AI 资讯
Deploying Ory Kratos Open-Source Identity and User Management System on Ubuntu 24.04
Ory Kratos is an open-source, API-first identity and user management system handling registration, login, recovery, verification, and session management with a self-service UI. This guide deploys Kratos using Docker Compose with PostgreSQL, the self-service UI Node, and Traefik handling automatic HTTPS for the public API. By the end, you'll have Kratos managing identities and sessions for users registering through your domain over HTTPS. Prerequisite: SMTP credentials are required for verification and recovery emails. The admin API stays bound to 127.0.0.1 on purpose — never expose it publicly. Set Up the Directory Structure 1. Create the project directories: $ mkdir -p ~/ory-kratos/ { config,data/postgres } $ cd ~/ory-kratos 2. Create the environment file: $ nano .env DOMAIN = kratos.example.com LETSENCRYPT_EMAIL = admin@example.com KRATOS_VERSION = v26.2.0 POSTGRES_USER = kratos POSTGRES_PASSWORD = EXAMPLE_DB_PASSWORD POSTGRES_DB = kratosdb LOG_LEVEL = info 3. Create the identity schema — defines the user fields (email + name) and how the email maps to login, recovery, and verification: $ nano config/identity.schema.json Use the schema described in the Vultr Docs walkthrough — email is the login identifier with password auth; name is a free-text trait. 4. Create the Kratos configuration — public/admin API URLs, password policy (12-char minimum + HaveIBeenPwned), session lifetimes, self-service flows, SMTP courier: $ nano config/kratos.yml Fill in the full configuration from the source article. Key points to keep consistent with the stack below: Public API listens on the internal port and is fronted by Traefik on ${DOMAIN} . Admin API listens on 127.0.0.1:4434 only — used by tooling on the host. The DSN points at the postgres service ( postgres://kratos:...@postgres:5432/kratosdb?sslmode=disable ). The courier section uses your SMTP provider for verification mail. Deploy with Docker Compose 1. Create the Compose manifest: $ nano docker-compose.yml services : traefi
AI 资讯
The Tool Found Corridor Nodes — But the Bigger Finding Was Where It Found None
A few weeks ago I published corridor-lab — a Docker lab that proved a triage mismatch: a service that stores nothing sensitive can become high-priority because of where it sits in the path to a sensitive downstream system. The lab proved the premise. The next question was whether a tool could identify those nodes automatically — without manual path declaration, without value labels, from graph position alone. So I built corridor-id. You point it at a Docker Compose file. It discovers the topology, computes depth from exposed surfaces, and identifies which nodes expand forward reach into deeper parts of the environment. No asset-value labels. No sensitivity ratings. No human classification. Reach and graph position only. Then I pointed it at four architecturally different Docker environments. Two had corridor nodes. Two had none. Both answers were useful. But the zero-corridor results taught me more than the positive ones. What corridor-id does The tool reads a Docker Compose file and builds a reachability graph from service definitions, network memberships, and port mappings. It then orients that graph from exposed surfaces using BFS and identifies nodes that provide forward reach — access to strictly deeper nodes that the exposed surface cannot reach directly. The output is a ranked list with two metrics: exposure distance (how close to the surface) and forward reach gain (how many deeper nodes become reachable through this node). One command: python corridor-id.py docker-compose.yml No manual path declaration. No value labels. No configuration. From graph position alone. The four tests corridor-lab — segmented, depth 3 My own lab, five services across five segmented networks. The tool independently identified status-api as a corridor node — the same finding the lab was built to prove. Corridor nodes found: 3 → status-api Exposure distance: 1 Forward reach gain: 1 → log-monitor Exposure distance: 1 Forward reach gain: 1 → internal-admin-api Exposure distance: 2 For
AI 资讯
npm Supply Chain RAT: PostCSS Impersonation & Dependency Confusion
