Windows 11 sucks slightly less now, thanks to a June update
The update brings a low-latency profile, speeds up search, and patches hundreds of flaws.
找到 669 篇相关文章
The update brings a low-latency profile, speeds up search, and patches hundreds of flaws.
Typing a few letters and numbers into my web browser, I find myself gaping at the identity documents of complete strangers. The passport of a young woman from Germany. The passport of a man from Spain with glasses resting on his head. The front and back of another man's driver's license, a stereotypically goofy expression […]
Camouflage has always been graded by human eyes. But the thing hunting for you in 2026 is increasingly a detection model — so test against that. The premise Surveillance is automated now: drones, trail cameras, perimeter systems — most of what "sees" runs an object-detection network. Which makes traditional camouflage evaluation (a person squinting at a photo) the wrong test. The right test is adversarial: run the actual detector against your concealment and measure what it finds. That's the whole demo: upload a photo, and an object-detection model hunts for people in it — at four simulated distances — producing a detection-range profile and a stealth score. Simulating distance with pixels You can't move the camera after the photo is taken, but you can simulate the dominant factor in long-range detection: pixels on target . A person at 50 m simply occupies far fewer pixels than at 5 m. So each analysis run downscales the image progressively and re-runs detection: const DISTANCE_LEVELS = [ { label : ' Close (~5m) ' , scale : 1 }, { label : ' Mid (~15m) ' , scale : 0.45 }, { label : ' Far (~30m) ' , scale : 0.22 }, { label : ' Very far (~50m) ' , scale : 0.12 }, ]; for ( const level of DISTANCE_LEVELS ) { const scaled = drawScaled ( image , level . scale ); const detections = await model . detect ( scaled , 10 , 0.15 ); // best 'person' confidence at this simulated range } The output reads like a range card: detected at 5 m with 96% confidence, 41% at 15 m, invisible beyond 30 m. A stealth score aggregates it: how poorly did the adversary see you, averaged across ranges? Honest about the model The detector is COCO-SSD (a pretrained MobileNet-based model from the TensorFlow.js team) running entirely on-device — I didn't train it, and the demo says so on the page. The contribution here is the evaluation framework : using detectors as adversaries, simulating range, and turning subjective "good camo" into a measurable profile. The full version of this concept goes further
Introduction and Background The Rust ecosystem, celebrated for its memory safety and performance, relies heavily on crates —its package management system. These crates, hosted on the crates.io registry, are the building blocks of Rust projects, enabling developers to share and reuse code efficiently. However, this convenience comes with a hidden cost: a single compromised crate can cascade into a full-blown supply chain attack, as recently demonstrated by the 'onering' crate compromise . The Role of Crates in the Rust Ecosystem Crates serve as the backbone of Rust's dependency system. When a developer adds a crate to their project, Cargo , Rust's package manager, automatically resolves and includes all transitive dependencies. This mechanism, while streamlining development, amplifies the attack surface . A malicious crate, like 'onering', can propagate through multiple projects, executing harmful code during build or runtime. The attack on 'onering' exploited this very mechanism, leveraging the trust inherent in the Rust ecosystem to exfiltrate sensitive code from unsuspecting systems. The 'onering' Compromise: A Case Study in Supply Chain Vulnerability The 'onering' crate was compromised through a malicious code injection during an upload or update. This injection bypassed the insufficient security measures of the crates.io registry, which lacks robust checks for uploaded crates. Once deployed, the malicious code executed during the build process, exfiltrating sensitive data from systems that depended on it. The attack's success underscores the lack of developer vigilance regarding supply chain security and the overreliance on registry integrity . Systemic Failures and Their Mechanisms Insufficient Security Scanning: The crates.io registry failed to detect the malicious code during upload due to limited automated scanning capabilities . This allowed the compromised crate to enter the ecosystem undetected. Overreliance on Registry Security: Developers often trust cr
The ShinyHunters hacking gang claims to have compromised the Oracle PeopleSoft servers of more than 100 organizations, including many universities.
“Defenders cannot afford to take weeks to patch,” one Cybersecurity and Infrastructure Security Agency official warned on Wednesday.
US lawmakers are alarmed that Bill Pulte, a housing official with no intelligence experience, is poised to take charge of one of the government's most powerful surveillance tools.
North Korean hackers posing as remote IT workers and recruiters remain a major threat to U.S., European, and Asian companies, accounting for about half of all attacks over the past 12 months.
