CDK
Pulumi
CDK | Pulumi | |
---|---|---|
5 | 178 | |
3,650 | 19,976 | |
1.9% | 2.9% | |
2.8 | 9.9 | |
6 days ago | about 18 hours ago | |
Go | Go | |
Apache License 2.0 | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
CDK
-
A morning with the Rabbit R1: a fun, funky, unfinished AI gadget
It does show how incompetent the attacker was, I report below what Retr0id wrote in the issue:
"tl;dr: The "leak" seems real, but doesn't prove any of the claims made in the readme.
This statement from Peiyuan Liao, the rabbit CTO, is consistent with what I'm seeing here: https://twitter.com/liaopeiyuan/status/ 1782922595199033662
So the "leak" is a bit of a nothingburger, containing partial code for the relatively boring process of letting users authenticate with online services through a sandboxed browser session, from which auth tokens etc. can be extracted. You can't infer anything about how LAM does or doesn't work from this.
They likely used "kiosk escape" tricks to get code exec within the box that runs the browser. Assuming their sandboxing is all set up correctly, this isn't particularly concerning, but it does expose the code that runs within the sandbox for analysis. That's what we appear to have here.
The attacker left behind a file named cdk.log, which is an artifact of https://github.com/cdk-team/CDK/, a container pentesting tool. They were clearly trying to escape the sandbox and pivot to somewhere more interesting, but I don't think they managed it. I think "part 2" is a bluff, this is all they have (feel free to prove me wrong, lol).
But that doesn't mean there's nothing here. Lets look at what we do have.
The most interesting detail to me is a package name list in repo/ typescript/common/base-tsconfig.json
[...]
The only code actually present is for q-web-minion-
What follows is my speculation based on the names alone:
"q" seems like a codename for the rabbit device (so q-hole rabbit hole). Q might stand for "quantum".
The problem with trying to log into and interface with consumer-facing services from 'the cloud" is that you'll get IP rate limited, blocked as a bot, etc. It would make sense to proxy traffic back out through the user's device, and that's what I'd hope q-proxy is about. The big downside with this is that it ~doubles latency and halves available bandwidth, magnifying any deficiencies of a flaky 4G connection. This is perhaps partly why their doordash demo chugged so hard. (protip to the team; use a caching proxy, with SSL, MitM. Detect CDN URLs and don't proxy those.)
This is a total stab in the dark but my guess is that bunny-host is where the LAM action happens, and bunny-builder is for LAM training.
cm-quantum-peripheral-common might be the wrist-mounted device teased in the launch event.
Addendum:
It's also possible there were some juicy credentials accessible within the container. But if there were, they aren't in this leak. In particular, it looks like they're using GCP "service account keys' (/credentials/ cm-gcp-service-account-quantum-workload/gcp-service-account- quantum-workload.json), which according to google's docs "create a security risk and are not recommended. Unlike the other credential file types, compromised service account keys can be used by a bad actor without any additional information".
There isn't enough information here (and/or my analysis isn't deep enough - "cloud" is not my forte) to determine if that'll cause any issues in practice, but if there really is a "part 2" leak, I'd guess this is how they got it."
I OCR two screenshots that I did so there could be errors.
- A Detailed Talk about K8S Cluster Security from the Perspective of Attackers (Part 1)
-
CDK โ Zero Dependency Container Penetration Toolkit
3. Tools for network actions, probe, tunnel and K8s cluster management (7 tools).
See more in https://github.com/cdk-team/CDK
Pulumi
-
How To Implement AWS SSB Controls in Terraform - Part 4
If you are following this blog series, you should already know the benefits of using Terraform to define and deploy your AWS resources and configuration. Other IaC solutions such as AWS CloudFormation, AWS CDK, and Pulumi work the same way but differs in the programming or configuration language.
-
The 2024 Web Hosting Report
Infrastructure as Code (IaC) is an important part of any true hosting operation in the public cloud. Each of these platforms has their own IaC solution, e.g. AWS CloudFormation. But they also support popular open-source IaC tools like Pulumi or Terraform. A category of tools that also needs to be discussed is API gateways and other app-specific load balancers. There are applications for internal consumption, which can be called microservices if you have a lot of them. And often microservices use advanced networking options such as a service mesh instead of just the native private network offered by a VPC.
-
systemd by example (2021)
funny, to me systemd == no docker, no containers, just a VM.
it's my goto way to keep my programming running and have it be restarted if the vm reboots. I use VMs like "pods". I deploy code directly to the VM and run it there along with other programs. I scale up an scale down with: https://www.pulumi.com/
-
A list of SaaS, PaaS and IaaS offerings that have free tiers of interest to devops and infradev
Pulumi โ Modern infrastructure as a code platform that allows you to use familiar programming languages and tools to build, deploy, and manage cloud infrastructure.
-
Playing devil's advocate with Terraform
A move like this may have an impact in other open source projects. Take Pulumi, for instance, people might avoid choosing it now that the Linux Foundation have its own IaC tool, and for newer, smaller projects it will probably be impossible to compete with a project under the Linux name.
- Pulumi โ open-source Infrastructure as Code in any language
-
Best way to deploy K8s to single VPS for dev environment
Another alternative to writing an operator would be to rely on kustomize or https://www.pulumi.com/.
-
โกโก Level Up Your Cloud Experience with These 7 Open Source Projects ๐ฉ๏ธ
Pulumi
-
Show HN: Togomak โ declarative pipeline orchestrator based on HCL and Terraform
Would it make sense to say Dagger is to Pulumi [1], as Terraform is to Togomak?
[1]: https://www.pulumi.com/
-
The Complete Microservices Guide
Infrastructure as Code (IaC): Define your infrastructure using code (IaC) to automate the provisioning of resources such as virtual machines, load balancers, and databases. Tools like Terraform, Pulumi, and AWS CloudFormation can help.
What are some alternatives?
kubefwd - Bulk port forwarding Kubernetes services for local development.
terraform-cdk - Define infrastructure resources using programming constructs and provision them using HashiCorp Terraform
Modlishka - Modlishka. Reverse Proxy.
cdk8s - Define Kubernetes native apps and abstractions using object-oriented programming
runtime - Kata Containers version 1.x runtime (for version 2.x see https://github.com/kata-containers/kata-containers).
terragrunt - Terragrunt is a thin wrapper for Terraform that provides extra tools for working with multiple Terraform modules.
WeaponizeKali.sh - Automate installation of extra pentest tools on Kali Linux
crossplane - The Cloud Native Control Plane
fx - A Function as a Service tool makes a function as a container-based service in seconds.
bicep - Bicep is a declarative language for describing and deploying Azure resources
kata-containers - Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/
Ansible - Ansible is a radically simple IT automation platform that makes your applications and systems easier to deploy and maintain. Automate everything from code deployment to network configuration to cloud management, in a language that approaches plain English, using SSH, with no agents to install on remote systems. https://docs.ansible.com.