Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
Public exploits have been released for the critical “wp2shell” remote code execution vulnerabilities affecting WordPress Core, making it imperative that administrators patch their sites immediately.
The wp2shell attack consists of two flaws, tracked as CVE-2026-63030 and CVE-2026-60137, that can be chained together to achieve pre-authentication remote code execution against WordPress installs running versions 6.9.x and 7.0.x.
The flaws were discovered by Adam Kues of Searchlight Cyber, which says an unauthenticated attacker can exploit them against a default WordPress installation.
“Searchlight Cyber’s security research team has discovered a pre-authentication RCE in WordPress Core,” explained Searchlight Cyber.
“The attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins.”
Searchlight Cyber estimates that more than 500 million websites use WordPress, giving the vulnerability a potentially massive impact, especially now that public proof-of-concept exploits have been released.
Due to the severity of the vulnerabilities, the WordPress security team has enabled forced automatic security updates for supported installations running affected versions, urging site owners to update to WordPress 7.0.2 or 6.9.5 immediately.
“Because this is a security release, it is recommended that you update your sites immediately,” WordPress said in its security announcement.
“Due to the severity, the WordPress.org team have enabled forced updates via the auto-update system for sites running affected versions.”
The issue is not a single vulnerability but rather two independent flaws that can be combined into an unauthenticated remote code execution chain.
The first flaw, CVE-2026-63030, is a REST API batch-route confusion vulnerability introduced in WordPress 6.9. According to the GitHub advisory, the flaw can be combined with the SQL injection issue to achieve remote code execution.
The second vulnerability, CVE-2026-60137, is an SQL injection flaw in the ‘author__not_in‘ parameter of ‘WP_Query'. WordPress describes it as a high-severity SQL injection vulnerability affecting WordPress 6.8 and later.
According to the WordPress advisories, the complete RCE chain affects WordPress 6.9.0 through 6.9.4 and WordPress 7.0.0 through 7.0.1.
The SQL injection vulnerability also affects WordPress 6.8.0 through 6.8.5, but cannot be chained to remote code execution because the REST API batch-route confusion bug was added in WordPress 6.9.
The full wp2shell attack chain has been fixed in WordPress 6.9.5 and 7.0.2.
Searchlight Cyber is currently withholding technical details to give administrators time to patch, instead creating the wp2shell.com website, which allows admins to test whether their WordPress installations are vulnerable.
For organizations unable to immediately update, Searchlight Cyber recommends:
/wp-json/batch/v1 and ?rest_route=/batch/v1 at a WAF level.
The company warns these mitigations should only be used as a temporary measure until systems can be updated.
Cloudflare also announced that it has deployed Web Application Firewall (WAF) protections for both vulnerabilities across all plans, including free accounts, that are proxied behind its platform.
According to Cloudflare, the rules block attempts to exploit both the SQL injection flaw (CVE-2026-60137) and the REST API batch-route confusion vulnerability (CVE-2026-63030).
“WAF protections reduce exposure while customers update, but they are not a substitute for patching,” Cloudflare said.
While Searchlight Cyber delayed releasing technical details to give administrators time to patch, multiple public proof-of-concept exploits have since been published on GitHub.
Some publicly available exploits combine the two vulnerabilities to extract WordPress password hashes via SQL injection, then crack an administrator password to log in, upload a malicious plugin, and execute commands.
However, other proof-of-concept exploits claim to achieve pre-authentication remote code execution without requiring administrator credentials, which is more in line with Searchlight Cyber’s description of the flaws.
BleepingComputer has contacted Searchlight Cyber to confirm that its attack chain does not require an administrator password.
Security firm watchTowr says it has already seen in-the-wild exploitation after the public exploits were released.
“WordPress gets a bad rap for security. But the reality is that a highly impactful, unauthenticated SQL injection or remote code execution vulnerability in WordPress core is actually fairly rare,” watchTowr CEO Benjamin Harris told BleepingComputer via email.
“That is exactly what makes this one different, and why everyone is scrambling to patch before widespread exploitation takes hold. The watchTowr team is already seeing PoC exploits in circulation, and we are beginning to see the first signs of in-the-wild exploitation.”
Given the availability of public proof-of-concept exploits and the first reported signs of in-the-wild exploitation, administrators should ensure their sites are updated to WordPress 7.0.2 or 6.9.5 as soon as possible.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
One of the major strengths of the BASIC programming languages has always been their no-fuss setup and rich set of commands for operations that would take considerably more work in a bare-bones language like C. MoonBASIC continues this legacy with a BASIC variant optimized for both 2D and 3D game development.
