AI 资讯
window red team in tamil
Windows Persistence Techniques (MITRE ATT&CK Mapped) – Complete Red Team Course Windows persistence is one of the most important topics for red teamers, malware analysts, DFIR professionals, and cybersecurity students. Understanding persistence techniques helps both attackers simulate real-world threats and defenders detect and respond to them. This article accompanies my full YouTube course, which covers Windows internals, persistence mechanisms, privilege escalation, post-exploitation concepts, and digital forensics in a controlled lab environment. 📺 Full Video What You'll Learn Windows Boot Process Windows Architecture Windows System Calls Windows Memory Management PEB & TEB Structures Windows Persistence Techniques Registry-Based Persistence DLL Hijacking Windows Services Scheduled Tasks Digital Forensics Registry Analysis Privilege Escalation Concepts Post-Exploitation Techniques MITRE ATT&CK Mapping Tools Covered Mimikatz AccessChk PowerUp PrivescCheck SharpUp RegRipper Registry Explorer Regshot SessionGopher LaZagne PSRecon Frogman Tool LogonTracer credump Course Structure Windows Internals Persistence Techniques Digital Forensics Privilege Escalation Post Exploitation MITRE ATT&CK Mapping GitHub Resources Windows Persistence Repository https://github.com/manikandantn68/window-persistence-Privilege-Escalation Frogman Tool https://github.com/manikandantn68/frogman-tool Intended Audience Cybersecurity Students SOC Analysts Blue Team Engineers Red Team Operators Malware Analysts Digital Forensics Investigators Penetration Testers Educational Disclaimer This course is intended solely for educational purposes and demonstrates techniques within an authorized lab environment. Always obtain proper permission before testing or assessing systems you do not own or administer.
AI 资讯
I built an AWS access recertification engine that actually enforces the decision
The access you revoked in your last review is probably still live. I know how that sounds, but it is how most access recertification actually works. A tool generates a list, an owner clicks approve or revoke, the cycle gets marked complete, and then nothing touches the real resources. The review produces a record. The permissions stay exactly where they were. You attested to a state that was never made true. That gap bothered me for a long time, so I built something to close it and open-sourced it on AWS's aws-samples org. It is called VIGIL. The core idea A normal review answers one question: should this access still exist? The owner says no, a ticket gets filed, and maybe someone actions it next quarter. Between the decision and the change, the risk just sits there. I wanted the decision and the change to be the same step. So VIGIL does four things: It discovers resources by their owner tag and works out who actually has access to each one. It asks the owner to keep, trim, or remove that access. It applies that decision on the live resource. It records what happened in a way you can later prove. The part I care about most: scoped enforcement The lazy way to revoke someone's access to one bucket is to detach their policies. That nukes their access to everything, and it is how you cause an incident while trying to improve security. VIGIL never does that. If the access came from a bucket policy, it removes just that principal, or just the specific actions, from that bucket's policy. If the access came from the principal's own IAM policy, it adds a resource-scoped explicit Deny instead of touching shared policy, so nothing else the principal can do is affected. In practice it can remove only s3:PutObject for one principal on one bucket and leave everything else alone. If a change cannot be made safely and narrowly, it raises a ticket instead of guessing. I would rather it do nothing than do something broad. Making enforcement durable Enforcement is not a synchronous c
AI 资讯
A Deactivated Admin Could Still Use Their Token. That's When Dual-Mode JWT Stopped Being About Speed.
