Need to let loose a primal scream without collecting footnotes first? Have a sneer percolating in your system but not enough time/energy to make a whole post about it? Go forth and be mid: Welcome to the Stubsack, your first port of call for learning fresh Awful you’ll near-instantly regret.
Any awful.systems sub may be subsneered in this subthread, techtakes or no.
If your sneer seems higher quality than you thought, feel free to cut’n’paste it into its own post — there’s no quota for posting and the bar really isn’t that high.
The post Xitter web has spawned soo many “esoteric” right wing freaks, but there’s no appropriate sneer-space for them. I’m talking redscare-ish, reality challenged “culture critics” who write about everything but understand nothing. I’m talking about reply-guys who make the same 6 tweets about the same 3 subjects. They’re inescapable at this point, yet I don’t see them mocked (as much as they should be)
Like, there was one dude a while back who insisted that women couldn’t be surgeons because they didn’t believe in the moon or in stars? I think each and every one of these guys is uniquely fucked up and if I can’t escape them, I would love to sneer at them.
(Credit and/or blame to David Gerard for starting this.)
Here’s a fun one… Microsoft added copilot features to sharepoint. The copilot system has its own set of access controls. The access controls let it see things that normal users might not be able to see. Normal users can then just ask copilot to tell them the contents of the files and pages that they can’t see themselves. Luckily, no business would ever put sensitive information in their sharepoint system, so this isn’t a realistic threat, haha.
Obviously Microsoft have significant resources to research and fix the security problems that LLM integration will bring with it. So much money. So many experts. Plenty of time to think about the issues since the first recall debacle.
And this is what they’ve accomplished.
https://www.pentestpartners.com/security-blog/exploiting-copilot-ai-for-sharepoint/
Is that this one or a different instance of the same bug?
I think that these are different products? I mean, the underlying problem is the same, but copilot studio seems to be “configure your own llm front-end” and copilot for sharepoint seems to be an integration made by the sharepoint team themselves, and it does make some promises about security.
Of course, it might be exactly the same thing with different branding slapped on top, and I’m not sure you could tell without some inside information, but at least this time the security failures are the fault of Microsoft themselves rather than incompetent third party folk. And that suggests that copilot studio is so difficult to use correctly that no-one can, which is funny.
Abusing privileged identities like this to do things is apparently a thing the younger hackers are quite good at so this will all be fun.
@rook @BlueMonday1984 wow. Why go to all the trouble of social engineering a company when you can just ask Copilot?
@rook @BlueMonday1984 Maybe they have asked CoPilot to write the code that restricts access for CoPilot?
(Sometimes this future feels like 2001 A Space Odyssey, just as a farce. And without benevolent aliens.)
@rook @BlueMonday1984
Thankfully I’m able to say “what is sharepoint?”
I did meet it once. A client used it in their office. But when they wanted us offshore (via satellite link) to contribute to it, it became awfully unstable, probably because of latency/ unstable data links.
It’s M$. I doubt it has improved.