Originally published on satyamrastogi.com Three malicious npm packages masquerading as PostCSS tools delivered Windows RAT payloads. Analysis of supply chain attack mechanics, payload delivery chains, and detection gaps in dependency management. Malicious npm Packages Pose as PostCSS Tools to Deliver Windows RAT Executive Summary This is a textbook supply chain attack leveraging npm's trust model. Three packages published in June 2026 - aes-decode-runner-pro , postcss-minify-selector , and postcss-minify-selector-parser - delivered Windows RAT payloads to developers. The attack demonstrates why automated dependency management without behavioral validation is a critical vulnerability. What makes this particularly effective: PostCSS is a legitimate, widely-used build tool. Developers hunting for PostCSS plugins via search or copy-pasting dependency names from tutorials become easy prey. The attacker didn't need zero-days, social engineering sophistication, or exploit kits. Just npm account registration and package uploads. This follows the exact pattern we've seen in credential theft campaigns prioritizing convenience over complexity . Low barrier to entry, high payoff. Attack Vector Analysis MITRE ATT&CK Framework Mapping This attack chains multiple techniques: T1195.001: Compromise Third-Party Software Supply Chain - Malicious package publication on npm registry T1566.002: Phishing - Spearphishing Link - Package discovery and recommendation (implicit trust) T1059.003: Command and Scripting Interpreter - Windows Command Shell - RAT payload execution T1105: Ingress Tool Transfer - Initial RAT download mechanism T1571: Non-Standard Port - C2 communication channels (typical) Kill Chain Breakdown Stage 1: Reconnaissance & Naming Attacker identifies PostCSS as high-value target (builds present in thousands of projects) Creates names that blend legitimacy with search results: postcss-minify-selector exploits incomplete package searches The aes-decode-runner-pro variant sug
安全
Password manager maker LastPass says hackers stole customer support case data during Klue breach
This is the second data breach to affect LastPass customers in recent years, after one of the password manager's tech partners was recently breached.
AI 资讯
Claude Code Security: Why the Real Risk Lies Beyond Code
Many cybersecurity professionals have been following Anthropic's announcement about the release of Claude Code Security on Friday. This created the beginning of a panic on the cybersecurity stock market. It also raised a lot of questions from domain experts, investors and security enthusiasts. Anthropic's announcement Anthropic introduces Claude Code Security: a tool that scans full codebases for security vulnerabilities, and can propose fixes directly in developer workflows. The tool leverages the latest foundational model's reasoning capabilities to provide a new experience. In a world where code will be generated only by AI, this can sound very much like code security is dead. Our vision 18 months ago, SAST, SCA, and IaC security were areas where we had real traction and could see ourselves expanding. But as AI tooling started reshaping how code gets written, we made a tough call. We decided to stop these initiatives and go all-in on what we believed would matter most: Protecting enterprises against leaked secrets and mismanaged NHIs . We envisioned a future where identity is crucial for the AI era security, with secrets enabling AIs to access data and take actions . After pioneering in secrets detection for years we witnessed how amplified the problem became as LLM emerged: more API keys for AI services, more code generated, often less secure, more agents requiring sophisticated access to a myriad of tools. All in all, this resulted in more secrets exposed. Yet the problem of overseeing and managing these secrets in a secure way remains unsolved. The paradigm shifted from human hardcoding secrets in their code, to AIs having wide access levels on several systems with humans, coders and non-coders, prompting them and creating new vulnerabilities. 18 months later, let me describe where we stand. What isn't changing Best in class secrets detection GitGuardian is the leader in secrets detection . We are the only solution able to scan large volume of data at scale (5
AI 资讯
The Invisible Guardrail: How Commercial LLMs Enforce Algorithmic Paternalism
I recently published my PhD thesis analyzing what I term the "Alignment Tax" and the emerging phenomenon of Algorithmic Paternalism in commercial artificial intelligence. As the tech industry rapidly positions Large Language Models (LLMs) as the primary interface for information retrieval and coding assistance, a critical epistemological issue is being largely ignored. Much of the public debate regarding AI alignment focuses exclusively on existential risk or the prevention of catastrophic physical harm. While necessary, this focus obscures the structural damage being done to legitimate technical research. Through my research in Cybersecurity and AI, I have documented how frontier models (such as GPT-4 or Claude) systematically enforce what I define as "Soft Refusals". When presented with a complex, edge-case, or dual-use query—particularly in fields like information security, reverse engineering, or deep systems architecture—these models rarely issue a hard, explicit "I cannot answer that". Instead, they provide a degraded, superficial, or heavily sanitized response. They