今日已更新 328 条资讯 | 累计 20300 条内容
关于我们

标签:#security

找到 665 篇相关文章

AI 资讯

Should Your App Adopt Passkeys?

Someone on your leadership team asked a reasonable question: should we adopt passkeys? You searched for answers and found implementation tutorials - WebAuthn server libraries, credential storage schemas, ceremony diagrams. They assume you've already decided. None of that helps you answer the question you were actually asked. This article is a decision guide. The question isn't how to implement passkey login. It's whether you should, when the timing makes sense, and for which users first. Implementation details matter eventually - but they don't belong at the front of the decision. You've seen Apple's demos and Google's Chrome nudges. Your security team may have sent a memo about phishing-resistant authentication. You know the term. What you don't have is a clear way to evaluate whether passkeys fit your product, your users, and your team's capacity to ship and support them. By the end of this article, you'll have scored your app against a readiness checklist, mapped show-stoppers that can block adoption, and drafted a one-page recommendation for leadership. Plain Terms: Passkeys, Passwords, and MFA Before scoring your app, you and stakeholders need to mean the same thing when you say "passkey", "password", and "MFA". Vendor decks use these loosely. A PM might say "passkeys replace passwords" while security means "phishing-resistant credentials". Both can be true. Passwords are shared secrets the user types; your server checks a hash. They leak via breaches and phishing sites. Users forget them, reuse them, and call support. MFA adds a second factor - app push, SMS, hardware key, or biometric. It cuts credential-stuffing and many phishing attacks, but adds friction, lost-device tickets, and cross-platform complexity. Passkeys are cryptographic key pairs on the user's device. The private key never leaves the device or synced passkey manager. Sign-in means unlocking with biometrics or a PIN; your server stores only the public key and verifies a signature. On web, the b

2026-06-25 原文 →
AI 资讯

Your Database Will Be Breached Someday. The Question Is: Will Passwords Be Inside?

Most developers think password hashing is about authentication. It's not. Authentication is just a side effect. Password hashing exists for a much darker reason: because databases get stolen. Every year, companies invest millions in firewalls, monitoring systems, cloud security, and access controls. Yet breach after breach continues to make headlines. The uncomfortable truth is that security teams don't assume a breach will never happen. They assume it eventually will. And when that day comes, one question determines whether the incident becomes a minor security event or a full-scale disaster: Did you hash the passwords? The Difference Between an Incident and a Catastrophe Imagine an attacker gains read access to your production database. Not a far-fetched scenario. A leaked backup. A vulnerable API. A compromised employee account. A misconfigured cloud bucket. The attacker runs a simple query: SELECT email , password FROM users ; If your system stores passwords in plain text, the breach is over. The attacker already won. No advanced techniques. No brute force. No expensive infrastructure. They now possess something more valuable than your database itself: your users' digital identities. Because users rarely reuse databases. They reuse passwords. The same password protecting an account on your platform might also unlock their Gmail, GitHub, LinkedIn, banking app, or company VPN. What started as your security problem instantly becomes everyone else's. This Is Not Theoretical History has repeatedly shown what happens when passwords are handled incorrectly. The RockYou breach exposed more than 30 million passwords stored in plain text. Attackers didn't need to crack anything. They simply read the data. Years later, those leaked passwords were still appearing in credential stuffing attacks across the internet. A single backend decision survived longer than the company itself. That's the thing about password leaks. They don't expire when the incident report is published.

2026-06-25 原文 →
AI 资讯

Why the Scams Prevention Framework Requires More Than Awareness

For years, scam prevention has leaned heavily on awareness. Be careful. Do not click suspicious links. Check the sender. Call the organisation directly. Do not trust urgent payment requests. Slow down before you act. These messages are useful, and they should not disappear. But awareness is no longer enough to describe what serious scam defence requires. The Scams Prevention Framework, or SPF, moves the conversation from “make users more careful” to “make the scam ecosystem harder to exploit.” That shift is important. Modern scams do not succeed only because a user failed to notice a warning sign. They succeed because scam operators move through gaps between messaging channels, platforms, brand impersonation, payment pressure, fake infrastructure, multilingual persuasion, reporting delays, and weak post-report disruption. Awareness helps at the point of decision. SPF requires capability across the whole chain. In my view, awareness alone covers about 28% of the real scam defence problem. The rest sits in evidence quality, intelligence sharing, infrastructure disruption, multilingual interpretation, safe financial harm context, recurrence monitoring, and operational response. That is why SPF should not be read as an education policy. It should be read as an operating model. The Awareness Ceiling Awareness is a front-line control, not a full defence system. It helps users recognise risk, but it cannot remove the fake page, connect related reports, preserve evidence, disrupt a fake app, identify a phone-linked abuse path, or monitor the next replacement domain. It also assumes the user has enough time, confidence, language support, and emotional distance to make a calm decision. Many scam situations are built specifically to remove those conditions. Scammers do not only trick uninformed people. They create urgency for informed people. They create authority for cautious people. They create routine-looking payment requests for busy people. They create private pressure fo

