今日已更新 412 条资讯 | 累计 19972 条内容
关于我们

标签:#TRAI

找到 21 篇相关文章

AI 资讯

Developing a Practical, Ethical Web/AppSec Learning Platform for Modern Vulnerabilities and Patterns

Introduction: The Need for Modern Web/AppSec Training The cybersecurity landscape is evolving at a breakneck pace, but the tools we use to train the next generation of defenders are stuck in the past. Most web/appsec learning platforms still focus on basic, textbook vulnerabilities —XSS popups, simple SQL injection, or trivial IDORs. These labs are like teaching someone to swim in a kiddie pool; they might grasp the concept, but they’re ill-prepared for the open ocean of modern web applications . The gap isn’t just in depth—it’s in relevance . Real-world apps today are complex, API-driven, and riddled with subtle, pattern-based vulnerabilities that don’t fit into neat, isolated lessons. Consider this: a developer misconfigures a GraphQL endpoint, exposing an entire database. Or an API leaks sensitive data because of a flawed rate-limiting mechanism. These aren’t edge cases—they’re common mistakes in modern apps. Yet, most training platforms ignore them, leaving learners to either stumble upon these issues in the wild or remain oblivious. The result? A workforce of security professionals who can theoretically exploit a vulnerability but struggle to identify or fix it in a real-world context . The problem isn’t just outdated content—it’s the lack of ethical, hands-on practice environments . Many aspiring security professionals resort to illegal or gray-area practices to gain experience, risking legal consequences and ethical dilemmas. What’s needed is a platform that simulates real-world scenarios without crossing ethical boundaries, one that teaches not just how to exploit but also why vulnerabilities occur and how to fix them . Here’s the core issue: modern apps are systems, not isolated components . A vulnerability in one part—say, a file upload feature—can cascade into a full account takeover if combined with a session management flaw. Most labs fail to teach this interconnectedness , leaving learners with a fragmented understanding. A practical platform must brid

2026-07-03 原文 →
AI 资讯

Why IT Training Matters More Than Ever in Nepal

A look at what's actually changing in Nepal's job market, what it means for students and working professionals, and what separates training that gets you hired from training that just gives you something to print on a resume. Nepal is at an interesting crossroads right now. On one side, the country still carries the weight of a job market that hasn't kept up with its graduates. Every year, more than 500,000 young people enter the workforce. The economy, for all its resilience, simply does not generate enough traditional jobs to absorb that number. The result is familiar to most Nepali families: children who studied hard, passed their exams, collected their certificates, and then spent months, sometimes years, waiting for something to happen. On the other side, something genuinely different is building. Nepal's IT exports crossed $1 billion in 2025, according to NASIT's estimates. Software and BPO exports grew over 20% in the first seven months of fiscal year 2024/25 alone. The government's 16th development plan has set a target of 250,000 new IT jobs and a 5% GDP contribution from the sector by 2029. International companies, from Indian IT majors to US-based outsourcing firms, are paying attention to Nepal in ways they weren't a decade ago. These two realities exist at the same time, in the same country, often in the same family. A brother driving a taxi while his younger sister lands a remote software development contract earning more than their father ever did in a government job. The difference between those two outcomes, more often than not, comes down to whether someone made the decision to learn something the market actually needs, and found a way to learn it properly. That's what this piece is about. The Skills Gap Problem Nobody Talks About Enough Nepal's IT sector is growing, but that growth comes with a problem attached: a persistent, widening mismatch between what employers need and what most fresh graduates can actually do on day one. Companies like Deer

2026-06-23 原文 →
AI 资讯

The Chomsky Objection the AI Industry Has Been Quietly Working Around

A useful technical idea, repeated often enough, eventually generates an unuseful philosophical claim. The current example is grammar-constrained decoding. The technique is straightforward — at each generation step, the language model's next-token logits are masked so that only tokens whose continuation can satisfy a formal grammar remain selectable; the output is, by construction, structurally valid. JSON parses. SQL is well-formed. Function-call signatures match. There is a real engineering payoff and a healthy ecosystem of libraries that deliver it. The drift is not in the engineering. It is in the rhetorical move that follows the engineering. A growing corner of 2025-2026 AI writing argues, more or less explicitly, that constraining a model's output is making the model approach meaning — that filtering linear sequences is somehow building structure, and that structure is somehow building understanding. I want to take that drift seriously, because it is the same conflation Chomsky and collaborators flagged in their March 2023 essay in the New York Times , and the engineering literature on constrained decoding agrees with Chomsky on the substantive question, even when the marketing copy doesn't. What grammar-constrained decoding actually is A language model produces output one token at a time. At each step, the model emits a probability distribution over its vocabulary, and the decoding strategy (greedy, top-k, nucleus, etc.) picks one token. Without modification, the model is free to emit any continuation; the resulting text might happen to be valid JSON, or it might not. Grammar-constrained decoding intervenes in that step. A formal grammar — typically a context-free grammar, sometimes a regular expression, sometimes a JSON schema or Pydantic model — defines what counts as valid output. At each generation step, the constraint engine computes which next tokens could lead to a continuation that is still satisfiable under the grammar, masks the logits for all other

2026-06-10 原文 →
AI 资讯

Device Code Flow: The Overlooked Phishing Vector (And How to Block It)

Device Code Flow abuse is not a new technique. Security teams have known for some time that this OAuth feature can be leveraged in phishing attacks to obtain tokens without stealing credentials. What is new is how accessible and scalable this attack has become. In April 2026, the FBI warned about a Phishing-as-a-Service (PhaaS) platform called Kali365, which operationalizes this exact technique. It allows even low-skilled attackers to run campaigns that trick users into entering device codes on legitimate Microsoft login pages — ultimately granting attackers OAuth tokens and acess to Microsoft 365 environments without triggering traditional authentication defenses. How Device Code Flow Works Device code flow is an authentication method designed for scenarios where a device has limited input options or lacks a convenient browser interface (such as smart TVs, IoT devices, or command-line tools). Instead of entering credentials directly on the device, the application generates a verification code and displays it. The user then switches to a secondary device (such as a laptop or smartphone), navigates to https://microsoft.com/devicelogin , and enters the provided code. After successfully authenticating, the identity provider securely links the session and grants the original device access to the requested resource. Why Device Code Flow Should Be Restricted In practice, many organizations don’t have a real or current business need for device code flow, yet leave it enabled—unnecessarily expanding their attack surface. Disabling it helps reduce exposure by removing a legacy or rarely used authentication path and reinforces modern controls. Microsoft recommends getting as close as possible to a full block. Start by auditing existing usage, validate whether any legitimate scenarios still require it, and strictly limit access only to well-defined, secured, and documented use cases (e.g., specific legacy tools). In all other cases, device code flow should be disabled by defau

2026-06-01 原文 →