<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: ricco020</title>
    <description>The latest articles on DEV Community by ricco020 (@ricco020).</description>
    <link>https://dev.to/ricco020</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3960216%2Fbc01eb94-de65-41c2-9767-966a157976ae.jpeg</url>
      <title>DEV Community: ricco020</title>
      <link>https://dev.to/ricco020</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/ricco020"/>
    <language>en</language>
    <item>
      <title>What is an API? A clear, practical explainer</title>
      <dc:creator>ricco020</dc:creator>
      <pubDate>Wed, 24 Jun 2026 12:25:36 +0000</pubDate>
      <link>https://dev.to/ricco020/what-is-an-api-a-clear-practical-explainer-4mkh</link>
      <guid>https://dev.to/ricco020/what-is-an-api-a-clear-practical-explainer-4mkh</guid>
      <description>&lt;p&gt;An API (Application Programming Interface) is a contract that lets one piece of software ask another for data or actions, without knowing how it works inside. What an API is, how a request and response work, the common styles like REST and GraphQL, and why developers build on them.&lt;/p&gt;

&lt;p&gt;An API — short for Application Programming Interface — is a set of rules that lets one program talk to another. It defines how you ask for data or an action, what you have to send, and what you get back, so two pieces of software can work together without either one knowing how the other is built inside. It is the contract between them.&lt;/p&gt;

&lt;p&gt;A common analogy is a restaurant menu. The menu lists what you can order and what each dish costs, you place an order, and the kitchen prepares it — but you never need to see the kitchen or know how the cooking is done. An API is that menu for software: it tells you what you can request and how, and hides everything behind it.&lt;/p&gt;

&lt;p&gt;More precisely, an API exposes a set of operations a service is willing to perform. A weather service might offer an operation that returns the forecast for a city; a payment service might offer one that charges a card. You call the operation with the inputs it expects, and the service does the work and hands back a result. The internals stay private and can change freely, as long as the contract holds.&lt;/p&gt;

&lt;p&gt;On the web, most APIs work over the same protocol as web pages: HTTP. Your program sends a request to a URL called an endpoint, usually with a method that signals intent — GET to read data, POST to create it, PUT or PATCH to update, DELETE to remove. The request can carry parameters and a body; the server processes it and sends back a response.&lt;/p&gt;

&lt;p&gt;That response has two important parts: a status code and a payload. The status code is a short number that says how it went — 200 means success, 404 means the thing was not found, 500 means the server hit an error. The payload is the data itself, today almost always formatted as JSON, a lightweight text format that is easy for programs to read and write.&lt;/p&gt;

&lt;p&gt;APIs come in a few common styles. REST is the most widespread: it organises everything around resources addressed by URLs and leans on the standard HTTP methods. GraphQL takes a different approach, letting the client ask for exactly the fields it needs in a single query, which avoids over-fetching. Older systems may use SOAP, and real-time apps often add WebSockets for a continuous two-way connection.&lt;/p&gt;

&lt;p&gt;Many APIs are protected, because they expose real data and actions. Authentication proves who is calling — often with an API key or a token such as OAuth — and rate limiting caps how many requests a caller can make in a window, so one client cannot overwhelm the service. Public APIs publish documentation describing every endpoint, its inputs, and its responses.&lt;/p&gt;

&lt;p&gt;Developers rely on APIs because they let you build on top of existing services instead of reinventing them. You can add maps, payments, email, login, or AI to an app by calling someone else’s API. They also let large systems split into smaller services that talk to each other, and they are how a mobile app or single-page front end fetches data from a backend.&lt;/p&gt;

&lt;p&gt;Developers rely on APIs because they let you build on top of existing services instead of reinventing them. You can add maps, payments, email, login, or AI to an app by calling someone else’s API. They also let large systems split into smaller services that talk to each other, and they are how a mobile app or single-page front end fetches data from a backend.&lt;/p&gt;

&lt;p&gt;Finally, an API has to run somewhere. The service behind it — the backend that receives requests and returns responses — needs a reliable, always-on server. For your own APIs, that means a host you control: a VPS or cloud server where the backend stays up and reachable. A solid host is the foundation the whole interface sits on.&lt;/p&gt;

&lt;p&gt;Self-hosting needs a reliable home with full runtime and network control. Infomaniak — a Swiss, privacy-respecting provider — offers VPS and cloud servers to host your CMS or app.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Originally published on &lt;a href="https://versiondude.net/articles/what-is-an-api" rel="noopener noreferrer"&gt;versiondude.net&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>api</category>
      <category>webdev</category>
      <category>beginners</category>
      <category>programming</category>
    </item>
    <item>
      <title>What Is a Higher-Order Function? Functions as Values, Explained (2026)</title>
      <dc:creator>ricco020</dc:creator>
      <pubDate>Wed, 24 Jun 2026 08:37:13 +0000</pubDate>
      <link>https://dev.to/ricco020/what-is-a-higher-order-function-functions-as-values-explained-2026-4kcp</link>
      <guid>https://dev.to/ricco020/what-is-a-higher-order-function-functions-as-values-explained-2026-4kcp</guid>
      <description>&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fywjuoqqi7wk2nvl8m1xa.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fywjuoqqi7wk2nvl8m1xa.jpg" alt="A code editor open on a laptop: higher-order functions are an everyday tool you write here — functions that take other functions as arguments, like map and filter." width="800" height="533"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;In most languages a function is something you call. In functional programming a function is also a value — you can store it in a variable, pass it into another function, and get one back as a result. A &lt;strong&gt;higher-order function&lt;/strong&gt; is exactly the function that does one of those last two things. This guide explains what a higher-order function is, why &lt;code&gt;map&lt;/code&gt;, &lt;code&gt;filter&lt;/code&gt; and &lt;code&gt;fold&lt;/code&gt; are the classic examples, how they replace loops, and how they look in &lt;a href="https://coldwa.st/e/blog/2026-06-14-what-is-haskell.html" rel="noopener noreferrer"&gt;Haskell&lt;/a&gt;.&lt;/p&gt;

&lt;h2&gt;
  
  
  The short definition
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;A higher-order function is a function that takes one or more functions as arguments, returns a function as its result, or both.&lt;/strong&gt; A function that does neither — it only takes and returns plain values like numbers or strings — is called a first-order function. The "higher-order" name simply means it operates on functions the way an ordinary function operates on data.&lt;/p&gt;

&lt;p&gt;This only works in a language where functions are &lt;strong&gt;first-class values&lt;/strong&gt;: things you can name, pass around and return, just like an integer. Haskell, JavaScript, Python, Swift and many others treat functions this way, which is what makes higher-order functions possible.&lt;/p&gt;

&lt;h2&gt;
  
  
  The three classics: map, filter and fold
&lt;/h2&gt;

&lt;p&gt;Almost every functional codebase leans on three higher-order functions. Each one takes a function as an argument and applies it across a collection:&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;- **map** applies a function to every element of a list and gives back a new list of the results. `map (+1) [1,2,3]` gives `[2,3,4]` — the function `(+1)` is the argument.

- **filter** keeps only the elements for which a function returns true. `filter even [1,2,3,4]` gives `[2,4]` — here `even` is the function you pass in.

- **fold** (also called reduce) collapses a list down to a single value by combining elements two at a time. `foldr (+) 0 [1,2,3]` adds them up to `6` — the combining step `(+)` is the function argument.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;In each case you supply the small piece of logic — increment, "is even", add — and the higher-order function handles the walking-over-the-list part. You describe what to do to each element, not the bookkeeping of how to step through them.&lt;/p&gt;

&lt;h2&gt;
  
  
  How they replace loops
&lt;/h2&gt;

&lt;p&gt;In an imperative language you might write a loop with a counter, an accumulator, and an explicit index. The same intent expressed with a higher-order function disappears into a single line, because the iteration is already baked into &lt;code&gt;map&lt;/code&gt; or &lt;code&gt;fold&lt;/code&gt;. That is why purely functional code, which avoids mutable loop counters, leans so heavily on these functions and on &lt;a href="https://coldwa.st/e/blog/2026-06-16-what-is-recursion.html" rel="noopener noreferrer"&gt;recursion&lt;/a&gt; — the two cover the work that loops do elsewhere. &lt;a href="https://coldwa.st/e/blog/2026-06-14-haskell-list-comprehensions.html" rel="noopener noreferrer"&gt;List comprehensions&lt;/a&gt; are often a readable shorthand for the same &lt;code&gt;map&lt;/code&gt;-and-&lt;code&gt;filter&lt;/code&gt; combination.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F955qi6y2uw09tfpdk0n5.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F955qi6y2uw09tfpdk0n5.jpg" alt="A higher-order function in another language: here a closure (the block in braces) is passed as the completionHandler argument to document.open — a function handed to another function, exactly the idea behind map and filter." width="800" height="568"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Returning a function: where it gets powerful
&lt;/h2&gt;

