Josh talks to Luke Hinds, CEO of Always Further, about MCP and agent security. We start out talking about Luke’s new tool, nono, which is a sandboxing tool that has AI agents in mind as a use case. We explain what MCP and agents are doing, as well as why it’s so hard to secure them. It’s not impossible, but it’s not simple either. We end the show by discussing some of the more human aspects of security and how history may be repeating itself, with security folks laughing at new users who don’t know any better.
Episode Links
This episode is also available as a podcast, search for “Open Source Security” on your favorite podcast player.
Episode Transcript
Josh Bressers (00:01) Today, Open Source Security is talking to Luke Hinds. He’s a long-term open source wonk and the CEO of the startup Always Further. I’ve known Luke for a super long time. We were at Red Hat together. He’s a marvelous person. And I actually had a listener, thank you, Bradbury, who sent me an email and said, hey, it’d be great if you could talk about MCP security. And I was like, I need to find someone who knows about, like, AI stuff and isn’t a crazy person. And Luke…
You’re the top of my list, man. So welcome to the show.
Luke Hinds (00:28) Thank you for having me. It’s great to be here, Josh. I’ve been a long-term fan of the show, absolutely. And thank you for the nice intro.
Josh Bressers (00:34) Awesome.
Yeah, no, this is going to be awesome. So let’s start out. Not so much on MCP security, but you have a brand new project that’s kind of lit the world on fire. Tell us about, well, I guess tell us about your project and tell us about your company, because I think they’re both doing interesting things in the world of open source.
Luke Hinds (00:56) Absolutely. Yeah. So we put out a project called nono. And when I say put out, we put it out by the seat of our pants and it was not exactly polished, but you know, we did it for a good reason. The weekend saw a whole load of carnage around OpenClaw, which I’m sure everybody’s heard of. If you haven’t, it’s effectively an AI project. It has a sort of a services component and some agents.
And it can integrate with different services, WhatsApp, Telegram, Gmail. So you can connect to all of these agents and it’s kind of like a personal organizer. And it had a lot of security teething problems. And so, okay, I’ve got something that’s useful. Let’s give it a polish and put it out there. And I needed to come up with a name. I’m just awful at names. I hate naming projects. Whenever I get a good name, somebody’s effectively squatting it somewhere.
You know, and then you’ve got to kind of go and beg to the package managers, please release it so I can have that name. But I came up with the name nono because it’s essentially the opposite of YOLO, you only live once. And, you know, which seems to be the kind of the rallying call of the vibe coders. And so, yeah, so we came up with nono and nono was available on Rust Crates, which was actually, no, it wasn’t, but somebody kindly handed it over to me. So it all just kind of slipped into place, really.
And yeah, and so nono is some code that uses kernel-based isolation, sandboxing of a process. So everybody knows you execute a piece of software. It’s spawned as a process on an operating system. And so we have a kind of a layer of control around what it can access file-wise. Because with agents, we’ve seen all sorts of…
very familiar things happening to us security folks. Data exfiltration, access of files, secrets, destructive actions, deleting somebody’s home directory. And I thought this is classic process isolation, you know, and deny by default. And so yeah, so that’s essentially what nono does. We do a little bit more. Keys are protected. So if you’ve got like a Silicon Mac,
you get the security enclave chip thrown in with key chains. So we kind of keep your API secrets in there. They’re loaded safely and then scrambled at the end when the process exits, and just some protections around the old rm -rf tilde slash home carnage. And yeah, and you know, the project’s come out of a startup that I’m a co-founder of, Always Further. We’re quite young. We’ve only been going for a couple of months. Myself and my co-founder.
And yeah, we’re looking at lots of things around model security, agent security, and a lot of experimentation and a lot of fun. And we feel like we’re starting to find some areas where we can alleviate some pains. You know, it’s always good to have a solution to a real problem. And there’s clearly a problem out there. But it’s going to take a, it’s going to take more than just one startup to fix this. Do you see what I mean? So, you know, it’s,
as always, it’s going to be, you know, it’s going to be a concerted wide effort, you know, to patch up this one.
Josh Bressers (04:21) Yeah, yeah, for sure. I mean, so my favorite example right now I use is like, Claude Code has a sandbox built into it. And I have a friend who was testing out how to, you know, sandbox these processes because they didn’t want, you know, Claude Code running rm -rf on their home directory. And they turned on the Claude Code sandbox. And at one point it was working through what it’s trying to do. And it says, I see the sandbox is enabled. Let me turn that off and try again. No.
Luke Hinds (04:47) Yes. Yeah.
I know. I saw the same thing. I saw the same thing. Yeah. Yeah. Very much. You know, and it kind of makes sense because these models are heavily trained to reason around any sort of thing that gets in their path that stops them achieving their goal. They’re just repeatedly trained over and over and over to have that propensity to sidestep, to do anything to get to that goal.
And that’s where it makes it a really interesting bedfellow to security.
Josh Bressers (05:18) Yeah, yeah, okay. So I’m gonna ask what I think is the obvious question for a lot of people is why should we use nono instead of just like running in a Docker container or something like that?
Luke Hinds (05:30) Right. Yes. So I would start off with, a Docker container provides really good levels of isolation. You know, there’s a little bit of fringe pros and cons to both technologies. With a container you have, obviously you’re getting multiple processes that are namespaced. Okay. So you can get good protections around resource utilization. Okay. And, of course, the user namespace, the network namespace. So container security is, you know, very
robust and perhaps if you’re doing something at scale, you know, something like Kubernetes, it’s a logical choice to make. I mean, you know, with what we’re doing, it is a very, very fast startup time. That’s important, I think, for some people. So, you know, we developed the thing in Rust, so it’s very fast. So there’s no lag within the UX or the start time. It is very quick and easy for people to get going with.
Okay. So it’s simply just one command and you literally drop the name of the agent onto the end of it. And, yeah, I mean, but you know, both have got really good attributes. So, you know, this wasn’t in any way a way of sort of trying to address a gap that containers had left, you know, this, you know, and I think you can go belt and braces effectively. You could use nono within a container, you know, very much. Yeah. And the other thing with nono, of course, is you get batched in
Josh Bressers (06:53) Peace.
Luke Hinds (06:57) extra things such as, you know, there’s some features outside of the isolation as well. You know, we’re able to sort of, we have certain commands which are no-no, dd, rm, et cetera, you know, sort of things you really don’t want an agent to run. And there’s the kind of the key protection. And we’re also looking at things such as sort of time-based allocation of commands and undo, because you know, the old thing of the kind of the…
the agent decides it’s good. I’m just going to delete the database and start again, this sort of stuff. So yeah, we’re able to introduce just a bit more, but this wasn’t really a way of trying to balance up any gaps that containers have. You know, container security’s come a really long way and it’s very well battle tested.
Josh Bressers (07:45) Yeah, yeah. Well, and I mean, I’ll tell you what my first impression was here, Luke, is just I know a lot of people toying with a lot of this technology that they don’t understand necessarily how containers work. And what happens is they try to do something in a container and they might not be able to figure it out. Because let’s face it, like making containers work correctly is a weird skill. Like it’s a pretty high cliff you have to climb to get that initial skill set. And what happens is they want to do something right now.
And they’re like, screw it, I’ll just do it on my desktop anyway. And so I think that’s the big sell to nono, is it’s just, it’s simple, right? It’s so easy.
Luke Hinds (08:18) Yeah, it’s very easy.
Yeah, very much. Yeah, very much. There are no volumes to mount. You know, there’s no networking to set up, stuff that, you know, that we are comfortable doing from years of work in the technology. But as you say, people are new to this space, you know, and I think we have to be honest with ourselves. A software developer has changed really, you know, anybody can generate code now. Everybody is generating code.
You know, I’ve not got Mrs. Hinds to do any vibe coding, but I’m pretty sure she could knock something up, you know, and these people haven’t got this prior art, this prior experience. And so, yeah, so that’s where nono is good. It is, like you say, it’s very simple to use, you know, as long as you can install something with a brew and you can type some commands on a command line, very simple command line and off you go. And we try to make it anti-foot gun. So we really thought about it when we designed this.
You know, let’s try to make it so that you’ve got to go out of your way to mess yourself up, you know, try to sort of have the perception here of not the security geek that’s kind of deeply entrenched in this. So, you know, a lot of people when they run will want local access to the folder. Okay. It’s like if it’s a coding agent, of course it’s going to need write permissions to change files, to work with the code, and read permissions. And so
there’s a level of the current working directory that’s required. Some of it, such as Node, requires certain access controls be present when it executes within the folder. But we still say, are you aware this is the folder that you’re going to grant read and write to? Just in case somebody derps and runs within, I don’t know, a root partition or something else outside of where they expect to be. So we’ve really tried to make it sort of as foot gun
protective as we can, but also it’s there for the professionals as well. Those that want to go deep, you know, they absolutely can go deep. You know, the policy files are going to be stuff that’s going to be signed and outside of the binary so people can get in and tinker and change and customize to their needs.
Josh Bressers (10:32) For sure, for sure. Okay, let’s talk about why. And this is kind of the inception of this episode. It’s things like running MCP servers securely, running agents securely. And I mean, for anyone who doesn’t understand, it’s like, what kind of, what are these things doing and why are we trying to protect them, would be my question, or I guess protect ourselves from them maybe is a more accurate statement here, right?
Luke Hinds (10:33) Mmm.
Mmm.
Yes, really good question. And I mean that sincerely. That’s not just me saying really good question while I try to think of an answer. You know, I guess the key thing, of course, is, you know, the probabilistic nature of these things. You know, they make predictions, but they’re unpredictable beasts, effectively, you know, and you can have the same repeated input and the output varies every time, you know, so they have this propensity to go off course.
Josh Bressers (11:09) Right?
Luke Hinds (11:31) And I think within the security world, we love constraints. We like to nail things down and we like to kind of allow and deny. It’s a very sort of a very binary world effectively. And so these two make a strange couple. Okay. And so yeah, AI has this ability to be unpredictable and it is incredibly intelligent.
You know, intelligence is the right word to use, okay, of course, you know, we know this is a neural network. It’s highly dimensional spaces, vectors, but, you know, when you look at it, you know, when you look at these operate, you know, it’s incredible really, you know, what they can do. And again, it’s a case of, you know, this is, you can really go down the rabbit hole with this. It’s really, you know, this kind of fickle thing of trust comes up again.
You know, because you’ve got this autonomous, this thing that seems to have an autonomous nature. So it’s like a human really, you know, and if you think about how we sort of set trust up between ourselves as humans, that’s a kind of a fickle thing that changes on a daily basis. You know, it’s very much, you know, there’s, you know, this stuff is very difficult to be binary about effectively, you know, to sort of have a specific constraint that can be applied and.
I might’ve wafted off from the question a little bit there, but you you’re saying AI essentially, why is it a security risk? Okay. And I guess I would say because it’s an unknown risk or it’s an unquantifiable risk. You know, it’s not something that we can, that we can build an apparatus around because it’s always going to have the same repeatable results.
Josh Bressers (13:21) I mean, I think that’s a fair point. It’s, I mean, I would compare it almost to like letting the intern run away in prod. No one would do that. That would be nuts.
Luke Hinds (13:30) Hmm, sure.
Absolutely. Yeah. Yeah. Yeah, very much. Yeah. Yeah, like some incredibly intelligent intern that will just absolutely mess up, you know, will completely mess up every now and then, yeah, very much. Yeah.
Josh Bressers (13:40) Yay.
So why don’t you kind of explain to us then, like, what is an agent, what is an MCP server when we’re talking about it and kind of like, what does it mean to try to secure those things? And again, you know, almost keep, it’s, this is so weird. I don’t, I feel like a lunatic sometimes saying this, but like,
We’re almost protecting ourselves from the software running at this point, which feels almost backwards to how we’ve looked at a lot of security in the past.
Luke Hinds (14:10) Hmm.
Absolutely. Yeah. Yeah. So I mean, it pays to look at what is in an agent. Okay. So two components here, you have the code, which some people consider an agent. I would say it’s more the model. Okay. And I think a lot of people would agree that the agent itself is, it’s just typical code, it’s REST interfaces, login, all of the standard components of an application. And then we have the model. That’s really the agent. ’Cause it’s, you know, it is a, it has agency.
It’s got autonomy, okay? And where this interacts with MCP is really interesting, okay? And there’s a bit of history to this. So MCP is a kind of evolution of something that was originally called function calling, which is something that OpenAI came out with, okay? And they figured that they could get a model to linguistically craft a function call, okay? And that is essentially what happens.
The model is typically fed something like a system prompt where it has examples of these functions that it can call. And there’ll be lots of strong language in there like you will use JSON and you will do this and lots of kind of to really try to sort of influence the model to use these functions. So the model will know, right, I’ve got a function called getWeather and within there I can put London. And then that will obviously go off.
to an API, which will reply in a very determined way. And then the code will strip and parse that and then feed the result back to the model. And then the model will go, well, it’s a little bit cold in London today. And that’s essentially how it works. It’s kind of like, you know, I almost imagine like, you know, those brains that you’d get in the vat with the kind of, you know, like the wires in, it’s kind of like giving it some arms to the outside environment. It can actually interact outside of itself, you know? And so you have this kind of a,
this sort of crossover plane of using language which is passed out into a function. Okay, so OpenAI kicked it off and it’s called function calling. And then somewhere along the line, we started calling them tools. Okay, they became tools and then tools became MCP. And MCP is really where there was a specification that was built. It was designed as a protocol by Anthropic. We started to standardize, use the same components.
People could benefit from repeated work, you know, and as we see quite often with software, prior to that, it was a little bit of a wild west. Everybody was doing it their own way. And you know, there’s many security aspects to MCP. I think a key one is, and we both come from this world, software supply chain. So of course this is software. A lot of it’s built on open source, okay? And there’s a package ecosystem.
A lot of it is, I’m gonna tread carefully here, JavaScript, TypeScript, okay? And NPM has had its own fair share of software supply chain attacks, which I’m sure they would agree with me. And there’s a lot of other components that we’ve not really addressed around security with MCP servers, okay? And agents in general, because they rely on, again, this language to…
to drive computationally the outcome that you want. So the model is able to kind of, you know, craft these words, characters, okay, to interface with an API somewhere. And this is really problematic because of something called prompt injections, okay. And this is where it gets interesting. You know, a prompt injection is effectively where you manage to sneak in instructions to the model.
Josh Bressers (18:00) Yes.
Luke Hinds (18:12) effectively circumnavigate the guardrails that are trained into the model. So models are heavily trained on certain things you do not do. This is some stuff that we’ve been doing recently. And so, you know, if it’s harmful content, the model will push back. If it’s clearly a vulnerability, it’s a security breach, it will push back. And so people find these ways of crafting these prompts that effectively bypass that system. And, you know, with prompt injections, it gets really interesting because
you know, this is where we start to get to a fundamental problem that we have with the architecture of large language models. We’re talking the transformers architecture, which is what drives a lot of large language models. And, you know, at present there is a, so we’ve always had, we’re used to having like a control plane and a data plane. Okay. And you keep the two separate. Control is where your instructions are.
Data of course is where your data is. Okay. And with a large language model, they’re all mashed into one. It’s all one lump of data and instructions. So you’re loading the spreadsheet or the code and then the instructions will go in there. And, and that’s where these prompt injections are incredibly difficult to solve. I don’t think we ever really will solve them. We really won’t. And I think like an interesting little,
comparison point to this kind of a hypothesis of the control and the data plane being mixed together. Do you remember the old Captain Crunch whistle? Yeah, okay. Yeah. Yeah. Yeah. So if everybody’s wondering what I’m talking about, we’re old guys here. So, you know, we’re old school, old school Gen X hackers. So there was Captain Crunch. So cereal, was it a popular cereal in the US? Yeah. Oh, still is, there you go.
Josh Bressers (19:50) Yep, that’s right, 2600 Hertz.
yeah, it still is. Awesome.
Luke Hinds (20:09) And they had these little plastic whistles that you could kind of dig out. It’d be mixed in with the food, wouldn’t it? You’d kind of pull out a little plastic whistle. And somebody, was it Kevin? I don’t know, who was the?
Josh Bressers (20:24) Well, so John Draper was the one who became the most famous, but that guy like, don’t hang out with him, we’ll say.
Luke Hinds (20:26) That’s right. Yeah. Yeah. Yeah. Yeah.
So he figured out that what you could do is like on the old fixed line, you could use the whistle to practically emit the frequencies that were the same frequencies that were used by the control system. Okay. So I guess these old signaling networks, there’s no authentication built into them, stuff like SS7. And so, you know, you could whistle a certain
set of frequencies and then you’d get a free international call, I believe, or I can’t remember what some of the exploits were. Do you remember yourself?
Josh Bressers (21:03) So, I mean, I know more about this than I probably should, but so the whistle had like two holes in it. It emitted two tones. And if you covered one of them up, it would emit 2,600 Hertz, which, there’s like the 2600 magazine, that crew in New York. That’s where they get their name from. And what happened was on the old networks, the 2,600 Hertz was like the signal that the phone company would send down the line. It basically said, hey, I’m the phone company. I’m going to send you some instructions.
