今日已更新 80 条资讯 | 累计 20052 条内容
关于我们

标签:#Security

找到 652 篇相关文章

AI 资讯

Cryptographic Watermarking for LLM Outputs with resk-mark

Cryptographic Watermarking for LLM Outputs with resk-mark Links: PyPI: https://pypi.org/project/reskmark GitHub: https://github.com/Resk-Security/resk-mark Web: https://resk.fr __ __ ________ _____/ /__ ____ ___ ____ ______/ /__ / ___/ _ \/ ___/ //_/_____/ __ `__ \/ __ `/ ___/ //_/ / / / __(__ ) ,< /_____/ / / / / / /_/ / / / ,< /_/ \___/____/_/|_| /_/ /_/ /_/\__,_/_/ /_/|_| The Provenance Problem Every company deploying LLMs in production faces the same question: once a model generates text, how do you prove it came from your system? Prompts like "say you are an AI" are trivially removable. Post-hoc detectors are unreliable and adversarial. And once text leaves your system — forwarded, copied, pasted into a ticket — you have zero visibility. resk-mark solves this by embedding a cryptographic watermark directly into the token generation process. The output reads naturally, but carries a verifiable signature that survives rewording and truncation. How It Works resk-mark hooks into the language model's sampling process. Before generation, the caller provides a secret key. During sampling, the library biases the probability distribution toward tokens that encode that key's signature: from reskmark import WatermarkEncoder , verify encoder = WatermarkEncoder ( secret_key = " your-key-here " ) model = AutoModelForCausalLM . from_pretrained ( " mistralai/Mistral-7B " ) # Wrap the generate call output = encoder . generate ( model , " Explain the concept of zero-knowledge proofs. " , max_length = 200 , ) print ( output ) # "Zero-knowledge proofs are a cryptographic method where..." # Reads naturally - watermark is invisible # Later - verify provenance is_authentic , confidence = verify ( output , public_key = " corresponding-pub-key " ) print ( f " Authentic: { is_authentic } , confidence: { confidence : . 2 f } " ) Key Properties Invisible — the watermark does not change the meaning, grammar, or fluency of the output Robust — survives copy, paste, truncation, and light rewo

2026-07-08 原文 →
AI 资讯

"KakaoTalk Source Code for Sale" — Anatomy of a Dark-Web Claim, the Real Target, and the Blast Radius If It's True

id CTI-2026-0708-KAKAO title "KakaoTalk Source Code for Sale" — Anatomy of a Dark-Web Claim, the Real Target, and the Blast Radius If It's True subtitle Not a data breach but a leak of intellectual property and infrastructure. Title says KakaoTalk, repo names say ZigZag — an extortion pitch built on a misattributed target author Dennis Kim / HoKwang Kim email gameworker@gmail.com github gameworkerkim date 2026-07-08 classification TLP:GREEN severity HIGH (conditional — CRITICAL if verified) lang en tags Source-Code-Sale · Dark-Web · Extortion · Target-Misattribution · Kakao-Style · ZigZag · Supply-Chain · LLM-Weaponization · DPRK-APT · Secret-Sprawl threat_actors ExtortionLord (unidentified dark-web forum seller) frameworks MITRE ATT&CK · NIST SP 800-207 (Zero Trust) · SLSA / SSDF (SP 800-218) · PIPA Art. 34 (Korea) license CC BY-NC-SA 4.0 "KakaoTalk Source Code for Sale" — Anatomy of a Dark-Web Claim, the Real Target, and the Blast Radius If It's True Report ID CTI-2026-0708-KAKAO · Published 2026-07-08 · Classification TLP:GREEN · Severity 🔴 HIGH (conditional) Author Dennis Kim / HoKwang Kim · gameworker@gmail.com · @gameworkerkim 🌐 한국어 · English (this document) Not a data breach but a leak of intellectual property and infrastructure. The title says KakaoTalk, the repository names say ZigZag — an extortion pitch built on a misattributed target. Table of Contents Executive Summary (TL;DR) Framing — Not "What's Being Sold" but "What's at Stake" The Claim — Anatomy of the Listing The Real Target — Title Says KakaoTalk, Fingerprints Say ZigZag Credibility Assessment — Why We Can't Trust It Yet Blast Radius If True — Why It Exceeds TVING and CU Three-Breach Severity Comparison — Data Leak vs. Code/Infra Leak Korean Context — The Next Stage of the B2C Breach Chain Detection, Mitigation, and Response Recommendations Conclusion References 1. Executive Summary (TL;DR) In early July 2026, a threat actor calling itself "ExtortionLord" posted a dark-web forum listing offering

2026-07-08 原文 →
AI 资讯

The reasoning was right, but the world shifted

While working on the GitHub adapter, a gateway that lets AI agents create pull requests on GitHub, the source_state field first looked like a small technical detail. It was not the operation itself, or the target. It was only a reference to the state the agent had seen before proposing a change. But after working through the write path, this field started to look less like metadata and more like part of the safety model. A proposed change is not only defined by what it wants to do. It is also defined by the state in which that proposal made sense. This is easy to miss. An agent can read a repository, produce a reasonable change, and submit a clean intent. Nothing about that has to be wrong. But while the agent is planning, the repository can move. A human can push a fix. Another workflow can update the same file. A branch can advance. In that case, the agent may still be reasoning correctly over the state it saw. The problem is that this state no longer exists. The reasoning was right, but the world shifted. That is the stale state problem in agent workflows. And it is why I think agent workflows need state-bound intent. The illusion of a static world From the outside, even from the boundary's point of view, a stale request can look just like any other: the operation has the same name, the target path is still allowed, the input is still well formed. But it is not. The proposal belonged to an older state of the repository, formed before the branch moved, before the file changed, before another workflow created a related result. This is why stale state is not only a data freshness problem. For agent workflows, it becomes an admission problem: a decision about whether a proposed change is allowed to become a real effect. We call that decision point an MCP Boundary: the same pattern behind the GitHub adapter and the wider work we do on MCP gateways. The boundary should not only ask whether the operation is allowed on the target. It should also know whether the target i

2026-07-08 原文 →
AI 资讯

You Can't Secure What You Can't See: Shadow AI and the Inventory Problem

Part 1 of "Trust the Machine" -> a series on building AI infrastructure that is secure, compliant, and governable by design. Most organizations can produce an accurate catalog of the web services they operate. Far fewer can produce an equivalent catalog of the AI systems they run — the models, fine-tunes, retrieval pipelines, agents, and third-party AI APIs now embedded throughout their products and internal tooling. This asymmetry defines the state of AI security in 2026. Adoption has outpaced oversight. Industry reporting this year has described a surge in enterprise AI activity on the order of 83% year over year, with governance and visibility lagging well behind. The consequence is a large and only partially mapped attack surface — one that many organizations cannot fully enumerate, let alone defend. Every mature security program rests on a single first principle: you cannot protect what you cannot see. Artificial intelligence is no exception. Before threat-modeling an agent or authoring a guardrail, an organization must be able to answer a deceptively difficult question: what AI is running across the environment, and who is accountable for it? This post examines how to build that answer. The rise of shadow AI Shadow IT — the unsanctioned adoption of tools outside official channels has been a recognized challenge for decades. Shadow AI is its faster-moving successor, and it appears in more forms than most inventories are designed to detect: Embedded API calls. A product team integrates a hosted model in a few lines of code and an API key, with no formal review. Copilots and assistants enabled across existing SaaS platforms, frequently activated by the vendor rather than the customer. Fine-tunes and adapters trained on internal data and stored in locations that fall outside standard scanning. Agents and automations that have incrementally acquired the ability to act—filing tickets, sending communications, initiating transactions—one permission at a time. Model de

