We should have the ability to run any code we want on hardware we own

The reason is that the desktop PC security model is deeply flawed. In modern desktop operating systems, we protect user A from user B. But any program running on my computer is - for some reason - completely trusted with my data. Any program I run is allowed to silently edit, delete or steal anything I own. Unless you install special software, you can't even tell if any of this is happening. This makes every transitive dependency of every program on your computer a potential attack vector.

I want computers to be hackable. But I don't also want my computer to be able to be hacked so easily. Right now, I have to choose between doing banking on my (maybe - hopefully - safe) computer. Or doing banking on my definitely safe iphone. What a horrible choice.

Personally I think we need to start making computers that provide the best of both worlds. I want much more control over what code can do on my computer. I also want programs to be able to run in a safe, sandboxed way. But I should be the one in charge of that sandbox. Not Google. Definitely not Apple. But there's currently no desktop environment that provides that ability.

I think the argument against locked down computers (like iphones and androids) would be a lot stronger if linux & friends provided a real alternative that was both safe and secure. If big companies are the only ones which provide a safe computing experience, we're asking for trouble.

Purists always forget this point :) What is best for 99% of people.

And dumb Euro bureaucrats.

Main way people around me get scammed by far like 90% is social engineering

The only reason we have convenient banking, gov and streaming apps today is because of guaranteed and enforced mobile security by big boys Apple and Google. (Google being Ad company is another matter, not relevant here).

You can also choose to do your banking at the physical branch.

We already had "best of both worlds", especially on mobile OSes - granular permissions per-app were quite good, and on Android until few years ago root was widely available if you needed it as well; these permissions could be locked or frozen if there is concern about users, just like work devices are provisioned with limitations. It all depends on your threat model.

- If you want to run an alternative operating system, you got to learn how it works. That is a trade off not even many tech savvy people want to make.

- There is a trade-off with a desktop OS. I actually like the fact that it isn't super sand-boxed and locked down. I am willing to trade security & safety for control.

> Personally I think we need to start making computers that provide the best of both worlds. I want much more control over what code can do on my computer. I also want programs to be able to run in a safe, sandboxed way. But I should be the one in charge of that sandbox. Not Google. Definitely not Apple. But there's currently no desktop environment that provides that ability.

The market and demand for that is low.

BTW. This does exist with Qubes OS already. However there are a bunch of trade-offs that most people are unlikely to want to make.

https://www.qubes-os.org/

again, no incentive to improve it. its either unpaid work or the OS vendor has a stake in it being insecure. (both exists)

This stuff is not just for the elderly and computer illiterate. It's for you as well. You think they're going to stop?

You're giving up freedom for safety. You will have neither.

There is no "just works" technical solution for a problem caused mainly by naivete and gullibility. Governments and the private sector know this, of course; as others have said, the real purpose is to control users, not to protect them.

I found my parents to install random crappy adware apps from official stores too. What protects their banking application is granular permissions, not root access.

This was just useful for them.

Get some real sandboxing, let me install whatever I want in my sandbox.

That's a bare minimum.

I also want "I am an adult" mode where I get to do what I want. If Google wants to flag secure net, fine. Not every thing is going to work.

AI voice and video cloning scams are also only going to increase. Why would scammers need to get people to install random APKs when they can just impersonate a family member and tell them what to give directly?

To me it seems very much like the classic "think of the children" type argument. It's not going to really fix anything in the end but it will benefit Google.

Disagree. No banking app can resist root access owned by attacker.

With the iPhone they get the risk of answering to a scam call or scam sms and giving them the access of their bank account.

Ubuntu is almost bullet proof for beginners.

In fact, that's what I've done for my parents and I had to retire the computer and get another one because it's the hardware which became too old after 15 years of running Ubuntu without any problem.

Security for users isn't just about bootloader expoits.

The ones banks that do have physical presence are closing left and right? Also, I don’t think I can money transfers at the physical office of my bank.

like if there are OS utopia exist that has all the advantage without the downside then everybody would use that

but people complaining don't live in reality

Even on an iPhone without a sim card, they can download one of the scam casino games from the appstore and give away a lot of money, on Ubuntu they can't do that.

There's more to security than just bytes.

The threats to your average user isn't a bootloader exploit built by some Israeli firm but privacy breaches, social engineering and scams.

No! Which is why I don't want every npm package I install to have unfettered access to my internet connection and to access all my files. If this is being exploited now, I might not even know! How sloppy is that!

> You're giving up freedom for safety.

At the limit, sure, maybe there are tradeoffs between freedom and security. But there's lots of technical solutions that we could build right now that give a lot more safety without losing any freedom at all.

Like sandboxing applications by default. Applications should by default run on my computer with the same permissions as a browser tab. Occasionally applications need more access than that. But that should require explicit privilege escalation rather than being granted to all programs by default. (Why do I need to trust that spotify and davinci resolve won't install keyloggers on my computer? Our computers are so insecure!)

Personally I'd like to see all access to the OS happen through a capability model. This would require changes in the OS and in programming languages. But the upside is it would mean we could fearlessly install software. And if you do it right, even `npm install` could be entirely safe. Here's how we do it: First, all syscalls need to pass unforgable capability tokens. (Eg SeL4). No more "stringy" syscalls. For safe 3rd party dependencies, inside processes we first make an "application capability" that is passed to main(). 3rd party libraries don't get access to any OS objects at all by default. But - if you want to use a 3rd party library to do something (like talk to redis), your program crafts a capability token with access to that specific thing and then passes it to the library as an argument.

Bad:

    // Stringy API. Redis client can do anything.
    redisClient.connect("127.0.0.1", 6379)

    redisConnCap = systemCap.narrow(TCPConnect, "127.0.0.1", 6379)
    redisClient.connect(redisConnCap)

This would require some PL level changes too. Like, it wouldn't be secure if libraries can access arbitrary memory within your process. In a language like rust we'd need to limit unsafe code. (And maybe other stuff?). In GC languages like C# and javascript its easier - though we might need to tweak the standard libraries. And ban (or sandbox) native modules like napi and cgo.

Like, iOS makes most unsafe actions incredibly clear. Apple pay always requires the user to double tap the power button. The OS makes it impossible for an application to charge you money through apple pay without an explicit user action.

Phone apps also can't take control of my entire device, or steal my cookies or cryptolocker my hard drive. Any program you download and run from the internet on a desktop computer can do all of this stuff and more. We shouldn't allow that stuff by default on desktop computers either.

