undefined | Better HN

0 points__MatrixMan__11mo ago0 comments

I think that's stating it a big too strongly. You can just run the LLM as an unprivileged user and restrict their behavior like you would any other user.

There are still bad things that can happen, but I wouldn't characterize them as "this security is full of holes". Unless you're trusting the output of the explicitly untrusted process in which case you're the hole.

0 comments

wat1000011mo ago

It doesn’t take much. Let’s say you want an assistant that can tell you about important emails and also take queries to search the web and tell you what it finds. Now you have a system where someone can send you an email and trick your assistant into sending them the contents of other emails.

Basically, an LLM can have the ability to access the web or it can have access to private information but it can’t have both and still be secure.

__MatrixMan__OP11mo ago

I'm not sure I'd characterize those two things as "it doesn't take much," that's quite a lot to give to an untrusted entity.

wat1000011mo ago

My whole point is that you must consider this entity to be untrusted, which is pretty strongly at odds with having it act as an agent. It can’t both have access to private data and the outside world.

1 more reply

j / k navigate · click thread line to collapse

0 points__MatrixMan__11mo ago0 comments

I think that's stating it a big too strongly. You can just run the LLM as an unprivileged user and restrict their behavior like you would any other user.

0 comments

wat1000011mo ago

Basically, an LLM can have the ability to access the web or it can have access to private information but it can’t have both and still be secure.

__MatrixMan__OP11mo ago

I'm not sure I'd characterize those two things as "it doesn't take much," that's quite a lot to give to an untrusted entity.

wat1000011mo ago

1 more reply

j / k navigate · click thread line to collapse