Included in the package are Raylib, Box2D, and Jolt, whose functionality is exposed via over 4,200 commands in their respective namespaces. You can also download a whole IDE package based around VS Code, use it on the command line, or add it to an existing VS Code installation.
A quick glance at the ‘getting started‘ guide gives a pretty good idea of what to expect of MoonBASIC, including a range of custom language additions and support for PBR materials, dynamic lighting, and other modern game engine features.
Whether writing a game in BASIC was on your bingo card for this year or not, it might be worth taking a look to see whether it’s your jam. After all, if BASIC was good enough for both AI and game development in the 1980s, surely it can be used for complex games in 2026.
This is not going to be a popular review because it is one of my rare negative-leaning takes on a new release by Terry Callier, a fine, if underappreciated, folk singer with a rich style that falls somewhere between Richie Havens and Tim Buckley.
While I have no problem with the artist, the music, or even the underlying performance on Terry Callier at the Earl of Old Town (Time Traveler Records), I felt an obligation to offer some perspective on the underlying value proposition of the vinyl edition. The promotional buzz surrounding this recent Record Store Day release appeared promising:
“These 1967 live tapes—unearthed from a private archive were recorded by Joe Segal in Chicago at The Earl of Old Town Club. Showcasing Callier’s distinctive blend of folk, soul, and jazz in its purest form. His intricate guitar work, luminous voice, and spiritual depth are presented in stunning clarity, giving both longtime fans and new listeners an unfiltered glimpse into a foundational moment in American music history. Transferred from the original tapes, restored by Joe Lizzi and mastered by Matthew Lutthans at The Mastering Lab. The limited-edition 180-gram 2-LP edition includes a booklet with rare photographs and newly commissioned liner notes… “

Sounds super appealing, right? Unfortunately, as is sometimes the case with archival releases, the reality is a bit different from the pre-release promotional descriptions.
As a lifelong Deadhead, I certainly appreciate a good audience-captured, fan-made unofficial recording. I get it. Rare recordings like this are invaluable for better appreciating an artist’s life’s work. Accordingly, I can even love a less-than-perfect archival recording if it is presented in its proper context. And therein lies the rub: Terry Callier at the Earl of Old Town is presented as “restored,” but it sounds far from that. For an album selling for upwards of $50 when you add taxes and shipping, it feels like a bit much.

As I listened to this just-OK-quality, lo-fi, audience-sounding recording, I questioned whether it really needed to be pressed as a fancy double 180-gram audiophile vinyl set. Coupled with the relatively short performance time of approximately 58 minutes, I suspect it could have been mastered to fit on a less costly, standard-weight 140-gram single LP without a significant sacrifice in fidelity. I’ll put it this way: if Herbie Hancock and Chick Corea could issue a live album in 1978 with a 35-minute-long side, a 30-minute side in 2026 should be feasible. Just sayin’!

For example, there are warbles audible during “The Last Thing on My Mind,” indicating that the recording was damaged somehow. There are moments of distortion throughout. Mr. Callier was playing in a small club before a relative handful of patrons who are polite except when they aren’t, so there is a fair amount of talking in the background during some tunes. In short, this is a far-from-perfect document. I guess that is the “unfiltered glimpse” part of the offering noted above.

Terry Callier At The Earl of Old Town is currently selling for $46.02 at Amazon. Of course if you are a deep fan, you probably already own this. However if you’ve been on the fence you might be better off going for the less pricey 2CD version, which you can find on Amazon for $23.56 — although I need to point out that at 58 minutes in length, it could have been all put on a less expensive-still single CD. Alternately, you might just want to simply wait until the prices come down on both of these options.
★★★★★★★★★★ Music
★★★★★★★★★★ Sound Quality
★★★★★★★★★★ Pressing Quality
Mark Smotroff is a deep music enthusiast / collector who has also worked in entertainment oriented marketing communications for decades supporting the likes of DTS, Sega and many others. He reviews vinyl for Analog Planet and has written for Audiophile Review, Sound+Vision, Mix, EQ, etc. You can learn more about him at LinkedIn.

Greenhill Forge wanted to find out whether solar air heating could handle actual laundry drying without relying on a big electric heating element. The short answer from his latest build and test is yes, and the numbers make a strong case for it. He connected an upgraded solar air collector panel directly to a standard clothes dryer. The panel supplies heated air that replaces the usual 2,400-watt electric element. In the real-world trial, a test shirt came out completely dry after one hour. The only electricity consumed during that hour went to spinning the drum. Total draw sat around 155 watts.
