servers rarely see updates. Maybe it happens in larger firms, but not in smaller shops.
*ouch*
adding PPAs or RPM repos, or installing things from source, I’d say that number is a lot higher than 0.
Nothing wrong with that. Unlike docker, that’s a cryptographically protected toolchain/buildchain/depchain. Thus, a PPA owner is much less likely to get compromised.
Installing things from source in a secure environment is about as safe as you can get, when obtaining the source securely.
Docker contains that nonsense in a way that’s easy to update.
Really? Is there already a builtin way to update all installed docker containers?
What’s uneasy about apt full-upgrade?
Package managers don’t provide a sandbox.
I didn’t say that.
average user who doesn’t run updates consistently, may add sketchy dependencies, and doesn’t audit things would be better off with Docker.
That’s false.
but they’re less likely to cause widespread issues since each is in its own sandbox.
Also false. Sandbox evasion is very easy and the next local PE kernel vulnerability is only weeks away. Also VM evasion is a thing.
Basically one compromised container giving local execution is enough to pwn your complete host.
in the same way that installing a malware-laden executable isn’t an OS problem
except no one is doing that. Every major distro has mechanisms for software supply chain security and reproducible builds.
Do your due diligence, especially if you’re not a developer and thus looking at the Dockerfiles is impractical.
You’re on to something here. If you automate that process, you end up with something we call a package manager.
it’s likely blog posts and users that are at fault.
Exactly. And since reviewing Dockerfiles is impractical, there’s no way docker prevents you from shooting your own foot. Distros learned that long ago: Insecure default configs or injected dependencies are a thing of the past there. With docker, those get reintroduced.
What you are saying is not new but you don’t seem to grasp the difference in risk when you run someone else’s configured environment on your system vs. manually setting them up yourself. You save a lot of time by using docker images but it comes with a price.
There’s no docker vulnerability
No need to. Like sudo doesn’t need a vulnerability when you let contributors of some repository use it on your box.
Things like snyk exist for a reason but it’s not mitigation, just monitoring.
You should stop telling people that using docker is no security problem because that’s wrong, as it adds attack surface to even the most secure projects. Sure, it saves time but things like OP’s news will keep popping up in the future like it did in the past. It can’t be fixed other than just not using it in production. At least build your own containers.
Don’t forget various past issues:
This entirely misses the point of Docker.
It’s just pointing out the risk of letting someone you don’t know with no legal obligations set up your complete environment.
How likely
Probably as likely as someone cracking your really secure ssh password. Still, any sane expert will recommend disabling password auth.
I only pull containers based on some official project.
How do you know they weren’t compromised?
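The comments above about due diligence on Dockerfiles and about not knowing whether an upstream image was swapped out both come down to one mechanical check: pin base images by content digest instead of by mutable tag, so a later push to the same tag cannot silently change what you run. The script below is an added example and is not code from the thread or from any project mentioned in it. It lints a Dockerfile for FROM lines that are not pinned to a full 64-hex sha256 digest (build-stage aliases and scratch are skipped). The Dockerfile fed to it is constructed sample input. Note the caveat: a digest pin only proves you run exactly what you reviewed; it says nothing about whether the upstream was already compromised when you reviewed it.

```shell
#!/bin/sh
# Added example (not from the thread): flag Dockerfile FROM lines whose base
# image is referenced by a mutable tag instead of an immutable @sha256 digest.
# Usage: unpinned_from Dockerfile      or      unpinned_from < Dockerfile

unpinned_from() {
    awk '
    toupper($1) == "FROM" {
        # The image reference is the first argument that is not a --flag
        # (e.g. "FROM --platform=linux/amd64 node:20 AS build").
        ref = ""
        for (i = 2; i <= NF; i++) if ($i !~ /^--/) { ref = $i; break }

        # A later "FROM <alias>" that names an earlier build stage is fine,
        # as is "FROM scratch": neither pulls anything from a registry.
        if (ref == "scratch" || (ref in stages)) { record_alias(); next }

        # Accept only a full sha256 digest: "@sha256:" followed by 64 hex chars.
        d = ref
        sub(/.*@sha256:/, "", d)
        pinned = (index(ref, "@sha256:") > 0 && length(d) == 64 && d ~ /^[0-9a-f]+$/)
        if (!pinned) print NR ": " $0

        record_alias()
    }
    function record_alias(   j) {
        # Remember "AS <name>" so later stages referencing it are not flagged.
        for (j = 2; j < NF; j++) if (toupper($j) == "AS") stages[$(j + 1)] = 1
    }
    ' "$@"
}

# Number of unpinned FROM lines, printed as a bare integer (handy in CI:
# fail the build when it is not 0).
count_unpinned() {
    unpinned_from "$@" | awk 'END { print NR }'
}

# Constructed sample Dockerfile. The alpine digest is a made-up 64-hex value,
# the nginx one is deliberately truncated to show that short digests are rejected.
SAMPLE_DOCKERFILE='FROM ubuntu:22.04
FROM --platform=linux/amd64 node:20 AS build
FROM build
FROM scratch
FROM alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
FROM nginx@sha256:deadbeef'

# Stand-alone run: list the offending lines and their count.
printf '%s\n' "$SAMPLE_DOCKERFILE" | unpinned_from
printf 'unpinned FROM lines: %s\n' "$(printf '%s\n' "$SAMPLE_DOCKERFILE" | count_unpinned)"
```

Once a FROM line is pinned, keep the pin honest: after `docker pull`, the digest reported by `docker image inspect --format '{{index .RepoDigests 0}}' IMAGE` should be the one in the Dockerfile, and bumping it should be a reviewed change, not something a rebuild does for you.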
but I don’t see anything here about Docker itself being a problem
The problem is that rootless docker is a pain and no one does it. Privileged software sideloading other software is a huge risk.
That risk now became an incident. Even if you’re not affected, the risk still remains.
always_has_been.jpg
air gapping doesn’t really help when basically any interface is an attack vector.
evil maid attacks still work.
Time to join the dark side.
You don’t need Windows. You don’t need this job. No one will ever force the Windows upon you *handwave*
Didn’t he prefer theatrical acting & live audience and thus played his TV role like a theater actor would? I vaguely remember reading about it.
Those tend to traditionally exaggerate gestures, facial expressions and tone so the last row still gets everything even when they’re further away.
What’s surprising? You can basically poke a hole in any living thing and goo will drip out if the hole is large enough.
OP pointed out the fascinating specialty of complete transformation with an intermediate liquid state.
I’m no expert either but I never got the idea of a new universe popping up every time. Do other universes also cause popups of new universes or just ours? That’d escalate quickly :-)
I thought it goes that there’s already infinite universes existing from the big bang on. Otherwise universes would be created without big bang. (The new universe would just pop up and you’d still believe it was created by the big bang but there never was one)
Also I’m not sure if laws of thermodynamics had to span across universes. Take two theoretical perfect vacuum/radiation sealed boxes you put an energy source into. There’s no way to communicate between boxes. Each box had its own entropy and state of energy. Both would obey the laws of physics while being separate “systems”.
That thought experiment wouldn’t work, if new boxes had to pop up if one of the boxes wanted to.
why would alternative universes share a single source of energy? couldn’t each have their own?
your own fault. get a nuclear reactor next time d’uh…
https://www.zischka-matratzen.de/.cm4all/mediadb/IMG_5804.JPG
I’d like to see the bedbug that survives this. As mentioned elsewhere, this is used by (hopefully) every hospital, elderly home or hotel for worse stuff than bedbugs.
The mattresses leave this thing in a pristine state.
When you refund a mattress they just surface clean it
yuck. I doubt that. It’s manual work and far more expensive than a machine.
but getting them dry would be a challenge
seriously? I mean, there is a chance no such service exists in your town. Bad luck then. But there is close to zero chance it doesn’t exist in your country.
What do you think hospitals do? (Or good hotels, as mentioned). Source: Worked in an elderly home that used such a service regularly.
Here’s an image of such a mattress washing machine.
They work.
That’s not true. All mattresses except the cheapest foam ones are washable (they are, too but they might change properties then). But why get a used cheap one?
There are mattress washing services with giant washing machines that are used by hotels. Ask hotel staff to find one.
You can’t get rid of most of the build-up.
You actually can get rid of all the buildups. Just like with clothes. Also don’t think sellers throw it away when you refund a mattress - they wash it and sell it again.
just ask beforehand if you can test it quickly. while that’s not 100% proof, most people are honest (at least when giving away stuff for cheap/free). There’s a risk, but at worst you get free trash. Never happened to me, tho.
Also most high-quality stuff is always salvageable. Surely it’s more hassle then if you have to order spare parts or such.
lock 'im up already…
Some things basically come for free when they were used. Washing machine, stoves… Disassembling them to fully clean them takes a day or two, but it’s still faster than buying new and chances are good, someone wants to get rid of their high quality stuff near you and will give it away for cheap if you “dispose” it for them.
You can even wash a mattress for a few bucks. If it’s good quality, a decade old used filthy mattress can come out like brand new.
People finding that gross or poorish are the reason stuff is so cheap
articles don’t mention mitigation methods.
what to disable in thunderbird to not be vulnerable to “obfuscated JavaScript file that is sent to the victim through emails in archive files.” and prevent that “The JavaScript file drops a self-copy at “C:\Users\<Username>” location with random names like “needlereportcreepy.bat”. The bat file is then executed”?