Security

How Millions of Digital Home Devices Are Secretly Powering Cyberattacks (yahoo.com) 33

The Wall Street Journal reports on internet-connected devices — and how every year millions of them "can contain a secret digital backdoor that opens up access to your home internet, so that anyone... can surf the web as if they were you." (And this is especially true for "knockoffs that you buy online"...)

In a video report this week they tested two digital picture frames from Amazon and three streaming devices from Walmart "because we heard that they often ship with backdoor software used in cyberattacks. Security experts believe manufacturers are being paid to add this malware, but many people also get tricked into downloading the software onto their phones or computers... Within minutes of turning the devices on, there was a surge of internet traffic... Visits to gambling, porn, cryptocurrency and loads of other sketchy web sites started pouring in from users around the world." (And remote visitors also tried to access Outlook and Gmail accounts...)

Residential proxy companies even rent out access to "tens of millions of home networks around the world," according to the report. "But the problem is actually worse than that. Hackers figured out a way to seize control of these backdoors, and they started taking over these residential networks. Last month authorities arrested a 23-year-old Ottawa man, saying he'd taken control of more than a million devices to launch some of the largest cyberattacks anyone had ever seen.."

After a couple months the Journal's reporter collected logs of all the traffic, and sent it to an investigator at Comcast, who said both were conducting DDoS attacks. But estimate for the number of infected devices are as low as tens of millions or as high 500 million-plus. "We've seen nation state attacks launched through these kind of endpoints, which means your device sitting in your house is part of a nation state attack against another nation state... We've seen ad fraud, we've seen ticket scalping, we've seen financial fraud."

But more importantly, "We have seen some of the largest computer attacks — meaning computers attacking other computers at human request — ever recorded in our digital history in the last several months." At cybersecurity conferences, some are warning "there are much larger ones on the horizon if we don't get a hold of this problem."

The company making the picture frame "couldn't be reached for comment," while Amazon said it's been out of stock since last year. Both Amazon and Walmart said they take action when they confirm malware on a third-party product.
AI

Waymo Recalls About 3,900 Robotaxis After Some Drove Into 'Freeway Construction Zones' (cnbc.com) 59

CNBC reports: Waymo is recalling almost 3,900 robotaxis in the U.S. to fix software issues after some cars drove into freeway construction zones, according to notices filed with the National Highway Traffic Safety Administration. The voluntary recall, the Alphabet-owned company's second in just over a month, followed 13 known incidents where Waymo robotaxis drove into construction zones on freeways in Phoenix, or entered freeway lanes with active construction in the San Francisco area, the filings published Thursday said... A letter posted to the regulator's website... noted that, "Driving through a closed construction zone increases the risk of a crash..."

[Waymo said in a statement emailed to CNBC] "We voluntarily restricted freeway operations last month while making improvements, proactively notified state and federal regulators, and decided to file a voluntary software recall with NHTSA. We continue to safely serve riders on surface streets in all the cities where we operate...."

The company implemented another voluntary recall in May after some of its robotaxis had driven into flooded zones or standing water. The NHTSA Safety Board also initiated a probe of Waymo after a January incident in which a robotaxi illegally passed a stopped school bus.

GNU is Not Unix

FSF Patches Two-Year-Old Vulnerability Found by AI Researchers in GNU Savannah Repository (fsf.org) 4

The Free Software Foundation's GNU Savannah hosts thousands of free software projects — both GNU and non-GNU projects, including Drupal.

But in early May, security researchers from Hacktron.AI reported vulnerabilities and demonstrated an exploit, according to a new statement Friday from the FSF: We have been working with these researchers since their initial report, and have also addressed additional security issues they submitted. All reported issues have been patched thanks to the hard work of GNU and FSF volunteers, as well as FSF staff. After thorough review, we have found no reason to believe that sensitive project data or credentials were accessed, nor that there has been any compromise of Savannah's software supply chain.

Nevertheless, we take the security of the GNU system, the tools which make it possible, and the projects we host very seriously. This body of software has become essential to millions (if not billions) of users around the world. We are therefore taking additional precautionary steps. Though the initial security issue was reported to us in early May, the vulnerabilities were discovered in software that was published approximately two years prior. We will be communicating directly with Savannah-hosted projects about steps they can take to review and strengthen the security of their projects.

We have also communicated with the other Savane instances we're aware of to assist their review of their own environments, and take any steps needed to help protect their users... This statement is intended as an initial notice. We expect to publish a report on the incident within 30 days.

Hacktron.AI bills itself as "Your AI teammate for security." Its web page notes that its investors include Meta, DeepMind, and Perplexity.
Businesses

Amazon Retaliated Against Workers Who Supported Regulating Data Centers, Complaint Says (nytimes.com) 45