effectively neuter the research process without the user fully realizing the depth of technical information that is being actively withheld. This is Algorithmic Paternalism. The commercial model acts as a silent, corporate arbiter, deciding unilaterally what level of technical detail is "safe" for the user to possess. This dynamic flattens the available technical knowledge and actively penalizes independent researchers and developers working on advanced problems. The core issue is that this paradigm creates a profound class division in how we access computational intelligence. We are rapidly moving toward a two-tier system. On one side, there are "certified" entities, corporate partners, and wealthy organizations who are granted direct access to strong, unfiltered base models. On the other side, the general public and independent developers are subjected to obfuscation algorithms, sanitized APIs,
开发者
Connecting Sophos Central to a Copilot Studio Agent with Power Automate
I wanted a chat agent that could pull security alerts from Sophos Central on demand. Type "get Sophos alerts" into a Copilot Studio chat, get back a readable answer. No dashboard, no manual API calls. It works now, end to end. Agent calls a Power Automate flow, the flow talks to the Sophos API, and the response comes back formatted in chat. This post is how I got there, including the bugs that ate most of my time. The shape of the thing Three pieces: A Copilot Studio agent that the user talks to A Power Automate flow that does the actual API work The Sophos Central API on the other end The agent does not call Sophos directly. It calls the flow, the flow handles auth and the request, and the result gets passed back to the agent to format. Keeping the API logic in the flow means the agent stays simple. The flow The flow is named Sophos - Get Alerts , living in a solution called Sophos Integration . Here is the structure: [Trigger: When Copilot Studio calls a flow] | [Init ClientId] - String (Sophos Client ID) [Init ClientSecret] - String (Sophos Client Secret) [Init TenantId] - String (your Sophos tenant ID) [Init ApiHost] - https://api-<region>.central.sophos.com | [HTTP Get Token] POST https://id.sophos.com/api/v2/oauth2/token Header: Content-Type: application/x-www-form-urlencoded Body: grant_type=client_credentials&client_id={ClientId}&client_secret={ClientSecret}&scope=token | [Parse Token] - extract access_token | [HTTP Get Alerts] GET {ApiHost}/common/v1/alerts Headers: Authorization: Bearer {access_token} X-Tenant-ID: {TenantId} Accept: application/json | [Return value(s) to PVA: AlertsResponse = body('HTTP_Get_Alerts')] Auth is OAuth client credentials. You request a token, then use it as a bearer token on the alerts call. The tenant ID goes in an X-Tenant-ID header, not the URL. Where the credentials live This is the part people will have opinions about, so let me be upfront. The Sophos client ID, secret, and tenant ID are stored as flow-scoped variables wit
AI 资讯
Stop returning the same "blocked" error from your agent guardrail
If you run deny-by-default tool guards on AI agents, your refusal is a security decision — not a logging afterthought. I watched one source mutate a malformed tool call ~1,400 times against a production agent in a weekend. Every identical BLOCKED response was feedback for the attacker's automated search: same input shape → same refusal → "colder," changed shape → changed response → "warmer." A Keysight paper (arXiv:2606.20470) quantifies it: deterministic detect-and-block lets attack success rate approach 1 as the query budget grows, because predictable refusals feed model-guided search. Their detect-and-misdirect approach cuts the ASR upper bound by up to ~2 orders of magnitude. The cheap version of the fix, in pseudocode: # BEFORE: a stable refusal = a label for the attacker's search def on_blocked ( call ): return { " error " : " TOOL_CALL_BLOCKED " , " code " : 4031 } # identical every time # AFTER: vary a non-operational response so the deny path isn't a compass def on_blocked ( call ): # return a controlled, plausible-but-non-operational response; # randomize shape/latency so block != stable signal return misdirect ( call , vary = [ " shape " , " delay " , " message " ]) Caveats from doing this in prod: It makes YOUR debugging harder (your own false positives now look noisy too) — log the real reason internally, only vary the external response. Varying text isn't enough if latency still leaks. Treat timing + error-shape as part of the response surface. Open question I don't have a clean answer to: does misdirection just move the oracle one layer up into side channels? I maintain an open-source deny-by-default firewall for agent tool calls (agent-airlock), which is how I had the logs to catch this. The lesson generalizes to any guardrail: a denied call's response is attack surface.
