More

sellmesoap · 2026-03-25T09:05:59 1774429559

> Inside the sandbox but not on my machine. Show me how it can access an unmounted directory.

So it says right on the tin of my favorite distro: 'Warning: Beware that the docker group membership is effectively equivalent to being root! Consider using rootless mode below.' So # docker run super-evil-oci-container with a bind mount or two and your would-be attacker doesn't need to guess your sudo password.

ashishb · 2026-03-25T16:29:43 1774456183

> docker run super-evil-oci-container

  1. That super evil OCI container still needs to find a vulnerability in Docker
  2. You can run Docker in rootless mode e.g. Orbstack runs without root

staticassertion · 2026-03-25T21:11:59 1774473119

They're suggesting that the attacker is in a position to `docker run`. Any attacker in that position has privesc to root, trivially.

Rootless mode requires unprivileged user namespaces, disabled on almost any distribution because it's a huge security hole in and of itself.

imtringued · 2026-03-25T11:53:09 1774439589

What's particularly vexing is that there is this agentic sandboxing software called "container-use" and out of the box it requires you to add a user to the docker group because they haven't thought about what that really means and why running docker in that configuration option shouldn't be allowed, but instead they have made it mandatory as a default.

sellmesoap · 2026-03-25T08:07:04 1774426024

Well how many times have we seen the S3 bucket set to public while the customer data piles up and leaks out to space.

sellmesoap · 2026-03-24T17:16:14 1774372574

I agree, but in addition the electrical code needs to be open to the public, not paywalled as it is in so many places!

Avamander · 2026-03-24T17:46:30 1774374390

I'd start by not using self-immolating wires (hardcoded default passwords).

Jokes aside, there's so much low-hanging fruit in IoT it's utterly ridiculous. Having any standards at all would be an improvement.

sellmesoap · 2026-03-09T18:52:04 1773082324

I'll go halfers with you, any other takers? I feel like sharing infrastructure via small online co-ops can take the bite out of the cost. So much cheaper then the cost of being the product via meta/goog etc.

sellmesoap · 2026-03-06T11:40:56 1772797256

GPL Vader license, pray I do not alter the deal any further.

sellmesoap · 2026-02-24T22:04:29 1771970669

I can think if some mac users I know who deny all updates from being burned by feature creep and breakages in the past.

sellmesoap · 2026-02-20T23:17:26 1771629446

I for one welcome our new AI executives, oh lame it's a fallible C suite human again, all hail the monolith!

sellmesoap · 2026-02-20T19:06:14 1771614374

Another way to think about it, many websites the data gets transmitted before you hit submit, between various type ahead reactive frameworks, soft keyboards with networked spell checking, your AI powered mood ring, always listening smart watch/car/home etc. Grandad always said don't say anything on the radio you wouldn't say in public, well we're up to don't think out loud or see how your crazy idea looks in text before you edit the Mel Gibson tones out of it. Tinfoil hats are off, on, locked!

sellmesoap · 2026-02-19T20:57:14 1771534634

That's an illegal tube is what you've got right there... Hay wait _I_ could be an illegal tube at any point, either by choice or at the mercy of a lawmakers writing tools.

sellmesoap · 2026-02-19T20:42:14 1771533734

The 28th amendment: right to keep and bare 3D printers