Linux fréttir

Instructure, the company behind the widely used Canvas learning platform, says it reached an agreement with the hackers who stole 3.5 terabytes of student and university data. The company says it received "digital confirmation" that the information was destroyed and that affected schools and students would not be extorted. The BBC reports: Paying cyber criminals goes against the advice of law enforcement agencies around the world, as it can fuel further attacks and offers no guarantee the data has been deleted. In previous cases, criminals have accepted ransom payments but lied about destroying stolen data, instead keeping it for resale. For example, when the notorious LockBit ransomware group was hacked by the National Crime Agency, police found stolen data had not been deleted even after payments had been made. Instructure said in a statement on its website that protecting students' and education staff data was its primary motivation. "While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible," the company said. Instructure did not set out the terms of the agreement but said that it meant that: - the data was returned to the company - it received "digital confirmation of data destruction" - it had been informed that no Instructure customers would be extorted as a result of the incident - the agreement covers all affected customers, with no need for individuals to engage with the hackers

Read more of this story at Slashdot.

Google is rolling out a new line of laptops based on Android instead of ChromeOS, and using the opportunity to try and move upmarket from the budget-conscious Chromebooks – while also baking AI into every fissure of the system. The new line of so-called Googlebooks seems even more obtrusive about pushing embedded AI than Windows 11 embedding Copilot into everything. With the OS on Googlebooks, which the company touts as the best of Chrome OS and Android, even moving the cursor over an on-screen task such as the text of an email nags you to offload work to Gemini. Google was has been publicly planning to merge Android and ChromeOS for a while, with Android boss Sameer Sama saying last year that the Android codebase would be the core of the new platform. This gives the company a chance to break into the premium laptop market, using one of its core assets, the Android ecosystem, to differentiate from the kid-friendly and budget-oriented Chromebook lineup. While the laptops won't be coming until later this year, we can already see from the press materials and video demo that this new kind of notebook is meant to out-Copilot Microsoft. One of the main features demoed, Magic Pointer, activates when you wiggle the cursor and shows you contextual suggestions based on what you hover over. For example, in the video, Alexander Kuscher, Senior Director of Laptops and Tablets at Google, showed how hovering over the date in an email brought up options to view his schedule, craft a reply saying "I'm in town on May 19," or even use Google maps to suggest meetup spots. Having AI crammed into Windows Notepad seems quaint by comparison. Kuscher also showed how dragging images on a Googlebook can combine them. He dragged a photo of a nursery onto an image of a swath of wallpaper and a picture of a crib and the system generated a picture of the nursery with the crib and the wallpaper included. The Google exec pointed out that an act like combining photos normally involves logging into a chatbot, uploading the photos, and giving it a prompt. Here it was just drag and drop. No word on whether the system can use your photos as training data. Android apps will also work on Googlebooks, and users will also be able to launch them from the phones, much like Apple's iPhone Mirroring. In the demo, Kuscher showed Duolingo running in a portrait-shaped window on the desktop operating system as if it were on his phone. Google said that Googlebooks are being "built with premium craftsmanship and materials” by partners like Acer, ASUS, Dell, HP, and Lenovo. They also sport a Google-colored glowbar on the cover so everyone knows who owns your digital soul. Considering the RAM shortage and the fact that IDC expects PC shipments to decline by 11.3 percent in 2026, Google has picked a challenging time to come out with a whole new category of laptop. While the company has not released pricing, we can only imagine that Googlebooks will be significantly more expensive than Chromebooks, which are currently in the $200 to $500 range in the US. These new notebooks are likely to compete with premium consumer Windows and macOS laptops at a time when demand is declining and people are holding onto old devices longer. We see no evidence that Google is even targeting businesses and we doubt IT departments would be interested in the features the company has focused on. Google also announced the expansion of Gemini Intelligence onto high-end Android devices (i.e., Samsung Galaxy and Google Pixel devices) as part of Tuesday’s I/O preview, noting that it’s designed “to help your phone handle boring tasks for you.” Google provides examples like filling out online forms, summarizing websites, and even rewriting voice-to-text messages to get rid of pauses and other natural speech patterns that detract from the written word. Speaking of Chromebooks, we asked Google what will become of its budget hardware line with the release of the Googlebook, but we didn’t hear back. We imagine that they will probably continue to serve the educational market for some time. Google made several other announcements during Tuesday's presentation, including a new Pause Point feature in the upcoming Android 17 that follows in Apple’s steps by protecting you from your own worst instincts to scroll endlessly or waste half your day playing chess on your phone. It allows you to mark certain apps as "distracting" so that when you launch them, the phone asks you to take a deep breath and reconsider your actions, which is something Apple’s mindfulness app doesn’t do. To the bane of everyone tired of social media reaction videos, Google is also baking the format right into Android with Screen Reactions that will allow users to capture video of their device screen along with sticking themselves in the lower corner so they can regale everyone with their opinion about whatever they’re talking over. ®

An anonymous reader quotes a report from the Financial Times (via Ars Technica): Amazon employees are using an internal AI tool to automate non-essential tasks in a bid to show managers they are using the technology more frequently. The Seattle-based group has started to widely deploy its in-house "MeshClaw" product in recent weeks, allowing employees to create AI agents that can connect to workplace software and carry out tasks on a user's behalf, according to three people familiar with the matter. Some employees said colleagues were using the software to automate additional, unnecessary AI activity to increase their consumption of tokens -- units of data processed by models. They said the move reflected pressure to adopt the technology after Amazon introduced targets for more than 80 percent of developers to use AI each week, and earlier this year began tracking AI token consumption on internal leader boards. "There is just so much pressure to use these tools," one Amazon employee told the FT. "Some people are just using MeshClaw to maximize their token usage." Amazon has told employees that the AI token statistics would not be used in performance evaluations. But several staff members said they believed managers were monitoring the data. "Managers are looking at it," said another current employee. "When they track usage it creates perverse incentives and some people are very competitive about it."

