I don't think what you want us even possible. How would such guarantees even look like? "Hello, we are a serious cybersec firm and we have evaluated the code and it's pretty sound, trust us!"?
"Hello, we are a serious cybersec firm and we have evaluated the code and here are our test with results that proof that we didn't find anything, the code is sound; Have we been through? We have, trust us!"
In terms of a one off product without active support - the only thing I can really imagine is a significant use of formal methods to prove correctness of the entire runtime. Which is of course entirely impractical given the state of the technology today.
Realistically security these days is an ongoing process, not a one off, compare to cloudflare's security page: https://developers.cloudflare.com/workers/reference/security... (to be clear when I use the pronoun "we" I'm paraphrasing and not personally employed by cloudflare/part of this at all)
- Implicit/from other pieces of marketing: We're a reputably company with these other big reputable companies who care about security and are juicy targets for attacks using this product.
- We update V8 within 24 hours of a security update, compared to weeks for the big juicy target of Google Chrome.
- We use various additional sandboxing techniques on top of V8, including the complete lack of high precision timers, and various OS level sandboxing techniques.
- We detect code doing strange things and move it out of the multi-tennant environment into an isolated one just in case.
- We detect code using APIs that increase the surface area (like debuggers) and move it out of the multi-tennant environment into an isolated on just in case.
- We will keep investing in security going forwards.
Running secure multi-tenant environments is not an easy problem. It seems unlikely that it's possible for a typical open source project (typical in terms of limited staffing, usually including a complete lack of on-call staff) to release software to do so today.
Agreed. Cloudflare has dedicated security teams, 24h V8 patches, and years of hardening – I can't compete with that. The realistic use case for OpenWorkers is running your own code on your own infra, not multi-tenant SaaS. I will update the docs to reflect this.
Something like "all code is run with no permissions to the filesystem or external IO by default, you have to do this to add fine-grained permissions for IO, the code is run within an unprivileged process that's sandboxed using standard APIs to defend in depth against possible v8 vulnerabilities, here's how this system protects against obvious possible attacks..." would be pretty good. Obviously it's not proof it's all implemented perfectly, but it would be a quick sign that the project is miles ahead of a naive implementation, and it would give someone interested some good pointers on what parts to start reviewing.
This is exactly where we see things heading. The trust model is shifting - code isn't written by humans you trust anymore, it's generated by models that can be poisoned, confused, or just pick the wrong library.
We're thinking about OpenWorkers less as "self-hosted Cloudflare Workers" and more as a containment layer for code you don't fully control. V8 isolates, CPU/memory limits, no filesystem access, network via controlled bindings only.
We're also exploring execution recording - capture all I/O so you can replay and audit exactly what the code did.
Production bug -> replay -> AI fix -> verified -> deployed.
As I understand it separate isolates in a single process are inherently less secure than separate processes (e.g. Chrome's site isolation) which is again less secure than virtualization based solutions.
As a TinyKVM / KVM Server contributor I'm obviously hopeful our approach will work out, but we still have some way to go to get to a level of polish that makes it easy to get going with and have the confidence of production level experience.
TinyKVM has the advantage of a much smaller surface area to secure as a KVM based solution and the ability to offer fast per-request isolation as we can reset the VM state a couple of orders of magnitude faster than v8 can create a new isolate from a snapshot.
Other response address how you could go about this, but I'd just like to note that you touch on the core problem of security as a domain: At the end of the day, it's a problem of figuring out who to trust, how much to trust them, and when those assessments need to change.
To use your example: Any cybersecurity firm or practitioner worth their salt should be *very* explicit about the scope of their assessment.
- That scope should exhaustively detail what was and wasn't tested.
- There should be proof of the work product, and an intelligible summary of why, how, and when an assessment was done.
- They should give you what you need to have confidence in *your understanding of* you security posture as well as evidence that you *have* a security posture you can prove with facts and data.
Anybody who tells you not to worry and take their word for something should be viewed with extreme skepticism. It is a completely unacceptable frame of mind when you're legally and ethically responsible for things you're stewarding for other people.
That's hell. So most of the time you are away from your home and probably from your family if you have one. If you don't have one - you are leaving your home unwatched most of the time. You pay for 2 places instead of 1. 3-5 hrs commute away from your job - that's nuts by itself.
What you should dream of instead - most jobs becoming remote or physically proximal to where you live.
For hybrid workplaces wanting 3 days in-office, it's a little less than half
> away from your family
Yes, this is a trade-off. The choice is between whether your family will be crammed into a too-small-barely-affordable apartment in the city, or a more spacious house, since anything family-sized in the city is priced for executives. A lot of kids don't live at home during college; a lot of sales people and the like are used to living out of a suitcase, this is a similar lifestyle except better because the pieds-a-terre apartment is actually stable, it's not the same as living out of hotel rooms.
> pay for 2 places instead of 1
Theoretically 1 pieds-a-terre + train tickets + 1 rural mortgage payment is cheaper than 1 family-sized apartment in the city. If it's not in your case - fair enough.
