Block the merge when a PR ships a vulnerability: a CI security gate with Synapse
I have a simple rule when I work with a team: if a vulnerability makes it into main, the process...
找到 559 篇相关文章
I have a simple rule when I work with a team: if a vulnerability makes it into main, the process...
Nine months ago I wrote a post on here claiming my ENS identity architecture had reached "85% Knowledge Panel trigger probability." Two things happened since. Google's Knowledge Graph actually minted an entity node for me. And I learned that the 85% number was fiction — mine. This is the honest retrospective. The timeline, with receipts Date What happened Aug 2025 ookyet.com first indexed Oct 2025 Entity markup shipped: Person @graph , Dentity verification, ENS identifiers. The "85%" post Jun 2026 Search Console turned red: Q&A errors, Profile page: Invalid object type . Cleanup Jun 28, 2026 Fixed markup deployed. Then: hands off Jul 2, 2026 Knowledge Graph Search API returns a machine-minted Person node for ookyet Jul 7, 2026 Search Console fully green: ProfilePage valid, indexed pages up, zero 404s Still no Knowledge Panel. Keep reading — that part matters. What Google actually built You can reproduce this: curl "https://kgsearch.googleapis.com/v1/entities:search?query=ookyet&limit=10&key=YOUR_API_KEY" { "result" : { "@id" : "kg:/g/11z806my44" , "name" : "Qifeng Huang" , "@type" : [ "Person" ] } } Three details in that tiny response taught me more than anything I shipped in 2025. The /g/ MID is machine-minted. You can't register one, buy one, or submit one. Google's entity reconciliation creates it when enough independent sources agree that a person exists. This is the mechanical prerequisite for a Knowledge Panel — the entity has to exist in the graph before anything can be displayed about it. The node's name is my real name, not my handle. My site declares name: "ookyet" . The node says "Qifeng Huang" — pulled from the high-authority anchors (LinkedIn, ORCID), not from my self-declaration. Third-party corroboration outweighs anything you say about yourself. Expected, and honestly a relief: the graph is working as designed. The Knowledge Graph holds 8 distinct people named Qifeng Huang. Query any of them by real name and you get a crowded namespace. Query ookyet
Part 1 of "Trust the Machine" -> a series on building AI infrastructure that is secure, compliant, and governable by design. Most organizations can produce an accurate catalog of the web services they operate. Far fewer can produce an equivalent catalog of the AI systems they run — the models, fine-tunes, retrieval pipelines, agents, and third-party AI APIs now embedded throughout their products and internal tooling. This asymmetry defines the state of AI security in 2026. Adoption has outpaced oversight. Industry reporting this year has described a surge in enterprise AI activity on the order of 83% year over year, with governance and visibility lagging well behind. The consequence is a large and only partially mapped attack surface — one that many organizations cannot fully enumerate, let alone defend. Every mature security program rests on a single first principle: you cannot protect what you cannot see. Artificial intelligence is no exception. Before threat-modeling an agent or authoring a guardrail, an organization must be able to answer a deceptively difficult question: what AI is running across the environment, and who is accountable for it? This post examines how to build that answer. The rise of shadow AI Shadow IT — the unsanctioned adoption of tools outside official channels has been a recognized challenge for decades. Shadow AI is its faster-moving successor, and it appears in more forms than most inventories are designed to detect: Embedded API calls. A product team integrates a hosted model in a few lines of code and an API key, with no formal review. Copilots and assistants enabled across existing SaaS platforms, frequently activated by the vendor rather than the customer. Fine-tunes and adapters trained on internal data and stored in locations that fall outside standard scanning. Agents and automations that have incrementally acquired the ability to act—filing tickets, sending communications, initiating transactions—one permission at a time. Model de
I spend a lot of time preaching architecture and constraints, so it is always nice when a side project gives me receipts. Adding this new feature to DumbQuestion.ai was a good reminder that a well-structured first version lets you spend your next iteration on value, not repair. Below, you will find a few relatively simple challenges and how thoughtful, upfront design made the changes effortless. To vibe or not to vibe ... Many developers jump right in and just rip out an app, ship fast, let the coding agent sort it out, come back and deal with it later. To be fair, that absolutely can get you to first release faster. But even on a solo project, a little proper SDLC discipline pays back later when you want to extend the product without turning every feature into a rescue mission, which is a theme that already runs through how I have been building DumbQuestion.ai. Extend this to the enterprise and you turn a little upfront effort into potential huge savings on token spend Roasting starup pitches (for sport) ... The core idea for Startup Roast was simple enough: take a startup pitch, roast it, and add a reality-check section so the output is not just mockery for mockery’s sake. To illustrate (and avoid just vaguely describing the feature) I picked a random but highly upvoted pitch from Product Hunt: Vida . Vida, which pitches itself as an “AI clone” that learns how you work, remembers what matters, and becomes a “second you,” with early use cases like Reply Rescue, Prompt Rescue, Resume Rescue, Workspace Cleanup, and Daily Wrap. This is a pretty common target use case of agentic AI making it a solid candidate. If you want to skip ahead, here's an example roast for Vida. Combining a preliminary web "market search" into the content yielded a result that was not just sarcastic, but informed. The roast hit the obvious AI-clone positioning, questioned whether the product was really a clone versus a macro suite, and then turned the market context into a sharper Reality Check
Open source models’ success isn’t coming at the expense of frontier labs. Instead, they each seem to capture two phases of the same life cycle.
