[Anton Gaia]’s SPIRAL sculpture resembles an organizer or modern shelving unit, but what’s really interesting is how it goes together. It’s made entirely from assembling copies of a single component …read more

Daniel Pearson , CEO, KnownHostJune 12, 20253 Min ReadBusiness success concept. Cubes with arrows and target on the top.Cyber incidents are expected to cost the US $639 billion in 2025. According to the latest estimates, this dynamic will continue to rise, reaching approximately 1.82 trillion US dollars in cybercrime costs by 2028. These figures highlight the crucial importance of strong cybersecurity strategies, which businesses must build to reduce the likelihood of risks. As technology evolves at a dramatic pace, businesses are increasingly dependent on utilizing digital infrastructure, exposing themselves to threats such as ransomware, accidental data loss, and corruption.  Despite the 3-2-1 backup rule being invented in 2009, this strategy has stayed relevant for businesses over the years, ensuring that the loss of data is minimized under threat, and will be a crucial method in the upcoming years to prevent major data loss.   What Is the 3-2-1 Backup Rule? The 3-2-1 backup rule is a popular backup strategy that ensures resilience against data loss. The setup consists of keeping your original data and two backups.  The data also needs to be stored in two different locations, such as the cloud or a local drive.  The one in the 3-2-1 backup rule represents storing a copy of your data off site, and this completes the setup.  This setup has been considered a gold standard in IT security, as it minimizes points of failure and increases the chance of successful data recovery in the event of a cyber-attack.  Related:Why Is This Rule Relevant in the Modern Cyber Threat Landscape? Statistics show that in 2024, 80% of companies have seen an increase in the frequency of cloud attacks.  Although many businesses assume that storing data in the cloud is enough, it is certainly not failsafe, and businesses are in bigger danger than ever due to the vast development of technology and AI capabilities attackers can manipulate and use.  As the cloud infrastructure has seen a similar speed of growth, cyber criminals are actively targeting these, leaving businesses with no clear recovery option. Therefore, more than ever, businesses need to invest in immutable backup solutions.  Common Backup Mistakes Businesses Make A common misstep is keeping all backups on the same physical network. If malware gets in, it can quickly spread and encrypt both the primary data and the backups, wiping out everything in one go. Another issue is the lack of offline or air-gapped backups. Many businesses rely entirely on cloud-based or on-premises storage that's always connected, which means their recovery options could be compromised during an attack. Related:Finally, one of the most overlooked yet crucial steps is testing backup restoration. A backup is only useful if it can actually be restored. Too often, companies skip regular testing. This can lead to a harsh reality check when they discover, too late, that their backup data is either corrupted or completely inaccessible after a breach. How to Implement the 3-2-1 Backup Rule? To successfully implement the 3-2-1 backup strategy as part of a robust cybersecurity framework, organizations should start by diversifying their storage methods. A resilient approach typically includes a mix of local storage, cloud-based solutions, and physical media such as external hard drives.  From there, it's essential to incorporate technologies that support write-once, read-many functionalities. This means backups cannot be modified or deleted, even by administrators, providing an extra layer of protection against threats. To further enhance resilience, organizations should make use of automation and AI-driven tools. These technologies can offer real-time monitoring, detect anomalies, and apply predictive analytics to maintain the integrity of backup data and flag any unusual activity or failures in the process. Lastly, it's crucial to ensure your backup strategy aligns with relevant regulatory requirements, such as GDPR in the UK or CCPA in the US. Compliance not only mitigates legal risk but also reinforces your commitment to data protection and operational continuity. Related:By blending the time-tested 3-2-1 rule with modern advances like immutable storage and intelligent monitoring, organizations can build a highly resilient backup architecture that strengthens their overall cybersecurity posture. About the AuthorDaniel Pearson CEO, KnownHostDaniel Pearson is the CEO of KnownHost, a managed web hosting service provider. Pearson also serves as a dedicated board member and supporter of the AlmaLinux OS Foundation, a non-profit organization focused on advancing the AlmaLinux OS -- an open-source operating system derived from RHEL. His passion for technology extends beyond his professional endeavors, as he actively promotes digital literacy and empowerment. Pearson's entrepreneurial drive and extensive industry knowledge have solidified his reputation as a respected figure in the tech community. See more from Daniel Pearson ReportsMore ReportsNever Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.SIGN-UPYou May Also Like

Jun 16, 2025Ravie LakshmananMalware / DevOps Cybersecurity researchers have discovered a malicious package on the Python Package Index (PyPI) repository that's capable of harvesting sensitive developer-related information, such as credentials, configuration data, and environment variables, among others. The package, named chimera-sandbox-extensions, attracted 143 downloads and likely targets users of a service called Chimera Sandbox, which was released by Singaporean tech company Grab last August to facilitate "experimentation and development of [machine learning] solutions." The package masquerades as a helper module for Chimera Sandbox, but "aims to steal credentials and other sensitive information such as Jamf configuration, CI/CD environment variables, AWS tokens, and more," JFrog security researcher Guy Korolevski said in a report published last week. Once installed, it attempts to connect to an external domain whose domain name is generated using a domain generation algorithm (DGA) in order to download and execute a next-stage payload. Specifically, the malware acquires from the domain an authentication token, which