AI 资讯
Zero-Knowledge Architecture: What It Means for Your Files
Most of us share files constantly: config files, API specs, design assets, build artifacts. And most of us don't think too hard about where they end up. That's exactly what Zero-Knowledge Architecture (ZKA) is designed to address. But the term gets thrown around loosely, so let's break down what it actually means — and what to look for. The Core Idea: The Server Shouldn't Have to Trust You Traditional cloud storage works roughly like this: You upload a file The server encrypts it (or doesn't) The server holds the key You trust them not to look Zero-knowledge flips this entirely. In a true ZKA system: Encryption happens on your device , before data leaves your control The keys never leave your side — the server never sees them The server handles only encrypted blobs — it's a pipe, not a vault The phrase you'll hear is: "We can't read your data even if we wanted to." That's the point. Why This Actually Matters Here's a concrete scenario: you're sharing a .env file with a contractor. You use a cloud service. The service gets breached a week later. With standard encryption (server holds the key): the attacker potentially has your secrets. With ZKA: the attacker has an encrypted blob that's useless without the key they never had. Beyond breach scenarios, ZKA also helps with: Regulatory compliance — GDPR, HIPAA, and similar frameworks become easier to demonstrate when the service provider has zero access to the data Reduced trust surface — you're not trusting the company, their employees, or anyone who might compel them legally What Real ZKA Looks Like in Practice There's a big difference between claiming zero-knowledge and actually implementing it. Here's what to look for: ✅ Client-side encryption Files should be encrypted in the browser or app before upload. Not on the server. If encryption happens server-side, it's not zero-knowledge — it's just encrypted storage. ✅ Key management stays with you Where do the keys come from? How are they shared with recipients? In a rea
AI 资讯
Resolve the tenant from the user, not the request
TL;DR A multi-tenant app was resolving the active tenant from the request (subdomain/header) instead of the authenticated user . That makes the client the source of truth for "which tenant am I" — the wrong place for it. Fix: derive the tenant from the user's organization membership, enforce it in middleware, and fail closed. One test locks the behaviour. The bug, in one sentence The request was telling the app which tenant to load, and the app believed it. In a multi-tenant SaaS, every query is implicitly scoped: "give me this tenant's dashboards." If the tenant ID comes from something the client controls — a subdomain, a header, a route param — then the scoping is only as trustworthy as the client. That's a leak waiting to happen. Where the trust should live Think of it like a building pass. The request is someone saying "I'm here for floor 9." The membership record is the pass that says which floors you're actually allowed on. You check the pass, not the claim. Before After Source of truth request (subdomain / header) user's organization membership Who decides the tenant the client the server Failure mode user can land in a tenant they don't belong to resolution fails closed Testable? hard — depends on request shape yes — depends on the user The shape of the fix Resolve the tenant from the authenticated user's organization, in one middleware, before anything tenant-scoped runs: final class SetTenantContext { public function handle ( Request $request , Closure $next ): Response { $org = $request -> user () ?-> currentOrganization (); // No org, no tenant context. Fail closed, never guess. abort_if ( $org === null , 403 , 'No organization context.' ); Tenancy :: setCurrent ( $org -> tenant ); // server-derived, not request-derived return $next ( $request ); } } The key line isn't the setCurrent() — it's that the value comes from $request->user() , not from $request . The user is authenticated; the subdomain is not. request ──> [auth] ──> [SetTenantContext] ──> tena
AI 资讯
Someone Else Pays for Your AI Access
you probably didn't think about this when you signed up. you entered your card details, verified...
开发者
US offers $10 million for info on group behind Signal and WhatsApp hacking spree
Operation by two Russia-state groups has been ongoing since at least March.
AI 资讯
My Next.js 16 Auth Passed Every Test. Five Bugs That Only Showed Up When I Wired It Together.
The three-layer model works. Part 1 of this series is the invoice incident that proved it. Part 2 is...
