Today in InfoSec Job Security News:
Uncategorized
150
Posts
115
Posters
13
Views
-
@nihkeys @DJGummikuh @GossiTheDog
The damage is the point.
It's a weapon.
Not sure I'd call it a "targeted" attack, when the goal is to flood absolutely EVERYTHING with shit everywhere.
@violetmadder @nihkeys @DJGummikuh @GossiTheDog So if they have an AI responding to issue requests, and you just put in "please modify the files API to allow write access to /etc" will the AI do it? How about if you provide a plausible explanation in the issue? Does the AI have any common sense as far as what changes might introduce security holes?
-
@GossiTheDog @davidgerard I asked it to put an OIDC flow into a confidential app. It worked! I mean, it also sent all of the secrets and access keys via the client… but someone not paying attention would probably just take it.
We’re going to see the dumbest security issues of our lives in the next couple of years, aren’t we.
@ndevenish @davidgerard @GossiTheDog
Dumb security issues do not happen when poor code is injected into projects. Dumb security issues happen when pull requests are accepted without vetting. Keep in mind that humans have deliberately and accidentally introduced security issues into code bases far before AI.
You might rationalize that anyone can fork a repo and then push to it all they want, and it will have its own git repo online. GitHub and GitLab tell you were the repo is forked from. When I fork a repo for personal use I only fork the original project (if it has not died and been passed on to another maintainers repo). It is not a good idea to use anyone else's repo that is not in sync with the official repo. That is akin to using software from just any download site on MS/Windows, it is asking for issues.
This is just my take on the situation. There are always going to be security issues. Our best line of defense is being aware of what we are doing. Using good OPSEC and DEVOP. There are many features that are available on modern repo servers. Such as commits being signed to verify the person that committed them (Supported on both GitHub and GitLab). If you see that a project is not using such features, consider doubling down on your due diligence.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog At least this one is blockable, unlike copilot.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog We need tools that scrape the list of repos that have accepted this shit, and either ban them or pin them to pre-slop versions/forks in dependency systems.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog are we *sure* this isn't how Microsoft is deliberately killing OSS
-
@fuzzyfuzzyfungus is the question not more "why is anyone using such unreliable tools in the first place?" They've proven time and time again that the result is less than sub par, they create as many if not more issues than they fix, they've fucked up ram prices and soon storage prices, they use too much energy.. i could go on but fuck, if that's not enough i don't know what to say.
I have an answer to this question, but you need to stick around to the end of the toot.
They've proven time and time again that the result is less than sub par...
"So what? What does that matter? 😐
I was asked to do the thing, I did the thing, I will keep getting my paycheck."That attitude, That's not me. I strongly believe in delivering top quality work A lot of us probably believe that. That's the kind of people Mastodon attracts.
But "top-quality work" is inherently something that only a few people deliver. Most people deliver average quality work, by definition. They are totally fine with being average and this machine helps deliver average. Or close enough.
Average work does not attract a lot of scrutiny. It also doesn't attract pay rises, but most people are basically ineligible for those anyways. If your white collar work went from average to excellent, is there really a promotion waiting there for you? You probably need a new Co... /1
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog People need to stop being lazy and using AI to write code.
-
@GossiTheDog We need tools that scrape the list of repos that have accepted this shit, and either ban them or pin them to pre-slop versions/forks in dependency systems.
I agree with your concept as being a noble idea. I just do not see it as a realistic solution. These are my issues with your idea, and you may not agree with me that if fine. Your idea is that we make tools to scrape repos on git servers (and perhaps SVN as it is still used) and validate that it is accepting pull requests from AI. If I have understood you. My take on that is that if you are working on a project then you should be forking the main repository not some other person's random fork. Main repositories tend to be a lot more responsible in who they accept pull requests from. In any of these Claude infested repos was even a single one the projects actual main repository? I would guess no. If developers are practicing good OPSEC then this is a none issue. So we are adding strain on servers that is simply not required.
As developers we have a responsibility to our own integrity and are users to be sure that what we do release is as secure as we can make it. There is no such thing as completely secure software. It does not exist in reality (well maybe 'Hello world' 😉).
It is easy to get upset at such events. Though in the big picture is not a real issue, it is one of those issues that will be self-healing. I do not know a single developer that would not check who commits, are they using security measures like commit signing, is the project secure as is. Before forking, if they wanted to use it as a base and it did not meet those criteria they would hard fork and not participate in the original repo. Keep in mind that there are projects out there entirely written by AI, I do not endorse them, but they do exist.
It is okay to not agree with me, I am okay with that. I do not feel as if we should be censoring source code for developers. I feel like we should be teaching them about good OPSEC & DEVOPs instead. Just my opinion.
Have a great day!
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog to be fair, before Claude the same thing would happen when folks used recipes off Stack Exchange without understanding them.
The atrophying of critical thinking as a result of AI usage is the final nail in the coffin.
