今日已更新 328 条资讯 | 累计 20300 条内容
关于我们

标签:#SEC

找到 679 篇相关文章

开发者

BurnAfterRead – E2E encrypted self-destructing drops on Cloudflare Workers

I built a zero-knowledge secret sharing tool. Text and files are encrypted in the browser with AES-GCM 256 before upload - the server only ever sees ciphertext. The decryption key lives exclusively in the URL fragment (#k=...). URL fragments are never sent in HTTP requests (RFC 9110 §4.2.3), so Cloudflare Workers, D1, and R2 never see it - even in logs. A few things I tried to do right: Single-use by default: Durable Objects handle atomic read→decrement→delete with blockConcurrencyWhile, no race conditions on concurrent requests Paranoid mode: returns not_found instead of expired/burned, no timing oracle Revoke endpoint: delete a drop before it's read using a SHA-256'd token with constant-time comparison CLI: burnafter send / burnafter receive - full E2E from terminal, key never touches a browser - /security page with a live in-browser AES-GCM demo and a manual Node.js decryption snippet so you can verify without trusting me Stack: Cloudflare Workers + D1 + R2 + Durable Objects. No third-party crypto libs. Live: https://burnafterread.casablanque.com Source: https://github.com/casablanque-code/burnafterread Verify: https://burnafterread.casablanque.com/security

2026-06-27 原文 →
AI 资讯

I let my AI agent provision cloud infra. Then I made sure it couldn't go bankrupt doing it.

A few days back I wrote about giving an autonomous agent database access and building a firewall so it couldn't DROP TABLE prod. Same lesson, new surface: this time the agent had cloud credentials . The failure mode isn't a destructive command here. It's spend. An agent pointed at a networking task can scan a whole range looking for hosts, then spin up a fleet of instances to do it faster. Every individual call is "authorized," your IAM role said yes. The bill is what eventually says no. ## Two shapes, two right answers The interesting part is that these are not the same kind of problem, so they don't get the same verdict. 1. The scan is never legitimate as an agent tool call. An nmap -sS -p- 10.0.0.0/16 or a masscan across a network is reconnaissance and abusive egress. There's no benign version of an agent sweeping a network at scale, so it gets hard-blocked , deterministically, before the call runs. (A scan of your own localhost is a dev check, so that's exempt.) 2. The provisioning might be totally fine. Spinning up 50 instances could be a real scale-out, or a runaway loop burning money. You can't tell from the action alone, only from the consequence. So instead of blocking it, AgentX pauses it for a human : a 202, "held for approval," routed to whoever owns the budget. Block the thing that's never okay, escalate the thing that's sometimes okay. Gate on consequence, not identity. Both checks are zero-LLM. No model in the hot path means no latency tax and nothing to talk out of it. A runaway fleet should be caught by a rule, not a vibe. ## The bigger thing this closes We keep a catalog of real, documented agent failures and triage each one: is it something an action firewall can deterministically catch, or is it someone else's category (output hallucination, content safety, model internals)? We only build for the coverable ones, and we flag the rest honestly instead of faking a signature. With this release, the coverable list is done . Every failure shape an acti

2026-06-27 原文 →
AI 资讯

Your cloud keys should not exist

Most cloud platforms that need access to your infrastructure start with the same onboarding step: paste in a service account key. Or an access key and secret. Or a JSON blob you downloaded from the console and definitely should not be emailing to yourself. You paste it in. The platform stores it. You hope they encrypted it. You hope they rotate it. You hope nobody on their team can read it. You move on with your day and try not to think about it. We built Zero — b0gy's platform for engineering truth — around a different premise. For cloud infrastructure access — GCP and AWS — we don't store credentials at all. The platform connects to your projects and accounts using short-lived, federated identity tokens that are minted on demand and expire in minutes. There is nothing to leak because there is nothing stored. Not every integration can work this way. GitHub, Slack, and Jira use OAuth, which means we do hold tokens for those services. But for the highest-risk connections — the ones with read access to your entire cloud infrastructure — keyless was a hard requirement. This is the first post in a three-part series about building Zero. We're starting here because the connector model shaped everything else. Why stored secrets are the wrong default The argument for storing a service account key is convenience. You paste it once, the platform can access your cloud whenever it needs to. Simple. The argument against it is longer. A stored secret is a liability that compounds over time. The moment you paste a GCP service account key into a third-party platform, you've created a credential that is valid indefinitely, scoped to whatever permissions you granted, and stored in a system you don't control. If that platform gets breached — or if an employee with database access gets curious — that key works until someone revokes it. And nobody revokes it, because nobody remembers it exists. This isn't theoretical. The GitGuardian 2026 report found 28.65 million hardcoded secrets pus

