I don’t want to tell you one way or the other because it’s kinda dubious anyway, but if all services run as the same user the need for root is kinda moot when it comes to crossing between services or expanding the scope of an attack. Of course it is better than all things running as root, but if I popped a machine as some “low privilege” user that still had access to all running services I’m not sure I’d care so much about escalating to root.

Woah, no. Sure escaping via a kernel bug or some issue in the container runtime is unexpected, but I “escape” containers all the time in my job because of configuration issues, poorly considered bind mounts, or the “contained” service itself ends up being designed to manage some things outside of the container.

Might be valid to not consider it with the services you run, but that reasoning is very wrong.

Gonna be even worse now too with the National Park Service cuts: there are so many foreign tourists at the parks. As there should be too! Our National Parks are amazing!

You can unlock the bootloader on a Pixel in about a minute.

I can understand some people finding the whole process a bit daunting, but it’s not actually that difficult with Graphene.

LXC is containerization. Both it and Docker are using the same kernel APIs.

This is also far from my personal experience, you might not even realize what free software you’re depending on?

Your browser is most likely the most complex piece of software you interact with daily and it is most likely FOSS. The Linux kernel is FOSS and is incredibly robust. Most compiler suites, FOSS. Most programming languages, FOSS. These are all incredibly well written and robust tools. AOSP, kinda FOSS, and the forks like Graphene are definitely FOSS. Hell even a lot of macOS programs are actually FOSS. I could go on and on, there is absolutely amazing work being done on FOSS by incredibly talented people.

There is great paid and proprietary software out there, sure, but no it’s not the majority of top quality software in my personal experience and likely a lot of people’s experiences and it is almost guaranteed to rely on a FOSS library somewhere

Sounds like you’re cherry picking both; I’ve seen plenty of garbage that costs money as well.

Oh right, thanks

Am I misunderstanding something? Wouldn’t that just be 7! = 5040 possibilities?

This happened to me in Kansas on the way to college a long time back. The cop pulled out and started tailgating me and I slowly got closer to the car in front of me and then he put his lights on and pulled me over for “following too closely”.

He wanted to search my car and tried to call in a drug dog. Put me in his car and turned the AC to fill blast while I waited for a dog that never came.

Wish I had the courage to have asked if I was being arrested and then demand being let go otherwise

Alternatively, use your shell however you want. And which isn’t POSIX so I wouldn’t use that in a shell script you intend to share.

I have no skin in this game, but IPs are definitely not anonymous data. Also there is a lot of great info out there about de-anonymizing seemingly random data. Interestingly enough, this is similar to the Netflix prize dataset that was one of the more famous ones. Maybe a good introduction to that would be https://www.schneier.com/blog/archives/2007/12/anonymity_and_t_2.html

Nobody is gonna be using a quantum computer to “crack email hashes” of Plex users in a few years… I’m not even sure there is a speedup to hash cracking with quantum computers.

But depending on the hashing algorithm used, it’s likely pretty easy to crack hashes of email addresses today with a normal computer. They’re not particularly high entropy.

Sadly they totally can. There are plenty of face databases already that they could use if they wanted^[1], but if you have friends on Facebook (or Instagram) you might be in their pictures and Facebook run it’s facial recognition on every picture. Whether they can connect that to an identity or not isn’t something I know, but it’s not out of the realm of possibility.

Tangentially related, I remember over ten years ago getting notified that I could tag myself in friends uploaded pictures that I was in, which was also when I started to get really creeped out by Facebook.

I feel seen

Yea, it sounds pretty nice actually. I’m considering doing that as well. Makes it obvious when you’re running in a root shell too which is nice. I’d probably still keep sudo around though.

With a programmable keyboard it can just be one button too!

Oops

Another potential option here is https://www.kernel.org/doc/html/latest/networking/ip-sysctl.html

ip_unprivileged_port_start - INTEGER

    This is a per-namespace sysctl. It defines the first unprivileged port in the network namespace. Privileged ports require root or CAP_NET_BIND_SERVICE in order to bind to them. To disable all privileged ports, set this to 0. They must not overlap with the ip_local_port_range.

    Default: 1024

This is also per namespace so you could use it in combination with network namespaces if you really wanted to keep privileged ports.

I travel a bunch and have lived abroad and I always consistently only ever miss breakfast restaurants/diners and breakfast foods.

It is a fantastic way to make sure things work across a team. We use Linux (bunch of different distro) and macOS at my company and once I started packaging things with nix environment related issues mostly went away. It’s not perfect and it’s not necessarily easy to learn nix, but I prefer it to sharing docker containers or other alternatives.