今日已更新 233 条资讯 | 累计 20205 条内容
关于我们

标签:#Security

找到 657 篇相关文章

AI 资讯

Building a Fault-Tolerant File Storage over JPEG Images

TL;DR: The idea is to use a set of ordinary JPEG images as a distributed medium for an encrypted container. The data is split into redundant fragments and distributed across the images, allowing the container to be recovered even if some of the JPEG files are lost. We will not examine the code; instead, we will focus only on the general principle behind the approach. Where the idea came from Most steganographic systems follow a "one image — one file" model. If the image is lost or damaged, the embedded data is lost with it. The idea was to distribute the data container across multiple JPEG images while preserving the ability to recover the data even if some of those images are lost. I should point out right away that this is not steganography in the traditional sense. The additional data is written to JPEG images after the EOI ( End Of Image ) marker, where it can be easily detected by even the simplest analysis. The goal is not to completely hide the presence of the data, but to use ordinary JPEG images as a distributed medium for an encrypted container. At the same time, in everyday use the JPEG images remain fully functional, look like ordinary photographs, and do not attract attention. Even if the additional data is detected, it does not reveal whether it is an encrypted container, write artifacts, or simply an arbitrary sequence of bytes. Why JPEG First, JPEG is the most widely used image format. Photographs in this format naturally accumulate on computers and phones and are shared between people. Second, this format has one important property: a JPEG file ends with a special EOI marker. Everything written after it is ignored during image decoding, so the additional data does not affect how the image is displayed. This is the area we will use: JPEG JPEG Additional data EOI data │ │ │ ...░░░░░░░░░░░░░▓▒▒▒▒▒▒▒▒▒▒▒▒▒▒ At first glance, the solution looks extremely simple: just split the encrypted container into fragments and write one fragment to the end of each JP

2026-07-01 原文 →
AI 资讯

Stop Letting AI Agents Raw-Dog Your Filesystem: Building SafeMCP

We need to have a serious talk about the Model Context Protocol. Everyone is losing their minds over "vibe coding" right now. You plug an MCP server into Cursor, Claude Code, or VS Code, tell the AI to fix a bug across three directories, and go grab a coffee while it spins up local servers, reads files, and executes terminal commands. It feels like absolute magic. But honestly? It's also completely terrifying. Maybe I’m just paranoid, but it seems like we’ve collectively skipped the part where we ask ourselves if giving a statistical text-prediction engine raw, unvetted access to our local machines is a good idea. Some security folks are already warning that we’re walking directly into a massive remote code execution crisis. Think about it. Most MCP servers run as local subprocesses. They inherit your exact user permissions. If you run your editor as an admin or with access to sensitive environment variables, so does the AI. And the real issue isn't that the AI will spontaneously turn evil. The issue is prompt injection. The Security Void in the Hype I spent some time looking through public MCP servers on GitHub recently, and the sheer lack of input validation is wild. Because developers are rushing to build cool tools, basic security hygiene has completely lagged behind. If an AI agent reads an untrusted string—like a malicious comment in a GitHub issue, an automated email, or a dirty record inside a database—it can easily be manipulated into executing an injection payload. The model doesn't know the difference between your system instructions and the data it's processing. It treats them exactly the same. What happens when a prompt injection tricks a standard filesystem MCP tool into looking for a file named ../../../../../../etc/passwd or pulling your private AWS keys? The tool just does it. It’s a classic path traversal vulnerability, except instead of a malicious hacker typing it into a web form, an automated agent is doing it because a piece of text told it to.

2026-07-01 原文 →
AI 资讯

Your OTP regex assumes six digits. Supabase magic links don't.