is then used to send a request to the same domain and retrieve the Python-based information stealer. The stealer malware is equipped to siphon a wide range of data from infected machines. This includes - JAMF receipts, which are records of software packages installed by Jamf Pro on managed computers Pod sandbox environment authentication tokens and git information CI/CD information from environment variables Zscaler host configuration Amazon Web Services account information and tokens Public IP address General platform, user, and host information The kind of data gathered by the malware shows that it's mainly geared towards corporate and cloud infrastructure. In addition, the extraction of JAMF receipts indicates that it's also capable of targeting Apple macOS systems. The collected information is sent via a POST request back to the same domain, after which the server assesses if the machine is a worthy target for further exploitation. However, JFrog said it was unable to obtain the payload at the time of analysis. "The targeted approach employed by this malware, along with the complexity of its multi-stage targeted payload, distinguishes it from the more generic open-source malware threats we have encountered thus far, highlighting the advancements that malicious packages have made recently," Jonathan Sar Shalom, director of threat research at JFrog Security Research team, said. "This new sophistication of malware underscores why development teams remain vigilant with updates—alongside proactive security research – to defend against emerging threats and maintain software integrity." The disclosure comes as SafeDep and Veracode detailed a number of malware-laced npm packages that are designed to execute remote code and download additional payloads. The packages in question are listed below - eslint-config-airbnb-compat (676 Downloads) ts-runtime-compat-check (1,588 Downloads) solders (983 Downloads) @mediawave/lib (386 Downloads) All the identified npm packages have since been taken down from npm, but not before they were downloaded hundreds of times from the package registry. SafeDep's analysis of eslint-config-airbnb-compat found that the JavaScript library has ts-runtime-compat-check listed as a dependency, which, in turn, contacts an external server defined in the former package ("proxy.eslint-proxy[.]site") to retrieve and execute a Base64-encoded string. The exact nature of the payload is unknown. "It implements a multi-stage remote code execution attack using a transitive dependency to hide the malicious code," SafeDep researcher Kunal Singh said. Solders, on the other hand, has been found to incorporate a post-install script in its package.json, causing the malicious code to be automatically executed as soon as the package is installed. "At first glance, it's hard to believe that this is actually valid JavaScript," the Veracode Threat Research team said. "It looks like a seemingly random collection of Japanese symbols. It turns out that this particular obfuscation scheme uses the Unicode characters as variable names and a sophisticated chain of dynamic code generation to work." Decoding the script reveals an extra layer of obfuscation, unpacking which reveals its main function: Check if the compromised machine is Windows, and if so, run a PowerShell command to retrieve a next-stage payload from a remote server ("firewall[.]tel"). This second-stage PowerShell script, also obscured, is designed to fetch a Windows batch script from another domain ("cdn.audiowave[.]org") and configures a Windows Defender Antivirus exclusion list to avoid detection. The batch script then paves the way for the execution of a .NET DLL that reaches out to a PNG image hosted on ImgBB ("i.ibb[.]co"). "[The DLL] is grabbing the last two pixels from this image and then looping through some data contained elsewhere in it," Veracode said. "It ultimately builds up in memory YET ANOTHER .NET DLL." Furthermore, the DLL is equipped to create task scheduler entries and features the ability to bypass user account control (UAC) using a combination of FodHelper.exe and programmatic identifiers (ProgIDs) to evade defenses and avoid triggering any security alerts to the user. The newly-downloaded DLL is Pulsar RAT, a "free, open-source Remote Administration Tool for Windows" and a variant of the Quasar RAT. "From a wall of Japanese characters to a RAT hidden within the pixels of a PNG file, the attacker went to extraordinary lengths to conceal their payload, nesting it a dozen layers deep to evade detection," Veracode said. "While the attacker's ultimate objective for deploying the Pulsar RAT remains unclear, the sheer complexity of this delivery mechanism is a powerful indicator of malicious intent." Crypto Malware in the Open-Source Supply Chain The findings also coincide with a report from Socket that identified credential stealers, cryptocurrency drainers, cryptojackers, and clippers as the main types of threats targeting the cryptocurrency and blockchain development ecosystem. Some of the examples of these packages include - express-dompurify and pumptoolforvolumeandcomment, which are capable of harvesting browser credentials and cryptocurrency wallet keys bs58js, which drains a victim's wallet and uses multi-hop transfers to obscure theft and frustrate forensic tracing. lsjglsjdv, asyncaiosignal, and raydium-sdk-liquidity-init, which functions as a clipper to monitor the system clipboard for cryptocurrency wallet strings and replace them with threat actor‑controlled addresses to reroute transactions to the attackers "As Web3 development converges with mainstream software engineering, the attack surface for blockchain-focused projects is expanding in both scale and complexity," Socket security researcher Kirill Boychenko said. "Financially motivated threat actors and state-sponsored groups are rapidly evolving their tactics to exploit systemic weaknesses in the software supply chain. These campaigns are iterative, persistent, and increasingly tailored to high-value targets." AI and Slopsquatting The rise of artificial intelligence (AI)-assisted coding, also called vibe coding, has unleashed another novel threat in the form of slopsquatting, where large language models (LLMs) can hallucinate non-existent but plausible package names that bad actors can weaponize to conduct supply chain attacks. Trend Micro, in a report last week, said it observed an unnamed advanced agent "confidently" cooking up a phantom Python package named starlette-reverse-proxy, only for the build process to crash with the error "module not found." However, should an adversary upload a package with the same name on the repository, it can have serious security consequences. Furthermore, the cybersecurity company noted that advanced coding agents and workflows such as Claude Code CLI, OpenAI Codex CLI, and Cursor AI with Model Context Protocol (MCP)-backed validation can help reduce, but not completely eliminate, the risk of slopsquatting. "When agents hallucinate dependencies or install unverified packages, they create an opportunity for slopsquatting attacks, in which malicious actors pre-register those same hallucinated names on public registries," security researcher Sean Park said. "While reasoning-enhanced agents can reduce the rate of phantom suggestions by approximately half, they do not eliminate them entirely. Even the vibe-coding workflow augmented with live MCP validations achieves the lowest rates of slip-through, but still misses edge cases." Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post. SHARE    

While IO Interactive may be heavily focused on its inaugural James Bond game, 2026’s 007 First Light, it’s still providing ambitious new levels and updates for Hitman: World of Assassination and its new science fiction action game MindsEye. To continue to build hype for First Light and IOI’s growing partnership with the James Bond brand, the latest World of Assassination level is a Bond crossover, as Hitman protagonist Agent 47 targets Le Chiffre, the main villain of the 2006 movie Casino Royale. Available through July 6, 2025, the Le Chiffre event in World of Assassination features actor Mads Mikkelsen reprising his fan-favorite Bond villain role, not only providing his likeness but voicing the character as he confronts the contract killer in France. Den of Geek attended the first-ever in-person IO Interactive Showcase, a partner event with Summer Game Fest held at The Roosevelt Hotel in Hollywood. Mikkelsen and the developers shared insight on the surprise new World of Assassination level, with the level itself playable in its entirety to attendees on the Nintendo Switch 2 and PlayStation Portal. The developers also included an extended gameplay preview for MindsEye, ahead of its June 10 launch, while sharing some details about the techno-thriller. Matching his background from Casino Royale, Le Chiffre is a terrorist financier who manipulates the stock market by any means necessary to benefit himself and his clients. After an investment deal goes wrong, Le Chiffre tries to recoup a brutal client’s losses through a high-stakes poker game in France, with Agent 47 hired to assassinate the criminal mastermind on behalf of an unidentified backer. The level opens with 47 infiltrating a high society gala linked to the poker game, with the contract killer entering under his oft-used assumed name of Tobias Rieper, a facade that Le Chiffre immediately sees through. At the IO Interactive Showcase panel, Mikkelsen observed that the character of Le Chiffre is always one that he enjoyed and held a special place for him and his career. Reprising his villainous role also gave Mikkelsen the chance to reunite with longtime Agent 47 voice actor David Bateson since their ‘90s short film Tom Merritt, though both actors recorded their respective lines separately. Mikkelsen enjoyed that Le Chiffre’s appearance in World of Assassination gave him a more physical role than he had in Casino Royale, rather than largely placing him at a poker table. Of course, like most Hitman levels, there are multiple different ways that players can accomplish their main objective of killing Le Chiffre and escaping the premises. The game certainly gives players multiple avenues to confront the evil financier over a game of poker before closing in for the kill, but it’s by no means the only way to successfully assassinate him. We won’t give away how we ultimately pulled off the assassination, but rest assured that it took multiple tries, careful plotting, and with all the usual trial-and-error that comes from playing one of Hitman’s more difficult and immersively involved levels. Moving away from its more grounded action titles, IO Interactive also provided a deeper look at its new sci-fi game MindsEye, developed by Build a Rocket Boy. Set in the fictional Redrock City, the extended gameplay sneak peek at the showcase featured protagonist Adam Diaz fighting shadowy enemies in the futuristic city’s largely abandoned streets. While there were no hands-on demos at the showcase itself, the preview demonstrated Diaz using his abilities and equipment, including an accompanying drone, to navigate the city from a third-person perspective and use an array of weapons to dispatch those trying to hunt him down. MindsEye marks the first game published through IOI Partners, an initiative that has IOI publish games from smaller, external developers. The game did not have a hands-on demo at the showcase and, given its bug-heavy and poorly-received launch, this distinction is not particularly surprising. Build a Robot Boy has since pledged to support the game through June to fix its technical issues but, given the game’s hands-on access at the IOI Showcase, there were already red flags surrounding the game’s performance. With that in mind, most of the buzz at the showcase was unsurprisingly centered around 007 First Light and updates to Hitman: World of Assassination, and IO Interactive did not disappoint in that regard. Even with Hitman: World of Assassination over four years old now, the game continues to receive impressive post-release support from IO Interactive, both in bringing the title to the Nintendo Switch 2 and with additional DLC. At the showcase, IOI hinted at additional special levels for World of Assassintation with high-profile guest targets like Le Chiffre, without identifying who or if they’re also explicitly tied to the James Bond franchise. But with 007 First Light slated for its eagerly anticipated launch next year, it’s a safe bet that IOI has further plans to hype its own role in building out the James Bond legacy for the foreseeable future. The Hitman: World of Assassination special Le Chiffre level is available now through July 6, 2025 on all the game’s major platforms, including the Nintendo Switch 2. MindsEye is now on sale for PlayStation 5, Xbox Series X|S, and PC.

