
The article says

> [ChatGPT] is blocked for other Department of Homeland Security staff. Gottumukkala “was granted permission to use ChatGPT with DHS controls in place,” adding that the use was “short-term and limited.”

He had a special exemption to use it as head of Cyber and still got flagged by cybersecurity checks. So obviously they don't think it's safe to use broadly.

They already have a deal with OpenAI to build a government focused one https://openai.com/global-affairs/introducing-chatgpt-gov/





> So obviously they don't think it's safe to use broadly.

More likely, everything gets added to the list because there shouldn't be false positives, it's worth investigating to make sure there isn't an adjacent gap in the security systems.


You are uploading information to the chat system every time you use it. Doubly true if you’re having it analyze or work with documents.

I presume pulling this data out is simple if you’re, say, China.

There's really no security to investigate. Without a private instance, it’s an absolute non-starter for anything classified.


> presume pulling this data out is simple if you’re, say, China

Why would you presume that?


A nation-state has a lot of capacity to do things they shouldn't be doing

Because this is a discussion about national security.

Somehow I think that the weak link in our government security is at the top - the President, his cabinet, and various heads of agencies. Because nobody questions what they're allowed to do, and so they're exempt from various common-sense security protocols. We already saw some pretty egregious security breaches from Pete Hegseth.

That's also the case in businesses. No one denies the CEO a security exemption.

I have never worked in a company where an obviously incorrect CEO-demanded security exemption (like this one) would have been allowed to pass. Professionalism, boards (with a mandatory employee member/representative, after some size) and ethics exist.

30 years in about 8 software companies, Northern Europe. Often startups. Between 4 to 600 people. When they grow large the work often turns boring, so it's time to find something smaller again.


Ah, Northern Europe is probably the difference. This passes all the time in the US. It's probably more common in non-tech companies, as well.

I’m in the US, SE since 1998, startups to multinationals. What the GP said holds true for me too. There are serious professionals in the world - I don’t know why some people want to drag everyone else down to the level of the current US administration - they are exceptionally inept.

CTO at a successful cybersecurity startup I worked at long ago was exempt from critical security updates. She refused to restart her computer out of fear for her Excel state.

I used to work devops for a startup. The _only_ person who was exempted from 2-factor auth was the CEO. It's the perfect storm: a tech illiterate person with access to everything and the authority to exclude himself from anything he finds inconvenient.

>I have never worked in a company where an obviously incorrect CEO-demanded security exemption (like this one) would have been allowed to pass

You haven't worked in enough companies then.

Just for the sake of argument, you think anybody would have denied Jobs or Bezos or Musk one?


I saw what joining Apple did to a friend in the early 2000s.

(Extreme burnout, did not get rich from the pain. It was just pointless destruction.)


The phrase ‘Don’t you know who I am?’ will be taken differently depending on corporate culture.

Why would you? He’s literally the only person ostensibly in charge of the direction of the company. Destroying the company through a security exemption or a bad business deal - both are the leader making a poor decision due directly to his seat of power.

Give sound advice of course, but ultimately it’s the exec’s decision to make.


There are many reasons to deny a CEO ... in a good company structure such denials are circled back around to the board for review.

Case in point: Allowing a CEO with no flight training to "have the keys" to the company <rare, expensive, uniquely outfitted, airframe> because they want to take it for a spin.

Shepherding Royalty in Monarchies has been a necessary, delicate, loaded, and life threatening role for centuries.

Being a C-suite Groom of the Stool isn't a happy job, but somebody has to do it.


I guess, but it’s his plane in a sense. If he wants to fly it and destroy the company, it’s his call. You just give the advice.

To be clear, I’m referring much more to CEO/owners - maybe more like Zuck than Bezos


No, it isn't - it's an asset owned by the company and shareholders - a CEO is an appointed or elected officer.

> To be clear, I’m referring much more to CEO/owners

Owners are what you are talking about. CEO / Owners are Owners and can act like owners.

That said, even owners need to be herded like cats when they are making bad decisions that impact tens of thousands of people on the basis of hubris and feels.

Somebody has to toss them shiny keys until the moment passes and they can make rational choices again.


The question isn’t whether they want it; it’s whether they have a business need, as with any employee.

The CEO of Coca-Cola has no business need to know the secret formula. Giving it to him has no upside, only downside, so you don’t.


So who gets the formula? A chemist with no vested interest? I have no clue why a CEO would be untrustworthy when any other employer wouldn’t be.

Whoever needs it to do their job. And you put in security controls (e.g. part A and part B). Also compensate your people well and don’t publicize who they are.

Semiconductor does this all the time…engineers on team A know only about their process critical gate materials step. Engineers on team B know about their lithography step. They are trained not to disclose and people respect that.


Been there. The CEO of an internet security company was the one who clicked on the wrong email attachment and turned a virus loose.

I mean, I don't know if he had a security exemption, or if anyone who clicked on it would have infected us. But he was the weak link, at least in that instance.


Hah no, weak links are everywhere at all levels. The stories just don't generate revenue for news companies.

A fish rots from the head back.

Whether he is personally and directly responsible for this specific incident, his leadership absolutely sets the tone for the rest of the federal government.

It goes back long before the current regime. People may remember a certain cabinet secretary who ran her own exchange server in the basement.

Humans generally find "food safety expert sickens guests with tuna salad he left out overnight on warm countertop" to be a far more damning charge than "fire safety expert sickens ... warm countertop".

Dig up a live mic catching Hillary calling the IOC a bunch of self-serving scum just as Obama was begging them to award the 2016 Olympics to Chicago, and we might call it comparable.


It’s always fascinating how massive corruption is “whatabout”’d because someone years ago did something stupid.

Do you mean now, or then?

Bad is still bad, no matter what the party doing it.