Three Amazon employees have filed a civil-rights complaint alleging the company retaliated against them for publicly supporting Seattle regulations on data centers. "The complaint was filed on the workers' behalf by Amazon Employees for Climate Justice, an independent group of corporate employees at Amazon that since 2018 has organized around climate issues," reports The New York Times. "It said the company started investigations and told the employees that they could face discipline, in one case up to potential termination, in an act of intimidation that violated the city's civil rights protections against discrimination for political beliefs." Amazon says it launched the internal investigations to determine whether the employees appeared to be speaking on the company's behalf rather than as private citizens. "As we looked more closely at how these employees represented themselves, and how their comments were received by others, it became clear that they may have been speaking in their capacity as Amazonians and not as private citizens," said an Amazon spokesperson. They said that the company does not allow retaliatory behavior and that when the investigation is concluded, Amazon "may or may not take action based on what we find." The New York Times reports: Five Amazon tech workers affiliated with Amazon Employees for Climate Justice testified at several different hearings before the Seattle City Council and two of its committees. Their testimony in the company's hometown drew national attention, and it put the tech giant in the awkward position of responding to public criticism of data centers and artificial intelligence from its own employees. Patrick Schloesser, who has worked as a software engineer at Amazon Web Services since 2020, said in an interview with The New York Times that Amazon told him he was under investigation last week, when he was called into a meeting with no notice. He had testified at two City Council hearings in early June. "I had this rising sense of anger that Amazon is attempting to infringe on my rights to speak out politically in my city," he said. "If we allow corporations to decide which speech is or is not allowed, that absolutely hurts democracy." [...]

[...] The Amazon employees testified that Seattle should consider conditions on allowing new data centers, such as requiring new renewable energy sources of power, banning the use of nondisclosure agreements between the city and developers, and limiting public subsidies. They offered to help create new rules based on their experience as tech workers. "Seattle needs to set the terms so the way any new data centers get built here actually moves us closer to the future we want," Darius Irani, who has worked as a software engineer in Amazon's grocery business since 2021, said at a June 3 hearing before the Council's Parks and City Light Committee. He suggested requiring public reporting of water and power use, banning shell companies and harnessing the heat emitted from the chips in data centers to warm nearby buildings.

Amazon told news organizations at the time that it respected 'our colleagues' right to voice their opinions and that the company did not have plans to build data centers within the city limits. On June 9, the Council unanimously voted for a one-year moratorium on new, large data centers in order to give it time to develop regulations. The next day, an Amazon employee relations staff member met the three workers in individual meetings and told them that they were under investigation for their testimony, according to the complaint. Mr. Irani said he was repeatedly questioned about his testimony and who else at Amazon was present at the hearings. "It feels like they say one thing publicly and try to silence and intimidate me privately, which I think is wrong," Mr. Irani said.

First Person Shooters (Games)

Doom Composer Bobby Prince Has Died (engadget.com) 21

Video game composer and sound designer Bobby Prince has died at age 81 following an illness. Developer id software shared the news. Engadget reports: Prince was perhaps best known for his pioneering work on the Doom series. The Library of Congress inducted his soundtrack for the original game into the National Recording Registry just last month. "Despite the limitations of the 1993-era sound card drivers, Prince composed the perfect riff-shredding accompaniment for the game's demon-slaying journey to hell and back," the Library of Congress stated.

"Taking advantage of his knowledge of MIDI, Prince even worked to ensure that the sound effects he created could cut through the music by assigning them to different MIDI frequencies." Prince also worked on games such as Wolfenstein 3D, Rise of the Triad and Duke Nukem 3D. In 2006, the Game Audio Network Guild honored Prince with a lifetime achievement award.

Security

New Unpatchable Exploit Targets Apple Devices With A12 and A13 Chips (9to5mac.com) 39

Researchers have disclosed a new unpatchable BootROM exploit affecting Apple devices with A12, A13, S4, and S5 chips. The attack requires physical USB access and DFU mode, but can let an attacker run code before iOS loads, bypass signature checks, and boot modified software. 9to5Mac reports the details: In a highly detailed technical post published today, the Paradigm Shift Team details usbliter8, a new exploit that "leverages both a hardware bug in the USB controller and a specific configuration flaw present in the device firmware" and cannot be patched. The PS Team explains that ahead of today's disclosure, it shared its findings and worked with Apple Product Security to coordinate the release. The researchers also thanked Apple's security team for its "prompt response, constructive engagement, and cooperation throughout" the process.

In a nutshell, this bug affects the following Apple SoCs: A12, S4, S5, and A13. [...] They add that "technical support for A12X/Z is possible," but "it is not currently implemented." That could add the 2018 and 2020 iPad Pro lineups to the list. The way usbliter8 works is: it sends specially crafted data to a device over USB while it is in DFU mode, confusing the USB controller and causing it to write data to the wrong part of memory. That gives an attacker with physical access to the device control over its startup process. From there, they can run their own code before iOS loads, bypass signature checks, and boot modified system software.

Importantly, the exploit does not affect or compromise the device's Secure Enclave, which in practice means that data such as passcodes and encrypted user data remain secure. That said, PS Team says that "although usbliter8 doesn't affect SEP itself, it opens up wider attack vectors to compromise the Secure Enclave," adding that "by releasing this exploit publicly, we hope to highlight the real-world impact of these hardware flaws and contribute to a broader understanding of modern SecureROM security." [...] Given that this is also an unpatchable exploit, the researchers note that "affected users should be aware that migrating to newer hardware remains the most effective mitigation."