Read more of this story at Slashdot.

AI models can take your written work, they can take your voice, and they can even take your likeness to use for training material and for creating content that looks exactly like it came from you. Now, some actors are promoting a new licensing spec designed to protect their famous faces and yours too. The newly formed public benefit non-profit is extending the Really Simple Licensing (RSL) spec developed by the RSL Internet Collective with the draft RSL Media Human Consent Standard (RSL-MEDIA) 1.0, which aims to cover creative works as well as people's names, likenesses, voices, and other identity attributes. The initial launch allows people to sign up and reserve an identifier that will serve as a key to structured data entered into the RSL Media public registry, scheduled to launch next month. The registry will allow people to verify their identities, set permissions governing the use of their works and likeness, encode those permissions for machine consumption, and verify that AI systems are checking declared permissions. Whether there will be any legal consequences for AI services that ignore registry settings remains to be seen. The data broker industry in the US hasn't exactly suffered due to the notional existence of "privacy rights." And public concern about non-consensual AI nudification and explicit deepfakes hasn't really put an end to that form of technological abuse or punished the social media sites distributing it. But this time, Hollywood has shown up. "AI technologies are expanding rampantly, essentially unchecked and unregulated," said celebrated actress and RSL Media co-founder Cate Blanchett, in a statement. "In order for humans to remain in front of these technologies, consent must be the first consideration. RSL Media is a simple, effective and free solutions-based technology for facilitating and activating consent. It’s also the industry’s first practical solution where people everywhere, not just public figures, can assert control over how their work is used by AI." Nikki Hexum, co-founder and CEO of RSL Media, said, "AI can’t respect rights it can’t see, and this means human consent is virtually invisible in this new digital era. The right to decide whether AI can use your work or identity should not be reserved for only those who can afford lawyers or have platforms big enough to be heard, it is a basic human right." That's not entirely correct. Rights do not need to be seen to be respected; due diligence prior to using material that may be copyrighted is expected. Ignorance of copyright does not excuse infringement, even if it might mitigate potential liability. AI model makers could have chosen to respect rights by default, by seeking permission to use data for training. They could have chosen to seek permission to crawl websites and could have heeded existing signals to crawlers like the Robots Exclusion Protocol. They could have chosen to abide by the requirements of open source software licenses in harvested code. They did not do so, because Silicon Valley prefers to ask forgiveness rather than seek permission. Permission is expensive; there wouldn't be much of an AI industry if that were the norm. The law may be one of the things broken by those applying Meta's shelved mantra "move fast and break things." So far, industry disinterest in seeking permission has worked well – AI companies have been held to account in only a few of the hundred-plus lawsuits objecting to AI content capture. The underlying RSL standard is slowly gaining adoption. The RSL Collective says more than 1,500 media organizations, brands, technology companies, and standards groups now support it following the launch of RSL 1.0 last December and the relevant RSL XML file can be seen at sites like The Guardian. While it's unclear what impact the RSL has had on AI biz behavior, extending the RSL to cover personal identity with the RSL-MEDIA standard may stir broader interest in AI rules and their enforcement. Or it may just affirm the XKCD comic about specifications and how they proliferate. There are already several similar protocols: TDM AI and TDMRep, Spawning's ai.txt, AI Preferences, not to mention a few that focus solely on images and commercial offerings like Cloudflare's Pay per crawl. But RSL Media may have a leg up thanks to the involvement of high-profile celebrities like Blanchett and endorsements from similarly well-known peers. "Of course artists and cultural creatives will inevitably be involved with AI," said Dame Emma Thompson in a statement. "At the moment, however, AI is merely stealing from us all. This is an urgent and essential initiative. It's also eminently doable, so let’s do it without delay." ® Editor's note: This story was amended post-publication with clarification about the relationship between RSL Media and the RSL Internet Collective.

Google is teasing a new line of "Googlebook" laptops for this fall, powered by a new Android-and-ChromeOS-derived operating system that will run Chrome, Android apps, phone-connected apps and files, and deeply integrated Gemini features. The company says Chromebooks will continue "after the launch of Googlebook" and "...all Chromebooks will continue to receive support through their device's existing date commitment." The Verge reports: "We'll have more to share on the exact OS branding later this year," Peter Du of Google's global communications team tells The Verge. [...] Googlebooks will have a Magic Pointer feature that offers contextual suggestions whenever you shake your cursor and point it at something on the screen. Google's examples include setting up a meeting by pointing at a date in an email or selecting images of furniture and a living space to visualize them together. Beyond your mouse pointer, Googlebooks will also feature the custom AI-created widgets that Google is also debuting today for Android phones and Wear OS smartwatches. I don't know what kind of horrors people will be able to make into widgets, but Google gives the example of making one to organize your flights, hotel information, restaurant reservations, and another for creating a countdown timer for an upcoming family reunion. (It's always flights, hotels, and restaurants, isn't it?) While there are many outstanding questions to be answered about Googlebooks, the biggest and most obvious ones are what will these laptops look like, what chips will be in them, and what will they cost? We've got none of that so far. Google only has some initial renders of a mysterious Googlebook and the promise that it's working with Acer, Asus, Dell, HP, and Lenovo to make the first models. There are no model names. No specs. Nada. Google isn't even saying if the laptop in its renders is made by a partner or a tease of some first-party Pixel-like Googlebook to come or is just a cool mockup. The one distinct hardware feature shown, the bar of glowing Google-colored light, will be a signature of all Googlebooks. (Sure, bring on the RGB. Why not?)

