Feed aggregator

The AI systems approved for Ontario healthcare providers routinely missed critical details, inserted incorrect information, and hallucinated content that neither patients nor clinicians mentioned, according to a provincial audit of 20 approved vendors’ systems. The findings come from the Office of the Auditor General of Ontario, Canada, and are included in a larger report about the state of AI usage by public services in the province. They specifically address the AI Scribe program, the Ontario Ministry of Health initiated for physicians, nurse practitioners, and other healthcare professionals across the broader health sector. As part of the procurement process, officials conducted evaluations using simulated doctor-patient recordings. Medical professionals then reviewed the original recordings alongside the AI-generated notes to evaluate their accuracy. What they found was, frankly, shocking for anyone concerned about the accuracy of AI in critical situations. Nine out of 20 AI systems reportedly “fabricated information and made suggestions to patients' treatment plans” that weren’t discussed in the recordings. According to the report, evaluators spotted potentially devastating incorrect information in the sample reports, such as no masses being found, or patients being anxious, even though these things were never discussed in the recordings. Twelve of the 20 systems evaluated inserted incorrect drug information into patient notes, while 17 of the systems “missed key details about the patients’ mental health issues” that were discussed in the recordings. Six of the systems “missed the patients’ mental health issues fully or partially or were missing key details,” per the report. OntarioMD, a group that offers support for physicians in adopting new technologies and was involved in the AI Scribe procurement process, has recommended that doctors manually review their AI notes for accuracy, but the report notes there’s no mandatory attestation feature in any of the AI Scribe-approved systems. Bad evaluations don’t help, either AI systems making mistakes isn’t exactly shocking. As we’ve reported previously, consumer-focused AI has a tendency to provide bad medical information to users, and some studies have found large language models failed to produce appropriate differential diagnoses in roughly 80 percent of tested cases. But the tools evaluated here are for doctors, not consumers, and such poor performance necessitates explanation. A good portion of the report blames how the systems were evaluated. According to the report, the weight given to various categories of AI Scribe performances was wonky. While 30 percent of a platform’s evaluation score depended solely on whether they had a domestic presence in Ontario, the accuracy of medical notes contributed only 4 percent to the total score. Bias controls accounted for only 2 percent of the total evaluation score; threat, risk, and privacy assessments counted for another 2 percent; and SOC 2 Type 2 compliance contributed an additional 4 percentage points. In other words, criteria tied to accuracy, bias controls, and key security and privacy safeguards made up only a small portion of the total evaluation score for the AI Scribe systems. “Inaccurate weightings could result in the selection of vendors whose AI tools may produce inaccurate or biased medical records or lack adequate protection to safeguard sensitive personal health information,” the report said of the scoring regime. The Register reached out to the Ontario Health Ministry for its take on the report, and whether it was going to conform to its recommendations for the AI Scribe program, but we didn’t immediately hear back. A spokesperson for the Ministry told the CBC on Wednesday that more than 5,000 physicians in Ontario are participating in the AI Scribe program and there have been no known reports of patient harms associated with the technology. ®

Google doesn't design mouse traps, so it's trying to design a better mouse. Google DeepMind announced a research effort to transform the standard computer mouse cursor into a context-aware, AI-powered tool, marking what the company described as the first major rethinking of the cursor in more than 50 years. The project by researchers Adrien Baranes and Rob Marchant integrated Google's Gemini AI model with an experimental context-aware mouse pointer. In this way, the company said, the system can understand where a user clicks, what they are clicking on, and the likely intent behind the interaction. Researchers said there is a persistent friction in how people currently interact with AI tools. Most AI assistants today live in a separate window, requiring users to copy, paste, or drag content into a chat interface before receiving help. The new approach aims to reverse that dynamic. "We want the opposite: intuitive AI that meets users across all the tools they use, without interrupting their flow," the researchers stated in the blog post. The mouse pointer works alongside the computer’s microphone, allowing Gemini to listen as the user points. This lets users refer to features on the screen with object pronouns like “this” and “that.” In a demonstration website, a user can hover a cursor over a crab and say “move this here,” and the system understands enough context to grab the crab and move it to where the cursor indicates. The first computer mouse, a one-button prototype with metal wheels for the x- and y-axis, was built out of wood in 1964 and was patented in 1970 by its inventors Doug Engelbart and Bill English, who worked at the Stanford Research Institute. Engelbart foresaw a day when humans and computers would interact more easily and naturally, which he talked about during his 1997 acceptance speech for the Lemelson-MIT Prize. “The computer technology, the digital capabilities, it’s affecting communications, displays, storage, computer processing. It’s affecting the way you can interface to things a lot more flexibly,” he said. “That’s going to be so pervasively high-impact in our society and our organizations that it's more than anything we’ve had to cope with evolutionary wise.” Maintain the flow At Google, the team said it laid out four design principles guiding the project. The first, which the researchers called "Maintain the flow," stated that AI capabilities should work across all applications rather than forcing users into separate AI-specific environments. Under this principle, a user could point at a PDF and request a summary, or hover over a statistics table and ask for a chart, all without leaving the current application. The next, "Show and tell," addressed the burden of prompt writing. The researchers stated that an AI-enabled pointer could capture visual and semantic context from the screen, reducing the need for users to write detailed text instructions to the model. They also developed the AI cursor based on how humans naturally communicate using short phrases and gestures like “this” and “that.” The researchers stated that the system would allow users to issue commands like "Fix this" or "Move that here" while the AI fills in the contextual gaps. The fourth principle, "Turn pixels into actionable entities," lets the pointer recognize structured objects within on-screen content. The researchers stated that this capability could turn a photo of a handwritten note into an interactive to-do list, or convert a paused video frame showing a restaurant into a booking link. In the blog, the researchers said that Google DeepMind has already begun integrating the lessons learned into products. A feature called Magic Pointer will soon roll out on the forthcoming Googlebook laptop platform, which The Chocolate Factory introduced earlier this week. The company said the technology will also allow users of Gemini in Chrome to point at specific parts of a webpage and ask questions, rather than composing a full text prompt. Experimental demos of the AI-enabled pointer are currently available through Google AI Studio, where users can test image-editing and map-based interactions using the point-and-speak approach. The company said it plans to continue testing the concept across additional platforms, including Google Labs' Disco. ®

