GOT OPSEC? DOGE software engineer’s computer infected by info-stealing malware The presence of credentials in leaked "stealer logs" indicates his device was infected. Dan Goodin – May 8, 2025 2:27 pm | 52 Credit: Getty Images Credit: Getty Images Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more Login credentials belonging to an employee at both the Cybersecurity and Infrastructure Security Agency and the Department of Government Efficiency have appeared in multiple public leaks from info-stealer malware, a strong indication that devices belonging to him have been hacked in recent years. Kyle Schutt is a 30-something-year-old software engineer who, according to Dropsite News, gained access in February to a “core financial management system” belonging to the Federal Emergency Management Agency. As an employee of DOGE, Schutt accessed FEMA’s proprietary software for managing both disaster and non-disaster funding grants. Under his role at CISA, he likely is privy to sensitive information regarding the security of civilian federal government networks and critical infrastructure throughout the US. A steady stream of published credentials According to journalist Micah Lee, user names and passwords for logging in to various accounts belonging to Schutt have been published at least four times since 2023 in logs from stealer malware. Stealer malware typically infects devices through trojanized apps, phishing, or software exploits. Besides pilfering login credentials, stealers can also log all keystrokes and capture or record screen output. The data is then sent to the attacker and, occasionally after that, can make its way into public credential dumps. “I have no way of knowing exactly when Schutt's computer was hacked, or how many times,” Lee wrote. “I don't know nearly enough about the origins of these stealer log datasets. He might have gotten hacked years ago and the stealer log datasets were just published recently. But he also might have gotten hacked within the last few months.” Lee went on to say that credentials belonging to a Gmail account known to belong to Schutt have appeared in 51 data breaches and five pastes tracked by breach notification service Have I Been Pwned. Among the breaches that supplied the credentials is one from 2013 that pilfered password data for 3 million Adobe account holders, one in a 2016 breach that stole credentials for 164 million LinkedIn users, a 2020 breach affecting 167 million users of Gravatar, and a breach last year of the conservative news site The Post Millennial. As Lee notes, the presence of an individual’s credentials in such logs isn’t automatically an indication that the individual himself was compromised or used a weak password. In many cases, such data is exposed through database compromises that hit the service provider. The steady stream of published credentials for Schutt, however, is a clear indication that the credentials he has used over a decade or more have been publicly known at various points. In the event, however, that Schutt used the same or similar credentials in systems or machines during his work at CISA and DOGE, attackers may already have been able to access sensitive information he’s privy to. And as Lee noted, the four dumps from stealer logs show that at least one of his devices was hacked at some point. DOGE critics said Lee’s findings are consistent with other operational security gaffes by the office, such as a website that could be edited by anyone and unprecedented and extraordinarily broad access to government data like that stored in the federal payroll system. “At this point it's difficult not to suspect their awful 0pSec is a choice, and that there are specific people (*ahem* *cough cough* the Russians *cough*) to whom they're leaking secrets, with incompetence being merely plausible deniability for their true, treasonous agenda,” one critic wrote on Mastodon. Representatives at CISA and the Department of Homeland Security—the agency that oversees CISA—didn’t immediately respond to an email seeking confirmation of the report. Dan Goodin Senior Security Editor Dan Goodin Senior Security Editor Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82. 52 Comments

robot's little helper AI use damages professional reputation, study suggests New Duke study says workers judge others for AI use—and hide its use, fearing stigma. Benj Edwards – May 8, 2025 4:23 pm | 27 Credit: demaerre via Getty Images Credit: demaerre via Getty Images Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more Using AI can be a double-edged sword, according to new research from Duke University. While generative AI tools may boost productivity for some, they might also secretly damage your professional reputation. On Thursday, the Proceedings of the National Academy of Sciences (PNAS) published a study showing that employees who use AI tools like ChatGPT, Claude, and Gemini at work face negative judgments about their competence and motivation from colleagues and managers. "Our findings reveal a dilemma for people considering adopting AI tools: Although AI can enhance productivity, its use carries social costs," write researchers Jessica A. Reif, Richard P. Larrick, and Jack B. Soll of Duke's Fuqua School of Business. The Duke team conducted four experiments with over 4,400 participants to examine both anticipated and actual evaluations of AI tool users. Their findings, presented in a paper titled "Evidence of a social evaluation penalty for using AI," reveal a consistent pattern of bias against those who receive help from AI. What made this penalty particularly concerning for the researchers was its consistency across demographics. They found that the social stigma against AI use wasn't limited to specific groups. Fig. 1 from the paper "Evidence of a social evaluation penalty for using AI." Credit: Reif et al. "Testing a broad range of stimuli enabled us to examine whether the target's age, gender, or occupation qualifies the effect of receiving help from Al on these evaluations," the authors wrote in the paper. "We found that none of these target demographic attributes influences the effect of receiving Al help on perceptions of laziness, diligence, competence, independence, or self-assuredness. This suggests that the social stigmatization of AI use is not limited to its use among particular demographic groups. The result appears to be a general one." The hidden social cost of AI adoption In the first experiment conducted by the team from Duke, participants imagined using either an AI tool or a dashboard creation tool at work. It revealed that those in the AI group expected to be judged as lazier, less competent, less diligent, and more replaceable than those using conventional technology. They also reported less willingness to disclose their AI use to colleagues and managers. The second experiment confirmed these fears were justified. When evaluating descriptions of employees, participants consistently rated those receiving AI help as lazier, less competent, less diligent, less independent, and less self-assured than those receiving similar help from non-AI sources or no help at all. Fig. 3 from the paper "Evidence of a social evaluation penalty for using AI." Credit: Reif et al. The researchers discovered this bias affects real business decisions. In a hiring simulation, managers who didn't use AI themselves were less likely to hire candidates who regularly used AI tools. However, managers who frequently used AI showed the opposite preference, favoring the AI-using candidates. The final experiment revealed that perceptions of laziness directly explain this evaluation penalty. The researchers found this penalty could be offset when AI was clearly useful for the assigned task. When using AI made sense for the job, the negative perceptions diminished significantly. Notably, the study showed that evaluators' own experience with AI significantly influenced their judgments. In the study, those who used AI frequently were less likely to perceive an AI-using candidate as lazy. A complicated picture The Duke AI study also notes that similar concerns of stigma have historically accompanied other new technologies. From Plato questioning whether writing would undermine wisdom, to modern debates about calculators in education, people have long worried that labor-saving tools might reflect poorly on users' abilities. Reif and colleagues suggest this social impact may present a hidden barrier to AI adoption in workplaces. Even as organizations push AI implementation, individual employees might resist due to concerns about how they'll be perceived. That dilemma is apparently already here. In August last year, while covering ChatGPT hitting 200 million active weekly users, we mentioned that Wharton professor Ethan Mollick (who frequently researches AI) called people who use AI without telling their bosses "secret cyborgs." Because many companies ban the use of AI outputs, many workers have anecdotally turned to secret AI use. And if that doesn't complicate the picture enough, we previously covered a study that adds a different layer to AI workplace issues. Research from economists at the University of Chicago and University of Copenhagen found that while 64–90 percent of workers reported time savings from AI tools, these benefits were sometimes offset by new tasks created by the technology. The study revealed that AI tools actually generated additional work for 8.4 percent of employees, including non-users tasked with checking AI output quality or detecting AI use in student assignments. So, although using AI to do some tasks potentially saves time, employees may be creating additional work for themselves or others. In fact, the World Economic Forum's Future of Jobs Report 2025 suggested that AI may create 170 million new positions globally while eliminating 92 million jobs, resulting in a net gain of 78 million jobs by 2030. So the picture is complicated, but it appears the impact of AI on work is ongoing at a steady pace. Benj Edwards Senior AI Reporter Benj Edwards Senior AI Reporter Benj Edwards is Ars Technica's Senior AI Reporter and founder of the site's dedicated AI beat in 2022. He's also a tech historian with almost two decades of experience. In his free time, he writes and records music, collects vintage computers, and enjoys nature. He lives in Raleigh, NC. 27 Comments

Don't look up A Soviet-era spacecraft built to land on Venus is falling to Earth instead Kosmos 482 is encased in a titanium heat shield, with a good chance of reaching the surface intact. Stephen Clark – May 8, 2025 4:59 pm | 18 A replica of the Venera 8 descent module; it's thought to be identical to Kosmos 482. Credit: NASA Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more Kosmos 482, a Soviet-era spacecraft shrouded in Cold War secrecy, will reenter the Earth's atmosphere in the next few days after misfiring on a journey to Venus more than 50 years ago. On average, a piece of space junk the size of Kosmos 482, with a mass of about a half-ton, falls into the atmosphere about once per week. What's different this time is that Kosmos 482 was designed to land on Venus, with a titanium heat shield built to withstand scorching temperatures, and structures engineered to survive atmospheric pressures nearly 100 times higher than Earth's. So, there's a good chance the spacecraft will survive the extreme forces it encounters during its plunge through the atmosphere. Typically, space debris breaks apart and burns up during reentry, with only a small fraction of material reaching the Earth's surface. The European Space Agency, one of several institutions that track space debris, says Kosmos 482 is "highly likely" to reach Earth's surface in one piece. Fickle forecasts The Kosmos 482 spacecraft launched from the Baikonur Cosmodrome, now part of Kazakhstan, aboard a Molniya rocket on March 31, 1972. A short time later, the rocket's upper stage was supposed to propel the probe out of Earth orbit on an interplanetary journey toward Venus, where it would have become the third mission to land on the second planet from the Sun. But the rocket failed, rendering it unable to escape the gravitational grip of Earth. The spacecraft separated into several pieces, and Russian engineers gave up on the mission. The main section of the Venus probe reentered the atmosphere in 1981, but for 53 years, the 3.3-foot-diameter (1-meter) segment of the spacecraft that was supposed to land on Venus remained in orbit around the Earth, its trajectory influenced only by the tenuous uppermost layers of the atmosphere. The mission was part of the Soviet Union's Venera program, which achieved the first soft landing of a spacecraft on another planet with the Venera 7 mission in 1970, and followed up with another successful landing with Venera 8 in 1972. Because it failed, Soviet officials gave the next mission, which would have become Venera 9, a non-descriptive name: Kosmos 482. Over time, the dead spacecraft succumbed to aerodynamic drag, slowly losing altitude before dipping deeper into the atmosphere in recent weeks. In the last few days, Kosmos 482's orbit brought the spacecraft less than 100 miles (150 kilometers) from Earth. This additional aerodynamic drag is hastening the craft's fall from space. As of Thursday, expert predictions centered on a likely reentry of Kosmos 482 early Saturday. But reentry forecasts have large margins of error. Small variations in the density of the upper atmosphere driven by solar activity could bring down the spacecraft sooner or later than expected. The Aerospace Corporation's experts predict Kosmos 482 will fall to Earth some time nine hours before or after 1:54 am EDT (05:54 UTC) Saturday. The European Space Agency's forecast is centered on 3:12 am EDT (07:12 UTC) Saturday, plus or minus 13.7 hours. The reentry windows will narrow over the next couple of days, but experts won't be able to pinpoint an exact time or location before the spherical spacecraft makes its final plunge. "As we approach the reentry, the uncertainty in the prediction decreases," the European Space Agency wrote on a website tracking Kosmos 482. "The remaining uncertainty is caused by the difficulty of modeling the atmosphere, the influence of space weather, and the unknowns about the object itself, such as which way it is facing." However, there are a few things we know about where it will come down. Kosmos 482's flight path takes the spacecraft between 52 degrees north and south latitude on each orbit, so it never flies over the northernmost parts of Canada, Europe, and Russia. As the forecasts become more precise, it will be possible to identify the corridors where Kosmos 482 will fly during the reentry window. A map of Kosmos 482's orbital tracks during the Aerospace Corporation's 18-hour reentry window is shown below. This map from the Aerospace Corporation shows the track of Kosmos 482 in low-Earth orbit, with blue lines denoting the spacecraft's locations before the middle of the reentry window, and yellow lines after the middle of the reentry window. Credit: Aerospace Corporation If you go through most of your days without worrying about space junk falling on you, there's little reason for serious alarm now. The Aerospace Corporation says any one individual on Earth is "far likelier" to be struck by lightning than to be injured by Kosmos 482. The US government's safety threshold for uncontrolled reentries requires the risk of a serious injury or death on the ground to be less than 1 in 10,000. The Aerospace Corporation projects the risk of at least one injury or fatality from Kosmos 482 to be 0.4 in 10,000 if the descent craft reaches the surface intact. Marco Langbroek, a Dutch archeologist and university lecturer on space situational awareness, wrote on his website that the risk of public injury from Kosmos 482 is lower than that from the reentry of a SpaceX Falcon 9 upper stage. One of those came down uncontrolled over Poland in February, scattering some debris but causing no injuries. Langbroek said the reentry analysis suggests the Kosmos 482 descent capsule will impact the ground or water at about 150 mph (242 kilometers per hour), assuming it makes it to the surface in one piece. The lander carries a parachute that would have slowed its final descent to Venus, but it's not likely that the parachute deployment system still works after 53 years in space. "There are many uncertain factors in whether the lander will survive reentry though, including that this will be a long shallow reentry trajectory, and the age of the object," Langbroek wrote. If you find yourself along one of the lines on this map, perhaps it's worth keeping track of Kosmos 482 over the next couple of days—out of curiosity more than worry. Chances are the spacecraft will fall into the ocean or over an unpopulated area. But what happens in the unlikely event that Kosmos 482 winds up in your yard? "If Kosmos defies the odds and does land in your yard, please don’t touch it!" the Aerospace Corporation said. "It could potentially be hazardous, and it is best to notify your local authorities. "As for keeping it, don’t get your hopes up," Aerospace says. "There is a United Nations treaty that governs found debris—the 1967 Outer Space Treaty. It states that countries keep ownership of objects they launch into space, even after those objects reenter and return to Earth. The country that launched the object in this case is Russia, which could request the return of any parts that survived reentry. "It is also worth noting that the treaty says that the launching country is also internationally liable for damages." Stephen Clark Space Reporter Stephen Clark Space Reporter Stephen Clark is a space reporter at Ars Technica, covering private space companies and the world’s space agencies. Stephen writes about the nexus of technology, science, policy, and business on and off the planet. 18 Comments

Good news New RSV vaccine, treatment linked to dramatic fall in baby hospitalizations CDC study finds big declines in hospitalizations—and they may be underestimates. Beth Mole – May 8, 2025 5:54 pm | 11 An intensive care nurse cares for a patient suffering from respiratory syncytial virus (RSV), who is being ventilated in the children's intensive care unit of the Olga Hospital of the Stuttgart Clinic in Germany. Credit: Getty | picture alliance An intensive care nurse cares for a patient suffering from respiratory syncytial virus (RSV), who is being ventilated in the children's intensive care unit of the Olga Hospital of the Stuttgart Clinic in Germany. Credit: Getty | picture alliance Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more Far fewer babies went to the hospital struggling to breathe from RSV, a severe respiratory infection, after the debut of a new vaccine and treatment this season, according to an analysis published today by the Centers for Disease Control and Prevention. RSV, or respiratory syncytial (sin-SISH-uhl) virus, is the leading cause of hospitalization for infants in the US. An estimated 58,000–80,000 children younger than 5 years old are hospitalized each year. Newborns—babies between 0 and 2 months—are the most at risk of being hospitalized with RSV. The virus circulates seasonally, typically rising in the fall and peaking in the winter, like many other respiratory infections. But the 2024–2025 season was different—there were two new ways to protect against the infection. One is a maternal vaccine, Pfizer's Abrysvo, which is given to pregnant people when their third trimester aligns with RSV season (generally September through January). Maternal antibodies generated from the vaccination pass to the fetus in the uterus and can protect a newborn in the first few months of life. The other new protection against RSV is a long-acting monoclonal antibody treatment, nirsevimab, which is given to babies under 8 months old as they enter or are born into their first RSV season and may not be protected by maternal antibodies. For the new study, CDC researchers looked at RSV hospitalization rates across two different RSV surveillance networks of hospitals and medical centers (called RSV-NET and NVSN). They compared the networks' hospitalization rates in the 2024–2025 RSV season to their respective rates in pre-pandemic seasons between 2018 and 2020. The analysis found that among newborns (0–2 months), RSV hospitalizations fell 52 percent in RSV-NET and 45 percent in NVSN compared with the rates from the 2018–2020 period. However, when the researcher excluded data from NVSN's surveillance site in Houston—where the 2024–2035 RSV season started before the vaccine and treatment were rolled out—there was a 71 percent decline in hospitalizations in NVSN. For a broader group of infants—0 to 7 months old—RSV-NET showed a 43 percent drop in hospitalizations in the 2024–2025 RSV season, and NVSN saw a 28 percent drop. Again, when Houston was excluded from the NVSN data, there was a 56 percent drop. Lastly, the researchers looked at hospitalization rates for toddlers and children up to 5 years old, who wouldn't have been protected by the new products. There, they saw RSV hospitalization rates were actually higher in the 2024–2025 season than in the pre-pandemic years. That suggests that the latest RSV season was more severe, and the drops in infant hospitalizations may be underestimates. Beth Mole Senior Health Reporter Beth Mole Senior Health Reporter Beth is Ars Technica’s Senior Health Reporter. Beth has a Ph.D. in microbiology from the University of North Carolina at Chapel Hill and attended the Science Communication program at the University of California, Santa Cruz. She specializes in covering infectious diseases, public health, and microbes. 11 Comments

