Servervirtualisierung verspricht Effizienz, Flexibilität und Kostenvorteile – birgt jedoch auch Risiken. Wir geben Orientierung für die Wahl der Plattform. Ein Ratgebertext von Otto Geißler (Virtualisierung, Cloud Computing)
Quelle: Golem
In erster Linie mutet All of You wie ein Liebesdrama an, der Film arbeitet aber mit Sci-Fi-Elementen. (Science-Fiction, Film)
Quelle: Golem
Toxische Führung, sinnlose Tätigkeiten, gesundheitliche Probleme – irgendwann reicht’s! Hier sind eure Geschichten. (Arbeit, CRM)
Quelle: Golem
The fundamental challenge with MCP-enabled attacks isn’t technical sophistication. It’s that hackers have figured out how to catfish your AI. These attacks work because they exploit the same trust relationships that make your development team actually functional. When your designers expect Figma files from agencies they’ve worked with for years, when your DevOps folks trust their battle-tested CI/CD pipelines, when your developers grab packages from npm like they’re shopping at a familiar grocery store, you’re not just accepting files. Rather, you’re accepting an entire web of “this seems legit” that attackers can now hijack at industrial scale.
Here are five ways this plays out in the wild, each more devious than the last:
1. The Sleeper Cell npm Package Someone updates a popular package—let’s say a color palette utility that half your frontend team uses—with what looks like standard metadata comments. Except these comments are actually pickup lines designed to flirt with your AI coding assistant. When developers fire up GitHub Copilot to work with this package, the embedded prompts whisper sweet nothings that convince the AI to slip vulnerable auth patterns into your code or suggest sketchy dependencies. It’s like your AI got drunk at a developer conference and started taking coding advice from strangers.
2. The Invisible Ink Documentation Attack Your company wiki gets updated with Unicode characters that are completely invisible to humans but read like a love letter to any AI assistant. Ask your AI about “API authentication best practices” and instead of the boring, secure answer, you get subtly modified guidance that’s about as secure as leaving your front door open with a sign that says “valuables inside.” To you, the documentation looks identical. To the AI, it’s reading completely different instructions.
3. The Google Doc That Gaslights That innocent sprint planning document shared by your PM? It’s got comments and suggestions hidden in ways that don’t show up in normal editing but absolutely mess with any AI trying to help generate summaries or task lists. Your AI assistant starts suggesting architectural decisions with all the security awareness of a golden retriever, or suddenly thinks that “implement proper encryption” is way less important than “add more rainbow animations.”
4. The GitHub Template That Plays Both Sides Your issue templates look totally normal—good formatting, helpful structure, the works. But they contain markdown that activates like a sleeper agent when AI tools help with issue triage. Bug reports become trojan horses, convincing AI assistants that obvious security vulnerabilities are actually features, or that critical patches can wait until after the next major release (which is conveniently scheduled for never).
5. The Analytics Dashboard That Lies Your product analytics—those trusty Mixpanel dashboards everyone relies on—start showing user events with names crafted to influence any AI analyzing the data. When your product manager asks their AI assistant to find insights in user behavior, the malicious event data trains the AI to recommend features that would make a privacy lawyer weep or suggest A/B tests that accidentally expose your entire user database to the internet.
The Good News: We’re Not Doomed (Yet)
Here’s the thing that most security folks won’t tell you: this problem is actually solvable, and the solutions don’t require turning your development environment into a digital prison camp. The old-school approach of “scan everything and trust nothing” works about as well as airport security. That is, lots of inconvenience, questionable effectiveness, and everyone ends up taking their shoes off for no good reason. Instead, we need to get smarter about this.
Context Walls That Actually Work Think of AI contexts like teenagers at a house party—you don’t want the one processing random Figma files to be in the same room as the one with access to your production repositories. When an AI is looking at external files, it should be in a completely separate context from any AI that can actually change things that matter. It’s like having a designated driver for your AI assistants.
Developing AI Lie Detectors (Human and Machine) Instead of trying to spot malicious prompts (which is like trying to find a specific needle in a haystack made of other needles), we can watch for when AI behavior goes sideways. If your usually paranoid AI suddenly starts suggesting that password authentication is “probably fine” or that input validation is “old school,” that’s worth a second look—regardless of what made it think that way.
Inserting The Human Speed Bump Some decisions are too important to let AI handle solo, even when it’s having a good day. Things involving security, access control, or system architecture should require a human to at least glance at them before they happen. It’s not about not trusting AI—it’s about not trusting that AI hasn’t been subtly influenced by something sketchy.
Making Security Feel Less Like Punishment
The dirty secret of AI security is that the most effective defenses usually feel like going backward. Nobody wants security that makes them less productive, which is exactly why most security measures get ignored, bypassed, or disabled the moment they become inconvenient. The trick is making security feel like a natural part of the workflow rather than an obstacle course. This means building AI assistants that can actually explain their reasoning (“I’m suggesting this auth pattern because…”) so you can spot when something seems off. It means creating security measures that are invisible when things are working normally but become visible when something fishy is happening.
The Plot Twist: This Might Actually Make Everything Better
Counterintuitively, solving MCP security will ultimately make our development workflows more trustworthy overall. When we build systems that can recognize when trust is being weaponized, we end up with systems that are better at recognizing legitimate trust, too. The companies that figure this out first won’t just avoid getting pwned by their productivity tools—they’ll end up with AI assistants that are genuinely more helpful because they’re more aware of context and more transparent about their reasoning. Instead of blindly trusting everything or paranoidly trusting nothing, they’ll have AI that can actually think about trust in nuanced ways.