Phones have the right idea. I just don't want Apple and Google to be the only ones who can modify the system at the OS level.

All or nothing thinking is counterproductive.

What's wrong with that?

And then no, it's not clear for me (even as a developer!) how data transfer between apps work, how the advertising id works and how much data Apple and Google really have that they shouldn't. If it's not clear to me as a software engineer, it certainly isn't for your average user.

The browser is just a much easier mental model, especially that I can install an ad blocker on it to make them safer, which I can't on mobile apps.

> Phone apps also can't take control of my entire device, or steal my cookies or cryptolocker my hard drive.

It never happened once with my parents in 15 years of running Ubuntu. Even if that stuff somehow existed, I don't think they would have the tech knowledge to mark the downloaded virus as executable anyways.

Everything you have suggested in this post takes away freedom. There is no solution that doesn't take away freedom / your control. There is always a trade off.

> Like sandboxing applications by default. Applications should by default run on my computer with the same permissions as a browser tab. Occasionally applications need more access than that. But that should require explicit privilege escalation rather than being granted to all programs by default. (Why do I need to trust that spotify and davinci resolve won't install keyloggers on my computer? Our computers are so insecure!)

This already exists on Linux.

I run Discord/Slack in Flatpak. Out of the box the folders and clipboard permissions are restricted. Only the ~/Downloads folder on my PC is accessible to Discord/Slack. You can't drag and drop things into these apps. Which makes sharing content a PITA.

If you don't want to worry about things like keyloggers, you should run an open source OS and use open source programs where you can verify that there are no key loggers. You should also make sure you find out what firmware your keyboard is using (many keyboards themselves have complex micro controllers on them that can be programmed).

So what? The lack of perfect security is a terrible argument against better security.

For example, lockpicks exist. Is that a reason to stop locking your house? Our TLS ciphers might eventually be broken. Should we throw away TLS and go back to unencrypted HTTP?

I'm not expecting anything to 100% stop all scams. But modern computer security is a joke. We could do an awful lot better than we are today at keeping people safe from this stuff.

> We already had "best of both worlds", especially on mobile OSes - granular permissions per-app were quite good, and on Android until few years ago root was widely available if you needed it as well

Yes. I want something like this on desktop too - but I want to own the signing keys, of course. It seems strange that this is so controversial.

That doesn't stop scammers. They also keep getting more sophisticated, often using a combination of social engineering and technical skill, and they keep tricking people into giving them money. So unfortunately, while malware is pretty much a non-factor, scammers still thrive.

There are plenty of places where mobile phones don't work, especially in the summer when there are leaves on the trees. This means SMS won't really work. So for this path, SMS, the bank has an alternative -- call a number on your account with a voice reading the 2FA code. Thus, landlines or VOIP work here.

When it comes to an app, forcing Canadians to use a phone OS controlled by US companies, still has pushback. An example being, the concept of "A Canadian having to use software from a US company, to identify themselves to a Canadian company" is still a hotspot. Especially with the US wanting to annex us.

So this lock in has not yet occurred.

Really, the phone call to a phone number on your account, not using SMS is as solid a protection, as an app running on a phone controlled by a foreign country's company. It's an alternate path. And it solves the whole 'rural person' access.

Many people living in rural areas don't even bother with a phone type device. Some have Kindles. But by buy a phone, if it doesn't work where you live?

This logic, combined with them closing rural banks, means they have to be quite sensitive here. EG, closing rural banks, then making it difficult to do online banking is political poison for our banks.

I know angle grinders exist. I still lock up my bike.

It isn't even a freedom vs security. It is usability vs security.

I'd like that security model to be the default for desktop apps on my computer as well. Its weird that davinci resolve and spotify and all the rest have full access to look through all my files.

> It never happened once with my parents in 15 years of running Ubuntu.

Probably just because so few regular people use ubuntu, scammers & malware authors don't bother targeting it. Still good for your parents though!

Don't rewrite history.

Huh? In what way does application sandboxing take away my freedom? What can I do today that I can't do with a sandbox-everything-by-default model?

In my mind, it gives me (the user) more freedom because I can run any program I want without fear.

> I run Discord/Slack in Flatpak. Out of the box the folders and clipboard permissions are restricted. Only the ~/Downloads folder on my PC is accessible to Discord/Slack. You can't drag and drop things into these apps. Which makes sharing content a PITA.

Cool! Yeah this is the sort of thing I want to see more of. The drag & drop problem is technically solvable - it just sounds like they haven't solved it yet. (Capabilities would be a great solution for this.. just sayin!)

I think a lot of it is "nobody has bothered building it yet" vs security.

Eg Qubes runs everything in Xen isolates - which is a wildly complex, performance limiting way to do sandboxing on modern computers. There are much better ways to implement sandboxing that don't limit performance or communication between applications. For example SeL4's OS level capability model. SeL4 still allows arbitrary IPC / shared memory between processes. Or Solaris / Illumos's Zones. But that route would unfortunately require rewriting / changing most modern software.

I've just explained that sand-boxing causes issues with file access, clipboard sharing etc.

Every hoop you add in makes it more difficult for the user to gain back control, even if that is modifying permissions yourself. Most people will just remove permissions out of annoyance.

If you remove control, you remove people's freedom.

> In my mind, it gives me (the user) more freedom because I can run any program I want without fear.

Any security mechanism has a weakness or it will be bypassed by other means. So all this will give you a false sense of security.

The moment you think you are safe. Is when you are most unsafe.

> Cool! Yeah this is the sort of thing I want to see more of. The drag & drop problem is technically solvable - it just sounds like they haven't solved it yet. (Capabilities would be a great solution for this.. just sayin!)

I don't. It is a PITA. Eventually people just turn it off. I did.

The reality is that if you want ultimate security you have to make a trade offs. Pretending you can make some theoretical system where those trade off don't exists just isn't realistic.

All of this takes considerable time, money to build and after that you need to get people to buy into it anyway. Large billion dollar software companies have difficulty doing this. If you think it is so easy, go away and build a proof of concept.

BTW They have implementing sand-boxing in most desktop operating system. It is often a PITA. Phone like permissions model already exist in Windows, Linux and I suspect MacOS in various guises.

For development there are various solutions that already exist.

e.g.

https://code.visualstudio.com/docs/devcontainers/containers

So these things already exist and often people don't use them. The reason for that is that there is usually reduces usability by introducing annoyances.

> Eg Qubes runs everything in Xen isolates - which is a wildly complex, performance limiting way to do sandboxing on modern computers.