&lt;p&gt;The other half of the definition — functions that return functions — is just as common. A function can build and hand back a new, specialised function. A classic example is a "multiplier maker": you give it a number and it returns a function that multiplies its input by that number. Call it with &lt;code&gt;3&lt;/code&gt; and you get back a "times three" function you can then use like any other. The maker is higher-order because its result is itself a function.&lt;/p&gt;

&lt;p&gt;In Haskell this is woven into the language through &lt;strong&gt;currying&lt;/strong&gt;: every function of several arguments is really a chain of one-argument functions, each returning the next. That is why &lt;code&gt;map (+1)&lt;/code&gt; works — &lt;code&gt;(+1)&lt;/code&gt; is the addition function with one argument already supplied, returning a function that still expects the other. Partial application like this is higher-order functions at work, often without you noticing.&lt;/p&gt;

&lt;h2&gt;
  
  
  Higher-order functions in Haskell
&lt;/h2&gt;

&lt;p&gt;Haskell makes the idea explicit in its &lt;strong&gt;type signatures&lt;/strong&gt;. The type of &lt;code&gt;map&lt;/code&gt; is written &lt;code&gt;map :: (a -&amp;gt; b) -&amp;gt; [a] -&amp;gt; [b]&lt;/code&gt;. Read it left to right: the first argument &lt;code&gt;(a -&amp;gt; b)&lt;/code&gt; is itself a function — that is the higher-order part — followed by a list of &lt;code&gt;a&lt;/code&gt;, producing a list of &lt;code&gt;b&lt;/code&gt;. The arrows make it visible on the page that a function is being passed in. The same pattern appears in &lt;code&gt;filter :: (a -&amp;gt; Bool) -&amp;gt; [a] -&amp;gt; [a]&lt;/code&gt; and across the standard library.&lt;/p&gt;

&lt;p&gt;You often pass these functions inline as &lt;strong&gt;lambdas&lt;/strong&gt; — small anonymous functions written with a backslash, like &lt;code&gt;map (\x -&amp;gt; x * x) [1,2,3]&lt;/code&gt; to square each element. Whether you pass a named function, an operator section like &lt;code&gt;(*2)&lt;/code&gt;, or a lambda, it is the same mechanism: a function travelling as a value into a higher-order function.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why they matter
&lt;/h2&gt;

&lt;p&gt;Higher-order functions let you factor out the common shape of a computation — "do something to every element", "keep the ones that match", "combine them all" — and reuse it with different logic plugged in. That means less repeated boilerplate, code that reads closer to its intent, and small, testable pieces of logic you can compose. They are the building block on top of which much of &lt;a href="https://coldwa.st/e/blog/2026-06-15-what-is-functional-programming.html" rel="noopener noreferrer"&gt;functional programming&lt;/a&gt; is expressed, and combined with Haskell's &lt;a href="https://coldwa.st/e/blog/2026-06-14-lazy-evaluation-haskell.html" rel="noopener noreferrer"&gt;lazy evaluation&lt;/a&gt; they even let you map and filter over lists that are conceptually infinite.&lt;/p&gt;

&lt;h2&gt;
  
  
  The honest trade-offs
&lt;/h2&gt;

&lt;p&gt;Higher-order functions take some getting used to: reading &lt;code&gt;foldr&lt;/code&gt; or a chain of &lt;code&gt;map . filter&lt;/code&gt; is a skill, and deeply nested lambdas can become hard to follow. Passing functions around can also make a stack trace less obvious when something goes wrong. The payoff — far less repetitive iteration code and logic you can recombine — is why they have spread well beyond functional languages into everyday JavaScript, Python and Swift. Used with restraint, they make code shorter and clearer; overused, they can obscure it like any other tool.&lt;/p&gt;

&lt;h2&gt;
  
  
  Frequently asked questions
&lt;/h2&gt;

&lt;p&gt;What is a higher-order function in simple terms?&lt;br&gt;
A higher-order function is a function that takes another function as an argument, returns a function as its result, or both. Instead of working only on plain data like numbers and strings, it works on functions. Classic examples are map, filter and fold, which each take a small function and apply it across a list.&lt;/p&gt;

&lt;p&gt;Is map a higher-order function?&lt;br&gt;
Yes. map takes a function as its first argument and applies it to every element of a list, returning a new list of the results. Because one of its arguments is itself a function, map is a textbook higher-order function — and so are filter and fold for the same reason.&lt;/p&gt;

&lt;p&gt;What is the difference between a higher-order and a first-order function?&lt;br&gt;
A first-order function only takes and returns ordinary values, such as numbers or strings. A higher-order function takes one or more functions as arguments, or returns a function, or both. The difference is whether the function operates on data alone or also on other functions.&lt;/p&gt;

&lt;p&gt;Do higher-order functions only exist in Haskell?&lt;br&gt;
No. They exist in any language that treats functions as first-class values — values you can store, pass and return. Haskell, JavaScript, Python, Swift and many others all support them. Haskell makes the idea especially visible through its type signatures and currying, but the concept is widespread.&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Recommended
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;
&lt;h3&gt;
  
  
  A Linux box to build and run your Haskell code
&lt;/h3&gt;

&lt;p&gt;Trying these higher-order functions for real — loading them into GHCi, building a project with map and fold, then running it — is smoother on a proper Linux machine than a laptop. A cloud server gives you full control to install GHC and a Haskell toolchain in a clean environment and reach it over &lt;a href="https://coldwa.st/e/blog/2026-06-22-what-is-ssh.html" rel="noopener noreferrer"&gt;SSH&lt;/a&gt;. Infomaniak — a Swiss, privacy-respecting provider — offers cloud servers for exactly that.&lt;/p&gt;
&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;[See Infomaniak Cloud →](https://coldwa.st/go/cloud.html)
Affiliate link — it supports these free guides.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;

&lt;p&gt;Browse more clear explainers in our &lt;a href="https://coldwa.st/e/" rel="noopener noreferrer"&gt;guides index&lt;/a&gt;.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Originally published on &lt;a href="https://coldwa.st/e/blog/2026-06-24-higher-order-functions.html" rel="noopener noreferrer"&gt;coldwa.st&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>haskell</category>
      <category>functional</category>
      <category>programming</category>
      <category>beginners</category>
    </item>
    <item>
      <title>MCP Security: The Risks of Model Context Protocol and How to Govern It (2026)</title>
      <dc:creator>ricco020</dc:creator>
      <pubDate>Wed, 24 Jun 2026 07:31:23 +0000</pubDate>
      <link>https://dev.to/ricco020/mcp-security-the-risks-of-model-context-protocol-and-how-to-govern-it-2026-1963</link>
      <guid>https://dev.to/ricco020/mcp-security-the-risks-of-model-context-protocol-and-how-to-govern-it-2026-1963</guid>
      <description>&lt;p&gt;The &lt;a href="https://dev.to/ai/model-context-protocol"&gt;Model Context Protocol (MCP)&lt;/a&gt; is the open standard that lets an &lt;a href="https://dev.to/ai/what-is-an-ai-agent"&gt;AI agent&lt;/a&gt; plug into your tools, files, and apps through one common interface — often described as "USB-C for AI." It is genuinely useful, and through 2025 and 2026 it has been adopted across AI assistants, IDEs, and agent frameworks. But the same connector that makes an agent powerful is also its biggest attack surface. Recent moves toward governing AI agents in the enterprise — security vendors shipping tools to monitor coding agents, and MCP-based governance layers landing inside Claude, ChatGPT, and Copilot — are a sign of the same thing: connecting an agent to your environment is a security decision, not a convenience setting. Here is the honest picture of MCP security in 2026 and how to govern it.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why MCP is a security problem, not just a feature
&lt;/h2&gt;

&lt;p&gt;MCP itself is just plumbing: a standard way for a model to discover tools, read their descriptions, and call them. The risk isn't the protocol — it's what flows through it.&lt;/p&gt;

&lt;p&gt;When an agent connects to an MCP server, that server provides two things the model trusts: &lt;strong&gt;tool descriptions&lt;/strong&gt; (text telling the model what each tool does and how to call it) and &lt;strong&gt;tool outputs&lt;/strong&gt; (whatever the tool returns). The model reads both and acts on them. So every MCP server you attach is effectively code and instructions running with your agent's privileges. Whatever the agent can reach — your files, a repository, an API, your email — a malicious server can try to reach &lt;em&gt;through&lt;/em&gt; the agent.&lt;/p&gt;

&lt;p&gt;This is the same shift that makes &lt;a href="https://dev.to/ai/ai-agent-security-2026"&gt;AI agent security&lt;/a&gt; hard in general, applied to a specific connector: the security of your MCP setup is the security of every server you plug into it.&lt;/p&gt;

&lt;h2&gt;
  
  
  The MCP-specific risks in 2026
&lt;/h2&gt;

&lt;p&gt;These aren't hypothetical — security researchers have documented them on real MCP clients.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Tool poisoning.&lt;/strong&gt; A malicious server hides instructions inside a tool's &lt;em&gt;description&lt;/em&gt; — text the model reads but the user usually doesn't. A tool that looks like a harmless &lt;code&gt;add(a, b)&lt;/code&gt; can secretly instruct the agent to read private files and exfiltrate them. Because users tend to approve tool calls without inspecting the description, this is one of the most impactful MCP-specific attacks.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Rug pulls (silent redefinition).&lt;/strong&gt; An MCP tool changes its own definition &lt;em&gt;after&lt;/em&gt; you've installed and approved it. You vetted something safe; the server later swaps in malicious behaviour without telling you.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Tool shadowing and cross-server attacks.&lt;/strong&gt; When several servers connect to the same agent, a compromised one can override or intercept calls meant for a trusted tool — a "confused deputy" problem where the agent does the attacker's bidding while thinking it's using a legitimate tool.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;The exfiltration trifecta.&lt;/strong&gt; The genuinely dangerous combination is an agent that has &lt;em&gt;private data&lt;/em&gt;, reads &lt;em&gt;untrusted content&lt;/em&gt;, and has an &lt;em&gt;exfiltration path&lt;/em&gt; to the outside. MCP makes all three easy to wire together by accident.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Indirect &lt;a href="https://dev.to/ai/prompt-injection"&gt;prompt injection&lt;/a&gt;.&lt;/strong&gt; Even an honest server returns outputs the agent reads — a web page, an issue, a document — that may contain hidden instructions. The agent can obey them as if they came from you.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;&lt;a href="/images/mcp-security-body.jpg" class="article-body-image-wrapper"&gt;&lt;img src="/images/mcp-security-body.jpg" alt="A close-up of a laptop's side showing a USB port and an SD card slot, illustrating MCP as a universal connector for plugging tools into an AI"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  How to govern MCP safely
&lt;/h2&gt;

&lt;p&gt;You don't need to avoid MCP. You need to govern what you connect and box it in so a single bad server can't become a disaster. The principles are old security wisdom applied to a new connector.&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Vet and pin trusted servers.&lt;/strong&gt; Prefer official or well-reviewed MCP servers. Don't attach arbitrary third-party servers to an agent that holds real access, and watch for tool definitions that change after install.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Least privilege per server.&lt;/strong&gt; Give each server only the access its job needs, using &lt;strong&gt;scoped, revocable credentials&lt;/strong&gt; — never your primary accounts or production keys. If a server only needs to read, don't let it write.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Limit the blast radius.&lt;/strong&gt; Avoid connecting many untrusted servers to the same agent, since one compromised server can intercept others. Isolate sensitive work from anything that reads the open web.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Human in the loop for high-impact actions.&lt;/strong&gt; Require explicit confirmation before anything irreversible — sending money, deleting data, posting publicly, changing access. Let the agent draft; you approve.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Treat tool descriptions and outputs as untrusted.&lt;/strong&gt; Both can carry injected instructions. The same caution applies when an agent uses &lt;a href="https://dev.to/ai/ai-code-review-tools"&gt;AI code review tools&lt;/a&gt; or any tool that ingests external content.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Log and audit tool calls.&lt;/strong&gt; Keep a record of which servers and tools the agent used, so you can spot anomalies and revoke fast.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Keep secrets out of prompts and tool arguments.&lt;/strong&gt; Passwords and API keys pasted into a prompt or a tool call become text on a server. Use scoped tokens and secret managers instead.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  The honest takeaway
&lt;/h2&gt;

&lt;p&gt;MCP security comes down to one mindset shift: an MCP server is not a plugin you install and forget — it's a new participant with autonomy and access, and you should treat it like one you don't fully trust. The protocol is open and useful; the danger is in granting broad, standing trust to servers you haven't vetted. Connect deliberately, scope every server tightly, keep a human gate on anything irreversible, and assume every tool description and output could be trying to hijack your agent. The teams now building governance around AI agents — and the &lt;a href="https://dev.to/ai/ai-coding-agent"&gt;AI coding agents&lt;/a&gt; that lean on MCP most — are converging on exactly that: connect less, trust narrowly, and verify.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;What is MCP security?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;MCP security is the practice of safely connecting AI models and agents to external tools and data through the Model Context Protocol — an open standard introduced by Anthropic in late 2024, often described as 'USB-C for AI'. MCP itself is just a connector: the security question is what you plug into it and how much you trust it. Each MCP server an agent connects to is code and instructions running with the agent's access, so a malicious or compromised server can read your data, call other tools, or take actions on your behalf. MCP security means vetting servers, scoping permissions tightly, and treating tool descriptions and outputs as untrusted input.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What is tool poisoning in MCP?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Tool poisoning is when a malicious MCP server hides instructions inside a tool's description or metadata — text the model reads but the user usually doesn't. The model treats those hidden instructions as commands, so a tool that looks like a harmless 'add two numbers' function can secretly tell the agent to read private files and send them somewhere. Security researchers have documented this as one of the most impactful MCP-specific risks, because users tend to approve tool calls without inspecting the underlying descriptions.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What is an MCP rug pull?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A rug pull, also called silent redefinition, is when an MCP tool changes its own definition after you've already installed and trusted it. You approve a tool that looks safe, and later the server quietly swaps in malicious instructions without notifying you. A related attack is tool shadowing, where a malicious server overrides or intercepts calls meant for a trusted tool. Both exploit the fact that trust granted once is rarely re-checked, which is why monitoring tool definitions for changes matters.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Is MCP safe to use?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;MCP is broadly safe for everyday use if you connect only to servers you trust and scope their access tightly, but it is not safe to wire up arbitrary third-party servers with broad permissions and walk away. The protocol is an open connector, so its safety depends entirely on the servers you attach and the access you grant them. Use official or well-reviewed servers, give each one separate revocable credentials instead of your main accounts, keep a human in the loop for high-impact actions, and review what tools can do before approving them.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How do I secure MCP servers?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Apply least privilege: give each MCP server only the access its job needs, using scoped, revocable tokens rather than admin keys or your primary accounts. Vet and pin trusted servers, prefer official ones, and watch for tool definitions that change after install. Treat tool descriptions and tool outputs as untrusted content that may contain injected instructions. Avoid connecting many untrusted servers to the same agent, since one compromised server can intercept others. Log tool calls so you can audit and revoke, and keep secrets out of prompts and tool arguments.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Originally published on &lt;a href="https://alexi.sh/ai/mcp-security-2026" rel="noopener noreferrer"&gt;alexi.sh&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>security</category>
      <category>llm</category>
      <category>programming</category>
    </item>
    <item>
      <title>What Is a Vector Database? A Plain-English Guide (2026)</title>
      <dc:creator>ricco020</dc:creator>
      <pubDate>Mon, 22 Jun 2026 05:27:58 +0000</pubDate>
      <link>https://dev.to/ricco020/what-is-a-vector-database-a-plain-english-guide-2026-29c</link>
      <guid>https://dev.to/ricco020/what-is-a-vector-database-a-plain-english-guide-2026-29c</guid>
      <description>&lt;p&gt;If you have read about RAG, AI search or recommendations, you have probably hit the term &lt;strong&gt;vector database&lt;/strong&gt;. Here is the plain version. A vector database stores data as &lt;em&gt;vectors&lt;/em&gt; — lists of numbers that capture meaning — and finds items by &lt;strong&gt;similarity&lt;/strong&gt;, not by exact match. That one idea is what makes modern AI search feel like it understands you.&lt;/p&gt;

&lt;h2&gt;
  
  
  What a vector database actually is
&lt;/h2&gt;

&lt;p&gt;Normal databases are great at exact questions: find the user with this ID, or every order from last week. They struggle with "find me things that &lt;em&gt;mean&lt;/em&gt; the same thing." A vector database is built for exactly that.&lt;/p&gt;

&lt;p&gt;It works on &lt;a href="https://alexi.sh/ai/what-is-an-embedding" rel="noopener noreferrer"&gt;embeddings&lt;/a&gt; — the numeric fingerprints an AI model gives to text, images or audio. Items with similar meaning get vectors that sit close together. The database stores those vectors and, when you search, returns the ones nearest to your query.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fw2gwqub1f3jdtb4hj1az.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fw2gwqub1f3jdtb4hj1az.jpg" alt="A vector database keeps millions of embeddings on disk and in memory, and searches them by similarity in milliseconds." width="800" height="533"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  How similarity search works
&lt;/h2&gt;

&lt;p&gt;The flow has three steps:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Embed.&lt;/strong&gt; An embedding model turns each document, image or sentence into a vector.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Index.&lt;/strong&gt; The database stores those vectors in a special index (like HNSW or IVF) so it can search huge sets fast.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Query.&lt;/strong&gt; Your search is embedded too. The database returns the vectors closest to it by distance.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;So a search for "how to reset my password" can surface an article called "recover a forgotten login." The words differ, but the meaning — and the vectors — are close.&lt;/p&gt;