Anthropic is pushing into the small business space with a set of new plug-and-play tools designed for those without a tech team budget, but be warned: Depending on your Anthropic subscription tier, some business data might get sucked up to train Claude. Anthropic announced Claude for Small Business (CSB) on Wednesday, describing the new plugin as a way for SMB owners without AI expertise to automate the basic business tasks they’re saddled with, like payroll, chasing payments, and launching campaigns, that are usually the purview of different departments at the enterprise level. Installation is designed to be dead simple, with Pro, Max, and Teams plan users able to add it as a plugin from the Cowork space in the Claude Desktop app. Skills can then be run using natural language prompts or slash commands outlined here. Users will find “a package of connectors and ready-to-run workflows” inside the CSB plugin, according to the announcement. The aforementioned capabilities of the plugin are part of 15 skills based on common repeatable business tasks, while 15 agentic workflows are also included across areas like finance, operations, marketing and the like. As for the connectors themselves, Anthropic specifically mentions seven of them included in Claude for Small Business: Intuit Quickbooks, PayPal, HubSpot, Canva, Docusign, Google Workspace, and Microsoft 365. An Anthropic spokesperson told The Register in an email that CSB isn’t limited to those connectors, but the skills and workflows rolling out for the plugin were only optimized for those connectors to start. Anthropic told us it chose those products based on the results of a survey of SMB owners, but it plans to add support for more connectors in the coming months. In other words, if you’re a small business owner and you rely on a platform not on that list, you’ll have to keep waiting a while longer if you want to pull that info into Claude. Gotta reach ‘em all It's logical that Anthropic is pushing into the SMB space. The company has seen a leap in business customer subscriptions this year, taking advantage of OpenAI’s slip in the professional user space, and with growth comes the search for new markets to tap. As Anthropic notes in the announcement, and as many analysts have pointed out, AI adoption among SMBs has historically lagged enterprises. That’s to be expected, of course: Enterprises have far more resources to invest in new, unproven technologies and the money to absorb failure when said new tech doesn’t pan out as expected. Anthropic said in its CSB announcement that it specifically designed the new plugin for “those who have historically been last in line for new technology,” or small businesses, in other words. The company also launched an AI fluency for small business course to help SMB owners understand what exactly they’re installing when they tell Claude to install CSB. But if you're taking part, you have to be OK with the idea that Anthropic might train its AI on your business data. Anthropic points out in the announcement that it doesn't train its AI models on the data of its business customers “on our Team and Enterprise Plans.” But as we noted above, Anthropic is marketing CSB to those on Pro, Max, and Teams plans, and the privacy policy page for Pro and Max says something quite different: “We will use your chats and coding sessions (including to improve our models),” the page states. “Chat and coding session data we may use for improving our models includes the entire related conversation, along with any content, custom styles or conversation preferences, as well as data collected when using Claude for Chrome.” Raw content from connectors isn’t included, the page explains, “though data may be included if it’s directly copied into your conversation with Claude.” This only applies to users who, under regular circumstances, have chosen to allow Anthropic to use chats to improve Claude, but it likely won’t shock any El Reg readers to learn that permission is on by default – Anthropic told us that it's on users to turn it off. If you're copacetic with all this, you can start using CSB today - there’s no extra cost associated with installing the tool for anyone on a Pro, Max, or Teams plan. ®

It looks like a popular blog post about the decline and fall of dBase has knocked the long-moribund database's website offline. Sic transit gloria mundi? We were rather entertained by a recent blog post on "Delphi Nightmares" mourning the passing of the online store for the dBase website: dBase: 1979-2026. When the post went up, the online shop at store.dbase.com was still online, but since the post was shared on Hacker News yesterday, even that has gone. One could say that after 47 years, dBase has finally been debased. It's an interesting telling of the decline and fall of what was once an industry titan, and for us, the disappearance of the site itself once the blog post went up is just the cherry on top. Indirectly, what turned into dBase started out as a tool called JPLDIS, written for the Jet Propulsion Laboratory's three Univac 1108 computers. A FORTRAN rewrite of the simpler Tymshare RETRIEVE [PDF] tool, it was started by Jack Hatfield and finished by Jeb Long. C. Wayne Ratliff then rewrote it in Intel 8080 assembly language for PTSDOS on his IMSAI 8080, and tried to sell it under the name Vulcan: he put an advert in BYTE Magazine, offering it for $50. It wasn't a hit, as he recounted in an interview with Susan Lammers. Serial entrepeneur Ed Tate hired him and licensed Vulcan. Tate set up a new company called Ashton-Tate – there was no Ashton, but he later bought a parrot, named it Ashton and made it the mascot. Ashton-Tate renamed the database to dBASE II – to sound more mature – raised the price dramatically, and sold the CP/M version as shrink-wrap software.The late John Walker noted in 1982 that it was "selling like hotcakes at $800 a pop." That same year, a PC version of dBase II became one of early commercial business applications for IBM's new PC. Former dBase Developer's Bulletin editor Jean-Pierre Martel's personal history of dBASE recounts how it remained one of the industry-standard apps throughout the 1980s. In 1984, the enhanced dBase III did even better, followed in 1986 by dBase III+, with a menu-driven UI as well as the infamous "dot prompt" command line. In 1988, dBase IV followed, but didn't include the promised compiler for the dBase programming language. This opened up opportunities for rivals. Nantucket's Clipper was one, which could compile dBase code into applications. It was already out there: because it didn't include the interactive language, that meant it didn't have the same primary UI, which protected it from being sued. Clipper ended up acquired by Computer Associates. Fox Software's FoxBase, later FoxPro, was another, and even Ratliff himself was impressed. Microsoft eventually acquired FoxPro. There were many others, and that was the real program for Ashton-Tate and the dBase product: its programming language became standardized, and because of trademark issues, known as xBase. Even before the era of "open source," there was a DOS shareware app called WAMPUM, which is still out there. There are a number of FOSS implementations, including Harbour and its fork xHarbour. The Harbour GitHub repo has seen some activity this year, and the xHarbour one some too. Once your expensive proprietary app's file format and programming language escape into the wild and become partially standardized, that can make it hard to keep making money from it. It looks like that finally spelled the end for dBase LLC… but in the meantime, the xBase language is alive and reasonably well considering its advanced age for a bit of software. ®

