MrDarcy commented on Shai-Hulud compromised a dev machine and raided GitHub org access: a post-mortem   trigger.dev/blog/shai-hul... · Posted by u/nkko
otterley · 15 hours ago
If you have data events enabled for your S3 bucket, CloudTrail will log every access to that bucket along with the identity of the principal used to access it. https://docs.aws.amazon.com/awscloudtrail/latest/userguide/l...
MrDarcy · 14 hours ago
Right and in my example it would be the principal of the service account, not the compromised AWS account.

If you ran a CloudTrail query that's essentially "Did Alice access user data in S3 ever?" the answer would be "No".

So that brings us back to the question: what is meant by "trust CloudTrail"?

MrDarcy commented on Shai-Hulud compromised a dev machine and raided GitHub org access: a post-mortem   trigger.dev/blog/shai-hul... · Posted by u/nkko
otterley · 2 days ago
It depends on what kind of access we're talking about. If we're talking about AWS resource mutations, one can trust CloudTrail to accurately log those actions. CloudTrail can also log data plane events, though you have to turn it on, and it costs extra. Similarly, RDS access logging is pretty trustworthy, though functionality varies by engine.
MrDarcy · 16 hours ago
What do you mean by “trust CloudTrail”?

So CloudTrail shows the compromised account logging into an EC2 instance every day like normal.

Then service account credentials are used to access user data in S3.

How does CloudTrail indicate the compromised credentials were used to access the customer data in S3?
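The correlation question raised in this thread (and in the later reply about the query "Did Alice access user data in S3 ever?") comes down to joining two kinds of CloudTrail records. An AssumeRole management event records the caller's identity and, in responseElements.credentials, the temporary access key STS handed back; every later S3 data event carries the access key that made the call in userIdentity.accessKeyId. The script below is an added example, not code from the post or the thread: it indexes AssumeRole events by the issued key and attributes each S3 data event to the principal that obtained the session. All records, account IDs, ARNs and keys are constructed placeholders; the third record shows the case the thread worries about, a role session whose credentials came from an EC2 instance profile and therefore has no AssumeRole record to chain back to a user.

```python
"""Correlate S3 data events with the AssumeRole call that issued the session.

All records below are constructed samples shaped like CloudTrail entries
(trimmed to the fields used); account IDs, ARNs and access keys are
placeholders, not real values.
"""

ACCOUNT = "111122223333"  # placeholder account id
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/data-service"
ALICE_ARN = f"arn:aws:iam::{ACCOUNT}:user/alice"

SAMPLE_EVENTS = [
    {   # Management event: alice's long-lived key calls sts:AssumeRole.
        # CloudTrail records the temporary access key STS handed back.
        "eventSource": "sts.amazonaws.com",
        "eventName": "AssumeRole",
        "userIdentity": {"type": "IAMUser", "arn": ALICE_ARN,
                         "accessKeyId": "AKIAALICEPLACEHOLDER"},
        "requestParameters": {"roleArn": ROLE_ARN, "roleSessionName": "alice-session"},
        "responseElements": {"credentials": {"accessKeyId": "ASIAFROMALICEPLACEHOLDER"}},
    },
    {   # Data event: that role session reads customer data. The record
        # names the role session, not alice; only the access key links them.
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "eventCategory": "Data",
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/data-service/alice-session",
                         "accessKeyId": "ASIAFROMALICEPLACEHOLDER",
                         "sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}}},
        "requestParameters": {"bucketName": "customer-data", "key": "users/42.json"},
    },
    {   # Data event: same role, but credentials were delivered to an EC2
        # instance profile. No AssumeRole record exists for those, so the
        # trail stops at the role: this is the gap the thread is about.
        "eventSource": "s3.amazonaws.com",
        "eventName": "GetObject",
        "eventCategory": "Data",
        "userIdentity": {"type": "AssumedRole",
                         "arn": f"arn:aws:sts::{ACCOUNT}:assumed-role/data-service/i-0abc123placeholder",
                         "accessKeyId": "ASIAFROMINSTANCEPLACEHOLDER",
                         "sessionContext": {"sessionIssuer": {"arn": ROLE_ARN}}},
        "requestParameters": {"bucketName": "customer-data", "key": "users/43.json"},
    },
]


def index_assume_role(events):
    """Map each temporary access key issued by AssumeRole to the caller's ARN."""
    issued = {}
    for ev in events:
        if ev.get("eventSource") != "sts.amazonaws.com" or ev.get("eventName") != "AssumeRole":
            continue
        key = ev.get("responseElements", {}).get("credentials", {}).get("accessKeyId")
        caller = ev.get("userIdentity", {}).get("arn")
        if key and caller:
            issued[key] = caller
    return issued


def attribute_s3_access(events, bucket):
    """Return (eventName, objectKey, sessionArn, originArn or None) per data event on bucket."""
    issued = index_assume_role(events)
    rows = []
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventCategory") != "Data":
            continue
        params = ev.get("requestParameters", {})
        if params.get("bucketName") != bucket:
            continue
        ident = ev["userIdentity"]
        origin = issued.get(ident.get("accessKeyId"))
        rows.append((ev["eventName"], params.get("key"), ident["arn"], origin))
    return rows


def principal_touched_bucket(events, bucket, principal_arn):
    """Did principal reach the bucket directly, or through a role session it obtained?"""
    return any(session == principal_arn or origin == principal_arn
               for _, _, session, origin in attribute_s3_access(events, bucket))


def unattributed_sessions(events, bucket):
    """Role sessions that touched the bucket but cannot be tied to an AssumeRole caller."""
    return sorted({session for _, _, session, origin in attribute_s3_access(events, bucket)
                   if origin is None})


if __name__ == "__main__":
    for row in attribute_s3_access(SAMPLE_EVENTS, "customer-data"):
        print(row)
    print("alice reached bucket:", principal_touched_bucket(SAMPLE_EVENTS, "customer-data", ALICE_ARN))
    print("sessions needing manual follow-up:", unattributed_sessions(SAMPLE_EVENTS, "customer-data"))
```

Run against real trail output, the same join answers "did Alice reach the bucket" with a yes for the first session, while the instance-profile session lands in the unattributed list; that list is the set of accesses the logs alone cannot pin to a person and is where an investigation has to turn to host evidence. Requiring sts:SourceIdentity on role assumption makes the caller's identity travel into the session record itself, which removes the dependence on the AssumeRole event still being within the log retention window.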

MrDarcy commented on Shai-Hulud compromised a dev machine and raided GitHub org access: a post-mortem   trigger.dev/blog/shai-hul... · Posted by u/nkko
nsonha · 2 days ago
There are logs for accessing aws resources and if you don't see the access before you revoke it then the data is safe
MrDarcy · 2 days ago
Unless the attacker used any one of hundreds of other avenues to access the AWS resource.

Are you sure they didn’t get a service account token from some other service then use that to access customer data?

I’ve never seen anyone claim in writing all permutations are exhaustively checked in the audit logs.

MrDarcy commented on Why Twilio Segment moved from microservices back to a monolith   twilio.com/en-us/blog/dev... · Posted by u/birdculture
MrDarcy · 2 days ago
Reading it with hindsight, their problems have less to do with the technical trade off of micro or monolith services and much more to do with the quality and organizational structure of their engineering department. The decisions and reasons given shine a light on the quality. The repository and test layout shine a light on the structure.

Given the quality and the structure neither approach really matters much. The root problems are elsewhere.

MrDarcy commented on Programmers and software developers lost the plot on naming their tools   larr.net/p/namings.html... · Posted by u/todsacerdoti
mbesto · 4 days ago
"There are only two hard things in Computer Science: cache invalidation and naming things."
MrDarcy · 4 days ago
And off by one errors.
MrDarcy commented on Donating the Model Context Protocol and establishing the Agentic AI Foundation   anthropic.com/news/donati... · Posted by u/meetpateltech
jpmcb · 7 days ago
It feels far too early for a protocol that's barely a year old with so much turbulence to be donated into its own foundation under the LF.

A lot of people don't realize this, but the foundations that wrap up to the LF have revenue pipelines that are supported by those foundations' events (like KubeCon brings in A LOT of money for the CNCF), courses, certifications, etc. And, by proxy, the projects support those revenue streams for the foundations they're in. The flywheel is _supposed_ to be that companies donate to the foundation, those companies support the projects with engineering resources, they get a booth at the event for marketing, and the LF can ensure the health and well-being of the ecosystem and foundation through technical oversight committees, elections, a service desk, owning the domains, etc.

I don't see how MCP supports that revenue stream nor does it seem like a good idea at this stage: why get a certification for "Certified MCP Developer" when the protocol is evolving so quickly and we've yet to figure how OAuth is going to work in a sane manner?

Mature projects like Kubernetes becoming the backbone of a foundation, like it did with CNCF, makes a lot of sense: it was a relatively proven technology at Google that had a lot of practical use cases for the emerging world of "cloud" and containers. MCP, at least for me, has not yet proven its robustness as a mature and stable project: I'd put it into the "sandbox" category of projects which are still rapidly evolving and proving their value. I would have much preferred for Anthropic and a small strike team of engaged developers to move fast and fix a lot of the issues in the protocol vs. it getting donated and slowing to a crawl.

MrDarcy · 6 days ago
This is a land grab and not much else.
MrDarcy commented on Proximity to coworkers increases long-run development, lowers short-term output (2023)   pallais.scholars.harvard.... · Posted by u/delichon
Aurornis · 14 days ago
New to the company. Being in-person makes it easier to build new relationships, make friends with people you wouldn’t normally run into in your corner of Slack, and pick up more info about how the company works.

> If you trust them enough to hire them, why is there a need to keep earning trust for more privileges.

In person accelerates onboarding for all the reasons I mentioned above. It’s not a game of trust or “carrots”.

MrDarcy · 7 days ago
This is nonsensical. Most F500 companies are globally distributed. Most of onboarding is gaining access to systems.

It’s far easier and more efficient to search slack, find the person you need to talk to and DM them in your first week than it is to pester the person who sits next to you to figure out how to click the right Sailpoint buttons.

MrDarcy commented on Jepsen: NATS 2.12.1   jepsen.io/analyses/nats-2... · Posted by u/aphyr
_zoltan_ · 7 days ago
what's the opposite problem statement?
MrDarcy · 7 days ago
The ivory tower standing in the way of delivering value I think.
MrDarcy commented on Proxmox Datacenter Manager 1.0 available   proxmox.com/en/about/comp... · Posted by u/speckx
written-beyond · 12 days ago
PLEASE DON'T DOWN VOTE ME TO HELL THIS IS A DISCLAIMER I AM JUST SHARING WHAT I'VE READ I AM NOT CLAIMING THEM AS FACTS.

...ahem...

When I was researching this a few years ago I read some really long, in-depth, scathing posts about OpenStack. One of them explicitly called it a childish set of glued-together Python scripts that fall apart very quickly when you get off the happy path.

OTOH, opinions on Proxmox were very measured.

MrDarcy · 8 days ago
This matches my personal experience having worked with OpenStack.
MrDarcy commented on The state of Schleswig-Holstein is consistently relying on open source   heise.de/en/news/Goodbye-... · Posted by u/doener
shermantanktop · 9 days ago
It’s a mini-language that you don’t have to learn unless you work with executive types. But it does mean something. In particular it means “activity at the grassroots is wasted effort when the real decision maker with the money is not aware or in agreement with the direction.”
MrDarcy · 9 days ago
“Show me the incentive, I’ll show you the outcome.” -Charlie Munger

u/MrDarcy · Karma: 540 · Cake day: December 6, 2023