Read more of this story at Slashdot.

Microsoft and G42's planned $1 billion AI data center in Kenya has stalled amid disagreements over power commitments, with President William Ruto saying the country would need to "switch off half the country" to support the project at full scale. Tom's Hardware reports: The project, announced in May 2024 during Ruto's visit to Washington, was supposed to bring a geothermal-powered data center to the Olkaria region in Kenya's Rift Valley. G42 was to lead construction, with the facility running Microsoft Azure in a new East Africa cloud region. The first phase targeted 100 megawatts of capacity and was expected to be operational by this year, with a long-term goal of scaling to 1 gigawatt. President Ruto isn't exaggerating about shutting off half the country's power. Kenya's total installed electricity capacity sits between 3,000 and 3,200 megawatts, and peak demand reached a record 2,444 megawatts in January, according to data from KenGen, the country's government-owned electricity producer. The full 1 gigawatt build would therefore have consumed roughly a third of the country's total capacity, and even the first 100 megawatts would have required a significant share of the Olkaria geothermal complex's output, which currently generates around 950MW across all its plants. John Tanui, principal secretary at Kenya's Ministry of Information, told Bloomberg that the project hasn't been withdrawn and that talks are continuing, adding that the "scale of the data center they [Microsoft] wanted to do still requires some structuring." A separate 60-megawatt project with local developer EcoCloud is also still under discussion. [...] Microsoft is spending $190 billion on capex in 2026, and the company adds approximately 1 gigawatt of data center capacity every three months globally. But power constraints are proving to be a universal bottleneck: nearly half of planned U.S. data center builds this year have been delayed or canceled due to shortages of electrical infrastructure.

Read more of this story at Slashdot.

The EU plans to target "addictive design" features on TikTok, Instagram, and other platforms, including endless scrolling, autoplay, push notifications, and recommendation loops that can steer children toward harmful content. European Commission President Ursula von der Leyen said new regulation could arrive later this year, alongside an EU age-verification app meant to make child-safety rules easier to enforce. CNBC reports: "We are taking action against TikTok and its addictive design -- endless scrolling, autoplay, and push notifications. The same applies to Meta, because we believe Instagram and Facebook are failing to enforce their own minimum age of 13," Von der Leyen said. "We are investigating platforms that allow children to go down 'rabbit holes' of harmful content -- such as videos that promote eating disorders or self-harm," she added. The EU's executive arm has also developed its own age verification app, which has the "highest privacy standards in the world," according to Von der Leyen. Member states will soon be able to integrate it into their digital wallets, and it can easily be enforced by online platforms. "No more excuses -- the technology for age-verification is available," the EU chief said. The EU Commission could have a legal proposal prepared as soon as the summer, as it awaits the advice and findings of its 'Special Panel of experts on Child Safety Online.'

Read more of this story at Slashdot.

Eating in the field has never been fun for US Army soldiers. And they may soon face even stranger field rations than they do today: Alternative proteins delivered in formats ranging from powders and sauces to gels and semi-solids. The Army on Monday published a sources sought announcement to gather submissions from interested industry and academic partners in the "alternative protein sector," willing to help the branch develop rations that are lighter weight, have a longer shelf life, and could potentially be produced in combat-forward environments. According to the announcement, the Army is looking for submissions covering four areas: Technologies for developing alternative proteins, like fermentation and other biomanufacturing methods, meat alternative products for ration inclusion, consumer research seeking to "enhance the acceptability … of alternative proteins within a military population,” and food samples for government taste and performance evaluations. As an added element, the Army said that it wants ration products that meet its existing “stringent requirements for nutrition, shelf stability, and palatability,” though anyone who has served in the US Army and eaten field rations may have doubts about the military branch's commitment to palatability on its Meal, Ready-to-Eat (MRE). As a US Army veteran, this vulture can attest to an unfortunate level of familiarity with MREs, circa 2002. Beef frankfurters were famously one of the worst, as was the so-called “beef steak” meal that was more like a compressed loaf of meat leavings than an actual steak. The flavor didn’t matter at the end of the day, though, when you’d just marched 15 miles carrying 75 pounds on your back: You just needed sustenance, and even that five pack of frankfurters with a taste I shudder to recall sounded good under the right circumstances. The MRE menu lineup, which has changed several times in the past 20 years, includes a few vegetarian options, and it's those that make one of the Army’s requirements for this program so surprising. Civilians might be surprised to learn how popular the non-meat meals were, even among hardcore carnivores. The four or so vegetarian options in the overall MRE lineup were always the first to go when I was in. Not only did they replace military mystery MRE meat with something more appealing to eat out of an envelope, but they were actually tasty - relatively, of course. Vegetarian MREs also tended to be slightly less calorically dense than their animal-derived counterparts, so they included extra bits that made them an even bigger hit. Whether that would translate into soldiers embracing alternative proteins in future MREs isn’t a guarantee, of course. Most weren’t choosing the veggie MREs for alignment with their personal ethics so much as that they wanted a meal that didn’t suck. The Army’s goal of developing “lightweight and nutrient-dense ration solutions to reduce logistical burdens and physical load on warfighter” through the program is definitely a noble one. MREs get heavy quickly if you’re on a long field expedition, but the openness the Army is leaving in the announcement doesn’t make it sound like appetizing solutions could be the first to come out. “Gel/semi-solid formats, dry powder mixes, [and] sauce-style components” are all on the table, with the Army saying the format of “novel ready-to-eat formats … is at the offeror’s discretion.” In other words, future ration components could include gel packs stuffed with fermented mushroom protein and other nutrients, some form of unholy shake, or whatever else food scientists can come up with. Interested parties will need to move fast, though: As a sources sought announcement, this isn’t a solicitation, includes no promise the ideas will be given a research grant or procurement dollars, and has to be in by Friday, May 15, with no assistance from the government. The submissions the Army receives could help shape future solicitations in this space, however, meaning the MRE we currently know and … love … may eventually evolve into something rather more futuristic. Hopefully it tastes a bit better. One thing that soldiers will probably be thrilled about? No bugs in whatever field rations come next. "We are specifically excluding solutions related to cell-cultured, lab-grown meat or insect protein," the Army said, though we note that's only for the purposes of this particular announcement, so tomorrow's soldiers might still be subsisting on crickets and ants. ®