Luke Hinds (21:06) Okay.
Mmm. Ow.
Josh Bressers (21:30) And that’s where then you’d use, you know, like the blue box to send, ’cause there’s certain tones from touch tone that aren’t on a normal phone, but would be on a blue box. And then you could create the various instructions for the phone signaling equipment that said like, route my call this way, you know, dial this person in this way, kind of whatever. And yes, this is exactly the right thing where the solution to this was to take the control off of the signal network because the phreakers
Luke Hinds (21:54) Mm-hmm.
Josh Bressers (21:57) were just like ravaging the phone system. They knew more about it than, you know, AT&T did at the time. And AT&T security was functionally hoping no one had ever figured this out, which didn’t last.
Luke Hinds (22:08) You know, I don’t want to go off and divert too much into the brush, but I used to work in telco security, SS7 networks, and we had these problems with, same thing again. You used to be able to key in codes to get like your IMEI, your international equipment identifier, like a serial number, or you could change plans and
Josh Bressers (22:20) guys.
Luke Hinds (22:36) And somebody worked out that this SS7 network was wide open. There was no authentication. So you could just buy like a modem, plug into it and start changing yourself onto a business package with, you know, unlimited calls and stuff like this. So yeah, so kind of coming back to where we were, this is a problem that we have with large language models and, you know, there really is no way of stripping out the control aspect of this. There really isn’t, you know, that’s just, that is just a key intrinsic part of the
the architecture. So, you know, so we now have this system where there is a kind of a rife exploit. And like I say, one that will never really truly be solved. And I think people are just starting to grapple with this. Some are more ahead of it than others. I think the security industry, what I’ve seen is that they are having to catch up very quickly with the problems that are there.
I think quite a lot of people are trying to fight with weapons from the old war that no longer work in the new war. You see, kind of, you know, we’ve always had this approach of endpoint protection and trust boundaries and, you know, that’s always how we’ve done things. And this is a very different perpendicular world. It’s, you know, it’s a different war that’s being fought now. And, you know, my own personal view is.
A lot of model protections really need to be in the model really, you know, that is the aspect that needs to be, you know, induced to behave in a certain way that it’s not so prone to these attacks effectively, you know. There is, of course, layered defenses that can be put into place. You know, this is very much a defense in depth strategy, which is something that we’ve had in security for quite a while.
But I don’t think it’s as simple as just kind of filtering and grepping and, you know, checking for certain strings because they’re never going to be the same. And it’s very complex as well because you’ve got these chains, reasoning chains, you know, where you can, you know, the people that are performing these advanced prompt engineering attacks, prompt injections, you know, they’re doing these over, they’re cascading these over multiple conversations. It’s really difficult stuff to defend against.
And so, yes, so kind of bringing this back to MCP, really, you know, that is the problem is you’ve got this channel that’s there to exploit. It’s kind of like social engineering to a degree against a large language model, you know, and that is really the kind of, I don’t want to say the Achilles heel, because, you know, we’re making some really good progress, but I would say that’s one of the key other aspects.
So we’ve got the software supply chain, we’ve always had. That’s always been problematic, as you know. And then, you know, we’ve got this new sort of component, which is susceptible to social engineering, you know, alongside the humans. And I think, you know, there are some other aspects, but I’d say those are the two key aspects really, you know, is you have this model. Models do…
I don’t know, they just seem to be a little bit foot gunny around leaking secrets and grabbing everything. They like context. They love lots of context, models. Give me, give me, give me. So anything is fair game that I can get my hands on to understand the environment better. And so a lot of the time that is keys, little files with database passwords, all of these sorts of things are scooped up. And that of course, you know,
that is a very, very significantly large security risk. It really is, you know? Yeah, yeah.
Josh Bressers (26:35) Yeah, yeah.
I mean, so, okay, I have an adjacent question then, and this is specifically around like MCP and agents, is this feels to me like with a tool like you’ve written, nono, is one of the things we need to do is make sure we understand like what an MCP server is supposed to be doing and then restricting it as much as we can into that context. An example being,
Luke Hinds (26:39) Mmm.
Mm.