The EU's Digital Markets Act (DMA) has been kind to Mozilla, which says Firefox use is on the up as Europeans are given a choice of default browser on mobile. Through these browser selection screens, the company reckons 6 million users have opted for Firefox instead of what would otherwise have been Safari or Chrome, depending on whether they used an iPhone or Android device. Moz has seen the greatest success on iGadgets, with a 113 percent increase compared to a mere 12 percent rise on Android. This is less likely to be explained by overwhelming disdain for Safari than by the ways in which Apple and Google implemented these browser choice screens. Android devices display the browser selection screens upon first boot or after factory reset, whereas iPhone and iPad users are now shown the same screen as soon as they open Safari for the first time. The DMA obligations began applying in March 2024. Apple's implementation of the EU requirements was always going to lead to more people being prompted to select their browser than Google's, which mostly applies to new Android owners after the DMA was enforced, rather than existing users. Mozilla won't care, though, because not only are user numbers up, but user retention is also looking good – it is five times higher than before the DMA, by its reckoning. Other browser vendors have reported similar results, according to a recent European Commission review [PDF] of the DMA's efficacy, although it didn't cite any specific figures. Few vendors have published long-term results like Mozilla's, although Aloha, Brave, Opera, and Vivaldi all reported sizable uplifts in users in the initial days and weeks following the DMA's enforcement. Further, in recent publications [PDF], DuckDuckGo said around 40 percent more users selected its browser on Android thanks to the DMA browser choice screen. The privacy-focused tech biz offered the statistic in its submission to the UK government's consultation on how to maintain competition in online search. Moz also submitted its thoughts on the topic, and unsurprisingly, given they both benefited massively from them, both vendors want the same DMA-style browser choice screens to feature in the UK market. DuckDuckGo said they should be shown to users annually, and Google should be forced to remove its "Switch back to Google" prompt in Chrome. Mozilla wants the browser choice screens to be delivered to UK users in 2026, for the same users also to be presented with similar screens for default search engines, and for these measures to be enforceable rather than relying only on voluntary commitments from the relevant vendors. Criticizing the DMA, Moz added that it would also like to see the same measures applied to desktop browsers, alleging that Microsoft deploys deceptive design tactics to push its Edge browser. ®

When you think of a terminal emulator, you imagine a command line interface filled with ASCII text and a prompt. However, one developer has reimagined the experience to include inline 3D objects and image support. Dubbed Ratty by its creator Orhun Parmaksiz for its 3D spinning rat cursor, the terminal window itself is a 3D canvas that supports sprites and 3D models, can render 3D drawings in real time, and even includes its own graphics protocol. “Terminal emulators are a big part of our daily lives as developers but yet we are not making enough innovations in that space,” Parmaksiz told The Register in an email. “With Ratty I hope to inspire others to experiment with terminals and push the limits of what they can do.” Parmaksiz wrote in his blog post introducing Ratty that he accomplished the whole thing using his own Rust terminal interface library, Ratatui, along with the Bevy game engine, also built with Rust. The aforementioned Ratty Graphics Protocol was created in order to register 3D assets and place them in an anchored terminal cell space. “Ratty separates terminal emulation from presentation: one side handles PTY I/O and terminal parsing, while the other turns the result into a GPU-rendered 2D or 3D scene,” Parmaksiz explained. “This allows for a lot of flexibility in how the terminal output is displayed (e.g. you can warp the whole damn thing).” Ratatui ends up serving as the terminal rendering layer, Parmaksiz explained, taking whatever the terminal state is, rebuilding it in its own buffer, and rendering said buffer onto a texture that is then rendered via Bevy. Given its design, be forewarned if you try to install and run Ratty: It’s going to eat up a lot of memory since it’s running a game engine. “I know, sacrificing 300 MB of RAM just to run a terminal emulator is a lot,” Parmaksiz said. “But everything comes with a cost, especially the spinning rat cursor.” Building the fourth temple Parmaksiz’s desire to push the limits of terminal emulators past their logical limits didn’t come from nowhere - he actually got inspiration from a source that some grey-hairs in the tech community might have been reminded of at the very beginning of this story: TempleOS. For those unfamiliar with TempleOS, it’s an operating system that was developed by the late Terry Davis, a schizophrenic, and arguably genius, software developer who believed he was building the OS at the command of God to serve as a digital Jewish Third Temple. Using TempleOS is an exercise in frustration given its confusing interface, not to mention deliberate constraints (Davis believed its 640x480 desktop, 16-color display, single-voice audio and other features were part of God’s commandment), but it also included a fascinating capability not seen in other OSes: first-class, insertable sprites on the command line. “I was blown away by the creativity and passion behind it,” Parmaksiz told us of TempleOS, noting that 3D command line sprites in the OS were his inspiration for Ratty. “I wanted to see how adopting that to a modern-day terminal emulator would look like and experimented with a couple of other things while I was at it. I'm super happy with the result!” Parmaksiz told us that a number of people instantly caught on to the TempleOS inspiration, and that the feedback has been overwhelmingly positive. That said, he also admitted that most people who’ve used it have been scratching their heads over an actual use case. “I think this will also clarify itself if we give it more time,” Parmaksiz said in his email. “I mean... I really would like to see a full-fledged CAD program in the terminal built with Ratty Graphical Protocol at some point!” Whether that’ll ever happen remains to be seen - this is purely a fun project for now and Parmaksiz isn’t even sure it’s in his personal time budget to continue to maintain. “I'm just testing the waters for now, but the reception has been amazing so far. I would be happy to continue development if people start using Ratty and start developing cool things with it,” Parmaksiz said, noting that the code is open and he’d be thrilled if others contributed. Parmaksiz has developed a Ratatui widget that enables devs to build applications that run in Ratty, like a temple runner knockoff. “My ultimate goal with Ratty is to explore the possibilities of what a terminal can be and inspire new ideas and projects in the terminal space,” Parmaksiz wrote in his blog post. “I believe these kinds of experiments are where creativity is born and I hope to spark some ideas for the future of terminals.” ®

