The Register

Once you're done with your smartphone, it either ends up in a drawer, on the growing second-hand market, or perhaps in a recycle bin. However, it's a computer and, when combined with others like it, can offer real processing power. Computer scientists at the University of California, San Diego, working in collaboration with Google, plan to deploy a rather unusual compute cluster built not from conventional servers, but using 2,000 retired phones. The goal is to demonstrate how these devices might continue to serve as a low-cost, low-carbon computing platform after their original owners have abandoned them for a shiny new widget to doomscroll TikTok on. “The project was the brainchild of Jennifer Switzer, a former PhD student at UCSD who is now working on a post-doc at Google,” Ryan Kastner, an associate professor of computer science at UCSD, told El Reg. In particular, UCSD will be using 2,000 Pixel Fold smartphones courtesy of Google. Google estimates that the average person upgrades their phone every four years or so. While the physical device and battery may show some wear and tear from their years of service, their core computing functionalities remain intact. “It's just a vast amount of sort of thrown away compute and recycling is a terrible option for most of these smartphones,” Kastner said, adding that Switzer started by building a couple of small clusters using smartphones to prove the concept. Since then, the project’s scale has grown considerably. According to the Chocolate Factory, the motherboard represents about 50 percent of the smartphone’s embodied carbon. A lot of early testing used unmodified smartphones, Kastner noted, but as the team quickly learned, this wasn’t practical or safe. “In some early meetings with Google, their engineers said that, if you're going to put these in the datacenter, those batteries are no-go — a lot of things are a no-go — because they're just fire hazards,” he said. Some of this work was done by researchers, including Switzer and another UCSD computer science prof Patrick Pannuto, but for the full deployment this fall, Kastner said, Google is working with a third party to extract the phones' motherboards from their cases. Once the phone’s motherboards have been extracted from their shells, the researchers say that the chips hiding within remain more than potent enough to be useful for a variety of tasks. In many cases, the single-threaded performance of these chips is as good as, if not better than, what you’d find from a many-cored datacenter chip. The Pixel Fold smartphones, which will form the basis of the cluster, are powered by a Google Tensor G2 processor with two 2.85 GHz Cortex-X1, two 2.35 GHz Cortex-A78 and four 1.80 GHz Cortex-A55 Arm cores, a Mali-G710 MP7 GPU, and 12 GB of system memory. Early benchmarking using the SPEC suite suggests that 25-50 phones should deliver performance similar to that of a conventional server. The major challenge, instead, is distributing workloads across multiple devices, each of which has a handful of cores of one or more varieties, and most have 8-12 GB of memory. UCSD researchers are approaching this challenge from a couple of different angles. The first is by targeting applications that can easily fit within a single device. The second is using Kubernetes to orchestrate container deployments across clusters of 25-50 phones. For this to work, the devices first need to be flashed with a Linux operating system suitable for the job. While Android makes for a great handheld experience, it is not intended for server duty. In the blog post, researchers note that Android includes functionality intended to stop rogue applications from chewing up excessive amounts of memory and draining your battery. In server context, these safety mechanisms are no longer necessary. Kastner told us this was by no means an easy task, but the team has made steady progress toward getting Linux running smoothly on these devices, including support for the phone’s onboard GPUs. Access to some functionality, like the chip’s integrated tensor processing unit, remains elusive. Clustering these devices will require networking the phones together. Normally these devices would connect over cellular or Wi-Fi, but at this scale, this not only isn’t practical, but also has implications for security, he explained. Instead, the team will employ PCBs that both supply power and break out wired Ethernet networking. The researchers suggest that many EdTech, grading, and research workloads commonly run by universities in the cloud are small enough to run on the cluster without issue. “The vast majority of these applications are within the capabilities of a single smartphone to host, with the standard grading backend running on small cloud instances,” a blog post detailing the planned deployment reads. “Early experiments show that even a moderately-sized cluster of 20 phones is capable of supporting peak submission rates for a 75+ student class.” "A lot of the sort of function as a service workloads seem to make a whole lot of sense, because they're sort of sporadic, and don't need a whole lot of high-performance compute," Kastner said. Alongside traditional IT applications, the cluster will also support exploration into parallel computing and systems programming, which sounds an awful lot like the smartphone equivalent of the Beowulf clusters of the ‘90s, which saw researchers cobble together supercomputers from consumer PCs. UCSD is also home to the San Diego Supercomputing Center. Kastner told us the plan is to make the cluster available to teams working at the center, which suggests we could see a High-Performance Linpack run before long. The full smartphone cluster is expected to launch this fall. Depending on how well the initial phase goes, we're told the cluster could grow even larger. This is far from the only unorthodox cluster we’ve seen in recent memory. Just up the Pacific coast from San Diego, UC Santa Barbara deployed what at the time was the largest Raspberry Pi cluster ever. The system, built in collaboration with Oracle, featured 1,050 Raspberry Pi 3B+ single board computers. More recently, we came across a tiny cluster developed by Gigabyte that packed 40 Intel Lunar Lake notebook processors, each with eight cores and 32 GB of memory, into a system the size of a pizza box. ®

A San Francisco startup best known for its AI-generation software is making a bizarre leap into medical imaging, and trying to says it hopes draw curiosity-seekers into its new spa to get scanned. On Wednesday, Midjourney announced the establishment of Midjourney Medical, which it admitted was a bit out of left field. To promote the tech, it claims to be opening a spa in San Francisco where guests will be able to step “into a shallow pool of golden light,” before being lowered into a tank where ultrasound sensors bombard their bodies in order to take a scan that AI pieces together into MRI-like images. This sounds like the plot of a cheap sci-fi movie, but there is some real science behind it. “As you descend into the water, hundreds of thousands of tiny elements take turns, sending out waves, listening together, compressing and then streaming data to a massive cluster where thousands of computers split the task,” Midjourney explained in the announcement. “By looking at how the shapes of all the waves change, we reconstruct a detailed map or ‘image’ which basically lets us figure out what’s in there.” That “basically” isn’t exactly reassuring when Midjourney says it wants to have 50,000 or more of the things deployed around the world by 2031 “with a total scanning capacity of a billion scans a month” for use as a preventative health tool. It’s not clear how fast the process is with the prototype unit, but Midjourney said its goal is for the whole thing to take around a minute. “We think it's completely possible that with enough early imaging in the future, the world could avoid 30% of all deaths and 50% of all healthcare costs,” the company added. According to a “technical” video included in the announcement, there’s a ring of 40 scanners included in the prototype unit the company has built. That ring of 40 elements contains 358,000 ultrasonic elements made up of tiny transducers that create ultrasound waves in water while listening for how they change when they slap the body of whoever is in Midjourney’s dunk tank up to a thousand times a second. The Midjourney Scanner, as the company has named it, can capture tissue details up to half a millimeter, which is on par with standard clinical MRIs, but pales in comparison to the resolution of more advanced designs. Oh, did we not mention our partner? Midjourney said its scanner is the first of its kind ever constructed, but the technical video says it relies on Fullbody Ultrasound Computational Tomography (FUCT, or USCT, as the industry has taken to calling it to avoid the more questionable acronym). That's not new. Fast, full-body ultrasound scanning that requires patients to be submerged in a water tank has been an active project at Caltech based on a research paper from earlier this year. Same goes for the sensors Midjourney is including in its scanner. You wouldn’t know that from reading the announcement, which makes it seem like this was a project entirely of Midjourney’s own AI fever dreams, but ultrasound tech firm Butterfly Network was compelled to issue its own press release “following Midjourney’s public announcement” in order to “provide commentary” on the AI outfit’s new venture. Butterfly confirmed in its release that it provided the 40 ultrasound imaging modules for the Midjourney Scanner. The hardware was “licensed under a co-development agreement between the two companies,” according to Butterfly. According to a 2025 SEC filing, Butterfly expects to rake in $74 million over five years for providing the hardware. There's some irony in Midjourney's failure to mention its partner: The company has faced lawsuits claiming it used copyrighted works without permission to train its AI image generation model. We reached out to both companies to learn more. Midjourney didn’t respond, and Butterfly declined to add anything beyond what was in its press release. Midjourney said that it’s planning to open its first ultrasound scanner spa at the end of 2027, but it has another hurdle to jump: FDA approval. Beyond improving its tech so that the second-generation scanner is ready for its 2027 spa date, “regulation is the next limit,” the company said. “Normally, for every diagnostic medical capability you need FDA approval,” Midjourney explained. “We’re starting by just giving you detailed body composition maps — and we’ll be submitting regular test results to the FDA for increased capabilities.” Midjourney also fails to mention how it will store and secure those scans, whether it will use said scans to train its body composition-detection algorithms, and how it’s ensuring those algorithms get things right that it usually take a human a few years of education and training to learn. ®

