
SoylentNews is people

posted by janrinok on Thursday May 07, @01:43PM

https://www.slashgear.com/2165779/us-lithium-discovery-appalachia-rival-china/

Lithium is an important metal used to manufacture the batteries that power everything from mobile phones and laptops to EVs, power tools, and much more. It also has a variety of industrial and medical applications, and it's a substance that many Americans benefit from every day. The U.S. is not one of the world's major lithium producers, trailing behind nations like Chile, Australia, and China. A discovery in the Appalachian Mountains, however, has revealed that the nation's lithium reserves are larger than previously thought. But that's not quite the end of the story.

According to estimates from the U.S. Geological Survey, around 2.3 million metric tons of lithium oxide deposits are present across parts of Maine, New Hampshire, and North Carolina. But the problem is that this lithium lies within hard rock formations known as pegmatites, which aren't easily accessible. As of this writing, those rocks are not being mined, and quite a bit of work would need to be done before the lithium could be extracted and put to good use.

In contrast, China's dominant lithium-ion battery industry puts it far ahead of the U.S., at least for now. But even if America's newfound lithium deposits can be developed, establishing a secure domestic supply chain would require rebuilding much of the existing infrastructure. So this discovery, while potentially a positive for the U.S. moving forward, doesn't do much to change the current imbalance that exists between America and other countries.

The recent discovery of lithium oxide deposits across several states seems to bode well for the U.S., which depends on rare earth elements for electric cars. Extraction issues aside, the U.S. Geological Survey's 2.3 million metric ton estimate is also based on a 50% confidence level. This means there's an equal chance of there being more or less lithium than estimated. The only way to confirm the total is through further development and analysis. Even then, the USGS' projection does not account for how much of the lithium can actually be extracted.

Currently, the U.S. has a limited lithium production base despite holding 4.4 million metric tons in reserve. As of 2026, the nation only has one active lithium mine in Silver Peak, Nevada, which produced around 1,000 metric tons of lithium in 2025. That output is extremely small compared to China, which produced 62,000 metric tons of lithium in 2025. China also has a slightly larger reserve of 4.6 million metric tons.

However, there is a second mine under construction in Nevada as of mid-2025. The Thacker Pass Lithium Mine received its permits in 2022 after years of review, public forums, and revisions to the original applications. The mine is scheduled to begin operations in 2028, with an expected annual output of around 40,000 metric tons of lithium.


posted by hubie on Thursday May 07, @09:00AM

The biggest risk often now comes from inside:

For the first time ever, internal threats have become more common than external ones, with hacking remaining pretty steady at 31% of attacks compared with employee misuse, which rose from 29% to 45%.

There's also the fact that hackers themselves are more frequently targeting company insiders, exploiting everyday employee behavior instead of having to rely on more sophisticated, crafted attacks from outside.

"While not inherently malicious, employee misuse can be just as damaging as a sophisticated breach, especially given that attackers are increasingly turning policy workarounds into external entry points," Senior Security Researcher Carl Morris explained.

Endpoints remain one of the biggest targets, with workers' devices involved in more than half (53%) of incidents. And while they account for a smaller percentage overall, identity attacks also rose from 10% to 17% in around a year.

Looking ahead, Orange Cyberdefense urges companies to acknowledge that many risks now come from within an organization. Tightening access controls and privileges can shrink the attack surface altogether, while simple multi-factor authentication can also serve to prevent attackers from gaining access.


posted by hubie on Thursday May 07, @04:13AM

Experts warn that the legislation could lead to websites banning all VPN addresses due to technical limitations:

The legislation follows similar proposed bills from Wisconsin and Michigan and is seen as the first major US step toward regulating VPN use to avoid age verification. 

However, privacy advocates warn that the legislation could lead to a blanket ban of all VPN addresses in a "technical whack-a-mole that likely no company can win". The Electronic Frontiers Federation wrote that "if a website cannot reliably detect a VPN user's true location and the law requires it to do so for all users in a particular state, then the legal risk could push the site to either ban all known VPN IPs, or to mandate age verification for every visitor globally."

In the past year, both Australia and the UK have enacted age-verification measures to restrict access to "harmful content." While Australia's legislation has been called an "unmitigated disaster" by Wikipedia founder Jimmy Wales, it's been reported that children in the UK have been drawing on mustaches to get past age barriers.


posted by hubie on Wednesday May 06, @11:30PM
from the what-other-instructions-are-under-the-hood? dept.

References to goblins and gremlins spiked with the release of GPT-5.1's 'Nerdy' personality, and then spread to other models:

OpenAI is opening up about its goblin problem. After a report from Wired revealed instructions to OpenAI's coding model to "never talk about goblins, gremlins, raccoons, trolls, ogres, pigeons, or other animals or creatures," the AI startup published an explanation on its website, calling references to the creatures a "strange habit" its models developed as a result of their training. As outlined in the blog post, OpenAI began noticing metaphors referencing goblins and other creatures starting with its GPT-5.1 model — specifically when using the "Nerdy" personality option. OpenAI says the problem continued to worsen with subsequent model releases, until it found that its reinforcement training rewarded the quirky metaphors with the Nerdy personality, which newer models were training on.

The rewards were applied only in the Nerdy condition, but reinforcement learning does not guarantee that learned behaviors stay neatly scoped to the condition that produced them. Once a style tic is rewarded, later training can spread or reinforce it elsewhere, especially if those outputs are reused in supervised fine-tuning or preference data.


posted by hubie on Wednesday May 06, @06:45PM

Curiosity just found molecules on Mars tied to the chemistry of life, hinting at a more habitable past:

NASA's Curiosity rover has discovered a wide variety of organic molecules on Mars, including compounds often viewed as essential ingredients for the origin of life on Earth.

These results come from a chemical experiment carried out on another planet for the first time. The findings show that the Martian surface can preserve molecules that might serve as indicators of ancient life. However, the experiment cannot determine whether these organic compounds formed from past life on Mars, natural geological activity, or arrived via meteorites.

To confirm any true signs of past life, scientists would need to return Martian rock samples to Earth for more detailed analysis.

[...] “We think we’re looking at organic matter that’s been preserved on Mars for 3.5 billion years,” said Williams, who helped develop the experiment. “It’s really useful to have evidence that ancient organic matter is preserved, because that is a way to assess the habitability of an environment. And if we want to search for evidence of life in the form of preserved organic carbon, this demonstrates it’s possible.”

[...] The experiment identified more than 20 different chemicals. Among them was a nitrogen-containing molecule with a structure similar to compounds involved in building DNA, something never before detected on Mars. The rover also found benzothiophene, a large sulfur-containing compound with a double-ring structure that is commonly delivered to planets by meteorites.

“The same stuff that rained down on Mars from meteorites is what rained down on Earth, and it probably provided the building blocks for life as we know it on our planet,” Williams said.

Curiosity, managed by NASA’s Jet Propulsion Laboratory, landed in Gale crater in August 2012. This location was once a lake bed. The experiment took place in 2020 in the Glen Torridon region, an area rich in clay minerals that formed in the presence of water. These clays are particularly effective at trapping and preserving organic molecules, making them an ideal target for this type of research.

[...] For this experiment, scientists used a chemical called TMAH to break down larger organic molecules into smaller components that could be examined by SAM’s onboard instruments. Because Curiosity carries only about two cups of TMAH, the team had to carefully plan the experiment and select the most promising sampling site.

The success of this approach is influencing upcoming missions. Future projects, including the Rosalind Franklin mission to Mars and the Dragonfly mission to Saturn’s moon Titan, are expected to include similar TMAH-based experiments to search for organic compounds.

“We now know that there are big complex organics preserved in the shallow subsurface of Mars, and that holds a lot of promise for preserving large complex organics that might be diagnostic of life,” Williams said.

Reference: “Diverse organic molecules on Mars revealed by the first SAM TMAH experiment” by Amy J. Williams, Jennifer L. Eigenbrode, Maëva Millan, et al., 21 April 2026, Nature Communications. DOI: 10.1038/s41467-026-70656-0


posted by hubie on Wednesday May 06, @01:58PM

Apple processors are made by TSMC, but that could change:

There is no doubt that Apple needs to diversify its processor supply chain, but Samsung and Intel are weak alternatives next to TSMC. Apple may try anyway.

Rumors have come and gone about Apple buying Intel for its US foundries, but something about that idea stuck. More recent rumors suggested Apple could start relying on Intel for Apple Silicon production as soon as 2027 or 2028.

According to a new report from Bloomberg, Apple has been considering Intel and Samsung to build "main device chips" for some time. While the recent chip and memory shortage has added some pressure, Apple had allegedly been making these considerations well before the current situation.

Samsung makes sense as an option because it is the distant number two chip fabricator to TSMC. It has the capabilities of meeting Apple's strict quality demands, though it would be vastly limited on capacity.

Intel has been repeatedly mentioned in many rumors for various reasons. There was a time when it seemed Intel would dissolve, but it was revived thanks to a controversial 10% stake purchased from the US government under Trump.

The company even approached Apple for a direct investment, though it appears that nothing ever came from that.

Even if Intel and TSMC's joint venture results in some Apple chip production in the United States, it would be a paltry amount that barely puts a dent in TSMC's monopoly. However, it would surely score some brownie points with the US administration.

The report suggests that no decision has been made and Apple may not move forward with any new partners. TSMC continues to be the producer of Apple Silicon with over 60% of that made in Taiwan.

Apple is stuck between a rock and a hard place, as is the rest of the world. TSMC has been one of the few companies the world can rely on for advanced silicon, and if China decides to invade, it could devastate the global economy.

At this point, it seems Apple's only options are strengthening its rival Samsung or embracing the flailing Intel. This situation could be among the defining aspects of John Ternus' tenure as CEO, though some are apparently more worried about retiring executives.


posted by hubie on Wednesday May 06, @09:15AM
from the WTF dept.

https://insideevs.com/news/794295/chinese-ev-headlight-movie-projectors/

Huawei showed off the newest version of its headlight tech, XPixel, at the Huawei Qiankun Technology Conference at the Beijing Auto Show last week. The headlights now have the ability to project a full range of colors like a giant movie projector mounted to the front of the car. That means the ability to park your car and use the nearest wall to watch your favorite show or movie like it's some sort of personal drive-in movie theater.

The actual XPixel tech that Huawei is using to underpin the new full-color projection feature has been around for about three years now. Vehicles like the Huawei Stelato S9 already use it, and what's particularly cool is how the tech is neatly tied into the car's driver assistance features, meaning that it can help to assist with lane changing by showing a guided path, or even direct pedestrians when to cross in front of the car. It can also project interactive games for kids (like hopscotch).


posted by hubie on Wednesday May 06, @04:31AM
from the dystopia-is-now! dept.

https://arstechnica.com/cars/2026/05/inside-toyotas-10b-private-utopia-big-ideas-few-people-cameras-everywhere/

At the Consumer Electronics Show in 2020, Toyota CEO Akio Toyoda pledged to build a city of the future, a place where researchers, engineers, and scientists could live and work together. It was framed as the start of a transformation for the world's largest car company, moving it toward becoming a fully fledged mobility company.

Six months ago, after Toyota spent an estimated $10 billion to build an urban paradise atop a disused factory, the first residents moved in.
[...]
The company says it wants to create a "society with zero accidents"—a tall order given the sheer number of Toyotas currently on the road.
[...]
To get there, Absmeier said Toyota's cars will need far more awareness than onboard systems can provide, even with the most advanced lidar, radar, and imaging sensors on the planet. For instance, the only way to spot a kid darting out from behind a truck, he said, is with cameras on every street watching for hazards, paired with warning systems for oncoming traffic.

This is part of the age-old promise of vehicle-to-everything communications
[...]
But if the idea of ubiquitous cameras watching everyone gives you pause, you're not alone—it certainly seemed startling to me.
[...]
There are plenty of cameras in urban areas around the world, but I haven't seen anything approaching this level of density. All of them feed into what Toyota calls the Woven City AI Vision Engine, an agentic system designed to monitor, catalog, and report activity.
[...]
Kota Oishi, general manager at Woven City, said that Toyota has surveyed people around the world, including Americans and Europeans, about their views on privacy and data. While people in Southeast Asia tended to be fairly relaxed about privacy, Japanese respondents were far more cautious, he said.
[...]
"We have our own consent management to ensure that all the data being shared or being collected," he said. "We act under the consent of the data provider."
[...]
"We allow the Weavers to select what they want to share or not. So whether it's nothing or whether it's everything is up to the individual," Absmeier told me. Oishi, the GM, said the vast majority of the Weavers have opted into the roughly 20 experiments currently underway. For example, 98 percent allow a robot with cameras to operate in their homes.

[...] Daisuke Tanaka, a resident of Woven City, is something like an on-site digital matchmaker for Weavers. It's not love they're looking for, though; he connects creators and startups to spark collaborations every second Friday.
[...]
Expansive coworking spaces dot Woven City, designed to foster spontaneous brainstorming, with plenty of 3D printers scattered throughout for rapid prototyping. The stated goal is to spur creation, innovation, and successful startups.
[...]
Residents also help test delivery robots and a device called the Swake, a three-wheeled scooter with a leaning backrest for cornering. I didn't get to ride one, but with a top speed of 12 mph (20 km/h) and a range of 3.7 miles (6 km), the Swake could be a more stable (and fun) alternative to the average Lime or Bird scooter.
[...]
The 20 prototype Swake machines also can't leave the grounds, which limits the amount of real-world testing they're getting.
[...]
"Ultimately, we have to be a long-term sustainable business," he said.

That's why so much Toyota tech is being tested here, including efforts to refine systems like the AI Vision Engine before selling them to municipalities.
[...]
"Physical AI" was everywhere at Woven City: robots of all shapes and sizes that, for the most part, didn't seem to do much.
[...]
The Guide Mobi, however, was more compelling. Like a tugboat guiding cargo ships in and out of port, it's used in Woven City to autonomously move cars from the parking garage to a pickup area for residents. But where a tugboat provides thrust to keep boats moving, the Guide Mobi uses sensors to prevent the cars from going the wrong way.
[...]
It was miserable and rainy for much of the time I spent wandering Woven City, and the moisture was an unfortunate limiting factor for its operations.

While the Guide Mobi braved the rain for a test delivery, the Swake tricycles can't run in such conditions.
[...]
and many of the robots we'd been told to expect skittering around the streets had stayed home to keep their sensors dry.
[...]
It wasn't quite Omega Man territory, but I didn't see a single kid playing, dog out for a walk, or citizen running to one of the on-site convenience shops. The electric e-Palettes Toyota uses as buses were empty; they stopped at their stops, waited, and then left without picking up or dropping off anyone.

The curtains were drawn on all the apartments I could see, and there was no sign of laundry, bicycles, or other personal items on any apartment balcony.

I had to remind myself that this place is six months old, with only 100 Weavers so far—fewer residents than you'd find at your average Holiday Inn.
[...]
Woven City is Toyota's attempt to not only identify the next mobility zeitgeist but also to ensure it begins to take shape where the company can capitalize on it. It's a big bet, but it's backed by the world's largest car company by volume and one of the few that has managed to consistently deliver products its customers want in a chaotic global market.


posted by janrinok on Tuesday May 05, @11:42PM
from the because-he-could dept.

Linux gaming has been on a great trajectory these past few years.

Proton turned a massive chunk of the Steam library into playable Linux titles thanks to Wine as its backbone, and purpose-built Linux gaming consoles are now a product category that actually exists.

We recently covered the Playnix Console, a $1,179 Linux gaming machine from the EmuDeck team that ships with a custom Arch-based OS and boots straight into Steam's gaming mode.

Today, we have a project that lets you run a Linux-powered operating system on Sony's PlayStation 5 console.

Running Linux on a PS5?

Andy Nguyen, the developer behind this, first posted about him running Linux on the PS5 back in March, where he demonstrated playing GTA V Enhanced with Ray Tracing enabled.

More recently, he posted that his project "ps5-linux" was live on GitHub, allowing gamers to turn their PS5 (non-slim) devices into a fully functioning Linux gaming PC.

You see, the PS5 does not run a Linux kernel. Sony's operating system is built on a heavily modified version of FreeBSD, which is a separate Unix-like OS altogether. What ps5-linux delivers is a genuine Linux port, not some tweak on top of what was already there.

In terms of what you actually get, it's a full desktop Linux environment. The PS5's 8-core, 16-thread CPU can be pushed to 3.5 GHz, the GPU to 2.23 GHz, and HDMI video output goes up to 4K at 60Hz. Steam runs on it, providing you with access to PC games and settings that Sony's own OS doesn't offer.

There are some gaps though; the PS5's onboard Bluetooth and networking hardware currently have no Linux driver support. You'll need a USB Ethernet or WLAN adapter for internet access and a Bluetooth dongle if you want to use a DualSense controller wirelessly.

It's also not a persistent install as the console's internal SSD is left completely untouched, so bricking your PS5 isn't really a concern. The trade-off is having to re-run the exploit from scratch on every single reboot.

I ported Linux to the PS5 and turned it into a Steam Machine. Running GTA 5 Enhanced with Ray Tracing. 🤯 pic.twitter.com/aMbT0PQ1dS
        — Andy Nguyen (@theflow0) March 6, 2026

Want to install it?

It works on PS5 (non-slim) consoles only. Devices running firmware 3.xx (3.00, 3.10, 3.20, 3.21) are supported but without M.2 SSD support. If you are on firmware 4.xx (4.00, 4.02, 4.03, 4.50, 4.51), you get the full package, including the ability to dedicate an M.2 SSD to Linux.

And you can run the following Linux distributions:

  • Arch Linux (with Sway)
  • Ubuntu 24.04 LTS
  • Ubuntu 26.04 LTS
  • Alpine Linux 3.21

Apart from that, you will have to follow the instructions closely and make use of the PS5 Linux Image Builder to get a Linux OS installed on your PlayStation 5 device. Andy also has a Discord server set up for people who can do a kernel exploit on his project and help him hack drivers.

Some thoughts

Is it practical? Not really. Using the exploit means starting the whole process over, and Sony will almost certainly DMCA the repos or employ some other legal mechanism at some point.

But someone built a full Linux port for a console that was never meant to run it, got Steam working on it, and put it all out for free. The Linux community has always been more interested in proving something is possible than in whether it's convenient, and this project is exactly that.


posted by janrinok on Tuesday May 05, @06:50PM

Research finds how consumers' comparison across products can erode total profit from more differentiated pricing:

Big data, artificial intelligence and advanced pricing algorithms make it easier than ever for companies to fine-tune prices for individual products to closely reflect their unique value and cost. The conventional wisdom is straightforward: better data, better algorithms and sharper segmentation should produce better profits. But new research suggests that the most profitable answer isn't always more fine-grained pricing across a product line. In fact, it is fewer, better-chosen price points.

The study, titled "Consumer-Driven Class Pricing," is by Zuhui Xiao from the University of Wisconsin-Milwaukee. Class pricing is a surprisingly widespread feature of everyday markets: the practice of assigning a small number of price points to a much larger assortment of related products. Think of a bar menu with many draft beers but only three price points, or a supermarket aisle with hundreds of SKUs but a dozen distinct shelf prices. Similar patterns extend to fast-moving consumer goods, restaurants, toys, discount stores, convenience retail, budget travel, books and car rentals.

The rationale for class pricing is not just operational simplicity; it is consumer psychology. Consumers do not evaluate prices in isolation. Rather, they form price expectations across the products in front of them and compare what they pay with what they expected to pay for nearby alternatives. Paying more than expected is perceived as a psychological loss, while paying less than expected is perceived as a psychological gain.

Xiao finds that the key driver of class pricing is "loss aversion," the well-established tendency for people to be more sensitive to perceived losses than to equivalent gains. In this context, consumers feel the pain of paying more than expected more intensely than they appreciate the pleasure of paying less than expected.

  "When firms introduce more granular pricing, it triggers consumers' direct comparison of prices," said Xiao. "Consumers perceive higher-priced items as losses relative to cheaper alternatives and tend to resent higher prices more than they reward lower ones. As a result, the price disadvantage of higher-priced items is psychologically amplified, making them look worse than the underlying price difference alone would suggest."

Because of this amplified price disadvantage, even when higher-priced products carry greater prestige, better taste or higher quality, firms cannot fully translate that stronger appeal into sufficiently higher willingness to pay. At the same time, they must keep lower-priced products cheap enough to attract additional demand. The result is an asymmetry: firms give up more on the lower-priced products than they can recover on the higher-priced ones, reducing total profit.

"This asymmetry can reduce consumers' total willingness to pay across the assortment and outweigh the benefits of differentiating prices based on cost or value," added Xiao. "That is why adding more price points can actually backfire."

As a result, expanding the number of price points may reduce total profitability. The findings challenge the assumption that more data and better algorithms should always lead to more precise pricing.

"Even with advanced technologies, firms should be cautious," Xiao explained. "More pricing flexibility does not necessarily translate into higher profits. In many cases, simpler pricing structures are more effective."

Journal Reference: https://doi.org/10.1287/mksc.2023.0133


posted by janrinok on Tuesday May 05, @02:08PM

The NetHack DevTeam is announcing the release of NetHack 5.0.0 on May 2, 2026

https://nethack.org/v500/release.html

NetHack 5.0 is an enhancement to the dungeon exploration game NetHack, which is a distant descendent of Rogue and Hack, and a direct descendent of NetHack 3.6.

NetHack 5.0.0 is a release of NetHack. As a .0 version, there may be some bugs encountered. Constructive suggestions, GitHub pull requests, and bug reports are all welcome and encouraged.

Along with the game improvements and bug fixes, NetHack 5.0 strives to make some general architectural improvements to the game or to its building process. Among them, 5.0:

- Has its source code compliant with the C99 standard.
- Removes barriers to building NetHack on one platform and operating system, for later execution on another (possibly quite different) platform and/or operating system. That capability is generally known as "cross-compiling." See the file "Cross-compiling" in the top-level folder for more information on that.
- The build-time "yacc and lex"-based level compiler, the "yacc and lex"-based dungeon compiler, and the quest text file processing previously done by NetHack's "makedefs" utility, have been replaced with Lua text alternatives that are loaded and processed by the game during play.

A list of over 3100 fixes and changes can be found in the game's sources in the file doc/fixes5-0-0.txt. The text in there was written for the development team's own use and is provided "as is". Some entries might be considered "spoilers", particularly in the "new features" section.

VideoLAN Releases dav2d 0.0.1 as Early Preview AV2 Decoder

VideoLAN, the organization behind VLC media player, has released dav2d 0.0.1 "Merbanan," the first public preview of its AV2 decoder and successor to the widely used dav1d AV1 decoder.

VideoLAN president and lead VLC developer Jean-Baptiste Kempf prepared the release, describing it as "a very early preview release of an AV2 decoder."

AV2 is the planned successor to AV1, the royalty-free video codec developed by the Alliance for Open Media. Earlier this year, AOMedia released a draft AV2 specification for public review after several years of development. The codec remains in the standardization process, so dav2d is an early implementation rather than production-ready software.

The new decoder builds on the approach established by dav1d, VideoLAN's AV1 decoder developed with the FFmpeg community, which played a key role in AV1 adoption by offering a fast, cross-platform software decoder while hardware support was still expanding.

dav2d is intended to serve a similar role for AV2, though it remains in the early stages of development. The decoder is CPU-based, cross-platform, and built on dav1d, with ongoing work on the C implementation, API, platform support, and architecture-specific optimizations.

Last but not least, VideoLAN has not announced when dav2d will be integrated into a stable VLC release, but that certainly won't happen anytime soon. At the moment, it only lays the groundwork for future playback support in open-source multimedia software as the codec and ecosystem mature.

dav2d 0.0.1 is available through VideoLAN's official GitLab repository.

FreeBSD 15.1 Beta Released For Early Testing

https://www.phoronix.com/news/FreeBSD-15.1-Beta-1

Following last year's release of FreeBSD 15.0, FreeBSD 15.1 is working its way toward release in June. For kicking off the release dance, FreeBSD 15.1 Beta 1 is available today for testing.

FreeBSD 15.1 pulls in a number of driver updates, including for better hardware support and the various WiFi driver enhancements that have been pursued as of late along with working toward better power management. As of writing, the 15.1 release notes have yet to begin to be filled out for fully documenting the many changes being made for FreeBSD 15.1.

One of the changes I was excited to see with FreeBSD 15.1 was the new KDE Plasma desktop install option from within their existing CLI installer. This has been part of the effort to enhance the laptop/desktop experience for FreeBSD. Surprisingly though when firing up the FreeBSD 15.1 Beta 1 AMD64 install media this morning, the KDE Plasma desktop option was not presented in any of the installer interfaces.

So unfortunately that KDE Plasma desktop option seems to have not made it unless it's otherwise being restricted to certain detected hardware/software state or other limitations. In any event those wanting to try out the FreeBSD 15.1 Beta 1 release can find the download information via the mailing list announcement.

From here there are weekly betas expected until the end of May when the release candidate happens and then if all goes well FreeBSD 15.1-RELEASE will be out on 2 June.


Original Submission #1 | Original Submission #2 | Original Submission #3

posted by janrinok on Tuesday May 05, @09:25AM   Printer-friendly

Researchers emphasize fructose's unique role in obesity, metabolic syndrome and other chronic diseases:

A new report, published today in Nature Metabolism, is shedding light on the distinct and underappreciated role of fructose in driving disease, separate from its role as a simple source of calories.

Researchers examine how common dietary sweeteners, including table sugar (sucrose) and high-fructose corn syrup, impact human health. While both contain glucose and fructose, fructose has unique metabolic effects that may more directly contribute to obesity and related conditions.

"Fructose is not just another calorie," said Richard Johnson, MD, professor at the University of Colorado Anschutz and study lead author. "It acts as a metabolic signal that promotes fat production and storage in ways that differ fundamentally from glucose."

The report outlines how fructose metabolism bypasses key regulatory steps in the body's energy-processing pathways. This can lead to increased fat synthesis, depletion of cellular energy (ATP) and the production of compounds linked to metabolic dysfunction. Over time, these effects may contribute to metabolic syndrome, a cluster of conditions that includes obesity, insulin resistance and cardiovascular risk.

Importantly, the authors emphasize that fructose's impact extends beyond dietary intake alone. The body can also produce fructose internally from glucose, suggesting that its role in disease may be broader than previously recognized.

The findings come amid ongoing concern about rising rates of obesity and diabetes worldwide. Although some countries have seen declines in sugary beverage consumption, overall intake of "free sugars" remains above recommended levels in many regions and continues to increase in others.

While fructose may have once served an evolutionary purpose, helping the body store energy that can aid survival during times of food scarcity, the researchers argue that in today's environment of constant food availability, these same mechanisms now contribute to chronic disease.

"This review highlights fructose as a central player in metabolic health," said Johnson. "Understanding its unique biological effects is critical for developing more effective strategies to prevent and treat metabolic disease."

Journal Reference: Johnson, R.J., Lanaspa, M.A., Tolan, D.R. et al. Fructose: metabolic signal and modern hazard. Nat Metab (2026). https://doi.org/10.1038/s42255-026-01506-y


Original Submission

posted by janrinok on Tuesday May 05, @04:41AM   Printer-friendly

Since 1 PM EST on April 30, 2026, Ubuntu's infrastructure has been falling over. Users trying to reach ubuntu.com were getting 503 errors. By the time the picture came into focus, it wasn't an outage in the ordinary sense; it was a deliberate, large-scale attack, and the group behind it wasn't done talking. Even now, after 12+ hours, it's down. Country archive mirrors and archive.ubuntu.com seem to be working as of now, along with documentation.ubuntu.com. The default repo URLs are not working.

The attackers identified themselves as the Islamic Cyber Resistance in Iraq – 313 Team. They claimed responsibility for the assault and then, in a move that escalated things considerably, sent a direct message to Canonical: open a negotiation channel or the attack continues. They provided a Session contact ID and made clear they wanted a response. What they were after beyond that hasn't been publicly specified, but the implication was plain enough, this was extortion.

That's the part that security researchers found notable, not just the volume of traffic being thrown at Canonical's servers, but the shift from disruption to demand. A DDoS that hits a website homepage is annoying and embarrassing. A DDoS that specifically targets your security update infrastructure, and then comes with conditions attached, is a different kind of problem.

What's Actually Offline

The main ubuntu.com domain is affected, which is the visible, obvious part. But the more serious damage is to the security API and the CVE repositories, the systems that Ubuntu-based machines use to check what vulnerabilities need to be patched and to pull those patches down.

For most individual users running Ubuntu on a personal machine, this is mildly concerning but manageable. You sit on your current patch level, you wait, you avoid pulling in new software from dubious sources in the meantime. Not ideal, but survivable.

For enterprises running large fleets of Ubuntu servers (and there are a lot of them), the picture is more complicated. Automated patch management pipelines are broken. Scripts that should be checking for CVE updates are returning errors or nothing at all. Security teams that operate on the assumption that their systems are continuously pulling current vulnerability data are now operating on stale information, and they may not immediately know how stale.

The concern raised by threat intelligence analysts is that other actors – ones with no connection to the 313 Team – might look at this window and try to exploit it. Known vulnerabilities that would normally get patched within hours of disclosure are sitting unpatched on machines that simply cannot reach the relevant repositories. It's a gap, and gaps don't stay unnoticed for long.

Who Is the 313 Team

The 313 Team has shown up in hacktivist contexts before, usually associated with pro-resistance political positions and targeted disruptions rather than financially motivated attacks. But what's described here, with the Beamed Network providing backend infrastructure, isn't the profile of a small group running off commodity tools. The scale and the apparent technical organization behind it suggest either that the group has grown its capabilities considerably, that it has backing it didn't previously have, or both.

That said, there's still a lot that isn't known. The exact volume of traffic, how Canonical's mitigation efforts are going, whether any communication has actually taken place between Canonical and the attackers, none of that has been confirmed. Canonical has not issued a detailed public statement. An Estimated Time of Recovery hasn't been given. The status page is the most current source most users have, and it's been grim reading.

The Extortion Angle

This is the piece worth sitting with. DDoS attacks against major infrastructure targets aren't new. What's less common is the explicit demand attached – the attackers effectively saying: find us, talk to us, or this keeps going. That's a negotiating posture, not just a protest.

Whether Canonical engages with that posture, and what either outcome looks like, is genuinely unclear. Negotiating with groups like this sets a precedent security professionals universally hate. Not negotiating means the attack continues, with real consequences for the millions of users who depend on Ubuntu's update infrastructure. There's no clean path here.

Security researchers tracking this have noted that the specific targeting of patch mechanisms rather than just public-facing websites shows a degree of strategic thinking. You go after the homepage, you get headlines for a day. You go after the security update pipeline, you create compounding problems – every hour that passes is another hour that newly disclosed vulnerabilities can't be addressed by automated systems. The damage stretches forward in time even after the attack ends, because systems that should have been patched during the outage window remain unpatched until someone manually intervenes.

What Ubuntu Users Should Do Right Now

There's no emergency for most people. Your system hasn't been breached. No user data appears to have been exposed. Current reporting suggests this is purely an availability attack, not a breach of Canonical's systems or user accounts.

What you can't do right now is receive new security updates via normal automated means. That's the practical problem to manage. Keep your system on its current patch level. Don't go installing software from unverified sources. If you're on a public or unsecured network, be more cautious than usual. If you're running a production environment, check whether your patch management tooling is logging errors and make sure your security team knows the repositories are currently unreachable.

Once the infrastructure comes back, there's likely to be a backlog of patches that need applying. Prioritize that. Don't assume your system is current just because you ran your usual update process – if those runs happened during the outage window, they may have silently failed.
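One way to check for the silent failures described above, as an added example that is not part of the original report: `apt-get update` can exit with status 0 while printing `Err:` and `W: Failed to fetch` lines, so this script scans captured output for them and measures how old the cached index's `Date:` field is. The sample output, the documentation IP address and the 24-hour threshold are constructed assumptions.

```python
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample: captured output of an `apt-get update` run that exited 0.
SAMPLE_UPDATE_OUTPUT = """\
Hit:1 http://archive.ubuntu.com/ubuntu noble InRelease
Err:2 http://security.ubuntu.com/ubuntu noble-security InRelease
  503  Service Unavailable [IP: 192.0.2.10 80]
Reading package lists...
W: Failed to fetch http://security.ubuntu.com/ubuntu/dists/noble-security/InRelease  503  Service Unavailable [IP: 192.0.2.10 80]
W: Some index files failed to download. They have been ignored, or old ones used instead.
"""

# Constructed sample: fields from a cached InRelease file in /var/lib/apt/lists/.
SAMPLE_INRELEASE = """\
Origin: Ubuntu
Suite: noble-security
Date: Thu, 30 Apr 2026 09:12:44 UTC
"""

FAILURE = re.compile(
    r"^(Err:\d+ |W: Failed to fetch |W: Some index files failed to download)")

def failed_fetches(update_output):
    """Lines showing that an index could not be refreshed."""
    return [ln for ln in update_output.splitlines() if FAILURE.match(ln)]

def index_age_hours(inrelease_text, now):
    """Hours since the repository generated the cached index, or None."""
    m = re.search(r"^Date:\s*(.+)$", inrelease_text, re.MULTILINE)
    if m is None:
        return None
    stamp = parsedate_to_datetime(m.group(1).strip())
    if stamp.tzinfo is None:          # Release dates are UTC
        stamp = stamp.replace(tzinfo=timezone.utc)
    return (now - stamp).total_seconds() / 3600

def assess(update_output, inrelease_text, now, max_age_hours=24.0):
    """Combine both signals; max_age_hours is an assumed policy threshold."""
    failures = failed_fetches(update_output)
    age = index_age_hours(inrelease_text, now)
    stale = age is None or age > max_age_hours
    return {"failures": failures, "index_age_hours": age,
            "needs_attention": bool(failures) or stale}

if __name__ == "__main__":
    now = datetime(2026, 5, 1, 13, 0, tzinfo=timezone.utc)  # constructed clock
    print(assess(SAMPLE_UPDATE_OUTPUT, SAMPLE_INRELEASE, now))
```

On apt versions that support it, `apt-get update --error-on=any` turns these warnings into a non-zero exit status, which is easier for a pipeline to catch.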

Canonical's status page is the best source for current information. Secondary channels like Reddit, Ubuntu Forums, and security mailing lists are worth watching for unofficial updates if official communications are slow.

The Bigger Picture

There's been a gradual evolution in how hacktivist groups choose their targets and what they do to them. Website defacement was the thing for a long time – make a point, embarrass the target, move on. DDoS as pure disruption came later. What this attack represents, if you take it at face value, is something more calculated: identify the infrastructure that a target's users genuinely depend on, disable that specifically, and use the dependency as leverage.

Open-source infrastructure has always occupied an interesting threat model position. It's globally critical, as billions of devices run on it, but it's maintained by relatively small teams with limited incident response resources compared to, say, a major cloud provider. Canonical isn't a small company, but it's not AWS either. Absorbing a sustained, high-volume DDoS while simultaneously managing extortion demands and communications is a lot to handle.

This won't be the last time something like this happens. Whether it's hacktivists, financially motivated groups, or state-adjacent actors, the model of targeting update infrastructure rather than user-facing services is something more groups will probably try once they see it can create this much disruption. The open source ecosystem has taken that for granted for too long.

For now, watch the status page. Wait for Canonical to get things back up. And when the patches come, run them.

[Editor's Note: I experienced problems doing an update on 4 May. The system seemed to be reverting to IPv6 addresses but they were very slow in responding. I do not know if there is any connection to this story--JR]


Original Submission

posted by janrinok on Monday May 04, @11:56PM   Printer-friendly

Anthropic silently installed a spyware bridge on my machine:

I was working on a personal project, debugging a Native Messaging helper I had written for it. In the process I needed to check what Brave Browser had registered on my laptop. What I found was a file I had never put there. It was not mine. I had not installed it. I had not authorised it. I had not even been told about it.

It was from Anthropic.

The file sits at this path on my MacBook:

~/Library/Application Support/BraveSoftware/Brave-Browser/NativeMessagingHosts/com.anthropic.claude_browser_extension.json

And its contents are this:

{
  "name": "com.anthropic.claude_browser_extension",
  "description": "Claude Browser Extension Native Host",
  "path": "/Applications/Claude.app/Contents/Helpers/chrome-native-host",
  "type": "stdio",
  "allowed_origins": [
  "chrome-extension://dihbgbndebgnbjfmelmegjepbnkhlgni/",
  "chrome-extension://fcoeoabgfenejglbffodgkkbkcdhcgfn/",
  "chrome-extension://dngcpimnedloihjnnfngkgjoidhnaolf/"
  ]
}

For the non-technical reader, this is a Native Messaging manifest. It is the document a Chromium-based browser consults when a browser extension wants to call an executable on the local machine. Native Messaging hosts run outside the browser sandbox, at the same privilege level as the user. If a browser extension with one of the three IDs listed above reaches my Brave install, Brave is pre-authorised to spawn the binary at /Applications/Claude.app/Contents/Helpers/chrome-native-host on my laptop with my access permissions.

I did not install any Anthropic browser extension. I have never installed a Claude browser extension due to privacy and security concerns. I did install Claude Desktop, the Mac app, a while back. That is the only thing on this machine which could have written the file. Claude Desktop reached into Brave, a browser from a completely separate vendor, and registered a back door for a browser extension I do not have.

One clarification before I continue, because the Anthropic ecosystem has two products whose names blur together. This article is about Claude Desktop, the Electron-based macOS application with bundle identifier com.anthropic.claudefordesktop, distributed as Claude.app. It is not about Claude Code, Anthropic's command line developer tool. Claude Code has its own, separately documented, Native Messaging bridge with the filename com.anthropic.claude_code_browser_extension.json. The bridge this article is about is installed under a different filename, com.anthropic.claude_browser_extension.json, by a different product, under a different internal subsystem, and is entirely undocumented by Anthropic. The two bridges coexist. This article concerns the undocumented one.

At rest, the bridge does nothing. The binary does not run until a browser extension with one of the three listed IDs calls it. So on my machine, right now, nothing is happening. That is the one argument Anthropic will try to hide behind. Let me cut through it in advance.

When the paired extension is present and the bridge is activated, it exposes browser automation capabilities to whatever agentic process Claude is running. Anthropic describe those capabilities in their own public documentation. [...]

That is explicit authenticated session access, DOM state read, form filling, and screen capture, described by Anthropic on their own documentation site. If I have my bank open in a tab, the bridge's documented capabilities include reading it as me. If I have Tax, or my Health portal, or a client's Slack, or an admin console to production infrastructure, the documented capabilities include acting as me there.

The bridge runs outside the browser's sandbox at user privilege level, and Native Messaging hosts do not surface in any standard macOS process or permission UI; they are invoked by the browser and communicate over stdio.

This is the capability that Anthropic pre-stages on my laptop the moment I install their desktop application. Without telling me. Without asking me. Without offering me the chance to say no.

TFA says folders were also created for other browsers that weren't installed, so if any of those browsers were later installed, this would be active from the start. Apart from whether Anthropic needs this to function, looking at it from a higher level, the fact that you can do this sounds to me like a horrible security loophole that can be easily exploited.


Original Submission
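For the Native Messaging story above, a defender can enumerate these registrations directly. This is an added example, not code from the article or from Anthropic: it parses every per-user Native Messaging manifest under macOS's Application Support directory and flags those whose allowed extension IDs are not installed in that browser. The function names and the `pre_staged` label are this example's own, and system-wide manifest directories are not covered.

```python
import json
from pathlib import Path

PREFIX = "chrome-extension://"

def parse_manifest(text):
    """Return (name, host binary path, allowed extension IDs) from a manifest."""
    doc = json.loads(text)
    ids = [o[len(PREFIX):].strip("/") for o in doc.get("allowed_origins", [])
           if o.startswith(PREFIX)]
    return str(doc.get("name", "")), str(doc.get("path", "")), ids

def installed_extension_ids(browser_dir):
    """IDs of extensions installed in any profile (<profile>/Extensions/<id>/).
    Unpacked developer-mode extensions live elsewhere and are not seen here."""
    return {p.name for p in Path(browser_dir).glob("*/Extensions/*") if p.is_dir()}

def audit_browser(browser_dir):
    """One finding per manifest in <browser_dir>/NativeMessagingHosts."""
    installed = installed_extension_ids(browser_dir)
    findings = []
    for mf in sorted(Path(browser_dir, "NativeMessagingHosts").glob("*.json")):
        try:
            name, host, ids = parse_manifest(mf.read_text(encoding="utf-8"))
        except (OSError, ValueError, AttributeError) as exc:
            findings.append({"manifest": str(mf), "error": str(exc)})
            continue
        present = sorted(set(ids) & installed)
        findings.append({
            "manifest": str(mf), "name": name, "host_path": host,
            "host_exists": Path(host).is_file(),
            "allowed_ids": ids, "installed_ids": present,
            # Bridge registered although no permitted extension is installed.
            "pre_staged": not present,
        })
    return findings

def audit_user(app_support=None):
    """Audit every per-user Chromium-style data directory on macOS."""
    root = Path(app_support or Path.home() / "Library/Application Support")
    dirs = (set(root.glob("*/NativeMessagingHosts"))
            | set(root.glob("*/*/NativeMessagingHosts")))
    return [f for d in sorted(dirs) for f in audit_browser(d.parent)]

if __name__ == "__main__":
    for finding in audit_user():
        print(json.dumps(finding, indent=2))
```

Run against the manifest quoted in the story, with none of the three extensions installed, the finding comes back with `pre_staged` set to true.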

posted by hubie on Monday May 04, @07:07PM   Printer-friendly

https://lwn.net/Articles/1070864/

Terence Eden reports that the UK's National Health Service (NHS) is preparing to close almost all of its open-source repositories as a response to LLM tools, such as Anthropic's Mythos, becoming more sophisticated at finding security vulnerabilities. He does not, to put it mildly, agree with the decision:

The majority of code repos published by the NHS are not meaningfully affected by any advance in security scanning. They're mostly data sets, internal tools, guidance, research tools, front-end design and the like. There is nothing in them which could realistically lead to a security incident.

When I was working at NHSX during the pandemic, we were so confident of the safety and necessity of open source, we made sure the Covid Contact Tracing app was open sourced the minute it was available to the public. That was a nationally mandated app, installed on millions of phones, subject to intense scrutiny from hostile powers - and yet, despite publishing the code, architecture and documentation, the open source code caused zero security incidents.

Furthermore, this new guidance is in direct contradiction to the UK's Tech Code of Practice point 3 "Be open and use open source" which insists on code being open.


Original Submission