Comments (5)
Blocking repos is ~never useful for keeping out miners. Most miners on mybinder.org use the same images as try.jupyter.org. It's pretty trivial to mine from any compute environment with wide egress access (people ship mining binaries, which can be downloaded from e.g. github.com and launched with a few lines). The only thing that saves mybinder.org is that we don't offer enough compute to be worth spending much time circumventing our modest level of checks. If folks put ~any time into the cat and mouse of mining on mybinder.org, they are working for less than minimum wage.
The only robust way to prevent mining is to have an allow list of egress destinations, instead of a block list. This isn't currently feasible for mybinder.org and the miners that visit us don't put in enough effort to make it worth the switch, but it may be appropriate for pangeo. You do need a good way for legit folks to ask for egress access to be expanded, but once it's set up adding to it isn't much. @yuvipanda can speak to configuring JupyterHub with an https egress allow-list.
If you have any kind of required authentication (i.e. folks need some account), then banning is way easier and more practical, and I think the incentives for miners don't work out. mybinder.org being properly anonymous makes it harder for us.
Also happy to share with you folks the encrypted part of jupyterhub/mybinder.org-deploy#1778. It's pretty basic.
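The egress allow-list approach described above, as an added example that is not code from the thread or from the pangeo-binder repo: a Kubernetes NetworkPolicy that denies all egress from user notebook pods except DNS, the hub API, and an explicit list of destinations. It assumes the Zero to JupyterHub pod labels (`component=singleuser-server`, `component=hub`), a `kube-dns` deployment, a namespace named `binder`, and a placeholder CIDR for the one external service users legitimately need; it also assumes the cluster's CNI enforces NetworkPolicy.

```yaml
# Added example, not from pangeo-binder. Default-deny egress for user pods,
# with an explicit allow-list instead of a block-list.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: singleuser-egress-allowlist
  namespace: binder            # assumption: hub namespace
spec:
  podSelector:
    matchLabels:
      component: singleuser-server   # Z2JH label on user notebook pods
  policyTypes:
    - Egress                   # listing Egress with these rules denies everything else
  egress:
    # 1. DNS inside the cluster (any namespace, kube-dns pods only)
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # 2. The hub's internal API, which every notebook server must reach
    - to:
        - podSelector:
            matchLabels:
              component: hub
      ports:
        - protocol: TCP
          port: 8081
    # 3. Explicitly requested external destinations (placeholder CIDR for,
    #    say, a data bucket endpoint). Expand this list on request.
    - to:
        - ipBlock:
            cidr: 203.0.113.0/24
      ports:
        - protocol: TCP
          port: 443
```

Because NetworkPolicy matches on IP ranges, not hostnames, a true "https egress allow-list by domain" needs an egress proxy in front of this policy; the policy above still closes the general-internet path (including the cloud metadata endpoint) that a downloaded mining binary depends on.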
Thanks so much for staying on top of this Scott!
Do you think the GCS binder is at risk for a similar exploit?
Here's a related mybinder discussion: jupyterhub/mybinder.org-deploy#1778
Do you think the GCS binder is at risk for a similar exploit?
Definitely, the config is effectively the same right now.
There are two levels of auth. 1) just require the user (whoever follows a binder link) to input a github user id (+ no need to manage group membership like is done for the hubs, - now requires at a minimum someone has a github account). People could still definitely configure bot accounts or authenticated users could run these programs, but at least there is some level of accountability. 2) require group membership like we're doing on the jupyterhubs via auth0 rules (+/- much more restricted set of users)
Well, even with Auth (#151 (comment)) we still have bitcoin mining going on. Just checked on things this PM and https://github.com/rx082 is running mining scripts. So it seems @minrk is on point with the suggestion, or it will be necessary to limit access to a specific Organization (github or other)...
For this particular case it was easy to log in to the auth0 account, search for the userid under users, and there is then an option 'Block User', but this manual intervention isn't sustainable long term.
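The two auth levels from the thread (any GitHub account vs. membership in one organization), plus a manual block list, as an added example that is not the pangeo-binder configuration. It assumes a recent Zero to JupyterHub chart (the `hub.config` values key), the GitHubOAuthenticator from `oauthenticator`, and placeholder names (`example-org`, `example-admin`, `example-blocked-user`, `binder.example.org`).

```yaml
# Added example, not from pangeo-binder. Values for the jupyterhub sub-chart
# of a BinderHub deployment; client_secret belongs in a Secret, not here.
jupyterhub:
  hub:
    config:
      JupyterHub:
        authenticator_class: github
      GitHubOAuthenticator:
        client_id: "<GitHub OAuth app client id>"
        client_secret: "<GitHub OAuth app client secret>"
        oauth_callback_url: "https://binder.example.org/hub/oauth_callback"
        # Level 1 (weak): leave allowed_organizations unset and any GitHub
        # account can log in, which only adds accountability, not restriction.
        # Level 2: only members of this organization may log in.
        allowed_organizations:
          - example-org
        # read:org is required so membership can actually be checked.
        scope:
          - read:org
      Authenticator:
        admin_users:
          - example-admin
        # Stop-gap for accounts caught mining, until they are removed from
        # the org; replaces blocking them by hand in the auth0 console.
        blocked_users:
          - example-blocked-user
```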