This corresponds to more than ten times less power as a standard electric dryer. The heating burden just evaporated, replaced by free solar energy harvested on-site. Greenhill Forge has been experimenting with solar air heating on his little rural homestead for a long time. Previously, he conducted side-by-side studies on five distinct collection designs, each measuring approximately two square meters square. The panels used insulated boxes with clear polycarbonate on top to trap heat, and dark absorber surfaces like black painted corrugated steel or dark insect netting pushed air past or through them.
These tests made it clear that performance varied substantially. The versions with transpired designs (in which air passes through small holes in the absorber) and many layers of black bug net screen functioned remarkably well regardless of sun angle or flow rate. When conditions were good, peak output was around 1400 to 1500 watts of useable heat, with overall collector efficiency ranging from 70 to 80 percent under full sun. This research influenced the design of the new collector for the dryer duty. They built it with a plywood frame, appropriate insulation, a black absorber surface (sheet metal or the better insect net solution), and windows. New fans were placed to double air flow over earlier generations, and they even incorporated some extra instruments like a data logger and temperature probes to get a true picture of how it was working rather than speculating.

Air enters the collector, gathers up heat from the sun-warmed absorber, and exits at a usable temperature. A duct then transports the air to the dryer. The only item needed on the dryer side was a modified flange that could handle warm air, and a blower fan was removed or repurposed to accomplish the job. The electric heating element was pulled out of the circuit. Temperature control was critical since clothing can easily be scalded if the air is too hot, and efficiency suffers if the air is too cold. Greenhill Forge created a custom controller using an Arduino board to fix this. It simply monitors the temperature of the air entering the dryer and changes the fan speed to keep the air at the appropriate drying temperature without requiring constant adjustment.

During the test run, the system maintained the heat levels exactly where they needed to be while the drum tumbling the load. 60 minutes later, the clothing were completely dry. The collector did all the hard lifting on the heat side, while the drum motor and controller required only 155 watts in total. This method avoids the losses associated with initially creating power and then converting it back to heat. A solar air collector simply absorbs heat energy and circulates it using a fan. The materials are basic and inexpensive; previous panels cost roughly $100 to construct. The improved version maintained the same down-to-earth approach while ticking boxes to improve durability and output consistency.
[Source]

Pocket cameras are becoming more popular in purses and everyday carry bags because they solve a real frustration. Phone footage seems OK until you play it back on a bigger screen or try to film while moving. Dedicated rigs give better outcomes, but they necessitate time, preparation, and, in many cases, a second set of hands. The Xtra Muse, priced at $329 (was $449), fills that gap without asking buyers to sacrifice features essential for vlogging and trip filming. It has a one-inch sensor, shoots 4K video at 120 fps, and uses a physical three-axis gimbal to steady shots.
The camera stands about 5 and a half inches tall and weighs between a hundred and 280 grams, depending on the setup. It’s big enough to be more than just a tiny smartphone, but not so huge that it can’t fit in your pocket with your wallet and keys. The box has a rough grip and a tiny threaded handle to prevent it from slipping out of your grasp when you need to hold it firmly. A small 2 inch touchscreen on the side allows you to switch from portrait to landscape mode with a single tap, which is useful if you’ve recorded a clip for YouTube or Instagram Reels and don’t want to worry about any of your clips needing additional cropping. The screen brightness increases to 750 nits, making it much simpler to take photos outside in bright sunshine. To be honest, the build quality is sturdy enough to withstand being flung into a purse or pocket, and it comes with a carrying case and wrist strap to keep it secure while on the go.
Sale
Behind a fixed f/2.0 lens with a 20mm equivalent focal length is a 1 inch CMOS sensor that gathers far more light than most phones or action cameras, making a significant difference when shooting indoors or at nightfall. You will notice less noise and greater definition in the shadows, as well as more natural-looking colors. The lens also performs a good job of blurring the background, so you can get a clean subject against a chaotic background without changing any settings. If you want to get serious about your stills, the maximum resolution is 9.4 megapixels, which is more than enough for the types of fast social posts or reference images you’d be creating while on the go. The sensor, on the other hand, significantly improves video quality, particularly when combined with the 10-bit X-Log color profile.