cURL developer Daniel Stenberg has seen Anthropic’s Mythos, a model the AI biz has suggested is too capable at finding security holes to release publicly, scan his popular open source project. But after the system turned up just a single vulnerability, he concluded the hype around Mythos was “primarily marketing” rather than a major AI security breakthrough. Stenberg explained in a Monday blog post that he was promised access to Anthropic’s Mythos model - sort of - through the AI biz’s Project Glasswing program. Part of Glasswing involves giving high-profile open source projects access via the Linux Foundation, but while Stenberg signed up to try Mythos, he said he never actually received direct access to the model. Instead, someone else with access ran Mythos against curl’s codebase and later sent him a report. “It’s not that I would have a lot of time to explore lots of different prompts and doing deep dive adventures anyway,” Stenberg explained. “Getting the tool to generate a first proper scan and analysis would be great, whoever did it.” That scan, which analyzed curl’s git repository at a recent master-branch commit, was sent back to him earlier this month, and it found just five things that it claimed were “confirmed security vulnerabilities” in cURL. Saying he had expected an extensive list of vulnerabilities, Stenberg wrote that the report “felt like nothing,” and that feeling was further validated by a review of Mythos’ findings. “Once my curl security team fellows and I had poked on this short list for a number of hours and dug into the details, we had trimmed the list down and were left with one confirmed vulnerability,” Stenberg said, bringing us back to the aforementioned number. As for the other four, three turned out to be false positives that pointed out cURL shortcomings already noted in API documentation, while the team deemed the fourth to be just a simple bug. “The single confirmed vulnerability is going to end up a severity low CVE planned to get published in sync with our pending next curl release 8.21.0 in late June,” the cURL meister noted. “The flaw is not going to make anyone grasp for breath.” That said, Mythos did find several other non-security bugs that Stenberg said the team is working on fixing, and he notes that their description and explanation were well done. Mythos can do good work, in other words, but it’s not a ground-breaking, game-changing AI model like Anthropic has claimed. “My personal conclusion can however not end up with anything else than that the big hype around this model so far was primarily marketing,” Stenberg said in the blog post. “I see no evidence that this setup finds issues to any particular higher or more advanced degree than the other tools have done before Mythos.” cURL code is no stranger to AI To say cURL has become widely used in its nearly three decades of existence would be an understatement. Its wide reach has meant that its team has been running it through all sorts of static code analyzers and fuzz testing it since well before the dawn of the AI age. With AI’s rise, the cURL team has adapted, meaning Mythos is hardly the first AI to get its fingers on cURL’s codebase. “These tools and the analyses they have done have triggered somewhere between two and three hundred bugfixes merged in curl through-out the recent 8-10 months or so,” Stenberg said of tools like AISLE, Zeropath, and OpenAI Codex Security that’ve tested cURL code. “A bunch of the findings these AI tools reported were confirmed vulnerabilities and have been published as CVEs. Probably a dozen or more.” Stenberg’s experience with AI testing cURL, in other words, makes it a great candidate to see how effective Mythos can really be at finding more than the average AI. As Stenberg noted elsewhere in his blog post, Mythos isn’t doing anything particularly novel when it comes to security discoveries: It might be a bit better at finding things than previous models, but “it is not better to a degree that seems to make a significant dent in code analyzing,” the cURL author noted. Stenberg isn’t an AI doomer when it comes to its ability to improve software design, though. Yes, he may have closed the cURL bug bounty earlier this year due to an influx of sloppy, useless bug reports, but he also noted a few months prior to the bounty closure that some security researchers assisted by AI have made valuable reports. “AI powered code analyzers are significantly better at finding security flaws and mistakes in source code than any traditional code analyzers did in the past,” Stenberg said, adding an important qualifier for the Mythos moment: “All modern AI models are good at this now.” Mythos isn’t any more creative than its creators Both older AI models and security-focused tools like Mythos have a common limitation, as far as Stenberg is concerned: They’re only as good at finding security vulnerabilities as the humans who programmed them. “AI tools find the usual and established kind of errors we already know about. It just finds new instances of them,” Stenberg said. “We have not seen any AI so far report a vulnerability that would somehow be of a novel kind or something totally new.” As for Mythos, Stenberg remains unimpressed, calling it "an amazingly successful marketing stunt for sure" in his blog post. In an email to The Register, Stenberg admitted that it’d be possible for AI models to actually discover new, novel types of vulnerabilities, but he’s still not convinced that they can go beyond what humans are capable of finding, given that they’re limited by our understanding of how software vulnerabilities work. At the end of the day, Stenberg explained, when we talk about security, we’re only talking about code. “Source code is text and it feels like maybe we already know about most ways we can do security problems in it,” he pondered in his email. In other words, like the valuable AI-assisted reports made to the cURL bug bounty program before its closure due to a flood of AI garbage, making valuable use of systems like Mythos is going to require humans to get creative. Sorry, no foisting your critical thinking onto a bot. “Human researchers have always used tools when they look for security problems,” Stenberg told us. “Adding AIs to the mix gives the humans even more powerful tools to use, more ways to find problems. I expect that many security bugs going forward will be found by humans coming up with new ways and angles of prompting the AIs.” Stenberg said that he hopes he’ll actually get his hands on Mythos so he can experiment with its capabilities, but he doesn’t seem to be holding out hope the promised access will materialize. “I have been promised access and for all I know I will eventually get it,” Stenberg told us. “I just don't know when.” ®

