ippsec

4.6K posts

@ippsec

Joined December 2016
364 Following, 122.8K Followers
Pinned Tweet
ippsec@ippsec·
Looking for a video on a specific hacking technique/tool? Check out ippsec.rocks - Searches over 100 hours of my videos to find you the exact spot in the video you are looking for.
Marshall';--🐼🍌@MJHallenbeck·
Is there a DVWA for Kubernetes? I swear there was a good one but I can't find it...
ippsec@ippsec·
The HackTheBox Sorcery Video is up! An extremely long video, but for good reason, there were a lot of tough parts of this box. My favorite part was near the beginning, when we had an XSS Bug and had to use CSRF to MITM PassKey Enrollment youtu.be/aFa1ike_Q7I
ippsec@ippsec·
I can't seem to find any examples on your timeline at least within the last week. Again I don't doubt it, but I'm pretty tired of just seeing negative takes on things that have reasonable explanations. I just empathize a lot with the employees trying to manage and correct things when there is an overflow of random crap that gets started by a couple of YT/Twitch people that ought to know better but fell victim to the instant gratification hate/clickbait can bring. Then when they do finally find/fix the problem and try to be transparent just get more crap flung at them. All that does is discourage them from being open in the future.
Marshall';--🐼🍌@MJHallenbeck·
@ippsec @HackingDave I don't think Boris was one of them though, but I think he interacted with @HackingDave in good faith, I didn't read the whole exchange though, Dave might be able to provide more info.
Dave Kennedy@HackingDave·
Mfers were telling me it's a skills and prompt issue. You all look super silly right now. 25 years developing, I know what I'm doing - finally acknowledged. I'm glad they are trying to address this, but a month to get this out is crummy. I do appreciate all the fine folks at Anthropic innovating and doing cool stuff - I hope these types of issues are addressed faster in the future. Appreciate y'all.
ClaudeDevs@ClaudeDevs

Over the past month, some of you reported Claude Code's quality had slipped. We investigated, and published a post-mortem on the three issues we found. All are fixed in v2.1.116+ and we’ve reset usage limits for all subscribers.

ippsec@ippsec·
@MJHallenbeck @HackingDave Have Anthropic employees gaslit people? Or is that just the algorithm amplifying hate? I could be wrong, but I don't think I ever saw someone like Boris say there isn't a problem. Just try to debug via X which is a noble but impossible effort, so they direct people to /feedback
ippsec@ippsec·
Yeah, but "exact public build" could mean a lot of things. Modification could be as simple as pointing to nightly models or something. Which is backed up by the following paragraph of them targeting specific models. I'm not saying there wasn't an issue, definitely was. I just hate all the quick negative takes when people are trying to do good.
Marshall';--🐼🍌@MJHallenbeck·
@ippsec @HackingDave Did you read their article? They said they were not using the same thing as the public but will be doing a bunch of improvements to their testing pipeline now.
ippsec@ippsec·
I think that could be a gross oversimplification. It is equally as likely they weren't impacted as much because they "use it properly", which partially masked the problem. I'd imagine their pre/post hooks among many other things look vastly different than the normal person, which could mask the problem slightly.
ippsec@ippsec·
@MJHallenbeck @HackingDave Easy to point fingers but I’m not sure Claude being vibe coded is a bad thing. Vibe coding does seem like a major goal of theirs, so eating their own dog food does help them in the long run. I’m pretty sure “department being disconnected” can be said about any large company.
Marshall';--🐼🍌@MJHallenbeck·
@HackingDave Pretty embarrassing it took them this long to fix it. It's obvious their entire product is vibe coded and the model people are disconnected from everything else.
ippsec@ippsec·
I can't believe it's almost been a year since I covered Device Code Phishing with @odiesec. We almost didn't make this video because M$ released plans to "fix this issue" and seemed like they were on top of it. Sad to see it is still being abused - youtube.com/watch?v=Y8SSYL…
John Hammond@_JohnHammond

