Dran

Just think, an extra long shirt can cover that hole, and we could embed a flexible display, wifi module, and a camera in the extra space. This could scan the faces of those around you, and display personalized ads! This is an excellent solution to the hole in your pants, and frankly, the only secure one.

You’re correct that nesting namespaces is unlikely to introduce measurable performance degradation. For performance, I was thinking mostly in the nested virtual network stack adding latency. Both docker and lxc run their own virtual interfaces.

There’s also the issue of running nested apparmor, selinux, and/or seccomp checks on processes in the child containers. I know that single instances of those are often enough to kill performance on highly latency sensitive applications (SAP netweaver is the example that comes to mind) so I would imagine two instances of those checks would exacerbate those concerns.

There are security performance and capability concerns with that approach, apparmor on the first layer lxc probably being the most annoying.

If you want to isolate your docker sandbox from your main host, you should use a vm not a container.

This is the way

I’ve always wondered why board partners didn’t just raise to scalper prices and take a $2200 profit per card sold.

And tbh, it’s Nvidia’s fault that the partners don’t have enough dies, I’d much rather a partner take the margin than an unnecessary middleman.

When you’re the size of LMG you don’t hire investigative law firms for PR; you do it for liability. The goal is to limit corporate liability by removing individuals likely to get you sued, and most importantly to distance leadership from it with plausible deniability. The firm also has its own reputation to consider, and wouldn’t let a client get away with materially misrepresenting their results.

I don’t think its unreasonable to suggest that a positive finding from an investigative firm is evidence to support their position that they, materially, did nothing wrong. The fact that no one was fired as a result of that investigation is a good sign externally, as it would open them up to more liability if they knew about it and did nothing.

The source to this compat library is in their sources last I checked, but because it’s not part of their standard repos it doesn’t technically have to be. I suspect this is eventually the end-goal.

A lot of industries are semi-forced into it. Let me give you an example I know of first-hand. Modern SAP stacks support 3 operating systems. Windows Server, RHEL, and SuSE.

You’re probably thinking to yourself: “but rhel is just regular linux, surely you can install it on anything if you have the appropriate dependencies, I’ll bet it even just works on rhel-compatibles like rocky, alma, or centos stream!”

And you would be ~sort of~ right, but wrong in the most dystopian way possible. The installer itself does hardcoded checks for “compatible” operating systems, using /etc/os-release and a few other common system files. Spoofing those to rhel 8.5 or whatever is easy enough, but the one that really gets you is a dependency for compat-glibc-X.Y-ZZZZ.x86_64. This “glibc compatibility library” is conveniently only accessible via a super special redhat repository granted by a super special sap license (which is like ~$2,000/year/cpu). Looking at the redhat sources it is actually just a bog-standard semi-modern glibc compile with nothing special. The only other thing you get with this license as far as I can tell is another metapackage that installs dependencies, and makes a few kernel tweaks recommended by SAP.

So you can install it on alma/rocky by impersonating rhel in /etc/os-release, and then compiling a version of glibc and linking it in a special hardcoded location, but SAP/Redhat put as many roadblocks in your way as possible to do this. It took me weeks of reverse-engineering the installer to get our farm off of the ~100k/yr that redhat wanted to charge us for essentially:

./configure --enable-bootstrap --enable-languages=c,c++,lto --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-gcc-major-version-only --enable-plugin --with-linker-hash-style=gnu --enable-initfini-array --disable-libquadmath --disable-libsanitizer --disable-libvtv --disable-libgomp --disable-libitm --disable-libssp --disable-libatomic --disable-libcilkrts --without-isl --disable-libmpx --enable-gnu-indirect-function --with-tune=generic --with-arch_32=i686 --build=x86_64-redhat-linux
Thread model: posix
gcc version 9.1.1 20190605 (Red Hat 9.1.1-2) (GCC)

definitely worth $100,000/yr… much capitalism, many line go up

Why?

There’s nothing preventing you from forking a Lemmy client or server to prototype this. Depending on how you implement the activitypub backend, you might be able to make it transparent to a user if you present an algorithm as an array of cross posts via a /c/ of a server.

Anything more might require forking a client, which might be easier to implement but may be harder to convince a large userbase to migrate to.

I think you’ve correctly identified their self-interest over altruism, but you’ve misidentified the internal value of discouraging clickbait. YouTube is a treasure trove for building training datasets, and its value increases when metadata like thumbnails, descriptions, titles, and tags can be trusted.

It’s the AI gold rush; notice how this coincides with options to limit or disable third-party training but not first-party training? It coincides but is definitely not a coincidence.

Idk, this was kind of a rare combination of “write secure function; proceed to ignore secure function and rawdog strings instead” + “it can be exploited by entering a string with a semicolon”. Neither of those are anything near as egregious as a use after free or buffer overflow. I get programming is hard but like, yikes. It should have been caught on both ends

Because that bug was so egregious, it demonstrates a rare level of incompetence.

Because $350 couldn’t possibly buy enough hardware to run a modern operating system!

• Microsoft, probably

You might want to check your access permissions; he didn’t even sudo.

This is probably the play they’re making; the only thing that makes me think it might be something else is that they also announced ditching proprietary code in favor of kvm in workstation. Makes me wonder if they instead are deciding to slowly kill the product line, and instead of just stopping development entirely, they’re giving it out as if it’s some huge gift to try and “buy” good will before it becomes an inferior product?

Either way, support costs for the product are now $0 (because you can’t buy it) and development costs are about to be near-zero if they’re forking upstream kvm.

https://www.phoronix.com/news/VMware-Workstation-KVM

The thing about rational actors, is when given the same information they should make the same choices. I would argue that they’re most likely, instead, just at the peak of mt. stupid

We shouldn’t blame the victims that society failed to properly educate. You’re right that if people intimately understood apple the way you probably do, they’d never buy an apple product. I would argue, however, that it’s a failing of education not an informed choice to be corporately cucked.

I don’t think anyone should expect a battery replacement to be free after 10 years, but it shouldn’t cost $100,000

Just because you can’t use it doesn’t mean a hacker can’t. If someone discovered a vulnerability in the 3g handshake or encryption protocol, it could be an avenue for an RCE.