It exists though today. If I care about security enough, I am willing to sacrifice performance. That is a trade off that some people are willing to make.

> There are much better ways to implement sandboxing that don't limit performance or communication between applications. For example SeL4's OS level capability model. SeL4 still allows arbitrary IPC / shared memory between processes. Or Solaris / Illumos's Zones. But that route would unfortunately require rewriting / changing most modern software.

If you solution starts with "rewriting most modern software". Then it isn't really a solution.

BTW what you are suggesting is a trade off. You have to trade resources (time and money typically) to build the thing and then you will need to spend more resources to get people to buy into using your tech.

Your argument would suggest that virtual memory takes away user freedom, because it's now much harder to access hardware or share data between programs, but that sounds ridiculous from a modern perspective. I think it's better to keep freedom and complexity separate, and speak about loss of freedom only when something becomes practically impossible, not just a bit more complex.

You've explained that flatpak has issues with file access and clipboard sharing. My iphone does sandboxing too, but the clipboard works just fine on my phone.

I don't think "failing clipboards" is a problem specific to sandboxing. I think its a problem specific to flatpak. (And maybe X11 and so on.)

> If you remove control, you remove people's freedom.

Sandboxing gives users more control. Not less. Even if they use that control to turn off sandboxing, they still have more freedom because they get to decide if sandboxing is enabled or disabled.

Maybe you're trying to say that security often comes with the tradeoff of accessibility? I think thats true! Security often makes things less convenient - for example, password prompts, confirmation dialogue boxes, and so on. But I think the sweet spot for inconvenience is somewhere around the iphone. On the desktop, I want to get asked the first time a program tries to mess with the data of another program. Most programs shouldn't be allowed to do that by default.

> Pretending you can make some theoretical system where those trade off don't exists just isn't realistic.

I think you might be arguing with a strawman. I totally agree with you. I don't think a perfect system exists either. Of course there are tradeoffs - especially at the limit.

But there's still often ways to make things better than they are today. For example, before rust existed, lots of people said you had to make a tradeoff between memory safety and performance. Well, rust showed that by making a really complex language & compiler, you could have memory safety and great performance at the same time. SeL4 shows you can have a high performance microkernel based OS. V8 shows you can have decent performance in a dynamically typed language like JS.

Those are the improvements I'm interested in. Give me capabilities and sandboxing. A lot more security in exchange for maybe a little inconvenience? I'd take that deal.

The typical user doesn't know how Windows works, and they can run that. These days, users can run a friendly GNU/Linux distribution not knowing how it works. So, disagree with you here.

Social engineering is really where the threat is at these days.

No I am not arguing that at all.

That's how it works on Ubuntu, proprietary apps are usually distributed through snaps which are sandboxed. And unlike on mobile, the OS doesn't have an advertising ID or built-in ad networks.

Normal apps don't need that though because there's a chain of trust which doesn't exist on mobile.

> Probably just because so few regular people use ubuntu, scammers & malware authors don't bother targeting it. Still good for your parents though!

No, it's because the bar on publishing on Ubuntu is much much higher than on an iPhone. Nobody would ever accept those scam casino games on Ubuntu.

Think user accounts but for task classes.

If I'm doing development work, I want to be able to chain together a Frankenstein of apps, toolchain, API services and so on, with full access to everything else in that specific context.

But that doesn't need visibility of my email, my banking and accounting software should have visibility to/from neither, and random shareware apps, games and movies should run, like you say, with a browser tab level of permission.

Making this work in practice while keeping performance maximised is harder than it sounds, preventing leaks via buffers or timing attacks of one sort or another (if apps can take screenshots, game over).. for now I use user accounts, but this is becoming less convenient as the major desktop OS and browser vendors try to force tying user accounts to a specific online identity.

Putting aside the philosophical issues, that statement isn't true for a few years now. It's not well known, even in very technical circles like HN, but macOS actually sandboxes every app:

• All apps from outside the app store are always sandboxed to a lesser degree, even if they are old and don't opt-in.

• All apps from outside the app store may opt in to stricter sandboxing for security hardening purposes.

• All apps from the app store are forced to opt-in, must declare their permissions in a fine grained way, and Apple reviews them to make sure they make sense.

To see this is true try downloading a terminal emulator you haven't used before, and then use it to navigate into your Downloads, Photos, Documents etc folders and run "ls". You'll get a permission prompt from the OS telling you the app is requesting access to that folder. If you click deny, ls will return a permission error.

Now try using vim to edit the Info.plist file of something in /Applications. ls will tell you that you have UNIX write permissions, but you'll find you can't actually edit the file. The kernel blocks apps from tampering with each other's files.

Finally, go into the settings and privacy/security area. You can now enable full disk access for the terminal emulator, or a finer grained permission like managing apps. Restart the terminal and permissions work like you'd expect for UNIX again.

Note that you won't see any permission popup in a GUI app if you open the file via the file picker dialog box. That's because the dialog box is a "powerbox" controlled by the OS, so the act of picking the file grants the app permission implicitly. Same for drag and drop, opening via the finder, etc. The permission prompt only appears when an app directly uses syscalls to open a file without some OS-controlled GUI interaction taking place.

So, if you want a desktop OS with a strong sandbox that you actually control, and which has good usability, and a high level of security too, then you should be using macOS. It's the only OS that has managed this transition to all-sandboxed-all-the-time.

> I don't think "failing clipboards" is a problem specific to sandboxing. I think its a problem specific to flatpak. (And maybe X11 and so on.)

There are other examples.

e.g. There are other things that become a PITA on the phone. Want to share pictures between apps without them having full access to the everything. You need to manually share each picture between apps.

The point being made is that it causes usability issues. What those usability issues are will vary depending on platform. However they will exist.

> Sandboxing gives users more control. Not less. Even if they use that control to turn off sandboxing, they still have more freedom because they get to decide if sandboxing is enabled or disabled.

Anything that gets in my way is something that taken control away from me. Unfortunately giving me full control comes with dangers. That is a trade off.

> Maybe you're trying to say that security often comes with the tradeoff of accessibility? I think thats true! Security often makes things less convenient - for example, password prompts, confirmation dialogue boxes, and so on. But I think the sweet spot for inconvenience is somewhere around the iphone.

No usability and control.

BTW, Your sweet spot is a platform which is the most locked down.

> On the desktop, I want to get asked the first time a program tries to mess with the data of another program. Most programs shouldn't be allowed to do that by default.

