HPE is taking advantage of VMware's expensive licensing changes by offering customers free use of its own VM Essentials product for a year, plus a $1 license for its Zerto data protection product to help ease migrations. The jolly green giant announced the cheapies at the Partner Growth Summit staged alongside its HPE Discover event in Las Vegas, and framed them as a migration assistance program intended to arm channel partners who want to help customers reduce their financial risk when migrating virtualization platforms. "One of the big things we see is that as customers are going through this journey on transforming their operating model, you end up with double expenses and so we're really pleased to announce the program around Morpheus and platform migration," said EVP and CTO Fidelma Russo. "We are announcing that as a customer goes through this transformation with HPE Morpheus VM Essentials, you don't pay for the first year of licenses. You will get Zerto migration licenses during that period to help you move, and so what this does is it helps mitigate the double-bubble cost problem that customers see as they are looking to migrate from one platform to another." Neither Russo nor HPE mentioned VMware as part of their pitch for this migration assistance program, but it seems pretty clear where it is aimed. At its last Discover event in Barcelona, HPE talked about customers seeing license fees for virtualization skyrocketing and claimed that it was able to provide "a fully integrated enterprise-grade alternative" with Morpheus and OpsRamp management tools, plus Zerto disaster recovery software. A survey recently found that half of VMware users plan to reduce their use of the virtualization pioneer's products by 2028. Since being acquired by Broadcom, VMware license costs have increased by 800 to 1,500 percent for some customers. VMware also ended partner programs that many service providers relied on. HPE says it is introducing VM Essentials for Partner IT to help providers transition their virtualized business applications. This will see it provide VM Essentials software licenses free of charge for three years, with partners paying only support costs, to the 600 partners who gain Private Cloud with Virtualization competency by the end of the year. The company is also extending its channel-only model to cover HPE Private Cloud PC3000 (formerly HPE Private Cloud Business Edition), HPE SimpliVity PC1000, and HPE Zerto software from July 1. HPE said this follows the success of selling Morpheus VM Essentials through a channel-only route to market. Also at the Partner Growth Summit, the IT biz will disclose that it is unifying the HPE and Juniper Networks partner programs under its Partner Ready Vantage umbrella. The aim is to have a single, global program for partners to offer services across networking, cloud, and AI. This change will take effect from November 1, after which partners will operate under one program with a simplified structure, aligned incentives, and a consistent engagement model, while existing investments are protected, or so HPE claims. The company also says it will help cloud service providers build and operate differentiated private cloud services with CloudOps Software and the backing of HPE Partner Ready Vantage. "Partners want a simpler way to engage and a bigger opportunity to grow," said Simon Ewington, HPE's SVP for Worldwide Channel and Partner Ecosystem. ®

ShinyHunters claims to have breached the Council of Europe and stolen more than 297 GB of data after exploiting a zero-day flaw in Oracle PeopleSoft and abusing that hole to hack more than 100 organizations. According to a post on the extortion crew’s data-leak site, the 429,000 pilfered files contain HR and payroll records, payslips, purchase-order records, CVs, and employees’ salary, banking, tax, and medical records. A Council of Europe spokesperson told The Register that it is “currently investigating the matter and assessing the situation,” but declined to comment further. A spokesperson for the cybercrime group told us that the Council is yet another victim of the Oracle PeopleSoft heist. Oracle has yet to respond to The Register’s inquiries, and it's unclear if the vulnerability, tracked as CVE-2026-35273, has been patched. ShinyHunters previously told us that the gang exploited the CVE to compromise more than 100 organizations across 300 vulnerable instances, and that these victims included the University of Nottingham. Last week, the crims listed the UK uni on their leak site, then dumped data belonging to around 454,600 current and former students, including personal and academic records. Meanwhile, a Google threat report published late last week noted malicious activity, “consistent with the exploitation of CVE-2026-35273,” between May 27 and June 9, and said that its incident responders notified more than 100 global orgs “whose IP addresses correlated with potentially vulnerable endpoints." Most of these are US-based organizations, and 68 percent operated within the higher education sector. This latest heist follows another ShinyHunters intrusion targeting data belonging to university and K-12 students, teachers, and staff. In mid-May, ed-tech giant Instructure said it “reached an agreement” - this is corporate-speak for “paid the ransom demand” - with the data theft and extortion crew after ShinyHunters breached its Canvas digital learning platform and accessed data tied to 275 million students, teachers, and staff. In March, ShinyHunters claimed it stole data from K-12 software provider Infinite Campus as part of a broader wave of Salesforce-related intrusions. The ed tech company did not pay up, and the group subsequently published data they claim was stolen from Infinite Campus, including 137,000 individuals’ email addresses along with names, phone numbers, physical addresses and support tickets. Infinite Campus, in its data breach notification, said that the leaked files largely consisted of “names and contact information for school staff" and that “the majority is directory information commonly found on school websites.” ®

Oracle software engineer Lois Foltan has confirmed that Java Enhancement Proposal 401 for Value Classes and Objects – part of Project Valhalla – will be integrated into the OpenJDK mainline early next month, targeting JDK 28. Previews of JEP 401 have so far been available only in early-access builds. The current JDK (Java Development Kit) is 26, with JDK 27 expected in September and JDK 28 in March 2027. The next long-term support version is likely to be JDK 29 in September 2027. Foltan said it was an "extremely large change", such that other OpenJDK committers are asked to avoid large commits in order to help a successful integration. The pull request for the first preview of JEP 401 adds more than 197,000 lines of code in 1,816 changed files. Created in August 20222, JEP 401 tackle a longstanding Java limitation: aside from a small number of primitives including int, char, byte and double, all types in the language are reference types. The JEP introduces "value objects" – class instances that lack object identity and are distinguished solely by the values of their fields. A few examples illustrate the problem JEP 401 is trying to solve. Java's LocalDate class stores date values, but every instance gets its own unique reference, so even if two instances represent the same data, comparing them with ==returns false, as they're different objects in memory. LocalDate provides an "equals" method instead.. Another example, even more confusing example is Integer, which wraps an int to provide convenience methods like toString(). Internally, Integer caches instances for values below 128, so two Integer objects with the same small value can compare equal with == but for larger values, == always returns false even when the underlying values match. Due to this quirk, Java editors generally warn against using == with Integer, a pitfall JEP 401 describes as "unwanted complexity." JEP 401 will migrate some JDK classes such as Integer to value classes, and the number of migrated classes is likely to increase gradually. Developers will also be able to create their own value classes. One of the goals of JEP 401 is to give freedom to the JVM (Java virtual machine) to store value objects in ways that maximize performance. The memory footprint of reference types is greater than for reference types, and they must be dereferenced to obtain their values. Iterating over value types is more efficient. Project Valhalla has been so long in the making, thanks to the complexity of the changes, that some onlookers have joked about getting to Valhalla itself (a realm in the afterlife in Norse mythology) before the project is delivered. Oracle's Java Language Architect Brian Goetz said this is "just the first part of Valhalla" and even after the preview is delivered, "the 'but they'll never deliver it' crowd' will quickly switch gears into 'but they haven't delivered the most important part' soon enough.'" Goetz said "there are many things that force us to treat objects with reference semantics. JEP 401 knocks down the first level of these, by taking identity off the table, which exposes a lot of new optimizations, especially for smaller objects. But fully treating objects with value semantics requires giving up more: nullity and atomicity-safety-under-race (ASUR). Lots of languages have, or are working on, ways to get there, (such as C# structs.) "The main challenge is how to package it in the user model so that it doesn't fight with our own preconceived notions of object integrity and encapsulation; classes are, for better and worse, a very effective abstraction barrier." He said that Valhalla will introduce deliberate breaking changes to Java, such as that "code that synchronizes on Integer objects now fails with an exception." Goetz added JEP 401 will still likely be in preview in the next LTS release of the JDK. "Hoping for it to exit preview for 29 seems … optimistic. Vector API should be able to exit incubation when it rebases on the underlying VM primitives from Valhalla ... don’t hope for a shorter-than-usual preview window." ®