YOUR DASHER IS ON THE WAY Fidji Simo joins OpenAI as new CEO of Applications Simo will oversee business operations while Altman focuses on research and compute. Benj Edwards – May 8, 2025 2:45 pm | 23 CEO of Instacart Fidji Simo poses during a photo session at the AI Action Summit in Paris on February 11, 2025. Credit: Joel Saget via Getty Images CEO of Instacart Fidji Simo poses during a photo session at the AI Action Summit in Paris on February 11, 2025. Credit: Joel Saget via Getty Images Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more On Wednesday, OpenAI announced that Instacart CEO Fidji Simo will join the maker of ChatGPT as "CEO of Applications" later this year, according to a company blog post. Simo, who has served on the company's board since March 2024, will oversee business and operational teams while continuing to report directly to Altman in the newly created role. Altman will remain the primary CEO of OpenAI. According to Reuters, Simo spent a decade at Meta, including a stint serving as the head of Facebook from 2019 to 2021. She also currently sits on the board of e-commerce services site Shopify. The announcement came earlier than planned due to what Altman described as "a leak" that "accelerated our timeline." At OpenAI, Simo will manage what Altman called "traditional company functions" as the organization enters its "next phase of growth." The applications category at OpenAI includes products like ChatGPT, the popular AI assistant. "Applications brings together a group of existing business and operational teams responsible for how our research reaches and benefits the world," wrote Altman in a message to staff later published on the OpenAI website. Simo will transition into her new position at OpenAI over time. She posted on LinkedIn that she is "not going anywhere for a couple of months," saying she'll stay on with Instacart for a bit longer as that company appoints a successor. In the message, Altman described Simo as bringing "a rare blend of leadership, product and operational expertise" and expressed that her addition to the team makes him "even more optimistic about our future as we continue advancing toward becoming the superintelligence company." Simo becomes the newest high-profile female executive at OpenAI following the departure of Chief Technology Officer Mira Murati in September. Murati, who had been with the company since 2018 and helped launch ChatGPT, left alongside two other senior leaders and founded Thinking Machines Lab in February. OpenAI’s evolving structure The leadership addition comes as OpenAI continues to evolve beyond its origins as a research lab. In his announcement, Altman described how the company now operates in three distinct areas: as a research lab focused on artificial general intelligence (AGI), as a "global product company serving hundreds of millions of users," and as an "infrastructure company" building systems that advance research and deliver AI tools "at unprecedented scale." Altman mentioned that as CEO of OpenAI, he will "continue to directly oversee success across all pillars," including Research, Compute, and Applications, while staying "closely involved with key company decisions." The announcement follows recent news that OpenAI abandoned its original plan to cede control of its nonprofit branch to a for-profit entity. The company began as a nonprofit research lab in 2015 before creating a for-profit subsidiary in 2019, maintaining its original mission "to ensure artificial general intelligence benefits everyone." Benj Edwards Senior AI Reporter Benj Edwards Senior AI Reporter Benj Edwards is Ars Technica's Senior AI Reporter and founder of the site's dedicated AI beat in 2022. He's also a tech historian with almost two decades of experience. In his free time, he writes and records music, collects vintage computers, and enjoys nature. He lives in Raleigh, NC. 23 Comments

it's all making sense now Echoing Xbox, prices are going up for high-end Surfaces and some accessories Discontinuation of 256GB models gives older Surface PCs an effective price hike. Andrew Cunningham – May 8, 2025 12:27 pm | 0 Microsoft's 13-inch Surface Pro 11. Credit: Andrew Cunningham Microsoft's 13-inch Surface Pro 11. Credit: Andrew Cunningham Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more When Microsoft announced new Surface devices earlier this week, we noted that there wasn't a lot of daylight between the starting prices of the new but lower-end devices ($799 for the 12-inch Surface Pro, $899 for the 13-inch Surface Laptop) and the starting prices of the older-but-higher-end Surfaces from last spring ($999 for both). It appears Microsoft has quietly solved this problem by discontinuing the 256GB versions of the 13.8-inch Surface Laptop 7 and the 13-inch Surface Pro 11. Microsoft's retail pages for both devices list only 512GB and 1TB configurations, with regular prices starting at $1,199. Though not technically a price hike—the 512GB versions of both devices also cost $1,199 before—it does amount to an effective price increase for last year's Surface hardware, especially given that both devices have user-replaceable storage that can easily be upgraded for less than the $200 that Microsoft charged for the 256GB-to-512GB upgrade. The upshot is that the new Surface PCs make more sense now than they did on Tuesday in relative terms, but it's only because you'll pay more to buy a Surface Pro 11 or Surface Laptop 7 than you would before. The 15-inch version of the Surface Laptop 7 still lists a 256GB configuration and a $1,299 starting price, but the 256GB models are currently out of stock. While the Surface Pro and Laptop get price hikes that aren't technically price hikes, some Surface accessories have had their prices directly increased. The Surface USB-C Travel Hub is now $120 instead of $100; the Surface Arc Mouse is now $90 instead of $80, and a handful of replacement parts are more expensive now than they were, according to recent Internet Wayback Machine snapshots. Generally, Surface Pen accessories and Surface Pro keyboard covers are the same price they were before. Microsoft also raised prices on its Xbox consoles earlier this month while warning customers that game prices could go up to $80 for some releases later this year. If you're quick, you can still find the 256GB Surface devices in stock at third-party retailers. For example, Best Buy will sell you a Surface Laptop 7 with a 256GB SSD for $799, $100 less than the price of the 13-inch Surface Laptop that Microsoft just announced. We'd expect these retail listings to vanish over the next few days or weeks, and we wouldn't expect them to come back in stock once they're gone. Increased import tariffs imposed by the Trump administration could explain at least some of these price increases. Though PCs and smartphones are currently exempted from the worst of them (at least for now), global supply chains and shipping costs are complex enough that they could still be increasing Microsoft's costs indirectly. For the Surface Pro and Surface Laptop, the decision to discontinue the old 256GB models also seems driven by a desire to make the new 12-inch Pro and 13-inch Laptop look like better deals than they did earlier this week. Raising the base price does help clarify the lineup; it just does so at the expense of the consumer. Andrew Cunningham Senior Technology Reporter Andrew Cunningham Senior Technology Reporter Andrew is a Senior Technology Reporter at Ars Technica, with a focus on consumer tech including computer hardware and in-depth reviews of operating systems like Windows and macOS. Andrew lives in Philadelphia and co-hosts a weekly book podcast called Overdue. 0 Comments

Truth can hurt Bill Gates accuses Elon Musk of “killing” children with DOGE-led USAID cuts "The picture of the world’s richest man killing the world’s poorest children is not a pretty one." David Pilling, Financial Times – May 8, 2025 9:30 am | 0 Bill Gates said the abruptness of the cuts could cause the resurgence of diseases such as measles, HIV and polio. Credit: Hollie Adams/Bloomberg Bill Gates said the abruptness of the cuts could cause the resurgence of diseases such as measles, HIV and polio. Credit: Hollie Adams/Bloomberg Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more Billionaire philanthropist Bill Gates ratcheted up his feud with Elon Musk, accusing the world’s richest man of “killing the world’s poorest children” through what he said were misguided cuts to US development assistance. Gates, who is announcing a plan to accelerate his philanthropic giving over the next 20 years and close down the Gates Foundation altogether in 2045, said in an interview that the Tesla chief had acted through ignorance. In February, Musk’s so-called Department of Government Efficiency (Doge) in effect shut down the US Agency for International Development, the main conduit for US aid, saying it was “time for it to die.” The co-founder of Microsoft, and once the world’s richest man himself, said the abruptness of the cuts had left life-saving food and medicines expiring in warehouses and could cause the resurgence of diseases such as measles, HIV and polio. “The picture of the world’s richest man killing the world’s poorest children is not a pretty one,” he told the Financial Times. Gates said Musk had cancelled grants to a hospital in Gaza Province, Mozambique, that prevents women transmitting HIV to their babies, in the mistaken belief that the US was supplying condoms to Hamas in Gaza in the Middle East. “I’d love for him to go in and meet the children that have now been infected with HIV because he cut that money,” he said. Gates, 69, on Thursday announced plans to spend virtually his entire fortune over the next 20 years, during which time he estimates his foundation will spend more than $200 billion on global health, development and education against $100 billion over the previous 25 years. The Gates Foundation will close its doors in 2045, decades earlier than previously envisaged. Gates said the rationale for accelerated spending was to have maximum impact, with the potential for finding once-and-for all solutions such as eradicating polio and curing HIV. “It gives us clarity,” he said. “We’ll have a lot more money because we’re spending down over the 20 years, as opposed to making an effort to be a perpetual foundation.” The foundation will continue to spend the bulk of its budget, which will rise to about $10 billion a year, on global health, with vaccines, maternal and child health continuing to be a focus. But Gates said that private philanthropy could not make up the shortfall from the cuts to USAID, whose budget was $44 billion last year. Gates intends to pass on less than 1 percent of his wealth to his children. He said he was a supporter of a strong estate tax to prevent “dynastic wealth” and of “much more progressive taxation.” Critics have accused Gates of using his foundation’s charitable status as a tax shield and of parlaying his billions into undue influence on global health priorities. In a letter outlining his decision, Gates said: “People will say a lot of things about me when I die, but I am determined that ‘he died rich’ will not be one of them. There are too many urgent problems to solve.” Gates and Musk have clashed before over philanthropy. In 2012, Musk signed the Giving Pledge, launched by Bill and Melinda Gates and investor Warren Buffett, through which dozens of billionaires promised to give away at least half their wealth. But Musk later told Gates that philanthropy was mostly “bullshit” and that commercial solutions to problems like climate change, including Tesla’s electric vehicles, were more effective, according to Musk’s biographer Walter Isaacson. Isaacson described Musk’s fury in 2022 on learning that Gates had shorted Tesla stock, calling him a hypocrite for trying to make money by undermining a company that was seeking to do good. In a comment at the time on Twitter, now X, Musk posted an unflattering photograph of Gates accompanied by the caption: “In case u need to lose a boner fast.” Gates told the FT that Musk, who called USAID “a criminal organisation,” had no understanding of what the US agency did or how it operated. Musk in February acknowledged mistaking the Mozambican province of Gaza for the Palestinian territory, saying that “some of the things that I say will be incorrect.” Gates has been more restrained in his criticism of Donald Trump, saying he may not have fully understood the impact of cuts and holding out the prospect that some could be reversed. The Gates Foundation is one of many that fear the US president might try to remove their tax-free status through an executive order. Gates criticised Trump’s appointment of Robert F Kennedy Jr as secretary of health, saying that Kennedy had “attacked vaccines, and specifically my role . . . with a lot of falsehoods.” But he reserved his sternest criticism for Musk, whose cuts he said threatened to undermine 25 years of Gates Foundation work. Gates once told Isaacson that Musk should spend more time worrying about life on Earth than seeking solutions on other planets. “He’s overboard on Mars,” he said. Musk and Doge did not respond to requests for comment. Additional reporting by Joe Miller in Washington. © 2025 The Financial Times Ltd. All rights reserved. Not to be redistributed, copied, or modified in any way. David Pilling, Financial Times David Pilling, Financial Times 0 Comments

French gendarmes have been busy policing crypto crimes, but these aren't the usual financial schemes, cons, and HODL! shenanigans one usually reads about. No, these crimes involve abductions, (multiple) severed fingers, and (multiple) people rescued from the trunks of cars—once after being doused with gasoline. This previous weekend was particularly nuts, with an older gentleman snatched from the streets of Paris' 14th arrondissement on May 1 by men in ski masks. The 14th is a pleasant place—I highly recommend a visit to the catacombs in Place Denfert-Rochereau—and not usually the site of snatch-and-grab operations. The abducted man was apparently the father of someone who had made a packet in crypto. The kidnappers demanded a multimillion-euro ransom from the man's son. According to Le Monde, the abducted father was taken to a house in a Parisian suburb, where one of the father's fingers was cut off in the course of ransom negotiations. Police feared "other mutilations" if they were unable to find the man, but they did locate and raid the house this weekend, arresting five people in their 20s. (According to the BBC, French police used "phone signals" to locate the house.) Sounds crazy, but this was the second such incident this year. In January, crypto maven David Balland was also abducted along with his partner on January 21. Balland was taken to a house, where he also had a finger cut off. According to The Guardian, "Police were contacted by Balland’s business partner, who received a video of the finger alongside a demand for a large ransom in cryptocurrency, of around €10m. Balland was freed in a police raid soon after. His partner was found tied up in the boot of a car in a carpark in the Essonne area south of Paris the next day." And a few weeks before that, attackers went to the home of someone whose son was a "crypto-influencer based in Dubai." At the father's home, the kidnappers "tied up [the father's] wife and daughter and forced him into a car. The man’s influencer son received a ransom demand and contacted police. The two women were then quickly freed. The father was only discovered 24 hours later in the boot of a car in Normandy, tied up and showing signs of physical violence, having been sprinkled with petrol."

This matters Matter update may finally take the tedium out of setting up your smart home Matter is taking care of a few common smart home headaches. Ryan Whitwam – May 7, 2025 4:21 pm | 35 Credit: Connectivity Standards Alliance Credit: Connectivity Standards Alliance Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more There is no product category that better embodies the XKCD take on standards than smart home. With an ocean of connectivity options and incompatible standards, taming this mess has been challenging, but Matter could finally have a shot at making things a little less frustrating. The latest version of the standard has launched, offering multiple ways to streamline the usually aggravating setup process. The first public release of Matter was in late 2022, but compatible systems didn't get support until the following year. Now, there are Matter-certified devices like smart bulbs and sensors that will talk to Apple, Google, Amazon, and other smart home platforms. Matter 1.4.1 includes support for multi-device QR codes, NFC connection, and integrated terms and conditions—all of these have the potential to eliminate some very real smart home headaches. It's common for retailers to offer multi-packs of devices like light bulbs or smart plugs. That can save you some money, but setting up all those devices is tedious. With Matter 1.4.1, it might be much easier thanks to multi-device QR codes. Manufacturers can now include a QR code in the package that will pair all the included devices with your smart home system when scanned. QR codes will still appear on individual devices for pairing, but it might not always be a QR code going forward. The new Matter also gives manufacturers the option of embedding NFC tags inside smart home gadgets. So all you have to do to add them to your system is tap your phone. That will be nice if you need to pair a device after it's been installed somewhere that obscures the visible code. Left: The way Matter supporters want the smart home to work. Right: The way it still works, sadly. Credit: Connectivity Standards Alliance Left: The way Matter supporters want the smart home to work. Right: The way it still works, sadly. Credit: Connectivity Standards Alliance The last change revamps how users interact with a device's terms and conditions, but don't underestimate this. The new "Enhanced Setup Flow" has the option to display the OEM's terms and conditions, which you probably don't care about. Still, for legal reasons, every company shoves that document in your face. By integrating that with Matter setup, it saves you from being kicked to another app to review the terms, which can screw up the pairing process. The value proposition of many smart home devices has always been suspect. It's really not that difficult to use a light switch or a regular deadbolt. The smart alternatives do offer useful functionality, but they cost more, and managing devices is a pain. More than a few speed bumps and you may miss your dumb home. With these changes to onboarding, Matter is one step closer to eliminating those pain points. However, companies have to start producing new devices with Matter 1.4.1 before you can enjoy the benefits. The good news is that, after some early hesitation, Matter support is picking up steam. Ryan Whitwam Senior Technology Reporter Ryan Whitwam Senior Technology Reporter Ryan Whitwam is a senior technology reporter at Ars Technica, covering the ways Google, AI, and mobile technology continue to change the world. Over his 20-year career, he's written for Android Police, ExtremeTech, Wirecutter, NY Times, and more. He has reviewed more phones than most people will ever own. You can follow him on Bluesky, where you will see photos of his dozens of mechanical keyboards. 35 Comments