This is a follow-up to my earlier posts, and it is more of an open question than an answer. I have the data, I have a way to act, and I am genuinely unsure that acting is the right call. I could use the community's help thinking it through. Last week a supply-chain worm got into my GitHub account and repositories. I got out, cleaned up the proper way, and wrote it up. Then I checked the public list of repositories hit by the same worm, to see how the cleanup was going across the ecosystem. Nearly a week later, most of them are still carrying the live payload. It is worse than a count When you look closely, a lot of the owners are clearly trying. But they are missing how this actually works, in two ways that matter: Deleting is not removing. They remove the malicious files with an ordinary commit. That takes the payload off the branch tip, but the commit that introduced it is still in history, and the blob is still recoverable by anyone who reverts or checks out the old commit. The only real removal is rewriting history (reset, not revert) and asking GitHub to purge the objects, because the fork network keeps them reachable by SHA. One branch is not all branches. They clean the branch they know about and never see the backdated copies the worm planted on other branches, which are still live. And the part that genuinely worries me: some of these owners are almost certainly opening the infected repository in VS Code or an AI assistant to fix it , which is exactly the trigger that runs the payload again. The act of trying to clean it can re-detonate it. So: a large number of repositories still carrying a live credential stealer, and a large number of owners and contributors who do not know they are still exposed. The dilemma Here is where I am stuck. There are two paths and I do not like either. Report them to GitHub. Their response is automated and blunt. The repo gets disabled, with no human in the loop, the same hands-off automation that locked me out of my own accou
Cybersecurity researchers are complaining that Anthropic's new model Fable has guardrails that are too strict for any cybersecurity work.
Reentrancy is the oldest trick in smart contract exploitation. The DAO fell to it in 2016. You would think a bug this famous would be extinct by now. It isn't. Protocols still lose millions to reentrancy every year, because the textbook version is the easy one, and attackers stopped using the textbook version a long time ago. This post walks through the classic bug, then the modern variants that still bite in 2026: cross-function, cross-contract, read-only reentrancy through view functions, and callback reentrancy through ERC777 and ERC721. I'll show why ReentrancyGuard is not the silver bullet most developers think it is, and how an LLM-based auditor reasons about the call-then-state-change pattern in a way pattern matchers can't. The Classic: Single-Function Reentrancy Here is the canonical vulnerable withdraw. contract VulnerableVault { mapping(address => uint256) public balances; function deposit() external payable { balances[msg.sender] += msg.value; } function withdraw() external { uint256 amount = balances[msg.sender]; (bool success, ) = msg.sender.call{value: amount}(""); require(success, "transfer failed"); balances[msg.sender] = 0; // state update AFTER the external call } } The attack is simple. The attacker is a contract. When withdraw sends ETH via msg.sender.call , control passes to the attacker's receive() function before balances[msg.sender] is zeroed. The attacker calls withdraw again. The balance is still the original amount, so the vault pays out again. Repeat until the vault is empty. contract Attacker { VulnerableVault vault; receive() external payable { if (address(vault).balance >= 1 ether) { vault.withdraw(); // re-enter before balance is zeroed } } } The fix is checks-effects-interactions. Do all your checks, then update all your state, and only then make the external call. function withdraw() external { uint256 amount = balances[msg.sender]; balances[msg.sender] = 0; // effect first (bool success, ) = msg.sender.call{value: amount}(""); //
ServiceNow is used by thousands of enterprises to automate their internal processes, but says several customers had data accessed because of a security bug.
After over a decade, Steam will no longer sell physical gift cards in stores. In a support page spotted earlier by Windows Central, Valve says it will no longer restock its gift cards once they run out, citing scammers who "continue to have an impact on Steam customers and other unsuspecting individuals." In its post, […]
The ACLU is suing two Florida police departments over the arrest of a Fort Myers man in a child-abduction case, saying officers treated a flawed face-recognition match as a near-certain ID.
