Hacker News

Is there any downside to unironically doing this? Seems like it'd actually work.


Expect Oracle's lawyers to send you a bill.


There is an Oracle license attached to it


IIRC the extensions pack has a (very limited) free license for personal and educational use, although I'm not sure if the 'pretending to be a sandbox' use case would be covered.


It’s not much harder to just harden your system to not be vulnerable in the first place, and that protects you from a lot more.


> It’s not much harder to just harden your system

'just' harden the system is not easy.

But installing something like a VMware guest driver is easy, as even a non-technical user can do it following some basic instructions.


Defense in depth


Agreed - like using a non admin account.


How does that protect against ransomware?


Limits the blast radius to only the files that the more limited user has write access to.


The files I normally have write access to are my important files though.

Immutable snapshots/offline backups help with those.


It's more important in a corporate setting. Lateral movement inside the network is much more likely if the attacker has local admin.


Why would local admin have relevance to network movement?


Because every time an account logs onto a computer, it leaves traces. Some ephemeral in memory, some permanent on disk. It can be Kerberos tickets, process tokens, domain cached credentials, hashes or even clear text passwords in memory. It's common practice in a lot of organizations for administrators to log on to random workstations to perform whatever task they need to do.

Or there is a service running in the context of a service user domain account. Or the password of the local administrator account is identical on all systems, which was very common before LAPS became a thing.

Yes, if you do everything perfectly and always go by best practices, none of this should be relevant, but most people aren't doing everything perfectly all of the time.

To access any of these things, you need local admin permissions. Then you can reuse them to log on to other systems.


Got it. So it's less about the account itself, and more about the other account data you can only acquire with admin privileges from the local machine (almost like credential stuffing)


Even if you do everything perfectly there's always a chance one of Microsoft's engineers made a mistake somewhere and somebody found it and is now sitting on a zero day. And now with vibe coding the likelihood of that went up by who knows how much. Even air gapped systems get infected if the attacker is sophisticated enough.


As with the other reasons stated... local admin, at least in the environments I've seen, can still install software. Installing and running something like AngryIPScanner may be possible as local admin.


On the flip side, I feel like privilege escalations are a dime a dozen.


Please tell me what tools you use to receive future zero-day vulnerability patches.


To be fair the vast, vast majority of exploitation that we see (especially in the news) comes from sub-par security setups and poor training/architecture. That’s not even going into security monitoring which most companies don’t or barely have.

Zero days account for a very small amount of exploitation in comparison and by definition are unpatched so I think the commenter was right to point out the basics.


Qubes OS should protect you even from unknown vulnerabilities as long as you use its compartmentalization approach. Works for me (or so I hope).


Wikipedia's page on "just intonation" is, oddly, about music.


OK. You've lost me.


I apologize for making you feel dumb. Just try practicing some mindfulness.


And it is so too that “just deserts” are rarely desserts at all.


... as is "Just for Men"


Anticheat might throw a fit


Don't play games on your production hardware. Easy fix.


Or don't play games that behave indistinguishably from ransomware.



