AI Framework Ray Doesn't Include a Single Security Feature
gabetocci.medium.com

TL/DR: ray.ai, a parallel job executor, expects to be executed in a trusted network only, and provides no native authentication. The executor uses common protocols (grpc, http), and developers mention that all nodes should be on a private network and that any external access should have a 3rd party authentication proxy. All the recommended deployment configs show how to do this.
A security firm discovered that a number of people misconfigured their nodes and put them on the public internet, which allowed anyone to run their code there.
The result somehow blames ray.ai, rather than the people who misconfigured their servers. I wonder if the same researchers also used to blame FTP server writers for allowing anonymous uploads...
SkyPilot https://skypilot.readthedocs.io automates the process of configuring cloud instances to run Ray on, transparently for the user. If those instances are all exploitable, that might be quite bad.
(If you install a typical FTP server on an internet-accessible host, does that immediately enable anonymous uploads if you use the default configuration?)
TL/DR: people are still unfamiliar with Zero Trust. The ray.ai security model, or lack thereof, relies entirely on being inaccessible to threat actors via network separation. In 2024 this security posture is outdated, ineffective, and downright negligent.