They also have "Defender application guard"  which allows launching websites to Edge running in Sandbox. There should be extensions available for also Firefox and Chrome for launching the sandboxed browser, but the browser running in the sandbox is anyways Edge.
(Disclaimer: 20+ years development in low level windows world, from DRM to reversing malware and writting drivers. Dumped the windows completely and continuing on linux (didnt switch due to linux beeing any better, just windows got worse) and freebsd.)
There are two pieces of software, that I consider a must on windows (and I miss very much on linux), one is totalcommander and second is sandboxie.
Do they do it in a filesystem filter driver or similar? Hooking DLL calls in user mode is not really a secure way to do this.
Windows Sandbox launches an isolated, empty VM on every launch. This allows you to install and test software, but the contents are wiped after you close Windows Sandbox.
Sandboxie allows running arbitrary executable in it's own proprietary sandbox, with it's state being stored (and examineable) between runs.
Using Win Sandbox, Edge sandbox, Defender application guard or Docker for Windows enables Hyper-V system wide and makes your current host Windows runs inside a special VM which incur obviously a small performance impact.
> Memory integrity is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor.
The rest just makes it hard for average people to figure out what exactly the software is and how to download it.
The word 'download' is exactly the same font as everything else. So it's hard to find. Why not have a button that stands out? There are 2 links called 'click here'. So you have the read the surrounding text before knowing where you want to click. I can't think of a good reason not to have a clear call to action button that stands out from the rest of the page.
Compared to almost any modern site, this is really bad.
This site even works perfectly on mobile, because it doesn’t change to simplify itself to the point of being unusable, like many modern web sites do, often even refusing to stop doing so when choosing “request desktop site” in the mobile browser.
I've been conditioned to almost subconsciously ignore "big green download buttons", because the vast majority of them are fake.
The only sites I know of that does that are pirate sites.
I'm on a 55 inch screen and have no problems with this website. In fact, I much prefer it to websites that only fill the center third with content.
Are we talking about people who don't understand that if you want the actual details rather than the summary, that's not going to be on the landing page, but on their own dedicated pages?
As an example, take this Android tool I just downloaded:
Very early on, the copy says: "Lockito allows you to make your phone follow a fake itinerary, with total control over the speed, altitude and GPS signal accuracy. You can also simulate a static location. This is the must-have tool for any Android developers who needs to test geofencing-based apps or just test his app on different locations."
It's a clear, concise description of what the tool does, who needs it, and why.
If you don't have that, will some people still rummage around and download your thing regardless? Sure. But fewer of them. And here, for a product that people may not know they need, it could be a lot fewer.
Or, under the <h1> title "Downloads", the bolded table header "Download from" with the "Download from this site" link.
Good design doesn't require a huge, centred, flashing "DOWNLOAD!" button. This seems clear and uncluttered enough to me.
- The large, bolded "Click to download" text isn't clickable, like pretty much every other "Click to..." prompt you've seen.
- After a moment of confusion you think oh okay, there'll be a list of links to places I can download it from then. But there isn't. There's just the product logo. Download the product from itself, maybe? But why is it written like there's supposed to be a list? Hm.
- Oh wait, after "Download the latest version" there's a separate section called "Downloads", that's where the downloads must be.
- Okay, down there after a while there's bold text that says "Download", but that's not clickable, nor is the text next to it that says "Sandboxie Installer." Keep reading.
- Ah, okay, here's a table with a single row for some reason, with a nice link "Download from this site."
- Wait, why did "Download from this site" take me to a completely different site? The address in the bar is totally different, the design is totally different, I've never heard of this new site before and it wants me to give them my job title, full name, company name, and zip code. Is this a popup ad? Is this a scam? I thought I was downloading it from that site I was just on.
Incidentally it doesn't matter as the form doesn't understand my country's zip code system and won't accept it.
I suppose it may just boil down to a fundamental difference of opinion; I don't really think it's necessary for every website to try to accommodate entirely non-tech savvy users — especially a site offering software that already assumes existing technical ability (if you can't negotiate an antiquated download page, you're probably going to struggle to use a lot of software of that era, including Sandboxie).