The three-axis mechanical gimbal only moves the camera head, not the body. So whether you’re walking, jogging, or scooting around on a bike or skateboard, handheld shots will be rock solid smooth, and because it’s a mechanical system, you shouldn’t see any of the nasty warping or stretching that digital stabilization can cause, so your footage will simply look really solid and stable. Slow-motion options include 4K at 120fps and 1080p at 240fps. When you slow down footage that much, it really hits home exactly how rapid (or otherwise) the action was, and the gimbal still keeps the subject right in frame, even at those super-slow rewind periods.

A Master Follow mode makes face and object tracking much easier, essentially keeping a subject in your sights while the camera is mounted on a tripod or in your hands (as long as they are steady). Simply double-tap to lock onto that subject, and the system will take care of framing changes; there is no need to repeatedly pan back and forth. It’s useful if you’re recording yourself giving a lecture to the camera, or if you want to catch a pet or a child on the move without wrestling with the camera.

A firmware update added support for Bluetooth mics, so you can simply pair your wireless mic straight via Bluetooth, no need for any extra gear or cables dangling from the handle, and real-time audio meters are available on the touchscreen to keep track of your levels. In terms of battery life, you can expect two to three hours of recording time depending on the resolution and functions you use, which should be sufficient for most people for a day of stop-start shooting, especially if you’re a traveler or vlogger.
Age checks are becoming law worldwide. The question is no longer whether platforms verify age, but what happens to the faces they collect — and whether they need to collect them at all.
By Ricardo Amper, Founder & CEO, Incode Technologies
More than 30 age assurance laws are now in force worldwide. The UK is enforcing the Online Safety Act’s “highly effective” age check requirement, with restrictions on under-16 access to social media planned for spring 2027.
Australia’s under-16 rules took effect in December, and the government has signaled its intent to double maximum fines to $99 million after early waves of non-compliance. Brazil’s Digital ECA became enforceable in March 2026, now half of U.S. states now mandate some form of age verification.
Facial age estimation has emerged as one of the most accessible ways to comply. It needs no government ID and no database lookup, which makes it workable for users of all age groups, including those with no documents to show.
In regulated markets, Incode’s data shows users choose it eight out of ten times over other age assurance methods. But it asks people for one of the things they feel least comfortable sharing: their face. And until now, nearly every implementation has worked the same way — capture the face, send it to a server, run the estimate there.
The record shows why that is a growing liability, especially for vendors relying on third party tech stack. According to the Identity Theft Resource Center’s 2025 Annual Data Breach Report, the U.S. recorded 3,322 data compromises last year — a record high and a 79% increase over five years — while supply-chain breaches doubled over the same period.
The same organization found that 63% of consumers have expressed serious concern over biometric data collection.
Meanwhile, the attacks are scaling faster than the defenses. Across more than 7 billion identity verifications processed on its platform, Incode has tracked the rise of agentic fraud — fraud attempts carried out with the help of AI agents.
In 2024, agentic fraud made up 3% of fraud attempts. By the first quarter of 2026 it had reached 40%, and Incode estimates it will exceed 90% within the next 18 months.
Incode’s facial age estimation and passive liveness models now run entirely on the user’s phone, tablet, or laptop – the face is never transmitted and never stored.
See how platforms can meet age assurance requirements worldwide without the user’s face leaving the user’s device.
The industry’s standard answer has been a privacy policy: a written promise that biometric data will be handled with care and deleted after the check happens.
A policy is a legal document. It is not a security control. It cannot stop a breach, an insider, or a compromised vendor; it can only assign responsibility afterward.
Privacy by architecture is a different proposition: build the system so the sensitive data never becomes accessible in the first place. If a face is never transmitted, it cannot be intercepted.
If it is never stored, it cannot be breached. Users do not have to trust anyone’s word. Privacy stops being a promise and becomes a fact of the architecture.
Last month, Incode Technologies, a leader in AI-powered identity verification and fraud prevention, announced a $100 million commitment to advancing privacy-preserving identity infrastructure, alongside its acquisition of Identiq, a company specializing in privacy-enhancing cryptographic solutions for peer-to-peer anti-fraud collaboration.
The funds are directed at on-device processing capabilities, continued R&D in privacy-enhancing technologies, and expanded engineering resources and global footprint.
Two weeks later, the first product was made public. On-Device Age Estimation, launched in July, the first time Incode’s proprietary models run fully on the user’s own device.
Both trace back to architectural decisions made at the company’s founding: verification driven by AI rather than by human access to biometric data, processing pushed to the user’s own device, and fraud collaboration designed to work without exposing data.
On-Device Age Estimation runs two of Incode’s models directly inside the user’s phone, tablet, or laptop: facial age estimation and passive liveness detection, which confirms that a real, live person — not a photo, a deepfake, or a replayed clip — is in front of the camera. The face is analyzed locally and is not transmitted or stored.
