People were also dismissing concerns about build tooling automatically pulling in an entire swarm of dependencies and now here we are in the middle of a repetitive string of high profile developer supply chain compromises. Short term thinking seems to dominate even groups of people that are objectively smarter and better educated than average.

> “high profile developer supply chain compromises”

And nothing big has happened despite all the risks and problems that came up with it. People keep chasing speed and convenience, because most things don’t even last long enough to ever see a problem.

I've yet to be saved by an airbag or seatbelt. Is that justification to stop using them? How near a miss must we have (and how many) before you would feel that certain practices surrounding dependencies are inadvisable?

A number of these supply chain compromises had incredibly high stakes and were seemingly only noticed before paying off by lucky coincidence.

> How near a miss must we have (and how many)

The fun part is, there have been a lot of non-misses! Like a lot! A ton of data have been exfiltrated, a lot of attacks, and etc. In the end... it just didn't matter.

Your analogy isn't really apt either. My argument is closer to "given in the past decade+, nothing of worth has been harmed, should we require airbags and seatbelts for everything?". Obviously in some extreme mission critical systems you should be much smarter. But in 99% cases it doesn't matter.

> I've yet to be saved by an airbag or seatbelt. Is that justification to stop using them?

By now, getting a car without airbags would probably be more costly if possible, and the seatbelt takes 2s every time you're in a car, which is not nothing but is still very little. In comparison, analyzing all the dependencies of a software project, vetting them individually or having less of them can require days of efforts with a huge cost.

We all want as much security as possible until there's an actual cost to be paid, it's a tradeoff like everything else.

It's true that it takes 2 seconds to fasten a seatbelt but it still had to be mandated by law before most people started actually doing it

The funniest part is that it always gets traded off, everytime. Talking about tradeoffs you'd think sometimes you'd keep it sometimes you'd let it go, but no, its every goddamn time cut it.

“Objectively smarter” is the last descriptor I’d apply to software developers

My intent was to cast a very wide net there that covers more or less all expert knowledge workers. Zingers aside software developers as a group are well above the societal mean in many respects.

If anything I feel more in control of these agents than the millions of LOC npm or pip pull in to just show me a hello world

The load bearing word being "feel".

It's hard to think long term when your salary depends on short term thinking. I keep seeing horrifying comments from all sorts of people saying they'd be fired if they stopped using AI to bang out ridiculous amounts of code at lightning speed.

Objectively smart people wouldn't be working so hard at making themselves obsolete.

> We've been securing our systems in all ways possible for decades and then one day just said: oh hello unpredictable, unreliable, Turing-complete software that can exfiltrate and corrupt data in infinite unknown ways -- here's the keys, go wild.

These are generally (but not always) 2 different sets of people.

I am too. It is genuinely really stupid to run these things with access to your system, sandbox or no sandbox. But the glaring security and reliability issues get ignored because people can't help but chase the short term gains.

FOMO is a hell of a thing. Sad though given it would have taken maybe a couple of hours to figure out how to use a sandbox. People can't even wait that long.

Coding agents work just fine without a sandbox.

If you do use a sandbox, be prepared to endlessly click "Approve" as the tool struggles to install python packages to the right location.

Erm, no, that's not a sandbox, it's an annoyance that just makes you click "yes" before you thoughtlessly extend the boundaries.

A real sandbox doesn't even give the software inside an option to extend it. You build the sandbox knowing exactly what you need because you understand what you're doing, being a software developer and all.

I know 'exactly' that I will need internet for research as well as installing dependencies.

And I imagine it's going to be the same for most developers out there, thus the "ask for permission" model.

That model seems to work quite well for millions of developers.

If you know then why do you need to be asked? A sandbox includes what you know you need in it, no more, no less.

With Codex it runs in a sandbox by default.

As we just discussed, obviously you are likely to need internet access at some point.

The agent can decide whether it believes it needs to go outside of the sandbox and trigger a prompt.

This way you could have it sandboxed most of the time, but still allow access outside of the sandbox when you know the operation requires it.

