Apple is finally giving AirPods users something they’ve been demanding for years: proper control over sound.

With iOS 27, Apple is adding a custom equaliser to its AirPods lineup. For the first time, users can manually tweak how their headphones sound.

The new EQ option allows listeners to adjust key parts of the audio profile, including boosting bass, lifting treble, or shaping the overall sound signature to taste. It’s a straightforward addition. However, it is meaningful for anyone who has ever felt locked into Apple’s default tuning.

Until now, AirPods have largely relied on automated audio features rather than manual control. Tools like Adaptive Audio and Conversational Awareness already adjust sound in real time depending on what you’re doing or where you are. However, they don’t let users directly fine-tune the listening experience.

This article is crossposted from IEEE Spectrum’s careers newsletter. Sign up now to get insider tips, expert advice, and practical strategies, written in partnership with tech career development company Parsity and delivered to your inbox for free!

Early in my career, I walked into a shared office space on my first day as a full stack software developer and sat down between the CTO and the CEO to get onboarded. There were four of us in total. Before the day was over, I received my first assignment.

This was one of the most formative—and most stressful—experiences of my professional life. In the decade since, I have worked at half a dozen companies including Fortune 100 firms, mid-size startups, and companies you’ve probably never heard of. I have also spoken with roughly a thousand developers at various stages of their careers.

Most engineers entering the field are obsessed with landing at Google, Meta, or Amazon. But those roles represent approximately 0.6 percent of software engineering positions. For most of us, the real choice is between a small startup, a mid-size company, and a large enterprise. Each comes with tradeoffs, and your experience will differ from mine. What follows is an honest account of what you might reasonably expect.

The Small Startup

Pros

Your work actually matters. A feature you build might determine whether the company closes its next funding round. You gain exposure to the full spectrum of the business, from deployment pipelines to sales and operations and everything in between. You wear many hats out of necessity. For engineers who want to grow quickly and understand how a product is built end to end, few environments move faster.

Cons

Everything is on fire, always. Work-life balance is difficult to maintain when every release feels critical. Priorities shift without warning and culture tends to reflect the personality of whoever has the most influence in a small room. Startups optimize for speed over craft which means engineers learn to move fast but don’t always learn to build well, and that gap can follow you into your next role.

The Mid-Size Company

Pros

“So this is how a real business works.” There is process, documentation, a quality assurance function, and some form of career structure. The team is large enough to offer a diversity of experience and perspective. Stability is a myth, especially nowadays, but it is considerably more predictable than an early-stage startup.

Cons

“So this is how a real business works?” Processes that enable quality also produce friction. Access controls, approval workflows, and cross-team dependencies slow things down. The career ladder exists but it might stop at senior engineer. Without significant organizational growth, your salary and title can plateau early.

The Large Enterprise

Pros

That badge on your LinkedIn profile just bought you credibility for the next five years. Compensation at this level can be meaningfully higher, particularly when equity is included. The career ladder is long and clearly defined. Engineering practices at mature organizations tend to be more rigorous, and a well-known employer carries market value in future job searches.

Cons

It’s slow. Technology stacks often lag industry trends by several years. Political dynamics shape advancement as much as technical ability does. Skill atrophy is a risk when you spend years on a narrow slice of a legacy system. You are now a small fish in a big pond and it will be harder to get noticed.

The Roadmap I Would Take If I Could Start Over

According to a recent Stack Overflow survey, 47 percent of professional developers work at companies with fewer than 100 employees. This may surprise you because social media is dominated by engineers who work at the most well known companies on the planet.

The path most engineers imagine for themselves and the path most engineers actually walk are two very different things.

If I could do it again, here’s the path I’d take: Start at a small company to build breadth and learn how a business works across functions. This also provides some room to experiment within different roles. Next, move to a mid-size organization with a clear goal of reaching a senior or leadership role. Making a lateral move is easier than trying to get up-leveled at the next company. Finally, target a more mature company where a leadership position opens the door to meaningful equity and long-term growth (aka stocks and bonuses).