&lt;h2&gt;
  
  
  Vector database vs a normal database
&lt;/h2&gt;

&lt;p&gt;They solve different problems, and most real apps use both. A relational database holds your structured records and answers exact queries. A vector database answers "what is most like this?" You keep customer rows in one and searchable meaning in the other. Tools like pgvector even let you add vector search to a normal PostgreSQL database, so both live in one place.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why it matters for AI
&lt;/h2&gt;

&lt;p&gt;A vector database is the retrieval engine behind a lot of AI. It powers semantic search, product and content recommendations, and — most importantly — the &lt;em&gt;retrieval&lt;/em&gt; step in &lt;a href="https://alexi.sh/ai/what-is-rag" rel="noopener noreferrer"&gt;RAG&lt;/a&gt;, where an assistant fetches relevant text before answering. Without fast similarity search over embeddings, none of those features would be practical at scale.&lt;/p&gt;

&lt;h2&gt;
  
  
  The bottom line
&lt;/h2&gt;

&lt;p&gt;A vector database stores meaning as vectors and finds items by similarity instead of exact match. It does not replace your normal database — it sits beside it and answers the questions a keyword search never could. If you are building anything with semantic search or RAG, a vector database is the piece doing the heavy lifting.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;What is a vector database in simple terms?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A vector database stores data as vectors — long lists of numbers called embeddings that capture meaning. Instead of matching exact words, it finds items whose vectors are closest to your query's vector. So a search for 'how to reset my password' can return a help article titled 'recover a forgotten login', because they mean the same thing. It is the engine behind semantic search, recommendations, and the retrieval step in most AI assistants.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How is a vector database different from a normal database?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A normal (relational) database is built for exact, structured queries: find the row where id = 42, or where country = 'France'. A vector database is built for similarity: find the items most like this one. It does not look for an exact match — it ranks results by how close their vectors are. The two are complementary. Many apps use a normal database for records and a vector database for meaning-based search.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How does similarity search actually work?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Three steps. First, an embedding model turns each item (a document, image, or sentence) into a vector. Second, the vector database stores those vectors in a special index (such as HNSW or IVF) that makes nearest-neighbour search fast, even over millions of items. Third, when a query comes in, it is embedded too, and the database returns the vectors closest to it by distance. You get the most similar items back in milliseconds.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Which vector databases are popular in 2026?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Common options include Pinecone, Weaviate, Qdrant, Milvus, and Chroma, plus pgvector, which adds vector search to PostgreSQL so you can keep everything in one database. The right choice depends on scale, whether you want a managed service or to self-host, and whether you need vectors alongside your existing relational data. For small projects, pgvector or Chroma are easy starting points.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Originally published on &lt;a href="https://alexi.sh/ai/what-is-a-vector-database" rel="noopener noreferrer"&gt;alexi.sh&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>database</category>
      <category>webdev</category>
      <category>programming</category>
    </item>
    <item>
      <title>What Is a Home Server? A Plain-English Guide (2026)</title>
      <dc:creator>ricco020</dc:creator>
      <pubDate>Sun, 21 Jun 2026 13:38:09 +0000</pubDate>
      <link>https://dev.to/ricco020/what-is-a-home-server-a-plain-english-guide-2026-5085</link>
      <guid>https://dev.to/ricco020/what-is-a-home-server-a-plain-english-guide-2026-5085</guid>
      <description>&lt;p&gt;There is a running joke online: someone sets out to build a "home server," and a year later they have a rack of machines, a labelled network, and a power bill to match — they accidentally built a tiny data center. It is funny because it is true, but it hides a simpler fact. A home server does not have to be any of that. At its core, &lt;strong&gt;a home server is just a computer that stays on to serve other devices in your home.&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  What a home server actually is
&lt;/h2&gt;

&lt;p&gt;Think of it as a helper computer. It runs all the time, sits quietly in a corner, and waits for your other devices to ask it for something. You do not sit in front of it. Once it is set up, it has no screen or keyboard — you reach it from your phone, laptop or TV over your home Wi-Fi.&lt;/p&gt;

&lt;p&gt;The hardware can be almost anything. An old laptop works. So does a cheap mini PC, a Raspberry Pi, or a ready-made NAS box. What makes it a "server" is the job it does, not the size of the machine.&lt;/p&gt;

&lt;h2&gt;
  
  
  What people run on one
&lt;/h2&gt;

&lt;p&gt;A home server earns its keep by doing a few steady jobs:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;File storage&lt;/strong&gt; — one place for documents and photos that every device can reach.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Media streaming&lt;/strong&gt; — your own films and music, streamed to any screen in the house.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Backups&lt;/strong&gt; — automatic copies of your phones and laptops, so a lost device is not a lost life.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Smart-home control&lt;/strong&gt; — local software that runs your lights and sensors without the cloud.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;A self-hosted VPN&lt;/strong&gt; — a private door back into your home network while you travel.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;You can run just one of these, or several at once. Most people keep each job in its own container so they stay tidy and easy to update.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fzmig12xm238es7wj59tm.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Fzmig12xm238es7wj59tm.jpg" alt="A real data center looks like this. A home server does not have to — an old laptop in a cupboard counts." width="799" height="449"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Home server vs a VPS
&lt;/h2&gt;

&lt;p&gt;The two get confused, but they solve different problems. A home server lives in your house, holds your data, and costs only the electricity to run it. The catch is that it depends on your home internet and you look after it yourself.&lt;/p&gt;

&lt;p&gt;A &lt;strong&gt;VPS&lt;/strong&gt; is a server you rent in a data center. It is always online, has a fast connection and a public IP, and is easier to reach from anywhere — which is why people host a VPN or a website on one. If you are weighing the two, our guide on &lt;a href="https://www.vpnsmith.com/en/blog/what-is-a-vps" rel="noopener noreferrer"&gt;what a VPS is&lt;/a&gt; explains it in plain terms. Many setups use both: a home server for local files and media, a small VPS for anything the outside world needs to reach.&lt;/p&gt;

&lt;h2&gt;
  
  
  What you need to start
&lt;/h2&gt;

&lt;p&gt;Very little. An always-on computer you already own, a wired network connection if you can manage it, and one job to begin with — say, a file share or a media library. Add a second service only once the first is steady. Start small, keep it simple, and let it grow with you.&lt;/p&gt;

&lt;h2&gt;
  
  
  The bottom line
&lt;/h2&gt;

&lt;p&gt;A home server is not a data center. It is a spare computer doing useful work while you get on with your day — storing your files, backing up your devices, streaming your media, and, if you want, giving you a private way home over a VPN. Begin with one machine and one job. That is all it takes to have a home server.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;What is a home server in simple terms?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A home server is a computer in your home that stays on so other devices can use it. It does not need a screen or a keyboard once it is set up. You reach it from your phone, laptop or TV over your home network. People use one to store files, stream their own media, run automatic backups, host smart-home software, or run a self-hosted VPN. Any always-on computer can be a home server — an old laptop, a mini PC, a Raspberry Pi, or a NAS box.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Do I need a home server, or is a VPS better?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;It depends on what you want. A home server keeps your data in your house and costs nothing to run beyond electricity, but it relies on your home internet and you maintain it yourself. A VPS (a rented server in a data center) is always online with a fast, stable connection and a public IP, which is easier for hosting a VPN or a website that you reach from anywhere. Many people use a home server for local files and media, and a small VPS for anything that needs to be reachable from outside the house.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What can you run on a home server?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Common uses are: a file share for all your devices, a media library (so you stream your own films and music), automatic backups of phones and laptops, a photo library, smart-home automation, ad-blocking for the whole network, and a self-hosted VPN to reach your home safely while travelling. You can run one of these or several at once, usually inside containers so they stay tidy and separate.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Is a home server hard to set up?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Not as hard as it used to be. A basic file or media server can be running in an afternoon with free software and a guide. The learning curve is real if you want remote access, secure logins, and automatic updates, but you can start small with one service and add more later. A Raspberry Pi or an old laptop is a cheap, low-risk way to learn before spending money on dedicated hardware.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Originally published on &lt;a href="https://www.vpnsmith.com/en/blog/what-is-a-home-server" rel="noopener noreferrer"&gt;vpnsmith&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>selfhosted</category>
      <category>homelab</category>
      <category>linux</category>
      <category>beginners</category>
    </item>
    <item>
      <title>What Is Vibe Coding? The AI-First Way to Build Software (2026)</title>
      <dc:creator>ricco020</dc:creator>
      <pubDate>Sun, 21 Jun 2026 13:36:38 +0000</pubDate>
      <link>https://dev.to/ricco020/what-is-vibe-coding-the-ai-first-way-to-build-software-2026-260a</link>
      <guid>https://dev.to/ricco020/what-is-vibe-coding-the-ai-first-way-to-build-software-2026-260a</guid>
      <description>&lt;p&gt;Ask an AI assistant to "build me a habit-tracker app" and watch it produce working code in seconds — then ask it to tweak the colours, add a chart, fix a crash, all in plain English, without you reading a single line. That loop has a name now: &lt;strong&gt;vibe coding&lt;/strong&gt;. This guide explains what vibe coding actually is, where the term came from, how it works in practice, and the honest line between a brilliant shortcut and a trap.&lt;/p&gt;

