news aggregator

xAI has launched Grok Build, "a coding agent of its own to serve as competitor to its rivals' products, such as Anthropic's Claude Code," reports Engadget: As Bloomberg notes, xAI has been trying to catch up to its rival companies like Anthropic and OpenAI. Elon Musk, the company's founder and CEO, previously admitted that it has fallen behind its competitors when it comes to coding. A couple of months ago, Musk said he was rebuilding xAI "from the foundations up" after several co-founders had left the company. One of the company's executives reportedly told staffers to work on getting Grok to match Claude's performance across various tasks. More details from PCMag: Grok Build is currently available in beta to those with a SuperGrok Heavy subscription, which starts at $300 per month. Just download it from the xAI website and log in. It's described as "a powerful new coding agent and CLI for professional software engineering and complex coding work." In its early version, xAI is seeking feedback and looking to fix any bugs... Only a few features have been highlighted, including a plan mode that lets you review, edit, and approve a plan before execution, and support for existing plug-ins and workflows.

Read more of this story at Slashdot.

For those who miss what Windows looked like in 2009, Classic 7 is a heavily modified version of Windows 10 IoT LTSC, reworked to make it look as much as possible like Windows 7, while still being in support and receiving updates. This has been accomplished thanks to a large compilation of skins, themes, add-ons, tweaks, and so on – some of which are real components from older versions of Windows, adapted and modified to run on Windows 10. We were not sure whether to cover Classic 7, because while it is impressive and fun, we are not at all sure it is legitimate to use. But we can see a target audience. This isn't just a layer of makeup; it's more like a face transplant. It includes some real binaries from Windows 7, and indeed earlier versions, adapted and grafted onto Windows 10. One component is the Windows Media Center from Windows XP, which was cut from Windows 10 before release. The specific version of Windows 10 that it's modified is significant. It's Windows 10 IoT LTSC. We talked about this specific edition in April 2025 because it's the last version of Windows 10 that is still in support and receiving updates. The standard Windows 10 Enterprise LTSC release will continue to receive updates until 2027, and the IoT edition, which is only available in US English, will get updates until 2032 – so this is the longest-lived version of Windows 10. At the bottom of our story on Windows 10 LTSC, we mentioned the slightly shady world of third-party modified editions of Windows. Classic 7 is one; it's a modified version of an Enterprise edition of Windows, one that's only available for legitimate licensing via a Volume License Agreement. Unless you have appropriate volume licensing for the underlying Windows edition and have paid the fairly hefty fee, this is an unlicensed copy of Windows. So we have to spell out that this is not for production use, and you should not use it in any working environment. It's an interesting hack, though, and it might be a bit of fun for a home gaming machine or something like that. As an aside, one of the most widely used tools for activating unauthorized copies of Windows and Office, MassGrave, is in fact hosted on GitHub. In other words, Microsoft itself is hosting tools to activate unlicensed copies of Windows and Office. Whether that counts as tacit approval, we wouldn't like to say. Classic 7 has been under construction for over a year and a half, and it's the sequel to an earlier project called Reunion7 – also hosted on GitHub, as it happens. As its list of credits shows, Classic 7 is in part a compilation of a lot of existing tools. Some of them are relatively well known, such as Winaero Tweaker, which can run on any copy of Windows and, among lots of other options, allows some of the less desirable changes in the Windows UI to be undone – for instance, switching to the hidden Aero Lite theme. Classic 7 includes this and a lot more besides. We could identify some of the couple of dozen credited projects, such as the Aero11 theme, itself a port of Aero10 to Windows 11. This works alongside OpenGlass, which brings Aero-style transparency to Windows 10. There's also the Windows NT Modding Utility, and another hack that lets you change the Windows version number reported on the command-line, called Custom CMD Version Text. Multiple sub-components come from the Windhawk mods collection, some credited to a developer called ImSwordQueen, whose themes can be seen on DeviantArt. Other components are more than just cosmetic. For instance, the remarkable description of Explorer7: "explorer7 is a wrapper library that allows Windows 7's explorer.exe to run properly on modern Windows versions, aiming to resurrect the original Windows 7 shell experience." So this is not merely a theme for Windows 10 Explorer: as far as we can tell, it's the real Windows 7 Explorer, but running on top of 10. The same appears to apply to Control Panel as well, thanks to the Control Panel Restoration Pack. Thanks to the Windows Media Center (Modern Hardware) effort, this is the real XP version, which an on-screen message says replaced the Windows 8 version used in an older build. We tried Classic 7 in VMware, and the experience is quite uncanny. We did hit some glitches: our first installation failed when we let it do its own disk partitioning. Deleting all the partitions, manually creating a single large C: drive, and telling the installer to use that worked. A few error messages did appear here and there. Trying to change screen resolution went badly awry until we installed the VMware guest additions. Opening Windows Update just threw an error. Overall, though, it is genuinely remarkable. It looks and feels like Windows 7 – but in principle, you can run the latest apps and drivers and they should work. It even includes your choice of older Firefox versions, including version 115 ESR, skinned to look exactly like Internet Explorer – an effort called BeautyFox. Last year, we wrote a piece on running Windows 7 in 2025 and it really reminded us how great the 2009 release looked compared to anything that's come since. Apparently, that late-noughties translucent look is now known as Frutiger Aero, and frankly we miss it. In all honesty, we feel Classic 7 goes too far. We don't want Help/About dialog boxes, and even the winver tool and the ver command to lie to us. We'd prefer something that told the truth, but looked pretty while doing it. But as we wrote last year, some personal friends are still running Windows 7 by choice, and compatibility is starting to become a problem. If you want a recent Firefox, well, you're out of luck. Firefox 115 from 2023 still works, and remarkably, it's still getting security fixes now: the March end-of-life has been postponed again, and it's currently August 2026. The Irish Sea wing of Vulture Towers is still running it on OS X 10.13 and it works flawlessly. This is a way out: to keep the 17-year-old vintage look, while running a codebase that still has another five years in it. If you're that determined, it's an option… and it's undeniably an attractive GUI. Whether this unauthorized rebuild of an unlicensed OS is an attractive option, though – you must decide that for yourself. ®

England's Department for Education is advertising a role paying up to £200,000 a year to lead a new digital and infrastructure group overseeing school buildings and maintenance, as well as technology and data. Its Director General, Digital and Infrastructure, will lead the technology function of around 1,800 staff, develop a new strategy covering digital services, data, and artificial intelligence, and lead work on a unique identifier for children and other learners in England. Scotland, Wales, and Northern Ireland run education services on a devolved basis. The successful candidate will also implement a new strategy for "the education estate" of schools, colleges, nurseries, and children's homes. The job ad warns the function "carries some of the highest levels of risk and accountability in the department - including life-and-death decisions on safety," citing ongoing work to remove unsafe reinforced autoclaved aerated concrete (RAAC) from schools. "I am looking for a leader who is motivated by impact - someone who is able to combine their digital and data expertise with their drive to improve outcomes for children and young people," writes the department’s permanent secretary, Susan Acland-Hood, in a briefing document with the advert. "Whilst you do not need to be an expert on education policy, you need to be curious and committed to rapidly building your understanding of the latest evidence, system, and policy landscape." The department is willing to base the job in Bristol, Cambridge, Coventry, Darlington, London, Manchester, Nottingham, or Sheffield, although those who do not work in the capital will need to go there frequently. Applications close on June 1. Several other departments have recently advertised digital director-general posts, the civil service job category just below permanent secretary (equivalent to chief executive). In January, England's Department of Health and Social Care advertised the role of director general for technology, digital and data with a salary of up to £285,000 a year. In February, the Ministry of Defence offered £270,000 to £300,000 for its chief digital and information officer job. And in April, the Department for Science, Innovation and Technology advertised for three directors-general, one paid £174,000 and the other two paying between £200,000 and £260,000 annually. ®

Computer Weekly reports on "the long-awaited reform of Britain's outdated Computer Misuse Act of 1990 — which has hamstrung the work of the nation's cyber security professionals and researchers for years." The Computer Misuse Act was passed 35 years ago in response to a high-profile hacking incident involving no less than the King's father, the late Duke of Edinburgh. It defined the offence of unauthorised access to a computer — which has been used successfully in countless cyber crime prosecutions over the years. However, as the cyber security landscape has developed into its current form, this language has become increasingly vague and for some years now, a growing number of bona fide security professionals have been arguing that it potentially criminalises their work because from time to time, they may need to gain covert access to IT systems in the course of legitimate research. Speaking to Computer Weekly in 2025, Belfast-based security consultant Simon Whittaker described how the police showed up at his front door after his research was erroneously implicated in the infamous WannaCry incident of 2017... Sabeen Malik, vice-president for global government affairs and public policy at Rapid7, added: "As AI-driven vulnerability discovery scales, defenders need to run automated scanning, agentic red-teaming, and large-scale vuln research at machine speed — activities the 1990 Computer Misuse Act's broad unauthorised-access provisions were never designed to accommodate, leaving UK researchers exposed to criminal risk for work their adversaries face no equivalent friction performing." The reforms are part of a new bill that's "enhancing the powers available to law enforcement and the security services," according to the article. It points out that the U.K. government also intends "to create a Cyber Crime Risk Order that can be applied to control the behaviour of cyber criminals, and new abilities to search people believed to be concealing evidence on behalf of suspected offenders." It's all part of a proposed bill "designed to make the UK a harder target for hostile foreign states and other dangerous groups to attack."

Read more of this story at Slashdot.

Today Amazon ends support for first- and second-generation versions of Kindles and Kindle Fire tablets, along with the Kindle Touch, the 9.7-inch Kindle DX, and other devices released in 2012 or earlier. Owners can continue reading ebooks that they've already downloaded, and they can also still sideload books using a USB cable (from, for example, Project Gutenberg). And PCMag points out that "There are plenty of e-stores where you can buy DRM-free novels legally, such as ebook.com and Smashwords. If you want to try this process for free, public-domain repositories such as the one at Standard Ebooks are a great place to start." (eBook files can be converted for the Kindle with the open source tool Calibre.) New ebooks can no longer be purchased directly from Amazon. But most of Amazon's affected devices "have not received firmware updates for over a decade," notes the blog OMG Ubuntu, "and most lost on-device access the Kindle Store." Some Kindle owners are taking things even further: You can unlock the firmware of older devices to add extra functionality (custom screensavers, epub support) or run entirely different software. On the hardware hacks side, some choose to turn old Kindles into photo frames or online dashboards. TechCrunch offers some caveats about jailbreaking: This process allows users to install custom fonts, new screensavers, alternative reading apps, and even third-party tools that expand the Kindle's functionality... [I]t's important to note that jailbreaking a Kindle might violate Amazon's terms of service. In many jurisdictions, jailbreaking isn't considered a criminal offense for personal use, but it may become a crime if it involves copyright infringement, illegal software distribution, or the sale of modified devices. Many Kindle owners who opt to jailbreak view it as a method to gain control over a device they purchased that is still functional, rather than being forced to buy a new device. However, jailbreaking is technical and carries risks, including the possibility of rendering the device unusable if something goes wrong. It also isn't possible on every Kindle model or firmware version, so before proceeding, Kindle owners should first spend some time researching if their device is compatible. Alternately, PCMag notes, "If you're feeling particularly virtuous, you can donate your old Kindle to a local library or send it back to Amazon free of charge via its electronic recycling program."

Read more of this story at Slashdot.

An anonymous reader shared this report from Electrek: A Nevada utility just told 49,000 Lake Tahoe residents that it's redirecting 75% of their electricity supply to data centers, and they have less than a year to find a new power source. It's one of the starkest examples yet of the AI boom's impact on everyday Americans... NV Energy needs the capacity for data centers being built by Google, Apple, and Microsoft around the Tahoe-Reno Industrial Center east of Reno, according to Fortune... Data centers drove half of all US electricity demand growth last year.... That dynamic — small residential customers losing out to massive industrial electricity buyers — is exactly what's driving the broader shift to distributed solar and storage. When the grid becomes unreliable or unaffordable because of data center demand, the homeowners who have solar panels and a battery in the garage are the ones with options. "The shift is measurable," they argue: Third-party ownership models (leases and power purchase agreements), which still qualify for the [U.S.] commercial investment tax credit through 2027, are projected to grow 25% in 2026 and capture up to 69% of residential installations, up from roughly 45% in 2025. Homeowners aren't waiting for incentives to come back — they're finding new ways to get solar on their roofs... [A] battery that can store cheap solar energy and deploy it during peak hours is increasingly essential. California utility customers alone are adding roughly 8,000 new home batteries per month — about 100 MW of new storage capacity. Municipal programs are accelerating the trend. Ann Arbor, Michigan, recently became the first US city to directly deploy solar and battery systems on 150 homes through its city-owned utility. Vermont's Green Mountain Power is offering home batteries at little to no upfront cost. These programs signal that utilities themselves recognize the value of distributed energy.

Read more of this story at Slashdot.

"Every link leads to an entry that does not exist yet," explains the GitHub page for a Wikipedia-like site called Halupedia. "Until you click it, at which point an LLM pretends it has always existed and writes it for you, in the deadpan register of a 19th-century scholarly press..." Every article is invented on demand. The footnotes are also lies... The hardest problem with an infinite, on-demand encyclopedia is internal contradiction... When the LLM writes an article, it is required to add a context="..." attribute on every <a> it inserts, summarising the future article it is linking to (e.g. context="19th-century clerk who formalized footnote drift, Pellbrick's mentor")... When that target article is later requested for the first time, the worker loads the accumulated hints and injects them into the system prompt as "PRIOR REFERENCES — these are CANON". The LLM is instructed that the encyclopedia is hallucinated and absurd, but it must not contradict itself. Fast Company reports that Halupedia was created by software developer BartÅomiej Strama, who confessed in a Reddit comment that the site came about after a drunk night with a friend. In the week since launch, he says Halupedia has amassed more than 150,000 users." Beyond indulging in silly alternate histories, what's the point of using Halupedia? Strama hinted at one larger purpose in a reply to a donor on his Buy Me a Coffee page: "Your contribution towards polluting LLM training data will surely benefit society!" he wrote. The site is licensed as free software under the GPL-3.0 license. Thanks to long-time Slashdot reader schwit1 for sharing the news.

Read more of this story at Slashdot.

Former Microsoft programmer Keith Curtis "wrote and self-published After the Software Wars to explain the caliber of free and open source software," according to his entry on Wikipedia, "and why he believes Linux is technically superior to any proprietary OS." He's also KeithCu (long-time Slashdot reader #925,649), and has written a blog post on "How I added an LLM-based grammar checking + TeX math import to LibreOffice." : At Microsoft, I spent five years working on the text components RichEdit and Quill, and came to understand the "physics" of word processing: the file formats, data structures, and algorithms that provided fast access to text and properties, independent of the length of the file. Selecting one million characters to make them bold took about the same time as changing one character, because of the clever data structures (piece tables) and algorithms in these engines... When I decided to add a real-time AI grammar checker to [LibreOffice plugin] WriterAgent, I knew what I was getting into, but I underestimated the trickery of LibreOffice's UNO. His site shares the surprises he encountered, one by one. (Starting with "the office suite throws a bunch of initialization variables at your constructor. If your Python __init__ method doesn't handle them, the code fails to map the call, the stack misaligns, and the program dies.") There's sentence casing issues, duplicate words, and foreign-language syntax — all culminating in new features for "a LibreOffice extension (Python + UNO) that adds generative AI editing to Writer, Calc, and Draw..." "If you want to try it out, the repo is here... Let's make LibreOffice and the free desktop AI-native!"

Read more of this story at Slashdot.

Bloomberg reports that Apple's two-year-old partnership with OpenAI "has become strained, according to people familiar with the matter." Bloomberg describes OpenAI as "failing to see the expected benefits from the deal and now preparing possible legal action." OpenAI lawyers are actively working with an outside legal firm on a range of options that could be formally executed in the near future, said the people, who asked not to be identified because the deliberations are private. That could include sending the iPhone maker a notice alleging breach of contract without necessarily filing a full lawsuit at the outset, according to the people... OpenAI believed that the companies' partnership, which wove ChatGPT into Apple software, would coax more users into subscribing to the chatbot. It also expected deeper integration across more Apple apps and prime placement within the Siri assistant. Instead, Apple's use of OpenAI technology across its operating systems remains limited, and features can be hard to find... Apple has had its own concerns about OpenAI, including whether the company does enough to protect user privacy. And a recent push [by OpenAI] to make devices — an effort overseen by former Apple executives — has rankled the iPhone maker. Any legal move by OpenAI likely wouldn't come until after the conclusion of the Musk trial, according to the people. No final decisions have been made, and OpenAI still hopes to resolve its issues with Apple outside of court. The article points out that OpenAI "initially believed the deal could generate billions of dollars per year in subscriptions — something that hasn't come close to happening." An OpenAI executive argues to Bloomberg that from a product perspective Apple hasn't done everything they could, "and worse, they haven't even made an honest effort."

Read more of this story at Slashdot.

"Most of the plastic waste in California is about to lose the recycling symbol," writes the Washington Post's "climate coach." The "chasing arrows" symbol, created in 1970 by a college student inspired by the burgeoning environmental movement, has been stamped indiscriminately on plastic bottles, clamshell takeout containers, chip bags and more for decades. The majority of the items emblazoned with the mark have been virtually impossible to recycle for most people. California lawmakers say they want to end the charade: Under what's known as the Truth in Recycling law, plastics cannot use the symbol if they aren't collected by curbside programs serving 60% of Californians and sorted by facilities serving 60% of the state's recycling programs (with some additional requirements). If the law goes into effect as scheduled on October 4, more than half of the types of plastic packaging and products sold in the state can no longer carry the chasing arrows logo. That will affect plastic films, foam, PVC and mixed plastics... Food and packaging groups have sued the state of California, calling the law a form of censorship whose vague restrictions violate the First Amendment and due process rights.... Advocates of the law counter that corporations deliberately misled the public by turning the recycling symbol into a marketing device that masks the fact that only a small fraction of plastic packaging is ultimately recycled... The mark was originally intended to informwaste processors what polymers a plastic item was made from. But the public reasonably assumed anything stamped with the symbol was recyclable. Millions of tons of worthless plastic trash have since poured into recycling facilities unable to process it.... States are now taking action. Seven have passed laws shifting the cost of recycling onto packaging makers. Oregon and Washington have lifted requirements that plastic containers carry the chasing arrows symbol. The article notes that Norway already recovers 97% of beverage bottles, while Slovakia recycles 60% of plastic packaging. "But the U.S. only recovers about a third of its PET and HDPE bottles, and just 13% of plastic packaging, according to U.S. Plastics Pact, an industry-led forum. "It won't be easy for the U.S. to reach higher levels of recycling: The necessary infrastructure and incentives are chronically underfunded, no federal mandate exists for minimum-recycled-content that would create demand and a mix of mostly unrecyclable hydrocarbons still dominates the waste stream."

Read more of this story at Slashdot.

"The vulnerability is simple in practice," writes Tom's Hardware: "run a command as a standard user and gain root (administrator) access to the machine." And it was Mythos Preview that helped the security researchers at Palo Alto-based Calif bypass a five-year Apple security effort in just five days. The blog 9to5Mac reports: Last year, Apple introduced Memory Integrity Enforcement (MIE), a hardware-assisted memory safety system designed to make memory corruption exploits much harder to execute... [The researchers note it's built into Apple all models of the iPhone 17 and iPhone Air, and some MacBooks] They explain they have a 55-page technical report on the hack, but they won't release it until Apple ships a fix for the exploit. But they do note in broad terms that Anthropic's Mythos Preview model helped them identify the bugs and assisted them throughout the entire collaborative exploit development process. "Mythos Preview is powerful: once it has learned how to attack a class of problems, it generalizes to nearly any problem in that class. Mythos discovered the bugs quickly because they belong to known bug classes. But MIE is a new best-in-class mitigation, so autonomously bypassing it can be tricky. This is where human expertise comes in. Part of our motivation was to test what's possible when the best models are paired with experts. Landing a kernel memory corruption exploit against the best protections in a week is noteworthy, and says something strong about this pairing...." [I]n a time when even small teams, with the help of AI, can make discoveries such as this one, "we're about to learn how the best mitigation technology on Earth holds up during the first AI bugmageddon."

Read more of this story at Slashdot.

Variety reports: Amazon MGM Studios started auditioning actors for the part of 007 in the past few weeks, Variety has learned... The next James Bond film will be directed by Denis Villeneuve, the filmmaker behind the "Dune" franchise, "Arrival" and "Sicario." Amy Pascal of the "Spider-Man" films and David Heyman of the "Harry Potter" series will produce the picture, which will feature a script from "Peaky Blinders" creator Steven Knight. Tanya Lapointe ("Dune") is executive producing the film. The BBC notes it's been five full years since the release of the last Bond film No Time To Die, and 15 months "since Amazon MGM Studios took control of the Bond franchise." But they also offer this list of "the current bookmakers' favourites" for who will become the seventh actor to play the gadget-loving super spy in the franchise's 64-year history: Callum Turner — the 36-year-old actor is the current bookies' frontrunner. He has been in the Fantastic Beasts franchise, was nominated for a Bafta for TV drama The Capture, and starred in Apple TV's Masters of the Air... Jacob Elordi — the Australian actor, 28, made his name in TV's Euphoria and cult hit film Saltburn, and was nominated for an Oscar this year for playing the monster in Frankenstein. The Rest Is Entertainment host Marina Hyde recently said she'd heard from a number of well-placed sources that he's now "in pole position" to be Bond. Harris Dickinson — the 29-year-old is playing John Lennon in the forthcoming major Beatles biopics, and has previously appeared in Maleficent, The King's Man, Where the Crawdads Sing and Babygirl, and received a Bafta TV Award nomination for A Murder at the End of the World. Henry Cavill — the Superman, The Witcher and Mission: Impossible actor is a fan favourite and was widely regarded to have been the runner-up when Craig landed the part. But at 43, is he now too old to start a lengthy stint as 007? Aaron Taylor-Johnson — the Bafta-nominated 35-year-old, known for films like Kick-Ass, Kraven the Hunter and 28 Years Later, is a perennial contender, and would fit the bill. Theo James — the suitably suave star, 41, made his name in the Divergent films and has since built his reputation in The Time Traveler's Wife, The White Lotus and The Gentlemen. ...Or producers could well go for one of the many other names who have been touted for the role, or an unexpected choice.

Read more of this story at Slashdot.

INTERVIEW Enthusiasm among managers to adopt AI tools has outpaced developers' ability to learn those tools and use them effectively. Moshe Sambol, VP of customer solutions at software observability outfit Lightrun, told The Register in an interview that he speaks with a lot of companies. Some of the developers in those organizations, he said, are very comfortable with AI tools. "But the reality is that a lot of developers are much earlier in the curve," he said. "The expectations of businesses are getting ahead of where the developers are in terms of their mental model and in terms of the training that they're providing, the enablement they're providing to make their teams comfortable with the tools, and the rate at which these tools are evolving." Sambol said the degree of AI tool adoption varies. "I absolutely have customers who've told their developers, 'You don't write code anymore. You review code. No one should write a line of code unless for some reason you failed after three attempts getting GenAI to do it,'" he said. "I have customers like that. I don't know if I should name them, but absolutely." And he said on the other side of the spectrum, there are organizations like banks that are just starting to roll AI tools out due to compliance obligations and traditional industry caution. "It's an exciting time to be adopting these tools and learning these tools, but it puts a lot of pressure on the developer," he said. "It puts this expectation of being more productive." Not everyone manages that, and Sambol said he has a lot of sympathy for developers who have been directed to use AI tools without training and organizational guidance. Generative AI models will produce a lot of code quickly, he said, and because the code seems correct initially, it often gets pushed forward. "If it's not creating bugs en masse today, it's just pain waiting to happen," he said. "The number one question I think we have to be asking developers is, 'Can you explain that code? Have you validated that the code actually fits in the context of the broader system?'" Sambol said the answer isn't necessarily yes or no because developers have different levels of experience and often work on large projects where they focus only on a specific part of the code base. It's common in enterprises, he said, that no one person will understand the entire system end-to-end, which is why problem resolution often requires a group of people. The issue he sees is that generative AI systems don't help bridge the missing knowledge gap. They don't provide the context to understand all the components involved. Sambol went on to describe an incident in which a developer was using an AI assistant to build an Ansible automated workflow. "The generative AI was creating the Ansible template for him, which seems like a perfect match – it's drudge work," he explained. "And it's much better at getting the syntax exactly right." It worked. And then it stopped working. "The system that he was deploying to, all of a sudden, he could not get the component up," Sambol said. "It just wouldn't start. A process that had been going smoothly for a couple of hours in the morning, now all of a sudden, his service is down and it will not run. "And he's pulling his hair out trying to unstitch the day's work so far to figure out what went wrong, why is the service not working," he said, adding that the AI agent proved unhelpful by going off in the wrong direction, reinstalling the operating system, and undertaking other ineffective steps to effect repairs. What happened, Sambol explained, is that earlier in the day, the developer had installed the component in a certain way – it was running in a container with a systemd service. As such, it needed access to the ports on the device, which precluded running the component in Docker. "So the AI model re-wrapped it, repackaged it, and deployed it in a different way, but kept the original one running," he explained. "So it was simply a matter of the fact that the one he had initially deployed was still running and it was blocking the port and the second one couldn't run. "It's a fairly simple, easy-to-understand problem once you see it, but he lost the entire afternoon going down all kinds of dead ends with the AI looking at this, looking at that, because the AI model didn't remember that it had guided him to deploy the system a certain way earlier in the day." Sambol said various studies show a significant percentage of AI generated code contains errors and creates technical debt. That's not to say human developers are without fault. Sambol said developers have their own weaknesses. Many companies, he said, have offshored or globally distributed development teams, so there's a lot of variation. He argues that it's important to acknowledge that imperfection and work toward processes that improve results. One way to do that is to automate the prompting process in a way that makes it more repeatable. "When you do that, you identify where you're starting to get good results and you don't expect everybody to come up with a well-structured long prompt." Sambol added, "I think these tools are absolutely getting better. And so I'm reluctant to call any of them junk or deeply flawed. They're getting better shockingly rapidly. If you can take advantage of a couple of different ones – with a human being in the loop – then you are more likely to get output that is at least as good as you were getting before." ®

The blog It's FOSS has an update on the Fedora AI Developer Desktop Initiative, a proposed platform for AI/machine learning workloads on Fedora. It's now been blocked "after two Fedora Council members retracted their earlier approval votes." The initiative was proposed by Red Hat engineer Gordon Messmer, aiming to deliver an Atomic Desktop with accelerated AI workload support, covering developer tools, hardware enablement, and building a community around AI on Fedora... At the May 6 council meeting, the members unanimously voted to approve this new initiative. After which a short, lazy consensus window was left open until May 8 to accommodate absent members, after which the decision was to be ratified. But that last bit never happened, as council member Justin Wheeler (Jflory7) was the first person to change their vote to -1... ["While I strongly support leveraging AI to establish Fedora as a leading platform, completely rearchitecting our kernel strategy is a massive structural shift. It requires explicit alignment with our legal and engineering stakeholders before we commit the project to this path."] Following that, fellow council member Miro HronÄok (churchyard) put in his -1, saying that he had originally assumed the proposal was purely additive and therefore uncontroversial. But seeing the community's response, he realized that he was mistaken about that. As an elected representative, he felt the need to reflect on this major proposal before signing it off. Over 180 replies have piled up in the proposal's discussion thread, with many well-known Fedora contributors pushing back on things like kernel policy, proprietary software, and project identity. Hans de Goede from the packaging team called out the proposal's emphasis on CUDA support as going against Fedora's foundational commitment to free software, arguing that open alternatives like AMD's ROCm and Intel's oneAPI should be the focus instead.

Read more of this story at Slashdot.

USA Today reports: Trump Mobile phones are being shipped this week, the company exclusively confirmed to USA TODAY in an email May 11.... The company's first smartphone — the T1 Phone — was originally scheduled for release in August. However, the golden gadget's release was later delayed to October before being pushed back again to this week. Now, Trump Mobile CEO Pat O'Brien told USA TODAY, pre-ordered phones will start getting sent out to customers this week... O'Brien said the company anticipates all pre-ordered phones to be delivered within the next several weeks... The company's 5G "47 Plan" is available for $47.45 a month, a nod to President Donald Trump's two presidential terms, according to the website... Customers will also have Trump(SM) displayed as the status bar in their network. The Verge reported the phone was added last week to Google's public list of devices certified for Google Play, "usually one of the final steps before an Android phone is launched." Trump Mobile may have broken radio silence partly in response to a recent wave of media coverage alleging that buyers had received emails notifying them that their preorders had been canceled, coverage that even made it onto Stephen Colbert's The Late Show... [T]here's seemingly no evidence of the alleged cancellation emails beyond unverified social media claims. In January The Verge also questioned reports that 600,000 people preordered the Trump phone with a $100 deposit. "I can't find a shred of evidence that this figure is true," calling it "a microcosm of how the modern media landscape and AI chatbots can combine to give falsities the sheen of respectability." I first saw the figure in, of all places, the Threads feed of California governor Gavin Newsom's press office, which had shared a screenshot of a tweet of a Grok summary making the claim. Trustworthy, right? The Grok post cites "reports from sources like Fortune, NPR, and The Guardian" for the 600,000 preorders, but a quick search of their recent output shows no sign of the number... India's Economic Times and Hindustan Times both reported a more specific figure of 590,000 preorders, referencing an unspecified Associated Press report as the source. [The Associated Press] VP of corporate communications, Lauren Easton, confirmed to me that "AP's original stories never contained such a number...." Hindustan Times writer Shamik Banerjee called the citation "a typo," and told me that the figure was in fact taken from The Times of India. The Times of India story, which is bylined only to the newspaper's lifestyle desk, is more transparent in its sourcing: a viral post by a meme account... It's been covered by multiple publications, now presented as fact on MSN.com and tech site Phone Arena. And that coverage has helped it to filter into the chatbots and not just Grok — Gemini and ChatGPT were both happy to confirm to me that 600,000 T1 Phones have been ordered so far, the former falsely attributing the number to the Associated Press, and the latter to Phone Arena. As for how many Trump Phone preorders have actually been placed? No one outside the company knows.

Read more of this story at Slashdot.

What's going on with the U.S. job market? "The economy is growing. Unemployment is low," notes the Washington Post. "And yet, for millions of workers, finding a job has become harder than at almost any other point in decades," with the hiring rate "well below pre-pandemic levels for more than a year." Part of the problem? "Of the net 369,000 positions added across the entire economy since the start of 2025, health care alone accounted for nearly 800,000 — meaning every other sector, taken together, shed jobs." By the end of 2025 nearly half of college graduates ages 22 to 27 were working at jobs that didn't require a degree, according to stats from New York's Federal Reserve Bank. The headline unemployment rate, at 4.2%, looks healthy. But that figure has been buoyed by a shrinking labor force: Fewer people are actively looking for work, which keeps the rate down even as hiring slows... [Some large tech companies] are trying to recalibrate after their hiring sprees of 2021 and 2022, when many had raised pay, offered flexible schedules and signed people quickly... Higher interest rates have also made expansion more expensive, pushing many firms to invest in technology rather than headcount. Another reason hiring has slowed is uncertainty about AI. Even though the technology has not yet replaced large numbers of workers, it is already shaping how companies think about hiring. "I don't think this is AI displacement," said Ben Zweig, chief executive of Revelio Labs, a workforce data company. "What we're seeing is anticipatory." Instead of rushing to bring on new workers, some firms are waiting to see how the technology evolves and which tasks it will eventually take over. A 39-year-old web developer tells the Post it took 453 job applications to get a handful of interviews and two offers. And a journalism school graduate said they'd sent hundreds of job applications but most led nowhere, and they're now couch-surfing to save money. But the problem seems even worse for young people. One 18-year-old told the Post that in a year and a half of job searching, they'd yet to even meet an employer in person. The unemployment rate for people ages 22 to 27 who recently completed college hit 5.6% in the final months of 2025 — well above the 4.2% rate for all workers, according to national data from the Federal Reserve Bank of New York... At one point last summer, new workforce entrants made up a larger share of the unemployed than at any point since the late 1980s — higher even than during the Great Recession. When hiring slows, the door closes first on those without an existing foothold. For the class of 2026, the timing could hardly be worse. "It is getting increasingly clear that young people are being more affected by AI than older workers," Zweig said. Companies are not eliminating jobs at scale, but many are slow to hire junior workers. At the same time, older workers are staying in the labor force longer, leaving fewer openings for new arrivals. Even when jobs are available, the bar has shifted. Positions once considered entry level now often require several years of experience, technical expertise and familiarity with AI tools. With fewer openings and more applicants, companies are holding out for candidates who can do the job immediately and need little training... Employers are also looking for a different mix of skills. An analysis of millions of job postings by Indeed found that communication skills now appear in nearly 42% of all listings, while leadership skills feature in nearly a third — capabilities that are harder to prove on a résumé and harder still to demonstrate without an existing professional network. Christine Beck, a career coach who works with early-career job seekers, said employers are asking more of the people they do hire.

Read more of this story at Slashdot.

Last year, The Register spotted Dell selling cloud-manageable wireless earbuds that feature the company’s famously stoic styling at a price higher than Apple charges for its latest AirPods. Dell eventually offered your correspondent a pair of the Pro Plus Earbuds to try so we could hear what all the fuss is about – and we accepted, on condition that the company showed us the cloudy management tools that make the buds worth the big bucks. Divya Soni, a go to market lead, showed me Dell’s cloudy Device Management Console, a tool that lets admins enroll and track the buds, send them new firmware, or do things like turn on active noise cancellation by default across a fleet of earbuds. New firmware matters for earbuds because they’re Bluetooth devices and the wireless protocol has had its fair share of security scares over the years. The buds have already earned Microsoft’s Teams Open Office Certification – a seal of approval for being able to handle noisy offices, plus a Zoom accreditation. New firmware might help there, too. Soni admitted earbuds aren’t the main priority for the Device Management Console, which Dell expects customers will mostly use to manage docks and displays. Dell delivers firmware updates to those devices at least once a year, to address security issues or fix bugs. The tool can do the same for keyboards or headsets. I can’t imagine anyone would adopt Dell’s Device Manager just to keep an eye on earbuds. I’m also not sure anyone would buy the buds for personal use. I say that because I own two sets of wireless earbuds and in their own way both are better than the Dells. My go-to buds are JB’s $40 Vibe Beam 2, which fit brilliantly, bring out some nice nuances in much music, boast batteries that last about six hours and only need about 15 minutes to recharge. That makes them satisfactory for long-haul flights, during which they drop a warmly enveloping cone of silence when active noise cancelling kicks in. My other pair are $100 Soundcore Space A40s (bought after destroying another pair). These buds have even nicer noise cancelling powers but fit terribly: I recently endured quite the scene when running to catch a bus and one dropped out of my ear and bounced into a shrub. The Soundcores redeem themselves with impressive microphones, so I use them when Zooming or recording a podcast. I prefer them to stay home because the case is bulbous and a little conspicuous in a front jeans pocket. The Dells are even bigger. They fit my ears well and battery life is strong at around eight hours. Active noise cancelling is poor: A high hiss persists in-flight and I perceived distracting artefacts when using them in noisy environments on the ground. Neither of my two PCs made a Bluetooth connection with the Dell buds. Dell has a fix for that – the buds’ case houses a small USB-C dongle devoted to connecting with the buds. It works every time and delivers a more stable connection than Bluetooth and brings out some musical nuances that I can’t hear with my other buds or desktop speaker. The dongle feels like a clue about how Dell imagines these buds will be used, because today's laptops seldom offer more than a pair of USB-C ports and they’re commonly used for power in and video out. Dedicating a port to earbuds seems wasteful … unless you’re using a Dell dock or monitor that offers more ports. The USB-C audio connector therefore made it hard to escape the idea that Dell expects these buds will almost always be sold as part of a corporate peripheral purchase. I can’t imagine consumers would prefer them to Apple’s AirPods, or the many cheaper earbuds that match them for performance. But if the boss decides your organization must have cloud-manageable earbuds it would be churlish to turn down the chance to use a pair of Pro Plus Earbuds for work and play. The experience of using them is in the name: they're built for the office but can handle after hours activities. They’re not delightful, but they’re far from trashy, annoying, or inconvenient. And when I inevitably lose or destroy my current buds I’ll be very happy if I have the Dells on hand. ®

The Linux 7.1 kernel has added new documentation clarifying what qualifies as a security bug and how AI-assisted vulnerability reports should be handled. Phoronix reports: Stemming from the recent influx of security bugs to the Linux kernel as well as an uptick in bug and security reports from discoveries made in full or in part with AI, additional documentation was warranted. Longtime Linux developer Willy Tarreau took to authoring the additional documentation around kernel bugs. To summarize (since the documentation is a bit too lengthy for a Slashdot story), the AI-assisted vulnerability reports should "be treated as public" because such findings "systematically surface simultaneously across multiple researchers, often on the same day." It adds that reporters should avoid posting a reproducer openly, instead "just mention that one is available" and provide it privately if maintainers request it. The guidance also tells AI-assisted reporters to keep submissions concise and plain-text, focus on verifiable impact rather than speculative consequences, include a thoroughly tested reproducer, and, where possible, propose and test a fix. As for what qualifies as a security bug, the documentation says the private security list is for "urgent bugs that grant an attacker a capability they are not supposed to have on a correctly configured production system" and are easy to exploit, creating an imminent threat to many users. Reporters are told to consider whether the issue "actually crosses a trust boundary," since many bugs submitted privately are really ordinary defects that belong in the normal public reporting process. All the new documentation can be read via this commit.

Read more of this story at Slashdot.

FEATURE Can digital sovereignty exist on American silicon? Europe is pouring more than €2 billion into sovereign cloud initiatives designed to reduce exposure to US legal reach. The EU's IPCEI-CIS program funds infrastructure development. France qualifies operators under SecNumCloud, a framework with nearly 1,200 technical requirements promising "immunity from extraterritorial laws." But most datacenters and qualified cloud operators still rely heavily on Intel or AMD processors. And inside those processors sits a computer beneath the computer: management engines operating at Ring -3, below the operating system, outside the control of host security software, persistent even when the machine appears powered off. Under the US Reforming Intelligence and Securing America Act (RISAA) 2024, hardware manufacturers count as "electronic communications service providers" subject to secret government orders. Europe's frameworks certify the clouds. They don't assess the silicon. The computer your OS can't see That computer beneath the computer has a name. On Intel processors, it is the Management Engine (ME), or more precisely the Converged Security and Management Engine (CSME). On AMD, it is the Platform Security Processor (PSP). Both run at what security researchers call Ring -3, below the operating system, below the hypervisor, in a privilege level the host cannot see or log. "It's a computer inside your computer," explains John Goodacre, Professor of Computer Architectures and former director of the UK's £200 million Digital Security by Design program. He is clear about what that means in practice. The ME has its own memory, its own clock, and its own network stack, and because it can share the host's MAC and IP addresses, any traffic it generates is indistinguishable from the host's own traffic to the firewall. The architecture is not theoretical. Embedded in the Platform Controller Hub, the CSME is a separate microcontroller that operates independently of the host, with direct memory, device access, and network connectivity the host operating system cannot monitor. AMD's PSP works the same way. Intel's Active Management Technology (AMT), the remote management feature the ME enables, exposes at least TCP ports 16992, 16993, 16994, and 16995 on provisioned devices. Goodacre notes that an attack surface exists on unprovisioned hardware too. These ports deliver keyboard-video-mouse redirection, storage redirection, Serial-over-LAN, and power control to administrators managing fleets of devices remotely. The capability has legitimate uses. It also provides a channel that operates at a level below what European sovereignty frameworks can attest. Microsoft documented in 2017 that the PLATINUM nation state actor used Intel's Serial-over-LAN (SOL) as a covert exfiltration channel. SOL traffic transits the Management Engine and the NIC sideband path, delivered to the ME before the host TCP/IP stack runs. The host firewall and endpoint detection saw nothing, and any security tooling running on the compromised machine itself was equally blind. PLATINUM did not exploit a vulnerability. It exploited a feature, requiring only that AMT be enabled and credentials obtained. In documented cases, those credentials were the factory default: admin, with no password set. Goodacre catalogues this and related scenarios in a 37-page risk assessment prepared for CISOs evaluating Intel vPro hardware connected to corporate networks. Its conclusion is blunt: connecting an untouched-ME device to corporate resources "exposes the organization to a class of compromise that defeats the host security stack in its entirety." The ME does not stop when the machine appears to. Users recognize the symptom: a laptop powered off and stored for weeks is found, on next boot, to have a depleted battery. On modern thin and light platforms, what Microsoft documents as Modern Standby means "off" does not correspond to "all subsystems unpowered." The system-on-chip components the Management Engine runs on remain in low-power states, drawing enough to drain a 55 Wh battery over weeks, on the order of 100-200 mW continuous draw. The implication is documented in Goodacre's risk assessment: "Whether the radio is in a Wake-on-Wireless-LAN listening state is firmware policy. On a device whose firmware has been tampered with during transit through the supply chain, the answer cannot be inferred from the visible power state." A laptop that appears off, in a bag, can associate with a hostile network the user has no knowledge of. Professor Aurélien Francillon, a security researcher at French engineering school EURECOM, has spent years studying exactly this class of problem. Working with colleagues, he built a fully functional backdoor in hard disk drive firmware [PDF], a proof of concept demonstrating how storage devices could silently exfiltrate data through covert channels. Three months after presenting it at an academic conference, the Snowden disclosures revealed the NSA's ANT catalogue, which documented an identical capability already deployed in the field. "The NSA were already doing it," Francillon says flatly. "Quite amazing." That background informs his assessment of the ME. "Yes, it can probably be used as a backdoor, like many other things, including BMC [baseboard management controller] and many other firmwares," he says. The question, he argues, is not whether the backdoor exists but whether operational controls make it unreachable in practice. AMD faces the same architectural question. On April 14, 2026, researchers demonstrated the Fabricked attack against AMD's SEV-SNP confidential computing technology, achieving a 100 percent success rate with a software-only exploit. The Platform Security Processor proved vulnerable to the same class of compromise. On server hardware, the picture is the same. Intel ME runs on servers under a different name, Server Platform Services or SPS, and the BMC, the remote administration controller standard in datacenter hardware, relies on it. "More or less the same," Francillon says of the server variant. For datacenter operators, he sharpens the focus further: "If I look at cloud systems, servers, I would be more concerned with the BMC," pointing to published research demonstrating remote exploitation of BMC vulnerabilities that could allow an attacker to reinstall or fully compromise a server. The BMC is not a separate concern from the ME: on server hardware, it is the primary network entry point into the SPS, making it both the most exposed interface and the most consequential. Both Intel and AMD processors contain management engines that operate below the operating system. The silicon is designed by American companies and subject to American legal process. The backdoor the CLOUD Act doesn't use That legal process has teeth that most European policymakers underestimate. The CLOUD Act, passed in 2018, gave US authorities extraterritorial reach to data held by American companies. FISA Section 702 allows intelligence agencies to compel US persons and companies to provide access to communications. Both are well known in European sovereignty discussions. They operate through the front door: a legal order served on a company that controls data. Less well known is RISAA 2024, a law that opens a different entrance entirely. RISAA amended FISA's definition of "electronic communications service provider" in ways that go beyond cloud operators and platform companies, and beyond the bilateral agreements that European policymakers have built their legal defenses around. Hardware manufacturers now fall within scope. Intel and AMD can be compelled, via secret orders with gag clauses, to cooperate with US intelligence access. The mechanism through which that access could be exercised is the management engine: a persistent, privileged, network-connected runtime that operates below anything the host operating system can see or block. A SecNumCloud-certified operator can be legally isolated from American data demands. The processor inside its servers cannot. "You've actually got a policy mechanism by which any such machine anywhere can deliver any of its information," Goodacre says. RISAA's two-year term expired on April 20, 2026, but Congress extended it by 45 days while debating reforms. Whether it is renewed, amended or allowed to lapse, the architecture it targets does not change. SecNumCloud's blind spot France's SecNumCloud is Europe's most rigorous attempt to build a cloud certification that is legally immune to American law. It did not emerge from nowhere. ANSSI, France's national cybersecurity agency, was established in 2009 as part of a broader effort to build institutional muscle on digital sovereignty long before the term became fashionable. When Edward Snowden revealed the scale of NSA surveillance in 2013, France's response was technical rather than rhetorical: ANSSI published the first SecNumCloud framework in July 2014. A decade later, that framework has grown to nearly 1,200 technical requirements. At the time, SecNumCloud was a cybersecurity qualification, not a sovereignty instrument: it set requirements for architecture, encryption standards, access controls, and incident response, but said nothing about who controlled the underlying infrastructure or whose laws applied to it. The CLOUD Act changed that. Passed in 2018, it gave American authorities extraterritorial reach to data held by US companies, and suddenly a French cybersecurity framework had a geopolitical dimension it was not designed for. Version 3.2, introduced in 2022, added Chapter 19: a set of explicit requirements targeting extraterritorial law, mandating that only EU operators could run the service, that no non-EU party could access customer data, and that the provider could operate autonomously without external intervention. It promised "immunity from extraterritorial laws." In December 2025, S3NS, a joint venture between French defense and technology group Thales and Google Cloud, operating Google Cloud Platform technology under French control, became the first "hybrid" cloud to receive SecNumCloud qualification. The certification triggered heated debate: was this real sovereignty, or American technology with a European flag? But the debate missed a more fundamental question. Does SecNumCloud's certification reach as far as the silicon it runs on? Francillon is positioned to see both sides of that question. He sits on the French Technology Academy's working group on cloud security, a body that advises on the technical foundations of frameworks like SecNumCloud. And he has spent years studying firmware backdoors in academic literature and demonstrated them in practice. He knows what the hardware can do, and he knows what the certification requires. His starting point is that SecNumCloud provides genuinely valuable protection, and that the silicon gap does not negate that. When asked whether SecNumCloud explicitly addresses Intel Management Engine or AMD Platform Security Processor vulnerabilities, his answer is unambiguous: "There is no direct requirement for firmware backdoor prevention." The framework is not designed to be a technical specification for hardware-layer security. "The document aims to be generic and not dive into technical details," Francillon says. "Most of it is organizational security." What SecNumCloud does require is that providers build a proper threat model, consider mitigation mechanisms, and monitor administration gateways where external tech support could be exploited. The hardware layer was not addressed by oversight. It was left out by design. Francillon's assessment is not a fringe view. Vincent Strubel, the director of ANSSI, the very agency that designed and administers SecNumCloud, is equally explicit about what the framework does and does not cover. In a January 2026 LinkedIn post addressing SecNumCloud's scope, he writes that all cloud offerings, hybrid or not, depend on electronic components whose design and updates are not 100 percent controlled in Europe. If Europe were ever cut off from American or Chinese technology, he argues, the result would be a global problem of security degradation, not just in hybrid clouds, but everywhere. Strubel frames SecNumCloud carefully: it is "a cybersecurity tool, not an industrial policy tool." It protects against extraterritorial law enforcement and kill-switch scenarios. It was never designed to eliminate technology dependencies at the hardware layer, and no actor, state, or enterprise fully controls the entire cloud technology stack anyway. One technology frequently cited in sovereignty discussions is OpenTitan, Google's open source secure element deployed on its server hardware and used within the S3NS infrastructure. Francillon is clear about what it is and, critically, what it is not. "OpenTitan is a secure element, a small chip on the side that can be used for protecting sensitive keys, providing signatures, making attestations," he explains. "It's a bit like a TPM." What it is not is a replacement for the main processor. "The Linux and all your applications will not run on it." OpenTitan sits alongside x86 infrastructure as an external root of trust, independent of the ME. That matters because the default embedded TPM lives inside the ME, making it subject to the ME attack surface. OpenTitan sits outside that boundary. The two address different problems entirely, and conflating them, as sovereignty advocates sometimes do, obscures where the residual exposure actually lies. ANSSI's own technical position paper [PDF] on confidential computing, published in October 2025, concludes that Intel SGX, TDX, and AMD SEV-SNP are "not sufficient on their own to secure an entire system, or to meet the sovereignty requirements of SecNumCloud 3.2." Physical attackers are "explicitly out-of-scope" of vendor security targets. Supply chain attackers are "explicitly out-of-scope." The ME attack surface discussed in this article falls into neither category: it is a remote network threat, not a physical one. The paper's conclusion for users concerned about hostile cloud providers is stark: "Switch to a cloud provider they trust, or use their own hardware with physical security protection measures." The castle with a structural flaw Francillon does not dispute that SecNumCloud leaves the ME unassessed. His argument is that this does not matter in practice. "What I mean is that if there is a backdoor to access a room, it cannot be directly used if the room is in a castle. You have to pass the castle walls first." Network isolation, monitoring, and threat modeling are the walls. SecNumCloud's operational requirements mandate that administration gateways be isolated, that external tech support be monitored, that network segmentation prevents lateral movement. The Management Engine backdoor may exist, but the framework makes it unreachable except in what Francillon calls "very high-end attacks." That qualifier matters. Francillon is not claiming perfect security. He is claiming that proper operational controls reduce the threat to a level where only nation state actors with significant resources could exploit it. For most threat models, he argues, that is sufficient. "Saying it is useless to do SecNumCloud because there is ME, or whatever backdoor in some hardware we don't control, is a mistake," he says. SecNumCloud improves security over deployments without such controls, he argues, provided that hardware is carefully evaluated and firmware securely configured. The castle walls have a structural flaw that Goodacre's risk assessment documents in detail. Corporate perimeter firewalls see the device's traffic, but because the ME shares the host's MAC and IP addresses, they cannot tell ME-originated flows apart from legitimate host traffic. "The perimeter cannot attribute a flow to host-versus-CSME origin without out-of-band knowledge," Goodacre writes. A TLS-encrypted tunnel from the ME to an attacker server on port 443 looks, to the perimeter, like any other HTTPS connection the laptop makes. Network filtering reduces attack surface. It does not eliminate the exposure. Goodacre's position is that a "Tier-3 supply-chain residual remains in both cases and is the irreducible cost of buying any silicon that ships with a Ring -3 manageability engine." He defines Tier 3 as nation state cyber services operating at the level of compromising firmware in transit, mis-issuing CA certificates via in-country authorities, and modifying hardware at customs or courier hubs. The NSA's Tailored Access Operations division treated supply chain interdiction as routine business, with explicit doctrinal preference for BIOS and firmware implants over disk-level malware. His risk assessment's data on fleet vulnerability is concrete. Industry telemetry from Eclypsium, analyzing production enterprise environments, found that approximately 72 percent of devices observed remained vulnerable to INTEL-SA-00391 years after public disclosure, and 61 percent remained vulnerable to INTEL-SA-00295. The same reporting documented that the Conti ransomware group developed proof-of-concept Intel ME exploit code with the intent of installing highly persistent firmware-resident implants. "Connecting an untouched-ME vPro laptop to corporate resources exposes the organization to a class of compromise that defeats the host security stack in its entirety," Goodacre concludes. "The exposed controls include BitLocker full-disk encryption, FIDO2-protected sign-in, endpoint detection and response, the host firewall and the corporate VPN." The disagreement between Francillon and Goodacre is not about whether the vulnerability exists. Both confirm it does. Both confirm AMD faces the same issue. Both confirm software alone cannot fix it. The disagreement is about whether operational controls, Francillon's castle walls, make an architectural backdoor irrelevant in practice, or merely reduce its exploitability while leaving nation state actors with a path through. For SecNumCloud operators processing sensitive government or commercial data, the distinction is not academic. It is worth noting that SecNumCloud is designed for a higher level of security than standard cloud certifications, but is not intended for classified or restricted government data. The threat that can still slip through Francillon's castle walls is precisely the threat SecNumCloud was designed to keep out. The gap nobody names Goodacre told The Register he tested awareness of the Management Engine with various attendees at the CyberUK conference in April 2026. "Almost no one" knew about it, he reports. The gap between the sovereignty rhetoric and the silicon reality is not being surfaced in policy discussions, procurement decisions, or public debate over what digital sovereignty means. The debate that does happen, hybrid versus non-hybrid, Google/Thales versus pure European providers, focuses on operational control and legal structure. It does not address the shared silicon foundation. Strubel's LinkedIn post pushes back against the framing: "Imagining this problem is limited to hybrid cloud offerings is pure fantasy that doesn't survive confrontation with facts." Every cloud provider, hybrid or not, depends on components they don't fully control. The distinction isn't hybrid versus sovereign. It is what you're protecting against, and whether the controls you're implementing address that threat. There is no immediate solution. RISC-V, the open source processor architecture European sovereignty advocates point to as a long-term alternative, remains years from competitive performance in datacenter workloads. "It will take decades," Francillon says flatly. Arm is a cautionary precedent: it took nearly 20 years from the first server attempts before Arm achieved any meaningful datacenter presence. Can sovereignty exist on compromised silicon? For Goodacre, the bottom line is simple: the Tier-3 supply chain residual is "the irreducible cost of buying silicon with a Ring -3 manageability engine." Francillon argues that operational controls, including network isolation, monitoring, and threat modeling make the backdoor unreachable except in very high-end attacks. Strubel acknowledges hardware dependencies are real but maintains that SecNumCloud provides valuable protection for what it does cover: legal control, kill-switch resistance, defense against cyberattacks and insider threats. The disagreement is not about technical facts. It is about risk tolerance and threat model calibration. For European CIOs choosing SecNumCloud-certified providers, the question to ask vendors is: how do you address Intel Management Engine and AMD Platform Security Processor in your threat model? The answer will clarify whether the vendor treats the hardware layer as out of scope, or has implemented controls that reduce but do not eliminate the exposure. For European policymakers, the question is broader. Can digital sovereignty exist on non-sovereign silicon? The current frameworks do not answer that question. They certify operational controls, legal structure, and autonomous execution capability. They do not certify silicon-layer immunity, because the hardware is American or Chinese, subject to American or Chinese law, designed with management engines that European authorities did not specify, cannot legally compel on their own terms, and cannot replace. Whether that is a gap worth addressing, or a risk worth accepting as the unavoidable cost of participating in global technology supply chains, is a question Europe will need to answer for itself. ®

