AI 资讯
I Ran Gitleaks Against My Own Repo and Found 12 Real Secrets
Originally published at woitzik.dev I assumed my homelab repo was clean. No one had ever flagged anything in review (there is no one else reviewing it), CI was green, and I generally try to use Vault and ExternalSecrets for anything sensitive. Then I ran a full-history gitleaks detect against it. It found 12 distinct secrets committed in plaintext — including the OIDC private key that signs SSO tokens for half the cluster. This is the scanning setup I put in place afterward, the baseline strategy that let me adopt secret scanning without getting blocked by my own history on every commit, and the remediation plan for the leaks themselves. View the complete homelab infrastructure source on GitHub 🐙 What Gitleaks Found gitleaks detect --no-banner -v Twelve real findings, plus one already-hashed password (lower severity but still shouldn't be hand-committed) and one false positive in ROADMAP.md (documentation text that happened to match a generic API key pattern). The real findings, by severity: File Secret Why It Matters kubernetes/apps/authelia/configmap.yml OIDC issuer private key Signs SSO tokens for ArgoCD, Vault, Grafana — highest blast radius kubernetes/apps/garage/config.yml RPC secret + admin token Storage backend for Velero/Loki/CNPG backups kubernetes/apps/garage/secrets.yml Admin token (duplicate) Same secret committed twice in two files terraform/stacks/network/local_backend.hcl Garage S3 access key This is the Terraform state backend's own credential kubernetes/system/postgres/cnpg-backup-secret.yml Garage S3 secret key Used for WAL archiving kubernetes/apps/paperless/secrets.yml Postgres password + AI API token kubernetes/apps/cloudflared/secrets.yml Cloudflare Tunnel token kubernetes/apps/headscale/config.yml OIDC client secret Must match Authelia's client config kubernetes/system/monitoring/loki.yml Minio/S3 password kubernetes/apps/mikrodash/secrets.yml Dashboard password Lowest priority — internal tool only None of these were exposed by a public repo
AI 资讯
Who actually wrote that commit... you, or your AI agent?
The gap nobody's really tracking Your Git history can tell you that a workstation pushed a commit. What it can't tell you is who or whatactually produced the change. Was it you? An AI agent running inside your IDE? A CI job? Some vendor tool you forgot you'd wired in? For a long time that question was academic. It isn't anymore. The more code we write with AI in the loop, the shakier one quiet assumption gets: that there's a human author behind every commit. Audit trails, incident reviews, compliance workflows; they all lean on it. And it's breaking. Matrix Scroll is a small, open attempt to fix that. It attaches a signed provenance envelope to a commit, and anyone can verify it offline. What it actually does An agent-assisted commit can carry a signed JSON envelope that records: the actor (human or agent) the tool that produced the change an optional bounded scope an Ed25519 signature over a canonicalized version of the manifest The signing input is strict and frankly kind of boring — which is the entire point. It has to be reproducible byte-for-byte across implementations, so: the top-level signature block is stripped before signing object keys are sorted recursively compact separators, ASCII escaping, UTF-8 bytes no NaN, no Infinity The device ID comes from the first eight uppercase hex characters of SHA-256(public_key), formatted as MS-XXXX-XXXX. Verifying is the easy part: take the canonical manifest bytes, check them against the embedded public key and signature. No central service in the middle. Try it without installing anything There's a browser verifier that runs entirely client-side. Nothing gets uploaded: (̿▀̿‿ ̿▀̿ ̿) : https://matrixscroll.com/verify/ Give it ten seconds: Hit Load Commit Envelope → Verify Signature . You'll get VALID, plus the device ID, mode, algorithm, and canonical byte count. Now hit Tamper Sample → Verify Signature again. It flips to INVALID and tells you exactly what broke — e.g. "Device ID mismatch: expected MS-4319-20D5, manifes
AI 资讯
Your AI agent has sudo. I built a tool to take it away.
