TheRegister

Opposition to datacenters: it's not just for the Bernie Sanders crowd anymore. An arch-conservative running for the governorship of a solidly Republican state has called for a datacenter moratorium in one of the clearest signs yet that the tech sector is facing a backlash against its AI ambitions. US Representative and gubernatorial candidate Nancy Mace (R-SC) on Monday called for a one-year moratorium on new datacenter projects in her state, saying that reports of the southeastern state becoming a hot destination for datacenters don’t mean her constituents ought to see their power bills rise. "South Carolina is not Big Tech's personal power grid," Mace said in a statement published on Monday in her capacity as a congressional representative. "These companies are planting massive data centers across our state, driving up energy demand, and leaving families and small businesses to pick up the tab. South Carolinians are already stretched thin. The last thing they need is a higher electricity bill subsidizing Big Tech's bottom line." Mace said a one-year pause on new projects would give the state an opportunity to implement rules ensuring any future projects include protections that wouldn’t cause residents to pay more for electricity. She also said she does not want eminent domain seizures of private property on the table either, pointing to an ongoing matter in South Carolina’s neighboring state, Georgia. Mace’s concerns over datacenters leading to higher energy costs aren't an unrealized fear, either. As we reported last week, wholesale power costs in the largest US energy market, the PJM Interconnection, rose by 75 percent over the past year due to datacenter growth. South Carolina isn’t part of the PJM, but if it’s a hot destination for datacenter projects, one could assume similar pains might be felt there if more datacenter operators come knocking. Mace has made statements about datacenters through her gubernatorial campaign as well, calling for South Carolina to adopt legislation that would require datacenter projects to cover their own energy costs, as well as expressing opposition to a bill designed to regulate datacenter development. “While initially appearing to be a framework for sensible regulation, a dissection of this bill illustrates it is a masterclass in corporate welfare while leaving the hardworking citizens of South Carolina to foot the bill and suffer the consequences,” Mace said of South Carolina Senate Bill 867. You don’t need a weatherman to know which way the wind blows To call Mace a conservative is a bit of an understatement: She’s been deep in President Donald Trump’s MAGA camp for years. She and Trump have had an on-again/off-again relationship due to her opposition to Trump’s handling of the January 6 insurrection, insistence on the release of the Epstein files, and uncertainty regarding the Iran war, but she’s continued to support him and seek his endorsement for her race to lead South Carolina. In other words, she’s about as conservative as they come - she’s even called herself “Trump in high heels” in a bid to earn votes in the governor’s race. Speaking of Trump, the President has been a major proponent for datacenter expansion in the US, though he has also called for DC operators to provide their own power without increasing costs for other ratepayers. As for South Carolina, it isn’t exactly a toss-up state in terms of federal or state electoral politics. The governorship has been in Republican hands since 2003, and a Democrat hasn’t won a statewide election there since 2006. The state’s presidential vote has gone to a Republican in 13 of the last 14 elections, with Jimmy Carter’s 1976 win in the state the sole exception. The South Carolina Republican gubernatorial primary is scheduled for June 9, and the race is tight. Mace’s victory isn’t guaranteed - she’s leading in some polls, but competition is fierce heading into the final stretch. If Mace is trotting out a datacenter moratorium plan with less than a month before the primary, she’s trying to win votes, suggesting citizens in deeply conservative South Carolina are just as opposed to bit barns as those everywhere else. Polling outfit Gallup recently reported that more than 70 percent of Americans are opposed to datacenter projects in their neighborhoods, making opposition to new projects something folks on both sides of the aisle are coming together over. That said, Mace doesn’t appear to be entirely opposed to the use of AI (she’s pushed a bill to train federal government employees on the use of the tech) or datacenter projects done responsibly (her moratorium isn’t calling for the state to ban new datacenter projects). “When it is over, the rules are simple: datacenters pay their own way or they do not come here,” Mace said of future datacenter projects in her state. Mace’s teams didn’t respond to specific questions about her broader positions on AI or datacenter projects. ®

Of the world’s most powerful supercomputers, nine of the top 10 are powered by GPUs, but that might not be the case for much longer. As chipmakers like Nvidia prioritize AI FLOPS over the ultra-precise floating point calculations used in scientific computing, US National Labs are turning to new chip architectures to get their FP64 fix. Among the candidates is NextSilicon’s Maverick-2, a dataflow processor designed explicitly with the 64-bit floating point mathematics that dominate the Department of Energy’s most important simulations. Despite its name, the Department of Energy is concerned with far more than the US’ power grid. It operates some of the largest publicly known supercomputers in the world, which are responsible for everything from simulating the physics of nuclear weapons at the moment of criticality and bioweapons defense to public health and safety. Since the Titan Supercomputer made its debut in 2012, a growing number of these supercomputers have been powered by GPUs from Nvidia, and more recently AMD. But that’s not the case for Sandia National Laboratory’s new Spectra supercomputer, which was built in collaboration with Penguin Solutions and NextSilicon. Compared to exascale systems like Frontier or El Capitan, Spectra is tiny. The machine counts 64 nodes and 128 of NextSilicon’s “runtime-configurable” accelerators. But scale isn’t the point. Spectra is a test bed for NextSilicon’s Maverick-2. This week, Sandia gave the chips the thumbs up, announcing that the big iron had met all of its system acceptance requirements, opening the door for the chips to be deployed in larger systems in the future. Not another GPU Despite some similarities to Nvidia’s B200, Maverick-2 is a very different beast. Instead of the standard von Neumann compute architecture that underpins most CPUs and GPUs today, NextSilicon’s chips employ a reconfigurable dataflow architecture. The processor’s two compute dies comprise a grid of arithmetic logic units interconnected in a graph. Each unit is configured at runtime to perform a specific operation, whether it be addition, multiplication, or some other logic operation. But the chip’s real trick is overlapping data flow and compute. As soon as data reaches the next unit in the pipeline, it’s computed immediately, no waiting for load-store operations to shuffle data around. According to NextSilicon, this dramatically improves the performance and efficiency of the chips in real-world workloads. Dataflow architectures aren’t new. Groq, Cerebras, and SambaNova have all built chips based on the concept. However, all of these designs are aimed at AI inference or training. NextSilicon’s is one of the few we’ve seen aimed at HPC. Dataflow is notoriously difficult to program for, which is likely why the chip startups that have built chips around it have largely offered them as a managed or white glove service rather than selling bare metal servers. Rather than trying to port workloads to run on its chips, NextSilicon has built a compiler that it claims allows it to run any existing C, Python, Fortran, or CUDA codebases on its chips. As we understand it, it works by initially running these workloads on the CPU. The compiler then captures the compute graph, maps it to the chips, and then optimizes it to maximize performance. With Spectra, Sandia has now validated the parts across three key workloads: the high-performance conjugate gradient (HPCG) benchmark, the LAMMPS molecular dynamics test suite, and the Sparta Monte Carlo simulation suite. AI is changing GPUs NextSilicon’s focus on HPC comes in stark contrast to the next generation of GPUs from Nvidia. The company’s Rubin GPUs due out later this year promise gobs of memory bandwidth and up to 50 petaFLOPS of FP4 compute. This makes the chips strong contenders for AI inference and training workloads, which is probably why the DoE is also deploying them in systems like the Doudna supercomputer at Lawrence Berkeley National Laboratory. While FP64 compute remains relevant for many existing scientific workloads, for AI workloads, Nvidia's GPUs are still relevant to US Labs. However, all those AI FLOPS come at the expense of hardware FP64 vector and matrix performance. Rubin tops out at 33 teraFLOPS, making it slower than even Nvidia’s nearly four-year-old H100. But that’s not to say it’s not good for scientific computing. For matrix heavy workloads like High Performance Linpack (HPL), Nvidia is leaning on a somewhat controversial spin on the Ozaki scheme, which uses lower precision data types to emulate FP64 compute. Using this approach, Nvidia claims Rubin can deliver up to 200 teraFLOPS of FP64 matrix performance. We dug deeper into Nvidia’s emulated FP64 algorithms earlier this year, but suffice to say it’s not perfect. While it has shown promise in certain HPC workloads, in others, particularly vector-heavy ones, like computational fluid dynamics, it offers little if any benefit. Coincidentally, the latter happens to be the same kind of workload that NextSilicon has focused its attention on. We don’t yet have system-level benchmarks for NextSilicon’s hardware, much less Spectra, but we’re told a single Maverick-2 can deliver about 600 gigaFLOPS of FP64 compute HPCG. The startup claims this performance is roughly on par with leading GPUs while consuming half the power. While Nvidia is clearly prioritizing AI compute in its latest generation of GPUs, AMD has taken a different approach. Like Rubin, AMD’s new MI455X accelerators are tuned for AI inference and training, but it’s only one of several versions of the GPU the House of Zen has baked in TSMC’s oven. For the MI430X, AMD swapped out the AI-centric compute dies for some built specifically for HPC. Earlier this month, we learned the chip would deliver up to 200 teraFLOPS of peak FP64 grunt to the DoE’s upcoming Discovery and Europe's Alice Recoque supercomputers. Who needs GPUs anyway? Chip startups like NextSilicon still need to prove their chips can scale to larger systems. But, across the Pacific, China has already shown that, at least for scientific computing, it doesn’t need GPUs to compete with the West’s best supers. China has a history of building boutique silicon specifically to advance its national supercomputing capability. Some systems, like the Sunway TaihuLight supercomputer, used a custom manycore processor like 260 custom RISC processors. Others, like the Tianhe 2A, used a homegrown digital signal processor (DSP) called the Matrix 2000 for its FP64 compute. More recently, we caught wind of a new supercomputer, called the LineShine, that, similar to the TaihuLight machine, reportedly uses 47,000 custom CPUs, which are expected to push the machine to 2 exaFLOPS of FP64 grunt. Of course, because China doesn’t participate in the annual Top500 ranking of the fastest publicly known supers anymore, we may never know for sure. China’s use of boutique silicon is due in part to US trade restrictions on the sale of high-end accelerators in the region. Even where still legal, these chips have become a supply chain vulnerability for Beijing. In fact, the US government’s decision to bar Intel from selling its Xeon Phi processors to China drove the development of the Matrix 2000. In the US, the bigger challenge may be competing with chip designers' shareholders. AI has made Nvidia the most valuable company in the world; HPC by comparison remains an important, albeit niche market. ®

