Author name: Shannon Garcia


H5N1 testing in cow veterinarians suggests bird flu is spreading silently

Three veterinarians who work with cows have tested positive for prior infections of H5 bird flu, according to a study released today by the Centers for Disease Control and Prevention.

The finding may not seem surprising, given the sweeping and ongoing outbreak of H5N1 among dairy farms in the US, which has reached 968 herds in 16 states and led to infections in 41 dairy workers. However, it is notable that none of the three veterinarians were aware of being infected, and none of them worked with cows that were known or suspected to be infected with H5N1. In fact, one of them only worked in Georgia and South Carolina, two states where H5N1 infections in dairy cows and humans have never been reported.

The findings suggest that the virus may be moving in animals and people silently, and that our surveillance systems are missing infections—both long-held fears among health experts.

The authors of the study, led by researchers at the CDC, put the takeaway slightly differently, writing: “These findings suggest the possible benefit of systematic surveillance for rapid identification of HPAI A(H5) virus in dairy cattle, milk, and humans who are exposed to cattle to ensure appropriate hazard assessments.”



When software updates actually improve—instead of ruin—our favorite devices


Opinion: These tech products have gotten better over time.

The Hatch Restore 2 smart alarm clock. Credit: Scharon Harding

For many, there’s a feeling of dread associated with software updates to their favorite gadget. Updates to a beloved gadget can frequently result in outrage, from obligatory complaints around bugs to selective aversions to change from Luddites and tech enthusiasts alike.

In addition to those frustrations, there are times when gadget makers use software updates to manipulate product functionality and seriously upend owners’ abilities to use their property as expected. We’ve all seen software updates render gadgets absolutely horrible: Printers have nearly become a four-letter word as the industry infamously issues updates that brick third-party ink and scanning capabilities. We’ve also seen companies update products that caused features to be behind a paywall or removed entirely. This type of behavior has contributed to some users feeling wary of software updates in fear of them diminishing the value of already-purchased hardware.

On the other hand, there are times when software updates enrich the capabilities of smart gadgets. These updates are the types of things that can help devices retain or improve their value, last longer, and become less likely to turn into e-waste.

For example, I’ve been using the Hatch Restore 2 sunrise alarm clock since July. In that time, updates to its companion app have enabled me to extract significantly more value from the clock and explore its large library of sounds, lights, and customization options.

The Hatch Sleep iOS app used to have tabs on the bottom for Rest, for setting how the clock looks and sounds when you’re sleeping; Library, for accessing the clock’s library of sounds and colors; and Rise, for setting how the clock looks and sounds when you’re waking up. Today, the bottom of the app just has Library and Home tabs, with Home featuring all the settings for Rest and Rise, as well as for Cue (the clock’s settings for reminding you it’s time to unwind for the night) and Unwind (sounds and settings that the clock uses during the time period leading up to sleep).

A screenshot of the Home section of the Hatch Sleep app.

Hatch’s app has generally become cleaner after hiding things like its notification section. Hatch also updated the app to store multiple Unwind settings you can swap around. Overall, these changes have made customizing my settings less tedious, which means I’ve been more inclined to try them. Before the updates, I mostly used the app to set my alarm and change my Rest settings. I often exited the app prematurely after getting overwhelmed by all the different tabs I had to toggle through (toggling through tabs was also more time-consuming).

Additionally, Hatch has updated the app since I started using it so that disabled alarms are placed under an expanding drawer. This has reduced the chances of me misreading the app and thinking I have an alarm set when it’s not currently enabled while providing a clearer view of which alarms actually are enabled.

The Library tab was also recently updated to group lights and sounds under Cue, Unwind, Sleep, and Wake, making it easier to find the type of setting I’m interested in.

The app also started providing more helpful recommendations, such as “favorites for heavy sleepers.”

Better over time

Software updates have made it easier for me to enjoy the Restore 2 hardware. Honestly, I don’t know if I’d still use the clock without these app improvements. What was primarily a noise machine this summer has become a multi-purpose device with much more value.

Now, you might argue that Hatch could’ve implemented these features from the beginning. That may have been more sensible, but as a tech enthusiast, I still find something inherently cool about watching a gadget improve in ways that affect how I use the hardware and align with what I thought my gadget needed. I agree that some tech gadgets are released prematurely and overly rely on updates to earn their initial prices. But it’s also advantageous for devices to improve over time.

The Steam Deck is another good example. Early adopters might have been disappointed to see missing features like overclocking controls, per-game power profiles, or Windows drivers. Valve has since added those features.

Valve only had a few dozen Hardware department employees in the run up to the launch of the Steam Deck. Credit: Sam Machkovech

Valve has also added more control over the Steam Deck since its release, including the power to adjust resolution and refresh rates for connected external displays. It’s also upped performance via an October update that Valve claimed could improve the battery life of LCD models by up to 10 percent in “light load situations.”

These are the kinds of updates that still allowed the Steam Deck to be playable for months, but the features were exciting additions once they arrived. When companies issue updates reliably and in ways that improve the user experience, people are less averse to updating their gadgets, which could also be critical for device functionality and security.

Adding new features via software updates can make devices more valuable to owners. Updates that address accessibility needs go even further by opening up the gadgets to more people.

Apple, for example, demonstrated the power that software updates can have on accessibility by adding a hearing aid feature to the AirPods Pro 2 in October, about two years after the earbuds came out. Similarly, Amazon updated some Fire TV models in December to support simultaneous audio broadcasting from internal speakers and hearing aids. It also expanded the number of hearing aids supported by some Fire TV models as well as its Fire TV Cube streaming device.

For some, these updates had a dramatic impact on how they could use the devices, demonstrating a focus on user, rather than corporate, needs.

Update upswings

We all know that corporations sometimes leverage software updates to manipulate products in ways that prioritize internal or partner needs over those of users. Unfortunately, this seems like something we have to get used to, as an increasing number of devices join the Internet of Things and rely on software updates.

Innovations also mean that some companies are among the first to try to make sustainable business models for their products. Sometimes our favorite gadgets are made by young companies or startups with unstable funding that are forced to adapt amid challenging economics or inadequate business strategy. Sometimes, the companies behind our favorite tech products are beholden to investors and pressure for growth. These can lead to projects being abandoned or to software updates that look to squeeze more money out of customers.

As happy as I am to find my smart alarm clock increasingly easy to use, those same software updates could one day lock the features I’ve grown fond of behind a paywall (Hatch already has a subscription option available). Having my alarm clock lose functionality overnight without physical damage isn’t the type of thing I’d have to worry about with a dumb alarm clock, of course.

But that’s the gamble that tech fans take, and it makes those privy to the problematic tactics used by smart device manufacturers steer clear of certain products.

Still, when updates provide noticeable, meaningful changes to how people can use their devices, technology feels futuristic, groundbreaking, and exciting. With many companies using updates for their own gain, it’s nice to see some firms take the opportunity to give customers more.


Scharon is a Senior Technology Reporter at Ars Technica writing news, reviews, and analysis on consumer gadgets and services. She’s been reporting on technology for over 10 years, with bylines at Tom’s Hardware, Channelnomics, and CRN UK.



Tariffs will “blow a hole” in the US auto industry, says Ford CEO

The US has had to pause some of these new tariffs almost immediately, and the proposed 25 percent tariffs against any Canadian or Mexican imports have been delayed for a month. But yesterday, the president imposed 25 percent tariffs on any imported steel or aluminum. When last in office, Trump also imposed tariffs on steel (25 percent) and aluminum (10 percent), igniting a trade war and cutting US steel imports by far more than domestic steel production was able to rise to make up the difference.

“Let’s be real honest: long-term, 25 percent tariffs across the Mexican and Canadian border would blow a hole in the US industry that we have never seen,” Farley said, pointing out that the tariffs would “give free rein” to OEMs that import their vehicles from Japan, South Korea, or Europe.

As the CEO of Polestar told Ars last week, the main thing automakers want is clarity. The last thing they want is chaos, where the rules change from one day to the next based on whim. At the conference, Farley had a similar message. “They need to understand there’s a lot of policy uncertainty here, but in the meantime, we’re scrambling to manage the company as professionals,” he said.



Google Chrome may soon use “AI” to replace compromised passwords

Google’s Chrome browser might soon get a useful security upgrade: detecting passwords used in data breaches and then generating and storing a better replacement. Google’s preliminary copy suggests it’s an “AI innovation,” though exactly how is unclear.

Noted software digger Leopeva64 on X found a new offering in the AI settings of a very early build of Chrome. The option, “Automated password Change” (so, early stages—as to not yet get a copyedit), is described as, “When Chrome finds one of your passwords in a data breach, it can offer to change your password for you when you sign in.”

Chrome already has a feature that warns users if the passwords they enter have been identified in a breach and will prompt them to change it. As noted by Windows Report, the change is that now Google will offer to change it for you on the spot rather than simply prompting you to handle that elsewhere. The password is automatically saved in Google’s Password Manager and “is encrypted and never seen by anyone,” the settings page claims.

If you want to see how this works, you need to download a Canary version of Chrome. In the flags settings (navigate to “chrome://flags” in the address bar), you’ll need to enable two features: “Improved password change service” and “Mark all credential as leaked,” the latter to force the change notification because, presumably, it’s not hooked up to actual leaked password databases yet. Go to almost any non-Google site, enter in any user/password combination to try to log in, and after it fails or you navigate elsewhere, a prompt will ask you to consider changing your password.



Bird flu strain that just jumped to cows infects dairy worker in Nevada

However, the new Nevada case is notable because it marks the first time D1.1 is known to have jumped from birds to cows to a person. Moreover, D1.1 has proven dangerous. The genotype is behind the country’s only severe and ultimately fatal case of H5N1 so far in the outbreak. The death in the Louisiana case linked to wild and backyard birds was reported last month. The CDC’s statement added that the person had “prolonged, unprotected” exposure to the birds. The D1.1 genotype was also behind a severe H5N1 infection that put a Canadian teenager in intensive care late last year.

In a February 7 analysis, the USDA reported finding that the D1.1 strain infecting cows in Nevada has a notable mutation known to help the bird-adapted virus replicate in mammals more efficiently (PB2 D701N). To date, this mutation has not been seen in D1.1 strains spreading in wild birds nor has it been seen in the B3.13 genotype circulating in dairy cows. However, it was seen before in a 2023 human case in Chile. The CDC said it has confirmed that the strain of D1.1 infecting the person in Nevada also contains the PB2 D701N mutation.

The USDA and CDC both reported that no other concerning mutations were found, including one that has been consistently identified in the B3.13 strain in cows. The CDC said it does not expect any changes to how the virus will interact with human immune responses or to antivirals.

Most importantly, to date, there has been no evidence of human-to-human transmission, which would mark a dangerous turn for the virus’s ability to spark an outbreak. For all these reasons, the CDC considers the risk to the public low, though people with exposure to poultry, dairy cows, and birds are at higher risk and should take precautions.

To date, 967 herds across 16 states have been infected with H5N1 bird flu, and nearly 158 million commercial birds have been affected since 2022.



Sam Altman: OpenAI is not for sale, even for Elon Musk’s $97 billion offer

A brief history of Musk vs. Altman

The beef between Musk and Altman goes back to 2015, when the pair partnered (with others) to co-found OpenAI as a nonprofit. Musk cut ties with the company in 2018 but watched from the sidelines as OpenAI became a media darling in 2022 and 2023 following the launch of ChatGPT and then GPT-4.

In July 2023, Musk created his own OpenAI competitor, xAI (maker of Grok). Since then, Musk has become a frequent legal thorn in Altman and OpenAI’s side, at times suing both OpenAI and Altman personally, claiming that OpenAI has strayed from its original open source mission—especially after reports emerged about Altman’s plans to transition portions of OpenAI into a for-profit company, something Musk has fiercely criticized.

Musk initially sued the company and Altman in March 2024, claiming that OpenAI’s alliance with Microsoft had broken its agreement to make a major breakthrough in AI “freely available to the public.” Musk withdrew the suit in June 2024, then revived it in August 2024 under similar complaints.

Musk and Altman have been publicly trading barbs frequently on X and in the press over the past few years, most recently when Musk criticized Altman’s $500B “Stargate” AI infrastructure project announced last month.

This morning, when asked on Bloomberg Television if Musk’s move comes from personal insecurity about xAI, Altman replied, “Probably his whole life is from a position of insecurity.”

“I don’t think he’s a happy guy. I feel for him,” he added.



After Trump killed a report on nature, researchers push ahead with release

But one word in the federal register notice describing key principles of the nature report—”inclusive”—may have triggered Trump’s decision to end it. Christopher Schell, a lead author of a chapter called “Nature and Equity in the US,” told The Times that his chapter’s focus on environmental justice may have made the project an easy target for Trump.

On day one of his administration, Trump issued executive orders rescinding Biden-era priorities and ending several environmental justice and equity initiatives in government. According to an analysis from two experts at Harvard’s energy and environmental law program, Carrie Jenks and Sara Dewey, Trump claimed, “without explanation,” that the Biden initiatives violate “longstanding Federal civil-rights laws” and “threaten the safety of American men, women, and children.”

Now “federal agencies no longer have a mandate, unless required under separate rules, to consider how their actions will disproportionately harm low-income communities, communities of color, and other vulnerable populations,” the Harvard researchers warned.

Trump contradictions in environmental orders

Grist reported on the scramble to salvage a wide range of Trump-purged climate data like the National Nature Assessment that could help protect vulnerable communities by remaining in the public sphere. That report noted that climate data access was similarly lost during Trump’s prior administration, when “as much as 20 percent of the EPA’s website became inaccessible to the public” and the government’s “use of the term ‘climate change’ decreased by more than a third.”

But even if some members of the public remain jaded from Trump’s prior administration, researchers working on the nature report told The Times that their biggest concern in moving forward with the report is that the general public views government studies as more authoritative than independent studies. The fear is that even if the report is eventually published, its impact could be watered down without the government’s involvement or endorsement.



Handful of users claim new Nvidia GPUs are melting power cables again

The 12VHPWR and 12V-2×6 connectors are both designed to solve a real problem: delivering hundreds of watts of power to high-end GPUs over a single cable rather than trying to fit multiple 8-pin power connectors onto these GPUs. In theory, swapping two to four 8-pin connectors for a single 12V-2×6 or 12VHPWR connector cuts down on the amount of board space OEMs must reserve for these connectors in their designs and the number of cables that users have to snake through the inside of their gaming PCs.

But while Nvidia, Intel, AMD, Qualcomm, Arm, and other companies are all PCI-SIG members and all had a hand in the design of the new standards, Nvidia is the only GPU company to use the 12VHPWR and 12V-2×6 connectors in most of its GPUs. AMD and Intel have continued to use the 8-pin power connector, and even some of Nvidia’s partners have stuck with 8-pin connectors for lower-end, lower-power cards like the RTX 4060 and 4070 series.

Both of the reported 5090 incidents involved third-party cables, one from custom PC part manufacturer MODDIY and one included with an FSP power supply, rather than the first-party 8-pin adapter that Nvidia supplies with GeForce GPUs. It’s much too early to say whether these cables (or Nvidia, or the design of the connector, or the affected users) caused the problem or whether this was just a coincidence.

We’ve contacted Nvidia to see whether it’s aware of and investigating the reports and will update this piece if we receive a response.



Citing EV “rollercoaster” in US, BMW invests in internal combustion

“We anticipated that people wouldn’t want to be discriminated against because of the power train,” Goller said. “We’ve gone the path which others are now following.”

Analysts say BMW is better positioned than rivals to meet the EU’s tougher emissions targets without selling EVs at deep discounts. It is also less exposed to Trump’s tariff war since 65 percent of its cars sold in the US are built locally, and it is also a net exporter from the US.

“From an operational standpoint, I think BMW, outside China, is very well placed,” said UBS analyst Patrick Hummel. “They’re pretty much where they need to be in terms of the EV share in the mix.”

Jefferies analyst Philippe Houchois has described BMW, which has in the past drawn criticism from investors for hedging its bets on power train technology, as “the most thoughtful [original equipment manufacturer] over the years.”

This year, the group will launch its Neue Klasse platform for its next generation of EVs, with longer range, faster charging, and upgraded software capabilities, which Houchois said would “consolidate a lead in software-defined vehicles, multi-energy power train, and battery sourcing.”

But China has proved challenging to the Munich-based carmaker. BMW and Mini sales in the world’s largest automotive market fell more than 13 percent last year to 714,530 cars, a more severe slump than rivals such as Mercedes-Benz and Audi.

Analysts at Citigroup have warned that BMW remains vulnerable to China, where intensifying price pressure in an overcrowded market has been forcing carmakers to discount prices. Sliding sales in the country, where BMW still delivers just under a third of its cars, “remains our key concern,” the Citi analysts said.

Goller acknowledged China was unlikely to return to the explosive economic growth that first attracted foreign carmakers to flood into the country.

“But we still see a growing market… and therefore, our ambition is clearly that we want to participate in a growing market,” he said.

Goller added that it shouldn’t come as “a shock” that Chinese brands were rapidly taking domestic market share from foreign carmakers.

“The cars are really good from a technology perspective,” he said. “But we are not afraid.”

© 2025 The Financial Times Ltd. All rights reserved. Not to be redistributed, copied, or modified in any way.



Developer creates endless Wikipedia feed to fight algorithm addiction

On a recent WikiTok browsing run, I ran across entries on topics like SX-Window (a GUI for the Sharp X68000 series of computers), Xantocillin (“the first reported natural product found to contain the isocyanide functional group”), Lorenzo Ghiberti (an Italian Renaissance sculptor from Florence), the William Wheeler House in Texas, and the city of Krautheim, Germany—none of which I knew existed before the session started.

How WikiTok took off

The idea for WikiTok originated with developer Tyler Angert on Monday evening when he tweeted, “insane project idea: all of wikipedia on a single, scrollable page.” Bloomberg Beta VC James Cham replied, “Even better, an infinitely scrolling Wikipedia page based on whatever you are interested in next?” and Angert coined “WikiTok” in a follow-up post.

Early the next morning, at 12:28 am, writer Grant Slatton quote-tweeted the WikiTok discussion, and that’s where Gemal came in. “I saw it from [Slatton’s] quote retweet,” he told Ars. “I immediately thought, ‘Wow I can build an MVP [minimum viable product] and this could take off.’”

Gemal started his project at 12:30 am, and with help from AI coding tools like Anthropic’s Claude and Cursor, he finished a prototype by 2 am and posted the results on X. Someone later announced WikiTok on ycombinator’s Hacker News, where it topped the site’s list of daily news items.


A screenshot of the WikiTok web app running in a desktop web browser. Credit: Benj Edwards

“The entire thing is only several hundred lines of code, and Claude wrote the vast majority of it,” Gemal told Ars. “AI helped me ship really really fast and just capitalize on the initial viral tweet asking for Wikipedia with scrolling.”

Gemal posted the code for WikiTok on GitHub, so anyone can modify or contribute to the project. Right now, the web app supports 14 languages, article previews, and article sharing on both desktop and mobile browsers. New features may arrive as contributors add them. It’s based on a tech stack that includes React 18, TypeScript, Tailwind CSS, and Vite.

And so far, he is sticking to his vision of a free way to enjoy Wikipedia without being tracked and targeted. “I have no grand plans for some sort of insane monetized hyper-calculating TikTok algorithm,” Gemal told us. “It is anti-algorithmic, if anything.”



Donkey Kong’s famed kill screen has been cleared for the first time

A short emulator-aided demonstration of how the broken ladder glitch works (not shown: the dozens of frame-perfect inputs needed to pull it off).

Better to be lucky than to be good

While players have theorized about using the broken ladder glitch to pass the kill screen for years, it initially seemed like even this glitched shortcut was too slow for the short kill screen timer. Yet when Kosmic attempted the same trick using his own emulator-assisted setup recently, he says he was able to complete the level on his first try. What gives?

As it turns out, Kosmic was the beneficiary of some significant luck. Basically, every time Donkey Kong throws a barrel, there is a 1 in 32 chance that he will wait an extra half second or so before throwing the next barrel (this random process is explained in way too much detail in this Pastebin). Since the game’s bonus timer only ticks down when Donkey Kong actually throws a barrel, the semi-rare delay can give Mario the crucial extra frames he needs to reach the top of the kill screen using the broken ladder glitch.

Funnily enough, this randomized barrel-throwing delay can theoretically repeat indefinitely, provided the game’s randomizer picks the same lucky 1-in-32 sequence over and over again. If Donkey Kong decides to delay his barrel throw about 19 times in a row, Mario would actually be able to complete the kill screen normally, without the broken ladder glitch (and without facing many barrels, even). Of course, the chances of that happening on unmodified arcade hardware are nearly 1 in 40 octillion (1 in 32^19, to be precise), so don’t count on encountering it in the wild any time soon.


Mario dies on level 22-6, which Kosmic now considers the “true” Donkey Kong kill screen. Credit: Kosmic

With the ladder glitch, though, Kosmic’s emulator-assisted run needed significantly less luck to pass the kill screen at 22-1. He was even able to push the game past the next four stages (including previously unseen spring and pie factory screens) to reach level 22-6.

Kosmic calls that stage the game’s true kill screen, as there’s currently no known way for Mario to remove all eight rivets quickly enough to overcome the glitch-shortened timer, even with emulator assistance. Then again, for decades, players assumed there was no way to complete level 22-1, either. Maybe someone will figure out a clever method for beating this new kill screen with 40 more years of sustained effort.



DeepSeek iOS app sends data unencrypted to ByteDance-controlled servers


Apple’s defenses that protect data from being sent in the clear are globally disabled.

A little over two weeks ago, a largely unknown China-based company named DeepSeek stunned the AI world with the release of an open source AI chatbot that had simulated reasoning capabilities that were largely on par with those from market leader OpenAI. Within days, the DeepSeek AI assistant app climbed to the top of the iPhone App Store’s “Free Apps” category, overtaking ChatGPT.

On Thursday, mobile security company NowSecure reported that the app sends sensitive data over unencrypted channels, making the data readable to anyone who can monitor the traffic. More sophisticated attackers could also tamper with the data while it’s in transit. Apple strongly encourages iPhone and iPad developers to enforce encryption of data sent over the wire using ATS (App Transport Security). For unknown reasons, that protection is globally disabled in the app, NowSecure said.

Basic security protections MIA

What’s more, the data is sent to servers that are controlled by ByteDance, the Chinese company that owns TikTok. While some of that data is properly encrypted using transport layer security, once it’s decrypted on the ByteDance-controlled servers, it can be cross-referenced with user data collected elsewhere to identify specific users and potentially track queries and other usage.

More technically, the DeepSeek AI chatbot uses an open weights simulated reasoning model. Its performance is largely comparable with OpenAI’s o1 simulated reasoning (SR) model on several math and coding benchmarks. The feat, which largely took AI industry watchers by surprise, was all the more stunning because DeepSeek reported spending only a small fraction on it compared with the amount OpenAI spent.

A NowSecure audit of the app has found other behaviors that researchers found potentially concerning. For instance, the app uses a symmetric encryption scheme known as 3DES or triple DES. The scheme was deprecated by NIST following research in 2016 that showed it could be broken in practical attacks to decrypt web and VPN traffic. Another concern is that the symmetric keys, which are identical for every iOS user, are hardcoded into the app and stored on the device.

The app is “not equipped or willing to provide basic security protections of your data and identity,” NowSecure co-founder Andrew Hoog told Ars. “There are fundamental security practices that are not being observed, either intentionally or unintentionally. In the end, it puts your and your company’s data and identity at risk.”

Hoog said the audit is not yet complete, so there are many questions and details left unanswered or unclear. He said the findings were concerning enough that NowSecure wanted to disclose what is currently known without delay.

In a report, he wrote:

NowSecure recommends that organizations remove the DeepSeek iOS mobile app from their environment (managed and BYOD deployments) due to privacy and security risks, such as:

  1. Privacy issues due to insecure data transmission
  2. Vulnerability issues due to hardcoded keys
  3. Data sharing with third parties such as ByteDance
  4. Data analysis and storage in China

Hoog added that the DeepSeek app for Android is even less secure than its iOS counterpart and should also be removed.

Representatives for both DeepSeek and Apple didn’t respond to an email seeking comment.

Data is sent entirely in the clear during the initial registration of the app, including:

  • organization id
  • the version of the software development kit used to create the app
  • user OS version
  • language selected in the configuration

Apple strongly encourages developers to implement App Transport Security (ATS) to ensure the apps they submit don’t transmit any data insecurely over HTTP channels. For reasons that Apple hasn’t explained publicly, Hoog said, this protection isn’t mandatory. DeepSeek has yet to explain why ATS is globally disabled in the app or why it uses no encryption when sending this information over the wire.
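A global ATS opt-out is visible in an app bundle's Info.plist, so it is something a mobile-app security team can check for itself before installing an app on managed devices. The following Go program is an added example, not code from NowSecure or from any app: it reads an Info.plist with a small hand-written reader (only the dict, scalar and true/false elements that Info.plist uses) and reports each ATS relaxation it finds. The Info.plist it audits is a constructed sample that combines the global `NSAllowsArbitraryLoads` switch described above with a per-domain exception; the domain name and bundle values in it are invented.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
	"strings"
)

// InsecureInfoPlist is a constructed Info.plist (not taken from any real app):
// ATS switched off globally, plus a domain exception that also permits plain
// HTTP and TLS 1.0.
const InsecureInfoPlist = `<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>NSAppTransportSecurity</key><dict>
    <key>NSAllowsArbitraryLoads</key><true/>
    <key>NSExceptionDomains</key><dict>
      <key>telemetry.example.net</key><dict>
        <key>NSExceptionAllowsInsecureHTTPLoads</key><true/>
        <key>NSExceptionMinimumTLSVersion</key><string>TLSv1.0</string>
      </dict></dict></dict></dict></plist>`

// parseValue reads the next plist value (dict, scalar, true/false). Minimal
// reader written for this example, not a general plist library.
func parseValue(dec *xml.Decoder) (any, error) {
	for {
		tok, err := dec.Token()
		if err != nil {
			return nil, err
		}
		se, ok := tok.(xml.StartElement)
		if !ok || se.Name.Local == "plist" {
			continue // skips whitespace, <?xml ?>, <!DOCTYPE> and the <plist> wrapper
		}
		switch se.Name.Local {
		case "dict":
			return parseDict(dec)
		case "true", "false":
			return se.Name.Local == "true", dec.Skip() // consume the self-closing tag
		case "string", "integer", "real", "date", "data":
			var s string
			err := dec.DecodeElement(&s, &se)
			return s, err
		}
		return nil, fmt.Errorf("unsupported plist element <%s>", se.Name.Local)
	}
}

// parseDict reads <key>/value pairs until the matching </dict>.
func parseDict(dec *xml.Decoder) (map[string]any, error) {
	m := map[string]any{}
	for {
		tok, err := dec.Token()
		if err != nil {
			return nil, err
		}
		switch t := tok.(type) {
		case xml.EndElement: // </dict>
			return m, nil
		case xml.StartElement:
			var k string
			if t.Name.Local != "key" || dec.DecodeElement(&k, &t) != nil {
				return nil, fmt.Errorf("malformed dict entry at <%s>", t.Name.Local)
			}
			if m[k], err = parseValue(dec); err != nil {
				return nil, err
			}
		}
	}
}

// AuditATS parses an Info.plist document and returns one line per ATS
// relaxation, sorted. With no NSAppTransportSecurity dict at all the secure
// defaults (HTTPS with modern TLS) apply, so nothing is reported.
func AuditATS(plistXML string) ([]string, error) {
	top, err := parseValue(xml.NewDecoder(strings.NewReader(plistXML)))
	if err != nil {
		return nil, err
	}
	info, _ := top.(map[string]any)
	ats, _ := info["NSAppTransportSecurity"].(map[string]any)
	var out []string
	for _, k := range []string{"NSAllowsArbitraryLoads", "NSAllowsArbitraryLoadsInWebContent", "NSAllowsArbitraryLoadsForMedia"} {
		if ats[k] == true {
			out = append(out, k+"=true: cleartext HTTP permitted")
		}
	}
	domains, _ := ats["NSExceptionDomains"].(map[string]any)
	for name, v := range domains {
		rules, _ := v.(map[string]any)
		if rules["NSExceptionAllowsInsecureHTTPLoads"] == true {
			out = append(out, name+": NSExceptionAllowsInsecureHTTPLoads=true, cleartext HTTP permitted")
		}
		if tls, _ := rules["NSExceptionMinimumTLSVersion"].(string); tls == "TLSv1.0" || tls == "TLSv1.1" {
			out = append(out, name+": NSExceptionMinimumTLSVersion="+tls+", legacy TLS permitted")
		}
	}
	sort.Strings(out)
	return out, nil
}
```

`AuditATS(InsecureInfoPlist)` returns three findings: the global `NSAllowsArbitraryLoads` switch and the two relaxations on the exception domain. The same function returns an empty list for a plist that has no `NSAppTransportSecurity` dictionary, which is the state a reviewer should expect from an app that has nothing to explain.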

This data, along with a mix of other encrypted information, is sent to DeepSeek over infrastructure provided by Volcengine, a cloud platform developed by ByteDance. While the IP address the app connects to geo-locates to the US and is owned by US-based telecom Level 3 Communications, the DeepSeek privacy policy makes clear that the company “store[s] the data we collect in secure servers located in the People’s Republic of China.” The policy further states that DeepSeek:

may access, preserve, and share the information described in “What Information We Collect” with law enforcement agencies, public authorities, copyright holders, or other third parties if we have good faith belief that it is necessary to:

• comply with applicable law, legal process or government requests, as consistent with internationally recognised standards.

NowSecure still doesn’t know precisely the purpose of the app’s use of 3DES encryption functions. The fact that the key is hardcoded into the app, however, is a major security failure that’s been recognized for more than a decade when building encryption into software.
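The two cryptographic findings above, 3DES and a key that is identical on every device, are really one problem: whatever the cipher, a key compiled into the binary is available to everyone who downloads the app, so the encryption protects nothing against anyone who has looked at the app. The Go program below is an added example written for this page, not code from NowSecure or from the DeepSeek app; the 24-byte `SharedKey` is a constructed value, and the hardened path assumes the per-install key would live in the platform keychain without modelling that store. `WeakEncrypt`/`WeakDecrypt` reproduce the anti-pattern with Go's standard-library 3DES, and `NewInstallKey`/`Seal`/`Open` show the alternative a reviewer would ask for: a random 256-bit key generated on first launch and AES-GCM, which fails authentication under a wrong key instead of decrypting to garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
)

// SharedKey stands in for a symmetric key compiled into an app binary: every install
// ships the same 24 bytes, so anyone who unpacks the app can decrypt every user's
// data. Constructed value, not a key from any real app.
var SharedKey = []byte("hardcoded-3des-key-24byt")

// WeakEncrypt is the pattern the audit describes: 3DES under a key baked into
// the binary (CTR mode here; the mode is immaterial once the key is public).
func WeakEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, des.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	out := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(out, plaintext)
	return append(iv, out...), nil
}

// WeakDecrypt shows the consequence: the same constant opens any install's data.
func WeakDecrypt(key, ct []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ct) < des.BlockSize {
		return nil, errors.New("ciphertext too short")
	}
	out := make([]byte, len(ct)-des.BlockSize)
	cipher.NewCTR(block, ct[:des.BlockSize]).XORKeyStream(out, ct[des.BlockSize:])
	return out, nil
}

// NewInstallKey is the hardened alternative: a fresh 256-bit key made on first
// launch. Storing it in the platform keychain is assumed, not modelled here.
func NewInstallKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts with AES-256-GCM; aad is authenticated but not encrypted, so a
// wrong key, wrong context or tampering fails instead of yielding garbage.
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal and errors unless key and aad both match.
func Open(key, ct, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(ct) < n {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, ct[:n], ct[n:], aad)
}

func main() {
	msg := []byte("constructed sample: a user prompt")
	ct, _ := WeakEncrypt(SharedKey, msg)
	pt, _ := WeakDecrypt(SharedKey, ct) // every copy of the app holds SharedKey
	fmt.Printf("3DES + static key, read by another install: %q\n", pt)
	keyA, _ := NewInstallKey()
	keyB, _ := NewInstallKey()
	sealed, _ := Seal(keyA, msg, []byte("prompt"))
	_, err := Open(keyB, sealed, []byte("prompt"))
	fmt.Println("AES-GCM + per-install key, readable by another install:", err == nil)
}
```

The design point is the key's scope, not the cipher name: moving from 3DES to AES while keeping a compiled-in key would change nothing in the first half of the program. Binding `aad` to a message type is a cheap extra that stops a ciphertext recorded from one API call being replayed into another.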

No good reason

NowSecure’s Thursday report adds to a growing list of safety and privacy concerns that have already been reported by others.

One was the terms spelled out in the above-mentioned privacy policy. Another came last week in a report from researchers at Cisco and the University of Pennsylvania. It found that DeepSeek R1, the simulated reasoning model, exhibited a 100 percent attack failure rate against 50 malicious prompts designed to generate toxic content.

A third concern is research from security firm Wiz that uncovered a publicly accessible, fully controllable database belonging to DeepSeek. It contained more than 1 million instances of “chat history, backend data, and sensitive information, including log streams, API secrets, and operational details,” Wiz reported. An open web interface also allowed for full database control and privilege escalation, with internal API endpoints and keys available through the interface and common URL parameters.

Thomas Reed, staff product manager for Mac endpoint detection and response at security firm Huntress, and an expert in iOS security, said he found NowSecure’s findings concerning.

“ATS being disabled is generally a bad idea,” he wrote in an online interview. “That essentially allows the app to communicate via insecure protocols, like HTTP. Apple does allow it, and I’m sure other apps probably do it, but they shouldn’t. There’s no good reason for this in this day and age.”

He added: “Even if they were to secure the communications, I’d still be extremely unwilling to send any remotely sensitive data that will end up on a server that the government of China could get access to.”

HD Moore, founder and CEO of runZero, said he was less concerned about ByteDance or other Chinese companies having access to data.

“The unencrypted HTTP endpoints are inexcusable,” he wrote. “You would expect the mobile app and their framework partners (ByteDance, Volcengine, etc) to hoover device data, just like anything else—but the HTTP endpoints expose data to anyone in the network path, not just the vendor and their partners.”

On Thursday, US lawmakers began pushing to immediately ban DeepSeek from all government devices, citing national security concerns that the Chinese Communist Party may have built a backdoor into the service to access Americans’ sensitive private data. If passed, DeepSeek could be banned within 60 days.

This story was updated to add further examples of security concerns regarding DeepSeek.

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Contact him on Signal at DanArs.82.
