FRESH

Hacker News

Home

Show HN: GhostBox – Borrow a disposable little machine from the Global Free Tier

126 points by keepamovin

by D2OQZG8l5BI1S06

3 subcomments

Weird to have a .charity TLD but promote abusing Github Actions as free compute.

by beardsciences

0 subcomment

This idea is great in concept, and I think it's important to state that, but the GitHub Actions stuff is against TOS iirc + they will need to address that pretty quickly.

by rvz

1 subcomments

So that's why we will see GitHub Actions continuing to go down so frequently every day of the week. From their "terms of service" [0]
> Ghostbox is software for launching short-lived development machines using third-party infrastructure such as GitHub Actions, tunnels, shells, agents, and related developer tools.
So this will go down, just like GitHub Actions since it abuses the subsidised free tier of GitHub Actions to run a service like this and it is likely against the GitHub TOS.
[0] https://www.ghost.charity/terms

by kitchi

2 subcomments

Looks like the Github repo has already been nuked, I'm guessing for violating ToS on Github actions?

by keepamovin

0 subcomment

Wow, this was really a cathartic thread. Was it as good for you as it was for me?

by ctrlmeta

5 subcomments

The multiple levels of abuse here are astounding. That grown adults can think projects like this are acceptable, let alone promote them, is hard to believe. I am 90% sure this is yet another vibecoded project. Has vibecoding really corrupted people?
First, I am fairly certain this violates Github's ToS. Second, it effectively amounts to a denial of service. Third, are people seriously using the .charity TLD to host something this frivolos? Have people got no sense of propriety anymore?

by fhn

2 subcomments

this is exactly what a bad actor would do to temp the greedy. If they are providing free ssh access, why not just use an ssh client instead of curl|sh? That's crazy! And free compute is even crazier. I guess they could make money based off training or selling whatever you put on there.

by orliesaurus

2 subcomments

Things like this are the reason why companies like GitHub then put everything under a paid tier.

by beardsciences

1 subcomments

The repository now appears to be disabled.
https://github.com/DO-SAY-GO/ghostbox-releases
https://github.com/crisdosaygo/ghostbox-home-reveal

by sikozu

0 subcomment

GitHub is going to love this. No wonder Actions keeps getting worse and worse.

by cobertos

2 subcomments

Won't the supply-side incentives misalign with demand-side's desires in this case?
If you choose a specific company's free tier, you can rely on reputation and switch if they misbehave (e.g. they exfiltrate your secrets, log all your activities, build a profile on your workload behavior, etc). But if you don't know where your workload being deployed, the operator has less incentive to treat your compute with respect.
Means this is really only useful for nearly-public workloads, where tampering is not a critical failure mode.

by avaer

1 subcomments

This is interesting, but unfortunately it's a gradient on an infinite game of cat and mouse.
If blocking doesn't work, there will be phone verification. If that doesn't work you're gonna need to get orbed. If that doesn't work, you're gonna need to drink the verification cans. Or they will just kill the free tiers. There is no free lunch.

by Imustaskforhelp

1 subcomments

Thanks, I know exactly something which has been in my mind to build which can be made possible with this.
Basically any golang/any language cli application preferably-static can be dropped and ran in ghostbox plus xterm in browser (and additionally cloudflare tunnels) or perhaps directly to give a web link.
Anyone can then click on that web link to then try out the cli application. Think jujutsu and others too and they can do this upto 90 minutes.
Feel free to pick up on this idea as more importantly than not, I would personally love to see an idea like this, even something with asciinema to finally show how an app feels and looks.
Can you please tell me more about what is the structure behind Ghostbox and on what service does it run upon? Hetzner/OVH or something else? I would be interested to know more about the infrastructural decisions behind it and does it run on firecrackers, quite so many questions!
This is a really cool project, thanks for making this and have a nice day!

by skywhopper

1 subcomments

Nice way to automate the unethical destruction of the commons. Shared space and community standards are for suckers.

