AI 资讯
The Missing Check After Your Database Query
We have tools for checking whether a query is injectable. We have linters, scanners, ORMs, parameterized queries, and database policies. But after the database returns rows, most applications simply trust that the result set matches the operation that asked for it. queryguard starts there. The query may be safe. The result may still be wrong. SQL injection taught us to distrust query construction. Parameterized queries answered the question: Did the user control the query structure? That question is well understood. The tooling is mature. But it is a different question from the one queryguard asks: Did this operation receive only the rows and fields it was allowed to receive? Those two questions are not the same. A perfectly safe parameterized query can still return the wrong row — because a predicate was dropped, a join widened the result, a developer selected a column they shouldn't have, or a query was rewritten without updating its scope contract. queryguard is not a database firewall. It is not a SQL injection scanner. It is not an ORM plugin. It is a contract check for observed result sets. Where it sits The hook position is the core design decision. queryguard sits immediately after cursor execution — before any result shaping, filtering, serialization, or response mapping. cursor = conn . execute ( sql , bindings ) rows = [ dict ( row ) for row in cursor . fetchall ()] evidence = queryguard . run_check ( contract , { " contract_id " : " user_profile_lookup " , " contract_version " : " 0.1.0 " , " params " : { " user_id " : user_id }, " session " : { " tenant_id " : tenant_id }, " result " : rows , }) if evidence [ " verdict " ] != " PASS " : raise QueryguardViolation ( evidence ) return rows Not at the HTTP layer. Not inside the ORM. Not at the API gateway. Immediately after the cursor returns rows — while the result is still raw, before anything shapes or discards it. This is intentional. If rows are shaped before queryguard sees them, queryguard cannot det
AI 资讯
British Police Built a Sprawling Crime-Prediction Machine. Some Results Couldn’t Be Trusted
As UK police embrace the AI revolution, a WIRED investigation reveals the messy inside story of one region’s experiment with predictive analytics.
AI 资讯
Cellebrite said it cut off Russia, but Russia used is tools anyway
Security researchers found evidence that Russian authorities hacked the iPhone of a political opponent using a phone-unlocking device made by Cellebrite, even after the company said it would stop selling to Putin’s government.
AI 资讯
The Security Bug Every Node.js Developer Ships to Production
Last year I was doing a code review for a startup. Everything looked fine on the surface, clean code, good structure, tests passing. Then I noticed this: const query = `SELECT * FROM users WHERE email = ' ${ req . body . email } '` That's it. That's the bug. SQL injection, sitting right there in a startup that had been in production for 8 months. Nobody caught it. Not the developer, not the reviewer, not the CTO. Here's the thing, it's not that developers are careless. It's that this kind of bug is invisible until it isn't. The code works perfectly. Tests pass. Users are happy. Until someone types ' OR '1'='1 in the email field and walks straight into your database. The bugs I see most often 1. Raw SQL with user input // 🚨 This is everywhere const query = `SELECT * FROM users WHERE email = ' ${ email } '` // ✅ Use parameterized queries const query = ' SELECT * FROM users WHERE email = $1 ' db . query ( query , [ email ]) 2. Secrets in environment variables... committed to git # .env DATABASE_URL = postgres://user:actualpassword@prod-db.company.com/mydb STRIPE_SECRET = sk_live_... Then .env ends up in the repo because someone forgot to add it to .gitignore . I've seen this more times than I want to admit. GitHub's secret scanning catches some of these, but not always before someone has already cloned the repo. 3. JWT tokens that are never actually verified // 🚨 Decoding is not the same as verifying const user = jwt . decode ( token ) // ✅ Always verify const user = jwt . verify ( token , process . env . JWT_SECRET ) jwt.decode just reads the token. Anyone can forge it. jwt.verify actually checks the signature. The names are confusingly similar and the wrong one silently works in development. 4. No rate limiting on auth endpoints // 🚨 Anyone can try a million passwords app . post ( ' /login ' , async ( req , res ) => { const user = await db . findUser ( req . body . email ) // ... }) // ✅ Add rate limiting const authLimiter = rateLimit ({ windowMs : 15 * 60 * 1000 , m
开发者
Cloudflare Ships Agent Skills for Zero Trust Deployment and Migration
Cloudflare released the Cloudflare One stack, an open-source library of agent skills for planning, deploying, and managing Zero Trust environments. The skills include automated migration logic for Zscaler and Palo Alto Networks, the same logic used in Cloudflare's Descaler program that has moved enterprise customers in hours rather than months. By Steef-Jan Wiggers
AI 资讯
Monorepo Dependency Security — Vulnerability Scanning Across Packages
