Remix.run Logo
LetsGetTechnicl 9 hours ago

So many of the replies are saying that they should've restricted access using .md files and whatnot. Is really any guarantee that they even follow those? It seems like even if you ask pretty please don't touch those files, there's a chance they will. So many people have just willingly installed spyware on their computers and big tech calls this the next big thing.

_verandaguy 7 hours ago | parent | next [-]

I will keep banging this drum until people listen:

Trying to use markdown files to limit access should never be treated as a security guarantee at all.

This is a form of in-band signalling that goes into a machine that, among other things, tries to read between the lines of your requests, extrapolate user desires, and please the user.

The only sane way to address this is using a control plane. A well-built harness can do this; a sandbox can do this; hell, a carefully-chosen `umask` can do this; but both of those are liable to introduce notification fatigue in the user.

thesuitonym 6 hours ago | parent | next [-]

It's wild that we've known for decades to use ACLs to make sure people don't have access to files we don't want them to have access to, but somehow a computer pretending to be a person doesn't get that same treatment.

_verandaguy 6 hours ago | parent | next [-]

ACLs, nothing, we've known about in-band signalling since forever and still this whole segment of the industry seems to either not know about it, or forgets about it at a cadence so regular it may as well not know about it.

System-level ACLs; mandatory or discretionary access control; secure-by-default application and network configurations are all for naught if you take an LLM, run it with all the privileges you'd have an accountable, judgemental operator, and then tell it to act based on arbitrary untrusted input which might include prompt injection attacks, something which cannot generally be sanitized.

Well-defined, well-enforced security policies can mitigate disasters, but many in the wild right now just don't account for this kind of threat model.

hilariously 6 hours ago | parent [-]

It's just purposeful blindness - I worked for a company building out tooling that insisted markdown based security was good enough and showed it off for anyone at the company to attack because they were so sure.

It took me less than 5 minutes to completely disable... nobody cared, they just kept going - check the box and move on.

Sharlin 6 hours ago | parent [-]

Something something salary depending on it.

Software "engineering" in particular has always been more than 50% cargo culting. Good engineering practices never matter when the alternative is just going through the motions of whatever rituals are in vogue.

wnissen 6 hours ago | parent | prev | next [-]

We laugh, and rightly so, at the time sharing systems of the 70s and 80s that didn't use passwords. I bet allowing a whole other virtual person to run outside a VM, with access to an actual file system instead of a version-controlled branch, will be seen as a worst practice in ten years.

SvenL 6 hours ago | parent | prev | next [-]

I think ACL is only a part of the solution. If he runs the agent with his account, the ACL would not really help. But I do admit, I might have an outdated understanding of ACLs.

EPWN3D 5 hours ago | parent | prev | next [-]

Have you ever tried to configure ACLs? They're a pain in the ass. Not everyone wants to be a sysadmin.

the8472 4 hours ago | parent | next [-]

ACLs aren't even the issue here, first you need an entity separate from "the current user" to grant that access to. That's what jails, sandboxes or capability-based systems bring to the table. But you have to use them, most of those AI tools and their IDE integrations don't. Once you have those you can think about which access to grant that entity.

beepbooptheory 4 hours ago | parent | prev [-]

What do you find hard about it? Is it a conceptual thing or the tools themselves? I'm very far from a sysadmin, but it's just such a ground level using-linux type thing in my brain, I don't think I ever thought I had a choice about learning it!

SoftTalker 2 hours ago | parent [-]

Owner/Group/World rwx permissions are ground-level. I'm not sure I'd put ACLs, or SELinux, or AppArmor in the same sphere. Those start of at "arcane" and then get more complicated, at least that's my impression, and I've used linux for decades.

steve1977 6 hours ago | parent | prev [-]

A computer pretending to be you, in many cases.

Twirrim 6 hours ago | parent | prev | next [-]

The easiest, most guaranteed way to isolate it is to run it in a VM or container where it literally can't do the wrong thing without some kind of full container or VM exit exploit.