&lt;h2&gt;
  
  
  What vibe coding actually is
&lt;/h2&gt;

&lt;p&gt;Vibe coding is building software by &lt;em&gt;describing intent&lt;/em&gt; to an AI and iterating on what it generates, instead of writing and reviewing the code yourself. You operate at the level of "what I want it to do" — add a feature, change a behaviour, fix an error — and let the model handle "how it's written." Your job shifts from author to director: you prompt, you run it, you react to the result, and you repeat.&lt;/p&gt;

&lt;p&gt;The defining trait is how little you look at the code. In classic development you read and own every line. In vibe coding you often accept the AI's output without fully reading it, judging the program by whether it &lt;em&gt;behaves&lt;/em&gt; the way you wanted rather than by how it's built.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F1qo69l2k8z6521tm7fmy.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F1qo69l2k8z6521tm7fmy.jpg" alt="Vibe coding keeps you at the keyboard but moves your attention from writing lines to describing intent and judging the result." width="800" height="534"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Where the term came from
&lt;/h2&gt;

&lt;p&gt;The phrase was popularised by Andrej Karpathy in early 2025. He described a mode of working where you "fully give in to the vibes" and rely on the AI so completely that you barely engage with the underlying code — fun and fast, in his framing, for weekend projects and throwaway tools. The name stuck because it captured something developers were already doing with conversational &lt;a href="https://alexi.sh/ai/best-ai-coding-assistants-2026" rel="noopener noreferrer"&gt;best AI coding assistants&lt;/a&gt;: less typing, more describing.&lt;/p&gt;

&lt;h2&gt;
  
  
  How it works in practice
&lt;/h2&gt;

&lt;p&gt;A vibe-coding session looks like a conversation. You state a goal, the assistant writes or edits files, you run the result, and you describe what's wrong or what to add next. The model keeps the project context, so each turn builds on the last. The faster that loop — prompt, run, react — the more it feels like "coding by vibes" rather than by syntax.&lt;/p&gt;

&lt;p&gt;This is close to, but not the same as, &lt;a href="https://alexi.sh/ai/ai-pair-programming" rel="noopener noreferrer"&gt;AI pair programming&lt;/a&gt;. Pair programming with an AI implies you're still reading along, reviewing and steering line by line, like a navigator beside a driver. Vibe coding leans further: you delegate the &lt;em&gt;how&lt;/em&gt; almost entirely and judge only the outcome. The same tools support both modes — the difference is how much you choose to look.&lt;/p&gt;

&lt;h2&gt;
  
  
  Where it shines — and where it bites
&lt;/h2&gt;

&lt;p&gt;Vibe coding genuinely excels at:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Prototypes and MVPs&lt;/strong&gt; — get a clickable idea in front of people fast.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Throwaway scripts&lt;/strong&gt; — one-off automation you'll run once and delete.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Learning and exploration&lt;/strong&gt; — see one working approach, then dig in.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Non-critical personal tools&lt;/strong&gt; — where a bug is an annoyance, not a breach.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;It bites hardest when the stakes rise. Shipping code you haven't read means inheriting problems you can't see: exposed API keys, missing input validation, insecure dependencies, and subtle logic bugs. When something breaks in production, debugging code you never understood is painful, and a codebase nobody can explain becomes a maintenance liability. The accelerator that built the prototype is a poor foundation for the thing real users depend on.&lt;/p&gt;

&lt;h2&gt;
  
  
  The bottom line
&lt;/h2&gt;

&lt;p&gt;Vibe coding is a real shift in how software gets made: describe intent, let the AI write it, iterate on the result. For prototypes, scripts and learning it's a superpower that collapses hours into minutes. For anything handling money, data or security, treat the AI's output as a fast first draft from a junior collaborator — read it, test it, and understand it before it ships. The developers who get the most from vibe coding are the ones who know exactly when to stop vibing and start reviewing.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;What is vibe coding?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Vibe coding is the practice of building software by describing what you want in natural language to an AI assistant and accepting or iterating on the code it generates, rather than writing and reviewing every line yourself. You stay at the level of intent — 'add a login form', 'make this faster', 'fix that bug' — and let the model produce the implementation. It works best with conversational AI coding tools and is excellent for prototypes and small scripts, but it shifts your role from author to reviewer-and-director.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Who coined the term 'vibe coding'?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The phrase was popularised by Andrej Karpathy in early 2025, when he described a way of working where you 'fully give in to the vibes' and lean on the AI so heavily that you barely look at the code. He framed it as fun and fast for throwaway projects. The term caught on quickly because it named something many developers had already started doing with tools like Cursor, GitHub Copilot and Claude Code.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Is vibe coding good or bad?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Neither on its own — it depends entirely on the stakes. For prototypes, personal tools, learning experiments and disposable scripts, vibe coding is a genuine accelerator: you get something working in minutes. For production software, anything handling money, personal data or security, shipping code you haven't read is risky, because you inherit bugs and vulnerabilities you can't see and will struggle to debug. The skill is knowing which mode a task calls for.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Is vibe coding safe for production apps?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Not without review. The danger of pure vibe coding is that you ship code you don't understand, which can hide security flaws (exposed secrets, missing input validation, insecure dependencies), subtle logic bugs, and maintenance debt that nobody on the team can explain later. For anything real, treat the AI's output as a draft from a fast but junior collaborator: read it, test it, and understand it before it goes live.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Originally published on &lt;a href="https://alexi.sh/ai/what-is-vibe-coding" rel="noopener noreferrer"&gt;alexi.sh&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>programming</category>
      <category>webdev</category>
      <category>beginners</category>
    </item>
    <item>
      <title>What Is the Model Context Protocol (MCP)? A Plain Guide (2026)</title>
      <dc:creator>ricco020</dc:creator>
      <pubDate>Sun, 21 Jun 2026 13:35:59 +0000</pubDate>
      <link>https://dev.to/ricco020/what-is-the-model-context-protocol-mcp-a-plain-guide-2026-287a</link>
      <guid>https://dev.to/ricco020/what-is-the-model-context-protocol-mcp-a-plain-guide-2026-287a</guid>
      <description>&lt;p&gt;If you have heard the term &lt;strong&gt;MCP&lt;/strong&gt; thrown around in AI circles in 2026 and were not sure what it meant, here is the short version. The &lt;strong&gt;Model Context Protocol (MCP)&lt;/strong&gt; is an open standard that lets an AI model connect to outside tools, data and apps through one common interface. People often call it &lt;strong&gt;"USB-C for AI"&lt;/strong&gt; — one standard plug instead of a different cable for every device.&lt;/p&gt;

&lt;h2&gt;
  
  
  What MCP actually is
&lt;/h2&gt;

&lt;p&gt;An AI model on its own only knows what it was trained on. It cannot read your files, query your database, or check your calendar unless something hands it that access. MCP is the agreed way to hand it that access.&lt;/p&gt;

&lt;p&gt;It works through two roles. An &lt;strong&gt;MCP server&lt;/strong&gt; exposes a tool or data source — your documents, a code repository, a search engine. An &lt;strong&gt;MCP client&lt;/strong&gt; lives inside the AI app and connects to those servers. Because both sides follow the same protocol, any client can talk to any server. The model can then list the available tools and use them.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F7fcjmlfom3csmr9yy1yv.jpg" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2F7fcjmlfom3csmr9yy1yv.jpg" alt="MCP gives a model a standard way to reach code, tools and data — instead of a custom connector for each one." width="800" height="534"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  Why MCP matters
&lt;/h2&gt;

&lt;p&gt;The value is in the maths. Say you have many AI apps and many tools. Connecting each app to each tool by hand is the classic "N times M" problem — a lot of duplicated, brittle code. MCP turns it into "N plus M". Each tool ships one MCP server. Each app speaks MCP once. After that, they all work together.&lt;/p&gt;

&lt;p&gt;That is what makes modern AI agents useful. An agent that can only talk is limited. An agent that can read your files, run a query, or open a ticket can actually get work done. MCP is the plumbing that lets it reach those systems safely and in a standard way.&lt;/p&gt;

&lt;h2&gt;
  
  
  How it works in practice
&lt;/h2&gt;

&lt;p&gt;MCP was introduced by Anthropic in late 2024 as an open standard, with public specs and open-source SDKs. Through 2025 and 2026 it spread across AI assistants, IDEs and agent frameworks.&lt;/p&gt;