Josh Bressers (27:02) If I have an MCP server whose job is say reading files off of a file system. And now one of the other challenges though, I think is a lot of these MCP servers have very kitchen sink like functionality. So I might need to say read files somewhere, but it can also delete files, right? Where this is like, I know what I need it to do. And so I’m going to make sure it can’t delete, but then also once it tries to delete, I know it’s gone off the rails. So it’s time to go shoot things in the head because I know bad things are afoot. And that’s kind of this.
Luke Hinds (27:17) Mm-mm.
Mm.
Josh Bressers (27:32) This feels like maybe some traditional security angles that I think are being hand waved away quite often. ’Cause you mentioned YOLO security, especially like OpenClaw is a great example where people have reported to the, what is the, claw, their repo. I can’t remember the name of it now. But like there’s hundreds and hundreds of malicious plugins and the owners were like, oh, this is hard to fix. So we just don’t care. Right? Like that’s wild.
Luke Hinds (27:54) Mm-mm.
Yeah, very much. Yeah. Yeah.
Yeah. Yeah. Very much. I think, you know, you nailed it there really, which is that with, and I, you know, and I don’t want to, you know, apply this statement to everybody. Okay. You know, there are people that are building incredibly good MCP servers. They’re aware of coding, secure coding, best practices, least privilege, all of these sorts of things. And, you know, the people that we’ve been engineering with for years, but there’s a lot of stuff out there that has just been whipped up in a day.
Put out there and got, and became massively popular because, well, hey, look what it does. It can do somersaults, and, you know, it can jiggle around with your calendar and your email and, you know, and everybody loves a productivity boost, you know. But these things are put out very quickly. They are wide open really, you know. There is no restriction, you know, there is no least privilege baked in, there’s no good
practices that are baked in, stuff that we’re, you know, trying to get going in like the Open Source Security Foundation and, you know, various bodies have been trying to get people to produce better code, more secure code. And a lot of the time the stuff is just being generated from a prompt. So somebody will have an idea. I mean, that is the thing. You can go from idea to working project in an hour, 30 minutes, even if you don’t really know how to code much. So people have ideas, you know, and they’ll think, well, you know,
wow, why don’t we get like a, you know, an MCP server to, you know, connect to this system and then connect to this system and then bridge the two, and they’re kind of thinking of the end result, the kind of, you know, the payload, you know, the productivity boost that everybody’s going to get, and it’s going to go viral and they can just, you know, come up with a couple of sentences and bang, it’s sped out and it’s on GitHub and it’s got bazillions of stars, you know, and everybody’s using that, you know, and so it’s just a
different world now really, you know, everyone’s a software engineer, you know, like we were saying earlier, you know, this was actually on the podcast, it was me and you chit chatting before, but you know, Mrs. Hinds, I’m sure I could get her to vibe code up a few apps, like an MCP server, you know, it really is that easy now. It’s, you know, that is the thing. And then you touched upon
skills. Okay. And this I find incredible as well. I mean, if a few years back, me and you’d sat down and somebody had come back from the future, like a Marty McFly or something like that for software security and gone, markdown files. My God, markdown. We would be like, what? Like just good old wholesome markdown. What do you mean?
Security risk, what people are using. They’re using markdown to drive application logic and it just, you see what I mean, and you know, and so it’s a strange new world, it really is. And yeah, so, you know, essentially with MCP again, another great point there. So we’ve got, of course, the model and its propensity to be creative can’t be constrained. We’ve got the good old supply chain, which still isn’t really fixed.
And then we’ve got this sort of, you know, people building stuff that haven’t really got that prior art in how to build it securely. And lots of people using it that haven’t really got the experience in how to secure it. Essentially how to do things the secure way really. So I guess it’s a concoction of many different things. And it normally is that, isn’t it? It’s never typically one thing. It’s a kind of a mix coming together that creates the lethal bomb. Yeah.
Josh Bressers (31:52) Okay, you know
what you just reminded me of Luke in your description of all of these things is, I’m sure you remember this, but back in the early 2000s, PHP got very popular and it opened web development to a class of people that could not create the kind of anything on the internet prior to that point. Now I remember as a security person back then, we laughed at them and we didn’t help them.
Luke Hinds (31:57) Mm.
yeah. Yeah, yeah.
Hmm.
Mm.
Mm.
Josh Bressers (32:20) And they just
kept developing software and it was awful. And it was full of security bugs. I remember Steve Christey, who was one of the early CVE people, he created the project. He had a joke. He would call it PHP golf where anyone who wanted to find a CVE, just pick any PHP application and you’re a hundred percent guaranteed to find security vulnerabilities in it. They were full of cross-site scripting and who knows what else. This feels similar to me.
