今日已更新 287 条资讯 | 累计 20259 条内容
关于我们

标签:#security

找到 658 篇相关文章

AI 资讯

Network Fingerprinting: Analyzing Default ICMP Structures and Payload Mimicry

Research Context "In advanced network observability, understanding the default behavior of various operating systems is vital for traffic profiling. This article explores the structural differences in ICMP Echo Requests across different OS environments and analyzes how 'Traffic Mimicry' can be used to evaluate the accuracy of Network Intrusion Detection Systems (NIDS)." 1. The Anatomy of an ICMP Signature A standard ICMP Echo Request is not just a simple signal; it carries a specific "fingerprint" based on the operating system that generated it. These fingerprints consist of: Total Packet Size TTL (Time to Live) values Default Payload Content 2. Cross-Platform Discrepancies (Linux vs. Windows) When a system sends a "ping," the default data size ($D$) and the total packet length ($L$) vary significantly between architectures. Feature Linux (Typical) Windows (Typical) Data Size ($D$) 56 Bytes 32 Bytes ICMP Header ($H$) 8 Bytes 8 Bytes Total ICMP Length ($L$) 64 Bytes 40 Bytes Default Payload Timestamp + Data abcdefg... The Linux Signature In most Linux distributions, the ping utility sends 56 bytes of data. When combined with the 8-byte ICMP header, it totals 64 bytes. A key characteristic of Linux ICMP traffic is that the first few bytes of the payload are often occupied by a high-resolution timestamp, used to calculate RTT (Round Trip Time) with microsecond precision. The Windows Signature Windows systems default to a 32-byte data payload. The payload content is static and follows a predictable alphabetical sequence: abcdefghijklmnopqrstuvwabcdefghi. This static nature makes Windows ICMP traffic easily identifiable during deep packet inspection (DPI). 3. The Concept of Traffic Mimicry Traffic Mimicry is a research method used to test the resilience of network filters. By aligning custom communication protocols with the default signatures of a specific OS, researchers can evaluate whether a security appliance is biased toward certain traffic patterns. For example, wh

2026-06-27 原文 →
AI 资讯

Solving IP Endianness in x64 Assembly: A Single-Pass Algorithm

Research Context When doing low-level network programming in Assembly, you experience firsthand the immense chaos running behind the scenes of operations we solve with a single line in high-level languages (Python, C, etc.). While developing the Nested-ICMP-Communication Analysis project, specifically an Encapsulated ICMP framework, I hit exactly this kind of wall: extracting an IP address from a packet header and printing it to the screen in the correct format. Sounds simple, right? However, when x86 architecture and network protocols are involved, seeing 5.1.168.192 instead of 192.168.1.5 on your terminal is extremely common. So why does this happen, and what kind of algorithm did I develop to overcome this issue during the debugging process? Let's dive into the background. The Endianness Problem in Network Headers When you capture a packet coming over the network and read the source/destination IP address inside the sockaddr_in structure, the data arrives in Network Byte Order (Big-Endian) format. This means the most significant byte is stored at the lowest memory address. However, the x86/x64 processor architectures we use rely on Little-Endian (Host Byte Order). When the processor pulls this 4-byte IP data into a register, the reading direction is effectively reversed for our purposes. The result? A packet that arrives as 192.168.1.5 appears scrambled if we try to naively print it from memory. The inet_ntoa() function in high-level languages handles this conversion in the background. But if you are writing a custom sniffer in pure Assembly, you must do this conversion byte by byte yourself. Debugging Hell: The Problems Encountered While writing this conversion, I encountered a few critical issues that cost me hours in GDB (GNU Debugger): Register Clashes: While separating each octet (byte) of the IP address and converting it to an ASCII character (string), you must use the AX register for division operations (DIV). If you don't carefully manage your remainders

