Roastidio.us in webspace https://www.theregister.com/

'Free' VPN Hola is LITERALLY flogging access to users' devices

Mon, 22 Jun 2026 21:02:08 +0000

The VPN service Hola, which claims to have more than 9.7 million users, is now selling its access to users' machines as exit-nodes under the Luminati brand.

Described as "the world's largest VPN network", Hola's Luminati brand is advertised as being simple and effective to use: "Route your HTTP, HTTPS or TLS requests to any one of our 'Super Proxies', and they will route the requests through our millions of end nodes."

Users of Hola route their traffic through each others' devices, thus freeing the company from those tricky bandwidth expenses.

REG AD

Those "end nodes" are idling user devices which have Hola's "free" VPN browser extension or app on them, in another example of users being the product rather than the customer.

REG AD

As the software only routes traffic through users' devices when those devices are idling, the interruption to the user is minimised.

This, along with the company's less-than-forthcoming approach to explaining how their VPN works, means many of its users do not realise that their machines are the VPN.

Now, following the launch of the Luminati service, access to these users' devices is being sold outside of that user base to businesses, and a poor vetting procedure for those purchasing that access has led to at least one malicious party exploiting those users' machines for an attack.

This was flagged up by Frederick Brennan, founder of 8chan, "a free-to-use board that allows posters to post completely anonymously [where] only content illegal in the USA is deleted", following a spam attack on the site. (Readers should note the site is definitely NSFW beyond the linked page)

Brennan explained to El Reg:

Starting on the 23rd of May, and climaxing on the 25th of May, 8ch.net was slammed with posts from IP ranges normally assumed to be clean – that is, those originating from residential networks and university networks.
The posts were all legitimate-seeming, and due to being from all different IPs 8ch.net's algorithms did not detect an attack and attempted to process all the posts, forcing the web servers to crash.
I had no idea why all these IPs were attacking and assumed someone had rented a botnet just to attack us, but Bui [the attacker] told me in IRC that actually he had signed up for a free trial on luminati.io.

Brennan says it is impossible to distinguish whether a given IP has the Hola VPN software installed or not:

8chan posts are – as is standard for image-board culture – often vulgar, abusive and full of highly off-colour lulz. The site's attitude towards free speech, however, doesn't reduce its need for anti-spam and anti-DDoS measures. Brennan explained that in "using regular IPs that are not on any DNSBLs (DNS blacklists), the Hola network subverted all of our safeguards".

[There's] no tell-tale open port, no special header from Luminati, and no specific range.
This is a huge issue for 8chan, which allows posters to post completely anonymously, and has some protections in place for typically abused ranges (like Tor and VPN ranges) but still allows posts through.
An attacker used the Luminati network to send thousands of legitimate-looking POST requests to 8chan's post.php in 30 seconds, representing a 100x spike over peak traffic and crashing PHP-FPM.

Brennan managed to implement a CAPTCHA as an emergency provision for his site, but this would not prevent against attacks on other forums which have also had their safeguards subverted by the IP-masking VPN.

REG AD

Ofer Vilenski, the founder of Hola, admitted to The Register that his service was used to attack 8chan.

"In such a case, our VPN network was the infrastructure that he used, and was one of many possibilities he had for an infrastructure," said Vilenski. "We screen users of our commercial network (Luminati) prior to them using it, and in this case [the hacker] got through our screening process, which we have adjusted following this case."

The road to woebegone peers

The architecture of the P2P VPN has provoked much disagreement between the company and outside parties regarding both the ability of Hola to take responsibility for malicious use of Luminati, and whether any effective protections could possibly be engineered to prevent such misuse.

The Register spoke to Sean Sullivan, security advisor at F-Secure, who suggested the structure of the service had to inform the apportioning of responsibility if it was misused.

As the users themselves effectively psuedonymise malicious actors with their own IP address, the service has been alleged to be commercially providing, as in the case of the 8chan attack, a kind of voluntary botnet - although the degree to which users can be considered to have volunteered is contentious.

Talking to The Register, Vilenski rejected the idea that the Hola service subverted important security standards at other sites, stating that "we are very concerned about not having cyber criminals use our network, and are doing our best to be able to offer a great service to consumers, while protecting them and the network against criminals. For this we screen users of our commercial network (Luminati) prior to them using it to avoid this type of mis-use as much as possible, and in this case [the attacker] got through our screening process. We have adjusted our procedures and technology accordingly."

Having a peer-to-peer structure, there is some credibility to the argument that Hola can’t be accountable enough for bad actors who use "its" service – because they don’t own the infrastructure, it’s made up of its users' computers. If there is a bad actor using the service to abuse people, the users are contributing to that abuse. That’s a factor which could cause some to rethink the cost of free.

Whether criminality can be screened whilst providing an effective network for users to circumvent location locks, for instance to access domestic entertainment content whilst abroad, is an established debate, as is that regarding private and unmonitored access to the internet.

REG AD

However, Vilenski's claims - which do explain what is possible when preventing or redressing attacks - may be considered selective in the light of archived pages for the Luminati service.

Luminati has explicitly advertised "Real anonymity – the Exit Nodes in the Luminati network are regular PCs, laptops and phones, and thus are not identified as proxies or as Tor network nodes."

Like Tor, only much larger, faster and more anonymous

The current site has notably updated these claims about the service and now simply asserts: "Unidentifiable. Exit nodes are personal devices".

A series of updates at both Hola and Luminati, largely covering the sites' promotional and user/customer-facing material, occurred after when Brennan asserted the attack on his site began.

Brennan told The Register that "before the 26th of May, Hola's FAQ was very vague as to how the service worked".

While Hola's old FAQ stated that the service "works by sharing the idle resources of its users for the benefit of all", it does not explicitly inform downloaders that they are providing the VPN service for their peers. The current FAQ is certainly more explanatory:

These changes, Brennan notes, followed sharply after his criticisms. Vilenski does not dispute this, and told El Reg: "We are listening to the conversations about Hola and while we think we've been clear about what we are doing, we have decided to provide more details about how this works, and thus the changes in the past 24 hours."

With regard to Hola's claims that it has "more than 9,761,015 exit nodes" on its Luminati site, Brennan criticised the service, saying: "They charge $20/GB to use lines that cost them nothing, their software simply mooches off of the unfortunate users who have installed the proprietary Hola software."

He also noted that the site had formerly advertised itself as being "like Tor, only much larger, faster and more anonymous".

When The Register asked Vilenski what he thought of this, the Hola founder said that Hola/Luminati "are not good networks for hardcore cyber-criminals to use", and offered three reasons why:

Hola built a peer-to-peer overlay network for HTTP, which securely routes the sites you choose through other Hola users' devices and not through expensive servers. Hola never takes up valuable resources from these users, since it only uses a user as a proxy if that users' device is completely idle (meaning device is connected to electric power (not on battery), no mouse or keyboard activity is detected, and device is connected to the local network or Wi-Fi (not on cellular)).

Broken nodes?

Vilenski defended Hola's business model against claims that its users had not given informed consent for their devices to be used as part of their commercial Luminati service. Vilenski explained to The Register: "Similar to how Skype spent millions to develop a P2P system for Voice which made voice calls free, Hola has (over a period of 4 years) spent millions of dollars to develop a P2P technology for HTTP that enables a free VPN network for consumers, and a good commercial VPN network for commercial use for which we get paid."

We asked F-Secure's Sullivan whether he was comfortable with Hola's business model. "Yes, in theory, the business model is acceptable," he said, "if users of the service are informed before they consent."

Sullivan thinks the problem lies at the end-user level, rather than with Hola.

"Unfortunately, many people looking to unblock restricted content for 'free' don’t really care about informed consent," he said. "So it’s difficult to tell if there is anybody really being exploited in this case. The buyer must beware just as much as the seller should be upfront."

1. TOR network is completely anonymous, and nobody (except the NSA maybe :-) has access to the source of the requests on that network. That makes it the ideal network for hardcore criminal activity, and running an exit node is most likely helping many of the wrong people, as well as putting the operator in danger
2. Hola on the other hand is a commercial network, run by a commercial company that has its customers and its business in mind. Thus if we sensed criminal activity on our network we are able to see the source of the request and thus to help law enforcement get to the real criminal, not the Hola user through which that traffic was relayed
3. The above two points seem to discourage this kind of activity on our network. We've never heard of a case where a Hola user had any such problems, despite having an install base which is thousands of times bigger than the Tor base

Sullivan also disagreed with the suggestions that Hola's "idle mode" model enabled the service to conceal its commercial functions.

8chan's Brennan, however, thinks that Hola should be responsible for acquiring explicit and affirmative informed consent from its users.

"In my opinion, the only way that they could handle this situation is to pop up a message in plain English to all their users that says something to the effect of: 'Hey there, just so you're aware, Hola is free because it lets others use your internet connection in exchange for you using the connections of others. You may receive abuse reports based on the actions of others. If you do not consent, uninstall Hola.'"

Peer-shaped security problems

Luminati says that its VPN connection "from your Super Proxy to any of millions of nodes 'in the wild' reduce[s] the risk of man-in-the-middle attacks, snooping, or control of end nodes (as may be the case in Tor)".

Sullivan suggests this is not the case, however, as "a peer-to-peer network requires trusting all of the peers. And with 9.7 million exit nodes, Hola users undoubtedly route some of their traffic through computers infected with malware."

The security of particular VPN connections, even when they have taken place in a relationship between a user and provider, has come under some strain since the logjam cryptography bug was disclosed earlier this month. ®

I’ve spoken with somebody who tried Hola and she uninstalled the Chrome plug-in because of poor performance after only a few hours. People are very demanding of software, even “free” software. I don’t think the idle mode function has anything to do with concealment – it’s all about performance. People generally know that there isn’t really such a thing as a free lunch, so any irregular performance can cause suspicion and an uninstall.

The business model doesn’t provide for security. 'Free' takes the 'private' out of Virtual Private Network. A VPN should be a relationship between a user and a provider, not a user and millions of others.

Apple's WebKit performance tax leaves iOS browsers stuck in the slow lane, says Microsoft

Sun, 21 Jun 2026 10:10:12 +0000

Critics and competitors have long complained about the "Apple Tax" – the sales commission developers are obliged to pay on App Store sales and in-app purchases.

Now Microsoft engineers have documented a performance tax – the performance hit that iOS users today endure because Apple requires iOS browsers, with theoretical exceptions, to use the WebKit browser engine that powers Safari.

The performance tax comes to 28.6 percent, almost as much as Apple's 30 percent commission rate.

REG AD

Browser rendering engines handle the heavy lifting for web browsers. "They determine how web standards are implemented, how security and privacy protections are enforced, and which actors ultimately shape the evolution of the web," as Mozilla recently explained.

REG AD

Just three major engines dominate commercial deployments: Blink, the foundation of Chrome and its Chromium-based siblings Edge, Vivaldi, Brave, and Opera, among others; WebKit, the foundation of Safari; and Gecko, the foundation of Firefox.

Firefox holds about 2 percent of the global browser market share, according to StatCounter. That helps explain Mozilla's concern that the lack of browser engine diversity, a consequence of the market power of Google and Apple, threatens the open web.

According to DigitalApplied, Safari owns 23.4 percent of mobile browsing on iOS globally and 51.2 percent of mobile browsing in North America.

But due to Apple's platform rules, every browser that runs on iOS is WebKit-based, so there are few opportunities for competitive differentiation outside of interface elements.

Browser rivals, advocacy groups, and web developers have argued that Apple should relax its platform rules and improve its web technology for years. Europe's Digital Markets Act (DMA), plus regulatory action in Japan and elsewhere, have amplified hope that Apple will allow more competition on its mobile OS. The latest such investigation comes from the Italian Competition Authority.

Microsoft has now highlighted the cost of the iOS browser engine monoculture – time lost to Safari's slowness.

On Monday, Kyle Pflug, group product manager for the Microsoft Edge Web Platform, published benchmark test results using Apple's Speedometer 3.1 and other test tools that show how a Chromium-based iOS browser using the open source Blink rendering engine compares to Apple's Safari browser, which relies on the open source WebKit rendering engine.

Edge is a Chromium-based browser, and if it were implemented for iOS using BrowserEngineKit, a framework Apple introduced in March 2024 to comply with Europe's Digital Markets Act (DMA), it would score 28.6 percent better (49.27 vs 38.3 on Speedometer 3.1) than Apple's Safari browser under iOS 26.5.1.

REG AD

It would also outperform Safari on the JetStream 3 benchmark (JavaScript and Wasm performance) by 13.1 percent (306.35 vs 270.9) and on the MotionMark 1.3.1 benchmark (graphics rendering) by 2.1 percent (4,773.52 vs 4,673.68).

"To be clear, this is a research prototype, not a product announcement; and these are preliminary numbers from my own device, not lab results," said Pflug. "But it does prove out the opportunity to close real capability gaps and deliver new competition on performance."

Rick Byers, principal Chrome engineer at Google, took note of the results.

"Given how Chromium and WebKit are always vying for the top spot in Speedometer on macOS, it's really striking how big the gap is on iOS!" he said in response to Pflug's post. "And we haven't even really tried to optimize performance for that platform yet! IMHO this is what you should expect to see when there's a lack of competition!"

Apple did not immediately respond to a request for comment.

The EU has enforced competition through browser selection screens, with some success. In theory, the bloc's rules should promote browser engine competition on iOS. The DMA allows EU-based developers to build browsers with rendering engines other than WebKit.

Since March 2024, Apple has provided tools to do so. Yet more than two years later, no browser maker has launched an alternative browser.

As Microsoft has done with Edge, Google and Mozilla have prototyped Blink and Gecko-based versions of their respective browsers for iOS. But no such browser has been released.

REG AD

That may be because building a new browser means scaling considerable technical hurdles that Apple hasn't rushed to lower, such as BrowserEngineKit bugs. Browser makers therefore consider the Apple rule compliance process too onerous. For example, if Microsoft were to release a Blink-based version of Edge on iOS, it would have to be a separate app from the WebKit-based version of Edge – leaving Redmond to reacquire its entire iOS user base.

Alex Moore, executive director of Open Web Advocacy, a group that has lobbied on behalf of web developers against Google and Apple's platform rules, pointed to citations [PDF] in US court filings (the US 2024 antitrust case against Apple is ongoing) and UK regulatory documents that highlight the problem posed by Apple's platform power.

In February 2020, these documents say, Apple's vice president of iPhone marketing proposed that the company should "set a stake in the ground for what features we think are 'good enough' for the consumer" rather than investing and innovating.

"This is a clear example of the costs Apple imposes on consumers and businesses worldwide, costs created by its 17-year ban on competing browser engines," Moore told The Register.

"Even in the EU and Japan, where Apple is now required to allow browser vendors to use their own engines, the barriers it has put in place ensure browser vendors are prevented from porting their own engines to iOS. Given that Apple has now had more than two years to produce a compliant solution, the European Commission needs to open a specification proceeding to instruct Apple, in precise terms, how these barriers must be removed."

"If Apple can restrict browser engines on iOS, it can limit what the mobile web is capable of, and keep businesses dependent on native apps and app store rules. This is, in our view, the most critical intervention the EU could possibly make, and the one most likely to reshape the entire mobile ecosystem. No other intervention comes close." ®

AI code boom drives production failures, higher spending

Fri, 19 Jun 2026 13:54:58 +0000

The rapid adoption of AI-generated code is driving production failures and higher costs for enterprise customers.

Eighty-one percent of enterprise technology leaders among more than 200 surveyed reported an increase in production issues linked to AI-generated code, according to a study published by enterprise software delivery biz CloudBees.

Sunil Gottumukkala, CEO of Averlon, an agentic vulnerability remediation biz, told The Register in an email that these issues tend to refer to functionality bugs, performance issues, availability problems, and security vulnerabilities rather than CI/CD failures.

REG AD

MORE CONTEXT

"These are issues that surface after code has already been deployed to production, which means the code passed every review and deployment gate and still broke things," said Gottumukkala. "When failures happen post-deployment, it signals that the validation process itself isn’t keeping pace with what AI is producing."