Well I don't want to be asked. I find it annoying. I assume that this is the case when I install the program. So I don't install software in the first place that I think might be risky. If I need to install something that I might think is iffy then I find a way to mitigate it.

> But there's still often ways to make things better than they are today. For example, before rust existed, lots of people said you had to make a tradeoff between memory safety and performance. Well, rust showed that by making a really complex language & compiler, you could have memory safety and great performance at the same time.

You aren't selling it to me. I got so annoyed by Rust that I didn't complete the tutorial book. Other than the strange decisions. One thing I hate doing is fighting with the compiler. That has a cost associated with it.

I spend a lot of time fighting with the TypeScript compiler (JS ecosystem is a mess) as a result to have some things work with TypeScript you need to faff with tsconfig and transpilers. Then once you are past that you have to keep the compiler happy. Frequently you are forced to write stupid code to keep the compiler happy. That again has a *cost*.

> V8 shows you can have decent performance in a dynamically typed language like JS.

I work with JavaScript a lot. While performance is better, it isn't actually that good.

There was also two secondary effects.

- Websites ballooned up in size. Also application development moved to the browser. This meant you can lock people in your SaaS offering. Which reduces control/freedom.

- There is a lot of software that is now written in JavaScript that really shouldn't be. Discord / Slack are two of the slowest and memory hogging programs on my computer. Both using Electron.

> Those are the improvements I'm interested in. Give me capabilities and sandboxing. A lot more security in exchange for maybe a little inconvenience? I'd take that deal.

Again. It is a trade-off that you are willing to take. I am willing to make the opposite trade-off.

A working permission system would be objectively good. By that I mean one where a program called "image-editor" can only access "~/.config/image-editor", and files that you "File > Open". And if you want to bypass that and give it full permissions, it can be as simple as `$ yolo image-editor` or `# echo /usr/bin/image-editor >> /etc/yololist`.

A permission system that protects /usr/bin and /root, while /home/alex, where all my stuff is is a free-for-all, is bad. I know about chroot and Linux namespaces, and SELinux, and QEMU. None of these are an acceptable way to to day-to-day computing, if you actually want to get work done.

Not always. The app can claim to need filesystem access and it will get it without the user knowing.

I think you could do this with capabilities!

The current model makes of security implicit, where an application can make any syscall it wants and its up to the OS to (somehow) figure out if the request is valid or not. Capabilities - on the other hand - restrict access of a resource to the bearer of a certain token. The OS knows that by invoking capability X, the bearer can make requests to a certain resource / account / file / whatever. (Think of it like unix file descriptors. You just call write(1, ...) and the OS knows what file you're writing to, and what your access to that file is.)

There's lots of ways to use capabilities to build the sort of frankenstein app you're talking about using caps. Eg, you could have a supervisor task (maybe the desktop or a script or something) that has a capability for everything the user cares about. It can create sub-capabilities which just have access to specific network ports / files / accounts / whatever. It launches subprocesses and hands the right capabilities to the right sub processes. The sub processes don't even need to know what the capability they were given connects to. They just need to know - for example - that reading from the capability gives it the data it expects to receive. Then you can do all the routing & configuration from the supervisor task.

Because all the sub processes only have the specific capabilities that were passed to them, the security surface area is automatically minimised.

SeL4 shows that you can do this without losing much performance. (In SeL4, the IPC overhead is tiny.) But as I said upthread, I'm sure there's also ways to design our programming languages to allow within-process isolation. So, for example, you can call the leftpad package without giving it capabilities held by other parts of the same program.

Capabilities can also make it easy to virtualise filesystems, the network, and so on. Or to do interdiction - and snoop on the messages being sent. Its easy because you can just make virtual network / filesystem / whatever capabilities and pass those to subprocesses.

Uhhh are you claiming ubuntu has a stricter app review process than apple has with the iphone app store?

The app review process on the appstore isn't designed for the user's benefit but Apple's benefit. There's no problem publishing a casino game but if your app doesn't pay the tax, be sure that it will be rejected.

> Anything that gets in my way is something that taken control away from me. Unfortunately giving me full control comes with dangers. That is a trade off.

This one isn't even hard to argue against; Apple being a good steward for its storefront was true in 2011. It is no longer true today. I'd consider a tech-illiterate user less likely to randomly lose a lot of cash by using different storefronts from the Apple App Store (or again, the Google Play Store), if only because those different storefronts actually do a bit of curation instead of focusing on quantity over quality.

[0]: Most of the ones listed here apply that aren't "non-free dependency" or are meant to be a category filter like NSFW. I'd also throw in "microtransactions to unlock basic functionality", but F-Droid effectively bars those with other inclusion rules. https://f-droid.org/docs/Anti-Features/

They make you use this separate device to scan a color qr code generated by the app. The details of the transaction you're authorizing are then displayed on this completely decoupled device, no internet, nothing. After keying in your pin you're given an OTP to put back into the app to authorize.

And I haven't checked, but I'm sure the 'payload' the qr code conveys is signed.

There is a big difference between basic memory protections and what was being discussed.

This is the issue with a lot of people that work in software. They take the most ridiculous interpretation because "that is technically" correct while not bothering to try to understand what was said.

Anything that is proposed has a cost associated with it (time, money). That always has to be weighed up against any potential benefit.

You only need to learn how to start a browser. You're a little behind the times, today browser is the OS.

That is because Windows for the most part manages itself and there are enough IT professionals, repairs shops and other third support options (including someone that is good with computers that lives down the road) where people can problems sorted.

This is not the case with Linux.

> These days, users can run a friendly GNU/Linux distribution not knowing how it works. So, disagree with you here.

Sooner or later there will be an issue that will need to be solved with opening up a terminal and entering a set of esoteric commands. I've been using Linux on and off since 2002. I have done a Linux from Scratch build. I have tried most of the distros over the years, everything from Ubuntu to Gentoo.

When people claim that you will never have to know how it works. That is simply incorrect and gives a false impression to new users.

I would rather that other Linux users tell potential users the truth. There is trade off. You get a lot more control over your own computer, but you will need to peek under the hood sooner or later and you maybe be on your own solving problems yourself a lot of the time.

What happens when the browser update fails because the package database got corrupted?

What happens when a lock file stop the whole system updating because of a previous iffy update?

You are going to need to drop to a terminal and fix that issue or reinstall the whole OS.

Either way you are going to need to know something about how the machine works.

So you need to install Qubes OS for them?