US legislation covering federal datacenters is set to expire in September and it appears that the Trump administration is simply going to allow it to lapse without replacement. The Federal Data Center Enhancement Act (FDCEA) of 2023 covers certain standards that are to be adhered to for facilities that are wholly or partially owned, operated, or maintained by a federal agency. It includes requirements relating to availability and uptime of the facility; the use of sustainable energy sources; protection against power failure; protections against physical intrusion and natural disasters; plus IT security protections. We understand that the legislation will sunset on September 30, 2026, and according to Wired, neither the US Congress nor the Trump administration appears to be making any move to extend the act, or put alternate legislation in place. The danger is that if the FDCEA is not renewed or superseded by similar legislation, then federal agencies across the US may cease to follow the requirements and simply act as they see fit when procuring new datacenter infrastructure. We asked the White House and Congress for comment. According to implementation guidance issued by the Office of Management and Budget (OMB) under the previous administration, agency datacenters “must provide secure and highly available computing infrastructure to enable reliable access to Federal information and information systems.” It notes that the "needs of the federal government with respect to data access and data processing systems have evolved since 2014,” when the Federal Data Center Consolidation Initiative (FDCCI) was established, and hence the latter was not renewed but replaced by the FDCEA. The OMB states that effective operation of datacenters requires regular monitoring, and optimization of resources by operators, and directs agencies to incorporate automated tools into the management of all new facilities, including tools that monitor metrics such as electrical consumption. It also states that the “cost, scarcity, and environmental impact of energy and water consumption necessitates that agencies evaluate datacenters against resource consumption metrics and best practices when making their decisions” regarding new datacenter builds. Perhaps most importantly, it requires that federal facilities “must be able to meet the reliability and resiliency needs of their hosted information and information systems through implementation of the appropriate information security and physical security protections.” It is widely known that the Trump administration does not look kindly on regulations, especially those relating to environmental protection. Instead, policy has focused on fast-tracking the federal permitting process for datacenters, particularly those dedicated to training and developing AI models. A recent report from Politico stated that the Trump administration was not inclined to set nationwide environmental requirements or recommendations for the datacenter industry. Instead, Environmental Protection Agency (EPA) Administrator Lee Zeldin said that while there are technologies and practices that reduce air pollution and water usage, individual states and communities know what works best for them. At the same time, opposition to datacenter construction is growing across the US, precisely because of public fears over factors such as air pollution, water usage, and the prospect of spiking energy bills. A recent survey found more than 70 percent of respondents said that they would be against the construction of an AI datacenter in their neighborhood. ®

It’s been more than a quarter century since the Y2K bug threatened to disrupt the not-so-modern world, and while the patching efforts of global IT heroes prevented a millennial mess, the problem persists as a Dutch dev just found a new instance of the numeric nightmare. While working on an emulator for the venerable Programmed Data Processor (PDP) series of “minicomputer” systems manufactured between the 1950s and 1990s, Folkert van Heusden spotted an unpatched Y2K bug in the Network Time Protocol daemon in BSD 2.11. To be fair, it’s not like van Heusden stumbled onto a potentially devastating issue that’s simply waiting to cause chaos: Not only was the bug specific to the PDP-11/70, a system that entered service in 1975, but it also requires a Precision Standard Time, Inc.(PSTI) receiver manufactured by defunct hardware maker Traconex used to pick up time signals broadcast by short wave radio stations managed by the US National Institute of Standards and Technology. Even at that point, the bug won't instantly break network time, as a would-be attacker must take several steps to configure the ancient mahicnes in a way that causes the error. Van Heusden’s writeup explains how to trigger the flaw. “I'm writing a PDP emulator,” van Heusden told The Register in an email. “I'm also very much interested in time keeping on computers. That combined, I dove into the NTP-implementation on the PDP. When adding emulation for the PSTI-device, I suddenly noticed 19126 for the year.” Unsurprisingly, when the PSTI receiver actually produces the correct output, the system throws an error that the time offset between the PDP emulator and the emulated PSTI device is a bit “excessive.” Only by 17,000 years, give or take a couple centuries. Luckily, van Heusden has coded a fix that’ll bring the times back in sync, eliminating what may be one of the few remaining Y2K bugs still floating around in the wild - after all, when’s the last time you heard of a forgotten (or, in this case, overlooked due to technological obsolescence) Y2K bug being patched? If you want to tinker with a 50-year old emulated system running a 35-year old operating system, the good news is that the PDP and its 16-bit CPU ran at 5MHz and needed just 4 MB main memory - a spec that van Heusden’s PDP-11/70 emulator can easily run on modest hardware like a Raspberry Pi Pico, and it’s available on GitHub. Just be sure you patch that Y2K bug if you plan to tinker with time keeping. ® Correction: A previous version of this article referred to the developer as Danish rather than Dutch.

We've all seen it: an unexpected management meeting that turns up in your calendar. It could mean HR wants a quiet and perhaps terminal word, or, in the case of NASA, something altogether different. During a chat with Space.com, NASA astronaut Bob Hines explained that the meeting was engineered to ensure all five Artemis III astronauts would be in the same room together and introduced face-to-face. The process space NASA uses to select astronauts has long been shrouded in mystery. The first American man in space, Alan Shepard, recalled in Light This Candle that his assignment to the Mercury 7 – the first batch of NASA astronauts – came from a caller who said, "We'd like you to join us. Are you still willing to volunteer?" Shepard later learned he would be the first American man in space during a meeting with fellow astronauts Gus Grissom and John Glenn, plus the Director of the Space Task Group, Bob Gilruth. Gilruth said, "Alan Shepard will make the first suborbital flight." Several factors went into that decision, including the seven Mercury astronauts rating their peers. In his memoir, Riding Rockets, Space Shuttle astronaut Mike Mullane recalled receiving a summons, along with four crewmates, to the office of then Director of Flight Operations, George Abbey. In that meeting, Abbey apparently asked: "We've been looking at the mission manifest, and think it's time to assign some more crews. I was wondering if you would be interested in STS-41D?" The whys and wherefores were unimportant. The astronauts were just delighted to get an assignment. These days, an unannounced management meeting with invitees a person might not normally see on a request is apparently how things are done. How those invitees are picked, however, remains a little opaque. With luck, NASA has sorted out the Outlook problem that bedeviled Artemis II, in which an astronaut plaintively told controllers, "I have two Outlooks, and neither one of those is working." Artemis III is, after all, set to be a very complicated mission, and, if all goes to plan, the crew will have fewer than 18 months to train. That is considerably less than the three years the Artemis II crew spent preparing for their mission to the Moon. The crew of four – three NASA astronauts and one European Space Agency astronaut (with Bob Hines as back-up) – will ideally rendezvous with two commercial spacecraft to check out docking operations and, in the case of Blue Origin, enter the vehicle. All this will take place in Low Earth Orbit as a precursor to the Artemis IV mission, which NASA expects will land humans on the Moon for the first time since the final Apollo mission in 1972. The meeting reportedly happened two weeks before the public announcement of the crew, and NASA's chief astronaut, Scott Tingle, told the group, "Look around. This is your Artemis 3 crew." Hines told Space.com, "That was a really, really cool way to find out." Certainly better than being presented with a pink slip by HR and a box to pack your possessions. ®