If you live long enough, you'll wake up one day and find that you're living in a world you no longer understand. Lately there are things happening with AI in a couple of disparate parts of Amazon that brought that lesson home in a big way. The first is that, late last year, they acquired Bee, an AI wearable that is distressingly, upsettingly good. The second, which I want to talk about today as I fly back from AWS's NYC Summit, is Quick Desktop. The best way to describe this is "Enterprise OpenClaw in a polished app." Yes, I know this sounds like I'm being blackmailed. Read on. You work at Amazon, right? Amazon has spent the last three years breathlessly telling us that they're a leader in AI, then shipping products which make it clear that they're unsure what leadership looks like. They've spent far longer building user interfaces that carry a design aesthetic of "complete crap." Even Amazon's website, where you buy everything from underpants to chainsaws to dog food to more underpants, is not a well-designed interface; we've all just learned to live with it. The single good interface to come from Bezos and Coo was the Kindle e-reader: push a button, the page turns. And then they removed the buttons. So yes; "We're launching a desktop AI assistant" is the exact opposite of encouraging coming from these folks. It started like you'd expect. You pop over to the download page and grab the download. On a Mac it's half a gigabyte because of course it is; this is totally normal and fine in 2026. Install it, fire it up, and ... wait a bit. It has to think, and gather its wherewithal before it can get to work. And then the hits start coming. I had talked to people who have used this and raved about it. The problem here is that all of these people work at Amazon, and the current state of the product reflects that. They have a single identity provider they use internally; external users see a confusing array of offerings, each with its own byzantine flows. The feeling is not dissimilar to waking up in the middle of a hedge maze, with no idea how you got there, and discovering that someone just set it on fire. At one point during my time using Quick Desktop, I was logged out and had to log back in. After guessing seven different identity providers, I gave up and emailed the service team for help with this. After some back and forth, I was able to get back in. (GitHub! Future Corey, if you find yourself in this situation, you authenticated via GitHub!) It's clear that the people building this service aren't living the external user experience. It's why I maintain that Amazon's internal AWS account management tool is the service that I hate the most; it separates the people building AWS from the customers using it. At the moment, other similar challenges show up. You'd never have more than one email account from the same provider, right? (Google Workspace in my case, provided it hasn't been deprecated by the time this article goes to print.) You'd never have business conversations via iMessage, or Signal, or LinkedIn DMs, or any number of other services, right? The point isn't the snark; it's that Quick Desktop only knows about the channels its connectors deign to support. Every deal I've ever closed in a LinkedIn DM, every favor traded over Signal, every "hey, quick question" that arrived via iMessage is simply invisible to it — but it makes its confident little suggestions anyway, blissfully unaware that a good chunk of my professional life happens in places it can't see. Here's a free hint to the product team: do you think I mentioned the Bee in the opening of this article because I'm making a fashion statement? And then it starts to work… Once you prove yourself worthy by getting Quick Desktop set up, it ... sits there without doing much. It has a chatbot interface, which surely you've never seen before in an app, backed by a personality I'll call "Uninspiring Accountant." What was the point? And then things start to happen. Your activity feed starts surfacing things from your email. From Slack. From your calendar. I don't know about the rest of you, but my email inbox is where tasks and hope go to die. Slowly but surely, Quick Desktop starts making suggestions, surfacing things that you should handle, proposing email drafts (ugh, in such a bland corporate voice; I hope this email finds you before I do), and giving you quick links to the various apps where these things live so you can see the context it's surfacing. I went in skeptical, partly because I'd already cobbled together a janky version of this for myself by pointing Claude Code at a pile of APIs, so I had a decent sense of what these things miss. And that's when I became a Quick Desktop convert: it flagged an email buried forty messages deep in my inbox that I'd mentally filed under "dealt with" - but very much was not. My own inbox had given up on me like everyone who's ever tried to love me, but Quick Desktop hadn't. This is an Amazon product, and it's pretty clear that they expect you to work with Quick Desktop the way they reportedly work with their own employees: by beating them into compliance. Their own custom connectors and (lack of) extensibility system make it pretty clear that there's a corporate IT department somewhere that's configuring and getting this set up for folks. I freely admit that's not my use case; I'm testing this by myself, not sharing it with my colleagues. But the product is improving. Today, it doesn't really sync data or state between multiple machines; we're still waiting for Amazon to discover this whole "cloud" thing. That's almost certainly going to change in the near future. Along with the just-announced AWS Context approach, once you have a team of people using it, the shared knowledge graph it can build about your entire organization promises to be a significant boon. The part where I trust Amazon That same knowledge graph is also a massive security treasure trove: every deal, every org-chart grudge, every "please don't forward this," every "how do I do the basic functions of my job" chat sessions, lives in one queryable place. Handing that to a vendor terrifies me. It should terrify you. And yet Amazon is one of a vanishingly small number of companies I'd trust with it. I want to acknowledge how strange it is that I just wrote that. I have spent a decade as a professional thorn in this company's side. I have a financial incentive, a personal brand, and frankly a temperament that all point toward not trusting AWS with so much as my lunch order. But credit where it's due: whatever else they get wrong, Amazon takes security and data privacy deadly seriously, and they have the scars and the org structure to prove it. I have lived through this multiple times, and I've seen what AWS does when security competes with other pressures. The list of companies I'd let build a map this detailed of my business is damn short, and most of the names on it are not the ones building these products. They have the security chops, but they have a completely different massive marketing problem. How do you get customers to try this out when you've incinerated your credibility in this space like it's your engineering team's token budget? "For once we have a product that is not shite," while honest, is probably going to be tricky to get through AWS corporate comms. Would I use it myself? I am Reader, I pay cash money for this. Everything I've said above about its sharp edges are true, and I've barely gotten started. I have three pages, ten slides, and one interpretive dance full of "here's why the product sucks" feedback I'll be giving to their product team, who are going to be astounded when I bust into their office uninvited. But I'm not throwing stones from the sidelines on this: "I am a paying customer, and I want this thing I pay you for to be better than it is, so you will listen to every goddamned word I have to say" is a powerful message, and one that's particularly resonant to Amazonians. I can see a world in which I roll this out to the rest of the company. My Claude Code contraption is interesting and in some ways more capable, but it scales precisely as far as "grumpy former sysadmin with a penchant for the CLI" and not one inch further. Our team would justifiably revolt if I tried to inflict it upon them. The hell of it is, the only thing that Amazon has to do to get Quick Desktop to beat my Frankenstein setup is "let Quick configure itself." Yes, there are problems with that approach; I leave them to Amazon to sort through. And so... I don't entirely know what to do with myself in a world where suddenly Amazon is shipping desirable AI products that I'm happy to pay for. First the Bee wearable and now this. That's two data points, and for a company whose AI track record reads like a list of things to apologize for, two data points is alarmingly close to a trend. Their biggest problem is going to lie in outrunning their own shadow, and changing their own nature. I used to be confident they couldn't. I'm less confident now, and I'm not sure how I feel about that. ®

Your next work PC could live in the cloud. A couple of years ago, the Cloud Software Group – the private-equity-owned vendor that mashed up Citrix with Tibco – built a tool to analyze the ideal desktop environment for its users, a cost-control exercise aimed at ensuring it wasn’t spending big on under-utilized endpoints. Last month, the company productized the result and put it on sale under the name “Citrix DaaS Flex.” The product is effectively a front for Citrix’s existing portfolio of desktop-as-a-service (DaaS) and application publishing tools. Deploying Flex starts with an assessment of an organization’s endpoint fleet, which general manager for the company’s DaaS portfolio Shawn Bass told The Register often includes many inappropriate machines. Bass believes that few organizations have the data to understand which cloudy PC instance types are appropriate for their users, or experience running fleets of hosted PCs, so they end up paying too much for virtual machines that have far more performance than some users require. Others, he said, end up with bill shock if they sign up for consumption-based pricing. Some use virtual PCs when they can easily get by with a hosted managed browser locked into certain SaaS sites and published apps. Once Citrix figures out what your users need, it suggests “personas” – a collection of templates that suit different users. Bass said that organizations often need three personas – one each for task workers, knowledge workers, and power users. A persona could involve a full cloud PC, a managed browser, or just access to published apps. Whatever the recommendation, Citrix goes and makes it all happen. Users don’t see the company’s products; they just get to consume endpoints. Citrix runs the virtual PCs in Azure. Citrix charges for Flex using a system of credits. It might price a virtual PC for a power user at 60 credits a month, for example. After assessing users’ endpoint needs, Citrix will propose a credit budget, and a deal spanning three or more years and billed monthly. Users can hold back some credits to take into account seasonal usage spikes – Bass suggested retailers who add staff for Christmas shopping might plan to use more credits for a couple of months a year, without exceeding the total credits available over the life of a contract. Citrix budgets for virtual PCs to run between 10 and 14 hours a day. If users burn the midnight oil and incur extra Azure costs, that’s Citrix’s problem. Bass told us that Citrix plans to bring Flex into other hyperscale clouds and is also looking to make it work with on-prem platforms. The Reg suspects that will mean long-time partners like Nutanix get a look-in. A version for the channel is also in the works. When we cover virtual desktops, readers often note that accessing a cloudy PC requires an actual PC, or another device, and suggest that’s wasteful. Bass thinks the times may now suit DaaS, because the high price of memory means PC fleet refreshes are more expensive. Cloudy desktops, he thinks, therefore represent an upgrade path. Of course, he would say that because Citrix offers its own lightweight OS – eLux from Unicon – tailored to remote access and which comfortably runs on old PCs. Bass said customer interest in that offering is rising. ®

Canonical has published more details about the local speech-to-text engine that will take dictation in the forthcoming Ubuntu version 26.10, aka "Stonking Stingray." In a post on the company’s Discourse forums on Wednesday, the outfit named one of the most significant new elements that’s coming in the next version: Myna: Speech to Text for Ubuntu Desktop. Earlier this month, we reported from the Ubuntu Summit that Canonical was going big on AI and that one of the first signs would be speech-to-text input via locally run speech-recognition models. After the Summit, the company then published the Ubuntu Desktop 26.10 “Stonking Stingray” Roadmap, as we mentioned towards the end of our review of MX Linux 25.2. The announcement explains – and illustrates – what the plan is, how it will work, and the user interface that the team is aiming for in the initial release: For Ubuntu 26.10, we’re deliberately focusing on the basics: a reliable desktop dictation. The initial experience will be simple: Press a keyboard shortcut, speak naturally, and see the resulting text appear in the application you’re using. Myna is designed to provide speech recognition with clear visual feedback while dictation is active. This is good stuff. Although it won’t be an accessibility revolution on its own, it’s an important step and will help desktop Linux catch up with the commercial competition. Speech recognition is built into Apple’s macOS in a tool called Voice Control. On modern Macs with Apple Silicon processors, the recognition engine is on-device and works offline. For a few months in 2023, The Reg's FOSS desk was unable to use his right arm, and when he returned to work, he dictated his articles into an M1 MacBook Air using this feature. Register columnist Colin Hughes knows much more about such matters than we do. He wrote about how Voice Control needed more work later that same year, and he returned to the subject on Global Accessibility Awareness Day – May 21. Microsoft’s current offering is called Voice Access, which is replacing the Windows Speech Recognition tool that Microsoft introduced with Windows Vista in 2006. The Myna project will be open source, and there’s already a GitHub repository for it, but there’s not very much there yet beyond some planning notes. There’s time: although the October release of 26.10 is only about four months away, this is not a major new pioneering technology. Various tools can already do similar things. One of the first was Mycroft, although it is no longer around: some three years ago, The Register described how the creator of the Linux virtual assistant blamed a "patent troll" for the project’s death. There is also Michal Kosciesza’s Speech Note tool, which you can install from Flathub. Last August, we reported on the release of FFmpeg 8, which can use the local whisper.cpp version of OpenAI’s Whisper model to do on-device speech-to-text, enabling it to automatically add subtitles to video files. Although this writer is unconcerned about being labelled an AI hater, we do feel allowing voice control of a PC is an acceptable and beneficial role for the technology. Or as the author of jqwik and noted AI skeptic Johannes Link put it, an Ethical Use of Generative AI. ®

It might not yet have reached Earth orbit, but Relativity Space has announced plans for a mission to Mars carrying a NASA payload. The mission, dubbed Aeolus and scheduled for 2028, will launch a Mars orbiter carrying four NASA-built instruments. Relativity Space will supply the rocket, spacecraft, and cruise operations, while NASA will deal with the payload. The four instruments comprise a Doppler wind and temperature-sounder, a thermal limb sounder, a surface radiometric sensor package, and a wide-field context camera. NASA will support instrument operations for at least one Martian year, while Relativity Space will maintain the spacecraft. NASA's Ames Research Center will be responsible for designing, building, and integrating the payload. Data collected by Aeolus will be used to improve models of dust, winds, temperature, and seasonal atmospheric behavior. It will also, according to NASA, "generate the detailed environmental knowledge required to reduce risk for future crewed and uncrewed landings. These measurements will directly inform entry, descent, and landing systems and support safer, more predictable mission planning for astronauts." NASA's Mars Odyssey and Mars Reconnaissance Orbiter already have spent decades orbiting Mars. Its MAVEN spacecraft was declared unrecoverable after controllers lost touch with the vehicle at the end of 2025. The Mars Sample Return mission, slated to recover samples deposited by NASA's Perseverance rover, is unlikely to reach the red planet any time soon. NASA boss Jared Isaacman said: "Public-private partnerships like this are a force multiplier for science," extolling the virtues of "pairing NASA's world‑class instruments with commercial innovation and investment," but the mission is a risky endeavor. Relativity Space has yet to get into Earth orbit, let alone beyond. Its first rocket, the mostly 3D-printed Terran 1, experienced a problem during its second stage burn, although it did manage to pass the 100 km Kármán line and reach space. The company has been working on Terran R since 2023, a medium-to-heavy-lift reusable rocket. The first launch of the vehicle might take place this year. NASA has increased commercial involvement in its missions in recent years. The agency's lunar ambitions lean heavily on vendors such as SpaceX and Blue Origin, and the upcoming Swift rescue mission, a high-risk, high-reward attempt to boost the orbit of an observatory, is being undertaken by Katalyst Space. The approach has, however, attracted criticism from some NASA veterans, one of whom expressed concern to The Register that the thoroughness that defined the missions of the 1970s might not be such a priority in the future. That said, the agency's budget is also not what it was. Increasing risk by doing more with less evokes the ghosts of the '90s and the "faster, better, cheaper" management philosophy at NASA that did not work so well. Although NASA did not say so in its post, the Aeolus mission requires unproven rocket and spacecraft technology, and a commercial vendor who hasn't even reached orbit yet. The potential rewards are considerable, but a failure could prove unpalatable. ®

ZTE announced that China Telecom Guangdong has officially released the E‑Surfing Simulation 2.0 – Cross‑Vendor IP Network Simulation Standard at the Talent & Expertise Development Forum (Peizhi Talent Empowerment Initiative) hosted by the company. Built on the joint simulation system co-developed by ZTE and China Telecom Guangdong, the standard applies digital twin technology to form a closed‑loop workflow from change submission through simulation verification to implementation authorization. This marks a pivotal shift of network O&M from experience‑reliant manual work to systematic pre‑verification. The solution has become a replicable benchmark for multi‑vendor collaborative simulation in the telecommunications industry, serving as a milestone to accelerate the rollout of intelligent network operations across the sector. Achieving High‑Precision Network Simulation to Strengthen Predictive O&M Capabilities The system adopts advanced network mirroring technology and proprietary protocol simulation algorithms, overcoming the traditional bottleneck of resource‑intensive dynamic modeling. It achieves over 95% digital twin fidelity for device status and routing protocols. O&M staff can accurately evaluate the impact of network adjustments in advance, enhancing the safety and precision of network operations. Breaking Multi‑Vendor Simulation Barriers to Build an Efficient O&M Model As communication networks keep expanding and evolving into more complex architectures, cross‑vendor O&M faces prominent challenges including low modeling efficiency, difficult collaboration and excessive resource consumption. ZTE and China Telecom Guangdong have innovated a distributed cross‑vendor simulation architecture following the principle of vendor‑specific simulation, unified collaboration. A global coordinator works seamlessly with dedicated simulation systems from different vendors to eliminate device simulation barriers, effectively reduce development and maintenance costs and enhance system scalability. Remarkable Pilot Results Enable Zero‑Error Network Changes Prior to the standard release, China Telecom Guangdong and ZTE completed phased pilot deployments from single-vendor to multi-vendor scenarios in Foshan and Yangjiang. The pilots covered all devices on the new metropolitan area networks of the two cities, targeting four core scenarios: protocol parameter modification, new home broadband service cutover, new device commissioning and network transformation. The solution covers more than 90% of mainstream network change scenarios. Field tests prove that pre‑simulation verification can substantially lower network change risks and realize zero‑error operations, laying a solid foundation for large‑scale nationwide promotion. Looking ahead, ZTE and China Telecom Guangdong will further upgrade system functions, expand application scenarios and iterate the standard to solidify the ecosystem of cross‑vendor intelligent O&M. Leveraging technological collaboration, ZTE will build the HI‑IPNet high-performance and high-intelligence IP network core platform, driving the IP network to evolve from manual O&M to intelligent scheduling and global cross‑network coordination. Committed to openness and continuous innovation, ZTE will partner with global industry players to advance the automation and intelligence of telecommunication networks, empowering the high‑quality development of the digital economy. Contributed by ZTE.

