(dotat.at)

257 points todsacerdoti | 1 comments | 22 Oct 24 12:36 UTC | HN request time: 0.978s | source

Show context

ricardo81 ◴[22 Oct 24 13:18 UTC] No.41913941[source]▶

>>41913610 (OP) #

I guess the general gist is shared spaces between users causes security issues.

I recall using 'shared hosting' where instead of using your default IP address for fetching anything from the network, you could do some funky stuff in the shared environment to discover many more IPs that could be used. Useful for scraping and such. Generally any shared hosting that used cpanel would expose all their network interfaces, often a /24 or two.

replies(1): >>41914050 #

deltaburnt ◴[22 Oct 24 13:28 UTC] No.41914050[source]▶

>>41913941 #

Any shared resource seems to give rise to security issues. Extracting data through side channels in the hardware's architecture is what woke me up to this.

replies(3): >>41914109 #>>41914140 #>>41915494 #

stevekemp ◴[22 Oct 24 15:46 UTC] No.41915494[source]▶

>>41914050 #

I recently had to copy a secret which was available in a CI-job to a new repository, but the system was smart enough to filter it if echoed literally.

So "echo $API_TOKEN" failed, but getting the output of the complete environment was as easy as "env | base64".

replies(1): >>41918501 #

TeMPOraL ◴[22 Oct 24 20:43 UTC] No.41918501[source]▶

>>41915494 #

One has to question the premise of such "smartness" in the system in the first place.

replies(1): >>41921998 #

1. pxc ◴[23 Oct 24 05:07 UTC] No.41921998[source]▶

>>41918501 #

I think of it as a form of politeness, basically. It's only a security feature in the sense that it's a tool you can use to make good logging hygiene a little easier for your CI system, not in the sense of helping form any kind of security boundary.

I assume (hope?) that's the intention, that nobody is advertising this as a way to prevent exfiltration of secrets.

↑

Against /tmp