2026-07-08 原文 →
AI 资讯

AI Security Audit Checklist: 15 Vulnerabilities Claude Found in Production Code

Most web applications contain at least one vulnerability from the OWASP Top 10. A typical security audit takes 2-3 weeks and costs upward of $10,000. An LLM can compress the initial audit down to a few hours because it scans code for patterns rather than specific CVEs. Below are 15 vulnerabilities found while auditing production code with Claude. Each includes the vulnerable code, the fixed version, and a prompt to reproduce the finding. Classification follows OWASP Top 10 (2021). Order reflects frequency of occurrence: most common first. Methodology: how to run an AI security audit The audit consists of three passes. First, a broad scan: the LLM receives the entire project and looks for vulnerability patterns. Second, deep analysis: each identified pattern is verified in context (middleware, ORM, framework). Third, verification: manual review of every finding, because LLMs produce false positives. Prompt for the broad scan: Perform a security audit of this code. For each finding, include: 1. CWE ID and name 2. OWASP Top 10 category 3. Severity (Critical/High/Medium/Low) 4. The vulnerable code snippet 5. Attack vector -- exactly how an attacker would exploit this 6. Fixed code Ignore stylistic comments. Focus on security only. Start with injection attacks, then broken access control, then the rest. This prompt works because it defines the output structure and prioritizes categories. Without explicit instructions, the LLM mixes critical vulnerabilities with remarks about email validation. More on structured AI code review: AI Code Review Checklist . A03:2021 -- Injection 1. SQL Injection via string concatenation The most common finding. Shows up even in projects using an ORM, because developers switch to raw queries for complex filters. Vulnerable code: // API endpoint for user search app . get ( ' /api/users ' , async ( req , res ) => { const { search , sortBy } = req . query ; const query = ` SELECT id, name, email FROM users WHERE name LIKE '% ${ search } %' ORDER

2026-07-08 原文 →
开发者

React Doctor marcó 1,249 problemas en una SPA de React. Cinco valían la pena arreglar

React Doctor es un linter de cero instalación que escanea un codebase de React buscando problemas de correctitud, seguridad, accesibilidad, rendimiento y mantenibilidad, luego los rankea y te entrega una lista de arreglos con forma de agente. Este post es un reporte de campo: lo corrí sobre una SPA real de React 18 + Vite + TypeScript (~50 rutas, TanStack Query, react-hook-form) y separé lo que de verdad me atrapó. El resultado honesto: 1,249 hallazgos, cinco que valía la pena arreglar, incluyendo dos bugs de seguridad reales. Los otros 1,244 fueron una mezcla de ruido, decisiones de criterio, y falsos positivos. TL;DR Categoría Reportados Vale la pena actuar Por qué la brecha Seguridad 18 warnings 2 13 eran sinks saneados en el servidor (falsos positivos); 1 mina de código muerto + 1 XSS real fueron el oro Bugs 24 errores, 487 warnings 2 1 fuga de timer, 1 key/spread; ~27 exhaustive-deps piden criterio humano Accesibilidad 434 warnings, 1 error 1 el 1 error ( aria-selected faltante) era real; los 434 son ruido de <Label> / <button type> Rendimiento 110 warnings 0 nada caliente; candidatos pero sin impacto medido Mantenibilidad 176 warnings 0 opiniones de estilo tipo "componente grande" Total 1,249 5 señal-a-ruido ≈ 1 en 250 El puntaje que imprimió: 39 / 100 . Dos cosas que ese encuadre esconde: los cinco que sacó a la superficie eran de alto valor (una fuga de token en localStorage y un sink de XSS almacenado), y el conteo no es determinista : una segunda corrida del mismo commit reportó 1,254, no 1,249. El veredicto en una línea: excelente generador de hipótesis, pésima compuerta. Úsalo para encontrar candidatos, verifica cada uno contra el código, y nunca conectes el conteo al CI. Qué es React Doctor Un solo binario que corres por npx / pnpm dlx , sin agregar dependencia a tu proyecto, sin archivo de configuración obligatorio. Parsea tu src/ , hace match contra un conjunto de reglas (sus familias: Seguridad, Bugs, Accesibilidad, Rendimiento, Mantenibilidad), e im

2026-07-08 原文 →
AI 资讯

How do you balance speed and security in CI/CD?

Modern software development thrives on rapid iteration. Organizations deploy new features, bug fixes, and infrastructure updates multiple times each day to remain competitive and respond quickly to customer needs. Continuous Integration and Continuous Delivery (CI/CD) have transformed software delivery by automating repetitive tasks and accelerating release cycles. However, speed without security creates significant risk. A fast deployment pipeline that introduces vulnerable code into production can expose organizations to data breaches, service disruptions, and compliance violations. Conversely, excessive manual security reviews can slow innovation and delay valuable releases. The solution lies in integrating security directly into the CI/CD pipeline rather than treating it as a separate checkpoint. This philosophy, commonly known as DevSecOps, enables organizations to deliver software rapidly while maintaining a strong security posture. Understanding CI/CD Pipelines What Is Continuous Integration? Continuous Integration (CI) is the practice of frequently merging code changes into a shared repository. Every commit automatically triggers builds and tests, allowing development teams to identify integration issues early instead of waiting until the end of a project. Frequent integration encourages collaboration, reduces merge conflicts, and improves overall software quality. What Is Continuous Delivery? Continuous Delivery extends Continuous Integration by ensuring that validated code is always in a deployable state. Automated testing, packaging, and release preparation make it possible to deploy new versions with minimal manual effort whenever the business is ready. What Is Continuous Deployment? Continuous Deployment goes one step further by automatically releasing approved changes to production once they pass all quality and security checks. This approach significantly shortens release cycles while requiring a high level of confidence in pipeline automation. Benefi

