Looking for the most recent Connections answers? Click here for today’s Connections hints, as well as our daily answers and hints for The New York Times Mini Crossword, Wordle, Connections: Sports Edition and Strands puzzles.

I thought today’s NYT Connections puzzle was pretty tricky. Read on for clues and today’s Connections answers.

The Times has a Connections Bot like the one for Wordle. Go there after you play to receive a numeric score and to have the program analyze your answers. Players who are registered with the Times Games section can now nerd out by following their progress, including the number of puzzles completed, win rate, number of times they nabbed a perfect score and their win streak.

Read more: Hints, Tips and Strategies to Help You Win at NYT Connections Every Time

Hints for today’s Connections groups

Here are four hints for the groupings in today’s Connections puzzle, ranked from the easiest yellow group to the tough (and sometimes bizarre) purple group.

Yellow group hint: It may convey fluids or other materials.

Green group hint: What a con artist does.

Blue group hint: Earl Grey, hot.

Purple group hint: Place for education.

Answers for today’s Connections groups

Yellow group: Conduit.

Green group: Swindle.

Blue group: Tea-making verbs.

Purple group: “School” modifiers.

Read more: Wordle Cheat Sheet: Here Are the Most Popular Letters Used in English Words

What are today’s Connections answers?

The yellow words in today’s Connections

The theme is conduit. The four answers are duct, line, main and pipe.

The green words in today’s Connections

The theme is swindle. The four answers are fleece, hose, squeeze and stiff.

The blue words in today’s Connections

The theme is tea-making verbs. The four answers are boil, pour, steep and strain.

The purple words in today’s Connections

The theme is “school” modifiers. The four answers are grade, grammar, high and primary.

Toughest Connections puzzles

We’ve made a note of some of the toughest Connections puzzles so far. Maybe they’ll help you see patterns in future puzzles.

#5: Included “things you can set,” such as mood, record, table and volleyball.

#4: Included “one in a dozen,” such as egg, juror, month and rose.

#3: Included “streets on screen,” such as Elm, Fear, Jump and Sesame.

#2: Included “power ___” such as nap, plant, Ranger and trip.

#1: Included “things that can run,” such as candidate, faucet, mascara and nose.

Gardyn Home 4.0 (read my full review here) was one of the easiest indoor gardens to assemble set up out of the box; it also yielded the most dramatic success of any of the brands I tried. Flowers, kohlrabi, thyme, and even a whole cauliflower all thrived in this pipe-based system with the lights in front to allow for taller plant growth.

Seeds arrive in proprietary pods called yCubes. Part of what makes the Gardyn foolproof is the subscription app add-on, “Kelby,” which monitors your plants via attached sensors and cameras. It delivers customized watering and lighting schedules, as well as maintenance suggestions via AI (which an anonymous source told me is basically OpenAI’s ChatGPT with an overlaid prompt). This subscription adds an additional $259 a year to the base purchase price, though it includes a certain number of credits per month, depending on whether you have the Home or Studio model, with which to buy new yCubes. There’s a free 30-day trial for Kelby, but you can use the Gardyn without it by relying on manual light and watering controls. Also, there have been some recent privacy concerns with Kelby (more below).

Each Gardyn purchase comes with your choice of yCube sets: “Salad Lover,” “Budding Florist,” or “Chef Faves.” I’ve tried both “Budding Florist” and “Chef Faves,” and my favorite is the latter; it has an interesting variety of everything from breen and Tokyo bekana greens to Thai basil and miniature sunflowers. Though Gardyn recommends starting the yCubes in the company’s add-on $80 nursery, I’ve germinated plenty of yCubes right in the system just fine. (Make sure you don’t add nutrients until they sprout. If you’re germinating yCubes later on, when nutrients are already in the system, you can just use a shallow bowl with loosely tented plastic wrap.) The seeds arrive tucked in mineral wool, snug in their little yCubes that slot into larger cups (“yPods”) that fit into the pipes. When the Gardyn waters the plants, the yPods fill with nutrient-infused water, and the plants’ roots grow right into the water.

Once a month, the base needs to be emptied and scrubbed. Every few weeks, the roots need to be checked for root rot and growth outside the yPod, examined for whether it’s time to prune, and/or tucked back in if they’ve wandered too far. This maintenance is admittedly a bit laborious, and if you do not do it consistently, you will be very sorry when it’s time to clean the Gardyn and prepare it for its next planting. (Ask me how I know!)

I now have two Gardyns, a Home 4 and a Studio 2, which features an upgraded camera and columns. Aside from some funky yCubes (which the company will replace upon request), I have no major complaints about the system. Though I will note that the plants in the Studio have been overall less lush due to the Studio’s having one light bar rather than two, which is why my primary recommendations remains the Home. I also like that Gardyn offers a Vacation Mode, which adjusts the lighting and watering to slow growth and minimize maintenance tasks while you’re away.

NOTE: On February 24, 2026, and April 2, 2026, the US Cybersecurity and Infrastructure Security Agency (CISA) released advisories regarding vulnerabilities in Gardyn Home and Studio devices. These security weaknesses could have allowed someone to take remote control of a Gardyn device, access plant photos, and obtain personal information such as names, addresses, phone numbers, and email addresses. Gardyn claims these vulnerabilities have been remediated with the most recent firmware update, and advises customers to ensure their Gardyns are internet-connected and running firmware version 619 or later. If you think your device may have been compromised, email [email protected] or call 844-4-GARDYN. For more information, see Gardyn’s Security update for Gardyn Home and Gardyn Studio.

While the idea is appealing, I have never fully enjoyed using the speech-to-text feature for voice typing. I understand why it exists, and I have used it in a pinch. But it has always felt like one of those phone features that works just enough times to be useful, and not often enough to be conveniently reliable.

It’s not just about speaking clearly; the problem is a bit more subtle. You have to avoid doubling back mid-sentence, or you have to pretend your brain naturally produces clean text messages in one smooth pass. And since mine does not, I’m looking forward to Google’s new Rambler feature for Gboard. It’s a part of the Gemini Intelligence on Android, but what has my attention is how it works.

Rambler turns natural spoken thoughts into concise text. Google says that it can deal with the way people actually speak, including self-corrections, repeated words, and filler sounds like “ums,” “ahs,” and “likes.” This might sound boring until you think about how often typing is the slowest part of using a phone.

Bigger phones might finally be for me

Modern smartphones now sport near 7-inch displays that are fantastic for watching, reading, and gaming. But typing on them or using them with one hand is still annoying. And with the screen getting taller, there’s an awkward reaching game to hit the letters at the far side of a wider keyboard. Trying to reply while walking, carrying a bag, sitting in a cab, or holding coffee usually means typos, shorter replies, or waiting until both hands are free.

Voice typing should have been the obvious fix. The problem is that raw speech-to-text often gives you exactly what you said, and people don’t speak in rigid sentence structures. Real speech has pauses, restarts, half-formed thoughts, and random corrections. A voice note can carry that chaos because tone helps. A text message cannot.

Rambler’s solution is simple. Google is letting you talk how you’d normally do in a conversation or voice note. But rather than getting the exact wording and focusing on accuracy, Rambler will pick out the important parts and fit them into a message that still sounds like you.

The bilingual angle is actually huge

The great part about being bilingual is how two different languages blend during natural speech. So it was great to hear that multilingual support is available right from the get-go. Google says Rambler can switch between languages in a single message using Gemini’s multilingual model, including examples like English mixed with Hindi. A lot of people, like myself, do not text in one language alone.

We switch depending on the person, the mood, or the context. Standard voice typing can struggle when a sentence naturally moves between languages. It might get the words right, though it skips the rhythm. If Rambler can actually preserve that mixed-language flow while cleaning up the clutter, it becomes far more practical than a generic “make this sound professional” AI button.

It still has to prove it is faster than typing

I am not convinced this becomes a daily habit for everyone. A lot of people already type fast enough. Some prefer voice notes. Others may not want to talk to their phone in public, no matter how smart the transcription gets. There is also a privacy comfort test. The company claims that it will show when Rambler is enabled, and that audio is only used to transcribe in real time and is not stored or saved. Still, it has to prove that it is fast and low-effort to really stick around. But at least, Google is promising that you don’t have to think twice before speaking or make perfect sentences.

Looking for the most recent regular Connections answers? Click here for today’s Connections hints, as well as our daily answers and hints for The New York Times Mini Crossword, Wordle and Strands puzzles.

Today’s Connections: Sports Edition is a tough one, though as a Minnesota pro football fan I appreciated the yellow group. If you’re struggling with the puzzle but still want to solve it, read on for hints and the answers.

Connections: Sports Edition is published by The Athletic, the subscription-based sports journalism site owned by The Times. It doesn’t appear in the NYT Games app, but it does in The Athletic’s own app. Or you can play it for free online.

Read more: NYT Connections: Sports Edition Puzzle Comes Out of Beta

Hints for today’s Connections: Sports Edition groups

Here are four hints for the groupings in today’s Connections: Sports Edition puzzle, ranked from the easiest yellow group to the tough (and sometimes bizarre) purple group.

Yellow group hint: Skol!

Green group hint: College division.

Blue group hint: Same first name.

Purple group hint: Think hat.

Answers for today’s Connections: Sports Edition groups

Yellow group: An NFC North athlete.

Green group: An ACC athlete.

Blue group: Ja(y)lens in the NBA.

Purple group: ____ cap.

Read more: Wordle Cheat Sheet: Here Are the Most Popular Letters Used in English Words

What are today’s Connections: Sports Edition answers?

The yellow words in today’s Connections

The theme is an NFC North athlete. The four answers are Bear, Lion, Packer and Viking.

The green words in today’s Connections

The theme is an ACC athlete. The four answers are Cavalier, Eagle, Hokie and Mustang.

The blue words in today’s Connections

The theme is Ja(y)lens in the NBA. The four answers are Brown, Brunson, Duren and Green.

The purple words in today’s Connections

The theme is ____ cap. The four answers are baseball, guardian, rally and salary.

Japanese modder TERA set out to solve a problem that had bothered him for years. He wanted a PlayStation 5 that could go anywhere without sacrificing the full experience players expect from the console at home. His latest creation delivers exactly that in a form that slides easily into most laptop bags.

Months passed since TERA finished a much larger portable version of this device based on the same hardware. That machine, weighing nearly five kilograms, had a battery life of less than an hour, but it had to have an oversized screen, which made it a pain in the neck to carry around and store, but they learned a lot from that effort, and all of those lessons were applied to this new project.

PlayStation®5 console – 1TB

• PlayStation 5 Console – 1TB, includes wireless controller, 1TBSSD, Disc Drive, 2 Horizontal Stand Feet, HDMI cable, AC power cord, USB cable, printed…
• 1TB of Storage, keep your favorite games ready and waiting for you to jump in and play
• Ultra-High Speed SSD, maximize you play sessions with near instant load times for installed PS5 games

To get began, they disassembled an old PlayStation 5 that they purchased for only 22,000 yen. TERA took out the motherboard and flung the remainder of the components into a corner. This specific board was roughly two-thirds the size of the one used in the prior generation, which was significant since it gave them a lot more room to play with in terms of packing.

Now, heat management was a top priority because the main processor has a poor tendency of drawing nearly 200 watts when it’s under load. Early testing with the regular CPU cooling revealed that it could not last more than a few minutes before temperature warnings appeared. TERA opted to employ a vapor-chamber heatsink, which is commonly used in server equipment and can withstand high temperatures. He printed a mount for it and then added some heat pipes and aluminum bars to assist move heat away from the surrounding chips, as well as some liquid metal compound to the processor after applying a protective coating to prevent the surrounding electronics from shorts.

Then there was fan design, which was as significant. TERA simply took an off-the-shelf fan, cut its blades down to size, and printed a new housing and brand new blades to match the heatsink exactly. Then he added a temperature sensor, which sent data to a small circuit that adjusted the fan speed on the fly. They also added a display to the finished unit, which shows the temperature and fan speed at a glance.

The next step was power delivery, so they inserted a modified server power supply unit within the casing to avoid having to deal with a large, bulky external brick. They also installed some bespoke timing boards to ensure that the screen and fan did not draw any power unless you hit the power button. Finally, they added a tiny copper plate that connected to ground to eliminate the video noise that appeared during the initial tests.

This was built with a 15.6-inch Sharp LCD panel, which is a smaller display than the one used in the last design, but its glossy surface keeps the colors vibrant and helps them shave off some of the weight and thickness. They printed off several plastic elements for the outside shell, including ventilation slits on the sides and a metal handle for hauling. They then used double-sided tape to secure the screen and precise spacers to keep the back panel in place.

As for battery life, it’s still a work in progress. In other testing with a compact RC car battery pack attached directly, they were able to get the unit to run a PlayStation 4 game for roughly 30 minutes. Of course, the power-hungry PS5 titles don’t last as long, but the architecture allows for a detachable battery pack in future editions.

FEATURE Can digital sovereignty exist on American silicon? 

Europe is pouring more than €2 billion into sovereign cloud initiatives designed to reduce exposure to US legal reach. The EU’s IPCEI-CIS program funds infrastructure development. France qualifies operators under SecNumCloud, a framework with nearly 1,200 technical requirements promising “immunity from extraterritorial laws.”

But most datacenters and qualified cloud operators still rely heavily on Intel or AMD processors. And inside those processors sits a computer beneath the computer: management engines operating at Ring -3, below the operating system, outside the control of host security software, persistent even when the machine appears powered off. Under the US Reforming Intelligence and Securing America Act (RISAA) 2024, hardware manufacturers count as “electronic communications service providers” subject to secret government orders. 

Europe’s frameworks certify the clouds. They don’t assess the silicon.

The computer your OS can’t see

That computer beneath the computer has a name. On Intel processors, it is the Management Engine (ME), or more precisely the Converged Security and Management Engine (CSME). On AMD, it is the Platform Security Processor (PSP). Both run at what security researchers call Ring -3, below the operating system, below the hypervisor, in a privilege level the host cannot see or log.

“It’s a computer inside your computer,” explains John Goodacre, Professor of Computer Architectures and former director of the UK’s £200 million Digital Security by Design program. He is clear about what that means in practice. The ME has its own memory, its own clock, and its own network stack, and because it can share the host’s MAC and IP addresses, any traffic it generates is indistinguishable from the host’s own traffic to the firewall.

The architecture is not theoretical. Embedded in the Platform Controller Hub, the CSME is a separate microcontroller that operates independently of the host, with direct memory, device access, and network connectivity the host operating system cannot monitor. AMD’s PSP works the same way.

Intel’s Active Management Technology (AMT), the remote management feature the ME enables, exposes at least TCP ports 16992, 16993, 16994, and 16995 on provisioned devices. Goodacre notes that an attack surface exists on unprovisioned hardware too. These ports deliver keyboard-video-mouse redirection, storage redirection, Serial-over-LAN, and power control to administrators managing fleets of devices remotely. The capability has legitimate uses. It also provides a channel that operates at a level below what European sovereignty frameworks can attest.

Microsoft documented in 2017 that the PLATINUM nation state actor used Intel’s Serial-over-LAN (SOL) as a covert exfiltration channel. SOL traffic transits the Management Engine and the NIC sideband path, delivered to the ME before the host TCP/IP stack runs. The host firewall and endpoint detection saw nothing, and any security tooling running on the compromised machine itself was equally blind. PLATINUM did not exploit a vulnerability. It exploited a feature, requiring only that AMT be enabled and credentials obtained. In documented cases, those credentials were the factory default: admin, with no password set.

Goodacre catalogues this and related scenarios in a 37-page risk assessment prepared for CISOs evaluating Intel vPro hardware connected to corporate networks. Its conclusion is blunt: connecting an untouched-ME device to corporate resources “exposes the organization to a class of compromise that defeats the host security stack in its entirety.”

The ME does not stop when the machine appears to. Users recognize the symptom: a laptop powered off and stored for weeks is found, on next boot, to have a depleted battery. On modern thin and light platforms, what Microsoft documents as Modern Standby means “off” does not correspond to “all subsystems unpowered.” The system-on-chip components the Management Engine runs on remain in low-power states, drawing enough to drain a 55 Wh battery over weeks, on the order of 100-200 mW continuous draw.

The implication is documented in Goodacre’s risk assessment: “Whether the radio is in a Wake-on-Wireless-LAN listening state is firmware policy. On a device whose firmware has been tampered with during transit through the supply chain, the answer cannot be inferred from the visible power state.” A laptop that appears off, in a bag, can associate with a hostile network the user has no knowledge of.

Professor Aurélien Francillon, a security researcher at French engineering school EURECOM, has spent years studying exactly this class of problem. Working with colleagues, he built a fully functional backdoor in hard disk drive firmware [PDF], a proof of concept demonstrating how storage devices could silently exfiltrate data through covert channels. Three months after presenting it at an academic conference, the Snowden disclosures revealed the NSA’s ANT catalogue, which documented an identical capability already deployed in the field. 

“The NSA were already doing it,” Francillon says flatly. “Quite amazing.” That background informs his assessment of the ME. “Yes, it can probably be used as a backdoor, like many other things, including BMC [baseboard management controller] and many other firmwares,” he says. The question, he argues, is not whether the backdoor exists but whether operational controls make it unreachable in practice.

AMD faces the same architectural question. On April 14, 2026, researchers demonstrated the Fabricked attack against AMD’s SEV-SNP confidential computing technology, achieving a 100 percent success rate with a software-only exploit. The Platform Security Processor proved vulnerable to the same class of compromise.

On server hardware, the picture is the same. Intel ME runs on servers under a different name, Server Platform Services or SPS, and the BMC, the remote administration controller standard in datacenter hardware, relies on it. “More or less the same,” Francillon says of the server variant. For datacenter operators, he sharpens the focus further: “If I look at cloud systems, servers, I would be more concerned with the BMC,” pointing to published research demonstrating remote exploitation of BMC vulnerabilities that could allow an attacker to reinstall or fully compromise a server. The BMC is not a separate concern from the ME: on server hardware, it is the primary network entry point into the SPS, making it both the most exposed interface and the most consequential.

Both Intel and AMD processors contain management engines that operate below the operating system. The silicon is designed by American companies and subject to American legal process.

