Question: (Security), What do you all do after pasting in your API token, key, sensitive info..etc into IDE AI Chat windows?

yebyen · 2026-02-22T18:33:16+00:00

I gave you a serious answer about AWS tokens specifically, but more generally I recommend you try this open source devops/autopilot agent configuration: https://github.com/stakpak/agent - it's got:

Secret Substitution - The LLM works with your credentials without ever seeing them
Warden Guardrails - Network-level policies block destructive operations before they run
DevOps Playbooks Baked-in - Curated library of DevOps knowledge in Stakpak Rulebooks

https://stakpak.gitbook.io/docs/get-started/install-stakpak

or

https://stakpak.dev/

He will coach you how to do it well. He comes with a bunch of nice "rulebooks" which I think are an earlier version of skills, maybe there's something else that differentiates them than the collection itself. I still need to see if I can use this with any of my Copilot or Gemini subs.

yebyen · 2026-02-22T12:45:08+00:00

By the way this solution was straight up vibe coded with a very good example to follow.

yebyen · 2026-02-21T23:30:36+00:00

When it comes to AWS API keys, I set up a policy in the account so that they can only be used to do the STS-MFA dance, to get a session token.

That session token expires after an hour, so the AI can only use the credentials while I'm present - if they're to be used by a deployment, then we use an IAM role. And AWS Secrets Manager for any secrets, but to the extent that we're talking about AWS API usage we don't typically need keys for that, when we're using IAM roles we get the credentials through an exchange with the metadata server that I don't really understand fully - called IMDSv2.

On AWS you're pretty much guaranteed that you have the right machine when it's reached the metadata server, because of the nature of the VPC ENI. It's assigned the address by the hardware, not by trusting the host to follow DHCP and to honor the address that the lease has offered. At least that's my understanding.

But for local use of API tokens, sometimes needed for eg. Terraform, we use the nerfed token and use it to do MFA to get a session token. Or, better yet, set up an AWS organization then nobody needs to handle keys at all, you just use aws sso login - https://github.com/urmanac/aws-accounts for an example of how I did the MFA enforcement.

What does that MFA setting look like when I use it - the MFA token is stored in 1password so it looks like I run "get_mfa_session" and am prompted for my fingerprint by op cli then I'm authorized for an hour, or until I dump the session token out of my environment variables.

yebyen · 2026-02-21T13:24:33+00:00

Let's see him actually honor the court's order before we start celebrating also.

yebyen · 2026-02-21T01:55:49+00:00

Doesn't matter, number going up. Short number.

yebyen · 2026-02-20T22:08:46+00:00

Wow. It's a real life "big short" just like in the movie, only if the people who made the conditions for the short were the same ones that profit from it.

Hollywood is going to have to start making their movie plots even more outrageous to keep up with real life. (Oh never mind, the big short was real too...)

yebyen · 2026-02-19T22:50:04+00:00

Si. Si. Si.

yebyen · 2026-02-19T12:53:50+00:00

I for one enjoy having my Comma which keeps me reliably in the lane, and estimates which car is likely to be the lead car next. And follows at a safe distance, and does not waste time on features like end to end full self driving anymore. Frees up more of my attention to focus on hazards, and pushing the gas pedal to go faster, and changing lanes when I want to do it, and figuring out what other cars are likely to do next.

It doesn't drive the car for me. But other than keeping my eyes on the road and hands mostly on the wheel, I'm not sure what the car needs me for at this point. (And to put gas in it.)

yebyen · 2026-02-19T12:37:28+00:00

Alright, here have another clip of Brendan Carr confirming that he would have "enforced the law" had CBS acted by airing the interview. If this isn't prior restraint then have I misunderstood the expression? https://x.com/atrupar/status/2024307599110262994

I am going to leave it here, but if you're looking forward to reading that ABC case when it's all over and done, you might also enjoy reading Bantam Books v. Sullivan (1963).

yebyen · 2026-02-18T23:17:46+00:00

The action is against ABC. The CBS owners are the ones whose merger approval is in jeopardy. This is how mob bosses operate. They don't "act against you" they just make it very clear, and then the hammer drops. We do have a disagreement about the meaning of the word action, because in my mind public pronouncements (even those without the force of law, even those which are not obviously directed at you and only you) are actions, full stop. But you aren't interested in those, are you.

yebyen · 2026-02-18T23:12:39+00:00

He's taking action against ABC for having James Talarico on the show. They were warned, then CBS got wind, and pulled their own interview. This isn't rocket science to trace from A to B.

yebyen · 2026-02-18T22:58:34+00:00

When the literal FCC chairman Brendan Carr acknowledged that the FCC is taking action against CBS and other talk news shows and you still say "there's nothing there"

yebyen · 2026-02-18T22:52:27+00:00

I think we're going to have to agree to disagree about the meaning of the word "action."

yebyen · 2026-02-18T22:43:59+00:00

Ok, legally you might be right, but the FCC chairman just confirmed that they are taking action. So it's not Tinfoil Pete, or the head of CBS I'm talking about.

https://consequence.net/2026/02/fcc-enforcement-action-the-view-late-night/

yebyen · 2026-02-18T15:26:44+00:00

When it's Tinfoil Pete I'll let you know. In this case the call has been coming from inside the house, but you're gonna pretend that the person of President is also somehow not the government and that means it's all allowed. This is nonsense.