2026-06-25 原文 →
AI 资讯

Grab Builds Secure Agentic AI Workload Platform

Grab's security team built Palana, a Kubernetes-native secure execution platform, to run autonomous AI agents safely. Unlike deterministic software, model-driven agents exhibit unpredictable tool-use, code-writing, and prompt injection risks. Palana contains these threats at the infrastructure level using isolated namespaces, out-of-process control planes, and proxy-mediated, Vault-backed secrets. By Patrick Farry

2026-06-25 原文 →
AI 资讯

How I built an end-to-end encrypted pastebin (and why the server can’t read your text)

got annoyed that pastebin and similar sites log everything and keep your text forever, so i built one where the server literally cant read what you paste. heres how the encryption actually works and what i learned building it the problem most paste sites work like this: you type something, it goes to their server as plain text, and it sits in their database. they can read it. their employees can read it. anyone who breaches them can read it. and a lot of them keep it forever even after you think its gone. i didnt want to just promise not to look at your stuff. i wanted it so that i cant look even if i wanted to. the idea: encrypt before it leaves the browser the trick is that all the encryption happens on your side, in the browser, before anything gets sent. the server only ever sees scrambled bytes. the key never touches the server at all, it lives in the part of the url after the # , which browsers dont send in requests. so the flow is basically: you paste text browser generates a random key text gets encrypted with that key only the encrypted blob goes to the server the key gets stuck in the link after a # whoever opens the link decrypts it locally the actual code modern browsers have the Web Crypto API built in, so you dont need any library for this. heres the encrypt part, stripped down: \ `js async function encrypt(text) { const key = await crypto.subtle.generateKey( { name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"] ); const iv = crypto.getRandomValues(new Uint8Array(12)); const encoded = new TextEncoder().encode(text); const ciphertext = await crypto.subtle.encrypt( { name: "AES-GCM", iv }, key, encoded ); // export the key so we can put it in the url const rawKey = await crypto.subtle.exportKey("raw", key); return { ciphertext, iv, rawKey }; } ` \ the ciphertext and iv go to the server. the rawKey gets base64'd and dropped into the link after the # . decrypting is just the same thing in reverse with crypto.subtle.decrypt . the thing that tripped

2026-06-25 原文 →
AI 资讯

I built a local-only credential vault because every dev team I worked with stored PATs in Notepad

The Problem I Kept Seeing Over the past year working across multiple client teams on DevOps and pipeline work, I kept noticing the same thing. Developers storing GitHub PATs in Notepad. QA engineers keeping API keys in a text file on the desktop. DevOps folks with database passwords in a sticky note app. During screen shares — sprint reviews, debugging sessions, pair programming, recorded demos — those credentials were just sitting there. Visible to everyone in the call. Nobody said anything. It just kept happening. Why Existing Tools Didn't Fit I looked for something simple that solved this. Here's what I found and why none of it quite worked: Password managers (1Password, Bitwarden) Good tools. But they're built around cloud sync, browser extensions, and team sharing. For an individual developer who just wants somewhere safe to keep a PAT — overkill. Also: corporate IT policies often block installation of cloud-synced password managers on work machines. Secret managers (HashiCorp Vault, AWS Secrets Manager) These are infrastructure tools, not personal workflow tools. Setting up Vault for an individual developer's PAT collection is like using a forklift to move a chair. OS keystores (Windows Credential Manager, macOS Keychain) Actually decent for storage. But no UI built for this workflow, no copy-to-clipboard, and they don't solve the screen-exposure problem at all. The gap: Something simple, local, and designed around the moment of use — not just storage. So I Built Tokenly Tokenly is a local-only desktop credential vault. The core design principle is simple: Credential values are never shown on screen. You copy them to clipboard. That's the only way to use them. The clipboard auto-clears after 30 seconds. If you need to visually verify a value — press and hold a button. Release it, the value hides immediately. Not a toggle — a hold. Toggles get forgotten. Holds don't. Technical Decisions Worth Explaining Why Tauri over Electron Tauri uses the operating system's

