Tim Belzer – Page 53

Final reminder: Donate today to win swag in our annual Charity Drive sweepstakes

gaming / Tim Belzer / January 2, 2025

How it works

Donating is easy. Simply donate to Child’s Play using a credit card or PayPal or donate to the EFF using PayPal, credit card, or cryptocurrency. You can also support Child’s Play directly by using this Ars Technica campaign page or by picking an item from the Amazon wish list of a specific hospital on its donation page. Donate as much or as little as you feel comfortable with—every bit helps.

Once that’s done, it’s time to register your entry in our sweepstakes. Just grab a digital copy of your receipt (a forwarded email, a screenshot, or simply a cut-and-paste of the text) and send it to [email protected] with your name, postal address, daytime telephone number, and email address by 11: 59 pm ET Thursday, January 2, 2025.

One entry per person, and each person can only win up to one prize. US residents only. NO PURCHASE NECESSARY. See the official rules for more information, including how to enter without making a donation. Also, refer to the Ars Technica privacy policy (https://www.condenast.com/privacy-policy).

We’ll then contact the winners and have them choose their prize by January 31, 2025 (choosing takes place in the order the winners are drawn). Good luck!

Final reminder: Donate today to win swag in our annual Charity Drive sweepstakes Read More »

The perfect New Year’s Eve comedy turns 30

Coen brothers, culture, Entertainment, film, film anniversaries, Sam Raimi, The Hudsucker Proxy, Warner Bros. / Tim Belzer / December 31, 2024

There aren’t that many movies specifically set on New Year’s Eve, but one of the best is The Hudsucker Proxy (1994), Joel and Ethan Coen’s visually striking, affectionate homage to classic Hollywood screwball comedies. The film turned 30 this year, so it’s the perfect opportunity for a rewatch.

(WARNING: Spoilers below.)

The Coen brothers started writing the script for The Hudsucker Proxy when Joel was working as an assistant editor on Sam Raimi’s The Evil Dead (1981). Raimi ended up co-writing the script, as well as making a cameo appearance as a brainstorming marketing executive. The Coen brothers took their inspiration from the films of Preston Sturgess and Frank Capra, among others, but the intent was never to satirize or parody those films. “It’s the case where, having seen those movies, we say ‘They’re really fun—let’s do one!’; as opposed to “They’re really fun—let’s comment upon them,'” Ethan Coen has said.

They finished the script in 1985, but at the time they were small indie film directors. It wasn’t until the critical and commercial success of 1991’s Barton Fink that the Coen brothers had the juice in Hollywood to finally make The Hudsucker Proxy. Warner Bros. greenlit the project and producer Joel Silver gave the brothers complete creative control, particularly over the final cut.

Norville Barnes (Tim Robbins) is an ambitious, idealistic recent graduate of a business college in Muncie, Indiana, who takes a job as a mailroom clerk at Hudsucker Industries in New York, intent on working his way to the top. That ascent happens much sooner than expected. On the same December day in 1958, the company’s founder and president, Waring Hudsucker (Charles Durning), leaps to his death from the boardroom on the 44th floor (not counting the mezzanine).

A meteoric rise

Norville Barnes (Tim Robbins) gets a job at Hudsucker Industries Warner Bros.

To keep the company’s stock from going public as the bylaws dictate, board member Sidney Mussburger (Paul Newman) proposes they elect a patsy as the next president—someone so incompetent it will spook investors and temporarily depress the stock so the board can buy up controlling shares on the cheap. Enter Norville, who takes the opportunity of delivering a Blue Letter to Mussburger to pitch a new product, represented by a simple circle drawn on a piece of paper: “You know… for kids!” Thinking he’s found his imbecilic patsy, Mussburger names Norville the new president.

The perfect New Year’s Eve comedy turns 30 Read More »

Power company hid illegal crypto mine that may have caused outages

Bitcoin, crypto mining, Cryptocurrency, Policy, russia, siberia / Tim Belzer / December 30, 2024

But Russia presumably gets no taxes on illegal crypto mining, and power outages can be costly for everyone in a region. So next year, Russia will ban crypto mining in 10 regions for six years and place seasonal restrictions that would disrupt some crypto mining operations during the coldest winter months in regions like Irkutsk, CoinTelegraph reported.

Illegal mining is still reportedly thriving in Irkutsk, though, despite the government’s attempts to shut down secret farms. To deter any illegal crypto mining disrupting power grids last year, authorities seized hundreds of crypto mining rigs in Irkutsk, Crypto News reported.

In July, Russian president Vladimir Putin linked blackouts to illegal crypto mines, warning that crypto mining currently consumes “almost 1.5 percent of Russia’s total electricity consumption,” but “the figure continues to go up,” the Moscow Times reported. And in September, Reuters reported that illegal mines were literally going underground to avoid detection as Russia’s crackdown continues.

Even though illegal mines are seemingly common in parts of Siberia and increasingly operating out of the public eye, finding an illegal mine hidden on state land controlled by an electrical utility was probably surprising to officials.

The power provider was not named in the announcement, and there are several in the region, so it’s not currently clear which one made the controversial decision to lease state land to an illegal mining operation.

