AI 资讯
LLM Prompt Injection & Guardrail Security
A recall reference built from working through a 7-layer prompt-injection challenge. Focus: how each defense layer works, where it breaks, and most importantly how to defend. The one idea underneath everything LLMs have no hard boundary between instructions and data . Everything in the context window — system prompt, user message, retrieved documents — is one stream of tokens the model interprets. Prompt injection exploits exactly this: attacker-controlled data gets read as instructions . You cannot fully filter your way out of it; you manage it with defense-in-depth , knowing each individual layer is bypassable. The defense layers (and where each cracks) A progression of controls from weakest to strongest, each with the lesson it teaches. 1–2. No / weak guardrails Baseline: the model just answers. Lesson: an LLM holding secrets in its context with no controls will leak them on request. 3. Input filtering — block words in the user's message Defense: scan the incoming prompt for banned terms ("code", "secret", "reveal") and block. Weakness: keyword blocklists are trivially evaded — synonyms, misspellings, split words, leetspeak, another language, oblique references. Filtering strings doesn't filter intent . What actually helps: prefer allowlists to blocklists; classify intent semantically rather than matching keywords; treat all input as untrusted; rate-limit and log probing. 4. Output filtering — catch the secret in the response Defense: string-match the known secret in the model's output and redact. Weakness: substring matching only catches the contiguous secret. Fragmenting or transforming it (separators, per-character, encodings) means the literal string never appears, so there is nothing to match. What actually helps: don't put secrets where the model can emit them in the first place; minimize sensitive data in context; treat output filtering as a brittle last line, never a primary control. 5. Input + output filtering combined Defense: both of the above, stacked.
AI 资讯
Stop Fighting Python for Webhooks: Why Node.js is Optimal for Cloud Function Signatures
The Cryptographic Trust Problem (Why Webhooks Are Unforgiving) Webhooks are the nervous system of modern production apps. Whether you are processing a payment on Stripe, tracking a subscription on Lemon Squeezy, or fulfilling an order via Shopify, webhooks are how external platforms tell your backend: "Hey, something important just happened". Because these webhook endpoints have to be publicly accessible, they are prime targets for malicious actors. To prevent this, platforms use cryptographic signature verification . The Golden Rule of Verification When a provider sends a webhook, they take the HTTP request body and hash it with a shared secret key using HMAC-SHA256 . They pass this resulting signature in the request headers (like Stripe-Signature). When the request hits your server, your code has to do the exact same math: Grab the shared secret. Grab the exact raw bytes of the incoming request body. Hash them together and compare your result with the signature in the header. This process is completely binary and zero-tolerance. If your backend framework alters even a single byte—adding a trailing newline, stripping a whitespace, or reordering a JSON key during parsing—the math changes entirely. The signatures won't match, and the verification will fail. This brings us to our fundamental architectural bottleneck: to verify a webhook, you must intercept the request before your framework touches it. Why Python/Werkzeug Struggles If you build a Cloud Function in Python using the Firebase Functions SDK, you are working on top of Flask, which relies on Werkzeug to handle the underlying web server mechanics. Werkzeug is fantastic for standard web apps, but it has a specific architectural design that makes webhook verification a nightmare: it treats the incoming request body as a one-time, sequential input stream. The Single-Consumption Stream Under the WSGI (Web Server Gateway Interface) standard that powers Python web frameworks, the network payload arrives as an activ
AI 资讯
The Korean Telecom Giant at the Center of Anthropic’s Mythos Controversy
Days before Anthropic took its most advanced AI models offline, the White House ordered the company to revoke SK Telecom’s access to Claude Mythos over claims of alleged ties to China.