Anker has announced a new version of its wireless sleep buds that could be even more effective at delivering a peaceful slumber by blocking out disturbing noises using active noise cancellation. Previous versions of the Soundcore Sleep earbuds blocked external sounds passively using just a snug fit inside the ear, but the new Sleep A30 finally add ANC while still offering enough battery life to last the night.As with previous versions, Anker is making its new Soundcore Sleep A30 available for preorder through a Kickstarter crowdfunding campaign that’s launching today, while full availability of the earbuds is expected sometime in August 2025 through Amazon and Soundcore’s online store. At $229.99, the Sleep A30 are quite a bit more expensive than last year’s $149.99 Sleep A20, but the earliest Kickstarter backers can get the A30 discounted to $139.The Sleep A30 are slimmer and smaller than previous versions, potentially making them more comfortable to wear overnight. Image: AnkerThe Sleep A30 earbuds are now 7 percent slimmer and feature a smaller design that ensures they don’t protrude from your ears so there’s reduced pressure while wearing them and laying on a pillow if you’re a side sleeper. To help you find a snug fit, Anker includes four sizes of silicone ear tips, three sizes of memory foam tips, and three sizes of ear wings.Anker claims the new Sleep A30 block up to 30dB of external noise, but the added ANC, which uses two mics positioned inside and outside your ears, does result in reduced battery life. The A20 could run for up to 14 hours on a single charge, but the A30 max out at up to nine hours on their own, or up to 45 hours with their charging case. However, that’s only when listening to white noise or other sounds designed to help you fall asleep that are stored on the buds themselves. When streaming music or podcasts from a phone, battery life is further reduced to up to 6.5 hours or 35 hours with the case.The Sleep A30’s charging case has been upgraded to detect snoring sounds and generate audio to mask them. Image: AnkerThe Sleep A30’s charging case has been upgraded with what Anker is calling “Adaptive Snore Masking technology.” If it detects the sounds of snoring from another person nearby, it analyzes the volume and frequency of the sounds and generates “noise masking audio” that’s sent to the buds to help block it out.The new earbuds also feature sleep monitoring and sleep position tracking, allowing you to see how restful or eventful your night was through the Soundcore mobile app; a private repeatable alarm with snooze functionality; and a Find My Earbud feature should they fall out in the night and get lost in the sheets.See More:

One stock recently impacted by a whirlwind of volatility is Block—the fintech powerhouse behind Square, Cash App, Tidal Music, and more. The company’s COO and CFO, Amrita Ahuja, shares how her team is using new AI tools to find opportunity amid disruption and reach customers left behind by traditional financial systems. Ahuja also shares lessons from the video game industry and discusses Gen Z’s surprising approach to money management.   This is an abridged transcript of an interview from Rapid Response, hosted by Robert Safian, former editor-in-chief of Fast Company. From the team behind the Masters of Scale podcast, Rapid Response features candid conversations with today’s top business leaders navigating real-time challenges. Subscribe to Rapid Response wherever you get your podcasts to ensure you never miss an episode. As a leader, when you’re looking at all of this volatility—the tariffs, consumer sentiment’s been unclear, the stock market’s been all over the place. You guys had a huge one-day drop in early May, and it quickly bounced back. How do you make sense of all these external factors? Yeah, our focus is on what we can control. And ultimately, the thing that we are laser-focused on for our business is product velocity. How quickly can we start small with something, launch something for our customers, and then test and iterate and learn so that ultimately, that something that we’ve launched scales into an important product? I’ll give you an example. Cash App Borrow, which is a product where our customers can get access to a line of credit, often $100, $200, that bridges them from paycheck to paycheck. We know so many Americans are living paycheck to paycheck. That’s a product that we launched about three years ago and have now scaled to serve 9 million actives with $15 billion in credit supply to our customers in a span of a couple short years. The more we can be out testing and launching product at a pace, the more we know we are ultimately delivering value to our customers, and the right things will happen from a stock perspective. Block is a financial services provider. You have Square, the point-of-sale system; the digital wallet Cash App, which you mentioned, which competes with Venmo and Robinhood; and a bunch of others. Then you’ve got the buy-now, pay-later leader Afterpay. You chair Square Financial Services, which is Block’s chartered bank. But you’ve said that in the fintech world, Block is only a little bit fin—that comparatively, it’s more tech. Can you explain what you mean by that? What we think is unique about us is our ability as a technology company to completely change innovation in the space, such that we can help solve systemic issues across credit, payments, commerce, and banking. What that means ultimately is we use technologies like AI and machine learning and data science, and we use these technologies in a unique way, in a way that’s different from a traditional bank. We are able to underwrite those who are often frankly forgotten by the traditional financial ecosystems. Our Square Loans product has almost triple the rate of women-owned businesses that we underwrite. Fifty-eight percent of our loans go to women-owned businesses versus 20% for the industry average. For that Cash App Borrow product I was talking about, 70% of those actives, the 9 million actives that we underwrote, fell below 580 as a FICO score. That’s considered a poor FICO score, and yet 97% of repayments are made on time. And this is because we have unique access to data and these technology and tools which can help us uniquely underwrite this often forgotten customer base. Yeah. I mean, credit—sometimes it’s been blamed for financial excesses. But access to credit is also, as you say, an advantage that’s not available to everyone. Do you have a philosophy between those poles—between risk and opportunity? Or is what you’re saying is that the tech you have allows you to avoid that risk? That’s right. Let’s start with how do the current systems work? It works using inferior data, frankly. It’s more limited data. It’s outdated. Sometimes it’s inaccurate. And it ignores things like someone’s cash flows, the stability of your income, your savings rate, how money moves through your accounts, or how you use alternative forms of credit—like buy now, pay later, which we have in our ecosystem through Afterpay. We have a lot of these signals for our 57 million monthly actives on the Cash App side and for the 4 million small businesses on the Square side, and those, frankly, billions of transaction data points that we have on any given day paired with new technologies. And we intend to continue to be on the forefront of AI, machine learning, and data science to be able to empower more people into the economy. The combination of the superior data and the technologies is what we believe ultimately helps expand access. You have a financial background, but not in the financial services industry. Before Block, you were a video game developer at Activision. Are financial businesses and video games similar? Are there things that are similar about them? There are. There actually are some things that are similar, I will say. There are many things that are unique to each industry. Each industry is incredibly complex. You find that when big technology companies try to do gaming. They’ve taken over the world in many different ways, but they can’t always crack the nut on putting out a great game. Similarly, some of the largest technology companies have dabbled in fintech but haven’t been able to go as deep, so they’re both very nuanced and complex industries. I would say another similarity is that design really matters. Industrial design, the design of products, the interface of products, is absolutely mission-critical to a great game, and it’s absolutely mission-critical to the simplicity and accessibility of our products, be it on Square or Cash App. And then maybe the third thing that I would say is that when I was in gaming, at least the business models were rapidly changing from an intermediary distribution mechanism, like releasing a game once and then selling it through a retailer, to an always-on, direct-to-consumer connection. And similarly with banking, people don’t want to bank from 9 to 5, six days a week. They want 24/7 access to their money and the ability to, again, grow their financial livelihood, move their money around seamlessly. So, some similarities are there in that shift to an intermediary model or a slower model to an always-on, direct-to-consumer connection. Part of your target audience or your target customer base at Block are Gen Z folks. Did you learn things at Activision about Gen Z that has been useful? Are there things that businesses misunderstand about younger generations still? What we’ve learned is that Gen Z, millennial customers, aren’t going to do things the way their parents did. Some of our stats show that 63% of Gen Z customers have moved away from traditional credit cards, and over 80% are skeptical of them. Which means they’re not using a credit card to manage expenses; they’re using a debit card, but then layering on on a transaction-by-transaction basis. Or again, using tools like buy now, pay later, or Cash App Borrow, the means in which they’re managing their consistent cash flows. So that’s an example of how things are changing, and you’ve got to get up to speed with how the next generation of customers expects to manage their money.

