| ▲ | _verandaguy 6 hours ago | |||||||
ACLs, nothing, we've known about in-band signalling since forever and still this whole segment of the industry seems to either not know about it, or forgets about it at a cadence so regular it may as well not know about it. System-level ACLs; mandatory or discretionary access control; secure-by-default application and network configurations are all for naught if you take an LLM, run it with all the privileges you'd have an accountable, judgemental operator, and then tell it to act based on arbitrary untrusted input which might include prompt injection attacks, something which cannot generally be sanitized. Well-defined, well-enforced security policies can mitigate disasters, but many in the wild right now just don't account for this kind of threat model. | ||||||||
| ▲ | hilariously 6 hours ago | parent [-] | |||||||
It's just purposeful blindness - I worked for a company building out tooling that insisted markdown based security was good enough and showed it off for anyone at the company to attack because they were so sure. It took me less than 5 minutes to completely disable... nobody cared, they just kept going - check the box and move on. | ||||||||
| ||||||||