2026-06-27 原文 →
开发者

Malware Unpacking & Anti-Analysis Bypass: A Deep Dive into Real-World Techniques

Malware authors don't make our job easy. Every time we think we've figured out their tricks, they layer on another obfuscation technique, another anti-debugging check, another sandbox evasion. Over the past few weeks, I've been deep in the trenches with some particularly stubborn samples — the kind that detect your debugger, hide their strings behind XOR encoding, and hollow out legitimate processes to hide their payload. This article walks through my hands-on exploration of these techniques. We'll look at how malware detects analysis tools, how it obfuscates its strings, how it unpacks itself in memory, and most importantly — how we can bypass these defenses to see what the malware is actually trying to do. The tools we'll use: x64dbg/x32dbg for dynamic analysis and patching IDA Pro for static disassembly REMnux (Linux toolkit) for string deobfuscation FLOSS, XORSearch, bbcrack for automated string decoding Scylla & OllyDumpEx for dumping unpacked payloads Process Hacker for memory forensics Problem Statement Modern malware is rarely "what you see is what you get." A single executable might be: Packed — the actual malicious code is compressed/encrypted and only revealed at runtime Anti-debug aware — it checks for debuggers and changes behavior or terminates Sandbox-aware — it detects virtualized environments and refuses to execute its payload String-obfuscated — URLs, registry keys, and IOCs are encoded to evade signature detection Process-injecting — it hollows out a legitimate process (like explorer.exe ) and runs its code there Our goal: peel back these layers and extract the real payload for analysis. Exercise 1: Bypassing Debugger Detection in getdown.exe What I Found The first sample, getdown.exe , refused to show any network activity when run inside a debugger. Outside the debugger, it connected to 1.234.27.146:80 . Classic anti-debugging behavior. The Detection Mechanism Using x64dbg, I searched for intermodular calls and immediately spotted IsDebuggerPrese

2026-06-27 原文 →
AI 资讯

On-premises AI coding tools - safeguarding data privacy in software development

Check how on-premises AI solutions empower enterprises to safeguard sensitive code, ensure data residency, and maintain full compliance without compromising performance. Why privacy and security matter in AI-powered development? As enterprises increasingly adopt AI to automate code reviews, testing, and vulnerability scanning, ensuring data privacy becomes paramount. Cloud-based AI tools may expose sensitive source code, customer data, or intellectual property to external risks. By contrast, on-premise AI tools allow organizations to keep data within their controlled environments by aligning with data sovereignty and compliance requirements like GDPR and CCPA. According to Gartner, by 2026, 75% of organizations will demand AI solutions that guarantee strong data residency and compliance assurances. What are on-premise AI tools for software development On-premise AI tools are artificial intelligence solutions that are deployed and operated within an organization’s own infrastructure, rather than relying on external cloud services. In the context of software development, on-premise AI allows teams to leverage advanced AI capabilities such as code analysis, automated testing, and security scanning while keeping all data and processes within their own controlled environment. Core components of on-premise AI infrastructure include: Hardware: servers, GPUs, and storage devices physically located on-site or in a private data center. Software: AI models, orchestration tools, and management platforms installed and maintained by the organization. Security Measures: firewalls, access controls, and monitoring systems tailored to the organization’s specific needs. Examples of on-premise AI tools in software development: AI-powered code review platforms installed on internal servers automated vulnerability scanners running within the company’s network machine learning models for test automation, hosted locally. Primary connection to data privacy: on-premise AI ensures that sensit

2026-06-26 原文 →
AI 资讯

Argo CD 3.5 Tightens Supply Chain Security with Internal mTLS and Source Integrity

