Thursday, 18 June 2026

AMD silently strips memory encryption from consumer Ryzen CPUs; 10,000 GitHub repos found laundering Trojan malware; AI coding accrues a second, invisible 'cognitive debt'

Today's Lead

Engineering

Tom's Hardware

AMD Silently Removes Memory Encryption from Consumer Ryzen CPUs

AMD has silently disabled Secure Memory Encryption (SME) on consumer Ryzen CPUs through a newer AGESA firmware update, leaving owners unaware that a hardware-enforced protection against physical and cold-boot memory attacks has quietly vanished. The change shipped with no public disclosure, no release-note entry, and no security advisory, and AMD engineers declined to comment when pressed for an explanation. This is a textbook sociotechnical failure: a safety-relevant property was removed in the opaque firmware layer where users have minimal visibility and no realistic ability to observe or consent. For deployed systems that relied on memory encryption as part of their threat model, the regression introduces unquantified exposure and may force a reconsideration of baseline security assumptions. The episode is a sharp argument for treating any removal of a protective feature as an event requiring formal, explicit communication rather than a firmware push into the dark.

Read →

Engineering

Orchid Files

I Found 10,000 GitHub Repositories Distributing Trojan Malware

A researcher uncovered a large-scale campaign using roughly 10,000 GitHub repositories to distribute Trojan payloads, cloning legitimate projects and injecting malicious zip-archive links into their README files. The operator kept the repos ranking and discoverable by re-committing identical messages every few hours and seeding popular tags, while targeting freshly created repositories to dominate search results. Crucially, the bundled Windows executables scanned clean individually on VirusTotal but flagged as Trojans only inside the full zip, pointing to packaging-based evasion. By replicating real project histories and contributor metadata, the campaign defeats the cursory provenance checks most developers rely on, and it appears to continue an established pattern of SmartLoader/StealC distribution. The takeaway for supply-chain security is that metadata inspection is insufficient — repository provenance verification and sandboxed execution of artifact archives belong before anything enters a build pipeline.

Read →

LeadDev

AI Coding Creates Two Kinds of Debt. You're Only Measuring One

Beyond conventional technical debt, AI-assisted development accrues a second, largely invisible liability the author calls 'cognitive debt' — the erosion of a team's shared understanding of why a system exists and how it is built, accumulated when code is generated faster than engineers can absorb it. Unlike technical debt, it hides behind clean, well-tested code: velocity metrics and developer satisfaction can rise while the collective mental model needed for sustainable maintenance quietly decays. The piece cites interns under heavy AI assistance who report higher satisfaction yet develop only a fraction of the skill of earlier cohorts, framing this as trading long-term engineering capability for short-term throughput. The danger is the blind spot — organizations diligently track the measurable debt and miss the one that actually predicts whether they'll still understand their systems. The proposed remedy is a discipline question, not a tooling one: measure cognitive debt deliberately alongside the metrics you already trust.

Read →

Blain Smith

RFC 10008: The HTTP QUERY Method

RFC 10008 standardizes a new HTTP QUERY method to close a longstanding gap: GET forbids a request body, while POST signals state change and breaks caching, leaving read-only-but-complex operations awkwardly stranded. QUERY accepts a request body yet remains safe, idempotent, and fully cacheable, which is exactly what JSON-RPC-style and other structured read APIs have needed for years. The RFC specifies body-aware caching mechanics — including JSON normalization to lift cache-hit rates — so reverse proxies and CDNs can serve cached responses for identical queries without bespoke application-level layers. Both Go and Rust already expose QUERY through their standard libraries, so adoption requires no new infrastructure. It is a small standards change that restores proper HTTP cache semantics to a large class of APIs that had quietly given them up.

Read →

Alex Ellis

Local Qwen Isn't a Worse Opus, It's a Different Tool

Alex Ellis argues that local models like Qwen are not inferior frontier models but a categorically different tool, and that benchmark gaps (Qwen 27B scoring ~12% lower) miss the point. Their real value lies in bounded, specialized use cases where sovereignty, privacy, and data control dominate — confidential customer data, telemetry analysis, and support workflows that can run airgapped. He is candid about the limits: local models can't be trusted with unsupervised, long-horizon tasks because of hallucination and infinite-loop risk, so they demand human oversight. Adopting them is less a cost play than a way to mitigate vendor risk and protect enterprise data, but doing it well requires real operational infrastructure — identity, access control, and metering. The framing is complementary, not competitive: local models earn their place alongside frontier services, not as a drop-in replacement.

Read →
Humanities

JSTOR Daily

The Ghost Roads of Ireland's Great Famine

During Ireland's Great Famine of the 1840s, the British government built an extensive network of deliberately impractical 'famine roads' as make-work relief rather than direct aid, echoing earlier follies erected by the starving in exchange for wages. Plotted with minimal surveying, the roads ran from nowhere to nowhere — sometimes cut through solid rock — while workers endured twelve-hour winter shifts for wages that barely bought turnips, even as grain was exported abroad. The policy was an ideological choice: relief had to be earned through labor, never simply given. Archaeology underscores the destitution, finding almost no artifacts at the worksites, and the folklore record shows survivors could scarcely narrate the horror, displacing it onto strangers and neighboring towns. As these roads dissolve back into grass, they stand as physical monuments to state-sanctioned hardship — a sharp case study in how infrastructure encodes a society's moral assumptions about poverty and obligation.

Read →

Astral Codex Ten

Waiting for the Miracle

Scott Alexander proposes that the famous 'sun miracles' reported at religious sites like Fatima and Medjugorje are not supernatural but explicable products of optics and human perception. He argues that a specific, rare combination of atmospheric conditions — the sun dimmed to a particular brightness after rain — lets observers stare at it long enough to trigger afterimages, eye drift, and ultraviolet-induced color distortions, producing the reported spinning, multicolored disc. Having experienced the effect himself, he notes the phenomenon feels impossible precisely because the necessary conditions (unusual dimness plus expectation-driven staring) almost never co-occur in ordinary life. The result is a naturalistic reframing of a mass religious experience as a perceptual artifact rather than divine intervention. It is a tidy demonstration of how a 'miracle' can be an emergent property of physiology and expectation — a useful parable for anyone who reasons about how shared belief shapes what people sincerely report seeing.

Read →