"• Outputs accepted or modified by you
• Inputs sent to GitHub Copilot, including code snippets shown to the model
• Code context surrounding your cursor position
• Comments and documentation you write
• File names, repository structure, and navigation patterns
• Interactions with Copilot features (chat, inline suggestions, etc.)
• Your feedback on suggestions (thumbs up/down ratings)"
harrysintonen@infosec.exchange
Posts
-
#Microsoft sent an email to everyone saying they're listening to people now and they will definitely not be pushing AI to everything anymore.
@david_chisnall They announced this policy change on 25th March 2026 and it comes into effect 24th April 2026.
Note that this change doesn't apply to Copilot Business and Copilot Enterprise users.
-
#Microsoft sent an email to everyone saying they're listening to people now and they will definitely not be pushing AI to everything anymore.
Also Microsoft enabled #github to collect all your "inputs, outputs and associated context to train and improve AI models". This new tickbox is enabled by default, even if you explicitly disabled Copilot before.
Actions speak louder than words.
You can disable the option at https://github.com/settings/copilot/features
-
The two largest retailing organisations (and many other companies) in Finland have special responsibilities during a crisis. The operations will need to continue even in the case of emergencies or war. The crisis operations are practised periodically, too, rather than just being some words on paper.
Many large companies in specific fields (such as S-Ryhmä and Kesko) have a legal obligation to do so, but about 1500 companies contribute on a volunteer basis via a network managed by the National Emergency Supply Agency. The companies participate through ~30 sector-specific pools, which include the Logistics Pool (supply chain optimisation), the Finance Pool (continuity of payment systems and banking services), and the Energy Pool (energy system resilience), among others.
How Finnish supermarkets are central to the country's defence
The chains all have detailed plans to follow in the event of the nation going to war.
(www.bbc.com)
-
#Firefly is returning as an animated series with the original cast - https://www.youtube.com/shorts/gfK-s3FNMpo
-
It appears #Broadcom has restored #VMWareFusion update notifications. Unfortunately there are no longer automatic updates: you have to log in to the asinine Broadcom support website, download the updates and install them manually.
-
Reading up on integrating cloud-based LLMs into #KaliLinux and I am not quite sure who would sign this off for actual security assessment work. I can't see any client agreeing to potentially leaking information to Anthropic or other online LLMs. Also, the risk of actually doing damaging actions on a vulnerable system is way too high.
As the usefulness of any online AI integration is quite limited for actual project work, what could it be used for? For training, maybe?
Or maybe it is intended for some AI believers who don't see any risk associated with sending sensitive information to random cloud services?
It would be possible to run a fully local model, of course, but that is far more limited in quality and capability than online ones. It would also still retain the risks of exploiting vulnerabilities in a damaging way.
I, for one, am not signing up to vibehacking.
-
This should be obvious for everyone by now, but if you're not from the US you must assume that all your use of US AI services (#ChatGPT, #Claude, #Gemini etc) is fed directly to US intelligence services.
@kleisli Everything is encrypted of course. Some services are in my basement, too. Also encrypted.
Authorities have permission to install technical listening devices of course, but that requires permissions from courts, and suspicion of extremely serious crimes, such as terrorism. It seems quite unlikely that the local system would ever be perverted in a way that this could be abused.
-
This should be obvious for everyone by now, but if you're not from the US you must assume that all your use of US AI services (#ChatGPT, #Claude, #Gemini etc) is fed directly to US intelligence services.
@kleisli That is the only safe assumption, indeed. My self-hosting helps to a degree: https://infosec.exchange/@harrysintonen/115916299816297773
-
This should be obvious for everyone by now, but if you're not from the US you must assume that all your use of US AI services (#ChatGPT, #Claude, #Gemini etc) is fed directly to US intelligence services.
China is of course doing the same for any information fed to their online systems, for example DeepSeek.
-
This should be obvious for everyone by now, but if you're not from the US you must assume that all your use of US AI services (#ChatGPT, #Claude, #Gemini etc) is fed directly to US intelligence services.
"We may share your Personal Data, including information about your interaction with our Services, with government authorities ... in compliance with the law (i)" (OpenAI)
"We may disclose personal data to governmental regulatory authorities as required by law" (Claude)
"We will share personal information outside of Google ... to: Respond to any applicable law, regulation, legal process, or enforceable governmental request" (Gemini)
The amount of valuable information fed to the systems voluntarily is staggering. It's not a matter of "if" it is happening, but "of course it is". It would be outright negligent if they weren’t capturing and disseminating it all.
https://en.wikipedia.org/wiki/Foreign_Intelligence_Surveillance_Act#Without_a_court_order
https://en.wikipedia.org/wiki/Foreign_Intelligence_Surveillance_Act#Amendments
-
You should always consider network transport just that: a transport. It's not a security control. A Wi-Fi AP having a password or other means of authentication doesn't really mean much. You should always use encryption on top of the transport, no matter the type. HTTPS is good, VPN is even better.
@arstechnica
"New AirSnitch attack breaks Wi-Fi encryption in homes, offices, and enterprises"
New AirSnitch attack bypasses Wi-Fi encryption in homes, offices, and enterprises
That guest network you set up for your neighbors may not be as secure as you think.
Ars Technica (arstechnica.com)
-
Here we go again.
@bagder "the hanging proves memory corruption."
-
Retroactively changing the role of a token or key is a very bad idea.
Google API Keys Weren't Secrets. But then Gemini Changed the Rules. ◆ Truffle Security Co.
Google spent over a decade telling developers that Google API keys (like those used in Maps, Firebase, etc.) are not secrets. But that's no longer true.
(trufflesecurity.com)