The Argo CD project released a v3.5 release candidate in June 2026. This version adds mutual TLS enforcement for internal components. It also includes Git commit signature verification for supply chain security and native ApplicationSet management in the UI. The release also graduates two significant features: impersonation and Source Hydrator, from alpha to beta. By Claudio Masolo

2026-06-26 原文 →
AI 资讯

Understanding Malware Analysis: Types, Methodology, and Lab Setup Fundamentals

I've been digging into malware analysis lately, and one thing became clear pretty fast: before you ever touch a debugger or run a suspicious binary, you need to understand the landscape — what malware actually is, how it's classified, and what a safe, repeatable analysis workflow looks like. This post is my attempt to organize that foundation. No flashy exploit walkthrough here — just the core concepts I think anyone starting out in malware analysis needs to internalize first, because skipping this step is how people either get sloppy or get burned (sometimes literally infecting their own host machine). Problem Statement If you search "malware analysis tutorial," you mostly get tool-specific guides — "how to use Ghidra," "how to use Process Monitor" — without context on why you'd choose static vs. dynamic analysis, or how to build a lab that won't accidentally compromise your real network. I wanted to write down the methodology layer first: the classification of malware, the four analysis approaches, and the non-negotiables of lab isolation. This is the stuff that makes the tool-specific tutorials actually make sense later. What Malware Analysis Actually Is Malware analysis is the study of a malicious program's behavior — the goal is to understand what it does, how it got in, and how to detect/eliminate it across an environment, not just on one infected machine. A few concrete objectives that stuck with me: Determine the nature of the malware — is it an infostealer, a keylogger, a spam bot, ransomware? Understand the compromise — how did it get in, and what's the blast radius? Infer attacker motive — banking credential theft usually points to financial motive; persistence + C2 beaconing might point to espionage. Extract network indicators — domains, IPs, User-Agent strings — for network-level detection. Extract host-based indicators — registry keys, dropped filenames, mutexes — for endpoint-level detection. This connects directly to something called the Pyramid of P

2026-06-26 原文 →
AI 资讯

AI Agents and Persistent Context: What design.md Teaches Us

A GitHub repository called design.md has been trending recently, accumulating over 1,400 stars. The concept is straightforward: provide AI agents with a persistent design document they can reference throughout their work. This approach addresses a practical challenge in agent development that many teams encounter. The Context Challenge When working on complex tasks, AI agents need to understand the broader picture. What's the architecture? What constraints exist? What approaches have been tried before? Typically, agents get context from: Current conversation (limited window) Code comments (often outdated) Documentation (if it exists) The issue is that this context is fragmented and temporary. When conversation moves forward, earlier context disappears. When documentation is outdated, agents make incorrect assumptions. A design.md provides a single source of truth that persists across sessions. What Belongs in design.md An effective design.md answers these questions: What are we building? Beyond feature lists, document the core purpose. Why does this project exist? What problem does it solve? What are the key architectural decisions? Document major choices and their rationale: "PostgreSQL was chosen over MongoDB because ACID guarantees are required for financial transactions" "Microservices architecture was adopted because components have different scaling requirements" What constraints exist? Technical constraints (performance requirements, browser support), business constraints (budget, timeline), and regulatory constraints (GDPR, HIPAA). What has been tried before? Document failed approaches to prevent agents from suggesting rejected solutions. What are the current challenges? Known issues, technical debt, areas needing improvement help agents prioritize work. How Agents Use design.md When starting a task, agents can: Read design.md to understand context Make decisions aligned with documented architecture Avoid solutions violating constraints Reference design.md i