UPDATED Web hosting bills getting too expensive? Maybe you ought to consider serving your site from a one-dollar 8-bit microcontroller. Okay, you won’t exactly be serving up a high-performance, graphic-rich website using this project from European developer and blogger Maurycy Zalewski. The setup is limited to one URL, but hey, it actually works, provided an influx of visitors hasn’t killed the site yet. The bargain-basement chip that serves as the central component of this project is the AVR64DD32, which currently retails from DigiKey for $1.30. It has a single 8-bit AVR core with a blistering 24 MHz max clock speed, 8 KB of static RAM, 64 KB of flash memory, and 256 bytes of EEPROM non-volatile memory for storing a very limited amount of data. Zalewski told The Register in an email that the whole build was free for him, as he had everything on hand, but he estimates the total cost of the thing to run closer to $2 or $3 when accounting for resistors and capacitors, the board the chip is attached to, and the like. Serving a web page from such a limited chip is a task, to say the least, and Maurycyz had to do a lot of legwork to get the thing working. The I/O pins on the AVR max out at 12 MHz, which Zalewski explained meant that it wouldn’t be possible to use Ethernet for the project, as the data flow from even the aged baseline Ethernet connection of 10BASE-T is too fast for the chip to handle. “10BASE-T still runs at 10 megabits/second,” Zalewski wrote. “Worse, it uses Manchester encoding: a zero is sent as ‘10’ and a one as ‘01,’ so 10 megabits of data is actually 20 megabits at the wire.” “The proper solution is to buy a dedicated Ethernet chip from DigiKey, but then I'd be waiting weeks to finish this project,” Zalewski noted. Instead of waiting, he decided to take a different approach by turning to Serial Line Internet Protocol (SLIP), just like the guy who turned a discarded vape into a web server last year. For those unfamiliar with SLIP, it’s a 38-year-old protocol designed to encapsulate IP traffic for transmission over serial lines, and it was widely used to make internet connections in the olden days. SLIP is still supported in modern Linux builds due to its compact size and the fact that it’s often used to connect microcontrollers to the internet. Now, giving the AVR an internet connection didn’t solve the harder problem of actually serving a web page to visitors. Zalewski said the chip could generate response packets by swapping the source and destination addresses on incoming traffic and resetting the packet’s TTL value, but implementing TCP still took several days of work. HTTP handling was simplified by returning a hardcoded response for every request, which works as long as the site only serves a single URL. Here’s that limitation we were talking about: “This works fine as long as there's only a single URL on the site,” Zalewski said. Sorry for those wanting to host more pages from that $1 microcontroller. Lastly, Zalewski said he had to figure out how to get requests from the internet to the microcontroller without spending money on a publicly routed IP address. That was resolved by using WireGuard to connect the microcontroller located at his home to a public-facing machine at a Helsinki datacenter, which then proxied requests to the microcontroller using a local address block. “This means that visitors aren't directly connecting to the MCU's TCP/IP stack... but hey, it's the same setup that the Vape Server uses and no one complained,” Zalewski said. And all without having to buy a vape or root through dumpsters to find an old one. Zalewski told us that the hardware he used for the task was so simple that it only took a few minutes to build the thing itself. The software was another thing altogether, though. "Wiring up the board only took a few minutes, but writing the software took multiple days," Zalewski said. Lucky for those wanting to duplicate or add to his work, the source code and a pre-compiled binary that'll run on an 8-bit microcontroller are included in his blog post. ® Updated at 1854 GMT on 3/18/2026 with more information after we spoke to the developer.