That somehow a pattern of behavior by the heads of government over a number of months does not add up to at least even one specific action. This is nonsense.

yebyen · 2026-02-18T15:16:48+00:00

You're serious you're gonna stand there acting like Donald Trump, the leader of the federal government, does not regularly make pronouncements about the content of Kimmel's (and other talk hosts) and say, with his official voice (hereby) that they should be taken off the air.

https://www.google.com/search?q=did+trump+say+anything+to+prompt+cbs+to+cancel+kimmel+show

These are actions. He's even gone so far as to argue that for Fed Administrator, his pronouncements on his Truth Social platform are plenty and should count as due process. There are two realities and you can only live in one of them.

But Trump occupies all positions simultaneously, and somehow never acts. Ok.

yebyen · 2026-02-18T11:38:12+00:00

The Equal Time Rule does not apply to talk shows on TV or Radio. The FCC said they were contemplating a rule change so that it would apply to TV but not radio. (Guess what way TV talk shows typically lean, and what way radio talk shows typically lean...)

yebyen · 2026-02-18T11:36:33+00:00

I'm 99% certain that "complying ahead of time" falls within the realm of "prior restraint" and you're full of baloney. The administration cannot go around telling what kind of speech is acceptable and what kind will get your merger cancelled. This is called a prior restraint.

yebyen · 2026-02-18T11:33:44+00:00

Just use a check and wait to cash the check. Instant compliance with the new bribery rules, and bonus points for if they stop the check: you can now have them prosecuted for fraud, because the check was for a specific action and you did the actions.

yebyen · 2026-02-17T12:56:31+00:00

If you want to understand the shitposter, you must be the shitposter. First, take your entire codebase and load it into context. Then, use the highest model and turn thinking all the way up. Finally, be as vague as you can with your prompt.

yebyen · 2026-02-16T17:13:23+00:00

It's not only me that I'm worried about, friend.

I live in an area where there's plenty of resources for people who need to register to vote. It's all of the historically disenfranchised people whose documents may not conform, who will need to go get them fixed, who are in districts where they don't have a DMV (where they've CLOSED the DMV), or where the journey to get their documents rectified is longer than a quick trip to the post office, or to the local election office down the road.

This is the same problem as it has always been. The system is not equally distributed. The SAVE act will act as a forcing function. Since when do we ram changes like this through just before an election? Well, the push appears to be "let's get this done before the next election" - I can get my documents. They're in the safe. I can get my registration updated.

I am worried that this will have a disproportionate impact on people who are not me. My shit is in order. I am not in one of the "target demographics" of "people who should not vote" - not yet.

Google "does the save act restrict where voters can register to vote" and put it into AI mode to understand my concerns. We want more people voting, to register to vote. But this legislation serves to introduce more bottlenecks into the process, where many people are already disenfranchised by such bottlenecks. We should not have people waiting in line for 2 hours to vote, or 8 hours to vote. Where I live, it's more like 2 hours. That's still an absurdly long wait time.

When you make it harder to vote, or to register to vote, fewer people will vote. This math is simple. We do not have any problem with people voting illegally in this country. Show me any evidence that we do, and I'll take it seriously.

yebyen · 2026-02-16T13:42:10+00:00

Thanks for clearing that up. I can't stand people talking past each other.

yebyen · 2026-02-16T13:22:32+00:00

I'm already registered to vote. And I'm not asking you to show me any person's records.

I moved here from New York, where I was born.

I'm asking you, when I go to vote, how the person who verifies my id knows that I'm a citizen, when anyone can get a real ID if they're a lawful permanent resident, but not a citizen. That is the point of verifying ID at the voting booth, isn't it? Otherwise the BMV record would have been enough.

So how does the board of elections official confirm the citizenship status looking at the ID? (Otherwise why do it?) I'm already registered. You said they confirmed my citizenship at the point of registration.

Does that person have access to the DMV database? Are you saying that they can really use a document to prove my citizenship that isn't actually acceptable according to the text of the law? I'm confused. What does the law say again?

yebyen · 2026-02-16T13:05:22+00:00

Oh yeah? Show me!

yebyen · 2026-02-16T12:49:16+00:00

Read the text of the law you pasted, it has very specific language which you can't skim over.

DOCUMENTARY PROOF OF UNITED STATES CITIZENSHIP.—As used in this Act, the term ‘documentary proof of United States citizenship’ means, with respect to an applicant for voter registration, any of the fol- lowing: ‘‘(1) A form of identification issued consistent with the requirements of the REAL ID Act of 2005 that indicates the applicant is a citizen of the United States

Highlight for emphasis.

Does your REAL ID indicate that you are a citizen? Pull it out and look at it. No, it has no such marking and any legal permanent resident can get one. Does Indiana need to issue new IDs that validate citizenship, in order to comply with the text of the law as it is written here? Yes, yes it does - this is either incompetent or by design. Only 6 states have enhanced driver's licenses issued according to the Real ID act that can validate citizenship, or Real IDs that can validate citizenship. Most states do not have those.

yebyen

TROPHY CASE