What travels onward is the outcome: whether the user meets the platform’s required age threshold. If the check cannot be completed for any reason, the user is automatically offered another verification method selected by the platform.
Making that possible meant shrinking the models. Incode compressed both to roughly a tenth of their original size using knowledge distillation — a technique in which a compact model is trained to reproduce the judgments of a much larger, more accurate one.
The resulting models are small enough to run inside an ordinary browser or app, across a wide range of devices, with no special hardware required.
Because the face is analyzed on the user’s own device, there is no technical way for Incode or any client platform to access a biometric or face image. In plain terms: the user proves their age. The face stays on the device.
An age check that is easy to cheat protects no one. What the device alone cannot fully rule out is tampering with the session itself — an injected camera feed, for example, or a manipulated device. Incode’s server-side layer analyzes session metadata — when and how the session happened, and the characteristics of the device and connection — to detect injection attacks and tampering.
That data contains no facial or biometric information; it exists for fraud detection and session integrity.
Without it, minors could appear as adults and adults as minors, and the result would be worthless for safety and compliance.
Those defenses carry the record of the environments they came from. For more than a decade, Incode’s models have operated in some of the most attacked environments online — banks, fintechs, healthcare, and other high-stakes services where fraudsters bring deepfakes, injection attacks, and replayed video every day.
Incode’s security layer achieves 99% spoof detection across deepfakes, injection attacks, replay attacks, and physical spoofing — the same anti-impersonation standard trusted by eight of the top ten U.S. banks — and has flagged more than 1 million face attacks across Incode’s platform in 2026.
On-Device Age Estimation is the first enterprise-ready offering to combine on-device age estimation with those defenses — a combination the company believes can reset the standard for how platforms verify age worldwide.
The second part of the commitment addresses a different exposure: the way institutions share fraud intelligence. Fraudsters collaborate across institutional boundaries; the institutions defending against them typically work alone, each seeing a fraction of the threat data.
The traditional fix — pooling customer data across institutions — solves one problem by making the other worse. Central data lakes are precisely the kind of target the breach statistics describe.
Identiq spent nearly a decade and invested more than $50 million developing patented privacy-enhancing technology that lets organizations share fraud signals without exposing customer data to any third party.
No central data lakes. No data brokerage.
Integrated into Incode’s platform, that work is projected to reach billions of verifications annually, adding network fraud intelligence to the platform’s capabilities.
“Every institution shared the same concern with us: how do we fight fraud together without giving up control of our customers’ data,” said Itay Levy, Co-Founder and CEO of Identiq.
“Identiq built the answer to that very question. As part of Incode, that answer is now available to every organization that deals with massive amounts of user data.”
The pressure comes from both directions: regulation keeps expanding, and users are increasingly demanding more privacy-preserving ways to meet it. Regulators, meanwhile, are actively deciding which age assurance methods count as effective — which makes this the period in which the standard gets set.
Incode’s position going into that period is a matter of record rather than roadmap: a compliance program spanning SOC 2 Type 2, ISO/IEC 27001, HIPAA Attestation of Compliance, FedRAMP Ready, the Age Check Certification Scheme (ACCS), and the Kantara IAL2 Component Services Trust Mark; more than 7 billion trust checks processed; and now a shipping product where the face never leaves the device, alongside fraud collaboration that never pools the data.
“We have always believed that privacy and fraud prevention are not a tradeoff, but part of the same problem — solved together or not at all,” said Ricardo Amper, Founder and CEO of Incode.
“Age checks are becoming law around the world. Our job is to do what we can so that proving your age asks as little of the user as possible.”
See how On-Device Age Estimation lets platforms meet age assurance requirements without the user’s face leaving the user’s device, and book a walkthrough for your team: incode.com/privacy
Sponsored and written by Incode.
7-Zip version 26.02 was released to fix a remote code execution vulnerability that could allow attackers to execute malicious code by convincing users to open specially crafted compressed files.
The vulnerability, disclosed by Lunbun researcher Landon Peng, exists in 7-Zip’s processing of XZ-compressed data.
According to an advisory from the Zero Day Initiative, specially crafted XZ data can trigger a heap-based buffer overflow, potentially allowing attackers to execute arbitrary code as the user.
While the developer has not published technical details about the flaw, the changes in the 26.02 source code suggest it is related to how 7-Zip tracks available space while decompressing XZ data.
