Looking at keepassXC doc I couldn’t find such setup. Maybe it’s possible, but maybe it also leads to trouble down the road. The “official way” seems to use cloud storage.

You keep saying external server for syncthing, but again: syncthing does direct data transfers, encrypted end to end, between devices.

I mention that but with a specific context.

• people with certain ISPs will need to use the relay transfer feature because direct connections can’t be established. Similarly, if you work in an office and you use the corporate network, you usually can’t have device-to-device working (can be both from a technical POV and from a policy POV).
• even with 0 data transfers, servers still have some trust in establishing your direct connections. I know that syncthing uses keys to establish connections, but that’s why I mentioned CVEs. If there is one, your sync connection could be hijacked and sent elsewhere. It’s a theoretical case, I don’t think it’s very likely, but it’s possible. The moment you have a server doing anything, you are extending trust.

In those cases then yes, you are extending a bare minimum trust, and you fully encrypted data would temporarily pass on the relay’s RAM

And from my (consumer) PoV this is functionally equivalent to have the data stored on a server. It might not be all the data (at once), it might be that nobody dumps the memory, but I still need to assume that the encrypted data can be disclosed. Exactly the same assumption that should be made if you use bitwarden server.

If this makes you paranoid

Personally it doesn’t. As I said earlier, it’s way more likely that your entire vault can be taken away by compromising your end device, than a sophisticated attack that captures encrypted data. Even in this case, these tools are built to resist to that exact risk, so I am not really worried. However, if someone is worried about this in the case of bitwarden (there is a server, hence your data can be disclosed), then they should be worried also of these corner cases.

I just get nothing from Bitwarden that syncthing and KeePass don’t offer more easily.

You can say many things, but that keepass + syncthing is easier is not one of them. It’s a bespoke configuration that needs to be repeated for each device, involving two tools. bitwarden (especially if you use the managed service) works out of the box, for all your devices with 0 setup + offers all features that keepass doesn’t have (I mentioned a few, maybe you don’t need them, but they exist).

I don’t know how or why you would have vault conflicts, but it really does sound like something fixable

At the time I did not use syncthing, I just used Drive (2014-2017 I think), and it was extremely annoying. The thing is, I don’t want to think about how to sync my password across devices, and since I moved to bitwarden I don’t have to. This way I don’t need to think about it, and also my whole family doesn’t have to. Win-win.

That said, if you are happy with your setup, more power to you. I like keepass, I love syncthing, I have nothing against either of them. I just came here to say that sometimes people overblow the risk of a server when it comes to a password manager. Good, audited code + good crypto standards means that the added risk is mininal. If you get convenience/features, it’s a win.

Agree on the versioning issue. In fact I mentioned that the issue is convenience here. It is also data corruption, but you probably are aware of that if you setup something like this. Manually merging changes is extremely annoying and eventually you end up forgetting it to do it, and you will discover it when you need to login sometime in the future (I used keepass for years in the past, this was constantly an issue for me). With any natively sync’d application this is not a problem at all. Hence +1 for convenience to bitwarden.

However KeePassXC’s sync feature does sync the vault.

How does it work though? From this I see you need to store the database in a cloud storage basically.

For mobile I just give syncthing full permission to run in the background and have never had issues with the syncing on the folders I designate.

I use this method for my notes (logseq). Never had synchronization problem, but a lot of battery drain if I let syncthing running in the background.

Nothing else passes through it unless you opt into using relaying in case you have NAT issues.

I guess this can be very common or even always the case for people using some ISPs. In general though, you are right. There is of course still the overall risk of compromise/CVEs etc. that can lead to your (encrypted) data being sent elsewhere, but if all your devices can establish direct connections between each other, your (encrypted) data is less exposed than using a fixed server.

If you are paranoid, the software is open source and you can host your own relays privately,

This would also defeat basically all the advantages of using keepass (and family) vs bitwarden. You would still have your data in an external server, you still need to manage a service (comparable to vaultwarden), and you don’t get all the extra benefits on bitwarden (like multi-user support etc.).

To be honest I don’t personally think that the disclosure of a password manager encrypted data is a big deal. As long as a proper password is used, and modern ciphers are used, even offline decryption is not going to be feasible, especially for the kind of people going after my passwords. Besides, for most people the risk of their client device(s) being compromised and their vault being accessible (encrypted) is in my opinion way higher than -say- Bitwarden cloud being compromised (the managed one). This means that for me there are no serious reasons to use something like keepass (anymore) and lose all the convenience that bitwarden gives. However, risk perception is personal ultimately.

