Today in InfoSec Job Security News:
Uncategorized
50
Posts
40
Posters
6
Views
-
@GossiTheDog So you are saying there is a business opportunity following claude around projects with bug bounties 8)
@etchedpixels Bug bounties? You know nothing about business…
You set up a giant scam tool, let venture capital pay for its development, then use it to hack the world and sell all of it:- license use of the tool,
- hacking applications,
- vulnerability scanning,
- protection racket from affected companies.
That' how real capitalists do business.
The tool is called Claude.
@GossiTheDog -
@GossiTheDog So you are saying there is a business opportunity following claude around projects with bug bounties 8)
Gahhh. Takes a little effort to imagine LESS rewarding work.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog This was literally the first major security mistake I made in my early days as a Perl developer and I don't imagine it's that uncommon. Claude has probably been trained with a truckload of code with these vulnerabilities.
That's okay because we run everything in single-purpose Docker containers now though, right? /s
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog@cyberplace.social I wonder across the industry how common is it for orgs to skip static code analysis, or other code vulnerability scans as part of their pipelines? Even then how many of those scans are actually effective?
Looks like AI is potentially an insider threat, and code generated by it has to be treated accordingly, even in the case of it being generated by project members and "reviewed" -
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog I see it, could probably start a threat intelligence business off the claude feed 🙂↕️
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
That Claude is a "clod", and boy does Claude get around I tell ya'. 🏃
Claude is everywhere you want an exploit to be. 🚨
-
@badsamurai @da_667 @GossiTheDog I've seen setups that run tests and such all in a closed loop, I suppose if one really wanted to "use" this shit, they could implement that sort of thing too.
It'll cause a shedload more token use (and electrical waste) but might mitigate some of the idiocy.
@draeath @badsamurai @da_667 @GossiTheDog That's what amazes me about the "hallucinated citations" stories. Making bots not hallucinate is certainly not readily feasible, quite possible infeasible in practice; but just checking citations one at a time for existence would have been cutting edge in maybe the 1960s. Why is anyone skipping such trivial cleanup steps when using a known-unreliable tool?
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog in a few months, the user creation and password management will be a solved problem, every software will have a semi-public backdoor that everybody will use
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog what was the vulnerability you found in those search results over and over? I only get html and css stuff when I click that link.
-
@badsamurai @da_667 @GossiTheDog I've seen setups that run tests and such all in a closed loop, I suppose if one really wanted to "use" this shit, they could implement that sort of thing too.
It'll cause a shedload more token use (and electrical waste) but might mitigate some of the idiocy.
These MFers yeet DIRFT (Do it right the first time) and TQM principles to play hooky on the plinko and demand you call them a genius.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog@cyberplace.social An instance of eating the seed corn, I'd say ( https://buc.ci/abucci/p/1705679109.757852 ).
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog can you please post this also over on LinkedIn for all of the corporate people and CEOs to see?
We can't highlight how much of a liability generator all of this is...
-
@da_667 I demoed that very thing recently. Prompted up a form page and visually I could see a handful of basic JavaScript issues.
Ask Claude to review the code it generated for vulns using OWASP Top 10. And it finds them.
That’s just bonkers. Sure, a lazy initial prompt so it’s all my fault, really.
@badsamurai @da_667 @GossiTheDog Hey, as somebody writing a CTF, it's handy to get randomly introduced vulnerabilities!
-
undefined oblomov@sociale.network shared this topic
Gli ultimi otto messaggi ricevuti dalla Federazione
-
@evan Years ago I was flying from CNF to GIG with a conference mate and CNF is a horrible airport in the middle of nowhere. My mate was the type of person who likes to arrive at the last minute and swore everything would be fine. It wasn’t, we missed the flight and had to wait for the next one, for like 5h - it would be impractical to go back to the city, etc.
This is to say: now I always make a point of arriving 3h early no matter what.
-
@Parolinventate
Non c'è di che... 🤭
-
@Nick44 io sto allenando la mia tolleranza.
-
@martijn knowing me, mine would get left on the train or get stuck somewhere.
-
@evan
Yes, but...- only when the original posts are public or quiet-public.
- with appropriate protections against "ai" scrapers and whatever other prevailing threats of the day.
-
@francina1909 ti capisco che sono nella stessa situazione: parli e sbagli, stai zitto e ti chiedono la tua solo per criticarla... Bisogna avere pazienza nella vita 🤦
-
...
...
Ugh FINE 🙄🙄
I'll rewatch Silicon Valley.
-
@francommit io conosco solo "whereever you will go" e ce l'ho nella playlist sullo smartphone