If you're using Quick Steps in Microsoft Outlook and wondering why they're grayed out, a bug introduced in version 2512 is the culprit. Classic Outlook is approaching the twilight years of its prodigiously long life, but users can still fall victim to productivity-killing bugs – in this case, a problem with Quick Steps. Quick Steps automates common or repetitive tasks in Outlook. Always have to move a bunch of messages to a specific folder? Quick Steps is your friend. Pin an email and mark it as unread? Again, the actions can be lined up in Quick Steps and executed with a single click or a keyboard shortcut. Until Microsoft breaks it. In a support article, Microsoft has confirmed that in some situations, Quick Steps in classic Outlook can appear grayed out. The workaround (if rolling back or switching clients isn't an option) is to use a keyboard shortcut. "The shortcut will work even if the Quick Step is grayed out in the user interface," Microsoft wrote. The problem is that if a Quick Step contains actions that "can't be fulfilled," it's grayed out. Microsoft's own the example states: "A Quick Step that moves a message to a folder and clears categories will be grayed out in messages where there are no categories applied." "This is known to happen with Quick Steps with Flags and Categories actions such as 'Clear flags on message' or 'Clear categories'." Classic Outlook has suffered several glitches of late. Microsoft admitted in April that it could occasionally chow down on system resources for no obvious reason. Then there was its tendency to explode when opening too many emails. Microsoft has been clear that Classic Outlook's days are numbered. Outlook 2024 is due to drop out of mainstream support in 2029. However, there remains much that Classic Outlook does which New Outlook doesn't, such as COM support. And, when Microsoft hasn’t broken them, Quick Steps. ®

The next major release of macOS looks likely to remove Apple Filing Protocol (AFP) support, stopping Time Capsules from working… but life FOSS, uh, finds a way. The current version of macOS "Tahoe" 26.4 already has network Time Machine issues, especially for folks using Apple Time Capsules. It looks like macOS 27 may completely remove the network protocol they need. However, the Time Capsules run NetBSD under the hood, and that means that the FOSS world has been able to come up with a workaround. It's called TimeCapsuleSMB, and it aims to keep older Time Capsules usable with modern macOS. It's eight months since Apple released macOS 26, and the company's annual release schedule means that macOS 27 is looming. Although Cupertino hasn't told the world much about it yet, it is warning sysadmins to "prepare your network environment for stricter security requirements." Reading the bulletin, we found it rather clixby: while it firmly warns that security checks will become stricter, it doesn't spell out what products will change or how. Happily, there are elder Mac gurus out there who interpret Apple's sometimes Delphic utterances, and Howard Oakley is one of the greatest. In a post about networking changes coming in macOS 27, he translates that it will require TLS 1.2 or above. (The Register explained TLS back in 2002, and version 1.2 appeared about six years later.) However, he also warns that it could mean the end of AFP, which is basically Appletalk-over-TCP/IP version 3.4. AppleTalk was the Mac network protocol for file sharing from System 6 onward. In 2013, OS X 10.9 "Mavericks" made Microsoft's SMB the default file-sharing protocol in place of AFP, and it looks like AFP now faces the ax: it was officially deprecated in macOS 15.5. To be fair, macOS 26 Macs started displaying a warning to Time Capsule users nearly a year ago. Apple introduced the first model of Time Capsule in 2008, and the fifth-generation version in 2013. The company discontinued the whole AirPort product line in 2018. All generations only support AFP and SMB version 1. That’s the original version that appeared with LAN Manager in 1987, and we reported on Samba dropping SMB1 back in 2022. The good news is that even if Apple kills its original file-sharing protocol next year, the FOSS community is on the case and won't let working kit die. The Time Capsule hardware is essentially a box containing a Wi-Fi access point and a hard disk, and an Arm chip with just enough software to share that HDD as network-attached storage. Apple didn't write this software from scratch: it picked up and customized NetBSD for the job. The first four generations of Time Capsule (flat square boxes) run NetBSD 4, and the fifth-gen devices – the tall tower-shaped models from 2013 onward – run NetBSD 6. That gave Microsoft's James Chang an opening. Since the devices run NetBSD, it's possible to compile a newer version of Samba, and copy it somewhere that the tiny embedded Arm computer can find it. Teaching such old kit a new trick is never that easy, though, and he faced a number of challenges, which he details in the design section of the project README. Among them are machines that only have about 900 KB of available disk space – less than 1 MB – and a tiny 16 MB RAMdisk. He settled on Samba 4.8, which dates back to 2018, the same year Apple discontinued the product line, but which includes the necessary Time Machine support, via a module named vfs_fruit. The TimeCapsuleSMB docs are worth a read. We found his descriptions of how he worked around the hardware's very significant limitations impressive. Notably, on the early models, you'll need to manually reload the software every time you reboot the Time Capsule. The final model can do this automatically. Don't fret at the thought of backing up to such an elderly spinning hard disk: iFixit has descriptions of how to replace the drive in both the early models and the later ones too. ®

Negative reactions are mounting against the UK National Health Service's plan to back away from open source – and you can add your voice. On Monday, The Register reported that the management at the NHS told its tech leadership to wall off the organization's FOSS repositories due to concerns about new LLM bug-hunting tools finding security vulnerabilities. If you will pardon a Douglas Adams quotation, this has made a lot of people very angry and been widely regarded as a bad move. One of the first reactions that The Reg FOSS desk received was from the Free Software Foundation Europe (FSFE), which sent it to us both by email and direct message. The FSFE says NHS England should not hide public code behind closed doors, and we feel that it has a good point. If you agree, there's an open letter to which you can attach your name. It's called "An open letter asking NHS England to keep its code open" on the simple and memorable domain keepthingsopen.com. At the time of writing, it has 812 signatures. By the time you read this, this vulture, whose shattered limbs have been reassembled by the NHS more than once, will appear on the list too. As a more general point, there is also a petition to the UK Parliament: "Migrate UK civil service to open-source software for data sovereignty & security." As a sensible step toward digital sovereignty and independence from systems and services run by other countries – countries that may not always be the friendly allies they have been – this, too, strikes us as a good move. If public money is paying for computer software, the code should be public as well. ®

Who needs power outlets when you can charge off of animal labor? The next time someone asks you if a hamster running on a wheel can produce a measurable amount of energy, you can point them to one inventive young YouTuber who has proven that the answer isn’t just yes - it’s also enough energy to harvest. Flamethrower, a Spanish YouTuber whose channel is full of experiments and DIY projects, most recently took to the video platform to post about his experiment in turning his brother’s hamster’s wheel into a machine he could use to charge his smartphone. “After my parents prohibited me from genetically or cybernetically modifying it,” Flamethrower explained in the video, “I deemed its existence … unacceptably useless. So what did I do? Exploit it for energy production, of course.” As anyone who’s owned a hamster knows, midnight runs on a squeaky wheel can be obnoxious to say the least. Sleepless nights, combined with memories of cartoons where hamster wheels powered the contraptions of evil geniuses, gave the young maker an idea: Strap a turbine to the wheel and make that hamster earn its keep. Of course, it’s not as simple as just attaching a 5V electric motor to use as a turbine and wiring it up to a USB-C plug. Hamsters can’t exactly be cajoled onto a wheel for regular charging shifts, and even if they could be, keeping them running at a charging pace would be pretty much impossible. “Say you have one of those common 5V DC motors,” Flamethrower explained. “Unless you spin that at over 10,000 RPM you wouldn't even reach the standard 15-watt charging speed” of most modern smartphones. “Forget about quick charging,” he added. “The motor would probably melt before that.” To get around those limitations, Flamethrower turned to the CJMCU-2557 low-power energy-harvesting chip. Energy harvesters like the 2557 (albeit larger ones) are designed to boost and regulate tiny amounts of input power, from sources such as solar cells or generators, into a usable voltage suitable for charging components like a capacitor or, in this case, a single lithium-ion battery cell. After doing some wiring work and putting the contraption together, Flamethrower left it to run overnight, and woke to a battery with enough charge in it to provide juice to his phone, though the amount wasn’t substantial. “I haven't measured exactly how much battery it can charge,” Flamethrower told us in an email. “It's not a lot, so it certainly won't fill the entirety of a phone's battery in a single night, although of course the energy generated each day can vary a lot based on the hamster's mood.” “I did a very rough calculation and the current generated might be like around an amp when the fella is running,” Flamethrower added. In other words, as frenetic as a hamster can get, it’s still not producing that much energy. Regardless, the young inventor told us that he is still using the device, and that it’s proved to be fantastic for providing energy to charge the family's smartwatches. As for whether he might consider attaching a bigger battery, that might be a bit overkill, he told us. “In any case, the CJMCU-2557 is only meant to charge 1 cell,” Flamethrower said. “There are, admittedly, slightly higher capacity cells, but I use it frequently enough to not have to care about reaching their limit.” A useful invention, then, if not a bit of an on-the-nose realization of a science-fiction dystopia trope. Hey, at least the hamster is happy and putting all that necessary calorie burning to work for a good cause - if we all used our pets' episodes of the zoomies to charge our devices, think of the load on the grid we could save. ®

NASA's Curiosity Rover got a rock stuck to the drill at the end of its robotic arm, necessitating some remote-controlled shaking and jiggling to free the tool. We've all been there, doing a bit of do-it-yourself with a power tool when something awful happens. It might be hitting a pipe while drilling a hole for a Rawlplug. Or punching through a drywall to find nothing beyond. In this case, NASA's trundlebot drilled a sample from a rock, lifted its drill and… the rock came too. The rock, dubbed "Atacama" and measuring 1.5 feet in diameter at its base and 6 inches thick, weighed approximately 28.6 pounds (13 kilograms). After drilling the sample on April 25, the rover operators retracted Curiosity's arm as they had done many times before. However, this time, the entire rock was lifted, "suspended by the fixed sleeve that surrounds the rotating drill bit," according to NASA. So what to do? Had a human been there, a swift poke of the drill would have removed the offending chunk of Mars. But the nearest humans are millions of miles away on Earth, so some remote control shenanigans were needed. First, the team tried vibrating the drill to shake off the rock. No joy. On April 29, they tried reorienting the robotic arm and vibrating the drill again. Some sand shook loose, but Atacama remained firmly attached to the drill. Finally, on May 1, the team tried tilting the drill more, rotating and vibrating the drill, and spinning the drill bit, and success! The rock tumbled off, fracturing on the ground. The rover has been trundling around Mars since 2012, and its drill has presented engineers with the odd headache or two. In 2016, the tool's feed mechanism, responsible for moving the bit into and out of rocks, didn't move when commanded. The solution was to use the robotic arm instead, and first drill a shallow pilot hole. "This," wrote NASA, "lets Curiosity adjust its arm motion and avoid getting stuck while drilling kind of like you might adjust your arm while drilling into a wall at home." The latest incident is also, at least as far as this writer is concerned, just like drilling into a wall at home: a bit more wall than expected came away. And sadly, unlike this writer, NASA can't simply call out a professional to do the job properly. ®

