Jeffrey Martin takes massive panoramic photographs of the world, and his photos let you go from the panoramic to the intimate in a single mouse swipe. Now he’s truly outdone himself with a 900,000-pixel-wide photo of Prague’s Old Town that took six months to build.
The photo, viewable here, has a total spherical resolution of 405 gigapixels and is amazing. Martin used a 600mm lens and 50MP DSLR to take photos of nearly everything in the Old Town. You can see the Cathedral, Castle Hill and even spot street signs, building signs and pigeons. It’s a fascinating view of a beautiful city.
Martin said it took him over six months to post-process the picture and it required thousands of photos and tweaks. He said the files are six times bigger than anything Photoshop can manage so he found himself working with delicate fixes as he stitched this amazing photo together.
Venmo, the popular mobile payment service, has redesigned its app. That’s normally news you could safely ignore, but this announcement is worth a closer look. In addition to making some navigational tweaks and adding new purchase protections, the PayPal-owned platform is finally shutting down its global social feed, where the app published transactions from people around the world. It’s an important step toward resolving one of the most prominent privacy issues in the world of apps, but the work isn’t finished yet.
Venmo’s global feed has for years been a font of voyeuristic insights into the financial habits of total strangers. The feed doesn’t display amounts for a given transaction, but names, notes, emoji, and likes are included. Tapping on a name brings you to that user’s profile, and an enterprising busybody (or worse) could pretty quickly build a small dossier of that person’s friends, their hobbies, and anything else they’ve slipped into the stream—without, perhaps, realizing how public that info can be. In the time it took to write these paragraphs, relatives reimbursed each other for Phillies tickets, someone made a payment for “liquid gold 😍,” and more than one set of roommates split their internet bill.
The visibility of Venmo transactions and other user data has been criticized by privacy and consumer advocates for years. “This commitment to this weird corporate bit, this corporate DNA, of a social payment app is a huge liability,” says Gennie Gebhart, activism director at the Electronic Frontier Foundation, a digital rights group. “It’s not a disaster waiting to happen, it’s a disaster that’s already happened so many times to so many people.”
The most recent and most high-profile instance of where that openness can go wrong came in May, when a team of Buzzfeed reporters found President Joe Biden’s Venmo account, along with those of his family and close friends, simply by searching within the app. It took them 10 minutes.
At the time, even if your transaction history was locked down, your friends list was fair game for anyone to find. Which, again, seems a little unwise for an app built around the often sensitive business of sending and receiving money. Two weeks after the Buzzfeed report, however, Venmo added new privacy controls, letting you make your list of contacts on the app private for the first time.
The removal of the global feed extends that work, by making it incrementally harder to snoop on total strangers. Soon, the social element of the app will be limited to what your Venmo contacts are up to. “This change allows customers to connect and share meaningful moments and experiences with the people who matter most,” the company said in a blog post announcing the redesign. While it certainly counts as progress, privacy advocates believe it doesn’t go far enough.
“Venmo’s finally getting the message that maximum publicity on a financial app is a terrible idea,” says Kaili Lambe, senior campaigner at the Mozilla Foundation, a nonprofit focused on internet openness and accessibility. “However, from the beginning we have been calling on Venmo to be private by default, because so many Venmo users don’t actually know that their transactions are public to the world.”
A Venmo spokesperson said the company has no plans at this time to consider making those transactions private by default. That means users will still need to go out of their way to make sure their every peer-to-peer transaction isn’t broadcast to the world. It’s hard to see the benefit of maintaining the status quo.
“You think of a lot of really sensitive use cases,” says Gebhart. “You think about therapists, you think about sex workers. You think about the president of the United States. It doesn’t take a big imagination to imagine places where these defaults could go horribly wrong and cause real harm to real people.”
The implications of Venmo’s public-by-default stance have played out beyond the discovery of Biden’s account. In 2018, privacy advocate and designer Hang Do Thi Duc used Venmo’s public API to sort through nearly 208 million transactions on the platform, piecing together alarmingly detailed portraits of five users based only on their activity in the app. The following year, programmer Dan Salmon wrote a 20-line Python script that let him scrape millions of Venmo payments in a matter of weeks.
Venmo has since placed restrictions on the rate at which you can access transaction data through the public API, but Salmon says the company hasn’t gone far enough. “Venmo basically had a firehose I could connect to of transaction data,” he says. “Now that that is cut off, the transactions are still out there; it will just take a few more steps to go get them.” He says it would take about an hour of work to build a new scraping tool.
