Security

2039 readers

4 users here now

A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.

Rules :

All instance-wide rules apply.
Keep it totally legal.
Remember the human, be civil.
Be helpful, don't be rude.

Icon base by Delapouite under CC BY 3.0 with modifications to add a gradient

founded 2 years ago

MODERATORS

Vacant@programming.dev

Don’t let A.I. read your .env files (filiphric.com)

submitted 1 week ago by codeinabox@programming.dev to c/security@programming.dev

4 comments fedilink hide all child comments

AI coding assistants like Claude Code, Cursor, and GitHub Copilot are becoming part of our daily workflow. They read our files, understand our codebase, and help us write code faster. But there's a problem - they can also read your .env files.

all 5 comments

sorted by: hot top controversial new old

[–] PokerChips@programming.dev 6 points 6 days ago

How about don't let ai read your anything.

[–] Paragone@lemmy.world 3 points 6 days ago

I'd go further: have a separate user-account, on your own machine, whose entire filesystem is separate from the rest of your machine, for using LLMs in.

NO access to your normal accounts, your email, your browser-history or bookmarks, NOTHING except that-account's stuff.

Machiavellianism is intrinsic to the companies which produce them, we need to be presuming it to be intrinsic to the LLM's, too, as for some of them it is intrinsic, & we don't know which ones, yet.

Zero-Trust.

_ /\ _

[–] infiniteface@programming.dev 3 points 6 days ago

Just sandbox it instead.

[–] AntiBullyRanger@ani.social 2 points 6 days ago

Instead, upload .env poisons.