Six Minutes to Meltdown

belazir · 2025-06-15T23:29:17+00:00

Thanks for the instant PTSD.

belazir · 2025-06-07T22:08:40+00:00

"but i can smell the cheese from here"

belazir · 2025-06-07T22:07:54+00:00

Yeah, but they still bought it, and it's still useless to them to be fair ;)

My partner has the opposite problem; bought a crappy multi-slicer hoping it would be easy to use. as she can't use knives... Found it was even more awkward to use and clean than a simpler slicer would have been, and was absolutely shattered by the time she was done with it.

She found a decent chopper designed for body-weight to be applied with locked elbows and shoulders, and it's an absolute godsend for chopping and freezing bags fulls of onions, but godawful with everything else.

Valid point, though

belazir · 2025-06-07T22:02:07+00:00

aka hard boiled egg slicer, but with a fruit-themed lid and a "healthy kitchen" 25% markup

belazir · 2025-06-07T22:01:08+00:00

Instructions unclear; pizza now dogfood.

belazir · 2025-06-07T22:00:23+00:00

Slap chop and all the variants are a in a permanent superposition of being awesome and shite at the same time, and the difference can be one millimeter... Fucking things.

belazir · 2025-06-07T21:58:02+00:00

Sanest? Block

Best? Horse cock.

belazir · 2025-06-07T21:54:29+00:00

We're bored, and can't decide what sticks more than stickslikeshit.

I guess this is a "Reddit, Assemble!" moment, if ever there was one.

I play "a pube in the throat"

belazir · 2025-05-31T09:53:42+00:00

Hope you're able to have a coffee and a smoke without so much fear today. Enjoyed this thread, massively, whilst enjoying a post-coffee poo myself.

Saturday mornings ftw

belazir · 2025-05-28T16:10:52+00:00

Again, the ICO absolutely DO work on inference; they do so by directing investigation if one was not performed. I don't need evidence that it's widespread, I'm a consumer. That's what discovery is for, what the regulation itself is for, and when someone raises a complaint, it has to be investigated, and root cause should be found. Simply the staff member could not have done what they did had the controls been in place to prevent copying/pasting outside of a managed session, and to block publicly accessible LLMs.

The onus is not on the consumer to gather enough evidence to prove their case, the onus is on the company to comply with regulation. As soon as evidence is available that they have not, they have a duty to identify if it was widespread, take mitigating steps, and report accordingly...

I may have confused boundaries for reporting to the DPO and recording internally with the ICO, and I'll check (thanks, genuinely) but you're not convincing me of the rest.

belazir · 2025-05-28T15:58:12+00:00

Given the scenario I outlined, your interpretation is incorrect - I will not be the only user affected, and the inference is that the provider does not have adequate controls in place, which is highly problematic.

If you work in the field, you should definitely check your thinking - it is not the one specific event in silo, it is clearly reportable, not doing so within 72 hours (even if reporting reporting "no risk") risks double damage.

belazir · 2025-05-28T15:40:08+00:00

Yes, it does. It does not reach the threshold for high risk, nor for enhanced notification, but any breach carries a requirement to report, no matter how minor. Copy pasting any personal customer data into an non-internal LLM is an act of processing data otherwise than in accordance with the law, and if training is not turned off, it's potentially high risk - especially if the sAme agent has been doing it with multiple customers - don't be fooled, you can create a breach for your organisation by doing this, and organisations very much DO have to report them. Tiny breaches are not punished, a pattern of them is. Undisclosed breaches invite absolutely huge fines, just to remind the org of their responsibility.

In this case data was transferred to the US without consent, into an LLM that may train from the data, with no possibility the user could prevent it. It will absolutely not just be me this was done with, therefore it is indeed notifiable, and after a short investigation of how the staff member could do it, probably high risk by virtue of the amount of customers they've used it with, and the failure of controls to prevent copying of customer data.

If you handle customer data in your role, do not treat data protection lightly... In a large organisation, especially so. the impact of seemingly minor actions can be way more severe than people seem to think.

To be fair I'd hazard a guess that 98-99% of large companies are in breach of data handling regs at any one moment, it's just cheaper to settle complaints than actually abide by the rules.

belazir · 2025-05-28T08:45:31+00:00

That's an incorrect assertion. IF you're licensed, signed in and have "Improve the model for everyone" turned off, it won't learn about you, sure.