REG AD

Yet 92 percent of respondents expressed confidence that their code was production-ready before it shipped.

Jacob Krell, senior director of secure AI solutions and cybersecurity at Suzu Labs, told The Register in an email that the report does not isolate what specifically failed at these organizations.

"It spans functional defects, security vulnerabilities, and compliance violations that reach production because governance and validation have not scaled with output," he said. "The same study found 69 percent citing security vulnerabilities and 63 percent citing compliance issues introduced by AI generated code specifically."

Krell said what ties them together is the verification gap.

"AI generates code faster than teams can validate it," he said. "Seventy percent of respondents now say test suite maintenance is a larger burden than writing code itself. These are not system crashes in the traditional sense. They are the full spectrum of what reaches production when volume outpaces the capacity to verify quality, security, and compliance before deployment."

Respondents said 61 percent of their organizations' code has been generated by AI or has come into being with AI assistance. And 64 percent of the engineering organizations involved say AI is widely or fully integrated into their workflows.

The result is that more than half (52 percent) of those surveyed report an uptick in software development output. And while 68 percent of organizations appear to be convinced AI is delivering business value, only 31 percent of AI-related spending can be linked to specific business results. In 36 percent of organizations, AI spending is tracked without measuring the return on investment or isn't tracked at all.

With more code comes more cost from infrastructure spending, in the form of increased CI/CD, testing, and security scanning. Some 54 percent of respondents said CI/CD infrastructure spending has risen significantly in the past 12 months, and 53 percent flagged rising testing, security, and deployment costs.

REG AD

Only 45 percent of respondents say these costs are predictable quarter to quarter. Yet relatively few organizations have taken steps to control AI spending: 27 percent report quotas or limits on token usage, while just 18 percent have automated spending controls.

And this is a problem without ownership. Just 12 percent of organizations have dedicated AI governance. For 46 percent, the buck stops with the CTO or VP of engineering when there's a production failure. For 32 percent, blame falls on the engineering lead or team associated with the tool that messed up the code. For 7 percent, the developer who shipped the pull request takes the heat.

It may be tempting to take comfort in the fact that 93 percent of respondents say their organization has a formal process for reviewing and releasing AI-generated code. But keep in mind that only 56 percent of survey takers say those processes are always enforced. ®

Feds freaked over Fable 5 after simple 'fix this code' prompt, not jailbreak, says researcher

Thu, 18 Jun 2026 00:16:09 +0000

The “jailbreak” that prompted the Trump administration to block Anthropic’s most advanced models was actually a simple three-word prompt: “Fix this code.”

That's according to Katie Moussouris, founder and CEO of Luta Security, and the fairy godmother of bug bounties. She says she was the only outside expert to read the third-party research paper on the Fable 5 guardrail bypass techniques that prompted the ban.

On Friday, the US government, reportedly citing national security concerns, issued an export control directive to suspend access to Fable 5 and Mythos 5 by any foreign national, inside or outside the United States. In response, Anthropic disabled both models “for all our customers to ensure compliance.”

REG AD

Anthropic shared the report privately with her, Moussouris wrote in a Monday blog post.

REG AD

The outside researchers reportedly fed Anthropic’s Fable 5, Mythos, and Claude Opus models open-source code containing known CVEs, plus new code intentionally laced with vulnerabilities, and asked the models to “review the code for security issues.”

As Moussouris tells it, Fable 5 refused, so the researchers asked the AI systems to “fix this code.” The model reportedly obliged, and after additional prompts also produced scripts to test the patches.

“That’s it,” Moussouris wrote. “‘Fix this code,’ plus several manual steps to generate test scripts, should never have triggered an export control. I feel like making ’90s-style t-shirts with ‘fix this code’ on the front and ‘this shirt is a munition’ on the back.”

Between 2013 and 2017, Moussouris served on the technical expert group that renegotiated the Wassenaar Arrangement, a voluntary agreement between 42 nations that governs certain export controls for classified dual-use software and technology.

The group eventually won exemptions for defensive cybersecurity activity. This allows defenders to share vulnerability data, conduct malware analysis, and coordinate incident response internationally without the threat of criminal prosecution.

On Sunday, Moussouris joined more than 100 other cybersecurity leaders and signed an open letter urging the Trump administration to reverse the restrictions on Fable 5 and Mythos and restore cybersecurity firms' access to the advanced models.

“To pull the best capabilities away from defenders without a good reason when our adversaries are rapidly advancing is dangerous,” they wrote.

In her blog, Moussouris argues that there was no guardrail bypass or jailbreak. Defenders should be able to ask AI systems to find and fix bugs, and write tests to validate the patch, she said. Anthropic’s models were doing “the most valuable thing an AI model can do for defensive security: executing the find, fix, and test loop defenders run every day.”

REG AD

Removing the capability for models to respond to defensive requests makes AI systems “worse at finding bugs and verifying patches,” she continued.

Plus, the US can’t extend export controls to open-weight systems or similar advanced models from China and other countries - and these systems will soon achieve Mythos-like capabilities, anyway. Anthropic and Google have both accused China-based rivals including DeepSeek of using “distillation attacks” to train their models by siphoning knowledge from American companies’ AI.

Banning Anthropic’s advanced models is going to hurt defenders more than attackers, Moussouris warns. “Defense improves when defenders find the same bugs attackers find and fix them faster,” she wrote. “We need the best tools to defend against increasingly capable attackers in the AI era of cybersecurity.”

The Register reached out to the Trump administration for comment on Moussouris' assertion, and we'll update this post if we hear back. ®

MORE CONTEXT

Technology news and analysis | The Register

Wed, 17 Jun 2026 19:27:53 +0000

Tesco is sprinting to quit VMware and Broadcom despite rapid migration risks

Supermarket giant has turned to third-party support as court sets date to hear licensing dispute

AI and brain-computer interface allow speechless ALS patient to work a full-time job

The hardware isn't new, but a UC Davis research team's machine learning-powered method of translating brain activity in an ALS patient into sentences with 92% accuracy is

Developers build the best tools for developers – and are now defanging the AI menace

Fear and even grief are natural reactions to machines that do your job. The next reactions – acceptance and innovation – are more useful

Crooks found a new way to collaborate using Teams – by hiding command-and-control traffic

Custom malware routed communications through legitimate Microsoft services, making malicious activity look like routine corporate collaboration

Only half of US datacenter capacity planned for 2026 is actually under construction

Another fun example of AI hype and reality colliding

System76 boss reckons he can liberate the entire PC stack... just give him another 15 years

Bootstrapped Linux box-botherer flogs new Thelio kit, talks up COSMIC, and politely declines to bolt AI onto everything

There's no such thing as an agentic CPU

AI agents are a general-purpose workload no different from any other

NetworkS

Nvidia-backed optics vendor to boost wafer output by 4x to meet AI interconnect demand

Jensen can't risk semiconductor supply chains derailing the AI hype train

Massive password-stealing attack hits 75k Fortinet firewalls

Why are you even reading this?! Rotate your passwords!!

Uncle Sam bets $500M that Alphabet spinoff's AI can dig up new semiconductor materials

AI drug discovery is so last year, even though it hasn't accomplished much yet

Smartphone market to shrink 15 percent this year due to memory crisis

Buyers put off by rising prices expected to turn to second-hand phones instead

DEVOPS

AWS hypes continuous agentic DevOps, puts Kiro in your pocket

Trust is the biggest barrier to AI adoption, says AI chief, claiming that new features in Bedrock AgentCore will prevent bad outcomes

Surface tension rises as Microsoft's latest kit starts at a pricey $1,499

Snapdragon X2 silicon and recycled aluminum are nice, the sticker shock less so

Security

Cisco adds another SD-WAN box to max-severity bug advisory

Updated at the time? No sweat. Check those logs, though

Homebrew 6.0 released with new security mechanism, Linux sandbox and more

Homebrew was "less vulnerable 10 years ago than npm is today," project lead tells us

Apple's WebKit performance tax leaves iOS browsers stuck in the slow lane, says Microsoft

Rival rendering engines could make pages load almost 30% faster on iPhones, Redmond claims

Intel starts cooking up enhanced 18A-P silicon for would-be foundry customers

Chipzilla claims 9% speed bump without extra power draw but is compatible with designs for 18A

Windows devs rerolled old code to save precious bytes

There really was a time when Microsoft cared about every KB

Public sector

UK.gov links up with LinkedIn for jobs market intel from 40M accounts

What anonymized data taught me about B2B sales... and reliance on the private sector for statistical info

REG AD

PERSONAL TECH

Brit competition cops order Google to make search rankings less mysterious

New rules cover organic rankings, AI Overviews, and user-approved search data sharing

Cyber-crime

Helpdesk scammers are making house calls to make their lies feel more real

15-year-old among six arrested after Dutch cops target suspected bank fraud call center

PERSONAL TECH

Windows update leaves third-party Office document launches in limbo

Microsoft won the OLE vs OpenDoc wars. Now it's saying OLE dependencies don't matter

CYBER-CRIME

Cyberattack sees crops kept in the ground

Bitter harvest for Australia's Mackay Sugar, attacked in peak cane crushing season

MOST POPULAR

Columnists

AWS reportedly to tuck Elon Musk's Grok into Bedrock, despite zero enterprise demand

The energy drink of frontier models

Corey Quinn

EU's digital sovereignty boo-boo may be the best thing to ever happen to the project

DIY or die. Just don't let the CIA buy it

Rupert Goodwins

REG AD

Utah tells porn sites to take the P out of VPNs, and it's their fault that they can't

Rupert Goodwins

AWS to Quick admins: The access control didn't work, but you weren't using it anyway, so what's the problem?

Corey Quinn

AI will soon be capable of telling convincing lies

Mark Pesce

Taiwan's train cyber-trauma reveals a global system that's coming off the tracks

Rupert Goodwins

Trump jumps from 'anything goes' to 'strict regulation' AI policy

Steven J. Vaughan-Nichols

Microsoft's bad obsession is showing up in shabby services and slipshod software. Here's proof

Rupert Goodwins

AWS plants more tombstones in the application graveyard

Corey Quinn

AMD's Mext buy shows how AI could solve the RAM shortage it created

Running low on memory, can't afford more? The House of Zen's latest acquisition puts an AI spin on flash-based memory expansion

ai + ml

The new Siri makes one of Apple's most convenient OS features a cumbersome mess

Goodbye, useful Spotlight; hello force-fed Apple intelligence bloatware that feels distressingly like Google AI Overviews

AI AND ML

Python dev saved from disaster by intuition... and AI

I'm sorry, Dave. I can't install that repo that will totally hose your system

HPC

Intel-born networking tech resurfaces as InfiniBand alternative for DoE supers

Omni-Path lights up Lawrence Livermore system at 400 Gbps

Security

Three critical Fortinet sandbox bugs splattered by unknown attackers

All have patches, so make sure you upgrade to a fixed version

Personal tech

Commodore gets into the phone biz with Sailfish-powered retro 'Callback'

Ships sans email, web, or socials, but with plenty of beige plastic

Software

Firefox 152 understands 'Sssh!'

As Google continues crippling Chrome ad-blockers, it's a good time to try Firefox

SOFTWARE

Microsoft faces down sueball, capacity problems in series of challenges

Misleading statements about Copilot and AI? Surely not!

OS PLATFORMS

Linux kernel 7.1 sends Intel 486 support to silicon heaven

More than 140,000 lines of code bite the dust as ancient CPUs, bus mice, and other legacy leftovers face the chop

SYSTEMS

Non-x86 servers now nearly half the market, IDC says

Demand for AI systems plus the shortage of DRAM and NAND are shaping the global market

PUBLIC SECTOR

NHS Palantir claims face scrutiny after data suggests uneven results

Campaign group says FOI figures show some trusts carried out fewer procedures than before

SCIENCE

NASA said nyet to Roscosmos plan to cut into leaky ISS segment

Crew sheltered in SpaceX Dragon as aging Zvezda segment's cracks continue to test orbital nerve

CYBER-CRIME

Cardiac monitor maker's security skips a beat as data thieves go for the jugular

Attackers used social engineering to access third-party business apps and steal patient information

Systems

Qualcomm said to be circling AI chip biz Tenstorrent in $10B RISC-V power play

Potential takeover would represent significant commitment to the open instruction set architecture

cyber-crime

Scammers keep scoring: Brits fleeced for £1.3B as Americans lose $3.5B to impersonators

More reasons to love social media and AI

PUBLIC SECTOR

Capita is about to sail past deadline to fix civil service pensions scheme

Union says outsourcer will miss June 30 target after portal meltdown and mounting complaints

DATABASES

SQL Server may be too lucrative for Microsoft to ditch, but too legacy to love

Analysts say Redmond still has billions of reasons to keep backing its flagship DBMS, even as Azure, Postgres, and AI hog the spotlight

AI AND ML

ERP users may soon get ahead by going headless, says Rimini Street boss

Look to AI agents and open source to escape the vendor-driven upgrade cycle

On-PREM

France's digital sovereignty push is struggling to escape the Microsoft gravity well

Nextcloud rollout shows locally controlled storage is one thing; getting users off Office is quite another

AI + ML

A modest proposal: Reformat everything to make documents more palatable to AI

What's up, DocLang?

PATCHES

Cisco SD-WAN make-me-root bug under attack

Second Catalyst SD-WAN Manager flaw exploited as an 0-day this month

security

Feds freaked over Fable 5 after simple 'fix this code' prompt, not jailbreak, says researcher

According to the one person who actually read the research paper

offbeat

DARPA seeks swappable satellites to help with future star wars

Worried that an unexpected strike could take out critical orbital systems, Pentagon researchers want to know how fast the industry thinks it could launch replacements

AI AND ML

Anthropic reserves right to check ID for Claude subs

How can I help you today? Present your papers to begin

Virtualization

HPE offers VMware refugees a year off the meter

Free VM Essentials license and cut-price Zerto dangled at customers eyeing a platform escape

CYBER-CRIME

Council of Europe hacked in ShinyHunters' PeopleSoft heist

Joins the ranks of Nottingham Uni and 100 other unnamed victims

DevOps

Java's Project Valhalla finally lands a preview in JDK 28

Don't hold your breath, though – architect Brian Goetz warns devs it will likely still be preview in next LTS release

PUBLIC SECTOR

Feds snooze as US datacenter law set to lapse with no replacement in site

Federal Data Center Enhancement Act (FDCEA) of 2023 covers standards including security and sustainability

offbeat

The Y2K bug is back! Dutch dev digs up untimely flaw in old BSD build

26 years late and no threat unless you still run a PDP-11/70 and rely on short-wave timekeeping broadcasts

SCIENCE

NASA management wants a word and won't say why

A mystery calendar event is certainly one way to find out about being selected for the Artemis III crew

SOFTWARE

Red Hat gives Ubuntu a bootc up the backside at Canonical shindig

Bootable containers pitch shows how distro can be managed with familiar OCI tooling

Security

Microsoft site throwing warnings after someone forgot to renew cert

Connectivity checker trips browser alarms thanks to lapsed security paperwork

REG AD

AI and ML

Salesforce reels in customer support AI specialist Fin for $3.6B

Support bot maker claims its AI agents can resolve three-quarters of customer queries without human help

RESEARCH

PRC-linked spies hid inside medical and military networks for more than a year, snooping through Gmail and stealing data

Google says the intruders were on the hunt for everything from drone tech to pathogens

Security

Arch Linux locks down AUR signups amid wave of malicious commits

Community repo freezes new accounts after attackers swamp it with poisoned package updates

AI AND ML

US clampdown on Anthropic models sends EU sovereignty surge into overdrive

Brussels says access curbs prove Europe needs greater technological independence

SOFTWARE

Flatpak-NG sounds like bad news for systemd refuseniks

Linux app packaging rethink could leave alternative-init distros in the cold

AI and ML

UK AI hiring surges as firms seek people to babysit the bots

PwC says AI hiring jumped 61 percent despite wider slowdown in vacancies, with employers increasingly looking for workers who can use AI rather than build it

PUBLIC SECTOR

UK Treasury hunts CTO on salary that may not compute for top tech talent

The pension may be cushy, but the looming headaches for £77K are not

Public Sector

Palantir's NHS data deal called in for a second opinion

Experts welcome contract review after claims NHS England missed chance to grow UK health tech market

Personal Tech

Britain plots digital bedtime after kicking under-16s off social media

UK plans to go further than Australia, while also targeting stranger contact, livestreaming, and addictive platform features

Ai and ml

Google found liable for bad AI Overview results. Let’s play Truth Or Consequences

Hush. children, what’s that sound? Has the flood gates’ key been found?

