|
| ▲ | hoppp 8 hours ago | parent | next [-] |
| I meant that not everyone is doing it at home. Do you think a person's private computer is a secure workplace? If it was security sensitive space there would be no agents running amuck. |
|
| ▲ | t-writescode 8 hours ago | parent | prev | next [-] |
| Sigh. Anything that isn’t a default is optional by default. Anything that’s toggleable or configurable is optional. Security is, always, a trade off. It is hilariously common for private keys to work as a full identifier for a person, without concern of IP or anything of the sort. Should they? Maybe, maybe not, that’s the calculus of risk management; but victim-blaming the average person who is following best practices is a bad look. |
|
| ▲ | grayhatter 8 hours ago | parent | prev [-] |
| I'm a security eng and I've worked for both a FAANG and TS government contractor. Neither of them bothered with either of the of the stupid suggestions. IP restrictions prevent roaming, the point of working remotely via SSH. passwords are equally defeated by using an ssh agent, something I'd suggest everyone use. Then on top of that there's no reasonable threat model where something would be given unrestricted access to user env, but also be untrusted. If it can read from ~/.ssh neither IP protection nor keyfile password protection will protect you from maleficence. The only reasonable response from a security perspective is don't use grok, then use it sandboxed. Trying to claim it's the users fault for not using password protection and IP restrictions is completely nonsensical. Same energy as telling someone their computer is more secure when it's off. |