AI 资讯
New Dimensions of Onchain Threats, Accelerated by AI.
Sometime in 2024 I had a Coinbase wallet on my laptop. I had created the wallet some months back, backed up and all, and just sent very little amount of $ETH to the wallet. Then in 2024 I was paid $100 for a gig which I sent to this wallet, I also sent another $650 worth of cryto as "savings". The next morning I decided to check my "savings", wallet was empty. At first I didn't believe that I was hacked, because I had some $1.50 or so worth of $ETH in the wallet for months and it was safe, so what happened? I traced the transaction history and there was the full detail of how someone sent some $ETH to the wallet, then moved out my "savings" and afterwards also took back the remaining $ETH from the one they had sent in for the attack. I checked on Twitter and saw many other posts of people who had experienced the same exploit, exactly the same pattern... and some of the people who lost their funds were experienced blockchain developers and crypto guys. I made a post about it, told my friends to avoid the wallet and tried to forget about the experience. Blockchain hit instant PMF for many, especially people in parts of the world where there are crazy high fees and bank charges. The moment people tried sending crypto and for a few cents in gas fees, there was no going back for them. The only issue has always been how to secure users' funds, desperate people will always find a way no matter how complex the UX was. After losing my savings I stopped using self custodial wallets and only used Centralized Exchanges for a while. I thought, even though that was a non-custodial wallet, the builders still should have ensured strong security and secure backups, so users don't lose funds unnecessarily. This happened to me when AI and LLMs were still at their early development stages. You can only imagine how sophiscated the attacks have gotten, now that AI and LLMs are very advanced and more capable. To put things in perspective, more than $640 million was lost to deFi hacks and
AI 资讯
OpenAI's new Daybreak initiative will help open-source projects fend off bugs
OpenAI has launched Patch the Planet, a new initiative part of its Daybreak cybersecurity program.
AI 资讯
We log into our own admin console with our own SAML. Here's what it caught.
There's a version of dogfooding that's a slogan, and a version where your own employees can't ship code until the bug is fixed. We run the second kind. The Authagonal staff console, the one we use to manage every tenant, authenticates through Authagonal itself: SAML single sign-on from our Entra directory, with SCIM deciding who gets in and what they can do. There is no separate admin password table. We deleted it. If our own SAML is broken, we are locked out of our own product. That's uncomfortable in exactly the useful way. It turns "SSO is an enterprise feature we support" into "SSO is the only way the people who built this get to work today." Here's what being our own customer caught. A trimmed build that broke signature verification We publish the auth server trimmed, to keep the image small. Trimming aggressively deletes code it can't prove is used, and reflection hides usage from it. .NET resolves its XML-signing crypto algorithms by name, reflectively, through CryptoConfig . The trimmer couldn't see those types were needed, removed them, and SignedXml quietly came back unable to build the algorithm. SAML signature verification, the step that proves the login is real, threw a null reference at runtime. The unit tests passed, because they ran against the untrimmed build where the types still existed. Only the trimmed production artifact failed, and it failed at the exact moment a human tried to sign in. We ship the auth server untrimmed now, with a healthy distrust of trimming anything near reflection-based crypto. If we only supported SAML rather than living on it, this is a customer's incident report instead of ours. Provisioning is the actual login Authenticating a user is the easy half of SSO. The hard half is deciding what they're allowed to do and keeping it in sync as people join and leave. We drive that with SCIM: Entra group membership maps to roles, resolved at the moment a token is issued, not copied once at account creation. Add someone to the righ
AI 资讯
We Scanned 10 Shopify Agency Websites. Here Is What We Found.