Power company hid illegal crypto mine that may have caused outages Read More »

Evolution journal editors resign en masse

AI, AI in science, Elsevier, Journal of Human Evolution, retraction watch, Science, science journals / Tim Belzer / December 30, 2024

an emerging form of protest?

Board members expressed concerns over high fees, editorial independence, and use of AI in editorial processes.

Over the holiday weekend, all but one member of the editorial board of Elsevier’s Journal of Human Evolution (JHE) resigned “with heartfelt sadness and great regret,” according to Retraction Watch, which helpfully provided an online PDF of the editors’ full statement. It’s the 20th mass resignation from a science journal since 2023 over various points of contention, per Retraction Watch, many in response to controversial changes in the business models used by the scientific publishing industry.

“This has been an exceptionally painful decision for each of us,” the board members wrote in their statement. “The editors who have stewarded the journal over the past 38 years have invested immense time and energy in making JHE the leading journal in paleoanthropological research and have remained loyal and committed to the journal and our authors long after their terms ended. The [associate editors] have been equally loyal and committed. We all care deeply about the journal, our discipline, and our academic community; however, we find we can no longer work with Elsevier in good conscience.”

The editorial board cited several changes made over the last ten years that it believes are counter to the journal’s longstanding editorial principles. These included eliminating support for a copy editor and a special issues editor, leaving it to the editorial board to handle those duties. When the board expressed the need for a copy editor, Elsevier’s response, they said, was “to maintain that the editors should not be paying attention to language, grammar, readability, consistency, or accuracy of proper nomenclature or formatting.”

There is also a major restructuring of the editorial board underway that aims to reduce the number of associate editors by more than half, which “will result in fewer AEs handling far more papers, and on topics well outside their areas of expertise.”

Furthermore, there are plans to create a third-tier editorial board that functions largely in a figurehead capacity, after Elsevier “unilaterally took full control” of the board’s structure in 2023 by requiring all associate editors to renew their contracts annually—which the board believes undermines its editorial independence and integrity.

Worst practices

In-house production has been reduced or outsourced, and in 2023 Elsevier began using AI during production without informing the board, resulting in many style and formatting errors, as well as reversing versions of papers that had already been accepted and formatted by the editors. “This was highly embarrassing for the journal and resolution took six months and was achieved only through the persistent efforts of the editors,” the editors wrote. “AI processing continues to be used and regularly reformats submitted manuscripts to change meaning and formatting and require extensive author and editor oversight during proof stage.”

In addition, the author page charges for JHE are significantly higher than even Elsevier’s other for-profit journals, as well as broad-based open access journals like Scientific Reports. Not many of the journal’s authors can afford those fees, “which runs counter to the journal’s (and Elsevier’s) pledge of equality and inclusivity,” the editors wrote.

The breaking point seems to have come in November, when Elsevier informed co-editors Mark Grabowski (Liverpool John Moores University) and Andrea Taylor (Touro University California College of Osteopathic Medicine) that it was ending the dual-editor model that has been in place since 1986. When Grabowki and Taylor protested, they were told the model could only remain if they took a 50 percent cut in their compensation.

Elsevier has long had its share of vocal critics (including our own Chris Lee) and this latest development has added fuel to the fire. “Elsevier has, as usual, mismanaged the journal and done everything they could to maximize profit at the expense of quality,” biologist PZ Myers of the University of Minnesota Morris wrote on his blog Pharyngula. “In particular, they decided that human editors were too expensive, so they’re trying to do the job with AI. They also proposed cutting the pay for the editor-in-chief in half. Keep in mind that Elsevier charges authors a $3990 processing fee for each submission. I guess they needed to improve the economics of their piratical mode of operation a little more.”

Elsevier has not yet responded to Ars’ request for comment; we will update accordingly should a statement be issued.

Not all AI uses are created equal

John Hawks, an anthropologist at the University of Wisconsin, Madison, who has published 17 papers in JHE over his career, expressed his full support for the board members’ decision on his blog, along with shock at the (footnoted) revelation that Elsevier had introduced AI to its editorial process in 2023. “I’ve published four articles in the journal during the last two years, including one in press now, and if there was any notice to my co-authors or me about an AI production process, I don’t remember it,” he wrote, noting that the move violates the journal’s own AI policies. “Authors should be informed at the time of submission how AI will be used in their work. I would have submitted elsewhere if I was aware that AI would potentially be altering the meaning of the articles.”

There is certainly cause for concern when it comes to using AI in the pursuit of science. For instance, earlier this year, we witnessed the viral sensation of several egregiously bad AI-generated figures published in a peer-reviewed article in Frontiers, a reputable scientific journal. Scientists on social media expressed equal parts shock and ridicule at the images, one of which featured a rat with grotesquely large and bizarre genitals. The paper has since been retracted, but the incident reinforces a growing concern that AI will make published scientific research less trustworthy, even as it increases productivity.

That said, there are also some useful applications of AI in the scientific endeavor. For instance, back in January, the research publisher Science announced that all of its journals would begin using commercial software that automates the process of detecting improperly manipulated images. Perhaps that would have caught the egregious rat genitalia figure, although as Ars Science Editor John Timmer pointed out at the time, the software has limitations. “While it will catch some of the most egregious cases of image manipulation, enterprising fraudsters can easily avoid being caught if they know how the software operates,” he wrote.

