ones_and_zeros commented on Remote Code Execution as a Service   earthly.dev/blog/remote-c... · Posted by u/dijit
adamgordonbell · 3 years ago
Interesting! What was the service? In our case we control the container, which is BuildkitD, but it has to be run privileged, which means lots of solutions are off the table.
ones_and_zeros · 3 years ago
Rather not say. Yeah, building and then running containers where users get to pick the base image is a risk.

We found that privileged is a pretty big hammer and thought we needed it too, but we found ways to give us the functionality we needed without all the extra stuff we didn't need that privileged brings in.

ones_and_zeros commented on Remote Code Execution as a Service   earthly.dev/blog/remote-c... · Posted by u/dijit
adamgordonbell · 3 years ago
Thanks for sharing this. One of the authors here.

We built a service that executes arbitrary user-submitted code. An RCE service. It's the thing you're not supposed to build, but we had to do it.

Running arbitrary code means containers weren't a good fit (container breakouts happen), so we are spinning up and down EC2 instances. This means we have actual infrastructure as code (i.e. not just piles of Terraform but Go code running in a service that spins up and down VMs based on API calls).

The service spins up and down EC2 instances based on user requests and executes user-submitted build scripts inside them.

It's not the standard web service we were used to building, so we thought we'd write it up and share it with anyone interested.

One cool thing we learned was how quickly you can Hibernate and wake up x86 EC2 instances. That ended up being a game-changer for us.

Corey and Brandon did the building, I'm mainly just the person who wrote things down, but hopefully, people find this interesting.

ones_and_zeros · 3 years ago
Container breakouts are rare and they typically require the attacker being able to control either the container creation parameters and/or the actual image being run. If you control those things and apply process isolation best practices (seccomp, cap drops, etc.) then you are in pretty good shape.

Source: ran a container-based RCE service that ran millions of arbitrary workloads per month. We had sophisticated network and system anomaly detection, high-priced pentesters, etc. and never had a breakout.

ones_and_zeros commented on U.S. annual inflation rate drops to 8.5%   bls.gov/news.release/arch... · Posted by u/ericliuche
Dork1234 · 4 years ago
Heat pumps are 2 to 4 times more efficient, and if you are in MA you can get up to a $10,000 rebate and 0% loan when purchasing a heat pump. Why would you stick with oil heat? Even if it drops to $2 it will be much cheaper to have a heat pump.
ones_and_zeros · 4 years ago
In MA you are paying through the nose on labor to install though. That rebate evaporates pretty quickly, still a 5 figure job.
ones_and_zeros commented on Europe is investing heavily in trains   nytimes.com/2022/04/05/tr... · Posted by u/lxm
monksy · 4 years ago
As someone who just rode in a sleeper car for the second time, I like Amtrak when I can do this. It's completely unreasonable for a round trip, but I did Chicago->Seattle and Chicago to Boston (where I'm currently here.. and will be flying back tomorrow).

It's a mostly great experience... all due to the scenery you're watching, not so much everything else.

What worries me if it becomes more privatized: You'll see the experience drop a lot more, features you need for long distance trips (big seat+power outlet) removed. You'll get a lot more stressed employees who will create conflicts etc.

What I would like to see:

- More prioritization on autonomous cars

- More frequent routes

- Infrastructure improvements for faster service (We could and should have a hub/spoke model for ICE like passenger rail)

- Support with integration into the communities they connect into. (Build the town around it) Create a standard that local rental car companies are working with the passengers arriving and leaving.

- General equipment refreshes (A lot of it is maintenance by schedule rather than reactive.. a lot of the experience is pretty dirty) Also there is an attitude with the coach passengers that the train is a trashcan because it's already pretty dirty. Being in coach is freaking brutal if you have to be on it more than 9 hours or overnight.

Btw, their employees are a lot more helpful about being functionally helpful when something goes wrong. Airline employees just escalate and pull the "screw you, you won't get help" when something goes wrong in person. (Yeah, I'm looking at you, IAH gate agent that just left the desk right before boarding.. the captain was playing secretary). No, the Empire Builder doesn't have Wi-Fi.. but how will dinner work.. they're more than helpful at explaining it, etc.

ones_and_zeros · 4 years ago
I just looked at the Chicago to Boston train and it's 22 hours long? That seems...lengthy?
ones_and_zeros commented on Sounding the alarm: How noise hurts the heart (2021)   knowablemagazine.org/arti... · Posted by u/karlzt
ones_and_zeros · 4 years ago
I live on a very busy road that sees >15,000 vehicles/day, including 18 wheelers, dump trucks, buses, tankers, etc. It is noisy (never mind the air pollution) from 5:30 AM to 10:30 PM and I don't think local officials really appreciate it. I'd like to capture data, I'd even pay for it, but all of the "sound level" measuring devices are all junky and don't give accurate readings and don't store the data really well. I'm happy to pay for the right device or even better some certified service that can take measurements and create reports but I'm lost here. Any advice?
ones_and_zeros commented on Disbelief in human evolution linked to greater prejudice and racism   umass.edu/news/article/di... · Posted by u/Hbruz0
HarryHirsch · 4 years ago
Sure, everyone knows that US-style creationism is part of the evangelical belief system, which clings to a narrow literal interpretation of the Bible to support its awful practices, including slavery. But US-style atheism isn't the answer, it's just a reaction to evangelicalism and not a positive belief system.

UMass Amherst, where the study comes from, is particularly awful, they are terrible hypocrites.

ones_and_zeros · 4 years ago
How is atheism not a positive belief system? And why is a positive belief system the answer?
ones_and_zeros commented on Trump offered to pardon Assange if he provided source for DNC emails – lawyer   reuters.com/article/us-br... · Posted by u/pseudolus
ones_and_zeros · 5 years ago
Based on my evaluation that Trump only does things to further his agenda of sowing distrust in institutions and not out of any sense of justice or progress, here is my take:

He is forcing Assange to say "I will not reveal my sources as I am a journalist". Trump then gets to say he tried. The "media", especially any real journalists that take their profession seriously, will provide analysis that Assange is right for refusing. This gives Trump another opening to smear the media by portraying them as pro-Assange, pro-hacking and anti-DNC.

ones_and_zeros commented on Rust Playground   play.rust-lang.org/... · Posted by u/tosh
dom96 · 6 years ago
I wonder why we're seeing this on HN's front page now. Did something change recently in the playground?
ones_and_zeros · 6 years ago

Dead Comment

Dead Comment

u/ones_and_zeros

Karma: 1185 · Cake day: November 24, 2015