Readit News logoReadit News
esseph commented on Capsudo: Rethinking sudo with object capabilities   ariadne.space/2025/12/12/... · Posted by u/fanf2
charcircuit · 8 hours ago
I'm not saying there can't be an admin who can create roles, or do some extra authentication to gain that privilege. I am saying that it shouldn't require assuming an all powerful user to do it. You should be able to do it from your actual account. This is good for keeping accurate records too since all actions are done by the users themselves. Yes, technically sudo can be logged, but it's bypassable by starting a shell.
esseph · 5 hours ago
Elevated credentials for said users segment access while still allowing the same user to access more administrative function.

Proper group / sudoers mappings can go a long way, but you still want that administrative break between access levels.

esseph commented on Show HN: I audited 500 K8s pods. Java wastes ~48% RAM, Go ~18%   github.com/WozzHQ/wozz... · Posted by u/wozzio
linuxftw · 10 hours ago
Let's do the math:

A 64GB instance in Azure is $156.28/month reserved. That's $2.44/GB/month.

Let's say you use an extra 4GB RAM for a safety margin or laziness, and you have 50 replicas. That's $488.375 per month 'wasted'. Or $5860/year.

You'll never recoup the money it takes to get those replicas perfectly sized. Just give every app 4GB more RAM than you think it needs, and move on with your life.

esseph · 9 hours ago
You have to pay for that ram, which, by the way, is under a giant cost premium right now.

Multiple the number of apps by the number of desired replicas, across the number of clusters, etc. you could easily be paying 2x-3x in pricing tiers.

esseph commented on Show HN: I audited 500 K8s pods. Java wastes ~48% RAM, Go ~18%   github.com/WozzHQ/wozz... · Posted by u/wozzio
PaulKeeble · 11 hours ago
You run these tools and you find all the maximums for weeks of traffic and so you set them down to minimise cost and all is well until the event. The event doesn't really matter, it causes an increase in traffic processing time and suddenly every service needs more memory to hold all transactions, now instead they fail with out of memory and disappear and suddenly all your pods are in restart loops unable to cope and you have an outage.

The company wasting 20% extra memory on the other hand is still selling and copes with the slower transaction speed just fine.

Not sure over provisioning memory is really just waste when we have dynamic memory based languages, which is all modern languages not in real time safety critical environments.

esseph · 9 hours ago
This acts like one app is the only app running on device, which in the case of k8s, clearly isn't the case.

If you want to get scheduled on a node for execution after a node failure, your resource requests need to fit / pack somewhere.

The more accurately modeled application limits are, the better cluster packing gets.

This impacts cost.

esseph commented on Ensuring a National Policy Framework for Artificial Intelligence   whitehouse.gov/presidenti... · Posted by u/andsoitis
A_D_E_P_T · a day ago
> Companies like . . . Anduril are being gifted contracts all over the place - that’s money we taxpayers are losing.

Can you point to a concrete example of this?

esseph · a day ago
It is well known in Defense circles that much of what Anduril does comes in on no-bid black budget contracts. Often short duration or low volume.

Imagine Silicon Valley CEOs pumped full of VC dollars and embedded with units that Don't Exist in places We Were Never At.

esseph commented on Capsudo: Rethinking sudo with object capabilities   ariadne.space/2025/12/12/... · Posted by u/fanf2
charcircuit · a day ago
>how do you set up those permissions without a god object

Let the operating system define default granted permissions for OS apps.

Have the OS let the user grant permissions at install / runtime for apps.

esseph · a day ago
> Letting the operating system define granted permission for OS apps.

We're heading that direction right now, and it will be the OS vendors who decide what programs you have permissions to run and which ones you can't.

That's a concept that HN seems to detest.

esseph commented on Capsudo: Rethinking sudo with object capabilities   ariadne.space/2025/12/12/... · Posted by u/fanf2
charcircuit · a day ago
>JIT access should be the goal.

Individual privileges for specific things should be given access to instead of giving god access to a system.

esseph · a day ago
I hear what you are saying but many, many people who have dedicated their life to this topic disagree with you. Onions have layers for a reason.

RBAC by nature requires a Creator. ZeroTrust networks still require gateways.

esseph commented on Capsudo: Rethinking sudo with object capabilities   ariadne.space/2025/12/12/... · Posted by u/fanf2
charcircuit · a day ago
You could own a microwave, but there doesn't have to be a button that makes it run with the door open. The UI of devices doesn't let just anything happen. Similarly an operating system doesn't need to make accessible a way to do everything to the user.
esseph · a day ago
"an operating system doesn't need to make accessible a way to do everything to the user"

Microsoft and Apple both seem to think this way. Questionable results.

esseph commented on Capsudo: Rethinking sudo with object capabilities   ariadne.space/2025/12/12/... · Posted by u/fanf2
charcircuit · a day ago
The root account shouldn't exist either. Having god accounts is a bad idea security wise. Instead everything should follow the principle of least privilege.
esseph · a day ago
You should read over NIST 800-53 AC-2 and AC-6. They go over why privileged accounts are important, why they are used, and how they protect users and organizations.

JIT access should be the goal.

Scroll down to: Implementation Guidance

https://csf.tools/reference/cloud-controls-matrix/v4-0/iam/i...

esseph commented on Framework Raises DDR5 Memory Prices by 50% for DIY Laptops   phoronix.com/news/Framewo... · Posted by u/mikece
eikenberry · a day ago
What is this estimation based on? I'd think once the bubble pops pricing would start to return to normal levels and the general consensus seems to think the bubble won't last that long.
esseph · a day ago
"once the bubble pops" people probably won't be interested in buying RAM.

If you would have asked me 5 years ago this wouldn't even become a bubble. I'm still amazed it did. It really taught me how much of the modern economy is just grift.

esseph commented on Id Software devs form "wall-to-wall" union   rockpapershotgun.com/id-s... · Posted by u/simjue
esseph · a day ago
Trying to keep alive 30yr old tech stacks and still pass security reviews, while doing stuff like manually compiling and packaging python 2 and jre6 tools. Ouch.
esseph · a day ago
(sorry, replied to wrong comment!)
e

u/esseph

KarmaCake day1471December 26, 2024View Original