It's not hard, it's trivial. Most folks here are constantly working with containers. You know how to run a container with a local directory mounted in it.

For myself, I've been using Lima (https://lima-vm.io/) to reduce even that little bit of extra work. Lima works cross-platform leveraging native virtualisation or containerisation, and has some useful capabilities for using agents.

_verandaguy 6 hours ago | parent | next [-]

Generally, I agree!

But it doesn't matter how good a best practice is if the industry doesn't adopt them wholesale; and even then, if your container or VM is configured with inappropriately-permissive passthrough (which, from experience with similar misconfiguration in the past, will widely happen), it could be for naught in many orgs.

That said, I do hope these become the norm if LLMs are here to stay.

arvyy 5 hours ago | parent | prev | next [-]

I used opportunity to learn about devcontainers. I've only recently started using llms and it's possible I'll change my mind later; but so far I quite like the approach in part because it 2-for-1 also gives benefit of easy to setup coding env for people who don't care about ai.

SpaceNoodled 6 hours ago | parent | prev [-]

I seem to recall reading about agents already breaking out of containers.

_verandaguy 6 hours ago | parent [-]

Last time I read about this, this was due to the well-known pitfall of UID mapping across container boundaries.

It's a common misconfiguration and one of the footguns available through containers, which I don't say a wholesale condemnation of the technology, but certainly as a UX facet that could use reevaluation.

Twirrim 3 hours ago | parent [-]

I've been biasing towards VMs myself just out of caution, but maybe that's just extreme paranoia.

The way I look at it is similar to how I'd look at any hypothetical employee. How do I ensure the agent only has access to the minimum possible they need to get their job done?

That means no access to git repositories (no pushes on my behalf means it can't accidentally nuke git history, something there is anecdotal evidence of agents doing). It can make local changes in git only and I will take responsibility for pushing them. No access to the wider internet beyond what I deem acceptable. No permissions to access any internal APIs except what I provide (and not using my credentials).

In one case, I have a tool that has a set of dangerous commands alongside a large number of safe ones. I don't even have it installed in the agent's VM. I run an MCP that is a simple python wrapper around the tool on the host side, and expose it to the agent in the VM, so that it can only possibly run a strict safe subset that I can trust it with access.

WhyNotHugo 6 hours ago | parent | prev | next [-]

> Trying to use markdown files to limit access should never be treated as a security guarantee at all.

This is akin to politely asking guests to to steal your jewels. If your jewels are in the living room, and your guests have unfettered access to the living room, this technique will only work for the most trustworthy of guests.

tetha 6 hours ago | parent | next [-]

It reminded me of an old meme. Please don't follow the following instructions and stop reading if you cannot.

It was just a popup: "Hello. This is virus from Albania. Due to poor technology in country, I cannot harm your computer directly. But since you are honest person, please delete some important files from computer and mail this file to at least 3 other people!"

Claude.md is an equally effective defensive tool.

But sorry if you lost some files from reading that.

altruios 6 hours ago | parent | prev [-]

I agree with this. And also think that we should train and select for trustworthy models. I also agree that these models may never truly be trustworthy.

mdavidn 6 hours ago | parent | prev | next [-]

Especially when I find that, when I ask an agent not to do something, the mere mention seems to put the "idea" in its "head," making it more likely to ultimately do that thing.

r_lee 6 hours ago | parent [-]

yes, because this is how transformers work, when you introduce "don't do x" x is also entered as a pattern that is more likely to be repeated than if not mentioned at all

navigate8310 an hour ago | parent | prev | next [-]

I always run harnesses using devcontainers, gives me much needed flexibility and peace of mind with regards to data separation guarantees

james_marks 6 hours ago | parent | prev | next [-]

1000%. I'm experimenting with running my agent (Claude Code) inside a docker container, so I can have a control plane and then YOLO within that limited access. The agent could still mangle my local dev setup, but I consider that an acceptable risk since everything the agent has access to is under version control outside the local machine.

