Whenever news breaks of bad decisions from a popular product, there's a flurry of recommendations of various alternatives, and in that mix there's always folks extolling the virtues of hosting your own.
As a person who works on security for an open source project, my spicy take is this: unless you enjoy being your own sysadmin (some folks do!), any hosted solution from a vendor that is currently reputable and currently has acceptable terms is a better, safer option than self-hosting.
BUT folks who are all in on hosting their own stuff are folks who've already accepted all the trade-offs. And the ones who are dogmatic about it to the point of claiming it's the only good option have not just accepted the trade-offs, but have either forgotten them or are intentionally minimizing them.
Even leaving aside time, cost, and convenience: a hosted solution is likely to protect your security and privacy better than you do.
If that's not true of you personally, okay! This recommendation isn't for you! Host your own stuff on your own server in your own basement, where you promptly apply all updates to your entire toolchain and regularly audit your own logs.
Most people are not going to do that, and even if only from a harm reduction standpoint, the best option for security (and by extension, privacy) is the option that will be maintained.
Also not to be all "and yet you participate in society," but a lot of "host your own" folks don't actually host their own. They rent server space from a cloud provider, or from a web host who's renting from a cloud provider, and they often work with multiple vendors for various pieces of their infrastructure.
Which is completely fine, and again usually safer than actually self-hosting. But if someone's calling you a vassal to technocapitalism while hosting on AWS, it's okay to laugh at them.
There is always a risk in putting information in a place where other people can reach it. Those risks don't look the same for everyone—not just in terms of what you have to lose, but in terms of who might try to take it.
The best option for you is the one that best protects you from the threats you, personally, have to worry about. Someone so doesn't know you or your needs can't tell you that any given solution is objectively the best/safest option for you. Security doesn't work like that.
What we can do is tell you what the best options and practices are *for most people,* or for most people with particular risk factors. That's how experts can provide general security guidance, and it's how I can tell you that for most people, hosted options are more secure. Because they're more likely to put your data under the care of someone whose job it is to think about this stuff so you don't have to.
Your mileage may vary - but that's the point.
@Annalee Precisely!
And to avoid #UnderdogBias I'd not choose what I'd use myself but what I'd setup for my mother knowing that I'd be damned in perpetuality [or at least her lifetime] to mainain or at least support it.
And choosing some #SaaS / #ManagedHosting based of #FLOSS of my choice would be the way to go...
https://mstdn.social/@kkarhan/110849693536902509
@[email protected] OR you could just choose a #ManagedHosting provider where someone is being paid for keeping stuff updated and secure. Just like with #Mailservers, #Wordpress or whatever application one wants hosted. It's not as if #SelfHosting is without alternative and choosing a #FLOSS solution that multiple providers offer as #managed / #SaaS offering is my go-to recommendation espechally for SMEs and Users that can't afford personnel hours needed to properly #SelfHost!
Exactly!
Because whilst #OpenBSD is propably the safest Operating System that one can hook up to the Internet out-of-the-box, noone's gonna yeet all their #Linux boxes out and force themselves to migrate everything to it.
Just because I know people who earned their living doing #Mailservers on #OpenBSD doesn't mean it's something I'd recommend to anyone even if on paper that's the "most secure option"...
@Annalee yep, this is a great point that sometimes privacy advocates miss entirely. If someone is determined enough, they WILL get your data. It’s all about what you realistically want to guard against, balanced with convenience.
I COULD run my own email server and secure storage vault, but that would be too much of a pain. It would make my life way too much of a hassle. And since nation states aren’t after me, why put myself through that?
Take the privacy precautions that make sense for you
@Annalee Precisely...
Same goes for other options:
There are several Providers that offer #Managed @nextcloud #Nextcloud and #OpenXchange for very affordable per-user or per-storage quota plans.
Like @Stuxhost [#notSponsored but I've tested their Nextcloud and it's just noice!]...
#ManagedHosting is a valid option - even if one has multiple Sysadmins onsite and in rotating 24/7 on-call standby.
https://mstdn.social/@kkarhan/110849693536902509
@[email protected] OR you could just choose a #ManagedHosting provider where someone is being paid for keeping stuff updated and secure. Just like with #Mailservers, #Wordpress or whatever application one wants hosted. It's not as if #SelfHosting is without alternative and choosing a #FLOSS solution that multiple providers offer as #managed / #SaaS offering is my go-to recommendation espechally for SMEs and Users that can't afford personnel hours needed to properly #SelfHost!
@Annalee I guess where you're going on that take...
Tho can we agree that #CloudFlare are #RentSeekers and that their #Business Model should not exist to begin with?
@Annalee I used to run an IRC bouncer. I think the one incident I know about came from inside the home, but more important part is that anyone who got that had access to the rest of my LAN - and given enough skill, could set up remote access even if they were on the inside.
(they can't have been that good: it crashed and shat the rootfs)
If you don't trust yourself to handle all the updates fast enough the next time something like Heartbleed rolls round - even if you're ill - well, I'm pretty sure I got lucky.
@Annalee OR you could just choose a #ManagedHosting provider where someone is being paid for keeping stuff updated and secure.
Just like with #Mailservers, #Wordpress or whatever application one wants hosted.
It's not as if #SelfHosting is without alternative and choosing a #FLOSS solution that multiple providers offer as #managed / #SaaS offering is my go-to recommendation espechally for SMEs and Users that can't afford personnel hours needed to properly #SelfHost!
@Annalee this is my argument for using SaaS services over managing your own monitoring, alerting, logging, etc. infrastructure. Sure, we can do all those things, but we're not in that business and we're not about to staff up to the point of properly managing and maintaining all of it.
Managing everything yourself may be fine for a small project, but for anything at scale just pay someone else to deal with it.
@jamesiarmes even for a small project, is it really going to be worth the effort to put in all the work yourself?
Someone else commented that their self-hosted data isn't worth stealing so avoiding having to migrate if a hosted solution makes annoying changes is more important. And, well. There are an awful lot of small sites out there hosting someone else's malware (or crypto miner) because the owner didn't think their side project was worth securing.
@Annalee I suppose that depends on what you consider doing it yourself. I thought about this after I sent my last message.
If I were doing it myself, that means running a bunch of terraform I already have written and deploying on AWS, so they're managed services are really handling most of that for me (I enable Security Hub, WAF, etc. as well).
If doing it yourself means managing your own servers at a colo somewhere, count me out. 😅
Annalee
Kevin Karhan 
R. Leigh Hennig
catch
Naomi P
Stefan
Brian Nisbet
Venita
Irina
Philippa Cowderoy
Felis Cat
James Armes 
🍉
🥧 Punkin' Pie 🎮