Google's new phones could feature glowing LEDs and higher price tags.
Google's upcoming event in August will introduce new Pixel devices.
Google's next Pixel event will be August 12 at 6pm ET.
Google is hosting its next Made by Google launch event for Pixel hardware on August 12th in New York City, according to an invitation sent by Google to The Verge. Unusually, the event is taking place in the evening: It'll kick off at 6PM ET that day. The email also includes a brief animation teasing […]
Male dragonflies' dramatic aerial combat maneuvers emerge from relatively simple vision-based rules.
The U.S. Army has fixed two of its websites that were hacked to display messages calling President Trump a "pedophile" and a "thief."
Google is going to give content creators and website owners a better idea of how people find their social media profiles and YouTube content through Search. With a new feature in the Google Search Console called "platform properties," Google says that you'll be able to "easily track which search terms lead people to your Instagram, […]
The Problem When building BotForge, our AI no-code chatbot platform, we needed a retrieval system that could handle messy, real-world user queries — typos, partial phrases, semantically similar-but-differently-worded questions. A naive vector search alone wasn't good enough. It's powerful but brittle to out-of-vocabulary terms and exact keyword lookups. The Solution: Four-Tier Parallel Retrieval We ran four retrieval strategies simultaneously using Promise.all\ , then merged results with a weighted scoring function. \ javascript const [semanticResults, textResults, regexResults, fuzzyResults] = await Promise.all([ semanticSearch(query, embeddings), // weight 1.8x mongoFullTextSearch(query), // weight 1.5x regexKeywordSearch(query), // weight 1.0x fuzzyPerWordMatch(query), // weight 0.6x ]) \ \ Tier 1: Semantic Search (1.8× weight) Using Gemini gemini-embedding-2\ to produce 3072-dimensional vectors , we compute cosine similarity against stored document embeddings. This catches meaning — "how do I reset my login?" matches "account recovery options" even with no shared words. Tier 2: MongoDB Full-Text Search (1.5× weight) A native MongoDB Atlas text index for fast, exact keyword hits. Great for technical terms, product names, and precise phrases. Tier 3: Regex Keyword Matching (1.0× weight) Each significant word in the query is compiled to a case-insensitive regex. Catches partial matches and hyphenated variants. Tier 4: Fuzzy Per-Word Matching (0.6× weight) Levenshtein distance matching per query word — handles typos and misspellings like "configuraton" → "configuration". Weighted Score Merging Each result carries a base score from its retrieval strategy. We deduplicate by chunk ID, sum scores across strategies, and sort descending: \ javascript function mergeResults(tiers, weights) { const scoreMap = new Map() tiers.forEach((results, i) => { results.forEach(({ id, score, chunk }) => { const weighted = score * weights[i] scoreMap.set(id, { chunk, total: (scoreMap.get
Most backtests lie to you. Not intentionally. But they lie. You design a strategy, run it on historical data, and watch the returns look incredible. Then you run it live — and it underperforms a simple buy-and-hold from day one. The math wasn't wrong. The data was. If you're: testing momentum or mean-reversion strategies in Python, building quant tools for personal or professional use, or tired of backtests that collapse the moment real execution begins, This changes how you work. TL;DR What this covers: Backtesting trading strategies in Python using EODHD's historical OHLCV data API Stack: requests , pandas , numpy — no heavy frameworks (no backtrader, no vectorbt) Scripts included: Script 1 — Fetch adjusted historical price data from EODHD Script 2 — SMA crossover strategy (20/50-day) Script 3 — RSI mean-reversion strategy Script 4 — Performance metrics: Sharpe ratio, max drawdown, win rate EODHD pricing: Free tier available; full access from $19.99/month Best for: Developers and analysts who need reliable, split/dividend-adjusted data without scraping The Problem with Free Data Most developers start with Yahoo Finance or a scraped CSV. That works fine for a quick prototype. It stops working the moment your strategy includes anything that happened around a stock split, dividend payment, or ticker change. Non-adjusted price data creates ghost signals. A stock "drops 50%" when it actually split 2:1. Your moving average calculates a crossover that never happened in real life. Your strategy looks profitable because it's trading on a data artifact. The free path costs you accuracy. And in backtesting, accuracy is the whole point. The Fix Is Simpler Than You Think The real bottleneck isn't the strategy logic. It's the data source. Use split- and dividend-adjusted closing prices from a reliable provider, and half your backtest reliability problems disappear before you write a single signal. EODHD APIs provides exactly this. Their historical data endpoint returns adjusted
Not sure this will have any effect, but I support the effort: According to Google’s legal filing, Outsider Enterprise operates through Telegram. The group offers phishing-as-a-service to individuals who may not be technically savvy enough to set up fraudulent websites and text campaigns on their own. In its Telegram channels, Outsider Enterprise reportedly provided instructions on how to use Google’s Gemini AI to create websites that imitate those of Google, YouTube, and government agencies such as New York’s E-ZPass. The group offered nearly 300 scam templates...