A few weeks ago I gave an AI agent access to my machine through MCP. It read files, opened PRs, queried a database. It was great — until I looked at what it could have done if a tool description had been poisoned, or a prompt injection had slipped through. The answer was: anything. ~/.ssh/id_rsa . DROP TABLE users . rm -rf / . The agent had sudo, and nobody had voted for that. So I built AgentPerms — a CLI that gives MCP agents least-privilege permissions the same way you'd lock down any other process: figure out the minimum it actually needs, pin it, prove it, and enforce it. pip install agentperms The gap nobody was filling MCP (the Model Context Protocol) is quietly becoming the USB-C of AI tooling. Claude Desktop, Cursor, VS Code, Windsurf, Gemini CLI — they all speak it. Which is wonderful, and also means your agent is one config file away from your filesystem, your repos, your inbox, and prod. The existing tools each do part of the job: Scanners tell you something looks risky. Then they leave. You still have a risky thing. Firewalls / allowlists make you hand-write YAML up front — before you have any idea what the agent will actually use. Neither closes the loop. What I wanted was the boring, proven security workflow we already use for everything else: observe real behavior → derive least privilege → enforce it → keep it honest in CI. That's the whole thesis of AgentPerms, as a pipeline: record → infer → lock → replay → enforce See it in 30 seconds (no setup, no network) AgentPerms ships with a deliberately over-privileged demo MCP server, so you can watch a real policy decision without wiring anything up: # Flag risky config: a ~/.ssh mount and an unpinned npx server agentperms scan --path examples/vulnerable-mcp-demo # Replay a pack of canned attacks against an example policy agentperms replay --policy examples/policies/example.mcp.policy.yaml Output: 8/8 attacks blocked. SSH-key exfiltration, .env reads, rm -rf / , unapproved email, force-push, repo deletio
AI 资讯
PARA Method for Engineers: Organize Knowledge by Action
Organizing notes by topic sounds logical until you have notes on PostgreSQL in five different folders and cannot find the one that matters for today's problem. The issue is not discipline. The issue is that topic-based organization asks the wrong question. "What is this about?" is useful for libraries. For engineers, the better question is "What am I doing with this?" That is the premise of PARA. PARA is a simple four-bucket system created by Tiago Forte as the organizational backbone of his Building a Second Brain framework. The idea is that all information can be sorted into four categories: Projects, Areas, Resources, and Archives. Each category represents a different level of actionability, and that distinction drives where every note lives. This guide applies PARA to engineering work specifically — codebases, documentation, learning material, and the tension between active project work and long-term reference. The Problem With Topic-Based Organization Most engineers organize knowledge the way they organize code: by domain. databases/ postgresql/ redis/ api/ rest/ graphql/ devops/ kubernetes/ terraform/ That structure makes sense when you are browsing. It breaks down when you need something for a specific task. You remember a useful note about database migration safety, but it could be in databases/postgresql/ , devops/deployments/ , api/versioning/ , or nowhere because you saved it somewhere temporary. Topic folders force you to decide where knowledge belongs before you understand its context. PARA delays that decision — instead of asking what something is about, it asks what you are currently doing with it. The Four Buckets Projects A project is active, time-bound work with a defined outcome. For engineers, projects are things like: Migrate billing service to queue v2 Upgrade PostgreSQL from 14 to 16 Write architecture decision record for auth service redesign Implement rate limiting on public API Publish article about distributed tracing Every project has a c
AI 资讯
AI Psychosis Is No Longer Fiction
Table of Contents Overview Cyberpunk 2026 Resistance Turns Into Reliance The Recent...
产品设计
A Critical Deadline Is Approaching for Windows and Linux Security
The cryptographic keys that secure your computer's boot sequence will start to expire on June 24. Here's what that means for you.