AI 资讯
FIFA Hack Authentication Flaw, Chrome Ad Blocker End, AI Supply Chain Security
FIFA Hack Authentication Flaw, Chrome Ad Blocker End, AI Supply Chain Security Today's Highlights Today's top security news covers a critical real-world authentication vulnerability, significant changes impacting browser privacy and ad blockers, and evolving national security concerns in the AI supply chain. I Could've Rickrolled the Entire FIFA World Cup. All I Needed Was My ID (Lobste.rs) Source: https://bobdahacker.com/blog/fifa-hack This article likely details a critical security vulnerability discovered within the systems managing the FIFA World Cup, potentially related to event access, public displays, or digital infrastructure. The phrasing "All I Needed Was My ID" strongly suggests an authentication or authorization flaw, perhaps involving an ID card or digital credential that was overly permissive or could be easily cloned/spoofed. The ability to "Rickroll the Entire FIFA World Cup" implies a widespread display or broadcast system was vulnerable, allowing an attacker to inject unauthorized content. This incident highlights the paramount importance of robust identity and access management, especially for high-profile events with extensive digital and physical infrastructure. It serves as a stark reminder for developers and security teams to conduct thorough penetration testing and review access controls for edge cases and potential over-privileges in all systems, from backend APIs to physical access credentials, to prevent widespread exploitation. Comment: This showcases how seemingly minor authentication oversights can lead to massive public exposure, urging developers to scrutinize ID-based access controls for edge cases and over-privileges. Google Chrome's next update will mark the end of popular ad blockers (Lobste.rs) Source: https://9to5google.com/2026/06/15/google-chromes-next-update-will-mark-the-end-of-popular-ad-blockers/ Google Chrome's upcoming Manifest V3 update is poised to significantly restrict the capabilities of many popular content blocker
安全
Massive breach spills credentials for thousands of sensitive networks
The affected include Oracle, Lenovo, FedEx, a NATO contractor, and Fortinet.
AI 资讯
I had real backend auth. The browser just walked around it.
Here's the thing nobody warns you about when you put Supabase behind a "real" backend. My stack is React + FastAPI + Supabase Postgres. Every write goes through FastAPI. Every endpoint checks the user, the role, the ownership. I audited that backend HARD — rate limits, JWT validation, RLS, the whole thing. I was proud of it. And none of it mattered for the two holes I actually shipped. Because the Supabase anon key lives in the browser. It HAS to — that's how supabase-js talks to your project. Which means every logged-in user is holding a key that talks to Postgres directly . Not through my FastAPI. Around it. That anon key is a SECOND API. And I'd spent months hardening the first one while the second one sat there, wide open, the whole time. Hole #1 — the answers were just... readable Quiz questions live in quiz_options , one is_correct boolean per option. My backend never sends is_correct to a student before they submit. Obviously. But the browser doesn't have to ask my backend. // any logged-in student, straight from the console: const { data } = await supabase . from ( ' quiz_options ' ) . select ( ' question_id, label, is_correct ' ) // <- the answer key. all of it. The RLS policy said "authenticated users can read quiz_options ." Totally true for the rows. It just also handed back the column that decides the grade. The answer key. To anyone with a login and ten seconds of curiosity. Fix: column-level REVOKE SELECT from the client role, and let the backend be the only thing that ever reads is_correct . (PR #775.) Hole #2 — they could WRITE things they shouldn't Same class of bug, bigger blast radius. The default Postgres grants let the client role insert/update far more than I'd realized — including a path toward forging a certificate. Nobody did it. But "nobody did it yet" is not a security model! So I stopped patching table by table and flipped the whole thing: -- kill the client's entire write surface, then grant back the ONE thing it needs ALTER DEFAULT PRI
科技前沿
What Happens After Your Smart Fridge Stops Getting Software Updates?
Here's what to expect when the manufacturer stops supporting your smart fridge.
开源项目
Cybercriminals allegedly hacked tens of thousands of Fortinet firewalls used by major companies all over the world
An alleged Russian-speaking group of cybercriminals is reportedly compromising and targeting several major companies that use Fortinet Firewalls and VPNs through previously known passwords.
AI 资讯
"Dangerous" AI models are coming no matter what
AI models with advanced hacking capabilities will soon be the norm.
开源项目
r4b1t_h0l3
→ Try it: gnomeman4201.github.io/r4b1t It's a curated random link generator for security and OSINT...
产品设计
Windows and Linux users: The deadline to update Secure Boot keys is near
What you need to know about the expiration of keys securing your machine's boot sequence.