IntroductionHello! My name is Denys. I was born and raised in Nigeria, where I'm currently based. I began my journey into 3D art in March 2022, teaching myself through online resources, starting, of course, with the iconic donut tutorial on YouTube. Since then, I've continued to grow my skills independently, and now I'm working toward a career in 3D generalism, with a particular interest in environment art.I originally got into Blender because SketchUp wasn't free, and I could not keep up with the subscriptions. While searching for alternatives, I came across Blender. That's when I realized I had installed it once years ago, but back then, the interface completely intimidated me, and I gave up on it. This time, though, I decided to stick with it – and I'm glad I did.I started out creating simple models. One of my first big projects was modeling the entire SpongeBob crew. That led to my first animation, and eventually, the first four episodes of a short animated series (though it's still incomplete). As I grew more confident, I began participating in online 3D competitions, like cgandwe, where I focused on designing realistic environments. Those experiences have played a huge role in getting me to where I am today.Getting Started Before starting any scene, I always look for references. It might not be the most original approach, but it's what works best for me. One piece that inspired me was a beautiful artwork by Calder Moore. I bookmarked it as soon as I saw it back in 2023, and luckily, I finally found the time to bring it to life last month.BlockoutThe goal was to match the original camera angle and roughly model the main frame of the structures. It wasn't perfect, but modeling and placing the lower docks helped me get the perspective right. Then I moved on to modeling and positioning the major structures in the scene.I gave myself two weeks to complete this project. And as much as I enjoy modeling, I also enjoy not modeling, so I turned to asset kits and free models to help speed things up. I came across an awesome paid kit by Bigmediumsmall and instantly knew it would fit perfectly into my scene.I also downloaded a few models from Sketchfab, including a lamp, desk console, freighter controls, and a robotic arm, which I later took apart to add extra detail. Another incredibly helpful tool was the Random Flow add-on by BlenderGuppy, which made adding sci-fi elements much easier. Lastly, I pulled in some models from my older sci-fi and cyberpunk projects to round things out.Kitbashing Once I had the overall shape I was aiming for, I moved on to kitbashing to pack in as much detail as possible. There wasn't any strict method to the madness; I simply picked assets I liked, whether it was a set of pipes, vents, or even a random shape that just worked in the sci-fi context. I focused first on kitbashing the front structure, and used the Random Flow add-on to fill in areas where I didn't kitbash manually. Then I moved on to the other collections, following the same process.The freighter was the final piece of the puzzle, and I knew it was going to be a challenge. Part of me wanted to model it entirely from scratch, but the more practical side knew I could save a lot of time by sticking with my usual method. So I modeled the main shapes myself, then kitbashed the details to bring it to life. I also grabbed some crates from Sketchfab to fill out the scene.Texturing This part was easily my favorite, and there was no shortcut here. I had to meticulously create each material myself. Well, I did use PBR materials downloaded from CGAmbient as a base, but I spent a lot of time tweaking and editing them to get everything just right.Texturing has always been my favorite stage when building scenes like this. Many artists prefer external tools like Substance 3D Painter (which I did use for some of the models), but I've learned so much about procedural texturing, especially from RyanKingArt, that I couldn't let it go. It's such a flexible and rewarding approach, and I love pushing it as far as I can.I wanted most of the colors in the scene to be dark, but I did keep the original color of the pipes and the pillars, just to add a little bit of vibrance to the scene. I also wanted the overall texture to be very rough and grungy. One of the biggest helps in achieving this was using the Grunge Maps from Substance 3D Painter. I found a way to extract them into Blender, and it helped.A major tool during the texturing phase was Jsplacement, which I used to procedurally generate sci-fi grids and plates. This was the icing on the cake for adding intricate details. Whenever an area felt too flat, I applied bump maps with these grids and panels to bring the materials to life. For example, both the lamp pole and the entire black metal material feature these Jsplacement Maps.Lighting For this, I didn't do anything fancy. I knew the scene was in a high altitude, so I looked for HDRI with a cloudless sky, and I boosted the saturation up a little to give it that high altitude look.Post-Production The rendering phase was challenging since I was working on a low-end laptop. I couldn't render the entire scene all at once, so I broke it down by collections and rendered them as separate layers. Then, I composited the layers together in post-production. I'm not big on heavy post-work, so I kept it simple, mostly tweaking brightness and saturation on my phone. That's about it for the post-production process.Conclusion The entire project took me 10 days to complete, working at least four hours each day. Although I've expressed my love for texturing, my favorite part of this project was the detailing and kitbashing. I really enjoyed piecing all the small details together. The most challenging part was deciding which assets to use and where to place them. I had a lot of greebles to choose from, but I'm happy with the ones I selected; they felt like a perfect fit for the scene.I know kitbashing sometimes gets a negative reputation in the 3D community, but I found it incredibly relieving. Honestly, this project wouldn't have come together without it, so I fully embraced the process.I'm excited to keep making projects like this. The world of 3D art is truly an endless and vast realm, and I encourage every artist like me to keep exploring it, one project at a time.Denys Molokwu, 3D Artist

