Today in InfoSec Job Security News:
-
@n1xnx @GossiTheDog Especially earlier in my career, I could easily have been taken in by thinking I'm getting actual help from a "friend" who wants to join me on the project and I'd have not really looked into it too much.
A lot of these projects are just peoples' hobbies that blow up...you know, or fail to. When they do blow up the developer(s) can end up severely overworked and frankly inexperienced for dealing with the management part.
So yeah...this is going to be a disaster.
@crazyeddie @GossiTheDog
Sigh. Yes, that makes perfect sense.I remember reading commentary back in the 1980s to the effect that automating a (business) process doesn't make it BETTER, it just makes its existing failure modes happen FASTER, often with the result that the humans who were able to cope with those failures when they came at a human rate are now overwhelmed by them occurring at the speed of computer processing.
It was true then for paper-based accounting, and it's true now for collaborative software projects.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog But think about the AI-powered "security researchers". They can now use their AI models to find these vulnerabilities and create 8.2 severity issues to fix it again.
It's like that picture with the circular economy between Nvidia and OpenAI and Microsoft, but with 0days!
-
@GossiTheDog https://github.com/claude right now showing "Something went wrong, please refresh the page to try again." Yeah, dude.
@vlkr @GossiTheDog I get the same behavior here and can go to other profiles just fine
No public repos. Something went wrong.
I guess it could just be that I picked a particularly irrelevant profile to compare against but it did show up just fine without any error.
Could also be that it's too sudden a shift in interest in that particular user.
-
@GossiTheDog what's funny to me, is that there were influencers on linkedin a few days ago claiming claudecode could find vulnerabilities in code faster than humans, and they're like "look at all these openssl vulns it found!" now I'm like. "well no shit its finding vulnerabilities, when its the one introducing them."
@da_667 @GossiTheDog and I’ve been seeing several posts in the past 48 hours that say that A”I” vuln scanners aren’t finding most of them.
Almost makes me wonder if there’s a two-pronged attack here. Introduce them and ignore them.
-
@GossiTheDog ladies and gentlemen, it's this stupid shit (tm) that we are paying up the ass for new SSDs and RAM for.
@da_667 @GossiTheDog I have 5 500MB HDDs that are now probably worth thousands.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog could you explain what the vulnerability is?
-
I mean, if climate change becomes fixed eventually there won't be any more cancer, so they aren't completely wrong.
@fennix @thomasfuchs @GossiTheDog If climate change is not fixed there will also be no more cancer.
-
@GossiTheDog what's funny to me, is that there were influencers on linkedin a few days ago claiming claudecode could find vulnerabilities in code faster than humans, and they're like "look at all these openssl vulns it found!" now I'm like. "well no shit its finding vulnerabilities, when its the one introducing them."
@da_667 @GossiTheDog every single arsonist would love to be a fireman. Now with Claude you can too. Lol
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog
This is more and more feels like a coordinated attack on FOSS by the big software. -
Makes me wonder if this is a effort by "closed source" to disrupt/poison/discredit open source?
@c64whiz @GossiTheDog not possible; these places are not coordinated enough for even one of them to orchestrate something like this, much less invent the poison pill they intend to give everyone. forget about any cross-company collaboration on something like this. people fight over C++ ISO committee decisions, and they WANT to work together, and they already know what is needed, there is no way any for-profit businesses came up with "AI", got people to buy into it (more than their own products even) and trick everyone into introducing bugs into their own code.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog protip, go to https://github.com/claude and click on Block User and you will see a helpful warning banner on any github repo that contains code from it.
-
@crazyeddie @GossiTheDog
Sigh. Yes, that makes perfect sense.I remember reading commentary back in the 1980s to the effect that automating a (business) process doesn't make it BETTER, it just makes its existing failure modes happen FASTER, often with the result that the humans who were able to cope with those failures when they came at a human rate are now overwhelmed by them occurring at the speed of computer processing.
It was true then for paper-based accounting, and it's true now for collaborative software projects.
@n1xnx @crazyeddie @GossiTheDog That was a classic problem with "computerize this workflow." The consultants would go in and document the formal process. Then they would draw their flowcharts and data flow diagrams, and the coders would replicate the formal process in code.
But with the paper process, you could write notes in the margins of the form, and the code didn't capture that.
You could line out wrong entries, but the program didn't capture that.
So the code wasn't usable, and you 1/3
-
@GossiTheDog protip, go to https://github.com/claude and click on Block User and you will see a helpful warning banner on any github repo that contains code from it.
@joeyh @GossiTheDog Oh no
*well*
Guess I'm staying on the version I have. -
@n1xnx @crazyeddie @GossiTheDog That was a classic problem with "computerize this workflow." The consultants would go in and document the formal process. Then they would draw their flowcharts and data flow diagrams, and the coders would replicate the formal process in code.
But with the paper process, you could write notes in the margins of the form, and the code didn't capture that.
You could line out wrong entries, but the program didn't capture that.
So the code wasn't usable, and you 1/3
@n1xnx @crazyeddie @GossiTheDog spent a couple of years and a lot of money modifying the code to handle all the exceptions that humans just took care of.
I ran into that at a restaurant. Tried to order online and there was no way to do any ingredient substitutions, so I had to call in and explain to a human.
Computer based processes also let badguys exploit holes in the exception handlers that humans would notice. The book "Catch Me If You Can" is a classic example with check routing. 2/3
-
@fennix @thomasfuchs @GossiTheDog If climate change is not fixed there will also be no more cancer.
@pier @thomasfuchs @GossiTheDog
That was the joke; I was using a different form of the word "fixed".
Either way, gallows humour.
-
@n1xnx @crazyeddie @GossiTheDog spent a couple of years and a lot of money modifying the code to handle all the exceptions that humans just took care of.
I ran into that at a restaurant. Tried to order online and there was no way to do any ingredient substitutions, so I had to call in and explain to a human.
Computer based processes also let badguys exploit holes in the exception handlers that humans would notice. The book "Catch Me If You Can" is a classic example with check routing. 2/3
@n1xnx @crazyeddie @GossiTheDog You could change one digit to route a "local" check clear across the country, and then it would be mailed back, taking over a week for the check to bounce. Funds were available in three days.
The best automations are not based on cloning the old process, but rather a rethink of the entire problem. Ex: container shipping. They did not invent a robot longshoreman, but instead reconsidered the problem of moving stuff.
Or you automate only the easy part: ATMs. 3/3
-
@da_667 @GossiTheDog I will create the viruses and then sell my antivirus product to protect you
@Drat @da_667 @GossiTheDog pay llm to introduce bugs then pay llm to find and fix and then pay llm to detect the ones they didn't find and fix. win win win.
-
@GossiTheDog @deliberately_me oh goodie. Our global repository has been compromised by a worm.
@GossiTheDog @deliberately_me @perigee GitHub is also the training set for many different AIs including Copilot.
Maybe it is also an attack on Copilot.
As a global repo, we should try to go elsewhere - like Codeberg.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
Claude contributes 0% of any of the repos I use. Though, I will keep an eye on that. Why are pull requests being accepted without analysis? These repos themselves are suspect that they we do so.
-
R AodeRelay shared this topic
-
@da_667 @GossiTheDog and I’ve been seeing several posts in the past 48 hours that say that A”I” vuln scanners aren’t finding most of them.
Almost makes me wonder if there’s a two-pronged attack here. Introduce them and ignore them.
@zarchasmpgmr @da_667 @GossiTheDog Or msybe introduce 20 vulnerabilities and show off by then finding 10 of them giving a false sense of competence.
