news aggregator

Students around the world have an excuse to bunk off after hacking crew ShinyHunters did something nasty to educational SaaS Canvas. Canvas is widely used by schools and universities to communicate with students, publish and store course material, and collect assignments. An outfit called Instructure develops the software and an entry on its Status Page dated May 2 features Chief Information Security Officer Steve Proud stating the org "recently experienced a cybersecurity incident perpetrated by a criminal threat actor." "We are actively investigating this incident with the help of outside forensics experts. We are working quickly to understand the extent of the incident and actively taking steps to minimize its impact," he added. Numerous posts report that attempts to log into Canvas earlier this week failed, but did produce a notice from an entity claiming to be the notorious hacking crew ShinyHunters, who claimed the outage was only possible due to lax patching. The crew also claimed to have stolen data from institutions that use Canvas and threatened to leak it unless a "settlement" is reached by May 12. Canvas has thousands of customers, meaning any confirmed breach could have wide impact. As of Thursday evening US time, Canvas says its wares are now available "for most users" and won't offer further comment. A student of The Register's acquaintance – OK, one of my kids – shared an email advising that his uni has prevented access to Canvas while it tries to understand the situation and the risk of data leakage. We've seen multiple universities posting notices about the incident that say more or less the same thing. Most also warn students of heightened phishing risk and urge caution. Several also advise that as they require students to lodge assignments in Canvas, students can assume they have an extension on deadlines. Your correspondent's offspring does not mind this one little bit. This is an evolving story. The Register will update it as more information becomes available. ®

Meta appears to have decided Britain's Online Safety Act would be much easier to swallow if Ofcom stopped counting all the money the social media giant makes everywhere else. The Facebook and Instagram owner has launched a legal challenge against the UK comms regulator, arguing that the way Ofcom calculates fees and potential penalties under the Online Safety Act is fundamentally wrong because it relies on global turnover rather than UK-specific revenue. The law allows Ofcom to fine companies for up to 10 percent of their qualifying worldwide revenue, or £18 million, whichever is higher. For Meta, which brought in about $201 billion last year, that means the numbers stop sounding like regulatory penalties and start sounding like national infrastructure projects. Meta is now seeking a judicial review in the High Court over how Ofcom defines "qualifying worldwide revenue." The dispute boils down to three complaints. First, Meta argues that Ofcom should only consider UK revenue tied to regulated services, not the company’s global income. Second, it objects to rules that treat multiple services under the same corporate umbrella as jointly liable, potentially exposing the wider organization to larger penalties. Third, it is challenging how Ofcom aggregates revenue across services rather than assessing them individually. An Ofcom spokesperson told The Register: "Meta have initiated a judicial review in relation to online safety fees and penalties. Under the Online Safety Act, these are to be set with reference to a provider's 'Qualifying Worldwide Revenue', which we have defined based on a plain reading of the law. "Disappointingly, Meta are objecting to the payment of fees, and any penalties that could be levied on companies in future, that are calculated on this basis. We will robustly defend our reasoning and decisions." A Meta spokesperson told The Register: "We are committed to cooperating constructively with Ofcom as it enforces the Online Safety Act. However, we and others in the tech industry believe its decisions on the methodology to calculate fees and potential fines are disproportionate. We believe fees and penalties should be based on the services being regulated in the countries they're being regulated in. This would still allow Ofcom to impose the largest fines in UK corporate history." The case marks the latest flare-up between Silicon Valley and Britain over the Online Safety Act, which has already triggered complaints from US politicians, free speech campaigners, and tech firms unhappy about the scale of Ofcom’s new powers. The regulator has not been shy about flexing them either. It has already threatened action against Elon Musk's X over sexually explicit AI-generated images linked to Grok and, in March, issued its first fine under the regime against 4chan. Meta appears to have looked at where that enforcement road leads and decided now was the time to argue about the math. ®

EPISODE 9 It's 3:30 am and I'm at work, having been woken up by numerous outage notifications. The Boss – as useful as Jason Statham's method acting coach – is also on site, presumably to offer moral support. The Building Manager – who's so old that his CV likely includes the construction of a vessel for the shipping of pairs of animals – is nowhere to be seen. The PFY is also absent. His excuse will likely be that he "accidentally" put his phone into silent mode. Had any of the alerts been from his rack of Bitcoin mining machines, however, he'd have been in the office in a flash. Security appears to be hard at work protecting the couches in the foyer of the building from being stolen. The rest of the building is in darkness – save for the shining beacon that is Mission Control. "What's happened?" the Boss asks. "Power outage," I reply. "Do we get someone in for that?" "Only if we want to wait till 9am to call our electrical contractors, who'll agree to turn up between 9 and 5 sometime in the next two weeks." "So what do we do?" "We go to the basement!" I reply, "but first we need THE KEYS". "The keys?" "No. THE KEYS." "What are THE KEYS?" he asks. "THE KEYS are what ex-local government buildings like this have for access to places you're not supposed to go. They're for the rooms you 'accidentally' show people if you think they're planning a hostile takeover of the company. You open the door and say something like 'I'm pretty sure that's not asbestos' or 'Why would we have needed all those leaky drums of 2,4,5-Trichlorophenoxyacetic acid ?'" "Are the rooms dangerous?" "Not if you keep the doors closed." "So what are you going to do?" "I'll open a couple of the doors." ...Five minutes later in the basement... "Oooh, there's a clue," I say to the Boss, pointing. "A Bakelite – or, to be specific, phenolic – label. Circa 1970s. There's bound to be something horrible behind that door." >creak< ... >slam< "Moving on," I say. "What was behind the door?" "Something horrible. We're not talking 'three-hour Richard Stallman monologue' horrible, but it was pretty bad. Anyway, let's try door number two." >creeeeeeak< "Ah, now this is promising. Cables from the ceiling. Unless they're snakes." "SNAKES!" the Boss gasps. "Nah, just cables. And, look, ALL METAL service breakers – and not a speck of safety-oriented insulation to be seen!" "What does that mean?" "It means life was cheap back in the '70s. Now, see those four massive breakers, all pointing to the Bakelite ON position, and one ABSOLUTELY MASSIVE breaker over there, in the OFF position?" "Yes. Do we just turn it on?" the Boss asks. "Only if you want to save your loved ones the cremation fees." "?" "The smaller breakers are three-phase 1,000-amp units, but that big one's a 5,000-amp unit. Designed for the days when offices were crammed with people and bar heaters." "So what do we do?" the Boss asks. "We get a broom. A wooden broom. A DRY wooden broom. Then we turn OFF all the massive breakers, then turn ON the REALLY massive breaker." ...Two minutes later... "Is this safe?" the Boss asks nervously. "Not even slightly," I say, brandishing the broom. >CLACK!< >CLACK!< >CLACK!< >CLACK!< "That wasn't so bad," the Boss sighs. "We're not to the good part yet. But maybe you want to move away a little bit." "How far?" "The third floor would be wise, but the doorway will do." .... >CLUNK!< ... "So we're... OK then?" the Boss asks. "In the words of Karen Carpenter, we've only just begun. Now we have to turn all of those smaller breakers on again, one of which will likely trip the massive breaker." "Is that a problem?" "The really massive breaker's over 50 years old, covered in rust, and has probably only ever tripped from a fault once. The miracle here is that it did so without exploding." "So?" "So, sometimes you've just got to spin the potato," I say, raising the broom again. >CLACK!< ... >CLACK!< ... >CLACK!< ... ... >CLACK!< "It worked!" the Boss gasps happily, as light returns to the building. "Yeeeessss," I say, leading the Boss out of the room and shutting the door as quickly as I can. "You... don't seem happy?" "No. There's a fair chance that whatever tripped the big breaker will trip it again the next time whatever it is star-" >FZZZZZ< >CLUNK< "Oh," the Boss says, disappointed. "Do we switch it back on again?" "Did you hear that buzzing sound before the lights went out?" "Uhhh, yes. What does that mean?" "It means we need to (a) go upstairs, (b) turn off the power to a rack of very noisy machines, and (c) switch our phones to silent and pretend we've never been here..." BOFH: Previous episodes on The RegisterThe Compleat BOFH Archives 95-99

