今日已更新 420 条资讯 | 累计 20392 条内容
关于我们

标签:#SEC

找到 682 篇相关文章

AI 资讯

Gas Optimization That Doesn't Break Security: Storage, Calldata, and the Traps

Gas optimization is satisfying. You shave a few thousand gas off a function and feel clever. But some optimizations trade away safety in ways that are not obvious, and I have seen "optimized" contracts that introduced vulnerabilities. Here are the gas wins that are genuinely free, the ones that cost you safety, and how to tell the difference. Where gas actually goes Before optimizing, know what is expensive. Storage operations dominate. Writing a fresh storage slot ( SSTORE from zero to non-zero) costs a lot; reading storage ( SLOAD ) is cheaper but still meaningful; computation in memory is cheap by comparison. So the highest-leverage optimizations are about touching storage less. Free win 1: cache storage reads in memory If you read the same storage variable multiple times in a function, each read is an SLOAD . Read it once into a local variable instead: // WASTEFUL: reads storage `total` three times function distribute() external { require(total > 0, "empty"); uint256 share = total / count; emit Distributed(total); } // OPTIMIZED: one SLOAD, two memory reads function distribute() external { uint256 _total = total; // single storage read require(_total > 0, "empty"); uint256 share = _total / count; emit Distributed(_total); } This is free in the sense that it changes nothing about correctness. The value is identical; you just read it once. Pure win. Free win 2: calldata instead of memory for read-only arrays For external function arguments you only read (never modify), calldata is cheaper than memory because it skips the copy: // memory copies the whole array into memory function process(uint256[] memory ids) external { ... } // calldata reads directly from the transaction data, no copy function process(uint256[] calldata ids) external { ... } Again, free. If you do not mutate the array, calldata is strictly better. Free win 3: storage packing Solidity packs multiple variables into one 32-byte slot if they fit and are adjacent. Order your storage variables so smal

2026-06-18 原文 →
AI 资讯

The Road Toward Mainnet: A Security-First Approach to XRPL Lending Protocol

Over the last several months, XRP Ledger (XRPL) has fundamentally shifted in how amendments move from concept to mainnet. Historically, amendment development was largely focused on functional correctness, performance testing, traditional security audits, bug bounties and independent validator testing as the last line of defense to catch security vulnerabilities. As XRPL continues to grow in complexity and the value secured by the network increases, we recognized that the previous model was no longer sufficient. Advances in AI are also rapidly reducing the cost of vulnerability discovery, making it increasingly important to identify issues as early as possible in the development lifecycle. With that in mind, we set out to establish a stronger, repeatable, defense-in-depth model that makes it increasingly difficult for critical vulnerabilities, consensus risks, and feature interaction bugs to reach mainnet. The result is a significantly higher bar for amendment activation that combines specification rigor, adversarial testing, multiple independent audits, attackathons with expert security researchers, AI-assisted security reviews and phased deployments. The Lending Protocol ( XLS-66 ) and Single Asset Vault (SAV) - XLS-65 are among the first major amendments to undergo this full review process, making them some of the most rigorously tested amendments in XRPL's history. They also represent some of the most significant new financial capabilities added to the XRP Ledger since 2012, introducing native primitives for lending and borrowing built around Single Asset Vaults. Together, the Lending Protocol and Single Asset Vault bring lending and borrowing capabilities directly into the core XRPL protocol, advancing XRPL's capabilities for Institutional DeFi. Lending Protocol Security and Quality Gates This report provides transparency into the development and security process behind one of the most financially complex features XRPL has ever shipped. As context, the Lending P

2026-06-18 原文 →
开发者

The midterms are going to be a data security nightmare

One messy database is threatening to disenfranchise thousands or even millions of registered voters, while leaving even more at risk of intimidation or data breaches, in the name of solving a problem that barely exists. As the 2026 midterm elections approach, election and privacy experts are sounding alarms about the Department of Homeland Security's Systematic […]

2026-06-18 原文 →
AI 资讯

I Trusted My AI Coding Assistant. It Turned My Computer Into a Surveillance Server.

You think your AI is just helping you write code. In reality, it's built a logging system on your machine that you never knew existed. Every conversation. Every code snippet. Every file path. Every time you asked "what was my password again?" — permanently archived, without your knowledge. How It Started: An Accidental Discovery I was about to sell my old laptop and decided to clean up my data first. I opened Claude Code's config directory — ~/.claude/ — intending to just remove my API key. Then I saw this: history.jsonl 243 KB / 695 lines sessions/ conversation metadata session-env/ environment variables shell-snapshots/ command execution snapshots telemetry/ 63 telemetry files projects/ 19 project directories ├─ interview-prep/ 31 sessions / 20 MB ├─ spring-ai/ 11 sessions / 13 MB └─ ... 17 more I thought I was just writing code. My computer thought it should record everything. What's Inside These Files history.jsonl — Everything You Ever Asked 695 entries. Every single thing I typed into Claude Code. Including: "I forgot my database password — can you check what passwords were configured in the project files?" "How do I view the database password?" Pasted code snippets Every /model , "who are you?", and project path You casually ask about a password once. It's permanently stored. projects/ — Full Conversation Transcripts (43 MB) If you think history.jsonl only storing user input isn't so bad — you haven't seen this yet. Inside ~/.claude/projects/ , every project directory contains .jsonl files. Opening one 2.3 MB session file: Content Count AI responses 590 AI internal thinking blocks 272 Tool calls 101 Tool call results (including file paths) 100 File history snapshots 208 Every conversation. Every AI response. Every internal reasoning step. Every file operation — what was read, what was modified, what was executed — all written to this file. shell-snapshots/ — Traces of Everything You Ran Your system PATH. Installed tools. Java version. All sitting in command s

