The way it works is the user registers / imports MCP (Model Context Protocol) servers they would like to use. All the tools of those servers are imported and then the firewall uses structured LLM calls to decide what types of action the tool performs among:

- read private data (e.g. read a local file or read your emails)

- perform an activity on your behalf (e.g. send an email or update a calendar invite)

- read public data (e.g. search the web)

The idea is that if all 3 types of tool calls are performed in a single context session, the LLM is vulnerable to jailbreak attacks (e.g. reads personal data -> reads poisoned public data with malicious instructions -> LLM gets tricked and posts personal data).

Once all the tools are classified the user can go inside and make any adjustments and then they are given the option to set up the gateway as an MCP server in their LLM client of choice. For each LLM session the gateway keeps track of all tool calls and, in particular, which action types are raised in the session. If a tool call is attempted that raises all action types for a session, it gets blocked and the user gets a notification, which sends them to the firewall UI where they can see the offending tool calls, and decide to either block the most recent one or add the triggering "set" to an allowlist.

Next steps are transitioning from the web UI for the product to a desktop app with a much cleaner and more streamlined UI. We're still working on improving the UX but the backend is solid and we would really like to get some more feedback for it.

1. We are assuming that the user has done their due diligence verifying the authenticity of the MCP server, in the same way they need to verify them when adding an MCP server to Claude code or VSCode. The gateway protects against an attacker exploiting already installed standard MCP servers, not against malicious servers.

2. That's a very good question - while it is indeed non-deterministic, we have not seen a single case of it not showing the message. Sometimes the message gets mangled but it seems like most current LLMs take the MCP output quite seriously since that is their source of truth about the real world. Also, while the message could in theory not be shown, the offending tool call will still be blocked so the worst case is that the user is simply confused.

3. Currently we follow the trifecta very literally, as in every tool is classified into a subset of {reads private data, writes on behalf of user, reads publicly modifiable data}. We have an LLM classify each tool at MCP server load time and we cache these results based on whatever data the MCP server sends us. If there are any issues with the classification, you can go into the gateway dashboard and modify it however you like. We are planning on making a improvements to the classification down the line but we think it is currently solid enough and we would like to get it into users' hands to get some UX feedback before we add extra functionality.

Regarding the second point, that is a very interesting topic that we haven't thought about. It would seem that our approach would work for this usecase too, though. Currently, we're defending against the LLM being gullible but gullible and actively malicious are not properties that are too different. It's definitely a topic on our radar now, thanks for bringing it up!

The idea: instead of connecting an LLM directly to multiple MCP servers, you point them all through a Gateway.

The Gateway:

- Connects to each MCP server and inspects their tools + requirements

- Classifies tools along the "trifecta" axes (private data access, untrusted content, external comms)

- When all three conditions are about to align in a single session, the Gateway blocks the last step and tells the LLM to show a warning instead.

That way, before anything dangerous can happen, the user is nudged to review the situation in a web dashboard.

We'd love for the HN community to try it out: https://github.com/Edison-Watch/open-edison

Any feedback very welcome - we'll be around in the thread to answer questions.

Comments URL: https://news.ycombinator.com/item?id=45223102

Points: 51

# Comments: 22

- A properly written firmware. All Chromebooks are required to use Coreboot and have very strict requirements on the quality of the implementation set by Google. Windows laptops don't have that and very often have very annoying firmware problems, even in the best cases like Thinkpads and Frameworks. Even on samples from those good brands, just the s0ix self-tester has personally given me glaring failures in basic firmware capabilities.

- A properly tuned kernel and OS. ChromeOS is Gentoo under the hood and every core service is afaik recompiled for the CPU architecture with as many optimisations enabled. I'm pretty sure that the kernel is also tweaked for battery life and desktop usage. Default installations of popular distros will struggle to support this because they come pre-compiled and they need to support devices other than ultrabooks.

Unfortunately, it seems like Google is abandoning the project altogether, seeing as they're dropping Steam support and merging ChromeOS into Android. I wish they'd instead make another Pixelbook, work with Adobe and other professional software companies to make their software compatible with Proton + Wine, and we'd have a real competitor to the M1 Macbook Air, which nothing outside of Apple can match still.

But for VR I think we're still closer to the bottom of the curve - Meta and Valve need something to really sell the technology. The gamble for Valve was that it'd be Half Life: Alyx, and for Meta it was portable VR but the former is too techy to set up (and Half Life is already a nerdy IP) while Meta just doesn't have anything that can convince the average person to get a headset (despite me thinking it's a good value just as a Beat Saber machine). But they're getting there - I've convinced a few friends to get a Quest 3S just to practice piano with Virtuoso and I think it's those kinds of apps I hope we see more of that will bring VR out of the slump.

And then LLMs I think their hype cycle is a lot more elevated since even regular people use them extensively now. There will probably be a crash in terms of experimentation with them but I don't see people stopping their usage and I do see them becoming a lot more useful in the long term - how and when is difficult to predict at the top of the hype curve.

> Food has improved dramatically.

Not necessarily. While accessibility is far better, it comes at the cost of having monocultures, mass farming, and heavy importation during off-seasons. This has made, say, the average tomato cheaper and more accessible year-round but substantially worse than the seasonal tomatoes you would have 40 years ago.

> Houses are larger...

But more and more people live in cramped apartments in big cities so that point is moot.

> Healthcare...

And is it more important that a poor 25 year-old young person with their whole productive tax-paying life ahead of them can seek care appropriately Vs the hospitals keeping 80+ year-old fossils alive with their "better healthcare". The only exception is ozempic and the likes but that didn't use to be necessary before cars killed most public spaces.

> Car reliability/safety...

By turning them into huge monstrosities and widening roads, again destroying public spaces and walkability. The only major breakthrough here is lead-free fuel.

> Compute power. The average person has the knowledge of the ENTIRE world at their fingertips. But totally no progress has been made???

I'll give you that one but it's at the cost of turning a computer into an addiction machine. I still think it's a net positive but it isn't so clear cut.

> We have weather satellites

True but now we're have much more extreme weather thanks too climate change.

> We can talk to family whenever we want...

We can but when do we? I keep in touch with family often but it definitely feels less special than how it was even in the 00s.

> We have vastly more free time...

Assuming you have the same sized family and roles. Now's your need both parents in a family to work to make ends meet for the average young person so the freed time has mostly gone to the older generation.

Overall zoomers and gen alpha definitely have it worse than their parents. And this is coming from someone with a middle class background who now gets paid well to program -everyone I know my age feels this way. The main lifestyle change we got recently is cheap travel which is amazing but the basics are definitely harder (and this is why birthrates are down).

Legitimately was a worse and slower service than I would have had at my grandparents' place in Eastern Europe, it's a disgrace. It still makes me angry that it's the experience I get after paying 1000s of £ in NHS contributions.