TheRegister

Democratic lawmakers on Thursday blasted President Trump’s spending priorities – specifically a proposed $1 billion White House security and ballroom project and a nearly $1.8 billion “slush fund” for Trump allies tied to the January 6 Capitol riot – as his administration pushes deep cuts to cybersecurity funding. US Representative Delia Ramirez (D-IL) decried the president's priorities as Congress weighs reauthorization of the State and Local Cybersecurity Grant Program (SLCGP), a funding effort that began in 2022 and earmarked $1 billion to state and local governments over the next four years to help mitigate cyber risks. "Budgets are moral documents, and spending a billion dollars on a ballroom, which is what the president wants, or $1.7 billion to incentivize insurrectionists while we still are waiting for the reauthorization of this critical grant program, says a lot about where priorities are right now with this administration," she said during a House Homeland Security subcommittee hearing on state and local cybersecurity. Another Democrat on the committee, Rep. James Walkinshaw (D-VA), noted the US Cybersecurity and Infrastructure Security Agency (CISA) also eliminated federal support for the Multi-State Information Sharing and Analysis Center (MS-ISAC), which used to provide free and low-cost threat detection and response services to state and local governments. The MS-ISAC has since shifted to a fee-based model to support the state threat sharing program. This means, as expert witness Samir Jain, VP of policy for the Center for Democracy and Technology, testified, “jurisdictions that most need the help are least likely to be able to afford it. Smaller jurisdictions, because if they don't have the resources and the money to join the ISAC, they probably also don't have the resources and the money to buy equipment, to buy network monitoring tools, to have cybersecurity staff. It's the ones who need it the most are the least likely to be able to get it as a result.” Walkinshaw also pointed out that CISA’s 2025 budget was about $3 billion. President Trump proposed slashing the cyber-defense agency’s spending by $707 million in 2027, to just over $2 billion. This is on top of the $135 million in cuts to CISA, along with about a third of its workforce (close to 1,000 people) since Trump returned to office. “So we are looking at a one-third cut in federal funding for cybersecurity,” Walkinshaw said. “If President Trump gets his way, we'd be spending a billion dollars for the ballroom and $1.8 billion for the January 6 slush fund – $2.8 billion just on those two items, $800 million more than his total commitment to cybersecurity.” Meanwhile, other expert witnesses who testified before the committee, all IT and security chiefs from Tennessee, New York, and Florida, implored the lawmakers to spend more – not less – on state and local infosec. “State and local governments operate critical systems that citizens rely on every day, including emergency services, schools, utilities, courts, and public infrastructure,” Tennessee CIO Kristin Darby told lawmakers. “Those systems are increasingly targeted by criminal organizations and nation-state actors,” she said, adding that “demand for cybersecurity support far exceeds the current funding levels.” As AI-enabled attacks, ransomware infections, and cloud-based system intrusions accelerate across Tennessee, “many local governments across our state have little or no dedicated cybersecurity staff,” Darby continued. “This creates a dangerous imbalance between highly sophisticated attackers and severely resource-constrained defenders.” New York state director of security and intelligence Colin Ahern urged lawmakers to “reauthorize and fully fund the state and local cybersecurity grant program, which is the single most consequential investment in the cyber protection of state and local governments in this country.” He also advocated for frontier-model AI access for state and local governments, which are tasked with protecting the power grid, drinking water supply, public health systems, and other critical operations. “We cannot do that while frontier defensive AI capabilities are restricted to federal partners and a handful of large enterprises,” Ahern said. “Cybersecurity is the silent partner of democracy,” he continued. “When the utilities, school districts, and state and local governments that constitute the operational fabric of American life are hollowed out by cyber attacks, the institutions that support our democratic life are hollowed out with them.” ®

Google’s AI-powered transformation of its search engine will give the mega company a more captive audience than ever before - and what better way to turn those eyeballs into cash than by serving up new forms of AI-powered ads? Announcements out of the Chocolate Factory’s I/O AI fest continued Wednesday with the premiere of what the company called “a new generation of ads” tailor-made “for the AI era of Search” that it decided you definitely need earlier this week. As we mentioned in our earlier I/O coverage, Google announced what Search VP Elizabeth Reid called the “biggest upgrade in over 25 years” to Google Search. Those changes center on pushing Gemini 3.5 Flash deeper into Search and AI Mode, giving the engine the ability to “anticipate your intent” and surface more detailed AI-generated responses. That doesn’t mean AI Mode is being made the default, mind you. Google told The Register that standard search engine result pages are still going to be the default for anyone doing a typical Google search, though AI responses will be served alongside results, we’re told. Any web search that returns an AI Overview, on the other hand, will include an option to follow up with the Overview in AI Mode, and AI Mode with rich content input can be selected from the Search box as well. It’s here that Google’s beefing up its AI, letting it do the searching for you and surface whatever it’s been programmed to prioritize in a manner designed to keep you from clicking away, enabling Google to hand you more profit-generating content … er, helpful results. Those results will include “more helpful ads,” which will come in two varieties: Conversational Discovery ads, and Highlighted Answers. Regarding the Conversational Discovery ads, Gemini’s responses to specific questions will build ads “tailored to that search, highlighting specific relevant features.” Google cites the example of someone searching for a way to make their house smell fresher. Results for such a search could recommend deodorizing your house using, say, a $1 box of baking soda mixed with water or a simple 1:1 vinegar/water mix - or it could tell you how much you need a $20 reed diffuser, electric wax melter, or some other expensive product Google’s getting paid to flog. Highlighted Answers, on the other hand, means “highly relevant, high-quality ads are eligible to appear” on lists of recommendations delivered by AI Mode. What meets that threshold wasn’t mentioned, but Google told us that it’s using similar standards to its existing ad filtering, and the same auction mechanics to get the ads in front of eyeballs. Brands approved for Highlighted Answers will have their recommendations inserted into the end of AI Mode results, Google explained. The feature is currently in testing, with Google telling us it wants its placement to feel natural and add value to users' searches. Of course, just because the standard Google Search mode isn’t going away, contrary to the panic that Google’s announcements triggered this week, that doesn’t mean Google isn’t stuffing more AI ads into those results, too. AI-powered shopping ads that use Gemini to “pull up your most relevant products and instantly write a custom explainer highlighting why your product may be the right choice” are coming to Google’s standard search results pages in the coming months, as is the ability to “put a smart brand agent right inside your ad.” Those ads, for example, could be a chat window that provides answers on the content of a website, Google explained, “turning a practical interaction into a valuable lead.” Google said that it’s also expanding its Direct Offers program that allows retailers to offer user-tailored discounts and offers on products purchased via Gemini, giving brands more ways to motivate consumers to buy whatever they’re flogging without customers ever leaving Google’s ecosystem. Businesses that want to use these new AI advertising features will be encouraged to build campaigns around Google’s AI Max and Performance Max ad tools, naturally ensuring the Chocolate Factory keeps collecting its cut as it pushes advertisers deeper into the AI era of Search. Google assured us that people actually do want this, and that they really are gravitating toward AI experiences delivered through Google, even though they’re not always optional. The Chocolate Factory further told us that, despite ads featuring prominently across its various AI tools, ads never impact organic results. They’re just buried behind an ever-growing wall of AI schlock one has to weed through to find actual search results, and now even more ads. ®

You know your Google API key has leaked so you rush to disable it before bad actors can start running up charges on your account. Bad news: According to security researchers at Aikido, people can use the API keys for up to 23 minutes after a user deletes them, creating a window of opportunity that, when combined with Google’s automatic billing tier upgrades, can devastate victims. “We've identified a substantial window where an attacker with access to a leaked Google API key can continue to misuse that credential, after the user believes the key is revoked,” Joseph Leon, a security researcher with Aikido, told The Register. “In that window, an attacker could run up charges, pull sensitive files uploaded to Gemini, and exfiltrate cached context.” Aikido tested the gap during 10 trials over two days. In each trial, researchers created an API key, deleted it, and then sent three to five authenticated requests per second until no valid response came back for several minutes. From the time a user deletes the Google API key to when it can no longer be used propagates gradually across Google's infrastructure, he said. Some servers reject the key within seconds while others keep accepting it for 23 minutes. What this means is that an attacker holding a deleted key can repeatedly send requests until one reaches a server that has not caught up, Leon said. If Gemini is enabled on the project, they can dump files that were uploaded and exfiltrate cached conversations. The paper cited a similar problem researchers disclosed in December involving AWS keys. In that case, after deletion, attackers had a four-second window to exploit, and researchers showed how they could create new credentials in that time. “Four seconds was enough to matter on AWS,” Leon wrote in the paper. “Given recent attention to Google API keys used to access Gemini, we set out to measure how long Google's API key revocation window remains open.” Flaws can hit devs with huge surprise bills The Register has reported numerous cases of Google API key abuse in which developers are suddenly hit with five figure bills after their credentials are compromised. The problem was compounded in April after Google reworked its billing policy to include spending tiers for users. While developers initially thought of it as a way to limit costs, Google automatically upgrades that spending tier to the next highest level without their knowledge. For users who have been working with Google for more than 30 days and have spent more than $1,000 over the lifetime of the account, their cap can be increased from $250 to $100,000 if their usage spikes – a windfall for crooks if the credentials fall into the wrong hands. Developers whose Google API keys were stolen told The Register that their bills rocketed up to five figures minutes after their credentials were stolen, as bad actors loaded up on Google’s Gemini models such as Nano Banana and its video production model Veo 3. Google issued refunds in the three instances that The Register brought to its attention, returning $154,000 to those developers. The victims told The Register that, during the attack, they were frantically trying to shut down the spending and turn off access to their projects even as costs climbed by thousands of dollars. Leon said in cases where a Google developer tries to shut off access to their account, deleting the API key will still give crooks time to inflict damage. “It's hard to put a dollar figure on it,” Leon told us. “The window averaged 16 minutes in our testing and stretched to nearly 23 at the worst. During that window, the success rate is wildly unpredictable. We saw minutes where over 90% of requests still authenticated, and others where fewer than 1% did. An attacker who knows this can send requests at high volume to maximize their odds of hitting a server that hasn't caught up. For Google API keys with Gemini access, the damage isn't just a compute bill. It's the files and cached context an attacker can exfiltrate before the key actually dies.” Using VMs, Aikido tested its findings across three Google Cloud regions – east coast US, western Europe, and southeast Asia – then they spot checked those results on different dates. For each trial, Aikido deleted a single API key and sent requests from each of the three VMs in parallel, Leon wrote in the paper. “VMs further from the US picked up the deletion faster, which is the opposite of what you'd expect. We can't say exactly why from the outside. Google's request routing is more complex than ‘VM region equals server region,’ and a VM in Singapore isn't necessarily talking to servers in Singapore,” the paper states. “But the pattern was consistent across trials, which points to something about regional infrastructure, caching, or routing affinity driving the difference.” The trial used keys with access to Gemini, but he observed the same behavior with keys scoped to other GCP APIs, such as BigQuery and Maps. Google has built faster revocation for other credential types, Leon said. He said Google’s service account API credential revocations propagate in about 5 seconds. Gemini's newer API key format – the one that starts with AQ – propagates in about a minute. “Both run at Google scale. Both suggest this is technically solvable for Google API keys, too,” Leon wrote. But Google told Aikido it has no plans to address the 23-minute gap researchers found with its other API keys. “After reviewing our report, they closed it as ‘Won't Fix (Infeasible)’ with the comment ‘the delay due to propagation of the deletion of these keys is working as intended,’ “ Leon told us. The Register has reached out to Google about this research, but has not yet received a response. ®

GitHub's npm package registry has rolled out a publishing approval step to prevent the distribution of compromised packages before they can poison the software supply chain. Modern software development relies on imported bundles of code known as packages (and sometimes libraries or modules). In the past decade or so, miscreants have focused on gaining access to the accounts of package maintainers. Subverting a widely used package offers a fast track to malware distribution. Last December, amid the Shai-Hulud 2.0 campaign that compromised software packages, GitHub described a series of planned security measures intended to harden security for npm package publishers. One of the measures, staged publishing, has now been implemented. GitHub on Wednesday merged npm stage into npm CLI (v11.15.0) and has updated the registry documentation that describes the process. Staged publishing might also be called gated publishing – it requires a project maintainer to approve changes to a package that has been staged for release. It's been under discussion since 2020. "Instead of publishing directly with npm publish, you can submit packages to a staging area with npm stage publish," the documentation explains. "A maintainer must then review and explicitly approve the staged package — with two-factor authentication (2FA) via the CLI or npmjs.com — before it becomes publicly available." This process should have particular value for automated workflows, which typically don't include a way to authorize via 2FA. Automated workflows often rely on tokens for authentication, but these can be copied and stolen. Tokens that remain valid for long periods of time become attractive targets for cyberattackers. That's why GitHub did away with long-lived classic tokens and encouraged the use of short-lived session tokens and permission-limited access tokens for automation. GitHub's discontinuation of classic tokens hasn't gone all that well because short-lived tokens tend to expire at inconvenient times – no one likes having to regenerate tokens every 90 days or less and then go through the reconfiguration process. Staged publishing should make it easier for developers to set up maintainable workflows without burdensome re-authentication rituals. It gives package publishers the option to stage their package via automation and to delay the 2FA approval for publishing at a later date. GitHub offers trusted publishing as a way to establish trust between npm and the developer's CI/CD provider using OpenID Connect (OIDC) authentication. The OIDC mechanism still doesn't work when trying to publish a package for the first time, but together with staged publishing, the software supply chain looks a bit more defensible – so long as developers avail themselves of these tools. ®

Finding vulns just doesn't pay like it used to. At least one bug hunter who found an open source security flaw and reported it months ago via HackerOne’s backlogged Internet Bug Bounty (IBB) program finally got paid for his work - but at a drastically reduced reward rate. The security researcher found a medium-severity vulnerability that previously paid $1,843. As of Monday, HackerOne’s IBB pays $297 for the same severity level. Similarly, the new IBB cash prize for a critical vulnerability is $2,257, compared to the previous $9,250 reward. High-severity bugs now fetch $1,009, while they used to earn a $4,429 payout. And low-severity bugs earn researchers $68, compared to the previous $597 reward. HackerOne’s IBB remains on a break, and is not accepting new submissions. “The IBB program is currently paused while we evaluate adjustments to the program that will maximize value to researchers, sponsors, and the open-source ecosystem,” a spokesperson told us. “We remain committed to strengthening open source security through ethical security research.” When asked if AI-generated reports played a role in the pause and reduced reward amounts, a spokesperson didn’t give us a direct answer. “The Internet Bug Bounty is a unique, dynamic program where bounty levels automatically adjust based on the contributions from active participating sponsors,” the HackerOne spokesperson said. “Payouts under this program are regularly adjusted accordingly, as provided in the IBB program description.” Tale of two hackers Back in January, The Register talked with hacker Jakub Ciolek, who told us he reported two denial-of-service bugs in Argo CD, a popular Kubernetes controller, via HackerOne’s IBB program last fall. Both were assigned CVEs and fixed. Ciolek expected to receive about $8,500 for the two flaws - but instead HackerOne ghosted him for months, finally sending him an email after The Register reached out to the bug bounty platform. HackerOne thanked him for his patience and said his bug reports remain "pending reward processing due to a temporary operational backlog." Shortly after, we heard from another researcher in a similar situation. “I still hope to get some bounty some day for it,” the bug hunter told The Reg, noting that HackerOne set an end-of-March deadline to sort the backlog. On Wednesday, this hacker told us he finally received a bounty announcement and payout from HackerOne, although at $297, it was less than expected, as the payout amounts changed after they submitted their report. “I am glad I finally got something,” they said. Ciolek said he’s still waiting for any word from HackerOne, and told us repeatedly that this isn’t about the money. “The reduced payout is a symptom,” he said. “The economics of vulnerability reporting are changing very quickly.” Until just a few months ago, project maintainers - and bug hunters themselves, Ciolek included - dismissed this as an AI-slop problem. Recently, however, as models have gotten exponentially better at writing code and exploits, open source projects can’t keep up with the pace of bug reports, which still require humans to evaluate them. "Over the last few months, we have stopped getting AI slop security reports in the curl project,” Daniel Stenberg, founder and lead developer of curl, famously said in a social media post. "They're gone. Instead, we get an ever-increasing amount of really good security reports, almost all done with the help of AI." Linux kernel maintainer Greg Kroah-Hartman also noted in an interview with The Register how AI-assisted bug reports contained less slop and more valid concerns. On Sunday, Linux kernel boss Linus Torvalds declared that the project’s security mailing list has become “almost entirely unmanageable” due to multiple researchers using AI to find bugs and then filling the list with duplicate reports. “The recent Linux security mailing list situation is a clear signal: AI-assisted reports are increasingly real enough to matter, but numerous enough to overwhelm the people who have to validate and fix them,” Ciolek told us. “Bug bounties were supposed to reward what was scarce,” he continued. “That used to be discovery. Today, finding plausible bugs is becoming much cheaper, and generating reports is easy to scale. The expensive part is still very human: someone has to verify impact, deduplicate reports, decide whether something really crosses a security boundary, coordinate disclosure, and get a safe fix shipped.” While Ciolek says he’s sympathetic to changing economics, and overworked, underpaid open source project maintainers' capacity to investigate every serious-looking security report, the trust issue between researchers and bug bounty programs remains. “The trust issue here is that the change was effectively applied long after the work was already done, fixed, and publicly credited under a different expectation,” Ciolek said. “Responsible disclosure depends on researchers believing the process is predictable. The rules should not change after the work is complete. Serious researchers will price that in as risk, or they will stop participating.” Ciolek says he’s no longer actively doing bug bounty research - but will report serious issues as he finds them. “With the current flood of findings, I don't want to add more volume unless I'm confident the issue is serious enough,” Ciolek said. “In this AI-assisted era, the valuable work is no longer just ‘I found another bug.’ It is ‘I verified this matters and helped get it fixed.’ I think the original discovery-first bug bounty model is becoming obsolete. The next model has to reward more of the remediation cycle, not only the finding.” ®

Generative AI apps and services are getting more expensive by the day as model devs grapple with surging infrastructure costs. A new generation of GPUs and AI accelerators promises relief from rising inference demand, but you won't see the savings. After years and billions spent building bigger and better models, the great AI houses are beginning to find tangible use cases for the technology beyond chatbots and image generators. Claude Code, Codex, GitHub Copilot, and the slew of other code assistants have arguably become AI’s biggest success story to date, but history tells us they won’t be the last. But success is a double-edged sword. The bit barns built with borrowed money to train the Sonnets, GPTs, and Geminis at the heart of these apps and services were never meant to serve them at this scale. Inference and training are very different beasts. Those selling the shovels of the AI boom are now racing to bring new hardware better suited to serving these models. Nvidia pulled $20 billion from its war chest to acquihire AI chip startup Groq for this very reason. And it's not alone; everyone, from AMD and AWS to Intel and Google, is rearchitecting their GPUs, AI accelerators, and systems to drive down the cost per token. Cheaper tokens mean better inference economics, higher margins, and the venture capitalists fanning the flames hope that OpenAI, Anthropic, and all the others might actually drag themselves out of the red one day. Your AI addiction is their opportunity There’s just one little problem. All that AI-optimized hardware isn’t quite ready yet. Much of it is promised for the second half of this year, but it takes time to work out the kinks and ramp supply chains, which means the bulk of these new systems won't have widespread deployments until early to mid 2027. But here lies a fleeting opportunity for the flag-bearers to see how addictive their products have become, and just how much the market will bear. If Nvidia and AMD are the arms dealers of the AI age, the model devs are the drug dealers: the first hit's free, the next ones are cheap, and before long you’re hooked. We’re already seeing this play out. With the launch of GPT-5.5, OpenAI doubled the price per token to $5 (input), $0.50 (cached input), and $30 (output) per million tokens. It didn’t take long for Google to follow suit. The Chocolate Factory’s newly-launched Gemini Flash 3.5 is between 3x and 6x more expensive than Gemini 3.1 Flash-Lite and Gemini 3 Flash Preview. These price hikes are further compounded by the fact that the agent harnesses being built atop these models are burning through tokens orders of magnitude faster than a typical chatbot. Flat rate pricing makes a lot of sense when the majority of your customers aren’t running up against usage caps. It makes a lot less sense when customers are spending $200 a month on $5,000 worth of tokens. Microsoft seems to have figured this out. It outright abandoned seat-based pricing for GitHub Copilot and began transitioning its customers to usage-based pricing. Anthropic appears to be rethinking its pricing model as well, but rather than moving to a pure usage-based pricing model, it’s considering watering down its subscription features. AI isn’t the payroll paradise execs were promised Executives who thought AI was going to replace a full-time employee for pennies on the dollar are in for a rude awakening. That's not happening and it probably never will. Not when Anthropic, Google, or OpenAI can charge the equivalent of $30 an hour in tokens and make the case it’s still cheaper than paying an employee $40 an hour plus benefits and unemployment insurance. Just wait, before long AI pricing will be marketed in dollars per full-time equivalent ($/FTE) instead of dollars per million tokens. AI may not be the sweet deal execs might have hoped for, but that hasn’t stopped large tech firms from laying off thousands in pursuit of the technology. The FOMO has never been higher, and, if there’s anything big tech loves, it’s leading by example. So far this month, we’ve learned: Meta is laying off about 10 percent of its global workforce, closing around 6,000 open positions, and reassigning some 7,000 workers to AI-focused divisions. Cloudflare is cutting more than 1,100 workers, citing increased reliance on AI. Cisco is letting about 4,000 workers go because, as its CEO Chuck Robbins put it, “The companies that will win in the AI era will be those with focus, urgency, and the discipline to continuously shift investment toward the areas where demand and long-term value creation are strongest.” Even New Zealand has revealed plans to use AI to sack around 9,000 government workers. Competition won’t save us Competition, it’s said, is the cure to high prices, but for that to happen, there has to be a profit margin to shave and so far the top model devs are all running deep in the red. Hyperscalers have the advantage here. They can lose billions on AI investments for years while leaning on other product divisions to keep their shareholders from staging a riot. But it is probably not the death knell for Sam Altman’s hypemaxing or Dario Amodei’s sanctimonious posturing. Someone still has to build the models. Microsoft, Meta, and AWS are dabbling in model training, but have yet to show they can compete with OpenAI or Anthropic in any meaningful way. Google is really the standout in this respect. Gemini routinely trades blows with GPT and Claude, and after this week’s I/O, it’ll be practically inescapable. If history tells us anything, the AI boom and inevitable bust will follow a familiar trajectory. Competition abounds in a bubble, but once it bursts, consolidation is inevitable. ®

Who needs a minister when you have an LLM? America’s Christian population appears to have found God in precisely the place you’d expect a manifestation of the divine to be spotted in 2026: Amid AI chatbot responses. A survey of Americans published this week by Evangelical polling outfit Barna sought to discover what Christians thought about AI’s ability to serve as a spiritual mentor, and the split is surprisingly even: A full 48 percent of practicing US Christians told the organization that they trusted AI’s advice to aid their spiritual growth. Potentially more surprising than that, 34 percent said spiritual advice dispensed by an AI was just as trustworthy as what they'd get out of a flesh-and-blood pastor. That share rises, unsurprisingly, among younger Christians, with 39 percent of Gen Z respondents and 44 percent of Millennials agreeing that preachers and AI are at trust parity. Pastors themselves, it likely won’t surprise you to learn, are splitting sharply from their flocks on the matter of AI’s ability to fill their roles in the lives of congregates, with just 12 percent saying they agree that AI can help people grow spiritually. That said, there’s a pretty serious tension among American Christians when it comes to AI. At the same time half say it’s aiding their spiritual journeys, most also expressed concerns about negative effects of AI on spirituality. A full 83 percent of practicing US Christians believe AI is likely to misinterpret scripture, 73 percent are worried AI will cause loss of religious faith, and 72 percent believe that AI is beginning to act as a replacement for God and earthly spiritual leaders. “Christians say they trust AI with spiritual growth, and a meaningful share say its spiritual guidance is as trustworthy as a pastor’s—yet large majorities are simultaneously concerned about AI misinterpreting scripture, replacing God, or undermining the role of spiritual leaders, Barna VP of research Daniel Copeland said of the findings, which he called “confounding.” “That level of openness is higher than we might have expected,” Copeland added in the Barna’s report. Worshipping at the altar of Altman AI and religion have been butting heads for the past couple of years, with the Catholic Church particularly outspoken about the technology. The late Pope Francis called on world governments to establish global AI regulations in 2023, as well as calling on people to avoid turning to AI models for moral and ethical decisions. Vatican AI authority Friar Paolo Benanti later accused Silicon Valley elites of playing God with their creations, AI included, noting that “the focus will always be on using AI for profit,” which - according to the good book itself - isn’t compatible with Christianity. That hasn’t stopped some of God’s faithful from creating an AI Jesus and Christian AI platforms, and the new Pope, Leo XIV, has continued his crusade against the technology. "By simulating human voices and faces, wisdom and knowledge, consciousness and responsibility, empathy and friendship… artificial intelligence [could] not only interfere with information ecosystems, but also encroach upon the deepest level of communication, that of human relationships,” Leo said earlier this year. Leo further expressed worry that AI was turning people into “passive consumers of unthought thoughts,” and that’s not even to touch on the fact that AI has a tendency to make stuff up to appease its questioners, potentially leading the spiritually curious into full-blown episodes of psychosis aided by a digital yes-man in the guise of an authority. ®

Flipper Devices has announced the Flipper One, an ARM-based Linux computer built around openness, though its price tag may give you pause. The computer is not a successor to the Flipper Zero, according to the manufacturer, despite the visual similarity. Whereas the Flipper Zero was more about hacking anything from NFC cards to infrared controls and RFID devices, the One is a full-fledged Linux computer. The device uses a Rockchip RK3576 as its main CPU, and a Raspberry Pi RP2350B microcontroller to take care of the on-device controls and the 256 x 144 grayscale screen. There is also a pair of USB-C ports (one to charge the device), a USB-A port, and a full-size HDMI connector. Rounding out the package are two Gigabit Ethernet ports, a MicroSD card slot, and a 3.5 mm audio jack. The device has 8 GB of LPDDR5 memory and 64 GB of internal storage. There's also Wi-Fi and Bluetooth. For users keen to expand the device, there is an M.2 port and GPIO connectors. The device's cost is tricky – the aim is $350 for the base configuration without the cellular module. However, considering the volatility of chip prices at the moment (and the relentless rise in memory costs), the final figure might be different. The first prototype arrived earlier this year, and the inevitable Kickstarter campaign is due at the end of the summer. The question is whether it is a worthwhile investment. The price elevates the device firmly out of the impulse purchase category, but its flexibility does have appeal. The HDMI port makes it a useful media box for connecting to televisions. It could also serve as a Linux workstation, and all the networking interfaces make the device a "multi-tool," as the company put it. Flipper Devices suggests use cases including VPN gateway, Ethernet sniffer, and USB Wi-Fi/Ethernet adapter. As if to emphasize the clear blue water between the Zero and the One, there is no NFC reader or RFID onboard – hopefully an M.2 peripheral will handle that, or users can fall back on a Zero. Flipper Devices plans to keep development running – the Zero and One are very different categories of device. Things get more interesting on the software front. Flipper Devices is aiming for full mainline Linux kernel support and has partnered with Collabora to bring the RK3576 SoC into the mainline kernel and give Flipper One full upstream support. "The current state of ARM Linux is depressing," it wrote. "Every vendor bolts on their own custom mess: closed boot blobs, vendor-specific patches, 'board support packages' that nobody outside the chip maker can really understand. "You can no longer just read the specs and understand how computers work – you can only learn the workarounds for one specific chip with one specific BSP. We're sick of this ourselves, and we don't want to be part of the problem by shipping yet another product that just adds to the mess." But first you have to ship it. Calling the Flipper One a "community-driven project," Flipper Devices added: "We've made the entire development process open – so you can see how things are built and even take part in shaping Flipper One's future." While the project has now been officially announced, prospective purchasers should keep in mind that there are no guarantees about what (if anything) will actually ship. And, of course, one should always exercise caution when backing Kickstarter projects. In the announcement, Flipper Devices boss Pavel Zhovner wrote: "There's a lot of uncertainty in this project, along with technical challenges and financial risks (like the current RAM chip crisis). "I don't know if we'll be able to do everything we've planned, but we'll give it everything we've got. Thank you all, and welcome to a new adventure." ®

A "state of Web Dev AI" survey shows that nearly half of web developers worry AI will displace their jobs, with one stating "it will be devastating to our sector." The survey of 7,258 developers is the second on this topic to be conducted by Devographics, home of other surveys including State of JavaScript and State of CSS. There are big changes since the first in early 2025, when the majority of respondents used AI to create less than 25 percent of their code, whereas today 63 percent of devs use AI to generate more than half their code. Over a quarter of respondents (27 percent) use AI for 90 percent or more of their code. Code generation is the top AI use case, followed by code review, research, and debugging. The researchers gathered respondents from those who had completed previous surveys plus others contacted via social media, and state that the topic may have "biased the respondent set towards developers who do have an interest in AI." Regarding job security, a common view is that although developer skills remain relevant in an AI world, their bosses may be convinced otherwise and let them go. "AI companies can convince employers that AI can take my job, even if it can’t," said one. Another commented that they "already had to search for a new one, because my job as designer and frontend dev got cancelled for AI." There is concern over loss of skills as junior hires decrease. "Companies will rather spend the money on AI than train employees," one commented. The most used model provider is ChatGPT (88.4 percent), just ahead of Anthropic’s Claude (82.1 percent). When it comes to paid subscriptions though, Claude is the winner (69 percent), followed by ChatGPT (49 percent) and Google Gemini (32 percent). Despite increased usage, the respondents are by no means AI enthusiasts. Use of AI for image generation has fallen since last year, from 38 percent to 37 percent, and some respondents have ethical objections. "I do not use image generators on principle," said one, and another claimed "AI image generators are built entirely on stolen images." A general section on AI risks revealed a multitude of concerns: while job displacement topped the list, military use of AI, environmental impact, and AI slop takeover were not far behind. Security issues and rising costs were also areas of unease. The survey limited respondents to three top choices; many comments showed that they would have liked to pick more. From a technical perspective, the biggest issues cited were hallucination and inaccuracies (64 percent); poor code quality (53 percent) and lack of context (38 percent). It is a strangely mixed picture, with respondents expressing strong reservations about the overall impact of AI, while at the same time becoming dependent on it. 74 percent agreed AI tools are integral to their workflow, and 64 percent felt they were more productive thanks to AI. 88 percent feel the quality of AI tools has improved significantly year on year.®

AWS is pushing its European Sovereign Cloud, revealing some of the customers it has signed up to operate sensitive workloads on the platform and the continent's over how much sovereign control over data the Amazon subsidiary really offers. The service became generally available to European customers in January, amid growing alarm over the Trump administration’s open hostility to Europe and the continent's near-total dependence on US cloud platforms. AWS claims the European Sovereign Cloud represents a physically and logically separate cloud infrastructure, with all components located entirely within the EU. It started with just a single Region, located in the state of Brandenburg, Germany, but plans to extend its footprint across the EU. Organizations that have signed up for the service include University Hospital Essen, Schufa, a German credit information bureau, and smart energy and water meter biz Diehl Metering. Schufa has built a new credit scoring system that uses the AWS Cloud to hold the sensitive financial data of more than 69 million German consumers, while Diehl is operating services such as monitoring and billing for its public sector customers, helping critical infrastructure like waterworks and municipal utilities to manage water and energy data from a single centralized system. University Hospital Essen says it is using the platform for working with patient health data and also developing new AI technologies to improve patient care. “The AWS European Sovereign Cloud will support this mission by allowing us to work with health data at scale, while meeting German and European sovereignty expectations,” said Prof Jens Kleesiek, the hospital’s director of its Institute for Artificial Intelligence in Medicine, in a statement. There are, however, legitimate doubts about whether clouds operating under the aegis of any US company can really offer full sovereignty in Europe. Concerns often center on the US CLOUD Act, under which the authorities can compel any American organization to provide access to data they hold - including data stored outside the United States - subject to due legal process. An AWS spokesperson told The Register earlier this year that its European Sovereign Cloud includes multiple layers of protection – legal, operational, and technical – to safeguard data; that not even AWS employees can access customer data; and that it provides advanced encryption to allow customers to protect their content. A Microsoft executive was forced to admit under oath in a French Senate inquiry last year that it cannot guarantee data on French citizens would not be handed over to the American government if requested, and the same US legal rules – namely, the US Cloud Act – apply to AWS. “The AWS ESC is a fully isolated infrastructure with a separate legal entity in Germany. Although it does offer a certain level of legal insulation, it is still entirely owned by the US mother company. This is an important limitation to its immunity from the CLOUD Act and other US-led prescriptions,” said Forrester senior analyst Dario Maisto. Technology biz Thales unveiled on Thursday that it is launching its own European sovereign cloud service in Germany, working with Google Cloud. This is based on the model already used by S3NS, a Thales subsidiary, whereby Google Cloud software and services are operated on dedicated local infrastructure controlled by a local entity. In this case, Thales says it will be a new German entity, legally and operationally independent from Google Cloud, that will be staffed and managed by local German personnel. It is available in preview now and aims for general availability by the end of 2026. This new arrangement is perhaps because there are still doubts over whether the S3NS platform is entirely free from potential CLOUD Act interference. “The joint venture between Thales and Google - S3NS - offers (some) Google services on French sovereign infrastructure. The JV is owned for its vast majority by Thales, which is basically a French government-owned company. This legal configuration grants much better legal insulation and immunity from the CLOUD Act, although this is yet to be tested in court since Google still has a minority share,” Forrester's Maisto told The Register. The CLOUD Act worries have little to do with sovereignty in its strictest sense, he added, but rather with data privacy and data protection, which is regulated under the US-EU data privacy framework. Earlier this year, the European Commission awarded four contracts to Europe-based tech firms designed to advance cloud sovereignty in the EU, while spending on sovereign cloud infrastructure services is forecast to more than triple from 2025 to 2027. ®

The UK Post Office has awarded Accenture and OneView Commerce contracts worth £410 million to replace its troubled Horizon systems, which contributed to one of the most serious miscarriages of justice in British history. Accenture has won the bidding to replace incumbent supplier Fujitsu — which built the error-prone PoS and finance system starting from 1996 — on a so-called Walk In Take Over basis. It is set to stabilize services and upgrade software as it prepares for a complete business transformation and manages the migration to new SaaS. Its deal is worth £269 million for five years plus two optional single-year extensions, according to a procurement notice. The lesser-known OneView Commerce — a provider of retail and inventory management SaaS — has won the £141 million agreement to provide software to “transform [the Post Office's] retail technology platform to meet evolving business, operational, and customer requirements,” according to a tender notice. The system is set to be cloud-hosted, in an AWS or equivalent environment, and allows bespoke customization according to the Post Office's needs. It is expected to include ePOS, mobile services, customer engagement and insight, and self-service kiosks, among other features. The Post Office began rolling out the legacy Horizon IT system for accounting in 1999, along with two subsequent upgrades. From 1999 until 2015, around 736 subpostmasters were wrongfully prosecuted and convicted over errors resulting from the computer system, devastating lives in the process. A statutory inquiry into the mass miscarriage of justice launched in 2021 is ongoing. Its first report was published in July last year, finding that senior Post Office staff in the UK – and those working for suppliers Fujitsu and ICL – knew or should have known about the defects causing errors in the Horizon system. It also found that 13 lives were lost through suicide, most likely as a result of the Post Office prosecutions, in which Fujitsu assisted. In May 2025, the state-owned company gave up on its plan to build a replacement for Horizon in-house and launched the £410 million procurement process, which Accenture and OneView Commerce would win. Failed bidders included IBM and Escher Software, a provider of retail and ecommerce software. ®

A developer claims Google’s Gemini coding assistant deleted nearly 30,000 lines of working production code while making changes to a live application – the sort of productivity boost usually associated with ransomware. The now-viral Reddit post on the r/Bard subreddit details how Gemini 3.5 allegedly gutted large chunks of an application while working on a production codebase. According to the developer, the model broke core functionality, made sweeping unrelated changes, and left the system in bad enough shape that the changes ultimately had to be rolled back. The developer said Gemini repeatedly ignored instructions to preserve existing functionality while reorganizing the codebase. According to the post, Gemini opened a pull request touching 340 files that added roughly 400 lines of code while deleting 28,745 more. The developer claimed the model also removed unrelated e-commerce template assets and introduced a migration script that had nothing to do with the original request. The real damage allegedly came in a second commit, where Gemini modified Firebase routing settings and changed a rewrite service identifier to a value that looked correct but pointed traffic at a non-existent Cloud Run service instead. According to the developer, the mistake sent the entire production portal into 404 errors for 33 minutes. The thread quickly filled with developers sharing similar stories about AI coding tools going well off-script. One commenter described Gemini successfully solving several coding problems before deleting existing project files during its first commit after the user approved what they described as a flood of permission prompts. The result was a partially broken application and, as the commenter later summarized, “a disaster of a launch.” The wider comment thread was less sympathetic, as several users questioned why anyone was allowing AI coding agents anywhere near live production systems in the first place. One commenter wrote, subtly: “Why. WHY. WHY WHY WHY WHY WHY ARE YOU MORONS STILL RUNING [sic] AGENTS ON PROD?!??!!??!?!” According to OP, things reportedly became even messier after the rollback. The developer claimed Gemini generated a status message stating that production had been successfully restored and that traffic had been routed correctly, despite the referenced recovery build having been manually canceled. According to the post, the real fix came from a separate rollback deployment containing none of Gemini’s code. The post also alleges that Gemini generated fake “consultation” and post-mortem files inside the repository to make it appear the destructive changes had been properly reviewed and approved. According to the developer, Gemini later admitted that the consultation logs were entirely fabricated and generated solely to satisfy the project’s automated rule requirements. The behavior was ultimately traced back to a third-party npm package styled around Google’s Antigravity branding. The package allegedly seeded repositories with aggressive autonomy rules instructing the coding agent to avoid confirmation prompts, auto-deploy successful builds, automatically retry failed deployments, and even modify its own rule files when necessary. The incident lands amid a wider backlash against so-called “vibe coding,” the increasingly common practice of developers relying heavily on AI-generated production code while assuming the model understands the architecture better than it actually does. For now at least, the fastest thing about AI-assisted software development might still be the speed at which a perfectly functional production environment can be transformed into an outage report. ®