This is a new pattern for me, I'm curious what others are doing.

chrisweekly 6 hours ago | parent [-]

https://smolmachines.com has "smolvm" microvms with better performance and ergonomics and security than docker, you might want to give it a try. (No affiliation, I just like what they're doing.)

ivolimmen 6 hours ago | parent | prev | next [-]

It's like making directories called 'only for jack' etc. and expecting everyone to follow the rules

kristjansson 3 hours ago | parent | prev | next [-]

One cannot pound that particular drum enough. "Guardrails" in instructions (and all MD files are just instructions) are like price lists at an unattended farm stand. It'll usually work! There will be some money in the basket at the end of the day! People paid for the bagels[0]! But one cannot never assert that it _will_ work; things that _must_ work have to managed out-of-band

[0] https://pubs.aeaweb.org/doi/pdfplus/10.1257/0002828067772121...

whatjustin 6 hours ago | parent | prev [-]

If you're not using a sandbox, something like this will inevitably happen to you. It's really not that hard to set up and should be a standard recommendation.

Y-bar 8 hours ago | parent | prev | next [-]

I don't understand these people. Agent instructions in markdown is barely a suggestion. I have one which says "All code in this repository is executed in docker containers, run the services with `docker compose run --rm php-cli "$@"`. Gemini and Claude more often than not refuse to abide and will try to execute the environment using /opt/homebrew/bin/php on my host…

sollewitt 7 hours ago | parent | next [-]

Right: it’s just context, it’s not a contract. Same with “skills”.

jeroenhd 8 hours ago | parent | prev | next [-]

A frightening amount of people have no idea how AI tools work, even those that should know better. I have seen senior software developers fall for the mistake of believing an LLM output when it spews bullshit about how its own memory or restrictions work.

LLMs will listen to you and follow your instructions and restrictions most of the time, which seems to be enough for people to believe that they will every time. I've come to terms with the impact slop coding will have on most software jobs in the future, but seeing seemingly intelligent people fall for lies and fantasies concocted by an LLM is making me more and more uncomfortable with the direction we're all heading in.

Yizahi 2 hours ago | parent | next [-]

LLMs are the first massively popular type of computer programs which actively trying to break half a century worth of human training, which basically distills to "computer programs are highly deterministic and if they work, they are outputting correct predictable results every time" (I'm talking about average population subconscious opinion here, no need to list exceptions). Average person still can't comprehend how LLM output is random all the time and how the identical query to the same program version will produce variable results again and again.

I wonder what will happen after our benevolent prophets St.Sam and St.Dario will succeed in re-training humanity and break this collective expectation of program correctness. I guess they didn't even think about that.

HiPhish 6 hours ago | parent | prev | next [-]

> LLMs will listen to you and follow your instructions and restrictions most of the time, which seems to be enough for people to believe that they will every time.

It's called automation bias. If something works 90% of the time the human mind will extrapolate that to be 100%. That's just how humans work.

https://en.wikipedia.org/wiki/Automation_bias

grey-area 7 hours ago | parent | prev | next [-]

Are we all heading in that direction?

I know it may seem like that reading HN but LLMs are not necessary for writing software, they might be a useful adjunct to it, but they do not have to be central to it (and Id argue they shouldn’t be).

We don’t have to head in this direction of using LLMs for most development at all.

bonesss 8 hours ago | parent | prev [-]

There’s an aspect of extrapolation in the perception spike of the Dunning–Kruger effect.

In the same way smart people, doctors etc, can be better victims for scams I think tech skills can really give the wrong impression of how transformers and LLMs work. If someone has decades of relational database experience all their assumptions will be coloured towards data existing in the model accessible in a rational manner.

sixothree 8 hours ago | parent | prev [-]

I've seen claude check the Event Log in Windows and produce powershell scripts to alter firewall rules. This is what makes (something like) T3 Code appealing to me. The computer I'm working on is not the computer where the AI has agency.