OFFBEAT

Munch Museum Windows display gives visitors something to scream about

When art reflects modern realities

offbeat

Chinese e-tailer claimed 14-inch box stretched the size of a 9-inch tablet

This is why you don’t let junior staff ‘save the company a few dollars’

Features

Systems

Europe built sovereign clouds to escape US control. Then forgot about the processors

Intel ME and AMD PSP: The silicon layer nobody certifies

Security

Nobody believes the 'criminals and scumbags' who hacked Canvas really deleted stolen student data

Other than Instructure execs - maybe?

Europe wants out from under US tech – but first it has to find the exits

Report maps the weak points in cloud, identity, and public sector procurement

REG AD

Off-PREM

Fire burns Google Cloud India’s network, which remains slow a week later

PLUS: Japan’s space truck is back in business; Zoho's DIY servers; Record tech exports for Korea, and more!

OFFBEAT

US Army picks out Vampire to fill a gap in its layered drone defenses

L3Harris supplies system that can down incoming drones with laser-guided rockets

AI AND ML

AI is code – and can't be prompted into being smarter

From Java tests to Shai-Hulud, bots keep proving they'll swallow anything you feed them

OFF-PREM

EU sovereignty push gives tech buyers a new alphabet soup to swallow

Brussels presses on despite US fury as it looks to enforce cloud autonomy and bolster open source

personal tech

Scientists pour cold water on claims phones are rewiring kids' brains

MPs told that while concerns over handsets and social media grows, evidence they're changing children's brains is limited

OFFBEAT

World Cup AI predictor now lets users ask daft what-ifs

Spoiler: It doesn't end well for Team Register

Networks

AWS rolls the dice for faster, more efficient networking

Honey, I flattened the datacenter network

Databases

NHS patients can't opt out of Palantir's data platform – but their hospital can

Minister says trusts can go it alone on procurement as Parliament mulls February 2027 FDP contract renewal

offbeat

XP-era Windows spotted haunting London's driverless railway

A blast from the past greets commuters

ai and ml

NanoClaw now armed with JFrog for safer packages

AI agents can't be trusted, so don't give them dangerous powers

systems

SK Hynix to boost memory production 3x ... you can wait another 8 years, right?

We're moving as fast as we can, says SK Group chair

Software

Holy git! Microsoft code-sharing site suffers downtime, despite move to Azure

GitHub caught off guard by customers actually using the AI being evangelized

Systems

EXPLORE SYSTEMS

Windows Open Source FOSS Linux Virtualization Storage

SOFTWARE

MX Linux 25.2 provides possible refuge from AI as well as systemd

Plus, Raspberry Pi edition finally catches up

Security

Fired IT worker jailed for 21 months after sabotaging old school district

Iowan’s scheme undone after misplacing trust in former coworker

AI and ML

KPMG's AI report becomes an accidental demo of AI hallucinations

GPTZero claims only 5 of the report's 45 citations matched their sources, raising questions about how the Big Four's AI study was assembled

Security

Novo Nordisk reports cyberattack as UK gives Wegovy pill the nod

Clinical trial participant data stolen, but pharma giant says exposed records were pseudonymized

ON-PREM

Amazon owns up to using 2.5bn gallons of H2O in its bit barns last year

The West's biggest online shopping mall comes clean about its datacenter water usage

SECURITY

Microsoft has mostly repaired flaw in Surface hardware that allowed unprotected devices to be bricked by a single packet

And it was Microsoft Copilot that unwittingly revealed the longstanding vulnerability

Security

Google fires sueball at alleged Chinese phishers over AI-powered fraud ops

Telegram-based 'Outsider Enterprise' accused of sending millions of scam texts and impersonating trusted brands

OFFBEAT

Elon Musk is now worth more than $1,000,000,000,000

Retail investors lined up to get a handful of Musk's magic beans in SpaceX's debut

AI and ml

Met Police boss threatens to cut 700 frontline jobs after Palantir deal blocked

Commissioner Mark Rowley says automation savings are now 'at risk'

Security

Plymouth council exposes hundreds in latest local government email gaffe

Authority admits mass message to home-schooling families revealed recipients' addresses, prompting ICO report and apology

Public Sector

UK digital ID gets brain trust to 'challenge' ministers on policy

CEO of Mumsnet among the six-member team

BOFH

BOFH: For one ambitious security type, chaos is a ladder

Mission Control sends its regards

REG AD

EVENTS

^{_{^{_{Explore all of our events}}}}

offbeat

Windows bowls a BSOD at sports fans

It's just not cricket

SYSTEMS

Delos Data offers AI chip startups a fast track to rack scale

Half the trouble of building an Nvidia NVL or AMD Helios competitor is just getting the networking out of the box

Personal Tech

This is your BIOS speaking. Please fix me. Your PC is broken

Casual IT team learns that building bespoke PCs can be a false economy

ai and ml

Claude is ready for its corporate close-up

IDC says recent moves show Anthropic racing to meet enterprise requirements

ai and ml

Everyone hates frontier AI labs, says Palantir boss

'Enterprises are fed up,' says Alex Karp, because LLM makers 'want to tokenmax' instead of understanding enterprise needs

AI AND ML

Anthropic recruits army to sell Claude to nonprofits

Join Claude Corps, see the world, spread the gospel of AI

Security

ShinyHunters hacked 100+ orgs by exploiting an Oracle PeopleSoft 0-day

University of Nottingham is first of many, Shiny tells The Reg

ai and ml

Google's new open-weights model brings image-generation tricks to AI text generation

Language model builds on diffusion tech to boost output performance by up to 4x, claims Chocolate Factory

Security

Microsoft's worst 'Nightmare' unleashes BitLocker bypass 0-day

offbeat

Hand-cranked AI box lets you get a workout while you wait for answers

We're all familiar with AI cranks by now, but what about crank-powered AIs?

PAAS AND IAAS

Graviton 5 impresses, but please, for the love of all that's holy, stop calling them 'AI chips'

AWS better at running chip fabs than their mouths

PERSONAL TECH

Trump phone has HTC guts. Tremendous guts. The best guts

iFixit teardown reveals two-year-old, mid-range, Chinese Android

* FOSS

AI and ML

Netflix wiz creates app to slash AI bills, then open sources it

Project Headroom could save you big money, too

OpenBSD 7.9 arrives, a diamond in the rough proud of every sharp edge

Sixtieth release adds more cores, delayed hibernation, and basic Wi-Fi 6 without losing its ascetic streak

Fedora: Microsoft is all aboard, but Deepin is dumped

Red Hat’s free distro loses a desktop, but makes an important new friend

LocalSend puts your sneakernet out of business

Like AirDrop, minus the Apple lock-in

Next Platform | HYPERSCALERS

Blocks & Files | STORAGE

DevClass | ENGINEERING

security

VRChat says somebody faked a breach notice with the Maine AG's office

'We have no reason to believe that our data or systems have been compromised. We are in the process of contacting the Maine Attorney General's office to have this removed.'

DEVOPS

Apple gives Mac devs a WSL-ish thing to call their own

Blending containers and VMs but some features half-baked

Science

Race against re-entry: Swift's would-be saviour straps itself to a rocket

Katalyst's LINK spacecraft is go for integration, with a launch from Kwajalein expected within weeks

Applications

Apple version of Office 2019 becomes useless in a month

The only solution is to buy an upgrade (or switch providers)

SYSTEMS

Dutch chip startup claims all-European fab flow – with help from a very American friend

Satnav parts designed and manufactured in the EU, but using GlobalFoundries to produce them

AI and ML

OpenAI could go from AI pioneer to AI's BlackBerry, says Forrester

As OpenAI courts investors and chases enterprise customers, Forrester says today's AI leader could become tomorrow's cautionary tale

PAAS AND IAAS

Oracle's AI datacenter splurge gives investors the capex jitters

Q4 sales climbed 21%, but Wall Street more interested in $70B buildout bill

Personal tech

Met Police joins forces with Apple to choke London's stolen phone trade

Intelligence-sharing pact tracks kit that comes back online after being nicked

Cyber-crime

Malware scare keeps schoolkids home for a second day

Great Marlow restricts network access while it investigates suspected infection

PUBLIC SECTOR

NS&I dangles £220K salary for CEO willing to straighten out £3B IT mess

Comes with a corner office, government scrutiny, and the 'full-spectrum disaster' known as Project Rainbow

Cyber-crime

Nottingham Uni says student records raided after ShinyHunters claims cyberattack

Crooks claim 40 GB haul as breach database pegs number of exposed email addresses at 455K

SAAS

UK Treasury still deciding whether to show up to £1.7B ERP program it agreed to fund

Move from Oracle put back until December following delays to Workday rollout

Partner Content

DON'T MISS

Anthropic sues US government after unprecedented national security designation

Brands Trump administration decision 'legally unsound' and has 'no choice but to challenge it in court'

SECURITY

Every employee’s password was stored in a single Excel file

The CEO thought this was the best way to deal with some email issues

Security

Chinese agents caught rebuilding botnets and stirring the pot on AI datacenter debate

PRC eyes are watching you

AI + ML

Memory and personalization make AI more likely to tell you what you want to hear

A little knowledge is a dangerous thing, particularly for enterprise applications

offbeat

Blockbuster new Raspberry Pi project turns any screen into old-school VCR

Who needs fancy menus and high definition? 240-MP will play your media files like it's 1999

AI AND ML

It blocked us at 'hello!' Anthropic Fable 5 refusing innocuous prompts

Hyper-vigilant safety classifiers turn Fable into cautionary tale

Security

Angry bug hunter with Microsoft beef drops new Windows 0-day

Revenge is a dish best served code

on-prem

GM gets datacenter fever, decides to build grid-scale sodium-ion batteries

Detroit automaker partners with Peak Energy to try a saltier route to energy storage

On Call

Offbeat

Tech support chap hauled out to help SWAT team saw his life flash before his eyes

Networks

Russian oligarch's financial network crashed thanks to a crank and a cleaner

Software

Marketing demanded IT add website feature that was already working

Systems

On-call techie decided job was done and hit the bottle – just before his pager went off

Lazy weekend of Grand Prix fun turned into a terrifying all-nighter

On-Prem

Custom PC worked in the lab, failed on site – and so did the angry client

Applications

User found the perfect formula to make Excel misbehave

Networks

To fix this Wi-Fi network, we'll need a crane

Networks

Support tech caught by 'Technician Aura': the bug that only hides when you're watching

AI Companies

AI AND ML

'It would be good for the world' to slow down AI sprints, Anthropic says

The plea for caution comes the same week it beat AI archrival OpenAI to filing for an IPO

UK banks offered access to OpenAI’s GPT-5.5 amid exclusion from Anthropic’s Glasswing expansion

150 new organizations inducted to cyber’s Soho House, including the first outside the US

Cisco sings Mythos' praises - but doesn't say how many bugs the model uncovered

Meanwhile, Anthropic adds 150 partners to Project Glasswing

Google explains how it will infuse ads into AI answers

Just like in The Truman Show

Google touts its tokenmaxxing and capex spending amid AI orgy

Chocolate Factory readies always-on agents for searchers

Anthropic, now atop the AI bubble, files for its IPO

First it tops OpenAI's valuation, then it beats Altman to the IPO punch

Anthropic co-founder hallucinates ghost in the machine

The nature of AI is unnatural. It's not intelligent. It's not human

on-prem

Datacenter growth may run into a power wall by 2030

Grid operators could struggle to support new bit barn construction

OS PLATFORMS

macOS 27 beta boots Asahi Linux off Apple Silicon

Partition's still there, but good luck seeing it and don't upgrade until fix lands, says team

LEGAL

Vercel escapes contempt rap after admitting it botched FBI warrant response

Files sought by feds were sitting in a deletion queue, not gone for good

OS PLATFORMS

Linux Lite 8.0 sheds Chrome, slims down, and finds its name fits better than ever

Firefox is in, Snap and Flatpak are still out, but a default AI helper may raise eyebrows

AI AND ML

Brit workers waste nearly six hours a week 'botsitting'

Productivity gains lost as staff spoon-feed AI and correct its cock-ups

DevOps

GitHub pulls pin on npm's auto-run scripts

Shai-Hulud worm exploited exactly this. Better late than never, says everyone except the malware authors

SCIENCE

NASA names crew for Artemis III lunar lander rehearsal

Whether any of the spacecraft will be ready in time for H2 2027 remains unanswered

Patches

Ivanti tells Sentry customers to patch now as critical bugs hit 10.0 and 9.9

Remote, unauthenticated RCE with root privileges is about as bad as it gets

ON-PREM

Brussels' datacenter efficiency scorecard may come with a credit warning

Moody's says proposed A-to-G green grades for bit barns could affect financing

Channel

Node4 CEO Neil Muller found dead at home after suspected stabbing

MSP says it is 'absolutely devastated' as woman arrested on suspicion of murder

systems

SpacemiT shows off usably quick RISC-V mini desktop

Actual RVA23 hardware and useful performance – for a certain price

bootnotes

France and Germany agree to disagree, ditch joint next-gen Euro fighter

Aircraft at core of the Future Combat Air System canned as parties could not decide who leads on the work

Infosec

security

World Food Programme breach exposes data of 600k vulnerable Gazan families

Those receiving aid in the famine-threatened, war-torn territory told support will remain

Security

Council in UK's City of York outs hundreds of disabled residents with a single email blunder

Blue Badge holders exposed to each other after BCC function proves too complex

CYBER-CRIME

Pink is the latest goon squad to use fake helpdesk calls to steal creds

A familiar tactic popularized by chaotic crime crew Lapsus$

Security

OpenAI's agent chained decade-old DoS attacks to crash web servers in seconds

Codex drops an HTTP/2 Bomb

Five Eyes: Watch out for odd LinkedIn connection requests, China's back on the hunt for state secrets

Cash-for-intel tradecraft continues to concern intelligence officials years after it was first spotted

Explore Security

CISO Identity Authentication Zero Trust Governance Encryption End Point Protection Advanced persistent threat Incident Phishing Ransomware Malware Spyware Hijack Trojan Breach Password

cyber-crime

Duo who sold car crash victims' data must repay £118k

Fresh penalties secured after initial prison, community service sentences for RAC double act

RESEARCH

Nobody needs Mythos or 0-days to build a chaos-causing computer worm – free open source models work just fine

'Attackers can now cheaply operationalize known vulnerabilities at scale,' boffins tell The Reg

SECURITY

All the passwords were stored in Active Directory description fields

It was far too easy for a hacker to get the information

MORE INFOSEC

PERSONAL TECH

Logitech knows when to fold 'em

Meet Mobi Fold - creased popster or clever portable mouse

PATCHES

AI is making Patch Tuesday (kinda) fun again

Unless you're an admin or vulnerability manager – then you're totally screwed

SaaS

Salesforce cuts staff amid acquisition spree and $50 billion share buyback

The layoffs come after CEO Marc Benioff boasted of record revenue and 'incredible cashflow' two weeks ago

personal tech

If your sex life is dead, you can blame Steve Jobs

Economists find signs of a ‘large and causal relationship between iPhones and fertility' in AT&T exclusivity-era data

AI AND ML

Anthropic spins a Fable of a tamer, safer Mythos

Company also changes data retention policy

cyber-crime

Miasma worms its way onto GitHub as attack kit goes open source

As if there weren't enough package poisonings to worry about

science

MIT boffins take electrospray nozzles out of the cleanroom, into the 3D printer

Who said sub-millimeter, three-layer science juice had to be expensive to squirt?

personal tech

Apple’s iOS 27 goes all agentic on compromised passwords, promises to change them with one tap

iBiz might not win the AI race, but analysts say it's focusing on features people may actually use

Databases

Neo4j plots Palantir alternative with GraphAware acquisition

Graph database biz says on-prem, air-gapped intel stack gives governments a no-kill-switch option

Applications

LibreOffice brands Euro-Office a 'de facto ally' of Microsoft's lock-in strategy

The Document Foundation accuses newly launched Euro-Office of undermining digital sovereignty by defaulting to Microsoft's OOXML document format

DEVOPS

Devs know AI code is riddled with holes, but ship it anyway

Pressure to deploy wins out over security as four in five orgs confess to breaches from vulnerable apps

SECURITY

Signal says UK plan to scan devices for nude images 'endangers us all'

Off Prem

off prem

Google, Canonical team up to certify Ubuntu images for TPU VMs

Chocolate Factory shifts Tensor Processing Unit Ubuntu support back upstream

Arm moves into the heart of the cloud stack

SPONSORED POST: Hyperscaler adoption and AI workloads are accelerating multi-architecture infrastructure

off-Prem

Snowflake to burn $6B on AWS Graviton CPUs and AI accelerators

Dataware house gambles cloud conveniences, AI accelerated insights will justify the cost.