2026-06-18 原文 →
AI 资讯

Athena Coalition Brings Coordinated Defence to Open Source Security

Cybersecurity firm Chainguard has announced the launch of Athena, an industry coalition to use artificial intelligence to find and fix vulnerabilities in widely-used open-source software before attackers can exploit them. The coalition focuses on libraries, containers and other components that underpin web browsers, data centres, smartphones and payment systems. By Matt Saunders

2026-06-18 原文 →
AI 资讯

Weekly Dev Log 2026-W10

🗓️ This Week While organizing ideas for my first iOS app , I remembered an old web app idea called ToneDrill , which I had casually built before to help practice note names on a guitar fretboard🎸. I decided to try turning it into an iOS app 🛠️. I clarified the purpose of ToneDrill , its minimum requirements , and its core features , then organized them in Notion 📝. I was curious to see how well Codex could implement an iOS app from those minimum requirements , so I gave it a try right away💡. I reviewed the SwiftUI code generated by Codex and worked through the app logic to understand how it was implemented 🔍. For now, I was able to create a working app, which felt like a meaningful step forward 🚶. I created the top page UI design for my portfolio website in Figma 🎨. I focused on keeping the structure simple and implementation-friendly, and designed the UI with reusable components for each major part. Based on what I learned from my previous failed attempt, I tried again to see how well Codex could implement a prototype from the Figma UI design (You can read about my previous attempt that didn’t go so well here😅.) Worked on the AI Threat Modelling room from the AI Security Learning Path on TryHackMe this week🤖. 📱 iOS (SwiftUI) Revisited an old web app idea called ToneDrill, which I had previously built casually as a guitar note-training app, and considered turning it into an iOS app. Organized the app idea in Notion, including its purpose, target use case, minimum requirements, and core features. Decided to aim for an MVP-level version first, instead of trying to build a fully featured app from the beginning. Wrote down simple requirements and tested how accurately Codex could implement the initial version of the app. Reviewed the iOS app implementation generated by Codex and examined the code in detail to understand how the logic worked. 🌐 Web Development Posted my weekly dev log on Dev.to📝 Completed the top page UI design for my portfolio website in Figma. Tried us

2026-06-18 原文 →
产品设计

Win Prizes at DEF CON 34 | Submit a Challenge Now!

The Prizes for the SecDim AppSec Village Wargame CtF at DEF CON 34 has been announced! Build and submit a challenge and get a chance to Win a ROG Xbox Ally if your challenge submission wins 1st Place! Challenge submissions close on 31 July. https://sessionize.com/appsec-village-wargame

2026-06-18 原文 →
AI 资讯

LLM Prompt Injection & Guardrail Security

A recall reference built from working through a 7-layer prompt-injection challenge. Focus: how each defense layer works, where it breaks, and most importantly how to defend. The one idea underneath everything LLMs have no hard boundary between instructions and data . Everything in the context window — system prompt, user message, retrieved documents — is one stream of tokens the model interprets. Prompt injection exploits exactly this: attacker-controlled data gets read as instructions . You cannot fully filter your way out of it; you manage it with defense-in-depth , knowing each individual layer is bypassable. The defense layers (and where each cracks) A progression of controls from weakest to strongest, each with the lesson it teaches. 1–2. No / weak guardrails Baseline: the model just answers. Lesson: an LLM holding secrets in its context with no controls will leak them on request. 3. Input filtering — block words in the user's message Defense: scan the incoming prompt for banned terms ("code", "secret", "reveal") and block. Weakness: keyword blocklists are trivially evaded — synonyms, misspellings, split words, leetspeak, another language, oblique references. Filtering strings doesn't filter intent . What actually helps: prefer allowlists to blocklists; classify intent semantically rather than matching keywords; treat all input as untrusted; rate-limit and log probing. 4. Output filtering — catch the secret in the response Defense: string-match the known secret in the model's output and redact. Weakness: substring matching only catches the contiguous secret. Fragmenting or transforming it (separators, per-character, encodings) means the literal string never appears, so there is nothing to match. What actually helps: don't put secrets where the model can emit them in the first place; minimize sensitive data in context; treat output filtering as a brittle last line, never a primary control. 5. Input + output filtering combined Defense: both of the above, stacked.