EXCLUSIVE Google has a security hole in a Kubernetes operator that could allow attackers to bypass Google Cloud Platform (GCP) identity and access protections and gain full control over any organization's cloud environment. Or it has a serious communication and transparency problem when it comes to its bug bounty programs. Maybe both. Researcher and frequent cloud bug hunter Justin O'Leary told us that he found and reported to Google a major flaw that allows any Kubernetes namespace user to bypass GCP's Identity and Access Management (IAM) controls and therefore gain root access to managing an organization's cloud resources. Google initially rated the bug high priority and high severity, with a rep telling O'Leary "Nice Catch!" Then, the cloud giant changed course and told O'Leary and The Register that there's no vulnerability, so no fix and no reward payout. The bug report, however, is still marked high-priority and accepted. O'Leary spoke exclusively with The Register about the vulnerability, which he named ConfigConfusion, and what has happened since he reported it to Google on March 8. He is also releasing a blog post with more details. It stems from an issue in Config Connector, an open source Kubernetes add-on that lets users manage Google Cloud resources through Kubernetes. According to O'Leary, Config Connector doesn't perform an authorization check, and this allows any Config Connector service account with org-level permissions to bypass Identity and Access Management (IAM) authorization and gain the highest level of control (roles/owner) to an entire GCP Organization – the root node of all of a company's resources within Google Cloud. On March 27, a Google security engineer accepted O'Leary's report and told him: "Nice catch!" The employee said that they filed a bug based on O'Leary's report with the relevant product team and assured him the Chocolate Factory's security squad would work with relevant Google Cloud people to fix the flaw. "We'll work with the product team to ensure this issue is address. We'll let you know when the issue was fixed," the engineer said. "In the meantime, review the payment option selected in your bughunters.google.com profile." Google assigned the bug P1 priority and S1 severity, signifying a flaw worthy of urgent repair because it affects a large percentage of users and can disrupt core organizational functions. "I figured that was the end of that," O'Leary said in a phone interview with The Register. Eleven days later, on April 7, he received a new message from a Google Security Bot reversing the earlier decision. The Reg viewed the email, and O'Leary included a screenshot in his Thursday writeup. The message said that the Cloud Vulnerability Reward Program panel decided that the "security impact of this issue does not meet the criteria to qualify for a reward." After reviewing the bug report, Google determined the software "is working as intended," the message continued. It also noted that the program's decision not to pay a bounty "does not mean that the product team won't fix the issue." Nearly three months later, the case remains P1/S1 with the status "in progress (accepted)." Google hasn't assigned a CVE or issued a fix. O'Leary didn't receive any reward for his research. This isn't the first time this has happened to O'Leary – or other security researchers submitting bug bounty reports. O'Leary had a similar experience with Microsoft earlier this year. In a story that has become all too familiar among bug hunters, O'Leary disclosed a privilege escalation vulnerability in Azure Backup for AKS. Microsoft rejected his report – and then silently patched the flaw without assigning a CVE or publishing a security advisory. "This is a pattern," O'Leary told us. "This is just how these trillion-dollar companies deal with people like me. In my day job, we use GKE, and it's incredibly frustrating on my end, when I find a critical vulnerability in the system that's being widely used, and I can't even get the vendor to patch their own stuff." Google's response When The Reg asked Google about O'Leary's situation, the company told us that it didn't issue a bug bounty reward because there's no vulnerability. “The issue reported does not qualify for a reward because the GCP IAM authorization bypass is only exploitable if an attacker has access to a Config Connector Service Account that’s been granted the Organization Admin role by the organization (i.e., it is privileged)," a Google spokesperson said in an email to The Register. "Additionally, an attacker would first need to gain entry to an organization's environment (e.g., an exposed container) in order to leverage the privileged Config Connector instance and execute commands with administrative authority, such as the IAM bypass," the spokesperson continued. "Granting this level of access to the Config Connector Service Account goes against Google Cloud’s publicly shared best practices and the principle of least privilege." Google did not answer The Register's questions about why the bug report case remains marked in progress – and not closed – on its end of things. O'Leary told us this is the same explanation he received. And he doesn't buy it. Yes, the Config Connector service account does need org-level permissions to manage resources across multiple GKE clusters. But Google's own documentation instructs users how to do this, he noted. We confirmed this as well. Moreover, "having those permissions doesn't mean any namespace user should be able to abuse them," O'Leary posited. "A developer with kubectl access to one namespace – and zero GCP IAM permissions – should not be able to become Organization Owner. They also shouldn't be able to impersonate any service account in the project with no audit trail." According to O'Leary: "The vulnerability is the missing authorization check. Config Connector executes privileged operations on behalf of users without verifying those users are authorized." Three lines, five seconds, full admin control In a video demonstrating ConfigConfusion, O'Leary shows how an attacker can write three lines of YAML to achieve full administrative control of a GCP Organization in about five seconds. "Config Connector has these missing validation checks," he said. "Config Connector is basically a Google-managed Kubernetes operator, and I found that having these missing validation checks creates these confused deputies, which means there's no validation of who's asking for what." Confused deputies pose a major security challenge because they allow an entity that doesn't have permission to perform an action to force a more-privileged entity to perform the action. To exploit this issue, a user with kubectl access to one namespace – and no GCP permissions – submits a malicious IAMPolicyMember, which escalates the attacker's privileges. Config Connector passes the user-controlled organization ID directly to the GCP IAM API without performing an authorization check, making the user a GCP Organization owner. This gives the attacker full admin control over everything in the environment – projects, secrets, billing, and Gmail accounts. "And there's no record of it," O'Leary said. This is because "the attacker's Kubernetes identity never touches GCP IAM," he wrote in the disclosure. "Config Connector executes the request using its own elevated credentials." 'Jenga' vulnerabilities According to O'Leary, Google has fixed this confused-deputy issue twice before in different services that access GCP. Tenable Research documented those issues and reported them to Google. One, called ImageRunner, abused permissions in Google Cloud Run to pull private Google Artifact Registry and Google Container Registry images in the same account. The second, ConfusedComposer, allowed an identity with edit permissions inside a Cloud Composer environment to escalate privileges to the default Cloud Build service account. "This privilege-escalation vulnerability in GCP builds upon a broader attack class of vulnerabilities in cloud services that we call 'Jenga,'" Tenable security researcher Liv Matan said at the time. ConfusedComposer "exploits the somewhat-hidden cloud provider misconfigurations related to cloud services permissions to escalate privileges beyond intended access levels," Matan explained. "This variant highlights how attackers can abuse interconnected services the cloud provider automatically deploys behind the scenes, as part of a service-orchestration process." Google ultimately added authorization checks to both Cloud Run and Cloud Composer. O'Leary says he doesn't understand why Google can't also add that check to Config Connector. Or perhaps he does. "It's just me versus Google," he said. "They can't do that same level of gaslighting to Tenable because they have PR teams and legal teams to fight them. I'm just a guy saying I don't understand how this is true" – that is, how something can be both a high-severity, high-priority bug and also working as intended. "And they just say: 'Well, it is true.'" ®