> 3-5 hour commute away from your job
Even if it's 5 hours, if you do that twice a week plus 3x 15 minute walks each way, that's 10h45m commute time per week, mostly on a train where you can watch movies, read something, etc. If you drive two hours each way, in congestion, to a (premium-priced) house in the suburbs, that's 10 hours of commute time per week fully concentrated on the road. YMMV.
> dream of remote or physically proximal
Well sure. That's a dream. Part of the question is, what's a realistic goal to set for yourself? Pieds-a-terre + train + rural house is achievable on my own agency. Overhauling the industry to become remote-first, or overhauling housing to become more affordable closer to employers, is not.
Actually the Orange Pi 5 Ultra would be the most recent board from Orange Pi to compare it with. You can see a comparison between the Orange Pi 5 Ultra and the Raspberry Pi 5 here: https://boilingsteam.com/orange-pi-5-ultra-review/
In a nutshell, this new Orange Pi 6 Plus is much faster than Orange Pi 5 Ultra and anything that came before.
Plus and ultra are almost identical with the exception of an HMDI in port on the latter. I've used the same HAL on both boards, they are effectively the same.
That's bullshit. I don't care about graphics, I play lots of indie games, some of them are made by a single person. There are free game engines, so basically all one needs for a successful game is just a good idea for the game.
And a friend of mine still mostly plays the goddamn Ultima Online, the game that was released 28 years ago.
and if a new game
came out today that looked and played the same as Ultima online… What would you (and the rest of gamers) think about it?
Your expectations of that game are set appropriately. Same with a lot of Indy games, the expectation can be that its in early access for a decade+. You would never accept that from, say, Ubisoft.
Depends on what that game brings, I might like it a lot. Again, me and all my friends love indie games, most of them with pixel graphics or just low polygon. The market for such games is big enough. Just look up some popular indie games sales estimations.
You are a minor share of the overall market and the sad truth is that most indie games sell a pityfull handfull of copies and can't sustain their creators financially. And even indie games have to meet certain standards and given that they are developed nostly by single devs, meeting even those "minimal" standards takes years for many devs.
That's more of a job for an encapsulating protocol. (shadowsocks or similar) Wireguard isn't designed to be obfuscating alone. It's just a simple l3 udp tunnel with a minimal attack surface.
That's the traditional answer parroted in the Wireguard documentation but a few hours' serious thought and design is enough to reveal the fatal flaw: any encapsulating protocol will have to reinvent and duplicatively implement all of the routing logic. Perr-based routing is at least 50% of wireguard's value proposition. Having to reimplement it at the higher level defeats the purpose. No, obfuscation _has_ to be part of the same protocol as routing.
(Btw, same sort of thing occurs with zfs combining raid and filesystem to close the parity raid write hole. Often strictly layered systems with separation of concerns are less than the sum of their parts.)
In this case with the, I believe it’s called quantum tunneling by mullvad, it’s actually a good thing. Because the encapsulation protocol is just UDP/IP, a well established existing protocol that can masquerade as any kind of internet traffic easily.
amnezia-wg is quite cool and they have built the kmod too, I did some test so far they can works even in my location which block wireguard server quickly.
The mullvad apps do offer obfuscation options (shadowsocks, etc) but i agree it would be nice if something was baked into wireguard itself. I recently went through setting up shadowsocks over wg for my homelab and it was a good bit of effort
WireGuard is a protocol that, like all protocols, makes necessary trade-offs. This page summarizes known limitations due to these trade-offs.
Deep Packet Inspection
WireGuard does not focus on obfuscation. Obfuscation, rather, should happen at a layer above WireGuard, with WireGuard focused on providing solid crypto with a simple implementation. It is quite possible to plug in various forms of obfuscation, however.
I have the opposite opinion and experience: a simple file copy is pretty trivial with scp, but with rsync - it's a goddamn lottery. Too many options, too many possible modes and thus I am never sure about the outcome meeting my expectations.
The default options of scp, like also those of cp or of any other UNIX copying program are bad, as they do not make exact copies.
In decades of working with computers, I have never wanted to make any other kind of copies except exact copies, so I never use the default options of cp, scp, rsync etc., but I always use the same aliases for them, with the options needed for exact copies.
Isn't it pretty clear just from the first paragraph that the author has graphomania? Such people don't really care about the thesis, they care about the topic and how many literary devices they can fit into the article.
I don't know enough about graphomania, but I do find this article, while I'm sure is written by a human, has qualities akin to LLM writing: lengthy, forced comparisons and analogies. Of course it's far less organized than typical ChatGPT output though.
The more human works I've read the more I feel meat intelligences are not that different from tensor intelligences.
I didn't claim or think it was written with a help of LLM, it was just written by someone who enjoys the feeling of being a writer, or even better, a Journalist!
This always contrasts with articles written by tech people and for tech people. They usually try to convey some information and maybe give some arguments for their position on some topic, but they are always concise and don't wallow in literary devices.
"Hello, we are a serious cybersec firm and we have evaluated the code and here are our test with results that proof that we didn't find anything, the code is sound; Have we been through? We have, trust us!"
reply