[sneak]

> However, the build pipeline for compiling the sandbox binary included an automated step that adds security proto files to a binary whenever it detects that the binary might need them to enforce internal rules. In this particular case, that step wasn’t necessary, resulting in the unintended inclusion of highly confidential internal protos in the wild !

Protobufs aren't really these super secret hyper-proprietary things they seem to make them out to be in this breathless article.

[film42]

No, but having the names to the fields, directly from Google, is very helpful for further understanding what's available from within the sandbox.

[kingforaday]

Reminds me of this HN article from a month ago with lots of commentary on whether a database scheme is proprietary.

https://news.ycombinator.com/item?id=43175628

[film42]

Yeah there are some interesting similarities. However, the biggest difference is Google has the right to keep source proprietary, and companies like Unity are allowed to provide source code with a reference only license (still proprietary), but the US has FOIA to help push information into the open. Does a DB schema fall under FOIA scope? I think a better question is, can (or is) a db schema being used to conceal information? Is the law attempting to reinforce this barrier?

In other words, it should not be about the intent of the requester, but the intent of its owner; and in the case of that article, either by bias in narrative, or the fact that it rhymes with events of the past, there is some tomfoolery about.

[ratorx]

Yup, there’s no reason to believe that the proto files (which are definitions rather than data) are any more confidential than the Gemini source code itself.

[daeken]

Yeah, this is honestly super interesting as a journey, but not as a destination. The framing takes away from how cool the work really is.

[ipsum2]

Yes, there's a lot of internal protos from Google that are leaked on the internet. If I recall correctly, it was a hacker News comment that linked to it.

Edit: I don't know why the parent comment was flagged. It is entirely accurate.

[kccqzy]

You are probably thinking of the Google search ranking leak. That leak was the leak of the generated documentation from proto files.

[whatevertrevor]

The protos in question are related to internal authn/z so it's conceivable that having access to that structure would be valuable information to an attacker.

[rurban]

The protos were already available. See above.

A valuable information would be able to run those RPC calls as Principal (their root user)