Each stop builds something the others cannot. The startup gives you range. The mid-size company gives you a taste of how larger orgs operate. The enterprise gives you leverage, credibility and maybe even some stability.

Your path will not look like mine. At a five person startup, I had no idea what I was in for. Looking back, I would not trade it. Just know what you are signing up for before you sign.

—Brian

“Social engineering” is a concept that has become associated with phishing, in which scammers manipulate people into disclosing personal information. But shaping human behavior in this way doesn’t have to have such negative effects. Systems engineer Guru Madhavan argues that we need to reclaim the term and govern the practice to defend ourselves from bad actors and benefit from social engineering’s good side.

Read more here.

Smartphone apps are increasingly used to help manage medical conditions, but many of these have not been verified by any regulatory agencies. To help ensure these apps are credible, the IEEE Standards Association recently launched a directory listing apps that have been vetted by experts for technical soundness, ethical design, data security and privacy, and clinical efficacy. The registry will be publically available at no cost, and developers can now apply for approval.

Read more here.

A veteran chip designer reflects on what he learned when moving from academia to industry, where the goal changes from proof of concept to ensuring a design works reliably at scale. Differences in risk tolerance, he discovered, lead to varying approaches in the rapidly growing semiconductor industry.

Read more here.

from the abusive-spying-is-abusive dept

President Trump’s highly politicized appointment of an entirely unqualified acting Director of National Intelligence (DNI) underscores why the government’s warrantless mass spying power must be reformed. 

Congress now faces a deadline of Friday, June 12 to reauthorize Section 702 of the Foreign Intelligence Surveillance Act, an unconstitutional program rife with problems, loopholes, and compliance issues. Section 702 allows the National Security Agency to collect communications from targets overseas – including communications with Americans in the U.S. – and stores them in massive databases. The NSA then allows other agencies, including the Federal Bureau of Investigation, to access untold amounts of that information.  

Under current practice, the FBI can query and even read the U.S. side of that communication without a warrant. What’s more, victims won’t even know and have very few ways of finding out that their communications have been surveilled. EFF and other civil liberties advocates have been trying for years to know how data collected through Section 702 is used in domestic investigations and prosecutions.  

Our advocacy to reform Section 702 has been consistent across administrations, including when the federal Intelligence Community was run by people with experience in the relevant agencies. In fact, the 2004 law creating the position of DNI – which coordinates America’s 18 spy agencies – requires those who hold it to have “extensive national security expertise.” 

Enter Bill Pulte. 

Trump on Tuesday named Pulte – currently director of the Federal Housing Finance Agency (FHFA) and chairman of Fannie Mae and Freddie Mac – to replace current DNI Tulsi Gabbard, who announced her resignation last month. Pulte lacks any intelligence, military, or congressional experience.  

“William has deep experience managing the most sensitive matters in America, the safety and soundness of the Markets, and over 10 Trillion Dollars at Fannie Mae/Freddie Mac, a substantial increase from where it was just 12 months ago,” Trump wrote on his Truth Social platform.

Because Trump named him acting DNI, Pulte isn’t subject to Senate confirmation. And under the Vacancies Act, Pulte could remain in the role for about seven months. 

This is particularly concerning because of Pulte’s history of using private information held by the government as a political weapon. In his FHFA role, he has accused several of the President’s political foes and targets – including New York State Attorney General Letitia James, U.S. Sen. Adam Schiff, D-Calif., and Federal Reserve governor Lisa Cook – of mortgage fraud based on private data held by his agency.  

All these targets and others have denied wrongdoing. A federal criminal complaint filed against James in Virginia imploded after a judge found prosecutor Lindsey Halligan had been unlawfully appointed, and prosecutors twice failed to convince a grand jury to indict James. Pulte’s accusations against Schiff, Cook, and others have not led to criminal charges. 

Pulte also used his FHFA pulpit to attack then-Federal Reserve Chair Jerome Powell and dismantle internal oversight. 

Pulte isn’t a qualified intelligence administrator. He does, however, seem to be unquestioningly loyal to President Trump and willing to use his position to attack and smear the President’s political foes. As acting DNI, Pulte would have access to every scrap of classified information the Intelligence Community holds, and under Section 702, that includes massive amounts of information about Americans. 

