@da_667 You don't - you just #airgap a physical machine if not entire network the same way actual #malware analysis and #Antivirus benchmarkers do.
In fact tools like #imvirt exist that detect #sandboxing and #virtualization and then either suicide the malware or just refuse to run entirely to thwart forensics experts to the point that there's no off-the-shelf solution to do so.
The #Microsoft cloud #security posture is in rapid decline ever since the Solar Winds disaster.
When one of the most popular IDEs ever, #vscode, has a token #encryption strategy that is laughable, you know things will only get worse.
I understand #sandboxing is difficult, but doing absolutely nothing and letting #extensions wreak havoc indiscriminately is just plain #negligence
#securitybydesign #GoodGovernance #negligence #extensions #sandboxing #encryption #vscode #security #Microsoft
Systems: #hyperborea #adnd #odnd #ForbiddenLands - really any #osr
Settings: #SwordAndSorcery #SwordAndPlanet #SwordAndSandal #Mesoamerican #AncientHistoy
Topics: #WorldBuilding #HexCrawl #DungeonDesign #sandboxing
@Seirdy *nods in agreement*
#SystemD was necessary and so far I think it did solve a lot of issues. OFC for embedded Systems one can still literally use a single shell script as init process...
#Sandboxing is a #Security feature and Tools like #Snap, #FlatPak and #AppImage make it easy to provide cross-distro apps that just run.
Verified Bootchains as implemented with #CensorBoot on #UEFI are just bad #DRM. #Heads as alternative Firmware makes it better.
@TiffyBelle @flaminghohners T/y. That was an interesting read, & ostensibly disturbing. Ostensibly.
My geeky-user-but-NO-expert familiarity with #Firefox [#Nightly, specifically] & chromium-based browsers [on my (#Linux only) pc's that's #VivaldiSnapshot & #Chromium] extends to matters of features, functions & privacy. Security, in the context of that paper & its links, is way beyond my knowledge, so it'd be silly of me to attempt any technical disparagement of that paper.
I shall note, though, that browser development is a pretty fast-paced project, such that i do wonder about the contemporary validity of any paper written several years ago. The paper was last edited March 19th, 2022, so clearly not too bad. However, & IMO most unfortunately, ALL its purportedly supportive links to external references are VERY old, ranging from newest of 2020, to oldest of 2011, with a perceived median around 2016.
For instance, the linked paper's linked paper "Exploiting and Protecting Dynamic Code Generation", says on p10, within "A. Setup", that
>The operating system is the 64-bit Ubuntu 13.04 with kernel 3.8.0-35-generic
That version was released in early 2013.
I suspect this potential "technological aging" makes many or maybe most of the underlying claims rather dubious today, unless & until a contemporary reappraisal by technically competent peeps were done, based on current #Firefox code, not on how it used to be many years ago. Maybe the conclusion would not change? Maybe it would? 🤷♀️
Other Thoughts, fwiw.
Even with a generous assumption that all claims in that paper remain technically valid today [tbc], for many browser users in countries / jurisdictions not overtly fascist & dictatorial, who as individuals are unlikely to be targeted by state-actors, i respectively opine that the larger more probable safety hazard to them might come from #privacy, not #security, breaches. To that extent, i note these:
- #uBlockOrigin is more powerful in Firefox than in chromium browsers, due to the latter having no support for CNAME-uncloaking
- Google is actively striving, via its Mv3 replacement for Mv2, & its egregious FLoC / Topics crap, to further weaken uBO & all other #adblockers. Otoh, Mozilla intends indefinite Firefox support for Mv2, albeit also with added Mv3 compatibility.
-- #AddOns / #Extensions like #uBO are far more than "only" adblockers. By running in "hard mode" for instance, & liberally creating a suite of global & per-site dynamic filters, AND having #Javascript globally disabled but allowed by the user on favoured sites, great privacy protection is afforded. Google's plans are to actively weaken this user privacy in Chromium.
- sadly, silly insecure-by-design MS Windows remains the world's dominant OS. Yet for those alert to the Windows hazards & willing to make a change, #Linux provides vastly more security & privacy by design.
- As well, both dominant #Linux #DesktopEnvironments & at least one #WindowManager, now provide stable everyday #Wayland capability instead of the ancient insecure #X11 / #Xorg #DisplayServer -- thus eliminating one classic security vulnerability mentioned in the paper/s.
- Linux users can avail themselves of even more privacy by #sandboxing their apps. There's several choices; i use #Firejail. Therefore browsers [& all other relevant apps] cannot access any of the user's private data beyond the sandbox's bounds.
@mikeylikestech @nixCraft @fuchsiii and also do it with #sandboxing because a lot of badly-coded games are notorious for #MemoryLeaks and forcing said wine apps into sandboxes mitigates security risks of shitty #Win32 apps...
https://mstdn.social/@fuchsiii@oxytodon.com/110108521127626925
A question, does anyone know:
1. how to use bwrap for an Xwayland app?
I'm trying to use a Python app that has a GUI in it, and I always end up with:
Authorization required, but no authorization protocol specified
and the Python library of course generates the error:
No available video device
The 2 display options used with bwrap:
--bind /tmp/.X11-unix/X0 /tmp/.X11-unix/X0
--setenv DISPLAY :0
(I have also tried with X1 and another number used by gdm).
It seems I've missed something, and there is no Xauthority file in my home, so I cannot bind it (like some older forums say).
If anyone can point out what I'm missing.
#bubblewrap #bwrap #xwayland #wayland #silverblue #sandboxing
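An added example, not part of the post above: the "Authorization required" error is what an X client prints when it reaches the socket without the session's cookie, so the sandbox needs the cookie file as well as the socket. The sketch assumes the compositor exports `XAUTHORITY` (GNOME/mutter does, pointing at a per-session file under `/run/user/<uid>/` rather than `~/.Xauthority`); the function name `x11_bwrap_args` is hypothetical.

```shell
#!/bin/sh
# Added example: print, one per line, the bwrap options an X11/Xwayland
# client needs, derived from the session's DISPLAY and XAUTHORITY values.
# Note: any client allowed onto the X socket can observe other X clients,
# so this grants display access; it does not isolate the app from the
# rest of the X session.

x11_bwrap_args() {
    display=$1      # e.g. ":0" or ":1.0"
    xauth=$2        # path to the cookie file; empty if the session has none

    # Only local displays (":N") have a unix socket that can be bound.
    case $display in
        :[0-9]*) ;;
        *) echo "unsupported DISPLAY: $display" >&2; return 1 ;;
    esac

    num=${display#:}     # ":1.0" -> "1.0"
    num=${num%%.*}       # "1.0"  -> "1"
    sock=/tmp/.X11-unix/X$num

    # Socket bind and DISPLAY, as in the post.
    printf '%s\n' --bind "$sock" "$sock" --setenv DISPLAY "$display"

    # The missing piece: expose the cookie file read-only at the same path
    # and tell the client where it is.
    if [ -n "$xauth" ]; then
        printf '%s\n' --ro-bind "$xauth" "$xauth" --setenv XAUTHORITY "$xauth"
    fi
}

# Typical use from the desktop session (paths without spaces assumed):
#   bwrap $(x11_bwrap_args "$DISPLAY" "$XAUTHORITY") <other options> <app>
```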
::: Licks from FOSDEM '23 - "I was wrong about Snaps and Flatpaks"
With Snaps / Flatpaks, one can use older distros to build software for old OR new distros with no issue.
Both Flatpak / Snap build tools are nice for developers. No need to package to 10 distros (and manage them) no more either.
Then there's sandboxing. Canonical has said they'll open the Snap Store backend, too, later on. As they did with Launchpad.
How opinions change as things progress, here's to that.
Richard Brown => https://ftp.fau.de/fosdem/2023/UA2.114%20(Baudoux)/containerised_apps.mp4
#FOSDEM #Linux #packaging #snap #flatpak #sandboxing #developers #software
@derAlff_iot I don't know. So far I've only looked at what's new in the upgrade - essentially #LookAndFeel.
If the developers are bored, they could start implementing a decent #Sicherheitsarchtektur (security architecture) - e.g. #Sandboxing, #SafeBoot, the way #Android does it.
Pulling an #Upgrade for a bit of cosmetics, nah, that's too much effort for me at the moment.
#LookAndFeel #Sicherheitsarchtektur #sandboxing #SafeBoot #android #upgrade #linux #linuxmint
「 Additionally, writing parts in a memory safe language does not necessarily improve security and may even degrade security by allowing for bypasses of exploit mitigations.
Some security features are geared towards a particular language, and in an environment where different languages are mixed, those features may be bypassed by abusing the other language 」
#Firefox
#Chrome
#VulnerabilityAssesment
#Sandboxing
#infosec
#Rustlang
「 Firefox does have some parts written in Rust, a memory safe language, but the majority of the browser is still written in memory unsafe languages, and the parts that are memory safe do not include important attack surfaces, so this isn't anything substantial, and Chromium is working on switching to memory safe languages too 」
#Firefox
#Chrome
#VulnerabilityAssesment
#Sandboxing
#Infosec
#Rustlang
Firefox 110.0 Beta 2 enables GPU #sandboxing on Windows only
https://www.mozilla.org/en-US/firefox/110.0beta/releasenotes/
Great talk by @qwertyoruiopz on iOS / MacOS / Darwin security and exploitation. https://www.youtube.com/watch?v=8mQAYeozl5I Really interesting from an OS / systems perspective, wrt sandboxing. Stumbled upon it while reading about OpenBSD's new mimmutable() syscall. https://lwn.net/Articles/915640/ #infosec #apple #sandboxing #OS #systems
Today at 17:00 I'm giving the talk:
Hardening Kubernetes security with #gvisor and #falco at Kubernetes Community Days Spain.
Will you join? 👉🏼 https://buff.ly/3sFRqdx
#gvisor #falco #cloudnative #sandboxing
https://gitea.angry.im/PeterCxy/Shelter
The Shelter app for android looks quite useful for sandboxing.
#android #sandboxing #foss #free #app #privacy
Now On Peertube:
(Tor friendly)
#Peertube #Video #privacy #sandboxing #Firejail #flatpak #flatseal #Tor #anonymity #anonymous
https://tube.tchncs.de/w/3KtNGjBPtETqSL42mP5BVa
:tor: Tor Browser User Deanonymization Example: careful downloading files + Easy GUI Sandboxing Solutions Featuring Firetools, Flatpaks + Flatseal
(post now public)
#Blog #sandboxing #Firejail #Flatpak #Flatseal #TorBrowser #Anonymity #privacy
https://www.buymeacoffee.com/politictech/deanonymization-example-solution-isolation-for-security-privacy-members-early-release-a-thank