Thanks! This can't be explained enough, and you explained it very clearly too!
Thank you for reading Biense! 🤗
This is very well explained! Even so, I still find myself having to wrap my head around the permission requests when my agents (like Hermes and Codex) inevitably try to run sudo commands.
Thanks, Dan, that’s actually a good point. I’ve also been seeing Hermes mentioned on Substack more and more. Would you recommend it?
Definitely recommend Hermes, I've been using it for about a month and it's great! Check out some of my latest articles about it if you want to learn more, I shared my experience migrating from OpenClaw and my exact stack.
“Sandboxing reduces risk. It doesn’t remove it. A poorly configured sandbox can still expose passwords, leak data, reach internal networks, or read files it shouldn’t.”
very well put. i’m really glad you mention this because i see sandboxing often framed as a silver bullet for security.
this whole article is a great and approachable explanation on the tech.
thanks Karo :)
Thank you, Chris, that means a lot! 🤗 And I hope people reach out to you if they have more questions.
absolutely. i'll be here for them 😁🔥
You’re really good at making things simple!
Thank you so much Bhargav! That means a lot!
So helpful Karo!! And love the explanation and visual. VMs used to be one of those “that sounds too technical for me” categories. I ended up having to use it at one point because the infra I was building needed specific package versions.
I hadn’t thought before about using sandboxes and VMs when working with AI, that’s smart!
I love the idea that through your work and this article, now concepts like VMs will go from being “technobabble what?” to “oh yeah, I always set that up, it’s easy.”
And thank you to @ToxSec for promo-ing your article!
Karo, thank you for this! I literally have a note saved on my digital notepad that says "learn about sandboxing" and it's been there for weeks. Saving this one to go through a few times so I can get it locked in my mind.
I'd love to see more like this for those of us who are jumping into vibe coding without the technical background - I am super aware that I have no idea what security issues I might be creating just from pure ignorance!
You're baaaaaaaaack Dallas!!! 🤗🤗🤗 So good to see you again!
Thanks Karo! So nice to take a break for a little while and also SO nice to be back 🩷
Great explanation! Hard concept to grasp initially, this made it easier
That's wonderful to hear, thank you so much Richard! 🤗
I've always struggled with technical jargon. It's like talking to someone from another world in another language. Thanks to this article, one thing checked off my list.
This makes me very happy CP! Thank you very much for reading and taking the time to comment 🤗
will keep this one bookmarked! thanks
My pleasure! Thank you for reading Emilie 🤗
Remarkably useful, indeed.
That's wonderful to hear Zenek, thank you for reading!
Nice! Thanks for sharing 💫
My pleasure Ileana 🤗 Thank you for reading!
Thanks! The sandbox is just doing its job, and I thought it was me.
Heheh, thank you for reading Mark! 🤗
The connection to vibe coding is the real point.
Shipping AI-generated code straight to prod without sandboxing is how you learn what a sandbox is the hard way.
"> Virtualization seems to have a lot of security benefits.
You've been smoking something really mind altering, and I think you should share it.
x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit.
You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes.
You've seen something on the shelf, and it has all sorts of pretty colours, and you've bought it.
That's all x86 virtualization is."
— Theo de Raadt, lead developer at OpenBSD
https://marc.info/?l=openbsd-misc&m=119318909016582