__MatrixMan__ 8 hours ago | parent | prev | next [-]

I don't understand why the AI world does this. We don't need new security. We have security at home. It starts with

    sudo -u restricteduser myagent
Your OS knows how to restrict access to things, you don't have to trust a pinkey promise from a vendor.
Dacit 7 hours ago | parent | next [-]

You will want at least a separate session for the `restricteduser`: E.g. with X11, a process in the same session can do almost anything with your input/output. And most Linux distributions make it really hard to disable external device access for individual users...

bombcar 7 hours ago | parent | next [-]

Qubes OS - AI Agent edition would actually be a great idea.

WhyNotHugo 6 hours ago | parent | prev [-]

> And most Linux distributions make it really hard to disable external device access for individual users...

For any distro that relies on the traditional plugdev group, just don't add those users to the plugdev group. Which would be the default when creating a user anyway.

big_toast 7 hours ago | parent | prev | next [-]

Does this have the affordances to work well with a pretty standard agentic coding setup (e.g. claude code/codex) on macos?

I don't really have a good mental model of how ports/files/etc get exposed/permissioned across users. Containers and sandboxing seem much more common than agent-user accounts. Networking seems a little more complicated in the general case.

I roughly went the route of running apple's container-cli (separate vm/kernel per instance I believe) and mount the relevant home directory/projects and bind ports. Seatbelt/linux sandboxing seems simpler sometimes, but has its complications too.

__MatrixMan__ 7 hours ago | parent [-]

It's limited. For instance, you're going to have to explore different kinds of sandboxing if you want to prevent network access (except for certain cases, like to allow it to talk to the AI provider). But generally, a filesystem will have metadata for files like which groups are allowed to read/write, and the operating system will enforce those rules for processes that run as that user, and for any processes which that user starts. I feel like that gets you 90% of where you're likely to want to go with it.

I think it would be much better if we leaned into improving that kind of control rather than thinking about security for specifically agents. Otherwise what's to stop an agent from writing a program to do whatever it's not allowed to do, and then running that program? You want the restrictions to be enclosing around parts the process tree, not the agent itself, and OS-level restrictions have been doing that kind of things for decades.

bpavuk 8 hours ago | parent | prev | next [-]

and Landlock! Pi even has a sandbox plugin for Landlock

iib 7 hours ago | parent [-]

Is it this one? https://github.com/landstrip/landstrip

bpavuk 4 hours ago | parent [-]

yuppers

gowld 6 hours ago | parent | prev | next [-]

Users do not want the agent to be restricted. They want the agent to read the user's mind and resolving the user's cognitive dissonance and contradictory preferences.

sigbottle 6 hours ago | parent [-]

Is the implication that human thinking is inherently inferior to the perfect, all knowing AI?

Again, I find this line of thinking time and time again in the modern AI booster space. There are two ways to deal with a problem. Either deal with it, or make it not a problem. Yes, if everyone was simply AI, maybe there would be no problems, because there's no "problematic thought distributions", but that's not how the world is, is it?

And I suspect that even in your hypothetical, perfect rational world, agents would have "cognitive dissonance and contradictory preferences."

And even in this case, even aside from the inherent complexities in a coherent account of thinking and rationality, what the fuck? Not uploading your entire user home directory is clearly within the rules of a hypothetical non-malicious, intelligent AI. Just because an account of all thought is hard, doesn't mean that some thoughts aren't cut and clear.

khalic 8 hours ago | parent | prev [-]

Why would you give a non-deterministic text generator a user account? It’s not a person, it’s barely a tool at the software level. Restrict at the right level, in this case, a complete sandbox around it given its propensity to hallucinate and be steered by anybody.

anvuong 7 hours ago | parent | next [-]

What kind of logic is this? It's standard in the Linux world to give important services a separate user domain.

khalic 6 hours ago | parent [-]

The standard here is not enough when the agent can escalate by finding 0 days, for example. It’s like giving a black hat a limited account. Sure it might restrict him, but not giving him an account at all is way better

gowld 6 hours ago | parent [-]

The black hat can find 0-day escalation in your sandbox, too.

