今日已更新 339 条资讯 | 累计 19899 条内容
关于我们

标签:#Privacy

找到 128 篇相关文章

AI 资讯

Privacy Isn't a Checkbox — It's Architecture

Privacy isn't a checkbox. It's not a statement in your terms of service. It's not a toggle in your settings app. Privacy is architecture. And most apps get this backwards. The Architecture Test Here's a simple test for any app that claims to be "privacy-first": If your server goes down, can anyone still access user data? If the answer is yes, your privacy is a policy question — not a technical guarantee. You've built a system where trust in the company replaces trust in the code. Every photo cleaner that uploads your images to a server has already failed this test. The moment data leaves your device, privacy becomes something you promise rather than something you enforce . What On-Device Processing Actually Means When we built Swipe Cleaner, we made one architectural decision that defined everything else: zero data leaves the phone . This means: No cloud processing of photos No API calls that transmit image data No server-side storage of any kind Every scan, every classification, every cleanup happens locally The app is 4.7 MB. That's it. There's nothing to hide because there's nowhere to hide anything. Why Architecture Beats Policy Companies spend millions on legal teams writing privacy policies that their architecture contradicts. They collect data "to improve the service" while the service could have been designed to not need that data in the first place. Policy-based privacy Architecture-based privacy "We promise not to misuse your data" "We can't misuse data we never have" Requires ongoing trust Verifiable by anyone Can change with an update to ToS Requires rewriting the entire app Compliance-driven Principle-driven The Trust Problem Here's what I've learned building privacy-focused tools: users can't verify your privacy policy. They can't audit your servers. They can't check if you're actually deleting their data after processing. But they can verify that an app never sends their photos anywhere. They can check network traffic. They can inspect the binary. Tha

2026-07-05 原文 →
AI 资讯

Weaponizing Silence: How to Disappear While Staying Connected

Everyone is talking. Almost no one is thinking. Your morning starts with a vibration, then another, then a pile-on. Slack wants a status update. Instagram wants your face. A group chat you muted in March has resurrected itself to debate brunch. By 9:07 am you have done the emotional labor of a small call center and you have not finished your coffee. We call this being connected. A more honest word is being farmed. The internet does not pay you for your best ideas. It pays you for your fastest replies. Availability became a virtue, then a job description, then a personality. Silence got rebranded as flaking. I decided to rebrand it back, but with better tools. Not the aesthetic digital detox where you post a grainy photo of trees with “offline” in lowercase and then lurk from a finsta. I mean real disappearance. The kind where your work still ships, your people still feel held, your money still moves, and you are simply not there to watch the conveyor belt. You do not need to quit. You need to quit performing presence. The Attention Tax Is Real, and You Are Overdrawn Every ping is a micro-withdrawal from your nervous system. You pay in focus, in mood, in the ability to finish a thought. Platforms collect the interest. Researchers at UC Irvine have been tracking this for years. After an interruption it takes roughly 23 minutes to get back to the original task. The average knowledge worker gets interrupted 80 to 90 times a day. Do the multiplication and you realize most people never actually get back. They just start new half-tasks until bedtime. We treat this like a willpower problem. It is an architecture problem. Your phone is designed to win. You will not out-discipline a trillion-dollar attention refinery. You have to change the plumbing. Silence is not doing nothing. Silence is compound interest for your brain. Ten uninterrupted minutes today becomes a finished essay next week becomes a body of work next year. The people who seem calm are not morally superior. Th