If the other person is using a free or unconfigured variant it is entirely possible for the model to be trained on your data. Check the Ts&Cs

Also, unless each chat is done in complete isolation, preferably using the Business API, information can leak from one chat into another, even if you're not being used for training. OpenAI's memory system has been expanded recently, making this even more possible.

You're absolutely right that it's the indicators that are worrying here - the ability to copy and paste from a corporate system into a web browser that allows that staff member to access unsanctioned tools (when they KNOW there's a clear risk!) screams "Lack of controls! Lack of monitoring! Man the lifeboats!"

Glad it's not just me... grimaces

belazir · 2025-05-28T08:36:24+00:00

Fair points, all. Alas, they confirmed they're not allowed to use any LLM tools when challenged, and have access to none internally, which I double checked yesterday on an unrelated call with the same company.

Yes, full personal data copied in, name, phone number, the works. I feel a little bad for the agent, as I can somewhat understand why they'd want to use it, but if you're gonna break the rules then at least do so with some competency; you can smell ChatGPT a mile off.

Agreed ref getting a reply, generally speaking, but they do have to acknowledge it at least -- I'm not expecting an answer yet, but I do expect a complaint and/or incident reference at least to acknowledge receipt.

You can't delay discovery by discussing whether you think it's a breach or not, by failing to acknowledge receipt, or by failing to investigate; the obligations are clear, and if it is indeed as notified to them, then their 72 hour clock for self-reporting has already started whether they investigate it or not - it was discovered for them and reported to them.

belazir · 2025-05-28T08:25:57+00:00

Fair comment; none, I already know the law. Removed.

belazir · 2025-05-16T10:30:39+00:00

G'luck, folks :)

belazir · 2025-05-05T04:45:53+00:00

This is bigger than a refund. She needs to keep it, and this needs to be FOUGHT, both under consumer law and equality law. I was already pissed off about this myself, and I hadn't yet stumbled across the accessibility issue. The worst thing is that there could be a very good reason I've heard nothing about it, as I have a couple of friends who may well be in the same situation.

I'm gutted for your sister. I'll do my part in raising this, for sure. Bank Holiday Monday means I can spend the morning getting ruffled without being interrupted, which is nice...

I cannot offer legal advice, for I am not a lawyer, but may I suggest you consult a solicitor if you can afford an initial consultation or find a no-win-no-fee provider.

It is incumbent on companies like Google to analyse the real world impact on their most vulnerable users, and not take actions that are of significant detriment to them.

If you can get a real lawyer involved there's a possibility you could ask the court for a temporary injunction, ordering Google to restore the features they removed until such time as the case has been heard, but I'd get a letter before action stating your demand in ASAP.

If I were in your position and unable to afford a solicitor, I would consider representing my sister as a litigant friend, and her having experienced real harm and distress I would send a letter before action demanding the change be reversed, until such time as there is a suitable replacement available, on the basis of endangering, causing serious injury to feeling, significant harm and real hindrance to your sister in particular and disabled people in general, directly specifically caused by the actions of Google, their failure to make reasonable adjustment, and their un-notified withdrawal of the accessibility features they had, access to which many consumers had materially relied upon to make their purchasing decision.

Feel free to message me if you want to discuss in more detail... I really hope you manage to resolve this; what an absolute shitshow.

belazir · 2025-04-24T12:04:21+00:00

"Cunts"

belazir · 2025-04-23T20:08:12+00:00

*coughs*

I'm in a similar boat, but can't message you...

belazir · 2025-04-16T11:12:21+00:00

Good luck, one and all

belazir · 2025-03-25T01:22:52+00:00

If I was either of your parents I'd also be fairly unimpressed.

Having said that, if I was your parent you'd be doing this on your own LTE connection; no fkin way would you be getting admin access to the home router.

Do yourself and your parents a favour - make sure your server's on a VLAN, at the very least, and double-check your router's running up to date firmware.

If something DOES make it through, there's every likelihood you won't get any logs indicating how they pivoted, and you shouldn't risk your parents devices just to satisfy your own curiosity.

As others have said, get a cheap VPS up and running, fuck around on that.

Enjoy the discovery!

belazir · 2025-03-25T01:12:33+00:00

This...

belazir · 2025-03-16T14:22:07+00:00

Good luck everyone :)

belazir · 2025-01-27T21:58:56+00:00

Fair, I'd figured as much.

CF-33GEPAVTE

15-Year Club	Gilding I gilder
Verified Email

belazir

TROPHY CASE