this post was submitted on 17 Dec 2024
55 points (85.7% liked)

Technology

60102 readers
1844 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 21 points 1 week ago (1 children)

Classified information leaks in 3 ... 2 ...

[–] [email protected] 12 points 1 week ago (1 children)

Even worse: It's a compliance nightmare!

Classified information leaking in this way is a one-off situation that might get an individual in trouble. If someone at a heavily-regulated company uploads the wrong thing though, that can cause major disruptions to commercial services while the regulators investigate. Not just fines or prosecutions after-the-fact!

Here's why it's a big deal: Nearly every organization allows employees to use google.com. That necessitates allowing POSTs to google.com and from a filtering perspective it makes it nearly impossible to prevent. The best you can do is limit the POST size.

Having said that, search forms in general always pose a 3rd party information disclosure risk but when you enable uploading of entire files instead of just limited text prompts you increase the risk surface by an order of magnitude.

[–] [email protected] 6 points 1 week ago

My organization seems to have already thrown in the AI towel, or at least are resorting to magical thinking about it

We’re highly integrated with Microsoft - Windows Login, Active Directory, Microsoft 365, and even a managed version of Edge as the org-wide ‘default’ browser that we’re encouraged to sign into with our organizational credentials to sync account information, etc. Our AI policy is basically “You can use any Microsoft AI feature your account can access.”
They can try to block whatever sites they want with the firewall, but once you let a user get comfortable with the idea of allowing systems to exfiltrate data, you aren’t going to also make them more discrete. They’re trusting that by throwing open the floodgates users will actually use Microsoft’s offerings instead of competing offerings — as if folks who sometimes still cannot tell the difference between a web browser and ‘the internet’ will know the difference. And they are also trusting that Microsoft is going to uphold our enterprise license agreement and their own security to keep that data within our own cloud instance.

Boy howdy, this will be interesting.