Even lawmakers who are typically friendly to the intelligence community acknowledge that this is a disaster in the making. U.S. Sen. Mark Warner, D-Va., who is the Senate Intelligence Committee’s ranking Democrat, told NPR that Pulte has “no experience in the military, no experience in Congress, no experience in the intel community or law enforcement” and was chosen because he is “100% loyal to doing anything and everything President Trump demands.” 

And Senate Majority Leader John Thune, R-S.D., told reporters “we don’t need a weaponized” national intelligence director. Asked about fears that Pulte might pursue Trump’s political opponents, Thune said: “We need professionals there.” 

Congress already has had trouble reauthorizing Section 702 as Freedom Caucus Republicans and many Democrats joined forces to demand reforms including the common-sense requirement that federal agencies get a probable cause warrant from a judge before searching any data involving Americans. Pulte’s appointment exemplifies why no administration should have the power granted by Section 702 without the independent judicial review required in seeking a warrant. 

Republished from EFF’s Deeplinks blog.

Filed Under: 702 reform, bill pulte, fisa, odni, section 702, surveillance

• Ukraine wants to flood future battlefields with millions of combat drones annually
• Kyiv says its drone factories could dwarf Russian and Chinese military production
• Ukrainian drones are now reaching military and energy targets deep inside Russia

Ukraine’s defense ministry has laid out a startling industrial vision which could reshape global military manufacturing.

Deputy Defense Minister Mstislav Banik recently told NATO lawmakers that his country could produce 20 million military drones each year if allied nations commit sufficient resources to Ukrainian production lines.

A security researcher has released a new Microsoft Defender zero-day exploit named “RoguePlanet” just hours after Microsoft fixed two previously disclosed flaws during June 2026 Patch Tuesday.

The researcher, known as Nightmare Eclipse, says the new vulnerability affects fully patched Windows 10 and Windows 11 devices, allowing attackers to spawn a command prompt with SYSTEM privileges via a Microsoft Defender race condition vulnerability.

The researcher shared a proof-of-concept exploit on Tuesday afternoon in a self-hosted Git repository after saying that GitHub and GitLab repositories hosting their exploits had previously been removed by Microsoft.

“The exploit is a race condition, so it’s a hit or miss. I have managed to get a 100% success rate on some machines while it struggled to work on others,” Nightmare Eclipse wrote in the repository.

The flaw was reportedly tested against Windows 11 Official and Canary builds, as well as Windows 10 systems with the June 2026 security updates installed.

When successful, a Windows command prompt will be spawned with SYSTEM privileges.

Cybersecurity firm ThreatLocker told BleepingComputer that they successfully reproduced the flaw in their testing and confirmed the exploit worked against fully patched Windows 11 systems with KB5094126 installed, and shared a video demonstrating it.

“Our initial analysis confirms that the RoguePlanet exploit is viable and performs as described. Organizations using application allowlisting can prevent the exploit from executing, providing an effective layer of protection against this attack,” Danny Jenkins, CEO of ThreatLocker, told BleepingComputer.

According to Nightmare Eclipse, RoguePlanet was originally developed as a remote code execution vulnerability that exploited Microsoft Defender’s handling of files hosted on remote SMB shares.

“In initial development, it was confirmed that this vulnerability was a remote code execution,” the researcher explained in a blog post.

“It required an attacker to coerce a victim to open a .vhd(x) in a remote SMB server, succesful exploitation resulted in defender overwriting its own files and obviously the end outcome was an RCE.”

The researcher says another attack scenario could lead to remote code execution simply by coercing a victim into opening an SMB share if symlink evaluation settings were enabled.

However, the researcher claims Microsoft silently hardened Defender in mid-May by patching “mpengine!SysIO*” API, which blocked junction attacks.

“Rewriting RoguePlanet to make it functional again drained my soul and I couldn’t complete the other scenarios and for now it remains unclear if RoguePlanet is limited to LPE or there is some sort of way to turn it into an RCE,” the researcher wrote.