Denic says the DNS blunder that brought most of Germany’s internet down on Tuesday evening is now resolved, and that websites should be operating normally after hours of disruption. The registry, which looks after Germany’s .de top-level domain, said the problems were first detected at 21:57 on April 5, but engineers rolled out fixes by 01:15. It said the issues were related to Domain Name System Security Extensions (DNSSEC), and that faulty DNSSEC signatures were distributed. At the time of writing, it is still working on understanding the root cause of how this error came to pass. Denic did not provide many details about the specific tech glitch behind the disruption. Some online commentators have suggested it was related to a zone signing key rollover, although not everyone agrees, and this is not an official explanation. The registry promised to provide more details after its investigation concludes. As the issue was rooted in DNSSEC, only DNSSEC-signed domains were affected. According to ICANN, only 3.6 percent of .de domains are DNSSEC-signed, but this still represents hundreds of thousands of domains, given there are close to 18 million registered with the .de TLD. Downdetector’s German website shows thousands of outage reports made concerning major websites such as Amazon, DHL, Steam, Web.de, around the same times that Denic confirmed the problems. Anecdotal reports from the wider web indicate that the likes of eBay and mainstream news outlets were also unavailable. Enabling DNSSEC helps website owners tackle nuisances such as DNS spoofing by providing additional validation for DNS responses. Despite going mainstream in 2010, after DNS attacks really started picking up in 2008, DNSSEC uptake is generally low across the board. Less than 10 percent of most TLDs make use of the security extensions. There are a few outliers, including the Netherlands, Sweden, Czechia, and China, where uptake is more common, but DNSSEC is largely overlooked by most domains. The issues deterring website operators from making the switch include complexity, reduced web performance, and cases like Denic’s this week or New Zealand’s in 2023, whereby a website can be brought offline by a registry’s failure. ®

Firefox 149 quietly shipped an interesting new feature buried in the code. As Mozilla bug #2013888 documents, the browser maker incorporated Brave's Rust-based adblock engine back in March - a detail surfaced in a blog post by Shivan Kaul Sahib, VP of Privacy and Security at Brave. The important thing here is that although Firefox has picked up the core Rust code that Brave uses for its internal ad-blocker, that's not what Firefox is using it for. Right now, in fact, it's disabled by default, but as a post from the official Firefox Reddit account says: The Firefox team is experimenting with ways to improve the built-in Enhanced Tracking Protection feature in Firefox. This is one of the libraries we're going to experiment with... Note: We are not bundling Brave's ad-blocking system, we're testing one of their open source Rust components to improve how Firefox processes tracker lists. In other words, inclusion of the code is experimental, and it's not intended for blocking ads. That's presumably also why it didn't appear in the release notes for either the early March beta or the late March release. So, yes, there is code for an ad-blocker in the last two versions of Firefox, but it’s off by default, and there’s no user interface to enable it. (There are ways round this, and we'll return to that later.) That said, the code from Brave can do this – because as it happens, the privacy-enhanced Waterfox fork of Mozilla's browser is also experimenting with a built-in ad-blocker, and it's using the same code. Waterfox recently celebrated its 15th birthday, and recent releases have an experimental built-in ad-blocker. At the time of writing, the latest version is 6.6.12, and that version's release notes mention the experimental ad-blocker, and link to the feature's feedback page which has more info. This says: The core is adblock-rs, Brave's Rust adblock engine. I started development back in January, and by happy coincidence Mozilla did a better job of integrating the crate in Bug 2013888, so I could piggyback off of that work. Waterfox recently integrated another popular add-on. The last major release, Waterfox 6.6.0 in August last year - rebased on the new Firefox 140 ESR - included a native vertical tab bar. As revealed in a 2024 blog post, this is based on an integrated version of the popular Tree Style Tab extension. The new ad-blocker works similarly. If you enable it, on restart, Waterfox looks for other ad-blockers, such as Reg FOSS desk recommendation uBlock Origin, and offers to disable them. We tried this, and the uBO icon in the toolbar is replaced by a no-entry symbol, with a small number overlaid to show how many ads were blocked on the current page. (For instance, just two for Astronomy Picture of the Day, but 38 – and counting – for MSN.co.uk. And that's on top of network-level blocking from our Pi-hole.) So, experimental or not, adblock-rs is in there and it does work. It is possible to enable the version embedded in the desktop version of Firefox. It's controlled by two settings in about:config. The problem is that enabling it is not as simple as installing an extension, because extensions are not allowed to change those advanced settings. There is an experimental add-on called adblock-rust Manager. The README there carefully walks you through the manual steps you need to perform to enable the engine and tell it what to block, and then the add-on can monitor it and tell you what it's doing. We tried it, and it seems to do a perfectly acceptable job. For now, though, unless you're curious, we suggest staying with uBlock Origin, which works fine and isn't going anywhere. ®

Vendor benchmark finds APIs let you do the job faster and cheaper

Amazon Web Services has let AI agents loose in its cloudy WorkSpaces virtual PCs.…

Securities regulator urges market players to develop new strategies and nail cyber-basics before AI models fuel mass attacks