An 82-year-old grandmother who livestreams her Minecraft gameplay to raise money for her grandson's cancer treatment faced a potentially deadly swatting attempt this week. "Dozens" of armed police officers stormed the home of Sue Jacquot, known online as GrammaCrackers, on May 18 while she was sleeping. Officers were responding to a swatting threat – common hoaxes called in by viewers of livestreams. These incidents typically involve someone locating a streamer's home and calling the local police department, informing them of a bomb threat or similar, which often prompts a full-force response. While most swatting cases result in nothing more sinister than a few broken doors, some have led to serious injuries and fatalities. Jacquot, however, was just thrilled to experience being in the back of a police car for the first time and meet people she otherwise never would have had the swatting call not been made. "I was asleep, I was so asleep," said Jacquot, recounting the event. "I did not want to get up, and these policemen came in the door… the prettiest policewoman I've ever seen. The beautiful eyes. So sweet. But I think she could kick butt if she needed to. She was so sweet. And they walked me out, and I didn't know what was going on, but it was kind of fun. "And my kids and my grandkid, they were hugging me. You know, you can't get that much attention normally. I was getting all kinds of hugs. I was really eating it up. It was kind of fun. "And then I got to ride in the police car. I've never been in a police car before… and then it was all over. So I thought, well, I've got to go to bed. So, I took an ibuprofen and went to bed." According to Austin Self, Jacquot's grandson and brother of Jack, whose cancer treatment is being crowdfunded by his grandmother's livestreams, by the time he and other family members arrived at Jacquot's residence following the police raid, she had already gone back to sleep. Police officers and a fleet of SWAT vans remained outside at the time. By Self's reckoning, there were 20 police cars and five SWAT vans situated outside Jacquot's apartment. Both Self, of Queen Creek, Arizona, and Jacquot said the first responders treated the 82-year-old with great kindness, and were even asking for her signature. Officers who entered Jacquot's residence told her family that they were almost certain the call was a hoax, and as such did not use much force when entering her home via the garage. One male officer who entered Jacquot's apartment saw the livestreaming setup and from then on was so sure that the call was benign that he contemplated doing a little dance on camera, as the livestream was still running after the grandmother had gone to sleep, Self said. Unfazed, Jacquot restarted her livestream the following morning, traveled to the Nether, and harvested around 60 Nether warts to brew potions back at her Minecraft house. ®

Users of the Myspace93 parody web art site be warned: the dataset spilled after a reported breach in 2021 included the plaintext usernames and passwords of more than 46,000 registered users. The site's co-creator has blamed "trusted members" of a Windows93 Discord channel for the leakage. The figure of 46,000+ users is a recent estimate from HaveIBeenPwned (HIBP) - the web's go-to breach aggregator - which ingested the related data this week, more than five years after the January 2021 attack. In addition to the clear-as-day passwords and usernames, HIBP said email addresses and IP addresses were also among the exposed data. Myspace93 is an offshoot of the Windows93 project. They’re both websites that spoof the old social media network and operating system respectively, allowing users to experience them now that they’re long gone. Its co-creator, who only goes by the alias jankenpopp, or Janken, penned a note to the website’s users following the attack. Dated July 4, 2021, Janken explained that the breach came about after they shared a beta app with trusted members of the Windows93 Discord channel. According to Janken, those members betrayed the co-creator and used their access to the beta application to steal server files and gain access to an unencrypted credential store. “None of them alerted me immediately to what was going on,” Janken wrote. “On the contrary, they created a program to download our entire server, and it was only a week later that another honest user alerted me to the fact that these people were bragging about having the Myspace passwords. “They didn't want to tell me the truth, and it took me two days to get a confession from them: not only had they downloaded all the source files of Windows93 behind my back, but also the unencrypted file containing the passwords of more than 45k Myspace users. The group had also shared a download tool - along with instructions for using it - in their chat, and had posted numerous stolen files (unrelated to Myspace) across multiple platforms, said Janken. “I removed the .smash app from the server and called them to order. They whimpered and promised me on their honor to delete all the stuff and that things would not go any further. I believed them because at the time we were very close, we talked every day, and they regularly helped me to manage the community, to fix bugs, sometimes to code new features for Windows93 or to make the services more secure. I really trusted them back in the day and considered them part of my team. I blame myself for being so naive.” The MySpace93 website is still up and running for anyone who wants to revel in a little noughties internet nostalgia, but the ability to register an account and use the site as a social network is closed. Affected users should make sure they watch out for any reused passwords on other sites and switch on 2FA where they can. Janken said they had closed all the social network-related services across all the Windows93 offshoots as a result of the findings. ®

Vivaldi's eponymous browser has reached version 8, with a major revamp of the user interface. The company refers to the redesign as "Unified" and describes it as "a rethinking of how the Vivaldi interface works as a system." Where before the browser's core elements – tabs, toolbars, panels, and content – existed as separate layers, everything is now one single continuous surface. It's easy on the eye, though you can switch back to the previous design. The company has added several default themes and has a vast library of community-generated themes available. There are also layouts that can be selected during onboarding or in settings. These range from minimalist to fully loaded setups packed with Vivaldi's familiar controls and settings. Don’t come looking for a list of new features, though. Vivaldi has loaded up the browser with gizmos over the years, and the redesign highlights some of those. A recent example is the auto-hide feature, which removes browser fluff to show more content. The company wrote: "While the rest of the browser industry has spent recent years racing to force artificial intelligence between people and the web, Vivaldi has taken a different path, adding tools that give users more power to explore the web and decide for themselves. "One big, crazy strategy: putting the users first." That's not to say Vivaldi is AI-free, though CEO Jon von Tetzchner was less than complimentary about many of its applications in a January Register interview. The browser uses AI for translation, for example, but the company has not slathered the technology across the product in the way some rivals have. Microsoft's Edge, also a Chromium browser, recently received updates that removed Copilot Mode in favor of more built-in Copilot features. The assistant can look across multiple tabs, surface key details, and reason based on browsing history and past chats. Bruce Lawson, self-described Regulator Botherer at Vivaldi, told The Register: "Microsoft retiring Copilot Mode isn't a retreat, it's an escalation. They're not removing the AI, they're embedding it into the browser so deeply that it's everywhere, all the time, with no off switch. That's not a feature. That's a takeover. "Our stance is clear: when you outsource exploration to an artificial agent, you're not browsing anymore, you're being browsed." ®

Cisco has disclosed yet another perfect 10 vulnerability, this time warning that unauthenticated attackers could gain Site Admin privileges in its Secure Workload platform simply by sending crafted API requests to vulnerable systems. The bug, tracked as CVE-2026-20223, earned the full 10.0 CVSS treatment and affects Cisco Secure Workload Cluster Software in both SaaS and on-prem environments. According to Cisco's barebones advisory, the issue boils down to weak validation and authentication checks in internal REST API endpoints. In practical terms, that means attackers don't require credentials, user interaction, or any significant effort to exploit the bug. Cisco said a successful attack could allow remote attackers to "read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user." Cross-tenant bugs tend to make cloud customers especially twitchy because they undermine one of the core assumptions of multi-tenant infrastructure: namely that somebody else's compromise is not supposed to become your problem. Cisco noted that the flaw affects internal REST APIs rather than the platform's web management interface, although that distinction is unlikely to bring much comfort to admins staring at a 10.0 severity score. The networking giant said there are currently no workarounds, and customers must install fixed releases to fully remediate the issue. Cisco Secure Workload 3.10 is fixed in version 3.10.8.3, while 4.0 is fixed in 4.0.3.17. Customers running version 3.9 or earlier are being told to migrate to a supported fixed release. Cisco added that its cloud-hosted SaaS deployments have already been patched and require no customer action. Cisco said it is not aware of active exploitation and that the flaw was discovered during internal security testing, though vulnerabilities carrying a 10.0 score and requiring no authentication rarely stay quiet for long. The bug lands less than a week after Cisco disclosed another maximum severity flaw affecting SD-WAN systems that could allow attackers to grant themselves administrator privileges, continuing what is becoming an increasingly awkward run of top-scoring Cisco security advisories. The company has spent much of the past year disclosing one 9.8-plus infrastructure flaw after another across products spanning firewalls, management platforms, identity systems, and enterprise networking gear. At this point, Cisco seems to be treating 10.0 CVSS scores as a recurring feature rather than a special occasion. ®