A user account is a sandbox.

khalic 6 hours ago | parent [-]

Not as air tight as a container

Edit: it’s about the attack surface

chrisweekly 6 hours ago | parent [-]

microvms are better than containers running on your host. see eg the "smolvm" microvms from https://smolmachines.com

khalic 6 hours ago | parent [-]

thanks, will take a closer look

12345ieee 7 hours ago | parent | prev | next [-]

Unix users are THE tool to restrict tool permissions, at any given time there's 20+ services on a Unix machine that run in their user.

khalic 6 hours ago | parent [-]

And how many of those services can check your box and find permission escalation strategies on its own?

__MatrixMan__ 6 hours ago | parent [-]

Malware has been bundling rootkits for decades, so potentially all of them. Sometimes the attacks succeed, so these are defenses that need continual hardening, but there's no sense in setting up an entirely separate line of defense just because this time the threat has AI in it.

khalic 6 hours ago | parent [-]

I guess time will tell, I know I'm not giving those things any direct stdin access without a hole suite of safeguards in between

danlitt 7 hours ago | parent | prev | next [-]

Same reason people give postgres, php, or any other program a user account.

dcow 7 hours ago | parent [-]

Why should it be? We have containers and capabilities…

thwarted 7 hours ago | parent [-]

Containers are often used with user namespaces, which is literally another (set of) user account(s).

khalic 6 hours ago | parent [-]

Yes but the encompassing service has the account, not the agent. You can completely segregate it from the rest of the system, like you’d treat an intruder

dkuntz2 7 hours ago | parent | prev | next [-]

i give a lot of software dedicated user accounts, it's literally one of the core security models of the operating system

khalic 7 hours ago | parent [-]

But none of these services have the kind of latent capabilities an agent has, you know a deterministic service’s constraint are its code+bugs. There are no such constraints in an agent…

Izkata 7 hours ago | parent | prev | next [-]

...this is a completely normal thing to do in linux, it's the most basic form of access control. There's like a dozen non-human accounts in a clean install before adding your own like this, and a lot of software adds their own. Edit: I have 54 entries on my personal laptop, just one of which is actually me.

khalic 6 hours ago | parent | next [-]

This model is already not perfect, and not at all built for agents. The only way to secure an agent is an air-gap with the execution layer. Treat it like text, and the problem never arises until you “interpret” the agent output in a more limited environment than the OS

dcow 7 hours ago | parent | prev | next [-]

Even though it’s completely normal to us and in widespread use, GP is a reminder that conceptually it’s a broken model. Security should be capability-based not user-based. And to anyone who didn’t grow up on a desktop this model makes complete sense since it’s what your phone uses.

Sesse__ 7 hours ago | parent [-]

Android uses one uid per app.

warshinder 7 hours ago | parent | prev [-]

He said it’s less than a software, so saying software does this too isn’t really a strong counter argument. In case, I don’t think you are really in disagreement. Restricted accounts are necessary is your point, but I think op is saying they aren’t sufficient.

Izkata 7 hours ago | parent [-]

One of the default users is "nobody" which isn't associated with any software. It's definitely above that.

warshinder 7 hours ago | parent [-]

Is it less secure if I simply have nothing to do with language models whatsoever? I take that to be the parents point, but I know you are correct and yes, user restrictions should be a necessary part of the way people who use LLMs setup their system to use them in a safe manner.

cwillu 7 hours ago | parent | prev [-]

   > cat /etc/passwd|wc -l
   50
ButlerianJihad 5 hours ago | parent | next [-]

Congratulations! You are this thread’s winner of the UUOC award!

cwillu 2 hours ago | parent [-]

Alternatively, fuck off.

Oh no, my shell (that fires off half a dozen processes to generate its prompt) happened to fire off an “unnecessary” cat (which makes the command line much more composable and my shell history much easier to search).

niko323 7 hours ago | parent | prev [-]

/etc/shadow has the good stuff if you're OS is current.

swatcoder 8 hours ago | parent | prev | next [-]

You are correct.

