Absolute horseshit. Bulbs don't have microphones. If they did, any junior security hacker could sniff out the traffic and post about it for cred. The article quickly pivots to TP-Link and other devices exposing certificates. That has nothing to do with surveillance and everything to do with incompetent programming. Then it swings over to Matter and makes a bunch of incorrect assertion I don't even care to correct. Also, all the links are to articles on the same site, every single one of which is easily refutable crap. Yes, there are privacy tradeoffs with connected devices, but this article is nothing but hot clickbait garbage.

The result now is that no website will load because the rest of the world will have broadband anyway

Clear copyright over reach. News titles or tiny excerpts should not copyrightable - that's just idiotic. If thag stops readers from reading your article then it was never good enough to begin with.

In the end I popped up the terminal and used some pot command with some flag I can't remember to skip the login step on setup. I reckon there is good chance you aren't using windows 11 home though right?

In this year of 2025? No. But it still is basically setting oneself for failure from the perspective of Graphene, IMO. Like, the strongest protection in the world (assuming Graphene even is, which is quite a tall order statement) is useless if it only works on the mornings of a Tuesday that falls in a prime number day that has a blue moon and where there are no ATP tennis matches going on. Everyone else is, like, living in the real world, and the uniqueness of your scenario is going to go down the drain once your users get presented with a $5 wrench, or even cheaper: a waterboard. Because cops, let alone ICE, are not going to stop to ask you if they can make you more comfortable with your privacy being violated.

Realistically, you don't need security, NAT alone is enough since the packets have nowhere to go without port forwarding. But IF you really want to build front end security here is my plan. ISP bridge -> WAN port of openwrt capable router with DSA supported switch (that is almost all of them) Set all ports of the switch to VLAN mirroring mode bridge WAN and LAN sides Fail2Ban IP block list in the bridge LAN PORT 1 toward -> OpenWRT running inside Proxmox LXC (NAT lives here) -> top of rack switch LAN PORT 2 toward -> Snort IDS LAN PORT 3 toward -> combined honeypot and traffic analyzer Port 2&3 detect malicious internet hosts and add them to the block list (and then multiple other openwrt LXCs running many many VPN ports as alternative gateways, I switch LAN host's internet address by changing their default gateway) I run no internal VLAN, all one LAN because convenience is more important than security in my case.

I had to look it up, what I was thinking of was MQA. Looks like they discontinued it last year though.

highly recommend using containerized torrents through a VPN. I have transmission and openvpn containers. when the network goes down transmission can't connect since it's networked through the ovpn container. once the vpn is restored, everything restarts and resumes where it left off. ever since I've had this setup running, I haven't had a nastygram sent to me.