So a lot of the way I’ve come to think about this came from Amy Hoy. If you don’t know her, Amy Hoy, she’s one of the proprietors of the 30×500 e-course and methodology of product making.

Her idea is that if you have a $30 per month product, and you find 500 customers, that that would be enough to build a small business. And the way that she wants you to get towards that product is by creating educational content for the audience that you intend to serve with the product. And then you’re going to, along the way, find your product after having done this educational content.

• Stacking the Bricks (Amy Hoy’s site)
• Write While True Episode 53: Pick a Reader
• Write While True Episode 5: Audience and Message

Transcript

Lou: Oh boy.

Brian: Yeah, yeah. No, this one’s gonna hurt. When you write something and you share it, and then somebody tells you that it’s absolute trash in some manner or another, and there’s really no avoiding it.

Transcript

I think this came up in the last conversation and your example was, I do B2B SaaS. If you’re in gaming, things might be a little different, something like that. I just want to talk more about that because of how useful it is to make those distinctions. 

And I guess the basic point I want to make about reader profile, and we’ll get into what it is and how you do it, but it should make your writing easier to produce.

• Write While True Episode 5: Audience and Message

Transcript

This deals with one leg of the trifecta, which is sufficient, but I don’t ignore the other two.

To limit the chance of an agent being exposed to a prompt injections, I build on an architecture of very limited dependencies. My current project is to build visualizations in JS on D3. I only include D3 on pages in the browser (it’s not on my machine). I don’t use npm, and I have no other dependencies.

The thing I miss most is jest, but I decided to build a minimal testing framework (just need to run functions and make assertions). I run the tests in a browser, so I get access to a DOM too, which I could test against. All of the code for this project only makes sense inside of a web page in the browser, which is another sandbox. It’s like Inception up in here.

My other projects are python based and live in their own VM. I need some dependencies there (pandas, numpy, matplotlib and more). The main thing I am doing is keeping that separate from the visualization project so that any issue in one doesn’t affect the other.

Nothing else that I need for the project (that I didn’t create) lives in that VM.

My main exposure to untrusted text is that I let the agent browse the web. I don’t see how I could avoid this, which is why this leg of the trifecta could never be the one I eliminate.

1. Access to your private data—one of the most common purposes of tools in the first place!
2. Exposure to untrusted content—any mechanism by which text (or images) controlled by a malicious attacker could become available to your LLM
3. The ability to externally communicate in a way that could be used to steal your data (I often call this “exfiltration” but I’m not confident that term is widely understood.)

https://simonwillison.net/2025/Jun/16/the-lethal-trifecta/

You need all three to be vulnerable, but usage of Claw or Coding agents will have them by default. I would say that the second two are almost impossible to stop.

#2 Untrusted content includes all of your incoming email and messages, all documents you didn’t write, all packages you have downloaded (via pip, npm, or whatever) and every web page you let the agent read. I have no idea how to make an agent useful without some of these (especially web searching).

#3 External communication includes any API call you let it make, embedded images in responses, or just letting it read the web. Even if you whitelist domains, agents have found ways to piggyback communication because many URLs/APIs have a way of embedding a follow-up URL inside of them.

For my uses, I find it impossible to avoid these two. Reduce? Yes, but not eliminate.

So, my only chance to escape the trifecta is to not give agents access to my private data. This means that I would never let an agent process my email or messages. I also would never run them on my personal laptop. I would never let them login as me to a service.

This is why I built hardware and software sandboxes to code in. Inside a VM on a dedicated machine, there is no private data at all. I use it while assuming that all code inside that VM is untrusted and that my agent is compromised. I do my best to try to make sure that won’t happen, but my main concern is that there is no harm if it does happen.

Incidentally, this same lethal trifecta also applies to every package you install into your coding projects. If an NPM package can (1) read your secrets (2) is untrusted and (3) can communicate, then you may suffer from a supply chain attack. It’s obvious that code you install and run makes #2 and #3 impossible to safeguard against. Not having secrets in the VM is the best solution for supply chain attacks too.

Tomorrow, I’ll follow up with how I reduce the other two legs of the lethal trifecta.

Brian: Yeah, let’s do it, for sure. And to begin, the assumptions here are that you’re working on a piece of writing that you intend to iterate on. You’re going to revise this writing, you’re going to improve it. It might be a book, newsletter, blog post, something you care enough about to spend time on after you first put it out into the world for feedback.

• Write While True Episode 48: Start a Collaboration

Transcript

• Part I: Intro and Rationale
• Part II: Linux
• Part III: Python/Django
• Part IV: HTMX
• Part V: VSCode and Copilot
• Part VI: Bulma
• Part VII: Sqlite
• Part VIII: uv
• Part IX: tooling
• Part X: networking

My choices were driven by the dangers of AI Coding Agents and Supply Chain attacks (more generally, just running untrusted code).

Getting all development off of my main machine was a big step. Choosing Linux for that machine was driven by cost per computing power for a desktop machine, and that I only need to run VSCode, a browser, and dev tools that are Linux first anyway.

I have been programming on the bare OS, but I was always going to want more isolation between projects and between the projects and the machine. I finally completed that step.

My choice was to use QEMU-KVM, an open-source VM solution. This blog about QEMU-KVM on Ubuntu was the most useful (and accurate) for me.

My general setup:

1. The machine only has Ubuntu, Firefox, Tailscale (see networking), and my KVM setup described above.
2. I built one VM to work on a new project (charting visualizations for Google Sheets), which only needs Ubuntu, VSCode, Git, and Firefox.
3. This project is in Javascript, but I am building it with a dependency on D3 and nothing else. No NPM, not even jest. D3 is only loaded by the browser (not on the machine)
4. For testing, I am building a minimal test harness in JS. It runs in the browser, so it will also be able to do DOM testing.
5. There is no firewall yet, but I will probably do that soon. As a first step, just limiting the ports. I will document that if I go that way. It would be inside the VM.
6. I allow some limited logged in browsing in my outside OS, mostly ChatGPT, but not Google. The main OS is for research. Nothing else can be installed on it (through any means, even trusted). The VM browsers are only for using my software (not the internet).

Other solutions I considered:

1. Cloud based programming (like codespaces): This would definitely work for some projects I have, but I feel like I’d run up against limitations. Long-term, I think this will become the only sane way to program.
2. Docker: I am not that comfortable with it, and it seems like running GUIs (like VSCode) is not trivial. It would be more efficient with sharing installed software, but wasting disk space is just not an issue.
3. No Sandbox: Just putting all development on a dedicated computer is probably enough. I went the VM route mostly out of personal interest. Having done it, one big plus is snapshotting.

And I guess I want to say, Lou, you went through the whole process of blogging for a long time and then taking on a book project or multiple book projects, writing the book, editing the books. Now you’re in the phase where you have to be marketing the book. I hope you’re marketing the book. Talk to me about writing goals in different phases of projects.

Transcript

Lou: Not great, Brian. I did the habit none times.

Brian: Okay, not great. Remind us what you were going to do and tell us what happened.

• Write While True Episode 49: Tiny Habits

Transcript

• Write While True Episode 1: Training to Unblock Yourself
• Write While True Episode 19: Prompt Your Morning Pages
• Tiny Habits [ad] by BJ Fogg

Transcript