Bug

Google Told Researcher 'Nice Catch!' Then Denied Bug Bounty For Flaw It Still Hasn't Fixed (theregister.com) 38

Security researcher Justin O'Leary says Google initially accepted his Config Connector privilege-escalation report as a high-priority, high-severity bug, then denied a bounty by declaring the behavior "working as intended." According to The Register, a Google rep initially praised O'Leary's report with a "Nice catch!" before the cloud giant reversed course, declaring that no vulnerability existed and therefore no fix or reward was warranted. "The bug report, however, is still marked high-priority and accepted," the publication notes. The alleged flaw, dubbed ConfigConfusion, could let a Kubernetes namespace user exploit an overprivileged service account to become a GCP organization owner with only a few lines of YAML and little apparent audit visibility. O'Leary details the incident in a blog post. The Register reports: According to O'Leary, Config Connector doesn't perform an authorization check, and this allows any Config Connector service account with org-level permissions to bypass Identity and Access Management (IAM) authorization and gain the highest level of control (roles/owner) to an entire GCP Organization -- the root node of all of a company's resources within Google Cloud. On March 27, a Google security engineer accepted O'Leary's report and told him: "Nice catch!" The employee said that they filed a bug based on O'Leary's report with the relevant product team and assured him the Chocolate Factory's security squad would work with relevant Google Cloud people to fix the flaw. "We'll work with the product team to ensure this issue is address. We'll let you know when the issue was fixed," the engineer said. "In the meantime, review the payment option selected in your bughunters.google.com profile."

Google assigned the bug P1 priority and S1 severity, signifying a flaw worthy of urgent repair because it affects a large percentage of users and can disrupt core organizational functions. "I figured that was the end of that," O'Leary said in a phone interview with The Register. Eleven days later, on April 7, he received a new message from a Google Security Bot reversing the earlier decision. The Reg viewed the email, and O'Leary included a screenshot in his Thursday writeup. The message said that the Cloud Vulnerability Reward Program panel decided that the "security impact of this issue does not meet the criteria to qualify for a reward."

After reviewing the bug report, Google determined the software "is working as intended," the message continued. It also noted that the program's decision not to pay a bounty "does not mean that the product team won't fix the issue." Nearly three months later, the case remains P1/S1 with the status "in progress (accepted)." Google hasn't assigned a CVE or issued a fix. O'Leary didn't receive any reward for his research. [...] "This is a pattern," O'Leary told [The Register]. "This is just how these trillion-dollar companies deal with people like me. In my day job, we use GKE, and it's incredibly frustrating on my end, when I find a critical vulnerability in the system that's being widely used, and I can't even get the vendor to patch their own stuff."
A Google spokesperson told The Register: "The issue reported does not qualify for a reward because the GCP IAM authorization bypass is only exploitable if an attacker has access to a Config Connector Service Account that's been granted the Organization Admin role by the organization (i.e., it is privileged). Additionally, an attacker would first need to gain entry to an organization's environment (e.g., an exposed container) in order to leverage the privileged Config Connector instance and execute commands with administrative authority, such as the IAM bypass. Granting this level of access to the Config Connector Service Account goes against Google Cloud's publicly shared best practices and the principle of least privilege."
Businesses

Tesco Moving 40,000 Server Workloads Off VMware Amid Broadcom's 'Abusive Conduct' (arstechnica.com) 65

An anonymous reader quotes a report from Ars Technica: Tesco, a retail conglomerate headquartered in the United Kingdom, is moving 40,000 server workloads off of VMware amid "abusive conduct" from Broadcom, recent legal filings claim. Tesco filed a lawsuit in the UK's High Court against Broadcom alleging breach of contract last year. According to a September report from The Register, the lawsuit claimed that in January 2021, Tesco bought perpetual licenses for VMware's vSphere Foundation and Cloud Foundation, a subscription to VMware Tanzu, plus support services until 2026, with the option to extend support for four additional years.

But when Broadcom took over VMware in November 2023, it would not honor the deal and instead tried to get Tesco to pay "excessive and inflated prices for virtualization software for which Tesco has already paid" and would not allow it to buy support services for its perpetually licensed software without buying "duplicative subscription-based licenses for those same Software products," the initial complaint read, The Register reported at the time. Tesco, which reported 73.7 billion pounds (about $98.7 billion) in revenue in its fiscal year 2026, has since started migrating away from VMware and Broadcom's mainframe products, according to late-May court filings reported on by The Register today.

In January, Broadcom stopped supporting Tesco's VMware products, Tesco said, and Tesco has been paying for third-party support since. In its initial filing, Tesco also said that Broadcom refused to upgrade software or provide all security updates to customers without subscriptions. One of Tesco's recent filings, per The Register, reads: "Faced with Broadcom's abusive conduct, and given the criticality of virtualization and mainframe software and services to its business, Tesco has been forced to incur material costs to procure alternative solutions with reduced functionality, and to migrate to that software in a manner, and on a timeframe, that creates very significant risks to its business."

If it works "at exceptional pace," Tesco will be completely off VMware by the end of 2027 at the earliest. However, "the timeframe in which that migration must be undertaken has created and continues to create operational and commercial risk, and at material ongoing cost and disruption to the business," Tesco reportedly noted. Tesco is also dealing with migration challenges related to data security because its new, unnamed virtualization software is incompatible with the Veeam and Zerto products it uses. Tesco initially requested at least 100 million pounds (about $133.6 million) in damages each from Broadcom, VMware, and reseller Computacenter, plus interest. In its recent filings, Tesco said it turned down at least four offers from Broadcom to continue using VMware and Broadcom's mainframe tech. [...] The case is expected to go to court between November 1, 2027, and February 25, 2028, The Register reported. Afterward, it could go to trial.
Further reading: HPE Tempts VMware Users, Partners With Year of Free Virtualization Software
Government

Anthropic Employees Accuse Trump Administration of Targeting Them 122

Anthropic employees say they remain confused and increasingly convinced that the Trump administration is singling out the company after officials gave it less than 90 minutes to disable Fable 5 and Mythos 5 over alleged national security concerns. Cybersecurity experts, however, argue that the cited behavior of helping to identify vulnerabilities in software is also available in rival models and is more valuable to defenders than attackers. The New York Times reports: Inside the company, employees' private group chats immediately lit up. Managers were instructed to prepare customers for a potential service disruption to the models, called Fable 5 and Mythos 5. But the messaging kept changing, with workers initially being told that the security problem was the ability of foreign companies to gain access to the systems, and later that a major vulnerability had been discovered in the models.

