new | show | ask | jobs Github

esseph 4 days ago

This is a blanket statement, just an anecdote from my career.

Every developer I have ever met that wasn't in the security space underestimates security problems. Every one.

YMMV

▲

mehdibl 4 days ago | parent [-]

I'm in the security space so? And been deep in this MCP thingy.

Did you check where I pointed the root issues?

All I'm trying to say there is shortcuts, and confusing over the hype buzz too that is on going in AI, as MCP took off, I so a lot of of papers with IF IF IF condition to point security issues in MCP, while most of the them expect you to pick random stuff at the start. This is why I'm saying "Supply chain" is not MCP. As you can't blame MCP for issue coming from random code you pick. MCP is a transport protocol, you can do similar without MCP but you have to bake your tools inside the AI app, thus loosing the plug & play ability.

	▲	datadrivenangel 4 days ago \| parent \| next [-]
		You are correct that it is possible to use MCP securely. Like if you build a custom client, and only use trusted third party servers one at a time. But the hype-promise of "AI" is that you can make the commercial off the shelf ClaudeGPT client magically discover MCP servers and automate everything. And if the majority of people's expectations require vulnerability, you're going to have a bad time.
	▲	esseph 4 days ago \| parent \| prev [-]
		Ultimately to use Agentic AI, you have to put faith in the model, the training data, the chain of custody, the authentication, the network discovery and connectivity between components, the other tools themselves that get called, and their chain of custody, etc. It's a massive liability. Maybe future history will prove me wrong.