miniblog.

I find it odd that people recommend Docker for sandboxing agentic coding tools. Isn't it easier to just create a separate user account on the machine? It's an established security boundary, and viewing output is easy (just make the user's home directory world readable).

I'm intrigued to see that Google has quantified that new code is generally buggier and less secure than code that has existed in your codebase for longer:

I'm a fan of the Software Unscripted podcast, and I particularly enjoyed this recent episode about CrowdStrike and security culture: https://www.youtube.com/watch?v=rzjaZssBEiI The guest (Kelly Shortridge) compares attackers to lawyers trying to find loopholes. This is such a great analogy.