Fortunately, it shouldn't take too much extra space.
This story originally appeared in The Algorithm, our weekly newsletter on AI. To get stories like this in your inbox first, sign up here. OpenAI CEO Sam Altman’s oft-discussed promise that Americans will share in the wealth AI creates was in the news again last week. On Thursday, the Financial Times reported that Altman is in…
PSA: A change to Google's privacy settings let it train its AI on more of your data. Here's how to opt out.
Todo dev brasileiro que já precisou consultar CNPJ conhece o dilema: ou você usa uma API que faz proxy da Receita (3 a 10 segundos por consulta, quando não cai), ou baixa o dump de dados abertos e monta a própria base — e descobre que "baixar um CSV" era a parte fácil. Eu montei a própria base. Este post é o diário honesto do que funcionou, do que quebrou e dos números reais — 217 milhões de linhas servidas em ~10ms de p50 dentro do datacenter, num Postgres de 1 vCPU. A arquitetura em uma frase Não consulte a Receita em tempo real. Ingira o dump mensal e sirva da sua infra. O resto é decorrência. Receita (dump mensal, ~6GB zip) ──▶ ingestão Go (COPY) ──▶ Postgres ──▶ API (chi) CGU (CEIS/CNEP, zip diário) ──▶ job diário ──┘ O dump da Receita: as pegadinhas que ninguém documenta O layout oficial existe, mas o que quebra parser de verdade é o que está fora dele: Encoding latin1 (ISO-8859-1) — acento vira lixo se você ler como UTF-8. Em Go: charmap.ISO8859_1.NewDecoder() num transform.Reader streaming. Decimal com vírgula ( "1000000,00" ) e datas YYYYMMDD onde 0 e 00000000 significam nulo. CNPJ quebrado em 3 colunas (básico 8 + ordem 4 + DV 2). A chave de junção entre empresas, estabelecimentos e sócios é o básico — errar isso custa um dia. As partições 0–9 não se alinham entre arquivos. O estabelecimento da partição 3 pode ser de uma empresa da partição 7. Foreign key rígida entre as tabelas = COPY quebrando no meio da carga. A solução: sem FK; a integridade vem da fonte. Bytes NUL ( 0x00 ) no meio dos dados. O Postgres rejeita NUL em text . Um strings.ReplaceAll(s, "\x00", "") no parser economizou três recargas. Desde jan/2026 o repositório é um Nextcloud do SERPRO+ com WebDAV público — dá pra listar meses com PROPFIND e baixar com o token do share como usuário. Adeus, scraping. COPY ou morte A diferença entre INSERT em lote e o protocolo COPY não é incremental — é outra categoria. Com pgx.CopyFrom e lotes de 50k: 28,1 milhões de empresas em 1m28s (~320k linhas/s) num
France is accelerating its transition to post-quantum encryption: France’s cybersecurity agency ANSSI said on Tuesday it would stop certifying security products that lack quantum-resistant encryption, a move that will force government bodies and critical operators to shift away from older systems. Samih Souissi, ANSSI’s chief of staff, said at the France Quantum conference that the agency would halt such certifications from 2027, and that businesses should be buying only quantum-safe products by 2030. ANSSI approval is required for use in French government agencies and critical infrastructure, making the policy a de facto phase-out of older encryption...