2026-07-04 原文 →
AI 资讯

How to Test OAuth Recovery Emails Without Exposing Real Inboxes

OAuth recovery emails look harmless until you test them the lazy way. A team sends password reset links or recovery codes into one shared mailbox, confirms that something arrived, and marks the job done. From a security view, that test is too weak. It can hide token reuse, wrong-user delivery, or log retention that exposes sensitive account events. For non-production checks, I like using a disposable email address that belongs to one test run. Some teams build that inbox layer themselves, some use tempmailso, but the core principle is the same: isolate the recovery event, inspect it quickly, and delete the evidence you no longer need. That is helpful when Authentication and OAuth changes ship together. Why OAuth recovery emails deserve their own threat model Recovery email tests are not just "did the mail send?" checks. They sit on the edge of account takeover risk, so the message itself matters almost as much as the login flow. A decent threat model for these emails should ask: did the message reach only the intended inbox for this run? does the link or code expire when the product says it does? is the message revealing too much user data in subject lines or previews? can an older token still be used after a new recovery request? do logs or test fixtures keep the recovery secret longer than they should? This is where shared inboxes become dangerous in a subtle way. Even if nobody has bad intent, mixed test data makes it harder to prove which token belonged to which request. The same operational confusion shows up in email change confirmation checks , and it gets worse when the email can restore account access. OWASP recommends testing authentication recovery features with the same care as sign-in and session controls, because weak recovery paths are a common bypass route for stronger primary login defenses: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html A safer test flow for recovery links and codes The cleanest pattern is one inbox

2026-07-04 原文 →
AI 资讯

Testando Fluxos de Verificação por SMS Sem Queimar Números de Telefone Reais

Todo projeto que envolve autenticação via telefone acaba esbarrando no mesmo problema chato: como testar isso de verdade? Você não pode ficar digitando seu próprio número toda vez que roda um fluxo de cadastro. Definitivamente não deveria pedir para os colegas de equipe cederem o deles. E a maioria dos pipelines de CI não tem uma pessoa sentada ali, pronta para ler uma mensagem de texto e digitar o código num formulário. É uma daquelas coisas que parecem pequenas até você estar três sprints dentro de um projeto com 2FA via SMS e perceber que a cobertura de teste desse fluxo inteiro é "testei uma vez, manualmente, antes do almoço". Por Que a Verificação por Telefone É Complicada de Testar A maioria dos fluxos de autenticação de um stack típico é fácil de automatizar. Verificação por e-mail, dá para interceptar com uma caixa de entrada de teste ou um serviço de captura de e-mails. Tokens de sessão, dá para mockar. Redefinição de senha, você controla o loop inteiro. O SMS quebra esse padrão porque o código precisa sair completamente do seu sistema, ser entregue por uma rede de telecomunicação real e voltar antes que o teste possa continuar. Essa ida e volta introduz vários pontos de falha que não têm nada a ver com o seu código: atrasos de operadora, filtros de spam, peculiaridades de entrega por região, limites de taxa. Se você já viu um pipeline de CI falhar numa etapa de verificação por telefone e depois passar numa nova tentativa sem nenhuma mudança de código, é quase sempre por causa disso. O instinto de muitas equipes é pegar um número público gratuito de um dos vários sites de "receber SMS online" para checagens manuais rápidas. Isso funciona bem para uma verificação pontual. Mas desmorona rápido quando você tenta automatizar, porque esses números são compartilhados potencialmente por milhares de outras pessoas usando o mesmo pool. Códigos podem se perder numa caixa de entrada lotada, o próprio número pode já estar bloqueado pela plataforma que você está testand

2026-07-03 原文 →
AI 资讯

Format-preserving encryption for PII in Polars: FF3-1 vs FF1 for RUT, CPF, and DNI