Sure, locking down the OS in this way is more secure, but it's also very restrictive and personally I don't think the added security justifies this. Lock picks do exist, but I am still entirely content with a single lock on my front door. I do not need an extra biometric sensor or camera or security representative standing outside my door to check id's of people passing by in order to consider myself reasonably safe.

Maybe this is cultural/geographical, but I've yet to hear of anyone who lost access to their mail or had unauthorized access to their bank account as a result of malware. I'm sure you can find examples, but I do not consider this an attack vector that is prevalent enough to warrant requiring signed apps or preventing manual installation.

I recently requested those rights again because I needed to install something new for a PoC I was working on, and that wasn't allowed anymore. But during onboarding I had those rights and installed homebrew to more easily install dev tools, and homebrew keeps its admin rights to install stuff in a directory owned by admin. So that circumvents this whole security model (and I did, for my PoC).

The problem is that it's all or nothing. Homebrew should have the right only to install in a specific directory. Apps shouldn't automatically get access to potentially sensitive data. Mobile OSs handle that sort of thing more granularly. Desktop OSs should too.

Because the overly restrictive security rules at my work are little more than security theatre when it's so easy to circumvent.

It's like having an automated turret on your lawn because sometimes people bring bad snacks to your dinner parties.

An expensive iPhone ships with iOS and a rigid security model.

If you tap the `about` button 16 times and click a confirmation dialog, you disable certain security mechanisms against arbitrary software installation. Do something else easy but impossible to do accidentally, and you unlock the bootloader. You progressively lose portions of your warranty in doing so.

This is the path I think we should be going down.

Virtual memory probably isn't what you meant, but take something like user privilege separation. It's usually considered a good idea to not run software as root. To interpret the statement generously, privilege separation does restrict immediate freedom: you have to escalate whenever you want to do system-level changes. But I think josephg's statement:

> Sandboxing gives users more control. Not less. Even if they use that control to turn off sandboxing, they still have more freedom because they get to decide if sandboxing is enabled or disabled.

can be directly transposed to user privilege separation. While it's true that escalating to root is more of a hassle than just running everything as root, in another sense it does provide more control because the user can run arbitrary code without being afraid that it will nuke their OS; and more freedom because you could always just run everything as root anyway.

Maybe josephg's sense of freedom and control is what you're saying there is a trade-off between. But the case of privilege separation shows that some trade-offs are such that they provide a lot of security for only a little bit of inconvenience, and that's a trade-off most people are willing to make.

Sometimes the trade-off may seem unacceptable because OS or software support isn't there yet. Like Vista's constant UAC annoyances in the case of privilege separation/escalation. But that doesn't mean that the fundamental idea of privilege levels is bad or that it must necessarily trade off too much convenience for control.

I think that's also what josephg is suggesting about sandboxing. He says that the clipboard problem could probably be fixed; then you say, "but there are other examples". What remains to be shown is whether the examples are inherent to sandboxing and must degrade a capabilities/sandbox approach to a level where the trade-off is unacceptable to most.

Company A gave me sudo access and I could do anything I wanted.

Company B locks down everything, no sudo, no brew, nothing. But I do get a big VM with root to do anything I want. There is an approved "appstore" of many different varieties of IDEs/tools.

TLDR: Not having brew is not a problem, and /can be/ a better experience if done right.

It took a couple weeks to shift the mental model but I have no problems. The dev experience is quite good because they provide all the libraries you need to do your job.

They’ve had something like that for a long time on Android, and I think it’s a reasonable middle ground between making the platform open and closed. But as far as I know, Apple never did something like that on iOS.

It's crazy if you really can't

im a older millennial, so i have older parents and young kids. My father could not bother with a smartphone or does not care about internet at all. My mother uses whatsapp and everything after initial year she is quite handy with it. Im not scared about her, im more scared that she is reading AI slop.

My kids are now at the age where a lot of the pears are getting a smartphone for them im not giving them a smartphone. If i give them a smartphone in a year or i will be using parental controls.

I also don't believe more people get scammed on PC compared to mobile platforms. Scammers go where the most naive people congregate.

A sensibly configured Linux system is very secure compared to your mobile device. No security model can really shield against user stupidity. The people would need completely different devices as they simply aren't fit to use a computer. My parents are the same, but I won't accept a bad compromise of an OS just because they essentially need other devices.

At some point a user will be asked to allow execution of code they got through some fishy mail. There is no defense against that other than for the user sticking to books.

That or the OS settings for said script will need to be handled. That is time and money.

Won't satisfy developers for long though because it cannot work.

The problem is that mobile OS security systems isn't fit to develop anything but shit. It is simply no solution for desktop.

It really wasn't. It isn't hard to understand what was meant.

> Virtual memory probably isn't what you meant,

No it wasn't and there is no need to put "probably". It was obvious it wasn't.

> can be directly transposed to user privilege separation. While it's true that escalating to root is more of a hassle than just running everything as root, in another sense it does provide more control because the user can run arbitrary code without being afraid that it will nuke their OS; and more freedom because you could always just run everything as root anyway.

The difference is that there are very few things I need to run as user directly daily as root on my Desktop Linux box. I can't think of anything.

However having to cut and paste a meme into ~/Downloads so I can share it on Discord or Slack is a constant PITA. If you sandbox apps you have to restrict what they can access. There is no way around this. The iPhone works the same way BTW. I know I used to own one. You either have to say "Discord can have access to this file", or you have to give it all the access.

> Maybe josephg's sense of freedom and control is what you're saying there is a trade-off between. But the case of privilege separation shows that some trade-offs are such that they provide a lot of security for only a little bit of inconvenience, and that's a trade-off most people are willing to make.

No they are a false sense of security with a lot of inconvenience. The inconvenience is inherent and always will be because you will need to restrict resources using a bunch of rules.

> Sometimes the trade-off may seem unacceptable because OS or software support isn't there yet. Like Vista's constant UAC annoyances in the case of privilege separation/escalation. But that doesn't mean that the fundamental idea of privilege levels is bad or that it must necessarily trade off too much convenience for control.

There are many things that seem like they are fundamentally sound ideas on the face of it. However there are always secondary effects that happen. e.g. Often people just ignore the prompts, this is called "prompt fatigue". I've literally seen people do it on streams.

Operating systems are now quite a lot more secure than they were. So instead of going for the OS, most bad actors will use a combination of social engineering to gain initial entry to the system. The OS security often isn't the problem. Most operating systems have either app stores, some active threat management.

If you are running things from npm/PyPI/github without doing some due diligence, that is on you. This is well past what non-savvy user is likely to do.