A monorepo can look like one repository, but security teams should treat it as many applications living under one roof. One repo may contain 10 frontend packages, 5 backend services, 3 shared utility libraries, 2 mobile apps, and one root lockfile that does not tell the full story by itself. Monorepo dependency security means scanning the root dependency graph, every workspace package, shared libraries, lockfiles, and generated SBOMs. If you scan only one file, you may miss the vulnerable package that ships in production. Why Monorepos Create Unique Vulnerability Challenges Monorepos centralize multiple packages, apps, services, and libraries inside one repository. This improves code sharing, dependency alignment, refactoring, CI caching, and cross-team collaboration. It also creates a security problem: one repository can contain many different dependency trees, owners, deployment targets, and risk profiles. A typical JavaScript or TypeScript monorepo may include apps/web , apps/admin , apps/api , packages/ui , packages/auth , packages/logger , and packages/config . Each package may have its own package.json . Some packages are deployed to production. Some are internal libraries. Some are build-only tools. Some are used by every app. A vulnerability in one package can affect one app, many apps, or the whole repo depending on how dependency relationships are structured. The biggest issue is shared code. If packages/auth depends on a vulnerable version of jsonwebtoken , every application that imports packages/auth may be affected. If packages/ui uses a vulnerable utility such as lodash , every frontend app that consumes that UI package may inherit the same risk. If a build tool dependency is compromised, the risk may appear during CI/CD rather than runtime. Real CVEs show why this matters. CVE-2021-23337 affected lodash through command injection in template handling. CVE-2022-31129 affected moment through inefficient parsing that could cause denial of service. CVE-202
AI 资讯
Should Your App Adopt Passkeys?
Someone on your leadership team asked a reasonable question: should we adopt passkeys? You searched for answers and found implementation tutorials - WebAuthn server libraries, credential storage schemas, ceremony diagrams. They assume you've already decided. None of that helps you answer the question you were actually asked. This article is a decision guide. The question isn't how to implement passkey login. It's whether you should, when the timing makes sense, and for which users first. Implementation details matter eventually - but they don't belong at the front of the decision. You've seen Apple's demos and Google's Chrome nudges. Your security team may have sent a memo about phishing-resistant authentication. You know the term. What you don't have is a clear way to evaluate whether passkeys fit your product, your users, and your team's capacity to ship and support them. By the end of this article, you'll have scored your app against a readiness checklist, mapped show-stoppers that can block adoption, and drafted a one-page recommendation for leadership. Plain Terms: Passkeys, Passwords, and MFA Before scoring your app, you and stakeholders need to mean the same thing when you say "passkey", "password", and "MFA". Vendor decks use these loosely. A PM might say "passkeys replace passwords" while security means "phishing-resistant credentials". Both can be true. Passwords are shared secrets the user types; your server checks a hash. They leak via breaches and phishing sites. Users forget them, reuse them, and call support. MFA adds a second factor - app push, SMS, hardware key, or biometric. It cuts credential-stuffing and many phishing attacks, but adds friction, lost-device tickets, and cross-platform complexity. Passkeys are cryptographic key pairs on the user's device. The private key never leaves the device or synced passkey manager. Sign-in means unlocking with biometrics or a PIN; your server stores only the public key and verifies a signature. On web, the b
AI 资讯
Your Database Will Be Breached Someday. The Question Is: Will Passwords Be Inside?
Most developers think password hashing is about authentication. It's not. Authentication is just a side effect. Password hashing exists for a much darker reason: because databases get stolen. Every year, companies invest millions in firewalls, monitoring systems, cloud security, and access controls. Yet breach after breach continues to make headlines. The uncomfortable truth is that security teams don't assume a breach will never happen. They assume it eventually will. And when that day comes, one question determines whether the incident becomes a minor security event or a full-scale disaster: Did you hash the passwords? The Difference Between an Incident and a Catastrophe Imagine an attacker gains read access to your production database. Not a far-fetched scenario. A leaked backup. A vulnerable API. A compromised employee account. A misconfigured cloud bucket. The attacker runs a simple query: SELECT email , password FROM users ; If your system stores passwords in plain text, the breach is over. The attacker already won. No advanced techniques. No brute force. No expensive infrastructure. They now possess something more valuable than your database itself: your users' digital identities. Because users rarely reuse databases. They reuse passwords. The same password protecting an account on your platform might also unlock their Gmail, GitHub, LinkedIn, banking app, or company VPN. What started as your security problem instantly becomes everyone else's. This Is Not Theoretical History has repeatedly shown what happens when passwords are handled incorrectly. The RockYou breach exposed more than 30 million passwords stored in plain text. Attackers didn't need to crack anything. They simply read the data. Years later, those leaked passwords were still appearing in credential stuffing attacks across the internet. A single backend decision survived longer than the company itself. That's the thing about password leaks. They don't expire when the incident report is published.
