Open Source

Mythos Detected 23,000 Vulnerabilities Across 1,000 OSS Projects

wiredmikey shares a report from SecurityWeek: Anthropic says its Claude Mythos model discovered thousands of severe vulnerabilities across more than 1,000 open source software (OSS) projects. According to the AI giant, Mythos Preview has identified more than 23,000 potential vulnerabilities. Of these, 1,900 have been reviewed by external security firms, and 1,726 have been confirmed, including over 1,000 rated "high" or "critical" severity.

The findings are still being reviewed, and Anthropic estimates that nearly 3,900 critical and high-severity vulnerabilities will be confirmed based only on current findings. As the scans are ongoing, the company believes the number of severe vulnerabilities may reach 6,200. Anthropic says more than 1,100 unverified findings have been reported to vendors, and 75 issues with a critical or high severity rating have been patched. Vendors have published 65 security advisories.
"The number of patches is still relatively low for three reasons. First, we're still early in the 90-day window that's set out in our Coordinated Vulnerability Disclosure policy: we expect many more patches to land soon," the AI company explained.

"Second, we are likely to be undercounting patches because some vulnerabilities are patched without a public advisory: in those cases, we're reliant on scanning for the patches ourselves using Claude. Third, the low volume of patches reflects a genuine problem: even at our relatively slow pace of disclosures, Mythos Preview is adding to an already-overloaded security ecosystem," it added.

Submission + - Internet Starts Coming Back In Iran After Months-Long Blackout (bbc.com)

An anonymous reader writes: Internet access has started to be restored in Iran after being cut off almost three months ago, the country's first vice-president has said. "The first step toward free and regulated access to cyberspace has been taken," Mohammad Reza Aref wrote on X on Tuesday. Internet monitoring groups Netblocks and Kentik reported "partial" restoration around 13:00 GMT, though the latter warned most networks were still down.

The Iranian government cut internet access following the launch of US and Israeli attacks on February 28. Officials suggested the aim was to prevent surveillance, espionage and cyber-attacks. It is one of the longest-running national internet shutdowns ever recorded worldwide. A content creator from Tehran told the BBC that he had been able to connect to the internet using his home WiFi on Tuesday. "The main point is, some of my income will come back," he said.

Netblocks said it was unclear whether the internet return would be sustained, and told the BBC it was consistent with what it had seen when previous blackouts were lifted — where restoration could take hours. "Access is not universally back to its original state, with some regional variation," said the global internet tracker’s research director Isik Mater on Tuesday. She added that there were signs of "more extensive filtering" than prior to January — when a similar blackout was imposed during the regime's deadly crackdown on anti-government protests — "including additional restrictions to messaging apps like WhatsApp."

The Almighty Buck

Spain Blocks Polymarket and Kalshi (engadget.com) 6

Spain has temporarily blocked Polymarket and Kalshi while it investigates whether the prediction-market platforms are violating gambling laws by operating without a license. Engadget reports: The country's ministry in charge of consumer affairs said it blocked the websites as a precautionary measure pending an official investigation. This investigation will determine if the platforms violate Spain's gambling laws. It's set to complete within the next four months and could mandate that these companies require specific administrative licenses to operate.

Transportation

Uber, Lyft Drivers In Massachusetts Form First US Ride-Share Union (usnews.com) 19

An anonymous reader quotes a report from Reuters: Ride-share drivers for app-based companies such as Uber and Lyft have unionized in Massachusetts, forming what state officials and labor leaders said was the first officially recognized organization in the U.S. to represent such gig workers. The newly formed App Drivers Union received certification from the Massachusetts Department of Labor Relations on Friday to represent nearly 70,000 ride-share drivers operating as independent contractors in the state.

