If it was microsoft they would ban github and gitlab account and not give cve.
Google pays $250K for Linux vulnerability allowing guest VM escapes
Submitted 1 day ago by possiblylinux127@lemmy.zip to selfhosted@lemmy.world
Comments
vane@lemmy.world 1 day ago
possiblylinux127@lemmy.zip 1 day ago
I’m not a big Google fan but I will give credit where credit is due
They do put their money where their mouth is
vane@lemmy.world 1 day ago
I hate google but they still pay good money to opensource and take responsibility by organizing google summer of code.
muusemuuse@sh.itjust.works 8 hours ago Well money is all they have anymore.
muusemuuse@sh.itjust.works 8 hours ago Bluehammer guy is going exactly what he needs to do. This is a whole different issue and it’s demonstrating responsible disclosure working exactly the way it’s supposed to.
Evotech@lemmy.world 4 hours ago
Google uses github.com/google/gvisor in GCP. So it’s not affected by most vulnerabilities like this. But still makes sense they want the tech. Vm escapes would be really bad for them.
possiblylinux127@lemmy.zip 1 hour ago
That is for containers not VMs
helix@feddit.org 15 hours ago
ugh shit next week will be awful at work patching all those servers. At least they found it because bad actors did.
rmrf@lemmy.ml 10 hours ago
What KVM based hypervisor do you use that you can’t just use ansible or some first party LCM to do it automatically?
helix@feddit.org 6 hours ago
Using Ansible, but it still means I need to run it and schedule patches etc. – you can’t just patch stuff when people are currently working on it.
muusemuuse@sh.itjust.works 8 hours ago Oh AWS is gonna be spicy this week.
DarkCloud@lemmy.world 1 day ago
Linux’s “security through obscurity” was never going to last.
mnemonicmonkeys@sh.itjust.works 20 hours ago
Linux’s “security through obscurity”
I lost braincells reading this. The entire point of open source software is to have it visible and auditable, aka the exact opposite of security through obscurity.
If you want to bash OS’s for relying on STO, go after iOS and Windows. Those OS’s, being closed source, are the ones relying on it
Ooops@feddit.org 1 day ago There was never an actual notion of “security through obscurity”. LInux runs the complete Internet and most coporate server infrastructure. That’s where the actual money is.
People hallucinating that Linux is something obscure simply have no clue and confused their home desktop for real computing. Windows desktops are constantly targeted not because they are -unlike Linux- so wide-spread but because they are already insanely insecure. They are the low hanging fruit where you can cobble together some cheap shit and will still find million of PCs vulnerable. If you want to find a Linux comparison it’s definitely not server or desktops but cheap IoT devices not having seen an update (or any security to speak of) for many years.
phailhaus@piefed.social 1 day ago
Windows desktops are targeted because any place you have a user, you have a vulnerability. The vast majority of Linux installs are servers with extremely limited user activity, which narrows the attack vectors significantly.
atzanteol@sh.itjust.works 1 day ago
You could have just said that you don’t know what “security through obscurity” is.
lIlIllIlIIIllIlIlII@lemmy.zip 1 day ago
Security through obscurity in OSS lol
Natanox@discuss.tchncs.de 1 day ago I don’t know where you got the notion from that Linux as a whole uses this concept, but it’s nonsense. There’s exactly one place where this definition fits, which is the GRUB bootloader encryption (which merely shifts the target for the Evil Maid attack from the initramfs to GRUB). But this is already adressed with Verified Boot.
Nothing else, let it be LUKS, PAM, SELinux, AppArmor or whatever has any business with STO.
DarkCloud@lemmy.world 1 day ago
From the fact it used to have to smallest user base of the big three. Less users = less probability of a nefarious person.
It’s really not that difficult a concept.
Ptsf@lemmy.world 20 hours ago
I don’t think that word means what you think it means.
Clearwater@lemmy.world 1 day ago
Security through what now?
Well, I guess it is obscure… Though only because the number of people who have a full grasp on how the code works is highly limited.
atzanteol@sh.itjust.works 1 day ago
The self-hosted crowd thinks reverse proxies protect you from the Internet. Don’t expect too much of them.
nibbler@discuss.tchncs.de 1 day ago
The selfhosted guys are correct with that. Of course its not a magic pill, but it can help to minimize the attack surface immensely with little effort.
lIlIllIlIIIllIlIlII@lemmy.zip 1 day ago
You are right about that a reverse proxy does not protect. But I can not relate that with security through obscurity.
This will become more and more common as we use AI to find vulnerabilities faster (hopefully) than bad actors can use AI to find vulnerabilities.
Tangent5280@lemmy.world 1 day ago
If you pay attention you can hear a hundred NSA assholes tear their hair out
20 years of hoarding CVEs down the drain.
Now they’ll never be able to gg ez their way into any countey and will have to actually use their bribery budget to get more implants lol.
chicken@lemmy.dbzer0.com 1 day ago
You don’t think frontier AI models are leaving some out deliberately?
mnemonicmonkeys@sh.itjust.works 20 hours ago
Keep in mind that the rate of errors caught by AI will not be consistent. It will drop off over time.
While I’m no fan of AI, that has nothing to do with it. Adding AI to error detection suites is (mostly) fine so long as you don’t remove more tradional methods like code review, manually set up unit tests, and properly reviewing each failed test instead of just letting the AI slop in a patch.
My point is that any test you add to an existing codebase is going to catch a decent number of issues at first, then over time it will drop off as pre-existing issues get resolved. Then you’ll be left with the lower rate of new issues from updates.
AI isn’t a silver bullet. It (sometimes) is another tool in the toolbox.
I would fully agree with that statement.
lambalicious@lemmy.sdf.org 1 day ago
Oh small, simple child: who do you think has the better access to AI in the first place?
Fedizen@lemmy.world 1 day ago
This is a reminder that US scientists during the cold war thought fish were russian subs because they didn’t have biologists on staff
Judging by the way they’ve treated big companies in the past the NSA is staffed by a bunch of people who use backroom deals with US tech companies to collect their data mostly.
Didn’t downvote you but…
LOL! The level condescension sure is right on point Lemmy.That genuinely got a chuckle. In some ways I enjoy being that simple child. Full of wonderment at this universe around him.
realitaetsverlust@piefed.zip 1 day ago
Well, you know … “them”
pienz@feddit.org 1 day ago
The companies who are training AI… On Linux servers?
Wait no, obviously smaller actors you’re referring to with your mysterious comment.
Or maybe all the follow on tech companies that are the largest customers using AI aaand who also mostly use Linux
No no I’ve got it wrong, US government entities want a backdoor so restrict AI releasing, then during that window exploit non-US companies using Linux