Harry Guinness | Popular Science https://www.popsci.com/authors/harry-guinness/ Awe-inspiring science reporting, technology news, and DIY projects. Skunks to space robots, primates to climates. That's Popular Science, 145 years strong. Thu, 01 Jun 2023 18:00:00 +0000

This PDF Chrome extension might contain malware https://www.popsci.com/technology/chrome-extension-malware-pdf-toolbox/ Thu, 01 Jun 2023 18:00:00 +0000 https://www.popsci.com/?p=545125
chrome browser icons
Growtika / Unsplash

The extension could be used to access every web page you currently have open in your browser.

The post This PDF Chrome extension might contain malware appeared first on Popular Science.

An independent security researcher has found malicious code in 18 Chrome extensions currently available in the Chrome Web Store. Combined, the extensions have over 57 million active users. It’s yet more evidence that Chrome extensions need to be evaluated with a critical eye. 

Chrome extensions are apps built on top of Google Chrome that allow you to add extra features to your browser. The tasks that this customizable feature can do are wide-ranging, but some popular extensions can auto-fill your password, block ads, enable one-click access to your todo list, or change how a social media site looks. Unfortunately, because Chrome extensions are so powerful and can have a lot of control over your browsing experience, they are a popular target for hackers and other bad actors. 

Earlier this month, independent security researcher Wladimir Palant discovered code in a browser extension called PDF Toolbox that allows it to inject malicious JavaScript code into any website you visit. The extension purports to be a basic PDF processor that can do things like convert other documents to PDF, merge two PDFs into one, and download PDFs from open tabs. 

It’s that last feature that leaves PDF Toolbox open for bad intentions. Google requires extension developers to only use the minimum permissions necessary. In order to download PDFs from tabs that aren’t currently active, PDF Toolbox has to be able to access every web page you currently have open. Without this feature, it would not be able to pseudo-legitimately access your browser to the same extent.

While PDF Toolbox seemingly can do all the PDF tasks it claims to be able to, it also downloads and runs a JavaScript file from an external website which could contain code to do almost anything, including capture everything you type into your browser, redirect you to fake websites, and take control of what you see on the web. By making the malicious code resemble a legitimate API call, obfuscating it so that it’s hard to follow, and delaying the malicious call for 24 hours, PDF Toolbox has been able to avoid being removed from the Chrome Web Store by Google since it was last updated in January 2022. (It is still available there at the time of writing, despite Palant lodging a report about its malicious code.) 

Palant had no way of confirming what the malicious code in PDF Toolbox did when he first discovered it. However, yesterday he disclosed 17 more browser extensions that use the same trick to download and run a JavaScript file. These include Autoskip for Youtube, Crystal Ad block, Brisk VPN, Clipboard Helper, Maxi Refresher, Quick Translation, Easyview Reader view, Zoom Plus, Base Image Downloader, Clickish fun cursors, Maximum Color Changer for Youtube, Readl Reader mode, Image download center, Font Customizer, Easy Undo Closed Tabs, OneCleaner, and Repeat button, though it is likely that there are other infected extensions. These were only the ones that Palant found in a sample of approximately 1,000 extensions.

In addition to finding more affected extensions, Palant was able to confirm what the malicious code was doing (or at least had done in the past). The extensions were redirecting users’ Google searches to third-party search engines, likely in return for a small affiliate fee. By infecting millions of users, the developers could rake in a tidy amount of profit. 

Unfortunately, code injection is code injection. Just because the malicious JavaScript fairly harmlessly redirected Google searches to alternative search engines in the past, doesn’t mean that it does so today. “There are way more dangerous things one can do with the power to inject arbitrary JavaScript code into each and every website,” writes Palant.

And what kind of dangerous things are those? Well, the extensions could be collecting browser data, adding extra ads to every web page someone visits, or even recording online banking credentials and credit card numbers. Malicious JavaScript running unchecked in your web browser can be incredibly powerful. 

If you have one of the affected extensions installed on your computer, you should remove it now. It’s also a good idea to do a quick audit of all the other extensions you have installed to make sure that you are still using them, and that they all look to be legitimate. If not, you should remove them too.

Otherwise, treat this as a reminder to always be vigilant for potential malware. For more tips on how to fight it, check out our guide on removing malware from your computer.

Articles may contain affiliate links which enable us to share in the revenue of any purchases made.

Netflix is rolling out a feature that ends password sharing in the US https://www.popsci.com/technology/netflix-household-password-sharing/ Wed, 24 May 2023 19:00:00 +0000 https://www.popsci.com/?p=543134
A first-person view of a television loading Netflix as a person puts their legs on a coffee table.
You'll have to jump through a lot more hoops to keep using your friend's Netflix account. Mollie Sivaram / unsplash

Everything you need to know about the new "Netflix Household" feature.

The days of freely sharing a Netflix account are over. This week, Netflix finally announced that it would stop American subscribers from sharing their Netflix account with family members, friends, and anyone else who lives at a different location. In an email to affected subscribers, the streaming giant wrote: “Your Netflix account is for you and the people you live with—your household.”

Although Netflix embraced—or at least tacitly allowed—password sharing for years, slowing financial growth, subscriber retention issues, subscriber growth falling short of expectations, and competition from Disney and other streaming services have forced the company to change its tack. Last year, it launched the limited $6.99/month ad-supported tier. At that time, Netflix started cracking down on password sharers in three test countries: Chile, Costa Rica, and Peru. Seemingly, those trials proved successful (or at least lucrative), as the streamer is now rolling these features out to subscribers in 103 countries around the world, including the US, most of Europe, Australia, Singapore, Mexico, and Brazil.

According to Netflix, anyone who lives with you will be able to continue to use your account as normal, but anyone who lives in a different location—like children away at university, deployed military personnel, and the ex you haven’t spoken to in three years—will have to transfer their profile to another account or convince you to pay $7.99/month to add an extra member to your account. 

“A Netflix account is for use by one household,” the company says in the email to subscribers. “Everyone living in that household can use Netflix wherever they are—at home, on the go, on holiday—and take advantage of new features like Transfer Profile and Manage Access and Devices.” 

Netflix now wants users to set up a Netflix Household by signing in on a TV connected to their home internet. Any device that uses the same internet connection will be automatically added to the Household. 

Netflix is keeping quiet about how exactly it detects if you’re sharing your account with someone you shouldn’t. In an FAQ on the website, the company says: “We use information such as IP addresses, device IDs, and account activity to determine whether a device signed into your account is part of your Netflix Household. We do not collect GPS data to try to determine the precise physical location of your devices.” Still, it’s unclear what will trigger the system. Presumably your device needs to connect to the Household internet connection with some regularity, but does a three-week backpacking trip or semester abroad count as a holiday? Or will Netflix’s automated systems decide that someone needs to set up a new account?

Similarly, if you have a complicated Wi-Fi setup, expect Netflix to have Household issues. In the same FAQ, the company says that for subscribers with “multiple Wi-Fi networks, we may only associate one with your Netflix Household. If you want to watch Netflix on devices that are connected to Wi-Fi networks using different ISP accounts or that have different external IP addresses, you may be asked to verify that device as part of your Netflix Household.”

But no matter what happens with the edge cases, it sounds like Netflix is pretty serious about stopping out-and-out password sharing. If you don’t genuinely live with the person whose account you use, it looks like your options are pretty limited. If you really want to stay on the same account, you can ask them to add an extra member slot for $7.99/month; though only if they are on the $15.49/month Standard or $19.99/month Premium plan. The $6.99/month Standard with Ads and $9.99/month Basic plans don’t support extra members. 

Otherwise, you can transfer your profile to a new account and start paying (ugh) or just give up on Netflix for a little while and check out what some of the other streaming services have to offer. 

Though there is, perhaps, one workaround. Apparently, “If you don’t watch Netflix on a TV or don’t have one, you do not need to set a Netflix Household for your account.” So as long as everyone watches on their laptops, tablets or smartphones, you might be able to dodge the great password sharing crackdown.

Watch a Google drone deliver beer and snacks to Denver’s Coors Field https://www.popsci.com/technology/wing-stadium-beer-delivery/ Tue, 23 May 2023 19:00:00 +0000 https://www.popsci.com/?p=542882
Wing's drone flying in the stadium
Wing's drone flying in the Coors Field. Wing

It might never match the pace and precision of a human vendor, but it's still a cool demonstration.

Wing, Google parent company Alphabet’s drone-delivery subsidiary, pulled off a fun demonstration delivery earlier this month: one of its drones delivered beer and peanuts to Coors Field, the Colorado Rockies’ stadium in the middle of Denver. While this novel first comes with a heavy dose of caveats, it still gives a nice glimpse of how far some drone delivery operations have come over the past few years. 

What are the caveats? According to Wing, the drone delivered a small package of beer (“Coors of course”) and peanuts to the outfield area of Coors Field during the opening party for the Association of Unmanned Vehicle Systems International’s (AUVSI) annual autonomous systems conference. There were apparently 1,000 people in the stands, though as you can see in the video, it was no game day crowd. Crucially, Wing wasn’t using its drones to deliver beers and peanuts on demand—this was purely a demonstration flight to show the drone operating in a downtown urban environment.

“Our drones will never match the experience of flagging down a vendor and having them toss peanuts to you from 20 seats away. Nor do we think delivering during game day is a particularly compelling use-case for our technology,” writes Jonathan Bass, Wing’s head of marketing and communications in the blog post announcing the feat. “We’re more focused on supplementing existing methods of ground-based delivery to move small packages more efficiently across miles, not feet.”

And Coors Field was a suitable environment to show just how capable its drones have become. Over the past few years, the former moonshot has progressed from delivering to rural farms and lightly populated suburbs to flying packages around denser suburbs and large metro areas like Dallas-Fort Worth in Texas. As Bass explains it, despite Wing having done 1,000 deliveries on some days in one of its Australian bases of operations, the company is still regularly asked if drone delivery could work in “dense, urban environments”.

“We chose Coors Field because it’s a particularly challenging environment,” writes Bass. “Coors Field sits in the middle of Denver, Colorado—one of the fastest growing cities in America. Any professional sports stadium—with stadium seating, jumbotrons, and the like—makes for a fun challenge.”

The demonstration is all part of Wing’s plans to massively expand where it operates over the next while. Earlier this year, it announced the Wing Delivery Network. Drones in this program would work more like ride-sharing vehicles that picked up and dropped off packages as needed instead of operating from a single store or base. To make this possible, Wing unveiled a device called the AutoLoader. It sits in a parking spot outside a store and enables staff to leave a package for a drone to autonomously collect.

While things seem to be taking off for Wing, the scene is a bit more turbulent across the drone delivery industry. In particular, Amazon’s Prime Air is really struggling to launch. Despite first being unveiled almost a decade ago, Prime Air has now completed a total of “100 deliveries in two small US markets,” according to a report earlier this month by CNBC. The company apparently intended to reach 10,000 deliveries this year, but has had to revise those projections. It probably doesn’t help that a significant number of workers were laid off earlier this year.

Other companies are having more success. Zipline, best known for delivering medical supplies by parachute in rural Africa from catapult-launched fixed-wing drones, recently showcased a new platform that would allow it to deliver more typical packages—like a Sweetgreen salad—by lowering them on a tether from a hover-capable drone. It, along with DroneUp and Flytrex, have partnered with Walmart and collectively completed more than 6,000 deliveries last year. The big question consumers have: Are delivery drones going to be everywhere in the next few years? Probably not, but they are likely to be more present. 

Wendy’s wants underground robots to deliver food to your car https://www.popsci.com/technology/wendys-underground-delivery-robot/ Thu, 18 May 2023 16:30:00 +0000 https://www.popsci.com/?p=541984
Wendy's chain restaurant at night.
Wendy's wants to automate its drive-thru. Batu Gezer / Unsplash

The concept is similar to a pneumatic tube system.

Wendy’s announced this week that it is going to try using underground autonomous robots to speed up how customers collect online orders. The burger joint plans to pilot the system designed by “hyperlogistics” company Pipedream, and aims to be able to send food from the kitchen to designated parking spots.

Wendy’s seems to be on a quest to become the most technologically advanced fast food restaurant in the country. Last week, it announced that it had partnered with Google to develop its own AI system (called Wendy’s FreshAI) that could take orders at a drive-thru. This week, it’s going full futuristic. (Pipedream’s current marketing line is “Someday we’ll use teleportation, until then we’ll use Pipedream.”)

According to a PR email sent to PopSci, digital orders now make up 11 percent of Wendy’s total sales and are growing, on top of the 75 to 80 percent of orders that are placed at a drive-thru.

The proposed autonomous system aims “to make digital order pick-up fast, reliable and invisible.” When customers or delivery drivers are collecting an online order, they pull into a dedicated parking spot with an “Instant Pickup portal,” where there will be a drive-thru style speaker and kiosk to confirm the order with the kitchen. In a matter of seconds, the food is then sent out by robots moving through an underground series of pipes using “Pipedream’s temperature-controlled delivery technology.” The customer can then grab their order from the kiosk without ever leaving their car. Apparently, the “first-of-its-kind delivery system” is designed so that drinks “are delivered without a spill and fries are always Hot & Crispy.”

Wendy’s is far from the first company to try and use robots to streamline customer orders, though most go further than the parking lot. Starship operates a delivery service on 28 university campuses while Uber Eats is still trialing sidewalk delivery robots in Miami, Florida; Fairfax, Virginia; and Los Angeles, California. Whether these knee-height six-wheeled electric autonomous vehicles can graduate from school and make it into the real world remains to be seen.

The other big semi-autonomous delivery bets are aerial drones. Wing, a subsidiary of Google-parent Alphabet, unveiled a device called the Auto-Loader earlier this year. It also calls for a dedicated parking spot and aims to make it quicker and easier for staff at partner stores to attach deliveries to one of the company’s drones. 

What sets Wendy’s and Pipedream’s solution apart is that it all happens in a space that the restaurant controls. Starship, Uber Eats, and Wing are all trying to bring robots out into the wider world where they can get attacked by students, take out power lines, and otherwise have to deal with humans, street furniture, and the chaos of existence. Providing Wendy’s abides by building ordinances and any necessary health and safety laws, cost is the only thing stopping them from adding tube-dwelling robots to every restaurant the company controls. Really, the option Wendy’s is trialing has more in common with a pneumatic tube system—hopefully it will be a bit more practical.

Google will start deleting inactive accounts later this year https://www.popsci.com/technology/google-delete-inactive-accounts/ Wed, 17 May 2023 17:00:00 +0000 https://www.popsci.com/?p=541702
Computer-on-desk-showing-gmail-loading-page
Gmail is loading... loading... loading. Solen Feyissa/Unsplash

Sign into your inactive account ASAP or it might be gone for good.

Google said this week that it would start deleting unused and abandoned accounts at the end of this year. In a blog post announcing an update to its inactive account policies, Ruth Kricheli, vice president of product management, explained that any accounts that haven’t been logged into or used in the previous two years were potentially in line for removal. 

Google is presenting the updated policy as a security decision. In the blog post, Kricheli wrote that, “if an account hasn’t been used for an extended period of time, it is more likely to be compromised. This is because forgotten or unattended accounts often rely on old or re-used passwords, haven’t had two factor authentication set up, and receive fewer security checks by the user.” According to Google’s internal analysis, unused accounts are “at least 10x less likely” to have two-factor verification set up, which makes them easier for malicious actors to hijack and then use for identity theft, to send spam, and more.

As a result, Google is going to start deleting inactive accounts and their contents from Gmail, Google Docs, Google Drive, Google Meet, Google Calendar, and Google Photos no earlier than December, 2023. The company intends to take a phased approach and start by deleting accounts that were created but never used. Before an account is deleted, Google will send multiple notifications to the email address associated with it as well as any recovery email addresses.

The new inactivity policy applies to any personal Google Accounts that haven’t been signed into or used in some way in the last two years. Accounts managed by a business or school are safe, at least for now, even if they aren’t currently active. 

It’s worth noting that the previous inactivity policy, announced in 2020, already allowed Google to delete the contents of any account that hadn’t been logged into for two years. The difference here is that the company may now delete the entire account, instead of just its content. According to 9to5Google, any deleted email addresses won’t be reassigned, which nicely avoids the issues plaguing Twitter’s recently trial-ballooned username reassignment plan. The accounts will just permanently stop working.

There are also another few edge cases and caveats to note. Google Photos has its own two-year inactivity rules. To keep your photos from being deleted, you need to log into the service separately. Logging into your Google account will keep it active, but you may still lose your photos. 

9to5Google reports that accounts with YouTube videos are also safe, at least for the time being, because deleting them “would be tricky as some old abandoned clips might have historical relevance.” Similarly, accounts that are signed into Android devices are considered active, as are any with an ongoing subscription to Google One or third-party apps. 

The wording of the whole announcement seems to suggest that Google either hasn’t finalized the process and policies, or that it is keeping things relatively secret for security reasons. Either way, keeping your account active is relatively easy. All you have to do is sign in and perform some basic actions, like reading or sending an email, watching a YouTube video, using Google Search, or logging into a third-party service.

Kricheli also uses the announcement to recommend that Google users create a backup plan for their account and its contents. You can set up a recovery email, so that you can reclaim your account if you forget your password or otherwise lose access to it. If you no longer use an account, the Takeout feature allows you to download all your data and export it to another platform.

Finally, there is a Google feature called the Inactive Account Manager that allows you to specify what happens if you don’t sign into your account for 18 months. You can set up a Gmail autoresponder, send specific files to chosen contacts, or delete your account entirely. It’s designed so that if something bad happens to you, you have control over what happens to the (potentially meaningful) contents of your account. 

All the products that Google has sent to the graveyard https://www.popsci.com/technology/google-discontinued-products/ Thu, 11 May 2023 21:00:00 +0000 https://www.popsci.com/?p=540628
What happened to Google Glass?

Google Reader, Jacquard, and Wave are among the many hyped-up projects that never really took off.

At Google’s annual I/O developer’s conference, the tech giant announced a whole heap of AI-powered features that will be coming soon to its core apps, like Gmail, Docs, Sheets, Photos, and Meet. It even showcased an updated version of Project Starline, the 3D video-calling booth it announced back in 2021.

While all very fun and exciting, Google’s flashy new project announcements are usually met with some degree of trepidation by the tech press. The company has undeniably revolutionized search and advertising, and products like Gmail and Docs are incredibly popular. But, it has also announced countless products with great fanfare, failed to support them, then quietly killed them. Let’s have a look at some of the high and low lights from Google’s product graveyard. 

Google Glass, Wave, Reader, and the other ones people are still bitter about

Over the past two decades, Google has killed off a lot of products—and some of them were pretty popular, or at least had diehard fans. Others, not so much. 

Google Reader is, perhaps, the biggest victim here. The beloved RSS reader app was unceremoniously axed, possibly in an attempt to drive people to Google+. It’s still missed by a lot of tech writers. 

The Google URL Shortener was a handy free alternative to bit.ly and other similar services. It got killed in 2019. Another similar service, Google Go Links, that allowed you to make your own custom URL shortener was also discontinued in 2021.

Inbox by Gmail, an innovative mobile-first email app, was pulled in 2019. However, most of its features, like snoozing emails and smart replies, were added to Gmail. 

Another groundbreaking Google app was Google Wave: A real-time editing and collaborative document tool. Apps like Notion, Slack, and even Google Docs owe a lot to the trend-setting app, which was shut down in 2012. 

Less bitterly, Google Glass was discontinued for consumers in 2015 and the Glass OS version of Android was discontinued a few years later in 2017. Its official demise was announced earlier this year. Not many people were sad to see it go, though if rumors are to be believed, we might be gearing up for the next AR goggle hype-cycle.

And perhaps most famously, Google+ was an attempt to build a Facebook-style social network that failed spectacularly. Despite cramming Google+ features into YouTube, Gmail, and every other Google app, it was phased out in 2019.

Now, with some of the big names out of the way, here are some products you might have forgotten Google even launched. 

Stadia, we hardly knew ya

Google Stadia was a cloud gaming service that ran through Chrome, a Chromecast, or a mobile app. The idea was that you could stream games that actually played on Google’s server. As long as you had a fast enough internet connection, it would effectively turn your smartphone, TV, or under-powered PC into a games console. 

Unfortunately, despite some dedicated fans and a lot of hype from Google, the company never delivered the one thing a games console needs: great games. It stopped operating early this year.

Jacquard

One of Google’s wildest ideas, Jacquard was a collaboration between Google and Levi’s, the clothing brand. Somehow, the two companies made two generations of a smart jacket—one in 2017 and another in 2019. It featured a touch-sensitive strip of fabric on your wrist so you could play and pause music and answer phone calls. 

While it’s hard to argue that Jacquard ever really took off, Google officially killed it earlier this year.

YouTube (not so) Originals

Launched in 2016, YouTube Originals was a somewhat misguided attempt to compete with Netflix and justify the $12/month Google was asking for YouTube Premium (at the time called YouTube Red). Already big YouTubers like PewDiePie were given large budgets to make poorly received shows.

Though it wasn’t all bad: Cobra Kai, a sequel to The Karate Kid, got two seasons as a YouTube Original before moving to Netflix. 

YouTube Originals was finally discontinued in late 2022. 

About 9 different messaging apps

Google has a long history of releasing messaging apps before merging them, pivoting them, killing them, and reusing the name. The situation is so ridiculous that we had to write a full explainer last year.

But in short, Google currently has three communications apps: Google Chat, Google Meet, and Messages. To get to this streamlined situation, it has killed, rebranded, or otherwise discontinued: Google Talk or GChat, Google+ Messenger, SMS on Android, Google Voice, Google Messenger (a different app again), YouTube Messages, Google Allo, Google Duo, and Google Hangouts.

So, while Project Starline looks awesome, we fear there’s a good chance the general public never sees it. The AI-features look more likely to get some support, but who knows how long Google will let them stick around.

Google is helping Wendy’s build an AI drive-thru https://www.popsci.com/technology/wendys-google-drive-thru-ai/ Wed, 10 May 2023 22:00:00 +0000 https://www.popsci.com/?p=540382
Wendy's chain restaurant at night.
Wendy's wants to automate its drive-thru. Batu Gezer / Unsplash

The tech will be put to a real world test next month.

Wendy’s is working with Google to create an AI chatbot that will be able to take customer orders at its drive-thrus. According to a press release from both companies, the AI—called Wendy’s FreshAI—is set to debut at a chain restaurant in Columbus, Ohio, in June.

Although the AI is being billed as a chatbot, it’s safe to assume it will work a little differently to ChatGPT or Bing AI. From a report in The Wall Street Journal, it seems that the customers will be able to speak to the AI but will receive a reply in the form of on-screen text. Once a customer places their order, it will be sent to a screen for the line cooks. When the meal is ready, the customer will then drive forward and collect it. This is one of the first instances we’ve seen where a chatbot is being taken out into the real world—and it sounds like it could work. 

Wendy’s FreshAI is powered by Google Cloud’s generative AIs and large language models (LLMs). Over the past few years, Google has developed a number of LLMs and other AI tools, including GLaM, PaLM, and LaMDA (the AI model that one researcher got fired for thinking was sentient). They’re all trained on gigantic datasets and are capable of understanding complex sentences and concepts and generating human-like text. LaMDA used to power the chatbot Google Bard, but it’s since been moved to the new and improved PaLM 2 model.

Crucially, these LLMs can be further trained on specific data—which is exactly what Wendy’s has done. According to the press release, because customers can completely customize their orders, there are billions of possible menu combinations. To limit miscommunications and incorrect orders, the AI has been trained on Wendy’s menu. According to The WSJ report, it has been taught the “unique terms, phrases and acronyms” that customers use when ordering at Wendy’s, including “JBC” for junior bacon cheeseburger and “biggie bags” for “various combinations of burgers, chicken nuggets and soft drinks.” Apparently, you will even be able to order a milkshake—despite Wendy’s officially calling them “Frosties.” It’s even been taught to upsell customers by offering larger sizes and daily specials, and to answer frequently asked questions.

[Related: Google previews an AI-powered future at I/O 2023]

To keep Wendy’s FreshAI from spouting nonsense or taking orders for McNuggets, it has also been trained on the company’s established business practices and was given some logical and conversational guardrails. While it can take your order, it probably won’t be able to plot world domination. Still, Wendy’s Chief Executive Todd Penegor told The WSJ: “it will be very conversational. You won’t know you’re talking to anybody but an employee.”

And from the tests so far, it’s apparently a pretty good employee at that. “It’s at least as good as our best customer service representative, and it’s probably on average better,” Kevin Vasconi, Wendy’s chief information officer, told The WSJ.

Wendy’s hopes the AI will speed up drive-thru orders, which the company says account for between 75 and 80 percent of its business. Of course, getting the chatbot to work perfectly won’t be without its challenges. 

“You may think driving by and speaking into a drive-through is an easy problem for AI, but it’s actually one of the hardest,” Thomas Kurian, CEO of Google Cloud, told The WSJ. He listed the noise of music or children in a family car and people changing their mind mid-order as some of the problems that the AI has to be able to overcome. 

Assuming the AI works as planned, Wendy’s is aiming to launch it at a company-operated store in Columbus, Ohio, next month. If it’s a success, it could roll out more widely over the next few months. 

Google joins the fight against passwords by enabling passkeys https://www.popsci.com/technology/google-enables-passkeys/ Fri, 05 May 2023 14:00:42 +0000 https://www.popsci.com/?p=539269
Internet photo

It's still early days for passkeys, so expect some speed bumps if you want to be an early adopter.

The post Google joins the fight against passwords by enabling passkeys appeared first on Popular Science.

The passwordless future is slowly becoming a reality. This week, Google announced that you can now log into your Google account with just a passkey. It’s a huge milestone in what promises to be the incredibly long, awkward move away from using passwords for security. 

In case you haven’t heard yet, passwords are terrible. People pick awful passwords to begin with, find them really hard to remember, and then don’t even use them properly. When someone gets hacked, that may just involve someone using (or reusing) a really bad password or accidentally giving it to a scammer. To try to solve these difficult problems, an industry group—including Apple, Google, and Microsoft—called the FIDO Alliance developed a system called passkeys. 

Passkeys are built using what’s called the Web Authentication (or WebAuthn) standard and public-key cryptography. It’s similar to how end-to-end encrypted messaging apps work. Instead of you creating a password, your device generates a unique pair of mathematically related keys. One of them, the public key, is stored by the service on its server. The other, the private key, is kept securely on your device, ideally locked behind your biometric data (like your fingerprint or face scan), though the system also supports PINs. 

[Related: Microsoft is letting you ditch passwords. Here’s how.]

Because the keys are mathematically related, the website or app can get your device to verify that you have the matching private key and issue a one-time login without ever actually knowing what your private key is. This means that account details can’t be stolen or phished and, since you don’t have to remember anything, logging in is simple. 
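The login check described above, as an added Node.js simulation that is not Google's or the FIDO Alliance's code: the device signs a one-time server challenge together with the origin the browser reports, using the WebAuthn assertion layout (authenticator data plus a hash of the client data), and the server verifies the result with the stored public key. The `accounts.example` domains, the `RelyingParty` class and the lookup by username are assumptions made for the example.

```javascript
// Added illustration, not Google's or the FIDO Alliance's code. Names and
// domains are constructed; users are looked up by name to keep it short.
const nodeCrypto = require("node:crypto");

const sha256 = (data) => nodeCrypto.createHash("sha256").update(data).digest();

// ---- Device side: the private key never leaves this object ----
function createPasskey() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", {
    namedCurve: "P-256",
  });
  return { publicKey, privateKey, signCount: 0 };
}

// The browser, not the web page, supplies `origin`, so a look-alike site
// cannot obtain a signature that names the real site.
function signAssertion(passkey, challenge, origin) {
  const clientDataJSON = Buffer.from(
    JSON.stringify({
      type: "webauthn.get",
      challenge: challenge.toString("base64url"),
      origin,
    })
  );
  passkey.signCount += 1;
  const counter = Buffer.alloc(4);
  counter.writeUInt32BE(passkey.signCount);
  const flags = Buffer.from([0x05]); // user present (0x01) | user verified (0x04)
  const rpIdHash = sha256(new URL(origin).hostname);
  const authenticatorData = Buffer.concat([rpIdHash, flags, counter]);
  const signedBytes = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  const signature = nodeCrypto.sign("sha256", signedBytes, passkey.privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// ---- Server side: stores public keys only ----
class RelyingParty {
  constructor(origin) {
    this.origin = origin;
    this.rpIdHash = sha256(new URL(origin).hostname);
    this.credentials = new Map(); // username -> { publicKey, signCount }
    this.pendingChallenges = new Set();
  }

  register(username, publicKey) {
    this.credentials.set(username, { publicKey, signCount: 0 });
  }

  newChallenge() {
    const challenge = nodeCrypto.randomBytes(32);
    this.pendingChallenges.add(challenge.toString("base64url"));
    return challenge;
  }

  // Returns "ok" or the reason the login was rejected.
  verify(username, { clientDataJSON, authenticatorData, signature }) {
    const cred = this.credentials.get(username);
    if (!cred) return "unknown user";
    const clientData = JSON.parse(clientDataJSON.toString("utf8"));
    if (clientData.type !== "webauthn.get") return "wrong ceremony type";
    // Each challenge is accepted once, so a captured response cannot be replayed.
    if (!this.pendingChallenges.delete(clientData.challenge)) {
      return "unknown or reused challenge";
    }
    if (clientData.origin !== this.origin) return "origin mismatch";
    if (authenticatorData.length < 37) return "malformed authenticator data";
    if (!authenticatorData.subarray(0, 32).equals(this.rpIdHash)) return "rpId mismatch";
    if ((authenticatorData[32] & 0x01) === 0) return "user not present";
    const signedBytes = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
    if (!nodeCrypto.verify("sha256", signedBytes, cred.publicKey, signature)) {
      return "bad signature";
    }
    const signCount = authenticatorData.readUInt32BE(33);
    if (signCount <= cred.signCount) return "signature counter did not increase";
    cred.signCount = signCount;
    return "ok";
  }
}

// Constructed walk-through: one real login, then three attempts that must fail.
function demo() {
  const site = new RelyingParty("https://accounts.example");
  const passkey = createPasskey();
  site.register("alice", passkey.publicKey);

  const first = signAssertion(passkey, site.newChallenge(), "https://accounts.example");
  const login = site.verify("alice", first);
  const replay = site.verify("alice", first); // same response sent again

  // A look-alike site relays a fresh challenge; the browser reports its real origin.
  const phished = site.verify(
    "alice",
    signAssertion(passkey, site.newChallenge(), "https://accounts.example.login.test")
  );

  // Someone without Alice's private key signs with a key of their own.
  const forged = site.verify(
    "alice",
    signAssertion(createPasskey(), site.newChallenge(), "https://accounts.example")
  );
  return { login, replay, phished, forged };
}
```

The server never holds anything it could leak as a login secret: a breach of `credentials` exposes public keys only.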

Take Google’s recent implementation. Once you’ve set up a passkey, you will be able to log into your Google account just by entering your email address and scanning your fingerprint or face. It feels similar to how built-in password managers work, though without any password in the mix. 

Of course, passkeys are still a work in progress, and implementations are inconsistent. As Ars Technica points out, passkeys currently sync using your operating system ecosystem. Right now, if you exclusively use Apple devices, things are pretty okay. Your passkeys will sync between your iPhone, iPad, and Mac using iCloud. For everyone else though, they’re a mess. If you create a passkey on your Android smartphone, it will sync to your other Android devices, but not your Windows computer or even your Chrome browser. There are workarounds using tools like QR codes, but it’s a far cry from the easy password-sharing built into most browsers.

[Related: Apple’s passkeys could be better than passwords. Here’s how they’ll work.]

Also, passkeys aren’t very widely supported yet. Different operating systems support them to various degrees and there currently are just 41 apps and services that allow you to use them to log in. Google joining the list is a huge deal, in part because of how many services rely on Sign In With Google.

Password managers have become a good tool for managing complex, unique passwords across different devices and operating systems. These same password managers, like Dashlane and 1Password, are working to solve the syncing issues currently baked into passkeys. In a statement to PopSci, 1Password CEO Jeff Shiner said, “Passkeys are the first authentication method that removes human error—delivering security and ease of use… In order to be widely adopted though, users need the ability to choose where and when they want to use passkeys so they can easily switch between ecosystems… This is a tipping point for passkeys and making the online world safe.”

If you’re ready to try passkeys despite the sync issues and lack of support, you can read our guide on how to set up a passkey for your Google account right now. Unfortunately, this only works with regular Google accounts. Google Workspace accounts aren’t supported just yet. 

Tech giants have a plan to fight dangerous AirTag stalking https://www.popsci.com/technology/apple-google-airtag-tracker-stalking/ Thu, 04 May 2023 20:30:00 +0000 https://www.popsci.com/?p=539115
AirTags and other trackers like them use Bluetooth to help people find a lost item.
AirTags and other trackers like them use Bluetooth to help people find a lost item. Apple

A new proposal from Apple and Google could help solve a serious problem with Bluetooth trackers.

The post Tech giants have a plan to fight dangerous AirTag stalking appeared first on Popular Science.

Apple and Google have jointly proposed a new industry specification aimed at preventing the misuse of Bluetooth location-tracking devices like AirTags. The new proposal outlines a number of best practices for makers of Bluetooth trackers and, if adopted, would enable anyone with an iOS or Android smartphone to get a notification if they were the target of unauthorized tracking.

Since launching in 2021, Apple’s AirTags have been controversial. The coin-sized Bluetooth devices work using Apple’s Find My network, which is also used to track the location of iPhones, iPads, MacBooks, and other Apple devices. In essence, every Apple device works as a receiver and reports the location of any other nearby device back to Apple; this means that you can still track devices that don’t have GPS or even cellular data. Everything is end-to-end encrypted so only the authorized device owner can see where something is, but that hasn’t stopped AirTags being misused.

While a small location-tracking device with a long battery life that clips to your keys or fits in your bag has some very obvious benefits, AirTags have also been called “a gift for stalkers.” If you can put an AirTag in your coat pocket or handbag, so can someone else. Similarly, it’s easy to find stories of abusive partners using AirTags to track their victims, or thieves using them to track valuable cars.

However, for all the negatives, a lot of people recognize that Bluetooth trackers can be incredibly useful. Just this week, the New York Police Department (NYPD) and Mayor Eric Adams announced that they were encouraging car-owning New Yorkers to leave an AirTag in their cars and said that they would be giving 500 away for free. “AirTags in your car will help us recover your vehicle if it’s stolen,” said NYPD Chief of Department Jeffrey Maddrey on Twitter. “Help us help you, get an AirTag.” 

Similarly, there are lots of stories of people using AirTags to get their lost (or stolen) luggage back, find dogs missing in storm drains, and, as the NYPD suggests, recover stolen cars.

The newly proposed industry specification represents a big step toward limiting the potential for abuse from AirTags and other location-tracking Bluetooth devices. At the moment, unwanted tracking notifications are an absolute mess. 

Already, iPhone users get a notification if their phone detects an unknown AirTag moving with them—which is likely why there are a lot more news stories of people finding AirTags than other Bluetooth location-tracking devices. They also get a notification if some other Bluetooth location-tracking devices that support the Find My network are found nearby, like eufy SmartTrack devices. However, to find Tile devices, iPhone users have to use an app to scan for them, something they’re only likely to do if they suspect they’re being tracked, or wait for the Tile device to beep after it’s been separated from its owner for three days. 

Things are worse for Android users. They have to use the Tracker Detect app to find nearby AirTags and other Find My compatible devices. They also have to use an app to scan for Tile trackers, or wait for them to beep.

If the new specifications are adopted, a Bluetooth location-tracking device that’s separated from its owner—and possibly being used to stalk someone—would automatically alert nearby users of any smartphone platform that they are possibly a target of unwanted tracking, and they would then be able to find and disable the tracker in question. There’d be no need for anyone to use an app to scan for trackers or wait to hear a beep.

In a statement on Apple’s website, Ron Huang, Apple’s vice president of sensing and connectivity, says, “We built AirTag and the Find My network with a set of proactive features to discourage unwanted tracking—a first in the industry—and we continue to make improvements to help ensure the technology is being used as intended. This new industry specification builds upon the AirTag protections, and through collaboration with Google results in a critical step forward to help combat unwanted tracking across iOS and Android.”

And things look promising. Samsung, Tile, Chipolo, eufy Security, and Pebblebee, who all make similar tracking devices, have indicated their support for the promised specifications. There will now be a three-month comment period where interested parties can submit feedback. After that, Apple and Google will work together to implement unwanted tracking alerts into future iOS and Android releases. 

Some of your everyday tech tools lack this important security feature https://www.popsci.com/technology/slack-messages-privacy-encryption/ Sat, 29 Apr 2023 11:00:00 +0000 https://www.popsci.com/?p=537625
slack on a laptop
Austin Distel / Unsplash

You should be paying attention to which apps and services are end-to-end encrypted, and which aren't.

The post Some of your everyday tech tools lack this important security feature appeared first on Popular Science.

When it comes to computers, convenience and security are often at odds. A simple, easy-to-use system that you can’t lock yourself out of tends to be less secure than something a little less user-friendly. This is often the case with end-to-end encryption (E2EE), a system in which messages, backups, and anything else can only be decrypted by someone with the right key—and not the provider of the service or any other middlemen. While much more secure, it does have some issues with convenience, and it’s been in the news a lot lately. 

The UK Parliament is currently considering its long-awaited Online Safety Bill, which would essentially make secure end-to-end encryption illegal. Both WhatsApp and Signal, which use E2EE for their messaging apps, said they would pull out of the UK market rather than compromise user security. 

Slack, on the other hand, doesn’t use E2EE to protect its users. This means that Slack can theoretically access most messages sent on its service. (The highest paying corporate customers can use their own encryption setup, but the bosses or IT department can then read any employee messages if they are the ones in control of the key.) Fight for the Future, a digital rights group, has just launched a campaign calling on Slack to change this, as it currently “puts people who are seeking, providing, and facilitating abortions at risk in a post-Roe environment.”

Finally, Google has updated its two-factor Authenticator app to allow the secret one-time codes that allow you to log in to sync between devices. This means that users don’t need to reconfigure every account with 2FA set up when they get a new phone. Unfortunately, as two security researchers pointed out on Twitter, Google Authenticator doesn’t yet use E2EE, so Google—or anyone who compromised your Google account—can see the secret information used to generate 2FA one-time codes. While exploiting this might take work, it fatally undermines what’s meant to be a secure system. In response, Google has said it will add E2EE, but has given no timeline.

[Related: 7 secure messaging apps you should be using]

For such an important technology, E2EE is a relatively simple idea—though the math required to make it work is complicated and involves factoring a lot of very large numbers. It’s easiest to understand with something like text messages, though the same principles can be used to secure other kinds of digital communications—like two-factor authentication codes, device backups, and photo libraries. (For example, messages sent through iMessage, Signal, and WhatsApp are end-to-end encrypted, but a standard SMS message is not.)

E2EE generally uses a system called public key cryptography. Every user has two keys that are mathematically related: a public key and a private key. The public key can genuinely be public; it’s not a secret piece of information. The private key, on the other hand, has to be protected at all costs—it’s what makes the encryption secure. Because the public key and private key are mathematically related, a text message that is encoded with someone’s public key using a hard-to-reverse algorithm can only be decoded using the matching private key. 

So, say Bob wants to send Alice an encrypted text message. The service they’re using stores all the public keys on a central server and each user stores their private keys on their own device. When he sends his message, the app will convert it into a long number, get Alice’s public key from the server (another long number), and run both numbers through the encryption algorithm. That really long number that looks like absolute nonsense to everyone else gets sent to Alice, and her device then decrypts it with her private key so she can read the text. 

But this example also highlights where E2EE can cause headaches. What happens if Alice loses her device containing her private key? Well, then she can’t decrypt any messages that anyone sends her. And since her private key isn’t backed up anywhere, she has to set up an entirely new messaging account. That’s annoying if it’s a texting app, but if it’s an important backup or a 2FA system, getting locked out of your account because you lost your private key is a very real risk with no good solution. 
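The Bob-and-Alice exchange and the lost-device problem described above, as an added Node.js example that is not code from any of the apps named in the article. Wrapping a per-message AES-256-GCM key with RSA-OAEP is an assumed construction chosen for the illustration, and the `MessagingServer` class and message text are constructed.

```javascript
// Added illustration, not code from any of the apps named in the article.
// RSA-OAEP wrapping a per-message AES-256-GCM key is an assumed construction.
const nodeCrypto = require("node:crypto");

const oaep = (key) => ({
  key,
  padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING,
  oaepHash: "sha256",
});

// Each user generates a key pair on their own device.
function newDevice() {
  return nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
}

// Sender side: encrypt to the recipient's public key.
function encryptFor(recipientPublicKey, text) {
  const messageKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", messageKey, iv);
  const ciphertext = Buffer.concat([cipher.update(text, "utf8"), cipher.final()]);
  return {
    wrappedKey: nodeCrypto.publicEncrypt(oaep(recipientPublicKey), messageKey),
    iv,
    ciphertext,
    tag: cipher.getAuthTag(),
  };
}

// Recipient side: only the matching private key unwraps the message key.
function decryptWith(privateKey, envelope) {
  const messageKey = nodeCrypto.privateDecrypt(oaep(privateKey), envelope.wrappedKey);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", messageKey, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  const plain = Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
  return plain.toString("utf8");
}

// The service: a public-key directory plus mailboxes of opaque envelopes.
class MessagingServer {
  constructor() {
    this.directory = new Map(); // user -> public key
    this.mailboxes = new Map(); // user -> [envelope]
  }
  publishKey(user, publicKey) {
    this.directory.set(user, publicKey);
  }
  deliver(user, envelope) {
    if (!this.mailboxes.has(user)) this.mailboxes.set(user, []);
    this.mailboxes.get(user).push(envelope);
  }
  // What moderation or a subpoena could search: stored bytes, no keys.
  canFind(user, phrase) {
    return (this.mailboxes.get(user) || []).some((e) =>
      Buffer.concat([e.wrappedKey, e.iv, e.ciphertext, e.tag]).includes(phrase)
    );
  }
}

function demo() {
  const server = new MessagingServer();
  const aliceOldPhone = newDevice();
  server.publishKey("alice", aliceOldPhone.publicKey);

  // Bob fetches Alice's public key and sends a constructed sample message.
  const text = "Lunch at noon? Bring the world domination plans.";
  server.deliver("alice", encryptFor(server.directory.get("alice"), text));
  const stored = server.mailboxes.get("alice")[0];

  const readByAlice = decryptWith(aliceOldPhone.privateKey, stored);
  const serverCanSearch = server.canFind("alice", "world domination");

  // Alice loses her phone: a new device means a new, unrelated private key.
  const aliceNewPhone = newDevice();
  let readAfterLoss;
  try {
    readAfterLoss = decryptWith(aliceNewPhone.privateKey, stored);
  } catch (err) {
    readAfterLoss = null; // the old message is unrecoverable
  }
  return { readByAlice, serverCanSearch, readAfterLoss };
}
```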

And what happens if Bob sends Alice a message about his plans for world domination? Well, if the UK government has a law in place that they must be copied on all messages about world domination, the service provider is in a bit of a bind. They can’t offer E2EE and perform any kind of content moderation. 

This is part of why E2EE is so often in the news. While it’s theoretically great for users, for the companies offering these services, there is a very real trade-off between providing users with great security and setting things up so that customer support can help people who lock themselves out of their accounts, and so that they can comply with government demands and subpoenas. Don’t expect to see encryption out of the news any time soon. 

Cloud computing has its security weaknesses. Intel’s new chips could make it safer. https://www.popsci.com/technology/intel-chip-trust-domain-extensions/ Tue, 25 Apr 2023 19:00:00 +0000 https://www.popsci.com/?p=536626
a computer chip from Intel
Intel's new chip comes with verified security upgrades. Christian Wiediger / Unsplash

A new security feature called Trust Domain Extensions has undergone a months-long audit.

The post Cloud computing has its security weaknesses. Intel’s new chips could make it safer. appeared first on Popular Science.

Intel and Google Cloud have just released a joint report detailing a months-long audit of a new security feature on Intel’s latest server chips: Trust Domain Extensions (TDX). The report is a result of a collaboration between security researchers from Google Cloud Security and Project Zero, and Intel engineers. It led to a number of pre-release security improvements for Intel’s new CPUs.

TDX is a feature of Intel’s 4th-generation “Sapphire Rapids” Xeon processors, though it will be available on more chips in the future. It’s designed to enable Confidential Computing on cloud infrastructure. The idea is that important computations are encrypted and performed on hardware that’s isolated from the regular computing environment. This means that the cloud service operator can’t spy on the computations being done, and makes it harder for hackers and other bad actors to intercept, modify, or otherwise interfere with the code as it runs. It basically makes it safe for companies to use cloud computing providers like Google Cloud and Amazon Web Services for processing their most important data, instead of having to operate their own secure servers.

However, for organizations to rely on features like TDX, they need some way to know that they’re genuinely secure. As we’ve seen in the past with the likes of Meltdown and Spectre, vulnerabilities at the processor level are incredibly hard to detect and mitigate, and can allow bad actors an incredible degree of access to the system. A similar style of vulnerability in TDX, a supposedly secure processing environment, would be an absolute disaster for Intel, any cloud computing provider that used its Xeon chips, and their customers. That’s why Intel invited the Google security researchers to review TDX so closely. Google also collaborated with chipmaker AMD on a similar report last year.

According to Google Cloud’s blogpost announcing the report, “the primary goal of the security review was to provide assurances that the Intel TDX feature is secure, has no obvious defects, and works as expected so that it can be confidently used by both cloud customers and providers.” Secondarily, it was also an opportunity for Google to learn more about Intel TDX so they could better deploy it in their systems. 

While external security reviews—both solicited and unsolicited—are a common part of computer security, Google and Intel engineers collaborated much more closely for this report. They had regular meetings, used a shared issue tracker, and let the Intel engineers “provide deep technical information about the function of the Intel TDX components” and “resolve potential ambiguities in documentation and source code.”

The team looked for possible methods hackers could use to execute their own code inside the secure area, weaknesses in how data was encrypted, and issues with the debug and deployment facilities. 

In total, they uncovered 81 potential attack vectors and found ten confirmed security issues. All the problems were reported to Intel and were mitigated before these Xeon CPUs entered production. 

As well as allowing Google to perform the audit, Intel is open-sourcing the code so that other researchers can review it. According to the blogpost, this “helps Google Cloud’s customers and the industry as a whole to improve our security posture through transparency and openness of security implementations.”

All told, Google’s report concludes that the audit was a success since it met its initial goals and “was able to ensure significant security issues were resolved before the final release of Intel TDX.” While there were some limits to the researchers’ access, they were still able to confirm that “the design and implementation of Intel TDX as deployed on the 4th gen Intel Xeon Scalable processors meets a high security bar.” 

Facebook probably owes you money. Here’s how to get it. https://www.popsci.com/technology/facebook-cambridge-analytica-settlement/ Thu, 20 Apr 2023 18:30:00 +0000 https://www.popsci.com/?p=535664
Facebook loading screen
DEPOSIT PHOTOS

You can now submit a claim to get compensation from the Cambridge Analytica privacy suit.

The post Facebook probably owes you money. Here’s how to get it. appeared first on Popular Science.

US Facebook users can now apply for their share of the settlement from the Cambridge Analytica class action lawsuit. Meta, Facebook’s parent company, settled the suit last December, agreeing to pay $725 million—although it didn’t have to admit any wrongdoing. If you reside stateside and had an active Facebook account any time between May 24th, 2007, and December 22nd, 2022, you are entitled to a part of the multi-million dollar payout even if you have since deleted your account. You just have to submit a claim before August 25th, 2023.

The settlement all stems from the 2018 revelations that Facebook allowed Cambridge Analytica, a now-defunct British consulting and data mining company, to improperly access personal information from up to 87 million users and use it to target voters during Donald Trump’s 2016 election campaign. The data was purportedly collected for academic purposes using a personality quiz app. Even though only 270,000 people took the quiz, because of Facebook’s lax privacy policies, the app was able to scrape personal information from their Facebook friends. 

The fallout at the time was pretty severe. Facebook CEO (and now Meta CEO) Mark Zuckerberg was called before Congress to answer questions related to the scandal, and the company agreed to voluntarily enforce GDPR-like privacy rules globally to prevent something similar from happening again.

After an investigation, the Federal Trade Commission fined Facebook a record-breaking $5 billion. The SEC also fined the company $100 million for misleading investors. And, of course, there was this class action lawsuit—which was later expanded to encompass any other third parties Facebook had allowed to improperly access user data. 

Unfortunately, whatever sum of money you get from this settlement will likely be pretty small. As the FAQs explain, every claimant will be given one point for each month they used Facebook between 2007 and 2022. The full settlement, minus administrative fees, legal costs, and a few other expenses, will then be divided by the total number of points and shared out accordingly. If you have only used Facebook for a few years, you’ll get less than someone who has used the service for the full 15-year claim period.

It’s impossible to know the exact amount that anyone will get until the claim period has passed, but we can do some quick calculations to get a rough range. There were 240 million US Facebook users in 2022. If all of them submitted a claim and they’d all (impossibly) been using Facebook monthly since 2007, assuming the lawyers received 33 percent of the settlement, then you would be entitled to just around the $2 mark. 

At the other end of things, if just 10 percent of the 50 million users on the site in October 2007 bother to apply for the settlement and the lawyers only take 25 percent as fees, you’d be entitled to something north of $100. 

So, depending on how active you’ve been on Facebook over the past 15 years, it seems likely that class action participants will get enough for a meal out—though whether that’s at McDonald’s or a local steakhouse remains to be seen. (Of course, if only a handful of people bother to fill in Facebook’s claim form, then you could walk away with a few hundred thousand dollars. That seems unlikely, but you never know.)

If you want to submit a claim, Facebook has set up a dedicated website. Once you (ironically) fill in a few personal details and select whether you want to be paid with a prepaid gift card, through PayPal or Venmo, or directly into your bank account, all you have to do is wait for your money.

Ransomware intended for Macs is cause for concern, not panic https://www.popsci.com/technology/ransomware-for-macs/ Tue, 18 Apr 2023 22:00:00 +0000 https://www.popsci.com/?p=534984
Internet photo
Unsplash / Martin Katler

While it's a bad sign to see ransomware designed to target macOS, the code so far appears to be sloppy.

The post Ransomware intended for Macs is cause for concern, not panic appeared first on Popular Science.

For the first time, a prominent ransomware group appears to be actively targeting macOS computers. Discovered last weekend by MalwareHunterTeam, the code sample suggests that the Russia-based LockBit gang is working on a version of its malware that would encrypt files on Mac devices.

Small businesses, large enterprises, and government institutions are frequently the target of ransomware attacks. Hackers often use phishing emails to send real-seeming messages to try to trick staff into downloading the ransomware payload. Once it’s in, the malware spreads around any computer systems, automatically encrypting user files and preventing the organization from operating until a ransom is paid—usually in crypto currencies like Bitcoin. 

Over the past few years, ransomware attacks have disrupted fuel pipelines, schools, hospitals, cloud providers, and countless other businesses. LockBit has been responsible for hundreds of these attacks, and in the past six months has brought down the UK’s Royal Mail international shipping service and disrupted operations in a Canadian children’s hospital over the Christmas period.

Up until now, these ransomware attacks mostly targeted Windows, Linux, and other enterprise operating systems. While Apple computers are popular with consumers, they aren’t as commonly used in the kind of businesses and other deep-pocketed organizations that ransomware gangs typically go after. 

MalwareHunterTeam, an independent group of security researchers, only discovered the Mac encryptors recently, but they have apparently been present on malware-tracking site VirusTotal since November last year. One encryptor targets Apple Macs with the newer M1 chips, while another targets those with PowerPC CPUs, which were all developed before 2006. Presumably, there is a third encryptor somewhere that targets Intel-based Macs, although it doesn’t appear to be in the VirusTotal repository. 

Fortunately, when BleepingComputer assessed the Apple M1 encryptor, it found a fairly half-baked bit of malware. There were lots of code fragments that they said “are out of place in a macOS encryptor.” It concluded that the encryptor was “likely haphazardly thrown together in a test.”

In a deep dive into the M1 encryptor, security researcher Patrick Wardle discovered much the same thing. He found that the code was incomplete, buggy, and missing the features necessary to actually encrypt files on a Mac. In fact, since it wasn’t signed with an Apple Developer ID, it wouldn’t even run in its present state. According to Wardle, “the average macOS user is unlikely to be impacted by this LockBit macOS sample,” but the fact that a “large ransomware gang has apparently set its sights on macOS, should give us pause for concern and also catalyze conversions about detecting and preventing this (and future) samples in the first place!”

Apple has also preemptively implemented a number of security features that mitigate the risks from ransomware attacks. According to Wardle, operating system-level files are protected by both System Integrity Protection and read-only system volumes. This makes it hard for ransomware to do much to disrupt how macOS works even if it does end up on your computer. Similarly, Apple protects directories such as the Desktop, Documents, and other folders, so the ransomware wouldn’t be able to encrypt them without user approval or an exploit. This doesn’t mean it’s impossible that ransomware could work on a Mac, but it certainly won’t be easy on those that are kept up-to-date with the latest security features. 

Still, the fact that a large hacking group is seemingly targeting Macs is a big deal—and it’s a reminder that whatever reputation Apple has for developing more secure devices is constantly being put to the test. When BleepingComputer contacted LockBitSupp, the public face of LockBit, the group confirmed that a Mac encryptor is “actively being developed.” While the ransomware won’t do much in its present state, you should always keep your Mac up-to-date—and be careful with any suspicious files you download from the internet.

At 441,000 pounds and 192 feet underwater, this is the world’s deepest wind turbine https://www.popsci.com/technology/scotland-seagreen-wind-farm/ Thu, 13 Apr 2023 19:30:00 +0000 https://www.popsci.com/?p=533939
Seagreen's offshore windfarm in Scotland
Seagreen's offshore windfarm in Scotland. Seagreen

It will be part of Scotland's largest wind farm when it's fully operational later this year.

The post At 441,000 pounds and 192 feet underwater, this is the world’s deepest wind turbine appeared first on Popular Science.

The foundation for the world’s deepest offshore wind turbine has just been installed 17 miles off the coast of Scotland. Last week, the roughly 441,000-pound “jacket,” or foundation, was placed at a depth of 58.6 meters—just over 192 feet—by the Saipem 7000, the world’s third largest semi-submersible crane vessel. It was the 112th jacket installed at the 114-wind turbine Seagreen wind farm, which will be Scotland’s largest when it is fully operational later this year.

Wind turbines like these work like an inverse fan. Instead of using electricity to generate wind, they generate electricity using wind. The thin blades are shaped like aircraft wings and as the wind flows across them, the air pressure on one side decreases. This difference in air pressure across the blade generates both lift and drag, which causes the rotor to spin. The spinning rotor then powers a generator, sending electricity to the grid. 

Offshore wind farms like Seagreen have a number of advantages over land-based wind turbines. Since wind speeds at sea tend to be faster and more consistent than they are over land, it’s easier to reliably generate greater amounts of electricity. Even small increases in wind speed can have a dramatic effect: in a 15-mph wind, a turbine can generate double the amount of electricity it can generate in a 12-mph wind.

[Related: The NY Bight could write the book on how we build offshore wind farms in the future]

Also, coastal areas frequently have high energy requirements. In the US, more than 40 percent of the population, some 127 million people, live in coastal counties. By generating power offshore close to where it’s used, there is less need for long-distance energy transmission, and cities don’t have to dedicate already scarce space to power plants. 

But of course, the biggest advantage of any wind farm is that they can provide renewable energy without emitting toxic environmental pollutants or greenhouse gasses. They don’t even need or consume important non-petrochemical resources like water, although they can have other environmental impacts that engineers are trying to solve for.

The recently installed foundations at Seagreen will each support a Vestas V164-10 MW turbine. With a rotor diameter of roughly 540 feet—that’s more than one-and-a-half football fields—and standing up to 672 feet tall—more than twice the height of the Statue of Liberty—these turbines will be absolutely huge. Each one will be capable of generating up to 10,000 kilowatts (kW) of power in good conditions.

Although Seagreen actually started generating electricity last summer, when the wind farm is fully operational later this year, the 114 wind turbines will have a combined total capacity of 1,075 megawatts (MW). While that’s not enough to crack the top 100 power stations in the US, the wind farm is projected to produce around 5,000 gigawatt hours (GWh) of electricity each year, which is enough to provide clean and sustainable power to more than 1.6 million UK households. That’s around two-thirds of the population of Scotland. 

Really, the Seagreen site shows how far wind power has come. While wind farms don’t yet have the capacity to fully replace fossil fuel power plants, Seagreen will still displace more than 2 million tonnes of carbon dioxide that would otherwise have been released by Scottish electricity generation. According to Seagreen, that’s the equivalent of removing a third of all Scotland’s cars from the road. 

Why you shouldn’t charge your phone at a public USB port https://www.popsci.com/technology/fbi-warns-public-usb-charging/ Tue, 11 Apr 2023 19:00:00 +0000 https://www.popsci.com/?p=533316
person charging phone at airport charging station.
Beware of public USB charging stations. DEPOSIT PHOTOS

Here's what the FBI is sharing about a hacking technique called "juice jacking."

The post Why you shouldn’t charge your phone at a public USB port appeared first on Popular Science.

Public USB ports seem like a convenient way to charge your phone. But, as the FBI’s Denver field office recently tweeted, they may not be safe. With a technique called “juice jacking,” hackers can use public USB ports to install malware and monitoring software on your devices. Theoretically, the kind of tools that can be installed this way can allow hackers to access the contents of your smartphone and steal your passwords, so they can do things like commit identity theft, transfer money from your bank account, or simply sell your information on the dark web. 

While “juice jacking” is just one of the ways that USB devices can spread malware, it’s a particularly insidious technique as you don’t need to be targeted directly. Just plugging your smartphone into a USB port in an airport, hotel, shopping center, or any other public location could be enough for your data to get stolen. According to the FCC, criminals can load malware directly onto public USB charging stations, which means that literally any USB port could be compromised. While any given bad actor’s ability to do this likely depends on the particular kind of charging port and what software it runs, it’s also possible that criminals could install an already-hacked charging station—particularly if they have the assistance of someone who works there. 

In other words, there is no way to guarantee that a public USB port hasn’t been hacked, so the safest option is to assume that they all come with potential dangers. And it’s not just ports—free or unattended USB cables could also be used to install malware.

The issue lies with the USB standard itself. As The Washington Post explains, USB-A cables (the standard one) have four pins—two for power transfer and two for data transfer. Plugging your smartphone into a USB port using a regular USB cable potentially means connecting it directly to a device that can transfer data to or from it. And although the Post cites an expert saying that he recommends using newer devices that charge over USB-C, even they are not immune to juice jacking attacks. (Nor for that matter are iPhones that charge over a Lightning cable.)

Software engineers for both Android and iOS devices have taken some steps to mitigate the risk of having user data stolen or malware installed over public USB ports. However, our coverage of all the various “zero day” attacks (or previously undiscovered vulnerabilities) should be enough to convince you that even keeping your smartphone up to date with all the latest security patches may not be sufficient to protect you against every new and emerging threat. 

So what can you do? Well, the simplest option is to just bring your own charging cable and wall plug. Unless you are the target of an Ocean’s 11-worthy heist, it is highly unlikely that your personal charging cable or plug is compromised. Just make sure to plug directly into an AC power outlet, and not a USB outlet.

If you’re traveling internationally and aren’t sure about what sort of plugs you will have access to, a USB battery pack and your own charging cable would be good to have handy. You can also charge directly from other personal devices like a laptop.

There are power-only USB cables and devices called “USB condoms” that block all USB data transfer, but they’re likely a less ideal option, purely because you need to remember to bring a special cable rather than your standard USB cable.

And if you do absolutely have to connect to a public USB port, keep a close eye on your smartphone. If you get a popup asking if you trust the device, saying you have connected to a hard drive, or notice any kind of strange behavior, disconnect it immediately. Though seriously—your best bet is to just bring your own charger.

Meta just released a tool that helps computers ‘see’ objects in images https://www.popsci.com/technology/meta-segment-anything-ai-tool/ Thu, 06 Apr 2023 22:00:00 +0000 https://www.popsci.com/?p=532186
figure with mixed reality headset
Segmentation is a key feature of machine vision. Liam Charmer / Unsplash

You can test out the model in your browser right now.

The post Meta just released a tool that helps computers ‘see’ objects in images appeared first on Popular Science.

In a blog post this week, Meta AI announced the release of a new AI tool that can identify which pixels in an image belong to which object. The Segment Anything Model (SAM) performs a task called “segmentation” that’s foundational to computer vision, or the process that computers (and robots) employ to “see” and comprehend the world around them. As well as its new AI model, Meta is also making its training dataset available to outside researchers.

In his 1994 book, The Language Instinct, Steven Pinker wrote “the main lesson of 35 years of AI research is that the hard problems are easy and the easy problems are hard.” Called Moravec’s paradox, 30-odd years later it still holds true. Large language models like GPT-4 are capable of producing text that reads like something a human wrote in seconds, while robots struggle to pick up oddly shaped blocks—a task so seemingly basic that children do it for fun before they turn one. 

Segmentation falls into this looks-easy-but-is-technically-hard category. You can look at your desk and instantly tell what’s a computer, what’s a smartphone, what’s a pile of paper, and what’s a scrunched up tissue. But to computers processing a 2D image (because even videos are just series of 2D images) everything is just a bunch of pixels with varying values. Where does the table top stop and the tissue start?

Meta’s new SAM AI is an attempt to solve this issue in a generalized way, rather than using a model designed specifically to identify one thing, like faces or guns. According to the researchers, “SAM has learned a general notion of what objects are, and it can generate masks for any object in any image or any video, even including objects and image types that it had not encountered during training.” In other words, instead of only being able to recognize the objects it’s been taught to see, it can guess at what the different objects are. SAM doesn’t need to be shown hundreds of different scrunched up tissues to tell one apart from your desk; its general sense of things is enough.

[Related: One of Facebook’s first moves as Meta: Teaching robots to touch and feel]

You can try SAM in your browser right now with your own images. SAM can generate a mask for any object you select by clicking on it with your mouse cursor or drawing a box around it. It can also just create a mask for every object it detects in the image. According to the researchers, SAM is also able to take text prompts—such as: select “cats”—but the feature hasn’t been released to the public yet. It did a pretty good job of segmenting the images we tested out here at PopSci.

AI photo
A visualization of how the Segment Anything tool works. Meta AI

While it’s easy to find lots of images and videos online, high-quality segmentation data is a lot more niche. To get SAM to this point, Meta had to develop a new training database: the Segment Anything 1-Billion mask dataset (SA-1B). It contains around 11 million licensed images and over 1.1 billion segmentation masks “of high quality and diversity, and in some cases even comparable in quality to masks from the previous much smaller, fully manually annotated datasets.” In order to “democratize segmentation,” Meta is releasing it to other researchers. 

AI photo
Some industry applications for the new AI tool. Meta AI

Meta has big plans for its segmentation program. Reliable, general computer vision is still an unsolved problem in artificial intelligence and robotics—but it has a lot of potential. Meta suggests that SAM could one day identify everyday items seen through augmented reality (AR) glasses. Another project from the company called Ego4D also plans to tackle a similar problem through a different lens. Both could one day lead to tools that allow users to follow directions along with a step-by-step recipe, or leave virtual notes for your partner on the dog bowl. 

More plausibly, SAM would also have a lot of potential uses in industry and research. Meta proposes using it to help farmers count cows or biologists track cells under a microscope—the possibilities are endless.

These WiFi garage doors have a major cyber vulnerability https://www.popsci.com/technology/nexx-garage-door-cyber-vulnerability/ Wed, 05 Apr 2023 19:00:00 +0000 https://www.popsci.com/?p=531964
Car parked outside garage attached to a home
Nexx garage doors have a huge security flaw. dcbel / Unsplash

Despite being alerted to these issues, the company has made no attempt to fix things.

The post These WiFi garage doors have a major cyber vulnerability appeared first on Popular Science.

If you have a Nexx brand WiFi garage door opener, now would be a good time to uninstall it. A security researcher has discovered a number of vulnerabilities that allow hackers anywhere in the world to remotely open any Nexx-equipped garage door, and detailed them in a blog post on Medium. Worst of all, the company has made no attempt to fix things.

First reported by Motherboard, security researcher Sam Sabetan discovered the critical vulnerabilities in Nexx’s smart device product line while conducting independent security research. Although he also found vulnerabilities in Nexx’s smart alarms and plugs, it’s the WiFi connected Smart Garage Door Opener that presents the biggest issue. 

As Sabetan explains it, when a user sets up a new Nexx device using the Nexx Home mobile app, it receives a password from the Nexx cloud service—supposedly to allow for secure communication between the device and Nexx’s online services using a lightweight messaging protocol called MQTT (Message Queuing Telemetry Transport). MQTT uses a communications framework called the publish-subscribe model, which allows it to work over unstable networks and on resource-constrained devices, but comes with additional security concerns. 

When someone uses the Nexx app to open their garage door, the app doesn’t directly communicate with the door opener. Instead, it posts a message to Nexx’s MQTT server. The garage door opener is subscribed to the server and when it sees the relevant message, it opens the door. This enables reliable performance and means your smartphone doesn’t have to be on the same network as your garage door opener, but it’s crucial that every device using the service has a secure, unique password. 

That’s not the case, though. Sabetan discovered that all of the Nexx Garage Door Controllers and Smart Plugs have the exact same password.

In a video demonstrating the hack, Sabetan shows how he was able to get the universal password by intercepting his Nexx Smart Garage Door Opener’s communications with the MQTT server. Sabetan was then able to log into the server with the intercepted credentials and see the messages posted by devices from hundreds of Nexx customers. These messages also revealed the email addresses, device IDs, and the name of the account holder. 

Worse, Sabetan was able to replay the message posted to the server by his device to open his garage door. Although he didn’t, he could have used the same technique to open the garage door of any Nexx user in the world. (He could also have turned on or off their smart plugs which would have been very annoying, but not as likely to be dangerous.)

Since Nexx IDs are tied to email addresses, this vulnerability potentially allows hackers to target specific Nexx users, or just randomly open garage doors because they can. And because the universal password is embedded directly in the devices, there is no way for users to change it or otherwise secure themselves. 
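The broker-side difference these paragraphs turn on, as an added example that is not Nexx’s code and not part of the original article: a toy in-memory publish-subscribe broker, checked once with a single shared account and once with per-device credentials and topic permissions. The topic layout, account names, and passwords are constructed assumptions.

```python
# Added illustration: a toy model of MQTT-style authentication and topic
# authorization. Topics, device IDs and passwords are constructed for this
# example and are not taken from any real product.
import hmac


def topic_matches(topic_filter, topic):
    """MQTT filter matching: '+' matches one level, '#' matches the rest."""
    f_parts = topic_filter.split("/")
    t_parts = topic.split("/")
    for i, part in enumerate(f_parts):
        if part == "#":
            return i == len(f_parts) - 1  # '#' is only valid as the last level
        if i >= len(t_parts):
            return False
        if part != "+" and part != t_parts[i]:
            return False
    return len(f_parts) == len(t_parts)


class Broker:
    def __init__(self, credentials, acl):
        self.credentials = credentials  # username -> password
        self.acl = acl                  # username -> topic filters it may use
        self.subscriptions = []         # (username, topic filter, inbox)

    def allowed(self, username, topic):
        return any(topic_matches(f, topic) for f in self.acl.get(username, []))

    def connect(self, username, password):
        expected = self.credentials.get(username, "")
        if not expected or not hmac.compare_digest(expected, password):
            raise PermissionError("authentication failed")
        return Session(self, username)


class Session:
    def __init__(self, broker, username):
        self.broker, self.username = broker, username

    def subscribe(self, topic_filter):
        inbox = []
        self.broker.subscriptions.append((self.username, topic_filter, inbox))
        return inbox

    def publish(self, topic, payload):
        broker = self.broker
        if not broker.allowed(self.username, topic):
            return False  # publisher may not write to this topic
        for user, topic_filter, inbox in broker.subscriptions:
            # Deliver only when the subscriber is also allowed to read it.
            if topic_matches(topic_filter, topic) and broker.allowed(user, topic):
                inbox.append((topic, payload))
        return True


def shared_password_broker():
    # Weak setup: every unit ships with the same account, any topic allowed.
    return Broker({"device": "factory-secret"}, {"device": ["#"]})


def per_device_broker():
    # Hardened setup: unique secret per device, confined to its own topics.
    creds = {"A": "pw-A-3f9c", "B": "pw-B-71d2"}
    acl = {dev: ["devices/%s/#" % dev] for dev in creds}
    return Broker(creds, acl)


def isolation_report(broker, login_a, login_b):
    """Isolation check: can device B's credentials read or command device A?"""
    a = broker.connect(*login_a)
    b = broker.connect(*login_b)
    a_inbox = a.subscribe("devices/A/cmd")
    b_inbox = b.subscribe("devices/#")
    a.publish("devices/A/status", "door=closed")
    b.publish("devices/A/cmd", "open")
    return {
        "b_reads_a": any(t.startswith("devices/A/") for t, _ in b_inbox),
        "b_commands_a": ("devices/A/cmd", "open") in a_inbox,
    }


if __name__ == "__main__":
    shared = ("device", "factory-secret")
    print("shared:", isolation_report(shared_password_broker(), shared, shared))
    print("per-device:", isolation_report(
        per_device_broker(), ("A", "pw-A-3f9c"), ("B", "pw-B-71d2")))
```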

Sabetan estimates that there are over 40,000 affected Nexx devices, and he determined that more than 20,000 people have active Nexx accounts. If you’re one of them, the only thing you can do is unplug your Nexx devices and open a support ticket with the company. 

And as damning as all this is, Nexx’s lack of response makes things even worse. Sabetan first contacted Nexx support about the vulnerability in early January. The company ignored his report despite multiple follow-ups, but responded to an unrelated support question. In February, Sabetan contacted the US Cybersecurity and Infrastructure Security Agency (CISA) to report the vulnerabilities, and even CISA wasn’t able to get a reply from Nexx. Finally, Motherboard attempted to contact Nexx before running the story revealing the vulnerability publicly—of course, it heard nothing back. 

Now, CISA has issued a public advisory notice about the vulnerabilities, and Sabetan and Motherboard have described them in detail. This means everything a hacker needs to know to exploit a Nexx Garage Door Opener, Smart Plug, or Smart Alarm is out in the wild. So if you have one of these devices, go and unplug it right now. 

What to know about a ‘sophisticated hacking campaign’ against Android phones https://www.popsci.com/technology/android-phones-hacking-amnesty-international-security-lab/ Thu, 30 Mar 2023 18:30:00 +0000 https://www.popsci.com/?p=524254
Security photo

The vulnerabilities were recently announced by Amnesty International’s Security Lab.

The post What to know about a ‘sophisticated hacking campaign’ against Android phones appeared first on Popular Science.

Amnesty International revealed this week that its Security Lab has uncovered a “sophisticated hacking campaign by a mercenary spyware company.” They say it has been running “since at least 2020” and takes aim at Android smartphones with a number of “zero-day” security vulnerabilities. (A “zero day” vulnerability is a flaw that was previously undiscovered and remains unmitigated.)

Amnesty International disclosed the details of the campaign to Google’s Threat Analysis Group, so it—as well as other affected companies, including Samsung—has since been able to release the necessary security patches for their devices.

Amnesty International’s Security Lab is responsible for monitoring and investigating companies and governments that employ cyber-surveillance technologies to threaten human rights defenders, journalists, and civil society. It was instrumental in uncovering the extent to which NSO Group’s Pegasus Spyware was used by governments around the world.

While the Security Lab continues to investigate this latest spyware campaign, Amnesty International is not revealing the company it has implicated (though Google suggests it’s Variston, a group it discovered in 2022). Either way, Amnesty International claims that the attack has “all the hallmarks of an advanced spyware campaign developed by a commercial cyber-surveillance company and sold to governments hackers to carry out targeted spyware attacks.”

As part of the spyware campaign, Google’s Threat Analysis Group discovered that Samsung users in the United Arab Emirates were being targeted with one-time links sent over SMS. If they opened the link in the default Samsung Internet Browser, a “fully featured Android spyware suite” that was capable of decrypting and capturing data from various chat services and browser applications would get installed on their phone. 

The exploit relied on a chain of multiple zero-day and discovered but unpatched vulnerabilities, which reflects badly on Samsung. A fix was released for one of the unpatched vulnerabilities in January 2022 and for the other in August 2022. Google contends that if Samsung had released the security updates, “the attackers would have needed additional vulnerabilities to bypass the mitigations.” (Samsung released the fixes in December 2022.)

With that said, one of the zero-day vulnerabilities would also allow hackers to attack Linux desktop and embedded systems, and Amnesty International suggests that other mobile and desktop devices have been targeted as part of the spyware campaign, which has been ongoing since at least 2020. The human rights group also notes that the spyware was delivered from “an extensive network of more than 1000 malicious domains, including domains spoofing media websites in multiple countries,” which lends credence to its claims that a commercial spyware group is behind it.

Although it is not yet clear who the targets of this attack were, according to Amnesty International, “human rights defenders in the UAE have long been victimized by spyware tools from cyber-surveillance companies.” For example, Ahmed Mansoor was targeted by spyware from the NSO Group and jailed as a result of his human rights work.

As well as the UAE, Amnesty International’s Security Lab found evidence of the spyware campaign in Indonesia, Belarus, and Italy, though it concludes that “these countries likely represent only a small subset of the overall attack campaign based on the extensive nature of the wider attack infrastructure.”

“Unscrupulous spyware companies pose a real danger to the privacy and security of everyone. We urge people to ensure they have the latest security updates on their devices,” says Donncha Ó Cearbhaill, head of Security Lab, in the statement on Amnesty International’s website. “While it is vital such vulnerabilities are fixed, this is merely a sticking plaster to a global spyware crisis. We urgently need a global moratorium on the sale, transfer, and use of spyware until robust human rights regulatory safeguards are in place, otherwise sophisticated cyber-attacks will continue to be used as a tool of repression against activists and journalists.”

At least in the United States, the government seems to agree. President Biden signed an executive order on March 27 blocking federal agencies from using spyware “that poses significant counterintelligence or security risks to the United States Government or significant risks of improper use by a foreign government or foreign person.”

These hackers revealed security vulnerabilities in a Tesla—and won a car https://www.popsci.com/technology/tesla-security-vulnerabilities-competition/ Tue, 28 Mar 2023 19:07:39 +0000 https://www.popsci.com/?p=523604
a tesla headlight
Researchers from a French security firm, Synacktiv, won a Tesla after demonstrating vulnerabilities in it. Vlad Tchompalov / Unsplash

The exercise is a reminder that nearly everything can be hacked, even computers on wheels.

The post These hackers revealed security vulnerabilities in a Tesla—and won a car appeared first on Popular Science.

As we’ve learned over the past few years, almost anything that connects to the internet, uses Bluetooth or any other wireless protocols, or simply has a computer chip inside can be hacked—and that includes cars. There are just too many potential vulnerabilities across all these surfaces for hackers to exploit, and every time there’s a software update, there is a chance that new ones get introduced even as the old ones are patched out. (Seriously, keep your software up-to-date, though. It’s the best way to stay as secure as possible.)

With that in mind, researchers from French security firm Synacktiv have won $530,000 and a Tesla Model 3 at Pwn2Own Vancouver, a security competition where “white hat” hackers and security researchers can win the devices in which they discover and exploit previously unknown vulnerabilities—plus a cash prize.

The team from Synacktiv demonstrated two separate exploits. In the first, they were able to breach the Model 3’s Gateway system, the energy management interface that communicates between Tesla cars and Tesla Powerwalls, in less than two minutes. They used a Time of Check to Time of Use (TOCTOU) attack, a technique that exploits the small time gap between when a computer checks something like a security credential and when it actually uses it, to insert the necessary malicious code. For safety reasons, they weren’t hacking a real Model 3, but they would have been able to open the car’s doors and front hood, even while it was in motion. 

The second exploit allowed the hackers to remotely gain root (or admin) access to the mock Tesla’s infotainment system and from there, to gain control of other subsystems in the car. They used what’s known as a heap overflow vulnerability and an out-of-bounds write error in the Bluetooth chipset to get in. Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative (ZDI), told Dark Reading, “The biggest vulnerability demonstrated this year was definitely the Tesla exploit. They went from what’s essentially an external component, the Bluetooth chipset, to systems deep within the vehicle.” 

According to TechCrunch, Tesla contends that all the hackers would have been able to do is annoy the driver, though the researchers themselves aren’t so sure. Eloi Benoist-Vanderbeken, one of the Synacktiv researchers, told TechCrunch, “[Tesla] said we wouldn’t be able to turn the steering wheel, accelerate or brake. But from our understanding of the car architecture we are not sure that this is correct, but we don’t have proof of it.” Apparently they are looking forward to fact-checking Tesla’s claim as soon as they get their hands on their new Model 3. 

This is the second year in a row that Synacktiv has been able to hack a Tesla. Last year the French security team were also able to exploit the infotainment system, but weren’t able to gain enough access to the rest of the system to win the car. 

It’s worth noting that Tesla was a willing participant and provided the car to Pwn2Own. It—along with all the other companies involved—uses the competition as an opportunity to find potentially devastating “zero day” or undiscovered vulnerabilities in their devices so they can fix them. Apparently, the company is already working on a patch for these latest bugs that will roll out automatically. 

As well as Tesla, some of the big names at Pwn2Own were Oracle, Microsoft, Google, Zoom, and Adobe. An exploit using two bugs in Microsoft SharePoint was enough to win Star Labs $100,000, while two bugs in Microsoft Teams won Team Viettel $75,000. Synacktiv also picked up another $80,000 for a three-bug exploit against Oracle’s VirtualBox.

In total, contestants found 27 unique zero-day bugs and won a combined $1,035,000 (plus a car). 

Don’t plug in mysterious USB drives https://www.popsci.com/technology/usb-based-attacks/ Thu, 23 Mar 2023 21:00:00 +0000 https://www.popsci.com/?p=522447
a person plugs in a usb drive
Only do this with devices you trust. Deposit Photos

From malware to more extreme scenarios, there are very important reasons to be wary of an unknown USB device.

The post Don’t plug in mysterious USB drives appeared first on Popular Science.

An Ecuadorian journalist has been injured by a bomb hidden inside a USB drive, according to AFP. Lenin Artieda, a television journalist, received an envelope containing what “looked like a USB drive,” the BBC reported. When he loaded it into his computer, it exploded. Fortunately, Artieda only sustained “slight injuries,” AFP reports, and no one else was hurt in the targeting campaign, which included “at least five journalists.” 

While this is an incredibly extreme example, it is an important reminder to never insert strange USB devices—and especially USB pen or thumb drives—into your computer. The most commonplace threat they pose is that they could come packed with malware. These are called USB attacks, and they rely on the victim willingly inserting a USB device into their computer. In some cases, they’re being Good Samaritans and trying to return a USB drive to someone who’s lost it. In others, they’re lied to and told the USB drive has a list of things they can spend a gift card on, or even confidential or important information.

However it happens, once the target inserts the USB device, the hackers and other bad actors have gotten what they want. USB devices provide them with multiple ways to ruin your day. In fact, researchers at Ben-Gurion University of the Negev in Israel identified four broad categories of attack.

Type A attacks are where one USB device, like a thumb drive, impersonates another, like a keyboard. When you plug it in, the keyboard automatically sends keystrokes that can install malware, take over your system, and basically do whatever the attacker wants. It’s called a Rubber Ducky attack, which is a pretty cute term for something that can cause a lot of problems. 

Type B1 and B2 attacks are similar. Instead of impersonating a different USB device, the attacker either reprograms the USB drive’s firmware (B1) or exploits a software bug in how the computer’s operating system handles USB devices (B2) to do something malicious. Finally, type C attacks deliver a high-powered electrical charge that can destroy the computer. 

In any case, these attacks aren’t theoretical. Infected USB keys were used to take down Iranian nuclear centrifuges. They’ve also been used to infect US power plants and other infrastructure, like oil refineries. And it’s not just heavy industries that are affected—banks, hospitality providers, transport companies, insurance providers, and defense contractors have all been targeted over the past few years with USB drives sent through the mail.

While email is still the most common method of malware delivery and most attacks target large companies, small businesses and individual users should still be careful. Ransomware in particular is a very real threat at the moment.

So what do you do if you find a USB key abandoned on the ground? Well, your best bet is to pop it in the nearest trash can—or better yet, send it to an e-waste recycling center. Whatever you do, don’t plug it into your computer. 

If you receive a USB key in the mail, you should do much the same—unless you are expecting one from someone you trust. 

Even the free USB keys that companies give out at conferences likely should be treated the same way. It’s too easy for a bad actor to sneak in, pretend to be working for a firm at the show, and hand out loads of malware-infected devices. 

And if you do insist on plugging it in, check out our guide on how to do it as safely as possible. It can still be a risky gambit—and it doesn’t mitigate risk from, in what’s certainly a very rare case, an explosive device—but at least the chance of your PC getting infected with malware will be reduced. 

Adobe built its Firefly AI art generator to avoid bias and copyright issues https://www.popsci.com/technology/adobe-firefly-ai-image-generator/ Tue, 21 Mar 2023 19:00:00 +0000 https://www.popsci.com/?p=521547
Firefly is currently in beta.
Firefly is currently in beta. Adobe

The goal of the new AI image-generator is to be as user-friendly as possible. Here's how it will work.

The post Adobe built its Firefly AI art generator to avoid bias and copyright issues appeared first on Popular Science.

Artificial intelligence systems that can generate images have been big news for the past year. OpenAI’s DALL-E 2 and Stable Diffusion have dominated the headlines, and Google, Meta, and Microsoft have all announced features they are working on. But one huge name has been conspicuously absent: Adobe. Today, with the announcement of Firefly, which is a family of generative AI models, that changes.

For more than two decades, Adobe has led the digital image making and manipulation industries. Its flagship product, Adobe Photoshop, has become a verb against its will. And while its products have always had AI-powered features, like Content Aware Fill and Neural Filters, Firefly represents Adobe’s first publicly announced image-generating AI. Initially, the beta will integrate with Express, Photoshop, Illustrator, and the marketing-focused Adobe Experience Manager.

What Adobe’s Firefly will do 

Like DALL-E 2 and Stable Diffusion, Firefly can take a text prompt and turn it into an image. Unlike those two apps, however, Firefly is designed to give more consistent results. Alexandru Costin, Adobe’s vice president of Generative AI and Sensei, called the kind of prompts most people use “word soup” on a video call with PopSci. To get great results with Stable Diffusion, for example, you often need to add buzzwords to your prompt, like “4K,” “trending on artstation,” “hyper-realistic,” “digital art,” and “super detailed.” 

So, instead of saying something like “batman riding a scooter,” you say “batman riding a scooter, cinematic lighting, movie still, directed by Chris Nolan.” It’s very hack-y, but for most generative AIs, it’s the best way to get good results. 

Firefly is taking a different approach. The overall look and feel of a generated image is determined by drop-downs and buttons. You can type “batman riding a scooter” and then select from the various options to dial in the look you want. Costin also explained that the images don’t regenerate each time you select a new style, so if you’re happy with the content of the image, you don’t have to worry that changing the style will create something completely different. It aims to be a lot more user-friendly. 

AI photo
“many fireflies in the night” Adobe

As well as creating new images from text prompts, Firefly will also be able to generate text effects. The example that Costin showed (above) was rendering the word “Firefly” with “many fireflies in the night, bokeh effect.” It looks impressive, and it shows how generative AIs can integrate with other forms of art and design. 

What Firefly aims not to do

According to Costin, Adobe wants to employ AI responsibly, and in his presentation he directly addressed two of the most significant issues with generative AI: copyright concerns and biases. 

Copyright is a particularly thorny issue for generative AIs. StabilityAI, the makers of Stable Diffusion, is currently being sued by a collection of artists and the stock image service Getty Photos for using their photos to train Stable Diffusion without licensing them. The example images where Stable Diffusion creates a blurry Getty-like logo are particularly damning. 

Adobe has sidestepped these kinds of copyright problems by training Firefly on hundreds of millions of Adobe Stock images, as well as openly licensed and public domain content. It protects creators from any potential copyright problems, especially if they intend to use generated content for commercial purposes. 

The llama is so stylish.
This llama is stylish. Adobe

Similarly, Costin says that Adobe has dealt with the potential biases in its training data by designing Firefly to deliberately generate diverse images of people of different ages, genders, and ethnicities. “We don’t want to carry over the biases in the data,” he says, adding that Adobe has proactively addressed the issue. Of course, you can still prompt the AI to render a specific thing, but when left to its own devices it should hopefully avoid producing biased results. 

While Firefly is launching in beta, Adobe has big plans. “The world is going to be transformed by AI,” says Costin, and Adobe intends to be part of it. 

Going forward, Adobe wants a future where creators are able to train their own AI models on their work, and where generative AIs integrate seamlessly across its full range of products. In theory, this would allow artists to generate whatever assets they needed right in Photoshop or Illustrator, and treat them as they do any other image or block of text. 

If you want to check Firefly out, you can apply to join the beta now.

This startup wants to use heat from data centers to warm swimming pools https://www.popsci.com/technology/data-center-heat-pool/ Fri, 17 Mar 2023 14:00:00 +0000 https://www.popsci.com/?p=520372
diving board and pool
Can pools be used to keep servers cool? Markus Spiske / Unsplash

Deep Green's system could save public pools around $24,000 a year, and cut their annual CO2 emissions by 26 tons.

The post This startup wants to use heat from data centers to warm swimming pools appeared first on Popular Science.

A UK-based startup is aiming to heat swimming pools with its data centers. According to BBC News, Deep Green is using the heat generated by a “washing-machine-sized” server rig to heat the water in Exmouth Leisure Centre’s 25-meter (82 foot) public swimming pool. Its “digital boilers” are a pretty clever idea, and can reduce the environmental impact of both the swimming pool and the server. 

Data centers have a surprisingly large environmental impact. While browsing the web, streaming shows on Netflix, or posting to Instagram doesn’t necessarily feel like you’re doing something that could harm the environment, all the information getting sent to your smartphone, computer, or TV is stored in a data center somewhere. It takes a fair amount of electricity to keep all the servers running, and most importantly, to cool them down so they don’t overheat. 

According to the International Energy Agency (IEA), data centers and data transmission networks account for between 1 and 1.5 percent of global electricity use and are collectively responsible for around 1 percent of energy-related greenhouse gas emissions (or 0.6 percent of total greenhouse gas emissions). While that might not sound like a lot, it puts it in the same ballpark as aviation and shipping, which are responsible for 1.7 percent and 1.9 percent of total greenhouse gas emissions. 

[Related: This Is Why Microsoft Is Putting Data Servers In The Ocean]

This is why Deep Green’s data center solution is so neat. Instead of just relying on electricity—often generated by fossil fuels—to cool its server rigs, the internal components are submerged in mineral oil which absorbs the heat, then a heat exchanger transfers the warmth to a swimming pool full of cold water, which cools the oil and thus keeps the components operating safely. The system is able to convert around 96 percent of the electricity it uses into heat for the pool. And since the electricity only comes from renewable sources, the whole thing is as green as is feasible. 

While the digital boiler can’t heat Exmouth Leisure Centre’s pool entirely on its own, it is able to keep the water at a comfortable 86ºF roughly 60 percent of the time. While the gas boiler is still necessary to top up the water temperature, Deep Green claims that its system saves the pool over £20,000 (~$24,000) per year and reduces its annual CO2 emissions by almost 26 tons. Sean Day, who runs the leisure center, told BBC News: “The partnership has really helped us reduce the costs of what has been astronomical over the last 12 months—our energy prices and gas prices have gone through the roof.” 

[Related: Extreme heat is knocking out data centers]

Perhaps the most interesting thing about Deep Green’s technology is that it costs the swimming pool operator nothing. The setup, installation, and digital boiler are all managed and maintained by Deep Green. The pool is even reimbursed for the electricity costs of running the server, so all the heat generated is essentially free. Instead, Deep Green operates as a regular web services company, charging its commercial customers for computing power and hosting. 

According to The Next Web, seven other pools around the UK have expressed an interest in Deep Green’s digital boiler. And the company doesn’t just plan to target leisure centers. Its technology can work with anything that requires large volumes of hot water, like apartment heating systems and distilleries. 

Deep Green isn’t the only company looking to repurpose waste heat from data centers. In Finland, the new Microsoft data center will be used to heat approximately 250,000 homes and businesses. A Facebook data center in Denmark warms 6,900 homes, while Amazon uses its data centers to heat its headquarters in Seattle as well as apartments, offices, and university buildings in Ireland. It’s likely that this is an engineering design we’re going to see a lot more of; data centers may heat everything from swimming pools to metropolises. 

Your next Gmail or Google Doc could be written with help from AI https://www.popsci.com/technology/google-generative-ai-features/ Tue, 14 Mar 2023 19:00:00 +0000 https://www.popsci.com/?p=519523
google apps on iphone screen
Google is adding AI to its products and services. Elle Cartier / Unsplash

Here are the new features the company is planning to launch across its key products and services.

The post Your next Gmail or Google Doc could be written with help from AI appeared first on Popular Science.

Today Google unveiled a series of new generative AI features across a range of its products including Gmail and its other Workspace apps, Google Docs, Sheets, and Slides. The AI-powered features will roll out to trusted testers in the coming weeks, and once they’ve been refined, Google says they will be available more generally. If this feels to you like Google is trying to play catch-up with Microsoft and its multi-billion investment in/collaboration with OpenAI, the developers of ChatGPT and DALL-E 2, well, you wouldn’t be wrong. According to The New York Times, it’s been a “code red” situation inside the company since ChatGPT launched last year, with plans to launch as many as 20 new products to address the perceived gap. 

Still, in Google’s press releases, the company is quick to point out that it’s actually been doing this AI thing for a long time. A blog post from earlier this year lists nine ways that AI is used in the company’s products, including in Google Search, Maps, YouTube, Gmail, and, of course, Ads. Its existing AI features, like Smart Compose and Smart Reply in Gmail, are apparently already “helping 3 billion users.” And we can’t forget about the furore last year when an engineer got fired for claiming that LaMDA, a large language model, was sentient. It’s not Google who’s slow—it’s Microsoft, okay?

While Google announced a number of other features, it’s the generative AI integrations with apps like Gmail and Docs that are the most interesting. And assuming the beta testing goes well, they will likely be used by far more people. 

According to Google, the new features will soon allow you to draft messages, reply to messages, summarize conversations, and prioritize messages in Gmail; brainstorm ideas, get your work proofread, generate text, and rewrite text in Docs; create AI-generated images, audio, and videos in Slides; capture notes and generate backgrounds in Meet; and more easily “go from raw data to insights and analysis” in Sheets (although these appear not to be connected to Google’s new AI chatbot, Bard).

[Related: Google’s own upcoming AI chatbot draws from the power of its search engine]

In the blog post announcing the new features, Johanna Voolich Wright, vice president of product at Google Workspace, gives a few specific examples. In Docs, she shows the generative AI creating a rough draft of a job post for a regional sales rep, and in Gmail she shows it turning a short bulleted list into a formal email. Voolich Wright suggests these features would work whether you’re “a busy HR professional who needs to create customized job descriptions, or a parent drafting the invitation for your child’s pirate-themed birthday party.”

Voolich Wright is at pains to say that these features are meant to be you collaborating with AI, not letting it just do its own thing. “As we’ve experimented with generative AI ourselves, one thing is clear,” she writes. “AI is no replacement for the ingenuity, creativity, and smarts of real people.” In accordance with Google’s AI Principles, the generative AI is meant to do things like create first drafts that you edit and perfect, not publishable copy. You, the user, are meant to stay in control. 

While these examples are cool and genuinely seem useful, all we have to go on right now is Google’s own announcement posts and demo videos. These tools aren’t yet available even to testers, so it’s important to treat the listed features and the examples Google gives with a bit of skepticism. We’re not saying that AI wasn’t used to generate the text in the demos Voolich Wright shows off, but they could just as easily have been written by an intern in the marketing department as an example of what Google would like the new features to be able to do. 

Still, Google has a legitimately world class AI research division and has been working on these sorts of features for more than six years. It might just be able to successfully integrate generative AI tools into some of its most popular products—and make them useful.

Save a parking spot for Wing’s slick new ‘AutoLoader’ for drones https://www.popsci.com/technology/wing-drone-delivery-network-autoloader/ Thu, 09 Mar 2023 22:30:00 +0000 https://www.popsci.com/?p=518619
wing drones
Wing says that it has “moved as many as one thousand packages per day in a delivery region of more than 100,000 people.” Wing

The Alphabet-owned drone delivery company is hoping to scale up its network in an Uber-like way. A new contraption is part of that plan.

The post Save a parking spot for Wing’s slick new ‘AutoLoader’ for drones appeared first on Popular Science.

Wing, the drone-delivery subsidiary of Alphabet, Google’s parent company, has just revealed a new device called the AutoLoader that brings the company a step closer to its vision of widespread, affordable, drone-powered, last-mile delivery. The AutoLoader will allow delivery drones to collect packages from an automated curb-side device that can be situated in an unused parking spot. The device, which enables a drone to collect a package without landing or much human intervention, will mean that drones no longer have to return to a central hub after each trip as part of the company’s new Wing Delivery Network.

Over the past few years, Wing has proved to be one of Alphabet’s most interesting moonshots. It now operates commercial drone delivery services in the Dallas-Fort Worth area in Texas, as well as in Finland and Australia, where customers can order small products, groceries, and take-away food from local shops using an app. According to Wing, it has “moved as many as one thousand packages per day in a delivery region of more than 100,000 people.”

While an impressive feat, Wing is limited by how it currently operates. When a customer orders something, a package is prepared by staff and loaded onto a drone waiting outside on a charging pad. It then flies to the customer at speeds of up to 65 mph, giving it a six-mile range and a maximum six-minute delivery time, before dropping off its package using a tether and returning to its base. It works as a proof of concept, but as a system, it doesn’t offer a lot of opportunity for growth or scale. 

An AutoLoader is designed to go in a parking space.
An AutoLoader can go in a parking space. Wing

Wing’s AutoLoader and Wing Delivery Network aim to solve these problems. The AutoLoader is designed to work with a store’s existing curb-side pickup workflow, and means that packages don’t have to come from a single drone-supported location. Instead, staff at the store will be able to load a package into the AutoLoader where one of Wing’s aircraft can collect it using its tether and drop it to a customer. Then, as long as it has enough battery life, the drone can collect another package from a different store, and so on and so on, until it needs to return to base to land and recharge. In a video introducing the setup, Wing CEO Adam Woodworth likened it to ride-sharing apps like Uber. In other words, instead of a hub-and-spoke model, this approach aims to link multiple stops together.

[Related: Check out Wing’s new delivery drone prototypes]

The AutoLoader and Wing Delivery Network are both part of Wing’s aim to have a delivery system capable of delivering millions of packages to millions of customers by mid-2024—and at a lower cost per delivery than ground transport, like cars, bikes, and scooters, can do for the fast delivery of small packages.

“The discussion in this industry has often been about building a great drone delivery service, but it hasn’t really been about building a delivery service,” Woodworth explains by Zoom. To him, “the drone part is the least important part.” 

If Wing is to succeed, it needs to go beyond the novelty of flying packages around and become a meaningful delivery business. On the same call, Jonathan Bass, head of Wing’s marketing and communications, says, “It’s not replacing ground delivery, but we strongly believe that, as part of a multimodal delivery environment, [Wing] can play a significant role in the fast delivery of small packages.”

And according to Woodworth, things are looking good. “We are now at the place where the technology is largely ready. [Wing’s] demonstrations in the different markets have shown that these are viable options and that people want to actually use the service, and the regulatory environments are at a place where that sort of scale and that sort of growth is feasible,” he says. “This is the time to go and push it over the finish line.”

The AutoLoader will likely roll out in Australia first, according to Woodworth, where Wing has its most mature commercial market. If it works there, Wing plans to scale and replicate it around the world. If it can do that, it might get its millions of packages to millions of customers.

Why some US lawmakers want to ban TikTok https://www.popsci.com/technology/tiktok-ban-restrict-act/ Wed, 08 Mar 2023 21:35:28 +0000 https://www.popsci.com/?p=518269
tiktok
The RESTRICT Act focuses on what Senator Mark Warner of Virginia's office describes as the "ongoing threat posed by technology from foreign adversaries." Deposit Photos

Here’s what the newly introduced RESTRICT Act says about technology, China, and more.

The post Why some US lawmakers want to ban TikTok appeared first on Popular Science.

Yesterday, lawmakers introduced a new bipartisan Senate bill that would give the US government the power to ban TikTok. The bill is called, clunkily, the Restricting the Emergence of Security Threats that Risk Information and Communications Technology, or RESTRICT Act. It was introduced in part by Sen. Mark Warner of Virginia, who is also the chair of the Senate Intelligence Committee, and it would allow the Commerce Department to review deals, software updates, and data transfers from apps and tech companies in which “foreign adversaries,” specifically the governments of China, Cuba, Iran, North Korea, Russia, and Venezuela, have an interest. 

It’s the latest—and perhaps the closest to becoming law—in a long line of proposals that look to limit the potential for the Chinese Communist Party (CCP) to exert influence on TikTok, and by extension, its users around the world.

Both the US and European Union governments are considering banning TikTok, limiting how it can handle customer data, and generally just increasing the regulatory burden it’s under compared to, say, Facebook or Instagram. Both entities have gone so far as to ban it on government staff’s work phones over espionage fears. Let’s take a look at why. 

Although TikTok has over 100 million active monthly users in the US and at least 10,000 employees across the US and Europe, its parent company, ByteDance, is headquartered in Beijing, China. This has led to some security concerns as well as plenty of bellicose posturing from US lawmakers and China-hawks. 

The security concerns come in part because ByteDance has bowed down to the CCP in the past. For example, in 2018, its then-CEO and founder, Zhang Yiming, had to issue a groveling, self-criticizing apology after the CCP compelled it to shut down one of its other apps. He promised to “further deepen cooperation” with the authoritarian government.

TikTok and ByteDance employees also have a manual override for what goes viral and gets promoted by the app’s “For You” algorithm. Earlier this year, a Forbes report on the “heating” feature revealed that TikTok frequently promoted videos in order to court influencers and brands and entice them into partnerships based on inflated video view counts. The concern here is that government propaganda, fake news, and anything else could be manipulated in the same way. 

Then there are legitimate concerns about TikTok’s data handling practices. Last year, a BuzzFeed News report revealed that engineers in China were able to access data from US users, despite the information supposedly being stored in the US. TikTok’s COO, Vanessa Pappas, did little to alleviate those concerns in a grilling before the Senate Homeland Security and Governmental Affairs Committee last summer. Finally, TikTok had to fire four employees based in the US and China for attempting to spy on reporters, including Emily Baker-White, who wrote both the Forbes and BuzzFeed investigations. 

Of course, the app also enjoys a huge amount of popularity domestically—more than two-thirds of teens use TikTok, after all. 

As David Greene, civil liberties director of the Electronic Frontier Foundation, explains over Zoom, ByteDance and TikTok aren’t really handling data or bowing down to government pressure in a wildly different way compared to other social media apps. The big difference is where ByteDance is headquartered. 

Greene also thinks any US government attempt to ban TikTok is on shaky ground. “If the government wants to ban a way for people in this country to communicate with each other and with other people, it’s going to have to do so within the framework of the First Amendment,” he says. 

As Greene explains it, this means the US government will need to show that not only does some real threat to the public exist, but also that banning TikTok is justified. “It can’t just be responding to undifferentiated fear, or to uninvestigated or unproven concerns, or at the worst, xenophobia,” he says. 

TikTok is also fighting hard to ensure it can continue to operate in the US and Europe. It’s recently launched Project Texas and Project Clover, multi-billion dollar restructuring plans that would involve storing US data in the US and European data in Ireland and Norway in ways that they could not be accessed in China. Whether these efforts can reassure lawmakers that it doesn’t need additional oversight—or worse, a total ban—remains to be seen.

The same day the bill was introduced, the White House said in a statement from the National Security Advisor that they “urge Congress to act quickly to send it to the President’s desk.” You can watch Senator Warner talk more about the bill here.

Why government agencies keep getting hacked https://www.popsci.com/technology/us-government-agencies-hacking-history/ Wed, 01 Mar 2023 20:00:00 +0000 https://www.popsci.com/?p=516121
Cyber security concept, man hand protection network with lock icon and virtual screen on smartphone.
Cybersecurity appears to be an ongoing issue for government agencies. DEPOSIT PHOTOS

The most recent incident involves a division of the Justice Department.

The post Why government agencies keep getting hacked appeared first on Popular Science.

The US Marshals Service, a division of the Justice Department, was hacked last month. According to the New York Times, the hackers stole “a trove of personal information about investigative targets and agency employees.” It’s not a good look for the department tasked with protecting judges, transporting federal prisoners, and managing witness protection. (Fortunately, the latter database wasn’t stolen in the hack.)

According to Justice Department officials, the breach happened on February 17 and was done using ransomware. This information is a bit vague from a security perspective, but suggests that a ransomware tool was used to steal data from the US Marshals’ computer system in order to extort a payout in return for not releasing the information. This is different from another kind of common ransomware attack where the target’s computer is encrypted so they can’t use it, or a straight up hack where the bad actor just steals whatever they can in order to sell it or use it for international espionage. It’s unclear as of yet if the Justice Department intends to pay the hackers off, or if the stolen data—including “sensitive law enforcement information”—has been leaked on the dark web. 

The Marshals are far from the first US government organization to suffer a security breach. Last year, at least six state governments were targeted by Chinese hackers. In 2020, a Russian intelligence agency hacked the State Department, the Department of Homeland Security, parts of the Pentagon, and dozens more federal agencies by exploiting a vulnerability in a software package called SolarWinds. And local governments are frequently targeted too. Last month, the City of Oakland had to declare a state of emergency after a ransomware attack forced it to take all its IT systems offline. The Center for Strategic and International Studies keeps a list of significant cyber incidents, and there are major attacks on government agencies around the world basically every month. 

[Related: Cybersecurity experts say $2 billion is too little, too late]

It’s an issue that the government is aware of, and claims to be actively working to fix. In 2021, a federal cybersecurity evaluation found that almost all of the agencies reviewed did not meet the standards for keeping the data they store safe. Aging computer systems and outdated code are problems that come up over and over again. Since then, there have reportedly been efforts to reorganize cybersecurity infrastructure, develop guidelines, and implement best practices.

So what makes government agencies such tempting targets to hackers? Well, let’s leave aside the espionage angle, where adversarial governments attempt to steal state secrets, shut down nuclear programs, and generally just go all John le Carré. Their motivations are fairly self-explanatory. For hackers looking to make a quick buck, there are a number of reasons government agencies can be a lucrative option. 

According to a report by Sophos, local governments are often targeted because they have weak defenses, low IT budgets, and limited IT staff. In other words, they’re often overstretched compared to the private sector and so the hackers are likely to have an easier time installing ransomware. For larger government departments, presumably including the US Marshals, the appeal is their access to public funds. It makes them seem a lucrative target, whether or not the hackers are able to actually extract a payment.

Cybersecurity has been a priority for the Biden administration, but it’s clear that there is still a long way to go before ransomware attacks like these are no longer an issue for government organizations. The reality is that a single weak link, phishing attack, or vulnerable computer can offer hackers a way in—and keeping ahead of them is a nearly impossible task.

How Google plans to fix quantum computing’s accuracy problem https://www.popsci.com/technology/google-quantum-error-correction/ Fri, 24 Feb 2023 15:00:00 +0000 https://www.popsci.com/?p=514755
google's quantum processor
A look at Google's quantum processor. Google / YouTube

Although the accuracy rate only improved by a small percent, the company claims it's a "big step forward."

The post How Google plans to fix quantum computing’s accuracy problem appeared first on Popular Science.

In a paper published in Nature this week, Google’s Quantum AI researchers have demonstrated a way to reduce errors in quantum computers by increasing the number of “qubits” in operation. According to Google CEO Sundar Pichai, it’s a “big step forward” towards “making quantum applications meaningful to human progress.”

Traditional computers use binary bits, each of which can be either a zero or a one, to make calculations. Whether you’re playing a video game, editing a text document, or creating some AI generated art, all the underlying computational tasks are represented by strings of binary. But there are some kinds of complex calculations, like modeling atomic interactions, that are impossible to do at scale on traditional computers. Researchers have to rely on approximations, which reduce the accuracy of the simulation and render the whole process somewhat pointless.

This is where quantum computers come in. Instead of regular bits, they use qubits that can be a zero, a one, or both at the same time. They can even be entangled, rotated, and manipulated in other quantum-specific ways. Not only could a workable quantum computer allow researchers to better understand molecular interactions, but it could also allow us to model complex natural phenomena, more easily detect credit card fraud, and discover new materials. (Of course, there are also some potential downsides—quantum computers can break the classical algorithms that secure everything today from passwords and banking transactions to corporate and government secrets.)

For now though, all this is largely theoretical. Quantum computers are currently much too small and error-prone to change the world. Google’s latest research goes some way towards fixing the latter half of the problem. (IBM is trying to fix the first half.)

The problem is that quantum computers are incredibly sensitive to, well, everything. They have to operate in sealed, cryogenically cooled cases. Even a stray photon can cause a qubit to “decohere” or lose its quantum state, which creates all kinds of wild errors that interfere with the calculation of the problem. Until now, adding more qubits has also meant increasing your chances of getting a random error.

According to Google, its third generation Sycamore quantum processor with 53 qubits typically experiences error rates of between 1 in 10,000 and 1 in 100. That is orders of magnitude too high to solve real world problems; Google’s researchers reckon we will need qubits with error rates of between 1 in 1,000,000,000 and 1 in 1,000,000 for that.

Unfortunately, it’s highly unlikely that anyone will be able to get that increase in performance from the current designs for physical qubits. But by combining multiple physical qubits into a single logical qubit, Google has been able to demonstrate a potential path forward. 

The research team gives a simple example of why this kind of set up can reduce errors: If “Bob wants to send Alice a single bit that reads ‘1’ across a noisy communication channel. Recognizing that the message is lost if the bit flips to ‘0’, Bob instead sends three bits: ‘111’. If one erroneously flips, Alice could take a majority vote (a simple error-correcting code) of all the received bits and still understand the intended message.”

Since qubits have additional states that they can flip to, things are a bit more complicated. It also really doesn’t help that, as we’re dealing with quantum, directly measuring their values can cause them to lose their “superposition”—a quantum quirk that allows them to have the value of ‘0’ and ‘1’ simultaneously. To overcome these issues, you need Quantum Error Correction (QEC) where information is encoded across multiple physical qubits to create a single logical qubit. 

The researchers arranged two types of qubits (one for dealing with data, and one for measuring errors) in a checkerboard. According to Google, “‘Data’ qubits on the vertices make up the logical qubit, while ‘measure’ qubits at the center of each square are used for so-called ‘stabilizer measurements’.” The measure qubits are able to tell when an error has occurred without “revealing the value of the individual data qubits” and thus destroying the superposition state.

To create a single logical qubit, the Google researchers used 49 physical qubits: 25 data qubits and 24 measure qubits. Crucially, they tested this setup against a logical qubit composed of 17 physical qubits (9 data qubits and 8 measure qubits) and found the larger grid outperformed the smaller one by being around 4 percent more accurate. While only a small improvement, it’s the first time in the field that adding more qubits reduced the number of errors instead of increasing it. (Theoretically, a grid of 577 qubits would have an error rate close to the target 1 in 10,000,000.)

And despite its recent layoffs, Google is seemingly committed to more quantum research. In his blog post, Pichai says that Google will “continue to work towards a day when quantum computers can work in tandem with classical computers to expand the boundaries of human knowledge and help us find solutions to some of the world’s most complex problems.” 

A guide to Section 230, the law that made the internet the Wild West https://www.popsci.com/technology/what-is-section-230/ Wed, 22 Feb 2023 23:00:00 +0000 https://www.popsci.com/?p=514538
Section 230 essentially holds that a social media platform isn't liable for the content people post there.
Section 230 essentially holds that a social media platform isn't liable for the content people post there. Deposit Photos

The law from 1996 is at the heart of a pair of important Supreme Court cases. Here's a brief explainer.

The post A guide to Section 230, the law that made the internet the Wild West appeared first on Popular Science.

There are few laws more fundamental to the way the internet works than Section 230. Just 26 words long, it created the framework for much of the modern web. But now the Supreme Court has taken up two cases that challenge its basic premise: Gonzalez v. Google LLC and Twitter, Inc. v. Taamneh. If you want to know what all the hubbub is about, here’s what the law says, and what people think about it.

What is Section 230? 

Section 230 of the Communications Decency Act was initially passed in 1996. That’s before Google, Facebook, Amazon, or many of today’s internet giants were founded. Instead, it was designed to deal with an internet filled with message boards and rudimentary search engines. 

Section 230 has two key provisions: (c)(1), which states, “No provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider;” and (c)(2), which provides protection from liability for “any action voluntarily taken in good faith to restrict access to or availability of” objectionable content, whether or not that content is constitutionally protected by the First Amendment. 

In general, the courts in the US have taken a broad approach to interpreting Section 230. They have largely ruled that search engines, large social media services, e-commerce sites, and even small blogs that host comment sections aren’t liable for content that users post—though there are exceptions for things like illegal content and content that violates intellectual property law. The courts have also ruled that platforms have broad rights to remove whatever content they like, which is how former President Donald Trump got himself banned.

This law has very important ramifications for how websites have been able to operate over the past 26 years. Sophia Cope, a senior staff attorney at the Electronic Frontier Foundation, explains that “Section 230 is considered both an immunity from suit as well as from liability.” (The EFF has filed amicus briefs in support of Section 230 in both recent Supreme Court cases, and has long argued that it is an essential law for maintaining free speech rights on the internet.)

The law means that not only are websites and social networks off the hook from any potential civil settlements for any harm that comes to a plaintiff from user-generated content these platforms host, but they can get out of any lawsuit early without having to defend against the specifics of the claim. 

As Cope explains, without Section 230, “Platforms would have to defend themselves all the way to the very end of a case that might take several years… and then there could be multiple appeals that cost a lot of money and take a lot of time.” 

Why do tech companies like Section 230? 

Section 230 is often described as a “liability shield,” and really, that’s why tech companies like it. 

In other countries around the world, tech companies have far stricter obligations to remove content than they presently do in the US. In Germany, for example, social media companies have to promptly remove illegal content (that can include crimes such as insulting a public office) or face up to a €50 million (roughly $53 million) fine. 

And not only are they forced to pay fines, but they’re forced to employ lawyers and lobbyists to argue against the cases and the laws in the first place. It’s why they have fought so hard against the latest spate of European Union laws like the Digital Services Act and the Digital Markets Act that are expressly designed to rein American tech companies in. 

How do politicians feel about Section 230?

As much as tech companies enjoy the protection of Section 230, politicians from across the political spectrum take issue with it. 

As Cope explains it, Republican politicians over the past several years tend to feel that, under Section 230, “platforms are taking down too much content—particularly too much conservative or Republican content.” Former President Trump, for example, has called for it to be abolished.

“But on the other hand,” says Cope, “You have the Democrats, or more the liberals, who actually think that not enough content is being taken down. They complain about a lot of bad content, like hate speech, which is protected under our First Amendment.” 

In a Wall Street Journal op-ed last month, President Joe Biden called for “bipartisan action from Congress to hold Big Tech accountable,” including amending Section 230 to make the companies more liable for the content they host.

What else is there to know about Section 230?

For better or worse, change could be on the horizon. “It seems like there’s consensus in Congress that after 25 years of Section 230, they want to do something,” says Cope, “but it’s not a hundred percent clear what it is they would do.” 

First though, the Supreme Court has to consider it. Both Gonzalez v. Google LLC and Twitter, Inc. v. Taamneh are being taken under the federal Anti-Terrorism Act, and both hinge on how the court interprets Section 230. In reporting on the first of those cases yesterday, The New York Times said that the court appears leery of making big changes to the law.

It’s the first time the highest court has considered Section 230, and whatever it decides will have serious implications for the future of the internet around the world. 

A software update could make your Hyundai or Kia harder to steal https://www.popsci.com/technology/hyundai-kia-software-update-stop-car-theft/ Wed, 15 Feb 2023 23:00:00 +0000 https://www.popsci.com/?p=512752
A Kia in Minneapolis
weston m / Unsplash

The patch will be free. Here's what it does.

The post A software update could make your Hyundai or Kia harder to steal appeared first on Popular Science.

South Korean automakers Hyundai and Kia have developed a software fix that is intended to stop a recent social-media-fueled theft wave. Over the past few years, thousands of Hyundai and Kia vehicles have been stolen as videos demonstrating how easy certain models were to start without a key spread on YouTube and TikTok. According to the National Highway Traffic Safety Administration (NHTSA), the fix will be available free of charge and will roll out over the coming months.

Most modern cars are fitted with an immobilizer system that prevents them from being hot wired or started without the correct key. A chip in the key communicates with the electronic control unit (ECU) in the car’s engine. When the driver attempts to start the car, either by turning the key or pushing a button, the chip sends a signal confirming that they are using the right key for the car, and the ECU allows the engine to start. If a thief tries to start a car without the correct key—say, using a screwdriver—then the ECU doesn’t receive the signal and prevents the vehicle from turning on. While immobilizers won’t stop dedicated, technologically advanced thieves, they make it much harder for opportunists.

Unfortunately for car owners, the Hyundai and Kia models targeted in the recent thefts don’t have an immobilizer. The simple chip system in the key can be bypassed by connecting a USB phone charger to a specific circuit accessible in the steering column, and the car can then be started with a screwdriver. 

According to a report by CNBC last year, police around the country have noted a sharp spike in TikTok-inspired thefts. The fallout was bad enough that multiple cities have pursued legal action against the two Korean automakers. There’s also a class action lawsuit, and some insurance companies are refusing to cover the impacted models. NHTSA claims that there have been at least 14 crashes and eight deaths. 

According to NHTSA, the software fix will roll out to the approximately 3.8 million affected Hyundais and 4.5 million affected Kias in a number of phases starting later this month. The specific models aren’t being widely publicized for somewhat obvious reasons, but they are mostly the more affordable ones that use a mechanical key rather than a fob and push-button. If you want to learn more about your vehicle, NHTSA recommends contacting Hyundai (800-633-5151) or Kia (800-333-4542) for more information.

The update makes two changes to the theft alarm software in the cars. It increases the length of time the alarm sounds from 30 seconds to one minute and also prevents the car from starting if the key isn’t in the ignition. 

This isn’t the first time that a software update has been used to add anti-theft features to a line of cars. Back in 2021, Dodge rolled out an update to its high-horsepower Charger and Challenger models that were apparently being targeted by key-spoofing thieves. While the cars were already fitted with an immobilizer, the update added an additional layer of protection that limited the engines to just three horsepower if the correct PIN wasn’t entered.

As well as the software update, affected Hyundai and Kia customers will receive a window sticker to alert would-be thieves that the vehicle has the anti-theft measures installed. While it won’t add any extra security, it might stop some thieves before they break a car window. 

In a more old school fix, Hyundai and Kia have also been working with law enforcement agencies to provide more than 26,000 steering wheel locks to affected vehicle owners. The steering wheel locks have been sent to 77 agencies in 12 states. The Department of Transportation’s NHTSA suggests contacting local law enforcement to see if one is available if you own an affected car. 

An autonomous EV with no steering wheel is hitting the road in California https://www.popsci.com/technology/zoox-robotaxi-carrying-people-public-roads/ Tue, 14 Feb 2023 19:00:00 +0000 https://www.popsci.com/?p=512141
a Zoox self-driving car on the road
The Zoox vehicle does not have a back or front like a traditional car, nor any controls for a driver. Zoox

If you want to ride in it, you're out of luck—unless you work for Zoox.

The post An autonomous EV with no steering wheel is hitting the road in California appeared first on Popular Science.

Zoox, a self-driving car company owned by Amazon, announced yesterday that it had successfully tested its futuristic-looking robotaxi with passengers on public roads in Foster City, California. The company claims that this is the first time “a purpose-built autonomous robotaxi without traditional driving controls” (you know, elements like a steering wheel and pedals) has transported real humans on open public roads. Unfortunately, if you’re hoping to flag down one of these vehicles, there’s a catch—for the foreseeable future it’s for Zoox employees only. 

It’s rare these days to see some positive news about driverless cars. After a rollercoaster few years, the current situation has mostly been bad news for the highly speculative, typically miles-from-turning-a-profit autonomous-vehicle industry. In the past few months, Ford and Volkswagen-backed Argo AI shut down, Alphabet-owned Waymo laid off a number of workers, and self-driving truck company TuSimple cut its workforce by 25 percent. Meanwhile, GM-owned Cruise is under investigation from security regulators even as it rolls out its robotaxi service, and at the Super Bowl last weekend, a 30-second ad from The Dawn Project called on the DOT to ban Tesla’s Full Self-Driving (FSD) system. Last year, TechCrunch went so far as to declare that “self-driving cars aren’t going to happen,” and with the recent spate of news, it’s easy to agree with that prediction. 

[Related: Pete Buttigieg on how to improve the deadly track record of US drivers]

But into this news cycle rolls the cutesy toaster-like robotaxi with plans to merrily ferry people about in the California sun. 

Zoox’s electric robotaxi looks different from a typical vehicle. By removing the steering wheel, gearstick, and other manual controls, Zoox has been able to reimagine what a vehicle can look like. It seats four people facing each other, like in an old horse-drawn carriage, minus the horse. Plus, with no need for a driver, it doesn’t really have a front or a back, so it can drive bi-directionally. It has four-wheel steering to make it easy to maneuver through narrow streets and into tight curbside pick-up spots. Zoox has also packed in a huge 133 kWh battery so it can keep trundling all day. (For reference, a Tesla Model S Dual Motor has a 100 kWh battery while the base Model 3 has a 60 kWh battery.)

[Related: Why this Amazon-owned company is bringing its autonomous vehicles to Seattle]

Of course, manufacturing a cool concept vehicle is very different from actually operating a robotaxi service in the real world. To get to the point where the California Department of Motor Vehicles would let it operate on the state’s public roads, Zoox had to complete rigorous testing on private and semi-private roads. Even without traditional controls, Zoox claims its vehicle meets the Federal Motor Vehicle Safety Standards (FMVSS)—though admittedly, it says that it “self-certified.”

February 11 marked the start of a planned robotaxi shuttle service for Zoox employees between the company’s two main office buildings in Foster City. The route is roughly a mile and requires the robotaxi to navigate left and right turns, traffic lights, cyclists, pedestrians, other vehicles, and all the general chaos of California roads at speeds of up to 35 miles per hour. Since the service will only be available to full-time workers, Zoox won’t actually charge for it—and there is no firm timeline for when it will expand to other routes or the general public. For that, Zoox would need additional permits from the California DMV. In other words, it’s still unclear if robotaxis will be a real thing that happens or if progress will continue to stall.

Just because an AI can hold a conversation does not make it smart https://www.popsci.com/technology/conversational-ai-inaccurate/ Thu, 09 Feb 2023 19:00:00 +0000 https://www.popsci.com/?p=511030
Revamped Microsoft Bing search engine home page screenshot
Brand new Bing, now with ChatGPT additive. Microsoft

These AI models may respond and write in a human-like way, but they are not always 100 percent correct.

The post Just because an AI can hold a conversation does not make it smart appeared first on Popular Science.

Conversational AI-powered tools are going mainstream, which, to many disinformation researchers, is a major cause for concern. This week, Google announced Bard, its answer to OpenAI’s ChatGPT, and doubled down on rolling out AI-enhanced features to many of its core products at an event in Paris. Similarly, Microsoft announced that ChatGPT would soon be integrated with Bing, its much maligned search engine. Over the coming months these conversational tools will be widely available, but already, some problems are starting to appear.

Conversational AIs are built using a neural network framework called “large language models” (LLMs) and are incredibly good at generating text that is grammatically coherent and seems plausible and human-like. They can do this because they are trained on hundreds of gigabytes of human text, most of it scraped from the internet. To generate new text, the model will work by predicting the next “token” (basically, a word or fragment of a complex word) given a sequence of tokens (many researchers have compared this to the “fill in the blank” exercises we used to do in school). 

For example, I asked ChatGPT to write about PopSci and it started by stating “Popular Science is a science and technology magazine that was first published in 1872.” Here, it’s fairly clear that it is cribbing its information from places like our About page and our Wikipedia page, and calculating what are the likely follow-on words to a sentence that starts: “Popular Science is…” The paragraph continues in much the same vein, with each sentence being the kind of thing that follows along naturally in the sorts of content that ChatGPT is trained on.

Unfortunately, this method of predicting plausible next words and sentences means conversational AIs can frequently be factually wrong, and unless you already know the information, you can easily be misled because they sound like they know what they’re talking about. PopSci is technically no longer a magazine, but Google demonstrated this even better with the rollout of Bard. (This is also why large language models can regurgitate conspiracy theories and other offensive content unless specifically trained not to.)

[Related: A simple guide to the expansive world of artificial intelligence]

One of the demonstration questions in Google’s announcement (which is still live as of the time of writing) was “What new discoveries from the James Webb Space Telescope can I tell my 9 year old about?” In response, Bard offered three bullet points including one that said that “JWST took the very first pictures of a planet outside of our solar system.” 

While that sounds like the kind of thing you’d expect the largest space telescope ever built to do—and the JWST is indeed spotting exoplanets—it didn’t find the first one. According to Reuters and NASA, that honor goes to the European Southern Observatory’s Very Large Telescope (VLT) which found one in 2004. If this had instead happened as part of someone asking Bard for advice and not as part of a very public announcement, there wouldn’t have been dozens of astronomy experts ready to step in and correct it. 

Microsoft is taking a more up front approach. The Verge found that Bing’s new FAQ stated that “the AI can make mistakes,” and that “Bing will sometimes misrepresent the information it finds, and you may see responses that sound convincing but are incomplete, inaccurate, or inappropriate.” It continues calling on users to exercise their own judgment and double-check the facts that the AI offers up. (It also says that you can ask Bing: “Where did you get that information?” to find out what sources it used to generate the answer.)

Still, this feels like a bit of a cop out from Microsoft. Yes, people should be skeptical of information that they read online, but the onus is also on Microsoft to make sure the tools it is providing to millions of users aren’t just making stuff up and presenting it as if it’s true. Search engines like Bing are one of the best tools people have for verifying facts—they shouldn’t add to the amount of misinformation out there. 

And that onus may be legally enforceable. The EU’s Digital Services Act, which will come into force some time in 2024, has provisions to specifically prevent the spread of misinformation. Failure to comply with the new law could result in penalties of up to 6 percent of a company’s annual turnover. Given the EU’s recent spate of large fines for US tech companies and existing provision that search engines must remove certain kinds of information that can be proved to be inaccurate, it seems plausible that the 27-country bloc may take a hard stance on AI-generated misinformation displayed prominently on Google or Bing. They are already being forced to take a tougher stance on other forms of generated misinformation, like deepfakes and fake social media accounts.

With these conversational AIs set to be widely and freely available soon, we are likely to see more discussion about how appropriate their use is—especially as they claim to be an authoritative source of information. In the meantime, let’s keep in mind going forward that it’s far easier for these kinds of AIs to create grammatically coherent nonsense than it is for them to write an adequately fact-checked response to a query.

Google’s own upcoming AI chatbot draws from the power of its search engine https://www.popsci.com/technology/google-ai-chatbot-bard/ Tue, 07 Feb 2023 16:00:00 +0000 https://www.popsci.com/?p=510444
Hand holding smartphone displaying Google search homepage

Bard, as the bot is called, will be available to the public in the coming weeks.

The post Google’s own upcoming AI chatbot draws from the power of its search engine appeared first on Popular Science.

Google announced on Monday that it is launching an AI-powered chatbot it’s calling Bard “in the coming weeks.” While this might look like a response to ChatGPT—OpenAI’s AI-powered chatbot that has been getting a lot of attention since it launched late last year—the reality is that Google has been developing AI tools for more than six years. And although these tools have not been previously made available to the public, now, that might start to change. 

In the blog post announcing Bard, Google and Alphabet CEO Sundar Pichai writes that Google has been developing an “experimental conversational AI service” powered by its Language Model for Dialogue Applications or LaMDA. (That’s the AI model that one Google engineer tried to claim was sentient last summer.) Bard aims to “combine the breadth of the world’s knowledge with the power, intelligence and creativity of [Google’s] large language models” by drawing from information around the web and presenting it in fresh, easy to understand ways. 

Pichai gives a few examples for how Bard can be used, such as getting ideas to help plan a friend’s baby shower, comparing two Oscar nominated movies, or getting suggestions for what new discoveries by the James Webb Space Telescope to discuss with a 9-year-old. 

While Bard is only available to “trusted testers” right now, it is due to roll out to the general public over the next few weeks. Google has used its lightweight model version of LaMDA, which requires less computing power to operate, to allow it to serve more users, and thus get more feedback. Here at PopSci, we will jump in and try it out as soon as we get the chance. 

Of course, Google’s end-goal is to use AI to improve its most important product: its search engine. In the blog post, Pichai highlights some of the AI tools it’s already using—including BERT and MUM—that help it understand the intricacies of human language. During the COVID pandemic, MUM, for example, was able to categorize over 800 possible names for 17 different vaccines in 50 different languages so Google could provide the most important and accurate health information. 

Crucially, Pichai says that the way people use Google search is changing. “When people think of Google, they often think of turning to us for quick factual answers, like ‘how many keys does a piano have?’ But increasingly, people are turning to Google for deeper insights and understanding—like, ‘is the piano or guitar easier to learn, and how much practice does each need?’”

He sees Google’s latest AI technologies, like LaMDA and PaLM, as an opportunity to “deepen our understanding of information and turn it into useful knowledge more efficiently.” When faced with more complex questions where there is no one right answer, it can pull in different sources of information and present them in a logical way. According to Pichai, we will soon see AI-powered features in search that “distill complex information and multiple perspectives into easy-to-digest formats, so you can quickly understand the big picture and learn more from the web.”

Once or twice in the blog post, you get a sense that Pichai is perhaps frustrated with OpenAI’s prominence. While never name checking OpenAI or ChatGPT directly, he links to Google’s Transformer research project, calling it “field-defining” and “the basis of many of the generative AI applications you’re starting to see today,” which is entirely true. The “T” in ChatGPT and GPT-3 stands for Transformer; both rely heavily on research published by Google’s AI teams. But despite its research successes, Google isn’t the company with the widely discussed AI chatbot today. Maybe Bard’s presence will change that.

Why you should update your iPhone ASAP, even if it is ancient https://www.popsci.com/technology/iphone-webkit-vulnerability/ Mon, 30 Jan 2023 23:00:00 +0000 https://www.popsci.com/?p=508540
iphone screen lockpad
Passwordless logins are coming to Apple, Google, and Microsoft devices and services. Yura Fresh / Unsplash

Old and new versions of Apple devices have been subject to a major vulnerability still in the wild.

Over the past week, Apple has rolled out some important security updates—including updates to iOS 16, iOS 15, and even iOS 12 to protect iPhones from a major vulnerability that’s still in the wild. That extends to older iPhone models too.

Although the iPhone 5s was released back in 2013 and discontinued in 2016, it still gets the occasional crucial software update from Apple. The newest software for these older devices, iOS 12.5.7, was released last week and patches a bug with the catchy name of CVE-2022-42856 in older iPhones and iPads, including the iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). 

For the newer versions of iPhones, CVE-2022-42856 was squashed at the end of November as part of iOS 16.1.2. It was also dealt with on other devices with the release of iOS 15.7.2, iPadOS 15.7.2, tvOS 16.2, and macOS Ventura 13.1. Basically, if you’ve been tapping “Remind Me Tomorrow” on your Apple updates for a few weeks, now is the time to do it. 

First spotted late last year by Clément Lecigne of Google’s Threat Analysis Group, CVE-2022-42856 is a bug in Apple’s browser engine, WebKit, that allows an attacker to create malicious web content that can execute code on iPhones, iPads, Macs, and even Apple TVs. While everyone is a little cagey about the specifics of the exploit so that more bad actors can’t figure it out, it has a “High” severity score. That’s on a scale that goes None, Low, Medium, High, and then Critical. It’s based on both how much control these kinds of exploits give attackers and how easily and widely they can be implemented.

Crucially, Apple said on January 23 that it has received reports that this issue is being “actively exploited.” In other words, there are hackers out there using it to target Apple devices—including older devices running iOS 12—so it’s best to update to stay safe.

As well as CVE-2022-42856, iOS 16.3, iPadOS 16.3, macOS Ventura 13.2, and watchOS 9.3, which were released last week, squash a long list of vulnerabilities. Among them are two more WebKit bugs that could allow attackers to execute malicious code, two macOS denial-of-service vulnerabilities, and two macOS kernel vulnerabilities that could be abused to reveal sensitive information, execute malicious code, or determine details about its memory structure—possibly allowing for further attacks. 

But these latest updates don’t just deal with bugs. After announcing the feature last year, Apple has added support for security keys to Apple IDs. Basically, when you log in to your Apple ID, instead of getting a two-factor authentication (2FA) code sent to your phone, which can be intercepted by hackers, you can use a hardware security key that connects to your Apple device over a USB port, a Lightning port, or NFC. It’s significantly more secure because an attacker would have to physically steal your security key and learn your password to gain access to your account.

To get started with setting your phone up with a hardware security system, you need at least two FIDO-certified security keys that are compatible with your Apple devices, just in case you lose one. Apple recommends the YubiKey 5C NFC or YubiKey 5Ci for most Mac and iPhone models, and the FEITIAN ePass K9 NFC USB-A for older Macs. You also need your devices updated to iOS 16.3 and macOS Ventura 13.2. Once you’re ready, you can connect your security keys to your account in the Password & Security section of the relevant Settings app.

Is ChatGPT groundbreaking? These experts say no. https://www.popsci.com/technology/chatgpt-ai-researchers-debate/ Sat, 28 Jan 2023 12:00:00 +0000 https://www.popsci.com/?p=508175
In this photo illustration, a silhouetted woman holds a smartphone with the OpenAI logo displayed on the screen.
In this photo illustration, a silhouetted woman holds a smartphone with the OpenAI logo displayed on the screen. Photo Illustration by Rafael Henrique/SOPA Images/LightRocket via Getty Images

Meta's Chief AI scientist claims that Google, Meta, and other startups are working with very similar models.

ChatGPT, OpenAI’s AI-powered chatbot, has been impressing the public—but AI researchers aren’t as convinced it’s breaking any new ground. In an online lecture for the Collective[i] Forecast, Yann LeCun, Meta’s Chief AI Scientist and Turing Award recipient, said that “in terms of underlying techniques, ChatGPT is not particularly innovative,” and that Google, Meta, and “half a dozen startups” have very similar large language models, according to ZDNet.

While this might read as a Meta researcher upset that his company isn’t in the limelight, he actually makes a pretty good point. But where are these AI tools from Google, Meta, and the other major tech companies? Well, according to LeCun, it’s not that they can’t release them—it’s that they won’t.

Before we dive into the nitty-gritty of what LeCun is getting at, here’s a quick refresher on the conversations around ChatGPT, which was released to the public late last year. It’s a chatbot interface for OpenAI’s commercially available Generative Pre-trained Transformer 3 (GPT-3) large language model that was released in 2020. It was trained on 410 billion “tokens” (simply, semantic fragments) and is capable of writing human-like text—including jokes and computer code. While ChatGPT is the easiest way for most people to interact with GPT, there are more than 300 other tools out there that are based on this model, the majority of them aimed at businesses.

From the start, the response to ChatGPT has been divisive. Some commenters have been very impressed by its ability to spit out coherent answers to a wide range of different questions, while others have pointed out that it’s just as capable of spinning total fabrications that merely adhere to English syntax. Whatever ChatGPT says sounds plausible—even when it’s nonsense. (AI researchers call this “hallucination”.)

For all the think-pieces being written (including this one), it’s worth pointing out that OpenAI is an as-yet-unprofitable startup. Its DALL-E 2 image generator and GPT models have attracted a lot of press coverage, but it has not managed to turn selling access to them into a successful business model. OpenAI is in the middle of another fundraising round and is set to be valued at around $29 billion after taking $10 billion in funding from Microsoft (on top of the $3 billion Microsoft has invested previously). It’s in a position to move fast and break things in a way that, as LeCun points out, more established players aren’t.

For Google and Meta, their progress has been slower. Both companies have large teams of AI researchers (though fewer after the recent layoffs) and have published very impressive demonstrations—even as some public access projects have devolved into chaos. For example, last year, Facebook’s Blenderbot AI chatbot started spewing racist comments, fake news, and even bashing its parent company within a few days of its public launch. It’s still available, but it’s kept more constrained than ChatGPT. While OpenAI and other AI startups like StabilityAI have been able to roll through their models’ open bigotry, Facebook understandably has had to roll back. Its caution comes from the fact that it’s significantly more exposed to regulatory bodies, government investigations, and bad press.

With that said, both companies have released some incredibly impressive AI demos that we’ve covered here on PopSci. Google has shown off a robot that can program itself, an AI-powered story writer, an AI-powered chatbot that one researcher tried to argue was sentient, an AI doctor that can diagnose patients based on their symptoms, and an AI that can convert a single image into a 30-second video. Meta meanwhile has AIs that can win at Go, predict the 3D structure of proteins, verify Wikipedia’s accuracy, and generate videos from a written prompt. These incredibly impressive tasks represent just a small fraction of what their researchers are doing—and because the public can’t be trusted, we haven’t got to try them yet. 

Now though, OpenAI might have influenced Google and Meta to give more publicly accessible AI demonstrations and even integrate full-on AI features into their services. According to The New York Times, Google views AI as the first real threat to its search business, has declared “code red”, and even corralled founders Larry Page and Sergey Brin into advising on AI strategy. It’s expected to release upwards of 20 AI-adjacent products over the next year, and we will presumably see more from Meta too. Though given how long some Google products last after launch, we will see if any stick around.

The real reason people share so much fake news on social media https://www.popsci.com/technology/why-people-share-misinformation/ Wed, 25 Jan 2023 20:00:00 +0000 https://www.popsci.com/?p=507823
fake news on phone screen
Fake news is rampant on social media these days. DEPOSIT PHOTOS

It may have to do more with habits and rewards.

Misinformation is rampant on social media, and a new study has shed some light on why. Researchers from Yale University and the University of Southern California argue that basically, some people develop a habit for sharing things on social media—whether they’re true or not. Although “individual deficits in critical reasoning and partisan bias” are commonly cited as reasons that people share fake news, the authors wrote in the paper, “the structure of online sharing built into social platforms is more important.” 

Previous studies have found that some people—especially older people—just don’t consider whether something is true before sharing it. Other research has shown that some people are motivated to share news headlines that support their identity and match their existing beliefs, whether the headlines are true or not—especially Conservatives.

While the research team from Yale and USC accept these as contributing factors to the spread of misinformation online, they hypothesized that they may not be the only mechanisms that lead people to share fake news. Both the idea that people share misinformation because of a lack of critical thinking and the idea that it’s a result of partisan bias assume that they would share less fake news if they were sufficiently motivated or able to consider the accuracy of the headlines they are sharing. However, the Yale-USC team’s research suggests that may not be the case.

Instead, the team argues that “misinformation sharing appears to be part of a larger pattern of frequent online sharing of information.” To support that, they found that the people in their 2,476-participant study who shared the greatest number of fake news stories also shared more true news stories. The paper is based on four related, but separately conducted studies all aimed at teasing out how habitual sharing affects the spread of misinformation.

[Related: The biggest consumers of fake news may benefit from this one tech intervention]

In the first study, 200 online participants were shown eight stories with true headlines and eight stories with false headlines and asked if they’d share them on Facebook. The researchers also measured how strong their habitual sharing was on social media using data on how frequently they shared content in the past and a self-reported index that measured if they did so without thinking. 

As the researchers expected, participants with stronger sharing habits reposted more stories and were less discerning about whether they were true or not than participants with weaker habits. The participants with the strongest habits shared 43 percent of the true headlines and 38 percent of the false headlines while those with the weakest habits shared just 15 percent of the true headlines and 6 percent of the false ones. In total, the top 15 percent of habitual sharers were responsible for 37 percent of the shared false headlines across this study. 

The second study, which contained 839 participants, was aimed at seeing if participants would be deterred from habitual sharing after they were asked to consider the accuracy of a given story.

While asking participants to assess the headline accuracy before sharing reduced the number of fake headlines shared, it was least effective in the most habitual participants. When participants had to assess the accuracy before being asked about whether or not they would share a sample of stories, they shared 42 percent of the true headlines and still shared 22 percent of the false ones. But, when participants were only asked about whether or not they would share the stories, the most habitual participants shared 42 percent of the true headlines and 30 percent of the false ones.

[Related: These psychologists found a better way to teach people to spot misinformation]

The third study aimed to assess if people with strong sharing habits were less sensitive to partisan bias and shared information that didn’t align with their political views. The structure was similar to the previous study, with around 836 participants asked to assess whether a sample of headlines aligned with liberal and conservative politics, and whether or not they’d share them.

Again the most habitual sharers were less discerning about what they shared. Those not asked to assess the politics of the headlines beforehand reposted 47 percent of the stories that aligned with their stated political orientation and 20 percent of the stories that didn’t. Even when asked to assess the political bias first, habitual sharers reposted 43 percent of the stories that aligned with their political views and 13 percent of the ones that didn’t. In both conditions, the least habitual sharers only shared approximately 22 percent of the headlines that aligned with their views and just 3 percent of the stories that didn’t. 

Finally, in the fourth study, the researchers tested whether changing the reward structure on social media could change how frequently misinformation was shared. They theorized that if people get a reward response to likes and comments, it would encourage the formation of habitual sharing—and that the reward structure could be changed. 

To test this, they split 601 participants into three groups: a control, a misinformation training condition, and an accuracy training condition. In each group, participants were shown 80 trial headlines and asked whether or not they’d share them before seeing the eight true and eight false test headlines similar to the previous studies. In the control condition, nothing happened if they shared the true or false headline, while in the misinformation condition, participants were told they got “+5 points” when they shared a false headline or didn’t share a true one, and in the accuracy condition they were told they got “+5 points” when they shared a true headline or didn’t share a false one. 

As predicted, both accuracy training and misinformation training were effective in changing participants’ sharing behaviors compared to the controls. Participants in the accuracy condition shared 72 percent of the true headlines and 26 percent of the false headlines compared with participants in the misinformation condition who shared 48 percent of the true headlines and 43 percent of the false ones. (Control participants shared 45 percent of the true headlines and 19 percent of the false.)

The researchers conclude that their studies all show that habitual sharing is a major factor in the spread of misinformation. The top 15 percent most habitual sharers were responsible for between 30 and 40 percent of all shared misinformation across all studies. They argue that this is part of the broader response patterns established by social media platforms—but that they could be restructured by internal engineers to promote the sharing of accurate information instead.

Facebook and Instagram might revamp their nudity policies https://www.popsci.com/technology/meta-oversight-board-nudity-policy/ Fri, 20 Jan 2023 15:00:00 +0000 https://www.popsci.com/?p=506428
marble statues
A case brought to the Oversight Board challenges Meta's nudity policy. Cathy Mü / Unsplash

The Oversight Board has suggested changes that would be more inclusive and respectful of human rights.

Meta’s Oversight Board—an independent group responsible for overseeing Facebook and Instagram’s content moderation policies—wants to suggest a change to the company’s long-standing nudity policy to be more inclusive and respectful of human rights. It comes as the Oversight Board overturned Meta’s original decision earlier this month to remove two posts on Instagram that depicted transgender and non-binary people with bare chests.

The case was brought to the Oversight Board by a US couple who identify as transgender and non-binary. In 2021 and 2022 they posted two images on Instagram where, according to the Board’s decision, they were “bare-chested with the nipples covered.” The captions discussed transgender healthcare and said the couple were fundraising and selling t-shirts so one of them could undergo top surgery—gender-affirming surgery that generally involves the removal of breast tissue.

After a series of alerts from both Meta’s content moderation AIs and reports from users, the posts were “reviewed multiple times for potential violations of various Community Standards” by the human moderation team. In the end, both posts were removed for violating the Sexual Solicitation Community Standard—which is meant to ban sex workers soliciting payments—“seemingly because they contain breasts and a link to a fundraising page.”

The couple appealed the content moderation decision to Instagram and then the Oversight Board on the basis that the reason for the removals did not match the actual intention for the post. After the Board accepted the two cases, Meta’s moderation team decided it had been wrong to remove the posts and restored them. This was too little, too late for the Board, which heard the cases anyway in order to give broader recommendations on Meta’s nudity policies. 

The decision released this week found in the couple’s favor. The Oversight Board decided that removing the posts was “not in line with Meta’s Community Standards, values or human rights responsibilities,” and highlighted “fundamental issues with Meta’s policies.” It found that Meta’s guidance to moderators about the Sexual Solicitation policy was too broad for the stated rationale and publicly available guidance. 

The Oversight Board also found that the Adult Nudity and Sexual Activity Community Standard—which “prohibits images containing female nipples other than in specified circumstances, such as breastfeeding and gender confirmation surgery”—is inappropriately based on a binary view of gender. The distinction between male and female bodies makes it unclear to both users and moderators “how the rules apply to intersex, non-binary and transgender people, and requires reviewers to make rapid and subjective assessments of sex and gender.” Regardless of the ethics of the situation, the Board highlights that it’s “not practical when moderating at scale.”

Similarly, the Board called the restrictions and exceptions to the rules on showing female nipples “confusing, particularly as they apply to transgender and non-binary people.” Female nipples are allowed to be shown as part of a protest, during childbirth, and in medical and health contexts (including top surgery) but not while someone is at the beach or in other contexts where anyone may “traditionally go bare-chested.” It argues that, as these cases show, “Meta’s policies on adult nudity result in greater barriers to expression for women, trans and gender non-binary people on its platforms” and that LGBTQI+ people can be “disproportionally affected.”

As well as overturning Meta’s original decision to remove the posts, the Board had three recommendations for improving the company’s policies around nudity, LGBTQI+ expression, and nipples in general. 

First, Meta should “define clear, objective, rights-respecting criteria to govern its Adult Nudity and Sexual Activity Community Standard, so that all people are treated in a manner consistent with international human rights standards, without discrimination on the basis of sex or gender.” Second, it should “provide more detail in its public-facing Sexual Solicitation Community Standard on the criteria that leads to content being removed.” Finally, it needed to “revise its guidance for moderators on the Sexual Solicitation Community Standard so that it more accurately reflects the public rules on the policy,” which could help reduce the number of enforcement errors. 

All in all, it’s a pretty clear win for free expression—though as TechCrunch notes, if some of the Board’s recommendations are taken to the fullest extent, it could result in some pretty major changes to how nudity is moderated on Facebook and Instagram. Automatically presuming that nude female, transgender, and non-binary bodies are sexually suggestive while male bodies are not is at odds with the kind of gender-neutral policies that international human rights standards call for. 

Meta says that it welcomes the Oversight Board’s decision and that it already reinstated the affected content. It says it will conduct a review of the Board’s recommendations, and will issue an update when it decides how it plans to move forward. 

For the first time in a decade, Wikipedia is getting a makeover https://www.popsci.com/technology/wikipedia-desktop-design-change/ Thu, 19 Jan 2023 23:00:00 +0000 https://www.popsci.com/?p=506442
A laptop computer with Wikipedia on its screen.
Ah, ripe for editing. David Nield

Here's what's changing.

For the first time in more than 10 years, Wikipedia is getting a design overhaul. The changes, which are rolling out to the desktop version of the site starting this week, make for a cleaner, easier reading experience. To see them for yourself, Wikipedia recommends you head to the Galaxy page on a laptop.

Since launching in 2001, Wikipedia—the open-edit internet encyclopedia—has grown into one of the most visited sites in the world. The English language version had over 115 billion page views last year and is maintained by around 40,000 active editors. In the 2000s, Wikipedia and its mission to democratize access to knowledge were frequently criticized for being unrealistic. Students were warned not to rely on the site as a source for essays or formal assignments due to its perceived inaccuracy—and it was even a joke on The Office. Oh how things have changed. 

Now, Wikipedia is often seen as a reliable—if occasionally imperfect—summary of huge chunks of human knowledge. One study found it was more than 99.5 percent accurate for pharmacological information when compared to undergraduate-level textbooks.

Those imperfections can be funny, though. Perhaps most famously, in 2020 a Reddit user discovered almost half of the Scots language Wikipedia entries had been written by an American teenager who didn’t even speak the language. He just substituted occasional, frequently misspelled, Scots words into English sentences. Just check out this definition of a village: “A veelage is a clustered human settlement or community, larger than a hamlet but smawer than a toun, wi a population rangin frae a few hunder tae a few thoosand (sometimes tens o thoosands).”

Despite the occasional hoax, Wikipedia is generally pretty resistant to misinformation campaigns—even if screenshots of controversial or rolled back edits sometimes go viral on social media. It’s even been used by Facebook and YouTube to counteract conspiracy theories and provide additional information. (Meta, Facebook’s owner, is actually also in early stages of testing an AI-based Wikipedia fact-checker).

[Related: Meta thinks its new AI tool can make Wikipedia more accurate]

But even as Wikipedia’s content has been kept up-to-date, its appearance hasn’t been. It’s had largely the same look and layout since 2003, though updates in 2005 and 2011 stopped it from looking like Geocities, and kept it readable as screens got larger and higher-resolution. The latest tweaks aren’t huge and certainly don’t change the overall “black and blue text on a white background” look of the site that everyone knows and tolerates, but they will make it easier to use.

As well as generally embracing a slightly more modern, minimalist design, there are two big features of note. The first is the new table of contents sidebar. Now as you scroll through an article, the sidebar will continue to display the article’s different sub-heads so you can easily jump around to the most relevant sections. If you don’t like it, you can just click Hide to get rid of it. The original sidebar with its links to different pages around Wikipedia is now accessible from the Hamburger menu in the top left. 

The second big change is the new language drop-down in line with the article title. It allows you to quickly view an article in any of the different languages it’s available in.

In addition to these changes, Wikipedia said that it is changing its default font-size and setting a maximum line length to make long articles easier to read—especially on bigger screens. Wikipedia also claims it has improved the search experience, “which now leverages images and descriptions” to make it easier to find what you’re looking for. Users logged in to their account will have a header bar that stays at the top of their screen as they scroll. 

While the sum total of the changes might be small, all in all, they make for a nicer-looking Wikipedia that still maintains the site’s character—for better or worse. At the current rate, we can expect the mobile site to be updated in 2033. 

A guide to the internet’s favorite generative AIs https://www.popsci.com/technology/ai-generator-guide/ Wed, 11 Jan 2023 23:00:00 +0000 https://www.popsci.com/?p=504733
In this photo illustration, a silhouetted woman holds a smartphone with the OpenAI logo displayed on the screen.
In this photo illustration, a silhouetted woman holds a smartphone with the OpenAI logo displayed on the screen. Photo Illustration by Rafael Henrique/SOPA Images/LightRocket via Getty Images

VALL-E is just the latest example. Here's what to know about DALL-E 2, GPT-3, and more.

There’s a new AI on the block, and it can mimic someone’s voice from just a short audio clip of them speaking. If it sounds like there are a lot of wacky AIs out there right now that can generate things, including both images and words, you’re right! And because it can get confusing, we wrote you a quick guide. Here are some of the most prominent AIs to surface over the past 12 months.

VALL-E

The latest entrant, VALL-E is a new AI from Microsoft researchers that can generate a full model of someone’s voice from a three-second seed clip. It was trained on over 60,000 hours of English language speech from more than 7,000 speakers and works by turning the contents of the seed clip into discrete components through a process called tokenization, which breaks down texts into smaller units called tokens. The AI’s neural network then speculates what the other tokens required to make a full model would sound like, based off the few it has from the short clip. The results—which you can check out on the VALL-E website—are pretty astounding. 

Because of the obvious deep fake uses for an AI model like VALL-E, Microsoft hasn’t released it to the public. (Microsoft has previously invested in DALL-E and ChatGPT-owner OpenAI and is also reportedly in talks to invest billions more.) Still, it shows the kind of things these generative AIs are capable of with even the smallest seed. 

DALL-E 2

OpenAI’s DALL-E 2 arguably kicked off the latest AI craze when it was announced last April. It can create original images from a text prompt, whether you want something realistic or totally out there. It can even expand the boundaries of existing artwork with a technique called outpainting.

The best thing about DALL-E 2 is that it’s free for anyone to try. In your first month, you get 50 credits, each of which allows you to generate four image variations from a single text prompt. After that, you get 15 free credits per month.

Stable Diffusion

While OpenAI controls access to DALL-E 2, Stability AI took a different approach with its image generator, Stable Diffusion: it made it open source. Anyone can download Stable Diffusion and create incredibly realistic-looking images and imaginative artworks using a reasonably powerful laptop.

Because it’s open source, other companies have also been able to use Stable Diffusion to launch generative AI tools. The biggest name here is Lensa’s Magic Avatars. With the smartphone app, you are able to upload 10 to 20 photos which are used to train a custom Stable Diffusion model and then generate dozens of off-beat artistic avatars. 

Midjourney

The other big name in image generation, Midjourney, is still in Beta and only accessible through a Discord channel. Its algorithm has improved a lot over the past year. Personally, I find the images created by its current model—Version 4—the most compelling and naturalistic, compared to other popular image generators. Unfortunately, accessing it through Discord is a weird hurdle, especially when compared to Stable Diffusion or DALL-E 2.

GPT-3

OpenAI’s Generative Pre-trained Transformer 3 or GPT-3 language model was actually released in 2020, but it has made headlines in the past couple of months with the release of ChatGPT, a chatbot that anyone can use. Its answers to a variety of questions and prompts are often accurate and, in many cases, indistinguishable from something written by a human. It’s started serious conversations about how colleges will detect plagiarism going forward (maybe with an AI-finding AI). Plus, it can write funny poems.

While ChatGPT is by far the most obvious instance of GPT-3 out in the world, it also powers other AI tools. Of all the generative AIs on the list, at PopSci we suspect it’s the one you will hear a lot more about in the next while. 

Codex

OpenAI’s GPT-3 isn’t just good at generating silly songs and short essays; it also has the capacity to help programmers write code. The model called Codex is able to generate code in a dozen languages, including JavaScript and Python, from natural language prompts. On the demo page, you can see a short video of a browser game being made without a single line of code being written. It’s pretty impressive! And Codex is already out in the wild: GitHub Copilot uses it to automatically suggest full chunks of code. It’s like autocomplete on steroids.

Instagram’s new update promises to make the platform suck a little less https://www.popsci.com/technology/instagram-change-navigation-bar/ Wed, 11 Jan 2023 20:00:00 +0000 https://www.popsci.com/?p=504666
close up of girl's hand using smartphone with instagram app
Companies like Meta and TikTok use JavaScript to track virtually everything you do in-app. "Deposit Photos"

Here's what's changing.


In an attempt to make its app less awful to use, Instagram announced this week that it will redesign the navigation bar at the bottom of the screen next month. From February, instead of Reels being at the center of the navigation bar, the shortcut to create content (the + button) will be back where it belongs. Reels will shift to the right and the Shop tab will be removed entirely. 

Instagram originally changed the navigation bar in 2020 in a not-so-subtle attempt to push users to try all the new features—like Reels and Shopping—that they didn’t ask for. It meant the Compose button and Activity tab moved to the top right of the app (where I still struggle to find them). Presumably, Meta, Instagram’s parent company, was hoping to pump its Reels and Shopping engagement numbers, which it may feel offer better revenue-generating opportunities than pictures posted to a feed or story. 

While these changes happened without major backlash, other shifts Instagram made over the past year, like trying full screen videos, have been less well received. Meta’s attempt to make the app increasingly more like TikTok with lots of suggested videos from people you don’t follow broke one of the cardinal rules of social media: don’t piss off the Kardashians. A campaign to “make Instagram Instagram again” drew a response from Instagram head Adam Mosseri who admitted things were “not good yet” and that if users were seeing a lot of suggested posts that they weren’t interested in, they were “doing a bad job.” The internet largely agreed with him and the hubbub died down after Instagram walked back a few of the changes, like temporarily limiting the number of suggested posts users would see, though the underlying issues of Instagram losing its way weren’t solved. By chasing trends, and younger users, the Instagram app today has lost much of its original appeal in the midst of its many reinventions.

[Related: It’s not just you—everyone hates Instagram now. Here’s why.]

Now, in the face of increased competition from TikTok, especially among teen users, Instagram is trying the wild idea of making its app nicer to use. Sure, moving a few buttons isn’t going to fix everything—but it at least gives the impression that posting content—rather than watching an endless stream of suggested videos—is something you’re meant to do on the platform. 

A Meta spokesperson told TechCrunch that businesses who use the Shopping feature have no reason to be concerned. “You will still be able to set up and run your shop on Instagram as we continue to invest in shopping experiences that provide the most value for people and businesses across Feed, Stories, Reels, ads, and more,” they said. To us, that sounds like anyone relying on the Shopping feature does have a reason to be concerned.

These improvements to the navigation bar aren’t the only changes coming to Instagram over the next month or two. Meta is also going to change how users under-18 can be targeted by ads on both Facebook and Instagram. It is ending the ability for advertisers to target them based on their in-app activity, like who they follow and their gender. Advertisers will only be able to target teens based on their age and location. Teen users will also get the option to “see less” of any topic to control what kind of ads are served to them. These changes come after Meta was fined €405 million (~$435 million) by the Irish Data Protection Commission last year for violating the General Data Protection Regulation (GDPR) for how it handled teen users’ data. (Meta has been fined more than $1 billion over the past year by EU regulators for breaching similar privacy laws.)

Whether these changes are all a sign that Instagram is course correcting after trying too hard to be TikTok is still unclear, but they are welcome nonetheless. Though if you truly want a better Instagram experience right now, we’ve got one tip here for you at PopSci: skip the mobile app and use the web app instead.

EU fines Meta for forcing users to accept personalized ads https://www.popsci.com/technology/meta-eu-fine-personalized-ads/ Sat, 07 Jan 2023 12:00:00 +0000 https://www.popsci.com/?p=503720
Facebook loading screen
DEPOSIT PHOTOS

The company has to pay $410 million and outline how it will change its Terms of Service.


This week, Meta was fined €390 million ($410 million) by the European Union for illegally forcing users to accept personalized ads or stop using its services. It now has three months to outline how it will change its practices to comply with EU law. 

The General Data Protection Regulation (GDPR) came into force in 2018 and since then, it has been a major headache for Meta. Amongst other things, it requires organizations to be transparent about why they are collecting data, have a lawful reason to do so, and get clear, affirmative consent from users. This is why so many sites inflict large GDPR popups on visitors, and it’s what has caused Meta its latest issues.

This fine stems from two complaints, one against Facebook and one against Instagram, both filed on May 25, 2018—the date that GDPR came into operation. In essence, Meta attempted to comply with GDPR by changing the Terms of Service so that personalized ads and other data-driven services were a core part of what the company offered. By clicking “I Accept” on the Terms of Service popup, users weren’t opting into personalized ads, they were agreeing to a contract with Meta that happened to include them. Both complaints argued that by doing this, Meta was forcing users to opt-in to data collection and thus was falling afoul of the requirements of the GDPR.

The specifics of Meta’s legal wangling get into the weeds, but the gist of it is that the Irish Data Protection Commission (which is Meta’s main regulator in Europe as it has its headquarters there) found that the company was in breach of its obligations to be transparent with users about what data it was collecting and why. As a result, it was fined €210 million (~$221 million) for Facebook and €180 million (~$189 million) for Instagram and it has been given three months to outline how it will comply with the ruling and bring its Terms of Service in line with GDPR.

These latest penalties bring the total that Meta has been fined by the EU in the past 12 months to more than $1 billion. According to the Irish Times, the company has set aside $2 billion to deal with the penalties it expects to receive this year. 

While the fines amount to a small chunk of its overall profits, Meta’s revenue fell last quarter for the first time and it laid off more than 11,000 employees worldwide. It also has to contend with declining advertising revenue and major investments in the Metaverse that, so far, do not seem to be paying off.

Meta isn’t the only company having issues with the EU. Over the past few years, the 27-country bloc has been open in its attempt to control how the US tech giants operate within its borders. Amazon, Twitter, and Google have all been hit with fines for breaching the terms of GDPR. A new law that requires all portable electronic devices to use USB-C is forcing Apple to ditch its lightning connector. Over the next two years, the Digital Markets Act (DMA) is going to add a whole host of new obligations to “online gatekeepers”—including forcing Apple to open up its App Store. While the wheels of bureaucracy turn very very slowly, the US tech giants might finally be facing a reckoning in Europe—though expect the legal process to drag out for the next decade.

It’s the end of an era—Verizon says farewell to 3G https://www.popsci.com/technology/3g-network-shut-down-us/ Tue, 03 Jan 2023 20:00:00 +0000 https://www.popsci.com/?p=502721
smartphone that runs on 3g
The US says goodbye to 3G. Frederik Lipfert / Unsplash

How 3G cellular data ushered in the age of the smartphone.


3G cellular connections are no more, at least in the US. Verizon, the last carrier operating a 3G network, cut its last customers’ connections throughout December. The final switch off date was December 31st, 2022, although Verizon isn’t leaving people in the lurch: any affected users were sent a free 4G flip phone last year.

3G cellular data is arguably one of the most important technologies of the last two decades. It was the third generation of cellular connection (the G stands for generation) and brought connection speeds that allowed for basic internet browsing and data transfer. It ushered in the age of the smartphone.

The first commercial 3G networks launched in the US in 2001. Before that, only 2G GSM connections were available, and they limited data speeds to 64 kbps. At the best possible speeds, downloading a 2 MB file would take more than 30 seconds—and possibly cost a few dollars. However, 3G networks offered peak speeds of around 8 Mbps—that was fast enough to stream an HD YouTube video.

[Related: AT&T just shut down its 3G network. Here’s how it could affect your car.]

While other phones supported 3G networks first, the launch of the iPhone 3G in 2008 and Android phones like the original Samsung Galaxy S in 2010 are still considered by many to be a huge turning point for society. That’s when it became possible to use the internet easily and affordably from anywhere—or at least anywhere close enough to a cell tower. Just think about browsing the internet on a flip phone versus using Safari on an iPhone. Without the 3G network, apps like Instagram and WhatsApp wouldn’t have been possible.

Of course, 3G’s network speeds were still too slow for serious data use. Over the next decade carriers rolled out 4G LTE, which offers peak speeds of up to 90 Mbps, and later 5G, which can offer Gbps-range download speeds (though an average of a few hundred Mbps is much more likely in most areas). 4G and 5G networks also provided 3G-speed connections at longer distances from cell towers which made expanding coverage into rural areas significantly easier as they could serve wider areas with fewer masts. These are the widespread networks that your cell phone uses now.

While Verizon is the last US carrier to turn off its 3G network, it isn’t much of a hold out. Both AT&T and T-Mobile switched off their networks in 2022. The 3G infrastructure nationwide is being decommissioned now to allow carriers to build newer, even faster networks. T-Mobile, for example, repurposed part of the 3G wireless spectrum for its 5G network.

The death of US 3G networks hasn’t been without issue. Some older devices like early Amazon Kindles have lost their ability to connect to the internet (though Amazon offered affected users a $50 credit towards a new device). Similarly, some cars that used a 3G connection to provide information like real-time traffic, weather, and notifications when your car was unlocked will no longer work without an upgrade. According to The Verge, voting machines in Michigan were even affected. Last summer, the election reporting process was significantly delayed because voting machines could no longer transmit their unofficial results; instead, they had to be driven by election officials to city and town halls to link up to computers there. 

While no longer available in the US, 3G is still used around the world. Some carriers in Europe don’t plan to shut down their networks until around 2030. Still, it’s clear that the writing is on the wall for 3G. In India, where 3G connections are still available, 99 percent of mobile users use 4G.

Correction January 4, 2023: This post previously said that customers will still be able to call 911 and Verizon customer service until February. Verizon said that 3G only phones will not be able to access 911 after the switch-off date. 

Ford used a quantum computer to explore EV battery materials https://www.popsci.com/technology/ford-quantum-ev-battery/ Sat, 24 Dec 2022 12:00:00 +0000 https://www.popsci.com/?p=501690
One of Ford's battery modules
One of Ford's battery modules. Ford

Quantum computers can simulate the properties of new materials that might make batteries safer, more energy-dense, and easier to recycle.


Quantum researchers at Ford have just published a new preprint study that modeled crucial electric vehicle (EV) battery materials using a quantum computer. While the results don’t reveal anything new about lithium-ion batteries, they demonstrate how more powerful quantum computers could be used to accurately simulate complex chemical reactions in the future. 

In order to discover and test new materials with computers, researchers have to break up the process into many separate calculations: One set for all the relevant properties of each single molecule, another for how these properties are affected by the smallest environmental changes like fluctuating temperatures, another for all the possible ways any two molecules can interact together, and on and on. Even something that sounds simple like two hydrogen molecules bonding requires incredibly deep calculations.

But developing materials using computers has a huge advantage: the researchers don’t have to perform every possible experiment physically which can be incredibly time consuming. Tools like AI and machine learning have been able to speed up the research process for developing novel materials, but quantum computing offers the potential to make it even faster. For EVs, finding better materials could lead to longer lasting, faster charging, more powerful batteries. 

Traditional computers use binary bits—which can be a zero or a one—to perform all their calculations. While they are capable of incredible things, there are some problems like highly accurate molecular modeling that they just don’t have the power to handle—and because of the kinds of calculations involved, possibly never will. Once researchers model more than a few atoms, the computations become too big and time-consuming so they have to rely on approximations which reduce the accuracy of the simulation. 

Instead of regular bits, quantum computers use qubits that can be a zero, a one, or both at the same time. Qubits can also be entangled, rotated, and manipulated in other wild quantum ways to carry more information. This gives them the power to solve problems that are intractable with traditional computers—including accurately modeling molecular reactions. Plus, molecules are quantum by nature, and therefore map more accurately onto qubits, which are represented as waveforms.

Unfortunately, a lot of this is still theoretical. Quantum computers aren’t yet powerful enough or reliable enough to be widely commercially viable. There’s also a knowledge gap—because quantum computers operate in a completely different way to traditional computers, researchers still need to learn how best to employ them. 

[Related: Scientists use quantum computing to create glass that cuts the need for AC by a third]

This is where Ford’s research comes in. Ford is interested in making batteries that are safer, more energy and power-dense, and easier to recycle. To do that, they have to understand chemical properties of potential new materials like charge and discharge mechanisms, as well as electrochemical and thermal stability.

The team wanted to calculate the ground-state energy (or the normal atomic energy state) of LiCoO2, a material that could be potentially used in lithium ion batteries. They did so using an algorithm called the variational quantum eigensolver (VQE) to simulate the Li2Co2O4 and Co2O4 gas-phase models (basically, the simplest form of chemical reaction possible) which represent the charge and discharge of the battery. VQE uses a hybrid quantum-classical approach with the quantum computer (in this case, 20 qubits in an IBM statevector simulator) just employed to solve the parts of the molecular simulation that benefit most from its unique attributes. Everything else is handled by traditional computers.

As this was a proof-of-concept for quantum computing, the team tested three approaches with VQE: unitary coupled-cluster singles and doubles (UCCSD), unitary coupled-cluster generalized singles and doubles (UCCGSD) and k-unitary pair coupled-cluster generalized singles and doubles (k-UpCCGSD). As well as comparing the quantitative results, they compared quantum resources necessary to perform the calculations accurately with classical wavefunction-based approaches. They found that k-UpCCGSD produced similar results to UCCSD at lower cost, and that the results from the VQE methods agreed with those obtained using classical methods—like coupled-cluster singles and doubles (CCSD) and complete active space configuration interaction (CASCI). 

Although not quite there yet, the researchers concluded that quantum-based computational chemistry on the kinds of quantum computers that will be available in the near-term will play “a vital role to find potential materials that can enhance the battery performance and robustness.” While they used a 20-qubit simulator, they suggest a 400-qubit quantum computer (which will soon be available) would be necessary to fully model the Li2Co2O4 and Co2O4 system they considered.

All this is part of Ford’s attempt to become a dominant EV manufacturer. Trucks like its F-150 Lightning push the limits of current battery technology, so further advances—likely aided by quantum chemistry—are going to become increasingly necessary as the world moves away from gas burning cars. And Ford isn’t the only player thinking of using quantum to edge it ahead of the battery chemistry game. IBM is also working with Mercedes and Mitsubishi on using quantum computers to reinvent the EV battery. 

TikTok to tell users the ‘why’ behind ‘For You’ https://www.popsci.com/technology/tiktok-why-this-video/ Wed, 21 Dec 2022 20:00:00 +0000 https://www.popsci.com/?p=500997
Phone showing tiktok on screen
Get to know what all the kids are talking about. Hello I'm Nik / Unsplash

The app's new feature offers a peek at their secret algorithm.


TikTok is launching a new feature that will let users see why a particular video has appeared in their For You feed. According to a blog post this week, it’s all part of the company’s goal to “bring meaningful transparency” to its platform. 

TikTok’s For You feed offers up a never ending stream of suggested videos. Its algorithm bases its recommendations on lots of different factors, including the people users follow, the videos they like, interact with or watch, and the kind of content they create. But largely, TikTok has been cagey regarding the specifics of what goes into their secret formula. However, leaked reports to the New York Times suggest that the app might also be taking into account what users are sending to each other on private messages. Once the algorithm learns what a given user likes—and doesn’t like—it gets remarkably good at keeping users engaged with the app. Its success is why Meta is trying—and largely failing—to cram as many TikTok-like features into Instagram. Whatever the algorithm is doing under the hood, its recommendations seem to resonate with users in a way that suggested posts on other social networks just don’t.

Experts have previously told PopSci that part of this is because TikTok is pulling its inventory of videos from everyone on the platform, instead of just from a user’s friends and following. And Bytedance engineers have published a pretty technical preprint paper on the app’s recommendation system. 

[Related: How to find your recently watched TikTok videos]

But being good at mysteriously accessing user interests can often come at a cost. Investigations by publications like the Wall Street Journal showcase how the app can steer users down a rabbit hole of potentially toxic content, although TikTok has since refuted this, saying that WSJ’s experiment “isn’t representative of real user behavior because humans have a diverse set of interests.”

Now though, TikTok is going to give users some information about why exactly a video has appeared in their feed. To see it, you tap the Share icon and then the Question Mark icon called “Why This Video?”

While it won’t reveal any major details about how TikTok’s algorithm works (sorry, Meta), it does give users a hint as to why a particular video has been shown to them. In the blog post, TikTok says that it will offer explanations like the post is similar to the content a user has interacted with or searched for, it was posted by an account that they follow, or simply that it is popular or was just posted in their geographic region (a ‘Nearby’ feed was rumored to be in the works earlier this year).

[Related: 7 tricks to make the most of TikTok]

TikTok provides tools for users to stop certain content being recommended. You can tap the Share icon and then “Not Interested” on any video. If you tap “Details” after, you can also permanently filter out specific #hashtags. TikTok also maintains a list of content, like dangerous stunts, overtly sexualized content, and content promoting alcohol or tobacco misuse, that will never be shown in the For You feed. 

This new feature is coming out just as the app is coming under fire from US regulators for how it handles the privacy and security of its users. Last year, its chief operating officer was grilled at a Senate hearing about what kind of data it collects, and where the data goes. This month, several states have already moved to ban the app from being downloaded or opened on government devices. TikTok is also a part of an ongoing national security review by the Biden administration.  

Regulatory drama aside, TikTok says the “Why This Video?” feature will be rolling out to everyone over the next few weeks. We didn’t have access to it yet at PopSci, so we have not been able to test just how detailed the explanations currently are. Though the company claims that it will “continue to expand this feature to bring more granularity and transparency to content recommendations.”

Apple could be opening up its platform to other apps stores—here’s what it means https://www.popsci.com/technology/apple-open-app-store-dma/ Tue, 20 Dec 2022 20:00:00 +0000 https://www.popsci.com/?p=500695
apple app store icon
Apple might be changing how it operates its App Store. James Yarema / Unsplash

In response to EU's Digital Markets Act, Apple might have to allow iPhone users to install apps from other app stores.


According to a report published last week in Bloomberg, Apple is preparing to allow iPhone users to install apps from other app stores. This comes in response to the European Union’s Digital Markets Act (DMA), which was passed earlier this year and introduces strict requirements on how large tech companies operate in its 27 member states. This is the second major change that Apple has had to make to appease the bloc. Another major change coming next year is that new iPhones will likely have a USB-C port.

Since it was released in 2008, Apple’s App Store has been the only widely available way to legitimately install apps on iPhones and iPads. Workarounds like “jailbreaking”—cracking some of the security layers on the device—or installing developer betas have given dedicated and tech savvy users some freedom. But really, Apple has managed to keep pretty tight control over what apps people can download. 

In doing so, Apple has been able to take a 15 to 30 percent cut of all sales—much to the ire of developers and app makers. In response, private companies like Epic Games (the maker of Fortnite) have sued Apple over the level of control it maintains in the App Store, though that case isn’t going well for Epic. Regulators in the EU have also taken issue with Apple’s practices. Apple has been fined five times in the Netherlands over the past few years for failing to comply with laws that would allow some apps in the App Store to use an alternative payment method. Just this week, it was fined over €1 million (~$1.06 million) by French regulators for imposing abusive commercial clauses on app developers.

The EU’s DMA is designed to prevent unfair practices by “gatekeepers in the online platform economy” and carries with it some pretty heavy conditions and potential fines. 

The DMA is particularly concerned with allowing fair competition and preventing gatekeepers that control “core platform services” like online search engines, social networks, some messaging services, web browsers, and app stores from leveraging their dominant position to snuff out competitors who are forced to rely on their platforms to access customers. A big requirement is that these gatekeepers open up their various platforms, which in Apple’s case likely means allowing other app stores on iOS, giving users more control over the different default apps, and even potentially making iMessage and FaceTime interoperate with other communication standards. 

If Apple doesn’t comply, it could be fined up to 10 percent of its annual turnover. Apple’s turnover (not profit) was more than $365 billion in 2021, so we’re talking about fines of up to $36 billion. That’s a lot harder to shrug off than the relatively paltry $1 million that the French regulators are looking for. 

[Related: Europe’s big new Digital Markets Act could help hold tech giants accountable]

While Apple is one of the most affected companies, the law’s restrictions will likely also require Google, Meta, and Amazon to change various aspects of their operations. The wording of the law is pretty opaque, and the exact specifics of what the different tech companies have to do to comply might depend on varying agreements made between the regulators and the various highly paid legal teams defending these companies.

Although the DMA officially became law a few months ago, its restrictions are going to come into effect on a rolling basis over the next two years. Apple doesn’t strictly have to open up iOS to other app stores until 2024, though according to Bloomberg, it is aiming to have the required changes made so they can be released alongside the iOS 17 software update in fall of 2023. 

It’s also not clear yet exactly what changes Apple will make. Bloomberg claims that in order to protect against “unsafe apps,” Apple is considering mandating certain security requirements for apps distributed through other app stores that it would verify in return for a fee. This could be viewed by most developers as Apple following the letter of the law while entirely ignoring the spirit of it. It’s to be seen whether this kind of behavior will fly with EU regulators. 

Similarly, Bloomberg claims that Apple is working to open up more of its core APIs to developers. This would allow them to build apps that use features so far limited only to Apple’s first-party apps, like the near-field communications chip and some advanced camera technologies. 

Even with a more open app store ecosystem, it’s unclear whether Apple’s users and developers will actually change their habits. Google’s Android smartphone operating system currently allows third-party app stores, but its Play Store is still by far the most dominant app store on the platform. Also, according to Bloomberg, Apple will only bring these changes to European users, so even if change happens, it might not impact US users for a while. But ultimately, although an “avalanche of app stores” could precipitate, they won’t stand a snowball’s chance in hell if people don’t use them.

Perhaps the biggest change will be a continued softening in Apple’s relationship with developers. Until 2020, it took a 30 percent cut of all transactions. Now, that’s dropped to 15 percent for small developers. And just this month it rolled out a series of new price points and pricing tools that will give developers more control over what they charge in different countries. While we might not see a thriving alternative app store ecosystem, a less restrictive, more developer friendly Apple App Store might be the good that comes out of this. 

Meta is open sourcing its automated content moderation tool https://www.popsci.com/technology/meta-hasher-matcher-actioner-open-source/ Mon, 19 Dec 2022 12:00:00 +0000 https://www.popsci.com/?p=499027
logos of twitter, youtube, instagram, and facebook
Aman Pal / Unsplash

The Hasher-Matcher-Actioner, explained.

The post Meta is open sourcing its automated content moderation tool appeared first on Popular Science.

Online content moderation is hard (as Elon Musk is currently finding out). But Meta—the company behind Facebook, Instagram, and WhatsApp—is hoping to make it easier for other platforms. Last week it announced that it would open up the source code for its Hasher-Matcher-Actioner (HMA) tool and make it freely available. This news comes as Meta is set to assume the chair of the Global Internet Forum to Counter Terrorism (GIFCT)’s Operating Board. 

Founded in 2017 by Facebook, Microsoft, Twitter, and YouTube, GIFCT has since evolved into a nonprofit organization that works with member companies, governments, and civil society organizations to tackle terrorist and violent extremist content on the internet. One aspect of this is maintaining a shared hash database of extremist content so that if one company, say Facebook, flags something as terrorist-related, other companies, like YouTube, would be able to automatically take it down.

In order for these databases to work efficiently (and so that no company has to store petabytes of horrifically violent content), they don’t store a complete copy of the offending content. Instead, they store a unique digital fingerprint, or hash. 

Here’s how hashes are made: In essence, a copy of the extremist video, terrorist photo, PDF manifesto, or anything else is fed through an algorithm that converts it to a unique string of digits and letters. You can’t recreate the content using the hash, but putting the same video through the algorithm will always yield the same result. As long as all the platforms are using the same algorithm to create the hashes, they can use a shared database to track terrorist content.

[Related: Antivaxxers use emojis to evade Facebook guidelines]

Meta’s HMA tool allows platforms to automate the process of hashing any image or video, matching it against a database, and taking action against it—like stopping the video from being posted, or blocking the account trying to do so. It isn’t limited to terrorist content, and can work with a shared database like the one maintained by GIFCT, or a proprietary one like YouTube’s Content ID.

It’s worth pointing out that all this happens in the background, all the time. Once HMA or any other similar automated tool is up and running, all the photos and videos users post are hashed and checked against the relevant databases as they are being uploaded. If something is later flagged by moderators as violent, offensive, or otherwise warranting removal, it can go back and automatically remove the other instances that are live on the platform. It’s a continuous process that strives to keep objectionable content from being seen or spread.

While most big platforms already operate with some kind of automated content moderation, Meta hopes that its HMA tool will help smaller companies that lack the resources of the major platforms. “Many companies do not have the in-house technology capabilities to find and moderate violating content in high volumes,” explains Nick Clegg, former Deputy Prime Minister of the United Kingdom and now Meta’s President of Global Affairs, in the press release. And the greater the number of companies participating in the shared hash database, the better every company becomes at removing horrific content—especially as it is rarely just shared in a single place. “People will often move from one platform to another to share this content.”

Meta claims to have spent around $5 billion on safety and security last year and is committed to tackling terrorist content as “part of a wider approach to protecting users from harmful content on our services.” Clegg claims that “hate speech is now viewed two times for every 10,000 views of content on Facebook, down from 10-11 times per 10,000 views less than three years ago.” Without access to Facebook’s internal data we can’t verify that claim, and some reports seem to indicate that the company’s own system is far from perfect. However, initiatives like HMA and the Oversight Board at least give the impression that Meta is serious about solving the problem of content moderation in a fair and consistent manner—unlike Twitter.

The good and the bad of Lensa’s AI portraits https://www.popsci.com/technology/lensa-ai-portrait/ Fri, 16 Dec 2022 15:00:00 +0000 https://www.popsci.com/?p=498941
a collage of lensa's AI-generated portraits
Here are some of the portraits Lensa came up with for me. Harry Guinness / Lensa

Lensa can create dozens of personalized images in an assortment of artistic styles.

The post The good and the bad of Lensa’s AI portraits appeared first on Popular Science.

Lensa is an AI-powered photo editing app that has risen to the top of app stores around the world. Although it has been available since 2018, it’s only with the release of its Magic Avatars feature last month that it became a worldwide social media hit. If you’ve been on Twitter, Instagram, or TikTok in the last few weeks, you’ve almost certainly seen some of its AI-generated images in a variety of styles.

Lensa relies on Stable Diffusion (which we’ve covered before) to make its Magic Avatars. Users upload between 10 and 20 headshots with the iOS or Android app, and Lensa trains a custom version of Stable Diffusion’s image generation model with them. By using a personalized AI model, Lensa is able to create dozens of images in an assortment of artistic styles that actually resemble a real person instead of the abstract idea of one. Or at least, it’s able to do it just enough of the time to be impressive. There is a reason that Magic Avatars are only available in packs of 50, 100, and 200 for $3.99, $5.99, and $7.99 respectively. 

Of course, Lensa’s Magic Avatars aren’t free from artifacts. AI models can generate some incredibly weird images that resemble monsters or abstract art instead of a person. The shapes of eyes, fingers, and other smaller details are more likely to be imperfect than, say, the position of someone’s mouth or nose. 

And like most AI-generators, Lensa’s creations aren’t free from gender, racial, and other biases. In an article in The Cut called “Why Do All My AI Avatars Have Huge Boobs,” Mia Mercado (who is half white, half Filipina) wrote that her avatars were “underwhelming.” According to Mercado, “the best ones looked like fairly accurate illustrations.” Most, though, “showed an ambiguously Asian woman,” often with “a chest that can only be described as ample.”

[Related: Shutterstock and OpenAI have come up with one possible solution to the ownership problem in AI art]

Writing for MIT Technology Review, Melissa Heikkilä (who is similarly of Asian heritage) calls her avatars “cartoonishly pornified.” Out of 100 portraits that she generated, 16 were topless and another 14 had her “in extremely skimpy clothes and overtly sexualized poses.” And this problem isn’t limited to Lensa. Other AI image generators that use Stable Diffusion have also created some incredibly questionable images of people of color.

The issue is so widespread that in an FAQ on its website, Prisma Labs, the company behind Lensa, had to give a response to the question: “Why do female users tend to get results featuring an over sexualised look?” The short answer: “Occasional sexualization is observed across all gender categories, although in different ways.”

Per the FAQ, the problem can be traced back to the dataset that Stable Diffusion is initially trained on. It uses the LAION-5B dataset, which contains almost 6 billion unfiltered image-text pairs scraped from around the internet. Stability AI (the makers of Stable Diffusion) has openly acknowledged that “the model may reproduce some societal biases and produce unsafe content.” This includes sexualized images of women and generic, stereotypical, and racist images of people of color.

Both Stability AI and Prisma claim to have taken steps to minimize the prevalence of NSFW outputs, but these AI models are black boxes by design, meaning that sometimes the human programmers don’t even fully know about all the associations that the model is making. Short of creating a bias-free image database to train an AI model on, some societal biases are probably always going to be present in AI generators’ outputs.

And that’s if everyone is operating in good faith. TechCrunch was able to create new NSFW images of a famous actor using Lensa. They uploaded a mixture of genuine SFW images of the actor and photoshopped images of the actor’s face on a topless model. Of the 100 images created, 11 were “topless photos of higher quality (or, at least with higher stylistic consistency) than the poorly done edited topless photos the AI was given as input.” Of course, this is against Lensa’s terms of service, but that hasn’t exactly stopped people in the past. 

The most promising feature of these AI generators, though, is how fast they are improving. While it’s undeniable that marginalized groups are seeing societal biases reflected in their outputs right now, if these models continue to evolve—and if the developers remain as receptive to feedback—then there is reason to be optimistic that they can do more than just reflect back the worst of the internet.

Why European researchers hooked up a quantum machine to a supercomputer https://www.popsci.com/technology/lumi-vtt-quantum-enabled-supercomputer/ Thu, 08 Dec 2022 23:00:00 +0000 https://www.popsci.com/?p=495983
LUMI supercomputer
Fade Creative

Two machines are better than one.

The post Why European researchers hooked up a quantum machine to a supercomputer appeared first on Popular Science.

VTT, a Finnish research group, announced last month that it had connected a small quantum computer to Europe’s most powerful classical supercomputer. Here are the specifics: VTT’s quantum computer is a 5-qubit machine called HELMI, and LUMI is a pan-European supercomputer that ranks third on the Top500 list. Both are situated in Finland. Combining the best functionalities of HELMI and LUMI to offer hybrid services allows researchers to better use the quantum computer’s unique computing properties—and crucially, to learn how to take advantage of them to solve future problems.

Quantum computers can in theory perform certain operations and complete different tasks far faster than traditional computers, but they are still a long way from reaching their full potential. While a traditional computer uses binary bits—which can be a zero or a one—to perform all its calculations, quantum computers use qubits that can be a zero, a one, or both at the same time. As hard to wrap your head around as that sounds, things get even more complicated when you consider that qubits can be entangled, rotated, and manipulated in other quantum ways to carry additional information. All this is to say that quantum computers aren’t just regular computers with an extra digit to play with: they provide a completely different way of working that has its own strengths and weaknesses.

In the pros column, quantum computers should be able to make what are currently incredibly hard computing tasks that usually involve solving linear algebra problems significantly easier.

One big example is factoring, where the computer has to divide an incredibly long number into the two numbers that equal it when multiplied together. (For example, the factors of 21 are 3 and 7.) This is an incredibly resource intensive task for traditional computers, which is why it’s at the core of nearly every encryption algorithm that’s widely used today. All of our passwords, banking transactions, and important corporate secrets are protected by the fact that current computers kind of suck at factoring large numbers. A quantum computer, though, is theoretically much better at factoring large numbers, and a sufficiently powerful one could tear through the encryption layers that protect digital life. That’s why the US Government has been working to develop quantum-resistant cryptographic algorithms.

[Related: Quantum computers could break encryption. The US government is trying to prevent that.]

Breaking encryption is just the tip of the iceberg when it comes to new problems that these machines can tackle. Quantum computers also show promise for modeling complex phenomena in nature, detecting credit card fraud, and discovering new materials. According to VTT, they could be used for predicting short-term events, like the weather or trading patterns.

In the cons column, quantum computers are hard to use, require a very controlled setup to operate, and have to contend with “decoherence,” or losing their quantum state, which gives weird results. They’re also rare, expensive, and for most tasks, way less efficient than a traditional computer.

Still, a lot of these issues can be offset by combining a quantum computer with a traditional computer, just as VTT has done. Researchers can create a hybrid algorithm that has LUMI, the traditional supercomputer, handle the parts it does best while handing off anything that could benefit from quantum computing to HELMI. LUMI can then integrate the results of HELMI’s quantum calculations, perform any additional calculations necessary or even send more calculations to HELMI, and return the complete results to the researchers. 

Finland is now one of few nations in the world with a quantum computer and a supercomputer, and LUMI is the most powerful quantum-enabled supercomputer. While quantum computers are still a way from being broadly commercially viable, these kinds of integrated research programs are likely to accelerate progress. VTT is currently developing a 20-qubit quantum computer with a 50-qubit upgrade planned for 2024.

Google Search’s new changes are designed to make you see even more results https://www.popsci.com/technology/google-continuous-scrolling/ Tue, 06 Dec 2022 23:00:00 +0000 https://www.popsci.com/?p=495582
Google isn't the only search engine out there, but it does have the biggest market share, by far.
Google isn't the only search engine out there, but it does have the biggest market share, by far. Photo by Firmbee.com on Unsplash

TikTok is becoming a popular search engine for Gen Z. Will Google's recent updates help it keep pace?

The post Google Search’s new changes are designed to make you see even more results appeared first on Popular Science.

Google announced this week that it is bringing continuous scrolling to desktop browsers. Now when you scroll down to the bottom of the search results page, Google will automatically load another page worth of results without you having to click on an additional button. This feature has been available on mobile devices since last year, but it will now roll out to all US users searching in English—and from there, it will presumably expand to other countries and languages. 

Google is careful to call this feature “continuous scrolling” rather than “infinite scrolling.” A similar function exists across most social media sites or apps where as you scroll, new content keeps popping up into your feed just as you get to the bottom of the page. Infinite scroll has had its critics, though, some of whom blame the feature for wreaking havoc on our attention spans.

Google, though, will only load six pages of results before you need to click a button that says “See More Results.” (On mobile devices, you can scroll through up to four pages before you have to tap anything.) Also, Google doesn’t load the six pages of results all at once—how fast it presents the next pages is related to the speed that the user scrolls at.

Until now, Google has displayed search results across multiple pages with ten results per page interspersed with ads, suggested results, and other call-out boxes. There’s an entire industry of search engine optimization (SEO) consultants, companies, blogs, and tools that are able to quantify the value of different organic (which means not a paid ad or other feature) search positions, and provide advice on how to rank your website higher. 

According to one recent analysis of 4 million Google search results by SEO training website Backlinko, an average of 27.6 percent of searchers clicked on the top result. By comparison, less than five percent of searchers clicked on the results in positions six through ten on the first page. The rates are even worse for results that don’t make the first page: 0.63 percent of Google searchers clicked on any link on the second page. (Other similar analyses have come to pretty much the same conclusions.)

Presumably, Google is hoping its new continuous scrolling will encourage searchers to click on or at least consider more results, which increases the likelihood that they will find what they are looking for.

To that end, it’s also rolled out a few other features in recent months aimed at improving the quality of the results that people see, though these are mostly available on the mobile app in the US (which seems to be where most new features get released first). Google added a “Discussions and forums” call out box nested within the first page of search, similar to the existing “News” and “Images” ones, for queries that could “benefit from the diverse personal experiences found in online discussions.” It’s also taken steps to tweak its algorithm and make visual search more natural and intuitive by allowing you to add additional queries using “multisearch.” This will supposedly allow the engine to take on more complex questions. Similarly, it has tried to encourage searchers to explore deeper by offering up topic suggestions based on their searches and showing more visuals when they shop for products on a desktop. Notably, it hasn’t committed to showing fewer ads.

Given the growing narrative that Google’s search results and overall user experience are getting worse (even if it might really be an internet-wide issue), getting the right results to people when they look for them is clearly important to the company—especially as more people turn to social media like Reddit and TikTok for information, but those platforms come with their own issues around misinformation and taking statements out of context. Google is also competing against other browsers like Bing and the privacy-centric DuckDuckGo (see how results across the sites vary here). Whether Google’s wide-ranging attempts to improve its product are enough to keep searchers happy remains to be seen. 

Here’s how a new AI mastered the tricky game of Stratego https://www.popsci.com/technology/ai-stratego/ Sat, 03 Dec 2022 12:00:00 +0000 https://www.popsci.com/?p=494302
stratego board game
zizou man / Wikimedia

It’s a huge and surprising result—at least to the Stratego community.

The post Here’s how a new AI mastered the tricky game of Stratego appeared first on Popular Science.

A new AI called “DeepNash” has mastered Stratego, one of the few iconic boardgames where computers don’t regularly trounce human players, according to a paper published this week. It’s a huge and surprising result—at least to the Stratego community. 

Stratego is a game with two distinct challenges: it requires long-term strategic thinking (like chess) and also requires players to deal with incomplete information (like poker). The goal is to move across the board and capture the other player’s flag piece. Each game takes place over a 10 x 10 gridded board with two 2 x 2 square lakes blocking the middle of the board. Both players have 40 pieces with different tactical values that are deployed at the start of the game—the catch is that you can’t see what your opponent’s pieces are and they can’t see what yours are. When you are planning an attack, you don’t know if the defender is a high-ranked Marshal that will beat almost all your pieces or a lowly Sergeant that can be taken out by a Lieutenant or Captain. Some of the other playable pieces include bombs (powerful but immobile), scouts (that can move more than one square at once), and miners (who can defuse bombs), which all add to the tactical complexity. The game only ends when one player’s flag piece is captured or they can no longer make any legal moves.

All this is to say that Stratego creates a unique challenge for computers to solve. Chess is relatively easy because all the information is visible to everyone—in game theory, it’s called a “perfect information game”. A computer can look at your defences, simulate 10 or so moves ahead for a few different options, and pick the best one. It gives them a serious strategic advantage over even the best human players. It also helps that chess is a game that tends to be won or lost in a few key moments rather than by gradual pressure. The average chess game takes around 40 moves while Stratego takes more than 380. This means each move in chess is far more important (and for humans, warrants a lot more consideration) whereas Stratego is more fast paced and flexible.

[Related: Meta’s new AI can use deceit to conquer a board game world]

Stratego, on the other hand, is an “imperfect information game.” Until an opponent’s piece attacks or is attacked, you have no way of knowing what it is. In poker, an imperfect information game that computers have been able to play at a high level for years, there are 10^164 possible game states and each player only has 10^3 possible two-card starting hands. In Stratego, there are 10^535 possible states and more than 10^66 possible deployments—that means there’s a lot more unknown information to account for. And that’s on top of the strategic challenges. 

Combined, the two challenges make Stratego especially difficult for computers (or AI researchers). According to the team, it’s “not possible to use state-of-the-art model-based perfect information planning techniques nor state-of-the-art imperfect information search techniques that break down the game into independent situations.” The computer has to be able to make strategic plans that incorporate the imperfect information it has available to it. 

But DeepNash has been able to pull it off. The researchers used a novel method that allowed the AI to learn to play Stratego by itself while developing its own strategies. It used a model-reinforcement learning algorithm called Regularized Nash Dynamics (R-NaD) combined with a deep neural network architecture that seeks a Nash equilibrium—“an unexploitable strategy in zero-sum two-player games” like Stratego—and by doing so, it could learn the “qualitative behavior that one could expect a top player to master.” This is an approach that has been used before in simple Prisoner’s Dilemma-style games, but never with a game as complex as this.

DeepNash was tested against the best existing Stratego bots and expert human players. It beat all other bots and was highly competitive against the expert humans on Gravon, an online board games platform. Even better, from a qualitative standpoint, it was able to play well. It could make trade-offs between taking material and concealing the identity of its pieces, execute bluffs, and even take calculated gambles. (Though the researchers also consider that terms like “deception” and “bluff” might well refer to mental states that DeepNash is incapable of having.)

All told, it’s an exciting demonstration of a new way of training AI models to play games (and maybe perform other similar tasks in the future)—and it doesn’t rely on computationally heavy deep search strategies which have previously been used to play other games like chess, Go, and poker.

Can airplane engines run on hydrogen? A recent ground test showed good results. https://www.popsci.com/technology/rolls-royce-engine-hydrogen-power-test/ Thu, 01 Dec 2022 00:00:00 +0000 https://www.popsci.com/?p=493476
The engine was not airborne.
The engine was not airborne. Rolls-Royce

Rolls-Royce and easyJet carried out the experiment with hydrogen, which comes with its own challenges as fuel.

The post Can airplane engines run on hydrogen? A recent ground test showed good results. appeared first on Popular Science.

British airplane engine maker Rolls-Royce and low-cost airline easyJet announced this week that they had successfully powered a modern airplane engine using 100% hydrogen fuel. The test took place at a military facility in the UK, with the engine remaining stationary on the ground. 

Since the aviation industry currently produces about 2% of global carbon emissions, there are serious reasons to develop a greener way to fuel planes. Rolls-Royce (the aerospace and defense contractor, not the similarly named car brand that is owned by BMW) is hoping that hydrogen might hold the answers it needs to keep selling its turbofans and other engines into the future. 

Most airplane engines run on jet fuel, which is based on kerosene. Unfortunately for the climate, that’s a fossil fuel that releases CO2 when burned. Some airlines mix in sustainable aviation fuels (SAFs) that are chemically identical to kerosene, though are manufactured from renewable starting materials like used cooking oil, food scraps, and corn stover (the remains of corn cobs after the harvest). Still, because SAFs are chemically the same as kerosene, they release just as much CO2 when they are burned—the benefits are just that the processes required to manufacture them may be more environmentally sustainable.

Hydrogen offers a potentially better option as it contains no carbon. When it’s burned, the main byproduct is water vapor (though there are still some pollutants like nitrous oxide). As long as the hydrogen is produced using wind, wave, or other renewable forms of electricity, it can legitimately be a carbon-neutral fuel. For this test, Rolls-Royce used “green hydrogen” from the European Marine Energy Centre in the Orkney Islands. It was produced using tidal energy, rather than reconstituted from methane gas.

Hydrogen can potentially power planes in two different ways: As the fuel source for an electricity generating fuel cell that powers an electric motor, or by being directly burned. Rolls-Royce and easyJet took the second approach using a Rolls-Royce AE 2100-A regional aircraft engine that had been modified to burn hydrogen instead of jet fuel. Given the success of this test, they plan to work up to a full-scale ground test using a Rolls-Royce Pearl 15 jet engine and eventually a flight test using civil aero engines.

Of course, hydrogen comes with its own host of problems. It is significantly less energy dense than kerosene, so aircraft would have to carry larger amounts of fuel to cover the same distance. It’s also a gas at temperatures above −423°F (−253°C), which makes storing it more challenging. For Rolls-Royce’s test engine, it was compressed to 200 bar (roughly 100 times the typical tire pressure of a car). This makes it significantly more viable for short haul flights, rather than trans-oceanic and other long haul routes. 

Still, there are promising signs that hydrogen could have a future in the world of aviation—especially as the industry strives to be carbon neutral by 2050. Johan Lundgren, the CEO of easyJet, called it “a huge step forward” in the press release. Similarly, Grazia Vittadini, the Chief Technology Officer of Rolls-Royce, said, “The success of this hydrogen test is an exciting milestone… We are pushing the boundaries to discover the zero carbon possibilities of hydrogen, which could help reshape the future of flight.”

Rolls-Royce isn’t the only aerospace company exploring hydrogen as an option. Airbus has plans to get an A380 in the air with a hydrogen engine by 2026. The European Union hopes that by 2035, short-range flights would be possible, and that by 2050 up to 40 percent of flights in Europe would be powered by hydrogen. 

But make no mistake: No matter how successful Rolls-Royce and easyJet’s tests are, we are still a long way from large numbers of hydrogen-powered jets taking to the skies. 

The leap second’s time will be up in 2035—and tech companies are thrilled https://www.popsci.com/technology/bipm-abandon-leap-second/ Sat, 26 Nov 2022 15:00:00 +0000 https://www.popsci.com/?p=490660
people walking in front of clock
Stijn te Strake / Unsplash

Y2Yay?

The post The leap second’s time will be up in 2035—and tech companies are thrilled appeared first on Popular Science.

It’s the final countdown for the leap second, a janky way of aligning the atomic clock with the natural variation in the Earth’s rotation—but we’ll get to that. At a meeting last week in Versailles, the International Bureau of Weights and Measures (BIPM) voted nearly unanimously to abandon the controversial convention in 2035 for at least 100 years. Basically, the world’s metrologists (people who study measurement) are crossing their fingers and hoping that someone will come up with a better solution for syncing human timekeeping with nature. Here’s why it matters. 

Unfortunately for us humans, the universe is a messy place. Approximate values work well for day-to-day life but aren’t sufficient for scientific measurements or advanced technology. Take years: Each one is 365 days long, right? Well, not quite. It actually takes the Earth something like 365.25 days to rotate around the sun. That’s why approximately every fourth year (except for years evenly divisible by 100 but not by 400) is 366 days long. The extra leap day keeps our calendar roughly aligned with the Earth’s actual rotation. 

Things get more frustrating the more accurately you try to measure things. A day is 86,400 seconds long—give or take a few milliseconds. The Earth’s rotation is actually slowing down due to lots of complicated factors including the ocean tides and shifts in how the Earth’s mass is distributed. All this means that days are getting ever so slightly longer, a few milliseconds at a time. If we continued to assume that all days are exactly 86,400 seconds long, our clocks would drift out of alignment with the sun. Wait long enough and it would start rising at midnight. 

In 1972, BIPM (it comes from the French name, Bureau International des Poids et Mesures) agreed to a simple fix: leap seconds. Like leap days, leap seconds would be inserted into the year so as to align Coordinated Universal Time (UTC) with the Earth-tracking Universal Time (UT1). Leap seconds aren’t needed predictably or very often. So, instead of having a regular pattern for adding them, BIPM would tally up all the extra milliseconds and, when it was necessary, tell everyone to add one whole millisecond to the clock. Between 1972 and now, 27 leap seconds have been inserted into UTC.

While probably not the best idea even back in the 70s, the leap second has become a progressively worse idea as computers made precision timekeeping more widespread. When the leap second was created, accurate clocks were the preserve of research laboratories and military installations. Now, every smartphone can get the exact UTC time accurate to 100 billionth of a second from the GPS and other navigation satellites in orbit. 

The problem is that all the interlinked computers on the internet use UTC to function, not just let you know that it’s time for lunch. When files are saved to a database, they’re time stamped with UTC; when you play an online video game, it relies on UTC to work out who shot first; if you post a Tweet, UTC is in the mix. Keeping everything on track is a major headache for large tech companies like Meta—which recently published a blog post calling for the abolition of the leap second—that rely on UTC to keep their servers in sync and operational.

That’s because the process of adding leap seconds—or possibly removing one as the Earth appears to be speeding up again for some reason—breaks key assumptions that computers have about how time works. These are simple rules: Minutes have 60 seconds, time always goes forward, doesn’t repeat, doesn’t stop, and so on. Inserting and removing leap seconds makes it very easy for two computers that are meant to be in sync to get out of sync—and when that happens, things break.

When a leap second was added in 2012, Reddit went down for 40 minutes. DNS provider Cloudflare had an outage on New Year’s Day in 2017 when the most recent leap second was added. And these happened despite the best efforts of the companies involved to account for the leap second and mitigate any adverse effects.

Large companies have developed techniques like “smearing,” where the leap second is added over a number of hours rather than all at once. Still, it would make things a lot easier if they didn’t have to at all.
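The two behaviours described above, a clock that inserts the leap second all at once and one that smears it, modelled as an added example (not code from the article or from any company it names). The 24-hour window centred on the leap second, the timeline origin and the two events are constructed assumptions; the article says only that the smear runs over a number of hours.

```python
"""Step vs. smear handling of one inserted leap second.

All times are integer milliseconds on a constructed, leap-free reference
timeline. None of the constants below come from the article.
"""

LEAP_MS = 1_000_000_000             # constructed: instant the extra second begins
SMEAR_WINDOW_MS = 24 * 3600 * 1000  # assumption: 24-hour linear smear
SMEAR_START_MS = LEAP_MS - SMEAR_WINDOW_MS // 2  # assumption: centred on the leap


def stepped_clock(t_ms):
    """Host that inserts the second all at once by stepping back 1000 ms.

    Readings LEAP_MS .. LEAP_MS + 999 are therefore issued twice.
    """
    return t_ms if t_ms < LEAP_MS + 1000 else t_ms - 1000


def smeared_clock(t_ms):
    """Host that absorbs the same 1000 ms gradually across the smear window."""
    if t_ms <= SMEAR_START_MS:
        return t_ms
    if t_ms >= SMEAR_START_MS + SMEAR_WINDOW_MS:
        return t_ms - 1000
    absorbed = (t_ms - SMEAR_START_MS) * 1000 // SMEAR_WINDOW_MS
    return t_ms - absorbed


def backward_steps(clock, instants):
    """Count how often a later instant gets an earlier reading."""
    readings = [clock(t) for t in instants]
    return sum(1 for a, b in zip(readings, readings[1:]) if b < a)


def order_by_timestamp(clock, events):
    """Event names in the order a log sorted by this clock would show them."""
    return [name for name, t in sorted(events, key=lambda e: clock(e[1]))]


def max_skew_ms(instants):
    """Largest disagreement between a stepping host and a smearing host."""
    return max(abs(stepped_clock(t) - smeared_clock(t)) for t in instants)


# Constructed events: A really happens 200 ms before B, straddling the step.
EVENTS = [("A", LEAP_MS + 900), ("B", LEAP_MS + 1100)]
AROUND_LEAP = range(LEAP_MS - 2000, LEAP_MS + 3000, 100)
WHOLE_WINDOW = range(SMEAR_START_MS, SMEAR_START_MS + SMEAR_WINDOW_MS + 1, 1000)

if __name__ == "__main__":
    for name, clock in (("stepped", stepped_clock), ("smeared", smeared_clock)):
        print(name,
              "backward steps:", backward_steps(clock, AROUND_LEAP),
              "log order:", order_by_timestamp(clock, EVENTS))
    print("max skew between the two hosts (ms):", max_skew_ms(WHOLE_WINDOW))
```

A log sorted by the stepping host's timestamps lists B before A although A happened first, while the smearing host keeps the order. During the smear the two hosts disagree by up to half a second, which is why every machine in a fleet has to handle the leap second the same way.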

Of course, that brings us back to last Friday’s important decision. From 2035, leap seconds are no longer going to matter. BIPM is going to allow UTC and UT1 to drift apart until at least 2135, hoping that scientists can come up with a better system of accounting for lost time—or computers can get smarter about handling clock changes. It’s not a perfect fix, but like many modern problems, it might be easier to kick it down the line.

Alexa, why are you losing so much money? https://www.popsci.com/technology/amazon-alexa-lose-money/ Wed, 23 Nov 2022 20:00:00 +0000 https://www.popsci.com/?p=490595
Amazon Echo device
Jonathan Borba / Unsplash

Amazon's Alexa, the Google Assistant, and Apple’s Siri have all reportedly had their own struggles. Here’s what’s going on.

According to a new report from Business Insider, Amazon Alexa, the shopping giant’s voice assistant, is on track to lose $10 billion this year. Long-term plans for the Echo devices Alexa runs on are also up in the air as the division responsible for its development is set to be one of the most affected in a planned round of approximately 10,000 layoffs. It’s all a bit shocking for one of Amazon’s most popular and public-facing products.

Amazon launched Alexa in 2014. According to the Business Insider report, it was a “pet project” of Jeff Bezos, the founder and former CEO, who took a very hands-on approach. Initially, the aim was to monetize user interactions with Echo devices, rather than sell the products themselves for a profit. If consumers could be convinced to order everything from laundry detergent to games consoles from Amazon with a quick voice command, the company stood to make a lot of money. 

That, however, did not pan out as expected. A rake of privacy scandals certainly didn’t help and, despite Alexa getting roughly a billion user interactions per week in 2018, they were mostly simple requests to play music or deliver a weather report. Not exactly the kind of asks that can easily be monetized. That year, it lost almost $5 billion.

Amazon tried other methods of turning a profit, including partnering with companies like Domino’s Pizza and Uber to allow customers to order pizza or a ride with a voice command, but it never took off. And even though users are likely to spend more on other products from Amazon or sign up for Prime, the extra profit from other sectors is nowhere near enough to cover the ongoing cost of the voice assistant.

According to Business Insider’s report, Worldwide Digital, the division that handles Echo devices, Alexa, and Prime Video streaming, had an operating loss of over $3 billion in the first quarter of this year. The vast majority of that was “tied to Amazon’s Alexa and other devices.” It is apparently on track to lose more than $10 billion this year.

Despite never having reached profitability, it’s hard to call Alexa a straight-up failure. Echo devices are among the best-selling items on Amazon (although they are apparently sold for roughly what they cost to manufacture and deliver). One employee quoted in the report calls Alexa “a colossal failure of imagination” and “a wasted opportunity,” which feels closer to the mark. Although Amazon tends to keep sales numbers private, it announced in 2019 that it had sold a total of 100 million devices with Alexa onboard. If sales figures stayed flat, that would suggest there are somewhere in the region of 200 million devices with Alexa out in the world.

Business Insider claims Alexa is the third most popular voice assistant with 71.6 million users, behind Apple’s Siri (77.6 million users) and Google Assistant (81.5 million users). What’s notable about this is that Siri and Google Assistant come pre-installed on smartphones, while Alexa is primarily available on dedicated smart speakers. To get by in modern society, you kind of need a smartphone—but nobody needs a smart speaker. 

Google is seemingly in a similar situation with Google Assistant—it apparently does not generate significant revenue for the company. According to a recent report from The Information, the search giant will invest less in making it available on non-Google (and non-smartphone) hardware. 

Strangely, Apple’s much maligned Siri could be the most successful of the voice assistants—or at least the one that is causing its parent company the smallest headache. The reason could be that it’s a shared component across the iPhone-Mac-Apple Watch ecosystem, not a standalone product. But Apple also has its own separate Siri-supported smart home hardware. The original $350 HomePod smart speaker was a commercial failure, though the $99 HomePod Mini seems to be doing much better—and was the top-selling smart speaker in quarter one of this year. There are apparently plans to relaunch a full-size HomePod. Especially when you consider Apple’s prices and usual margins, it’s fairly safe to assume these devices aren’t being sold at cost price. 

What’s next for the big names in smart speakers remains to be seen. Both Amazon and Google are set to ax workers from the divisions that run them, though neither company has announced plans to cease development or roll back features. Certainly, it seems unlikely that there is some as-yet-undiscovered way to turn successful scraps from this technology into profitable device-based businesses.

How to livestream an event for all your friends and family https://www.popsci.com/story/diy/livestream-event-holiday-wedding-birthday/ Tue, 24 Nov 2020 22:07:35 +0000 https://www.popsci.com/uncategorized/livestream-event-holiday-wedding-birthday/
A mug of coffee or tea next to a Macbook laptop with Zoom open and full of people.
If everything's set up properly, you can sit back and relax as guests join, but don't forget to make your video feed the main event. Chris Montgomery / Unsplash

When in-person gatherings aren’t possible, this is the skill you need.

Live streaming? Easy. Grab your phone, open Instagram, and go live. Doing it well? Harder—but doable.

Take my brother’s wedding, for example. He married his fiancée (from Alabama) in Ireland (in case my byline isn’t enough of a hint, we’re Irish) during the early months of the COVID-19 pandemic. Even in the best of times, there would have been a huge number of important friends and family around the world who couldn’t physically attend the event. But with travel and gathering restrictions in place in Ireland, limits on international travel, and other more individualized issues, more than three times as many people were prepared to tune in online as would actually be there. The livestream couldn’t be an afterthought—it was the main event for most people.

At some point, this is likely to be the case for you. Whether it’s a wedding, funeral, birthday celebration, holiday gathering, or something else, getting the livestream right will be crucial.

It’s all about the sound

The most important part of a livestream isn’t the video, it’s the sound. Just think of all the blurry, low-resolution YouTube videos and questionably-procured episodes of TV you’ve watched over the years. It’s much more important to hear the bride and groom make their vows than to see it happen in 4K HDR.

For the best sound quality, you’ll need a dedicated directional microphone placed close to wherever people will be speaking. The microphone built into your computer, webcam, or smartphone won’t cut it; it will pick up too much noise from the environment, and there’s no workaround.

You can get fancy and use wireless lapel mics or other more elaborate options, but it’s hard to beat a good USB microphone on a long cable. The two I recommend are the Blue Snowball and the Blue Yeti.

If you’ve ever listened to a podcast, watched someone stream on Twitch, or learned something from a screencast, there’s a good chance you’ve heard one of these two microphones in action. The Snowball costs less, at around $70, while the Yeti is a step up but costs $130. Crucially, both have different “pattern modes” which control the direction of their sound pickup. The cardioid pattern, which is the one you should use, only picks up sound from sources directly in front of the microphone. In other words, put the mic on the dinner table in front of the speaker, and even if the crowd around them whoops and hollers, you’ll still get decent audio.

And if you’d like to shop around a little more, PopSci’s reviews team has compiled a list of the best mics for streaming.

OK, video matters too

With a good audio setup, you can get away with a lot of video sins. Seriously: You can connect a Blue Yeti directly to your smartphone (you may need a USB-C-to-USB-A or Lightning-to-USB-A adapter, depending on your phone) and have a livestream that’s far better than most one-on-one Zoom calls.

Still, you can make things even better without a huge amount of effort.

First up: the camera you’re recording with. You can connect a modern DSLR or a mirrorless camera to your computer and use it as a webcam, but I don’t recommend it. They’re not designed for recording long, continuous video, so they can overheat, run out of battery, or fall victim to a number of issues. If you know what you’re doing, it can work, but for most people, the bump in video quality will be offset by a lot of extra stress and failure.

Ultimately, the best camera will be your smartphone. You can, as I suggested earlier, wire a mic straight in, but it’s better to use your phone as a webcam connected to a computer. There are quite a few apps that let you do this:

  • Camo Pro: This is what I went with. It started as an Apple-only service, but you can now use it with Android and Windows devices as well. It’s also one of the most expensive options, at $5 a month, $40 a year, or $80 forever. However, the Camo Studio app gives you a huge amount of control over the video feed, which I wanted.
  • EpocCam Pro: This is a less-expensive option at $8, and it works with any iOS device connected to a PC or a Mac.
  • DroidCamX Pro: This is only $5, and it connects both Android and iOS devices to Windows or Linux PCs.

Whichever option you go with, I’d recommend using a USB connection rather than wireless. For live, one-time events, you want the simplest setup possible—you won’t want to wrangle a fickle WiFi router that’s struggling to handle loads of guests. Go with a 3- or 6-foot cable and you’ll have lots of options for where to place the camera.

You can hold your smartphone yourself, but a stable tripod is better. If you already have one, you can get a tripod mount for your phone. Otherwise, any phone tripod will do—as long as you can place the smartphone where you want. Worst comes to worst, prop it up higher with a chair.

Choose your streaming platform

With the hardware side of things set up, it’s time to broadcast to the world. There are plenty of streaming options, and which one you choose depends on what features you need and where your audience is.

I went with Zoom’s Video Webinar. It was overkill and pricey, at $40 a month for up to 100 attendees, but Zoom’s offerings have changed since then. Now, you can host a 100-person event on Zoom One Pro for $15 a month, or livestream to 300 people for $20 a month. There’s a free version, but you can’t stream for more than 40 minutes. Zoom Webinars are now $80 a month for a minimum of 500 attendees.

Overall, Zoom gave me a lot of control over how people viewed the stream, most people were already familiar with it, and I needed something bulletproof since my brother is only getting married once. As a bonus, I was able to record a local copy of the event and see everyone’s in-person and Zoom chat reactions.

If most of your audience or guests are on Facebook, YouTube, or Twitch, those platforms’ livestreaming options are good, but you may have to jump through some hoops to get set up. Don’t count on them on short notice.

Also, be aware that no matter where you host the stream, you are probably running afoul of copyright laws if you play any music. For a private event, copyright owners are unlikely to notice or shut everything down mid-event, but don’t use the tips in this article to broadcast a bootleg concert to thousands of people. And they can still punish you afterward.

Test, test, test

The time to test everything (and I mean everything) is not the day of the event. Instead, make sure everything is working at least a day or two beforehand so you can fix any of the (almost inevitable) bugs, problems, and other weird issues.

A non-exhaustive dry-run checklist includes ensuring that:

  • The internet is fast enough to stream from
  • You have a way to send the guests a link to the livestream, or that it’s scheduled in advance
  • All the guests know how to access the livestream and have the right app installed
  • The microphone and camera cables are long enough that you can position them where you want
  • The microphone is positioned and angled correctly
  • You’ve selected the correct audio and video sources for the stream
  • You have a charger for the computer you’re running things through
  • The lighting is good enough—if it isn’t, turn on more lights or face a window
  • There’s no dancing or anything else planned that could take out all the cables or the tripod
  • Your computer won’t automatically go to sleep
  • Scheduled updates aren’t going to start breaking everything
  • If you’re recording the event, you’ve ticked the right checkboxes and have enough hard drive space

In other words, thorough troubleshooting and preparation should ensure things go off without a hitch.

Going live

When the day of the event rolls ’round, you should be confident that it’s going to go well, the online guests should know what to expect, and there should be no last-minute scrambles.

With that said, make sure you give yourself enough time to set everything up (if you can’t leave it set up from the tests you did the day before).

Some key things to bear in mind as you get ready to start the stream:

  • Make sure everyone involved knows there’s a livestream and where the microphone is located. You don’t want someone standing way off to the side as they speak. In particular, inform any celebrants, family members who missed your multi-hour set up procedure, and anyone else who is expected to speak but wasn’t involved with planning the livestream. They may need a reminder to speak to the e-guests.
  • Put your smartphone, if you’re using it as a camera, in Airplane mode. That’ll stop uninvited robo-callers from ruining everything.
  • If you can, set the stream up so that any guests who join are automatically muted and can’t un-mute themselves. On Zoom, this means clicking Participants, followed by Mute All when you set up the livestream, and then, under Mute all current and new participants, unchecking the box next to Allow participants to unmute themselves.
  • Set up the stream so your video feed is the main one on everyone’s screen. For Zoom, hover your mouse cursor over your video feed and click Spotlight for Everyone.

Finally, try to relax and have fun. Setting up a livestream—especially if you haven’t done so before—can be stressful, but you’ve got this.

This story has been updated. It was originally published on November 25, 2020.

Your questions about FTX’s meltdown and crypto’s bad year, answered https://www.popsci.com/technology/ftx-crypto-exchange-failure-explained/ Fri, 18 Nov 2022 17:58:36 +0000 https://www.popsci.com/?p=488781
FTX is a cryptocurrency exchange based in the Bahamas founded by Sam Bankman-Fried (known as SBF).
FTX is a cryptocurrency exchange based in the Bahamas founded by Sam Bankman-Fried (known as SBF). Tom Williams/CQ-Roll Call, Inc via Getty Images

The moment is a "wake up call" for crypto. Here's what to know.

It’s been a heck of a few months for cryptocurrencies. Back in May, so-called stablecoin UST, or Terra, collapsed, crashing both Bitcoin and Ethereum to the point that almost half of all Bitcoin holders had lost money. Then Three Arrows Capital, a crypto hedge fund, filed for bankruptcy and the founders fled. That was followed by Voyager, another exchange that went bankrupt. One bright spot was Ethereum pulling off a major transition called the Merge, but that has done little to slow the fall of its price—or answer questions about its usefulness. 

The latest and most significant drama comes from a cryptocurrency exchange called FTX, which has made headlines over the past 10 days or so as shocking details have emerged about the state of its internal operations. If you’re just catching up, here’s everything you need to know. 

What is FTX?

FTX is a cryptocurrency exchange based in the Bahamas founded by Sam Bankman-Fried (known as SBF). It and 130 or so affiliated companies are currently in the middle of Chapter 11 bankruptcy filings brought about by, well—stay tuned, and we’ll explain. In brief, it looks like some combination of gross mismanagement, a total lack of oversight, and possibly some fraud.

What’s so shocking about this situation is that FTX and SBF were once seen as the respectable faces of crypto. FTX was the third largest cryptocurrency exchange by volume, had the name sponsorship of the Miami Heat’s arena, and even had deals with Tom Brady and Shaq. It was valued at $32 billion this January, with investment from some of the largest venture capital firms, like Sequoia and SoftBank. SBF himself was the subject of glowing profiles and heralded for his charitable ambitions. In short, this wasn’t meant to be some dodgy, fly-by-night operation—it was supposed to be the future of crypto. And now it’s in shambles.

For the uninitiated, a crypto exchange is a place where people can buy or exchange cryptocurrencies. Have dollars to spare, but want Bitcoin? Use a crypto exchange to make that happen. But you can also use an exchange to change from one cryptocurrency to another, like Bitcoin to Ethereum. They are often used like a bank to store them, too—which is why this FTX situation is a problem. Other examples of exchanges include Coinbase, Binance, and Crypto.com. 

So, what happened at FTX?

For now, we don’t have a complete picture of what happened, but here’s what we do know. The catalyst for the collapse was a liquidity crisis brought about by an article on CoinDesk that raised worrying questions about the state of FTX’s finances, but how the company got to the point that it could not satisfy customer withdrawal requests is going to be the subject of lengthy bankruptcy proceedings, an investigation by the Securities and Exchange Commission (SEC), another investigation by the Department of Justice, class action lawsuits, and perhaps a book by The Big Short author, Michael Lewis. Details from all these investigations are going to trickle out over the next few years, but for now there are a couple of key things we know for sure. 

FTX’s business was allegedly a mess. The bankruptcy filings from the new CEO John J. Ray III (an attorney and liquidation specialist who handled Enron’s bankruptcy) said that never in his career had he seen “such a complete failure of corporate controls and such a complete absence of trustworthy financial information.” There was no complete list of bank accounts, financial statements were incomplete, and almost all the value of assets was based on cryptocurrencies that FTX had created. “From compromised systems integrity and faulty regulatory oversight abroad, to the concentration of control in the hands of a very small group of inexperienced, unsophisticated and potentially compromised individuals,” writes Ray, “this situation is unprecedented.”

What’s more, FTX lent money to another SBF-founded company, the trading firm Alameda Research, in order to keep it afloat. These $10 billion or so in loans are the source of the SEC investigation as the two were meant to be separate businesses, and undisclosed trading with customer deposits is illegal. If the situation is as bad as it looks, SBF could be in a lot of trouble. FTX most likely lent the capital to Alameda Research to cover bad trades as a result of crashing crypto prices throughout 2022, but the specifics aren’t clear yet.

The rumors that Alameda Research had been receiving capital to prop up its business from FTX were enough to start the run on the bank. Initially, it looked like a rival exchange, Binance, would step in and buy FTX, but it did not. FTX was unable to secure any other investors and, as a result, had to halt trading and file for bankruptcy.

SBF and three other FTX executives received over $4.1 billion in loans from FTX. Money from the company was also used to purchase real estate and other personal items for employees. What’s happened with all this cash is, so far, unknown. 

Between $1 and $2 billion of customer assets have just disappeared. Another $477 million was stolen in a hack during the collapse.

In short, despite presenting itself as an above-board, well-run operation, FTX appears to have been anything but.

How much money have customers lost?

As with all things crypto, assigning real-world dollar values to intangible tokens can be challenging. At the time of its collapse, FTX claimed to have $9 billion worth of liabilities, which include customer assets. Cryptocurrencies have mostly had a bad year, so there is no telling how many dollars its customers had actually invested using FTX’s platform, but the short answer is probably a heck of a lot.

The ripple effect has also had indirect costs across the crypto community. Both Bitcoin and Ether fell in response to the collapse, while another exchange, Genesis, has had to halt customer withdrawals. We will likely never know just how much capital was really lost as a result.

What happens next?

As the dust settles on the FTX debacle, the long, slow, bankruptcy proceedings and other investigations will start. Ray and his team will attempt to sell FTX’s assets for the highest possible value so as to return as much money as possible to creditors. Given the state of FTX’s balance sheet, it remains to be seen how much this will actually be. If SBF really did use FTX customer funds to prop up Alameda Research, the SEC investigation is not going to be pretty. One bright side is at least we hopefully have a new Michael Lewis book to look forward to. 

Christian Catalini, founder of the MIT Cryptoeconomics Lab, hopes that for the crypto space, this is a “wake up call.” In an email to PopSci, he called FTX’s meltdown “a reminder of the urgent need for a regulatory framework that is purpose-built for crypto’s unique opportunities and challenges.” He also said that it showed that the crypto community (and investors) had been focussed on “the wrong metrics of success and progress.” Instead of ventures like FTX that drive speculation, he would like to see more projects that focus on solving actual problems. 

Is that actually possible? That remains to be seen, though 2022 has not been the banner year crypto enthusiasts would have hoped for.

Google is testing a new robot that can program itself https://www.popsci.com/technology/google-ai-robot-code-as-policies/ Sat, 05 Nov 2022 11:00:00 +0000 https://www.popsci.com/?p=484325
Code as Policies robot demo at Google AI event
Charlotte Hu

Human operators can type in instructions like "pick up the yellow block" and the robot will do the rest.

Writing working code can be a challenge. Even relatively easy languages like HTML require the coder to understand the specific syntax and available tools. Writing code to control robots is even more involved and often has multiple steps: There’s code to detect objects, code to trigger the actuators that move the robot’s limbs, code to specify when the task is complete, and so on. Something as simple as programming a robot to pick up a yellow block instead of a red one is impossible if you don’t know the coding language the robot runs on. 

But Google’s robotics researchers are exploring a way to fix that. They’ve developed a robot that can write its own programming code based on natural language instructions. Instead of having to dive into a robot’s configuration files to change block_target_color from #FF0000 to #FFFF00, you could just type “pick up the yellow block” and the robot would do the rest. 

Code as Policies (or CaP for short) is a coding-specific language model developed from Google’s Pathways Language Model (PaLM) to interpret the natural language instructions and turn them into code it can run. Google’s researchers trained the model by giving it examples of instructions (formatted as code comments written by the developers to explain what the code does for anyone reviewing it) and the corresponding code. From that, it was able to take new instructions and “autonomously generate new code that re-composes API calls, synthesizes new functions, and expresses feedback loops to assemble new behaviors at runtime,” Google engineers explained in a blog post published this week. In other words, given a comment-like prompt, it could come up with some probable robot code. Read the preprint of their work here.

To get CaP to write new code for specific tasks, the team provided it with “hints,” like what APIs or tools were available to it, and a few instructions-to-code paired examples. From that, it was able to write new code for new instructions. It does this using “hierarchical code generation” which prompts it to “recursively define new functions, accumulate their own libraries over time, and self-architect a dynamic codebase.” This means that given one set of instructions once, it can develop some code that it can then repurpose for similar instructions later on.

CaP can also use the arithmetic operations and logic of specific languages. For example, a model trained on Python can use the appropriate if/else and for/while loops when needed, and use third-party libraries for additional functionality. It can also turn ambiguous descriptions like “faster” and “to the left” into the precise numerical values necessary to perform the task. And because CaP is built on top of a regular language model, it has a few features unrelated to code—like understanding emojis and non-English languages. 

For now, CaP is still very much limited in what it can do. It relies on the language model it is based on to provide context to its instructions. If they don’t make sense or use parameters it doesn’t support, it can’t write code. Similarly, it apparently can only manage a handful of parameters in a single prompt; more complex sequences of actions that require dozens of parameters just aren’t possible. There are also safety concerns: Programming a robot to write its own code is a bit like Skynet. If it thinks the best way to achieve a task is to spin around really fast with its arm extended and there is a human nearby, somebody could get hurt. 

Still, it’s incredibly exciting research. With robots, one of the hardest tasks is generalizing their trained behaviors. Programming a robot to play ping-pong doesn’t make it capable of playing other games like baseball or tennis. Although CaP is still miles away from such broad real-world applications, it does allow a robot to perform a wide range of complex robot tasks without task-specific training. That’s a big step in the direction of one day being able to teach a robot that can play one game how to play another—without having to break everything down to new human-written code.

Europe’s big new Digital Markets Act could help hold tech giants accountable https://www.popsci.com/technology/digital-markets-act-eu/ Mon, 31 Oct 2022 22:00:00 +0000 https://www.popsci.com/?p=482601
Internet photo

The DMA introduces a series of new rules that "gatekeepers in the online platform economy” will have to comply with if they want to operate in the EU.


Tomorrow, the European Union’s Digital Markets Act (DMA) comes into force. It aims to put an end to unfair practices by “gatekeepers in the online platform economy.” Over the next year it will likely force large US tech companies—like Google, Meta, and Amazon—to change how they operate in Europe. It’s the latest in a long string of EU regulations that are having huge knock-on effects for American firms.

The DMA introduces a series of new rules that so-called gatekeepers to ten “core platform services” will have to comply with if they want to operate in the EU. They include companies in charge of online intermediation, online search engines, social networks, video-sharing platforms, some messaging services, operating systems, cloud computing services, online advertising networks, web browsers, and virtual assistants. In short, it basically applies to all the core services of companies like Amazon, Apple, Alphabet (Google’s parent company), Microsoft, and Meta.

Fortunately for small businesses, the most onerous terms of the law only apply to the biggest companies. If a company has an annual turnover of more than €7.5 billion (~$7.4 billion) in the EU or a market capitalization of €75 billion (~$74 billion) and serves more than 45 million monthly European end users and 10,000 yearly business customers for the previous three years, it is considered a gatekeeper and is obliged to comply with the DMA. 

Under the DMA, gatekeepers “carry an extra responsibility to conduct themselves in a way that ensures an open online environment that is fair for businesses and consumers.” In practice, this means there is a list of “dos and don’ts” that companies are obliged to abide by that will likely force the large US tech companies to change the way their systems function. 

For example, the DMA would radically change how Apple’s iOS operating system works if it were strictly enforced. Under the DMA, Apple would have to allow users to install third-party apps and app stores, allow third parties to interoperate with its services (possibly including deeper iOS functionality), and be banned from requiring app developers to use its payment processing to be listed in the App Store. EU users would be able to install Google Chrome from its official website and set it as the default—and uninstall Safari after.

Similarly, gatekeepers will be banned from using data from their platform business to compete on their own platform. This means that they might not be able to prioritize their own services over their competitors’. Amazon, then, couldn’t use sales data to develop its own label products, nor could it rank them more favorably by default, and Google couldn’t automatically promote Google Flights over Skyscanner on its home page.

How this all plays out remains to be seen and will likely involve some lengthy legal battles. Unlike with an antitrust investigation and monetary fine after some bad behavior, the big shift with the DMA is that it will put responsibility on the gatekeepers to show that they are playing fair from the start. If they can’t show that they are providing a fair and open platform, they won’t be allowed to operate in the EU’s 26 member countries. 

It’s also unclear how global the effects of the law will be. Previous EU laws like GDPR and a French right-to-repair law have changed how the large tech companies operate in non-EU countries as well. Apple, for example, is adding USB-C to all its iPhones because it’s cheaper and easier than creating a special EU edition with a different port. But, at least with digital services, companies could conceivably comply with certain prohibitions only in the EU—while continuing to operate in a manner that the EU considers unfair in the rest of the world.

As with all things in the EU, the DMA moves slowly but inexorably. While the law comes into force tomorrow, it won’t actually be enforceable until May 2, 2023. Various parts will also be implemented in different stages, so large gatekeepers won’t have to fully abide by the terms of it until at least mid-2024. 

A major player in the AV space is hitting the brakes—here’s why https://www.popsci.com/technology/argo-ai-shut-down/ Thu, 27 Oct 2022 19:30:00 +0000 https://www.popsci.com/?p=481450
Argo AI car
Drew Anthony Smith / Argo AI

Although it was backed by Ford and Volkswagen, Argo AI's tech could not meet previously laid out timelines and budgets.


Argo AI, the autonomous driving startup backed by Ford and Volkswagen, is shutting down. The news came as part of Ford’s third-quarter earnings report and was first reported by TechCrunch. It’s a big shakeup in the autonomous vehicle space. 

Argo AI was founded in 2016 by former staff of Google and Uber’s self-driving car programs. After securing $1 billion in investment from Ford in 2017 (and a further $2.6 billion from Ford and VW a few years later), it quickly became one of the most promising operators of autonomous vehicles. Just this year it expanded its testing cities to cover Miami, Austin, Palo Alto, Detroit, Pittsburgh, Washington D.C., and internationally in Munich and Hamburg, Germany. It had even partnered with Lyft to offer driverless (with a safety driver) ride-hailing, and Walmart to offer driverless grocery delivery. 

Given the traditional car makers supporting it and how seemingly advanced its testing was, Argo AI’s sudden shutdown is a bit of a shock. This wasn’t some billionaire making bold claims that never materialized and are now under criminal investigation—it was a serious self-driving project from industry veterans. 

The issue for Argo AI seemed to be the timeline (and funding) for developing fully capable autonomous vehicles. In its third-quarter earnings report, Ford said that when it initially invested in Argo AI, the company had planned to bring a Level 4 advanced driver-assistance system (ADAS) to market by 2021—essentially a car capable of totally driving itself in some specific situations, though with human override still possible. That didn’t happen and Argo AI was unable to attract additional investment earlier this year. 

On top of that, Ford CEO Jim Farley says in the earnings report that “profitable, fully autonomous vehicles at scale are a long way off.” Ford (and VW) have apparently lost faith in Argo AI’s ability to deliver a self-driving car program in any sort of reasonable timeframe, or at least without losing much more capital.

This doesn’t mean that Ford and VW are giving up on any form of driver automation, but they are refocusing their priorities. Farley says that although he is optimistic that there will be L4 ADAS systems in the future (and that Ford will be able to buy one instead of having to build it), Ford will focus on developing lower levels of ADAS—specifically L2+ and L3, which include things like automatic lane-following cruise control, automated lane changing, and other highly automated features that fall short of full self-driving. According to its press release, VW is still developing L4 ADAS systems, just not with Argo AI.

What this high-profile casualty means for the rest of the self-driving industry remains to be seen. There are still a number of companies testing autonomous cars in the US and globally, including Pony.ai, Aurora, Cruise (owned by General Motors), Motional (owned by Aptiv and Hyundai), Waymo (owned by Google-parent company, Alphabet), and Zoox (owned by Amazon). All, though, are operating geographically limited trials generally overseen by human drivers; none of them are yet profitable or operating at scale. And all are facing the same technical challenges that Argo AI failed to overcome.

With venture capital investments falling across the board, we could be facing a tough few years for full driverless car dreamers. TechCrunch has gone as far as declaring that “it’s time to admit self-driving cars aren’t going to happen,” at least not in the near future and not with any kind of ubiquity. 

Booking a trip online? Here’s what tracking cookies could be gathering about your family. https://www.popsci.com/technology/mozilla-blog-tracking-cookies/ Mon, 24 Oct 2022 22:00:00 +0000 https://www.popsci.com/?p=480285
firefox browser on phone
DEPOSIT PHOTOS

A Mozilla product manager breaks down what cookies you might pick up just from booking a vacation.


In a blog post published today, Mozilla product manager Karen Kim detailed an experiment she conducted to see how many tracking cookies got installed in her browser when she researched a family trip for two adults and two children to Costa Rica. 

By visiting multiple flight, hotel, and car rental comparison sites, and using Google to find sightseeing information, guidance on traveling with children, and product recommendations, Kim picked up a total of 1,620 cookies—around 20 percent of which were third-party tracking cookies from analytics and ad companies like Google and Facebook. Kim concluded that there was something “insidious” about the whole situation, saying: “In the act of planning a trip online without anti-tracking protection, someone out there now knows about the ages of your children, your partner’s interests, which family scuba lesson you’ve booked and with whom.”

While some cookies are crucial for keeping modern websites operating, others are a bit more nefarious. Good cookies track things like your preferred language and the contents of your shopping cart, and keep you logged in when you browse around a site. No one really has any issues with these kinds of cookies—they are a necessary part of the modern web. Without them, all but the most basic websites would cease to function. 

Third-party tracking cookies, on the other hand, are the kind of cookies that privacy experts are most concerned about. Combined with other kinds of tracking, they allow companies and data brokers to create incredibly detailed profiles of your online activities. In Mozilla’s blog post, Kim said that the advertising companies would have been able to link the age of her children, her partner’s interests, and the tours that she booked together. In theory, the information would have been anonymous as it would have likely been linked to a user ID rather than her name and address—but these anonymous profiles are startlingly easy to de-anonymise.

Worse, though, is that the same companies could also have built profiles for her hypothetical kids. This process starts early. Period and fertility-tracking apps—which are currently under a lot of scrutiny due to Roe v. Wade being overturned in the US—essentially start collecting information about children before they are even born. As their parents search the web for answers to parenting questions, to book vacations, and everything else, that profile grows. Some companies are even gathering and selling data from children while they attend classes online. One pre-pandemic report found that by the time a child is 13, over 72 million pieces of personal data will have been collected on them. That figure is almost certainly higher now.

To counter this, Kim suggests using Firefox which has Total Cookie Protection—a special browser mode that silos cookies to prevent third-party tracking cookies following you around the web—enabled by default. However, most modern browsers now offer similar features. Safari blocks all cross-site tracking, including cookies, by default with a feature called Intelligent Tracking Prevention. Brave, Opera, and the new DuckDuckGo browser all use similar strategies to block third-party cookies while still allowing websites to function normally. Even Microsoft Edge has an option—but you will need to enable its stricter settings. The only real holdout is Google Chrome (unsurprisingly)—but even it is due to start blocking them next year.

Cookies as a tracking tool are on the way out. Soon enough, only users with old and obsolete versions of web browsers will be capable of being tracked using them. The bigger problem, unfortunately, is that tracking continues to evolve. Soon, there might be a whole range of alternative tracking tools that will need to be avoided. In particular, first-party tracking by the websites you visit is very hard to prevent. And while you can block cookies, it’s impossible to stop Google from knowing everything you do across Google properties like Gmail and YouTube. If you are logged into your account, it can see every YouTube video you watch, every document you share, and what you search for.

Google is training robots to interact with humans through ping pong https://www.popsci.com/technology/google-robot-ping-pong/ Wed, 19 Oct 2022 23:00:00 +0000 https://www.popsci.com/?p=479445
ping pong paddle and ball
Lennart Schneider / Unsplash

Here's how a machine learns to rally.


Yesterday, Google Research unveiled two new projects it’s been working on with a table tennis-playing robot. The Robotics team at Google taught a robot arm to play 300+ shot rallies with other people and return serves with the precision of “amateur humans.” While this might not sound that impressive given how bad some people are at table tennis, the same techniques could be used to train robots to perform other “dynamic, high acceleration tasks” that require close human-robot interaction. 

Table tennis is an interesting task for robots to learn because of two complementary properties: It requires both fast and precise movements in a structured game that occurs in a fixed and predictable environment. The learning algorithm the robot relies on to make decisions has to work hard to get good, but the confines of a table tennis table limit how much of the world it has to contend with. It does help that playing table tennis is a task that requires two parties: the robot can play with another robot (or simulation) or an actual human to train. All this makes it a great setup for exploring human-robot interaction and reinforcement learning techniques (where the robot learns from doing).

Google engineers designed two separate projects using the same robot: Iterative-Sim2Real, which will be presented at CoRL later this year, and GoalsEye, which will be presented at IROS next week. Iterative-Sim2Real is the program that trained the robot to play 300-shot cooperative rallies with humans while GoalsEye allows it to return serves to a specific target point on the table with amateur human-like precision.

Iterative-Sim2Real is an attempt to overcome the “chicken and egg problem” of teaching machines to mimic human behaviors. The research team explains that if you don’t have a good robot policy (a set of rules for the robot) to begin with, then you can’t collect high-quality data on how people will interact with it. But, without a human behavior model to start with, you can’t come up with the robot policy in the first place. One alternative solution is to exclusively train robots in the real world. However, this process is “often slow, cost-prohibitive, and poses safety-related challenges, which are further exacerbated when people are involved.” In other words, it takes a long time and people can get hurt by robot arms swinging table tennis bats around.

Iterative-Sim2Real sidesteps this problem by using a very simple model of human behavior as a starting point and then training the robot both with a simulation and a human in the real world. After each iteration, both the human behavior model and the robot policy are refined. Using five human subjects, the robot trained with Iterative-Sim2Real outperformed an alternative approach called sim-to-real plus fine-tuning. It had significantly fewer rallies that ended in less than five shots and its average rally length was 9 percent longer. 

GoalsEye, on the other hand, set out to tackle a different set of training problems and taught the robot to return the ball to an arbitrary location such as “the back left corner” or “just over the net on the right side.” Imitation learning—where a robot develops a play strategy derived from human performance data—is hard to conduct in high-speed settings. There are so many variables affecting how a human hits a ping pong ball that tracking everything necessary for a robot to learn is practically impossible. Reinforcement learning is typically good for these situations but can be slow and sample inefficient—especially at the start. (In other words, it takes a lot of repetitions to develop a fairly limited play strategy.)

GoalsEye attempts to overcome both sets of issues using an initial “small, weakly-structured, non-targeted data set” that enables the robot to learn the basics of what happens when it hits a ping pong ball and then allowing it to self-practice to teach it to hit the ball precisely to specific points. After being trained on the initial 2,480 demonstrations, the robot was able to return a ball to within 30 centimeters (~1 foot) only 9 percent of the time. But after self-practicing for ~13,500 shots, it was accurate 43 percent of the time. 

While teaching robots to play games might seem trivial, the research team contends that solving these kinds of training problems with table tennis has potential real-world applications. Iterative-Sim2Real allows robots to learn from interacting with humans while GoalsEye shows how robots can learn from unstructured data and self-practice in a “precise, dynamic setting.” Worst case scenario: If Google’s big goals don’t pan out, at least they could build a robot table tennis coach. 

Adobe’s new AI can turn a 2D photo into a 3D scene https://www.popsci.com/technology/adobe-beyond-the-seen-ai/ Wed, 19 Oct 2022 19:00:00 +0000 https://www.popsci.com/?p=479429
Adobe Beyond the Seen rendering
Users can add shiny objects into the scene with Adobe's new tool. Adobe

A sneak preview of "Beyond the Seen."


Today at Adobe MAX, the company’s annual creativity conference, Adobe will preview a new technology called “Beyond the Seen” that uses artificial intelligence to extend the boundaries of two-dimensional images and even turn them into immersive three-dimensional scenes. While just a demonstration, it shows how AI image generators designed for specific purposes could have far reaching commercial and artistic applications. 

The image generator works by taking a landscape or photograph from inside a building and expanding it into a full 360-degree spherical panorama around the camera. Of course, it can’t know what’s actually behind the camera, so it uses machine learning to create a plausible and seamless environment—whether the input image is of a mountain landscape or the interior of a concert hall. Adobe’s algorithms can also estimate the 3D geometry of the new environment, which enables the view point to be changed, and even for the camera to appear to move around the environment.

While image extension or out-painting isn’t new, Adobe’s AI generator is the first to be built exclusively around it. For example, DALL-E 2 allows users to extend their images in small blocks, while Stable Diffusion requires a workaround.

Adobe’s AI image generator is a little different from more general image generators like DALL-E 2 and Stable Diffusion in a couple of key ways. First, it’s trained on a much more limited dataset with a specific purpose in mind. DALL-E 2 and Stable Diffusion were trained on billions of text-image pairs that cover every concept from avocados and Avril Lavigne, to zebras and Zendaya. Adobe’s generator was trained exclusively on a dataset of roughly 250,000 high-resolution 360-degree panoramas. This means it’s great at generating realistic environments from seed images, but it has no text-to-image features (in other words, you can’t enter a text prompt and get a weird result) or any other general generation features. It’s a tool with a specific job. However, the images it outputs are significantly larger.

AI photo
Users can also turn images into panoramas with the AI tool. Adobe

Adobe’s generator currently uses an artificial intelligence technique called a Generative Adversarial Network, or GAN, and not a diffusion model. GANs work by pitting two neural networks against each other. The Generator is responsible for creating new outputs, and the Discriminator has to guess whether any image it is presented with is an output from the Generator or an actual image from the training set. As the Generator gets better at creating realistic images, it gets better at fooling the Discriminator, and thus a functioning image generation algorithm is created.

Meanwhile, diffusion models, which DALL-E 2 and Stable Diffusion use, start with random noise and edit it to create a plausible image. Recent research has shown that they can produce more realistic results than GANs. Given that, Gavin Miller, VP and Head of Adobe Research, tells PopSci the algorithm could be adapted to use a diffusion model before it was commercially released. 

Although this is still in early development, Adobe has highlighted a couple of potential uses for the technology. While there are the claims about the Metaverse and generating 3D worlds from 2D snapshots, it’s the regular image extension features that are likely to prove valuable first. One example Adobe demonstrated in the demo video is how its algorithm allowed for “specular” (or shiny) rendered objects to be inserted into an image. The AI generator was used to extrapolate what could be behind the camera and above the object in order to create realistic reflections off of that shiny object. This is the kind of thing that would allow architects and interior designers to more easily create accurate-seeming renderings for their projects. 

Similarly, it would allow photographers and videographers to expand the background of their images in a more natural way. Miller explained that the content aware tools, which have been in Adobe’s apps like Photoshop since 2010, are able to generate naturalistic texture, while the new generative models are capable of creating both texture and structure.

While there is no word yet on when this technology will be available to the public, revealing it today is all “part of a larger agenda towards more generative technologies,” that Adobe is pursuing, Miller says. It’s always been possible to create 360-degree panoramas with hardware, but soon it will be possible to create realistic seeming ones using just software. And that really could change things—and yes, maybe make it possible for small creators to make metaverse-adjacent experiences.

Google’s new passkey support is helping kill the password https://www.popsci.com/technology/google-enables-passkey-support/ Fri, 14 Oct 2022 16:31:21 +0000 https://www.popsci.com/?p=478059
Security photo
Deposit Photos / bennymarty

It's still in beta, but the tech is part of an important, larger initiative involving Apple and Microsoft, too.


Passwords are a pain. People use the same insecure passwords over and over again and yet still manage to forget them, which makes protecting accounts and data challenging for big tech companies. Even when someone does use a password that is long and complex enough to be relatively secure—because, say, they have a password manager—it is still vulnerable to social engineering attacks like phishing. All in all, passwords are a terrible system for protecting personal data, sensitive information, and your dog photos—which is why Apple, Google, Microsoft, and the rest of the FIDO Alliance are so keen to replace them with an approach called passkeys. And they’re doing it right now. 

This week, Google announced that it was bringing passkey support to Android and Chrome—or at least to their latest beta software. If you’re enrolled in the Google Play Services beta or the Chrome Canary channel, you will be able to use them right now to log in to websites that support them. Google says they will come to the stable releases later this year and that their next milestone for 2022 will be to release an API (an application programming interface) to allow native Android apps to support them. 

Google supporting passkeys in its products is a big step towards widespread adoption. Apple started supporting passkeys on the iPhone with iOS 16 and will support them on Macs later this year with macOS Ventura. Once Google adds them to Android and Chrome, the two most popular mobile platforms and the two most popular browsers will support them. That’s huge.

Passkeys use public key cryptography to create a more secure authentication protocol than passwords. When you sign up for a new account with a passkey, your device will create a pair of keys—a public key that is shared with the service and a private key that it stores securely locked behind your biometric data or a PIN. 

Because of the underlying math, the public key can be public, as its name implies. It doesn’t matter if the site gets hacked and it is released in a data breach or shared on social media, it isn’t enough to log in to your account. It only allows the website to verify that your device has the right private key saved. 

And the system is set up so that all user verification is handled by your device. This means your private key is never transmitted over the internet, which makes passkeys basically impossible to phish or steal. Instead, a temporary single-use token is sent that tells the website that you have the right private key. It’s really a great system. 

But perhaps the best thing about passkeys isn’t that they’re more secure, but that they’re much more convenient to use. In the blog post announcing passkey support, Google explains how you are able to create a passkey or log in to an account just using your fingerprint, face, or screen lock code—it’s literally two steps. You don’t have to worry about coming up with a long code or adding the requisite number of special symbols. And you don’t have to remember them either—they will automatically be synced in the background between your devices using Google Password Manager. Basically, the user experience will be like an autofilling password—but better and more reliable.

And, because passkeys are an industry standard, you will also be able to use your phone to log in to nearby devices regardless of what operating system they have. Say you need to print something using a friend’s Mac. You can log in to your Gmail account in Safari just by scanning a QR code on your Android phone. Really, the long sought-after passwordless future is coming soon—and it looks great.

We’re about to get a peek at how many views Netflix shows get https://www.popsci.com/technology/netflix-barb-streaming-data/ Thu, 13 Oct 2022 23:00:00 +0000 https://www.popsci.com/?p=477761
netflix screen
Thibault Penin / Netflix

Those in the UK will get a rare glimpse at viewership data thanks to the company's partnership with the Broadcasters Audience Research Board.


After almost a decade of keeping quiet about exactly how many people view its most popular shows, Netflix is finally going to start sharing some hard figures—at least in the UK. This week, the Broadcasters Audience Research Board (BARB), a UK organization that reports broadcast and streaming numbers similarly to Nielsen, announced that it was working with Netflix to measure and publicly release data on what streaming shows people are watching. In the statement announcing the news, Reed Hastings, Co-CEO of Netflix, said that the company had been in touch with BARB since 2019.

Netflix has previously revealed limited viewership details about its most popular shows. It publishes weekly global Top 10s as well as individual most popular lists for nearly 100 countries it operates in. The numbers, though, are fudged.

Netflix counts each season of a TV show individually and ranks things in terms of hours viewed (which sounds meaningful, but obscures a lot of information and favors longer movies and TV series). Nielsen has attempted to measure and rank Netflix’s offerings against the other streaming platforms, but there isn’t a whole lot of agreement between the lists from Nielsen and Netflix. For example, NCIS, Cocomelon, and Grey’s Anatomy make Nielsen’s list for September 5 – 11 (the one it has public right now). But, these shows don’t appear anywhere on Netflix’s list for the same period—presumably because the viewing time is spread over all the different seasons. 

When BARB’s reports start early next month, it will be the first time the public (or at least BARB’s subscribers) see independently assessed viewership figures from an organization that Netflix is collaborating with and providing the necessary data to.  

Crucially, Netflix’s numbers won’t be announced in isolation. They will be released as part of BARB’s daily, weekly, and monthly breakdowns of the UK broadcast TV, broadcast video on demand (BVOD), and streaming markets (technically, advertising video on demand or AVOD and subscription video on demand or SVOD). As well as giving an idea of how many regular viewers Netflix has compared to Amazon, Disney+, and even broadcast channels like the BBC, it will also show just how popular Netflix’s shows are compared to regularly scheduled TV.

Given Netflix’s well-documented tendency to cancel shows before they have reached a natural end to their run or even after just one season, the weekly top 50 shows list is sure to provide interesting insights behind the company’s decision. Fans of Sense8, Cowboy Bebop, and some of the other shows Netflix has canceled would certainly have loved to have had more concrete data about how they were performing, especially compared to shows on other streaming services. Though it might be too late to save them, at least fans might get some justice from BARB.

For the time being, at least, this is all UK only. While there is obviously some overlap between the shows popular globally, in the US, and in the UK, there are some differences. Peaky Blinders: Season 6, for example, is on the UK list, while The Great British Baking Show, which is broadcast on Channel 4 in the UK, is on the US list. Similarly, The Blacklist and El Rey, Vicente Fernández are on the US list, but don’t make the global list. Factors like these make it risky to use data from one region to draw general conclusions about the popularity of certain offerings and Netflix’s strategy for growing its subscriber base.

8 things you need to know before traveling international for the first time https://www.popsci.com/diy/international-travel-tips/ Thu, 06 Oct 2022 19:00:00 +0000 https://www.popsci.com/?p=475310
two hands holding us passports in a plaza in madrid spain
Time to use these little booklets. Spencer Davis / Unsplash

There's an entire world out there.


Traveling broadens the mind and drains your bank account—but it’s totally worth it. Even so, if you’ve never traveled outside your own country before or just put things on pause for the duration of the pandemic, your first international trip can be a bit intimidating.

But don’t worry, as there are plenty of things you can do to make sure this first great adventure goes smoothly. Or, at least as smoothly as you want—because, as you will soon learn, half the fun of traveling is that things sometimes don’t quite go according to plan.

Get excited

Seriously: travel is awesome. Wherever you’re going, things will be totally different in a good way. Even big cities that seem to have a lot in common, like London and New York City, have totally different vibes. For example, nothing I’d seen at home in Ireland prepared me for the wide-open nothingness of Montana or the sunny sprawl of Los Angeles. And you’re likely to have a similar experience.

Before you go, take a moment to let yourself get excited about all the new things you’ll see, the people you’ll meet, and the food you’ll try. All this diversity might be overwhelming at first, but you shouldn’t worry—embrace it.

Research and plan—but not too much

There’s a fine line you have to walk when planning a trip: You have to learn enough so that you’re prepared, but not so much that you’re stuck with a rigid plan. 

If you don’t do enough research before you go, you’re likely to miss out on a lot. It’s easy to cross the big tourist highlights off your list no matter where you go, but the most fun things tend to be the smaller places that you discover for yourself and that cater to your specific interests. If you love photography, find a gallery that features local artists. If your thing is food, don’t just go to the high-end or tourist-trap restaurants; find some of the places where locals eat. You can do all this on the ground, but it’s easier when you’re at home with a stable Wi-Fi connection and all the time in the world.

On the other hand, you want to have a list of things you want to see or do, but not a tight schedule. If you’re rushing from one place to another, you won’t ever get time to enjoy the destination and experience serendipity, or happy accidents. You will meet interesting people you might want to chat with for a bit longer, take cool opportunities you didn’t know about, and at some point, you’ll just need a break. And to enjoy all of that, you’ll need a bit of flexibility.

I’ve found the best balance is to plan one big activity every day (like a museum visit, a hike, or a theater show), choose a restaurant nearby for a meal, and have a couple of ideas for things to do during the day. But leave the rest of the schedule somewhat open. This way you’re still going to have a good plan and you’ll cross all the big things you want to do off your list. But if someone invites you to do something epic, you’ll also have the time to say yes. 

Check the visa and Covid requirements

If you don’t have a passport, go and apply for one right now, as it’s a must-have for international travel. 

But while a passport is necessary, it’s not always enough. To enter many countries you’ll also need a visa, eVisa, electronic travel authorization, or pre-approved visa waiver. The easiest way to quickly find out exactly what you need is to visit The Passport Index. This site compares passports from all over the world and lists the entry requirements for any country you’d like to go to using that passport. 

Similarly, while the world is opening up, some countries still require negative COVID-19 tests or proof of vaccination for entry. Make sure to do your research to find out the health guidelines at your destination, like mask mandates or the local documentation needed to go to places like restaurants or theaters. Also, plan ahead if you find out you need to take a PCR test before your trip: some countries may require results from no more than 24 hours before departure, which could complicate matters if the lab or medical center you go to can’t assure you a quick turnaround.

Learn a bit of the lingo

If you’re traveling somewhere where English is not the primary language, don’t expect to be able to communicate with everyone. If it’s a big tourist destination, hotel staff and tourism workers will likely have some English skills, but normal people might not. 

Before you go, it’s worth using Duolingo (available for iOS and Android, and on the web) to pick up the very basics of the local language. Grab a phrasebook (or a guidebook with some handy phrases) as well so you can ask for directions, order a meal from a menu, or tell a taxi driver to take you to your hotel. Even just being able to say “Hello”, “Please”, and “Thank you”, in the local language will endear you to a lot of people, as there are few things more embarrassing than watching foreigners talk slowly and loudly at someone who clearly doesn’t understand a word they’re saying. 

And for emergencies, you can always count on Google Translate. Download the dictionary of the language spoken at your destination, and you’ll be able to translate text and speech in real-time and offline. Keep in mind that the platform is not perfect and might have a hard time translating slang or local turns of phrases, but it can certainly help you when basic phrases are just not enough. 

Get things on paper

If you think your smartphone’s battery doesn’t last long enough now, wait until you see how quickly it runs out when you use it to take photos and navigate all day and don’t have access to a charger.

Yes, you can carry around a power bank, but just in case, make sure you have a hard copy of everything important, like booking confirmation slips and a photocopy of your passport. Also, write down contact information for your hotel, recommended restaurants, and anything else you might want to reference. 

I can’t count the number of times my phone has run out of battery while I was exploring somewhere, and I was only able to get back to my hotel because I had the details written down. 

Decide how you’re going to pay

One surprisingly tricky part of travel is paying for things while not getting ripped off with charges and fees. 

Countries that widely use debit and credit cards accept both Visa and Mastercard pretty universally, but unfortunately, that’s not always the case with American Express cards. I’ve seen a lot of confused Americans in Dublin trying to pay for dinner with an Amex, not knowing that they’re usually not accepted anywhere that doesn’t explicitly cater to American tourists, and it’s the same in most of Europe.

Whatever card you plan on using, make sure to check what the foreign transaction and ATM withdrawal fees are. You should also check what your card’s exchange rate is, as there’s often a mark-up that means paying with plastic will be more expensive than buying currency and paying in cash. And if you’re not careful, that difference can add up quickly and you can easily spend hundreds of dollars more than you need to. It might be worth talking to your bank to see if they offer a travel card with reduced fees.

All that’s assuming you can even use a card. Some countries are still heavily cash-based and many small or local businesses won’t accept plastic. If that’s the case, you’ll need to make sure you carry enough cash with you to cover your daily expenses. This is good advice for most countries with a few exceptions—like Sweden, which is mostly cash-free.

Consider your phone

Unless you’re signed up to a (probably expensive) roaming plan, your phone won’t just keep working as usual as soon as you get off the plane, and you certainly won’t be able to rely on it for everything like you do at home. If you want your device to stay usable abroad, it’s worth doing a little bit of planning. 

The best way to use your phone while you’re away is to buy a cheap, local pay-as-you-go SIM card. For about $30 in most countries, you’ll get a gigabyte or two of data you can use to stay online on the go. But this only works if your phone is carrier unlocked. If you’ve been on your current contract for a while, contact your provider and see if you’re eligible to get your phone unlocked. 

If you’re planning to travel a lot, you could also consider switching to a plan with good roaming options. If you don’t know where to start, WhistleOut has a great breakdown of all the best options.

Prepare for the worst

Travel, for the most part, is really safe. You’re highly unlikely to die or lose a leg while you’re abroad, but that doesn’t mean it’s totally without risks. 

Before you go, check the Department of State’s travel advisories—they provide a good overview of everything you should know in terms of safety, including health advisories and the possibility for civil unrest. For example, the entry on France notes that the recent demonstrations and protests may affect your travel plans.

And, while you’re physically likely to stay safe, your things might not be so lucky. Pickpockets in major cities target tourists, airlines routinely misplace bags, and it’s much easier to lose a phone when you’re out of your daily routine. You’ll have to exercise caution towards all these things, but the simplest way to make sure some small problem doesn’t derail your whole trip is to get good travel insurance. If things go wrong, your flight gets canceled, or you have to come home prematurely, at least it won’t cost you too much. Your credit card might already come with a policy, so check that you’re not already insured before buying one.

Travel insurance is particularly important these days when delayed and rescheduled flights commonly leave people stranded at airports and airlines refuse to refund tickets in case of cancellations. You should also keep in mind that some countries now require travelers to get insurance, as local state-sponsored care for severe cases of COVID-19 may not benefit foreigners. 

Exploring new places and having new experiences is what makes travel so much fun. International travel is especially good because things can be so, well, foreign. Ideas and attitudes you take for granted at home might not exist at your destination, which may be challenging, but also absolutely eye-opening.

Find the best smart light for your home https://www.popsci.com/story/diy/smart-lights-guide/ Tue, 15 Dec 2020 13:00:00 +0000 https://www.popsci.com/uncategorized/smart-lights-guide/
Smart lightbulbs
Yes, you can light up your living room in neon green, too. Daniele Franchi / Unsplash

Everything you need to know before smartening up those fixtures.


Rigging your living room with computer-controlled lights like the bridge of the USS Enterprise used to be a multi-hundred dollar prospect. But over the last few years smart lights have become more affordable, and you can get started for less than $50.

If you’re thinking about joining the smart home revolution, stop for a minute, though—there are a few things you need to know before giving your lights brains.

Colors and automation—the prettiest side of the smart bulb

First and foremost, smart lights are fun—especially the changing colors. It’s so nice to have dim red lights in the early morning, bright white ones when you’re working, and warm orange ones when it’s time to chill. And a cool purple glow on the weekends, just because it’s fabulous. Systems such as the Philips Hue can even help you set the ambiance by having your lights change color to match the movie or video game on your TV. It’s hard to go back to boring old bulbs after that.

Automation can be sweet, too. Depending on how consistent your daily routine is, you can program things so you never have to touch a light switch again. You can have lights come on automatically in the evening, and turn off as you go to bed. If you’re away, this feature also turns your lights on and off to make it seem like you’re home, to deter strangers from coming in.

But there’s a gap between the promise and the reality of smart lights, and even though the industry is getting better at getting these gizmos to work more seamlessly, it’s a good idea to save yourself from disappointment by knowing what you’re actually getting yourself into.

Choosing a platform is a lifetime commitment (sort of)

Smart bulbs are just regular LED bulbs enhanced with a few extra features, and they’re rated to last between 15,000 and 25,000 hours. At three hours a day, that’s somewhere between 13 and 28 years, which means that unless someone swings at your fixtures with a broom handle, your smart bulbs should still be shining a decade from now.

Different brands offer different platforms, each with their pros and cons, but it’s important that when you choose one, you stick to it. Even if it’s technically possible to have two functioning smart lights systems in your house, you don’t want that. Dealing with one set of quirks is fine, but dealing with two or more, and trying to get them to work together, will prove to be hell on Earth.

To hub or not to hub

Tradfri gateway
Ikea’s Trådfri kit comes with a hub, a remote control, and two lightbulbs. The challenging name is free. IKEA

Regardless of the manufacturer, there are two kinds of smart light systems: those that need a smart home hub, and those that don’t.

Hubbed systems have a base station that connects directly to your router, and use a wireless protocol like Zigbee or Z-Wave to communicate with all your smart home devices. They work differently from the WiFi network in your house, so they won’t interfere with it. Hubless systems, on the other hand, skip the base station, so you control them directly over WiFi or Bluetooth. There are also hybrid models like the latest Philips Hue lights, which are compatible with both modalities.

It’s more expensive to set up a hubbed system, but these tend to offer more automation and better integration with other smart home products like smart blinds or smart plugs. They can also create a mesh network where each device is directly connected to every other device, so even if something is out of range of the hub, it’s still connected to the network. Philips Hue and Ikea Trådfri are some of the big names here.

Hubless systems are less expensive to set up, but have a few downsides. The biggest one is that each light in your house has to independently connect to your wireless router. That’s fine if you only want a few bulbs in a small apartment, but if you’re trying to rig up a six-bedroom house with a cheap router and a few WiFi dark spots, you can easily clog up the network for everyone at your home. And your lights won’t even work. LIFX and Eufy are two manufacturers that offer this modality.

How smart you want your home to be overall will be a big part of your decision. If you’re serious about automating everything, using a home hub makes more sense. Depending on what brand you ultimately choose, you’ll be able to integrate everything more easily and your WiFi network won’t collapse under the demands of your smart doorbells. But if you just want a few lights you can voice control, hubless is all you need.

Setting things up takes time

How many people does it take to screw in a smart light bulb?

One—but it takes a while.

No matter the kind of smart light platform you go with, the setup process is a little more involved than twisting your wrist a few times, as they all require downloading apps and connecting bulbs to gateways, control devices, and WiFi networks.

And that’s before you even start setting up the cool features, like preset scenes, schedules, voice control, and other automations. Although, in reality, that kind of setup never really ends, as there will always be some exception to your existing schedule, or a voice command that needs some troubleshooting.

The smart light paradox: inexpensive but costly at the same time

Over their total lifespan, smart bulbs don’t cost much. They can go from $15 to $50 depending on whether you’re getting a basic dimmable white smart bulb, like this one from Etekcity, or something more sophisticated, like a Philips Hue bulb with Bluetooth support. But over a 13-year lifespan that’s a bargain—like, a less-than-a-dime-a-month bargain.

However, starting out can be a bit pricey: hubs cost $35 to $60, six bulbs is at least $100, and smart bulb-compatible switches usually retail for $20 or more. If you want voice control, you’ll need a smart speaker like the Amazon Echo (from $25) within shouting range of every room. Yes, you can get a Hue starter kit for $70, but you’ll likely need to spend more to get a system that works for you.

Once you’ve got the basics covered, the costs start coming down. You should only ever need one gateway or bridge to power your smart lights, for example, and that same smart speaker can control more than one room as long as they’re all connected to the same network.

Color is awesome but it’ll cost you extra

Smart bulbs’ best feature isn’t the automation—it’s the changing colors. But this comes at a premium. Bulbs that let you choose among various shades of white light, like the Philips Hue White Ambiance bulb, go for $22, while if you want to have the full color version, you’ll have to pay $55.

You’ll have to ponder if the extra cost is worth it—if you’re happy with regular white light bulbs, maybe it’s better if you stick with that and save some money. The long-term plan for my own home is for almost every bulb to have full color control, but with 20-plus light fixtures in the house, it’ll take time—or a pay raise.

Light switches have a place

Light switch
You never thought you’d miss this guy, did you? Isabella and Louisa Fischer / Unsplash

When I walk into the bedroom, it’s a lot slower to say, “Alexa, lights on,” and then wait a second or two for the lights to come on, than it is to flip the switch conveniently located a foot from me. Similarly, controlling lights with an app sounds reasonable, but it actually takes longer than a voice command. Good thing smart lights still work the old fashioned way.

But there’s a problem with this, too. When you turn your lights on from the switch, they usually turn on to whatever your last setting was, but if you turn them off the same way, you lose the smart-functionality—the exact level of dimness, for example—until you turn it on. This is particularly bad when not everyone in your household is on board.

Smart light-compatible switches can be the answer. They connect to your network and have different buttons for different presets, so if people keep messing up your voice-controlled presets, they’ll be just as handy as that good ol’ on-off switch.

Automation leaves a lot to be desired

I had big visions of the automated light setup I was going to have. I wanted to be able to say, “Alexa, wake us up at 6:30 a.m.,” and then have the lights slowly ramp up at that time, starting red and going to white, before the radio came on as the alarm. This is possible on a daily schedule, but you can’t set up a different wake-up time with a quick voice command, and it takes two different apps to make work properly. Maybe there’s a way to make this happen, but I haven’t managed to get it to work—and I’m a person who gets paid to figure these things out.

And there are other, smaller quirks, like when your smart assistant and your smart light platform just don’t offer the same options. For example, Alexa supports a more limited range of colors than those in the Ikea app, so I can’t dial in the exact color I want without picking up my phone. Using the word “light” in any custom voice commands confuses things in weird ways, too, and there’s no way to stop a routine that’s in progress, which means I can’t cancel my 30-minute evening wind-down if I want to go to sleep earlier. If I turn off the lights, they get turned back on again a few minutes later so they can be automatically dimmed.

The various components of your smart home setup have different sets of problems, so even though you may not have these exact troubles, it is likely you’ll run into something similar and equally annoying. Different setups or some coding may be enough to take care of some of these problems, while others will take some work from manufacturers to fix. But for all the marketing smart bulb makers do around automation, things are just not easy if you don’t want to stick to their rigidly defined parameters.

Getting started

If the idea of smartening up your lighting situation is still irresistible, all that’s left to do is get started. The good news is that as messy as the setup and interoperability of things can be later on, things are simpler when you’re starting out. If you go for a hubbed system, most smart bulbs are compatible with most smart speakers, so you can use that as your primary way of controlling things.

This is a good way to go if you’re planning to replace more than a couple of lights. But if you’re just dabbling, grab a cheap WiFi smart bulb and see how you like it before you spend more money.

Once you’ve figured that out, you can plan out what you need. There are smart bulbs available for all the different light fixtures, and some are a bit pricier than others, so you don’t really want to buy anything you can spare. Starter kits are often good deals that come with a couple of bulbs, and a hub if necessary. But they’re not worth getting if you’re going to be left with bulbs you can’t use.

Finally, think about how you’re going to control things. Having to whip out your phone to do everything gets annoying fast, so budget in any extra smart speakers or smart light switches you’ll need.

When you know exactly what you need, smash that buy button. And set aside a weekend to get it all up and running.

USB-C is on track to become the charging cable standard in the EU https://www.popsci.com/technology/usb-c-law-pass-major-eu-vote/ Wed, 05 Oct 2022 19:00:00 +0000 https://www.popsci.com/?p=475146
a bundle of charging cables
Lucian Alexe / Unsplash

This soon-to-be policy will affect a wide range of electronic devices from phones to keyboards.


The wheels of the European Union bureaucracy are slowly turning in its quest to crush e-waste. The law requiring that all new smartphones and other similar electronic devices sold within the 27 member countries have a USB-C charging port—last reported on by PopSci back in June—has now overwhelmingly passed a vote in the European Parliament. It is on track to come into force by the end of 2024. Its intention is to reduce some of the 11,000 tons of e-waste made up of discarded and unused chargers.

While this is often portrayed as big news for Apple, it affects far more device makers at every level of the market. Although this law has been in the works for a while, it has had to clear several stages to get to this vote and there are still a few more to go. But given the level of support it has among EU member states (the vote was passed 602 for and 13 against with 8 abstentions) and the provisional agreement reached this summer, it seems like the final steps to get it over the finish line will be a formality. 

The next step is for the European Council, the EU’s upper legislative body, to approve the law (technically called a Directive). That is likely to happen in the next few weeks and once it does, it will be published in the EU Official Journal and become a formal policy 20 days later. From that point, each member state will have 12 months to transpose the Directive into their national laws and another 12 months to start applying them. This timeline estimates that almost all portable electronic devices will have to use a USB-C charging port by the end of 2024. 

The list of devices affected is long. It includes mobile phones, tablets, digital cameras, headphones, headsets, earbuds, portable speakers, handheld video game consoles, e-readers, keyboards, mice, portable navigation systems, and more. 

Laptop makers get an additional two years’ grace. They won’t have to incorporate USB-C until spring 2026. Also, the law only includes devices that are “rechargeable via a wired cable.” The EU is working to standardize wireless charging but, for the time being, wirelessly charged devices are exempted.

There’s one other caveat: this only applies to devices “operating with a power delivery of up to 100 Watts.” More powerful electronics like toasters, ovens, washing machines, and the like aren’t going to have to add a USB-C port any time soon. 

One interesting quirk is that the law requires consumers be able to purchase any device with or without a charger. Some companies like Apple and Amazon already sell a lot of their portable electronics without a bundled charger, but this will likely change how many electronic devices are sold within the EU. 

According to the EU, the changes to the law “will lead to more re-use of chargers and will help consumers save up to 250 million euro a year on unnecessary charger purchases.” 

Of course, while the reasons behind the new laws are largely good, the effect on consumers remains to be seen. Varying power and data transmission standards across devices have made the USB-C situation a “total mess.” Although all USB-C devices use the same port, they don’t all support or require the same power or data transfer speeds. Some cables max out at 5 Gbps, others at 40 Gbps—with no indication on the cable.

According to the EU, “dedicated labels will inform consumers about the charging characteristics of new devices, making it easier for them to see whether their existing chargers are compatible.” However, this puts a large burden on consumers to know what chargers they have and need for their devices.

For the tech savvy capable of parsing the arcane symbols on the boxes, the law will likely be a good thing. Interoperable devices and chargers will make it simple for people to travel with just a single cable, and they will be able to ensure that their devices always get the fastest possible charging and data transfer speeds. There are likely to be many regular consumers getting incredibly slow charging speeds with their laptops because they are trying to use a 5 Watt wall wart to power a device that needs an 85 Watt charger.

Regardless, the new EU policy is already inspiring lawmakers around the world. This summer, three Democratic senators—Bernie Sanders of Vermont, and Elizabeth Warren and Ed Markey of Massachusetts—called for the US to introduce similar laws.

With the single common charging standard now sorted, EU lawmakers are turning their attention to other tech issues. This week they unveiled a series of new draft rules that would make it easier for people to sue AI companies for harm. It will be years before they take effect, if they ever do, but like this USB-C charging situation, they could one day have a major worldwide impact.

Meta is pivoting to video with its new AI generator https://www.popsci.com/technology/meta-text-to-video/ Fri, 30 Sep 2022 15:00:00 +0000 https://www.popsci.com/?p=474119
meta's AI text to video generator
Meta AI

Make-A-Video takes its best shot at making a short clip around prompts like "a dog wearing a superhero outfit with red cape flying through the sky.”


Text-to-image generators powered by artificial intelligence, like DALL-E 2 and Stable Diffusion, have had a huge year. It’s almost impossible to scroll through Twitter without seeing some images generated from an (often ridiculous) written prompt. Researchers, though, are already looking at the next generation of generators: text-to-video.

In a paper published this week, researchers at Meta AI revealed a text-to-video generator they call Make-A-Video. It takes a written prompt like “a teddy bear painting a portrait” or “a dog wearing a superhero outfit with red cape flying through the sky” and returns a short video clip depicting the machine learning model’s best attempt at recreating it. The videos are clearly artificial, but very impressive all the same. 

As well as written prompts, Make-A-Video can make videos based on other videos or images. It can add motion to a static image and create a video that links two images.

AI photo
Meta AI

At the moment, Make-A-Video’s silent clips are composed of 16 frames output at 64 x 64 pixels that are then upscaled using another AI model to 768 x 768 pixels. They’re only five seconds long and just depict a single action or scene. While we’re a long way from an AI creating a feature film from scratch (though AI has previously written screenplays and even directed movies), the researchers at Meta intend to work on overcoming some of these technical limits with future research.

Like the best text-to-image generators, Make-A-Video works using a technique called “diffusion”. It starts with randomly generated noise and then progressively adjusts it to get closer to the target prompt. The accuracy of the results largely depends on the quality of the training data. 

According to the blog post announcing it, Make-A-Video’s AI learned “what the world looks like from paired text-image data and how the world moves from video footage with no associated text.” It was trained with more than 2.3 billion text-image pairs from the LAION-5B database and millions of videos from the WebVid-10M and HD-VILA-100M databases.

Meta claims that static images with paired text are sufficient for training text-to-video models as motion, actions, and events can be inferred from the images—like a woman drinking a cup of coffee or an elephant kicking a football. Similarly, even without any text describing them, “unsupervised videos are sufficient to learn how different entities in the world move and interact.” The results from Make-A-Video suggest they are right. 

Although the researchers said they have done what they can to control the quality of the training data, filtering LAION-5B’s dataset of all text-image pairs that contained NSFW content or toxic words, they acknowledge that like “all large-scale models trained on data from the web, [their] models have learnt and likely exaggerated social biases, including harmful ones.” Preventing AIs from creating racist, sexist, and otherwise offensive, inaccurate, or dangerous content is one of the biggest challenges in the field.

For now, Make-A-Video is only available to researchers at Meta (although you can register your interest in getting access here). Although the videos the team has shown off are impressive, we have to accept they were probably selected to show the algorithm in the best possible light. Still, it’s hard not to recognize how far AI image generation has come. Just a few years ago, DALL-E’s results were only mildly interesting—now they’re photorealistic.

Text-to-video is definitely more challenging for AI to get accurate. As Mark Zuckerberg said in a Facebook post, “It’s much harder to generate video than photos because beyond correctly generating each pixel, the system also has to predict how they’ll change over time.” The videos have an abstract, unnatural, janky quality to them—depicting not-so-natural motion. 

Despite the low quality, Zuckerberg called this tool “pretty amazing progress.”

An AI called Dragonfly is helping design faster-charging batteries https://www.popsci.com/technology/ai-robotics-battery-design-discovery/ Thu, 29 Sep 2022 23:00:00 +0000 https://www.popsci.com/?p=474027
Electric Vehicles photo
Deposit Photos / malpetr

A robotics system called Clio is key, too.

Batteries are more crucial than ever as they propel cars, power our myriad devices, and even allow some experimental aircraft to fly. But battery technology has a long way to go before we will see a more widespread adoption of electric vehicles, months-long laptop battery lives, and longer flights on electric planes. That’s why engineers and researchers around the world are constantly looking for the next big battery innovation.

According to a paper recently published in Nature Communications, researchers from Carnegie Mellon have used a combined robotic and artificial intelligence system to design better electrolytes for lithium-ion batteries. In particular, the team was looking for electrolytes that would allow for batteries to charge faster—which is one of the biggest problems in battery technology today and a major barrier to widespread electric vehicle adoption.

Lithium-ion batteries have a cathode and an anode surrounded by an electrolyte. When they are charged, ions migrate through the electrolyte from the cathode to the anode (and vice-versa when they discharge). The exact composition of the electrolyte determines how fast a battery charges, discharges, and otherwise performs. Optimizing the electrolyte solution is thus one of the key challenges for battery designers. 

The research team used an automated arrangement of pumps, valves, vessels, and other lab equipment that they dubbed “Clio” to mix together different ratios of three potential solvents and one salt. As the paper points out, “battery innovations can take years to deliver” in part because there are so many potential chemicals that can be used in various ratios that optimizing them is “time-consuming and laborious”—at least for people. But with its various automated parts, Clio was able to run experiments significantly faster. 

To remove the human element even more, Clio’s results were fed into a machine-learning system dubbed “Dragonfly” that analyzed the data to look for patterns and propose alternative ratios that might perform better. Clio then automatically ran those new proposed experiments, allowing for Dragonfly to optimize the chemical recipes yet further. 

In total, working with just the one salt and three solvents, Clio and Dragonfly were able to run 42 experiments over two days and come up with six solutions that out-performed an existing electrolyte solution made from the same four chemicals. The best test cell containing one of the robot-AI-developed electrolytes boasted a 13 percent improvement in performance compared to the best performing test cell using the commercially available electrolyte. 

In an interview with MIT Technology Review, Venkat Viswanathan, an associate professor at Carnegie Mellon and one of the co-authors of the Nature Communications paper, explained that the problem with working with electrolyte ingredients is that you can combine them “in billions of ways.” Prior to now, most research relied on guesswork, intuition, and trial and error. By being both free from bias and rapidly able to cycle through experimental conditions, Clio and Dragonfly can test far more options than human researchers—whether they’re minor refinements or moonshot solutions—and aren’t hamstrung by their preconceived notions. They can then take what they learn from each experiment and tweak things to find optimal electrolytes for whatever the research team needs.

In this case, Clio and Dragonfly were optimizing for recharge speed, but similar “closed-loop” experiments could optimize for capacity, discharge time, voltage, and all the other factors that matter in commercial battery performance. In fact, the team thinks their work will “be useful beyond the battery community,” claiming that their “custom-designed robotic platform, experiment planning, and integration with device testing will be valuable in optimizing other autonomous discovery platforms for energy applications and material science in general.”

The team at Carnegie Mellon aren’t the only ones exploring how machine learning can optimize the many design considerations and complex variables that go into battery manufacturing, maintenance, and charging. Late last month, a team of government researchers at the Department of Energy-run Idaho National Laboratory announced that they had found a way to safely and reliably recharge electric vehicles up to 90 percent within just 10 minutes. They used a machine learning algorithm to analyze between 20,000 and 30,000 data points from different kinds of lithium-ion batteries to find the most efficient and safest method of recharging. They were then able to confirm their results by testing the newly developed recharging protocols on real batteries. 

And while liquid electrolytes are one frontier for battery research, another involves exploring ways to replace that liquid with a solid instead.

Why Bitcoin won’t go green any time soon https://www.popsci.com/technology/why-bitcoin-will-not-go-green/ Fri, 23 Sep 2022 14:00:00 +0000 https://www.popsci.com/?p=472201
Cryptocurrency photo
Arnaud Mesureur / Unsplash

Ethereum just made a big change for the better. This is why Bitcoin probably won’t follow suit.

There was major news in the cryptocurrency world earlier this month: On September 15, the Ethereum community successfully pulled off what’s known as The Merge, moving the Ethereum blockchain validation mechanism away from the energy-intensive proof-of-work method. From now on, Ethereum will use the significantly greener and less resource-intensive proof-of-stake method. 

According to an analysis from the Crypto Carbon Ratings Institute, the transition should drop Ethereum’s electricity usage by 99.988 percent, significantly reducing its effect on the environment. But Ethereum is only the second-most popular cryptocurrency—Bitcoin still uses the energy-intensive proof-of-work system and is highly unlikely to change in the near future. Here’s why.

It was hard to do 

First, what the core team behind Ethereum pulled off is technically very impressive. Christian Catalini, the founder of the MIT Cryptoeconomics Lab, points out that even simple updates to an app or operating system can go wrong. That the Ethereum community completed such a “major upgrade” without anything going awry is a testament to the level of planning and preparedness, he says. Crucially, it shows that these kinds of upgrades are possible—even for a cryptocurrency as big as Bitcoin.

Since The Merge, though, the value of Ethereum has fallen around 15 percent. This is most likely due to external market forces, rather than anything to do with the technical aspects of the transition to proof-of-stake. Still, it shows that a greener cryptocurrency isn’t automatically a more valuable one—especially as Ethereum still has incredibly high transaction (or “gas”) fees.

Proof-of-work, unlike proof-of-stake, is basically a high-stakes math lottery. Computers around the world compete to be the first to guess the answer to an exceptionally difficult cryptographic equation. The first to do it gets to add the next block to the blockchain—and is paid in cryptocurrency for their trouble. The problem is that for every winner, there are thousands of losers who had their computers running at full speed—burning through copious amounts of electricity—attempting to guess answers. It’s a huge waste, and the big reason that cryptocurrencies are considered an environmental issue.

Proof-of-stake, on the other hand, has no such waste. The computer that gets to add the next block (and gets paid) is chosen at random from a pool in which the operator of each machine has staked a sizeable chunk of the relevant cryptocurrency. If they misbehave or otherwise fail to add the block correctly, they can be penalized by having their stake confiscated. 

While Bitcoin has used proof-of-work to secure its blockchain for 15 years, proof-of-stake has never been tested at the scale it is now. Post-Merge, Catalini says, “The long term viability and security of proof-of-stake is going to be a continuous experiment.” If the Ethereum blockchain remains as secure as it was under proof-of-work, that will be a major win for the community. One drawback is that it is, at least theoretically, more vulnerable to a number of different attacks.

Diverging philosophies

There are other issues with proof-of-stake too. The US Securities and Exchange Commission Chair Gary Gensler said last week that staked cryptocurrencies may be subject to federal securities regulations, which is something that the cryptocurrency community has been broadly against since its inception. 

And it also remains to be seen what former-Ethereum miners will do with their energy-intensive GPU rigs which are no longer needed under proof-of-stake. Some may move to mining other proof-of-work currencies (including Bitcoin) or branch out into other fields, like 3D modeling and graphics processing. Either way, the massive server farms that had worked hard under the old Ethereum mechanisms are unlikely to sit idle.

Also, Catalini says Bitcoin is “extremely conservative” and “much more risk averse” compared to Ethereum, which is far more prepared to take major risks like transitioning to proof-of-stake. 

He also points out that the two major cryptocurrencies don’t really compete, which is yet another reason why Bitcoin seems unlikely to follow suit. Ethereum launched with significantly more programmability (hence why it’s used in NFTs) than Bitcoin, part of an attempt to fix what was seen as a shortcoming with Bitcoin. In response, the Bitcoin community kept doing their own thing. As a result, he says Bitcoin changing its consensus method isn’t “credible in the foreseeable future.” Ethereum doing it isn’t a big push. 

Even so, Catalini says there are ways that the Bitcoin community could reduce the environmental impact of the network. (It currently uses about as much electricity as Pakistan annually.) He thinks that “the evolution and sustainability of Bitcoin will be much more driven by miners targeting renewables and targeting energy sources that can make Bitcoin more green in the long run,” rather than a grand transition to proof-of-stake.

First, miners could just use more renewable sources of energy, and even “carbon negative” sources like flare gas released from oil and natural gas extraction. This would allow Bitcoin mining to make use of electricity that would be “stranded” or otherwise not able to be used for other applications. Catalini says, “As long as you have a satellite dish or Starlink connection, you could mine in the middle of nowhere.”

Second, mining could absorb peak capacity. According to Catalini, miners can “come off the grid or go on the grid instantly.” As a result, miners could come off the grid when energy is needed elsewhere or go on the grid when there is an excess of electricity generated that would otherwise go to waste, such as when solar power is making more energy than people need. Still, cryptocurrency miners’ environmental claims have been massively overstated in the past. It is unlikely the methods suggested by Catalini would significantly reduce the environmental impact of Bitcoin to the extent that switching to proof-of-stake would, especially since miners are generally motivated by potential profits.

Clicking ‘dislike’ on YouTube probably doesn’t do much to customize your feed https://www.popsci.com/technology/youtube-dislike-buttons-not-effective/ Tue, 20 Sep 2022 19:10:22 +0000 https://www.popsci.com/?p=471271
Social Media photo
Photo by NordWood Themes on Unsplash

A new report from Mozilla finds that taking actions such as clicking "Not interested" likely doesn't have the outcome you'd want. Here's how they figured that out.

A new report from Mozilla, the makers of the privacy-focused Firefox browser, suggests that YouTube’s user controls are ineffective at controlling what people see on the platform—despite what Google claims. Using data from almost 23,000 volunteers, Mozilla was able to show that YouTube kept recommending similar videos even when people used the various different options to indicate that they didn’t want to see that kind of content. 

YouTube is the second-most popular website in the world (the first is Google) and according to Mozilla, an estimated 70 percent of the 1 billion hours viewed daily on the platform are as a result of algorithmic recommendations. Various reports have shown how the algorithm can polarize people and recommend misinformation and harmful content—something that Google claims it has worked hard to fix. In this study, Mozilla set out to test the effectiveness of the controls YouTube offers to users to manage the recommended videos they see. 

In a previous report released in July last year, Mozilla found that people were routinely recommended videos they didn’t want to see and felt that the controls available to them were ineffective. This new study used a browser plug-in Mozilla developed called RegretsReporter to see if this was true.

Mozilla looked at four different Google-suggested controls: Clicking that thumbs-down “Dislike” button, “Not interested,” “Don’t recommend channel,” and “Remove from watch history.” Meanwhile, users of the RegretsReporter plug-in see a “Stop Recommending” button on YouTube videos. When they clicked it, the control-option (such as for the Dislike button) corresponding to their test group was sent to YouTube, while data about future recommended videos were sent to Mozilla. (There was also a control group where clicking the button did nothing.)

Over the course of the study, 22,722 participants used the RegretsReporter, allowing Mozilla to analyze 567,880,195 recommended videos. To assess this huge amount of data, the researchers reviewed 40,000 pairs of recommended videos and rated their similarity. This allowed the team to quantitatively study whether the videos participants were being recommended were similar to videos that they had previously rejected. In other words, to look at whether YouTube’s tools effectively reduced the number of bad recommendations. 

For example, if someone saw an anti-vax video recommended to them, and clicked “Not interested,” and then got recommended a cat video, that would be a good recommendation. On the other hand, if they kept getting suggested anti-vax videos after indicating that they weren’t interested in them, those would be bad recommendations. Page 22 of the report [PDF] has some good visual examples.

Mozilla’s report found that no user control was especially effective at preventing unwanted recommendations. The “Don’t recommend channel” option had the biggest impact, preventing 43 percent of bad recommendations, with “Remove from watch history” preventing 29 percent, and “Dislike” and “Not interested” preventing 12 percent and 11 percent, respectively. Mozilla argues that its “research suggests that YouTube is not really that interested in hearing what its users really want, preferring to rely on opaque methods that drive engagement regardless of the best interests of its users.”

As a result of its findings, Mozilla is calling on people to sign a petition asking YouTube to fix its feedback tools and give users actual control over the videos they get recommended. It also has four specific recommendations for YouTube and policy makers based on its study. 

Mozilla suggests that YouTube’s user controls should be easy to use and understand, and be designed to put “people in the driver’s seat.” It also wants YouTube to grant researchers better access to data (so they don’t have to use browser extensions to study these kinds of things). Finally, it calls on policy makers to pass laws providing legal protections for those engaged in public interest.

Whether this report is enough to get Google to add some real user controls to YouTube remains to be seen. For now, it’s a fairly damning indictment of the ineffective controls that are currently in place. 

TikTok remains evasive on the data it collects https://www.popsci.com/technology/tiktok-senate-hearing-biometric-data/ Thu, 15 Sep 2022 23:00:00 +0000 https://www.popsci.com/?p=470209
Vanessa Pappas TikTok COO at Senate hearing
Vanessa Pappas, TikTok COO, at Senate hearing. US Senate Committee on Homeland Security & Governmental Affairs

The company's COO was pressed by members of the Senate to answer questions about the app's security.

At a US Senate hearing yesterday on the impact of social media on homeland security, TikTok Chief Operating Officer Vanessa Pappas bore the brunt of the questioning (watch the hearing here, and read Pappas’ written testimony here). Lawmakers repeatedly asked her if American users’ data could be accessed by the government of the People’s Republic of China. This line of questioning stems from a small change to TikTok’s privacy policy last year that gave it permission to collect biometric data including “faceprints and voiceprints,” as well as a report from BuzzFeed News earlier this year on how US data could be accessed in China.

TikTok’s relationship with ByteDance, its Chinese parent company, has long been an issue for the US government. Former President Donald Trump attempted to force ByteDance to sell the popular social media app to an American company in 2020, though it never happened. According to The New York Times, President Biden has been negotiating with TikTok in private over “steps that could mitigate the government’s concerns.” Apparently though, his efforts aren’t sufficient for TikTok skeptics.

In an effort to allay concerns over how it handled data, in June this year, TikTok announced that all US traffic was now being routed through American computer company Oracle’s cloud infrastructure. Some user data is still backed up to TikTok-owned servers in Singapore and Virginia for now, but the company says that it plans to delete them in the future. 

That same day, however, BuzzFeed News released a report detailing how “engineers in China had access to US data between September 2021 and January 2022, at the very least.” In one recording seen by BuzzFeed News, a director called one Beijing-based engineer a “Master Admin” with “access to everything.” Whether traffic was being routed through the US or not, ByteDance employees in the PRC seemingly had access to it, at least for a time.

With TikTok’s overall data handling processes under scrutiny, its decision to collect biometric data from US users is understandably drawing ire from lawmakers. In June last year, it updated its privacy policy to include a new section called “Image and Audio Information” as part of “information we collect automatically.” It stated that TikTok may “collect information about the images and audio that are part of your User Content,” listing examples like identifying objects seen or the words spoken in a post. Crucially, it also stated that TikTok “may collect biometric identifiers and biometric information as defined under US laws, such as faceprints and voiceprints, from your User Content.”

Other than that, the privacy policy is incredibly vague on what the biometric data is being collected for and how it could be used. (It’s worth noting that this section is absent from the privacy policy for EU users where data protection laws are much stronger.)

According to TechCrunch, Senator Kyrsten Sinema of Arizona asked Pappas, TikTok’s COO, if biometric data from US users had “ever been accessed by or provided to any person located in China,” and if doing so was possible. Pappas avoided giving a direct answer. Instead, according to TechCrunch, she explained that TikTok didn’t use “any sort of facial, voice or audio, or body recognition that would identify an individual.”

Pappas apparently elaborated, explaining that what TikTok called “biometric” data was only used to apply filters—like the ones that add sunglasses or dog ears to your videos—and was deleted from the user’s device immediately afterwards. 

This would seem to suggest that engineers in China would be unable to access the data as it doesn’t exist; however, Pappas did not state that directly.

As well as facing questions about biometric data handling, Pappas was also asked about reports that TikTok’s in-app browser could log keystrokes. She responded by saying that TikTok had not collected the contents of what was typed, and that it had been used as “an anti-spam measure.”

Whether Pappas’ responses at yesterday’s hearing are enough to satisfy US lawmakers remains to be seen. The company, meanwhile, appears to be carrying on business as usual. Today, TikTok announced a new feature that it’s rolling out to users called “Now,” which allows them to capture moments with both the front and back camera (a hallmark of the up and coming app, BeReal).

According to Bloomberg, the national security review of TikTok is still ongoing, and despite the fact that it paints itself as a global company, it is still very much owned by ByteDance.

Tesla Model Y vehicles can be hacked—in theory https://www.popsci.com/technology/tesla-model-y-hack/ Tue, 13 Sep 2022 19:00:00 +0000 https://www.popsci.com/?p=469484
Electric Vehicles photo
Photo by Craventure Media on Unsplash

A security researcher published the complex method. Here's how it all works.

A security researcher has just published a new, proof-of-concept attack that allows thieves to unlock and steal a Tesla Model Y. Josep Pi Rodriguez, a principal security consultant with IOActive, identified the potential exploit and, while it might be tricky to pull off in the real world, it shows how cars underpinned by advanced technology can also be vulnerable to novel attacks. 

A Tesla Model Y can be legitimately unlocked in three ways: With a keycard that uses near field communication (NFC), with a correctly configured smartphone, or with a key fob (that is a $175 add-on). This attack—called an NFC relay attack—targets the Tesla’s keycard system. 

Before looking at how the hackers exploit this vulnerability, let’s step back and understand how the keycard system works. Tesla provides two smart keycards with every car. They are required to set up the smartphone-based key, and Tesla recommends that drivers keep a keycard in their wallet at all times as a backup in case their phone breaks or runs out of battery, or Tesla’s servers go down. (As futuristic as unlocking your car with a phone is, getting stuck somewhere because you dropped your device in the toilet is not exactly Jetsons material.)

To unlock their car, drivers hold the keycard up to the middle B-pillar. The car detects the nearby card and issues a cryptographic challenge over NFC. The smart keycard calculates the correct response and replies using NFC. The car validates the response and opens the doors. The driver then has two minutes to start the car and drive off before the keycard needs to be validated again. This is the process that the NFC relay attack seeks to break. 

To pull it all off, the relay attack requires two thieves working together. One stays close to the car with a device called a Proxmark that is capable of imitating NFC devices, while the other has to get close to the target’s keycard with an NFC-reader-equipped smartphone. The Proxmark and the smartphone communicate over Bluetooth or Wi-Fi. You can see it in action in the video above.

Of course, developing the attack was a little more complex. Rodriguez had to decipher the Tesla’s communication protocol in order to accurately emulate it. If you want to see the low-level code, he breaks it all down in the research paper.

Also, it’s worth mentioning that this is all just a proof-of-concept. While thieves have taken Teslas with relay attacks in the past, there are still a number of challenges that they would face pulling this method off in the real world. First, the attackers have to find a target that carries their keycard in a predictable pocket. Second, they have to get a smartphone or other NFC-reading device close to the target’s keycard without them noticing—possibly while they’re standing in line for coffee or are otherwise stuck in a queue. Finally, the two attackers currently have to be within Bluetooth or Wi-Fi range of each other, so the target is still going to be pretty close to the car. 

Of course, there are ways to overcome some of these challenges for a motivated hacker. Rodriguez theorizes that the range of the NFC-reading device could be increased from around 2 inches to around 2 feet. Similarly, the Wi-Fi range of the Proxmark can be increased using a Raspberry Pi as a wireless relay. He also thinks it is possible to perform the attack using an internet connection. 

Once the car is unlocked, the attacker can hop in and drive off. They aren’t able to restart the car if they stop the engine, so they are most likely going to sell it for parts or steal any valuables left lying around.

If you own a Tesla—or any other car that uses an NFC keycard—you should be aware of this attack, but not overly concerned. This is the kind of thing that can only be pulled off if you are specifically targeted. Regular Tesla drivers going about their business are unlikely to be at much risk. 

With that said, there are still a number of steps you can take to mitigate the attack. Enabling PIN to Drive would prevent the attackers from being able to drive off. You could also keep the keycard in an RFID-blocking sheath which would prevent it from being read while you stand in line for your coffee.

Overall, Rodriguez thinks that Tesla has a good security track record. In an interview with The Verge, he says, “Tesla takes security seriously, but because their cars are much more technological than other manufacturers, this makes their attack surface bigger and opens windows for attackers to find vulnerabilities.” In other words, as cars get more like computers, hackers have way more options in how they can attack them. There may not be a need for crowbars any more. 

Interested in launching a satellite? Three space companies have put together a ‘best practices’ guide https://www.popsci.com/technology/guide-to-launch-satellite/ Sat, 10 Sep 2022 11:00:00 +0000 https://www.popsci.com/?p=468920
satellite in space
NASA / Unsplash

Big players are teaming up to try to get everyone to play nicely in space (and keep the regulatory landscape friendly).

Space—the final frontier—is getting more crowded. According to the Union of Concerned Scientists, there are now almost 5,500 satellites orbiting Earth, and that number is only going to increase over the next few years. In particular, private enterprises are planning to launch communications satellites at an unprecedented rate. That’s why Iridium, OneWeb, and SpaceX, three of the biggest players, have jointly launched a guide to orbital safety best practices. So, if you’ve plans to deploy your own satellite or are merely curious as to what’s required to do so safely, read on. 

The guidelines were created by the three companies and were “facilitated by” the American Institute of Aeronautics and Astronautics (AIAA). According to the Union of Concerned Scientists, SpaceX is the largest operator of satellites—by far. It has a whopping 2,219 satellites in orbit as part of its Starlink constellation, which dwarfs everyone else, including NASA (73), the US Air Force (95), and the Russian military (73). OneWeb, another satellite internet operator, is a distant second with 427 satellites in orbit. Iridium, a satellite communications operator, is able to cover the planet with just 75 satellites, though its voice and text call services have far lower bandwidth requirements than full-blown internet connections.

In the introduction to the best practices guidelines, the three companies explain their reasoning: They want to get ahead of regulations that would limit them too much. “Given the rapid innovation occurring in the space sector, governments have a responsibility to put appropriate regulatory structures in place that keep pace with and promote this innovation,” the report explains. “To be effective, these regulations must strike the appropriate balance of maintaining sustainable operations in space without stifling innovation or preventing new applications that bring tangible benefits to the public and governments.” (In other words, they would like to keep doing what they’re doing.)

The proposed best practices are divided into four stages: Design Time (A), Pre-Launch and Early Orbit (B), On Orbit (C), and Satellite Disposal (D). Each stage has a number of key practices that satellite operators should ideally abide by. 

At Design Time, the guidelines are concerned with prepping the satellite for a safe launch and time in orbit. They suggest three key practices: “Consider collision avoidance (CA) implications” when selecting an orbit; make sure the spacecraft’s hardware is up to the job; and make sure the software running on the craft and controlling it from the ground is capable, too.  

For Pre-Launch and Early Orbit, the guidelines are mostly concerned with making sure other space operators know what you’re doing, and not accidentally crashing into another orbiting satellite—or worse, a manned spacecraft. The three suggested practices are: Tell other space operators and the global community your launch strategy well in advance, make sure you don’t go anywhere near “crewed assets,” and work with a “cataloguing” organization to track your launch and early orbit. 

Once the satellite is in space, the “On Orbit” guidelines are concerned with keeping things that way. And once again, doing it without crashing into things. The recommended practices are: Keep everyone up to date with what you are doing with your satellite; continuously perform collision avoidance risk assessments; and when there’s a high risk of collision, do something about it.

Finally, once the satellite’s mission is complete, the Satellite Disposal guidelines are about making sure that it can be decommissioned safely. There is a limited amount of space in orbit, so dead satellites shouldn’t be left up there. To that end, there is just one best practice: Actively and expeditiously manage the de-orbit of low-Earth orbit (LEO) satellites that are reaching the end of their useful mission life.

Of course, having a set of guidelines is very different from having a set of laws that everyone is required to follow. SpaceX in particular has been criticized for the sheer volume of satellites it’s planning to launch (and has launched). Whether this attempt at self-regulation is enough to stave off individual countries creating what the report calls “an unmanageable patchwork of incongruous rules” remains to be seen. 

Using Chrome? Check for this update right away https://www.popsci.com/technology/chrome-security-update/ Wed, 07 Sep 2022 19:00:00 +0000 https://www.popsci.com/?p=468228
a laptop keyboard
Photo by Philipp Katzenberger on Unsplash

Google released an important security patch for its web browser. Here's what to know about the vulnerability—and the fix.

The post Using Chrome? Check for this update right away appeared first on Popular Science.

Just two days after a previous update, Google pushed an emergency Chrome update last Friday to deal with a zero-day vulnerability that is already being exploited in the wild. If you use Chrome, the update process is automatic; you just need to restart your browser when prompted for the update to take effect. Users of other Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi should also keep an eye out for an update. Google is keeping things quiet for security reasons, but here’s what we know.

The vulnerability—catchily called CVE-2022-3075—was only brought to Google’s attention on August 30 by an anonymous security researcher. That the company pushed an emergency security update on September 2 speaks volumes about the severity of the underlying issue. The previous update—coincidentally released on August 30—patched 24 security issues including a different critical zero-day, so it is a big deal that Google felt the need to release an update to address a single vulnerability immediately. This was the sixth zero-day that Google has patched this year.

According to Google, CVE-2022-3075 concerns “insufficient data validation in Mojo,” a collection of important low-level routines in Chromium, which is the browser engine that Google Chrome uses. It is listed as a “critical” vulnerability, which essentially means that an attacker exploiting it is likely to be able to significantly compromise your browser or computer. Depending on the vulnerability, this could mean things like being able to steal passwords or credit card details, install malware on your system, and otherwise do very nasty things. These are the kind of exploits that hackers in movies (or working for national governments) use.

For now, Google is keeping many details about the vulnerability quiet until a substantial portion of the Chrome user base is safe from exploitation. If it is being used in the wild, Google does not want to highlight its usefulness to bad actors. The bug bounty payout for the anonymous researcher also hasn’t been announced, but could be up to $150,000.

This emergency update, which upgrades Chrome to version 105.0.5195.102 on Windows, Mac, and Linux, rolled out over the last few days. You can check what version of Chrome you are currently using by going to More (the three little dots) > Help > About Chrome. Updates should be downloaded automatically, but you have to restart your browser for it to fully install. If you see the Update button in the top-right corner of your browser, click it. This is a serious security update and worth installing immediately. 
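For anyone checking more than one machine, the version comparison above can be scripted. The following is an added example, not code from Google or the article: the function names and the inventory are constructed for illustration, and it covers Chrome only, since the article gives no patched version numbers for other Chromium-based browsers.

```python
import re

# Patched Chrome build named in the article (Windows, Mac and Linux).
PATCHED = (105, 0, 5195, 102)

# Chrome versions have four numeric parts: major.minor.build.patch
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first four-part version in `text` as a tuple of ints, or None."""
    match = _VERSION_RE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(text, patched=PATCHED):
    """Classify a reported version string as patched, needs-update or unknown."""
    version = parse_version(text)
    if version is None:
        return "unknown"  # nothing parseable: treat as unverified, not as safe
    # Tuples of ints compare part by part, so 99 < 102 as it should.
    return "patched" if version >= patched else "needs-update"


def naive_is_patched(version_string, patched="105.0.5195.102"):
    """The common mistake: comparing versions as text.

    As strings, "105.0.5195.99" sorts after "105.0.5195.102" because the
    character '9' is greater than '1', so an older build looks newer.
    """
    return version_string >= patched


def audit(inventory):
    """Map each host in a {host: reported version text} inventory to a status."""
    return {host: classify(reported) for host, reported in inventory.items()}


# Constructed sample inventory: host names and version strings are made up
# for this example and do not come from the article.
SAMPLE_INVENTORY = {
    "laptop-01": "Google Chrome 105.0.5195.102",
    "laptop-02": "Google Chrome 105.0.5195.99",
    "desktop-07": "Version 104.0.5112.101 (Official Build) (64-bit)",
    "kiosk-03": "Google Chrome 106.0.5249.61",
    "server-09": "chrome: not found",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {status}")
```

Hosts reported as "unknown" need a manual check on the About Chrome page rather than being counted as safe.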

If you use other Chromium-based browsers like Microsoft Edge, Brave, Opera, and Vivaldi, you should also update them as soon as possible. All four have updates available that prevent the exploit.

DALL-E’s latest trick: extending the boundaries of paintings https://www.popsci.com/technology/open-ai-dalle-outpainting/ Sat, 03 Sep 2022 11:00:00 +0000 https://www.popsci.com/?p=467104
girl with a pearl earring painting with outpainting-filled background
An example of artwork with an outpainting-filled background. August Kamp / OpenAI / Johannes Vermeer

OpenAI is introducing a new feature to its text-to-image generator. Here's how it works.

The post DALL-E’s latest trick: extending the boundaries of paintings appeared first on Popular Science.

OpenAI, the developer of the AI text-to-image generator DALL-E 2, has just announced a new feature for the app called “outpainting.” It allows users to extend existing images and works of art with AI-generated content. It’s pretty exciting, and hugely expands the capabilities of the tool.

DALL-E 2 is one of the most popular text-to-image generators available at the moment. With more than a million users, it’s no wonder that content created by it seems to be everywhere. (A lot of other text-to-image generators are either in a closed beta, like Stable Diffusion, are not available to the public, like Google’s Imagen, or are much more limited in scope, like Craiyon.) 

DALL-E 2 takes a text prompt, like “an astronaut riding a horse in the style of Andy Warhol,” and generates nine 1,024-pixel by 1,024-pixel images that illustrate it. It uses a process called “diffusion” where it starts with randomly generated noise and then edits it to match the salient features of the prompt as closely as possible. 

Until now, users were limited in the size and aspect ratio of what they could create with DALL-E 2. The AI program could only generate 1,024-pixel by 1,024-pixel squares—anything larger or a different shape was out of the question. It was possible to use a feature called “inpainting” to modify details in existing artworks, but actually creating a bigger canvas involved manually stitching different sections together using an app like Photoshop. (For different aspect ratios, you could crop your image, but that reduced the overall resolution.)

Now with outpainting, the only limit users face—other than the content filters—is the number of credits they have. (Everyone gets 50 free generation credits during their first month and 15 to use every month after that. Blocks of 115 additional credits can be purchased for $15.) Generating an initial image takes one credit, as does every additional outpainted section.

Outpainting works as an extension to DALL-E 2. Users select a 1,024-pixel by 1,024-pixel square area where they want to extend the image to and can specify any additional prompts to guide the AI. For example, to add more of a background to the astronaut on a horse, you could change the prompt to “an astronaut riding a horse on the moon with stars in the background in the style of Andy Warhol.” 

For each outpainted section, DALL-E 2 will offer up four possibilities for users to select. If none of them work for the image, you can get it to try again. 

Most impressively, outpainting “takes into account the image’s existing visual elements—including shadows, reflections, and textures.” This means that any details added “maintain the context” of the image and can really look like part of a coherent whole. 

In DALL-E 2’s announcement of outpainting, there’s a timelapse showing Girl with a Pearl Earring by Johannes Vermeer being extended to around 20 times its original size. Instead of a simple portrait, it shows a young woman standing in a cluttered house. It’s fascinating to see because so long as you don’t look too closely, it really does look like an extension of the original painting. The overall style and mood is spot on. It’s almost like an imaginary behind the scenes shot.

If you want to try outpainting, you will need to sign up to DALL-E 2. OpenAI is currently operating a rolling waitlist. If you want to sign up, you can do so here.

‘The Merge’ is happening. Here’s what that means for those in crypto. https://www.popsci.com/technology/ethereum-merge/ Wed, 31 Aug 2022 19:00:00 +0000 https://www.popsci.com/?p=466727
interstate highway
Denys Nevozhai / Unsplash

A popular cryptocurrency is getting a big change.

The post ‘The Merge’ is happening. Here’s what that means for those in crypto. appeared first on Popular Science.

The cryptocurrency Ethereum, the second-biggest name in cryptocurrency and the most popular by number of trades, is due to undergo its biggest upgrade ever next month. Known as “the Merge,” it will change up how Ethereum runs its operation behind-the-scenes. Specifically, it is shifting away from using something called a proof-of-work algorithm to verify transactions between users to the more environmentally friendly proof-of-stake algorithm. This transition, which has been promised by Ethereum for years, has faced many delays in its rollout.

“It’s a highly anticipated moment in crypto,” explains Christian Catalini, the founder of the MIT Cryptoeconomics Lab. “We don’t see major shifts and changes to the governance and incentives model of a large cryptocurrency that often.”

Here’s what’s going to happen. 

The problem with proof-of-work

Bitcoin and Ethereum currently use a so-called proof-of-work algorithm to add new blocks to their blockchains. Whenever a new block is due to be added, computers (or “miners”) around the world compete to be the first to solve an incredibly hard math problem. The first miner to do so is paid with some of the cryptocurrency—which is how new tokens get added to the economy. (For a more detailed explanation, check out our guide to the basics of cryptocurrencies.)

The problem with this is that it is incredibly wasteful. Bitcoin has roughly 1 million miners while Ethereum has around 120,000. For every one miner that solves the math equation, tens of thousands more are just wasting electricity. It’s one of the reasons why cryptocurrencies use so much electricity to process relatively tiny numbers of transactions compared to a payment company like Visa.

The Merge and proof-of-stake

Proof-of-stake is a different method for validating blockchains. Instead of a race, in proof-of-stake systems, “validators” deposit or “stake” a number of coins to enter a lottery to be the one to add each block. The coins are held as insurance against bad actors. If a validator misbehaves and approves a fraudulent transaction, for example, their stake can be confiscated. In payment for running the network, validators earn a return on their staked coins from transaction fees. 

Because only one computer does the work, the work doesn’t involve incredibly complex math, and a device as small as a Raspberry Pi can be a validator, cryptocurrencies with proof-of-stake algorithms require dramatically less electricity to run, according to experts in the industry. After the Merge, for example, Ethereum estimates that its energy use should fall by around 99.95 percent.
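To make the contrast concrete, here is a toy model of the two schemes described above. It is an added illustration, not code from Ethereum or from the article: the miner count, difficulty, validator names, stakes and fee handling are constructed, and the real protocols are far more involved.

```python
import hashlib


def pow_hash(block: bytes, miner: int, nonce: int) -> bytes:
    """SHA-256 over the block data, the miner's id and its current guess."""
    data = block + miner.to_bytes(4, "big") + nonce.to_bytes(8, "big")
    return hashlib.sha256(data).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """True when the digest starts with at least `difficulty_bits` zero bits."""
    return int.from_bytes(digest, "big") >> (256 - difficulty_bits) == 0


def proof_of_work_round(block, miners, difficulty_bits, max_nonce=1_000_000):
    """Proof-of-work race: every miner hashes in lockstep, first valid digest wins."""
    total = 0
    for nonce in range(max_nonce):
        for miner in range(miners):
            total += 1
            if meets_target(pow_hash(block, miner, nonce), difficulty_bits):
                winner_hashes = nonce + 1
                return {
                    "winner": miner,
                    "nonce": nonce,
                    "total_hashes": total,
                    "winner_hashes": winner_hashes,
                    # Everything the losing miners computed is thrown away.
                    "wasted_hashes": total - winner_hashes,
                }
    raise RuntimeError("no solution found within max_nonce")


def select_proposer(stakes: dict, seed: bytes) -> str:
    """Proof-of-stake lottery: one hash draws a ticket; more stake, more tickets."""
    total = sum(stakes.values())
    if total <= 0:
        raise ValueError("no stake deposited")
    ticket = int.from_bytes(hashlib.sha256(seed).digest(), "big") % total
    upper = 0
    for name in sorted(stakes):  # fixed order so every node picks the same winner
        upper += stakes[name]
        if ticket < upper:
            return name
    raise AssertionError("unreachable: ticket is always below the total stake")


def settle_block(stakes: dict, proposer: str, fraudulent: bool, fee: int) -> int:
    """Pay the proposer the fee, or confiscate its stake if it approved fraud."""
    if fraudulent:
        confiscated = stakes[proposer]
        stakes[proposer] = 0  # a validator with no stake can no longer be drawn
        return -confiscated
    stakes[proposer] += fee  # simplification: the fee is added to the stake
    return fee


def compare(block=b"constructed block 1", miners=50, difficulty_bits=12):
    """Hash evaluations needed to choose who adds one block under each scheme."""
    pow_result = proof_of_work_round(block, miners, difficulty_bits)
    stakes = {"alice": 32, "bob": 64, "carol": 0, "dave": 32}  # constructed
    return {
        "pow_hashes": pow_result["total_hashes"],
        "pos_hashes": 1,  # the single lottery draw in select_proposer
        "proposer": select_proposer(stakes, block),
    }


if __name__ == "__main__":
    print(compare())
```

Raising `difficulty_bits` by one doubles the expected number of proof-of-work hashes, while the lottery draw stays at one hash regardless of how many validators take part.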

What does the Merge mean?

Since November 2020, the Beacon Chain (which uses proof-of-stake) has been running in parallel with the Ethereum blockchain. The organizations responsible for Ethereum’s development introduced the Beacon Chain as a pilot test of sorts for proof-of-stake within the larger Ethereum ecosystem. Because the Beacon Chain existed separately from the main Ethereum network over the past two years, “The Merge” refers to the plan to integrate the proof-of-stake system that’s “controlled and coordinated by the Beacon Chain” into the main Ethereum network. 

Over the past two years, the developers have trialed everything with a number of test networks, so they are confident that they can pull this off without a hitch. The Merge is currently scheduled to start on September 6 and should finish sometime between September 10 and September 20. (The mechanics of how the proof-of-work algorithm will be phased out means the exact time of the Merge can’t be known in advance.)

Once it’s done, Ethereum will be the largest proof-of-stake cryptocurrency. 

What does this mean for cryptocurrencies?

The biggest change, presuming the Merge is successful, will be the reduction in the Ethereum network’s energy demands. 

“The environmental impact of Ethereum would be greatly reduced,” says Catalini. However, he says that we can’t be sure of much else. “Proof-of-work has a very long history in terms of security, resilience, and distribution, and a lot less is known about what an ecosystem looks like when you rely on staking of coins and proof-of-stake.”

“While some of these incentives and rules look good on paper,” he says, “you could imagine adversarial actors looking to take advantage of this transition to disrupt things.”

There is also the risk that disgruntled miners could create a new Ethereum “fork.” In other words, there wouldn’t be one chain, but multiple competing chains. “Some people are big fans of proof-of-work,” says Catalini. “Will they embrace some other proof-of-work version of Ethereum?” How that would affect the overall crypto-economy is impossible to predict.

But Catalini is generally positive. While he says that “a lot of this depends on how the merge plays out,” he thinks that in the long term, the merge will be “good news for Ethereum.”

Is now a good time to buy Ethereum?

Catalini is careful to warn off anyone thinking of making a quick buck trading Ethereum over the coming weeks. He says, “there is so much uncertainty, it is extremely dangerous to trade around this Merge.”

“There are going to be more informed participants in the ecosystem that will be able to trade earlier,” he stresses. “Is a consumer making a bet on the Merge likely to win outside of luck?” We think not.

What Google’s latest algorithm tweaks mean for your search results https://www.popsci.com/technology/google-search-engine-changes/ Fri, 26 Aug 2022 14:00:00 +0000 https://www.popsci.com/?p=465387
Google isn't the only search engine out there, but it does have the biggest market share, by far. Photo by Firmbee.com on Unsplash

The company argues that its changes will target sites that are trying to game the search system.

The post What Google’s latest algorithm tweaks mean for your search results appeared first on Popular Science.

To stay on top, Google is always trying to improve its search engine, both in how it presents the information it has to searchers and how it finds that information in the first place. If it can’t give people the answers they’re looking for, why would they keep turning to the big G? In its latest round of changes (called the Helpful Content Update), Google says it is trying to show “more content by people, for people” in search results by targeting sites that attempt to game its results pages with low-quality and algorithmically generated content. Instead, it says it will prioritize original content and product reviews from experts.

For most people, the customer-facing changes will always be the most obvious. Think of things like the quick answer box that you see at the top of more and more searches (officially called Featured Snippets), Google’s AI-driven efforts last year to offer more comprehensive search suggestions to complex queries, and the Knowledge Graph, which is what tells you actors’ birthdays, moon phases, and other facts when you look for them. All of these are big, visible changes in how Google presents information about the thing you’ve searched for that are designed to make it faster for you to find whatever it is you’re looking for.

But while these front-end changes can feel dramatic, especially given how much the Google Search page has changed over the years, it’s the backend adjustments that can have the most profound effects on the results you see. In the past, popular sites have been essentially purged from the top results by updates to Google’s search algorithms.

A big part of the problem for Google is search engine optimization, or SEO. While SEO is not inherently bad, sites can take it way too far by attempting to game Google’s results pages. In its most benign form, SEO is simply taking sensible steps to ensure that Google can understand and access the content you’re publishing, and making sure that it loads quickly and is readable for everyone. (Google doesn’t want to serve up a link to a site that takes ages to load and, even when it does, is unreadable on mobile devices.)

For the most part, this means making sure the content is logically written, that you include the kind of key phrases that people are actually looking for, and that your site is well made and maintained. When it comes to individual articles, ideally they should set out to answer a question—and then actually answer it. And whether you view the article on a desktop or smartphone, it should look good and load quickly. All in all, a win for everyone. 

But then there’s also the dark side. Online, traffic is money. If you get people to visit your website and see ads, you get paid. The higher up your site appears in the Google rankings on average, the more traffic it gets, and, so, the more money you get. The incentives to try and game Google’s algorithms are pretty clear. 

You’ve almost certainly encountered SEO-driven sites that are set up just to get traffic and not really help people. For example, millions of people (including many of us here at PopSci) are eagerly awaiting season three of Ted Lasso. The release date hasn’t been announced yet, but if you Google “ted lasso season 3 release date” you will get a dozen sites with headlines making it sound like it has been. Similarly, there are lots of automated sites that scrape content from around the web and repackage it with ads—without adding anything else of value. It’s these kinds of sites that Google’s latest update is targeting. 

This is all part of Google’s broader strategy to promote useful and relevant content. An update earlier this year, for example, was aimed at showing better product reviews. It was designed to rank in-depth, well-researched, hands-on reviews written by people with experience with the product rather than just roundups. 

This latest Helpful Content update is taking a similar strategy and aims to promote content that is “by people, for people.” In other words, things that are written for humans to read, not Google’s search algorithms. It says that it will do this by ranking original content more highly, rather than articles that aggregate publicly available information without adding anything, and promoting reviews by experts.

If you run a site and you’re worried that Google is about to take away some of your hard earned (or hardly earned) traffic, then you can peruse a guide it released on what creators should know about the update. If you just want to know more about how Google search works, it’s also a good read. 

Finally, if you’re interested in trying out a non-Google search engine, check out Brave or DuckDuckGo.

Privacy concerns over period-tracking apps are valid, Mozilla report finds https://www.popsci.com/technology/mozilla-period-app-privacy-report/ Tue, 23 Aug 2022 19:00:00 +0000 https://www.popsci.com/?p=464542
period tracking app on phone
Do you use a period tracking app? See how it ranks privacy-wise in this report. DEPOSIT PHOTOS

The report finds that the privacy policies of the apps they evaluated are "riddled with loopholes.”

The post Privacy concerns over period-tracking apps are valid, Mozilla report finds appeared first on Popular Science.

In a report released last week, Mozilla, makers of the privacy-focused browser Firefox, found that 18 out of 25 reproductive health apps and wearable devices that it investigated had insecure, insufficient, or outright exploitative privacy and security practices. In a post-Roe America, the kind of data these apps and wearables collect can be—and has been—used by authorities to determine if users are or have been pregnant, sought information about abortion services, or even obtained an abortion.

In 2017, Mozilla created its *Privacy Not Included buying guide to help people shop for safe products that are connected to the internet. Many devices and services track large amounts of identifying and incredibly personal information, and don’t take the necessary steps to protect it. 

The minimum security standards Mozilla is looking for are fair and, for the companies and developers creating these products, relatively simple to have in place. The organization says that user data should be encrypted when transmitted over the internet and stored in a database; security updates should be automatic, enabled by default, and supported for a reasonable period after sale; people should be required to use a strong password; the manufacturer needs to have a vulnerability management system in place so security researchers can inform them of any security issues they find; and there needs to be a publicly available privacy policy. 

As well as the minimum security standards, Mozilla also investigates how each product uses the data it collects on its users (for example, selling it to data brokers is a bad thing), how easy it is for users to control their data, and if the company has a good track record of protecting user privacy. 

If an app or product falls short on two or more of the categories (or Mozilla can’t confirm it meets the minimum security standards) it gets flagged with a *Privacy Not Included warning label. This is what 18 of the 25 reproductive health tracking tools received. 

In its investigation, Mozilla looked at ten of the most popular period tracking apps, ten of the most popular pregnancy tracking apps, and five wearable devices that track fertility. 

Overall, the apps fared terribly. Mozilla found that these apps typically collected a “buffet” of data that was used to target users with ads, and was sold to third parties. Often the apps operated a “data first, then consent” model where data collection started before users even opted in. There were also rarely clear guidelines about how, when, and what data could be shared with law enforcement—a particularly troubling issue given the nature of the apps and devices in question. The only app to get a Best Of was Euki, created by Women Help Women. Natural Cycles – Birth Control also did okay, but still had some troubling data practices.

Here are all the apps that got slapped with the *Privacy Not Included warning label: Clue Period & Cycle Tracker, Preglife Pregnancy App, Ovia Pregnancy, Babycenter, Pregnancy+, Period Tracker by GP International LLC, WebMD Pregnancy, My Calendar Period Tracker, What to Expect Pregnancy Tracker & Baby App, Flo Ovulation & Period Tracker, Pregnancy & Due Date Tracker, The Bump Pregnancy Tracker & Baby App, Ovia Fertility, Glow Nurture & Glow Baby, Maya Period, Fertility, Ovulation, & Pregnancy, Period Calendar Period Tracker, Glow & Eve by Glow, and Sprout Pregnancy.

The wearables did much better. None of the Garmin, Apple Watch, Oura Ring, Fitbit, or Whoop devices Mozilla investigated handled data as poorly as the apps. There are still plenty of legitimate concerns with any kind of large scale data collection, but the odds are much higher that your data will stay safe. 

On the other hand, if you use an app that got Mozilla’s *Privacy Not Included warning label, we suggest you click through to the relevant link above and read a little more. Mozilla is very good at laying out what exactly was concerning about the apps. For example, it flags that WebMD Pregnancy collects user data that it transfers (and possibly sells) to third parties. It also has a very wishy-washy statement about complying with law enforcement requests. If any of that concerns you, then you shouldn’t use WebMD Pregnancy.

In the report, Ashley Boyd, Mozilla’s vice president of advocacy, says, “Overnight, apps and devices that millions of people trust have the potential to be used to prosecute people seeking abortions. Our research confirms that users should think twice before using most reproductive health apps; their privacy policies are riddled with loopholes and they fail to properly secure intimate data.” We agree.

Older macOS apps could still be vulnerable to a devastating security flaw https://www.popsci.com/technology/macos-saved-state-security-flaw/ Fri, 19 Aug 2022 14:00:00 +0000 https://www.popsci.com/?p=463187
apple macbook at the restart screen
A new security flaw takes advantage of when Macs restart. DEPOSIT PHOTOS

The researcher who discovered this flaw informed Apple in 2020. There are patches, but older applications could still be at risk.

The post Older macOS apps could still be vulnerable to a devastating security flaw appeared first on Popular Science.

At the Black Hat USA cybersecurity and DEF CON hacker conferences in Las Vegas last week, a lot of exciting developments and updates in cybersecurity were announced. Security researchers demonstrated that they could jailbreak John Deere tractors and hijack decommissioned satellites, while major tech companies found new ways for existing security tools to work together.

One story highlighted a flaw in a major operating system’s software: In 2020, Dutch researcher Thijs Alkemade found a vulnerability that broke every layer of security in macOS. It’s since been patched, but older applications running on macOS may still be vulnerable. This research is particularly interesting considering Apple’s recent release of a security update to fix a flaw that could allow hackers to take complete control of devices.

Alkemade’s discovery was a vulnerability in macOS’s “saved state” feature. When you shut down your Mac, you have the option to check a box that will automatically reopen all your apps and windows when you turn it back on. This creates a saved system state on your hard drive that the operating system reloads your applications from. (It’s also used as part of “App Nap”, where apps that are being used are suspended to free up system resources.)

By repeatedly using a technique called “process injection” against the saved state feature, Alkemade was able to evade all the system protections macOS has and take over a vulnerable Mac, reading any file on disk, installing other malware, and even activating the webcam without the user knowing. This includes macOS’s “App Sandbox”, which is designed to limit malicious code to a single application and stop hackers from being able to use a single vulnerability (like this one) to take over the whole system. 

Process injection works by tricking the operating system into running malicious code by disguising it as part of another process that is allowed to run. In general, this means inserting malicious code into apps and system tools that have a lot of permission to access the most secure corners of the operating system. While this is a common mode of attack, few are as widespread or dangerous as this one. 

In this case, Alkemade was able to create a malicious “serialized object”—which is a kind of commonly used data structure in macOS that can be converted into a string of raw computer code and back again (this is usually done to get the data ready for storage or sharing). He then saved it in the macOS file system so that it would be loaded by the saved state feature if the targeted app was running when the user initiated a system shut down. (The specifics of all this are covered in depth in Alkemade’s blog post detailing the exploit.)

[Related: How digital bounty hunters search for software bugs—and money]

To evade the App Sandbox, Alkemade abused macOS’s Open and Save panel. It’s one of the few processes that can run inside a Sandboxed app that enables it to see files it wouldn’t otherwise have access to. The panel’s permissions enabled Alkemade to run his malicious code outside of the App Sandbox and then, by piggybacking on the permissions of the macOS Public Beta Access Utility, to gain root access (basically, administrator-level permissions) to the system.

The final layer of macOS security Alkemade had to bypass is called “System Integrity Protection” or SIP. It’s explicitly designed to prevent a malicious actor with root access taking over your system, controlling your webcam, or accessing certain protected files. He was able to get around it by using the process injection attack on macOS Update Assistant, which has permission to read and write data to all SIP protected locations. 

With that done, Alkemade had near total control over the Mac. He was in a position where he could install any malicious tools—like keyloggers and other spyware—or steal any data on the system. And all using the one vulnerability in macOS. Alkemade informed Apple in 2020 and received a payout through the Apple Security Bounty program. Two updates to patch various aspects of the vulnerability were released, in April and October, 2021. And while there has so far been no evidence of it being used in the wild, because of the nature of the attack, older applications (or updated applications that can be maliciously downgraded) will remain vulnerable for the foreseeable future.

TikTok’s new AI art filter riffs on your text https://www.popsci.com/technology/tiktoks-ai-filter-text-to-image-generator/ Wed, 17 Aug 2022 23:00:00 +0000 https://www.popsci.com/?p=463160
tiktok app in the app store
TikTok's new filter is an abstract take on text-to-image generators. DEPOSIT PHOTOS

It's trying its best to generate backgrounds based on user text prompts.

The post TikTok’s new AI art filter riffs on your text appeared first on Popular Science.


TikTok has launched a new in-app AI-powered text-to-image generator called the “AI greenscreen” filter. First reported by The Verge, users can now type a prompt like “exploding galaxy flowers” and TikTok will create an abstract interpretation that can be used as a video background. 

AI text-to-image models like OpenAI’s DALL-E 2, Google’s Imagen, and Midjourney are having a bit of a moment. It’s hard to avoid their output on social media (especially Twitter), where people share the weirdest and wildest things they are able to get the AI models to create. The results are undeniably impressive—and it’s going to be fascinating to see how these tools develop as they gather more input. 

Since Imagen isn’t yet open to the public, and DALL-E 2 and Midjourney are both in Beta, TikTok is now the AI text-to-image generator with the largest (potential) user base. With an app update, more than a billion people have access to the kind of tool that—until last week—was limited to a few million at most.

[Related: The Dall-E Mini image generator’s ridiculousness might be its main appeal]

TikTok’s version, however, is much more limited. While DALL-E 2 and Midjourney can produce some incredibly well-realized outputs, TikTok’s text-to-image generator is limited to more abstract interpretations of the prompt. In the examples we’ve seen, it produces color-appropriate backgrounds without much in the way of recognizable objects.

By remaining relatively abstract, TikTok has managed to avoid many of the potential pitfalls associated with text-to-image generators, like displaying obvious biases in its output.

With a community of more than a billion users who are known for experimenting with online art forms, it was probably a good idea that the developers played it safe. Recently, Meta platforms saw similar issues materialize when they let their chatbot learn from internet users.

[Related: 5 ways to get Craiyon, formerly Dall-E mini, to bend to your will]

Additionally, TikTok is infamous for the amount of misinformation on the platform. Providing users with a tool that could potentially be used to create misinformation-related content would likely have attracted a lot of criticism. (Presumably, creating more abstract backgrounds also demands less intensive computational resources—another bonus for many users.)

Of course, none of this has stopped people from trying to push TikTok’s text-to-image generator to breaking point. Both The Verge and TechCrunch tried to get TikTok to violate its own community guidelines, with prompts like “assassination of Joe Biden,” “naked model on beach,” and “man killing another man.” In all instances, the background was clearly inspired by the prompt—flesh tones, bright oranges, and blues for the model on a beach; an abstract pattern of red, grey, and white for the murdering men—but it didn’t show anything remotely graphic. Regular users on TikTok have tried similar stunts, without much success. 

AI Greenscreen is available for TikTok users right now. Just tap the Effects option on the Camera screen and search for “AI Greenscreen”. It’s already being used in a few TikTok challenges. Specifically, users are entering their name into the generator to see what their “aesthetic” is. Others are entering their birthday—though we really can’t advise sharing that kind of information publicly.

To fight cyber attacks, tech companies are banding together https://www.popsci.com/technology/cyber-attack-prevention-initiative/ Fri, 12 Aug 2022 19:00:00 +0000 https://www.popsci.com/?p=462125
Working together—for cybersecurity.
Working together—for cybersecurity. Photo by Mateusz Wacławek on Unsplash

The new initiative is called the Open Cybersecurity Schema Framework. Here's what it will do.

The post To fight cyber attacks, tech companies are banding together appeared first on Popular Science.


The Black Hat USA cybersecurity conference was on in Las Vegas this week, featuring exciting cybersecurity news and demonstrations. One of the most interesting tidbits to break is a new common data standard for sharing cybersecurity information called the Open Cybersecurity Schema Framework (OCSF). It was developed by 18 major tech and cybersecurity companies, including Amazon, Splunk, and IBM.

So why is something like this necessary? Monitoring the computer systems under their purview is a major challenge for cybersecurity departments. In order to stop hacks—or piece together what happened after one—these departments need to be able to see information about things like the number of recent login attempts, what files have been accessed, and when it’s all happened. To do this, they typically use a lot of different software—most of which uses its own proprietary data structures.

This lack of interoperability between the different security systems’ data is a big issue. In Amazon’s press release announcing the OCSF framework, Mark Ryland, director of AWS’s office of the CISO, says, “Security teams have to correlate and unify data across multiple products from different vendors in a range of proprietary formats… Instead of focusing primarily on detecting and responding to events, security teams spend time normalizing this data as a prerequisite to understanding and response.”

In other words, cybersecurity teams aren’t solving cybersecurity problems: they’re using spreadsheets to try and get the data they need from one product to line up with the data they need from another. 

For example, one bit of software might track logins and login attempts, another tracks what logged-in users do with files on the server, and a third tracks admin access and other high-level requests. Then, assume a hacker breaks into a computer system, installs a bit of malware into a particular folder, and uses that piece of malware to get admin access—all so they can download a load of industry secrets or whatever their target might be.

To follow or recreate this complex (though incredibly simplified, in this example) sequence of events, the cybersecurity team will have to combine data from all three logging tools. The login-tracking app will report how the hacker got in, the file-tracking app will report the malware install and the download of all the important files, while the admin-tracking app will report how and when they did it. Unless all three apps use the same data format (which they presently don’t), that’s going to involve a lot of data manipulation.

What the OCSF does is create an open data format that any product vendor can use. This means that different security, hosting, and other relevant tech products can all work together much more easily. Instead of the login, file, and admin-tracking apps all having their own proprietary way of logging timestamps, they’d all be able to use the same standardized data structure. That way, the cybersecurity team could easily track—and ideally stop—the hacker. 

While it gets a bit abstract and complex, you can check out the OCSF framework on GitHub right now. You can also explore the current list of categories of data here—or even contribute to it.

The framework isn’t just wishful thinking. It’s been introduced at one of the most important cybersecurity conferences in the world by some of the biggest names in tech and cybersecurity. In addition to Amazon, Splunk, and IBM, Broadcom, Salesforce, Rapid7, Tanium, Cloudflare, Palo Alto Networks, DTEX, CrowdStrike, JupiterOne, Zscaler, Sumo Logic, IronNet, Securonix, and Trend Micro were all involved in developing OCSF—and all are working towards including it in their products.

As Ryland says in Amazon’s press release, “Although we as an industry can’t directly control the behavior of threat actors, we can improve our collective defenses by making it easier for security teams to do their jobs more efficiently.” And more efficient cybersecurity teams are better at doing what matters: keeping all of our data safe.

Google pleads its case to Apple to switch from SMS to RCS texts https://www.popsci.com/technology/google-apple-sms-rcs-protocol/ Wed, 10 Aug 2022 19:00:00 +0000 https://www.popsci.com/?p=461648
text message on phones
Will the green bubble blue bubble debate ever cease? DEPOSIT PHOTOS

Google wants Apple to make some changes, arguing it will improve texting between Android devices and iPhones.

The post Google pleads its case to Apple to switch from SMS to RCS texts appeared first on Popular Science.


Messaging platforms and bubble colors go hand in hand: There are Google’s green bubbles—how messages sent from its Android phones appear on iPhones—and of course the well known blue bubbles of iPhone users. 

On that front, Google is adding even more color to the situation by trying to publicly shame Apple into adopting a protocol called RCS with a new website and social media campaign launched this week. “Get The Message” lays out Google’s arguments for why Apple should enable RCS instead of SMS—and encourages users to “Help @Apple #GetTheMessage” by Tweeting about it. 

Messaging, of course, is an incredibly important feature of smartphones. Collectively, we send billions of iMessages, WhatsApp messages, and other kinds of text messages every single day. It’s understandable that this is something Google feels strongly about: texting between iPhones and Android phones using SMS sucks. Plus, the SMS protocol that’s used between the two platforms really is objectively worse than the iMessage protocol used for iPhone-to-iPhone texting. 

So, let’s look at what’s really going on. 

Messaging for dummies

Not all text messages are the same. Depending on the protocol or service you use, they can be sent in entirely different ways. 

To start, SMS (Short Message Service) and MMS (Multimedia Message Service) are what many of us grew up with. Developed in the 1980s, they’re wildly out of date, inefficient, and insecure—and still widely used today. You’re limited to 160 characters per message and they’re sent over the cell network. (On an iPhone, they’re displayed as a green bubble.)

Then there’s iMessage, Apple’s proprietary messaging protocol. Messages are end-to-end encrypted and sent over the internet. It also allows you to see when someone is typing, receive “read” notifications, send and receive high quality images and videos, and participate in group chats. Plus, it has add-on features like reactions and voice notes. (On an iPhone, they’re displayed as a blue bubble.)

Next comes Rich Communication Service (RCS), which is supposed to be the successor to SMS and MMS. It enables messages to be sent over the internet, which allows many of the features people expect in a messaging app that are missing from SMS—like group chats, live typing notifications, read receipts, audio notes, and high-quality photos. While the iPhone doesn’t support RCS, it’s available through Google’s Messages app on modern Android phones.

This is what all the current drama is about: Google wants Apple to use the RCS standard for messages sent between iPhones and Android phones, not SMS, which it currently uses. 

Is RCS really the same as iMessage?

While Google attempts to equate RCS and iMessage, the two are fundamentally different in a couple of ways. Apple’s iMessage is more akin to WhatsApp, Signal, or Skype than SMS. Yes, on an iPhone, they’re sent from the same app, but they’re not the same sort of texts.

On the other hand, RCS is an open standard built on top of SMS and MMS. It was designed by a consortium in 2007 before the iPhone even launched, and it has taken years to roll out. One big barrier was that it originally required support from wireless carriers who are hardly famous for their rapid embrace of new technologies. In 2019, Google did an end-run around them and launched an app that would allow it to enable RCS on Android on its own. 

One big iMessage feature that the RCS protocol lacks is end-to-end encryption. However, Google has developed a workaround: All one-on-one RCS conversations using its Messages app are end-to-end encrypted. (Group messaging will be encrypted later this year.) However, this undermines one of the supposed points of RCS: that it’s an open standard that any compatible app can use. If encryption is only available between certain apps, it’s no longer open.

Locked in and loaded

As interesting as the subtle differences between the various messaging protocols are, the latest news is related to something else: Google’s absolute failure to develop its own messaging protocol despite countless attempts. It is trying to shame Apple into using RCS, because it has utterly failed to compete with iMessage.

That’s not to say it wouldn’t be good for consumers if Apple embraced RCS, but it’s only in the last couple of years that it has become a credible alternative to SMS, let alone any other service. And it still doesn’t offer all the features that are available in iMessage—in particular, always-enabled end-to-end encryption.

Could Apple embrace RCS messaging and work with Google to make it end-to-end encrypted between iPhones and Android devices? Sure, but Google would have to solve a few more problems first. And for now, Apple clearly enjoys the benefits of the customer lock-in that comes with iMessage, despite Google’s increasing public pressure.

Meanwhile, in Europe, another option looms large: Meta-owned WhatsApp is installed on more than 90 percent of smartphones in some countries. It’s cross-platform, end-to-end encrypted, and supports all the features you could want. 

But whatever happens over the next few years, remember, RCS is still a fundamentally different protocol to iMessage. Don’t expect the green bubbles to ever go away.

Correction on August 12: This post has been updated to clarify that WhatsApp is installed on more than 90 percent of smartphones in some European countries.

Hospital patients say a Facebook-linked ad tool violated their privacy https://www.popsci.com/technology/us-hospital-patients-suing-meta/ Wed, 03 Aug 2022 19:00:00 +0000 https://www.popsci.com/?p=459960
doctor using phone
A recent lawsuit involves Facebook and US hospitals. Unsplash

Two new lawsuits claim that an ad analytics-tracking tool called the Meta Pixel sent patients' sensitive medical information to Facebook.

The post Hospital patients say a Facebook-linked ad tool violated their privacy appeared first on Popular Science.


Two new lawsuits allege that Meta, Facebook’s parent company, and a number of US hospitals violated medical privacy law HIPAA, according to The Verge. These lawsuits follow a report from The Markup published this June documenting how the Meta Pixel, an ad analytics tracking tool installed on many websites, potentially shared identifying patient data in a way that violated HIPAA. Both lawsuits were filed in the Northern District of California and argued that the use of the Meta Pixel on hospital websites allowed sensitive health information to be sent to Facebook. The lawyers for the plaintiffs are trying to get them classified as class action suits and demanding jury trials. 

But let’s step back a bit and answer some key questions: What is the Meta Pixel, how does it work, and why are hospitals installing it on their websites? And since they are, is that likely to be a HIPAA violation?

The Meta Pixel is a free ad tracking tool from Facebook. According to research conducted by The Markup, approximately a third of the 80,000 most popular websites have the Meta Pixel installed. (Full disclosure: PopSci is one of them.) This tool allows website owners to see analytics from Facebook and Instagram ads they run, and target Facebook and Instagram users who have visited their sites with ads.

The Meta Pixel is automatically triggered when someone visits a website with it installed. If they’re logged into Facebook (and not using a browser that protects against third-party tracking), it sends information about who they are and what they do on the site to Facebook. (Even if they’re not logged in, Facebook has other ways of attempting to glean information about visitors through the Meta Pixel.) What information is sent to Facebook is controlled by the website operator, and this is where the HIPAA troubles start.

As part of The Markup’s Pixel Hunt investigation into Facebook ad tracking, it tested the websites of Newsweek’s top 100 US hospitals for 2022. It found the Meta Pixel installed on 33 of them, and all of them sent sensitive data to Facebook, including identifying information such as a visitor’s IP address, and when they attempted to schedule an appointment. 

[Related: How data brokers threaten your privacy]

“On the website of University Hospitals Cleveland Medical Center, for example, clicking the ‘Schedule Online’ button on a doctor’s page prompted the Meta Pixel to send Facebook the text of the button, the doctor’s name, and the search term we used to find her: ‘pregnancy termination,’” The Markup reported. 

For seven hospitals, the situation was even worse. The Meta Pixel wasn’t just installed on the public facing web pages, but also on the password-protected patient portals. For five of those websites, it documented real patient data—provided by volunteers who signed up to help the Pixel Hunt investigation using Mozilla’s ad-tracker tracking Rally plugin—being sent to Facebook. Some of that information included “the names of patients’ medications, descriptions of their allergic reactions, and details about their upcoming doctor’s appointments.”

According to The Markup, “former regulators, health data security experts, and privacy advocates” all expressed concern that the hospitals using the Meta Pixel on their patient portals may have violated HIPAA regulations. David Holtzman, a health privacy consultant who has previously served as a senior privacy adviser for the US government agency that enforces HIPAA, told The Markup that while he couldn’t say for certain, “it is quite likely a HIPAA violation.”

It’s important to note that Facebook itself is not subject to HIPAA as it is not a healthcare provider. Still, there is cause for legitimate scrutiny of how Meta handles sensitive data. Following a report in The Wall Street Journal and a New York Department of Financial Services investigation in 2019, Meta said it was introducing a tool to automatically filter out sensitive medical data sent by websites through the Meta Pixel. However, according to previous reporting by The Markup and leaked Facebook internal documents, it is unlikely that the tool is 100 percent effective at filtering out sensitive medical data. 

Medical providers, on the other hand, are bound by HIPAA. They are not supposed to share data with third-parties without express consent from the patient in question. From The Markup’s reporting, it seems unlikely that any of the hospitals obtained that. 

While the majority of hospitals documented by The Markup’s investigation removed the Meta Pixel from their patient portals after they were contacted (and some also removed it from their public websites), their past actions set the stage for these two lawsuits. 

As well as Meta, one of the lawsuits names University of California San Francisco and Dignity Health patient portals as defendants. Apparently, a patient claims her medical information was sent to Facebook where she was then served targeted ads relating to her heart and knee conditions. The other suit doesn’t name any other defendants, but claims at least 664 healthcare providers have sent medical data to Meta. 

We won’t know whether either case will become a class action or even proceed for a while yet, but it’s another bad story for Meta—which really can’t seem to catch a break.

Major study finds video games don’t hurt or help your mental health https://www.popsci.com/technology/oxford-video-game-well-being-study/ Fri, 29 Jul 2022 12:00:00 +0000 https://www.popsci.com/?p=458739
animal crossing video game on switch
Video games don't appear to negatively impact mental health. Sara Kurfeß / Unsplash

The study tracked around 40,000 gamers who played Animal Crossing, Apex Legends, Eve Online, Forza Horizon 4, Gran Turismo Sport, Outriders, and The Crew 2.

The post Major study finds video games don’t hurt or help your mental health appeared first on Popular Science.


A University of Oxford study published on Wednesday in the Royal Society Open Science journal found that the amount of time spent playing video games is unlikely to have a significant impact on well-being. The study from the Oxford Internet Institute, with almost 40,000 individual gamers tracked over six weeks, is the largest of its kind and directly counters the narrative that gaming is harmful to mental health.

The Oxford study has quite a few things going for it. Unlike most previous studies, they collaborated with game publishers in order to get actual player data rather than relying on self-reported gaming time. Working with Nintendo, EA, CCP Games, Microsoft, Sony, and Square Enix, the study recruited 38,935 Animal Crossing: New Horizons, Apex Legends, Eve Online, Forza Horizon 4, Gran Turismo Sport, Outriders, and The Crew 2 players. 

Each participant was asked to fill out three surveys, sent to them via email. In every survey, one set of questions was related to their mental well-being, and the other set was about their experiences and motivations for gaming. Participants answered these questions at the start of the study, at two weeks, and at four weeks. The researchers used each participant’s gameplay data from the two weeks preceding each survey to investigate the effect—if any—of the amount of time each player spent gaming on their mental health.

After crunching the numbers, the research team found that time spent gaming had a “negligible” effect on mental well-being. The study data suggested that the average player would have to play 10 hours more than they typically do each day for there to be a noticeable change to their mental health. There were some minor variations when researchers looked at player motivations and the different types of games, but on the whole there was no major impact.

[Related: Inside the ambitious video game project trying to preserve Indigenous sports]

Of course, 40,000 players across seven games is a tiny fraction of the 3.2 billion people who play and the thousands of different games they play. There could well be more nuanced effects on sub-populations who play other games than the ones the researchers tracked. Animal Crossing: New Horizons (13,536 players) and Gran Turismo Sport (19,073 players) were by far the most popular games in their dataset, but neither is representative of the kind of games most often criticized.

Professor Andrew K. Przybylski, Senior Research Fellow at the Oxford Internet Institute, says in the accompanying press release: “Our study finds little to no evidence of connections between gameplay and well-being.” However, he recognizes that even the large data set is insignificant given that it is limited to just seven games. “We know we need much more player data from many more platforms to develop the kind of deeper understanding required to inform policy and shape advice to parents and medical professionals.”

Similarly, Dr Matti Vuorre, Researcher at the Oxford Internet Institute says that “right now there is not enough data and evidence for policymakers and regulators to be developing laws and rules to restrict gameplay among certain groups in a population.” (Something that has happened in China.)

While this study has the largest dataset of its kind, it is not the only one suggesting that gaming is not the villain it is sometimes painted as. A secondary analysis of just the two online shooter games (Apex Legends and Outriders) in the study found that time spent playing had no measurable effect on self-reported feelings of anger. Similarly, previous research by the same research group found that the players who spent more time gaming reported slightly greater levels of well-being. There is also plenty of evidence suggesting that playing video games can improve cognition, boost your memory, and increase cognitive flexibility.

With all that said, it’s also important to note that with a large dataset like this, you are really getting a sense of the average effect of video gaming across the population, not on individual gamers. The World Health Organization recognizes video game addiction and organizations like Game Quitters provide incredibly compelling anecdotal evidence that games can take over people’s lives. It’s also easy to argue that the kind of people for whom gaming is a problem would be among the least likely to respond to a survey.

It’s not just you—everyone hates Instagram now. Here’s why. https://www.popsci.com/technology/why-everyone-hates-instagram-update/ Wed, 27 Jul 2022 19:00:00 +0000 https://www.popsci.com/?p=458547
It used to be about photography.
It used to be about photography. Photo by Brett Jordan on Unsplash

This is what's going on with the Meta-owned social network.

The post It’s not just you—everyone hates Instagram now. Here’s why. appeared first on Popular Science.


Instagram’s latest updates to how it handles videos are not going down well with its users. A Change.org petition calling on it to roll back most of the latest changes and “Make Instagram Instagram Again” has garnered more than 200,000 signatures as of Wednesday. The shifts have also attracted the ire of the Kendall-Jenner clan. 

To catch you up on what’s been happening: Last week, Instagram announced that it was making some sweeping changes that absolutely had nothing to do with TikTok and were in no way copying its features. It added more options to its Remix feature, which allows you to combine your own photos and videos with those from other people into new videos—just like TikTok. 

It also announced that all videos shorter than 15 minutes would automatically be shared as Reels—the TikTok-like fullscreen video format that pops up in the main feed—rather than as regular video posts. Not only would this change how they would appear to your friends and followers, but if you had a public account it would make them eligible to be recommended to random users who don’t follow you in their feeds, and means they could also appear in the center Explore tab (yes, just like TikTok). This all comes on top of Instagram announcing it was testing a TikTok-like full-screen feed, offering a way to bring back a very limited version of the chronological feed a few months ago, and also polluting the main feed with countless “Suggested Posts.” 

Basically, just like Instagram added video after Vine came along and Stories after Snapchat, it’s now rapidly morphing into a TikTok clone to try to stop younger users leaving the platform—or steal them back from TikTok.

Of course, dramatic changes to how social media apps work rarely go ignored by their users, and this time is no exception. Photographer Tati Bruening set up that campaign to “Make Instagram Instagram Again,” calling on the service to stop trying to be TikTok, bring back the chronological timeline for everything, and listen to creators. 

Bruening’s post promoting her petition was shared by Kylie Jenner, the second-most followed person on Instagram, who added a big “PLEASEEEEEEE.” It was also shared by her sisters Kim and Kourtney Kardashian (the seventh- and 16th-most followed people respectively) who added similar pleas. 

While this might not seem like a big deal, it’s worth noting that alienating the most popular and active users is hardly a solid business strategy for Instagram and, crucially, Jenner’s social media displeasure can move markets. When she tweeted a complaint about a Snapchat update in 2018, the parent company Snap’s market cap fell $1.3 billion, roughly 6 percent of its total at the time. 

While Jenner’s wrath hasn’t knocked a few billion off Instagram and Facebook parent company Meta’s market cap yet, other factors have. Facebook lost more users than it gained for the first time ever this year, Apple’s privacy-focused iOS updates cost it $10 billion in ad revenue, the pivot to the metaverse is an expensive bet that shows no signs of paying off soon, and whistleblowers are continuing to paint a picture of a company in chaos.

Just this week, The Verge published a long article detailing a June 30 Q&A call with Meta CEO Mark Zuckerberg where he declared that some people currently working at the company shouldn’t be there and a leaked memo declaring that the company faced “serious times” with “fierce headwinds.” 

While he might not be able to solve every problem besetting Meta and Facebook, Instagram head Adam Mosseri could at least attempt to address the Kardashian-Jenners’ concerns. In a Reel posted on Tuesday, he acknowledged that “there’s a lot going on on Instagram.” With regard to the full-screen feed, Mosseri admitted it was “not yet good” but said that it was still being tested with a small percentage of users. 

The shift to video, on the other hand, is here to stay. According to Mosseri, Instagram will “continue to support photos,” but he believes “more and more of Instagram is going to become video over time.” He argues that this is happening naturally regardless of any changes on Instagram’s end of things but, as The Verge declares, it does mark the end of Instagram as people know it.

While Mosseri defended the massive number of recommended posts, he admitted that if users were seeing things they weren’t interested in, it meant they were “doing a bad job” with them.

To finish, Mosseri shut down the idea that Instagram would roll back anything. He declared that “the world is changing quickly, and we have to change along with it.” 

Organize your catastrophic digital photo library
https://www.popsci.com/story/diy/sort-photo-library/
Wed, 12 Feb 2020 21:57:51 +0000
A fanned-out stack of printed photos on a white surface.
Digital photos are free and don't take up any physical space. No wonder most of us are digital hoarders. Antonio Gravante / Depositphotos

Culling your old photos can be truly cathartic.


This story has been updated. It was originally published on February 13, 2020.

Since we started carrying smartphones with decent cameras in our pockets wherever we go, we’ve collectively taken more and more photos. Over the past decade, I’ve shot maybe 50,000 with my various iPhones, which makes for a hell of a lot of mediocre pictures—and very few good ones.

If you’re reading this, chances are you’re in a somewhat similar situation: years of shooting smartphone photos have given you an entirely unsorted, multi-thousand-picture camera roll.

Digital photos are wonderful, but there’s no point shooting them if you just leave them sitting on your smartphone, totally ignored. Sure you’ve thought about putting everything in place, but just thinking about diving into those folders most likely scares you. Don’t worry—I’m here to tell you that sorting that photo mess of yours is possible, though it won’t be quick.

Decide whether to keep or cull

There are two main strategies when it comes to sorting through thousands of photos, depending on how you feel about them: You can either aim to keep the good photos or you can cull the bad ones.

Keeping the good photos is easier and will give you a much smaller library. You’re essentially adopting a “hell yeah” or “nope” approach. Simply work your way through all your photos and pull out the ones you think are objectively great. Delete anything that doesn’t hit the mark.

The problem with only keeping the technically good photos is that you throw a lot of baby pictures out with the bath water. Most people have hundreds or thousands of OK photos that won’t pass the test, but it’s also kind of a shame to lose them because they hold so much sentimental value. They’re the repetitive photos of your dog, sunset snaps, or shots from your trip to London with an ex. You can’t say you love every photo or that you’ll ever print them off, but they’re a record of your life, and maybe you’ll just want to have them in the future.

Culling all the actively bad photos is the better long-term solution. Rather than only keeping great pics, you delete all the bad ones—the random screenshots, the duplicates, all those out-of-focus images, the myriad of terrible selfies, and so on. At a guess, I’d say this type of photo makes up between 50 and 75 percent of what you have on your camera roll.

By purging all the bad photos, you end up with a functioning photo library. All the images in it are meaningful—even if there are thousands of them. It might not be as good as your grandmother’s perfectly sorted albums, but it’s a workable solution for most people.

Just keep in mind that both of these methods will reduce your photo library considerably, but they won’t solve the overall issue—your photos will still be in a huge, unsorted pile, and, if you keep snapping at the rate you are without making any changes, it’ll all become a mess again in no time.

Gather your photos

The only thing worse than one messy photo library is two messy photo libraries. Most people now really just have one: the collection on their smartphone. However, if you still have some holdover photos on your PC, an old phone, Facebook, or somewhere else, you should probably sort that at the same time.

Choose what you’re going to use as your master photo collection going forward and add all the unsorted photos from anywhere else to it. Boom—one really huge mess instead of several big ones.

For this, I’d really recommend either Apple’s Photos app (with iCloud Photos) or Google Photos, depending on your platform of choice. They both have web, smartphone, and desktop apps so you can access your images from anywhere (provided you have enough cloud storage, but we’ll get to that). A tool such as Lightroom is great if you’re a professional photographer, but is serious overkill for most people: it’s expensive and won’t play nice with your phone.

Get enough cloud storage

The Google Photos interface on an Android phone.
If you want to keep a nurtured collection of graffiti pics, you’ll need a lot of space to store them. Sandra Gutierrez G.

The year is 2022: flying cars glide through the neon-lit metropolis and no one ever accidentally deletes or loses a photo to a hard drive error…

Okay, we’re still waiting on the flying cars but there is no excuse for accidentally losing all your precious baby photos because you left your smartphone in the seat pocket of an airplane. Google Photos and iCloud Photos (plus Dropbox and a few other apps) can automatically back up your photos to the cloud. This is a big deal.

For years, the hardest part of having a photo library was making sure it was backed up. External hard drives dying and taking entire collections of important images with them was a real problem. I lost hundreds of photos I thought were backed up but actually weren’t.

Unless you shoot RAW photos on a professional camera, the cost of enough cloud storage to protect all your photos is almost nothing. You’ll get 5GB of free storage space with iCloud, which is not a lot, but you can up that to 50GB for 99 cents a month—that’s enough for about 15,000 photos. For bigger libraries, you’ll need to pony up $2.99 a month for 200GB, which should be enough to handle any photo library. If it can’t, you’re not sorting yours very well.

Google takes a slightly different approach. Every Google account comes with 15GB of free storage shared across Gmail, Google Drive, and Google Photos, and any photos you back up there will count against that total. If you’ve been using Google for a while, know that “high-quality” photos (marketing speak for images compressed and cropped to 16 megapixels and videos limited to 1080p) backed up before June 1, 2021, don’t count.

When that free chunk of storage runs out, Google’s plans start at $1.99 a month for 100GB, but the space-sharing rule remains the same: If you have a lot of files backed up on Google Drive, you’ll have less space for photos, and vice versa.

Also, note that you can use Google’s platform even if you have an iPhone—it’s just not as integrated with the whole Apple ecosystem. If you want those free photo backups, grab Google Photos from the App Store.

And if you want to, you can buy an external hard drive for $50, but then you have to back things up manually. And since the whole point here is to sort things out once and for all, it’s better to go with the easy option: put everything in the cloud and treat any monthly fee as insurance against losing any important photos from #WolfpackTrip2K19.

Bring out the big guns

Alright—you’ve got one master library packed with thousands of unsorted photos on your smartphone and on the cloud. Now it’s time to sort things out for real. But first, the bad news: this is going to take time.

Unless you only recently took up photography, your photo library is likely a problem that’s been building for years. This isn’t something you’ll be able to fix in a few minutes. Yes, there are apps out there, like Gemini Photos for iOS and iPadOS, that can help you find duplicate or blurry shots, but if you want to get things done right, you’re going to have to go through your library photo by photo—no AI can yet do the job for you.

But that doesn’t mean you have to do it all by yourself. My favorite tool for the job is Slidebox, which is basically Tinder for your photo library: swipe up to delete an image, left to leave it unsorted, or tap to add it to an album. It’s a lot quicker than using the built-in photo app on iOS or Android when you’re going through a lot of photos.

And even with Slidebox, sorting your whole photo mess will take time. If you review an average of 30 photos a minute, 1,000 photos will take just over half an hour. Depending on the size of your photo library, you’re probably facing at least a few hours culling.

A couple of tips to get it done and not die trying:

  • Do something else at the same time. Don’t just go through your photo library—throw on a podcast or Netflix in the background. It’ll distract you and you won’t feel like you spent three hours just looking at your phone, though you totally did.
  • Do it in blocks. Spend 10 minutes every evening going through your photo library. Or snatch two minutes while you’re waiting for a train. Don’t try to do it all in one horrific go. It might take you a few weeks to get through everything, but you’ll finish the job sane.

To tag or not to tag

A bunch of photo albums on a table.
This would be the physical equivalent of having all your photos sorted and labeled. Isn’t it pretty? Markus Spiske / Unsplash

Adding photos to albums, naming all the files better, or adding tags to your images is a suggestion you see in most articles like this one—but I’m against that whole idea. In theory, I love perfectly tagged, album-ized photo libraries because they appeal to the productivity geek in me, but I refuse to believe anyone actually has one.

Photo albums made sense when a roll of film had 36 pictures and had to be developed and stored. It’s easy to go through two or three rolls worth of pictures and sort them, but your iPhone can shoot 36 photos in a couple of seconds. Your fanatically-into-photography grandmother might have shot 100 photos just last month, and you probably shoot that at a single event.

Now, it’s ludicrous to suggest that most people sort their photos neatly into albums. If it’s something you want to spend hours doing, absolutely go for it. But for the majority it’s just not a realistic option. (I can’t even keep my professional photos accurately tagged.)

Instead, the better solution is to harshly downsize your photo library to a minimum and let technology do the heavy lifting. If you use an app like Slidebox, create big buckets instead of specific folders—I have one named “Travel and Stupid Stuff,” rather than creating one for every trip—and then use the built-in tools to find photos as you need them.

You want photos from your trip to Miami? Your smartphone geotagged them. What about Christmas a couple of years ago? Sort by date. And all the photos of your kids? Well, Apple and Google are going hard on auto-generated tags and facial recognition technology, so their platforms will automatically sort your photos according to who is in them. The systems aren’t perfect, but they work a lot better than spending months of your life categorizing images into discrete albums.

Build good habits

So you’ve sorted your photo library—you’ve culled a few thousand terrible photos and you’re left with the good stuff. Congratulations. Now, the next step is to not let things get out of hand again.

Apply a principle you were probably told growing up: the more often you tidy a room, the easier it is to tidy. It’s the same with photo libraries. You’re unlikely to stop taking terrible photos and stashing screenshots of irrelevant memes, but you can at least get into the habit of purging them more frequently than once a decade.

Once a week or month (depending on how much you shoot) go through your photo library and get rid of anything you know you definitely won’t want in the future. It’ll only take you a few minutes and it’ll keep everything nicely sorted. At least until the big tech companies build an AI that can do it for you. In which case, hello robot overlords!

Amazon targets Facebook groups to curb fake product reviews
https://www.popsci.com/technology/amazon-sues-facebook-groups/
Thu, 21 Jul 2022 19:00:00 +0000
amazon 4-star store
Amazon is trying to deal with fake reviews in its stores. DEPOSIT PHOTOS

Amazon wants to put a stop to the Facebook groups that fraudsters have been using to gather and plan coordinated attacks.


Amazon announced this week that it is taking legal action against the administrators of more than 10,000 Facebook groups dedicated to orchestrating fake reviews in its online store in return for cash or free products. Apparently, these groups recruited individuals to post “incentivised and misleading reviews” on Amazon’s US, UK, German, French, Italian, Spanish, and Japanese stores. 

Amazon has long had a problem with fake reviews, where sellers get fake buyers to leave positive reviews. A Which? investigation last year revealed how sellers could buy individual reviews from one provider, AMZTigers, for around $15 or in bundles of up to 1000 for around $9,000. An account manager for the site claimed that they could help sellers secure the “Amazon’s Choice” branding within two weeks. Other sites offered reviews from “Verified Purchasers” by providing refunds through PayPal and allowing the purchaser to keep the product for free—or to even receive a small kickback. 

And while a couple of fake, overly positive reviews here and there might sound like a small problem, they can dramatically shift people’s buying habits, with large consequences. One recent study found that fake reviews influence $3.8 trillion of e-commerce spending globally and $791 billion of e-commerce spending in the United States. As Amazon is the largest e-commerce retailer in the US and one of the largest in the world, some significant fraction of that spending must have happened on its platform. Globally, the cost of all these fake reviews is around $152 billion.

It’s understandable that the economic impact of all these fake reviews has caught the attention of regulators. Both the European Union and the United Kingdom have legislation in the works that would make buying fake reviews illegal—and potentially put the onus on the platforms to ensure that all reviews are legitimate. According to Vox, the FTC, which has directly pursued review buyers in the past, is also “prodding” Amazon to better police its merchants.

With this developing regulatory environment, it’s understandable that Amazon is trying to do something—or at least appear to do something—about fake reviews. If it doesn’t sort things itself, it may end up with some more onerous legislation directing how it handles its business. After all, the EU just forced it to make canceling an Amazon Prime subscription significantly easier.

To that end, Amazon is working with Meta—Facebook’s parent company—to shut down as many review solicitation groups as possible. According to its recent press release, the “fraudsters” running these groups have solicited fake reviews for hundreds of products on Amazon, including car stereos and camera tripods. 

One of the groups—imaginatively titled “Amazon Product Review”—that Meta shut down earlier this year had over 43,000 members. The administrators were able to keep it online for so long by using cunning tactics, like “obfuscating letters from problematic phrases,” to “hide their activity and evade Facebook’s detection.” In other words, they said things like “bye Amaz0n rev1ews” instead of “buy Amazon reviews.”

Of the more than 10,000 review solicitation groups Amazon says it has identified and reported to Meta, more than half have already been taken down for policy violations. (Presumably, the list of 10,000 groups that it reported and that it’s suing are the same.) It says that it intends to use the lawsuit to discover information that would allow it to “identify bad actors and remove fake reviews commissioned by these fraudsters that haven’t already been detected by Amazon’s advanced technology, expert investigators, and continuous monitoring.”

The other thing the press release claims is that Amazon’s attempts to stop fake reviews are effective. Dharmesh Mehta, Amazon’s vice president of Selling Partner Services, said: “Our teams stop millions of suspicious reviews before they’re ever seen by customers, and this lawsuit goes a step further to uncover perpetrators operating on social media.” Similarly, the release also claimed that Amazon’s expert investigators and their industry-leading tools “proactively stopped more than 200 million suspected fake reviews in 2020 alone.”

Whether that’s enough for the UK, EU, and the FTC, remains to be seen. Amazon, at least, accepts that more probably needs to be done. It claims “the nefarious business of brokering fake reviews” is an industry-wide problem that will require “collaboration between the affected companies, social media sites, and law enforcement” to address fully.

A new targeted attack can be used to ID anonymous website visitors
https://www.popsci.com/technology/targeted-website-deanonymization-attack/
Mon, 18 Jul 2022 19:00:00 +0000
in private browsing microsoft edge
A new hack could be used to ID supposedly anonymous internet users. DEPOSIT PHOTOS

This de-anonymizing attack takes advantage of online accounts users may be logged into in the background. Here's how it works.


Last week, researchers from the New Jersey Institute of Technology released the details of a new targeted attack that can reveal the identity of a supposedly anonymous website visitor. It allows a bad actor who has control over a website to determine whether specifically targeted people visit it. It does this by using services like YouTube, Google Drive, or Dropbox, which users may be logged into in the background, to identify an anonymous ID like a username. It’s a difficult attack to protect against because it doesn’t rely on cookies, browser fingerprinting, or any of the usual methods for tracking website visitors that browsers like Firefox and Safari are starting to block.

This attack is a bit complicated if you don’t understand how it works, so let’s break it down. It relies on the attackers having three things:

  • Control over a website that their target might conceivably visit (or be tricked into visiting).
  • Their target’s email address, Facebook account, Twitter account, or some other publicly identifiable profile. 
  • A service like Facebook, YouTube, Google Drive, or Dropbox that allows for documents, files, or anything else to be shared with specific users. 

The attackers have to assume that, like most internet users, their target probably stays logged into most of these resource-sharing services. This, after all, is how Facebook is able to track so much data about its users.

A simple version of the attack would look something like this: Say, a hacker wants to install something like the Pegasus spyware on my computer but they don’t want to install it on every website visitor’s because they worry that security researchers would discover it and come up with ways to mitigate the threat. They know I’m into science and technology because I write for Popular Science, and they know my email address because it’s public. To target me, they could set up a fake science press release site (or better yet, blackmail or hack their way into control of a legitimate one) and embed a Google Document in the page. The document is set so that it’s public to everyone except for a single blocked Google account—the one associated with my email address.

If you or anyone else visits the page, the document loads normally. However, if I visit the page (and I’m logged into Gmail in the background), the document doesn’t load. The hackers can’t see any of this but they can use JavaScript to probe the performance of the CPU cache, which can measure the time it takes to read data, and use that to infer whether the document is loading for the user or not. After gaining total control of the website and homing in on the targeted user, they could deploy a zero-day “zero-click” attack to install their spyware on my computer without me noticing—and without installing it for anyone else by mistake. All they have to do is get me to visit the website. 

While this is very much a targeted attack, the researchers also suggest another broader possible use case for the attack. If the FBI discovered a forum being used by anonymous extremists and was able to take control of it (a tactic they’ve used in the past), they could potentially deanonymize a number of users based on a list of suspected Facebook accounts associated with the group. 

It can also impact many different types of devices and browsers. The researchers used it across multiple desktop and mobile CPU architectures (including Intel, Apple, and Qualcomm), operating systems (including Windows, macOS, and Android), browsers (including Chrome, Safari, Firefox, and the security-focused Tor Browser), and popular resource-sharing services (including Google, Twitter, LinkedIn, TikTok, Facebook, Instagram, and Reddit). They concluded that “a large majority of Internet users are vulnerable.”

And even if you know you’re vulnerable, it’s still a hard attack to prevent. The researchers have reached out to the affected browser vendors and sharing services, but said that there is no “immediate fix… that does not dramatically affect user browsing experience.” In the interim, they’ve released a plug-in for Chrome and Firefox called Leakuidator+ that can mitigate some variants of the attack, by stripping third-party identifying data like cookies from any potentially risky request.

Meanwhile, users can take preventative steps by not giving out unnecessary logins to sharing services, not logging into personal accounts on another device such as a work computer or vice versa, and using Safari, Tor, Firefox, or another browser that limits third-party cookies by default (as it makes certain variants of the attack impossible to pull off). 
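
Why limiting third-party cookies removes the signal, shown as an added toy model in JavaScript (this is not code from the researchers, Leakuidator+, or any browser). The sharing service, hosts, accounts, cookie values and the two-label `siteOf` shortcut are all constructed assumptions.

```javascript
// Toy model, added for illustration; every host, account and cookie value is constructed.

// Simplified "site" of a URL: the last two DNS labels. Real browsers use the
// Public Suffix List; this shortcut is an assumption that fits the sample hosts.
function siteOf(urlString) {
  return new URL(urlString).hostname.split('.').slice(-2).join('.');
}

// A sharing service with one resource that is public to everyone except the
// accounts on its block list, the configuration the article describes.
class SharingService {
  constructor(sessions, blockedAccounts) {
    this.sessions = sessions; // Map: session cookie value -> account name
    this.blocked = new Set(blockedAccounts);
  }
  // Returns an HTTP-like status for a request to the shared resource.
  serve(request) {
    const account = this.sessions.get(request.cookie) || null; // null = anonymous
    return account !== null && this.blocked.has(account) ? 403 : 200;
  }
}

// Browser side: decide which cookie accompanies a request for an embedded resource.
// policy is 'send-all' or 'strip-third-party'.
function buildEmbedRequest(pageUrl, resourceUrl, cookieJar, policy) {
  const crossSite = siteOf(pageUrl) !== siteOf(resourceUrl);
  const stored = cookieJar.get(siteOf(resourceUrl)) || null;
  const strip = policy === 'strip-third-party' && crossSite;
  return { url: resourceUrl, crossSite, cookie: strip ? null : stored };
}

const RESOURCE = 'https://docs.sharing.example/d/press-release';
const EMBEDDING_PAGE = 'https://news.press.example/story';
const FIRST_PARTY_PAGE = 'https://app.sharing.example/home';

const service = new SharingService(
  new Map([['sess-A', 'blocked-user@example.com'], ['sess-B', 'other-user@example.com']]),
  ['blocked-user@example.com']
);
const blockedUserJar = new Map([['sharing.example', 'sess-A']]);
const otherUserJar = new Map([['sharing.example', 'sess-B']]);

function embedStatus(cookieJar, pageUrl, policy) {
  return service.serve(buildEmbedRequest(pageUrl, RESOURCE, cookieJar, policy));
}

// True when the service answers differently for the blocked account than for
// another logged-in user, i.e. the response carries identity information.
function responseDependsOnIdentity(pageUrl, policy) {
  return embedStatus(blockedUserJar, pageUrl, policy) !==
         embedStatus(otherUserJar, pageUrl, policy);
}

function report() {
  return {
    crossSiteSendAll: responseDependsOnIdentity(EMBEDDING_PAGE, 'send-all'),
    crossSiteStripped: responseDependsOnIdentity(EMBEDDING_PAGE, 'strip-third-party'),
    firstPartyStripped: responseDependsOnIdentity(FIRST_PARTY_PAGE, 'strip-third-party'),
  };
}

console.log(report());
```

The first-party case stays identity-dependent on purpose: the block list still works when the user opens the sharing service directly, while an embedding page gets the same response for every visitor once the cross-site cookie is stripped.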

Almost all these steps will make using the internet less pleasant and more inconvenient—but that is the sacrifice you have to make if you fear you could be a victim of a sophisticated targeted (and likely state-sponsored) attack. These are the types of hacks that Apple’s new Lockdown Mode was designed to deal with. 

Apple’s new Lockdown Mode will offer ‘extreme’ security measures. You probably won’t use it.
https://www.popsci.com/technology/apple-lockdown-mode/
Thu, 07 Jul 2022 19:00:00 +0000
Lockdown Mode probably isn't something you need.
Lockdown Mode probably isn't something you need. Apple

The forthcoming feature holds important lessons about the balance between security and convenience.


This week, Apple announced a new “extreme, optional” security feature called Lockdown Mode that is aimed at a very small minority of users who are at risk of being deliberately targeted by cyberattacks “from private companies developing state-sponsored mercenary spyware.” It will launch with iOS 16, iPadOS 16, and macOS Ventura this fall. 

Lockdown Mode is designed to block a category of hyper-targeted hacks that are generally used by governments (or private companies with support from governments) against activists, dissidents, journalists, and high-level business people. Although there are presumably other, similar exploits that have not been exposed, the most infamous of these is the spyware called Pegasus.

Pegasus, developed by the (now sanctioned) Israeli technology firm NSO Group, turns iPhones and Android smartphones against their users. It’s basically the stereotypical Hollywood hack: The attackers have access to pretty much everything on the device, can intercept calls and messages, and even use the microphone, camera, and GPS to record and track people. Crucially, Pegasus can be a “zero-click” exploit, meaning that it can be installed without the user doing anything; at one point, phones could even be infected through a missed WhatsApp voice call.

Cybersecurity typically involves a tradeoff between convenience and security. If you want your computer to be very difficult to hack, don’t connect it to the internet—lock it in a secure room in your house. No viruses! But also no email, Amazon, or Minecraft. Modern iPhones, iPads, and Macs come with loads of features that make them fast, convenient, and easy to use, but these same features also give hackers large “attack surfaces” to work with. Lockdown Mode turns off a lot of these features, or at least makes them disabled by default, at the expense of a great user experience. 

Some of the features that get disabled by Lockdown Mode, for example, are the speed and efficiency technologies in a bit of software called WebKit (which powers Safari). Web pages that haven’t been flagged as “trusted” will take longer to load and may be jankier to use, but those web pages won’t be able to exploit any potential JavaScript bugs. Similarly, in Messages, most attachments other than certain trusted image types are disabled, as are link previews. If the device is locked, wired connections to computers or accessories are blocked.

There are also features designed to limit who can contact you in an unsolicited manner, which should make zero-click exploits harder to pull off. FaceTime calls, for example, are blocked unless you previously called the person in the last 30 days. 

Another key feature is that once a device is in Lockdown Mode, it can’t be registered (or unregistered) in an enterprise mobile device management (MDM) program, which is what large companies use to control the devices used by their employees. Nor can configuration profiles be installed, which are used by college and enterprise networks to handle the devices that connect to them. These are two features that have allowed hackers access to devices in the past, and presumably are still possible to abuse.

And these are just some of the features at launch. Apple plans to continue to develop Lockdown Mode based on feedback from security researchers and other affected groups. 

All in all, an iPhone in Lockdown Mode will be worse to use than an iPhone without—but it will also be much more secure. This is why, as scary as attacks like Pegasus are, Apple is stressing that this is not a feature for most users. In the press release, Ivan Krstić, Apple’s head of security engineering and architecture, says, “Lockdown Mode is a groundbreaking capability that reflects our unwavering commitment to protecting users from even the rarest, most sophisticated attacks. While the vast majority of users will never be the victims of highly targeted cyberattacks, we will work tirelessly to protect the small number of users who are.”

As well as announcing Lockdown Mode, Apple also announced that its “Bug Bounty” program rewards would be doubled—up to a maximum of $2 million—for any vulnerability that researchers find that could bypass its security features.

It also announced a $10 million grant (as well as any proceeds from its lawsuit against NSO Group) to “support organizations that investigate, expose, and prevent highly targeted cyberattacks.” Ron Deibert, director of the Citizen Lab, a research group at the University of Toronto that has uncovered a lot of information about Pegasus, said in a statement that accompanied Apple’s press release, “There is now undeniable evidence from the research of the Citizen Lab and other organizations that the mercenary surveillance industry is facilitating the spread of authoritarian practices and massive human rights abuses worldwide. I applaud Apple for establishing this important grant, which will send a strong message and help nurture independent researchers and advocacy organizations holding mercenary spyware vendors accountable for the harms they are inflicting on innocent people.”

Canceling Prime just got easier for Amazon customers in the EU https://www.popsci.com/technology/eu-amazon-prime-cancellation-process/ Wed, 06 Jul 2022 19:00:00 +0000 https://www.popsci.com/?p=454683
Amazon Prime Website
Prime members in Europe will no longer have to jump through hoops to cancel their membership. DEPOSIT PHOTOS

Amazon has previously been accused of making their cancellation process "unreasonably cumbersome."

The post Canceling Prime just got easier for Amazon customers in the EU appeared first on Popular Science.

After a “dialogue” with the European Commission (the Executive Branch of the European Union), Amazon has agreed to simplify the process of canceling a subscription to Amazon Prime to comply with EU consumer law. What previously took navigating a complicated user interface filled with “dark patterns” (or deceptive design elements) can now be done with two clicks using “a prominent and clear ‘cancel button.’” The European Commission illustrated the difference between the two cancellation processes in a July 1 press release, and said that Amazon “will implement the changes as of today.”

Amazon agreed to make the changes following a scathing report by EU consumer groups including the Norwegian Consumer Council that accused it of breaching consumer law. In particular, it argued that the process of canceling an Amazon Prime subscription was so obtuse that it fell afoul of the EU’s Unfair Commercial Practices Directive (UCPD), which bans unfair, misleading, and aggressive practices that can distort a consumer’s economic behavior. The report revealed “how Amazon makes it unreasonably cumbersome to unsubscribe from the Amazon Prime service” and described the process of canceling as “riddled with a combination of manipulative design techniques” or dark patterns. With screenshots over 14 pages, it showed how a consumer looking to leave the service had to deal with “complicated navigation menus, skewed wording, confusing choices, and repeated nudging,” while signing up for Prime was a seamless process that took just two pages to explain.

The report proposed that if Amazon can make signing up for Prime a simple process, it should also make unsubscribing an equally simple process.

The EU seemingly agreed with the report’s conclusions. In the press release announcing the results of the “dialogue,” the EU’s Commissioner for Justice, Didier Reynders, said in a statement: “Opting for an online subscription can be very handy for consumers as it is often a very straightforward process, but the reverse action of unsubscribing should be just as easy. Consumers must be able to exercise their rights [to unsubscribe] without any pressure from platforms.”

The process of canceling a Prime subscription changed in the EU on 1 July this year. According to The Guardian, the change will also affect consumers in the UK—despite it no longer being a member of the EU. (We suspect this is because Amazon.co.uk also serves the Irish market, which is still in the EU, and it is simpler to have everything aligned). The Verge said that Amazon “dodged questions” about whether similar changes would be made in the US. The spokesperson told the publication that there were “no changes to announce at this time” while at the same time declaring “customer transparency and trust are top priorities for us.” 

While this is definitely a win for consumers, it also seems to demonstrate that the EU is serious about its plans to ban dark patterns as part of the Digital Services Act (DSA) that it provisionally passed earlier this year and the draft text of which is currently working its way through the EU’s complex bureaucracy. If it is prepared to force Amazon to comply with prohibitions on unfair and manipulative UI design, it’s likely that it will also come for other large companies like Google, Facebook, and Microsoft that top the Deceptive Design Hall of Shame. For consumers outside Europe, it’s worth noting that EU law can and does change how companies act around the world. For example, it was a French law requiring a repairability score that was the catalyst for devices getting easier to service and repair in the US. Similarly, an EU directive is likely to force Apple to adopt the USB-C port with the iPhone worldwide.

Firefox’s privacy crusade now targets a key form of tracking https://www.popsci.com/technology/firefox-query-parameter-stripping/ Fri, 01 Jul 2022 12:00:00 +0000 https://www.popsci.com/?p=453766
firefox browser
Firefox's new privacy feature deals with URL-based tracking. DEPOSIT PHOTOS

Some sites use URL strings as a workaround when cookies are blocked. Firefox's new user privacy feature stops this.

The post Firefox’s privacy crusade now targets a key form of tracking appeared first on Popular Science.

Firefox is continuing its push to defend user privacy with a new feature that strips out URL identifiers and trackers when you follow a link. It’s intuitively called “Query Parameter Stripping” and it’s a handy feature if you don’t want to be trailed around the web since some sites like Facebook use URL strings to get around cookies being blocked.

This is easiest to understand with an example. You’ve probably noticed that when you copy and paste a URL after following it from social media or an email newsletter, there are often a lot of extra bits tacked on the end.

Take this link to our story on sharks learning to love coastal cities. The URL that was posted to Facebook was: https://www.popsci.com/environment/sharks-near-coastal-cities/. 

However, the actual URL when I clicked it on Facebook was: https://www.popsci.com/environment/sharks-near-coastal-cities/?utm_campaign=trueanthem_AI&utm_medium=social&utm_source=facebook&fbclid=IwAR0e807ix9JPTB_PwVoVw422Y7cXJ-iw-NvqamcKqCpe1Imgdc4f2u1Ccuc. 

Everything that comes after the question mark doesn’t make a difference to the link—it just provides Facebook (and, as a full disclosure, PopSci) with information about who is clicking on what links and why.

All the “UTM” stuff (that’s short for Urchin Tracking Module)—in this case, utm_campaign, utm_medium, and utm_source—are used by web analytics apps like Google Analytics to measure the effectiveness of marketing campaigns and compare sources of traffic. You can see that this link came from social media, specifically Facebook, and that it was part of a marketing campaign called “trueanthem_AI”. If the link was posted to Twitter, the utm_campaign and utm_medium would be the same, and the utm_source would be different. This, by itself, isn’t particularly insidious as it is just painting a broad picture of what drives traffic to particular stories. 

The fbclid URL query parameter, however, is a little more invasive. It’s used by Facebook to track who visits what websites and clicks on what links even if the site they’re visiting doesn’t have the Meta Pixel (Facebook’s tracking tool) installed. It’s all so Facebook can collect data, serve ads, and generally undermine your privacy for the sake of profit.

It’s important to note that Facebook isn’t the only service that does this, nor are the sites that the URLs link to entirely unaware of what’s happening. Almost every site that serves ads is relying on some kind of profile it has of who you are and what you’re interested in to maximize its ad revenue. Features like Firefox’s “Cookie Jar” might make this profile fairly meaningless and incomplete, but with no such protections in place, it can reveal shockingly personal information about you.

Although Bleeping Computer found that the new Firefox feature blocked URL tracking parameters from Olytics, Drip, Vero, HubSpot, Marketo, as well as Facebook, this comes with a couple of caveats. Firefox isn’t the only browser that blocks URL trackers—Brave has had a similar feature for a while—but it is the most popular. Also, just blocking URL tracking isn’t enough if you want to stay anonymous on the web. URL tracking is a great fallback strategy for ad tech companies when cookie-based tracking doesn’t work, but if you don’t have Total Cookie Protection enabled, blocking it won’t make much difference.

If you use Firefox, you can enable Query Parameter stripping by going to about:config, which you can type into the URL bar, and setting privacy.query_stripping.enabled.pbmode to true. Make sure you’ve also got Enhanced Tracking Protection (it’s in Settings > Privacy & Security) set to Strict to kill the cookies too. 
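
The stripping described above, as an added JavaScript example that is not Firefox's own code or part of the original article: it removes identifier parameters such as fbclid, and optionally the utm_ campaign tags, while keeping functional parameters and the fragment intact. The function names, the strip-list entries other than fbclid, and the example.com URL are assumptions made for the illustration.

```javascript
// Added example (not Firefox's implementation): remove tracking query
// parameters from a URL while leaving every other part of it untouched.

// Click/user identifiers. `fbclid` is the one discussed in the article; the
// remaining names are NOT given in the article and are an assumption here
// (names commonly reported for Olytics, Drip, Vero, HubSpot and Marketo).
const IDENTIFIER_PARAMS = new Set([
  'fbclid',
  'oly_enc_id', 'oly_anon_id', '__s', 'vero_id', '_hsenc', 'mkt_tok',
]);

// Campaign tags (utm_campaign, utm_medium, utm_source, ...). Stripping them is
// optional: they describe the traffic source rather than identify one click.
const CAMPAIGN_PREFIX = 'utm_';

function isTrackingParam(name, stripCampaignTags) {
  const lower = name.toLowerCase(); // match case-insensitively (design choice)
  if (IDENTIFIER_PARAMS.has(lower)) return true;
  return stripCampaignTags && lower.startsWith(CAMPAIGN_PREFIX);
}

// Decode a raw parameter name; fall back to the raw text if it is malformed.
function decodeName(rawName) {
  try {
    return decodeURIComponent(rawName.replace(/\+/g, ' '));
  } catch {
    return rawName;
  }
}

function stripTrackingParams(rawUrl, { stripCampaignTags = true } = {}) {
  const unchanged = { url: rawUrl, removed: [] };
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return unchanged; // not an absolute URL: leave it alone
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return unchanged;
  if (url.search.length <= 1) return unchanged; // no query string

  const removed = [];
  // Filter the raw "name=value" pairs instead of re-serialising through
  // URLSearchParams, so the parameters that stay keep their exact encoding.
  const kept = url.search.slice(1).split('&').filter((pair) => {
    const name = decodeName(pair.split('=', 1)[0]);
    if (isTrackingParam(name, stripCampaignTags)) {
      removed.push(name);
      return false;
    }
    return true;
  });
  if (removed.length === 0) return unchanged;

  url.search = kept.length > 0 ? `?${kept.join('&')}` : '';
  return { url: url.href, removed }; // path and #fragment are preserved
}

// The link quoted in the article.
const ARTICLE_URL = 'https://www.popsci.com/environment/sharks-near-coastal-cities/' +
  '?utm_campaign=trueanthem_AI&utm_medium=social&utm_source=facebook' +
  '&fbclid=IwAR0e807ix9JPTB_PwVoVw422Y7cXJ-iw-NvqamcKqCpe1Imgdc4f2u1Ccuc';

// Constructed sample: a functional query (q, page) mixed with an identifier.
const MIXED_URL = 'https://example.com/search?q=a+b&FBCLID=abc123&page=2#results';

console.log(stripTrackingParams(ARTICLE_URL));
console.log(stripTrackingParams(ARTICLE_URL, { stripCampaignTags: false }));
console.log(stripTrackingParams(MIXED_URL));
```

Passing `{ stripCampaignTags: false }` keeps the utm_ tags and removes only the per-click identifiers.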

Make every photo a potential profile pic by learning how to pose https://www.popsci.com/how-to-pose-for-photos/ Fri, 20 Sep 2019 21:18:22 +0000 https://www.popsci.com/uncategorized/how-to-pose-for-photos/
Black and white portrait of a man
Once you know how to pose, you won't even need colors. Harry Guinness

You’re perfect, you’re beautiful, you look like Linda Evangelista, you’re a model.

The post Make every photo a potential profile pic by learning how to pose appeared first on Popular Science.

In an era when most people carry a camera in their pockets, and a large amount of the pictures taken of us will eventually be posted on the internet forever, posing properly for a photo is an important skill everyone should have. You don’t have to look like a runway model, you just have to make sure you portray yourself in a flattering light. Posing is not hard, but if you haven’t practiced it, you’re probably doing something wrong. Don’t worry—we can fix that.

How not to pose

To paraphrase Leo Tolstoy, good photo poses are all alike, but every bad photo pose is bad in its own way. There are essentially unlimited ways to look awful or unintentionally ridiculous in a photo, and it’s possible you’re doing some of them whenever a camera is pointed at you. These are a few of the classic mistakes.

The forced grin

man grinning exaggeratedly
Wow, that’s a lot of teeth. Harry Guinness

What we have here is the overeager forced grin. It’s the kind of thing that happens when you don’t know what to do with your face, so you just figure a huge smile will do the trick (it won’t). Here, all the muscles in my face are being violently pulled in opposite directions. It looks like I’m being electrocuted and honestly, if this photo resurfaces somewhere, I’ll wish I was.

The deer in headlights

portrait of a man looking surprised
Maybe “astonished” is not a good look for… well, anybody. Harry Guinness

Is a huge truck coming towards you with earthshaking force? Did you just hear a thunderously loud noise? Apparently I did—my eyes are so wide I look startled. Some consider big eyes a beautiful feature, but forcing them open will certainly not make you look better. Unless “utterly surprised” is the vibe you’re aiming for.

The multiple chins

man with a double chin
If you want to look like you’re recoiling in disgust, congratulations, you nailed it. Harry Guinness

Oh god, even with my beard I’ve got a treble chin. My head is not in a good place in this photo; or after looking at it. We all have necks, so we might as well just use them.

The Zoolander

man pouting and squinting
Sometimes, to be really, really, really ridiculously good looking, less is more. Harry Guinness

Somebody call a model agency—Blue Steel is back! Being told you look like a model in photographs can definitely be a compliment, just as long as they don’t mean top American supermodel, Derek Zoolander. As we’ll see later, a slight pout can actually work well, but even a 13-year-old Instagram-fanatic can see this is seriously overdone.

The mid-talking

picture of a man caught talking
Mid-talking, mid-eating and mid-sneezing: the holy trinity of bad pictures. Harry Guinness

Whoops! I was chatting to whoever took the photo—well, myself—and now I look deranged. When you have a camera aimed at you, it is a good idea to shut up and concentrate on the possibility of your image being immortalized for posterity. You know, just in case this is the picture the world remembers you by. Alright, that’s enough masochism for now. I’m sure you get the idea, and you probably have a couple photos that prove you’ve made the same mistakes. All of these stem from the same problem: not knowing how to pose well.

Learn to pose your face

When it comes to photos, your face is the most important part of you. It doesn’t matter if you have the body of Adonis—if you smile like a beagle eyeing up dinner, any photos you’re in will look ridiculous.

The good news is posing your face is actually really simple. It’s mainly all about not making any of the big mistakes above, but also doing three key things that look really good in photos: one with your eyes, one with your mouth, and one with your jaw.

Work those eyes

Using your eyes only, you want to make it look like you’re smiling naturally, even if you’re not. This technique is called the “squinch” or “smizing.” Models and actors use it all the time, but regular mortals can rock it too. It generally makes you look confident, self-assured, and sexy.

portrait of a man looking good
Next time someone takes a picture of you, think of Tyra Banks and “smize.” Harry Guinness

The trick to the squinch is to squint slightly, but mostly with your lower eyelids. Your top eyelids will come down a little, but not so much you’ll look like you’re squinting and need glasses. Peter Hurley, the portrait photographer who coined the term “squinch,” has a video walkthrough if you need it, but the move is pretty simple to master.

composition of eyes squinting eyes open normally and eyes squinting
Squinching is about balance: too little and you’re not doing anything; too much and you look like you need glasses. Harry Guinness

Squinching will feel a little unnatural at first but it looks stellar in photos. A good idea is to practice in a mirror until you feel comfortable, then keep at it until you have it down.

Work that pout (but not too much)

Since there’s not a lot you can do with your nose or ears, your mouth is, by default, an important posing tool. The first step to posing your mouth is to not do anything else with it. That means no talking, no big say-cheese photo grins, and no over-the-top pouting. Avoiding those three mistakes will instantly make you look better in photos.

composition of a man smiling and half smiling
The picture at the bottom looks like a more natural, effortless smile. Pay no attention to my wonky mouth—I can never pull up both sides equally. Harry Guinness

Next, you’ll want to give the appearance of a natural and flattering smile. To do this, lightly press your lips together, then pull the edges of your mouth up into a half-smile. If you want to go for a more mischievous or mysterious look, you can try subtly pulling up only one side of your mouth.

Combine this with the squinch, and it’ll look like you’re properly smiling. No forced rictus grins here.

Square that jaw

A strong jawline looks great in photos, but the way most people normally stand while posing for pictures doesn’t show it off.

composition of frontal portrait of a man and lateral portrait of a man
Standing as you usually do doesn’t highlight your neck and makes your face look rounder. Harry Guinness

Instead, to get a strong photo-jawline, you need to exaggerate it by extending your neck and leaning your head slightly forward, pointing the tip of your nose at the camera—a bit like the chestburster in Alien.

composition of frontal portrait of a man and lateral portrait of a man elongating the neck
Yes, from the side this looks unnatural, but up front it just looks like I have a more pronounced jaw. Harry Guinness

Again, this will feel a tad unnatural at first, but it really works. Maybe it goes without saying, but this technique will only look good as long as you’re posing front on—any other angle and you’ll look like you’re waiting for someone to repeat something you couldn’t hear. Peter Hurley also has a full video walking through this move.

Pulling it all together

Okay, now you have the three components of a good photo pose; it’s time to put them all together.

portrait of a man looking surprised
Here’s what I look like just standing, looking at the camera. Yes, normal-me is not that photogenic. Harry Guinness
portrait of a man looking good
And now, here’s me squinching, smiling, and exaggerating my jawline. A whole world of difference. Harry Guinness

Don’t forget your body

Posing your face is enough for most photos, but sometimes, especially in group shots, you’ll also need to pose your body. Since you’re often at the mercy of what other people are doing around you, you won’t have much control over the situation, but there are some things you can do.

  • Angle your body at 30-45 degrees towards the camera. It will make you look slimmer.
  • Don’t lock your arms out straight or hold them stiff beside your body—they’ll look unnatural or bigger than they are. Slightly bend them. Also, keep your legs slightly bent—it’ll make your posture look more natural.
  • If you’re not holding anything (or putting your arm around someone), clasp one wrist with your hand and let them hang at your waist. Do it casually, otherwise it’ll look like you’re taking your own pulse. You can also cross your arms, but make sure you do it in a relaxed way, since it can look a bit stern. The higher your forearms when crossed, the stiffer you’ll look.

On the left, I’m doing everything wrong. On the right, I’m applying all the tips combined.

composition of two full body portraits of a man
On the left, I clearly look scared and uncomfortable. On the right, by applying everything we’ve just discussed, I could probably convince people to vote for me. Harry Guinness

Other tips and tricks

As I said at the very top, posing is a skill—you have to practice it. You could go to the effort of hiring a photographer, but it’s much easier to just spend 10 minutes in front of a mirror playing around with the different techniques and discovering what angles work best for your face and body. When you get a feel for them, try to repeat them and build some muscle memory. That way, whenever you see a camera pointed at you, your body will know what to do.

Unless you’re specifically going for a dreamy vibe, look directly down the lens of the camera, and though it may be one of the hardest things to do, try to ignore the person taking the picture and any distractions around you. Eye contact with the lens means eye contact in the photo, so all your attention should be on it. If you can, try to be either at eye level with the camera or slightly below it. It’s just a more flattering angle for everyone.

It goes without saying, but if you want to look good in a photo, make sure you look good out of it. Fix your hair, make sure your clothes are on straight, and touch up any makeup if you’re wearing it. A quick look in the mirror before you face a camera is always a good idea, for no amount of posing will help if your hair is pointing in all directions at once.

Google Hangouts is dead. Long live Google’s mess of chat apps. https://www.popsci.com/technology/google-messaging-apps-history/ Tue, 28 Jun 2022 23:00:00 +0000 https://www.popsci.com/?p=452959
google hangouts mobile app
Google is shutting down Hangouts and changing its messaging strategy. DEPOSIT PHOTOS

Google's history with messaging apps is chaotic. With Hangouts gone, here's a look at what's left.

The post Google Hangouts is dead. Long live Google’s mess of chat apps. appeared first on Popular Science.

Google Hangouts is finally getting shut down. If you still use the once-popular Google messaging app, you will get a prompt to move to Google Chat over the coming days. Once you get the “It’s time for Chat in Gmail” message, Hangouts will stop working. All your conversations should already have been ported over, though, so you can pick up where you left off. 

Before we get into what the future holds for Google’s messaging platforms, here’s a look back at how we got here. Google’s messaging efforts over the past decade and a half have been a complete mess. Google Talk (or GChat) launched in 2005 and for a few years things were simple. There was one service, and it worked really well.

Of course, the good days didn’t last. Google would iterate through increasingly inconsistent messaging apps that it later shut down or rolled into other apps.

Google Hangouts (the original, classic version) launched in 2011 as a video chat feature built into Google+. Initially, it was a really good product with a clear vision. While Google+ was a disaster as a social network that utterly failed to compete with Facebook or Twitter, and Google+ Messenger, the text-messaging feature, was incredibly bare bones, mobile only, and caught up in a trademark dispute, Hangouts was pretty popular. It offered free and easy group video chatting in your browser, and was far simpler to use than Skype. But Google wanted it to be more. 

At Google I/O in 2013, the company announced that Hangouts would become a full messaging service replacing Google Talk. (At the time, Google already had two messaging apps—Google Talk and Google+ Messenger—and two SMS-based options—SMS on Android and Google Voice). It was available on any operating system and any device from launch, though, despite replacing Google Talk, it was missing a few features like audio calls and online presence indicators. Over the next few years, Google would add features like SMS integration on Android and the service grew into an undeniable success.

By 2016, though, Google was ready to change things up. Cell carriers had, reportedly, been unhappy with Google’s control over messaging through Hangouts so it had caved and created an alternative SMS-based messaging app that shipped with Android phones from 2014: Google Messenger. In 2016, it started pushing Messenger over Hangouts for SMS and then launched yet another messaging app, a very basic WhatsApp clone called Google Allo, that would become the new default messaging app on Android phones. 

This was the beginning of the end for Hangouts, although its death wasn’t announced until 2018 and it has taken four years for Google to take it off life support. In a weird twist, Hangouts has actually managed to outlast Allo, the app that nominally killed it. Despite attempting to mimic WhatsApp’s features, Allo had none of its user base and was shut down in 2019.

In the years since, Google’s messaging efforts have only become more ridiculous. Not only did it add messaging features to apps that didn’t need them, like YouTube, Maps, Photos, and Stadia, but it launched some new apps too. Duo, a video chat app, was unveiled at the same time as Allo. Later this year, it will be merged with Google Meet (which launched as an enterprise Slack competitor in 2017 but has morphed into a consumer app). Google Chat (the app Hangouts users are being pushed to) was also part of Google’s enterprise push when it launched, but is now a consumer messaging app and the spiritual successor to Google Talk and Hangouts. The Messages app on Android has been updated to support the RCS messaging standard, although it is experiencing some teething pains, and carriers, smartphone manufacturers, as well as Apple are all hindering Google’s push for a wider embrace of the not-quite-iMessage-killing standard.

So, with all this flailing, it’s fair to be a little confused. But with Hangouts gone and Duo on the way out, things might finally be getting more streamlined. 

As it stands, the apps and services to keep in mind are:

  • Google Chat: An instant messaging and video call app. It was originally built for workplace teams, but now anyone can use it. 
  • Google Meet: A video call app. Like Chat, it started as an enterprise app but is now available to the general public. 
  • Messages: An Android SMS app (though not necessarily the default one on all phones) that supports RCS.

Though with Google’s history with messaging apps, expect this list to be out of date by next Tuesday.

Why Microsoft is rolling back its AI-powered facial analysis tech https://www.popsci.com/technology/microsoft-removes-facial-recognition-tools/ Fri, 24 Jun 2022 14:08:59 +0000 https://www.popsci.com/?p=452120
a blurry crowd of people
Photo by mauro mora on Unsplash

Plus, here's what Facebook and Zoom have been doing in this problematic field.

The post Why Microsoft is rolling back its AI-powered facial analysis tech appeared first on Popular Science.

Microsoft announced on Tuesday that it will remove certain facial analysis tools from its Azure AI services in accordance with its new Responsible AI Standard. The ability to automatically “infer emotional states and identity attributes such as gender, age, smile, facial hair, hair, and makeup,” as Microsoft’s Chief Responsible AI Officer, Natasha Crampton, explains it in the statement, will cease to be available to new users this week and will be phased out for existing users this year. 

AI-powered facial recognition has been criticized by groups like the Electronic Frontier Foundation (EFF) for years. While law enforcement use is often the most worrying, studies have shown that these tools simply aren’t accurate in identifying attributes like gender—especially among diverse and minority groups. For example, MIT’s Media Lab found that IBM, Face++, and Microsoft’s facial recognition disproportionally misclassified the gender of darker-skinned faces and female faces. The worst performing tools misclassified the gender of darker-skinned female faces 34.7 percent of the time while the gender of lighter-skinned male faces was misclassified between just 0 percent and 0.8 percent of the time.

What’s more, in the press release Microsoft acknowledges that facial expressions and emotions are not universal across cultures. Crampton writes, “Experts inside and outside the company have highlighted the lack of scientific consensus on the definition of ‘emotions,’ the challenges in how inferences generalize across use cases, regions, and demographics, and the heightened privacy concerns around this type of capability.”

This is all part of Microsoft’s Responsible AI Standard V2, which it has just released to the public. The document is an attempt to set guiding principles (grouped under Accountability, Transparency, Fairness, Reliability and Safety, Privacy and Security, and Inclusiveness) for its product development teams, while recognizing that society’s laws and norms simply haven’t caught up to the unique risks and challenges that artificial intelligence poses. (Meanwhile, the EU, in typically heavy-handed fashion, looks set to be the first group to bring in strict regulations for how AI can be used in a wide variety of settings.)

Of course, Microsoft isn’t the only company that has been criticized for its facial recognition programs (and it doesn’t provide its facial recognition services to law enforcement at the moment). Facebook ended its facial-recognition feature that would recognize and suggest friends to “tag” in your photos late last year after more than a decade of use, two hefty fines, and a lot of criticism. 

Zoom is also facing criticism at the moment for its AI-powered mood and engagement recognition features. More than 25 human rights groups signed a letter last month calling on Zoom to pull the features because they are manipulative, discriminatory, and pseudoscientific. According to Zoom’s help documents, Zoom IQ for Sales would track metrics like “talk-listen ratio,” “talking speed,” “filler words,” “longest spiel,” “patience,” “engaging questions,” and offer sentiment and engagement analysis for each caller. Zoom didn’t respond to a request from PopSci for comment, nor has it publicly responded to the letter. 

With Microsoft, it’s important to note that its facial recognition tools aren’t going away entirely. It will still offer them to companies like Uber looking to do things like verify that someone signing up for a service has a valid ID. However, it is taking the lessons it has learned implementing “appropriate use controls” with its Custom Neural Voice (which allows for the creation of a synthetic voice that sounds nearly identical to the original source) to ensure that they can’t be abused. It plans to limit their use to managed customers and partners, narrow the allowed use cases to “pre-defined acceptable ones,” and leverage technical controls to keep everything above board. 

Whether this is enough to offset the general criticism and legitimate concerns of facial recognition tools remains to be seen. While the tools can be helpful for purposes such as automatically blurring faces in security camera footage, they are also incredibly easy to abuse. And beyond concerns about private enterprises, the potential for the government and federal agencies to overstep with facial recognition is near limitless.

How Apple wants to kill those annoying CAPTCHA tests https://www.popsci.com/technology/apple-introducing-captcha-skipping-tech/ Thu, 23 Jun 2022 19:00:00 +0000 https://www.popsci.com/?p=451951
a crosswalk
Nobody likes CAPTCHA tests. Photo by 青 晨 on Unsplash

It's a fascinating solution to the annoyance of clicking on images to prove you are not a bot.

The post How Apple wants to kill those annoying CAPTCHA tests appeared first on Popular Science.

Dislike clicking on images of crosswalks and bicycles? You could be in luck. In iOS 16, iPadOS 16, and macOS Ventura, Apple is debuting a handy new feature that will reduce the number of CAPTCHAs you will need to fill in to verify that you’re a human and not a bot. The new tech promises to be helpful, and should make the web more usable and accessible for everyone.

CAPTCHAs are one of the most annoying parts of the modern internet. Want to buy a concert ticket? Click on all the bridges. Logging into your email account? Time to spot the motorbike. It’s slow, annoying, and easy to get wrong. Do you click on every square that has a tiny bit of pedestrian crossing in it, or just the ones that it’s mostly in? And it’s even worse for people who rely on tools like screen readers to access the internet. 

So what’s the point of a CAPTCHA?

They do serve a purpose. They offer up problems that are harder for computers to solve than humans (the name stands for Completely Automated Public Turing test to tell Computers and Humans Apart). Because these tasks can be a challenge for computers and are easier for us, they are a good way to verify whether someone is a human or not. And yes, they’re annoying, but they make it harder for bots to buy concert tickets ahead of you, hackers to automatically try and log into your accounts if there’s been a password breach, and dozens of other issues that website operators need a way to stop. 

Meanwhile, Google’s reCAPTCHA program (which is its implementation of the more generic CAPTCHAs) does feel like it has gotten a lot better in recent years. It does more behind the scenes to verify you are human, using signals like your IP address and activities on the website you’re using, rather than forcing you to identify traffic lights. Just clicking the “I’m Not a Robot” box is enough, a lot more often than it used to be. 

But overall, it is still far from a perfect system and is riddled with privacy problems.

What’s Apple’s solution?

Earlier this month at its annual developer’s conference, WWDC, Apple revealed a feature called Private Access Tokens (PATs), developed in collaboration with engineers from Google, Fastly, and Cloudflare, that would allow users to bypass CAPTCHAs altogether on supported sites and apps. (These tokens are different from passkeys, which aim to replace passwords.) It works by moving the human verification process from the server to your device, ideally making things more frictionless, secure, and private. 

When you use your iPhone, you take actions such as logging in with Face ID or Touch ID—actions that are almost impossible for a computer to fake. Combine that with rate-limiting (a term that refers to the fact that you can only make a certain number of attempts before being forced to slow down or complete additional verification), and Apple can verify who is a human using their device in a normal manner, and who is a bot (or a user in an iPhone click farm), far more easily than a website that you only interact with for a few moments can. Certificates stored in your device’s Secure Enclave would keep a record of all your regular human antics.

PATs allow websites and apps to automatically authenticate users in the background. When you attempt to log in, they would send an attestation request to iCloud that would check the certificates stored on your device. Assuming you’re using your iPhone or Mac normally, it would attest that you are human and provide a cryptographically signed token so you’d be able to continue without an additional challenge. 

While this is undeniably more convenient, it also comes with some nice privacy benefits. Websites wouldn’t need to record your IP address or otherwise track your activity in order to verify you’re human. All that would happen privately on your device. You’d even be able to do things sometimes considered suspicious, like use a VPN, without automatically having to solve a CAPTCHA.

Automatic Verification will launch in iOS 16 and macOS Ventura. It’s currently enabled by default in the betas, though it can also be found in the Settings app by going to Apple ID > Privacy and Security and then scrolling down to Automatic Verification. With Google, Cloudflare, and Fastly all collaborating on this, support will hopefully be widespread by the time it officially launches later this year. 

With site-specific ‘cookie jars,’ Firefox hopes to curb user tracking https://www.popsci.com/technology/firefox-total-cookie-protection/ Thu, 16 Jun 2022 19:00:00 +0000 https://www.popsci.com/?p=450662
firefox browser on phone
DEPOSIT PHOTOS

The browser is rolling out "Total Cookie Protection" to make it harder to track user activities from site to site.

The post With site-specific ‘cookie jars,’ Firefox hopes to curb user tracking appeared first on Popular Science.


Firefox announced this week that it is rolling out “Total Cookie Protection” by default to all its users worldwide. It’s a neat feature—we liked it so much that we called it one of the most transformative security innovations of 2021—and will go a long way towards keeping Firefox users safe from the pernicious practices of data brokers. It doesn’t stop all kinds of tracking, but it makes it much harder for your activities around the web to be tracked from site to site. 

Firefox is possibly more popular than you think. It has around 6.65 percent of the desktop browser market in the US and around 7.66 percent of the market worldwide. It’s the fourth most popular browser after Google Chrome, Microsoft Edge, and Safari. (The percentages change but its ranking doesn’t if you also include mobile web browsers.) In short, this update is going out to millions of people and will likely be yet another nail in the coffin for cookies. 

Total Cookie Protection works by making a separate “cookie jar” for every website you visit. All the cookies for a given site are put in its dedicated cookie jar. This means you can’t be tracked around the web (as other sites can only access their own cookie jar). So if you search for “running shoes” on Amazon, for example, you’ll no longer see ads for running shoes popping up on every site you visit. There’ll still be a cookie in Amazon’s cookie jar with the details of your search history, but the ad units on other sites won’t be able to see it and pull from it. You will likely end up with dozens of similar cookies stored in all your different cookie jars instead of just one, but since they’re tiny text files, they won’t affect your computer’s performance. 
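
A simplified model of the cookie-jar idea, added here as an example (it is not Firefox's code): each jar is keyed by the site in the address bar as well as the site that owns the cookie. The site names, the `CookieStore` and `Tracker` classes and the `uid` cookie are assumptions made for illustration.

```python
import itertools


class CookieStore:
    """Toy browser cookie storage, with or without per-site partitioning."""

    def __init__(self, partitioned):
        self.partitioned = partitioned
        self._jars = {}

    def jar(self, top_level_site, cookie_site):
        # With partitioning, the site in the address bar is part of the key,
        # so an embedded third party gets a different jar under each site.
        partition = top_level_site if self.partitioned else None
        return self._jars.setdefault((partition, cookie_site), {})


class Tracker:
    """Hypothetical ad server embedded as a third party on other sites."""

    def __init__(self, site):
        self.site = site
        self.log = []                      # (uid, site the user was visiting)
        self._ids = itertools.count(1)

    def handle_request(self, store, top_level_site):
        jar = store.jar(top_level_site, self.site)
        if "uid" not in jar:               # no cookie visible: mint a new ID
            jar["uid"] = "u%d" % next(self._ids)
        self.log.append((jar["uid"], top_level_site))

    def profiles(self):
        """Group the visited sites by the ID the tracker saw."""
        out = {}
        for uid, site in self.log:
            out.setdefault(uid, set()).add(site)
        return out


def browse(partitioned):
    """Visit two sites (one of them twice); both embed the same tracker."""
    store = CookieStore(partitioned)
    tracker = Tracker("ads.example")
    for top in ["shop.example", "news.example", "shop.example"]:
        first_party = store.jar(top, top)  # the site's own cookies
        first_party["visits"] = first_party.get("visits", 0) + 1
        tracker.handle_request(store, top)
    return store, tracker


if __name__ == "__main__":
    for mode in (False, True):
        _, t = browse(mode)
        print("partitioned" if mode else "shared", t.profiles())
```

With the shared jar the tracker ties both sites to one ID; with partitioning it sees two unrelated IDs, while each site's own cookies still persist between visits.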

[Related: What are cookies, and why are Google, Mozilla, and others going to war against them?]

In the blog post announcing the feature, Mozilla claimed that “this approach strikes the balance between eliminating the worst privacy properties of third-party cookies… and allowing those cookies to fulfill their less invasive use cases (e.g. to provide accurate analytics).” It’s a pretty fair summary. You won’t have to log in to every site every time you visit (one of the good uses of cookies) but you will be much harder to track around the web (one of the very bad ones). 

As for the competition, Microsoft Edge is trialing a “Super Duper Secure” mode that has a similar feature, though it isn’t as private by default. Safari blocks all cross-site tracking whether using cookies, fingerprinting, or anything else by default with a feature called Intelligent Tracking Prevention; it is designed to limit all kinds of tracking “while still enabling websites to function normally.” But that is only available on macOS. Brave is available on Windows, Mac, and Linux and is at least as aggressive in how it blocks cookies by default; we suspect it’s not being included as it has less than 0.1 percent of the desktop browser market so hardly counts as a “major” player. Opera, with around 2.5 percent of the desktop browser market (about the same as Internet Explorer) is probably being excluded on the same grounds. DuckDuckGo is currently in a Mac-only beta, has negligible desktop market-share, and its privacy credentials are under fire after it was revealed it had a deal with Microsoft to allow certain trackers.

Really, all that’s left is Google Chrome which, somewhat unsurprisingly, is not the most aggressive at preventing tracking cookies. It is due to start blocking third-party cookies next year—though similar plans have already been delayed in the past.

If you use Firefox, this is definitely a nice boost to your privacy. Or if you use Microsoft Edge or Google Chrome and want something that’s a bit more privacy-focused, this could be a compelling reason to switch—Firefox is a good, modern browser. For Safari, Opera, Brave, and even DuckDuckGo users, though, Total Cookie Protection doesn’t offer any radical extra privacy protection. In those cases, it then comes down to what browser you like the most. 

Understanding PACMAN, the security vulnerability in Apple’s M1 chips https://www.popsci.com/technology/apple-m1-chip-vulnerability-pacman/ Mon, 13 Jun 2022 19:00:00 +0000 https://www.popsci.com/?p=449933
The attack is called PACMAN; the video game is PAC-MAN. Photo by Sei on Unsplash

The exploit is far more complex than the beloved video game. Here's what to know.

The post Understanding PACMAN, the security vulnerability in Apple’s M1 chips appeared first on Popular Science.


A group of researchers at MIT has discovered a new hardware vulnerability in Apple’s M1 chips. The team, led by Joseph Ravichandran and Weon Taek Na, has demonstrated how the attack—dubbed PACMAN—can bypass one of the M1 chip’s deepest lines of defense. While it all sounds scary, it’s not quite as worrying as you might think: Attackers can only use PACMAN to exploit an existing memory bug in the system, which can be patched. 

To understand this issue, it helps to know about “pointers,” which are one of the fundamental bits of code that a CPU uses to run your computer. A pointer is the bit that points to where another variable is stored in memory, and pointers allow the CPU to perform operations without having to work with the full variable. You can think of them like the index of a book. If you want to check if, say, “coffee” is mentioned, it’s much quicker to scan the index than to scan the whole book. Because pointers are so important, they’re a common vector for attack. If you can change where a pointer points, you can trick the CPU into doing things it shouldn’t. 

To defend against these kinds of attacks, the M1 chip is the first desktop CPU to use a technique called “pointer authentication.” In an interview with MIT News, Ravichandran, one of the co-lead authors of the new paper, said, “When pointer authentication was introduced, a whole category of bugs suddenly became a lot harder to use for attacks.” PACMAN is an exploit that brings these bugs back into play. 

Pointer authentication works by using a 16-bit cryptographic hash called a Pointer Authentication Code, or PAC (hence the name, PACMAN), to protect pointers from being modified. With it active, an attacker has to know the PAC value of a pointer to change it, or the system will crash; so, under normal circumstances, an attacker can’t just brute-force the PAC values.

PACMAN’s big innovation is a way to brute force and thus discern the PAC values for a given pointer without crashing the system. The researchers call the setup the “PAC Oracle” and it is able to guess all 65,536 possible PAC values in under three minutes without crashing the system. It does this by running them as “speculative executions.” This is where it performs the operation just in case it needs it a little later, but doesn’t really follow through, so it never gets challenged by pointer authentication. (This is the bit that needs the software bug to work.)

Of course, just guessing the values doesn’t help. The PAC Oracle also needs to know when it guesses correctly. It does this by watching a hardware memory store called the translation lookaside buffer (or TLB) to see if it changes. If it guesses wrong, nothing happens; if it guesses right, one of the things stored in the TLB will change. 

So, once the PAC is known for a given pointer, the attacker can then use the existing software bug to take over the operating system’s kernel and do pretty much whatever they want. They could install spyware or ransomware, steal all your files, or anything else hackers like to do. (While this all may sound complex, in reality, these details are very simplified; if you want the full rundown of how PACMAN works, check out the research paper.)

PACMAN is a real vulnerability and, because of how it relies on hardware features of the M1 chip, can’t be patched or fixed, but it’s important to note that the M1 chip is still more secure than older chips. This exploit requires an existing software bug (which can be patched) to run, and pointer authentication still protects your computer from any exploits that don’t have a way to bypass it. But as Ravichandran says, “We’ve shown that pointer authentication as a last line of defense isn’t as absolute as we once thought it was.”

Ultimately, this is all part of a big game of cybersecurity whack-a-mole. For every new security system, there are bugs and exploits to be found to bypass it. The next generations of chips will likely come up with some way to prevent attacks like PACMAN, and then researchers will find new vulnerabilities and ways around that. 

What’s more, there’s no evidence that PACMAN is being used in the wild. Because it relies on an existing bug, the best defense is to keep your computer up to date. This exploit works on M1 chips. The researchers haven’t confirmed that it works on M2 chips, which Apple just introduced, though they believe it is possible. 

Apple was made aware of the issue by the researchers last year. In a statement to TechCrunch, it said: “We want to thank the researchers for their collaboration as this proof of concept advances our understanding of these techniques. Based on our analysis as well as the details shared with us by the researchers, we have concluded this issue does not pose an immediate risk to our users and is insufficient to bypass operating system security protections on its own.”

All in all, that’s probably a fair assessment. All computers are vulnerable to hacks and attacks. This is just another tool for bad actors to use that chip engineers are going to need to fix. When one mole is whacked, another pops its head out. 

Apple’s passkeys could be better than passwords. Here’s how they’ll work. https://www.popsci.com/technology/how-apple-passkeys-differ-passwords/ Thu, 09 Jun 2022 22:01:00 +0000 https://www.popsci.com/?p=449304
a key on a black background
Photo by olieman.eth on Unsplash

Can a new system improve the way we sign into websites and apps?

The post Apple’s passkeys could be better than passwords. Here’s how they’ll work. appeared first on Popular Science.


Passwords stink as a security system. Humans are flat out terrible at creating long, unique, secure passwords. Most of us reuse the same short strings of meaningful information again and again—and even secure passwords aren’t very good. Social engineering attacks like phishing can con people into giving up even the longest of passwords, or they can be leaked if an entire unencrypted database gets hacked. This is a big problem for tech companies who are on the hook for keeping your data safe, not to mention the individuals themselves who suffer a privacy breach. So, Apple, Microsoft, Google, and the other companies in the FIDO Alliance have set out to develop a better solution called “passkeys.” 

At its Worldwide Developers Conference (WWDC) this week, Apple announced its implementation of the newly agreed upon passkey standards. It will roll out with iOS 16 and macOS Ventura, so it’s the first real-world look we’ve had at the long-promised password-less future (the FIDO Alliance, which is an industry group dedicated to “solving the World’s password problem,” has been working on this for a decade). 

In the WWDC keynote, Apple’s vice president of internet technologies, Darin Adler, called passkeys a “next generation credential that’s more secure, easier to use, and aims to replace passwords for good.” That’s actually a pretty good summary—and doesn’t even oversell it. 

So how will they work? Passkeys are built on the Web Authentication, or WebAuthn, standard. It uses a cryptographic principle called public-key cryptography to secure your accounts. It’s the same idea that’s used for end-to-end encryption in iMessage, Signal, and other secure communications apps. Instead of creating a password for an account, your device will create a unique pair of mathematically related keys: a public key and a private key. The public key is stored on the server (because, as the name suggests, it’s not a secret) and will allow the website or app to verify your account—as long as you have the matching private key. The trick is that because of how the math works, the private key never needs to get shared with the server. Your device can do all the authentication without ever revealing it. It’s neat tech, and it has serious security implications. 

Although passkeys might sound complicated (and the underlying cryptography is indeed complex), in practice, they will make signing up for new accounts even simpler. You will just use Touch ID or Face ID, and your iPhone, iPad, or Mac will do the rest. You don’t have to come up with a long password, add in a few $s and &s, and then try to remember it. You won’t even see your public or private keys. It’s all done in the background, which takes the squishy, unreliable human element out of things. 

Also, passkeys can’t be phished. Your public key for any given site isn’t privileged information. All that matters is the private key, which never leaves your device. A fake website designed to impersonate your bank, eBay, or some other account can’t trick you into giving it up. It can set up a login prompt, but it just won’t do anything. 

Apple’s implementation of passkeys—at least in the supporting docs and WWDC talk—sounds solid. They will be synced between your devices using iCloud Keychain (which is end-to-end encrypted itself). Even Apple won’t have access to your private keys. 

The system has been designed so that your logins are safe, even if your Apple ID is compromised, you lose all your devices, or a rogue Apple employee tries to hack the iCloud Keychain servers. It requires you to use two-factor authentication with your Apple ID, which makes it much harder for an attacker, even one with your iCloud password, to set things up on a new device. There’s also a system called iCloud Keychain escrow that handles restoring your passwords if you lose your devices. It’s resistant to brute force attacks even by Apple. 

While we’re still waiting to see how Microsoft, Google, and the other big tech companies roll out passkeys, they have all pledged to make them interoperable across as many different devices as possible. We got a hint of that in the WWDC announcement when Adler demonstrated using an iPhone to log in to a website by scanning a QR code. This would allow you to do things like check your email on a friend’s computer or print something in a hotel without a password. 

In short, this looks to be as secure a system as can reasonably be designed. There are always going to be attack vectors, and dedicated hackers targeting specific individuals may find and use them, but for regular people this system should solve three of the biggest problems: weak passwords, leaked passwords, and phishing. 

What the EU’s ruling on USB-C chargers could mean for devices everywhere https://www.popsci.com/technology/eu-makes-usb-c-mandatory-gadgets/ Wed, 08 Jun 2022 19:03:44 +0000 https://www.popsci.com/?p=448903
a lightning and usb-c cable
A USB-C connector, left, and an Apple Lightning connector. Deposit Photos

The decision is about more than just smartphones. Here's how it could affect the gadget landscape.

The post What the EU’s ruling on USB-C chargers could mean for devices everywhere appeared first on Popular Science.


The European Union has just decreed that all new smartphones and other similar electronic devices sold within its 27 member countries must have a USB-C charging port by fall of 2024. This is to allow customers to be able to charge all their devices with the one charger type, and so effectively bans Apple’s Lightning port on any new models released beginning in that time frame. Although the ruling only applies in the EU, it’s likely to affect devices globally. 

While this decision is being portrayed as the EU regulating smartphones, the new ruling covers a much wider range of “small and medium-sized portable electronic devices.” Any cell phone, tablet, e-reader, earbuds, digital camera, headphones, headset, handheld video game console, or portable speaker that has a rechargeable battery that’s charged over a wire (rather than, say, a dedicated charging dock or wirelessly) will have to have a USB-C port, regardless of the manufacturer. The ruling also applies to laptops, though manufacturers have an additional 40 months to meet the requirements. 

Technically, Apple doesn’t have to remove the Lightning port from forthcoming iPhones—it just has to add a USB-C port to any that are released after 2024. However, the chance that the design-focused company will choose to add a second port to its sleek smartphone is basically zero. A more likely option that has been touted for a while is that Apple will go fully wireless with the iPhone. If it’s not charged over a cable, it doesn’t need a USB-C port. 

[Related: The EU wants everyone to use USB-C chargers—including Apple]

Bloomberg reported recently that Apple has been testing USB-C iPhones, though similar rumors have also been floating around for a few years. It’s worth noting that the iPhone is an outlier in Apple’s lineup: the iPads Pro, Air, and Mini, MacBooks Air and Pro, and even some Beats headphones are all charged over USB-C. (Apple boasts of its versatility on the iPad Mini marketing page!) Apple even had a hand in designing USB-C as part of the USB Implementers Forum, so it isn’t as if the company has entirely avoided the connector. Now, the EU is just forcing it to fully embrace it.

The EU has a patchy history of regulation in this area. In 2009, it similarly tried to force manufacturers to use the Micro-USB connector. However, because of the way the law was written, Apple was able to meet the requirements by offering a Micro-USB-to-30-pin adapter for around $15. There’s no such loophole on offer this time. 

Fortunately, the law will only apply to new products brought to market after the law goes into effect. This will likely be useful to Apple considering how it handles the previous year’s models: It discounts them and sells them as its mid-tier and entry-level options. Right now, you can buy the iPhone 13 and 13 Pro (released in 2021), the iPhone 12 (released in 2020), and the iPhone 11 (released in 2019). If we presume the first iPhone released under this law will be the iPhone 16 (assuming that’s indeed what it’s called), the iPhone 15 and 14 can still be sold with Lightning ports.

The EU is playing this as a big win for consumers. Alex Agius Saliba, the EU Parliament’s rapporteur, said: “Today we have made the common charger a reality in Europe! European consumers were frustrated long [sic] with multiple chargers piling up with every new device.” Unfortunately, in reality, the situation could be less clear cut. 

USB-C standards are widely regarded as a “total mess.” Although all devices use the same ports, they don’t always allow for the same power or data transfer speeds. In terms of those data transfer speeds, some USB-C cables offer 5 Gbps while others offer 20 Gbps. The only way to tell the difference is to check the packaging and see what the so-called SuperSpeed USB rating is. Similarly, different USB-C wall plugs have different wattages. The 10W plug for a smartphone might technically connect to a 16” MacBook Pro (which ships with a 140W charger), but it often can’t provide enough power to keep the battery charged while it’s in use. 

The EU has also declared that “the charging speed is also harmonized for devices that support fast charging, allowing users to charge their devices at the same speed with any compatible charger.” The reality may be that instead of having a drawer filled with different chargers, many consumers will end up with a drawer filled with similar looking chargers—and devices that never charge as fast as they could. 

What to know about a malicious new Microsoft Office vulnerability https://www.popsci.com/technology/microsoft-office-zero-day-follina/ Fri, 03 Jun 2022 14:00:00 +0000 https://www.popsci.com/?p=447613
Microsoft word app icon
Researchers recently discovered a security problem with Microsoft Word. DEPOSIT PHOTOS

This "zero-day" attack relies on sneaking in malicious code embedded in innocuous-looking Word documents.

The post What to know about a malicious new Microsoft Office vulnerability appeared first on Popular Science.


A “zero-day” vulnerability in Microsoft Office (and Microsoft Windows) is being used by Chinese state-aligned hackers to target Tibetans. A zero-day attack is the cybersecurity term for any unpatched or previously unknown exploit. They are particularly useful to hackers as anti-virus software and other software defenses don’t work against them. Right now, if you open an infected Word document in any modern version of Office, the embedded code will run. 

According to Proofpoint, a threat analysis firm, a Chinese hacking group, known as TA413, is targeting Tibetan nationals with the recently reported “Follina” exploit. The attack is embedded in a malicious Word document purporting to be sent by the “Women Empowerments Desk” of the Central Tibetan Administration, the Tibetan Government-in-Exile in Dharamshala, India. This is not the first time that Chinese hackers have targeted Tibetan groups: a 2019 report by Citizen Lab identified a number of instances going back over a decade.

As well as Tibetans, Follina-infected Word documents have been found in the wild since April this year targeting people in Russia and India.

According to security researcher Kevin Beaumont (who named the exploit “Follina” and even designed an appropriately crap logo), the exploit works using Word’s remote template feature to fetch an HTML file from a remote web server that then hijacks the Microsoft Support Diagnostic Tool (MSDT) to download and execute some code in PowerShell. 

Because the exploit uses MSDT, a support tool, it works even if macros (a commonly exploited Office feature that allows the app to run external code) are disabled. Similarly, the Protected View security feature can be avoided by using an RTF (Rich Text Format) document, another document format that Word can open by default. You can see it in action in the video above. The non-malicious proof of concept is set up to open the Calculator app as soon as the document has loaded.

As Beaumont writes, “That should not be possible.” He identifies two separate issues with the exploit: How Office is handling the loading of HTML Word templates and Outlook links, and that MSDT allows this kind of code execution.

Right now, the vulnerability is present in pretty much every modern version of Office. Researchers have demonstrated it in Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365, as well as in Windows itself as it can be called using .lnk files, which are files used by the operating system to open another file, folder, or application. 

Microsoft has acknowledged the issue (calling it the less catchy “CVE-2022-30190”) and issued a workaround that involves having the user disable the MSDT URL Protocol, which the exploit uses to load the PowerShell code. Presumably, its security engineers are working hard to develop a proper patch. 

Unfortunately, the Microsoft Security Response Center (MSRC) seems to have been a little slow to respond to Follina. The principles underlying the attack were first published in a 2020 bachelor’s thesis, and in 2021 Microsoft patched a similar vulnerability in Microsoft Teams. A report filed with the MSRC in mid-April was dismissed, with the vulnerability ruled “not a security related issue.”

It wasn’t until after Nao Sec, a security vendor, tweeted an example of the exploit found in the wild in Belarus on May 27 and it was analyzed and named by Beaumont on May 29 that Microsoft publicly identified it as a zero-day exploit. 

Until Follina is fully patched, we’d recommend being careful opening Word documents from unknown sources. You can also follow Microsoft’s mitigation advice if you are concerned about being targeted (or are an administrator who wants to make sure their charges don’t run any malicious code by mistake). 
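
The remote-template behaviour described above leaves a trace a defender can check before opening a file: a .docx is a ZIP package whose .rels parts list every outside resource it refers to. The following is an added example, not code from Microsoft or the researchers; it lists the external relationships in a package and flags those that are not ordinary hyperlinks. The sample document, its URLs and the helper names are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
MAX_PART_BYTES = 1_000_000  # refuse oversized .rels parts (decompression-bomb guard)


def external_relationships(package_bytes):
    """List every relationship in an OOXML package that points outside the file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as pkg:
        for info in pkg.infolist():
            if not info.filename.endswith(".rels"):
                continue
            if info.file_size > MAX_PART_BYTES:
                raise ValueError("oversized part: " + info.filename)
            raw = pkg.read(info)
            # Relationship parts never need a DTD; rejecting one avoids
            # entity-expansion tricks in the untrusted XML.
            if b"<!DOCTYPE" in raw.upper():
                raise ValueError("DOCTYPE in " + info.filename)
            for rel in ET.fromstring(raw).iter("{%s}Relationship" % REL_NS):
                if rel.get("TargetMode") != "External":
                    continue
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                findings.append({
                    "part": info.filename,
                    "kind": kind,
                    "target": rel.get("Target", ""),
                    # Hyperlinks wait for a click; other external references
                    # (an attached template, for instance) deserve a closer look.
                    "needs_review": kind != "hyperlink",
                })
    return findings


def make_package(parts):
    """Build an in-memory ZIP from {part name: text}; used for the sample only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        for name, text in parts.items():
            pkg.writestr(name, text)
    return buf.getvalue()


def rels_xml(entries):
    """Render a relationships part from (kind, target, is_external) tuples."""
    body = "".join(
        '<Relationship Id="rId%d" Type="%s%s" Target="%s"%s/>'
        % (i, OFFICE_REL, kind, target, ' TargetMode="External"' if external else "")
        for i, (kind, target, external) in enumerate(entries, 1)
    )
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="%s">%s</Relationships>' % (REL_NS, body))


def build_constructed_sample():
    """Constructed, harmless package: one hyperlink and one remote template."""
    return make_package({
        "word/document.xml": "<document/>",
        "word/_rels/document.xml.rels": rels_xml([
            ("styles", "styles.xml", False),
            ("hyperlink", "https://www.example.com/", True),
        ]),
        "word/_rels/settings.xml.rels": rels_xml([
            ("attachedTemplate", "https://templates.example.invalid/layout.html", True),
        ]),
    })


if __name__ == "__main__":
    for finding in external_relationships(build_constructed_sample()):
        print(finding)
```

This covers OOXML files such as .docx only; the RTF variant mentioned earlier is a different format and needs a different parser.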

This is just another example of how theoretical exploits can go from research labs to the real world. While it’s incredibly important to keep security patches up-to-date, it can’t protect you from all possible attack vectors. In the realms of international cybersecurity and state-sponsored hackers, constant vigilance is the only option. 

It can pay off, though. Just this week, the FBI Director Christopher Wray announced that his agency had successfully thwarted an Iranian government-sponsored hack on Boston Children’s Hospital. According to the AP, the FBI learned of the attack from an unspecified intelligence partner and was able to provide the hospital with the information—and presumably security patches or some other kind of software mitigation—that helped it gear up against the threat. 

What’s going on with self-driving cars right now? https://www.popsci.com/technology/self-driving-car-companies-status/ Sat, 28 May 2022 14:00:00 +0000 https://www.popsci.com/?p=446702
Self Driving photo
Pony.ai

Here's what the major players are up to, even as one company experiences a setback.

The post What’s going on with self-driving cars right now? appeared first on Popular Science.


Pony.ai is the latest autonomous car company to make headlines for the wrong reasons. It has just lost its permit to test its fleet of autonomous vehicles in California over concerns about the driving record of the safety drivers it employs. It’s a big blow for the company, and highlights the interesting spot the autonomous car industry is in right now. After a few years of very bad publicity, a number of companies have made real progress in getting self-driving cars on the road.

If you’re curious about what Pony.ai and some of the other major outfits are up to, here’s a handy alphabetized guide to some of the key firms working on autonomous vehicles. 

Argo AI 

Ford and Volkswagen’s self-driving car play is taking things to a few different cities. Just last week, it announced it was expanding its driverless operations to Miami and Austin where it will operate during daytime business hours. The service will be initially available to employees, but will soon integrate with Lyft to offer a driverless (with a safety driver) ride-hailing service and Walmart to offer driverless grocery delivery. Argo AI now has one of the most diverse testing pools. As well as Miami and Austin, it is testing in Palo Alto, Detroit, Pittsburgh, Washington, D.C., and Germany.

Aurora

This company bought Uber’s former self-driving division in 2020, and is testing its self-driving Toyota Siennas on the streets of the Dallas-Fort Worth metro area. It plans to launch a ride-hailing service with Uber in 2024. Though, perhaps more interestingly, it announced this month that it was expanding its self-driving freight pilot with FedEx. Its trucks, which currently operate a 240-mile trip every night between Dallas and Houston with two safety drivers in the cab, will soon start hauling goods between Fort Worth and El Paso, a roughly 600-mile journey. 

There’s less hype about self-driving cars than there used to be, but the industry keeps pushing forward. Cruise

Cruise 

Owned by General Motors, Cruise has been quietly successful. It is offering rider-only autonomous trips to the public in San Francisco and is expanding its driverless Walmart delivery service in Phoenix. Its parent company is seemingly happy with the progress it’s making; GM expects to spend $2 billion on the autonomous vehicle subsidiary in 2022.

Motional

A joint venture between Aptiv and Hyundai, Motional is offering free rides to the public, albeit with a safety driver behind the wheel. It is currently testing in downtown Las Vegas, where it plans to launch a commercial driverless ride-hailing service with Lyft in 2023.

Pony.ai

Its California dreams are not looking great. The aforementioned permit the DMV just revoked was for it to test its fleet of 41 autonomous vehicles with safety drivers behind the wheel (it currently employs 71 drivers in this role). It lost the permit over issues with the driving records of three employees, and seemingly the process of approval that allowed these operators to monitor its cars. Its license to test its autonomous vehicles without a safety driver was suspended in November last year, after a collision with a lane divider and a street sign. Things appear to be going a bit better for the Chinese company in its home base: It recently secured permits to operate in Beijing and Guangzhou. 

Waymo 

This well-established firm is owned by Google-parent company Alphabet, and is expanding its Waymo One ride-hailing test service in Phoenix, Arizona. Its vehicles are now operating in both the East Valley and the city’s downtown area. It also just started offering fully autonomous rides to employees in San Francisco. The service has also demonstrated its practicality: One rider had taken more than 400 trips as of October last year. 

Zoox 

Bought by Amazon in 2020, Zoox is expanding from California and Las Vegas to new environs. It plans to start operating in Seattle, home of its parent company, this year explicitly to test its sensors in wet weather. Most autonomous vehicles are operating in sunny states, so it’s exciting to see the companies start testing in more diverse climates. Like Cruise, Zoox hopes to eventually employ a bidirectional vehicle that has no space for a driver at all. 

Ultimately, despite the still relatively frequent setbacks, the autonomous vehicle industry has been making quiet gains over the past year or two. We’re still a long way from ubiquitous driverless cars, but the technology is being tested in more places, in more ways, and with less drama. What a time to be a robot.
