Greg Castle
LightNews LightNews
gregcastle.bsky.social
Greg Castle
@gregcastle.bsky.social
210 followers 120 following 23 posts
Security for Google Kubernetes Engine. Former pentester, DFIR and OS X security
he/him
Posts Replies Media Videos
Reposted by Greg Castle
paulisci.bsky.social
it was impossible to know what was coming unless you paid even a little bit of attention
February 5, 2025 at 12:52 AM
gregcastle.bsky.social
@evelyndouek.bsky.social @stamos.org I keep refreshing the moderated content podcast page....So much to cover! moderated-content.simplecast.com
January 17, 2025 at 4:14 PM
gregcastle.bsky.social
This story is wild
mmasnick.bsky.social Mike Masnick @mmasnick.bsky.social · Sep 11
Okay. This excerpt from the new book all about how Elon shut down the Sacramento Twitter data center is way more batshit crazy than even I expected. www.cnbc.com/amp/2023/09/...
The facility was costing X more than $100 million a year. Musk wanted to save that money by moving the servers to one of X's other facilities, in Portland, Oregon. Another manager at the meeting said that couldn't be done right away. "We can't get out safely before six to nine months," she said in a matter-of-fact tone. "Sacramento still needs to be around to serve traffic." Over the years, Musk had been faced many times with a choice between what he thought was necessary and what others told him was possible. The result was almost always the same. He paused in silence for a few moments, then announced, "You have 90 days to do it. If you can't make that work, your resignation is accepted." The manager began to explain in detail some of the obstacles to relocating the servers to Portland. "It has different rack densities, different power densities," she said. "So the rooms need to be upgraded." She started to give a lot more details, but after a minute, Musk interrupted. They were somewhere over Las Vegas when James made his suggestion that they could move them now. It was the type of impulsive, impractical, surge-into-the-breach idea that Musk loved. It was already late evening, but he told his pilot to divert, and they made a loop back up to Sacramento. The only rental car they could find when they landed was a Toyota Corolla. They were not sure how they would even get inside the data center at night, but one very surprised X staffer, a guy named Alex from Uzbekistan, was still there. He merrily let them in and showed them around. The facility, which housed rooms of servers for many other companies as well, was very secure, with a retinal scan required for entry into each of the vaults. Alex the Uzbek was able to get them into the X vault, which contained about 5,200 refrigerator-size racks of 30 computers each. "These things do not look that hard to move," Elon announced. It was a reality-distorting assertion, since each rack weighed about 2,500 "You'll have to hire a contractor to lift the floor panels," Alex said. "They need to be lifted with suction cups." Another set of contractors, he said, would then have to go underneath the floor panels and disconnect the electric cables and seismic rods. Musk turned to his security guard and asked to borrow his pocket knife. Using it, he was able to lift one of the air vents in the floor, which allowed him to pry open the floor panels. He then crawled under the server floor himself, used the knife to jimmy open an electrical cabinet, pulled the server plugs, and waited to see what happened. Nothing exploded. The server was ready to be moved. "Well that doesn't seem super hard," he said as Alex the Uzbek and the rest of the gang stared. Musk was totally jazzed by this point. It was, he said with a loud laugh, like a remake of Mission: Impossible, Sacramento edition. The moving contractors that NTT wanted them to use charged $200 an hour. So James went on Yelp and found a company named Extra Care Movers that would do the work at one-tenth the cost. The motley company pushed the ideal of scrappiness to its outer limits. The owner had lived on the streets for a while, then had a kid, and he was trying to turn his life around. He didn't have a bank account, so James ended up using PayPal to pay him. The second day, the crew wanted cash, so James went to a bank and withdrew $13,000 from his personal account. Two of the crew members had no identification, which made it hard for them to sign into the facility. But they made up for it in hustle. "You get a dollar tip for every additional server we move," James announced at one point. From then on, when they got a new one on a truck, the workers would ask how many they were up to.
September 12, 2023 at 5:11 AM
gregcastle.bsky.social
So sorry to hear this 😢
h.olysh.it Joe Beda @h.olysh.it · Aug 20
Last Wednesday evening Kris Nova had a climbing accident and died.

All of us that loved her are heart broken and stunned.  She was an amazing person that lived out loud and built connection and community wherever she went.  She will be horribly missed.
Nova looking awesome wearing sunglasses staring into the distance. Taken at the top of Asgaard Pass.
August 21, 2023 at 3:39 AM
gregcastle.bsky.social
Spotify runs most of their production workloads on GKE and wrote this cool post on memory #forensics. They suck out memory through a privileged pod via kcore and send it to #volatility for analysis.
Analyzing Volatile Memory on a Google Kubernetes Engine Node
TL:DR At Spotify, we run containerized workloads in production across our entire organization in five regions where our main production workloads are in Google Kubernetes Engine (GKE) on Google Cloud ...
engineering.atspotify.com
July 3, 2023 at 3:19 PM
gregcastle.bsky.social
Love it!
June 6, 2023 at 3:05 AM
gregcastle.bsky.social
After a brief hint of summer weather can confirm the PNW forests are back to their resting drip face.
May 22, 2023 at 4:32 AM
gregcastle.bsky.social
“Don’t run containers as root”: we’ve been saying this for a long time. Is it working?

No.

@vinayaklovespizza and I gave a talk at #KubeCon EU about our journey converting GKE system containers to non-root that explains why.

Here’s a summary… (1/8)

https://youtu.be/uouH9fsWVIE
Least Privilege Containers: Keeping a Bad Day from Getting Worse - Greg Castle \u0026 Vinayak Goyal
Least Privilege Containers: Keeping a Bad Day from Getting Worse - Greg Castle \u0026 Vinayak Goyal, Google “Don’t run containers as root”. The K8s security community has been saying this for years. There’s tools that can detect these types of misconfigurations. But detection, and knowing you have a problem, is just the start of the journey. How do you actually fix it? What can you do if those permissions are required for the container to work? We’ve run multiple de-privileging efforts for production containers. In 2020 we focused on converting containers from running as root to running as unprivileged users. In 2021 we moved containers to minimal distroless images. For some containers the solution was as simple as removing unused permissions. But sometimes we needed to do something more drastic, like charge the design of the container to segment out powerful permissions, or split functionality out into initContainers. We’ll share how we approached these tasks, what we learned working through problems with container owners, and describe how we put checks in place to prevent new privileged containers from appearing in the future.
youtu.be
May 19, 2023 at 8:19 PM
gregcastle.bsky.social
Thanks Rory! If you were looking for a firehose to drink from, here it is.
mccune.org.uk Rory McCune @mccune.org.uk · May 18
For anyone interested in Kubernetes and Cloud Native Security, I've put together a site with over 600 talks from past Kubecons/Cloud Native Security cons on the topic https://talks.container-security.site/
May 18, 2023 at 2:02 PM
gregcastle.bsky.social
Love it. Similar vibe: a co-worker set a SQL injection string as his official job title. Spent years having "but your title shouldn't have those characters" discussions with various internal tool authors.
mjg59.eicar-test-file.zip Matthew Garrett @mjg59.eicar-test-file.zip · May 15
Ok how much does this handle break
May 15, 2023 at 8:22 PM
gregcastle.bsky.social
I love this. And that's how bluesky learned about https://en.m.wikipedia.org/wiki/Well-known_URI
May 5, 2023 at 1:29 AM
gregcastle.bsky.social
#introduction My day job is security of all things Kubernetes and containers. But if you want to have a real conversation let's talk about mountains and bikes. Or XC skiing. Or about how great boot dryers are if you live in the PNW.
April 25, 2023 at 9:59 PM