Author name: Kris Guyer

8BitDo’s $100 wireless mechanical keyboard is a tribute to Commodore 64

  • Fits in nicely with old cassettes and floppy disks.

    8BitDo

  • The keyboard uses a top mount and has an aluminum top plate.

    8BitDo

  • The keyboard has knobs for toggling connectivity modes (left) and controlling the connected system’s volume (right).

    8BitDo

  • There’s a magnetic compartment for storing the optional wireless dongle.

    8BitDo

The Commodore 64 introduced a generation of future computer geeks to personal computing. The 8-bit system first launched in 1982 and was discontinued in 1994. During that time, it made its mark as one of the first and most influential personal computers, and many still remember the computer fondly.

A Commodore 64.

Gaming peripherals maker 8BitDo wants to bring that nostalgia to people’s fingertips and this week announced the Retro Mechanical Keyboard – C64 Edition. 8BitDo is careful not to use the name “Commodore” outright. But with marketing images featuring retro Commodore gear in the background, press materials saying that the keyboard was “inspired by the classics,” and certain design cues, the keyboard is clearly a tribute to the ’80s keyboard-computer.

8BitDo starts with the sort of beige that you only see on new peripherals these days if the gadgets are trying to appear old. A rainbow stripe runs horizontally and north of the function row, like on Commodore’s computer. There’s a power button with a bulb popping out of the keyboard case, ready to illuminate when it receives the signal.

  • The 8BitDo keyboard’s power LED.

    8BitDo

  • Retro rainbow.

    8BitDo

Like the Commodore 64, the C64 keyboard has limited keys, forgoing a number pad. The column of F-keys on the right side of the retro computer is abandoned in favor of today’s standard navigation keys. Naturally, the ports have also been updated. 8BitDo’s wireless mechanical keyboard can connect via a detachable USB-C-to-USB-A power cable, a 2.4 GHz wireless USB-A dongle, or Bluetooth 5.0. 8BitDo claims that the keyboard’s 2000 mAh battery can endure 200 hours of use before needing a charge.

The new keyboard also reduces the bulkiness of a true vintage keyboard. It’s 6.7 inches tall and weighs 2.31 pounds. Commodore 64s were about 8 inches tall and weighed over 4 pounds.

A trimmer keyboard should help 8BitDo better appeal to its core audience of gamers. The keyboard even comes with a separate pair of large buttons and a joystick for gaming with an arcade feel. The joystick and Super Buttons, as 8BitDo calls them, are programmable, including with macros, without downloading 8BitDo’s software.

The keyboard comes with a joystick and mega-size buttons, just like 8BitDo’s NES-inspired keyboard.

8BitDo

The C64 doesn’t support Apple devices; it only supports Windows 10 and Android 9.0 and higher. The software for reprogramming the keyboard and setting up different profiles (which you can toggle with the heart button near the keyboard’s top edge) doesn’t officially support Apple OSes.

SA keycaps

If you really want to feel like you’re typing on an ’80s system, it’s not just about muted shades of beige; it’s about what your fingers feel. While there are some design changes that might have made the keyboard feel more authentic, some thought was clearly given to making this 2024 keyboard feel like it came out more than 30 years ago.

To start, the C64’s keycaps are made of ABS plastic with doubleshot legends. Some premium mechanical keyboards these days opt for PBT, as such keycaps typically offer better grip and resist fingerprint smudges better. But if we’re trying to be as accurate to the original C64 as possible, doubleshot ABS is the way to go.

The keycaps on the Commodore 64 were also notably spherical and contoured. 8BitDo’s design uses SA-profile keycaps, which are some of the tallest keycaps that are widely available. Some hardcore enthusiasts can tell the difference between SA keycaps and the Commodore 64’s original keycaps, but this is still a strong choice from 8BitDo (plus the original Commodore 64 keycaps wouldn’t fit on modern mechanical switches without some modding).

Report: Redesigned M3 iPad Pros, large-screened iPad Air now expected in May

the wait continues —

Next-gen iPads will be Apple’s first new tablets since late 2022.

The M2 iPad Pro. The updated version will come with refined designs and new accessories.

Apple

If you’ve been waiting for new iPads to come out, prepare to wait just a little longer: Bloomberg’s Mark Gurman says that redesigned iPad Pros with Apple’s M3 chip, plus refreshed iPad Air models with the M2 and a larger-screened option, should now arrive sometime in “early May.” Gurman had previously reported that new iPads could arrive in March or April, not long after the updated M3 MacBook Airs.

Gurman suggests that “complex new manufacturing techniques” for the new iPad screens have “contributed to the delay,” and that Apple is also “working to finish software for the devices.”

The details of what the new iPads will look like haven’t changed. The new iPad Pro models will shift to using OLED display panels for the first time and will have their designs tweaked for the first time since the 2018 iPad Pros introduced the current rounded, slim-bezeled look. Those new iPad Pros will also come with redesigned Magic Keyboard and Apple Pencil accessories, though it’s unclear whether those accessories will be totally rethought or if they’ll just tweak existing designs to work with the new tablets.

The iPad Air refresh will be more straightforward. It should retain the current design, which is very similar to the 2018-era iPad Pro refresh but with a power button-mounted Touch ID fingerprint sensor instead of a Face ID camera for authentication. But the new Airs will come with an M2 chip instead of the current M1, and a 12.9-inch variant will provide a less-expensive large-screened option for people who want to use their iPad as their primary computer but who don’t want to pay for the extra bells and whistles of the Pro.

Some rumors have suggested the iPad Pro could come with a price hike relative to the current-generation model, though the sources of those rumors can’t agree on how big a jump it would be. Gurman hasn’t mentioned Apple’s pricing plans in his reports.

There’s also no word about the other tablets in Apple’s lineup, all of which are at least a year or two old. The sixth-generation iPad mini and the $329 ninth-generation iPad were last updated in September 2021, while the awkwardly positioned 10th-generation iPad was released in October 2022.

New hardware is always nice to have, but it does continue to feel like the power of Apple’s M-series chips is a bit wasted on Apple’s tablets. The iPad’s relatively limited multitasking model, restrictions on third-party software and the general dearth of performance-intensive high-end apps in Apple’s app store mean that performance really isn’t a problem on current-generation iPads; there’s nothing an iPad can currently do that an M1 can’t handle with room to spare. Apple will announce new operating system versions at its Worldwide Developers Conference keynote on June 10; it’s possible that iPadOS will get some new features that more fully leverage the power of Apple’s newer chips.

Google says running AI models on phones is a huge RAM hog

8GB of RAM ought to be enough for anybody —

Google wants AI models to be loaded 24/7, so 8GB of RAM might not be enough.

The Google Gemini logo.

Google

In early March, Google made the odd announcement that only one of its two latest smartphones, the Pixel 8 and Pixel 8 Pro, would be able to run its latest AI model, called “Google Gemini.” Despite having very similar specs, the smaller Pixel 8 wouldn’t get the new AI model, with the company citing mysterious “hardware limitations” as the reason. It was a strange statement considering the fact that Google designed and marketed the Pixel 8 to be AI-centric and then designed a smartphone-centric AI model called “Gemini Nano” yet still couldn’t make the two work together.

A few weeks later, Google is backtracking somewhat. The company announced on the Pixel Phone Help forum that the smaller Pixel 8 actually will get Gemini Nano in the next big quarterly Android release, which should happen in June. There’s a catch, though—while the Pixel 8 Pro will get Gemini Nano as a user-facing feature, on the Pixel 8, it’s only being released “as a developer option.” That means you’ll be able to turn it on only via the hidden Developer Options menu in the settings, and most people will miss out on it.

Google’s Seang Chau, VP of devices and services software, explained the decision on the company’s in-house “Made by Google” podcast. “The Pixel 8 Pro, having 12GB of RAM, was a perfect place for us to put [Gemini Nano] on the device and see what we could do,” Chau said. “When we looked at the Pixel 8 as an example, the Pixel 8 has 4GB less memory, and it wasn’t as easy of a call to just say, ‘all right, we’re going to enable it on Pixel 8 as well.'” According to Chau, Google’s trepidation is because the company doesn’t want to “degrade the experience” on the smaller Pixel 8, which only has 8GB of RAM.

Chau went on to describe what it’s like to have a large language model like Gemini Nano on your phone, and it sounds like there are big trade-offs involved. Google wants some of the AI models to be “RAM-resident” so they’re always loaded in memory. One such feature is “smart reply,” which tries to auto-generate text replies.

Chau told the podcast, “Smart Reply is something that requires the models to be RAM-resident so that it’s available all the time. You don’t want to wait for the model to load on a Gboard reply, so we keep it resident.” On the Pixel 8 Pro, smart reply can be turned on and off via the normal keyboard settings, but on the Pixel 8, you’ll need to turn on the developer flag first.

The bigger Pixel 8 Pro gets the latest AI features. The smaller model will have it locked behind a developer option.

Google

So unlike an app, which can be loaded and unloaded as you use it, running something like Gemini Nano could mean permanently losing what is apparently a big chunk of system memory. The baseline of 8GB of RAM for Android phones may need to be increased again in the future. The high mark we’ve seen for phones is 24GB of RAM, and the bigger flagships usually have 12GB or 16GB of RAM, so it’s certainly doable.

Google’s Gemini Nano model is also shipping on the Galaxy S24 lineup, and the base model there has 8GB of RAM, too. When Google originally cited hardware limitations on the Pixel 8 for the feature’s absence, its explanation was confusing—if the base-model S24 can run it, the Pixel 8 should be able to as well. It’s all about how much of a trade-off you’re willing to make in available memory for apps, though. Chau says the team is “still doing system health validation because even if you’re a developer, you might want to use your phone on a daily basis.”

The elephant in the room, though, is that as a user, I don’t even know if I want Gemini Nano on my phone. We’re at the peak of the generative AI hype cycle, and Google has its own internal reasons (the stock market) for pushing AI so hard. While visiting ChatGPT and asking it questions can be useful, that’s just an app. Actually useful OS-level generative AI features are few and far between. I don’t really need a keyboard to auto-generate replies. If it’s just going to use up a bunch of RAM that could be used by apps, I might want to turn it off.

OpenAI holds back wide release of voice-cloning tech due to misuse concerns

Voice synthesis has come a long way since 1978’s Speak & Spell toy, which once wowed people with its state-of-the-art ability to read words aloud using an electronic voice. Now, using deep-learning AI models, software can create not only realistic-sounding voices, but also convincingly imitate existing voices using small samples of audio.

Along those lines, OpenAI just announced Voice Engine, a text-to-speech AI model for creating synthetic voices based on a 15-second segment of recorded audio. It has provided audio samples of the Voice Engine in action on its website.

Once a voice is cloned, a user can input text into the Voice Engine and get an AI-generated voice result. But OpenAI is not ready to widely release its technology yet. The company initially planned to launch a pilot program for developers to sign up for the Voice Engine API earlier this month. But after more consideration about ethical implications, the company decided to scale back its ambitions for now.

“In line with our approach to AI safety and our voluntary commitments, we are choosing to preview but not widely release this technology at this time,” the company writes. “We hope this preview of Voice Engine both underscores its potential and also motivates the need to bolster societal resilience against the challenges brought by ever more convincing generative models.”

Voice cloning tech in general is not particularly new—we’ve covered several AI voice synthesis models since 2022, and the tech is active in the open source community with packages like OpenVoice and XTTSv2. But the idea that OpenAI is inching toward letting anyone use their particular brand of voice tech is notable. And in some ways, the company’s reticence to release it fully might be the bigger story.

OpenAI says that benefits of its voice technology include providing reading assistance through natural-sounding voices, enabling global reach for creators by translating content while preserving native accents, supporting non-verbal individuals with personalized speech options, and assisting patients in recovering their own voice after speech-impairing conditions.

But it also means that anyone with 15 seconds of someone’s recorded voice could effectively clone it, and that has obvious implications for potential misuse. Even if OpenAI never widely releases its Voice Engine, the ability to clone voices has already caused trouble in society through phone scams where someone imitates a loved one’s voice and election campaign robocalls featuring cloned voices from politicians like Joe Biden.

Also, researchers and reporters have shown that voice-cloning technology can be used to break into bank accounts that use voice authentication (such as Chase’s Voice ID), which prompted Sen. Sherrod Brown (D-Ohio), the chairman of the US Senate Committee on Banking, Housing, and Urban Affairs, to send a letter to the CEOs of several major banks in May 2023 to inquire about the security measures banks are taking to counteract AI-powered risks.

Apple’s first new 3D Vision Pro video since launch is only a few minutes long

Immersive Video —

Major League Soccer highlight reel is the first Immersive Video since launch.

  • All the available Immersive Video launch content fit on a small strip in the TV app.

    Samuel Axon

  • Initial videos were labeled as episodes in a series, but subsequent episodes haven’t come.

Tonight, Apple will debut some new Immersive Video content for the Vision Pro headset—the first sports content for the device. It doesn’t seem like much after two months of no new content, though.

Starting at 6 pm PT/9 pm ET, Vision Pro users will be able to watch a sports film captured for the platform’s Immersive Video format. The video will be a series of highlights from last year’s Major League Soccer (MLS) playoffs, and according to Six Colors, it will run just five minutes. It will be free for all Vision Pro users.

On February 2, Apple released what appeared to be the first episodes of three Immersive Video series: Adventure, Prehistoric Planet, and Wildlife. Each debuted alongside the Vision Pro’s launch with one episode labeled “Episode 1” of “Season 1.”

However, it’s been almost two months, and none of those series have received new episodes. The only other piece of Immersive Video content available is an Alicia Keyes performance video that also debuted on February 2. Most of these videos were only a few minutes long.

That means that this short soccer video depicting sports moments from 2023 will be the only new piece of Immersive Video content Apple has put out since the device launched at the beginning of February.

When I reviewed the Vision Pro as an entertainment device, I lauded its capabilities for viewing 2D films and videos, but I also talked a bit about its 3D video capabilities. I said the first pieces of original 3D content from Apple seemed promising and that I looked forward to future episodes. Given that they were labeled just like Apple TV+ series in the TV app, I assumed they would arrive at a weekly cadence. Further episodes haven’t come.

Notably, Apple didn’t include a first-party app for playing 3D videos downloaded from the web with the Vision Pro, though an independent developer filled that gap with an app called Reality Player. There are a few 3D video streaming or downloading services in the visionOS App Store, but the selection is very anemic compared to what you have access to with other headsets.

Apple hasn’t been calling the Vision Pro a VR headset, opting instead for the term “spatial computing”—and that’s understandable because it does a lot more than most VR headsets.

But if you’re looking for new examples of the sorts of passive viewing content you can enjoy on other headsets, the Vision Pro is still far behind the competition two months in.

The device can display a wealth of 2D video content, but this drives home the initial impression that the Vision Pro is meant for viewing flat, 2D content as windows in 3D space. The situation isn’t quite as dire with apps and games, with a handful of new spatial apps in those categories rolling out in recent weeks.

Most apps behave just like iPad apps, with 2D viewports onto the content; you can position those viewports wherever you want in the room around you. Most video content is also 2D.

There are situations where that’s neat to have, but it’s surprising Apple hasn’t invested more in actual 3D content yet. In terms of new stuff, this short soccer video debuting tonight is all we have right now.

Listing image by Samuel Axon

Getting a charge: An exercise bike that turns your pedaling into power

I enjoy getting my exercise, but hate doing it indoors. I’d much rather get some fresh air and watch the world drift past me as I cycle or hike somewhere than watch a screen while sweating away on something stationary.

To get a bit more of what I like, I’ve invested in a variety of gear that has extended my cycling season deeper into the winter. But even with that, there are various conditions—near-freezing temperatures, heavy rains, Canada catching fire—that have kept me off the roads. So, a backup exercise plan has always been on my to-do list.

The company LifeSpan offers exercise equipment that fits well into a home office and gave me the chance to try its Ampera model. It’s a stationary bike that tucks nicely under a standing desk and has a distinct twist: You can pedal to power the laptop you’re working on. Overall, the hardware is well-designed, but some glitches, software issues, and design decisions keep it from living up to its potential.

Solid hardware

Many aspects of the Ampera are pretty well designed. Its hefty weight keeps it stable even when someone my size (~90 kg/200 lbs) is pedaling away on it. If it starts tilting, there’s a metal ring around the base that should keep it from falling over, although I’ve been fortunate enough not to test this. Despite its size, it’s still easy to move around since it tilts forward onto some wheels and rolls around easily.

That tilting is best managed by using a handle that attaches to the underside of the seat. That’s more of a mixed bag, as it limits how far back on the seat you can sit. It should be possible to install it upside-down so the handle tilts under the seat if this is a problem, though. The height of the seat is easily adjustable. It telescopes out of the base on a metal pole; pull up on a lever under the seat, and it will slide up or down to wherever you find comfortable.

Even with my relatively long legs, I had no problem finding a comfortable setting. However, to keep working while pedaling, I needed to set a standing desk at its maximum height. This is not something that you can expect to use while sitting at a more traditional desk.

As for the seat itself, it’s wide and cushy, so quite unlike a typical bike saddle. There are a few things about this that I’m not convinced by. To start with, the padding will eventually wear down if it’s heavily used, and the use of a non-cycling attachment—it bolts onto a flat metal plate—means it’s going to be harder to replace. The fabric might also be a problem if, as I do, you tend to sweat a lot while exercising. (More expensive stationary bikes, like Pelotons, can fit standard bicycle seats.)

The seat of the Ampera isn’t typical cycling hardware and incorporates a handle for moving the base around.

John Timmer

The pedals are fine. The texture of the polymer mostly kept my feet where I wanted them. The occasional slip was likely because I’m unused to thinking about how to keep my feet in place—the product of using clipless pedals on both my road and mountain bikes.

The other notable features of the hardware are a ring of colored LEDs around the cranks, a USB-C port at the front of the base, and a Qi wireless charging pad in the center of the pedestal. There aren’t any controls on the hardware; everything is controlled via software.

Facebook let Netflix see user DMs, quit streaming to keep Netflix happy: Lawsuit

A promotional image for Sorry for Your Loss, which was a Facebook Watch original scripted series.

Last April, Meta revealed that it would no longer support original shows, like Jada Pinkett Smith’s Red Table Talk talk show, on Facebook Watch. Meta’s streaming business that was once viewed as competition for the likes of YouTube and Netflix is effectively dead now; Facebook doesn’t produce original series, and Facebook Watch is no longer available as a video-streaming app.

The streaming business’ demise has seemed related to cost cuts at Meta that have also included layoffs. However, recently unsealed court documents in an antitrust suit against Meta [PDF] claim that Meta has squashed its streaming dreams in order to appease one of its biggest ad customers: Netflix.

Facebook allegedly gave Netflix creepy privileges

As spotted via Gizmodo, a letter was filed on April 14 in relation to a class-action antitrust suit that was filed by Meta customers, accusing Meta of anti-competitive practices that harm social media competition and consumers. The letter, made public Saturday, asks a court to have Reed Hastings, Netflix’s founder and former CEO, respond to a subpoena for documents that plaintiffs claim are relevant to the case. The original complaint filed in December 2020 [PDF] doesn’t mention Netflix beyond stating that Facebook “secretly signed Whitelist and Data sharing agreements” with Netflix, along with “dozens” of other third-party app developers. The case is still ongoing.

The letter alleges that Netflix’s relationship with Facebook was remarkably strong due to the former’s ad spend with the latter and that Hastings directed “negotiations to end competition in streaming video” from Facebook.

One of the first questions that may come to mind is why a company like Facebook would allow Netflix to influence such a major business decision. The litigation claims the companies formed a lucrative business relationship that included Facebook allegedly giving Netflix access to Facebook users’ private messages:

By 2013, Netflix had begun entering into a series of “Facebook Extended API” agreements, including a so-called “Inbox API” agreement that allowed Netflix programmatic access to Facebook’s users’ private message inboxes, in exchange for which Netflix would “provide to FB a written report every two weeks that shows daily counts of recommendation sends and recipient clicks by interface, initiation surface, and/or implementation variant (e.g., Facebook vs. non-Facebook recommendation recipients). … In August 2013, Facebook provided Netflix with access to its so-called “Titan API,” a private API that allowed a whitelisted partner to access, among other things, Facebook users’ “messaging app and non-app friends.”

Meta said it rolled out end-to-end encryption “for all personal chats and calls on Messenger and Facebook” in December. And in 2018, Facebook told Vox that it doesn’t use private messages for ad targeting. But a few months later, The New York Times, citing “hundreds of pages of Facebook documents,” reported that Facebook “gave Netflix and Spotify the ability to read Facebook users’ private messages.”

Meta didn’t respond to Ars Technica’s request for comment. The company told Gizmodo that it has standard agreements with Netflix currently but didn’t answer the publication’s specific questions.

Astronomers have solved the mystery of why this black hole has the hiccups

David vs. Goliath —

Blame it on a smaller orbiting black hole repeatedly punching through the accretion disk.

Scientists have found a large black hole that “hiccups,” giving off plumes of gas.

Jose-Luis Olivares, MIT

In December 2020, astronomers spotted an unusual burst of light in a galaxy roughly 848 million light-years away—a region with a supermassive black hole at the center that had been largely quiet until then. The energy of the burst mysteriously dipped about every 8.5 days before the black hole settled back down, akin to having a case of celestial hiccups.

Now scientists think they’ve figured out the reason for this unusual behavior. The supermassive black hole is orbited by a smaller black hole that periodically punches through the larger object’s accretion disk during its travels, releasing a plume of gas. This suggests that black hole accretion disks might not be as uniform as astronomers thought, according to a new paper published in the journal Science Advances.

Co-author Dheeraj “DJ” Pasham of MIT’s Kavli Institute for Astrophysics and Space Research noticed the community alert that went out after the All Sky Automated Survey for SuperNovae (ASAS-SN) detected the flare, dubbed ASASSN-20qc. He was intrigued and still had some allotted time on the X-ray telescope, called NICER (the Neutron star Interior Composition Explorer), on board the International Space Station. He directed the telescope to the galaxy of interest and gathered about four months of data, after which the flare faded.

Pasham noticed a strange pattern as he analyzed that four months’ worth of data. The bursts of energy dipped every 8.5 days in the X-ray regime, much like a star’s brightness can briefly dim whenever an orbiting planet crosses in front. Pasham was puzzled as to what kind of object could cause a similar effect in an entire galaxy. That’s when he stumbled across a theoretical paper by Czech physicists suggesting that it was possible for a supermassive black hole at the center of a galaxy to have an orbiting smaller black hole; they predicted that, under the right circumstances, this could produce just such a periodic effect as Pasham had observed in his X-ray data.

Computer simulation of an intermediate-mass black hole orbiting a supermassive black hole and driving periodic gas plumes that can explain the observations.

Petra Sukova, Astronomical Institute of the CAS

“I was super excited about this theory and immediately emailed to say, ‘I think we’re observing exactly what your theory predicted,’” Pasham said. They joined forces to run simulations incorporating the data from NICER, and the results supported the theory. The black hole at the galaxy’s center is estimated to have a mass of 50 million suns. Since there was no burst before December 2020, the team thinks there was, at most, just a faint accretion disk around that black hole and a smaller orbiting black hole of between 100 and 10,000 solar masses that eluded detection because of that.

So what changed? Pasham et al. suggest that a nearby star got caught in the gravitational pull of the supermassive black hole in December 2020 and was ripped to shreds, known as a tidal disruption event (TDE). As previously reported, in a TDE, part of the shredded star’s original mass is ejected violently outward. This, in turn, can form an accretion disk around the black hole that emits powerful X-rays and visible light. The jets are one way astronomers can indirectly infer the presence of a black hole. Those outflow emissions typically occur soon after the TDE.

That seems to be what happened in the current system to cause the sudden flare in the primary supermassive black hole. Now it had a much brighter accretion disk, so when its smaller black hole partner passed through the disk, larger than usual gas plumes were emitted. As luck would have it, that plume just happened to be pointed in the direction of an observing telescope.

Astronomers have known about so-called “David and Goliath” binary black hole systems for a while, but “this is a different beast,” said Pasham. “It doesn’t fit anything that we know about these systems. We’re seeing evidence of objects going in and through the disk, at different angles, which challenges the traditional picture of a simple gaseous disk around black holes. We think there is a huge population of these systems out there.”

Science Advances, 2024. DOI: 10.1126/sciadv.adj8898



PyPI halted new users and projects while it fended off supply-chain attack

ONSLAUGHT —

Automation is making attacks on open source code repositories harder to fight.

Supply-chain attacks, like the latest PyPI discovery, insert malicious code into seemingly functional software packages used by developers. They're becoming increasingly common.


Getty Images

PyPI, a vital repository for open source developers, temporarily halted new project creation and new user registration following an onslaught of package uploads that executed malicious code on any device that installed them. Ten hours later, it lifted the suspension.

Short for the Python Package Index, PyPI is the go-to source for apps and code libraries written in the Python programming language. Fortune 500 corporations and independent developers alike rely on the repository to obtain the latest versions of code needed to make their projects run. At a little after 7 pm PT on Wednesday, the site started displaying a banner message informing visitors that the site was temporarily suspending new project creation and new user registration. The message didn’t explain why or provide an estimate of when the suspension would be lifted.

Screenshot showing temporary suspension notification.


Checkmarx

About 10 hours later, PyPI restored new project creation and new user registration. Once again, the site provided no reason for the 10-hour halt.

According to security firm Checkmarx, in the hours leading up to the closure, PyPI came under attack by users who likely used automated means to upload malicious packages that, when executed, infected user devices. The attackers used a technique known as typosquatting, which capitalizes on typos users make when entering the names of popular packages into command-line interfaces. By giving the malicious packages names that are similar to popular benign packages, the attackers count on their malicious packages being installed when someone mistakenly enters the wrong name.

“The threat actors target victims with Typosquatting attack technique using their CLI to install Python packages,” Checkmarx researchers Yehuda Gelb, Jossef Harush Kadouri, and Tzachi Zornstain wrote Thursday. “This is a multi-stage attack and the malicious payload aimed to steal crypto wallets, sensitive data from browsers (cookies, extensions data, etc.) and various credentials. In addition, the malicious payload employed a persistence mechanism to survive reboots.”

Screenshot showing some of the malicious packages found by Checkmarx.


Checkmarx

The post said the malicious packages were “most likely created using automation” but didn’t elaborate. Attempts to reach PyPI officials for comment weren’t immediately successful. The package names mimicked those of popular packages and libraries such as Requests, Pillow, and Colorama.

The temporary suspension is only the latest event to highlight the increased threats confronting the software development ecosystem. Last month, researchers revealed an attack on open source code repository GitHub that was flooding the site with millions of packages containing obfuscated code that stole passwords and cryptocurrencies from developer devices. The malicious packages were clones of legitimate ones, making them hard to distinguish to the casual eye.

The party responsible automated a process that forked legitimate packages, meaning the source code was copied so developers could use it in an independent project that built on the original one. The result was millions of forks with names identical to the original ones. Inside the identical code was a malicious payload wrapped in multiple layers of obfuscation. While GitHub was able to remove most of the malicious packages quickly, the company wasn’t able to filter out all of them, leaving the site in a persistent loop of whack-a-mole.

Similar attacks are a fact of life for virtually all open source repositories, including npm and RubyGems.

Earlier this week, Checkmarx reported a separate supply-chain attack that also targeted Python developers. The actors in that attack cloned the Colorama tool, hid malicious code inside, and made it available for download on a fake mirror site with a typosquatted domain that mimicked the legitimate files.pythonhosted.org one. The attackers hijacked the accounts of popular developers, likely by stealing the authentication cookies they used. Then, they used the hijacked accounts to contribute malicious commits that included instructions to download the malicious Colorama clone. Checkmarx said it found evidence that some developers were successfully infected.

In Thursday’s post, the Checkmarx researchers reported:

The malicious code is located within each package’s setup.py file, enabling automatic execution upon installation.

In addition, the malicious payload employed a technique where the setup.py file contained obfuscated code that was encrypted using the Fernet encryption module. When the package was installed, the obfuscated code was automatically executed, triggering the malicious payload.


Upon execution, the malicious code within the setup.py file attempted to retrieve an additional payload from a remote server. The URL for the payload was dynamically constructed by appending the package name as a query parameter.

Screenshot of code creating dynamic URL.


Checkmarx

The retrieved payload was also encrypted using the Fernet module. Once decrypted, the payload revealed an extensive info-stealer designed to harvest sensitive information from the victim’s machine.

The malicious payload also employed a persistence mechanism to ensure it remained active on the compromised system even after the initial execution.

Screenshot showing code that allows persistence.


Checkmarx
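As an added example (not code from Checkmarx or PyPI), the following static triage parses a setup.py with Python's ast module and flags the indicators the report describes: decrypted data passed to exec(), Fernet and base64 imports, and any top-level call other than setup() that would run during installation. The two sample files, the indicator lists, and the placeholder key and ciphertext are all constructed assumptions.

```python
"""Static triage of a setup.py for install-time execution indicators.
Added example for this article, not Checkmarx's or PyPI's code; the samples
are constructed and the indicator lists are a heuristic assumption."""
import ast

# Constructed sample with the shape the report describes: an encrypted blob,
# a Fernet decrypt, and exec() at module level so it runs on installation.
# The key and ciphertext are non-functional placeholders.
SUSPICIOUS_SETUP_PY = '''
from setuptools import setup
from cryptography.fernet import Fernet
import base64
blob = b"PLACEHOLDER-CIPHERTEXT"   # constructed, not a real payload
key = b"PLACEHOLDER-KEY"
exec(Fernet(key).decrypt(blob))
setup(name="requets", version="0.0.1")
'''

# Constructed benign sample: only setup() runs when the file is imported.
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="mypkg", version="1.0.0", packages=["mypkg"])
'''

# Heuristic indicator lists (assumption): dynamic code execution, plus
# modules commonly seen around obfuscation, decryption and payload staging.
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
WATCHED_MODULES = {"cryptography.fernet", "base64", "marshal", "zlib",
                   "urllib.request", "requests", "subprocess", "socket"}


def _call_name(func: ast.expr) -> str:
    """Dotted name of a called expression, or '' when it is not a plain name."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _call_name(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return ""


def triage_setup_py(source: str) -> dict:
    """Parse setup.py source and collect indicators without executing it."""
    tree = ast.parse(source)
    findings = {"dynamic_exec": [], "watched_imports": [], "module_level_calls": []}

    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            findings["watched_imports"] += [a.name for a in node.names
                                            if a.name in WATCHED_MODULES]
        elif isinstance(node, ast.ImportFrom):
            if (node.module or "") in WATCHED_MODULES:
                findings["watched_imports"].append(node.module)
        elif isinstance(node, ast.Call):
            name = _call_name(node.func)
            if name.split(".")[-1] in DYNAMIC_EXEC:
                findings["dynamic_exec"].append((name, node.lineno))

    # Any top-level call other than setup() executes as a side effect of
    # "pip install"; that is exactly the behaviour the report relies on.
    for stmt in tree.body:
        if isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            name = _call_name(stmt.value.func)
            if name.split(".")[-1] != "setup":
                findings["module_level_calls"].append((name, stmt.lineno))

    if findings["dynamic_exec"] or findings["module_level_calls"]:
        findings["verdict"] = "review"   # code runs at install beyond setup()
    elif findings["watched_imports"]:
        findings["verdict"] = "inspect"  # unusual imports, no execution seen
    else:
        findings["verdict"] = "ok"
    return findings


if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP_PY), ("benign", BENIGN_SETUP_PY)):
        print(label, triage_setup_py(src))
```

A verdict of "review" is a triage signal for a human, not proof of malice; build scripts legitimately import subprocess or zlib, which is why imports alone only yield "inspect".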

Besides using typosquatting and a similar technique known as brandjacking to trick developers into installing malicious packages, threat actors also employ dependency confusion. The technique works by uploading malicious packages to public code repositories and giving them a name that’s identical to a package stored in the target developer’s internal repository that one or more of the developer’s apps depend on to work. Developers’ software management apps often favor external code libraries over internal ones, so they download and use the malicious package rather than the trusted one. In 2021, a researcher used a similar technique to successfully execute counterfeit code on networks belonging to Apple, Microsoft, Tesla, and dozens of other companies.

There are no sure-fire ways to guard against such attacks. Instead, it’s incumbent on developers to meticulously check and double-check packages before installing them, paying close attention to every letter in a name.



Ubuntu will manually review Snap Store after crypto wallet scams

Linux app distribution —

Former Canonical employee calls out the “Safe” label applied to Snap apps.

Man holding a piggy bank at his desk, with the piggy wired up with strange circuits and hardware

One thing you can say about this crypto wallet: You can’t confuse it for any other.

Getty Images

The Snap Store, where containerized Snap apps are distributed for Ubuntu’s Linux distribution, has been attacked for months by fake crypto wallet uploads that seek to steal users’ currencies. As a result, engineers at Ubuntu’s parent firm are now manually reviewing apps uploaded to the store before they are available.

The move follows weeks of reporting by Alan Pope, a former Canonical/Ubuntu staffer on the Snapcraft team, who is still very active in the ecosystem. In February, Pope blogged about how one bitcoin investor lost nine bitcoins (about $490,000 at the time) by using an “Exodus Wallet” app from the Snap store. Exodus is a known cryptocurrency wallet, but this wallet was not from that entity. As detailed by one user wondering what happened on the Snapcraft forums, the wallet immediately transferred his entire balance to an unknown address after a 12-word recovery phrase was entered (which Exodus tells you on support pages never to do).

Pope takes pains to note that cryptocurrency is inherently fraught with loss risk. Still, Ubuntu’s App Center, which presents the Snap Store for desktop users, tagged the “Exodus” app as “Safe,” and the web version of the Snap Store describes Snaps as “safe to run.” While Ubuntu is describing apps as “Safe” in the sense of being an auto-updating container with runtime confinement (or “sandboxed”), a green checkmark with “Safe” next to it could be misread, especially by a newcomer to Ubuntu, Snaps, and Linux generally.

More than that, Pope’s post points out that writing, packaging, and uploading the Snap to Ubuntu’s store results in an app that is “immediately searchable, and available for anyone, almost anywhere to download, install and run it” (emphasis Pope’s). There are, he noted, “No humans in the loop.”

Mark Shuttleworth, founder of Ubuntu and CEO of Canonical, responded to a related thread on whether crypto apps should be banned entirely. “I agree that cryptocurrency is largely a cesspit of ignoble intentions, even if the mathematics are interesting,” Shuttleworth wrote. At Ubuntu, it was “fair to challenge ourselves” to offer additional safety measures, “even if they will never be perfect.” Making apps safer for people vulnerable to social engineering is “a very hard problem but one I think we can and should engage in,” Shuttleworth wrote.

He did not, however, agree that cryptocurrency apps should be broadly banned.

After what Shuttleworth described as “a quiet war with these malicious actors for the past few months” (which was, according to Pope, ongoing as of earlier this month), Snaps are indeed changing.

At the Snapcraft forums, Holly Hall, product lead for Ubuntu’s backing services company Canonical, wrote last week about a new policy of manual review for all new Snap registrations. Engineering teams will review apps and reach out to publishers to verify names and intents. A name that is “suspected as being malicious or is crypto-wallet-related” will be rejected. A policy regarding how to properly publish a crypto wallet in the Snap store is forthcoming, Hall wrote.

As noted by The Register, a different sandboxed app platform (store), Flathub, recently made related changes to its validation process. Flathub now flags apps that have made notable changes to permission requests or package names. Open software repositories have long faced issues with malicious look-alike uploads, including the PyPI index for Python programming.

Ars has reached out to Canonical for comment and will update this post if we receive a response.



China has a big problem with super gonorrhea, study finds

Alarming —

Drug-resistant gonorrhea is a growing problem—one that doesn’t heed borders.

A billboard from the AIDS Healthcare Foundation is seen on Sunset Boulevard in Hollywood, California, on May 29, 2018, warning of a drug-resistant gonorrhea.


Health officials have long warned that gonorrhea is becoming more and more resistant to all the antibiotic drugs we have to fight it. Last year, the US reached a grim landmark: For the first time, two unrelated people in Massachusetts were found to have gonorrhea infections with complete or reduced susceptibility to every drug in our arsenal, including the frontline drug ceftriaxone. Luckily, they were still able to be cured with high-dose injections of ceftriaxone. But, as the US Centers for Disease Control and Prevention bluntly notes: “Little now stands between us and untreatable gonorrhea.”

If public health alarm bells could somehow hit a higher pitch, a study published Thursday from researchers in China would certainly accomplish it. The study surveyed gonorrhea bacterial isolates—Neisseria gonorrhoeae—from around the country and found that the prevalence of ceftriaxone-resistant isolates nearly tripled between 2017 and 2021. Ceftriaxone-resistant strains made up roughly 8 percent of the nearly 3,000 bacterial isolates collected from gonorrhea infections in 2022. That’s up from just under 3 percent in 2017. The study appears in the CDC’s Morbidity and Mortality Weekly Report.

While those single-digit percentages may seem low, compared to other countries they’re extremely high. In the US, for instance, the prevalence of ceftriaxone-resistant strains never went above 0.2 percent between 2017 and 2021, according to the CDC. In Canada, ceftriaxone resistance was stable at 0.6 percent between 2017 and 2021. The United Kingdom had a prevalence of 0.21 percent in 2022.

Ceftriaxone is currently the first-line treatment for gonorrhea because Neisseria gonorrhoeae has spent the past several decades building up resistance to pretty much everything else. As the CDC notes, in the 1980s, the drugs of choice for gonorrhea infections were penicillin and tetracycline. But the bacteria developed resistance. By the 1990s, the CDC was forced to switch to a class of antibiotics called fluoroquinolones, including ciprofloxacin (Cipro). But fluoroquinolone resistance developed, too, and resistance to Cipro is now widespread. In the early 2000s, the CDC began having to tweak the recommendations as resistance spread to new places and populations.

Resistance rising

By 2007, the agency switched to cephalosporins, including cefixime. In 2010, the CDC updated the treatment again, recommending that doctors combine cephalosporins with one of two other types of antibiotics—azithromycin or doxycycline—to try to thwart the development of resistance. But it was also no use. Two years later, in 2012, the CDC updated recommendations when cefixime resistance developed. In 2020, azithromycin was also abandoned. The cephalosporin ceftriaxone is the last drug standing in the US to treat gonorrhea infections.

Resistance of gonococcal isolates to ciprofloxacin, penicillin, tetracycline, azithromycin, cefixime, ceftriaxone, and spectinomycin—13 Gonococcal Resistance Surveillance Program sentinel sites, China, 2022.


In China, the swift spread of ceftriaxone-resistant isolates is alarming. The data stem from 2,804 isolates, representing 2.9 percent of all cases reported in China during 2022. Those figures come from 13 of the country’s 19 provinces. While the overall prevalence of ceftriaxone-resistant isolates was 8.1 percent among the 2,804 isolates, five of those 13 provinces had prevalence rates above 10 percent. Three provinces had prevalence rates above 25 percent. In all, 18 isolates were resistant to all the antibiotics tested except for a bygone antibiotic called spectinomycin, which is discontinued in the US and elsewhere.

The study has limitations. For one, the reported number of gonorrhea cases is very likely an undercount of actual cases. Beyond gaps in reporting, many people with gonorrhea have no symptoms and, as such, don’t seek treatment. Additionally, the isolates the researchers did have represented less than 3 percent of reported cases, so it’s possible the prevalence rates don’t represent the isolates of the entire country. Also, the researchers didn’t have detailed case data that might help identify specific risk factors for resistance development, such as the antibiotic treatments patients had. The authors did note that antibiotics are only given by prescription in China.

“These findings underscore the urgent need for a comprehensive approach to address antibiotic-resistant N. gonorrhoeae in China, including identifying factors contributing to this high resistance rate, especially in provinces where the percentage of gonococcal isolates resistant to ceftriaxone is >10 percent,” the authors write.

But they also note that this is not just an alarming finding for China but also a “pressing public health concern” for the entire world. “These resistant clones have spread internationally, and collaborative cross-border efforts will be essential to monitoring and mitigating its further spread,” they write.



Biden orders every US agency to appoint a chief AI officer

Mission control —

Federal agencies rush to appoint chief AI officers with “significant expertise.”


The White House has announced the “first government-wide policy to mitigate risks of artificial intelligence (AI) and harness its benefits.” To coordinate these efforts, every federal agency must appoint a chief AI officer with “significant expertise in AI.”

Some agencies have already appointed chief AI officers, but any agency that has not must appoint a senior official over the next 60 days. If an official already appointed as a chief AI officer does not have the necessary authority to coordinate AI use in the agency, they must be granted additional authority or else a new chief AI officer must be named.

Ideal candidates might include chief information officers, chief data officers, or chief technology officers, the Office of Management and Budget (OMB) policy said.

As chief AI officers, appointees will serve as senior advisers on AI initiatives, monitoring and inventorying all agency uses of AI. They must conduct risk assessments to consider whether any AI uses are impacting “safety, security, civil rights, civil liberties, privacy, democratic values, human rights, equal opportunities, worker well-being, access to critical resources and services, agency trust and credibility, and market competition,” OMB said.

Perhaps most urgently, by December 1, the officers must correct all non-compliant AI uses in government, unless an extension of up to one year is granted.

The chief AI officers will seemingly enjoy a lot of power and oversight over how the government uses AI. It’s up to the chief AI officers to develop a plan to comply with minimum safety standards and to work with chief financial and human resource officers to develop the necessary budgets and workforces to use AI to further each agency’s mission and ensure “equitable outcomes,” OMB said. Here’s a brief summary of OMB’s ideals:

Agencies are encouraged to prioritize AI development and adoption for the public good and where the technology can be helpful in understanding and tackling large societal challenges, such as using AI to improve the accessibility of government services, reduce food insecurity, address the climate crisis, improve public health, advance equitable outcomes, protect democracy and human rights, and grow economic competitiveness in a way that benefits people across the United States.

Among the chief AI officer’s primary responsibilities is determining what AI uses might impact the safety or rights of US citizens. They’ll do this by assessing AI impacts, conducting real-world tests, independently evaluating AI, regularly evaluating risks, properly training staff, providing additional human oversight where necessary, and giving public notice of any AI use that could have a “significant impact on rights or safety,” OMB said.

OMB breaks down several AI uses that could impact safety, including controlling “safety-critical functions” within everything from emergency services to food-safety mechanisms to systems controlling nuclear reactors. Using AI to maintain election integrity could be safety-impacting, too, as could using AI to move industrial waste, control health insurance costs, or detect the “presence of dangerous weapons.”

Uses of AI presumed to be rights-impacting include censoring protected speech and a wide range of law enforcement efforts, such as predicting crimes, sketching faces, or using license plate readers to track personal vehicles in public spaces. Other rights-impacting AI uses include “risk assessments related to immigration,” “replicating a person’s likeness or voice without express consent,” or detecting students cheating.

Chief AI officers will ultimately decide if any AI use is safety- or rights-impacting and must adhere to OMB’s minimum standards for responsible AI use. Once a determination is made, the officers will “centrally track” the determinations, informing OMB of any major changes to “conditions or context in which the AI is used.” The officers will also regularly convene “a new Chief AI Officer Council to coordinate” efforts and share innovations government-wide.

As agencies advance AI uses—which the White House says is critical to “strengthen AI safety and security, protect Americans’ privacy, advance equity and civil rights, stand up for consumers and workers, promote innovation and competition, advance American leadership around the world, and more”—chief AI officers will become the public-facing figures accountable for decisions made. In that role, the officer must consult with the public and incorporate “feedback from affected communities,” notify “negatively affected individuals” of new AI uses, and maintain options to opt-out of “AI-enabled decisions,” OMB said.

However, OMB noted that chief AI officers also have the power to waive opt-out options “if they can demonstrate that a human alternative would result in a service that is less fair (e.g., produces a disparate impact on protected classes) or if an opt-out would impose undue hardship on the agency.”