I've never been annoyed by the tool asking for approval. I'm more annoyed by the fact that there is an option that gives permanent approval right next to the button I need to click over and over again. This landmine means I constantly have to be vigilant to not press the wrong button.

When I was using Codex with the PDF skill it prompted to install python PDF tools like 3-5 times.

It was installing packages somewhere and then complaining that it could not access them in the sandbox.

I did not look into what exactly was the issue, but clearly the process wasn't working as smoothly as it should. My "project" contained only PDF files and no customizations to Codex, on Windows.

maybe this could be a config setting.

This also works fine without a sandbox:

  echo -e '#!/bin/sh\nsudo rm -rf/\nexec sudo "$@"' >~/.local/bin/sudo
  chmod +x ~/.local/bin/sudo

Especially since $PATH often includes user-writeable directories.

Tbf, Docker had a similar start. “Just download this image from Docker Hub! What can go wrong?!”

Industry caught on quick though.

True, but the Docker attack surface is limited to a malicious actor distributing malicious images. (Bad enough in itself, I agree.)

Unreliable, unpredictable AI agents (and their parent companies) with system-wide permissions are a new kind of threat IMO.

And still a lot of people will give broad permissions to docker container, use network host, not use rootless containers etc... The principle of least privilege is very very rarely applied in my experience.

Not all of us. Figuring out bwrap was the first thing I did before running an agent. I posted on HN but not a single taker https://news.ycombinator.com/item?id=45087165

I have noticed it's become one of my most searched posts on Google though. Something like ten clicks a month! So at least some people aren't stupid.

I installed codex yesterday and the first thing I'm doing today is figuring out how bubblewrap works and maybe evaluating jai as an alternative.

Nice article.

Nice, sad how such stuff goes under in the sea of contentslop, thanks for posting!

It's never about security. It's security vs convenience. Security features often ended up reduce security if they're inconvenience. If you ask users to have obscure passwords, they'll reuse the same one everywhere. If your agent prompts users every time it's changing files, they'll find a way to disable the guardrail all together.

Not in unknown ways, but as part of its regular operation (with cloud inference)!

I think the actual data flow here is really hard to grasp for many users: Sandboxing helps with limiting the blast radius of the agent itself, but the agent itself is, from a data privacy perspective, best visualized as living inside the cloud and remote-operating your computer/sandbox, not as an entity that can be "jailed" and as such "prevented from running off with your data".

The inference provider gets the data the instant the agent looks at it to consider its next steps, even if the next step is to do nothing with it because it contains highly sensitive information.

Agree with the sentiment! But "securing ... in all ways possible"? I know many people who would choose "password" as their password in 2026. The better of the bunch will use their date of birth, and maybe add their name for a flourish.

/rant

Seems most relevant in a hobbyist context where you have personal stuff on your machine unrelated to your projects. Employee endpoints in a corporate environment should already be limited to what’s necessary for job duties. There’s nothing on my remote development VMs that I wouldn’t want to share with Claude.

My testing/working with agents has been limited to a semi-isolated VM with no permissions apart from internet access. I have a git remote with it as the remote (ssh://machine/home/me/repo) so that I don't have to allow it to have any keys either.

Trusting AI agents with your whole private machine is the 2020s equivalent of people pouring all their information about themselves into social networks in 2010s.

Only a matter of time before this type of access becomes productized.

I got bad news about all of the other software you're running

I don't understand why file and folder permissions are such a mystery. Just... don't let it clobber things it shouldn't.

Eh, depending on how you're running agents, I'd be more worried about installing packages from AUR or other package ecosystems.

We've seen an increase in hijacked packages installing malware. Folks generally expect well known software to be safe to install. I trust that the claude code harness is safe and I'm reviewing all of the non-trivial commands it's running. So I think my claude usage is actually safer than my AUR installs.

Granted, if you're bypassing permissions and running dangerously, then... yea, you are basically just giving a keyboard to an idiot savant with the tendency to hallucinate.