AI 资讯
Why the Scams Prevention Framework Requires More Than Awareness
For years, scam prevention has leaned heavily on awareness. Be careful. Do not click suspicious links. Check the sender. Call the organisation directly. Do not trust urgent payment requests. Slow down before you act. These messages are useful, and they should not disappear. But awareness is no longer enough to describe what serious scam defence requires. The Scams Prevention Framework, or SPF, moves the conversation from “make users more careful” to “make the scam ecosystem harder to exploit.” That shift is important. Modern scams do not succeed only because a user failed to notice a warning sign. They succeed because scam operators move through gaps between messaging channels, platforms, brand impersonation, payment pressure, fake infrastructure, multilingual persuasion, reporting delays, and weak post-report disruption. Awareness helps at the point of decision. SPF requires capability across the whole chain. In my view, awareness alone covers about 28% of the real scam defence problem. The rest sits in evidence quality, intelligence sharing, infrastructure disruption, multilingual interpretation, safe financial harm context, recurrence monitoring, and operational response. That is why SPF should not be read as an education policy. It should be read as an operating model. The Awareness Ceiling Awareness is a front-line control, not a full defence system. It helps users recognise risk, but it cannot remove the fake page, connect related reports, preserve evidence, disrupt a fake app, identify a phone-linked abuse path, or monitor the next replacement domain. It also assumes the user has enough time, confidence, language support, and emotional distance to make a calm decision. Many scam situations are built specifically to remove those conditions. Scammers do not only trick uninformed people. They create urgency for informed people. They create authority for cautious people. They create routine-looking payment requests for busy people. They create private pressure fo
AI 资讯
Grab Builds Secure Agentic AI Workload Platform
Grab's security team built Palana, a Kubernetes-native secure execution platform, to run autonomous AI agents safely. Unlike deterministic software, model-driven agents exhibit unpredictable tool-use, code-writing, and prompt injection risks. Palana contains these threats at the infrastructure level using isolated namespaces, out-of-process control planes, and proxy-mediated, Vault-backed secrets. By Patrick Farry
AI 资讯
How I built an end-to-end encrypted pastebin (and why the server can’t read your text)
got annoyed that pastebin and similar sites log everything and keep your text forever, so i built one where the server literally cant read what you paste. heres how the encryption actually works and what i learned building it the problem most paste sites work like this: you type something, it goes to their server as plain text, and it sits in their database. they can read it. their employees can read it. anyone who breaches them can read it. and a lot of them keep it forever even after you think its gone. i didnt want to just promise not to look at your stuff. i wanted it so that i cant look even if i wanted to. the idea: encrypt before it leaves the browser the trick is that all the encryption happens on your side, in the browser, before anything gets sent. the server only ever sees scrambled bytes. the key never touches the server at all, it lives in the part of the url after the # , which browsers dont send in requests. so the flow is basically: you paste text browser generates a random key text gets encrypted with that key only the encrypted blob goes to the server the key gets stuck in the link after a # whoever opens the link decrypts it locally the actual code modern browsers have the Web Crypto API built in, so you dont need any library for this. heres the encrypt part, stripped down: \ `js async function encrypt(text) { const key = await crypto.subtle.generateKey( { name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"] ); const iv = crypto.getRandomValues(new Uint8Array(12)); const encoded = new TextEncoder().encode(text); const ciphertext = await crypto.subtle.encrypt( { name: "AES-GCM", iv }, key, encoded ); // export the key so we can put it in the url const rawKey = await crypto.subtle.exportKey("raw", key); return { ciphertext, iv, rawKey }; } ` \ the ciphertext and iv go to the server. the rawKey gets base64'd and dropped into the link after the # . decrypting is just the same thing in reverse with crypto.subtle.decrypt . the thing that tripped
创业投融资
New website names and shames companies that still don’t offer passkeys to users
According to a new site, 24% of the most popular websites in the world don't offer support for passkeys, which are considered the most secure way to log in to apps and services.
工具
One-two punch delivered in global operation disrupts cybercrime "assembly line"
"Operation Endgame" simultaneously disrupts two widely used crime tools.