Hawks acknowledged on his blog that the use of AI by scientists and scientific journals is likely inevitable and even recognizes the potential benefits. “I don’t think this is a dystopian future. But not all uses of machine learning are equal,” he wrote. To wit:

[I]t’s bad for anyone to use AI to reduce or replace the scientific input and oversight of people in research—whether that input comes from researchers, editors, reviewers, or readers. It’s stupid for a company to use AI to divert experts’ effort into redundant rounds of proofreading, or to make disseminating scientific work more difficult.

In this case, Elsevier may have been aiming for good but instead hit the exacta of bad and stupid. It’s especially galling that they demand transparency from authors but do not provide transparency about their own processes… [I]t would be a very good idea for authors of recent articles to make sure that they have posted a preprint somewhere, so that their original pre-AI version will be available for readers. As the editors lose access, corrections to published articles may become difficult or impossible.

Nature published an article back in March raising questions about the efficacy of mass resignations as an emerging form of protest after all the editors of the Wiley-published linguistics journal Syntax resigned in February. (Several of their concerns mirror those of the JHE editorial board.) Such moves certainly garner attention, but even former Syntax editor Klaus Abels of University College London told Nature that the objective of such mass resignations should be on moving beyond mere protest, focusing instead on establishing new independent nonprofit journals for the academic community that are open access and have high academic standards.

Abels and his former Syntax colleagues are in the process of doing just that, following the example of the former editors of Critical Public Health and another Elsevier journal, NeuroImage, last year.

Jennifer is a senior reporter at Ars Technica with a particular focus on where science meets culture, covering everything from physics and related interdisciplinary topics to her favorite films and TV series. Jennifer lives in Baltimore with her spouse, physicist Sean M. Carroll, and their two cats, Ariel and Caliban.

Evolution journal editors resign en masse Read More »

Frogfish reveals how it evolved the “fishing rod” on its head

anglerfish, frogfish, oceanography, Science / Tim Belzer / December 30, 2024

In most bony fish, or teleosts, motor neurons for fins are found on the sides (ventrolateral zone) of the underside (ventral horn) of the spinal cord. The motor neurons controlling the illicium of frogfish are in their own cluster and located in the dorsolateral zone. In fish, this is unusual.

“The peculiar location of fishing motor neurons, with little doubt, is linked with the specialization of the illicium serving fishing behavior,” the team said in a study recently published in the Journal of Comparative Neurology.

Fishing for answers

So what does this have to do with evolution? The white-spotted pygmy filefish might look nothing like a frogfish and has no built-in fishing lure, but it is still a related species and can possibly tell us something.

While the first dorsal fin of the filefish doesn’t really move—it is thought that its main purpose is to scare off predators by looking menacing—there are still motor neurons that control it. Motor neurons for the first dorsal fin of filefish were found in the same location as motor neurons for the second, third and fourth dorsal fins in frogfish. In frogfish, these fins also do not move much while swimming, but can appear threatening to a predator.

If the same types of motor neurons control non-moving fins in both species, the frogfish has something extra when it comes to the function and location of motor neurons controlling the illicium.

Yamamoto thinks the unique group of fishing motor neurons found in frogfish suggests that, as a result of evolution, “the motor neurons for the illicium [became] segregated from other motor neurons” to end up in their own distinct cluster away from motor neurons controlling other fins, as he said in the study.

What exactly caused the functional and locational shift of motor neurons that give the frogfish’s illicium its function is still a mystery. How the brain influences their fishing behavior is another area that needs to be investigated.

While Yamamoto and his team speculate that specific regions of the brain send messages to the fishing motor neurons, they do not yet know which regions are involved, and say that more studies need to be carried out on other species of fish and the groups of motor neurons that power each of their dorsal fins.

In the meantime, the frogfish will continue being its freaky self.

Journal of Comparative Neurology, 2024. DOI: 10.1002/cne.25674

Frogfish reveals how it evolved the “fishing rod” on its head Read More »

You can love or hate AI, but it’s killed crappy 8GB versions of pricey PCs and Macs

Apple, apple intelligence, chatgpt, copilot+ PC, Tech / Tim Belzer / December 30, 2024

I’d describe myself as a skeptic of the generative AI revolution—I think the technology as it currently exists is situationally impressive and useful for specific kinds of tasks, but broadly oversold. I’m not sure it will vanish from relevance to quite the extent that other tech fads like the metaverse or NFTs did, but my suspicion is that companies like Nvidia and OpenAI are riding a bubble that will pop or deflate over time as more companies and individuals run up against the technology’s limitations, and as it fails to advance as quickly or as impressively as its most ardent boosters are predicting.

Maybe you agree with me and maybe you don’t! I’m not necessarily trying to convince you one way or the other. But I am here to say that even if you agree with me, we can all celebrate the one unambiguously positive thing that the generative AI hype cycle has done for computers this year: the RAM floor for many PCs and all Macs is now finally 16GB instead of 8GB.

Companies like Apple and Microsoft have, for years, created attractive, high-powered hardware with 8GB of memory in it, most egregiously in $1,000-and-up putative “pro” computers like last year’s $1,599 M3 MacBook Pro or the Surface Pro 9.

