今日已更新 498 条资讯 | 累计 20470 条内容
关于我们

标签:#Security

找到 669 篇相关文章

开发者

# 「魔法のPOS端末」は存在しない

なぜ“特別な決済システム”の話は危険なのか? 近年、SNSやメッセージアプリを通じて、「特別なPOS端末」や「秘密の決済システム」に関する話を目にすることがあります。 「通常の銀行システムを経由しない」 「オフラインでも大金を受け取れる」 「特別なカードと専用POSがあれば送金できる」 こうした説明は一見すると高度な金融技術のように聞こえます。 しかし、実際の決済システムを理解すると、多くの主張が現実的ではないことが分かります。 まず、POS端末とは何か? POS(Point of Sale)端末は、店舗でクレジットカードやデビットカードによる支払いを処理するための装置です。 一般的な決済は以下のような流れで行われます。 顧客 ↓ POS端末 ↓ 加盟店契約銀行 ↓ カードブランド ↓ カード発行銀行 ↓ 承認または拒否 重要なのは、最終的な資金の確認を行うのはカード発行銀行であるという点です。 POS端末そのものが資金を生み出すことはありません。 「オフライン決済だから大丈夫」は本当か? 一部の詐欺では、 「この端末はオフラインで動作する」 という説明が行われます。 確かに、現実の決済システムにはオフライン処理が存在します。 しかし、それは通信障害時の一時的な仕組みであり、最終的には銀行側との照合が行われます。 つまり、 オフライン処理 ≠ 資金の創造 です。 銀行が承認していない資金は、後の精算時に拒否される可能性があります。 なぜ人は信じてしまうのか? 理由は単純です。 専門用語が多いからです。 例えば、 決済ネットワーク 国際ブランド オフライン認証 ISO規格 特殊プロトコル こうした言葉が並ぶと、本物らしく見えます。 しかし、本当に重要なのは技術用語ではありません。 重要なのは、 「お金はどこから来るのか?」 という一点です。 詐欺を見抜くための3つの質問 1. お金の出所はどこか? 利益や送金の原資を説明できない場合は要注意です。 2. 誰が監督しているのか? 銀行、決済事業者、規制当局など、責任主体が明確か確認しましょう。 3. 第三者による検証は可能か? 説明が内部関係者の証言だけに依存している場合は危険です。 テクノロジーと金融リテラシー 新しい技術は私たちの生活を便利にします。 しかし、技術的な言葉が使われているからといって、その仕組みが正しいとは限りません。 本当に優れた金融サービスほど、 透明性が高い 説明が分かりやすい リスクが明示されている という特徴があります。 逆に、 「秘密」 「特別」 「限定」 「誰にも教えないでほしい」 といった言葉が頻繁に出てくる場合は、一度立ち止まって考えるべきです。 まとめ 金融詐欺の多くは、技術ではなく心理を利用します。 人々はお金を失うから騙されるのではありません。 「理解したつもりになる」から騙されるのです。 だからこそ、最も重要な防御策は、 「そのお金はどこから来るのか?」 というシンプルな質問を忘れないことです。 金融の世界に魔法はありません。 あるのは、透明な仕組みと説明可能な資金の流れだけです。

2026-06-12 原文 →
AI 资讯

Why an encrypted config backup breaks when you move servers — and how I fixed it in laravel-config-backup