UBUNTU SUMMIT At a Canonical event, we didn't expect a presentation on using Red Hat's container management tools, but if this is something you might need, it does sound useful. At Ubuntu Summit 26.04, Red Hat Principal Software Engineer Joseph Marrero Corchado presented a talk called Bootc: Use your container knowledge and infrastructure to build and deploy your Ubuntu hosts. Although Ubuntu is very strong in the desktop Linux space, in large corporate server environments, Ubuntu is just another distro among many. This can be a good thing: it is just another Linux distro, and that means that it's perfectly possible to deploy and manage it using existing FOSS tooling. Marrero introduced himself by saying that he works at Red Hat, but personally runs Ubuntu – and has been doing so for long enough that he has some original media from Canonical's ShipIt program, which the company discontinued in 2011. While we were surpised to see a Red Hat engineer presenting a talk at the summit, it's not unprecedented. System76's Pop!_OS distro is based on Ubuntu, but it overlaps with other distros as well. It has its own desktop and eschews Snap for Flatpak – and yet, at the previous Summit, System76 boss Carl Richell presented a talk about it. The year before, the Academy Software Foundation's talk started by telling us that Rocky Linux strongly dominated the SFX industry. Our plan here isn't to recap the entire talk. It's up on YouTube now, and if this is the sort of thing that sounds interesting, it's probably a good use of 42 minutes of your time. bootc grows up We've mentioned the bootc toolchain a few times on The Register. Back in April 2024, we reported that Fedora 40's immutable editions were being rebuilt as bootable containers. Two years and four more Fedora releases later, the toolchain is getting more mature, as we covered in April with Fedora 44, and we linked to Quentin Joly's explainer, Bootc and OSTree: Modernizing Linux System Deployment, which is still one of the best we've read. Now bootc has graduated to the point of being a CNCF incubator project. The new project website has a slightly better explanation: Transactional, in-place operating system updates using OCI/Docker container images. The tools for creating and managing OCI containers are familiar to many sysadmins now, and the idea of bootc is to make it possible to manage complete OS images, either for VMs or for bare metal, using the same tooling. Marrero explained bootc by saying that it lets you perform OS installations and upgrades with OCI containers, which lets you define and ship your customized images of the Ubuntu OS as OCI container images. This allows transactional in-place updates, with rollback. This tech is already in real-world public-facing use: SteamOS uses bootc, and he pointed to the Bootcrew project, which maintains a growing collection of bootc images of different OSes, including Ubuntu, SteamOS, openSUSE, and Debian. What's special about these images is that each one is a container, but with a kernel. So this means that it can run on metal, but you can run (and test) it in continuous integration as well. Ubuntu on bootc is still Ubuntu; it's just a different way to deploy it. Doing it this way is an alternative to Canonical's own Ubuntu-image system, which uses standard Ubuntu and Canonical tools, the apt command, normal repositories, and so on. Instead, bootc uses container tools and container images, and a container registry in place of Ubuntu's apt repositories. Marrero has his own experimental Ubuntu-bootc image on GitHub, whose description says: An Ubuntu 26.04 LTS ("Resolute Raccoon") bootable container image with cloud-init and podman built-in, designed for use with bootc and bcvk. (For the record, bcvk is the bootc virtualization kit, which "helps launch ephemeral VMs from bootc containers, and also create disk images that can be imported into other virtualization frameworks.") The idea is that this lets you manage and deploy a server, cloud, or desktop OS, along with all its tools and all its applications, from a single central point that you control. This replaces a whole raft of configuration management tools, including local update management, and eliminates the need for tools such as "Puppet, Chef, or shell automation." The images are constructed using composefs – specifically, the Rust-based composefs-rs – which in turn builds on existing and established Linux tools such as overlayfs, the EROFS read-only filesystem, and fsverity for integrity-checking. He noted that some of Ubuntu's metadata initially stopped composefs from working, but he and the Bootcrew team found it and fixed it. He also offers an Ubuntu 26.04 LTS with bootc – Getting Started Guide, which "walks you through converting an Ubuntu 26.04 LTS VM into a bootc-managed system using composefs. By the end you will have an immutable, image-based Ubuntu system that can be updated atomically via container images." He also demonstrated the tech live on stage using a few demonstration images he'd built beforehand. First, he deployed an empty default Ubuntu installation, with no additional tools. Running it under QEMU took just a couple of seconds. Then, by adding another single-line container file layered on top, he added the tmux terminal multiplexer. He also used wget to demonstrate that no web server was running and the VM didn't respond to HTTP requests, then switched the existing VM to a different image with Apache and a demo page installed, which took only about a second to deploy, followed by a VM reboot. He also demonstrated that it really was Ubuntu, that snapd was present and working, and installed LXD to prove the point. The "bootable containers" toolchain has visibly matured since we first encountered it, and the demo was quite impressive. This vulture is very happy that he no longer has to run servers for a living, and is positively delighted that he has no use for any of these tools. Even so, it's impressive to see that without all that much work, Ubuntu can be slotted into a very different set of management tools and function quite happily. ®

Microsoft appears to have dropped the ball with its certificate management after a domain used by sysadmins worldwide to test connectivity to Microsoft 365 started throwing untrusted connection warnings in browsers. The connectivity.office.com domain is used by IT pros to test their network's connectivity to Microsoft 365 and ensure their firewalls aren't blocking anything that could affect an organization's access to Microsoft servers. An SSL server report retrieved on Monday showed that the certificate expired on June 14 after last being renewed on December 16, 2025. At the time of writing, 35 hours have passed since the certificate expired, and Microsoft has still not renewed it, despite many in the IT community making their opinions on the matter known. Certificate renewals are often automated in this day and age, but in organizations still relying on manual processes, those responsible for renewals would almost certainly have received multiple alerts warning of the impending expiration. It suggests that something, or someone, involved in the certificate-renewal process at Microsoft has messed up. The Register contacted Redmond for a response. The company's publicists acknowledged the request for comment but did not return one in time for publication. The fallout could have been much worse. Browser warnings on a network diagnostic tool are irritating, but hardly catastrophic compared with the same thing happening to login.microsoft.com or another critical service. Teams users may remember the collaboration platform abruptly deciding to take Monday off in 2020, after an authentication certificate expired, for example. Whatever went wrong here, Microsoft will have to tighten its processes before shorter certificate lifespans arrive in the coming years. As of March 26, new SSL/TLS certs will have a maximum lifespan of 200 days. This is set to decrease to 100 days by March 15, 2027, and then to 47 days two years later. ®

Most large European enterprises have no shortage of AI ambition, but they lack the data foundation to support it. Fragmented legacy systems, strict GDPR obligations, and anxiety about handing sensitive data to foreign cloud infrastructure have left many IT leaders running the same modernization projects on a loop, stuck in AI pilot purgatory before they reach production. Onix, a leading services-as-software data and AI specialist, thinks it has the answer. The outfit is rolling out Wingspan across the UK and Europe this summer, built around a proprietary technology it calls the Semantic Twin: a continuously updated intelligence layer that maps an organization's entire data landscape, system relationships, and business context, then uses that foundation to give AI agents the grounding they need to work. To find out what that means in practice, Onix's EMEA managing director, Vittorio Sanvito, answers IT and compliance leaders' most pressing questions. Q: With Google Cloud seeing significant, high-growth demand, why is now the critical moment for Onix to make this unified push across the continent? A: The European tech sector is at a pivotal moment. Market demand is undeniable: Google Cloud has a substantial backlog going into the coming year and continues to grow at pace, which reflects strong AI demand across every industry. Yet large enterprises in Europe are struggling to execute because they lack the proper data foundation, stuck in perpetual data modernization cycles that prevent them from scaling. We're at the major Google Cloud Summits across Europe this summer with a single message: you don't have to stay trapped in pilot purgatory. The Wingspan rollout across Europe and our expanded strategic collaboration with Google Cloud, which is expected to drive over $500 million in cloud consumption, together reflect the scale of what we're trying to do here. We want to make clear that Onix is the execution engine for enterprises that want to turn their AI ambitions into measurable impact. Q: When enterprise leaders speak about what keeps them up at night, data privacy and security are almost always at the top of the list. There are concerns that using advanced AI means sacrificing control over localized, sensitive data. How are Onix and Wingspan directly addressing this while keeping organizations compliant? A: It's a valid concern, and the exact reason we built a localized, customer-first approach into the core of Wingspan. European businesses shouldn't be forced to choose between maintaining their digital sovereignty and remaining economically competitive on a global scale. Wingspan is designed as what we call an Enterprise Intelligence Fabric. It activates data locally and securely, supports complex multi-country deployments, and complies with GDPR and regional data residency requirements by design rather than bolted on afterward. It operates across hybrid and multi-cloud environments without creating vendor lock-in. The Semantic Twin is central to all of this: because it maps your data landscape internally and continuously, you never push unverified or unstructured data outside your governance boundary to make AI work. Q: How does Semantic Twin technology work under the hood to alleviate fears about the AI "black-box"? A: A modern AI agent might be born today and put to work tomorrow, but it doesn't know how to execute tasks because it lacks instruction on standard operational steps. Traditional AI initiatives usually fail because they lack this deep business context. The Semantic Twin solves this by acting as a living intelligence layer that continuously maps an organization's entire data landscape, system relationships, and operational dependencies directly to KPI levels. By providing this connective tissue up front, the Semantic Twin grounds AI agents in real enterprise data with built-in guardrails, so they operate with 99.9 percent data validation accuracy. From a compliance perspective, this eliminates the AI black-box. The Semantic Twin enables full lineage tracking and governance-aware orchestration, so AI outcomes are grounded in corporate data, fully auditable, and explainable. This strict data grounding minimizes the hallucination risks that keep compliance teams awake at night. Q: That level of governance-aware orchestration is mission-critical for highly regulated and data-intensive industries like financial services, healthcare, and the public sector. But beyond compliance, what does the operational impact look like for a customer who's deployed this? A: Because the Semantic Twin provides the true enterprise context and meaning behind the data, our AI agents can move beyond simple, static automation and advance toward autonomous, high-accuracy decision-making. We're helping customers create a new AI operating model that will replace standard SDLC models. This translates to faster time-to-value. By combining agentic AI with this enterprise context, we help organizations orchestrate data modernization and AI operations within a single framework. This accelerates modernization by 3x, moves data into an "AI-ready" state in a matter of weeks rather than years, and delivers a 50 percent to 80 percent reduction in manual effort. Beyond the platform itself, we've also changed how we structure engagements. We're shifting away from traditional, bloated consulting models that rely on endless time-and-materials billing. About 75 percent of our engagements are now set up as outcome-based, with fixed-milestone projects. We guarantee exponential ROI by using AI-assisted delivery pods to execute these transformations rapidly. Q: What does success look like for Onix in Europe over the next 12 months? A: Success looks like the enterprises that came to us running consecutive AI pilots finally having something in production: governed, measurable, and connected to business outcomes rather than sitting in a sandbox. Europe has been cautious about AI for good reasons, and GDPR exists for good reasons. What we want to prove is that caution and ambition aren't mutually exclusive. The Semantic Twin is how we make that case technically; the rest is execution. Contributed by Onix.