"It changes the game for ride-share workers across this country," Massachusetts Governor Maura Healey, a Democrat, said at a rally with drivers and labor activists in Boston on Tuesday. The certification occurred after voters in November 2024 approved a ballot measure that created a novel framework to allow drivers for companies like Uber and Lyft to organize and bargain collectively over pay and benefits. That vote followed a years-long, nationwide battle over whether ride-share drivers should be considered independent contractors or employees entitled to benefits and wage protections.

Government

Netherlands Blocks US Takeover of Vital Digital Supplier (politico.eu) 42

"Following months of public debate and protests against American IT giant Kyndryl's proposed acquisition of Solvinity, a Dutch cloud provider that hosts the Netherlands' online identity platform, the Dutch government has decided to block the acquisition," writes longtime Slashdot reader rastakid. "The deal triggered fears that it would mean that 'DigiD' data would fall under foreign control, and could be demanded by U.S. authorities." Politico reports: In a letter to the national parliament published on Tuesday, State Secretary for Digital Economy Willemijn Aerdts said the national authority charged with screening investments had advised the government to block the acquisition. The purchase was seen as posing "a possible risk to the public interest."

The government on Monday decided to adopt the advice and block the acquisition, Aerdts said. "The Netherlands attaches great value to the presence of foreign, especially U.S.-based tech companies, and their added value to the Dutch economy and digital infrastructure, but it maintains, at the same time, an independent investment screening framework aimed at protecting the public interest and which applies equally to all investors, independent of their country of origin," the letter read.
Kyndryl said in a statement it was "extremely disappointed" about the decision. "The politicization of this process has overshadowed the clear and important benefits this transaction would have brought to Solvinity's customers and Dutch citizens."

Further reading: Challenges Face European Governments Pursuing 'Digital Sovereignty'

Graphics

Nvidia Retires Its GeForce Control Panel App After 20 Years (videocardz.com) 21

Nvidia is retiring its classic Control Panel for GeForce Game Ready and Studio Driver users after 20 years, as it pushes users to a newer, more unified "NVIDIA" app. Longtime Slashdot reader BrendaEM first shared the news, commenting: "Nvidia seems to no longer want you to have control over your own video card that you paid your hard-earned money for? WTF!?" VideoCardz.com reports: Existing Control Panel installs will remain on users' systems. NVIDIA says the old panel will only disappear after a clean driver installation. Users who still need it can continue to download it from the Microsoft Store, but NVIDIA will no longer add new features, fixes, or other changes.

The retirement currently applies to Game Ready and Studio Drivers. NVIDIA RTX PRO users will continue to receive Control Panel support until the company moves professional features to the NVIDIA app. For GeForce users, NVIDIA says the app now includes the modern functionality previously available through Control Panel. [...] The classic panel is therefore not being removed from every system overnight. It is being moved into maintenance mode for GeForce users...

Government

California Moves To Exempt Linux From Upcoming Age-Verification Law (tomshardware.com) 69

California lawmakers are moving to exempt most open-source operating systems from the state's upcoming age-verification law after backlash from Linux and privacy advocates who warned that the original rules could force decentralized projects to collect users' ages. The amendment would likely shield major Linux distributions, though SteamOS and other Linux-based platforms tied to proprietary app stores may still face compliance questions. Tom's Hardware reports: Assembly Bill 1856 (AB 1856), currently moving through California's legislature ahead of committee reviews in June, would amend the state's earlier age-assurance law by excluding software distributed under licenses that allow users to "copy, redistribute, and modify the software." The proposed amendment specifically states: "Operating system provider" does not mean a person or entity that distributes an operating system or application under license terms that permit a recipient to copy, redistribute, and modify the software.

The amendment follows months of backlash after California passed the original Assembly Bill 1043 (AB 1043), formally known as the Digital Age Assurance Act, in late 2025. The law sought to shift online age verification away from individual websites and apps and down to the operating-system level instead. Under the original law, operating systems would be required to request a user's age or birth date during device setup, then expose an "age bracket signal" to apps and app stores. The law, which defined brackets such as "under 13," "13-15," "16-17," and "18+," immediately raised questions about how such requirements would apply to decentralized, open-source software ecosystems. [...]

