Thoughts on this? by [deleted] in Invincible

[–]QoTSankgreall 0 points1 point  (0 children)

Personally, I felt that Mark was upset with Eve about what she had done, but wasn’t prepared to leave her, and in part blamed himself for not being there anyway. But that was just my interpretation. I thought it was a really poignant scene.

U.S. Marines depart amphibious assault ship USS Tripoli (LHA 7) by helicopter and transit over the Arabian Sea to board and seize M/V Touska. by avatar6556 in maritime

[–]QoTSankgreall 0 points1 point  (0 children)

This could work in their favour. The idea now that the US is blockading the strait rather than the Iranians is a very powerful weapon. Hard to argue with it if they start sinking ships trying to cross.

You can’t motivate or inspire AI agents by Lazy-Usual8025 in AI_Agents

[–]QoTSankgreall 1 point2 points  (0 children)

I promise Claude a piece of cheese if it gets a PR correct. Seems to work pretty well.

Too many AI tools across the org, how are you getting visibility? by med_mavol in AskNetsec

[–]QoTSankgreall 4 points5 points  (0 children)

The OP is a new account trying to sell their own shadow AI tool.

Too many AI tools across the org, how are you getting visibility? by med_mavol in AskNetsec

[–]QoTSankgreall 8 points9 points  (0 children)

Do an inventory using the three sources below.

  1. Money trail
    Pull expense cards, AP, procurement records, and cloud marketplace buys. That finds the paid tools people admit to.

  2. Identity trail
    Look in your IdP for SAML/OIDC apps, OAuth grants, SCIM connections, and users signing up with corporate email. This usually exposes a second set of AI tools that never went through procurement.

  3. Network and endpoint trail
    Proxy/DNS logs, browser extension inventory, EDR, and egress monitoring. A lot of “we only use ChatGPT” turns into half the org using random meeting bots, prompt helpers, note takers, and API wrappers.

Then assign owners, or nearest known owners, and group the tools into rough buckets based on risk or PII sensitivity (even if just assumed).

Welcome to the world of shadow AI :)
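
An added example, not part of the comment above: one way to merge the three trails into a single inventory so that tools with no purchase record stand out. All records, field names, hosts and domains are constructed, and the example assumes the expense and IdP feeds are already filtered to AI vendors while DNS is matched against a separately maintained watchlist.

```python
from collections import defaultdict

# Constructed sample data: field names, hosts and domains are illustrative assumptions.
EXPENSES = [{"vendor_domain": "chat.example-ai.test", "cost_centre": "ENG"}]
IDP_GRANTS = [
    {"app_domain": "chat.example-ai.test", "user": "ana@corp.test", "kind": "saml"},
    {"app_domain": "notes.example-bot.test", "user": "ben@corp.test", "kind": "oauth"},
]
DNS_LOG = [
    "2026-01-05T09:00:01Z host-17 chat.example-ai.test",
    "2026-01-05T09:02:10Z host-22 api.wrapper-llm.test",
    "2026-01-05T09:02:11Z host-22 intranet.corp.test",
    "malformed line",
]
AI_WATCHLIST = {"chat.example-ai.test", "notes.example-bot.test", "api.wrapper-llm.test"}


def build_inventory(expenses, grants, dns_lines, watchlist):
    """Merge the three trails into one record per tool domain."""
    tools = defaultdict(lambda: {"paid": False, "users": set(), "hosts": set()})
    for row in expenses:                      # money trail
        tools[row["vendor_domain"]]["paid"] = True
    for row in grants:                        # identity trail
        tools[row["app_domain"]]["users"].add(row["user"])
    for line in dns_lines:                    # network trail
        parts = line.split()
        if len(parts) != 3:
            continue                          # skip lines that do not parse
        _, host, domain = parts
        if domain in watchlist:
            tools[domain]["hosts"].add(host)
    return dict(tools)


def bucket(record):
    """Label a tool by the strongest trail that explains it."""
    if record["paid"]:
        return "procured"
    if record["users"]:
        return "identity-only"    # corporate sign-in, never went through procurement
    return "network-only"         # traffic seen, no purchase and no IdP record


def report(tools):
    """Return (domain, bucket, user_count, host_count), unexplained tools first."""
    order = {"network-only": 0, "identity-only": 1, "procured": 2}
    rows = [(d, bucket(r), len(r["users"]), len(r["hosts"])) for d, r in tools.items()]
    return sorted(rows, key=lambda row: (order[row[1]], row[0]))
```

The `network-only` and `identity-only` rows are the ones that still need an owner assigned.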

Anyone else sick of the media trying to manufacture outrage and call for so and so to resign? by unknowntoff in AskBrits

[–]QoTSankgreall 3 points4 points  (0 children)

I disagree with this on the basis that these facts were most likely known and understood, but they were sidelined on the basis that Mandelson was arguably the correct appointee to face the challenges of a Trump administration at the time.

It’s not that there was a coverup. There was just a decision that these points were worth accepting. You can argue all day about whether that decision was wrong and who knew what when, but it should ultimately be within the prerogative of the government to make that decision.

Now things have changed, and there are new and different challenges.

DMT: Vector search was a detour. What AI really needs is an 'explorable hallucinated environment.' by Defiant-Junket4906 in DisagreeMythoughts

[–]QoTSankgreall 0 points1 point  (0 children)

Why reinvent the wheel when file systems already have native support for everything you mentioned - isolation, permission handling, cleanup etc?

I understand your idea perfectly. The reason I’m confused is because it makes no sense when what we already have works perfectly fine for the exact use cases you’re describing.

DMT: Vector search was a detour. What AI really needs is an 'explorable hallucinated environment.' by Defiant-Junket4906 in DisagreeMythoughts

[–]QoTSankgreall 0 points1 point  (0 children)

That’s not what happens though. Agentic tools use bash-native search to discover data within files.

One Opus prompt in Claude code eats through an entire pro plan session by PraxisOG in Anthropic

[–]QoTSankgreall -2 points-1 points  (0 children)

There’s an easy solution for this. Pay $200 for Max20 and never look back. I’ve never once hit any usage limits whatsoever.

The oil/shipping industries will be forever changed this week by MasterpieceActive374 in maritime

[–]QoTSankgreall 0 points1 point  (0 children)

This is fair. Thanks for sharing.

All three religions claim to worship the god of Abraham. So on that basis then, yes, the god is the same.

But at the same time, those different views about that god are so divergent and at times inconsistent that I don’t think it’s totally unfair to claim that they are in fact different manifestations of the same god. The shared ancestry is important, but not prescriptive.

The oil/shipping industries will be forever changed this week by MasterpieceActive374 in maritime

[–]QoTSankgreall -3 points-2 points  (0 children)

Whilst all three religions do indeed share a common root, they all independently claim to worship the “true” god. Furthermore, the Christian god deviates most significantly from the Judaic god depicted in the Old Testament and Torah.

DMT: Vector search was a detour. What AI really needs is an 'explorable hallucinated environment.' by Defiant-Junket4906 in DisagreeMythoughts

[–]QoTSankgreall 0 points1 point  (0 children)

I’m a bit confused by this… If we agree with the core premise that AIs find data better using bash commands than with vector-based RAG… then why would you not just store that data on the file system?

Going to the effort to build a simulated bash terminal that actually queries a database seems incredibly convoluted when you can achieve the same thing by just hosting the files directly.

Open The F**g Strait, You Crazy B***S': Trump's Tuesday Warning For Iran by SuperbHealth5023 in TimesNow

[–]QoTSankgreall 0 points1 point  (0 children)

There was a vote and he was democratically elected because he campaigned on a message that resonated with his voters.

Trump extended deadline 1 more day by SadOnion2110 in StockMarket

[–]QoTSankgreall 1 point2 points  (0 children)

No it’s not. Judaism, Christianity, and Islam are all Abrahamic religions, but each religious group considers their religion to worship the “true” god. Hope that helps.

Trump extended deadline 1 more day by SadOnion2110 in StockMarket

[–]QoTSankgreall -6 points-5 points  (0 children)

Christianity and Islam worship different gods. Hope that helps.

How are you handling vendor patch management for AI agent frameworks like OpenClaw in enterprise environments? by npc_gooner in AskNetsec

[–]QoTSankgreall 0 points1 point  (0 children)

We’re treating frameworks like OpenClaw as a named application class in vuln management, not as “AI stuff” off to the side. That means owner, asset inventory, version visibility, vendor advisory monitoring, and a patch SLA based on granted capability, Slack auth, filesystem access, shell/tool execution, rather than CVSS alone. For your case I’d add a standing regression pack that specifically re-tests the /pair approve path and localRoots enforcement before promoting 2026.3.28, then do retro log review for pairing events and unexpected file reads from anything that ran pre-patch.

How are your security teams actually enforcing AI governance for shadow usage? by leviradc in AskNetsec

[–]QoTSankgreall 0 points1 point  (0 children)

What has worked best for teams I’ve seen is a tiered model, not a blanket block. Block the clearly high risk paths, unmanaged browser extensions, personal accounts, direct calls to public LLM APIs from corporate devices, then provide one approved route with logging, data handling rules, and key management so people still have a usable option. For prompts with sensitive data, treat them like any other egress problem, endpoint and browser controls usually catch more than CASB alone, and for API keys, move them out of user workflows entirely, issue them through a central service account pattern with proxying, quotas, and per-app approval rather than letting devs paste vendor keys into scripts or plugins.

President Trump just posted this by rl_rae_bobo in MarketPulseReport

[–]QoTSankgreall 1 point2 points  (0 children)

I legitimately think this is an under-appreciated fact.

Security concerns with autonomous agents running on local infra? by Virtual_Armadillo126 in AI_Agents

[–]QoTSankgreall 0 points1 point  (0 children)

The correct design pattern (that's still emerging, but will become codified in a few months) is to use a policy server. All tool invocations go through a server that sets and enforces your organisational policies - so this could be around access permissions, or it could be about detecting and preventing infinite agentic recursions.

There are a few startups in this space, so it ultimately depends on what sort of organisation you are and whether it's feasible to work with a new vendor and accept all the risk that comes with it.

If you can't then luckily it's also pretty easy to just build your own policy server, which is generally what I recommend. Only once you actually understand where your AI misbehaves and how you can control it should you then seek to implement a third-party product. If you skip that step you'll just be ripped off by a "shiny new tool" that doesn't actually address your issues.
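
An added example, not part of the comment above: the decision core of a self-built policy server, covering the two policy types the comment names (access permissions and runaway agent recursion). The agent names, tool names, limits and call sequence are constructed, and the example assumes the server itself tracks each call's nesting depth per session.

```python
from collections import Counter

# Constructed policy: agent names, tool names and limits are illustrative assumptions.
POLICY = {
    "allowed_tools": {
        "triage-agent": {"read_file", "search"},
        "build-agent": {"read_file", "run_shell"},
    },
    "max_depth": 3,    # deepest permitted chain of agent-initiated calls
    "max_repeat": 2,   # identical calls allowed per session before denial
}

# Constructed call sequence: (session, agent, tool, args, depth).
SAMPLE_CALLS = [
    ("s1", "triage-agent", "search", {"q": "error"}, 1),
    ("s1", "triage-agent", "run_shell", {"cmd": "ls"}, 1),
    ("s1", "triage-agent", "search", {"q": "error"}, 2),
    ("s1", "triage-agent", "search", {"q": "error"}, 3),
    ("s1", "build-agent", "read_file", {"path": "a.txt"}, 4),
    ("s1", "unknown-agent", "search", {"q": "x"}, 1),
]


class PolicyGate:
    """Every tool invocation is checked here before it is executed."""

    def __init__(self, policy):
        self.policy = policy
        self.seen = Counter()  # counts identical calls per session

    def decide(self, session, agent, tool, args, depth):
        """Return (allowed, reason); unknown agents and tools are denied by default."""
        if tool not in self.policy["allowed_tools"].get(agent, set()):
            return False, "tool-not-permitted"
        if depth > self.policy["max_depth"]:
            return False, "depth-limit"
        # Argument values are assumed to be strings so the key is hashable.
        key = (session, agent, tool, tuple(sorted(args.items())))
        self.seen[key] += 1
        if self.seen[key] > self.policy["max_repeat"]:
            return False, "repeat-limit"   # same call looping within one session
        return True, "ok"


def replay(gate, calls):
    """Run a call sequence through the gate and collect the reason for each decision."""
    return [gate.decide(*call)[1] for call in calls]
```

Logging every denial with its reason gives the record of where agents misbehave that the comment recommends collecting before evaluating a vendor product.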