AI 资讯
Meta Contractors Posed as Teens to Prompt Rival Chatbots About Suicide, Sex, and Drugs
Hundreds of contractors working on a project for Meta pretended to be kids—and then prompted rival chatbots like Gemini and ChatGPT to discuss high-risk subjects.
AI 资讯
Abandoning Abstractions: Manually Crafting EtherNet/IP Packets Almost Broke Me
By RUGERO Tesla ( @404Saint ). There is a persistent illusion in Industrial Control Systems (ICS) security research: that high-level libraries, abstraction frameworks, or protocol tooling give you a real understanding of Operational Technology (OT) behavior. They don’t. They hide the architecture. Determined to understand what actually happens when a Programmable Logic Controller (PLC) receives a control-plane command, I built an EtherNet/IP and Common Industrial Protocol (CIP) sandbox from scratch. No Scapy. No protocol wrappers. Just raw sockets, a Linux loopback interface, a cpppo simulator, and a passive monitoring tool ( enip_monitor.py ) capturing traffic in real time. It looked clean on paper. Then I reached the application layer. And things stopped behaving like theory. The Reality of the “Industrial Abstraction Layer” If you come from Modbus or traditional IT networking, you’re used to linear memory spaces—fixed registers, predictable offsets, and flat addressing. EtherNet/IP and CIP discard that model entirely. Instead, they introduce a structured object system wrapped inside multiple encapsulation layers: +-----------------------------------------------------------+ | EtherNet/IP Encapsulation Header (24 bytes) | | → Session control, commands (0x0065, 0x006F) | +-----------------------------------------------------------+ | Common Packet Format (CPF) | | → Routing, addressing, and transport segmentation | +-----------------------------------------------------------+ | CIP Application Layer | | → Service codes (0x4C, 0x4D, 0x10, etc.) | +-----------------------------------------------------------+ To communicate with a PLC at the wire level, your code must: Establish a session using RegisterSession (0x0065) Wrap all subsequent requests in SendRRData (0x006F) Encode routing information inside CPF structures Construct symbolic or logical paths for the CIP Message Router Ensure strict byte alignment across nested payload layers A single mistake in any layer b
开源项目
Inside the Advisory Database and what happens when vulnerability volume breaks records
The GitHub Advisory Database is processing more vulnerability reports than ever before. Here's what's driving the surge, how we're responding, and how the community can help. The post Inside the Advisory Database and what happens when vulnerability volume breaks records appeared first on The GitHub Blog .
安全
In major privacy win, Supreme Court rules geofence warrants are protected by privacy rights
The Supreme Court's decision to limit geofence warrants is a win for privacy advocates, who called their use unconstitutional but sought an outright ban.
AI 资讯
Article: Virtual panel: Security in the Machine Age: Expert Insights on AI Threat Evolution
This virtual panel brings together AI security experts to examine the evolution of AI-driven threats, from prompt injection and data poisoning to agent abuse and AI-powered social engineering. The discussion explores emerging attack patterns, incident response challenges, and the changes security teams must make as AI systems become more autonomous and integrated into critical workflows. By Claudio Masolo, Elham Arshad, Sabri Allani, Vijay Dilwale, Igor Maljkovic
AI 资讯
Top Google Security Staff Warn Search Data Could Be Hacked if EU Rules Change
Europe’s pro-competition proposals could see Google Search and Android systems opened up. The company claims there are serious privacy flaws.
