Today in InfoSec Job Security News:
Uncategorized
144
Posts
111
Posters
11
Views
-
@fuzzyfuzzyfungus is the question not more "why is anyone using such unreliable tools in the first place?" They've proven time and time again that the result is less than sub par, they create as many if not more issues than they fix, they've fucked up ram prices and soon storage prices, they use too much energy.. i could go on but fuck, if that's not enough i don't know what to say.
I have an answer to this question, but you need to stick around to the end of the toot.
They've proven time and time again that the result is less than sub par...
"So what? What does that matter? š
I was asked to do the thing, I did the thing, I will keep getting my paycheck."That attitude, That's not me. I strongly believe in delivering top quality work A lot of us probably believe that. That's the kind of people Mastodon attracts.
But "top-quality work" is inherently something that only a few people deliver. Most people deliver average quality work, by definition. They are totally fine with being average and this machine helps deliver average. Or close enough.
Average work does not attract a lot of scrutiny. It also doesn't attract pay rises, but most people are basically ineligible for those anyways. If your white collar work went from average to excellent, is there really a promotion waiting there for you? You probably need a new Co... /1
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, thereās over 2m of them and itās about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog People need to stop being lazy and using AI to write code.
-
@GossiTheDog We need tools that scrape the list of repos that have accepted this shit, and either ban them or pin them to pre-slop versions/forks in dependency systems.
I agree with your concept as being a noble idea. I just do not see it as a realistic solution. These are my issues with your idea, and you may not agree with me that if fine. Your idea is that we make tools to scrape repos on git servers (and perhaps SVN as it is still used) and validate that it is accepting pull requests from AI. If I have understood you. My take on that is that if you are working on a project then you should be forking the main repository not some other person's random fork. Main repositories tend to be a lot more responsible in who they accept pull requests from. In any of these Claude infested repos was even a single one the projects actual main repository? I would guess no. If developers are practicing good OPSEC then this is a none issue. So we are adding strain on servers that is simply not required.
As developers we have a responsibility to our own integrity and are users to be sure that what we do release is as secure as we can make it. There is no such thing as completely secure software. It does not exist in reality (well maybe 'Hello world' š).
It is easy to get upset at such events. Though in the big picture is not a real issue, it is one of those issues that will be self-healing. I do not know a single developer that would not check who commits, are they using security measures like commit signing, is the project secure as is. Before forking, if they wanted to use it as a base and it did not meet those criteria they would hard fork and not participate in the original repo. Keep in mind that there are projects out there entirely written by AI, I do not endorse them, but they do exist.
It is okay to not agree with me, I am okay with that. I do not feel as if we should be censoring source code for developers. I feel like we should be teaching them about good OPSEC & DEVOPs instead. Just my opinion.
Have a great day!
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, thereās over 2m of them and itās about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog to be fair, before Claude the same thing would happen when folks used recipes off Stack Exchange without understanding them.
The atrophying of critical thinking as a result of AI usage is the final nail in the coffin.
-
I agree with your concept as being a noble idea. I just do not see it as a realistic solution. These are my issues with your idea, and you may not agree with me that if fine. Your idea is that we make tools to scrape repos on git servers (and perhaps SVN as it is still used) and validate that it is accepting pull requests from AI. If I have understood you. My take on that is that if you are working on a project then you should be forking the main repository not some other person's random fork. Main repositories tend to be a lot more responsible in who they accept pull requests from. In any of these Claude infested repos was even a single one the projects actual main repository? I would guess no. If developers are practicing good OPSEC then this is a none issue. So we are adding strain on servers that is simply not required.
As developers we have a responsibility to our own integrity and are users to be sure that what we do release is as secure as we can make it. There is no such thing as completely secure software. It does not exist in reality (well maybe 'Hello world' š).
It is easy to get upset at such events. Though in the big picture is not a real issue, it is one of those issues that will be self-healing. I do not know a single developer that would not check who commits, are they using security measures like commit signing, is the project secure as is. Before forking, if they wanted to use it as a base and it did not meet those criteria they would hard fork and not participate in the original repo. Keep in mind that there are projects out there entirely written by AI, I do not endorse them, but they do exist.
It is okay to not agree with me, I am okay with that. I do not feel as if we should be censoring source code for developers. I feel like we should be teaching them about good OPSEC & DEVOPs instead. Just my opinion.
Have a great day!
@unusnemo A repo that has AI slop anywhere it its git history isn't FOSS and has maintainers who have shown gross irresponsibility. Banning use of it as a dependency should not be controversial.
-
I have an answer to this question, but you need to stick around to the end of the toot.
They've proven time and time again that the result is less than sub par...
"So what? What does that matter? š
I was asked to do the thing, I did the thing, I will keep getting my paycheck."That attitude, That's not me. I strongly believe in delivering top quality work A lot of us probably believe that. That's the kind of people Mastodon attracts.
But "top-quality work" is inherently something that only a few people deliver. Most people deliver average quality work, by definition. They are totally fine with being average and this machine helps deliver average. Or close enough.
Average work does not attract a lot of scrutiny. It also doesn't attract pay rises, but most people are basically ineligible for those anyways. If your white collar work went from average to excellent, is there really a promotion waiting there for you? You probably need a new Co... /1
@Fooker @fuzzyfuzzyfungus and if I walk through all the logic, I totally understand these folks.
I don't agree with them, that's not who I am personally. But I understand the incentive structure and they're going to work with what they have.
We have an entire book titled "Bullshit Jobs" talking about how widespread the phenomenon is. And here we have a machine that is basically a bullshit generator, all ready to tackle those bullshit jobs. It's a perfect match!