Salesforce has agreed to buy AI customer support outfit Fin for $3.6 billion, bolstering its Agentforce business as software vendors race to convince customers that bots really can handle customer service. The CRM giant announced on Monday that it had signed a definitive agreement to acquire Fin, formerly known as Intercom, in a deal expected to close during the fourth quarter of Salesforce's fiscal 2027. Fin's flagship product is an AI customer service agent designed to handle support requests across platforms including live chat, email, WhatsApp, SMS, Slack, and phone. Fin says that the system is powered by its proprietary Apex model, built specifically for customer support workloads. "We're thrilled to welcome Fin to Salesforce as we enable every company to become an agentic enterprise," Salesforce CEO Marc Benioff said in a statement. "Fin brings proven agent technology, a deep commitment to customer success, and an incredible AI team that will complement Agentforce with powerful service agent capabilities." The acquisition adds both technology and customers. Salesforce said Fin serves more than 30,000 companies worldwide and cited examples of customers using its AI agents to resolve an average of 76 percent of support requests end-to-end without human intervention. Fin chief exec and co-founder Eoghan McCabe said joining Salesforce would allow the company to deploy its technology at a much larger scale than it could independently. The deal also strengthens Salesforce's Agentforce business, the company's flagship push into AI agents. Salesforce said Agentforce reached $1.2 billion in annual recurring revenue during the first quarter of fiscal 2027, up 205 percent year over year. It also arrives during a busy period for the company. Last week Salesforce confirmed another round of layoffs affecting teams including Agentforce, MuleSoft, and Marketing Cloud, while also pressing ahead with the acquisition of usage-based billing specialist m3ter and expanding its stock buyback program. Salesforce has spent the past two years positioning AI agents as the next major battleground for enterprise software vendors, alongside rivals including Microsoft, Oracle, and SAP. While much of that competition has focused on building increasingly-capable AI systems, the acquisition suggests Salesforce is also willing to write sizeable checks for companies that have already persuaded customers to put those systems into production. ®

Chinese government spies remained hidden in the networks of multiple North American medical and military research organizations for more than a year, deploying custom malware and snooping through Gmail inboxes and stealing sensitive data. This PRC-nexus espionage crew, which Google tracks as UNC6508, used some particularly noteworthy search terms as they were scanning for data to steal. They included such esoteric topics as drone technology and a viral disease that spreads from mosquitoes to humans. “It’s one of the most interesting grocery shopping lists of things to collect that I’ve seen from a state-sponsored actor,” Luke McNamara, deputy chief analyst at Google Threat Intelligence Group, told The Register. “We have defense-related activity, which was a significant bulk of the different terms, or emails related to defense platform systems or companies,” McNamara said. “Some of those were looking for any emails that were coming in or going out that used @ and then a big defense name. Others were specific email addresses of individuals at more niche defense companies.” While most of the terms related to defense and technology, the intruders also searched for some medical research facilities – and the very specific pathogen, “Chikungunya,” a viral disease transmitted to humans from mosquitoes that was responsible for an outbreak in China's Guangdong province in July 2025. Google won’t say how many organizations were compromised in this campaign. A Monday report said the operation targeted several national, state, and private medical entities. “These organizations comprise world-renowned clinical providers, premier academic centers, North American military health institutions, professional advocacy groups, and health regulatory bodies,” according to the report. “Their research areas span a broad spectrum of modern medicine, from molecular discovery and clinical drug trials to state-level public health policy and military readiness.” McNamara told us that the tech company’s incident responders notified all the victims they identified, “and we suspect there's probably even more.” Incident responders first detected this campaign in early 2025, but told us it dates back to at least 2023. And all of these attacks began with the digital intruders somehow exploiting externally facing REDCap (Research Electronic Data Capture) servers. These servers are primarily used by universities, hospitals, and research institutions to build and manage online databases and surveys, and to store sensitive clinical research data. The earliest known intrusion happened in September 2023, when UNC6508 compromised a REDCap server belonging to a North American medical research institution. McNamara told us that all of the intrusions followed this same pattern. Seeing (Infinite)Red After three months, the snoops silently deployed custom malware named InfiniteRed to capture legitimate REDCap login credentials. The malware includes three modular components. The first allows it to maintain persistent remote access by injecting its code into new REDCap versions after intercepting the upgrade process. Then it injects a credential harvester into the authentication system file to compromise user accounts. Finally, it functions as a backdoor with custom hooks that executes on every REDCap page load. Google’s threat intelligence team identified “multiple” US and Canada-based organizations infected with InfiniteRed, and offered assistance with removing the malware. After remaining undetected for more than a year, UNC6508 used the stolen credentials to access admin accounts and the victims’ internal network. Finally, the attackers added sneaky domain content compliance rules for data theft. All 'Patroit' themed emails sent to BebitaBarefoot774 Content compliance rules are legitimate features in many cloud-based enterprise productivity suites - like Google Workspace - to exfiltrate specific email communications. Administrators can create these rules to manage messages that contain predefined sets of words or phrases, and these rules apply to all of the users in an organizational unit. UNC6508 created a compliance rule named "Patroit" (yes, they misspelled “Patriot”) to match keywords and email address patterns in sent or received emails. These messages were then silently BCC-forwarded to an attacker-controlled Gmail address, BebitaBarefoot774[@]gmail[.]com, delivering a steady stream of geo-strategic policy, military strategy, advanced technology, and medical research emails to the PRC-linked crew. The search terms also included professional email addresses and phone numbers for members of organizations in these spaces. GTIG disabled the Gmail account to prevent further data exfiltration. “One of the questions that we've had internally around this is: We're seeing this show up primarily at medical research institutions,” McNamara said. “Why are they searching for things like unmanned drones and unmanned vehicles? Why would you expect to find that there?” One theory, he said, is that this particular threat group was tasked with collecting data across different categories of national-security-related terms and information. “Maybe they were copy-and-pasting this across multiple victims, including ones outside of this medical research space?” Plus, some of the targeted institutions were likely working on research with a military or government agency connection. “So there was a potential that they could be in correspondence with someone where one of these terms showed up, and the actors were casting a very wide net,” McNamara said.®

A wave of malicious commits hit the Arch User Repository (AUR) over the weekend, prompting the team to disable new account registration on Monday morning while it cleans up the mess. The issue was first acknowledged on June 12, with a post stating: "We are currently experiencing a high volume of malicious package adoptions and updates in the Arch User Repository." The team warned that users might have issues opening new accounts, pushing package updates, and adopting or creating fresh packages. Around 400 user-submitted packages were believed compromised; that figure climbed past 1,500 over the weekend. On June 14, a more sophisticated wave of malicious packages was spotted. The Arch Linux team this morning disabled new account registration "while we are working on the cleanup." The core Arch distribution itself is unaffected. The AUR is a community-run package repo – if something isn't in the official repo, it's probably here, assuming nobody's poisoned it. The AUR is user-submitted and unsupported, so users are expected to inspect package build files themselves before installation. The malicious packages attempted to pull in hostile JavaScript dependencies, including npm packages identified in the campaign. Arch Linux is a fast, lightweight Linux distribution. It isn't for beginners – users need to pick their own display manager and desktop environment as well as their own applications. However, this makes it highly customizable. The project's website says: "Currently we have official packages optimized for the x86-64 architecture. We complement our official package sets with a community-operated package repository that grows in size and quality each and every day." Unless, of course, miscreants go wild with malicious commits, and the team has to wade in to deal with the problem. According to the AUR, there are just over 107,000 packages, with 5,586 updated and 273 packages added in the past seven days. This isn't Arch Linux's first brush with trouble. In 2025, the project was hit with a Distributed Denial of Service (DDoS) attack that disrupted its main web page, the AUR, and the project's forums. It also had to address compromised browser packages that reportedly contained a Remote Access Trojan. Both incidents highlight risks in the way the AUR is structured and maintained. It's an invaluable library of packages led by a community of smart Arch users, yet that open, community-driven model can be abused by attackers. New account creation remains disabled at the time of writing. The Arch team will no doubt be pondering how to avoid this situation in the future. ®

As Anthropic execs prepare to visit the White House after effectively being ordered to cease offering the company's Mythos 5 and Fable 5 models, the European Commission says the incident is another example of why the EU must achieve technological autonomy. Anthropic announced on Friday that the US government issued an export control directive that required the AI upstart to prevent any non-US citizens from accessing its cybersecurity models Mythos 5 and Fable 5. The order meant even some Anthropic staff could not use its models. And as there’s no way to tell if someone on the internet is a US citizen, the order effectively meant that the AI company had to stop making the models available to everyone to ensure compliance. Anthropic isn't sure why the White House issued the order. "Our understanding is that the government believes it has become aware of a method of bypassing, or 'jailbreaking,' Fable 5," the company said. "To date, the government has only given us verbal evidence of a potential narrow, non-universal jailbreak, which essentially consists of asking the model to read a specific codebase and fix any software flaws. "Our understanding is that one potential jailbreak was shared with the government." The Wall Street Journal reports that the directive was the result of conversations held between Amazon CEO Andy Jassy and US officials, including Treasury secretary Scott Bessent, and Jassy's report of a possible jailbreak. Anthropic executives are set to meet with US officials at the White House this week to gain a fuller understanding of the developments that informed the directive, according to Axios. Whatever the Trump administration's reason for the order, Mythos and Fable remain unavailable at the time of writing. A case study for sovereignty The incident has not gone unnoticed. Thomas Regnier, spokesperson for the European Commission, said the body is still examining the directive's implications for the EU amid concerns that the US can switch off access to technology that allied partners could soon come to rely on heavily. "The Commission has taken note of Anthropic's statement regarding the US export control directive on its most advanced models and is assessing its implications, including for users in the European Union," he said. "We are seeing a new generation of highly capable AI models reach the market. These models offer significant benefits, including for cyber-defence, but they also raise serious cybersecurity concerns that need to be addressed. "This is a shared challenge, not one confined to a single jurisdiction or company. We believe that contingency measures taken in this light should not be discriminatory against partners. "This development is a further illustration of why Europe needs to strengthen its technological sovereignty, and it underlines the relevance of the cybersecurity and AI legislation already in place at EU level, including the AI Act, the Cyber Resilience Act, and the NIS2 Directive – as tools to manage exactly this kind of risk on our own terms. "We are looking closely at the practical consequences of this for European users of these services." The comments come days after the EU launched its European Technological Sovereignty Package, a slew of measures aimed at sharply reducing its reliance on technology developed by the US and China. Cybersecurity-specific AI models such as Mythos 5, Fable 5, and OpenAI's GPT-5.5 are still very early in their development, and are not yet available to many organizations, let alone casual users. The cost of dependency stays invisible until it's too late The US directive to prevent foreign nationals from accessing Anthropic's models will nevertheless prompt concerns among global partners and organizations about how a foreign government can simply revoke access to technology on which they may become highly reliant in the future. For Aled Lloyd Owen, chief of staff at Responsible AI UK, the news of Anthropic restricting access to its models only strengthens the case for the EU's plans to loosen its ties to US tech. "This is another incident that just proves the rule and proves that [the EU] must move faster and deeper, and really establish that independence as soon as possible," he told The Register. As for alternatives, Mistral AI is one of the EU's flagship AI development projects. It is widely regarded as a fast, capable, open-source model, but one that lacks the performance of "frontier" models such as those made by Anthropic and OpenAI. Owen said there is a limit to how quickly the EU can achieve autonomy, but the latest Anthropic story is "quite helpful in a lot of ways." "It's saying: 'You can't, from a commercial point of view, trust these bodies,' so to some extent, are you willing to sacrifice performance, both perceived and real, for European homegrown models that are not quite there but are certainly driving in that direction, in order to have a more reliable sovereign service? "So, the ability to shift is both technological, in terms of building effective models and building effective infrastructure, but will also involve weaning European companies from the high-capability overseas models that they're already using." Kate Hanaghan, chief research officer at TechMarketView, said: "Last week, I was talking to a couple of European integrators about exactly this issue. One framed it as 'The cost of dependency stays invisible until it's too late.' "For UK enterprises, the risk is now very clear. Depending on a single US frontier provider leaves operations exposed if that access is withdrawn. And this weekend showed it can happen without warning. Ultimately, that leaves Europe to work out what it should, and realistically can, develop for itself." Voices in the UK echo those in the EU. Kanishka Narayan, minister for AI and online safety, posted on X: "The main lesson: as we debate the future of national security and technological sovereignty, access to AI capabilities is crucial." I care about sovereign AI because it now decides our security Separately, he said: "We treat every other threat to our sovereignty with deadly seriousness, but we haven't learned to treat this one in the same way." "I care about sovereign AI because it now decides our security… it will reshape our economy faster than anything else we've seen in our lifetimes," he added. The MP went on to say: "I'm not going to pretend there's a simple switch that we can pull. There isn't. Britain needs more AI capability. This is the central political question of our time, and our first duty is to see it clearly before someone else decides the answer for us." Policy on the run The order has also angered others, for different reasons. A group of 54 security and AI experts co-signed an open letter to the US government after the directive was issued, calling on the government to lift the restrictions. They also asked the government to commit to a more transparent approach to handling AI risk assessments in the future, saying that it should be a more democratic process. Not all the signatories believe the US should have regulatory control over AI models (Anthropic believes the US rightfully holds the authority to block releases), but they said that materially impactful decisions should be grounded in science and security teams should be given time to prepare. The letter pointed out that vulnerability researchers and red teams are already relying on these models every day, and decisions to revoke access to them should be made through a democratic process, and should restrict capabilities only to the minimal extent necessary. "As a result, this action has taken the best models away from defenders, created market uncertainty, and risked America's AI leadership without any real risk to justify it," the signatories wrote. Who's next? In its response to the White House order, Anthropic asserted the allegedly problematic features of Fable and Mythos are also present in other models, including GPT-5.5. Anthropic has stated from the launch of Fable 5 that it believes developing AI models with perfect jailbreak resistance "does not appear to be possible today," and that no one has developed a universal jailbreak for its models to the best of its knowledge. It has long advocated for and continues to stand by its defense-in-depth approach to managing risks. ®

Flatpak development has been very quiet for years. Discussions about a next-generation take are happening – and some of the signs are worrying if, like many FOSS folks, you are systemd-intolerant. In the course of researching our article on MX Linux 25.2, we came across an interesting Reddit discussion from last month, which in turn led us to a Flatpak development blog post from late last year. It looks like a team is collecting ideas for what is currently called "Flatpak-NG" – as in next generation. If this solidifies into code, this may form the basis of Flatpak version 2. The blog post isn't very informative, but the Reddit thread links to the video of a presentation from last month's Linux App Summit in Berlin, which spells things out more clearly. The Flatpak-NG idea involves handing off a lot of the isolation in Flatpak from the current bubblewrap layer to an as-yet-unwritten systemd component that the developers are currently calling systemd-appd. This would considerably simplify Flatpak, and enable it to do more isolation, including virtualizing the network stack – but at the price of making Flatpak 2 depend on systemd. A developer who was at the talk, Jorge Castro, later explained and confirmed this in a Fediverse thread. The teams behind other init systems could, of course, write their own replacement for the notional systemd-appd, but that would be a substantial amount of work. The tool that provides the new init-switching functionality in MX Linux 25.1 and 25.2, init-diversity, currently supports six other init systems besides systemd, and we've seen little sign of them cooperating to create an alternative to systemd that provides even a subset of its wider functionality. Flatpak is widely used and supported. Not all distros include it by default, but it's the only widely adopted alternative to Canonical's Snap packaging system. Snap is more versatile: it works fine with shell programs, and even the kernel can be packaged as a Snap, which is how Ubuntu Core handles it. Snap's implementation is much simpler and cleaner than Flatpak's, as is the distribution model – which, as we've reported before, is entirely open source. The only proprietary part is Canonical's Snap Store website. The trouble is, the louder advocates in the peanut gallery rarely even think about things like implementation details; they just get upset about more visible things that are easier to understand – such as who owns a website. There are other alternatives out there, such as AppImage, 0install, AppDir, and GNUstep's implementation of NeXT and Apple's .app format. We have compared these in detail before. Only two really have wide adoption, though. There's Snap, which Canonical claims has more users simply because Ubuntu has more users than all the other desktop distros put together, and there's Flatpak, which is used by every other distro with any kind of cross-distro package support. The snag is, if Flatpak 2 does arrive in a year or two, and requires systemd, then that could spell the end of Flatpak support on many systemd-free distros. That includes MX Linux, Alpine Linux, Devuan, Slackware, and many other smaller projects. For many of these, Flatpak is a lifeline: the only way to access much of the wider Linux app market. It's not so much that the Flatpak-NG team is the "A-Team," but the only team. In the original A-Team, Colonel John "Hannibal" Smith was wont to say "I love it when a plan comes together." We suspect a lot of people will not love it if this plan comes together. ®

Britain's AI jobs boom is creating a two-track labor market, according to PwC, which just so happens to make a healthy living helping companies navigate AI-driven transformation. The consulting giant's latest AI Jobs Barometer found hiring for AI specialists in the UK jumped 61 percent over the past year, rising from 112,000 roles in 2024 to 180,000 in 2025, even as overall job vacancies across the economy fell by 6.6 percent. That headline figure is the sort of thing consultancies put in press releases, but the more interesting bit comes later. PwC's analysis suggests employers aren't rushing to hire hordes of machine learning engineers and model builders. Instead, they're increasingly looking for people who can use AI inside existing professions and business functions. The firm found that so-called AI user roles grew by almost 66,000 positions during the year, while AI developer roles increased by just 2,600. After years of declaring that AI will revolutionize everything from accounting to sandwich-making, companies appear to have reached the awkward stage where somebody actually must make the technology useful. PwC argues the result is a "two-track" labor market. Jobs where AI helps skilled workers automate repetitive tasks and focus on higher-value work are growing faster than roles where the technology mainly makes tasks easier and lowers barriers to entry. According to the report, roles most enhanced by AI have grown by 39 percent since 2018, compared with 17 percent growth in jobs where AI is primarily simplifying work. The firm’s wage data tells a similar story. Jobs requiring AI skills now command an average wage premium of 34.2 percent, up from 11 percent a year ago. Consumer market companies are offering premiums as high as 64 percent, while government and public sector employers top out at 12 percent. That's certainly good news for workers with AI skills. It's also not the sort of conclusion likely to upset a firm that advises clients on AI strategy for a living. The findings land against a backdrop of growing anxiety about AI's impact on employment. Recent polling found one in five Britons believes AI-driven layoffs could eventually trigger civil unrest, while another survey found that office workers are already spending nearly six hours every week checking, correcting, or redoing work generated by AI tools. For all the excitement around AI, the hiring surge appears to be concentrated in a surprisingly old-fashioned category: people who know what they're doing. ®

His Majesty's Treasury (HMT) is looking for a new chief technology officer, offering an annual salary of up to £77,000 – less than some elite graduates might expect in their first job at a tech vendor. HMT promises "an exciting opportunity to influence decision making that affects the whole of the UK." The successful candidate also gets a generous civil service pension, with an employer contribution of nearly 30 percent. The salary range is from £69,820 to £77,000 for a role that can be based in London, Darlington (North East England), or Norwich (East Anglia). "HMT is a fast‑paced, policy‑driven organisation with a diverse user base of several thousand staff, including ministers, senior officials and analysts, all reliant on secure, resilient and responsive digital services," the job ad says. The role offers "a unique opportunity to work at the centre of government, operating at pace, influencing major decisions, and ensuring technology effectively supports ministers and the Treasury's critical role in stewarding the UK economy." These are the kinds of users less forgiving of tech problems, as they are responsible for controlling public spending, directing the UK's economic policy, and achieving sustainable economic growth at a time when the public expects both good services and low taxes. The incoming CTO will do all this with a "predominantly Microsoft‑based technology ecosystem, including Microsoft 365, Azure and associated security and endpoint tooling, delivered through a largely outsourced, multi‑tower operating model." Leading technical staff and dealing with multiple strategic suppliers, the lucky individual is expected to define technology strategy, standards, and architecture, all while giving taxpayers value for money. Weighty expectations also come with the people side of the job, since the CTO needs to be "a trusted technical adviser to enable informed decisions" both inside HMT and across other Whitehall departments. This being 2026, the job ad mentions AI as one of the technologies the role is expected to champion. What the ad does not mention is another looming headache: HMT must decide by December whether to move its finance and HR systems from Oracle Fusion to Workday, or stick with Oracle and diverge from the government's overarching £1.7 billion shared services strategy – which HMT signed off. No pressure, then. ®

Experts have welcomed the UK government's decision to review its contract with Palantir to provide software central to tackling the elective care backlog. The US spy-tech biz has, for some, been a controversial presence at the heart of the National Health Service in England since it was awarded a contract for just £1 to help provide data tools during the pandemic. It later won £60 million in uncontested deals. After the pandemic, it won a £330 million award – with other companies as partners – to provide the Federated Data Platform (FDP) under a SaaS model for the former Conservative government. NHS England defended the decision to award the FDP contract to Palantir after a competitive tender, saying it would help provide increased productivity necessary to help the NHS recover from its mammoth post-pandemic elective care backlog. Since Labour took office, however, the Palantir deal has looked less comfortable. The company was founded with backing from CIA-linked venture capital firm In-Q-Tel and provides technology to ICE and other controversial US security agencies. Attention has begun to focus on a contractual break clause next February, with the UK government saying it is planning to review the contract. Lord Paul Drayson, a member of the House of Lords Science and Technology Committee, welcomed the decision to review the contract. Speaking at the Digital and AI Sovereignty event organized by open source advocates OpenUK last week, he claimed the decision to appoint Palantir to the NHS England deal did not meet the standards of clear rules and fair deals. "The issues relating to values really go to the heart of it. It's great there's being a review. The UK has the technology to do federated data platforms, and it's an example of the shift in the politics that's taking place," said Drayson, founder and former CEO of UK clinical AI and digital healthcare company Arcturis Data. Palantir said the results of its technology in the NHS were already evident as 110,078 additional patients have undergone procedures in hospital theatres since the FDP product was implemented. Nearly 7 percent more patients with referrals for suspected cancer were now receiving answers within 28 days compared to the 12 months before FDP, it said. However, experts at the OpenUK event expressed concern that the decision to give Palantir the FDP deal reflected poor decisions in shaping the UK tech market and poor stewardship of NHS data as a UK asset. Mike Bracken, partner at consultancy Public Digital and former Cabinet Office executive director for digital, said NHS England had a 15-year history of failing to set a standard health data taxonomy and classification in order to develop a thriving supply market. "That was the complete failure of NHSE," Bracken said. "We've heard talk about market shaping. Where we are now is a 15-year failure to shape a market around common standards and platforms. It really is not difficult. We're in a current position where the absence of doing that allows any single entity or company to own that taxonomy and that federated model that is not healthy for this country." "It is not actually about Palantir. If you look around our public sector, our officials believe in market orthodoxy, and our markets are little short of oligopolies and monopolies, and this is just another example. If we generally want market activity, competition, innovation, you have to create markets. You do not create markets by handing single control of federated platforms, in this case, to single companies, Palantir or otherwise." Secretary of State for Health and Social Care James Murray was asked about the FDP during a recent interview on BBC Radio 4's Today program. "The FDP is a single contract with Palantir, and it's being reviewed at the moment ahead of its breakpoint next year," he said. Speaking at the OpenUK meeting, Laura Gilbert, Senior Director for AI at the Tony Blair Institute and former director of data science in the Prime Minister's Office, said the FDP was exactly the use case that you don't outsource, and certainly not outside the country. The UK has the skills to build its own NHS data systems, which could lead to benefits for the wider tech and healthcare economy, she said. "Locking down to a single vendor is clearly risky when it is something so important. Once again you're in a place where you are not just giving the money away offshore but the benefit of the data – some going back to the patient, which is great – but we should be learning from that data and building a better health service, not allowing an offshore company to learn and build better products they can sell to somebody else." The Tony Blair Institute has received funding from Larry Ellison, co-founder of Oracle, which was part of one of the losing FDP bids. The next few months will be critical for Palantir's involvement in the NHS. With the writing on the wall for UK Prime Minister Sir Keir Starmer, frontrunner to replace him is Andy Burnham, currently the mayor of Manchester. The Greater Manchester Integrated Care Board has rejected the FDP, preferring to use the system it built on Microsoft Azure with technology from data pipeline vendor Matillion, analytics and data lake company Snowflake, data visualization firm Tableau, University of Manchester's eLab, and others. A report last year claimed it "exceeds anything the FDP currently offers." ®