The release is part of an ongoing dispute between Nightmare Eclipse and Microsoft over the company’s vulnerability disclosure and bug bounty practices.

Over the past several months, the researcher has publicly released multiple Windows zero-days, including the BlueHammer, RedSun, GreenPlasma, and YellowKey flaws. Some of the zero-days targeted Microsoft Defender, while others targeted BitLocker and Windows components. 

Microsoft fixed the GreenPlasma and YellowKey flaws today as part of the June 2026 Patch Tuesday updates.

Microsoft previously reacted to the disclosures with warnings that it would work with law enforcement when people engage in “malicious activity causing real harm to our customers,” leading many in the cybersecurity community to think Microsoft was threatening the researcher.

Nightmare Eclipse claims Microsoft repeatedly targeted and removed previous repositories hosted on GitHub and GitLab, prompting the creation of a self-hosted code platform at projectnightcrawler.dev.

BleepingComputer has contacted Microsoft about the new zero-day and will update the story if we receive a statement.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Advertisement

Get the whitepaper

In 2021, I was a demoralized educator: not burnt out, but demoralized. As I shared in my first article for EdSurge, demoralization occurs when teachers “encounter consistent and pervasive challenges to enacting the values that motivate their work.”

That year, the pervasive challenges seemed obvious and communal. We were all navigating online platforms, figuring out how to replicate student services virtually and struggling to make up for lost time in instruction, social-skill development and relationship-building for when students returned to in-person schooling.

When I think about what feels most pressing now, it seems those challenges persist but are perhaps less obvious to society at large. As the authors of “Going the Distance: The Teaching Profession in a Post-COVID World (2024)” wrote:

A crisis is not merely an event: it’s the context in which an event takes place and the response to that event.” The global pandemic has ended, but how much has the context changed and did the response meet the needs?

Right now, I believe teaching is the most important thing we can do. When the world is on fire, what feels most pressing is teaching students to claim their humanity and helping educators understand how much the communal learning experience matters. Five years later, I have come full circle.

This time, I return to that same claim with a broader and deeper understanding of what makes a school. We use that old adage, “It takes a village…” More and more, I see that we, as school communities, are the village and the villagers that we need right now. What really makes a school more human is not just the principals and teachers, but the child welfare staff, paraeducators, campus supervisors, guidance counselors, cafeteria workers, coaches, librarians, custodians and secretaries. The list is long, but it feels necessary to name the people on campus who make students feel like they belong, support them and have their backs when students need it. These are the colleagues who have shown me what it is like to truly model humanity to our students.

The truth is that the onus is on all of us to create an environment in which mutual respect and empathy are the baseline expectations. So, as an instructional coach, as a leader and as a voice of change in this context, what can I do? How do I communicate to teachers that, while they have been beaten down and blamed for society’s ills, they also have the herculean task of helping students learn how to be human together?

In 2021, I said that I was demoralized. In 2026, I am revitalized and committed to my role as an educator, instructional coach and teacher advocate.

Since participating in the inaugural cohort of the Voices of Change fellowship, I have contributed essays to The California Educator, Edutopia and EdSurge. I have joined podcast panels to talk about social-emotional learning, culturally responsive teaching and civil discourse in the classroom.

This fellowship showed me the power of personal writing for representation and advocacy. I have started to write children’s books about my own neurodivergent children. I have presented at local and state conferences and will continue to use my voice and my words to advocate for students, for educators, for quality professional development and schools that model the best of humanity. Writing for the Voices of Change fellowship has helped me claim my voice, my humanity and my power.

At long last, a corporate training you might actually enjoy.

ServiceNow is warning about a security incident after attackers exploited an unauthenticated access flaw through a vulnerable API endpoint, allowing them to query data from customer instances.

The company quietly warned impacted customers through a support bulletin and direct support cases after detecting “anomalous activity” related to the issue.

The bulletin, which is hidden behind ServiceNow’s customer support login portal, states that the company applied a security update to hosted customer instances on June 5, 2026.

“On June 5, 2026, ServiceNow applied a security update to hosted customer instances,” reads the support bulletin.