Eliminating waste Genetic-engineered bacteria break down industrial contaminants Five clusters of genes from different organisms put into a single bacterial strain. John Timmer – May 7, 2025 4:50 pm | 2 Credit: Aldo Pavan Credit: Aldo Pavan Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more Over the last century or more, humanity has been developing an ever-growing list of chemicals that have never been seen by Earth's creatures. Many of these chemicals end up being toxic contaminants that we'd love to get rid of, but we struggle to purify them from the environment or break them down once we do. And microbes haven't had much chance to evolve the ability to break them down for us. Over the last few years, however, we've found a growing number of cases where bacteria have evolved the ability to break down industrial contaminants and plastics. Unfortunately, these bacteria are all different species, target different individual contaminants, and thrive in different environments. But now, researchers have developed a new way to take the genes from all these species and place them in a single bacterial strain that can decontaminate complex waste mixtures. Targeting contaminants The inspiration for this work was the fact that a lot of industrial contamination contains a mixture of toxic organic molecules, but is found in brackish or salty water. So, the research team, based in Shenzhen, China, started by simply testing a number of lab strains to determine the ability to survive these conditions. The one that seemed to do the best is called Vibrio natriegens. These bacteria were discovered in a salt marsh, and their primary claim to fame is an impressive growth rate, with a population being able to double about every 10 minutes. Unfortunately, Vibrio natriegens doesn't have the sophisticated molecular tools that are available in a species like E. coli. So, the researchers spent some time making Vibrio natriegens a bit more amenable to manipulations, making it more capable of taking up DNA and incorporating it into a specific location in the genome. Once that was done, the researchers started looking through the genomes of species that have been identified as breaking down industrial contaminants. The breakdown of complex molecules typically involves more than one enzyme, and the genes for these enzymes tend to end up clustered together, so that they can be produced as a single, large RNA that encodes all the proteins needed. This simplifies regulating their production, making it easy to ensure the bacteria only make the proteins if the molecule they break down is actually present. In this case, the clusters ranged from just three genes all the way up to 11. Once nine of these gene clusters were identified, the DNA that would encode them was ordered and assembled into a single DNA molecule in yeast. The researchers took some time while ordering this DNA to better optimize the genes to be active and produce proteins in Vibrio natriegens, as opposed to whatever species the genes were normally used by. From yeast, each of these individual gene clusters was inserted into Vibrio natriegens, creating different strains that could digest one of the following: benzene, toluene, phenol, naphthalene, biphenyl, DBF29, and dibenzothiophene (DBT). (Some of the nine clusters target the same contaminant.) Each of these bacterial strains was then put in a solution with the chemical they were engineered to digest. Five of the nine worked, giving researchers strains that could digest biphenyl, phenol, napthalene, DBF, and toluene. Good, but limited From there, the researchers developed a system that would enable them to iteratively insert a new gene cluster at the tail end of a previously inserted gene cluster. This allowed them to build up a cluster of clusters, eventually including all five of the ones that had shown activity in the earlier tests. Given two days, this single strain could remove about a quarter of the phenol, a third of the biphenyl, 30 percent of the DBF, all of the naphthalene, and nearly all of the toluene. All those contaminants came from a mixture created by the researchers specifically for the test. To get a better sense of its capabilities, the team got hold of two wastewater mixtures that also included some salt in the water. Here, the engineered Vibrio natriegens strain proved highly effective, eliminating over 95 percent of most chemicals, and about 80 percent of phenol. The strain also worked against contaminated soil. That said, this shouldn't be seen as the solution to contamination with organic chemicals. For starters, there were a number of chemical targets that weren't digested—not to mention a huge range of chemicals that weren't tested. In addition, Vibrio natriegens doesn't grow especially well when salt isn't present, so it can't just be unleashed on all of our contamination. But perhaps the biggest problem is that, unlike the bacteria that the gene clusters originated in, Vibrio natriegens has no way of using the broken-down products of these reactions. Other bacteria evolved these gene clusters because the clusters allowed them to incorporate the breakdown products as if they were food. In contrast, Vibrio natriegens lacks the enzymes that enable this sort of incorporation; instead, these chemical products just end up sitting around when the bacteria are done digesting. That means that, while this engineered strain gets rid of dangerous chemicals, it will leave a variety of less dangerous chemical contaminants. And, since the Vibrio natriegens can't use this material as food, there's no evolutionary selection going on for the activity of these engineered gene clusters. That means that there's no pressure to even keep the gene clusters around (though the researchers confirmed they weren't lost during these experiments). Also, no pressure that could improve their activity further. So, in the long term, it might be best to start plugging the pathways that break down contaminants into the cell's basic metabolism. Despite these limitations, though, the work is a clear demonstration of the potential of bacteria to help us clean up some of the messes we're making. Nature, 2025. DOI: 10.1038/s41586-025-08947-7  (About DOIs). John Timmer Senior Science Editor John Timmer Senior Science Editor John is Ars Technica's science editor. He has a Bachelor of Arts in Biochemistry from Columbia University, and a Ph.D. in Molecular and Cell Biology from the University of California, Berkeley. When physically separated from his keyboard, he tends to seek out a bicycle, or a scenic location for communing with his hiking boots. 2 Comments

Slicing ISS budget NASA scrambles to cut ISS activity after Trump budget—its options are not great "The Budget reduces the space station’s crew size and onboard research." Eric Berger – May 7, 2025 11:16 am | 30 The Alpha Magnetic Spectrometer was installed on the International Space Station in 2011. Credit: NASA The Alpha Magnetic Spectrometer was installed on the International Space Station in 2011. Credit: NASA Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more One major surprise in the Trump administration's "skinny budget" proposal for NASA, released last Friday, was a demand that the US space agency reduce its activities on the International Space Station. "The Budget reduces the space station’s crew size and onboard research, preparing for a safe decommissioning of the station by 2030 and replacement by commercial space stations," stated the budget request for fiscal year 2026. "Crew and cargo flights to the station would be significantly reduced. The station’s reduced research capacity would be focused on efforts critical to the Moon and Mars exploration programs." The budget proposal estimates this would save $508 million from a budget of about $3 billion annually to support the International Space Station. NASA has not said much publicly about how it would comply with such a budget, but according to two sources, NASA officials will propose the following actions should such a budget come to pass: Reducing the size of the crew complement of Crew Dragon missions from four to three, starting with Crew-12 in February 2026 Extending the duration of space station missions from six to eight months Canceling all upgrades to the Alpha Magnetic Spectrometer science instrument attached to the station Nothing is final yet The budget is not final, of course. A budget request is just the opening salvo of negotiations, and NASA has not cemented these proposals. But these changes, or something similar, would be necessary should the White House budget cuts for space station operations be adopted. Some of the changes are not completely unreasonable. By extending the standard crewed mission from six to eight months, NASA would only need to fly three crewed missions to the station on Crew Dragon every two years instead of four. This would save a considerable amount of money in transportation costs. Such a change would also match what Roscosmos plans to do with its Soyuz missions. Similarly, as a cost-saving measure and beginning with the Soyuz MS-27 mission launched last month, Russia has extended the duration of flights to eight months. The primary downside of extending missions for NASA is that fewer of its astronauts would get experience in orbit. Canceling the tracker layer upgrade to the spectrometer would also not be catastrophic. The addition of a silicon tracker layer on top of the detector would increase the amount of data from the $2 billion physics experiment over the next five years by a factor of three. However, the experiment has been in operation since 2011, so it has had ample time to collect information about dark matter and other fundamental physics in the universe. Cutting crews down to size The real eye-catching proposal in NASA's options is reducing the crew size from four to three. Typically, Crew Dragon missions carry two NASA astronauts, one Roscosmos cosmonaut, and an international partner astronaut. Therefore, although it appears that NASA would only be cutting its crew size by 25 percent, in reality, it would be cutting the number of NASA astronauts on Crew Dragon missions by 50 percent. Overall, this would lead to an approximately one-third decline in science conducted by the space station. (This is because there are usually three NASA astronauts on station: two from Dragon and one on each Soyuz flight.) It's difficult to see how this would result in enormous cost savings. Yes, NASA would need to send marginally fewer cargo missions to keep fewer astronauts supplied. And there would be some reduction in training costs. But it seems kind of nuts to spend decades and more than $100 billion building an orbital laboratory, putting all of this effort into developing commercial vehicles to supply the station and enlarge its crew, establishing a rigorous training program to ensure maximum science is done and then to say, well, actually we don't want to use it. NASA has not publicly announced the astronauts who will fly on Crew-12 next year, but according to sources, it has already assigned veteran astronaut Jessica Meir and newcomer Jack Hathaway, a former US Navy fighter pilot who joined NASA's astronaut corps in 2021. If these changes go through, presumably one of these two would be removed from the mission. Will this actually happen? The cuts are by no means a certainty. The president's budget proposal is just the beginning of a monthslong process in which the White House Office of Management and Budget will work with Congress to establish funding levels and programmatic priorities for fiscal year 2026. If this budget process is like those in years past, a final budget may not even be set by the start of the fiscal year this October. Congress has been broadly supportive of the space station, which is slated to fly through 2030 before being decommissioned. The Trump White House nominee to lead NASA, Jared Isaacman, also spoke in favor of "maximizing" science on the space station during his confirmation hearing last month. In subsequent answers to written questions, Isaacman reaffirmed this position. "My priority would be to maximize the remaining value of the ISS before it is decommissioned," Isaacman wrote. "We must prioritize the highest-potential science and research that can be conducted on the station—and do everything possible to 'crack the code' on an on orbit economy." This comment reflects a desire to focus on science that will help jump-start a commercial economy in low-Earth orbit, as opposed to the White House budget's desire to focus on research related to the Moon and Mars. Isaacman has not been confirmed yet—that should happen within the next couple of weeks—so he did not have direct input into setting the White House budget proposal. That process was led by Russell Vought, who leads the White House Office of Management and Budget. Eric Berger Senior Space Editor Eric Berger Senior Space Editor Eric Berger is the senior space editor at Ars Technica, covering everything from astronomy to private space to NASA policy, and author of two books: Liftoff, about the rise of SpaceX; and Reentry, on the development of the Falcon 9 rocket and Dragon. A certified meteorologist, Eric lives in Houston. 30 Comments

GOT CRYPTOGRAPHY? WhatsApp provides no cryptographic management for group messages The weakness creates the possibility of an insider or hacker adding rogue members. Dan Goodin – May 7, 2025 6:04 pm | 0 Credit: Stan Honda / Getty Images Credit: Stan Honda / Getty Images Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more The world has been abuzz for weeks now about the inclusion of a journalist in a group message of senior White House officials discussing plans for a military strike. In that case, the breach was the result of then-National Security Advisor Mike Walz accidentally adding The Atlantic Editor-in-Chief Jeffrey Goldberg to the group chat and no one else in the chat noticing. But what if someone controlling or hacking a messenger platform could do the same thing? When it comes to WhatsApp—the Meta-owned messenger that’s frequently touted for offering end-to-end encryption—it turns out you can. A clean bill of health except for ... A team of researchers made the finding in a recently released formal analysis of WhatsApp group messaging. They reverse-engineered the app, described the formal cryptographic protocols, and provided theorems establishing the security guarantees that WhatsApp provides. Overall, they gave the messenger a clean bill of health, finding that it works securely and as described by WhatsApp. They did, however, discover a largely overlooked behavior that should give some group messaging users pause: Like other messengers billed as secure—with the notable exception of Signal—WhatsApp doesn’t provide any sort of cryptographic means for group management. “This means that it is possible for the WhatsApp server to add new members to a group,” Martin R. Albrecht, a researcher at King's College in London, wrote in an email. “A correct client—like the official clients—will display this change but will not prevent it. Thus, any group chat that does not verify who has been added to the chat can potentially have their messages read.” The chance of someone exploiting this weakness to access a WhatsApp group for soccer parents is likely nil. A nation-state operative, on the other hand, trying to crash a group of government officials discussing sensitive national security issues is well within the realms of possibility. In such a case, a WhatsApp admin with sufficient system privileges could add as many users to an existing group as desired. So could an attacker who managed to hack the WhatsApp infrastructure. With many groups numbering in the dozens or even hundreds of members, the notification might not be easy to notice. The flow of adding new members to a WhatsApp group message is: A group member sends an unsigned message to the WhatsApp server that designates which users are group members, for instance, Alice, Bob, and Charlie The server informs all existing group members that Alice, Bob, and Charlie have been added The existing members have the option of deciding whether to accept messages from Alice, Bob, and Charlie, and whether messages exchanged with them should be encrypted With no cryptographic signatures verifying an existing member wants to add a new member, additions can be made by anyone with the ability to control the server or messages that flow into it. Using the common fictional scenario for illustrating end-to-end encryption, this lack of cryptographic assurance leaves open the possibility that Malory can join a group and gain access to the human-readable messages exchanged there. WhatsApp isn’t the only messenger lacking cryptographic assurances for new group members. In 2022, a team that included some of the same researchers that analyzed WhatsApp found that Matrix—an open source and proprietary platform for chat and collaboration clients and servers—also provided no cryptographic means for ensuring only authorized members join a group. The Telegram messenger, meanwhile, offers no end-to-end encryption for group messages, making the app among the weakest for ensuring the confidentiality of group messages. In contrast, the open source Signal messenger provides a cryptographic assurance that only an existing group member designated as the group admin can add new members. In an email, researcher Benjamin Dowling, also of King’s College, explained: Signal implements “cryptographic group management.” Roughly this means that the administrator of a group, a user, signs a message along the lines of “Alice, Bob and Charley are in this group” to everyone else. Then, everybody else in the group makes their decision on who to encrypt to and who to accept messages from based on these cryptographically signed messages, [meaning] who to accept as a group member. The system used by Signal is a bit different [than WhatsApp], since [Signal] makes additional efforts to avoid revealing the group membership to the server, but the core principles remain the same. On a high-level, in Signal, groups are associated with group membership lists that are stored on the Signal server. An administrator of the group generates a GroupMasterKey that is used to make changes to this group membership list. In particular, the GroupMasterKey is sent to other group members via Signal, and so is unknown to the server. Thus, whenever an administrator wants to make a change to the group (for instance, invite another user), they need to create an updated membership list (authenticated with the GroupMasterKey) telling other users of the group who to add. Existing users are notified of the change and update their group list, and perform the appropriate cryptographic operations with the new member so the existing member can begin sending messages to the new members as part of the group. Most messaging apps, including Signal, don’t certify the identity of their users. That means there’s no way Signal can verify that the person using an account named Alice does, in fact, belong to Alice. It’s fully possible that Malory could create an account and name it Alice. (As an aside, and in sharp contrast to Signal, the account members that belong to a given WhatsApp group are visible to insiders, hackers, and to anyone with a valid subpoena.) Signal does, however, offer a feature known as safety numbers. It makes it easy for a user to verify the security of messages or calls with specific contacts. When two users verify out-of-band—meaning using a known valid email address or cell phone number of the other—that Signal is displaying the same safety number on both their devices, they can be assured that the person claiming to be Alice is, in fact, Alice. Walz, the former National Security Advisor, failed to follow this crucial step when adding The Atlantic editor-in-chief to a Signal group. That failure resulted in sensitive military plans being sent to someone unauthorized to receive them. No matter what app three or more people use for group messages, it’s crucial that they know the identity behind all fellow group member names. The hurdles for causing the WhatsApp server to add a user to an existing group—either by a malicious insider or someone hacking WhatsApp infrastructure—are high enough that the weakness is likely to be exploited only in extraordinary cases. The fact that the weakness exists at all is a good reason for groups trading truly sensitive messages to steer clear of the app. The researchers previously sent their findings to WhatsApp. WhatsApp didn’t immediately respond to Ars' request for comment. Dan Goodin Senior Security Editor Dan Goodin Senior Security Editor Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82. 0 Comments