Also, I can find the download link in maybe 5 seconds, but I bet my father who happens to be an aging software engineer, savvy enough to use this but getting slower, definitely can’t.
I personally have a project that is in it's early stages and the worst thing that could happen right now is that it goes viral and then I won't be able to work on it at my own pace anymore. Having a user base of 3 people is already tiring enough as it is.
A giant "download" button is perfect if your general audience is "everyone". Sandboxie is _nowhere near that level of popular_ nor could it be. Heck, that's literally why it's going open source right now: it's so niche, with such a narrow demographic, that there's isn't even any appreciable amount of money to be made from the people that DO use it.
And I hope you never lose half of your family to cancer within a 2 year period, like I dod. But, should that happen, you might appreciate what that word means. But I wouldn't call you "stupid" just because you don't get it. I'd say that we have different life experiences and assumptions.
nowadays people will probably miss the download link by mistaking it with some advertisements or something similar. they look just like it nowadays...
though back then, the ads where mostly Flash so you it wasnt auto-filtered by your brain like it is now :)
I do not want any product page to do anything more than this. Please.
> Due to requirements of the U.S. government, export compliance is now mandatory when downloading our software. Complete the form to proceed with your download.
That's totally fine by me.
It is not hard to figure out what it is, apart from the news announcement and a download link it says it right there with one sentence.
Want to know how it works. Press "How it works". Want do download it? Press "Download".
Contrast that with today where you have to figure out which filter bubble the author of the page is in. Such niche questions such as: Which OS does this work on? Which language is this library for? Can be quite tiresome to find out...
- it actually loads fast
- it works without scripts.
- it has no ads.
- it has no tracking beyond page analytics.
If those are the benefits, then please, give me more shitty looking websites like this for all the other essential software that should be found on any sane professional's machine, and any "taking personal responsibility" home user's machine.
You're clearly disliking the design to the point that your criticism doesn't even make sense, if that's your complaint then say it outright instead of hiding it behind a lie.
i lived thru that era.
how were they fast on 56kbps modem connections? i clearly remember having to leave my pc on all night to download a single mp3. for websites i would usually grab a book and read a few pages while the site loaded.
Few third party js files
And the fact the site had to actually open on 56k modems
Pages were better before this modern SPA thing that ironically get sold in to improve user experience.
End of discussion I guess..?
Now that I see what things like Angular can do, with lazy-loaded components, and only downloading JSON data and letting the client render the DOM, my pages are actually much faster and the UX is vastly better.
Yes, you need to download the Angular libs, but so many pages use them now they are likely cached, and are negligible in size for a fast connection.
After that, it's client-side routing and downloading mostly just downloading JSON from a REST API. You don't need to server to push a 5,000 row table with all the mark-up, you just grab that data and have the browser construct your table.
And yes, you can still copy/paste the URL. And save the page as HTML. And everything else you can do with a "non-SPA" page.
And no doubt you can do amazing things with it.
But just because I and you can make good pages with it doesn't mean that everyone should do it.
Also, in my experience I guess it will typically
- more than doubles the cost (and I guess this is a conservative number)
- can easily introduce unnecessary problems that prevents cross-browser compatibility
- can often introduce security issues that many developers are unaware of
Then again maybe I should just let the SPA projects keep on coming: I am a consultant.
What I remember from that era is Flash, living through the shit show that was browser quirks and dealing with a front-end stack with no foundation in computer science.
For example, I'd like an easy way to run Firefox in a sandbox under Linux, without the overhead of running a full VM (which is just too resource intensive on my old, slow laptop), I'd like to be able to pull out files that Firefox downloads from the sandbox, and then delete the sandbox when I'm done. Also, Sandboxie can force particular apps to start sandboxed. All that is pretty easy to do from Sandboxie and is 99% of what I use Sandboxie for.
Firejail isn't perfect - but it's at least designed to be a jail/sandbox.