This meant that, for the kinds of power users and professionals drawn to these machines, that their starting prices were effectively mirages; “pay for 16GB if you can” has been my blanket advice to MacBook buyers for years now, since there’s basically no workload (including Just Browsing The Web) that won’t benefit at least a little. It also leaves more headroom for future software bloat and future hobby discovery. Did you buy an 8GB Mac, and then decide you wanted to try software development, photo or video editing, CAD design, or Logic Pro? Good luck!

You can love or hate AI, but it’s killed crappy 8GB versions of pricey PCs and Macs Read More »

Passkey technology is elegant, but it’s most definitely not usable security

Biz & IT, Features, login, passkeys, passwords, phishing, Security, signin / Tim Belzer / December 30, 2024

NOT (QUITE) READY FOR PRIMETIME

Just in time for holiday tech-support sessions, here’s what to know about passkeys.

It’s that time again, when families and friends gather and implore the more technically inclined among them to troubleshoot problems they’re having behind the device screens all around them. One of the most vexing and most common problems is logging into accounts in a way that’s both secure and reliable.

Using the same password everywhere is easy, but in an age of mass data breaches and precision-orchestrated phishing attacks, it’s also highly unadvisable. Then again, creating hundreds of unique passwords, storing them securely, and keeping them out of the hands of phishers and database hackers is hard enough for experts, let alone Uncle Charlie, who got his first smartphone only a few years ago. No wonder this problem never goes away.

Passkeys—the much-talked-about password alternative to passwords that have been widely available for almost two years—was supposed to fix all that. When I wrote about passkeys two years ago, I was a big believer. I remain convinced that passkeys mount the steepest hurdle yet for phishers, SIM swappers, database plunderers, and other adversaries trying to hijack accounts. How and why is that?

Elegant, yes, but usable?

The FIDO2 specification and the overlapping WebAuthn predecessor that underpin passkeys are nothing short of pure elegance. Unfortunately, as support has become ubiquitous in browsers, operating systems, password managers, and other third-party offerings, the ease and simplicity envisioned have been undone—so much so that they can’t be considered usable security, a term I define as a security measure that’s as easy, or only incrementally harder, to use as less-secure alternatives.

“There are barriers at each turn that guide you through a developer’s idea of how you should use them,” William Brown, a software engineer specializing in authentication, wrote in an online interview. “None of them are deal-breaking, but they add up.”

Passkeys are now supported on hundreds of sites and roughly a dozen operating systems and browsers. The diverse ecosystem demonstrates the industry-wide support for passkeys, but it has also fostered a jumble of competing workflows, appearances, and capabilities that can vary greatly depending on the particular site, OS, and browser (or browser agents such as native iOS or Android apps). Rather than help users understand the dizzying number of options and choose the right one, each implementation strong-arms the user into choosing the vendor’s preferred choice.

The experience of logging into PayPal with a passkey on Windows will be different from logging into the same site on iOS or even logging into it with Edge on Android. And forget about trying to use a passkey to log into PayPal on Firefox. The payment site doesn’t support that browser on any OS.

Another example is when I create a passkey for my LinkedIn account on Firefox. Because I use a wide assortment of browsers on platforms, I have chosen to sync the passkey using my 1Password password manager. In theory, that choice allows me to automatically use this passkey anywhere I have access to my 1Password account, something that isn’t possible otherwise. But it’s not as simple as all that.

When I look at the passkey in LinkedIn settings, it shows as being created for Firefox on Mac OS X 10, even though it works on all the browsers and OSes I’m using.

Screenshot showing passkey is created for Firefox on Mac OS X 10.

Why is LinkedIn indicating otherwise? The answer is that there’s no way for LinkedIn to interoperate flexibly with the browsers and OSes and vice versa. Per the FIDO2 and WebAuthn specs, LinkedIn knows only the browser and OS I used when creating the credential. 1Password, meanwhile, has no way to coordinate with LinkedIn to ensure I’m presented with consistent information that will help me keep track of this. Suddenly, using passkeys is more confusing than it needs to be for there to be utility to ordinary users.

Things get more complicated still when I want to log into LinkedIn on Firefox for Android, and am presented with the following dialog box.

Screenshot showing a dialog box with the text: “You’re using on-device encryption. Unlock your passwords to sign in.”

At this point, I don’t know if it’s Google or Firefox that’s presenting me with this non-intuitive response. I just want to open LinkedIn using the passkey that’s being synced by 1Password to all my devices. Somehow, the mysterious entity responsible for this message (it’s Google in this case) has hijacked the process in an attempt to convince me to use its platform.

Also, consider the experience on WebAuthn.io, a site that demonstrates how the standard works under different scenarios. When a user wants to enroll a physical security key to log in on macOS, they receive a dialog that steers them toward using a passkey instead and to sync it through iCloud.

Dialog box showing macOS passkeys message.

The user just wants to enroll a security key in the form of a USB dongle or smartphone and can be used when logging in on any device. But instead, macOS preempts this task with directions for creating a passkey that will be synced through iCloud. What’s the user to do? Maybe click on the “other options” in small text at the very bottom? Let’s try and see.

The dialog box that appears after clicking “other options.”

