harporoeder's comments

harporoeder | 17 days ago | on: FreeBSD Capsicum vs. Linux Seccomp Process Sandboxing

A default container seccomp profile will let you do quite a few things, but you can use a different profile (some JSON) and limit it to just a few system calls if you want, such as doing IO on open FDs without the ability to open them. I think the runtime opens the FDs before the child process starts and they are inherited.

harporoeder | 1 year ago | on: Wayland Apps in WireGuard Docker Containers

I have had pretty good success with Steam inside Docker. Things like playing Counter-Strike have been pretty seamless. It's cool to see others doing the same. I'm waiting for Wayland isolation stuff to actually be integrated into everything (security contexts, etc.). Even with all this isolation, passing in an X socket totally breaks any security guarantees against anything actually malicious. For other apps I can do the dummy X server trick (nxagent, etc.); however, for gaming that is really not an option with the performance requirements.

harporoeder | 1 year ago | on: Types as Interfaces

With dependent types you still end up having to do dynamic checking of invariants for a substantial portion of real world code to construct the value with the properties you want: anything coming from disk, network, a database, etc. In practice I feel that it is far easier to just do manual dynamic checking with the constructor hidden from other modules, such as `constructEmail :: String -> Email`, which uses normal value-level code, a common Haskell pattern. Obviously a little less flexible for the common dependent type examples such as appending two vectors of a specific length.
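
The hidden-constructor pattern the comment describes, rendered in C for consistency with the other added example on this page (added here, not from the comment): the struct body is private to one translation unit, other modules see only `typedef struct Email Email;` and can obtain an `Email` solely through `email_parse`, which does the dynamic check once at the trust boundary. The acceptance rule (one `@`, non-empty local part, dash-and-alphanumeric labels joined by dots, no control characters or spaces) is this example's simplification, not RFC 5322.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

typedef struct Email Email;   /* the only line a header would export */

struct Email {                /* private: no other module can fill these in */
    char *local;
    char *domain;
};

void email_free(Email *e)
{
    if (e == NULL) return;
    free(e->local);
    free(e->domain);
    free(e);
}

/* One DNS-style label: non-empty, alphanumerics and '-', no leading/trailing '-'. */
static bool valid_label(const char *s, size_t n)
{
    if (n == 0 || s[0] == '-' || s[n - 1] == '-') return false;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)s[i]) && s[i] != '-') return false;
    return true;
}

/* Labels joined by '.', each one valid on its own. */
static bool valid_domain(const char *d)
{
    const char *start = d;
    for (const char *p = d;; p++) {
        if (*p == '.' || *p == '\0') {
            if (!valid_label(start, (size_t)(p - start))) return false;
            if (*p == '\0') return true;
            start = p + 1;
        }
    }
}

static char *copy_range(const char *s, size_t n)
{
    char *out = malloc(n + 1);
    if (out == NULL) return NULL;
    memcpy(out, s, n);
    out[n] = '\0';
    return out;
}

/* The only way to obtain an Email. Validates the untrusted string once;
 * returns NULL on rejection so callers cannot hold an invalid value. */
Email *email_parse(const char *raw)
{
    if (raw == NULL) return NULL;
    size_t len = strlen(raw);
    if (len == 0 || len > 254) return NULL;
    for (size_t i = 0; i < len; i++)
        if (iscntrl((unsigned char)raw[i]) || raw[i] == ' ') return NULL;
    const char *at = strchr(raw, '@');
    if (at == NULL || at == raw || strchr(at + 1, '@') != NULL) return NULL;
    if (!valid_domain(at + 1)) return NULL;
    Email *e = calloc(1, sizeof *e);
    if (e == NULL) return NULL;
    e->local = copy_range(raw, (size_t)(at - raw));
    e->domain = copy_range(at + 1, strlen(at + 1));
    if (e->local == NULL || e->domain == NULL) { email_free(e); return NULL; }
    return e;
}

/* Read-only accessors: everything downstream can rely on the invariant. */
const char *email_local(const Email *e)  { return e->local; }
const char *email_domain(const Email *e) { return e->domain; }
```

Downstream code that takes an `Email *` never re-checks the string; the check lives in exactly one place, which is the property the Haskell smart-constructor pattern buys without dependent types.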

harporoeder | 2 years ago | on: Kernel Hardening: Protect Linux user accounts against brute force attacks

There are lots of ways to protect your system from a browser exploit via containers, another user, a VM, etc., as brought up by other people responding. However, protecting a browser from other applications is basically impossible unless you also sandbox everything else you are doing. Even if you run a browser in a VM, some other process run as your user could just automate clicking the UI to do whatever. If you go Qubes style and isolate everything from everything then it is fine.

harporoeder | 2 years ago | on: The hunt for the missing data type

Even with direct mutual references between some node types, this can be represented in a lazy functional language such as Haskell pretty easily without mutation.

harporoeder | 2 years ago | on: SpaceX launches first phone service satellites

Line of sight transmissions can go massively further than with even minor obstacles. While a different frequency, amateur radio operators easily contact the ISS on $30 5-watt handheld radios. If I recall, Iridium phones are only a couple of watts.

harporoeder | 2 years ago | on: OpenBSD Workstation Hardening

Wayland does not stop a process from manipulating the home directory, doing various things on the network, using a ton of memory, recording what other processes exist, etc. Once you add all that stuff you start to get something that looks a lot like containers.

harporoeder | 2 years ago | on: OpenBSD Workstation Hardening

A malicious program is going to have a difficult time adding something to your ~/.profile script if it cannot access your home directory. Although I don't doubt that many Flatpak programs have too lenient default permissions, and the various Xorg lack-of-isolation issues are unfortunate, somewhat remedied in Wayland.

harporoeder | 2 years ago | on: OpenBSD Workstation Hardening

It is hard to call OpenBSD an OS focused on security. Beyond pledge, their primary focus seems to be "just implement everything correctly and don't run malware". If some utility has an implementation error or you do accidentally run something malicious, you are hosed. Compare this to Linux with the extensive use of containerization and things like eBPF for dynamic security measures, or portals as part of Flatpak for dynamic application permissions.

harporoeder | 2 years ago | on: Blueprint health protocol

I wish Blueprint was more public and open about the methodology and data. Johnson is doing so many interventions and it would be interesting to have public data for them beyond a periodic aggregate snapshot on the Blueprint website, which basically amounts to a marketing page. In comparison, someone like Michael Lustgarten (1) publishes nearly everything, documents what intervention they are about to do, does it, and then publishes the results.

1: https://michaellustgarten.com/

harporoeder | 2 years ago | on: Learn Modern C++

I feel that modern C++ is a game of how many times you can fit `const` in a single declaration. I usually have at least three for the simplest of functions.

harporoeder | 2 years ago | on: Obsidian 1.5 Desktop (Public)

For an open-source alternative to Obsidian, check out Logseq (1). I spent a while thinking Obsidian was open source out of my own ignorance and was disappointed when I learned it was not. I mistook the extensive GitHub presence for the actual product being open.

1: https://logseq.com/

harporoeder | 2 years ago | on: How to Escape a Container

All of these escapes rely on some obvious explicit reduction of the isolation guarantees. If you know how to escape a simple Docker container invoked with default parameters such as `docker run --rm -it ubuntu /bin/bash`, I'm sure many people would be interested.