Today in InfoSec Job Security News:
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog Not just bad vibes, but the *same* bad vibes repeated endlessly!
-
Makes me wonder if this is a effort by "closed source" to disrupt/poison/discredit open source?
@c64whiz @GossiTheDog
This was honestly my first thought.The vast majority of the tv-news-watching public barely understands computers as it is through no real fault of their own as they have been spoonfed "magic and mystery" since the dialup days.
The distinction of "open source = MORE dangerous than big company software" would be very easy for a front of united major media outlets owned by a handful rich folks to spread and most people will not be equipped to tell facts from misinformation.
How well have those open source legal protections been working against the "smart TV" industry? I'd bet every TV holding shelf I hit at Wal-Mart will be stocked with misappropriated GPL code and no source distribution.
This is the same tactic major corps use to obtain IP for themselves.
Lock up the originator in tedious, costly busywork (typically legal, claiming infringement to start a costly time-consuming trial, for most corps) and then when the originator can't handle it and collapse under the weight of it all, the corps take the product as their own.
Tying up repos with vulnerabilities that might not get noticed just might work out well for the major software outfits in the long run.
It's reprehensible and a little more haphazard, but it sure looks awfully familiar.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog
Aaaahhh!
Who is giving clankers commit privileges to their repositories? Seems like an obvious failure of project management. -
@GossiTheDog This was literally the first major security mistake I made in my early days as a Perl developer and I don't imagine it's that uncommon. Claude has probably been trained with a truckload of code with these vulnerabilities.
That's okay because we run everything in single-purpose Docker containers now though, right? /s
I keep pointing out to my coworkers that these clankers are trained on StackOverflow posts that contain code examples followed by "here's what I wrote, why doesn't it work?"
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
This is just starting to sound like a cyber attack.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog This kind of basic stuff is easily caught by any free static analysis tool. There's no excuse to not be running one in one's repo, vibe-coded or not.
-
@da_667 @GossiTheDog I wish that juice actually existed...
@Drat @da_667 @GossiTheDog It does. In the form I was really fond of it's $50 per 750 ml and makes you say stupid shit like, "GASP...that's really smooth...." and then shove your head up your ass.
But I'm actually sick to death of that kind of oblivion. The shit I have to unsee just keeps adding up as does the shame of letting shit pass by unopposed.
-
@Drat @da_667 @GossiTheDog It does. In the form I was really fond of it's $50 per 750 ml and makes you say stupid shit like, "GASP...that's really smooth...." and then shove your head up your ass.
But I'm actually sick to death of that kind of oblivion. The shit I have to unsee just keeps adding up as does the shame of letting shit pass by unopposed.
-
@GossiTheDog
Aaaahhh!
Who is giving clankers commit privileges to their repositories? Seems like an obvious failure of project management.@n1xnx @GossiTheDog Especially earlier in my career, I could easily have been taken in by thinking I'm getting actual help from a "friend" who wants to join me on the project and I'd have not really looked into it too much.
A lot of these projects are just peoples' hobbies that blow up...you know, or fail to. When they do blow up the developer(s) can end up severely overworked and frankly inexperienced for dealing with the management part.
So yeah...this is going to be a disaster.
-
@draeath @badsamurai @da_667 @GossiTheDog That's what amazes me about the "hallucinated citations" stories. Making bots not hallucinate is certainly not readily feasible, quite possible infeasible in practice; but just checking citations one at a time for existence would have been cutting edge in maybe the 1960s. Why is anyone skipping such trivial cleanup steps when using a known-unreliable tool?
@fuzzyfuzzyfungus is the question not more "why is anyone using such unreliable tools in the first place?" They've proven time and time again that the result is less than sub par, they create as many if not more issues than they fix, they've fucked up ram prices and soon storage prices, they use too much energy.. i could go on but fuck, if that's not enough i don't know what to say.
-
@n1xnx @GossiTheDog Especially earlier in my career, I could easily have been taken in by thinking I'm getting actual help from a "friend" who wants to join me on the project and I'd have not really looked into it too much.
A lot of these projects are just peoples' hobbies that blow up...you know, or fail to. When they do blow up the developer(s) can end up severely overworked and frankly inexperienced for dealing with the management part.
So yeah...this is going to be a disaster.
@crazyeddie @GossiTheDog
Sigh. Yes, that makes perfect sense.I remember reading commentary back in the 1980s to the effect that automating a (business) process doesn't make it BETTER, it just makes its existing failure modes happen FASTER, often with the result that the humans who were able to cope with those failures when they came at a human rate are now overwhelmed by them occurring at the speed of computer processing.
It was true then for paper-based accounting, and it's true now for collaborative software projects.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog But think about the AI-powered "security researchers". They can now use their AI models to find these vulnerabilities and create 8.2 severity issues to fix it again.
It's like that picture with the circular economy between Nvidia and OpenAI and Microsoft, but with 0days!
-
@GossiTheDog https://github.com/claude right now showing "Something went wrong, please refresh the page to try again." Yeah, dude.
@vlkr @GossiTheDog I get the same behavior here and can go to other profiles just fine
No public repos. Something went wrong.
I guess it could just be that I picked a particularly irrelevant profile to compare against but it did show up just fine without any error.
Could also be that it's too sudden a shift in interest in that particular user.
-
@GossiTheDog what's funny to me, is that there were influencers on linkedin a few days ago claiming claudecode could find vulnerabilities in code faster than humans, and they're like "look at all these openssl vulns it found!" now I'm like. "well no shit its finding vulnerabilities, when its the one introducing them."
@da_667 @GossiTheDog and I’ve been seeing several posts in the past 48 hours that say that A”I” vuln scanners aren’t finding most of them.
Almost makes me wonder if there’s a two-pronged attack here. Introduce them and ignore them.
-
@GossiTheDog ladies and gentlemen, it's this stupid shit (tm) that we are paying up the ass for new SSDs and RAM for.
@da_667 @GossiTheDog I have 5 500MB HDDs that are now probably worth thousands.
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog could you explain what the vulnerability is?
-
I mean, if climate change becomes fixed eventually there won't be any more cancer, so they aren't completely wrong.
@fennix @thomasfuchs @GossiTheDog If climate change is not fixed there will also be no more cancer.
-
@GossiTheDog what's funny to me, is that there were influencers on linkedin a few days ago claiming claudecode could find vulnerabilities in code faster than humans, and they're like "look at all these openssl vulns it found!" now I'm like. "well no shit its finding vulnerabilities, when its the one introducing them."
@da_667 @GossiTheDog every single arsonist would love to be a fireman. Now with Claude you can too. Lol
-
Today in InfoSec Job Security News:
I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.
So I started looking through Claude commits on GitHub, there’s over 2m of them and it’s about 5% of all open source code this month.
https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc
As I looked through the code I saw the same class of vulns being introduced over, and over, again - several a minute.
@GossiTheDog
This is more and more feels like a coordinated attack on FOSS by the big software. -
Makes me wonder if this is a effort by "closed source" to disrupt/poison/discredit open source?
@c64whiz @GossiTheDog not possible; these places are not coordinated enough for even one of them to orchestrate something like this, much less invent the poison pill they intend to give everyone. forget about any cross-company collaboration on something like this. people fight over C++ ISO committee decisions, and they WANT to work together, and they already know what is needed, there is no way any for-profit businesses came up with "AI", got people to buy into it (more than their own products even) and trick everyone into introducing bugs into their own code.
