[xmcqdpt2]

The author only used rot13 to make a point about the failure mode of inspection. DPI is only there to stop everyday employees from bypassing security policies inadvertently, not to stop an actual attacker. An attacker could use any number of other approaches: hiding payloads in innocuous keywords, using actual encryption, steganography, what have you.

I'm not a security expert but we had those kind of measures at a previous job and AFAIK they are there so that a lazy employee (me) doesn't just skip configuring their tools to go through Artifactory out of laziness and introduce a supply chain vulnerability. If "pip install XYZ" just worked out of the box, how likely would it be that all 10k devs in your organization would bother configuring it to avoid PYPI?

[xchaotic]

I don’t get the scenario he tested where he has access to both sides and can freely install cyphers on the server and what not. If you have just installed vpn endpoint and send whatever packets you feel like.

[largbae]

I think the point is that the perimeter security doesn't provide the security that the client imagined. Gaining root on any endpoint in the network (and then finding an endpoint you can control anywhere else on the internet) gives you a way in and out of the company network.

[anderspitman]

You don't even need root. All the important bits can be done in userspace.