> I think that's also what josephg is suggesting about sandboxing. He says that the clipboard problem could probably be fixed; then you say, "but there are other examples". What remains to be shown is whether the examples are inherent to sandboxing and must degrade a capabilities/sandbox approach to a level where the trade-off is unacceptable to most.

It is inherent. It obvious it is. If you want to share stuff between applications like data, which is something you want to do almost all the time. You will need to give it access at least to your file-system. The more of this you do, you will either have to give more access or having to faff moving stuff around. So either you work with a frustrating system (like I have to do at work), or you disable it.

So what happens is you only have "all or nothing".

That is not true. It is understandable that you believe it because it gets repeated a lot, but those repeaters are doing what you are, namely repeating what they heard (and sometimes what they want to be true) without sufficient actual knowledge of what they are talking about.

At least two independent people understood you in the same way. So just dismissing it isn't productive.

> PITA. If you sandbox apps you have to restrict what they can access. There is no way around this.

This has nothing to do with freedom though.

> You will need to give it access at least to your file-system.

On Qubes, you copy-paste with ctrl+shift+v/c and nothing is shared unless you actively do it yourself. It becomes a habit very quickly (my daily driver). Sharing files is a bit harder (you send them from VM to VM), but it's not as hard as you want it to look.

It isn't fortune cookie wisdom and no it isn't "too generic". It is something that fundamentally wasn't understood by the person I was replying to from their comment. I also don't believe you really understand the concept either.

> But we’re not discussing CS theory 101.

No we are not. We are discussing concepts about security and time / money management.

> In this case in particular, what is the cost exactly? Is it a cost worth paying?

You just accused me of "fortune cookie wisdom" and "being too generic". While asking a question where the answer differs dependant on the person / organisation.

All security is predicated on what you are protected against. So it is unique to your needs. What realistically are your threats. This is known as threat modelling.

e.g. I have a old vehicle. The security on it is a joke. Without additional third party security products, you can literally steal it with a flat blade about two inches long and drive away. You don't even need to hot-wire it. Additionally it is highly desirable by thieves. I can only realistically as a individual without a garage to store it in overnight, protect it from an opportunist. So I have a pedal box, a steering wheel lock, and a secret key switch that turns off the ignition and only I know where it is in the cab. That is like stop an opportunist. However more determined individuals. It will be stolen. Therefore I keep it out of public view when parked overnight. BTW because of the security measures, it takes about a good few minutes to be able to drive anywhere.

Realistically. Operating system security is much better than than it was. It is at the point that many recent large scale hacks in the last few years were initiated via social engineering to bypass the OS security entirely. So I would say it is in the area of diminishing returns already. So the level of threats I face and most people face, it is already sufficient. The rest I can mitigate myself.

Just like my vehicle. If a determined individual wants to get into you computer they are going to do so.

> The moment you think you are safe. Is when you are most unsafe.

This is demonstrably false. Qubes OS has the lowest number of CVEs, even less than that of Xen. Last VM escape in it was found in 2006 by the Qubes founder (it's called "Blue Pill").

Also: https://news.ycombinator.com/item?id=27897975

Sure, it is circumstancial security, but exploits exist for mobile devices as well.

>Sooner or later there will be an issue that will need to be solved with opening up a terminal and entering a set of esoteric commands.

That's what I did to export drivers from previous windows installation in suspicion of regression.

Might be a tough sell for the volunteer open source community ("linux & friends") to work on such an alternative "locked down" computing experience. Free and open source software is usually more focused on unlocking use cases, not locking them up.

That all said, I basically consider macOS to be a locked down computing experience. So that's my solution for older people.

It's not a perfect solution but the Apple closed ecosystem is better designed for the limited use cases of the elderly. Rely on iCloud and built-in Apple approaches to data security as much as possible.

For example, an iMac and an iPhone can get all "adulting" use cases done, including typing/receiving emails, printing documents, online banking, government services, and so on. Apple Passwords plus Face ID helps to simplify password-based security. My biggest issue is getting TOTP-based two-factor adopted. Apple Passwords supports this but I usually have to do remote tech support to get it set up initially. It's also annoying that right now, the current generation of iMacs don't support FaceID, because that would simplify authentication across the two primary platforms (desktop/mobile).

I would never use this setup myself since I like to run F/OSS everywhere as much as possible. But I am realistic about tech expectations for the elderly who just want to live their life with minimal investment in learning about data/software security.

But you're right, along with other commenters, that it's dangerous for society to rely on a monopolist technocorporate overlord (or a pair of overlords forming a de facto duopoly) for the basic administrative tasks of adult living and lawful citizenship.

Two people that we are aware of.

BTW, I often encounter this when talking to other techies. People go to the most ridiculous extremes to be contrarian. Often they don't even know they are doing. I know because I used to engage in this behaviour.

So I feel like I am well withing my rights to dismiss it.

There is nothing and I mean nothing that is completely secure.

Installation is not the same as support and isn't the same as trouble shooting.

That why people distro hop. They keep on installing thinking that distro X will solve there problem. It may do, but it frequently has it own problems.

> That's what I did to export drivers from previous windows installation in suspicion of regression.

Which is unusual situation. It isn't unusual situation in Linux.

You're not wrong, but dismissing security because there are always other threats is just security nihilism. See my link.

The web browser is an important attack vector, and there are no Linux distros that sandboxes the browser anywhere near as effectively as Android and ChromeOS do except maybe Qubes, but Qubes is stuck using X for the display server and using Zen, both of which have been abandoned by their maintainers and aren't receiving enough maintenance attention to fix security vulnerabilities. I.e., Qubes's reputation for security probably comes from the fact that it was relatively secure many years ago.

Android and ChromeOS use selinux to sandbox the browser. Fedora uses selinux, too, but it only sandboxes server software: any program including a web browser started by the user is unconstrained (unaffected) by Fedora's selinux implementation.

The kernel is another important attack vector (and Linus has always been bored by and impatient with security considerations.)

Ditto the C library. Note that GrapheneOS uses a special, hardened C libary (which in the last few years has migrated to at least one security-focused Linux distro, namely, secureblue, but of course none of the people that show up here on HN proudly proclaiming that Linux is more secure than iOS or Android use secureblue, and the lead of the secureblue project freely admits that MacOS iOS Android and ChromeOS are more secure than secureblue is).

You know how one of the arguments for Wayland is the fact that there is no way to prevent any process from reading the contents of any X window? Well, to actually achieve this "window privacy" inherent in Wayland requires active support from the compositor, and Gnome has the only Wayland compositor that actually provides this support.

