We did it not because it was easy, but because we thought it would be easy.
We did it not because it was easy, but because we thought it would be easy.
To be fair this doesn’t sound much different than your average human using the internet.
The Linux kernel is less secure for running untrusted software than a VM because most hypervisors have a far smaller attack surface.
how many serious organization destroying vulnerabilities have there been? It is pretty solid.
The CVEs differ? The reasons that most organizations don’t get destroyed is that they don’t run untrusted software on the same kernels that process their sensitive information.
whatever proprietary software thing you think is best
This is a ridiculous attack. I never suggested anything about proprietary software. Linux’s KVM is pretty great.
I think assuming that you are safe because you aren’t aware of any vulnerabilities is bad security practice.
Minimizing your attack surface is critical. Defense in depth is just one way to minimize your attack surface (but a very effective one). Putting your container inside a VM is excellent defense in depth. Putting your container inside a non-root user barely is because you still have one Linux kernel sized hole in your swiss-cheese defence model.
I never said it was trivial to escape, I just said it wasn’t a strong security boundary. Nothing is black and white. Docker isn’t going to stop a resourceful attacker but you may not need to worry about attackers who are going to spend >$100k on a 0-day vulnerability.
The Linux kernel isn’t easy to exploit as if it was it wouldn’t be used so heavily in security sensitive environments
If any “security sensitive” environment is relying on Linux kernel isolation I don’t think they are taking their sensitivity very seriously. The most security sensitive environments I am aware of doing this are shared hosting providers. Personally I wouldn’t rely on them to host anything particularly sensitive. But everyone’s risk tolerance is different.
use podman with a dedicated user for sandboxing
This is only every so slightly better. Users have existed in the kernel for a very long time so may be harder to find bugs in but at the end of the day the Linux kernel is just too complex to provide strong isolation.
There isn’t any way to break out of a properly configured docker container right now but if there were it would mean that an attacker has root
I would bet $1k that within 5 years we find out that this is false. Obviously all of the publicly known vulnerabilities have been patched. But more are found all of the time. For hobbyist use this is probably fine, but you should acknowledge the risk. There are almost certainly full kernel-privilege code execution vulnerabilities in the current Linux kernel, and it is very likely that at least one of these is privately known.
It is. Privilege escalation vulnerabilities are common. There is basically a 100% chance of unpatched container escapes in the Linux kernel. Some of these are very likely privately known and available for sale. So even if you are fully patched a resourceful attacker will escape the container.
That being said if you are a low-value regular-joe patching regularly, the risk is relatively low.
Docker (and Linux containers in general) are not a strong security boundary.
The reason is simply that the Linux kernel is far too large and complex of an interface to be vulnerability free. There are regular privilege escalation and container escapes found. There are also frequent Docker-specific container escape vulnerabilities.
If you want strong security boundaries you should use a VM, or even better separate hardware. This is why cloud container services run containers from different clients in different VMs, containers are not good enough to isolate untrusted workloads.
if Gossa were to be a virus, would I have been infected?
I would assume yes. This would require the virus to know an unpatched exploit for Linux or Docker, but these frequently appear. There are likely many for sale right now. If you aren’t a high value target and your OS is fully patched then someone probably won’t burn an exploit on you, but it is entirely possible.
More likely the overlap of “running on Linux” and “needs to run AV software for compliance” is much smaller than “running on Windows” and the latter.
I’m sure people would notice if all of the major online services started crashing.
There are a few reasons. Some of them are in the users’ interest. Lots of people phrase their search like a question. “How do I turn off the wifi on my blue windows 11 laptop?”
While ignoring stopwords like “the” and “a” has been common for a while there is lots of info here that the user probably doesn’t actually care about. “my” is probably not helping the search, “how” may not either. Also in this case “blue” is almost certainly irrelevant. So by allowing near matches search engines can get the most helpful articles even if they don’t contain all of the words.
Secondly search engines often allow stemming and synonym matching. This isn’t really ignoring words but can give the appearance of doing so. For example maybe “windows” gets stemmed to “window” and “laptop” is allowed to match with “notebook”. You may get an article that is talking about a window of opportunity and writing in notebooks and it seems like these words have been ignored. This is generally helpful as often the best result won’t have used the exact same words that you did in the query.
Of course then there are the more negative reasons.
There are some password managers where you need to either manually look up passwords and copy+paste or autotype them or select the correct password from a dropdown. Some of these will come with an optional browser extension which mitigates this but some don’t really tract domain metadata in a concrete way to do this linking.
Some examples would be Pass which doesn’t have any standard metadata for domain/URL info (although some informal schemes are used by various tools including browser-integration extensions) and KeePass which has the metadata but doesn’t come with a browser extension by default.
The reason I say browser password manager is two main reasons:
So yes, if you want to use a different password manager go right ahead, as long as it checks the domain before filling the password.
I don’t think that is quite accurate.
We discovered many more Pluto-or-larger sized things that were closer to the sun than Pluto. It became increasingly obvious that there was nothing special about Pluto and we either needed to add hundreds of planets or “demote” Pluto.
You probably mean TOTP. OTP is a generic term for any one-time-password which includes SMS-based 2FA. The other main standard is HOTP which will use a counter or challenge instead of the time as the input but this is rarely used.
Tips for being secure online:
That’s really all you need. You don’t even need 2FA, it is nice extra security but if you use random passwords and don’t enter your passwords into phishing sites it is largely unnecessary.
I’m not an expert on modern alarm systems but it seems that it is very common and fairly inexpensive to have cellular data backup. Not every system has it, but many do. In that case cutting the main connection will likely result in someone appearing on site fairly quickly.
Many cameras also have some form of local buffering. So even if you are gone before someone does show up you still may find yourself recorded.
But at the end of the day just put a bag over your head and you can be gone by the time anyone shows up without leaving a meaningful trace. Other than the very top-end system security systems just keep the honest people honest.
They added telemetry. 100% of responses had internet access.
Yup, that “what can I start in 10min” question really ruins a lot of productivity.
I don’t think that is true. Not much at Google really bought into the UUID hype. At least not for internal interfaces. But really there is no difference between a UUID v4 and a large random number. UUID just specifies a standard formatting.
I don’t really mean literally to practice asking people out. But there are times in your life where you need to ask people for things. It is hard to get over the anxiety, risk of social embarrassment and practice showing confidence (even if you are not). These are valuable skills in all sort of social circumstances.
It honestly sounds more like someone convincing you that crypto is great than someone convincing you that Greenpeace is great.