AI 资讯
I built a local-only credential vault because every dev team I worked with stored PATs in Notepad
The Problem I Kept Seeing Over the past year working across multiple client teams on DevOps and pipeline work, I kept noticing the same thing. Developers storing GitHub PATs in Notepad. QA engineers keeping API keys in a text file on the desktop. DevOps folks with database passwords in a sticky note app. During screen shares — sprint reviews, debugging sessions, pair programming, recorded demos — those credentials were just sitting there. Visible to everyone in the call. Nobody said anything. It just kept happening. Why Existing Tools Didn't Fit I looked for something simple that solved this. Here's what I found and why none of it quite worked: Password managers (1Password, Bitwarden) Good tools. But they're built around cloud sync, browser extensions, and team sharing. For an individual developer who just wants somewhere safe to keep a PAT — overkill. Also: corporate IT policies often block installation of cloud-synced password managers on work machines. Secret managers (HashiCorp Vault, AWS Secrets Manager) These are infrastructure tools, not personal workflow tools. Setting up Vault for an individual developer's PAT collection is like using a forklift to move a chair. OS keystores (Windows Credential Manager, macOS Keychain) Actually decent for storage. But no UI built for this workflow, no copy-to-clipboard, and they don't solve the screen-exposure problem at all. The gap: Something simple, local, and designed around the moment of use — not just storage. So I Built Tokenly Tokenly is a local-only desktop credential vault. The core design principle is simple: Credential values are never shown on screen. You copy them to clipboard. That's the only way to use them. The clipboard auto-clears after 30 seconds. If you need to visually verify a value — press and hold a button. Release it, the value hides immediately. Not a toggle — a hold. Toggles get forgotten. Holds don't. Technical Decisions Worth Explaining Why Tauri over Electron Tauri uses the operating system's
AI 资讯
Verify Nylas webhook signatures to trust your data
A webhook endpoint is a public URL sitting on the internet, and anything on the internet can send it a POST . If your app acts on whatever lands there, an attacker who guesses the URL can forge events: fake an inbound email, trigger a workflow, or feed your system garbage. The fix is to confirm two things before you trust a request, that you own the endpoint and that Nylas actually sent the payload, and both are built into how webhooks work. This post covers verifying webhooks from two angles: the HTTP mechanics your endpoint implements, and the nylas CLI for testing a signature without standing up a server. I work on the CLI, so the terminal commands below are the ones I reach for when I'm debugging a signature mismatch. Two layers of webhook trust There are two separate checks, and they happen at different times. The first is a one-time endpoint challenge: when you register or activate a webhook, Nylas sends your URL a request with a challenge value you echo back, proving you control the endpoint. The second runs on every notification afterward: each delivery carries a cryptographic signature you verify against a shared secret, proving the payload is genuine and wasn't tampered with. You need both because they defend against different things. The challenge stops you from accidentally registering an endpoint you don't own and confirms the URL is live. The signature stops anyone else from posting forged events to that URL once it's known. Skip the signature check and your public endpoint will trust any POST that reaches it, which is the most common webhook security mistake. Pass the endpoint challenge The first time you set up a webhook or flip one to active , Nylas sends a GET request to your endpoint with a challenge query parameter. Your endpoint has to return the exact value of that challenge in the body of a 200 OK response, within 10 seconds, or the webhook won't verify. It's a quick handshake that proves the URL is yours and reachable. // Express: echo the ch
AI 资讯
Notes on adversarial paraphrasing: a paper review
Just finished reading Saha et al. arXiv 2506.07001 on adversarial paraphrasing for AI detector evasion. Key claim: detector-guided paraphrasing with RoBERTa as reward reduces TPR by 87.88 percent across Binoculars, Fast-DetectGPT, Ghostbuster, RADAR, GPTZero. Universal, training-free. What surprised me: the approach works even on detectors that were trained with adversarial examples baked in. Suggests the discriminator signal is fundamentally narrower than the generator space. Open questions: Does this generalize to detectors using surprisal variance (DivEye 2509.18880)? Multi-LLM round-robin generation: would mixing 3-4 models in pipeline give even more headroom? Token-level homoglyph substitution (SilverSpeak) is trivially detectable via Unicode normalization, but adversarial paraphrasing leaves no such forensic signal.
AI 资讯
Welcome to My Developer Blog
I'm Dr. Mohammad Reza Beheshti, Founder of CyberSiARA. I hold a PhD in Electronic Engineering and Artificial Intelligence and have over 15 years of experience in cybersecurity research and innovation. My passion has always been solving complex security challenges through technology. This journey led me to found CyberSiARA, where we're developing AI-powered bot protection and human verification solutions to help organizations defend against increasingly sophisticated cyber threats. I enjoy combining academic research with practical engineering to create technologies that are both innovative and effective in the real world. Through this blog, I share insights from my research, product development, and experiences building a cybersecurity company, with the aim of helping developers and security professionals stay ahead of emerging threats. I'm always keen to learn, collaborate, and contribute to the global developer and cybersecurity communities.
科技前沿
White House drastically shortens deadline for dropping quantum-vulnerable crypto
Order warns of national security risks if post-quantum cryptography isn't adopted in time.
安全
Klue says hackers stole credential from 2022 that led to customer data breaches
It's unclear why Klue had not revoked the credential after the limited pilot, which hackers then used to breach a system holding keys for accessing customers' data.
AI 资讯
Dialog Claims It Was Hacked. A Misconfigured Website Left Its Members Exposed
The private events group, cofounded by Peter Thiel, says a “criminal” hacker is behind a breach that exposed members’ personal details. WIRED found no evidence a break-in was needed to access the files.