2026-06-26 原文 →
AI 资讯

Dotsync – A zero-knowledge CLI to sync dotfiles and secrets in Go

I spent 3 months building a tool that solves the most annoying part of working on a dev team. You know the drill: → New dev joins → "hey check your DMs" → Someone pastes the .env in Slack → That message sits there forever → 6 months later someone screenshots it by accident or worse — → git add . → git commit -m "added env" → git push → you just leaked your prod database URL to the internet I got tired of it. So I built DotSync. ─────────────────────────────────── Here's what it looks like in practice: $ dotsync push 🔒 Encrypting 10 secrets for team access... 📤 Uploading... ✅ Version : v7 Secrets : 10 keys encrypted Teammates can now run: dotsync pull That's it. New dev joins? They run dotsync pull. Secrets updated? dotsync push. Moving between your laptop and work machine? dotsync pull. ─────────────────────────────────── The part I actually care about — security: Everything is encrypted ON your machine before it hits the network. The server stores a blob it literally cannot read. I'm not asking you to trust my infrastructure. You don't have to. Stack if you're curious: • Argon2id key derivation (64MB memory cost — brute force isn't happening) • AES-256-GCM encryption • Zero-knowledge server (stores ciphertext only) • Single Go binary, no runtime deps ─────────────────────────────────── Other things it does that I use daily: dotsync diff → shows exactly which keys changed vs remote (never shows values) dotsync history → full version history, who pushed what and when dotsync rollback → restore any previous version in one command dotsync run -- node server.js → injects secrets as env vars, nothing written to disk dotsync scan → scans your codebase for accidentally committed secrets ─────────────────────────────────── Free tier covers: • 1 project • 3 team members • 7 days history That handles most small teams completely free. ─────────────────────────────────── Now the part where I need your help: I'm looking for 100 engineers to actually stress test this. Not "give i

2026-06-26 原文 →
AI 资讯

Cybersecurity Roadmap

Introduction: Cybersecurity is one of the most in-demand fields on the planet - and also one of the most confusing to break into. This roadmap cuts through the noise. No fluff, no overwhelming jargon. Just a clear, step-by-step path from zero knowledge to job-ready skills. Who this is for: ▸ Complete beginners. ▸ Students who want practical skills, not just theory The Big Picture Phase Focus Goal Phase 1 Foundations : Understand how computers & internet actually work Phase 2 Networking : Read network traffic, understand protocols Phase 3 Linux & Windows : Navigate both OS like a professional Phase 4 Programming : Read & write basic scripts Phase 5 Core Security : Learn how attacks & defense work Phase 6 Specialize : Pick a lane: Red, Blue, or Cloud ** Phase 1 - Foundations:** Before learning how to hack or defend anything, you need to understand how computers and the internet actually work. Skip this and you'll be blindly running tools with no idea why they do what they do. What to learn: ▸ How computers store and process data (bits, bytes, binary) ▸ What an operating system does ▸ How the internet works at a basic level (client, server, request, response) ▸ What IP addresses, ports, and protocols are Free resources: ▸ CS50's Introduction to Computer Science : https://pll.harvard.edu/course/cs50-introduction-computer-science ▸ Professor Messer's CompTIA A+ : https://www.professormesser.com/get-a-plus-core-1-certified/ ** Phase 2 - Networking:** Networking is the bloodline of cybersecurity. Every attack and every defense happens over a network. You cannot protect what you don't understand. What to learn: ▸ OSI Model - 7 layers, what each one does ▸ TCP/IP - how data actually travels across the internet ▸ Key protocols: DNS, DHCP, HTTP/HTTPS, FTP, SSH, SMTP ▸ Subnetting - how IP ranges work ▸ How firewalls, routers, and switches fit together Hands-on tools: ▸ Wireshark - capture and read real network traffic ▸ Cisco Packet Tracer - simulate networks for free Free reso

2026-06-26 原文 →
AI 资讯

plugin marketplaces are the new endpoint policy for coding agents

GitHub added an enterprise setting this week that looks like the kind of thing most developers will never read about unless it breaks their editor. Enterprise managed settings now support strictKnownMarketplaces for VS Code and GitHub Copilot CLI. In plain English: an organization can restrict which extension and plugin marketplaces are known and allowed inside the developer tools people actually use. That sounds like desktop management. I think it is more interesting than that. If coding agents can discover tools, install plugins, call commands, read repositories, modify files, and run workflows from the IDE or terminal, then plugin marketplace policy is no longer a minor preference. It is part of the runtime boundary. The agent does not only need permission to think. It needs permission to reach for tools. And the place where those tools come from is now a security surface. the tool catalog moved closer to the developer For a long time, extension marketplaces felt like productivity infrastructure. You installed a formatter, a theme, a language server, a test explorer, a Docker helper, a cloud plugin, a database browser, maybe three things you forgot existed. Some companies cared a lot. Many mostly hoped the endpoint security product would notice anything truly bad. That world was already risky, but the blast radius was usually framed around the human developer. A plugin could read files, run code, exfiltrate data, or weaken the local environment. Bad, but familiar. Agents change the framing. An AI coding assistant sitting in the IDE or CLI may use plugins as capabilities. It may call into developer tooling, use installed extensions as context, or depend on local integrations to perform work. Even when the agent itself does not directly install anything, the available tool environment shapes what it can do. So the question stops being "which extensions are developers allowed to install?" It becomes "which tool supply chains are allowed to become part of our automat