When enterprises first began building AI strategies, the default assumption was straightforward: AI would run in the hyperscaler cloud. The APIs were ready, GPU capacity was building out, and the inertia of a decade of public cloud investment pointed in one direction. Broadcom’s Private Cloud Outlook 2026 report finds that, as enterprises move to scale, the direction has changed. The Private Cloud Outlook 2026: The AI Tipping Point draws on a blind, global survey of 1,800 senior IT leaders across eight countries. Now in its second year, the report tracks a shift in cloud strategy that is no longer something on the horizon, but one already showing up in production workloads, capital budgets, and board-level priorities. Enterprise AI has found its infrastructure home in private cloud. Production AI is moving to private cloud Last year, 56 percent of enterprises used public cloud as the primary environment for production AI inference. This year, that figure has fallen 15 percentage points to 41 percent, while 56 percent of enterprises are now running or planning to run production inferencing in a private cloud. The shift goes deeper than the top-line numbers. Forty-three percent of enterprises actively repatriating workloads are moving AI training, large language models, and inference out of the public cloud, a category that did not exist in last year's study. The broader repatriation trend has accelerated sharply as well: 83 percent of enterprises are now considering repatriation , up from 69 percent in 2025, and half have already moved at least some workloads, a 15-point jump in a single year. The forces driving enterprise AI to private cloud are the same ones that pulled storage, security-sensitive applications, and regulated data there before it. Security, control, cost, and governance did not become more important because of AI, but the consequences of getting them wrong became much harder to absorb at production scale. When IT leaders place workloads, those classified as high-security, latency sensitive, business critical, or data-intensive consistently land in private cloud. The bill for AI infrastructure has arrived For the first time in this study, cost has overtaken security as the top concern about public cloud. That reflects a familiar reality for enterprise IT leaders: public cloud costs were already difficult to forecast and manage, and AI workloads have made that problem substantially worse. Nearly all IT leaders surveyed (97 percent) believe some portion of their public cloud spend is wasted, and more than half (52 percent) say that waste exceeds 25 percent of their total spending. Generative AI and agentic workloads are compounding the pressure, with 62 percent of IT leaders reporting that they are very or extremely concerned about AI infrastructure costs. Enterprises are revising their investment strategies accordingly. Net intent to increase private cloud investment over three years has risen from 51 percent to 72 percent, and private cloud investment is now growing at more than twice the rate of public cloud. Cost predictability has become the second biggest driver of that shift, cited by 39 percent of organizations. Enterprises that built AI ambitions on variable, consumption-based public cloud pricing are recalculating. Private cloud, with its predictable economics and direct IT control over infrastructure, is increasingly where the budget decisions are landing. Sovereignty has become a board-level priority Geopolitics has moved squarely into the infrastructure conversation. Eighty-six percent of IT leaders say geopolitical and regulatory factors are now directly affecting their IT strategy and operations. Data sovereignty and residency requirements are the top concern, cited by 54 percent of respondents, followed by jurisdiction-specific compliance requirements at 51 percent. For enterprises operating across borders, decisions about where data lives carry direct implications for where workloads can run. AI workloads that process sensitive, regulated, or proprietary data require infrastructure that provides governance and control from the ground up. Security and compliance remain the single most important factor in workload placement decisions, cited by 32 percent of respondents. AI is adding new obligations on top of existing ones: data protection and privacy (37 percent) and security and control (36 percent) are now the leading infrastructure requirements that AI imposes. Private cloud provides the governance architecture to meet those requirements by design, built in from the start rather than bolted on after deployment. Complexity is a platform problem Running production AI at enterprise scale is an operations challenge as much as an infrastructure one. The top skills gap cited by IT leaders is AI infrastructure and operations, named by 40 percent of respondents, followed by cloud security operations at 38 percent and Kubernetes operations at 37 percent. To close that gap, 81 percent of enterprises now fully outsource or use professional services for their cloud-related needs. Operational simplification matters as much as picking the right technology partners. Enterprises that standardize on a unified, well-governed private cloud platform address the AI skills challenge with fewer specialists, less operational fragmentation, and clearer organizational accountability. A platform-centric approach reduces the surface area that teams have to manage, and that is where the real operational gains lie. The tipping point is here The Private Cloud Outlook 2026 confirms what the data has been building toward for two years. Enterprise IT has reached the AI tipping point, and private cloud is the preferred platform for production AI because it addresses what AI at scale demands: security, cost predictability, data sovereignty, and governance that enterprises cannot treat as optional. VMware Cloud Foundation 9.1 is built for this environment. It provides a unified platform for running AI and traditional workloads together, with the performance, cost controls, and security capabilities that production AI at enterprise scale requires. The research shows where enterprise AI is heading, and VMware Cloud Foundation is the platform built to get organizations there. Read the full Private Cloud Outlook 2026 report: https://www.vmware.com/docs/private-cloud-outlook-2026 Contributed by Broadcom.

Brain-inspired computing may one day help curb AI's ballooning energy demands, but don't expect it to replace today's datacenter hardware any time soon, UK politicans have been told. Speaking to MPs this week, University of York professor Martin Trefzer said neuromorphic and other bio-inspired systems could improve efficiency by borrowing ideas from biological brains, where memory and processing are integrated rather than split across separate components. Analysis from last year shows AI is the biggest driver pushing global datacenter electricity use to more than double by 2030 to around 945 terawatt-hours (TWh), slightly more than the entire electricity consumption of Japan. "Data movement is probably one of the fundamental things we can learn from the brain. We don't have a memory bank on one computer and a [processor] on the other; it's all one system, and that is underpinning the efficiency," Trefzer told the House of Commons Science, Innovation and Technology Committee. At the same time, the brain "is not a rigid computer that is kind of clocked in a digital system." "This is motivating us to really build computing systems that are adaptable, to make them more robust, and to potentially adapt them to be more efficient in certain circumstances," Trefzer said. However, given the complexity of the as-yet-experimental computing model, it could be a long time before it proves its worth as a replacement for mature computing systems. "It is always pitched against a very mature technology like LLMs running in datacenters, but suffering from all the energy and sustainability problems," he said. The only way experimental technologies like neuromorphic computing – which takes inspiration from the brain – could have a practical impact in the short term is through specific applications alongside conventional computing to make it more efficient. "A wearable device, let's say a hearing aid, for example: you currently have these devices that are built on a digital substrate. We train models offline, but you could imagine a neuromorphic substrate that is susceptible to sound, that has modalities that allow it to function in a more brain-inspired computational manner. Then you could push functionality out of the digital system into, in this case, a sensor. This is where there is significant potential to be much more energy efficient, by orders of magnitude," Trefzer said. The short-term impact will be in identifying use cases for hybrid integration that work with current technology to optimize it. Also speaking to the committee, University of Manchester physics professor Caterina Doglioni said these advantages need to be offset against the energy and carbon cost of putting more devices on the edge, but there could be a threshold over which a new model is more efficient. "I hate to be the person that breaks it, but you have to think about how much it costs you and the environment to build these devices, but one can reach a break-even point where ultimately it is doing a better job on environmental sustainability, but that needs the studies," she said. ®