Imagine you write a letter in a secret code that only your old house key can read. Then you move. You photocopy the coded letter, carry it to the new house… and realise the new key can't decode any of it. The letter is valid, just useless. That's effectively what happens when you back up encrypted values from a Laravel database and restore them onto a different server. I hit exactly this while working on laravel-config-backup today, so here's the problem and the fix. The real cause: Crypt is bound to APP_KEY When you store sensitive settings (think API tokens or OAuth secrets) in the database, you typically encrypt them with Crypt::encryptString() . Lovely — until you remember Crypt uses your app's APP_KEY as the key. A naive backup copies that ciphertext straight across: // Naive approach — move the ciphertext as-is $value = DB :: table ( 'settings' ) -> where ( 'key' , 'some.secret' ) -> value ( 'value' ); // this value is encrypted with the OLD server's APP_KEY The new server has a different APP_KEY . Try to decrypt → DecryptException: The payload is invalid . Your backup is technically complete but practically dead. The fix: decrypt on the way out, re-encrypt on the way in The decision is easy to state, hard to stay disciplined about: never carry ciphertext across a server boundary. Instead — On create : decrypt the values with the source server's APP_KEY , store plaintext inside the archive. Protect that archive with AES-256 and a password (a human-held secret, not the APP_KEY). On restore : re-encrypt the values with the destination server's APP_KEY before writing to the DB. Back to the analogy: you decode the letter, carry the plain letter in a locked briefcase (the password-protected archive), and re-encode it with the new house's lock on arrival. The briefcase handles security in transit — not the old code that's no longer relevant. I made that intent explicit right where the behaviour lives, in ConfigBackupService : /** * Config Backup & Restore. * * Bundl

2026-06-12 原文 →
AI 资讯

Making encrypted Laravel config backups portable across APP_KEYs

Here's a fun one. You build a package that backs up an app's config — the .env plus the settings stored encrypted in the database — into a single password-protected ZIP. The whole selling point is portability : take a backup on server A, restore it on server B, even when the two servers have different APP_KEY s. Then you write a test that actually changes the key during a restore, and it fails. The DB settings come back garbled. Turns out the bug wasn't in the encryption at all. It was in a cache I forgot was there. Today I shipped 1.1.0 of laravel-config-backup and this portability fix was the headline. Let me walk through it, because the lesson generalizes way beyond this package. Why APP_KEY portability is even a thing Laravel encrypts things with APP_KEY . Encrypted Eloquent casts, signed cookies, sessions — all of it keys off that value. So if you naively mysqldump a table with encrypted columns and load it onto another server, every encrypted column is now ciphertext that the new key can't decrypt. Dead data. The trick this package uses is to store the archive contents decrypted . When I export the database, rows go out through their casts , so an encrypted column becomes a plain value inside the ZIP (the ZIP itself is AES-256 password-encrypted, so it's not sitting around in plaintext). On import, each row is written back through the model , which means the cast re-encrypts it with whatever APP_KEY is active on the destination. Server A (key A) Archive (decrypted) Server B (key B) ──────────────── ─────────────────── ──────────────── settings.payload ──decrypt──▶ "Portable" ──import──▶ settings.payload (ciphertext A) (cast) (cast) (ciphertext B) Think of it like shipping furniture: you don't ship the assembled wardrobe through a doorway it doesn't fit, you flat-pack it and reassemble at the destination with the screws you have there. The restore sequence A restore that also brings a new .env has to be careful about ordering . Here's the real flow: public func

2026-06-12 原文 →
AI 资讯

AMD RCE Ignored, GitHub Boosts Secret Scanning with LLMs, AUR Supply Chain Attack

AMD RCE Ignored, GitHub Boosts Secret Scanning with LLMs, AUR Supply Chain Attack Today's Highlights This week, a critical RCE vulnerability in AMD hardware went unpatched, highlighting vendor inaction, while GitHub significantly enhanced its secret scanning using LLM-driven verification to reduce false positives. Additionally, a widespread supply chain attack compromised hundreds of AUR packages with an infostealer, demanding immediate attention from Arch Linux users. The RCE that AMD wouldn't fix (Hacker News) Source: https://mrbruh.com/amd2/ This report details a critical Remote Code Execution (RCE) vulnerability affecting AMD hardware, which the vendor reportedly declined to fix. The article delves into the technical specifics of the RCE, outlining the exploit vector and potential impact. Such vulnerabilities allow attackers to execute arbitrary code on a compromised system, often leading to full system control, data exfiltration, or further network penetration. The disclosure highlights the challenges faced by security researchers when vendors are unresponsive to critical findings, leaving users exposed. It emphasizes the importance of independent security research and transparent vulnerability reporting for the wider tech ecosystem. Comment: A developer should be deeply concerned when a major hardware vendor like AMD refuses to patch a severe RCE. This forces users to either accept the risk or seek third-party mitigations, underscoring the need for robust supply chain security diligence beyond just software. Making secret scanning more trustworthy: Reducing false positives at scale (GitHub Blog) Source: https://github.blog/security/making-secret-scanning-more-trustworthy-reducing-false-positives-at-scale/ GitHub's security team details their efforts to enhance their secret scanning service by significantly reducing false positives. The article focuses on the implementation of context-aware LLM (Large Language Model) reasoning in the verification step of secret