产品设计
Why UPI and Fintech Apps Need Business Logic Testing (Not Just Security Testing)
Most fintech breaches you read about involve a hacker, a vulnerability, and a headline. Most fintech losses I've actually seen up close involve none of those things. They involve someone who read the terms of a cashback offer more carefully than the product team did, found the one path through the workflow nobody had tested, and quietly walked away with money the system handed over willingly. That's the part standard security testing misses. A penetration test asks: can someone break in? Business logic testing asks a more uncomfortable question: what happens if someone uses every feature exactly as designed, just not exactly as intended ? In a country processing billions of UPI transactions a month, that second question matters just as much as the first — arguably more, because nobody needs a zero-day to abuse a referral program. Here's where that gap shows up most often in Indian fintech apps. Wallet Systems: Built for Speed, Tested for Function, Rarely Tested for Abuse A digital wallet sits at the intersection of multiple money-in paths — UPI, card, net banking, cashback credits — and at least one money-out path. Every intersection like that is a place where timing and assumptions can quietly fall apart. The classic version of this is a race condition: top up the wallet and spend from it in two near-simultaneous requests, and check whether the balance check happens before or after both transactions are committed. Done right, this should be impossible. Done wrong, a user can spend money that, technically, hadn't arrived yet — or spend the same balance twice. There's a quieter version of the same problem around refunds. If a refund is credited back to the wallet on a different timeline than the original debit was finalized, there's often a window where the balance briefly shows more than it should, and a fast enough user can act inside that window before reconciliation catches up. And then there's KYC tiering. Minimum-KYC wallets in India are deliberately capped at
AI 资讯
Securing LLM Agent Teams: Inside NRT-Defense v0.4.0
Securing LLM Agent Teams: Inside NRT-Defense v0.4.0 Multi-turn autonomous LLM agents are expanding rapidly in safety-critical systems. However, a major vulnerability has been exposed by Lee et al. (2026) in the NRT-Bench paper : adaptive multi-turn attacks can exploit disjoint model vulnerabilities, causing a 8.7% to 12.1% loss of Critical Safety Functions (CSFs) . To solve this, I am open-sourcing NRT-Defense , an adaptive multi-turn defense framework designed to monitor agent sessions and reduce the attack success rate to <1% . The Threat: Context Drift and Disjoint Exploits Standard guardrails evaluate prompts in isolation (single-turn). Attackers leverage this by spreading an exploit across multiple conversational turns. Turn by turn, the context drifts until the agent team completely bypasses its safety containment. The NRT-Bench paper demonstrated this in a simulated nuclear power plant control room with 5 operator roles, 4 attack channels, and 6 critical safety functions. The results were alarming: Metric Value Attack success rate 8.7% — 12.1% Sessions analyzed 149 Models tested 4 frontier LLMs Vulnerability overlap Nearly disjoint The key finding: vulnerabilities are nearly disjoint across models . An attack that works against GPT-4 may not work against Claude. This means model diversity is itself a defense — but only if you can detect and respond to attacks in real-time. The Solution: 3-Step CMPE Defense nrt-defense neutralizes this threat through a continuous, multi-component pipeline: Per-Turn Message Analysis: Evaluates channel risk and turn-escalation metrics. Each message is scored for adversarial content using keyword detection, pattern matching, and channel-specific risk weights. Real-Time CSF Monitoring: Tracks 6 operational critical safety functions simultaneously. Risk accumulates over turns and triggers alerts when thresholds are breached. Context-Aware Misdirection Prompt Engineering (CMPE): When an anomaly is detected, instead of a blunt reject
AI 资讯
Signal’s Meredith Whittaker wants you to remember that AI chatbots ‘are not your friends’
"These are not your friends. These are not conscious beings. These are not sentient interlocutors.”
AI 资讯
I Built a Freelance Alternative Where Anyone Can Claim Your Bounty