An anonymous reader quotes a report from Reuters: EBay on Tuesday rejected a $56 billion takeover bid from the much smaller GameStop over financing doubts, calling the proposal "neither credible nor attractive." EBay, which has roughly four times GameStop's market value, also underscored that its turnaround efforts under CEO Jamie Iannone have boosted growth, with its stock returning 201% since Iannone took the position six years ago. "We have concluded that your proposal is neither credible nor attractive," eBay Chairman Paul Pressler said in a statement. "eBay's Board is confident the company, under its current management team, is well-positioned to continue to drive sustainable growth." He also pointed to concerns with GameStop's bid, including its financing, its impact on eBay's long-term growth and the leadership structure of a potentially combined company. Last week, GameStop's CEO Ryan Cohen delivered one of the most memorable CNBC interviews in recent memory... initially disinterested, then increasingly hostile, with little eye contact, few real answers to basic questions, and repeated robotic deflections to "check the website." It's worth a watch if you have a few extra minutes.

Read more of this story at Slashdot.

America's telco regulator has seen some sense over its ban on foreign-made routers, deciding that existing devices should continue receiving software and firmware updates after all. The Federal Communications Commission (FCC) has extended waivers covering certain foreign-made routers (and drones) already operating in the US, pushing the update deadline to at least January 1, 2029. Without the extension, updates would have been blocked as early as 2027. Back in March, the FCC updated its Covered List to include all foreign-made consumer routers, prohibiting the approval of any new models. This effectively banned any new kit made in other countries from being sold, but did not prevent the import, sale, or use of existing models that had previously been authorized. The policy stems from fears that foreign-made router pose a security threat. Because they handle network traffic, they could introduce vulnerabilities exploitable against critical infrastructure, and in the words of the FCC represent "a severe cybersecurity risk that could harm Americans." Miscreants have exploited security flaws in routers to disrupt networks or steal intellectual property, and routers are implicated in the Volt, Flax, and Salt Typhoon cyberattacks. The policy was widely regarded as flawed, not just because the vast majority of consumer router kit is made outside the US or built from components sourced abroad, but because vulnerabilities and security flaws are not limited to any particular geography, and appear in products from all brands and countries of origin, as noted by the Global Electronics Association (GEA). Blocking firmware updates, which typically deliver security patches for newly discovered flaws, also seemed a peculiar own goal for a regulator whose stated motivation is reducing network vulnerability. The FCC has belatedly recognized this, stating that its policies would have "had the effect of prohibiting permissive changes to the UAS, UAS critical components, and routers added to the Covered List in December and March. "This prohibition would be in effect even for Class I and Class II permissive changes - such as software and firmware security updates that mitigate harm to US consumers - because previously authorized UAS, UAS critical components, and routers are now covered equipment." The waivers now run until at least until January 1, 2029, falling into the final month of the Trump administration, when there is a chance this may be overlooked in the preparations for Trump’s successor. The FCC extension was met with some approval. Doc McConnell, head of policy and compliance at security biz Finite State said in a supplied remark: “I strongly support the FCC’s decision to allow firmware and software updates for already-authorized routers, including covered devices already deployed in the United States.” “The biggest practical security risk with routers is not only who made them, but whether they remain patched. When they stop receiving updates, known vulnerabilities remain exposed, attackers gain durable footholds, and consumers are left with equipment they cannot realistically secure on their own. “The original restriction risked creating exactly that problem: millions of deployed routers frozen in time, unable to receive security fixes. I appreciate the FCC recognizing that preventing updates could unintentionally make Americans less safe,” he added. However, as previously reported by The Register, the FCC’s Conditional Approval framework explicitly requires vendors seeking approval for new routers to submit plans to establish or expand manufacturing in America, with quarterly progress updates. As stated by the GEA, “The policy’s logic assumes that manufacturers can and will move production to the United States.” That might be an assumption too far. ®