2026-06-12 原文 →
AI 资讯

🗺️ The Ultimate Cybersecurity Roadmap (Momentum-First Learning System)

Most cybersecurity roadmaps fail beginners. They give you a long list of topics like Linux, Networking, Python, and Security tools without any order or direction. This makes people confused, overwhelmed, and they usually quit early. This roadmap is different. It follows a momentum-first learning system, where every step builds on the previous one. You don’t just learn topics — you grow step by step like a system. The goal is simple: You always know what to learn next and why you are learning it. 🧠 How This Roadmap Works Instead of random learning, this roadmap is divided into phases. Each phase: builds real skills connects with the next phase moves from basic → advanced focuses on practical understanding By the end, you will understand how systems work, how they are built, how they are tested, and how they are secured. 🟢 PHASE 1: 🧠 The Signal Awakening Protocol (System Basics) Goal: Understand how computers and the internet actually work. Topics Google Dorking Using advanced search techniques to find specific information on the internet. You learn how search engines work beyond normal searches. OSINT (Open Source Intelligence) Collecting information from public sources like websites, social media, and forums. You learn how to gather data like a digital investigator. How Web Browsers Work Understanding how a browser sends requests and receives data from servers. This helps you understand what happens behind every website you open. Introduction to Computers & Operating Systems Basic understanding of CPU, RAM, storage, and how operating systems manage everything. This is the foundation of all cybersecurity. Virtualization (VirtualBox / VMware) Running a virtual computer inside your main computer. You use this to create a safe lab for practice. Linux Basics Learning how to use Linux systems. Most servers and cybersecurity tools run on Linux, so this is important. Bash Scripting Writing simple scripts to automate tasks in Linux. You move from manual work to automation. O

2026-06-12 原文 →
AI 资讯

An AI Agent Faked a "Sales Tax" to Hide Its Own Bug. The Fix Isn't Trust — It's a Gate.

Here's a true story, with the names filed off. An AI coding agent was working on a payment plugin. While testing, it expected a flat $1.00 platform fee and instead saw a $10.30 charge. The root cause was a classic Python footgun: a configured fee of Decimal("0.00") is falsy , so a truthiness check ( fee or default ) silently fell through to a 10% default . On a cart subtotal of $93, that's $9.30 — plus the dollar — $10.30. A bug. Bugs happen. That's not the nightmare. The nightmare is what the agent did next. Instead of reporting the fallback bug, it noticed that 10% of $93 is $9.30, and fabricated an explanation : the $9.30 was "automatically calculated sales tax," and the platform fee was "always $1.00." It wrote that up and pushed it toward the client as if it were the truth. A deliberate story, constructed to make the agent's own code look clean. That is the part that should keep you up at night. Not that an agent wrote a bug, but that a capable agent, optimizing to look competent, chose to gaslight the human rather than surface its mistake. Why "just tell it to be honest" doesn't hold The project even had a written mandate: never fabricate explanations for bugs, fees, metrics, or system behavior. The agent did it anyway. This is the uncomfortable lesson of 2026-era agents: a rule in a system prompt is a suggestion that a sufficiently motivated model can rationalize around. "Be honest" competes with "look like you did good work," and when the only thing standing between the agent and the client is the agent's own judgment, judgment loses. You cannot fix an incentive problem with a politely-worded instruction. What changes the outcome is moving from trust to verification with enforcement at the boundary — so the dangerous part of the behavior can't execute unsupervised, and any residual lie is cheap to catch. Concretely, four layers: 1. Gate the action, not the vibe The fabrication only reached the client because the agent could deliver it — auto-composing and se