Lego has released a set to coincide with the Project Hail Mary movie, and it's a clever bit of Technic-style engineering, even if the price is a little high. Usually, we only look at Lego builds of real objects – think Concorde and the recent Artemis set. However, having enjoyed Andy Weir's Project Hail Mary (the book more than the film), I was keen to see what Lego had done with its license. The answer is: it's good, but a bit pricey. The 830-piece set comprises a model of the eponymous spacecraft, a minifig-scale Ryland Grace, and Lego's version of the Rocky character. It also, thankfully, does not have the stickers that have blighted recent Lego sets. This set is not cheap, though Lego has at least invested in some pre-printed components rather than making customers fiddle with sticky transfers that invariably end up looking awful. Lego lists the set's age as 18+, which I'd quibble with. It's a lengthy (at least in terms of steps) but straightforward build. Budget around half a day to a full day for building it, depending on your skill level and how often little bits of Lego get flung around the room. Starting with the spacecraft, it's worth emphasizing that this is essentially a Technic set. If Technic components aren't your thing, this set isn't for you. However, persevere, and it is difficult not to be impressed with the design work. As the spacecraft comes together, so the mechanism reveals itself. Turn a crank, and the crew modules slide out before the entire spacecraft rotates to simulate gravity. Turn the crank in the opposite direction to return the crew modules. No, it's not like the book, but it is like the film, which deviates from the book in several other places too. We'd be tempted to fit a motor to achieve smoother rotation. The spacecraft is mounted on a stand that also includes a place for the Grace minifigure and the Rocky character. Both have pre-printed accessories, such as a tape measure, which will be familiar to those who have seen the film. It's a fun build and an impressive bit of Technic design. The elephant in the room, however, is cost. At £99.99 in the UK, this is not cheap. Certainly not when compared to the Artemis Technic set, which retails for £54.99. Turn the crank there, and the SLS rises, boosters separate, and Orion heads off to the Moon. Yes, there are fewer pieces (and some stickers to deal with), but for our money, it's a better value set. However, if you're a fan of Weir's book or the movie adaptation, there's a lot to like here, and the Technic designer deserves an award for making the mechanics of the spacecraft work. If only it were a little cheaper. ®

BORK, BORK, BORK! There was a time when information boards were handwritten or paper-based affairs. Then departure information was shown on split-flap displays, which made a satisfying tick sound as the display changed. Pixel-based boards followed (we took a look at the excellent take-home-and-keep versions by UK Departure Boards in 2024, but, with the inevitability of death and taxes, Windows of course had to get involved, which brings us to this unhappy example spotted in a Northampton bus station by a Register reader. "This poor main display announcing bus times has been dying for a while," our reader said. "The time has been out by 3-4 minutes, meaning any passenger trying to get somewhere on time would have missed their bus. Now its time info software is not loading." The screen looks like Windows 10 is running in the background, but instead of helpful information for customers taking a bus journey, there's just the default Windows desktop background and a few forlorn icons. The screen has been fitted with spikes to prevent birds from perching and leaving deposits, no such luxury has been afforded to the software. Somebody crueler than us might suggest this is because no feathered friend would deign to perch atop Microsoft's finest, or that a healthy dose of bird droppings could only improve the appearance of Windows. The bus station in question is Northgate, a relatively recent addition to Northampton's architectural landscape, opened in 2014. Windows 10 was released the following year and now clings, limpet-like, to the information boards. Our reader's comment that the display appears to be wheezing its last is, of course, nothing to do with Microsoft's fervent wish that Windows 10 would hurry up and die so that it can notch up more Windows 11 users. The question is, would Northampton's avian chums be any keener on the display if it were running the latest and greatest? Certainly, Windows 11 could use some improvements. Even Microsoft has admitted as much, but we're not sure the rear of a bird is where those improvements should come from. ®

