Hacker News | guns's comments

You could use Firefox and then set the accelerator key to Super, changing all application bindings to use Super instead of Control. This is my setup and it’s great.


I'm curious how you set the accelerator key to Super? Does that let you use function keys inside the Ghostty terminal too?


https://github.com/mozilla-firefox/firefox/blob/FIREFOX_143_...

  # Use 17 for Ctrl, 18 for Alt, 91 or 224 for Meta, 0 for none.
  - name: ui.key.accelKey
    type: uint32_t
  #ifdef XP_MACOSX
    value: 224
  #else
    value: 17
  #endif

  // user.js
  user_pref("ui.key.accelKey", 91);



> People keep forgetting to sanitize inputs, for example. Does that render input sanitization a broken idea?

Possibly. You could prevent careless use of unsanitized inputs with a type system. Fail-safe designs should be more common.
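The approach the comment above sketches, as an added example (mine, not from the thread): give raw input and sanitized input different types so that forgetting the sanitizer is a type error rather than a bug found in production. `Tainted`, `Sanitized`, `from_request` and `render_greeting` are illustrative names chosen here, not a library API; the HTML-text context is just one concrete sink.

```python
"""Added example (not from the thread): using the type system so that
unsanitized input cannot reach a sink by accident.

Raw input gets a distinct nominal type; the sink accepts only the output
of a sanitizer for its context. A static checker such as mypy flags the
careless path, and a runtime guard in the sink fails closed as well.
All names here are illustrative, not a library API.
"""
from __future__ import annotations

import html
from dataclasses import dataclass
from typing import NewType

# Raw input from the network: a distinct nominal type. Nothing downstream
# accepts it directly, so it cannot be passed to a sink by mistake.
Tainted = NewType("Tainted", str)


@dataclass(frozen=True)
class Sanitized:
    """Output of a sanitizer for one specific context (HTML text).

    Callers are expected to obtain instances via `for_html()` rather than
    the constructor, so the only route to this type runs through escaping.
    """
    value: str

    @classmethod
    def for_html(cls, raw: Tainted) -> "Sanitized":
        # html.escape with quote=True neutralises <, >, &, " and '.
        return cls(html.escape(str(raw), quote=True))


def from_request(s: str) -> Tainted:
    """Boundary function: everything coming off the wire is Tainted."""
    return Tainted(s)


def render_greeting(name: Sanitized) -> str:
    """The sink. It only accepts Sanitized; a Tainted or plain str here is
    flagged by a static checker, and rejected at runtime below as well."""
    if not isinstance(name, Sanitized):
        raise TypeError("render_greeting requires a Sanitized value")
    return f"<p>Hello, {name.value}!</p>"


def handle(raw_name: str) -> str:
    """Correct data flow: boundary -> sanitizer -> sink."""
    tainted = from_request(raw_name)
    return render_greeting(Sanitized.for_html(tainted))


def handle_forgot_sanitizer(raw_name: str) -> str:
    """The careless path the comment warns about. mypy rejects this call
    (argument has type Tainted, expected Sanitized), and the runtime guard
    in the sink refuses it too, so the injection cannot ship."""
    tainted = from_request(raw_name)
    return render_greeting(tainted)  # type: ignore[arg-type]


if __name__ == "__main__":
    payload = "<script>alert(1)</script>"  # constructed input
    print(handle(payload))
    try:
        handle_forgot_sanitizer(payload)
    except TypeError as exc:
        print("rejected:", exc)
```

The fail-safe property comes from two layers: the static checker catches the missing sanitizer before the code runs, and the `isinstance` guard means that even code compiled without checking refuses to render anything that did not pass through `Sanitized.for_html`. A second sink context (SQL, shell arguments) would get its own `Sanitized` subtype rather than reusing this one.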


This is what Stephen Wolfram concludes in a recent article about ChatGPT:

> The specific engineering of ChatGPT has made it quite compelling. But ultimately (at least until it can use outside tools) ChatGPT is “merely” pulling out some “coherent thread of text” from the “statistics of conventional wisdom” that it’s accumulated. But it’s amazing how human-like the results are. And as I’ve discussed, this suggests something that’s at least scientifically very important: that human language (and the patterns of thinking behind it) are somehow simpler and more “law like” in their structure than we thought.

https://writings.stephenwolfram.com/2023/02/what-is-chatgpt-...


> (at least until it can use outside tools)

This is key. ChatGPT/GPT-4 alone are limited to reformulating what they know from their training data. Linked to search engines, databases, and computational tools such as Wolfram Alpha, they acquire much more capability. We're already seeing that with Microsoft Bing.

(Update: what happens as large language models learn Excel? Especially since Microsoft is already connecting them to Excel.)

What's striking is how fast this field is advancing. Huge advances over months, not years or decades.

We now have a much better idea of how intelligence evolved. It's mostly just more neurons. One of the great philosophical questions has, inadvertently, been answered.

Is the Singularity happening right now?


> ChatGPT/GPT-4 alone are limited to reformulating what they know from their training data.

That's not true. They are extrapolating. If they weren't, they wouldn't have the problem known as "hallucination".


> Linked to search engines, databases, and computational tools such as Wolfram Alpha, they acquire much more capability.

I see this as analogous to the human brain; there are different structures which are particularly good at specific tasks/functions. They all work together.

The only difference between a human brain and an ANN is a difference of degree. A neuron and an artificial neuron are functionally identical. I think as we start interconnecting these models we see surprising emergent properties.


>> Is the Singularity happening right now?

No, but it seems everyone loves to LARP it anyway.


I wonder if different languages lead to different capabilities? If I ask the same question in English, Japanese, and German, will I reliably get “better” answers from one language over another?


The models transfer knowledge between languages, so probably some difference in capabilities but not a ton in core capabilities.

It can solve a physics problem in Telugu close to as well as in English.


This attack also doesn't work if you `exec su lowpriv_user` since there is no parent shell.


Essay writing unconsciously reinforces one’s opinion on a topic. This is an excellent tool for intellectual development when the student is free to argue any sensible position. Unfortunately, teachers often require students to choose orthodox positions, and thus essays become a primary tool for indoctrination.

Cheating has no place in an academic institution, but machine generated essays are an interesting way for students to avoid enforced compliance.


> Layoffs like this can have a more pronounced impact on marginalized communities, so we were particularly focused on ensuring our layoffs – while a business necessity today – were carried out through an Anti-Racist/Anti-Oppression lens.

You are mistaken. The letter is quite clear.


> In the above example how is someone going to send traffic to 172.17.0.2:80 through the Docker host from a box on a different network than the Docker host?

The attacker and host will generally need to be on the same network so that the attacker's packets are not dropped because they are addressed to a non-routable private IP address.

You could access the containers at 106.12.52.111 if you were in the same network (e.g. 106.12.52.0/24) and the packets did not have to traverse a router.

> Also is this still exploitable if you reject everything at the iptables level before you start using Docker?

Yes. Docker appends the FORWARD chain with custom rules that explicitly forward traffic to published ports.
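To see the FORWARD-chain point above on a real host, here is an added example (mine, not from the thread and not Docker's code) that parses the output of `iptables -S` and lists the container endpoints Docker's filter rules will forward to, plus whether the DOCKER-USER chain (which Docker's documentation reserves for administrator rules and evaluates before its own) contains anything beyond the default RETURN. The rule dump embedded below is a constructed sample shaped like what dockerd writes for one container at 172.17.0.2 publishing port 80; the exact rules on a given host may differ, so run it against your own dump.

```python
"""Added example, not from the thread or from Docker: audit the filter
table for the FORWARD rules Docker installs for published ports.

Input is the text of `iptables -S` (all chains, in rule-spec syntax).
SAMPLE_IPTABLES_S is a constructed dump for one container (172.17.0.2)
with one published port; note that the ACCEPT in the DOCKER chain matches
only on the container's address and port, with no source restriction.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass

SAMPLE_IPTABLES_S = """\
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A DOCKER -d 172.17.0.2/32 ! -i docker0 -o docker0 -p tcp -m tcp --dport 80 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
"""


@dataclass
class Rule:
    chain: str
    args: list[str]

    def opt(self, flag: str) -> str | None:
        """Value following `flag`, or None. A negated match (`! -i eth0`)
        is skipped: it is not a positive restriction on the traffic."""
        for i, tok in enumerate(self.args[:-1]):
            if tok == flag and (i == 0 or self.args[i - 1] != "!"):
                return self.args[i + 1]
        return None

    @property
    def target(self) -> str | None:
        return self.opt("-j")


@dataclass
class Forwarded:
    dest: str
    proto: str
    port: str
    source_restricted: bool   # True only if the ACCEPT carries a positive -s


def parse_rules(dump: str) -> list[Rule]:
    rules = []
    for line in dump.splitlines():
        toks = shlex.split(line)
        if len(toks) >= 2 and toks[0] == "-A":
            rules.append(Rule(toks[1], toks[2:]))
    return rules


def docker_forwarded_ports(dump: str) -> list[Forwarded]:
    """Container endpoints the filter table forwards to from outside docker0."""
    rules = parse_rules(dump)
    reached = {r.target for r in rules if r.chain == "FORWARD"}
    if "DOCKER" not in reached:          # FORWARD never jumps to DOCKER
        return []
    out = []
    for r in rules:
        if r.chain != "DOCKER" or r.target != "ACCEPT":
            continue
        dest, port = r.opt("-d"), r.opt("--dport")
        if dest and port:
            out.append(Forwarded(dest, r.opt("-p") or "all", port,
                                 r.opt("-s") is not None))
    return out


def docker_user_filters(dump: str) -> bool:
    """True if DOCKER-USER holds any rule other than the default RETURN."""
    return any(r.chain == "DOCKER-USER" and r.target != "RETURN"
               for r in parse_rules(dump))


if __name__ == "__main__":
    import sys
    dump = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IPTABLES_S
    for f in docker_forwarded_ports(dump):
        print(f"forwarded: {f.dest} {f.proto}/{f.port} "
              f"(source restricted: {f.source_restricted})")
    print("DOCKER-USER has filtering rules:", docker_user_filters(dump))
```

Pipe a live dump in with `sudo iptables -S | python3 audit.py`. An endpoint reported with `source restricted: False` and `DOCKER-USER has filtering rules: False` is the configuration discussed in this thread: the host forwards to the container from any source that can route a packet to the container address through it. Docker's own documentation suggests restricting that in DOCKER-USER, for example by inserting a rule that drops traffic arriving on the external interface from sources outside the networks you trust.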


> You could access the containers at 106.12.52.111 if you were in the same network (e.g. 106.12.52.0/24) and the packets did not have to traverse a router.

Ok thanks, that's sort of what I thought (you had to be on the same network) but I wasn't 100% on that because networking has a lot of rabbit holes.

Your gist is very well written and a great find but based on the scope of the vulnerability this wouldn't be classified as a catastrophic event right?

If it's only limited to the attacker and the Docker host being on the same network while packets never go through a router then it's not an issue for the common case of someone hosting their web app or service on a VPS somewhere on the internet who has used 127.0.0.1:XXXX:XXXX to publish a port (perhaps their web app is published to localhost so nginx running directly on the Docker host can reverse proxy it -- this is what I've done for years now).


Docker users on the Mac are not affected by this issue, but they should be aware that the "Automatically allow downloaded signed software to receive incoming connections" option in the firewall settings must be unchecked in order to block incoming connections to container ports published to 0.0.0.0.

This is necessary because Docker Desktop for Mac is presumably signed by Apple.


Publishing ports to '*' is commonly done to allow Mac and Windows users to access containers through their browsers.

The macOS firewall is able to block connections to these exposed sockets but:

1. The user has to explicitly turn on the firewall since it is off by default

2. The option "Automatically allow downloaded signed software to receive incoming connections" must be unchecked because Docker Desktop is signed by Apple.

I don't use a Mac, but all of the developers that use Macs at my company either did not have their firewall enabled or did not realize that connections to Docker Desktop were whitelisted.


Yep, it's a good call-out. Another good habit that you allude to is to publish ports to both an interface and port on the host system, not just a port (which assumes all interfaces, including external ones like wifi). The syntax slightly changes so you do command line option '-p "127.0.0.1:5000:5000"' which means on my host machine's localhost only (127.0.0.1) listen on port 5000 and forward it to port 5000 in the container. That way only a process running on my local machine can connect to my container and not someone else on the network if I forgot to turn on a firewall.
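The `-p` syntax described above, as an added example (mine, not Docker's code): a small parser that classifies each publish spec by which host interfaces the listener binds to, so a compose file or a list of `docker run` flags can be audited for anything that is not loopback-only. It follows Docker's documented form `[host_ip:][host_port:]container_port[/proto]`, assumes dockerd's default bind address has not been changed with `--ip`, and only describes the host-side listener; as this thread discusses, the container's own address is a separate path that this check does not cover.

```python
"""Added example (not Docker's code): classify `docker run -p` publish
specs by which host interfaces they listen on.

Forms handled: "80", "8080:80", "127.0.0.1:8080:80", "127.0.0.1::80"
(empty host port = ephemeral), bracketed IPv6 "[::1]:8080:80", and an
optional "/udp" or "/tcp" suffix. A spec with no host address binds
dockerd's default, assumed here to be all interfaces.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Publish:
    host_ip: str | None
    host_port: str | None      # None -> ephemeral port chosen by dockerd
    container_port: str
    proto: str

    @property
    def exposure(self) -> str:
        """'loopback', 'single-interface' or 'all-interfaces'."""
        if self.host_ip is None:
            return "all-interfaces"
        addr = ipaddress.ip_address(self.host_ip)
        if addr.is_loopback:
            return "loopback"
        if addr.is_unspecified:        # 0.0.0.0 or ::
            return "all-interfaces"
        return "single-interface"


def parse_publish(spec: str) -> Publish:
    body, _, proto = spec.partition("/")
    proto = proto or "tcp"
    if body.startswith("["):           # bracketed IPv6 host address
        close = body.index("]")
        host_ip, rest = body[1:close], body[close + 2:]   # skip "]:"
        parts = [host_ip] + rest.split(":")
    else:
        parts = body.split(":")
    if len(parts) == 1:
        return Publish(None, None, parts[0], proto)
    if len(parts) == 2:
        return Publish(None, parts[0], parts[1], proto)
    if len(parts) == 3:
        return Publish(parts[0], parts[1] or None, parts[2], proto)
    raise ValueError(f"unrecognised publish spec: {spec!r}")


def audit(specs: list[str]) -> list[tuple[str, str]]:
    """(spec, exposure) for every spec whose listener is not loopback-only."""
    findings = []
    for spec in specs:
        exposure = parse_publish(spec).exposure
        if exposure != "loopback":
            findings.append((spec, exposure))
    return findings


if __name__ == "__main__":
    # Constructed sample: the two habits contrasted in the comment above.
    for spec, exposure in audit(["127.0.0.1:5000:5000", "5000:5000", "[::]:8443:443/tcp"]):
        print(f"{spec:<24} listens on {exposure}")
```

The first spec is the loopback-only form recommended in the comment and is not reported; the bare `5000:5000` and the `[::]` form both bind every interface and are flagged. Wire `audit` to the `ports:` list of a compose file to get the same check across a project.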