The UK government is preparing to kick under-16s off social media and clamp down on a range of online features aimed at children, declaring that Big Tech has had its chance to police itself and failed. Prime Minister Keir Starmer announced plans on Monday to ban under-16s from social media as part of a package that also includes new restrictions on livestreaming, stranger contact, disappearing messages, and AI companion chatbots. The legislation is expected to be introduced before Parliament's Christmas recess, with the new rules due to take effect in spring 2027. "Parents want to keep their kids safe and happy, but the online world has made that harder than ever," Starmer said. "I've heard firsthand from families crying out for change and we will do right by them." The prime minister reserved his sharpest criticism for the technology industry. "This is a line in the sand," he said. "Tech giants had their chance and failed, but we're stepping in to protect children, back parents, and set a new normal for future generations." The government is pitching the move as a direct response to parental concerns. According to its Growing Up in an Online World consultation, 91 percent of parents who responded supported a minimum age of 16 before social media platforms can offer services to children. More than four in five respondents said the risks of social media outweigh the benefits for children, while 88 percent said fewer children would be exposed to inappropriate or harmful content if age restrictions were introduced. Ministers also point to evidence that many parents are simply exhausted by the battle over screen time. Three-quarters of respondents said restrictions would lead to fewer arguments at home, while 77 percent said schools and teachers would find it easier to manage children's digital behavior. The government said it intends to follow Australia's model by targeting user-to-user platforms whose primary purpose is social interaction and user-generated content. That would include services such as Snapchat, TikTok, YouTube, Instagram, Facebook, and X. The social media ban is only part of the package. Ministers also want to restrict a range of features they say expose children to harm, including stranger contact, explicit image sharing, livestreaming, and AI companion chatbots. Those restrictions would remain in force by default for 16 and 17-year-olds as well to avoid what ministers describe as a "cliff edge" when children turn 16. Ministers are also examining further measures for under-18s, including overnight social media curfews and mandatory breaks in infinite scrolling, with additional details expected in July. The government said it will seek to avoid some of the problems encountered in Australia by requiring what it describes as "highly effective age assurance" measures. Whether those systems prove any better at telling teenagers from adults remains unclear: recent age-verification trials have already produced examples of youngsters reportedly bypassing checks using little more than a drawn-on mustache. Ofcom, which will be responsible for enforcing much of the regime, signaled support for the government's plans. "So far, Ofcom has driven some of the strongest changes of any online safety regulation in the world, from widespread age checks to grooming protections for children," a spokesperson said. "But the industry needs to go much further to make people safe. The government has entrusted us to build on this progress with new measures to protect children, and we're ready to work closely with them as the detailed regulations take shape." But not everyone is convinced the government has found the right answer. James Baker, Platform Power and Freedom of Expression Programme Manager at the Open Rights Group, warned that lawmakers risk repeating a familiar pattern. "Every failed attempt to make children safer online is followed by more surveillance and censorship," he said. "Children have rights too and these policies will harm their free expression and privacy rights, and push them into less regulated spaces. Meanwhile the business models driving harms are untouched." Others questioned whether the measures can realistically be enforced. Mark Jones, an online harms specialist and partner at law firm Payne Hicks Beach, noted that the consultation closed only weeks ago and warned that determined teenagers have a habit of finding ways around restrictions. "A social media ban only helps if it is genuinely enforceable," Jones said. "If large numbers of young people simply circumvent the restrictions, parents will just lose visibility into where their children are actually spending time online rather than reclaiming any control." The political case for the crackdown appears relatively straightforward, but the practical one is less so. The government now has to persuade social media companies to enforce the rules and teenagers not to find ways around them. ®

BORK!BORK!BORK! "The Scream" by Edvard Munch is an iconic painting, so it somewhat appropriate that a display in a museum dedicated to the artist shows an error likely to elicit the same response from many a Windows user: a Microsoft account recovery screen. Spotted by Paul, a Register reader at the Munch Museum in Oslo, the screen shows what appears to be Google Chrome attempting to display a page that requires a Microsoft account to access. For whatever reason – perhaps a password has been forgotten – an account recovery screen is visible rather than information more suited to the museum. It's enough to elicit a horrified shriek from a user seeking authenticated content. Not unlike the artist's work more than a century earlier. According to the museum, the motif is "a universal symbol of anxiety," not unlike the trepidation that accompanies modern authentication. The painting likely originated from an evening stroll Munch took, during which he had a strong reaction to a sunset. He attempted to come to terms with it in words and images, which is where the iconic "Scream" motif comes from. Munch produced several versions of the image, and the museum keeps three in rotation to minimize deterioration. One is always on display, while the others are kept in the dark. Despite its age, "The Scream" is as striking to modern audiences as it was in Munch's day. Perhaps more so, as humans deal with new technology and react to the latest news about the benefits and/or threats of AI, depending on whom you ask. In that sense, flashing up an account recovery prompt is perhaps the most appropriate modern interpretation of "The Scream." An expression of horror, anxiety, or despair is one that is all too easy to associate with a user struggling with authentication technology. Or, in the case of whoever is administering this display, whatever Microsoft service is lurking in the background and needs an account recovered. ®

