Remix.run Logo
Bender 8 hours ago

A bot will do what a bot can do whether malicious or accidental. One should assume they are giving DOGE shell access on their computer and adapt accordingly. I am trying to imagine the SELinux rules required to make a bot play nice and the more I think about it such rule complexity may even befuddle the NSA. Alternate methodology:

- Give the bot it's own machine and only copy to it that which one would want DOGE having access to. Not a virtual machine, the bot will eventually escape. This applies to all bots or agents of all LLM's. Name the node DOGE to remind anyone using it not to share their crown jewels. Come up with a silly name for the agent. Elonious?

- Give it a little RasPi or mini-PC with maximum power savings enabled and no default network gateway.

- Install a self signed CA cert on the DOGE node and force it's traffic through a Squid SSL Bump MitM proxy on the same private LAN to another node with bandwidth limits enabled so that one can monitor what URL's it goes to and what data it is transferring. Configure Squid Access Control Lists to only permit specific domains and optionally URL's, mime-types, sizes, etc...

- Enable custom AuditD rules to watch anything it touches outside of it's sandbox. Send these events to a remote syslog daemon on the Squid server.

- Install Unbound DNS on the squid proxy and enable the DoH (DNS over HTTPS) listener and force all bot DNS queries to use Unbound with query logging enabled.

When the bot attempts to misbehave there will be forensic data to share with the world.

LetsGetTechnicl 6 hours ago | parent [-]

Sounds like a lot of work just for it to maybe not work anyways

Bender 5 hours ago | parent [-]

Absolutely. Quite a bit of work one time by one person willing to document the steps or even better create automation scripts for Ansible, Docker, Podman, Systemd, etc... and then automation for everyone using agents. As to success I would suggest it may be better than zero visibility or trusting what the agent says it did. Due diligence and a repeatable standard as apposed to running with scissors.

This is probably most important for anyone operating agents on corporate systems. I would suggest corporate security should take interest in this idea so they have a good answer for auditors, insurance companies, investors and customers. A full audit trail of what every agent had access to and ingested.