惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

N
News and Events Feed by Topic
GbyAI
GbyAI
博客园 - Franky
宝玉的分享
宝玉的分享
Blog — PlanetScale
Blog — PlanetScale
Google DeepMind News
Google DeepMind News
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
人人都是产品经理
人人都是产品经理
Microsoft Azure Blog
Microsoft Azure Blog
The Register - Security
The Register - Security
腾讯CDC
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
I
InfoQ
The Cloudflare Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Engineering at Meta
Engineering at Meta
MongoDB | Blog
MongoDB | Blog
有赞技术团队
有赞技术团队
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
F
Full Disclosure
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Vercel News
Vercel News
博客园 - 【当耐特】
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
S
Schneier on Security
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Project Zero
Project Zero
量子位
M
MIT News - Artificial intelligence
Stack Overflow Blog
Stack Overflow Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
美团技术团队
Attack and Defense Labs
Attack and Defense Labs
C
Cybersecurity and Infrastructure Security Agency CISA
T
The Blog of Author Tim Ferriss
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
T
Troy Hunt's Blog
Google Online Security Blog
Google Online Security Blog
罗磊的独立博客
P
Proofpoint News Feed
Schneier on Security
Schneier on Security
Spread Privacy
Spread Privacy
S
SegmentFault 最新的问题
L
LINUX DO - 最新话题
Simon Willison's Weblog
Simon Willison's Weblog
爱范儿
爱范儿
博客园 - 聂微东
A
About on SuperTechFans
PCI Perspectives
PCI Perspectives
D
Docker

Sophie Alpert

There are no lossless transformations of natural-language text Deconstructing “services” Materialized views are obviously useful TODOs aren’t for doing Everyone is wrong about that Slack flowchart Hire me to empower and upskill your eng team How React Changed the Web Forever: A Documentary Fast and maintainable patterns for fetching from a database React Conf: “Building a Custom React Renderer” Why review code? Metrics by proxy Yak shaving and fixing Voice React Conf: “React Today and Tomorrow” Why we host conference talk dry runs React Podcast: Inside React Type errors with inference need stacks Observable programming React 16: an API-compatible rewrite Hi, I’m trans. Initializing on the main thread using dispatch_once A near-perfect oninput shim for IE 8 and 9 Using React to speed up the Khan Academy question editor What I did at Khan Academy, 2012 edition Preventing XSS attacks when embedding JSON in HTML Rolling back to an old revision in Mercurial (like git reset)
I don’t want AI agents controlling my laptop
Sophie Alpert · 2025-09-09 · via Sophie Alpert

Part of me is always unnerved when I see people running claude --dangerously-skip-permissions or codex --yolo to give them unfettered ability to run commands on their machine. Admittedly, I do usually hit approve when I’m asked about a specific command, so I certainly understand the temptation to just avoid all that fuss and do a blanket approval. With the next generation of apps that people are building to control everything on your computer via some AI chat interface, it feels perhaps even scarier.

The problem is, modern desktop operating systems are not really designed for strong security boundaries between different things running on your machine. Sure, there are some protections like “you can’t record the screen without the user granting explicit permission”, but if you want AI to be able to take actions on your computer then you need to turn most of this stuff on. Different user accounts act as a security boundary but in practice everyone does all their work under a single user account.

There’s no good way to say “allow access to everything on my computer, except for my password manager, my bank, my ~/.aws/credentials file, and the API keys I left in my environment variables”. Especially with Simon Willison’s lethal trifecta, you don’t really want to be giving access to these things, even if most of the time, nothing bad happens.

Barring a major rearchitecture (which maybe Apple and Microsoft are working on), it’s too hard in practice to grant access to your whole laptop and know exactly what things the AI has access to and feel confident that there’s nothing too sensitive. (I do appreciate Codex’s clever default of running commands in sandboxes that can’t communicate over the network or write files outside the repo directory.)

There are two promising solutions here.

Cloud environments (and VMs in general) are one. A bit more annoying to set up but you also get the bonus of reproducibility across a team, being able to run multiple sessions in parallel, and easier collaboration. I expect most coding agents to move in this direction (Codex already offers this; Claude Code is working on it). In corporate environments, it will make more sense to give AI agents their own credentials that don’t necessarily have all the permissions that are available to the user who spawned them.

The other piece of software on my machine designed to handle isolated environments that don’t leak between each other is the browser. Each site has its own cookies that are protected from other sites, and entire applications are designed to run successfully within this framework. Giving full access is scary — Perplexity has screwed it up, Anthropic knows it doesn’t have a workable solution yet. But if integrated properly into the browser, you actually could plausibly pick and choose which sites to give access to (or not give access to) and have the browser enforce those boundaries. Looking forward to this existing. It’s not really possible to build this properly unless you have control over the browser itself. Atlassian’s bet on using The Browser Company to build (presumably) the new “home” for all business SaaS interaction is persuasive to me in this light. This approach seems more likely to succeed than building a browser that didn’t have a clear value proposition for the consumer space where distribution is king.