Cyber offenses now account for around a third of all crime across Asia and South Pacific
Cybercrime now accounts for more than 30 percent of all offenses across the Asia and South Pacific (ASP) region, according to the latest figures from Interpol. The international cop shop said on Wednesday that the region has seen “a dramatic increase” in the number of recorded cybercrimes, driven largely by an uptake of digital infrastructure, new technologies, and the increasingly organized nature of criminal networks. Interpol’s latest ASP Cyberthreat Assessment Report states that online scams and phishing attacks dominate cybercrime in the region. Data taken from 2024-2025 shows that phishing campaigns have matured beyond the spray-and-pray mass emails of yesteryear and now resemble the more sophisticated techniques deployed elsewhere in the world. Targeted spear phishing is more common nowadays, and the growing use of AI helps even low-skilled script kiddies to apply a layer of authenticity to their attacks. The region’s problem with organized scamming gangs that run camps where hundreds of people are compelled to commit crimes is especially pronounced and well-documented. A United Nations report published last year described scam call centers across Southeast Asia as an epidemic that is metastasizing across the region “like a cancer.” These compounds can be found across countries such as Cambodia, Laos, Myanmar, and the Philippines, and often see vulnerable individuals trafficked into the scam centers to work under poor conditions – or even as slaves. Interpol cited Singaporean research, which estimated the regional scam industry generates close to $40 billion each year. AI tools, especially those capable of generating convincing deepfake imagery, have also proven popular with cybercriminals across ASP, just as they have beyond the region. In 2024, the same scam compounds were found using deepfake imagery to support romance scams. 
In February 2024, an employee at a multinational business in Hong Kong was duped into authorizing a $25 million payment because the faces of company execs were convincingly deepfaked on a video call. A similar case was also reported in Singapore in March 2025, when a finance director at a different multinational was tricked into transferring more than $499 million following a Zoom call in which fraudsters assumed the identities of company chiefs, including the CEO and CFO. Interpol’s report highlights how cyber threats are evolving into large-scale challenges for multiple jurisdictions, and no longer represent relatively uncommon, isolated incidents. While digitization across the region is growing, opening new economic opportunities for these countries, law enforcement agencies are struggling to keep pace with the increase in cybercrime. Many lack the skills and tools needed to investigate these crimes. The issue is especially pronounced in developing countries and small island states in the Pacific, which face “significant resource and capacity constraints,” and are thus more vulnerable to direct targeting in attacks by criminals who have a greater chance of evading consequences. Neal Jetton, cybercrime director at Interpol, said: “The findings in this report highlight a rapidly evolving cyber threat landscape across Asia and the South Pacific, where cybercriminals are leveraging artificial intelligence, ransomware-as-a-service models, and sophisticated social engineering techniques on an industrial scale. “As digital adoption accelerates across the region, strengthening operational cooperation, information sharing, and cyber resilience remains essential to protecting communities and critical infrastructure.”
Some improvement
Interpol lauded many jurisdictions and governments within the ASP region for their proactive approaches to countering cybercrime growth.
Hong Kong and the Republic of Korea are two areas that have made strides by introducing new cybersecurity legislation, while others have established national task forces, codified national action plans, and launched awareness campaigns. But even in more developed countries globally, and those with more mature cybersecurity regulatory and legislative landscapes, the issue of increasing rates of cybercrime persists. While Interpol does not collect cybercrime figures for other regions, such as Europe and North America, in the same way that it does for ASP, it’s easy to see that problems persist everywhere. The UK’s Office for National Statistics (ONS) publishes crime rates by type across England and Wales each year, and while computer misuse offenses in 2025 decreased by 58 percent compared to 2017’s figures, there were still an estimated 735,000 cases across the year. Expanding the data to look beyond pure cyber offenses to cyber-supported crimes, such as banking and credit fraud, these offenses account for more than 2.7 million of the circa 9.6 million total crimes committed. The FBI in the US produces its annual IC3 report examining the rates of cybercrime across the country. Although it doesn’t compare it to total offenses or other crime types, the latest report reflecting 2025’s figures showed cybercrime reports topped one million for the first time, and total losses reached a record $20.87 billion. ®
Estonia intends to recognize AI agents with digital IDs
Estonia plans to allow AI agents to have their own digital identities so they can act on behalf of people in a way that can be verified and audited. The initiative, backed by the country's Eesti.ai advisory board, calls for the development of ID codes that AI agents can use to take actions, subject to some unspecified authorization and task delegation process. Academics and corporate technical folk have already made related proposals in recognition of the absence of agentic technical infrastructure. Last month, researchers under the flag of OWASP proposed the Agent Name Service for agent discovery and interoperability. DNS for AI Discovery is another such project. But these have more to do with platform plumbing while Estonia, known for its embrace of technology, is more focused on permission and punishment. Establishing digital identities for AI agents and authorizing limited powers will help avoid scenarios where individuals are required to delegate broad authority to an agent at the expense of their rights, the government says. "In the future, AI will increasingly carry out digital tasks on our behalf, compiling reports, preparing declarations or interacting with information systems," said Prime Minister Kristen Michal in a statement. "To that end, it must be clear who is acting on whose behalf with what rights, and who is ultimately responsible." By taking this step, Estonia casts itself as "first country to create digital identities for AI agents." Two weeks ago, Argentina's President Javier Milei endorsed a similar idea, legislation to allow "non-human corporations," managed by software, with limited liability. "Limited liability is not a luxury for such entities; it is a precondition for their existence," Milei wrote in a Financial Times op-ed. 
Several decades ago, IBM took a similar line on liability but reached the opposite conclusion about automated decision making: "A computer can never be held accountable, therefore a computer must never make a management decision." Despite the citation of that passage from IBM's 1979 Training Manual in a 2025 blog post, Big Blue's designated author Doug Bonderud sounds less certain about the impermissibility of AI action these days. "Should AI be used for management decisions?" he mused. "Maybe. Will it be used to make some of these decisions? Almost certainly." While governments work on legal changes that will allow AI agents to operate, private sector companies are already taking a stance, at least with respect to external AI agent usage by customers. Target Corporation earlier this year revised its Terms & Conditions with a section titled Agentic Commerce and Delegated Access. It states, "Purchases and other actions taken by an Agentic Commerce Agent that you have authorized are considered transactions authorized by you." American Express meanwhile has taken the opposite tack by assuming liability for errant agentic commerce. "In the future, if a Card Member authorizes an AI agent to make a purchase and that agent sends American Express the customer’s authenticated purchase intent, American Express will protect eligible customers from charges related to AI agent error," the company said in April when it introduced its agentic commerce developer kit. In a pre-print paper last year titled "AI Agents and the Law," Georgia Institute of Technology professors Mark Riedl and Deven Desai observe that once AI agents have the ability to act in a way that changes the state of the world – e-commerce transactions as opposed to output that requires human interaction for effect – concerns about harm become more pressing. They note that while the law is well equipped to deal with conflicts arising from human agents, it's not well-suited to the possibilities of software agents. 