OPINION Tech companies hate liability, or at least the sort that makes them liable if something goes wrong. It doesn’t much matter if what they ship is buggy, shabby or simply blows chunks, it’s on you for using it. You fool. Corporates can get service level agreements to focus their suppliers’ minds, and life-critical applications such as health or transport wire in liability through regulation, but shlubs like us get nothing. This goes double for LLMs, which lie to our face all day every day and twice on Sundays. It’s on you to check. If you file a court brief with an hallucinated cite, or lose your production database to an insane agent, it’s on, yes, you. Again. Terms and conditions. If the AI companies were liable for the things they ship they know are faulty, the industry would look very different. Thus it is very interesting indeed that a Munich court has just found Google strictly liable for bad things that its own AI is doing — in this case, making false and potentially very damaging statements about a couple of publishers. The AI Overview linked the publishers to various scams, in prime position at the top of the search results. Normally, search results don’t make the search engine liable for what it digs up. These results weren’t dug up, they were made up. Normally, if a page returned by a search engine contains legally actionable material, you can go after the page's author. Here, there were no such pages. The author was Google’s own AI. No escaping it, the court decided, someone had to be liable and that someone was Google. The company argued in its defense that because everyone knew you can’t trust AI results, everyone knew to check what AI Overview told them. This worked as well as Alex Jones arguing that as he was a performance artist rather than a journalist, the massive damage caused by his Infowars platform wasn’t his responsibility. Don’t blame me Pompei, said Vesuvius, I was just putting on a fireworks show. No sale. Google, you are guilty. Stop doing it. This may seem on its face to be nothing new, not different in principle to a lawyer abusing AI and eating judge boot. The difference is that the lawyer can either stop abusing AI or stop using it altogether. Google can do neither. It has bet the shop on an AI it can’t control, one with a court-tested liability that can’t be fixed until hallucinations and false equivalencies are fixed. Businesses that use AI have indeed learned what Google said in court and have evolved their own processes to detoxify AI internally. It means using skilled humans to check and verify. It means that productivity benefits are as hard to find as Alex Jones’ donations to the Southern Poverty Law Center. As any sensible human knows, productivity isn’t the one metric to bind them all. Quality, value and integrity are part of the equation, and the skill is balancing the incalculable against the countable. Google can’t do that. It has mustered under the ‘AI All The Things’ banner, but unlike its fellow LLMinati, Google’s primary product is serving facts to billions of people. There can be no mitigating human filter, no legal prophylactic of ‘we made it up, but you know what we’re like’. Google multiplied is liability the day it made AI Overview not an option, but unavoidable and the first thing you see. It’s rolling out more and more layers of AI-mediated content in lieu of actual search results, despite nobody wanting that, under the corporate hallucination that lie ability trumps liability. Which has been true for most tech companies most of the time, but no longer. It’s improbable that Google can change course and do the obvious thing, incorporate an AI kill switch in its search product. It can no more compete on quality of results than a dodo can enter the All Mauritius Aviad Aerobatics championship. Which is a shame, because the first rats of legal liability have scuttled ashore. Expect this process to continue. Proponents of AGI are adept at minimizing the implicit — and in this court case, explicit — unreliability of LLMs as an unsolved problem. Humans are unreliable too, after all. We have evolved our own error detection and correction protocols, be they the scientific method or the police and legal systems in general, or internal reviews and test cycles in corporate. There is no way that AI’s insinuation into process can or should be exempt from these systems, at least while it mucks things up like a stoned teenager in a muscle car. The tech industry has avoided liability on the grounds of immaturity, that what it does is so wonderful that it shouldn’t be held back because of flaws that will take too long to fix. Immaturity only lasts so long, then you have to take the consequences not only of your actions, but of refusing to change your behavior. The Munich court has fired the warning shot of those consequences, and Google must search its soul and find the truth. If, that is, its AI will let it. ®

WHO, ME? Welcome to another instalment of Who, Me? It’s The Reg’s reader-contributed column in which you admit to mistakes and reveal your escapes! This week, meet a reader we’ll Regomize as “Rohan” who told us that a few years back he worked on the IT side of a warehouse. “Management purchased software that required a large-screen tablet, but when they saw those cost over $1,000, they balked at the price,” Rohan writes. The tech team’s resident pimply-faced youth (PFY) was therefore given the job of finding a cheaper alternative. Rohan didn’t pay much attention because he was about to go on a holiday. While he was away, the PFY ordered a generic 14-inch Android for just $150. “It was ordered quicker than you can say ‘I’d advise against that’,” Rohan wrote. He returned from holiday and found a package on his desk, plus an email from the PFY expressing his pride in saving the company so much money. Rohan noticed the unmistakable livery of a Chinese e-tailer on the package, and after opening it found a nine-inch tablet inside. He therefore opened a dispute with the sellers, who asked to see a picture of the machine. “I duly sent one showing a tape measure rolled out to nine inches,” Rohan wrote. The vendor responded with an explanation of their proprietary tablet-sizing methodology, which Rohan applied. Using their method, the tablet was an eleven-incher, so Rohan revived the dispute. The vendor’s response was to send an image of the box the tablet came in, plus evidence that the box it arrived in had a 14-inch diagonal measurement. Rohan now escalated the matter to the e-tail platform, an act that saw the seller offer a partial refund. But the e-tail platform was having none of that and advised Rohan to return the undersized tablet – and promised a full refund including postage! The seller then responded with an offer of a partial refund if Rohan would just keep the tablet and drop the dispute. That deal meant Rohan’s company would end up owning a tablet it couldn’t use, for just $60. “The moral of the story is to school your PFYs on the folly of believing things that are too good to be true,” Rohan advised. Have you been too optimistic when shopping for work kit online? Don’t short-change your fellow readers, click here to send Who Me an email so we can share your story! ®

Google Cloud customers with resources in India have had to deal with elevated latency for several days – and there’s no end in sight. Per a Google status page, on June 9th “A fire at a third-party data center facility required an emergency power shutdown of networking equipment, isolating a non-compute local Point of Presence (POP) in Delhi and reducing available network capacity in the metro area.” That shutdown caused “intermittent periods of elevated latency and possible packet loss” for network traffic headed to Google Cloud from Delhi, Chennai, Mumbai and surrounding areas. “Customers may experience slightly elevated latency and non-optimal network routing into Google Cloud until the affected facility is fully restored,” Google warned. Google has implemented “traffic mitigations” that it says have improved performance “for some Cloud customers,” and is trying to arrange extra peering capacity. That work is ongoing, with the ads-and-cloud giant promising it is “further augmenting our Delhi backbone capacity” and hopes to have better news on Monday. The web giant is also working to improve regional peering capacity in the city of Chennai, to assist large ISPs in India and hopes that work will be complete on Wednesday, June 17th. Japan’s space truck is back in business Japan’s Aerospace Exploration Agency (JAXA) last week successfully launched its H3 rocket, a welcome return to form after its previous two missions failed. This success will be doubly sweet for JAXA, because the H3 used for this mission employed a pair of outboard boosters – the first time the agency has used the launcher in this configuration. The rocket launched on June 12th and placed six satellites in orbit. South Korean tech exports boom, not just because of AI South Korea’s Ministry of Science and IT on Sunday announced exports of IT products reached $47.8 billion in May, a new record and a sum 128 percent higher than tech exports in May 2025. Semiconductor exports surged by 162.9 percent year over year, due to the AI boom. Mobile phone exports also grew by 15.9 percent, while a category the Ministry calls “computers and peripherals” saw 259.6 percent year-on-year growth. “Displays rebounded due to increased demand for OLEDs for new mobile phones and strong sales of new laptops,” the Ministry said. “Overall exports of mobile phones increased due to a rise in the average selling price of high-spec finished products and robust demand for high-value components such as camera modules.” South Korea imported over $15.7 billion worth of tech in the month, up 36 percent year-over-year, but still achieved a record trade surplus of over $32 billion. Zoho builds its own servers Indian SaaS giant Zoho has cooked up a custom server called “Nathu La” that it says will reduce the cost of operating its platform. “The design philosophy behind Nathu La is rooted in the Open Compute Project (OCP), emphasizing modularity, thermal efficiency, and ease of maintenance, and enabling Zoho's data centers to significantly reduce total cost of ownership and power consumption,” according to a company statement. The machines run Intel Xeon 6 processors and Chipzilla helped to design them, but Zoho says “all intellectual property [is] owned in India.” Zoho says the servers will also help to lower inferencing costs. The company didn’t say how it calculated its performance numbers. The Reg fancies Zoho has compared its own boxes to whatever machines it currently buys off the shelf, and believes that servers tuned to its own needs will deliver better performance. That’s a conclusion many hyperscalers reached years ago. NTT Data’s new boss Japanese tech giant NTT Data has a new president and CEO: Kazuhiko Nakayama scored the twin roles last week, capping a career with the company that started in 1989 and most recently saw him serve as chief financial officer. Previous CEO and president Yutaka Sasaki will become senior executive vice president. “Over the past three years I have had the honour of working closely with Mr Sasaki and the leadership team on a strategic course that has established NTT DATA among the top five IT services businesses globally,” Nakayama said, according to NTT Data’s announcement of its new leadership. “That experience has reinforced my conviction in the strength of our offering, the quality of our people and the size of the opportunity ahead. As I take on the responsibilities of CEO and lead the growth of the NTT DATA Group going forward, I feel a deep sense of dedication, possibility and excitement." ®