The viral X post from an AI security researcher reads like satire. But it's really a word of warning about what can go wrong when handing tasks to an AI agent.
This lady should feel lucky that it only ran amok in her inbox.
I have done that with less than an LLM. Just a typo in my Mutt configuration, and a few hundred e-mails were deleted which shouldn’t have been. After that I decided that removing spam is best done by first sorting into a separate mailbox and then manual revision. Which is an experience of plenty of people.
Which just means that if you use an AI agent (and why not, it appears people do want them), then you should perhaps use many dedicated agents only having access each to its own narrow set of available actions.
It’s more important with things based on fuzzy logic than it is with scripts. But people use Flatpaks and Snaps and AppImages, for isolation among other things, and I have run Skype from separate user under Linux in the olden days (it was such a stupid fashion, everyone wanted Skype, but everyone also considered it proprietary spyware, and nobody thought that an X11 client can spy after the whole display and all keyboard and mouse events anyway ; and that fashion didn’t involve running Skype in Xephyr or Xnest, just from a separate user).
So the thought is not new. These agents should just be used with clear privilege separation, and some uniform way to declare privileges and interfaces for AI agents, and those interfaces simple enough. One can hope.
Almost started to type an angry response to that.
I have done that with less than an LLM. Just a typo in my Mutt configuration, and a few hundred e-mails were deleted which shouldn’t have been. After that I decided that removing spam is best done by first sorting into a separate mailbox and then manual revision. Which is an experience of plenty of people.
Which just means that if you use an AI agent (and why not, it appears people do want them), then you should perhaps use many dedicated agents only having access each to its own narrow set of available actions.
It’s more important with things based on fuzzy logic than it is with scripts. But people use Flatpaks and Snaps and AppImages, for isolation among other things, and I have run Skype from separate user under Linux in the olden days (it was such a stupid fashion, everyone wanted Skype, but everyone also considered it proprietary spyware, and nobody thought that an X11 client can spy after the whole display and all keyboard and mouse events anyway ; and that fashion didn’t involve running Skype in Xephyr or Xnest, just from a separate user).
So the thought is not new. These agents should just be used with clear privilege separation, and some uniform way to declare privileges and interfaces for AI agents, and those interfaces simple enough. One can hope.