“At Venmo, we routinely assess our technical protocols as part of our commitment to platform security and continually improving the Venmo experience for our customers. Scraping Venmo is a violation of our terms of service, and we actively work to limit and block activity that violates these policies,” Venmo spokesperson Jaymie Sinlao wrote in an emailed statement. “We continue to enable select access to our existing APIs for approved developers to continue innovating and building upon the Venmo platform.”
Venmo is far from the only app that makes you opt out of sharing rather than asking you to opt in. But because its use case is exclusively financial, the stakes are significantly higher, and the assumptions of its users potentially misplaced. Venmo hasn’t made it especially easy for users to figure out what they are or are not sharing; in 2018 it reached a settlement with the Federal Trade Commission related in part to its confusing privacy settings.
“Anecdotally, people are very surprised to find that a financial services app is public by default,” says the Mozilla Foundation’s Lambe. “Even people who’ve been using Venmo for years might not know that their settings are public.”
To make sure that yours aren’t going forward, head to Settings > Privacy and select Private. Then tap Past Transactions, and tap Change All to Private to lock things down retroactively. And while you’re at it, go ahead and tap Friends List, then tap Private and toggle off Appear in other users’ friends list. Otherwise, you’re sharing the digital equivalent of your credit card purchases with everyone you know, and lots of people you don’t. Or consider using something like Square’s Cash App instead, which is private by default.
Losing the global feed is an important step toward privacy for Venmo and its users. Hopefully, more steps are still to come.
Apple and Roku know that remotes for streaming devices are important. It’s why they recently inked a deal to put an Apple TV+ button on Roku remotes going forward. It’s also why they’ve made some thoughtful upgrades to their respective streaming devices in the form of redesigned remotes. Both companies are focused on improving usability and adding features via the remote, rather than retooling the streamers themselves.
Apple’s new Siri Remote and Roku’s Voice Remote Pro are new devices that existing users can buy to make their streaming experiences much less frustrating (in Apple’s case) or easier and more feature-rich (in Roku’s). For Apple, a redesign was long overdue. Apple TV remotes have been the stuff of nightmares since the first and only redesign over half a decade ago. Roku’s remotes never had that sort of over-engineering problem—instead, they’ve suffered from the opposite issue, often feeling hollow and cheap while missing some useful functions on all but the highest-end Roku players.
Now, these remotes aren’t in direct competition with one another. And in some key areas like price and wide-ranging support, the streamers they control both fall behind the latest Google Chromecast—a device we found preferable not just to those, but to Amazon’s Fire TV platform as well. But for anyone who’s already using a streaming option from Apple or Roku, scrapping those devices entirely could be a significant waste of money and a general pain depending on their setup. Adding one of these new remotes, though, will improve the experience appreciably.
The new Siri Remote
(Ars Technica may earn compensation for sales from links on this post through affiliate programs.)
Apple’s first-generation Siri remote was too thin and slick, being made of aluminum and glass. Its touchy trackpad was a minefield you couldn’t avoid. That anxiety-inducing design stuck around the Apple TV for six long years, but it’s now been totally redesigned.
Compared to the first-generation remote’s aluminum body, the new Siri remote has been slightly beefed up for a better grip and feel. The remote has a more satisfying heft in the hand, and it’s thick and square enough to avoid feeling like you might drop it when you go to press a button. The more robust build quality should also fare better if/when drops do occur, especially compared to the aluminum and glass design of the previous generation.
The new design does incorporate some touch elements introduced in the last Siri Remote, though. Thankfully, it’s not as touchy (ahem) as before. That’s largely due to the smaller footprint of the touch area. Instead of taking up a third of the remote’s body, touch sensitivity is confined only to the center button itself, which is also concave. That means it’s much harder to accidentally swipe the touch controls while reaching for or grasping the remote. Furthermore, you can disable touch entirely or, like the previous generation, adjust the touch sensitivity as well.
Whether you have touch control enabled or not, you can use the directional arrows surrounding the enter button to navigate entirely, as early Apple TV adopters used to enjoy. The mixture of these two is the perfect sweet spot for usability. It’s fun to still be able to flick through titles but also click buttons when I want more precision. The touchpad now reacts only when I want it to, and it works smoothly for selection or scrubbing through media playback.