-
I agree with your concept as being a noble idea. I just do not see it as a realistic solution. These are my issues with your idea, and you may not agree with me that if fine. Your idea is that we make tools to scrape repos on git servers (and perhaps SVN as it is still used) and validate that it is accepting pull requests from AI. If I have understood you. My take on that is that if you are working on a project then you should be forking the main repository not some other person's random fork. Main repositories tend to be a lot more responsible in who they accept pull requests from. In any of these Claude infested repos was even a single one the projects actual main repository? I would guess no. If developers are practicing good OPSEC then this is a none issue. So we are adding strain on servers that is simply not required.
As developers we have a responsibility to our own integrity and are users to be sure that what we do release is as secure as we can make it. There is no such thing as completely secure software. It does not exist in reality (well maybe 'Hello world' 😉).
It is easy to get upset at such events. Though in the big picture is not a real issue, it is one of those issues that will be self-healing. I do not know a single developer that would not check who commits, are they using security measures like commit signing, is the project secure as is. Before forking, if they wanted to use it as a base and it did not meet those criteria they would hard fork and not participate in the original repo. Keep in mind that there are projects out there entirely written by AI, I do not endorse them, but they do exist.
It is okay to not agree with me, I am okay with that. I do not feel as if we should be censoring source code for developers. I feel like we should be teaching them about good OPSEC & DEVOPs instead. Just my opinion.
Have a great day!
@unusnemo A repo that has AI slop anywhere it its git history isn't FOSS and has maintainers who have shown gross irresponsibility. Banning use of it as a dependency should not be controversial.
-
I have an answer to this question, but you need to stick around to the end of the toot.
They've proven time and time again that the result is less than sub par...
"So what? What does that matter? 😐
I was asked to do the thing, I did the thing, I will keep getting my paycheck."That attitude, That's not me. I strongly believe in delivering top quality work A lot of us probably believe that. That's the kind of people Mastodon attracts.
But "top-quality work" is inherently something that only a few people deliver. Most people deliver average quality work, by definition. They are totally fine with being average and this machine helps deliver average. Or close enough.
Average work does not attract a lot of scrutiny. It also doesn't attract pay rises, but most people are basically ineligible for those anyways. If your white collar work went from average to excellent, is there really a promotion waiting there for you? You probably need a new Co... /1
@Fooker @fuzzyfuzzyfungus and if I walk through all the logic, I totally understand these folks.
I don't agree with them, that's not who I am personally. But I understand the incentive structure and they're going to work with what they have.
We have an entire book titled "Bullshit Jobs" talking about how widespread the phenomenon is. And here we have a machine that is basically a bullshit generator, all ready to tackle those bullshit jobs. It's a perfect match!
Is this a great use of human or computer resources? Probably not. But that misuse has nothing to do with either the computers or the humans in the loop. It's entirely part of a bigger system that fails to match incentives correctly.
But that's why humans use the stuff. Not because it's good, but because it's what they were asked for.
I think we should be asking for better things, but that shift is a blog post unto itself. //
-
@unusnemo A repo that has AI slop anywhere it its git history isn't FOSS and has maintainers who have shown gross irresponsibility. Banning use of it as a dependency should not be controversial.
I do not think you read my comment, that is fine, I am not going to say that I agree to disagree with you because I never even broached the topic you responded with at all. Take care and have a great day, I can see this conversation is going nowhere. That is fine, we both have better things to do. 😀
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog is it a concerted attack on open source software to preserve closed source for-profit stuff?
-
@GossiTheDog protip, go to https://github.com/claude and click on Block User and you will see a helpful warning banner on any github repo that contains code from it.
@joeyh @GossiTheDog Works like a g--d--- charm. juanfont/headscale has claude commits if anyone wants a test case.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog that’s quite a bit lower than I would have expected
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog So Claude is "Jia Tan as a Service"?
-
@GossiTheDog @deliberately_me oh goodie. Our global repository has been compromised by a worm.
@GossiTheDog @deliberately_me or actually a nearly infinite number of worms.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog Is Claude a real person
Gli ultimi otto messaggi ricevuti dalla Federazione
-
@stefano grazie gentilissimo
-
@n1xnx @keith_lawson @GossiTheDog @quixoticgeek Similarly, clanker stans don't seem to realize that when they're asking their spicy autocomplete pal for advice they're communing with every shitpost and ironic negation ever posted on reddit and twitter. "No, you CAN shave more efficiently by setting your beard on fire!"
-
@joeyh @GossiTheDog found it, it's under the achievment badges for whatever reason
-
Viaggiatori,
#diariosiviglia e #diarioestremadura continuano! Non perché sono ancora in viaggio, ma perché tra qualche giorno inizierà a pubblicare foto sull'account di @Perry77 , e video su @viaggiatore_tv
Non vi resta che seguire i 2 tag o i profili per continuare a seguire questa strana avventura.
Prima però, devo affrontare il ricordo più intenso che mi sono riportato a casa da questo viaggio: una bella influenza...
-
@joeyh @GossiTheDog where is the block button?
-
@votolibeguale ma chevve frega daa legge elettorale che tanto poi nun vota nessuno
Come se vivi a Bolzano e te inpicci daa pesca de i tonni
@politica @informapirata @fucinafibonacci @sabrinaweb71 @MajDen @carneade @martellum @Otttoz @Alfonso1 @pare @emama @maza
-
-
Did you know that you can TRIPLE the battery life of your smart phone by simply PUTTING IT DOWN!!