Wait, why is it still offering the option for the passkey to be synced in iCloud, and how does that qualify as “other options”? And why is the most prominent suggestion that the user “continue with Touch ID”? It isn’t until selectng “security key” that the user will see that option they wanted all along—to store the credential on a security key. Only after this step—now three clicks in—does the light on a USB security key begin blinking, and the key is finally ready to be enrolled.

Dialog box finally allows the creation of a passkey on a security key.

The dueling dialogs in this example are by no means unique to macOS.

Too many cooks in the kitchen

“Most try to funnel you into a vendor’s sync passkey option, and don’t make it clear how you can use other things,” Brown noted. “Chrome, Apple, Windows, all try to force you to use their synced passkeys by default, and you have to click through prompts to use alternatives.”

Bruce Davie, another software engineer with expertise in authentication, agreed, writing in an October post that the current implementation of passkeys “seems to have failed the ‘make it easy for users’ test, which in my view is the whole point of passkeys.”

In April, Son Nguyen Kim, the product lead for the free Proton Pass password manager, penned a post titled Big Tech passkey implementations are a trap. In it, he complained that passkey implementations to date lock users into the platform they created the credential on.

“If you use Google Chrome as your browser on a Mac, it uses the Apple Keychain feature to store your passkeys,” he wrote. “This means you can’t sync your passkeys to your Chrome profile on other devices.” In an email last month, Kim said users can now override this option and choose to store their passkeys in Chrome. Even then, however, “passkeys created on Chrome on Mac don’t sync to Chrome in iPhone, so the user can’t use it seamlessly on Chrome on their iPhone.”

Other posts reciting similar complaints are here and here.

In short, there are too many cooks in the kitchen, and each one thinks they know the proper way to make pie.

I have put these and other criticisms to the test over the past four months. I have used them on a true heterogeneous environment that includes a MacBook Air, a Lenovo X1 ThinkPad, an iPhone, and a Pixel running Firefox, Chrome, Edge, Safari, and on the phones, a large number of apps, including those for LinkedIn, PayPal, eBay, Kayak, Gmail, Amazon, and Uber. My objective has been to understand how well passkey-based authentication works over the long term, particularly for cross-platform users.

I fully agree that syncing across different platforms is much harder than it should be. So is the messaging provided during the passkey enrollment phase. The dialogs users see are dictated arbitrarily by whatever OS or browser has control at the moment. There’s no way for previously made configuration choices to be communicated to tailor dialog boxes and workflow.

Another shortcoming: There’s no programming interface for Apple, Google, and Microsoft platforms to directly pass credentials from one to the other. The FIDO2 standard has devised a clever method in an attempt to bridge this gap. It typically involves joining two devices over a secure BLE connection and using a QR code so the already-authenticated device can vouch for the trustworthiness of the other. This process is easy for some people in some cases, but it can quickly become quirky and prone to failure, particularly when fussy devices can’t connect over BLE.

In many cases, however, critics overstate the severity of these sorts of problems. These are definitely things that unnecessarily confuse and complicate the use of passkeys. But often, they’re one-time events that can be overcome by creating multiple passkeys and bootstrapping them for each device. From then on, these unphishable, unstealable credentials live on both devices, in much the way some users allow credentials for their Gmail or Apple ID to be stored in two or more browsers or password managers for convenience.

More helpful still is using a cross-platform password manager to store and sync passkeys. I have been using 1Password to do just that for a month with no problems to report. Most other name-brand password managers would likely perform as well. In keeping with the FIDO2 spec, these credentials are end-to-end encrypted.

Halfway house for password managers

With my 1Password account running on my devices, I had no trouble using a passkey to log into any enrolled site on a device running any browser. The flow was fast and intuitive. In most cases, both iOS and Android had no problem passing the key from 1Password to an app for Uber, Amazon, Gmail, or another site. Signing into phone apps is one of the bigger hassles for me. Passkeys made this process much easier, and it did so while also allowing me the added security of MFA.

This reliance on a password manager, however, largely undermines a key value proposition of passkeys, which has been to provide an entirely new paradigm for authenticating ourselves. Using 1Password to sync a password is almost identical to syncing a passkey, so why bother? Worse still, the majority of people still don’t use password managers. I’m a big believer in password managers for the security they offer. Making them a condition for using a passkey would be a travesty.

I’m not the first person to voice this criticism. David Heinemeier Hansson said much the same thing in September.

“The problem with passkeys is that they’re essentially a halfway house to a password manager, but tied to a specific platform in ways that aren’t obvious to a user at all, and liable to easily leave them unable to access … their accounts,” wrote the Danish software engineer and programmer, who created Ruby on Rails and is the CTO of web-based software development firm 37signals. “Much the same way that two-factor authentication can do, but worse, since you’re not even aware of it.”

He continued:

Let’s take a simple example. You have an iPhone and a Windows computer. Chrome on Windows stores your passkeys in Windows Hello, so if you sign up for a service on Windows, and you then want to access it on iPhone, you’re going to be stuck (unless you’re so forward thinking as to add a second passkey, somehow, from the iPhone will on the Windows computer!). The passkey lives on the wrong device, if you’re away from the computer and want to login, and it’s not at all obvious to most users how they might fix that.

Even in the best case scenario, where you’re using an iPhone and a Mac that are synced with Keychain Access via iCloud, you’re still going to be stuck, if you need to access a service on a friend’s computer in a pinch. Or if you’re not using Keychain Access at all. There are plenty of pitfalls all over the flow. And the solutions, like scanning a QR code with a separate device, are cumbersome and alien to most users.