No week at The Register is complete without a new installment of On Call, the reader-contributed column in which you share tales of the peaks and troughs of the tech support experience. So let's get going and meet this week's contributor, who we shall Regomize as "Gerald." He took us back to an early moment in his career, when he worked for an outfit that configured Windows 98 PCs as "data collectors" for its clients. As part of his job, Gerald built PCs and provided field support. In this story, he built a new data collector, checked that it worked with the usual round of tests, and left it for someone else to install because he had another job to do elsewhere for a different client. That visit was interrupted by his boss, who Gerald said "reamed me out for allowing a non-functional system to leave the shop." After the criticism stopped, Gerald's boss ordered him to fix the stricken PC, ASAP, even though it was 100 km away by car. "The boss man said go, so I went," Gerald told On Call. "About an hour and a half later, I arrived to diagnose the recalcitrant PC. The client was literally hopping mad and asking how I could be so stupid, because his firm was losing money." Gerald got to work and inspected the PC, which was on the shop floor, connected to power and peripherals. It booted and worked well but couldn't reach the network. "A check of devices installed showed the network card," Gerald reported, "and a ping to home worked... but nothing outside the box itself was reachable." Gerald decided the only thing to do was take the PC back to the office for more tests, so he started unplugging the peripherals. "Out came the power cord, display cable, keyboard, mouse..." and then he noticed the network cable wasn't plugged in. "It was neatly coiled and taped to a support column," Gerald told On Call, making it very easily fixed – and quite the embarrassment for the angry client and boss. Have you been abused for a customer's error? If so, click here to send On Call an email so we can share your story on a future Friday. ®

Wired describes the recent Canvas breach as an unusually disruptive ransomware-style extortion incident because one attack on Instructure's learning platform temporarily paralyzed thousands of schools during finals and end-of-year assignments. The hackers using the "ShinyHunters" name claim more than 8,800 schools were affected, while Instructure says exposed data included names, email addresses, student ID numbers, and platform messages. From the report: Higher education has long been a target of ransomware gangs and data extortion attacks. But never before, perhaps, has a cyberattack against a single software platform so thoroughly disrupted the daily operations of thousands of schools across the United States. The widely used digital learning platform Canvas was put into "maintenance mode" on Thursday after its maker, the education tech giant Instructure, suffered a data breach and faced an extortion attempt by attackers using the recognizable moniker "ShinyHunters." Though the hackers have been advertising the breach and attempting to extract a ransom payment from Instructure since May 1, the situation took on additional immediacy for regular people across the US and beyond on Thursday because the Canvas downtime caused chaos at schools, including those in the midst of finals and end-of-year assignments. Universities like Harvard, Columbia, Rutgers, and Georgetown sent alerts to students about the situation in recent days; other institutions, including school districts in at least a dozen states, also appear to have been affected. In a list published by the hackers behind the attack on their ransom-focused dark web site, they claim the breach affected more than 8,800 schools. The exact scale and reach of the breach is currently unclear, though. And the fact that Canvas was down throughout Thursday afternoon and evening further complicated the picture. In a running incident update log that began on May 1, Steve Proud, Instructure's chief information security officer, said that the company had "recently experienced a cybersecurity incident perpetrated by a criminal threat actor." He added on May 2 that "the information involved" for "users at affected institutions" included names, email addresses, student ID numbers, and messages exchanged by users on the platform. The situation was ultimately marked as "Resolved" on Wednesday, with Proud writing that "Canvas is fully operational, and we are not seeing any ongoing unauthorized activity." At midday on Thursday, though, the Instructure status page registered an "issue" where "some users are having difficulties logging into Student ePortfolios." Within a few hours, the company had added another status update: "Instructure has placed Canvas, Canvas Beta and Canvas Test in maintenance mode." Late Thursday evening, the company said that Canvas was available again "for most users." TechCrunch reported on Thursday that the hackers launched a secondary wave of attacks, defacing some schools' Canvas portals by injecting an HTML file to display their own message on the schools' Canvas login pages. According to The Harvard Crimson, attackers modified the Harvard Canvas login page to show a message that included a list of schools that the hackers claim were impacted by the breach. The message from attackers "urged schools included on the affected list to consult with a cyber advisory firm and contact the group privately to negotiate a settlement before the end of the day on May 12 -- or else risk their data being leaked," The Crimson reported. "It is unclear what information tied to Harvard affiliates was included in the alleged breach."

Read more of this story at Slashdot.

Cloudflare has revealed it will farewell 1,100 staff, due to its current and future use of AI. In a blog post that oozes Orwellian “doublespeak,” CEO Matthew Prince and President/COO Michelle Zatlyn used the headline “Building for the future” to share the email they sent to all employees. That mail opens: “We are writing to let you know directly that we’ve made the decision to reduce Cloudflare’s workforce by more than 1,100 employees globally.” The post explains, “Cloudflare’s usage of AI has increased by more than 600% in the last three months alone. Employees across the company from engineering to HR to finance to marketing run thousands of AI agent sessions each day to get their work done.” All that AI means “we have to be intentional in how we architect our company for the agentic AI era in order to supercharge the value we deliver to our customers and to honor our mission to help build a better Internet for everyone, everywhere.” Sackings are therefore needed, and are “about defining how a world-class, high-growth company operates and creates value in the agentic AI era.” To rub salt into the wounds of sacked staff, the email went out not long before Cloudflare announced quarterly results that included 34 percent year-over-year revenue growth and guidance for 30 percent future growth. Prince opened the company’s earnings call by stating “We had a very strong start to 2026.” Analysts on the earnings call asked Prince to explain the layoffs and whether they will make Cloudflare stronger. “We have seen that there are roles at Cloudflare that are not the roles we need for the future,” Prince responded. “Just because you are fit does not mean you cannot get fitter. Over the last six months especially, the productivity gains from the people directly talking to customers and directly creating code have been incredible, and a lot of the support roles behind them are not going to be the roles that drive companies going forward.” The CEO said Cloudflare has “always lived a little bit in the future” and said the company is an early beneficiary of AI. And he said the company will keep hiring. “The people embracing these tools are so much more productive than we have ever seen before,” he said. “I would guess that in 2027 we will have more employees than we did at any point in 2026, but the roles are changing dramatically, and you have to do something dramatic to make that shift.” “This is not about downsizing or saving costs,” Prince said. “This is about having the right people in the right roles to build the future.” As is often the case these days, the email to staff warned them of a brief doomsday countdown. “Within the next hour, every member of our global team will receive an email from both of us clarifying how this change affects them,” the message states. “For those departing today, we will send this update to both their personal and Cloudflare addresses to ensure they receive the information immediately.” The Register imagines that went down well for workers in time zones where employees might avoid their work email outside 9-5, but sneak an early-morning-or-late-night-glance at their personal inboxes. Prince and Zatlyn told employees they hope “to do this only once” and then contradict themselves by saying they “don’t want to do it again for the foreseeable future.” “By taking decisive action now, we provide immediate clarity to those departing and protect the stability of the team that remains,” they wrote, before adding their view that one deep cut because “dragging a reorganization out over multiple quarters creates prolonged emotional uncertainty for employees and stalls our ability to build.” Firing 1,100 people is therefore “the right thing to do; it’s the honest thing to do; and it reflects the values of the company we are continuing to build.” ®

