Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

To Intel maybe. It's a loss to the cloud providers and their customers.


I pay by the hour, if I need to provision more servers AWS doesn't take a hit, I do


On EC2 and Lambda and similar, yes. On S3 and other managed services, AWS takes the hit.


Do they really need to apply all mitigation patches if they only execute their own code on machines running S3 and other managed services? (For EC2/... of course they do because they execute customer code.)

I wonder if I can skip the performance penalty for my own (hardware) server too... But I am not smart enough to answer this question myself.


Do you run everything on the machines you only execute your own code on as root?

Most people don’t. It’s a defence in depth thing — if someone hits an exploit in a service you want it to be running the lowest privileged user it can get away with so that it can’t rapidly pull all the data out of other subsystems, roam out into the local network and dump DBs, etc.

With these vulnerabilities unpatched, an attacker running code as the low privilege user account can sniff credentials for other accounts on the machine, or underlying host, private keys that authenticate against this machine and therefore probably others in the network, etc.

I’d say it increases risk quite a bit.


I'm not convinced this is the case for lambda. You get billed for lambda CPU time. If the underlying hardware is unable to provide as much CPU time after mitigations are applied, and AWS hasn't raised their rates, then I'm not the one paying for it.


They could very well optimize only for their own service costs, rather than for the customer.


True, but for S3 the major cost is not CPU-bound.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: