Linux news

Grafana Labs admits all its codebase are belong to someone who popped its GitHub account

TheRegister - 11 hours 47 min ago
Observability outfit Grafana Labs has revealed that an attacker accessed its GitHub repository and stole its codebase.

In social media posts the company blamed the situation on an “unauthorized party” who was somehow able to obtain a token that offered access to its GitHub environment. The company thinks it has identified the source of the credential leak, and therefore “invalidated the compromised credentials and implemented additional security measures to further secure our environment against unauthorized access.”

But that didn’t stop the attacker from threatening to release the company’s code unless Grafana paid a ransom. Grafana says it won’t pay.

“Based on our operational experience and the published stance of the Federal Bureau of Investigation, which notes that ‘paying a ransom doesn't guarantee you or your organization will get any data back’ and only ‘offers an incentive for others to get involved in this type of illegal activity,’ we have determined the appropriate path forward is to not pay the ransom,” the company wrote.

It’s not clear if that stance is entirely principled, because plenty of Grafana’s products are already open source. The company’s posts suggest that the attacker accessed code that is not freely available. The Register has sought clarification about just what the attacker accessed, because if they lifted code that’s mostly already open source there’s little reason for Grafana to pay a ransom!

Grafana’s decision not to pay may also be easier than it is for other victims of cybercrime because the company says it “determined that no customer data or personal information was accessed during this incident, and we have found no evidence of impact to customer systems or operations.”

The company therefore appears confident that whatever code the attackers downloaded won’t make a material difference to its business, or harm customers. The same couldn’t be said for educationware giant Canvas, which last week paid extortionists after they claimed to have stolen data describing over 275 million students and faculty.

The Register will update this story if we receive additional information from Grafana Labs. ®
Categories: Linux news

Linus Torvalds: AI-Detected Bug Reports Make Kernel Security List 'Almost Entirely Unmanageable'

Slashdot - 14 hours 12 sec ago
Today Linus Torvalds announced another Linux release candidate on the kernel mailing list. But he also highlighted "documentation updates" to address a new problem. "The continued flood of AI reports has basically made the security list almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools." (The new documentation says the security team has found "bugs discovered this way systematically surface simultaneously across multiple researchers, often on the same day.")

TORVALDS: People spend all their time just forwarding things to the right people or saying "that was already fixed a week/month ago" and pointing to the public discussion. Which is all entirely pointless churn, and we're making it clear that AI-detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved — and only makes that duplication worse because the reporters can't even see each other's reports. AI tools are great, but only if they actually help, rather than cause unnecessary pain and pointless make-believe work. Feel free to use them, but use them in a way that is productive and makes for a better experience. The documentation may be a bit less blunt than I am, but that's the core gist of it.

The new documentation offers this overview. "It turns out that the majority of the bugs reported via the security team are just regular bugs that have been improperly qualified as security bugs due to a lack of awareness of the Linux kernel's threat model."

"So just to make it really clear," Torvalds said at the end of his post. "If you found a bug using AI tools, the chances are somebody else found it too.

"If you actually want to add value, read the documentation, create a patch too, and add some real value on *top* of what the AI did. Don't be the drive-by 'send a random report with no real understanding' kind of person. Ok?"


Samsung’s weather app sparks storm of controversy by handing territory to North Korea

TheRegister - 14 hours 47 min ago
Samsung found itself facing down controversy in South Korea last week, when the weather app pre-installed on many of its devices incorrectly labelled an island territory named Dokdo as part of North Korea.

Dokdo is a group of volcanic islets that is the subject of a territorial dispute between South Korea, North Korea, and Japan. Netizens were therefore outraged by a champion of South Korean industry handing the islands to foes in North Korea. Mislabelling the map was therefore sufficiently controversial that Samsung quickly pushed an update to fix the error – and blamed data from The Weather Channel as the source of the mistake.

While we’re talking about islands …

The Federated States of Micronesia, the Republic of Kiribati, and the Republic of Nauru last week connected to the world over a submarine cable for the first time. The three Pacific island nations hooked up to the East Micronesia Cable System, which NEC Corporation built and last week handed over to telecoms companies in the three nations. The cable can carry 100Gbps to each country where it lands, and has capacity to reach 10 Tbps. The three nations are collectively home to around 100,000 people. The governments of Australia, Japan, and the USA funded construction of the cable as part of ongoing diplomatic efforts to woo Pacific nations at a time China is also active in the region.

Bitdefender spots alleged Chinese attack on Azerbaijan

Antivirus vendor Bitdefender last week published what it says is evidence of a China-backed “multi-wave intrusion targeting an Azerbaijani oil and gas company from late December 2025 through late February 2026.” Bitdefender linked the attacks to the resurgent FamousSparrow crew, which apparently deployed “an evolved DLL sideloading technique” to drop the Deed RAT and Terndoor backdoors. The company’s researchers think attackers targeted a vulnerable Microsoft Exchange server.

Senior security researcher Victor Vrabie suggested the attack is a sign that Russia and China are both trying to gain a foothold in Azerbaijan’s energy infrastructure, to gain leverage over energy supplies to Europe. The central Asian nation is a major oil and gas producer, and exports much of its output through pipelines that reach Turkey and Georgia. The importance of those routes has grown thanks to slowing gas exports from the Middle East.

China seemingly shuns Nvidia to focus on its own alternatives

The United States has allowed several Chinese companies to acquire Nvidia’s H200 accelerators, but Beijing won’t let local buyers do the deed. That’s the washup of President Trump’s visit to China last week, during which US authorities reportedly issued licenses allowing Nvidia to sell its wares to Chinese tech companies including Alibaba, Tencent, ByteDance and JD.com. But President Trump later remarked that China has not allowed its tech companies to buy H200s “because they chose not to, they want to develop their own.” That’s perhaps the strongest signal yet that China has decided to decouple from foreign tech stacks.

Bottom drops out of India’s smartphone market

Analyst firm IDC last week reported that smartphone shipments in India slumped by 4.1 percent in the first quarter of 2026. IDC said that subdued result would have been worse had brands not decided to front-load channel inventory before the cost of smartphones rises due to the soaring cost of memory. The firm said the result “signals a structural turning point for one of the world’s largest smartphone markets” because device-makers who sell entry-level devices “face shrinking margins and reduced market viability as memory costs continue to rise.” When consumers who buy sub-US$100 phones do upgrade, they “are being pushed upmarket by necessity rather than aspiration” – meaning demand is muted and will likely remain so for quite some time. ®

America's Library of Congress Officially Inducts... the Soundtrack for the Videogame 'Doom'

Slashdot - 16 hours 12 sec ago
America's Library of Congress "is preserving a little piece of Hell," jokes Engadget, "by inducting the soundtrack to the original Doom into the National Recording Registry." The album of demon-slaying tracks is joined by several other notable 2026 additions to the registry, like Weezer's self-titled debut album (colloquially known as "The Blue Album"), Taylor Swift's "1989," Beyonce's "Single Ladies (Put a Ring On It)" and the original "Mambo No. 5."

"Doom" was created by Bobby Prince, a freelance composer who worked on lots of id Software games, and also scored Doom's '90s rival Duke Nukem 3D. The soundtrack draws clear inspiration from metal bands, but also touches on techno and ambient music throughout its track list, making for an eclectic soundscape for tearing through enemies. That it all fits together is also impressive in its own right: All of the music for Doom was written before the game had completed levels to play through, according to Prince.

The official announcement from the Library of Congress says Doom "brought a heavy metal energy to MS-DOS systems across the globe," while also pioneering first-person shooter videogames. "Key to Doom's popularity was the adrenaline-fueled soundtrack created by freelance video game music composer Bobby Prince. Prince, a lifelong musician and practicing lawyer, was fascinated by the MIDI technology that rose in prominence in the mid-1980s as a means for instrument control and composition... For "Doom," Prince took inspiration from a pile of CDs loaned by the game's chief designer, John Romero, including seminal works by Alice in Chains, Pantera and Metallica. Despite the limitations of the 1993-era sound card drivers, Prince composed the perfect riff-shredding accompaniment for the game's demon-slaying journey to hell and back. Taking advantage of his knowledge of MIDI, Prince even worked to ensure that the sound effects he created could cut through the music by assigning them to different MIDI frequencies."


Former Google CEO Eric Schmidt Booed During Graduation Speech About AI

Slashdot - Sun, 2026-05-17 23:46
Today former Google CEO Eric Schmidt "was booed multiple times," reports NBC News, "while discussing AI during a commencement speech at the University of Arizona." Schmidt had started by remembering how computer platforms "gave everyone a voice" but also "degraded the public square... They rewarded outrage. They amplified our worst instincts. They coarsen the way we speak to each other, and that way, and in the way that we treat each other, is in the essence of a society." But then Schmidt "drew a parallel between artificial intelligence and the transformative impact of the computer — and was immediately met with boos." "I know what many of you are feeling about that. I can hear you," Schmidt said, addressing the crowd as many continued to boo him. "There is a fear ... there is a fear in your generation that the future has already been written, that the machines are coming, that the jobs are evaporating, that the climate is breaking, that politics is fractured, and that you are inheriting a mess that you did not create, and I understand that fear." He went on to argue that the future remains unwritten and that the graduating class of 2026 has real power to shape how AI develops — a claim that drew further disapproval from parts of the audience... He closed by congratulating the class and offering them closing words. "The future is not yet finished. It is now your turn to shape it." 404 Media shared a video on YouTube of the crowd's booing — and what Schmidt said that provoked them: SCHMIDT: "If you don't care about science that's okay because AI is going to touch everything else as well. [Very loud booing] Whatever path you choose, AI will become part of how work is done..." "You can now assemble a team of AI agents to help you with the parts that you could never accomplish on your own. [Loud booing] When someone offers you a seat on the rocket ship, you do not ask which seat. You just get on... The rocket ship is here."


Linus Torvalds says AI-powered bug hunters have made Linux security mailing list ‘almost entirely unmanageable’

TheRegister - Sun, 2026-05-17 23:39
Linux kernel boss Linus Torvalds has declared the project’s security mailing list has become “almost entirely unmanageable” due to multiple researchers using AI to find bugs and then filling the list with duplicate reports.

Torvalds used his weekly state of the kernel post to deliver release candidate four for Linux 7.1 and report “fairly normal” progress towards a full release. He then pointed kernelistas to the project’s documentation, which he wrote “might be worth highlighting” as “the continued flood of AI reports has basically made the security list almost entirely unmanageable, with enormous duplication due to different people finding the same things with the same tools.”

“People spend all their time just forwarding things to the right people or saying ‘that was already fixed a week/month ago’ and pointing to the public discussion,” Torvalds complained.

The Penguin Emperor believes that kind of chatter is “all entirely pointless churn” and isn’t productive because “AI detected bugs are pretty much by definition not secret, and treating them on some private list is a waste of time for everybody involved – and only makes that duplication worse because the reporters can't even see each other's reports.”

He then offered an opinion on how best to use AI to improve software security.

“AI tools are great, but only if they actually help, rather than cause unnecessary pain and pointless make-believe work,” he wrote. “Feel free to use them, but use them in a way that is productive and makes for a better experience.”

“The documentation may be a bit less blunt than I am,” he added, “but that's the core gist of it.”

“So just to make it really clear: If you found a bug using AI tools, the chances are somebody else found it too. If you actually want to add value, read the documentation, create a patch too, and add some real value on *top* of what the AI did. Don't be the drive-by ‘send a random report with no real understanding’ kind of person. OK?”

Torvalds' remarks contrast with recent comments from fellow kernel maintainer Greg Kroah-Hartman, who recently told The Register that AI has become an increasingly useful tool for the FOSS community. ®

Surprise AI bills leave AWS and Google Cloud users aghast

TheRegister - Sun, 2026-05-17 23:00
KETTLE Hopefully you haven't had reason to notice yet, but there's a rising problem with AI services on Google Cloud, AWS, and other platforms sticking their customers with bills in the tens of thousands of dollars. This week's episode of the Kettle focuses on two such stories that The Register published this week, one concerning Google and another involving AWS. In both cases, cloud customers using AI incurred massive bills without any prior notification from their provider and not a lot of help to resolve the matter with any sense of urgency. Tune in to this week's episode to hear host Brandon Vigliarolo chat with O'Ryan Johnson and Richard Speed about their stories, what's causing these massive bills, and how you can avoid a similar situation at your own organization. You can listen to The Kettle here, as well as on Spotify and Apple Music, or read the transcript of the latest episode below. It's been lightly edited for clarity. Brandon (00:01) Hello everyone and welcome back to another episode of The Register's Kettle podcast. I'm Reg reporter Brandon Vigliarolo, and this week I'm joined by my colleagues Richard Speed and Kettle newcomer O'Ryan Johnson to talk about a recent spike in cloud AI API abuse that's sticking customers with some massive charges. We're talking tens of thousands of dollars that Google is seeming to...try hard not to refund. Guys, thanks for coming on. O'Ryan Johnson (00:29) Great to be here. Brandon (00:30) And O' Ryan, welcome again to your first Kettle episode. Glad to have you here. So in this case, this one is primarily based on an exclusive you published this week about compromised Google Cloud API keys. And from what I read, it seems like cyber criminals are using those keys to run all the AI inference they want on most expensive models that Google has without paying a dime. So walk me through what exactly this story's about. O'Ryan Johnson (00:33) So there were a couple parts of this. One is the API abuse. 
But then there was this policy by Google that kind of threw gasoline on the fire. So if you're a developer and you've created an API key for your projects, if your project uses Maps, you'll create an API key. And for years, the advice from Google was put that API key on the front end of that, make it public so that when users are using your site, it links back to your project. The problem was a couple years ago, they allowed those API keys, if they were configured correctly, to also access Gemini. And a lot of folks who were early adopters of AI went in and said, okay, I want to use Gemini with my project. And not really connecting the dots that their API key on the front end that was publicly available would now also allow anybody to inference Google's Gemini platform. And it wasn't a big deal, I think, for a lot of years because I don't think the platform was really that amazing. Brandon (02:01) Yeah, because you said this is a three year old change, right? O'Ryan Johnson (02:22) But recently...Nano Banana and the Veo 3 models came out. And that's when I think we started to see a lot of this. This great security company named Truffle wrote something about this in February saying, look, be careful because if you've put your API key out according to Google's instructions, and if you've also been working with Gemini models, there's a chance that you may have inadvertently opened up your API key to anybody to be able to inference [Veo] and NanoBanana to their heart's content. Brandon (02:40) And specifically a Maps API key, right? Okay, O'Ryan Johnson (02:51) Correct. Which again was, was Google had told everybody for quite a while was safe. 
And so, what happened kind of inevitably is folks were bad actors were in fact using that for for those purposes So you'd have these you know sort of like horror stories of waking up in the morning and seeing your Google account Which you maybe you never spent more than fifty dollars a month, all of a sudden you have a $3,000 bill, $5,000 bill. I talked to a guy who got a notification from his credit card company that "Hey, we're basically we're shutting off your account because you spent too much," and he's like "What the hell is going on?" And as he's in there trying to figure it out he sees the bill keeps going up.... Brandon (03:26) ...I think you mentioned basically that where this is, how you figure this out, is kind of buried, right? It's hard to find, right? So as he's looking, trying to frantically figure out what's happening, more charges are being added. I couldn't imagine waking up in the morning to that kind of scenario. O'Ryan Johnson (03:36) It's a rough, rough way to start the day. It's really tough. Brandon (03:50) So that's the first part, right? So what's the second part then? O'Ryan Johnson (03:52) So, right, that's the first part. The second part is that, you know, this happened to people who had spending caps in place. And Google has only recently put spending caps in place, but they're really loose caps. I talked to a developer in Australia who said, "Look, I put a $250 spending cap in place. And when I woke up, I had a $10,000 bill." ...And he said, "When I was going to going through afterwards, I looked and I said my spending tier was at the $100,000 limit. And I said, how does it happen?" Well, if you look like Google was actually very upfront about this. In March, they put out a blog and said, "Hey, we're going to help you out. 
If you've only got a $250 spending cap, if you spent $1,000 in the lifetime of your account and you've been a Google member for 30 days or more, a Google Cloud developer for 30 days or more, you can spend $100,000." Brandon (04:47) And there's no notification to the user accounts that this is being done? O'Ryan Johnson (04:50) Except for the emails that say this is how much you owe us, which is all after the fact. Brandon (04:57) And if you're less than 30 days, right, it's moving to tier two is, I think, what's the cap on that? O'Ryan Johnson (05:01) Two thousand dollars. Brandon (05:04) But even then, it's spend a hundred bucks in the lifetime of your account? O'Ryan Johnson (05:06) A hundred dollars and be three days old, and Google will give you a $2,000 cap to spend. Those are the most generous terms – you guys have been around IT for years, what distributor would ever give you terms like that like if you went to TD Synnex or if you went to Ingram Micro and said, "Hey, I'm 30 days old and I've spent $1,000. I would like $100,000 in credit with you." They would laugh . Brandon (05:13) They would laugh you out of the office and then maybe close your account. O'Ryan Johnson (05:37) Yeah, even the best distributor in the world is not going to give you those terms, but Google's opened that up. And then of course the problem is trying to get that money ... trying to get your account restored. like in two of the cases, the money had already been spent. So the credit cards, one was $17,000, one was $10,000. The money was already out of their account and they have this project. If they charge it back, they're afraid that Google's going to shut down their project and delete it. If they stick with the bill, then they're stuck with this debt that is obviously outside the bounds of any budget that they had set for their Google Cloud project. Brandon (06:12) Yeah, for a small developer that can be devastating. O'Ryan Johnson (06:15) Right. Right. 
So Google, though, we do have an update coming today. Google has refunded the two people we talked about and looked in their account. It looks like they're kind of going after this with more accounts too, based on what I've talked to with Google, they're going to look at a lot more of these issues...This didn't come to me in a vacuum. I mean, this this was on these posts have been kind of flooding Reddit. If you go to the Google Cloud subreddit there, you you pretty much don't go, there's two or three a day that are popping up saying, "Hey, my gosh, I've got $10,000. I got $7,000 in bills. Like I only ever spent, you know, $50 with these folks. How am I getting these bills?" Brandon (06:57) Right, so it's kind of a two-part story here. The automatic tier upgrades are obviously a problem, but are all these cases that you're seeing, are they tied back to the Truffle notice? I mean, these are all Maps API keys? O'Ryan Johnson (07:02) Not all of them. Some people say like, "Look, I never put my API key out publicly." And I talked to a guy yesterday who said, "Look, my API key has been hidden from everybody. I think I got brute forced." ....I don't possibility or the probability of being able to brute force an API key, they're huge, long chains of numbers and texts. Probably not impossible...But this guy, his bill was $127,000, which is just a huge, huge amount. Brandon (07:40) God that is so that is so much money that's ridiculous. Ten thousand dollars is bad enough add another zero to that and oh my God. O'Ryan Johnson (07:51) That's rough. Fortunately, he caught it before...That bill only exists with Google. Fortunately, the good side is, it's not in his credit card. So he doesn't have to try to pay that back. The bad news is, his Google project is looking at a possible deletion if he can't convince Google that, "Look, this wasn't me, this was really somebody else who brute-forced my API." Brandon (08:15) I'm guessing proving that is pretty difficult. 
O'Ryan Johnson (08:17) Well it's difficult, what makes it difficult is he no longer has access to the logs because he hasn't paid the account, so now he has to rely on somebody at Google to go through those logs and make his case for him. Brandon (08:34) When there's $100,000 on the line. O'Ryan Johnson (08:36) When there's 127 on the line. That's a gamble. That's a gamble. Brandon (08:43) So this is bad enough, but as I understand, Richard, Google's not the only company being a bit shifty with their AI billing. You wrote a story this week about an AWS customer who was billed $30,000 despite supposedly having a setting enabled to prevent this. So what's this all about? Richard Speed (08:50) It's kind of almost a cautionary tale in some ways. Again, we've talked about Google, there's also, this is AWS. And this is a user who was using AWS Bedrock. He wanted to take Claude Opus out for a spin, try it out. He had some startup credits fired by Activate. All great. Now he was using a tool called the AWS Cost Anomaly Detection Tool. What that does, that actually sends you alerts if you're doing some odd things and your account is incurring additional costs, and as well as using AI machine learning, you can also set some custom thresholds... "If I spend more than this then stop or shout at me or whatever Brandon (09:39) Yeah, cut me off. Yeah. Richard Speed (09:45) So he thought, "Great, I've got that, what could possibly go wrong?" And so he began to use his AWS Bedrock and no alerts were fired, all was good until about a month after he began using it he got a bill for $30,000 or $38,000 through where he was expecting hundreds. And the reason being was that AWS Bedrock apparently bills through AWS Marketplace, and that is not compatible with the cost anomaly detection. Brandon (10:06) So Marketplace is where you can pick up third party integrations for AWS, right? Richard Speed (10:17) Right, and that's where AWS Bedrock was being billed, was basically invoiced through. 
And to be completely fair to AWS, that is documented. It is in the documentation, "This will happen." So, hence the cautionary tale aspect. But again, I've had a few people say, actually it's pretty unintuitive, this. You kind of would assume it's being caught and it wasn't caught. And so this is gone through. Now, unfortunately, at the moment, I don't think there is the happy ending about a refund. If and when I get more information, I willupdate. But the cautionary tale aspect is, I've heard from somebody else who said, yeah, similar sorts of things can happen. So I tend to go through directly through the AI provider. In this case, it's Anthropic. And there again, you can put limits in place. And those limits did save this particular person from a $50,000 mistake. And he only ended up paying $50 because he'd accidentally turned on a thing which enabled a lot more invoicing to happen, and of course it was stopped before it got out control. Brandon (11:25) I'm assuming a lot of customers, with the way they have their architectures and their infrastructure set up and their various providers, I mean, is it going to be simple for a lot of businesses to say, I'm going to skip AWS and go straight to the AI company itself? I mean, that seems like it might work in some cases, right? But a lot of people are going to be trying to integrate these. And so they're going to have to go through things. So does Cost Anomaly Detection function only with first-party Amazon products then basically? Anything in the Marketplace that you're pulling from a third-party provider doesn't get included in this? Richard Speed (11:59) Yeah, I believe so. Yeah, it's just through AWS services except for Marketplace stuff. But there are other checks and things in place in AWS. It's just in this instance, the expectation was if I'm using Cost Anomaly Detection, it should stop me running up a massive invoice or running up a massive bill using AWS Bedrock. In this case, it didn't. 
It was completely silent as the thousands and thousands and thousands began to rack up on the account. Brandon (12:05) And even, I think you wrote, even when his credits ran out. Like, he ran out of credits and switched to cash billing and there was no notice. Richard Speed (12:29) Exactly. It suddenly went from from credits to cash billing again with no notification or warning. It just happened. And so again, his account began to incur these charges. And so he didn't realize until the invoice came through. "Oh, my goodness me. How terrifying is this?" As as Ryan said, it's quite a shock when when you're used to a small amount per month and then suddenly a massive invoice comes through. O'Ryan Johnson (12:53) One thing that is kind of universal across this that one of these users pointed out, is that the most frustrating part is that they have the information. They can see what you're doing in your account and they don't stop it. All this information that we're talking about, whether it's your usage, whether it's your billing, all that stuff is within the four walls of, whether it's Google or AWS and they, whether it's intentionally or unintentionally – we live in this era where everybody talks about immaculate orchestration across all their environments, right? Like, I mean, if you're in SaaS, that's all you hear is about how amazing and perfect their SaaS products are. And we just don't see that in practice. You don't see that orchestration, and you certainly don't see it if it can ever give the user an advantage, or if it can ever give the user the ability to control how much they spend. Like if a user could shut off – if there was a notification that came in and said, "Hey, did you know that you're on Veo right now and you're generating videos? Would you like to shut that off?" Think about your credit card company. If I go one county over and I spend $10 at a Target, I'll get an alert from my card company. "Hey, are you sure?" 
Are you telling me, Google and AWS, that you can't do that? Like, don't give me that. I mean, this reminds me like when the banks in the US had overdraft fees, they used to – they could see how much money you had in your account. They would gladly let you spend much more than that so that they could fine you for every transaction. And so it was very similar. You'd open up your bank account and see like, I'm $800 in debt. So that was eventually determined to be, hey, that's an aggressive, that's not a good policy. We shouldn't allow people to do that. And I just wonder if, I wonder if there's gonna be some sort of trade regulation that kicks in on this. Brandon (14:26) I mean, it almost feels like there has to be. What we have in these two stories this week is multiple cloud platforms making their AI billing usage or usage billing so convoluted that a non-trivial number of customers are seeing their bill skyrocket, whether both due to cybercrime or simply the fact that Cost Anomaly Detection on AWS isn't very well-defined on the Marketplace, right? You're seeing multiple companies this is happening to, right? Again, O'Ryan, you kind of went right to the, the conspiracy theory, but that's where my mind goes too, this seems really convenient. Google's move in March. All these kinds of things are very well timed to ensure that companies that are adopting AI are being left with this ambiguous billing situation. Richard Speed (15:35) I mean, if only there was a tool that could spot strange patterns in data and frames. I mean, what would that look like? [Laughter.] Brandon (15:43) Yeah, I don't know. ⁓ There's no way, there's no way that ⁓ Google and AWS don't see this usage or can't monitor it. Can't pop a large language model on there to keep an eye out for ⁓ unusual billing and notify people. 
Like you said, if you never use [Veo] or never use NanoBanana and all of a sudden your account's racking up thousands of dollars of charges on it, Google should probably say, "Hey, is this you?" Right? Like, you know, that would be, I would hope that would happen. Right? You know, it's like you said, right? Your bank, Target will know, or your credit card company will notify if you spend things a county over. Right? If I try to log into a video game online from a different IP address, it locks me out and makes me approve it. Right? Like this is not a complicated technology here.

O'Ryan Johnson (16:32) No, think about the user agreements that we have like with all of our subscriptions like you know like Netflix. If my kid tries to log into my Netflix from where they live, they can't, and I get these notifications from Netflix, "Hey do you want to add somebody on your account?" Like don't tell me that you can't do that, Google. And Google actually says that between the usage and the spend, they're better than AWS when it comes to being able to spot this. But it's like, it's still something like 28 days to be able to reconcile usage with spend. And that just does not make any amount of sense.

Brandon (17:16) It takes Google 28 days?

O'Ryan Johnson (17:18) They're pushing people into these products. They're pushing, they want you to use these products. They want developers to, they want to be able to say, we have X number of developers who are using this. We have X number of spend. All of those hijacked API keys are inevitably helping marketing for Gemini. Just through sheer usage numbers, through sheer revenue and dollar spend, that drives a narrative that they can then, you on the quarterly earnings call say, "Hey, look at all these people using our product. Look at all the spend on [Veo]. Look at all the spend on Banana." Come on, you guys, you got to make it fair for the rest of us, man.
Brandon (17:59) I'm just gonna toss it allegedly in there before Google comes after us, right? You know. We don't know for sure that this is what they're planning, but it sure seems, the ducks do line up, right? So guys, are you familiar? Do you know, are any other cloud platforms...are there similar issues on Azure, on other platforms? Have you heard anything? Or does this seem to be mainly confined right now to Google and AWS?

Richard Speed (18:11) There have been some issues on Azure. I read a piece, oh crikey, several weeks, maybe even months ago now, regarding a similar thing to what's happened with AWS with a user who had, he hadn't realized that his startup credits didn't count towards AI usage. And then he found himself hit with a massive invoice because again, Microsoft just quietly said, "Yeah, sure. You want that service? No problem. Here you go. Use it." And so he used it and then the huge invoice came through. I think... I think it's important to point out that these companies, they're not doing anything wrong legally. Ethically, I'm with O'Ryan, they should be warning you to say, "Hey, you know, you're spending way more now than you ever used to before. These services that you've never used before, are you sure you want to be doing that? Are you sure about that?"

Brandon (18:51) I was talking to my wife about Google before we started the podcast, right? Because when we were talking about the topic for this week, and I think Matt, our editor in chief said, "AI overage charges." I was like, "What? This is going to be a boring episode." And then I got to actually reading these stories and I'm like, "Oh my God, this is really interesting." My wife's like, "Surely this is illegal." I'm like, "I don't know, if it's in the terms of service, right? You know? Yeah."

O'Ryan Johnson (19:23) It's like the South Park episode.
Richard Speed (xx:xx) I think another aspect of this is there's a perception that AI services are inexpensive and you won't run up these massive costs. One thing I've come across a few times are companies saying, "Hey, we can increase the productivity of our staff enormously because we can roll out these AI tools and our employees can use them and they'll be massively more productive and it'll be great." They're forgetting that of course there is a cost to that. And I think what we're seeing here are people hitting these costs. So I think that the message has got to be, you need to be – I mean, until these companies actually put in warnings to say, you know, perhaps make it very clear how much this stuff is really costing, I think you need to be aware that this isn't a free service, you know, it's going to be paid for somehow.

Brandon (xx:xx) I guess that's kind of the big warning to businesses, right? Or AI users, anyone who's using AI in the cloud in general, it's like these things are not free. Yeah, sure, you can use ChatGPT for free if you're, you know, some random person logging into the website. But if you want to go enterprise with this or use it in any kind of business capacity, it's going to cost you money and potentially a lot of it. So Richard, you said that it looks like the AWS user might be a little bit hosed on getting a refund. Do you know is Amazon – did you talk to Amazon for the story? Do they have any intention to change the marketplace versus non-marketplace CAD policy?

Richard Speed (xx:xx) They did respond, and at the moment there's no plans to change it.

O'Ryan Johnson (xx:xx) Google is also, they're sticking by their automatic tier upgrades. They like the flexibility that it gives to developers. Flexibility, of course, meaning that developers can spend a lot more than they initially wanted to, or agreed to.

Brandon (xx:xx) It's a very one-sided flexibility, really, when you think about it.
O'Ryan Johnson (xx:xx) In fairness, we are kind of helping at least notify people that this could happen. This is something that is really happening to people and their bills really do become five-figure, in some cases six-figure bills at the end of the month through no intention of their own.

Brandon (xx:xx) Yeah, so I guess basically the big, yeah, like we said, the big takeaway for business AI customers is to just really watch that billing, be sure that whatever system you have in place to prevent overages is actually doing its job, and hide those API keys. Well, like we said, guess this is just a cautionary tale, you know, to watch that billing. So if this keeps happening, we are definitely going to be talking about it and writing about it again. And we hope that you will tune in on a future episode of The Kettle to find out more. ®

Small Town Fights Over Flock's AI-Enhanced Network of License Plate-Reading Cameras

Slashdot - Sun, 2026-05-17 22:39
160 miles north of New York City, a man was convicted of manslaughter "with the help of license plate reader technology," reports a local news station. In the small town of Troy (population: 51,000), the mayor described the cameras as "a critical tool" in that investigation. But locals and city officials "have raised concerns about who can access the data collected locally, along with data security, privacy invasions and use by federal authorities, including U.S. Immigration and Customs Enforcement," reports WNYT: When Troy's contract came up for renewal, Mayor Carmella Mantello wanted to keep paying Flock and the council paused payments. The mayor then issued a public safety emergency declaration to keep the license plate readers active. The council has filed a lawsuit to overturn that..."If this illegal emergency order is left unchallenged, we give this mayor and any future mayor regardless of their political party or ideology, unchecked authority to issue an emergency declaration whenever they disagree with the council on any issue," [said Troy council president Sue Steele]. "The technology that's in place today is not the technology of six years ago," council president Steele told another local news station. "We have AI, we have rapidly changing and advancing technology. So that begs the need for regulations to protect certain data." The American Civil Liberties Union warns that Flock will use AI to let law enforcement search its trove of videos. But "Listen, if it was infringing on people's rights, people's liberties, we'd be the first to get rid of it. We have safeguards in place," [mayor] Mantello responded. Mantello noted that data captured by Troy's Flock cameras is only being shared with other local municipalities. Steele said the data had been shared nationally until she and other elected officials raised concerns. "As far as sharing with local law enforcement, that's necessary in the normal course of investigations.
The concern is what Flock does with this data: sharing it with ICE, for instance, and other nefarious outlets," Steele said. As the debate continues over the small city's 26 Flock cameras, a columnist in Albany wrote that "it's a good thing. We should be asking questions about the growing surveillance state. We should be debating whether this is the future we want." As the American Civil Liberties Union noted, [Flock] has quietly built a broad mass-surveillance infrastructure, with cameras installed in 5,000 communities around the country, and is continually expanding how that network is used. Did we ask for that? Did we vote for it? Not really. The cameras have been installed in municipality after municipality, mostly with little discussion or controversy, which makes us like the proverbial frogs who didn't notice the water getting warmer until it was boiling. Suddenly, surveillance cameras are everywhere; we're always being watched... [T]he City Council's Democratic majority is considering legislation that, among other steps, would require that data collected by the cameras be generally deleted after 48 hours and that the city be more transparent about how the cameras are used. The controversy and pushback continues to draw local coverage. The mayor complains the proposed rules restrict the cameras "almost exclusively to cases involving individuals with outstanding felony arrest warrants or situations where officers can determine in advance that an incident will result in a felony charge... This is beyond reckless." But the Albany columnist still argues many of America's Flock cameras are unnecessary and are "being installed just because... It's worth considering where this might lead and whether the future we're installing is the future we want."

Microsoft Exchange Server Vulnerability Actively Exploited, in a Bad Week for Microsoft

Slashdot - Sun, 2026-05-17 20:56
Forbes describes it as "definitely already out there, and under active exploitation according to the U.S. Cybersecurity and Infrastructure Security Agency, urging all organizations to prioritize timely remediation as the attack vector poses a significant risk." "We have issued CVE-2026-42897 to address a spoofing vulnerability affecting Exchange Outlook Web Access (OWA)," Microsoft told SecurityWeek. "We recommend customers enable EEMS to be better protected, and to follow our guidance available here." Microsoft this week patched 137 vulnerabilities with its Patch Tuesday updates and the cybersecurity industry was surprised to see that the latest updates did not address any zero-days. However, a zero-day was disclosed just 48 hours later, on May 14... described as a spoofing and XSS issue affecting Exchange Server Subscription Edition, 2016, and 2019. "Improper neutralization of input during web page generation ('cross-site scripting') in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network," Microsoft said in its advisory. The company noted that the vulnerability affects Exchange Outlook Web Access (OWA) and an attacker can exploit it by sending a specially crafted email to the targeted user. "If the user opens the email in Outlook Web Access and certain interaction conditions are met, arbitrary JavaScript can be executed in the browser context," Microsoft explained. CSO Online shares more details. "Admins should note there are known issues once the mitigation is applied either manually or automatically through the EM Service."

- OWA Print Calendar functionality might not work. As a workaround, copy the data or screenshot the calendar you want to print, or use Outlook Desktop client.
- Inline images might not display correctly in the recipient's OWA reading pane. As a workaround, send images as email attachments or use Outlook Desktop client...
- Admins may get a message saying "Mitigation invalid for this Exchange version." in mitigation details. This issue is cosmetic and the mitigation does apply successfully if the status is shown as "Applied". Microsoft is investigating how to address this glitch.

Forbes notes "It's been something of a rough few days for Microsoft Exchange on the security vulnerability front," since this week also saw a zero-day demonstrated at the Pwn2Own Berlin hacking event, "which has been responsibly disclosed and not released into the wild." The Berlin event got off to a flying start on May 14 as Windows 11 was hit by no less than three zero-day exploits. On day two, hacking teams were no less successful, chaining together three new vulnerabilities in Microsoft Exchange in order to achieve the holy grail of SYSTEM-level remote code execution. Such was the level of this achievement that Orange Tsai from the DEVCORE Research Team was rewarded with a $200,000 bounty payment in return for immediately handing over all the technical details to the event organizers. "This is, in fact, good news," Forbes writes, since "full details of the vulnerabilities underlying the exploits, along with the technical nature of the exploit code itself, will be handed over to Microsoft, which will then have 90 days to provide a fix before any details are made public."

'We Still Can't See Dark Matter. But What If We Can Hear It?'

Slashdot - Sun, 2026-05-17 19:09
"We may have accidentally detected dark matter back in 2019," writes ScienceAlert. "What if instead of trying to see dark matter, scientists attempted to hear it instead?" asks Space.com: New research suggests dark matter could leave a tiny but discernible imprint in the cacophony of ripples in spacetime called "gravitational waves" that ring through the cosmos when two black holes slam together and merge... Fortunately, when it comes to detecting gravitational waves from colliding black holes, humanity's instruments, such as LIGO (Laser Interferometer Gravitational-Wave Observatory), are getting more and more sensitive all the time... Vicente and colleagues searched through data gathered by LIGO and its fellow gravitational wave detectors, KAGRA (Kamioka Gravitational Wave Detector) and Virgo, focusing on 28 of the clearest signals from merging black holes. Of these, 27 appeared to have come from mergers that occurred in the relative vacuum of space. One signal, however, GW190728, first heard on July 19, 2019, and the result of merging binary black holes with a combined mass of 20 times that of the sun and located an estimated 8 billion light-years away, seemed to carry the telltale trace of this merger occurring in a region of dense, "buttery" dark matter. The team behind this research is quick to point out that this can't be considered a positive detection of dark matter, but does say it gives us a hint at what to look for and thus where to direct follow-up investigations... "We know that dark matter is around us. It just has to be dense enough for us to see its effects," said team leader Josu Aurrekoetxea, of the Massachusetts Institute of Technology (MIT) Department of Physics. "Black holes provide a mechanism to enhance this density, which we can now search for by analyzing the gravitational waves emitted when they merge." They published their results this week in the journal Physical Review Letters.

US Math/Reading Scores Continue 13-Year Decline. Researchers Blame Reduced Testing and Social Media

Slashdot - Sun, 2026-05-17 17:34
Test scores "are lower than they were a decade ago in school districts across the U.S.," reports Time magazine, citing new data released Wednesday by Stanford researchers. "Reading scores were down roughly 0.6 grades in 2025 compared to 2015, and math scores were down about 0.4 grades. This means that students were 60% of one school year behind where their peers were in reading a decade earlier and 40% of one school year behind in math." But Stanford's announcement notes that America's schools "were in a 'learning recession' for seven years before the COVID-19 pandemic, with student test scores in math and reading on a steady decline since 2013." This reversal ended two decades of progress, according to Sean Reardon, the Professor of Poverty and Inequality at Stanford Graduate School of Education, whose data forms the backbone of the new research... The study reframes the narrative of pandemic-era learning loss, arguing that the crisis of the last few years was an acceleration of a problem that was already underway. "The pandemic was the mudslide that followed seven years of erosion in student achievement," said Professor Tom Kane, faculty director of the Center for Education Policy Research at Harvard University, and a lead author of the report... The study found that the slowdown in learning coincided with two major shifts in American childhood and education policy: the widespread dismantling of test-based accountability systems that defined the No Child Left Behind era and the rise of social media use among young people. Reading scores, in particular, suffered consistently, with the average annual loss in the years just before the pandemic being just as large as the loss during it... Today, 8th-grade reading scores on national assessments are at their lowest point since 1990. Compounding the problem, chronic student absenteeism remains a major obstacle to improving learning.
Though down from its pandemic peak, 23 percent of students were chronically absent in the 2024-25 school year, far above the pre-pandemic rate of 15 percent. More context from Time magazine: Reading scores were down roughly 0.6 grades in 2025 compared to 2015, and math scores were down about 0.4 grades. This means that students were 60% of one school year behind where their peers were in reading a decade earlier and 40% of one school year behind in math... "The decline started around the time that social media's use among teens was exploding, and this was also occurring in a number of other countries," says Thomas Kane, one of the authors of the Educational Scorecard report and a professor at Harvard University... [H]e maintains that it is at the core of the decline in reading achievement. He points out that social media use was shown to be heaviest among the lowest achieving students. "Some states and school districts are making progress," notes the Associated Press, "largely by shifting toward phonics-based instruction and providing extra support for struggling readers." And "The picture is also brighter in math. Almost every state in the analysis saw improvements in math test scores from 2022 to 2025."

How Owners of EVs from Bankrupt Fisker Saved Their Cars With an Open Source Nonprofit

Slashdot - Sun, 2026-05-17 16:34
An anonymous reader shared this report from Electrek: When Fisker Inc. filed for Chapter 11 bankruptcy in June 2024, it left roughly 11,000 Ocean SUV owners holding the keys to vehicles that cost them anywhere from $40,000 to $70,000 — and that were rapidly losing the software brains that made them work. No more over-the-air updates. No more connected services. No more warranty. The manufacturer was dead. What happened next is one of the most remarkable stories in the history of the electric vehicle industry. Instead of accepting that their cars would become rolling paperweights, Fisker Ocean owners organized, reverse-engineered their vehicles' proprietary software, hacked into CAN bus networks, built open-source tools on GitHub, and effectively stood up a volunteer-run open-sourced car company from the ashes of Fisker... Within months of the bankruptcy filing, thousands of Ocean owners formed the Fisker Owners Association (FOA) — a nonprofit that quickly grew to 4,000 members and began operating as something between a car club, a tech startup, and an independent automaker. The FOA hired independent tech experts who began reverse-engineering Fisker's proprietary software patches. Members taught each other how to flash firmware. They organized bulk purchases of replacement parts — negotiating the price of key fobs down from roughly $1,000 each to a fraction of that through coordinated group buys. They hosted free global key fob pairing events, saving each owner $100 to $250... What started as desperate troubleshooting has evolved into a genuine open-source ecosystem around the Fisker Ocean. On GitHub, a developer named MichaelOE reverse-engineered the API behind Fisker's official "My Fisker" mobile app and built a Home Assistant integration that exposes every cloud API value as a sensor — with all the app's buttons available as Home Assistant controls... [Community members have also been systematically mapping CAN bus files.] 
The article notes this "is not an isolated incident. Nikola also filed for bankruptcy, leaving its owners in a similar bind. Canoo and Arrival are headed for liquidation auctions..." Consumer advocates are now pushing for structural changes: mandatory software escrow funds that would keep vehicle software running even if the manufacturer disappears, open-source mandates in bankruptcy proceedings, and shared repair data requirements... European automakers, meanwhile, are moving in a different direction entirely — Volkswagen, BMW, Mercedes-Benz, and eight suppliers signed a memorandum in 2025 to develop a shared open-source automotive software platform.... The Fisker Owners Association has proven that a dedicated community can keep orphaned EVs on the road. But they shouldn't have had to... [O]wners shouldn't need to become hackers and parts brokers and quasi-manufacturers just to keep driving the cars they already paid for.

Sysadmin Creates 'ModuleJail' To Automatically Blacklist Unused Kernel Modules

Slashdot - Sun, 2026-05-17 15:34
Long-time Slashdot reader internet-redstar shares an interesting response to "the recent wave of Linux kernel privilege escalation vulnerabilities like 'Copy Fail' and 'Dirty Frag'": Belgian Linux sysadmin and Tesla Hacker "Jasper Nuyens" got tired of the idea of manually blacklisting dozens or even hundreds of obscure kernel modules across large fleets of Linux systems in the near future. So he wrote ModuleJail, a GPLv3 shell script that scans a running Linux system and automatically blacklists currently unused kernel modules, reducing kernel attack surface without requiring a reboot. The idea is simple: many modern Linux privilege escalation bugs target obscure or rarely used kernel functionality that is still enabled by default on servers that do not actually need it. ModuleJail works across major distributions including Debian, Ubuntu, RHEL, Fedora, AlmaLinux and Arch Linux, generating 1 modprobe blacklist rules file while preserving commonly-used modules. Nuyens argues that the increasing speed of AI-assisted vulnerability discovery will likely turn kernel hardening and attack surface reduction into a much bigger operational priority for sysadmins over the next few weeks and months.

Agent harnesses, like OpenClaw, are changing how we build and run AI models

TheRegister - Sun, 2026-05-17 15:30
After nearly four years and hundreds of billions burned building smarter and more capable models, folks understandably would like to see them do something more than run a chatbot. In this respect, OpenClaw served like blood in the water, demonstrating that, in spite of its seemingly endless supply of security flaws, LLMs really can be used to automate complex tasks. Since then, you've probably noticed the term "harness" coming up more frequently to describe agentic AI frameworks, and for good reason. You don't need a harness to interact with a chatbot – local tools like Ollama send API calls directly to the LLMs – but to do today's advanced work, they are essential. On their face, AI harnesses are just a bit of code that wraps around an LLM's API endpoint, orchestrates tool calls, and manages context. OpenClaw, Claude Code, Codex, and Pi Coding Agent are all examples of code-focused harnesses you may already be familiar with. As simple as all this sounds, harnesses are changing the way we think about everything from training new models to how we build and run them at scale. LLM inference on its own is pretty dumb – not the models so much as the way we interact with them. The OpenAI-compatible API calls that have become the de facto standard are transactional. With most early chatbots, you made a request and the API would supply a response. A harness, by comparison, orchestrates those API calls, breaking down one request into multiple. If you were to ask a code agent to build an app that parses logs, the harness might make one request to plan things out, another to review the log directory, a third to generate and execute that code in an interpreter, and a fourth to debug and fix any errors. This multi-step loop would continue until the work is done or the harness cuts it short to ask for user input. At least for coding, these harnesses are getting good enough to be useful. 
In fact, a harness may have a bigger impact on whether the code assistant will be successful than the model itself. Even Qwen3.6-27B, a small-to-medium-sized LLM, proved to be a surprisingly effective alternative to larger paid models when paired with harnesses like Anthropic’s Claude Code or Cline. And yes, if you didn’t know, Claude Code works with any model you like. In fact, the realization that small models with well-designed harnesses can now automate complex tasks has contributed to a shortage of Mac Minis, as AI enthusiasts race to self-host OpenClaw and LLMs on them.

Changing the way we build models

Training dominated the first two years of the AI boom. OpenAI, Google, Microsoft and others raced to build smarter models using as much data as they could harvest. But by the end of 2024, the payoff of building ever larger models started to taper off, as the extra parameters only engendered small gains in intelligence. DeepSeek R1 brought “reasoning” models and test-time scaling to the mainstream. To be clear, these models don’t actually reason, but instead trade time and tokens for higher quality answers and a lower propensity to make stuff up (aka "hallucinate," although we at El Reg try to avoid anthropomorphizing AI). It wasn’t the first. OpenAI’s o1 beat them to it, but R1 was the first widely adopted open weights model that used reinforcement learning (RL) to teach the model new skills, like chain-of-thought reasoning. Over the past year, agentic code assistants have steadily gained traction. Consequently, people are increasingly using RL to teach models to use the tools and resources that agent harnesses expose to them. If you look at many of the recent model releases on Hugging Face, you’ll notice a strong emphasis on agentic tool calling and long-context reasoning. If you want a model to work effectively with an agent harness, it needs to execute tool calls reliably.
And since those tool calls can return large quantities of information, you also need the model not to lose track of that information. While these qualities make for better agentic models, they also require a very different set of hardware.

CPUs take center stage

Compute to run these agent harnesses is in high demand. After living in the shadow of high-end GPUs and AI accelerators for the past few years, CPUs are back in the limelight. Intel Xeon processors are selling faster than Intel can make them. Meta is buying up every chip it can get from Arm and Nvidia, and renting boatloads of Amazon’s Graviton CPUs while it awaits delivery. This is happening because agent harnesses don’t run on GPUs. Even with enough CPU cores to execute these tasks at scale, the number of requests is also reshaping the way we run models. If you haven’t noticed, inference costs have been on the rise. OpenAI recently raised the price of GPT-5.5, Microsoft moved GitHub Copilot to a purely usage-based pricing model, and Anthropic could soon force Claude Code users onto its pricier “Max” subscriptions. Some of this is because of increased demand. Like it or not, vibe coding is catching on and probably isn’t going away. However, we suspect some of it may be down to the fact that these models are running on hardware that was originally built for training and is now having to play double duty for inference. Only in the last year and a half have we started to see inference-optimized systems like Nvidia’s NVL72 racks hit the market. AWS, AMD, and others are now racing to catch up with rack-scale compute platforms of their own. But it turns out that even these systems aren’t enough on their own. If agentic code harnesses are making dozens of requests, each generating hundreds of lines of code, inference performance becomes a major bottleneck. In the early days of ChatGPT, it might have been enough to churn out tokens faster than the average person could read.
Remove the meatbag from the equation and speed becomes everything. GPUs are incredibly compute-dense parallel processors, but their memory isn’t great for the kind of auto-regressive large models these harnesses are being saddled to.

Groq and Cerebras get their moment under the AI sun

Faced with these challenges, infrastructure providers have adopted new compute architectures that combine GPUs with specialized AI accelerators. Nvidia’s acquihire of Groq is a prime example. Late last year, Nvidia dropped $20 billion to license the AI chipmaker’s language processing unit (LPU) chip tech and hire away its engineering staff. As we wrote at the time, Nvidia could have built its own SRAM-heavy decode accelerator, if it wanted to, but it was faster to use someone else’s. By combining its compute heavy GPUs with Groq’s high-bandwidth LPUs, Nvidia was able to churn out more tokens faster and, in theory, improve the economics for AI agents. Higher interactivity is key for agentic workloads because they can now serve more requests in the same amount of time, or “think” about the information that’s been provided to them for longer. We’ve previously explored Nvidia’s new Groq-based LPXs back at GTC as well as the market dynamics behind the multi-rack architecture. AWS is using recently public Cerebras Systems' wafer-scale AI accelerators in much the same way, while Intel is now working with SambaNova on its own disaggregated compute architecture.

The pendulum swings

Given the sheer amount of compute these agent harnesses require, there’s a good chance we’ll start to see hyperscalers cut costs by offloading some of the work onto client devices. Because of the way these harnesses work, simpler requests like planning could be run on small models running locally on the user’s PC. In fact, Google appears to be doing just that.
As we reported earlier this month, Google quietly began shipping as part of Chrome a small LLM that will eat up 4 GB of disk space, and presumably just as much memory when in operation. The model appears to power basic functionality like “help me write” functionality, scam detection, and other AI-assisted functions which have steadily invaded our browsers as of late. It’s not hard to imagine code agents doing something similar. A small local model could be used to draft and test code snippets while the larger cloud-hosted model is used to debug and correct errors, shifting much of the load off datacenters and onto client devices. For that to work, we’re going to need systems with a whole lot more high-speed memory, which poses a bit of a problem in light of the DRAM and NAND shortage. While user-facing agent harnesses could be used to shove some of the computational load onto customer devices, many still want to see agents carrying out entire departments' worth of work. Take the human out of the loop, and these agents wouldn’t be constrained by limitations of their fleshy masters and could work orders of magnitude faster given enough compute resources. So, just like the rise of PCs didn’t spell the end of mainframes, local AI is unlikely to end investors' obsession with ever hotter and more power hungry bit barns any time soon. ®
Categories: Linux fréttir

Python Stays #1, R Rises in Popularity, Says TIOBE

Slashdot - Sun, 2026-05-17 14:34
Are statistical programmers coalescing around a handful of popular languages? That's the question asked by the CEO of software assessment site TIOBE, which every month estimates the popularity of programming languages based on their frequency in search results: This month, the programming language R matched its all-time high by reaching position #8 in the TIOBE index once again. This is not a coincidence. The statistical programming language market is clearly undergoing a major consolidation. The biggest winners are Python and R, while many long-established alternatives continue to lose momentum. The era in which the statistical computing landscape was fragmented across many niche languages and platforms appears to be coming to an end. Several established players are steadily declining: — MATLAB is close to dropping out of the TIOBE top 20. — SAS is about to leave the top 30 for the first time since the TIOBE index began. — Wolfram/Mathematica remains well below its historical peak and is losing further ground. — SPSS dropped out of the top 100 last month.... Elsewhere in the index, Java and C++ swapped positions this month. Java gained momentum following the successful release of Java 26. Another notable riser is Zig, which is approaching the TIOBE top 30 for the first time. Zig's growing popularity appears to be driven by its rare combination of low-level performance, straightforward tooling, and relative ease of use compared to traditional systems programming languages. Their estimate for the most popular programming languages in May: Python, C, Java, C++, C#, JavaScript, Visual Basic, R, SQL, Delphi/Object Pascal. The five next most popular languages on their rankings are Fortran, Scratch, Perl, PHP, and then Rust at #15. Rust is up four positions from May of 2025 — while Go has dropped to #16, seven ranks lower than its May 2025 position of #7.


Enough with the AI FOMO, go slow-mo, says Domo CDO

TheRegister - Sun, 2026-05-17 14:00
Chris Willis, chief design officer and futurist for data platform biz Domo, wonders why people aren't more annoyed with AI companies. Willis said he was in San Francisco a few weeks ago and he couldn't fathom the lack of resentment. "Why aren't people more resentful that these companies have pushed this technology upon them and now everyone is feeling a tremendous amount of anxiety," he told The Register in an interview. "I'm sure you've seen the surveys and the research. Everyone from the C-suite on down feels like the clock is ticking and their careers are on the line." San Francisco is the home of OpenAI and Anthropic. Google, Microsoft, and Amazon are also in town. So there's a lot of self-interested AI enthusiasm in the city by the bay. The resentment is there if you look beyond the billboard evangelism shouting its way down the US 101 corridor that connects the city to Silicon Valley proper. But the existential dread behind Stop AI, Pause AI, Poison Fountain, and the firebombing of OpenAI CEO Sam Altman's home isn't quite what Willis has in mind. He's concerned with the way AI has been marketed through fear – act now or be left behind by this technology that might just take everyone's job and enable DIY biological weapons, now that LLMs can more reliably count the number of "r"s in "strawberry." "Fear," he said, "is not a durable strategy for innovating." The problem as Willis sees it begins with the fact that AI models are a product without a spec. "When you're trying to create a product and you're trying to figure out how that product fits in the market, you have to figure out who it's for and what it's going to do and what it's not going to do," he said. "And these large language models, essentially the feature spec is: 'It'll do anything for anyone, anyway, anyhow, in any language.'" So it's not surprising, he said, that there's some confusion. 
"From a leadership perspective, we've seen many times the pattern where there is a lot of pressure for companies to suddenly innovate with a technology that's not well understood," he said. "And so organizations are spending a lot on buying these AI tools and then expecting innovation to just happen. And that's not usually how innovation works." What company leaders face, he said, is not an innovation problem but an impatience problem. "They're thinking, 'we have to do something now,'" he said, "and so AI in many ways is becoming a sort of theater. We have to show that we're doing something." The phenomenon known as "tokenmaxxing" – buying access to AI models and directing or expecting employees to use them as much as possible – illustrates the lack of strategy, Willis said. "In certain organizations where AI is theater and impatience is driving rather than innovation, tokenmaxxing is a convenient way to feed that narrative," he said. "But it doesn't change anything. The research does suggest that you might have people putting through a lot of tokens and maybe they are personally becoming more productive. But it's not changing the bottom line." The deeper problem, he said, is that companies are treating AI itself as a solution rather than as a tool to help power the solution. The result is a lot of proof-of-concept projects that lack what's required to make them durable, trustworthy, and deployable at scale. Starting with business needs first is essential, Willis argues. "If you don't understand the process and the automations and the workflows in your business, you run the risk of putting in a very powerful engine that's going to drive your business way faster, but with the lights off, at night," he said. Willis suggests companies should not set moonshot goals for AI, and start with something simple, like automating processes tied to a spreadsheet. 
He described work done with one customer that involved developing an app to go through company invoices, check for discrepancies, and surface anomalies for review by a person. The clients were thrilled. Understanding where human judgement is required and where decisions can be verified and hence automated, is key, he said. "Usually that question is not asked." Failing to ask questions like that invites problems. Willis pointed to the way that Swedish fintech biz Klarna replaced customer service staff with AI, only to return to replace the AI with people. "It's very enticing to say we're just going to replace everything with a chatbot," he said. "Frankly, no customer ever just wants to talk to your chatbot." Willis said there's no magic for innovating. Companies need to do the hard work of understanding how AI may or may not be useful for the desired outcome. "There will be a reckoning when it comes to budgets around these things," he said, "because CFOs are starting to ask 'Why are we spending all this money and not gaining anything?'" ®

Elon Musk's xAI Launches 'Grok Build', Its First AI Coding Agent

Slashdot - Sun, 2026-05-17 11:34
xAI has launched Grok Build, "a coding agent of its own to serve as competitor to its rivals' products, such as Anthropic's Claude Code," reports Engadget: As Bloomberg notes, xAI has been trying to catch up to its rival companies like Anthropic and OpenAI. Elon Musk, the company's founder and CEO, previously admitted that it has fallen behind its competitors when it comes to coding. A couple of months ago, Musk said he was rebuilding xAI "from the foundations up" after several co-founders had left the company. One of the company's executives reportedly told staffers to work on getting Grok to match Claude's performance across various tasks. More details from PCMag: Grok Build is currently available in beta to those with a SuperGrok Heavy subscription, which starts at $300 per month. Just download it from the xAI website and log in. It's described as "a powerful new coding agent and CLI for professional software engineering and complex coding work." In its early version, xAI is seeking feedback and looking to fix any bugs... Only a few features have been highlighted, including a plan mode that lets you review, edit, and approve a plan before execution, and support for existing plug-ins and workflows.