Examine your options Starlink: Here’s a free satellite dish—if you pay $120 a month instead of $90 Accepting free dish blocks $90 monthly price available in excess-capacity areas. Jon Brodkin – May 7, 2025 2:41 pm | 26 Starlink satellite dish. Credit: Starlink Starlink satellite dish. Credit: Starlink Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more Starlink last week announced a new deal for its standard hardware kit, giving the satellite dish and Wi-Fi router for free to customers who sign up for a 12-month commitment. The deal is reminiscent of the hardware rental agreements long used by cable companies, but Starlink's offer has generated a bit of excitement. Some analysts suggested that the free kits are a reason for the federal government's $42 billion broadband deployment fund to send grants to Starlink instead of to fiber-to-the-home providers, or that the government should buy Starlink kits at the regular price of $349 each so that Elon Musk's company doesn't have to eat the cost. You may not be surprised to learn that the free hardware kit isn't really free. But much of the discussion around the offer has ignored the fine details that could make a reasonable Starlink buyer decide to reject the deal. Similarly, policymakers deciding which ISPs should get government money might be wise to remember that fiber provides superior and more future-proof Internet service and that Starlink's offers to customers could change at any time. Starlink's free-dish offer isn't available nationwide, and in many of the places where it is available, you'll be able to pay a bit less overall by buying the kit at the full price of $349. Customers in these areas who are certain they will use Starlink for at least 12 months may want the free kit in order to pay for it over a year instead of all at once, but anyone enticed by the offer should compare their options before diving in. Where you live is a major determining factor in whether it will be worth it. In some areas, the offer with a free kit will be significantly cheaper over the first year. In other areas it will be slightly cheaper during the first year to pay the up-front price for the kit, and this might also result in a better monthly price after the first year. Get a free kit or pay $30 less per month Starlink is offering the free kit in parts of the US and other countries; you can see where it's available here. The limited availability isn't surprising since Starlink already charges different rates in different areas depending on network availability. In early 2023, Starlink started charging $120 a month for service in areas with limited capacity and $90 a month in areas with excess capacity. Starlink also imposes a "congestion charge" on new users in high-demand areas. You can see the price at your home by going through the Starlink ordering page. First, we'll look at a scenario in which the $90 monthly price is available for those who buy the kit at full price. Looking at my address in Massachusetts this week, I saw two options. One option is to pay $349 up front for the Starlink Standard Kit, plus $21.81 in tax, and buy service for $90 a month with no time commitment. The other option is to get the Starlink Standard Kit for free, plus the same $21.81 tax, and pay $120 a month while committing to at least 12 months of service. Canceling before the year is over can result in a $325 fee, but there's a 30-day trial during which you can get a refund and not pay that fee. With a free kit, this works out to $1,440 over 12 months, excluding the tax. Purchasing the kit for $349 and paying $90 a month adds up to $1,429 in the first 12 months. It's a tiny bit more expensive to get the free kit, but the deal lets you spread the cost out evenly over the first year and possibly let you earn some extra interest if you invest the $349 initial savings. But a buyer's decision still isn't that clear-cut because there's an unanswered question about what you'll pay in year two. Ordering Starlink without the free kit. Ordering Starlink without the free kit. Ordering Starlink with the free kit. Ordering Starlink with the free kit. Ordering Starlink without the free kit. Ordering Starlink with the free kit. What’s the price after 12 months? The question is what the monthly service price will be after the first 12 months. Do people who choose the "free" kit have to keep paying $120 a month in the second year and beyond while those who bought the kit for $349 keep paying $90 a month? I contacted Starlink support to ask those specific questions about the price after 12 months. I received a vague response that did not answer my questions and a link to an FAQ that I had already read. I also contacted SpaceX's media relations team with the same questions yesterday and received no response. If I were buying Starlink service, I would assume that the $120 price doesn't automatically drop to $90 after the 12-month commitment and that I'd have to contact SpaceX at that time and hope to get a $30 price cut. Operating under that assumption, I'd feel more comfortable buying the kit at full price and paying $90 a month from the beginning. Starlink could raise that price at any time—either by declaring the area to have limited capacity or simply by changing the standard rates. But taking the $90 price from the beginning strikes me as more likely to work out in my favor in the long run. This is just guesswork, and perhaps the process of changing plans would be as easy as Starlink describes on its website. However, in the absence of a specific answer from Starlink about this scenario, I would be hesitant to start out with the $120 price in any area where the $90 price is available. Free kit not available with $80 lite plan Complicating matters is that in some areas, Starlink offers a Residential Lite plan that costs less than the standard plan and has slower speeds. Starlink explains that Residential Lite is "deprioritized compared to Residential service during peak hours," and that "speeds should range from 50 - 100 Mbps (as compared to 150 - 250 Mbps for the Residential service plan." The free kit wasn't available with this tier of service when I tested the ordering site this week. There are 15 US states in which Residential Lite is offered: Maine, Vermont, New Hampshire, Montana, North Dakota, South Dakota, Minnesota, Iowa, Wyoming, Nebraska, Kansas, Nevada, Utah, New Mexico, and Hawaii. This territory generally overlaps with the larger territory in which the free Starlink kit is available. Some states, such as California, Texas, New York, and Massachusetts, have access to the free kit offer but not the Residential Lite plan. When attempting to order service in one of the overlap areas where both are available, an address in Maine, I was given three options. One option was to get the hardware for free and pay $120 a month with a 12-month commitment. Another option was to pay $349 for the kit and get the standard residential plan for the same $120 monthly price, but with no minimum term commitment. The third option was to pay $349 for the kit and get the worse Residential Lite plan for $80 a month, with no commitment. The $90 price for full-speed service wasn't available. Ordering Starlink's lite service. Ordering Starlink's lite service. Ordering Starlink with free kit and $120 monthly price. Ordering Starlink with free kit and $120 monthly price. Ordering Starlink with $349 kit and $120 monthly price. Ordering Starlink with $349 kit and $120 monthly price. Ordering Starlink with free kit and $120 monthly price. Ordering Starlink with $349 kit and $120 monthly price. If you don't mind the Lite plan's slower speeds and deprioritization during peak hours, it's cheaper during the first year to buy the kit at full price and pay $80 a month ($1,309 compared to $1,440). If you want to avoid the lite plan and you live in a place where the $90 full-speed plan isn't available, it's significantly cheaper to get the free kit because you'd have to pay $120 either way. You presumably would be able to switch to the $80 lite plan after the 12-month commitment, assuming Starlink still offers it a year from now. In summary, if you were thinking about getting Starlink already, check out the free-kit offer and see if it makes sense for you. Just don't hit the buy button immediately without examining the other options. Jon Brodkin Senior IT Reporter Jon Brodkin Senior IT Reporter Jon is a Senior IT Reporter for Ars Technica. He covers the telecom industry, Federal Communications Commission rulemakings, broadband consumer affairs, court cases, and government regulation of the tech industry. 26 Comments

the future is worth fighting for The Third Crisis dawns in Foundation S3 teaser "If we fail, humanity will be lost forever. We act, or we lose." Jennifer Ouellette – May 7, 2025 12:15 pm | 2 Credit: Apple TV+ Credit: Apple TV+ Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more We have our first teaser for the upcoming third season of Foundation. It's been nearly two years, but the third season of Foundation, Apple TV+'s epic adaptation (or remix) of the Isaac Asimov series, is almost here. The streaming platform released an action-packed teaser of what we can expect from the new ten-episode season: the onset of the Third Crisis, a galactic war, and a shirtless Lee Pace. (Some spoilers for first two seasons below.) Showrunner David S. Goyer took great pains in S1 to carefully set up his expansive fictional world, and the scope only broadened in the second season. As previously reported, Asimov's fundamental narrative arc remains intact, with the series taking place across multiple planets over 1,000 years and featuring a huge cast of characters. Mathematician Hari Seldon (Jared Harris) developed a controversial theory of "psychohistory," and his calculations predict the fall of the Empire, ushering in a Dark Age period that will last 30,000 years, after which a second Empire will emerge. The collapse of the Empire is inevitable, but Seldon has a plan to reduce the Dark Ages to a mere 1,000 years through the establishment of a Foundation to preserve all human knowledge so that civilization need not rebuild itself entirely from scratch. He is aided in this endeavor by his math prodigy protegé Gaal Dornick (Lou Llobell). The biggest change from the books is the replacement of the Empire's ruling committee with a trio of Eternal Emperor clones called the Cleons—a genetic triune dynasty comprised of Brother Day (Pace), Brother Dusk (Terrence Mann), and Brother Dawn (Cassian Bilton). Technically, they are all perfect incarnations of the same man at different ages, and this is both the source of their strength as a team and of their conflicts. Their guardian is an android, Eto Demerzel (Laura Birn), one of the last surviving androids from the ancient Robot Wars, who is programmed to protect the dynasty at all costs. The first season ended with a major time jump of 138 years, and S2 focused on the Second Crisis: imminent war between Empire and the Foundation, along with an enemy seeking to destroy Empire from within. The Foundation, meanwhile, adopted the propaganda tactics of religion to recruit new acolytes to the cause. We also met a colony of "Mentalics" with psionic abilities. Goyer stepped down as showrunner after S2 but has reportedly remained very much involved with production. And we're getting another mega time jump for the Third Crisis. Per the official premise: Set 152 years after the events of S2, The Foundation has become increasingly established far beyond its humble beginnings while the Cleonic Dynasty’s Empire has dwindled. As both of these galactic powers forge an uneasy alliance, a threat to the entire galaxy appears in the fearsome form of a warlord known as “The Mule” whose sights are set on ruling the universe by use of physical and military force, as well as mind control. It’s anyone’s guess who will win, who will lose, who will live, and who will die as Hari Seldon, Gaal Dornick, the Cleons and Demerzel play a potentially deadly game of intergalactic chess. Most of the main cast is returning: Pace, Bilton, Mann, Harris as Llobell, and Birn, as well as Rowena King as legendary mathematician Kalle. Pilou Asbæk plays the Mule, briefly introduced in S2. New S3 cast members include Cherry Jones, Brandon P. Bell, Synnøve Karlsen, Cody Fern, Tómas Lemarquis, Alexander Siddig, and Troy Kotsur. The third season of Foundation premieres on July 11, 2025, on Apple TV+. New episodes will air weekly through September 12, 2025. A few first look images are featured in the gallery below. Jared Harris returns as Hari Seldon. Apple TV+ Jared Harris returns as Hari Seldon. Apple TV+ The Cleons: Brother Dawn (Cassian Bilton), Brother Day (Lee Pact), and Brother Dusk (Terrence Mann). Apple TV+ The Cleons: Brother Dawn (Cassian Bilton), Brother Day (Lee Pact), and Brother Dusk (Terrence Mann). Apple TV+ Laura Birn as the android Demerzel. Apple TV+ Laura Birn as the android Demerzel. Apple TV+ The Cleons: Brother Dawn (Cassian Bilton), Brother Day (Lee Pact), and Brother Dusk (Terrence Mann). Apple TV+ Laura Birn as the android Demerzel. Apple TV+ Lou Llobell as Gaal. Apple TV+ Pilou Asbæk as the Mule. Apple TV+ Jennifer Ouellette Senior Writer Jennifer Ouellette Senior Writer Jennifer is a senior writer at Ars Technica with a particular focus on where science meets culture, covering everything from physics and related interdisciplinary topics to her favorite films and TV series. Jennifer lives in Baltimore with her spouse, physicist Sean M. Carroll, and their two cats, Ariel and Caliban. 2 Comments

can someone check the thermostat in hell Apps like Kindle are already taking advantage of court-mandated iOS App Store changes Epic v. Apple litigation ushers in minor but user-friendly changes. Andrew Cunningham – May 6, 2025 1:51 pm | 19 Credit: Getty Images | NurPhoto Credit: Getty Images | NurPhoto Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more Last week, a federal judge ruled that Apple was in "willful violation" of a court injunction that required the company to refrain from "anticompetitive conduct and anticompetitive pricing" in its tightly controlled iOS App Store. Part of the ongoing litigation between Epic Games and Apple, the injunction specifically forbade Apple from "denying developers the ability to communicate with, and direct purchasers to, other purchasing mechanisms." Following the ruling, Apple said it would comply with the court's injunction while the company continued to appeal the decision. The day after the ruling was handed down, Apple altered several of its App Review Guidelines to grant developers permission to do things they hadn't been allowed to do before. As summarized in an email to developers, reported by MacRumors: 3.1.1: Apps on the United States storefront are not prohibited from including buttons, external links, or other calls to action when allowing users to browse NFT collections owned by others. 3.1.1(a): On the United States storefront, there is no prohibition on an app including buttons, external links, or other calls to action, and no entitlement is required to do so. 3.1.3: The prohibition on encouraging users to use a purchasing method other than in-app purchase does not apply on the United States storefront. 3.1.3(a): The External Link Account entitlement is not required for apps on the United States storefront to include buttons, external links, or other calls to action. We're already beginning to see new versions of apps that take advantage of these changes. Case in point: Amazon's Kindle app for iPhones and iPads, which from its original launch in 2009 up until yesterday wouldn't actually let anyone buy books in the app. Users instead needed to navigate on their own to Amazon's store in Safari or on their PC and Mac and buy the books they wanted, at which point the books would be available in the Kindle app. As of an update released today, the iOS app still doesn't allow books to be purchased directly in the app, but you can search Amazon's virtual bookstore inside the app and tap a new "Get Book" button that automatically pops you over to Amazon.com in your phone or tablet's default browser. This is not as convenient for users as allowing them to purchase digital goods or services directly in the app, but it does make things a lot more friendly for users of apps whose developers don't want to pay Apple a cut. For the first time ever, the Kindle app on iOS can automatically direct book buyers to Amazon's site to complete a purchase. Credit: Andrew Cunningham Apple's position on its App Store commissions has generally been, to write a high-level summary, that these third-party app developers benefit from the size and reach of Apple's platform, the work Apple does to maintain the App Store and to make apps discoverable, and Apple's payment processing services, among other benefits. Even when it complied with a court order to allow third-party developers to use alternate payment processors in their apps, Apple still insisted on a 12 to 27 percent cut (rather than the usual 15 to 30 percent) to cover these other less-tangible benefits of offering apps and services on Apple's devices. (Apple's method of complying with that ruling, including onerous filing requirements for developers who used third-party payment services, was one of many things Judge Gonzalez criticized Apple for in last week's ruling.) A new headache for Apple Apple is appealing last week's ruling, and it may well succeed in the end, giving the company the ability to roll back these rule changes and once again force developers to either use Apple's in-app payments or force users to buy goods and services externally. But even if this change is only temporary, it still creates new potential PR headaches for Apple. That's because, from 2009 until yesterday, the lack of simple user-friendly features like those redirect buttons was just the way these apps worked. It seemed silly, and it was a minor pain, but at this point, I'm so used to working around it that it doesn't even occur to me to try to buy Kindle books from within the Kindle app. But for as long as Amazon, Spotify, and other longtime critics of Apple can take advantage of the changed rules, they'll be helping to create a new baseline expectation: that apps that don't offer direct in-app purchases can still easily redirect you to a place where you can make those purchases. It may also lead to some apps that currently do offer in-app purchases to change that to a redirect button instead to get around giving Apple a cut of their revenue. If Apple wins the appeal, this puts the company in a position of taking something away from developers and users, rather than preserving the status quo. Loss aversion among Apple's users could result in a fresh wave of user complaints and negative coverage, even though this "new" situation would be the same as it was in the very recent past, and Apple would have to weigh any potential blowback against whatever revenue it earns from locking developers into its own in-app purchasing system. Andrew Cunningham Senior Technology Reporter Andrew Cunningham Senior Technology Reporter Andrew is a Senior Technology Reporter at Ars Technica, with a focus on consumer tech including computer hardware and in-depth reviews of operating systems like Windows and macOS. Andrew lives in Philadelphia and co-hosts a weekly book podcast called Overdue. 19 Comments

"Imbecilic" Trump admin picks COVID critic to be top FDA vaccine regulator Vinay Prasad is known for Twitter fights, comparing COVID responses to rise of Nazis. Beth Mole – May 6, 2025 3:48 pm | 55 Vinay Prasad Credit: Getty | Marvin Joseph Vinay Prasad Credit: Getty | Marvin Joseph Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more Oncologist Vinay Prasad, a divisive critic of COVID-19 responses, will be the next top vaccine regulator at the Food and Drug Administration, agency Commissioner Martin Makary announced on social media Tuesday. Prasad will head the FDA's Center for Biologics Evaluation and Research (CBER), which is in charge of approving and regulating vaccines and other biologics products, such as gene therapies and blood products. "Dr. Prasad brings the kind of scientific rigor, independence, and transparency we need at CBER—a significant step forward," Makary wrote on social media. Prasad, a professor in the department of epidemiology and biostatistics at the University of California, San Francisco, is perhaps best known for his combative social media postings and criticism of the mainstream medical community. He gained notoriety amid the COVID-19 pandemic for assailing public health responses, such as masking and vaccine mandates. In an October 2021 newsletter, titled "How Democracy Ends," Prasad compared the country's pandemic responses to the rise of Adolf Hitler's Third Reich. The post led New York University bioethicist Arthur Caplan to rebuke Prasad, writing in The Cancer Letter that the comparison is "ludicrous, dangerous, and offensive," before adding "imbecilic." Prasad has also criticized the FDA for approving COVID-19 booster vaccines. Last year, he accused his predecessor as the head of the CBER, Peter Marks, of being "either incompetent or corrupt" for allowing the approvals. “Absurd” More recently, Prasad has heaped praise on new FDA Commissioner Makary, while continuing to criticize Marks. In early March, Prasad called Makary "smart, thoughtful, and disciplined" and "exactly what we need at the FDA." Later in the month, he continued to take shots at Marks, writing: "You could replace Peter Marks with a bobblehead doll that just stamps approval and you would have the same outcome at FDA with lower administrative fees. Maybe something DOGE should consider." The next week, Marks was pushed out of the FDA. In a resignation letter, Marks wrote: "It has become clear that truth and transparency are not desired by the [health] secretary, [anti-vaccine advocate Robert F. Kennedy Jr.], but rather he wishes subservient confirmation of his misinformation and lies." In a subsequent interview with The Associated Press, Marks said he was forced out after he refused to give Kennedy's team unrestricted access to a critical vaccine safety database. Instead, Marks offered to give them the ability to read the database but not directly edit it. “Why wouldn’t we [give them full access]? Because frankly we don’t trust [them],” Marks told the AP. "They’d write over it or erase the whole database." The AP reported that Marks used profanity in the comment, but did not indicate where. Since the removal of Marks, concern has only grown that the FDA, under Makary and Kennedy, will thwart vaccines and vaccine approvals. Last week, news broke that the FDA will impose new clinical trial requirements for updating vaccines, which may make it impossible for COVID-19 boosters to be approved in the tight timeframe needed for seasonal shots. Prasad supports the move, suggesting that treating seasonally updated COVID-19 booster doses the same way it treats seasonally updated flu shots is "absurd," and calling those who disagree "anti-vaccine, anti-science, and pro-corporate." Beth Mole Senior Health Reporter Beth Mole Senior Health Reporter Beth is Ars Technica’s Senior Health Reporter. Beth has a Ph.D. in microbiology from the University of North Carolina at Chapel Hill and attended the Science Communication program at the University of California, Santa Cruz. She specializes in covering infectious diseases, public health, and microbes. 55 Comments

Friends in high places Trump and DOJ try to spring former county clerk Tina Peters from prison Trump directs DOJ to help secure release of Peters from Colorado prison. Jon Brodkin – May 6, 2025 4:14 pm | 73 Tina Peters on June 28, 2022, in Sedalia, Colorado. Credit: Getty Images | Marc Piscotty Tina Peters on June 28, 2022, in Sedalia, Colorado. Credit: Getty Images | Marc Piscotty Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more President Donald Trump is demanding the release of Tina Peters, a former election official who parroted Trump's 2020 election conspiracy theories and is serving nine years in prison for compromising the security of election equipment. In a post on Truth Social last night, Trump wrote that "Radical Left Colorado Attorney General Phil Weiser ignores Illegals committing Violent Crimes like Rape and Murder in his State and, instead, jailed Tina Peters, a 69-year-old Gold Star mother who worked to expose and document Democrat Election Fraud. Tina is an innocent Political Prisoner being horribly and unjustly punished in the form of Cruel and Unusual Punishment." Trump said he is "directing the Department of Justice to take all necessary action to help secure the release of this 'hostage' being held in a Colorado prison by the Democrats, for political reasons." The former Mesa County clerk was indicted in March 2022 on charges related to the leak of voting-system BIOS passwords and other confidential information. Peters was convicted in August 2024 and later sentenced in a Colorado state court. "Your lies are well-documented and these convictions are serious," 21st Judicial District Judge Matthew Barrett told Peters at her October 2024 sentencing. "I am convinced you would do it all over again. You are as defiant a defendant as this court has ever seen." DOJ reviews case for “abuse” of process After Peters' August 2024 conviction, Colorado Secretary of State Jena Griswold said that "Tina Peters willfully compromised her own election equipment trying to prove Trump's big lie." Peters appealed her conviction in a Colorado appeals court and separately sought relief in US District Court for the District of Colorado. She asked the federal court to order her release on bond while the state court system handles her appeal and said her health has deteriorated while being incarcerated. Trump's Justice Department submitted a filing on Peters' behalf in March, saying the US has concerns about "the exceptionally lengthy sentence imposed relative to the conduct at issue, the First Amendment implications of the trial court's October 2024 assertions relating to Ms. Peters, and whether Colorado's denial of bail pending appeal was arbitrary or unreasonable under the Eighth and Fourteenth Amendments." The DOJ urged the federal court to give "prompt and careful consideration" to Peters' petition and said the Peters case is being examined as part of a broader review of "abuses of the criminal justice process." The DOJ said its "review will include an evaluation of the State of Colorado's prosecution of Ms. Peters and, in particular, whether the case was 'oriented more toward inflicting political pain than toward pursuing actual justice or legitimate governmental objectives.'" State AG: Peters “believed she was above the law” Weiser responded in a March 11 filing that the Trump administration's intervention "appears to be a naked, political attempt to threaten or intimidate either this Court or the attorneys that prosecuted this matter," and that the US "cites not a single fact to support its baseless allegations that there are any reasonable concerns about Ms. Peters' prosecution or sentence, or that the prosecution was politically motivated in any way." The Weiser filing continued: While serving as the Clerk and Recorder of Mesa County, Ms. Peters deceived county employees to obtain credentials that allowed an unauthorized person to access Mesa County's voting system after the 2020 election. A Mesa County jury convicted Ms. Peters of three counts of attempt to influence a public servant, one count of conspiracy to commit criminal impersonation, and one count each of: first-degree official misconduct, violation of duty, and failure to comply with requirements of the Secretary of State. Ms. Peters sought an appeal bond, which the trial court denied because Ms. Peters demonstrated repeatedly that she believed she was above the law—from deceiving county employees, to violating the State's rules governing its election systems, to appearing (with a camera crew) at a voting site in violation of a protection order issued by the trial court. At no point during the proceedings did Ms. Peters exhibit any indication that she understood the gravity of her criminal conduct. Instead, even after her conviction, she reaffirmed her position that her conduct was justified by her conspiracy theories about the 2020 election. Weiser's brief said he is unaware of the US ever previously "filing a statement in a habeas application challenging the State of Colorado's criminal proceedings." Peters’ petition has a problem US Magistrate Judge Scott Varholak appears ready to dismiss some of Peters' claims because she hasn't exhausted potential remedies in state courts. Varholak yesterday wrote that Peters hasn't exhausted appeals for her claim "that she was denied due process under the Fourteenth Amendment" and her claim that "she was denied the right to immunity under the Supremacy Cause and Privileges and Immunities Clause." By contrast, Varholak found that Peters has exhausted her claim that the denial of bond pending appeal violated her First Amendment right to free speech. This makes her complaint in federal court a "mixed petition" that contains both unexhausted and exhausted claims. A mixed petition would have to be dismissed in its entirety, but Varholak said Peters can continue in federal court by dropping the unexhausted claims and going forward with the exhausted one. Doing so "likely will bar her from seeking review of the unexhausted claims in a second or successive application," he noted. Peters can alternatively "request a stay of this action while she attempts to exhaust the unexhausted claims in state court." Weiser's office said in a statement to Colorado Public Radio today that he will continue to fight the Trump administration. "Tina Peters is in prison because of her own actions," Weiser's statement said. "A grand jury indicted her and a trial jury found her guilty of breaking Colorado's criminal laws. No one is above the law. The Colorado Attorney General's Office will continue to defend this criminal conviction in post-conviction proceedings and on appeal. We are firm in pursuing justice for the people of the state of Colorado, protecting free and fair elections, and standing up for the rule of law." Jon Brodkin Senior IT Reporter Jon Brodkin Senior IT Reporter Jon is a Senior IT Reporter for Ars Technica. He covers the telecom industry, Federal Communications Commission rulemakings, broadband consumer affairs, court cases, and government regulation of the tech industry. 73 Comments

THE PEOPLE HAVE SPOKEN Jury orders NSO to pay $167 million for hacking WhatsApp users The verdict is a major victory for opponents of exploit sellers. Dan Goodin – May 6, 2025 8:26 pm | 10 Credit: Getty Images | the-lightwriter Credit: Getty Images | the-lightwriter Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more A jury has awarded WhatsApp $167 million in punitive damages in a case the company brought against Israel-based NSO Group for exploiting a software vulnerability that hijacked the phones of thousands of users. The verdict, reached Tuesday, comes as a major victory not just for Meta-owned WhatsApp but also for privacy- and security-rights advocates who have long criticized the practices of NSO and other exploit sellers. The jury also awarded WhatsApp $444 million in compensatory damages. Clickless exploit WhatsApp sued NSO in 2019 for an attack that targeted roughly 1,400 mobile phones belonging to attorneys, journalists, human-rights activists, political dissidents, diplomats, and senior foreign government officials. NSO, which works on behalf of governments and law enforcement authorities in various countries, exploited a critical WhatsApp vulnerability that allowed it to install NSO’s proprietary spyware Pegasus on iOS and Android devices. The clickless exploit worked by placing a call to a target's app. A target did not have to answer the call to be infected. “Today’s verdict in WhatsApp’s case is an important step forward for privacy and security as the first victory against the development and use of illegal spyware that threatens the safety and privacy of everyone,” WhatsApp said in a statement. “Today, the jury’s decision to force NSO, a notorious foreign spyware merchant, to pay damages is a critical deterrent to this malicious industry against their illegal acts aimed at American companies and the privacy and security of the people we serve.” NSO created WhatsApp accounts in 2018 and used them a year later to initiate calls that exploited the critical vulnerability on phones, which, among others, included 100 members of "civil society" from 20 countries, according to an investigation research group Citizen Lab performed on behalf of WhatsApp. The calls passed through WhatsApp servers and injected malicious code into the memory of targeted devices. The targeted phones would then use WhatsApp servers to connect to malicious servers maintained by NSO. After discovering the attack, WhatsApp shut them down with a software update that patched the critical vulnerability and notified target users that their devices had been hacked. In the weeks following, Facebook and WhatsApp also kicked NSO employees off their platforms. WhatsApp’s lawsuit was unprecedented at the time because it was among the first to take aim at the unregulated industry selling sophisticated malware services to governments around the world. NSO argued that it should be immune from such legal actions because it sold tools solely to licensed government intelligence and law-enforcement agencies for use in fighting terrorism, child sex abuse, and other serious crimes. The company said it barred customers from using the tools against human-rights activists, journalists, and dissidents. NSO also said it acted as a check against strongly encrypted platforms that could be used as a haven for criminals. Tuesday’s verdict—from a jury empaneled by the US District Court for the Northern District of California—is a sharp rebuke of NSO’s defense. “Turns out regular people don't like companies that help dictators hack dissidents,” John Scott-Railton, a senior researcher at Citizen Lab, wrote on Bluesky. “NSO had all the fancy legal arguments. And all the PR spin. But when their conduct got laid bare... the jury sent a massive Monsanto-style punitive damages signal. Other spyware companies: you may be next.” Besides setting a possible precedent for hacking victims and their technology providers, WhatsApp’s suit exposed NSO practices the company had long tried to keep secret. Last year, the judge hearing the case ordered NSO to reveal some of the source code that makes its products work. The litigation also exposed who some of NSO’s customers were and the location of many of the targeted WhatsApp users. NSO Group didn’t immediately respond to a request for comment. Dan Goodin Senior Security Editor Dan Goodin Senior Security Editor Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82. 10 Comments

Winged victory The company with the world’s largest aircraft now has a hypersonic rocket plane "Hypersonic systems are now pushing the envelope beyond what can be done by the human body." Stephen Clark – May 6, 2025 4:46 pm | 11 Stratolaunch's Talon-A2 rocket plane fires its 5,000-pound-thrust Hadley main engine, burning a mix of kerosene and liquid oxygen propellants. Credit: Stratolaunch/Julian Guerra Stratolaunch's Talon-A2 rocket plane fires its 5,000-pound-thrust Hadley main engine, burning a mix of kerosene and liquid oxygen propellants. Credit: Stratolaunch/Julian Guerra Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more Stratolaunch has finally found a use for the world's largest airplane. Twice in the last five months, the company launched a hypersonic vehicle over the Pacific Ocean, accelerated it to more than five times the speed of sound, and autonomously landed at Vandenberg Space Force Base in California. Stratolaunch used the same vehicle for both flights. This is the first time anyone in the United States has flown a reusable hypersonic rocket plane since the last flight of the X-15, the iconic rocket-powered aircraft that pushed the envelope of high-altitude, high-speed flight 60 years ago. Stratolaunch announced the results of its two most recent test flights Monday. In December and again in March, Stratolaunch's Talon-A2 rocket plane launched from the belly of an enormous carrier aircraft over the Pacific Ocean and flew several hundred miles to Vandenberg, a military spaceport about 140 miles northwest of Los Angeles. There, the aircraft touched down on a concrete runway that NASA and the Air Force once considered for Space Shuttle landings. Mach 5 or bust Zachary Krevor, president and CEO of Stratolaunch, spoke with Ars on Monday afternoon. He said the Talon test vehicle advances the capability lost with the retirement of the X-15 by flying autonomously. Like the Talon-A, the X-15 released from a carrier jet and ignited a rocket engine to soar into the uppermost layers of the atmosphere. But the X-15 had a pilot in command, while the Talon-A flies on autopilot. "Why the autonomous flight matters is because hypersonic systems are now pushing the envelope in terms of maneuvering capability, maneuvering beyond what can be done by the human body," Krevor said. "Therefore, being able to perform flights with an autonomous, reusable, hypersonic testbed ensures that these flights are exploring the full envelope of capability that represents what's occurring in hypersonic system development today." Stratolaunch's Talon-A is a little smaller than a school bus, or about half the size of the X-15. Stratolaunch's Talon-A2 vehicle lands at Vandenberg Space Force Base, California. Credit: Stratolaunch Stratolaunch performed the two recent Talon-A test flights under contract with Leidos, a defense contractor tapped by the Pentagon to manage the Multi-Service Advanced Capability Hypersonics Test Bed (MACH-TB) program for the Defense Department's Test Resource Management Center and Naval Surface Warfare Center. "Demonstrating the reuse of fully recoverable hypersonic test vehicles is an important milestone for MACH-TB," said George Rumford, director of the Test Resource Management Center, in a statement. "Lessons learned from this test campaign will help us reduce vehicle turnaround time from months down to weeks." Krevor said Talon-A carried multiple experiments on each mission but did not offer any details about the nature of the payloads, citing proprietary reasons and customer agreements. "We cannot disclose the nature of those payloads, other than to say typical materials, instrumentation, sensors, etc.," he said. "The customers were thrilled with their ability to recover the payloads shortly after landing." Stratolaunch completed the first powered flight of a Talon-A vehicle last year, when the rocket plane launched over the Pacific Ocean and fired its liquid-fueled Hadley engine—produced by Ursa Major—for about 200 seconds. The Talon-A1 vehicle accelerated to just shy of hypersonic speed, then fell into the sea as planned and was not recovered. That set the stage for Talon-A2's first flight in December. Military officials previously stated they set up the MACH-TB program to enable more frequent flight testing of hypersonic weapon technologies, including communication, navigation, guidance, sensors, and seekers. Stratolaunch aims for monthly flights of the Talon-A rocket plane by the end of the year and eventually wants to ramp up to weekly flights. "These flights are setting the stage now to increase the cadence of hypersonic flight testing in this country," Krevor said. "The ability to have a fully reusable hypersonic flight architecture enables a very high cadence of flight along with a lot of responsiveness. The DoD can call Stratolaunch if there's a priority program, and we can have a hypersonic flight next week, assuming the readiness of all the other technologies and payloads." Pentagon officials in 2022 set a goal of growing US capacity for hypersonic testing from 12 to 50 flight tests per year. Krevor believes Stratolaunch will play a key part in making that happen. Catching up So, why is hypersonic flight testing important? The Pentagon seeks to close what it views as a technological gap with China, which US officials acknowledge has become the world's leader in hypersonic missile development. Hypersonic weapons are more difficult than conventional missiles for aerial defense systems to detect, track, and destroy. Unlike ballistic missiles, hypersonic weapons ride at the top of the atmosphere, enhancing their maneuverability and ability to evade interceptors. Hypersonic flight is an unforgiving environment. Temperatures outside the Talon-A vehicle can reach up to 2,000° Fahrenheit (1,100° Celsius) as the plane plows through air molecules, Krevor said. He declined to disclose the duration, top speed, and maximum altitude of the December and March test flights but said the rocket plane performed a series of "high-G" maneuvers on the journey from its drop location to Vandenberg. Talon-A2 suspended underneath Stratolaunch's carrier aircraft. Credit: Stratolaunch/Brandon Lim Engineers know less about the conditions of the hypersonic flight regime (in excess of Mach 5) than they do about lower-speed supersonic flight or spaceflight. The only vehicles that regularly fly at hypersonic speeds are missiles, rockets, and spacecraft reentering the atmosphere. They spend just a short time flying in the hypersonic environment as they transition to and from space. There are two things you should know about hypersonic missiles. First, rockets have flown at hypersonic speeds since 1949, so when officials talk about hypersonic missiles, they are referring to vehicles that operate in the hypersonic flight environment, instead of just transiting through it. Second, hypersonic vehicles come in a couple of variations. One is a glide vehicle, which is accelerated by a conventional rocket to hypersonic speed, then steers itself toward its destination or target using aerodynamic forces. The other is a cruiser that can sustain itself in hypersonic flight using exotic propulsion, such as scramjet engines. The military recently tested an intermediate-range hypersonic weapon, known by the Army as Dark Eagle and by the Navy as Conventional Prompt Strike, using the glide vehicle architecture. The Army's version could be operational later this year. Meanwhile, the Air Force is working on a scramjet-powered hypersonic cruise missile, but it likely won't be ready for combat for a few more years. Not only must a vehicle operate in the extreme hypersonic flight regime, but any operational hypersonic weapon must be "affordable" and "manufactured at high rate," two Pentagon officials wrote in prepared testimony to the House Armed Services Committee last year. "Our goal is to enable the nation’s industrial base to manufacture hypersonic systems at a cost comparable to traditional weapon systems and at the capacity necessary to achieve a decisive advantage for the warfighter on the battlefield," the officials wrote. A test launch of the US Navy's Conventional Prompt Strike weapon occurred April 25 at Cape Canaveral, Florida. Credit: US Defense Department The Pentagon has spent about $12 billion on hypersonic weapons development and testing since 2018. None of the weapons are operational yet. All of these initiatives aim to match China's hypersonic capabilities. US officials believe China's first hypersonic weapon, using the glide vehicle architecture, became operational in 2019. Russia's government claimed it deployed a hypersonic weapon named Avangard the same year. China began testing a scramjet-powered hypersonic cruise missile in 2018. Paving the way The Pentagon's emphasis on hypersonic weapons is relatively new. After the X-15's final flight in 1968, the government lacked any major hypersonic flight test programs for several decades. NASA flew the autonomous X-43 test vehicle to hypersonic speed two times in 2004, and the Air Force demonstrated an air-breathing scramjet engine at Mach 5.1 with the X-51 Waverider aircraft in 2013. While some of the X-43 and X-51 test flights failed, they provided early-stage data on hypersonic propulsion systems that could power high-speed aircraft and missiles. But these were expensive government-led programs. Together, they cost nearly $1 billion in 2025 dollars, with only a handful of flight tests to show for it. The military now wants to lean heavier on commercial industry. Since its founding 14 years ago, Stratolaunch has pivoted its mission from the airborne launch of satellites to hypersonic testing. Stratolaunch was one of the first US launch companies to capitalize on the US military's growing interest in hypersonic technology. Rocket Lab now flies a suborbital version of its Electron satellite launcher to carry hypersonic experiments. ABL Space Systems, now known as Long Wall, last year announced it was walking away from the space launch business entirely to focus on hypersonic testing. The military's MACH-TB program offers a lucrative source of revenue for these rocket companies. Through its subsidiary Dynetics, the defense contractor Leidos manages the first phase of the MACH-TB program, which aims to develop and demonstrate commercial hypersonic test vehicles. In January, the Pentagon awarded a nearly $1.5 billion contract to Kratos Defense & Security Solutions for MACH-TB 2.0, which will transition the program from flight demonstrations to hypersonic test services. Stratolaunch and Rocket Lab will launch hypersonic experiments under MACH-TB 2.0, while a range of government, commercial, and academic institutions will develop the materials and technologies to be tested. Quilty Space, a space industry research firm, estimates the market for hypersonic testing is worth between $6 billion and $7 billion. This illustration from the Government Accountability Office compares the trajectory of a ballistic missile with those of a hypersonic glide vehicle and a hypersonic cruise missile. Credit: GAO It has taken a long time for Stratolaunch to find its footing. At one time, Stratolaunch partnered with SpaceX to use an air-launched version of the Falcon 9 rocket to deliver satellites to orbit. When that partnership fell through, Stratolaunch worked with Orbital Sciences, now part of Northrop Grumman, to design an air-launched rocket. Stratolaunch's founder, Microsoft billionaire Paul Allen, died in 2018, putting the company's future in doubt. Stratolaunch flew its huge carrier aircraft, named Roc, for the first time in April 2019 but ceased operations the following month. Cerberus Capital Management, a private equity firm, purchased Stratolaunch from Allen's heirs later that year and redirected the company's mission from space launch to hypersonic flight testing. Through it all, Stratolaunch continued flying Roc, a twin-fuselage airplane with a wingspan of 385 feet (117 meters). For a time, it appeared Roc might share a fate with Howard Hughes' "Spruce Goose" flying boat, which held the record as the airplane with the widest wingspan, until Roc (officially designated the Scaled Composites Model 351) took off for the first time in 2019. The Spruce Goose flew just once after its business prospects faded in the aftermath of World War II. Now, the Pentagon's hunger for hypersonic weapons seems likely to feed Stratolaunch's coffers for some time to come. The company is building a second rocket plane, Talon-A3, scheduled to enter service in the fourth quarter of this year. It will launch from a Boeing 747 carrier aircraft that Stratolaunch acquired from Virgin Orbit after it went bankrupt in 2023. The longer range of the 747 will allow Stratolaunch to stage hypersonic tests from other locations beyond the West Coast. Stephen Clark Space Reporter Stephen Clark Space Reporter Stephen Clark is a space reporter at Ars Technica, covering private space companies and the world’s space agencies. Stephen writes about the nexus of technology, science, policy, and business on and off the planet. 11 Comments