Another Linux kernel flaw has handed local unprivileged users a way to peek at files they should never be able to read, including root-only secrets such as SSH keys. The bug affects multiple LTS kernel lines from 5.10 upward, although a fix has already landed – and there is now a proposal for reducing the odds of similar surprises in future. What FOSS analytics vendor Metabase memorably dubbed the strip-mining era of open source security continues. This time, the culprit is CVE-2026-46333, a local kernel vulnerability that lets an unprivileged user read files they should not be able to access, including those normally available only to root. An attacker who already has login access to an affected machine could therefore potentially grab SSH keys, password files, or other confidential credentials, as the KnightLi blog explains. Despite its official designation, a demo exploit on GitHub calls it ssh-keysign-pwn. It is not quite as catchy a name as Copy Fail, or Dirty Frag, or indeed Fragnesia, but we feel it is safe to say it hasn't been a good month. According to a report on Linux Stans, it affected LTS kernel versions 5.10, 5.15, 6.1, 6.6, 6.12, 6.18 and 7.0. The good news is that it's already been fixed: Linus himself, in commit 31e62c2, called the fix "ptrace: slightly saner 'get_dumpable()' logic." The issue was reported on the oss-security list on Friday by security consultancy Qualys, as noted on X by grsecurity's Brad Spengler. In the same thread, Altan Baig pointed out that the underlying issue was reported by Jann Horn on the Linux Kernel Mailing List way back in 2020. The problem with tracking security reports, which Penguin Emperor Torvalds described recently, is not new, alas. ModuleJail This also seems like a good time to look at what we thought was an interesting new defensive measure, Jasper Nuyens' ModuleJail. The top line of the README summarizes it: The mention of "no AI inside the tool" is arguably something of a giveaway, and you can see a CLAUDE.md file in the repo. Even so, how it works is simple enough. Although Linux has a monolithic kernel, it is modular: when the kernel's source code is compiled, the person or tool building it can choose if each individual component is included (built into the binary), not included at all, or compiled as a module, which can be loaded on the fly as and when it's needed. Since the kernel is mostly device drivers, it's normal for distribution vendors to compile most non-essential components as kernel modules – as the Arch wiki explains. Blacklisting a module just means adding its name to a list of modules not to load. Blacklisting unusued models for added security isn't a new idea. It's in the RHEL 6 documentation, for instance, and a DoHost blog post from last year describes it as a security measure. ModuleJail simply automates the process: it blacklists any modules not currently in use. Probably safe for a server, but rather less ideal for a laptop or machine where you need to plug in new hardware on the fly. Connecting a USB headset, say, is quite different from plugging one into a headphone socket. While a device with a jack plug uses your existing sound controller, by connecting a USB one you're effectively adding a new sound controller – just one that happens to be connected over USB. ModuleJail mentions that its approach avoids changing the initramfs. An initramfs, like an initrd, is a file containing a temporary RAM disk, so that a generic kernel can find and load the drivers it needs for the particular box it's running on – even before it can find the machine's SSD and mount the root partition. Back in the 1990s, as grumpy old graybeards such as this vulture recall, recompiling your kernel was a standard part of periodic system maintenance. One benefit of building the kernel customized for your own computer was eliminating the need for an initramfs. If all the drivers are built in, there's no need for this temporary stage, although as the ArchWiki notes, this does limit some advanced features, which, for instance, systemd uses. We would love to see some of the systemd-free distros incorporate such automatic ModuleJail-style identification of essential modules, and use it to build a custom kernel on the fly, then banish the use of initramfs. (Maybe just keep the all-options-enabled installation kernel around as an emergency fallback.) Aside from a few special cases such as OpenZFS, this should work on most hardware – and make life simpler, quicker, and perhaps slightly more secure. ®

Europe's hunt for secure, high-capacity satellite communications infrastructure has produced a laser-equipped mountaintop ground station in northern Greece. Lithuanian space and defense biz Astrolight says that it has commissioned a new optical ground station in Greece that will support ESA-backed CubeSat missions testing laser-based communications between satellites and Earth. The Holomondas Optical Ground Station was built through the PeakSat project, led by the Aristotle University of Thessaloniki with backing from the European Space Agency and Greece's Ministry of Digital Governance. Its job is to receive data from satellites via infrared laser links rather than the radio systems that space operators have relied on for decades. PeakSat and ERMIS-3, two Greek CubeSats launched in March under ESA's wider Greek IOD/IOV mission program, both carry Astrolight's ATLAS-1 optical communication terminal. Astrolight also built the ground segment, giving the project a fully integrated end-to-end optical communications setup. Astrolight CEO Laurynas Mačiulis told The Register that the company originally pursued laser communications after concluding it "would need to tap into the optical spectrum," as demand for satellite bandwidth continues to grow. He described optical connectivity as "one of the enabling technologies for further expansion into space." The company says the station uses an 808-nanometer laser beacon and an optical C-band receiver capable of receiving data at up to 2.5 Gbps. Unlike traditional RF systems, optical links use tightly focused infrared beams that are harder to intercept or jam while also supporting significantly higher throughput. The engineering problem, however, is slightly more complicated than pointing a laser pointer at the sky and hoping for the best. "You have two moving objects that try to establish a laser link, which means trying to point a very, very narrow laser pointer at your object, which is potentially tens of thousands of kilometers away, moving at eight kilometers per second," Mačiulis said. ESA and its partners are pitching optical comms partly as an answer to an increasingly crowded radio spectrum, but the tech is also drawing attention from defense and dual-use operators interested in more resilient communications systems. "There is a need for networking in space, both for connectivity and tactical reasons, and dual-use defense applications," Mačiulis said, adding that future satellite constellations "will inevitably rely on optical links, because that gives information superiority and security and resistance to jamming electronic warfare." He added "there's also sovereignty aspects, which means that there will never be a single player – there cannot be just Starlink." ®

Netherlands police’s scheme to unmask and shame scammers into submission is proving highly successful, with 74 of its 100 most wanted now known to investigators. The country's “Game Over?!” campaign involved releasing the blurred images of fraudsters into the public domain and threatening to unmask them within two weeks if they did not turn themselves in. True to its word, after two weeks, the Dutch police unblurred the alleged offenders’ faces via social media and advertising boards across the country, including at gas stations, shopping centers, and train stations. The result? Thirty-four handed themselves in, and revealing the remaining faces led to the identification of a further 40 individuals. The police said it received more than 500 tips from the public after it unblurred the faces. Its website was viewed more than two million times, and its campaign images were seen nearly 90 million times on social media. Of the 74 now known to the police, more than half (38) have been questioned, and the interrogations for the rest are already scheduled. Police have arrested six individuals so far, although they stated that this doesn’t necessarily mean the arrests were directly for their alleged crimes. Arrests may take place when someone fails to appear for police questioning, for example, or if a suspect is linked to multiple offenses. Anne Jan Oosterheert, portfolio holder for online crime at the Dutch Politie, said: “This form of crime claims many victims. It has a huge impact on both the victims and society. The goal of Game Over?! is therefore to identify and prosecute the suspects. “With the identification of 74 suspects, this goal has been amply achieved, and so far, we can speak of a successful investigative offensive. We are very satisfied and grateful for all the help we have received from citizens.” An unusual take on appealing to the public for support, Game Over?! aimed to give the alleged offenders the chance to retain their anonymity in exchange for helping the police, and potentially assisting their own prosecution. The idea behind naming the campaign “Game Over?!” came from the term “F-Game,” or fraud game, which is what police say offenders often refer to when discussing their actions. The police’s initial announcement explicitly called the campaign a public attack on criminals, saying that it was also relying on public shaming to eventually apprehend the alleged offenders. The same message also came with a warning that young people were increasingly being recruited to these schemes, often paid very little for the privilege. Of the 74 now identified, the police said today that the youngest suspect was aged just 14, with the oldest being 42. The average age across them all was 22. Game Over?! explicitly targeted banking helpdesk impersonators, fake police officers, and card collectors, with officials saying they had become a “nasty” social problem. “These nasty forms of fraud have now become a social problem that can also be solved in collaboration with society," said Oosterheert previously as part of the campaign’s launch announcement. Of the crime types police strategists are looking to stamp out, cases involving bank helpdesk fraud are the most common, and typically target the elderly. The classic script goes: scammer calls the victim pretending to be a representative of their bank; throughout the course of the phone call, the scammer convinces the victim to surrender enough of their details so they can go away and access their account; the scammer then steals their money. Fake police officer scams are another, more recent scourge on the country, that in some cases have become violent and even deadly. They typically also target the elderly and see criminals knocking on doors, offering to safeguard valuables on the residents’ behalf. Police say that tens of thousands of elderly victims have fallen victim to scams like these, resulting in police fielding calls from victims and their “frightening stories.” “The impact on these often vulnerable victims is enormous,” the police said. “Their sense of security is often completely gone, as is their trust in the government and their fellow human beings.” ®