AB 1856 does not repeal the original Digital Age Assurance Act. Instead, it narrows the definition of who qualifies as an "operating system provider" under the law. Commercial platforms with proprietary app ecosystems could remain subject to California's age-assurance requirements even if most open-source Linux distributions are ultimately exempted. California Assembly Member Buffy Wicks introduced the amendment on February 11, 2026. However, the open-source exemption language appeared in later revisions that began drawing attention across Linux and privacy communities. The latest version is dated May 18, 2026, and as of May 19, 2026, the bill was read a second time and ordered to third reading.

AI

Pope Leo Warns of Risks From AI In 42,300-Word Encyclical 91

An anonymous reader quotes a report from the New York Times: Pope Leo XIV on Monday set out a sweeping vision for corporate executives, politicians and individuals who will shape and be shaped by the future of artificial intelligence, warning leaders to safeguard humanity from A.I.'s most disruptive effects. Leo's declaration came in the form of a papal encyclical, an open letter to "all people of good will" that ran to roughly 42,300 words in its English version. It outlined his desire to protect human dignity and agency in an age in which technology threatens to replace humans in many professional and social roles. He presented it alongside Christopher Olah, a co-founder of Anthropic, a major A.I. developer, in a symbolic gesture of dialogue between leaders of the spiritual and technological worlds.

While emphasizing that "technology should not be considered, in itself, as a force antagonistic to humanity," he wrote that "the pursuit of greater profits cannot justify choices that systematically sacrifice jobs." Among other things, Leo called for:
- government regulation of the private companies that are driving the development of A.I.
- protection and retraining for workers whose jobs are threatened
- education to help students think critically about the technology
- action to protect children from violent, hypersexualized or fake information online that is often generated by A.I.
- safeguards to ensure that humans, not artificial intelligence, remain responsible for all decisions regarding the use of weapons.

Above all he emphasized the importance of retaining a fundamental social role for all human beings. "A society that guarantees employment to only a small fraction of the population, despite having a high level of technical development, risks exposing many to forced inactivity," he wrote. "This creates a paradox of material progress and anthropological regression that undermines the foundations of a just and stable social peace," he added.
Anthropic's Christopher Olah said companies like his own need moral guidance to avoid being swayed by "a set of incentives and constraints that can sometimes conflict with doing the right thing."

"We need moral voices that the incentives cannot bend," Olah said. "Today is just the beginning -- the start of a long collaboration between those of us who are building this and those who can see what we, from the inside, cannot."

NASA

Caltech Could Lose Control of JPL For First Time In Decades (space.com) 42

NASA plans to open competition for the contract to operate JPL for the first time in nearly a century, meaning Caltech's historic role managing the iconic deep-space lab could come to an end when its current agreement expires in 2028. According to JPL, Caltech has managed the lab since its inception in the 1930s, and has done so for NASA since the agency was established in 1958. Space.com reports: According to the JPL statement, Caltech has been preparing for this possible transition since last summer, so the news "comes as no surprise." But the potential change is part of a larger shakeup for the agency. Earlier this morning, NASA announced a major reorganization, which is separate from the JPL news. "To support the agency's ambitious short- and long-term goals, NASA is taking action to increase specialization at centers and integrate mission directorates, elevating delivery of technically excellent work," the agency said in a statement today.

JPL is NASA's lead center for the robotic exploration of Mars and other deep-space locales. The agency has worked with JPL through Caltech as a manager for nearly 70 years. Though JPL still counts as one of NASA's field centers, it's run as a contracted FFRDC (federally funded research and development center). This status has allowed the lab to function slightly differently than other NASA centers; it has a unique sort of independence, though NASA has always had significant oversight of the lab. "As an FFRDC, JPL operates under a special contractual and governance framework designed to ensure that its work is performed in the public interest and aligned with national priorities," NASA has stated. "The FFRDC model enables NASA to retain access to this depth of capability while maintaining a clear separation between government decision-making authority and contractor execution responsibilities."