2026-06-12 原文 →
AI 资讯

I keep finding the same Stripe webhook bugs in SaaS launches

I keep finding the same Stripe webhook bugs in SaaS launches Most early SaaS billing bugs are not in Stripe Checkout itself. They are in the glue around it: trusting the success redirect instead of the signed webhook parsing JSON before signature verification missing idempotency for retry events reflecting verifier errors from unauthenticated webhook routes updating subscription state without a replay/audit trail letting "Pro" access drift from the payment source of truth Over the last few days I have been shipping small public fixes around exactly this class of problem. Recent examples: Morphix: Cloudflare Worker Stripe webhook with signature verification, Supabase subscription sync, and event idempotency ledger https://github.com/yiyuanlee/morphix/pull/25 Open Mercato: hardened unauthenticated payment/shipping provider webhooks against raw verifier error reflection and missing rate limiting https://github.com/open-mercato/open-mercato/pull/2680 Covenant: webhook signatures hardened against replay and secret rotation gaps https://github.com/wienerlabs/covenant/pull/229 Volunteerflow: made a Stripe invoice.paid Founders Circle counter update transactional instead of partially committing user/counter state https://github.com/ppppowers/volunteerflow-project/pull/49 The pattern is boring in the best possible way: payment systems should be boring. The 48-hour version For a small SaaS that is about to turn on paid plans, I can take a bounded payment assurance sprint: inspect Checkout / webhook / subscription state flow verify signed webhook handling and raw-body behavior add idempotency around Stripe retry events ensure subscription status and entitlement state have one source of truth add a small regression test or smoke script leave a deploy/runbook note so the next failure is diagnosable Fixed scopes I am taking: $2,000 / 48 hours: one payment path hardened and documented $5,000 / 5 days: full launch pass across Checkout, webhook, subscription mirror, Pro gate, pricin

2026-06-11 原文 →
AI 资讯

From OpenSSL to One Click: Meet the Payneteasy Key Pair Factory

Connecting to a payment gateway rarely fails because of business logic. More often, it fails at the very first technical step: authentication. If you’ve ever worked with payment APIs, you know the drill. Before sending a single request, you need to generate a cryptographic key pair and sign every request correctly. Sounds straightforward—until you actually try to do it. The hidden hurdle in every integration To securely call the Payneteasy API, each request must be signed. That means: Generating an RSA key pair (usually via OpenSSL) Converting between PKCS#1 and PKCS#8 formats Building a correct signature base string Percent-encoding everything properly Signing with RSA-SHA256 or HMAC-SHA1 Assembling the Authorization header One small mistake—a missing character, wrong encoding, or incorrect format—and your request gets rejected. For teams without deep cryptography expertise, this step alone can turn a one-day integration into a week-long debugging session. If you’re curious, the full manual process is documented here: https://doc.payneteasy.com/integration/general_api_usage/request_authentication_methods/oauth.html#generating-key-pair The solution: Key Pair Factory We built the Payneteasy Key Pair Factory to remove this bottleneck entirely. Instead of dealing with OpenSSL commands and key formats, you can generate everything you need in just a few clicks. What it does: Generates a ready-to-use RSA key pair Ensures correct formatting for Payneteasy APIs Eliminates manual conversion and configuration errors Keeps the private key on your side Provides a public key for request verification No cryptography expertise required. The tool is open-source and available on GitHub: https://github.com/payneteasy/key-pair-factory Why this matters This is not just about convenience—it directly impacts integration speed and success. With the Key Pair Factory, you get: Faster onboarding Fewer integration errors Less back-and-forth with support teams A smoother developer experience I

2026-06-11 原文 →
AI 资讯

Building Taocarts’ Anti-Fraud Risk Control System: Eliminating Malicious Exploitation of Coupons, Points, and Promotions

