Technology

37723 readers

548 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 2 years ago

MODERATORS

[email protected]

‘Significant security loophole’ found in Google software container system (therecord.media)

submitted 9 months ago by [email protected] to c/[email protected]

3 comments fedilink hide all child comments

The issue affected Google Kubernetes Engine (GKE), a system used to deploy, scale and manage how applications are “containerized.” GKE — the tech giant’s implementation of the open-source Kubernetes project — is used widely in healthcare, education, retail and financial services for data processing as well as artificial intelligence and machine learning operations.

Researchers from Orca Security explained that they uncovered an issue in GKE that “could allow an attacker with any Google account to take over a misconfigured Kubernetes cluster, potentially leading to serious security incidents such as cryptomining, denial of service, and sensitive data theft.”

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 8 points 9 months ago (1 children)

We have identified several clusters where users have granted Kubernetes privileges to the system:authenticated group

lol if that's the whole thing, blaming Google is laughable, unless they default to that somewhere or have faulty documentation. That's not a security flaw with their tools.

[–] [email protected] 2 points 9 months ago

Over the past five years infosec has turned into a shitshow of showboating. Every exploit has to have a logo and catchy name. Attacks are widely hyped up despite the conditions for usage being extremely difficult or outright stupid. If you are assigning blanket permissions to a group that shouldn’t have it that is your fault. Obstructing stupidity is not in the scope of the container engine.