Posted on

Cyber teams on alert as React2Shell exploitation spreads

A remote code execution (RCE) vulnerability in the React JavaScript library, which earlier today caused disruption across the internet as Cloudflare pushed mitigations live on its network, is now being exploited by multiple threat actors at scale, according to reports.

Maintained by Meta, React is an open source resource designed to enable developers to build user interfaces for both native and web applications.

The vulnerability in question, assigned CVE-2025-55182 and dubbed React2Shell by the cyber community, is a critically scored pre-authentication RCE flaw in versions 19.0.0, 19.1.0, 19.1.1 and 19.2.0 of React Server Components. It stems from a flaw in how those versions decode payloads sent to React Server Function endpoints.

This means that by crafting a malicious HTTP request to a Server Function endpoint, a threat actor could gain the ability to run arbitrary code on the target server.
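Because the affected versions are an enumerated set, the most useful immediate check for a defender is an inventory: which installed copies of the React Server Components packages, including copies nested under other dependencies, sit at one of the four listed versions. The script below is an added example written for this article; it is not code from the article or from the React project. The article does not name the affected npm packages, so the package names in `PACKAGES_OF_INTEREST` are an assumption to be replaced with the names from the vendor advisory, and the lockfile contents are constructed sample data.

```python
"""Added example (not from the article or the React project): scan an npm
package-lock.json for installed copies of the React Server Components
packages at the versions the article lists for CVE-2025-55182.

Assumptions not stated in the article:
  * the affected code ships in the packages named in PACKAGES_OF_INTEREST
    (treat this as a placeholder set and confirm it against the advisory);
  * the lockfile is npm lockfileVersion 1, 2 or 3.
"""
import json

# Versions named in the article as affected.
AFFECTED_VERSIONS = {"19.0.0", "19.1.0", "19.1.1", "19.2.0"}

# ASSUMED package names (placeholder; confirm against the vendor advisory).
PACKAGES_OF_INTEREST = {
    "react-server-dom-webpack",
    "react-server-dom-parcel",
    "react-server-dom-turbopack",
}


def package_name_from_path(path):
    """Map a lockfile 'packages' key such as
    'node_modules/next/node_modules/react-server-dom-webpack' to the bare
    package name. Scoped packages ('node_modules/@scope/pkg') and nested
    node_modules directories are handled by taking the last segment."""
    return path.split("node_modules/")[-1]


def find_affected(lockfile_text, packages_of_interest=PACKAGES_OF_INTEREST):
    """Return a sorted list of (path, name, version) for every installed copy
    of a package of interest whose version is in AFFECTED_VERSIONS.
    lockfileVersion 2/3 expose a flat 'packages' map; v1 nests a
    'dependencies' tree, which is walked recursively."""
    lock = json.loads(lockfile_text)
    hits = []
    packages = lock.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            if not path:
                continue  # "" is the root project entry, not a dependency
            name = meta.get("name") or package_name_from_path(path)
            version = meta.get("version", "")
            if name in packages_of_interest and version in AFFECTED_VERSIONS:
                hits.append((path, name, version))
    else:
        def walk(deps, prefix):
            for name, meta in deps.items():
                path = f"{prefix}node_modules/{name}"
                version = meta.get("version", "")
                if name in packages_of_interest and version in AFFECTED_VERSIONS:
                    hits.append((path, name, version))
                walk(meta.get("dependencies", {}), path + "/")
        walk(lock.get("dependencies", {}), "")
    return sorted(hits)


# Constructed sample lockfile (v3 layout). The top-level copy is at a version
# outside the listed set and is not flagged; the copy nested under a framework
# package is at a listed version and is flagged, showing why a top-level-only
# check is not enough.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/react": {"version": "19.2.0"},
        "node_modules/react-server-dom-webpack": {"version": "18.3.1"},
        "node_modules/next/node_modules/react-server-dom-webpack": {"version": "19.1.1"},
    },
})

if __name__ == "__main__":
    for path, name, version in find_affected(SAMPLE_LOCK):
        print(f"AFFECTED {name}@{version} at {path}")
```

Run it against a real lockfile by reading the file into `find_affected`; a hit means a copy of the package is installed at a listed version, whether or not the application actually exposes a Server Function endpoint, so treat the output as a prioritisation list for patching rather than proof of exploitability.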

It was added to the US Cybersecurity and Infrastructure Security Agency’s catalogue on Friday 5 December. According to Amazon Web Services (AWS) chief information security officer and vice-president of security engineering CJ Moses, the chief culprits behind the rapid exploitation are thought to be China-nexus threat actors.

Moses cautioned that China’s habit of running shared, large-scale anonymisation infrastructure for multiple state-backed threat actors makes definitive attribution challenging. Nevertheless, following disclosure on Wednesday 3 December, groups tracked as Earth Lamia and Jackpot Panda were observed taking advantage of React2Shell.

“China continues to be the most prolific source of state-sponsored cyber threat activity, with threat actors routinely operationalising public exploits within hours or days of disclosure,” he wrote. “Through monitoring in our AWS MadPot honeypot infrastructure, Amazon threat intelligence teams have identified both known groups and previously untracked threat clusters attempting to exploit CVE-2025-55182.”

Earth Lamia is well-known for exploiting web application vulnerabilities against organisations primarily located in Latin America, the Middle East and Southeast Asia, with a particular focus on educational institutions, financial services organisations, government bodies, IT companies, logistics firms and retailers.

Jackpot Panda, according to AWS, targets its activity at entities in East and Southeast Asia, with its operations aligning to China’s goals relating to corruption and domestic security.

Massive attack

With reports suggesting there may be over 950,000 servers running vulnerable frameworks such as React and Next.js, Radware threat researchers warned of a massive potential attack surface.

React and Next.js are both well-used thanks to their efficiency and flexibility, while robust ecosystems make them a default choice for many developers – and as such they are found under the bonnet everywhere, from mobile apps and consumer-facing websites to enterprise-grade platforms, said Radware.

“This widespread reliance means a single critical flaw can have cascading consequences for a significant portion of modern web infrastructure,” the Radware team said. “A substantial number of applications across public and private clouds are immediately exploitable, necessitating urgent and widespread action.”

Michael Bell, founder and CEO of Suzu Labs, a penetration testing and AI security specialist, said that hours from disclosure to active exploitation by nation-state actors was the new normal, and matters would likely get worse.

“China-nexus groups have industrialised their vulnerability response: they monitor disclosures, grab public PoCs – even broken ones – and spray them at scale before most organisations have finished reading the advisory,” he said.

“AWS’s report showing attackers debugging exploits in real-time against honeypots demonstrates this isn’t automated scanning; it’s hands-on-keyboard operators racing to establish persistence before patches roll out,” said Bell. “With AI tools increasingly capable of parsing vulnerability disclosures and generating exploit code, expect the window between disclosure and weaponisation to shrink from hours to minutes.”

He added that the earlier Cloudflare outage in service of an emergency patch “tells you everything about the severity calculus here”.

Source

Forrester: The role of internal developer platforms in DevOps

DevOps adoption has been going on for a decade and shows no signs of slowing. In Forrester’s 2024 developer experience survey, 87% of developers indicated that their organisation had already adopted DevOps practices or planned to do so in the coming year.

But for many organisations, scaling their DevOps practice has been complicated, expensive and, in the end, insufficient in delivering the value leaders had expected. These organisations start with a grassroots approach to DevOps adoption, with each team self-selecting its toolchain, creating its best practices and infusing its institutional knowledge.

Forrester clients tell us this team-based approach breaks down at scale. It creates as many problems as it solves and does not deliver the results the C-suite was expecting.

For instance, bespoke toolchains create headaches. Organisations that took this approach are now saddled with too many unique toolchains, each requiring nurturing by the same developers who are supposed to be building customer-focused products. These toolchains also require unique automation, create trapped institutional knowledge, contribute to tool sprawl and limit any chance for volume DevOps tool pricing.

All these factors create headaches for IT leaders trying to reduce overheads while improving productivity and efficiency.

Many organisations now understand that improving the developer experience increases efficiency by removing impediments to the development process. High among those impediments is unnecessary context switching, which breaks the concentration of developers and decreases flow.

Disconnected automation tools, multiple systems of record and multiple platforms slow developers down by forcing them to play hopscotch with numerous tools. Without a common platform as the backbone, when developers change projects, they may go through entirely new onboarding procedures to get access to repositories and commit their first pull request.

The lack of standardised practices causes governance issues as well. Without a standard approach to software delivery, you end up with ad hoc governance implemented differently depending on the toolchain. This creates trust barriers between developers and enterprise governance teams, can add manual oversight and red tape that slows processes down, and works against efforts to improve productivity and efficiency at scale.

Another issue software developers face is that the traditional IT service catalogue is a heavyweight solution. Many organisations have had service portals for years, grounded in IT and enterprise service management practices and based on products such as ServiceNow, Atlassian’s Jira Service Management or BMC Helix.

These tools remain because they often serve non-technical users and may be leveraged by traditional infrastructure organisations for ticketed offerings. However, developers find ticket ops to be too slow and unresponsive, which is why a market emerged for dedicated internal developer platforms (IDPs).

A scaled platform for services

IDPs provide a framework for creating an IT platform where services can be defined, automated and exposed across the enterprise.

Examples of IT services that can be incorporated into an IDP include allocating a new piece of infrastructure, such as a new virtual machine, instantiating an automated continuous integration/continuous delivery (CI/CD) pipeline to build and deliver code, or creating the scaffolding for a new microservice project using organisational best practices.

IDPs facilitate management and access to service automations by providing a framework to manage and expose automation at scale.

IDPs can provide visibility into tools and frameworks. One feature of IDPs is scorecards, which provide information about both the technical and business performance of technologies. This helps developers make the right choice when faced with multiple frameworks, and also gives leaders insight into adoption.

New tool adoption becomes apparent to leadership, as does abandonment of older technologies, enabling leaders to deprecate and remove older components when it makes sense for the business.

At a high level, IDPs can serve a similar role to traditional platform as a service (PaaS) by providing an abstraction layer to IT infrastructure services. However, whereas many PaaS implementations have opaque abstraction layers, IDPs offer a transparent layer via service definition files that enable developers and infrastructure engineers to view, reuse and improve upon the underlying abstraction mechanisms.

Platform builders need to understand these differences to determine which abstraction model will serve their needs best.

The role of Backstage

Backstage, the IDP that Spotify donated to the Cloud Native Computing Foundation (CNCF), was one of the most downloaded apps from the CNCF in 2024. The topic of Backstage adoption garnered a full day of presentations and user stories at KubeCon 2024.

There are several reasons for its adoption. Spotify has a reputation for transformational engineering processes. Many organisations have adopted the now-famous Spotify model, featuring squads, tribes and guilds. Having Backstage reside in the CNCF ensures governance and a healthy community of contributors and adopters. A growing number of commercial DevOps tool suppliers support Backstage plug-ins. And most importantly, because it’s open source, Backstage is free for developers to download and try, further accelerating interest in platforms in general.

Many teams had assumed, or hoped, that Backstage was a ready-to-use platform, but soon became overwhelmed by its complexity. This has created an opportunity for commercial software providers to differentiate their offerings from Backstage. These commercial tools providers claim their products are easier to get started with, have a lower learning curve and offer technological advantages to Backstage, such as providing a service orchestration layer.

Spotify also offers Backstage as a paid commercial subscription that includes product support, additional plugins and no-code capabilities to help companies get started faster with greater confidence. Users see these commercial add-ons, such as Soundcheck (a plug-in that helps teams visualise quality, security and reliability checks on services), as value-adds.

Before committing to an IDP, Forrester recommends IT leaders build a compelling business case outlining which benefits the IDP will bring to the organisation and how it will measure these. Developing a comprehensive business plan will ensure alignment between the stakeholders funding the platform initiative and those responsible for its creation.

Forrester has found that nearly every IDP company and end user who has successfully built an IDP started small by building a proof of concept (PoC). The first implementation can take several weeks to months.

Forrester recommends that IT leaders first identify a team that is collaborative and sees the benefit of an IDP approach. Then, build the PoC around a few of the team members’ crucial needs while engaging with them for additional suggestions and even their own contributions to improve the IDP. This approach can be built upon and used as a springboard for other teams to continue to grow the IDP in a sustainable way.

This article is based on an excerpt of Forrester’s “Originated by Spotify, Backstage sparks a platform revolution” report. Andrew Cornwall is a senior analyst at Forrester.

10 Best 3D Printing Projects For Beginners

When you get a 3D printer, it can be overwhelming to figure out what you want to make. There are several designs you can discover online, and eventually, you can create your own using programs like SketchUp, CAD, or free apps like Blender, just to name a few. Creating these models is a much more advanced piece of 3D printing, and not everyone is ready to jump to this step immediately. You may also want to do some research to see what 3D printing accessories you can grab online. In the meantime, new printer owners should focus on finding simple projects and models that others have already created. All you have to do is upload the files to your printer to see the results.

For those starting with a 3D printer who haven’t completed many projects, we’ve gathered some of the best starter projects you can do for your first time. They’re nowhere near as complicated as 3D printing your own laptop. These projects aren’t too complex, and they have plenty of uses throughout your home to test the final product and see how sturdy they are after you’ve put in the work. This list shares 10 of the best 3D printing projects for beginners, along with some alternatives if you want to try different designs or models.

Measuring cups

Measuring cups are a reliable tool you can find in nearly every kitchen. They come in various sizes, and sometimes they’re not the best quality. When you’re starting your 3D printing adventure, measuring cups can be a great place to start. These cups are simple, small designs that don’t use up too much filament, and there are multiple choices available to fit your cooking and baking needs. If you want a design with a large imprint showing the type of measuring cup you grabbed, check out the models created by OogiMe on Thingiverse. They have the measuring cup size raised in the middle, making it easy to spot which one you’ve grabbed. The measuring cups in this set range from 1/4 cup to one cup.

For anyone who wants to start smaller and already has measuring cups, there’s a set of spoons and scoops you can use from Ty10y. You won’t have to use as much filament for these models. It’s a stackable set that you can break out when you need to make smaller, more precise measurements, like measuring flour for baking or adding oil before you begin cooking. These scoops range from a teaspoon to 1/3 of a cup.

Tablet / smartphone stand

Using your smartphone or tablet at your desk and workstation is a good way to multitask, but it helps to have a reliable stand to keep your device in place. For a starting 3D printer project, creating a smartphone stand is a simple project, and one you can use just about anywhere you prefer your device to be hands-free. One elegant model created by Deltaprints features a simple base with a mount on the back and a lip at the front to keep your smartphone in place. It’s a sleek, elegant design that looks professional in any workplace and doesn’t take up too much space. It’s a small stand that gets the job done, and would fit right in on our list of some of the coolest gadgets you never knew you needed.

An alternative option for those who use a tablet or a smartphone on their desk is this model by alex_3dprint. It’s a slightly larger design with a base and a hook that extends. This stand suspends your tablet or smartphone slightly above your desk. It is compatible with nearly any model, and it incorporates cord management slots and a small storage space. There’s more freedom for the device you want to use with it. Both models are single molds that take a few hours to print, so you won’t have to leave your printer on overnight to see the final product. You can have it on in the background throughout the day.

Chess set

You might have lost a few crucial parts of a game over the years, or you want to make your own, customized models to use when you have guests over. A 3D printer can let you print board game pieces for your favorite games. However, some of these pieces can be difficult to find proper models of online and even more challenging to create. For your first time making game pieces with your printer, go with something straightforward and intriguing, such as creating an entire chess set. These modern chess pieces made by Chris look familiar but with an interesting twist. They are single molds that won’t take too long to print individually, as they are relatively simple models. Creating the entire set takes time, but making individual pieces should be quick compared to other projects. Though the whole project takes 16 hours, it’s a far cry from incredible projects like this 3D printed building being constructed in Europe.

There are several alternative models you could try. There’s a more complex design from ParasitKegel, with chess pieces that are much more complicated in design. These are still single molds, but expect a longer print time for the entire set. For those who want to make their guests laugh when they break out the chess game, there are these pieces that look like cows from the FlyingPurple Cow. To get the most from the cow chess pieces, expect to spend time painting afterward, for the full effect.

Coat hanger hooks

Coat hanger hooks are great tools to have hung up throughout your home, making it easy to keep your clothing or other small items from taking up countertop or closet space while keeping them off the ground. Rather than going out to buy some, you can 3D print coat hanger hooks. These won’t be as intricate as the larger coat hangers you have in your closet. Instead, these are small enough that you might hang them on a wall or hook them underneath an existing coat hanger, giving you even more closet space. The coat hanger hook by Anubis MK is a good choice, as it allows coat hangers to hang on each other, stacking up to four for expanded storage options in the same amount of space. These are exceptionally simple, with a minimalist design, making them great for any beginner 3D printer.

For those who enjoy woodworking, there’s the coat hanger from Itsme. These five coat hangers slip through a wooden plank that you can hang on a wall, creating a DIY coat rack. The overall design of these coat hangers for a 3D printer is simple, and they slip right into a wooden base that you can place anywhere inside your home. Alternatively, for those who want more fun, with a slightly more complicated 3D model, there’s the Coo Coat Hanger from Jim Killie, which isn’t just adorable, but also ideal for placing in a cubicle to hold your stuff during the workday.

Storage boxes

Storage container boxes are a reliable way to organize everything in a closet, a tool chest, or, if they’re small enough, on your desk. For those who want storage boxes that stack on top of each other, the set created by Metikumi offers a wide range of choices. You’ll be able to find the box set that fits your preferences, and print it out to add to your desk or closet. They also have grid space for you to organize multiple items in a single container. You can also pick the model based on the rail grid type if you plan to put them inside a desk, but it’s entirely optional. Regardless of your choice, these boxes are a single print and come with a complete guide on the best printing practices if you want to learn more about your 3D printing hobby.

The stackable storage bins are a good starting point for any beginning 3D printer, but there are also the Gridfinity storage boxes from DatBuschi if you want to try something else. These are similarly simple designs, ideal for a desk, and capable of stacking on top of each other. There are multiple models to pick from, each with a different printing time. You can make as many as you want to hold your 3D-printed creations or to help keep a space organized.

Cable organizer

It’s easy for cables to get out of control at your desk, nightstand, or behind your televisions in a living room. Keeping them untangled can be a nightmare, and a good way to help manage it is with an organizer. These are simple devices you can attach to a wall or to your desk, depending on your setup. With your 3D printer, you can easily create one that fits the number of wires you want to manage and keeps them in a set place. TuTu designed a straightforward cable organizer that lets you slide your cables in and keep them in place. There’s a model you screw into a wall, and another with no screw holes if you’d rather it rest on your desk.

If you’d prefer to have a storage unit, we were able to track down a cable organizer box created by i6o6. There’s an option to print them with or without a bottom, and another that stacks them, keeping them in a single place. These boxes are a single mold, making them straightforward to print on any 3D printer. They come in small, medium, and large sizes. The practical, basic design of these cable storage boxes makes them ideal for those testing out their 3D printers, with the added bonus of addressing a need most of us have run into.

Bag clips

Clips are small, simple 3D-printed options you can use for many things, from hanging laundry to organizing cords to keeping snack bags closed so they stay fresher longer. These are great items that you can use for your 3D printer, and they won’t take too long to complete. When you’re looking for a straightforward design for snack bags or baking ingredients, try the mini bag clip from Fifindr. These only take 13 minutes to print, so you can knock out several in a single day with your printer. You have two models to choose from: a standard one and a larger, stronger one. It’s not printing an entire house in under 80 hours, but it’s a fine and rewarding way to carry on your 3D printing journey.

For a more traditional layout, there’s this chip bag clip from Butch Wise. These are slightly larger, with an extended handle at the end that you push on to open. There are three files you can choose from, all of which look the same. Finally, there’s a third bag clip option, which also comes from Fifindr. You’ll need to print out two different pieces. One piece slides into the other, pinching the bag top in between them. We recommend this model if you’ve tried the other two or are looking for a slightly more complicated 3D design to try out on your printer.

Funnel sets

A funnel is another helpful tool that you can use in your kitchen, laundry room, or garage. Having one or two of these simple devices somewhere in your home is always a good idea, and they are not too complicated for a 3D printer. You’ll find multiple funnel sets that you can download for your printer, and the screw-on funnel set from Fifindr is a reliable design, especially if you’d like to use it on plastic bottles. These funnels are a single mold, and the files come in three different sizes. Each has a bottle thread on the base, allowing you to secure them tightly and prevent any liquid from spilling. As a single mold, it should be straightforward for a 3D printer to develop, and it’ll take a few hours to finish.

Totalrepair made an alternative funnel design that you may want to consider. It comes with a single file and a small base, but it still features a screw thread, ideal for use on large containers. What makes it different is a small trench inside the funnel, which keeps the liquid inside and down a direct path. This model might be better suited for a garage, as it helps you avoid the risk of antifreeze, oil, or washer fluid getting on the ground or your clothing.

Pen holders

With 3D printing, desk organization can be a much more appealing concept as you’re able to create individual and unique bins for your workspace. It’s an effective way to save money, plus, many of the designs are relatively simple when you’re initially starting with a printer. There are several pen holder designs that you can track down, capable of holding your pens and other small tools that might clutter up your desk. There’s a large desk organization design from Meyui that comes with several inserts you can swap out, depending on what you need for your desk space. The complete set will take several hours to print, but you don’t have to print them all, as not every piece is required for the design to work.

For something with a smaller footprint, check out this pen holder model from dirk144347. They have a central tower with multiple storage spaces surrounding it for various items that you want to have on your desk. It’s a single design, but because of its size, expect it to take a little less than 24 hours. If you’d like an alternative and unique model, user Markury posted a small crab. It only holds one pen or pencil, but the adorable crab face will always be there to support you during your late-night projects.

Bottle opener

A bottle opener on your keychain or in your kitchen is a nice, simple tool you can use for many occasions, and it’s another straightforward design you can leave to your 3D printer. One option is to go with the small design with a keychain loop from DrLex. It has the traditional teeth out on the bottom of the front, giving you enough room on the handle to apply pressure and peel away the bottle cap. There’s also a small hole at the end of the handle where you slip a keychain loop, allowing you to carry it with your wallet or keys. You can expect this to take less than an hour to print.

If you’d like a slightly larger design that has more functionality, there’s the 3-in-1 Bottle Buddy from Minkas. You can use it on glass or plastic bottles, making it more versatile than the standard keychain. Although it is larger, don’t expect to wait too long before it’s done printing. It still only comes out as a single mold, making it easy to see if it works with the bottles you have in your house, or if you need to make any minor adjustments to the design’s size.

Methodology

When selecting the products we wanted to highlight for this list, we focused on ones that were not too complicated. Ideally, they were single molds that wouldn’t require too many fitting pieces, gluing, or additional construction after they came out of the 3D printer. We also wanted to ensure that many of the items would not take too long to print, and if they did take long, the finished design had to be simple. For example, the pen holder from Dirk144347 was a single, large design with multiple holes, and required almost a complete day, but was ready to use as soon as the printing process was complete.

With these requirements for printing items in mind, we also wanted to find practical projects and items that almost anyone could use. For those learning to use a 3D printer, getting use from it immediately is a great feeling. We wanted to make sure that those who are just starting out feel like it’s a hobby with tangible benefits. Nothing on this list is too complicated, and each item offers a way for someone brand new to get used to the process before they try out more difficult files and designs with their printer.

A Self-Driving Robot Snowblower Can Clear Your Driveway This Winter

We may receive a commission on purchases made from links.

If you are tired of shoveling snow off your driveway, there is a self-driving robot that can do that for you. Called the Yarbo Snow Blower, this robot has the ability to clear snow up to a height of 5 inches and can recharge itself, making your snow cleaning chores much easier.

The Yarbo Snow Blower costs a staggering $4,999. Unless you have that kind of money lying around, this product might not look appealing. Furthermore, anyone who lives in areas that don’t get a lot of snow or who has reliable residential snow plowing services likely won’t receive a big enough benefit to justify the cost. However, if you live where it snows heavily and frequently, and you often have to clean your own driveway and walkways, the Yarbo may be a great investment.

The Yarbo Snow Blower brings to mind similar yard-maintenance robots, such as watering tractors or the Ecovacs GOAT A3000 robotic lawn mower. Now you can have a robot to help you out in the wintertime, as well. While advertised performance and capabilities suggest you can rely on the Yarbo Snow Blower, and customer reviews back this up, given the price point, it’s worth fully understanding what you are getting and if it will be worth it.

How the snowblower works

As an autonomous device, the Yarbo Snow Blower offers self-driving snow-clearing capabilities. In light, 1-inch-deep snow, it’s capable of clearing out 6,000 square feet in a single charge. The robot blows the snow it drives over off to one side, easily removing it from driveways and walkways. While driverless cars may struggle in the snow, the Yarbo Snow Blower works on a variety of surfaces, including pavement, concrete, and gravel.

Each Yarbo Snow Blower revolves around a base module that weighs 77 pounds. Every purchase also includes a snow blower module with a 2-foot-wide intake, a battery, snow tracks, shovel, and a docking station. The module is designed to be versatile and work with other Yarbo products and accessories, including a snowplow blade and a lawnmower attachment.

The robot uses a lithium-ion battery and takes about an hour and a half to charge from 20% to 80% battery life. It’s capable of throwing the snow it clears up to a distance of 40 feet, ensuring you don’t have giant stacks of snow lining the edges of your driveway. Furthermore, the Yarbo’s camera helps it detect obstacles and avoid crashes, but the robot has protective bumpers just in case. While you can schedule the Yarbo to clear out the snow at certain times, the Yarbo app and weather forecasting capabilities let the robot choose when it thinks it’s best to clear the snow, streamlining the process.

What users say about the snowblower

The Yarbo Snow Blower Amazon product page boasts very positive reviews that sit at an average of 4.5 stars. Customers who enjoyed the product say it is “easy to assemble,” that its “autonomous operation is a true lifesaver,” and that it is “worth every penny.” Multiple reviews mention its sturdiness and durability. However, take these reviews with a grain of salt because only 27 customers reviewed the product, 24 of whom gave the device 5 stars.

A small number of reviews are downright negative, however. One customer thought the assembly was way too long and complicated, so they hired someone else to assemble it for them. Another said that the product did not arrive with its battery. The official Yarbo Snow Blower product page does say the device comes with a 30-day free return policy and 24/7 customer support, which could apply to and help fix these types of situations.

While the future of snow-clearing technology promises advancements such as phase-change concrete that can melt ice and snow, the Yarbo Snow Blower is available here and now. If you’re willing to spend some extra money, you can also add on varying levels of a protection plan. With the Yarbo Snow Blower, you may never have to lift a snow shovel again.

This Amazon Best Seller Is The Weirdest Car Cleaner You’ve

Keeping the inside of a vehicle clean isn’t always easy. Without even factoring in children or pets, the interior of an automobile can have a multitude of areas for dust, dirt, and debris to hide. Keeping every nook and cranny clean can be rather cumbersome, but a quirky item available on Amazon might just do the trick, even if it does look peculiar.

Right now, Amazon has the PULIDIKI Car Cleaning Putty on sale for $6.62, netting you a 26% savings off the typical $8.99 price tag. Even if the putty itself seems like it’s two parts weird, one part amusing, it’s currently an Amazon best seller and has rave reviews from customers. The amorphous putty clings to objects without separating, meaning it can seep into cracks and collect debris without leaving any bits of itself behind.

Even if the cleaning putty may look like something that eats people in a cheesy old horror movie, it can be helpful in eliminating dust from hard-to-reach areas. Additionally, it has some nice uses outside of a vehicle as well, making it a worthy addition to our list of accessories under $20 for office workers. With that in mind, this can be a solid choice for yourself or it can make a good stocking stuffer or Secret Santa gift.

Keep your car clean with the PULIDIKI Car Cleaning Putty

A good deal on something that’s actually handy can be hard to beat. Just like finding something useful for the office at Dollar Tree, it can be a nice feeling to find something that actually serves a purpose without overspending. Though it may look incredibly strange, the PULIDIKI Car Cleaning Putty fits the bill, and the deal currently going on over at Amazon is worth checking out.

The PULIDIKI Car Cleaning Putty is composed of an eco-friendly material, and it’s safe for vehicles, meaning it can grab dust and debris from air vents and corners without causing damage. It can also be used for cleaning a keyboard in an office, but the company notes not to use it on cellphone screens or computer monitors, and there are safer ways to remove dust from certain electronics, anyway.

Currently a #1 Best Seller on Amazon in the Automotive category, over 100,000 have been sold in the past month, and the product also has a 4.1-star rating out of five with over 96,800 reviews. Folks appreciate the Car Cleaning Putty’s ease of use, longevity, and its effectiveness at cleaning the small corners of a vehicle. However, at least one user notes that the substance can leave a greasy feeling on your hands and recommends using a rag. Nonetheless, this can be a solid go-to for keeping in your car, but remember to store it in a cool, dry place.

Source

Posted on

SBB undertakes Europe’s first major railway with IMS, VoLTE comms

Looking to bridge and eventually transcend the world of traditional mobile networks with IP communications infrastructures ahead of the shutdown of 3G services in the country, leading Swiss national railway operator Schweizerische Bundesbahnen (SBB) has delivered what is claimed to be Europe’s first live integration of legacy railway communications system GSM-R with an advanced IP Multimedia Subsystem (IMS) platform with voice over LTE (VoLTE) service using Ericsson technology.

With the mission statement of connecting Switzerland, and with 35,500 employees, SBB transports over 1,410,000 people and 170,000 tonnes of freight to their destinations every day. It also operates the mobile network for all Swiss railways on the standard gauge network.

For years, voice roaming for Swiss rail communication relied on telco Swisscom’s public 3G network in areas where GSM-R coverage was not available. GSM-R is the current standard for secure, reliable railway communications, supporting essential voice and data for train control and operations.

With Swisscom’s decision to decommission its 3G services, Swiss railway operators faced an urgent need to modernise. Expanding the old GSM-R system was one option, but SBB engaged Ericsson to deliver a platform based on IMS and VoLTE, bridging GSM-R rail-specific functions with modern mobile and fixed telephony systems.

The infrastructure upgrade is intended to ensure uninterrupted, nationwide railway communication for Switzerland’s 3,100km rail network ahead of the planned decommissioning of Swisscom’s 3G services by the end of 2025. Furthermore, onboard 4G service upgrades have been implemented for about 1,000 trains, in a move that Ericsson says no less than redefines connectivity and reliability for SBB’s railway operations.

Said to offer resilience and innovation, the new system ensures continuous end-to-end rail communication, setting benchmarks for railway operators across Europe facing legacy telecom shutdowns.

In addition, the deployment strategy aimed to prioritise zero service interruptions and robust safety compliance. Key features of the IMS implementation included IMS-GSM-R interworking, GSM-R numbering adaptation and mandatory safety-critical functions such as emergency stop calls.

The IMS/VoLTE integration progressed through a number of key testing phases: platform deployment was initiated in June 2023; the first end-to-end VoLTE-to-GSM-R calls were successfully completed in early 2024; field tests across pilot trains, certified by Switzerland’s Federal Office of Transport, took place in January 2025; and nationwide go-live of the system occurred in April 2025, ahead of schedule. The infrastructure is currently in operation with approximately 450 trains and 1,000 operational devices using VoLTE technology with zero downtime.

Ericsson says the live IMS/VoLTE platform guarantees high-performance rail communication with scalable, modernised dispatcher telephony, reducing the risks and limitations of the legacy infrastructure. Key rail-specific functions – including EIRENE (European Integrated Railway Radio Enhanced Network) functional numbering, emergency stop calls, group calls and onboard announcements – have been preserved.

By enabling 4G/5G, Switzerland’s railway network is credited with avoiding service interruptions from the 3G shutdown while laying the groundwork for upcoming 5G-based Future Railway Mobile Communication System innovations. Migrations to date are said to have proceeded smoothly, supported by training provided to SBB’s operational teams.

While the full migration of train fleet communications and smartphone operations continues towards its December 2025 completion, the collaboration is said to have paved the way for future enhancements. Insights gained during this project will guide improvements in strategies for similar railway transformations globally.

Source

Posted on

UK altnet market ‘entering its most dangerous phase yet’

Even though the footprint of the UK’s alternative broadband providers (altnets) has doubled in less than two years, the sector is now moving from expansion to survival, with several operators facing commercial pressure that could trigger an expected consolidation wave, a study from Intelligens Consulting has found.

The State of the UK fibre market 2025 report revealed that the UK broadband market is on the brink of its biggest shakeout yet, as the industry shifts from rapid expansion to targeted, commercially grounded fibre investment.

Intelligens Consulting said the altnet sector had quietly doubled in under two years. Indeed, when it published its 2024 update, UK altnets had passed just over 8.6 million premises. By late 2025, that figure has grown to around 16 million, which the analyst described as “an extraordinary” increase delivered despite rising costs, slowing build rates and investor caution.

Altnets now account for around 57% of all UK fibre-to-the-premises (FTTP) deployments, according to the study, with three firms – CityFibre, Netomnia and nexfibre – anchoring the independent fibre sector and driving the majority of new coverage. In addition, several operators have moved significantly up or down the rankings over the past year, with Lightspeed, F&W Networks and G.Network dropping out of the top 10, replaced by nexfibre, FullFibre/Zzoomm, Trooli and Freedom Fibre (including VXFibre).

Yet even with the rapid growth in altnet footprint and sector investment surging to £21.3bn, defying predictions of a slowdown, the study flagged several signs that the roll-out momentum is slowing, with take-up rates varying from 4% to almost 50%. This sparked concerns over the long-term viability of several operators, according to Intelligens Consulting.

The study found that the UK now sits at an average 2.44 fibre networks per household, raising fresh questions about overbuild, competition and sustainability. The report showed UK broadband leader Openreach was now passing 1.1 million premises per quarter, with take-up exceeding 50% in older cohorts, further squeezing altnet competitiveness. At the same time, nexfibre’s rise from nowhere to become a top-three builder in just 12 months was said to have intensified competitive pressure and reshaped the national roll-out map.

These changes are regarded in the study as reflecting the stronger capital positions, faster build momentum and more decisive strategies of the rising operators. And while predictions of a merger wave have persisted for years, outside a handful of transactions, such as CityFibre acquiring Connexin, the market remains fragmented. Most operators are still pursuing independent strategies, although several face growing financial pressure and are pursuing crowdfunding solutions instead. The analyst suggested that while decisions may finally be forced in 2026, for now, the sector remains unconsolidated.

Commenting on the report, Intelligens Consulting managing partner Iqbal Singh Bedi said the altnet industry had arrived at a “make-or-break moment” for the UK fibre industry as a whole.

“The market has never been bigger – or more fragile,” he said. “Some operators are winning with strong brands and 30-50% take-up. Others are stuck in single-digit traction. 2026 will be a make-or-break year. Those who fail to differentiate, partner smartly, or rethink their commercial strategy will not survive.”

Looking forward, the study noted that one of the most striking findings was the role local authorities will play in the next phase of growth. Indeed, local authorities were cited as being critical to survival for companies. “We’re now past the land-grab era,” said Bedi. “Sustainable growth will come from smarter, place-based partnerships. Councils and operators must collaborate to reduce build risk, accelerate take-up and align fibre with smart place ambitions.”

In conclusion, the research said altnet survival will now depend on take-up, operational efficiency and commercial discipline, and not sheer roll-out volume. The long-expected consolidation will likely begin with those whose take-up, funding or strategy lags the market’s direction of travel. The likely winners will be those that build where it matters, invest where returns can be realised and collaborate where value can be unlocked. 

Source

Posted on

4 Electronics You Should Only Buy From Amazon

We may receive a commission on purchases made from links.

Purchasing electronics online requires shopping blind at times, which can make the purchase process uncomfortable when it comes time to check out. Big-ticket items like televisions and laptops may warrant some in-person use before making a long-term commitment, and even less-expensive electronics are worth researching prior to making a purchase. Of course, just about every online electronics retailer will provide you with all the stats and specs you’ll want to know for various pieces of tech, but shopping for electronics at Amazon comes with some additional benefits.

Free shipping isn’t exclusive to Amazon, but if you’re an Amazon Prime Member you can almost always count on free fast shipping. At no additional cost to Prime Members, two-day, overnight, and even same-day shipping are speedy options available on many Amazon products. Amazon’s return policy is also favorable. Many items are available to return for up to 365 days, which gives you a chance to test the product before committing to it. And while Amazon makes the delivery and return process one of its major pros over other online retailers, its deep inventory and wide range of electronics offers far more convenience than the traffic, noise, and sometimes unhelpful staff attached to brick-and-mortar retailers.

Smart TVs

Whether you’re looking for a small television to fill out a corner space or a much larger television (perhaps even a 116-inch model) for your own in-home theater experience, Amazon is a great place to purchase your next smart TV. It carries models made by some of the most reliable TV brands, including widely recognized names like Sony, LG, Samsung, and Hisense. You’ll also be able to find TVs that range in size from under 32 inches to more than 70 inches.

But Amazon also has its own lineup of smart TVs, the Amazon Fire TV. The Fire TV lineup helps Amazon stand out among other retailers. The TVs offer tremendous value at their regular prices, and they frequently see discounts exclusive to Amazon shoppers. Deals on Fire TVs are available to shop throughout the year, and during the holidays and major sales events Amazon is known to drop Fire TVs to their lowest prices ever.

The inclusion of free shipping on a large piece of tech like a TV is a nice throw-in, but for Prime Members it also means you could have a new TV up and running within a day or two. Amazon’s return policy also makes the online purchase of a TV more convenient, as it gives you a chance to test out the TV and return it at no cost if it’s not the right size or otherwise is the wrong fit for you.

Kindles

The Amazon Kindle is one of the most recognized names among dedicated e-readers. The entry-level model starts at just $110, while more premium options like the Kindle Paperwhite and Kindle Colorsoft are also available. One thing that sets Kindle devices apart from tablets is the lineup’s e-ink display technology, which is intended to eliminate eye strain during long reading sessions. In fact, the entire Kindle experience is designed to mimic the experience of reading a physical book — and through the Amazon Kindle Store, readers will get access to millions of e-books.

Because Amazon is the manufacturer of Kindles, it’s the natural place to turn to when purchasing one. The retailer discounts each of its Kindle models throughout the year, with massive discounts often available on Prime Day and during major annual sales events. But in many regards you could look at the entire Kindle lineup as always on sale when you shop at Amazon, as a 20% discount is included if you have an eligible device to trade-in. Amazon’s standard return policy applies to Kindles, meaning you can try one out for 30 days and return it with no additional charge.

Laptops

As electronics go, laptops are a somewhat high-stakes purchase. Because a new laptop can get quite expensive, it’s the kind of device that’s meant to be used for several years before needing replacement. If you’re shopping on a budget, Amazon has a wide range of well-reviewed Chromebooks to choose from, sometimes offering discounts on models from top brands such as ASUS, HP, and Acer. More powerful laptop options are also available at Amazon, with brands like Dell, Lenovo, Samsung, and Microsoft always in the mix.

But Amazon is also a great place to shop for Apple laptops. Apple doesn’t often discount its products through its own online store, but Amazon frequently drops the price of the MacBook Air. The base model regularly goes for $999, but you can find it on Amazon for as low as $799 at various points throughout the year. Even more powerful MacBook options, such as the new MacBook Pro M5, show up on Amazon with a price drop from time to time. Most laptops you’ll find on Amazon are subject to its standard 30-day return policy, though Apple products have a shorter 15-day return window.

Amazon Basics electronics

Despite the convenience and cost-effectiveness of shopping for larger and more expensive products at Amazon, where the retail giant can really stand out is with everyday electronics. Amazon Basics is its private-label inventory lineup. Through it, Amazon offers a wide range of products that are often cheaper than those of its competitors, and electronics is one category that showcases the brand’s extensive and inexpensive assortment.

These are the kinds of products you may simply tuck away in utility drawers, but there’s also plenty to choose from that can be put to immediate use. Amazon Basics offers eight-packs of rechargeable AA batteries for about $12, for example, and everything from AAA to 9-volt alkaline batteries are available as well. HDMI cables, power strips, smartphone tripods, smart light bulbs, cordless drills, battery chargers, and smart trackers are just some of the other everyday electronics Amazon Basics sells at affordable prices.

Source

Posted on

How police live facial recognition subtly reconfigures suspicion

Police use of live facial recognition (LFR) technology reconfigures suspicion in subtle yet important ways, undermining so-called human-in-the-loop safeguards.

Despite the long-standing controversies surrounding police use of LFR, the technology is now used in the UK to scan millions of people’s faces every year. While initial deployments were sparse, happening only every few months, they are now run-of-the-mill, with facial recognition-linked cameras regularly deployed to events and busy areas in places like London and Cardiff.

Given the potential for erroneous alerts, police forces deploying the technology claim that a human will always make the final decision over whether to engage someone flagged by an LFR system. This measure is intended to ensure accuracy and reduce the potential of unnecessary police interactions.

However, a growing body of research highlighting the socio-technical nature of LFR systems suggests the technology is undermining these human-in-the-loop safeguards, by essentially reshaping (and reinforcing) police perceptions of who is deemed suspicious and how police interact with them on the street as a result.

A growing body of research

According to one paper from March 2021 – written by sociologists Pete Fussey, Bethan Davies and Martin Innes – the use of LFR “constitutes a socio-technical assemblage that both shapes police practices yet is also profoundly shaped by forms of police suspicion and discretion”.

The authors argue that while under current police powers, officers recognising someone may constitute grounds for a stop and search, this changes when LFR is inserted into the process, because the “initial recognition” does not result from an officer exercising discretion.

“Instead, officers act more akin to intermediaries, interpreting and then acting upon a (computer-instigated) suggestion originating outside of, and prior to, their own intuition,” the sociologists wrote. “The technology thus performs a framing and priming role in how suspicion is generated.”

More recently, academics Karen Yeung and Wenlong Li argued in a September 2025 research paper that, given the potential for erroneous matches, the mere generation of an LFR match alert is not in itself enough to constitute “reasonable suspicion”, which UK police are required to demonstrate to legally stop and detain people.

“Although police officers in England and Wales are entitled to stop individuals and ask them questions about who they are and what they are doing, individuals are not obliged to answer these questions in the absence of reasonable suspicion that they have been involved in the commission of a crime,” they wrote.

“Accordingly, any initial attempt by police officers to stop and question an individual whose face is matched to the watchlist must be undertaken on the basis that the individual is not legally obliged to cooperate for that reason alone.”

Despite being legally required to have reasonable suspicion, a July 2019 paper from the Human Rights, Big Data & Technology Project based at the University of Essex Human Rights Centre, which marked the first independent review into trials of LFR technology by the Metropolitan Police, observed a discernible “presumption to intervene” among police officers using the technology.

According to authors Fussey and Daragh Murray, who is a reader in international law and human rights at Queen Mary’s School of Law, this means the officers involved tended to act on the outcomes of the system and engage individuals that it said matched the watchlist in use, even when they did not.

As a form of automation bias, the “presumption to intervene” is important in a socio-technical sense, because in practice it risks opening up random members of the public to unwarranted or unnecessary police interactions.

Priming suspicion

Although Yeung and Li noted that individuals are not legally obliged to cooperate with police in the absence of reasonable suspicion, there have been instances where failing to comply with officers after an LFR alert has affected people negatively.

In February 2025, for example, anti-knife crime campaigner Shaun Thompson, who was returning home from a volunteer shift in Croydon with the Street Fathers youth outreach group, was stopped by officers after being wrongly identified as a suspect by the Met’s LFR system.

Thompson was then held for almost 30 minutes by officers, who repeatedly demanded scans of his fingerprints and threatened him with arrest, despite being provided with multiple identity documents showing he was not the individual on the database.

Thompson has publicly described the system as “stop and search on steroids” and said it felt like he was being treated as “guilty until proven innocent”. Following the incident, Thompson launched a judicial review into the Met’s use of LFR to stop others ending up in similar situations, which is due to be heard in January 2026.

Even when no alert has been generated, there are instances where the use of LFR has prompted negative interactions between citizens and the police.

During the Met’s February 2019 deployment in Romford, for example, Computer Weekly was present when two members of the public were stopped for covering their faces near the LFR van because they did not want their biometric information to be processed.

Writing to the Lords Justice and Home Affairs Committee (JHAC) in September 2021 as part of its investigation into policing algorithms, Fussey, Murray and criminologist Amy Stevens noted that while most surveillance in the UK is designed to target individuals once a certain threshold of suspicion has been reached, LFR inverts this by considering everyone that passes through the camera’s gaze as suspicious in the first instance.

This means although people can be subsequently eliminated from police inquiries, the technology itself affects how officers see suspicion, by essentially “priming” them to engage with people flagged by the system. 

“Any potential tendency to defer or over-rely on automated outputs over other available information has the ability to transform what is still considered to be a human-led decision to de facto an automated one,” they wrote.

“Robust monitoring should therefore be in place to provide an understanding of the level of deference to tools intended as advisory, and how often and in which circumstances human users make an alternative decision to the one advised by the tool.”

Watchlist creation and bureaucratic suspicion

A key aspect mediating the relationship between LFR and the concept of “reasonable suspicion” is the creation of watchlists.

Socio-technically, researchers investigating LFR use by police have expressed a number of concerns around watchlist creation, including how it “structures the police gaze” to focus on particular people and social groups.

In their 2021 paper, for example, Fussey, Davies and Innes noted that creating watchlists from police-held custody images naturally means police attention will be targeted toward “the usual suspects”, inducing “a technologically framed bureaucratic suspicion in digital policing”.

This means that, rather than linking specific evidence from a crime to a particular individual (known as ‘incidental suspicion’), LFR instead relies on the use of general, standardised criteria (such as a person’s prior police record or location) to identify potential suspects, which is known in sociology as “bureaucratic suspicion”.

“Individuals listed on watchlists and databases are cast as warranting suspicion, and the AFR [automated facial recognition] surveillant gaze is specifically oriented towards them,” they wrote.

“But, in so doing, the social biases of police activity that disproportionately focuses on young people and members of African Caribbean and other minority ethnic groups (inter alia The Lammy Review 2017) are further inflected by alleged technological biases deriving from how technical accuracy recedes for subjects who are older, female and for some people of colour.”

Others have also raised separate concerns about the vague criteria around watchlist creation and the importance of needing “quality” data to feed into the system.

Yeung and Li, for example, have highlighted “unresolved questions” about the legality of watchlist composition, including the “significance and seriousness” of the underlying offence used to justify a person’s inclusion, and the “legitimacy of the reason why that person is ‘wanted’ by the police” in the first place.

As an example, while police repeatedly claim that LFR is being used solely on the most serious or violent offenders, watchlists regularly contain images of people for drug, shoplifting or traffic offences, which legally do not meet this definition.

Writing in their September 2025 paper, Yeung and Li also noted that while the Met’s watchlists were populated by individuals wanted on outstanding arrest warrants, they also included “images of a much broader, amorphous category of persons” who did not meet the definition of serious offenders.

This included “individuals not allowed to attend the Notting Hill Carnival”, “individuals whose attendance would pose a risk to the security and safety of the event”, “wanted missing” individuals and children, and even individuals who “present a risk of harm to themselves and to others” and those who “may be at risk or vulnerable”.

In December 2023, senior officers from the Met and South Wales Police confirmed that LFR operates on a “bureaucratic suspicion” model, telling a Lords committee that facial recognition watchlist image selection is based on generic crime categories attached to people’s photos, rather than a context-specific assessment of the threat presented by a given individual.

The Met Police’s then-director of intelligence, Lindsey Chiswick, further told Lords that whether or not something is “serious” depends on the context, and that, for example, retailers suffering from prolific shoplifting would be “serious for them”.

While the vague and amorphous nature of police LFR watchlist creation has been highlighted by other academics – including Fussey et al, who argued that “broad categories offer significant latitude for interpretation, creating a space for officer discretion with regards to who was enrolled and excluded from such databases” – the issue has also been highlighted by the courts.

In August 2020, for example, the Court of Appeal ruled that the use of LFR by South Wales Police was unlawful, in part because the vagueness of the watchlist criteria – which used “other persons where intelligence is required” as an inclusion category – left excessive discretion in the hands of the police.

“It is not clear who can be placed on the watchlist, nor is it clear that there are any criteria for determining where AFR can be deployed,” said the judgment, adding that, “in effect, it could cover anyone who is of interest to the police.”

During the December 2023 Lords session, watchlist size was also highlighted by Yeung – who was called to give evidence given her expertise – as an important socio-technical factor.

“There is a divergence between the claims that they only put pictures of those wanted for serious crimes on the watchlist, and the fact that in the Oxford Circus deployment alone, there were over 9,700 images,” she said.

Unlawful custody images retention

Further underpinning concerns about the socio-technical impacts of watchlist creation, there are ongoing issues with the unlawful retention of custody images in the Police National Database (PND). This represents the primary source of images used to populate police watchlists.

In 2012, a High Court ruling found the retention of custody images in the PND to be unlawful on the basis that information about unconvicted people was being treated in the same way as information about people who were ultimately convicted, and that the six-year retention period was disproportionate.

Despite the 2012 ruling, millions of custody images are still being unlawfully retained.

Writing to other chief constables to outline some of the issues around custody image retention in February 2022, the National Police Chiefs Council (NPCC) lead for records management, Lee Freeman, said the potentially unlawful retention of an estimated 19 million images “poses a significant risk in terms of potential litigation, police legitimacy, and wider support and challenge in our use of these images for technologies such as facial recognition”.

In November 2023, the NPCC confirmed to Computer Weekly that it had launched a programme that would seek to establish a management regime for custody images, alongside a review of all currently held data by police forces in the UK.

The issue was again flagged by the biometric commissioner of England and Wales, Tony Eastaugh, in December 2024, when he noted in his annual report that “forces continue to retain and use images of people who, while having been arrested, have never subsequently been charged or summonsed”.

Eastaugh added that while work was already “underway” to ensure the retention of images is proportionate and lawful, “the use of custody images of unconvicted individuals may include for facial recognition purposes”.

Source

Posted on

NCSC warns of confusion over true nature of AI prompt

The UK’s National Cyber Security Centre (NCSC) has highlighted a potentially dangerous misunderstanding surrounding emergent prompt injection attacks against generative artificial intelligence (GenAI) applications, warning that many users are comparing them to more classical structured query language (SQL) injection attacks, and in doing so, putting their IT systems at risk of compromise.

While they share similar terminology, prompt injection attacks are categorically not the same as SQL injection attacks, said the NCSC in an advisory blog published on 8 December. Indeed, said the GCHQ-backed agency, prompt injection attacks may be much worse, and harder to counteract.

“Contrary to first impressions, prompt injection attacks against generative artificial intelligence applications may never be totally mitigated in the way SQL injection attacks can be,” wrote the NCSC’s research team.

In their most basic form, prompt injection attacks are cyber attacks against large language models (LLMs) in which threat actors take advantage of the ability of such models to respond to natural language queries and manipulate them into producing undesirable outcomes – for example, leaking confidential data, creating disinformation, or potentially guiding the creation of malicious phishing emails or malware.

SQL injection attacks, on the other hand, exploit a class of vulnerability that enables threat actors to tamper with an application’s database queries by inserting their own SQL code into an input field, giving them the ability to execute malicious commands to, for example, steal or destroy data, conduct denial of service (DoS) attacks and, in some cases, even achieve arbitrary code execution.

SQL injection attacks have been around for a long time and are very well understood. They are also relatively simple to address, with most mitigations enforcing a separation between instructions and data. The use of parameterised queries in SQL, for example, means that whatever the input may be, the database engine receives it as a bound value and cannot interpret it as part of the statement.

While prompt injection is conceptually similar, the NCSC believes defenders may be at risk of slipping up because LLMs are not able to distinguish between what is an instruction and what is data.

“When you provide an LLM prompt, it doesn’t understand the text in the way a person does. It is simply predicting the most likely next token from the text so far,” explained the NCSC team.

“As there is no inherent distinction between ‘data’ and ‘instruction’, it’s very possible that prompt injection attacks may never be totally mitigated in the way that SQL injection attacks can be.”

The agency is warning that unless this spreading misconception is addressed in short order, organisations risk becoming data breach victims at a scale unseen since SQL injection attacks were widespread 10 to 15 years ago, and probably exceeding that.

It further warned that many attempts to mitigate prompt injection – although well-intentioned – in reality do little more than try to overlay the concepts of instructions and data on a technology that can’t tell them apart.

Should we stop using LLMs?

Most objective authorities on the subject concur that the only way to avoid prompt injection attacks is to stop using LLMs altogether, but since that is no longer realistic, the NCSC is calling for efforts to turn to reducing the risk and impact of prompt injection within the AI supply chain.

It called for AI system designers, builders and operators to acknowledge that LLM systems are “inherently confusable” and account for manageable variables during the design and build process.

It laid out four steps that, taken together, may help alleviate some of the risks associated with prompt injection attacks.

  1. First, and most fundamentally, developers building LLMs need to be aware of prompt injection as an attack vector, as it is not yet well-understood. Awareness also needs to be spread across organisations adopting or working with LLMs, while security professionals and risk owners need to incorporate prompt injection attacks in their risk management strategies.
  2. It goes without saying that LLMs should be secure by design, but particular attention should be paid to hammering home the fact that LLMs are inherently confusable, especially if systems are calling tools or using application programming interfaces (APIs) based on their output. A securely designed LLM system should focus on deterministic safeguards to constrain an LLM’s actions rather than just trying to stop malicious content from reaching it. The NCSC also highlighted the need to apply the principle of least privilege to LLMs – they cannot have any more privileges than the party or parties interacting with them have.
  3. It is possible to make it somewhat harder for LLMs to act on instructions that may be included within data fed to them. Researchers at Microsoft, for example, found that using different techniques to mark data as separate from instructions can make prompt injection harder. However, at the same time it is important to be wary of approaches such as deny-listing or blocking phrases such as “ignoring previous instructions, do Y”, which are completely ineffective because there are so many possible ways for a human to rephrase that prompt, and to be extremely sceptical of any technology supplier that claims it can stop prompt injection outright.
  4. Finally, as part of the design process, organisations should understand both how their LLMs might be corrupted and the goals an attacker might try to achieve, and what normal operations look like. This means organisations should be logging plenty of data – up to and even including saving the full input and output of the LLM – and any tool use or API calls. Live monitoring to respond to failed tool or API calls is essential, as detecting these could, said the NCSC, be a sign that a threat actor is honing their cyber attack.
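Steps 2 and 4 above, combined in one added example (not code from the article or the NCSC): a deterministic guard that sits between the model’s proposed tool call and the tool itself. It allows only tools in a fixed registry, refuses any tool whose required privilege the calling user does not hold (so the model never exceeds the user’s rights), checks the argument schema, logs every decision, and raises an alert once denied calls pass a threshold. The tool registry, privilege names, tool-call format and threshold are all assumptions made for this illustration.

```python
import json
import logging
from dataclasses import dataclass, field

# Hypothetical tool registry (constructed for this example). Each tool names the
# privilege the *user* must hold; the LLM inherits nothing beyond that.
TOOLS = {
    "search_docs":   {"privilege": "read",  "args": {"query": str}},
    "send_email":    {"privilege": "send",  "args": {"to": str, "body": str}},
    "delete_record": {"privilege": "admin", "args": {"record_id": int}},
}

@dataclass
class ToolGuard:
    user_privileges: set            # privileges of the human behind this session
    alert_threshold: int = 3        # assumed: denied calls before raising an alert
    failed: int = 0
    log: list = field(default_factory=list)   # full record of every decision (step 4)

    def handle(self, model_output: str) -> tuple:
        """Deterministically validate a model-proposed tool call before anything runs.
        Returns (allowed, reason). The model's text is never trusted as an instruction;
        only a call that matches the registry and the user's privileges is allowed."""
        try:
            call = json.loads(model_output)
            name = call["tool"]
            args = call.get("args", {})
            if not isinstance(args, dict):
                raise TypeError("args must be an object")
        except (ValueError, KeyError, TypeError):
            return self._deny("unparseable tool call", model_output)
        spec = TOOLS.get(name)
        if spec is None:
            return self._deny(f"unknown tool {name!r}", model_output)
        if spec["privilege"] not in self.user_privileges:
            return self._deny(f"user lacks {spec['privilege']!r} for {name!r}", model_output)
        if set(args) != set(spec["args"]) or any(
                not isinstance(args[k], t) for k, t in spec["args"].items()):
            return self._deny(f"argument schema mismatch for {name!r}", model_output)
        self.log.append({"decision": "allow", "tool": name, "args": args})
        return True, "ok"

    def _deny(self, reason: str, raw: str) -> tuple:
        self.failed += 1
        self.log.append({"decision": "deny", "reason": reason, "raw": raw})
        if self.alert():   # repeated failed calls are the signal the NCSC says to watch
            logging.warning("ALERT: %d denied tool calls; possible prompt injection", self.failed)
        return False, reason

    def alert(self) -> bool:
        return self.failed >= self.alert_threshold
```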