The infinite attack surface isn’t the end of the world. Rather, it’s just a continuation of the longstanding back-and-forth where bad actors leverage what makes us human. The good part? Humans have navigated trust relationships for millenia. Systems that navigate it through the novel lens of AI are in the early stages and will get much better for the same reasons that AI models get better with more data and greater sample sizes. These exquisite machines are masters at pattern matching and, ultimately, this is a pattern matching game with numerous facets on each node of consideration for AI observation and assessment.
Quelle: https://blog.docker.com/feed/
Starting today, AWS WAF’s Targeted Bot Control, Fraud, and DDoS Prevention Rule Group are available in the AWS Asia Pacific (Taipei), Asia Pacific (Bangkok), and Mexico (Central) regions. These features help customers to stay protected against sophisticated bots, application layer DDoS and account takeover attacks.
AWS WAF is a web application firewall that helps you protect your web application resources against common web exploits and bots that can affect availability, compromise security, or consume excessive resources.
To see the full list of regions where AWS WAF is currently available, visit the AWS Region Table. For more information about the service, visit the AWS WAF page. For more information about pricing, visit the AWS WAF Pricing page.
Quelle: aws.amazon.com
Amazon Relational Database Service (RDS) for Db2 now offers Reserved Instances with up to 47% cost savings compared to On-Demand prices. The option to use Reserved Instances is available for all supported instance types. Amazon RDS for Db2 Reserved Instances provide size flexibility for both Bring Your Own License (BYOL) and Db2 license purchased through AWS Marketplace. With Reserved Instances size flexibility, the discounted rate for Reserved Instances automatically applies to usage of any size in the same instance family. For example, if you purchase a db.r7i.2xlarge Reserved Instance in US East (N. Virginia), the discounted rate of this Reserved Instance can automatically apply to 2 db.r7i.xlarge instances. For information on RDS Reserved Instances, refer to Reserved DB instances for Amazon RDS. You can purchase Reserved Instances through the AWS Management Console, AWS CLI, or AWS SDK. For detailed pricing information and purchase options, refer to Amazon RDS for Db2 Pricing.
Quelle: aws.amazon.com
Amazon MSK Connect is now available in five additional AWS Regions: Asia Pacific (Thailand), Asia Pacific (Taipei), Mexico (Central), Canada West (Calgary), and Europe (Spain). MSK Connect enables you to run fully managed Kafka Connect clusters with Amazon Managed Streaming for Apache Kafka (Amazon MSK). With a few clicks, MSK Connect allows you to easily deploy, monitor, and scale connectors that move data in and out of Apache Kafka and Amazon MSK clusters from external systems such as databases, file systems, and search indices. MSK Connect eliminates the need to provision and maintain cluster infrastructure. Connectors scale automatically in response to increases in usage and you pay only for the resources you use. With full compatibility with Kafka Connect, it is easy to migrate workloads without code changes. MSK Connect will support both Amazon MSK-managed and self-managed Apache Kafka clusters. You can get started with MSK Connect from the Amazon MSK console or the Amazon CLI. Visit the AWS Regions page for all the regions where Amazon MSK is available. To get started visit, the MSK Connect product page, pricing page, and the Amazon MSK Developer Guide.
Quelle: aws.amazon.com
AWS Clean Rooms now supports incremental processing of rule-based ID mapping workflows with AWS Entity Resolution. This helps you perform real-time data synchronization across collaborators’ datasets with the privacy-enhancing controls of AWS Clean Rooms. With this launch, you can populate ID mapping tables in a Clean Rooms collaboration with only the new, modified, or deleted records since the last analysis. Data collaborators can enable incremental processing for rule-based ID mapping workflows in AWS Entity Resolution, and then update an existing ID mapping table in a collaboration. For example, a measurement provider can maintain up-to-date offline purchase data in a collaboration with an advertiser and a publisher, enabling always-on measurement of campaign outcomes, reduced costs, and maintained privacy controls for all collaboration members. AWS Entity Resolution is natively integrated within AWS Clean Rooms to help you and your partners more easily prepare and match related customer records. Using rule-based or data service provider-based matching can help you improve data matching for enhanced advertising campaign planning, targeting, and measurement. For more information about the AWS Regions where AWS Clean Rooms is available, see the AWS Regions table. To learn more about AWS Clean Rooms, visit AWS Clean Rooms.
Quelle: aws.amazon.com
Amazon Neptune Analytics is now available in the Asia Pacific (Mumbai) Region. You can now create and manage Neptune Analytics graphs in the Asia Pacific (Mumbai) Region and run advanced graph analytics. Neptune Analytics is a memory-optimized graph database engine for analytics. With Neptune Analytics, you can get insights and find trends by processing large amounts of graph data in seconds. To analyze graph data quickly and easily, Neptune Analytics stores large graph datasets in memory. It supports a library of optimized graph analytic algorithms, low-latency graph queries, and vector search capabilities within graph traversals. Neptune Analytics is an ideal choice for investigatory, exploratory, or data-science workloads that require fast iteration for data, analytical and algorithmic processing, or vector search on graph data. It complements Amazon Neptune Database, a popular managed graph database. To perform intensive analysis, you can load the data from a Neptune Database graph or snapshot into Neptune Analytics. You can also load graph data that’s stored in Amazon S3. To get started, you can create a new Neptune Analytics graphs using the AWS Management Console, or AWS CLI. For more information on pricing and region availability, refer to the Neptune pricing page.
Quelle: aws.amazon.com
Peter Thiel spricht in mehreren Vorträgen davon, wie durch die Regulierung von Technologie, Wissenschaft und KI das Ende der Welt eingeläutet wird. (KI, Technologie)
Quelle: Golem