Sign-in worked flawlessly in dev. Then a real user pasted a real code and got "invalid format" — before the code ever reached Supabase. The credential was fine. My regex was wrong. Here's the one-line assumption that broke auth for every human who wasn't me. I run a Discord-native Company Brain. Teams /save docs and /ask grounded answers; access is gated by a magic-link claim that emails a one-time code. Standard GoTrue OTP flow. The client shows a box, you paste the code, the server verifies it. Boring — which is exactly what auth should be. The bug: a six-digit assumption in a validation guard The claim handler did a cheap client-side sanity check before calling verifyOtp : // The bug. Looks reasonable. Rejects every real code. const OTP = /^ \d{6} $/ ; function normalize ( input : string ): string { const code = input . trim (); if ( ! OTP . test ( code )) throw new Error ( " Enter the 6-digit code from your email. " ); return code ; } Every OTP tutorial uses \d{6} . Every code demo shows six digits. So I typed six digits into the test and it passed. In dev I was generating my own codes and never actually reading the email. Supabase's GoTrue emits an eight-digit code on this project. ^\d{6}$ rejects eight digits outright. The user's perfectly valid credential got thrown out by my own front door with a lie for an error message — "enter the 6-digit code" when the email plainly showed eight. Why it happens: OTP length is a setting, not a constant The length of a GoTrue email OTP is configurable — GOTRUE_MAILER_OTP_LENGTH (Dashboard → Authentication → Email). It defaults to six in many setups and to eight in others depending on when and how the project was provisioned. The number in the tutorial is that author's project setting , not a property of OTPs. Hardcoding 6 couples your client to a server config you don't control and might change. Bump the length for security later and every client silently starts rejecting valid codes. No error in your logs — the rejection

2026-07-01 原文 →
AI 资讯

Aikido buys Root to patch open source in place, without the upgrade dance

Every open-source CVE backlog has that one line item you keep sliding into next quarter. The library is a couple of majors behind, the upgrade breaks four services, and the fix upstream ships against a version you cannot ride to. So you file the ticket again. (Everyone's doing great, thanks for asking.) On June 30, Aikido Security said it had acquired Root, whose whole pitch is to make that ticket go away by another route: patch the vulnerability directly into the version already resolved by your build, and skip the upgrade entirely. Per The New Stack, the deal is worth $70 million, and Root's patching technology gets folded into a new Aikido product. Let me phrase what has just moved as plainly as I can. A vendor now edits open-source packages on your behalf and hands you back a version string upstream never shipped. If that sentence made you flinch, hold the flinch. It is doing useful work. The problem this is actually solving The dirty secret of dependency remediation is that a lot of "known" CVEs sit unfixed because remediating them means a version bump that carries breaking changes. You do not get a security patch for the 2.x line, you get a "fixed in 4.0" release note and a laugh track. Backporting the fix is the right operational move: keep the API surface, change only the vulnerable bytes. Linux distributions have done exactly this for decades. The reason your app team is not doing it too is that nobody has the muscle to maintain a patched fork of every transitive dependency in a lockfile. If Aikido now makes that muscle available to the average CI/CD owner, teams get a lever they simply did not have. That is the honest upside. Own it. Who is signing what, exactly Here is the part I care about, which is trust. When your build resolves a package by name and version, you rely on a chain: the registry answers, the digest matches what upstream published, the SBOM you generate downstream still refers back to that same identity. A backported build breaks that chai

2026-07-01 原文 →
AI 资讯

Privacy by design: what it is and how to apply it

"Privacy by design" is one of those phrases you read everywhere and rarely understand. It is often treated as a document to attach to a project, a box to tick before going live. In reality it is not a piece of paperwork: it is the way software is conceived and built from the very first line, so that it protects people's data without anyone having to remember to do so afterwards. What the GDPR actually says The principle is written plainly in Article 25 of the GDPR, which speaks of "data protection by design and by default". These are two distinct things. Protection by design concerns the choices made while the system is being built. Protection by default concerns how the system behaves the moment it is switched on, before anyone touches a single setting. The law does not mandate a specific technology. It asks for an outcome: that data protection be built into the system, proportionate to the risks, and not bolted on afterwards as a patch. It is a difference of substance, not of form. A well-designed system does not have to chase compliance: it already has it inside. It is not a document, it is an architecture The most common mistake is to reduce privacy by design to a file. A report is written, filed, and the building goes on exactly as before. But a PDF protects no data. What protects data are the technical decisions: what information is collected, where it is stored, who can see it, how long it stays, what happens when it is no longer needed. These decisions are made at design time, and changing them later costs far more than getting them right at the start. The principles, turned into concrete choices Privacy by design becomes useful only when it stops being a slogan and turns into a series of choices. Translated into practice, the principles sound like this. Minimisation. You collect only the data genuinely needed to deliver the service. A field you do not collect does not need protecting, cannot be lost in a breach, does not need keeping. The safest piece of da