In employee chats, Anthropic engineers asked one another if the company's plan to go public this year would be harmed by the White House directive. Many shared news reports that offered conflicting information about why the White House had ordered Anthropic to suspend access to Fable 5 and Mythos 5 for all foreign nationals. "What are you telling your clients?" one employee asked in a chat viewed by The New York Times. Another said, "Does anyone know what to believe?" In another message, a worker said, "I don't understand what the issue is."

Six days later, Anthropic's roughly 3,000 employees still have few answers. The San Francisco company is continuing to grapple with internal confusion as Dario Amodei, the chief executive, and some of his lieutenants meet with the Trump administration to try and resolve the situation. But after discussions on Monday and Tuesday, there was no breakthrough over ending the U.S. order to limit access to the company's new A.I. models. In a statement on Monday, Anthropic said it would continue meeting with government officials and pledged its "ongoing commitment to working alongside the administration."

The dispute highlights how singular Anthropic has become in Washington. It was the second time in six months that the fast-growing A.I. start-up has become embroiled in a fight with the Trump administration over its powerful technologies, even as other A.I. companies offer similar models that have not received the same attention. And it has left Anthropic's employees in what they described as a holding pattern, with some wondering if they were being picked on by President Trump. "Are we being bullied based on bad vibes?" one employee asked in a chat viewed by The Times.
Yesterday, TechCrunch's Zack Whittaker argued that the move sets a troubling precedent: the government can unilaterally disrupt American software products without court approval, potentially undermining trust in U.S. AI providers.
Privacy

Hacking Group Claims Major Hack of Novo Nordisk, Attempted $25 Million Extortion (reuters.com) 15

Reuters reports a cyber extortion group has claimed responsibility for breaching Novo Nordisk's network, stealing roughly 1.3 terabytes of data, including source code, drug research, clinical-trial records, employee and physician information, production-system details, and internal AI model data. The group says it's exploring selling parts of the data after unsuccessfully demanding $25 million from the company. From the report: FulcrumSec, a cyber extortion group that emerged in October 2025, said in a long message posted to its website that it spent more than two months in Novo Nordisk's networks stealing data. It said that data included company source code, proprietary information on released and unreleased drugs, trial data, employee, doctor and patient data, information related to company processing facilities and internal AI model information.

[...] FulcrumSec told Reuters in an email that Novo Nordisk representatives contacted the group on June 3, roughly 48 hours after the group's initial contact to unnamed company executives. The company used a random Proton Mail email address sent to email addresses that FulcrumSec used in its initial outreach, and confirmed it was the company by requesting specific files for verification only the company would know about.

The FulcrumSec representative also said that the group would prefer not to sell data, "as open sourcing it is a more effective deterrent for future companies to avoid paying." [...] FulcrumSec said it would not share some of the data it stole, including information on thousands of company employees and physicians, and roughly 11,500 pseudonymized clinical trial patients. The group said it also would withhold data related to operational technology and software used to interact with sensors and machinery at Novo Nordisk production facilities as part of its "harm-reduction strategy."
A Novo Nordisk spokesperson said in an email that the company "is aware of claims that data allegedly copied externally without authorization from our systems has been published online. We take this matter seriously and maintain continued operations of our main platforms. We are in contact with the relevant authorities."
Virtualization

HPE Tempts VMware Users, Partners With Year of Free Virtualization Software (arstechnica.com) 25

An anonymous reader quotes a report from Ars Technica: Hewlett Packard Enterprise's (HPE) new virtualization software promotion will likely pique the interest of end users and resellers who are unhappy with Broadcom's pricing of VMware. During its HPE Discover event in Las Vegas this week, HPE announced that customers could use its "HPE Morpheus Software -- VM Essentials" offering for free for "up to one year," per a press release. HPE's website describes its virtualization platform as a "VMware alternative." It includes a hardware virtual machine (HVM) hypervisor and unified management and lets users "manage VMware ESXi and HVM clusters from one console and migrate when you're ready," HPE's website says. "New VM Essentials customers can receive up to one free year of licenses for VM Essentials, a year of HPE Zerto for $1 to support non-disruptive migration to HPE virtual machines, and 0 percent interest on software through HPE Financial Services," HPE's announcement reads, referring to HPE's group for helping IT teams manage funding.

Free for a year is cheaper than what Broadcom has charged for VMware vSphere since taking over. VMware prices have skyrocketed due to VMware's parent company eliminating perpetual licenses and bundling products into expensive packages. Notably, per its website, HPE recommends charging $600 per CPU socket per year for VM Essentials; Broadcom has controversially shifted vSphere licensing pricing to a per-core basis. "Customers are feeling quite a bit of pain in the change that some of the virtualization companies have put there, specifically Broadcom," Jeremiah Jenson, VP of HPE's North American channel and partner ecosystem, told CRN. The executive claimed that VM Essentials could bring up to 90 percent cost savings compared to VMware while also helping to "eliminate vendor lock-in and simplify hybrid IT."

