Hacker News: neoCrimeLabs's comments

This cannot be repeated enough.

This makes me more likely to buy Bose.

Why would I buy something that a vendor intends to kill off in an attempt to make me buy again?


This is the extension I use:

https://addons.mozilla.org/en-US/firefox/addon/redirector/

https://chromewebstore.google.com/detail/redirector/

Not only do I translate x.com -> xcancel.com, but

- cnn.com -> text.cnn.com

- youtube.com -> inv.nadeko.net

- instagram.com -> imginn.com

And more.

Regular expressions allow translations of paths for the redirection, so it does not just happen at the top level.


I can't tell you how happy you have made me with this post. This is such a great extension. Instagram, especially, is such a nightmare to navigate.

That looks rather useful. Do you by chance have an export of your current redirects and if so could you sftp them to

    sftp scratch@scratch.newsdump.org
    cd pub
    put _your_redirect_export.json # or whatever the extension is

Why does Redirector fog out the background when you add a new redirect? I can't see their example of how to fill it out. Bad UX.

It's quite simple but unusable on Firefox Mobile :-/ (Cannot edit Sites).

You actually can edit your redirects in Firefox Mobile (at least it works in Nightly). There is a focus bug in the Edit Redirects popup.

Tap the Edit Redirects button. Nothing seems to happen, but then tap the back-arrow at the top. Go to your Firefox tab switcher, and you should now see a "REDIRECTOR" tab. This is the editor.


Thanks for improving my web experience.

Care to share your redirects?

It depends on your threat model, but generally speaking I would not trust default container runtimes for a true sandbox.

The kata-containers [1] runtime takes a container and runs it as a virtual host. It works with Docker, podman, k8s, etc.

It's a way to get the convenience of a container, but benefits of a virtual host.

This is not do-all-end-all, (there are more options), but this is a convenient one that is better than typical containers.

[1] - https://katacontainers.io/


This is a well understood and well documented subject. Do your own research.

Start here to help give you ideas for what to research:

https://linuxsecurity.com/features/what-is-a-container-escap...


This kind of response isn't helpful. He's right to ask about the motivations for the claim that containers in general are "not a sandbox" when the design of containers/namespaces/etc. looks like it should support using these things to make a sandbox. He's right to be confused!

If you look at the interface contract, both containers and VMs ought to be about equally secure! Nobody is an idiot for reading about the two concepts and arriving at this conclusion.

What you should have written is something about your belief that the inter-container, intra-kernel attacker surface is larger than the intra-hypervisor, inter-kernel attack surface and so it's less likely that someone will screw up implementing a hypervisor so as to open a security hole. I wouldn't agree with this position, but it would at least be defensible.

Instead, you pulled out the tired old "educate yourself" trope. You compounded the error with the weaselly "are considered" passive-voice construction that lets you present the superior security of VMs as a law of nature instead of your personal opinion.

In general, there's a lot of alpha in questioning supposedly established "facts" presented this way.


> This is a well understood and well documented subject. Do your own research.

Anything including GNU/Linux kernel can be broken with such security vulnerabilities.

This is not a weakness in the design of containers. `npm install`, on the other hand, is broken by design (due to post-install).


> This is not a weakness in the design of containers.

Partially correct.

Many container escapes are also because the security of the underlying host, container runtime, or container itself was poorly or inconsistently implemented. This creates gaps that allow escapes from the container. There is a much larger potential for mistakes, creating a much larger attack surface. This is in addition to kernel vulnerabilities.

While you can implement effective hardening across all the layers, the potential for misconfiguration is still there, therefore there is still a large attack surface.

While a virtual host can be escaped from, the attack surface is much smaller, leaving less room for potential escapes.

This is why containers are considered riskier for a sandbox than a virtual host. Which one you use, and why, really should depend on your use case and threat model.

Sad to say it, a disappointing amount of people don't put much hardening into their container environments, including production k8s clusters. So it's much easier to say that a virtual host is better for sandboxing than containers, because many people are less likely to get it wrong.


> Many container escapes are also because the security of the underlying host, container runtime, or container itself was poorly or inconsistently implemented.

Sure, so running `npm install` inside the container is no worse than `npm install` on my machine. And in most cases, it is much better.


Containers are more isolation than without. That was never in debate in our conversation.

Escaping a properly set up container is a kernel 0day. Due to how large the kernel attack surface is, such 0days are generally believed to exist. Unless you are a high value target, a container sandbox will likely be sufficient for your needs. If cloud service providers discounted this possibility then a 0day could be burned to attack them at scale.

Also, you can use the runsc (gvisor) runtime for docker, if you are careful not to expose vulnerable protocols to the container there will be nothing escaping it with that runtime.


You start with the assumption of "properly set up container". Also I believe you are oversimplifying the attack surface.

A container escape can be caused by combinations of breakdowns in several layers:

- Kernel implementation - aka, a bug. It's rare, but it happens

- Kernel compile time options selected - This has become more rare, but it can happen

- Host OS misconfiguration - Can be a contributing factor to enabling escapes

- Container runtime vulnerability - A vulnerability in the runtime itself

- Container runtime misconfiguration - Was the runtime configured properly?

- Individual container runtime misconfiguration - Was the individual container configured to run securely?

- Individual Container build - what's in the container, and can be leveraged to attack the host

- Running container attack surface - What's the running container's attack surface

The last two are included to be complete, but in the case of the original article running untrusted python code makes them irrelevant in this circumstance.

My point is that you must consider the system as a whole to consider its overall attack surface and risk of compromise. There is a lot more that can go wrong to enable a container escape than you implied.

There are some people who are knowledgeable enough to ensure their containers are hardened at every level of the attack surface. Even then, how many are diligent enough to ensure that attention to detail every time? How many automate their configurations?

Most default configurations are not hardened as a compromise to enable usability. Most people who build containers do not consider hardening every possible attack surface. Many don't even know the basics. Most companies don't do a good job hardening their shared container environments - often as a compromise to be "faster".

So yeah, a properly set up container is hard to escape.

Not all containers are set up properly - I'd argue most are not.


> Escaping a properly set up container is a kernel 0day.

No, it is not. In fact many of the container escapes we see are because of bugs in the container runtimes themselves, which can be quite different in their various implementations. CVE-2025-31133 was published 2? months ago and had nothing at all to do with the kernel - just like many container escapes don't.


If a runtime is vulnerable then it didn't "set up a container properly".

Containers are a kernel technology for isolating and restricting resources for a process and its descendants. Once set up correctly, any escape is a kernel 0day.

For anyone who wants to understand what a container is I would recommend bubblewrap: https://github.com/containers/bubblewrap This is also what flatpak happens to use.

It should not take long to realize that you can set it up in ways that are secure and ways which allow the process inside to reach out in undesired ways. As runtimes go, it's as simple as it gets.


Note CVE-2025-31133 requires one of: (1) persistent container (2) attacker-controlled image. That means that as long as you always use "docker run" on known images (as opposed to "docker start"), you cannot be exploited via that bug even if the service itself is compromised.

I am not saying that you should never update the OS, but a lot of those container escapes have severe restrictions and may not apply to your specific config.


Note this lists 3 vulnerabilities as an example: CVE-2016-5195 (Dirty COW), CVE-2019-5736 (host runc override) and CVE-2022-0185 (io_uring escape)

Out of those, only the first one is actually exploitable in common setups.

CVE-2019-5736 requires either attacker-controlled image or "docker exec". This is not likely to be the case in the "untrusted python" use case, nor in many docker setups.

CVE-2022-0185 is blocked by seccomp filter in default installs, so as long as you don't give your containers --privileged flags, you are OK. (And if you do give this flag, the escape is trivial without any vulnerabilities)
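The layered list of container escape causes above, and the point that seccomp and the absence of `--privileged` are what keep a default install safe from a bug like CVE-2022-0185, both come down to checking what a running container was actually given. The following audit is an added example, not code from any commenter or from Docker: it reads the JSON that `docker inspect` emits (a constructed, trimmed sample is embedded) and flags the host-config settings that widen the attack surface. Field names are the real `docker inspect` keys; the sample values and container name are made up.

```python
import json

# Constructed sample of `docker inspect <container>` output, trimmed to the
# fields this audit reads. Not captured from any real host.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/untrusted-python",
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": True,
        "CapAdd": ["SYS_ADMIN"],
        "SecurityOpt": ["seccomp=unconfined"],
        "PidMode": "host",
        "Runtime": "runc",
    },
    "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                "Destination": "/var/run/docker.sock"}],
}])

# Capabilities whose presence removes most of the kernel-side isolation.
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN",
              "DAC_READ_SEARCH", "ALL"}

def audit(inspect_json: str) -> dict:
    """Return {container_name: [finding, ...]} for every container in the JSON."""
    results = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig") or {}
        findings = []
        if hc.get("Privileged"):  # --privileged: all caps, seccomp/AppArmor off
            findings.append("privileged: all capabilities granted, seccomp/AppArmor disabled")
        sec_opt = hc.get("SecurityOpt") or []
        if any(o in ("seccomp=unconfined", "apparmor=unconfined") for o in sec_opt):
            findings.append("syscall/LSM profile disabled: " + ",".join(sec_opt))
        caps = {cap.removeprefix("CAP_") for cap in (hc.get("CapAdd") or [])}
        if caps & RISKY_CAPS:
            findings.append("risky capabilities added: " + ",".join(sorted(caps & RISKY_CAPS)))
        if hc.get("PidMode") == "host":
            findings.append("shares the host PID namespace")
        if any((m.get("Source") or "").endswith("docker.sock") for m in c.get("Mounts") or []):
            findings.append("docker socket mounted: container can drive the daemon")
        if not (c.get("Config") or {}).get("User"):
            findings.append("runs as root inside the container (no USER set)")
        if hc.get("Runtime", "runc") == "runc":  # runsc (gVisor) or kata would isolate the kernel
            findings.append("note: default runc runtime shares the host kernel")
        results[c["Name"].lstrip("/")] = findings
    return results

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, *findings, sep="\n  ")
```

Feed it `docker inspect $(docker ps -q)` on a real host to audit every running container at once; a container whose only finding is the runc note is as close to "properly set up" as a default Docker install gets.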


The burden of proof lies with the person making empirically unfalsifiable claims.

There goes my productivity for the weekend. :-D

Gimp is not typically used as a background process. Its primary use is as an interactive tool with a UI, therefore it's not typically a daemon. [1]

[1] - https://en.wikipedia.org/wiki/Daemon_(computing)


Thank you for the kind and actually helpful answer, especially in the face of a rant. I will pay more attention next time.


Adding to this frustration is a 25yr registered 501(c)3 non-profit I volunteer for that holds an annual art festival. The festival proceeds go to funding educational materials. They've had an active facebook page for at least 15 years, with thousands of followers from around the world.

When the non-profit tried to advertise the art festival on Facebook, Facebook not only denied them, but when the non-profit asked for a review of the denial they were warned that if they asked again their entire Facebook page would be flagged and deleted.

Facebook is large enough I cannot imagine their reasoning. They very likely have several conflicting streams of logic depending on teams involved. One thing I think is reasonable is that money is a motivational factor for Facebook.

Put simply, organizations who come in immediately spending money on advertising are more likely to be fast-tracked. Organizations who don't spend a lot of money are more likely to be shut down. ("You've been a freeloader all this time who will likely not pay sustainably after this one-time payment. We're focusing on sustainable paying customers, goodbye.")

Addition: Now that I think about it, I wouldn't be surprised if there is a literal metric of "money/time" ratio. The more money you spend in less time likely improves your chances of being fast-tracked, thus biasing new accounts who immediately spend on advertising over existing ones who sparsely pay.


Having worked in advertiser support: fb pages are basically an unsupported product and their support channels for advertising are farmed out to the lowest bidder.

They do bucket out support into spend tiers, although when I was there it was overall spend, not frequency


Thanks for the insights! That was helpful.


Bro you may have just been socially engineered to give out the internal workings of Facebook from a neo crime lab.

You don't have to socially engineer someone who already doesn't care ;)

What's your mother's maiden name? (Humor)

My username is a dumb old name, but it's the one I have.


is it really that difficult to conclude support quality is tied to overall advertiser spend?

As a Nuke, Fusion, and formerly MagicMusicVisuals user, I am excited to give TiXL a try. Love node based workflows, but find Blender too heavy for most of my needs. I'm surprised I have not run across it yet. Thanks @nateb2022 for sharing it here!


I can attest at least some of this is true.

My blogging and publishing almost never comes up during an interview. Afterwards, I am openly told it's why they either asked for me, or why they chose me over another candidate. This has happened at almost every job I've accepted.

My writing style or content is not all that special. As the saying goes, 90% of success is simply showing up.

Just being able to explain complex topics in simple ways can go a long way, even if you're not an amazing author.

---

Addition: This is especially true with topics so expansive that even great LLMs often conflate subtopics in weird ways. While this gap is rapidly closing, being able to clearly explain complex interconnected topics in simple ways is absolutely an advantage.