Classic 7 is Windows 10 LTSC cosplaying as Windows 7

TheRegister - Sun, 2026-05-17 11:00
For those who miss what Windows looked like in 2009, Classic 7 is a heavily modified version of Windows 10 IoT LTSC, reworked to make it look as much as possible like Windows 7, while still being in support and receiving updates. This has been accomplished thanks to a large compilation of skins, themes, add-ons, tweaks, and so on – some of which are real components from older versions of Windows, adapted and modified to run on Windows 10. We were not sure whether to cover Classic 7, because while it is impressive and fun, we are not at all sure it is legitimate to use. But we can see a target audience. This isn't just a layer of makeup; it's more like a face transplant. It includes some real binaries from Windows 7, and indeed earlier versions, adapted and grafted onto Windows 10. One component is the Windows Media Center from Windows XP, which was cut from Windows 10 before release. The specific version of Windows 10 that it's modified is significant. It's Windows 10 IoT LTSC. We talked about this specific edition in April 2025 because it's the last version of Windows 10 that is still in support and receiving updates. The standard Windows 10 Enterprise LTSC release will continue to receive updates until 2027, and the IoT edition, which is only available in US English, will get updates until 2032 – so this is the longest-lived version of Windows 10. At the bottom of our story on Windows 10 LTSC, we mentioned the slightly shady world of third-party modified editions of Windows. Classic 7 is one; it's a modified version of an Enterprise edition of Windows, one that's only available for legitimate licensing via a Volume License Agreement. Unless you have appropriate volume licensing for the underlying Windows edition and have paid the fairly hefty fee, this is an unlicensed copy of Windows. So we have to spell out that this is not for production use, and you should not use it in any working environment. 
It's an interesting hack, though, and it might be a bit of fun for a home gaming machine or something like that. As an aside, one of the most widely used tools for activating unauthorized copies of Windows and Office, MassGrave, is in fact hosted on GitHub. In other words, Microsoft itself is hosting tools to activate unlicensed copies of Windows and Office. Whether that counts as tacit approval, we wouldn't like to say. Classic 7 has been under construction for over a year and a half, and it's the sequel to an earlier project called Reunion7 – also hosted on GitHub, as it happens. As its list of credits shows, Classic 7 is in part a compilation of a lot of existing tools. Some of them are relatively well known, such as Winaero Tweaker, which can run on any copy of Windows and, among lots of other options, allows some of the less desirable changes in the Windows UI to be undone – for instance, switching to the hidden Aero Lite theme. Classic 7 includes this and a lot more besides. We could identify some of the couple of dozen credited projects, such as the Aero11 theme, itself a port of Aero10 to Windows 11. This works alongside OpenGlass, which brings Aero-style transparency to Windows 10. There's also the Windows NT Modding Utility, and another hack that lets you change the Windows version number reported on the command-line, called Custom CMD Version Text. Multiple sub-components come from the Windhawk mods collection, some credited to a developer called ImSwordQueen, whose themes can be seen on DeviantArt. Other components are more than just cosmetic. For instance, the remarkable description of Explorer7: "explorer7 is a wrapper library that allows Windows 7's explorer.exe to run properly on modern Windows versions, aiming to resurrect the original Windows 7 shell experience." So this is not merely a theme for Windows 10 Explorer: as far as we can tell, it's the real Windows 7 Explorer, but running on top of 10. 
The same appears to apply to Control Panel as well, thanks to the Control Panel Restoration Pack. Thanks to the Windows Media Center (Modern Hardware) effort, this is the real XP version, which an on-screen message says replaced the Windows 8 version used in an older build. We tried Classic 7 in VMware, and the experience is quite uncanny. We did hit some glitches: our first installation failed when we let it do its own disk partitioning. Deleting all the partitions, manually creating a single large C: drive, and telling the installer to use that worked. A few error messages did appear here and there. Trying to change screen resolution went badly awry until we installed the VMware guest additions. Opening Windows Update just threw an error. Overall, though, it is genuinely remarkable. It looks and feels like Windows 7 – but in principle, you can run the latest apps and drivers and they should work. It even includes your choice of older Firefox versions, including version 115 ESR, skinned to look exactly like Internet Explorer – an effort called BeautyFox. Last year, we wrote a piece on running Windows 7 in 2025 and it really reminded us how great the 2009 release looked compared to anything that's come since. Apparently, that late-noughties translucent look is now known as Frutiger Aero, and frankly we miss it. In all honesty, we feel Classic 7 goes too far. We don't want Help/About dialog boxes, and even the winver tool and the ver command to lie to us. We'd prefer something that told the truth, but looked pretty while doing it. But as we wrote last year, some personal friends are still running Windows 7 by choice, and compatibility is starting to become a problem. If you want a recent Firefox, well, you're out of luck. Firefox 115 from 2023 still works, and remarkably, it's still getting security fixes now: the March end-of-life has been postponed again, and it's currently August 2026. 
The Irish Sea wing of Vulture Towers is still running it on OS X 10.13 and it works flawlessly. This is a way out: to keep the 17-year-old vintage look, while running a codebase that still has another five years in it. If you're that determined, it's an option… and it's undeniably an attractive GUI. Whether this unauthorized rebuild of an unlicensed OS is an attractive option, though – you must decide that for yourself. ®

Wanted: Digital chief for England's schools. Must enjoy data, AI, and concrete problems

TheRegister - Sun, 2026-05-17 08:30
England's Department for Education is advertising a role paying up to £200,000 a year to lead a new digital and infrastructure group overseeing school buildings and maintenance, as well as technology and data. Its Director General, Digital and Infrastructure, will lead the technology function of around 1,800 staff, develop a new strategy covering digital services, data, and artificial intelligence, and lead work on a unique identifier for children and other learners in England. Scotland, Wales, and Northern Ireland run education services on a devolved basis. The successful candidate will also implement a new strategy for "the education estate" of schools, colleges, nurseries, and children's homes. The job ad warns the function "carries some of the highest levels of risk and accountability in the department - including life-and-death decisions on safety," citing ongoing work to remove unsafe reinforced autoclaved aerated concrete (RAAC) from schools. "I am looking for a leader who is motivated by impact - someone who is able to combine their digital and data expertise with their drive to improve outcomes for children and young people," writes the department’s permanent secretary, Susan Acland-Hood, in a briefing document with the advert. "Whilst you do not need to be an expert on education policy, you need to be curious and committed to rapidly building your understanding of the latest evidence, system, and policy landscape." The department is willing to base the job in Bristol, Cambridge, Coventry, Darlington, London, Manchester, Nottingham, or Sheffield, although those who do not work in the capital will need to go there frequently. Applications close on June 1. Several other departments have recently advertised digital director-general posts, the civil service job category just below permanent secretary (equivalent to chief executive). 
In January, England's Department of Health and Social Care advertised the role of director general for technology, digital and data with a salary of up to £285,000 a year. In February, the Ministry of Defence offered £270,000 to £300,000 for its chief digital and information officer job. And in April, the Department for Science, Innovation and Technology advertised for three directors-general, one paid £174,000 and the other two paying between £200,000 and £260,000 annually. ®

The UK Finally Starts Reforming Its 'Computer Misuse Act'

Slashdot - Sun, 2026-05-17 07:34
Computer Weekly reports on "the long-awaited reform of Britain's outdated Computer Misuse Act of 1990 — which has hamstrung the work of the nation's cyber security professionals and researchers for years." The Computer Misuse Act was passed 35 years ago in response to a high-profile hacking incident involving no less than the King's father, the late Duke of Edinburgh. It defined the offence of unauthorised access to a computer — which has been used successfully in countless cyber crime prosecutions over the years. However, as the cyber security landscape has developed into its current form, this language has become increasingly vague and for some years now, a growing number of bona fide security professionals have been arguing that it potentially criminalises their work because from time to time, they may need to gain covert access to IT systems in the course of legitimate research. Speaking to Computer Weekly in 2025, Belfast-based security consultant Simon Whittaker described how the police showed up at his front door after his research was erroneously implicated in the infamous WannaCry incident of 2017... Sabeen Malik, vice-president for global government affairs and public policy at Rapid7, added: "As AI-driven vulnerability discovery scales, defenders need to run automated scanning, agentic red-teaming, and large-scale vuln research at machine speed — activities the 1990 Computer Misuse Act's broad unauthorised-access provisions were never designed to accommodate, leaving UK researchers exposed to criminal risk for work their adversaries face no equivalent friction performing." The reforms are part of a new bill that's "enhancing the powers available to law enforcement and the security services," according to the article. It points out that the U.K. 
government also intends "to create a Cyber Crime Risk Order that can be applied to control the behaviour of cyber criminals, and new abilities to search people believed to be concealing evidence on behalf of suspected offenders." It's all part of a proposed bill "designed to make the UK a harder target for hostile foreign states and other dangerous groups to attack."
