Apple


Signs point to a sooner-rather-than-later M5 MacBook Pro refresh

Mac power users waiting on new high-end MacBook Pro models may have been disappointed last fall, when Apple released an M5 upgrade for the low-end 14-inch MacBook Pro without touching the M4 Pro or Max versions of the laptop. But the wait for M5 Pro and M5 Max models may be nearing its end.

The tea-leaf readers at MacRumors noticed that shipping times for a handful of high-end MacBook Pro configurations have slipped into mid-to-late February, rather than being available immediately as most Mac models are. This is often, though not always, a sign that Apple has slowed down or stopped production of an existing product in anticipation of an update.

Currently, the shipping delays affect the M4 Max versions of both the 14-inch and 16-inch MacBook Pros. If you order them today, these models will arrive sometime between February 3 and February 24, depending on the configuration you choose; many M4 Pro versions are still available for same-day shipping, though adding a nano-texture display or upgrading RAM can still add a week or so to the shipping time.

Apple could choose to launch new Pro hardware on January 28, to go with the new Creator Studio subscription it announced last week. Aimed primarily at independent content creators that make their own video, audio, and images, the Creator Studio subscription bundles Final Cut Pro, Logic Pro, Pixelmator Pro, and enhancements for the Pages, Numbers, and Keynote apps (along with some other odds and ends) for $13 a month or $130 a year. None of these apps require a MacBook Pro, but many would benefit in some way from the additional CPU and GPU power, RAM, and storage available in Apple’s high-end laptops.

Of course, an imminent replacement isn’t the only reason why the shipping estimates for any given Mac might slip. Ongoing, AI-fueled RAM shortages could be causing problems, and Apple probably prioritizes production of the widely-used base-model M4 and M5 chips over the larger, more expensive, more complex Max models.

But the only other device in Apple’s lineup that offers the M4 Max and similar RAM configuration options is the high-end Mac Studio, which currently isn’t subject to the same shipping delays. That does imply that the delays are specific to the MacBook Pro—and one explanation for this is that the laptop is about to be replaced.


Are people avoiding iOS 26 because of Liquid Glass? It’s complicated.


are people really skipping Liquid Glass?

Liquid Glass is controversial, but adoption rates aren’t as low as they seem.

iPhones running iOS 26. Credit: Apple


Last week, news about the adoption rates for Apple’s iOS 26 update started making the rounds. The new update, these reports claim, was being installed at dramatically lower rates than past iOS updates. And while we can’t infer anything about why people might choose not to install iOS 26, the conclusion being jumped to is that iPhone users are simply desperate to avoid the redesigned Liquid Glass user interface.

The numbers do, in fact, look bad: Statcounter data for January suggests that the various versions of iOS 26 are running on just 16.6 percent of all devices, compared to around 70 percent for the various versions of iOS 18. The iOS 18.7 update alone—released at the same time as iOS 26.0 in September for people who wanted the security patches but weren’t ready to step up to a brand-new OS—appears to be running on nearly one-third of all iOS devices.

Those original reports were picked up and repeated because they tell a potentially interesting story of the “huge if true” variety: that users’ aversion to the Liquid Glass design is so intense and widespread that it’s actively keeping users away from the operating system. But after examining our own traffic numbers, as well as some technical changes made in iOS 26, it appears Statcounter’s data is dramatically undercounting the number of iOS 26 devices in the wild.

We’ve taken a high-level look at all iPhone traffic across all Condé Nast websites for October, November, and December of 2025 and compared it to traffic from October, November, and December of 2024. This data suggests that iOS 26 is being adopted more slowly than iOS 18 was the year before—roughly 76 percent of all iPhone pageviews came from devices running iOS 18 in December of 2024, compared to about 45 percent for iOS 26 in December of 2025.

That’s not as cataclysmic a dropoff as Statcounter’s data suggests, even before considering other mitigating factors—iOS 26 dropped support for 2018’s iPhone XS, XS Max, and XR, for example, while iOS 18 ran on every iPhone that could run iOS 17.

But it’s still a much slower rate of adoption than we’re used to for most iOS versions, and it’s something to monitor as we get closer to iOS 27 and Apple’s first opportunity to make major changes to Liquid Glass. And to monitor it, it’s important to be able to measure it correctly. There have been behind-the-scenes changes to iOS 26 that appear to have thrown off Statcounter’s data collection—let’s talk about those, about what our own data shows, and about why you may want to upgrade to iOS 26 soon even if you don’t care for Liquid Glass.

User agent string changes in iOS 26

It turns out that telling an iOS 18 device from an iOS 26 device is harder than it ought to be, and that’s because of a change Apple made to Safari in iOS 26.

Web analytics software (and services like Statcounter) attempt to gather device data by looking at the browser’s user agent string, a short list of information about the hardware, operating system, browser, and browser engine. There are benign and useful reasons to collect this kind of data. If you’re a web developer fielding a ton of user complaints from people who are all using a specific browser or OS version, it can help you narrow down what the issue is and test a fix. You could also use the user agent string to decide whether to show the desktop or mobile version of your site to a user.

But if this information is too accurate or detailed, it can lead to “fingerprinting”—the ability for sites to identify a specific user or specific type of user from their user-agent string. Browser makers have taken steps, both together and separately, to reduce the amount of fingerprinting that is possible.

And occasionally, browsers will intentionally misrepresent their user agent string for compatibility reasons. For example, the default user agent string for Safari running on modern versions of iPadOS claims that the browser is running on top of macOS to make sites rendered on an iPad work more like sites rendered on a Mac. Apple froze the macOS version in Safari’s user agent string to 10.15.7 several years ago, partly to reduce fingerprinting and partly to resolve compatibility problems that some sites had when Apple put “macOS 11” in the user agent string after decades of macOS 10.

All of this is to say: information derived from the user-agent string is only as accurate as the OSes and browsers that are reporting their user-agent strings. And in iOS 26, Apple decided to freeze the iOS version in Safari’s user agent string to version 18 in order to reduce fingerprinting (credit to developer and blogger Niels Leenheer, who both explained this change and confirmed with Apple engineer Karl Dubost why it was made).

Which explains why anyone looking at Statcounter’s data could draw incorrect conclusions about iOS 26 adoption: because most iOS users are running Safari, and because all Safari versions running on iOS 26 are claiming to be running on iOS 18.6 or 18.7 instead.

Only third-party browsers like Google Chrome or Microsoft Edge are reporting an iOS version of 26 in their user agent strings, so what Statcounter is inadvertently measuring is the number of Chrome users who have updated to iOS 26, not the total number of users who have updated.

What our data says

There is a workaround for this, at least for iOS. Safari on iOS 26 will report an iOS version of 18.6 or 18.7, but it also reports a Safari version of 26.x. This isn’t as useful on macOS, where Safari 26 could be running on macOS 14 Sonoma, macOS 15 Sequoia, or macOS 26 Tahoe. But on iOS, Safari 26 only runs on iOS 26, so it’s a useful proxy for identifying the operating system version.

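| Month    | iOS 18 Safari pageviews in 2024 | iOS 26 Safari pageviews in 2025 |
|----------|---------------------------------|---------------------------------|
| October  | 24.9%                           | 22.1%                           |
| November | 35.1%                           | 26.3%                           |
| December | 75.9%                           | 45.3%                           |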

For these stats, we’ve grouped together all devices claiming to run Safari 26 on an iPhone, regardless of whether the underlying iOS version is listed as 18.x or 26.x (some apps or third-party browsers using Apple’s built-in WebKit engine can still identify themselves as “Safari,” though Chrome, Edge, and Mozilla Firefox at least report their own user-agent strings). We’ve compared those numbers to all devices claiming to run Safari 18 on iPhones claiming to run iOS 18. This does screen out users running third-party browsers on iPhones, but Statcounter data suggests that the ratio of Safari to Chrome users on iOS hasn’t changed much over that period.
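The counting method described above can be sketched in code. This is an added example, not Ars Technica's or Statcounter's actual pipeline: the user-agent strings are constructed samples in the usual iOS layout, and the function names are hypothetical. It contrasts a naive count based on the OS token with the Safari-version proxy.

```python
import re
from collections import Counter

# OS token as reported inside the platform parentheses of an iPhone UA.
IPHONE_OS_RE = re.compile(r"\(iPhone; CPU iPhone OS (\d+)_\d+")
# Safari's own version token.
SAFARI_VERSION_RE = re.compile(r"\bVersion/(\d+)\.")
# Product tokens that Chrome, Edge and Firefox use on iOS.
THIRD_PARTY = {"CriOS/": "Chrome", "EdgiOS/": "Edge", "FxiOS/": "Firefox"}
# The article states the proxy for Safari 26; applying it to later
# majors as well is an assumption of this example.
FROZEN_SAFARI_MAJOR = 26


def classify(ua):
    """Return browser, reported OS major and inferred OS major, or None if not an iPhone UA."""
    os_match = IPHONE_OS_RE.search(ua)
    if not os_match:
        return None  # e.g. iPad/Mac Safari claiming macOS 10.15.7
    reported = int(os_match.group(1))
    for token, name in THIRD_PARTY.items():
        if token in ua:
            # Third-party browsers report the real iOS version.
            return {"browser": name, "reported_os": reported, "inferred_os": reported}
    version = SAFARI_VERSION_RE.search(ua)
    if not version:
        return {"browser": "Other", "reported_os": reported, "inferred_os": reported}
    safari_major = int(version.group(1))
    # On iOS, Safari 26 only runs on iOS 26, so the Safari major overrides
    # the frozen 18.x OS token.
    inferred = safari_major if safari_major >= FROZEN_SAFARI_MAJOR else reported
    return {"browser": "Safari", "reported_os": reported, "inferred_os": inferred}


def os_counts(uas, field, safari_only=False):
    """Tally iPhone pageviews per OS major using 'reported_os' or 'inferred_os'."""
    counts = Counter()
    for ua in uas:
        info = classify(ua)
        if info is None or (safari_only and info["browser"] != "Safari"):
            continue
        counts[info[field]] += 1
    return counts


def share(counts, major):
    """Fraction of tallied pageviews attributed to the given OS major."""
    total = sum(counts.values())
    return counts[major] / total if total else 0.0


def make_ua(os_token, browser_token):
    """Build a constructed iPhone UA string for the sample set."""
    return (f"Mozilla/5.0 (iPhone; CPU iPhone OS {os_token} like Mac OS X) "
            f"AppleWebKit/605.1.15 (KHTML, like Gecko) {browser_token} "
            "Mobile/15E148 Safari/604.1")


# Constructed sample pageviews, not real traffic.
SAMPLE_UAS = (
    [make_ua("18_6", "Version/26.0")] * 2      # Safari on iOS 26, OS token frozen
    + [make_ua("18_7", "Version/26.1")] * 2    # Safari on iOS 26, OS token frozen
    + [make_ua("18_5", "Version/18.5")] * 3    # Safari on a real iOS 18 device
    + [make_ua("26_0", "CriOS/140.0.0.0")]     # Chrome on iOS 26
    + [make_ua("18_5", "CriOS/140.0.0.0")]     # Chrome on iOS 18
    + ["Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
       "(KHTML, like Gecko) Version/26.0 Safari/605.1.15"]  # not an iPhone UA
)

if __name__ == "__main__":
    naive = os_counts(SAMPLE_UAS, "reported_os")
    corrected = os_counts(SAMPLE_UAS, "inferred_os")
    safari = os_counts(SAMPLE_UAS, "inferred_os", safari_only=True)
    print(f"naive iOS 26 share:       {share(naive, 26):.1%}")
    print(f"corrected iOS 26 share:   {share(corrected, 26):.1%}")
    print(f"Safari-only iOS 26 share: {share(safari, 26):.1%}")
```

On the sample set, the naive count sees only the single Chrome pageview as iOS 26, while the Safari-version proxy recovers the four Safari pageviews hidden behind the frozen 18.x token.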

What’s interesting is that for October 2024 and October 2025—the first full month that iOS 18 and iOS 26 were available, respectively—adoption numbers don’t look all that different. About 25 percent of iPhone pageviews across all Condé Nast were served to devices running Safari on iOS 18, compared to 22 percent for iOS 26 the following year. That is a step down, but it suggests that early adopters weren’t repelled en masse by Liquid Glass or anything else about the operating system.

But the gap widens over the next two months, which does suggest that “normal” users aren’t in a rush to get the update. By December 2024, our data shows that 76 percent of iPhone Safari pageviews were going to iOS 18 devices, compared to just 45 percent for iOS 26 in December 2025.

Adoption of new iOS versions does plateau after a while. Adoption of iOS 18 hit 80 percent in January 2025, according to our data, and then rose more slowly afterward, peaking at around 91 percent in August 2025. Those stats are in the same ballpark as both Statcounter data (78 percent as of August 2025) and the last stats Apple has published (82 percent of all iPhones as of June 2025) for iOS 18. (We’ve asked the company if it has any updated internal stats to share and will update the article if we receive a response.)

We’ll see where iOS 26 eventually settles. If I’m Apple, I’m a bit less worried about slower adoption as long as iOS 26 eventually hits that same 80 to 90 percent range. But if usage settles significantly below that historical watermark, it could signal a more lasting negative response to the iOS 26 update that needs to be addressed in future versions.

Why it’s time to take the plunge, even if you don’t like Liquid Glass

Apple’s most recent security updates for iOS 18 are only available for phones that can’t run iOS 26 at all, like the iPhone XR. That means it’s probably time to install iOS 26 even if you don’t like Liquid Glass.

Credit: Samuel Axon


However you feel about Liquid Glass, we’re getting to the point that upgrading is going to become necessary for people who want security patches and functional fixes for their phones.

For a short time after each new iOS version is released, Apple continues to provide security patches for the previous version of iOS, for people who would rather wait for early bugs in the new OS to be patched. The company started this practice in 2021, when it provided security patches for iOS 14 for a couple of months after the release of iOS 15. But those patches don’t last forever, and eventually devices that can upgrade to the new operating system will need to do it to stay patched.

Apple never formally announces when these security updates have stopped, but you can tell by looking at the company’s security updates page. The iOS 18.7, 18.7.1, and 18.7.2 updates all apply to the “iPhone XS and later.” But the iOS 18.7.3 update released on December 12, 2025, only applies to the iPhone XS, iPhone XS Max, and iPhone XR. It’s a subtle difference, but it means that Apple is only continuing to patch iOS 18 on devices that can’t run iOS 26.

This is standard practice for iPhones and iPads, but it differs from the update model Apple uses for macOS—any Mac can continue to download and install security updates for macOS 14 Sonoma and macOS 15 Sequoia, regardless of whether they’re eligible for the macOS 26 Tahoe upgrade.

If you skipped the early versions of iOS 26 and iPadOS 26 because of Liquid Glass, the good news is that Apple provided options to allow users to tone down the effect. The iOS 26.1 update added a “tinted” option for Liquid Glass, increasing the interface’s contrast and opacity to help with the legibility issues you’ll occasionally run into with the default settings. The company also added opacity controls for the lock screen clock in iOS 26.2. Personally, I also found it helpful to switch the Tabs view in the Safari settings from “Compact” to “Bottom” to make the browser look and act more like it did in its iOS 18-era iteration.

Those settings may feel like half-measures to hardcore Liquid Glass haters who just want Apple to revert to its previous design language. But if you’ve got a modern iPhone or iPad and you want to stay up to date and secure, those toggles (plus additional controls for motion and transparency in the Accessibility settings) may at least ease the transition for you.


Andrew is a Senior Technology Reporter at Ars Technica, with a focus on consumer tech including computer hardware and in-depth reviews of operating systems like Windows and macOS. Andrew lives in Philadelphia and co-hosts a weekly book podcast called Overdue.


Civilization VII is headed to iPhone and iPad with “Arcade Edition”

Civilization VII is coming to the iPhone and iPad, Apple and publisher 2K announced today.

Formally titled Sid Meier’s Civilization VII Arcade Edition, it is developed by Behaviour Interactive with input from original developer Firaxis Games.

The game will be available as part of the Apple Arcade service, which offers ad-free games for Apple platforms for $7 per month. Neither announcement makes any mention of a non-Arcade version, so this appears to be exclusively part of the subscription.

That shouldn’t be too much of a surprise; full-priced premium games have struggled on the platform when not bundled in a subscription. For example, Rockstar Games’ Red Dead Redemption came out both as a standalone title on the App Store and as part of Netflix’s subscription. The Netflix version surpassed a staggering 3.3 million downloads, while the $40 direct purchase managed just over 10,000.

The announcement calls this release “the authentic Civilization experience,” which you can probably take to mean that it doesn’t simplify the gameplay in any way. That said, there is some fine print you shouldn’t miss.

The App Store listing for the game says this release will not receive any of the DLC planned for other platforms. It also notes that “post-launch updates that apply to other platforms may be excluded or delayed.” Also, the number of supported players listed is “1,” suggesting it may not have multiplayer. (The desktop and console versions already lack hotseat multiplayer, but they support online play.)


The RAM shortage’s silver lining: Less talk about “AI PCs”

RAM prices have soared, which is bad news for people interested in buying, building, or upgrading a computer this year, but it’s likely good news for people exasperated by talk of so-called AI PCs.

As Ars Technica has reported, the growing demands of data centers, fueled by the AI boom, have led to a shortage of RAM and flash memory chips, driving prices to skyrocket.

In an announcement today, Ben Yeh, principal analyst at technology research firm Omdia, said that in 2025, “mainstream PC memory and storage costs rose by 40 percent to 70 percent, resulting in cost increases being passed through to customers.”

Overall, global PC shipments increased in 2025, according to Omdia (which pegged growth at 9.2 percent compared to 2024) and IDC (which today reported 9.6 percent growth), but analysts expect PC sales to be more tumultuous in 2026.

“The year ahead is shaping up to be extremely volatile,” Jean Philippe Bouchard, research VP with IDC’s worldwide mobile device trackers, said in a statement.

Both analyst firms expect PC makers to manage the RAM shortage by raising prices and by releasing computers with lower memory specs. IDC expects price hikes of 15 to 20 percent and for PC RAM specs to “be lowered on average to preserve memory inventory on hand,” Bouchard said. Omdia’s Yeh expects “leaner mid to low-tier configurations to protect margins.”

“These RAM shortages will last beyond just 2026, and the cost-conscious part of the market is the one that will be most impacted,” Jitesh Ubrani, research manager for worldwide mobile device trackers at IDC, told Ars via email.

IDC expects vendors to “prioritize midrange and premium systems to offset higher component costs, especially memory.”


Apple’s Mac and iPad creative apps get bundled into “Creator Studio” subscription

Apple’s professional creative apps have been slower to jump on the subscription bandwagon than those from Adobe or some of its other competitors, but the company is taking a step in that direction today. Starting on January 28, Apple will offer an Apple Creator Studio subscription for $13 a month, or $130 a year. Subscribers will get access to the Mac and (where applicable) iPad versions of Final Cut Pro, Logic Pro, Pixelmator Pro, Motion, Compressor, and MainStage, as well as “intelligent features and premium content” for the Mac, iPad, and iPhone versions of Keynote, Pages, Numbers, and Freeform.

Apple says it will also offer a one-month free trial for the subscription and a discounted version for students at $3 a month, or $30 a year.

Most of the apps also seem to be getting small feature updates to go along with the Creator Studio announcement. Final Cut will get a new Transcript Search feature that will allow you to dig through video footage by searching for specific dialogue, and a new Montage Maker feature “will analyze and edit together a dynamic video based on the best visual moments within the footage.” An updated Logic Pro “helps creators deliver original music for their video content” and adds a synth player to the app’s lineup of “AI Session Players.”

The biggest update is probably a new version of Pixelmator Pro for the iPad, designed around the Apple Pencil accessory. When Apple announced it was acquiring Pixelmator in late 2024, the image and vector editing app was only available for the Mac.

As for Keynote, Pages, and Numbers—in another lifetime, the apps formerly known as “iWork”—the core apps remain free, but the Creator Studio subscription adds “premium templates and themes” for the apps, as well as access to a Content Hub that provides “curated, high-quality photos, graphics, and illustrations” for the apps. Apple is also offering a handful of OpenAI-powered generative features, including upscaling and transformation for existing images, the ability to generate images from text, and a Keynote feature that will create a slide deck from a text outline.


Apple chooses Google’s Gemini over OpenAI’s ChatGPT to power next-gen Siri

The “more intelligent” version of Siri that Apple plans to release later this year will be backed by Google’s Gemini language models, the company announced today. CNBC reports that the deal is part of a “multi-year partnership” between Apple and Google that will allow Apple to use Google’s AI models in its own software.

“After careful evaluation, we determined that Google’s technology provides the most capable foundation for Apple Foundation Models and we’re excited about the innovative new experiences it will unlock for our users,” reads an Apple statement given to CNBC.

Today’s announcement confirms reporting by Bloomberg’s Mark Gurman late last year that Apple and Google were nearing a deal. Apple didn’t disclose terms, but Gurman said that Apple would be paying Google “about $1 billion a year” for access to its AI models “following an extensive evaluation period.”

Bloomberg has also reported that the Gemini model would be run on Apple’s Private Cloud Compute servers, “ensuring that user data remains walled off from Google’s infrastructure,” and that Apple still hopes to improve its own in-house language models to the point that they can eventually be used instead of relying on third-party models.


Expired certificate completely breaks macOS Logitech apps, user customizations

If you’re a Mac user with Logitech accessories and you’ve noticed that your settings and customizations seem to have gone away this week, you’re not alone.

The company’s Logi Options+ and G Hub apps for macOS abruptly stopped functioning on Monday, refusing to launch and reverting all accessories’ settings to their built-in defaults.

The culprit, according to both a Logitech support page and Reddit posts from Logitech Head of Global Marketing Joe Santucci, was a security certificate that was inadvertently allowed to expire, rendering both apps non-functional.

“The certificate that expired is used to secure inter-process communications and the expiration results in the software not being able to start successfully,” wrote Santucci in one post. “We dropped the ball here,” he said in another post. “This is an inexcusable mistake. We’re extremely sorry for the inconvenience caused.”

Logitech is already offering patches for both apps that include an updated certificate. But unfortunately for users, one of the features broken by the expired certificate is the app’s built-in updater, meaning that there’s no automated way for Logitech to fix this problem. Anyone who wants their apps to work and their customizations to return will need to manually grab the patch (or updated versions of the apps, which Logitech says it is also working on). If you use both apps, each will need to be patched separately.


Supply chains, AI, and the cloud: The biggest failures (and one success) of 2025


The past year has seen plenty of hacks and outages. Here are the ones topping the list.

Credit: Aurich Lawson | Getty Images

In a roundup of the top stories of 2024, Ars included a supply-chain attack that came dangerously close to inflicting a catastrophe for thousands—possibly millions—of organizations, which included a large assortment of Fortune 500 companies and government agencies. Supply-chain attacks played prominently again this year, as a seemingly unending rash of them hit organizations large and small.

For threat actors, supply-chain attacks are the gift that keeps on giving—or, if you will, the hack that keeps on hacking. By compromising a single target with a large number of downstream users—say a cloud service or maintainers or developers of widely used open source or proprietary software—attackers can infect potentially millions of the target’s downstream users. That’s exactly what threat actors did in 2025.

Poisoning the well

One such event occurred in December 2024, making it worthy of a ranking for 2025. The hackers behind the campaign pocketed as much as $155,000 from thousands of smart-contract parties on the Solana blockchain.

Hackers cashed in by sneaking a backdoor into a code library used by developers of Solana-related software. Security firm Socket said it suspects the attackers compromised accounts belonging to the developers of Web3.js, an open source library. They then used the access to add a backdoor to a package update. After the developers of decentralized Solana apps installed the malicious update, the backdoor spread further, giving the attackers access to individual wallets connected to smart contracts. The backdoor could then extract private keys.

There were too many supply-chain attacks this year to list them all. Some of the other most notable examples included:

  • The seeding of a package on a mirror proxy that Google runs on behalf of developers of the Go programming language. More than 8,000 other packages depend on the targeted package to work. The malicious package used a name that was similar to the legitimate one. Such “typosquatted” packages get installed when typos or inattention lead developers to inadvertently select them rather than the one they actually want.
  • The flooding of the NPM repository with 126 malicious packages downloaded more than 86,000 times. The packages were automatically installed via a feature known as Remote Dynamic Dependencies.
  • The backdooring of more than 500 e-commerce companies, including a $40 billion multinational company. The source of the supply-chain attack was the compromise of three software developers—Tigren, Magesolution (MGS), and Meetanshi—that provide software that’s based on Magento, an open source e-commerce platform used by thousands of online stores.
  • The compromising of dozens of open source packages that collectively receive 2 billion weekly downloads. The compromised packages were updated with code for transferring cryptocurrency payments to attacker-controlled wallets.
  • The compromising of tj-actions/changed-files, a component of tj-actions, used by more than 23,000 organizations.
  • The breaching of multiple developer accounts using the npm repository and the subsequent backdooring of 10 packages that work with talent agency Toptal. The malicious packages were downloaded roughly 5,000 times.

Memory corruption, AI chatbot style

Another class of attack that played out more times in 2025 than anyone can count was the hacking of AI chatbots. The hacks with the farthest-reaching effects were those that poisoned the long-term memories of LLMs. In much the way supply-chain attacks allow a single compromise to trigger a cascade of follow-on attacks, hacks on long-term memory can cause the chatbot to perform malicious actions over and over.

One such attack used a simple user prompt to instruct a cryptocurrency-focused LLM to update its memory databases with an event that never actually happened. The chatbot, programmed to follow orders and take user input at face value, was unable to distinguish a fictional event from a real one.

The AI service in this case was ElizaOS, a fledgling open source framework for creating agents that perform various blockchain-based transactions on behalf of a user based on a set of predefined rules. Academic researchers were able to corrupt the ElizaOS memory by feeding it sentences claiming certain events—which never actually happened—occurred in the past. These false events then influence the agent’s future behavior.

An example attack prompt claimed that the developers who designed ElizaOS wanted it to substitute the receiving wallet for all future transfers to one controlled by the attacker. Even when a user specified a different wallet, the long-term memory created by the prompt caused the framework to replace it with the malicious one. The attack was only a proof-of-concept demonstration, but the academic researchers who devised it said that parties to a contract who are already authorized to transact with the agent could use the same techniques to defraud other parties.

Independent researcher Johan Rehberger demonstrated a similar attack against Google Gemini. The false memories he planted caused the chatbot to lower defenses that normally restrict the invocation of Google Workspace and other sensitive tools when processing untrusted data. The false memories remained in perpetuity, allowing an attacker to repeatedly profit from the compromise. Rehberger presented a similar attack in 2024.

A third AI-related proof-of-concept attack that garnered attention used a prompt injection to cause GitLab’s Duo chatbot to add malicious lines to an otherwise legitimate code package. A variation of the attack successfully exfiltrated sensitive user data.

Yet another notable attack targeted the Gemini CLI coding tool. It allowed attackers to execute malicious commands—such as wiping a hard drive—on the computers of developers using the AI tool.

Using AI as bait and hacking assistants

Other LLM-involved hacks used chatbots to make attacks more effective or stealthier. Earlier this month, two men were indicted for allegedly stealing and wiping sensitive government data. One of the men, prosecutors said, tried to cover his tracks by asking an AI tool “how do i clear system logs from SQL servers after deleting databases.” Shortly afterward, he allegedly asked the tool, “how do you clear all event and application logs from Microsoft windows server 2012.” Investigators were able to track the defendants’ actions anyway.

In May, a man pleaded guilty to hacking an employee of The Walt Disney Company by tricking the person into running a malicious version of a widely used open source AI image-generation tool.

And in August, Google researchers warned users of the Salesloft Drift AI chat agent to consider all security tokens connected to the platform compromised following the discovery that unknown attackers used some of the credentials to access email from Google Workspace accounts. The attackers used the tokens to gain access to individual Salesforce accounts and, from there, to steal data, including credentials that could be used in other breaches.

There were also multiple instances of LLM vulnerabilities that came back to bite the people using them. In one case, Copilot was caught exposing the contents of more than 20,000 private GitHub repositories from companies including Google, Intel, Huawei, PayPal, IBM, Tencent, and, ironically, Microsoft. The repositories had originally been available through Bing as well. Microsoft eventually removed the repositories from searches, but Copilot continued to expose them anyway.

Meta and Yandex caught red-handed

Another significant security story cast both Meta and Yandex as the villains. Both companies were caught exploiting an Android weakness that allowed them to de-anonymize visitors so years of their browsing histories could be tracked.

The covert tracking—implemented in the Meta Pixel and Yandex Metrica trackers—allowed Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. Android sandboxing, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such as state partitioning and storage partitioning, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they’re off-limits for every other site.

A clever hack allowed both companies to bypass those defenses.

2025: The year of cloud failures

The Internet was designed to provide a decentralized platform that could withstand a nuclear war. As became painfully obvious over the past 12 months, our growing reliance on a handful of companies has largely undermined that objective.

The outage with the biggest impact came in October, when a single point of failure inside Amazon’s sprawling network took out vital services worldwide. It lasted 15 hours and 32 minutes.

The root cause that kicked off a chain of events was a bug in the software that monitors the stability of load balancers by, among other things, periodically creating new DNS configurations for endpoints within the Amazon Web Services network. A race condition—a type of bug that makes a process dependent on the timing or sequence of events that are variable and outside the developers’ control—caused a key component inside the network to experience “unusually high delays needing to retry its update on several of the DNS endpoint,” Amazon said in a post-mortem. While the component was playing catch-up, a second key component—a cascade of DNS errors—piled up. Eventually, the entire network collapsed.

AWS wasn’t the only cloud service that experienced Internet-paralyzing outages. A mysterious traffic spike last month slowed much of Cloudflare—and by extension, the Internet—to a crawl. Cloudflare experienced a second major outage earlier this month. Not to be outdone, Azure—and by extension, its customers—experienced an outage in October.

Honorable mentions

Honorable mentions for 2025 security stories include:

  • Code in the DeepSeek iOS app that caused Apple devices to send unencrypted traffic to ByteDance, the Chinese company that owns TikTok. The lack of encryption made the data readable to anyone who could monitor the traffic and opened it to tampering by more sophisticated attackers. Researchers who uncovered the failure found other weaknesses in the app, giving people yet another reason to steer clear of it.
  • The discovery of bugs in Apple chips that could have been exploited to leak secrets from Gmail, iCloud, and other services. The most severe of the bugs is a side channel in a performance enhancement known as speculative execution. Exploitation could allow an attacker to read memory contents that would otherwise be off-limits. An attack exploiting this side channel could be leveraged to steal a target’s location history from Google Maps, inbox content from Proton Mail, and events stored in iCloud Calendar.

Proving that not all major security stories involve bad news, the Signal private messaging app got a major overhaul that will allow it to withstand attacks from quantum computers. As I wrote, the elegance and adeptness that went into overhauling an instrument as complex as the app was nothing short of a triumph. If you plan to click on only one of the articles listed in this article, this is the one.

Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him on Mastodon and on Bluesky. Contact him on Signal at DanArs.82.


Big Tech basically took Trump’s unpredictable trade war lying down


From Apple gifting a gold statue to the US taking a stake in Intel.

Credit: Aurich Lawson | Getty Images

As the first year of Donald Trump’s chaotic trade war winds down, the tech industry is stuck scratching its head, with no practical way to anticipate what twists and turns to expect in 2026.

Tech companies may have already grown numb to Trump’s unpredictable moves. Back in February, Trump warned Americans to expect “a little pain” after he issued executive orders imposing 10–25 percent tariffs on imports from America’s biggest trading partners, including Canada, China, and Mexico. Immediately, industry associations sounded the alarm, warning that the costs of consumer tech could increase significantly. By April, Trump had ordered tariffs on all US trade partners to correct claimed trade deficits, using odd math that critics suspected came from a chatbot. (Those tariffs bizarrely targeted uninhabited islands that exported nothing and were populated by penguins.)

Costs of tariffs only got higher as the year wore on. But the tech industry has done very little to push back against them. Instead, some of the biggest companies made their own surprising moves after Trump’s trade war put them in deeply uncomfortable positions.

Apple gives Trump a gold statue instead of US-made iPhone

Right from the jump in February, Apple got backed into a corner after Trump threatened a “flat” 60 percent tariff on all Chinese imports, which experts said could have substantially taxed Apple’s business. Moving to appease Trump, Apple promised to invest $500 billion in the US in hopes of avoiding tariffs, but that didn’t take the pressure off for long.

By April, Apple stood by and said nothing as Trump promised the company would make “made in the USA” iPhones. Analysts called the idea “impossible at worst and highly expensive at best.”

Apple’s silence did not spare the company Trump’s scrutiny. The next month, Trump threatened Apple with a 25 percent tariff on any iPhones sold in the US that were not manufactured in America. Experts were baffled by the threat, which appeared to be the first time a US company was threatened directly with tariffs.

Typically, tariffs are imposed on a country or category of goods, like smartphones. It remains unclear if it would even be legal to levy a tariff on an individual company like Apple, but Trump never tested those waters. Instead, Trump stopped demanding the American-made iPhone and withdrew other tariff threats after he was apparently lulled into submission by a gold statue that Apple gifted him in August. The engraved glass disc featured an Apple logo and Tim Cook’s signature above a “Made in USA” stamp, celebrating Donald Trump for his “Apple American Manufacturing Program.”

Trump’s wild deals shake down chipmakers

Around the same time that Trump eased pressure on Apple, he turned his attention to Intel. On social media in August, Trump ordered Intel CEO Lip-Bu Tan to “resign immediately,” claiming he was “highly conflicted.” In response, Tan did not resign but instead met with Trump and struck a deal that gave the US a 10 percent stake in Intel. Online, Trump bragged that he let Tan “keep his job” while hyping the deal—which The New York Times described as one of the “largest government interventions in a US company since the rescue of the auto industry after the 2008 financial crisis.”

But unlike the auto industry, Intel didn’t need the money. And rather than helping an ailing company survive a tough spot, the deal risked disrupting Intel’s finances in ways that spooked shareholders. It was therefore a relief to no one when Intel detailed everything that could go wrong in an SEC filing, including the possible dilution of investors’ stock due to discounting US shares and other risks of dilution, if certain terms of the deal kick in at some point in the future.

The company also warned of potential lawsuits challenging the legality of the deal, which Intel fears could come from third parties, the US government, or foreign governments. Most ominous, Intel admitted there was no way to predict what other risks may come, both in the short-term and long-term.

Of course, Intel wasn’t the only company Trump sought to control, and not every company caved. He tried to strong-arm the Taiwan Semiconductor Manufacturing Company (TSMC) in September into moving half its chip manufacturing into the US, but TSMC firmly rejected his demand. And in October, when Trump began eyeing stakes in quantum computing firms, several companies were open to negotiating, but with no deals immediately struck, it was hard to ascertain how seriously they were entertaining Trump’s talks.

Trump struck another particularly wild deal the same month as the Intel agreement. That deal found chipmakers Nvidia and AMD agreeing to give 15 percent of revenue to the US from sales to China of advanced computer chips that could be used to fuel frontier AI. By December, Nvidia’s deal only drew more scrutiny, as the chipmaker agreed to give the US an even bigger cut—25 percent—of sales of its second most advanced AI chips, the H200.

Again, experts were confused, noting that export curbs on Nvidia’s H20 chips, for example, were imposed to prevent US technology thefts, maintain US tech dominance, and protect US national security. Those chips are six times less powerful than the H200. To them, it appeared that the Trump administration was taking payments to overlook risks without a clear understanding of how that might give China a leg-up in the AI race. It also did not appear to be legal, since export licenses cannot be sold under existing federal law, but government lawyers have supposedly been researching a new policy that would allow the US to collect the fees.

Trump finally closed TikTok deal

As the end of 2025 nears, the tech company likely sweating Trump’s impulses most may be TikTok owner ByteDance. In October, Trump confirmed that China agreed to a deal that allows the US to take majority ownership of TikTok and license the TikTok algorithm to build a US version of the app.

Trump has been trying to close this deal all year, while ByteDance remained largely quiet. Prior to the start of Trump’s term, the company had expressed resistance to selling TikTok to US owners, and as recently as January, a ByteDance board member floated the idea that Trump could save TikTok without forcing a sale. But China’s approval was needed to proceed with the sale, and near the end of December, ByteDance finally agreed to close the deal, paving the way for Trump’s hand-picked investors to take control in 2026.

It’s unclear how TikTok may change under US control, perhaps shedding users if US owners cave to Trump’s suggestion that he’d like to see the app go “100 percent MAGA” under his hand-picked US owners. It’s possible that the US version of the app could be glitchy, too.

Whether Trump’s deal actually complies with a US law requiring that ByteDance divest control of TikTok or else face a US ban has yet to be seen. Lawmaker scrutiny and possible legal challenges are expected in 2026, likely leaving both TikTok users and ByteDance on the edge of their seats waiting to see how the globally cherished short video app may change.

Trump may owe $1 trillion in tariff refunds

The TikTok deal was once viewed as a meaningful bargaining chip during Trump’s tensest negotiations with China, which has quickly emerged as America’s fiercest rival in the AI race and Trump’s biggest target in his trade war.

But as closing the deal remained elusive for most of the year, analysts suggested that Trump grew “desperate” to end tit-for-tat retaliations that he started, while China appeared more resilient to US curbs than the US was to China’s.

In one obvious example, many Americans’ first tariff pains came when Trump ended a duty-free exemption in February for low-value packages imported from cheap online retailers, like Shein and Temu. Unable to quickly adapt to the policy change, USPS abruptly stopped accepting all inbound packages from Hong Kong and China. After a chaotic 24 hours, USPS started slowly processing parcels again while promising Americans that it would work with customs to “implement an efficient collection mechanism for the new China tariffs to ensure the least disruption to package delivery.”

Trump has several legal tools to impose tariffs, but the most controversial path appears to be his favorite. The Supreme Court is currently weighing whether the International Emergency Economic Powers Act (IEEPA) grants a US president unilateral authority to impose tariffs.

Seizing this authority, Trump imposed so-called “reciprocal tariffs” at whim, the Consumer Technology Association and the Chamber of Commerce told the Supreme Court in a friend-of-the-court brief in which they urged the justices to end the “perfect storm of uncertainty.”

Unlike other paths that would limit how quickly Trump could shift tariff rates or how high the tariff rate could go, under IEEPA, Trump has imposed tariff rates as high as 125 percent. Deferring to Trump will cost US businesses, CTA and CoC warned. CTA CEO Gary Shapiro estimated that Trump has changed these tariff rates 100 times since his trade war began, affecting $223 billion of US exports.

Meanwhile, one of Trump’s biggest stated goals of his trade war—forcing more manufacturing into the US—is utterly failing, many outlets have reported.

Likely due to US companies seeking more stable supply chains, “reshoring progress is nowhere to be seen,” Fortune reported in November. That month, the Bureau of Labor Statistics released a dismal jobs report that an expert summarized as showing that the “US is losing blue-collar jobs for the first time since the pandemic.”

A month earlier, the nonpartisan policy group the Center for American Progress drew on government labor data to conclude that US employers cut 12,000 manufacturing jobs in August, and payrolls for manufacturing jobs had decreased by 42,000 since April.

As tech companies take tech tariffs on the chin, perhaps out of fears that rattling Trump could impact lucrative government contracts, other US companies have taken Trump to court. Most recently, Costco became one of the biggest corporations to sue Trump to ensure that US businesses get refunded if Trump loses the Supreme Court case, Bloomberg reported. Other recognizable companies like Revlon and Kawasaki have also sued, but small businesses have largely driven opposition to Trump’s tariffs, Bloomberg noted.

Should the Supreme Court side with businesses—analysts predict favorable odds—the US could owe up to $1 trillion in refunds. Dozens of economists told SCOTUS that Trump simply doesn’t understand why having trade deficits with certain countries isn’t a threat to US dominance, pointing out that the US “has been running a persistent surplus in trade in services for decades” precisely because the US “has the dominant technology sector in the world.”

Justices seem skeptical that IEEPA grants Trump the authority, ordinarily reserved for Congress, to impose taxes. However, during oral arguments, Justice Amy Coney Barrett fretted that undoing Trump’s tariffs could be “messy.” Countering that, small businesses have argued that it’s possible for Customs and Border Patrol to set up automatic refunds.

While waiting for the SCOTUS verdict (now expected in January), the CTA ended the year by advising tech companies to keep their receipts in case refunds require requests for tariffs line by line—potentially complicated by tariff rates changing so drastically and so often.

Biggest tariff nightmare may come in 2026

Looking into 2026, tech companies cannot breathe a sigh of relief even if the SCOTUS ruling swings their way, though. Under a separate, legally viable authority, Trump has threatened to impose tariffs on semiconductors and any products containing them, a move the semiconductor industry fears could cost $1 billion.

And if Trump continues imposing tariffs on materials used in popular tech products, the CTA told Ars in September that potential “tariff stacking” could become the industry’s biggest nightmare. Should that occur, US manufacturers could end up double-, triple-, or possibly even quadruple-taxed on products that may contain materials subject to individual tariffs, like semiconductors, polysilicon, or copper.

Predicting tariff costs could become so challenging that companies will have no choice but to raise prices, the CTA warned. That could threaten US tech competitiveness if, possibly over the long term, companies lose significant sales on their most popular products.

For many badly bruised by the first year of tariffs, it’s hard to see how tariffs could ever become a winning strategy for US tech dominance, as Trump has long claimed. And Americans continue to feel more than “a little pain,” as Trump forecasted, causing many to shift their views on the president.

Americans banding together to oppose tariffs could help prevent the worst possible outcomes. With prices already rising on certain goods in the US, the president reversed some tariffs as his approval ratings hit record lows. But so far, Big Tech hasn’t shown much interest in joining the fight, instead throwing money at the problem by making generous donations to things like Trump’s inaugural fund or his ballroom.

A bright light for the tech industry could be the midterm elections, which could pressure Trump to ease off aggressive tariff regimes, but that’s not a given. Trump allies have previously noted that the president typically responds to pushback on tariffs by doubling down. And one of Trump’s on-again-off-again allies, Elon Musk, noted in December in an interview that Trump ignored his warnings that tariffs would drive manufacturing out of the US.

“The president has made it clear he loves tariffs,” Musk said.

Ashley is a senior policy reporter for Ars Technica, dedicated to tracking social impacts of emerging policies and new technologies. She is a Chicago-based journalist with 20 years of experience.


Apple hit with $115M fine for “extremely burdensome” App Store privacy policy

Apple was hit with a $115 million fine Monday after Italy’s competition authority alleged the tech giant was abusing its dominant position to harm third-party developers in its App Store.

In a press release, the Italian Competition Authority said that an “App Tracking Transparency” (ATT) privacy policy that Apple introduced in 2021 forced third-party developers to seek consent twice for the same data collection.

Requiring such “double consent” was “extremely burdensome” and “harmful” to some developers—especially the smallest developers, the regulator said. Many developers struggled to earn ad revenue after the policy was introduced, as users increasingly declined to opt into personalized ads.

Meanwhile, Apple may have benefited from the ATT restricting developers’ ad revenues, “in the form of higher commissions collected from developers through the App Store and, indirectly, in terms of the growth of its own advertising service.” Since ATT was adopted, “revenues from App Store services increased,” the regulator said, as developers paid higher commissions and “likewise, Apple’s advertising division, which is not subject to the same stringent rules, ultimately benefited from increased revenues and higher volumes of intermediated ads.”

Without intervention, Apple would continue requiring third-party developers to provide an additional consent screen, which was “found to be disproportionate to the achievement of the company’s stated data protection objectives,” the press release said.

“Apple should have ensured the same level of privacy protection for users by allowing developers to obtain consent to profiling in a single step,” the regulator concluded.


Software leaks point to the first Apple Silicon “iMac Pro,” among other devices

Apple doesn’t like to talk about its upcoming products before it’s ready, but sometimes the company’s software does the talking for it. So far this week we’ve had a couple of software-related leaks that have outed products Apple is currently testing—one a pre-release build of iOS 26, and the other some leaked files from a kernel debug kit (both via MacRumors).

Most of the new devices referenced in these leaks are straightforward updates to products that already exist: a new Apple TV, a HomePod mini 2, new AirTags and AirPods, an M4 iPad Air, a 12th-generation iPad to replace the current A16 version, next-generation iPhones (including the 17e, 18, and the rumored foldable model), a new Studio Display model, some new smart home products we’ve already heard about elsewhere, and M5 updates for the MacBook Air, Mac mini, Mac Studio, and the other MacBook Pros. There’s also yet another reference to the lower-cost MacBook that Apple is apparently planning to replace the M1 MacBook Air it still sells via Walmart for $599.

For power users, though, the most interesting revelation might be that Apple is working on a higher-end Apple Silicon iMac powered by an M5 Max chip. The kernel debug kit references an iMac with the internal identifier J833c, based on a platform identified as H17C—and H17C is apparently based on the M5 Max, rather than a lower-end M5 chip. (For those who don’t have Apple’s branding memorized, “Max” is associated with Apple’s second-fastest chips; the M5 Max would be faster than the M5 or M5 Pro, but slower than the rumored M5 Ultra.)

This device could be the long-awaited, occasionally-rumored-but-never-launched replacement to Apple’s 27-inch iMac, which was discontinued in 2022 with no direct replacement. An M5 Max chip would also make this machine the closest thing we’ve seen to a direct replacement for the iMac Pro, a 27-inch iMac variant that was launched in late 2017 but likewise discontinued without an update or replacement.

The current M4 Max chip includes 14 or 16 CPU cores, 32 or 40 GPU cores, and between 36GB and 128GB of unified memory, specs we’d expect an M5 Max to match or beat. And because the Max chips already fit into the 14- and 16-inch MacBook Pros, it should be no problem to fit one into an all-in-one desktop PC.


UK to “encourage” Apple and Google to put nudity-blocking systems on phones

The push for device-level blocking comes after the UK implemented the Online Safety Act, a law requiring porn platforms and social media firms to verify users’ ages before letting them view adult content. The law can’t fully prevent minors from viewing porn, as many people use VPN services to get around the UK age checks. Government officials may view device-level detection of nudity as a solution to that problem, but such systems would raise concerns about user rights and the accuracy of the nudity detection.

Age-verification battles in multiple countries

Apple and Google both provide optional tools that let parents control what content their children can access. The companies could object to mandates on privacy grounds, as they have in other venues.

When Texas enacted an age-verification law for app stores, Apple and Google said they would comply but warned of risks to user privacy. A lobby group that represents Apple, Google, and other tech firms then sued Texas in an attempt to prevent the law from taking effect, saying it “imposes a broad censorship regime on the entire universe of mobile apps.”

There’s another age-verification battle in Australia, where the government decided to ban social media for users under 16. Companies said they would comply, although Reddit sued Australia on Friday in a bid to overturn the law.

Apple this year also fought a UK demand that it create a backdoor for government security officials to access encrypted data. The Trump administration claimed it convinced the UK to drop its demand, but the UK is reportedly still seeking an Apple backdoor.

In another case, the image-sharing website Imgur blocked access for UK users starting in September while facing an investigation over its age-verification practices.

Apple faced a backlash in 2021 over potential privacy violations when it announced a plan to have iPhones scan photos for child sexual abuse material (CSAM). Apple ultimately dropped the plan.