Opening up the competition for institutions beyond Caltech to operate JPL could mean significant changes for everything from day-to-day mission management to big NASA science programs. Until now, JPL and Caltech have been heavily intertwined, with mission personnel, scientists, leadership, and others working closely "across the pond" between JPL and Caltech. JPL mission and program meetings often include Caltech employees and sometimes even take place on its Pasadena campus.

Sci-Fi

Pentagon Releases Second Batch of UFO Videos, First-Hand Testimony 62

The Pentagon released a second batch of UAP files, including 50 videos and documents showing unexplained objects over the Middle East, Syria, Iran, and in NASA recordings. Despite the reports, the agency stresses that it has found no evidence of extraterrestrial origin. The Guardian reports: In one video from the Middle East in 2019, taken "likely from an infrared sensor aboard a US military platform operating within the US Central Command area of responsibility," according to the Pentagon, three UAP are captured flying in formation over the Persian Gulf. Another formation of four unidentified objects is seen flying past vessels on the water off Iran in a video from 2022.

Footage taken over Syria in 2021 shows a mysterious object racing away at speed akin to instantaneous warp-speed acceleration from science fiction movies. Few of the objects seem to resemble flying saucers, discs or other traditionally perceived forms for UAP, although one October 2022 clip taken at an undisclosed location shows a cigar-shaped entity racing over what appears to be a residential area.

None of the videos are accompanied by explanations, and the Pentagon's all-domain anomaly resolution office (AARO) has previously stated it has no evidence to suggest any of the thousands of objects seen on video, or described in written testimony, is of extraterrestrial origin. In its May 8 release, a statement from the defense department said the public "can ultimately make up their own minds about the information contained in these files." Additionally, the information is collated from a diverse range of sources, including government agencies including several military branches, the FBI, the state department and Nasa. "Many of these materials lack a substantiated chain-of-custody," the Pentagon notes.

Space

SpaceX's Upgraded Starship V3 Launches For First Time (reuters.com) 41

SpaceX's upgraded Starship V3 launched today from Starbase, Texas, for the first time, successfully deploying 22 dummy Starlink satellites and completing a planned fiery splashdown in the Indian Ocean. Reuters reports: The towering vehicle, consisting of the upper-stage Starship astronaut vessel stacked atop a Super Heavy booster rocket, blasted off at about 5:30 p.m. CT on Friday (2230 GMT) from SpaceX facilities in Starbase, Texas, on the Gulf of Mexico near Brownsville. A live SpaceX webcast of the liftoff showed the rocketship, more than 40 stories tall, climbing from the launch tower as the Super Heavy's cluster of Raptor engines thundered to life in a ball of flames and billowing clouds of vapor and exhaust. The test ended about an hour later when the Starship vehicle made it through a blazing re-entry through Earth's atmosphere and splashed down into the Indian Ocean, nose up as planned, as SpaceX employees who gathered to watch a live webcast of the flight cheered. The lower-stage Super Heavy came down separately in the Gulf of Mexico about six minutes after blast-off.

The launch marked SpaceX's 12th Starship test flight since 2023 and the first ever for the V3 iteration of both the cruise vessel and its Super Heavy booster, as well as the first blast-off from a new launch pad designed for the more powerful rocket. During its suborbital cruise phase, Starship successfully released its payload of 20 mock Starlink satellites one by one, plus two actual modified satellites that scanned the spacecraft's heat shield and transmitted data back to operators on the ground during the vehicle's descent. Starship made it to its cruise phase despite the loss of one of its six upper-stage engines, and mission controllers opted not to attempt an inflight re-ignition of the engines before re-entry. But the vehicle did execute a return-landing burn at the very end of its flight, along with several aerodynamic maneuvers deliberately intended to place the spacecraft under maximum stress, and Starship completed those moves intact for its controlled final descent.
You can watch a recorded livestream of the launch on YouTube.

