Joe
Just a regular Joe.
AppArmor profiles can be applied to an executable - the profile is then (if so configured) inherited by subprocesses. In my case I have a launch script to run lutris in a safe mode. It also changes the effective gid to be matched by some iptables rules (it was easier than creating a new network namespace, which is also possible). The script then checks that the Internet is inaccessible and that reading/writing to secured paths is denied before launching lutris.
Similarly I have a “safe” script to wrap other commands with an AppArmor profile that stops most writes to my homedir/reads from some secure locations, which I often use to run scripts/programs from the Internet.
My sudo also requires a password (or a special keyboard combination, thanks to a custom PAM configuration).
All that said and done, I’m sure I’ll be caught off guard one day.
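As an added example (not the commenter's own script, whose profile, group and path names are not given above), a POSIX sh wrapper in the shape that comment describes: it switches the effective gid with sg so an iptables owner match applies, enters an AppArmor profile with aa-exec, re-enters itself under that confinement, runs the smoke tests (network unreachable, secured path unreadable, protected directory unwritable) and only then execs the target. The profile name lutris-safe, the group sandbox, the two checked paths and example.com as the reachability probe are all assumptions.

```shell
#!/bin/sh
# Added example, not the commenter's script: launch a program under an AppArmor
# profile and a dedicated gid, and refuse to start it unless the sandbox holds.
# Assumed names: profile "lutris-safe", group "sandbox", the paths below.
set -u

PROFILE="${PROFILE:-lutris-safe}"          # AppArmor profile (assumed name)
SANDBOX_GROUP="${SANDBOX_GROUP:-sandbox}"  # gid matched by the iptables rules
TARGET="${TARGET:-lutris}"                 # program to exec once checks pass
# Paths the profile is expected to deny (assumed; adjust to your profile).
SECRET_PATH="${SECRET_PATH:-$HOME/.ssh/id_ed25519}"
PROTECTED_DIR="${PROTECTED_DIR:-$HOME/.config}"

# Run once as root: reject all non-loopback traffic from sockets created by a
# process whose effective gid is $SANDBOX_GROUP (xt_owner match).
install_firewall_rules() {
    for ipt in iptables ip6tables; do
        "$ipt" -I OUTPUT -m owner --gid-owner "$SANDBOX_GROUP" ! -o lo -j REJECT
    done
}

# True (0) when reading $1 fails. The path must exist for this to mean
# "denied by the profile" rather than "no such file".
path_read_denied() {
    ! cat -- "$1" >/dev/null 2>&1
}

# True (0) when creating a file inside directory $1 fails. If the write
# unexpectedly succeeds the probe file is removed again and 1 is returned.
path_write_denied() {
    probe="$1/.sandbox-probe.$$"
    if touch -- "$probe" 2>/dev/null; then
        rm -f -- "$probe"
        return 1
    fi
    return 0
}

# True (0) when an outbound HTTPS connection is rejected or times out.
# Assumes curl is permitted by the profile and example.com is the probe host.
net_blocked() {
    ! curl --silent --fail --max-time 5 --output /dev/null https://example.com
}

# Runs every check; reports the first failure on stderr and returns 1.
smoke_test() {
    net_blocked || { echo "FAIL: network reachable" >&2; return 1; }
    path_read_denied "$SECRET_PATH" \
        || { echo "FAIL: can read $SECRET_PATH" >&2; return 1; }
    path_write_denied "$PROTECTED_DIR" \
        || { echo "FAIL: can write $PROTECTED_DIR" >&2; return 1; }
    return 0
}

case "${1:-}" in
    launch)
        # Outer stage: change egid (sg requires membership of the group),
        # enter the profile, and re-run this script so the checks execute
        # under exactly the confinement the target will inherit.
        exec sg "$SANDBOX_GROUP" -c "aa-exec -p '$PROFILE' -- '$0' inner"
        ;;
    inner)
        smoke_test || exit 1
        exec "$TARGET"
        ;;
    firewall)
        install_firewall_rules
        ;;
esac
```

Run `sudo ./safe-lutris.sh firewall` once, add your user to the sandbox group, then `./safe-lutris.sh launch`. The profile has to allow the shell, cat, touch, curl and the exec of the target itself, otherwise a check fails for the wrong reason; either way a failed check is reported and the target is never started.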
I run a particular online Windows game in a modded offline mode under Linux in network isolation and with a restricted AppArmor profile. So far so good. Logs show no attempts to break out, except for the smoke test I run to ensure the sandbox is working. This is as much because of the random mods I install as the original devs (who could ban my online account).
On Windows, a VM would indeed be safer. GPU passthrough is possible … I guess easier with Windows using an onboard GPU, then passing a discrete GPU to the VM. You’ll lose some performance with a VM regardless, but it’s easy to disable networking, back up and restore from a known good state, and burn it to the ground when needed.
Excellent. Now I don’t have to evacuate for category 5 hurricanes anymore. That will save me some stress.
Who cares?
My company’s 9,000 CentOS machines and over 100,000 containers now mostly run Amazon Linux or Alpine. Rocky Linux was preferred by some, but we led the way and the rest followed. Our final licensed RH systems will also disappear this quarter (legacies of a DC-centric era), and we will be free of them.
It was inertia that kept us with RH, but their bad faith moves kicked us into action. We now have better security tooling and processes all around, too.
Good riddance, Red Hat (and IBM, until your next acquisition and corporate strangling)!
It would have to be a pretty niche project with an involved and dedicated community to get away with that these days.
I understand the patent system very well, albeit in another context. I support much shorter/stricter criteria for patents in general, as well as waivers where it makes sense.
The argument is that nobody (no person, no company, nor government) would have mass produced or distributed cloned/copied covid vaccines to these areas faster at that point in time (even if approval processes were largely waived).
https://www.nytimes.com/2022/03/23/health/covid-africa-deaths.html discusses some of the complexities in Africa, if you are interested. I agree that the response could have been better, but it could also have been worse. Other places had their own issues.
I don’t think the current vaccination % means much, given that most people on the planet have been exposed to it, often multiple times.
Why would anyone who gets a mild case every few months bother to vaccinate? There are reasons, but not many that resonate.
You are still assuming that some third party/parties could/would magic a cheap effective vaccine clone into existence at the time it was most needed and most profitable to do otherwise.
Also, the perceived value of vaccination for immediate personal health has waned now that most people have caught covid, so I expect the number of recent vaccination shots to be consistently lower throughout the world.