Few reasons, with the most important being convenience. Syncthing is going to see just a binary blob as the password storage is encrypted. This means it is impossible for syncthing to do proper synchronization of items inside the vault. Generally this is not a problem, but it is if you happen to edit the vault on multiple devices and somehow syncthing didn’t sync yet the changes (this is quite common for me on android, where syncthing would drain the battery quite quickly if it’s always actively working). For bitwarden on the other hand the sync happens within the context of the application, so you can have easy n-way merge of changes because its change is part of a change set with time etc.

Besides that, the moment you use syncthing from a threat model point of view, you are essentially in the same situation: you have a server (in case of syncthing - servers) that sees your encrypted password data. That’s exactly what bitwarden clients do, as the server only has access to encrypted data, the clients do the heavy lifting. If the bitwarden server is too much of a risk, then you should worry also of the (random, public, owned by anybody) servers for syncthing that see your traffic.

Keeshare from my understanding does use hosting, it uses cloud storage as a cloud backend for stateful data (Gdrive, Dropbox etc.), so it’s not very different. The only difference would be if you use your private storage (say, Synology Drive), but then you could use the same device to run the bit/vaultwarden server, so that’s the same once again.

The thing is, from a higher level point of view the security model can only be one of a handful of cases:

• the password data only remains local
• the password data is sync’d with device-to-device (e.g. ssh) connections
• the password data is sync’d using an external connection that acts as a bridge or as a stateful storage, where all the clients connect to.

The more you go down in the list, the more you get convenience but you introduce a bit of risk. Tl;Dr keepass with keyshare/syncthing has the same risks (or more) than a Bitwarden setup with bitwarden server.

In addition to all the above, bitwarden UX is I would say more developed, it has a better browser plugin, nice additional tools and other convenience features that are nice bonuses. It also allows me to have all my family using a password manager (including my tech illiterate mom), without them having to figure out anything, with the ability to share items, perform emergency accesses etc.

Edit: I can’t imagine this comment to be deemed off topic, so if someone downvoted simply to express disagreement, please feel free to correct or dispute what I wrote, as it would certainly make for an interesting conversation! Cheers

Nftables is the modern iptables FYI. Linux firewall.

No, 670k from 42 investors means less than 20k of investment per investor. 670k is already a number ridiculously small for VC funding, but 20k is basically nothing.

Also, after just a few years, 37 employees and 30k users the company became profitable, which is an insanely low period/scale for usual VC funded tech companies.

I am not a fan of some of his ideas either, especially the ones tending towards libertarianism. Some other ideas instead are quite decent, like how he thinks companies should give back to the community. He also built a tech company without VC funding and with a good share of ownership for workers (which I think is nice), without any marketing (which I despise as industry) and generally without the predatory nature that 98% of tech companies have nowadays.

I am sure you are referring to the Brave debacle of months back, and FWIW, I agree with his position on that particular issue. Anyway, considering that I have no ideas about the positions for the CEOs/founders of the alternatives, I think it’s still a very worthy compromise to have a good product (incl. nonfunctional qualities like privacy, ecological impact etc.).

Completely agree, I started seeing business hours popping up lately, I know that they know it’s an area of improvement.

It’s a premium service but it has very nice features and is a good product overall.

I continue to be one of the happiest customers for Kagi, a service that I am so happy to pay (for my family as well).

To be clear, there are some widgets that might be useful in some cases, but it should not be all you see (and it should definitely not include similar stuff as if the focus for any search is just to find more stuff to consume and please advertisers…).

Yes, you could run it in LAN only. You could access it via VPN only.

Obviously this adds friction in addition to security, but if that’s fine with you, you can.

Personally, if I think about reversed roles (I.e. some US newspaper putting an Italian gangster hat - a-la The Godfather to some politician with some offer-related pun) I wouldn’t think of it as racist, I would understand it’s not a statement about Italians in general. This also considering that being a gangster of course has plenty of negative connotations.

The whole thing feels to me like the attitude that is made fun on in Parks and Recreation and the Wamapoke. But anyway, the newspaper is shit and to be honest I find the substance of the article way worse than the image.

Thanks for the head’s up!