The backdoor the CLOUD Act doesn’t use

That legal process has teeth that most European policymakers underestimate. The CLOUD Act, passed in 2018, gave US authorities extraterritorial reach to data held by American companies. FISA Section 702 allows intelligence agencies to compel US persons and companies to provide access to communications. Both are well known in European sovereignty discussions. They operate through the front door: a legal order served on a company that controls data. Less well known is RISAA 2024, a law that opens a different entrance entirely.

RISAA amended FISA’s definition of “electronic communications service provider” in ways that go beyond cloud operators and platform companies, and beyond the bilateral agreements that European policymakers have built their legal defenses around. Hardware manufacturers now fall within scope. Intel and AMD can be compelled, via secret orders with gag clauses, to cooperate with US intelligence access.

The mechanism through which that access could be exercised is the management engine: a persistent, privileged, network-connected runtime that operates below anything the host operating system can see or block. A SecNumCloud-certified operator can be legally isolated from American data demands. The processor inside its servers cannot. “You’ve actually got a policy mechanism by which any such machine anywhere can deliver any of its information,” Goodacre says.

RISAA’s two-year term expired on April 20, 2026, but Congress extended it by 45 days while debating reforms. Whether it is renewed, amended or allowed to lapse, the architecture it targets does not change.

SecNumCloud’s blind spot

France’s SecNumCloud is Europe’s most rigorous attempt to build a cloud certification that is legally immune to American law. It did not emerge from nowhere. ANSSI, France’s national cybersecurity agency, was established in 2009 as part of a broader effort to build institutional muscle on digital sovereignty long before the term became fashionable. When Edward Snowden revealed the scale of NSA surveillance in 2013, France’s response was technical rather than rhetorical: ANSSI published the first SecNumCloud framework in July 2014. A decade later, that framework has grown to nearly 1,200 technical requirements.

At the time, SecNumCloud was a cybersecurity qualification, not a sovereignty instrument: it set requirements for architecture, encryption standards, access controls, and incident response, but said nothing about who controlled the underlying infrastructure or whose laws applied to it. The CLOUD Act changed that. Passed in 2018, it gave American authorities extraterritorial reach to data held by US companies, and suddenly a French cybersecurity framework had a geopolitical dimension it was not designed for. Version 3.2, introduced in 2022, added Chapter 19: a set of explicit requirements targeting extraterritorial law, mandating that only EU operators could run the service, that no non-EU party could access customer data, and that the provider could operate autonomously without external intervention. It promised “immunity from extraterritorial laws.”

In December 2025, S3NS, a joint venture between French defense and technology group Thales and Google Cloud, operating Google Cloud Platform technology under French control, became the first “hybrid” cloud to receive SecNumCloud qualification. The certification triggered heated debate: was this real sovereignty, or American technology with a European flag?

But the debate missed a more fundamental question. Does SecNumCloud’s certification reach as far as the silicon it runs on? Francillon is positioned to see both sides of that question. He sits on the French Technology Academy’s working group on cloud security, a body that advises on the technical foundations of frameworks like SecNumCloud. And he has spent years studying firmware backdoors in academic literature and demonstrated them in practice.

He knows what the hardware can do, and he knows what the certification requires. His starting point is that SecNumCloud provides genuinely valuable protection, and that the silicon gap does not negate that. When asked whether SecNumCloud explicitly addresses Intel Management Engine or AMD Platform Security Processor vulnerabilities, his answer is unambiguous: “There is no direct requirement for firmware backdoor prevention.”

The framework is not designed to be a technical specification for hardware-layer security. “The document aims to be generic and not dive into technical details,” Francillon says. “Most of it is organizational security.” What SecNumCloud does require is that providers build a proper threat model, consider mitigation mechanisms, and monitor administration gateways where external tech support could be exploited. The hardware layer was not addressed by oversight. It was left out by design.

Francillon’s assessment is not a fringe view. Vincent Strubel, the director of ANSSI, the very agency that designed and administers SecNumCloud, is equally explicit about what the framework does and does not cover. In a January 2026 LinkedIn post addressing SecNumCloud’s scope, he writes that all cloud offerings, hybrid or not, depend on electronic components whose design and updates are not 100 percent controlled in Europe. If Europe were ever cut off from American or Chinese technology, he argues, the result would be a global problem of security degradation, not just in hybrid clouds, but everywhere.

Strubel frames SecNumCloud carefully: it is “a cybersecurity tool, not an industrial policy tool.” It protects against extraterritorial law enforcement and kill-switch scenarios. It was never designed to eliminate technology dependencies at the hardware layer, and no actor, state, or enterprise fully controls the entire cloud technology stack anyway.