The patch adds checks to ensure the decoder cannot write beyond the remaining available space in an output buffer, helping prevent a heap-based buffer overflow.
The advisory states that exploitation requires user interaction, such as visiting a malicious page or opening a malicious archive file.
As 7-Zip does not include an automatic update feature, users will not receive the security fix automatically. Instead, they must install it manually by downloading the latest version from the program’s official site, 7-zip.org.
Because 7-Zip is one of the most widely used archive utilities on Windows, security flaws impacting its archive features are an attractive target to threat actors.
A phishing campaign or social engineering attack could be used to distribute a malicious archive that exploits the flaw to install malware on vulnerable systems.
This is not far-fetched, as archive vulnerabilities, including those in 7-Zip, have been exploited in past attacks.
In early 2025, a 7-Zip vulnerability that allowed malware to bypass Windows’ Mark of the Web (MotW) security feature was exploited by Russian hackers as a zero-day.
Later that same year, a Russian hacking group exploited a WinRAR vulnerability tracked as CVE-2025-8088 via phishing attacks to install the RomCom malware.
There are currently no reports that attackers are actively exploiting this newly disclosed 7-Zip vulnerability.
However, users are advised to update to version 26.02 as soon as possible to reduce the risk of future attacks.
Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.
The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.
There are many smartwatches that are water-resistant, but rarely is anything fully waterproof. That said, you can safely swim (in freshwater sources) with one that meets an IPX8, IP68 (or higher) rating. But there’s still risk of damage if the watch isn’t dried out after submersion, which is why features like the Apple Watch’s water lock are really handy. With water lock activated, the Apple Watch not only disables the screen so pressure from water doesn’t inadvertently trigger an unintended action, but it also ejects water from inside the device to help it dry faster.
It’s a useful and underrated feature of Apple Watch that every smartwatch should have, especially those that are rated to be safe to wear while swimming. I use this feature often with my Apple Watch Series 11, and I love that it’s automatically triggered any time I hop in a pool or wade in the ocean. It works while scuba diving as well if you have the Apple Watch Ultra, Apple Watch Ultra 2 or Apple Watch Ultra 3, all three of which are safe for deep diving (standard Apple Watches are not).
To manually turn on water lock, which is available on all Apple Watch models from Series 2 and onward, press the side button to open the Control Center. Select the water droplet icon (you may have to scroll down to see it). When the water lock is active, you won’t be able to manipulate the watch screen. It simply won’t respond. Once you come out of the water, press and hold the Digital Crown to unlock the watch. You will see a water ejection mode begin and hear a series of tones, which sound sort of like an ’80s video game, until the process is done.
What’s happening inside the watch when you do this? It’s pretty fascinating. When you press and hold the button, water comes streaming out of the tiny side speaker holes. It’s a lot more water than you might realize or even notice, since it happens so fast and the speakers and water droplets are so tiny. The watch pauses to settle and eject again, repeating this cycle over and over. This is why you have to press and hold the Crown for at least a few seconds instead of a quick press. It keeps you from initiating this process accidentally.
When should you use water lock? It’s a no-brainer to use the water lock feature on Apple Watch if you’re a swimmer or have a pool at home. In fact, you won’t have a choice, since it turns on automatically when you’re engaged in a water exercise like swimming or surfing. As an extra precaution, you might want to turn it on manually using the steps noted above during times when your wrist isn’t completely submerged, but the watch still gets wet. This might be if you wear it in the shower, while washing dishes or just during a run home in the rain. Utilizing this feature will ensure that any residual water is removed.
What happens if you don’t turn on water lock? The watch will likely be fine (assuming it’s a model with a high water-resistance rating), but you run the risk of water pooling inside and causing eventual damage. While that water-resistance rating gives you the confidence to wear an Apple Watch while swimming or doing other water-based activities, you should be aware that water-resistance weakens over time with any device. Keeping as much water out of the insides as possible, especially if you’re swimming in a chlorinated pool, can help prolong the life of your smartwatch. Next time you go for a swim, see if you can spot the water coming out of the side speaker when you press the button. And consider the intricate process that’s happening to keep the watch free of moisture inside.

A coalition of activists and community organizations plans to rally Sunday outside Anduril’s Seattle office, protesting the defense technology company’s development of artificial intelligence-powered military systems and its growing presence in the region.
The demonstration, scheduled for 9:30 a.m. at Anduril’s downtown Seattle office, is being organized by groups including BAYAN Washington, International Coalition for Human Rights in the Philippines and The International League of Peoples’ Struggle. Organizers say the event will highlight concerns about the use of AI in warfare, autonomous weapons systems and the expansion of defense technology companies in Washington state. They expect more than 50 to attend.
