Today in InfoSec Job Security News:

I was looking into an obvious ../.. vulnerability introduced into a major web framework today, and it was committed by username Claude on GitHub. Vibe coded, basically.

So I started looking through Claude commits on GitHub; there are over 2m of them, and that's about 5% of all open source code this month.

https://github.com/search?q=author%3Aclaude&type=commits&s=author-date&o=desc

As I looked through the code I saw the same class of vulns being introduced over and over again, several a minute.
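As an added illustration of the `../..` class the post above refers to (example code written for this page, not from the framework or commit mentioned, and `BASE_DIR` is a hypothetical document root): a naive path join beside a containment check, plus a helper you can point at any join to see whether it escapes.

```python
import os
from pathlib import Path

# Hypothetical document root for a static-file handler (assumption, not from the page).
BASE_DIR = Path("/srv/app/static")


def vulnerable_resolve(base: Path, requested: str) -> Path:
    """The pattern that keeps getting committed: join user input straight onto the base.

    pathlib neither normalises ".." nor rejects an absolute right-hand operand, so
    "../../etc/passwd" walks out of `base` and "/etc/passwd" replaces it entirely.
    """
    return base / requested


def safe_resolve(base: Path, requested: str) -> Path:
    """Canonicalise the joined path and require that it still lies under `base`.

    `requested` must already be URL-decoded exactly once; checking before decoding
    lets "%2e%2e/" through, decoding twice lets "%252e%252e/" through.
    """
    base_real = base.resolve()
    # Absolute input would discard `base` in the join; NUL bytes truncate C-level opens.
    if "\x00" in requested or requested.startswith(("/", "\\")):
        raise PermissionError(f"rejected request path: {requested!r}")
    candidate = (base_real / requested).resolve()
    # After resolve(), both "../" segments and symlink hops show up as a path outside base_real.
    try:
        candidate.relative_to(base_real)
    except ValueError:
        raise PermissionError(f"path traversal blocked: {requested!r}") from None
    return candidate


def escapes_base(base: Path, requested: str) -> bool:
    """True when the naive os.path.join of `requested` lands outside `base` after normalisation.

    Handy as a quick oracle over a list of request paths pulled from logs or a fuzz corpus.
    """
    naive = os.path.normpath(os.path.join(str(base), requested))
    return os.path.commonpath([str(base), naive]) != str(base)


if __name__ == "__main__":
    # Constructed request paths, not real traffic.
    for req in ("css/site.css", "../../etc/passwd", "/etc/passwd", ".."):
        print(f"{req!r:22} naive={vulnerable_resolve(BASE_DIR, req)!s:40} escapes={escapes_base(BASE_DIR, req)}")
```

The containment check works on the resolved path rather than on the input string, so it also catches a symlink inside the document root that points elsewhere; a string filter for `..` alone would not.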

@GossiTheDog so would you consider this mass accidents or a targeted supply-chain attack?
@DJGummikuh @GossiTheDog The purpose of a system is what it does. IMO these are not accidents.
@nihkeys @DJGummikuh @GossiTheDog I don't think that phrase allows for incompetency in design. The purpose is what was intended, not what actually results. There is a distinction.

@draeath @nihkeys @DJGummikuh @GossiTheDog If it was an accident, or incompetence, then it would be rapidly corrected.

If it's not rapidly corrected, then it is the purpose.

@Azuaron @draeath @nihkeys @DJGummikuh @GossiTheDog That assumes that the technology to fix it even exists.

For all I know, the companies behind coding LLMs don’t want it to produce insecure code, but do not know how to make it produce secure code.

@alwayscurious @draeath @nihkeys @DJGummikuh @GossiTheDog I do not assume that. I guess an unstated corollary is that it would be rapidly corrected or decommissioned.

But, that doesn't change the purpose of the system. The purpose of a system is always what it does, with a short grace period to allow for corrections.

For instance, there was a law that was almost put into place in New Hampshire that was supposed to doubly punish anyone who killed a pregnant woman, but not prohibit abortion. The version of the bill that passed both legislative houses unintentionally made murder legal for pregnant women. Not just abortion, but the murder of anyone. Once this was noticed, and before the governor signed it, the legislature went into overdrive to correct the bill. An alternative solution would have been for the governor to veto the bill.

The purpose of the New Hampshire government was not to allow pregnant women to legally kill anyone they wanted.

If New Hampshire legalized murder by the pregnant, then afterward threw up their hands and said, "Woe is us! It was an accident! There's nothing we can do!" who would take them seriously?

The beauty of the "The purpose of a system is what it does" framework is you no longer have to read someone's mind or listen to their disingenuous protestations. You don't need, for instance, to know if the companies behind coding LLMs "want" them to produce insecure code. Their wants, stated or otherwise, are completely irrelevant.

You might say, the purpose of the "The purpose of a system is what it does" framework is to head off that kind of dissimulation.

@Azuaron @draeath @nihkeys @DJGummikuh @GossiTheDog There are cases where a system can have unintended consequences that are not its purpose.

A simple example is that various forms of government regulation impose extra overhead on businesses. The purpose of the regulations is usually something else, such as improving safety or protecting the environment. If the goal was to impose extra overhead, taxation would be a much simpler approach. Imposing overhead is a necessary but unwanted side-effect in this case.

The purpose of a system is what it does - Wikipedia

@nihkeys @Azuaron @draeath @DJGummikuh @GossiTheDog I don’t think that is inconsistent with the idea that systems can have undesired consequences that are not the goals of the system, and that those who operate the system prefer to minimize to the extent possible.

@alwayscurious @Azuaron @draeath @DJGummikuh @GossiTheDog

"minimize to the extent possible."

Maybe they should not push the systems if only the second-order effects are dominant? I honestly haven't seen any "minimization to the extent possible" over the 3.5 years, so I think we're just looking at different things here.

@nihkeys @Azuaron @draeath @DJGummikuh @GossiTheDog Yeah, you’re referring to commercial LLMs, while I’m talking about systems in general.

@alwayscurious @nihkeys @draeath @DJGummikuh @GossiTheDog You're fully missing the point.

The purpose of a system is what it does.

No, it doesn't matter what people say their "intentions" were.

No, it doesn't matter what anyone says their "goals" were.

The purpose of a system is exactly what it does, no more and absolutely no less.

The purpose of business regulation is both the restriction of the regulation and also increased overhead on business, no matter what anyone says about their goals or intentions.

The purpose of a system is what it does. If people had different "goals" or "intentions", they're welcome to change the system. But, the purpose of a system will remain what the system does until the system is changed. Once changed, the purpose of the system is what it does.

The purpose of a system is always what it does, including every part of it that people hate and want changed or minimized.

@Azuaron @nihkeys @draeath @DJGummikuh @GossiTheDog In that case, what is the difference between “purpose” and “effect”?

My understanding is that those two words are not synonyms.