sudneo

joined 2 years ago
[–] sudneo 1 points 1 year ago

Sorry for the late answer. My point is that the problem is upstream of the issue of quoting/non-quoting. A person who gets convinced by a nazi/antisemitic slogan is already a problem in itself. The quote is one of the N ways that person can be exposed to ideas that underneath they already support, and I don't think this is a good reason to change the way that we talk about some issues. In other words, even if someone "gets recruited" by the quote, this is merely surfacing the problem, it's not creating it.

[–] sudneo 8 points 1 year ago (1 children)

Vatican City /s

I think that there are constraints for certain countries, but the majority probably could. And when they can't, it should be solved by cooperation and trade, IMHO.

[–] sudneo 52 points 1 year ago (6 children)

I mean, it's not a spell, it's a sentence. If reading it will make it spread, as in more people will agree and support it, the problem is already there.

[–] sudneo 14 points 1 year ago (3 children)

+1 for kagi. I think they have a smaller subscription too. Also not too long ago they changed the $10 subscription from 700 searches/month to unlimited, which gives hope that they might improve the pricing over time.

As a side note, it is surprising how many searches one does during the month! I thought I did thousands per month, turns out I am always between 200 and 400!

[–] sudneo 4 points 1 year ago* (last edited 1 year ago)

OK :)

So chroot has not been used for decades to isolate processes to a confined view of the filesystem (especially in combo with a restricted shell), and for example the networking namespace is not used to limit the impact of a compromise on the firewall, the user namespace is not used to allow privileged processes to run de-facto unprivileged.

Whatever you say

EDIT: Actually, if you are really convinced of what you are saying we can do the following experiment:

  • We spin up a VPS and run a web application with an RCE with a Systemd unit and run the same web app in a scratch container running under an unprivileged user

Then we can compare the kind of impact that using containers to wrap applications has on the security of the system. My guess, even with a full RCE you will not be able to escape the container.

Half-jokes aside, my stance is that isolation (namespacing and cgroups) allows one to greatly reduce the attack surface and contain the blast radius of a compromise, which are security benefits. You can easily have a container with no shell, no binaries at all, no writable paths, read-only filesystem etc. You can do at least some of those things even in a regular Linux box of course, but it is much more uncommon, much harder, much less convenient (for example, no writable /tmp is going to break a lot of stuff), much more error prone, etc.

Your stance i.e.:

running things inside of a container does not provide any security benefits as opposed to outside of the container

is way too absolute, imo.

[–] sudneo 10 points 1 year ago (3 children)

Not really true, containers are based on namespaces which have always also been a security feature. Chroot has been a common "system" technique, after all.

Containers help security if built properly, and it's easier to build a container securely (and run them), compared to proper SystemD unit security.

[–] sudneo 23 points 1 year ago

tl;dr, yes, it does.

Containers are nothing like VMs, and containers in Linux are basically a combination of a feature called Cgroups, which allows restricting the resources (like memory, etc.) available to a process or group of processes, and namespaces. Namespaces are a construct in which certain namespaced resources are separated from each other, and processes can only see those belonging to their namespace. A simple example is a mount namespace. When you launch a container, you see a / directory which is not the root directory of your system.

Now, the problem is that not all the resources are namespaced, so there is still quite a lot that processes within containers can do by interacting with the main system resources, especially if they are root.

A root process within a container generally can do lots of things that the actual root process can do outside of it. For example, mounting parts of the filesystem (if you run with --privileged), loading kernel modules, etc. Podman can run rootless, in the sense that it also uses user namespaces, meaning a user 0 (root) inside a container is actually mapped to something else outside, but also docker nowadays can do the same.

So yeah, in general, running the applications with the least amount of privileges is a good idea and you should do it whenever you can. Even if you do need some privileges, you should add only the Capabilities needed, not just go straight to root.
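The two comments above (the one on containers with no shell, no writable paths and a read-only filesystem, and this one on user namespaces and capabilities) describe what a defender would check to see how much a containerised process can actually reach on the host. The script below is an added illustration written for this page, not code from the commenter or from Docker/Podman: it decodes the CapEff bitmask from /proc/<pid>/status, resolves the in-container uid 0 through /proc/<pid>/uid_map, and checks whether the root mount in /proc/<pid>/mounts is read-only. The /proc contents are constructed samples; the "host-reaching" capability list is an illustrative watch-list, not an exhaustive one.

```python
import re

# Linux capability names indexed by bit number, as in the kernel's
# capability.h (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# Capabilities whose effect is not confined by the container's own
# namespaces (mounting, loading kernel modules, tracing, reconfiguring
# the network). Illustrative watch-list (assumption), not exhaustive.
HOST_REACHING = {"cap_sys_admin", "cap_sys_module", "cap_sys_ptrace",
                 "cap_net_admin", "cap_sys_rawio", "cap_sys_boot"}


def decode_caps(hex_mask):
    """Turn a CapEff/CapBnd hex bitmask into the set of capability names."""
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def effective_caps(status_text):
    """Extract and decode the CapEff line of a /proc/<pid>/status dump."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return decode_caps(line.split(":", 1)[1].strip())
    raise ValueError("no CapEff line in status text")


def parse_uid_map(uid_map_text):
    """Parse /proc/<pid>/uid_map rows: <inside start> <outside start> <count>."""
    rows = []
    for line in uid_map_text.splitlines():
        fields = re.split(r"\s+", line.strip())
        if len(fields) == 3:
            rows.append(tuple(int(f) for f in fields))
    return rows


def host_uid(inside_uid, uid_map):
    """Map a uid seen inside the user namespace to the host uid (None if unmapped)."""
    for inside, outside, count in uid_map:
        if inside <= inside_uid < inside + count:
            return outside + (inside_uid - inside)
    return None


def root_is_readonly(mounts_text):
    """True if the mount on / in a /proc/<pid>/mounts dump carries the ro option."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/":
            return "ro" in fields[3].split(",")
    return False


def audit(status_text, uid_map_text, mounts_text):
    """Summarise how far a process can reach outside its container."""
    caps = effective_caps(status_text)
    mapping = parse_uid_map(uid_map_text)
    return {
        "effective_caps": len(caps),
        "host_reaching_caps": sorted(caps & HOST_REACHING),
        "root_maps_to_host_uid": host_uid(0, mapping),
        "root_readonly": root_is_readonly(mounts_text),
    }


# Constructed samples shaped like the /proc files of two processes.
# Privileged root container: every capability, uid 0 is the host's uid 0,
# writable root filesystem.
PRIVILEGED_STATUS = "Name:\tnginx\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
PRIVILEGED_UID_MAP = "         0          0 4294967295\n"
PRIVILEGED_MOUNTS = "overlay / overlay rw,relatime 0 0\nproc /proc proc rw 0 0\n"

# Rootless, hardened container: only cap_net_bind_service, uid 0 maps to
# host uid 100000, read-only root with a separate writable /tmp.
HARDENED_STATUS = "Name:\tnginx\nUid:\t0\t0\t0\t0\nCapEff:\t0000000000000400\n"
HARDENED_UID_MAP = "         0     100000      65536\n"
HARDENED_MOUNTS = ("overlay / overlay ro,relatime 0 0\n"
                   "tmpfs /tmp tmpfs rw,nosuid,nodev 0 0\n")

if __name__ == "__main__":
    print("privileged:", audit(PRIVILEGED_STATUS, PRIVILEGED_UID_MAP, PRIVILEGED_MOUNTS))
    print("hardened:  ", audit(HARDENED_STATUS, HARDENED_UID_MAP, HARDENED_MOUNTS))
```

On a live system the same functions apply to the real files: `open("/proc/<pid>/status").read()`, `uid_map` and `mounts` for the container's PID as seen from the host. A process whose audit shows no host-reaching capabilities, a uid 0 that maps to a high unprivileged host uid, and a read-only root is the shape the comment above is arguing for.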

[–] sudneo 18 points 1 year ago (1 children)

Privacy and anonymity are different things. As long as nobody besides you and the intended destination(s) has access to the content of your communication, that communication maintains privacy, even if everyone sees that it's you talking.

Also, and this is something I mention all the time, the only information this gives is that you use signal. Besides that, as soon as anybody else registered your phone in their contact list, your phone number is already known and associated with you considering that many apps (like all the meta ones) gain access to the contact list and the chance that anybody who has your phone number uses one of those is almost 100%.

[–] sudneo 2 points 1 year ago

The points you raise are true, but honestly they are not a deal breaker. There are many hosting companies and domain companies, with different policies. Also, a website can be served by anything, changing domain and hosting is a nuisance, but it is something that can be done almost instantly. Of course this is similar to creating a different account on social media platforms, but the difference is that the website runs on an open protocol, which is not the case for some social media.

Also I assume that when people say that websites enable expressions, it also means that you can customize absolutely every aspect of the website, including the look and feel, which it is still part of your expression.

[–] sudneo 1 points 1 year ago

Same here. Surprisingly stable, I have only had one issue a couple of years back!

[–] sudneo 14 points 1 year ago

You don't care until "bigotry" means what you think it means and not what someone else thinks, or until the same principle is pushed by other groups who happen to not care if "songs or artists perpetuating ____ get censored".

There is already a problem with monopoly in terms of which music is available, I can't wait to have those companies decide even more which songs can be published based on totally arbitrary principles and without any accountability. I am pretty sure that articles about this trash song will have the consequence of generating more listens than if this was just ignored. I, for one, would have never known this song existed without this article, and now I am fairly curious to go check the lyrics to get a better idea about the article itself. Streisand effect and all...

[–] sudneo 5 points 1 year ago

Simple, all it takes is to take the Book of Wrong Ideas, which is notoriously objective and shared across the world.
