Comment by jryio

Comment by jryio 19 hours ago

94 replies

View on Hacker News

It's so important to remember that unlike code which can be reverted - most file system and application operations cannot.

There's no sandboxing snapshot in revision history, rollbacks, or anything.

I expect to see many stories from parents, non-technical colleagues, and students who irreparably ruined their computer.

Edit: most comments are focused on pointing out that version control & file system snapshot exists: that's wonderful, but Claude Cowork does not use it.

For those of us who have built real systems at low levels I think the alarm bells go off seeing a tool like this - particularly one targeted at non-technical users

Workaccount2 18 hours ago

Frequency vs. convenience will determine how big of a deal this is in practice.

Cars have plenty of horror stories associated with them, but convenience keeps most people happily driving everyday without a second thought.

Google can quarantine your life with an account ban, but plenty of people still use gmail for everything despite the stories.

So even if Claude cowork can go off the rails and turn your digital life upside down, as long as the stories are just online or "friend of a friend of a friend", people won't care much.

Reply View 15 replies
  • soiltype 17 hours ago

    Considering the ubiquity and necessity of driving cars is overwhelmingly a result of intentional policy choices irrespective of what people wanted or was good for the public interest... actually that's quite a decent analogy for integrated LLM assistants.

    People will use AI because other options keep getting worse and because it keeps getting harder to avoid using it. I don't think it's fair to characterize that as convenience though, personally. Like with cars, many people will be well aware of the negative externalities, the risk of harm to themselves, and the lack of personal agency caused by this tool and still use it because avoiding it will become costly to their everyday life.

    I think of convenience as something that is a "bonus" on top of normal life typically. Something that becomes mandatory to avoid being left out of society no longer counts.

    Reply View 7 replies
    • Wowfunhappy 4 hours ago

      What has gotten worse without AI? I don't think writing or coding is inherently harder. Google search may be worse but I've heard Kagi is still pretty great. Apple Intelligence feels like it's easy to get rid of on their platforms, for better and worse. If you're using Windows that might get annoying, personally I just use LTSC.

      Reply View 0 replies
    • lijok 16 hours ago

      People love their cars, what are you talking about

      Reply View 5 replies
      • ehnto 14 hours ago

        I am a car enthusiast so don't think I'm off the deep end here, but I would definitely argue that people love their cars as a tool to work in the society we built with cars in mind. Most people aren't car enthusiasts, they're just driving to get to work, and if they could get to work for a $1 fare in 20 minutes on a clean, safe train they would probably do that instead.

        Reply View 3 replies
      • yard2010 8 hours ago

        I love my car. And yet I really want to see all the cars eradicated from existence. At least from the public space.

        Reply View 0 replies
  • yencabulator 17 hours ago

    I mean, we were there before this Cowork feature started exposing more users to the slot machine:

    "Claude CLI deleted my home directory and wiped my Mac" https://news.ycombinator.com/item?id=46268222

    "Vibe coding service Replit deleted production database, faked data, told fibs" https://news.ycombinator.com/item?id=44632575

    "Google Antigravity just deleted the contents of whole drive" https://news.ycombinator.com/item?id=46103532

    Reply View 5 replies
    • Workaccount2 17 hours ago

      That's what I am saying though. Anecdotes are the wrong thing to focus on, because if we just focused on anecdotes, we would all never leave our beds. People's choices are generally based on their personal experience, not really anecdotes online (although those can be totally crippling if you give in).

      Car crashes are incredibly common and likewise automotive deaths. But our personal experience keeps us driving everyday, regardless of the stories.

      Reply View 4 replies
      • yencabulator 17 hours ago

        We as a society put a whole lot of effort into making cars safer. Seatbelts, ABS, airbags.. Claude Code should have airbags too!

        Reply View 3 replies
  • Quothling 9 hours ago

    > So even if Claude cowork can go off the rails and turn your digital life upside down, as long as the stories are just online or "friend of a friend of a friend", people won't care much.

    This is anecdotal but "people" care quite a lot in the energy sector. I've helped build our own AI Agent pool and roll it out to our employees. It's basically a librechat with our in-house models, where people can easily setup base instruction sets and name their AI's funny things, but are otherwise similar to using claude or chatgpt in a browser.