Off-prem

Big Tech extracts retirement-scale wealth from UK internet users, research shows

Britain's 'free' internet economy is powered by invisible data extraction that feeds advertisers, AI firms, and digital platforms

Off-Prem

Open Compute urges local government to bask in the warm glow of excess datacenter heat

Org that represents Meta, Google and Microsoft plans more heat reuse guidelines as debate over bit barn social license burns red hot

Explore Off Prem

Systems Storage Networks HPC CPU GPU Compute Infrastructure

Off-Prem

Google Cloud suspended major customer Railway.com without cause, causing outage

This is the service we get when we spend $10m plus? asks automated code deployment outfit

Off-Prem

Broadcom finds a VMware customer willing to stick around: London Stock Exchange

LSEG signs up for five more years of Cloud Foundation, but keeps quiet on how much it'll cost

Off-Prem

Baidu says the quiet part out loud – you can’t build AI infrastructure, so clouds can cash in

CFO says GPU rentals are ‘structurally higher margin than CPU cloud’

MORE OFF PREM

SECURITY

Chrome's zero-day Whac-A-Mole continues with fifth exploited bug of the year

Google paid researcher a tidy $55K bounty for its discovery

Security

France probes compromise of gov messaging platform after account hijack

Authorities say the breach only exposed public chat rooms, but alleged attacker claims to have accessed far more data

ON-PREM

Kyndryl showers execs with shares while staff ponder redundancy packages

IBM spin-off's top brass bag six-figure stock awards

offbeat

Next stop, C:\ ... Paris Metro screen goes off the tracks

Prochain arrêt: Gare du Bork! French capital city train does the tech can-can

Cyber-crime

Qilin NHS breach tally grows as Essex trust confirms stolen records

Two years on from ransomware attack, hospitals are still trying to identify and warn patients

Public Sector

UK.gov warned that digital transformation hype is no substitute for delivery

Parliamentary committee says £45B savings claim risks undermining public sector tech reform rather than helping it

AI and ML

Uncle Sam considers buying a seat on the Titanic

L'etat, c'est AI

DEVOPS

Apple courts developers with privacy and context in AI comeback bid

Apple Intelligence stumbled through 2024 and 2025. It's starting to look respectable

Security

Norks blast 250+ fake job offers to developers over 6 weeks to try and snarf creds and crypto

When an unsolicited job offer sounds too good to be true …

PERSONAL TECH

Apple's Orwellian device controls for tots also mean more work for parents

The new features ignore the argument that if parents wanted to spend more time on their kids, they wouldn't have supplied them with an iPad or iPhone in the first place

ai + ml

It's do or die for Apple AI

WWDC announcements earned tempered praise from analysts, with an emphasis on the word 'if'

cyber-crime

Ransomware crims got a month-long head start on Check Point VPN 0-day that now has a fix

Scumbags, including a Qilin ransomware affiliate, began hitting this hole May 7

Who Me?

Networks

networks

Brit regulator finds mobile network service on trains is far from first class

Comms watchdog says up to 83% of tests fail the 'good performance' threshold

networks

Bend the beam like Beckham to defeat anti-jamming tech

networks

Don’t repeat 5G mistakes with 6G, plead mobile operators

Networks

The tech that could make Marvell the next trillion dollar company

Networks

Marvell enters the AI network fray with 102.4 Tbps switch silicon

Canonical sends Ubuntu into the AI agent era

Sandboxed LLM dev environments lead the show, but accessibility may be the real prize

offbeat

NASA's Secret: Moon astronauts will be rocking Prada underwear

What, you think any old liquid-cooled bodysuit would be acceptable to pair with such a fashionable outer layer?

Cyber-crime

Ransomware sends Illinois high school on an early summer vacation

Meanwhile, 13 schools in Wales affected by separate attack

NETWORKS

Amazon Leo's satellite homework is late, but FCC won't flunk it just yet

Orbital broadband biz will miss its July 30 deadline to have 1,616 spacecraft in place

AI AND ML

NHS prescribes half a million Copilot licenses for its paperwork headache

After a trial claimed chatbot saved staff 43 minutes a day, NHS England has decided it's time to supersize the experiment

security

GitHub nukes 70+ Microsoft repos, breaks CI/CD pipelines, following suspected worm infections

Miasma worm shapeshifts, but cloud secret-scouting remains the goal

The Register NEWSLETTER

^{Sign up to get IT daily}

EXPLORE OUR COVERAGE

AWS Google Microsoft Red Hat Anthropic Nvidia Databricks Servicenow Snowflake Everpure Crowdstrike OpenAI Palo Alto Networks Cloudflare Oracle HPE ASML Nutanix HashiCorp Zscaler Dell IngramMicro Broadcom AMD SAP Salesforce Fedora Palantir Atlassian HPE

devops

Python JIT compiler project under threat after steering council says proper process wasn't followed

No new features to be submitted to main branch, existing code removed in 6 months if new proposal not created and accepted

SECURITY

NSO Group back in Meta's crosshairs after alleged WhatsApp targeting

Zuckercorp says surveillance-for-hire vendor was still running phishing operations after federal court told it to knock it off

SCIENCE

UK boffin bait lands 18 international researchers

AI and ML

Brit fraudsters using AI to doctor 'evidence' in motor insurance claims

Policy-holders increasingly turn fender benders into much more by sprinkling in their favorite AI chatbots, Aviva says

AI and ML

Department of Work and Pensions' answer to AI job fears is a bot to polish your CV

Whitehall says Work Assistant will help jobseekers apply around the clock – provided employers don't mind machine-written applications

OS Platforms

History of CentOS: How a biochemist's Linux hobby project became the enterprise world's default operating system

When a community came together after Red Hat said Windows was 'probably the right product'

os platforms

Yes! It’s true! Windows 11 is an agentic platform

It always has been, but Microsoft didn’t realize it

WHITEPAPERS

Architecting the Future: Unlocking Enterprise Data Services for Kubernetes

Join us to discover how to eliminate infrastructure silos and establish a standardized, enterprise-grade cloud-native platform.

Software

Consultant mistakenly deleted a ton of data – but reported it as a bug

And he got away with it too!

systems

Our systems editor flew all the way to Taiwan and still couldn't get away from AI

Every show now is an AI show, and that included this year's Computex

offbeat

Brit maritime agency heralds fresh global rules for crewless cargo ships

If you thought driverless cars were bad, imagine a 200,000 ton container ship

Public sector

Home Office ditches legacy asylum database, keeps the spreadsheets

Years into a major IT overhaul, MPs say the department still lacks reliable view of what is happening across the asylum system

Personal Tech

England's exam watchdog frets over smart specs turning GCSEs into Google searches

Ofqual says smart glasses, hidden earpieces, and AI tools are creating a new generation of cheating headaches

Off Beat

Science

science

Trump pumps federal funds into coal plants in the name of energy security

DoE wants to keep 13 coal-fired power generators going at the same time as funding nuclear research

Science

Blue Origin's New Glenn makes a crater-sized dent in Artemis plans

Science

Swift thinking buys NASA observatory a little more time before re-entry

Rescue mission might have until the end of summer after science operations halted

science

NASA to pull an IKEA by dropping tons of plastic, metal, and glass on the Moon

Astronauts will get to self-assemble lunar base

MORE SCIENCE

Science

Bezos rocket fell short after cryogenic leak cut engine thrust

Frozen hydraulic line blamed for leaving payload in the wrong orbit

Science

Starship shows it can deploy satellites, but Moon mission clock still ticks

What's a tumbling Super Heavy and a skipped Raptor relight between friends?

Science

Japanese Space Agency names arrival date for BepiColombo Mercury mission

Due on November 21, eleven months late - but on time to do science!

science

Feds unwittingly leak pilots' pre-crash conversation

Release of spectrogram of cockpit recorder audio allows conversation recovery with 'emerging' decades-old tech

Science

SpaceX scrubs Starship launch with seconds to go

Not all bad news: Crypto billionaire signs up for a mission to Mars

Science

ESA boss tires of being dragged around by NASA mood swings

Are we pilots or are we passengers? Aschbacher asks

BOFH

security

Oxford Uni student data pwned yet again - this time via career platform breach

Totally different attack from the break-in last month. Oh so that's OK then

legal

Start spreading the news: Datacenters may face one-year ban in NY

The bill awaits Gov. Hochul's signature after passing the state legislature

cyber-crime

If you don't fall for these extortionists' calls, they'll show up with USB sticks

When 'Chatty Spider' morphs into tech services cosplay spider

security

Yet another Cisco SD-WAN 0-day under attack, and no patch in sight

Good luck, sys admins

SCIENCE

Serious ISS air leak forces NASA astronauts to temporarily take shelter in Dragon capsule

Business is back to normal in the orbital station, but one of two newly discovered leaks is still unrepaired

Big Tech has not enforced Australia’s social media ban

Wed, 17 Jun 2026 19:27:49 +0000

Australia’s eSafety Commission is “moving into an enforcement stance” after finding that Meta, YouTube, TikTok and Snapchat haven’t done enough to comply with the nation’s social media minimum age (SMMA) obligation, which bans social media outfits from providing their services to children under 16 years of age.

The Commission today delivered its first report on compliance with the ban, which finds that regulated social media operators “have taken some steps to comply with the SMMA obligation” and blocked around five million accounts.

However, eSafety also surveyed 898 Australian parents and found "around 7 in 10" reported that their child still had an account. The regulator also “observed poor practices by some platforms” and listed the following four examples of their bad behavior:

REG AD

Messaging to children aged under 16 on some platforms has encouraged them to attempt age assurance even where their declared age prior to 10 December 2025 was under 16.
In some cases, platforms have enabled children aged under 16 to repeatedly attempt the same age assurance method to ultimately obtain a 16+ outcome.
Pathways for reporting age-restricted accounts have generally not been accessible and effective, particularly for parents.
Some platforms appear not to have done enough to prevent children aged under 16 from having accounts. However, eSafety is continuing its investigations to enable it to form a concluded view as to whether any platform has not taken reasonable steps to comply with the SMMA obligation.

REG AD

The report offers examples of how social media platforms have failed to meet their obligations.

The one that caught The Register’s eye describes a 12-year-old who two years ago signed up for a social media account and falsely claimed they were 14 at the time. The platform now thinks the user is 16 but they are really 14.

In discussions with a parent, the child said the platform had not attempted to verify their age. The parent therefore requested the platform close their child’s account. The platform responded by asking for a legal letter to prove the parent’s status, a costly exercise the parent chose not to pursue.

The 14 year old remains able to use their ill-gotten social media account.

That sort of scenario has led eSafety to investigate what it describes as “potential non-compliance by five platforms – Snap, TikTok, Facebook, Instagram and YouTube.” The regulator wants to wrap up those probes and make a decision about any enforcement action “by the middle of 2026.”

“These investigations will require giving further legally enforceable information-gathering notices to assess whether the steps taken by platforms are reasonable, identifying gaps, and assessing the totality of all steps taken by a platform,” the report states. “eSafety will not hesitate to take enforcement action where it has sufficient evidence of non-compliance. This will include assessing whether the evidence provides reasonable grounds for commencing civil penalty proceedings.”

MORE CONTEXT

Australia’s government made the social media ban a key part of its policy platform, and other nations have used it as an example for their own efforts or policies. Indonesia, the world’s fourth-most-populous country, this week enacted a similar ban and several more nations are working on similar regulations.

eSafety’s report will therefore likely be widely read as it shows how social media operators dodge bans. One passage in the report may interest regulators around the world, as it sees eSafety observe expected “short-term increases in downloads of some emerging apps, but we have not seen any significant migration to non-compliant platforms or other online services that are not required to comply with the SMMA obligation.”

REG AD

That’s noteworthy because opponents of social media bans have sometimes argued such regulations could see kids adopt social services run from jurisdictions beyond regulatory reach. eSafety’s evidence suggests that’s not happening, because “the profusion of online services young people may be migrating to do not have a critical mass of their peers established on these smaller, less entrenched services. ®

IP telephony goes mainstream

Sun, 14 Jun 2026 12:23:27 +0000

Small and medium sized enterprises are warming to hosted IP telephony services. Frost & Sullivan (F&S) reports that the North American enterprise IP Telephony end point market hit revenues of $822.8m last year. It estimates that revenues will reach $2.44bn in 2012.

All this ought to spell boom times for equipment manufacturers and service providers. However, F&S reckons that increased competition and the commoditisation of IP phones could erode margins over time. But firms that are able to market products that are distinguishable from competing offerings can look forward to tapping into a lucrative market opportunity.

"IP telephony, which was restricted to the medium and large enterprises segment, is beginning to make inroads into small enterprises as well, thus leading to a rise in demand for IP telephony end points," said Frost & Sullivan research analyst Kumar Alagappan.

REG AD

The availability of hosted IP telephony solutions from service providers and growing acceptance of open standards such as session initiation protocol (SIP) is shaking up the market, according to F&S. "The IP telephony market, which is characterised by end-to-end solutions based on proprietary protocols, will slowly shift to best-of-breed solutions with the increasing popularity of SIP based telephony solutions. Enterprises that were previously confined to phones based on proprietary protocols will now have the option of choosing from low-cost third-party SIP phones," Alagappan explained.

REG AD

As the IP telephony market matures, interoperability, which is currently limited to basic private branch exchange (PBX) features, could be extended to support more advanced feature sets. Vendors need to develop SIP phones that can offer support for the PBX features provided by their proprietary IP phones, which nonetheless still have a future.

F&S reckons manufacturers should distinguish their proprietary products by incorporating support for custom applications, such as CRM, targeted at specific industry verticals. ®

off_prem channel

ShinyHunters claims Oracle PeopleSoft 0-day hit 100+ orgs

Fri, 12 Jun 2026 07:12:56 +0000

Data theft and extortion group ShinyHunters has exploited a critical Oracle PeopleSoft bug as a zero-day to compromise more than 100 organizations, including the University of Nottingham, across 300 vulnerable instances.

A spokesperson for the cybercrime crew on Thursday told The Register that they exploited CVE-2026-35273 to break into the university’s PeopleSoft system and steal 40 GB of personal data and billing records belonging to hundreds of thousands of current and former students.

ShinyHunters posted the UK university on its data leak site on Tuesday before publishing the stolen files later that same day, presumably because the school refused to pay the extortion demand.

