Microsoft

Microsoft Adds Another Year To Windows 10 Extended Update Program (arstechnica.com) 122

Microsoft has quietly extended free Windows 10 security updates for consumers by another year, pushing the Extended Security Updates (ESU) program's end date from October 12, 2026, to October 12, 2027. "The ESU support page was updated with that date, and Microsoft's blog post on the program has a new editor's note confirming the change," reports Ars Technica. From the report: The prevalence of Windows across so many devices and form factors has given Microsoft a massive customer base for decades, but it has also stymied the company's efforts to roll out new operating systems. Microsoft famously extended the support window for Windows XP numerous times throughout the 2010s as it became apparent that millions of PCs would never be updated. Windows 10 isn't quite as entrenched as XP was, but it has still been a slog getting people to upgrade to Windows 11 even nearly five years after release.

Unlike many past Windows updates, Windows 11 required some users to buy new PCs with specific CPU technologies and a Trusted Platform Module (TPM). Microsoft was widely criticized for excluding perfectly serviceable PCs, and that's turning into a problem in 2026. The AI-driven shortage of storage and memory has made system upgrades vastly more expensive, potentially slowing upgrades. Some have also avoided Windows 11 due to Microsoft's intense focus on AI features.

The result is that Windows 10 remains stubbornly popular. According to StatCounter data, Windows 10 is still running on about 26 percent of PCs, while Windows 11 sits at 72 percent. That means there are still hundreds of millions of active Windows 10 installs, but those machines will be up to date for at least an additional year.

Transportation

Polestar Banned From Selling Cars In US From Model Year 2027 125

Longtime Slashdot reader schwit1 shares a report from autoevolution: The U.S. Department of Commerce's Bureau of Industry and Security denied Polestar an authorization under the Connected Vehicle Rule. Polestar will continue to sell its existing inventory of Polestar 3 and 4 crossovers in the United States and will continue to offer support to customers and access to its service network. But no new 2027 models will set wheels on American soil.

The Connected Vehicle Rule is a regulation that restricts the import and sale of vehicles equipped with Vehicle Connectivity Systems (VCS) and Automated Driving Systems (ADS) tied to foreign adversaries, primarily from China and Russia. Polestar is owned by Chinese auto giant Geely, which has also been the parent company of Swedish brand Volvo since 2010. However, Volvo has recently been granted authorization to sell connected vehicles in the United States.

The rule, set out by the Bureau of Industry and Security (BIS), classifies modern vehicles as mobile data centers and is designed to protect national security by keeping sensitive driver data and vehicle control systems out of the hands of foreign governments. Michael Lohscheller, Polestar CEO, confirms that the company is well aware that the automotive industry is entering a new phase, based on regional dynamics. So, Polestar will shift its strategy to its biggest market as it is preparing its exit from the U.S. market.
The report notes that Polestar sold 5,384 cars in the U.S. in 2025, with 60,119 units sold globally.
AI

Trump Administration Asks OpenAI To Stagger Release of New Model 64

The Trump administration has reportedly asked OpenAI to stagger the release of GPT-5.6 over security concerns. The model will initially be offered to a small group of partners, with the government "approving access customer by customer during this preview period," reports The Information. The request came from conversations with the Office of the National Cyber Director and the Office of Science and Technology Policy, the report said.
AI

Linux Foundation Launches Akrites To Coordinate AI-Driven Open Source Security (nerds.xyz) 17

BrianFagioli writes: The Linux Foundation has announced Akrites, a new initiative to coordinate vulnerability disclosure and remediation for critical open source software as AI dramatically speeds up vulnerability discovery. Founding members include AWS, Google, Microsoft, OpenAI, Red Hat, NVIDIA, IBM, Cisco, JPMorganChase, and others. Akrites will provide a shared Security Incident Response Team (SIRT), a standardized coordinated vulnerability disclosure process, and act as a "maintainer of last resort" for abandoned but widely used packages.