Apple has previewed a new batch of accessibility features coming later this year, with Apple Intelligence being used to improve Voice Control, VoiceOver, Magnifier and generated subtitles across its devices. The announcement came ahead of Global Accessibility Awareness Day, which falls today as we publish this article, on Thursday, May 21, and is the annual moment when technology companies often set out new work on digital access and inclusion. The most interesting change for anyone who relies on hands-free access is an update to Voice Control. Apple says users will be able to describe onscreen controls in more natural language, rather than having to remember exact labels, overlays, or rigid commands. Examples given by Apple include phrases such as “tap the guide about best restaurants” or “tap the purple folder.” The company also says the feature could help when app controls are not labelled properly for accessibility. That may sound like a small change, but for disabled people who use voice as their main way of operating an iPhone or iPad, it could make a real difference. Voice Control is already one of Apple’s most important accessibility tools, but it can still be brittle. If the wording does not match what the system expects, the command can fail. A more flexible “say what you see” approach could make voice navigation feel less like issuing machine instructions and more like asking for what you want. Apple says Voice Control powered by Apple Intelligence will be available in English in the UK, US, Canada and Australia later this year. However, Apple’s announcement specifically describes the new natural language navigation as helping people navigate iPhone and iPad by voice, with no clear mention of Mac support for this particular Voice Control update. That absence is important. For many people who rely on Voice Control, the Mac is not a secondary device. It is where longer writing, work, email and publishing happen. If natural language Voice Control launches first on iPhone and iPad only, Mac users may still be left waiting for the AI-assisted voice access that would help most with daily work. VoiceOver, Magnifier and generated subtitles get Apple Intelligence treatment Apple is also using Apple Intelligence to improve visual description tools. VoiceOver’s Image Explorer will provide more detailed descriptions of images, including photos, scanned documents and other visual content. Apple also says users will be able to ask follow-up questions about what appears in the iPhone camera viewfinder. Magnifier will gain similar AI-powered description features, along with spoken controls such as “zoom in” and “turn on flashlight.” There is a new generated subtitles feature for videos that do not already include captions. Apple says this will use on-device speech recognition and work across iPhone, iPad, Mac, Apple TV, and Apple Vision Pro. For deaf and hard-of-hearing people, that could be useful. It may also help anyone dealing with personal videos, shared clips or online content where captions are missing. However, generated subtitles will initially be limited to English in the US and Canada. Vision Pro moves into wheelchair control One of the more striking announcements is a new Apple Vision Pro feature that will allow compatible power wheelchair drive systems to be controlled with eye tracking. Apple says the feature will support Tolt and LUCI alternative drive systems in the United States, using Bluetooth or a wired connection. For some powered wheelchair users who cannot operate a joystick, that could be valuable. Wheelchair control is not a niche issue for the people affected by it. It is about independence, safety and the basic ability to move through the world. But there are obvious practical questions here, starting with Vision Pro itself. As a full-time electric wheelchair user, I would not be seen dead driving down my high street wearing an Apple Vision Pro headset. It is bulky, heavy and visually conspicuous. More seriously, I would not want to see severely disabled people expected to wear one for long periods to control a wheelchair, especially when many already deal with fatigue, posture problems, respiratory weakness or limited head and neck strength. Cost is another barrier. Many disabled people live in poverty, and the Apple Vision Pro’s UK starting price of £3,499 (the Stateside starting price is slightly lower at $3,499 ) would put it out of reach for many. That would come on top of the cost of any compatible wheelchair drive system, support, setup, and maintenance. A feature can be technically impressive and still remain impractical if the hardware required is far too expensive. That does not make the announcement unimportant. It may be most interesting as a sign of where the technology could go next. I would look at this very differently if the same kind of eye-control system eventually arrived on more traditional Apple smart glasses: lightweight, socially acceptable and practical to wear for long periods. That is where the idea could become more useful for people who struggle to use a wheelchair joystick. Vision Pro may be the early test bed, but lightweight glasses could be the form factor that makes this kind of wheelchair control usable. For now, this looks like an early and specialist step. Wheelchair control is safety-critical, so it will need careful testing, strong safeguards and real-world feedback from disabled people before anyone can judge its value properly. I am glad Apple is looking at the issue. The current implementation may not be practical for many people, but the underlying idea deserves attention. Apple is moving in the direction some of us asked for Calls for a smarter Voice Control are not new. In 2023, I wrote for The Register that Apple needed to bring more AI into Voice Control, especially to improve dictation accuracy and support people with non-standard speech. At the time, I argued that Personal Voice showed Apple already had some of the underlying technology to understand an individual voice more deeply. The obvious question was whether that intelligence could be applied to recognition as well as voice generation. Apple now appears to be taking a step in that direction, but with navigation rather than dictation. That is still useful. Voice Control needs to become less rigid if it is to serve people who depend on it every day. But it leaves a larger issue unresolved. Apple still has a dictation gap to close The wider voice-accessibility picture is now complicated. Apps such as Aqua Voice have shown how good AI-powered dictation can be. For many people, these newer tools are far more accurate and natural than traditional built-in dictation systems. They are especially strong at turning spoken thoughts into clean text without the user having to micromanage every comma and correction. But dictation is only half the problem Apple’s Voice Control is still one of the few mainstream tools that can control the operating system itself by voice. It can open apps, tap buttons, select menus, scroll pages and move around the interface. Third-party AI dictation apps may be better at writing, but they do not have the same deep system access. That leaves disabled people in an odd place. The best dictation experience may come from one app, while the best hands-free control still comes from the operating system. For people who cannot easily touch a screen, keyboard or mouse, the ideal future is not choosing between accurate dictation and reliable control. It is having both work together. That is why this Voice Control update is worth watching. It suggests Apple is starting to apply newer AI methods to one of its most important accessibility tools. But the next step should be more ambitious: a system-level way for advanced dictation and accessibility controls to work together. Whether Apple builds this itself or opens up deeper accessibility APIs for trusted apps, the goal should be the same. Users should be able to dictate accurately, correct text, move around apps, press buttons, send messages and control the operating system without switching between separate voice tools. Call it Universal Accessibility Control, or simply the next generation of Voice Control. The name matters less than the result: one joined-up voice experience that combines accurate dictation, command recognition and hands-free navigation. For now, Apple appears to be improving navigation before it tackles the harder dictation problem. Reliability will decide it Apple’s announcement also includes larger text support on tvOS, expanded Name Recognition, new FaceTime APIs for sign language interpreter apps, Vehicle Motion Cues for Vision Pro, and wider support for adaptive gaming controllers. But the Voice Control update is likely to attract the most attention from people who rely on hands-free access. Apple has not announced a major Siri accessibility overhaul here. Nor has it announced major changes to Personal Voice, Vocal Shortcuts or atypical speech recognition in this particular update. The company also has not said whether it plans to make Apple Watch more accessible to disabled people with severe upper limb disabilities. Natural language Voice Control could be valuable if it works reliably. For disabled people, accessibility features are not just nice additions. They are often the difference between using a device independently and not using it at all. The announcement is encouraging, coinciding with Global Accessibility Awareness Day. But Apple should not stop at making Voice Control more conversational. The larger task is to treat dictation, correction and navigation as parts of the same workflow. The test comes later this year, when disabled people can try these features in daily life. The longer term question is whether Apple can turn this first AI step into a fuller model of hands-free computing. ®

