Because by law in certain countries, homosexuality is persona non grata, and a filter needs to be there to legally operate in such countries.
Yep! Such container breakouts exist even today in Citrix!
Shit like this was what got me into cybersecurity
I learned to program when I was 10 on a Commodore 64. And we would wear an onion on our belt which was the style at the time… Sorry, where was I?
Totally get that, but we live in a much more dangerous and predatory computer landscape these days. It would be foolish not to take some precautions.
Standard Ubuntu should have you covered.
One word of warning though, don’t be too egregious with the parental controls. If your kids are motivated enough, they will find a way around it.
Education really is your best weapon here. Tell them about the dangers of the modern web and computing.
Maybe?
Lots of older games never get updated to 64-bit.
Besides, the only operating system to not support 32-bit code anymore is macOS, which even Valve treats as not worth bothering with anymore.
What they mean is if you are affiliated with a national government. You might also be a target if you are very very rich.
If you’re an average Joe, they probably won’t burn it on you.
In the long term it might have a bad effect on the market, as it further helps to cement Microsoft’s control over multimedia APIs, since game developers now have little incentive to target anything other than DirectX…
However, there are others that would argue that Microsoft’s control over multimedia APIs was fully cemented since decades ago, and developers have never had much incentive to target anything other than DX since then.
Back in 2014, Valve tried to bring Linux gaming to the spotlight by offering solid and targetable APIs for developers to port their games. This approach failed hard, and most games had serious deficiencies because most publishers would rather stick a half-assed DX wrapper (like DXVK only infinitely worse) than actually do the work for a proper port.
So, with only a handful of games and what did appear was usually worse than on Windows, releases stopped coming after a year or so.
This is why we have DXVK and Proton today.
There is no confirmation that this came from Nintendo, nor does it list the actual infringing parts like a normal takedown request should.
PC games. Too much of a worry about malware for that nonsense.
A corrupted password policy might do this
You would think you’d already have problems if someone’s managed to compromise one or more of your containers without you knowing though, whether they can get the host or not
True, but the security idea behind being in a containerised environment is that your problems aren’t immediately made worse by the fact that your database server is on the same machine as your web application - since they’d both be on separate but networked containers.
What, if anything, do people do about antivirus in containers?
The real threat to containers isn’t AV-detectable malware, but Remote Code Execution (RCE) exploits.
Containers are best used as single purpose installations. With that configuration, it isn’t easy to get non-standard executables - including malware - onto a container.
Most RCE exploits also don’t involve the dropping of malware files onto the file system. There are some that do, but that issue is better handled in other ways.
Why? Well, AVs only do something about binaries they know or think to be malware. A well-crafted, customised Cobalt Strike beacon (aka: malicious remote control software) will blow through any resistance an AV has to offer.
So what do we do? Remember when I said that containers are best used as single purpose installations? Therefore you know exactly what executables should be running, making it trivial to set up executable whitelisting. That means that any executable not on the list will not run.
But even that isn’t completely bulletproof. It won’t do much against web shells, in which case your best detection mechanism is to look for applications calling /bin/bash or /bin/sh that shouldn’t be.
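The two checks described in the comment above (an executable allowlist, plus flagging shells started by a parent that should never start one), sketched as an added example that is not part of the original comment. It audits process-exec events after the fact rather than blocking them; the policy, paths, container names and events are all constructed for illustration.

```python
# Added illustration; every path, container name and event here is constructed.
SHELLS = {"/bin/sh", "/bin/bash"}

# Hypothetical policy for a single-purpose web container: the executables it
# may run, and the only parent that is expected to start a shell.
POLICY = {
    "web": {
        "allowed": {"/usr/sbin/nginx", "/usr/sbin/php-fpm", "/bin/sh"},
        "shell_parents": {"/usr/local/bin/entrypoint"},
    },
}

# Constructed exec events: which parent started which executable, and where.
EVENTS = [
    {"container": "web", "parent": "/usr/local/bin/entrypoint", "exe": "/bin/sh"},
    {"container": "web", "parent": "/bin/sh", "exe": "/usr/sbin/nginx"},
    {"container": "web", "parent": "/usr/sbin/php-fpm", "exe": "/bin/sh"},
    {"container": "web", "parent": "/bin/sh", "exe": "/tmp/dropped.bin"},
    {"container": "db", "parent": "/usr/sbin/php-fpm", "exe": "/bin/bash"},
]


def classify(event, policy=POLICY):
    """Return the findings for one exec event (empty list means expected)."""
    # A container with no policy gets an empty allowlist: everything is flagged.
    rules = policy.get(event["container"], {"allowed": set(), "shell_parents": set()})
    findings = []
    if event["exe"] not in rules["allowed"]:
        findings.append("not-allowlisted")
    # The shell itself can be on the allowlist (the entrypoint needs it), so the
    # parent is what separates normal start-up from a web-shell pattern.
    if event["exe"] in SHELLS and event["parent"] not in rules["shell_parents"]:
        findings.append("unexpected-shell")
    return findings


def audit(events, policy=POLICY):
    """Return (index, findings) for every event that has at least one finding."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e, policy))]


if __name__ == "__main__":
    for i, findings in audit(EVENTS):
        print(i, EVENTS[i]["parent"], "->", EVENTS[i]["exe"], findings)
```

The third event passes the allowlist because `/bin/sh` is a permitted executable, and is caught only by the parent check, which is the gap the comment points out.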
So when people say ‘force a reboot’ there are two things it can mean:
1. a reboot is required for updates to actually take effect. Linux sometimes does this for things like the kernel.
2. the OS forces you to stop everything you are doing and reboots the machine. I have only ever seen Windows do this. Not Linux, not even MacOS.
This might be where the confusion is coming in. @rtxn is referring to number 1 but the rest of us are referring to number 2
I’ve never seen a distro force a reboot, Windows style. Only ever advise people to reboot.
You’re going to still have problems, owing to the fact that torrent protocol doesn’t download files sequentially (edit: some clients do have this option but it can slow your downloads dramatically). It doesn’t download the first 5 seconds, then the 5 seconds after that, but rather 5 second bits at random parts of the movie.
The security implications from a USB boot are probably more severe but also more the fault of the people configuring your work machine. It is expected that people will plug things like pen drives in, to a degree. It is your job to block it with configurations.
The real problem is that once you start adding or removing internal hardware, that configuration no longer stays a trusted one because they’ve meddled with the components.
Intel IME can snitch on this kind of thing. Completely independent of the OS too.
I mean it likely isn’t an issue for org security (assuming they’re using BitLocker appropriately etc.)
Data loss/leak prevention would vehemently disagree. It’s a potential exfiltration point, especially if the org is blocking USB writes.
Networking might have a thing or two to say about it as well, as it is essentially an untrusted setup on company networks
Sure, people should not use their work computer for personal use.
This isn’t great. But what you’re wanting to do will get you fired.
I dunno, why don’t you ask, eg: Russia?