The US Congress has summoned education tech firm Instructure's CEO Steve Daly to the Hill to explain how digital thieves breached its Canvas online platform twice within two weeks. In a letter sent to the digital learning giant late Monday - around the same time Instructure said it had reached an “agreement” with extortion crew ShinyHunters - the US House Homeland Security Committee “requested” that Daly or a “senior representative” schedule a briefing with the committee as part of its investigation into the hacks. “The briefing should address the circumstances of both intrusions, the nature and volume of data accessed, the steps Instructure has taken and is taking to contain the threat and notify affected institutions, and the adequacy of the company’s coordination with federal law enforcement and CISA,” Homeland Security Committee Chairman Andrew Garbarino (R-NY) wrote [PDF]. “With students at more than 8,000 institutions navigating final examinations and end of semester deadlines, the disruption of a platform that Instructure itself describes as serving more than 30 million active users globally is a matter of national concern,” Garbarino said. Also late Monday, the education tech giant said it "reached an agreement with the unauthorized actor involved in this incident." Both Instructure and ShinyHunters, the cyber gang that claimed to have stolen data affecting up to 275 million students, teachers, and staff, claimed that this “agreement” involved deleting all of the stolen files. In other words: the company paid the undisclosed extortion demand prior to the Tuesday deadline, at which time ShinyHunters said they would leak all of the 8,800 colleges, universities, and K-12 schools’ records. "We received digital confirmation of data destruction (shred logs)," Instructure said, adding "We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise." The Reg has learned that ShinyHunters abused XSS vulnerabilities in Canvas' Free-for-Teacher learning software, and the bugs allowed the data thieves to obtain administrative access. During the first intrusion, which Instructure detected on April 29, the extortionists claimed to have stolen about 3.6 TB of uncompressed data, including usernames, email addresses, course names, enrollment information, and messages. On May 7, the crooks broke back into Canvas’ systems via the same vulnerability and injected JavaScript containing ransom demands directly into hundreds of Canvas school login portals, causing the ed-tech firm to take the platform offline for a day - during final exams and Advanced Placement testing for many. This is the second known security incident involving ShinyHunters and Instructure in less than a year. The extortion crew also breached Instructure's Salesforce environment in September 2025. Instructure plans to hold a public webinar on Wednesday with the leadership team “to detail information about the cyber attack and our activities to harden the system,” which will be held across “multiple time zones.” ®

The FCC has softened its ban on foreign-made consumer routers, allowing vendors to keep issuing broader software and firmware updates for devices already in use in the U.S. through at least January 2029. Dark Reading reports: Under the original FCC ruling, foreign manufacturers were permitted to provide only limited maintenance and security patches to US customers through March 2027. In a public note (PDF) on May 8, the FCC extended that deadline to at least January 2029 and also expanded the scope of permissible updates. The FCC will now allow foreign manufacturers to provide not just minor security fixes and changes, but also more major software and firmware updates that could affect router functionality, which previously required additional FCC review. The agency described the revisions as intended to ensure the continued safety of already deployed foreign-made consumer routers in the US. "The FCC likely issued this revision in response to the operational realities of network security and the slow pace of equipment replacement," says Jason Soroko, senior fellow at Sectigo. "Replacing millions of embedded devices across national infrastructure requires immense time and capital, and abandoning existing systems to a completely unpatched state would create an immediate vulnerability." "This waiver significantly alleviates the most pressing fears tied to the initial ban by preventing a sudden and dangerous security vacuum," added Soroko.

Read more of this story at Slashdot.

The US Department of Justice has begun accepting applications from victims of the AirBit Club crypto Ponzi scheme for a slice of more than $400 million in forfeited assets tied to the fraud. The compensation fund currently lists about $150 million as available for payout. Launched in 2015, AirBit Club’s schtick was that it ostensibly offered investors guaranteed daily passive income through cryptocurrency mining and trading. It was pitched as a trustworthy multi-level marketing initiative, although prosecutors have since said it mainly preyed on “unsophisticated investors,” running conferences and expos as ways to demonstrate its legitimacy. Members were given access to an investor portal, which would display sums they wanted, and expected, to see – daily profits building as promised. However, these figures were entirely fabricated. Investors’ money was never used for cryptocurrency mining or trading; instead, prosecutors said, it was pocketed by the fraudsters behind AirBit Club and used to fund additional recruitment events across the United States, Latin America, Asia, and Eastern Europe. Of course, when investors tried to withdraw their funds, they were met with delays, fees sometimes exceeding 50 percent, or just plain old account freezes. According to a dedicated website established for the compensation scheme, victims must meet a number of criteria in order to prove their eligibility, including that they used their own money to invest, did so without willful ignorance of the scam’s illegitimacy, and that they had funds still inside AirBit Club at the time of its collapse in August 2020. Those who withdrew their funds before that time, likely incurring the huge withdrawal fees to do so, will not be eligible. “Investor euphoria over new technology is all too often fertile ground for fraudsters,” said US Attorney Jay Clayton for the Southern District of New York. “It is our job to root out those fraudsters." “Here, the defendants led a multimillion-dollar pyramid scheme based on lies about virtual currency trading and mining. They now face justice, and this outcome should deter anyone who may be tempted to target others with false promises of high returns in virtual currency investments.” Five AirBit defendants Five defendants involved in the AirBit Club scam were sentenced in 2023 after pleading guilty, including co-founders Pablo Renato Rodriguez and Gutemberg Dos Santos, who received prison terms of 12 years and 40 months, respectively, in addition to extensive forfeiture orders. Both Rodriguez and Dos Santos were previously sued by the SEC in 2017 for their roles in a separate pyramid investment scheme, Vizinova, and paid $1.7 million in penalties. Cecilia Millan and Karina Chairez were identified in court documents as senior promoters in the AirBit Club scheme. Millan was sentenced to five years in prison and three years of supervised release, while Chairez received a sentence of one year and one day in prison followed by three months of supervised release. The final member was Scott Hughes, described as the scheme’s attorney. He was sentenced to 18 months in prison and three years of supervised release after pleading guilty to laundering approximately $18 million for AirBit Club, through domestic and foreign bank accounts, as well as an attorney trust account that was reserved for handling his practice’s clients’ funds. He also helped the group erase negative articles about it from the internet. In one case, Hughes engaged a website removal company to remove 15 articles calling AirBit a scam. The group paid $3,000 for each of the 15 takedowns, court documents stated. ®