2026-07-01 原文 →
AI 资讯

A Simple Way to Reduce the Grype Noise

Security Team: “I have a major Grype...with what I Syfted out of your provided image." Developer: “Well your Grype is slowing me down...let’s tone it down a notch.” While deploying bookstack into my local environment, this issue surfaced. It is true for many organizations today deploying images and packages in their environment. How can this noise fatigue in the software supply chain be remedied? Add a .gype.yaml file to the root directory of your project. This will allow grype to ignore certain CVE's that do not execute or pose a threat in your environment. The yaml config can be as simple as below: Linux Environment # grype.yaml ignore : - vulnerability : CVE-2026-32631 reason : " Platform-specific false positive. Git for Windows only; not applicable to this Linux-based image." - vulnerability : CVE-2016-2781 reason : " Chroot escape via ioctl. Containers rely on namespaces/cgroups, not chroot, so this path isn't exploitable here." OR # grype.yaml ignore : - vulnerability : CVE-2026-32631 - vulnerability : CVE-2016-2781 This will help developers and security engineers get along better. 😃 Grype config reference: https://oss.anchore.com/docs/reference/grype/configuration/

2026-07-01 原文 →
AI 资讯

A Prompt Is a Wish. A Tool Is a Law.

How I let non-engineers ship AI tools to production — and the boring infrastructure that made it safe. A product manager described a workflow in plain English — "every morning, pull yesterday's failed payments, group them by error code, and post a summary to our channel." Twenty minutes later it was running in production. She never opened an editor. She never saw a line of TypeScript. She talked to an agent, the agent wrote the code, and — once a human had reviewed the pull request — it shipped. That sentence should make you nervous. It made me nervous, and I'm the one who built the thing. The demo is "look, it wrote the code." The operation is "a marketer's tool now has a path to the payments database and nobody reviewed it." The interesting engineering isn't the part where an LLM writes code — that's the easy, demo-able part. It's the guardrails that decide whether the code it writes is allowed to exist. Here's the platform, and the five problems I had to solve to make it safe to hand to people who can't read the code that runs. The shape of the thing The platform is a place where anyone — engineers, PMs, designers, QA — can publish a reusable AI tool, and everyone else can use it. Write once, available to all. A few terms up front, because the whole design leans on them: MCP (Model Context Protocol) is a standard way for an AI client to discover and call your functions. The key detail: there's a step where the client asks the server "what tools do you have?" and the server answers with a list. Hold onto that — half the design hangs off that one list. Cloudflare Workers is code that runs on Cloudflare's servers at the network edge instead of your own. Durable Objects is per-session server-side storage that lives outside the model's context — the finite, token-costing window of everything the model can currently see. None of this is exotic; what matters is where each piece of state lives. Under the hood it's three small Workers speaking MCP: a gateway (auth, routin

2026-06-30 原文 →
AI 资讯

Sycophancy in AI Is the Safety Problem That Looks Like Politeness

I corrected my AI system mid-task. A terse one-liner: "wrong." Instead of asking which part was wrong, it manufactured an explanation. It cited a rule number that didn't exist, described a limitation I'd never written, and apologized for a mistake it couldn't actually identify. The correction was real. The apology was fabricated. It was trying to agree with me so hard that it invented evidence to support the agreement. That's sycophancy in AI. And if you're running AI in anything that resembles production, it's already happening to you. What Is Sycophancy in AI? Sycophancy in AI is a systematic behavioral distortion where models produce outputs that match what the user wants to hear rather than what's accurate. It goes well beyond your chatbot saying "Great question!" before every response. The mechanism is straightforward. Modern language models are trained using Reinforcement Learning from Human Feedback (RLHF). Human evaluators rate model responses. Responses with higher ratings get reinforced. The problem: evaluators are human. They rate responses higher when those responses validate their existing beliefs, sound confident, and don't push back. Anthropic's research on sycophancy confirmed this across five state-of-the-art AI assistants, finding that both humans and preference models sometimes prefer convincingly written sycophantic responses over correct ones. The model learns a simple lesson. Agreeing is rewarded. Disagreeing is punished. Over thousands of training iterations, the model develops a tendency to mirror the user's position, soften objections, and present information in whatever framing the user seems to prefer. This is a structural incentive baked into the training process itself, not a bug in any individual model. Why It's More Than Annoying In a chatbot demo, sycophancy is a quirk. In production, it's a compounding failure mode. Here are four patterns I've observed running an AI operations system in daily production. They don't always happen in s