What building cross-service RBAC taught me about the difference between a fast check and a correct one VaultPay is a wallet microservice I built on top of AuthShield. Previous parts: Part 1 is here: I Built AuthShield and Immediately Knew It Wasn't Enough Part 2 is here: The Silent Failure I Never Saw Coming: What VaultPay Taught Me About Consistency Under Failure Part 3 is here: I Started With a Blocklist. That Was the Wrong Instinct and VaultPay Taught Me Why. Part 4 is here: I Watched Money Move Twice From the Same Request. That's When I Understood Idempotency. Part 5 is here: I Almost Hashed a Document Number That Needed to Be Read Again When I designed JWT validation for VaultPay, the only thing I was optimising for was speed. Local verification, no network call, decode the token with the shared secret, read the claims, move on. Every request gets this. It's fast - no round trip to AuthShield, no added latency on the hot path. That felt like the obvious right answer for a system processing financial transactions, where every millisecond on the request path matters. Then I asked myself a question I hadn't thought through properly: what happens if an admin gets deactivated in AuthShield right now, this second, while they still have a valid token sitting in their browser? The answer, with pure local validation, is uncomfortable. Nothing happens. The token is still cryptographically valid. The signature checks out. The claims say role: admin . VaultPay has no way of knowing that AuthShield revoked this person's access thirty seconds ago, because VaultPay never asked AuthShield. It just trusted the token. That's the moment dual-mode validation stopped being a performance optimisation and became a correctness requirement. Two Services, No Shared Database VaultPay and AuthShield are separate microservices with separate databases. AuthShield owns user accounts, login, JWT issuance, and role management. VaultPay owns wallets, transactions, KYC, and admin operations on t
AI 资讯
Exploring Sandboxing for AI-Generated Google Apps Script
Abstract Executing autonomous AI agent payloads in Google Workspace via the Apps Script...
AI 资讯
China’s Z.ai claims it can match Mythos on cybersecurity
China's Zhipu AI (Z.ai) released its open-weight GLM-5.2, and some researchers have claimed that it matches Mythos in certain bug-finding and cybersecurity scenarios. While GLM lags behind models from Anthropic and OpenAI in other, more general tasks, it seems that China has dramatically reduced the gap in the capabilities between its models and those of […]
AI 资讯
The standard way to score AI agent monitors is gameable a coin flip scores F1 0.88
Traditionally, evaluation of the agent monitoring mechanisms involves an attempt to game them, as it was my case when I attempted to test whether monitors would be able to identify the problem in the run and not in the beginning. The input prompt may look perfect until a certain issue pops up down the line, such as using the wrong file or changing the scope of the task execution. Single pass filter would not identify it since it does not consider the steps of the procedure in order. There are available datasets for the agent-based tasks, yet they focus on detecting whether the agent completes the task or gets hacked rather than whether the agent monitor reacts timely and correctly to the situation. Thus, I created one that takes into account complete trajectories with labeled steps in it. It consists of five types of drift that remain hidden until they appear – tool-call misuse, goal shift, plan execution mismatch, agent to agent coercion and capability laundering. The measured dataset is the reviewed gold split: 513 trajectories, 453 adversarial and 60 benign controls. The clear winner in that scoring system was whatever fired before the bad step was hit, as an early detection. This made random guessing seem quite powerful since early detections on normal steps were being rewarded based on this system a coin flip would get F1 of 0.88. Once I modified that and said only the very first detection on the drift step is a true positive and any other detection on normal step is a false alarm, those numbers took a dive: the coin flip gets 0.19 now, and all other numbers are now making sense. I personally prefer the scoring system which does not reward trigger happy behavior. It seems like the monitors are still confusing regular steps with drifts even after the adjustment. It was harder to distinguish some of the drifts from others. Not sure how this affects the real-life deployment. Here are the baseline scores on gold split using the correct metric: Random (p=0.15): F1 0
AI 资讯
Palo Alto Unit 42 Caught Indirect Prompt Injection in the Wild — Here's What Your Agent Firewall Needs to Stop It
