this post was submitted on 10 Aug 2024
255 points (100.0% liked)

TechTakes

1296 readers
123 users here now

Big brain tech dude got yet another clueless take over at HackerNews etc? Here's the place to vent. Orange site, VC foolishness, all welcome.

This is not debate club. Unless it’s amusing debate.

For actually-good tech, you want our NotAwfulTech community

founded 1 year ago
MODERATORS
dgerard@awful.systems
255
Microsoft’s Copilot Studio AI leaks your business info internally and externally (pivot-to-ai.com)
submitted 1 month ago by dgerard@awful.systems to c/techtakes@awful.systems
30 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] self@awful.systems 23 points 1 month ago (9 children)
  • don’t use any of this stupid garbage
  • if you’re forced to deploy this stupid garbage, treat RAG like a poorly-secured search engine index (which it pretty much is) or privacy-hostile API and don’t feed anything sensitive or valuable into it
  • document the fuck out of your objections because this stupid garbage is easy to get wrong and might fabricate liability-inducing answers in spite of your best efforts
  • push back hard on making any of this stupid garbage public-facing, but remember that your VPN really shouldn’t be the only thing saving you from a data breach
[–] SurpriZe@lemm.ee 5 points 1 month ago (8 children)

Thanks but it's too late. Here it's all over unfortunately. I'm just doing my best to mitigate the risks. Anything more substantial?

[–] froztbyte@awful.systems 8 points 1 month ago (6 children)

“better late than never”

if it already got force-deployed, start noting risks and finding the problem areas you can identify post-hoc, and speaking with people to raise alert level about it

probably a lot of people are going to be in the same position as you, and writing about the process you go through and whatever you find may end up useful to others

on a practical note (if you don’t know how to do this type of assessment) a couple of sittings with debug logging enabled on the various api implementations, using data access monitors (whether file or database), inspecting actual api calls made (possibly by making things go through logging proxies as needed), etc will all likely provide a lot of useful info, but it’ll depend on whether you can access those things in the first place

if you can’t do those, closely track publications of issues for all the platforms your employer may have used/rolled out, and act rapidly when shit inevitably happens - same as security response

[–] SurpriZe@lemm.ee 2 points 1 month ago (1 children)

How's it at your place? What's your experience been with this whole thing

[–] froztbyte@awful.systems 8 points 1 month ago (1 children)

whenever any of this dogshit comes up, I have immediately put my foot down and said no. occasionally I have also provided reasoning, where it may have been necessary/useful

(it’s easy to do this because making these calls is within my role, and I track the dodgy parts of shit more than anyone else in the company)

[–] SurpriZe@lemm.ee 2 points 1 month ago (1 children)

Hm, that's good to have such authority on the matter. What's your position?

I'm struggling with people who don't fully understand what this is all about the most.

[–] froztbyte@awful.systems 5 points 1 month ago (1 children)

my position is "the hell with all this clown-ass bullshit"

[–] SurpriZe@lemm.ee 0 points 1 month ago (1 children)

I mean your position in the company.

[–] froztbyte@awful.systems 4 points 1 month ago* (last edited 1 month ago)

I knew/understood what you meant

load more comments (4 replies)
load more comments (5 replies)
load more comments (5 replies)