Yes, colonial mindset refers to the refusal of accepting other cultural backgrounds and cultural lenses, possibly due to an inherent belief that your own is superior or absolutely correct. This is not so uncommon in people coming from an imperial and hegemonic culture (like US). Edit: the colonial nature results evident from the fact that such position translates to the desire/pretense to impose a specific cultural lens or perspective even to facts, discussions etc. that belong to completely different contexts. The same attitude that colonizers have over the colonized.

I have already discussed the merits of the conversation, you refused to elaborate your thought in any way and you are limiting yourself to meta-comments that do not add anything to the conversation. In fact, you wasted several replies not saying anything but implying that your opinion is self-evident, which is a consistent symptom of that colonial mindset I was talking about.

You have been provided with a different, context-aware interpretation and you refused to engage with it at all, including challenging it, because being different from your own is automatically wrong and not deserving even of consideration. In fact you are still stuck on “racism against black people and indigenous people”, which means you didn’t even take into consideration that your interpretation of something happening in a cultural context you don’t understand might be wrong. Of course you also refused to elaborate on the way this is racist, or better, you did in another comment in this post with an explanation that has to do with how racial stereotypes have historically been used to discard opinions of minorities, which while being true doesn’t apply at all to this particular event and in general is quite tangential in Italian history, due to a completely different history compared to that of the US, especially when it comes to indigenous people.

So yeah, all in all I think you are showing a classic colonial mindset. Quite common in internet spaces where US culture is dominant, if it is of any consolation.

Or Albanians, Romanians and other people with a history of migration (at least in Italy).

That said, the racist dynamics in Italy are still different from those of a country with a much different history, linked to slavery and colonialism (thankfully Italian empire was a ridiculously failed attempt), with a different racial distribution in population. African migrants are for example a relatively new phenomenon. We are now at the 2nd generation give or take, and I have the feeling things will normalize ad they did for balcan people, as long as right-wing governments will not sabotage immigration on purpose to maintain it as a problem and gather votes…

And lord knows Italy has plenty of its own.

Not when it comes to Native Americans though.

Considering that this is a national newspaper meant for locals, I don’t think other culture’s baggage should necessarily be taken in consideration.

The “hunt” for the white man refers to her search for a white guy as a vice-president that can appeal to the “wasp” population. It’s a reference to western movies. The article is fully on her search for a vice-president and the “real” motivations for her choice.

So you refuse to elaborate, because your opinion is self evident, even though it is based on a lack of cultural context, and lack of understanding of the content of this very page.

My opinion, which I shared and elaborated, which is based on understanding the cultural background, the content of this page, knowing this rag, knowing what newspapers use and do in general, is automatically invalid - without argument - because it doesn’t fit your view. It doesn’t matter that I explicitly shared an interpretation that has nothing to do with race, which is plausible, coherent (I.e. matches the content) and context-aware. You are right by default because your cultural lens is the only thing you ever need to interpret the world.

Colonial mindset. That’s what I get from this.

Cya

Sure, I am very well aware of racism towards immigrants and other symilar dynamics. I am also conscious of fascist history and the consequences of African inferiority in general in culture. I understood the general gist of the source you shared.

Still this doesn’t explain to me how a cultural reference to a group of people as per a popular movie genre, that have absolutely no contact point with Italian culture fits into the same dynamic.

This doesn’t answer the question.

You said “it has everything to do with race”, how?

You can replace it with any “asian martial artist in movies”, it is probably a better comparison to “Native Americans in spaghetti western”. I would say both are not really a statement on asian/native american people in general, and it’s a clear cultural reference. Definitely different from a Yellow Face

Thanks, I don’t have the time to read it all.

I checked the abstract and I read:

This tutorial reviews the built-in systems that undermine life opportunities and outcomes by racial category, with a focus on challenges to Black Americans.

(and more). The focus seems to be very strongly on American culture, and on institutional racism against black people in America.

Then I read:

Unconscious inferences, empirically established from perceptions onward, demonstrate non-Black Americans’ inbuilt associations: pairing Black Americans with negative valences, criminal stereotypes, and low status, including animal rather than human. Implicit racial biases (improving only slightly over time) imbed within non-Black individuals’ systems of racialized beliefs, judgments, and affect that predict racialized behavior.

Considering that in this case there is no association of any characteristic with the race, it doesn’t concern American culture nor black people, I am struggling to adapt this point of view to the case being discussed.