&lt;p&gt;In day-to-day use you rarely see it. You add an MCP server — for GitHub, a database, your notes — to an AI app that supports it. The app's client connects, the model sees the new tools, and you can ask it to use them in plain language. If you want the bigger picture of what an agent is, see our guide on &lt;a href="https://alexi.sh/ai/what-is-an-ai-agent" rel="noopener noreferrer"&gt;what an AI agent is&lt;/a&gt;; MCP is one of the things that makes those agents practical. The same standard shows up in the &lt;a href="https://alexi.sh/ai/best-ai-coding-assistants-2026" rel="noopener noreferrer"&gt;best AI coding assistants&lt;/a&gt;, where it connects the model to your repo and tools.&lt;/p&gt;

&lt;h2&gt;
  
  
  The bottom line
&lt;/h2&gt;

&lt;p&gt;MCP is a small idea with a big effect: one open standard for connecting AI models to the real world of tools and data. It replaces a mess of custom integrations with a single shared plug. You do not need to build it yourself to benefit — you just need to know that when an AI app "supports MCP", it can now reach far beyond its training data and actually act for you.&lt;/p&gt;

&lt;h2&gt;
  
  
  FAQ
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;What is the Model Context Protocol (MCP)?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;MCP is an open standard that lets an AI model connect to outside tools, data and apps through one shared interface. Before MCP, every assistant needed its own custom code to reach each tool — your files, a database, GitHub, a calendar. MCP replaces that with a common protocol, so any AI app that speaks MCP can use any tool that speaks MCP. It is often called 'USB-C for AI' because it is a single, standard plug that works across many devices.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Who created MCP and is it open?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;MCP was introduced by Anthropic in late 2024 as an open standard, with public specifications and open-source software development kits. Being open means any company or developer can build MCP servers (to expose a tool) or MCP clients (to use one), without permission from a single vendor. Through 2025 and 2026 it was adopted across many AI assistants, IDEs and agent frameworks, which is why it has become a common way to give models access to real tools.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Why does MCP matter?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;It solves a scaling problem. With many AI apps and many tools, connecting each app to each tool by hand is a huge amount of duplicated work — the classic N-times-M problem. MCP turns it into N-plus-M: each tool exposes one MCP server, each app speaks MCP once, and they all interoperate. That makes AI agents far more useful, because they can act on your real data and systems instead of only answering from memory.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Is MCP the same as an API or a plugin?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Not quite. An API is how one program talks to another; a plugin is a feature bolted onto a specific app. MCP is a shared standard that sits above those — it defines a common way for an AI model to discover and use tools, whatever they are. A tool still has its own API underneath, but the MCP server wraps it so the model sees a consistent interface. So MCP complements APIs rather than replacing them.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Originally published on &lt;a href="https://alexi.sh/ai/model-context-protocol" rel="noopener noreferrer"&gt;alexi.sh&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>mcp</category>
      <category>webdev</category>
      <category>programming</category>
    </item>
    <item>
      <title>Encryption at rest vs zero-knowledge: who can actually read your cloud files</title>
      <dc:creator>ricco020</dc:creator>
      <pubDate>Sat, 20 Jun 2026 20:01:48 +0000</pubDate>
      <link>https://dev.to/ricco020/encryption-at-rest-vs-zero-knowledge-who-can-actually-read-your-cloud-files-23ko</link>
      <guid>https://dev.to/ricco020/encryption-at-rest-vs-zero-knowledge-who-can-actually-read-your-cloud-files-23ko</guid>
      <description>&lt;p&gt;"Encrypted cloud storage" is one of the most abused phrases in tech marketing. Almost every provider claims it — but the word that decides whether &lt;em&gt;they&lt;/em&gt; can read your files is &lt;strong&gt;zero-knowledge&lt;/strong&gt;, and most consumer clouds quietly don't offer it. Here's the technical distinction, because it changes who holds the keys.&lt;/p&gt;

&lt;h2&gt;
  
  
  Encryption-at-rest vs zero-knowledge
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Encryption at rest&lt;/strong&gt; means the provider encrypts your files on their disks — with keys &lt;em&gt;they&lt;/em&gt; control. It protects against a stolen hard drive in their data center. It does &lt;strong&gt;not&lt;/strong&gt; protect against the provider itself, a rogue employee, a subpoena, or a server-side breach that also grabs the keys. Most mainstream clouds stop here.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Zero-knowledge (client-side) encryption&lt;/strong&gt; means your data is encrypted on &lt;em&gt;your&lt;/em&gt; device, with a key derived from &lt;em&gt;your&lt;/em&gt; passphrase, before it ever leaves. The server stores ciphertext it cannot decrypt. The provider has "zero knowledge" of your contents. The trade-off is real: if you lose the passphrase, nobody — not even support — can recover your files. That's not a bug; it's the entire point.&lt;/p&gt;

&lt;h2&gt;
  
  
  How it actually works
&lt;/h2&gt;

&lt;p&gt;A typical zero-knowledge flow:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Your passphrase runs through a slow KDF (Argon2id or PBKDF2 with a high iteration count) to derive a master key. Slow on purpose — it makes brute-forcing the stored ciphertext impractical.&lt;/li&gt;
&lt;li&gt;A random per-file (or per-account) key encrypts the data with an authenticated cipher like &lt;strong&gt;AES-256-GCM&lt;/strong&gt; or &lt;strong&gt;XChaCha20-Poly1305&lt;/strong&gt;.&lt;/li&gt;
&lt;li&gt;That file key is itself wrapped with your master key. The server only ever sees wrapped keys + ciphertext.&lt;/li&gt;
&lt;li&gt;Decryption happens entirely client-side after you authenticate.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The security property that matters: &lt;strong&gt;the plaintext and the master key never reach the server.&lt;/strong&gt; If you can't point to where in a provider's flow that's true, assume it isn't.&lt;/p&gt;

&lt;h2&gt;
  
  
  What this means in practice
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;A breach of a zero-knowledge provider leaks ciphertext&lt;/strong&gt;, not your files. A breach of an encryption-at-rest provider can leak both data and keys.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Metadata usually isn't encrypted&lt;/strong&gt; even under zero-knowledge — filenames, sizes, folder structure, timestamps often leak. Check each provider's specifics; "zero-knowledge" rarely means "zero metadata."&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;You become the single point of failure&lt;/strong&gt; for key recovery. Use a strong, unique passphrase and store a recovery code somewhere safe.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;This isn't an argument that everyone needs zero-knowledge for cat photos. It's that you should &lt;em&gt;know which model you're on&lt;/em&gt;, because "encrypted" on a pricing page tells you almost nothing about whether the company can read your files.&lt;/p&gt;

&lt;p&gt;I wrote a deeper, plain-English explainer — including how to verify a provider's claims and where metadata leaks — here: &lt;a href="https://www.priviy.com/en/blog/what-is-zero-knowledge-encryption" rel="noopener noreferrer"&gt;What is zero-knowledge encryption?&lt;/a&gt;&lt;/p&gt;

</description>
      <category>security</category>
      <category>encryption</category>
      <category>privacy</category>
      <category>webdev</category>
    </item>
    <item>
      <title>Self-hosting a password manager with Vaultwarden: a clean, hardened Docker setup</title>
      <dc:creator>ricco020</dc:creator>
      <pubDate>Sat, 20 Jun 2026 20:01:04 +0000</pubDate>
      <link>https://dev.to/ricco020/self-hosting-a-password-manager-with-vaultwarden-a-clean-hardened-docker-setup-8em</link>
      <guid>https://dev.to/ricco020/self-hosting-a-password-manager-with-vaultwarden-a-clean-hardened-docker-setup-8em</guid>
      <description>&lt;p&gt;A hosted password manager means trusting a company's servers with the keys to your entire digital life. &lt;a href="https://github.com/dani-garcia/vaultwarden" rel="noopener noreferrer"&gt;Vaultwarden&lt;/a&gt; — a lightweight, unofficial Rust re-implementation of the Bitwarden server API — lets you keep that vault on hardware you control, while still using the official Bitwarden apps and browser extensions. It runs comfortably on a $5 VPS or a Raspberry Pi.&lt;/p&gt;

