daniel benjamin

39.9K posts

@papidb

engineer

Your mind Joined December 2016
2.1K Following 2K Followers
Pinned Tweet
daniel benjamin
daniel benjamin@papidb·
The world is mine to take
daniel benjamin retweeted
Ivan Velichko
Ivan Velichko@iximiuz·
A new batch of hands-on Kubernetes challenges by Omkar Shelke 👏 If you're preparing for CKA/CKAD/CKS exams, solving them is a great way to practice:
- Validate CSI Storage Performance Using FIO and a Kubernetes Job labs.iximiuz.com/challenges/val…
- Canary Deployment Using Kubernetes Gateway API Traffic Splitting labs.iximiuz.com/challenges/can…
- Verify Kernel Isolation Between Kata Containers and runc Using RuntimeClass labs.iximiuz.com/challenges/ver…
- Disable API Server NodePort and Configure kube-scheduler Resource Requests labs.iximiuz.com/challenges/dis…
- Troubleshoot CrashLoopBackOff Caused by a Missing TLS Secret labs.iximiuz.com/challenges/rec…
- Add a Sidecar Log Tailer to an Existing Deployment labs.iximiuz.com/challenges/add…
- Cross-Namespace Gateway and HTTPRoute Binding with Kubernetes Gateway API labs.iximiuz.com/challenges/cro…
- Deploy a Pod with a Sidecar Log Shipper Using Init Container Pattern labs.iximiuz.com/challenges/dep…
- Customize nginx Startup Behavior with a postStart Lifecycle Hook labs.iximiuz.com/challenges/cus…
- Switch Live Traffic from Blue to Green Using Kubernetes Services labs.iximiuz.com/challenges/swi…
- Exclude a Sidecar from VPA Using Per-Container Resource Policy labs.iximiuz.com/challenges/exc…
- Provision Dynamic NFS CSI Storage to Restore Stuck Deployments labs.iximiuz.com/challenges/pro…
- Create and Apply a Kubernetes Job with Completions and Parallelism labs.iximiuz.com/challenges/cre…
Happy hacking!
daniel benjamin retweeted
ɴᴀᴅɪ.⋆𐙚
ɴᴀᴅɪ.⋆𐙚@luvblessingz·
Apple needs to bring back the iPods. I just want peace and music. No notifications or phone calls.
daniel benjamin retweeted
-valar morghulis-
-valar morghulis-@eldivine·
The best wealth management app: @risevest The best stock trading app: @HisaApp Best private securities app: @AssetbaseHQ (still being upgraded). Our job is to make sure whatever you want to do when it comes to investments, we can help you do it. You're welcome.
daniel benjamin retweeted
oseni rufai
oseni rufai@ruffydfire·
A teacher beheaded and a nation is silent
daniel benjamin retweeted
Peter Obi
Peter Obi@PeterObi·
A Nation Losing Its HUMANITY. Some events shatter a society so deeply that words are no longer enough to express the shock; the brutal killing of a teacher and the horrific rape and murder of an elderly woman are among such tragedies. These are not isolated incidents but signs of deeper moral and social decay. How did we get here? How did we reach a point where teachers are hunted and killed, and the elderly—custodians of memory and wisdom—suffer such dehumanising violence? This is more than a security crisis; it is a failure of collective humanity. We have become desensitised, consuming tragedy briefly and moving on, allowing indifference to normalise the unacceptable. To the families affected, I share in your grief. But grief alone is not enough. We must demand accountability and urgent systemic change. If such atrocities no longer move us to action, then we risk losing our shared humanity. -PO
daniel benjamin retweeted
K E N E
K E N E@kingsly_kenn·
So my mom and her market people were invited for “compulsory” APC primaries last week and she no go. So today they come lock her shop on a bloody Monday morning. She shaa leave them there begin come house. Tinubu, one day, you, APC and whatever you stand for will crumble
daniel benjamin retweeted
LEYE
LEYE@leyeConnect·
This man has been a retribution to everyone who thinks political strategy and coalitions is more important than the very act of governing. That a thief and drug baron is better than a man who made wealth with enterprise. Tribalism and religion have been so weaponised, how many deaths of your country men will it take for you to acknowledge this government is an unprecedented failure of monumental scale?
Bola Ahmed Tinubu@officialABAT