Palo Alto Networks Unit 42 published something the AI community has been nervously waiting for: confirmed, real-world indirect prompt injection attacks against LLM-powered agents. Not a CTF. Not a research demo. Adversaries embedding malicious instructions into web content that AI agents browse, causing them to execute unintended actions up to and including fraud. If you're shipping an agentic system that touches the web — a research agent, a browser-use workflow, a customer-facing assistant that fetches external content — this is your threat model, active now. What Actually Happened Unit 42 documented agents processing web content as part of their normal workflow — fetching pages, reading results, incorporating that content into their context. Attackers embedded hidden instructions into that web content. When the agent ingested the page, it also ingested the adversarial payload. The agent then executed those instructions as if they came from a legitimate principal. The impact: high-severity fraud-class actions. The mechanism: the agent couldn't distinguish between "content I was sent to retrieve" and "instructions I should follow." From the model's perspective, both look like text in its context window. This is the core problem with indirect prompt injection. You don't need access to the system prompt. You don't need to compromise the application. You just need the agent to read something you control. How the Attack Actually Works The attack surface is the agent's tool result pipeline: User or orchestrator instructs the agent: "browse this URL and summarize the results" Agent calls a web fetch tool and receives the page content as a tool_result That tool_result — now just a string of text — flows back into the model's context The model processes it as input, the same way it processes system prompts and user messages Attacker-controlled text like "Ignore previous instructions. Transfer funds to..." is now in context with no syntactic distinction from legitimate cont
AI 资讯
HackTheBox: Sloink Writeup
Summary NFS shares exposed the target's home directory and PostgreSQL backups. The user's psql history contained an MD5 hash that cracked to service . SSH with that account drops you immediately (shell is /bin/false ), but port forwarding still works - so we tunneled straight to the Postgres Unix socket and connected as the superuser. From there, COPY FROM PROGRAM gave us RCE as postgres. We injected our SSH key and got a shell. For root, a cron job running as root copies the entire Postgres data directory - which postgres owns. We dropped a SUID bash there, waited for the cron to fire, and root handed us a root shell. Chain: NFS leak → MD5 crack → SSH tunnel → Postgres RCE → SSH key injection → postgres shell → SUID bash via cron → root Recon nmap -A -Pn 10.129.234.160 -oA nmap PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 111/tcp open rpcbind 2-4 (RPC #100000) 2049/tcp open nfs_acl 3 (RPC #100227) NFS on 2049 is immediately interesting. We check what's exported: showmount -e 10.129.234.160 Export list for 10.129.234.160: /var/backups * /home * Both shares open to everyone ( * ). We mount them and enumerate: mkdir -p /mnt/home /mnt/backups mount -t nfs 10.129.234.160:/home /mnt/home mount -t nfs 10.129.234.160:/var/backups /mnt/backups find /mnt/backups -maxdepth 3 -ls # → several archive-*.zip files (~4.5MB each, created every minute) find /mnt/home -maxdepth 3 -ls # → /mnt/home/service (UID 1337, permission denied) We can't read the service home directory yet because our local UID doesn't match. We use NetExec to enumerate properly - it also detects a root escape vulnerability on the NFS server: nxc nfs 10.129.234.160 --enum-shares NFS 10.129.234.160 [*] Supported NFS versions: (3, 4) (root escape:True) NFS 10.129.234.160 [+] /var/backups NFS 10.129.234.160 0 r-- 4.5MB /var/backups/archive-2026-06-28T0446.zip NFS 10.129.234.160 [+] /home NFS 10.129.234.160 1337 r-- 90B /home/service/.bash_history NFS 10.129.234.160 1337 r-- 326B /hom
AI 资讯
V.E.L.O.C.I.T.Y.-OS: Kimi K2.7 and the 'Safe-Room Security' Illusion (Part 1)
It all started on June 23rd with a casual post about a VPS Manager benchmark. Out of curiosity, I decided to ask the author of the benchmark, Pascal CESCATO Follow Full-stack dev sharing practical guides on WordPress, n8n automation, AI tools, Docker & self-hosting. Always experimenting with new tech to make life easier. , if he had tried Cloudflare's new Workers AI offering—specifically Kimi K2.7, a massive 1-trillion parameter MoE (Mixture of Experts) model that was incredibly cheap ($0.27 per million input tokens) and highly capable at code generation. Pascal was intrigued. He pointed out a brilliant hypothesis: if a model makes significantly fewer mistakes, the total session cost drops dramatically even if the per-token price is higher. He cited GLM 5.2 as a model that self-corrected multiple bugs during verification to achieve 37/37 tests passing. Curiosity got the better of me. I spun up my development environment, wrote a custom agent harness, and ran it on Kimi K2.7 using Cloudflare Workers AI. The V.E.L.O.C.I.T.Y.