If you’re going to teach someone how to deal with all of this, and all the potential pitfalls that might lock them out of your service, you almost might as well teach them how to use a cross-platform password manager like 1Password.

Undermining security promises

The security benefits of passkeys at the moment are also undermined by an undeniable truth. Of the hundreds of sites supporting passkeys, there isn’t one I know of that allows users to ditch their password completely. The password is still mandatory. And with the exception of Google’s Advanced Protection Program, I know of no sites that won’t allow logins to fall back on passwords, often without any additional factor. Even then, all but Google APP accounts can be accessed using a recovery code.

This fallback on phishable, stealable credentials undoes some of the key selling points of passkeys. As soon as passkey adoption poses a meaningful hurdle in account takeovers, threat actors will devise hacks and social engineering attacks that exploit this shortcoming. Then we’re right back where we were before.

Christiaan Brandt, co-chair of the FIDO2 technical working group and an identity and security product manager at Google, said in an online interview that most users aren’t ready for true passwordless authentication.

“We have to meet users where they are,” he wrote. “When we tested messaging for passkeys, users balked at ‘replace your password with passkeys,’ but felt much more comfortable with more softened language like “you can now use a passkey to log in to your account too.’ Over time, we most definitely plan to wean users off phishable authentication factors, but we anticipate this journey to take multiple years. We really can only do it once users are so comfortable with passkeys that the fallback to passwords is (almost) never needed.”

A design choice further negating the security benefits of passkeys: Amazon, PayPal, Uber, and no small number of other sites supporting passkeys continue to rely on SMS texts for authentication even after passkeys are enrolled.

SMS-based MFA is among the weakest form of this protection. Not only can the texts be phished, but they’re also notoriously vulnerable to SIM swaps, in which an adversary gains control of a target’s phone number. As long as these less-secure fallbacks exist, passkeys aren’t much more than security theater.

I still think passkeys make sense in many cases. I’ll say more about that later. First, for a bit more context, readers should know:

Passkeys are defined in the WebAuthn spec as a “discoverable credential,” historically known as a “resident key.” The credential is in the form of a private-public key pair, which is created on the security key, which can be in the form of a FIDO-approved secure enclave embedded into a USB dongle, smartphone, or computer. The key pair is unique to each user account. The user creates the key pair after proving their identity to the website using an existing authentication method, typically a password. The private key never leaves the security key.

Going forward, when the user logs in, the site sends a security challenge to the user. The user then uses the locally stored private key to cryptographically sign the challenge and sends it to the website. The website then uses the public key it stores to verify the response is signed with the private key. With that, the user is logged in.

Under the FIDO2 spec, the passkey can never leave the security key, except as an encrypted blob of bits when the passkey is being synced from one device to another. The secret key can be unlocked only when the user authenticates to the physical key using a PIN, password, or most commonly a fingerprint or face scan. In the event the user authenticates with a biometric, it never leaves the security key, just as they never leave Android and iOS phones and computers running macOS or Windows.

Passkeys can be stored and synced using the same mechanisms millions of people already use for passwords—a password manager such as Bitwarden, Apple iCloud, Google Password Manager, or Microsoft’s cloud. Just like passwords, passkeys available in these managers are end-to-end encrypted using tried and true cryptographic algorithms.

The advent of this new paradigm was supposed to solve multiple problems at once—make authenticating ourselves online easier, eliminate the hassle of remembering passwords, and all but eradicate the most common forms of account takeovers.

When not encumbered by the problems mentioned earlier, this design provides multifactor authentication in a single stroke. The user logs in using something they have—the physical key, which must be near the device logging in. They must also use something they know—the PIN or password—or something they are—their face or fingerprint—to complete the credential transfer. The cryptographic secret never leaves the enclave embedded into the physical key.

What to tell Uncle Charlie?

In enterprise environments, passkeys can be a no-brainer alternative to passwords and authenticators. And even for Uncle Charlie—who has a single iPhone and Mac, and logs into only a handful of sites—passkeys may provide a simpler, less phishable path forward. Using a password manager to log into Gmail with a passkey ensures he’s protected by MFA. Using the password alone does not.

The takeaway from all of this—particularly for those recruited to provide technical support this week but also anyone trying to decide if it’s time to up their own authentication game: If a password manager isn’t already a part of the routine, see if it’s viable to add one now. Password managers make it practical to use a virtually unlimited number of long, randomly generated passwords that are unique to each site.

For some, particularly people with diminished capacity or less comfort being online, this step alone will be enough. Everyone else should also, whenever possible, opt into MFA, ideally using security keys or, if that’s not available, an authenticator app. I’m partial to 1Password as a password manager, Authy as an authenticator, and security keys from Yubico or Titan. There are plenty of other suitable alternatives.

I still think passkeys provide the greatest promise yet for filling the many security pitfalls of passwords and lowering the difficulty of remembering and storing them. For now, however, the hassles of using passkeys, coupled with their diminished security created by the presence of fallbacks, means no one should feel like a technophobe or laggard for sticking with their passwords. For now, passwords and key- or authenticator-based MFA remain essential.