Researchers at Columbia demonstrated the first real-time brain-controlled hearing system that can identify which speaker a listener is focusing on in a noisy environment and automatically amplify that voice while suppressing others. "This breakthrough addresses the 'cocktail party effect,' a major limitation of conventional hearing aids, which often struggle to distinguish between overlapping conversations in noisy settings," reports Neuroscience News. From the report: In the new study, Columbia researchers teamed up with surgeons and their epilepsy patients who were undergoing brain surgery to better pinpoint the sources of their seizures. The hospital patients, who volunteered to be part of this study, already had electrodes implanted in their brains. [senior author Nima Mesgarani's] system used the electrodes to measure the brain activity of the patients as they focused on one of two overlapping conversations played simultaneously. The system then automatically detected which conversation a patient was paying attention to and adjusted the volume in real time, turning up that conversation while quieting the other. For one volunteer, the experience of controlling the system with her brain was literally unbelievable. She accused the researchers of secretly adjusting the volumes. Others told stories about friends and family with hearing impairments who could benefit from such a technology. One person said: "It seems like science fiction." [...] The scientists developed real-time machine-learning algorithms that could examine the brainwaves and identify which conversation the patients were paying attention to. Once deployed, their system could rapidly deduce which conversation each listener was paying attention to and make it easier for them to hear it. This happened both when the researchers guided the subjects toward a particular conversation, and when the subjects chose freely, as would be necessary in a real-world conversation. "For this to work in real time, the system has to be very fast, accurate and stable for the experience to feel pleasant for the listener," Dr. Mesgarani said. The scientists found their new system correctly identified which conversation the volunteers paid attention to. This dramatically improved the intelligibility of the speech the volunteers focused on, reduced listening effort, and was consistently preferred by the volunteers when compared to conversations the system did not provide assistance with. One volunteer recalled her uncle, who had hearing problems. "Can you imagine if this technology existed in a world [where] ... he could access it? He might actually live a much more peaceful... life." The research has been published in Nature Neuroscience.

Read more of this story at Slashdot.

A US commercial bank just tattled on itself to the Securities and Exchange Commission (SEC) for plugging a bunch of customer data into an unauthorized AI application. Community Bank, which operates in southwestern Pennsylvania, Ohio, and West Virginia, filed an 8-K with the regulator on Monday, saying it launched an investigation into the internal cockup, which remains ongoing. It felt compelled to submit the filing "due to the volume and sensitive nature of the non-public information." This included customer names, dates of birth, and Social Security numbers, but the filing provided no further detail about the incident. Community Bank did not specify what this "unauthorized AI-based software application" was or how it was used. However, the disclosure of data such as SSNs, which in the US are generally categorized among the most sensitive types of data that organizations can store on behalf of customers, is protected under several federal and state laws. One possibility is that the data was entered into a generative AI tool outside the bank's approved systems. If so, that could raise questions about whether the information was transmitted to a third-party provider and how it may have been retained or processed. The Register asked Community Bank for more details and will update this story if it responds. The bank confirmed that it suffered no operational impact and customers were not prevented from accessing their accounts or payment services as a result. "The company is evaluating the customer data that was affected and is conducting notifications as required by applicable federal and state laws and regulatory guidance," Community Bank stated in its cybersecurity disclosure. "The company has been, and continues to be, in communication with relevant banking and financial regulators regarding the incident." It also promised to continue its remediation efforts, take action to prevent future failures, and gave the "we're committed to protecting customers' data" line that always goes down so well. ®

SpaceX is set to launch the third version of its Starship rocket after completing a Wet Dress Rehearsal (WDR) - a full fueling test - yesterday. It was second time lucky for Elon Musk's rocketeers, after a first attempt over the weekend was aborted. The issue cropped up before propellant was loaded. However, on Monday, the company tried again and confirmed that during the countdown (designed to check out as many activities as possible short of launching the behemoth) 5,000 metric tons (more than 11 million pounds) of propellant were loaded into the vehicles stacked on the company's new Pad 2 at its Starbase facility in Texas. NASA's Artemis II also suffered from WDR problems, although the US space agency was forced to roll the rocket stack back to the Vehicle Assembly Building for repairs. Whatever issue bedeviled SpaceX's latest Starship and its Super Heavy Booster was dealt with at the pad, and the test was successfully repeated. A launch of the latest rocket revision could therefore occur in the coming days or weeks, pending the results of the WDR and approval from the Federal Aviation Administration (FAA). Although SpaceX has yet to confirm a target date, it is likely sometime toward the end of May. SpaceX had already performed a full-duration and full-thrust static fire of the 33 engines of the Super Heavy Booster earlier in May, and showed off imagery of the complete Starship V3 stack on May 9. Time is running out for the company. NASA has stated that it aims to launch the Artemis III mission at the end of 2027, intended to test hardware for a planned lunar landing the following year. SpaceX is contracted to produce a lunar lander for the US space agency, and getting the third version of Starship into space is an essential part of those plans. This next mission, Flight 12, will not be troubling orbit as SpaceX tests the changes made to the new version of the launcher. Future launches must, however, reach orbit if the company is to stand a chance of meeting NASA's requirement for a rendezvous demonstration and check-out as part of Artemis III. ®