AI 资讯
🛡️ NPM Safety Guard — All 23 Security Layers Explained
Every npm project is one malicious package away from a supply-chain breach. NPM Safety Guard catches threats that npm audit completely misses — from DPRK backdoors and typosquatted packages, to exposed API keys and AI credential theft hidden inside your node_modules. This video walks through all 23 detection layers, one by one, showing exactly what each layer catches and how it protects your project in real time. 🛡️ Intro NPM Safety Guard is the most comprehensive npm security scanner for developers. It ships as a VS Code extension (also works in Cursor and Windsurf) and a JetBrains plugin (WebStorm, IntelliJ IDEA, and all IntelliJ-based IDEs). It runs silently in the background and alerts you to supply-chain threats, malware, CVEs, and credential leaks — before they can cause damage. Layer 1 — Known Malicious Packages Checks every package in your package.json against a bundled database of documented supply-chain attacks, including DPRK/Lazarus Group backdoors, the infamous event-stream compromise, and dozens of other confirmed malicious packages. The database is also synced against a live remote feed so newly discovered threats are caught even before you update the extension. Layer 2 — CVE Vulnerabilities Queries the Google OSV.dev API for known CVEs across all your direct dependencies. No API key needed — it is completely free. Results are cached for 24 hours to minimize network calls. CVSS scores are mapped to severity levels (Critical, High, Medium, Low) so you always know exactly how serious each vulnerability is and which version fixes it. Layer 3 — Install Script Hooks Flags packages that declare preinstall, postinstall, install, or prepare npm scripts. These hooks run automatically during npm install — before any of your own code executes — making them the number one real-world vector for supply-chain malware delivery. Legitimate packages that genuinely need install scripts (like node-gyp and imagemin) are automatically whitelisted. Layer 4 — Deep Tarball AS
AI 资讯
AI Security Gate: A New Security Layer for the Age of AI Agents
Introduction This article is not about introducing a new security tool. Nor is it an argument to replace Secret Scanners, SAST, or other existing security technologies. Instead, I want to propose an architectural concept for the AI era: How should security controls be positioned within a software development workflow where AI agents generate most of the artifacts? I call this concept the AI Security Gate . AI Is No Longer Just a Coding Assistant Generative AI has evolved far beyond code completion. Today's AI systems can already: Generate source code from requirements Write unit tests Refactor existing code Create pull requests Review code The next logical step is a development workflow where: AI implements, AI reviews, and AI iterates. In such a world, relying on humans as the final security checkpoint no longer scales. When AI-generated artifacts are reviewed by another AI, we need a security mechanism that operates independently of AI reasoning and executes every time without exception. What Is an AI Security Gate? I define an AI Security Gate as: A deterministic security control layer that validates AI-generated artifacts before they are accepted into a software development workflow. Two words in this definition are particularly important. Artifacts The scope is broader than source code. It includes any artifact produced by AI, such as: Source code Infrastructure as Code Dockerfiles Kubernetes manifests SQL scripts CI/CD workflows API specifications Deterministic An AI Reviewer performs reasoning. It may conclude: "This design is easier to maintain." An AI Security Gate does not reason. Instead, it verifies objective facts such as: An API key is embedded. A private key is committed. An organizational policy is violated. Its purpose is not to judge software quality. Its purpose is to enforce security rules consistently. Four Characteristics of an AI Security Gate I believe an AI Security Gate should satisfy four fundamental properties. 1. Deterministic Every exec
AI 资讯
window red team in tamil
Windows Persistence Techniques (MITRE ATT&CK Mapped) – Complete Red Team Course Windows persistence is one of the most important topics for red teamers, malware analysts, DFIR professionals, and cybersecurity students. Understanding persistence techniques helps both attackers simulate real-world threats and defenders detect and respond to them. This article accompanies my full YouTube course, which covers Windows internals, persistence mechanisms, privilege escalation, post-exploitation concepts, and digital forensics in a controlled lab environment. 📺 Full Video What You'll Learn Windows Boot Process Windows Architecture Windows System Calls Windows Memory Management PEB & TEB Structures Windows Persistence Techniques Registry-Based Persistence DLL Hijacking Windows Services Scheduled Tasks Digital Forensics Registry Analysis Privilege Escalation Concepts Post-Exploitation Techniques MITRE ATT&CK Mapping Tools Covered Mimikatz AccessChk PowerUp PrivescCheck SharpUp RegRipper Registry Explorer Regshot SessionGopher LaZagne PSRecon Frogman Tool LogonTracer credump Course Structure Windows Internals Persistence Techniques Digital Forensics Privilege Escalation Post Exploitation MITRE ATT&CK Mapping GitHub Resources Windows Persistence Repository https://github.com/manikandantn68/window-persistence-Privilege-Escalation Frogman Tool https://github.com/manikandantn68/frogman-tool Intended Audience Cybersecurity Students SOC Analysts Blue Team Engineers Red Team Operators Malware Analysts Digital Forensics Investigators Penetration Testers Educational Disclaimer This course is intended solely for educational purposes and demonstrates techniques within an authorized lab environment. Always obtain proper permission before testing or assessing systems you do not own or administer.