"Put simply, although computer science and law have similar notions of agents, a software agent is not the same as a human agent," they write. "For example, agency law disciplines agents by imposing legal liabilities on agents when they misbehave. Human agents can face financial and even criminal penalties; that is not so for software agents." To date, AI companies have done their best to limit liability for AI harms. But they've not been entirely successful: A Canadian court held Air Canada liable for bad chatbot advice, and a German court held Google liable for inaccurate AI Overview content. It may be a while before the rules for AI agents get hammered out and harmonized to whatever extent is possible. But in the interim we'll at least have digital identifiers to call out bad agents by name. ®
Git good with Epic Games' new open source VCS, Lore
Fortnite maker and Apple nemesis Epic Games has decided to git good all on its own with the open-source release of its homemade version control system, dubbed Lore. The project began life as Unreal Revision Control, and was used by internal teams and as the version control system (VCS) built into Unreal Editor for Fortnite. Now, Epic is ready to share its handiwork with the world. Lore is a centralized, content-addressed VCS that’s meant to be more flexible for developers, as it's licensed under the less restrictive MIT License instead of the copyleft requirements inherent in the GNU standard. MIT is generally considered more permissive because, unlike GNU, it doesn't require derivatives to be licensed in the same way (e.g., a fork of Lore could be proprietary). Lore can be installed on macOS, Windows, and Linux and its server side is designed to be transportable into different cloud services as well. The biggest difference between Lore and other VCS is its equal treatment of text files – e.g., code – and binaries. “All content is treated as opaque byte streams on the hot path,” Epic explains in its system design explanation document. “Text-aware features are layered on top, never assumed by the storage or transport paths. Binary content gets the same first-class treatment as text.” With that in mind, it’s obvious who Epic is targeting with the release: Game developers. Lore is purpose-built for projects that use large binary files such as games, Epic said, but that doesn’t preclude other use cases with heavy binary loads, like AI model builders, systems developers, and others who work with large amounts of machine-readable data alongside their own code.
We have lots of VCS data, so why do we need Lore?
There are plenty of VCS options out there: Git, Perforce, Mercurial (and its descendant Sapling) are all mentioned by Epic as alternatives that resemble Lore in its design and use. So, why a new VCS? That’s easy, says the Fortnite studio: None of ‘em do it all.
Git, says Epic, has great revision graphing, but treats binaries as “second class citizens” and lacks multi-tenant isolation that ensures users on the same infrastructure can't access each other's work. Perforce requires multiple server round trips to conduct standard operations, making it too slow. Mercurial and Sapling elegantly solve “the scale of source repositories” via their distributed architecture, but again treat text as king and everything else as second-class data. “The motivation is not that prior systems are bad,” Epic explained. “What Lore offers that the prior art does not is the union” of all those features, and some others too. Key design goals Epic had in mind when designing Lore included the aforementioned binary-first design, a sparse-by-construction architecture that only downloads necessary fragments from the server to clients to ensure fewer round trips, the elimination of partially-applied revisions so that in-between states are invisible to readers, and a full-surface API that allows Lore to work with a variety of programming languages. If you want to give Lore a spin, Epic has published a thorough quickstart guide, and pre-built binaries are available, ironically enough, on GitHub. ®
If AGENTS.md smells ripe, your code won’t live up to the hype
If you're exposing your agent to a strong odor, it's time to clean up your instructions. Risky or poorly structured code patterns are known as "code smells," and it turns out coding agent directives can be similarly redolent, leading to wasted tokens and worse output. Coding agents rely on configuration files that summarize expected agent behavior. These context-enhancing files are commonly written in Markdown and named either CLAUDE.md for those using Anthropic models or AGENTS.md for pretty much everyone else. They include various text instructions that advise the coding agent about desired behavior and tool use. And they can get rather wordy. Anthropic advises no more than 200 lines of text because longer files consume model context and may hinder model coherence. Researchers affiliated with the computer science department of the Federal Institute of Minas Gerais in Brazil recently scoured some 532,000 files to build and analyze a dataset of 100 popular open-source projects containing either an AGENTS.md or a CLAUDE.md file. "Our results show that configuration smells are widespread," the authors state. "Lint Leakage was the most common smell, affecting 62 percent of the files, followed by Context Bloat (42 percent) and Skill Leakage (35 percent)." Linting is the process of running automated tools to check code for programming and style errors. Lint Leakage refers to agent instructions that repeat rules already enforced by linters, format checkers, and static analysis tools. Duplicative rules waste tokens by burdening the underlying model with guidance for a task already handled reliably by programmatic tools. Context Bloat, as its name suggests, describes the tendency of developers to overspecify code agent behavior. "Bloated configuration files increase token consumption, raise costs, and reduce the visibility of important instructions," the authors observe, pointing to Anthropic's recommendation of no more than 200 lines of text. 
Skill Leakage, another common configuration smell, occurs when rarely used tools or practices get added to the AGENTS.md file, which gets loaded in every agent session. The agent instructions would be better in a separate skills file (e.g. SKILLs.md) that gets loaded only when needed. Skill leakage also expands the agent's context unnecessarily and potentially distracts agents from other things. Other agentic odors include: Blind References, which happens when configuration files reference external documents (e.g. via URLs) without explaining when that resource becomes relevant; Init Fossilization, configuration details set up upon a project's initialization that are no longer relevant; and Conflicting Instructions, which occur when agent directives contradict each other. The study authors say that they found at least one of these six smells in 91 of the 100 AGENTS.md files tested. "These results suggest that developers could benefit from catalogs and tools designed to spot configuration issues in agent configuration files," they conclude in the preprint paper, entitled "Configuration Smells in AGENTS.md Files: Common Mistakes in Configuring Coding Agents." The authors are Helio Victor F. dos Santos, Vitor Costa, Joao Eduardo Montandon, Luciana Lourdes Silva, and Marco Tulio Valente. The message here is that less is more when it comes to code agent configuration files, perhaps even to the point that anything is worse than nothing. Similarly, when ETH Zurich boffins examined the impact of context files for agents a few months ago, they found that developer-generated instructions raised costs and only improved code performance about 4 percent, while LLM-generated instructions had a small (3 percent) negative impact on agent-generated code. They concluded "unnecessary requirements from context files make tasks harder, and human-written context files should describe only minimal requirements." ®
Nvidia-backed optics vendor to boost wafer output by 4x to meet AI interconnect demand
As AI systems grow larger, optics are playing a larger part in their design – so much so that at Computex earlier this month, Nvidia CEO Jensen Huang proclaimed the technology would make Marvell the next trillion dollar company. Now, Nvidia-backed photonics vendor Coherent plans to boost indium phosphide (InP) wafer production at its Sherman, Texas, fab by 4x in anticipation that AI proliferation will trigger an explosion in optical interconnect demand. Supply chains must be ready to meet that demand when (or if) it materializes, and Coherent is one such supplier. The company operates eight wafer fabs across the US that produce semiconductors used in laser light sources and optical modules. These supply chains are so important to Nvidia’s future growth that, in March, the GPU slinger invested $2 billion in the optics vendor to bolster its production capacity. Coherent is wasting little time putting those funds to use. Along with $20 million in funding from the Texas Semiconductor Innovation Fund and the Sherman Economic Development Corporation, and up to $50 million in CHIPS and Science Act funding, Coherent plans to plow $650 million into its Sherman plant, effectively doubling the factory’s footprint and quadrupling InP wafer output. InP semis are commonly employed in lasers, photodetectors, and modulators found in optical interconnects. As rack scale AI systems grow from a few dozen accelerators to hundreds or thousands, copper is no longer sufficient and optics are now required to achieve this scale. We expect this trend to dramatically increase the number of optical components employed by these systems over the next couple of years. Coherent claims that the Sherman expansion will create about 1,000 new jobs, roughly 550 of which are directly related to advanced manufacturing, engineering, and technical roles. The company hasn't shared a timeline for when the expansion will be completed. We've reached out for comment and will let you know if we hear anything back.