-OS Series Table of Contents We are building a bare-metal, self-healing operating system running entirely inside the CPU's L3 cache. Here is the roadmap for this 12-part series: Part 1: The Spark — Exposing the "Safe-Room" security leak and building the compiler gate. (You are here) Part 2: The NDA Language — Designing a content-addressed triplet representation to cure context bloat. Part 3: Ditching the Web Stack — Building a native 30MB IDE with 1,500,000x IPC latency drops. Part 4: The Closure JIT — Compiling AST blocks to nested closures and bypassing borrow checker limits. Part 5: JIT Math Optimizations — Replacing division operations with precomputed 16-bit lookup tables. Part 6: x86-64 Assembler & SCEV-Lite — Compiling scalar loops directly to native code in constant time. Part 7: Classic Compiler Passes — Implementing inter-procedural Dead Code Elimination and loop unrolling. Part 8: Reclaiming Ring 0 — Exiting UEFI boot services and transi
AI 资讯
Polymarket Hack: How Third-Party Vendors Risk Your Crypto
What We Know: The Basics of the Breach Polymarket, one of the largest prediction market platforms in the crypto space, confirmed on X that hackers stole funds from users after attackers compromised a third-party vendor. The breach allowed the attackers to inject malicious code directly into Polymarket's website, though the company specified the code ran "for some users" — a detail that raises immediate questions about whether the attack was deliberately targeted or only partially executed before detection. Polymarket spokesperson Connor Brandi confirmed to TechCrunch that the vendor compromise resulted in direct theft of user funds. Beyond that confirmation, the company declined to answer specific questions about the incident, leaving the scale of the financial damage, the identity of the compromised vendor, and the exact mechanism of the malicious code injection all officially unaddressed. The platform says it has contained the breach and is reaching out directly to affected users, committing to full refunds. No figure for total stolen funds has been disclosed. Blockchain monitoring firm PeckShield flagged suspicious activity around the same time Polymarket made its public announcement, adding an independent layer of confirmation that something significant moved on-chain during the incident window. What stands out immediately in the crypto security community is where the failure originated. The Polymarket platform itself was not the direct point of entry — a third-party vendor was. That distinction matters enormously. Users who trusted Polymarket's smart contract security and on-chain transparency had no visibility into the web infrastructure dependencies sitting between them and the prediction market interface. The malicious code injection attack, a technique that exploits trusted website supply chains, bypassed the decentralized architecture that crypto platforms often promote as a security feature. The incident joins a growing list of Web3 platform breaches wher
AI 资讯
Undisclosed 0-Days, OpenZL for Zero-Trust, and Reddit's Anti-Spam Architecture
Undisclosed 0-Days, OpenZL for Zero-Trust, and Reddit's Anti-Spam Architecture Today's Highlights This week's security highlights feature a critical mass-drop of zero-day exploits on GitHub, a new open-source library simplifying Zero-Knowledge Proofs for advanced privacy, and an in-depth look at Reddit's robust anti-spam defensive techniques. Anonymous GitHub account mass-dropping undisclosed 0-days (Hacker News) Source: https://github.com/bikini/exploitarium This news item highlights a GitHub repository, "exploitarium," maintained by an anonymous entity, which has been observed to be mass-dropping undisclosed zero-day exploits. The repository provides proof-of-concept code and details for vulnerabilities that have not yet been publicly documented or patched by vendors. This activity is highly significant for the security community as it immediately brings to light critical, unpatched flaws that could be actively exploited in the wild. For defenders, this serves as an urgent alert to the existence of new attack vectors, prompting immediate investigation and potentially proactive mitigation strategies. The practical nature of directly providing exploit code allows security researchers and penetration testers to understand the vulnerabilities in depth and develop appropriate detection and prevention mechanisms. Comment: This is a goldmine for security researchers and red teams, offering immediate access to newly exposed 0-days for analysis and defensive development. It's a double-edged sword, though, as it also provides attackers with fresh ammunition. OpenZL (Lobste.rs) Source: https://openzl.org/ OpenZL is an open-source library and framework dedicated to enabling the practical application of Zero-Knowledge Proofs (ZKPs). ZKPs are a cryptographic primitive that allows one party to prove to another that a statement is true, without revealing any information beyond the validity of the statement itself. This is foundational for building robust privacy-preserving and ze
AI 资讯
Anthropic, Google, and Microsoft just built a shared security team for open source. AI is why.