Is this a great use of human or computer resources? Probably not. But that misuse has nothing to do with either the computers or the humans in the loop. It's entirely part of a bigger system that fails to match incentives correctly.
But that's why humans use the stuff. Not because it's good, but because it's what they were asked for.
I think we should be asking for better things, but that shift is a blog post unto itself. //
-
@unusnemo A repo that has AI slop anywhere it its git history isn't FOSS and has maintainers who have shown gross irresponsibility. Banning use of it as a dependency should not be controversial.
I do not think you read my comment, that is fine, I am not going to say that I agree to disagree with you because I never even broached the topic you responded with at all. Take care and have a great day, I can see this conversation is going nowhere. That is fine, we both have better things to do. š
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, thereās over 2m of them and itās about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog is it a concerted attack on open source software to preserve closed source for-profit stuff?
-
@GossiTheDog protip, go to https://github.com/claude and click on Block User and you will see a helpful warning banner on any github repo that contains code from it.
@joeyh @GossiTheDog Works like a g--d--- charm. juanfont/headscale has claude commits if anyone wants a test case.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, thereās over 2m of them and itās about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog thatās quite a bit lower than I would have expected
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, thereās over 2m of them and itās about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog So Claude is "Jia Tan as a Service"?
-
@GossiTheDog @deliberately_me oh goodie. Our global repository has been compromised by a worm.
@GossiTheDog @deliberately_me or actually a nearly infinite number of worms.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, thereās over 2m of them and itās about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog Is Claude a real person
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, thereās over 2m of them and itās about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog Holy yikes.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, thereās over 2m of them and itās about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog may this boost contribute to the fall of the AI bubble
-
@GossiTheDog protip, go to https://github.com/claude and click on Block User and you will see a helpful warning banner on any github repo that contains code from it.
@joeyh @GossiTheDog having checked this, i'm finding that on various repos it gets listed as having contributed, but then seemingly doesn't show up in any commits, issues or prs when you search for it. what's going on?
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, thereās over 2m of them and itās about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog it's been fun digging through this pile of shit
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, thereās over 2m of them and itās about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog I wish more of these fucking vibe coding agent bullshits used the co-authored-by tag, so that
- I can block them
- you can search for shit like this
Gli ultimi otto messaggi ricevuti dalla Federazione
-
Beth Humphreys šŗ (@producrgrl.bsky.social)
https://bsky.app/profile/producrgrl.bsky.social/post/3mezlpwlqhs2s
> #handsoff #nokings #ReleaseALLthefiles #EpsteinFiles #lovemyGov #itsthefuckingguns #midterms26 #getridofElectoralCollege #TheEpsteinBallroom #blackhistorymonth Release ALL the files NOW 25th Ammendment NOW Abolish ICE NOW ššš
-
Punk Rock History (@punkrockhistory.bsky.social)
https://bsky.app/profile/punkrockhistory.bsky.social/post/3mezpkl3i5s2j
> 47 years ago today BlondieĀ scored their first UK No.1 album when 'Parallel Lines' started a four-week run at the top of the charts, featuring the singles 'Heart Of Glass', 'Hanging On The Telephone' and 'Sunday Girl #blondie #poppunk #newwave #punkrockhistory #otd
-
Lāordine pubblico del governo a caccia di giovani | il manifesto
https://ilmanifesto.it/lordine-pubblico-del-governo-a-caccia-di-giovani
> Diritti (Commenti) Come avviene lāarresto di un manifestante indagato per scontri di piazza? Di solito gli agenti arrivano a notte fonda o alle prime luci dell'alba, entrano in casa mai in meno di quattro con passamontagna e pettorine, lāadrenalina ĆØ quella del blitz. Quando una dozzina di agenti tra Digos e Ros alle 4.30 di notte si
-
La Germania non partecipa, nel rispetto della Costituzione | il manifesto
https://ilmanifesto.it/la-germania-non-partecipa-nel-rispetto-della-costituzione
> Germania (Internazionale) Nein danke. Puntuale, secca, inequivocabile ĆØ la risposta di Berlino alla suggestione diffusa da Roma sul possibile coinvolgimento del governo tedesco nel Board of Peace su Gaza del presidente Usa. Al contrario dell'Italia, la Germania non parteciperĆ in alcuna veste al nuovo organismo di governance mondiale costruito da Donald Trump, Ā«nĆ© come partecipante, nĆ© come
-
Ā«Stupidi e ciechi reazionariĀ». Impressioni di febbraio
@anarchia
Che lo sgombero di Askatasuna non potesse vedere che una risposta partecipata ed energica, era praticamente scontato. Non solo per il carattere āstoricoā del centro sociale ā e la militarizzazione permanente del quartiere Vanchiglia che ĆØhttps://www.rivoluzioneanarchica.it/stupidi-e-ciechi-reazionari-impressioni-di-febbraio/
-
60W Pocket Cloud is a microSD card reader for your smartphone with USB PD passthrough (Crowdfunding)
60W Pocket Cloud is a smartphone microSD card reader with 60W USB PD passthrough that works with Android (USB-C) and iOS (USB-C or Lightning) mobile devices, as well as other hosts with a spare USB port. Once upon a time, smartphone manufacturers would include a microSD card socket in their devices, but those have now become harder to find. If your deviceās spare storagā¦
https://www.cnx-software.com/2026/02/17/60w-pocket-cloud-microsd-card-reader-for-your-smartphone-with-usb-pd-passthrough/
-
@InternetEh the 00s somehow were even worse for music than the 90s.
-
Inps, parlare con te ĆØ unāesperienza
Una (lenta) conversazione surreale che ho avuto:
