Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I want this solved so much - across all of the operating systems I use.

Ideally I'd like to never run code I download from the internet outside of a sandbox ever again.

Case in point, just yesterday: https://www.bleepingcomputer.com/news/security/malicious-vsc... - "Malicious VSCode extension in Cursor IDE led to $500K crypto theft" - because the Open VSX alternative to the VS Code marketplace has unreviewed extensions and they don't have a sandbox to stop them from doing anything they like.



It also really bothers me that running a simple utility effectively means I’ve given the developer full access to my system.

It’s even worse when commercial software wants me to add it’s repo to my package manager for updates… (Who audits post install scripts of RPM, etc!!!)

That being said, I’m also too lazy to run every thing inside its own container — especially for browsers, etc.

Feels too cumbersome that I need some automated CI pipeline just to ensure my DIY containers remain updated.

Also a pain to decide what file/directories the container should have access to.

In principle, I should probably use something like Qubes.

However, the prospect of putting my entire security ins small group of people writing somewhat complicated software with no financial disincentive for shenanigans also bothers me. (I realize this is extremely unfair and their work is quite impressive, but theoretically reality could get in the way)


https://invisiblethingslab.com/ is a company. They have a big vested interest in not doing something shady and wasting years of trust, sinking the company, possibly even risk legal problems.


On one hand yes, on the other hand, cut and run is a common startup strategy. Just not in the security space.

Unfortunately nobody cares about further Linux security, everyone's idea of it is to throw docker and kubernetes at it.


Invisible Things has been around for a very long time, with a much better Linux security strategy than docker.


> I want this solved so much - across all of the operating systems I use.

> Ideally I'd like to never run code I download from the internet outside of a sandbox ever again.

isn't this the sort of thing AI could generate from a handful of prompts?

(don't forget to tell it it's an expert developer with a 20 year background in security!)


I don't know about Cursor, but VSCode can be used from Chrome, which has a good sandbox against an attacker's exploiting VSCode to get access to the system you are running Chrome on.


This has been solved for like 15 years. Use virtual machines!


Right now on my Mac I use a messy combination of Docker containers, sandbox-exec, bits and pieces of WebAssembly and mostly don't bother at all.

I want the friction on this to be way lower. I'd like everything to run in a sandbox by default.


> I want the friction on this to be way lower. I'd like everything to run in a sandbox by default.

You've just described Qubes OS: https://qubes-os.org. My daily driver, can't recommend it enough.


Virtual machine escapes exist either due to hypervisor 0day, misconfiguration or lateral attacks.

0day won’t be wasted on low value targets, but it’s worth pointing out that they’re not an effective security boundary in all scenarios.


A bit more, considering I was using HP-UX Virtual Vault in 2000.

Note the windows captions on the screenshot.

https://www.reddit.com/media?url=https%3A%2F%2Fi.redd.it%2F7...




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: