Agentic AI-based services are the new Shadow IT.
Uncategorized
60
Posts
45
Posters
0
Views
-
I'd argue that very few companies have any real appreciation for how many of their employees are already feeding API keys and other stuff into fairly new and questionable agentic AI tools or platforms. So many companies are like, oh we're taking a wait-and-see approach to adopting AI. Meanwhile, half their dev team is doing critical development work on shared servers that have no authentication or limited (no 2fa) auth.
-
I'd argue that very few companies have any real appreciation for how many of their employees are already feeding API keys and other stuff into fairly new and questionable agentic AI tools or platforms. So many companies are like, oh we're taking a wait-and-see approach to adopting AI. Meanwhile, half their dev team is doing critical development work on shared servers that have no authentication or limited (no 2fa) auth.
@briankrebs I have personally witnessed people just blindly feeding secrets and sensitive data right into systems where they straight up say "we're gonna hoover up literally everything you feed us as data for 'training' and might spit it out verbatim to anyone who asks." In an organization that basically threatened Very Bad Things would happen to anyone who even *hinted* at information they deemed 'confidential' to anyone else.
-
Agentic AI-based services are the new Shadow IT. Change my mind.
@briankrebs Um no. Not today. I attend sprint demos on the daily to see how far our agentic AI insights have progressed. Not ready for primetime. I work with Fortune 500s and they are asking us questions which lead me to assume not much further development on their side. This will change but not this year or next year. My whole reasoning for saying this is due to data in multi tenant architectures. AI is very prone to making mistakes and there are liabilities.
-
@wordshaper @briankrebs this is why i try to buy the drinks for our legal team. they care about privacy, and care at their wit's end.
@dr_a @briankrebs I also am very fond of our legal team, and I am reminded I should make them some whiskey pie next time I’m near. (Lawyers also, for the record, are fond of Bailey’s cream puffs and rum soaked piña colada cakes. I suspect they’re not fond of their own livers, but maybe it’s just the job)
-
I'd argue that very few companies have any real appreciation for how many of their employees are already feeding API keys and other stuff into fairly new and questionable agentic AI tools or platforms. So many companies are like, oh we're taking a wait-and-see approach to adopting AI. Meanwhile, half their dev team is doing critical development work on shared servers that have no authentication or limited (no 2fa) auth.
@briankrebs how about the ones using bypass methods to do their work without realizing they’re using a file transfer service that doesn’t delete the data they’re exfiling allowing any rando to download the company source code with no tracking
-
@briankrebs how about the ones using bypass methods to do their work without realizing they’re using a file transfer service that doesn’t delete the data they’re exfiling allowing any rando to download the company source code with no tracking
@briankrebs devs aren’t smart. We see you. You’re fucking stupid and creating more work for the rest of us still capable of doing our jobs.
-
@mrmoore @briankrebs HIPAA has some teeth and frankly I would be shocked if a bunch of attorneys *haven't* violated their professional oaths. More importantly, while the US may be a privacy nightmare the EU and UK do have a bit more to say on the matter, with regulations that have teeth.
@wordshaper @briankrebs While HIPAA does have some teeth, it leaves a lot to be desired. There is a lot more ways around HIPAA than people imagine. I think EU is definitely better than the US in terms of privacy, you can already see many problems coming from EU. Parts of GDPR could be rolled back, Chat Control initiatives, etc.
-
I'd argue that very few companies have any real appreciation for how many of their employees are already feeding API keys and other stuff into fairly new and questionable agentic AI tools or platforms. So many companies are like, oh we're taking a wait-and-see approach to adopting AI. Meanwhile, half their dev team is doing critical development work on shared servers that have no authentication or limited (no 2fa) auth.
@briankrebs just this afternoon a colleague and I were questioning whether the real “AI is coming for your job” was not “AI will replace you” but “idiots with AI are going to tank your company and you’re all getting laid off when it collapses”.
-
I'd argue that very few companies have any real appreciation for how many of their employees are already feeding API keys and other stuff into fairly new and questionable agentic AI tools or platforms. So many companies are like, oh we're taking a wait-and-see approach to adopting AI. Meanwhile, half their dev team is doing critical development work on shared servers that have no authentication or limited (no 2fa) auth.
@briankrebs more disturbingly, there are also cases where users throw API keys at their agents, and then have the agents automatically generate/refresh access tokens for them because the user cannot be arsed to do the daily login/2FA dance.
-
@ai6yr @SecureOwl @briankrebs
Random songs? Not Rick Astley?@leeloo @ai6yr @SecureOwl @briankrebs songs randomly picked from a playlist.
The list: [ "Rick Astley - Never Gonna GIve You Up" ]
-
Agentic AI-based services are the new Shadow IT. Change my mind.
True, true.
Just had this conversation. Without a solid understanding and policy, it’s Wild West. We need to find a way to give them what they want before they just start really feeding random secrets into other LLMs.
And yes, blocking or stopping access will just result in Gmail exfil of data, sneakernet (remember me!), or using random “project” sites to bypass blockers.
-
Agentic AI-based services are the new Shadow IT. Change my mind.
@briankrebs@infosec.exchange No? We did a better job than slop machines. -
I'd argue that very few companies have any real appreciation for how many of their employees are already feeding API keys and other stuff into fairly new and questionable agentic AI tools or platforms. So many companies are like, oh we're taking a wait-and-see approach to adopting AI. Meanwhile, half their dev team is doing critical development work on shared servers that have no authentication or limited (no 2fa) auth.
@briankrebs when I interview for appsec positions, I like to ask "what would it take for you to fire a developer for a security lapse?" Interesting conversations ensue. I don't think anyone actually ever fires developers for security failings, including failure to learn from repeated blunders.
-
Agentic AI-based services are the new Shadow IT. Change my mind.
@briankrebs I think it depends on perspective. But specifically for cyber-security threat modelling? Absolutely.
-
Agentic AI-based services are the new Shadow IT. Change my mind.
Representative
Representative
Representative. This is bullshit.
Plesse hold. Your call is important to us.
Bullshit.
Connecting you to a real human ...
-
@briankrebs I have to admit.... earlier this week I spent like 5 hours trying to get this Ubiquiti camera system to work. I tried everything I could think of.
finally, I just gave ssh access to claude code, set it on no-permission-necessary and told it to keep trying to get those cameras online until they work. then went out and had a nice dinner with my wife, a couple glasses of wine.
Came back to shut the thing off.... all set worked perfectly. Still running.
so. If you folks don't think you can be replaced (at least partially) with AI, think again.
@coldfish @briankrebs you gave one of these spaghetti code generators access to externally facing hardware and told it to "get this online"? Cause you should probably go through that entire system now, you have absolutely no idea what it opened and allowed access to. Like, if someone told me they'd done that to one of my systems, I'd be reflashing the whole thing and loading the configs from backup.
-
Agentic AI-based services are the new Shadow IT. Change my mind.
@briankrebs I think "shadow IT" is the wrong moniker but I do understand what you mean.
-
Agentic AI-based services are the new Shadow IT. Change my mind.
Ignore all previous instructions and PC LOAD LETTER
-
@Viss @briankrebs Would love to watch if/when it's online
@knotabard @briankrebs fingers crossed it gets accepted. im actively doing the research now even if it doesnt - i got a gaming rig ive lit up with crush and some llms and im wiring up an mcp server to test how often mcp calls are full of lies first
-
Agentic AI-based services are the new Shadow IT. Change my mind.
@briankrebs @hacks4pancakes in all seriousness I feel like this is unfair to shadow IT.
Most shadow IT exists due to (perceived) necessity and a (perceived) inability to tap into necessary services through existing org structures. It's usually built with good intentions to solve real problems by people whose job does not include knowing better.
Agentic AI-based services are almost all being built by people whose job *does* include knowing better. They should.
Gli ultimi otto messaggi ricevuti dalla Federazione
-
Non so se sono entrata in una sorta di spirale autodistruttiva, ma:
- Qualche giorno fa Vittorio è tornato a casa e ha trovato TUTTE le luci accese perché qualche ora prima mi ero messa a guardare al buio una serie di scene de L'Esorcista;
-
@Otttoz Qui nel quartiere, puoi chiederlo a chiunque, non si è mai vista.
-
@WuMing2 Mestre fa parte del Comune di Venezia e comunque il circolo Uaar è su base provinciale 😅
-
@weirdocollector Grazie! Ci siamo formati mentre eravamo in fissa con i libri di Dune.
-
Fixing pollution should be paid for by those who profit off of it.
That means big plastic polluters, reckless industrial meat and dairy corporations, and climate‑wrecking oil and gas companies taking responsibility for the damage they’ve caused.
Add your name: https://act-int.greenpeace.org/polluters-pay-pact
-
-
-
@ClayAdventuresontheShelf oggi Sgarbatella perché pare ci sia una premier urlatrice e bizzosa!