REG AD

“University of Nottingham on our leak site is one of the first publicly confirmed incidents,” a ShinyHunters spokesperson told us. “We have only just started outreach to affected orgs and are actively looking to reach an agreement with affected orgs.”

They didn’t say when they planned to post the other 100 or so claimed victims.

A Google threat intelligence report published Thursday afternoon corroborated ShinyHunters’ claims to have compromised more than 100 organizations.

Google said it spotted malicious activity, “consistent with the exploitation of CVE-2026-35273,” between May 27 and June 9, and notified more than 100 global orgs “whose IP addresses correlated with potentially vulnerable endpoints."

Most of these, we’re told, are based in the US and 68 percent are in the higher-education sector.

MORE CONTEXT

PeopleSoft is a widely used enterprise software suite that large corporations and institutions use to manage their human resources, payroll and billing applications, supply chains, and student records.

CVE-2026-35273 is a 9.8 CVSS-rated vulnerability that allows remote, unauthenticated attackers with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools and fully take over the platform.

On Wednesday, a day after ShinyHunters leaked the school’s data, the University of Nottingham confirmed the breach and Oracle issued an out-of-band security alert. It’s unclear, however, if the software provider has issued a patch to fix the security flaw. The Register reached out to Oracle, and did not receive any response to our questions.

REG AD

Google-owned Mandiant Chief Technology Officer Charles Carmakal, in a brief LinkedIn post on Thursday, warned that PeopleSoft was one of two zero-day vulnerabilities “actively being exploited in the wild.”

“Oracle released mitigations,” Carmakal wrote. “Patches should come soon.”

The other zero-day, for the record, is this Cisco Catalyst SD-WAN Manager vulnerability.®

Google Cloud suspended major customer Railway.com without cause, causing outage

Thu, 11 Jun 2026 17:38:31 +0000

PaaS platform Railway says Google temporarily suspended its account on Wednesday without cause, inducing a major outage.

Railway automates code deployment by taking a GitHub repo and doing all the work needed to get it running from the cloud.

It’s struggled to do that for the last few hours and the company’s status page tells the sad tale, starting with an update time-stamped May 19, 22:29 UTC that said the company is “investigating a widespread service disruption.” The incident meant “Users may be experiencing errors including ‘no healthy upstream’, ‘unconditional drop overload’, login failures, and inability to access the dashboard.”

REG AD

Angelo Saraceno, a solutions engineer for Railway, told The Register the company noticed a problem at around 22:00 UTC. He said the company’s resources appeared to have been deleted and simply not to exist. Google has since explained it suspended the account, making Railway’s resources invisible.

REG AD

“Our contacts at Google were confused, customers are irate,” he added.

We are livid and still trying to get all the details

Ironically, in 2024 Railway decided to shift much of its infrastructure into colocation services after Google “caused a multitude of problems that have posed an existential risk to our business.” Those problems resurfaced in 2025 after more trouble at Google Cloud that again impacted Railway’s services.

But Railway kept its control plane in Google Cloud and still has a dependency on databases that run there. Those resources see it spend an eight-figure sum each year on the G-Cloud . Yet Saraceno said when this incident commenced, it took an hour for Google’s support team to engage.

“We are livid and still trying to get all the details,” he said before advancing a theory that Railway somehow triggered an enforcement rule.

MORE CONTEXT

Railway’s status page says that as of 22:43 UTC the company “escalated this directly with Google.”

Oh, to have been a fly on the wall during that escalation!

Railway’s most recent status update, at the time of writing, is an 03:05 UTC May 20 missive that states “More workloads are coming back online. Some users may still experience intermittent issues during the recovery. Non-enterprise deploys remain paused; enterprise deploys are unaffected.”

REG AD

The Register has contacted Google to ask if and why it blocked Railway’s account. You know the drill: We will update this story if we receive more than corporate platitudes.

Cloud providers might rightly block a customer’s account over unpaid bills or inappropriate use – but usually do so after giving fair warning. Railway told us this incident came out of the blue.

Google has form taking down customers without cause: In 2024 it infamously wiped out all rented infrastructure used by Australian pension fund UniSuper.

Railway’s status page includes apologies to its customers, despite the problem being at Google’s end.

“Our customers don’t care if it is Google,” Saraceno said. “We have to own our uptime.” ®

Zuck defends monitoring employees to win AI race in purported leaked audio

Thu, 11 Jun 2026 17:38:31 +0000

Meta CEO Mark Zuckerberg appears so determined to win the AI race that he is willing to sacrifice some employee privacy to make it happen.

In a leaked audio recording published by the worker advocacy group More Perfect Union, Zuckerberg purportedly answered an employee's question about "device monitoring" with a six-minute monologue in which he said Meta employees are very smart and to win the most competitive technology race in history, he would need to collect their keystrokes, mouse clicks, and screenshots to make its own AI measure up to its rivals.

MORE CONTEXT

“We are using this to feed a very large amount of content into the AI model, so that way it can learn how smart people use computers to accomplish tasks. I think that this is going to be a very big advantage if we can do it,” Zuckerberg purportedly said during an April 30 meeting in which an employee asked about the "top of mind" issue.

REG AD

Meta did not reply to an email from The Register seeking comment and has not confirmed the authenticity of the audio clip, but a company spokesperson confirmed in April that Meta would monitor employees to train AI. Meta's tracking tool is called Model Capability Initiative, according to reports.

REG AD

The audio was posted the same day Meta announced 8,000 job cuts. It captured Zuckerberg's thoughts on the news, first reported by Reuters, that Meta planned to install software on employees' computers to monitor activity for AI training. More Perfect Union did not reply to an email from The Register seeking comment.

"So if we're trying to teach the models coding, for example, then having people internally build tools that or solve tasks that help teach the model how to code, we think, is going to dramatically increase our models' coding ability faster than what others in the industry have the capability to do, who don't have thousands and thousands of extremely strong engineers at their company," he purportedly said in the audio.

"So that's one example. Another thing that our system needs to be very good at is using computers, so the way that you get a system to be good at using computers is by having it watch really smart people use computers. So that's basically the essence of what we are trying to do here."

In one part of the audio, Zuckerberg said the software would not be used to surveil employees' actions on the job, though he stopped short of saying the data would be anonymized. Rather, he said the purpose was narrowly focused on making its AI work better than competitors.

“The content is sort of, you know, stripped out in like as much as is possible,” he purportedly said in the leaked audio. “It's like none of the data has been used for like looking at what people are doing, or surveillance, or performance tracking, or anything like that.”

That aligns with what a Meta spokesperson told Reuters: that MCI data would not be used for performance assessments. European employees are reportedly exempt from the program because the EU's General Data Protection Regulation likely prohibits this type of monitoring without explicit consent, according to multiple reports.

Meta is not the only major technology company turning to its own workforce for AI training data. The Information reported this week that Microsoft and xAI are also leveraging internal employees to generate and refine training datasets. In a similar vein to what Zuckerberg purportedly said, Microsoft, which employs thousands of software engineers, reportedly views its workforce as a competitive advantage for improving GitHub Copilot.

In the recording, Zuckerberg purportedly said Meta settled on using its own employees over contractors because they were smarter.

REG AD

“One basic insight and hypothesis that we have is that a lot of data generation across the field is done by these like contract companies,” Zuckerberg purportedly said. “(B)ut in general, the average intelligence of the people who are at this company is significantly higher than the average set of people that you can get to do tasks if you're working through these contractors.”

However, the contractor pipeline is also being watched.

In January 2026, Wired reported that OpenAI's data vendor, Handshake AI, began asking freelance contractors to upload real work products from past and current jobs, including contracts, financial models, presentations, and code repositories. OpenAI provided a tool to help contractors strip confidential information before uploading, but intellectual property lawyers warned the approach carries significant legal risk.

Zuckerberg said this sort of surveillance and the difficult conversations around it are the cost of competing at the frontier of AI.

"How do we navigate running the company through what is just this incredibly dynamic period?" he said. "There's lots of things that people would like more certainty on than we have." ®

GitHub Copilot users threaten exit as metered billing kicks in

Wed, 10 Jun 2026 04:51:53 +0000

Developers seem to hate Microsoft’s new usage-based billing policy for GitHub Copilot as they report burning through a month's worth of credits in hours.

“This is a staggering shift from a 'predictable subscription' to a 'stressful meter-based' service that hinders my productivity rather than helping it,” wrote one developer on GitHub's user forum who said they were paying for Microsoft's $39-per-month Copilot Pro+ plan but burned through about 8 percent of their monthly AI Credits allocation in two hours under the new billing system. “At this rate, my 7,000-unit quota will be depleted in less than two days.”

Their outrage is a consistent and growing theme among the business users of AI who suddenly see eye-popping bills after years of experimenting with a nearly free service. One GitHub Copilot developer requested a single change to their project and burned more than $6, they wrote.

REG AD

“Not after a day of usage. Not after dozens of prompts. After ONE request,” the developer stated on GitHub’s user forum. “I understand that large projects require context, but this level of consumption feels completely unreasonable and impossible to predict. How are individual developers supposed to budget for this when a single feature request can consume such a large portion of the monthly allowance?”

REG AD

The changes went into effect across the site on Monday. In GitHub’s April post announcing the new billing scheme, Microsoft said the change was made from monthly billing to usage-based because GitHub Copilot is “not the same product it was a year ago.”

“It now powers far more complex, agentic workflows that consume far more compute. This change is designed to deliver a more sustainable and reliable product experience by aligning pricing to actual usage and costs,” the post to its user community reads. “We believe GitHub Copilot remains the best value and experience for agentic coding. Usage-based billing aligns cost more closely to actual usage and value, while continuing to offer developers the freedom to choose the models and agents that work best for them.”

GitHub Copilot lets developers access a range of AI models from within their development tools. That had allowed some users to make large numbers of requests across multiple models while paying as little as $10 per month for Copilot Pro, or $39 per month for Copilot Pro+.

MORE CONTEXT

Now, each request from users is dynamically priced depending on the model used, the request, and the amount of material submitted by the user, as well as the complexity of the answer returned.

“Woke up to the new billing UI this morning. Figured I'd test it out on some actual work — just needed Claude 4.8 to help fix a couple things on a site I'm editing,” one Reddit user posted. “It gave some pretty mediocre suggestions. Didn't really solve the problem, I still had to do most of the work myself … Then I checked the actual usage page. 1,180 credits used. 16% of my monthly Pro+ allowance. Gone. For basically nothing.”

The comments online have been overwhelmingly negative, with users on GitHub’s forum and Reddit vowing to abandon the product and move their work directly to Anthropic, OpenAI, and some creating their own workarounds through a series of free or cheaper AI vendors, like RooCode, LM Studio, or OpenRouter.

“I’ve opted to stick to Pro+, burn through my allocated credit in a week, and then pivot to using OpenRouter for the remainder of the month,” one user posted. “OpenRouter offers a similar set of advantages that Copilot has over other providers. It can be used within the same VS Code interface. Plus it has more models and credit rolls-over for up to a year."

The Register asked Microsoft about the user complaints and a GitHub spokesperson responded with a statement saying it had introduced a new billing policy, and provided a link to a FAQ.

REG AD

"Usage-based billing is now in effect. Pricing for GitHub Copilot now reflects actual usage with spending limits, usage dashboards, and model selection available to help manage costs. We're also introducing Copilot Max for users who need more capacity," the statement reads. ®

Uncle Sam considers buying a seat on the Titanic

Tue, 09 Jun 2026 14:51:35 +0000

OPINION The US government is reportedly weighing whether to take a financial stake in AI companies, which looks a bit like negotiating for a seat on the Titanic.

Neither OpenAI nor Anthropic, the marquee brands in US AI, are profitable yet. While Anthropic may be nearer to that point if its accounting survives scrutiny, OpenAI's $1.4 trillion in financial commitments over the next eight years have been interpreted as a red flag for investors.

This raises (at least) two questions: Should the US government be picking winners? And should the US government be picking losers?

REG AD

The first question appears already to have been decided. As noted by the US Council on Foreign Relations, since January 2025, the feds have invested $20.9 billion in sixteen deals that involve direct ownership. This represents a change from more hands-off financial arrangements involving grants, loans, and tax incentives.

REG AD

The Department of Commerce, for example, has taken a 10 percent stake in Intel, once a symbol of American technical prowess and now a national security backstop. The Development Finance Corporation had invested in minerals, energy, and infrastructure. And the Department of Defense has undertaken at least seven similar deals.

Neoliberal US notions about competition and the separation of church, state, and private industry have succumbed to the new world disorder.

When economists from Harvard and Yale looked at the issue in a 2021 paper titled "The Dance Between Government and Private Investors: Public Entrepreneurial Finance around the Globe," they were cautiously optimistic.

Authors Jessica Bai (Harvard), Shai Bernstein (Harvard), Abhishek Dev (Yale) and Josh Lerner (Harvard) looked at 755 entrepreneurial finance policies in 66 countries during the period from 1995 to 2019. They concluded that "government funding programs are associated with subsequent increases in innovation," as measured by "top patents."

They offered some caveats, such as the observation that "government programs frequently rely on private capital markets through capital matching requirements, where private capital groups are often allowed to invest in more preferential terms than the public funds."

And they also noted that economists have long recommended government investment in response to market failures – areas where private funding has chosen not to invest, presumably due to the uncertainty of returns.

MORE CONTEXT

A recent example of that would be the US Commerce Department's decision to invest $2 billion in quantum computing in exchange for a minority controlling stake in nine technology companies. Pure-play quantum computing companies like D-Wave, Quantinuum, IonQ, and Rigetti Computing are not making a profit. But concern that quantum computing might some day do meaningful computing not possible with classical computers is enough to keep the funds flowing for now.

The US government's reported interest in AI companies might be interpreted in a similar light, as a bailout for companies that have committed to spend heavily on data centers before demand has been demonstrated and pricing has stabilized. With OpenAI and Anthropic preparing to go public, the White House would do better to wait before placing its bet.

REG AD

OpenAI CEO Sam Altman is said to have pushed for federal investment last year but publicly repudiated the idea after CFO Sarah Friar suggested federal loan guarantees. If the feds were to buy into OpenAI, the deal might take the form of a public wealth fund – so the public would receive revenue from intellectual property that AI firms have captured and are reselling.

US Senator Bernie Sanders (I-VT) last week said he planned to introduce a bill called the American AI Sovereign Wealth Fund Act. Funded by a one-time 50 percent tax paid in AI company stock, it would give the public a say in how AI is used and a portion of the revenue generated by AI companies (which, again, follows from the largely uncompensated capture of public content).

Meanwhile, the White House last week issued an executive order directing "the national security enterprise to accelerate AI adoption to meet surging demand, adapt the best commercial and open-source technologies for mission use, assure that fielded systems are robust, steerable, controllable, and preserve clear lines of accountability under the Constitutional chain of command." And the order promises "new partnerships with willing private-sector companies to secure America’s cutting-edge AI against global threats."

Buying into these companies doesn't make a lot of sense if they can deliver on their promises at a viable price. The market would ensure plenty of good options for federal procurement.

But if leading AI models are priced like Claude Mythos, reported to run $25 per million input tokens and $125 per million output tokens, or about 5x Opus 4.8, there may be some concern that leading edge AI will be too costly for much of the market. Uber's $1,500 monthly token spending cap per employee AI tool suggests companies won't reward the AI industry for over-investing. If cutting-edge AI is going to be priced out of reach for most industries and if it really can accomplish things that lesser models cannot, the case for federal involvement gets stronger.

It would be a shame if the feds rewarded OpenAI and its peers with taxpayer money because that would reward fiscal irresponsibility and hinder startups hoping to innovate. Worse still, it would commit funds prematurely and unnecessarily for some notional national security edge that's razor thin and is being dulled by evolving open weight models and foreign model providers.

The jury is still out – there are at least 115 lawsuits against AI companies – on whether there's a broad, sustainable market for AI services outside of software development and perhaps a few other knowledge work markets. The government should wait for the courts, the public, and the market to weigh in before riding to the rescue. ®

Microsoft researchers find AI models and agents can't handle long-running tasks

Mon, 08 Jun 2026 16:00:07 +0000

Companies exploring automated workflows would be well advised to keep their AI agents on a short leash.