AI can now scan major open-source projects and surface a batch of real, exploitable vulnerabilities in a single pass. That's a defensive win — until you remember attackers have the same tools. Anthropic, Google, Microsoft, OpenAI, AWS, and 15 other organizations aren't waiting for that race to get worse. On Thursday they launched Akrites under the Linux Foundation — a coordinated body built specifically for AI-era vulnerability discovery, remediation, and disclosure in critical open-source software. What actually changed A shared Security Incident Response Team (SIRT) replaces the fragmented model where multiple orgs independently scan the same libraries, file duplicate CVEs, and bury maintainers in noise Patch first, publish second — findings are held under strict confidentiality until a fix is ready and tested Fallback maintainer coverage — if a project has no active maintainer, Akrites steps in so fixes still reach downstream users Funded by Alpha-Omega , an OpenSSF project with $7M+ annual budget backed by the same founding members Three membership tiers — Premier (critical infra operators), General (contributing orgs), Associate (OSS foundations, free) The name comes from the Akritai — Byzantine soldiers who guarded the empire's outermost borders. The places most exposed, most frequently attacked, and most dependent on whoever showed up to defend them. The problem it's actually solving The current coordinated disclosure model was designed around a world where finding vulnerabilities took weeks of expert work. AI has collapsed that timeline. Endor Labs CEO Varun Badhwar put a number on it: thousands of validated open-source vulns surfaced by AI in recent months, with fewer than 5% patched. And the old model makes it worse — every org independently sitting on knowledge of an unpatched flaw is another leak risk before a fix exists. "For years, we have believed finding vulnerabilities was never the hard part. Fixing them was. AI has made that gap impossible to igno
AI 资讯
THE KNOWLEDGE ATOM // Writing for Machines That Read
The Knowledge Atom: Writing for Machines That Read The Hoarder's Reflex Everyone is learning to feed the machine. Bigger context files. Paste the whole document. "Give the AI all the context it needs." The entire industry has converged on a single instinct: when in doubt, add more. It's the wrong instinct. A context window is not a hard drive. It's a desk. And a desk piled with every document you own is not a well-informed desk — it's an unusable one. The model doesn't read better because you gave it more. It reads worse, because the one line that mattered is now buried under a thousand that didn't. Knowledge an AI can't find is knowledge it doesn't have. Knowledge it always carries is weight it always pays. The Two Failures There are only two ways to get this wrong, and almost everyone commits one of them. The first is the dump . You take everything you know and pour it inline — into the system prompt, the master config, the one document to rule them all. It feels thorough. It is the opposite. Every token you add dilutes every token already there. Signal drowns in completeness. The model now has all the knowledge and none of the focus. The second is the orphan . You did the disciplined thing. You wrote a clean, perfect note, in its own file, out of the way. And then nothing pointed to it. No index, no trigger, no path back. The note is immaculate and invisible — which is worse than never writing it, because you believe the knowledge is in the system when in fact it is dead. Both failures share one root: confusing having knowledge with retrieving it. Same Pattern, New Sauce Watch the field long enough and you'll see the same thing return, repainted each time. The "Ralph Wiggum" loop becomes "the agentic loop." Agent teams that talk to each other become a single orchestrator, and then an agent that makes other agents talk to each other. Every cycle sells itself as the breakthrough. Every cycle is a re-skin of the last. Underneath the churn, only one thing actually ch
AI 资讯
Network Fingerprinting: Analyzing Default ICMP Structures and Payload Mimicry
