Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
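The "../.." bug class the post describes, as an added defender's example that is not from this thread or from any of the projects it mentions: the unchecked join that produces it sits beside a resolver that decodes and canonicalises the request and refuses anything outside the web root. The helper names and the sample requests are constructed for illustration.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote


class TraversalError(ValueError):
    """Raised when a request would resolve outside the served directory."""


def resolve_static_path_unsafe(base_dir: str, requested: str) -> str:
    # The pattern behind the '../..' bug class: join the request onto the
    # web root and serve whatever that names, with no containment check.
    return str(Path(base_dir) / requested)


def resolve_static_path(base_dir: str, requested: str) -> Path:
    # Hardened form (hypothetical helper, not any framework's API): decode
    # once so %2e%2e cannot slip past a textual check, resolve dot segments
    # and symlinks, then require the result to sit at or under the root.
    base = Path(base_dir).resolve()
    candidate = (base / unquote(requested)).resolve()
    if candidate != base and base not in candidate.parents:
        raise TraversalError(f"refusing {requested!r}: resolves outside {base}")
    return candidate


def demo() -> dict:
    # Constructed web root with one file; run the hardened resolver over two
    # benign requests and three traversal shapes a reviewer should expect.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "public"
        root.mkdir()
        (root / "index.html").write_text("<h1>constructed sample</h1>")
        outcomes = {}
        for req in ("index.html", "sub/../index.html", "../../etc/passwd",
                    "%2e%2e/%2e%2e/etc/passwd", "/etc/passwd"):
            try:
                outcomes[req] = resolve_static_path(str(root), req).name
            except TraversalError:
                outcomes[req] = "BLOCKED"
        return outcomes


if __name__ == "__main__":
    # The unsafe join happily hands back a path that climbs out of the root.
    print(resolve_static_path_unsafe("/srv/public", "../../etc/passwd"))
    for req, outcome in demo().items():
        print(f"{req:28} -> {outcome}")
```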
@GossiTheDog can you please post this also over on LinkedIn for all of the corporate people and CEOs to see?
We can't highlight how much of a liability generator all of this is...
-
@da_667 I demoed that very thing recently. Prompted up a form page and visually I could see a handful of basic JavaScript issues.
Ask Claude to review the code it generated for vulns using OWASP Top 10. And it finds them.
That’s just bonkers. Sure, a lazy initial prompt so it’s all my fault, really.
@badsamurai @da_667 @GossiTheDog Hey, as somebody writing a CTF, it's handy to get randomly introduced vulnerabilities!
-
@GossiTheDog If only a significant number of security practitioners could have seen it coming and warned people.
Well I guess this must be what they meant by the saying "only idiots don't learn anything from their failures and smart people even learn from the failures of others, not just their own."
-
I'd invite anyone to enjoy the collection of content at #directoryTraversalMemes
(with @cR0w being a delightful contributor)
-
@GossiTheDog I guess the AI security scanners will clean this up with their automated scan and CVE requests.</joke>
@hughsie @GossiTheDog It’s the circle of life. Extra points if the fix has new vulnerabilities in it!
-
@nihkeys @DJGummikuh @GossiTheDog I don't think that phrase allows for incompetency in design. The purpose is what was intended, not what actually results. There is a distinction.
@draeath @nihkeys @DJGummikuh @GossiTheDog not if you want to understand the system.
https://en.wikipedia.org/wiki/The_purpose_of_a_system_is_what_it_does
-
@GossiTheDog I became used to checking projects I am checking out for claude (etc) in the source files and commits really fast

@spinnyspinlock@infosec.exchange @GossiTheDog@cyberplace.social If github lists claude (or other LLMs) as one of the top contributors I consider that a red flag
-
@GossiTheDog which framework?
-
@GossiTheDog I feel sorry for all the persons named Claude https://github.com/search?q=claude&type=commits
-
@GossiTheDog this happens when people don’t care nor use AI responsibly… we have to do proper reviews EVERY SINGLE TIME
-
@GossiTheDog but... Do these repositories all not have any review processes for their PRs?
-
@GossiTheDog
So just make a bot that goes around behind claude and files a vuln bug and lists the revert as the fix.
-
@GossiTheDog
Nvm these are commits, not prs.
-
Is there a cwe (common weakness enumeration) for AI slop usage already?
-
@da_667 @GossiTheDog took me a while but I finally thought of something :
Who says AI hasn't generated any real value? It's doing wonders for the threat actors
-
@GossiTheDog I'm anti-AI. I used program generators long ago - they didn't work. They aren't maintainable. Major updates required complete rewrites.
Now there's AI. It's a manager's wet dream...until it isn't.
...but look how productive AI is. It can whip out code as fast as a gossip can spread noise. Sure, there will be glitches, but they'll be fixed when found.
What about the $$$$$ liability of glitches that are not found?
-
We don't need Skynet becoming sentient to trigger the End o' Days.
We got Claude, happily vibing/making 2.1M commits while we were asleep.😴
@funnymonkey @GossiTheDog Insert Mickey Mouse as the Sorcerer's Apprentice, and all those animated mops carrying pails of water...