upvote

points

by darkwater4 hours ago |
comments
upvoteby fg13718 minutes ago|
next
[-]
Do we actually know the employee downloaded it on their work machine? At least this article doesn't say that (and I couldn't find it in other sources as well). Plenty of companies allow you to VPN into corporate network, or log into certain internal systems from the public Internet. Not saying they should, but it is much more common than you think.

For reference, look at how Disney got hacked. One employee downloaded compromised software on a personal computer. One thing led to another and boom. IT in many companies are much more incompetent than you think. I have seen that first hand.

reply
upvoteby gmerc3 hours ago|
prev|
next
[-]
Let’s just say that OpSec at companies adopting AI is low across the board because security just isn’t a deciding feature at the moment. See McDonalds breach 2 years ago
reply
upvoteby wongarsu2 hours ago|
parent|
[-]
As somebody who tried selling cybersecurity software: Cyber-related OpSec is bad in most companies, AI or not. If effort and budget is allocated to it at all it's usually to a box-checking exercise that is about optics, liability and staying eligible for insurance payouts
reply
upvoteby cyanydeez1 hours ago|
parent|
next
[-]
Right, and adding the shifting sands of AI security just makes it worse. AI isn't a technology that's improving security.
reply
upvoteby NoahZuniga1 hours ago|
prev|
next
[-]
I'd instead blame the IT department that let users install arbitrary software.
reply
upvoteby fg13736 minutes ago|
parent|
[-]
Or how it is possible to grant broad permissions to their Google workspace account. That doesn't happen where I work. Only a handful of approved applications can connect.
reply
upvoteby skywhopper1 hours ago|
prev|
next
[-]
That’s one among a dozen factors at play here. Yes that’s bad, but also the security of other systems should never depend on your work laptop never getting hacked or having spyware installed. If that’s the only defense, you’re going to have problems.
reply
upvoteby ErroneousBosh3 hours ago|
prev|
[-]
Right? This isn't "A Roblox cheat and an AI tool", this is a failure of basic basic basic opsec across two organisations.

One for which the Context.ai employee needs to have their arse booted up and down the car park for.

reply
upvoteby sitkack3 hours ago|
parent|
[-]
What about the context.ai security team?

You can blame individuals, but security is a property of the system.

reply
upvoteby baxtr2 hours ago|
parent|
[-]
It’s a very fine line. How do you check if people adhere to policies and at the same time don’t monitor them permanently?
reply
upvoteby Topfi2 hours ago|
parent|
[-]
Endpoint Detection and Response?

Heck, not giving the person Admin privileges would have sufficed to prevent this. Or better hiring preventing people who install Roblox cheats on work devices...

There is no excuse and no fine line here. Even outside them boasting about SOC 2 Type II, this would be embarrassing for an SME not in the tech sector.

reply
upvoteby baxtr1 hours ago|
parent|
[-]
OP was talking about the security team. Not sure what you are proposing?

Do you want to let any applicant be screened by the security team?

reply
upvoteby Topfi1 hours ago|
parent|
[-]
Any security team that gives unrestricted admin privileges to random employees is not a security team. So doing the most basic parts of their job, that would be my proposal.

If specific to my hiring comment, was meant a bit facetious, though I will point out this line in their "compliance" report by "auditor" Delve:

> The organization carries out background and/or reference checks on all new employees and contractors prior to joining in accordance with relevant laws, regulations and ethics. Management utilizes a pre-hire checklist to ensure the hiring manager has assessed the qualification of candidates to confirm they can perform the necessary job requirements.

Maybe those pre-hire checklists should include a question like "Are you a massive idiot, who'd install a game on their work computer, then on top of that be the type of idiot who likes to cheat, then on top of that be the type of idiot to install cheats on your work computer?", maybe that'd prevent this in the future. Or again, just don't give everyone Admin privileges...

reply