You need to hand a dataset of Chilean RUTs to an outside analytics team. They will join it against other tables by identifier, run the cohort analysis, and hand back a model. They do not need to know, and should never learn, who any of these people are. Asterisk the RUT column and the join dies on contact: **********-K matches every other asterisked RUT in the file. Not almost every one. Every one. You need the same input to reappear as the same output, shaped like a real, check-digit-valid identifier the rest of your schema still recognizes, and eight weeks later, when a fraud investigator needs the original RUT back for one row, you need to be able to give it to them. Irreversible masking cannot do any of this. Hashing gets you consistency but not the format, and never the value back. What you need is format-preserving encryption: run a digit string through a cipher and get out another digit string, same length, same shape, that decrypts to the original under the key you hold. Nothing else. What FPE actually does MaskOps exposes this as mask_pii_fpe . It masks digit-based PII, cards, phones, RUT, CPF, Argentine DNI, in place, and gives back something the same length and shape: import maskops import secrets key = secrets . token_bytes ( 32 ) # AES-256, client holds this tweak = secrets . token_bytes ( 7 ) # per-column/per-dataset context df . with_columns ( maskops . mask_pii_fpe ( " rut_column " , key , tweak )) 76.354.771-K becomes some other RUT-shaped, check-digit-valid string of the same length, under this key and tweak. Run it back through with the same key and tweak and it decrypts. Non-digit PII, IBAN, VAT, email, IP, EU national IDs, gets none of this. It always asterisks. There is no clean digit domain to encrypt into, so MaskOps does not pretend there is. The key never touches MaskOps' output. The client generates it, holds it, and passes it in at call time, and because MaskOps makes no network call and keeps no storage layer, there is nowhere for that k

2026-07-03 原文 →
AI 资讯

Cloud KMS and Bring-Your-Own-Key: What You're Actually Trusting

Every major cloud provider sells a key management service, and most sell a "bring your own key" option layered on top, marketed as the difference between trusting the provider and trusting yourself. The pitch is clean. The mechanics underneath are not, and the part that actually determines who can read your data is rarely the part the sales page shows you. If you've provisioned storage on AWS, Google Cloud, or Azure in the last few years, you've seen the encryption-at-rest checkbox: "encrypt with a key you manage." It sounds like a meaningful control. In practice it's three different architectures wearing the same marketing label, and they don't provide the same guarantee. What a KMS Actually Does A cloud Key Management Service is a hosted service that generates, stores, and performs operations with cryptographic keys on your behalf. When you ask a KMS to encrypt something, in most cases the plaintext key material never leaves the service's boundary. What you get back is a ciphertext blob and, for envelope encryption schemes, a wrapped data key you can use locally. The design goal is real: keys shouldn't sit in application memory or config files where a compromised host can grab them. The question that matters is not "does a KMS exist in this architecture" but "who can invoke it, and under what legal or operational conditions." That's where customer-managed keys and bring-your-own-key start to diverge in ways the naming doesn't make obvious. Customer-Managed Keys vs Bring-Your-Own-Key Customer-managed keys (CMK) means the key was generated inside the provider's KMS, under your account, and you control the access policy: who can use it, when it rotates, whether it can be disabled. The key material itself still lives entirely inside the provider's infrastructure. You never see the raw bytes. You're managing permissions on a key you didn't generate and can't export. Bring-your-own-key (BYOK) means you generate the key material yourself, outside the provider's environme

2026-07-02 原文 →
AI 资讯

Your Git Commit History Is More Public Than You Think 🕵️‍♂️

In the open source world, we often say that "your code is your resume." However, what many developers forget is that every time they run a git push , they're handing over much more than just lines of code. They're delivering a permanent digital trail that can be tracked, analyzed, and used against them years later. This article is an educational guide about privacy in Git and how the metadata you generate every second can compromise your security and your professional future. The command that reveals your "naked identity" If you want to see exactly what you're sharing with the world, open your terminal in any repository and run the following command: git log --format = fuller Unlike the standard log, the fuller format breaks down the complete anatomy of your contributions. This is where most developers are shocked to see what they're actually leaking: 1. Name and Email (Direct Exposure) Git stores your user.name and user.email locally in every commit. This data: Is harvested by spam bots for marketing databases. Allows recruiters to map all your historical activity, even on projects you no longer represent. Exposes you to doxxing attacks if you contribute to controversial projects. 2. Dates and Timestamps (Time Analysis) Git not only saves the day, but also the exact second and time zone of the authorship and commit. This allows you to create an activity pattern : What time do you usually code? Are you working on personal projects during office hours? What geographical area are you actually in? 3. File Patterns and Metadata In addition to text, if you upload binaries (PDFs or images), these usually contain EXIF ​​metadata (GPS coordinates, camera model, etc.) that Git doesn't clean up by default. The Problem with "Permanent Logs" GitHub is, by design, an accountability platform, not a privacy one. Once a commit enters the public history, deleting it is extremely difficult and often pointless if the repository has already been cloned or indexed by third-party service