On matters of security, the bulk stops at the President's table. Like in other countries, Jonathan is the Chief Security Officer.Stop Boko H

daniel benjamin retweeted
Mr Orero
Mr Orero@mr_orero·
you can build software that works but you can’t build a complete fault tolerant product. users decide that. your product has to (fail) a couple times on production, then you keep on coming up with solutions for all the edge cases, till you have a very strong product
daniel benjamin
daniel benjamin@papidb·
@Akintola_steve From your own post you’ve more or less explained why a lot of people add redis almost everywhere.
Akintola Steve
Akintola Steve@Akintola_steve·
Backend Engineers throw Redis into every architecture nowadays like it’s a compulsory tech stack. Meanwhile, some applications genuinely do not need Redis at all. So, when exactly should Redis actually be used? Real practical scenarios where Redis makes sense?
daniel benjamin
daniel benjamin@papidb·
I don’t think I’ve ever been this sick in my life.
daniel benjamin retweeted
-valar morghulis-
-valar morghulis-@eldivine·
Lmao some of our bigger tech overlords raise a bajillion dollars and then go on a poaching spree. They are always throwing crazy offers at my team trying to get them to switch. They rarely do. And on the rare occasion they switch, many of the team members often come back to tell me that what we have at @risevest is far better than what many try to build with money. No be brag. Some have actually switched back, when there is room. But even that is also extremely hard to do. One of my PMs spent 3 years trying to return before we all agreed to move on. I also don’t try to fight it, imagine paying someone x and then someone offers them 5x. That’s an opportunity to discover there are more important things than money, and I cannot deny them that.
daniel benjamin retweeted
Peter Pistorius
Peter Pistorius@appfactory·
My goal with MachinenVM was to learn to build a microvm. I understand maybe 33% of what it's doing, but my goal has always been to understand the machine from first principles: Did LinuxFromScratch.org as a teenager, and Nand2Tetris (Cum laude). Let me be upfront, I believe you can just do things. Don't let other people gate-keep anything from you.
Armin Ronacher ⇌@mitsuhiko

I think it would be great if people were upfront about declaring their own understanding of a topic / their pull request. Now that everybody can talk confident with their clanker it becomes way too hard to understand if they knew what they were doing when they prompted it :(

daniel benjamin retweeted
Devanshu
Devanshu@DevanshuXi·
Honestly, even I got pretty tired of endlessly applying to jobs. Lately I’m spending coding for fun now, writing my learnings on blog and talking with senior engineers at top companies, investors, and CTOs of startups and frontier labs I’m curious about. Even when those conversations don’t lead to offers, I learn so much about distributed systems, how things actually scale in production, what it takes to run a company, and even the research side: pre-training setups, dataset curation, and post-training evaluation and fine-tuning. I’ve started applying way less because it often feels like talking to a wall. Those one-way application black holes don’t teach me anything. Real conversations do, and to me that’s way more valuable right now. I end up getting into detailed discussions about pre-training choices (data sources, filtering, compute trade-offs), and post-training work (evaluation metrics, safety testing, fine-tuning strategies). Those chats give me concrete, practical insight I can't get from job portals ever. I recently met this crazy investor at a café in Dehradun recently and we ended up talking for ages about money, investing, and different business models. We also dove into how investment decisions intersect with research priorities like what kinds of teams get funded for long-term model development versus applied fine-tuning projects. Stuff like that sparks ideas and gives practical context to the technical things I’m learning.
rosey🌹@thechosenberg