2026-06-27 原文 →
AI 资讯

What 10,000 domains actually publish for email authentication in 2026

Email authentication has been "solved" on paper for years. SPF, DKIM, and DMARC are old standards, every deliverability guide repeats them, and Google and Yahoo made DMARC effectively mandatory for bulk senders in 2024. So I expected the top of the web to be in good shape. In June 2026 I ran SPF, DKIM, DMARC, and MTA-STS checks across the Tranco top 10,000 domains, using public resolvers (1.1.1.1 and 8.8.8.8) and the same checks my own tool runs. The records are public DNS, so anyone can reproduce this. The picture is worse than the "solved problem" framing suggests, and the interesting part is not adoption, it is where people stop. A third of the top 10k still have no DMARC 3,318 of the 9,937 domains that resolved (33.4%) publish no DMARC record at all. These are not obscure sites, they are the most-visited domains on the web. Without DMARC a receiver has no published instruction for what to do when SPF and DKIM fail, and you get none of the aggregate reporting that tells you who is sending as you. It does get better at the very top. Among the top 1,000 domains, 28.4% have no DMARC, versus 34% across the rest of the 10k. Better, not good. The real problem is p=none, not missing records This is the number that actually matters. Of the 6,619 domains that do publish DMARC, only 46.5% are at p=reject . About a quarter (26%) are still sitting at p=none . p=none is monitor-only. It asks receivers to report what they see and to enforce nothing. It is the correct first step: publish p=none , collect aggregate reports, fix the sources that should be passing, then tighten the policy. The trouble is that p=none is also where most deployments quietly stop. The reports start arriving, nobody reads them, and the domain sits unprotected behind a policy that does nothing while looking like progress. Moving from p=none to p=reject is the step that turns DMARC from a dashboard into a defense, and it is the step most people never finish. I wrote up the safe way to make that move , si

2026-06-27 原文 →
AI 资讯

How offline license activation actually works

If you ship a desktop app outside an app store, you eventually hit the same wall: how do you check a license when the user is on a plane, behind a corporate firewall, or just offline? Calling your server on every launch isn't an option. Here's how offline activation actually works, without the hand-waving. The naive version, and why it breaks The first thing everyone reaches for is "call home on launch, get back yes/no." It works in the demo and fails in the wild: No network = no app. Fail-closed locks out paying customers. Fail-open means anyone who blocks your domain runs free. Both are bad. A boolean is forgeable. If your app trusts a {"valid": true} response, a proxy or a patched DNS entry returns that for free. The fix isn't a better endpoint. It's moving the trust off the network and onto cryptography. The model that works: signed leases The durable pattern is a cryptographically signed lease (Keygen calls these license files, Keylight calls them leases — same idea): On first activation, the device talks to the server once . The server returns a small signed document: the license state, an expiry, the device binding, and any entitlements (which features/tiers are unlocked). The document is signed with the server's private key (Ed25519 is the modern choice — small, fast, boring in the good way). Your app ships the matching public key and verifies the signature locally on every launch. No network needed. Because the app only ever verifies with a public key, there's nothing secret in the binary to steal, and a forged lease fails the signature check. That's the whole trick: the server vouches once, math vouches forever after. first launch ──► server signs lease (Ed25519, private key) ──► stored on device every launch ──► app verifies signature (public key) ──► no network Device binding (so one key isn't infinite installs) A lease is bound to a device so a single license can't be pasted onto a thousand machines. The lease embeds a device fingerprint, and the SDK ch

2026-06-27 原文 →
AI 资讯

Security Profiles Operator hits v1 with stable APIs and a hardening pass

After several years carrying a beta tag, the Kubernetes Security Profiles Operator went 1.0.0 on June 26, freezing eight CRD APIs and clearing a third-party security audit with no criticals. For cluster admins, the practical effect is small but consequential: the syscall and LSM profile a workload runs under is now declared on APIs that will not move under your feet. The release was announced by Sascha Grunert of Red Hat on the CNCF blog. SPO is the Kubernetes operator that manages seccomp, SELinux and AppArmor profiles as cluster-scoped objects, then attaches them to pods. Until now the value proposition was good and the API was provisional. v1.0.0 nails the second half down. What's actually stable All eight CRDs graduated to v1, including SeccompProfile , ProfileRecording , SelinuxProfile , RawSelinuxProfile , and the AppArmor profile type. Conversion webhooks ship with the release, so a cluster running earlier API versions can roll forward without scheduling downtime. The older versions remain available and are slated for removal in a future release. The migration is on the clock, not on fire. The audit pass came with some shape changes that are worth reading before you upgrade. SelinuxProfile swapped its boolean permissive field for a mode enum with Enforcing and Permissive values, which means any GitOps templates that hard-coded permissive: true need a rewrite. RawSelinuxProfile is now gated by an enableRawSelinuxProfiles configuration flag and a validating admission webhook, so the most privileged path through the operator is off by default. AppArmor inputs run through strict regex validation, raw policy payloads are capped at 500 KB, and the eBPF profile recorder picked up explicit resource limits. Why a cluster team should care The point of an operator like this is to take the profile out of the host's filesystem and into the API. That changes the blast radius of "we shipped a container with no profile at all." With SPO and a workload-attached profile, the r