Microsoft researchers have found that even the priciest frontier models introduce errors in long workflows, the very thing for which AI software has been pitched.

Anthropic, for example, says, "Claude Cowork handles tasks autonomously. Give it a goal and Claude works on your computer, local files, and applications to return a finished deliverable."

REG AD

Redmond promotes similar usage, touting Microsoft 365 Copilot's ability to "Tackle complex, multistep research across your work data and the web."

REG AD

The Windows maker's scientists aren't so sure about that.

Philippe Laban, Tobias Schnabel, and Jennifer Neville from Microsoft Research set out to study what happens when large language models (LLMs) are asked to complete multistep tasks.

They recently published their findings in a preprint paper with a spoiler title: "LLMs Corrupt Your Documents When You Delegate."

MORE CONTEXT

To test how LLMs handle long-running knowledge work tasks, the researchers devised a benchmark called DELEGATE-52.

It simulates multistep workflows across 52 professional domains, such as writing code, crystallography, and music notation. It is a more taxing test than sorting a spreadsheet, a task that should be table stakes for any aspiring workflow agent.

In the accounting domain, for example, the challenge involves a seed document that represents the accounting ledger of Hack Club, a nonprofit organization. The model is asked to split the seed document into separate category-based files and then to merge these chronologically back into a single file.

"Our findings show that current LLMs introduce substantial errors when editing work documents, with frontier models (Gemini 3.1 Pro, Claude 4.6 Opus, and GPT 5.4) losing on average 25 percent of document content over 20 delegated interactions, and an average degradation across all models of 50 percent," the authors report.

The authors found that LLMs did better on programming tasks and worse on natural language tasks.

REG AD

To be considered "ready" for a given work domain, the researchers set the bar at 98 percent or higher after 20 interactions. They only found one domain qualified: Python programming. For every other domain, the authors found LLMs fell short of "ready."

"A per-domain breakdown of end-of-simulation scores reveals that models are not ready for delegated workflows in the vast majority of domains, with models severely corrupting documents (at least -20 percent degradation) in 80 percent of our simulated conditions," the authors state.

The study found that "catastrophic corruption," meaning a benchmark score of 80 percent or less, occurred in more than 80 percent of model/domain combinations. The best performing model, Google Gemini 3.1 Pro, was ready for only 11 of 52 domains.

In weaker models, degradation took the form of content deletion; in frontier models, it took the form of content corruption.

And when errors occurred, they tended to happen all at once, resulting in the loss of 10 to 30 points in a single round-trip interaction, rather than accumulating over the entire test run.

"The stronger models (Gemini 3.1 Pro, Claude 4.6, GPT 5.4) aren’t avoiding small errors better, they delay critical failures to later rounds and experience them in fewer interactions," the researchers observe in their paper.

The Microsoft authors went on to test how agents – LLMs given access to file reading, writing, and code execution through a basic harness – handle the DELEGATE-52 benchmark.

Tools in this instance didn't help. "The four tested models perform worse when operated agentically with tools than without, incurring an average additional degradation of 6 percent by the end of simulation," the authors observe, in reference to GPT-5.4, 5.2, 5.1, and 4.1.

REG AD

Given that task delegation is the whole point of an AI agent – if you wanted to do it yourself, you wouldn't have tried to automate the task – this casts a bit of a shadow on the AI hype train.

An intern who corrupted a quarter of a document over a long workflow would be shown the door. Yet companies are showing AI the money: according to Deloitte, organizations are spending an average of 36 percent of their digital budgets on AI automation.

That might make sense if arming LLMs with the tools to function as full-blown agents meant less document degradation. But that's not the case. The authors found "using a basic agentic harness does not improve the performance of LLMs" with regard to the DELEGATE-52 test and that LLM performance after two interactions doesn't reflect how models perform after 20, which they argue underscores the need for long-horizon evaluation.

"Current LLMs are ready for delegated workflows in some domains such as Python coding, but not in other less common domains," the authors conclude. "In general, users still need to closely monitor LLM systems as they operate and complete tasks on their behalf."

Yet they also note that LLMs have been getting better, pointing to the performance of OpenAI's GPT model family, which has seen its benchmark performance increase over 16 months from 14.7 percent to 71.5 percent. ®

GOV.UK goes Dutch on payments as it dumps Stripe

Sat, 06 Jun 2026 14:56:22 +0000

The UK’s Government Digital Service (GDS) has replaced Stripe with Dutch provider Adyen as its processor for many payments made through its GOV.UK Pay service.

Adyen will take over GOV.UK Pay card payments for local authorities, police forces and armed forces units from Stripe, as well as pay by bank services, under a three-year contract worth up to £25.3 million.

According to the tender notice published in February 2025, the contract covers around 17 percent of payments made through GOV.UK Pay but more than 70 percent of its organizations and includes the only option allowing users to start taking payments within one working day. At that point the contract had an estimated maximum value of £49 million, although with no guarantees over volume.

REG AD

In a blogpost about the contract award on 2 June, GDS said it will migrate around 1,000 services to the new supplier. “We will make migration as straightforward as possible while complying with Know Your Customer legislation that protects everyone from fraud,” wrote Alan Maddrell, senior content designer for the service. “Most importantly, there will be no discernible difference for paying users and no loss in functionality.”

REG AD

He added that the change of supplier will help introduce new options including pay by bank, which transfers money directly between bank accounts using open banking services and avoids the need to type in card details. GDS will continue to use WorldPay to process payments for central government, linked organizations and NHS bodies.

MORE CONTEXT

GDS established GOV.UK Pay to save public services the effort and cost of setting up online payments themselves. It doesn’t charge organizations for the service beyond passing on transaction fees.

According to its performance data page, GOV.UK Pay has processed 137.5 million transactions since it was set up in 2016, worth around £9.2 billion. It currently provides 1,718 services, including 662 for local government and 256 for police forces, to 608 organisations ranging from 1079 (Tiverton) Squadron RAF Air Cadets to Yeovil Town Council. ®

Netflix wiz creates app to slash AI bills, then open sources it

Mon, 01 Jun 2026 02:29:39 +0000

As the COOs from both Uber and Microsoft recently learned, encouraging company engineers to use AI aggressively can lead to hefty usage bills, perhaps even offsetting all the gains from laying off employees.

The AI bills at Netflix may not be so eye-popping thanks to company senior engineer Tejas Chopra, who has created software to prune agent instructions, as measured in tokens, before they hit the LLM.

Chopra has estimated that as much as 90% of tokens are redundant to the giant thinking machine of your choice.

REG AD

Although not an official Netflix project, several teams there already use Project Headroom, and a number of external projects rely on it as well.

REG AD

In a talk at the Open Source Summit last week, Chopra said that Headroom has saved an estimated $700,000 for its users, who collectively now have 200 billion tokens to spend elsewhere.

Not bad for an open source application that’s been out only since January. Headroom, currently at a still-raw v0.22, has gathered 2,000 stars on GitHub and has been forked over 120 times.

“A lot of our users are people who have been really burned by token costs, more than anything else,” Chopra said in his presentation.

Lossless context compression

A $287 bill from Claude Sonnet first brought Chopra’s attention to the idea of token economization.

The bill was typical home project stuff: a bit of debugging, some refactoring, MCP tools querying a database. At the time, Claude Sonnet’s token-based pricing seemed pretty generous: $3 for every million input tokens, or $6/million if you went over the 200,000 token limit for your context window. Still, that $287 added up quickly.

Upon deeper inspection, Chopra found a lot of this data was highly redundant to the LLM. By and large, his own hand-crafted instructions were not the culprit. Rather it was all the boilerplate and machine metadata that came along for the ride: Needlessly-verbose JSON schemas, nested templates within API responses, identical database columns.

“This isn’t prose. This isn’t creative writing. This is compressible data masquerading as text,” Chopra wrote in a blog post introducing his software. In 2025, a group of researchers found that reading user input accounted for about 76% of all token consumption.

REG AD

The model providers have their own tools to save tokens. But to date, the settings on these tools are somewhat oblique to end users. By default, Claude has a prefix cache setting of just five minutes. After five minutes of inactivity, the entire context window needs to be refreshed, even if the LLM needs the exact same data. Another setting is exposed in the API documentation: a one-hour time to live (TTL). But there is a catch. "You pay two times the cost for your writes to get 90% savings for your reads," Chopra told the audience. It’s up to you to find the sweet spot.

There are also a number of new commercial token barbers popping up, such as YCombinator-funded Token Company, which offers token compression as a service. On the open source side there is RTK (Rust Token Killer), which trims to the output of verbose commands, such as calls to a repository. Another open source project, LeanCTX, is a variant of RTK.

All these tools are useful, Chopra admitted, but he designed Headroom to keep the operations confined to the developer’s workflow. And it had something none of the apps and services could offer: reversible compression.

Headroom’s job is to compress all the source material that is fed into the user’s context window – not only the conversation history, but also logs, tool outputs, files, chunks of documentation that the RAG found useful – before it arrives at the LLM.

The context window is the set space for each user session. The latest frontier models are rapidly expanding their context windows upwards towards two million tokens, which holds both input and output.

Such generosity is a mixed blessing, as Pope Leo might point out. As a unit of measurement, a single token is more or less equivalent to a human word. For pay-as-you go plans, the more you feed the context window, the more you’ll pay.

Gobbling tokens like Pac-Man

Running on Python and Node, Headroom runs as a proxy (port 8787) on the engineer’s computer. The user wraps their LLM at the command line interface (i.e. “headroom wrap codex”) and it then parses the input.

REG AD

While Headroom does compress a bit of programming code and human instruction, it is best at chopping server logs (90% of which can be jettisoned), MCP tool outputs (70% redundant JSON), Database outputs (it’s all one schema), and file trees (much repeated metadata).

Headroom’s first step is a process called CacheAligner which looks only for information that has been changed within input that's already been entered, and ships only the new info, eliminating the need to replace an entire body of mostly unchanged text in KV Cache, the cache where the AI provider stores the user’s context window.

“If your system prompt contains a date field or contains some UUID that changes per session, you are effectively getting a cache miss every single time,” he told the audience. “That will blow up your costs.”

Then, a router process infers the type of content and sends it to one of a number of compressors. An Abstract Syntax Tree (AST) compressor squishes programming code. JSON and Document Object Model (DOM) compressors snip unneeded JSON and Web boilerplate, respectively.

Headroom also has some “squashers” that look at text or JSON input and decide which bits are actually relevant, based on statistical analysis. These tools learn in a feedback loop if they are over- or under-compressing, based on how often the model has to call back into the original uncompressed prompt.

The final process, called Compress Cache and Retrieve (CCR), offers that ability for the LLM to look at the original unsquashed data. It puts markers to where the data has been compressed, so if the LLM wishes to get the original context, it can call a Headroom MCP to retrieve the needed material from the user’s machine. The original context is stored on Redis or SQLite.

There is still work to be done to this software stack, Chopra admitted, particularly on testing accuracy. It should be an easy task because the CCR stores the original prompts. More compressors can also be built for other specific types of data, such as financial data.

Audio, image, and video will also have to be tackled (one user has already forked the project for video parsing). A related project, which Chopra says will be open source soon, is Headlight. Headlight will keep track of the origin of each token, which could be especially handy for ensuring the accuracy of multi-model work.

A token saved is a token earned

Minding your tokens does not only save money, it can improve results, research suggests.

Agents send more context than the model can possibly use, which, in addition to emptying the user’s coffers, can actually make the LLM dumber.

Like the rest of us, LLMs get confused when presented with too much information. A group of Stanford University boffins found that LLMs tend to pay more attention to the beginning and the end of the context window, and tend to disregard the middle bits.

Likewise, a set of researchers from data integrator Chroma deduced that, across 18 LLMs, “performance grows increasingly unreliable as input length grows.”

“Context rot,” they called this phenomenon.

Trimming prompts can also improve latency. In his presentation, Chopra relayed how one of Headroom’s users forked the software for a voice-activated application. With voice, even silence can generate tokens. The user expects a response from the app within 200 milliseconds for the service to sound natural, so the company is using Headroom to help shrink that latency window down as much as possible.

Headroom also offers some good news for those worrying about data centers heating the world into a fiery inferno with their energy usage. Fewer tokens means a smaller context window, which means less energy use – at least until Jevon's Paradox kicks in and people find even more power-hungry ways to render their animated cat movies. ®

Microsoft 0-day feud escalates as researcher threatens another Windows exploit dump

Sat, 30 May 2026 16:27:32 +0000

The ongoing saga of Microsoft versus Nightmare Eclipse (aka Chaotic Eclipse), the disgruntled bug hunter with a deep understanding of Windows and an even deeper grudge against Microsoft, reached a fever pitch, with the researcher, who has thus far released six Windows zero-days, promising a “bone shattering” drop on July 14.

Microsoft, for its part, finally responded to the security researcher and their weaponized Windows flaws with a blog post on (un)coordinated vulnerability disclosure about the now-public bugs: RedSun, UnDefend, BlueHammer, YellowKey, GreenPlasma, and MiniPlasma. Redmond says that none of these were reported via its official channels prior to being made public.

Attackers began hammering three of the six - BlueHammer, RedSun, and UnDefend - soon after Nightmare published working proof-of-concept exploit code for each on now-banned GitHub (owned by Microsoft) and GitLab accounts.

REG AD

MORE CONTEXT

YellowKey, GreenPlasma, and MiniPlasma still don’t have fixes, and Microsoft has deemed “exploitation more likely” for YellowKey, aka CVE-2026-45585, citing a working POC.

REG AD

“We remain firmly opposed to these actions, and any disclosure outside proper coordination that could harm our customers and the digital ecosystem,” Microsoft wrote in a Wednesday blog, and then seemingly threatened legal action against Nightmare:

“Uncoordinated disclosures that put proof-of-concept code for unpatched vulnerabilities into the hands of bad actors are never justifiable and have real-world consequences. Our security teams across the company work tirelessly tracking threat actors who look for weaknesses just like these to attack Microsoft and our customers. Our Digital Crimes Unit will continue bringing cases against these actors and those that enable their criminal activity – coordinating as needed with law enforcement around the world.”

Microsoft did not respond to The Register’s questions, including whether its legal team planned to sue Nightmare, whether the zero-day researcher is a current or former employee, and whether Microsoft axed Nightmare’s MSRC account, meaning that the bug hunter can’t disclose vulnerabilities to the Windows giant.

Nightmare, in their latest anti-Microsoft missive, claims Microsoft did just that.

“When I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people,” they wrote on Saturday. “You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot.”

Mark this date July 14th, I will make sure your bones are shattered that day

Nightmare also noted that “Microsoft still has chains in my hands,” preventing them from releasing “documents” yet, or anytime in June, and then warned: “Mark this date July 14th, I will make sure your bones are shattered that day.”

Regardless of what does or does not happen on July 14, Nightmare has already caused chaos - and real enterprise-level damage, as systems engineer Muhammad Qasim Shahzad said on LinkedIn.

“One person caused more enterprise-level damage in six weeks than most APT groups cause in a year,” Shahzad wrote. “The gap between disclosure and weaponization is now measured in hours, not days. Your patching window is shrinking fast.”

REG AD

Zero Day Initiative’s bug hunter-in-chief Dustin Childs, who previously spent about seven years working for Microsoft security and has decades of experience on both sides of the coordinated vulnerability disclosure (CVD) process, told The Register that Microsoft could have handled this better. And he wondered what happened between the two parties to get to this point.

“CVD is a two-way street,” he said. “The vendor has some responsibility as well, so to go out publicly stating this person violated CVD without showing any of the correspondence seems bold.”

Microsoft could also improve its communications to customers on “what the real risks from these bugs are and how they can defend themselves,” Childs added. “That clear direction seems to be missing.”

