惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

GbyAI
GbyAI
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
P
Proofpoint News Feed
L
Lohrmann on Cybersecurity
S
Secure Thoughts
Attack and Defense Labs
Attack and Defense Labs
人人都是产品经理
人人都是产品经理
Stack Overflow Blog
Stack Overflow Blog
W
WeLiveSecurity
O
OpenAI News
SecWiki News
SecWiki News
博客园 - Franky
NISL@THU
NISL@THU
Microsoft Azure Blog
Microsoft Azure Blog
T
Tor Project blog
Microsoft Security Blog
Microsoft Security Blog
aimingoo的专栏
aimingoo的专栏
Security Latest
Security Latest
H
Hacker News: Front Page
Google Online Security Blog
Google Online Security Blog
P
Privacy & Cybersecurity Law Blog
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
D
Darknet – Hacking Tools, Hacker News & Cyber Security
月光博客
月光博客
李成银的技术随笔
Spread Privacy
Spread Privacy
F
Full Disclosure
F
Fortinet All Blogs
T
The Exploit Database - CXSecurity.com
Vercel News
Vercel News
AWS News Blog
AWS News Blog
WordPress大学
WordPress大学
IntelliJ IDEA : IntelliJ IDEA – the Leading IDE for Professional Development in Java and Kotlin | The JetBrains Blog
IntelliJ IDEA : IntelliJ IDEA – the Leading IDE for Professional Development in Java and Kotlin | The JetBrains Blog
V
Visual Studio Blog
J
Java Code Geeks
博客园 - 三生石上(FineUI控件)
G
Google Developers Blog
云风的 BLOG
云风的 BLOG
博客园 - 司徒正美
Engineering at Meta
Engineering at Meta
Last Week in AI
Last Week in AI
P
Palo Alto Networks Blog
宝玉的分享
宝玉的分享
T
True Tiger Recordings
N
News and Events Feed by Topic
酷 壳 – CoolShell
酷 壳 – CoolShell
Cisco Talos Blog
Cisco Talos Blog
N
News | PayPal Newsroom
S
SegmentFault 最新的问题
Jina AI
Jina AI

Hacker News - Newest: "AI"