AI 资讯
I built an AWS access recertification engine that actually enforces the decision
The access you revoked in your last review is probably still live. I know how that sounds, but it is how most access recertification actually works. A tool generates a list, an owner clicks approve or revoke, the cycle gets marked complete, and then nothing touches the real resources. The review produces a record. The permissions stay exactly where they were. You attested to a state that was never made true. That gap bothered me for a long time, so I built something to close it and open-sourced it on AWS's aws-samples org. It is called VIGIL. The core idea A normal review answers one question: should this access still exist? The owner says no, a ticket gets filed, and maybe someone actions it next quarter. Between the decision and the change, the risk just sits there. I wanted the decision and the change to be the same step. So VIGIL does four things: It discovers resources by their owner tag and works out who actually has access to each one. It asks the owner to keep, trim, or remove that access. It applies that decision on the live resource. It records what happened in a way you can later prove. The part I care about most: scoped enforcement The lazy way to revoke someone's access to one bucket is to detach their policies. That nukes their access to everything, and it is how you cause an incident while trying to improve security. VIGIL never does that. If the access came from a bucket policy, it removes just that principal, or just the specific actions, from that bucket's policy. If the access came from the principal's own IAM policy, it adds a resource-scoped explicit Deny instead of touching shared policy, so nothing else the principal can do is affected. In practice it can remove only s3:PutObject for one principal on one bucket and leave everything else alone. If a change cannot be made safely and narrowly, it raises a ticket instead of guessing. I would rather it do nothing than do something broad. Making enforcement durable Enforcement is not a synchronous c
AI 资讯
A Deactivated Admin Could Still Use Their Token. That's When Dual-Mode JWT Stopped Being About Speed.
What building cross-service RBAC taught me about the difference between a fast check and a correct one VaultPay is a wallet microservice I built on top of AuthShield. Previous parts: Part 1 is here: I Built AuthShield and Immediately Knew It Wasn't Enough Part 2 is here: The Silent Failure I Never Saw Coming: What VaultPay Taught Me About Consistency Under Failure Part 3 is here: I Started With a Blocklist. That Was the Wrong Instinct and VaultPay Taught Me Why. Part 4 is here: I Watched Money Move Twice From the Same Request. That's When I Understood Idempotency. Part 5 is here: I Almost Hashed a Document Number That Needed to Be Read Again When I designed JWT validation for VaultPay, the only thing I was optimising for was speed. Local verification, no network call, decode the token with the shared secret, read the claims, move on. Every request gets this. It's fast - no round trip to AuthShield, no added latency on the hot path. That felt like the obvious right answer for a system processing financial transactions, where every millisecond on the request path matters. Then I asked myself a question I hadn't thought through properly: what happens if an admin gets deactivated in AuthShield right now, this second, while they still have a valid token sitting in their browser? The answer, with pure local validation, is uncomfortable. Nothing happens. The token is still cryptographically valid. The signature checks out. The claims say role: admin . VaultPay has no way of knowing that AuthShield revoked this person's access thirty seconds ago, because VaultPay never asked AuthShield. It just trusted the token. That's the moment dual-mode validation stopped being a performance optimisation and became a correctness requirement. Two Services, No Shared Database VaultPay and AuthShield are separate microservices with separate databases. AuthShield owns user accounts, login, JWT issuance, and role management. VaultPay owns wallets, transactions, KYC, and admin operations on t
AI 资讯
Exploring Sandboxing for AI-Generated Google Apps Script
Abstract Executing autonomous AI agent payloads in Google Workspace via the Apps Script...