The AI industry is copying techniques used by tobacco firms, big pharma and oil companies to influence governmental policy and regulation of itself, according to an academic study. Researchers at the University of Edinburgh, Trinity College Dublin, Delft University of Technology, and Carnegie Mellon University claim they identified patterns of "corporate capture" by which regulations and public bodies come to act in the interest of industry rather than the citizens they are meant to protect. Their paper, “Big AI’s Regulatory Capture: Mapping Industry Interference and Government Complicity,” details various mechanisms of capture and how these work. The most frequent include what the researchers identify as Discourse & Epistemic influence (D&EI), Elusion of law, or Direct influence on policy. For evidence, the researchers analyzed 100 news stories covering four global AI events between 2023 and 2025; the EU AI Act negotiations, and the global AI summits held in the UK, South Korea, and France. They report finding numerous cases fitting capture patterns. One of the most prevalent here was “narrative capture,” which is when an industry or company attempts to steer discussion in a direction that benefits them, and influences the position or decisions of public officials and official regulations. As an example, it cites how the European Commission has uncritically followed the industry’s call to "simplify” the AI Act (alongside other digital regulation) even before it has been fully implemented. Earlier this month, The Register reported how enforcement of the rules was delayed, while the rules themselves were cut back after months of angry complaints from AI companies. Narratives deployed emphasized how "regulation stifles innovation" and centered on "red tape," where regulation is portrayed as unnecessary or excessive, setting the stage for later calls explicitly advocating for "deregulation." The researchers found that "elusion of law" (using legal loopholes) is the most recurring after narrative-framing activity. This may comprise violations, such as disregarding existing laws, or contentious interpretations of laws governing areas including antitrust, privacy, copyright and labor laws. Reg readers will be familiar with AI developers' efforts to exempt themselves from copyright laws, for example, by arguing that requiring permission or payment for training data would stifle progress or even destroy the industry entirely. This position has been championed by the Tony Blair Institute and by the UK’s former deputy PM and erstwhile Meta apologist Sir Nick Clegg, who now works for neocloud biz Nscale. The study also identified lobbying and "Revolving Door" as common tools for shaping policy, the latter referring to public officials moving into private sector roles or industry figures securing influential government posts. The UK government’s flagship AI Opportunities Action Plan - for example - was authored by entrepreneur Matt Clifford, who it turns out happens to have financial interests in nearly 500 tech firms, including a number involved with AI. The paper concludes that while it is only right that government regulators attend to the concerns of industry, regulation should always prioritize protecting and promoting the core public values for which governments bear responsibility. It warns that the AI industry’s power, wealth and influence have "far-reaching implications" in terms of impact on the rule of law, the labor market, the environment, knowledge production, and, ultimately, on the functioning of democracy itself. The level of power held by the AI industry is "so corrosive" that policymakers ought to treat it as an emergency, the paper says. Government complicity is detrimental to ensuring the rule of law and to restoring trust in public interest technologies, it points out. ®

The TanStack team has documented security measures and proposals following a damaging breach last week, including the possibility of making pull requests (PRs) by invitation only - a break from the open-contribution model that defines most open source projects. The attack used code from the Shai-Hulud worm, published by malware outfit TeamPCP, which can extract secrets from memory used by GitHub Actions. It began with a PR that triggered an automatic workflow via TanStack's use of the pull_request_target feature, causing the malicious code to be built and run by a GitHub Action, poisoning a cache used across the entire repository. The TanStack team said that its workflow used a pattern GitHub warns against: pull_request_target id intended for PRs that "do not require dangerous processing, say building or running the content of the PR." Since the attack, TanStack has removed all use of pull_request_target from its continuous integration (CI) pipeline, disabled caches used by pnpm (a Node.js package manager) and GitHub Actions, pinned actions to commit SHA (Secure Hash Algorithm) hashes rather than retargetable tags, and disabled use of text messages for 2-factor authentication. The TanStack repository also now uses a feature of pnpm 11 called minimumReleaseAge, which requires dependencies to have been published for a set period before they can be installed. The idea is that compromised packages are usually detected and removed before that period completes. A more drastic proposal is closing the ability for external contributors to open pull requests at all. "We are absolutely not going closed source," the team said, but it could put in place a mechanism where contributions begin with an issue or discussion, and a PR can be submitted only by invitation. TanStack acknowledged that it would be a radical step to take as "open PRs are part of how a lot of us became maintainers in the first place." It might not be necessary if the repository can be hardened enough that malicious PRs cannot cause damage. It is a debate that maintainers of other open source projects will watch with interest. Supply chain security is a huge issue, but making pull requests invitation-only could hurt projects by deterring contributions. Another aspect of this is the extent to which GitHub itself is to blame. "Cache scoping in GitHub Actions shouldn't silently bridge fork PRs and base-repo branches," said the TanStack team.®

Microsoft has begun rolling out tweaks to the Windows 11 experience to make good on its promise to "fix" the operating system, starting with the ability to move the taskbar around. The changes are only for Windows Insiders brave enough to be in the Experimental channel, but will be welcomed by customers left baffled by Microsoft's decision to strip features from its OS with Windows 11. The update allows the taskbar to be positioned at the top, bottom, left, or right of the screen, with icon alignment selectable for each position. Flyouts, including those for Start and Search, appear relative to the taskbar location, and it is also possible to "never combine" taskbar buttons, meaning each app window appears as a separate labeled button. Shifting the taskbar to the side opens up additional screen space at the bottom – which is handy for editing code or writing lengthy pieces complaining about Microsoft's approach to product quality. It's a good start, but it isn't all there yet. This is the Experimental channel after all. However, some omissions, such as auto-hide (which isn't yet supported in alternate positions) and Search boxes being just a search icon, are irritating. Microsoft is also pondering different taskbar positions per monitor and drag-and-drop, but wrote: "Our focus is to deliver the core functionality you need while keeping the experience simple, predictable." A cynic might suggest the company takes the same approach to testing its security updates. Other improvements include the ability to shrink the taskbar with smaller buttons, something that will be welcomed by users running on smaller screens where every pixel matters, and more control over the Start menu. Currently, the size of the Start menu is decided by Windows. The update means users can choose Small or Large themselves, and those choices will remain across displays. Microsoft is also simplifying control over the Start menu sections and recommendations, and adding the option to hide a user's profile picture – useful for those presentation moments when having something personal pop up unbidden might not suit the audience. The update will receive more polishing before reaching production – there are still some howlers, such as notifications, that seem to completely ignore the taskbar's position. But this is more of a preview than anything else at this stage, and an opportunity for enthusiasts to file feedback on the direction of travel. However, there is also the nagging feeling that Microsoft had all this in earlier versions of Windows, and it's taken half a decade for the company to reinvent what was working before. Windows Design Director Diego Baca explained: "The taskbar was modernized during Windows 11 to support better animations, more states, and several other features. So we could not reuse that old code." That "old code" should, coupled with user feedback, have given Microsoft a starting point for the Windows 11 user interface, which it chose to ignore. Now, as Windows 12 lurks in the shadows, Microsoft is reimplementing functionality that users have missed from previous versions. Better late than never. ®