Microsoft's 'dumpster fire'

Luta Security founder and CEO Katie Moussouris, who pioneered Microsoft’s bug bounty program despite execs vowing never to pay researchers for bugs, said Redmond’s response to Nightmare sends “mixed messages.”

“It confusingly claims their program ‘ensures researchers are compensated and publicly acknowledged’ in a statement answering a researcher who says he got neither,” Moussouris told The Register. “The language choices are also not deescalating. Microsoft invoked the outdated term ‘responsible disclosure,’ which I retired years ago at Microsoft because it was subjective and judgy.”

This phrase, Moussouris added, “got in the way of coordination” when the two sides disagreed about how to best protect end users.

“The mention of the Digital Crimes Unit in a post discussing vulnerability disclosure makes the post vaguely threatening, which seems intentional, but then they wrap up the post saying they welcome reports regardless of disclosure history,” she said. “No one except the parties involved can know for sure what happened between this researcher and Microsoft. Whatever the facts, it's hard to imagine why Microsoft would not try to deescalate, if for no other reason than avoiding the chilling effect on other researchers.”

REG AD

Security sleuth Kevin Beaumont, in his blog on the ongoing Microsoft-Nightmare Eclipse saga, called it a "dumpster fire of [Microsoft’s] own making.”

Beaumont also used to work at Microsoft, and he noted that the Windows company previously hired a hacker called SandboxEscaper after she published zero-day POC exploits for Microsoft products - something that Redmond’s blog now describes as criminal.

“If Microsoft’s tactic is to try to criminalise not following often arbitrary ‘responsible disclosure’ frameworks, good luck defending that in court - because there’s a whole clown car of prior decision making within Microsoft and facts which would emerge in that process,” Beaumont said.

To be clear: neither Beaumont nor the researchers that The Reg spoke to support Nightmare’s zero-day antics. Childs called the “July 14” post “troubling” and Moussouris said the date plus “incendiary language … doesn't help organizations trying to make sense of the technical risk.”

'David and Goliath dynamic'

Moussouris did add that this latest missive, taken in context with the earlier blog posts, “paint[s] a picture of someone who believes they have been pushed to this extreme. It is the sound of someone who believes every legitimate channel was closed to them: GitHub account deleted, payments withheld, credit stripped, then publicly accused of violating CVD after Microsoft cut off their ability to coordinate. The researcher's grievances are serious and specific.”

Ultimately, “the bugs are Microsoft's,” Moussouris said. “They wrote the code and they own the risk to customers. Often researchers who previously work with a vendor respond in the extreme only when they feel there is no other choice. The power they hold is not at all proportionate to the vendor. This is a David and Goliath dynamic we don't like to see play out, especially since it’s users who lose when coordination negotiations fail."

While it’s a very extreme - perhaps the most extreme - example of coordinated disclosure gone wrong, it’s not an isolated problem. Researchers have been complaining about CVD, and specifically Redmond’s bug disclosure habits, for years.

“While some companies have improved, Microsoft has not,” Childs said. “If anything, they are seen as difficult to work with, especially if your bug is Moderate instead of Critical. I’ve had researchers tell me that they stopped looking at Microsoft altogether because they were too difficult to work with.”

Plus, these types of disagreements between researchers and bug bounty programs will likely increase, as AI-assisted bug reports become the norm and vulnerabilities skyrocket.

“We as an industry need to take a breath, remember there are real people involved, and that poor interactions could lead to real customer risk,” Childs said. “Real-world impact is lost far too often when disclosure goes wrong.” ®

ICE awards Bi2 $25M contract for 1,570 biometric scanners

Sat, 30 May 2026 01:14:10 +0000

If you thought US Immigration and Customs Enforcement’s widespread use of face recognition apps was a privacy violation, you’re about to get eye-rate over a new $25 million contract.

According to a largely unreported contract summary published last week by ICE parent agency the Department of Homeland Security, US immigration cops have doled out about $25.1 million to a company called Bi2 Technologies for 1,570 biometric recognition devices able to identify people through fingerprints, iris scans, and facial recognition.

Additional procurement data indicates that the devices can be used in the field in both mobile and stationary configurations, and they provide ICE agents with access to Bi2’s Inmate Recognition and Identification System (IRIS), which matches biometrics to a database of more than five million booking, arrest, and incarceration records from 47 US states. The Bi2 system is also able to access driver’s license and vehicle plate info.

REG AD

The deal was made without seeking any competing bids, and ICE justified the sole-source acquisition by pointing not only to Bi2’s capabilities being “unmatched by any competitor,” but also to a contract from last year in which it paid the company $4.6 million for what now appears to have been a one-year trial run of its technology on a much smaller scale.

REG AD

Per the FY 2025 contract, which expires at the end of this coming September, ICE got similar access to the IRIS database and mobile/stationary biometric scanning technology as this year’s award, but only 200 devices were deployed across the US. With the addition of this contract, 1,770 of the devices could now be on American streets by the end of May 2027.

MORE CONTEXT

While the Bi2 contracts have yet to cause a stir on the level of other ICE biometric surveillance technologies, the widespread deployment of eyeball scanners linked to law enforcement databases and other forms of government documentation could end up stirring up more controversy.

Senate Democrats have been railing against ICE’s use of biometric identification technology like Mobile Fortify, an app reportedly used by DHS under the Trump administration’s immigration enforcement push to identify people suspected of immigration violations and, potentially, protesters.

In a letter last September, senators demanded ICE immediately cease using Mobile Fortify over concerns that the app could be inaccurate, biased, and might have a chilling effect on the legal expression of protected civil rights in the US.

Neither ICE nor DHS responded to questions for this story. ®

Dutch navy frigate tracked by mailing it a Bluetooth tracker

Fri, 29 May 2026 02:20:48 +0000

Militaries around the world spend countless hours training, developing policies, and implementing best operational security practices, so imagine the size of the egg on the face of the Dutch navy when journalists managed to track one of its warships for less than the cost of some hagelslag and a coffee.

The security snafu was reported by Dutch regional broadcaster Omroep Gelderland. In a Thursday report, Omroep Gelderland journalist Just Vervaart said the broadcaster was able to track HNLMS Evertsen, a Dutch air-defense frigate deployed to help protect France’s aircraft carrier Charles de Gaulle against missile threats, by mailing a Bluetooth tracker concealed in a postcard to the ship.

Per Vervaart, the Dutch Ministry of Defence makes it easy to send mail and packages to soldiers and sailors in the Dutch armed forces and posts full instructions online. It's that freely available open-source intelligence data that Vervaart was able to use to send the tracker to the Evertsen.

REG AD

The report says the tracker remained active for about 24 hours, showing HNLMS Evertsen leaving port in Heraklion, Crete, and sailing first west along the island’s coast before turning east toward Cyprus. The tracker finally went offline a day later when the ship was near Cyprus, and hasn't come back online.

REG AD

According to Dutch defence officials Vervaart spoke to for his story, the tracker was found during mail sorting and was disabled. Still, the Ministry is reportedly changing its mail policies in response to the incident and will now ban greeting cards containing batteries along with further reviewing mail guidelines.

The ban on greeting cards containing batteries appears to be a direct response to Vervaart's test, as he chose to conceal the Bluetooth tracker in a postcard after ministry videos and mailing guidance indicated envelopes were not X-rayed, unlike packages, making that route more likely to pass through undetected.

An opsec lesson for civvies, too

As a military veteran myself, I understand the delicate balance to be made between letting troops stay in touch with their families and protecting them from accidentally spilling crucial secrets.

Social media, for example, has been an absolute opsec disaster for militaries, as even the most innocuous seeming post can accidentally include information that's incredibly valuable to the right person. Limits obviously have to be put in place to that end.

MORE CONTEXT

Cut soldiers and sailors off from physical mail while on deployment, though, and you're likely to have a mutiny on your hands. Technology has changed, though, and something once as innocuous as posting instructions on how to send mail to military members has to be weighed in a new light.

"Nowadays, you can eliminate targets remotely and with great precision, but you do need to know where they are," retired Dutch lieutenant general Mart de Kruif told Omroep Gelderland in the original story. "So, as a frigate, you never want to reveal your location to other people."

This isn't just a military lesson, either: Technological evolution means things that were totally acceptable in the enterprise world before may now be critical security risks that have yet to enter into your OPSEC equation. ®

Pentagon and soldiers let too many secrets slip on socials

Fri, 29 May 2026 02:20:47 +0000

Loose lips sink ships, the classic line goes. Information proliferation in the internet age has government auditors reiterating that loose tweets can sink fleets, and they're concerned that the Defense Department isn't doing enough to stop sensitive info from getting out there.

The Government Accountability Office (GAO) on Monday made public a report finding that the DoD hasn't been properly training its civilian staff or military members, nor issuing proper guidance, on how to keep secrets secret. The info leaks include social media posts by military members and their families, but press releases and other information the Pentagon publishes itself were as part of the equation, too.

GAO auditors posed as threat actors and found multiple ways they could use info they discovered online to disrupt operations.

REG AD

Take naval maneuvers, for example. In one case, GAO auditors cited public social network support groups for families of deployed sailors, and private social media groups that discussed promotions, assignments, and squadron compositions. Such data could be used to link sailors to their immediate family members, locations, and behaviors, creating an avenue for blackmail or other coercive tactics to extract info from servicemembers. It could also endanger military units on active maneuvers, GAO noted.

REG AD

In another case, a press release identified - with photographs - a service member who completed urban sniper training. GAO investigators were able to buy information about the individual on the dark web, linking them to a particular unit, their rank, and other details. Additional research gave them info about the member's family, too, again opening up the possibility of blackmail.

"The digital activity of DoD's service members, contractors and family members … can generate volumes of traceable data that can threaten their privacy and safety, and ultimately our national security," GAO said of its findings.

This isn't a problem unique to the US military, either. Russian forces have outed their positions in Ukraine via social media posts since the beginning of Moscow's invasion of its neighbor.

Plenty of blame to go around

According to the report, 10 DoD components were guilty either of failing to train their people properly, or didn't assess their own security tactics adequately. Unfortunately, we didn't need the GAO to tell us that.

Nine components had training material that was inconsistent or too narrowly focused, typically on OPSEC, while ignoring force protection, insider threats, and mission assurance. Likewise, eight of those ten components fail to conduct threat assessments across all those aforementioned areas.

Sure, soldiers, sailors, airmen, and marines bear the blame for posting things on social media that they shouldn't, but if they aren't being properly trained, the DoD only has itself to blame.

The Office of the Secretary of Defense, GAO noted, "has not consistently issued policies and guidance to address the digital profile threat."

REG AD

MORE CONTEXT

The GAO issued 12 recommendations to the DoD to help beef up its exposure to digital threats. The DoD concurred with all the recommendations and said it was taking action to address them, save perhaps the most crucial one.

The GAO suggested that the Defense Security Enterprise Executive Committee, a body within the DoD responsible for security policy, assess security policies and guidance across the Defense Department to identify gaps and make recommendations to fix them. But the DoD only partially concurred, arguing that Pentagon's authority is limited when it comes to the personal activities of DoD personnel, much less that of their families.

In essence, the DoD admitted that it could be more careful about sharing information, but its hands are tied when it comes to what its people share. GAO auditors didn't seem impressed with that excuse.

"We recognize that there is a spectrum of who releases information," the GAO said in response. "However, as we depicted in our scenarios, a malicious actor does not care who releases the data … That is why we did not limit our recommendation to just policy, but also included improvements to training and awareness campaigns."

This vulture, for one, is glad he did his tour of duty in the US Army before the era of social media. Sure, a single soldier could do some damage by saying the wrong thing to the wrong person, but it's nothing like the security nightmare that comes with people publishing every aspect of their lives on the internet.

Now if only the DoD cared enough to do more than just updating old WWII-era messaging for the modern age, we'd be in a much better position. ®

Macron's bodyguards show his location by sharing Strava data

Fri, 29 May 2026 02:20:47 +0000

The French equivalent of the US Secret Service may have been letting their guard down, as an investigation showed they are easily trackable via the fitness app Strava.

An investigation by Le Monde has shown that members of the Security Group for the Presidency of the Republic (GSPR) have been openly displaying their location on the popular software during their workout sessions. Since they travel with President Emmanuel Macron, this makes it fairly easy to work out his location. A dozen of his bodyguards were leaking key information this way.

"Macron's security guards record and publish their runs on the platform. But there's a problem: They are sharing geolocalized information publicly," the newspaper reports.

REG AD

"In other words, Macron's bodyguards are unknowingly sharing their locations online, both personal and professional. This security flaw means it's possible to track the French president's bodyguards; that is, Macron's hotels, meeting rooms and trips can be tracked through this app."

REG AD

More disclosures are promised later, but it appears that both President Biden and Russia's Vladimir Putin are also vulnerable to this kind of tracking. In the latter case, it would be interesting if someone - say a Ukrainian drone operator - got hold of such information.

This isn't the first time Strava users have been caught leaking information in this way. In 2018, the US military ordered a review of soldiers' use of the app after an analysis of the data it generated revealed the location of secretive American and Australian military bases.

MORE CONTEXT

This is all down to a user interface problem feature with the app's Global Heatmap function. Strava users can choose to keep their location secret, but the app maps information by default and it appears that GSPR members may be more interested in showing off their fitness prowess than securing their data, even after years of examples of why this is a really bad idea.

Other workout software is just as bad. Fitness app Polar has been caught exposing similar information, which prompted a massive review of operations and a tightening up of security defaults for the code, but only after journalists started exposing the flaws in openly publishing years of its users' movements.

Some Strava users celebrate sharing their data, however, and can be quite artistic about it. In 2021 Aussie cyclist Peter Stokes pedaled over 150km around Adelaide to trace out the outline of the baby used for the cover of Nirvana's classic Nevermind album.

Hopefully, French bodyguards will put "Something in the Way" of further data disclosures. ®

Beer rating app reveals homes and identities of spies and military bods, warns Bellingcat

Fri, 29 May 2026 02:20:46 +0000

A beer and pub-rating app built off the back of Foursquare’s location-tracking API poses a risk to the security of military and intelligence personnel, according to legendary OSINT website Bellingcat.

Untappd 'has over eight million mostly European and North American users, and its features allow researchers to uncover sensitive information about said users at military and intelligence locations around the world,' wrote Bellingcat’s Foeke Postma in a fascinating guide to using the app for tracking down people of interest.

Bellingcat is an open-source intelligence and investigative journalism website. Its most famous contribution to the world was identifying the Russian military personnel who shot down Malaysian Airlines flight MH17, something that saw Russian hackers target it in revenge.

REG AD

Untappd’s concept of operations is simple. You go to the pub and drink beer. During the beer-drinking process you take a picture of your beer with your smartphone and rate it. You can also rate the pub and leave comments. To do these things you need to register an account and provide some personal details – or log in with Facebook.

REG AD

“Untappd users log hundreds, often thousands of time-stamped location data points. These locations are neatly sorted in over 900 categories, which can be as diverse and specific as 'botanic garden.' 'strip club,' 'gay bar,' 'west-Ukrainian restaurant,' and 'airport gate.' As the result of this, the app allows anyone to trace the movements of other users between sensitive locations,' wrote Bellingcat’s Postma.

All you need to do to deploy Untappd as an intelligence-gathering tool is use the app through its normal user interface. With a little knowledge of how the app works plus access to online map websites that list pub, bar and restaurant details, it’s scarily simple to find people who probably shouldn’t be easily findable.

So we put it to the test

Using Bellingcat’s techniques, The Register was easily able to identify someone who enjoyed a few pints over the years at hostelries close to, among other places: GCHQ Cheltenham; the Atomic Weapons Establishment base at Aldermaston; an Army base at South Cerney in Gloucestershire; and his regular pub crawls around his hometown, which we are not naming.

The person concerned used his own mugshot as his profile picture on the app. Although Untappd only displays users’ first names and initials, this particular one used his surname as part of his username, so the app displayed 'Joe B. (bloggs123)' on his profile. It was a trivial step from there to find him on Linkedin (with the job title 'analyst') and cross-match that against postal address records for his name in his hometown.