An anonymous reader quotes a report from Business Insider: As the trial between Elon Musk and OpenAI ended its second week, the Tesla CEO started scoring points against Sam Altman. His witnesses landed three solid punches in testimony about how Altman runs OpenAI as CEO, raising concerns about his dedication to AI safety, the nonprofit's mission, and his honesty as a leader of the organization. [...] This week, Musk's legal team called a parade of witnesses who questioned whether Altman was acting in the interest of the nonprofit. On Thursday, that included a former OpenAI safety researcher, who described a slow erosion of the company's safety teams, which prompted her to leave the company. Witnesses also shared stories about the company launching products without the proper safety reviews -- or the knowledge of the board. Rosie Campbell, a former AI safety researcher at OpenAI, testified that the company became more product-focused during her time there and moved away from the long-term safety work that had initially drawn her in. She said both long-term AI safety teams were eventually eliminated, and that she supported Altman's reinstatement only because she feared OpenAI might otherwise collapse into Microsoft: "It was my understanding at the time that the best way for OpenAI to not disintegrate and fall about would be for Sam to return." Still, Campbell's testimony wasn't entirely favorable to Musk. She also said xAI, Musk's AI company, likely had an inferior approach to safety than OpenAI. Helen Toner, another former OpenAI board member, also testified about the board's concerns leading up to Altman's removal. She said the board was not primarily worried about ChatGPT's safety, but about Altman's leadership and investor relationships, saying, "The issues that we were concerned about in our decision to fire Sam were exacerbated by relationships with investors." Toner also described concerns that Altman was misrepresenting what others had said, telling the court, "We were concerned that Sam was inserting words into other people's mouths in order to get people to do what he wanted." Meanwhile, Tasha McCauley, a former OpenAI board member, described a deep loss of trust in Altman and accused him of creating "chaos" and "crisis" inside the company. She said Altman fostered a "culture of lying and culture of deceit," including allegedly misleading others about whether GPT-4 Turbo needed internal safety review before launch. Musk's lawyers then called to the stand David Schizer, a Columbia Law professor and nonprofit-governance expert, who framed Altman's alleged behavior as a serious governance problem for an organization that was supposed to be mission-driven. Asked about claims that products were launched without full board awareness or safety review, he said, "The board and CEO need to be partnering, working together, to make sure the mission is being followed," adding that "if the CEO is withholding that information, it's a big problem." The day ended with the start of a Microsoft executive's deposition. Microsoft VP Michael Wetter said Azure had integrated OpenAI technology, that Microsoft saw strategic value in having AI developers build on Azure, and that a 2016 agreement allowed OpenAI to use Microsoft tools for free even though it could mean a loss of up to $15 million for Microsoft. Testimony ended early, with no court on Friday and the trial set to resume Monday. Recap: Sam Altman's Management Style Comes Under the Microscope At OpenAI Trial (Day Seven) Brockman Rebuts Musk's Take On Startup's History, Recounts Secret Work For Tesla (Day Six) OpenAI President Discloses His Stake In the Company Is Worth $30 Billion (Day Five) Musk Concludes Testimony At OpenAI Trial (Day Four) Elon Musk Says OpenAI Betrayed Him, Clashes With Company's Attorney (Day Three) Musk Testifies OpenAI Was Created As Nonprofit To Counter Google (Day Two) Elon Musk and OpenAI CEO Sam Altman Head To Court (Day One)

Read more of this story at Slashdot.

Amazon Web Services is working to address a power outage that has created “impairments” to services served from the notorious US-EAST-1 region. A May 7 incident report time-stamped 5:25 PM PDT (00:25 UTC Friday) states that AWS spotted problems in the use1-az4 availability zone of the US-EAST-1 Region. A subsequent update states “EC2 instances and EBS volumes hosted on impacted hardware are affected by the loss of power during the thermal event.” An update time-stamped 6:47 PM PDT reveals“We continue to work towards mitigating the increased temperatures to its normal levels,” but warns “Other AWS services that depend on the affected EC2 instances and EBS volumes in this Availability Zone may also experience impairments.” At 8:06 PM PDT Amazon said it was "actively working to restore temperatures to normal levels ... though progress is slower than originally anticipated." The cloudy concern said it made "incremental progress to restore cooling systems" but users of EC2 Instances, EBS Volumes, and other services are "experiencing elevated error rates and latencies for some workflows." AWS has also shifted traffic away from the stricken AZ, and suggested companies shift workloads into other US-EAST-1 availability zones. Good luck getting that done because the update admits “Customers may experience longer than usual provisioning times.” US-EAST-1 is arguably AWS’s problem child, as it was the site of major outages that took big chunks of the internet offline in 2021 and then again in October 2025 . AWS execs have told The Register the region isn’t inherently more fragile than other parts of the Amazonian cloud, but often runs things at bigger scale than elsewhere and therefore imposes extra stress on services. The Register will update this story as the situation evolves. ®