“The update concerned a security issue that could allow an unauthenticated user, in certain circumstances, to gain greater access to ServiceNow instances than intended.”

The company says this security update changes the API endpoint configuration to limit access to authenticated users only.

ServiceNow also confirmed that attackers exploited this flaw to successfully query the customer instance tables.

While ServiceNow did not disclose which data was accessed during the attacks, instances commonly store sensitive enterprise information, including IT support tickets, employee records, internal documentation, asset inventories, security incident reports, workflow data, and configuration details for corporate systems and services.

Support case information has become an increasingly popular target for threat actors, as tickets can contain credentials, API tokens, internal documentation, and authentication secrets shared during troubleshooting.

According to the advisory, ServiceNow has now opened support cases with affected customers. If a customer has not received one, they are not believed to be affected by the incident.

While ServiceNow has not publicly disclosed technical details about the flaw, administrators discussing the incident on Reddit say the issue appears to be tied to a REST endpoint at ‘/api/now/related_list_edit/create‘.

One commenter claimed the endpoint was configured with ‘requires_authentication=false‘, potentially allowing unauthenticated requests to access instance data. The security update released on Friday was allegedly used to set requires_authentication to true.

Numerous admins shared indicators of compromise, including API requests from the IP address ‘51.159.98.241,’ advising other administrators to review logs for requests to the vulnerable endpoint.

The bulletin states the issue primarily impacts customers running the Australia platform release or customers on older releases who made certain configuration changes.

“The security issue pertains to customers who are on the Australia platform release or made certain configuration changes to instances on releases prior to Australia,” ServiceNow warned.

BleepingComputer contacted ServiceNow earlier today after a reader alerted us to the incident, asking how long the activity had been ongoing, what caused the issue, and whether customer data had been stolen. We did not receive a response before publication.

ServiceNow says it is still evaluating whether it will publish a CVE for the issue.

Administrators are advised to review ServiceNow logs for requests to /api/now/related_list_edit, particularly from the IP address 51.159.98.241.

Impacted organizations should review exposed tickets and records for sensitive information, rotate credentials or tokens shared through support workflows, and ensure API logging is enabled.

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper

When a verdict map is deleted from memory, catchall elements are deactivated and a chain’s reference counter is decremented. When errors occur the deletion can be reversed and the counter incremented. CVE-2026-53111 allows for that process to be altered. As a result, the exploit can decrement the variable an arbitrary number of times and then delete and free the chain when some objects still point to it.

“In this blog post, we have seen how one incorrect exclamation mark introduced a use-after-free vulnerability which can be exploited by an unprivileged user on Debian and Ubuntu to escalate privileges to root,” researchers from security firm Exodus Intelligence wrote Monday. “Although the exploit triggers the use-after-free vulnerability multiple times to leak the kernel base address, leak heap addresses, and hijack the control flow, the stability tests resulted in a stability of >99% on an idle system.”

The vulnerability was fixed in the kernel in February and subsequently back ported to major Linux distributions. Security firm FuzzingLabs demonstrated a proof of concept exploit in April. Exodus Intelligence, which discovered the bug, included its own PoC exploit in Monday’s post. It worked on Debian and Ubuntu.

CVE-2026-53111 is one of at least three potent elevation-of-privilege vulnerabilities to hit Linux in recent weeks. The vulnerabilities are serious, because, when chained to a separate exploit, they can be used to evade security defenses baked into the OS.

Here’s what Shopee collection point hosts really deal with

Shopee’s neighbourhood collection point network has quietly become part of Singapore’s daily landscape since 2023.

The e-commerce firm has established over 2,800 collection points across Singapore as of today, including residential addresses, convenience stores, and lockers—placing most homes within 250m of their nearest pickup option.

This kills two birds with one stone. 

For customers, it offers a more affordable and convenient delivery option, with savings of up to S$1.99 in delivery fees per item. For ordinary Singaporeans, it creates an opportunity to earn passive income by turning their homes or businesses into micro logistics hubs.

But what does running a Shopee collection point actually look like behind the scenes?

Easy passive income?