Exploit attempts are already hammering a newly disclosed NGINX bug dubbed "NGINX Rift," proving once again that attackers read patch notes faster than most admins. Researchers at VulnCheck said they are seeing active exploitation tied to CVE-2026-42945, a heap buffer overflow flaw affecting both NGINX Open Source and NGINX Plus that was disclosed last week after apparently sitting unnoticed for 18 years. VulnCheck's Patrick Garrity said the company observed exploitation activity on its canary systems "just days after the CVE was published." "An unauthenticated attacker can crash the NGINX worker process by sending crafted HTTP requests," he said. "On servers with ASLR disabled – which, of course, is extremely unlikely – code execution is possible." Researchers at Depthfirst disclosed the bug last week, saying the flaw had been sitting in NGINX's rewrite module since 2008. The vulnerability, nicknamed "NGINX Rift," was assigned a CVSS score of 9.2. According to F5, which acquired NGINX in 2019, the flaw can be triggered by specially crafted HTTP requests under certain server configurations. In most cases, the result is a crashed worker process and a forced restart, though systems running without standard Linux memory protections could potentially face code execution. A public proof-of-concept exploit appeared the same day patches dropped, which helps explain why researchers started seeing exploitation attempts almost immediately. In practice, turning this into reliable remote code execution takes a pretty specific setup. The target server must be running a specific rewrite configuration, attackers need enough knowledge of that setup to exploit it correctly, and ASLR must also be disabled on the host system. Security researcher Kevin Beaumont noted that while the bug is real, modern Linux defaults significantly reduce the likelihood of successful real-world RCE. "Regarding CVE-2026-42945 in nginx – no modern (or even old) Linux distribution runs nginx without ASLR," Beaumont said. "So, cool, sweet technical vuln – it's valid – but the RCE apocalypse ain't coming." Even so, VulnCheck said Censys scans surfaced roughly 5.7 million internet-exposed NGINX servers running potentially vulnerable versions, which means patching teams everywhere just inherited another very long week. ®

The Polish government is urging public officials and "entities within the National Cybersecurity System" to stop using Signal, directing them to instead use an encrypted messenger developed by a leading Polish research organization. In an announcement on Friday, the government stated that Signal comes with security risks, including social engineering attacks orchestrated by advanced persistent threat (APT) groups. "National-level Computer Security Incident Response Teams (CSIRTs) have identified phishing campaigns conducted by APT groups linked to hostile state agencies," the announcement says. "These attacks target, among others, public figures and government employees." Offering examples of these social engineering campaigns, the government said attackers impersonate Signal support staff and abuse this perceived trust to take over victims' accounts. Attackers trick users into opening malicious links by sending messages designed to create a sense of urgency, such as those supposedly informing them of their account being blocked. Successful attempts can expose victims' phone numbers and, crucially, messages sent between government officials, potentially threatening national security. A more detailed advisory cited "recent security incidents" related to Signal as reasons for the change. It didn't specify what these recent attacks were, or even who was behind them, but it can be reasonably assumed that the Polish government was indirectly referencing Russia's phishing attempts against both Signal and WhatsApp, which were revealed in March. Dutch intelligence agencies AIVD and MIVD reported a "large-scale" campaign targeting their own government officials, noting that some attacks were successful. "The Russian hackers have likely gained access to sensitive information," the AIVD and MIVD said, adding that successful attacks were carried out on government bods as well as journalists. Beyond Signal support staff impersonation, the agencies said the attacks can also involve outsiders persuading victims to surrender their verification codes or PINs, or abusing the platform's Linked Devices feature via QR codes to take control of accounts. The FBI, CISA, and the German information security department issued near-identical warnings. The alternative Poland announced the launch of mSzyfr Messenger in March, saying it was designed for use by public administration entities, those involved in the National Cybersecurity System, and others to be decided by the government. Developed by the Ministry of Digital Affairs and the Scientific and Academic Computer Network – National Research Institute (NASK), mSzyfr was touted by the government as "the first secure instant messenger fully under Polish jurisdiction." It does, however, rely on multi-factor authentication (MFA) provided by US megacorps. Microsoft is the recommended option, but users can also opt for Google or FreeOTP. Further, if users want to retain access to messages even after logging out of the platform, they must set up a recovery key, which the installation manual suggests storing in a password manager. That undercuts the government's emphasis on Polish jurisdiction somewhat, since many popular password managers are either foreign-owned or open source. An FAQ document for mSzyfr states that the messenger is built with a privacy-by-design philosophy, and explicitly notes that neither WhatsApp nor Signal fits this description. It also claimed the US-based platforms are not GDPR-compliant. The mSzyfr app is not publicly available. Only individuals working for approved organizations are able to receive invites to join the platform. It replaces Swiss-founded Threema, which the Polish government began endorsing for state officials and law enforcement in 2022, but data such as messages cannot be transferred because of the apps' encrypted nature. All Threema users should expect to receive an invite to mSzyfr in the near future, if they have not already. The Register asked Signal to comment on Poland's announcement, but it did not immediately respond. It did, however, recently address security concerns raised by various intelligence agencies last week, introducing new warnings and alerts inside the platform to help users weed out potential impostors and bad actors. ®

Microsoft has admitted that the May 2026 security update might fail to install with a "Something didn't go as planned. Undoing changes" message. The problem is related to the EFI System Partition (ESP), which is usually where the device boots from. Its minimum size is 200 MB, and the operating system manages it. However, if there is 10 MB or less free space, then the update might fail with a 0x800f0922 error code and the helpful message. "On affected devices, the installation might proceed through the initial phases but fail during the reboot phase at approximately 35-36% completion," Microsoft said. As with all security updates, there is important stuff in here that needs to be installed. In our earlier coverage, we called this a "doozy of a Patch Tuesday." While nothing was reported as being under active attack, there were dozens of fixes for critical Microsoft CVEs. On devices experiencing the issue, Microsoft has suggested either a registry edit, which will have administrators rolling their eyes, or a Known Issue Rollback (KIR) to deal with the problem. The company wrote: "The resolution has already propagated automatically to consumer devices and non-managed business devices." The issue affects Windows 11 25H2 and 24H2, and emerged while Microsoft was enjoying a period of no known issues with its operating system products. The admission was made doubly unfortunate by coinciding with a company blog post titled "Improving Windows Quality". Microsoft clearly has more work to do on the quality front, which, frankly, is understandable. Windows is more akin to a supertanker than an agile skiff, and changing direction will take time. However, as administrators reach for the KIR group policy to deal with this latest issue, many would be forgiven for looking at Microsoft's protestations around quality and muttering the infamous aphorism: "The more things change, the more they stay the same." ®

