Zack Korman
32.2K posts
Zack Korman
@ZackKorman
Cofounder @ Embroidery. Building AI cybersecurity stuff.
Oslo, Norway
embroidery.io
Joined January 2014
1,619 Following · 13.2K Followers

  • Pinned
    Zack Korman
    @ZackKorman
    Aug 19, 2025
    Microsoft isn’t disclosing this so: M365 Copilot allowed users to access files without producing an audit log. All you had to do was ask Copilot to not link to the file. You don’t even have to ask; it sometimes just happens. If your org uses Copilot your audit log is likely wrong
  • Zack Korman
    @ZackKorman
    Oct 5, 2025
    Copilot in Excel is a global financial crisis waiting to happen.
  • Zack Korman
    @ZackKorman
    Dec 4, 2022
    Unlike most people on Twitter, I’m actually using GPT3 in a production system. The mistake people are making is they are asking “how can I use this to automate a smart person’s job”, when they should be asking “what would I do if I had unlimited dumb people”
  • Zack Korman
    @ZackKorman
    Oct 30, 2025
    A Figma sales rep was trying to get us to upgrade. We did a meeting but decided no, so he wrote this back (see photo). Excuse me, what? “I don’t like your answer so I went digging through your data to find info to help me make a sale”. I’m not okay with that.
  • Zack Korman
    @ZackKorman
    Oct 5, 2025
    Replying to @LewisMcLellan1
    Yea it thought for like 20 seconds before landing on this conclusion
  • Zack Korman
    @ZackKorman
    Oct 30, 2025
    Update: Figma’s response to this was very good. The CRO reached out quickly, and I just had a call with the CEO, @zoink, where he was able to walk me through their processes, how they handle access control, etc. And he apologized this happened. I feel they took this seriously.
  • Zack Korman
    @ZackKorman
    Oct 20, 2025
    Unlike human employees, AI never gets tired. Instead it just loses its mind. This is the output Gemini gave us, using ~60k tokens to repeat “flagged_for_review_by_AI_model_because_of_anomalous_activity_given_user_role_and_download_history_BOM_CAD_firmware_access”
  • Zack Korman
    @ZackKorman
    Aug 18, 2025
    Microsoft isn’t just not issuing a CVE, they’re actually not going to disclose this issue at all.
    Zack Korman
    @ZackKorman
    Aug 12, 2025
    Microsoft now confirmed that because the vulnerability I reported is important, not critical, and because they’ve now fixed it they won’t issue a CVE. It’s like they actually want to discourage people from reporting.
  • Zack Korman
    @ZackKorman
    Oct 29, 2025
    One of the biggest challenges to catching insider threats is separating them from the absolutely egregious sins your regular users commit on a daily basis. “Oh no that’s just Dave, he likes to download 800 files, zip them, and send them to his personal gmail. That’s fine.”
  • Zack Korman
    @ZackKorman
    Aug 12, 2025
    Microsoft now confirmed that because the vulnerability I reported is important, not critical, and because they’ve now fixed it they won’t issue a CVE. It’s like they actually want to discourage people from reporting.
    Zack Korman
    @ZackKorman
    Aug 9, 2025
    Microsoft is telling me they won’t issue a CVE for a vulnerability I reported because it is a cloud service and doesn’t require customer actions to fix. Which is quite literally not their policy. See link: msrc.microsoft.com/blog/2024/06/t…
  • Zack Korman
    @ZackKorman
    Dec 4, 2022
    Replying to @ChrisSommers79
    I think that’s the main thing I’ve found too, so I just use it for really dumb stuff where it’s okay to kind of suck. The problem with using it for smart stuff is it isn’t that smart
  • Zack Korman
    @ZackKorman
    Oct 30, 2025
    Replying to @rp1atten
    Yea I’m furious about the whole process. The whole thing was a scare tactic on security, just to turn around and show they have none. This is shitty
  • Zack Korman
    @ZackKorman
    Oct 5, 2025
    Replying to @HarmPersonal
    This is my favorite reply so far
  • Zack Korman
    @ZackKorman
    Oct 11, 2025
    Just want to make everyone aware that I’ll send them a Pistachio hoodie for a lot less than 10k likes