2026-06-27 原文 →
开发者

BurnAfterRead – E2E encrypted self-destructing drops on Cloudflare Workers

I built a zero-knowledge secret sharing tool. Text and files are encrypted in the browser with AES-GCM 256 before upload - the server only ever sees ciphertext. The decryption key lives exclusively in the URL fragment (#k=...). URL fragments are never sent in HTTP requests (RFC 9110 §4.2.3), so Cloudflare Workers, D1, and R2 never see it - even in logs. A few things I tried to do right: Single-use by default: Durable Objects handle atomic read→decrement→delete with blockConcurrencyWhile, no race conditions on concurrent requests Paranoid mode: returns not_found instead of expired/burned, no timing oracle Revoke endpoint: delete a drop before it's read using a SHA-256'd token with constant-time comparison CLI: burnafter send / burnafter receive - full E2E from terminal, key never touches a browser - /security page with a live in-browser AES-GCM demo and a manual Node.js decryption snippet so you can verify without trusting me Stack: Cloudflare Workers + D1 + R2 + Durable Objects. No third-party crypto libs. Live: https://burnafterread.casablanque.com Source: https://github.com/casablanque-code/burnafterread Verify: https://burnafterread.casablanque.com/security

2026-06-27 原文 →
AI 资讯

I let my AI agent provision cloud infra. Then I made sure it couldn't go bankrupt doing it.

A few days back I wrote about giving an autonomous agent database access and building a firewall so it couldn't DROP TABLE prod. Same lesson, new surface: this time the agent had cloud credentials . The failure mode isn't a destructive command here. It's spend. An agent pointed at a networking task can scan a whole range looking for hosts, then spin up a fleet of instances to do it faster. Every individual call is "authorized," your IAM role said yes. The bill is what eventually says no. ## Two shapes, two right answers The interesting part is that these are not the same kind of problem, so they don't get the same verdict. 1. The scan is never legitimate as an agent tool call. An nmap -sS -p- 10.0.0.0/16 or a masscan across a network is reconnaissance and abusive egress. There's no benign version of an agent sweeping a network at scale, so it gets hard-blocked , deterministically, before the call runs. (A scan of your own localhost is a dev check, so that's exempt.) 2. The provisioning might be totally fine. Spinning up 50 instances could be a real scale-out, or a runaway loop burning money. You can't tell from the action alone, only from the consequence. So instead of blocking it, AgentX pauses it for a human : a 202, "held for approval," routed to whoever owns the budget. Block the thing that's never okay, escalate the thing that's sometimes okay. Gate on consequence, not identity. Both checks are zero-LLM. No model in the hot path means no latency tax and nothing to talk out of it. A runaway fleet should be caught by a rule, not a vibe. ## The bigger thing this closes We keep a catalog of real, documented agent failures and triage each one: is it something an action firewall can deterministically catch, or is it someone else's category (output hallucination, content safety, model internals)? We only build for the coverable ones, and we flag the rest honestly instead of faking a signature. With this release, the coverable list is done . Every failure shape an acti

2026-06-27 原文 →
AI 资讯

Your cloud keys should not exist

Most cloud platforms that need access to your infrastructure start with the same onboarding step: paste in a service account key. Or an access key and secret. Or a JSON blob you downloaded from the console and definitely should not be emailing to yourself. You paste it in. The platform stores it. You hope they encrypted it. You hope they rotate it. You hope nobody on their team can read it. You move on with your day and try not to think about it. We built Zero — b0gy's platform for engineering truth — around a different premise. For cloud infrastructure access — GCP and AWS — we don't store credentials at all. The platform connects to your projects and accounts using short-lived, federated identity tokens that are minted on demand and expire in minutes. There is nothing to leak because there is nothing stored. Not every integration can work this way. GitHub, Slack, and Jira use OAuth, which means we do hold tokens for those services. But for the highest-risk connections — the ones with read access to your entire cloud infrastructure — keyless was a hard requirement. This is the first post in a three-part series about building Zero. We're starting here because the connector model shaped everything else. Why stored secrets are the wrong default The argument for storing a service account key is convenience. You paste it once, the platform can access your cloud whenever it needs to. Simple. The argument against it is longer. A stored secret is a liability that compounds over time. The moment you paste a GCP service account key into a third-party platform, you've created a credential that is valid indefinitely, scoped to whatever permissions you granted, and stored in a system you don't control. If that platform gets breached — or if an employee with database access gets curious — that key works until someone revokes it. And nobody revokes it, because nobody remembers it exists. This isn't theoretical. The GitGuardian 2026 report found 28.65 million hardcoded secrets pus