Outdated coding practices and memory-unsafe languages like C are putting software, including cryptographic libraries, at risk. Fortunately, memory-safe languages like Rust, along with formal verification tools, are now mature enough to be used at scale, helping prevent issues like crashes, data corruption, flawed implementation, and side-channel attacks. To address these vulnerabilities and improve memory safety, we’re rewriting SymCrypt (opens in new tab)—Microsoft’s open-source cryptographic library—in Rust. We’re also incorporating formal verification methods. SymCrypt is used in Windows, Azure Linux, Xbox, and other platforms. Currently, SymCrypt is primarily written in cross-platform C, with limited use of hardware-specific optimizations through intrinsics (compiler-provided low-level functions) and assembly language (direct processor instructions). It provides a wide range of algorithms, including AES-GCM, SHA, ECDSA, and the more recent post-quantum algorithms ML-KEM and ML-DSA.  Formal verification will confirm that implementations behave as intended and don’t deviate from algorithm specifications, critical for preventing attacks. We’ll also analyze compiled code to detect side-channel leaks caused by timing or hardware-level behavior. Proving Rust program properties with Aeneas Program verification is the process of proving that a piece of code will always satisfy a given property, no matter the input. Rust’s type system profoundly improves the prospects for program verification by providing strong ownership guarantees, by construction, using a discipline known as “aliasing xor mutability”. For example, reasoning about C code often requires proving that two non-const pointers are live and non-overlapping, a property that can depend on external client code. In contrast, Rust’s type system guarantees this property for any two mutably borrowed references. As a result, new tools have emerged specifically for verifying Rust code. We chose Aeneas (opens in new tab) because it helps provide a clean separation between code and proofs. Developed by Microsoft Azure Research in partnership with Inria, the French National Institute for Research in Digital Science and Technology, Aeneas connects to proof assistants like Lean (opens in new tab), allowing us to draw on a large body of mathematical proofs—especially valuable given the mathematical nature of cryptographic algorithms—and benefit from Lean’s active user community. Compiling Rust to C supports backward compatibility   We recognize that switching to Rust isn’t feasible for all use cases, so we’ll continue to support, extend, and certify C-based APIs as long as users need them. Users won’t see any changes, as Rust runs underneath the existing C APIs. Some users compile our C code directly and may rely on specific toolchains or compiler features that complicate the adoption of Rust code. To address this, we will use Eurydice (opens in new tab), a Rust-to-C compiler developed by Microsoft Azure Research, to replace handwritten C code with C generated from formally verified Rust. Eurydice (opens in new tab) compiles directly from Rust’s MIR intermediate language, and the resulting C code will be checked into the SymCrypt repository alongside the original Rust source code. As more users adopt Rust, we’ll continue supporting this compilation path for those who build SymCrypt from source code but aren’t ready to use the Rust compiler. In the long term, we hope to transition users to either use precompiled SymCrypt binaries (via C or Rust APIs), or compile from source code in Rust, at which point the Rust-to-C compilation path will no longer be needed. Microsoft research podcast Ideas: AI and democracy with Madeleine Daepp and Robert Osazuwa Ness As the “biggest election year in history” comes to an end, researchers Madeleine Daepp and Robert Osazuwa Ness and Democracy Forward GM Ginny Badanes discuss AI’s impact on democracy, including the tech’s use in Taiwan and India. Listen now Opens in a new tab Timing analysis with Revizor  Even software that has been verified for functional correctness can remain vulnerable to low-level security threats, such as side channels caused by timing leaks or speculative execution. These threats operate at the hardware level and can leak private information, such as memory load addresses, branch targets, or division operands, even when the source code is provably correct.  To address this, we’re extending Revizor (opens in new tab), a tool developed by Microsoft Azure Research, to more effectively analyze SymCrypt binaries. Revizor models microarchitectural leakage and uses fuzzing techniques to systematically uncover instructions that may expose private information through known hardware-level effects.   Earlier cryptographic libraries relied on constant-time programming to avoid operations on secret data. However, recent research has shown that this alone is insufficient with today’s CPUs, where every new optimization may open a new side channel.  By analyzing binary code for specific compilers and platforms, our extended Revizor tool enables deeper scrutiny of vulnerabilities that aren’t visible in the source code. Verified Rust implementations begin with ML-KEM This long-term effort is in alignment with the Microsoft Secure Future Initiative and brings together experts across Microsoft, building on decades of Microsoft Research investment in program verification and security tooling. A preliminary version of ML-KEM in Rust is now available on the preview feature/verifiedcrypto (opens in new tab) branch of the SymCrypt repository. We encourage users to try the Rust build and share feedback (opens in new tab). Looking ahead, we plan to support direct use of the same cryptographic library in Rust without requiring C bindings.  Over the coming months, we plan to rewrite, verify, and ship several algorithms in Rust as part of SymCrypt. As our investment in Rust deepens, we expect to gain new insights into how to best leverage the language for high-assurance cryptographic implementations with low-level optimizations.  As performance is key to scalability and sustainability, we’re holding new implementations to a high bar using our benchmarking tools to match or exceed existing systems. Looking forward  This is a pivotal moment for high-assurance software. Microsoft’s investment in Rust and formal verification presents a rare opportunity to advance one of our key libraries. We’re excited to scale this work and ultimately deliver an industrial-grade, Rust-based, FIPS-certified cryptographic library. Opens in a new tab