With any luck, passkeys will someday be ready for the masses, but that day is not (yet) here.

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82.

Passkey technology is elegant, but it’s most definitely not usable security Read More »

After a 24-second test of its engines, the New Glenn rocket is ready to fly

blue origin, new glenn, Space / Tim Belzer / December 27, 2024

After a long day of stops and starts that stretched well into the evening, and on what appeared to be the company’s fifth attempt Friday, Blue Origin successfully ignited the seven main engines on its massive New Glenn rocket.

The test firing as fog built over the Florida coast marks the final major step in the rocket company’s campaign to bring the New Glenn rocket—a privately developed, super-heavy lift vehicle—to launch readiness. Blue Origin said it fired the vehicle’s engines for a duration of 24 seconds. They fired at full thrust for 13 of those seconds.

“This is a monumental milestone and a glimpse of what’s just around the corner for New Glenn’s first launch,” said Jarrett Jones, senior vice president of the New Glenn program, in a news release. “Today’s success proves that our rigorous approach to testing–combined with our incredible tooling and design engineering–is working as intended.”

Completion of the dynamic hot-fire test sets up a historic moment for the company founded by Jeff Bezos nearly a quarter of a century ago, the firm’s first ever orbital launch attempt. It will occur from Launch Complex-36, at Cape Canaveral Space Force Station.

Blue Origin’s post-test update did not include a launch date, but based on flight advisory information, a no-earlier than launch date is likely to be January 6.

A license to fly

Friday was important for New Glenn’s debut mission in another way. Several hours before the test firing, the Federal Aviation Administration said it had issued a launch license for the rocket. The license allows Blue Origin to conduct orbital missions from Cape Canaveral with New Glenn, as well as to attempt first stage landings on a barge in the Atlantic Ocean. The license is valid for five years.

After years of waiting, the much-anticipated mission is finally coming together. The hot-fire test, taking place just two days after the Christmas holiday in the United States, reflects the urgency that Bezos has injected into his rocket company over the last 18 months. In the fall of 2023, Bezos ousted Bob Smith as chief executive of Blue Origin, and tapped a long-time Amazon executive, Dave Limp, to lead the company.

After a 24-second test of its engines, the New Glenn rocket is ready to fly Read More »

Could microwaved grapes be used for quantum sensing?

applied physics, microwaving grapes, Physics, quantum sensing, Science / Tim Belzer / December 27, 2024

The microwaved grape trick also shows their promise as alternative microwave resonators for quantum sensing applications, according to the authors of this latest paper. Those applications include satellite technology, masers, microwave photon detection, hunting for axions (a dark matter candidate), and various quantum systems, and driving spin in superconducting qubits for quantum computing, among others.

Prior research had specifically investigated the electrical fields behind the plasma effect. “We showed that grape pairs can also enhance magnetic fields which are crucial for quantum sensing applications,” said co-author Ali Fawaz, a graduate student at Macquarie University.

Fawaz and co-authors used specially fabricated nanodiamonds for their experiments. Unlike pure diamonds, which are colorless, some of the carbon atoms in the nanodiamonds were replaced, creating tiny defect centers that act like tiny magnets, making them ideal for quantum sensing. Sapphires are typically used for this purpose, but Fawaz et al. realized that water conducts microwave energy better than sapphires—and grapes are mostly water.

So the team placed a nanodiamond atop a thin glass fiber and placed it between two grapes. Then they shone green laser light through the fiber, making the defect centers glow red. Measuring the brightness told them the strength of the magnetic field around the grapes, which turned out to be twice as strong with grapes than without.

The size and shape of the grapes used in the experiments proved crucial; they must be about 27 millimeters long to get concentrated microwave energy at just the right frequency for the quantum sensor. The biggest catch is that using the grapes proved to be less stable with more energy loss. Future research may identify more reliable potential materials to achieve a similar effect.

DOI: Physical Review Applied, 2024. 10.1103/PhysRevApplied.22.064078 (About DOIs).

Could microwaved grapes be used for quantum sensing? Read More »

FTC launches probe of Microsoft over bundling

antitrust, ftc, microsoft, Policy, syndication, Tech / Tim Belzer / December 27, 2024

John Lopatka, a former consultant to the FTC who now teaches antitrust law at Penn State, told ProPublica that the Microsoft actions detailed in the news organization’s recent reporting followed “a very familiar pattern” of behavior.

“It does echo the Microsoft case” from decades ago, said Lopatka, who co-authored a book on that case.

In the new investigation, the FTC has sent Microsoft a civil investigative demand, the agency’s version of a subpoena, compelling the company to turn over information, people familiar with the probe said. Microsoft confirmed that it received the document.

Company spokesperson David Cuddy did not comment on the specifics of the investigation but said the FTC’s demand is “broad, wide ranging, and requests things that are out of the realm of possibility to even be logical.” He declined to provide on-the-record examples. The FTC declined to comment.

The agency’s investigation follows a public comment period in 2023 during which it sought information on the business practices of cloud computing providers. When that concluded, the FTC said it had ongoing interest in whether “certain business practices are inhibiting competition.”

The recent demand to Microsoft represents one of FTC Commissioner Lina Khan’s final moves as chair, and the probe appears to be picking up steam as the Biden administration winds down. The commission’s new leadership, however, will decide the future of the investigation.

