@gsuberland wooooo! Congrats
Containers, Security, Kubernetes, Hillwalking
Costume party
Host: what are you?
Me: a harp
Host: your costume is too small to be a harp
Me: are you calling me a lyre?
oops, I'm a few days late, but MS finally released a patch for the issue I reported last year - CVE-2025-26684
Defender for Linux can be tricked into executing arbitrary code as root. Writeup: https://astr.al/notes/2024-11-28_mdatp_privesc
some reboosts would be much appreciated <3
Datadog is hiring Software Engineer - Kubernetes Networking
#kubernetes #golang #python
Boston, Massachusetts; Denver, Colorado; New York City, New York
Full-time
Datadog
Job details https://jobsfordevelopers.com/jobs/software-engineer-kubernetes-networking-at-datadoghq-com-mar-7-2025-a41eb1?utm_source=mastodon.world&utm_medium=social&utm_campaign=posting
#jobalert #jobsearch #hiring
@gsuberland That is crap but at least Docker containers are just tarballs + some JSON metadata that contains the commands run to create them :D
We are on BlueSky !!!!!
@JoshCGrossman Great post, interesting stuff! Do you have any particular favourite services/approaches to cloud hosted labs for courses?
https://labs.iximiuz.com/ has a lot of interesting points from the hosted route. In the past I've used AWS based inf. which is nice and flexible but requires more management than a SaaS style solution.
@neil boo, Docker's fun, honest!
Mastodon tech and cyber security peeps, what platforms are you using now? Multiple choice!
So I came across my first example of a company selling "AI SEO" the other day, promising that they could get ChatGPT to recommend your products. Whilst I've no idea if that would work it did make me think about how LLM biases might evolve over time.
On the one hand we've got organizations (often non-profit ones) getting hammered by AI crawlers and finding novel ways to limit or block them. Those organizations' information will then be less crawled and likely show up less prominently in newer models.
On the other hand we've got companies actively trying to boost the number of tokens that talk about how their products are great (using AI SEO or whatever to achieve that goal). Those products will show up more prominently in newer models.
The net effect of this will be that LLM models get less reliable over time, unless the companies creating them come up with a good way of countering those forces. The question of course being, do they realise this is a problem and, if so, is there a good way to counter it.
@rsalmond yeah it's an interesting one. There have been CVEs that I've read where being UID 0 allows for access to the vulnerable code path in the Kernel, so they'd be relevant here (although sometimes UID 0 in a user namespace works too).
One example where I did do some looking into it was CVE-2022-0185 where what was needed to exploit it was CAP_SYS_ADMIN and access to the unshare syscall. In that case the exploit wouldn't work if you were a non-root user, but would work if you were UID 0 with that syscall either in the root namespace, or a user namespace.
They've also got some in the blog where they're saying user namespaces would mitigate, and that seems plausible as there will be permissions you get as "real" root which wouldn't be available as root in a user namespace.
Overall I would say that running all containers as non-root users is going to have some reduction in breakout risk, but exactly how much reduction depends on factors like how up to date your kernels are and other hardening that's applied, so it's a pretty tricky thing to quantify :)
I wrote up some more information on the differences between adding SYS_ADMIN and CAP_SYS_ADMIN to pods in Kubernetes.
It highlights some new things I learned about how the CRI you use can affect how pods are run. https://raesene.github.io/blog/2025/04/23/cap-or-no-cap/
@alevsk @cloudvillage_dc cool, I'll check. I've got a speaker pass so I think that'll be ok but I'm sure it'll say somewhere what bits I've got access to.
@alevsk @cloudvillage_dc Cool! I'm attending RSA, just checking do you need an additional ticket for cloud village or is it included in the RSA pass?
@jawnsy So courtesy of iximiuz labs which has a playground with CRI-O, the answer is that SYS_ADMIN and CAP_SYS_ADMIN work with CRI-O
@jawnsy I was wondering that, but I don't have a cluster with CRI-O handy to check. I'll need to see if I can find one :)
TIL that adding CAP_SYS_ADMIN to a #kubernetes pod has different behaviour depending on the backing CRI. With Containerd it does nothing (you need to call it SYS_ADMIN) but on CRI-O it will add ok. Also TIL k8s doesn't validate the capabilities you add to pods!
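Since the API server accepts whatever capability name you type and the CRI decides what it means, the only reliable check is to read the effective capability mask from inside the running pod. The script below is an added example (not from the post or from any project it mentions): it decodes the CapEff line of /proc/<pid>/status, compares it with what a manifest asked for, and flags names that are not real Linux capabilities. The sample status lines are constructed to match the default containerd capability set with and without SYS_ADMIN.

```python
"""Decode a Linux CapEff mask and compare it with what a pod manifest requested.

Added example, not from the original post. Sample masks are constructed:
0xa80425fb is the default containerd capability set, 0xa82425fb is the
same set with SYS_ADMIN (bit 21) added.
"""
import re

# Linux capability names indexed by bit number (linux/capability.h, bits 0..40).
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()

# Constructed /proc/<pid>/status excerpts as seen from inside a container.
DEFAULT_STATUS = "Name:\tsleep\nCapEff:\t00000000a80425fb\n"
WITH_SYS_ADMIN = "Name:\tsleep\nCapEff:\t00000000a82425fb\n"


def normalize_cap(name: str) -> str:
    """Canonical CAP_ form, so 'SYS_ADMIN' and 'CAP_SYS_ADMIN' compare equal."""
    n = name.strip().upper()
    return n if n.startswith("CAP_") else "CAP_" + n


def decode_capeff(mask_hex: str) -> set[str]:
    """Expand a CapEff hex mask into the set of CAP_* names whose bit is set."""
    mask = int(mask_hex, 16)
    return {"CAP_" + CAP_NAMES[i] for i in range(len(CAP_NAMES)) if mask >> i & 1}


def capeff_from_status(status_text: str) -> str:
    """Extract the CapEff hex field from /proc/<pid>/status content."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    return m.group(1)


def check_requested(requested, mask_hex: str) -> dict[str, bool]:
    """Map each requested capability to whether it is actually effective."""
    effective = decode_capeff(mask_hex)
    return {normalize_cap(c): normalize_cap(c) in effective for c in requested}


def unknown_caps(requested) -> list[str]:
    """Names the kubelet would pass through but the kernel does not know."""
    return [c for c in requested if normalize_cap(c)[4:] not in CAP_NAMES]


if __name__ == "__main__":
    for label, status in (("default", DEFAULT_STATUS), ("SYS_ADMIN added", WITH_SYS_ADMIN)):
        print(label, check_requested(["CAP_SYS_ADMIN"], capeff_from_status(status)))
    print("unknown names:", unknown_caps(["SYS_ADMIN", "SYS_ADMN"]))
```

Inside a real pod, replace the constructed strings with `open("/proc/self/status").read()`; a request that decodes as not effective is the containerd-with-CAP_-prefix case the post describes.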
Datadog Security Research is heading to RSAC next week! Come join us for any of our talks on the main stage, meet our research team at the Datadog booth, or attend some of the leadership events below!
https://www.datadoghq.com/event/rsa2025/?utm_source=frichette
@Marcus hunters fight monsters emerging through gates, and (without spoiling too much) one hunter gains the ability to increase in power.
The first season was ok but a bit slow (although nothing like as slow as some of Dragonball Z's fight scenes!), the second season was good. Really nice animation and sound design, some very nice fight scenes!
@Marcus oh for insane fight scenes and training montages, Solo Leveling's last season was good!