tl;dr - within the container, the exploit works, and elevates to root (uid 0) within the container - BUT because that namespace actually maps to uid 1000 (the user) outside the container, the escalation does not flow up to the host.
But… does this escape the container? If not (the author seems to indicate it does not) then does it matter if you are in Docker or rootless Podman, right, since the end result is always: you have elevated to root within the container. If the rest of the container filesystem isolation does its job, the end result is the same? Though I guess another chained exploit to escape the container would be worse in Docker? Do I have that right?
This is a problem and most people hadn’t considered it before because the caching is done to speed up build pipeline performance:
“While rootless containers prevent the attacker from escalating to host root, the page cache is still shared across the host. Containers that re-use the same base image layers share the same cached pages for those layers — if a malicious CI job corrupts a binary in the page cache, other containers launched from that same image could end up executing the poisoned version.”
I'm no expert, but the kernel is shared between all containers and the host.
I don't believe the kernel maintains separate page caches for each container; a malicious CI job could corrupt a binary from any container, or the host.
If any security relevant file from the host is mounted into the container this could be exploited quite easily. It is definitely a viable tool for escaping containers but it would require a bit of an attack chain and some containers may not be vulnerable.
Not exactly. One can be charged with stalking, even though the offender only went to places in public that the victim also went to. If combined with a pattern of behavior that, in aggregate, infringes upon the rights of the target, it can become a crime.
The interesting part, for anyone who actually reads the article - the change was fixed in an RC and then reverted in the final release.
Which implies there was some regression, some issue, some incorrect behavior or negative impact. One has to wonder… what could it have been? What could the issue with having a more accurate clickbox for the corner of the window possibly be?
For example: imagine you have 2 windows, the lower right corner of one window almost touching the upper right corner of the other, so that the bounding rectangles overlap but the graphics don't.
With the inaccurate "false square" corners, you just had to check the bounding rectangles, to know which window to resize, now you have to check the actual graphics (or more likely, a mask).
I am not saying it is the problem, but that's the kind of thing that can happen. Or it may be a simple bug, like a crash, memory corruption, an unhandled exception, the usual stuff, but they couldn't fix it in time and it is better to revert instead of leaving the buggy code or pushing an untested fix.
Just revert the code back to pre-26! This is ridiculous, it can't possibly be this hard and if it is, it just points to the degradation in the quality of Apple software! This is maddening!
This is already the pre-26 bounding box, isn't it? It's the new graphics that don't line up. (Not a great excuse, but the graphics are here to stay at least for a little while.)
> the graphics are here to stay at least for a little while
And that's the reason why I won't buy a new Mac.
Tahoe and Liquid Glass are so horrible that they're going to lose customers because of those. They should realize what they did and just backtrack: it wouldn't be the first time they admit they made a mistake [1].
The magic mouse has been there, almost unchanged, since 2009. That is a lot for a tech product, and retiring a product after 16 years is not admitting to a mistake. For example, the Logitech G5 mouse and its direct evolutions were among the most successful Logitech products, and it didn't last that long.
No, it is not just refusing to admit that the magic mouse was a mistake, it is considering that it is the best ever. That USB port on the underside is still one of the great mysteries though, maybe it is some quirk of evolution, because it is certainly not intelligent design.
In addition to vertical scrolling, the Magic Mouse can do horizontal (or diagonal) scrolling, zooming in and out, and a couple of other tricks. This makes it worthy for the people who need this for their work. There are mice that can do horizontal or vertical scrolling -- but not both at the same time.
People who do their work on large documents (pics in Photoshop, videos, CAD, music, even Excel, etc.) use these capabilities every day, and they like their Magic mice very much. If you are not one of these people (software development, for example, can be done with vertical scroll only, for the most part), it doesn't mean it's a bad product -- all it means is that it's a product which is not for you.
I don't use Magic Mouse but am very far from expecting Apple to admit "the magic mouse was a mistake" though.
I am using Sequoia and the windows are definitely rounded! Though the radius is pretty small (the curved region is about a quarter of the mouse cursor area), so the fact you can drag it from outside the window doesn't look ridiculous.
I think it shows how difficult it is to ship a seemingly easy thing inside the Apple machine.
I'm more interested in how or why this bug was approved to be worked on so quickly after it was surfaced, rather than other longstanding and arguably more impactful bugs.
It's because the bug got publicity. Apple marketing prioritizes what does and doesn't get built. Someone saw bad publicity on the front page of HN and requested a fix.
The answer is probably a ho-hum combination of different teams work on different issues, and this one having annoyed one of the devs who could work on it.
macOS does have weirdness with windows that span multiple screens. I bet some of that kicked in to an unacceptable level. It can create incoherent moving/snapping, for example. Has been kind of crazy-making for a while, for my set-up where screens are not joined but adjacent in a triangular configuration.
Yeah, that's something that was unambiguously better back in the "Classic MacOS" days (probably starting with the Mac II). Windows could overlap multiple screens and they were always drawn correctly.
At some point in OS X in the switch to hardware acceleration, they started rendering windows on one screen only.
I get that you hardly ever really want a window spanning two screens, but when you accidentally misplace a window it would be handy to be able to see it on each overlapping screen so you can track it down. Right now you can put a few pixels of the title bar on the wrong screen, and the rest of the window just vanishes.
These regressions are weird given that modern hardware is vastly more powerful than a Mac II.
