今日已更新 386 条资讯 | 累计 20358 条内容
关于我们

标签:#security

找到 666 篇相关文章

AI 资讯

Windows Platform Security and the Race to Secure AI Agents

In a new Windows Developer Blog post titled "Windows platform security for AI agents", Microsoft positions Windows as the trustworthy operating system for autonomous agents and introduces the Microsoft Execution Containers (MXC) SDK as the core of that strategy. The post argues that containment, identity and manageability must be built into the operating system. By Matt Saunders

2026-06-19 原文 →
AI 资讯

How to implement field-level AES-256-GCM encryption in Spring Boot (and why we packaged it into one annotation)

If you've ever had to encrypt a nationalId , a creditCardNumber , or a medicalRecord field in a Spring Boot entity, you already know the drill. You write an AttributeConverter , you wire up a Cipher instance, you generate an IV, you figure out where the key lives, you get the GCM tag handling wrong once, you fix it, and three weeks later you finally trust it enough to ship. We've done this enough times — across healthcare and fintech projects — that we stopped doing it manually. This post walks through the full implementation from scratch, the mistakes that are easy to make along the way, and then shows the one-annotation version we eventually packaged into Nucleus , our open-core Java framework. Why GCM, and not just AES-CBC If you search "AES encryption Java" you'll find a lot of CBC-mode examples. Don't use them for new code. CBC gives you confidentiality but no integrity check — an attacker can flip bits in the ciphertext and you won't know it happened until something downstream breaks in a weird way, or worse, doesn't break at all. GCM (Galois/Counter Mode) gives you both confidentiality and authentication in one pass. It produces an authentication tag alongside the ciphertext, and decryption fails loudly if either the ciphertext or the tag has been tampered with. It's also the mode behind TLS 1.3, which is a reasonable signal that it's held up to scrutiny. The relevant specification is NIST SP 800-38D. Building it by hand Here's a minimal, correct implementation. This is the version you'd write before you have a framework to lean on. public class AesGcmEncryptor { private static final String ALGORITHM = "AES/GCM/NoPadding" ; private static final int GCM_TAG_LENGTH_BITS = 128 ; private static final int GCM_IV_LENGTH_BYTES = 12 ; private final SecretKey key ; public AesGcmEncryptor ( SecretKey key ) { this . key = key ; } public String encrypt ( String plaintext ) { try { byte [] iv = new byte [ GCM_IV_LENGTH_BYTES ]; SecureRandom . getInstanceStrong (). nextByt

2026-06-19 原文 →
AI 资讯

Securing AI-Generated Bash Scripts Before You Run Them

Bash is the easiest language for AI to write and the easiest language to get devastating output from. A 20-line script that "just cleans up old files" can recursively delete a home directory because the model assumed a variable would always be set. A "simple log shipper" can write your secrets to a remote server because the model used set -x for debugging and forgot to remove it. I have run AI-generated bash that I should not have. Most engineers I know have too. After enough close calls, there's a short checklist that catches the worst of it. This is that checklist. The five things to check before running any AI-generated bash 1. Does it start with a strict pragma? The first lines of any non-trivial bash script should be: #!/usr/bin/env bash set -euo pipefail IFS = $' \n\t ' What each does: set -e — exit on any command failure. Without this, a failure in line 5 doesn't stop the script from happily running lines 6-50. set -u — error on undefined variables. This is the one that saves you from rm -rf $UNDEFINED/ . set -o pipefail — propagate failures through pipes. Without it, failing-command | grep something succeeds because grep succeeds. IFS=$'\n\t' — sane field splitting. Defends against word-splitting bugs in filenames. If the AI-generated script doesn't have these, add them and re-read the script. You'll often discover bugs the pragma now flags. 2. Is every variable expansion quoted? # Wrong rm -rf $TARGET_DIR # Right rm -rf " $TARGET_DIR " The wrong version is what causes the "I deleted the root directory" stories. If $TARGET_DIR is empty or contains a space, the command becomes rm -rf (delete current directory) or rm -rf foo bar (delete two unintended things). Models default to the wrong version about half the time because the right version is harder to write in chat ("escape the quotes!") and the wrong version is what most blogs show. Fix: When reading AI bash, mentally check every $VAR for quotes. Add them if missing. This is the single biggest source of bas