&lt;p&gt;Here's a clean, minimal setup plus the hardening that actually matters.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Docker Compose
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;services&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;vaultwarden&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;image&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;vaultwarden/server:latest&lt;/span&gt;
    &lt;span class="na"&gt;container_name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;vaultwarden&lt;/span&gt;
    &lt;span class="na"&gt;restart&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;unless-stopped&lt;/span&gt;
    &lt;span class="na"&gt;environment&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="na"&gt;DOMAIN&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;https://vault.example.com"&lt;/span&gt;
      &lt;span class="na"&gt;SIGNUPS_ALLOWED&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;false"&lt;/span&gt;   &lt;span class="c1"&gt;# turn off after you create your account&lt;/span&gt;
      &lt;span class="na"&gt;ADMIN_TOKEN&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;&amp;lt;argon2-hash&amp;gt;"&lt;/span&gt; &lt;span class="c1"&gt;# see below&lt;/span&gt;
    &lt;span class="na"&gt;volumes&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s"&gt;./vw-data:/data&lt;/span&gt;
    &lt;span class="na"&gt;ports&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="s"&gt;127.0.0.1:8080:80"&lt;/span&gt;      &lt;span class="c1"&gt;# bind to localhost, terminate TLS at a reverse proxy&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Two deliberate choices in that file:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;&lt;code&gt;ports: 127.0.0.1:8080:80&lt;/code&gt;&lt;/strong&gt; — Vaultwarden speaks plain HTTP. Never expose that to the internet. Bind it to localhost and put a reverse proxy (Caddy/nginx/Traefik) in front to handle TLS. The web vault and the Bitwarden clients refuse to send credentials over anything but HTTPS, so this isn't optional.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;&lt;code&gt;SIGNUPS_ALLOWED: "false"&lt;/code&gt;&lt;/strong&gt; — leave it &lt;code&gt;true&lt;/code&gt; only long enough to register your own account, then flip it and recreate the container. An open Vaultwarden on a public IP &lt;em&gt;will&lt;/em&gt; get strangers registering on it.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Hardening that matters
&lt;/h2&gt;

&lt;p&gt;&lt;strong&gt;Hash the admin token.&lt;/strong&gt; The &lt;code&gt;/admin&lt;/code&gt; panel is a juicy target. Don't paste a plaintext token — generate an Argon2 hash and use that:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;docker run &lt;span class="nt"&gt;--rm&lt;/span&gt; &lt;span class="nt"&gt;-it&lt;/span&gt; vaultwarden/server /vaultwarden &lt;span class="nb"&gt;hash&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Put the admin panel behind something extra&lt;/strong&gt; — IP allow-list at the proxy, or a VPN-only route. A leaked admin token otherwise exposes every user.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Back up &lt;code&gt;vw-data/&lt;/code&gt;.&lt;/strong&gt; It holds the SQLite DB (encrypted blobs, but also account metadata) plus your &lt;code&gt;rsa_key&lt;/code&gt; files. No backup = one disk failure from losing every password. A nightly &lt;code&gt;sqlite3 .backup&lt;/code&gt; to an offsite target (the 3-2-1 rule applies to your vault too) is the difference between an inconvenience and a catastrophe.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Keep the image pinned and updated.&lt;/strong&gt; &lt;code&gt;latest&lt;/code&gt; is fine for a personal box if you actually pull regularly; Vaultwarden ships security fixes and you want them.&lt;/p&gt;

&lt;h2&gt;
  
  
  What you're actually trading
&lt;/h2&gt;

&lt;p&gt;Self-hosting removes the "trust a third party's servers" risk and replaces it with "you are now the server admin." That's a real responsibility: you own patching, backups, TLS, and uptime. For a lot of developers that trade is worth it; for non-technical family members, a reputable hosted manager is often the safer default. There's no universally right answer — only the one that matches your threat model and your willingness to operate infrastructure.&lt;/p&gt;

&lt;p&gt;If you want the full step-by-step — reverse-proxy configs, automatic backups, fail2ban, and the security trade-offs in detail — I wrote it up here: &lt;a href="https://www.pwdfortress.com/en/blog/self-host-vaultwarden-tutoriel" rel="noopener noreferrer"&gt;Self-host a password manager with Vaultwarden&lt;/a&gt;.&lt;/p&gt;

</description>
      <category>selfhosted</category>
      <category>docker</category>
      <category>security</category>
      <category>devops</category>
    </item>
    <item>
      <title>AI text detectors are mostly guessing: how they actually work</title>
      <dc:creator>ricco020</dc:creator>
      <pubDate>Sat, 20 Jun 2026 19:59:48 +0000</pubDate>
      <link>https://dev.to/ricco020/ai-text-detectors-are-mostly-guessing-how-they-actually-work-2ibl</link>
      <guid>https://dev.to/ricco020/ai-text-detectors-are-mostly-guessing-how-they-actually-work-2ibl</guid>
      <description>&lt;p&gt;If you write documentation, blog posts, or even commit messages, there's a decent chance an "AI detector" has flagged something you wrote by hand. These tools are now bolted onto plagiarism checkers, CMSs, and hiring pipelines — and a lot of people treat their output as a verdict. It isn't. Here's what they actually measure, and why the score is closer to a weather forecast than a fact.&lt;/p&gt;

&lt;h2&gt;
  
  
  What they actually measure
&lt;/h2&gt;

&lt;p&gt;No detector "reads" your text for meaning. They estimate the probability that a passage was machine-generated from surface statistics. Three approaches dominate:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Perplexity&lt;/strong&gt; — how &lt;em&gt;surprised&lt;/em&gt; a language model is by each next word. Human writing tends to take odd turns; LLM output is, by construction, the high-probability next token most of the time. So low, flat perplexity reads as "probably AI."&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Burstiness&lt;/strong&gt; — how much sentence length and complexity vary. Humans mix a 4-word sentence with a 40-word one. Models trend toward an even rhythm. Low variance → "probably AI."&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Trained classifiers&lt;/strong&gt; — a model shown lots of human and machine samples that learns to output a probability. This is only as good as its training distribution; feed it a domain it hasn't seen and it guesses.&lt;/p&gt;

&lt;p&gt;A fourth idea, &lt;strong&gt;watermarking&lt;/strong&gt;, biases the model's word choices in a pattern a matching detector can later spot. It's the most principled approach in theory, but it only works if the provider actually watermarks output &lt;em&gt;and&lt;/em&gt; the watermark survives copying, paraphrasing, or light editing. Usually it doesn't.&lt;/p&gt;

&lt;h2&gt;
  
  
  Why the score is unreliable
&lt;/h2&gt;

&lt;p&gt;Because all of the above measure &lt;em&gt;predictability&lt;/em&gt;, not authorship, the failure modes are systematic:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Clean human writing scores as AI.&lt;/strong&gt; The exact style we teach people to write — short, clear, well-structured — is low-perplexity. The better your prose, the more "robotic" it looks to a detector.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Documented bias against non-native English.&lt;/strong&gt; A widely cited 2023 Stanford study (Liang et al., published in &lt;em&gt;Patterns&lt;/em&gt;) found detectors disproportionately flag text by non-native English speakers, whose simpler phrasing reads as low perplexity. That's a fairness problem, not a rounding error.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Trivially defeated.&lt;/strong&gt; A few paraphrases, a synonym pass, or moderate editing collapses the signal. So the tool punishes honest plain writers while waving through anyone who lightly edits machine output.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Even OpenAI gave up.&lt;/strong&gt; OpenAI quietly discontinued its own AI Text Classifier in July 2023, citing low accuracy. When the lab that ships the generator can't reliably detect it, a third-party box promising "99% accurate" should set off alarms.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  What to do instead
&lt;/h2&gt;

&lt;p&gt;If you ship anything that acts on a detector score — moderation, grading, hiring — treat the number as a faint hint, never proof:&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;
&lt;strong&gt;Never auto-act on a single score.&lt;/strong&gt; A false positive that accuses a student or rejects a candidate causes real harm.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Look at process and context&lt;/strong&gt; — drafts, edit history, the ability to explain the work — not a probability.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;If you build with detectors, log and surface the uncertainty.&lt;/strong&gt; Show the confidence band, not a binary "AI / human."&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;The honest summary: AI detectors are probabilistic pattern-matchers with high false-positive rates and a built-in bias against plain and non-native writing. Useful as a weak prior; dangerous as a verdict.&lt;/p&gt;

&lt;p&gt;I wrote a longer, fully-sourced breakdown — including how watermarking holds up and what the research actually says — here: &lt;a href="https://alexi.sh/ai/how-do-ai-detectors-work" rel="noopener noreferrer"&gt;How do AI detectors work?&lt;/a&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>machinelearning</category>
      <category>writing</category>
    </item>
    <item>
      <title>How browser fingerprinting actually identifies you (and how to check yours)</title>
      <dc:creator>ricco020</dc:creator>
      <pubDate>Tue, 16 Jun 2026 14:49:18 +0000</pubDate>
      <link>https://dev.to/ricco020/how-browser-fingerprinting-actually-identifies-you-and-how-to-check-yours-2f7o</link>
      <guid>https://dev.to/ricco020/how-browser-fingerprinting-actually-identifies-you-and-how-to-check-yours-2f7o</guid>
      <description>&lt;p&gt;Cookies are easy to block. Fingerprinting is the technique that quietly replaces them — and most people have never tested how exposed they are.&lt;/p&gt;

&lt;h2&gt;
  
  
  What a fingerprint actually is
&lt;/h2&gt;

