Why LLM Authorization is Hard

https://www.osohq.com/post/why-llm-authorization-is-hard

15•mathewpregasen•7mo ago

Comments

pvg•7mo ago

Ongoing discussion https://news.ycombinator.com/item?id=44502318

forks•7mo ago

Just to make sure I'm following: that's ongoing discussion of the same issue, but not the same post, right?

meghan•7mo ago

Yes, similar discussion across two separate articles: (1) article from General Analysis on "Supabase MCP can leak your entire SQL database" (2) article from Oso talking about why authorization in AI is hard, what to do about it, which references the General Analysis article

pvg•7mo ago

Right, because otherwise you end up with a split discussion and people miss stuff, moderators end up having to merge them, etc. Immediate followups count as dupes (in HN's weird dupery algebra), they're better off linked in the active thread.

gneray•7mo ago

Curious to hear from the community about this, esp in light of article on supabase

gsarjeant•7mo ago

Hi, I'm the post writer. I have a habit of writing like a textbook author, but the things that jumped out at me while I was working on this with Oso were:

1. Least privilege can address a lot of these issues. We all know that, but in practice we don't really apply it because it can be a pain.

2. These applications are interesting because they can interpret meaning instead of rigidly following instructions, but that makes them prone to misunderstanding and manipulation. That breaks a lot of our assumptions about how software responds to input.

3. It's helpful to think of these applications in terms of impersonation. The user's rights should be the upper bound of the LLM's permissions when it acts on their behalf.

4. Ideally, we'd also constrain permissions according to the task being performed, but that's trickier.

The article goes into all that in exhaustive (some might say tedious) detail. It was a difficult write because this space moves so quickly and has so much hype, but it's been a good exercise to try to sift through that and think about it seriously.

(edited because I don't know how to make a legible list)

Trying to make an Automated Ecologist: A first pass through the Biotime dataset

Watch Ukraine's Minigun-Firing, Drone-Hunting Turboprop in Action

Free Trial: AI Interviewer

FDA Intends to Take Action Against Non-FDA-Approved GLP-1 Drugs

Supernote e-ink devices for writing like paper

We are QA Engineers now

Show HN: Measuring how AI agent teams improve issue resolution on SWE-Verified

Adversarial Reasoning: Multiagent World Models for Closing the Simulation Gap

Show HN: Poddley.com – Follow people, not podcasts

Layoffs Surge 118% in January – The Highest Since 2009

Papyrus 114: Homer's Iliad

DicePit – Real-time multiplayer Knucklebones in the browser

Turn-Based Structural Triggers: Prompt-Free Backdoors in Multi-Turn LLMs

Show HN: AI Agent Tool That Keeps You in the Loop

Why Every R Package Wrapping External Tools Needs a Sitrep() Function

Achieving Ultra-Fast AI Chat Widgets

Show HN: Runtime Fence – Kill switch for AI agents

Researchers surprised by the brain benefits of cannabis usage in adults over 40

Peter Thiel warns the Antichrist, apocalypse linked to the 'end of modernity'

USS Preble Used Helios Laser to Zap Four Drones in Expanding Testing

Show HN: Animated beach scene, made with CSS

An update on unredacting select Epstein files – DBC12.pdf liberated

Was going to share my work

Pitchfork: A devilishly good process manager for developers

You Are Here

Why social apps need to become proactive, not reactive

How patient are AI scrapers, anyway? – Random Thoughts

Vouch: A contributor trust management system

I built a terminal monitoring app and custom firmware for a clock with Claude

Tiny C Compiler