Viss
I have only made it past the first two paragraphs of this article, but I can tell you that I submitted a talk to hackcon (which happens in a week), that sadly was rejected, entitled "keeping secrets: how to loot github secrets", and my technique 100% use…

Viss
in reply to Neil E. Hodges
@tk https://mastodon.social/@Viss/116019584392180387

Kevin Karhan
in reply to Viss
yeah. The only reason I have it still in use is because they are basically un-#DDoS-able and I have 0 spoons nor budget to set up #SelfHosting, and use #GitHub merely as a "public publishing fork" like @torvalds does for the #Linux #Kernel…
GitHub - torvalds/linux: Linux kernel source tree

Viss
in reply to Viss
so when my customers are doing incident response for the stuff I find, and that stuff is "I have abused the shit out of some of your github actions, you should see what the log artifacts look like so we can write detections for it all" flavored - this is what we collectively grapple with.
microsoft, I remind you, is the company that CHARGES EXTRA FOR LOGS if you want to see if someone is trying password stuffing on your o365 instance.
they make it intentionally painful, so they can sell a fix.

Viss
in reply to Viss
I can't help but think that this reality we've painted ourselves into is because we gave a bunch of charismatic techbro types the ability to make decisions, big ones, that affected the top-down architecture of big orgs and how they work, and it turns out they had no fucking idea how computers worked; they just learned enough buzzwords to be human mockingbirds, and made chainsaw sounds with their mouths and we went butthead_huhuhuh_cool.wav

Viss
in reply to Viss
this is, incidentally, the same angle I have against k8s and docker.
if you build a thing that is supposed to have the ability to do firewalling, NATting, ACLs, rules, follow policies and whatnot - and its intended use is "on a linux box", and you decide "to reinvent the entire fucking universe as npm, js, and custom shit instead of using the already inbuilt stuff in linux", you have made a serious architectural error and it will haunt you forever.
assuming your thing lives that long

Viss
in reply to Viss
home assistant lives here too

Kevin Karhan
in reply to Viss
#YAML is garbage.
GitHub - greyhat-academy/yadl: YADL Format & Language

Richard Stephens
in reply to Viss
most kubernetes has this pain everywhere too. One setup I worked on, I counted 5 layers of template processing between the config in git and the config the application would read.

Viss
in reply to Richard Stephens
@richardstephens and 100% of the layers that exist inside of k8s do not need to exist at all, and function only as performative puffery nonsense so k8s people can gloat to other k8s people about how good they are with k8s.
and 80% of the compute goes to those layers and abstraction, and not "whatever the actual container is doing".

Kevin Karhan
in reply to Viss
@richardstephens yeah.
Compared to that, running VirtualBox inside ESXi is high performance computing...