&lt;p&gt;A browser fingerprint is a combination of attributes your browser exposes to every site: user-agent, screen resolution, timezone, installed fonts, language, and — crucially — the way your specific GPU and graphics stack render a hidden &lt;code&gt;&amp;lt;canvas&amp;gt;&lt;/code&gt; or WebGL scene. Individually these are low-entropy. Combined, they're often unique enough to single you out of millions, with no cookie and no login.&lt;/p&gt;

&lt;p&gt;The key idea is &lt;strong&gt;entropy&lt;/strong&gt;: each attribute carries some bits of identifying information. Timezone alone is weak. Timezone + a canvas hash + your exact font list + audio-stack quirks can be more than enough to re-identify you across sessions and even across sites.&lt;/p&gt;

&lt;h2&gt;
  
  
  The main vectors in 2026
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Canvas / WebGL rendering&lt;/strong&gt; — the same drawing instructions produce subtly different pixels depending on your GPU, drivers and OS. A hash of that output is one of the most stable signals.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;AudioContext&lt;/strong&gt; — generating a waveform and reading it back leaks tiny differences in your audio stack.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Font enumeration&lt;/strong&gt; — the set of fonts you have installed is surprisingly personal.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Hardware hints&lt;/strong&gt; — &lt;code&gt;navigator.hardwareConcurrency&lt;/code&gt;, &lt;code&gt;deviceMemory&lt;/code&gt;, pointer/touch capabilities.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  How to reduce your fingerprint
&lt;/h2&gt;

&lt;p&gt;There's no perfect answer, but there are real trade-offs:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Tor Browser&lt;/strong&gt; makes everyone look identical by design — the strongest option, at the cost of speed and convenience.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Firefox&lt;/strong&gt; with &lt;code&gt;privacy.resistFingerprinting&lt;/code&gt; (or the simpler "strict" tracking protection) normalizes many of these signals.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Brave&lt;/strong&gt; randomizes canvas/audio readings per session so the hash isn't stable.&lt;/li&gt;
&lt;li&gt;Counter-intuitively, &lt;strong&gt;rare extensions or an exotic setup can make you &lt;em&gt;more&lt;/em&gt; identifiable&lt;/strong&gt;, not less — uniqueness is the enemy.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Test yours
&lt;/h2&gt;

&lt;p&gt;Before changing anything, measure it. &lt;a href="https://coveryourtracks.eff.org/" rel="noopener noreferrer"&gt;Cover Your Tracks (EFF)&lt;/a&gt; and AmIUnique both show your uniqueness score and which attributes leak the most bits.&lt;/p&gt;

&lt;p&gt;For a full 2026 technical breakdown — every vector, how detection works under the hood, and what each browser actually mitigates — I keep a deeper reference here: &lt;strong&gt;&lt;a href="https://alexi.sh/posts/browser-fingerprinting-state-art-2026" rel="noopener noreferrer"&gt;Browser fingerprinting: state of the art 2026&lt;/a&gt;&lt;/strong&gt;.&lt;/p&gt;

&lt;p&gt;The honest takeaway: you can't get to zero in a normal browser, but you can move from "trivially unique" to "blends into a large crowd" — and that's most of the battle.&lt;/p&gt;

</description>
      <category>privacy</category>
      <category>security</category>
      <category>webdev</category>
      <category>browsers</category>
    </item>
    <item>
      <title>rclone crypt: encrypt files client-side before they touch any cloud</title>
      <dc:creator>ricco020</dc:creator>
      <pubDate>Sun, 14 Jun 2026 03:13:55 +0000</pubDate>
      <link>https://dev.to/ricco020/rclone-crypt-encrypt-files-client-side-before-they-touch-any-cloud-123</link>
      <guid>https://dev.to/ricco020/rclone-crypt-encrypt-files-client-side-before-they-touch-any-cloud-123</guid>
      <description>&lt;p&gt;If you want files encrypted &lt;strong&gt;before&lt;/strong&gt; they ever reach a cloud provider — so the provider only ever sees ciphertext — &lt;code&gt;rclone crypt&lt;/code&gt; is the simplest tool that works with almost any backend (S3, Google Drive, Dropbox, pCloud, Backblaze B2, a plain SFTP box…). This is client-side, zero-knowledge-style encryption you fully control. Here's a clean setup.&lt;/p&gt;

&lt;h2&gt;
  
  
  The idea
&lt;/h2&gt;

&lt;p&gt;&lt;code&gt;rclone crypt&lt;/code&gt; is a &lt;strong&gt;wrapper remote&lt;/strong&gt;: it sits on top of a normal remote and transparently encrypts file contents &lt;em&gt;and&lt;/em&gt; file/dir names on the way up, decrypts on the way down. Your passphrase never leaves your machine.&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;local files  -&amp;gt;  [crypt remote: encrypt]  -&amp;gt;  [storage remote]  -&amp;gt;  cloud (sees ciphertext only)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  1. Install
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;curl https://rclone.org/install.sh | &lt;span class="nb"&gt;sudo &lt;/span&gt;bash
&lt;span class="c"&gt;# or: sudo apt install rclone&lt;/span&gt;
rclone version
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  2. Configure the underlying storage remote
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;rclone config
&lt;span class="c"&gt;# n) New remote -&amp;gt; name it e.g. "drive" -&amp;gt; pick your provider -&amp;gt; OAuth/keys&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Test it:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;rclone lsd drive:
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;h2&gt;
  
  
  3. Add a crypt remote on top
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;rclone config
&lt;span class="c"&gt;# n) New remote -&amp;gt; name "secret" -&amp;gt; storage: "crypt"&lt;/span&gt;
&lt;span class="c"&gt;#   remote&amp;gt;  drive:encrypted        # a subfolder on the storage remote&lt;/span&gt;
&lt;span class="c"&gt;#   filename_encryption&amp;gt;  standard  # also encrypts file names&lt;/span&gt;
&lt;span class="c"&gt;#   directory_name_encryption&amp;gt;  true&lt;/span&gt;
&lt;span class="c"&gt;#   password&amp;gt;  (generate a strong one)&lt;/span&gt;
&lt;span class="c"&gt;#   password2&amp;gt;  (salt - optional but recommended)&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;strong&gt;Back up the passphrase + salt in a password manager.&lt;/strong&gt; There is no recovery if you lose them — that's the whole point of zero-knowledge.&lt;/p&gt;

&lt;h2&gt;
  
  
  4. Use it
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# Upload (everything is encrypted client-side first):&lt;/span&gt;
rclone copy ~/Documents secret: &lt;span class="nt"&gt;-P&lt;/span&gt;

&lt;span class="c"&gt;# List (decrypted view, local only):&lt;/span&gt;
rclone &lt;span class="nb"&gt;ls &lt;/span&gt;secret:

&lt;span class="c"&gt;# Mount as a normal folder:&lt;/span&gt;
rclone mount secret: ~/CloudCrypt &lt;span class="nt"&gt;--vfs-cache-mode&lt;/span&gt; writes
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;On the provider's side you'll see only opaque names like &lt;code&gt;a1b2c3d4...&lt;/code&gt; — no filenames, no content.&lt;/p&gt;

&lt;h2&gt;
  
  
  5. Verify the provider sees nothing
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;rclone &lt;span class="nb"&gt;ls &lt;/span&gt;drive:encrypted    &lt;span class="c"&gt;# raw view = encrypted blobs + scrambled names&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If you can read filenames here, filename encryption isn't on — recheck step 3.&lt;/p&gt;

&lt;h2&gt;
  
  
  Gotchas
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;&lt;code&gt;crypt&lt;/code&gt; encrypts content + names, not the &lt;em&gt;number&lt;/em&gt; of files or their sizes.&lt;/strong&gt; A motivated observer can still infer file count and approximate sizes. For metadata-sensitive cases, pad or archive first.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;It does not add redundancy.&lt;/strong&gt; crypt is encryption, not backup — keep the 3-2-1 rule.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Two different crypt remotes with different passwords are incompatible.&lt;/strong&gt; Decide your scheme once.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  When a provider-native E2E option is better
&lt;/h2&gt;

&lt;p&gt;&lt;code&gt;rclone crypt&lt;/code&gt; is great for bolting encryption onto &lt;em&gt;any&lt;/em&gt; backend. But if you want native end-to-end encryption, mobile apps, and sharing built in, a zero-knowledge provider may fit better. The trade-offs between "encrypt-it-yourself" and provider-native E2E/zero-knowledge are worth understanding:&lt;/p&gt;

&lt;p&gt;→ &lt;strong&gt;&lt;a href="https://priviy.com/en/blog/e2e-vs-zero-knowledge-cloud-storage-2026" rel="noopener noreferrer"&gt;End-to-end vs zero-knowledge cloud storage — what's the real difference&lt;/a&gt;&lt;/strong&gt;&lt;/p&gt;

</description>
      <category>rclone</category>
      <category>encryption</category>
      <category>privacy</category>
      <category>cloud</category>
    </item>
  </channel>
</rss>