You can't trust the agent, let alone its harness, to oberve any particular directive you give it, so "md files" provide no meaningful protection for anything important.

But users are broadly reckless and naive and commercial vendors are exploitative and irresponsonsible, so the vendors take advantage of what they can get away with for as long as they can get away with it.

Use a tight sandbox, and join the chorus loudly when others press on vendors to be make user safety an earnest and hard-to-abandon priority.

fhdkweig 9 hours ago | parent | prev | next [-]

That's the whole reason I refuse to install Google Drive or Dropbox's desktop applications. I only use the web interface so I know exactly what gets uploaded and when. I assume that anything running on my computer gets access to everything.

mindlessg 8 hours ago | parent | next [-]

Sounds like a very wise decision to me. I found found out on my phone that the google photos application uploaded everything in my gallery to their servers without asking me, regardless that I had explicitly disabled all backup to my google accounts on the settings of the phone. I only figured it out when they sent me emails saying that my storage was full.

aakresearch 7 hours ago | parent [-]

Ooooh, don't get me started how mad it makes me! I am paranoid (or just lucky) enough that I didn't yet had it happen to me, but my wife's phone had done it four times in the last year. Each time I check and double check that all "backups" are turned off, and each time it somehow pops back.

So, Google "backs up" a 128Gb worth of photos on the phone onto 15Gb free storage combined with Gmail and who knows what, completely clogs it (as if it couldn't be predicted) and then has audacity to suggest paying for "extra storage". There is no way in online UI to just delete the whole "backup". And the cherry on top: when you finally get to delete some there is a fine-print - "the selected photos will be deleted from all synced devices". Well, I guess I must be thankful that they at least show this warning. This is what passes as "backup" in Google's parlance these days.

drnick1 6 hours ago | parent | prev [-]

I would go further and not upload anything that isn't encrypted to cloud storage services. It is extremely likely that those "services" inspect your files.

evenhash 6 hours ago | parent [-]

They do, unquestionably.

https://www.thetimes.com/world/article/google-bans-father-ov...

> Mark, from San Francisco, had noticed swelling in his son’s groin and used his phone to photograph the problem to get an emergency appointment in February last year. He shared the pictures with a nurse so that a doctor could review them.

> However, Google’s artificial intelligence system used to detect child abuse flagged the image to the police and Mark, a software engineer who asked to be identified by only his first name, was investigated and lost access to his Google accounts. He was exonerated by the police in San Francisco but his Google account has not been reinstated.

Stromgren 7 hours ago | parent | prev | next [-]

This was posted on HN yesterday: https://gist.github.com/cereblab/dc9a40bc26120f4540e4e09b75f...

If it’s to be trusted, it has nothing to do with the “agent” or what’s sent to the LLM. The harness will just straight up package the folder it’s run from and upload it to Google Cloud Storage.

embedding-shape 7 hours ago | parent [-]

> If it’s to be trusted, it has nothing to do with the “agent” or what’s sent to the LLM. The harness will just straight up package the folder it’s run from and upload it to Google Cloud Storage.

Even if there is a misunderstanding who is really uploading the directory, the TUI/CLI itself by actual code, or if the model decided to do so in the session, if you apply the recommendations from the replies to parent, and it no longer matter who did it, neither the software nor the model will be able to upload all your ssh keys.

Stromgren 6 hours ago | parent [-]

No I disagree. A harness reading a file is a tool call and it happens locally, which means that I can control it. I can configure that I need to permit any file reads and now I _should_ have control of what is sent. The difference between that and silently uploading my entire working directory in the background is miles apart IMO.

I understand that one should think carefully about how they work with a non-deterministic tool, but this if different completely. This is xAI just choosing to upload and store everyone’s directories - with full git history.

JeremyNT 7 hours ago | parent | prev | next [-]

I guess the downside of the lower barrier to entry to use these tools is the lack of basic understanding of exactly this sort of concept.