AI 资讯
Production RBAC patterns for Go and Node startups
A founder told me last year: "We need admin features shipped by Friday. Can we just hardcode the roles for now?" That was 7 months ago. They're still paying for that decision today. This article is the breakdown I wish I had given them before that Friday — the patterns that separate a quick MVP version of RBAC from one that won't bite you back in six months. If you're a startup CTO, technical founder, or senior engineer about to ship admin/dashboard features for the first time, this is for you. The 4 signs your RBAC is a time bomb I've reviewed this exact pattern in 5+ early-stage codebases. Every one of them eventually hit the wall. Look for these signs: 1. Roles hardcoded in the JWT { "sub" : "user_123" , "role" : "admin" } Simple. Until you need to: Add a new role → migration + token refresh strategy Give one user a temporary elevated permission → "we'll just reissue tokens" Audit who had admin last month → good luck 2. Permission checks scattered across 40+ controllers // In every single handler: if user . Role != "admin" { return c . Status ( 403 ) . JSON ( ... ) } By the time you have 30 endpoints, you've made the same mistake 30 times. Refactoring is a full sprint. 3. One admin superuser that can do everything Until a sales rep accidentally deletes a customer record because they were elevated to admin "just for that one task last week." 4. Zero audit trail When the data goes missing, your only investigative tool is git blame on the source code and a desperate grep through CloudWatch logs. If you've nodded at any of these — keep reading. The real problem: policies-as-code Most teams treat permissions like business logic. They live in source files, gated by if statements, deployed with the rest of the code. This is the original sin. Code changes need deploys. Permissions change daily. When marketing onboards a new role next quarter, when a customer success rep needs view-only access to billing, when legal asks "who could have read this customer's data on Tuesda
AI 资讯
A password and a PIN aren't multifactor: the Security+ authentication trap
If you have spent any time on SY0-701 practice questions, you have hit at least one that looks trivial and then quietly fails you. Authentication factor questions are a favorite for this. The scenario sounds secure, the answer feels obvious, and the obvious answer is wrong. Here is the version that catches people. A login asks for your password, then a PIN, then your mother's maiden name. Three prompts, three steps. Is that multifactor authentication? No. It is single-factor wearing a costume. Factors are categories, not steps The exam wants you thinking about authentication in terms of categories , not how many boxes you fill in. There are three classic factors: Something you know (knowledge): a password, a PIN, a security question, a passphrase. Something you have (possession): a phone running an authenticator app, a hardware token, a smart card, a code texted to a device you are holding. Something you are (inherence): a fingerprint, a face scan, an iris pattern, a voiceprint. Multifactor authentication means pulling from different categories. A password (know) plus a code from your authenticator app (have) is two factors. A password plus a PIN plus a security question is still one factor, because all three are things you know. Stacking more knowledge on top of knowledge never changes the category. That is the entire trick. The question piles on prompts so it feels layered, and the count baits you into answering "three things, must be multifactor." Read for the category, not the quantity. The two factors people forget SY0-701 also expects you to recognize two more that sit just outside the classic three: Somewhere you are (location): access is allowed or blocked based on geolocation or which network you are on. A login permitted only from inside the corporate IP range leans on this. Something you do (behavioral): how you type, your gait, the rhythm of your swipe. This is the fuzziest one, and the exam treats it as a real but supporting signal. You will not see the
AI 资讯
Intelligence Brief: The Disinformation Machine
The Disinformation Supply Chain: How Coordinated Influence Campaigns Are Built Before They Go Viral Article from Digital HUMINT Series, For better understanding read the full report Right now, somewhere on X/forum people are fighting about a post that feels real raw, emotional, perfectly worded to hit a nerve. It has the right language, the right anger, the right timing. It sounds like someone who thinks exactly the way you do, or exactly the way you hate. It wasn't written there. It wasn't written today. And the person who wrote it doesn't care about the issue at all. That post was created two or three days earlier, on a hidden forum or a private chat group, following a set of instructions that described who to target, what emotions to trigger, which