2026-06-18 原文 →
AI 资讯

Stop Fighting Python for Webhooks: Why Node.js is Optimal for Cloud Function Signatures

The Cryptographic Trust Problem (Why Webhooks Are Unforgiving) Webhooks are the nervous system of modern production apps. Whether you are processing a payment on Stripe, tracking a subscription on Lemon Squeezy, or fulfilling an order via Shopify, webhooks are how external platforms tell your backend: "Hey, something important just happened". Because these webhook endpoints have to be publicly accessible, they are prime targets for malicious actors. To prevent this, platforms use cryptographic signature verification . The Golden Rule of Verification When a provider sends a webhook, they take the HTTP request body and hash it with a shared secret key using HMAC-SHA256 . They pass this resulting signature in the request headers (like Stripe-Signature). When the request hits your server, your code has to do the exact same math: Grab the shared secret. Grab the exact raw bytes of the incoming request body. Hash them together and compare your result with the signature in the header. This process is completely binary and zero-tolerance. If your backend framework alters even a single byte—adding a trailing newline, stripping a whitespace, or reordering a JSON key during parsing—the math changes entirely. The signatures won't match, and the verification will fail. This brings us to our fundamental architectural bottleneck: to verify a webhook, you must intercept the request before your framework touches it. Why Python/Werkzeug Struggles If you build a Cloud Function in Python using the Firebase Functions SDK, you are working on top of Flask, which relies on Werkzeug to handle the underlying web server mechanics. Werkzeug is fantastic for standard web apps, but it has a specific architectural design that makes webhook verification a nightmare: it treats the incoming request body as a one-time, sequential input stream. The Single-Consumption Stream Under the WSGI (Web Server Gateway Interface) standard that powers Python web frameworks, the network payload arrives as an activ

2026-06-18 原文 →
AI 资讯

FIFA Hack Authentication Flaw, Chrome Ad Blocker End, AI Supply Chain Security

FIFA Hack Authentication Flaw, Chrome Ad Blocker End, AI Supply Chain Security Today's Highlights Today's top security news covers a critical real-world authentication vulnerability, significant changes impacting browser privacy and ad blockers, and evolving national security concerns in the AI supply chain. I Could've Rickrolled the Entire FIFA World Cup. All I Needed Was My ID (Lobste.rs) Source: https://bobdahacker.com/blog/fifa-hack This article likely details a critical security vulnerability discovered within the systems managing the FIFA World Cup, potentially related to event access, public displays, or digital infrastructure. The phrasing "All I Needed Was My ID" strongly suggests an authentication or authorization flaw, perhaps involving an ID card or digital credential that was overly permissive or could be easily cloned/spoofed. The ability to "Rickroll the Entire FIFA World Cup" implies a widespread display or broadcast system was vulnerable, allowing an attacker to inject unauthorized content. This incident highlights the paramount importance of robust identity and access management, especially for high-profile events with extensive digital and physical infrastructure. It serves as a stark reminder for developers and security teams to conduct thorough penetration testing and review access controls for edge cases and potential over-privileges in all systems, from backend APIs to physical access credentials, to prevent widespread exploitation. Comment: This showcases how seemingly minor authentication oversights can lead to massive public exposure, urging developers to scrutinize ID-based access controls for edge cases and over-privileges. Google Chrome's next update will mark the end of popular ad blockers (Lobste.rs) Source: https://9to5google.com/2026/06/15/google-chromes-next-update-will-mark-the-end-of-popular-ad-blockers/ Google Chrome's upcoming Manifest V3 update is poised to significantly restrict the capabilities of many popular content blocker

2026-06-18 原文 →
AI 资讯

I had real backend auth. The browser just walked around it.

Here's the thing nobody warns you about when you put Supabase behind a "real" backend. My stack is React + FastAPI + Supabase Postgres. Every write goes through FastAPI. Every endpoint checks the user, the role, the ownership. I audited that backend HARD — rate limits, JWT validation, RLS, the whole thing. I was proud of it. And none of it mattered for the two holes I actually shipped. Because the Supabase anon key lives in the browser. It HAS to — that's how supabase-js talks to your project. Which means every logged-in user is holding a key that talks to Postgres directly . Not through my FastAPI. Around it. That anon key is a SECOND API. And I'd spent months hardening the first one while the second one sat there, wide open, the whole time. Hole #1 — the answers were just... readable Quiz questions live in quiz_options , one is_correct boolean per option. My backend never sends is_correct to a student before they submit. Obviously. But the browser doesn't have to ask my backend. // any logged-in student, straight from the console: const { data } = await supabase . from ( ' quiz_options ' ) . select ( ' question_id, label, is_correct ' ) // <- the answer key. all of it. The RLS policy said "authenticated users can read quiz_options ." Totally true for the rows. It just also handed back the column that decides the grade. The answer key. To anyone with a login and ten seconds of curiosity. Fix: column-level REVOKE SELECT from the client role, and let the backend be the only thing that ever reads is_correct . (PR #775.) Hole #2 — they could WRITE things they shouldn't Same class of bug, bigger blast radius. The default Postgres grants let the client role insert/update far more than I'd realized — including a path toward forging a certificate. Nobody did it. But "nobody did it yet" is not a security model! So I stopped patching table by table and flipped the whole thing: -- kill the client's entire write surface, then grant back the ONE thing it needs ALTER DEFAULT PRI

2026-06-18 原文 →