Today in InfoSec Job Security News:
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog@cyberplace.social An instance of eating the seed corn, I'd say ( https://buc.ci/abucci/p/1705679109.757852 ).
-
@da_667 I demoed that very thing recently. Prompted up a form page and visually I could see a handful of basic JavaScript issues.
Ask Claude to review the code it generated for vulns using OWASP Top 10. And it finds them.
That’s just bonkers. Sure, a lazy initial prompt so it’s all my fault, really.
@badsamurai @da_667 @GossiTheDog Hey, as somebody writing a CTF, it's handy to get randomly introduced vulnerabilities!
-
@GossiTheDog I guess the AI security scanners will clean this up with their automated scan and CVE requests.</joke>
@hughsie @GossiTheDog It’s the circle of life. Extra points if the fix has new vulnerabilities in it!
-
@nihkeys @DJGummikuh @GossiTheDog I don't think that phrase allows for incompetency in design. The purpose is what was intended, not what actually results. There is a distinction.
@draeath @nihkeys @DJGummikuh @GossiTheDog not if you want to understand the system.
https://en.wikipedia.org/wiki/The_purpose_of_a_system_is_what_it_does -
@GossiTheDog I became used to checking projects I am checking out for claude (etc) in the source files and commits really fast
@spinnyspinlock@infosec.exchange @GossiTheDog@cyberplace.social If github lists claude (or other LLMs) as one of the top contributors I consider that a red flag
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog which framework?
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog I feel sorry for all the persons named Claude https://github.com/search?q=claude&type=commits
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog this happens when people don’t care nor use AI responsibly… we have to do proper reviews EVERY SINGLE TIME
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog but... Do these repositories all not have any review processes for their PRs?
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog
So just make a bot that goes around behind claude and files a vuln bug and lists the revert as the fix. -
@GossiTheDog
So just make a bot that goes around behind claude and files a vuln bug and lists the revert as the fix.@GossiTheDog
Nvm these are commits, not prs. -
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
Is there a cwe (common weakness enumeration) for AI slop usage already?
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
fuck.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog I'm anti-AI. I used program generators long ago - they didn't work. They aren't maintainable. Major updates required complete rewrites.
Now there's AI. It's a manager's wet dream...until it isn't.
...but look how productive AI is. It can whip out code as fast as a gossip can spread noise. Sure, there will be glitches, but they'll be fixed when found.
What about the $$$$$ liability of glitches that are not found?
-
@funnymonkey @GossiTheDog We don't need Skyntr becoming sentient to trigger the End o' Days.
We got Claude, happily vibing/making 2.1M commits while we were asleep.
-
@funnymonkey @GossiTheDog We don't need Skyntr becoming sentient to trigger the End o' Days.
We got Claude, happily vibing/making 2.1M commits while we were asleep.
@funnymonkey @GossiTheDog Insert Mickey Mouse as the Sorcerer's Apprentice, and all those animated mops carrying pails of water...
-
@funnymonkey @GossiTheDog Insert Mickey Mouse as the Sorcerer's Apprentice, and all those animated mops carrying pails of water...
@carpetbomberz @funnymonkey @GossiTheDog
this. Exactly this.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog That #claude #AI has been created to solve the „we have too much electricity“ problem.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog It's almost like, maybe, only humans should program computers. Computers should not be submitting and merging their own PRs, am I right ?
-
@GossiTheDog It's almost like, maybe, only humans should program computers. Computers should not be submitting and merging their own PRs, am I right ?
@GossiTheDog "AI" is the cryptocurrency of IT.