“The rally will respond to urgent developments in the expansion of AI weapons companies in Washington State and will expose Anduril as an engine of U.S.-led wars of aggression and a domestic threat to migrant and working class communities,” the organizations said in a statement.
Anduril said it recognizes the right to protest, while defending its work supporting the U.S. military and service members.
“We respect the right to free speech and we understand that protests are a hallmark of democratic expression,” Anduril said in a statement provided to GeekWire. “That said, it is perplexing when people choose to protest a company dedicated to supporting the very military that safeguards those rights.”
The company’s statement continued:
“At Anduril, we’re proud of our role in helping the brave men and women who risk their lives to defend the freedoms that we all enjoy, freedoms that include the right to stand outside and protest our existence. We’ll continue to honor those serving our country, even when others stand in opposition.”
The protest comes as Anduril expands its operations in the Seattle area, including a new maritime manufacturing and testing operation along Seattle’s historic Lake Washington Ship Canal. GeekWire reported earlier this year that the company has taken over the former Foss shipyard, where it is thought to be testing autonomous vessels for the U.S. Navy.
Founded in 2017 by entrepreneur Palmer Luckey, Anduril has become one of the most prominent defense technology companies in the country, developing autonomous aircraft, maritime systems, surveillance technologies and AI-powered software platforms for military and national security customers.
@media (max-width: 600px) {
aside.callout { float:none !important; max-width:100% !important; margin-left:0 !important; margin-right:0 !important; }
aside.callout .callout-img { display:none !important; }
}
The company’s Seattle expansion has drawn attention because of the region’s long history as a hub for aerospace, maritime engineering, artificial intelligence and advanced manufacturing. The new maritime facility on the south bank of the Ship Canal represents a new chapter for a site with deep roots in Seattle’s shipbuilding history.
In announcing the rally, organizers cited the company’s work on autonomous systems, including underwater and surface vessels, and raised concerns about the role of artificial intelligence in global conflicts.
The groups also pointed to the ongoing Rim of the Pacific (RIMPAC) military exercises, a multinational naval exercise held in and around Hawaii. The exercise runs through July 31 and includes participation from dozens of nations.
Anduril has increasingly positioned itself as a technology company focused on modernizing defense capabilities, arguing that faster adoption of advanced software, autonomy and AI can improve the effectiveness and safety of military operations.
Sunday’s event is expected to include speeches, testimonials and cultural performances from participating community organizations.
The rally adds a new point of public debate around Anduril’s expansion in Seattle, as the company builds out its presence in a region already home to major technology companies, aerospace firms and a growing defense innovation sector.
In addition to the new facility at the Foss shipyard, Anduril operates facilities in downtown Seattle and Bellevue, where it expanded last summer with a lease for 39,851 square feet of space at Skyline Tower.
Anduril also is rapidly expanding its operations in California, where the company is headquartered. And it is building a massive facility just south of Columbus, Ohio, that it dubs Arsenal-1, described by the company as “the future of American defense manufacturing.”
In May, the company raised a $5 billion funding round from Thrive Capital, Andreessen Horowitz and others at a $61 billion valuation.
Looking for a different day?
A new NYT Strands puzzle appears at midnight each day for your time zone – which means that some people are always playing ‘today’s game’ while others are playing ‘yesterday’s’. If you’re looking for Saturday’s puzzle instead then click here: NYT Strands hints and answers for Saturday, July 18 (game #867).
Strands is the NYT’s latest word game after the likes of Wordle, Spelling Bee and Connections – and it’s great fun. It can be difficult, though, so read on for my Strands hints.
Want more word-based fun? Then check out my NYT Connections today and Quordle today pages for hints and answers for those games, and Marc’s Wordle today page for the original viral word game.
SPOILER WARNING: Information about NYT Strands today is below, so don’t read on if you don’t want to know the answers.
• Today’s NYT Strands theme is… Big talk
Play any of these words to unlock the in-game hints system.
• Spangram has 11 letters
• First side: left, 8th row
• Last side: right, 8th row
Right, the answers are below, so DO NOT SCROLL ANY FURTHER IF YOU DON’T WANT TO SEE THEM.
The answers to today’s Strands, game #868, are…
The letter Z helped me get the spangram — eventually, as I got “size” first, then “supersize” before finally SUPERSIZEIT.
Even though I understood the theme immediately and had an idea of the words we were searching for, I really struggled to put them together .