Brits are now asking chatbots about mysterious lumps and weird rashes instead of calling their GP, which is probably not the digital healthcare revolution anybody meant to build. A new study from King's College London found that one in seven people in the UK have used AI instead of contacting a doctor or healthcare service, while one in ten said they had turned to chatbots rather than professional mental health support. Convenience was the biggest reason, cited by 46 percent of respondents, closely followed by curiosity at 45 percent. Another 39 percent said they used AI because they were unsure whether their symptoms were serious enough to bother a GP in the first place. The report, based on a survey of more than 2,000 adults, suggests that AI systems are quietly becoming Britain's unofficial second-opinion service while regulators are still arguing about what counts as "AI-enabled healthcare" in the first place. However, some respondents said the chatbot conversations ended up replacing medical care altogether. Around one in five respondents said chatbot advice discouraged them from seeking professional help, and 21 percent said they skipped contacting a healthcare provider because of something the AI told them. Public confidence in AI healthcare also looks shaky. The survey found Britons are almost perfectly split on whether AI should be involved in clinical decision-making, with 37 percent supporting its use and 38 percent opposing it. Safety and accuracy worries topped the list of public concerns about NHS AI use. Women, in particular, were less comfortable with the idea than men, and far more likely to say patients should be told when AI is involved in their care. Oddly, younger adults were among the most skeptical. Nearly half of 18 to 24-year-olds opposed clinical AI use, compared with 36 percent of people over 65. The public also appears to think AI has already taken over GP surgeries to a much greater extent than is the case. Respondents guessed that around 39 percent of GPs use AI in clinical decision-making, when the actual figure is closer to 8 percent. Professor Graham Lord, executive director at King's Health Partners, warned that responsibility for AI mistakes often lands on clinicians even when they have little control over the systems being deployed. "When something goes wrong with AI, responsibility is often placed on clinicians, even where they have limited control over how AI tools are introduced," Lord said. Which sounds suspiciously like someone in healthcare has already seen the incoming paperwork. ®