    I'm not sure we're ever going to allow AI's access to filesystems, we barely allow people access to their own files as it is. Nothing that has happened in the past year has altered the way our C level view the security issues with AI in any other direction than being more restrictive. I imagine any business that cares about security (or is forced to care by leglislation) isn't looking at this as a they do cars. You'd have to be very unlucky (or lucky?) to shut down the entire power grid of Europe with a car. You could basically do it with a well placed AI attack.

    Ironically, you could just hack the physical components which probably haven't had their firmware updated for 20 years. If you even need to hack it, because a lot of it frankly has build in backdoors. That's a different story that nobody on the C levels care about though.

    Reply View 0 replies
alwillis 19 hours ago

The first version is for macOS, which has snapshots [1] and file versioning [2] built-in.

[1]: https://eclecticlight.co/2024/04/08/apfs-snapshots/

[2]: https://eclecticlight.co/2021/09/04/explainer-the-macos-vers...

Reply View 4 replies
  • shepherdjerred 17 hours ago

    Are average users likely to be using these features? Most devs at my company don’t even have Time Machine backups

    Reply View 1 reply
    • aixpert 9 hours ago

      snapshots are local Time Machine backups for a few hours which don't need external hard drives and are configured by default I think

      Reply View 0 replies
  • cbm-vic-20 19 hours ago

    RSX-11M for the PDP-11 had filesystem versioning back in the early 1980s, if not earlier.

    Reply View 1 reply
    • TurkTurkleton 18 hours ago

      And if they were releasing Cowork for RSX-11M, that might be relevant.

      Reply View 0 replies
falcor84 16 hours ago

Once upon a time, in the magical days of Windows 7, we had the Volume Shadow Copy Service (aka "Previous Versions") available by default, and it was so nice. I'm not using Windows anymore, and at least part of the reason is that it's just objectively less feature complete than it used to be 15 years ago.

Reply View 1 reply
  • superjose 9 hours ago

    Yeah. I also like Windows, but MS has done a wonderful job to destroy the OS with newer releases.

    I haven't had to tweak an OS like Win 11 ever.

    Reply View 0 replies
toddmorey 19 hours ago

Q: What would prevent them from using git style version control under the hood? User doesn’t have to understand git, Claude can use it for its own purposes.

Reply View 16 replies
  • twosdai 19 hours ago

    Didn't actually check out the app, but some aspects of application state are hard to serialize, some operations are not reversible by the application. EG: sending an email. It doesn't seem naively trivial to accomplish this, for all apps.

    So maybe on some apps, but "all" is a difficult thing.

    Reply View 3 replies
    • CuriouslyC 15 hours ago

      For irreversible stuff I like feeding messages into queues. That keeps the semantics clear, and makes the bounds of the reversibility explicit.

      Reply View 1 reply
      • TeMPOraL 14 hours ago

        Tool calls are the boundary (or at least one of them).

        Reply View 0 replies
  • nikkwong 19 hours ago

    You can’t easily snapshot the current state of an OS and restore to that state like with git.

    Reply View 10 replies
    • madeofpalk 18 hours ago

      Maybe not for very broad definitions of OS state, but for specific files/folders/filesystems, this is trivial with FS-level snapshots and copy-on-write.

      Reply View 0 replies
    • incr_me 10 hours ago

      Let's assume that you can. For disaster recovery, this is probably acceptable, but it's unacceptable for basically any other purpose. Reverting the whole state of the machine because the AI agent (a single tenant in what is effectively a multi-tenant system) did something thing incorrect is unacceptable. Managing undo/redo in a multiplayer environment is horrific.

      Reply View 0 replies
    • alwillis 19 hours ago

      At least on macOS, an OS snapshot is a thing [1]; I suspect Cowork will mostly run in a sandbox, which Claude Code does now.

      [1]: https://www.cleverfiles.com/help/apfs-snapshots.html

      Reply View 3 replies
      • nikkwong 18 hours ago

        Ok, you can "easily", but how quickly can you revert to a snapshot? I would guess creating a snapshot for each turn change with an LLM become too burdensome to allow you to iterate quickly.

