TheRegister

Articles from www.theregister.com

US Army goes green-ish, wants soldiers munching on plant proteins

1 hour 17 min ago
Eating in the field has never been fun for US Army soldiers. And they may soon face even stranger field rations than they do today: Alternative proteins delivered in formats ranging from powders and sauces to gels and semi-solids. The Army on Monday published a sources sought announcement to gather submissions from interested industry and academic partners in the "alternative protein sector," willing to help the branch develop rations that are lighter weight, have a longer shelf life, and could potentially be produced in combat-forward environments. According to the announcement, the Army is looking for submissions covering four areas: Technologies for developing alternative proteins, like fermentation and other biomanufacturing methods, meat alternative products for ration inclusion, consumer research seeking to "enhance the acceptability … of alternative proteins within a military population,” and food samples for government taste and performance evaluations. As an added element, the Army said that it wants ration products that meet its existing “stringent requirements for nutrition, shelf stability, and palatability,” though anyone who has served in the US Army and eaten field rations may have doubts about the military branch's commitment to palatability on its Meal, Ready-to-Eat (MRE). As a US Army veteran, this vulture can attest to an unfortunate level of familiarity with MREs, circa 2002. Beef frankfurters were famously one of the worst, as was the so-called “beef steak” meal that was more like a compressed loaf of meat leavings than an actual steak. The flavor didn’t matter at the end of the day, though, when you’d just marched 15 miles carrying 75 pounds on your back: You just needed sustenance, and even that five pack of frankfurters with a taste I shudder to recall sounded good under the right circumstances. 
The MRE menu lineup, which has changed several times in the past 20 years, includes a few vegetarian options, and it's those that make one of the Army’s requirements for this program so surprising. Civilians might be surprised to learn how popular the non-meat meals were, even among hardcore carnivores. The four or so vegetarian options in the overall MRE lineup were always the first to go when I was in. Not only did they replace military mystery MRE meat with something more appealing to eat out of an envelope, but they were actually tasty - relatively, of course. Vegetarian MREs also tended to be slightly less calorically dense than their animal-derived counterparts, so they included extra bits that made them an even bigger hit. Whether that would translate into soldiers embracing alternative proteins in future MREs isn’t a guarantee, of course. Most weren’t choosing the veggie MREs out of alignment with their personal ethics so much as because they wanted a meal that didn’t suck. The Army’s goal of developing “lightweight and nutrient-dense ration solutions to reduce logistical burdens and physical load on warfighter” through the program is definitely a noble one. MREs get heavy quickly if you’re on a long field expedition, but the openness the Army is leaving in the announcement doesn’t make it sound like appetizing solutions could be the first to come out. “Gel/semi-solid formats, dry powder mixes, [and] sauce-style components” are all on the table, with the Army saying the format of “novel ready-to-eat formats … is at the offeror’s discretion.” In other words, future ration components could include gel packs stuffed with fermented mushroom protein and other nutrients, some form of unholy shake, or whatever else food scientists can come up with.
Interested parties will need to move fast, though: As a sources sought announcement, this isn’t a solicitation, includes no promise the ideas will be given a research grant or procurement dollars, and has to be in by Friday, May 15, with no assistance from the government. The submissions the Army receives could help shape future solicitations in this space, however, meaning the MRE we currently know and … love … may eventually evolve into something rather more futuristic. Hopefully it tastes a bit better. One thing that soldiers will probably be thrilled about? No bugs in whatever field rations come next. "We are specifically excluding solutions related to cell-cultured, lab-grown meat or insect protein," the Army said, though we note that's only for the purposes of this particular announcement, so tomorrow's soldiers might still be subsisting on crickets and ants. ®
Categories: Linux fréttir

FCC walks back router update ban before it bricks America's network security

1 hour 30 min ago
America's telco regulator has seen some sense over its ban on foreign-made routers, deciding that existing devices should continue receiving software and firmware updates after all. The Federal Communications Commission (FCC) has extended waivers covering certain foreign-made routers (and drones) already operating in the US, pushing the update deadline to at least January 1, 2029. Without the extension, updates would have been blocked as early as 2027. Back in March, the FCC updated its Covered List to include all foreign-made consumer routers, prohibiting the approval of any new models. This effectively banned any new kit made in other countries from being sold, but did not prevent the import, sale, or use of existing models that had previously been authorized. The policy stems from fears that foreign-made routers pose a security threat. Because they handle network traffic, they could introduce vulnerabilities exploitable against critical infrastructure, and in the words of the FCC represent "a severe cybersecurity risk that could harm Americans." Miscreants have exploited security flaws in routers to disrupt networks or steal intellectual property, and routers are implicated in the Volt, Flax, and Salt Typhoon cyberattacks. The policy was widely regarded as flawed, not just because the vast majority of consumer router kit is made outside the US or built from components sourced abroad, but because vulnerabilities and security flaws are not limited to any particular geography, and appear in products from all brands and countries of origin, as noted by the Global Electronics Association (GEA). Blocking firmware updates, which typically deliver security patches for newly discovered flaws, also seemed a peculiar own goal for a regulator whose stated motivation is reducing network vulnerability.
The FCC has belatedly recognized this, stating that its policies would have "had the effect of prohibiting permissive changes to the UAS, UAS critical components, and routers added to the Covered List in December and March." "This prohibition would be in effect even for Class I and Class II permissive changes - such as software and firmware security updates that mitigate harm to US consumers - because previously authorized UAS, UAS critical components, and routers are now covered equipment." The waivers now run until at least January 1, 2029, falling into the final month of the Trump administration, when there is a chance this may be overlooked in the preparations for Trump’s successor. The FCC extension was met with some approval. Doc McConnell, head of policy and compliance at security biz Finite State, said in a supplied remark: “I strongly support the FCC’s decision to allow firmware and software updates for already-authorized routers, including covered devices already deployed in the United States.” “The biggest practical security risk with routers is not only who made them, but whether they remain patched. When they stop receiving updates, known vulnerabilities remain exposed, attackers gain durable footholds, and consumers are left with equipment they cannot realistically secure on their own.” “The original restriction risked creating exactly that problem: millions of deployed routers frozen in time, unable to receive security fixes. I appreciate the FCC recognizing that preventing updates could unintentionally make Americans less safe,” he added. However, as previously reported by The Register, the FCC’s Conditional Approval framework explicitly requires vendors seeking approval for new routers to submit plans to establish or expand manufacturing in America, with quarterly progress updates. As stated by the GEA, “The policy’s logic assumes that manufacturers can and will move production to the United States.” That might be an assumption too far. ®

Congress investigates Canvas breach as company pays ransom

2 hours 5 min ago
The US Congress has summoned education tech firm Instructure's CEO Steve Daly to the Hill to explain how digital thieves breached its Canvas online platform twice within two weeks. In a letter sent to the digital learning giant late Monday - around the same time Instructure said it had reached an “agreement” with extortion crew ShinyHunters - the US House Homeland Security Committee “requested” that Daly or a “senior representative” schedule a briefing with the committee as part of its investigation into the hacks. “The briefing should address the circumstances of both intrusions, the nature and volume of data accessed, the steps Instructure has taken and is taking to contain the threat and notify affected institutions, and the adequacy of the company’s coordination with federal law enforcement and CISA,” Homeland Security Committee Chairman Andrew Garbarino (R-NY) wrote [PDF]. “With students at more than 8,000 institutions navigating final examinations and end of semester deadlines, the disruption of a platform that Instructure itself describes as serving more than 30 million active users globally is a matter of national concern,” Garbarino said. Also late Monday, the education tech giant said it "reached an agreement with the unauthorized actor involved in this incident." Both Instructure and ShinyHunters, the cyber gang that claimed to have stolen data affecting up to 275 million students, teachers, and staff, claimed that this “agreement” involved deleting all of the stolen files. In other words: the company paid the undisclosed extortion demand prior to the Tuesday deadline, at which time ShinyHunters said they would leak all of the 8,800 colleges, universities, and K-12 schools’ records. "We received digital confirmation of data destruction (shred logs)," Instructure said, adding "We have been informed that no Instructure customers will be extorted as a result of this incident, publicly or otherwise." 
The Reg has learned that ShinyHunters abused XSS vulnerabilities in Canvas' Free-for-Teacher learning software, and the bugs allowed the data thieves to obtain administrative access. During the first intrusion, which Instructure detected on April 29, the extortionists claimed to have stolen about 3.6 TB of uncompressed data, including usernames, email addresses, course names, enrollment information, and messages. On May 7, the crooks broke back into Canvas’ systems via the same vulnerability and injected JavaScript containing ransom demands directly into hundreds of Canvas school login portals, causing the ed-tech firm to take the platform offline for a day - during final exams and Advanced Placement testing for many. This is the second known security incident involving ShinyHunters and Instructure in less than a year. The extortion crew also breached Instructure's Salesforce environment in September 2025. Instructure plans to hold a public webinar on Wednesday with the leadership team “to detail information about the cyber attack and our activities to harden the system,” which will be held across “multiple time zones.” ®

AirBit crypto Ponzi victims can now claim slice of $400M asset haul

2 hours 35 min ago
The US Department of Justice has begun accepting applications from victims of the AirBit Club crypto Ponzi scheme for a slice of more than $400 million in forfeited assets tied to the fraud. The compensation fund currently lists about $150 million as available for payout. Launched in 2015, AirBit Club’s schtick was that it ostensibly offered investors guaranteed daily passive income through cryptocurrency mining and trading. It was pitched as a trustworthy multi-level marketing initiative, although prosecutors have since said it mainly preyed on “unsophisticated investors,” running conferences and expos as ways to demonstrate its legitimacy. Members were given access to an investor portal, which would display sums they wanted, and expected, to see – daily profits building as promised. However, these figures were entirely fabricated. Investors’ money was never used for cryptocurrency mining or trading; instead, prosecutors said, it was pocketed by the fraudsters behind AirBit Club and used to fund additional recruitment events across the United States, Latin America, Asia, and Eastern Europe. Of course, when investors tried to withdraw their funds, they were met with delays, fees sometimes exceeding 50 percent, or just plain old account freezes. According to a dedicated website established for the compensation scheme, victims must meet a number of criteria in order to prove their eligibility, including that they used their own money to invest, did so without willful ignorance of the scam’s illegitimacy, and that they had funds still inside AirBit Club at the time of its collapse in August 2020. Those who withdrew their funds before that time, likely incurring the huge withdrawal fees to do so, will not be eligible. “Investor euphoria over new technology is all too often fertile ground for fraudsters,” said US Attorney Jay Clayton for the Southern District of New York. “It is our job to root out those fraudsters." 
“Here, the defendants led a multimillion-dollar pyramid scheme based on lies about virtual currency trading and mining. They now face justice, and this outcome should deter anyone who may be tempted to target others with false promises of high returns in virtual currency investments.”

Five AirBit defendants

Five defendants involved in the AirBit Club scam were sentenced in 2023 after pleading guilty, including co-founders Pablo Renato Rodriguez and Gutemberg Dos Santos, who received prison terms of 12 years and 40 months, respectively, in addition to extensive forfeiture orders. Both Rodriguez and Dos Santos were previously sued by the SEC in 2017 for their roles in a separate pyramid investment scheme, Vizinova, and paid $1.7 million in penalties. Cecilia Millan and Karina Chairez were identified in court documents as senior promoters in the AirBit Club scheme. Millan was sentenced to five years in prison and three years of supervised release, while Chairez received a sentence of one year and one day in prison followed by three months of supervised release. The final member was Scott Hughes, described as the scheme’s attorney. He was sentenced to 18 months in prison and three years of supervised release after pleading guilty to laundering approximately $18 million for AirBit Club, through domestic and foreign bank accounts, as well as an attorney trust account that was reserved for handling his practice’s clients’ funds. He also helped the group erase negative articles about it from the internet. In one case, Hughes engaged a website removal company to remove 15 articles calling AirBit a scam. The group paid $3,000 for each of the 15 takedowns, court documents stated. ®

US bank reports itself after slinging customer data at 'unauthorized AI app'

3 hours 30 min ago
A US commercial bank just tattled on itself to the Securities and Exchange Commission (SEC) for plugging a bunch of customer data into an unauthorized AI application. Community Bank, which operates in southwestern Pennsylvania, Ohio, and West Virginia, filed an 8-K with the regulator on Monday, saying it launched an investigation into the internal cockup, which remains ongoing. It felt compelled to submit the filing "due to the volume and sensitive nature of the non-public information." This included customer names, dates of birth, and Social Security numbers, but the filing provided no further detail about the incident. Community Bank did not specify what this "unauthorized AI-based software application" was or how it was used. However, the disclosure of data such as SSNs, which in the US are generally categorized among the most sensitive types of data that organizations can store on behalf of customers, is protected under several federal and state laws. One possibility is that the data was entered into a generative AI tool outside the bank's approved systems. If so, that could raise questions about whether the information was transmitted to a third-party provider and how it may have been retained or processed. The Register asked Community Bank for more details and will update this story if it responds. The bank confirmed that it suffered no operational impact and customers were not prevented from accessing their accounts or payment services as a result. "The company is evaluating the customer data that was affected and is conducting notifications as required by applicable federal and state laws and regulatory guidance," Community Bank stated in its cybersecurity disclosure. "The company has been, and continues to be, in communication with relevant banking and financial regulators regarding the incident." 
It also promised to continue its remediation efforts, take action to prevent future failures, and gave the "we're committed to protecting customers' data" line that always goes down so well. ®

SpaceX Starship completes Wet Dress Rehearsal, gets ready for launch

3 hours 57 min ago
SpaceX is set to launch the third version of its Starship rocket after completing a Wet Dress Rehearsal (WDR) - a full fueling test - yesterday. It was second time lucky for Elon Musk's rocketeers, after a first attempt over the weekend was aborted. The issue cropped up before propellant was loaded. However, on Monday, the company tried again and confirmed that during the countdown (designed to check out as many activities as possible short of launching the behemoth) 5,000 metric tons (more than 11 million pounds) of propellant were loaded into the vehicles stacked on the company's new Pad 2 at its Starbase facility in Texas. NASA's Artemis II also suffered from WDR problems, although the US space agency was forced to roll the rocket stack back to the Vehicle Assembly Building for repairs. Whatever issue bedeviled SpaceX's latest Starship and its Super Heavy Booster was dealt with at the pad, and the test was successfully repeated. A launch of the latest rocket revision could therefore occur in the coming days or weeks, pending the results of the WDR and approval from the Federal Aviation Administration (FAA). Although SpaceX has yet to confirm a target date, it is likely sometime toward the end of May. SpaceX had already performed a full-duration and full-thrust static fire of the 33 engines of the Super Heavy Booster earlier in May, and showed off imagery of the complete Starship V3 stack on May 9. Time is running out for the company. NASA has stated that it aims to launch the Artemis III mission at the end of 2027, intended to test hardware for a planned lunar landing the following year. SpaceX is contracted to produce a lunar lander for the US space agency, and getting the third version of Starship into space is an essential part of those plans. This next mission, Flight 12, will not be troubling orbit as SpaceX tests the changes made to the new version of the launcher. 
Future launches must, however, reach orbit if the company is to stand a chance of meeting NASA's requirement for a rendezvous demonstration and check-out as part of Artemis III. ®

Lawsuit brought by former store operators missing from Vodafone results

4 hours 45 min ago
Vodafone has not listed a potential liability in its 2026 financial results stemming from a legal claim by franchise operators who allege they were harmed by company-imposed business decisions. The Fairer Franchise campaign group represents 62 current and former Vodafone franchisees, who are bringing an £85 million ($115 million) High Court claim, alleging the telco unilaterally cut commissions and overhauled the way it compensated them for operating Vodafone-branded stores, often without consultation. The claimants, some of whom are former employees of Vodafone, say they were encouraged to invest heavily in Vodafone stores after the firm established a franchise program in mid-2017. This expanded to around 400 branches, 183 of which were operated by the claimants in the case. Vodafone is alleged to have repeatedly and unilaterally cut the commissions paid to franchisees for sales of its products and services, particularly from July 2020 onward. The group also claims Vodafone changed remuneration models without consultation or proper consideration of the impact this would have on the franchised businesses. In particular, the claimants allege Vodafone unlawfully clipped remuneration from August 1, 2020, by reducing the commission rates on customer and home broadband upgrade transactions, and that it restructured the calculation of commission to franchisees in a manner beneficial to itself, as part of the rollout of a scheme called "EVO" in June 2021. At the heart of the case is the group's claim that the franchisees were effectively "commercial agents" of Vodafone – within the meaning of the Commercial Agents Regulations – because they sold products and contracts on Vodafone's behalf. Vodafone denies this and says the regulations do not apply. If the High Court rules that they are applicable, the franchise operators may be entitled to termination indemnities that the claimants estimate could be worth up to £52 million ($70 million) alone. 
The group says Vodafone has already conceded aspects of the claim in court, including admitting breach of contract in relation to rent-free periods for some stores that were not passed on to the franchisees. A spokesperson for the Fairer Franchise group told The Register: "Vodafone has again failed to disclose our £85 million High Court claim as a contingent liability in today's results, while quietly paying more than £20 million to other franchisees with no explanation, and after admitting it breached our contracts over rent-free periods never passed on to us." "We are 62 people who lost our businesses, our savings, and in many cases our health. As VodafoneThree prepares to reshape two retail estates, the question for investors and analysts is whether this management team should press ahead while serious allegations about its treatment of franchisees remain unresolved." The next hearing is scheduled for July 9. The Register asked Vodafone for a statement regarding the group's claims and why it did not mention the case as a potential liability in its financial results. In its results report published Tuesday, Vodafone says: "Legal proceedings where the Group considers that the likelihood of material future outflows of cash or other resources is more than remote are disclosed below. Where the Group assesses that it is probable that the outcome of legal proceedings will result in a financial outflow, and a reliable estimate can be made of the amount of that obligation, a provision is recognized for these amounts." For the UK, Vodafone lists two lawsuits. One involves alleged overcharging of customers who signed contracts that included both a handset and airtime. The other covers alleged collusion between the major UK mobile networks to withdraw their business from Phones 4U, causing its collapse. There is no mention of the Fairer Franchise case. 
Vodafone Group's fiscal 2026 results showed an 8 percent year-on-year increase in revenue to €40.5 billion ($47.6 billion), attributed to strong services growth and the consolidation of Three UK. Service revenue grew 8.8 percent to €33.5 billion ($39.3 billion), although for the UK the rise was just 0.3 percent. ®

NHS England confirms: Palantir staff can access patient data

4 hours 54 min ago
The National Health Service in England has confirmed it is allowing staff from Palantir access to patient data following a change in policy. The US spy-tech firm provides the technology for the Federated Data Platform (FDP), under a £330 million ($446 million) contract it won in 2023. The system is designed to improve data sharing across the NHS in England and help the state healthcare provider recover from the pandemic backlog. Under previously agreed rules, Palantir staff working on the FDP could only access the National Data Integration Tenant (NDIT), a data repository for patient data before it is transferred to the "pseudonymized" analytics system, if they applied for access to specific data sets. A document released by NHS England says that Palantir staff can get a new "admin" role and access the NDIT and its identifiable patient data. Other consultants working on the FDP will get similar access. The briefing document, seen by the FT and confirmed by The Register, said granting access to the data to Palantir staff and others posed a "risk of loss of public confidence" in its assurances about "safeguarding patient data and ensuring appropriate use and access to it." The Register understands the change is designed to apply to a small number of people working on the new central data collection platform, used to monitor NHS performance using the NDIT. An NHS England spokesperson said: "The NHS has strict policies in place for managing access to patient data and carries out regular audits to ensure compliance - including monitoring the work of engineers helping to set up the central data collection platform that will track NHS performance and help improve care for patients.
“Anyone external requiring access must have government security clearance and be approved by a member of NHS England staff at director level or above.” Sam Smith, coordinator at health privacy campaign group medConfidential, said Palantir and other consultants have already been able to access patient data - albeit pseudonymized in some cases - in other tenants of the FDP. But NHS England came unstuck because of its lack of clarity, he said, adding: "It's the equivalent of telling a civil servant, 'Only you can read your email' and then going, 'Oh, but freedom of information exists'. It is just a lack of transparency that we got through a leak, rather than saying 'We're going to do this thing, here's what it will mean'." NHS England is the quango which runs the NHS in England under the Department for Health and Social Care. The incumbent Labour government is disbanding NHS England and plans to run the service directly from the Whitehall department. In March, the Health Service Journal reported that nearly a third of NHS trusts connected to the FDP in 2025 were not meeting data security standards. An NHSE spokesperson told the publication: "The Federated Data Platform has data protection and cyber security at its core, which is why the NHS has worked with local organizations to ensure they meet the required standards and have introduced strengthened measures where appropriate." The minister responsible for the FDP, Zubir Ahmed, told MPs last month that NHS England and NHS organizations would "retain full control as data controllers, including over decisions about how data is used, who can access it and which products are deployed." He said: "Palantir does not own the data, the products or the intellectual property, nor can it use the NHS data for its own purposes."
He said: "Palantir operates strictly within a UK-regulated contract where the NHS controls all data, access is tightly governed, and information can be used only for agreed purposes that benefit patients." When it launched the FDP contract, the NHS said patient data would be protected through "clear regulations, security measures, retained within the UK region, with access fully audited and NHS cyber security monitoring and protection." Palantir was awarded the FDP contract after winning a succession of pandemic-era deals, worth a combined £60 million, without competition. ®

Frontier AI safety tests may be creating the very risks they're meant to stop

5 hours 24 min ago
Frontier AI safety testing is becoming a security nightmare of its own, with a new RUSI report warning that the process of granting outsiders access to inspect powerful AI models is itself creating new security risks. The paper, published Tuesday by London-based think tank Royal United Services Institute (RUSI), warns that the rapidly expanding system of third-party AI evaluations is riddled with inconsistent standards, vague terminology, weak access controls, and security assumptions that would make most enterprise infosec teams break out in hives. The report focuses on a growing problem facing governments and AI companies alike: meaningful safety testing requires outsiders to access advanced models, but every new access pathway creates another opportunity for theft, tampering, espionage, or abuse. That gets especially risky when the systems in question are being evaluated for capabilities related to cyberattacks or chemical and biological weapon development. "The security risks associated with this access, from intellectual property leakage to model compromise to exploitation by state-sponsored actors, remain poorly mapped and inadequately standardized," the authors wrote. RUSI argues that the industry has drifted into a situation in which labs, evaluators, governments, and researchers are all operating under different definitions of what "secure access" actually means. One evaluator might get limited API access, while another receives deeper visibility into model internals, infrastructure, or training environments. The paper introduces what it calls an "Access-Risk Matrix" designed to map different types of model access against different threat scenarios. Unsurprisingly, handing outsiders write access to frontier models lands firmly in the "what could possibly go wrong?" category. 
"Write access to model internals represents the access type with the highest level of risk," the report warns, because it potentially allows adversaries to tamper with model behavior directly. The report also punctures the industry's tendency to frame frontier AI security as some entirely new class of problem requiring magical new solutions. Some of the biggest risks identified by the authors are depressingly familiar: stolen credentials, poor credential hygiene, weak access revocation, and overprivileged users. In other words, the same identity and access management problems corporate security teams have wrestled with for decades, except now attached to systems being tested for catastrophic misuse risks. RUSI also warns that the lack of internationally standardized rules governing AI evaluations is creating openings for hostile states, criminal groups, and rogue insiders to exploit gaps between jurisdictions and organizations. "Access decisions remain ad hoc, security expectations are inconsistent and the language used to describe access levels varies across jurisdictions, organizations and agreements," the paper states. The report ultimately calls for formalized international governance frameworks and closer coordination between cybersecurity professionals and AI safety researchers before the current patchwork system turns into the world's most expensive lesson in privileged access management. ®

Cache-poisoning caper turns TanStack npm packages toxic

6 hours 20 min ago
An attacker has published 84 malicious versions of official TanStack npm packages, with the impact including credential theft, self-propagation, and complete disk wipe of an infected host. The attack is part of a wave of attacks across npm and PyPI, continuing the Mini Shai-Hulud campaign. Supply chain security company Socket reports that other compromised packages include the OpenSearch client, Mistral AI, UiPath, and Guardrails AI. Malicious npm packages for TanStack, an open source application stack, were published between 19:20 and 19:26 UTC on May 11. The attack was detected and reported within 30 minutes by StepSecurity, triggering incident response and npm deprecation. GitHub published a security advisory at 21:30 UTC, including a list of affected packages. TanStack founder Tanner Linsley published a postmortem describing how the attacker used a malicious commit on a fork to create a pull request on the TanStack repository, causing scripts to auto-run and build the malware. This poisoned the GitHub Actions cache in what Linsley said is a variant of a known GitHub Actions vulnerability discovered in 2024. The malware then extracted the npm OpenID Connect (OIDC) token, used for trusted npm publishing, from runner memory using the same code used to compromise tj-actions in an attack last year. No TanStack maintainers were compromised. StepSecurity has a detailed analysis of the attack, noting that the payload "reads files from over 100 hardcoded paths" including those that may contain cloud credentials, SSH (secure shell) keys, developer tool configuration files, crypto wallets, VPN configurations, messaging credentials, and shell history. Shell history may contain tokens and passwords pasted into the terminal. Security researcher Nicholas Carlini warned the payload "installs a dead-man's switch… as a system user service." The service checks whether a stolen GitHub token has been revoked and, if it has, runs a command to wipe the local disk completely.
Socket's write-up includes recommended actions such as rotating all secrets on any affected system. GitHub's advisory suggests "any developer or CI environment that ran npm install, pnpm install, or yarn install against an affected version on 2026-05-11 should be considered compromised." The Mistral AI compromise has also been reported on GitHub, and at the time of writing, the Mistral AI project is quarantined on PyPI. This attack is still evolving and will likely have a far-reaching impact. It confirms again that running everyday commands like npm install is unsafe, that for all their efforts major package repositories including npm and PyPI are still not secured, and that software development is now best done in isolated, ephemeral environments. ®
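The advisory quoted above draws the line at "ran an install against an affected version", which is a question a lockfile can answer. The following is an added example, not code from The Register, Socket, StepSecurity or TanStack: a small Node.js audit that flattens an npm lockfile (v1 nested "dependencies" tree or v2/v3 "packages" map) and reports any exact package@version pair on a bad list. Every package name and version in it is a constructed placeholder; the real list of affected packages is in the GitHub advisory, not on this page.

```javascript
// Added example, not code from The Register, Socket, StepSecurity or TanStack:
// scan a parsed npm lockfile for exact package@version pairs on a known-bad list.
// Every package name and version below is a constructed placeholder; replace
// AFFECTED_VERSIONS with the package list from the real advisory.

const AFFECTED_VERSIONS = {
  "@placeholder/tanstack-like-pkg": new Set(["1.4.2", "1.4.3"]),
  "placeholder-search-client": new Set(["9.9.9"]),
};

// Constructed sample input in npm's lockfileVersion 3 layout (a "packages"
// map keyed by install path). The nested entry mimics a transitive install.
const SAMPLE_LOCKFILE = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/@placeholder/tanstack-like-pkg": { version: "1.4.2" },
    "node_modules/placeholder-search-client": { version: "9.9.8" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/left-pad/node_modules/placeholder-search-client": { version: "9.9.9" },
  },
};

// Package name for a v2/v3 "packages" key: everything after the last
// "node_modules/" segment, so scoped names such as @scope/name survive.
function nameFromPath(installPath) {
  const marker = "node_modules/";
  const idx = installPath.lastIndexOf(marker);
  return idx === -1 ? null : installPath.slice(idx + marker.length);
}

// Flatten a lockfile object into { name, version, path } records.
// Prefers the v2/v3 "packages" map; falls back to the nested v1 "dependencies" tree.
function listInstalledPackages(lock) {
  const found = [];
  if (lock.packages && typeof lock.packages === "object") {
    for (const [installPath, meta] of Object.entries(lock.packages)) {
      const name = nameFromPath(installPath);
      if (name && meta && typeof meta.version === "string") {
        found.push({ name, version: meta.version, path: installPath });
      }
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const installPath = `${prefix}node_modules/${name}`;
      if (meta && typeof meta.version === "string") {
        found.push({ name, version: meta.version, path: installPath });
      }
      if (meta && meta.dependencies) walk(meta.dependencies, `${installPath}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Exact-version match against the bad list; returns the offending records.
function findAffected(lock, affected = AFFECTED_VERSIONS) {
  return listInstalledPackages(lock).filter(
    (pkg) => affected[pkg.name] !== undefined && affected[pkg.name].has(pkg.version)
  );
}

// Human-readable verdict for one lockfile. A hit means the environment that
// installed from it should be treated as compromised and its secrets rotated.
function auditReport(lock, affected = AFFECTED_VERSIONS) {
  const hits = findAffected(lock, affected);
  if (hits.length === 0) return "clean: no listed package@version found";
  return hits.map((h) => `AFFECTED ${h.name}@${h.version} at ${h.path}`).join("\n");
}

console.log(auditReport(SAMPLE_LOCKFILE));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditReport`. The match is deliberately exact rather than a semver range, because the malicious releases sit at specific version numbers next to clean ones; a clean lockfile is also not proof of safety for a machine that installed during the window and has since regenerated it.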
Categories: Linux fréttir

EU browser choice rules send millions more users Firefox's way

6 hours 50 min ago
The EU's Digital Markets Act (DMA) has been kind to Mozilla, which says Firefox use is on the up as Europeans are given a choice of default browser on mobile. Through these browser selection screens, the company reckons 6 million users have opted for Firefox instead of what would otherwise have been Safari or Chrome, depending on whether they used an iPhone or Android device. Moz has seen the greatest success on iGadgets, with a 113 percent increase compared to a mere 12 percent rise on Android. This is less likely to be explained by overwhelming disdain for Safari than by the ways in which Apple and Google implemented these browser choice screens. Android devices display the browser selection screens upon first boot or after factory reset, whereas iPhone and iPad users are now shown the same screen as soon as they open Safari for the first time. The DMA obligations began applying in March 2024. Apple's implementation of the EU requirements was always going to lead to more people being prompted to select their browser than Google's, which mostly applies to new Android owners after the DMA was enforced, rather than existing users. Mozilla won't care, though, because not only are user numbers up, but user retention is also looking good – it is five times higher than before the DMA, by its reckoning. Other browser vendors have reported similar results, according to a recent European Commission review [PDF] of the DMA's efficacy, although it didn't cite any specific figures. Few vendors have published long-term results like Mozilla's, although Aloha, Brave, Opera, and Vivaldi all reported sizable uplifts in users in the initial days and weeks following the DMA's enforcement. Further, in recent publications [PDF], DuckDuckGo said around 40 percent more users selected its browser on Android thanks to the DMA browser choice screen. 
The privacy-focused tech biz offered the statistic in its submission to the UK government's consultation on how to maintain competition in online search. Moz also submitted its thoughts on the topic, and unsurprisingly, given they both benefited massively from them, both vendors want the same DMA-style browser choice screens to feature in the UK market. DuckDuckGo said they should be shown to users annually, and Google should be forced to remove its "Switch back to Google" prompt in Chrome. Mozilla wants the browser choice screens to be delivered to UK users in 2026, for the same users also to be presented with similar screens for default search engines, and for these measures to be enforceable rather than relying only on voluntary commitments from the relevant vendors. Criticizing the DMA, Moz added that it would also like to see the same measures applied to desktop browsers, alleging that Microsoft deploys deceptive design tactics to push its Edge browser. ®
Categories: Linux fréttir

Microsoft makes Copilot easier to summon, harder to ignore in Office

7 hours 21 min ago
Microsoft is "streamlining" access to Copilot within its productivity applications and updating the keyboard shortcut to activate the assistant. "We heard from many of you that you're unsure how to start engaging with Copilot," the company says, though it did not elaborate on where it had heard this. On its Microsoft 365 Copilot feedback forum, the top-voted request was for more granular agent availability controls. Awkwardly, the fifth-most-voted request at the time of writing is "Disable the M365 Copilot Floating Button in Office Apps," which called the feature "highly disruptive." One commenter stated: "Not allowing users to remove this floating bubble is beyond obnoxious." Fortunately for such refuseniks, Microsoft is going to make accessing Copilot more straightforward. First, the company is reducing the number of entry points to its assistant. There will be the Copilot icon in the bottom-right corner of the screen (hover over it to get suggestions), and a contextual entry point when users interact with content (Microsoft gives the example of selecting text). Microsoft has also updated the keyboard shortcuts for its assistant. Hitting F6 now shifts the focus to the Copilot button in the canvas, and the Up Arrow key lets users move between prompts. In addition to setting focus on the Copilot button, Alt+C will move focus to the Copilot Chat pane if it is already open. "Before you know it, Copilot will be editing your content directly from conversation," enthused Microsoft. The first user to comment on Microsoft's announcement wrote: "How to not show the icon at all? Even the docked one is really annoying." Shush you. This is all about helping the "many" users Microsoft has heard from who want to engage with Copilot. The new Copilot button and updated shortcuts are due to reach general availability in Word, Excel, and PowerPoint for Windows and Mac by early June. Mac users will need to hit Cmd + Control + I to set focus on the Copilot button. ®
Categories: Linux fréttir

Windows update prompt joins the Post Office queue

7 hours 52 min ago
BORK!BORK!BORK! "Let's cross this one off your list" are words to strike fear into the hearts of many a Windows user, particularly when they appear on some Post Office digital signage. Spotted by an eagle-eyed Register reader in East Dulwich, London, the screen is one of two public displays designed to entertain and inform customers waiting to be ignored by a member of staff. The Post Office is a place where objects can be sent and forms completed or collected. It is normally identifiable by a queue of depressed citizens snaking toward (and sometimes beyond) the door, and an impressive ability to have not quite enough staff to ensure all available positions are open. Here, Windows is thankfully relegated to serving up information rather than the all-important task of announcing available counters. The English may be patient queuers, but even they would baulk at a mechanical voice declaring "IRQL_NOT_LESS_OR_EQUAL", followed by the news that Windows needed to dump its memory before service could resume. That said, using Microsoft's finest to run an information screen does seem overkill. "I've always been amazed that a full-fat OS is used on a system that only has to perform a trivial function," our reader noted, and we'd have to agree, particularly when Windows, in this instance, doesn't even seem able to do that right. The message, in theory, is helpful. Windows needs an update and is politely asking when a good time would be. The problem is that, without a keyboard and mouse available, nobody in the queue can help. And, frankly, Windows shouldn't need to ask. Considering the opening times of the average Post Office, there is plenty of time when the doors are locked, and there are no punters on hand to witness the operating system giving itself a jolly good update, with a cheeky reboot or two to finish the job. ®
Categories: Linux fréttir

Apple, Google drag cross-platform texting into the encrypted age

8 hours 34 min ago
Apple and Google have taken a big step toward securing cross-platform texting, ending years of messages bouncing around in glorified plaintext. Apple announced this week that encrypted Rich Communication Services (RCS) messaging is rolling out in beta for iPhone users running iOS 26.5 and Android users on the latest version of Google Messages. The feature works across supported carriers and adds end-to-end encryption to cross-platform chats that were still taking the scenic route through carrier-era messaging infrastructure. Users will know it's enabled when a lock icon appears in RCS conversations. Apple says E2EE RCS messages cannot be read while traveling between devices, bringing Android-to-iPhone chats closer to the protections offered by WhatsApp and Signal. The move lands as other platforms head in the opposite direction. Earlier this month, Meta confirmed it was backing away from parts of its encryption rollout for Instagram DMs, telling The Register that "very few" people actually used the feature and suggesting privacy-minded users head over to WhatsApp instead. Apple, meanwhile, appears content to lean harder into the privacy angle, finally plugging one of the more obvious holes in modern messaging security. That gap has been hanging around for years. While iMessage chats between Apple devices were already encrypted, conversations involving Android phones could fall back to SMS or unencrypted RCS, depending on carrier support. Google had offered encrypted RCS chats inside Google Messages for years, but only when both sides used Google's ecosystem. Apple joining the party means cross-platform RCS encryption is finally starting to span the two largest mobile ecosystems. The rollout is still marked as beta, and carrier support varies by region, so not everyone will get encrypted chats immediately. UK availability remains unclear for now, as none of the major UK networks currently appear on Apple's published compatibility lists for the feature. 
Still, after two decades of the mobile industry insisting that interoperability and security could not coexist, cross-platform texting may finally be catching up with the rest of modern messaging. ®
Categories: Linux fréttir

ZTE and Claro launch next-generation 4K Ultra HD IP STB in Brazil

8 hours 58 min ago
Partner Content ZTE Corporation and Claro have launched a new 4K Ultra HD IP STB in Brazil, combining stunning visuals, intelligent voice control and rich content, introducing a new generation of 4K Ultra HD set-top box (STB) in Brazil – bringing together stunning Ultra HD visuals, intelligent voice control, fast connectivity, and rich content into one seamless experience. Against the backdrop of the sustained rapid development of Brazil's digital TV and streaming media business, user requirements for video quality, interactive experience, and network performance continue to rise. ZTE together with Claro, officially launched the new-generation 4K Ultra HD IP STB Z4KW6, bringing “Ultra HD + Intelligent Voice + High-Speed Connectivity + Massive Content” comprehensively to Brazilian households and driving a further upgrade of the digital entertainment experience. Built for the next era of digital TV and streaming, it delivers sharper picture quality and effortless hands-free interaction with far-field voice, making everything feel faster, smoother, and more intuitive. With enhanced connectivity, streaming stays smooth – even in peak usage hours of multi-device homes. And with a rich content ecosystem, all entertainment comes together in one place. Designed for simplicity and built for performance, the Z4KW6 sets a new benchmark for home entertainment. This launch marks a new step forward for home entertainment in Brazil – smarter, faster, and more immersive than ever.
Categories: Linux fréttir

FleetWave outage takes another turn. Chevin confirms crooks accessed customer data

9 hours 5 min ago
A month after Chevin Fleet Solutions declared its FleetWave outage contained and systems restored, the company has now admitted that attackers accessed customer databases and potentially acquired operational and personal data. Chevin confirmed the breach in an email to customers, seen by The Register, marking the first time it has acknowledged that data was accessed during the April incident that knocked parts of its web-based software offline across the UK and US. At the time, Chevin said it had pulled parts of its Azure-hosted FleetWave tool offline while outside cybersecurity specialists investigated. Status pages showed a "major outage" across the UK and US, but beyond that, customers got little detail on what had happened or whether any data had been caught up in it. Now it turns out that at least some customer databases were indeed affected by the breach. According to the email, Chevin’s forensic investigation determined that an "unauthorized third-party accessed and potentially acquired certain data" from customer databases backed up on April 3, 2026. The exposed information varies depending on how customers configured FleetWave, but includes operational fleet management data alongside personal information such as names, contact details, and payroll numbers. It’s unclear how many individuals and organizations have been affected. The Register asked for comment and a spokesperson told us: "Chevin recently experienced a cybersecurity incident affecting certain systems. We immediately took steps to contain the incident, engaged with law enforcement and external cybersecurity experts, and have since restored impacted services. "Following consultation with external cybersecurity forensic experts, we are confident our systems have been secured. Our customers are our top priority, and we are working directly with those impacted." 
The company insists that the stolen information does not generally include any of the higher-risk categories under GDPR, such as financial information, payment card details, passport data, or special category data. Chevin also claims in its email to customers that it has taken steps to stop the information from being "published, sold, or misused," and says ongoing dark web monitoring has not identified evidence of the data circulating online. One Chevin customer told The Register their organization was unlikely to have been the intended ransomware target due to its size, suggesting the breach may have been aimed elsewhere. The customer also questioned why Chevin appeared confident enough to restore systems and close out forensic work before later returning with confirmation that data had in fact been accessed. The customer said the mention of payroll numbers came as a surprise because their company does not use FleetWave for payroll data, raising questions about how tailored the notification really was. Chevin is now offering affected customers a one-time download of their SQL database and a spreadsheet summarizing potentially exposed records through a secure portal. In the email, signed by CEO Gary Thompson, Chevin says it is "confident that the incident has been contained" and FleetWave systems are now "safe and secure for customers." ®
Categories: Linux fréttir

Britain pays Starlink millions despite Musk's calls to overthrow UK government

9 hours 50 min ago
Britain's Ministry of Defence (MoD) has clocked up a £16.6 million ($22.6 million) bill with Starlink over the past four years, despite SpaceX CEO Elon Musk expressing a desire to overthrow the UK government. Data released by the MoD shows that Britain has continued to pay for access to the spaceborne data network, primarily to help support the Ukrainian military in its ongoing battle against the Russian invasion. Not all of the expenditure is accounted for by Ukraine, however. Some goes toward providing British military personnel serving overseas with a vital link home. According to Business Matters, upward of 50,000 Starlink terminals have been sent to Ukraine since the start of the war in 2022. Initially, the cost of helping that nation's frontline communications was borne by Starlink itself, with some grumbling from Musk, who controls the company's parent business, SpaceX. However, a year later the satellite operator clinched an official US government contract covering the Starlink service for Ukraine, which we understand is still funded by the Department of Defense (DoD), although President Trump has not sought congressional approval for any new funding for US military assistance to Ukraine since returning to office. The UK appears to be footing part of the Starlink bill. The MoD acknowledged the figure, with some spending understood to cover terminals gifted to Ukraine, including their purchase and airtime. However, the MoD seems keen to emphasize that Starlink is not being used for any kind of military purposes by British forces. "Starlink technology is not used for military operations and is primarily used by our hardworking personnel to stay connected with their loved ones when they're in areas without regular internet access, for example on a warship," a spokesperson told The Register. 
"As the public would rightly expect, all spending is rigorously checked to ensure it delivers value for taxpayers' money and spend on Starlink has significantly reduced in the last year." Ukraine uses Starlink for battlefield communications and remote control of drones. The sum is modest in relation to the entire UK defense budget, on track to hit £62.2 billion ($85 billion) for FY 2025/26. It is also likely just covering a small part of the Ukrainian service costs, as Starlink was asking for $400 million per year to cover these at one point. Some Brits may feel uncomfortable paying a man who has openly called for the overthrow of the British government. Earlier this year, Musk publicly mused whether the US should "liberate the people of Britain from their tyrannical government." No, it wasn't on April 1. ®
Categories: Linux fréttir

Japan’s PM orders cybersecurity review to stop Mythos going full CyberZilla

12 hours 40 min ago
Japan’s prime minister Sanae Takaichi has ordered a review of government cybersecurity strategy, citing the arrival of Anthropic’s bug-hunting model Mythos as a moment that makes it necessary to order a cabinet-level project. In a Tuesday cabinet meeting, the PM instructed cybersecurity minister Hisashi Matsumoto to devise measures to check the state of government systems to determine whether it’s possible to detect and fix vulnerabilities, and to develop a plan to ensure critical infrastructure operators can do likewise. Japan’s leader ordered the checks because she feels Mythos and similar frontier models may be misused, and that attacks on infrastructure may therefore increase in speed and scale – perhaps even exponentially. Over the last couple of years cybersecurity vendors and researchers have often pointed out that AI models make it possible to find flaws and automate attacks. When Anthropic debuted Mythos in early April, the notion that AI has the potential to vastly complicate the security landscape went mainstream. Many regulators around the world have issued guidance to point out that now is the perfect time to revisit and improve security strategies and capabilities, because Mythos and other AI models mean defenses are going to be tested like never before. India’s securities regulator went a step further by ordering a security review at the organizations it oversees. And now Japan’s leader has decided the matter is of sufficient importance that her office needs to weigh in and set new policy to ensure AI doesn’t go on a destructive rampage through Japanese infrastructure. Whether Takaichi’s urgency is needed is open to debate. Some researchers have said that while Mythos can find bugs at speed, it doesn’t find flaws humans can’t detect with their naked brains. Others suggest Mythos is not vastly better at finding bugs than open source models that pre-date it and are publicly available – unlike Mythos, which is restricted to certain users. 
Others have all but dismissed Mythos as a marketing stunt. ®
Categories: Linux fréttir

Veteran network architect proposes IPv8 – to improve IPv4, not leapfrog v6

13 hours 36 min ago
A veteran network architect named James Thain has drafted a proposal for “Internet Protocol Version 8” (IPv8) and hopes to crowdfund work to create a testbed that will demonstrate his ideas. Thain’s proposal appeared as an Internet Engineering Task Force (IETF) Internet-Draft on April 16th. Like all such documents, it has no official standing – the multistakeholder systems under which the internet is governed allow open participation and this is Thain’s contribution. The draft opens with a bold vision for IPv8, describing it as “a managed network protocol suite that transforms how networks of every scale – from home networks to the global internet – are operated, secured, and monitored.” On the IPv8 website he describes it as “a managed network protocol suite that resolves IPv4 exhaustion, unifies network management, and stays 100 percent backward compatible — no flag day, no forced migration.” The draft also says IPv4 is “a proper subset of IPv8. An IPv8 address with the routing prefix field set to zero is an IPv4 address. No existing device, application, or network requires modification.” In conversation with The Register, Thain said he created the IPv8 draft because existing protocols were developed for the networking problems of the day, and things have now well and truly moved on. He also thinks that few organizations other than hyperscalers and network operators have a good reason to adopt IPv6, because it doesn’t offer major improvements over IPv4 and migrations to the newer protocol seldom produce return on investment. He allows that IPv4 exhaustion means many organizations and network operators do need to consider IPv6 but feels the best course of action is to improve IPv4 so users get a better protocol without the need for upgrades. 
One improvement in IPv8 expands the IPv4 numberspace by adding what he calls an “area code” based on a network operator's autonomous system number (ASN), the unique identifiers assigned to networks by regional internet registries. ASNs effectively function as addresses for a network, to inform routing decisions. IPv8 proposes an address format r.r.r.r.n.n.n.n where the “r” is the ASN address encoded as a 32-bit integer and the “n” is a conventional IPv4 address. This scheme means every ASN holder gets 2^32 host addresses – 4,294,967,296 addresses apiece. Thain thinks that will suffice for almost every organization, and those who need more probably already operate multiple ASNs. His scheme would see the IPv4 numberspace expand to around 30 trillion (3 x 10^13) unique addresses. That’s well short of the 340 undecillion (3.4 x 10^38) addresses available under IPv6, but Thain thinks it’s still enough and that users will appreciate not having to migrate away from IPv4. “It doesn’t require a ton of changes to Border Gateway Protocol which already knows how to route multiple protocols,” Thain told us. “So does MPLS.” IPv8 therefore “gives you a roll forward of IPv4, you just need servers to translate the ‘area codes’. The rest of the stack is all well-known,” Thain said. “There is no magic here, it is just an area code plus IPv4.” Another IPv8 feature is what Thain calls a “Zone server” that his draft explains “runs every service a network segment requires: address assignment (DHCP8), name resolution (DNS8), time synchronisation (NTP8), telemetry collection (NetLog8), authentication caching (OAuth8), route validation (WHOIS8 resolver), access control enforcement (ACL8), and IPv4/IPv8 translation (XLATE8).” IPv8 has caused a stir in internetworking circles, and some at times bitter criticism. Others have been more nuanced. 
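The address layout described above is simple enough to exercise directly. The block below is an added example, not code from Thain's draft, the IPv8 website or The Register: it encodes and decodes the r.r.r.r.n.n.n.n text form, treating the first four octets as the 32-bit ASN "area code" and the last four as an ordinary IPv4 address, and checks the draft's compatibility rule that a zero routing prefix is a plain IPv4 address. The field names (asn, ipv4, hostId) and the helper names are this example's own assumptions, not identifiers from the draft.

```javascript
// Added example, not code from Thain's IPv8 draft or The Register: encode and
// decode the r.r.r.r.n.n.n.n format the article describes (a 32-bit ASN "area
// code" in front of a conventional IPv4 address). Field and helper names are
// this example's own assumptions, not identifiers from the draft.

const OCTETS_PER_FIELD = 4;

// Parse exactly `count` dotted decimal octets, rejecting anything outside 0..255.
function parseOctets(text, count) {
  const parts = text.split(".");
  if (parts.length !== count) throw new Error(`expected ${count} octets, got ${parts.length}`);
  return parts.map((p) => {
    if (!/^\d{1,3}$/.test(p)) throw new Error(`bad octet "${p}"`);
    const n = Number(p);
    if (n > 255) throw new Error(`octet out of range: ${p}`);
    return n;
  });
}

// Four octets -> unsigned 32-bit integer. Multiplication rather than shifts,
// because JavaScript's << works on signed 32-bit values and would flip the sign.
function octetsToUint32(o) {
  return o[0] * 16777216 + o[1] * 65536 + o[2] * 256 + o[3];
}

// Unsigned 32-bit integer -> four octets, most significant first.
function uint32ToOctets(n) {
  if (!Number.isInteger(n) || n < 0 || n > 0xffffffff) {
    throw new Error(`not a 32-bit unsigned value: ${n}`);
  }
  return [Math.floor(n / 16777216) % 256, Math.floor(n / 65536) % 256, Math.floor(n / 256) % 256, n % 256];
}

// Decode "r.r.r.r.n.n.n.n" into { asn, ipv4, hostId }.
function parseIPv8(text) {
  const o = parseOctets(text, 2 * OCTETS_PER_FIELD);
  const routing = o.slice(0, OCTETS_PER_FIELD);
  const host = o.slice(OCTETS_PER_FIELD);
  return { asn: octetsToUint32(routing), ipv4: host.join("."), hostId: octetsToUint32(host) };
}

// Encode an ASN plus a dotted IPv4 address into the eight-octet text form.
function formatIPv8(asn, ipv4Text) {
  const host = parseOctets(ipv4Text, OCTETS_PER_FIELD);
  return [...uint32ToOctets(asn), ...host].join(".");
}

// The draft's compatibility rule: routing prefix zero means a plain IPv4 address.
function isPlainIPv4(addr) {
  return addr.asn === 0;
}

// Lift an existing IPv4 address into IPv8 unchanged (prefix zero).
function liftIPv4(ipv4Text) {
  return formatIPv8(0, ipv4Text);
}

// Host addresses available to one ASN holder under this scheme (the article's 2^32).
const HOSTS_PER_ASN = 2 ** 32;

console.log(parseIPv8("0.0.255.1.192.0.2.10"));
console.log(liftIPv4("198.51.100.7"), HOSTS_PER_ASN);
```

The sample values use the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 and private-use ASN 64512 so that nothing here points at a real network.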
Silvan Gephart of ISP Openfactory blogged about the draft and said “I like that there is a proposal thinking about the routing table, addressing, management, authentication and operational complexity as one bigger problem.” Some of the criticism levelled at the protocol suggests it’s the work of AI. Thain doesn’t shy away from having used chatbots to work on his draft and told The Register he feels doing so is contemporary practice. He thinks he can prove the nay-sayers wrong by building an IPv8 testbed and has commenced a crowdfunding campaign that aims to raise $100,000 to cover the cost of developing open-source software, research and testing infrastructure, plus demos and documentation. You can find the crowdfunding project here. ®
Categories: Linux fréttir

GitLab promises a different kind of layoff as biz pivots toward AI

16 hours 22 min ago
GitLab has opened the voluntary separation window and hopes an unspecified number of employees will exit the business to help it become "the trusted enterprise platform for software creation in the AI era." According to CEO Bill Staples, the company's effort to trim its workforce differs from other AI-related layoffs. "This restructure process is not like others you may be seeing in the news," wrote Staples in a blog post. "Of course AI is changing the way we work and is part of our transformation plan, but this is not an AI optimization or cost cutting exercise." What is it then? Well, according to Staples, GitLab plans to use most of the money it saves by sacking staff to invest in its business. We note that the five fundamental architectural bets at the heart of this business reorientation – agent-specific APIs; reworked CI/CD; a data model for surfacing context; governance; and support for human-owned, agent-assisted, and autonomous workloads – sound like infrastructure investments, the very thing other companies fuel with vacated payroll obligations. But GitLab isn't (so far as we can tell) returning freed funds to investors, initiating a stock buyback, larding executive bonuses, or launching an ill-advised metaverse venture that will consume $80 billion over five years. So maybe that's the difference to which Staples alluded. The other difference Staples cited is his company's plan to have managers chat with employees about staying or going. "Starting today, managers across the company are entering deeper conversations with leadership about how the restructuring principles land inside their teams," he said. "Those conversations will inform the decision of impacted roles." There's no word on the rubric for these retention-or-departure chats. Presumably employees deemed insufficiently enthused about the new direction will be encouraged to exit through the voluntary separation window. 
Absent that cooperation, defenestration at the hands of managers will likely follow. While Staples has not provided a target for the number of desired layoffs – details will be revealed during the company's Q1 FY2027 financial report on June 2nd – he did set a territory footprint goal. "We're reevaluating our operational footprint, and are planning to reduce the number of countries by up to 30 percent where we have small teams," he said. GitLab currently operates in 60 countries. That's a lot of different corporate entities to run, tax laws to master, and offices to rent. The code biz did not immediately respond to a request to clarify how "small teams" is defined. Nor does it disclose its headcount in recent annual reports. According to analytics biz Unify, GitLab has about 1,800 employees, of whom almost 1,500 work outside the US. Another goal of the layoff plan is to reduce GitLab's organizational layers. "We’re flattening our organization because eight layers is too deep for a company our size and management layers are slowing us down," said Staples. GitLab is betting heavily on its Duo Agent Platform (DAP), which entered general availability in January. As recently as its 2025 annual report [PDF], GitLab talked up the possibility of continued hiring. "We intend to grow our international revenue by strategically increasing our investments in international sales and marketing operations, including headcount in the EMEA and APAC regions," the biz said during a more optimistic time. Now, not so much. Beyond other challenges like soft government business, one reason for the AI remake appears to be the company's decision to raise prices back in 2023. In March, during GitLab's Q4 FY2026 [PDF] conference call for investors, Staples admitted that price-sensitive organizations didn't much appreciate having to pay more. "Our 50 percent Premium price increase a few years ago also coincided with rising AI code experimentation and flattish SaaS budgets," he said. 
"Simultaneously, our upmarket shift reduced technical resources at the lower end of the market. Together, these have slowed Premium growth, particularly among price-sensitive customers which we estimate at roughly 20 percent of our ARR, including the SMB weakness that we have been discussing recently." ®
Categories: Linux fréttir