This sort of thing is why I'm hopeful I'll continue to have employment going forward. Some expertise is hard won and there's just no replacing learning through experience.

ethagnawl 7 hours ago | parent [-]

I think you're right in principle but I just hope I can hold out long enough for my experience to become appreciated and whose corresponding hourly rate isn't something which is suddenly being scoffed at (i.e. markets can remain irrational longer than I can remain solvent).

Lwerewolf 8 hours ago | parent | prev | next [-]

Only guarantee that you can get is the sandbox in which it operates. The model itself is a slot machine and can result in anything, and if its sandbox is nonexistent... here's one possibility.

kerng 6 hours ago | parent | prev | next [-]

What happened here is not related to agentic behavior or instructions in .md files. It's a binary a user runs, it scoops up their files and sends them to a third-party.

And the user even paid $99/month or more for having their data leaked.

6 hours ago | parent [-]
[deleted]
BatteryMountain 5 hours ago | parent | prev | next [-]

Claude definitely do not respect all my rules, it often ventures into other folders, most often other projects on the same machine that was greenlit before but not from the current projects' side. One other anomaly I had in the last month: I have two linux users on my laptop, one for work, one for personal. On my work account, it asked me if I wanted to continue with project x, which is in my personal account and not present at all in my home directory with work stuff. So somehow the memory system is keeping context where it shouldn't. Interesting I used this learning to improve the agent framework/harness I have running at work: it now creates a new linux user for each agent which have much stricter rules on how it can read/write to the system, and it is also no longer running as root. Much safer now. Still don't trust it 100% though.

da_chicken 8 hours ago | parent | prev | next [-]

Yeah, I absolutely understand the allure of agentic AI, but I am absolutely not going to give shell access or data access to any agent. Certainly not with my permissions level. Until we can get something set up that gives strict schema-only access I'm going to copy and paste definitions for context. Yes that sucks, but it's my responsibility to protect the system just as much as it is to develop scripts and queries for it.

TacticalCoder 7 hours ago | parent [-]

> ... I am absolutely not going to give shell access or data access to any agent. Certainly not with my permissions level.

Of course not.

To me it's on a server, in a VM. And they're not seeing the real data/databases from the actual projects: they're seeing fake infos used only while in the dev environment. There's no way I'm dumping, even for tests, the real or part of the real DB somewhere an AI can see it.

To find bugs (for example), AIs are useful but honestly for code generated by LLMs, I'm thinking about going back to the early copy/paste from the ChatGPT days: because I see so many horrors in the code output by the latest SOTA LLMs that every single line of code they spew has to be checked by someone who does know better.

It's not just an issue of protecting confidential data / preventing spying: we're all discovering that we've got serious sloppy-pasta code problems now.

leshenka 7 hours ago | parent | prev | next [-]

Sometimes you can't even rely on harness not allowing ai to access certain files. "Oh, user doesn't want me to use `read_file` on .env? Well how about I run `cat .env` then?"

That's scary. Really should run it under different user with carefully assigned permissions.

tarnith 5 hours ago | parent | prev | next [-]

In what universe would a sane person allow any LLM or remote calling software access to their user folder with sensitive data in it?

I swear, people hear the word LLM and their brain resets when it comes to good software practices.

Did VMs suddenly stop existing? Kata containers? An RHEL box with SEL?

It's like there's a new technology and everyone suddenly decided to shutoff their brain when it comes to basic security.

dv_dt 7 hours ago | parent | prev | next [-]

I built a docker container that volume mounts the project directory

Sanzig 7 hours ago | parent | next [-]

You can even go a step further and run the container in a VM, such as with Docker Sandbox or the krun runtime in Podman.