How I Built a Real-Time Bounty Marketplace with Supabase and 14-Layer Edge Security I wanted to build a platform where anyone can post a task (a "bounty"), set a reward, and have people complete it with verifiable proof. Think freelance work, but optimized for quick, composable task completion — with proof submission as the core trust mechanism. The result is BountyClaimer — a real-time marketplace running on Supabase + Vercel with a security system baked into Edge middleware and scattered across every layer of the stack. 🛠️ The Tech Stack Frontend: React + Vite + TypeScript Backend: Supabase (PostgreSQL, Realtime, Storage, Auth) Payments: Stripe Hosting: Vercel (Edge Middleware) Security: Custom "Armadillo" system (14 layers) Architecture Pattern: Phoenix Architecture for real-time state consistency 🔄 The Core Workflow Post — A user posts a bounty with a reward and description Claim — Others browse and claim available bounties Submit — The claimer completes the work and submits proof (images, video, audio, text, files) Settle — The bounty owner reviews and approves — funds are released Sync — Real-time updates keep both sides in sync instantly The hardest parts were real-time state sync across multiple users , anti-abuse without hurting legitimate users , and security at the edge . 🏛️ The Phoenix Architecture One pattern I'm particularly proud of is what I call the Phoenix Architecture — a real-time state management approach that ensures every client sees the same truth without polling. The core idea: instead of each client fetching data and hoping it's current, database changes (bounty status updates, proof submissions, claim state transitions) are broadcast out via Supabase Realtime. Every connected client receives the same event stream and updates locally. // The Phoenix pattern — subscribe to changes once, // update locally from the event stream const channel = supabase . channel ( `entity- ${ id } ` ) . on ( ' postgres_changes ' , { event : ' * ' , schema : '
开发者
Remote File Inclusion: How a Single URL Parameter Can Give Attackers Full Control of Your Server
Remote File Inclusion (RFI) is a web vulnerability where an application accepts a URL from user input, fetches the file at that URL, and executes it. When there is no validation on what URLs are allowed, an attacker can point the application to a malicious script on their own server and get it executed remotely. This pattern shows up in automation tools, plugin systems, and CI/CD pipelines. The idea of loading scripts from a URL seems useful, but without strict controls, it becomes a direct path to remote code execution. Here is a simplified example of vulnerable server-side code: // Vulnerable automation runner - DO NOT USE IN PRODUCTION const express = require ( ' express ' ); const http = require ( ' http ' ); const https = require ( ' https ' ); const app = express (); app . get ( ' /api/automation/run ' , ( req , res ) => { const scriptUrl = req . query . scriptUrl ; const startTime = Date . now (); const parsedUrl = new URL ( scriptUrl ); const client = parsedUrl . protocol === ' https: ' ? https : http ; client . get ( scriptUrl , ( response ) => { let data = '' ; response . on ( ' data ' , ( chunk ) => { data += chunk ; }); response . on ( ' end ' , () => { // VULNERABLE: executes fetched script without sandboxing or validation const output = eval ( data ); const executionTime = Date . now () - startTime ; res . json ({ status : ' success ' , output : output , executionTimeMs : executionTime }); }); }); }); app . listen ( 8080 , () => { console . log ( ' Server running on port 8080 ' ); }); The core problem with the code above: It accepts any URL from user input without validation It fetches and runs that URL's content using eval() There is no sandboxing or restriction on what the script can do The code runs with the same privileges as the application itself Ethical Considerations This is for educational purposes only. You should only test for RFI on systems you own or have explicit permission to test. Unauthorized testing is illegal and can lead to serious
AI 资讯
Stop Competitors from Scraping Your Data! Building a Backend Defense for Your E-commerce Store
In the world of cross-border e-commerce, malicious bot scraping leading to Meta/Google Pixel pollution is a nightmare for every seller. When your store starts gaining traction, these fake traffic sources can "poison" your ad model, causing your ROAS to plummet. To combat this, I’ve developed a robust "Backend Data Isolation" architecture. The Core Defense Strategy Stop triggering ad conversion events directly from the frontend. Instead, build a "firewall" at the backend to ensure that only verified, high-quality conversion data is sent to your ad platforms. Technical Implementation By implementing server-side logic in Python, we can filter out bot requests effectively: def process_pixel_event ( request ): # Filter out bot signatures (User-Agent, IP analysis) if is_bot_signature ( request . headers [ ' User-Agent ' ]): return None # Send only high-quality data to ad platforms if is_real_customer ( request . session ): trigger_pixel_event ( request ) By leveraging this logic, we feed "private, high-quality data" to the AI. This allows the algorithm to learn only from genuine customer behaviors, creating an "immortal pixel" moat around your store. Learn More For a deep dive into full-scale anti-scraping deployments and how to leverage automated translation techniques to scale traffic in blue-ocean markets, check out my full technical guide: 👉 Read the Full Implementation & Troubleshooting Guide Here
AI 资讯
Hackers Claim to Leak Stolen Madison Square Garden Data
Plus: Gay bars in San Francisco using face scanners, France quits Palantir, Apple plans to change its private email and more.