The Secure Government Email (SGE) Common Implementation Framework New Zealand’s government is introducing a comprehensive email security framework designed to protect official communications from phishing and domain spoofing. This new framework, which will be mandatory for all government agencies by October 2025, establishes clear technical standards to enhance email security and retire the outdated SEEMail service.  Key Takeaways All NZ government agencies must comply with new email security requirements by October 2025. The new framework strengthens trust and security in government communications by preventing spoofing and phishing. The framework mandates TLS 1.2+, SPF, DKIM, DMARC with p=reject, MTA-STS, and DLP controls. EasyDMARC simplifies compliance with our guided setup, monitoring, and automated reporting. Start a Free Trial What is the Secure Government Email Common Implementation Framework? The Secure Government Email (SGE) Common Implementation Framework is a new government-led initiative in New Zealand designed to standardize email security across all government agencies. Its main goal is to secure external email communication, reduce domain spoofing in phishing attacks, and replace the legacy SEEMail service. Why is New Zealand Implementing New Government Email Security Standards? The framework was developed by New Zealand’s Department of Internal Affairs (DIA) as part of its role in managing ICT Common Capabilities. It leverages modern email security controls via the Domain Name System (DNS) to enable the retirement of the legacy SEEMail service and provide: Encryption for transmission security Digital signing for message integrity Basic non-repudiation (by allowing only authorized senders) Domain spoofing protection These improvements apply to all emails, not just those routed through SEEMail, offering broader protection across agency communications. What Email Security Technologies Are Required by the New NZ SGE Framework? The SGE Framework outlines the following key technologies that agencies must implement: TLS 1.2 or higher with implicit TLS enforced TLS-RPT (TLS Reporting) SPF (Sender Policy Framework) DKIM (DomainKeys Identified Mail) DMARC (Domain-based Message Authentication, Reporting, and Conformance) with reporting MTA-STS (Mail Transfer Agent Strict Transport Security) Data Loss Prevention controls These technologies work together to ensure encrypted email transmission, validate sender identity, prevent unauthorized use of domains, and reduce the risk of sensitive data leaks. Get in touch When Do NZ Government Agencies Need to Comply with this Framework? All New Zealand government agencies are expected to fully implement the Secure Government Email (SGE) Common Implementation Framework by October 2025. Agencies should begin their planning and deployment now to ensure full compliance by the deadline. The All of Government Secure Email Common Implementation Framework v1.0 What are the Mandated Requirements for Domains? Below are the exact requirements for all email-enabled domains under the new framework. ControlExact RequirementTLSMinimum TLS 1.2. TLS 1.1, 1.0, SSL, or clear-text not permitted.TLS-RPTAll email-sending domains must have TLS reporting enabled.SPFMust exist and end with -all.DKIMAll outbound email from every sending service must be DKIM-signed at the final hop.DMARCPolicy of p=reject on all email-enabled domains. adkim=s is recommended when not bulk-sending.MTA-STSEnabled and set to enforce.Implicit TLSMust be configured and enforced for every connection.Data Loss PreventionEnforce in line with the New Zealand Information Security Manual (NZISM) and Protective Security Requirements (PSR). Compliance Monitoring and Reporting The All of Government Service Delivery (AoGSD) team will be monitoring compliance with the framework. Monitoring will initially cover SPF, DMARC, and MTA-STS settings and will be expanded to include DKIM. Changes to these settings will be monitored, enabling reporting on email security compliance across all government agencies. Ongoing monitoring will highlight changes to domains, ensure new domains are set up with security in place, and monitor the implementation of future email security technologies.  Should compliance changes occur, such as an agency’s SPF record being changed from -all to ~all, this will be captured so that the AoGSD Security Team can investigate. They will then communicate directly with the agency to determine if an issue exists or if an error has occurred, reviewing each case individually. Deployment Checklist for NZ Government Compliance Enforce TLS 1.2 minimum, implicit TLS, MTA-STS & TLS-RPT SPF with -all DKIM on all outbound email DMARC p=reject  adkim=s where suitable For non-email/parked domains: SPF -all, empty DKIM, DMARC reject strict Compliance dashboard Inbound DMARC evaluation enforced DLP aligned with NZISM Start a Free Trial How EasyDMARC Can Help Government Agencies Comply EasyDMARC provides a comprehensive email security solution that simplifies the deployment and ongoing management of DNS-based email security protocols like SPF, DKIM, and DMARC with reporting. Our platform offers automated checks, real-time monitoring, and a guided setup to help government organizations quickly reach compliance. 1. TLS-RPT / MTA-STS audit EasyDMARC enables you to enable the Managed MTA-STS and TLS-RPT option with a single click. We provide the required DNS records and continuously monitor them for issues, delivering reports on TLS negotiation problems. This helps agencies ensure secure email transmission and quickly detect delivery or encryption failures. Note: In this screenshot, you can see how to deploy MTA-STS and TLS Reporting by adding just three CNAME records provided by EasyDMARC. It’s recommended to start in “testing” mode, evaluate the TLS-RPT reports, and then gradually switch your MTA-STS policy to “enforce”. The process is simple and takes just a few clicks. As shown above, EasyDMARC parses incoming TLS reports into a centralized dashboard, giving you clear visibility into delivery and encryption issues across all sending sources. 2. SPF with “-all”In the EasyDARC platform, you can run the SPF Record Generator to create a compliant record. Publish your v=spf1 record with “-all” to enforce a hard fail for unauthorized senders and prevent spoofed emails from passing SPF checks. This strengthens your domain’s protection against impersonation. Note: It is highly recommended to start adjusting your SPF record only after you begin receiving DMARC reports and identifying your legitimate email sources. As we’ll explain in more detail below, both SPF and DKIM should be adjusted after you gain visibility through reports. Making changes without proper visibility can lead to false positives, misconfigurations, and potential loss of legitimate emails. That’s why the first step should always be setting DMARC to p=none, receiving reports, analyzing them, and then gradually fixing any SPF or DKIM issues. 