2026-06-27 原文 →
开发者

Malware Unpacking & Anti-Analysis Bypass: A Deep Dive into Real-World Techniques

Malware authors don't make our job easy. Every time we think we've figured out their tricks, they layer on another obfuscation technique, another anti-debugging check, another sandbox evasion. Over the past few weeks, I've been deep in the trenches with some particularly stubborn samples — the kind that detect your debugger, hide their strings behind XOR encoding, and hollow out legitimate processes to hide their payload. This article walks through my hands-on exploration of these techniques. We'll look at how malware detects analysis tools, how it obfuscates its strings, how it unpacks itself in memory, and most importantly — how we can bypass these defenses to see what the malware is actually trying to do. The tools we'll use: x64dbg/x32dbg for dynamic analysis and patching IDA Pro for static disassembly REMnux (Linux toolkit) for string deobfuscation FLOSS, XORSearch, bbcrack for automated string decoding Scylla & OllyDumpEx for dumping unpacked payloads Process Hacker for memory forensics Problem Statement Modern malware is rarely "what you see is what you get." A single executable might be: Packed — the actual malicious code is compressed/encrypted and only revealed at runtime Anti-debug aware — it checks for debuggers and changes behavior or terminates Sandbox-aware — it detects virtualized environments and refuses to execute its payload String-obfuscated — URLs, registry keys, and IOCs are encoded to evade signature detection Process-injecting — it hollows out a legitimate process (like explorer.exe ) and runs its code there Our goal: peel back these layers and extract the real payload for analysis. Exercise 1: Bypassing Debugger Detection in getdown.exe What I Found The first sample, getdown.exe , refused to show any network activity when run inside a debugger. Outside the debugger, it connected to 1.234.27.146:80 . Classic anti-debugging behavior. The Detection Mechanism Using x64dbg, I searched for intermodular calls and immediately spotted IsDebuggerPrese

2026-06-27 原文 →
AI 资讯

On-premises AI coding tools - safeguarding data privacy in software development

Check how on-premises AI solutions empower enterprises to safeguard sensitive code, ensure data residency, and maintain full compliance without compromising performance. Why privacy and security matter in AI-powered development? As enterprises increasingly adopt AI to automate code reviews, testing, and vulnerability scanning, ensuring data privacy becomes paramount. Cloud-based AI tools may expose sensitive source code, customer data, or intellectual property to external risks. By contrast, on-premise AI tools allow organizations to keep data within their controlled environments by aligning with data sovereignty and compliance requirements like GDPR and CCPA. According to Gartner, by 2026, 75% of organizations will demand AI solutions that guarantee strong data residency and compliance assurances. What are on-premise AI tools for software development On-premise AI tools are artificial intelligence solutions that are deployed and operated within an organization’s own infrastructure, rather than relying on external cloud services. In the context of software development, on-premise AI allows teams to leverage advanced AI capabilities such as code analysis, automated testing, and security scanning while keeping all data and processes within their own controlled environment. Core components of on-premise AI infrastructure include: Hardware: servers, GPUs, and storage devices physically located on-site or in a private data center. Software: AI models, orchestration tools, and management platforms installed and maintained by the organization. Security Measures: firewalls, access controls, and monitoring systems tailored to the organization’s specific needs. Examples of on-premise AI tools in software development: AI-powered code review platforms installed on internal servers automated vulnerability scanners running within the company’s network machine learning models for test automation, hosted locally. Primary connection to data privacy: on-premise AI ensures that sensit

2026-06-26 原文 →
AI 资讯

Argo CD 3.5 Tightens Supply Chain Security with Internal mTLS and Source Integrity

The Argo CD project released a v3.5 release candidate in June 2026. This version adds mutual TLS enforcement for internal components. It also includes Git commit signature verification for supply chain security and native ApplicationSet management in the UI. The release also graduates two significant features: impersonation and Source Hydrator, from alpha to beta. By Claudio Masolo