There’s also a new power button in the top right corner which you can hold down to power off your Apple TV and any other IR devices you’ve paired with the Siri Remote. Pairing up my older Polk Surroundbar 5000 with the Apple TV via the latter’s remote learning function was easy enough, though I couldn’t pair my first-generation Beats by Dre Beatbox in the same way.
Both the Polk and Beatbox remotes use direct line of sight IR, so that was a somewhat unexpected bummer. I do realize we’re talking about controlling a device that has been discontinued for the better part of a decade now, but it still cranks some serious sound, OK? You shouldn’t have any issues controlling relatively new soundbars or TVs with the latest Siri Remote, though.
The Siri activation button has also been moved to the side of the remote, where I initially mistook it for a volume rocker, as this is the volume control placement on both Roku’s and Google’s streaming remotes. I’d prefer the latter placement. “Hey Siri” voice activation could ameliorate any potential awkwardness, but Siri’s actual functionality is unchanged with the new remote, so that’s still a bit lacking. This seemed like a good time to add such support, but for now it’s easy enough to settle for my nearest iOS device handling the command instead. Battery life on the Siri Remote seems strong: I’ve been using it for about an hour of TV time a day for four weeks and have 60% of the battery left over at the time of this writing.
Apple says the new Siri Remote works with both generations of Apple TV 4K streamers as well as the Apple TV HD.
Roku’s Voice Remote Pro
Roku’s remotes all vary slightly from device to device, be it a TV, streaming stick, or otherwise, but the Voice Remote Pro is the best iteration the company has released in nearly every way.
Compared to the others, the only knock I can give is its inclusion of a Sling TV button, which is sensibly replaced by an Apple TV+ shortcut on Roku’s Express 4K+ remote. Roku says this change will also be made in future production of the Voice Remote Pro, as the two companies recently agreed to keep this change going forward on all of Roku’s remotes. In the end, it’s not a huge deal, as there are also two programmable buttons you can easily map to apps or common functions to ameliorate this.
Depending on your Roku device, you could be missing any of the following buttons and features of the Voice Remote Pro:
A remote-finding siren
Hands-free “Hey Roku” commands (which you can enable or disable)
A rechargeable battery, unfortunately charged via the ancient microUSB standard (a cable is included, but come on)
A 3.5mm headphone jack for private listening
Two programmable buttons that can act as shortcuts to apps or commonly used commands, like switching the HDMI input
Even if you have Roku’s top-of-the-line devices, like the Roku Ultra or Streambar Pro, picking up a Voice Remote Pro will add hands-free “Hey Roku” commands and USB charging beyond your current remote’s features. It’ll also beef up the remote’s footprint in a pleasing albeit not totally necessary way.
All of Roku’s remotes are made of plastic and feel a bit light and hollow. The one that came with my TCL Roku TV, bought in 2020, feels the cheapest, lightest, and most bottom-heavy, while the regular voice remote (which comes with the Express 4K+ and a couple of other Roku devices) and Voice Remote Pro both feel more solid and balanced. The Pro is the thickest, but that made very little difference for better or for worse. Both feel superior to my Roku TV’s remote in every way, from different plastic textures to the overall weight and balance.
Features are the main reason you’ll want to upgrade, not how it feels in hand. In this area, all works smoothly and as intended right out of the gate. Plugging in the remote to a power source put mine directly into pairing mode. Once I was in the appropriate TV menu, connecting it to my TV was done with a push of a button.
Plugging in a pair of headphones to the remote works immediately, too. As for volume, it does get loud enough to drown out people talking, and different style headphones can help with that as well. Unfortunately, there’s no compatibility with Bluetooth headphones, so you will have to use a wired set like those that come with the remote.
“Hey Roku” works well, as does the switch to disable it, and saving a command via the shortcut button only requires a long press after the action is executed. For basic commands and functions, this all works exactly as you’d like, but as noted in our comparison between Roku, Chromecast, and Amazon’s Fire Stick, it’s not always the best way to search for content. Of course, if you have a Roku currently, then you’re likely familiar with how best to search for content and the Voice Remote Pro won’t be changing that.
If you didn’t have it before, the remote finder is a feature you may appreciate and something that really should be standard for all tiny streaming remotes like this. There are options to change the sound to sharper or more boisterous tones, as well. Whatever your preference, it gets loud enough to hear in a room or the next room over, as long as your TV isn’t blaring.
