Hacker News | woodrowbarlow's comments

uhhh... you're running generated code on your customers' PCs? what kind of sandboxing do you have?

Fair reaction tbh. Right now there's a time watchdog + I'm entirely disabling all I/O and imports, but going forward I want to replace it with a proper sandboxing tech... things I looked into are V8 isolates, compilation to WASM, implementing our own gutted python interpreter, spinning up a locked down process, and others. I'm definitely aware of the risk here. The good news is that unless we get pwned, LLMs are very unlikely to write malicious code for the user.

>...LLMs are very unlikely to write malicious code for the user.

Do you have any idea what the actual probability is? Because if millions of people start using the system, 'very unlikely' can turn into 'virtual certainty' pretty quickly.


yikes

> what security researchers call a "Pickle Bomb."

is anyone calling it that? to me, "pickle bomb" would imply abusing compression or serialization for a resource-exhaustion attack, à la zip bombs.

"pickle bomb", the way you're using it, doesn't seem like useful terminology -- pickles are just (potentially malicious) executables.


Fair point on the terminology overlap with "Zip Bombs" (resource exhaustion). I used "Pickle Bomb" colloquially to describe a serialized payload waiting to detonate upon load, similar to how "Logic Bomb" is used in malware. "Malicious Pickle Stream" is definitely the more precise technical term, but it doesn't quite capture the visceral risk of "I loaded this file and my AWS keys are gone" as well as Bomb does!
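An added Python example of the point both commenters are making (this is illustration code written for this page, not code from the thread or from any project mentioned in it): a pickle stream is a small program, so loading one with plain pickle.loads executes whatever callable it names. The stream below is hand-assembled for the example and calls os.getenv on a hypothetical variable name, AWS_SECRET_ACCESS_KEY, whose value the demo sets to a fake string; the allow-listing unpickler that refuses it is the find_class override pattern from the Python pickle docs.

```python
import io
import os
import pickle
import pickletools

# Hand-assembled protocol-0 pickle stream (constructed for this example).
# Read as opcodes it is a tiny program, not data:
#   c os\ngetenv\n        GLOBAL: push os.getenv
#   ( S'...'\n t          MARK, STRING, TUPLE: build the argument tuple
#   R                     REDUCE: call os.getenv(*args) -- at load time
#   .                     STOP
MALICIOUS_STREAM = b"cos\ngetenv\n(S'AWS_SECRET_ACCESS_KEY'\ntR."


class Payload:
    """The same stream built with the public API: any object may hijack its
    own unpickling by returning (callable, args) from __reduce__."""

    def __reduce__(self):
        return (os.getenv, ("AWS_SECRET_ACCESS_KEY",))


def build_payload():
    """Serialize Payload; the bytes reference os.getenv, not this class."""
    return pickle.dumps(Payload())


def benign_stream():
    """A plain-data pickle for comparison: no GLOBAL/REDUCE opcodes at all."""
    return pickle.dumps({"ok": [1, 2]})


def opcodes(stream):
    """Opcode names in a stream, obtained WITHOUT executing it."""
    return [op.name for op, _arg, _pos in pickletools.genops(stream)]


def unsafe_load_demo(stream=MALICIOUS_STREAM):
    """What naive pickle.loads does with the stream: it calls os.getenv and
    hands the secret back to whoever crafted the file. The value set here is
    a fake placeholder (constructed for the demo), not a real credential."""
    os.environ["AWS_SECRET_ACCESS_KEY"] = "AKIAEXAMPLE-NOT-A-REAL-KEY"
    return pickle.loads(stream)


class SafeUnpickler(pickle.Unpickler):
    """Unpickler that resolves only an explicit allow-list of globals.
    Plain data (dict, list, str, int, ...) never needs a global, so the list
    can stay tiny; os.getenv is not on it, so load() is refused before the
    REDUCE opcode can run anything."""

    ALLOWED = {("builtins", "set"), ("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) not in self.ALLOWED:
            raise pickle.UnpicklingError(f"refused global {module}.{name}")
        return super().find_class(module, name)


def safe_loads(stream):
    return SafeUnpickler(io.BytesIO(stream)).load()


def is_rejected(stream):
    """True if the allow-listing unpickler refuses the stream."""
    try:
        safe_loads(stream)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print("opcodes:", opcodes(MALICIOUS_STREAM))
    print("naive load returned:", unsafe_load_demo())
    print("allow-list unpickler rejects it:", is_rejected(MALICIOUS_STREAM))
    print("benign data still loads:", safe_loads(benign_stream()))
```

Listing the opcodes with pickletools before loading is a cheap triage step: a data-only pickle never contains GLOBAL, STACK_GLOBAL or REDUCE, so their presence in a file you expected to hold plain data is the tell. The allow-list unpickler is the durable fix, since it refuses unknown callables regardless of how the stream was assembled.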


this prevents claude from directly reading certain files, but doesn't prevent claude from running a command that dumps the file on stdout and then reading stdout... claude will just try to "cat" the file if it decides it wants to see it.


Yeah - that’s kinda what I was thinking. Unless you’re doing quite granular approvals it gets tricky.


by putting secrets in your environment instead of in your files, and running AI tools in a dedicated environment that has its own set of limited and revocable secrets.


Yes - separate secrets always - but you've still got local or dev secrets. Seems like the above permissions are the right way to go in the end. Thanks.


the minisforum ms-r1 has the same SoC and supports UEFI


my impression was the "pro" is the same board but comes with a framework 13 chassis, but yeah the lack of explicit details does not inspire confidence.


here's the actual listing: https://metacomputing.io/products/metacomputing-arm-aipc

i posted the article instead because it has some details that aren't on the listing.


It also has basically no details. What even is the difference between the Standard and Pro offering at twice the price?


It looks like the pro is the version with the full framework laptop chassis, battery, etc, and the standard is the version in the coolermaster case. (The black one with antennas on top)


the "ownership" framing is because bootloader locks allow vendors to unilaterally make decisions about how your device operates after you purchase the device.


but would you even be considering re-entry if it hadn't improved dramatically?


and if you're hosting on your home network, a DDoS means connectivity problems for your home.


Not just your home, it means connectivity problems for your neighbors. In turn your ISP will shut you down if they figure out what is happening.