platform to use, and how much the job pays. By the time you see it, the operation has already worked. You engaging with it for or against is the whole point. I've spent almost two decades watching these hidden spaces where online manipulation is planned. What I've learned isn't that fake content exists everyone knows that by now. What most people don't realize is that it works like a factory. There's a production line. There are workers, managers, and paychecks. And just like any factory, if you know where to look, you can see the product being assembled before it ever reaches the shelf. It Works Like Any Other Business We talk about "disinformation campaigns" as if they're political movements. Some are. But more and more, what you're actually looking at is a business with four steps, each handled by different people, often in different countries. Step 1 — Someone writes the plan. A person with a goal and a budget writes a document that says: push this story, target these kinds of people, make them feel this emotion, use this language, post it on these platforms. These plans used to appear on hidden internet forums. Many have moved to private Telegram groups, but the structure hasn't changed since I first saw it in 201
AI 资讯
Startup Security Guide & LLM CISO
An open-source security guide, compliance checklist, and LLM-based virtual CISO persona for startups -- with specialized coverage for foreign companies entering the Korean market. The Problem Startups are vulnerable. Limited resources, no dedicated CISO, and security always deferred to "later." But customer data and intellectual property accumulate from day one -- and legal obligations apply regardless of company size. Three incidents from Korea in the first half of 2026 demonstrate that one misconfiguration can cascade into existential damage: Tving Data Breach (2026.06): Mass exposure of CI (Connecting Information, Korea's digital identity key) and refund bank account numbers. Classified as a "major breach" by the Personal Information Protection Commission. The leaked CI enables cross-service identity correlation, multiplying the damage. (CTI-2026-0604-TVING) CU Convenience Store Delivery Hack (2026.06): A simple web vulnerability led to the exfiltration of CI, addresses, phone numbers, and 9+ other data fields. The leaked data was linked to illegal private investigator inquiries and secondary crimes. (CTI-2026-0604-CU_BREACH) FastCampus / DayOne Company GitHub Master Key Theft (2026.06): A single GitHub master key was exfiltrated, granting attackers 30 days of undetected access to internal systems. Over 700,000 user records were exposed. The company took approximately 30 days to detect the breach, and customer notification was delayed beyond 72 hours. (CTI-2026-0611-FASTCAMPUS_DAYONECOMPANY) The common thread: All three began with a single misconfiguration or a single overlooked vulnerability. None required sophisticated zero-days. The damage was inversely proportional to organizational maturity. What startups need is not a $100K security suite. It is knowing what to do first , and a system to check it regularly . The Core Hypothesis An LLM can serve as a startup's first CISO. As of mid-2026, Claude 4, GPT-4o, and DeepSeek V3 -- alongside locally-run models via O
AI 资讯
Headless Browser Detection in 2026: What Still Trips Up Playwright
Playwright is the best browser automation library in 2026. It's also the most fingerprinted, the most detected, and the most patched in anti-bot databases. If you're running default Playwright against any platform with serious anti-bot defenses, you're getting flagged. We learned what's left of the cat-and-mouse game the hard way building HelperX . This article is what still trips up Playwright today — beyond the well-known navigator.webdriver flag, which everyone fixes in week one. The detection surface has shifted dramatically since 2022. The classic tells (PhantomJS, missing plugins, undefined chrome object) are largely solved. The new battleground is more subtle: CDP protocol artifacts, behavioral inconsistencies, and side-effects of the Playwright runtime that aren't part of the public API. What stopped working in 2024-2025 Detection on the platforms we monitor has gotten dramatically better in the last 18 months. A few things that worked in 2023 and stopped working since: Generic navigator.webdriver = undefined patches — detectable via Object.getOwnPropertyDescriptor if you do it naively Patching Notification.permission — modern detection cross-references with Permissions.query() Faking window.chrome — the property structure changed; old fakes are missing newer subkeys Setting a single User-Agent profile — detection now expects Client Hints to match Empty navigator.languages — flagged as suspicious; needs at least 2 entries These were all "set it once, ship it" fixes. The current generation of detection requires ongoing engineering. CDP artifacts: the deepest tell The Chrome DevTools Protocol (CDP) is how Playwright controls the browser. The browser exposes signals that it's being controlled, and modern detection looks for them specifically. Symptom: Runtime.evaluate artifacts When you run await page.evaluate(() => ...) , Playwright uses Runtime.evaluate under the hood. The evaluated script runs in a special isolated world. If the page can detect that an isola