2026-07-01 原文 →
AI 资讯

Papa Johns Surveillance-Based Advertising

Papa Johns is spying on people’s buying activities to predict when they are low on food: The pizza chain recently tapped NBCUniversal, Instacart and the dentsu-owned media agency Carat for help reaching consumers when they’re low on groceries—and thus more likely to be swayed by a mouth-watering ad. The idea is to reach hungry consumers by “knowing what is in their fridge without being too creepy,” said Carrie Drinkwater, chief investment officer at Carat. To achieve that goal, NBCU and Instacart created a custom audience of shoppers who regularly purchase grocery staples on Instacart, such as eggs, milk, meat and produce. Based on that data, Papa Johns can determine which days of the week certain consumers are likely to run out of groceries and serve them an ad on NBCU streaming content accordingly. The brand served custom creatives to consumers based on their food preferences—such as whether they buy meat regularly—with QR codes and calls to action such as, “Light on groceries?” or “Empty fridge?”...

2026-07-01 原文 →
AI 资讯

Privacy by design: what it is and how to apply it

"Privacy by design" is one of those phrases you read everywhere and rarely understand. It is often treated as a document to attach to a project, a box to tick before going live. In reality it is not a piece of paperwork: it is the way software is conceived and built from the very first line, so that it protects people's data without anyone having to remember to do so afterwards. What the GDPR actually says The principle is written plainly in Article 25 of the GDPR, which speaks of "data protection by design and by default". These are two distinct things. Protection by design concerns the choices made while the system is being built. Protection by default concerns how the system behaves the moment it is switched on, before anyone touches a single setting. The law does not mandate a specific technology. It asks for an outcome: that data protection be built into the system, proportionate to the risks, and not bolted on afterwards as a patch. It is a difference of substance, not of form. A well-designed system does not have to chase compliance: it already has it inside. It is not a document, it is an architecture The most common mistake is to reduce privacy by design to a file. A report is written, filed, and the building goes on exactly as before. But a PDF protects no data. What protects data are the technical decisions: what information is collected, where it is stored, who can see it, how long it stays, what happens when it is no longer needed. These decisions are made at design time, and changing them later costs far more than getting them right at the start. The principles, turned into concrete choices Privacy by design becomes useful only when it stops being a slogan and turns into a series of choices. Translated into practice, the principles sound like this. Minimisation. You collect only the data genuinely needed to deliver the service. A field you do not collect does not need protecting, cannot be lost in a breach, does not need keeping. The safest piece of da

2026-07-01 原文 →
AI 资讯

The Realities of AI Video Surveillance

The Financial Times has a good article on how AI is changing the capabilities of video surveillance, with information from both Israel/Iran and Russia. I wrote about this sort of thing a few years ago, how AI enables mass spying in the way that computers and networks enabled mass surveillance. The interesting development in the article is that AI allows people to ask natural language questions about video footage to AIs—and AIs can answer them. In contrast with older tools restricted to a few dozen preset searches, these new tools allow an almost unlimited range of enquiries by enabling language-based searches on video...

2026-06-30 原文 →
AI 资讯

The Hidden Cost of Free Online Image Compressors

I analyzed what happens when you upload a photo to 5 popular free image compression sites. The Test I uploaded a 4.2MB photo to each service and monitored network requests. Results: Service A : File sent to their CDN (AWS us-east-1). 12 analytics trackers fired simultaneously. Service B : File uploaded, but 5 minutes later a second request sent the file to a different domain. Service C : Cleanest of the five, but their privacy policy reserves the right to "use uploaded content to improve compression algorithms." Service D : 23 third-party scripts loaded on the page. Your image URL is accessible to all of them. Service E : Actually clean — only one request to their server for processing. Only one of five didn't leak data to third parties. One. The Alternative I built compress2png.com to test whether image compression could work without any server. Turns out Canvas API + clever JavaScript handles it: Resize images client-side before export Strip EXIF/metadata in the browser Convert to optimal formats based on content For format-specific needs, svg2png.org handles vector conversion and webp2png.io handles next-gen format conversion — all browser-local. Check the Network tab next time you use a "free" online tool. You might be surprised what you find.