One technology frequently cited in sovereignty discussions is OpenTitan, Google’s open source secure element deployed on its server hardware and used within the S3NS infrastructure. Francillon is clear about what it is and, critically, what it is not. “OpenTitan is a secure element, a small chip on the side that can be used for protecting sensitive keys, providing signatures, making attestations,” he explains. “It’s a bit like a TPM.” What it is not is a replacement for the main processor. “The Linux and all your applications will not run on it.” OpenTitan sits alongside x86 infrastructure as an external root of trust, independent of the ME. That matters because the default embedded TPM lives inside the ME, making it subject to the ME attack surface. OpenTitan sits outside that boundary. The two address different problems entirely, and conflating them, as sovereignty advocates sometimes do, obscures where the residual exposure actually lies.

ANSSI’s own technical position paper [PDF] on confidential computing, published in October 2025, concludes that Intel SGX, TDX, and AMD SEV-SNP are “not sufficient on their own to secure an entire system, or to meet the sovereignty requirements of SecNumCloud 3.2.” Physical attackers are “explicitly out-of-scope” of vendor security targets. Supply chain attackers are “explicitly out-of-scope.” The ME attack surface discussed in this article falls into neither category: it is a remote network threat, not a physical one. The paper’s conclusion for users concerned about hostile cloud providers is stark: “Switch to a cloud provider they trust, or use their own hardware with physical security protection measures.”

The castle with a structural flaw

Francillon does not dispute that SecNumCloud leaves the ME unassessed. His argument is that this does not matter in practice. “What I mean is that if there is a backdoor to access a room, it cannot be directly used if the room is in a castle. You have to pass the castle walls first.” Network isolation, monitoring, and threat modeling are the walls. SecNumCloud’s operational requirements mandate that administration gateways be isolated, that external tech support be monitored, that network segmentation prevents lateral movement. The Management Engine backdoor may exist, but the framework makes it unreachable except in what Francillon calls “very high-end attacks.”

That qualifier matters. Francillon is not claiming perfect security. He is claiming that proper operational controls reduce the threat to a level where only nation state actors with significant resources could exploit it. For most threat models, he argues, that is sufficient. “Saying it is useless to do SecNumCloud because there is ME, or whatever backdoor in some hardware we don’t control, is a mistake,” he says. SecNumCloud improves security over deployments without such controls, he argues, provided that hardware is carefully evaluated and firmware securely configured.

The castle walls have a structural flaw that Goodacre’s risk assessment documents in detail. Corporate perimeter firewalls see the device’s traffic, but because the ME shares the host’s MAC and IP addresses, they cannot tell ME-originated flows apart from legitimate host traffic. “The perimeter cannot attribute a flow to host-versus-CSME origin without out-of-band knowledge,” Goodacre writes. A TLS-encrypted tunnel from the ME to an attacker server on port 443 looks, to the perimeter, like any other HTTPS connection the laptop makes. Network filtering reduces attack surface. It does not eliminate the exposure.

Goodacre’s position is that a “Tier-3 supply-chain residual remains in both cases and is the irreducible cost of buying any silicon that ships with a Ring -3 manageability engine.” He defines Tier 3 as nation state cyber services operating at the level of compromising firmware in transit, mis-issuing CA certificates via in-country authorities, and modifying hardware at customs or courier hubs. The NSA’s Tailored Access Operations division treated supply chain interdiction as routine business, with explicit doctrinal preference for BIOS and firmware implants over disk-level malware.

His risk assessment’s data on fleet vulnerability is concrete. Industry telemetry from Eclypsium, analyzing production enterprise environments, found that approximately 72 percent of devices observed remained vulnerable to INTEL-SA-00391 years after public disclosure, and 61 percent remained vulnerable to INTEL-SA-00295. The same reporting documented that the Conti ransomware group developed proof-of-concept Intel ME exploit code with the intent of installing highly persistent firmware-resident implants.

“Connecting an untouched-ME vPro laptop to corporate resources exposes the organization to a class of compromise that defeats the host security stack in its entirety,” Goodacre concludes. “The exposed controls include BitLocker full-disk encryption, FIDO2-protected sign-in, endpoint detection and response, the host firewall and the corporate VPN.”

The disagreement between Francillon and Goodacre is not about whether the vulnerability exists. Both confirm it does. Both confirm AMD faces the same issue. Both confirm software alone cannot fix it. The disagreement is about whether operational controls, Francillon’s castle walls, make an architectural backdoor irrelevant in practice, or merely reduce its exploitability while leaving nation state actors with a path through.

For SecNumCloud operators processing sensitive government or commercial data, the distinction is not academic. It is worth noting that SecNumCloud is designed for a higher level of security than standard cloud certifications, but is not intended for classified or restricted government data. The threat that can still slip through Francillon’s castle walls is precisely the threat SecNumCloud was designed to keep out.