by o10449366

1 subcomments

As unreliable as GitHub actions are, this is what ruins nice things (free for public repos) for the rest of us.

by rao-v

1 subcomments

Is there a meaningfully useful version of automatically write to an encrypted disk / RAM that could be used with a random cloud instance? Obviously the decryption key would be in RAM somewhere but as a short term best practice it might be somewhat useful

by anonymouscaller

2 subcomments

Couldn't get it working on MacOS or Linux:
$ curl -fsSL https://www.ghost.charity/install.sh | bash Checking for Ghostbox updates... curl: (22) The requested URL returned error: 404 Could not fetch ghost-linux-x64.tar.gz from https://github.com/DO-SAY-GO/ghostbox-releases/releases/late...

by pvitz

1 subcomments

Segfault provides something similar with a direct ssh connection: https://www.thc.org/segfault/

by sbuas

0 subcomment

Where is the source ? This looks fishy, no way I'll run this bin..

by S0y

2 subcomments

This is 100% against githubs TOS lol.
Some years ago I toyed with the idea of running a minecraft server inside github actions, I used tailscale to create a public endpoint and saved the world in an artifact that was re-loaded on the next run. It worked really well, but the point was never to actually use it for real.

by dmsmb

0 subcomment

gh will have to tighten controls or even completely stop providing free minutes. And then the whole community will cry about MS ruining gh. No folks, this is an infrastructure abuse and it will have net negative impact on most fair users

by archargelod

4 subcomments

Was this botted to the top of the front page?
AI=generated article that asks you to download and run some random binary. Github account is just more AI slop. Everything to me just screams that it's a malware. Or this is normal here?

by throwa356262

1 subcomments

@keepamovin this looks cool, but notice that your README and github links are ghosting us (404)

by toraway

2 subcomments

I wish the link for "Global Free Tier" [1] included an actual list of the free tiers GhostBox is using (ideally also including some kind of table/rubric for comparisons and any limitations, benefits, etc unique to each).
It sounds like Github Actions is the first choice, if it's unavailable (or if Github blocks GhostBox in the future), are each of the alternatives viable as a more or less drop-in replacement? Or would there be loss of functionality?
Those are the questions I had when reading through the site so I think some basic technical docs would go a long way to help people understand the project and decide to give it a try. I like the cute/whimsical branding but I'll admit to doing a little internal eye-roll when I clicked that link expecting technical specifics and instead read:
```
  > GitHub Actions is only the first place ghosts come from. There are strange little pockets of temporary compute all over the internet. Ghostbox makes them feel like one small machine. 
```
It's a neat idea though, and I've definitely had moments where I wished I could just spin up a free, temporary VM/container to do something but didn't feel like researching the current free-tier landscape and filling out a sign-up form and stuff.
[1] https://www.ghost.charity/#gft

by colesantiago

2 subcomments

Its great that this is free for disposable use.
We need more of these. There are too many sandboxes that charge insane prices.
Curious what this runs on though and it would be great if this was completely open source.
Great work!

by 6r17

0 subcomment

I'd be worry about security tbf - this sounds cool until it's used to host some weird shenanigans and nobody has any kind way to tell who did what

by arm32

0 subcomment

Just shut this down.

by croemer

1 subcomments

None of the links to Github work because you're pointing at the main branch instead of your default branch ghosts-only

by everyos_

0 subcomment

This is why we can't have nice things. I sure hope this doesn't result in GH disabling actions for everyone.
Also somebody should Ghidra the project, see if they can find malware. I'm not saying anyone has to, just a thought

0 subcomment

by aleksiy123

0 subcomment

[dead]

by peter_d_sherman

1 subcomments

An interesting set of ideas!
The broader concept seems to be "ephemeral environments", which is related to sandboxing, which is in turn is related to testing/debugging...
Related:
https://github.com/topics/ephemeral-environments
https://blog.invisiblethings.org/papers/2015/state_harmful.p...