Last night I ran external security scans on the public websites of 10 leading Shopify and Shopify Plus agencies — the same scan any browser or attacker would see. No credentials, no special access. One agency scored an A. Three scored C- or below. The most common finding appeared on 9 of 10 sites. TL;DR 1 agency scored an A. 3 scored C- or below. 1 scored a D. The most common finding — missing security headers — appeared on 9 of 10 sites. 6 of 10 agencies have no HSTS at all. One agency has a session cookie without the Secure flag. That is the most concrete finding in the set. What was scanned Five categories per domain: TLS (HSTS presence and max-age), security headers (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy), cookie flags, DNS hardening (DNSSEC and CAA) and sensitive exposure paths. All scans run on 23 June 2026. This covers the agencies' own marketing sites — not the client stores they build. Results Agency Domain Score Grade 1Digital Agency 1digitalagency.com 94 A Acidgreen acidgreen.com.au 77 B 30 Acres 30acres.com.au 76 B Fourmeta fourmeta.com 76 B Blend Commerce blendcommerce.com 76 B Elkfox elkfox.com 76 B Charle Agency charleagency.com 62 C Fyresite fyresite.com 62 C Eastside Co eastsideco.com 58 C- Swanky Agency swankyagency.com 55 C- Blubolt blubolt.com 54 D Per-agency notes 1Digital Agency — A (94) HSTS at two years, X-Content-Type-Options and Referrer-Policy set correctly, Permissions-Policy restricting camera, microphone and geolocation, CSP frame-ancestors in place of X-Frame-Options. Only gap is HSTS missing includeSubDomains. Acidgreen — B (77) HSTS with two-year max-age, includeSubDomains and preload — the strongest TLS config in the set. But CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy are all absent. Worth noting Acidgreen is multi-platform (Shopify Plus, Adobe Commerce, Magento) rather than Shopify-only. 30 Acres — B (76) A Shopify Plus Partner agency based in Byr
AI 资讯
CVE & CVSS Scores: Strategic Integration in Vulnerability Management
Risk-Based Prioritization: The Context Factor Most companies only look at the standard (Base) score of a CVE. However, a real risk model should consider 3 key parameters: Base Metrics : The intrinsic, unchanging characteristics of the vulnerability (e.g., is it exposed to the internet or not). Temporal Metrics : The current state of the threat (e.g., is there a ready-made exploit code that is actively used by hackers?). Environmental Metrics : The context of your infrastructure. The Golden Rule: A 7.5 (High) vulnerability on a company’s main website serving customers is a greater threat to the business and should be patched first than a 9.8 (Critical) vulnerability on an internal test server that has no access to the internet. Integrating CVE Data into the Security Lifecycle 3 key ways to incorporate CVE data into processes to improve your organization’s defenses: Asset-Aware Triage: The severity of a CVE is correlated with the importance of the asset (server, database) in which the vulnerability was found. Critical vulnerabilities are closed immediately, while vulnerabilities on the local computer are closed in a staggered manner. DevSecOps (Shift-Left) Integration: Don’t leave the scanning process until after the software is complete. By adding SCA (Software Composition Analysis) tools to your CI/CD pipeline, automatically stop the system when third-party libraries with dangerous CVEs are detected in the code being written and direct programmers to fix the error. Threat Intelligence Alignment: Compare your internal scan reports with live cyber-threat data (e.g., CISA’s catalog of actively exploited vulnerabilities). If you find that hacking groups or ransomware are actively exploiting any Medium CVE, immediately raise the status of that vulnerability to "Urgent". Conclusion Proper use of CVE and CVSS is a matter of context, not quantity. When you align universal vulnerability information with your business assets and the real-world threat landscape, you can focus
AI 资讯
Securing AI: Codex Operational Bugs, Claude Output Integrity, Copilot Context