Britain's F-35 fighter fleet is set to carry US-made glide bombs as an interim measure until delayed F-35 software updates from Lockheed Martin add support for the SPEAR 3 mini-cruise missile intended for the aircraft. The news comes in an official response from the Ministry of Defence (MoD) to Parliament's Public Accounts Committee (PAC), which published a scathing report last year on the MoD's management of the F-35 program. That report noted that the stealth fighter force lacks essential capabilities, one of which is a stand-off weapon to attack ground targets from a safe distance. The SPEAR missile is intended to fulfil this requirement, but although it is ready and passed test firings in 2024, the F-35 is not currently able to operate it. This capability should have been delivered by now through the Block 4 software update from F-35 prime contractor Lockheed Martin, but this has met with a series of delays. It is now expected in 2031, five years behind schedule. One of the PAC's recommendations was that the MoD should set out in the Defence Investment Plan (DIP) how it will ensure a stand-off capability until SPEAR 3 is fully integrated onto the aircraft. Permanent Secretary at the MoD Jeremy Pocklington wrote back in a letter that approval has been given to proceed with a Foreign Military Sales (FMS) procurement of the precision-guided munition, Small Diameter Bomb (SDB II). "This acquisition will provide the F-35 with an interim stand-off capability until the introduction of SPEAR 3 into service," he stated. SDB II, designated GBU-53/B StormBreaker in US service, is a roughly 200-pound (93 kg) bomb with fold-out wings to allow it to glide to a target up to 69 miles (111 km) away. It has a tri-mode seeker in the nose that lets it use radar, infrared, or laser tracking to home in. Other criticisms leveled at the MoD were that it lacked suitably qualified engineers, and the department's pattern of delaying purchases to meet annual budget targets, which the PAC claimed has the effect of inflating total program costs while reducing operational capacity. Pocklington conceded that not enough spares were available to support the F-35 squadrons aboard aircraft carrier HMS Prince of Wales during the eight-month Operation Highmast deployment last year. "The surge to 24 F-35B aircraft during Operation HIGHMAST exceeded the Afloat Spares Pack capacity of 12. This was mitigated by supplementing with the Deployable Spares Pack [designed for land-based deployments] and taking additional spares from the RAF Marham Base Spares Pack," he wrote. "The Lightning Force is collaborating closely with the Royal Navy to optimise joint scheduling between home and embarked operations, given the current limitation of two front-line squadrons. The Department also plans to double the capacity of the Afloat Spares Pack and procure an additional Deployable Spares Pack for land operations, subject to the DIP." In response, PAC chair Sir Geoffrey Clifton-Brown MP commented on the "entirely unacceptable incompetence that flies in the face of any kind of sensible planning from the Ministry of Defence." "At the heart of any military planning is sound logistics. The UK sent an aircraft carrier with 24 F-35 fighter jets on it to the Middle East – with not enough spare parts to support them." "In an increasingly dangerous world, our military and the country need more than this half-baked approach from the MoD. Our brave fighting men and women, before being sent into potential harm's way, must have absolute certainty that they are well-supported in their equipment, with clear and reliable supply lines," he added. Pocklington's letter also said a short-term reduction in the availability of F-35 aircraft was likely due to the MoD stepping up corrosion awareness and prevention practices. While corrosion can be an issue for all aircraft, this is especially true for those operated from carriers, and it can also impact the F-35's radar-defeating stealth capabilities. The PAC report had noted that the MoD is behind in delivering a UK Aircraft Signature Assessment Facility, needed to check that the F-35's stealth technology is still doing its job and has not been compromised. On the lack of qualified engineers, Pocklington claimed that steps were being taken to address this by increasing available posts to 168. "The RAF has plans in place to fill its remaining engineering posts by 2032. This date is driven by the amount of time (up to three years) it takes to make engineers fully competent on an aircraft type," he said, adding that "the number of personnel recruited into the Engineering Profession, who are now in the training system, has already increased." However, the government's Defence Investment Plan (DIP) was due in autumn 2025, but there is currently no official publication date for it, despite the fact that many key projects are in limbo until it is delivered. ®

Mozilla has warned Britain not to turn VPNs into collateral damage in the government's increasingly desperate hunt for ways to stop kids dodging Online Safety Act age checks. In a submission to the Department for Science, Innovation and Technology's "Growing up in the online world" consultation, Mozilla argued that VPNs are "essential privacy and security tools" used by millions of ordinary people, from those securing public Wi-Fi and remote work traffic to journalists, activists, and other vulnerable users. "VPNs serve as critical privacy and security tools for users across all ages," said Svea Windwehr, policy manager at Mozilla. "By hiding users' IP addresses, VPNs help protect users' location, reduce tracking and avoid IP-based profiling." Windwehr added that people rely on VPNs for everything from connecting remotely to school or work networks to avoiding censorship and "simply protecting their privacy and security online." The filing lands in the middle of an increasingly strange UK debate where privacy tools are being recast as a threat to online safety enforcement. VPN usage in the UK surged almost immediately after Online Safety Act age checks started rolling out last year, as users scrambled to avoid handing sensitive identity data to adult websites and platforms demanding facial scans or ID verification. Child safety advocates and officials then turned their attention to VPNs themselves, with the Children's Commissioner for England even suggesting the government should explore ways to stop children from using them altogether. Mozilla's response argues the government is chasing the wrong target. The company pointed to research from Internet Matters suggesting that relatively few children use VPNs in the first place, and that only a small minority use them specifically to bypass age restrictions. Mozilla instead argued that most successful workarounds involve fake birth dates, borrowed accounts, weak age assurance systems, or laughably fragile facial estimation tools that children have reportedly fooled with drawn-on facial hair. Mozilla also pointed out a central problem with age-gating VPNs: users would first need to hand over personal information before accessing software intended to reduce tracking and data collection. Britain is not the only country suddenly developing strong opinions about VPNs. Denmark recently floated anti-piracy legislation broad enough to trigger fears that VPN usage itself could become legally risky, before ministers hurriedly insisted nobody was trying to ban VPNs. Across Europe, VPNs are being treated less like routine security software and more like an obstacle to enforcement as users turn to them to bypass restrictions. Unfortunately for regulators, the technology industry appears to be moving in the opposite direction. Mozilla has already been testing built-in VPN functionality directly inside Firefox, joining a wider browser trend toward integrating privacy features that previously required separate software. Blocking standalone VPN apps is one thing, but trying to untangle VPN functionality from modern browsers is a much bigger problem. Mozilla's submission repeatedly argues Britain is drifting toward "safety through surveillance" instead of addressing the recommendation systems, engagement algorithms, and platform incentives that actually drive online harms. ®