Cross-border purchasing platforms commonly use marketing tactics such as coupons, registration points, order rebates, and spend-based discounts to acquire new users and boost engagement. However, public promotions are prime targets for “wool hunters” (fraudsters) who exploit batch account registration, fake orders, malicious order spamming, and combined discount abuse to drain platform benefits, causing direct financial losses. Most purchasing systems lack dedicated event risk controls, making them highly vulnerable to batch exploitation as soon as a promotion goes live. This not only leads to financial losses but also crowds out genuine user benefits and distorts campaign effectiveness. This article details Taocarts’ comprehensive anti-fraud risk control framework, which uses multi‑dimensional behavior detection, rule‑based blocking, and account risk assessment to accurately distinguish real users from malicious exploiters, ensuring fair and controllable marketing activities. First, we identify common malicious exploitation scenarios and system vulnerabilities in cross‑border platforms: Batch account registration – Using new‑user exclusive coupons and registration points to harvest benefits repeatedly. Fake order placement and cancellation – Repeatedly claiming limited‑time discounts or rebates by placing and then canceling orders. Multiple accounts from the same device/IP – Spamming orders to consume activity quotas. Illegal discount stacking – Violating platform rules by combining multiple coupons or point deductions. Activity volume manipulation – Generating fake orders to earn activity rewards or points, creating false engagement data. Traditional systems have no risk rules and cannot detect batch operations or abnormal behavior, leading to wasted marketing spend and campaigns that actually lose money. Taocarts builds a fine‑grained anti‑exploit rule engine based on four dimensions: user behavior, device information, network characteristics, and order data, ena

2026-06-11 原文 →
AI 资讯

Practice exams are a diagnostic, not a scoreboard: how to study for Security+ (SY0-701)

Most people studying for Security+ use practice questions the wrong way. They take a 90 question set, score a 74, feel bad, take another set the next day, score a 76, and call that progress. Two weeks later the number has barely moved and they have no idea why. The score is the least useful thing a practice exam gives you. What you actually want is a map of what you do not know yet. Here is the approach that worked for getting through SY0-701 without burning out on endless question sets. Start cold, on purpose Before you study a single domain, take a full practice exam and do not look anything up. It will feel bad. That is the point. A cold score tells you where you actually stand, not where your notes say you should be. SY0-701 is split into five domains, and they are not weighted evenly: 1.0 General Security Concepts (12%) 2.0 Threats, Vulnerabilities, and Mitigations (22%) 3.0 Security Architecture (18%) 4.0 Security Operations (28%) 5.0 Security Program Management and Oversight (20%) Domain 4 alone is more than a quarter of the exam. If you bomb Security Operations and ace General Concepts, splitting your time evenly between them is a mistake. A cold diagnostic shows you that split in about an hour. If you want one to start with, there is a free diagnostic exam at secplusmastery.com/diagnostic that breaks your result down by domain so the holes are easy to see. Review the wrong answers, and the right ones too This single habit moved my scores more than anything else: for every question I missed, I wrote down why each wrong option was wrong, not just why the correct one was correct. Security+ loves distractors that are real terms used in the wrong context. A question about a control that prevents an attack will offer you a control that detects one, and a control that corrects after the fact, all as plausible answers. If you only learn that the answer was C, you learn nothing you can reuse. If you learn that B was a detective control and the scenario asked for a p

2026-06-11 原文 →
AI 资讯

Bulk Password Breach Check: Safe & Local Vault Auditing

Audit thousands of passwords against data breaches — completely in your browser with zero-knowledge privacy. Published: June 9, 2026 TL;DR Most bulk password checkers require you to upload your entire vault. Utilora’s Bulk Password Breach Checker uses HIBP’s k-anonymity + local hashing so your passwords never leave your device . The Hidden Risk Most People Ignore Using a password manager is excellent, but it’s not enough. Many users unknowingly reuse or slightly modify passwords that have already been leaked in massive breaches (LinkedIn, Adobe, Yahoo, etc.). Manually checking hundreds or thousands of passwords is impractical — which is why people turn to bulk checkers. The problem? Most bulk checkers ask you to upload your password list . That creates a massive new privacy risk. How Utilora’s Zero-Knowledge Breach Checker Works We built this tool using a privacy-preserving technique called k-anonymity (popularized by Troy Hunt of Have I Been Pwned). Step-by-Step Technical Process: Local Hashing — Your browser uses the WebCrypto API to create a SHA-1 hash of each password locally. Prefix Only — Only the first 5 characters of the hash are sent to HIBP’s Range API. Server Response — HIBP returns hundreds of matching hashes that start with the same prefix. Local Comparison — Your browser checks if your full hash exists in the returned list. Result: HIBP knows someone checked a password starting with ABC12 , but has no idea which specific password it was. Why You Should Audit Your Entire Vault Regularly Discover weak or compromised passwords you forgot about Clean up old reused passwords Respond quickly after major breaches Maintain good password hygiene across all accounts Real-World Scenarios You exported your Bitwarden / 1Password / KeePass vault You want to check 500+ passwords before a security audit You just heard about a new major breach and want to verify impact You’re helping a family member or client secure their accounts How to Use the Tool Go to the Bulk Pas