The latest version of the KDE desktop - Plasma 6.7.0 - has arrived, bringing several shiny new functions – some of which have been a long time coming – and features the return of the popular Oxygen theme from KDE 4. Since the KDE 6 “megarelease” two and a half years ago, the project's developers have been very busy. Fresh Plasma releases have come thick and fast. It's fewer than six months since the release of KDE Plasma 6.6.0 back in February. This rate of change matters, as a massive implementation change is coming: as the team announced in November last year, the plan is that KDE Plasma 6.8 will be Wayland-only. That means that this new release is the last to support X11. From some time early next year, KDE Plasma will be “Wayland or no way.” There are already functional differences between Plasma on X11 and Plasma on Wayland, as the Dedoimedo blog described when reviewing Kubuntu 26.04 last month. (Dedoimedo is written by Igor Ljubuncic, who we interviewed at the 2023 Ubuntu Summit.) X11 holdouts need not feel entirely abandoned as there’s a new fork of the X11-capable version of the desktop, called SonicDE. The project’s self-description says: "We aim to preserve and improve the X11-specific aspects of KDE since they announced they are going Wayland-only in KDE Plasma 6.8. SonicDE currently consists of the customized KWin/X11 sonic-win window manager and compositor, Plasma Workspace components, the Silver theme, an SDDM theme, and some support libraries." SonicDE joins at least two existing forks of older versions of KDE: the Trinity desktop environment, based on the last version of KDE 3, and MiDesktop, which we mentioned recently, based on the last version of KDE 1. (If there are any others out there that we’ve missed, do please let us know.) Matching Macs For now, Plasma 6.7 isn’t radically different from the existing Plasma 6.6, but this version has some significant new features. Two of them may be familiar to macOS users. Firstly, while KDE has always supported virtual desktops, in this release, on computers with more than one physical display, each screen can have its own set of virtual desktops. Apple’s macOS does this, and it’s the only way to get a separate global menu bar on each screen. Aside from that, for this vulture, it’s more trouble than it’s worth – but from what we read, many people like it a lot and we think this will be a popular change. Secondly, to type letters with accents (technically, “diacritics”), such as ä or ç or Š, you can now press and hold a key, and a list of alternatives appears. This is how Macs have done it for decades. If you only very occasionally need these characters, it does have the advantage that you avoid having to memorize special shortcuts or combinations. Personally, this Vulture finds it faster to configure and use a Compose key, which KDE supports just fine, but this is a handy change if you only rarely need such things. These aren’t the only changes, of course. Alongside Plasma’s existing System Tray applets, the tray now shows GNOME-style “Background Apps” – commonly found in Flatpak apps. The Overview screen is easier to navigate, and you can now switch virtual desktops by scrolling with your pointing device, or using the PgUp and PgDn keys. The Discover software store makes the Install button more prominent, and sorts installed apps into categories. It’s now easier to switch light and dark mode globally with one click, and there’s better support for hardware detection of lighting brightness. Theme handling is in the middle of a major revamp, in an initiative called Union, which brings management of multiple different types of theme together in one place. Developers carefully modernized the “Oxygen” theme, the default dark look for KDE 4, and did likewise for its lighter equivalent “Air”. If you fancy a change from the now-ubiquitous flat look, it’s available to install, along with matching Horos wallpapers. There are a lot of smaller changes. There’s an option to test your microphone right from the taskbar. When the clock shows multiple timezones, it shows the offset in hours. Windows can be selectively hidden when recording or streaming the desktop. Type-ahead search optionally now works on the desktop itself. The printer status icon shows how many jobs are outstanding. Notifications now glide onscreen rather than fading into view, making them more obvious. There’s better color management, and ICC profiles and HDR are no longer mutually exclusive. GPU handling refinement should now mean both better performance and lower GPU utilization, even on Intel integrated GPUs. The Plasma wiki offers a more complete list, and there’s a complete changelog of everything since 6.6.5. Although the release notes still point to it, it looks to us like the KDE Neon download page is blank and empty. We’ve previously reported on the project’s technologically-innovative demo distro KDE Linux, and that now works well in VirtualBox – complete with documentation on how to do it. It’s already up to Plasma 6.7.80, a pre-release of what will become 6.8. The project dedicated this release to the late Eric Laffoon, a long-time KDE supporter. ®

Many people worry about what AI knows, but what about an AI Nose that can smell what disease you might have? Ainos, an AI and biotech company that is developing smell technology, is working with National Taiwan University (NTU) to explore whether its platform can help diagnose patients by analyzing volatile organic compounds (VOCs) in exhaled breath. The year-long research effort, which starts in July, will examine individuals who present with dyspnea, or shortness of breath, said to be one of the most common symptoms seen in emergency departments. Dyspnea can be a symptom of many conditions, including acute exacerbation of chronic obstructive pulmonary disease (AECOPD) and acute decompensated heart failure (ADHF), each of which requires different treatments. Ainos and NTU hope to develop and evaluate a system to analyze VOC-based breathprints to detect AECOPD and/or ADHF in patients. Ainos's Smell AI platform relies on an AI Nose module that features multiple micro-electro-mechanical system (MEMS) sensors and an integrated digital processor. Sensor resistance increases in the presence of detectable gases, and this is converted to a digital signal that is interpreted in much the way the human nose interprets scents, according to Ainos. That interpretation is handled by by a proprietary Smell Language Model that has been developed to learn, classify, and contextualize complex scent patterns. "AI Nose was originally developed with medical diagnostic applications in mind, where non-invasive sensing, accuracy, and real-world validation are essential," said Ainos CEO Eddy Tsai. "This research program brings that experience back into a high-value clinical setting and extends our Smell AI platform into digital breath intelligence." Not content with "digital breath intelligence," a term we must confess to not being too familiar with, the the company frames the research as part of its broader vision of "building Smell ID data and Smell Language Model capabilities across healthcare, industrial, and physical AI environments." If successful, the research could help create a breathprint database for dyspnea and support future studies for emergency, outpatient, and even home-monitoring settings. The research follows a separate program testing the AI Nose in an active emergency department at National Taiwan University Hospital. The system has been deployed to monitor respiratory infections and overcrowding in waiting areas, treatment areas, and observation zones. ®

People of a certain age sometimes like to reminisce about how software in the old days was somehow more responsive and more efficient on far less powerful hardware. Microsoft's approach was to take its software binaries and optimize the heck out of them. Former Microsoft engineer Dave Plummer spilled the beans on the practice, confirming that the company used an internal application called Basic Block Tool (BBT) – known internally as Microsoft Lego – to shuffle the internals of binaries to speed execution. Plummer's recollections go back to the '90s, when his first NT development system ran on a paltry 12 MB of RAM, but software was relentlessly growing in size. A binary might have 10 MB of code, but the startup path only needed 300 KB of it. "But if those 300 KB are sprinkled like Parmesan across 10 MB of binary, then the loader and the memory manager have to touch far more pages than the actual executed code would suggest," Plummer said. And if a trip to disk was needed to page the code in and out, the performance impact could be disastrous. Hence BBT, through which Microsoft ran a binary and came up with something that was functionally the same, but a good deal more performant. The binary was effectively defragmented as related code was lumped together. Similar techniques have, of course, persisted even as computational power has increased. BOLT, for example, can speed up large applications by optimizing the layout of binaries. Then there was HP's Dynamo [PDF], which could optimize code at runtime. This approach is not without risk. Tinkering with a binary is not for the faint of heart, but Microsoft had an incentive to wring every last bit of performance from systems. "Windows and Office were large native code products running on constrained machines, and the wins were user-visible," Plummer explained. "If you could reduce the number of pages touched during boot or shell startup, users felt it. If you could make common application paths fit into fewer memory pages, multitasking got better. "If you could keep hot code out of the swap file, the whole system felt less like it was dragging a refrigerator through wet cement." As with Raymond Chen's recent war story regarding binary translation and code rerolling at Microsoft, Redmond's engineers were laser-focused on performance. Whether that same focus survives in some of today's software is another matter. Plummer thinks his past efforts remain applicable. "Modern software has the same problem at a different scale," he said. "The binaries are much larger. The services are distributed. The frameworks are deeper. The machines are faster, but the dependency graphs are absurd. "And we still discover over and over again that locality matters as it always does. So put the hot data together. Put the hot code together. Keep the common path small. Push rare paths away. "Don't make the CPU fetch a haystack when it only needs the needle." ®

India has decided to block messaging service Telegram for a few days to reduce the chance of scams targeting over two million people taking a single exam that has already provoked a national scandal. The exam is called the National Eligibility cum Entrance Test (NEET) and is the only way to earn a place to study medicine in India. In most years, over two million people take the test – but only around 100,000 people earn a place in a medical school. Competition for those places is fierce, and student stress levels can be stratospheric. India's National Testing Agency (NTA), which oversees entrance exams across India, conducted the 2026 NEET on May 3. A few days later, however, Indian netizens noticed Telegram posts dated May 1 that included footage of the NEET questions – suggesting the exam paper leaked. NTA insisted the exam paper had not leaked before the test but also admitted the exam paper in the videos was legitimate. The agency was able to do so because the videos included a unique identifier on the paper that NTA used to identify the candidate associated with the paper shown in the video and the test center where it was used. NTA used its ability to trace the paper as evidence that it conducted the exam securely. Officials have pointed out that Telegram allows users to edit posts without changing the date. A post dated May 1, then updated on May 4, could therefore include exam questions and appear to be a pre-exam leak – but would actually be an edited post. In a separate incident, in the days after the May 3 test, netizens found a "guess paper" – an unofficial NEET exam created to help students revise for the test – that contained significant overlap with the actual questions asked in this year's test. NTA deemed the document sufficiently concerning that it annulled the test and rescheduled it for June 21. NTA requested the Telegram ban ahead of the new test by asking the Ministry of Electronics and Information Technology (MeitY) to use its powers under the Information Technology Act. The testing authority wants the ban to prevent a repeat of the May mess, and also to stop scammers offering paid access to exam papers. MeitY issued directions restricting access to Telegram from June 16 until June 22. The ministry also directed Telegram to disable message editing in India until June 30 to avoid the panic that followed the original exam. India has in the past shut down internet access across entire cities during major exams, earning criticism due to the impact such outages have on the wider community. NTA acknowledged the blast radius of its request, saying it "affects lakhs [hundreds of thousands] of citizens who use the Telegram platform for legitimate personal, educational, professional and informational purposes." The agency said it "sincerely regrets the inconvenience caused to them." Lobby group the Internet Freedom Foundation has criticized the Telegram ban, saying it is unconstitutional and represents overreach. "If the exam is secure and no leak exists, what is being suppressed is rumor, and rumor cannot justify closing a platform when specific blocking and criminal prosecution remain available." India is not the only country to shut off internet access during exams. We've seen it happen in Syria and Sudan too. The Internet Society has condemned the practice. "Internet shutdowns are never a proportionate response to anything, no matter how long they last," the nonprofit wrote in 2023. "Even if a shutdown were to prevent exam cheaters from communicating, it also prevents everyone else from using online services. It is not an effective anti-cheating mechanism, and it comes at a cost to all of society." ®

After a delay when a microcode-related boot problem surfaced, FreeBSD 15.1 is now available. Laptop support is getting there, but a GUI from the installer isn't – yet. You'll have to put in some extra work if you want to have more than a command prompt. As you might expect from its version number, it's much like a point release of other, more widely used OSes: it contains lots of bug fixes, and hardware support in multiple areas is improved. For the lowdown on what has changed, the Release Notes contain a list of fixes and new features, and the one known issue – in the NFS client – is detailed in the Errata. Desktop use is something of an edge case for FreeBSD, but the Laptop Support and Usability Project is working on it. We gave a brief update when KDE Plasma 6.6.0 appeared back in February, but work has continued. The May status update is encouraging. Now laptop suspend and resume work, and if you wish, FreeBSD 15.1 can put laptops to sleep when their lids are closed, and wake them when the lids are opened. The team is still working on hibernation, as well as the more modern "S0ix" sleep modes. Wireless networking support is also making significant strides. Version 15.1 has improved versions of the Intel iwlwifi and Realtek rtw88 and rtw89 drivers, which are based on Linux version 7.0. This means that FreeBSD 15.1 now supports Wi-Fi 4 and Wi-Fi 5. If, like this vulture, you're more familiar with ratified standards than marketing names, the former means 802.11n (2.4 GHz and 5 GHz, up to 600 Mbps) and the latter denotes 802.11ac (5 GHz, up to 3.5 Gbps). And if you're not sure which chipset your wireless controller uses, the FreeBSD 15.1 Hardware Notes page has full details of the names of all the supported devices. The release was delayed a couple of weeks due to what the RC3 announcement called "a critical bug fix to the x86 boot loader," which also noted the importance of manually updating the EFI boot loader. This step is also specified in the Upgrade instructions. The instructions are quite complex, and we recommend you study them closely. For one thing, you need to know if you installed your system using the traditional distribution sets or the more modern, and still somewhat experimental, base system packages. We upgraded the FreeBSD 15.0 VM we installed seven months ago, and we couldn't remember which method we used. Fortunately, the freebsd-update command told us, so we followed the commands given in the guide for package-based installations. By Linux standards, they're very wordy and we did miss at least one vital punctuation mark, but it worked in the end. A year ago, the project said that it hoped to offer the KDE desktop right from the installer. That didn't make it into FreeBSD 15.0 last December, and it's not in 15.1 either. We installed a clean copy on a test machine, a Core i5-based ThinkPad X220. The installation program is much the same as in FreeBSD 13 or 14: it still installs a resolutely text-only OS, and if you want a graphical environment or desktop, you must install and configure it yourself. The handy optional desktop-installer script is still available, but as far as we can tell, it hasn't been updated for version 15.1 yet. In our testing, it couldn't correctly install a working desktop, and whatever desktop we tried, it failed without giving any visible error. We worked out that we needed to install the GPU drivers separately. We manually installed the drm-kmod drivers, and enabled them by editing the main init script by hand. After this, even before loading X11, the boot process picked up the native resolution of the machine's LCD and automatically changed the screen mode to fit. Once this was working, the desktop-installer ran to completion – but by that point, most of its work was done. As well as the very basic TWM, we also tried the FreeBSD-native Lumina desktop, Xfce, and GNOME (albeit on X11 only). FreeBSD 15.1 also offers several others, including the rather dated GNOME 47 and the much more recent KDE Plasma 6.6.5. FreeBSD is making good strides in supporting modern portable hardware. We feel that this matters for two reasons. First, any FOSS project can only thrive if it continually wins new users, and if curious newbies graduate from VMs to bare metal, most are likely to try it on laptops. Second, power management matters everywhere, although it's unfairly neglected on servers. Even there, power management is useful: the world could save substantial amounts of power if workloads were migrated off underused machines and they were allowed to go to sleep, only waking when accessed. For tired Linux users looking for an escape from ever-more-bloated corporate-influenced distros, FreeBSD is getting more viable all the time. It doesn't have systemd, Flatpak, Snap, UKIs, or built-in AI features. It does support Wayland, if that's something you want. The main problem you will face is getting it as far as a GUI. Both NetBSD 11 and OpenBSD 7.8 are ahead in this department, but they are also smaller, simpler OSes. FreeBSD can do far more, even including running Linux binaries and Linux OCI containers. ®

Transport for London (TfL) has extended supplier Capita's two road user charging contracts at a potential cost of £912 million including VAT after delaying the start of a combined replacement by two years. TfL announced it was directly awarding the contract extensions to Capita on June 11, saying this was required given the time it will take to buy and implement a replacement support service for its road user charging schemes. These comprise the congestion charge, Low and Ultra Low Emission Zones (LEZ/ULEZ), tolls for the Blackwall and Silvertown tunnels, HGV safety permits, and traffic fines, with the work including processing data from thousands of automatic number plate recognition (ANPR) cameras along with customer account management, payment, and billing. In May 2025, TfL said that it wanted to replace Capita's current contracts for Business Operations (BOps) and Enforcement Operations (EOps) for Road User Charging with a single deal. It planned to publish a full tender notice for this around March 31, 2026, and start the new contract on September 30, 2027. In a revision of this notice in February this year, it pushed back the tender notice to April 15, 2027, and the contract start to October 2, 2028. Last week, TfL said it plans to award the new combined contract in mid-2029, in procurement notices extending the BOps contract at a cost of up to £510 million and the EOps one by up to £402 million. Both extensions are for five years with the option to extend them to a total of seven. "Due to the scale and complexity of the existing services and the need to design, build, integrate and safely deploy a replacement solution, the full procurement, mobilisation and transition is expected to require a minimum of five years based on current programme assumptions," TfL said in the notices. It added that it will have rights to end the extended contracts early, "enabling TfL to transition to a replacement supplier at the earliest point at which it is technically feasible and operationally safe to do so." TfL expects the new combined contract to be worth more than £2 billion over 20 years. Last month, TfL disclosed that its Revenue Collection Services contract, which it awarded to Spanish defense and tech group Indra Sistemas in January covering almost all public transport ticketing in London, could be worth up to £1.964 billion if all extensions and variations are exercised. ®

Oracle has shocked its customers by releasing new end-of-life conditions for its middleware products that thousands of large organizations rely on in their enterprise application deployments. In a missive published online earlier this month, Big Red warned that support for the widely used Oracle Fusion Middleware 12c Release 2 was approaching a “critical milestone.” Top-level Premier Support is set to end in December 2026, while Extended Support will stop by the end of December 2027. “After these dates, Oracle will no longer provide updates or security fixes for this product version. Technical assistance will be provided as defined in the Oracle Lifetime Support Policy. All customers and partners are strongly encouraged to begin planning and executing upgrades or migration strategies to currently supported Oracle Fusion Middleware releases as soon as possible,” the note said. Martin Biggs, vice president and general manager of third-party support specialist Spinnaker, said users would be concerned about the lack of time to plan for the migration or strategic change to a new platform and to recruit scarce skills. “That version of Fusion Middleware has been around for quite a while now, and the announcement of Extended Support being only a year is quite unusual — normally it's two to three years. In part, that's because they kept the Premier Support going for so long, and then telling everyone it's going to be managed, ‘Market Driven Support’ after Extended Support is not what the market was expecting,” Biggs said. In its note, Oracle said that “to help reduce the time sensitivity of these upgrade programs”, it planned to offer a Market Driven Support program for Oracle Fusion Middleware 12.2.1.4/12.2.1.19 on a yearly basis beyond 2027. “Details of this program, including scope, terms, and availability, will be communicated at a later date,” the vendor said. Biggs described Market Driven Support — a fee-based service which offers a lower level of support than Premier or Extended Support — as an “extraordinarily limited product” which does not provide full patching. “The situation right now is you've got so many security vulnerabilities being announced all the time, who knows what Market-Driven Support is going to include? They're basically saying, when it comes to January 2028, it's unclear what they’re going to do. By the way, Market Driven Support is far more expensive for a far weaker support product. That's the big surprise to the marketplace,” Biggs said. The Register has offered Oracle the opportunity to comment. The good news is that Oracle is broadening platform support by confirming future versions of Oracle WebLogic Server and Oracle Fusion Middleware will be available on IBM's AIX Unix operating system for its mid-range POWER processor architecture. The move would offer “a more deliberate approach to modernization, allowing upgrades to be aligned with infrastructure lifecycle planning, application dependencies and business-driven transformation timelines,” IBM said in a statement. Oracle has also promised more details — at some point in the future — about its plans for Fusion Middleware. It plans to deliver the next Oracle Fusion Middleware suite release on a Jakarta EE 11-based container [for Java-based applications]. "This release is intended to extend support for the next generation of Java and WebLogic Server capabilities across the broader Fusion Middleware portfolio,” it said. ®

The UK Cabinet Office is looking for an AI and Innovation Director who can develop civil servants' use of artificial intelligence and change the way the civil service works. The task of persuading public sector workers to love AI involves "re-imagining the future workforce and business model" for the UK's civil service, promoting adoption of AI tools, "championing, coordinating, and tracking AI adoption" across government departments, and instilling an "AI-first culture," according to the job advert. As that list implies, the individual will need to be "a natural influencer" with a "deep understanding of the AI landscape," both traditional and generative, ideally with experience of building AI services. "My ambition is for the civil service to be a global leader in AI government transformation, to enable a more productive civil service that achieves world-class outcomes for citizens and a country that is equipped for an AI world," writes Cabinet Secretary Antonia Romeo in an information pack published with the job ad. "We are seeking an exceptional individual who is an experienced strategic leader, can deliver under pressure, and will help shape the direction of the civil service at a pivotal time." The exceptional individual in question will need to be content to serve King and country for a relatively modest £100,000 to £163,000 a year, albeit with generous pension contributions, compared with some private sector equivalents. They will have to agree to an expected assignment period of at least three years, although this is not contractual, and be British, a national of most European countries, or any Commonwealth country. The right to work in the UK is another requirement. Reg readers who fit the bill can apply by submitting a CV and a 1,000-word statement about why they are suitable by five minutes to midnight on Monday, July 13. While candidates can use AI in applying, "all examples and statements provided must be truthful, factually accurate, and taken directly from your own experience," so perhaps championing AI adoption should wait until after getting the job given the technology's propensity to make things up. ®

The database a business depends on shouldn’t be a potential point of failure; it should be a competitive asset. That’s the proposition Cockroach Labs will put to enterprise architects and database administrators at Convene's Bishopsgate venue in London on Thursday, June 25, 2026. The one-day RoachFest London 2026 event will examine how a database makes that transition from costly liability to competitive advantage. Modern infrastructure grows more complex and harder to manage by the year: Today's challenge might be a traffic spike or a cloud provider outage; tomorrow's could be an AI agent that needs durable context across long-running sessions. At RoachFest London, Cockroach Labs will show why the database should not sit as a passive store, but act as the resilient layer that a modern enterprise depends on: one that lets teams operate without fear, build with confidence, and adapt to what's next. What to expect Tracks at RoachFest London 2026 cover: AI and agentic workloads Resiliency Migrations Operational efficiency Hands-on workshops range from foundational distributed SQL through multi-region architecture to vector storage, indexing, and retrieval-augmented generation (RAG) built on ACID guarantees. Databases in the age of AI In the keynote, Spencer Kimball, co-founder and CEO of Cockroach Labs, will walk through why the database industry is at an inflection point, facing a complexity tax and the sprawl of hundreds of alternatives that enterprises are struggling to operate and modernize. He'll connect those pain points to the wave of agentic AI that's creating data pressure the industry has never seen before, and make the case that distributed databases are no longer a luxury but an emerging requirement. He will also discuss how CockroachDB is evolving to meet this moment by collapsing cost and scaling elastically. He’ll close with the vision that the database of the next decade will operate itself, with humans elevated to policy and judgment, not log files and escalations. A separate panel session, led by Memori Labs co-founder Adam B. Struck, focuses on where long-term agent state should live and how to keep it consistent as conditions change. Cloud-busting on purpose Form3's vice president of engineering Kevin Holditch will walk attendees through a payments architecture that runs active/active/active across AWS, GCP, and Azure. Form3 takes disaster-recovery testing seriously enough to pull down a cloud provider for 24 hours in production, not staging. What's next for CockroachDB Cockroach Labs' vice president of product Igor Stanko will lay out the CockroachDB roadmap, including bring your own cloud, AI-powered migration tooling, and improvements to the database's price-performance ratio. Operating without fear The afternoon's featured guest knows high-stakes environments. In his session "Operating Without Fear", Major Tim Peake CMG, the first British astronaut to reach the International Space Station (ISS), draws a parallel between astronaut training and the discipline of building systems that thrive under adversity. RoachFest London 2026 takes place at Convene Bishopsgate on June 25. Workshops open at 9am, main stage sessions begin at 1:05, capped off by an evening reception from 4:30 to 6:00. Registration is free with promo code SP100 – register now as space is limited. See the full agenda and register at cockroachlabs.com/roachfest/location/london. Sponsored by Cockroach Labs.

PWNED Welcome back to PWNED, the weekly column where we register some of the worst tech security mistakes our readers have ever seen. Our goal: to help you not do the same. Have a story about someone leaving a gaping hole in their network? Share it with us at pwned@sitpub.com. Anonymity is available upon request. This week's tale of code carelessness comes courtesy of a database administrator we'll Regomize as Joker. Back in the first decade of the 21st century, she went for a job interview at one of the USA's leading national cellular carriers. What she saw would make you want to swap your SIM. After a successful meeting with a hiring manager, Joker was hired on the spot. Within hours the company sudo-level access to a database server, then instructed her to "take a look" at some of the databases. Joker soon realized the carrier's security was no laughing matter as she found herself accessing the main production server for the company's data services division, overseeing all services for the mobile web. This story took place in a time before the iPhone, so she was looking at nasty little versions of websites comressed for viewing on their BlackBerries or flip phones. After peeking around some more, Joker discovered that she had access to the master customer table. It contained nightmarish quantities of personally identifiable information: names, addresses, Social Security numbers, billing info, and even full 16-digit credit card numbers. All of this info was stored in the clear, with no encryption or obfuscation. The CVVs were missing from some credit card info, but many were present. "There was a central billing system upstream on Amdocs servers, but this database also had billing details so they didn't have to reach back upstream to Amdocs if users asked to provision new services," Joker said. After Joker informed management about the mess, they deleted the offending info and forced the developers to go upstream again for billing information, just like they should have been doing in the first place. Joker, like any reasonable DBA, assumed access to this information would be tightly controlled - not made available to new staff with full access rights on their first day. She also assumed her new employer would tokenize key pieces of data because that technique means certain info – say credit card and Social Security numbers – would not be visible in the same table as a customer's name and address. Instead, there would be tokens linking back to the actual numbers stored in a secure token vault. This is common in payment systems. If Joker were less ethical or someone else had gained admin access, they could have exfiltrated large amounts of sensitive data. Permissions should start from a zero-trust assumption and provide only what someone needs to do their job. Joker said that when she later moved on to work for a major online retailer, security was front and center, proving that some people did get it, even back in the George W. Bush era. ®