Connect with us
DAPA Banner
DAPA Coin
DAPA
COIN PAYMENT ASSET
PRIVACY · BLOCKDAG · HOMOMORPHIC ENCRYPTION · RUST
ElGamal Encrypted MINE DAPA
🚫 GENESIS SOLD OUT
DAPAPAY COMING

Tech

WordPress Core “wp2shell” RCE flaws get public exploits, patch now

Published

on

WordPress

Public exploits have been released for the critical “wp2shell” remote code execution vulnerabilities affecting WordPress Core, making it imperative that administrators patch their sites immediately.

The wp2shell attack consists of two flaws, tracked as CVE-2026-63030 and CVE-2026-60137, that can be chained together to achieve pre-authentication remote code execution against WordPress installs running versions 6.9.x and 7.0.x.

The flaws were discovered by Adam Kues of Searchlight Cyber, which says an unauthenticated attacker can exploit them against a default WordPress installation.

image

“Searchlight Cyber’s security research team has discovered a pre-authentication RCE in WordPress Core,” explained Searchlight Cyber.

“The attack has no preconditions and can be exploited by an anonymous user in a stock install of WordPress with no plugins.”

Advertisement

Searchlight Cyber estimates that more than 500 million websites use WordPress, giving the vulnerability a potentially massive impact, especially now that public proof-of-concept exploits have been released.

Due to the severity of the vulnerabilities, the WordPress security team has enabled forced automatic security updates for supported installations running affected versions, urging site owners to update to WordPress 7.0.2 or 6.9.5 immediately.

“Because this is a security release, it is recommended that you update your sites immediately,” WordPress said in its security announcement.

“Due to the severity, the WordPress.org team have enabled forced updates via the auto-update system for sites running affected versions.”

Advertisement

The issue is not a single vulnerability but rather two independent flaws that can be combined into an unauthenticated remote code execution chain.

The first flaw, CVE-2026-63030, is a REST API batch-route confusion vulnerability introduced in WordPress 6.9. According to the GitHub advisory, the flaw can be combined with the SQL injection issue to achieve remote code execution.

The second vulnerability, CVE-2026-60137, is an SQL injection flaw in the ‘author__not_in‘ parameter of ‘WP_Query'. WordPress describes it as a high-severity SQL injection vulnerability affecting WordPress 6.8 and later.

According to the WordPress advisories, the complete RCE chain affects WordPress 6.9.0 through 6.9.4 and WordPress 7.0.0 through 7.0.1.

Advertisement

The SQL injection vulnerability also affects WordPress 6.8.0 through 6.8.5, but cannot be chained to remote code execution because the REST API batch-route confusion bug was added in WordPress 6.9.

The full wp2shell attack chain has been fixed in WordPress 6.9.5 and 7.0.2.

Searchlight Cyber is currently withholding technical details to give administrators time to patch, instead creating the wp2shell.com website, which allows admins to test whether their WordPress installations are vulnerable.

For organizations unable to immediately update, Searchlight Cyber recommends:

Advertisement
  • Installing a plugin that blocks anonymous access to the REST API entirely; or
  • Blocking /wp-json/batch/v1 and ?rest_route=/batch/v1 at a WAF level.

The company warns these mitigations should only be used as a temporary measure until systems can be updated.

Cloudflare also announced that it has deployed Web Application Firewall (WAF) protections for both vulnerabilities across all plans, including free accounts, that are proxied behind its platform.

According to Cloudflare, the rules block attempts to exploit both the SQL injection flaw (CVE-2026-60137) and the REST API batch-route confusion vulnerability (CVE-2026-63030).

“WAF protections reduce exposure while customers update, but they are not a substitute for patching,” Cloudflare said.

Public PoC exploits released

While Searchlight Cyber delayed releasing technical details to give administrators time to patch, multiple public proof-of-concept exploits have since been published on GitHub.

Advertisement

Some publicly available exploits combine the two vulnerabilities to extract WordPress password hashes via SQL injection, then crack an administrator password to log in, upload a malicious plugin, and execute commands.

However, other proof-of-concept exploits claim to achieve pre-authentication remote code execution without requiring administrator credentials, which is more in line with Searchlight Cyber’s description of the flaws.

BleepingComputer has contacted Searchlight Cyber to confirm that its attack chain does not require an administrator password.

Security firm watchTowr says it has already seen in-the-wild exploitation after the public exploits were released.

Advertisement

“WordPress gets a bad rap for security. But the reality is that a highly impactful, unauthenticated SQL injection or remote code execution vulnerability in WordPress core is actually fairly rare,” watchTowr CEO Benjamin Harris told BleepingComputer via email.

“That is exactly what makes this one different, and why everyone is scrambling to patch before widespread exploitation takes hold. The watchTowr team is already seeing PoC exploits in circulation, and we are beginning to see the first signs of in-the-wild exploitation.”

Given the availability of public proof-of-concept exploits and the first reported signs of in-the-wild exploitation, administrators should ensure their sites are updated to WordPress 7.0.2 or 6.9.5 as soon as possible.


article image

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Advertisement

Get the whitepaper

Source link

Continue Reading
Click to comment

You must be logged in to post a comment Login

Leave a Reply

Tech

Write 2D And 3D Games In Modern MoonBASIC

Published

on

One of the major strengths of the BASIC programming languages has always been their no-fuss setup and rich set of commands for operations that would take considerably more work in a bare-bones language like C. MoonBASIC continues this legacy with a BASIC variant optimized for both 2D and 3D game development.

Included in the package are Raylib, Box2D, and Jolt, whose functionality is exposed via over 4,200 commands in their respective namespaces. You can also download a whole IDE package based around VS Code, use it on the command line, or add it to an existing VS Code installation.

A quick glance at the ‘getting started‘ guide gives a pretty good idea of what to expect of MoonBASIC, including a range of custom language additions and support for PBR materials, dynamic lighting, and other modern game engine features.

Advertisement

Whether writing a game in BASIC was on your bingo card for this year or not, it might be worth taking a look to see whether it’s your jam. After all, if BASIC was good enough for both AI and game development in the 1980s, surely it can be used for complex games in 2026.

Source link

Advertisement
Continue Reading

Tech

Terry Callier at the Earl of Old Town Review: Better on CD Than 180 Gram Vinyl

Published

on

This is not going to be a popular review because it is one of my rare negative-leaning takes on a new release by Terry Callier, a fine, if underappreciated, folk singer with a rich style that falls somewhere between Richie Havens and Tim Buckley.

While I have no problem with the artist, the music, or even the underlying performance on Terry Callier at the Earl of Old Town (Time Traveler Records), I felt an obligation to offer some perspective on the underlying value proposition of the vinyl edition. The promotional buzz surrounding this recent Record Store Day release appeared promising:

“These 1967 live tapes—unearthed from a private archive were recorded by Joe Segal in Chicago at The Earl of Old Town Club. Showcasing Callier’s distinctive blend of folk, soul, and jazz in its purest form. His intricate guitar work, luminous voice, and spiritual depth are presented in stunning clarity, giving both longtime fans and new listeners an unfiltered glimpse into a foundational moment in American music history. Transferred from the original tapes, restored by Joe Lizzi and mastered by Matthew Lutthans at The Mastering Lab. The limited-edition 180-gram 2-LP edition includes a booklet with rare photographs and newly commissioned liner notes… “

terry-callier-at-the-earl-of-old-town-2lp

Sounds super appealing, right? Unfortunately, as is sometimes the case with archival releases, the reality is a bit different from the pre-release promotional descriptions.

Advertisement

As a lifelong Deadhead, I certainly appreciate a good audience-captured, fan-made unofficial recording. I get it. Rare recordings like this are invaluable for better appreciating an artist’s life’s work. Accordingly, I can even love a less-than-perfect archival recording if it is presented in its proper context. And therein lies the rub: Terry Callier at the Earl of Old Town is presented as “restored,” but it sounds far from that. For an album selling for upwards of $50 when you add taxes and shipping, it feels like a bit much.

terry-callier-live-back-cover

As I listened to this just-OK-quality, lo-fi, audience-sounding recording, I questioned whether it really needed to be pressed as a fancy double 180-gram audiophile vinyl set. Coupled with the relatively short performance time of approximately 58 minutes, I suspect it could have been mastered to fit on a less costly, standard-weight 140-gram single LP without a significant sacrifice in fidelity. I’ll put it this way: if Herbie Hancock and Chick Corea could issue a live album in 1978 with a 35-minute-long side, a 30-minute side in 2026 should be feasible. Just sayin’!

herbie-hancock-chick-corea-label

For example, there are warbles audible during “The Last Thing on My Mind,” indicating that the recording was damaged somehow. There are moments of distortion throughout. Mr. Callier was playing in a small club before a relative handful of patrons who are polite except when they aren’t, so there is a fair amount of talking in the background during some tunes. In short, this is a far-from-perfect document. I guess that is the “unfiltered glimpse” part of the offering noted above.

terry-callier-at-the-earl-of-old-town-cd

Terry Callier At The Earl of Old Town is currently selling for $46.02 at Amazon. Of course if you are a deep fan, you probably already own this. However if you’ve been on the fence you might be better off going for the less pricey 2CD version, which you can find on Amazon for $23.56 — although I need to point out that at 58 minutes in length, it could have been all put on a less expensive-still single CD. Alternately, you might just want to simply wait until the prices come down on both of these options.

Our Ratings

★★★★★★★★★★ Music

★★★★★★★★★★ Sound Quality

★★★★★★★★★★ Pressing Quality

Advertisement
Advertisement. Scroll to continue reading.

Where to buy:


Mark Smotroff is a deep music enthusiast / collector who has also worked in entertainment oriented marketing communications for decades supporting the likes of DTS, Sega and many others. He reviews vinyl for Analog Planet and has written for Audiophile Review, Sound+Vision, Mix, EQ, etc.  You can learn more about him at LinkedIn.

Advertisement

Source link

Continue Reading

Tech

Sunlight Turns Into Hot Air That Dries Clothes in an Hour While Using Only a Fraction of Normal Power

Published

on

Sunlight Air Heating Collector Clothes Dryer
Greenhill Forge wanted to find out whether solar air heating could handle actual laundry drying without relying on a big electric heating element. The short answer from his latest build and test is yes, and the numbers make a strong case for it. He connected an upgraded solar air collector panel directly to a standard clothes dryer. The panel supplies heated air that replaces the usual 2,400-watt electric element. In the real-world trial, a test shirt came out completely dry after one hour. The only electricity consumed during that hour went to spinning the drum. Total draw sat around 155 watts.



This corresponds to more than ten times less power as a standard electric dryer. The heating burden just evaporated, replaced by free solar energy harvested on-site. Greenhill Forge has been experimenting with solar air heating on his little rural homestead for a long time. Previously, he conducted side-by-side studies on five distinct collection designs, each measuring approximately two square meters square. The panels used insulated boxes with clear polycarbonate on top to trap heat, and dark absorber surfaces like black painted corrugated steel or dark insect netting pushed air past or through them.


BigBlue 28W Solar Panel Charger with Dual USB-C and USB-A, Portable Solar Phone Charger for Camping…
  • Advanced Performance: BigBlue 28W portable solar charger provides 20% more power from every ray, thanks to shadow-free surface design (No metal lines…
  • Upgraded Triple-Port: Dual USB-C and one USB-A ports deliver a maximum output of 5V/3A each, collectively achieving 5V/4.8A. This solar panel charger…
  • High-Efficiency & IP44 Waterproof: 28W USB solar panel phone charger converts 25.4% sunlight into free energy – industry-leading efficiency. Our…

These tests made it clear that performance varied substantially. The versions with transpired designs (in which air passes through small holes in the absorber) and many layers of black bug net screen functioned remarkably well regardless of sun angle or flow rate. When conditions were good, peak output was around 1400 to 1500 watts of useable heat, with overall collector efficiency ranging from 70 to 80 percent under full sun. This research influenced the design of the new collector for the dryer duty. They built it with a plywood frame, appropriate insulation, a black absorber surface (sheet metal or the better insect net solution), and windows. New fans were placed to double air flow over earlier generations, and they even incorporated some extra instruments like a data logger and temperature probes to get a true picture of how it was working rather than speculating.

Sunlight Air Heating Collector Clothes Dryer
Air enters the collector, gathers up heat from the sun-warmed absorber, and exits at a usable temperature. A duct then transports the air to the dryer. The only item needed on the dryer side was a modified flange that could handle warm air, and a blower fan was removed or repurposed to accomplish the job. The electric heating element was pulled out of the circuit. Temperature control was critical since clothing can easily be scalded if the air is too hot, and efficiency suffers if the air is too cold. Greenhill Forge created a custom controller using an Arduino board to fix this. It simply monitors the temperature of the air entering the dryer and changes the fan speed to keep the air at the appropriate drying temperature without requiring constant adjustment.

Sunlight Air Heating Collector Clothes Dryer
During the test run, the system maintained the heat levels exactly where they needed to be while the drum tumbling the load. 60 minutes later, the clothing were completely dry. The collector did all the hard lifting on the heat side, while the drum motor and controller required only 155 watts in total. This method avoids the losses associated with initially creating power and then converting it back to heat. A solar air collector simply absorbs heat energy and circulates it using a fan. The materials are basic and inexpensive; previous panels cost roughly $100 to construct. The improved version maintained the same down-to-earth approach while ticking boxes to improve durability and output consistency.
[Source]

Advertisement

Source link

Continue Reading

Tech

Xtra Muse at $329 Becomes the 4K Pocket Camera That Finally Makes Sense for Everyday Creators

Published

on

Xtra Muse Pocket Camera Gimbal 2026
Pocket cameras are becoming more popular in purses and everyday carry bags because they solve a real frustration. Phone footage seems OK until you play it back on a bigger screen or try to film while moving. Dedicated rigs give better outcomes, but they necessitate time, preparation, and, in many cases, a second set of hands. The Xtra Muse, priced at $329 (was $449), fills that gap without asking buyers to sacrifice features essential for vlogging and trip filming. It has a one-inch sensor, shoots 4K video at 120 fps, and uses a physical three-axis gimbal to steady shots.



The camera stands about 5 and a half inches tall and weighs between a hundred and 280 grams, depending on the setup. It’s big enough to be more than just a tiny smartphone, but not so huge that it can’t fit in your pocket with your wallet and keys. The box has a rough grip and a tiny threaded handle to prevent it from slipping out of your grasp when you need to hold it firmly. A small 2 inch touchscreen on the side allows you to switch from portrait to landscape mode with a single tap, which is useful if you’ve recorded a clip for YouTube or Instagram Reels and don’t want to worry about any of your clips needing additional cropping. The screen brightness increases to 750 nits, making it much simpler to take photos outside in bright sunshine. To be honest, the build quality is sturdy enough to withstand being flung into a purse or pocket, and it comes with a carrying case and wrist strap to keep it secure while on the go.

Sale


Xtra Muse, Vlogging Camera with 1” CMOS & 4K/120fps Videos, Pocket Camera with 3-Axis Gimbal Stabilizer…
  • Cinematic-Style Footage – Experience the power of Xtra Muse’s 1-inch CMOS sensor, capable of recording breathtaking 4K resolution videos at 120fps…
  • Ultra-Steady Shooting – No more shaky videos! Xtra Muse’s advanced 3-axis gimbal camera stabilizer ensures exceptional smoothness. Enjoy smooth…
  • Effortless Framing – Enjoy Xtra Muse’s expansive 2-inch touch screen, and switch between horizontal and vertical shooting effortlessly.


Behind a fixed f/2.0 lens with a 20mm equivalent focal length is a 1 inch CMOS sensor that gathers far more light than most phones or action cameras, making a significant difference when shooting indoors or at nightfall. You will notice less noise and greater definition in the shadows, as well as more natural-looking colors. The lens also performs a good job of blurring the background, so you can get a clean subject against a chaotic background without changing any settings. If you want to get serious about your stills, the maximum resolution is 9.4 megapixels, which is more than enough for the types of fast social posts or reference images you’d be creating while on the go. The sensor, on the other hand, significantly improves video quality, particularly when combined with the 10-bit X-Log color profile.

Advertisement


The three-axis mechanical gimbal only moves the camera head, not the body. So whether you’re walking, jogging, or scooting around on a bike or skateboard, handheld shots will be rock solid smooth, and because it’s a mechanical system, you shouldn’t see any of the nasty warping or stretching that digital stabilization can cause, so your footage will simply look really solid and stable. Slow-motion options include 4K at 120fps and 1080p at 240fps. When you slow down footage that much, it really hits home exactly how rapid (or otherwise) the action was, and the gimbal still keeps the subject right in frame, even at those super-slow rewind periods.

Xtra Muse Pocket Camera Gimbal 2026
A Master Follow mode makes face and object tracking much easier, essentially keeping a subject in your sights while the camera is mounted on a tripod or in your hands (as long as they are steady). Simply double-tap to lock onto that subject, and the system will take care of framing changes; there is no need to repeatedly pan back and forth. It’s useful if you’re recording yourself giving a lecture to the camera, or if you want to catch a pet or a child on the move without wrestling with the camera.

Xtra Muse Pocket Camera Gimbal 2026
A firmware update added support for Bluetooth mics, so you can simply pair your wireless mic straight via Bluetooth, no need for any extra gear or cables dangling from the handle, and real-time audio meters are available on the touchscreen to keep track of your levels. In terms of battery life, you can expect two to three hours of recording time depending on the resolution and functions you use, which should be sufficient for most people for a day of stop-start shooting, especially if you’re a traveler or vlogger.

Source link

Advertisement
Continue Reading

Tech

Your Face Never Leaves Your Device

Published

on

On-device age verification

Age checks are becoming law worldwide. The question is no longer whether platforms verify age, but what happens to the faces they collect — and whether they need to collect them at all.

By Ricardo Amper, Founder & CEO, Incode Technologies

More than 30 age assurance laws are now in force worldwide. The UK is enforcing the Online Safety Act’s “highly effective” age check requirement, with restrictions on under-16 access to social media planned for spring 2027.

Australia’s under-16 rules took effect in December, and the government has signaled its intent to double maximum fines to $99 million after early waves of non-compliance. Brazil’s Digital ECA became enforceable in March 2026, now half of U.S. states now mandate some form of age verification.

Advertisement

Facial age estimation has emerged as one of the most accessible ways to comply. It needs no government ID and no database lookup, which makes it workable for users of all age groups, including those with no documents to show.

In regulated markets, Incode’s data shows users choose it eight out of ten times over other age assurance methods. But it asks people for one of the things they feel least comfortable sharing: their face. And until now, nearly every implementation has worked the same way — capture the face, send it to a server, run the estimate there.

The problem with server-based age estimation

The record shows why that is a growing liability, especially for vendors relying on third party tech stack. According to the Identity Theft Resource Center’s 2025 Annual Data Breach Report, the U.S. recorded 3,322 data compromises last year — a record high and a 79% increase over five years — while supply-chain breaches doubled over the same period.

The same organization found that 63% of consumers have expressed serious concern over biometric data collection.

Advertisement

Meanwhile, the attacks are scaling faster than the defenses. Across more than 7 billion identity verifications processed on its platform, Incode has tracked the rise of agentic fraud — fraud attempts carried out with the help of AI agents.

In 2024, agentic fraud made up 3% of fraud attempts. By the first quarter of 2026 it had reached 40%, and Incode estimates it will exceed 90% within the next 18 months.

Incode’s facial age estimation and passive liveness models now run entirely on the user’s phone, tablet, or laptop – the face is never transmitted and never stored.

See how platforms can meet age assurance requirements worldwide without the user’s face leaving the user’s device.

Advertisement

See How It Works

Privacy by policy vs. privacy by architecture

The industry’s standard answer has been a privacy policy: a written promise that biometric data will be handled with care and deleted after the check happens.

A policy is a legal document. It is not a security control. It cannot stop a breach, an insider, or a compromised vendor; it can only assign responsibility afterward.

Privacy by architecture is a different proposition: build the system so the sensitive data never becomes accessible in the first place. If a face is never transmitted, it cannot be intercepted.

If it is never stored, it cannot be breached. Users do not have to trust anyone’s word. Privacy stops being a promise and becomes a fact of the architecture.

Advertisement

A $100 million commitment, in two parts

Last month, Incode Technologies, a leader in AI-powered identity verification and fraud prevention, announced a $100 million commitment to advancing privacy-preserving identity infrastructure, alongside its acquisition of Identiq, a company specializing in privacy-enhancing cryptographic solutions for peer-to-peer anti-fraud collaboration.

The funds are directed at on-device processing capabilities, continued R&D in privacy-enhancing technologies, and expanded engineering resources and global footprint.

Two weeks later, the first product was made public. On-Device Age Estimation, launched in July, the first time Incode’s proprietary models run fully on the user’s own device.

Both trace back to architectural decisions made at the company’s founding: verification driven by AI rather than by human access to biometric data, processing pushed to the user’s own device, and fraud collaboration designed to work without exposing data.

Advertisement

Part one: age checks where the face never leaves the device

On-Device Age Estimation runs two of Incode’s models directly inside the user’s phone, tablet, or laptop: facial age estimation and passive liveness detection, which confirms that a real, live person — not a photo, a deepfake, or a replayed clip — is in front of the camera. The face is analyzed locally and is not transmitted or stored.

What travels onward is the outcome: whether the user meets the platform’s required age threshold. If the check cannot be completed for any reason, the user is automatically offered another verification method selected by the platform.

Making that possible meant shrinking the models. Incode compressed both to roughly a tenth of their original size using knowledge distillation — a technique in which a compact model is trained to reproduce the judgments of a much larger, more accurate one.

The resulting models are small enough to run inside an ordinary browser or app, across a wide range of devices, with no special hardware required.

Advertisement

Because the face is analyzed on the user’s own device, there is no technical way for Incode or any client platform to access a biometric or face image. In plain terms: the user proves their age. The face stays on the device.

Why does anything reach a server at all?

An age check that is easy to cheat protects no one. What the device alone cannot fully rule out is tampering with the session itself — an injected camera feed, for example, or a manipulated device. Incode’s server-side layer analyzes session metadata — when and how the session happened, and the characteristics of the device and connection — to detect injection attacks and tampering.

That data contains no facial or biometric information; it exists for fraud detection and session integrity.

Without it, minors could appear as adults and adults as minors, and the result would be worthless for safety and compliance.

Advertisement

Those defenses carry the record of the environments they came from. For more than a decade, Incode’s models have operated in some of the most attacked environments online — banks, fintechs, healthcare, and other high-stakes services where fraudsters bring deepfakes, injection attacks, and replayed video every day.

Incode’s security layer achieves 99% spoof detection across deepfakes, injection attacks, replay attacks, and physical spoofing — the same anti-impersonation standard trusted by eight of the top ten U.S. banks — and has flagged more than 1 million face attacks across Incode’s platform in 2026.

On-Device Age Estimation is the first enterprise-ready offering to combine on-device age estimation with those defenses — a combination the company believes can reset the standard for how platforms verify age worldwide.

Part two: fighting fraud together without pooling the data

The second part of the commitment addresses a different exposure: the way institutions share fraud intelligence. Fraudsters collaborate across institutional boundaries; the institutions defending against them typically work alone, each seeing a fraction of the threat data.

Advertisement

The traditional fix — pooling customer data across institutions — solves one problem by making the other worse. Central data lakes are precisely the kind of target the breach statistics describe.

