今日已更新 412 条资讯 | 累计 19972 条内容
关于我们

标签:#EU

找到 48 篇相关文章

开发者

The Shifting Line Between CSS States and JavaScript Events

CSS has always had pseudo-classes that style things when baed on user interactions. Recent features, however, are blurring the line between what CSS "listens" for and how they are alternatives to what Javascript typically listens for. The Shifting Line Between CSS States and JavaScript Events originally handwritten and published with love on CSS-Tricks . You should really get the newsletter as well.

2026-06-29 原文 →
AI 资讯

Layer 2: A Engenharia Secreta Que Destrava a Velocidade do Ethereum [PT-BR]

Quando comecei a trabalhar com aplicações descentralizadas há mais de uma década, lembro bem da frustração de pagar US$ 50 em taxas de transação para mover alguns tokens na rede Ethereum durante um pico de congestionamento. Era um problema técnico que ameaçava inviabilizar todo o ecossistema. Hoje, observo com entusiasmo profissional como as soluções de Layer 2 transformaram radicalmente esse cenário, abrindo portas para casos de uso que antes eram economicamente impraticáveis — especialmente aqui no Brasil, onde a tokenização de ativos e os pagamentos em stablecoins crescem em ritmo acelerado. O problema fundamental: o trilema da escalabilidade Para entender por que as soluções de segunda camada são tão importantes, precisamos compreender o trilema da blockchain proposto por Vitalik Buterin. Uma rede precisa equilibrar três pilares: descentralização, segurança e escalabilidade. O Ethereum, em sua arquitetura original, priorizou os dois primeiros, processando apenas cerca de 15 a 30 transações por segundo (TPS) na camada base. Para se ter dimensão, redes de pagamento tradicionais como a Visa processam milhares de transações por segundo. Quando o DeFi explodiu em 2020 e 2021, e novamente com o boom dos NFTs, a rede simplesmente não dava conta da demanda. As taxas de gas dispararam, e usuários comuns foram literalmente expulsos pelo custo. Em meus projetos de consultoria, atendi empresas brasileiras que desistiram de iniciativas Web3 justamente porque os custos operacionais inviabilizavam o modelo de negócio. A pergunta que sempre me faziam era: "Como cobrar R$ 5 de um cliente se a taxa da transação custa R$ 30?". A resposta estava — e está — nas camadas de segunda geração. Como funcionam as soluções de Layer 2 O conceito central das soluções de Layer 2 é elegante: em vez de processar todas as transações diretamente na blockchain principal (Layer 1), executamos a maior parte do processamento "fora da cadeia" e depois enviamos apenas uma prova compacta de volta para o

2026-06-29 原文 →
AI 资讯

HackTheBox: Sloink Writeup

Summary NFS shares exposed the target's home directory and PostgreSQL backups. The user's psql history contained an MD5 hash that cracked to service . SSH with that account drops you immediately (shell is /bin/false ), but port forwarding still works - so we tunneled straight to the Postgres Unix socket and connected as the superuser. From there, COPY FROM PROGRAM gave us RCE as postgres. We injected our SSH key and got a shell. For root, a cron job running as root copies the entire Postgres data directory - which postgres owns. We dropped a SUID bash there, waited for the cron to fire, and root handed us a root shell. Chain: NFS leak → MD5 crack → SSH tunnel → Postgres RCE → SSH key injection → postgres shell → SUID bash via cron → root Recon nmap -A -Pn 10.129.234.160 -oA nmap PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 111/tcp open rpcbind 2-4 (RPC #100000) 2049/tcp open nfs_acl 3 (RPC #100227) NFS on 2049 is immediately interesting. We check what's exported: showmount -e 10.129.234.160 Export list for 10.129.234.160: /var/backups * /home * Both shares open to everyone ( * ). We mount them and enumerate: mkdir -p /mnt/home /mnt/backups mount -t nfs 10.129.234.160:/home /mnt/home mount -t nfs 10.129.234.160:/var/backups /mnt/backups find /mnt/backups -maxdepth 3 -ls # → several archive-*.zip files (~4.5MB each, created every minute) find /mnt/home -maxdepth 3 -ls # → /mnt/home/service (UID 1337, permission denied) We can't read the service home directory yet because our local UID doesn't match. We use NetExec to enumerate properly - it also detects a root escape vulnerability on the NFS server: nxc nfs 10.129.234.160 --enum-shares NFS 10.129.234.160 [*] Supported NFS versions: (3, 4) (root escape:True) NFS 10.129.234.160 [+] /var/backups NFS 10.129.234.160 0 r-- 4.5MB /var/backups/archive-2026-06-28T0446.zip NFS 10.129.234.160 [+] /home NFS 10.129.234.160 1337 r-- 90B /home/service/.bash_history NFS 10.129.234.160 1337 r-- 326B /hom

2026-06-28 原文 →
AI 资讯

New Dimensions of Onchain Threats, Accelerated by AI.