2026-06-18 原文 →
AI 资讯

Gas Optimization That Doesn't Break Security: Storage, Calldata, and the Traps

Gas optimization is satisfying. You shave a few thousand gas off a function and feel clever. But some optimizations trade away safety in ways that are not obvious, and I have seen "optimized" contracts that introduced vulnerabilities. Here are the gas wins that are genuinely free, the ones that cost you safety, and how to tell the difference. Where gas actually goes Before optimizing, know what is expensive. Storage operations dominate. Writing a fresh storage slot ( SSTORE from zero to non-zero) costs a lot; reading storage ( SLOAD ) is cheaper but still meaningful; computation in memory is cheap by comparison. So the highest-leverage optimizations are about touching storage less. Free win 1: cache storage reads in memory If you read the same storage variable multiple times in a function, each read is an SLOAD . Read it once into a local variable instead: // WASTEFUL: reads storage `total` three times function distribute() external { require(total > 0, "empty"); uint256 share = total / count; emit Distributed(total); } // OPTIMIZED: one SLOAD, two memory reads function distribute() external { uint256 _total = total; // single storage read require(_total > 0, "empty"); uint256 share = _total / count; emit Distributed(_total); } This is free in the sense that it changes nothing about correctness. The value is identical; you just read it once. Pure win. Free win 2: calldata instead of memory for read-only arrays For external function arguments you only read (never modify), calldata is cheaper than memory because it skips the copy: // memory copies the whole array into memory function process(uint256[] memory ids) external { ... } // calldata reads directly from the transaction data, no copy function process(uint256[] calldata ids) external { ... } Again, free. If you do not mutate the array, calldata is strictly better. Free win 3: storage packing Solidity packs multiple variables into one 32-byte slot if they fit and are adjacent. Order your storage variables so smal

2026-06-18 原文 →
AI 资讯

The Road Toward Mainnet: A Security-First Approach to XRPL Lending Protocol

Over the last several months, XRP Ledger (XRPL) has fundamentally shifted in how amendments move from concept to mainnet. Historically, amendment development was largely focused on functional correctness, performance testing, traditional security audits, bug bounties and independent validator testing as the last line of defense to catch security vulnerabilities. As XRPL continues to grow in complexity and the value secured by the network increases, we recognized that the previous model was no longer sufficient. Advances in AI are also rapidly reducing the cost of vulnerability discovery, making it increasingly important to identify issues as early as possible in the development lifecycle. With that in mind, we set out to establish a stronger, repeatable, defense-in-depth model that makes it increasingly difficult for critical vulnerabilities, consensus risks, and feature interaction bugs to reach mainnet. The result is a significantly higher bar for amendment activation that combines specification rigor, adversarial testing, multiple independent audits, attackathons with expert security researchers, AI-assisted security reviews and phased deployments. The Lending Protocol ( XLS-66 ) and Single Asset Vault (SAV) - XLS-65 are among the first major amendments to undergo this full review process, making them some of the most rigorously tested amendments in XRPL's history. They also represent some of the most significant new financial capabilities added to the XRP Ledger since 2012, introducing native primitives for lending and borrowing built around Single Asset Vaults. Together, the Lending Protocol and Single Asset Vault bring lending and borrowing capabilities directly into the core XRPL protocol, advancing XRPL's capabilities for Institutional DeFi. Lending Protocol Security and Quality Gates This report provides transparency into the development and security process behind one of the most financially complex features XRPL has ever shipped. As context, the Lending P

2026-06-18 原文 →
开发者

The midterms are going to be a data security nightmare

One messy database is threatening to disenfranchise thousands or even millions of registered voters, while leaving even more at risk of intimidation or data breaches, in the name of solving a problem that barely exists. As the 2026 midterm elections approach, election and privacy experts are sounding alarms about the Department of Homeland Security's Systematic […]

2026-06-18 原文 →
AI 资讯

I Trusted My AI Coding Assistant. It Turned My Computer Into a Surveillance Server.