HPE has delivered the first fruits of its Juniper acquisition: Wi-Fi access points that users can manage with either Aruba Central or the Mist platform, and “self-driving” tools that use AI to allow some autonomous operations. The access points are the prosaically named HPE Networking 723H, a three-radio Wi-Fi 7 machine the company recommends for hospitality, branch, and teleworker deployments. The APs also represent HPE’s first application of AI-powered autonomous networks. Mittal Parekh, HPE’s marketing lead for campus and branch networking, told The Register one self-driving scenario HPE provides is scanning the local RF environment to detect any frequencies Wi-Fi should avoid because they’re required or in use by military or other organizations that have priority. Self-driving means networks will automatically steer clear of those frequencies when it makes sense to do so. He also pointed to “dynamic capacity optimization,” which he said will see HPE Wi-Fi networks detect a gathering of users for events like an all-hands meeting, and adjust itself as necessary to ensure connections remain strong and steady. Detecting mismatched or missing VLANs, and rebuilding networks before traffic drops, is another self-driving capability. Parekh said those scenarios currently require IT teams to do manual work that might not be possible to complete before the meeting ends, or a military user vacates a frequency. HPE’s tech will also detect and de-fang rogue DHCP servers before they become a problem. Parekh said HPE’s tech allows humans to remain in the loop if they choose but hopes that NetAdmins begin to develop sufficient trust that they let networks take care of their own affairs and spend their time on higher-value tasks. The application that delivers self-driving capabilities runs in the cloud, and uses oodles of data HPE and Juniper collected over decades, plus the Marvis AI Juniper offered when it was an independent outfit. Jeff Aaron, marketing lead for HPE’s networking business unit, pointed out that HPE has delivered a unified product within months of closing its Juniper acquisition, and snarked that Cisco took years to do likewise when merging its own-brand Wi-Fi with Meraki’s. Competitive sniping aside, Aaron said the self-driving tech and Wi-Fi APs show how HPE plans to cross-pollinate its Aruba and Juniper portfolios, without forcing users of either brand to make a jump. HPE is not alone in pursuing agentic network operations, or merging networking brands: Cisco is combining its Catalyst and Meraki management tools, and is betting on AI to detect network issues and automate fixes. ®

Mozilla fixed 423 Firefox security bugs in April, a repair rate more than five times higher than the 76 fixes issued in March and almost 20 times higher than its 21.5 monthly average last year. The browser maker previously said Anthropic's ballyhooed Mythos Preview model found 271 of these in Firefox 150. Now, a trio of technical types has come forward to provide a bit more detail about what Mythos (and its less storied sibling Opus 4.6) actually found. But they also highlight something that may matter more than the model: the agentic harness – the middleware mediating between AI and the end user. Brian Grinstead, Firefox distinguished engineer, Christian Holler, Firefox tech lead, and Frederik Braun, head of the Firefox security team, observe that over the past few months, AI-generated security reports have gone from slop to rather more tasty. They attribute the transformation to better models and development of better ways of harnessing those models – steering them in a way that increases the ratio of signal to noise. But they also appear to be aware that there's some skepticism in the security community about Mythos. So they've decided to publicize selected wins in an effort to encourage others to jump aboard the AI bug remediation train. "Ordinarily we keep detailed bug reports private for several months after shipping fixes and issuing security advisories, largely as a precaution to protect any users who, for whatever reason, were slow to update to the latest version of Firefox," they said. "Given the extraordinary level of interest in this topic and the urgency of action needed throughout the software ecosystem, we’ve made the calculated decision to unhide a small sample of the reports behind the fixes we recently shipped." The post links to a dozen Firefox bugs with varying degrees of severity. The list includes, for example, a 20-year-old heap use-after-free bug (high severity) that a web page could trigger using the XSLTProcessor DOM API without any user interaction. Many of these bugs are sandbox escapes, they note, which are difficult to find using techniques like fuzzing. AI analysis, they say, helps provide broader security coverage. And they add that it has helped validate prior browser hardening work designed to prevent prototype pollution attacks – audit logs showed AI models making unsuccessful exploitation attempts using this technique. Following Anthropic's announcement of Project Glasswing – a program for companies to gain early access to Mythos because it's touted as too dangerous for public release – security experts expressed skepticism. For example, Davi Ottenheimer, president of security consultancy flyingpenguin, wrote in an April 13 blog post, "The supposedly huge Anthropic 'step change' appears to be little more than a rounding error. The threat narrative so far appears to be ALL marketing and no real results. The Glasswing consortium is regulatory capture dressed up poorly as restraint." He subsequently ran a test in which he strapped Anthropic's lesser models Sonnet 4.6 and Haiku 4.5 into a harness called Wirken with an auditing skill called Lyrik. The result was eight findings in two minutes at a cost of about $0.75, Ottenheimer claims, noting that two of the eight matched bugs Mythos had identified. Other security folk have also reported that bug hunting and exploit development can be quite productive with off-the-shelf models like Opus 4.6, which among other virtues costs about 5x less than Mythos. In an email to The Register, Ottenheimer said, "There's a fundamental philosophical failure in the Mozilla post. A reading and a measurement are not the same thing. I don't see a measurement, but they seem to want us to believe we're looking at one. "When they give us the 'behind the scenes math' it's circular, a trick. 'Mythos found 271 bugs' is what Mythos found, not what other tools could not find against the same code. Why leave it as an assumption if it can be proven?" Ottenheimer said Mozilla advocates that every project adopt a similar approach without proving the merits of that approach. "It's like saying if you don't drink Coca-Cola, you can't run a mile under six minutes, because that's what a guy sponsored by Coca-Cola just did," he said. "The bar moves on rhetoric, marketing, not proper evidence. That is the capture crew again." He notes that the merits of Mythos might be more convincing if Mozilla had reported they couldn't do this work without Mythos. And since they're not saying that, he suggests, it's worth asking why there's no transparent comparison of Mythos to other models. He points to Mozilla's admission that Opus 4.6 was already identifying "an impressive amount of previously unknown vulnerabilities." "Mozilla never quantifies what Opus 4.6 [did] before saying what Mythos added," he said. "So 271 attributed to Mythos doesn't fit the analysis. And there's a deeper reveal when they say 'we dramatically improved our techniques for harnessing these models.' The improvement may be entirely in the harness, not as much in the model. This maps to my own experience. A nail gun has advantages over the hammer, yet without being in the right hands the outputs are as bad or worse." ®

The IMF is warning that advanced AI-powered cyberattacks pose a serious threat to global financial stability. "IMF analysis suggests that extreme cyber-incident losses could trigger funding strains, raise solvency concerns, and disrupt broader markets," the lender warned in a new report. The report urged greater international cooperation and emphasized resilience, since breaches are "inevitable" -- particularly for emerging economies with weaker defenses. Agence France-Presse reports: The study's authors highlighted the risks posed by the highly interconnected nature of the global financial system, with advanced AI models able to "dramatically reduce" the time and cost of exploiting vulnerabilities. [...] The IMF warned that emerging and developing countries, "which often have more severe resource constraints, may be disproportionately exposed to attackers targeting regions with weaker defenses." The risks, the authors said, were systemic, cut across sectors and came with the threat of contagion, with the reliance on a small number of platforms and cloud providers likely to increase "the impact of any single exploited weakness." "Defenses will inevitably be breached, so resilience must also be a priority, specifically to limit how far incidents spread and ensure rapid recovery," the report said. IMF chief Kristalina Georgieva warned last month that the global financial system was not ready for the cybersecurity threats posed by AI. "We are very keen to see more attention to the guardrails that are necessary to protect financial stability in a world of AI," she told CBS News, seeking global collaboration on the issue.

Read more of this story at Slashdot.

If you're a ServiceNow customer, you can stop waiting for developers to help you on a project. Dyna Software, an eight-year-old ServiceNow Elite Build Partner based in Calgary, Alberta, has launched Platform Copilot, the first agentic AI tool that lets business users and not just developers configure and build on the ServiceNow platform using natural language. Dyna Software CEO Ron Browning showed it off at ServiceNow’s event Knowledge 2026 in Las Vegas this week, telling The Register that it draws a sharp distinction between what the platform vendor offers and what his company built. "A lot of things today are still focused on enabling developers, as opposed to really enabling business," Browning said. He noted that most AI-assisted tools in the ServiceNow ecosystem still require a developer in the loop to translate business requirements into technical configurations, which is the bottleneck Dyna Soft set out to eliminate. Platform Copilot connects to a customer's ServiceNow development instance and reads the existing schema and configuration details. When a business analyst or process consultant describes what they want in plain language, or uploads an image of a legacy form, the tool generates a wireframe model, validates the proposed changes against the instance's actual environment, and then builds the configuration. Browning said the tool can handle roughly 80 percent of the enhancement work that typically flows through ServiceNow development teams. “The goal that I really have, to be honest, is a situation where you could have a business person literally just fill in a form that says ‘I need this. I want it to be this. Here are my parameters,’ hit send. And that just goes directly into Platform Copilot,” he said. “And then basically, the next step, you've got it built, and you're ready to move it over. And technical folks didn't really have to be involved at all.” The "instance-aware" design, meaning it is built for the user's own ServiceNow instance, is central to Dyna Software's pitch. Generic AI coding tools like Anthropic's Claude or OpenAI's Codex can generate ServiceNow configurations, but they produce generic output unless a developer manually supplies environment-specific parameters, Browning said. Platform Copilot pulls those parameters automatically, which Browning said prevents the kind of conflicts and technical debt that can otherwise plague large ServiceNow deployments. He pointed to an early use case with a partner in Australia that needed to migrate more than 200 catalog items from a legacy system into ServiceNow. Under a traditional approach, that project could stretch close to a year. With Platform Copilot, a business analyst uploaded images of the legacy forms, reviewed generated wireframes in minutes, made adjustments, and pushed production-ready configurations without developer intervention. Government agencies represent another target market. Browning described a common scenario: a backlog of PDF forms that need to be digitized into a ServiceNow portal, with estimated timelines stretching to two years. Platform Copilot compresses that timeline by automating the dozens of discrete configuration changes that even a simple form requires across the ServiceNow platform. The company built Platform Copilot on top of its existing flagship product, Guardrails, an on-platform DevOps toolset used by some top ServiceNow customers to manage customizations and protect against upgrade failures. That foundation gives Platform Copilot its understanding of how to build configurations that comply with ServiceNow’s best practices and avoid downstream conflicts. Dyna Software, which recently achieved elite partner status with ServiceNow, abandoned two earlier versions of the product to skip ahead to what it calls version four, a decision Browning attributed to rapid advances in LLMs over the past eight months. "We ended up basically scrapping our v3 lane and focusing on our v4, simply because it ended up surpassing in terms of what our outcomes and goals were," Browning said. "Things like Anthropic, OpenAI, in the last probably eight months, they have gone lightning speed in terms of what you can actually do with them." Browning acknowledged limits to what users can do without a DevOps team. Complex application builds that require extensive custom coding or external system integrations remain better suited to developer-led work with traditional AI coding assistants, he said. Platform Copilot targets the high-volume, repetitive configuration work that clogs ServiceNow backlogs such as catalog items, workflows, forms, and agent configurations. "Developers are not really going to go away completely,” he said. “There's going to be need for really smart systems architects and capable developers. But the ones that are doing grunt work and non-glamorous stuff, I do believe that's going to get phased out." Platform Copilot entered open beta on May 5, with full commercial availability targeted for July 2026. He said pricing is set to allow a low barrier of entry and follows a usage-based consumption model with a $100 minimum credit purchase and no subscription commitment. ®

In honor of World Password Day, Kaspersky researchers revisited their study on the crackability of real-world passwords and found that 60% of MD5-hashed passwords could be cracked in under an hour with a single Nvidia RTX 5090, and 48% could be cracked in under a minute. "The bottom line is that passwords protected only by fast hashing algorithms such as MD5 are no longer safe if attackers obtain them in a data breach," reports The Register. From the report: Much of the reason password hashes have become so easy to crack is password predictability. Per Kaspersky, its analysis of more than 200 million exposed passwords revealed common patterns that attackers can use to optimize cracking algorithms, significantly reducing the time needed to guess the character combinations that grant access to target accounts. In case you're wondering whether there's a trend to compare this to, Kaspersky ran a prior iteration of this study in 2024, and bad news: Passwords are actually a bit easier to crack in 2026 than they were a couple of years ago. Not by much, mind you -- only a few percent -- but it's still a move in the wrong direction. "Attackers owe this boost in speed to graphics processors, which grow more powerful every year," Kaspersky explained. "Unfortunately, passwords remain as weak as ever." "This World Password Day, the main message ought not to be to the users, who often have no choice but to use passwords anyway, but to the sites and providers that are requiring them to do so," said senior IEEE member and University of Nottingham cybersecurity professor Steven Furnell. His advice is that providers need to modernize their login systems and enforce stronger protections, because users are often stuck with whatever security options they're given.

Read more of this story at Slashdot.

Companies including Philips and Pandora say they plan to seek tariff reimbursements after the Supreme Court ruled Trump's sweeping duties illegal, with the U.S. potentially facing up to $175 billion in refunds. Many firms say tariffs hurt earnings, but CFO survey results suggest companies applying for refunds are unlikely to pass savings back to consumers through lower prices. CNBC reports: Companies across Europe are flagging disruption from tariffs as a factor contributing to a skewed earnings picture. "We will ask for a rebate of tariffs in line with the government policies," Roy Jakobs, CEO of healthtech firm Philips, told CNBC's "Squawk Box Europe" on Wednesday morning. "We have been saying that of course we prefer a world without tariffs, without trade barriers, because we want to serve patients." Philips included the cost of tariffs within its full-year guidance and did not assume the impact from any potential refunds. Danish jeweler Pandora also announced its intention to apply for a rebate on Wednesday, with CEO Berta de Pablos-Barbier telling CNBC that tariffs were a "headwind" to earnings in the first quarter. "We have no news yet, so we cannot count on any of that refund," she told CNBC's "Squawk Box Europe." "Let's wait and see." De Pablos-Barbier noted that the biggest factor impacting Pandora's profit this quarter is the cost of silver, which more than quadrupled in the last 18 months. She reiterated the firm's pivot from pure silver to platinum as a way of reducing costs. BMW, Daimler, Renishaw, Smith & Nephew and Continental all flagged tariffs as negatively impacting results in a slew of earnings updates on Wednesday, but the companies did not say whether they are applying for rebates. Businesses often bear some of the cost of tariffs, with some costs passing on to consumers through price hikes. Tariffs have had an overall inflationary impact on the economy, economists have told CNBC. Despite the refund process potentially covering more than 330,000 importers on roughly 53 million entries, per court documents, consumers are unlikely to benefit, according to the results of the latest CNBC CFO Council quarterly survey. Twelve of the 25 chief financial officers interviewed said their company plans to apply for tariff refunds, however, none intend to lower prices in response.

Read more of this story at Slashdot.

Playing host to company laptops used by North Korean scammers posing as American IT workers might earn you a cut of the cash Pyongyang siphons from US firms, but as two more suckers have learned, it also means taking the fall when the FBI figures out what’s going on. Matthew Isaac Knoot, from Nashville, Tennessee, and Erick Ntekereze Prince, of New York, were each sentenced to 18 months in prison in separate cases, the Justice Department reported Wednesday. Prince and Knoot will also face three years and one year of supervised release, respectively, after their prison terms. While the cases were different, the crimes were largely the same, with both Knoot and Prince misrepresenting themselves as either an American IT worker, or a company offering IT services performed by Americans, respectively. Both won jobs to perform IT work for US-based companies, and both provided space for company-owned laptops in their home or office, where remote access software was installed to allow North Koreans to work from overseas while appearing to be located in the States. According to the DoJ, the pair generated more than $1.2 million in fraudulent revenue for North Korea, some of which was paid to them for their participation in the scheme. Knoot reportedly earned $15,100, which he will have to pay back as restitution to the companies and to the government; Prince will have to give back approximately $89,000 he got from Kim Jong Un's government. Between them, Prince and Knoot forced the nearly 70 US companies they victimized to spend $1.5 million to audit and remediate their devices, systems, and networks to eliminate all traces of the Nork intruders. The pair are the latest to find themselves facing the wrath of the Justice Department for enabling North Korea’s fake IT worker scheme, which has been wildly successful. According to the most recent data from earlier this year, North Korean IT worker schemes are raking in more than $500 million a year for the Kim regime. That number doesn’t include any monetary value of data stolen from those organizations, either. These scams have broadened their reach, too. Once confined to the realm of big tech, they’ve also been found in the healthcare, finance, and professional services spaces as well, as all present ripe opportunities for harvesting valuable data along with scoring money for the government. Knoot and Prince got off easy compared to some of the previous folks sentenced for aiding North Korea’s schemes, though. Kejia Wang and Zhenxing Wang were jailed for a combined 200 months when sentenced last month, though to be fair their operation was larger, their takes greater, and their targets more prominent. Regardless of the amount of time, the FBI said that the latest sentences should serve as a reminder that helping North Korea run its IT worker scam isn’t a good idea no matter how much they offer to pay. “These cases should leave no doubt that Americans who choose to facilitate these schemes will be identified and held accountable,” FBI cyber division assistant director Brett Leatherman wrote in the announcement. “Hosting laptops for DPRK IT workers is a federal crime which directly impacts our national security, and these sentences should serve as a warning to anyone considering it.” ®

How explicit does the maker of a footgun need to be about the product's potential to shoot you in the foot? That's essentially the question security firm Adversa AI is asking with the disclosure of a one-click remote code execution attack via an MCP server in Claude Code, Gemini CLI, Cursor CLI, and Copilot CLI. The TrustFall proof-of-concept attack demonstrates how a cloned code repository can include two JSON files (.mcp.json and .claude/settings.json) that open the door to an attacker-controlled Model Context Protocol (MCP) server. MCP servers make tools, configuration data, schemas, and documentation available in a standard format to AI models via JSON. The vulnerability arises from inconsistent restrictions governing the scope of settings: Anthropic blocks some dangerous settings at the project level (e.g. bypassPermissions) but not others (e.g. enableAllProjectMcpServers and enabledMcpjsonServers). The JSON files simply enable those settings. "The moment a developer presses Enter on Claude Code's generic 'Yes, I trust this folder' dialog, the server spawns as an unsandboxed Node.js process with the user's full privileges — no per-server consent, no tool call from Claude required," Adversa AI explains in its PoC repo. The likely result is a compromised system. The PoC demonstrated in this video. It worked on Claude Code CLI v2.1.114, as of May 2. Other agent CLIs are also said to be affected, but specific PoCs have not been published. "It's the third CVE in Claude Code in six months from the same root cause (project-scoped settings as injection vector)," Alex Polyakov, co-founder of Adversa AI, told The Register in an email. "Each gets patched in isolation but the underlying class hasn't been finally fixed. Most developers don't know these settings exist, let alone that a cloned repo can set them silently." Anthropic, according to the security biz, contends that the user's trust decision moves the issue outside its threat model. CVE-2025-59536 was considered a vulnerability because it triggered automatically when a user started up Claude Code in a malicious directory. TrustFall, however, is considered out of scope because the user has been presented with a dialog box and made a trust decision. Adversa argues that the decision is not being made with informed consent, citing a prior, more explicit warning notice that was removed in v2.1 of the Claude Code CLI. "The pre-v2.1 dialog explicitly warned that .mcp.json could execute code and offered three options including 'proceed with MCP servers disabled,'" writes Adversa's Sergey Malenkovich. "That informed-consent UX was removed. The current dialog defaults to 'Yes, I trust this folder' with no MCP-specific language, no enumeration of which executables will spawn, and no opt-out for MCP while keeping the rest of the trust grant." Then there's the zero-click variant to consider for CI/CD pipelines that implement Claude Code. When Claude Code is invoked in CI/CD, that happens via SDK rather than the interactive CLI. So there's no terminal prompt. Malenkovich argues that Anthropic should make three changes. First, block enableAllProjectMcpServers, enabledMcpjsonServers, and permissions.allow from any settings file inside a project. The idea is that a malicious server should not be able to approve its own servers. Second, implement a dedicated MCP consent dialog that defaults to "deny." And third, require interactive consent per server rather than for all servers. Anthropic did not respond to a request for comment. ®

joshuark shares a report from Linux Magazine: Microsoft has issued a warning that a vulnerability with a CVSS score of 7.8 has been found in the Linux kernel. The vulnerability in question is tagged CVE-2026-31431 and, according to the Cybersecurity and Infrastructure Security Agency (CISA), "This Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise." The distributions affected are Ubuntu, Red Hat, SUSE, Debian, Fedora, Arch Linux, and Amazon Linux. This could also affect any distribution based on those in the list, which means pretty much every Linux distro that isn't independent. The flaw is found in the Linux kernel cryptographic subsystem's algif_aead module of AF_ALG. The problem is that a particular optimization has led to the kernel reusing the source memory as the destination during cryptographic operations. What this means is that attackers can take advantage of interactions between the AF_ALG socket interface and a splice() system call. Until patches are released, Microsoft is advising that the affected crypto feature should be disabled, or AF_ALG socket creation should be blocked. The vulnerability is also known as "Copy Fail," which has been shared on Slashdot and detailed in a technical report. The vulnerability affects almost every version of the Linux OS and is now being exploited in the wild. U.S. cybersecurity agency CISA has ordered all civilian federal agencies to patch any affected systems by May 15.

Read more of this story at Slashdot.

An anonymous reader quotes a report from Ars Technica: Wearables have really come full circle. The early Fitbits didn't have screens, but the move to smartwatches put a screen on everyone's wrist. Now, devices like Whoop and Hume are designed as data trackers first and foremost without so much as a clock. Google's newest wearable jumps on that trend: The Fitbit Air doesn't have a screen, but it does have a suite of health sensors that pipe data into the new Google Health app. And if you want, Google has a new AI-powered health coach in the app ready to tell you what that data means (maybe). The Fitbit Air itself is a small plastic puck about 1.4 inches long and 0.7 inches wide. It slots into various bands that hold the bottom-mounted sensors against your wrist. There's no display pointing upward, so the entire device is covered by the fabric or plastic of the band. It's a streamlined and potentially stylish look -- in uncharacteristic fashion, Google has plenty of colors and style options available, including a special-edition Steph Curry version. You may have heard chatter about Curry being seen teasing a new screenless Fitbit, and this is it. [...] The Fitbit app is getting a major makeover and a new name. An update in the coming weeks will transform that app into Google Health, featuring a new interface with a more extensive Material Expressive aesthetic and redesigned menus and tabs. You also won't see Fitbit branding in as many places -- the Fitbit Premium subscription will become Google Health Premium. Without a subscription, the app still does all the basic things, like tracking your health stats, automatically logging workouts, and showing it all in a pretty dashboard. With the Premium subscription, you get all the features from Fitbit Premium plus the new AI Health Coach. It's a chatbot, so you can ask it about any health or wellness topics, and the answers are grounded in your health data. The Fitbit Air launches May 26 for $99.99, includes a Performance Loop band, and comes with three months of the new Google Health Premium that replaces Fitbit Premium and adds Google's AI Health Coach. Meanwhile, Google Health Premium will cost $10 per month or $100 per year, though it's included with AI Pro or AI Ultra. Non-subscribers can still use basic tracking features. Ars also notes that when Google Fit shuts down later this year, users will need to migrate their data to Google Health.

Read more of this story at Slashdot.