Author name: Mike M.

Google’s abuse of Fitbit continues with web app shutdown

Welcome to the Google lifestyle —

Users say the app, which is now the only Fitbit interface, lacks matching features.

Google’s abuse of the Fitbit brand is continuing with the shutdown of the web dashboard. Fitbit.com used to be both a storefront and a way for users to get a big-screen UI to sift through reams of fitness data. The store closed up shop in April, and now the web dashboard is dying in July.

In a post on the “Fitbit Community” forums, the company said: “Next month, we’re consolidating the Fitbit.com dashboard into the Fitbit app. The web browser will no longer offer access to the Fitbit.com dashboard after July 8, 2024.” That’s it. There’s no replacement or new fitness thing Google is more interested in; web functionality is just being removed. Google, we’ll remind you, used to be a web company. Now it’s a phone app or nothing. Google did the same thing to its Google Fit product in 2019, killing off the more powerful website in favor of an app focus.

Dumping the web app leaves a few holes in Fitbit’s ecosystem. The Fitbit app doesn’t support big screens like tablet devices, so this is removing the only large-format interface for data. Fitbit’s competitors all have big-screen interfaces. Garmin has a very similar website, and the Apple Watch has an iPad health app. This isn’t an improvement. To make matters worse, the app does not have the features of the web dashboard, with many of the livid comments in the forums on Reddit calling out the app’s deficiencies in graphing, achievement statistics, calorie counting, and logs.

The web dashboard.

Fitbit

Google bought Fitbit back in 2021 and has spent most of its time shutting down Fitbit features and making the products worse. Migrations to Google Accounts started in 2022. The Google Assistant was removed from Fitbit’s 2022 product line, the Sense 2 and Versa 4, when support existed on the previous models. Social features—a key part of fitness motivation for many—were killed off in 2023. Google has mostly focused on making Fitbit an app for the Pixel Watch.

Ancient Maya DNA shows male kids were sacrificed in pairs at Chichén Itzá

Tossed into the sacred sinkhole —

Twins play an auspicious role in Maya mythology, most notably in the Popol Vuh.

Detail from the reconstructed stone tzompantli, or skull rack, at Chichén Itzá, evidence of ritual human sacrifice.

Christina Warinner

Inhabitants of the ancient Maya city of Chichén Itzá are well-known for their practice of ritual human sacrifice. The most prevalent notion in the popular imagination is that of young Maya women being flung alive into sinkholes as offerings to the gods. Details about the cultural context for these sacrifices remain fuzzy, so scientists conducted genetic analysis on ancient remains of some of the sacrificial victims to learn more. That analysis confirmed the prevalence of male sacrifices, according to a new paper published in the journal Nature, often of related children (ages 6 to 12) from the same household—including two pairs of identical twins.

Chichén Itzá (“at the mouth of the well of the Itzá”) is located in Mexico’s eastern Yucatán. It was one of the largest of the Maya cities, quite possibly one of the mythical capital cities (Tollans) that are frequently mentioned in Mesoamerican literature. It’s known for its incredible monumental architecture, such as the Temple of Kukulcán (“El Castillo”), a step pyramid honoring a feathered serpent deity. Around the spring and fall equinoxes, there is a distinctive light-and-shadow effect that creates the illusion of a serpent slithering down the staircase. There is also a well-known acoustical effect: clap your hands at the base of the staircases and you’ll get an echo that sounds eerily like a bird’s chirp—perhaps mimicking the quetzal, a brightly colored exotic bird native to the region and prized for its long, resplendent tail feathers.

The Great Ball Court (one of 13 at the site) is essentially a whispering gallery: even though it is 545 feet long and 225 feet wide, a whisper at one end can be heard clearly at the other. The court features slanted benches with sculpted panels depicting aspects of Maya ball games—which were not just athletic events but also religious ones that often involved ritual sacrifices of players by decapitation.

“Evidence of ritual killing is extensive throughout the site of Chichén Itzá and includes both the physical remains of sacrificed individuals as well as representations in monumental art,” the authors of the new Nature paper wrote. Decapitation was just one method of sacrifice favored by the Maya over various historical periods. The Maya were equally fond of cutting out the still-beating hearts of victims, accessing the organ either from below the diaphragm or through the sternum. There were also rituals that involved binding victims to a stake and shooting arrows at a white target painted on the heart.

The site features underground rivers with natural sinkholes, called cenotes, providing water to the local inhabitants. One of those is known as the Cenote Sagrado (“Sacred Cenote”), or the Well of Sacrifice, some 200 feet (60 meters) wide and surrounded by sheer cliffs. As its name implies, the Maya would regularly sacrifice valuable objects and the occasional human by tossing them into the sinkhole to appease the Maya rain god, Chaac. (If the 89-foot (27-meter) fall didn’t kill them, drowning would.)

We know this from the writings of Friar Diego de Landa, among others, who wrote in 1566 of the Maya custom of throwing men alive into the sinkhole during droughts, as well as other prized objects. Dredging the Sacred Cenote with a bucket-and-pulley system in the early 1900s yielded artifacts made of gold and jade, as well as pottery, incense, and human remains. There were also archaeological excavations in the 1960s that yielded even more such objects, including flint, shell, rubber, cloth, and wood preserved in the water.

El Castillo, also known as the Temple of Kukulcan, is among the largest structures at Chichén Itzá, and its architecture reflects its far-flung political connections.

Johannes Krause

Archaeologists also uncovered a full-scale stone representation of a massive tzompantli (skull rack) and a subterranean chamber near the Sacred Cenote, likely a repurposed water cistern (chultún) that had been enlarged to connect to a small cave. The Maya viewed both cenotes and chultúns as connections to the underworld, and this particular chultún housed the remains of over 100 children.

Rodrigo Barquera, an immunogeneticist and postdoc at the Max Planck Institute for Evolutionary Anthropology, and his fellow Nature co-authors conducted their in-depth genetic analysis on 64 child remains recovered from the chultún, along with stable isotope analysis of bone collagen and nitrogen and radiocarbon dating. They compared the genetic data to the genomes from blood samples taken from 68 present-day Maya residents of a nearby town (Tixcacaltuyub).

Most of the children had been sacrificed between 800 and 1000 CE, per the radiocarbon and nitrogen dating. Barquera et al. were surprised to find that all of the remains sampled were male and from the local Maya populations. Nearly one-quarter of those were closely related to at least one other child interred in the chultún, and the related children had similar diets, so were likely raised in the same household. The most surprising discovery: two sets of identical male twins. All this suggests that the Maya selected pairs of male children for sacrificial rituals associated with the chultún.

Google’s Pixel 8 series gets USB-C to DisplayPort; desktop mode rumors heat up

You would think a phone called “Pixel” would be better at this —

Grab a USB-C to DisplayPort cable and newer Pixels can be viewed from your TV or monitor.

The Pixel 8.

Google

Google’s June Android update is out, and it’s bringing a few notable changes for Pixel phones. The most interesting is that the Pixel 8a, Pixel 8 and Pixel 8 Pro are all getting DisplayPort Alt Mode capabilities via their USB-C ports. This means you can go from USB-C to DisplayPort and plug right into a TV or monitor. This has been rumored forever and landed in some of the Android Betas earlier, but now it’s finally shipping out to production.

The Pixel 8’s initial display support is just a mirrored mode. You can either get an awkward vertical phone in the middle of your wide-screen display or turn the phone sideways and get a more reasonable layout. You could see it being useful for videos or presentations. It would be nice if it could do more.

Alongside this year-plus of display port rumors has been a steady drum beat (again) for an Android desktop mode. Google has been playing around with this idea since Android 7.0 in 2016. In 2019, we were told it was just a development testing project, and it never shipped to any real devices. Work around Android’s desktop mode has been heating up, though, so maybe a second swing at this idea will result in an actual product.

Android 15’s in-development desktop mode.

Android Authority’s Mishaal Rahman has been tracking down the new desktop mode for a while now and now has it running. The new desktop mode looks just like a real desktop OS. Every app gets a title bar window decoration with an app icon, a label, and maximize and close buttons. You can drag windows around and resize them; the OS supports automatic window tiling by dragging to the side of the screen; and there’s even a little drop-down menu in the title bar app icon. If you were to turn that on with Tablet Android’s bottom app bar, you would have a lot of what you need for a desktop OS.

Just like last time, we’ve got no clue if this will turn into a real product. The biggest Android partner, Samsung, certainly seems to think the idea is worth doing. Samsung’s “DeX” desktop mode has been a feature for years on its devices.

DisplayPort support is part of the June 2024 update and should roll out to devices soon.

As NASA watches Starship closely, here’s what the agency wants to see next

Target and Chaser —

“What happens if I don’t have a Human Landing System available to execute a mission?”

The rocket for SpaceX’s fourth full-scale Starship test flight awaits liftoff from Starbase, the company’s private launch base in South Texas.

SpaceX

Few people were happier with the successful outcome of last week’s test flight of SpaceX’s Starship launch system than a NASA engineer named Catherine Koerner.

In remarks after the spaceflight, Koerner praised the “incredible” video of the Starship rocket and its Super Heavy booster returning to Earth, with each making a soft landing. “That was very promising, and a very, very successful engineering test,” she added, speaking at a meeting of the Space Studies Board.

A former flight director, Koerner now manages development of the “exploration systems” that will support the Artemis missions for NASA—a hugely influential position within the space agency. This includes the Space Launch System rocket, NASA’s Orion spacecraft, spacesuits, and the Starship vehicle that will land on the Moon.

In recent months, NASA officials like Koerner have been grappling with the reality that not all of this hardware is likely to be ready for the planned September 2026 launch date for the Artemis III mission. In particular, the agency is concerned about Starship’s readiness as a “Human Landing System.” While SpaceX is pressing forward rapidly with a test campaign, there is still a lot of work to be done to get the vehicle down to the lunar surface and safely back into lunar orbit.

A spare tire

For these reasons, as Ars previously reported, NASA and SpaceX are planning for the possibility of modifying the Artemis III mission. Instead of landing on the Moon, a crew would launch in the Orion spacecraft and rendezvous with Starship in low-Earth orbit. This would essentially be a repeat of the Apollo 9 mission, buying down risk and providing a meaningful stepping stone between Artemis missions.

Officially, NASA maintains that the agency will fly a crewed lunar landing, the Artemis III mission, in September 2026. But almost no one in the space community regards that launch date as more than aspirational. Some of my best sources have put the most likely range of dates for such a mission from 2028 to 2032. A modified Artemis III mission, in low-Earth orbit, would therefore bridge a gap between Artemis II and an eventual landing.

Koerner has declined interview requests from Ars to discuss this, but during the Space Studies Board meeting, she acknowledged seeing these reports on modifying Artemis III. She was then asked directly whether there was any validity to them. Here is her response in full:

So here’s what I’ll tell you, if you’ll permit me an analogy. I have in my car a spare tire, right? I don’t have a spare steering wheel. I don’t have spare windshield wipers. I have a spare tire. And why? Why do we carry a spare tire? That someone, at some point, did an assessment and said in order for this vehicle to accomplish its mission, there is a certain likelihood that some things may fail and a certain likelihood that other things may not fail, and it’s probably prudent to have a spare tire. I don’t necessarily need to have a spare steering wheel, right?

We at NASA do a lot of those kinds of assessments. Like, what happens if this isn’t available? What happens if that isn’t available? Do we have backup plans for that? We’re always doing those kinds of backup plans. Do we have backup plans? It’s imperative for me to look at what happens if an Orion spacecraft is not ready to do a mission. What happens if I don’t have an SLS ready to do a mission? What happens if I don’t have a Human Landing System available to execute a mission? What happens if I don’t have Gateway that I was planning on to do a mission?

So we look at backup plans all the time. There are lots of different opportunities for that. We have not made any changes to the current plan as I outlined it here today and talked about that. But we have lots of people who are looking at lots of different backup plans so that we are doing due diligence and making sure that we have the spare tire if we need the spare tire. It’s the reason we have, for example, two systems now that we’re developing for the Human Landing System, the one for SpaceX and the other one from Blue Origin. It’s the reason we have two providers that are building spacesuit hardware. Collins as well as Axiom, right? So we always are doing that kind of thing.

That is a long way of saying that if SpaceX’s Starship is not ready in 2026, NASA is actively considering alternative plans. (The most likely of these would be an Orion-Starship docking in low-Earth orbit.) NASA has not made any final plans and is waiting to see how Artemis II progresses and what happens with Starship and spacesuit development.

What SpaceX needs to demonstrate

During her remarks, Koerner was also asked what SpaceX’s next major milestone is and when it would need to be completed for NASA to remain on track for a lunar landing in 2026. “Their next big milestone test, from a contract perspective, is the cryogenic transfer test,” she said. “That is going to be early next year.”

Some details about the Starship propellant transfer test.

NASA

This timeline is consistent with what NASA’s Human Landing System program manager, Lisa Watson-Morgan, recently told Ars. It provides a useful benchmark to evaluate Starship’s progress in NASA’s eyes. The “prop transfer demo” is a fairly complex mission that involves the launch of a “Starship target” from the Starbase facility in South Texas. Then a second vehicle, the “Starship chaser,” will launch and meet the target in orbit and rendezvous. The chaser will then transfer a quantity of propellant to the target spaceship.

The test will entail a lot of technology, including docking mechanisms, navigation sensors, quick disconnects, and more. If SpaceX completes this test during the first quarter of 2025, NASA will at least theoretically have a path forward to a crewed lunar landing in 2026.

Stoke Space ignites its ambitious main engine for the first time

Get stoked! —

“This industry is going toward full reusability. To me, that is the inevitable end state.”

A drone camera captures the hotfire test of Stoke Space’s full-flow staged combustion engine at the company’s testing facility in early June.

Stoke Space

On Tuesday, Stoke Space announced the firing of its first stage rocket engine for the first time earlier this month, briefly igniting it for about two seconds. The company declared the June 5 test a success because the engine performed nominally and will be fired up again soon.

“Data point one is that the engine is still there,” said Andy Lapsa, chief executive of the Washington-based launch company, in an interview with Ars.

The test took place at the company’s facilities in Moses Lake, Washington. Seven of these methane-fueled engines, each intended to have a thrust of 100,000 pounds of force, will power the company’s Nova rocket. This launch vehicle will have a lift capacity of about 5 metric tons to orbit. Lapsa declined to declare a target launch date, but based on historical developmental programs, if Stoke continues to move fast, it could fly Nova for the first time in 2026.

Big ambitions for a small company

Although it remains relatively new in the field of emerging launch companies, Stoke has gathered a lot of attention because of its bold ambitions. The company intends for the two-stage Nova rocket to be fully reusable, with both stages returning to Earth. To achieve a vertical landing, the second stage has a novel design. This oxygen-hydrogen engine is based on a ring of 30 thrusters and a regeneratively cooled heat shield.

Lapsa and Stoke, which now has 125 employees, have also gone for an ambitious design in the first-stage engine tested earlier this month. The engine, with a placeholder name of S1E, is based on full-flow, staged-combustion technology in which the liquid propellants are burned in the engine’s pre-burners. Because of this, they arrive in the engine’s combustion chamber in fully gaseous form, leading to more efficient mixing.

Such an engine—this technology has only previously been demonstrated in flight by SpaceX’s Raptor engine, on the Starship rocket—is more efficient and should theoretically extend turbine life. But it is also technically demanding to develop, and among the most complex engine designs for a rocket company to begin with. This is not rocket science. It’s exceptionally hard rocket science.

It may seem like Stoke is biting off a lot more than it can chew with Nova’s design. Getting to space is difficult enough for a launch startup, but this company is seeking to build a fully reusable rocket with a brand new second stage design and a first stage engine based on full-flow, staged combustion. I asked Lapsa if he was nuts for taking all of this on.

Are these guys nuts?

“I’ve been around long enough to know that any rocket development program is hard, even if you make it as simple as possible,” he responded. “But this industry is going toward full reusability. To me, that is the inevitable end state. When you start with that north star, any other direction you take is a diversion. If you start designing anything else, it’s not something where you can back into full reusability at any point. It means you’ll have to stop and start over to climb the mountain.”

This may sound like happy talk, but Stoke appears to be delivering on its ambitions. Last September, the company completed a successful “hop” test of its second stage at Moses Lake. This validated its design, thrust vector control, and avionics.

This engine is designed to power the Nova rocket.

Stoke Space

After this test, the company turned its focus to developing the S1E engine and put it on the test stand for the first time in April before the first test firing in June. Going from zero to 350,000 horsepower in half a second for the first time had a “pretty high pucker factor,” Lapsa said of the first fully integrated engine test.

Now that this initial test is complete, Stoke will spend the rest of the year maturing the design of the engine, conducting longer test firings, and starting to develop flight stages. After that will come stage tests before the complete Nova vehicle is assembled. At the same time, Stoke is also working with the US Space Force on the regulatory process of refurbishing and modernizing Launch Complex 14 at Cape Canaveral Space Force Station in Florida.

Apple’s AI promise: “Your data is never stored or made accessible by Apple”

…and throw away the key —

And publicly reviewable server code means experts can “verify this privacy promise.”

Apple Senior VP of Software Engineering Craig Federighi announces “Private Cloud Compute” at WWDC 2024.

Apple

With most large language models being run on remote, cloud-based server farms, some users have been reluctant to share personally identifiable and/or private data with AI companies. In its WWDC keynote today, Apple stressed that the new “Apple Intelligence” system it’s integrating into its products will use a new “Private Cloud Compute” to ensure any data processed on its cloud servers is protected in a transparent and verifiable way.

“You should not have to hand over all the details of your life to be warehoused and analyzed in someone’s AI cloud,” Apple Senior VP of Software Engineering Craig Federighi said.

Trust, but verify

Part of what Apple calls “a brand new standard for privacy and AI” is achieved through on-device processing. Federighi said “many” of Apple’s generative AI models can run entirely on a device powered by an A17+ or M-series chip, eliminating the risk of sending your personal data to a remote server.

When a bigger, cloud-based model is needed to fulfill a generative AI request, though, Federighi stressed that it will “run on servers we’ve created especially using Apple silicon,” which allows for the use of security tools built into the Swift programming language. The Apple Intelligence system “sends only the data that’s relevant to completing your task” to those servers, Federighi said, rather than giving blanket access to the entirety of the contextual information the device has access to.

And Apple says that minimized data is not going to be saved for future server access or used to further train Apple’s server-based models, either. “Your data is never stored or made accessible by Apple,” Federighi said. “It’s used exclusively to fill your request.”

But you don’t just have to trust Apple on this score, Federighi claimed. That’s because the server code used by Private Cloud Compute will be publicly accessible, meaning that “independent experts can inspect the code that runs on these servers to verify this privacy promise.” The entire system has been set up cryptographically so that Apple devices “will refuse to talk to a server unless its software has been publicly logged for inspection.”

While the keynote speech was light on details for the moment, the focus on privacy during the presentation shows that Apple is at least prioritizing security concerns in its messaging as it wades into the generative AI space for the first time. We’ll see what security experts have to say when these servers and their code are made publicly available in the near future.

iPadOS 18 adds machine-learning wizardry with handwriting, math features

WWDC 2024 —

Also coming: new SharePlay features and a new “tab bar” for first-party apps.

  • The Calculator app is finally coming to iPad.

    Samuel Axon

  • You’ll be able to write out expressions with the Apple Pencil and see them solved in real time.

    Samuel Axon

CUPERTINO, Calif.—After going into detail about iOS 18, Apple took a few moments in its WWDC 2024 keynote to walk through some changes.

There are a few minor UI changes and new features across Apple’s first party apps. That includes a new floating tab bar. The bar expands into the side bar when you want to dig in, and you can customize the tab bar to include the specific things you want to interact with the most. Additionally, SharePlay allows easier screen sharing and remote control of another person’s iPad.

But the big news is that the Calculator app we’ve all used on the iPhone is coming to the iPad, after years of the iPad having no first-party calculator app at all. The iPad Calculator app can do some things the iPhone version can’t do with the Apple Pencil; a feature called Math Notes lets you write out expressions like you would on a piece of paper, and the app will solve the expressions live as you scribble them—plus various other cool live-updating math features. (These new Math Notes features work in the Notes app, too.)

Apple didn’t use the word AI here, but this is surely driven by machine learning in some way. Doubly so for a new handwriting feature called Smart Script, which refines and improves your handwriting as you go, tweaking letters to make them more legible when you’re writing very quickly to take notes. It uses machine learning to analyze your handwriting, so these adjustments are meant to match your normal script. That means you can scribble as quickly and recklessly as you want during a conference or a day of classes, but ostensibly, it will be legible at the end of the day.

Not everyone’s a big Pencil user—for some of us, handwriting long ago took a back seat to typing—but Apple is aggressively selling these kinds of flashy features for those who want that experience.

The release date for iPadOS 18 hasn’t been announced yet, but it will likely arrive in September or October alongside iOS 18 and the new iPhone models that will probably be announced then.

Bird flu virus from Texas human case kills 100% of ferrets in CDC study

Animal study —

H5N1 bird flu viruses have been shown to be lethal in the ferret model before.

The strain of H5N1 bird flu isolated from a dairy worker in Texas was 100 percent fatal in ferrets used to model influenza illnesses in humans. However, the virus appeared inefficient at spreading via respiratory droplets, according to newly released study results from the Centers for Disease Control and Prevention.

The data confirms that H5N1 infections are significantly different from seasonal influenza viruses that circulate in humans. Those annual viruses make ferrets sick but are not deadly. They have also been shown to be highly efficient at spreading via respiratory droplets, with 100 percent transmission rates in laboratory settings. In contrast, the strain from the Texas man (A/Texas/37/2024) appeared to have only a 33 percent transmission rate via respiratory droplets among ferrets.

“This suggests that A/Texas/37/2024-like viruses would need to undergo changes to spread efficiently by droplets through the air, such as from coughs and sneezes,” the CDC said in its data summary. The agency went on to note that “efficient respiratory droplet spread, like what is seen with seasonal influenza viruses, is needed for sustained person-to-person spread to happen.”

In the CDC’s study, researchers infected six ferrets with A/Texas/37/2024. The CDC’s data summary did not specify how the ferrets were infected in this study, but in other recent ferret H5N1 studies, the animals were infected by putting the virus in their noses. Ars has reached out to the agency for clarity on the inoculation route in the latest study and will update the story with any additional information provided.

All six of the infected ferrets developed severe disease and died. To test how well the virus could spread among the ferrets, the CDC scientists set up experiments to test transmission through direct contact and respiratory droplets. For the direct transmission test, three healthy ferrets were placed in the same enclosures with three experimentally infected ferrets. All three healthy ferrets became infected.

For the respiratory transmission test, three healthy ferrets were placed in enclosures next to enclosures containing the experimentally infected animals. The infected and uninfected ferrets shared air, but did not have direct contact with each other. Of the three healthy ferrets, only one contracted the H5N1 virus (33 percent). Additionally, that one respiratory transmission event seemed to have a one- to two-day delay compared with what’s seen in the same test with seasonal influenza viruses. This suggests further that the virus is inefficient at respiratory transmission.

The CDC called the overall results “not surprising.” Previous ferret experiments with H5N1 isolates—collected prior to the current bird flu outbreak among US dairy cows—have also found that H5N1 is often lethal to ferrets. Likewise, experiments with H5N1 isolates collected from Spain and Chile during the current global outbreak also found that the virus was inefficient at spreading via respiratory droplets among ferrets—with rates ranging from 0 percent to 37.5 percent.

For now, the findings don’t affect the CDC’s overall risk assessment for the general public, which is low. However, they do reinforce the risk to those who have contact with infected animals, particularly dairy and poultry farm workers.

To date, there have been four human cases of H5N1 in the US since the current global bird flu outbreak began in 2022—one in a poultry farm worker in 2022 and three in dairy farm workers, all reported between the beginning of April and the end of May this year. So far, the cases have been mild, the CDC noted, but given the results in ferrets, “it is possible that there will be serious illnesses among people,” the agency concluded.

As of June 9, the US Department of Agriculture has confirmed H5N1 in 85 dairy herds and one alpaca farm across 10 states.

The world’s largest fungus collection may unlock the mysteries of carbon capture

Fungus samples are seen on display inside the Fungarium at the Royal Botanic Gardens in Kew, west London in 2023. The Fungarium was founded in 1879 and holds an estimated 380,000 specimens from the UK.

It’s hard to miss the headliners at Kew Gardens. The botanical collection in London is home to towering redwoods and giant Amazonian water lilies capable of holding up a small child. Each spring, its huge greenhouses pop with the Technicolor displays of multiple orchid species.

But for the really good stuff at Kew, you have to look below the ground. Tucked underneath a laboratory at the garden’s eastern edge is the fungarium: the largest collection of fungi anywhere in the world. Nestled inside a series of green cardboard boxes are some 1.3 million specimens of fruiting bodies—the parts of the fungi that appear above ground and release spores.

“This is basically a library of fungi,” says Lee Davies, curator of the Kew fungarium. “What this allows us to do is to come up with a reference of fungal biodiversity—what fungi are out there in the world, where you can find them.” Archivists—wearing mushroom hats for some reason—float between the shelves, busily digitizing the vast archive, which includes around half of all the species known to science.

Fungarium Collections Manager Lee Davies inspects a fungus sample stored within the Fungarium at the Royal Botanic Gardens in Kew, west London in 2023.

In the hierarchy of environmental causes, fungi have traditionally ranked somewhere close to the bottom, Davies says. He himself was brought to the fungarium against his will. Davies was working with tropical plants when a staffing reshuffle brought him to the temperature-controlled environs of the fungarium. “They moved me here in 2014, and it’s amazing. Best thing ever, I love it. It’s been a total conversion.”

Davies’ own epiphany echoes a wider awakening of appreciation for these overlooked organisms. In 2020, mycologist Merlin Sheldrake’s book Entangled Life: How Fungi Make Our Worlds, Change Our Minds, and Shape Our Futures was a surprise bestseller. In the video game and HBO series The Last of Us, it’s a fictional brain-eating fungus from the genus Cordyceps that sends the world into an apocalyptic spiral. (The Kew collection includes a tarantula infected with Cordyceps—fungal tendrils reach out from the soft gaps between the dead insect’s limbs.)

While the wider world is waking up to these fascinating organisms, scientists are getting to grips with the crucial role they play in ecosystems. In a laboratory just above the Kew fungarium, mycologist Laura Martinez-Suz studies how fungi help sequester carbon in the soil, and why some places seem much better at storing soil carbon than others.

Soil is a huge reservoir of carbon. There are around 1.5 trillion tons of organic carbon stored in soils across the world—about twice the amount of carbon in the atmosphere. Scientists used to think that most of this carbon entered the soil when dead leaves and plant matter decomposed, but it’s now becoming clear that plant roots and fungi networks are a critical part of this process. One study of forested islands in Sweden found that the majority of carbon in the forest soil actually came from root-fungi networks, not plant matter fallen from above the ground.

Nasty bug with very simple exploit hits PHP just in time for the weekend

WORST FIT EVER —

With PoC code available and active Internet scans, speed is of the essence.

A critical vulnerability in the PHP programming language can be trivially exploited to execute malicious code on Windows devices, security researchers warned as they urged those affected to take action before the weekend starts.

Within 24 hours of the vulnerability and accompanying patch being published, researchers from the nonprofit security organization Shadowserver reported Internet scans designed to identify servers that are susceptible to attacks. That—combined with (1) the ease of exploitation, (2) the availability of proof-of-concept attack code, (3) the severity of remotely executing code on vulnerable machines, and (4) the widely used XAMPP platform being vulnerable by default—has prompted security practitioners to urge admins to check whether their PHP servers are affected before starting the weekend.

When “Best Fit” isn’t

“A nasty bug with a very simple exploit—perfect for a Friday afternoon,” researchers with security firm WatchTowr wrote.

CVE-2024-4577, as the vulnerability is tracked, stems from errors in the way PHP converts unicode characters into ASCII. A feature built into Windows known as Best Fit allows attackers to use a technique known as argument injection to pass user-supplied input into commands executed by an application, in this case, PHP. Exploits allow attackers to bypass CVE-2012-1823, a critical code execution vulnerability patched in PHP in 2012.

“While implementing PHP, the team did not notice the Best-Fit feature of encoding conversion within the Windows operating system,” researchers with Devcore, the security firm that discovered CVE-2024-4577, wrote. “This oversight allows unauthenticated attackers to bypass the previous protection of CVE-2012-1823 by specific character sequences. Arbitrary code can be executed on remote PHP servers through the argument injection attack.”

CVE-2024-4577 affects PHP only when it runs in a mode known as CGI, in which a web server parses HTTP requests and passes them to a PHP script for processing. Even when PHP isn’t set to CGI mode, however, the vulnerability may still be exploitable when PHP executables such as php.exe and php-cgi.exe are in directories that are accessible by the web server. This configuration is set by default in XAMPP for Windows, making the platform vulnerable unless it has been modified.

One example, WatchTowr noted, occurs when queries are parsed and sent through a command line. The result: a harmless request such as http://host/cgi.php?foo=bar could be converted into php.exe cgi.php foo=bar, a command that would be executed by the main PHP engine.

No escape

Like many other languages, PHP converts certain types of user input to prevent it from being interpreted as a command for execution. This is a process known as escaping. For example, in HTML, the < and > characters are often escaped by converting them into their unicode hex value equivalents &#x3c; and &#x3e; to prevent them from being interpreted as HTML tags by a browser.

The WatchTowr researchers demonstrate how Best Fit fails to escape characters such as a soft hyphen (with unicode value 0xAD) and instead converts it to an unescaped regular hyphen (0x2D), a character that’s instrumental in many code syntaxes.

The researchers went on to explain:

It turns out that, as part of unicode processing, PHP will apply what’s known as a ‘best fit’ mapping, and helpfully assume that, when the user entered a soft hyphen, they actually intended to type a real hyphen, and interpret it as such. Herein lies our vulnerability—if we supply a CGI handler with a soft hyphen (0xAD), the CGI handler won’t feel the need to escape it, and will pass it to PHP. PHP, however, will interpret it as if it were a real hyphen, which allows an attacker to sneak extra command line arguments, which begin with hyphens, into the PHP process.

This is remarkably similar to an older PHP bug (when in CGI mode), CVE-2012-1823, and so we can borrow some exploitation techniques developed for this older bug and adapt them to work with our new bug. A helpful writeup advises that, to translate our injection into RCE, we should aim to inject the following arguments:

-d allow_url_include=1 -d auto_prepend_file=php://input  

This will accept input from our HTTP request body, and process it using PHP. Straightforward enough – let’s try a version of this equipped with our 0xAD ‘soft hyphen’ instead of the usual hyphen. Maybe it’s enough to slip through the escaping?

POST /test.php?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1
Host: host
User-Agent: curl/8.3.0
Accept: */*
Content-Length: 23
Content-Type: application/x-www-form-urlencoded
Connection: keep-alive

Oh joy—we’re rewarded with a phpinfo page, showing us we have indeed achieved RCE.

The vulnerability was discovered by Devcore researcher Orange Tsai, who said: “The bug is incredibly simple, but that’s also what makes it interesting.”

The Devcore writeup said that the researchers have confirmed that XAMPP is vulnerable when Windows is configured to use the locales for Traditional Chinese, Simplified Chinese, or Japanese. In Windows, a locale is a set of user preference information related to the user’s language, environment, and/or cultural conventions. The researchers haven’t tested other locales and have urged people using them to perform a comprehensive asset assessment to test their usage scenarios.

CVE-2024-4577 affects all versions of PHP running on a Windows device. That includes version branches 8.3 prior to 8.3.8, 8.2 prior to 8.2.20, and 8.1 prior to 8.1.29.

The 8.0, 7, and 5 version branches are also vulnerable, but since they’re no longer supported, admins will have to follow mitigation advice since patches aren’t available. One option is to apply what are known as rewrite rules such as:

RewriteEngine On
RewriteCond %{QUERY_STRING} ^%ad [NC]
RewriteRule .? - [F,L]

The researchers caution these rules have been tested only for the three locales they have confirmed as vulnerable.
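The same condition the rewrite rule tests can be applied after the fact to Apache access logs, to see which matching requests were refused and which were served. This is an added example, not code from the article or the researchers; the function names and log lines are constructed, the sample query strings reuse the request quoted above, and it assumes Apache's common/combined log layout.

```python
import re
from collections import defaultdict

# Apache common/combined log prefix: client ... [time] "request line" status
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" (?P<status>\d{3})')

# Soft hyphen at the very start of the raw query string: percent-encoded in
# either case (the rule's ^%ad [NC]) or a raw 0xAD byte, which Apache writes
# to its logs as the escape sequence \xad.
LEADING_SOFT_HYPHEN = re.compile(r'^(?:%ad|\\xad)', re.IGNORECASE)

def scan(lines):
    """Return one finding per request whose query string starts with 0xAD."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue                      # not an access-log line
        parts = m.group("request").split(" ")
        if len(parts) < 2 or "?" not in parts[1]:
            continue                      # malformed request or no query
        path, query = parts[1].split("?", 1)
        if LEADING_SOFT_HYPHEN.match(query):
            status = int(m.group("status"))
            findings.append({"line": number, "client": m.group("client"),
                             "path": path, "status": status,
                             "blocked": status == 403})
    return findings

def served_by_client(findings):
    """Count matching requests per client that were NOT answered with 403."""
    counts = defaultdict(int)
    for f in findings:
        if not f["blocked"]:
            counts[f["client"]] += 1
    return dict(counts)

# Constructed sample lines (documentation address ranges, invented timestamps).
QUERY = "d+allow_url_include%3d1+{0}d+auto_prepend_file%3dphp://input"
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Jun/2024:10:00:01 +0000] "GET /cgi.php?foo=bar HTTP/1.1" 200 512',
    '198.51.100.7 - - [07/Jun/2024:10:00:05 +0000] "POST /test.php?%AD'
    + QUERY.format("%AD") + ' HTTP/1.1" 200 90211',
    '198.51.100.7 - - [07/Jun/2024:10:09:44 +0000] "POST /test.php?%ad'
    + QUERY.format("%ad") + ' HTTP/1.1" 403 199',
    # A UTF-8 soft hyphen inside a word is ordinary text, not a leading 0xAD.
    '192.0.2.44 - - [07/Jun/2024:10:10:02 +0000] "GET /search.php?q=co%C2%ADoperate HTTP/1.1" 200 1337',
    r'203.0.113.9 - - [07/Jun/2024:10:11:30 +0000] "GET /test.php?\xadd+x HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print(served_by_client(scan(SAMPLE_LOG)))
```

Matches answered with a status other than 403 are the ones to investigate first, since they reached PHP before the rule (or a patch) was in place.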

XAMPP for Windows had yet to release a fix at the time this post went live. Admins who don’t need PHP CGI can turn it off by editing the following Apache HTTP Server configuration file:

C:/xampp/apache/conf/extra/httpd-xampp.conf

Locate the corresponding line:

ScriptAlias /php-cgi/ "C:/xampp/php/"  

And comment it out:

# ScriptAlias /php-cgi/ "C:/xampp/php/"  
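For triaging a fleet, the version cut-offs and the ScriptAlias check above can be combined into one assessment. This is an added example, not code from the article, Devcore or XAMPP; the function names, result labels and configuration snippets are constructed, and it only looks for the XAMPP-style alias, not for other ways CGI mode may have been enabled.

```python
import re

# First fixed release on each supported branch, as listed in the article.
FIXED_PATCH = {(8, 3): 8, (8, 2): 20, (8, 1): 29}

def version_status(version):
    """Classify a PHP-on-Windows version string against CVE-2024-4577."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised PHP version: {version!r}")
    major, minor, patch = (int(g) for g in m.groups())
    branch = (major, minor)
    if branch in FIXED_PATCH:
        return "patched" if patch >= FIXED_PATCH[branch] else "vulnerable"
    if branch < (8, 1):
        return "unsupported"   # 8.0, 7, 5: vulnerable, no patch available
    return "unknown"           # newer branch than the article covers

# ScriptAlias <url-path> <target>, target quoted or bare. Directive names
# are case-insensitive; a line starting with # cannot match.
ALIAS_RE = re.compile(r'^\s*ScriptAlias\s+(\S+)\s+(?:"([^"]+)"|(\S+))',
                      re.IGNORECASE)

def active_php_aliases(conf_text):
    """Return (line number, URL path, target) for live ScriptAlias lines
    whose target directory path mentions php."""
    hits = []
    for number, line in enumerate(conf_text.splitlines(), 1):
        m = ALIAS_RE.match(line)
        if m:
            target = m.group(2) or m.group(3)
            if "php" in target.lower():
                hits.append((number, m.group(1), target))
    return hits

def assess(version, conf_text):
    """Return ok / review / exposed / mitigated (labels made up here)."""
    status = version_status(version)
    if status == "patched":
        return "ok"
    if status == "unknown":
        return "review"        # consult the PHP release notes for the branch
    # Unpatched or unpatchable: is the PHP directory still web-reachable?
    return "exposed" if active_php_aliases(conf_text) else "mitigated"

# Constructed snippets modelled on the line quoted from httpd-xampp.conf.
CONF_DEFAULT = "\n".join([
    "<IfModule alias_module>",
    '    ScriptAlias /php-cgi/ "C:/xampp/php/"',
    "</IfModule>",
])
CONF_COMMENTED = CONF_DEFAULT.replace("ScriptAlias", "# ScriptAlias")

if __name__ == "__main__":
    for ver in ("8.3.7", "8.3.8", "8.0.30"):
        print(ver, assess(ver, CONF_DEFAULT), assess(ver, CONF_COMMENTED))
```

A "mitigated" result still means the interpreter itself is unpatched, so upgrading remains the fix wherever a patched release exists.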

Additional analysis of the vulnerability is available here.

Ars chats with Precision, the brain-chip maker taking the road less invasive

Brain-chip buzz —

Precision tested its BCI on 14 people so far. Two more are scheduled this month.

Precision’s Layer 7 Cortical Interface array.

Work toward brain-computer interfaces has never been more charged. Though neuroscientists have toiled for decades to tap directly into human thoughts, recent advances have the field buzzing with anticipation—and the involvement of one polarizing billionaire has drawn a new level of attention.

With competition amping up in this space, Ars spoke with Ben Rapoport, who is a neurosurgeon, electrical engineer, and co-founder of the brain-computer interface (BCI) company Precision Neuroscience. Precision is at the forefront of the field, having placed its BCI on the brains of 14 human patients so far, with two more scheduled this month. Rapoport says he hopes to at least double that number of human participants by the end of this year. In fact, the 3-year-old company expects to have its first BCI on the market next year.

In addition to the swift progress, Precision is notable for its divergence from the strategies of its competitors, namely Neuralink, the most high-profile BCI company, which is headed by Elon Musk. In 2016, Rapoport co-founded Neuralink alongside Musk and other scientists. But he didn’t stay long and went on to co-found Precision in 2021. In previous interviews, Rapoport suggested his split from Neuralink related to the issues of safety and invasiveness of the BCI design. While Neuralink’s device is going deeper into the brain—trying to eavesdrop on neuron signals with electrodes at close range to decode thoughts and intended motions and speech—Precision is staying at the surface, where there is little to no risk of damaging brain tissue.

Shallow signals

“It used to be thought that you needed to put needle-like electrodes into the brain surface in order to listen to signals of adequate quality,” Rapoport told Ars. Early BCIs developed decades ago used electrode arrays with tiny needles that sink up to 1.5 millimeters into brain tissue. Competitors such as Blackrock Neurotech and Paradromics are still developing such designs. (Another competitor, Synchron, is developing a stent-like device threaded into a major blood vessel in the brain.) Meanwhile, Neuralink is going deeper, using a robot to surgically implant electrodes into brain tissue, reportedly between 3 mm and 8 mm deep.

However, Rapoport eschews this approach. Anytime something essentially cuts into the brain, there’s damage, he notes. Scar tissue and fibrous tissue can form—which is bad for the patient and the BCI’s functioning. “So, there’s not infinite scalability [to such designs],” Rapoport notes, “because when you try to scale that up to making lots of little penetrations into the brain, at some point you can run into a limitation to how many times you can penetrate the brain without causing irreversible and undetectable damage.”

Further, he says, penetrating the brain is just unnecessary. Rapoport says there is no fundamental data that suggests that penetration is necessary for BCI advances. Rather, the idea was based on the state of knowledge and technology from decades ago. “It was just that it was an accident that that’s how the field got started,” he said. But, since the 1970s, when centimeter-scale electrodes were first being used to capture brain activity, the technology has advanced from the macroscopic to microscopic range, creating more powerful devices.

“All of conscious thought—movement, sensation, intention, vision, etc.—all of that is coordinated at the level of the neocortex, which is the outermost two millimeters of the brain,” Rapoport said. “So, everything, all of the signals of interest—the cognitive processing signals that are interesting to the brain-computer interface world—that’s all happening within millimeters of the brain surface … we’re talking about very small spatial scales.” With the more potent technology of today, Precision thinks it can collect the data it needs without physically traversing those tiny distances.

Samsung Electronics is on strike! Workers stage one-day walkout.

Stockpile your chips now —

For now, the one-day strike is just a show of force and shouldn’t hurt production.

A South Korean flag, left, and Samsung Electronics Co. flag fly outside the company's headquarters in Seoul, South Korea.

Jean Chung/Bloomberg via Getty Images

Samsung Electronics workers are on strike! As The New York Times reports, Nationwide Samsung Electronics Union (NSEU) has about 28,000 members, or about one-fifth of Samsung’s workforce, walking out of the job on Friday. It’s Samsung’s first workers’ strike.

Specifically, the walkout is in Samsung’s chip division, which makes RAM, NAND flash chips, USB sticks and SD cards, Exynos processors, camera sensors, modems, NFC chips, and power and display controllers. Depending on how each quarter goes, Samsung is often the world’s largest chipmaker by revenue thanks to this division, and its parts are in products from a million different brands. It’s probably hard to find a tech product that doesn’t have some kind of Samsung chip in it.

As you might expect, the union wants higher pay. Samsung’s workers have gotten as much as 30 percent of their pay from bonuses, and there were no bonuses last year. Union VP Lee Hyun Kuk told the Times that “it feels like we’ve taken a 30 percent pay cut.” The average pay for a union member is around $60,000 before bonuses.

This is officially a one-day strike, so it’s not expected to hurt Samsung’s output much. For now, this is more about a show of strength by the union in the hopes that Samsung will come to the negotiating table. Samsung reported a profit of $1.4 billion from its chip division in Q1 this year.

If this isn’t resolved, what exactly would happen to the tech industry during a long-term Samsung strike is anyone’s guess. Because of the ubiquity of Samsung’s components, every tech hardware company would have to deal with this somewhat. Samsung has a lot of competitors in each market, though. For instance, for memory it’s always battling SK Hynix and Micron, and a lot of manufacturers will use parts from the three companies interchangeably. Maybe Samsung’s competitors could just pick up the slack. Samsung has never been on strike before, so we’re in uncharted territory.