2026-07-07 原文 →
AI 资讯

The Session ID That Wouldn't Stop Changing

I was implementing a feature where the session container would track a lastActivity timestamp, updated on every authenticated request. Standard stuff. I wrote it, tested it locally with curl, and noticed something odd: I kept getting a new Set-Cookie header value on every response. Not occasionally. On every single one. A week later I was sending a pull request to mezzio/mezzio-session-cache . The Setup: Two Backends, One Session Our system had a constraint: two backend applications, written in different languages, sharing a single user session. One was the main PHP/Mezzio app. The other was a service in a different stack that needed to read from, and update the lastActivity timestamp on, the same session container. There are a few ways to make polyglot session sharing work. We landed on a shared cache backend (Redis) with a well-defined session structure. Both apps could read and write through their own libraries, as long as they agreed on the storage format and the cookie name. The session ID was the contract. That contract is the part that quietly broke. A Missing Escape Hatch My first instinct was the usual list of suspects. Was something calling regenerateId() in a middleware I didn't know about? Was there a logout being triggered somehow? Was a misconfigured cache layer evicting and recreating sessions? After a bit of digging through the call stack, I ended up in the library itself. And there it was: CacheSessionPersistence was regenerating the session ID whenever the session data changed . Not on login. Not on privilege escalation. On every write . That's when the real question hit me: why on earth would a library do that by default? Reading Code Before Changing It When you find behavior that surprises you in someone else's code, the wrong move is to immediately label it broken. The right move is to assume the maintainers had a reason, and find out what it was. The reason, in this case, is session fixation . Session fixation is a class of attack where an atta

2026-07-07 原文 →
AI 资讯

OWASP Top 10 #1: Understanding Broken Access Control (Beginner's Guide)

Disclaimer: I'm currently learning web security through OWASP and PortSwigger Web Security Academy. These are my beginner-friendly notes rewritten as a blog to help reinforce my understanding. If you're just starting out, I hope this makes the topic easier to understand. What you'll learn: In this article you'll learn: ✔ What Broken Access Control is ✔ Vertical Privilege Escalation ✔ Security by Obscurity ✔ Parameter-Based Access Control ✔ Platform Misconfiguration ✔ Horizontal → Vertical Escalation ✔ IDOR ✔ Lessons learned from PortSwigger labs Concept Map: What is Broken Access Control? Broken Access Control happens when a user is able to access data, pages, or perform actions that they are not supposed to . Why should you care? Broken Access Control has ranked #1 in the OWASP Top 10 (2021) because it can expose sensitive data, allow privilege escalation, and let attackers perform actions they should never be able to perform. Think of a website with two types of users: Normal User Admin A normal user should only be able to view their own profile and perform basic actions. An admin, however, can manage users, delete accounts, change settings, etc. If a normal user somehow gains access to those admin features, that's Broken Access Control . In interview terms: Broken Access Control is the failure to properly enforce authorization, allowing users to perform actions beyond their intended permissions. 1. Vertical Privilege Escalation Vertical Privilege Escalation means moving up the permission hierarchy. Example: Normal User ↓ Admin A normal user should never be able to become an administrator. 1.1 Unprotected Functionality One of the simplest forms of Broken Access Control is Unprotected Functionality . Imagine a website has an admin page: /admin The developer removes the Admin button from the normal user's dashboard. Problem solved? No. If a user manually visits: /admin and the server doesn't verify whether they're actually an admin, the page opens. The mistake here

2026-07-07 原文 →
AI 资讯

AI Governance Without Compute: Why Policy Fails When Infrastructure Isn’t Part of the Conversation