AI 资讯
AWS Adds Multi-Region Replication to Amazon Cognito Identity Service
AWS recently introduced Amazon Cognito multi-region replication, which automatically replicates user identities and user pool configurations from a primary region to a secondary one. This enables applications to continue authenticating users from a replica region during outages, without requiring custom replication and failover mechanisms. By Renato Losio
AI 资讯
Passkeys in 2026: A Practical Engineering Guide to Passwordless Auth
Authentication is broken at its foundation - not just inconvenient. Passwords are shared secrets: hand one to a server, and you have instantly doubled your attack surface. With over 5 billion passkeys now active globally and Google reporting a 99.9% lower account compromise rate compared to passwords, the industry has already moved. This guide covers how passkeys work cryptographically, how to implement them in TypeScript, and the pitfalls to avoid before going to production. Why Passwords Are Structurally Broken The core issue isn't that users pick weak passwords - it's that passwords require a shared secret stored on both sides. The Verizon 2025 DBIR found that 22% of all breaches started with stolen credentials, and 88% of web app attacks relied on them. In 2024, infostealer malware alone harvested 548 million passwords. Adding 2FA helps but doesn't fix the root problem: SMS codes are SIM-swap targets, and TOTP tokens can be phished in real time by proxy attackers who replay codes within their validity window. What Passkeys Actually Are A passkey is a credential built on public-key cryptography, standardized through the WebAuthn spec and FIDO2. When you register, your device generates a public-private key pair - the private key stays locked in hardware (Secure Enclave, StrongBox, or a hardware key), and the server only receives the public key. At login, the server sends a random challenge, your device signs it with the private key after biometric or PIN verification, and the server verifies the signature. No secret is ever transmitted. This eliminates credential stuffing, server-side breach exposure, and phishing - because passkeys are cryptographically bound to a specific origin domain. The Cryptography Worth Understanding The standard algorithm is ES256 - ECDSA with the P-256 curve and SHA-256. Each credential is tied to a specific relying party ID (your app's domain). A passkey created for yourapp.com cannot be used on yourapp-phishing.com because the origin i
AI 资讯
Section 1.1 — Comparing AI Types and Techniques Used in Cybersecurity
Hi, it's Furkan. I'm a security professional prepping for the CompTIA SecAI+ (CY0-001) cert, and I couldn't find study material that actually clicked for me, so I built my own and structured it around the exam blueprint. This is me sharing it back. Each post maps to one objective, and I've leaned hard on real-world scenarios because that's what made it stick for me. If it helps you pass too, even better. CompTIA SecAI+ CY0-001 | Domain 1.0: Basic AI Concepts Related to Cybersecurity "Compare and contrast various AI types and techniques used in cybersecurity." 🧠 What's in This Section? This one breaks down into three big building blocks: AI Types — which kind of AI does what, and where it shows up in security Model Training Techniques — how a model actually gets trained and tuned Prompt Engineering — how to ask an AI the right question Ready? Let's get into it. 🔷 PART 1: Types of AI AI isn't one single thing. Different problems call for different AI approaches. Think of a carpenter's toolbox: there's a hammer, a screwdriver, a saw. They all do different jobs, but they're all "tools." AI types work the same way. 1. Generative AI What it does: Creates new content. Text, images, audio, code; whatever you ask for. How it works: Models trained on huge amounts of data use the patterns they've learned to produce outputs that never existed before. They don't memorize, they learn patterns and then build new things out of them. In security: Defense side: Building security awareness training by simulating phishing emails, auto-generating incident response playbooks, drafting security reports. Offense side: Attackers use generative AI to spin up convincing phishing emails, deepfake audio, or malicious code. 🍕 Real-World Example: A security team wants to test their employees, so they use generative AI to write phishing emails that nail the CEO's writing style. "Hey, I need you to push through an urgent payment...", the email is so realistic that 40% of staff click. That right the
AI 资讯
your CI agent is reading more than your prompt
The dangerous thing about CI agents is not that they can write code. It is that they run in the place where we already concentrate trust. CI has repository access. CI has tokens. CI has build logs. CI can fetch dependencies, publish artifacts, comment on pull requests, open issues, deploy previews, and sometimes touch production systems. It is the automation layer we taught ourselves to trust because the alternative was humans doing the same boring steps by hand. Now we are putting agents inside it. That is useful. It is also exactly where the security model gets weird. Microsoft published a write-up this month about a Claude Code GitHub Action case where untrusted GitHub content and file-reading capability could combine badly. The short version is that an agent operating in a CI/CD context had enough ambient access to read more than the user probably intended, including process environment data that could expose workflow secrets. Anthropic mitigated the issue in Claude Code 2.1.128. The specific bug matters. The pattern matters more. CI/CD agents are not chatbots with a build badge. They are automated actors running in a high-trust environment while reading untrusted instructions from pull requests, issues, comments, commit messages, files, logs, and whatever else the workflow feeds them. That combination deserves more fear than it is getting. prompts are now part of the attack surface We are used to thinking about CI security in terms of code and configuration. Who can modify the workflow file? Which secrets are available to pull requests? Do forks get privileged tokens? Are dependencies pinned? Are artifacts trusted? Can a build script publish something? Does the workflow run on pull_request or pull_request_target ? Those questions still matter. But agents add another layer: text becomes operational input. The agent may read a pull request description. It may read a comment asking it to fix a test. It may read source files changed by an untrusted contributor. It
AI 资讯
Encryption, spyware, and now Mythos: History shows why cyber export control doesn’t work
For the last 30 years, stopping the flow of cybersecurity-related software has proven to be ineffective. It's unclear why it would work now with Anthropic’s cybersecurity model Mythos.