As far as battery life goes, I’ve been testing this remote for about four weeks and have 80% battery left from the original charge. It’s not getting a ton of use though, mostly just to switch sources or queue something up to watch, so your mileage may vary. Regardless, it’s a nice perk to skip stocking batteries for one more device.
In terms of compatibility, Roku says the Voice Remote Pro will work with “all Roku TV models, Roku audio players, and most Roku players,” including the Roku Express, Roku Express+, Roku Streaming Stick, Roku Streaming Stick+, Roku Ultra, Roku Ultra LT, Roku SE, Roku 2, Roku 3, Roku Premiere, Roku Premiere+, and Roku 4. The company notes that some older Express and Express+ models may not work, however.
When it comes to cutting-edge, feature-rich streaming experiences, how much do these remotes push the category forward? Not much. But do they make Apple TV and Roku die-hards’ lives better? Undoubtedly.
In short, neither of these upgraded remotes makes its respective streaming platform a higher-value or generally better pick over the Google Chromecast with Google TV, our current general-purpose pick among media streamers. For most people, the $50 Chromecast will deliver an overall better experience with its wide device compatibility, superior search functionality, and, most importantly, its unmatched ability to serve up relevant and varied watch suggestions.
Still, if you already have an Apple TV that you don’t plan to replace, and you’re willing to pay a bit more to eliminate that “don’t touch the remote!” streaming anxiety, upgrading to the new Siri Remote will successfully do that. As for Roku’s Voice Remote Pro, $30 is awfully close to the $50 price of a brand-new Google Chromecast (which itself would work with any Roku TV). But if you’ve already made your bed with a Roku streamer and want more out of it, you’ll be doing yourself a favor by getting a remote that’s harder to lose, doesn’t require batteries, and adds private listening and hands-free voice control to your TV.
The shadowy world of private spyware has long caused alarm in cybersecurity circles, as authoritarian governments have repeatedly been caught targeting the smartphones of activists, journalists, and political rivals with malware purchased from unscrupulous brokers. The surveillance tools these companies provide frequently target iOS and Android, which have seemingly been unable to keep up with the threat. But a new report suggests the scale of the problem is far greater than feared—and has placed added pressure on mobile tech makers, particularly Apple, from security researchers seeking remedies.
This week, an international group of researchers and journalists from Amnesty International, Forbidden Stories, and more than a dozen other organizations published forensic evidence that a number of governments worldwide—including Hungary, India, Mexico, Morocco, Saudi Arabia, and the United Arab Emirates—may be customers of the notorious Israeli spyware vendor NSO Group. The researchers studied a leaked list of 50,000 phone numbers associated with activists, journalists, executives, and politicians who were all potential surveillance targets. They also looked specifically at 37 devices infected with, or targeted by, NSO’s invasive Pegasus spyware. They even created a tool so you can check whether your iPhone has been compromised.
NSO Group called the research “false allegations by a consortium of media outlets” in a strongly worded denial on Tuesday. An NSO Group spokesperson said, “The list is not a list of Pegasus targets or potential targets. The numbers in the list are not related to NSO Group in any way. Any claim that a name in the list is necessarily related to a Pegasus target or potential target is erroneous and false.” On Wednesday, NSO Group said it would no longer respond to media inquiries.
NSO Group isn’t the only spyware vendor out there, but it has the highest profile. WhatsApp sued the company in 2019 over what it claims were attacks on over a thousand of its users. And Apple’s BlastDoor feature, introduced in iOS 14 earlier this year, was an attempt to cut off “zero-click exploits,” attacks that don’t require any taps or downloads from victims. The protection appears not to have worked as well as intended; the company released a patch for iOS to address the latest round of alleged NSO Group hacking on Tuesday.
In the face of the report, many security researchers say that both Apple and Google can and should do more to protect their users against these sophisticated surveillance tools.
“It definitely shows challenges in general with mobile device security and investigative capabilities these days,” says independent researcher Cedric Owens. “I also think seeing both Android and iOS zero-click infections by NSO shows that motivated and resourced attackers can still be successful despite the amount of control Apple applies to its products and ecosystem.”
Tensions have long simmered between Apple and the security community over limits on researchers’ ability to conduct forensic investigations on iOS devices and deploy monitoring tools. More access to the operating system would potentially help catch more attacks in real time, allowing researchers to gain a deeper understanding of how those attacks were constructed in the first place. For now, security researchers rely on a small set of indicators within iOS, plus the occasional jailbreak. And while Android is more open by design, it also places limits on what’s known as “observability.” Effectively combating high-caliber spyware like Pegasus, some researchers say, would require things like access to read a device’s filesystem, the ability to examine which processes are running, access to system logs, and other telemetry.