2026-06-30 原文 →
AI 资讯

The Hidden Cost of Free Online Image Compressors

I analyzed what happens when you upload a photo to 5 popular free image compression sites. The Test I uploaded a 4.2MB photo to each service and monitored network requests. Results: Service A : File sent to their CDN (AWS us-east-1). 12 analytics trackers fired simultaneously. Service B : File uploaded, but 5 minutes later a second request sent the file to a different domain. Service C : Cleanest of the five, but their privacy policy reserves the right to "use uploaded content to improve compression algorithms." Service D : 23 third-party scripts loaded on the page. Your image URL is accessible to all of them. Service E : Actually clean — only one request to their server for processing. Only one of five didn't leak data to third parties. One. The Alternative I built compress2png.com to test whether image compression could work without any server. Turns out Canvas API + clever JavaScript handles it: Resize images client-side before export Strip EXIF/metadata in the browser Convert to optimal formats based on content For format-specific needs, svg2png.org handles vector conversion and webp2png.io handles next-gen format conversion — all browser-local. Check the Network tab next time you use a "free" online tool. You might be surprised what you find.

2026-06-30 原文 →
AI 资讯

Zero-Knowledge Architecture: What It Means for Your Files

Most of us share files constantly: config files, API specs, design assets, build artifacts. And most of us don't think too hard about where they end up. That's exactly what Zero-Knowledge Architecture (ZKA) is designed to address. But the term gets thrown around loosely, so let's break down what it actually means — and what to look for. The Core Idea: The Server Shouldn't Have to Trust You Traditional cloud storage works roughly like this: You upload a file The server encrypts it (or doesn't) The server holds the key You trust them not to look Zero-knowledge flips this entirely. In a true ZKA system: Encryption happens on your device , before data leaves your control The keys never leave your side — the server never sees them The server handles only encrypted blobs — it's a pipe, not a vault The phrase you'll hear is: "We can't read your data even if we wanted to." That's the point. Why This Actually Matters Here's a concrete scenario: you're sharing a .env file with a contractor. You use a cloud service. The service gets breached a week later. With standard encryption (server holds the key): the attacker potentially has your secrets. With ZKA: the attacker has an encrypted blob that's useless without the key they never had. Beyond breach scenarios, ZKA also helps with: Regulatory compliance — GDPR, HIPAA, and similar frameworks become easier to demonstrate when the service provider has zero access to the data Reduced trust surface — you're not trusting the company, their employees, or anyone who might compel them legally What Real ZKA Looks Like in Practice There's a big difference between claiming zero-knowledge and actually implementing it. Here's what to look for: ✅ Client-side encryption Files should be encrypted in the browser or app before upload. Not on the server. If encryption happens server-side, it's not zero-knowledge — it's just encrypted storage. ✅ Key management stays with you Where do the keys come from? How are they shared with recipients? In a rea

2026-06-30 原文 →
AI 资讯

Resolve the tenant from the user, not the request

TL;DR A multi-tenant app was resolving the active tenant from the request (subdomain/header) instead of the authenticated user . That makes the client the source of truth for "which tenant am I" — the wrong place for it. Fix: derive the tenant from the user's organization membership, enforce it in middleware, and fail closed. One test locks the behaviour. The bug, in one sentence The request was telling the app which tenant to load, and the app believed it. In a multi-tenant SaaS, every query is implicitly scoped: "give me this tenant's dashboards." If the tenant ID comes from something the client controls — a subdomain, a header, a route param — then the scoping is only as trustworthy as the client. That's a leak waiting to happen. Where the trust should live Think of it like a building pass. The request is someone saying "I'm here for floor 9." The membership record is the pass that says which floors you're actually allowed on. You check the pass, not the claim. Before After Source of truth request (subdomain / header) user's organization membership Who decides the tenant the client the server Failure mode user can land in a tenant they don't belong to resolution fails closed Testable? hard — depends on request shape yes — depends on the user The shape of the fix Resolve the tenant from the authenticated user's organization, in one middleware, before anything tenant-scoped runs: final class SetTenantContext { public function handle ( Request $request , Closure $next ): Response { $org = $request -> user () ?-> currentOrganization (); // No org, no tenant context. Fail closed, never guess. abort_if ( $org === null , 403 , 'No organization context.' ); Tenancy :: setCurrent ( $org -> tenant ); // server-derived, not request-derived return $next ( $request ); } } The key line isn't the setCurrent() — it's that the value comes from $request->user() , not from $request . The user is authenticated; the subdomain is not. request ──> [auth] ──> [SetTenantContext] ──> tena

2026-06-30 原文 →