AI features enabled when upgrading

fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)

https://fleetdm.com

Other

2.91k stars 404 forks source link

AI features enabled when upgrading #19365

Closed pacamaster closed 2 months ago

pacamaster commented 3 months ago

Fleet version:  4.50.0 Web browser and operating system: Current browser and OS

💥 Actual behavior

Modal and spec state that these are off by default for existing Fleet deployments.

🧑‍💻 Steps to reproduce

Start or upgrade to 4.50.0
Notice that AI features are turned on

🕯️ More info (optional)

Related to #19351

🛠️ To fix

Disable AI feature by default for existing Fleet deployments (migration) while enable for new Fleet deployments.

zayhanlon commented 3 months ago

@noahtalerman FYI - if you want to update the priority order of this, up to you.

noahtalerman commented 3 months ago

Hey @sharon-fdm I think this bug deserves P2.

With Luke out (DRI of the release), up to Sharon on adjusting the priority (P- label)

As part of #18187 we intended to disable AI feature by default for existing users (migration) while enable for new Fleet deployments.

noahtalerman commented 3 months ago

Hey @pacamaster and @nonpunctual FYI I made this small tweak to the expected behavior:

Disable AI feature by default for existing Fleet deployments (migration) while enable for new Fleet deployments.

sharon-fdm commented 3 months ago

@noahtalerman NP. we can take it as high priority.

sharon-fdm commented 2 months ago

3 cases: Migration from a version without the feature (<4.50 (?) ) --> disable. Migration from a version WITH the feature --> leave the status as-is. New installation --> enable.

nonpunctual commented 2 months ago

@noahtalerman @sharon-fdm My opinion would be that they should be disabled by default. Again, what customer-reedtimmer took issue with was compliance. I guess the assumption would be that someone setting up new would have checked this off their list, but, what if they don't & what if we forget to tell them? There may be a strict policy in an org against enabling AI anything & that mandate may be an SLA or a legal agreement.

noahtalerman commented 2 months ago

Hey @nonpunctual we decided to take the risk here and enable by default for new deployments.

Why? Triggering AI-features is up to the user. They have to click the "Auto-fill" button to send an osquery query (SQL) to OpenAI. Also, the only data they can send are osquery queries.

what if they don't & what if we forget to tell them?

They can immediately to settings to disable the feature.

If you have any concerns let's chat about this during product office hours :)

nonpunctual commented 2 months ago

@noahtalerman Queries can contain proprietary data that is intended to be private to an organization:

email address + personal name (anything that identifies a user with a corporate identity is considered by most orgs to be PII)
hardware serial numbers (linked to warranties, repairs, purchasing)
file names
yara rules (which may contain passwords or keys or have patterns that uncover malicious behavior that admins do not necessarily want users to have)
software paths (which can become an attack vector if it is known that a particular org uses vulnerable software)

I am not saying what we should or should not do. I am pointing out the reason why security-minded orgs object to sending data off to a 3rd party.

fleet-release commented 2 months ago

Upgraded Fleet shines, AI features, default off, Balance, users find.