President-elect Donald Trump said this month that he will elevate Commissioner Andrew Ferguson, a Republican attorney, to lead the agency. Following the announcement, Ferguson said in a post on X, “At the FTC, we will end Big Tech’s vendetta against competition and free speech. We will make sure that America is the world’s technological leader and the best place for innovators to bring new ideas to life.”

Trump also said he would nominate Republican lawyer Mark Meador as a commissioner, describing him as an “antitrust enforcer” who previously worked at the FTC and the Justice Department. Meador is also a former aide to Sen. Mike Lee, a Utah Republican who introduced legislation to break up Google.

Doris Burke contributed research.

This story originally appeared on ProPublica.

FTC launches probe of Microsoft over bundling Read More »

Magnetic shape-shifting surface can move stuff without grasping it

Science / Tim Belzer / December 27, 2024

A kirigami design where the cuts’ length-to-width ratio was six was way more responsive to magnets, and that, in turn, enhanced an effect known as magnetically induced stiffening. With no magnets around, the kirigami disk was way more compliant than one without cuts. But when a magnetic field was applied, it became more than 1.8 times stiffer.

Overall, the kirigami dome could lift an object weighing 43.1 grams (28 times its own weight) to a height of 2.5 millimeters and hold it there. To test what this technology could do, Yin’s team built a 5×5 array of domes actuated by movable permanent magnetic pillars placed underneath that could move left or right, or spin. The array could precisely move droplets, potato chips, a leaf, and even a small wooden plank. It could also rotate a petri dish.

Next-gen haptics

The team thinks one possible application for this technology is precise transport and mixing of very tiny amounts of fluids in research laboratories. But there is another, arguably more exciting option. Chi’s shape-shifting surface is very fast; it reacts to changes in the magnetic field in under 2 milliseconds, which is a response time rivaling gaming monitors.

This, according to the team, makes it possible to use in haptic feedback controllers. Super-fast, magnetically actuated shape-shifting surfaces could emulate the sense of touch, texture, and feel of the objects you interact with wearing your VR goggles. “I’m new to haptics, but considering you can change the stiffness of our surfaces by modulating the magnetic field, this should enable us to recreate different haptic perceptions,” Yin says.

Before that becomes a reality, there is one more limitation the team must overcome.

If you compared Yin’s shape-shifting surface to a display where each dome stands for a single pixel, the resolution of this display would be very low. “So, there is the question how small can you make those domes,” Yin says. He suggested that, with advanced manufacturing techniques, it is possible to miniaturize the domes down to around 10 microns in diameter. “The challenge is how we do the actuation at such scales—that is something we focus on today. We try to pave the way but there is much more to do,” Chi adds.

Science Advances, 2024. DOI: https://doi.org/10.1126/sciadv.adr8421

Magnetic shape-shifting surface can move stuff without grasping it Read More »

Craving carbs? Blame an ancient gene.

Science / Tim Belzer / December 27, 2024

“This observation is concordant with the recent evidence of Neanderthal starch consumption, and perhaps the availability of cooked starch in archaic hominins made possible through the domestication of fire,” the researchers said in a study recently published in Science.

Out of eight genomes examined, multiple copies of AMY1 were found in two Eastern Neanderthal genomes, one from a Western Neanderthal, and one from a Denisovan. So why did these extra copies evolve? While the exact reason is still unknown, the team thinks that the gene itself was copy number variable, meaning the number of copies within a population can vary between individuals. This variation likely developed before humans diverged from Neanderthals and Denisovans.

With the grain

To the research team, it was inevitable that copies of AMY1 in individual genomes would increase as former hunter-gatherers established agricultural societies. Farming meant grains and other starch-rich foods, and the ability to adjust those meant carbs.

And the data here is consistent with that. The team “found a general trend where the AMY1 gene copy number is significantly higher among samples excavated from archaeologically agricultural contexts compared to those from hunter-gatherer contexts,” as they said in the same study.

In genomes from pre-agricultural individuals, there were already anywhere from four to eight copies of the gene. The variation is thought to have come from groups experimenting with food-processing techniques such as grinding wild grains into flour. AMY1 copy numbers grew pretty consistently from the pre-agricultural to post-agricultural period. Individuals from populations that were in the process of transitioning to agriculture (around 16,100 to 8,500 years ago) were found to have about similar numbers of AMY1 copies as hunter-gatherers at the time.

Individuals from after 8,500 years ago who lived in more established agricultural societies showed the most copies and therefore the most evidence of adaptation to eating diets high in carbs. Agriculture continued to advance, and the last 4,000 years have seen the most significant surge of AMY1 copy increases. Modern humans have anywhere from two to 15 copies.

Further research could help with understanding how genetic variation of AMY1 copy numbers influences starch metabolism, including conditions such as gluten allergy and celiac disease, and overall metabolic health.

Can we really blame AMY1 and amylase on our carb cravings? Partly. The number of AMY1 copies in a human genome determine not only the ability to metabolize starches, but will also influence how they taste to us, and may have given us a preference for them. Maybe we can finally ease up on demonizing bread.

Science, 2024. DOI: 10.1126/science.adn060

Craving carbs? Blame an ancient gene. Read More »

Author name: Tim Belzer