2026-06-24 原文 →
AI 资讯

Verify Nylas webhook signatures to trust your data

A webhook endpoint is a public URL sitting on the internet, and anything on the internet can send it a POST . If your app acts on whatever lands there, an attacker who guesses the URL can forge events: fake an inbound email, trigger a workflow, or feed your system garbage. The fix is to confirm two things before you trust a request, that you own the endpoint and that Nylas actually sent the payload, and both are built into how webhooks work. This post covers verifying webhooks from two angles: the HTTP mechanics your endpoint implements, and the nylas CLI for testing a signature without standing up a server. I work on the CLI, so the terminal commands below are the ones I reach for when I'm debugging a signature mismatch. Two layers of webhook trust There are two separate checks, and they happen at different times. The first is a one-time endpoint challenge: when you register or activate a webhook, Nylas sends your URL a request with a challenge value you echo back, proving you control the endpoint. The second runs on every notification afterward: each delivery carries a cryptographic signature you verify against a shared secret, proving the payload is genuine and wasn't tampered with. You need both because they defend against different things. The challenge stops you from accidentally registering an endpoint you don't own and confirms the URL is live. The signature stops anyone else from posting forged events to that URL once it's known. Skip the signature check and your public endpoint will trust any POST that reaches it, which is the most common webhook security mistake. Pass the endpoint challenge The first time you set up a webhook or flip one to active , Nylas sends a GET request to your endpoint with a challenge query parameter. Your endpoint has to return the exact value of that challenge in the body of a 200 OK response, within 10 seconds, or the webhook won't verify. It's a quick handshake that proves the URL is yours and reachable. // Express: echo the ch

2026-06-24 原文 →
AI 资讯

Notes on adversarial paraphrasing: a paper review

Just finished reading Saha et al. arXiv 2506.07001 on adversarial paraphrasing for AI detector evasion. Key claim: detector-guided paraphrasing with RoBERTa as reward reduces TPR by 87.88 percent across Binoculars, Fast-DetectGPT, Ghostbuster, RADAR, GPTZero. Universal, training-free. What surprised me: the approach works even on detectors that were trained with adversarial examples baked in. Suggests the discriminator signal is fundamentally narrower than the generator space. Open questions: Does this generalize to detectors using surprisal variance (DivEye 2509.18880)? Multi-LLM round-robin generation: would mixing 3-4 models in pipeline give even more headroom? Token-level homoglyph substitution (SilverSpeak) is trivially detectable via Unicode normalization, but adversarial paraphrasing leaves no such forensic signal.

2026-06-24 原文 →
AI 资讯

Welcome to My Developer Blog

I'm Dr. Mohammad Reza Beheshti, Founder of CyberSiARA. I hold a PhD in Electronic Engineering and Artificial Intelligence and have over 15 years of experience in cybersecurity research and innovation. My passion has always been solving complex security challenges through technology. This journey led me to found CyberSiARA, where we're developing AI-powered bot protection and human verification solutions to help organizations defend against increasingly sophisticated cyber threats. I enjoy combining academic research with practical engineering to create technologies that are both innovative and effective in the real world. Through this blog, I share insights from my research, product development, and experiences building a cybersecurity company, with the aim of helping developers and security professionals stay ahead of emerging threats. I'm always keen to learn, collaborate, and contribute to the global developer and cybersecurity communities.