        Reply View 1 reply
        • alwillis 17 hours ago

          For the vast majority, this won't be an issue.

          This is essentially a UI on top of Claude Code, which supports running in a sandbox on macOS.

          Reply View 0 replies
      • bigyabai 18 hours ago

        All major OSes support snapshotting, and it's not a panacea on any of them.

        Reply View 0 replies
    • Imustaskforhelp 19 hours ago

      Well there is cri-u for what its worth on linux which can atleast snapshot the state of an application and I suppose something must be similar available for filesystems as well

      Also one can simply run a virtual machine which can do that but then the issue becomes in how apps from outside connect to vm inside

      Reply View 1 reply
      • nicoty 19 hours ago

        Filesystems like zfs, btrfs and bcachefs have snapshot creation and rollbacks as features.

        Reply View 0 replies
    • viraptor 19 hours ago

      Sure you can. Filesystem snapshotting is available on all OSes now.

      Reply View 0 replies
    • Analemma_ 17 hours ago

      I wonder if in the long run this will lead to the ascent of NixOS. They seem perfect for each other: if you have git and/or a snapshotting filesystem, together with the entire system state being downstram of your .nix file, then go ahead and let the LLM make changes willy-nilly, you can always roll back to a known good version.

      NixOS still isn't ready for this world, but if it becomes the natural counterpart to LLM OS tooling, maybe that will speed up development.

      Reply View 0 replies
  • samuelstros 17 hours ago

    Git only works for text files. Everything else is a binary blob which, among other things, leads to merge conflicts, storage explosion, and slow git operations

    Reply View 0 replies
y42 19 hours ago

Indeed there are and this is no rocket science. Like Word Documents offer a change history, deleted files go to the trash first, there are undo functions, TimeMachine on MacOs, similar features on Windows, even sandbox features.

Reply View 14 replies
  • fuzzy2 19 hours ago

    Trash is a shell feature. Unless a program explicitly "moves to trash", deleting is final. Same for Word documents.

    So, no, there is no undo in general. There could be under certain circumstances for certain things.

    Reply View 10 replies
    • NewsaHackO 18 hours ago

      I mean, I'm pretty sure it would be trivial to tell it to move files to the trash instead of deleting them. Honestly, I thought that on Windows and Mac, the default is to move files to the trash unless you explicitly say to permanently delete them.

      Reply View 2 replies
      • fuzzy2 4 hours ago

        Yes, it is (relatively, [1]) trivial. However, even though it is the shell default (Finder, Windows Explorer, whatever Linux file manager), it is not the operating system default. If you call unlink or DeleteFile or use a utility that does (like rm), the file isn’t going to trash.

        [1]: https://github.com/arsenetar/send2trash (random find, not mine)

        Reply View 0 replies
      • johnisgood 17 hours ago

        Because it is the default. Heck, it is the default for most DEs and many programs on Linux, too.

        Reply View 0 replies
    • Ajedi32 19 hours ago

      Everything on a ZFS/BTRFS partition with snapshots every minute/hour/day? I suppose depending on what level of access the AI has it could wipe that too but seems like there's probably a way to make this work.

      Reply View 4 replies
      • literalAardvark 19 hours ago

        I guess it depends on what its goals at the time are. And access controls.

        May just trash some extra files due to a fuzzy prompt, may go full psychotic and decide to self destruct while looping "I've been a bad Claude" and intentionally delete everything or the partitions to "limit the damage".

        Wacky fun

        Reply View 0 replies
      • antinomicus 19 hours ago

        The topic of the discussion is something that parents, grandmas, and non technical colleagues would realistically be able to use.

        Reply View 2 replies
    • OJFord 18 hours ago

      Shell? You meant Finder I think?

      Reply View 1 reply
      • Alphaeus 14 hours ago

        GUI shell (as opposed to a text-based shell).

        Reply View 0 replies
  • [removed] 18 hours ago
    [deleted]
    Reply View 0 replies
  • cush 19 hours ago

    State isn't always local too

    Reply View 0 replies
  • [removed] 19 hours ago
    [deleted]
    Reply View 0 replies
Aeolun 6 hours ago

If this is like Claude Code for everyone else, shouldn’t it be snapshotting anything it changes so that you can go back to the previous state?

Reply View 0 replies
bob1029 17 hours ago

In theory the risk is immense and incalculable, but in practice I've never found any real danger. I've run wide open powershell with an OAI agent and just walked away for a few hours. It's a bit of a rush at first but then you realize it's never going to do anything crazy.

The base model itself is biased away from actions that would lead to large scale destruction. Compound over time and you probably never get anywhere too scary.

Reply View 0 replies
hans0l074 9 hours ago

IIUC, this is a preview for Claude Max subscribers - I'm not sure we'll find many teachers or students there (unless institutions are offering Max-level enterprise/team subscriptions to such groups). I speculate that most of those who will bother to try this out will be software engineering people. And perhaps they will strengthen this after enough feedback and use cases?

Reply View 0 replies
matt3D 8 hours ago

Pretty much every company I work with uses the desktop sync tools for OneDrive/GoogleDrive/Dropbox etc.

It would be madness to work completely offline these days, and all of these systems have version history and document recovery built in.

Reply View 0 replies
Helmut10001 7 hours ago

I would never use what is proposed by OP. But, in any case, Linux on ZFS that is automatically snapshotted every minute might be (part of) a solution to this dilemma.

Reply View 0 replies
seunosewa 19 hours ago

There's no reason why Claude can't use git to manage the folders that it controls.

Reply View 4 replies
  • binarymax 19 hours ago

    Most of these files are binary and are not a good fit for git’s graph based diff tracker…you’re basically ending up with a new full sized binary for every file version. It works from a version perspective, but is very inefficient and not what git was built for.

    Reply View 0 replies
  • oblio 19 hours ago

    Git isn't good with big files.

    I wanted to comment more, but this new tool is Mac only for now, so there isn't much of a point.

    Reply View 2 replies
    • mhitza 11 hours ago

      Too hard for AI to make crossplatform tools.

      Reply View 0 replies
    • Imustaskforhelp 19 hours ago

      git with lfs

      There is also xet by huggingface which tries to make git work better with big files

      Reply View 0 replies
big-chungus4 7 hours ago

A human can also accidentally delete or mess up some files. The question is whether Claude Cowork is more prone to it.

Reply View 0 replies
Weryj 19 hours ago

TimeMachine has never been so important.

Reply View 8 replies
__MatrixMan__ 10 hours ago

I hope we see further exploration into immutable/versioned filesystems and databases where we can really let these things go nuts, commit the parts we want to keep, and revert the rest for the next iteration.

Reply View 0 replies
akurilin 16 hours ago

You make a good point. I imagine that they will eventually add Perforce-style versioning to the product and this issue will be solved.

Reply View 0 replies
o_m 19 hours ago

So the future is NixOS for non-technical people?

Reply View 2 replies
  • porkloin 15 hours ago

    Yes, and I think we're already seeing that in the general trend of recent linux work toward atomic updates. [bootc](https://developers.redhat.com/articles/2024/09/24/bootc-gett...) based images are getting a ton of traction. [universal blue](https://universal-blue.org/) is probably a better brochure example of how bootc can make systems more resilient without needing to move to declarative nix for the entire system like you do in NixOS. Every "upgrade" is a container deployment, and you can roll back or forward to new images at any time. Parts of the filesystem aren't writeable (which pisses people off who don't understand the benefit) but the advantages for security (isolating more stuff to user space by necessity) and stability (wedged upgrades are almost always recoverable) are totally worth it.

    On the user side, I could easily see [systemd-homed](https://fedoramagazine.org/unlocking-the-future-of-user-mana...) evolving into a system that allows snapshotting/roll forward/roll back on encrypted backups of your home dir that can be mounted using systemd-homed to interface with the system for UID/GID etc.

    These are just two projects that I happen to be interested in at the moment - there's a pretty big groundswell in Linux atm toward a model that resembles (and honestly even exceeds) what NixOS does in terms of recoverability on upgrade.