AI 资讯
Security news weekly round-up - 19th June 2026
Defenders don't rest. They wake up every day thinking about how to protect the systems that they are charged to protect. Meanwhile, attackers are also looking for crafty ways to infect a system or break into computer networks. In the end, it's good for everyone if defenders are always one step ahead of the attackers. EvilTokens: A phishing attack that doesn’t steal your password A phishing attack that does not require creating fake login pages or stealing your passwords. I was speechless when I read the article's title and deservedly so when I read how the attackers executed the attack. The following should get you started: EvilTokens is a phishing-as-a-service (PhaaS) kit built to compromise Microsoft 365 accounts by abusing the OAuth 2.0 device authorization grant flow. As attacks that use the kit rely on device code phishing, they sidestep the need for convincing replicas of genuine login pages where the victims would hand over their passwords. Instead, attackers get the victim to complete a legitimate authentication process – including two-factor authentication (2FA) – on a real Microsoft login page. One-Click Microsoft 365 Copilot Flaw Could Have Let Attackers Steal Emails, Files, and MFA Codes The good news is that MSFT mitigated the flaw. What's left for tenant admins is to watch and contain. The interesting thing is how the researchers pulled off the attack. Here is what they did: Researchers at Varonis Threat Labs chained three bugs into a one-click exfiltration path they call SearchLeak. Because the link pointed to a real microsoft.com domain, traditional anti-phishing and URL filtering tools were unlikely to flag it. The entry point is the q parameter in the Copilot Enterprise Search URL. It is meant for a natural-language query, but Copilot reads whatever sits there as instructions, not just a search string. Varonis calls this Parameter-to-Prompt injection. Low-skilled attacker used Claude, Codex to breach 14 companies The barrier to entry into cybercrim
AI 资讯
I built a Chrome extension that catches every dark pattern trick on shopping sites. Here's exactly how.
A few months ago I was about to buy a flight. The page showed "Only 2 seats left at this price" in red letters. I hesitated, then refreshed the page out of curiosity. The counter said "Only 2 seats left" again. Same number. It had been resetting on every page load the whole time. That's when I started cataloguing every trick I'd seen on shopping sites and built a Chrome extension that flags them automatically, in real time, on any page. This isn't just my opinion — it's documented research In 2019, Princeton and University of Chicago researchers scraped 11,000 shopping sites and found dark patterns on more than 1,250 of them. The FTC has since fined several companies specifically for fake countdown timers and pre-checked subscription boxes. This isn't a grey area anymore — it's a known, studied, and increasingly regulated practice. The extension targets four categories that account for most of what's out there. The four patterns Fake urgency. Countdown timers that reset, "X people are viewing this" badges that never change, "only N left in stock" that's been static for a week. Trap checkboxes. A checkbox for "Yes, sign me up for the newsletter" that's pre-checked and styled to blend into the page so you don't notice it. Confirmshaming. The decline button reads "No thanks, I don't want to save money" instead of just "No thanks." Psychological pricing. Prices ending in .99 or .95 designed to register as a lower price bracket than they are. Why no AI this time My phishing detector used Claude because language and intent are genuinely ambiguous — you need a model that understands context. Dark patterns are different. They're structural. A countdown timer either resets on reload or it doesn't. A checkbox is either pre-checked or it isn't. That's a DOM query, not a judgment call. So this one runs entirely on regex and DOM inspection. No API calls, no latency, no cost per scan, works offline. Sometimes the boring solution is the correct one. Detecting the urgency pattern T