Given that the video is fully interactive and lets you move around (in a “world” if you will) I don’t think it’s a stretch to call it a world model. It must have at least some notion of physics, cause and effect, etc etc in order to achieve what it does.
Pixel by pixel, time-slice by time-slice, in a 2D+T convolution. You provide enough examples of videos of changing point-of-view, and the model reproduces what it is given.
Yes, it reproduces what it is given by modelling the rules of physics, geometry, etc.
For example, image generators like stable diffusion carry strong representations of depth and geometry, such that performant depth estimation models can be built out of them with minimal retraining. This continues to be true for video generation models.
I’m not sure about “dumb them down”, I suspect it’s more like “subtly influence popular opinion”.
My husband's TikTok feed is full of things like “10 things Americans do that Chinese think are weird”, “10 reasons Chinese cities are in the 22nd century” etc etc.
I personally don’t think that’s propaganda - most of it is factually true and would be pushed to the front of any fair algorithm because it is engaging. But I can kinda see the concern, even though I disagree with the outcome.
If (big if) you trust the execution environment, which is apparently auditable, and if (big if) you trust the TEE merkle hash used to sign the response is computed based on the TEE as claimed (and not a malicious actor spoofing a TEE that lives within an evil environment), and also if you trust the inference engine (vllm / sglang, what have you), then I guess you can be confident the system is private.
Lots of ifs there, though. I do trust Moxie in terms of execution though. Doesn’t seem like the type of person to take half measures.
The ripgrep codebase is the ultimate “pour a drink, settle into your coziest chair, and read some high quality software” codebase. Just click around through it and marvel.
Interesting, how many seconds of 2Gbps transfer do I get before I reach my monthly cap and they start throttling me?
Jokes aside, I'm curious how this is even possible over decades-old cable. I get there's a new DOCSIS standard, but I'm less interested in the protocol and more interested in the simple physics of it. How can a simple coaxial cable cram so much bandwidth?
Happy ex-Comcast customer as well (as much as it pains me to say it, AT&T has actually been pretty good to me with their fiber), but your numbers seem to go against a 1 TB limit: even the gigabit pro plan already includes the "unlimited data" option, which allows you to go well past that. They never would say what exactly "fair use" was, but it was at least above 15 TB/m from what I could tell of not getting kicked off.
Oh interesting. When I was in California, my 1 Gbps plan came with only 1 TB of bandwidth. They did sell "unlimited" as an additional upgrade but IIRC it was $50/month.
> How can a simple coaxial cable cram so much bandwidth?
A large amount of spectrum to work with and a high spectral efficiency. Wikipedia lists DOCSIS 4.0 as having 1.8GHz of bandwidth, and DOCSIS 3.1 as ~10bits/Hz. Assuming DOCSIS 4.0 is at least as efficient, that's about 18Gbps.
The story you're thinking of is about Brian Wilson, the creative force behind the Beach Boys and one of the only real artists of the time who could arguably be considered a peer of The Beatles.
Personally I've never seen a really strong source for that story, only anecdotes. I think it's an oversimplification to say "Strawberry Fields" made Brian Wilson insane. Instead, he was in a mental decline already. The pressure of "Brian Wilson is a genius" was getting to him:
There's a similar story with stronger sources, though. If you want to know about Brian's state of mind around that time, listen to his song Heroes and Villains. Basically, Brian worked on this song like it was his magnum opus, trying to reach the level of Sgt. Pepper. Quoting from Wikipedia (sue me):
> For Wilson, the single's failure came to serve as a pivotal point in his psychological decline, and he adopted the song title as a term for his auditory hallucinations.
> In the September/October 1967 issue of Crawdaddy!, journalist and magazine founder Paul Williams wrote that the song "originally had a chorus of dogs barking, cropped when Brian heard Sergeant Pepper, and was in many ways - the bicycle rider - a far different song."[39]
> Wilson held onto the final mix of the song for about a month. On the evening of July 11, 1967, he was told by his astrologer (a woman named Genevelyn) that the time was right for the record to be heard by the public. Without informing Capitol, Wilson called his bandmates and, accompanied by producer Terry Melcher, traveled by limo to personally deliver a vinyl cut of the record to KHJ Radio.[72] According to Melcher, as Wilson excitedly offered the record for radio play, the DJ refused, citing program directing protocols.[77][78] Melcher recalled: "Brian almost fainted! It was all over. He'd been holding onto the record [and] had astrologers figuring out the correct moment. It really killed him. Finally they played it, but only after a few calls to the program director or someone, who screamed, 'Put it on, you idiot!' But the damage to Brian had already been done."[79]
And this is all the tip of the iceberg. To have an even better understanding, you'd need to listen to the Smile! sessions, and the eventual 2004 "completed" recording of Smile!.
Personally, I think Brian was a genius (well, is; he's still alive, though not looking too good these days, sadly). But unlike The Beatles, who were four friends with an unbelievably tight bond (even after their breakup), Brian had no one else in the Beach Boys who could match him. And I think it was a weight on his shoulders, and that combined with the drug use (and likely a stroke at some point, which is obvious if you ever hear him speak post ~1968) brought his downfall.
To be fair, Dennis and Carl could put out some amazing work, like the Carl-produced "All I Wanna Do" or the Dennis-penned "Forever". But I don't think it negates your point; just wanted to add to it.