Although rarely used, LEVIATHAN is an incredible word (it features in the Bible, describing a fire-breathing sea serpent).
I was thinking that it really should be the name of a horror or at least a wrestler when a Google search told me that both already exist; the 1989 horror flick made less cultural impact than Dave Batista, who used the nickname Leviathan before becoming The Animal. Every day’s a school day with Strands.
Strands is the NYT’s not-so-new-any-more word game, following Wordle and Connections. It’s now a fully fledged member of the NYT’s games stable that has been running for a year and which can be played on the NYT Games site on desktop or mobile.
I’ve got a full guide to how to play NYT Strands, complete with tips for solving it, so check that out if you’re struggling to beat it each day.
UK sales of Chinese-made cars hit 285,000 in 2025, up from 384 in 2015. No additional tariff on plug-in hybrids makes the UK more open than the EU or US.
Brits bought 384 Chinese-made vehicles in 2015. Last year, they bought 285,000, according to automotive consulting firm Mobility Global. The growth is accelerating. BYD nearly doubled its UK sales in the first half of 2026 to over 37,000 units, and Chinese brands collectively hold roughly 13% of new car registrations in Britain, double their share a year ago.
The reason is a tariff gap. The EU charges countervailing duties of up to 35.3% on Chinese battery-electric vehicles and is preparing additional tariffs on plug-in hybrids. The US charges 100%. The UK charges neither. Britain applies no additional tariff on Chinese plug-in hybrid vehicles, which has made it the easiest major Western market for Chinese automakers to enter at scale. “It becomes an excellent size market that’s progressing well towards electrification and is in demand for some cheaper vehicles with that void to fill,” said Will Roberts of Benchmark, an automotive consultancy.
The price gap is stark. A Volkswagen Tiguan plug-in hybrid built in Germany sells in the UK for just over £43,000 ($58,000). The BYD Seal U built in China costs almost £10,000 less. Buyers at a Geely dealership in Maidstone told CNBC the value proposition was obvious: better equipment, lower price. Canada opened its market to Chinese EVs in January with a 49,000-unit cap, but the UK’s approach is more permissive, with no quota and no additional duties.
China’s domestic auto market is cooling. Retail sales fell 26% in the first half of 2026 while exports rose 72%, according to the China Association of Automobile Manufacturers. That export surge has to go somewhere. Former GM board member Jon McNeill told CNBC that Chinese automakers are entering Europe “with really attractive cars at really attractive prices with technology that sort of blows away what they can buy from a European manufacturer.” Geely has already stopped building new factories and is using Volvo’s existing plants instead to sidestep tariffs and absorb overcapacity. The UK’s open door may not last: if Chinese market share keeps climbing, pressure to align with EU tariff policy will follow. For now, 285,000 cars in a single year tells its own story.
London Mayor Sadiq Khan handed a peerage by Keir Starmer alongside 15 other Labour figures… just days before the PM leaves No10
Weekend Open Thread – Corporette.com
The House | The City of London can help the new chancellor deliver growth in every postcode
CFTC blocks Kalshi from unwinding Michigan trades after court order
Young campaigners urge incoming PM to act on outdoor junk food ads
Nvidia Stock Slips After Big Tuesday Rally as Huang Confirms Vera Rubin Chip Is Now in Production Today
Ripple Payments Joins MiCA With 14 Firms, Does It Mean Anything For XRP?
Disney’s Most Ambitious Failed Star Wars Attraction Is Coming to SDCC
Ripple wins EU-wide access as ESMA adds it to MiCA register
Palantir Shares Rise After Expanded Nvidia Partnership and Fresh Analyst Upgrades Ahead of Earnings Day
Injective Submits SEC Transfer-Agent Registration to Onchain Ownership Records
Get Your ESP32 Sunny Side Up With This Solar Dev Board
XRP BOMBSHELL… XRP OMBOARDED FOR TRANSACTIONS!!!
Dark Secrets Emerge When Jailbreaking LLMs
Registration is now open for March for Men with Kev 2026
New Cornerback Enters Vikings Trade Rumor Mill
Money | Class 12 Economics | CBSE Board Exam 2026-27
Banco Bilbao Vizcaya Argentaria, S.A. (BBVA) Discusses Global Macro Environment and Economic Outlook for Core Markets Transcript
Claude Fable 5 Slips to Second in AI Coding Leaderboard
Cloudflare Precursor Watches Your Mouse and Keyboard To Decide If You Are Human
You must be logged in to post a comment Login