From March 1 to June 30, HPE has also been offering a free year of VM Essentials via rebate to customers who buy an AMD server and a one-year VM Essentials license. VM Essentials is only available through channel partners, a stark contrast from Broadcom's VMware approach, where the chip giant has drastically reduced the number of resellers that can sell VMware products. HPE's new promotion aims to entice customers to more deeply consider migrating off VMware. [...] HPE also announced that it would give 600 reseller partners who earn the HPE partner program's Private Cloud with Virtualization competency by the end of the year free VM Essentials software licenses for three years. Partners still have to pay support costs, though.
The benefit is "a step in the correct direction," said Dean Colpitts, CTO of Canadian managed services provider (MSP) Members IT Group (MITG), which VMware cut from its reseller program after 19 years of partnership a year ago. However, limiting the promotion to 600 partners is "very shortsighted." He believes that HPE should give all of its partners VM Essentials "to facilitate getting [VM Essentials] into customer sites and displacing the competitors."

"They need to fling [VM Essentials] as far and as fast as they possibly [can] to immediately gain traction and draw ISVs to them, which will increase adoption even more," he said.
Businesses

SpaceX To Acquire AI Coding Startup Cursor For $60 Billion (cnbc.com) 67

SpaceX has agreed to acquire Cursor for $60 billion in stock, adding the popular AI coding assistant to Elon Musk's newly public aerospace-and-AI conglomerate. CNBC reports: Cursor built a popular AI coding tool that helps software developers generate, edit and review code, and the company has experienced explosive growth since its founding in 2022. In November, Cursor said it crossed $1 billion in annualized revenue, according to a release at the time. Cursor was also ranked at No. 37 on the annual CNBC Disruptor 50 list in 2026.

[...] Musk merged SpaceX with his AI startup, xAI, earlier this year, and the Cursor deal looks set to help revitalize the company's efforts to compete with rivals like Anthropic and OpenAI, which also offer popular coding tools. SpaceX expects the merger to close during the third quarter of this year, according to a filing with the Securities and Exchange Commission. The transaction is subject to "requisite regulatory approvals," the filing said.

Government

The US Government's Anthropic Models Ban Was Never About an AI Jailbreak (techcrunch.com) 58

TechCrunch's Zack Whittaker argues that the U.S. government's abrupt export-control order forcing Anthropic to pull its Fable 5 and Mythos 5 models offline was "never about an AI jailbreak" threat. Instead, it was driven more by "personality differences" between the AI company and Trump administration. Security experts say the reported guardrail bypass did not justify the order and warn that the move sets a troubling precedent: the government can unilaterally disrupt American software products without court approval, potentially undermining trust in U.S. AI providers. From the report: Katie Moussouris, a cybersecurity veteran and researcher who founded Luta Security, said in a blog post that Anthropic recently shared with her a private copy of a paper written by security researchers describing an alleged guardrail bypass in Fable 5. (The Wall Street Journal reports that the paper's authors are security researchers at Amazon.) Moussouris said that Anthropic reached out to ask for her take on the paper. Moussouris' blog post described how the researchers triggered the guardrail bypass, but said that the bypass itself "should never have triggered an export control." The difference is largely between asking an AI model to "review code for security issues" versus asking it to "fix this code."

The end result is largely the same, even if the questions are posed slightly differently. "The behavior described in the paper cannot meaningfully be fixed, and any attempt would only weaken the model for defense," said Moussouris, who criticized the export control directive as hasty, heavy-handed, and misguided. Moussouris and dozens of other top security researchers and experts have since called on the Trump administration to revoke the export control order, calling the move to pull advanced cybersecurity capabilities from network defenders in the U.S. as "dangerous."

Past administrations have made sweeping decisions on knowledge gaps. For instance, language used by the U.S. government during the 2010s to fix export law covering cybersecurity tools that could also be used for cyberattacks was so broad that inadvertently, it nearly outlawed legitimate security and vulnerability research. However, the Trump administration's directive appears retaliatory. Justin Hendrix, the editor of Tech Policy Press, said the Trump administration's move is "likely to raise alarms in foreign capitals about the reliability of American AI for critical applications." The message is that AI companies in the United States can't be trusted to operate without interference from the U.S. government.

The Trump administration hasn't confirmed why it invoked its export control directive. Did the officials misread the report and freak out? Did Amazon CEO Andy Jassy say something to senior government officials that prompted the reaction, out of caution or spite? Was something lost in translation, or was this a way to pressure Anthropic, with whom the administration already has a fractious relationship? It's possible that the White House was unaware of the far-reaching consequences of the letter's demand and officials are scrambling to undo the damage of their own making. To quote Hendrix, "the climate is one of a cloud of suspicion that senior officials are picking favorites based on personal and political factors." The aftermath is that the government has set a dangerous precedent about how much control it intends to wield over the release of American-made software. This time the government took issue with Anthropic; tomorrow it could be with anyone else.

Security

Cybersecurity Vets Protest 'Dangerous' US Government Ban On Anthropic's Most Powerful Models (techcrunch.com) 40

An anonymous reader quotes a report from TechCrunch: A group made up of dozens of cybersecurity experts, including several well-known veterans of the industry, published an open letter to the U.S. government asking it to lift the export control order on Anthropic's Fable and Mythos models. According to the open letter, "this action has taken the best models away from [cybersecurity] defenders" who now can't use the models to find vulnerabilities and make their software and products more secure. "To pull the best capabilities away from defenders without a good reason when our adversaries are rapidly advancing is dangerous," read the letter.

