More Open Source Security episodes


MCP and Agent security with Luke Hinds

Published 16 Mar 2026

Duration: 35:36

This episode explores AI agent security risks such as prompt injection and open-source vulnerabilities, with emphasis on the nono project's kernel-based sandboxing (a deny-by-default model, hardware enclaves, and Rust-driven efficiency), alongside layered defenses, restricted commands, and collaborative efforts to tackle evolving threats such as social engineering and insecure coding practices.

Episode Description

Josh talks to Luke Hinds, CEO of Always Further, about MCP and agent security. We start out talking about Luke's new tool, nono, which is a sandboxing...

Overview

The episode discusses the development of nono, a security tool created by Always Further, a startup focused on addressing vulnerabilities in AI agents and models. nono uses kernel-based sandboxing to isolate processes, preventing data exfiltration, unauthorized file access, and destructive actions such as `rm -rf`, using a deny-by-default model and hardware security enclaves (e.g., Apple's Secure Enclave). Designed for speed and simplicity, it contrasts with Docker by offering near-instant startup times and minimal user configuration, though it is intended not as a replacement but as a complementary tool for specific use cases. The tool also incorporates restricted commands, time-based command allocation, and rollback mechanisms to mitigate risks such as accidental deletions or unauthorized API interactions.
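To make the deny-by-default idea concrete, here is an added example (not nono's code or API, and not from the episode) of a minimal policy evaluator an agent harness could consult before letting an agent read, write, run a command, or open a connection. Nothing is permitted unless a rule allows it, path traversal is rejected, and the `rm -rf` class of commands is blocked even when `rm` itself is on the allowlist. The directory layout, host names and sample requests are constructed for the illustration.

```python
"""Deny-by-default policy check for an agent sandbox (illustrative only).

Added example: this is not nono's implementation. It models the behaviour
described above: requests are denied unless a rule allows them, recursive
deletes are blocked, and network access is limited to an allowlist so a
misbehaving agent cannot exfiltrate data. All paths, hosts and requests
below are constructed assumptions.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath
import shlex


@dataclass(frozen=True)
class Policy:
    """Everything not listed in a policy is denied."""
    read_roots: tuple = ()
    write_roots: tuple = ()
    allowed_commands: frozenset = frozenset()
    allowed_hosts: frozenset = frozenset()


def _under(path: str, roots) -> bool:
    """True if `path` is absolute, contains no '..' and lies under one of `roots`."""
    p = PurePosixPath(path)
    if not p.is_absolute() or ".." in p.parts:
        return False
    return any(p == PurePosixPath(r) or PurePosixPath(r) in p.parents for r in roots)


# Flags that turn `rm` into the destructive "rm -rf" class of commands.
RECURSIVE_RM_FLAGS = {"-r", "-R", "-rf", "-fr", "-Rf", "-fR", "--recursive"}


def check(policy: Policy, action: str, target: str) -> tuple[bool, str]:
    """Evaluate one agent request. Returns (allowed, reason); the default is deny."""
    if action == "read":
        ok = _under(target, policy.read_roots)
        return ok, "ok" if ok else "read outside allowed roots"
    if action == "write":
        ok = _under(target, policy.write_roots)
        return ok, "ok" if ok else "write outside allowed roots"
    if action == "exec":
        argv = shlex.split(target)
        if not argv or argv[0] not in policy.allowed_commands:
            return False, "command not in allowlist"
        if argv[0] == "rm" and any(a in RECURSIVE_RM_FLAGS for a in argv[1:]):
            return False, "recursive delete blocked"
        # An allowed command may still only touch paths inside the sandbox roots;
        # rm is restricted to writable roots, other tools may also read read-only roots.
        roots = policy.write_roots if argv[0] == "rm" else policy.write_roots + policy.read_roots
        for arg in argv[1:]:
            if arg.startswith("/") and not _under(arg, roots):
                return False, f"argument {arg} outside allowed roots"
        return True, "ok"
    if action == "connect":
        ok = target in policy.allowed_hosts
        return ok, "ok" if ok else "host not in allowlist"
    return False, f"unknown action {action!r}"


# Constructed sample policy: the agent may work inside one project directory,
# run a few tools, and talk only to one package index.
PROJECT_POLICY = Policy(
    read_roots=("/work/project", "/usr/lib/python3"),
    write_roots=("/work/project",),
    allowed_commands=frozenset({"python3", "pytest", "rm", "git"}),
    allowed_hosts=frozenset({"pypi.org"}),
)

# Constructed sample requests, as an agent harness might submit them.
SAMPLE_REQUESTS = [
    ("read", "/work/project/src/app.py"),
    ("read", "/home/user/.ssh/id_ed25519"),
    ("write", "/work/project/../secrets.txt"),
    ("exec", "rm -rf /work/project/build"),
    ("exec", "rm /work/project/build/tmp.o"),
    ("exec", "curl https://example.net/upload"),
    ("connect", "pypi.org"),
    ("connect", "unlisted-host.example"),
]


def evaluate_all(policy=PROJECT_POLICY, requests=SAMPLE_REQUESTS):
    """Run every request through the policy; returns (action, target, allowed, reason) tuples."""
    return [(a, t, *check(policy, a, t)) for a, t in requests]


if __name__ == "__main__":
    for action, target, allowed, reason in evaluate_all():
        print(f"{'ALLOW' if allowed else 'DENY ':5} {action:8} {target}  ({reason})")
```

The point of the shape is that the evaluator has no "allow" fallthrough: an action it does not recognise, a path it cannot prove is inside a root, or a host it has not been told about all land on the deny branch, which is the property a kernel-enforced sandbox gives you for real rather than at the harness layer.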

Broader challenges in AI security are highlighted, including the unpredictability of AI agents (e.g., bypassing sandboxing) and vulnerabilities in MCP (Model Context Protocol) servers, which enable AI models to execute external functions. Risks include supply chain vulnerabilities in open-source tools, prompt injection attacks, and the merged control/data architecture of large language models (LLMs), which makes them susceptible to social engineering and data leaks. Historical parallels are drawn to early hacking exploits, such as the "2600 Hz" phone fraud, emphasizing the persistent difficulty of securing systems against autonomous, high-dimensional threats. The episode also stresses the need for collaborative solutions, education in secure development practices, and tools that balance simplicity for non-experts with customization options for professionals, while addressing the growing gap between rapid AI innovation and robust security frameworks.

Recent Episodes of Open Source Security

22 Jun 2026 Packagist and Composer security with Jordi Boggiano

Strategies for securing open-source ecosystems include malware detection via third-party feeds, transparency logs, rapid incident response, blocking malicious downloads, private registry controls, immutable package releases, standardized workflows, MFA enforcement, and technical proposals like artifact validation and build attestation, while addressing challenges like maintainer hacking, AI risks, usability trade-offs, and the need for ecosystem-wide alignment and human verification.

15 Jun 2026 Sustaining Open VSX with Mike and Thabang

Eclipse Foundation's OpenVSX, a VS Code extension repository, surged to 600M monthly downloads, evolved to a commercial model with enterprise SLAs and security teams, while addressing scalability, open-source balance, and funding challenges for AI expansion.

8 Jun 2026 Hacking your CI/CD with Francois Proulx

Critical vulnerabilities in open source CI/CD pipelines, including hijacking and supply chain attacks via social engineering or compromised builds, are highlighted through incidents like TJ Actions and Ultralytics, with mitigation strategies emphasizing secure credentials, externalized workflows, threat modeling, and tools like *Smoked Meat* and *Bagel* to enhance incident response and supply chain security.

1 Jun 2026 Open source verification with Sal Kimmich

Cybersecurity challenges include complex application ecosystems, overlooked kernel vulnerabilities, supply chain risks, and systemic risks from under-resourced organizations prioritizing surface-level controls, alongside calls for regulatory reforms, proactive threat modeling, secure development practices, and addressing tribal nations' unique legal and sovereignty concerns.

25 May 2026 Vulnerability disclosure with Casey Ellis

The evolution of vulnerability disclosure highlights challenges in prioritizing critical issues, outdated legal frameworks, and the role of initiatives like Disclosed.io in standardizing policies, alongside AI's impact on detection, open-source risks, triage complexities, and the need for collaboration and transparency to address systemic security barriers.