2026-06-26 原文 →
AI 资讯

Understanding Malware Analysis: Types, Methodology, and Lab Setup Fundamentals

I've been digging into malware analysis lately, and one thing became clear pretty fast: before you ever touch a debugger or run a suspicious binary, you need to understand the landscape — what malware actually is, how it's classified, and what a safe, repeatable analysis workflow looks like. This post is my attempt to organize that foundation. No flashy exploit walkthrough here — just the core concepts I think anyone starting out in malware analysis needs to internalize first, because skipping this step is how people either get sloppy or get burned (sometimes literally infecting their own host machine). Problem Statement If you search "malware analysis tutorial," you mostly get tool-specific guides — "how to use Ghidra," "how to use Process Monitor" — without context on why you'd choose static vs. dynamic analysis, or how to build a lab that won't accidentally compromise your real network. I wanted to write down the methodology layer first: the classification of malware, the four analysis approaches, and the non-negotiables of lab isolation. This is the stuff that makes the tool-specific tutorials actually make sense later. What Malware Analysis Actually Is Malware analysis is the study of a malicious program's behavior — the goal is to understand what it does, how it got in, and how to detect/eliminate it across an environment, not just on one infected machine. A few concrete objectives that stuck with me: Determine the nature of the malware — is it an infostealer, a keylogger, a spam bot, ransomware? Understand the compromise — how did it get in, and what's the blast radius? Infer attacker motive — banking credential theft usually points to financial motive; persistence + C2 beaconing might point to espionage. Extract network indicators — domains, IPs, User-Agent strings — for network-level detection. Extract host-based indicators — registry keys, dropped filenames, mutexes — for endpoint-level detection. This connects directly to something called the Pyramid of P

2026-06-26 原文 →
AI 资讯

AI Agents and Persistent Context: What design.md Teaches Us

A GitHub repository called design.md has been trending recently, accumulating over 1,400 stars. The concept is straightforward: provide AI agents with a persistent design document they can reference throughout their work. This approach addresses a practical challenge in agent development that many teams encounter. The Context Challenge When working on complex tasks, AI agents need to understand the broader picture. What's the architecture? What constraints exist? What approaches have been tried before? Typically, agents get context from: Current conversation (limited window) Code comments (often outdated) Documentation (if it exists) The issue is that this context is fragmented and temporary. When conversation moves forward, earlier context disappears. When documentation is outdated, agents make incorrect assumptions. A design.md provides a single source of truth that persists across sessions. What Belongs in design.md An effective design.md answers these questions: What are we building? Beyond feature lists, document the core purpose. Why does this project exist? What problem does it solve? What are the key architectural decisions? Document major choices and their rationale: "PostgreSQL was chosen over MongoDB because ACID guarantees are required for financial transactions" "Microservices architecture was adopted because components have different scaling requirements" What constraints exist? Technical constraints (performance requirements, browser support), business constraints (budget, timeline), and regulatory constraints (GDPR, HIPAA). What has been tried before? Document failed approaches to prevent agents from suggesting rejected solutions. What are the current challenges? Known issues, technical debt, areas needing improvement help agents prioritize work. How Agents Use design.md When starting a task, agents can: Read design.md to understand context Make decisions aligned with documented architecture Avoid solutions violating constraints Reference design.md i

2026-06-26 原文 →
AI 资讯

Dotsync – A zero-knowledge CLI to sync dotfiles and secrets in Go

I spent 3 months building a tool that solves the most annoying part of working on a dev team. You know the drill: → New dev joins → "hey check your DMs" → Someone pastes the .env in Slack → That message sits there forever → 6 months later someone screenshots it by accident or worse — → git add . → git commit -m "added env" → git push → you just leaked your prod database URL to the internet I got tired of it. So I built DotSync. ─────────────────────────────────── Here's what it looks like in practice: $ dotsync push 🔒 Encrypting 10 secrets for team access... 📤 Uploading... ✅ Version : v7 Secrets : 10 keys encrypted Teammates can now run: dotsync pull That's it. New dev joins? They run dotsync pull. Secrets updated? dotsync push. Moving between your laptop and work machine? dotsync pull. ─────────────────────────────────── The part I actually care about — security: Everything is encrypted ON your machine before it hits the network. The server stores a blob it literally cannot read. I'm not asking you to trust my infrastructure. You don't have to. Stack if you're curious: • Argon2id key derivation (64MB memory cost — brute force isn't happening) • AES-256-GCM encryption • Zero-knowledge server (stores ciphertext only) • Single Go binary, no runtime deps ─────────────────────────────────── Other things it does that I use daily: dotsync diff → shows exactly which keys changed vs remote (never shows values) dotsync history → full version history, who pushed what and when dotsync rollback → restore any previous version in one command dotsync run -- node server.js → injects secrets as env vars, nothing written to disk dotsync scan → scans your codebase for accidentally committed secrets ─────────────────────────────────── Free tier covers: • 1 project • 3 team members • 7 days history That handles most small teams completely free. ─────────────────────────────────── Now the part where I need your help: I'm looking for 100 engineers to actually stress test this. Not "give i

2026-06-26 原文 →