Advice for 2026 commencement speakers: Don't bring up AI Show HN: AI Manager AI is killing All About Berlin AI is just unauthorised plagiarism at a bigger scale Hating AI Is Good Ask HN: Are there any social media sites that are AI positive? GitHub - jaroslavsoucek-art/Giovanni: AI Chief of Staff methodology for Claude Code. Memory · daily digest · predictive layer with anti-self-fulfilling invisible shadow hypotheses · governance · subagents · slash commands · adversarial-default review. Show HN: We dropped Go for Rust in our real-time telephony AI media plane Nvidia says it has ‘largely conceded’ China’s AI chip market to Huawei Can AI solve this Bongard problem? Home — Noada Ask HN: Does anyone believe role-play AI is effective for training? Lovable’s AI built a 100% accessible site – or did it? | Axess Lab Designing a AI Access Layer for Systems of Record HiAI - HiAI IDE - HUAWEI Developer GitHub - openclaw-easy/ViralMint: Open-source viral content pipeline — scout trends, analyze competitors, generate AI videos, auto-publish. AGPL-3.0. Show HN: SoMatic – Vision-based OS automation framework for AI agents Physics AI – Free Physics Solver Online (Step-by-Step) PocketWebTools Forma – Smart AI Autofill for Job and Placement Forms (100% Local, No Cloud) Introducing AI Agent Support for Grid Global Accounts Let the AI cook | ivan.codes AI Can Seem More Human Than Real Humans in a Classic Turing Test, Study Finds Built a live multi-agent AI operations workspace for software engineering teams KiroGraph: Local code knowledge graph for AI, optimized for token efficiency GitHub - the-ai-coop/open-letter Intuit CEO says company’s 17% workforce cut had ‘nothing to do with AI’ AMD Ups Ante With 192GB Ryzen AI Max PRO 400 Chips for AI Systems I Taught an AI to Be Our On-Call Engineer AI token streaming isn't about SSE vs WebSockets — /dev/knill AI Engineering from Scratch Google search AI mode, the biggest update Gemini Omni Flash AI Video Generator | Free Online Twelve Ways to Be Wrong About AI-Assisted Coding Linki – open-source AI SDR for LinkedIn sequences and cold email Transforming Digital Pathology with AI GitHub - enzoferraripapa-arch/ai-vprocess-ops: Engineering memory for AI coding agents: requirements, decisions, evidence, traceability, and V-process/ALM handoff China has named, defined and started governing agentic AI WebMCP: I Made My Website AI Agent Ready (Here's How) Bezos defends billionaires, hypes AI, talks taxes and praises Trump in CNBC interview Growing an AI orchestration platform to $3k MRR in 4 weeks Do you enjoy reading any type of AI written text? Dust raises $40M Series B to scale multiplayer AI for human-agent collaboration SkinMax App | Your Personal Skin Care Coach Client Challenge AI red teaming agents change how LLMs get tested Standard Charter CEO Replaces 8000 "Lower Value Humans" with AI Design advice you can actually use SpaceX IPO filing lays bare losses and Musk control as it stakes future on AI Show HN: SafeRun – Replay debugging and inline prevention for AI agents 3 GitHub - sathvikc/agent-chat-bridge: Turn any AI agent chat session into an async agent. Register a timer, shell command, or webhook — the bridge automatically resumes the session with your prompt when the trigger fires. The Google AI Pro plan just got a quiet downgrade, here is the new deal Google is dethroning OpenAI as the king of consumer AI Ordo · Smart earbuds with cameras & AI TBN Protocol — Full Demo What I'd audit on an AI-built SaaS before its first paying customer The AI Client in WordPress 7.0 Show HN: SafeRun – Replay debugging and inline prevention for AI agents 2 White House briefs AI firms on plans for model review Invasion of the literary bots What Models? — Pick the right model for your GPU in seconds An AI system to help scientists write expert-level empirical software How Many Questions Can the World Afford to Ask AI? Meta Begins AI-Driven Layoffs, Report Says. Can They Boost the Struggling Stock? Benchmarking Open-EndedInference Optimization by AI Agents The Elements of Power (AI Supply Chain) JAM: DSP audio engine programmable via AI chat The SpaceX IPO filing is filled with AI bets, Starship dreams, and Elon Musk at the center Free AI Rewriter - Revise Can one run AI on source code with the prompt "Find below-avg swear rate files"? twitter.com The Developer's Guide to AI When AI can write your code, do you still need a CMS? Congress Banned a Gun Registry. AI Doesn't Need One Cloudflare CEO on how he chooses which employees to replace with AI Replacing NZ public servants with AI could come with hidden costs, critics warn How America Turned Against AI According to the Poll Data: A (Very Big) Compilation GitHub - brucehoult/k3_ai: Utility to start a program on the A100 "AI" cores on SpacemiT K3 machines. Claude.AI Pro Plan quotas too small for deep research AI slop? What about human slop? | NadathurX Token Offset · Offset the environmental cost of AI Show HN: AI Editor for Websites AI Resist List Wheelly.ai — AI in every app, with one hotkey AI atlas reveals hidden whole-body-damage caused by obesity AI robot is now a Buddhist monk Advanced AI models bring government to ‘reflection point,’ CIA official says Linus Torvalds admits he has a 'love-hate relationship with AI' Singapore inks AI deals with Google, OpenAI as ChatGPT-maker commits $234 million to local ecosystem San Francisco turns to AI to save whales from ship strikes as deaths soar What will better AI mean? Why Compiled AI makes AI Enterprise ready The Wake-Up Call for 2026 and 2027 · Greg Herlein The AI people have been right a lot Learn how to build AI products through practice The Alaska Permanent Fund as Loose Precedent for AI Data Center ‘UBI’ Payments Client Challenge The AI bots are coming and the young are booing, not applauding How to sell RL envs and data to AI labs [video] hty
Cloudflare's "Ask AI" created an API token with read access to my entire account
frr149 · 2026-05-21 · via Hacker News - Newest: "AI"

Last week, auditing my Cloudflare API tokens, I found one I never created: “Cloudflare Agent Token - 2026-04-28”, created by the dashboard’s AI assistant (“Ask AI”).

Cloudflare’s tooltip says it exists so the AI can “understand your environment and take actions on your behalf.”

Its actual grant, from the token’s own summary page: read access scoped to All accounts, All zones, and All users — more than 160 permissions. Every one is :Read: it cannot change anything. But “read-only” undersells it. The list includes Secrets Store:Read, Access: Keys:Read, Access: Service Tokens:Read, Zero Trust: PII:Read, Logs:Read, Account Audit Logs:Read, Billing:Read, API Tokens:Read, and every DNS, Access and identity-provider config you have.

It also has no expiry date.

A leaked token like this isn’t “an attacker reconfigures your infrastructure.” It’s total reconnaissance and data exfiltration: your security posture, your logs, your PII, your org and user structure — readable in one pass. For most teams that is a reportable breach by itself.

I used the “Ask AI” feature. That minted a standing, account-wide read credential that sat in my account for three weeks before I happened to notice it — and, never expiring, would otherwise have stayed valid forever. I was never meaningfully told that asking a question would do this, and “Ask AI” does not signal “provision a permanent agent that can read everything I have.”

An assistant answering a question needs read access scoped to that question, for that conversation. A permanent credential that reads your whole estate is a different thing, and must be a deliberate, informed, visible opt-in.

Check yours: dash.cloudflare.com/profile/api-tokens. If you see “Cloudflare Agent Token” and don’t use the agent, revoke it.

Yes: read-only, first-party, revocable. But it never expires, and it was never surfaced to me — so “revocable” means nothing unless you already know to go looking. None of that makes standing, permanent read access to your secrets, logs and PII proportionate to “I asked a chatbot a question.”

此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。