Vodafone has not listed a potential liability in its 2026 financial results stemming from a legal claim by franchise operators who allege they were harmed by company-imposed business decisions. The Fairer Franchise campaign group represents 62 current and former Vodafone franchisees, who are bringing an £85 million ($115 million) High Court claim, alleging the telco unilaterally cut commissions and overhauled the way it compensated them for operating Vodafone-branded stores, often without consultation. The claimants, some of whom are former employees of Vodafone, say they were encouraged to invest heavily in Vodafone stores after the firm established a franchise program in mid-2017. This expanded to around 400 branches, 183 of which were operated by the claimants in the case. Vodafone is alleged to have repeatedly and unilaterally cut the commissions paid to franchisees for sales of its products and services, particularly from July 2020 onward. The group also claims Vodafone changed remuneration models without consultation or proper consideration of the impact this would have on the franchised businesses. In particular, the claimants allege Vodafone unlawfully clipped remuneration from August 1, 2020, by reducing the commission rates on customer and home broadband upgrade transactions, and that it restructured the calculation of commission to franchisees in a manner beneficial to itself, as part of the rollout of a scheme called "EVO" in June 2021. At the heart of the case is the group's claim that the franchisees were effectively "commercial agents" of Vodafone – within the meaning of the Commercial Agents Regulations – because they sold products and contracts on Vodafone's behalf. Vodafone denies this and says the regulations do not apply. If the High Court rules that they are applicable, the franchise operators may be entitled to termination indemnities that the claimants estimate could be worth up to £52 million ($70 million) alone. The group says Vodafone has already conceded aspects of the claim in court, including admitting breach of contract in relation to rent-free periods for some stores that were not passed on to the franchisees. A spokesperson for the Fairer Franchise group told The Register: "Vodafone has again failed to disclose our £85 million High Court claim as a contingent liability in today's results, while quietly paying more than £20 million to other franchisees with no explanation, and after admitting it breached our contracts over rent-free periods never passed on to us." "We are 62 people who lost our businesses, our savings, and in many cases our health. As VodafoneThree prepares to reshape two retail estates, the question for investors and analysts is whether this management team should press ahead while serious allegations about its treatment of franchisees remain unresolved." The next hearing is scheduled for July 9. The Register asked Vodafone for a statement regarding the group's claims and why it did not mention the case as a potential liability in its financial results. In its results report published Tuesday, Vodafone says: "Legal proceedings where the Group considers that the likelihood of material future outflows of cash or other resources is more than remote are disclosed below. Where the Group assesses that it is probable that the outcome of legal proceedings will result in a financial outflow, and a reliable estimate can be made of the amount of that obligation, a provision is recognized for these amounts." For the UK, Vodafone lists two lawsuits. One involves alleged overcharging of customers who signed contracts that included both a handset and airtime. The other covers alleged collusion between the major UK mobile networks to withdraw their business from Phones 4U, causing its collapse. There is no mention of the Fairer Franchise case. Vodafone Group's fiscal 2026 results showed an 8 percent year-on-year increase in revenue to €40.5 billion ($47.6 billion), attributed to strong services growth and the consolidation of Three UK. Service revenue grew 8.8 percent to €33.5 billion ($39.3 billion), although for the UK the rise was just 0.3 percent. ®

The National Health Service in England has confirmed it is allowing staff from Palantir access to patient data following a change in policy. The US spy-tech firm provides the technology for the Federated Data Platform (FDP), under a £330 million ($446 million) contract it won in 2023. The system is designed to improve data sharing across the NHS in England and help the state healthcare provider recover from the pandemic backlog. Under previously agreed rules, Palantir staff working on the FDP could only access the National Data Integration Tenant (NDIT), a data repository for patient data before it is transferred to the "pseudonymized" analytics system, if they apply to access for specific data sets. A document released by NHS England says that Palantir staff can get a new "admin" role and access the NDIT and its identifiable patient data. Other consultants working on the FDP will get similar access. The briefing document, seen by the FT and confirmed by The Register, said granting access to the data to Palantir staff and others could "risk of loss of public confidence" in its assurances about "safeguarding patient data and ensuring appropriate use and access to it." The Register understands the change is designed apply to a small number of people working on the new central data collection platform, used to monitor NHS performance using the NDIT. An NHS England spokesperson said: "The NHS has strict policies in place for managing access to patient data and carries out regular audits to ensure compliance - including monitoring the work of engineers helping to set up the central data collection platform that will track NHS performance and help improve care for patients. “Anyone external requiring access must have government security clearance and be approved by a member of NHS England staff at director level or above.” Sam Smith, coordinator at health privacy campaign group medConfidential, said Palantir and other consultants have already been able to access patient data - albeit pseudonymized in some cases - in other tenants of the FDP. But NHS England became unstuck because of its lack of clarity, he said, adding: "It's the equivalent of telling a civil servant, 'Only you can read your email' and then going, 'Oh, but freedom of information exists'. It is just a lack of transparency that we got through a leak, rather than saying 'We're going to do this thing, here's what it will mean'." NHS England is the quango which runs the NHS in England under the Department for Health and Social Care. The incumbent Labour government is disbanding NHS England and plans to run the service directly from the Whitehall department. In March, the Health Service Journal reported that nearly a third of NHS trusts connected to the FDP in 2025 were not meeting data security standards. An NHSE spokesperson told the publication: "The Federated Data Platform has data protection and cyber security at its core, which is why the NHS has worked with local organizations to ensure they meet the required standards and have introduced strengthened measures where appropriate." The minister responsible for the FDP, Zubir Ahmed, told MPs last month that NHS England and NHS organizations would "retain full control as data controllers, including over decisions about how data is used, who can access it and which products are deployed." He said: "Palantir does not own the data, the products or the intellectual property, nor can it use the NHS data for its own purposes." He said: "Palantir operates strictly within a UK-regulated contract where the NHS controls all data, access is tightly governed, and information can be used only for agreed purposes that benefit patients." When it launched the FDP contract, the NHS said patient data would be protected through "clear regulations, security measures, retained within the UK region, with access fully audited and NHS cyber security monitoring and protection." Palantir was awarded the FDP contract after winning a succession of pandemic-era deals, worth a combined £60 million, without competition. ®