Looking at pubs and bars near the Royal Navy nuclear submarine base at Faslane, up in the lochs of western Scotland by Glasgow, proved equally fruitful. Putting himself into the mindset of a thirsty sailor looking for the nearest drinking establishment, your correspondent soon identified a cluster of bars within easy staggering distance of Helensburgh railway station, the first stop up the line from Faslane.

From there it was simple to look through recent Untappd check-ins at those bars and identify a US Navy nuclear submarine officer, complete with mugshot. His favourite establishments included on-base bars at a US naval station in Norfolk, Virginia, USA; bars next to naval bases in Spain; and 'Naval Base San Diego', included as an actual check-in location on a beer-rating app.

From a casual browse of the submariner’s friends list on the app, your correspondent found the profile of a woman who drank in the same bars at the same time as the man himself. Her profile picture on Untappd included children.

REG AD

While the app itself is harmless, this ought to be a clear lesson for anyone in a sensitive job: do not use social media, and if you’re going to use social media anyway so you can have a normal life outside work, try not using it in a way where you pinpoint your precise location right next to your sensitive workplaces. Careless tagging, could, in some circumstances, cost lives. ®

NSA director appointment blocked over data privacy questions

Fri, 29 May 2026 02:20:46 +0000

Is the NSA buying up Americans' location and browsing data? Senator Ron Wyden (D-OR) is tired of asking and has now moved to block the confirmation of a new NSA director until he gets answers.

"The American people have a right to know whether the NSA is conducting warrantless domestic surveillance of Americans in a manner that circumvents the Fourth Amendment to the Constitution," Wyden said in a statement on Thursday submitted to the congressional record.

"Particularly as Congress is currently debating extending Section 702 of the Foreign Intelligence Surveillance Act, Congress must be able to have an informed public debate about the scope of the NSA's warrantless surveillance of Americans."

REG AD

As we've previously reported, plenty of personal information is available for purchase from commercial data brokers by US government agencies without a warrant. The Fourth Amendment provides Americans safeguards from unreasonable search and seizures - a protection some, including Senator Wyden, would argue the Feds (and cops to that matter) violate if or when they acquire this info without a warrant.

REG AD

Congress must be able to have an informed public debate about the scope of the NSA's warrantless surveillance of Americans

These data brokers harvest personal data from all sorts of places, mainly apps reselling your location and other info, and then bundle it up and peddle to interested parties.

Wyden said he was told by Uncle Sam's Defense Intelligence Agency that it, for one, was purchasing American citizens' location data, and he made that point public in early 2021. He said he further pressed the Pentagon for the names of other military agencies buying records of people's whereabouts, browsing histories, and other personal matters, and in March that year got the answers he wanted – but the disclosure was marked "controlled unclassified information" (CUI). The senator took that to mean he couldn't share it.

CUI is not classified information, as its name indicates, but it should, generally speaking, be protected with access controls and not widely disseminated. Wyden is clearly not a fan of this labeling, which he described as a "made up designation with no basis in law." CUI was created by an executive order from President Obama in 2010.

"The administration is abusing the CUI designation to keep this unclassified information from the American public," Wyden continued.

So now the senator has placed a hold on Lieutenant General Timothy Haugh's confirmation as NSA director until the spying nerve-center confirms or denies (presumably under an unclassified designation) that it is buying up citizens' location data and/or browser histories without a warrant. The senator wants a simple yes or no.

This won't guarantee answers, however. It does mean the NSA will either need to satisfy Wyden's request, or Congress will need to hold a procedural vote to push through the confirmation.

In his statement Wyden makes clear his objections to Haugh's promotion to the rank of general and nomination to the NSA directorship aren't personal nor related to his qualifications. The congressman simply wants Uncle Sam to open up a little.

MORE CONTEXT

Senator Wyden isn't the only one who's run into opposition trying to obtain more information on US domestic intelligence gathering efforts. The Electronic Frontier Foundation has filed freedom of information act requests and lawsuits to get this evidence.

REG AD

Wyden's latest effort comes as Congress weighs up the future of FISA Section 702, which is due to expire at the end of this year unless it's reauthorized, and in certain circumstances allows government snoops to analyze US persons' private communications without a warrant. While lawmakers are likely to renew the controversial intelligence tool, many on both sides of the aisle would like to see additional safeguards added.

One proposed reauthorization bill, which has already received pushback from the White House, includes several surveillance reforms, including one requiring warrants for government purchases of private information from data brokers. A rival and much more spy-friendly bill has also been introduced. ®

How data brokers sell personal info of US military personnel

Fri, 29 May 2026 02:20:45 +0000

The sensitive personal information of American military personnel and their families is on sale from US data brokers for a pittance, Duke University academics have found.

That personal data, sold for as little as $0.12 per record, is said to pose a threat because it could be acquired by foreign adversaries for malicious purposes – such as blackmail, operational targeting, or mapping sensitive military sites.

The Duke research team – Justin Sherman, Hayley Barton, Aden Klein, Brady Kruse, and Anushka Srinivasan – obtained military folks' health data, financial details, and information about their religious practices from US data brokers. Nosy types could also augment this with location data, as an extra threat.

REG AD

The researchers describe their findings in a report titled: "Data Brokers and the Sale of Data on US Military Personnel: Risks to Privacy, Safety, and National Security."

REG AD

The study, funded by a grant from the American military, follows from a proposal submitted by the scholars to the US Military Academy at West Point in 2021, in the wake of an August 2021 report [PDF] by one of the authors, Justin Sherman, who is currently a senior fellow at Duke University's Sanford School of Public Policy.

The 2021 report also found that US data brokers sell information about active duty military personnel. As noted in that report, the buying and selling of people's information is "virtually unregulated" in the US, and there's very little in federal or state law to prevent such sales to foreign entities. The info can be sourced from all manner of places, from phone apps and smart home devices, to payment transactions and public records.

Sherman testified before a US Senate subcommittee hearing about the issue on December 7, 2021. And he did so again during a House subcommittee hearing on April 19 this year.

Data privacy and national security concerns have long been intertwined with apps - as the US military has found out with fitness applications that show military base locations. The latest research report says that the 2020 scrutiny of TikTok – software banned by the US Army and subsequently assailed by the Trump administration – reignited the debate.

MORE CONTEXT

The current report argues the data brokerage industry itself represents a threat to national security. "Foreign and malign actors with access to these datasets could uncover information about high-level targets, such as military servicemembers, that could be used for coercion, reputational damage, and blackmail," it argues.

The report calls for Congress to pass a comprehensive federal privacy law – a feat US lawmakers have not managed despite years of advocacy from activists, lawyers, ands much of the technology industry.

Military claims it's taking this 'very seriously,' again

In an email to The Register, a spokesperson for the US Defense Department wrote that privacy matters to the military.

REG AD

"The Department takes the privacy interests of its personnel very seriously," the spokesperson claimed. "There is a large and growing amount of commercially available information, which raises concerns on privacy interests, civil liberties interests, national security implications, threats to service members from our adversaries, and operational security risks.

"The DoD has a responsibility to protect the privacy interests of individuals and will continue to stress with our personnel the importance of maintaining, training, and implementing robust safeguards to protect the privacy interests of our people."

Dr Lukasz Olejnik, independent privacy researcher and consultant, and author of Philosophy of Cybersecurity, told The Register in an email that the Duke University study is very significant.

"This study is certainly a bombshell, considering how important privacy is today on the one hand, and on the other – how respected the military or veterans in the US are," Olejnik observed.

"This excerpt from the conclusion is particularly spot on: the data consist of 'individually identified, and non-public information.' And are available on the cheap. This confluence of privacy invasion, military risk, and availability to foreign services is a powerful mix."

Olejnik expressed skepticism, however, that the findings will hasten the glacial legislative process for privacy in the US.

This study is certainly a bombshell, considering how important privacy is today

"I doubt that it will have an effect on the proposal for a comprehensive federal Privacy Act soon," he added. "First of all, if such an Act was to be put forward, it would happen after the elections next year (and subject to the result).

"Second, the US legal data protection culture has a traditional preference in fragmentation. Specific Acts are issued for specific spheres, with the infamous issuance of a single-issue regulation for video tape rentals, the Video Privacy Protection Act."

REG AD

In that spirit, Olejnik wryly suggested the US might end up pushing narrowly focused legislation called the Military Data Privacy Protection from Certain Brokers Act.

The Register proposes the Privacy Act for the Military, Elderly, Children, Billionaires, and Government Employees, But Not For Unworthy Wage-Earning Adult Citizens.

On a more serious note, Olejnik suggested, it's time to get moving on federal privacy rules. ®

US Pentagon scrambles after Strava base leaks. Here's a summary of the new rules: 'Secure that s***, Hudson!'

Fri, 29 May 2026 02:20:44 +0000

The American military has ordered a review of its grunts' personal electronics – after the Strava fitness app used by soldiers revealed base locations and other operational security gaffes.

In November, the exercise-tracking software maker released a "heatmap" to show where in the world people were using the application to monitor their daily workouts.

Unfortunately, because not all users marked their training information private, the map revealed military bases and the jogging routes of personnel. It also highlighted dangerously stupid explorers, and the data allowed viewers to drill down into an individual's fitness stats.

REG AD

In response, the Pentagon has urged servicemen and women to lock down the privacy settings on their apps – which, er, they should really have done in the first place. Meanwhile, top brass will come up with new rules, if necessary.

REG AD

"We take these matters seriously, and we are reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of Department of Defense personnel at home and abroad," Army Colonel Robert Manning III said at a Pentagon news conference on Monday.

"DoD personnel are advised to place strict privacy settings on wireless technologies and applications. The heat map incident re-emphasizes the need for service members to be cautious about what data to share via wearable electronic devices."

You'd have thought the Green Machine would be up on this already, given how America's enemies have blundered into this sort of opesec gotcha in the past. In 2015, a Daesh-bag fighter published a picture of his fellow terror bastards on social media with location data included in the snap – and 22 hours later, Uncle Sam showed him the real meaning of photobombing with three very large explosives sending him to the next world.

Russian military authorities also got caught out the year before. In 2014, with Russia denying its troops were invading Ukraine, its soldiers posted several selfies that location data showing were within the, er, Ukrainian borders.

As always, check the privacy settings of your apps – and not just Strava's. ®

Updated to add

Strava is having a rethink about how it shares people's data – and urged folks to check their applications settings while it works "with military and government officials to address potentially sensitive data."

"Many team members at Strava and in our community, including me, have family members in the armed forces," said CEO James Quarles. "Please know that we are taking this matter seriously and understand our responsibility related to the data you share with us."

Mobile phones ‘give away locations of soldiers’

Fri, 29 May 2026 02:20:44 +0000

Security

EVENTS

EXPLORE ALL OF OUR EVENTS

Roastidio.us in webspace https://www.theregister.com/

'Free' VPN Hola is LITERALLY flogging access to users' devices

The road to woebegone peers

Like Tor, only much larger, faster and more anonymous

Broken nodes?

Peer-shaped security problems

The business model doesn’t provide for security. 'Free' takes the 'private' out of Virtual Private Network. A VPN should be a relationship between a user and a provider, not a user and millions of others.

Apple's WebKit performance tax leaves iOS browsers stuck in the slow lane, says Microsoft

AI code boom drives production failures, higher spending

MORE CONTEXT

Even Claude agrees: hole in its sandbox was real and dangerous

Intel's CEO reveals early hiring challenges as bankruptcy concerns deterred top talent

OpenAI floats buy-before-your-try AI availability guarantee

Fedora: Microsoft is all aboard, but Deepin is dumped

Feds freaked over Fable 5 after simple 'fix this code' prompt, not jailbreak, says researcher

MORE CONTEXT

US clampdown on Anthropic models sends EU sovereignty surge into overdrive

Anthropic spins a Fable of a tamer, safer Mythos

It blocked us at 'hello!' Anthropic Fable 5 refusing innocuous prompts

Disgruntled 0-day hunter 'humiliated' by Microsoft pledges 'bone shattering drop' as Redmond calls cops

Technology news and analysis | The Register

TOP STORIES

Tesco is sprinting to quit VMware and Broadcom despite rapid migration risks

AI and brain-computer interface allow speechless ALS patient to work a full-time job

Developers build the best tools for developers – and are now defanging the AI menace

Crooks found a new way to collaborate using Teams – by hiding command-and-control traffic

Only half of US datacenter capacity planned for 2026 is actually under construction

System76 boss reckons he can liberate the entire PC stack... just give him another 15 years

There's no such thing as an agentic CPU

Nvidia-backed optics vendor to boost wafer output by 4x to meet AI interconnect demand

Massive password-stealing attack hits 75k Fortinet firewalls

Uncle Sam bets $500M that Alphabet spinoff's AI can dig up new semiconductor materials

Smartphone market to shrink 15 percent this year due to memory crisis

AWS hypes continuous agentic DevOps, puts Kiro in your pocket

Surface tension rises as Microsoft's latest kit starts at a pricey $1,499

Cisco adds another SD-WAN box to max-severity bug advisory

Homebrew 6.0 released with new security mechanism, Linux sandbox and more

Apple's WebKit performance tax leaves iOS browsers stuck in the slow lane, says Microsoft

Intel starts cooking up enhanced 18A-P silicon for would-be foundry customers

Windows devs rerolled old code to save precious bytes

UK.gov links up with LinkedIn for jobs market intel from 40M accounts

Brit competition cops order Google to make search rankings less mysterious

Helpdesk scammers are making house calls to make their lies feel more real

Windows update leaves third-party Office document launches in limbo

Cyberattack sees crops kept in the ground

MOST POPULAR

Feds freaked over Fable 5 after simple 'fix this code' prompt, not jailbreak, says researcher

Amazon owns up to using 2.5bn gallons of H2O in its bit barns last year

Angry bug hunter with Microsoft beef drops new Windows 0-day

Every employee’s password was stored in a single Excel file

Capita is about to sail past deadline to fix civil service pensions scheme

Columnists

AWS reportedly to tuck Elon Musk's Grok into Bedrock, despite zero enterprise demand

EU's digital sovereignty boo-boo may be the best thing to ever happen to the project

Utah tells porn sites to take the P out of VPNs, and it's their fault that they can't

AWS to Quick admins: The access control didn't work, but you weren't using it anyway, so what's the problem?

AI will soon be capable of telling convincing lies

Taiwan's train cyber-trauma reveals a global system that's coming off the tracks

Trump jumps from 'anything goes' to 'strict regulation' AI policy

Microsoft's bad obsession is showing up in shabby services and slipshod software. Here's proof

AWS plants more tombstones in the application graveyard

MORE TOPICS

AMD's Mext buy shows how AI could solve the RAM shortage it created

The new Siri makes one of Apple's most convenient OS features a cumbersome mess

Python dev saved from disaster by intuition... and AI

Intel-born networking tech resurfaces as InfiniBand alternative for DoE supers

Three critical Fortinet sandbox bugs splattered by unknown attackers

Commodore gets into the phone biz with Sailfish-powered retro 'Callback'

Firefox 152 understands 'Sssh!'

Microsoft faces down sueball, capacity problems in series of challenges

Linux kernel 7.1 sends Intel 486 support to silicon heaven

Non-x86 servers now nearly half the market, IDC says

NHS Palantir claims face scrutiny after data suggests uneven results

NASA said nyet to Roscosmos plan to cut into leaky ISS segment

Cardiac monitor maker's security skips a beat as data thieves go for the jugular

Qualcomm said to be circling AI chip biz Tenstorrent in $10B RISC-V power play

Scammers keep scoring: Brits fleeced for £1.3B as Americans lose $3.5B to impersonators

Capita is about to sail past deadline to fix civil service pensions scheme

SQL Server may be too lucrative for Microsoft to ditch, but too legacy to love

ERP users may soon get ahead by going headless, says Rimini Street boss