2026-06-24 原文 →
AI 资讯

Deploying Ory Kratos Open-Source Identity and User Management System on Ubuntu 24.04

Ory Kratos is an open-source, API-first identity and user management system handling registration, login, recovery, verification, and session management with a self-service UI. This guide deploys Kratos using Docker Compose with PostgreSQL, the self-service UI Node, and Traefik handling automatic HTTPS for the public API. By the end, you'll have Kratos managing identities and sessions for users registering through your domain over HTTPS. Prerequisite: SMTP credentials are required for verification and recovery emails. The admin API stays bound to 127.0.0.1 on purpose — never expose it publicly. Set Up the Directory Structure 1. Create the project directories: $ mkdir -p ~/ory-kratos/ { config,data/postgres } $ cd ~/ory-kratos 2. Create the environment file: $ nano .env DOMAIN = kratos.example.com LETSENCRYPT_EMAIL = admin@example.com KRATOS_VERSION = v26.2.0 POSTGRES_USER = kratos POSTGRES_PASSWORD = EXAMPLE_DB_PASSWORD POSTGRES_DB = kratosdb LOG_LEVEL = info 3. Create the identity schema — defines the user fields (email + name) and how the email maps to login, recovery, and verification: $ nano config/identity.schema.json Use the schema described in the Vultr Docs walkthrough — email is the login identifier with password auth; name is a free-text trait. 4. Create the Kratos configuration — public/admin API URLs, password policy (12-char minimum + HaveIBeenPwned), session lifetimes, self-service flows, SMTP courier: $ nano config/kratos.yml Fill in the full configuration from the source article. Key points to keep consistent with the stack below: Public API listens on the internal port and is fronted by Traefik on ${DOMAIN} . Admin API listens on 127.0.0.1:4434 only — used by tooling on the host. The DSN points at the postgres service ( postgres://kratos:...@postgres:5432/kratosdb?sslmode=disable ). The courier section uses your SMTP provider for verification mail. Deploy with Docker Compose 1. Create the Compose manifest: $ nano docker-compose.yml services : traefi

2026-06-24 原文 →
AI 资讯

The Tool Found Corridor Nodes — But the Bigger Finding Was Where It Found None

A few weeks ago I published corridor-lab — a Docker lab that proved a triage mismatch: a service that stores nothing sensitive can become high-priority because of where it sits in the path to a sensitive downstream system. The lab proved the premise. The next question was whether a tool could identify those nodes automatically — without manual path declaration, without value labels, from graph position alone. So I built corridor-id. You point it at a Docker Compose file. It discovers the topology, computes depth from exposed surfaces, and identifies which nodes expand forward reach into deeper parts of the environment. No asset-value labels. No sensitivity ratings. No human classification. Reach and graph position only. Then I pointed it at four architecturally different Docker environments. Two had corridor nodes. Two had none. Both answers were useful. But the zero-corridor results taught me more than the positive ones. What corridor-id does The tool reads a Docker Compose file and builds a reachability graph from service definitions, network memberships, and port mappings. It then orients that graph from exposed surfaces using BFS and identifies nodes that provide forward reach — access to strictly deeper nodes that the exposed surface cannot reach directly. The output is a ranked list with two metrics: exposure distance (how close to the surface) and forward reach gain (how many deeper nodes become reachable through this node). One command: python corridor-id.py docker-compose.yml No manual path declaration. No value labels. No configuration. From graph position alone. The four tests corridor-lab — segmented, depth 3 My own lab, five services across five segmented networks. The tool independently identified status-api as a corridor node — the same finding the lab was built to prove. Corridor nodes found: 3 → status-api Exposure distance: 1 Forward reach gain: 1 → log-monitor Exposure distance: 1 Forward reach gain: 1 → internal-admin-api Exposure distance: 2 For