Google is encouraging its database developers to lean "heavily" on AI coding tools as it ramps up contributions to open source projects such as PostgreSQL. Earlier this year, Google announced a raft of new contributions to PostgreSQL, the open source database that has become a popular RDBMS for developers building new applications in the cloud. Sailesh Krishnamurthy, VP of Databases, Google Cloud, told The Register that the company was using AI coding tools to accelerate its contributions to open source database systems, although each developer remains responsible for their individual contributions. "We do encourage folks to use AI heavily ," he said. "We are seeing huge amounts of productivity improvements internally. In the end, we have individual engineers take accountability for our contributions. Whether you have a piece of code that is completely drafted by AI, or not even part of what you're pasting into your development environment, you have a whole spectrum where AI is used in different places. Either way, the accountability remains on behalf of the person who's done it." AI coding tools can be especially suited to developing contributions to open source projects because the codebase is publicly available and has been used to train the generative models, he said. "That's how models have a better sense of the code, as opposed to many proprietary pieces of code, which are inside the firewall." PostgreSQL was designed to be extensible. As such, it can be a system well suited to vibe coding to get new ideas off the ground quickly, Krishnamurthy said. "The sweet spot is where you have maybe an interesting academic idea that is well understood, and you have a codebase that's well understood, and you're trying to say, well, I want to take this idea and I want to take this piece of code and build an extension for it. That's a great example where you have something isolated – the blast radius is small – and you can go and use AI to interpret the code. Our own engineers are using AI quite heavily, but also judiciously." PostgreSQL became the most popular database among developers in 2023, according to the Stack Overflow survey. The trend owes a great deal to the plethora of PostgreSQL database services out there, not least from the big three cloud providers, which have ramped up investment in the open source system. Last year, Microsoft contributed pg_documentdb_core, a custom PostgreSQL extension that enables support for Binary JavaScript Object Notation (BSON, a binary-encoded serialization of JSON documents), and pg_documentdb_api, a data layer providing MongoDB-compatible commands for create, read, update and delete (CRUD) operations, queries, and index management. The extensions are set to run on the Azure Cosmos DB PostgreSQL database service and offer a document-store-style database to rival MongoDB. Microsoft has also announced a distributed PostgreSQL database service called HorizonDB. Krishnamurthy said: "The industry at large is investing heavily in PostgreSQL. We see this across the board, whether it's customers, whether it's digital native services, and certainly we see the migrations coming from commercial databases. It is also a broad industry trend of PostgreSQL as a layer, no matter where data is being stored." As such, Google has contributed new code to the project, with the engineering effort focused on advancing logical replication. Contributions included Automatic Conflict Detection, designed to allow the replication worker to automatically detect when an incoming change (Insert, Update, or Delete) conflicts with the local state; and logical replication of sequences. Demand for PostgreSQL services is coming from migrations as well as new applications, Krishnamurthy said. Customers are ditching Oracle, Microsoft SQL Server, and IBM Db2, as well as other legacy systems, including Sybase and Informix. Research from Gartner earlier this year shows that of the leading database vendors 15 years ago – Oracle, IBM, Microsoft, and SAP – only Microsoft has grown its market share since. As well as its own database systems, Microsoft offers PostgreSQL and MySQL services, as does AWS, the leading database vendor. Oracle remains third, ahead of Google, and that position seems unlikely to change soon. Nonetheless, with all the major cloud vendors contributing to open source database projects such as PostgreSQL, momentum is slowly shifting. ®

OPINION The terms "blindingly obvious," "logical consequence," and "that is not how it works" appear nowhere in the government handbook of internet legislation. In particular, the discovery that imposing age access controls on websites has pushed users to VPNs has come as a huge surprise to legislators in the UK, the EU, Canada, and Australia. Nobody here knows how old VPN users are, be they kids unwilling to lose access or adults unwilling to disgorge personally identifying data to who knows what. As they recover from this shocking discovery, these fine people are looking at ways to control VPNs, whether by adding age verification here too or by some magical "digital age of consent" technology that somehow evades the paradox that demanding more personal information in the name of safety itself reduces safety. Yet here, as in so many ways, the rest of the world is lagging behind America – more specifically, the great state of Utah, which has just enacted an anti-VPN law. This law makes it compulsory for any site that the state says needs age verification – porn, basically – to impose those checks on anyone physically in Utah whether or not they are using any VPN. Those would be the same VPNs whose sole purpose is to prevent the geolocation of their users. Which would seem, and is, another paradox. The only way to comply is to impose global age checks, effectively giving Utah worldwide regulatory powers. As there is no global standard for this, it's not a practical option. But then, there are no practical options to control VPNs, short of cutting off all internet access à la North Korea. Even China, the world's most effective cyber-authoritarian state and one which very much enjoys telling its citizens what to think, has to be very wary of putting the VPN screws on too harshly. The ground truth about VPNs is that if you allow people access to anywhere on the internet outside your direct control, they can access a VPN. Obvious vectors of denial, such as blacklisting VPN ingress or egress IP ranges, don't work for long. VPN operators are adept at moving these, and you can build your VPN infrastructure in the cloud, and there are plenty of stealth techniques. A VPN pipe looks to any router it traverses like an encrypted bitstream, which is to say like most internet traffic, and if you disguise the session establishment ports and protocols, it’s HTTPS going about its lawful business. All this adds up to a landscape where hundreds of VPN providers are able to react to any official monitoring or clampdown in ways that leave them more resilient and more expensive to tamper with. China knows this, discouraging rather than preventing access altogether, and putting the squeeze on only briefly as occasion demands. The reason age verification works as far as it does for social and salacious media is that these are advertising-driven, which means having a commercial presence everywhere they have advertisers. That puts their cash flow at the mercy of local regulators, which is how the British pirate radio ships of the 1960s were closed down. They operated in international waters and couldn't be jammed, so the UK government made it illegal to advertise on them. VPNs take your money directly, so don't react to local edicts. Plus, even if none of the above were true, VPNs are so essential to enterprise security, and are so available as open source, that they could no more be banned or backdoored than, say, HTTPS. VPNs are bombproof, as far as sense extends. Which means attempts to bomb them into compliance or out of existence in a fit of epic fury will work as well on the internet as it does in the desert. Lots of collateral damage, not so much victory. This isn't an unalloyed good, as the consumer VPN market is far less competitive than it appears and there are plenty of questions about connections between those who control VPNs and various national security interests. A VPN service is literally a man in the middle you pay to use, and assigning trust is up to you. Freedom rarely comes for free, and it would be unwise to rely on any VPN you can't check out if you're doing anything that might summon the intelligence services. Most of us aren't, at least in the free world, at least for now. VPNs, for all their faults, remain a genuine and essential brick in our antisurveillance Lego set. It is very much in our interests that we aren't forced to disclose additional identifying data to them, and that they're not used as an excuse to effectively close down services and sites a particular state dislikes. The Utah law may yet fail on various grounds, as it has already been challenged in court – although given the way the American legal system is being stress-tested right now, this is harder to call than it should be. If it stands, then it will spread to like-minded states like butter across a hot pan. The obvious consequence will be that people move their attention to smaller, less savory sites more resistant to state interdiction. This will come as a surprise to nobody except the legislators. Outside the US, the progress of the Utah experiment will be watched closely by those who see VPNs as loopholes to be blocked. It's our job to demonstrate that VPN regulation would be counterproductive and dangerous, and that concentrating on reducing harm at source is better than forcing consumers to reveal ID and tampering with the infrastructure. ®

The perennial question "Can it run Doom?" has a new answer, of sorts, after the USA's Library of Congress (LOC) added the iconic game's soundtrack to its National Recording Registry. An announcement of this year's new additions to the Registry hails Bobby Prince's 1993 soundtrack as "the perfect riff-shredding accompaniment for the game's demon-slaying journey to hell and back." "Key to Doom's popularity was the adrenaline-fueled soundtrack created by freelance video game music composer Bobby Prince," the LOC asserts, before revealing that the composer took inspiration from "a pile" of CDs loaned by Doom designer John Romero, including "seminal works by Alice in Chains, Pantera and Metallica." Prince was apparently "fascinated" by MIDI (Musical Instrument Digital Interface) and used his knowledge of the standard "to ensure that the sound effects he created could cut through the music by assigning them to different MIDI frequencies." That approach, the LOC says, saw the Doom soundtrack "go on to inspire countless remixes and lay the foundation for future generations of game composers." The Doom soundtrack is the third recording to make its way into the National Recording Registry, which added the Super Mario theme by Koji Kondo in 2023 and last year selected Daniel Rosenfeld's Minecraft: Volume Alpha soundtrack. Joining the Doom soundtrack in the archive are Taylor Swift's 2014 album 1989, Beyoncé's 2008 tune Single Ladies, and Weezer's 1994 debut The Blue Album. The National Recording Registry adds 25 titles each year, as recommended by the Librarian of Congress, who gets advice from the National Recording Preservation Board. All works added to the Registry are at least a decade old and are held to be "culturally, historically, or aesthetically significant." Other nations collect games, and therefore soundtracks, in their national archives – but don't conduct an annual inculcation process in the same way as the USA's National Recording Registry. ®

