‼️🚨 BREAKING: Another researcher skipped coordinated disclosure entirely and dropped a critical 1-click GitHub token theft in public because he doesn't want to deal with MSRC. In his own words: "I really don't want to deal with MSRC on VSCode bugs."
The bug: just clicking a link can hand an attacker a GitHub token that reads AND writes to all your repos, including private ones. It lives in github[.]dev, GitHub's browser-based VSCode editor, which passes the browser an OAuth token that isn't scoped to a single repo. That token can touch everything you can.
Researcher Ammar Askar found that VSCode's sandboxed "webviews" leak keyboard events to the main editor. A malicious repo opened via one link can simulate keystrokes, install a local extension that skips VSCode's publisher-trust check, and exfiltrate your token. He published a working proof-of-concept.
He says when he reports github[.]dev bugs, GitHub tells him they're out of scope and to go report to MSRC, and a prior VSCode bug he reported was silently fixed with no credit. One commenter summed up the mood: "MSRC has turned into Feedback Hub."
Local AI hardware = capacity × bandwidth × software stack
- Capacity tells you what fits
- Bandwidth tells you how hard the box can breathe
- The software stack tells you how much of the spec sheet you can actually cash out.
Hardware by Memory Bandwidth
- Mac Studio M3 Ultra: up to 512GB @ 819 GB/s
- RTX PRO 6000 Blackwell: 96GB @ 1792 GB/s
- RTX 5090: 32GB @ 1792 GB/s
- RTX 4090: 24GB @ 1008 GB/s
- RX 7900 XTX: 24GB @ 960 GB/s
- Radeon PRO W7900: 48GB @ 864 GB/s
- AMD Radeon AI PRO R9700: 32GB @ 640 GB/s
- Intel Arc Pro B65: 32GB @ ~608 GB/s
- Tenstorrent Wormhole n300: 24GB @ 576 GB/s
- Tenstorrent Blackhole p150: 32GB @ 512 GB/s + 800G
- MacBook Pro M5 Max: 460-614 GB/s
- MacBook Pro M5 Pro: 307 GB/s
- DGX Spark: 128GB @ 273 GB/s (coherent + CUDA)
- Mac mini M4 Pro: 273 GB/s
- Ryzen AI Max / Strix Halo: ~256 GB/s (~96GB usable GPU)
- MacBook Air M5: 153 GB/s
- Snapdragon X2 Elite: 152-228 GB/s
- Intel Lunar Lake: 136 GB/s
- Snapdragon X Elite: 135 GB/s
- Mac mini M4: 120 GB/s
- Arc Pro B60: 24GB @ ~456 GB/s
Verdict
- GPUs are still the bandwidth kings
- Apple wins: stupid amounts of memory, don’t want to shard across GPUs
- Apple loses: when raw tokens/sec & concurrency matter more
- DGX Spark: coherent memory + NVIDIA stack
- Strix Halo / Ryzen AI Max: first real x86 unified-memory contender
- Tenstorrent: fully OSS stack, excited to see this mature
Fitting ≠ serving
Even if it fits, you still pay for:
- bandwidth during decode
- KV cache growth
- dequantization
- batching + concurrency
- scheduler quality
- framework overhead
The only mental model that matters:
1. What must fit?
2. What bandwidth tier do I need?
3. What software stack can actually deliver it?
In short:
- NVIDIA → fastest raw speed
- Apple Studio M3 Ultra → biggest one-box memory
- Strix Halo → first real x86 unified
- DGX Spark → coherent NVIDIA dev appliance
- AMD / Intel Arc → rising alternatives
- Tenstorrent → fully open-source stack
Do ask: “which bottleneck am I buying?”
Not: “which hardware is best?”
As someone who:
> Hacked basically every component of OpenClaw's ecosystem (harness, skills ecosystem etc.)
> Helped lead security, trust & threat modelling
> Found 15 CVEs in the software
Absolutely do not run OpenClaw on your enterprise device.
Our HR department just migrated all our mandatory compliance training to a new gamified learning management system.
I received an automated email stating I had 48 hours to complete a module on data privacy or my badge would be deactivated.
I logged into the portal and was greeted by a cartoon badger named Barnaby.
Barnaby told me I was about to embark on a security quest.
I'm 44 years old.
I don't want to go on a quest.
The first module was a video about phishing scams produced like a high-budget daytime soap opera.
The actors were inappropriately attractive for a simulated accounts payable department.
The main character, Chad, left his laptop open at a coffee shop while he ordered a matcha latte.
A guy in a black hoodie immediately sat down and downloaded the entire corporate mainframe to a USB drive in four seconds.
Then the video paused and asked me to identify Chad's critical mistake.