2026-06-23 原文 →
AI 资讯

npm Supply Chain RAT: PostCSS Impersonation & Dependency Confusion

Originally published on satyamrastogi.com Three malicious npm packages masquerading as PostCSS tools delivered Windows RAT payloads. Analysis of supply chain attack mechanics, payload delivery chains, and detection gaps in dependency management. Malicious npm Packages Pose as PostCSS Tools to Deliver Windows RAT Executive Summary This is a textbook supply chain attack leveraging npm's trust model. Three packages published in June 2026 - aes-decode-runner-pro , postcss-minify-selector , and postcss-minify-selector-parser - delivered Windows RAT payloads to developers. The attack demonstrates why automated dependency management without behavioral validation is a critical vulnerability. What makes this particularly effective: PostCSS is a legitimate, widely-used build tool. Developers hunting for PostCSS plugins via search or copy-pasting dependency names from tutorials become easy prey. The attacker didn't need zero-days, social engineering sophistication, or exploit kits. Just npm account registration and package uploads. This follows the exact pattern we've seen in credential theft campaigns prioritizing convenience over complexity . Low barrier to entry, high payoff. Attack Vector Analysis MITRE ATT&CK Framework Mapping This attack chains multiple techniques: T1195.001: Compromise Third-Party Software Supply Chain - Malicious package publication on npm registry T1566.002: Phishing - Spearphishing Link - Package discovery and recommendation (implicit trust) T1059.003: Command and Scripting Interpreter - Windows Command Shell - RAT payload execution T1105: Ingress Tool Transfer - Initial RAT download mechanism T1571: Non-Standard Port - C2 communication channels (typical) Kill Chain Breakdown Stage 1: Reconnaissance & Naming Attacker identifies PostCSS as high-value target (builds present in thousands of projects) Creates names that blend legitimacy with search results: postcss-minify-selector exploits incomplete package searches The aes-decode-runner-pro variant sug

2026-06-23 原文 →
AI 资讯

Claude Code Security: Why the Real Risk Lies Beyond Code

Many cybersecurity professionals have been following Anthropic's announcement about the release of Claude Code Security on Friday. This created the beginning of a panic on the cybersecurity stock market. It also raised a lot of questions from domain experts, investors and security enthusiasts. Anthropic's announcement Anthropic introduces Claude Code Security: a tool that scans full codebases for security vulnerabilities, and can propose fixes directly in developer workflows. The tool leverages the latest foundational model's reasoning capabilities to provide a new experience. In a world where code will be generated only by AI, this can sound very much like code security is dead. Our vision 18 months ago, SAST, SCA, and IaC security were areas where we had real traction and could see ourselves expanding. But as AI tooling started reshaping how code gets written, we made a tough call. We decided to stop these initiatives and go all-in on what we believed would matter most: Protecting enterprises against leaked secrets and mismanaged NHIs . We envisioned a future where identity is crucial for the AI era security, with secrets enabling AIs to access data and take actions . After pioneering in secrets detection for years we witnessed how amplified the problem became as LLM emerged: more API keys for AI services, more code generated, often less secure, more agents requiring sophisticated access to a myriad of tools. All in all, this resulted in more secrets exposed. Yet the problem of overseeing and managing these secrets in a secure way remains unsolved. The paradigm shifted from human hardcoding secrets in their code, to AIs having wide access levels on several systems with humans, coders and non-coders, prompting them and creating new vulnerabilities. 18 months later, let me describe where we stand. What isn't changing Best in class secrets detection GitGuardian is the leader in secrets detection . We are the only solution able to scan large volume of data at scale (5

2026-06-23 原文 →
AI 资讯

The Invisible Guardrail: How Commercial LLMs Enforce Algorithmic Paternalism

I recently published my PhD thesis analyzing what I term the "Alignment Tax" and the emerging phenomenon of Algorithmic Paternalism in commercial artificial intelligence. As the tech industry rapidly positions Large Language Models (LLMs) as the primary interface for information retrieval and coding assistance, a critical epistemological issue is being largely ignored. Much of the public debate regarding AI alignment focuses exclusively on existential risk or the prevention of catastrophic physical harm. While necessary, this focus obscures the structural damage being done to legitimate technical research. Through my research in Cybersecurity and AI, I have documented how frontier models (such as GPT-4 or Claude) systematically enforce what I define as "Soft Refusals". When presented with a complex, edge-case, or dual-use query—particularly in fields like information security, reverse engineering, or deep systems architecture—these models rarely issue a hard, explicit "I cannot answer that". Instead, they provide a degraded, superficial, or heavily sanitized response. They effectively neuter the research process without the user fully realizing the depth of technical information that is being actively withheld. This is Algorithmic Paternalism. The commercial model acts as a silent, corporate arbiter, deciding unilaterally what level of technical detail is "safe" for the user to possess. This dynamic flattens the available technical knowledge and actively penalizes independent researchers and developers working on advanced problems. The core issue is that this paradigm creates a profound class division in how we access computational intelligence. We are rapidly moving toward a two-tier system. On one side, there are "certified" entities, corporate partners, and wealthy organizations who are granted direct access to strong, unfiltered base models. On the other side, the general public and independent developers are subjected to obfuscation algorithms, sanitized APIs,

2026-06-23 原文 →