Shopee’s logistics arm, SPX Express, delivers parcels in bulk to registered collection points. For locker locations, customers can collect their orders independently.

At manned collection points—typically neighbourhood shops or residential addresses—the host stores the parcels, verifies customers’ identities using the Shopee app when they arrive, and hands over the items.

In return, hosts earn a fee for each parcel distributed. The role requires seemingly little: just sufficient storage space, an internet-connected device, and a commitment to the collection point’s operating hours.

Hosts generally earn between S$0.20 and S$0.30 per parcel. Channel News Asia also previously reported in 2024 that hosts earn at least S$90 per month. 

At the higher end, promotional information on Shopee’s app states that collection points that distribute up to 900 parcels a day can earn up to S$5,400 monthly, while 60 parcels daily can bring S$360 monthly. 

Sounds like easy passive income, right? Wrong.

The fine print

The commitment to turning your house into a Shopee collection point is far from passive.

Hosts must be open at least six days a week, for a minimum of 36 hours. On top of that, they must be present during operating hours to receive and hand over parcels, effectively tying the role to someone being at home consistently.

At first glance, the economics can look appealing. But at S$0.30 per parcel, the numbers only start to make sense at scale.

For example, handling 30 parcels a day translates to just S$9 in daily earnings. That’s already 30 separate customer handovers—yet it remains a modest payout for the time and space involved. Scaling up is where the workload intensifies significantly, with hundreds of daily parcels required to generate meaningful income.

Space is another major constraint. Many HDB flats have limited storage capacity, which can quickly become a bottleneck during peak delivery periods.

There is also little flexibility in scheduling. If hosts miss their operating hours, Shopee can impose penalties for non-compliance. At S$0.30 per parcel, even a S$50 fine effectively wipes out the earnings from more than 160 parcels.

Workload, risks & disruptions

Running a Shopee collection point means juggling the expectations of multiple parties: Shopee, customers, and even neighbours.

Complaints from hosts extend well beyond financial concerns.

Parcels arrive daily and are often left at the doorstep, making the host responsible for their safekeeping. Despite a stated weight limit of 6kg, some hosts have reportedly received bulkier items such as dumbbells, adding to storage and handling strain.

Some customers also arrive outside operating hours—occasionally as late as after 10PM—expecting collections regardless of the stated timing. Others treat the collection point like an extension of Shopee’s customer service, seeking assistance with orders, returns, and complaints that have nothing to do with the host.

“Operating a collection point is hard work and not a passive job like many think,” wrote the child of elderly parents who previously hosted a Shopee collection point at their home in a Reddit post.

Beyond the operational burden, some neighbours of residential collection points have also raised concerns about increased foot traffic outside their homes, citing potential security risks and a loss of privacy. The host is therefore not only managing their own household space, but also the flow of people in shared residential corridors.

“My post is just to let people know the realities of operating a collection point and not to trust the rosy picture that Shopee painted,” the same Reddit user added.

Who it actually makes sense for & why Shopee wins either way

It is important to note, however, that not everyone has the same negative experience. 

Generally, running a Shopee collection point would make more sense for shop owners. Two store owners whose shops became Shopee collection points in 2023 reported more customers than before.

At one store, many parcel collectors became regulars, while the other attracted new customers beyond its usual base. With the hours and foot traffic already there, the parcels become a free customer acquisition channel for their products on top of the per-parcel income.

For homemakers and retirees who are home throughout the day, the income genuinely adds up, especially if volume is high and the neighbourhood is a good fit.

But for someone already working or with young children at home, the intrusions can outweigh the returns quickly.

From Shopee’s perspective, the firm wins either way: collection points are an efficient logistics solution.

The company can expand its last-mile network without building warehouses or employing delivery staff as hosts absorb that cost in time and space, in exchange for a small per-parcel fee. 

For customers, collection points offer free shipping with no minimum spend, along with the convenience of a nearby pickup point—often just a short walk away.

While the model works for both Shopee and its customers, the question remains whether it works as well for those turning their homes or shops into collection points.

• Read other articles we’ve written on Singaporean businesses here.