Till the vulnerability started getting exploited some time last year, anyone could upload a theme to KDE's theme store that could run arbitrary code when the user chose to install it. No one was reviewing uploaded themes for malware or warning users of the danger.

Hyprland uses a trampoline (files at a known location in the file system that are occasionally executed by Hyprland) for reasons that are hard to explain if we assume that Hyprland's maintainers care anything about security.

Why round trip it through the file system or Files.app? That seems like extra (annoying) work On my iPhone, I copy the meme onto the clipboard and then I open discord/slack/signal/Whatsapp and find the right channel/chat, and paste right in there.

1. Is the "big VM with root" running macOS itself, or a different OS?

2. Do you do any work on the bare metal version of macOS, or do you just start the VM in the morning and do everything from there?

3. How do you experience the performance/UX of the VM?

4. Do you know why Company B IT has set up this VM solution, instead of a plain old MacBook locked down with Apple's enterprise management tools?

5. Can you explain more about the App Store? Is it the actual Apple App Store but restricted to a curated set of apps, or is it a different system? If so, is the store a custom in-house thing or is it provided by a vendor?

The meme is still alive that windows accumulates garbage and becomes slower with time, so you need to reinstall it periodically. Reinstallation is also how you fix regressions, because ms is busy with cloud services.

>It isn't unusual situation in Linux.

As I remember, on linux I have an ample choice of kernel versions, but I didn't encounter regressions. For windows intel provides only the latest drivers.

Google blesses malware all the time because otherwise they would go bankrupt. They're an ad company, not a security company.

Windows is the least "manage itself" OS out of all OS available today. It needs pretty constant maintenance and esoteric enchantments to keep trucking.

What's even the point of me being alive is I can't do anything that isn't completely idiot-proof and made for goo goo ga ga users?

Look, I get it. Think of the children! Think of the granny!

But I'm not a child, I'm an adult. I would like to be treated as such. Otherwise what the fuck are we even doing here? Why can't I just live in daycare forever? Why am I paying bills?

Today the main problem is social engineering and scams. The disadvantage of mobile OS are too great to justify bad approaches to desktop systems or security in general. And for browsers that means the security threat isn't some arcane media decoder, it is the well made phishing site.

But my argument is more that perhaps I don't want window privacy because it doesn't fit my security needs and reduces functionality and access. And one assumption in that is that one compromised app can compromise the whole system in the worst case and believe risks must be mitigated elsewhere. In case of doubt, I can reasonably sandbox something I execute myself, if the need is warranted.

I would love a good file explorer for my mobile device. But file access is restricted. How many hours wasted to bad security...

If you insist that using software with trampolines means not "caring anything about security", I'm afraid it's a you problem. I'll still be happy to hug my partner when she comes home regardless of what germs might have been on a tram's seat she was sitting on on the way there, regardless of whether someone thinks that this means I don't care anything about health (I'm sure someone does).

In case someone needs it spelled out: I do care, but there are other things I care about too and I won't let some minuscule threats ruin them.

I must admit - I spent about an hour figuring out how to turn off telemetry and other junk after installation. But since then, windows has been trucking along just fine.

We’ve found out about a handful of such attacks over the last few years - like xz. And I’ve seen the number of random dependencies which get pulled in by most nodejs, cargo or python projects. The dependencies just scroll on by. There is no vetting process for putting code in npm or cargo. Nobody signs off on anything. Nobody reads the source code. There are no checks, and you can put anything in there.

If malicious code slipped in, would you even notice? I probably wouldn’t. How terrifying.

Linux’s security model means that any malicious code in a crate can run as me and access all of my files. Or delete them or whatever it wants to do. To me this is crazy. There’s no reason to give arbitrary untrusted code full permissions to all of my files and data - but there we have it.

I worry that it’s only a matter of time before we see more attacks like this. It’s such an obvious attack. And our lax endpoint security makes the vulnerability a way bigger problem than it needs to be. It would be trivial for a remote attacker to install C&C software on my computer. They could grab my SSH certificates and install backdoors in any of my projects on github. Read my email. Impersonate me. Crypto locker my stuff. Install malicious extensions into my web browser. And on and on.

None of this would be possible with proper isolation. There’s no reason a build.rs file needs write access to my whole filesystem. It’s crazy.

But then again, we write and execute our own code, so of course we have to be able to execute unknown code.

The whole thing feels like an exercise in futility to me. It would make more sense to specify what rights a specific application should have. Let me approve the external urls it wants to visit, the folders it wants to access, etc. Shield everything else off.

Why are those the only answers?

If we had free rein to redesign our computers from the ground up, there’s lots of other ways that problem could be solved.

One obvious example is to make copy+paste be an OS level shortcut so apps can’t access the clipboard without the user invoking that chord. Then just copy paste stuff between applications.

Another idea: right now when I invoke a shell script, I say “foo blah.txt”. The argument is passed as a string and I have to trust that the program will open the file I asked - and not look instead at my ssh private keys. Instead of that, my shell program could have access to the filesystem and open the file on behalf of the script. Then the script can be invoked and passed the file descriptor as input. That way, the script doesn’t need access to the rest of my filesystem.

If we’re a little bit creative, there’s probably all sorts of ways to solve these problems. The biggest problem in my mind is that Unix has ossified. It seems that nobody can be bothered making desktop Linux more secure. A pity.

Maybe it’s time to give qubes a try.

(This was at a branch office where every employee worked on very low-level Linux kernel code, so yeah everyone ran their favorite Linux distro.)

I don't understand why people propagate these falsehoods.

I've not needed to worry about this since Windows XP. Which was what? 25 years ago almost.

> Reinstallation is also how you fix regressions, because ms is busy with cloud services.

I've never had hardware regressions with Windows. I've had plenty of weird and annoying bugs return with Linux.

e.g. My Dell 6410 has an issue where the wifi card would die after suspend with kernel 6.1. However it would get fixed by a patch, and then get unfixed the next patch.

> As I remember, on linux I have an ample choice of kernel versions, but I didn't encounter regressions. For windows intel provides only the latest drivers.

"Swings and Roundabout".

Again. It is a pretty niche problem. I've had plenty of weird hardware regressions with the Kernel. Recently there was a AMD HDMI audio bug, IIRC it was kernel related.

One Linux kernel version broke hdmi audio and another fixed it. Recently a change to power management has made my Intel Ethernet controller stop working about an hour after the computer boots up. And so on. Each time I’ve needed to pouring through forums trying to find the right fix. That or pin an older version which worked correctly.

