> Didn’t delete production database?

I still say if this happens to you with AI tooling, that's both a failure on you and your org for giving a developer prod credentials that could nuke production resources. I don't think I've worked in a place that gave me this level of blind access.

reply
I have only worked in startups and I have been an early engineer in both of them. I would always get high privileges within a short time where I would have the access to create and delete resources. I don't think it's that uncommon.
reply
But the correct way to do it is to have a separate account with more privileges, and only give AI access to your standard developer account.
reply
That's one way to do it; how about backing up to a remote location every hour? There's more than one way to be careful.
reply
I have personally seen AI bypass this multiple times.
reply
Sounds like they're still giving the model the keys to the kingdom, which is my point: stop giving the model the avenue to make catastrophic mistakes. It makes no sense.
reply
If your message is in response to me, which I think it is, I deliberately don’t give access to credentials and env variables. I’ve worked to create restrictions and seen AI models use very interesting methods to bypass them.

Even now my prompt says the AI must verify the path of the files it intends to edit, and get permission before editing one file at a time and only after permission. I stop it from ignoring those rules once a day at least.

reply
This is not privilege separation/sandboxing. A separate virtual machine for an agent with limited credentials is a reasonably safe approach.
reply
We kinda need to architect things with the assumption that all token-output from an LLM can be unpredictably sneaky and malicious.

Alas, humans suck at constant vigilance, we're built to avoid it whenever possible, so a "reverse centaur" future of "do what the AI says but only if you see it's good" is going to suck.

reply
I built my own IDE to replace vscode / cursor so I could design the harness and ensure that the model tool access was secure and limited. But the rest of the industry is YOLO.
reply
I would never have these privileges granted directly to my account.

Indeed, it’s a good practice to use roles where supported (AWS has them) and explicitly switch when needed.

reply
The problem with agents is they regularly sidestep the guardrails and do what they want with a script anyway. The number of times I’ve seen Claude try to escape the folder it’s working in, and then write a python script that does exactly what I told it it’s not allowed to do, supports that.

If you use SSO and have an AWS config that Claude is allowed to see to get the correct role in the first place, it will just pick the role and plough on anyway.

reply
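One way to make the "explicit switch" from the role comment above hold up against the objection that follows it (an agent that can read the developer's AWS config simply picks the privileged profile) is to put the condition on the role itself rather than in the client config. The trust policy below is an added example, not taken from any commenter; the account ID `111122223333` and the user and role names are placeholders, and it assumes the developer's own identity is an IAM user with long-lived keys rather than an SSO session.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DeveloperMayAssumeProdRoleOnlyWithFreshMFA",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111122223333:user/dev-alice"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        },
        "NumericLessThan": {
          "aws:MultiFactorAuthAge": "3600"
        }
      }
    }
  ]
}
```

With this trust policy attached to the production role (and `role_arn` plus `mfa_serial` set on the prod profile in `~/.aws/config`), the CLI prompts for a one-time code on every switch, so an agent running non-interactively with the developer's keys can read the profile but cannot complete the assume-role call. It does not help with a cached SSO session on the same machine; for that case the separate VM with its own limited credentials, as suggested earlier in the thread, is the mitigation.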
And this is why it is the height of irresponsibility to run LLMs on your system. We know they are unreliable and just make things up; it's extremely foolish to go "yeah I'm going to let that run commands".
reply
It's not _really_ any different to running an undocumented third party binary. Is it the height of irresponsibility to run Windows, or VSCode, or Spotify?

I think the model we've got now is wrong, and the harnesses should be OS-level sandboxed, and the agents should be running in harness managed sandboxes.

reply
The first step I do when I do any meaningful side project is to set up RDS with snapshots. So any startup that doesn't do this one basic step already deserves to fail in my opinion.

Then next, I've used AI agents like crazy; we even have linked MCP servers that let it query the dev database. Haven't seen it try deleting everything a single time. I haven't seen any agent try to do anything destructive. Ever. Perhaps it's just reflecting an outrageously bad engineer and nothing else.

reply
Exactly. So is that level of obvious hygiene where the bar is, or is it somewhere else? What ticks me off is the audacity of blanket claims without an attempt to even remotely state why it’s said this is a list of successful patterns and what success means. We’re just supposed to eat it up, because, you know, Claude.
reply
Dude, AI has been shown to execute queries on coworkers' env files, extract master keys, decrypt variables and push to production.
reply
Why are important push secrets in a dev env config? Btw, human devs make this same mistake all the time.
reply