3. DKIM on all outbound email DKIM must be configured for all email sources sending emails on behalf of your domain. This is critical, as DKIM plays a bigger role than SPF when it comes to building domain reputation, surviving auto-forwarding, mailing lists, and other edge cases. As mentioned above, DMARC reports provide visibility into your email sources, allowing you to implement DKIM accordingly (see first screenshot). If you’re using third-party services like Google Workspace, Microsoft 365, or Mimecast, you’ll need to retrieve the public DKIM key from your provider’s admin interface (see second screenshot). EasyDMARC maintains a backend directory of over 1,400 email sources. We also give you detailed guidance on how to configure SPF and DKIM correctly for major ESPs.  Note: At the end of this article, you’ll find configuration links for well-known ESPs like Google Workspace, Microsoft 365, Zoho Mail, Amazon SES, and SendGrid – helping you avoid common misconfigurations and get aligned with SGE requirements. If you’re using a dedicated MTA (e.g., Postfix), DKIM must be implemented manually. EasyDMARC’s DKIM Record Generator lets you generate both public and private keys for your server. The private key is stored on your MTA, while the public key must be published in your DNS (see third and fourth screenshots). 4. DMARC p=reject rollout As mentioned in previous points, DMARC reporting is the first and most important step on your DMARC enforcement journey. Always start with a p=none policy and configure RUA reports to be sent to EasyDMARC. Use the report insights to identify and fix SPF and DKIM alignment issues, then gradually move to p=quarantine and finally p=reject once all legitimate email sources have been authenticated.  This phased approach ensures full protection against domain spoofing without risking legitimate email delivery. 5. adkim Strict Alignment Check This strict alignment check is not always applicable, especially if you’re using third-party bulk ESPs, such as Sendgrid, that require you to set DKIM on a subdomain level. You can set adkim=s in your DMARC TXT record, or simply enable strict mode in EasyDMARC’s Managed DMARC settings. This ensures that only emails with a DKIM signature that exactly match your domain pass alignment, adding an extra layer of protection against domain spoofing. But only do this if you are NOT a bulk sender. 6. Securing Non-Email Enabled Domains The purpose of deploying email security to non-email-enabled domains, or parked domains, is to prevent messages being spoofed from that domain. This requirement remains even if the root-level domain has SP=reject set within its DMARC record. Under this new framework, you must bulk import and mark parked domains as “Parked.” Crucially, this requires adjusting SPF settings to an empty record, setting DMARC to p=reject, and ensuring an empty DKIM record is in place: • SPF record: “v=spf1 -all”. • Wildcard DKIM record with empty public key.• DMARC record: “v=DMARC1;p=reject;adkim=s;aspf=s;rua=mailto:…”. EasyDMARC allows you to add and label parked domains for free. This is important because it helps you monitor any activity from these domains and ensure they remain protected with a strict DMARC policy of p=reject. 7. Compliance Dashboard Use EasyDMARC’s Domain Scanner to assess the security posture of each domain with a clear compliance score and risk level. The dashboard highlights configuration gaps and guides remediation steps, helping government agencies stay on track toward full compliance with the SGE Framework. 8. Inbound DMARC Evaluation Enforced You don’t need to apply any changes if you’re using Google Workspace, Microsoft 365, or other major mailbox providers. Most of them already enforce DMARC evaluation on incoming emails. However, some legacy Microsoft 365 setups may still quarantine emails that fail DMARC checks, even when the sending domain has a p=reject policy, instead of rejecting them. This behavior can be adjusted directly from your Microsoft Defender portal. Read more about this in our step-by-step guide on how to set up SPF, DKIM, and DMARC from Microsoft Defender. If you’re using a third-party mail provider that doesn’t enforce having a DMARC policy for incoming emails, which is rare, you’ll need to contact their support to request a configuration change. 9. Data Loss Prevention Aligned with NZISM The New Zealand Information Security Manual (NZISM) is the New Zealand Government’s manual on information assurance and information systems security. It includes guidance on data loss prevention (DLP), which must be followed to be aligned with the SEG. Need Help Setting up SPF and DKIM for your Email Provider? Setting up SPF and DKIM for different ESPs often requires specific configurations. Some providers require you to publish SPF and DKIM on a subdomain, while others only require DKIM, or have different formatting rules. We’ve simplified all these steps to help you avoid misconfigurations that could delay your DMARC enforcement, or worse, block legitimate emails from reaching your recipients. Below you’ll find comprehensive setup guides for Google Workspace, Microsoft 365, Zoho Mail, Amazon SES, and SendGrid. You can also explore our full blog section that covers setup instructions for many other well-known ESPs. Remember, all this information is reflected in your DMARC aggregate reports. These reports give you live visibility into your outgoing email ecosystem, helping you analyze and fix any issues specific to a given provider. Here are our step-by-step guides for the most common platforms: Google Workspace Microsoft 365 These guides will help ensure your DNS records are configured correctly as part of the Secure Government Email (SGE) Framework rollout. Meet New Government Email Security Standards With EasyDMARC New Zealand’s SEG Framework sets a clear path for government agencies to enhance their email security by October 2025. With EasyDMARC, you can meet these technical requirements efficiently and with confidence. From protocol setup to continuous monitoring and compliance tracking, EasyDMARC streamlines the entire process, ensuring strong protection against spoofing, phishing, and data loss while simplifying your transition from SEEMail.