You definitely should still check this, but even with proper indexing settings Windows is still garbage at search and has been since XP.

And this is coming from one of the only people who ever defends MS on Lemmy.

Yep, that would work fine for the first line of defense. Eventually, you can expand it to copy, replicate, or drive swap the onprem backups offsite somewhere (e.g., cloud, office, or family member) if you want to protect your data from site loss (e.g., house fire).

The only thing missing is a good backup.

If you are storing anything important – especially Immich and Vaultwarden data – you should have a good offsite protection strategy. And even the HASS config should be backed up with versioning because rebuilding from scratch could be painful once you get deep into it.

I’ll let others chime in on possible good backup options because I use Veeam and Azure, which really isn’t in the spirit of this community, and I’d be interested in good open source options myself.

Also, RAID (mirroring) is NOT a backup.

Lol Microsoft is not even close to a walled garden. This is just them removing the password manager feature that nobody used from their authenticator app.

No that’s not how it works. Handling a larger address space (e.g., 32-bit vs 64-bit) maybe could affect speed between same sized modules on a very old CPU but I’m not sure that’s even the case by any noticeable margin.

The RA in RAM stands for random access; there is no seeking necessary.

Technically at a very low level size probably affects speed, but not to any degree you’d notice. RAM speed is actually positively correlated with size, but that’s more because newer memory modules are both generally both bigger and faster.

Hard disagree. It only applies for things you cannot change but should try to accept rather than stressing over it.

If you say “it is what it is,” in reference to things you could change but choose not to, well that’s on you.

Same here. No issues.

Device information

Sync version: v24.03.26-14:56
Sync flavor: googlePlay

The easiest way that doesn’t affect the main network would be to use a travel router. Its WAN IP would be the private IP it gets from the main network (over wireless since that’s your only option). And it would NAT your network onto that IP and then you can do whatever you want on your network.

I’m not sure if that Mikrotik router will do this but it might. You basically need something that can connect to an SSID and use that interface as its WAN interface. The wireless factor here is really limiting your choices. If you had a wired uplink to the main network you could use any router/gateway/firewall you wanted. You could also use an AP in bridge mode to connect to the main network’s SSID and wire it to the WAN port of any router of your choice.

You don’t really need to use VLANs to separate your network from the main network unless you want to share any of the same layer 2 segments (basically wired Ethernet) while keeping it isolated. But it doesn’t really sound like that applies in your scenario. Of course using VLANs within your network would still make sense if that applies (for example, to separate your server traffic from your IoT traffic).

Definitely malware, as everyone has already said.

https://www.malwarebytes.com/blog/news/2025/03/fake-captcha-websites-hijack-your-clipboard-to-install-information-stealers

They’re only killing the crappy store/UWP version that nobody used anyway and only caused confusion. The normal OneNote bundled in Office isn’t going anywhere as far as I know.

That said, I’ve moved a lot of my note taking to Obsidian. It’s not a perfect replacement but it’s a fantastic markdown editor and now I use both for different use cases.

Multiple monitor support would be nice but that’s probably a ways off.

I heavily use both and this is objectively untrue.

This is a good answer.

To add, for Linux kernels, the maintainer use a shim EFI package with the distro’s keys (e.g., Canonical’s keys for Ubuntu) which loads the maintainer-signed kernel. And Microsoft signs the shim to keep the chain intact.

I don’t deal with hardware much anymore, but I’d take Aruba over Cisco any day. But for everything else, yeah fuck HP.

I’m Ron Burgundy?

As another poster mentioned, QubesOS with anti evil maid will work, but that’s the defense against state actors too and is overkill for this threat model.

BitLocker or any FDE using SecureBoot and PCR 7 will be sufficient for this (with Linux you also need PCRs 8+9 to protect against grub and initramfs attacks). Even if they can replace something in the boot chain with something trusted, it’ll change PCR 7 and you’d be prompted to unlock with a recovery key (don’t blindly enter it without verifying the boot chain and knowing why you’re being prompted).

With Secure Boot alone, the malicious bootloader would still need to be trusted (something like BlackLotus).

Also make sure you have a strong BIOS password and disable boot from USB, PXE, and anything else that isn’t the specific EFI bootloader used by your OS(es).

I will never understand how anyone could come to thinking aspic was a good idea.

https://en.m.wikipedia.org/wiki/Aspic

And what about taking a nice drive down Jean Baptiste Pointe du Sable Lake Shore Drive?

Not that it’s my first recommendation for security reasons, and I would never do this in prod, but you can just add the self-signed cert to the local trusted root CA store and it should work fine. No reg changes needed.

If you do this, put it in the store of the user running the client, not LocalMachine. Then you just need to make sure you connect as something in the cert’s SAN list. An IP might work (don’t know since I never try to put IPs in the SAN list), but just use a hosts entry if you can’t modify local DNS.

Edit: after reading the full OP post (sorry), I don’t think it’s necessarily the self-signed cert. If the browser is connecting with https:// and presenting a basic auth prompt, then https is working. It almost sounds like there is a 301/302 redirect back to http after login. Check the Network tab of the browser’s dev pane (F12) to see what is going on.