Coherent is not the only optics vendor Nvidia is bankrolling. This spring, GPUzilla also invested $2 billion in Lumentum, which produces a variety of optical products used in datacenters including pluggable transceivers, optical circuit switches, and laser modules. Less than a month later, Nvidia plowed another $2 billion into Marvell in part to accelerate its silicon photonics roadmap. ®
Massive password-stealing attack hits 75k Fortinet firewalls
If you have a Fortinet firewall, it's time to stop and change your passwords. Intruders somehow gained access to around 75,000 Fortinet firewall devices and stole credentials belonging to major corporations across 194 countries, in some cases leading to full network compromise. Security researchers say that they have verified the data, and the cracked FortiGate passwords belong to accounts spanning multinational corporations including FoxConn, Samsung, Comcast, Siemens, Lenovo, FedEx, PxW, Accenture, Oracle and many others. Check to see if your organization made the list of affected domains – and immediately rotate all passwords associated with Fortinet VPN and administrative interfaces. Make sure multi-factor authentication is turned on, too, as this type of massive credential leak can lead to very serious consequences, giving attackers full, remote access to not only the firewall but the entire corporate network. Hudson Rock, which analyzed the data, said the leak affects 21,632 unique domains. “The scale of this breach touches nearly every sector of the global economy, sparing no industry. The threat actors have built a verified database of working credentials for some of the largest enterprises on the planet,” the security shop said on its Infostealer blog. Researcher Volodymyr “Bob” Diachenko first spotted the intrusions and attributed them to a Russian-speaking group. “They intercept SSL VPN authentication, crack hashes on a 45-GPU cluster managed via Hashtopolis, and pivot into internal Active Directory environments,” he wrote on LinkedIn. “The operation processed 1.16 billion credential attempts against 320,777 FortiGate targets and 2.1 billion attempts against 163,650 MSSQL servers.” Plus, according to Diachenko, the criminals fully pwned at least four organizations, including a Turkish NATO defense contractor, and, in that case, stole classified defense documents. 
Security sleuth Kevin Beaumont, who also verified the stolen credentials, said “the data is legit.” “I have worked with several orgs listed, and can confirm the logins and passwords are real,” Beaumont wrote. “Many of the devices sampled are on fairly recent patches.” According to device search engine Shodan, the massive heist comprises about half of all internet-facing Fortinet firewalls. Plus, Beaumont noted, most of the compromised Fortinet devices remain online. So if you’re still reading this story: stop now, and go reset your Fortinet firewall passwords stat. The Register reached out to Fortinet and the companies affected by the so-called FortiBleed campaign for comment. Lenovo said it was looking into it; we didn't receive responses from the others. ®
Uncle Sam bets $500M that Alphabet spinoff's AI can dig up new semiconductor materials
In order to move more semiconductor manufacturing onshore, the US needs to depend less on foreign-sourced materials. Now, the government is giving an Alphabet spinoff $500 million in CHIPS Act funds to find domestic minerals, molecules, and chemicals needed for this process. SandboxAQ (that’s AI and Quantum, for those wondering), which spun off from Alphabet in 2022 under the chairmanship of former Google CEO Eric Schmidt, announced the award Wednesday. The company won’t be doing any manufacturing – this is just an R&D grant to turn the startup's AI simulation software toward discoveries necessary to build a domestic chip industry. According to SandboxAQ, the $500 million awarded to it by the Department of Commerce will go toward developing “novel molecules and formulations for semiconductor manufacturing," including chip production materials that are free of PFAS ("forever chemicals"), new semiconductor fabrication catalysts, magnets that don’t rely on foreign-sourced neodymium and other rare earths, and fab-powering batteries that don’t rely on majority foreign-sourced materials like lithium. The CHIPS and Science Act, signed into law by President Biden in 2022, was designed in part to dole out $52 billion to US firms to reignite domestic semiconductor manufacturing, which has mostly fled the country for more favorable production environments overseas. Four years on, the government’s many investments have seen some payoff, like the acquisition of a 10 percent stake in Intel to help keep the company afloat, but there’s still a lot of work to be done to reduce dependence on foreign supply chains and manufacturers. SandboxAQ relies on its own large quantitative models (LQMs), which it describes as “AI systems trained on the laws of physics, chemistry, and biology, not human language.” That, the company asserts, means they’re well-suited to discover new materials needed to eliminate harmful PFAS and foreign-sourced materials from the semiconductor supply chain.
The hope is that the LQMs will be able to generate their own material predictions that researchers then test in the lab – essentially the same process that’s undergirded the years-long effort to use AI to help synthesize new drugs. Despite AI industry leaders prognosticating we’d be popping AI-designed drugs in 2025, AI has yet to design a functional medicine, according to the US National Institutes of Health. Why, then, should we presume an AI will succeed at replacing critical battery and chip manufacturing components where drug research has failed? In fact, according to SandboxAQ’s announcement, its LQMs aren’t even necessarily grounded in real-world data. They rely in part on synthetic data, which is then fed into the company’s LQMs and used to train their design-make-test workflows. A company spokesperson told The Register in an email that it still uses real-world data where possible. “Where experimental data exists, we incorporate it,” SandboxAQ told us. “Where it doesn't, we can still move forward and solve the problem.” When asked whether an error in the reasoning process could compound, leading to considerable lost time for researchers and a lack of results, the company admitted that such a potential is exactly what “any rigorous AI-driven materials program has to answer.” “Our models are trained on the laws of physics and chemistry, so they are anchored to physical reality, rather than free to drift,” the spokesperson told us, adding that lab testing is the final check on AI accuracy. “A material either performs in the lab, or it doesn’t, and that validation gate is precisely what prevents a chain of reasoning from running away with itself.” SandboxAQ added that it is not starting from zero in any of the four target areas, having done previous work on catalysts, battery materials, alloy discovery, and PFAS breakdown that will be incorporated into its CHIPS Act-funded work. 
“In commercial deployment, we’ve already cut development timelines from months to weeks” at the candidate screening stage, the SandboxAQ spokesperson explained. SandboxAQ said that some of the work it's doing, like PFAS mitigation, could be rolled out to existing fabs, as could new batteries and the like, but it admitted that the various verticals will operate on different timelines. “Qualification in the semiconductor industry is genuinely rigorous and does take time – we wouldn’t minimize that – but the path runs through validation and industrial qualification with existing manufacturers, not through standing up new fabrication capacity from scratch,” SandboxAQ told us. ®
Only half of US datacenter capacity planned for 2026 is actually under construction
Don't count your bit barns before they've at least started to hatch. Developers continue to announce new datacenter construction projects, but construction work for many due to come online this year or next appears not to have commenced, while planned capacity may have been overestimated. According to financial analyst Jefferies, known promises to build new stateside datacenters suggest 160 GW worth of infrastructure will be operational in the country by 2032. In a research note shared with The Register, the firm reports pervasive delays and claims that only 12 GW out of 24 GW of datacenter capacity scheduled for 2026 is currently under construction. The situation is even worse for the 2027/2028 timeframe, as substantial construction of as much as 80 percent of the planned capacity does not appear to have started yet. The reasons for the delays are familiar: zoning and/or permitting challenges, interconnection setbacks, problems accessing energy supply, labor shortages, and the signing of commercial contracts with end users. Power availability is a well-known issue, as are grid connection setbacks. The latter have grown so bad – reports of seven-year delays – that the US Energy Secretary directed the Federal Energy Regulatory Commission (FERC) to implement new rules to speed the process for customers such as datacenters. Jefferies highlights another factor, that of duplicative counting inflating the planned total capacity due to hyperscalers making multiple requests to various energy utilities. For this reason, it does not expect the majority of the extra load forecast for 2026 and 2027/2028 to materialize. Some investor expectations do not reflect real-world constraints, primarily labor, the report says, suggesting that 15-20 GW of capacity coming online per year is more realistic than the 40+ GW forecast by some for 2027-28.
Announced capacity should not be considered a reliable way of evaluating data campus load growth, Jefferies says, citing offtake agreements, permitting progress, financing, and a realistic construction timeline as better indicators. The report points to strategies that operators are taking to circumvent the issues outlined above. Behind-the-meter and hybrid models are solutions to the power problem, with “hybrid” referring to datacenters tending to take all they can get from the grid first, before later turning to behind-the-meter sources - typically on-site power generation. Jefferies says that the build pipeline is shifting increasingly toward regions with more attractive interconnection and permitting options, pointing out that Texas had 14 GW of new capacity announced in the second quarter of this year alone. ®
Smartphone market to shrink 15 percent this year due to memory crisis
Unless your personal tech budget has bloated, prepare to stick with your current smartphone for a while thanks to AI-driven demand that has driven up memory prices and made new handsets so expensive that sales are falling dramatically. So says research firm CCS Insight, which expects smartphone shipments to fall by 15 percent this year as some entry-level devices have already seen their sticker prices go up by more than 50 percent since last year. The firm found that the primary smartphone market (meaning new devices) contracted 4.4 percent in the first quarter of this year, despite sales channels front-loading (meaning stockpiling) product inventory, as device prices begin to rise sharply. As CCS notes, this casts an ominous shadow on the outlook for the rest of the year, and it seems things have worsened since The Register first started reporting on the smartphone memory woes. Back in January, the forecast was for handset price rises of 6-8 percent, while the most pessimistic outlook was that the global market might contract as much as 5.2 percent. By February, analysts were expecting to see a decline in shipments of around 8 percent across the global market, and for prices to increase by about 14 percent. The root cause of all this is the AI craze, which has seen huge demand for high-performance GPU-filled servers to process it all. Chipmakers have moved to capitalize on this by prioritizing production of high-margin memory components for those servers, rather than making the plain old DRAM and NAND needed for PCs and phones. This is different from the usual boom-bust cycle of the memory market, where prices rise because of production issues constraining supply. Instead, it is demand-side pressure from hyperscalers that has tipped the balance, leading to a memory supercycle that may last until 2028. "The memory chip crisis shows no sign of slowing down in the near future, ramping up the pressure on manufacturers and consumers. 
Memory components now account for more than 30 percent of a manufacturer's bill of materials in some smartphones,” said CCS research analyst Ben Hatton. “The full impact has yet to be felt in many regions, but it's clear that device prices will accelerate over the rest of the year.” As expected, budget devices are the worst hit, as memory and storage costs make up a higher proportion of their bill of materials, hence some entry-level devices seeing a 50 percent jump in price. In contrast, the organized secondary market (meaning traders in pre-owned devices) grew by four percent during the first quarter, as consumers in search of low-cost phones increasingly see used devices as a suitable alternative. CCS therefore believes the second-hand smartphone market will grow by 15 percent this year. But there’s a snag. With fewer people buying new phones, the supply of pre-owned models will tail off as well, as it relies on people trading up. This was highlighted by a report in May, which found that replacement cycles are getting longer as consumers often hold on to their devices for more than four years, rather than the couple of years that used to be typical. There are also fewer smartphone vendors these days, meaning fewer launches every year. “The secondary market has an opportunity to serve some of the demand that will be unfulfilled by the primary market,” commented Hatton. “The major challenge in the near term is to grow supply during a fallow period of flagship launches.” Countries with mature trade-in programs will be in a stronger position to capitalize on this opportunity and see higher growth rates in the pre-owned market. As The Register reported last year, this probably doesn’t mean Europe, as less than a third of consumers there trade in or sell their old phones, limiting the supply of second-hand devices. ®
AWS hypes continuous agentic DevOps, puts Kiro in your pocket
AWS today introduced new and enhanced agents aimed at DevOps and code security at its New York Summit, including previews of Continuum for identifying and fixing application vulnerabilities, and an iOS mobile app for its Kiro coding tool. Matt Wood, chief AI and technology officer, said in a press briefing that the company sees AI tools operating continuously in the background, rather than being used on demand. AWS Continuum, now in closed preview, is a set of agents that "continually provide security continuity using artificial intelligence, building on penetration testing and code review," he said. Sounds expensive? According to Wood, the cost of using AI tools is falling despite the rising price of tokens. "While the cost of a token at the frontier continues to go up, if you normalize for a particular point of intelligence, the cost continues to decrease year by year," he claimed. AWS Continuum currently includes two products. Continuum for code vulnerabilities performs vulnerability scans of an AWS environment and is claimed to prioritize findings that are actually reachable in a production path, with exploits demonstrated in a sandbox. The tool will also generate suggested fixes such as network changes or patches for the code. The existing AWS Security Agent will be renamed "Continuum pen testing" and "Continuum code scanning". The AWS DevOps agent, first previewed at the company's re:Invent conference in late 2025, is billed as an AI tool that can resolve and prevent application outages and optimize application reliability and performance. It was made generally available in March. DevOps Agent is gaining release management capabilities, now in preview, which assess code readiness and run software in an AWS-managed isolated environment to verify the builds. The new feature follows other enhancements to DevOps Agent introduced earlier this month. 
DevOps Agent has always had support for calling tools via Model Context Protocol (MCP) but now exposes its own MCP endpoint, enabling other tools to call the Agent API. There is also support for the Agent2Agent (A2A) protocol, introduced by Google last year to assist agent collaboration. These new endpoints are in addition to the standard AWS REST API. DevOps Agent is designed to use other observability tools as input, including AWS CloudWatch, Datadog, Dynatrace, New Relic, and Splunk, as well as code from repositories such as GitHub and GitLab. It can also connect to Microsoft Azure and Azure DevOps. AWS Transform, an AI service for migrating and modernizing workloads and application code, gets a new preview feature called continuous modernization. AWS suggests it as a tool to cover both the day-to-day work of upgrading and patching libraries, and larger projects such as moving to a more recent framework or runtime for Java or .NET applications. Kiro is an IDE and service for specification-driven AI coding. Kiro can be extended with "powers," wrappers for one or more MCP servers available from GitHub. Powers exist for AWS services such as DevOps Agent and Lambda, as well as for third-party services such as Datadog and Dynatrace. Now in closed preview, the Kiro mobile app for iOS can launch and manage remote sessions. There are three modes of interaction: chat, spec for continuing a specification workflow, and autonomy for delegating tasks. The app shows the live state from cloud sessions, and renders code diffs as cards that the company says are legible on a small screen. According to AWS, it is a true native app, not a wrapper for a web application. In addition to DevOps tools, the company also previewed AWS Context, a service for mapping company data into a knowledge graph for agentic search. It is similar to search in the existing Amazon Quick service, except that Context is designed to be organizational rather than personal. 
Context publishes its metadata into Amazon S3 tables in Apache Iceberg format. According to AWS, all queries are identity-aware to prevent users from accessing data they are not authorized to see. Amazon Quick will use the same underlying technology as Context. Quick is also getting the ability to create autonomous agents via voice prompts, or to choose from a library of pre-configured agents. Hundreds of connectors add integration with third-party services such as Gmail, Slack, and Microsoft Teams and SharePoint. Finally, Amazon Bedrock AgentCore, a platform for custom agents, adds a managed knowledge base, web search, and the ability for agents to spend money on paid content such as financial market feeds. Companies going all-in on agentic AI will find it costly. Services like Quick are subscription-based, and others like DevOps Agent are based on per-second usage, currently the same for incident response, evaluations (incident prevention), and on-demand tasks such as chat. Pricing is somewhat opaque because the time an agent will take for a task is unknown. There are also additional charges for AWS services an agent consumes, such as CloudWatch queries. Another issue is reliability. In its post on AgentCore, AWS acknowledges that "the most dangerous agent failures aren't the ones that throw errors. They're the ones that look fine on dashboards: an agent that confirms an order modification it never executed, one that fabricates product availability when an API times out, another that skips an approval step while dashboards show a 99 percent success rate." AWS claims new AgentCore features address this with "failure, intent, and trajectory insights across hundreds of sessions." AgentCore also has policy capabilities that define what an agent can and cannot do, and Bedrock Guardrails, which run at a gateway layer outside the agent and evaluate actions for prompt injection, harmful content, and data exposure. 
"Trust is the single biggest barrier to adoption for artificial intelligence systems inside most organizations," said Wood. He said that AWS is trying to build agents that "exhibit and communicate trusted outcomes to their users," using Bedrock AgentCore policy and guardrails to make AI agents safer and more reliable. ®
Digital sovereignty needs an operating model
Europe, like much of the world, is living through a period of heightened geopolitical uncertainty in which sanctions risk, legal divergence, and cyber disruption have moved from abstract concerns to board-level variables. Digital sovereignty is shifting from aspiration to operational requirement, driven by resilience expectations, critical service dependency, and rising geopolitical and cyber risk. Definitions of sovereignty vary, ranging from blanket data localization edicts to industrial policy to national security, but the absence of an agreed definition should not be mistaken for an absence of intent. Sovereignty is already shaping procurement, regulatory compliance, and technology strategy. From my years working at the intersection of government and the technology industry, I have seen how quickly digital policy can harden into operational constraints. I have also seen how easily "sovereignty" becomes a stand-in for broader concerns: dependency, geopolitics, and the fear that critical services may not remain available during a crisis. Two issues are at play. First, policymakers are right that over-dependency on foreign technology can become a national resilience problem. Cloud market concentration is a case in point: last year across Europe, the three leading cloud providers accounted for around 70 percent of the market, while European providers' collective share remained around 15 percent. Concentration is not, by itself, a security failure, but it is a strategic dependency that can become acute when legal regimes diverge, access is contested, or a geopolitical shock tightens the room to maneuver. It also amplifies the "ripple effect": disruption at a small number of providers can cascade across thousands of organizations and supply chains. Second, business leaders are right to worry that blunt sovereignty initiatives raise costs and regulatory complexity. 
A hard localization mandate or a "sovereign-only stack" duplicates infrastructure, slows modernization, and in practice keeps organizations tied to legacy systems longer than planned while limiting access to leading technologies. The same tension is shaping Europe's competitiveness debate. Former Italian prime minister Mario Draghi has argued that security is a precondition for sustainable growth and that deep dependencies can leave Europe vulnerable to coercion as geopolitical volatility increases. The question is not whether sovereignty matters but how to pursue it without turning it into a counterproductive procurement ideology.
From policy to platform choice
A recent decision by the French government to restrict certain foreign-made video conferencing tools in favor of a homegrown alternative illustrates the direction of travel across the EU. Whether one agrees with the decision or not, it signals something larger: sovereignty is becoming a set of practical constraints that can reshape technology choices quickly. Many organizations are responding with a third, damaging outcome: delay. In a recent Zscaler-commissioned survey, 73 percent of respondents said digital sovereignty concerns had caused them to delay or cancel transformation initiatives. That "pause dynamic" is dangerous because it prolongs exposure to legacy risk, weakens cyber readiness, and leaves organizations less able to absorb disruption from ransomware, supply chain compromise, systemic outages, or sudden changes in cross-border rules at a time when the threat landscape is shifting faster than ever. If Europe wants sovereignty that strengthens resilience rather than undermines it, political and business leaders need a framework that is practical, measurable, compatible with open markets, and informed by the technology sector's expertise. Here is one: control, choice, and continuity. 
An outcome-based framework
Sovereignty begins with what an organization can control in practice: who can access data, who can administer systems, whether a vendor can see customer content, where logs are stored, how keys are managed, what subcontractors can see, and how policies can be enforced. Control is not about isolation; it is about enforceable governance and reducing hidden dependency. Sovereignty also requires choice: credible options when assumptions break. Too many organizations discover too late that their "vendor strategy" is really a dependency strategy, with few realistic alternatives. Choice is not achieved by buying two of everything. It is achieved through architecture and contracts that keep an organization mobile and avoid vendor lock-in: portability for data and configurations; full transparency on who they rely on, where access sits, and which jurisdictions and subcontractors are in the chain; and pre-agreed exit paths that can be executed under time pressure. It also requires leaders to prevent the sovereignty debate from becoming an excuse to stop transformation. Every program facing sovereignty constraints should be forced through a decision path: redesign, mitigation, or exit on a timeline. The third C is continuity: keeping critical services running during any kind of disruption. If sovereignty is meant to reduce strategic vulnerability, continuity is where it either becomes real or becomes theater. Continuity is measurable through recovery time objectives, tested failover, supplier-failure drills, and exercises for jurisdiction-change scenarios. Across Europe, the urgency is reinforced by the threat environment. Zscaler ThreatLabz data shows rising numbers of damaging ransomware attacks year over year across the region: Spain (+116 percent), Germany (+74 percent), Belgium (+73 percent), Italy (+53 percent), and France (+34 percent) among others. 
Separate research on resilience found that 52 percent of IT executives believe their current security measures are insufficient to defend against existing or emerging threats such as agent-based AI and quantum computing. The UK's National Cyber Security Centre, meanwhile, reported a 130 percent rise in "nationally significant" incidents over the past year. AI is accelerating these risks. It already gives "bad actors" new capabilities to increase the speed, scale, and sophistication of their attacks. The question is not whether disruption happens, but whether systems can withstand it.
Mandate outcomes, not vendors
Business leaders argue that sovereignty will raise costs, increase compliance friction, and shrink access to leading technology. That is often true. Policymakers' concerns are also legitimate: strategic dependency can undermine national security and resilience. The mistake is writing sovereignty rules that dictate which vendors to buy rather than what controls buyers must have to keep services running during shocks. The most useful sovereignty requirements are outcome-based: enforceable control over access and data, credible choice through portability and exit, proven continuity through testing and recovery. They create room for organizations to use global platforms safely while meeting local requirements, without freezing modernization. If sovereignty is now an operating requirement, every stakeholder has a role. Boards should define what "sovereign enough" means for their organization, then require regular reporting and testing, with incentives tied to resilience outcomes. CEOs and COOs should treat sovereignty as continuity, fund the modernization that reduces brittle legacy dependency, and force decisions on blocked programs. CIOs and CISOs should map and minimize third-party access, implement localization and multi-region resilience where required, and build plans for supplier failure and jurisdiction-change scenarios. 
Regulators should clarify definitions, harmonize requirements where possible, and create compliance pathways with transition periods that reward modernization rather than incentivize delay. The approach must be risk-based and agreed in consultation with industry.
Scaling control, choice and continuity
To make control, choice and continuity achievable at scale, two additional disciplines are required: collaboration and compliance. Collaboration keeps sovereignty compatible with openness through interoperability, shared incident readiness, transparent subcontracting, and trusted vendor partnerships that reduce concentration risk instead of merely relocating it. Solutions must be tailored for local demands and drive investment in local ecosystems. Compliance makes sovereignty measurable through clear definitions, auditable evidence, and regulatory approaches that focus on operational controls so that organizations are pushed to modernize rather than to delay. Sovereignty on European terms should be judged by outcomes rather than rhetoric: whether organizations can govern access, keep options open, recover quickly when incidents happen, and continue delivering critical services when dependencies fail. Done well, digital sovereignty becomes a catalyst for resilience, innovation, growth and competitiveness; done bluntly, it becomes a brake on the very transformation it is meant to protect. Contributed by Zscaler.
Surface tension rises as Microsoft's latest kit starts at a pricey $1,499
Microsoft has unveiled new Surface hardware at prices that could keep customers away until the hardware supply chain sorts itself out. Two devices were announced – a new Surface Pro and Surface Laptop with Snapdragon X2 silicon. The 13-inch Pro has, according to Microsoft, 53 percent faster graphics performance than the previous generation, and the 13.8 and 15-inch Laptop deliver 58 percent better graphics performance. The batteries should last all day, and the touchpad on the Laptop features haptic technology. Of course, there is dedicated NPU silicon for those on-device AI tasks that have yet to become a killer application. Still, nice to have. Less nice is the price. The Pro starts at $1,499, and the Laptop $1,599. The base Pro comes with 16 GB RAM and a 256 GB SSD, as does the base Laptop. The base 15-inch Laptop ups the storage to 512 GB, although the price starts at $1,699. The devices look great and appear well built. Microsoft has claimed they are "designed with sustainability and repair in mind," with 100 percent recycled aluminum enclosures and a new Surface Repair Tool to guide users through repair workflows for components such as the battery or display. But there is no getting around the prices, which are a hike on top of the increases Microsoft rolled out in April. Remember the Surface Laptop 7? It came in at $999 when it launched in 2024 and included a 256 GB SSD and 16 GB RAM. The new Surface Laptop is a whopping $600 more. Microsoft is not the only company affected by rising component costs, and has attempted to soften the blow a little. There's a free keyboard on offer for Surface Pro 13-inch buyers, and a free Surface Arc Mouse for Laptop purchasers. There's also up to $900 on offer for trade-ins. It is, however, difficult to recommend the devices or indeed any premium device in the current hardware climate. The problem Microsoft faces is the rise of portables like Apple's $599 MacBook Neo. 
While it is a vastly underpowered device when compared to the latest Surface Laptop, it is more than adequate for most purposes and an attractive proposition for customers reluctant to drop another thousand dollars on Microsoft's (or any other premium vendor's) latest and greatest. The latest Surface devices represent a missed opportunity for Microsoft. Although a price hike for a premium device is difficult to avoid, considering component shortages, other vendors appear capable of releasing more basic hardware at a price point that is not so heart-stopping. Dell, for example, has launched a new XPS 13 laptop for $699. In Microsoft's last earnings report, revenue from Windows OEM and Devices was down 2 percent. It is difficult to see how the newly announced Surfaces will change this trend as customers consider whether a premium device is worth quite such a premium price. ®
Cisco adds another SD-WAN box to max-severity bug advisory
Cisco has updated a February security advisory, adding another product to the list of those affected by the maximum-severity CVE-2026-20127. Switchzilla made a small amendment to the original advisory on Tuesday evening, noting that Cisco Catalyst SD-WAN Validator, formerly vBond, was also among the boxes attackers could pop open. Readers may remember the fuss over CVE-2026-20127 (10.0) a few months ago. The make-me-admin improper authentication flaw prompted a Five Eyes alert since attackers could essentially gain persistent root access to all vulnerable instances. In other words, it's a far-from-ideal situation that could create espionage opportunities, given the prevalence of Cisco's SD-WAN offerings in Western networks. Cisco said at the time that attackers could exploit CVE-2026-20127 to gain admin rights, access NETCONF, and reconfigure the SD-WAN fabric, before exploiting CVE-2022-20775 (7.8), a path traversal flaw discovered in September 2022, to gain root access. Cisco Talos, the company's threat intel arm, posited that the bug could have been exploited for as long as three years by the time it was discovered. Talos attributed the exploitation activity to a group it tracks as UAT-8616, whose activity dates back to at least 2023, according to its researchers' estimates. No one has formally attributed UAT-8616 to a specific country or group of individuals, but experts say that it is a highly sophisticated outfit that has a history of targeting critical infrastructure sectors. Ollie Whitehouse, NCSC-UK's CTO, said at the time: "Our new alert makes clear that organizations using Cisco Catalyst SD-WAN products should urgently investigate their exposure to network compromise and hunt for malicious activity, making use of the new threat hunting advice produced with our international partners to identify evidence of compromise. 
"UK organizations are strongly advised to report compromises to the NCSC, and to apply vendor updates and hardening guidance as soon as practicable to reduce the risk of exploitation." The Register asked Cisco for more information, but it did not immediately respond. Customers should not have to make any new changes, provided that they upgraded their software to a fixed version across all systems when the advisory was first published in February, not just SD-WAN Controller and SD-WAN Manager. The update comes weeks after Cisco disclosed another zero-day affecting Catalyst SD-WAN, suggesting that it had been exploited for at least a week at the time. Tracked as CVE-2026-20245, it marked the sixth SD-WAN flaw disclosed this year, and the second to be exploited as a zero-day in as many months. ®
Homebrew 6.0 released with new security mechanism, Linux sandbox and more
The Homebrew team has released version 6.0 of this popular open-source package manager for macOS and Linux, with a new mechanism for trusting packages and support for sandboxing on Linux, to align with existing sandboxing on macOS. Homebrew 6.0 introduces tap trust, a "tap" being a collection of formulae, casks (a package of pre-compiled binaries) and commands which usually reside in a Git repository. The tool trusts official Homebrew taps by default, but requires explicit agreement before it will trust third-party taps (which can include arbitrary Ruby code) and let them install or run any code. Tap trust is part of Homebrew’s approach to supply chain security, which has a number of distinctive features. Package maintainers are Homebrew maintainers, not the authors of the package. Names are maintainer-curated, so typosquats (giving a package a misleading name designed to be similar to one that is popular) can be rejected. Each download is pinned to a sha256 checksum. Package binaries are built from source, which protected Homebrew from incidents like the Trivy compromise earlier this year when official Trivy binaries were replaced with malicious versions. These and other features of Homebrew security are described in the documentation. Project leader Mike McQuaid told us that "Homebrew was less vulnerable 10-15 years ago than npm is today. The trust model is radically different and, even today, we are much quicker to break backwards compatibility in the interest of security." A new security feature is sandboxing on Linux when Homebrew compiles software. This was already implemented on macOS (and has been for a decade). Version 6.0 adds a Linux implementation based on the Bubblewrap project, and this will be on by default for developers. A new Homebrew sub-command, brew vulns, will check installed packages for known vulnerabilities against OSV (a vulnerability database for open source). 
The commands brew install and brew upgrade will now show a dependency summary and require a confirmation prompt before running, called ask mode, following a developer survey earlier this year where this was highly requested. Another new command, brew exec, will run a Homebrew-provided executable, similar to the way npx works for npm packages. Homebrew startup performance in 6.0 is said to be faster, thanks to parallelised bottle fetching (a bottle is a pre-built package) and other optimizations. Apple is phasing out support for Intel macOS both for future versions of macOS and for Rosetta, the Intel compatibility layer. Homebrew is following: in September this year no new bottles will be built for macOS Intel and from September 2027 macOS Intel will be "unsupported entirely and all related code deleted," according to the post introducing Homebrew 6.0. Homebrew is well-liked by developers, and becoming more popular on Linux as well as macOS. There is some frustration though regarding the dropping of Intel support. "The deprecation of Intel support is aggressive! Every Mac enthusiast I know who uses a Mac as a server uses their old machines, which are pretty much all Intel. We'll lose support from you guys a year before Apple!" said one. McQuaid replied noting that Homebrew will still work for a year after support is dropped to "Tier 3", meaning almost unsupported, and added that "there’s nothing stopping you from doing the work to set up ‘Intelbrew’ and support it for the community." Another issue he mentioned is that GitHub is dropping macOS Intel runners for continuous integration towards the end of 2027. It is notable that Homebrew 6.0 made extensive use of AI coding. A document on responsible AI usage takes the line that AI contributions must be disclosed and human-reviewed, and that AI is not responsible for any code, rather the human contributor is responsible. 
"AI is great if used responsibly which means a human reviewing all changes both before PRs are submitted and a maintainer reviewing before PRs are merged. I have found despite using it responsibly it has been a huge personal accelerator," McQuaid told us. ®
Apple's WebKit performance tax leaves iOS browsers stuck in the slow lane, says Microsoft
Critics and competitors have long complained about the "Apple Tax" – the sales commission developers are obliged to pay on App Store sales and in-app purchases. Now Microsoft engineers have documented a performance tax – the performance hit that iOS users today endure because Apple requires iOS browsers, with theoretical exceptions, to use the WebKit browser engine that powers Safari. The performance tax comes to 28.6 percent, almost as much as Apple's 30 percent commission rate. Browser rendering engines handle the heavy lifting for web browsers. "They determine how web standards are implemented, how security and privacy protections are enforced, and which actors ultimately shape the evolution of the web," as Mozilla recently explained. Just three major engines dominate commercial deployments: Blink, the foundation of Chrome and its Chromium-based siblings Edge, Vivaldi, Brave, and Opera, among others; WebKit, the foundation of Safari; and Gecko, the foundation of Firefox. Firefox holds about 2 percent of the global browser market share, according to StatCounter. That helps explain Mozilla's concern that the lack of browser engine diversity, a consequence of the market power of Google and Apple, threatens the open web. According to DigitalApplied, Safari owns 23.4 percent of mobile browsing on iOS globally and 51.2 percent of mobile browsing in North America. But due to Apple's platform rules, every browser that runs on iOS is WebKit-based, so there are few opportunities for competitive differentiation outside of interface elements. Browser rivals, advocacy groups, and web developers have argued for years that Apple should relax its platform rules and improve its web technology. Europe's Digital Markets Act (DMA), plus regulatory action in Japan and elsewhere, have amplified hope that Apple will allow more competition on its mobile OS. The latest such investigation comes from the Italian Competition Authority. 
Microsoft has now highlighted the cost of the iOS browser engine monoculture – time lost to Safari's slowness. On Monday, Kyle Pflug, group product manager for the Microsoft Edge Web Platform, published benchmark test results using Apple's Speedometer 3.1 and other test tools that show how a Chromium-based iOS browser using the open source Blink rendering engine compares to Apple's Safari browser, which relies on the open source WebKit rendering engine. Edge is a Chromium-based browser, and if it were implemented for iOS using BrowserEngineKit, a framework Apple introduced in March 2024 to comply with Europe's Digital Markets Act (DMA), it would score 28.6 percent better (49.27 vs 38.3 on Speedometer 3.1) than Apple's Safari browser under iOS 26.5.1. It would also outperform Safari on the JetStream 3 benchmark (JavaScript and Wasm performance) by 13.1 percent (306.35 vs 270.9) and on the MotionMark 1.3.1 benchmark (graphics rendering) by 2.1 percent (4,773.52 vs 4,673.68). "To be clear, this is a research prototype, not a product announcement; and these are preliminary numbers from my own device, not lab results," said Pflug. "But it does prove out the opportunity to close real capability gaps and deliver new competition on performance." Rick Byers, principal Chrome engineer at Google, took note of the results. "Given how Chromium and WebKit are always vying for the top spot in Speedometer on macOS, it's really striking how big the gap is on iOS!" he said in response to Pflug's post. "And we haven't even really tried to optimize performance for that platform yet! IMHO this is what you should expect to see when there's a lack of competition!" Apple did not immediately respond to a request for comment. The EU has enforced competition through browser selection screens, with some success. In theory, the bloc's rules should promote browser engine competition on iOS. The DMA allows EU-based developers to build browsers with rendering engines other than WebKit. 
Since March 2024, Apple has provided tools to do so. Yet more than two years later, no browser maker has launched an alternative browser. As Microsoft has done with Edge, Google and Mozilla have prototyped Blink and Gecko-based versions of their respective browsers for iOS. But no such browser has been released. That may be because building a new browser means scaling considerable technical hurdles that Apple hasn't rushed to lower, such as BrowserEngineKit bugs. Browser makers therefore consider the Apple rule compliance process too onerous. For example, if Microsoft were to release a Blink-based version of Edge on iOS, it would have to be a separate app from the WebKit-based version of Edge – leaving Redmond to reacquire its entire iOS user base. Alex Moore, executive director of Open Web Advocacy, a group that has lobbied on behalf of web developers against Google and Apple's platform rules, pointed to citations [PDF] in US court filings (the US 2024 antitrust case against Apple is ongoing) and UK regulatory documents that highlight the problem posed by Apple's platform power. In February 2020, these documents say, Apple's vice president of iPhone marketing proposed that the company should "set a stake in the ground for what features we think are 'good enough' for the consumer" rather than investing and innovating. "This is a clear example of the costs Apple imposes on consumers and businesses worldwide, costs created by its 17-year ban on competing browser engines," Moore told The Register. "Even in the EU and Japan, where Apple is now required to allow browser vendors to use their own engines, the barriers it has put in place ensure browser vendors are prevented from porting their own engines to iOS. Given that Apple has now had more than two years to produce a compliant solution, the European Commission needs to open a specification proceeding to instruct Apple, in precise terms, how these barriers must be removed." 
"If Apple can restrict browser engines on iOS, it can limit what the mobile web is capable of, and keep businesses dependent on native apps and app store rules. This is, in our view, the most critical intervention the EU could possibly make, and the one most likely to reshape the entire mobile ecosystem. No other intervention comes close." ®
Intel starts cooking up enhanced 18A-P silicon for would-be foundry customers
While Intel ramps up production of its 18A process node, the chipmaker has started limited output of its enhanced variant, 18A-P, promising 9 percent higher performance at the same power. At the IEEE's 2026 VLSI Symposium in Hawaii, Intel disclosed that it has started risk production using 18A-P, the first of its planned enhancements for the 18A process, and potentially the first to be used for commercial customers of Intel's foundry biz. Risk production refers to initial low-volume output to qualify a new manufacturing node. Chipzilla says reaching this stage means it is meeting timelines it has shared with customers and partners. The x86 giant launched its first chips made with the base 18A process back in January, in the form of the "Panther Lake" Core Ultra Series 3 processors. But it had already detailed plans for updated versions of the manufacturing tech last year, as reported by The Register at the time. Intel claims 18A-P delivers 9 percent better performance than 18A while consuming the same power as 18A silicon, or, alternatively, 18 percent lower power consumption for the same performance. It achieves these performance and power benefits through a mix of transistor, interconnect, and design technology co-optimizations, the firm says. But a key factor is that 18A-P is said to be fully design rule compatible with 18A, meaning that any chips designed for 18A should be easily transferable for production with Intel's newer process. Industry talk is that Intel's first foundry customers may therefore skip straight to 18A-P. Previously, the chipmaker planned to offer the upcoming and more advanced 14A node as its first mainstream commercial offering but it is understood that chief exec Lip-Bu Tan changed that plan. Intel is also reportedly in talks with Apple to manufacture some of its silicon on 18A or 18A-P. 