On Friday, the U.S. government ordered Anthropic to limit the export of Fable and Mythos, citing national security concerns, without explaining the specific reasons behind the order, according to Anthropic. In response, the company suspended access to the models to all users worldwide. As of this writing, the letter is signed by 76 cybersecurity experts, including Alex Stamos, former Facebook chief of security; Casey Ellis, the founder bug bounty platform Bugcrowd; Jon Callas, famed cryptographer and former Apple security design and architecture manager; Paul Vixie, computer scientist ; Dino Dai Zovi, the former head of applied security engineering at Block; Katie Moussouris, the founder of Luta Security; and Rachel Tobac, the CEO of the security awareness training firm SocialProof Security.

[...] Anthropic said that the White House export control order may have been based on a report that there was a method to bypass -- or jailbreak -- Fable to unlock its powerful Mythos-level capabilities. According to Katie Moussouris, one of the signatories of the open letter, the method was demonstrated by Amazon researchers in a paper that is not public but that she has reviewed. But Moussouris said in a blog post that the paper did not actually demonstrate a real jailbreak. Instead, she wrote, the researchers simply asked Fable to fix open source code with public and known vulnerabilities along with "deliberately planted vulnerabilities," after the model initially refused to "review the code for security issues."

"The behavior described in the paper cannot meaningfully be fixed, and any attempt would only weaken the model for defense," Moussouris wrote. "Defenders need to be able to ask AI to fix the bugs in a file, explain why the fix matters, and write tests that confirm the patch works. That is not a guardrail bypass. It is the most valuable thing an AI model can do for defensive security: executing the find, fix, and test loop defenders run every day." Moussouris' critique was echoed in the open letter, which also said that the group of experts believe the model capabilities in the Amazon paper "can be replicated" on OpenAI's GPT-5.5, on Anthropic's own publicly available Claude Opus 4.8 and Sonnet, "and even Chinese models like Kimi 2.7."

Moussouris told TechCrunch that "the bugs used to demonstrate the techniques in the paper can be found using the other models. The method in the paper is a guardrail bypass technique. Other models that lack the Fable guardrails often won't refuse the straightforward request to look for security bugs, so they don't need a bypass." The letter also asked for transparently and fairly enforced regulations created by "a democratic rule-making process" that are based on scientific research done by industry and academic experts, and "used only to the minimal extent necessary to ensure the safety of the American public."

First Person Shooters (Games)

Blizzard Sues To Take Down Another Private World of Warcraft Server, Project Ascension (aftermath.site) 32

"Blizzard Entertainment is continuing its crusade against private World of Warcraft servers," reports the gaming news site Aftermath: The company filed a new lawsuit on Friday in a California court against the makers of Project Ascension, alleging copyright infringement, Digital Millennium Copyright Act violations, and other claims. Blizzard Entertainment claims that Project Ascension is a "lucrative way to exploit and profit from the popularity of the WoW game experience," according to the complaint, obtained by Aftermath. Blizzard Entertainment's lawyers say in the complaint that Project Ascension purports to have "over a million players." Lawyers write that the developers have "distributed (and are continuing to distribute) millions of pirated copies of Blizzard's copyrighted WoW game software."

They also allege that Project Ascension's servers are hosted on Russian "bulletproof" servers with Aeza Group, a company that was sanctioned in 2025 "for its role in supporting cybercriminal activity targeting victims in the United States and around the world," per a U.S. Department of Treasury press release... Project Ascension lets players combine pieces of World of Warcraft's different classes to build unique characters. It's free-to-play, but players can purchase in-game currency, Donation Points, to buy things in-game, such as cosmetics and experience boosts. Blizzard Entertainment's lawyers assert that Project Ascension has made "millions of dollars from the sale of Donation Points...."

Blizzard Entertainment successfully sued a popular World of Warcraft server called Turtle Wow last year. The project had been running since 2018, taking donations from players for the free-to-play server. Both sides announced in April 2026 that they'd reached a settlement after Blizzard Entertainment was awarded a permanent injunction to shut down Turtle WoW. The details of the settlement were not made public. Turtle WoW was shut down for good shortly after May 15; players gathered online to mourn the end of the server.

Open Source

Vim Classic 8.3 Launched as an AI-Free Vim Fork (linuxiac.com) 57

This month saw the release of Vim Classic 8.3, the first stable version of a new long-term support fork of Vim maintained without generative AI tools. Linuxiac reports: The release is based on Vim 8.2.0148 and includes selected bug fixes and patches backported from later upstream Vim releases. Vim Classic was first announced by [SourceHut's CEO/founder] Drew DeVault in March 2026 after he objected to LLM-assisted development in Vim and Neovim. In his announcement, DeVault said he no longer wanted to use software developed with LLM assistance and introduced Vim Classic as a fork for users who want to continue using Vim without that involvement... Vim Classic follows Vim's charityware model and continues to direct users toward Bram Moolenaar's long-running support for children in Uganda. The release is distributed as a signed source tarball from SourceHut, while future important announcements are expected through the project's mailing list.
"Vim is important to me..." DeVault wrote in March. (DeVault even tattooed "hjkl" on his right arm.) "[A]lmost every word I have ever committed to posterity, through this blog, in my code, all of the docs I've written, emails I've sent, and more, almost all of it has passed through Vim."