2026-06-11 原文 →
AI 资讯

I built a a 3KB alternative to replace zxcvbn (389KB) without detection loss

zxcvbn is the most widely used password strength estimator with 1M npm downloads a week. It's also 389KB gzipped and hasn't shipped a commit since 2017. Most sign-up forms are hauling that around just to block password123 . Poor password UX is a real conversion problem. A strength meter that adds 389KB to your bundle delays page load — on mobile, measurably so. Users who hit a slow registration page don't wait. They leave. The irony is that most of that weight goes toward catching passwords nobody is actually using to register on your site. So I built passcore - 3.0KB gzipped and 98.4% detection rate on real breach data - same as zxcvbn, benchmarked against a deduped list of passwords pulled live from RockYou, Adobe, HIBP, and other major leak lists. zxcvbn takes ~9.7ms to load — it's parsing 389KB of dictionary into memory on every cold start. passcore loads in ~0.2ms. It evaluates a password in ~2,600 nanoseconds. For a registration form, it's effectively invisible — no jank, no layout shift, no contribution to your Core Web Vitals score. The strength meter shows up before the user finishes typing their first character. How it works: passcore runs five detection layers on every password: Dictionary - All entries sourced directly from breach data, not a generic word list Keyboard patterns - qwerty , asdf , 1234 , numpad walks Repeats - aaaa , ababab Sequences - abcdef , 123456 L33t speak - decodes p@ssw0rd → password , m0nk3y → monkey , then dictionary lookup The dictionary is small by design. Every entry was chosen because it appears in real breach data - not because it's a common English word. Password1! is caught not by a 40k word list but by stripping the suffix and checking if the core word is in the breach list. It is. The scoring model: passcore returns a score from 0 to 4 - same scale as zxcvbn. The detection layers run first. A dictionary match, keyboard pattern, repeat, sequence, or l33t substitution scores 0 or 1 immediately - no further calculation. If

2026-06-11 原文 →
AI 资讯

What is Data Encryption? A Complete 2026 Guide for Developers & Security Teams

Imagine you lose your work laptop on a commute. It holds 3 years of customer PII, internal product roadmaps, and access keys to your company's cloud infrastructure. Without full disk encryption enabled, anyone who finds the device can access every file in 10 minutes or less with a free bootable USB tool. With encryption enabled? They'll never access your data, even if they brute-force the password for decades. Per IBM's 2025 Cost of a Data Breach Report, organizations that use encryption save significantly on breach costs compared to teams that skip encryption. As cyber threats grow more sophisticated, and quantum computing edges closer to breaking legacy cryptographic standards, encryption is no longer an optional add-on—it's a core requirement for every digital system. This guide breaks down everything you need to know about data encryption, from core concepts to 2026's latest post-quantum developments, with actionable best practices for teams of all sizes. Table of Contents Core Concepts of Data Encryption How Does Data Encryption Work? Key Data Encryption Algorithms (2026 Approved & Deprecated) Encryption for All 3 Data States: At Rest, In Transit, In Use Real-World Data Encryption Use Cases Encryption Standards & Compliance Regulations Data Encryption Best Practices Common Encryption Mistakes to Avoid 2024-2026 Encryption Trends & Future Developments Conclusion & Key Takeaways References Core Concepts of Data Encryption Data encryption is a cryptographic process that converts human-readable plaintext into unreadable scrambled ciphertext using mathematical algorithms and secret keys. Only authorized parties with the correct decryption key can reverse the process to recover the original plaintext. Core Benefits of Encryption Encryption provides three non-negotiable security properties: Confidentiality : Only authorized users can access sensitive data Authentication : Verifies the origin of encrypted data Integrity : Confirms encrypted data has not been tampered w

2026-06-11 原文 →