Today in InfoSec Job Security News:

draeath

@badsamurai @da_667 @GossiTheDog I've seen setups that run tests and such all in a closed loop, I suppose if one really wanted to "use" this shit, they could implement that sort of thing too.

It'll cause a shedload more token use (and electrical waste) but might mitigate some of the idiocy.

Alan Langford 🇨🇦🧤🧊摏

@cR0w @GossiTheDog Where "a sufficient number" is defined as 125% of all existing and future security practitioners, certified or not.

draeath

@nihkeys @DJGummikuh @GossiTheDog I don't think that phrase allows for incompetency in design. The purpose is what was intended, not what actually results. There is a distinction.

Daniel Lakeland

@GossiTheDog
The real question is why does a bot have commit privileges on a "major web framework"?

i mean the answer is probably because google owns the repo probably... but why?

draeath

@s_bergmann @GossiTheDog I like how AIDER uses co-authors, so you can't escape from blame. All these tools should be doing similar!

Violet Madder

@nihkeys @DJGummikuh @GossiTheDog

The damage is the point.

It's a weapon.

Not sure I'd call it a "targeted" attack, when the goal is to flood absolutely EVERYTHING with shit everywhere.

Alun Jones

@GossiTheDog fault injection into production code at scale. Nice.

spinnyspinlock

@GossiTheDog I became used to checking projects I am checking out for claude (etc) in the source files and commits really fast

Petr Tesařík

@etchedpixels Bug bounties? You know nothing about business…
You set up a giant scam tool, let venture capital pay for its development, then use it to hack the world and sell all of it:

license the tool,
hacked applications,
vulnerability scanning,
protection racket from affected companies.

That' how real capitalists do business.
@GossiTheDog

John Lusk

@etchedpixels @GossiTheDog

Gahhh. Takes a little effort to imagine LESS rewarding work.

Keith Lawson

@GossiTheDog This was literally the first major security mistake I made in my early days as a Perl developer and I don't imagine it's that uncommon. Claude has probably been trained with a truckload of code with these vulnerabilities.

That's okay because we run everything in single-purpose Docker containers now though, right? /s

Rachel

@GossiTheDog@cyberplace.social I wonder across the industry how common is it for orgs to skip static code analysis, or other code vulnerability scans as part of their pipelines? Even then how many of those scans are actually effective?

Looks like AI is potentially an insider threat, and code generated by it has to be treated accordingly, even in the case of it being generated by project members and "reviewed"

Bradley

@da_667 @GossiTheDog

spinnyspinlock

@GossiTheDog I see it, could probably start a threat intelligence business off the claude feed ‍️

Eric Likness

@GossiTheDog

That Claude is a "clod", and boy does Claude get around I tell ya'.

Claude is everywhere you want an exploit to be.

fuzzyfuzzyfungus

@draeath @badsamurai @da_667 @GossiTheDog That's what amazes me about the "hallucinated citations" stories. Making bots not hallucinate is certainly not readily feasible, quite possible infeasible in practice; but just checking citations one at a time for existence would have been cutting edge in maybe the 1960s. Why is anyone skipping such trivial cleanup steps when using a known-unreliable tool?

claudex

@GossiTheDog in a few months, the user creation and password management will be a solved problem, every software will have a semi-public backdoor that everybody will use

kpcyrd 🏴

@GossiTheDog what was the vulnerability you found in those search results over and over? I only get html and css stuff when I click that link.

B'ad Samurai 🐐🇺🇦

@draeath

These MFers yeet DIRFT (Do it right the first time) and TQM principles to play hooky on the plinko and demand you call them a genius.

@da_667 @GossiTheDog

Anthony

@GossiTheDog@cyberplace.social An instance of eating the seed corn, I'd say ( https://buc.ci/abucci/p/1705679109.757852 ).