The multiple choice options were leaving the device unsecured, using public Wi-Fi, or failing to foster a culture of vigilance.
I clicked the first one.
Barnaby the badger popped up and told me I was technically correct, but I lacked a holistic security mindset.
He deducted 10 "synergy tokens" from my digital wallet.
I didn't even know I had a digital wallet.
The next scenario involved a complex ethical dilemma about accepting gifts from vendors.
A supplier offered the protagonist a branded corporate fleece.
The video framed this as the first step toward international corporate espionage.
I was asked if accepting the fleece was a violation of the anti-bribery statutes.
I clicked yes.
Barnaby congratulated me and awarded me a bronze digital badge of integrity.
I tried to fast-forward through the next video because it was 45 minutes long.
The player immediately froze and a warning message appeared saying "Barnaby notices you are rushing."
The video restarted from the very beginning.
I sat there for 45 minutes watching a dramatization of password hygiene while staring blankly at my monitor.
At the end of the quest, I had to take a 50-question final exam.
One question asked how long a visitor badge is valid under the new global security matrix.
I guessed 24 hours.
Barnaby appeared with a sad face and told me it was 12 hours.
I failed the module with an 84 percent.
The passing grade was 85 percent.
Barnaby informed me that my quest must start over.
I considered throwing my company-issued laptop out the window.
Instead, I sent an email to HR asking for an extension.
I got an automated reply saying the HR representative was out of the office on a corporate wellness retreat.
I clicked replay on the video.
Chad is about to leave his laptop at the coffee shop again.
This time I hope the hacker deletes my employee profile entirely.
If you have friends who use disposable vape cartridges, don't let them throw the carts away; there is good stuff in there. That's a USB-C input on a battery charging board with a power switch, a small 3.7V 300mAh Li-Po battery, and a tiny button microphone.
Today the EU made American AI illegal in 27 countries.
The reason is ONE sentence Microsoft's own lawyer said under oath:
This morning in Brussels, EU Tech Chief Henna Virkkunen unveiled the Cloud and AI Development Act. It's the most aggressive anti-American tech move from Europe since GDPR.
The law forces EU public sector procurement in banking, healthcare, defense, and energy to apply mandatory non-price factors favoring software and hardware built inside the EU. Microsoft Azure can be cheaper, AWS can be faster, Google Cloud can have the better model, and EU governments MUST legally prefer European alternatives.
AWS, Microsoft, and Google currently control roughly 70% of the European cloud market. Brussels is now openly targeting greater independence from US providers in cloud, AI, and semiconductors.
The largest regulatory market-share transfer in tech history is being written into law right now.
But the real story is how this happened...
On June 10, 2025, a man almost no one outside Brussels had heard of walked into the French Senate. His name is Anton Carniaux, Director of Public and Legal Affairs at Microsoft France.
Senator Dany Wattebled asked him under oath whether he could guarantee that data belonging to French citizens, stored on Microsoft European servers, would never be transmitted to US authorities without explicit consent from the French government.
Carniaux answered honestly. He admitted he could not guarantee it, because Microsoft must comply with the US CLOUD Act regardless of where European data physically sits. One sentence of sworn testimony from Microsoft's own counsel killed every sovereign cloud defense Big Tech had spent five years building.
It became the legal foundation for the law unveiled today.
Then Trump accelerated the divorce.
January 2025 brought executive orders expanding US surveillance authorities. Vance went to Munich and attacked European democracies on stage.
The tariffs followed and so did the Pentagon's $200 million AI contract war that ended with OpenAI replacing Anthropic after Hegseth labeled it a supply chain risk. So did OpenAI's Stargate and yesterday's Trump AI Executive Order, whose Section 3 lets the White House pick which AI companies get 30-day early access to frontier models. American AI was officially declared a US government strategic asset.
Europe heard every word of it.
On May 12, Mistral CEO Arthur Mensch told the French National Assembly that Europe had 24 months to build sovereign AI infrastructure or become a permanent US VASSAL state.
And the response came fast:
April 24: Cohere acquired Germany's Aleph Alpha for $20 billion with both Germany's and Canada's digital ministers in the room at the Berlin announcement. May 30: SoftBank committed up to $87 BILLION for French nuclear-powered data centers, the largest AI infrastructure project in European history.
Yesterday: EU Parliament announced it's dropping Google for French search engine Qwant tomorrow. France ordered every government workstation off Windows and onto Linux.
Today the Cloud and AI Development Act made all of it law.
- Mistral is building a 1.4 gigawatt AI campus near Paris by 2028 with Nvidia, MGX, and Bpifrance
- SAP's EU AI Cloud, launched last November, runs on Cohere, Mistral, and SAP's own sovereign infrastructure
- McKinsey forecasts $600 billion in sovereign AI needs by 2030
None of that money is going to Silicon Valley.
