Google Compute Engine (GCE) VM Takeover via DHCP Flood

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • gcp-dhcp-takeover-code-exec

    Google Compute Engine (GCE) VM takeover via DHCP flood - gain root access by getting SSH keys added by google_guest_agent

  • Same subnet = as another VM in your project? Or a random GCP user? Seems like pretty different risk levels...

    https://github.com/irsl/gcp-dhcp-takeover-code-exec#attack-s...

  • tailscale

    The easiest, most secure way to use WireGuard and 2FA.

  • Confidential computing (Intel SGX, ARM TrustZone, AMD SEV-SNP) handles this by encrypting the virtual machine memory so that even having full root on the host does not expose VM compute or memory.

    There are plenty of ways to do zero trust networking; a slick commercial implementation is https://tailscale.com/, which you can totally use in the cloud for secure node-to-node comms if you're worried about those things.

  • security-research

    This project hosts security advisories and their accompanying proof-of-concepts related to research conducted at Google which impact non-Google owned code.

  • Funny thing is I agree with you that Google should hold itself to that bar, but I don't agree as to Project Zero being the reason. I think we very much should distinguish Google from P0, and that P0's policy should be irrelevant here; their entire purpose is to be an independent team of security researchers finding vulnerabilities in software, indiscriminately. It seems a number of others here feel similarly (judging by the responses), and ironically their support for the position is probably being lost by dragging P0 into the conversation.

    The reason I think Google should hold itself to that bar is something else: Google itself uses that bar for other vendors. From the horse's mouth [1]:

    > This is why Google adheres to a 90-day disclosure deadline. We notify vendors of vulnerabilities immediately, with details shared in public with the defensive community after 90 days, or sooner if the vendor releases a fix.

    If they're going to do this to others as general company policy, they need to do this to themselves.

    [1] https://www.google.com/about/appsecurity/