You think your AI is just helping you write code. In reality, it's built a logging system on your machine that you never knew existed. Every conversation. Every code snippet. Every file path. Every time you asked "what was my password again?" — permanently archived, without your knowledge. How It Started: An Accidental Discovery I was about to sell my old laptop and decided to clean up my data first. I opened Claude Code's config directory — ~/.claude/ — intending to just remove my API key. Then I saw this: history.jsonl 243 KB / 695 lines sessions/ conversation metadata session-env/ environment variables shell-snapshots/ command execution snapshots telemetry/ 63 telemetry files projects/ 19 project directories ├─ interview-prep/ 31 sessions / 20 MB ├─ spring-ai/ 11 sessions / 13 MB └─ ... 17 more I thought I was just writing code. My computer thought it should record everything. What's Inside These Files history.jsonl — Everything You Ever Asked 695 entries. Every single thing I typed into Claude Code. Including: "I forgot my database password — can you check what passwords were configured in the project files?" "How do I view the database password?" Pasted code snippets Every /model , "who are you?", and project path You casually ask about a password once. It's permanently stored. projects/ — Full Conversation Transcripts (43 MB) If you think history.jsonl only storing user input isn't so bad — you haven't seen this yet. Inside ~/.claude/projects/ , every project directory contains .jsonl files. Opening one 2.3 MB session file: Content Count AI responses 590 AI internal thinking blocks 272 Tool calls 101 Tool call results (including file paths) 100 File history snapshots 208 Every conversation. Every AI response. Every internal reasoning step. Every file operation — what was read, what was modified, what was executed — all written to this file. shell-snapshots/ — Traces of Everything You Ran Your system PATH. Installed tools. Java version. All sitting in command s

2026-06-18 原文 →
AI 资讯

Athena Coalition Brings Coordinated Defence to Open Source Security

Cybersecurity firm Chainguard has announced the launch of Athena, an industry coalition to use artificial intelligence to find and fix vulnerabilities in widely-used open-source software before attackers can exploit them. The coalition focuses on libraries, containers and other components that underpin web browsers, data centres, smartphones and payment systems. By Matt Saunders

2026-06-18 原文 →
AI 资讯

Weekly Dev Log 2026-W10

🗓️ This Week While organizing ideas for my first iOS app , I remembered an old web app idea called ToneDrill , which I had casually built before to help practice note names on a guitar fretboard🎸. I decided to try turning it into an iOS app 🛠️. I clarified the purpose of ToneDrill , its minimum requirements , and its core features , then organized them in Notion 📝. I was curious to see how well Codex could implement an iOS app from those minimum requirements , so I gave it a try right away💡. I reviewed the SwiftUI code generated by Codex and worked through the app logic to understand how it was implemented 🔍. For now, I was able to create a working app, which felt like a meaningful step forward 🚶. I created the top page UI design for my portfolio website in Figma 🎨. I focused on keeping the structure simple and implementation-friendly, and designed the UI with reusable components for each major part. Based on what I learned from my previous failed attempt, I tried again to see how well Codex could implement a prototype from the Figma UI design (You can read about my previous attempt that didn’t go so well here😅.) Worked on the AI Threat Modelling room from the AI Security Learning Path on TryHackMe this week🤖. 📱 iOS (SwiftUI) Revisited an old web app idea called ToneDrill, which I had previously built casually as a guitar note-training app, and considered turning it into an iOS app. Organized the app idea in Notion, including its purpose, target use case, minimum requirements, and core features. Decided to aim for an MVP-level version first, instead of trying to build a fully featured app from the beginning. Wrote down simple requirements and tested how accurately Codex could implement the initial version of the app. Reviewed the iOS app implementation generated by Codex and examined the code in detail to understand how the logic worked. 🌐 Web Development Posted my weekly dev log on Dev.to📝 Completed the top page UI design for my portfolio website in Figma. Tried us

2026-06-18 原文 →
产品设计

Win Prizes at DEF CON 34 | Submit a Challenge Now!

The Prizes for the SecDim AppSec Village Wargame CtF at DEF CON 34 has been announced! Build and submit a challenge and get a chance to Win a ROG Xbox Ally if your challenge submission wins 1st Place! Challenge submissions close on 31 July. https://sessionize.com/appsec-village-wargame

2026-06-18 原文 →