2026-06-30 原文 →
AI 资讯

Zero-Knowledge Architecture: What It Means for Your Files

Most of us share files constantly: config files, API specs, design assets, build artifacts. And most of us don't think too hard about where they end up. That's exactly what Zero-Knowledge Architecture (ZKA) is designed to address. But the term gets thrown around loosely, so let's break down what it actually means — and what to look for. The Core Idea: The Server Shouldn't Have to Trust You Traditional cloud storage works roughly like this: You upload a file The server encrypts it (or doesn't) The server holds the key You trust them not to look Zero-knowledge flips this entirely. In a true ZKA system: Encryption happens on your device , before data leaves your control The keys never leave your side — the server never sees them The server handles only encrypted blobs — it's a pipe, not a vault The phrase you'll hear is: "We can't read your data even if we wanted to." That's the point. Why This Actually Matters Here's a concrete scenario: you're sharing a .env file with a contractor. You use a cloud service. The service gets breached a week later. With standard encryption (server holds the key): the attacker potentially has your secrets. With ZKA: the attacker has an encrypted blob that's useless without the key they never had. Beyond breach scenarios, ZKA also helps with: Regulatory compliance — GDPR, HIPAA, and similar frameworks become easier to demonstrate when the service provider has zero access to the data Reduced trust surface — you're not trusting the company, their employees, or anyone who might compel them legally What Real ZKA Looks Like in Practice There's a big difference between claiming zero-knowledge and actually implementing it. Here's what to look for: ✅ Client-side encryption Files should be encrypted in the browser or app before upload. Not on the server. If encryption happens server-side, it's not zero-knowledge — it's just encrypted storage. ✅ Key management stays with you Where do the keys come from? How are they shared with recipients? In a rea

2026-06-30 原文 →
AI 资讯

Why I Built a JSON Toolkit That Never Touches a Server

Most of the time, when I need to inspect a complex JSON payload, I copy the raw string from my terminal or network tab, open a browser tab, and paste it into one of the many "JSON Formatter" sites that clutter the first page of Google. It’s a ritual we all do. We paste, we click "Format," and we wait. For small payloads, this is fine. But when you are debugging a massive API response, a deeply nested configuration file, or a large dataset, that ritual breaks down. The browser freezes. The site asks you to upload a file. Worse, many of these tools send your data to a server for processing. If that JSON contains API keys, user PII, or internal schema definitions, you are essentially trusting a third-party service with your proprietary data every time you hit "pretty print." I got tired of the latency and the privacy overhead. So I built JSONForge . The core premise is simple: do everything locally. No server-side processing. No file uploads. No network requests for the core logic. Everything happens in your browser, powered by WebGPU for heavy lifting and a small model that runs in your browser for schema inference. The WebGPU Advantage JSON parsing is computationally cheap for a modern CPU, but rendering and diffing large structures is not. When you have a 5MB JSON file, the DOM manipulation required to display it as a tree view can cause significant jank. By offloading the parsing and formatting logic to the GPU via WebGPU, JSONForge handles massive payloads without blocking the main thread. You can open a file, click "Pretty Print," and see the result instantly, even if the file is hundreds of kilobytes or larger. The UI remains responsive because the heavy computation is parallelized on the graphics card. This also means the tool works offline. If you are on a plane, or your internet drops in the middle of a debugging session, your toolkit doesn’t vanish. You can continue to diff, validate, and format without interruption. Schema Generation Without the Server Roun

2026-06-29 原文 →