A lot of criticism has centered on Apple in this regard, because the company has historically offered stronger security protections for its users than the fragmented Android ecosystem.
“The truth is that we are holding Apple to a higher standard precisely because they’re doing so much better,” says SentinelOne principal threat researcher Juan Andres Guerrero-Saade. “Android is a free-for-all. I don’t think anyone expects the security of Android to improve to a point where all we have to worry about are targeted attacks with zero-day exploits.”
In fact, the Amnesty International researchers say they actually had an easier time finding and investigating indicators of compromise on Apple devices targeted with Pegasus malware than on those running stock Android.
“In Amnesty International’s experience there are significantly more forensic traces accessible to investigators on Apple iOS devices than on stock Android devices, therefore our methodology is focused on the former,” the group wrote in a lengthy technical analysis of its findings on Pegasus. “As a result, most recent cases of confirmed Pegasus infections have involved iPhones.”
Some of the focus on Apple also stems from the company’s own emphasis on privacy and security in its product design and marketing.
“Apple is trying, but the problem is they aren’t trying as hard as their reputation would imply,” says Johns Hopkins University cryptographer Matthew Green.
Even with its more open approach, though, Google faces similar criticisms about the visibility security researchers can get into its mobile operating system.
“Android and iOS have different types of logs. It’s really hard to compare them,” says Zuk Avraham, CEO of the analysis group ZecOps and a longtime advocate of access to mobile system information. “Each one has an advantage, but they are both equally not sufficient and enable threat actors to hide.”
Apple and Google both appear hesitant to reveal more of the digital forensic sausage-making, though. And while most independent security researchers advocate for the shift, some also acknowledge that increased access to system telemetry would aid bad actors as well.
“While we understand that persistent logs would be more helpful for forensic uses such as the ones described by Amnesty International’s researchers, they also would be helpful to attackers,” a Google spokesperson said in a statement to WIRED. “We continually balance these different needs.”
Ivan Krstić, head of Apple security engineering and architecture, said in a statement that “Apple unequivocally condemns cyberattacks against journalists, human rights activists, and others seeking to make the world a better place. For over a decade, Apple has led the industry in security innovation and, as a result, security researchers agree the iPhone is the safest, most secure consumer mobile device on the market. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals. While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”
The trick is to strike the right balance between offering more system indicators without inadvertently making attackers’ jobs too much easier. “There is a lot that Apple could be doing in a very safe way to allow observation and imaging of iOS devices in order to catch this type of bad behavior, yet that does not seem to be treated as a priority,” says iOS security researcher Will Strafach. “I am sure they have fair policy reasons for this, but it’s something I don’t agree with and would love to see changes in this thinking.”
Thomas Reed, director of Mac and mobile platforms at the antivirus maker Malwarebytes, says he agrees that more insight into iOS would benefit user defenses. But he adds that allowing special, trusted monitoring software would come with real risks. He points out that there are already suspicious and potentially unwanted programs on macOS that antivirus can’t fully remove because the operating system endows them with this special type of system trust, potentially in error. The same problem of rogue system analysis tools would almost inevitably crop up on iOS as well.
“We also see nation-state malware all the time on desktop systems that gets discovered after several years of undetected deployment,” Reed adds. “And that’s on systems where there are already many different security solutions available. Many eyes looking for this malware is better than few. I just worry about what we’d have to trade for that visibility.”
The Pegasus Project, as the consortium of researchers calls the new findings, underscores the reality that Apple and Google are unlikely to solve the threat posed by private spyware vendors alone. The scale and reach of the potential Pegasus targeting indicates that a global ban on private spyware may be necessary.
“A moratorium on the trade in intrusion software is the bare minimum for a credible response—mere triage,” NSA surveillance whistleblower Edward Snowden tweeted on Tuesday in reaction to the Pegasus Project findings. “Anything less and the problem gets worse.”
On Monday, Amazon Web Services took its own step by shutting down cloud infrastructure linked to NSO.
Regardless of what happens to NSO Group in particular, or the private surveillance market in general, user devices are still ultimately where clandestine targeted attacks from any source will play out. Even if Google and Apple can’t be expected to solve the problem themselves, they need to keep working on a better way forward.