@GossiTheDog
This more and more feels like a coordinated attack on FOSS by big software.
@hittitezombie @GossiTheDog I could totally see that. Like they're trying to get this Claude to mess up the FOSS projects' code enough that it'll force some people back into the arms of Big Software.
-
@zarchasmpgmr @da_667 @GossiTheDog Or maybe introduce 20 vulnerabilities and show off by then finding 10 of them, giving a false sense of competence.
@cxj @zarchasmpgmr @da_667 @GossiTheDog 2016 AI thinkers: AI cannot possibly take over the world, because there just aren't enough security holes to give you root on all nuclear submarines in 30 seconds
2026 AI thinkers: hey AI, can you add security holes to my nuclear submarines?
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
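The post above describes a "../.." (path traversal) bug without showing the code. As an added illustration, not code from the framework or from the author, here is the shape that class of bug usually takes in Python, next to a hardened version. The base directory and request paths are constructed for the example; the defence resolves the joined path and checks it is still under the base by path components, not by string prefix, so "/srv/app/static2" is not accepted as inside "/srv/app/static".

```python
import os
from pathlib import Path
from typing import Optional


def serve_file_vulnerable(base_dir: str, user_path: str) -> str:
    """The traversal pattern: user input joined onto a base directory with no check.

    "../../etc/passwd" walks out of base_dir, and an absolute user_path makes
    os.path.join discard base_dir entirely.
    """
    return os.path.join(base_dir, user_path)


def resolve_under_base(base_dir: str, user_path: str) -> Optional[Path]:
    """Hardened form: return the resolved path only if it stays under base_dir.

    pathlib's relative_to() compares path components, so a sibling directory
    whose name merely starts with the base ("/srv/app/static2") is rejected,
    which a plain str.startswith() prefix test would get wrong.
    """
    base = Path(base_dir).resolve()
    try:
        # An absolute user_path replaces `base` in the join; ".." segments are
        # collapsed by resolve(), so the escape is visible in the final path.
        candidate = (base / user_path).resolve()
        candidate.relative_to(base)          # raises ValueError if outside base
    except (ValueError, OSError):
        return None
    return candidate


def traversal_examples(base_dir: str = "/srv/app/static"):
    """Constructed request paths (example data): which ones survive the check."""
    requests = [
        "css/site.css",                # ordinary request, allowed
        "css/../img/logo.png",         # ".." that stays inside base, allowed
        "../../etc/passwd",            # classic traversal, rejected
        "css/../../../../etc/passwd",  # deep traversal, rejected
        "/etc/passwd",                 # absolute path, rejected
        "../static2/secret.txt",       # sibling-prefix trick, rejected
    ]
    return {req: resolve_under_base(base_dir, req) for req in requests}


if __name__ == "__main__":
    for req, resolved in traversal_examples().items():
        print(f"{req!r:35} -> {resolved}")
```

Run it and compare with what `serve_file_vulnerable` returns for the same inputs; the difference between a rejected request and a path that silently lands in /etc is the whole bug.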
Oh, man. Oh, oh, oh.
But as soon as somebody blocks every PR from AI or created with AI support the wailing starts.
-
@joeyh @GossiTheDog Having checked this, I'm finding that on various repos it gets listed as having contributed, but then seemingly doesn't show up in any commits, issues or PRs when you search for it. What's going on?
@0x9E01 @GossiTheDog I've seen it in a repo that had only Co-Authored-By: Claude, which a usual commit search won't find.
It may also flag repos that have a PR that got edited by the bot along the way, I'm not sure.
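The reply above points out that a Co-Authored-By trailer is invisible to an author search. One local check, added here as an example rather than anything from the thread, is to dump `git log` with record and field separators and match the trailers yourself. The command, the field layout, the sample log and the "claude|copilot" pattern are all this example's own assumptions; the sample commits are constructed.

```python
import re
import subprocess
from typing import Dict, List

# Assumed git invocation: one record per commit, terminated by 0x1E, with
# fields (sha, author, full body) separated by 0x1F so multi-line bodies survive.
GIT_LOG_CMD = ["git", "log", "--format=%H%x1f%an <%ae>%x1f%B%x1e"]

# Trailer lines are matched case-insensitively; git itself treats them that way.
TRAILER_RE = re.compile(r"^Co-Authored-By:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE)


def parse_git_log(raw: str) -> List[Dict[str, object]]:
    """Split the separator-delimited log into commits with their co-author trailers."""
    commits = []
    for record in raw.split("\x1e"):
        record = record.strip("\n")
        if not record.strip():
            continue
        sha, author, body = record.split("\x1f", 2)
        commits.append({
            "sha": sha,
            "author": author,
            "body": body,
            "coauthors": TRAILER_RE.findall(body),
        })
    return commits


def find_ai_coauthored(commits: List[Dict[str, object]], pattern: str = r"claude|copilot") -> List[str]:
    """Return shas whose author or any Co-Authored-By trailer matches `pattern`."""
    pat = re.compile(pattern, re.IGNORECASE)
    hits = []
    for c in commits:
        in_trailer = any(pat.search(ca) for ca in c["coauthors"])
        if in_trailer or pat.search(c["author"]):
            hits.append(c["sha"])
    return hits


def git_log_records(repo: str) -> str:
    """Run the assumed git command against a real checkout (needs git on PATH)."""
    return subprocess.run(GIT_LOG_CMD, cwd=repo, check=True,
                          capture_output=True, text=True).stdout


# Constructed sample output, not from any real repository. The first commit
# carries only a trailer, which is exactly what an author: search misses.
SAMPLE_LOG = (
    "a1b2c3\x1fJane Doe <jane@example.org>\x1f"
    "Fix static file handler\n\nCo-Authored-By: Claude <claude@example.invalid>\n\x1e\n"
    "d4e5f6\x1fJane Doe <jane@example.org>\x1fBump version\n\x1e\n"
    "0badf00d\x1fclaude <claude@example.invalid>\x1fAdd download endpoint\n\x1e\n"
)


if __name__ == "__main__":
    for sha in find_ai_coauthored(parse_git_log(SAMPLE_LOG)):
        print(sha)
```

Point `git_log_records` at a checkout and feed the result to `parse_git_log` to run the same check on a real history; the trailer match is what catches commits that the GitHub author search skips.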
@GossiTheDog
Looks like Claude is pasting the first result from Stack Overflow as well then -
Reminds me of this paper from a year ago.
https://arxiv.org/abs/2502.17424
LLM trained (fine tuned) on code with security vulns, but not told it was vulnerable code, not only reproduced vulnerable code (expected) but also showed spontaneous ethical misalignment "judgment" in other domains.
It's a really interesting read.
If the model is producing OWASP top 10 errors like directory traversal, would seem likely it was trained on vulnerable code.
Hmmm.
-
@violetmadder @nihkeys @DJGummikuh @GossiTheDog
It targets the concept of FLOSS as a whole. And the good ol' idea of "Open Source means better software because everyone can read the source code". Flood the zone with slop.
@musevg @nihkeys @DJGummikuh @GossiTheDog
Yes. And it targets the entire internet, everything good that flows through it. Education, communication, creativity, news. Community. Truth.
Wherever they can't fully enclose the commons, they'll POISON it just to take it from us.
-
@GossiTheDog protip, go to https://github.com/claude and click on Block User and you will see a helpful warning banner on any github repo that contains code from it.
@joeyh @GossiTheDog where is the block button?
@joeyh @GossiTheDog found it, it's under the achievement badges for whatever reason
-
I keep pointing out to my coworkers that these clankers are trained on StackOverflow posts that contain code examples followed by "here's what I wrote, why doesn't it work?"
@n1xnx @keith_lawson @GossiTheDog @quixoticgeek Similarly, clanker stans don't seem to realize that when they're asking their spicy autocomplete pal for advice they're communing with every shitpost and ironic negation ever posted on reddit and twitter. "No, you CAN shave more efficiently by setting your beard on fire!"
-
@GossiTheDog It is interesting that these changes are attributed to a "user named Claude" and not to the "human using the agent named Claude". This is how diffusion of responsibility works, I guess.
@s_bergmann@chaos.social @GossiTheDog@cyberplace.social @marcel@waldvogel.family @tante@tldr.nettime.org re: Diffusion of responsibility: The admins at Facebook were once people, but all named Facebook. The admins at Twitter were once people, but all named Twitter and now all named X. Now all people who use Claude to generate software are named Claude. At Wikipedia, everyone always had their own account. Every admin has an individual account. There are bots, but they are assigned to a human account.
-
@GossiTheDog who could have ever imagined that automating copy/paste from stackoverflow (with a disgustingly energy intensive blender in the middle) would emit shit? Gasp.
-
@GossiTheDog As someone who gets paid to find and point out bugs to human developers, I have to say that LLMs are producing work for me at a pace humans truly couldn't.