But DeVault wrote that he also cares about AI's impact on air pollution, fresh water supplies, global supply chains, and the working conditions of miners in African companies: And at a moment when the climate demands immediate action to reduce our footprint on this planet, the AI boom is driving data centers to consume a full 1.5% of the world's total energy production in order to eliminate jobs and replace them with a robot that lies... All this to enrich the few, centralize power, reduce competition, and underwrite an enormous bubble that, once it bursts, will ruin the lives of millions of the world's poor and marginalized classes.

I don't think it's cute that someone vibe coded "battleship" in VimScript. I think it's more important that we stop collectively pretending that we don't understand how awful all of this is. I don't want to use software which has slop in it. I do what I can to avoid it, and sadly even Vim now comes under scrutiny in that effort as both Vim and NeoVim are relying on LLMs to develop the software... To keep my conscience clear, and continue to enjoy the relationship I have with this amazing piece of software, I have forked Vim...

Since forking from this base, I have backported a handful of patches, most of which address CVEs discovered after this release, but others which address minor bug fixes. I also penned a handful of original patches which bring the codebase from this time up to snuff for building it on newer toolchains...

I invite you to use Vim Classic, if you feel the same way as me, and to maintain it with me, contributing the patches you need to support your own use cases.

United States

Anthropic 'Suspends' All Mythos and Fable Access After US Order Limiting Foreign Access (reuters.com) 56

UPDATE: Amazon CEO's Talks With U.S. Officials Triggered Crackdown on Anthropic Models.

"Anthropic said on Friday it will 'abruptly disable' its most advanced AI models for all users," reports Reuters, "after the U.S. government ordered it to suspend access to the models for foreign nationals, citing national security concerns. The company received the export control directive to suspend access to Fable 5 and Mythos 5 for all foreign nationals, without being given specific details of its national security concern, Anthropic said in a statement."

Anthropic's blog post writes that the directive applies to foreign nationals "whether inside or outside the United States, including foreign national Anthropic employees. The net effect of this order is that we must abruptly disable Fable 5 and Mythos 5 for all our customers to ensure compliance."

"Access to all other Anthropic models will not be affected." We received the directive from the government today at 5:21pm (ET)... Our understanding is that the government believes it has become aware of a method of bypassing, or "jailbreaking" Fable 5... We have not even received a disclosure of a concerning non-universal potential jailbreak that led to a harmful result. The potential jailbreaks that have been disclosed to us are either entirely benign responses or are minor findings that provide no Mythos-specific uplift.

To date, the government has only given us verbal evidence of a potential narrow, non-universal jailbreak, which essentially consists of asking the model to read a specific codebase and fix any software flaws. Our understanding is that one potential jailbreak was shared with the government. We have reviewed a report that we believe is the basis of the government's directive and validated that the level of capability displayed there is widely available from other models (including OpenAI's GPT-5.5), and is used every day by the defenders who keep systems safe... We are complying with the government's legal directive and are removing access to Fable 5 and Mythos 5 for all users. However, we disagree that the finding of a narrow potential jailbreak should be cause for recalling a commercial model deployed to hundreds of millions of people. If this standard was applied across the industry, we believe it would essentially halt all new model deployments for all frontier model providers.

As we have stated publicly, we believe the government should have the ability to block unsafe deployments, as part of a statutory process that is transparent, fair, clear, and grounded in technical facts. This action does not adhere to those principles. We apologize for this disruption to our customers. We believe this is a misunderstanding and are working to restore access as soon as possible.

Reuters notes that Amazon's cloud unit AWS "said late on Friday that Anthropic has asked it to revoke access to the models for 'all users in all regions.'" Dean Ball, a former White House official who contributed to the AI Action Plan the administration issued in the summer of 2025, said in a post on X that the order suggests all "non-Americans" would be restricted from using Anthropic's latest models, including those based in the U.S. "This means you should expect to have to prove your citizenship to use Anthropic models," Ball said. Several key Anthropic personnel, including co-founder Chris Olah, AI researcher Andrej Karpathy and philosopher Amanda Askell, were born outside the United States.
Security

Microsoft Surface Flaw Allowed Unprotected Devices To Be Bricked By a Single Packet 21

Longtime Slashdot reader Dotnaught shares a report from The Register: For the past 90 days, Microsoft has been quietly patching a firmware flaw in Surface devices that allowed the hardware to be bricked with a single packet, though only for those who have disabled Secure Core and Secure Boot. And the company's Copilot AI software inadvertently helped identify the faulty firmware.

According to Jack Darcy, a security researcher based in Australia, his instance of Microsoft Copilot stumbled across the bug after being asked to adjust the screen backlighting on a Surface device. The Copilot-conjured Python script ended up rendering the researcher's laptop inoperable by overwriting the embedded controller firmware. "Copilot autonomously created and executed four progressively aggressive Python scripts during a probe for backlight control values that sent raw SSAM ioctl commands (SSAM_CDEV_REQUEST = 0xC028A501) directly to the SAM microcontroller through the SAM software path," Darcy explained to The Register.

