Thursday, April 11, 2024

VanMoof S5 e-bike review: too much, too late


A long list of features, but how many do you really need?

Update April 11th, 6:00AM ET: VanMoof stopped sales of the S5 and A5 series following its bankruptcy in 2023. The re-engineered e-bikes were put back on sale in April 2024 with several internal tweaks and a few new features. The original review has been updated below, and the score lowered from an 8 to a 6 to reflect the current competitive landscape.


“Sometimes you have to kill your darlings,” is a phrase used by designers to justify the removal of elements they find personally exciting but that fail to add value.

The last time I heard it was in April, 2022, when I rode pre-production versions of VanMoof’s new full-size S5 and smaller A5 electric bikes. The phrase was uttered by the company’s co-founder and former CEO Taco Carlier to justify the removal of VanMoof’s iconic matrix display for a new “Halo Ring” interface.

One year later and both e-bikes were finally being delivered, well after their original target of July 2022. They were priced much higher than VanMoof’s previous generation e-bikes — the VanMoof S3 / X3 — which were introduced for a rather remarkable price of $1,998 / €1,998 back in 2020. In hindsight, VanMoof was likely selling those bikes for a loss in order to gain market share, and the volume grab contributed to the company’s eventual bankruptcy.

The 2024 S5 and A5 have now been re-engineered by the company’s new owners, with new features and many internal tweaks to ensure robustness and ease of service.

But can a two-year-old e-bike priced at €3,298 still compete?

Although the S5 and A5 pedal-assisted e-bikes still look like VanMoofs with that extended top tube capped by front and rear lights, everything from the frame down to the chips and sensors has been re-engineered. First in 2022, when the company said that only a “handful of parts” were carried over from the troubled S3 and X3 models, then again in 2024 when the new owners evaluated reliability data to fix several shortcomings of the original SA5 e-bikes that were rushed into the sales channels for reasons that are now abundantly clear.

Here are some of the most notable changes:

  • New LED Halo Ring visual interfaces flanking both grips.
  • An integrated SP Connect phone mount (you provide the case) with USB-C charging port.
  • New almost completely silent Gen 5 front-hub motor with torque sensor and three-speed automatic e-shifter (the S3 / X3 had four-speed e-shifters).
  • New multi-function buttons have been added below the bell (next to left grip) and boost (next to right grip) buttons.
  • The boost button now offers more oomph with torque increasing to 68Nm from 59Nm.
  • The S5 frame which has been criticized for being too tall has been lowered by 5cm (2 inches) to better accommodate riders as tall as 165cm (5 feet, 5 inches), while the A5 caters to riders as tall as 155cm (5 feet, 1 inch) and allows for an easier step-through than the X3 it supersedes.
  • Low battery notification alerts, blinking brake-light indicator, and turn signals.

These join a very long list of standard features found on VanMoof e-bikes like a well designed and useful app, integrated Kick Lock on the rear wheel, baked in GPS tracking and Apple Find My support, hydraulic disc brakes, muscular city tires, bright integrated front and rear lights, mudguards, and kickstand. In 2024, however, the company discontinued VanMoof’s Peace of Mind insurance service which guaranteed recovery of stolen bikes.

The 2024 S5 and A5 e-bikes are launching with several improvements you can’t see, meant to solve known issues with the 2022 models and improve long-term durability. These include a new firmware release that fixes connectivity issues between the e-bike and smartphones, improved waterproofing, screws that don’t come loose as easily (notably at the brake lever), a reinforced motor bracket and longer connector to help ensure longevity and servicing, and a new saddle connector that won’t droop over time. But it’s still an e-bike made from lots and lots of proprietary parts that the company says are now in ample supply from its re-engineered supply chain.

VanMoof e-bikes now have integrated mounts and USB-C charging for your phone.

I’ve had one of the 2024 S5 e-bikes to use as my daily driver for the past two weeks. It looks and rides exactly the same as my review e-bike from a year ago. Still, it was delivered with a software issue that created a mechanical “pop” every 30 minutes or so when parked in my living room, as if the integrated Kick Lock was trying to disengage. It’s a very minor annoyance that didn’t affect usage, from what I can tell, and VanMoof says it’s a known but very rare issue. Nevertheless, it’s still concerning, given VanMoof’s messaging around re-engineering everything in the name of quality.

Back in 2023 when I first reviewed the S5, I picked up my dark gray (also available in light gray) VanMoof S5 loaner in March but I ran into a few issues that delayed publication. These included intermittent connectivity failures between the app and bike, a Kick Lock that didn’t always disengage, and an alarm that would briefly trigger for no apparent reason. Those issues were all corrected by an over-the-air firmware (v1.20) update released in mid-April before I could even report them back to VanMoof support.

I had mixed emotions about this. The S5 and A5 had just started shipping in quantity — albeit, eight months late — so you’d think they would have had time to sort out any issues in VanMoof’s new testing labs. That’s annoying given VanMoof’s history of initial quality issues and assurances provided by the company that they wouldn’t be repeated. Then again, premium e-bikes from companies like VanMoof are increasingly complex machines, and seeing the company solve issues so quickly was commendable.

One issue that wasn’t fixed at the time was idle battery drain, but VanMoof told me that a firmware update would solve it in “two weeks” time. In my case, the issue caused the idle S5’s battery to drain from 86 percent to 65 percent over a period of 10 days. Back in 2023, I generally lost about two percent charge each day whether I rode it or not.

Oh, and that 2023 e-bike required several firmware updates (v1.2.4 was my last). Annoyingly, the S5 plays a jaunty little tune the entire time the firmware is being installed. It was cute at first, my daughter even offered a little dance to go with it. But it takes five to 10 minutes, and after the first time you hear it, it’s just annoying and there’s no way to turn it off. It still does that in 2024, even at firmware v1.5.0 I tested.

Halo Ring in sunlight.
Halo Ring in low light.

Regarding new features, the Halo Rings next to each grip are the most visible change from previous VanMoofs. At least until you hit sunlight and those weak LEDs wash out almost completely. The Halo Rings are meant to show speed, charge remaining, current pedal-assist power level, and more through a series of light bars and animations. Overall they’re fine, if gimmicky, but I don’t have much of a need for status information when bicycling. I also didn’t miss the old top-tube matrix display.

Riding a 23kg / 50.7lbs VanMoof S5 feels like an S3 albeit with fewer shifts and a boost button that provides more torque when trying to pass someone or get an early jump off the line. The fifth generation 250W motor of VanMoof design is absolutely quiet, even at its top speed of 25km/h in Europe (which increases to 20mph in the US). And the new three-speed e-shifter does a better job of accurately finding the right gear than the S3’s four-speed e-shifter did. I still felt a few clinks and spinning pedals, especially when mashing down hard on the cranks when in a hurry. But overall the S5’s predictive shifting is much improved, especially when rolling along at a casual pace. Still, it’s not as smooth as the automatic shifters from Enviolo, for example, so there’s still work to be done.

It’s a shame VanMoof doesn’t offer a simple belt-drive option for its e-bikes. That coupled with the S5’s torquey boost button would obviate the need for any gears when riding in all but the most hilly environments.

As to range, VanMoof says I should be able to get 60km on full power mode. However, in 2023, I was only able to eke out 48.6km (30.2 miles) from the S5’s 487Wh battery when riding in full power mode and frequently pressing the boost button, in temperatures that ranged from freezing to 15C (59F). That’s about the same range I got when testing the VanMoof S3 — 47 km (29.2 miles) — and its bigger 504Wh battery. VanMoof claims the 2024 S5 and A5 models use the battery more efficiently but I wasn’t able to confirm this.

The battery can be charged from zero to 100 percent in 6 hours and 30 minutes via the included charger — that’s slow, but it’s also good for the long-term health of that expensive battery.

I had been wondering how VanMoof would use the new multifunction buttons located just below the bell and boost buttons. The small button on the right (below the boost) can be configured to change your motor power on the fly with a press or hold it to indicate a right turn (by flashing the right half of the rear light). The left button (below the bell) makes your front lights flash rapidly when pressed, akin to a BMW driver bearing down upon you on the autobahn. It can also be configured as a left turn indicator when held, with an accompanying — and slightly embarrassing — sound effect. All of these features tick boxes on marketing sheets but aren’t very useful in everyday usage. The company promises more features in the future via software updates to the firmware and app.

And since this is a VanMoof, the battery is integrated and can only be removed during maintenance. The new VanMoof selling the 2024 S5 and A5 has no plans to re-introduce the “click-on” version (no velcro!) of its extended battery that could have been charged inside the home.

The dark gray VanMoof S5: too complex for its own good?

I’ve had a nagging concern about VanMoof e-bikes for the last few years that I even mentioned in the S3 review. Are they getting too complex for their own good?

Electric bikes — especially commuter e-bikes like the S5 — are subjected to daily wear and tear in all kinds of weather conditions. Even basic bikes are difficult to maintain when used everyday and VanMoof’s e-bikes are expensive rolling computers.

Honestly, I could do without the fancy automatic chain-driven three-speed shifter, superfluous multifunction buttons, programmable electronic bell, Halo Ring interface, Apple tracking, and perky sounds for startup, shutdown, and firmware updates. Give me one gear and a maintenance-free belt drive alongside that torquey boost button on a pedal-assisted e-bike that will get me back and forth to my office every day, no matter what, in style and without fail. But that’s not the S5.

Don’t get me wrong, the VanMoof S5 is a very good electric bike with a longer feature list than any other e-bike I can name. But the brand is now owned by an untested company using an untested partner network of third-party sales and service centers. And since most S5 / A5 parts are only available from VanMoof, you’d better make sure a sales and service center is nearby if you’re interested in buying.

The VanMoof S5 is currently €599 more expensive than the comparable Cowboy Cruiser and the same price as the better Veloretti Ace 2 (€3,299). Viewed in those terms, VanMoof’s pricing is too high.

As good as the S5 is, the feature set is verging on gimmickry, in my opinion. They’re cute and entertaining, sure. But many just aren’t needed for regular commuters. The S5 has too many darlings, and not enough killing.

All photography by Thomas Ricker / The Verge

Computer Theorist Wins $1 Million Turing Award

This year’s honor will go to Avi Wigderson, an Israeli-born mathematician and theoretical computer scientist who specializes in randomness.

Tuesday, April 9, 2024

In the first Joker: Folie à Deux trailer, twisted love wins


You might know the broad strokes of the Joker and Harley Quinn’s twisted romance from Batman: The Animated Series and other DC projects. But the first trailer for Joker: Folie à Deux makes it seem like director Todd Phillips is doing something very different with his musical take on the characters.

Arthur Fleck (Joaquin Phoenix) is still locked up in Arkham in Folie à Deux’s new trailer, and it seems as if the events from the previous film have led to his being put under an increased amount of supervision. The Asylum looks like a lonely, bleak place as Arthur’s marched around by armed guards. But there’s hope in Arthur’s eyes when he crosses paths with fellow inmate Harleen Quinzel (Lady Gaga).

Though the trailer features a handful of shots suggesting that Arthur will end up back on Gotham’s streets, the real emphasis is on how Harley and Arthur’s meeting will lead them into musical flights of fancy that appear to be heightened escapes from reality. Waltzing across rooftops, headlining nightclubs, and hosting TV shows are all very much the kinds of things Harley and the Joker get up to in DC’s comics. But the trailer obfuscates how much of what is happening is real, and how much of it might just be happening in Arthur’s head.

The trailer definitely makes Joker: Folie à Deux look like it’ll be a novel spin on its two lead characters. But Warner Bros. really needs to stop playing coy, and just let us hear Harley and the Joker sing already. The sequel hits theaters on October 4th.

Cruise will resume robotaxi tests after one of its cars ran someone over

Cruise will look to get its driverless cars under control before it takes on new passengers. | Getty

Cruise has announced that it’s resuming tests for its fleet of self-driving taxis in Phoenix, Arizona, though not with passengers just yet. The autonomous vehicle maker says it will start with humans behind the wheel, with no passengers and no autonomous driving mechanisms engaged.

In California, lawmakers banned the GM subsidiary from operating its vehicles in the state after one of them ran over a San Francisco pedestrian and dragged them over 20 feet in October, after another vehicle threw the victim into the robotaxi’s path. That was just weeks after another incident where one of Cruise’s vehicles collided with a fire truck after failing to properly yield to the truck’s emergency signals.

The company’s been dealing with the fallout ever since; Cruise first paused operations nationwide and issued a software update to 950 of its vehicles to change how the cars respond to crash events, amidst multiple investigations into the incidents. They’ve caused something of a mass exodus in the company, starting with then CEO and co-founder Kyle Vogt and nine other leaders. Cruise also laid off 24 percent of its workforce shortly after.

Cruise says its intent with renewed testing is to help improve its systems by collecting more road data to continue feeding its machine learning model, and that it hopes to eventually resume human-supervised autonomous tests in Phoenix. It picked the city, it says, based on its “strong history” of supporting automotive innovation and because many of its employees reside there.

Cruise has a lot of work ahead to prove that its driverless cars are ready to fully return to the road. To our knowledge, California hasn’t lifted the original ban it imposed, though the state has apparently made the company’s path to redemption clear. “The DMV has provided Cruise with the steps needed to apply to reinstate its suspended permits,” the California Department of Motor Vehicles wrote last October. Addressing those concerns, whatever they are, would be a big step toward establishing some goodwill.

Ted Cruz hosts a podcast for free — a Ted Cruz super PAC gets paid

Photo by Nathan Howard / Getty Images

This is Hot Pod, The Verge’s newsletter about podcasting and the audio industry.


I hope you all had a great weekend/eclipse/first moment of NYC sunshine. Today, I’ve got a look at Ted Cruz’s eyebrow-raising arrangement with iHeart and news on two new acquisitions. Let’s get into it.

iHeart doesn’t pay Ted Cruz for hosting Verdict. It pays a Ted Cruz super PAC.

This is certainly one way to raise campaign money. Sen. Ted Cruz hosts an iHeartMedia podcast, Verdict, which performs reasonably well among right-wing political shows. He does not get paid for hosting the podcast, but reporting in recent weeks from Forbes and the Houston Chronicle shows that iHeart has paid more than $630,000 to a super PAC that supports his campaign. For good reason, this has raised eyebrows, and now a campaign finance watchdog has filed a complaint with the Federal Elections Commission.

This is how the transaction works: Ted Cruz’s leadership PAC, Jobs, Freedom, and Security PAC, produces Verdict. The show is then distributed and monetized by Premiere Networks, a subsidiary of iHeartMedia. Then, according to Premiere Networks, iHeart pays money made from the show’s ads to Truth and Courage PAC, an independent political action committee that supports Cruz’s reelection. “Senator Cruz volunteers his time to host this podcast and isn’t compensated for it,” Rachel Nelson, spokesperson for Premiere Networks, said in a statement to Hot Pod last week.

This is technically true in that paying the money into Truth and Courage is not the same as paying Cruz directly. But he clearly sees a personal benefit, and the Campaign Legal Center argues that it crosses the legal line. “There is reason to believe Cruz has violated federal campaign finance laws that prohibit federal candidates and officeholders from soliciting or directing ‘soft money’ — including money from corporations, which are categorically prohibited from contributing to candidates — in connection with his 2024 reelection efforts,” the group’s complaint reads. Nelson did not respond to a request for comment on the filing.

Cruz’s camp denies any wrongdoing. “Senator Cruz appears on Verdict three times a week for free. He does this to pull back the veil on the corrupt inner workings of Washington — none of which ever get fairly covered,” campaign spokesperson Macarena Martinez told Hot Pod in a statement.

How the FEC rules could have big implications for how politicians are able to leverage podcasting for fundraising purposes. The typical election-cycle relationship between campaigns and the big radio companies is that those campaigns buy up a lot of spots in local markets — it’s a transaction that financially benefits the radio company. But the Cruz situation flips that relationship on its head. Cruz gets the publicity while also making ad money that then gets funneled, if not to his official campaign, then to entities that support it. It’s not clear how replicable this would even be — Cruz is a star who can command a national audience and get ad dollars — but it does set a troubling precedent for the politics-media dynamic.

Behold! Podcast M&A: The Roost acquired by Night, Sony buys Neon Hum

Not so much of this these days. We have not one but two acquisitions announced this week. The Roost, which is the podcasting arm of the recently shuttered Rooster Teeth, has been purchased by influencer talent agency Night. Neon Hum, which previously had Sony Music as an investor, has been bought outright by the music giant. Notably, both companies offer something other than original content.

The Roost, which handles ad sales and distribution for The H3 Podcast and The Kinda Funny Podcast as part of its network, is the last pillar left standing of Rooster Teeth. Rooster Teeth was shut down last month by parent company Warner Bros. Discovery. The agency that is buying it, Night, represents digital stars like MrBeast and Kai Cenat, so it seems like a fit. Plus, Night’s president, Ezra Cooperstein, served as the president of Rooster Teeth between 2018 and 2019. In buying The Roost, Night has acquired a podcasting infrastructure that could be extended to its valuable roster of clients.

With Neon Hum, Sony is also broadening its reach. In addition to originals like Smoke Screen, Neon Hum produced shows for clients like NBC News and HBO Max. As companies scale back on their own podcast units, they turn to production houses like Neon Hum to maintain a podcast presence. In a similar vein, Audacy laid off Pineapple Street Studio staffers who worked on original shows with an intention to focus more on client services.

So, yes: podcast companies can still be acquisition targets, but increasingly, it is the less sexy stuff that sells.

That’s all for today! I’ll be back on Thursday.

Logitech’s new wireless keyboard targets pro gamers needing portability

The Logitech G Pro X 60 Lightspeed offers plentiful features in a compact form factor. | Image: Logitech

Logitech has announced the Pro X 60 Lightspeed, the first wireless gaming keyboard from the company to come in a compact 60 percent format. Available through the gaming-focused Logitech G sub-brand, the keyboard is available now for $179 in a choice of two GX optical switch types (tactile or linear) and three colors (black, white, or pink).

Positioned as a compact follow-up to Logitech’s G Pro X TKL Lightspeed, the Pro X 60 includes many of the same features. Users get three connectivity options: wired, using the included six-foot USB-C to USB-C charging cable, or wireless via Bluetooth or Logitech’s Lightspeed dongle, with the latter providing a polling rate of 1000Hz.

One key difference is that, unlike the Pro X TKL, the Pro X 60 isn’t a mechanical keyboard — it’s optical so the feel is different. Neither keyboard offers hot-swappable switches. Both the GX optical linear and tactile switch options for the Pro X 60 have a 1.8mm actuation point and 4mm travel distance, with an actuation force of 50g and 60g respectively.

Additional customizations for things like assigning macro shortcuts, lighting, and audio effects can be achieved via the new Keycontrol tool in Logitech’s G Hub software, with key re-mapping capable of giving each key up to 15 different functions. It also supports Logitech’s Lightsync RGB lighting, which is pre-programmed to a static blue out of the box to reduce distractions but can be customized to allow your choice of color and lighting sequences to shine through the Pro X 60’s dual-shot PBT keycaps. Battery life when connected via wireless Lightspeed with lighting enabled is around 65 hours on a full charge.

The Logitech G Pro X 60 also comes with a few quality-of-life features, such as a volume roller that’s in easy reach when fingers are positioned over the WASD keys, a Game Mode switch on the side that disables keys like the Windows key that might be distracting while gaming, and a carry case for taking the keyboard on the go. The main appeal here is that all these features and customizations are available in such a portable form factor — if you enjoy competitive gaming and travel frequently, this will be much easier to shove into a bag than a full-layout keyboard.

Monday, April 8, 2024

Elon Musk says his posts did more to ‘financially impair’ X than help it

Image: Kristen Radtke / The Verge; Getty Images

Elon Musk admitted that his posts on the platform formerly known as Twitter may have financially harmed the company in the long run, in a March 27th deposition made public on Monday by The Huffington Post. The billionaire also admitted to having a “limited understanding” of the lawsuit for which he was being deposed.

The 22-year-old Ben Brody sued Musk for defamation last fall, alleging that Musk pushed a conspiracy theory that falsely identified Brody as being involved in a fight between two far-right groups in Oregon. Musk’s attorney filed multiple requests to keep the transcript of his nearly two-hour testimony confidential, but they were denied by the judge.

At one point, Musk is asked by Brody’s attorney, Mark Bankston, about his purchase of Twitter and what impact it had on his usage of the site. Musk responded that he believed his posts had “really remained unchanged before and after the acquisition.” But he acknowledged that maintaining that attitude likely did X more harm than good.

“The — and going back to the sort of self-inflicted wounds, the Kevlar shoes, I think there’s — I’ve probably done — I may have done more to financially impair the company than to help it, but certainly I — I do not guide my posts by what is financially beneficial but by what I believe is interesting or important or entertaining to the public,” said the owner of X.

On multiple occasions, Musk expressed confusion over why Brody was pursuing litigation against him and basic details about the case. At one point he accused Bankston — Brody’s attorney — of performing a cash grab by pursuing the lawsuit. “My — what I want to think it’s really about is about you getting a lot of money,” said Musk.

The focus of the lawsuit is a series of tweets that Musk made last summer that promoted a far-right conspiracy theory that falsely linked Brody to an Oregon brawl between the Proud Boys and a local neo-Nazi group. Brody, who is based in California, bore a vague resemblance to a participant in the brawl. Online trolls quickly latched onto the theory that the brawl was a “false flag,” and that Brody was an undercover government agent. Musk engaged with users who were pushing this conspiracy theory on X, agreeing with their conclusions that the brawl was likely a staged incident. On June 27th, Musk replied to a post that contained a video of the fight and suggested that Brody was part of a “false flag” operation. In truth, Brody was falsely identified by online trolls as one of the men in the video.

“Looks like one is a college student (who wants to join the govt) and another is maybe an Antifa member, but nonetheless a probable false flag situation,” Musk tweeted.

That tweet was directly referenced by Brody’s attorney. Musk argued that his post didn’t have that much reach due to it merely being a reply.

“The replies get 100 times less attention than a primary tweet. So this was certainly not any attempt to generate advertising revenue. In fact, generally advertisers would not want to advertise with content that is contentious,” said Musk.

Given the size of Musk’s account and his public prominence, his reply, which still remains on the site, was viewed by over a million people, Brody’s attorney estimated.

“You do understand that the amount of people who saw this, who have viewed this tweet, is equivalent to all 30 major baseball stadiums filled to capacity?” asked Bankston.

But Musk claimed that Twitter had five to eight trillion views a year, and so a million views wasn’t significant on the platform.

“No big deal?” said Bankston.

“Hit or miss, yeah,” responded Musk.

“Not a big deal that this went out to so many people?”

“Correct. And more of a — this is kind of the thing where advertisers, when it’s contentious, will not advertise, which means we do not get revenue from it,” Musk responded.

Musk also admitted that he was the owner of an account called @ermnmusk in which he role-played as his own toddler son. Motherboard and several other outlets uncovered the mysterious account last year.

Musk also made it clear that he didn’t believe that Brody, who was forced to evacuate his home at one point, was “meaningfully harmed” due to the false accusations that he helped spread.

“People are attacked all the time in the media, online media, social media, but it is rare that that actually has a meaningful negative impact on their life,” said Musk.

Tesla Settles Lawsuit Over a Fatal Crash Involving Autopilot

A Tesla driver’s family had sought damages for the 2018 crash, which happened while the carmaker’s driver-assistance software was in use.

Can you watch a solar eclipse in the Apple Vision Pro?

Image: Apple

This morning, remembering I’d forgotten to order eclipse glasses, I wondered out loud: Would it be an absolutely awful idea to watch today’s solar eclipse on the Apple Vision Pro? I’m extremely not a camera expert, but I seem to recall that pointing a camera at the sun is bad. However, online answers vary widely, so I put the question to The Verge’s Emmy-winning senior video producer Becca Farsace.

Her answer was that the Vision Pro is expensive; it has a lot of cameras; and it isn’t worth the risk. She added: “Wes, you are a free soul! you can do whatever you please, but if I saw this on the internet I would be so mad that someone who spent that much money was out there doing this.”

She’s right; I am a free soul! Challenge accepted, Becca.

Here’s what the eclipse looks like in the Vision Pro.

Okay, okay, maybe a friend gave me a pair of eclipse glasses. Putting them over the Vision Pro’s cameras enabled my vile digital sungazing ambitions (which I had already chickened out of, by the way) without risking my very expensive headset.

So yes, you can look at the eclipse with the Vision Pro, so long as you don’t mind a big “Tracking Failed” error message popping up in the middle of your view, telling you it’s too dark out.

If you would also like to point a camera at the sun — eclipse or no — Becca has additional tips in the video below.

A24’s horror trilogy heads to the ’80s in first Maxxxine trailer

Image: A24

It’s shaping up to be a promising summer of horror. Last week, we got a first glimpse at Tilman Singer’s Cuckoo, which comes out in August, and this week is starting off with the first trailer for Ti West’s Maxxxine. The movie will round out a trilogy that kicked off in 2022 with the release of both X and its prequel Pearl; it hits theaters on July 5th.

As the title implies, the new movie follows aspiring actress Maxine Minx (Mia Goth) as she attempts to make it big in Hollywood in 1985 following the gruesome events of X. Much like Pearl before her (also played by Goth), she seems willing to do anything to make it happen. But bad news: a mysterious killer known as the “night stalker” is on the loose, complicating those plans.

Despite telling parts of the same story, each entry in West’s trilogy has had a completely different vibe. X introduced both Pearl and Maxine and was modeled after ’70s slasher movies. Pearl, meanwhile, was set a few decades earlier and had elements of The Wizard of Oz (only, you know, much darker). So Maxxxine naturally is very ’80s, from the music to the fashion.

In addition to Goth, it stars Elizabeth Debicki, Moses Sumney, Michelle Monaghan, Bobby Cannavale, Halsey, Lily Collins, Giancarlo Esposito, and Kevin Bacon.

Spotify’s latest AI feature builds playlists based on text descriptions

Spotify says it will continue working on its generative playlist feature “over the coming months.” | Image: Spotify / Verge

After experimenting with AI playlist generation in its DJ feature last year, Spotify is now launching a beta tool that allows users to create a curated tracklist based on text descriptions. Its new AI Playlist beta is initially rolling out to Spotify Premium subscribers on mobile devices in the United Kingdom and Australia.

Android and iOS users in those locations can find the AI Playlist generator by heading into “Your Library” and tapping the “+” button at the top-right of the page. After selecting the AI Playlist option from the drop-down menu, users can type in a prompt — such as “music to read to on a cold, rainy day” — to get a playlist of 30 songs that match that vibe. The results can be tweaked using additional prompts like “more sad music” until the user is satisfied with the playlist, at which point it can be saved by tapping “create” at the top right.

Four mobile devices showing a step-by-step guide to using Spotify’s new AI Playlist beta feature. Image: Spotify
This is where you’ll find the feature if AI Playlists have rolled out to your device.

In my testing, AI Playlists did an impressive job of matching songs to niche prompts. For example, it spat out a delightful mix of rave-appropriate techno music when I asked it to generate a playlist that would “make me feel like a vampire hunter from Blade (1998)” and even titled the playlist as “Blade’s Essence” without additional input. Spotify says that users will get better playlists by using prompts that contain “a combination of genres, moods, artists, or decades,” and that places, animals, activities, movie characters, colors, and even emojis can be referenced by the feature. Spotify says it will continue working on its generative playlist feature “over the coming months.”

A screenshot of Spotify on iOS, using the new AI Playlists feature in beta. Image: Spotify / Verge
You get a few options for curation, including additional prompts and removing specific tracks you don’t want.

There are a few limitations to be aware of — AI Playlists won’t produce results for non-music-related prompts like current events or specific brands, and there are “measures in place around prompts that are offensive,” for example.

Using it has been a fun experience so far. It’s a much faster way to throw together an ensemble than manually building a playlist, and provides some functionality as a music discovery tool for those who want to find new tunes that follow a specific aesthetic. That already makes it feel more useful than Spotify’s AI DJ, which generates a custom playlist based on your entire listening history with limited options to curate the final results.

The new feature could, however, also be a contributing factor in the price increases Spotify is expected to introduce later this year. At the moment, Premium subscriptions start at $5.99 per month for students or $10.99 for individuals. We have asked Spotify when other regions can expect the beta and will update this story if we hear back.

Sunday, April 7, 2024

Maryland Passes 2 Major Privacy Bills, Despite Tech Industry Pushback

One bill would require apps like Instagram and TikTok to prioritize young people’s safety and the other would restrict the collection of consumer data.

Who is Apple’s rumored OLED iPad Pro for?


Earlier this year, there were enough rumors about imminent new Apple products to make for a big spring event, but the company instead announced its new M3 MacBook Airs via press release — and new iPads haven’t shown up since. Today, Mark Gurman writes in his Power On newsletter for Bloomberg that the big spring iPad update, which includes new OLED iPad Pros, is due on May 6th — about 19 months since the last one.

But why upgrade? My 2021 model still feels like new, and I know at least one person who says the same of the 2018 iPad Pro. Unless it does more than what’s been rumored, which is precious little at this point in the grand scheme of things, it narrows who it’s for to just the very specific subset of people who like iPadOS a lot and would shell out for a good, contrasty OLED screen. But what if it just embraced the fact that it’s essentially a laptop with a touchscreen?

The OLED iPad Pro is supposed to be the Big Deal of the new lineup. Both the 11-inch and 13-inch versions are expected to get the better screen, and Apple is apparently releasing more laptop-like aluminum Magic Keyboards for them. Gurman writes in the subscriber edition of his newsletter that there may be a new Apple Pencil with a pressure-sensitive button on the side too. Two new iPad Airs with M2 processors are also expected — one in the standard 10.9-inch size, and a larger 12.9-inch model that would use the same Magic Keyboard accessories available now for the Pro.

That could steal some thunder from the Pro since not everybody cares that much about OLED or high refresh rates — a bigger screen is arguably worth more than fancy display technology. The iPad Pro is an ultra-portable productivity device, and a fancy Magic Keyboard reinforces that idea. But for now, it has one USB-C port and runs iPadOS, which still feels limited, despite multitasking features Apple has added, like Stage Manager.

The 12.9-inch 2022 model is already $1,099 for 128GB of storage and 8GB of RAM. The same money will get you an M3 MacBook Air with 256GB of memory, a bigger screen, a built-in keyboard and trackpad, and an operating system with four-decades-and-counting of software ecosystem support and evolution behind it. The next iPad Pro may be even more expensive. You’d really have to like iPadOS to pick the former over the latter.

Federico Viticci, who’s known for being an iPad power user, said recently that using macOS in a virtual display alongside visionOS apps (which presumably included some iPad apps) “felt powerful and flexible in a way that iPadOS hasn’t made me feel in a while.” That was in a fun MacStories article last month about his experience making a bizarre FrankenPad out of an iPad Pro and a headless MacBook.

At $3,500, the Vision Pro is no immediate threat to the iPad Pro, but Viticci’s story highlights the tablet’s vulnerability. Even if iPad productivity isn’t your bag, it’s great for casual, personal content consumption. If the Vision Pro can take that job over, then the iPad really needs something fresh. One thing Apple could do is make the iPad Pro a true hybrid. It’s already a great secondary display for my MacBook Air.

Apple has shown in the past few years it’s willing to give people a little bit of what they ask for by returning HDMI and SD card ports to the MacBook Pro. I say bring that energy to the iPad. Give it one more USB-C port and — while I’m here asking for things that probably won’t happen but would be awesome if they did — let it dual-boot macOS and iPadOS.

New Disney animatronics breathe convincing life into its 2D characters

This massive, chonky Louis animatronic has almost as much range of movement as I do. | Image: Disney

No matter your opinion on the current state of its animated movies, Disney is proving that it can still knock animatronics out of the park. This week, the entertainment giant gave us another early look at the new audio-animatronics being prepared for Tiana’s Bayou Adventure — a retheming of the iconic (and controversial) Splash Mountain ride — and the demonstrations so far have been breathtakingly impressive.

Recognizable characters from The Princess and the Frog (2009) have been brought to robotic life across various social media posts and Disney’s new “We Call It Imagineering” YouTube series, including Princess Tiana herself, Mama Odie, Charlotte La Bouff, Louis the Alligator, and a host of other swamp critters.

Seriously, some of these animatronics move so fluidly that they seem genuinely alive! If these new animatronics were developed like the ones for Tokyo Disneyland’s Beauty and the Beast attraction, their movements and facial expressions may have been provided by actual animators from Walt Disney Animation Studios, which is why it feels like the characters have simply escaped their 2D confinements. They’re not as realistically lifelike as the Shaman that features in the Na’vi River Journey ride, but that animatronic was a groundbreaking feat of engineering in 2017 — it’s exciting to see technology that complex now being applied at scale around the parks.

I’m also pleased that Disney has moved away from the rear-projection technology that was used on the Seven Dwarfs Mine Train and Frozen Ever After rides in Disney World. It just looks odd and unusually washed out in some circumstances and feels rather lazy compared to previous animatronic innovations from Disney’s Imagineering division over the last 60 years. By contrast, seeing the Princess and the Frog characters’ lips, eyes, and facial structure physically moving makes me take a second to remember that these are real metal and plastic constructs and not CGI.

It’s an exciting time for any like-minded nerds who love to see animatronics or robots used in theme parks and other live experiences. The free-roaming, chicken-like BD-X droids showcased by Disney Imagineering last year will be set loose at the Black Spire Outpost in Disneyland’s Galaxy’s Edge park between April 5th and June 2nd.

We’ve also seen some incredible robots designed around Shanghai Disney Resort’s Zootopia land, and Universal is working on bringing life-size dragons to some of the experiences at the How To Train Your Dragon-themed land it’s constructing for its upcoming Epic Universe park.

If any of this has piqued your interest then I recommend watching The Imagineering Story docuseries on Disney Plus — it provides some fascinating insight into Disney’s extensive history in the animatronic industry.

In Battle Over Health Care Costs, Private Equity Plays Both Sides

As medical practices owned by private equity firms fuel overbilling, a payment tool also backed by such investors helps insurers boost their profits.

Saturday, April 6, 2024

How Tech Giants Cut Corners to Harvest Data for A.I.

OpenAI, Google and Meta ignored corporate policies, altered their own rules and discussed skirting copyright law as they sought online information to train their newest artificial intelligence systems.

Friday, April 5, 2024

Instagram makes more money from ads than YouTube does, and it has for years


A motion Meta filed on Friday to try to get the FTC’s monopoly claims dismissed includes details of how much advertising revenue Instagram brought in over the last few years.

At $32.4 billion for 2021 alone, that’s even more than YouTube, which pulled in $28.8 billion in the same year. Business Insider previously pointed out the lead it has over Google’s video unit, and mentioned that YouTube gives up 55 percent of each advertising dollar it makes to content owners who upload videos while Instagram coughs up a lot less.

Google and Meta documents showing annual ad revenue for Instagram and YouTube Image: Composite of filing from District Court, District of Columbia, and Alphabet 2021 Annual Report (PDF)

The gap is also there even if you look further back. In 2020 and 2019, Meta lists Instagram’s ad revenue as $22 and $17.9 billion, respectively, while YouTube’s ad revenue is listed in its annual report (PDF) as $19.7 and $15.1 billion for the same years.

According to Bloomberg, the figures show the share of Meta’s revenue that comes from Instagram has jumped from 26 percent in 2020 to almost 30 percent in the first six months of 2022. The figures from the filing give more insight than Meta’s quarterly earnings reports, which don’t break out Instagram, but now we have a much clearer idea about how much Adam Mosseri’s section means to Meta.

Back in the ’90s, This Eclipse Webcast Put the Cosmos on Demand

A total solar eclipse in Aruba was streamed to millions of users of the World Wide Web in 1998, helping to start an ongoing era of viral videos of space and astronomy.

Andres Freund, the engineer who prevented a possible global cyberattack

A Microsoft engineer noticed that something was wrong in a piece of software he had worked on. He soon discovered that someone was probably trying to gain access to computers around the world.

Thursday, April 4, 2024

Google sues alleged crypto scammers for luring people into investments they’d never get back


Google is suing two alleged crypto scammers, accusing them of using its Play Store to offer fraudulent cryptocurrency trading apps and investment platforms that instead simply took users’ money. These apps were used in a type of romance scam commonly called “pig butchering” in reference to fattening a pig before it’s slaughtered.

The accused scammers — two app developers based in China and Hong Kong — allegedly uploaded 87 different fraudulent apps to enable their schemes, luring in more than 100,000 people who downloaded them. Based on user complaints, Google alleges that users lost anywhere from $100 to tens of thousands of dollars each. Apps uploaded by the pair and their unnamed associates have been used in versions of the scam since at least 2019, according to Google.

Google says it’s the first company of its peers to take this kind of action. It already shut down the apps on the Play Store once it determined they were fraudulent. “This litigation is a critical step in holding these bad actors accountable and sending a clear message that we will aggressively pursue those who seek to take advantage of our users,” Google’s general counsel, Halimah DeLaine Prado, said in a statement. Google says it was also harmed by the scheme because it threatens the “integrity” of its app store and diverted resources to detect and disrupt the operation. The company says it suffered economic damages of more than $75,000 investigating the fraud.

Here’s how the alleged scam worked, according to Google’s complaint: the developers would make fake cryptocurrency exchange and investment apps, misrepresenting them to the Play Store as legitimate investing apps and allegedly misrepresenting details like their location so they could be uploaded. Then, the alleged scammers or their associates would lure users to the platforms through a mix of romance scam messages and YouTube videos. While this kind of scam is often referred to as “pig butchering,” Google says in a footnote to its complaint that it doesn’t adopt or endorse the term.

The initial texts they would send might look familiar to anyone who’s received text spam — messages like, “I am Sophia, do you remember me?” or “I miss you all the time, how are your parents Mike?” according to the complaint. If they got a response, the alleged scammers would apparently try to start a conversation and eventually move it to a platform like WhatsApp, before convincing their new “friend” to download one of the fraudulent apps and put money into it.

The developers or their associates would also at times convince alleged victims that they could earn commission by hawking the apps themselves as “affiliates” of the platforms, according to the complaint.

Once users were on the apps, the developers made the platforms look convincing by showing a balance and returns on investments, Google alleges. The only problem: users couldn’t take their money out. At times, the apps would let them take out small amounts of money, according to Google, or would require a fee or minimum balance to make a withdrawal, ultimately scamming some out of even more money.

Google is accusing the developers of breaking its terms of service and violating the Racketeer Influenced and Corrupt Organizations Act. It’s asking the court to block them from committing further fraud and award Google an unspecified amount in damages.

Wednesday, April 3, 2024

Amazon still has a serious plastic waste problem in the US

Products on a conveyor belt are scanned at an Amazon fulfillment center, where they are being sorted and shipped out during Cyber Monday on November 27th, 2023, in Tampa, Florida. | Photo by Octavio Jones / Getty Images

Despite making pledges to cut down on plastic packaging, a new report from the nonprofit conservation organization Oceana estimates that Amazon’s plastic waste has continued to grow in the US.

The company created 208 million pounds of plastic waste from its packaging in the US in 2022 alone, which Oceana says is enough trash to circle Earth more than 200 times in the form of plastic air pillows. That’s a nearly 10 percent jump from the amount of plastic waste it generated the year before, according to the report.

The US is a worrying outlier for Amazon, Oceana says. Globally, the e-commerce giant says that it reduced its use of plastic packaging 11.6 percent in 2022 compared to the prior year. But the US is the company’s biggest market, and Oceana argues it’s where Amazon needs to make a lot more progress.

“Why are U.S. customers being left behind?” Matt Littlejohn, Oceana’s senior vice president for strategic initiatives, said in an emailed press release.

There’s not much transparency on how much plastic waste Amazon pumps out from place to place. Its latest sustainability report, which covers 2022, doesn’t break the data down by country. It also doesn’t report on all the plastic waste generated by orders fulfilled by third-party sellers. So Oceana relied on market data from firms Mordor Intelligence and Euromonitor to conduct its analysis, and then made adjustments based on public statements Amazon has made about new measures meant to reduce waste.

In an email to The Verge, Amazon vice president of mechatronics and sustainable packaging Pat Lindner called Oceana’s analysis a “misleading report with exaggerated and inaccurate information about our plastic packaging” and pointed to the company’s “multi-year effort to eliminate plastic delivery packaging from our US automated fulfillment centers.”

Amazon got rid of single-use plastic delivery bags for orders shipped from its fulfillment centers in Europe in 2022. It did the same in India in 2020. The switch has been slower in the US, where a fulfillment center in Ohio became the first in the nation to replace plastic delivery packaging with paper alternatives in 2023.

Plastic film bags used for packaging generally aren’t accepted in curbside recycling programs. Because this type of plastic is trickier to rehash than bottles, consumers who want to steer it away from landfills and incinerators would need to take it to designated drop-off locations in the US.

In July of last year, Amazon appeared to make a vague commitment to ditch some of its iconic plastic packaging altogether. “We are phasing out padded bags containing plastics in favor of recyclable alternatives,” the company said in its sustainability report at the time. But it didn’t set a timeline for when that would happen.

Oceana wants to see the company phase out plastic packaging in its home base, the US. It’s also calling on Amazon to shrink the total amount of plastic packaging it uses by a minimum of one-third by the end of the decade.

X’s ‘complimentary’ Premium push gives people blue checks they didn’t ask for


Just as Elon Musk said, X is doling out free Premium and Premium Plus memberships to accounts with a high number of verified followers.

Multiple X users on Wednesday reported seeing the familiar blue “Verified” checkmark next to their handles despite not paying for either paid X subscription tier. Musk last week announced that X accounts with over 2,500 “verified subscriber followers” would receive a free Premium membership, while accounts with over 5,000 would receive a free Premium Plus membership.

Before Musk’s takeover, the verified symbol on the platform known as Twitter was generally applied to celebrities, politicians, journalists, and others in the public eye. After the platform rolled out paid verification, it became a label anyone could obtain along with purchasing a Premium membership. Previously verified X users who refused to pay lost their checkmarks, though Elon Musk personally intervened to push it on people like Stephen King and LeBron, and it was eventually added to many accounts with more than a million followers (which also verified accounts for many people who’d died or otherwise had not requested it).

Now, it appears that many influential X accounts with already large followings in the tens or hundreds of thousands (which may translate to verified followings that cross the benchmark) are once again check-marked, or will be, whether they like it or not.

X users who were granted verification under the latest scheme received the following message, according to a screenshot by Peter Kafka of Business Insider.

NASA Picks 3 Companies to Help Astronauts Drive Around the Moon

The agency’s future moon buggies will reach speeds of 9.3 miles per hour and will be capable of self-driving.

A first look at Europe’s alternative iPhone app stores


DMA is about to unleash a brave new world of game emulators, clipboard managers, and uncertainty.

Almost a month after Apple’s begrudging capitulation to the Digital Markets Act (DMA), only one third-party iOS app store is currently live in Europe. It’s the B2B-focused Mobivention marketplace that allows companies to distribute their own apps internally. While that’s fine and all, things won’t stay this way for long — and it’s what’s coming soon that’ll really pique the interest of Verge readers.

Both the Epic Games Store and MacPaw’s Setapp have been announced, but it’s AltStore that’s likely to hit EU users’ phones first. This new app marketplace from developer Riley Testut is a version of AltStore, an App Store alternative that launched in 2019 that doesn’t require users to jailbreak their devices. The primary drive for its creation was Delta, a Nintendo emulator that Testut and his business partner Shane Gill are now bringing to the iPhone through their European app marketplace.

Currently, the new version of AltStore is deep in Apple’s approval process and will be ready to go live once it gets the thumbs up from the company. Thankfully, we’ve already had a chance to preview the marketplace and spend some time kicking its tires.

The new AltStore is launching with both Delta game emulator and Clip clipboard apps from a single developer.

One reason we’ve not seen more app stores launch at this point in time is partially down to Apple making it too costly. For example, its Core Technology Fee (CTF) requires developers to pay Apple 50 euro cents for every annual app install over 1 million, but developers of third-party app stores must pay the CTF for every first annual install of their app marketplace. In other words, every download of AltStore and Mobivention costs their developers 50 euro cents — a fee that could quickly become unsustainable. The current AltStore has been downloaded over a million times, for example.

There’s no best practice guide on managing this, but Mobivention has passed the CTF fees onto its customers through membership packages. At the time of writing, AltStore hasn’t announced how it plans to handle this.

Such fees aren’t financially devastating for users, but they could be enough of a blocker to stop the slightly curious from exploring alternative app stores — especially if people aren’t really sure what they’ll find there. No one likes paying for services they may not use, after all.

Installing an app marketplace

Another potential roadblock to widespread third-party marketplace adoption is just how fiddly it is, with each store taking around a dozen screen interactions to install.

It goes like this: you begin by clicking a browser-based link to load the alternative store. From there, you receive a pop-up informing you that your installation settings don’t allow marketplaces from that developer. Then, you head into Settings, enable the marketplace, return to your browser, click the download link again, and receive another prompt asking you to confirm the install. Finally, you can open the store and browse the available apps.

Apple wants to make it very, very clear that installing a third-party marketplace is going to be a hassle.

It’s not a tricky procedure to follow, but there are enough steps and scary language to make it irritating and act as a deterrent — especially when Apple’s App Store only requires a single click to get going. It’s hard to view this as anything other than the company’s attempt to sap people’s energy and dissuade them from carrying on, especially given Apple’s historical prowess at designing user experiences.

Thankfully, installing third-party apps themselves is easier. On both Mobivention and AltStore, it’s effectively the same process as the App Store: you click on a button that says “install” and… it installs. On first inspection, at least.

While this method works for AltStore’s bundled apps — Delta and Clip — using software from other providers requires a slightly different approach. AltStore allows you to add “sources,” which are URLs developers share that contain JSON files holding app metadata. Once these sources are added, the apps they point to can be downloaded from AltStore. It’s a little Inception-esque: stores within a store.

Clearly, this decentralized approach differs from Apple’s all-inclusive App Store and could further deter the general public. It’s a little complicated for most people. Saying that, I’d bet a lot of enthusiasts are rubbing their hands together with glee about this unrestrained approach to app distribution.

These sources won’t be available at release, but Testut says this is a “priority post-launch,” and there will soon be a curated list of recommended source partners to download apps from.

As I didn’t try out a source in the course of my testing, this left me to focus on the two apps available at launch: Delta and Clip. And this is where things get particularly exciting, because Delta, especially, is terrific.

Are the apps worth all the pain?

Delta is primarily a Nintendo emulator that focuses on the NES, SNES, N64, and pre-Switch handhelds. I wasn’t expecting to be impressed by the free app, but it genuinely blew me away. Playing classic games on my iPhone is something I didn’t even know I missed.

Delta supports horizontal gameplay, of course.

Actually using Delta was a breeze. You can upload ROMs via iCloud Drive or from your phone’s Download folder, and the performance while playing various titles was excellent. I will say that the controls were awkward on the touchscreen, but connecting an external controller made things much easier — even if I had a few issues accessing Delta’s menu afterward.

All in all, though, as someone who grew up with these games, finally playing them on an iPhone feels nothing short of magical.

Clip was another app I enjoyed using. This clipboard manager requires a minimum Patreon pledge of $1 a month (plus taxes) to download. You can cancel this monthly pledge at any time and still continue to use Clip, but it won’t receive any updates.


Regarding the app itself, the version of Clip I tried differs from similar software offered on Apple’s App Store in that it constantly runs in the background. Normally, clipboard managers on iOS have to use a variety of workarounds to achieve comparable functionality. For example, Paste requires you to open the app each time you want to add something you’ve copied to the clipboard.

This is where Clip thrives, by comparison. When you copy something, you immediately receive a notification and can swipe down to save it to your clipboard. This means you have the option to add it if it’s something useful — like an address — or dismiss the notification if it’s something you don’t want logged, like a password. I found saving your copied items like this into a centralized location to be incredibly useful, as it makes sharing and reusing these snippets painless.

Clip works well, and it’s a tool I can see myself using, but it does raise some red flags. There’s a reason that Apple doesn’t allow fully functioning clipboard managers on the App Store after all. Security-wise, there’s a potential danger in allowing an app to snoop on everything you’re copying and pasting — especially if a bad actor manages to access your data store.

When I put this concern to Testut, he tells me Clip uses “standard iOS security (e.g. sandboxing)” and that everything is stored in an SQLite database, something that can’t be accessed by other apps, “unless your device is jailbroken.”

Caveat emptor

Nevertheless, it’s these types of apps that have raised concern around using third-party marketplaces — especially by companies like Apple. It contends that the DMA is throttling its ability to “detect, prevent, and take action against malicious apps on iOS and to support users impacted by issues with apps downloaded outside of the App Store.”

There’s some truth to that, but it’s not quite so binary. Apple still has to do a baseline review and notarize all apps on third-party app stores in order to “ensure [they] are free of known malware, viruses, or other security threats, function as promised, and don’t expose users to egregious fraud.” Under the DMA, Apple is also allowed to take “necessary and proportionate” steps to protect users and mitigate any security issues.

For example, after I had tested Clip, Testut had to tweak the app’s background monitoring feature in order for Apple to notarize it. The first version I tried used the user’s location to remain active, but was rejected by Apple. Testut then updated Clip with a Map feature — so there’s a reason for the app to remain active in the background — to receive approval.

This back and forth clearly shows that third-party marketplaces aren’t quite the Wild West some have feared.

This isn’t to say there aren’t dangers involved with operating outside of Apple’s walled garden though. Clip might protect your data, but what about the next app you decide to try? The sparsely populated app privacy sections on AltStore don’t help alleviate this concern, especially compared to the App Store. Being less secure doesn’t automatically mean you’ll have your identity or data stolen, but some additional transparency related to data collection, permissions, and privacy would certainly be welcome.

Worth the hassle?

Likely, the biggest hurdle for the general public to adopt third-party marketplaces will be leaving the comforting embrace of the App Store. People have been downloading apps from Apple since 2008. Whether it’s security, user privacy, app updates, fraud protection, or refunds, you feel confident that Apple has it under control on the App Store.

Third-party app stores introduce an element of doubt. What happens if you’re out of the EU for over a month and apps you depend on stop getting updates? Or you want a refund on a defective piece of software? Or an app scams you?

In the case of AltStore, Testut says that since all marketplace payments are done via Patreon pledges, Patreon will deal with any disputes as it does on the existing AltStore. Other app marketplaces will take different approaches. With Apple, you always know where you stand.

While AltStore and Mobivention aren’t well known enough to inspire confidence in the same way Apple does, other big hitters might. Both the aforementioned Epic Games Store and Setapp marketplaces are on the horizon, and their higher profiles could convince people of their ability to mitigate harm and moderate disputes. Normalizing app downloads outside the App Store will also get a boost after the spring when Apple enables web distribution for large developers.

Of course, for the public to get used to alternative marketplaces, consumer-focused ones need to launch first. While AltStore may be close to going live, the approval process has been slow and drawn out, causing the launch to miss its March target.

Fundamentally, in their current state, third-party iOS app stores like AltStore will only be attractive to power users, groups of enthusiasts who are desperate to solve niche issues or have particular interests in something they can’t get on the App Store, like a fully functioning clipboard manager or game emulator.

And Apple? It’s probably pretty happy with this. The fewer things that mess with its big old moneymaker, the better — even if its approach to DMA compliance makes the company low-hanging fruit for hungry EU regulators.

Tuesday, April 2, 2024

How one volunteer stopped a backdoor from exposing Linux systems worldwide

Photo by Amelia Holowaty Krales / The Verge

Linux, the most widely used open source operating system in the world, narrowly escaped a massive cyber attack over Easter weekend, all thanks to one volunteer.

The backdoor had been inserted into a recent release of a Linux compression format called XZ Utils, a tool that is little-known outside the Linux world but is used in nearly every Linux distribution to compress large files, making them easier to transfer. If it had spread more widely, an untold number of systems could have been left compromised for years.

And as Ars Technica noted in its exhaustive recap, the culprit had been working on the project out in the open.

The vulnerability, inserted into Linux’s remote log-in, only exposed itself to a single key, so that it could hide from scans of public computers. As Ben Thompson writes in Stratechery, “the majority of the world’s computers would be vulnerable and no one would know.”

The story of the XZ backdoor’s discovery starts in the early morning of March 29th, as San Francisco-based Microsoft developer Andres Freund posted on Mastodon and sent an email to OpenWall’s security mailing list with the heading: “backdoor in upstream xz/liblzma leading to ssh server compromise.”

Freund, who volunteers as a “maintainer” for PostgreSQL, a Linux-based database, noticed a few strange things over the past few weeks while running tests. Encrypted log-ins to liblzma, part of the XZ compression library, were using up a ton of CPU. None of the performance tools he used revealed anything, Freund wrote on Mastodon. This immediately made him suspicious, and he remembered an “odd complaint” from a Postgres user a couple of weeks earlier about Valgrind, Linux’s program that checks for memory errors.

After some sleuthing, Freund eventually discovered what was wrong. “The upstream xz repository and the xz tarballs have been backdoored,” noted Freund in his email. The malicious code was in versions 5.6.0 and 5.6.1 of the xz tools and libraries.

Shortly after, enterprise open source software company Red Hat sent out an emergency security alert for users of Fedora Rawhide and Fedora Linux 40. Ultimately, the company concluded that the beta version of Fedora Linux 40 contained two affected versions of the xz libraries. Fedora Rawhide versions likely received versions 5.6.0 or 5.6.1 as well.

PLEASE IMMEDIATELY STOP USAGE OF ANY FEDORA RAWHIDE INSTANCES for work or personal activity. Fedora Rawhide will be reverted to xz-5.4.x shortly, and once that is done, Fedora Rawhide instances can safely be redeployed.

Although a beta version of Debian, the free Linux distribution, contained compromised packages, its security team acted swiftly to revert them. “Right now no Debian stable versions are known to be affected,” wrote Debian’s Salvatore Bonaccorso in a security alert to users on Friday evening.
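As an added example (not part of the original article or of any vendor advisory), the shell script below checks whether a host's xz, and the liblzma that its sshd loads, report version 5.6.0 or 5.6.1, the two releases named above. The function names and the /usr/sbin/sshd fallback path are assumptions, and a "not-listed" result only means the version is not one of those two.

```shell
#!/bin/sh
# Added example, not from the article: flag the two xz/liblzma releases the
# article names as backdoored (5.6.0 and 5.6.1). Function names are made up.

# Print "affected" for those two versions, otherwise "not-listed".
classify_version() {
    case "$1" in
        5.6.0|5.6.1) echo "affected" ;;
        *)           echo "not-listed" ;;
    esac
}

# Read text on stdin (`xz --version` output, a library path) and print the
# last x.y.z number on each line; it must follow a non-digit character.
extract_versions() {
    sed -n 's/.*[^0-9]\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Read `ldd` output on stdin and print the path liblzma resolves to, if any.
linked_liblzma() {
    awk '$1 ~ /^liblzma\.so/ && $2 == "=>" { print $3; exit }'
}

# Report on the local host. Only prints; tools that are missing are skipped.
audit_host() {
    if command -v xz >/dev/null 2>&1; then
        xz --version | extract_versions | sort -u | while read -r v; do
            echo "xz/liblzma $v: $(classify_version "$v")"
        done
    fi
    # Assumption: sshd is on PATH or at the common /usr/sbin/sshd location.
    sshd_bin=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
    [ -x "$sshd_bin" ] || return 0
    command -v ldd >/dev/null 2>&1 || return 0
    lib=$(ldd "$sshd_bin" 2>/dev/null | linked_liblzma)
    [ -n "$lib" ] || { echo "sshd: liblzma not linked"; return 0; }
    # Follow the symlink so the file name carries the full version number.
    real=$(readlink -f "$lib" 2>/dev/null)
    v=$(echo "$real" | extract_versions)
    if [ -n "$v" ]; then
        echo "sshd loads $real: $(classify_version "$v")"
    else
        echo "sshd loads ${real:-$lib}: version not in file name"
    fi
}

audit_host
```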

Freund later identified the person who submitted the malicious code as one of two main xz Utils developers, known as JiaT75, or Jia Tan. “Given the activity over several weeks, the committer is either directly involved or there was some quite severe compromise of their system. Unfortunately the latter looks like the less likely explanation, given they communicated on various lists about the “fixes” mentioned above,” wrote Freund in his analysis, after linking several workarounds that were made by JiaT75.

JiaT75 was a familiar name: they’d worked side-by-side with the original developer of the .xz file format, Lasse Collin, for a while. As programmer Russ Cox noted in his timeline, JiaT75 started by sending apparently legitimate patches to the XZ mailing list in October of 2021.

Other arms of the scheme unfolded a few months later, as two other identities, Jigar Kumar and Dennis Ens, began emailing complaints to Collin about bugs and the project’s slow development. However, as noted in reports by Evan Boehs and others, “Kumar” and “Ens” were never seen outside the XZ community, leading investigators to believe both are fakes that existed only to help Jia Tan get into position to deliver the backdoored code.

“With your current rate, I very doubt to see 5.4.0 release this year. The only progress since april has been small changes to test code. You ignore the many patches bit rotting away on this mailing list. Right now you choke your repo. Why wait until 5.4.0 to change maintainer? Why delay what your repo needs?”
An email from “Jigar Kumar” pressuring the developer of XZ Utils to relinquish control of the project. Image: Screenshot from The Mail Archive

“I am sorry about your mental health issues, but its important to be aware of your own limits. I get that this is a hobby project for all contributors, but the community desires more,” wrote Ens in one message, while Kumar said in another that “Progress will not happen until there is new maintainer.”

In the midst of this back and forth, Collin wrote that “I haven’t lost interest but my ability to care has been fairly limited mostly due to longterm mental health issues but also due to some other things,” and suggested Jia Tan would take on a bigger role. “It’s also good to keep in mind that this is an unpaid hobby project,” he concluded. The emails from “Kumar” and “Ens” continued until Tan was added as a maintainer later that year, able to make alterations, and attempt to get the backdoored package into Linux distributions with more authority.

The xz backdoor incident and its aftermath are an example of both the beauty of open source and a striking vulnerability in the internet’s infrastructure.

A developer behind FFmpeg, a popular open-source media package, highlighted the problem in a tweet, saying “The xz fiasco has shown how a dependence on unpaid volunteers can cause major problems. Trillion dollar corporations expect free and urgent support from volunteers.” And they brought receipts, pointing out how they dealt with a “high priority” bug affecting Microsoft Teams.

Despite Microsoft’s dependence on its software, the developer writes, “After politely requesting a support contract from Microsoft for long term maintenance, they offered a one-time payment of a few thousand dollars instead...investments in maintenance and sustainability are unsexy and probably won’t get a middle manager their promotion but pay off a thousandfold over many years.”

Details of who is behind “JiaT75,” how they executed their plan, and the extent of the damage are being unearthed by an army of developers and cybersecurity professionals, both on social media and online forums. But that happens without direct financial support from many of the companies and organizations who benefit from being able to use secure software.

Hundreds More Nazca Lines Emerge in Peru’s Desert

With drones and A.I., researchers managed to double the number of mysterious geoglyphs in ...