The gap nobody names

Goodacre told The Register he tested awareness of the Management Engine with various attendees at the CyberUK conference in April 2026. “Almost no one” knew about it, he reports. The gap between the sovereignty rhetoric and the silicon reality is not being surfaced in policy discussions, procurement decisions, or public debate over what digital sovereignty means.

The debate that does happen, hybrid versus non-hybrid, Google/Thales versus pure European providers, focuses on operational control and legal structure. It does not address the shared silicon foundation. Strubel’s LinkedIn post pushes back against the framing: “Imagining this problem is limited to hybrid cloud offerings is pure fantasy that doesn’t survive confrontation with facts.” Every cloud provider, hybrid or not, depends on components they don’t fully control. The distinction isn’t hybrid versus sovereign. It is what you’re protecting against, and whether the controls you’re implementing address that threat.

There is no immediate solution. RISC-V, the open source processor architecture European sovereignty advocates point to as a long-term alternative, remains years from competitive performance in datacenter workloads. “It will take decades,” Francillon says flatly. Arm is a cautionary precedent: it took nearly 20 years from the first server attempts before Arm achieved any meaningful datacenter presence.

Can sovereignty exist on compromised silicon?

For Goodacre, the bottom line is simple: the Tier-3 supply chain residual is “the irreducible cost of buying silicon with a Ring -3 manageability engine.” Francillon argues that operational controls, including network isolation, monitoring, and threat modeling make the backdoor unreachable except in very high-end attacks. Strubel acknowledges hardware dependencies are real but maintains that SecNumCloud provides valuable protection for what it does cover: legal control, kill-switch resistance, defense against cyberattacks and insider threats.

The disagreement is not about technical facts. It is about risk tolerance and threat model calibration. For European CIOs choosing SecNumCloud-certified providers, the question to ask vendors is: how do you address Intel Management Engine and AMD Platform Security Processor in your threat model? The answer will clarify whether the vendor treats the hardware layer as out of scope, or has implemented controls that reduce but do not eliminate the exposure.

For European policymakers, the question is broader. Can digital sovereignty exist on non-sovereign silicon? The current frameworks do not answer that question. They certify operational controls, legal structure, and autonomous execution capability. They do not certify silicon-layer immunity, because the hardware is American or Chinese, subject to American or Chinese law, designed with management engines that European authorities did not specify, cannot legally compel on their own terms, and cannot replace.

Whether that is a gap worth addressing, or a risk worth accepting as the unavoidable cost of participating in global technology supply chains, is a question Europe will need to answer for itself. ®

from the it’s-still-bad dept

Following criticism, lawmakers have narrowed the GUARD Act, a bill aimed at restricting minors’ access to certain AI systems. The earlier version could have applied broadly to nearly every AI-powered chatbot or search tool. The amended bill focuses more narrowly on so-called “AI companions”—conversational systems designed to simulate emotional or interpersonal interactions with users. 

That change does address some of the broadest concerns raised about the original proposal, though some questions about the bill’s reach remain. Bottom line: the revised bill still creates serious problems for privacy, online speech, and parental choice.

The new GUARD Act still requires companies offering AI companions to implement burdensome age-verification systems tied to users’ real-world identities. Even parents who specifically want their teenagers to use these systems would still face significant hurdles. A family might decide that a conversational AI tool helps an isolated teenager practice social interaction, or engage in harmless creative roleplay. A parent deployed in the military might set up a persistent AI storyteller for a younger child. Under the revised bill, those users could still face mandatory age checks tied to sensitive personal or financial information before they or their children can use these services.

The revised bill also leaves important definitions unclear while sharply increasing penalties for developers and companies that get those judgments wrong. Congress narrowed the GUARD Act. But it is still trying to solve a complicated social problem with vague legal standards, heavy liability, and privacy-invasive verification systems.

Intrusive Age-Verification Remains In The Bill

The revised GUARD Act still requires companies offering AI companions to verify that users are adults through a “reasonable age verification” system. The bill allows a broader set of verification methods than the earlier version, but they are still tied to a user’s real-world identity—such as financial records, or age-verified accounts for a mobile operating system or app store. 

That approach still raises serious privacy and access concerns. Millions of Americans do not have current government ID, accounts at major banks, or stable access to the kinds of digital identity systems the bill contemplates. Even for those who do, requiring identity-linked verification to access online speech tools creates real risks for privacy, anonymity, and data security. Many people are rightly creeped out by age-verification systems, and may simply forgo using these services rather than compromise their privacy and security.