Google

Google API Keys Remain Active After Deletion (darkreading.com) 22

Aikido Security found that deleted Google API keys can continue authenticating for a median of about 16 minutes and as long as 23 minutes, despite Google Cloud's UI claiming that once a key is deleted it can no longer make API requests. Dark Reading reports: Joe Leon, researcher at Belgian startup Aikido Security, recently analyzed the revocation window -- the time between a key's deletion and its last successful authentication -- for the cloud giant's API keys. In a blog post published today, Leon said Google Cloud Platform (GCP) customers expect API access to end immediately after the key is deleted, but this is not the case. In a series of tests, Leon found that the median revocation window was around 16 minutes, while the longest window was up to 23 minutes, "an incredibly long time" for API keys to continue authenticating successfully, he said.

And these windows have serious repercussions for organizations. "An attacker holding your deleted key can keep sending requests until one reaches a server that has not caught up. If Gemini is enabled on the project, they can dump files you have uploaded and exfiltrate cached conversations," Leon said. "The GCP console will not show the key, and it will not tell you the key is still working. You are trusting Google's infrastructure to eventually catch up."

[...] Leon tells Dark Reading the revocation windows for Google's API keys, as well as the unpredictable authentication success rates, complicate matters for incident response teams that are dealing with a potential breach. "This breaks the mental model IR teams have when responding to leaked credentials," he says. "It's assumed that when you click 'Delete' or 'Revoke' that the credential no longer works. Now IR teams need to remember that for GCP credentials, a window exists when that 'Deleted' credential still works for attackers."

To that end, Aikido recommended that security teams and IR personnel use a 30-minute window for Google API key deletions. Additionally, organizations should monitor their API requests by credential through the "Enabled APIs and services" portion of the GCP console, and review API requests by credential. "If you see unexpected usage from that credential after deletion, someone could be actively exploiting it," Leon wrote. Aikido reported the findings to Google, but the company closed the report as "won't fix," according to the blog post.

Canada

Major Streamers Must Pay 15% of Revenues To Canadian Content, CRTC Says (globalnews.ca) 67

Canada's broadcast regulator says major streaming services such as Netflix must contribute 15% of their Canadian revenues to Canadian and Indigenous content. "That's three times the five-per-cent initial contribution requirement the CRTC set out in 2024, which is being challenged in court by major streamers, including Apple and Amazon," reports Global News. "Contribution requirements for traditional broadcasters, which currently pay between 30 and 45 percent, will be lowered to 25 percent." From the report: "The total contributions are expected to stabilize the funding at more than $2 billion in support of Canadian and Indigenous content, such as French-language content and news," the regulator said in a press release. The CRTC made the decisions as part of its implementation of the Online Streaming Act, which the U.S. has identified as a trade irritant ahead of trade negotiations with Canada.

The CRTC also set out rules on how the money must be spent for both streamers and broadcasters, including contributions toward production funds and direct spending on Canadian content. Most of the streamers' financial contributions can go toward content, though the CRTC is imposing rules on how that money must be spent for the largest streamers. For instance, streamers with Canadian revenues of more than $100 million annually must direct 30 percent of spending toward partnerships with Canadian broadcasters and independent producers. Large Canadian broadcasters will have to direct at least 15 percent of their contributions toward news.

The new financial contribution rules apply to streamers and broadcasters with at least $25 million in annual Canadian broadcasting revenues. The decision covers audiovisual programming, meaning it affects traditional TV broadcasters and online services that stream television content. The regulator also said Thursday online streamers will have to take steps to ensure Canadian and Indigenous content is available and visible to audiences. "This will make it easier for people to find this content on the platforms they use, while giving broadcasters flexibility in how they meet the new expectations," the CRTC said in the release. Details of those requirements will be determined at a later time.
