. As the geek in my friends-and-family circle, it's what I will be recommending to most of them if they ask.
It would be ideal if we could come up with a way to get people paid to maintain a community firmware. However, that's a considerably harder problem than "you absolutely must allow community firmware to be flashed".
I agree. It's a harder problem and it's the more critical problem.
Businesses aren't incentivized to maintain it and hoping that the community can support it by opening it is perhaps necessary, but it's far from sufficient.
Either the business or maintainers need to be sufficiently incentivized--whether it's through funding, reputation, or something else (graduate-student torture).
I know NYC doesn't treat their water at all, but LA doesn't either?
My city runs on surface water, so we have treatment and then pump to storage tanks. You would have to be out for quite a while to run the city out of water, though - the tanks are large.
LA definitely treats the water. Both the surface water before consumption (I'd be surprised if any city doesn't do this) and the wastewater, for reclamation for nonpotable use like irrigation, and for recycling back into the general clean water supply.
The aqueduct water is specifically purified by the Los Angeles Aqueduct Filtration Plant. That plant is gravity fed, but it doesn't operate without power.
LA just has the advantage of having mountains in the city, so it's cheaper building more elevated water storage so the capacity lasts longer during power interruptions (which are also not as common or extended as they are in the east). They will still eventually run out if they're not replenished by powered pumps.
Where did you get that idea about NYC water being untreated? NYC treats its water. Chlorine is added if and when needed. Testing stations exist to evaluate water quality all around the boroughs, etc.
You can't have a city of millions of people and have the water be potable from the tap without testing and treatment.
> New York City’s water (including drinking water) is unfiltered, making it the largest unfiltered water system in the country. Were New York to begin filtering its water, it would cost the city approximately 1 million dollars per day to operate the filtration plant.
They have hundreds of sampling stations to check daily.
He was talking about the drinking water that comes from the faucet, not the sewage.
The untreated NYC water has tiny crustaceans in it, which make it not Kosher, which is why the bagels from a Jewish deli in NYC are so good. Go figure.