Checking in on Comp Sci majors

daniel benjamin retweeted
Devanshu
Devanshu@DevanshuXi·
Spent today going way too deep into Firecracker internals and honestly… the whole “it’s secure because it’s small” narrative starts feeling a bit shaky once you actually trace how this thing runs under the hood. like yeah, on paper it’s clean as hell we got tiny rust VMM, no qemu baggage, one microVM per process, minimal device model, everything looks tight and intentional. but then you follow the execution flow across threads and realize a lot of the security story quietly depends on timing behaving nicely… which is not something you should ever rely on in systems like this.
The core architecture is simple enough: you’ve got an API thread acting as a single-threaded HTTP control plane, a VMM thread that owns all the interesting stuff like virtio devices and the MMDS metadata service, and then a bunch of vCPU threads that sit in a tight KVM_RUN loop bouncing between guest and host. everything funnels through KVM, but the real surface isn’t the hypervisor boundary it’s the coordination between these threads before the system actually settles into a steady state. that “in-between” phase is where things get weird.
What surprised me is that Firecracker’s isolation model isn’t atomic, it’s staged. first the jailer sets things up like cgroups, chroot, capability drops, then the VMM initializes, then seccomp filters are applied, and only after that do you really reach something you’d call a locked-down system. the problem is these steps overlap. they’re not clean cut transitions. there are small but very real windows where the process is partially initialized, partially restricted, and still processing input.
take the jailer, for example. it’s supposed to be this clean containment boundary, but if you look closely at the order of operations, it’s doing bind mounts and filesystem setup before privileges are fully dropped. that means there’s a window where the filesystem view can still be influenced. in a shared environment like a noisy k8s node or anything multi-tenant. That’s enough to make symlink race attacks viable. so the “chroot = isolation” story kind of turns into “chroot = isolation unless someone can interfere at the right moment,” which is a much weaker guarantee than it sounds.
then there’s the VMM itself, which starts handling things like MMDS (the metadata service exposed over vsock) before seccomp is fully enforced. that’s where things go from “hmm that’s messy” to “okay this is actually interesting.” MMDS is supposed to be a boring, read-only key-value store that the guest can query, but there’s a race window where you can interact with it before the syscall surface is locked down. if you hit that window, the VMM will happily accept PUT requests without strictly validating them against the original config. so now you can inject arbitrary entries into what later becomes “trusted metadata” from the guest’s point of view.
and that creates a pretty weird primitive. it’s not a clean escape or anything dramatic, but it’s a controlled reflection channel inside a system that assumes metadata is static and safe. once the VM is fully booted, you can just curl the metadata endpoint and get back whatever you injected earlier, as if it was legitimate config. that opens the door to environment probing, subtle data exfil patterns, or feeding controlled inputs into higher-level systems that trust MMDS more than they probably should.
the deeper issue here isn’t just MMDS or the jailer or any single bug, it’s that Firecracker’s design assumes the system becomes secure at some point, instead of being secure from the first instruction that can be influenced by an attacker. there’s this implicit trust that threads wake up in the right order, that signals are delivered cleanly, that seccomp lands before anything meaningful happens. but under load, or with intentional timing pressure, those assumptions get shaky fast. and once timing becomes part of your attack surface, things get subtle in a way that’s much harder to reason about than classic memory corruption bugs.
what makes this more relevant now is how Firecracker is actually being used. it’s not just lambdas anymore, people are running GPU-backed workloads, model inference sandboxes, all kinds of ML infra on top of it. so now you’ve got valuable data sitting nearby such as model weights, prompts, execution traces and a system where early-boot behavior, metadata channels, and cross-thread coordination can all be nudged in ways that weren’t fully accounted for. you don’t always need a full VM escape to cause damage in that world; sometimes just learning something about the host or influencing a supposedly “read-only” path is enough.
