I watched the video. Yes, if your sandbox config is weak then it will allow sandbox escapes. I agree the should default should be a secure sandbox. Bubblewrap offers the opportunity to shoot yourself in the foot. Look into the others tools I mentioned if you want to see different implementations. Sydbox is the one I think is the most interesting.

The only way I know to harden Linux Mint is using the Debian edition. Using LMDE, you can (unofficial) use Kicksecure to harden the base system. This isnt a great solution since the Linux Mint software is untested with Kicksecure and may/will reduce the security of the overall hardening.

Hardening is not useless, but it doesnt fix the architectural issues with Linux and its outdated threat model. That article says the same thing. It isnt an all-or-nothing situation, hardening still improves Linux security. Projects exist like SELinux, Bubblewrap, Crablock, Sydbox, and Landlock. Efforts to harden GNU/Linux have been made, like Kicksecure (Debian) and Secureblue (Fedora Silverblue), which protect against many threat vectors, but not perfect obviously.

If all you want to do is run VMs, Qubes is not what you are looking for. Even virtual machine manager (and other abstractions over libvirt and KVM) need to be hardened to avoid compromising the host.

Example: By default virt-manager uses a NAT bridge to allow for the guest VM to access the host and the LAN. A couple of weeks ago vulnerability was found in CUPS print server, allowing a hacker to do RCE. If a guest VM was compromised (previously or because of the vulnerability), since the host also likely has CUPS the hacker could use the guest system to compromise the host. This is avoided on Qubes because the host has minimal software.

Virt-manager offers no where near the same Security as Qubes. Qubes has a security hardened host and strong Desktop security model. Everything runs in VMs (aka qubes) including different parts of the system to further improve isolation. Sure, you could replace Qubes OS with an off the shelf Linux distro and run VMs, but that is nothing like Qubes, offers none of the convenience, and isn't hardened or debloated (reducing host attack surface).

No Linux distro comes close. Qubes is designed for a specific job. I am not saying Qubes is the "best OS ever" when I say Linux distros dont come close, I specifically mean that no Linux distro is designed with as strong of a focus on Desktop security model and isolation-based workflow.

/e/os is often behind on Android monthly security patches (sometimes up to a month or more!) and the apps they fork I have heard also often lag behind upstream. It also doesnt do much to deblob the ROM if proprietary binary blobs.

Comparison table of Android ROMs: https://eylenburg.github.io/android_comparison.htm

IIRC, they block 3rd Android ROMs (eg GrapheneOS) using Google's Safety net service verification.

That is generally called the principle of least privilege.

Check out Cromite (a continuation of Bromite)

Using a VPN should defeat the attack by having a different data center cache the media file.

Fitejail is a large SETUID binary which weakens security and can aid in privilege escalation. Use Bubblewrap (preinstalled on most Linux systems cus of Flatpak) which runs unpriveleged. Bubblejail is a program that makes it easier to make sandboxes profiles for apps.

Very interesting read.

You dont have to install over the drive. Retrieve any important files from the drive by booting a USB live OS.

People on Snapchat dont give a fuck about cleanliness.

You will still be able to access !onehundredninetysix@lemmy.blahaj.zone

Not exactly. Ironfox is a fork, not a direct continuation of Mull. I'm holding off on using it because I want to verify that the new fork can keep timely security updates. Ironfox is a big unknown.

Also seems to have way too many permissions. Maybe to work around some problem "flatpak"ing virt-manager?

Even if documentation can be time-consuming, it is such a lifesaver and makes the whole process of coding much smoother. It means not as much time wasted backtracking. If you think there is any part of your code you won't understand when you coming back to it, document, document, document.

Sometimes I write some multiline psuedocode comments or/and an explaination of specific choices, especially those invisible choices you make while debugging that aren't apparent when your just reading through your code.

Good thing to do is make code that is generally readable too lol.

Or are you? Try it, just a lil 😼

Legit. Even if documentation can be time-consuming, it is such a lifesaver and makes the whole process of coding much smoother. It means not as much time wasted backtracking. If you think there is any part of your code you won't understand when you coming back to it, document, document, document.

Sometimes I write some multiline psuedocode comments or/and an explaination of specific choices, especially those invisible choices you make while debugging that aren't apparent when your just reading through your code.

Good thing to do is make code that is generally readable too lol.

Is there now a flatpak for virt-manager?