Identiq spent nearly a decade and invested more than $50 million developing patented privacy-enhancing technology that lets organizations share fraud signals without exposing customer data to any third party.

No central data lakes. No data brokerage.

Integrated into Incode’s platform, that work is projected to reach billions of verifications annually, adding network fraud intelligence to the platform’s capabilities.

Advertisement

“Every institution shared the same concern with us: how do we fight fraud together without giving up control of our customers’ data,” said Itay Levy, Co-Founder and CEO of Identiq.

“Identiq built the answer to that very question. As part of Incode, that answer is now available to every organization that deals with massive amounts of user data.”

The standard is being set now

The pressure comes from both directions: regulation keeps expanding, and users are increasingly demanding more privacy-preserving ways to meet it. Regulators, meanwhile, are actively deciding which age assurance methods count as effective — which makes this the period in which the standard gets set.

Incode’s position going into that period is a matter of record rather than roadmap: a compliance program spanning SOC 2 Type 2, ISO/IEC 27001, HIPAA Attestation of Compliance, FedRAMP Ready, the Age Check Certification Scheme (ACCS), and the Kantara IAL2 Component Services Trust Mark; more than 7 billion trust checks processed; and now a shipping product where the face never leaves the device, alongside fraud collaboration that never pools the data.

Advertisement

“We have always believed that privacy and fraud prevention are not a tradeoff, but part of the same problem — solved together or not at all,” said Ricardo Amper, Founder and CEO of Incode.

“Age checks are becoming law around the world. Our job is to do what we can so that proving your age asks as little of the user as possible.”

Try Incode’s On-Device Age Estimation

See how On-Device Age Estimation lets platforms meet age assurance requirements without the user’s face leaving the user’s device, and book a walkthrough for your team: incode.com/privacy

Sponsored and written by Incode.

Advertisement

Source link

Continue Reading

Tech

7-Zip fixes RCE flaw exploitable with malicious archives

Published

on

7-Zip

7-Zip version 26.02 was released to fix a remote code execution vulnerability that could allow attackers to execute malicious code by convincing users to open specially crafted compressed files.

The vulnerability, disclosed by Lunbun researcher Landon Peng, exists in 7-Zip’s processing of XZ-compressed data.

According to an advisory from the Zero Day Initiative, specially crafted XZ data can trigger a heap-based buffer overflow, potentially allowing attackers to execute arbitrary code as the user.

image

While the developer has not published technical details about the flaw, the changes in the 26.02 source code suggest it is related to how 7-Zip tracks available space while decompressing XZ data.

The patch adds checks to ensure the decoder cannot write beyond the remaining available space in an output buffer, helping prevent a heap-based buffer overflow.

Advertisement

The advisory states that exploitation requires user interaction, such as visiting a malicious page or opening a malicious archive file.

No automatic update feature

As 7-Zip does not include an automatic update feature, users will not receive the security fix automatically. Instead, they must install it manually by downloading the latest version from the program’s official site, 7-zip.org.

Because 7-Zip is one of the most widely used archive utilities on Windows, security flaws impacting its archive features are an attractive target to threat actors.

A phishing campaign or social engineering attack could be used to distribute a malicious archive that exploits the flaw to install malware on vulnerable systems.

Advertisement

This is not far-fetched, as archive vulnerabilities, including those in 7-Zip, have been exploited in past attacks.

In early 2025, a 7-Zip vulnerability that allowed malware to bypass Windows’ Mark of the Web (MotW) security feature was exploited by Russian hackers as a zero-day.

Later that same year, a Russian hacking group exploited a WinRAR vulnerability tracked as CVE-2025-8088 via phishing attacks to install the RomCom malware.

There are currently no reports that attackers are actively exploiting this newly disclosed 7-Zip vulnerability.

Advertisement

However, users are advised to update to version 26.02 as soon as possible to reduce the risk of future attacks.


article image

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

Source link

Advertisement
Continue Reading

Tech

How Does The Apple Watch Water Lock Feature Actually Work?

Published

on

There are many smartwatches that are water-resistant, but rarely is anything fully waterproof. That said, you can safely swim (in freshwater sources) with one that meets an IPX8, IP68 (or higher) rating. But there’s still risk of damage if the watch isn’t dried out after submersion, which is why features like the Apple Watch’s water lock are really handy. With water lock activated, the Apple Watch not only disables the screen so pressure from water doesn’t inadvertently trigger an unintended action, but it also ejects water from inside the device to help it dry faster.

It’s a useful and underrated feature of Apple Watch that every smartwatch should have, especially those that are rated to be safe to wear while swimming. I use this feature often with my Apple Watch Series 11, and I love that it’s automatically triggered any time I hop in a pool or wade in the ocean. It works while scuba diving as well if you have the Apple Watch Ultra, Apple Watch Ultra 2 or Apple Watch Ultra 3, all three of which are safe for deep diving (standard Apple Watches are not).

