zlacker

1. hsbaua+(OP) 2025-12-17 22:59:02
Virtual machines are treated as a security boundary despite the fact that with enough R&D they are not. Hosting Minecraft servers in virtual machines is fine, but not a great idea if they're co-hosted on a machine that has billions of dollars in crypto or military secrets.

Docker is pretty much the same but supposedly more flimsy.

Both have non-obvious configuration weaknesses that can lead to escapes.

replies(2): >>hoppp+S4 >>kevinr+eh2
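The "non-obvious configuration weaknesses" mentioned above are easier to reason about with a concrete check. The following is an added example, not code from the thread or from Docker: a small audit over the `HostConfig` section of `docker inspect` output that flags the settings which turn a container boundary into a formality (privileged mode, host PID namespace, dangerous added capabilities, disabled seccomp/AppArmor, and bind mounts of the Docker socket or host root). The container names and records are constructed to mimic the shape of `docker inspect` JSON and are not observed data. The caveat a practitioner should keep in mind is that this catches misconfiguration only; it says nothing about bugs in the runtime or hypervisor, which is the R&D-cost argument the thread is actually about.

```python
"""Audit container HostConfig settings that weaken the container/host
boundary.  Added example, not code from the thread; the sample records
below are constructed to mimic the shape of `docker inspect` output and
do not come from any real host."""
import json

# Capabilities that, once granted, give a root-in-container process a
# well-known path to the host (mount/ptrace/module-load/raw-IO primitives).
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO",
                  "DAC_READ_SEARCH", "NET_ADMIN"}

# Host paths whose exposure makes the boundary meaningless: the Docker
# socket is equivalent to root on the host, and /proc, /sys and /dev
# expose host state or devices directly.  "/" is handled separately.
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/run/docker.sock",
                        "/proc", "/sys", "/dev")

# Constructed sample in the shape of `docker inspect <id> <id>`
# (hypothetical container names, not observed data).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/minecraft",
     "HostConfig": {"Privileged": False, "PidMode": "", "CapAdd": None,
                    "SecurityOpt": None, "Binds": ["/srv/mc:/data"]}},
    {"Name": "/ci-runner",
     "HostConfig": {"Privileged": True, "PidMode": "host",
                    "CapAdd": ["CAP_SYS_ADMIN"],
                    "SecurityOpt": ["seccomp=unconfined", "apparmor=unconfined"],
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock",
                              "/:/host:ro"]}},
])


def bind_is_sensitive(host_src: str) -> bool:
    """True if the host side of a bind mount is, contains, or lies inside
    a sensitive host path.  A read-only mount still leaks host files, so
    mount options are deliberately ignored."""
    if host_src == "/":
        return True
    host_src = host_src.rstrip("/")
    for path in SENSITIVE_HOST_PATHS:
        if (host_src == path or path.startswith(host_src + "/")
                or host_src.startswith(path + "/")):
            return True
    return False


def audit_container(container: dict) -> list[str]:
    """Return one finding per escape-prone HostConfig setting."""
    hc = container.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append("Privileged=true: all capabilities, no device cgroup "
                        "or seccomp/AppArmor confinement")
    if hc.get("PidMode") == "host":
        findings.append("PidMode=host: host process tree visible")
    for cap in hc.get("CapAdd") or []:
        name = cap.upper().removeprefix("CAP_")   # accept CAP_X or X
        if name in DANGEROUS_CAPS:
            findings.append(f"CapAdd {name}: dangerous capability granted")
    for opt in hc.get("SecurityOpt") or []:
        if opt.endswith("unconfined"):
            findings.append(f"SecurityOpt {opt}: syscall/LSM filtering disabled")
    for bind in hc.get("Binds") or []:
        host_src = bind.split(":")[0]          # host_path:container_path[:opts]
        if bind_is_sensitive(host_src):
            findings.append(f"Bind {bind}: sensitive host path exposed")
    return findings


def audit_inspect_json(text: str) -> dict[str, list[str]]:
    """Map each container name to its findings for a `docker inspect` JSON array."""
    return {c["Name"]: audit_container(c) for c in json.loads(text)}


if __name__ == "__main__":
    for name, findings in audit_inspect_json(SAMPLE_INSPECT).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("   ", f)
```

On a real host the same function can be fed `docker inspect $(docker ps -q)`; the Minecraft-style container produces no findings, while the CI runner produces one finding per weak setting, which is the kind of "soft target next to a hard one" configuration the comment warns about.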
2. hoppp+S4 2025-12-17 23:32:24
>>hsbaua+(OP)
Yeah, but why would somebody co-host military secrets or billions of dollars? It's a bit of a stretch.
replies(1): >>hsbaua+q5
3. hsbaua+q5 2025-12-17 23:36:19
>>hoppp+S4
I think you're missing the point, which was that high-value targets adjacent to soft targets make escapes a legitimate target, but in low-value scenarios VM escapes aren't worth the R&D.
replies(1): >>z3t4+gI
4. z3t4+gI 2025-12-18 06:30:51
>>hsbaua+q5
But if you can do it at scale it might still be worth it, like owning thousands of machines.
5. kevinr+eh2 2025-12-18 17:12:07
>>hsbaua+(OP)
> Virtual machines are treated as a security boundary despite the fact that with enough R&D they are not. Hosting Minecraft servers in virtual machines is fine, but not a great idea if they're co-hosted on a machine that has billions of dollars in crypto or military secrets.

While I generally agree with the technical argument, I fail to see the threat model here. Is it that some external threat would have prior knowledge that an important target is in close proximity to a less hardened one? It doesn't seem viable to me for nation states to spend the expensive R&D to compromise hobbyist-adjacent services in a hope that they can discover more valuable data on the host hypervisor.

Once such expensive malware is deployed, there's a huge risk that all the R&D money is spent on potentially just reconnaissance.

replies(1): >>hsbaua+Xu3
6. hsbaua+Xu3 2025-12-18 23:23:34
>>kevinr+eh2
Yes. Docker too.