There's also the possibility to use lxc via lxd - if you're running xorg you can forward x11 over ssh to the container (or vm). However access to xorg is problematic (eg shared clipboard, window/screen access).
Wayland supposedly does "everything x does" - but I don't know how you connect displays via the network.
But in the end (even though you requested "not vm") - I'd probably have a look at qubes os: https://www.qubes-os.org/
Afaik it mitigates the "shared xorg server" via using x-in-x nested servers (eg xephyr).
Also came across this, which appears to be a little better than "just" docker - but I'd probably still go with firejail or qubes os:
Edit: hmm apparently there’s also https://firejail.wordpress.com/
There is an entry-level guide at https://blog.simos.info/how-to-easily-run-graphics-accelerat... that describes how to setup a LXD container so that the GUI applications in the container appear on the host. Here, the GUI applications in the container are using the same X11 server as the host, therefore there is no effort for security isolation.
It is possible for those that are interested, to use features from `x11docker` (second X server, xpra, Xephyr) to provide security isolation with LXD containers.
For the Firefox use-case that you describe, you can setup Firefox and then take a snapshot of the container (`lxc snapshot ...`). Every time that you want to run Firefox, you can switch the container back to the snapshot state and start Firefox.
Sandboxie's technology works extremely well for securely isolating all kinds of interactive Windows GUI apps, and might thus be be an interesting alternative to Microsoft's own Windows Container technology which is more focussed on servers and can't really do GUI's.
I'd love to see some experiments using Sandboxie sandboxes as Docker-style images/containers. Packaging a complete GUI app including dependencies and making it easy to run on another Windows machine without polluting it, without noticeable overhead, neatly integrating like you'd expect of a Windows app with things like window management or the clipboard, and all that while being securely isolated from the rest of the machine.
For example: Start with a clean slate, install the software, check that it works correctly, check what it actually installed and what it did to the registry, uninstall, check that everything is gone. It something goes wrong, scrap the sandbox and try again. Do it again with an older version installed in another sandbox, etc...
Maybe I can do it with a VM, but Sandboxie is very convenient and lightweight.
Undoubtably true, although I would add that it hardly promotes free software as a "generally good thing" if the landscape is full of zombie projects like this, devoid of any community that makes open source what it is.
From the news it didn't seem like they are abandoning it.
That's not what GP said, and I'm not sure how you got there from them pointing out this was likely the end of development. From the community guidelines:
> Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith.
onus is a formal word for responsibility or obligation. Until recently, the authors only had a responsibility to their paying customers. Open-sourcing the product instead of abandoning it is also a responsible choice.
How far must somebody take repressibility? Lifetime of unpaid updates seems a bit much.
Let's assume some good faith in those guys too!
Also https://malwaretips.com/threads/sandboxie-should-be-avoided-... and https://techcommunity.microsoft.com/t5/Windows-Kernel-Intern...
From what I can tell, once a privileged process like a kernel driver, starts messing with memory it doesn’t own, like SSDT tables and loaded user-land DLLs, well, game’s over as far as system integrity’s concerned. PatchGuard does integrity checking, but I presume given how common it is, there are known ways to fool it or disable it, perhaps by poisoning whatever it uses to check the SSDT memory.
Interesting variations on this technique might be https://github.com/tandasat/DdiMon and https://github.com/tandasat/SimpleSvmHook
In terms of defense, there’s https://github.com/IgorKorkin/MemoryRanger
And for an organized list of far too many examples for me to feel safe, there’s https://github.com/ExpLife0011/awesome-windows-kernel-securi... (Note: over half of the links I clicked at random had Chinese github commit text or readmes, presumably the list author is either searching Github by function calls or understands Chinese...) Less organized for obvious reasons, but this list of 199 starred projects might also be worth a look https://github.com/dmaynor?tab=stars which in turn pointed me to https://github.com/Hack-with-Github/Awesome-Hacking
And if you like this, you’ll probably also like: https://news.ycombinator.com/item?id=21481598
Alternatively, are there plans for a mac os version?