How Apple Watch water lock works

To manually turn on water lock, which is available on all Apple Watch models from Series 2 and onward, press the side button to open the Control Center. Select the water droplet icon (you may have to scroll down to see it). When the water lock is active, you won’t be able to manipulate the watch screen. It simply won’t respond. Once you come out of the water, press and hold the Digital Crown to unlock the watch. You will see a water ejection mode begin and hear a series of tones, which sound sort of like an ’80s video game, until the process is done.

What’s happening inside the watch when you do this? It’s pretty fascinating. When you press and hold the button, water comes streaming out of the tiny side speaker holes. It’s a lot more water than you might realize or even notice, since it happens so fast and the speakers and water droplets are so tiny. The watch pauses to settle and eject again, repeating this cycle over and over. This is why you have to press and hold the Crown for at least a few seconds instead of a quick press. It keeps you from initiating this process accidentally.

Advertisement

Why use Water Lock on Apple Watch

When should you use water lock? It’s a no-brainer to use the water lock feature on Apple Watch if you’re a swimmer or have a pool at home. In fact, you won’t have a choice, since it turns on automatically when you’re engaged in a water exercise like swimming or surfing. As an extra precaution, you might want to turn it on manually using the steps noted above during times when your wrist isn’t completely submerged, but the watch still gets wet. This might be if you wear it in the shower, while washing dishes or just during a run home in the rain. Utilizing this feature will ensure that any residual water is removed.

What happens if you don’t turn on water lock? The watch will likely be fine (assuming it’s a model with a high water-resistance rating), but you run the risk of water pooling inside and causing eventual damage. While that water-resistance rating gives you the confidence to wear an Apple Watch while swimming or doing other water-based activities, you should be aware that water-resistance weakens over time with any device. Keeping as much water out of the insides as possible, especially if you’re swimming in a chlorinated pool, can help prolong the life of your smartwatch. Next time you go for a swim, see if you can spot the water coming out of the side speaker when you press the button. And consider the intricate process that’s happening to keep the watch free of moisture inside.

Advertisement

Source link

Continue Reading

Tech

AI weapons under scrutiny as activists plan weekend protest at Anduril’s Seattle office

Published

on

Defense giant Anduril is operating its autonomous naval vessel manufacturing facility at the old Foss Shipyard on the Lake Washington Ship Canal in Seattle. Demonstrators plan to protest a different location, Anduril’s downtown Seattle office. (GeekWire Photo / John Cook)

A coalition of activists and community organizations plans to rally Sunday outside Anduril’s Seattle office, protesting the defense technology company’s development of artificial intelligence-powered military systems and its growing presence in the region.

The demonstration, scheduled for 9:30 a.m. at Anduril’s downtown Seattle office, is being organized by groups including BAYAN Washington, International Coalition for Human Rights in the Philippines and The International League of Peoples’ Struggle. Organizers say the event will highlight concerns about the use of AI in warfare, autonomous weapons systems and the expansion of defense technology companies in Washington state. They expect more than 50 to attend.

“The rally will respond to urgent developments in the expansion of AI weapons companies in Washington State and will expose Anduril as an engine of U.S.-led wars of aggression and a domestic threat to migrant and working class communities,” the organizations said in a statement.

Anduril said it recognizes the right to protest, while defending its work supporting the U.S. military and service members.

“We respect the right to free speech and we understand that protests are a hallmark of democratic expression,” Anduril said in a statement provided to GeekWire. “That said, it is perplexing when people choose to protest a company dedicated to supporting the very military that safeguards those rights.”

Advertisement

The company’s statement continued:

“At Anduril, we’re proud of our role in helping the brave men and women who risk their lives to defend the freedoms that we all enjoy, freedoms that include the right to stand outside and protest our existence. We’ll continue to honor those serving our country, even when others stand in opposition.”

The protest comes as Anduril expands its operations in the Seattle area, including a new maritime manufacturing and testing operation along Seattle’s historic Lake Washington Ship Canal. GeekWire reported earlier this year that the company has taken over the former Foss shipyard, where it is thought to be testing autonomous vessels for the U.S. Navy.

Founded in 2017 by entrepreneur Palmer Luckey, Anduril has become one of the most prominent defense technology companies in the country, developing autonomous aircraft, maritime systems, surveillance technologies and AI-powered software platforms for military and national security customers.

Advertisement

@media (max-width: 600px) {
aside.callout { float:none !important; max-width:100% !important; margin-left:0 !important; margin-right:0 !important; }
aside.callout .callout-img { display:none !important; }
}

The company’s Seattle expansion has drawn attention because of the region’s long history as a hub for aerospace, maritime engineering, artificial intelligence and advanced manufacturing. The new maritime facility on the south bank of the Ship Canal represents a new chapter for a site with deep roots in Seattle’s shipbuilding history.