Luke Hinds (32:23) you
Bye.
Mmm.
Josh Bressers (32:45) And at the same
time, I see a lot of security people laughing at these people instead of trying to help them. history repeats itself,
Luke Hinds (32:52) Absolutely.
Yeah,
absolutely. Yeah, you, you’ve nailed it there. And I mean, we are seeing that. I mean, you know, I see, you know, we both, you know, frequent LinkedIn a little bit. And yeah, there is lots of people that are just scoffing and roaring over these amateurs in their OpenClaw. And, you know, and yeah, we’re not helping them. You know, we’re not helping them. And, you know, not to try and paint myself as an angel, but I’ve been over in their Discord channel,
the security channel, they got one on OpenClaw. It’s there folks, you know, go and join it. And I don’t, it’s kind of calmed down a little bit, but over the weekend, that was like an accident ward on a kind of inner city hospital. It was carnage, you know, it really was. There were people just turning up, just, you know, like it’s just leaked my entire life onto the internet. You know, it’s just, you know, and so yeah, there’s definitely, I’m with you.
You know, this is really not about the kind of smug superiority of being a, you know, who we are. It’s really about kind of chop the wood and carry the water and help really help these people. Do you see what I mean? Or do we want people to fail because it justifies our existence? Maybe it’s that. Yeah. It is that as well. Of course. Yeah, absolutely. Yeah. You know, I mean, everybody’s sort of, you know, it’s
Josh Bressers (34:07) It’s a little funny sometimes, but…
Luke Hinds (34:15) People falling over isn’t funny, but people falling over is funny, really.
Josh Bressers (34:19) Right, right.
But at the same time, our smug, terrible attitudes, I mean, this is something I talk about all the time, is like, I feel like I tell people when I work with them at work and things like that, and I try to help them with security things, like, I am paying for the sins of my past. I was a smug, terrible security person. And so I’ve reached a point, I tell people I work with, I don’t care what you do. Like if you paste…
Luke Hinds (34:26) Yeah.
Sure.
Hmm?
Mm.
Josh Bressers (34:43) passwords into web forums, whatever, like come talk to me. I’m not going to yell at you. I’m going to help you solve your problem. It doesn’t matter how dumb you might think it is. Like it is important and it’s hard. You ha that’s how you have to build trust. If you’re just some smug jerk, people hate you and they’re just not going to talk to you.
Luke HindsLuke Hinds (34:48) Yeah.
Absolutely, absolutely. You know, and security people can have that persona quite often. Maybe not intentionally. Maybe it’s just you become, you know, through the attrition of the work, you just become, you know, a malcontent, you know, and anybody new and shiny that turns up, you just want to bring them down a peg or two, you know, maybe there’s another one of that. But there is that sort of, yeah, that, that persona, you know, I just remember, you know, Comic Book Guy
on The Simpsons, the one with the milkshake. Well, actually, you know, that kind of sort of smugness, you know, and I’m with you, you know, it’s, we’re going to be there to help people, to protect people. We’re going to be the kind of, you know, the guardians, you know, the kind of the people looking out for people. Absolutely. Yeah,
Josh Bressers (35:44) Yeah. All right. All
right, Luke, we come to the end, man. So let’s land this plane. I’m going to give you the last word to tell people anything you might want them to go check out or get involved with or care about, or kind of the floor is yours, man.
Luke Hinds (35:57) Absolutely. If you check out nono, it’s very early in, okay, there will be bugs. We have a disclaimer around that, but we’re polishing things up. So nono dot sh. If you’d like to learn a bit more about the company, follow what we’re doing. It’s Always Further. We’re doing lots of stuff around open source as always. We’ve got like a project called Deep Fabric, which is getting quite popular, which generates lots and lots of data that we use for agent evaluations and model testing and
I am typically known as DecodeBytes on sort of different social platforms. And I like to think I’m approachable. I love speaking to people of, contrary to what we were just talking about, I do love speaking to people of all sorts of levels, especially new people. And yeah, it’s been really enjoyable. It’s gone so quick, because we’ve been having such a great time. So I really appreciate you having me on, Josh. Yeah.
Josh Bressers (36:54) Yes, until
next time my friend, I’m sure you’ll be back. Thank you so much.
Luke Hinds (36:56) Yeah, yeah.
Take care. Thank you.