Comment by angry_octet

18 hours ago

Unfortunately that is not what they proposed. To stretch the automotive analogy too far, you could say: if you invite a carjacker in, their seatbelt is not going to stop them from carjacking you.

"Avoid shared-kernel attack surfaces" is not an unreasonable proposition in 2026.

  • It is very good practical advice.

    It also saddens me greatly, imagining what computing could look like if systems evolved differently.

  • Virtual machines are still the best design and have been for something like 20 years.

    Containers are good, as long as they all share the same purpose (read: same application, no multi-tenant)

    We all know that multi-user systems (and thus, containers) have a very wide attack surface, while the VM attack surface is very limited.

    This is why I am totally convinced that:

      - Red Hat and friends are a terrible idea (licensing forces collocation, which reduces segmentation)
      - per-instance pricing (read: public cloud, but not only that) is terrible, for the same reason. Paying per consumed CPU/RAM is sane; paying per VM unit is damaging