If anyone wants to help make MANETs better with TAK… check out opportunities on ditto.com where the team is building crdts and using them to help enable SAR. Say Turner sent you in your application if it looks interesting. Particularly the FDE role.
Can design then export routes from any geospatial tool like CalTopo, AllTrails, or even WinTAK directly to your ATAK device. Then in ATAK you can use it basically as something like AllTrails on steroids, including offline map caching, route guidance, markers, tracking etc... even geotagged photos. This can be synced across multiple devices among friends using a TAK server. It can also be used for off grid communications and tracking between hikers via something like Meshtastic, which I use fairly regularly with my partner out camping well outside of cellular coverage.
ATAK is not necessarily the most intuitive UI, but it's crazy powerful for doing basically anything outdoors.
I have had pretty good success with steam inside docker. Things like playing counter strike have been pretty seamless. It's cool to see others doing the same. I'm waiting for wayland isolation stuff to actually be integrated into everything (security contexts etc). Even with all this isolation passing in an X socket totally breaks any security guarantees against anything actually malicious. For other apps I can do the dummy X server trick (nxagent etc), however for gaming that is really not an option with the performance requirements.
I use sway and I think it supports security-context-v1, though I haven't tried it. That said, my current setup is just to run cage + xwayland inside the container which gives decent enough sandboxing AFAIK. (I used to use Xephyr but the cage approach gives me dynamically resizable windows). At the very least the host clipboard is not shared with the sandboxed process, which is the primary thing I'm concerned about.
With dependent types you still end up having to do dynamic checking of invariants for a substantial portion of real world code to construct the value with the properties you want. Anything coming from disk or network or a database etc. In practice I feel that it is far easier to just do manual dynamic checking with the constructor hidden from other modules such as `constructEmail :: string -> Email' which uses normal value level code, a common Haskell pattern. Obviously a little less flexible for the common dependent type examples of such as appending two vectors of a specific length.
There are lots of ways to protect your system from a browser exploit via containers, another user, a vm, etc as brought up by other people responding. However protecting a browser from other applications is basically impossible unless you also sandbox everything else you are doing. Even if you run a browser in a VM some other process run as your user could just automate clicking the UI to do whatever. If you go qubes style and isolate everything from everything then it is fine.
Protecting the browser from other applications is arguably more important now than protecting applications from the browser; as the browser contains all your security information (cookies, etc) necessary to login (or be logged in) on all your important sites.
People have been hacked by malicious Minecraft mods uploading browser data to nefarious places.
Even with direct mutual references between some node type this can be represented in a lazy functional language such as Haskell pretty easily without mutation.
Line of site transmissions can go massively further than with even minor obstacles. While a different frequency amature radio operators easily contact the ISS on $30 5 watt handheld radios. If I recall Iridium phones are only a couple watts.
It is hard to call OpenBSD an OS focused on security. Beyond pledge their primary focus seems to be "just implement everything correctly and don't run malware". If some utility has an implementation error or you do accidentally run something malicious you are hosed. Compare this to Linux with the extensive use of containerization and things like eBPF for dynamic security measures, or portals as part as flatpak for dynamic application permissions.
> Compare this to Linux with the extensive use of containerization and things like eBPF for dynamic security measures
I think it's an interesting comparison study and I'm not convinced either way of The Right Approach. OpenBSD takes the approach "keep the attack surface as small as possible" while Linux takes the approach "let's bolt a bunch of layers together... good luck making your way through all of it"
So many misconceptions in the same answer. eBPF is for observability, and letting you run privileged programs inside the kernel space (even with protections) can actually increase the potential attack surface. Containerization is not and was never a security measure.
Most of your comment it's bullshit. Containers are not for security, but for convencience and task separation/isolation to avoid the overhead of a vm. eBPF will expose you further more, not less. Also, how can flatpak secure you against a ~/.profile script run at login or an ~/.xprofile one?
A malicious program is going to have a difficult time adding something to your ~/.profile script if it cannot access your home directory. Although I don't doubt that many flatpak programs have too lenient default permissions, and the various XOrg lack of isolation issues are unfortunate somewhat remedied in wayland.
Wayland does not stop a process from manipulating the home directory, doing various things on the network, using a ton of memory, recording what other processes exist etc. Once you add all that stuff you start to get something that looks a lot like containers.
I wish blueprint was more public and open about the methodology and data. Johnson is doing so many interventions and it would be interesting to have public data for them beyond a periodic aggregate snapshot on the blueprint websites which basically amounts to a marketing page. In comparison someone like Michael Lustgarten (1) publishes nearly everything, documents what intervention they are about to do, do it, and then publish the results.
https://en.wikipedia.org/wiki/Android_Team_Awareness_Kit