← Back to context

Comment by khalic

3 days ago

Why would you give a non-deterministic text generator a user account? It’s not a person, it’s barely a tool at the software level. Restrict at the right level, in this case, a complete sandbox around it given its propensity to hallucinate and be steered by anybody.

What kind of logic is this? It's standard in the Linux world to give important services a separate user domain.

  • The standard here is not enough when the agent can escalate by finding 0 days, for example. It’s like giving a black hat a limited account. Sure it might restrict him, but not giving him an account at all is way better

Unix users are THE tool to restrict tool permissions, at any given time there's 20+ services on a Unix machine that run in their user.

  • And how many of those services can check your box and find permission escalation strategies on its own?

    • Malware has been bundling rootkits for decades, so potentially all of them. Sometimes the attacks succeed, so these are defenses that need continual hardening, but there's no sense in setting up an entirely separate line of defense just because this time the threat has AI in it.

      1 reply →

...this is a completely normal thing to do in linux, it's the most basic form of access control. There's like a dozen non-human accounts in a clean install before adding your own like this, and a lot of software adds their own. Edit: I have 54 entries on my personal laptop, just one of which is actually me.

  • He said it’s less than a software, so saying software does this too isn’t really a strong counter argument. In case, I don’t think you are really in disagreement. Restricted accounts are necessary is your point, but I think op is saying they aren’t sufficient.

  • Even though it’s completely normal to us and in widespread use, GP is a reminder that conceptually it’s a broken model. Security should be capability-based not user-based. And to anyone who didn’t grow up on a desktop this model makes complete sense since it’s what your phone uses.

  • This model is already not perfect, and not at all built for agents. The only way to secure an agent is an air-gap with the execution layer. Treat it like text, and the problem never arises until you “interpret” the agent output in a more limited environment than the OS

i give a lot of software dedicated user accounts, it's literally one of the core security models of the operating system

  • But none of these services have the kind of latent capabilities an agent has, you know a deterministic service’s constraint are its code+bugs. There are no such constraints in an agent…