WHO, ME? Welcome to Monday morning, the time of week when The Register always asks “Who, Me?” because that’s the title of our reader-contributed column in which you confess to having made a mess, and found a way to egress without career distress. This week, meet a reader we’ll Regomize as “Miller” who told us that as a whippersnapper of just 21 summers he found himself tending a mainframe that created a virtual machine, and accompanying virtual disk, for each user. Miller’s employer shut down those VMs at the end of the working day to free up resources for overnight jobs. He therefore wrote a cleanup routine that removed the drives and backed up their contents. This story took place in 1981, a time when it was possible for code written by a 21-year-old to go into production without much scrutiny. Oversight arrived at 3 AM, when the overnight operators ran Miller’s cleanup code and it produced a “file not found” message. Miller spent his entire Saturday finding the problem, the roots of which lay in the fact that the mainframe assigned a letter to each user drive, with A-Z as the available labels. “The routine attached to all users’ drives and backed them up to a temporary drive,” Miller explained. “But you never knew in advance what drive letter the system would assign to the temporary drive. So I wrote a routine to attach it and capture the letter.” That approach worked, until it didn’t – because on this day Miller’s employer gave another user an account on the mainframe. And that user’s virtual drive meant the mainframe used the entire alphabet of disks. “The call for temp disk failed and my routine passed back an asterisk instead of an error code,” Miller confessed. The routine then ran its delete command, but instead of specifying a drive letter to destroy, applied the asterisk and deleted everything. “Every file, all the data, and all the code,” Miller admitted. “I had written all the code myself, long before the days of peer reviews or DevOps or any other controls, so it was all on me,” he added. The Register thinks that’s a bit harsh – who lets a kid write mission-critical code? It took Miller a day to restore data, while 20 other people twiddled their thumbs and waited for him to finish the job. “Hard lesson but it's stayed with me 40+ years!” Miller concluded. Have you written code that went awry? Or failed to supervise a junior? In either case, click here to send us an email so we can tell your tale on a future Monday. ®

Observability outfit Grafana Labs has revealed that an attacker accessed its GitHub repository and stole its codebase. In social media posts the company blamed the situation on an “unauthorized party” who was somehow able to obtain a token that offered access to its GitHub environment. The company thinks it has identified the source of the credential leak, and therefore “invalidated the compromised credentials and implemented additional security measures to further secure our environment against unauthorized access.” But that didn’t stop the attacker from threatening to release the company’s code unless Grafana paid a ransom. Grafana says it won’t pay. “Based on our operational experience and the published stance of the Federal Bureau of Investigation, which notes that ‘paying a ransom doesn't guarantee you or your organization will get any data back’ and only ‘offers an incentive for others to get involved in this type of illegal activity,’ we have determined the appropriate path forward is to not pay the ransom,” the company wrote. It’s not clear if that stance is entirely principled, because plenty of Grafana’s products are already open source. The company’s posts suggest that the attacker accessed code that is not freely available. The Register has sought clarification about just what the attacker accessed, because if they lifted code that’s mostly already open source there’s little reason for Grafana to pay a ransom! Grafana’s decision not to pay may also be easier than it is for other victims of cybercrime because the company says it “determined that no customer data or personal information was accessed during this incident, and we have found no evidence of impact to customer systems or operations.” The company therefore appears confident that whatever code the attackers downloaded won’t make a material different to its business, or harm customers. The same couldn’t be said for educationware giant Canvas, which last week paid extortionists after they claimed to have stolen data describing over 275 million students and faculty. The Register will update this story if we receive additional information from Grafana Labs. ®

Samsung found itself facing down controversy in South Korea last week, when the weather app pre-installed on many of its devices incorrectly labelled an island territory named Dokdo as part of North Korea. Dokdo is a group of volcanic islets that is the subject of a territorial dispute between South Korea, North Korea, and Japan. Netizens were therefore outraged by a champion of South Korean industry handing the islands to foes in North Korea. Mislabelling the map was therefore sufficiently controversial that Samsung quickly pushed an update to fix the error – and blamed data from The Weather Channel as the source of the mistake. While we’re talking about islands … The Federated States of Micronesia, the Republic of Kiribati, and the Republic of Nauru last week connected to the world over a submarine cable for the first time. The three Pacific island nations hooked up to the East Micronesia Cable System, which NEC Corporation built and last week handed over to telecoms companies in the three nations. The cable can carry 100Gbps to each country where it lands, and has capacity to reach 10 Tbps. The three nations are collectively home to around 100,000 people. The governments of Australia, Japan, and the USA funded construction of the cable as part of ongoing diplomatic efforts to woo Pacific nations at a time China is also active in the region. Bitdefender spots alleged Chinese attack on Azerbaijan Antivirus vendor Bitdefender last week published what it says is evidence of a China-backed “multi-wave intrusion targeting an Azerbaijani oil and gas company from late December 2025 through late February 2026.” Bitdefender linked the attacks to the resurgent FamousSparrow crew, which apparently deployed “an evolved DLL sideloading technique” to drop the Deed RAT and Terndoor backdoors. The company’s researchers think attackers targeted a vulnerable Microsoft Exchange server. Senior security researcher Victor Vrabie suggested the attack is a sign that Russia and China are both trying to gain a foothold in Azerbaijan’s energy infrastructure, to gain leverage over energy supplies to Europe. The central Asian nation is a major oil and gas producer, and exports much of its output through pipelines that reach Turkey and Georgia. The importance of those routes has grown thanks to slowing gas exports from the Middle East. China seemingly shuns Nvidia to focus on its own alternatives The United States has allowed several Chinese companies to acquire Nvidia’s H200 accelerators, but Beijing won’t let local buyers do the deed. That’s the washup of President Trump’s visit to China last week, during which US authorities reportedly issued licenses allowing Nvidia to sell its wares to Chinese tech companies including Alibaba, Tencent, ByteDance and JD.com. But President Trump later remarked that China has not allowed its tech companies to buy H200s “because they chose not to, they want to develop their own.” That’s perhaps the strongest signal yet that China has decided to decouple from foreign tech stacks. Bottom drops out of India’s smartphone market Analyst firm IDC last week reported that smartphone shipments in India slumped by 4.1 percent in the first quarter of 2026. IDC said that subdued result would have been worse had brands not decided to front-load channel inventory before the cost of smartphone rise due to the soaring cost of memory. The firm said the result “signals a structural turning point for one of the world’s largest smartphone markets” because device-makers who sell entry-level devices “face shrinking margins and reduced market viability as memory costs continue to rise.” When consumers who buy sub-US$100 phones do upgrade, they “are being pushed upmarket by necessity rather than aspiration” – meaning demand is muted and will likely remain so for quite some time. ®