Frontier AI safety testing is becoming a security nightmare of its own, with a new RUSI report warning that the process of granting outsiders access to inspect powerful AI models is itself creating new security risks. The paper, published Tuesday by London-based think tank Royal United Services Institute (RUSI), warns that the rapidly expanding system of third-party AI evaluations is riddled with inconsistent standards, vague terminology, weak access controls, and security assumptions that would make most enterprise infosec teams break out in hives. The report focuses on a growing problem facing governments and AI companies alike: meaningful safety testing requires outsiders to access advanced models, but every new access pathway creates another opportunity for theft, tampering, espionage, or abuse. That gets especially risky when the systems in question are being evaluated for capabilities related to cyberattacks or chemical and biological weapon development. "The security risks associated with this access, from intellectual property leakage to model compromise to exploitation by state-sponsored actors, remain poorly mapped and inadequately standardized," the authors wrote. RUSI argues that the industry has drifted into a situation in which labs, evaluators, governments, and researchers are all operating under different definitions of what "secure access" actually means. One evaluator might get limited API access, while another receives deeper visibility into model internals, infrastructure, or training environments. The paper introduces what it calls an "Access-Risk Matrix" designed to map different types of model access against different threat scenarios. Unsurprisingly, handing outsiders write access to frontier models lands firmly in the "what could possibly go wrong?" category. "Write access to model internals represents the access type with the highest level of risk," the report warns, because it potentially allows adversaries to tamper with model behavior directly. The report also punctures the industry's tendency to frame frontier AI security as some entirely new class of problem requiring magical new solutions. Some of the biggest risks identified by the authors are depressingly familiar: stolen credentials, poor credential hygiene, weak access revocation, and overprivileged users. In other words, the same identity and access management problems corporate security teams have wrestled with for decades, except now attached to systems being tested for catastrophic misuse risks. RUSI also warns that the lack of internationally standardized rules governing AI evaluations is creating openings for hostile states, criminal groups, and rogue insiders to exploit gaps between jurisdictions and organizations. "Access decisions remain ad hoc, security expectations are inconsistent and the language used to describe access levels varies across jurisdictions, organizations and agreements," the paper states. The report ultimately calls for formalized international governance frameworks and closer coordination between cybersecurity professionals and AI safety researchers before the current patchwork system turns into the world's most expensive lesson in privileged access management. ®

An attacker has published 84 malicious versions of official TanStack npm packages, with the impact including credential theft, self-propagation, and complete disk wipe of an infected host. The attack is part of a wave of attacks across npm and PyPI, continuing the Mini Shai-Hulud campaign. Supply chain security company Socket reports that other compromised packages include the OpenSearch client, Mistral AI, UiPath, and Guardrails AI. Malicious npm packages for TanStack, an open source application stack, were published between 19:20 and 19:26 UTC on May 11. The attack was detected and reported within 30 minutes by StepSecurity, triggering incident response and npm deprecation. GitHub published a security advisory at 21:30 UTC, including a list of affected packages. TanStack founder Tanner Linsley published a postmortem describing how the attacker used a malicious commit on a fork to create a pull request on the TanStack repository, causing scripts to auto-run and build the malware. This poisoned the GitHub Actions cache in what Linsley said is a variant of a known GitHub Action vulnerability discovered in 2024. The malware then extracted the npm OpenID Connect (OIDC) token, used for trusted npm publishing, from runner memory using the same code used to compromise tj-actions in an attack last year. No TanStack maintainers were compromised. StepSecurity has a detailed analysis of the attack, noting that the payload "reads files from over 100 hardcoded paths" including those that may contain cloud credentials, SSH (secure shell) keys, developer tool configuration files, crypto wallets, VPN configurations, messaging credentials, and shell history. Shell history may contain tokens and passwords pasted into the terminal. Security researcher Nicholas Carlini warned the payload "installs a dead-man's switch… as a system user service." The service checks whether a stolen GitHub token has been revoked and, if it has, runs a command to wipe the local disk completely. Socket's write-up includes recommended actions such as rotating all secrets on any affected system. GitHub's advisory suggests "any developer or CI environment that ran npm install, pnpm install, or yarn install against an affected version on 2026-05-11 should be considered compromised." The Mistral AI has also been reported reported on GitHub, and at the time of writing, the Mistral AI project is quarantined on PyPI. This attack is still evolving and will likely have a far-reaching impact. It confirms again that running everyday commands like npm install is unsafe, that for all their efforts major package repositories including npm and PyPI are still not secured, and that software development is now best done in isolated, ephemeral environments. ®