Green light go FAA green-lights Starship launches every other week from Starbase If SpaceX can clean up Starship's reliability issues, the company is free to fly. Eric Berger – May 6, 2025 2:46 pm | 30 Starship and Super Heavy stand 397 feet (121 meters) tall. Credit: Stephen Clark/Ars Technica Starship and Super Heavy stand 397 feet (121 meters) tall. Credit: Stephen Clark/Ars Technica Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more Although we are still waiting for SpaceX to signal when it will fly the Starship rocket again, the company got some good news from the Federal Aviation Administration on Tuesday. After a lengthy review, the federal agency agreed to allow SpaceX to substantially increase the number of annual launches from its Starbase launch site in South Texas. Previously, the company was limited to five launches, but now it will be able to conduct up to 25 Starship launches and landings during a calendar year. "The FAA has determined that modifying SpaceX’s vehicle operator license supporting the increased launch and landing cadence of the Starship/Super Heavy launch vehicle would not significantly impact the quality of the human environment," states the document, known as a Mitigated Finding of No Significant Impact. This finding was signed by Daniel P. Murray, executive director of the FAA's Office of Operational Safety. This ruling follows a draft finding issued six months ago that indicated this would be the final outcome. Assessing all of the impacts Among the impacts considered were increased trucking operations to deliver water and various propellants needed to support Starship launches. An earlier analysis by the FAA found that, to support a cadence of 25 launches a year, the vehicle presence on State Highway 4 to Boca Chica Beach will grow from an estimated 6,000 trucks a year to 23,771 trucks annually. Because of this, the FAA is requiring SpaceX to undertake dozens of mitigating actions. For example, for trucks, it has sought to reduce employee miles driven on the primary artery leading to the Starbase launch site. "The Proposed Action would increase annual truck traffic, but mitigation measures like employee shuttles and limiting water truck deliveries to daytime hours would help reduce traffic impacts to wildlife," the FAA document states. The FAA considered all manner of fish, wildlife, and environmental impacts, as well as those that could affect resources for residents of Brownsville and other nearby communities. For example, the FAA found that the increased water use would not affect supplies available for the area's residents. "While water use for launches would increase by 10.27 million gallons annually, this represents only 0.1% of the City of Brownsville’s 2018 usage and remains well within capacity," the document states. No firm date for flight test 9 Although the new finding permits SpaceX to significantly increase its flight rate from South Texas, the company still has work to do before it can fly Starship again. The company's engineers are still working to get the massive rocket back to flight after its eighth mission broke apart off the coast of Florida on March 6. This was the second time, in two consecutive missions, that the Starship upper stage failed during its initial phase of flight. The FAA is still investigating this mishap and has not yet issued a launch license for a ninth test flight. After two consecutive failures, there will be a lot riding on the next test flight of Starship. It will also be the first time the company attempts to fly a first stage of the rocket for a second time. The stage designated for the upcoming test flight, Super Heavy "Booster 14," flew successfully on the rocket's seventh test flight in January 2025. The upper stage, "Ship 35," has undergone test firings at Starbase, but there may have been some issues during this process. SpaceX has not definitively said the ship is ready to fly. However, according to some sources, if additional testing of this upper stage goes well, Starship could launch as early as May 19. This date is also supported by a notice to mariners, but it should be taken as notional rather than something to be confident in. Eric Berger Senior Space Editor Eric Berger Senior Space Editor Eric Berger is the senior space editor at Ars Technica, covering everything from astronomy to private space to NASA policy, and author of two books: Liftoff, about the rise of SpaceX; and Reentry, on the development of the Falcon 9 rocket and Dragon. A certified meteorologist, Eric lives in Houston. 30 Comments

GPU prices can't stay ridiculous forever, probably Nvidia’s RTX 5060 arrives on May 19 with a (hypothetical) $299 price tag New mainstream card has hardware upgrades but is still stuck with 8GB of RAM. Andrew Cunningham – May 6, 2025 12:27 pm | 0 Credit: Nvidia Credit: Nvidia Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more Nvidia will release the GeForce RTX 5060 on May 19 starting at $299, the company announced via press release today. The new card, a successor to popular past GPUs like the GTX 1060 and RTX 3060, will bring Nvidia's DLSS 4 and Multi Frame-Generation technology to budget-to-mainstream gaming builds—at least, it would if every single GPU launched by any company at any price wasn't instantly selling out these days. Nvidia announced a May release for the 5060 last month when it released the RTX 5060 Ti for $379 (8GB) and $429 (16GB). Prices for that card so far haven't been as inflated as they have been for the RTX 5070 on up, but the cheapest ones you can currently get are still between $50 and $100 over that MSRP. Unless Nvidia and its partners have made dramatically more RTX 5060 cards than they've made of any other model so far, expect this card to carry a similar pricing premium for a while. RTX 5060 Ti RTX 4060 Ti RTX 5060 RTX 4060 RTX 5050 (leaked) RTX 3050 CUDA Cores 4,608 4,352 3,840 3,072 2,560 2,560 Boost Clock 2,572 MHz 2,535 MHz 2,497 MHz 2,460 MHz Unknown 1,777 MHz Memory Bus Width 128-bit 128-bit 128-bit 128-bit 128-bit 128-bit Memory bandwidth 448GB/s 288GB/s 448GB/s 272GB/s Unknown 224GB/s Memory size 8GB or 16GB GDDR7 8GB or 16GB GDDR6 8GB GDDR7 8GB GDDR6 8GB GDDR6 8GB GDDR6 TGP 180 W 160 W 145 W 115 W 130 W 130 W Compared to the RTX 4060, the RTX 5060 adds a few hundred extra CUDA cores and gets a big memory bandwidth increase thanks to the move from GDDR6 to GDDR7. But its utility at higher resolutions will continue to be limited by its 8GB of RAM, which is already becoming a problem for a handful of high-end games at 1440p and 4K. Regardless of its performance, the RTX 5060 will likely become a popular mainstream graphics card, just like its predecessors. Of the Steam Hardware Survey's top 10 GPUs, three are RTX xx60-series desktop GPUs (the 3060, 4060, and 2060); the laptop versions of the 4060 and 3060 are two of the others. If supply of the RTX 5060 is adequate and pricing isn't out of control, we'd expect it to shoot up these charts pretty quickly over the next few months. Andrew Cunningham Senior Technology Reporter Andrew Cunningham Senior Technology Reporter Andrew is a Senior Technology Reporter at Ars Technica, with a focus on consumer tech including computer hardware and in-depth reviews of operating systems like Windows and macOS. Andrew lives in Philadelphia and co-hosts a weekly book podcast called Overdue. 0 Comments

the usual lack of foresight Trump’s attacks on green energy are big trouble for data centers, AI Without renewables, it's nearly impossible to meet growing power demand from AI. Martha Muir, Financial Times – May 6, 2025 9:26 am | 2 Credit: Ashley Cooper Credit: Ashley Cooper Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more The US data center industry has warned that the Trump administration’s crackdown on renewable energy could slow its growth and undermine Washington’s goal to win the global artificial intelligence race. Renewables have become a flashpoint since Donald Trump re-entered the White House, with his administration suspending clean energy developments on federal land, pausing federal loans and last month cancelling high-profile projects such as Equinor’s $5 billion Empire Wind site. For tech companies struggling to secure reliable energy supplies to power and train AI, a clampdown on renewables could create power bottlenecks, drive up costs and push operators towards dirtier energy, experts said. Simon Ninan, senior vice-president at Hitachi Vantara, which builds equipment and infrastructure for data centers, said the Trump administration’s “antagonistic approach” towards renewable energy could make it “impossible to satisfy the data growth that’s happening.” “Strategically, the US could risk undermining its current pole position in the global AI race . . . China, on the other hand, has taken a proactive approach towards grid modernisation and efficient power distribution.” Energy shortages could “result in cancellation or delays in data center build-outs or infrastructure upgrades,” he said. The Trump administration has warned that losing the AI race to China is a bigger threat to the world than global warming and has advocated increasing the use of fossil fuels to power them. But experts warn it will be difficult to meet surging demand without adding a lot more renewable energy capacity, which is faster and cheaper to deploy than building gas power plants. The assault on renewables has alarmed Democratic leaders in north-eastern states, which are relying on the expansion of wind energy to meet future electricity demand. On Monday a coalition of Democratic attorneys-general from 17 states sued the Trump administration in an effort to block its attempt to end the development of wind energy. Data centers are expected to add 83.7 gigawatt of energy demand by 2030, equivalent to adding a new state the size of Texas to the grid, according to the Center for Strategic and International Studies think-tank. While many companies are investing in nuclear small modular reactor technologies, it may be years before they are operational. “We’ve seen increased competition for green energy over the last couple of years,” said Nick Hertlein, a managing director at Stonepeak, an alternative investment firm specialising in infrastructure and real assets. “If US AI development is a priority, [policymakers] need to find ways to accommodate the data center industry’s growth.” While large-scale gas generation projects are being fast-tracked by major grid operators such as PJM, MISO and ERCOT, this may come at the expense of cheaper sources such as renewables. Gas turbine suppliers such as Siemens and GE Vernova have warned lead times can stretch to 2029 for larger models. “If we can’t bring on new, lower-cost resources when demand is increasing, we’ll have to rely more and more on higher-cost resources,” said Rich Powell, chief executive of the Clean Energy Buyers Association. “We just need to flood the zone with new electricity as quickly as we can.” Although big participants in the technology industry may be able to lobby the administration to “loosen up” restrictions on new power sources, small to medium-sized players were in a “holding pattern” as they waited to see if permitting obstacles and tariffs on renewables equipment were lifted, said Ninan. “On average, [operators] are most likely going to try to find ways of absorbing additional costs and going to dirtier sources,” he said. Amazon, which is the largest corporate purchaser of renewable energy globally, said carbon-free energy must remain an important part of the energy mix to meet surging demand for power, keep costs down and hit climate goals. “Renewable energy can often be less expensive than alternatives because there’s no fuel to purchase. Some of the purchasing agreements we have signed historically were ‘no brainers’ because they reduced our power costs,” said Kevin Miller, vice-president of Global Data Centers at Amazon Web Services. Efforts by state and local governments to stymie renewables could also hit the sector. In Texas—the third-largest US data center market after Virginia, according to S&P Global Market Intelligence—bills are being debated that increase regulation on solar and wind projects. “We have a huge opportunity in front of us with these data centers,” said Doug Lewin, president of Stoic Energy. “Virginia can only take so many, and you can build faster here, but any of these bills passing would kill that in the crib.” The renewables crackdown will make it harder for “hyperscale” data centers run by companies such as Equinix, Microsoft, Google and Meta to offset their emissions and invest in renewable energy sources. “Demand [for renewables] has reached an all-time high,” said Christopher Wellise, sustainability vice-president at Equinix. “So when you couple that with the additional constraints, there could be some near to midterm challenges.” Additional reporting Jamie Smyth. © 2025 The Financial Times Ltd. All rights reserved Not to be redistributed, copied, or modified in any way. Martha Muir, Financial Times Martha Muir, Financial Times 2 Comments

Materially different Google accidentally reveals Android’s Material 3 Expressive interface ahead of I/O Google published and then deleted details of the new Material 3 Expressive theme. Ryan Whitwam – May 5, 2025 3:54 pm | 91 Credit: Google Credit: Google Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more Google's accelerated Android release cycle will soon deliver a new version of the software, and it might look quite different from what you'd expect. Amid rumors of a major UI overhaul, Google seems to have accidentally published a blog post detailing "Material 3 Expressive," which we expect to see revealed at I/O later this month. Google quickly removed the post from its design site, but not before the Internet Archive saved it. It has been a few years since Google introduced any major changes to its Material theming, but the design team wasn't just sitting idly this whole time. According to the leaked blog post, Google has spent the past three years working on a more emotionally engaging vision for Android design. While the original Material Design did an admirable job of leveraging colors and consistent theming, it could make apps look too similar. The answer to that, apparently, is Material 3 Expressive. Material 3 Expressive aims to make the most important things easier to see and tap. Credit: Google Material 3 Expressive aims to make the most important things easier to see and tap. Credit: Google Google says this is "the most-researched update to Google’s design system, ever." The effort reportedly included 46 separate studies with hundreds of sample designs. The team showed these designs to more than 18,000 study participants to understand how the user experience would work. In these studies, the design team used a variety of metrics, including the following: Eye tracking: Analyzing where users focus their attention Surveys and focus groups: Gauging emotional responses to different designs Experiments: Gathering sentiment and preferences Usability: Seeing how quickly participants could understand and use an interface The result of all this is an interface that appears much more varied than the previous Material Design. The Internet Archive didn't snag most of the blog post's visuals, but 9to5Google saved them. The images include interesting elements, like a floating toolbar and larger, easier to tap buttons in certain areas where they won't interfere with other UI elements. There are a lot of attention-grabbing shapes and bold colors throughout the interface, but there's a reason it's like that. The experimental approach led to theming that reduces the time it takes people to notice and interact with important UI elements by as much as four times. On the flip side, not everyone uses apps the same way—if you are interested in different UI elements than Google, this could be frustrating. The youths love it. Credit: Google The youths love it. Credit: Google All those studies allegedly revealed that people prefer Material 3 Expressive to the old version. However, that preference varies greatly with age. Zoomers apparently like Material 3 Expressive a lot, with over 80 percent of younger folks saying it was better than the non-expressive design. That drops to 52 percent by the time you get to the 55-plus age group. Yeah, change can be scary. Google also says Material 3 Expressive was rated as subjectively "cooler" than old designs. One of many This leak confirms Android will get a stylish overhaul in version 16, but the benefits (and drawbacks) won't be shared equally. Android is open source, and other OEMs have their own priorities. They can choose to adopt elements of expressive design or not. Just because Google decrees it does not mean it is so. Depending on the phone you have, the update to Android 16 might not look all that visually different from Android 15. Google creates the open source code and closed-source Google bits, but licensees like Samsung and OnePlus take that and run with it to produce custom versions of the OS with their own branding. It's common to hear Samsung and OnePlus talk about One UI and Oxygen OS, respectively, but not so much about Android itself. Material 3 Expressive may bleed into these modified versions of Android, but you'll need a Google Pixel device for the full effect. Google's Pixel devices will have system elements attached to this theming system, and most of Google's apps will be updated to the new system at some point. If you've got another phone, you'll probably see much less of the expressive style. However, Motorola's Hello UI usually sticks pretty close to Google's material theming. Material 3 Expressive isn't just about the system UI or preloaded apps. Google will also make these design templates available to app developers who can support the bright, energetic theming for all phones. However, uptake of material design in apps has been modest so far. It's common to see apps that use a few material UI elements or color theming, but almost no one is running the full Google style. Google struggled for years to unify Android design aesthetics, but it never made much progress. While Material 3 Expressive looks very thoughtfully designed, it's unlikely it will see any more take-up than the company's previous attempts. Google's contracts with OEMs and its management of the Play Store have both come under legal scrutiny, so the company won't be able to use any heavy-handed tactics to encourage the adoption of Material 3 Expressive. Ryan Whitwam Senior Technology Reporter Ryan Whitwam Senior Technology Reporter Ryan Whitwam is a senior technology reporter at Ars Technica, covering the ways Google, AI, and mobile technology continue to change the world. Over his 20-year career, he's written for Android Police, ExtremeTech, Wirecutter, NY Times, and more. He has reviewed more phones than most people will ever own. You can follow him on Bluesky, where you will see photos of his dozens of mechanical keyboards. 91 Comments