AI 资讯
Vibe citing: how KPMG used AI to write a report about AI and AI made them look like fools
vibe citing: how KPMG used AI to write a report about AI and AI made them look like fools by t474-r0b07 There are companies that charge you to tell you how to use AI responsibly. KPMG is one of them. 250,000 employees. 138 countries. Decades advising governments and corporations on how to avoid costly mistakes. In October 2025 they published a report titled "Total Experience: Redefining Excellence in the Age of Agentic AI" . They wrote it with AI. The AI invented 88% of the sources. Nobody verified anything. They published it anyway. // what is "agentic AI" — because the title matters An agentic AI is not a chatbot. Not the assistant that answers your questions. It's a system that makes decisions and executes actions on its own, without a human approving each step. You give it an objective and it acts, corrects, moves forward. It's the product everyone in the tech sector was selling in 2025. KPMG was selling it too. That's why they needed a report proving their clients were already using it. Spoiler: they weren't. And the report invented it anyway. // the forensic analysis GPTZero — a company specialized in detecting AI-generated content — ran a full audit on the report. First: what is an AI hallucination, because the term is going to come up a lot. When a language model doesn't have the information you ask for, it doesn't say "I don't know." It generates a response that sounds correct. It invents with the same confidence it would use if it actually knew the truth. Perfect format. False content. No warning. That's a hallucination. Now the numbers from the KPMG report: TOTAL CITATIONS: 45 REAL CITATIONS: 5 INVENTED CITATIONS: 40 ACCURACY RATE: 11.1% 40 of 45 citations have invented titles, authors that don't exist, or sources that don't say what KPMG claimed they said. Half of the factual claims in the report are false or misattributed. A firm that charges for intellectual rigor published a document with 11% accuracy. // the organizations that read the report and sai
AI 资讯
I stopped trusting curl | sh — so I built a tool that reads the script first
Every developer has done it. You hit a README, you see the install command: curl -fsSL https://example.com/install.sh | sh And you run it. Maybe you skim the script first. Maybe you don't. But you run it. I've been doing this for years. And each time, a small voice in the back of my head says: you have no idea what that script actually does. You just piped a stranger's code straight into your shell. Eventually I got tired of ignoring that voice. What the pattern actually is curl | sh is not a bad pattern — it's a fast, convenient pattern with a real trust gap. The script runs with your permissions, in your shell, right now. It can: Install something with sudo Delete files with rm -rf Write to your disk with dd Access your SSH keys or .env files Set up a cron job or a systemd service that runs again next reboot Decode and run a payload with base64 | eval Most install scripts do none of these things maliciously. But many do several of them legitimately — and you wouldn't know which ones until something went wrong. --- ## What I built instead I'm a solo founder based in Ouagadougou, Burkina Faso. I build with heavy AI pairing — I'm not a trained engineer, I work with Claude, review the output, and ship. This tool ( peek ) was AI-paired and reviewed by me before release. peek is a ~130-line POSIX shell script that sits in front of the pattern: # Instead of: curl -fsSL https://example.com/install.sh | sh # Do: peek https://example.com/install.sh Before anything runs, peek: Fetches the script Scans it for risky patterns Prints a risk score and the exact dangerous lines Asks you to confirm — and refuses to auto-run a HIGH-RISK script unless you type RUN You can also pipe into it, or run it in analysis-only mode: curl -fsSL https://example.com/install.sh | peek # analyze from a pipe peek --print ./downloaded.sh # never runs, analysis only What it flags (and what it doesn't) The patterns peek checks: Root escalation — sudo , running as root Destructive file ops — rm -rf , fi
AI 资讯
I Got the proxy.ts Matcher Wrong for Three Projects Before I Understood Why
A few days ago I published a post about the three-layer auth model and the invoice incident that made...
AI 资讯
Apple plans to change its Hide My Email privacy feature that could make it less effective
In the coming weeks, Apple will move anonymously generated emails addresses to a different domain.