Apps are all-sandboxed-all-the-time on iOS and Android, too; right?

For example, right now when you invoke a script - say "cat foo.js" - the arguments are passed as strings, parsed by the script and then the named files are opened via the filesystem. But this implicitly allows cat to open any file on your computer.

Instead, you could achieve something similar with capabilities. So, I assume the shell has full access to the filesystem. When you call "cat foo.js", the shell could open the file and pass the file handle itself to the "cat" program. This way, cat doesn't need to be given access to the filesystem. In fact, literally the only things it can do are read the contents of the file it was passed, and presumably output to stdout.

> It will be much more complex.

Is this more complex? In a sense, its exactly the same as what we're doing now. Just with a new kind of argument for resources. I'm sure some tasks would get more complex. But also, some tasks might get easier too. I think capability based computing is an interesting idea and I hope it gets explored more.

You missed the point the person you were replying to upthread was making. You're technically right - there is always some tradeoff when it comes to engineering choices. But there's a pernicious idea that comes along for the ride when you think too much about "engineering tradeoffs". The idea is that all software exists on some paraeto frontier, where there's no such thing as "better choices", there's only "different choices with different tradeoffs".

This idea is wrong.

The point made upthread was that often the cost of some choice is so negligible that its hardly worth considering. For example, if you refactor a long function by splitting it into two separate functions, this will usually result in more work for the compiler to do. This is an engineering tradeoff - we get more readability in exchange for slower compile times. But the compilation speed difference is usually so miniscule that we don't even talk about it.

"Everything comes with tradeoffs" is technically true if you look hard enough. But "No, not everything is a trade-off. Some things are just good and some are just bad" is also a good point. Some things are better or worse for almost everyone. Writing a huge piece of software using raw assembly? Probably a bad idea. Adding a thorough test suite to a mission-critical piece of software? Probably a good idea. Operating systems? Version control? Yeah those are kinda great. All these things come with tradeoffs. But the juice can still be worth the squeeze.

My larger point in this thread is that perhaps there are ways we can improve security that don't make computing measurably worse in other ways. You might not be clever enough to think of any of them, but that isn't proof that improvements aren't possible. I wasn't smart enough to invent typescript or rust 20 years ago. But I write better software today thanks to their existence.

I would be very sad if, in another 30 years, we're still programming using the same mishmash of tools we're using today. Will there be tradeoffs involved? Yes, for sure. But no matter, the status quo can still be improved.

> Realistically. Operating system security is much better than than it was. [...] So I would say it is in the area of diminishing returns already. So the level of threats I face and most people face, it is already sufficient.

What threat models are you considering? Computers might be secure enough for you, but they are nowhere near secure enough for me. I also don't consider them secure enough for my parents. I won't go into detail of some of the scams people have tried to pull on my parents - but better computer systems could easily have done a better job protecting them from some of this stuff.

If you use programming languages with a lot of dependencies, how do you protect yourself and your work against supply chain attacks? Do you personally audit all the code you pull into a project? Do you continue doing that when those dependencies are updated? Or do you trust someone to do that for you? (Who?). This is the threat model that keeps me up at night. All the tools I have to defend against this threat feel inadequate.

Until recently I didn't either. Windows resizing to 640x480 when display turns off and sound resetting to 100% after a toast notification.

>It is a pretty niche problem.

I think hdmi audio is a niche problem. What do you even use it for? With linux you can at least try a different version, with windows you have to just eat it.

I proposed a solution for that in my original comment - you should be able to trivially bypass the capability system if you trust what you're running ($ yolo my_script.sh).

The existance of such a "yolo" command implies you're running in a shell with the "full capabilities" of your user, and that by default that shell launches child processes only a subset of those. "yolo" would then have to be a shell builtin, that overrides this behavior and launches the child process with the same caps as the shell itself.

Windows rots. Even a few days without a reboot and things will just stop working or be really slow. No idea why.

But if you don't clean install once every few years you'll just have a ton of shit everywhere. Programs don't clean themselves up.

Also every program has its own update mechanism. Great... now I don't just have to manage windows update, but also a few dozen other esoteric update mechanisms.

iOS and Android are self managing. Windows? Can we be for real? Why get on the internet and lie to people?

Depending on how broadly you define [desktop] OS. There are immutable Linux distributions like Fedora Silverblue or Kinoite where all user apps are run from Flatpak, and so have sandboxing. I'd say it's less mature than MacOS but it's catching up.

My experience of windows is that it works pretty well these days. But I don't develop on windows - I just use it for entertainment (steam, vlc, etc). So there's probably a lot of edge cases that I'm not hitting.

(More tech savvy users could instead boot into a different partition.)

Computers are subversive. They have the power to not only wipe out entire sectors of the economy but also defeat governments and militaries. If you let people run software freely, they can give themselves the power to do things like block ads and copy artificially scarce data at zero cost, directly impacting the bottom line of corporations. And that's when they don't run cryptography, cryptocurrency and anonymization software to escape government control.

So these businesses and governments have every reason in the world to usurp control of your computer. They want computers to only run software that's been authorized by them, so that you can do nothing that harms their interests.

It's not your computer, it's theirs, they're just letting you use it, and only if you follow company and government policy. And it's not at all about your security against external attackers in general, it's about their security against you.

It's got nothing at all to do with "capabilities". It's got everything to do with putting you in digital shackles so that you are forced to live in a dystopian cyberpunk technofeudalist digital fiefdom as a serf who pays and consumes in perpetuity.

The latest in my saga of Windows being annoying is applications just randomly killing themselves when I'm not looking. I don't reboot my work computer because I have far too much precious stuff open.

But, every other day or so, an application or two will mysteriously disappear from my taskbar. Silently. I never catch it, then I get the "hey did you see this email??"

Why no, no I did not. Outlook committed suicide at some point and I'm not pocket watching the windows taskbar. My mistake.

For a while I thought I just hallucinated me closing the application, but I don't close applications, like, ever.

To put into perspective, my work has a policy which forcefully reboots windows once every 14 days. It helps, but not much, because by day 2-3 it's already breaking down. My Debian machine has an uptime of a few hundred days. I legitimately still have applications open from last year.

Maybe I use my computer like a psychopath, or maybe my expectations are too high, but I don't consider windows to take care of itself. Its the most babying-an-OS I ever have to do. iOS and Android are much better as well.

You may be interested in Qubes OS then.