"Our updates and presentations at VLSI signal to Intel Foundry customers and partners that we are fully committed to leading edge process innovation over the long term," said Intel Foundry EVP Naga Chandrasekaran. The other process node variant Intel is working on is called 18A-PT, which is optimized for designs requiring through-silicon vias (TSVs). This is to allow a final product to be assembled by stacking multiple chips or chiplets on top of one another. Industry watchers believe Intel expects AI accelerator designers will favor 18A-PT, as it allows memory tiles to be manufactured separately and integrated during packaging. Also at the VLSI event, Intel disclosed several technologies still under development. These include CFET (Complementary FET) using vertically stacked NMOS and PMOS devices for increased transistor density, and integration of gallium nitride power devices with silicon logic, enabling digital control circuitry alongside high-power transistors in a single process. Speaking at a conference earlier this month, Intel chief financial officer David Zinsner admitted that the firm had bitten off more than it could chew with 18A, referring to the delays in getting it into production last year. "I would say it this way, I don't know, early last year, I think the challenge around 18A was two things. One, we tried to do too much at once. And it took a while to get that settled. And I think second is, we were trying to play performance and yield and trying to improve both at the same time. It was like trying to fly the plane and fix the wing at the same time, basically," he said. ®
Windows devs rerolled old code to save precious bytes
Microsoft's latest Windows update might or might not have improved performance for the company's flagship operating system, but there was a time when its engineers cared about performance. A lot. Veteran Microsoft engineer Raymond Chen on Monday hearked back to that time by telling another war story from the glory days of Windows, when a team was working on an x86-32 emulator for an unnamed processor (though it isn't particularly difficult to identify potential candidates). The emulator used binary translation – native code was generated for the original x86-32 code. Chen explained, "This offered a significant performance improvement over emulation via interpreter. You can imagine that x86-32 is just a bytecode, and the emulator is a JIT compiler." The team came across a function that needed to allocate 64 KB of memory. Simple enough stuff – check that there is enough memory available, subtract 65536 from the stack pointer, and then initialize the memory in a loop. Use the comments to correct me, but this sounds like loop rolling, where repetitive code gets condensed into a loop. However, it appeared that a compiler had … optimized … the code "by unrolling the loop into 65,536 individual 'write byte to memory' instructions, each 4 bytes long." Perhaps a bit quicker, but goodness – quite the memory hog. "All in all," wrote Chen, "it took this program 256 kilobytes of code to initialize 64 kilobytes of data." Almost like a glimpse into a future where operating systems don't appear to give two hoots about efficient use of storage. What would that look like? As for the engineers working on the CPU emulator, Chen said, "This offended the team so much that they added special code to the translator to detect this horrible function and replace it with the equivalent tight loop." 
It would be interesting to know what that same team would make of the internals of some Windows binaries today, but it is heartening to know that, at one point, engineers cared about memory efficiency enough to reroll something. Sure, there might, just might, have been a performance hit, but spitting out 256 KB of code just to initialize 64 KB of data? Naughty. Very naughty. The much younger version of this hack, optimizing the heck out of code to fit within the confines of computers from yesteryear, would have been horrified. ®
UK.gov links up with LinkedIn for jobs market intel from 40M accounts
The UK's Department for Work and Pensions (DWP) will draw on 40 million UK LinkedIn accounts to get a better understanding of local job markets. DWP said it plans to use anonymized data to help it find trends such as mismatches between local job ads and the skills possessed by local people. The department won't scrape the Microsoft-owned social network, instead relying on Redmond to analyze data and pass its findings to Skills England, a DWP agency whose officials are already working on the project. "This partnership with LinkedIn will give us a clearer understanding of the jobs market – what employers need, where opportunities are, and how people are building their careers, in order to boost economic growth," DWP minister Pat McFadden said in a canned statement. He added that more detailed insights into local workforces could particularly help young people. Skills England intends to use LinkedIn data to investigate how people move between jobs to help them develop new career options and support businesses in widening their recruitment nets. LinkedIn has nearly four million more UK-registered accounts than the 36.2 million adults who were working or looking for work in the first quarter of this year, according to figures from the Office for National Statistics (ONS). However, the service is open to students and retirees, so perhaps that accounts for the discrepancy. The Reg knows some users have more than one account on the site as well. The UK government increasingly draws on commercial data to supplement its official statistics. For example, the ONS publishes "real-time indicators" that include monthly data on new online job adverts, based on Textkernel scraping information from 90,000 job board and recruitment pages. The ONS has suffered from falling response rates for official data-gathering exercises such as its Labour Force Survey, making commercial sources more attractive. 
A recent report from Germany-based digital policy group Interface suggests that other arms of government are also taking advantage of commercial data, with Hungary's intelligence services using location data gathered for mobile advertising and equivalent organizations in other countries likely to be doing similar. ®
Brit competition cops order Google to make search rankings less mysterious
The UK's Competition and Markets Authority (CMA) has imposed two new conduct requirements for Google's search services, to improve transparency and fairness in result rankings and to allow users to port their search data to third parties. The requirements follow the CMA's actions in early June that let publishers opt out of having their work appear in AI Overviews, while requiring attribution and clear links to sources. "More activity is expected over the summer," the regulator warned. The fair ranking requirement arises from complaints from UK businesses that Google's current approach is "neither fair nor transparent," as the web giant makes changes without sufficient notice and does not offer an easy way to complain. Google sees it differently. A spokesperson told The Register: "Our ranking systems are fair, transparent and show the most relevant, highest quality results. "We are committed to protecting the integrity of our systems, and will work constructively with the CMA to ensure that we can uphold the high quality of Search for our users." Be that as it may, the CMA's conduct requirements call for Google to provide businesses with more transparency into how its rankings work and to introduce "clear processes" for raising concerns about the Big G's practices. Furthermore, "organic" search results must be ranked using "objective and non-discriminatory criteria." The requirement also encompasses Google's AI Overviews, but not sponsored results. Google has six months to implement the ranking requirements. It has three months to implement a data portability requirement, but this is more about putting the voluntary processes already in place via Google's UK Data Portability API on a legal footing. According to the CMA, "the rights of UK users will now be on a par with those in the EU (under the EU's Digital Markets Act)." Businesses, unsurprisingly, are keen to get hold of that data.
The CMA wrote: "Using this data would allow third parties to offer people more personalized features – like tailored travel suggestions, more relevant shopping deals, and rewards (including cashback and discounts)." Will Hayter, Executive Director for Digital Markets at the CMA, said: "These new measures will ensure search results are ranked fairly and objectively, with clearer information about changes and effective routes to raise concerns. "At the same time, innovative businesses will have the confidence that they can access search data in practice, unlocking investment and innovation in new products and services for users." The CMA slapped Google with Strategic Market Status (SMS) in general search and search advertising in October 2025. This designation was a recognition of Google's market power, although it does not, by itself, indicate the company has acted anti-competitively. It does, however, give the CMA more power to introduce interventions such as the conduct requirements above. Google is not the only company facing scrutiny. The CMA recently launched a fourth SMS investigation into Microsoft's business software ecosystem. ®
Helpdesk scammers are making house calls to make their lies feel more real
Six people suspected of bank helpdesk fraud are in custody after Dutch cops stormed an Amsterdam residence and caught them in conversation with a potential victim. Police say the individuals were aged between 15 and 30 and operated out of a makeshift call center they had established in an Amsterdam home. Authorities believe the accused committed bank helpdesk fraud, which has become increasingly popular across the Netherlands. Offenders were recently targeted as part of Game Over?!, a novel law enforcement scheme that successfully shamed criminals into submitting themselves to authorities. Helpdesk scammers typically call victims on the phone, using methods similar to voice phishing, or "vishing." They present themselves as bank employees contacting victims under various guises, all designed to steal their money. In this case, police say the alleged criminals tried to convince victims to "increase their limits," and in "several" cases, succeeded in stealing funds from their accounts. The precise cover story is largely irrelevant, however. The aim of the game is the same each time: Convince a prospective victim to surrender enough details to access their bank accounts and steal their money. While these scams mostly take place remotely, Dutch police said in their announcement on Tuesday that the crew sent members to visit victims in person, purportedly offering hands-on assistance to secure their accounts. The same tactic can often be observed with fake police officer shakedowns, which have also become popular in the country. Police say tens of thousands of elderly people, who make up the majority of targets for such scams, have fallen victim to the confidence scams. In these cases, fraudsters visit elderly individuals' houses and pretend to represent law enforcement, offering a service to safeguard their valuables. The crooks then steal those valuables, and police say previous cases have turned violent. Some have also ended in fatalities.
Multiple victims of the helpdesk frauds reported their respective cases, according to the cops. The National Intervention Team for Digital Crime was called in to investigate, and during a raid on June 10, officers found the suspects mid-call with a potential victim. Officers seized multiple laptops and phones after apprehending the six suspects, and found several bank cards at the property. Further arrests have not been ruled out. ®