The goal is to reduce duplicate reports, avoid conflicting patches, and help upstream maintainers address vulnerabilities before they can be exploited. As AI makes it easier to find security flaws, can a coordinated industry effort help protect open source, or does it risk giving large corporations too much influence over the ecosystem?
"Akrites is the largest coordinated effort in history to create systems and deploy tooling that leverages the collective power of the community to make everyone safer," the Linux Foundation said in an open letter. "Akrites participants will contribute engineering resources; work to build and ship fixes; or fund the engineers who do. Some companies have contributed mightily already. The reality is, collectively, we need to contribute more."
Privacy

Meta Pauses Employee-Tracking Program Following Internal Data Leak (wired.com) 22

Meta has paused its Model Compatibility Initiative that tracked employee mouse movements, clicks, keystrokes, and screen content to train AI agents, after some of its collected data became accessible to more employees than intended. Meta says it has no evidence the information was improperly accessed and will not restart the program until it is confident in its safeguards. Wired reports: Meta rolled out the Model Compatibility Initiative (MCI) tool in April to US employees. The tool "collects computer inputs such as mouse movements, click locations and keystrokes, as well as screen content," according to workers who have been petitioning against it over privacy, security, and personal liberty concerns. When MCI launched, employees couldn't opt out, but that changed to a limited degree after workers protested. Meta executives have repeatedly defended the data-gathering project, saying it was necessary to train AI systems to operate computer software the way humans do and that employees were the best examples for the artificial intelligence to learn from.

On Monday, a Meta engineer issued an internal security notice stating that databases filled with information gathered by MCI had been exposed to anyone inside the company. A former employee actively involved in pushing back against MCI describes the lapse as "a mess" -- and one that employees had expected would occur. "When workers raised concerns, leadership doubled down and failed to acknowledge the risks workers raised about the safety and privacy of worker and customer data," the person says. "Leadership has clearly created an authoritarian environment where workers are no longer respected or heard."

But after critical comments poured into internal forums on Monday expressing frustration about the security issue, Meta shocked some of its staff by pausing MCI altogether, telling WIRED about the development several hours before announcing it to employees. A few workers told WIRED they were confused in the meantime because the tool was continuing to run on their laptops. Late on Monday, Stephane Kasriel, a Meta vice president overseeing AI research, announced the pause and told staff that the security issue had been discovered on June 18 and addressed within four hours. But the initial fix didn't stick and access to the data had to be further locked down. The issue made "some MCI-derived data" accessible to more people than intended, he wrote, without elaborating.

Security

29-Year-Old Squid Proxy Bug 'Squidbleed' Can Leak Cleartext HTTP Requests (thehackernews.com) 19

A 29-year-old bug in the Squid web proxy, dubbed Squidbleed and tracked as CVE-2026-47729, can let an authorized proxy user retrieve fragments of another user's cleartext HTTP requests, including credentials and session tokens. The security researcher who reported the flaw credited Anthropic's Claude Mythos Preview for the discovery. The Hacker News reports: Squid describes this as an attack by a trusted client: someone already permitted to use the proxy, not any random host on the internet. That matches Squid's usual home, shared networks like schools, offices, and public Wi-Fi. In those setups, the attacker is just another user of the same proxy. The leak also only reaches traffic that Squid can read. Normal HTTPS rides an opaque CONNECT tunnel, so Squid never sees inside it; the exposed traffic is cleartext HTTP, plus TLS-terminating setups where Squid decrypts and inspects. The attacker also needs the proxy to reach an FTP server they control on port 21. Both FTP and that port are on by default.

[...] If you patch, verify the fix, not just the version. Confirm the guard is in FtpGateway.cc, or check your distribution's backport, since distros ship their own builds (Debian packages Squid 5.7). The public thread is still inconsistent: maintainer Amos Jeffries first said Squid 7.6 carried the fix, then corrected that to 7.7, and on June 22 Debian's Salvatore Bonaccorso noted the referenced commit looks like it is already in 7.6. The fix is small, a null-terminator check before the vulnerable strchr calls, merged to the development branch in April and v7 in May. Squid 7.6 does separately patch CVE-2026-50012, an unrelated cache_digest heap overflow.

The cleaner move is the one the researchers recommend anyway: turn FTP off. Chromium dropped FTP years ago, and most networks carry almost none of it, so disabling it removes this attack surface for free, whatever build you run. The risk is real but bounded. SUSE rates it moderate, CVSS 6.5, and the vector explains the score: the attacker needs proxy access (low privileges), and the only impact is confidentiality, nothing on integrity or availability.