    Reply View 0 replies
  • teekert 18 hours ago

    Or rather ZFS/BTRFS/BchachFS. Before doing anything big I make snapshot, saved me recently when a huge Immich import created a mess, `zfs rollback /home/me@2026-01-12`... And it's like nothing ever happened.

    Reply View 0 replies
hopelite 15 hours ago

Somewhat related is a concern I have in general as things get more "agentic" and related to the prompt injection concerns; without something like legally bullet-proof contracts, aren't we moving into territory of basically "employing" what could basically be "spies" at all levels from personal (i.e., AI company staff having access to your personal data/prompts/chats) to business/corporate espionage, to domestic and international state level actors who would also love to know what you are working on and what you are thinking/chatting about and maybe what your mental health challenges are that you are working through with an AI chat therapist.

I am not even certain if this issue can be solved since you are sending your prompts and activities to "someone else's computer", but I suspect if it is overlooked or hand-waved as insignificant, there will be a time when open, local models will become useful enough to allow most to jettison cloud AI providers.

I don't know about everyone else, but I am not at all confident in allowing access and sending my data to some AI company that may just do a rug pull once they have an actual virtual version of your mind in a kind of AI replication.

I'll just leave it at that point and not even go into the ramifications of that, e.g., "cybercrimes" being committed by "you", which is really the AI impersonator built based on everything you have told it and provide access to.

Reply View 0 replies
[removed] 15 hours ago
[deleted]
Reply View 0 replies
kamaal 12 hours ago

>>I expect to see many stories from parents, non-technical colleagues, and students who irreparably ruined their computer.

I do believe the approach Apple is taking is the right way when it comes to user facing AI.

You need to reduce AI to being an appliance that does one or at most a few things perfectly right without many controls with unexpected consequences.

Real fun is robots. Not sure no one is hurrying up on that end.

>>Edit: most comments are focused on pointing out that version control & file system snapshot exists: that's wonderful, but Claude Cowork does not use it.

Also in my experience this creates all kinds of other issues. Like going back up a tree creates all kinds of confusions and keeps the system inconsistent with regards to whatever else it is you are doing.

You are right in your analysis that many people are going to end up with totally broken systems

Reply View 0 replies
heliumtera 17 hours ago

There was a couple of posts here on hacker news praising agents because, it seems, they are really good at being a sysadmin. You don't need to be a non-technical user to be utterly fucked by AI.

Reply View 2 replies
  • TeMPOraL 14 hours ago

    Theoretically, the power drill you're using can spontaneously explode, too. It's very unlikely, but possible - and then it's much more likely you'll hurt yourself or destroy your work if you aren't being careful and didn't set your work environment right.

    The key for using AI for sysadmin is the same as with operating a power drill: pay at least minimum attention, and arrange things so in the event of a problem, you can easily recover from the damage.

    Reply View 1 reply
    • intended 7 hours ago

      If a power tool blows up regularly, they get sued or there is a recall.

      We have far more serious rules at play for harm when it comes to physical goods which we have experience with, than generative tools.

      There is no reason generative tools should not be governed by similar rules.

      I suspect people at anthropic would agree with this, because it would also ensure incentives are similar for all major GenAi purveyors.

      Reply View 0 replies
neocron 19 hours ago

Not a big problem to make snapshots with lvm or zfs and others. I use it automatically on every update

Reply View 6 replies
  • lp0_on_fire 19 hours ago

    What percentage of non-IT professionals know what zfs/lvm are let alone how to use them to make snapshots?

    Reply View 4 replies
    • neocron 19 hours ago

      I assumed we are talking about IT professionals using tools like claude here? But even for normal people it's not really hard if they manage to leave the cage in their head behind that is ms windows.

      My father is 77 now and only started using computer abover age 60, never touched windows thanks to me, and has absolutely no problems using (and administrating at this point) it all by himself

      Reply View 3 replies
  • fouronnes3 19 hours ago

    I'm not even sure if this is a sarcastic dropbox-style comment at this point.

    Reply View 0 replies