As the twirl turns OpenAI scraps controversial plan to become for-profit after mounting pressure The nonprofit board will retain control, but now investor billions hang in the balance. Benj Edwards – May 5, 2025 4:18 pm | 47 Credit: Benj Edwards / OpenAI Credit: Benj Edwards / OpenAI Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more On Monday, ChatGPT-maker OpenAI announced it will remain under the control of its founding nonprofit board, scrapping its controversial plan to split off its commercial operations as a for-profit company after mounting pressure from critics. In an official OpenAI blog post announcing the latest restructuring decision, CEO Sam Altman wrote: "We made the decision for the nonprofit to stay in control after hearing from civic leaders and having discussions with the offices of the Attorneys General of California and Delaware." The move represents a significant shift in OpenAI's proposed restructuring. While the most recent previous version of the company's plan (which we covered in December) would have established OpenAI as a Public Benefit Corporation with the nonprofit merely holding shares and having limited influence, the revised approach keeps the nonprofit firmly in control of operations. Former employees and Elon Musk, a co-founder of OpenAI who later split with its leaders, had criticized the restructuring plan, saying it would remove important oversight of its technology. Musk filed a lawsuit seeking to block the plan, which is still ongoing. A judge recently agreed that Musk adequately pled that OpenAI breached an implied contract and then "unjustly retained the benefit" of his early investments in the company. While the ruling largely sustained Musk’s core complaint, OpenAI did get some claims dropped, including a claim that Musk was misled by public OpenAI statements that the court found he helped write. A plan that met significant resistance OpenAI originally announced its intention to pivot last September, when Reuters reported that the company was planning to restructure its core business into a for-profit benefit corporation that would no longer be controlled by its nonprofit board. The proposed change, spearheaded by Altman, would have ostensibly made OpenAI more attractive to investors while creating a more conventional corporate structure. Under that plan, Altman would have received equity—reportedly around 7 percent—for the first time, representing a significant departure from his previous stance of not taking equity in line with OpenAI's humanitarian mission. The restructuring would have also allowed OpenAI to remove the cap on returns for investors, potentially making the firm more appealing to venture capitalists, with the nonprofit arm continuing to exist but only as a minority stakeholder rather than maintaining governance control. This plan emerged as the company sought a funding round that would value it at $150 billion, which later expanded to the $40 billion round at a $300 billion valuation. However, the new change in course follows months of mounting pressure from outside the company. In April, a group of legal scholars, AI researchers, and tech industry watchdogs openly opposed OpenAI's plans to restructure, sending a letter to the attorneys general of California and Delaware. Former OpenAI employees, Nobel laureates, and law professors also sent letters to state officials requesting that they halt the restructuring efforts out of safety concerns about which part of the company would be in control of hypothetical superintelligent future AI products. "OpenAI was founded as a nonprofit, is today a nonprofit that oversees and controls the for-profit, and going forward will remain a nonprofit that oversees and controls the for-profit," he added. "That will not change." Uncertainty ahead While abandoning the restructuring that would have ended nonprofit control, OpenAI still plans to make significant changes to its corporate structure. "The for-profit LLC under the nonprofit will transition to a Public Benefit Corporation (PBC) with the same mission," Altman explained. "Instead of our current complex capped-profit structure—which made sense when it looked like there might be one dominant AGI effort but doesn't in a world of many great AGI companies—we are moving to a normal capital structure where everyone has stock. This is not a sale, but a change of structure to something simpler." But the plan may cause some uncertainty for OpenAI's financial future. When OpenAI secured a massive $40 billion funding round in March, it came with strings attached: Japanese conglomerate SoftBank, which committed $30 billion, stipulated that it would reduce its contribution to $20 billion if OpenAI failed to restructure into a fully for-profit entity by the end of 2025. Despite the challenges ahead, Altman expressed confidence in the path forward: "We believe this sets us up to continue to make rapid, safe progress and to put great AI in the hands of everyone." Benj Edwards Senior AI Reporter Benj Edwards Senior AI Reporter Benj Edwards is Ars Technica's Senior AI Reporter and founder of the site's dedicated AI beat in 2022. He's also a tech historian with almost two decades of experience. In his free time, he writes and records music, collects vintage computers, and enjoys nature. He lives in Raleigh, NC. 47 Comments

Tragically preventable Heartbreaking video shows deadly risk of skipping measles vaccine SSPE is rare but tragic—more so because it's completely vaccine-preventable. Beth Mole – May 5, 2025 7:50 pm | 34 A brightly colored transmission microscope image of measles viruses. Credit: Getty | BSIP A brightly colored transmission microscope image of measles viruses. Credit: Getty | BSIP Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more In a hard-to-watch video, a healthy-looking 4-year-old boy lies on a bed as doctors lift his eyelids to watch his big brown eyes erratically swirl and roll backward. His head jerks, and his little limbs weakly twitch and spasm. A small bit of foam pushes past his lips. The video, captured by neurologists in India and published today in JAMA Neurology, shows what it looks like when the measles virus is allowed to ravage a child's brain. (The video can be viewed here.) The boy was never vaccinated and developed a rare complication from measles called subacute sclerosing panencephalitis (SSPE). The condition occurs when the measles virus quietly sneaks into the central nervous system. It often lurks for years after an initial infection before it begins wreaking havoc, triggering damaging inflammation, destroying neurons, and causing brain lesions. SSPE is almost always fatal, and there is no treatment for it. After the video was taken, the boy continued to deteriorate. He will almost certainly die. His doctors captured the video with permission from the boy's father and a critical message: "Herein, we emphasize the importance of measles vaccination for children, as SSPE is typically fatal and yet also entirely preventable by vaccination." The poignant video and message could not come at a more critical time. Measles has resurged globally in the wake of the COVID-19 pandemic, and it's having a particularly notable revival in the US, where vaccination rates have slipped nationwide.  Many American communities have immunization rates below the threshold needed for herd immunity, and the country is currently seeing the largest outbreak in over a quarter-century. Modeling suggests that measles will once again become endemic. Meanwhile, the country's top health official, Robert F. Kennedy Jr., is an unswerving anti-vaccine advocate with a long history of spreading dangerous misinformation, which may spur vaccination rates to fall further. Measles risks The video of SSPE is a clear reminder of the devastation that measles can cause, and the risks parents take by not getting their children vaccinated. An uncomplicated measles infection causes intense fevers and a thoroughly miserable rash for several days. But complications are not that rare. In the US, 20 percent of children with measles will be hospitalized. Ten percent will develop diarrhea and/or an ear infection, which has the potential to cause hearing loss. One in 20 will develop pneumonia, and 1 in 1,000 will develop brain swelling—up to 3 in 1,000 will die of these respiratory and neurologic complications. Even when a child makes it through the acute phase of the infection, the risks aren't over. The measles virus can wipe out the immune system's memory of how to fight other germs—a phenomenon called "immune amnesia." This leaves children vulnerable to secondary infections for approximately two to three years after an infection. Then, there's SSPE. The neurologic condition is considered rare and is poorly understood. Researchers estimate that there are up to 11 SSPE cases per 100,000 measles cases. However, the risk of SSPE is higher for children who get infected before the age of 5, in which case it's 18 per 100,000 measles cases. SSPE doesn't develop immediately, it can take months to many years after an acute infection—the average is between seven to ten years post-infection. Experts don't entirely understand how it happens. Some evidence suggests that abnormal immune responses or mutations that the virus may acquire once inside neurons may play a role. What is clear is that the risk from measles far outweighs any risk posed by vaccination. Once SSPE develops, it moves through progressive stages, starting with mood swings, personality changes, depression, lethargy, and possibly fever and headache. This first stage can last up to six months. Then stage two involves jerking movement, spasms, loss of vision, dementia, and seizures. The third stage sees the jerking turn to writhing and rigidity. In the last stage, autonomic failure sets in—heart rate, blood pressure, and breathing become unregulated. Then comes coma and death. About 95 percent of SSPE cases are fatal. Tragic ending In the boy's case, his parents don't know when he was infected with measles. When doctors saw him, his parents recalled that in the prior six months, he had started having jerky movements, falls, and progressive cognitive decline. Before that, he had been healthy at birth and had been hitting all of his developmental milestones. In some ways, his decline was an unmistakable case of SSPE. Imaging showed lesions in his brain. He had elevated anti-measles antibodies in his cerebrospinal fluid. An electroencephalography (EEG) showed brain waves consistent with SSPE. Then, of course, there were the jerking motions and the cognitive decline. What stood out, though, was his rolling and swirling eyes. Vision problems are not uncommon with SSPE—sometimes the condition damages the retina and/or optic nerve. Some patients develop complete vision loss. But, in the boy's case, he developed rapid, repetitive, erratic, multidirectional eye movements, a condition called opsoclonus. Doctors often see it in brain cancer patients, but brain inflammation from some infections can also cause the movements. Experts hypothesize that the root cause is a loss of specialized neurons involved in coordinated movement, namely Purkinje cells and omnipause cells. The boy's neurologists believe this is the first time opsoclonus associated with SSPE has been caught on video. They treated the boy with an antiviral drug and drugs to reduce convulsions, but his condition continued to worsen. Beth Mole Senior Health Reporter Beth Mole Senior Health Reporter Beth is Ars Technica’s Senior Health Reporter. Beth has a Ph.D. in microbiology from the University of North Carolina at Chapel Hill and attended the Science Communication program at the University of California, Santa Cruz. She specializes in covering infectious diseases, public health, and microbes. 34 Comments

MEA CULPA Man pleads guilty to using malicious AI software to hack Disney employee Fake image-generating app allowed man to download 1.1TB of Disney-owned data. Dan Goodin – May 5, 2025 8:05 pm | 0 Credit: Getty Images | naruecha jenthaisong Credit: Getty Images | naruecha jenthaisong Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more A California man has pleaded guilty to hacking an employee of The Walt Disney Company by tricking the person into running a malicious version of a widely used open source AI image generation tool. Ryan Mitchell Kramer, 25, pleaded guilty to one count of accessing a computer and obtaining information and one count of threatening to damage a protected computer, the US Attorney for the Central District of California said Monday. In a plea agreement, Kramer said he published an app on GitHub for creating AI-generated art. The program contained malicious code that gave access to computers that installed it. Kramer operated using the moniker NullBulge. Not the ComfyUI you’re looking for According to researchers at VPNMentor, the program Kramer used was ComfyUI_LLMVISION, which purported to be an extension for the legitimate ComfyUI image generator and had functions added to it for copying passwords, payment card data, and other sensitive information from machines that installed it. The fake extension then sent the data to a Discord server that Kramer operated. To better disguise the malicious code, it was folded into files that used the names OpenAI and Anthropic. Two files automatically downloaded by ComfyUI_LLMVISION, as displayed by a user's Python package manager. Credit: VPNMentor The Disney employee downloaded ComfyUI_LLMVISION in April 2024. After gaining unauthorized access to the victim’s computer and online accounts, Kramer accessed private Disney Slack channels. In May, he downloaded roughly 1.1 terabytes of confidential data from thousands of the channels. In early July, Kramer contacted the employee and pretended to be a member of a hacktivist group. Later that month, after receiving no reply from the employee, Kramer publicly released the stolen information, which, besides private Disney material, also included the employee’s bank, medical, and personal information. In the plea agreement, Kramer admitted that two other victims had installed ComfyUI_LLMVISION, and he gained unauthorized access to their computers and accounts as well. The FBI is investigating. Kramer is expected to make his first court appearance in the coming weeks. Dan Goodin Senior Security Editor Dan Goodin Senior Security Editor Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82. 0 Comments

Lousy Smarsh weather Signal clone used by Trump official stops operations after report it was hacked Mike Waltz needs to find a new app. Jon Brodkin – May 5, 2025 5:37 pm | 29 National Security Advisor Michael Waltz looks at his phone as he prepares for a TV interview at the White House on May 01, 2025 in Washington, DC. Credit: Getty Images | Andrew Harnik National Security Advisor Michael Waltz looks at his phone as he prepares for a TV interview at the White House on May 01, 2025 in Washington, DC. Credit: Getty Images | Andrew Harnik Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more A messaging service used by former National Security Advisor Mike Waltz has temporarily shut down while the company investigates an apparent hack. The messaging app is used to access and archive Signal messages, but is not made by Signal itself. 404 Media reported yesterday that a hacker stole data "from TeleMessage, an obscure Israeli company that sells modified versions of Signal and other messaging apps to the US government to archive messages." 404 Media interviewed the hacker and reported that the data stolen "contains the contents of some direct messages and group chats sent using [TeleMessage's] Signal clone, as well as modified versions of WhatsApp, Telegram, and WeChat." TeleMessage is based in Israel and was acquired in February 2024 by Smarsh, a company headquartered in Portland, Oregon. Smarsh provided a statement to Ars today saying it has temporarily shut down all TeleMessage services. "TeleMessage is investigating a recent security incident," the statement said. "Upon detection, we acted quickly to contain it and engaged an external cybersecurity firm to support our investigation. Out of an abundance of caution, all TeleMessage services have been temporarily suspended. All other Smarsh products and services remain fully operational." Last week, Waltz was photographed using the TeleMessage Signal app on his phone during a White House cabinet meeting. Waltz's ability to secure sensitive government communications has been in question since he inadvertently invited The Atlantic Editor-in-Chief Jeffrey Goldberg to a Signal chat in which top Trump administration officials discussed a plan for bombing Houthi targets in Yemen. Waltz was removed from his post late last week, with Trump nominating him to serve as ambassador to the United Nations. TeleMessage website removes Signal mentions The TeleMessage website until recently boasted the ability to "capture, archive and monitor mobile communication" through text messages, voice calls, WhatsApp, WeChat, Telegram, and Signal, as seen in an Internet Archive capture from Saturday. Another archived page says that TeleMessage "captures and records Signal calls, messages, deletions, including text, multimedia, [and] files," and "maintain[s] all Signal app features and functionality as well as the Signal encryption." The TeleMessage home page currently makes no mention of Signal, and links on the page have been disabled. The anonymous hacker who reportedly infiltrated TeleMessage told 404 Media that it took about 15 to 20 minutes and "wasn't much effort at all." While the hacker did not obtain Waltz's messages, "the hack shows that the archived chat logs are not end-to-end encrypted between the modified version of the messaging app and the ultimate archive destination controlled by the TeleMessage customer," according to 404 Media. "Data related to Customs and Border Protection (CBP), the cryptocurrency giant Coinbase, and other financial institutions are included in the hacked material, according to screenshots of messages and backend systems obtained by 404 Media," the report said. 404 Media added that the "hacker did not access all messages stored or collected by TeleMessage, but could have likely accessed more data if they decided to, underscoring the extreme risk posed by taking ordinarily secure end-to-end encrypted messaging apps such as Signal and adding an extra archiving feature to them." Jon Brodkin Senior IT Reporter Jon Brodkin Senior IT Reporter Jon is a Senior IT Reporter for Ars Technica. He covers the telecom industry, Federal Communications Commission rulemakings, broadband consumer affairs, court cases, and government regulation of the tech industry. 29 Comments

