Hacker News

sandworm101 yesterday at 8:43 PM

I shudder to think about the security implications of everyone rolling their own software. I trust my OS/browser/file system is secure because thousands of people are involved in a complex network of interests in keeping it secure, from the kid contributing his first bit of code to the PhDs at NSA writing encryption standards. The idea that any one person can replace that network is laughable.


Replies

jpease yesterday at 9:43 PM

Just to be contrarian, perhaps some measure of risk is reduced by the scale of one.

Identifying a vulnerability that can be exploited against many thousands or millions of targets is perhaps more attractive than a single one of individually low value.

This of course would assume that vulnerabilities are in fact unique (which is admittedly questionable).

jzb today at 3:22 AM

If they’re hosting network services, sure. I wouldn’t put vibe-coded software outside a home network, ever. But it seems low risk if people are just creating their own desktop software: especially since it’s less likely to be vulnerable to widespread malware.

(Note: I’m not an LLM fan, don’t vibe code myself at all. But I would be unconcerned about security for the kind of things I would create if I did start doing so.)

graemep today at 9:32 AM

The article is about desktop software. If it does not accept network connections, what is the risk? If it needs to do so, you can restrict it to your LAN or a VPN, or access it over an ssh tunnel. If it replaces something you use over the public internet (e.g. SaaS) it might even be more secure.

Rolling your own might make you more vulnerable to targeted attacks, but less vulnerable to automated attacks looking for known weaknesses. Most people will not publish their code. The article says "It’s not an invitation to use my software. Honestly, please don’t. None of it is built for you."

You can roll your own software and still use libraries for security sensitive things like encryption.

Even the author of this article (who is taking it much further than most people will) still uses Firefox, Weechat, and X11.

theshrike79 today at 10:29 AM

Not everyone's "personal software" runs on a publicly accessible host on the internet.

I trust my Browser, OS and file system too.

But I'm also pretty sure none of the bespoke software I have will get any kind of security implications. The chance of my own file manager having a buffer overflow RCE triggered by a random file is practically zero.

9dev yesterday at 8:54 PM

That seems like a naive view to me. Most modern software development is gluing vendor code and libraries into a CRUD app, and I don't see why that would change with agents doing the majority of programming. If anything, there's an even bigger market for solid libraries and interoperability, plugging things together like LEGO - only for real this time.