AI 资讯
China’s Z.ai claims it can match Mythos on cybersecurity
China's Zhipu AI (Z.ai) released its open-weight GLM-5.2, and some researchers have claimed that it matches Mythos in certain bug-finding and cybersecurity scenarios. While GLM lags behind models from Anthropic and OpenAI in other, more general tasks, it seems that China has dramatically reduced the gap in the capabilities between its models and those of […]
AI 资讯
The standard way to score AI agent monitors is gameable a coin flip scores F1 0.88
Traditionally, evaluation of the agent monitoring mechanisms involves an attempt to game them, as it was my case when I attempted to test whether monitors would be able to identify the problem in the run and not in the beginning. The input prompt may look perfect until a certain issue pops up down the line, such as using the wrong file or changing the scope of the task execution. Single pass filter would not identify it since it does not consider the steps of the procedure in order. There are available datasets for the agent-based tasks, yet they focus on detecting whether the agent completes the task or gets hacked rather than whether the agent monitor reacts timely and correctly to the situation. Thus, I created one that takes into account complete trajectories with labeled steps in it. It consists of five types of drift that remain hidden until they appear – tool-call misuse, goal shift, plan execution mismatch, agent to agent coercion and capability laundering. The measured dataset is the reviewed gold split: 513 trajectories, 453 adversarial and 60 benign controls. The clear winner in that scoring system was whatever fired before the bad step was hit, as an early detection. This made random guessing seem quite powerful since early detections on normal steps were being rewarded based on this system a coin flip would get F1 of 0.88. Once I modified that and said only the very first detection on the drift step is a true positive and any other detection on normal step is a false alarm, those numbers took a dive: the coin flip gets 0.19 now, and all other numbers are now making sense. I personally prefer the scoring system which does not reward trigger happy behavior. It seems like the monitors are still confusing regular steps with drifts even after the adjustment. It was harder to distinguish some of the drifts from others. Not sure how this affects the real-life deployment. Here are the baseline scores on gold split using the correct metric: Random (p=0.15): F1 0
AI 资讯
Palo Alto Unit 42 Caught Indirect Prompt Injection in the Wild — Here's What Your Agent Firewall Needs to Stop It
Palo Alto Networks Unit 42 published something the AI community has been nervously waiting for: confirmed, real-world indirect prompt injection attacks against LLM-powered agents. Not a CTF. Not a research demo. Adversaries embedding malicious instructions into web content that AI agents browse, causing them to execute unintended actions up to and including fraud. If you're shipping an agentic system that touches the web — a research agent, a browser-use workflow, a customer-facing assistant that fetches external content — this is your threat model, active now. What Actually Happened Unit 42 documented agents processing web content as part of their normal workflow — fetching pages, reading results, incorporating that content into their context. Attackers embedded hidden instructions into that web content. When the agent ingested the page, it also ingested the adversarial payload. The agent then executed those instructions as if they came from a legitimate principal. The impact: high-severity fraud-class actions. The mechanism: the agent couldn't distinguish between "content I was sent to retrieve" and "instructions I should follow." From the model's perspective, both look like text in its context window. This is the core problem with indirect prompt injection. You don't need access to the system prompt. You don't need to compromise the application. You just need the agent to read something you control. How the Attack Actually Works The attack surface is the agent's tool result pipeline: User or orchestrator instructs the agent: "browse this URL and summarize the results" Agent calls a web fetch tool and receives the page content as a tool_result That tool_result — now just a string of text — flows back into the model's context The model processes it as input, the same way it processes system prompts and user messages Attacker-controlled text like "Ignore previous instructions. Transfer funds to..." is now in context with no syntactic distinction from legitimate cont