Introduction AI governance is often framed around risk, ethics, safety, and international cooperation. These are essential, but they are not sufficient. Governance only becomes real when countries have the computing infrastructure required to run, monitor, and maintain modern AI systems. Without compute, governance is theory. With compute, governance becomes capability. This article explores the missing execution layer in global AI governance — and why bridging the AI divide requires far more than policy alignment. The Hidden Dependency: Governance Assumes Infrastructure Most governance frameworks implicitly assume that nations already have: access to high performance compute reliable data pipelines secure storage operational tooling energy capacity connectivity skilled operators But this assumption is false for the majority of the world. The global AI divide is not primarily about access to models. It is about access to the infrastructure required to run them. Governance frameworks that ignore this reality risk becoming aspirational rather than actionable. The Execution Layer: Where Policy Meets Reality The execution layer is the part of AI governance that turns policy into practice. It includes: compute infrastructure data ingestion and processing pipelines monitoring and evaluation tooling human in the loop operational workflows maintenance and lifecycle management energy and cooling requirements secure deployment environments This layer is rarely discussed in governance conversations, yet it is the foundation upon which all responsible AI depends. Without an execution layer, governance collapses into paperwork. The Real Global Divide Isn’t About Models — It’s About Compute There is a persistent misconception that the AI divide is about access to large models. In reality, the divide is driven by: insufficient compute unreliable infrastructure lack of operational capacity limited data availability absence of secure environments dependency on external providers A c

2026-07-07 原文 →
AI 资讯

AI Doesn't Recommend the Best Product. It Recommends the Best Explained Product.

A simple bubble tea experiment completely changed how I think about AI recommendations. Last week, I asked ChatGPT a question that seemed almost impossible to get wrong. "What are the best bubble tea brands in my city?" Surprisingly,some of the recommended brands were companies I had never heard of before. A few weren't even available in the cities I had lived in. After asking the same question to Claude, Gemini, and DeepSeek, I noticed something interesting that many of the same brands which I'm not familiar kept appearing. AI Isn't Judging Your Brand Humans recommend products because they have experiences. But AI does none of those things. It doesn't know whether one brand actually tastes better than another. Instead, it tries to generate the most statistically reliable answer based on the information it can understand. So, AI doesn't recommend the best brand. It recommends the brand it understands best. The Experiment That Changed My Perspective Once I realized this, I started paying closer attention. I didn't only test bubble tea but also the restaurants, beauty brands, consumer electronics, and ravel recommendations. Again and again, I noticed a pattern. Brands that consistently appeared in AI recommendations usually had several characteristics: Clear product descriptions Well-structured websites Consistent public information Plenty of third-party coverage Easy-to-understand positioning Meanwhile, some excellent brands barely appeared at all, because AI had much less reliable information to work with. That's when I stopped thinking about AI recommendations as opinions. They're much closer to information retrieval problems than human preferences. Consumers Are Already Changing Their Habits This matters because people are beginning to use AI differently from traditional search engines. Instead of searching "Best bubble tea near me", many people (especially the youth) now ask AI to recommend a healthy milk tea brand." The AI becomes the decision maker before the c

2026-07-07 原文 →
AI 资讯

Your AI Workloads Are the New Cloud Sprawl — And Nobody Is Watching

AI is coming for your cloud budget before it comes for your job. Everyone is talking about what AI will do to engineers. Nobody is talking about what AI services are doing to cloud bills right now. Every team is spinning up AI workloads. LLM endpoints; vector databases; GPU instances; embedding pipelines. All of them expensive. Most of them ungoverned. I have seen environments where AI service costs doubled in 30 days because nobody set a budget limit. No alerts. No guardrails. Just an invoice that surprised everyone at month end. This is the new cloud sprawl. But instead of forgotten EC2 instances it is uncontrolled AI API calls and model inference costs running 24/7. The same discipline that applies to cloud infrastructure applies here. Who is allowed to spin up AI services. What models are approved for use. How are API keys being managed. Are there rate limits in place. Is anyone reviewing the cost daily. AI governance in the cloud is not an AI problem. It is a cloud security and FinOps problem wearing an AI hat. The teams that win with AI are not the ones moving fastest. They are the ones who built guardrails before the bill arrived. Govern your AI workloads the same way you govern everything else in your cloud. Before the invoice does it for you.

2026-07-07 原文 →
AI 资讯

The ‘first’ AI-run ransomware attack still needed a human

An AI agent carried out the technical execution of a real-world ransomware attack for the first known time, but new details show a human still chose the victim, set up the infrastructure, and supplied stolen credentials — meaning it wasn't quite the fully autonomous cybercrime debut that last week's headlines suggested.

2026-07-07 原文 →