In announcing the rally, organizers cited the company’s work on autonomous systems, including underwater and surface vessels, and raised concerns about the role of artificial intelligence in global conflicts.

The groups also pointed to the ongoing Rim of the Pacific (RIMPAC) military exercises, a multinational naval exercise held in and around Hawaii. The exercise runs through July 31 and includes participation from dozens of nations.

Anduril has increasingly positioned itself as a technology company focused on modernizing defense capabilities, arguing that faster adoption of advanced software, autonomy and AI can improve the effectiveness and safety of military operations.

Advertisement

Sunday’s event is expected to include speeches, testimonials and cultural performances from participating community organizations.

The rally adds a new point of public debate around Anduril’s expansion in Seattle, as the company builds out its presence in a region already home to major technology companies, aerospace firms and a growing defense innovation sector.

In addition to the new facility at the Foss shipyard, Anduril operates facilities in downtown Seattle and Bellevue, where it expanded last summer with a lease for 39,851 square feet of space at Skyline Tower.

Anduril also is rapidly expanding its operations in California, where the company is headquartered. And it is building a massive facility just south of Columbus, Ohio, that it dubs Arsenal-1, described by the company as “the future of American defense manufacturing.”

Advertisement

In May, the company raised a $5 billion funding round from Thrive Capital, Andreessen Horowitz and others at a $61 billion valuation.

Source link

Continue Reading

Tech

NYT Strands hints and answers for Sunday, July 19 (game #868)

Published

on

Looking for a different day?

A new NYT Strands puzzle appears at midnight each day for your time zone – which means that some people are always playing ‘today’s game’ while others are playing ‘yesterday’s’. If you’re looking for Saturday’s puzzle instead then click here: NYT Strands hints and answers for Saturday, July 18 (game #867).

Strands is the NYT’s latest word game after the likes of Wordle, Spelling Bee and Connections – and it’s great fun. It can be difficult, though, so read on for my Strands hints.

Want more word-based fun? Then check out my NYT Connections today and Quordle today pages for hints and answers for those games, and Marc’s Wordle today page for the original viral word game.

Advertisement

Source link

Advertisement
Continue Reading

Tech

Chinese car sales in the UK jumped from 384 in 2015 to 285,000 last year. The tariff gap explains why.

Published

on

TL;DR

UK sales of Chinese-made cars hit 285,000 in 2025, up from 384 in 2015. No additional tariff on plug-in hybrids makes the UK more open than the EU or US.

Brits bought 384 Chinese-made vehicles in 2015. Last year, they bought 285,000, according to automotive consulting firm Mobility Global. The growth is accelerating. BYD nearly doubled its UK sales in the first half of 2026 to over 37,000 units, and Chinese brands collectively hold roughly 13% of new car registrations in Britain, double their share a year ago.

The reason is a tariff gap. The EU charges countervailing duties of up to 35.3% on Chinese battery-electric vehicles and is preparing additional tariffs on plug-in hybrids. The US charges 100%. The UK charges neither. Britain applies no additional tariff on Chinese plug-in hybrid vehicles, which has made it the easiest major Western market for Chinese automakers to enter at scale. “It becomes an excellent size market that’s progressing well towards electrification and is in demand for some cheaper vehicles with that void to fill,” said Will Roberts of Benchmark, an automotive consultancy.

The price gap is stark. A Volkswagen Tiguan plug-in hybrid built in Germany sells in the UK for just over £43,000 ($58,000). The BYD Seal U built in China costs almost £10,000 less. Buyers at a Geely dealership in Maidstone told CNBC the value proposition was obvious: better equipment, lower price. Canada opened its market to Chinese EVs in January with a 49,000-unit cap, but the UK’s approach is more permissive, with no quota and no additional duties.

Advertisement

The 💜 of EU tech

The latest rumblings from the EU tech scene, a story from our wise ol’ founder Boris, and some questionable AI art. It’s free, every week, in your inbox. Sign up now!

China’s domestic auto market is cooling. Retail sales fell 26% in the first half of 2026 while exports rose 72%, according to the China Association of Automobile Manufacturers. That export surge has to go somewhere. Former GM board member Jon McNeill told CNBC that Chinese automakers are entering Europe “with really attractive cars at really attractive prices with technology that sort of blows away what they can buy from a European manufacturer.Geely has already stopped building new factories and is using Volvo’s existing plants instead to sidestep tariffs and absorb overcapacity. The UK’s open door may not last: if Chinese market share keeps climbing, pressure to align with EU tariff policy will follow. For now, 285,000 cars in a single year tells its own story.

Advertisement

Source link

Continue Reading

Trending

Copyright © 2025