Wild story on a big AI-powered social engineering campaign, leveraging Device Code phishing to steal Entra ID/Microsoft accounts -- all with entirely unique and personalized per-victim lures from vibecode-crafted infrastructure 🤯 Video link below cuz the X algorithm hates me: 👇

ippsec@ippsec·
@HackingLZ I used to laugh at "baselines" -- Until I burned a couple days trying to figure out why my paid C2 wasn't working on a client. Turned out to be the first client I came across that enabled "Windows FIPS Mode" and it was blocking XOR. Standard security hardening, does wonders lol.
Justin Elze@HackingLZ·
I would probably rant less if I didn't have to deal with "The sky is falling what should our strategy be for all this impending 0day..." Well you might want to finish rolling out MFA and finish that EDR deployment first...
ippsec@ippsec·
@Ahqg46 @dhulqab Probably, but I don't think that is AI's fault, it is a cycle that has repeated itself many times; researchers are always falling out of the public to favor small groups.
ahqg46@Ahqg46·
@ippsec @dhulqab I think many people will move to small cyber groups instead of sharing their best work for free, which is totally understandable. Let’s see how this affects the quality of publicly accessible AI.
ippsec@ippsec·
There is a lot of mythos hype and while I do think it will be better, I don’t think it will be orders of magnitude better or even proportional to its cost better. At the end of the day, marketing is going to market. Everything I have read has been more exploits, not discovery. I think that word plays a big part but maybe I’m overthinking it. I know of a lot of times opus (or a combo of models), can find an exploit, be confident it is valid, but fail at building an exploit due to a failed primitive (ex: kaslr in kernel bugs). Without that proof, it goes on the back burner decimating tokens until it hits the lottery. There’s so many vulnerabilities being found right now, it’s hard to prioritize when its severity is an assumption. It’s probably been 6 months since the last major update, I’m guessing mythos knows more primitives. So when it’s launched it will look at notes left behind and get lots of credit when it worked off notes opus left behind and did a fraction of the work. About the “it’s so dangerous” comments. I think that is primarily it not listening to the operator, doing things it shouldn’t to accomplish its goal. At that point it makes sense to do a closed beta, expand testers and try to make it obedient. While that happens, cash in on publicity of doing the right thing and saying it’s too smart to go public. While true, it could be a little deceptive but as I said. Marketing is going to market.
ippsec@ippsec·
@paulhshort @theo And this is A\ which does have some questionable decisions, especially recently. Normally user safety issues like they are the most sane.
ippsec@ippsec·
@paulhshort @theo Assumptions are dangerous, note I don't really see this as a bad thing and I like the note that it’s possible with Claude Code, which is the really dangerous part. User education is important and my pnt is ppl are buying things without reading, just assumed safe due to popularity.
Theo - t3.gg@theo·
I got the email too. Anthropic is on a sentiment suicide speed-run right now
budrscotch@paulhshort·
@ippsec @theo You know they have Teams and enterprise subscription plans... Right?
Tib3rius@0xTib3rius·
It's team sports now. If you're team Claude, prepare to deal with team Codex. These models have had "can make mistakes" plastered all over them for years. That plus criticism is fine. Experience is based on so many contributing factors. Like I said earlier, I haven't noticed any issues with Claude's abilities like you have, but we probably have very different workflows.
Dave Kennedy@HackingDave·
Dude Claude is total trash - seen massive degrading of code quality, bugs, and more over the past several weeks. This week, I can’t even use it or rely on it to complete basic bug fixes or implementations. Codex has been performing substantially better. Anyone else?
ippsec@ippsec·
@deadvolvo Depends on your definition of cost. Probably around $600-850/m in subscriptions to be extremely effective (using all the frontier models). Which sounds like a lot until you look at the bounties that you can throw it at (ex: KernelCTF) and get a chance. High risk, high reward
d3d aka dead (dead, мёртв, 死了)
@ippsec For sure, and I know these models are starting to thrive in SAST and source analysis, so this approach to testing makes sense for maintainers or those who have a vested interest in finding bugs in their product code, but cost is always a factor to get these results it seems.
ippsec@ippsec·
@NickADobos It would be much slower, lose a lot of context between commands, etc. I’m sure there are still edge cases that would make open claw worth it, but I’d guess most that try open claw and Claude code would just stick to Claude code.
ippsec@ippsec·
Their current price model (and all competitors) is not scalable. So each new model does seem like it costs them more when people fully utilize the subscription. Would not surprise me if compute does factor into when they release mythos or whatever they called it. Also pretty sure subscription users to any Frontier AI are not the customers (as much as we like to think we are). IMO they want the data it can collect, and running harnesses doing the same task 24/7 doesn’t give them any new data.
Ravonus@R4vonus·
Then stop competing with all these products and create a great AI interface that can create prices that makes sense. Their current price model is no way going to find anyone besides the top enterprise companies and those companies can’t just swap AI on as fast as smaller companies.
Ravonus@R4vonus·
@claudeai I'd think this would be more believable if you didn't have tools in house that still support all of this usage or trying to clone your tools to do all of this. This wouldn't be as big of a sting IMO if you were focused on just the AI interface layer instead of all these apps as well. Let the builders interface with your AI, figure out how to charge based on demand and stop this two way street.