You built a workflow worth sharing — and it works perfectly. Until someone else imports it. The bottleneck is the API key. Use yours, and every user is billed against your account. Use theirs, and they each have to find the credential UI, paste their key, and reconnect every time. Both are friction. The cleaner option is to let the workflow ask for the key on the form, then thread it through to the HTTP nodes that need it. It's simpler than it sounds. This post walks through the pattern with a working credential setup, an alternative for single-node simple cases, the gotchas, and a note on what this enables for custom node authors. The screenshots below come from n8n's built-in Bearer Auth credential and from the n8n-nodes-ldxhub package's own credential schema. The technique itself is generic — what's shown here works for any HTTP-node workflow and any custom node that supports expression-mode credentials. The form asks, the credential listens The simplest case: a Form Trigger collects an API key, then an HTTP node hits an authenticated endpoint with that key. Two nodes, one bridge between them — but the bridge isn't a direct expression. It runs through a credential. The flow: Form Trigger collects api_key (use the Password element type for masking) A Bearer Auth credential references that form input via expression HTTP node picks the credential The Form Trigger is straightforward. Add one field: Form Trigger Form Fields : - Label : API Key - Element Type : Password - Custom Field Name : api_key - Required Field : yes Element type matters. Use Password instead of Text and the input gets masked on screen — the key isn't readable to someone glancing at the browser. Here's the rendered form a user sees when they open the workflow URL: Wiring the credential to expression mode For a Bearer token (which is what most modern APIs use), create a new credential of type Bearer Auth — a generic credential built into n8n that's purpose-built for Authorization: Bearer ... header
OAuth for Remote MCP Servers How each AI assistant signs in to a remote MCP (Model Context Protocol) server, and why the flow differs by client and by where it runs. Overview The protocol throughout is standard OAuth 2.1 — an open, widely implemented authorization standard. The human sign-in runs through oauth2-proxy , one of the most widely deployed open-source auth proxies; the only deployment-specific piece is a thin, spec-conforming authorization server (the /oauth endpoints) that hands MCP clients their tokens. Every client ends up the same way — a person signs in against Google (restricted to your organization's domain), and the client holds a short-lived bearer token it presents on each /mcp call. Two things differ between assistants: where the client runs (a machine on the VPN — private — vs. the vendor's cloud — public ), which decides the host it reaches; and what kind of OAuth client it is — a public client proving itself with PKCE (Proof Key for Code Exchange, which lets a client with no secret prove the token request comes from the same client that started the flow), or a confidential client proving itself with a secret. The participants oauth2-proxy — the public-facing reverse proxy. It authenticates the human against Google (the sign-in restricted to your organization's domain) and forwards the verified identity to the app behind it. Only oauth2-proxy faces the internet. It is a mature, heavily-deployed open-source project — the standard way to put Google/OIDC (OpenID Connect) single sign-on in front of a service, widely used in Kubernetes deployments — so the most security-sensitive leg of the flow (the OAuth exchange with the identity provider) runs on battle-tested code. The MCP server — the app on a loopback port behind the proxy. It plays two roles: the OAuth authorization server ( /oauth/authorize , /oauth/token , /oauth/register , .well-known discovery) and the /mcp tool endpoint. It mints codes and tokens, and validates a token on every /mcp c
The organization claims that the FIFA tournament could have impacts on the rights of local people and visiting soccer fans in all three host countries.
Most US World Cup stadiums are surrounded by surveillance cameras. Want to know if you’re being watched on your way to a match? These maps will help you.
From anti-drone tech to face recognition, 2026 World Cup stadiums in the US, Canada, and Mexico are subjecting fans to an array of surveillance tech. Here’s what you need to know.
📝 Originally published on unfoldcms.com — reposted here for the DEV community. (I work on UnfoldCMS.) A coupled CMS puts the admin login on the same hostname visitors reach. A headless CMS puts it on a different hostname behind auth. That single architectural difference is why headless CMS security is meaningfully better than traditional coupled-CMS security on most real-world dimensions — and it's also why the comparison gets oversimplified into "headless is more secure" when the truth is more interesting. This post is the architectural take on headless CMS security : why decoupled is safer on most dimensions, where it can be less safe if you don't handle API hygiene properly, and what the honest comparison looks like in 2026. TL;DR : headless wins on attack-surface reduction (admin off the public hostname, smaller plugin attack surface, API-first auth model) but loses on dimensions teams typically don't think about (exposed APIs without rate limits, JWT misuse, secrets in frontend code, draft preview tokens leaking). A well-built headless CMS is meaningfully more secure than a typical WordPress site; a poorly-configured headless CMS can be worse than a maintained WordPress site. The architecture biases toward safer; the implementation determines actual outcomes. The audience: technical decision-makers and security-conscious teams comparing CMS architectures with security as a deciding factor. If you're earlier in the architectural decision, see headless CMS vs traditional CMS: key differences . For the WordPress-specific security picture this post compares against, WordPress security problems in 2026 . The Attack Surface Difference The single biggest architectural difference between coupled and headless CMS security is where the admin lives . A traditional WordPress site puts the admin login at yourdomain.com/wp-admin . The same hostname your visitors reach. The same SSL cert. The same Cloudflare config. Every brute-force attempt, every credential-stuffing bot, ev