Damus
getbased.health · 1w
Verifiable end-to-end encrypted inference with nostr:nprofile1qyxhwumn8ghj7mn0wvhxcmmvqy2hwumn8ghj7mn0wd68ytn00p68ytnyv4mz7qpq6g4umvwj2pduqc8kt2rv6heq2vhvtulyrsr2a20d4suldwnkl4hq62etsy just landed in ...
Papa Figos
Great project and great service, but the whole "secure enclave" spiel does not survive scrutiny. what tinfoil (the provider for "encrypted inference") is attesting to is literally an ubuntu default image with no firewall, no MAC, full systemd, docker running as root (vs rootless podman), local tools to fetch web data (exfiltration risk), rw root filesystem, no MLS, prometheus metrics (more attack surface), debug interfaces enabled, and literally a commit that sees them enabling a console reachable from the hypervisor on one hand, and disabling the root password on the other.

what is attested is the initrd, kernel, and a few more things. what's never mentioned is that this attests the initial environment after boot, not the runtime. nothing prevents the provider from logging in afterwards and swapping a few lines around, et voilà, now they log everything. it's "trust me bro" in marketing speak.

at the very least they should have gone with rocky and enabled and properly configured selinux.

think about it: the whole idea is a "secure enclave" where "private inference" happens. that means: SEV-SNP so even the hypervisor cannot read the vm's memory, and an nvidia tee (which the processor can attest is enabled). so, ok, the threat model is protecting against attacks from the hypervisor/host. and then they enable a serial console reachable by the host?

to say nothing of the fact that I could find no evidence that they encrypt the vm block device. so, sure, the host can't read the guest's memory, but it can backdoor binaries in its filesystem.

oh, and also, the gazillion dependencies that are pulled to the vm by virtue of what is being installed (part of the attestation, look it up). spoiler: it's not a minimal install at all.

in short, you're paying a premium to do inference in an "attested private enclave" which amounts to a default ubuntu with a large attack surface, with access from the host (the very same entity the "enclave" is supposedly designed to be protected from), no firewalling at all, debug and logging interfaces enabled, and huge exfiltration risk and supply chain attacks.

No amount of "attestation" is going to change that. Tinfoil's idea is good (for today's tech) but the execution is quite poor.
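The point the reply above makes about attestation covering the boot-time image (kernel, initrd) rather than the running system, and about an unverified read-write root filesystem, can be shown with a small model. The following is an added example, not code from Tinfoil or from anyone in this thread: a constructed toy "VM" held in a dict, a PCR-style extend rule (modelled on the TPM extend, not the SEV-SNP launch digest, which is a SHA-384 over guest pages), a boot-only measurement, and a dm-verity-like root hash of the filesystem that can be folded into the same measurement. All file names and contents are constructed.

```python
"""Toy model: a boot-time measurement does not see post-boot changes.

Added example (assumption-laden, not any vendor's code). The 'VM' is a
dict of byte strings; extend() mimics the TPM PCR rule
new = SHA-256(old || SHA-256(component)). Only what is fed into the
measurement is attested; an rw root filesystem that is never measured
can be edited without the report changing.
"""
import copy
import hashlib
import hmac
from typing import Dict


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(register: bytes, component: bytes) -> bytes:
    """PCR-style extend: the register depends on every component so far, in order."""
    return sha256(register + sha256(component))


def make_sample_vm() -> Dict[str, object]:
    """Constructed stand-in for a guest image: kernel, initrd and an rw root filesystem."""
    return {
        "kernel": b"vmlinuz-6.8-generic (constructed)",
        "initrd": b"initrd.img with boot scripts (constructed)",
        "rootfs": {
            "/usr/bin/inference-server": b"ELF binary (constructed) - serves prompts locally",
            "/etc/inference/config.toml": b"log_prompts = false\n",
        },
    }


def boot_measurement(vm) -> str:
    """What measuring only kernel + initrd produces: the situation the post describes."""
    reg = b"\x00" * 32
    for name in ("kernel", "initrd"):
        reg = extend(reg, vm[name])
    return reg.hex()


def rootfs_root_hash(files: Dict[str, bytes]) -> bytes:
    """dm-verity-like root hash: sorted path/content pairs folded into one digest."""
    acc = b"\x00" * 32
    for path in sorted(files):
        acc = extend(acc, path.encode() + b"\x00" + files[path])
    return acc


def full_measurement(vm) -> str:
    """Boot measurement with the root filesystem's root hash extended in as well."""
    reg = bytes.fromhex(boot_measurement(vm))
    reg = extend(reg, rootfs_root_hash(vm["rootfs"]))
    return reg.hex()


def tamper(vm, path: str, new_content: bytes):
    """Model a post-boot edit of one file on the rw root filesystem (returns a copy)."""
    changed = copy.deepcopy(vm)
    changed["rootfs"][path] = new_content
    return changed


def verify(expected_hex: str, report_hex: str) -> bool:
    """Relying-party check: compare the report against the independently reproduced value."""
    return hmac.compare_digest(expected_hex, report_hex)


if __name__ == "__main__":
    golden = make_sample_vm()
    # The provider flips a config switch after boot; kernel and initrd are untouched.
    deployed = tamper(golden, "/etc/inference/config.toml", b"log_prompts = true\n")
    print("boot-only attestation still passes:",
          verify(boot_measurement(golden), boot_measurement(deployed)))
    print("rootfs-inclusive attestation passes:",
          verify(full_measurement(golden), full_measurement(deployed)))
```

Run as a script, the boot-only check reports True for the tampered image and the rootfs-inclusive check reports False. Two caveats belong with the model: folding a root hash into the measurement only helps if the filesystem is actually read-only and integrity-checked at every block read (which is what dm-verity provides and what an rw root filesystem forgoes), and neither measurement sees changes made to a running process's memory after boot, which is why a console reachable from the host matters independently of what the launch measurement covers.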
Elkim · 1w
This is unfortunately above my paygrade so I have to assume projects like these do their best for their users and partners. Does Venice do that any better? Any thoughts nostr:nprofile1qyxhwumn8ghj7mn0wvhxcmmvqy2hwumn8ghj7mn0wd68ytn00p68ytnyv4mz7qpq6g4umvwj2pduqc8kt2rv6heq2vhvtulyrsr2a20d4suldwnkl4h...