afro88 3 days ago

It's crazy to me that someone can write a post called "How We Rooted Copilot" when in reality they got root in an ephemeral python sandbox container that was locked down so much that they couldn't do anything.

I read "rooted copilot" and I think they got root on a vm that is core to copilot itself.

A much more accurate title would be "How We Rooted the Copilot Python Sandbox"

stingraycharles 3 days ago | parent | next

“How we escalated privileges from a regular user to a root user in a completely locked sandbox” pretty much sums it up.

It’s a nothingburger, which actually goes to show just how effective sandboxing is for defense in depth.

bravesoul2 3 days ago | parent

Also shows you how shit an LLM is for defence, as it actively helps you look for exploits.

An LLM is like an insane quadruple agent and you don't know whose side it is on (if any at all).

brookst 3 days ago | parent | next

LLMs are on “sides” the same way books are: not at all. Tools don’t have agency.

arccy 3 days ago | parent | prev

chaotic neutral

username135 3 days ago | parent | prev

Agreed. It feels like I'm seeing more of this lately.