HackerTrans
TopNewTrendsCommentsPastAskShowJobs

manchicken

no profile record

Submissions

1Password CLI Vulnerability

codeberg.org
119 points·by manchicken·9 maanden geleden·60 comments

comments

manchicken
·6 maanden geleden·discuss
You mention tokens, what else is in your threat model? Is your AI functionality a custom model?

I am concerned that you haven’t adequately explored and mitigated security and reliability risks involved here before asking folks to YOLO your app into their critical infrastructure.
manchicken
·6 maanden geleden·discuss
Who said anything about privacy? Sure, privacy is a concern, but I’m more worried about a vibe-coded app produced by an inexperienced team without the assistance of a security team causing a breach, or an agent-caused outage.

It seems more likely that such a team would have poor security controls, insufficient staff training, and may themselves be threat actors.

For an enterprise tool like this, one which integrates with two or more other sensitive systems, I would expect a vendor to have some manner of independently audited security certification such as ISO-27001.
manchicken
·6 maanden geleden·discuss
You may be mistaken. There is a good (and growing) number of folks who have noticed that vibe-coding isn’t always the right fit. There have also been a number of instances where AI agents have destroyed production environments.

In your 4+ years of “experience,” have you acquired the experience necessary to protect anybody’s GitHub, slack, or any other enterprise systems from the numerous security concerns that you’re just hand-waiving away?

Not all “devs” use AI, and very few companies would trust a fully vibe-coded enterprise system plugin with no security team, no enterprise support, no GDPR documentation, and all fielded by a team with fewer than five years of experience.

That seems like the path to breaches, or to having an agent take destroy sensitive systems, or both.
manchicken
·6 maanden geleden·discuss
Wild how many folks vibe code a thing and then claim to have created something that they ask us to plug into critical infrastructure with the ability to read, write, and execute.

No thanks.
manchicken
·8 maanden geleden·discuss
Privacy for me but not for thee
manchicken
·9 maanden geleden·discuss
I don’t think there’s anything intrinsically awful about sports betting. I do think that the way American corporations have set it up, though, has made it a lot more predatory than many fans want to admit.
manchicken
·9 maanden geleden·discuss
Yes. At least on macOS.