India’s Securities and Exchange Board has advised participants in the nation’s equities industry to immediately revisit their information security systems and practices, in case Anthropic’s Mythos bug-finding AI sparks a cyberattack spree.…

An executive for ChatGPT maker OpenAI said in court testimony on Tuesday that the AI model developer expects to burn $50 billion on computing power before the end of the year. Cofounder and president Greg Brockman threw out the number, which was previously reported by Bloomberg, during OpenAI's closely watched legal battle with hype-fiend Elon Musk. If it wasn't obvious, that would be $50 billion of someone else's money. Nearly four years after ChatGPT kicked off the AI boom, OpenAI's leadership hasn't yet figured out how to turn a profit. Heck, the company can't even manage to hit its own revenue targets, if recent reports are to be believed. That hasn't stopped CEO Sam Altman from talking the likes of Microsoft, Amazon, SoftBank, Nvidia and others into issuing press releases claiming plans to invest tens of billions of dollars into his quest for AGI. (Or was it AI superintelligence? The goalposts haven't exactly been fixed in concrete.) We're not sure if "investment" adequately captures the roundabout financial engineering that's gone into these highly publicized deals. Many are contingent on OpenAI using some of the pledged cash to lease massive quantities of compute either directly from its backers or their partners. Back in February, Amazon, Nvidia, and SoftBank announced a $110 billion investment in the AI startup, at least $80 billion of which came with strings attached. For example, OpenAI would need to rent two gigawatts of Amazon's Trainium AI accelerators and deploy its top GPT models in AWS to claim $35 billion of the $50 billion promised by the cloud titan. Similarly, Nvidia's $30 billion investment was tied to the deployment of five gigawatts of training and inference compute capacity at an estimated cost of $300 billion. In other words, these companies' investments in OpenAI are really more of a discount or rebate. It raises the question: Can OpenAI actually burn $50 billion in 2026, or is it simply throwing out more big numbers in hopes of maintaining an air of unassailable momentum? Place your bets – ideally in the form of burning as many heavily subsidized tokens as you can now, before prices inevitably rise. We've reached out to OpenAI for comment; we'll let you know if we hear anything back. ®

If the numbers are large enough, perhaps we won't question the math

An executive for ChatGPT maker OpenAI said in court testimony on Tuesday that the AI model developer expects to burn $50 billion on computing power before the end of the year.…

Astera Labs unveiled an alternative to Nvidia's NVSwitch for building rack-scale AI systems on Tuesday, claiming it will work with nearly any accelerator. The AI fabric switch, codenamed Scorpio X, crams 320 lanes of PCIe 6.0 connectivity into a single ASIC with 5.12 TB/s of bidirectional bandwidth. Historically, PCIe switches have been used in a variety of applications including scale-out compute fabrics. CPUs alone either didn't offer enough or fast enough lanes for all the GPUs, NICs, and storage required. So, rather than hanging everything off the CPU, a PCIe switch, often built into the NIC, was used to connect everything together. Astera contends that with a big enough switch, PCIe is a viable alternative to interconnects like NVLink, in the scale-up fabrics used to make dozens or more GPUs behave more like a single large one without needing to redesign their accelerators. However, Astera hasn't just built a bigger PCIe switch. Scorpio is equipped with many of the same in-network compute capabilities as Nvidia's NVSwitch, which help to accelerate collective communications. These communications are especially important for generative AI inference. Large language models have become rather chatty from a network standpoint as mixture-of-experts (MoE) architectures have caught on. MoE models are composed of multiple sub-models called experts. For each token generated, a different selection of experts, potentially running on different GPUs, may be used.  By moving collective communications to the switch, the GPUs spend less time waiting for the network to catch up and more time churning out tokens. Astera has gone so far as to develop a multicast operation optimized for MoE inference that it calls Hypercast. "One of the limitations of the standard multicast is the number of groups you can actually support, as well as the dynamic nature of needing to change those groups on the fly for mixture-of-experts models," Ahmad Danesh, AVP of product management at Astera, told El Reg. Where Scorpio fits in the scale-up ecosystem While there are clear benefits to using PCIe as a chip-to-chip interconnect, Scorpio isn't exactly a replacement for Nvidia's NVSwitch chips. NVSwitch 6, announced at CES in January, offers nearly 3x the bandwidth at 14.4 TB/s. However, Astera doesn't need to compete with NVSwitch directly. In fact, Astera announced plans to extend support for NVLink Fusion, Nvidia's attempt to open its high-speed interconnect to the broader ecosystem, last spring. Instead, Scorpio is being positioned more as a vendor agnostic alternative. Technologies like NVLink Fusion or the emerging UALink protocol are gaining traction, but chips need to be designed around them. PCIe works with just about anything because it's already used to get data in and out of the accelerators. For example, if you wanted to stitch together 32 or more Nvidia RTX Pro 6000 Server cards, you'd need a PCIe switch, since those GPUs don't support NVLink at all.  PCIe also makes it easier to mix and match chips for disaggregated inference architectures, like we've seen with Nvidia and Groq, AWS and Cerebras, or Intel and SambaNova. These architectures involve using one accelerator for compute heavy prefill operations and another for bandwidth intensive decode operations. For this to work, the chips have to be connected to one another. Many AI chip builders are doing this over Ethernet, but PCIe would be more direct. Alongside its Scorpio X family of chips, Astera is also expanding its Scorpio P-series switches with models ranging from 32 to 320 lanes of PCIe connectivity. All of these switches work with its COSMOS management suite, a hardware monitoring platform designed to help track down and resolve issues across the network fabric.  Astera's refreshed Scorpio switches are currently sampling with production expected to ramp in the second half of 2026. ®

High-speed connectivity without NVLink baggage

Astera Labs unveiled an alternative to Nvidia's NVSwitch for building rack-scale AI systems on Tuesday, claiming it will work with nearly any accelerator.…