The revised definition of “AI companion” is also narrower than before, but it’s unclear at the margins. The bill now focuses on systems that “engage in interactions involving emotional disclosures” from the user, or present a “persistent identity, persona or character.” 

EFF appreciates that the authors recognized that the prior definition could reach a variety of AI systems that are not chatbots, including internet search engines. But the narrowed definition could be read to also apply to a variety of chat tools that are not AI companions. For example, many modern online conversational systems increasingly recognize and respond to users’ emotions. Customer service systems, including completely human-powered ones that existed long before AI chatbots, have long been designed to recognize frustration and respond empathetically. As conversational AI becomes more emotionally responsive, a customer service chatbot’s efforts to empathize may sweep it within the bill’s definition. 

Bigger Penalties, Bigger Incentives To Restrict Access

The revised bill also sharply increases penalties. Instead of $100,000 per violation, companies—including small developers—can face fines of up to $250,000 per violation, enforced by both federal and state officials.

That kind of liability creates incentives to over-restrict access, especially for minors. Smaller developers, in particular, may decide it is safer to block younger users entirely, disable conversational features, or avoid developing certain tools at all, rather than risk severe penalties under vague standards.

The concerns driving this bill are real. Some AI systems have engaged in troubling interactions with vulnerable users, including minors. But the right answer to that is targeted enforcement against bad actors, and privacy laws that protect us all. The revised GUARD Act instead responds with a privacy-invasive system that burdens the right to speak, read, and interact online.

Congress did improve this bill, but EFF’s core speech, privacy, and security issues remain.

Reposted from the EFF’s Deeplinks blog.

Filed Under: age verification, ai, ai companions, free speech, guard act, parental controls, privacy

Automated Tire Inc. spent years in Boston perfecting a robotic system that takes over the dirtiest, most tiring part of any service bay. Called SmartBay, the machine steps right into a standard twelve-foot bay and goes to work on tires while the wheel stays bolted to the vehicle. Shops now have a practical way to move more cars through the day without adding extra hands or forcing techs to wrestle heavy assemblies on and off machines.

Lifted autos are hoisted into position as usual. Then SmartBay swoops in and grabs the tire, breaking the bead and peeling it off the rim in one fluid action. The lug nuts do not move, and the tire pressure monitor remains still. As the new tire glides onto the rim, the system quickly mounts it before balancing the complete wheel-end assembly, brakes, suspension, and everything else. The only input required from the technicians is to simply place the new tire on a nearby rack and watch the whole thing unfold.

Sale

LEGO Technic Ferrari FXX K Toy Car – Building Toy for Girls & Boys, Ages 10+ – Cool Birthday Gift for…

• LEGO FERRARI MODEL CAR KIT – Builders ages 10+ can create the legendary Technic Ferrari FXX K with authentic details and working mechanical features
• AUTHENTIC RACE CAR DETAILS – This supercar building set features working butterfly doors, opening hood, and an engine cover that reveals the…
• CAR MODEL KIT – Young engineers explore real automotive concepts with this educational learning toy as they build the working differential and watch…

The cameras positioned throughout the bay maintain a careful check on the wheel well as the job progresses. They’re like small sentinels, detecting anything strange with the brakes or suspension and sending that information directly to the shop computer for the customer report. They also have a precise cutter that can slap wheel weights onto the rim to the tune of a tenth of an ounce, resulting in a silky smooth final balance that would never be achieved manually. And the entire routine for four tires? Clocks in at roughly 45 minutes from the time the car drives up, with the business anticipating it to drop to around 30 as the system becomes smarter.

Now, you can have one technician standing in the midst of two or three of these bays and keep them all running at the same time. You know, a single individual working alone could be able to finish four tires in 75 minutes, but that same tech monitoring numerous SmartBays? No problem; they can go through twenty-four tires in the same amount of time. With the system handling all the work, consistency becomes automatic, since every automobile is treated with the same care, regardless of who is working that day or how busy the schedule is.

In terms of pricing, leasing one unit will cost you around $4900 per month, which is actually less than what you’d pay for a dedicated tire tech when you consider all of the perks, turnover, and downtime you’d normally have to deal with. Shops benefit from regular throughput, without having to worry about 1 employee calling in ill and disrupting the entire afternoon schedule. Car owners, particularly those with electric vehicles, will notice the change, as their heavier vehicles and rapid torque tend to burn through tires much faster, but SmartBay has their back, keeping service bays on track.

Instead of relying on a technician to manually remove the wheel and tire, as well as balance it all on the old equipment, SmartBay accomplishes it all for you, requiring just a minor touch-up from an operator. One technician may even run two or three of these SmartBays in tandem, churning through tires all day long, 24 of them each hour, compared to around four every 75 minutes today.
[Source]