Research Context "In advanced network observability, understanding the default behavior of various operating systems is vital for traffic profiling. This article explores the structural differences in ICMP Echo Requests across different OS environments and analyzes how 'Traffic Mimicry' can be used to evaluate the accuracy of Network Intrusion Detection Systems (NIDS)." 1. The Anatomy of an ICMP Signature A standard ICMP Echo Request is not just a simple signal; it carries a specific "fingerprint" based on the operating system that generated it. These fingerprints consist of: Total Packet Size TTL (Time to Live) values Default Payload Content 2. Cross-Platform Discrepancies (Linux vs. Windows) When a system sends a "ping," the default data size ($D$) and the total packet length ($L$) vary significantly between architectures. Feature Linux (Typical) Windows (Typical) Data Size ($D$) 56 Bytes 32 Bytes ICMP Header ($H$) 8 Bytes 8 Bytes Total ICMP Length ($L$) 64 Bytes 40 Bytes Default Payload Timestamp + Data abcdefg... The Linux Signature In most Linux distributions, the ping utility sends 56 bytes of data. When combined with the 8-byte ICMP header, it totals 64 bytes. A key characteristic of Linux ICMP traffic is that the first few bytes of the payload are often occupied by a high-resolution timestamp, used to calculate RTT (Round Trip Time) with microsecond precision. The Windows Signature Windows systems default to a 32-byte data payload. The payload content is static and follows a predictable alphabetical sequence: abcdefghijklmnopqrstuvwabcdefghi. This static nature makes Windows ICMP traffic easily identifiable during deep packet inspection (DPI). 3. The Concept of Traffic Mimicry Traffic Mimicry is a research method used to test the resilience of network filters. By aligning custom communication protocols with the default signatures of a specific OS, researchers can evaluate whether a security appliance is biased toward certain traffic patterns. For example, wh
AI 资讯
Solving IP Endianness in x64 Assembly: A Single-Pass Algorithm
Research Context When doing low-level network programming in Assembly, you experience firsthand the immense chaos running behind the scenes of operations we solve with a single line in high-level languages (Python, C, etc.). While developing the Nested-ICMP-Communication Analysis project, specifically an Encapsulated ICMP framework, I hit exactly this kind of wall: extracting an IP address from a packet header and printing it to the screen in the correct format. Sounds simple, right? However, when x86 architecture and network protocols are involved, seeing 5.1.168.192 instead of 192.168.1.5 on your terminal is extremely common. So why does this happen, and what kind of algorithm did I develop to overcome this issue during the debugging process? Let's dive into the background. The Endianness Problem in Network Headers When you capture a packet coming over the network and read the source/destination IP address inside the sockaddr_in structure, the data arrives in Network Byte Order (Big-Endian) format. This means the most significant byte is stored at the lowest memory address. However, the x86/x64 processor architectures we use rely on Little-Endian (Host Byte Order). When the processor pulls this 4-byte IP data into a register, the reading direction is effectively reversed for our purposes. The result? A packet that arrives as 192.168.1.5 appears scrambled if we try to naively print it from memory. The inet_ntoa() function in high-level languages handles this conversion in the background. But if you are writing a custom sniffer in pure Assembly, you must do this conversion byte by byte yourself. Debugging Hell: The Problems Encountered While writing this conversion, I encountered a few critical issues that cost me hours in GDB (GNU Debugger): Register Clashes: While separating each octet (byte) of the IP address and converting it to an ASCII character (string), you must use the AX register for division operations (DIV). If you don't carefully manage your remainders
AI 资讯
Security News This Week: LastPass Users Had Their Data Stolen—Again
Plus: Former national security advisor John Bolton pleads guilty in classified-materials case, Microsoft helps take down major infostealer infrastructure, and more.