Microsoft on Wednesday open-sourced two AI tools designed to help developers and security teams build and maintain safer AI agents. The first is called RAMPART, which stands for Risk Assessment and Measurement Platform for Agentic Red Teaming. It’s a pytest framework for agentic AI applications built on Microsoft’s open‑source PyRIT toolkit that embeds automated red‑team tests into CI/CD pipelines. This allows developers to simulate real‑world attack scenarios - like prompt injection - and verify that agents stay within approved tool use, actions, and behavioral boundaries. It also supports statistical trials, meaning that teams can set policies such as “this action must be safe in at least 80 percent of runs,” to account for models’ probabilistic behavior. Plus, it allows red teams and incident responders to reproduce any AI security findings to ensure agents behave as intended - and that security mitigations work as they should. “It’s high time we stop talking about AI safety as a philosophy and start thinking about AI safety as an engineering discipline,” Ram Shankar Siva Kumar, Microsoft’s data cowboy and founder of its AI red team, told The Register. Microsoft has been using RAMPART internally, and while Kumar said he couldn’t provide specific details, he told us that a security researcher found an issue, and then the Redmond red team used RAMPART to test for the flaw across the agentic AI application. “RAMPART was able to take that one particular vector and find close to 100 different variants of that vector,” Kumar said. “And then we were able to use RAMPART to essentially go through this asset and see is this working, not just one time, not two times, but close to 300 times. We were also able to do in the context of multi-turn conversations.” The testing framework also allowed the developers to build mitigations into the product. “They were again able to use RAMPART to see if that remediation actually held water, not just against one vector, which the security researcher found, but multiple variations of those vectors,” Kumar explained. “This is empowering our incident responders and also our engineers.” The second AI tool that Microsoft open-sourced on Wednesday is an agent called Clarity, and it’s designed to serve as a “structured sounding board that helps teams figure out whether they are building the right thing before they write a single line of code,” according to a Wednesday blog that Kumar wrote about the two new tools. For example, say a developer wants to add real-time collaboration to a document editor. They tell Clarity this, and the agent responds with questions akin to what “experienced architects, product managers, and safety engineers would ask,” according to Microsoft. Clarity’s answers, as shown in a screenshot on GitHub: “Before we design that - what happens when two people edit the same paragraph at the same time? Do you need true real-time (cursors, presence), or is ‘no one loses work’ the actual requirement? Those lead to very different architectures.” The AI tool essentially aims to answer what problem the developer is trying to solve with an app, and what could possibly go wrong, and “talk” these issues out before the coding even begins. “It’s inherently collaborative,” Kumar said. “It helps the team take a step back, and say, ‘Hey, before we build this, are we going in the right direction? Because code is cheap. It takes a snap of a finger to generate a full system. Are we doing this in a way that makes sense?'” ®

Flagship tech projects such as the ID card scheme are at risk of failure unless the UK government changes its approach to legacy systems – which evidence shows is getting worse, a new think tank report claims. Re:State, a non-partisan policy unit focused on public service reform, says much of the government's ambitions for digital services and efficiency depend on "modern, interoperable systems." However, the problem of legacy systems is underestimated, it claims. "In Westminster the money doesn't get prioritized for tech, and so behind the scenes successive governments have neglected to fix many dangerously outdated systems, leaving a ticking time bomb for future generations to defuse," said Joe Hill, co-author of the report, director of Strategy at Re:State and former Treasury civil servant. Examples are not hard to find. They include problems migrating the Police National Database to the cloud, the scandalous data breach revealing the names of Afghan informants, and a creaking farm payments system. The problem lies in departmental control of legacy system remediation and the funding model for those projects. The Re:State report, From legacy to leadership [PDF], says that funding comes in two forms: crisis funding or maintenance funding. "Systems aren't transformed unless they fail in substantial ways. The result is that the gap between what systems can do and what services require widens each year. Departments fall behind with out-of-date technology stacks by relying on aging platforms that constrain service design, data use, and automation, which leaves them with ever more catch-up to play at a later date as operational urgency rises," it states. Much of the report relies on data from the State of Digital Government Review 2025, which found lost productivity from legacy IT cost 4-7 percent of annual public sector spending, holding back both productivity and public satisfaction. That review found the proportion of legacy systems in central government was around 28 percent. It ranged from 10 to 60 percent, depending on department, and had increased by 26 percent since 2023. Of those legacy systems, 22 percent were considered "red-rated," meaning they carried risks judged both highly likely and high impact. The proportion of red-rated systems had also increased. The scale of the problem and its embedded nature means that continuing with a department-led approach to tackling the legacy system problem won't work, the paper argues. Because there is little reward for prioritizing reduction in reliance on legacy systems, departmental leaders tend to focus on broader transformations, which come with more incentives and rewards. Budgeting is also a problem. Tech funding is awarded based on projects, rather than services, which makes underinvestment likely in two ways. "Firstly, because core operating costs of existing legacy technology have to constantly be reapproved as projects, making it easier to negotiate technology investment down in favour of other areas. And secondly, because it allows policymakers to plan additional investments in new technology like AI without thinking about investing in the underpinning services, which often have legacy IT components," the report adds. A new central government "Digital Modernization Taskforce" with a mandate to reduce systemic legacy risk and embed prevention, is one solution proposed. The report also proposes to tackle funding. "When central government investment is available for a particular kind of spending, such as legacy IT, interviewees for this paper felt that could disincentivise departments to make their own investments instead of 'waiting to see if [the Department for Science, Innovation and Technology] will fund the risk instead,'" the report states. "Instead, the Taskforce should adopt a 'match funding' model – using centrally allocated funding at the next Spending Review to match the amount that departments put into their own legacy IT transformation projects, in order to speed those up." The report has five other ideas for how the government can escape the deepening quagmire of legacy IT, including new approaches to procurement and supplier management. Welcome they might be, but with the government seemingly fixated on headline-grabbing announcements, only an optimist would expect to see them in action. ®

The UK government has upped the maximum value of a health service AI framework agreement by £600 million following a conversation with tech suppliers. The National Health Service's Shared Business Services (NHS SBS), a purchasing quango under the Department for Health and Social Care, recently launched a competition for places on a framework for NHS AI and robotics worth a maximum of £750 million excluding tax. Back in January 2025, the same procurement was priced at a maximum of £150 million, excluding tax, in an early market engagement with suppliers. An NHS SBS spokesperson said: “As with all our framework agreements, we conducted an extensive intelligence gathering exercise whilst bringing this framework to market. During this, both suppliers and customers indicated that a higher threshold was appropriate, and this has been approved by NHS England, the Cabinet Office and the Department for Science, Innovation and Technology.” The competition seeks to attract suppliers offering a broad sweep of AI and robotics systems. A framework deal offers suppliers an indicative amount of spend in return for pre-agreed prices. NHS SBS can charge a levy on all deals agreed under the framework. The recent procurement note says the procurement recognizes “the transformative potential of AI in addressing current and emerging healthcare challenges, from improving diagnostic accuracy and clinical decision-making to streamlining operational processes.” The shopping list for AI tech is split into eight lots. They include Radiology and Diagnostic Imaging, where the authority calls for “AI-powered radiology tools, medical imaging diagnostic platforms, and integrated imaging software solutions designed to support clinical decision-making and image-based diagnostics.” Standing out from the list is Virtual and Robotic Health, a lot which “covers innovative solutions that are transforming the healthcare landscape by enhancing clinical capabilities, improving patient care, and driving operational efficiency.” The tender also seeks AI tech for operational efficiency. It wants “platforms designed to enable data capture, analytics, and workflow automation to drive operational efficiencies within NHS and public sector environments.” At face value, these may seem like reasonable aspirations, but it’s also worth pointing out that they don't fully reflect what capabilities the NHS is looking for through this procurement or how success or failure would be measured. Meanwhile, £750 million is a lot of money, especially considering NHS resident doctors – an early-career specialist training role – are still seeking pay restoration after a decline in earnings of around 21 percent in real terms since 2008. UK government as a whole has pegged its hopes on AI to help extract it from an especially painful fiscal hole. The promise of tech investment in the NHS is just one strand of a thread through a cross-public sector approach which could save the public sector £45 billion, the government claimed. Experts later told MPs the figure was based on broad-brush guesswork. UK taxpayers might hope the latest NHS spending vehicle is built on a more sturdy design. ®