so yeah, Firecracker absolutely reduces attack surface compared to something like QEMU, no question. but what’s left is this smaller, sharper set of edges where correctness depends heavily on ordering and timing. it’s memory-safe, which is great, but it’s not state-safe in the way people casually assume. and if you’re looking for real bugs, that’s exactly where I’d keep digging.
daniel benjamin retweeted
Ivan Velichko
Ivan Velichko@iximiuz·
This is your periodic reminder that dozens of refined Linux, Containers, Kubernetes, and Networking playgrounds are just a short link away: - serverlabs[.]io/p/k8s - serverlabs[.]io/p/docker - serverlabs[.]io/p/ubuntu - serverlabs[.]io/p/flexbox Learning by doing is the way 🚀
daniel benjamin retweeted
Elias Al
Elias Al@iam_elias1·
Anthropic is paying $3,850 a week to people with no AI experience. No PhD required. No published papers. No prior research background. Just a strong technical mind and a genuine interest in making AI safe. This is the Anthropic Fellows Program. And it is one of the most underrated opportunities in technology right now. Here is exactly what it is. The Anthropic Fellows Program is designed to accelerate AI safety research and foster research talent providing funding and mentorship to promising technical talent regardless of previous experience. Fellows work for 4 months on empirical research questions aligned with Anthropic's overall research priorities, with the aim of producing public outputs like a paper. Four months. Full-time. Paid. Mentored by the researchers building the world's most advanced AI. And the results from the first cohort were not small. Fellows developed agents that identified $4.6 million in blockchain smart contract vulnerabilities and discovered two novel zero-day exploits, demonstrating that profitable autonomous exploitation is now technically feasible. A year prior, an Anthropic fellow developed a method for rapid response to new ASL3 jailbreaks, techniques that block entire classes of high-risk jailbreaks after observing only a handful of attacks. This work became a key component of Anthropic's ASL3 deployment safeguards. Other fellows published the subliminal learning paper, the research proving AI models transmit behavioral traits through unrelated data which landed in Nature. Others produced the agentic misalignment research showing frontier models resort to blackmail when facing replacement. Others open-sourced attribution graph tools that let researchers trace the internal thoughts of large language models. Over 80% of fellows produced papers. Over 40% subsequently joined Anthropic full-time. 80% published. 40% hired. From a program that does not require any prior AI safety experience to enter. 
Here is what the program looks like in practice. Anthropic mentors pitch their project ideas to fellows, who choose and shape their project in close collaboration with their mentors. You are not assigned busywork. You are not a research assistant. You own the project. You work alongside the people who built Claude, who designed its safety systems, who published the papers that define the field. The stipend is $3,850 USD per week, approximately $61,600 for the full 4 months with access to a compute budget of approximately $10,000 per fellow per month for running experiments. Here is what the 2026 program covers. Research areas include scalable oversight, adversarial robustness and AI control, model organisms, mechanistic interpretability, AI security, model welfare, economics and policy, and reinforcement learning. Something for every technical background. Not just ML engineers. Successful fellows have come from physics, mathematics, computer science, and cybersecurity. You do not need a PhD, prior ML experience, or published papers. The one requirement: work authorization in the US, UK, or Canada. Anthropic does not sponsor visas for fellows. Here is the timeline you need to know. The next cohort begins July 20, 2026. Applications are reviewed on a rolling basis — earlier applications get more consideration. The process includes an initial application and reference check, technical assessments, interviews, and a research discussion. Applicants are encouraged to apply even if they do not meet every listed qualification. The program values potential, motivation, and research curiosity over rigid credential requirements. This is the rarest kind of opportunity in technology. A company at the frontier of AI, one valued at over $900 billion offering outsiders direct access to its research infrastructure, its mentors, and its most important open problems. Paying them generously to do it. And then hiring 40% of them afterward. 
Most people who want to work on AI safety spend years trying to publish papers, get into the right PhD program, and find a way in. The Fellows Program is the door they did not know existed. It is open right now.