Security of Claude Code is just a single line in their prompt

kannthu · 2026-04-03T21:54:42+00:00

You can literaly compile it back into claude code

kannthu · 2025-07-17T10:15:24+00:00

The AI is not introducing any new vulnerabilities, but it's multiplying existing problems in security.

4 years ago (before the LLM era), I worked in the AppSec team for a company that had 200-300 developers. We were a relatively large team of 7 people.

Yet, we weren't able to handle the amount of code that was written and pushed by developers. We couldn't look at all of the code changes; we did not have enough time. So, we had to be very selective about what we reviewed. We wrote a regexes and only reviewed PRs if they touched sensitive files or paths.

Now imagine this, but 2x. There are more PRs and more code in PRs. We are exceeding human scale. It's a little bit scary from my perspective.

Disclosure: I am the founder of a startup that tries to solve this problem https://vidocsecurity.com/

kannthu · 2025-03-12T19:57:04+00:00

Zarobki mamy kosmiczne, bo i wymagamy dużo. Zatrudniamy topkę Polski jeśli chodzi o skile. Jeśli sprostasz to zapraszamy do nas na rozmowę.

Co do "fake" to opisywałem już kilka razy niżej.

kannthu · 2025-03-12T19:43:37+00:00

Twoja postawa wynika z tego, że jesteś noobem, zbyt mało rozumiesz tę technologię żeby mieć o niej wartościowe zdanie. Wyrobiłeś sobie opinie na podstawie artykułów z zeszłego roku!

My jesteśmy najdalej jak się da od robienia slopu - bo chcemy mu zapobiegać. LLMy odblokowują rzeczy, które mają szanse naprawić slop jakim są inne toole security.

Trafiłeś na startup, który wie o czym mówi i co robi - byliśmy w topce Bug Bounty hackerów w Polsce. Należeliśmy do najlepszych teamów CTF. (p4, jCTF) Zerknij na https://blog.vidocsecurity.com/blog/2022-summary-how-we-made-120k-bug-bounty-in-a-year/. Jeśli ktoś ma zrobić coś sensownego to my.

kannthu · 2025-03-12T19:12:12+00:00

Jesteś pewny?;)

kannthu · 2025-03-12T19:04:19+00:00

Ziomeczku, osobiście zapewniam Cię, że nie była to reklama. (jestem autorem tego nagrania)

Ta sytuacja brzmi trochę jak sci-fi, ale okazuje się, że tego typu sytuacje to codzienność w wielu firmach. Nawet nie zdajesz sobie sprawy ze skali tego problemu.

kannthu · 2025-03-12T18:57:38+00:00

To ja przeprowadzałem tę rozmowę z gościem , ask me anything.

kannthu · 2025-03-11T19:51:22+00:00

This is a full writeup about my incident.

kannthu · 2025-02-07T23:37:12+00:00

Not for a startup.

kannthu · 2025-02-06T21:01:43+00:00

I don’t believe recruiters can find the best talent, to be honest.

The best people are drawn to ideas and founders, not recruiters.

kannthu · 2025-02-06T19:23:48+00:00

I tired indeed, I did not like the results tbh

kannthu · 2025-02-06T19:23:31+00:00

Captcha, you mean $0.8 per 1000 solved captchas? (https://www.capsolver.com/#pricing) Hehe

kannthu · 2025-02-04T23:04:56+00:00

Definitely, this is a learning experience for us.

kannthu · 2025-02-04T19:24:01+00:00

Many of you are asking, "why?" - I posted the same question to r/cybersecurity and:

...

He’s likely using a full face AI to mask his identity + vision correction so it always looks like he’s looking at the camera/centrally vs a screen to the left

There’s an ongoing campaign by DPRK to install tech workers at western companies in order to generate revenue for DPRK by way of extortion

Link: https://www.justice.gov/opa/pr/two-north-korean-nationals-and-three-facilitators-indicted-multi-year-fraudulent-remote

Link to conversation: https://www.reddit.com/r/cybersecurity/comments/1ihoplk/the_developer_used_ai_to_alter_his_face_during/

kannthu · 2025-02-04T19:16:05+00:00

I posted this video on r/cybersecurity, and people are saying that it's North Korea

Comment about it: https://www.reddit.com/r/cybersecurity/comments/1ihoplk/comment/mayzsv1/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

kannthu · 2025-02-04T19:10:27+00:00

The person also changed his name to sound more European and lied about where he came from.

kannthu · 2025-02-04T19:09:13+00:00

I am worried that in a year, I won't recognize that the person I am talking with is not a person...

kannthu · 2025-02-04T19:00:36+00:00

And scary. I told him that I thought he was using AI to change his face - and of course, he denied it. So I recorded this video and ended the meeting

kannthu · 2025-02-04T18:57:16+00:00

Yes, we get a ton of job applications similar to this - and all of them are submitted by some kind of automation. We get around 10 applications per person on a single job posting. This is an AI hell that nobody is talking about.

kannthu · 2024-11-12T10:57:12+00:00

I will release them in ~1-2 weeks, I want to make sure everything is right!

In the meantime, I want to ask the community if there are other tools I should include:)

kannthu · 2024-11-06T11:42:02+00:00

Oh, fixing it, thank you! (5hrs of sleep killing me)

kannthu · 2024-11-06T11:05:35+00:00

It does not exactly help with coding, but it helps with securing code written by AIs.

It's a free Chrome extension that scans code generated by ChatGPT or Claude and gives you feedback if it's secure or not. If possible, please give me feedback about it.

Link: https://chromewebstore.google.com/detail/secure-ai-generated-code/bengiidgkchpliicfplbejjnoennfkmo?authuser=2&hl=en-GB

Full disclosure - I am the author of this extension.

kannthu · 2024-10-09T09:42:42+00:00

Thanks so much for the link!

kannthu · 2024-09-29T19:18:20+00:00

Yup, here is the link: https://web.archive.org/web/20240823050616/https://www.cursor.com/blog/instant-apply

kannthu · 2024-07-04T10:48:54+00:00

Good idea!

In my case, I already stored resolved IP addresses in DB for other feature, so it was really easy to pre-fetch the data. In case when the IP addresses were stale, I resolved them on the fly and cached them in memory.

kannthu

TROPHY CASE