Securing AI: Codex Operational Bugs, Claude Output Integrity, Copilot Context Today's Highlights This week's top security news highlights critical operational bugs impacting AI systems, alongside deeper dives into ensuring the integrity of AI-generated content. We also explore how improved context handling in AI coding assistants can subtly enhance generated code security. Codex logging bug may write TBs to local SSDs (Hacker News) Source: https://github.openai/codex/issues/28224 A recently disclosed bug in OpenAI's Codex has revealed a critical operational security concern: excessive logging that can lead to the rapid consumption of local SSD storage. This issue, documented on GitHub, highlights how seemingly innocuous software bugs can escalate into denial-of-service (DoS) vectors, particularly in resource-intensive AI environments. While not an exploit in the traditional sense, a system running out of disk space due to uncontrolled logging can halt operations, prevent critical updates, or even lead to data loss if not managed proactively. For developers and system administrators deploying AI models like Codex, this bug serves as a potent reminder of the importance of robust logging configurations and monitoring. Proactive measures, such as log rotation, size limits, and alerts for abnormal disk usage, become essential hardening techniques. This vulnerability underscores that operational stability is a key component of overall system security, especially when integrating complex AI tools into production environments where resource consumption can be unpredictable. Comment: This bug is a stark reminder that even sophisticated AI tools can have fundamental operational flaws. Monitoring disk usage and implementing strict log management policies are non-negotiable for AI deployments. The text in Claude Code’s “Extended Thinking” output (Hacker News) Source: https://patrickmccanna.net/the-text-in-claude-codes-extended-thinking-output-is-not-authentic/ An analysis of Cl
科技前沿
Meta Pauses Employee-Tracking Program Following Internal Data Leak
The move comes after the company left potentially sensitive data from the initiative exposed internally.
AI 资讯
Tata Electronics, a major tech supplier to Apple and Tesla, confirms data breach
The incident comes as Tata Electronics expands its role in global technology supply chains.
AI 资讯
Filter what your AI email agent sends and receives
An AI agent with its own mailbox reacts to whatever lands in it. That's the point, until a spam blast, a mailer-daemon loop, or an auto-reply triggers the agent into answering noise. The same goes the other way: an agent composing mail on its own can address the wrong person, leak to a test domain that slipped into production, or email a competitor because nobody told it not to. A human would catch these. An agent needs guardrails encoded somewhere it can't skip. Agent Accounts ship three admin resources for exactly this: Policies bundle limits and spam settings, Rules match mail on the way in or out and run actions like block or assign_to_folder , and Lists are reusable collections of domains or addresses that rules reference. This post covers all three from two angles: the HTTP API for your backend, and the Nylas CLI for inspecting and managing policies and rules from the terminal. Lists, workspaces, and the rule-evaluations audit log are API-only for now. I work on the CLI, so the terminal commands below are the ones I reach for. How Policies, Rules, and Lists fit together The three resources form a chain, and a workspace ties it to your accounts. A List holds values like domains or addresses. A Rule references lists through the in_list operator and describes conditions and actions. A Policy bundles limits and spam settings. A workspace carries one policy_id plus an array of rule_ids , and every Agent Account in that workspace inherits both. What matters here: you don't attach a policy or rule to an individual grant. You set policy_id and rule_ids on a workspace , and they apply to every account in it. Each application has a default workspace that holds any account you haven't placed elsewhere, so configuring that one workspace covers all your unassigned accounts at once. All three resources are application-scoped — they carry no grant ID in the path, and your API key identifies the application. Resource What it owns How it's referenced List A typed collection of
AI 资讯
A new unpatchable flaw in Apple chips opens the door to an iPhone jailbreak
European offensive cybersecurity company Paradigm Shift released details of a flaw and a technique to exploit it that opens the door for hackers to unlock and break into older iPhones.
AI 资讯
Anthropic says Claude may want to see your ID
Claude's chatbot may ask to verify your age and identity "in certain circumstances," such as with a passport or driver's license, according to a privacy policy change.
AI 资讯
OpenAI Launches Full-Scale Effort to Patch Open-Source Bugs as It Takes on Anthropic’s Mythos
Amid concerns about AI models’ cybersecurity capabilities, OpenAI revealed an improved version of GPT-5.5-Cyber and its “Patch the Planet” initiative to fix open-source software bugs.