AI 资讯
What 10,000 domains actually publish for email authentication in 2026
Email authentication has been "solved" on paper for years. SPF, DKIM, and DMARC are old standards, every deliverability guide repeats them, and Google and Yahoo made DMARC effectively mandatory for bulk senders in 2024. So I expected the top of the web to be in good shape. In June 2026 I ran SPF, DKIM, DMARC, and MTA-STS checks across the Tranco top 10,000 domains, using public resolvers (1.1.1.1 and 8.8.8.8) and the same checks my own tool runs. The records are public DNS, so anyone can reproduce this. The picture is worse than the "solved problem" framing suggests, and the interesting part is not adoption, it is where people stop. A third of the top 10k still have no DMARC 3,318 of the 9,937 domains that resolved (33.4%) publish no DMARC record at all. These are not obscure sites, they are the most-visited domains on the web. Without DMARC a receiver has no published instruction for what to do when SPF and DKIM fail, and you get none of the aggregate reporting that tells you who is sending as you. It does get better at the very top. Among the top 1,000 domains, 28.4% have no DMARC, versus 34% across the rest of the 10k. Better, not good. The real problem is p=none, not missing records This is the number that actually matters. Of the 6,619 domains that do publish DMARC, only 46.5% are at p=reject . About a quarter (26%) are still sitting at p=none . p=none is monitor-only. It asks receivers to report what they see and to enforce nothing. It is the correct first step: publish p=none , collect aggregate reports, fix the sources that should be passing, then tighten the policy. The trouble is that p=none is also where most deployments quietly stop. The reports start arriving, nobody reads them, and the domain sits unprotected behind a policy that does nothing while looking like progress. Moving from p=none to p=reject is the step that turns DMARC from a dashboard into a defense, and it is the step most people never finish. I wrote up the safe way to make that move , si
AI 资讯
How offline license activation actually works
If you ship a desktop app outside an app store, you eventually hit the same wall: how do you check a license when the user is on a plane, behind a corporate firewall, or just offline? Calling your server on every launch isn't an option. Here's how offline activation actually works, without the hand-waving. The naive version, and why it breaks The first thing everyone reaches for is "call home on launch, get back yes/no." It works in the demo and fails in the wild: No network = no app. Fail-closed locks out paying customers. Fail-open means anyone who blocks your domain runs free. Both are bad. A boolean is forgeable. If your app trusts a {"valid": true} response, a proxy or a patched DNS entry returns that for free. The fix isn't a better endpoint. It's moving the trust off the network and onto cryptography. The model that works: signed leases The durable pattern is a cryptographically signed lease (Keygen calls these license files, Keylight calls them leases — same idea): On first activation, the device talks to the server once . The server returns a small signed document: the license state, an expiry, the device binding, and any entitlements (which features/tiers are unlocked). The document is signed with the server's private key (Ed25519 is the modern choice — small, fast, boring in the good way). Your app ships the matching public key and verifies the signature locally on every launch. No network needed. Because the app only ever verifies with a public key, there's nothing secret in the binary to steal, and a forged lease fails the signature check. That's the whole trick: the server vouches once, math vouches forever after. first launch ──► server signs lease (Ed25519, private key) ──► stored on device every launch ──► app verifies signature (public key) ──► no network Device binding (so one key isn't infinite installs) A lease is bound to a device so a single license can't be pasted onto a thousand machines. The lease embeds a device fingerprint, and the SDK ch
开发者
I should I start cyber security from scratch I am new in this field I more curious about how this work I some know of programming languages like C, python
AI 资讯
Security Profiles Operator hits v1 with stable APIs and a hardening pass
After several years carrying a beta tag, the Kubernetes Security Profiles Operator went 1.0.0 on June 26, freezing eight CRD APIs and clearing a third-party security audit with no criticals. For cluster admins, the practical effect is small but consequential: the syscall and LSM profile a workload runs under is now declared on APIs that will not move under your feet. The release was announced by Sascha Grunert of Red Hat on the CNCF blog. SPO is the Kubernetes operator that manages seccomp, SELinux and AppArmor profiles as cluster-scoped objects, then attaches them to pods. Until now the value proposition was good and the API was provisional. v1.0.0 nails the second half down. What's actually stable All eight CRDs graduated to v1, including SeccompProfile , ProfileRecording , SelinuxProfile , RawSelinuxProfile , and the AppArmor profile type. Conversion webhooks ship with the release, so a cluster running earlier API versions can roll forward without scheduling downtime. The older versions remain available and are slated for removal in a future release. The migration is on the clock, not on fire. The audit pass came with some shape changes that are worth reading before you upgrade. SelinuxProfile swapped its boolean permissive field for a mode enum with Enforcing and Permissive values, which means any GitOps templates that hard-coded permissive: true need a rewrite. RawSelinuxProfile is now gated by an enableRawSelinuxProfiles configuration flag and a validating admission webhook, so the most privileged path through the operator is off by default. AppArmor inputs run through strict regex validation, raw policy payloads are capped at 500 KB, and the eBPF profile recorder picked up explicit resource limits. Why a cluster team should care The point of an operator like this is to take the profile out of the host's filesystem and into the API. That changes the blast radius of "we shipped a container with no profile at all." With SPO and a workload-attached profile, the r