Sometime in 2024 I had a Coinbase wallet on my laptop. I had created the wallet some months back, backed up and all, and just sent very little amount of $ETH to the wallet. Then in 2024 I was paid $100 for a gig which I sent to this wallet, I also sent another $650 worth of cryto as "savings". The next morning I decided to check my "savings", wallet was empty. At first I didn't believe that I was hacked, because I had some $1.50 or so worth of $ETH in the wallet for months and it was safe, so what happened? I traced the transaction history and there was the full detail of how someone sent some $ETH to the wallet, then moved out my "savings" and afterwards also took back the remaining $ETH from the one they had sent in for the attack. I checked on Twitter and saw many other posts of people who had experienced the same exploit, exactly the same pattern... and some of the people who lost their funds were experienced blockchain developers and crypto guys. I made a post about it, told my friends to avoid the wallet and tried to forget about the experience. Blockchain hit instant PMF for many, especially people in parts of the world where there are crazy high fees and bank charges. The moment people tried sending crypto and for a few cents in gas fees, there was no going back for them. The only issue has always been how to secure users' funds, desperate people will always find a way no matter how complex the UX was. After losing my savings I stopped using self custodial wallets and only used Centralized Exchanges for a while. I thought, even though that was a non-custodial wallet, the builders still should have ensured strong security and secure backups, so users don't lose funds unnecessarily. This happened to me when AI and LLMs were still at their early development stages. You can only imagine how sophiscated the attacks have gotten, now that AI and LLMs are very advanced and more capable. To put things in perspective, more than $640 million was lost to deFi hacks and

2026-06-23 原文 →
AI 资讯

Why We Chose AGPL Instead of MIT for Neural Inverse Cloud

When we open sourced Neural Inverse Cloud, the easiest choice would have been MIT. Most developers like MIT. It's short, permissive, and widely adopted. If you've released an open-source project before, MIT is probably the first license you considered. We didn't choose it. We chose AGPL. Not because we dislike permissive open source. Not because we want to restrict users. We chose it because infrastructure software plays by different rules. The Infrastructure Problem MIT works incredibly well for libraries. You publish code, developers use it, and occasionally improvements flow back into the project. Nobody is forced to contribute, but community norms often make it happen anyway. Infrastructure software is different. Cloud IDEs, databases, developer platforms, deployment systems, and backend services can be monetized without ever distributing the source code. A company can: Fork your project Add proprietary features Launch a hosted version Build a competitive advantage on top of community work Never contribute anything back The original project does all the R&D. The fork captures the value. We've seen this pattern repeatedly across open-source infrastructure over the last decade. Why AGPL Exists AGPL closes a loophole that traditional open-source licenses leave open. With GPL, if you distribute modified software, you must publish your changes. But what if you never distribute the software? What if you simply run it as a hosted service? That's where AGPL comes in. If you modify AGPL software and provide it to users over a network, you must also provide the source code for those modifications. That applies to everyone. Including us. If we improve Neural Inverse Cloud, those improvements stay open. If someone else builds a SaaS business on top of it, their modifications stay open too. Why This Matters for Users We wanted users to have guarantees. With AGPL: You can self-host the latest version Community improvements remain accessible No company can create a permanently