Encryption

Following User Outcry, AMD Reinstates Memory Encryption In Consumer CPUs 34

Last week, AMD was found to have stripped memory encryption from its consumer CPUs without any warning or notice. Now, following a wave of backlash on social media, the chipmaker has now reinstated the protection, though it still hasn't explained why the safeguard was disabled in the first place. Ars Technica reports: Following the revelation, social media was deluged by comments from AMD consumers decrying the move. They noted that AMD's quiet removal of TSME after supporting it for so long seemed underhanded. The move came solely as a result of firmware changes made in a recent update. With no physical changes required to silicon, continued support was largely, if not purely, a matter of will rather than a necessity required by changes to hardware. The critics called on AMD to reverse the move.

Over the weekend, AMD said it planned to do just that in a firmware update scheduled for release next month. More often than not, the chipmaker refers to TSME as Memory Guard. "Regarding certain non-PRO Ryzen 9000-series desktop processors, a BIOS option to enable Memory Guard was previously available but was removed in a recent update," AMD said in an email. "Based on valuable community feedback, we will reinstate this option in an upcoming BIOS release in July."

The company has yet to explain why it removed the protection. Critics speculate that AMD dropped it in an attempt to steer customers toward more costly CPUs. It's possible, though, that there were less nefarious reasons, such as the difficulty of continued support as chip designs changed. Another possibility is that AMD made the move for performance reasons. Encrypting and decrypting data in memory creates latency. Slowdowns are the enemy of gamers, one of the more popular customer segments using the 9000-line of Ryzen processors. Since many gamers already voluntarily disabled TSME and had little need for it in the first place, AMD may not have considered the change of much consequence.
Cellphones

2,000 Retired Google Pixel Phones Get a Second Life As a Private Cloud (theregister.com) 27

UC San Diego researchers are working with Google to build a private cloud from 2,000 retired Pixel Fold motherboards, demonstrating how discarded smartphones could provide useful, low-cost computing capacity. "The full smartphone cluster is expected to launch this fall," reports The Register. "Depending on how well the initial phase goes, we're told the cluster could grow even larger." From the report Once the phone's motherboards have been extracted from their shells, the researchers say that the chips hiding within remain more than potent enough to be useful for a variety of tasks. In many cases, the single-threaded performance of these chips is as good as, if not better than, what you'd find from a many-cored datacenter chip. The Pixel Fold smartphones, which will form the basis of the cluster, are powered by a Google Tensor G2 processor with two 2.85 GHz Cortex-X1, two 2.35 GHz Cortex-A78 and four 1.80 GHz Cortex-A55 Arm cores, a Mali-G710 MP7 GPU, and 12 GB of system memory. Early benchmarking using the SPEC suite suggests that 25-50 phones should deliver performance similar to that of a conventional server.

The major challenge, instead, is distributing workloads across multiple devices, each of which has a handful of cores of one or more varieties, and most have 8-12 GB of memory. UCSD researchers are approaching this challenge from a couple of different angles. The first is by targeting applications that can easily fit within a single device. The second is using Kubernetes to orchestrate container deployments across clusters of 25-50 phones. For this to work, the devices first need to be flashed with a Linux operating system suitable for the job. While Android makes for a great handheld experience, it is not intended for server duty. In the blog post, researchers note that Android includes functionality intended to stop rogue applications from chewing up excessive amounts of memory and draining your battery. In server context, these safety mechanisms are no longer necessary.

[Ryan Kastner, an associate professor of computer science at UCSD] told us this was by no means an easy task, but the team has made steady progress toward getting Linux running smoothly on these devices, including support for the phone's onboard GPUs. Access to some functionality, like the chip's integrated tensor processing unit, remains elusive. Clustering these devices will require networking the phones together. Normally these devices would connect over cellular or Wi-Fi, but at this scale, this not only isn't practical, but also has implications for security, he explained. Instead, the team will employ PCBs that both supply power and break out wired Ethernet networking.

The researchers suggest that many EdTech, grading, and research workloads commonly run by universities in the cloud are small enough to run on the cluster without issue. "The vast majority of these applications are within the capabilities of a single smartphone to host, with the standard grading backend running on small cloud instances," a blog post detailing the planned deployment reads. "Early experiments show that even a moderately-sized cluster of 20 phones is capable of supporting peak submission rates for a 75+ student class."

United Kingdom

UK Official Promises Statements 'Around VPNs' and Further Teen Restrictions on Chatbots and Social Media (pcgamer.com) 30

PC Gamer reports: The UK government is considering an Australia-style ban on social media for under-16s, with Prime Minister Keir Starmer saying that the ban could take effect as soon as spring next year. As for the much nearer future, Science and Technology Secretary Liz Kendall told BBC Breakfast earlier this week, "We will make further statements in July about VPNs and further restrictions."

To be clear, no specific restrictions have yet been announced and Kendall sounded somewhat cautious about an outright ban during a parliament debate that took place the same day. "I have commissioned further research about their usage. There are really important issues to balance here," she says. "Many people want to use VPNs for privacy — that is important — but we know that some children use them to get around restrictions. I will come back to that in July in our response to the consultation." So, we'll have to wait until next month for anything definite, but it's hard not to feel like a full ban on VPNs is already on the table. If that does come to pass, more than the contents of my Bluesky inbox will be at stake.

Utah in the US has already tried to implement a full VPN ban (though this was postponed until September after Aylo, the parent company of Pornhub, challenged the law in court)... [T]he UK could just be the next domino after Utah, potentially setting off a chain reaction that affects users around the world.

The article also argues that age checks can also be a privacy nightmare "with the security breach that exposed the personal info of 70,000 Discord users last year being one case in point."

Here's the complete statement from UK Technology Secretary Kendall. "I'll come back in July with a further statement around VPNs but also additional measures that we want to look at, further restrictions on AI chatbots that parents have found very worrying, more about overnight curfews or breaks in doomscrolling for 16- and 17-year-olds."
Government

US Bill Would Mandate AI Chip Location Tracking to Thwart China and Other Adversaries (nbcnews.com) 51

NBC News reports: A group of companies that specialize in tracking international shipments of sensitive technologies is backing a Capitol Hill bill that would require America's most powerful AI chips to incorporate stronger security mechanisms aimed at preventing the chips from reaching China and other adversaries. The letter, signed by six companies, says the Chip Security Act (CSA) would increase American chip companies' competitiveness and close key loopholes in the U.S. export control regime.

The move clashes with claims from semiconductor lobbying groups that the requirements would constrain America's booming chip industry. Sent to congressional leadership Thursday morning and seen by NBC News, the dispatch instead argues that more robust security verification would assure chip customers and manufacturers that they are abiding by sensitive restrictions on chip sales. The companies argue that the boosted confidence will "lead to increased sales, faster export approvals, larger transactions, greater access to new markets, and more expansive chip deals."

Despite U.S. export control laws banning sales of advanced AI chips to certain countries, including China, loopholes in current requirements have allowed billions of dollars' worth of America's best AI chips to be sold to entities in third-party countries that can then forward them to China. In just one case in March, the Justice Department charged three people with conspiring to forward $2.5 billion of AI chips to China. The CSA aims to address those loopholes, mandating that chip exporters better track where advanced chips are sent, via either bespoke location-verification hardware or software that can run on existing hardware. That, bill proponents claim, would ensure that sensitive chips could be sold to countries like Malaysia or Indonesia without fear of further transfer to China... Experts say that because chips perform the advanced computations required for frontier AI systems, cutting off access to the chips is crucial to prevent geopolitical rivals from using AI systems for military or economic purposes.

Programming

The Rust Ecosystem Gets an AI Security Engineer in Residence (rustfoundation.org) 3

While the Rust Foundation has a Security Initiative to protect its ecosystem, "the threats have expanded," they announced this week, "and so has the kind of help maintainers need." Much of this comes back to a single shift: Automated tooling (much of it now built on large language models) has gotten good enough to surface real vulnerabilities in open source code quickly and at scale. That is useful, and several large Rust projects have already received and fixed credible issues found this way. The same tooling has also made it trivial to generate vulnerability reports that look plausible and are worthless. Maintainers across the ecosystem are losing real hours sorting these from the reports that matter, and the noise tends to bury the signal.

So, with funding from the Alpha-Omega Project, the Rust Foundation is bringing on a full-time AI Security Engineer in Residence dedicated to the Rust ecosystem. This position is being funded with part of the $12.5M in open source security funding that the Linux Foundation announced in March. The role exists to take pressure off maintainers. The person in this position will use a mix of human-led and AI-assisted methods to proactively review Rust itself and the crates the ecosystem leans on most and help us separate real, exploitable issues from false positives and low-signal noise before anything reaches a maintainer...

This role will run full-time for six months to start, with room to extend depending on what we learn and the funding available. Methods, playbooks, and prompts will be documented so the work doesn't end with the contract. We are grateful that Rust is not embarking on this work in isolation. Several other ecosystems have received parallel Alpha-Omega grants for the same kind of work (e.g., the PHP Foundation and the Drupal Association) and we plan to share tooling, triage practices, and what we learn rather than duplicating work

A statement from Rust's new AI Security Engineer in Residence acknowledges that "One of our next challenges is the wave of bugs discovered by the next generation of AI-powered developer tools."
Security

How Millions of Digital Home Devices Are Secretly Powering Cyberattacks (yahoo.com) 33

The Wall Street Journal reports on internet-connected devices — and how every year millions of them "can contain a secret digital backdoor that opens up access to your home internet, so that anyone... can surf the web as if they were you." (And this is especially true for "knockoffs that you buy online"...)

In a video report this week they tested two digital picture frames from Amazon and three streaming devices from Walmart "because we heard that they often ship with backdoor software used in cyberattacks. Security experts believe manufacturers are being paid to add this malware, but many people also get tricked into downloading the software onto their phones or computers... Within minutes of turning the devices on, there was a surge of internet traffic... Visits to gambling, porn, cryptocurrency and loads of other sketchy web sites started pouring in from users around the world." (And remote visitors also tried to access Outlook and Gmail accounts...)

Residential proxy companies even rent out access to "tens of millions of home networks around the world," according to the report. "But the problem is actually worse than that. Hackers figured out a way to seize control of these backdoors, and they started taking over these residential networks. Last month authorities arrested a 23-year-old Ottawa man, saying he'd taken control of more than a million devices to launch some of the largest cyberattacks anyone had ever seen.."

After a couple months the Journal's reporter collected logs of all the traffic, and sent it to an investigator at Comcast, who said both were conducting DDoS attacks. But estimate for the number of infected devices are as low as tens of millions or as high 500 million-plus. "We've seen nation state attacks launched through these kind of endpoints, which means your device sitting in your house is part of a nation state attack against another nation state... We've seen ad fraud, we've seen ticket scalping, we've seen financial fraud."

But more importantly, "We have seen some of the largest computer attacks — meaning computers attacking other computers at human request — ever recorded in our digital history in the last several months." At cybersecurity conferences, some are warning "there are much larger ones on the horizon if we don't get a hold of this problem."

The company making the picture frame "couldn't be reached for comment," while Amazon said it's been out of stock since last year. Both Amazon and Walmart said they take action when they confirm malware on a third-party product.
Cellphones

Cellphone Alert System Breached in Brazil, Message Sent in Leetspeak (cnn.com) 9

CNN reports: An unauthorized alert bearing a mysterious message that was sent to cell phones in several states across Brazil on Saturday morning is suspected to be the work of hackers, the Brazilian government said. Devices lit up with the word "misantropi4," an alphanumeric spelling of the Portuguese word "misantropia," which in English translates to "misanthropy". The final letter "a" was substituted with a number '4' — a practice often used by hackers and termed "leetspeak.". The alert — categorized as "extreme" — was initially received in the southern state of Paraná, but a second warning was triggered a few minutes later for cell phones in the major cities of São Paulo and Rio de Janeiro. Brazilian authorities said that the National Civil Defense's warning platform was taken offline after being targeted by a likely hacker attack, and the government is working to restore the tool once all security conditions are reestablished.
Security

Microsoft Discovers Cryptocurrency Stealer That Spreads Through USB Drives and Uses Tor (arstechnica.com) 12

Ars Technica's senior security editor reports: Microsoft says it has detected new self-propagating malware that spreads through USB drives in search of cryptocurrency credentials, which it then sends to attacker-controlled servers.

The company named the worm Crypto Clipper because it monitors the contents of device clipboards for patterns consistent with wallet addresses or seed phrases. When found, the malware also takes five screenshots over a 10-second period... "The execution of this clipper is notable because it does not depend on a traditional installer or exposed IP-based C2 infrastructure," Microsoft said Thursday. "Instead, it deploys a portable Tor client, routes traffic through a local SOCKS5 proxy, and blends data theft with remote code execution, turning a financially motivated stealer into a lightweight backdoor."

Microsoft said it observed Crypto Clipper spreading through .lnk file on a USB drive. These files store executable code. When an infected USB drive is plugged into a device, the code checks whether it is already installed on the machine. If it isn't, the malware downloads it through the Tor proxy. To better conceal evidence of the worm, the malware scans the infected USB drive and names the .lnk files with similar names... The stealer also replaces addresses it finds with ones belonging to attacker-controlled wallets. This allows the malware to divert payments to the attacker's pockets. Microsoft believes the purpose of the screenshots is to provide context that may be useful. "This malware family shows how lightweight, script-based stealers can deliver outsized impact when paired with anonymized communications and runtime tasking," Microsoft said. "The combination of Tor-routed C2, clipboard targeting, screenshot capture, and remote code execution gives attackers both immediate monetization paths and continued control over compromised devices."

Thanks to Slashdot reader joshuark for sharing the news.
GNU is Not Unix

FSF Patches Two-Year-Old Vulnerability Found by AI Researchers in GNU Savannah Repository (fsf.org) 4

The Free Software Foundation's GNU Savannah hosts thousands of free software projects — both GNU and non-GNU projects, including Drupal.

But in early May, security researchers from Hacktron.AI reported vulnerabilities and demonstrated an exploit, according to a new statement Friday from the FSF: We have been working with these researchers since their initial report, and have also addressed additional security issues they submitted. All reported issues have been patched thanks to the hard work of GNU and FSF volunteers, as well as FSF staff. After thorough review, we have found no reason to believe that sensitive project data or credentials were accessed, nor that there has been any compromise of Savannah's software supply chain.

Nevertheless, we take the security of the GNU system, the tools which make it possible, and the projects we host very seriously. This body of software has become essential to millions (if not billions) of users around the world. We are therefore taking additional precautionary steps. Though the initial security issue was reported to us in early May, the vulnerabilities were discovered in software that was published approximately two years prior. We will be communicating directly with Savannah-hosted projects about steps they can take to review and strengthen the security of their projects.

We have also communicated with the other Savane instances we're aware of to assist their review of their own environments, and take any steps needed to help protect their users... This statement is intended as an initial notice. We expect to publish a report on the incident within 30 days.

Hacktron.AI bills itself as "Your AI teammate for security." Its web page notes that its investors include Meta, DeepMind, and Perplexity.
Security

New Unpatchable Exploit Targets Apple Devices With A12 and A13 Chips (9to5mac.com) 39

Researchers have disclosed a new unpatchable BootROM exploit affecting Apple devices with A12, A13, S4, and S5 chips. The attack requires physical USB access and DFU mode, but can let an attacker run code before iOS loads, bypass signature checks, and boot modified software. 9to5Mac reports the details: In a highly detailed technical post published today, the Paradigm Shift Team details usbliter8, a new exploit that "leverages both a hardware bug in the USB controller and a specific configuration flaw present in the device firmware" and cannot be patched. The PS Team explains that ahead of today's disclosure, it shared its findings and worked with Apple Product Security to coordinate the release. The researchers also thanked Apple's security team for its "prompt response, constructive engagement, and cooperation throughout" the process.

In a nutshell, this bug affects the following Apple SoCs: A12, S4, S5, and A13. [...] They add that "technical support for A12X/Z is possible," but "it is not currently implemented." That could add the 2018 and 2020 iPad Pro lineups to the list. The way usbliter8 works is: it sends specially crafted data to a device over USB while it is in DFU mode, confusing the USB controller and causing it to write data to the wrong part of memory. That gives an attacker with physical access to the device control over its startup process. From there, they can run their own code before iOS loads, bypass signature checks, and boot modified system software.

Importantly, the exploit does not affect or compromise the device's Secure Enclave, which in practice means that data such as passcodes and encrypted user data remain secure. That said, PS Team says that "although usbliter8 doesn't affect SEP itself, it opens up wider attack vectors to compromise the Secure Enclave," adding that "by releasing this exploit publicly, we hope to highlight the real-world impact of these hardware flaws and contribute to a broader understanding of modern SecureROM security." [...] Given that this is also an unpatchable exploit, the researchers note that "affected users should be aware that migrating to newer hardware remains the most effective mitigation."

EU

Rolls-Royce Secures Deal To Build Small Nuclear Reactors For Sweden 85

Rolls-Royce SMR has secured a multibillion-pound agreement to build three small modular reactors on Sweden's west coast, "marking a major step in the British engineering group's ambition to become a leading supplier of the technology in Europe," reports Euronews. From the report: Following a rigorous selection process that started in 2022, UK engineering giant Rolls-Royce's nuclear division, Rolls-Royce SMR, won the contract to build nuclear reactors for Sweden. As part of the deal, the group, selected by Videberg Kraft as its partner, will deliver three Small Modular Reactors (SMRs) to Sweden's west coast, at the Varo Peninsula. "The Videberg Project will build Sweden's first new nuclear power plant in more than forty years, supporting industries and households in southern Sweden," a press statement from Rolls-Royce said. The partnership with utility Vattenfall and developer Karnfull Next is seen as one of the most advanced opportunities for deployment outside of the UK.

[...] The European Commission considers small modular reactors (SMRs) to be a promising low-carbon technology that could help support the bloc's clean energy and energy security goals. In order to remove regulatory barriers, the EU's SMR strategy was adopted in March 2026 to accelerate the development and deployment of the technology across Europe. SMRs are smaller than conventional nuclear power plants, typically generating between 20 and 300 megawatts of electricity. At the upper end of that range, a reactor could produce around 7.2 million kilowatt-hours of electricity per day -- enough to power hundreds of thousands of homes. The International Energy Agency (IEA) estimates that more than 1,000 small modular reactors could be deployed worldwide by 2050 under a supportive policy scenario, requiring cumulative investment of around $670 billion.
IOS

Apple Announces Major App Store Changes on iOS in Brazil (macrumors.com) 10

Apple is allowing iPhone developers in Brazil to distribute apps through authorized alternative marketplaces and use third-party payment systems following action by the country's competition regulator. "In other words, developers in Brazil will be able to circumvent the App Store and Apple's in-app purchase system, but there are still fees," reports MacRumors. Apple will collect commissions ranging from 5% on externally distributed apps to as much as 26% for some App Store transactions using its payment system. From the report: Alternative app marketplaces will have to be authorized by Apple and will need to meet ongoing requirements. For apps that are still distributed through the App Store, developers will be able to include an alternative payment processing method in their app and/or link users to a website to complete a transaction. These changes are available on iOS 26.5 and later, and they are the result of regulatory action from Brazil's competition regulator. Apple has added a new page on its website with additional details for developers in Brazil.

Apple said these changes introduce privacy and security risks for users, including children. The company has introduced safeguards to mitigate these risks, including a notarization process for iOS apps, an authorization process for app marketplaces, and limitations on external links and alternative payments for users under the age of 18. Apple has already allowed alternative app stores and/or third-party payment systems on iOS in the EU, Japan, and South Korea, and it will likely be forced to do so in the UK and Australia too, due to similar regulations in those countries.

Android

Android 17 Drops For Pixel Phones and Watch (phonearena.com) 27

Google has begun rolling out Android 17, the June Pixel Feature Drop, and Wear OS 7 simultaneously across supported Pixel phones and watches. Highlights include floating app bubbles, improved foldable multitasking and gaming, tighter location and contact permissions, stronger lost-device protections, new Pixel AI tools, and up to 10% better Pixel Watch battery life. PhoneArena reports: Pixel owners are the clear winners, since everything here reaches Pixel first and a lot of it goes back to the Pixel 6. Fold owners get the most toys, with the Bubble Bar and foldable gaming mode built for the big screen. Watch wearers get the quietly important upgrade. Better battery and Live Updates make an everyday wearable easier to rely on, especially if you keep it on overnight. Google's latest Pixel Drop combines several AI-powered tools with a broader slate of Android 17 upgrades. Pixel owners gain Lyria 3 for generating music from text or images, Gemini Omni for creating custom video clips, enhanced call translation and screening, AirDrop-compatible Quick Share, expanded Magic Cue support, and conversational photo editing.

Android 17 builds on those additions with floating app Bubbles, selfie-camera Screen Reactions, and a split-screen gaming mode for foldables, while also strengthening privacy and security with more granular location and contact permissions, improved lost-device protection, tighter PIN-guessing limits, and enhanced threat detection.

Other additions include expanded parental controls, separate assistant volume and app memory settings, and an option to hide app names for greater privacy.

You can read more about everything new in Android 17 in Google's blog post.
Bug

Google Told Researcher 'Nice Catch!' Then Denied Bug Bounty For Flaw It Still Hasn't Fixed (theregister.com) 38

Security researcher Justin O'Leary says Google initially accepted his Config Connector privilege-escalation report as a high-priority, high-severity bug, then denied a bounty by declaring the behavior "working as intended." According to The Register, a Google rep initially praised O'Leary's report with a "Nice catch!" before the cloud giant reversed course, declaring that no vulnerability existed and therefore no fix or reward was warranted. "The bug report, however, is still marked high-priority and accepted," the publication notes. The alleged flaw, dubbed ConfigConfusion, could let a Kubernetes namespace user exploit an overprivileged service account to become a GCP organization owner with only a few lines of YAML and little apparent audit visibility. O'Leary details the incident in a blog post. The Register reports: According to O'Leary, Config Connector doesn't perform an authorization check, and this allows any Config Connector service account with org-level permissions to bypass Identity and Access Management (IAM) authorization and gain the highest level of control (roles/owner) to an entire GCP Organization -- the root node of all of a company's resources within Google Cloud. On March 27, a Google security engineer accepted O'Leary's report and told him: "Nice catch!" The employee said that they filed a bug based on O'Leary's report with the relevant product team and assured him the Chocolate Factory's security squad would work with relevant Google Cloud people to fix the flaw. "We'll work with the product team to ensure this issue is address. We'll let you know when the issue was fixed," the engineer said. "In the meantime, review the payment option selected in your bughunters.google.com profile."

Google assigned the bug P1 priority and S1 severity, signifying a flaw worthy of urgent repair because it affects a large percentage of users and can disrupt core organizational functions. "I figured that was the end of that," O'Leary said in a phone interview with The Register. Eleven days later, on April 7, he received a new message from a Google Security Bot reversing the earlier decision. The Reg viewed the email, and O'Leary included a screenshot in his Thursday writeup. The message said that the Cloud Vulnerability Reward Program panel decided that the "security impact of this issue does not meet the criteria to qualify for a reward."

After reviewing the bug report, Google determined the software "is working as intended," the message continued. It also noted that the program's decision not to pay a bounty "does not mean that the product team won't fix the issue." Nearly three months later, the case remains P1/S1 with the status "in progress (accepted)." Google hasn't assigned a CVE or issued a fix. O'Leary didn't receive any reward for his research. [...] "This is a pattern," O'Leary told [The Register]. "This is just how these trillion-dollar companies deal with people like me. In my day job, we use GKE, and it's incredibly frustrating on my end, when I find a critical vulnerability in the system that's being widely used, and I can't even get the vendor to patch their own stuff."
A Google spokesperson told The Register: "The issue reported does not qualify for a reward because the GCP IAM authorization bypass is only exploitable if an attacker has access to a Config Connector Service Account that's been granted the Organization Admin role by the organization (i.e., it is privileged). Additionally, an attacker would first need to gain entry to an organization's environment (e.g., an exposed container) in order to leverage the privileged Config Connector instance and execute commands with administrative authority, such as the IAM bypass. Granting this level of access to the Config Connector Service Account goes against Google Cloud's publicly shared best practices and the principle of least privilege."

Slashdot Top Deals