BEWARE OF PICKPOCKETS AND HACKED SITES Hundreds of e-commerce sites hacked in supply-chain attack Attack that started in April and remains ongoing runs malicious code on visitors' devices. Dan Goodin – May 5, 2025 3:05 pm | 7 Credit: Getty Images Credit: Getty Images Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more Hundreds of e-commerce sites, at least one owned by a large multinational company, were backdoored by malware that executes malicious code inside the browsers of visitors, where it can steal payment card information and other sensitive data, security researchers said Monday. The infections are the result of a supply-chain attack that compromised at least three software providers with malware that remained dormant for six years and became active only in the last few weeks. At least 500 e-commerce sites that rely on the backdoored software were infected, and it’s possible that the true number is double that, researchers from security firm Sansec said. Among the compromised customers was a $40 billion multinational company, which Sansec didn’t name. In an email Monday, a Sansec representative said that “global remediation [on the infected customers] remains limited.” Code execution on visitors’ machines The supply chain attack poses a significant risk to the thousands or millions of people visiting the infected sites, because it allows attackers to execute code of their choice on ecommerce site servers. From there, the servers run info-stealing code on visitor machines. “Since the backdoor allows uploading and executing arbitrary PHP code, the attackers have full remote code execution (RCE) and can do essentially anything they want,” the representative wrote. “In nearly all Adobe Commerce/Magento breaches we observe, the backdoor is then used to inject skimming software that runs in the user's browser and steals payment information (Magecart).” The three software suppliers identified by Sansec were Tigren, Magesolution (MGS), and Meetanshi. All three supply software that’s based on Magento, an open source e-commerce platform used by thousands of online stores. A software version sold by a fourth provider named Weltpixel has been infected with similar code on some of its customers' stores, but Sansec so far has been unable to confirm whether it was the stores or Weltpixel that were hacked. Adobe has owned Megento since 2018. The Sansec representative said that as of Monday, both Tigren and Magesolution continued to distribute backdoored versions of their software to customers. Meetanshi, the representative added, has denied “any tampering but admits to being hacked.” Tigren, Magesolution, and Meetanshi didn’t respond to questions sent by email and contact forms on their sites. Attempts to reach Weltpixel were unsuccessful. Sansec said that any e-commerce site that relies on software from one of the vendors should carefully inspect their platforms for signs of infection. One of the easiest ways to spot the malicious code is looking for a function added to it that executes a file named $licenseFile as PHP code. protected function adminLoadLicense($licenseFile) { // ... $data = include_once($licenseFile); // ... } The backdoor code checks for a secret key in incoming Web requests and when presented gives the key holder the ability to run commands on the e-commerce server. Once $licenseFile runs, it initiates a chain of additional functions that eventually execute malicious PHP code on the machines of site visitors. Sansec’s post, linked above, provides additional details admins can use to determine if they’re infected. In all, Sansec identified 21 extensions from the three providers that have been infected. They are: Vendor Package Tigren Ajaxsuite Tigren Ajaxcart Tigren Ajaxlogin Tigren Ajaxcompare Tigren Ajaxwishlist Tigren MultiCOD Meetanshi ImageClean Meetanshi CookieNotice Meetanshi Flatshipping Meetanshi FacebookChat Meetanshi CurrencySwitcher Meetanshi DeferJS MGS Lookbook MGS StoreLocator MGS Brand MGS GDPR MGS Portfolio MGS Popup MGS DeliveryTime MGS ProductTabs MGS Blog One of the biggest mysteries surrounding Sansec’s discovery is how the malware that kicked off the supply-chain attack managed to remain dormant and undetected for six years before coming to life. These sorts of delayed backdoors are a rarity. Sansec said it’s still investigating. Dan Goodin Senior Security Editor Dan Goodin Senior Security Editor Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at here on Mastodon and here on Bluesky. Contact him on Signal at DanArs.82. 7 Comments

"We will not be relaunching" Largest deepfake porn site shuts down forever Unknown hero pulls the plug on biggest AI porn platform. Ashley Belanger – May 5, 2025 11:41 am | 11 Credit: Marco_Piunti | E+ Credit: Marco_Piunti | E+ Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more The most popular online destination for deepfake porn shut down permanently this weekend, 404 Media reported. "Mr. Deepfakes" drew a swarm of toxic users who, researchers noted, were willing to pay as much as $1,500 for creators to use advanced face-swapping techniques to make celebrities or other targets appear in non-consensual pornographic videos. At its peak, researchers found that 43,000 videos were viewed more than 1.5 billion times on the platform. The videos were generated by nearly 4,000 creators, who profited from the unethical—and now illegal—sales. But as of this weekend, none of those videos are available to view, and the forums where requests were made for new videos went dark, 404 Media reported. According to a notice posted on the platform, the plug was pulled when "a critical service provider" terminated the service "permanently." "Data loss has made it impossible to continue operation," Mr. Deepfakes confirmed, while warning not to trust any impostor platforms that pop up in its absence. "We will not be relaunching. Any website claiming this is fake. This domain will eventually expire and we are not responsible for future use. This message will be removed around one week." It remains unclear exactly which service cut off Mr. Deepfakes, but researchers noted that among the "most crucial components" that deepfake creators needed to keep generating the content was "free-tier cloud GPU access" provided through Google Colab notebooks. Google did not immediately respond to Ars' request to comment on whether that access was recently yanked. Downfall follows Take It Down Act passing The downfall of Mr. Deepfakes comes just after Congress passed the Take It Down Act, which makes it illegal to create and distribute non-consensual intimate imagery (NCII), including synthetic NCII generated by artificial intelligence. Any platform notified of NCII has 48 hours to remove it or else face enforcement actions from the Federal Trade Commission. Enforcement won't kick in until next spring, but the service provider may have banned Mr. Deepfakes in response to the passing of the law. Last year, Mr. Deepfakes preemptively started blocking visitors from the United Kingdom after the UK announced intentions to pass a similar law, Wired reported. The shuttering of Mr. Deepfakes won't solve the problem of deepfakes, though. In 2022, the number of deepfakes skyrocketed as AI technology made the synthetic NCII appear more realistic than ever, prompting an FBI warning in 2023 to alert the public that the fake content was being increasingly used in sextortion schemes. But the immediate solutions society used to stop the spread had little impact. For example, in response to pressure to make the fake NCII harder to find, Google started downranking explicit deepfakes in search results but refused to demote platforms like Mr. Deepfakes unless Google received an unspecified "high volume of removals for fake explicit imagery." According to researchers, Mr. Deepfakes—a real person who remains anonymous but reportedly is a 36-year-old hospital worker in Toronto—created the engine driving this spike. His DeepFaceLab quickly became "the leading deepfake software, estimated to be the software behind 95 percent of all deepfake videos and has been replicated over 8,000 times on GitHub," researchers found. For casual users, his platform hosted videos that could be purchased, usually priced above $50 if it was deemed realistic, while more motivated users relied on forums to make requests or enhance their own deepfake skills to become creators. Mr. Deepfakes' illegal trade began on Reddit but migrated to its own platform after a ban in 2018. There, thousands of deepfake creators shared technical knowledge, with the Mr. Deepfakes site forums eventually becoming "the only viable source of technical support for creating sexual deepfakes," researchers noted last year. Having migrated once before, it seems unlikely that this community won't find a new platform to continue generating the illicit content, possibly rearing up under a new name since Mr. Deepfakes seemingly wants out of the spotlight. Back in 2023, researchers estimated that the platform had more than 250,000 members, many of whom may quickly seek a replacement or even try to build a replacement. Further increasing the likelihood that Mr. Deepfakes' reign of terror isn't over, the DeepFaceLab GitHub repository—which was archived in November and can no longer be edited—remains available for anyone to copy and use. 404 Media reported that many Mr. Deepfakes members have already connected on Telegram, where synthetic NCII is also reportedly frequently traded. Hany Farid, a professor at UC Berkeley who is a leading expert on digitally manipulated images, told 404 Media that "while this takedown is a good start, there are many more just like this one, so let’s not stop here." Ashley Belanger Senior Policy Reporter Ashley Belanger Senior Policy Reporter Ashley is a senior policy reporter for Ars Technica, dedicated to tracking social impacts of emerging policies and new technologies. She is a Chicago-based journalist with 20 years of experience. 11 Comments

Amos-6, revisited SpaceX pushed “sniper” theory with the feds far more than is publicly known "It came out of nowhere, and it was really violent." Eric Berger – May 5, 2025 7:00 am | 9 The Amos 6 satellite is lost atop a Falcon 9 rocket. Credit: USLaunchReport The Amos 6 satellite is lost atop a Falcon 9 rocket. Credit: USLaunchReport Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more The rocket was there. And then it decidedly was not. Shortly after sunrise on a late summer morning nearly nine years ago at SpaceX's sole operational launch pad, engineers neared the end of a static fire test. These were still early days for their operation of a Falcon 9 rocket that used super-chilled liquid propellants, and engineers pressed to see how quickly they could complete fueling. This was because the liquid oxygen and kerosene fuel warmed quickly in Florida's sultry air, and cold propellants were essential to maximizing the rocket's performance. On this morning, September 1, 2016, everything proceeded more or less nominally up until eight minutes before the ignition of the rocket's nine Merlin engines. It was a stable point in the countdown, so no one expected what happened next. "I saw the first explosion," John Muratore, launch director for the mission, told me. "It came out of nowhere, and it was really violent. I swear, that explosion must have taken an hour. It felt like an hour. But it was only a few seconds. The second stage exploded in this huge ball of fire, and then the payload kind of teetered on top of the transporter erector. And then it took a swan dive off the top rails, dove down, and hit the ground. And then it exploded." The dramatic loss of the Falcon 9 rocket and its Amos-6 satellite, captured on video by a commercial photographer, came at a pivotal moment for SpaceX and the broader commercial space industry. It was SpaceX's second rocket failure in a little more than a year, and it occurred as NASA was betting heavily on the company to carry its astronauts to orbit. SpaceX was not the behemoth it is today, a company valued at $350 billion. It remained vulnerable to the vicissitudes of the launch industry. This violent failure shook everyone, from the engineers in Florida to satellite launch customers to the suits at NASA headquarters in Washington, DC. As part of my book on the Falcon 9 and Dragon years at SpaceX, Reentry, I reported deeply on the loss of the Amos-6 mission. In the weeks afterward, the greatest mystery was what had precipitated the accident. It was understood that a pressurized helium tank inside the upper stage had ruptured. But why? No major parts on the rocket were moving at the time of the failure. It was, for all intents and purposes, akin to an automobile idling in a driveway with half a tank of gasoline. And then it exploded. This failure gave rise to one of the oddest—but also strangely compelling—stories of the 2010s in spaceflight. And we're still learning new things today. The “sniper” theory The lack of a concrete explanation for the failure led SpaceX engineers to pursue hundreds of theories. One was the possibility that an outside "sniper" had shot the rocket. This theory appealed to SpaceX founder Elon Musk, who was asleep at his home in California when the rocket exploded. Within hours of hearing about the failure, Musk gravitated toward the simple answer of a projectile being shot through the rocket. This is not as crazy as it sounds, and other engineers at SpaceX aside from Musk entertained the possibility, as some circumstantial evidence to support the notion of an outside actor existed. Most notably, the first rupture in the rocket occurred about 200 feet above the ground, on the side of the vehicle facing the southwest. In this direction, about one mile away, lay a building leased by SpaceX's main competitor in launch, United Launch Alliance. A separate video indicated a flash on the roof of this building, now known as the Spaceflight Processing Operations Center. The timing of this flash matched the interval it would take a projectile to travel from the building to the rocket. A sniper on the roof of a competitor's building—forget the Right Stuff, this was the stuff of a Mission: Impossible or James Bond movie. At Musk's direction, SpaceX worked this theory both internally and externally. Within the company, engineers and technicians actually took pressurized tanks that stored helium—one of these had burst, leading to the explosion—and shot at them in Texas to determine whether they would explode and what the result looked like. Externally, they sent the site director for their Florida operations, Ricky Lim, to inquire whether he might visit the roof of the United Launch Alliance building. SpaceX pursued the sniper theory for more than a month. A few SpaceX employees told me that they did not stop this line of inquiry until the Federal Aviation Administration sent the company a letter definitively saying that there was no gunman involved. It would be interesting to see this letter, so I submitted a Freedom of Information Act request to the FAA in the spring of 2023. Because the federal FOIA process moves slowly, I did not expect to receive a response in time for the book. But it was worth a try anyway. No reply came in 2023 or early 2024, when the final version of my book was due to my editor. Reentry was published last September, and still nothing. However, last week, to my great surprise and delight, I got a response from the FAA. It was the very letter I requested, sent from the FAA to Tim Hughes, the general counsel of SpaceX, on October 13, 2016. And yes, the letter says there was no gunman involved. However, there were other things I did not know—namely, that the FBI had also investigated the incident. The ULA rivalry One of the most compelling elements of this story is that it involves SpaceX's heated rival, United Launch Alliance. For a long time, ULA had the upper hand, but in recent years, it has taken a dramatic turn. Now we know that David would grow up and slay Goliath: Between the final rocket ULA launched last year (the Vulcan test flight on October 4) and the first rocket the company launched this year (Atlas V, April 28), SpaceX launched 90 rockets. Ninety. But it was a different story in the summer of 2016 in the months leading up to the Amos 6 failure. Back then, ULA was launching about 15 rockets a year, compared to SpaceX's five. And ULA was launching all of the important science missions for NASA and the critical spy satellites for the US military. They were the big dog, SpaceX the pup. In the early days of the Falcon 9 rocket, some ULA employees would drive to where SpaceX was working on the first booster and jeer at their efforts. And rivalry played out not just on the launch pad but in courtrooms and on Capitol Hill. After ULA won an $11 million block buy contract from the US Air Force to launch high-value military payloads into the early 2020s, Musk sued in April 2014. He alleged that the contract had been awarded without a fair competition and said the Falcon 9 rocket could launch the missions at a substantially lower price. Taxpayers, he argued, were being taken for a ride. Eventually, SpaceX and the Air Force resolved their claims. The Air Force agreed to open some of its previously awarded national security missions to competitive bids. Over time, SpaceX has overtaken ULA even in this arena. During the most recent round of awards, SpaceX won 60 percent of the contracts compared to ULA's 40 percent. So when SpaceX raised the possibility of a ULA sniper, it came at an incendiary moment in the rivalry, when SpaceX was finally putting forth a very serious challenge to ULA's dominance and monopoly. It is no surprise, therefore, that ULA told SpaceX's Ricky Lim to get lost when he wanted to see the roof of their building in Florida. “Hair-on-fire stuff” NASA officials were also deeply concerned by the loss of the Falcon 9 rocket in September 2016. The space agency spent much of the 2010s working with SpaceX and Boeing to develop, test, and fly spacecraft that could fly humans into space. These were difficult years for the space agency, which had to rely on Russia to get its astronauts into space. NASA also had a challenging time balancing costs with astronaut safety. Then rockets started blowing up. Consider this sequence from mid-2015 to mid-2016. In June 2015, the second stage of a Falcon 9 rocket carrying a cargo version of the Dragon spacecraft into orbit exploded. Less than two weeks later, NASA named four astronauts to its "commercial crew" cadre from which the initial pilots of Dragon and Starliner spacecraft would be selected. Finally, a little more than a year after this, a second Falcon 9 rocket upper stage exploded during flight. Video of CRS-7 launch and failure. Even as it was losing Falcon 9 rockets, SpaceX revealed that it intended to upend NASA's long-standing practice of fueling a rocket and then, when the vehicle reached a stable condition, putting crew on board. Rather, SpaceX said it would put the astronauts on board before fueling. This process became known as "load and go." NASA's safety community went nuts. "When SpaceX came to us and said we want to load the crew first and then the propellant, mushroom clouds went off in our safety community," Phil McAlister, the head of NASA's commercial programs, told me for Reentry. "I mean, hair-on-fire stuff. It was just conventional wisdom that you load the propellant first and get it thermally stable. Fueling is a very dynamic operation. The vehicle is popping and hissing. The safety community was adamantly against this." Amos-6 compounded these concerns. That's because the rocket was not shot by a sniper. After months of painful investigation and analysis, engineers determined the rocket was lost due to the propellant-loading process. In their goal of rapidly fueling the Falcon 9 rocket, the SpaceX teams had filled the pressurized helium tanks too quickly, heating the aluminum liner and causing it to buckle. In their haste to load super-chilled propellant onto the Falcon 9, SpaceX had found its speed limit. At NASA, it was not difficult to visualize astronauts in a Dragon capsule sitting atop an exploding rocket during propellant loading rather than a commercial satellite. Enter the FBI We should stop and appreciate the crucible that SpaceX engineers and technicians endured in the fall of 2016. They were simultaneously attempting to tease out the physics of a fiendishly complex failure; prove to NASA their exploding rocket was safe; convince safety officials that even though they had just blown up their rocket by fueling it too quickly, load-and-go was feasible for astronaut missions; increase the cadence of Falcon 9 missions to catch and surpass ULA; and, oh yes, gently explain to the boss that a sniper had not shot their rocket. So there had to be some relief when, on October 13, Hughes received that letter from Dr. Michael C. Romanowski, director of Commercial Space Integration at the FAA. According to this letter (see a copy here), three weeks after the launch pad explosion, SpaceX submitted "video and audio" along with its analysis of the failure to the FAA. "SpaceX suggested that in the company's view, this information and data could be indicative of sabotage or criminal activity associated with the on-pad explosion of SpaceX's Falcon 9," the letter states. This is notable because it suggests that Musk directed SpaceX to elevate the "sniper" theory to the point that the FAA should take it seriously. But there was more. According to the letter, SpaceX reported the same data and analysis to the Federal Bureau of Investigation in Florida. After this, the Tampa Field Office of the FBI and its Criminal Investigative Division in Washington, DC, looked into the matter. And what did they find? Nothing, apparently. "The FBI has informed us that based upon a thorough and coordinated review by the appropriate Federal criminal and security investigative authorities, there were no indications to suggest that sabotage or any other criminal activity played a role in the September 1 Falcon 9 explosion," Romanowski wrote. "As a result, the FAA considers this matter closed." The failure of the Amos-6 mission would turn out to be a low point for SpaceX. For a few weeks, there were non-trivial questions about the company's financial viability. But soon, SpaceX would come roaring back. In 2017, the Falcon 9 rocket launched a record 18 times, surpassing ULA for the first time. The gap would only widen. Last year, SpaceX launched 137 rockets to ULA's five. With Amos-6, therefore, SpaceX lost the battle. But it would eventually win the war—without anyone firing a shot. Eric Berger Senior Space Editor Eric Berger Senior Space Editor Eric Berger is the senior space editor at Ars Technica, covering everything from astronomy to private space to NASA policy, and author of two books: Liftoff, about the rise of SpaceX; and Reentry, on the development of the Falcon 9 rocket and Dragon. A certified meteorologist, Eric lives in Houston. 9 Comments