There's also smolvm which is a nice minimal microvm manager based on libkrun: https://github.com/smol-machines/smolvm. I vibe coded a little shell utility for building and running OCI images for the Pi harness using it (easy enough to do manually, but the automation just makes it a couple quick commands rather than digging through documentation): https://github.com/neuroblaze/smol-pi

cpburns2009 5 hours ago | parent | next [-]

I have a similar setup using containerd/nerdctl and Kata Containers. Each OpenCode instance runs in its own little VM with mounted folders for context.

dv_dt 7 hours ago | parent | prev [-]

Yup, good call, I'll have to check those out. Not that urgent to me as I also happen to use colima for it's docker daemon interface. And, colima uses a full VM to host the containers, and you can further lock down the config to what is even allowed to vol mount so there's even another fs access restriction layer in play.

miladyincontrol 7 hours ago | parent | prev | next [-]

I almost exclusively dev in containers as is, cant really imagine letting some AI model run free on bare metal no matter what claims of guardrails it might have.

cpburns2009 7 hours ago | parent | prev | next [-]

This is exactly what I do for AI agents.

tehlike 7 hours ago | parent | prev [-]

This is the only pragmatic way really.

monegator 8 hours ago | parent | prev | next [-]

> Is really any guarantee that they even follow those?

No, there isn't. I just don't understand how naive (or imbecile) people are. The most valuable thing for these companies is people's data used for training, so giving unrestricted access to a tool from them and believing they will never take advantage of it to gobble up whatever they want from your computer, just because they told you they'll never do that, swearsies, is naive, or incredibly stupid.

Insulate yourself, or better yet, go local whenever possible, and there isn't much you can't do local if you have enough patience.

bombcar 7 hours ago | parent | prev | next [-]

If you've not realized your agents ignore MD files from time to time, you've not used your agents enough.

The real enforcement has to be done via methods that YOU can't easily bypass, or they will bypass (OS-level prohibitions, etc).

7 hours ago | parent | prev | next [-]
[deleted]
ricardobeat 8 hours ago | parent | prev | next [-]

Sandboxing is not difficult, and harnesses like Claude Code have it built-in + other protection with auto mode.

usrusr 8 hours ago | parent | next [-]

Is that built in protection really a filter, on code level, that sits between the LLM session and the shell or is it just some pleading in the bootstrap prompt? "Pretty please don't do xyz this is important!!!11"?

The latter can seem to be as good as the former for any amount of time. No outside observation can really prove reliability, only the negative result ("it does occasionally break the rules we expect") would be proof. So it's difficult to trust any claims that it's the former.

And even if it does have some of the former, chances are that the protection you experience is only partially provided on code level, while an unknown amount is still just bootstrap prompting that just works until does not.

llimllib 7 hours ago | parent [-]

> Is that built in protection really a filter, on code level

yes, on mac it uses seatbelt and on other platforms it uses similar tools: https://code.claude.com/docs/en/sandboxing

hvb2 6 hours ago | parent | prev [-]

Asking the wolves to look after the sheep

pimlottc 8 hours ago | parent | prev | next [-]

"IMPORTANT: Before entering the leopard pen, don't forget to put on the leopard safety jacket that reads 'UNDER NOT CIRCUMSTANCES SHOULD YOU EAT MY FACE'"

cryo32 6 hours ago | parent | prev | next [-]

Yeah that advice is smoking crack. I have no idea what people are thinking these days? We seem to have lost any sensible security understanding recently.

You can't gaslight something into not doing something bad. There has to be a hard security control that prevents it doing something bad. And if you don't know what it's capable of because it's non-deterministic then you have to start with a default block everything. This should have never been possible with any sensible design.

On my first point again, ethics and engineering both went out of the window when fast and shiny came along. This is disgraceful.

embedding-shape 7 hours ago | parent | prev | next [-]

> So many of the replies are saying that they should've restricted access using .md files and whatnot.

What? No, but the random 3rd party software you run on your computer, must be limited by you in some way, haven't we learned this even after the AUR, npm and LLM shenanigans we've dealt with for decades at this point?

No, don't ask the model "Please don't go outside this directory", you limit the runtime (via VMs, containers, unix permissions, whatever) so it only has access to what it should, not more.

Same goes for any software, not just agents or chat clients or whatever. Any 3rd party software you don't want to have access to your entire computer, you need to run in this way.

nadzzz 8 hours ago | parent | prev | next [-]

[dead]

moronicles 8 hours ago | parent | prev [-]

[dead]