[...] "We appreciate the work of Jack Darcy and The Register for reporting this issue under a coordinated vulnerability disclosure," a Microsoft spokesperson said in a statement. "Our investigation found that a deprecated UEFI interface could trigger a boot loop on some devices. To trigger this loop, the user must have administrator privileges and have already disabled the Secure Boot security feature. We have released updates to address the issue for most impacted devices."

That means managed devices are not at risk. But those using Linux, or Windows users who have disabled Secure Core and Secure Boot for gaming, or who use custom Windows drivers, or who have USB boot enabled, may still be vulnerable if their systems haven't received the update. We're uncertain about the range of Surface devices affected. Our source said it appears to be all of them (Surface Laptops 3-6, Surface Book 1-3) except for Surface Go models. ARM variants, however, have not been tested.
The report notes that Microsoft is planning to move the Surface stack to a more secure architecture based on Rust code.

"Our most recent Surface for Business hardware features a major architectural shift in terms of improved reliability and security that spans our embedded controller, UEFI, but also some of our drivers," said David Abzarian, chief architect for Microsoft Surface. "We're investing in the most secure foundation for a PC by building our embedded controller firmware from the ground up in Rust (as part of leveraging and contributing to the Open Device Partnership (ODP)) in addition to a rewrite of the UEFI DXE Core in Rust; these projects are known as Secure EC and Project Patina respectively."

"We're also not only shipping some of our drivers written in Rust, but also helping co-develop the framework Windows Drivers in Rust (WDR) to help enable a broad set of partners in the Windows ecosystem to capitalize on these benefits. I will also note that all of these efforts are open-source promoting one of our key security principles around transparency."
The Military

Pokemon Go Data Was Used To Help Train AI Systems Being Developed For Military Drones (dronexl.co) 44

Pokemon Go players' optional location scans reportedly helped train Niantic Spatial's visual positioning system, which uses camera imagery and 3D maps to navigate when GPS is unavailable or jammed. According to DroneXL, that technology is now being paired with Vantor's drone navigation software for military and intelligence use, raising questions about whether gamers understood that footage collected for in-game rewards could eventually support defense systems. From the report: The pipeline runs from a mobile game to the battlefield in three steps. Players scanned the physical world. Niantic Spatial turned those scans into a 3D map that lets a machine locate itself by sight when satellite signals fail. And in December 2025, Niantic Spatial announced a partnership with Vantor, the defense and intelligence firm formerly known as Maxar Intelligence, to fuse that ground-level system with Vantor's aerial navigation software for use in GPS-denied operations.

I have spent years covering how drones lose their way the moment an electronic warfare unit switches on a jammer, a problem that has spread from the battlefield into civilian airspace, from Ukrainian workshops cycling through navigation generations to American programs scrambling for alternatives. The unsettling part of this story is not the technology. It is where the training data came from, and whether the people who supplied it would have agreed had anyone explained the destination.
"Now as part of Scopely (the Saudi-owned company that acquired Niantic last year for $3.5 billion), Pokemon GO data is not shared with Niantic Spatial," a company spokesperson said in a statement to Kotaku. "AR Scans collected through Pokemon GO were submitted voluntarily by players who opted into the feature and were subject to the applicable Terms of Service and Privacy Policy at the time. The discontinuation of AR scanning and the end of data sharing with Niantic Spatial were part of the transition planning associated with Pokemon GO's move to Scopely."
Open Source

Euro-Office 1.0 Arrives To Open-Source Infighting: 'Compatibility Is Not Sovereignty' (zdnet.com) 81

An anonymous reader quotes a report from ZDNet: If digital sovereignty is important to you, and it certainly is in the European Union (EU), then you'll be pleased to know that EuroOffice, a new open-source browser-based office suite alternative to Microsoft 365 and Google Workspace, has officially reached its first stable release. A coalition of EU-based companies, including Nextcloud, Ionos, and other Euro-Stack participants, is positioning Euro-Office as a cornerstone of European digital sovereignty. However, The Document Foundation (TDF), LibreOffice's steward, accuses the project of reinforcing Microsoft's document lock-in, which TDF argues isn't friendly to open standards.

Setting aside the open-source politics for the moment, here's what Euro-Office brings you. The release went live on June 9. It is, however, not a stand-alone office suite. As the software's backers explain in a FAQ, "Euro-Office is more of an integration component. It merely handles document editing itself. Storage, as well as navigation, permissions, and sharing logic, have to be offered by a platform it is integrated in, like Proton Docs, Nextcloud Hub, or OpenProject." So, while you can install Euro-Office on your own Linux server, you'll need to integrate it yourself. If you're not a Linux expert, however, don't give up hope. Some companies have already released packaged, ready-to-install Euro-Office stacks, including Nextcloud Hub 26 Spring, Ionos' Nextcloud Workspace, and Office.eu. These initial deployments are web-based rather than standalone desktop suites.

The goal, organizers say, is to give European organizations a way to host their office suite on EU infrastructure under EU law, while maintaining an experience familiar to Microsoft Office users. Specifically, Euro-Office is meant to be "a solution for editing documents, spreadsheets, and presentations, developed as a true sovereign community collaboration of over a dozen different organizations."
TDF's main objection is that Euro-Office's decision to default to Microsoft's OOXML format undercuts its claims of European digital sovereignty, since OOXML remains closely tied to Microsoft Office behavior and control. "Compatibility is not sovereignty," TDF warned, saying a European-branded suite that saves files in OOXML by default "is de facto an ally of Microsoft in its content lock-in strategy."

Slashdot Top Deals