Container breakouts are rare, and they typically require the attacker to be able to control either the container creation parameters and/or the actual image being run. If you control those things and apply process isolation best practices (seccomp, cap drops, etc.) then you are in pretty good shape.
Source: ran a container-based RCE service that ran millions of arbitrary workloads per month. We had sophisticated network and system anomaly detection, high-priced pentesters, etc. and never had a breakout.
> We had sophisticated network and system anomaly detection, high priced pentesters
I assume GP wrote that in order to say that they have a high confidence that they never actually had a breakout.
You are technically correct. But your logic applies to everything. Is the isolation provided by VMs good enough? Is airgapping enough to prevent breakout?
There are many things that factor in when you decide what's reasonable. Some are first principle arguments (containers use the same kernel as the host, the kernel has a large surface area, ...). Others are statistical arguments: there have been past breakouts with this stack, it's thus reasonable to expect more in the future, ...
Interesting! What was the service? In our case we control the container, which is BuildkitD, but it has to be run privileged, which means lots of solutions are off the table.
Rather not say. Yeah, building and then running containers where users get to pick the base image is a risk.
We found that privileged is a pretty big hammer and thought we needed it too, but we found ways to give us the functionality we needed without all the extra stuff we didn't need that privileged brings in.
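The thread's point is that breakout risk is dominated by the container creation parameters. The following audit script is an added example (not code from any poster) that reads the HostConfig block of `docker inspect` output and reports the settings discussed above: `--privileged`, added capabilities, disabled seccomp/AppArmor, missing no-new-privileges and shared host namespaces. The sample inspect JSON, the seccomp profile path and the HIGH_RISK_CAPS list are constructed for illustration.

```python
"""Audit container creation parameters for isolation weaknesses (added example)."""
import json

# Assumption: a local policy list of capabilities whose grant makes a breakout far more plausible.
HIGH_RISK_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO", "DAC_READ_SEARCH", "NET_ADMIN"}


def audit_host_config(hc: dict) -> list[str]:
    """Return findings for one container's HostConfig block (empty list = passes)."""
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged: every capability, all host devices, seccomp/AppArmor off")
    if "ALL" not in {c.upper() for c in hc.get("CapDrop") or []}:
        findings.append("capabilities not dropped: expected CapDrop=[ALL] with explicit CapAdd")
    risky = {c.upper().removeprefix("CAP_") for c in hc.get("CapAdd") or []} & HIGH_RISK_CAPS
    if risky:
        findings.append("high-risk capabilities added: " + ", ".join(sorted(risky)))
    opts = set(hc.get("SecurityOpt") or [])
    if "seccomp=unconfined" in opts:
        findings.append("seccomp disabled (seccomp=unconfined)")
    if "apparmor=unconfined" in opts:
        findings.append("AppArmor disabled (apparmor=unconfined)")
    if not opts & {"no-new-privileges", "no-new-privileges:true"}:
        findings.append("no-new-privileges not set: setuid binaries can regain privileges")
    for key in ("PidMode", "NetworkMode", "IpcMode", "UTSMode"):
        if hc.get(key) == "host":
            findings.append(f"{key}=host: shares the host namespace")
    if not hc.get("ReadonlyRootfs"):
        findings.append("root filesystem writable (consider ReadonlyRootfs)")
    return findings


def audit_inspect(inspect_json: str) -> dict[str, list[str]]:
    """Map container name -> findings for a `docker inspect` JSON array."""
    return {c.get("Name", "?").lstrip("/"): audit_host_config(c.get("HostConfig", {}))
            for c in json.loads(inspect_json)}


# Constructed sample shaped like `docker inspect` output: one privileged build daemon
# and one container run with the hardening flags discussed in the thread.
SAMPLE = json.dumps([
    {"Name": "/buildkitd", "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"],
     "CapDrop": [], "SecurityOpt": ["seccomp=unconfined"], "PidMode": "host", "NetworkMode": "default"}},
    {"Name": "/sandbox", "HostConfig": {"Privileged": False, "CapAdd": ["NET_BIND_SERVICE"],
     "CapDrop": ["ALL"], "SecurityOpt": ["no-new-privileges:true", "seccomp=/etc/docker/strict.json"],
     "PidMode": "", "NetworkMode": "none", "IpcMode": "private", "ReadonlyRootfs": True}},
])

if __name__ == "__main__":
    for name, findings in audit_inspect(SAMPLE).items():
        print(name, "->", findings or ["OK"])
```

Run it against real output with `docker inspect $(docker ps -q)` piped into `audit_inspect`; a container that matches the "sandbox" profile produces no findings.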
I am in southern NH and recently went to a cold weather heat pump system.
We had an oil boiler beforehand, so I had all new ductwork added in the basement with an air handler and 3 mini split heads in the rooms upstairs.
I got quotes for Mitsubishi systems ranging from 31k to 39k. Ended up going with an LG Red system for 19k. I then installed a heat pump water heater myself, so I am now fully off of heating oil and it is great.
It starts at 9:30 and arrives at 8:30. So if you're in a sleeper, you're pretty much ready to get to bed when it starts. There's plenty to do on the train if you carry electronics, books, etc.
I live on a very busy road that sees >15,000 vehicles/day, including 18 wheelers, dump trucks, buses, tankers etc. It is noisy (never mind the air pollution) from 5:30 AM to 10:30 PM and I don't think local officials really appreciate it. I'd like to capture data, I'd even pay for it, but all of the "sound level" measuring devices are junky, don't give accurate readings and don't store the data really well. I'm happy to pay for the right device or, even better, some certified service that can take measurements and create reports, but I'm lost here. Any advice?
Based on my evaluation that Trump only does things to further his agenda of sowing distrust in institutions and not out of any sense of justice or progress, here is my take:
He is forcing Assange to say "I will not reveal my sources as I am a journalist". Trump then gets to say he tried. The "media", especially any real journalists that take their profession seriously, will provide analysis that Assange is right for refusing. This gives Trump another opening to smear the media by portraying them as pro Assange, pro hacking and anti DNC.
Thankfully people (other than those very into QAnon) have given up on the n-dimensional chess theories for the most part, but if we needed any more proof, nearly incriminating himself in a phone call with Bob Woodward (who, keep in mind, has already written an extremely critical book about Trump) while trying to woo him (in effect) is the most recent disaster.
This misses "having an understanding about the source code and associated actions". Like refactoring helpers, autocompletion, etc. This is what distinguishes an IDE from a text editor for me.
But anyway, the Rust playground has none of those anyway.
Immigration is good for innovation, the H1B system is not. This administration's rollout of the suspension is cruel, which is the point. H1B reform/replacement is needed, the status quo is not.
Agreed completely. I feel like this administration exists simply to taunt Congress to take actual action with regards to its wild swings on various issues.
Congress has given way too much power over to the executive, and having the most corrupt real estate developer in a city frankly renowned for the corruption of its real estate developers in charge of the executive should be teaching Congress that they need to actually exercise power rather than just handing it over to whoever is sitting at that desk.
If H1B visas were actually used for rare skilled talent, it would be great for innovation. Unfortunately, the majority of H1B workers are no better than your average run-of-the-mill CRUD programmer.
Yes, those salary surveys are just a way for businesses to enhance the information asymmetry in negotiations.
I think if software engineers ever decide to collectively bargain, and they want to include comp as an area to bargain on, the easiest thing to do is buy these same datasets and share with members.
It's not about where you live. It's supply and demand. Those companies artificially limited their supply and provided a ton of demand within their narrow market. They are now opening up to new markets and spreading out the demand accordingly.
Forced analogy time: It's like if I decide I'll only buy peaches from the organic farm down the road. They charge $20/lb. I calculate that I get $21/lb worth of utility. The farmer is happy.
A few years later I decide that purchasing organic peaches online for $15/lb fits the bill, and utility dropped slightly to $19/lb but still better in comparison. The farmer is no longer happy.
>The part that doesn't make sense though is keeping the employees that live in SF, or paying an employee more if they choose to relocate to SF.
The buyer (Facebook) may not be playing all their cards. They may very well intend to reduce SF employee headcount, but want to experiment, and so saying otherwise will allow them to do it in a slow, controlled manner.
Relocating for most people is actually a bigger deal than it may seem.
I personally have no problem with it and did just that at least once, but after returning I asked around and most if not all of my friends and family would not do the same even for - and this was especially shocking to me - 4x the salary.
Was that 4x the salary truly 4x, after subtracting out the costs of living?
I got an offer for an on-site job in London the other day, that would technically be ~1.5x salary boost - and ~5x the salary I had the last time I worked for a local company. But after subtracting out the costs of living, it turned out it would be effectively a 3x salary decrease, and at the same time a significant degradation in the standards of living. Turns out, London isn't a particularly friendly place for a couple with a toddler to move to.
Given that it was Zürich, where CHF = PLN looking at sticker prices (with exceptions), my cost of living as a percentage of salary actually went down since I was renting a room instead of a whole apartment.
In terms of what I could nominally save every month the difference was enormous.
But yeah, with a child on board I would definitely have to get something larger paying somewhere in the order of 25-35% of my salary. But that's just CHF = PLN again, so no increase here.
Right. Bad phrasing. I meant X/3. I.e. after subtracting the essentials, I'd be able to afford 1/3 of the goods and services equivalent to what I could afford in my current location on the previous salary.
The salary I referenced is high for the region in general (and I had it on a remote contract with a US company, though in hindsight, it was under market rate), but not necessarily for our industry, for the position I would otherwise be aiming for locally.
From my calculations, London works out quite well if you're single and willing to sacrifice heavily on the living space. It also works out a-OKish for two-income families with children at kindergarten age. Not so well with a toddler; I was shocked to discover that daycare costs more than rent on a two-bedroom flat west-side.
My friends in Warsaw are pulling anywhere in the range of $55-65k per annum before taxes - that's at corona rates, which knocked close to 8% off our currency's value.
Lowering salaries all of a sudden for a large % of their workforce who are currently very productive would be a bad move, and would instantly destroy value that would take a long time to recover. It makes sense to pay to keep that value, at least for a while, and let market dynamics slowly do their thing.