The America First AI policy built a wall around the world's most regulated economy, and American companies are on the wrong side of it.
Microsoft's lawyer told the truth in a Senate hearing nobody watched. Trump turned that admission into a national security narrative while the EU turned that narrative into procurement law.
And one entire continent walked away from the American tech stack...
Microsoft introduces Microsoft Scout, also known as Autopilot.
Scout is always on and has file system and application access "based on your corporate policy".
Best news for Threat Actors in a long time
https://t.co/M3pyfcbTBm
.@GoogleDeepMind's Gemma 4 - 12B is available on Ollama!
Chat:
ollama run gemma4:12b-mlx
Hermes Agent:
ollama launch hermes --model gemma4:12b-mlx
Claude Code:
ollama launch claude --model gemma4:12b-mlx
and more 👇👇👇
(Note, this currently works via MLX)
Meet Gemma 4 12B!
A unified, encoder-free multimodal model designed to bring high-performance intelligence directly to your laptop, and released under an Apache 2.0 license.
Bridging the gap between edge efficiency and advanced reasoning. Here is what’s new with Gemma 4 12B: 👇
🚨 New unpatched Windows flaw lets attackers steal your NTLMv2 hash.
The issue lives in the built-in search: URI handler. A simple malicious link can force your system to leak your hash to an attacker-controlled server.
Captured hashes could be used in relay attacks for deeper network access.
Details here: https://t.co/umigYNnYxO
China just handed the AI agent community a production-grade sandbox for free.
OpenSandbox is an open-source sandbox runtime for AI agents. Secure, fast, and built for coding agents, GUI agents, code execution, and RL training.
- SDKs in Python, Go, TS, Java, C#, .NET
- Runs on Docker or Kubernetes
- Strong isolation via gVisor, Kata, Firecracker
- Works with Claude Code, Codex, Gemini CLI, Qwen Code
100% Open Source. 10k Stars on GitHub.
As someone who enjoys malware and malware accessories, I for one believe this to be incredible news and I applaud Satya Nadella for this
As someone who deals with malware defensively, I for one believe this is terrible news and I hate Satya Nadella so much right now it's unreal
just hit the 50 GB ceiling on Sia Storage App mid-migration
e2e encryption, 50 GB free, my keys hold the only access path, files survive any single host going dark
this is the substrate user-owned AI needs. already replacing tools I've paid for for a decade
https://t.co/nfzX5cc5SF
8 DevOps GitHub repos that should be illegal — they are quietly killing billions in enterprise software revenue. SAVE THIS.
1. Infisical
Open source secrets manager. Replaces HashiCorp Vault Enterprise which costs $22,000 a year per cluster. Infisical self-hosted is completely free and takes 10 minutes to set up.
Repo → https://t.co/GrRV68Drv2
2. Coolify
Self-hosted Heroku and Netlify replacement. Heroku charges $25 per dyno per month. Netlify charges $19 per user per month. Coolify runs unlimited apps on your own server for $0.
Repo → https://t.co/lgBJSw1ucY
3. Buildah
Build production Docker images without Docker installed and without root access. Every CI pipeline that runs rootless containers should be using this. Almost nobody does.
Repo → https://t.co/Qy4hBxdfo0
4. Ctrlplane
Deploy software across Kubernetes, cloud functions and VMs from a single platform. Replaces the custom deployment orchestration scripts every DevOps team has cobbled together over years. Free and open source.
Repo → https://t.co/oqoMZ4z1Lz
5. Coroot
Full observability from eBPF with zero code changes. No SDK. No instrumentation. Just install it and it automatically maps every service, every dependency and every bottleneck in your stack. Replaces tools that cost $69 per host per month.
Repo → https://t.co/xCpONcPILm
6. Dozzle
Real-time Docker log viewer in your browser. No Elasticsearch. No Kibana. No $10,000 a month logging bill. Just logs, live, in one place.
Repo → https://t.co/hGndScZ76M
7. Groundcover
eBPF-based Kubernetes monitoring that auto-discovers every service in your cluster with zero instrumentation. Datadog charges $23 per host. Groundcover's community edition is free and sees everything Datadog sees.
Repo → https://t.co/rAW1dyAfxA
8. Dockprom
A complete Prometheus and Grafana monitoring stack for Docker environments that spins up in one docker compose command. Teams spend weeks building this from scratch. This repo does it in 60 seconds.
Repo → https://t.co/bZ6qAnUNK8
Here is the wildest part.
Most DevOps teams are paying for enterprise tools while these repos sit on GitHub with thousands of stars and zero marketing budget.
The best infrastructure tools do not need a sales team.
They just need one engineer who finds them first.
100% free. 100% open source. 100% production ready.