2026-06-26 原文 →
AI 资讯

AI Content Detection, Zig Low-Level Hardening, & Sub-1nm Chip Security Focus

AI Content Detection, Zig Low-Level Hardening, & Sub-1nm Chip Security Focus Today's Highlights This week's highlights include a practical tool for detecting AI-generated content, crucial low-level compiler enhancements impacting code safety, and a look at the future security implications of cutting-edge hardware. tropius: detect AI tropes in prose (Lobste.rs) Source: https://tangled.org/desertthunder.dev/tropius The "tropius" project introduces a tool specifically designed to identify common stylistic patterns or "tropes" often found in AI-generated prose. In an increasingly complex digital landscape, where AI-produced text can be deployed for sophisticated misinformation campaigns, advanced phishing attempts, or large-scale automated content generation, the ability to accurately detect such artificial patterns is becoming a critical defensive technique. This tool could be instrumental for security professionals in a variety of contexts, including verifying the authenticity of critical communications, combating the rapid spread of deepfake text, or ensuring appropriate human oversight in sensitive information flows. For security teams, integrating AI content detection utilities like tropius into their threat intelligence and defense strategies offers a tangible way to enhance information integrity. It helps in proactively identifying and mitigating risks associated with malicious AI-driven content, bolstering resilience against evolving social engineering tactics that leverage artificial intelligence to appear more convincing or credible. Comment: Identifying AI-generated text is increasingly important for verifying content authenticity and combating misinformation. Tools like tropius offer a practical approach to detect AI tropes, which could be vital for security teams monitoring for AI-driven threats and maintaining information integrity. Zig's new bitCast semantics and LLVM back end improvements (Hacker News) Source: https://ziglang.org/devlog/2026/#2026-06-25

2026-06-26 原文 →
AI 资讯

From Root CA to User Authorization in nginx+apache. Part 2: Certificate Revocation, CRL and OCSP

A follow-up to Part 1 ( EN on LinkedIn · RU on Habr ), where we stood up a two-tier PKI: a Root CA and three intermediate CAs — Person, Server and Code. At the end of Part 1 I promised we'd learn to revoke certificates and run OCSP. That's what we'll do here. Like Part 1, this article is meant as a hands-on manual : for every command and extension we touch, there's an extended reference of the parameters you can actually use — with syntax, allowed values, defaults and gotchas. If you don't need a given option right now, just skim past the table; it's there so you don't have to dig through man later. Each section has the same shape: first the working commands for the common case, then the full parameter reference. Tested on versions. Flag names, defaults and extension syntax were verified against the official documentation of OpenSSL master , plus nginx and Apache mod_ssl. OpenSSL evolves per branch: anything marked "OpenSSL 4.0 / master" (for example the nonss qualifier on authorityKeyIdentifier ) is not yet available in the stable 3.x line. If you're on OpenSSL 3.0–3.6, double-check the disputed options with openssl <cmd> --help or your version's man before copy-pasting config. The numeric openssl verify error codes above 40 also shifted between branches — confirm them against your version's header. In this part: How a revoked certificate differs from an expired one, and why we need two mechanisms — CRL and OCSP. Adding the distribution points (CDP) and AIA to the config so issued certificates "tell" verifiers where to check them. Revoking a certificate and working with the CA database. Generating a CRL and inspecting it with openssl crl . Checking revocation with openssl verify . Running an OCSP responder: issuing its certificate, starting the daemon, querying status. Publishing the CRL and OCSP over HTTP (nginx), configuring OCSP stapling and revocation checking on the web server. All paths, file names and config sections are the same as in Part 1. Where you name

2026-06-25 原文 →