2026-06-22 原文 →
AI 资讯

Intelligence Brief: The Disinformation Machine

The Disinformation Supply Chain: How Coordinated Influence Campaigns Are Built Before They Go Viral Article from Digital HUMINT Series, For better understanding read the full report Right now, somewhere on X/forum people are fighting about a post that feels real raw, emotional, perfectly worded to hit a nerve. It has the right language, the right anger, the right timing. It sounds like someone who thinks exactly the way you do, or exactly the way you hate. It wasn't written there. It wasn't written today. And the person who wrote it doesn't care about the issue at all. That post was created two or three days earlier, on a hidden forum or a private chat group, following a set of instructions that described who to target, what emotions to trigger, which platform to use, and how much the job pays. By the time you see it, the operation has already worked. You engaging with it for or against is the whole point. I've spent almost two decades watching these hidden spaces where online manipulation is planned. What I've learned isn't that fake content exists everyone knows that by now. What most people don't realize is that it works like a factory. There's a production line. There are workers, managers, and paychecks. And just like any factory, if you know where to look, you can see the product being assembled before it ever reaches the shelf. It Works Like Any Other Business We talk about "disinformation campaigns" as if they're political movements. Some are. But more and more, what you're actually looking at is a business with four steps, each handled by different people, often in different countries. Step 1 — Someone writes the plan. A person with a goal and a budget writes a document that says: push this story, target these kinds of people, make them feel this emotion, use this language, post it on these platforms. These plans used to appear on hidden internet forums. Many have moved to private Telegram groups, but the structure hasn't changed since I first saw it in 201

2026-06-17 原文 →
AI 资讯

5 Claude Code Skills Every ADHD Developer Needs

I have built 114 Claude Code skills. Most of them are engineering plumbing. But five of them exist for one reason only: my executive function has specific, repeatable holes, and I got tired of falling into the same ones. These five are not productivity hacks. Each one maps to a named ADHD deficit, and each one fills it the same way every time so I do not have to re-improvise around my own brain at 2pm. If you want the broader system this sits inside, start with my Claude Code ADHD workflow and the CLAUDE.md guide . This post is the skills layer specifically. What Is a Claude Code Skill? A skill is a named, repeatable workflow you invoke with a slash command. Instead of re-prompting Claude Code from a blank slate every time ("okay, help me figure out what to work on, here is my situation again..."), you type /adhd-task-triage and it runs the same defined steps it ran yesterday. For an ADHD brain, that determinism is the feature. The skill does not depend on me remembering how to drive it. It just runs. Custom skills live in a .claude/skills/<name>/SKILL.md file that describes what the skill does and when it should fire. You can build one for any gap you fall into more than twice. 1. adhd-task-triage: Energy-Based Prioritization The gap it fills: task initiation paralysis. Standard task managers sort by priority or deadline. That assumes you can act on the top item by willpower. ADHD does not work that way. The top-priority task and the task you can actually start right now are often different tasks, and trying to force the high-priority one when your initiation circuit is offline produces zero output and a guilt spiral. adhd-task-triage sorts by available energy , not importance. You tell it where you are (wired, foggy, depleted), it looks at the work in front of you, and it hands back the task that matches the state you are actually in, not the one you wish you were in. /adhd-task-triage Why it helps specifically: it removes the moral framing. The question stops bei

2026-06-16 原文 →
AI 资讯

The contract is clean - for now: catching crypto scams that survive launch-time checks

Most token scam detectors, including the one I work on, share one implicit assumption: the contract you analyze at launch is the contract people will trade. Read the source, simulate a buy and a sell, cluster the deployer, score it, done. That is a snapshot. And a snapshot is exactly what a patient scammer plays against. Two token designs pass every launch-time check and then turn hostile later. This is how they work, and the two on-chain techniques we shipped this week to catch them. Design 1: the delayed honeypot A honeypot is a token you can buy but cannot sell. The classic version is non-sellable from block one, so a buy-then-sell simulation catches it instantly. The patient version is sellable at launch. Early buyers sell fine, the chart looks healthy, the token earns a clean verdict from every checker that judged it at T0. Then, days later, the operator flips a switch: a timed blacklist that rejects transfers after a block height or timestamp, a setTrading(false) / pause() kill switch pulled once liquidity has accumulated, a fee setter cranked to 100% on sells. From that moment it is a honeypot. But the only verdict on record is the clean one from launch day. The detection ran once, at the worst possible time to run it. Fix: re-simulate at J7 We keep post-launch snapshots of every token at J0, J7 and J30 (originally to catch slow rugs: volume collapse, late LP burns). The new piece re-runs the full buy/sell honeypot simulation at J7, but only for tokens that were genuinely sellable at J0. A clean-to-honeypot flip is the signal: // Only for tokens sellable + tradable at J0 - a clean->honeypot flip is the point. // Bounded per run because it is RPC-heavy. const eligible = ! j0 . risk_flags . some (( f ) => J0_SKIP_RESIM_FLAGS . has ( f )); if ( rpc && eligible && resims < resimLimit ) { const isNowHoneypot = await detectLateHoneypot ( rpc , tokenAddress ); if ( isNowHoneypot ) flags . push ( " late_honeypot " ); // +40 risk at J7 } One rule we hold to: an RPC hi

2026-06-15 原文 →