Iceland Is Beautiful Except for the 2 Million Tourists

Iceland is a windswept, volcanic island about the size of Kentucky. It’s a beautiful place, a land of vast tundra, stunning fjords, and tumbling waterfalls. You could call it idyllic. Quiet even. Well, before the tourists found it, that is.

Cheap flights and the exposure brought by Game of Thrones conspired to make Iceland the vacation destination. The place teems with globetrotters, and French photographer Denis Meyer spent weeks among them in March for his series Iceland: The Silent Epidemic. “I wanted to see the consequences of tourism in ecological and societal terms,” he says.

Calling it an epidemic feels apt. Some 2.3 million people are expected to visit this year, up from 489,000 just seven years ago. The $3.4 billion industry created one in every three jobs, making it Iceland’s largest source of revenue. But while the cash is great, the country struggles to deal with the influx. Popular destinations swarm with sightseers and hotels barely contain them all, in some cases resulting in sewage overflow. Lawmakers are considering new taxes to ease the strain, even as construction companies scramble to keep up and businesses hire more help.

Gunnar Þór Jóhannesson, professor of geography and tourism at the University of Iceland, says the country desperately needs better infrastructure and a plan for minimizing and mitigating the environmental impact of all those people. “Uncontrolled tourism does have negative impacts on the environment,” he says. “So if tourism is not planned and managed properly we will see some of the natural attractions be damaged.”

Meyer got wind of Iceland’s woes listening to French tourists who visit the island often. They complained about the tour buses and construction, a sentiment echoed on numerous Trip Advisor reviews. “Nice experience,” wrote one visitor to the famed Blue Lagoon, “but there should be less people.” Curious to see for himself, Meyer booked a 400-euro round-trip flight from Paris to Reykjavik. He spent two weeks exploring the city, then rented a car to drive the “Ring Road,” an 800-mile highway that circumnavigates the island.

He photographed fellow tourists snapping selfies, squeezing into buses, and tromping all over the place—often with no regard for signs warning them to keep out. “Barriers have been installed on tourist sites, and they are regularly crossed by visitors who walk on the fragile ground so as to simply take photos without other tourists in the picture,” Meyer says.

The irony is that even as Meyer offers a commentary on all those damned tourists, his photos often look like tourism bureau ads. He couldn’t help it. Iceland is just so beautiful. The problem is, everyone knows it.


Facebook’s Ability to Target “Insecure” Teens Could Prompt Backlash

Data mining is such a prosaic part of our online lives that it’s hard to sustain consumer interest in it, much less outrage. The modern condition means constantly clicking against our better judgement. We go to bed anxious about the surveillance apparatus lurking just beneath our social media feeds, then wake up to mindlessly scroll, Like, Heart, Wow, and Fave another day.

But earlier this month, The Australian uncovered something that felt like a breach in the social contract: a leaked confidential document prepared by Facebook that revealed the company had offered advertisers the opportunity to target 6.4 million younger users, some only 14 years old, during moments of psychological vulnerability, such as when they felt “worthless,” “insecure,” “stressed,” “defeated,” “anxious,” and like a “failure.”

The 23-page document had been prepared for a potential advertiser and highlighted Facebook’s ability to micro-target ads down to “moments when young people need a confidence boost.” According to The Australian’s report, Facebook had been monitoring posts, photos, interactions, and internet activity in real time to track these emotional lows. (Facebook confirmed the existence of the report, but declined to respond to questions from WIRED about which types of posts were used to discern emotion.)

The day the story broke, Facebook quickly issued a public statement arguing that the premise of the article was “misleading” because “Facebook does not offer tools to target people based on their emotional state.” The social network also promised that the research on younger users “was never used to target ads.” The analysis on minors did not follow Facebook’s research review protocols, the company wrote, so Facebook would be “reviewing the details to correct the oversight,” implying that the analysis had not been sanctioned by headquarters in Menlo Park.

A spokesperson for Facebook tells WIRED that the research had been commissioned by an advertiser. But Facebook’s public statement did not make that clear or explain how the research on minors ended up in a presentation to potential advertisers.

The statement said only that the analysis had been conducted by “an Australian researcher.” But the leaked presentation obtained by The Australian was prepared by two Australian Facebook employees, both managers who connect Facebook to ad agencies.

Privacy advocates and social media researchers, some of whom signed a public letter to Mark Zuckerberg about the ethical implications of tracking minors, tell WIRED the leak arrived at a crucial time in their campaign for stricter guidelines around consumer surveillance. Between the political fallout of psychographic profiling on Facebook and recent fines against the social network for breaking European laws about data collection, they hope this controversy could have lasting implications on the way the $400 billion behemoth tracks sensitive data.

Welcome to the next phase of Facebook privacy backlash, where the big fear isn’t just what Facebook knows about its users but whether that knowledge can be weaponized in ways those users cannot see, and would never knowingly allow.

Dear Mark Zuckerberg

Five years ago, Facebook conducted a mass experiment in manipulating emotions on nearly 700,000 unsuspecting users. The company tweaked News Feeds to show random users more positive or negative content, to see if it made those users happy or sad. In that case, there was no leaked document, no smoking gun: The results were published openly in an academic journal in 2014. In response, there was an outcry over what seemed like social engineering; the company said it had been “unprepared for the reaction” and strengthened its research review process accordingly.

A spokesperson for Facebook tells WIRED that the research referenced in the newly surfaced document complied with Facebook’s privacy and data policies, such as anonymizing the data by removing any personally identifiable information, but it did not meet those enhanced research protocols, which are supposed to require additional review for studies of “sensitive groups,” like minors.

Nonetheless, The Australian’s report claimed that the psychological insights had been culled from a database of 6.4 million younger Facebook users from Australia and New Zealand, including 1.9 million high school students with an average age of 16, and some as young as 14.

A week after the document was leaked, more than two dozen nonprofits from the US, Europe, Brazil, and Mexico wrote a blistering public letter to Zuckerberg arguing that Facebook should release the document because the health and ethical implications were “far too concerning to keep concealed.” Facebook has become a “powerful cultural and social force in the lives of young people,” they wrote, and the mega-corporation could not just chalk up the mistake to a deviation from its research protocols. Marketers “and others” could use this research to “take advantage of young people by tapping into unique developmental vulnerabilities for profit,” the letter warned. (WIRED reached out to The Australian’s media editor, Darren Davidson, who obtained the leaked document, to see if the paper has plans to publish it in full, but did not receive an immediate response.)

“We take the concerns raised by these organizations seriously,” a Facebook spokesperson said in response to questions from WIRED. “Last week we reached out to several of these groups to discuss the research, and together agreed to set a meeting. We look forward to working with them.”

Jeff Chester, executive director of the Center for Digital Democracy, one of the nonprofits that signed the letter, will be present at the Facebook meeting. “I’ll be interested to see how honest they are,” he tells WIRED. “Are they going to acknowledge all of the similar research that they already do? Or what it means for Facebook and Instagram users worldwide? Are they going to talk about the fact that they are continually expanding the ability of their platform to identify and track consumers on behalf of powerful advertisers?”

Chester keeps close tabs on Facebook’s increasingly sophisticated marketing capabilities, a toolkit that includes neuro-marketing and biometric research techniques that can be used to test bodily reactions to ads, like responses in the brain, heart, eye movement, or memory recall. Chester pointed to a recent report from Facebook IQ—a research division within the social network designed to help marketers—that used an EEG headset to measure social connections and feelings in virtual reality.

“When Facebook said this was an aberration, we knew that was not true, because it squarely fits into what Facebook does all the time in terms of analyzing the emotional reactions of individuals,” including vulnerable groups like young people, black people, and Latinos, Chester says. “Facebook is one big sentiment-mining apparatus.”

If the users in question weren’t teenagers—or if the emotion wasn’t insecurity—Facebook’s public statement might have been sufficient; the uproar from privacy advocates may have been duly noted, then promptly forgotten.

Instead, as Kathryn Montgomery, a professor at American University and the director of the school’s communications studies division—who is married to Chester—tells WIRED, The Australian’s report served as “a flashpoint that enables you to glimpse Facebook’s inner workings, which in many ways is about monetization of moods.”

A New Advertising Age

This may sound like a lot of sturm und drang for making money off of teenage insecurity, a mass market practice that has been around since at least World War II. The entire advertising industry is, after all, premised on the ability to leverage a consumer’s emotional state. But it’s one thing to show makeup ads to people who follow Kylie Jenner on Instagram; it’s another to use computational advertising techniques to sell flat-tummy tea to 14-year-olds at the exact moment they’re feeling their worst.

In fact, Montgomery and Chester have been fighting to protect young people’s digital privacy for decades. The couple helped pass the Children’s Online Privacy Protection Act (COPPA) in 1998, which restricts data collection and online marketing from targeting children under 13 years old. The legislation was created to prevent the first wave of dotcom companies from engaging in deceptive practices, such as using games and contests to collect information about children without parental permission. The same year COPPA passed, the FTC filed its first internet privacy complaint against GeoCities, for misleading both child and adult consumers about how it was using their personal information. Since then, companies big, small, and fictional have racked up fines.

For its part, Facebook has been open and cooperative in responding to concerns about minors in the past. After The Wall Street Journal reported in 2012 that Facebook was considering allowing children younger than 13 to open accounts, the company met with privacy advocates who helped convince the platform to continue barring children from the platform.

Facebook also understands that minors require additional protections. By default, it turns off location sharing for minors, and offers warnings before young people share a post publicly. Indeed, Facebook sometimes uses its tracking capabilities to safeguard users, such as newly released artificially intelligent suicide prevention tools that “help people in real time.”

“We do, of course, want to try to help people in our community who are at risk, including if their friends report to us that they may be considering self-harm, but that’s not related to the incorrect allegations that were made in The Australian’s piece,” a Facebook spokesperson tells WIRED.

Regardless, advances in ad targeting may require more default protections. Marketers want to pinpoint people in an “intimate, ongoing, interactive way,” says Chester. As people use more and more devices across different networks, companies that collect this information have amassed bank vaults of data on users’ locations, recent life events, affinity groups, or, theoretically, emotional states.

“This is the holy grail of advertising,” says Saleem Alhabash, an assistant professor at Michigan State University. A consumer has “a particular need or motivation at this particular moment in time, and you are giving them messages that feed exactly to what they’re feeling. The return on investment is huge.”

To that end, Alhabash believes companies should, for the most part, have the freedom to conduct business. “I do not think that advertising in general is manipulative,” he says. “Where it becomes manipulative is when certain parts of our personal information get used against us to make us crave and want things that we do not want.” (Alhabash worked on a study about how Facebook ads for alcohol can increase the desire to drink.)

Amid a swirl of recent concerns over how Facebook can influence our actions in the real world and the ways that micro-targeting can be weaponized—such as voter-suppression campaigns targeting African Americans—the leaked document seems like another sign that fears about the company have taken on a different shape.

“We’ve entered a new phase because of the controversy in promoting fake news, in disseminating hate speech, in Facebook’s outsized influence in campaigns that resulted in Brexit, the election of Trump, and other political developments,” Chester explains.

Europe Plays Hardball

Unfortunately for Facebook, the Australian ad targeting controversy cropped up just as European regulators have been cracking down on social networks, charging that they “aren’t taking complaints from their users seriously enough.” That’s the reason Germany’s justice minister cited in March when he proposed a law that would fine social media companies up to €50 million if they don’t respond quickly enough to reports of illegal content or hate speech.

This week, the focus has shifted to Facebook’s privacy violations. On Tuesday, data protection authorities (DPAs) from France, the Netherlands, Spain, Germany, and Belgium issued a joint statement detailing the results of national investigations into Facebook for privacy issues, including processing personal data for advertising purposes.

France and the Netherlands handed down what amounted to a slap on the wrist and a small fine, but this is just the preview. Europe’s strict privacy laws are about to get even stricter. It’s all part of a growing sense in the EU that it’s time to throw a bridle on Silicon Valley.

In 368 days (regulators have posted a handy countdown clock) the General Data Protection Regulation will go into effect for the European Union. Once the new rules are in place, companies will be forced to take privacy more seriously, if only because of the fines, David Martin, senior legal officer at the European Consumer Organization, tells WIRED by email. France fined Facebook €150,000 for unlawfully tracking internet users to display targeted advertising, the maximum it can currently impose. But once the new rules are in place, the fines could be as high as €20 million, or 4 percent of the company’s global revenue, whichever is higher, Martin says.

For companies like Google and Facebook, with market capitalizations in the hundreds of billions, compliance might be a bigger issue than fines. But American advocates hope that some of that momentum will be contagious, pressuring Silicon Valley’s oligarchy into creating stronger safeguards for sensitive data. Says Chester, “The feedback I got from my colleagues in Europe was, ‘Look, you guys have that letter. We have laws and rules that need to be enforced.’”

In the joint statement on Tuesday, the Dutch authorities reported that Facebook violated data protection laws for its 9.6 million users in the Netherlands by using sensitive personal data without the users’ explicit consent, including serving targeted ads based on users’ sexual preferences. Facebook changed its practices to comply, and the Dutch DPA said it will issue a sanction if it finds out the violations have not stopped.

In response to questions from WIRED about the sanctions, a different Facebook spokesman says that the company respectfully disagrees with the findings by the French and Dutch authorities. Facebook maintains that its practices have been compliant, but the spokesperson says that Facebook welcomes the dialogue.

“At Facebook, putting people in control of their privacy is at the heart of everything we do,” the spokesperson tells WIRED. “Over recent years, we’ve simplified our policies further to help people understand how we use information to make Facebook better. We’ve built teams of people who focus on the protection of privacy—from engineers to designers—and tools that give people choice and control.”

And yet the findings from the investigations don’t sound that far off from the leaked Australian document, which is partly what made the specter of preying on teen insecurity so unsettling.

It’s not a dystopian nightmare. It’s just a few clicks away from the status quo.


‘Star Trek: Discovery’ Trailer Proves That TV Is the Best Final Frontier of All

Between 1967 and 2005, 684 hour-long episodes of live-action Star Trek and 22 half-hour episodes of the animated series aired on TV. Allowing for commercial breaks, that gives us 521 hours of Star Trek, give or take. Add in the 13 movies, from 1979’s Star Trek: The Motion Picture to Star Trek Beyond in 2016, and you wind up with more than 48 full days of Star Trek—not counting books and comics, which, if you want to argue about canonicity and amount of content, my DMs are open. (Not really.)

In-world time runs even longer—by a lot. The prequel series Star Trek: Enterprise begins in the year 2151, roughly, and the last movie set in that same timeline, Nemesis, takes place in 2379 or so. But Voyager traveled back to the Big Bang in one episode and Next Generation reached into its own future, to 2395. So that’s 14 billion years of history covered. Oh, and the three “reboot” movies—Star Trek, ST Into Darkness, and ST Beyond—take place in an alternate timeline sprouted off from the original. And each of the TV series spent time in a “mirror universe” where good and evil were inverted. That means we have three full Trek universes.

What I’m saying is, there is already a lot of Star Trek.

And now the first real look at the long-delayed new show Star Trek: Discovery has finally frontiered. I’m gonna watch that show, too. All 15 hours of it, set to air on the subscription streaming service CBS All Access in the autumn. (When I showed my editor the new trailer, he said, “Sure, but who’s gonna get CBS All Access?” “Me,” I meeped. “For that.”) As a lifelong, devout Trekkie, I hear your concerns about the new show—why did they keep pushing the release? Why did showrunner Bryan Fuller bail for American Gods? What is up with that awful typeface on the intertitle cards?—but like Star Trek itself, I remain hopeful.

In fact, I am fuller of hope now than I have been about any of the movies since the whale one (which I liked). Because Trek’s serialized self, its television self? That’s Trek’s best self.

Discovery will focus on a callow commander (Sonequa Martin-Green) rather than a sophisticated captain, though we’re still getting the latter, too, played by the great Michelle Yeoh. Lantern-jawed cis-het white men have been rightly cleared off the bridge in favor of a team that more accurately reflects the galaxy (and Gene Roddenberry’s vision). New ship, new crew, new strange new worlds, new life, new civilizations. Beam me up.

The trailer’s visuals combine the shiny, lens-flaring, camera-tilting modes of the JJ Abrams and Justin Lin reboot movies. But that slickness is a sop to non-fans. Give me bulkheads that wobble and actors pretending to fall over when the camera shakes to simulate the loss of inertial dampers after a phaser takes the forward shields down to 30 percent. I mean, I get it: The structural rigidity of epic-sci-fi movies turns pretty much every Trek film (except the good ones) into a quest adventure with a third-act reveal and a finale of VFX and explosions. But audiences get enough of that these days from Star Wars and Marvel movies. A television show, with more time for story and presumably way less money in the budget, lets Star Trek get back to its authentic guts.

To the extent that Trek TV shows worked at all, it was due to their persistence. Like any long-running television show, the actors and writers got into grooves (and out of them and into new ones) over years. They experimented with genres from humor to horror. Characters combined and recombined into satisfying riffs, ‘shipped and otherwise. At their best, the writers remembered that the science-fiction was just a fulcrum for metaphoric levers; fundamentally, Trek shows are about different kinds of Americans trying to figure out how to be good in the world. The bad guys are always the geopolitical bad guys of the time, from the original series’ Klingons proxying for Cold-War Russia to the Borg making like a stereotypical Asian collectivist culture, up through Enterprise’s alien terrorists from the future. Sure, every show repeats the “exploring what it means to be human” trope—Spock, Data, Odo, the Doctor, Seven of Nine, T’Pol—but those arcs, over years, all took interestingly different ballistic paths. (Odo looked into it and basically said, “meh, I’m good with being shapeshifting glop in a big lake of same, thanks.”)

The good news for Star Trek: Discovery, I suspect, is that all good television is like that now. Quality television tends toward lightly or heavily serialized drama, where even the one-off episodes usually have at least an undertone of long-arc character growth and a Big Bad hiding in the season finale. The Original Series did that by accident; most episodes started and ended with the crew gathered on the bridge, staring at the big TV screen that gave them their missions. But all the subsequent shows experimented at least a little with call-backs and character development. Now, all good TV does that.

Today, in post-Deadwood/Sopranos/Galactica/Breaking Bad nirvana, with Netflix and Amazon Prime in a knife fight not for most but for best, TV writers’ rooms know what they can aspire to. I hope the Discovery room remembers. They’re adding text to one of fiction’s grand, collaborative canons, created almost as much by its fans as its writers. I hope they go boldly.


XData Ransomware Is Infecting Ukrainian Computers Much Faster Than WannaCry Did

Just as the reverberations from last week’s WannaCry ransomware outbreak have started to slow, a new threat has already cropped up. A virulent ransomware strain called XData has gained momentum in Ukraine, so far leading to about three times as many infections as WannaCry did in the country. That XData appears to target Ukraine specifically tempers some fears, but were it to spread globally it would potentially leave even more devastation than last week’s WannaCry mess.

Discovered on Thursday by MalwareHunter, a researcher with the MalwareHunterTeam analysis group, XData had 94 detected unique infections as of midday Friday, and the number was rising. In contrast, MalwareHunterTeam’s data indicates that there were fewer than 30 WannaCry infections in Ukraine in all (the total number of infections worldwide was about 200,000). A few dozen cases may not sound like a lot. But considering that WannaCry infected 200,000 devices out of the billions of devices in the world, rate of infection is an important indicator. An outbreak moving this much faster than WannaCry did, even in an isolated setting, portends deeper troubles if it goes global.

“As it spread that fast in the Ukraine, it is not unlikely that it will spread fast outside of Ukraine, too,” says German security researcher Matthias Merkel.

Experts are still analyzing the ransomware to identify how it infects devices and spreads, but so far XData shows at least some level of sophistication. That’s in contrast to WannaCry, whose creators’ incompetence limited its scope. Researchers have confirmed that XData fully encrypts the files it claims to, and that there isn’t a way to get around the process and decrypt the files for free, as you can with WannaCry in some cases on Windows XP and Windows 7.

XData’s ransom note is simply in a text file instead of showing up as a window plastered across a victim’s screen. Merkel notes that the ransomware regularly closes all processes running on infected devices except for itself, but it seems that it may not connect to the internet after it infects a device. If that’s the case then it probably doesn’t have the worm-like qualities of WannaCry and is relying on a different mechanism to generate new infections. Usually that would be something like spam, malvertising, or tainted software a user unknowingly downloads, but the rate of infection in Ukraine indicates that there may be an additional driver.

Curiously, XData doesn’t specify an amount of money it requires to release hostage files. MalwareHunter speculates that the attackers may set the ransoms on a victim-by-victim basis, depending on whether they are individuals or businesses.

The XData focus on Ukraine has kept the ransomware at least somewhat contained. And researchers caution that it’s too early to predict how effective it would be outside the country, since so much remains unknown about the mechanics of XData attacks. Researchers at Symantec said on Friday that they had evaluated two XData-related samples, and confirmed that it is currently “highly active” in Ukraine and Russia. But they hadn’t yet determined whether the ransomware was exploiting a particular software vulnerability to infect devices.

WannaCry notoriously exploits the Windows server vulnerability known as EternalBlue, which surfaced in a leak of stolen NSA spy tools published by the Shadow Brokers hacking group. Microsoft had patched the bug in mid-March, but WannaCry preyed on devices that didn’t have the fix installed. Victims included the UK’s National Health Service, various European telecoms, and thousands more victims in 150 countries around the world.

Perhaps counterintuitively, XData turning out to leverage the same EternalBlue exploit would be for the best, given the general awareness at this point of the need to patch that particular bug. It’s a known problem. “I want to believe they are exploiting [the same flaw],” says MalwareHunter, “because if not, and they still got that crazy amount of victims, that is really bad.”

Even if XData doesn’t have the same efficacy on the world stage (fingers crossed), it still highlights the larger reality that new ransomware families, each with their own tweaks and modifications, constantly surface and affect some number of victims. And attackers learn from both successes and failures. WannaCry showed just how bad things can get when relatively unknown ransomware has the right infection strategy at the right time. It won’t be the last to do so.

Now researchers are analyzing, watching and waiting to see what happens next with XData. The rate of infection ebbs and flows hour to hour, but has been steadily rising overall. “Imagine what would happen if they targeted everyone,” MalwareHunter says.


DDOS Attacks Are Trying to Bring WannaCry Ransomware Back

Over the past year, two digital disasters have rocked the internet. The botnet known as Mirai knocked a swath of major sites off the web last September, including Spotify, Reddit, and the New York Times. And over the past week, the WannaCry ransomware outbreak crippled systems ranging from healthcare to transportation in 150 countries before an unlikely “kill-switch” in its code shut it down.

Now, a few devious hackers appear to be trying to combine those two internet plagues: They’re using their own copycats of the Mirai botnet to attack WannaCry’s kill-switch. So far, researchers have managed to fight off the attacks. But in the unlikely event that the hackers succeed, the ransomware could once again start spreading unabated.

Under Siege

Since the WannaCry ransomware worm began to fan out through the internet Friday, security researchers noticed a curious feature. When it infects a computer, it first reaches out to a certain, random-looking web address, apparently as part of a check that it’s not running in a “sandbox” environment, which security researchers use to test malware samples safely. If WannaCry connects to a valid server at that specified domain, the ransomware assumes it’s under scrutiny, and goes dormant.

Marcus Hutchins, 22-year-old cybersecurity analyst for the security firm Kryptos Logic, spotted that trait last week, and immediately registered the web domain in WannaCry’s code. In doing so, he effectively neutered the malware, cutting short what would have otherwise been a far worse epidemic, and instantly becoming a minor celebrity in cybersecurity circles.

Since then, hackers have directed armies of zombie devices—webcams, modems, and other gadgets caught up in the expansive Mirai botnet—to funnel junk traffic to the kill-switch web address, also called a “sinkhole,” a site security researchers direct malware to in order to contain it. The presumed intention? Knock the domain offline, trigger some of WannaCry’s dormant infections to reactivate, and end the epidemic’s nearly week-long lull.

“Pretty much as soon as it went public what had happened, one of the Mirai botnets started on the sinkhole,” says Marcus Hutchins, the British security researcher who registered the WannaCry kill-switch domain. Since then, he says, near-daily attacks from that first botnet and others built with the same Mirai malware have steadily ticked up in size and impact.

If the DDOS assault did succeed, not all WannaCry infections would immediately reignite. The ransomware stops scanning for new victims 24 hours after installing itself on a computer, says Matt Olney, a security researcher with Cisco’s Talos team. But any time one of those infected machines reboots, it starts scanning again. “The ones that were successfully encrypted are in this zombie state where they’re waiting to be reactivated if that domain goes away,” says Olney.
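For defenders, the kill-switch lookup described above doubles as a detection signal: any internal machine that asks for the sinkhole domain is running WannaCry, and a lookup that fails means the kill-switch check did not succeed for that host. The sketch below is an added example, not code from the researchers quoted here; the domain is a placeholder (this article does not print the real one), and the log format and sample lines are constructed.

```python
import re
from datetime import datetime

# Placeholder: the article does not print the kill-switch domain.
KILL_SWITCH_DOMAINS = {"killswitch-placeholder.example"}

# Constructed log format: "<UTC timestamp> client=<ip> query=<name> rcode=<CODE>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<qname>\S+) rcode=(?P<rcode>[A-Z]+)$"
)

# Constructed sample data, including an unrelated lookup and a malformed line.
SAMPLE_LOG = """\
2017-05-19T09:58:02Z client=10.0.4.17 query=www.example.org. rcode=NOERROR
2017-05-19T10:02:11Z client=10.0.4.17 query=KillSwitch-Placeholder.example. rcode=NOERROR
2017-05-19T10:05:40Z client=10.0.7.23 query=killswitch-placeholder.example rcode=NXDOMAIN
2017-05-20T08:15:09Z client=10.0.4.17 query=killswitch-placeholder.example. rcode=NOERROR
garbage line without fields
2017-05-20T08:20:00Z client=10.0.9.5 query=updates.example.net. rcode=NOERROR
2017-05-20T11:30:45Z client=10.0.7.23 query=killswitch-placeholder.example. rcode=SERVFAIL
"""


def parse_line(line):
    """Return a record dict for a well-formed log line, else None."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    try:
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return {
        "ts": ts,
        "client": m["client"],
        # DNS names are case-insensitive and may carry a trailing root dot.
        "qname": m["qname"].rstrip(".").lower(),
        "rcode": m["rcode"],
    }


def triage(log_text, domains=KILL_SWITCH_DOMAINS):
    """Group kill-switch lookups by client and rank hosts for response.

    Each lookup marks one start of the malware (install or reboot).
    Assumption: a NOERROR answer stands in for "reached the sinkhole";
    any other rcode means the check failed, so the host is not held dormant.
    """
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qname"] not in domains:
            continue
        hits.setdefault(rec["client"], []).append(rec)

    report = []
    for client, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        last = recs[-1]
        status = "dormant" if last["rcode"] == "NOERROR" else "kill_switch_unreachable"
        report.append({
            "client": client,
            "lookups": len(recs),
            "last_seen": last["ts"].isoformat(),
            "status": status,
        })
    # Hosts whose kill-switch check failed go to the top of the queue.
    report.sort(key=lambda r: (r["status"] != "kill_switch_unreachable", r["client"]))
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Hosts reported as dormant are still infected and, per Olney's description, resume scanning after a reboot if the domain stops answering, so both groups need remediation.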

Hutchins says he doesn’t believe the source of the botnet attacks is the original malware authors, but other groups of hackers hoping to kickstart WannaCry again just for the amusement of watching it spread. “They’ve obviously got no financial incentive. They’re not the ransomware developers,” Hutchins says. “They’re just doing it to cause pain.”

Mirai Image

The first DDOS attack, Hutchins says, was so small he barely noticed it. “It was sort of a love-tap from a botnet,” he says. But since then, he’s seen five attacks, trending upward. On Wednesday, Mirai hit the sinkhole domain with its worst flood yet, 20 gigabits per second of traffic. For comparison, that’s less than a 50th of the size of the Mirai DDOS that hit the DNS provider Dyn in September and knocked major websites offline, but 20 times the gigabit-per-second that DDOS-tracking firm Arbor Networks measured as an average attack in 2016.

Hutchins says he has no doubt that he and his colleagues at Kryptos Logic can still keep the attackers at bay. They’ve now enlisted the services of a DDOS mitigation firm that he declines to name—he says identifying it might help the attackers make their attacks more efficient. The service should help absorb any future attacks, and even take over the domain from Kryptos Logic if necessary. But before Hutchins fully engaged that protection service, he says the pressure to keep the sinkhole online and safe from attack was intense. He pulled an all-nighter after registering it to make sure it stayed up, and didn’t sleep more than three consecutive hours until Tuesday.

Even though Hutchins’ domain has protection, it’s not the only one that’s key to preventing WannaCry’s spread. Over the weekend, another variant of the worm appeared, designed to connect to a different web address. Researcher Matt Suiche, the Dubai-based founder of security firm Comae Technologies, quickly registered it to enable a new kill-switch. Suiche says that he’s also experienced at least one DDOS attack against his domain, but declined to say more, or comment on how he’s protecting it.

It’s not clear exactly who’s behind the sinkhole attacks. But Hutchins says he’s fairly sure it’s not the original authors of the WannaCry malware itself. He says the attacks appear to be coming instead from known knock-offs of the original Mirai botnet that began to pop up when Mirai’s creator released the code for the internet-of-things-hijacking tool.

“Now any idiot and their dog can set up a Mirai botnet,” Hutchins says. He believes the attackers are likely nihilistic, low-skilled hackers using public tools to cause mayhem for their own entertainment.

In this case, however, the Mirai attacks are more than a nuisance or a temporary disruption. The WannaCry malware that those attacks seek to reactivate has caused untold thousands of victims to lose data—in some cases, permanently—and even paralyzed life-saving healthcare systems. That makes the repeated attacks on Hutchins’ sinkhole especially sadistic, perhaps even more so than the creation of the ransomware in the first place, Hutchins argues. “The initial developers were doing it for money,” he says. “These people are doing it just for the fun of hurting people. Which I guess is worse.”

WannaCry Ransomware Victims Might Have Some Hope–If They’re on Windows XP

Since the WannaCry ransomware ripped through the internet late last week, infecting hundreds of thousands of machines and locking up critical systems from health care to transportation, cryptographers have searched for a cure. Finding a flaw in WannaCry’s encryption scheme, after all, could decrypt all those systems without any ransom.

Now one French researcher says he’s found at least a hint of a very limited remedy. The fix still seems too buggy, and far from the panacea WannaCry victims have hoped for. But if Adrien Guinet’s claims hold up, his tool could unlock some infected computers running Windows XP, the aging, largely unsupported version of Microsoft’s operating system, which analysts believe accounts for some portion of the WannaCry plague.

No Silver Bullet

On Friday, Guinet released “WannaKey” to the open source code repository GitHub. Guinet, who works for the Paris-based security firm QuarksLab, says the software can pull traces of a private key from the memory of a Windows XP computer, which can then be used to decrypt a WannaCry-infected PC’s files.

Guinet says he’s successfully used the decryption tool several times on test XP machines he’s infected with WannaCry. But he cautions that, because those traces are stored in volatile memory, the trick fails if the malware or any other process happened to overwrite the lingering decryption key, or if the computer rebooted any time after infection.

“If you get some luck, you can access parts of the memory and regenerate a key,” says Guinet. “Maybe it’ll still be there, and you can retrieve a key used to decrypt the files. It won’t work every time.”

In particular, Guinet warns any XP WannaCry victims who might still be able to recover their files to leave the computer untouched until they can run his program. “Do not reboot your computer, and try this!” he wrote in a followup email.

Other security researchers haven’t yet confirmed WannaKey’s prowess, and at least one researcher, Comae Technologies founder Matt Suiche, tells WIRED it failed to decrypt files in his initial test. But other researchers who looked at the tool’s code and Guinet’s notes on GitHub and Twitter say it seems to leverage a genuine flaw in WannaCry’s otherwise airtight encryption—at least on Windows XP. “It looks legit,” says cryptography-focused Johns Hopkins computer science professor Matthew Green. But he warns that whether it works for any specific victim will be partly a matter of chance. “It’s kind of a lottery ticket right now,” Green says.

Decrypt Keeper

WannaKey’s decryption scheme takes advantage of a strange quirk in a Microsoft cryptography function for deleting keys from memory—one that WannaCry’s authors themselves seem to have missed. WannaCry works by generating a pair of keys on the victim’s machine: a “public” key for encrypting their files, and a “private” key for decrypting them if, in theory, the victim pays the ransom. (Whether WannaCry’s sloppy operators reliably decrypt the files of paying victims is far from clear.) To prevent the victim from accessing that private key and decrypting their files themselves, WannaCry encrypts that key also, only making it accessible when the ransomware operators decrypt it.

But Guinet found that after WannaCry encrypts the private key, a Microsoft-designed deletion function also wipes the unencrypted version from the computer’s memory. Apparently unbeknownst to the ransomware writers, that function doesn’t actually delete the key in Windows XP’s memory, only a “handle” that refers to the key. “Why would you have a key destruction function that doesn’t destroy the keys?” asks Mikko Hypponen, a researcher for the Finnish security firm F-Secure who also reviewed Guinet’s work. “It’s really weird. And that’s probably why no one else found it before.”
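What a memory search of this kind looks for, shown as an added example that is not Guinet's code: the leftover material is a prime factor of the RSA modulus in the victim's public key, so any window of memory that divides the modulus evenly is enough to rebuild the private key. The toy primes, the dump layout, the exponent and all function names are constructed for illustration; real WannaCry keys are RSA-2048, and the second test case shows the overwritten-memory failure the article warns about.

```python
"""Rebuild an RSA private key from a prime left behind in memory (added example)."""

E = 65537  # public exponent assumed for this constructed key

# Constructed toy key built from two Mersenne primes to keep the numbers short.
# A real RSA-2048 key uses two 128-byte primes instead.
P = 2**127 - 1
Q = 2**89 - 1
N = P * Q            # the modulus is public: it is part of the public key
PRIME_BYTES = 16     # width of the memory window tested against the modulus


def find_factor(memory, modulus, width):
    """Return (offset, factor) for the first window that divides modulus, else None."""
    for off in range(len(memory) - width + 1):
        # Assumption: the prime is stored as a little-endian integer.
        cand = int.from_bytes(memory[off:off + width], "little")
        # No primality test is needed: the only non-trivial divisors of a
        # two-prime modulus are the primes themselves.
        if 1 < cand < modulus and modulus % cand == 0:
            return off, cand
    return None


def rebuild_private_exponent(modulus, e, factor):
    """Derive the private exponent d once one prime factor is known."""
    other = modulus // factor
    phi = (factor - 1) * (other - 1)
    return pow(e, -1, phi)  # modular inverse (Python 3.8+)


def make_dump(prime=None):
    """Constructed 'memory dump': patterned filler, optionally holding a prime."""
    filler = bytes((i * 37 + 11) % 256 for i in range(4096))
    if prime is None:
        return filler  # models a dump where the key material was overwritten
    blob = prime.to_bytes(PRIME_BYTES, "little")
    return filler[:1000] + blob + filler[1000:]


def recover_and_decrypt(memory, ciphertext):
    """Decrypt ciphertext if a factor of N survives in memory, else return None."""
    hit = find_factor(memory, N, PRIME_BYTES)
    if hit is None:
        return None
    d = rebuild_private_exponent(N, E, hit[1])
    return pow(ciphertext, d, N)


if __name__ == "__main__":
    secret = int.from_bytes(b"constructed-file-key", "big")
    wrapped = pow(secret, E, N)  # what the malware would leave on disk
    print("prime still in memory:", recover_and_decrypt(make_dump(P), wrapped) == secret)
    print("memory overwritten:   ", recover_and_decrypt(make_dump(), wrapped))
```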

It’s not clear how many computers running Windows XP ran into WannaCry. Early in the outbreak, Microsoft rushed out a patch to protect XP devices, and Cisco researchers say that at least Windows XP machines with 64-bit processors were vulnerable to the worm that spread WannaCry starting Friday. The ransomware plague created new fears that XP machines would be caught up in the wave of infections, since Microsoft hasn’t supported that 16-year-old operating system since 2014. The software is still disturbingly prevalent, and even used in some critical systems like Britain’s National Health Service, one of WannaCry’s most high-profile victims.

Regardless of how many infected XP computers there are, WannaKey can likely help only a fraction, due to its rebooting and overwriting caveats. “It’s unlikely a lot of victims have left their machines untouched since Friday,” says F-Secure’s Hypponen.

Still, any hope for WannaCry’s victims and their scrambled data is better than none. And ironically, Hypponen points out, the savior for a fortunate few users could be the idiosyncrasies of encryption software written by Microsoft—the same company that’s widely being blamed for leaving XP users vulnerable in the first place. “We’re not often happy about bugs in Windows,” says Hypponen. “But this bug might help some WannaCry victims recover their files.”

How Boring Old Pension Funds Might Curb Global Warming

If civilization still exists a century from now, Earth ought to throw a parade for pension funds. For all their fiscally conservative stodginess, the people tasked with safeguarding your nest egg are forcing the financial world to pay attention to climate change.

Last week, some retirement funds and church endowments, along with BlackRock, the world’s largest investment bank, approved a proposal that Occidental Petroleum begin researching and reporting its climate-related vulnerabilities. Shareholders of other petroleum companies have petitioned for climate risk disclosure before, but no one’s ever pushed through a vote. These aren’t save-the-planet activist shareholders, either. They’re investment companies whose business is ensuring they have enough money to pay out future financial obligations.

Occidental Petroleum is one of the nation’s largest oil companies. Not surprisingly, it opposed the proposal. But the vote needn’t have happened. BlackRock[1], and other investors, had been asking the company for more than a year to voluntarily disclose its risk. Occidental demurred, saying it already considered the long term risks climate change poses to its business. The rigor of those reports dissatisfied many investors. So they passed a measure calling on the company to, among other things, issue annual reports (starting in 2018) on how things like the Paris agreement—which seeks to limit global warming to 2˚C—will impact its business.

The investment community—despite its cold-as-money reputation—wields significant planet-saving power, says Sangwon Suh, a professor of environmental science and management at UC Santa Barbara. “This is an example of what I call the Trojan strategy, which is where socially-responsible investors can actually make a change in the company’s decision making,” he says. In a December, 2016, op-ed for the Huffington Post, Suh wrote that this “Trojan strategy” was probably the most effective. By contrast, divestment is a strategy where climate-conscious investors pull their money out of environmentally subpar companies. Suh points out that this just makes those shares available for other, morally-ambiguous investors.

But BlackRock, with $5.4 trillion in global assets, is not predominantly concerned with social responsibility. It’s worried about protecting its clients’ assets. Retirement funds—like those that predominantly made up the bloc of shareholders that voted in favor of the Occidental climate risk disclosure—manage smaller funds, but have similar responsibilities. A 2015 white paper outlining climate risks to investment portfolios made BlackRock’s stance clear: “You may or may not believe man-made climate change is real or dismiss the science behind it. No matter. Climate change has arrived as an investment issue.”

Rising seas and higher temperatures might not directly impact an oil company, but government regulations could. In late 2015, nearly 200 governments made a pact to act against climate change when they signed the Paris agreement. During the 2016 campaign, Donald Trump promised to cancel or renegotiate this country’s commitment. As president, however, he’s repeatedly postponed doing anything, probably because fulfilling his promise could place the US at a diplomatic disadvantage. Key trading partners like China, Canada, and the European Union remain committed to their Paris goals.

But from an investing standpoint, those commitments aren’t absolutes. The EU could disintegrate, China’s economy could go crawling back to coal, and Canada could ditch progressive Justin Trudeau in favor of someone hell-bent on slurping Alberta’s tar sands dry. And the US could renege on Paris, inspiring others to do the same. Point is: How are these retirement funds and investors so sure climate will be a risk?

Well, BlackRock and other fund managers read direct climate signals from various economic sectors—say, property insurance, which is seeing rising premiums due to the uptick in severe storms. They also get feedback from a growing number of clients interested in sustainable investing.

Finally, climate policy isn’t a monolith—Paris might not encompass the whole world, but many countries with strong, resilient economies will carry on with their pledges. Let’s say, for instance, Norway places a moratorium on oil drilling. Any oil buried below that nation (and its territorial waters) is stranded. “There’s a small risk of this actually happening, but a huge impact if it actually does happen,” says Suh. “And investment companies look at total risk, which is chance times impact.”

Gigantic investors like BlackRock wield great leverage over a lot of different companies. But even BlackRock’s 7.8 percent share in Occidental Petroleum wouldn’t have been enough to force the company to disclose climate risk on its own. The major push came from smaller funds, like the California Public Employees’ Retirement System and the Texas Teachers’ Retirement System. These are tiny players compared to BlackRock’s $5.4 trillion stake in Occidental—CalPERS holds a mere $203 billion in assets, and Texas Teachers just $133 billion. But combined, these and the other pension and endowment managers held enough shares to push the vote nearly to the brink. Occidental hasn’t disclosed the actual votes, but a similar climate risk vote at last year’s shareholders meeting narrowly failed. Reports are that BlackRock’s weight pushed it through this year.

Of course, not every shareholder that voted in favor did so out of purely financial reasons. The Nathan Cummings Foundation—which co-introduced this year’s resolution—proudly proclaims its activist bent. And CalPERS is known to have progressive values. Even BlackRock isn’t totally cold to ideology. A spokesperson explained that the values of its clients—who are increasingly interested in sustainable investment—go into its financial calculus. “But none of these groups are doing this solely to save the environment or the world,” says Suh. “Their primary concern is whether or not their money is at risk.”

And they aren’t alone. More than 1,500 institutional investors are members of the UN-supported Principles for Responsible Investment, which lists accounting for climate risk among its six tenets. “Together, they represent more than $60 trillion in combined assets,” says Suh. Maybe retirement saving isn’t so boring after all.

1 UPDATE 05/18/17 7:30pm ET — Corrected from BlackWater, which is a private military company (now named Academi).

Preschoolers Hospitalized After School Science Experiment Goes Wrong

Photo: Getty

Twelve students at a Houston preschool were injured on Tuesday when a class science experiment didn’t go as planned. Most reportedly had minor burns but seven of the students had to be rushed to a local hospital.

According to CNN, the incident occurred at the Yellow School which is run by Memorial Drive Presbyterian Church. The students were outdoors watching an unidentified teacher demonstrate how to make colored flames using boric acid and methanol. It’s just the kind of cool science experiment that little kids would enjoy and when it works, it should look something like this. But if you get it wrong, a chemical flash can occur. A similar incident happened in Reno, Nevada at a Discovery Museum in 2014.

Apparently, the teacher had successfully changed the color of the flame a few times but the last one wouldn’t ignite. He added more alcohol to the mixture and the resulting flash injured the observing students. “It was an experiment that went wrong,” church business administrator Bob Giles told a local news outlet. “There was a brief moment of flame and it was put out fairly quickly.”

Hopefully, everyone comes out of this okay and doesn’t let it affect their outlook on science. The last thing we need is a bunch of kiddos at a religious school in Texas being turned off of the subject at an early age.


Chris Cornell’s Last Tweet Shows Just How Surprising His Death Was Last Night at 52

Chris Cornell at the KROQ Weenie Roast Y Fiesta on May 5, 2012, at The Verizon Ampitheater in Irvine, California (AP Photo/Katy Winn)

When a celebrity dies unexpectedly, there’s a strange new ritual that fans partake in as we remember the person’s contributions to our lives. We scour the internet for the social media posts for a glimpse of their last moments. In the case of Chris Cornell, the lead singer for Soundgarden who died last night at the age of 52, we have his last tweet.

The tweet was posted at 8:06pm Eastern time and showed the marquee in Detroit just before his last show. At just 52 years old, we assumed Cornell had a long life ahead. Brian Bumbery, a representative for Cornell, told the Associated Press that his death was “sudden and unexpected.”

Update, 6:03am: Local news in Detroit are reporting that it was a possible suicide:

Sources confirm to 7 Action News that Cornell died at MGM Grand Detroit following a show at Fox Theatre. Detroit police say it appears he died from a possible suicide.

Police say Cornell’s wife called a family friend and asked him to check on his well-being. The friend forced open the door and found Cornell on the bathroom floor, according to police. We’re told Cornell was pronounced dead on the scene.

Aside from Cornell’s own tweets, we also have the social media posts of fans who saw last night’s Soundgarden concert.

Chris Cornell was a huge part of my teenage years as I was discovering rock music in the mid-1990s. And I loved the music that would come to be regarded by the previous generation, Generation X, as not nearly as cool as Soundgarden’s “earlier work.”

The 1996 album Down on the Upside was derided by critics, and Cornell’s first solo album, 1999’s Euphoria Morning, was considered deeply uncool. But to me they were magic. They were the soundtrack of a depressed teenager who had narrowly missed the “cool” era of grunge in the early 90s. Even after Soundgarden split in 1997, Cornell continued making amazing music for kids like me.

Naturally, people are taking to social media to mourn in their own ways. The cause of death has not been determined and Cornell’s family has asked for privacy.

RIP Chris Cornell.

Top GOP Lawmakers Were Secretly Recorded Saying They Think Putin Pays Trump

Photo: Getty

Thanks to the ubiquity of recording devices and the duplicitousness of members of the GOP, we now know that top Republican congressmen were discussing potential collusion between Trump and Putin before he was even nominated. They didn’t care then and they don’t care now.

The Washington Post has obtained a recording from a private meeting between House GOP leaders that happened on Capitol Hill on June 15th, 2016. The Post was able to listen to, verify and transcribe the recording and let’s just say, it looks pretty bad.

Three people are identified in the transcript: Speaker of the House Paul Ryan, House Majority Leader Kevin McCarthy, House Majority Whip Steve Scalise and Conference Chair Cathy McMorris Rodgers. Ryan and McCarthy discuss their meetings with the Prime Minister of Ukraine that day. They talk about Russia funding populist politicians to destabilize Europe’s democracies, and then they shift to how it could be happening here. They mention the incredibly sophisticated propaganda machine that Russia is using, and then talk turns to the DNC hacking that was reported the day before. McCarthy says that he thinks two people in politics are on Putin’s payroll: Californian Republican Representative Dana Rohrabacher, who is known for defending Putin, and Donald Trump. He laughs, but then says, “swear to god.” Ryan then insists that this is just between them, right?

From the report:

When initially asked to comment on the exchange, Brendan Buck, a spokesman for Ryan, said: “That never happened,” and Matt Sparks, a spokesman for McCarthy, said: “The idea that McCarthy would assert this is absurd and false.”

After being told that The Post would cite a recording of the exchange, Buck, speaking for the GOP House leadership, said: “This entire year-old exchange was clearly an attempt at humor. No one believed the majority leader was seriously asserting that Donald Trump or any of our members were being paid by the Russians. What’s more, the speaker and leadership team have repeatedly spoken out against Russia’s interference in our election, and the House continues to investigate that activity.”

Hahahahahaha. It was just a joke. And we know that Ryan has been tireless in supporting Devin Nunes as the head of the House Intelligence Committee. He continually insisted Nunes shouldn’t recuse himself from the Russia investigation even though Nunes very obviously colluded with the White House to muddy the waters of the inquiry.

Does this recording show that they wouldn’t mind if Trump was working with Russia? Not at all. It mostly shows that they understood the gravity of Russia’s political operations, and that once Trump was president, they decided to ignore it and drag their feet on the investigation. Check out this exchange:

Ryan: “Russia is trying to turn Ukraine against itself.”

Rodgers: “Yes. And that’s…it’s sophisticated and it’s, uh…”

Ryan: “Maniacal.”

Rodgers: “Yes.”

Ryan: “And guess, guess who’s the only one taking a strong stand up against it? We are.”

Rodgers: “We’re not…we’re not…but, we’re not.”

McCarthy [referring to DNC hacking]: “I’ll guarantee you that’s what it is…The Russians hacked the DNC and got the opp [opposition] research that they had on Trump.”

Ryan: “The Russians hacked the DNC…”

McHenry: “…to get oppo…”

Ryan: “On Trump and like delivered it to…to who?”

McCarthy: “There’s… there’s two people, I think, Putin pays: Rohrabacher and Trump…[laughter]…Swear to God.”

Ryan: “This is an off the record…[laughter]…No leaks…[laughter]…alright?!. This is how we know we’re a real family here.”

Scalise: “That’s how you know that we’re tight.”


Ryan: “What’s said in the family stays in the family.”


Yeah, there’s a lot of laughter in there. It’s totally believable that they aren’t fully convinced that Trump coordinated with Russia. But, really, that’s not what this whole drama has been about. If Trump really did coordinate with Russia, that would be insane. What we do know is that Russia used many tactics to meddle in our election, a review needs to take place, and Republicans have insisted there’s nothing to see here because they don’t want to jeopardize their power. This recording makes it clear—top Republicans know exactly what they’re doing: putting party before country.

Luckily, Trump pissed off the Deputy Attorney General in charge of the investigation, who proceeded to appoint a special counsel to handle the investigation independently today. Maybe he’ll have some questions for these chuckleheads.

[The Washington Post, Transcript]

HTC’s Squishy New Phone Has All The Things—Even Alexa

Imagine you’re HTC. You were once atop the smartphone heap, making some of the best-designed and most impressive Android devices on the planet. Life was so exciting! Then everyone else kept improving, and you didn’t. Samsung, and Apple, and Xiaomi, and Oppo, and, well, just about everybody passed you by. You’re trying to get back into the game. What do you do?

If you answered “throw a hundred ideas into a single phone and see what happens,” congratulations! You just joined HTC’s product team. The company’s new phone, the U11, sounds like a youth soccer league but is absolutely loaded to the brim with interesting new tech and ideas. There’s Edge Sense, an entirely new interface that lets you gently squeeze the sides of your phone to take a selfie, dictate a text, or open an app—like 3D Touch, only on the sides of the phone instead of the screen. There’s also a new design language HTC calls “Liquid Surface,” a super-refractive (and by the looks of it, super-reflective) glass manufacturing process that makes the phone glisten in the light. HTC’s even touting its audio prowess, which it calls USonic, and incorporates into a pair of noise-cancelling headphones that come with the new phone.

The U11’s most awesome feature is its Alexa integration. It works hands-free, so you don’t have to unlock the phone to use Alexa—and you get all the same stuff you’d get on an Echo. If the Fire Phone had survived, this is how Amazon would have integrated its virtual assistant. Since it’s an Android phone, the U11 also has Google Assistant; you decide which you want to talk to at any given time. And since it’s an HTC phone, there’s a whole other assistant too! The Sense Companion keeps your phone running smoothly, reminds you to leave for work on time, helps with fitness goals, and the like. You could argue three assistants is too many, but we’d say there’s no such thing. Though we’d also like to humbly request a “Hey y’all” wake word to speak to all three assistants at once. And have questions about whether the assistants know of each other, and may get jealous over time. But we digress.

Not interested in lovingly squeezing your phone or chatting with the peanut gallery inside, and just want some super-duper hardware specs? HTC’s got you. The U11 has a 5.5-inch, 2560×1440 screen, and runs Qualcomm’s brand-spankin’-new Snapdragon 835 processor, along with 4 gigs of RAM and 64 gigs of storage. Its new 12-megapixel camera has wide aperture and fast autofocus, and apparently received the highest score ever from DxO Labs, an independent image-quality tester. (The previous winner was the Google Pixel, which has a truly fantastic camera.) Fingerprint reader: check. Waterproof: check. Sprint exclusive: sadly, check.

The Edge Sense stuff is HTC’s biggest swing here, as the company grasps for a genuinely new and useful way to use your smartphone. It sounds clever, actually, but it’s hard to imagine many developers building for one feature on one Android device, which means phone-squeezing is probably forever just a shortcut button. Luckily, the U11 seems to have plenty of other stuff going for it. The phone’s available for pre-order now, starting at $649 unlocked or $29 a month on your Sprint bill. It comes in blue, black, and silver, all of which look good.

Is it enough to make HTC cool again? We’ll have to see how good those photos really are. And how much we like talking to Alexa on the go. But at first glance, the kitchen-sink approach seems like the right one.

5 Tools To Protect Yourself From Ransomware

A devastating global cyberattack called WannaCry has alerted millions of people to the dangers of ransomware. Hospitals, utilities, businesses, and more were locked out of their computers, facing payment demands from anonymous hackers. And while it’s too late for the hundreds of thousands of devices across 150 countries that WannaCry hit, there are a few tools you can use to help limit your own risk, both now and going forward.

After all, WannaCry’s hardly the only ransomware out there. Protect yourself now, before the next one hits.

WD My Passport Hard Drive

Really, any external hard drive backup will do; we just like the WD My Passport for its built-in hardware encryption and three-year warranty. What specific model you go for, though, matters much less than how you use it. The key here? Regularly back up your system, but keep your hard drive disconnected from your desktop. Otherwise, the ransomware will find and encrypt your backup just like it did your main system.

CrashPlan Data Backup

When you think “cloud backup,” you might think “Dropbox.” Don’t! At least not for these purposes. Dropbox offers a lot of value as a syncing service, keeping your files straight across multiple devices. Handy, but not much help if ransomware hits. Instead, look for a true cloud backup service that backs up and encrypts all of your files in a server far, far away. If a hacker locks up your digital life, a cloud backup means you can just wipe and start over with an uninfected version. CrashPlan gets solid reviews from a range of sites for its ease of use and cost, but competitors like Carbonite and Backblaze offer similar functionality.

Windows 10

Are you on an older version of Windows? Are you even (gasp) still using Windows XP? Please stop that immediately. In fact, thanks in part to a big release of NSA tools by a hacking group called Shadow Brokers, you should consider any Windows version other than the very latest a potential risk. You’re past the free Windows 10 upgrade period at this point, but it’s still worth the investment for the added peace of mind. Just make sure that even once you’re up to date, you’re downloading each patch as soon as it becomes available.

Bitdefender Internet Security

Anti-virus software gets a bad rap sometimes, and not without reason. It gets its hooks into so many parts of your computer that if something goes wrong with your AV, your whole system’s at risk. Then again, if ransomware takes over, you don’t have a system to begin with. There are a lot of fine choices here, but Bitdefender stands out for having repeatedly aced real-world protection testing from independent reviewer AV-Comparisons over the last year. And yes, it protects against WannaCry, as would almost any top AV product.

An iPhone

Don’t get us wrong, Android phones are wonderful! But ransomware doesn’t just hit desktop computers. It’s surging on smartphones as well. And while both the iOS App Store and Android’s Google Play do a pretty good job of keeping malicious apps off your phone, the prevalence of third-party app stores for Android makes it a much bigger risk for ransomware infection. An iPhone is your safest bet; just don’t click on any links in spammy text messages. And if you prefer Android regardless, stick with official downloads only.




Trump’s Bodyguard Leaks the Defense Secretary’s Phone Number ‘the Old-Fashioned Way’

Photo: AP

Donald Trump famously doesn’t trust computers. At an event on New Year’s Eve, he told reporters, “You know, if you have something really important, write it out and have it delivered by courier, the old-fashioned way.” Well, a pen and paper screwed him when his bodyguard recently displayed the cellphone number of the Secretary of Defense for all the world to see.

What you see in the picture above is Keith Schiller, Trump’s longtime bodyguard, walking with the president and carrying a folder with Defense Secretary Jim Mattis’s private cellphone number written on a sticky note. We are running the photo blurred but it’s still widely available on the AP wire service. Just to give you an idea of how clear the number is, here’s a zoomed-in version:

Photo: AP

Yeah, it’s almost like they did it on purpose. But no, they’re probably just dumb.

The Washington Post ran this photo on a story about Schiller on May 11th. A concerned reader contacted the Post about the number being visible. And after confirming that it is indeed General Mattis’s phone number, the Post swapped the image out on its website. Gizmodo called the number and it still went to Jim “Mad Dog” Mattis’s voicemail at the time of this post’s publication. It also appears that Mattis is using an iPhone. You get the blue bubble when texting him.

Screenshot: Gizmodo

So, while Trump is embroiled in controversy over leaking classified intelligence to the Russian government, his bodyguard leaked the phone number of the Secretary of Defense, and Trump is still ranting on Twitter about how the FBI can’t find leakers.

RIP Mattis’s inbox, but there’s more to be concerned about. Security experts have warned for years that just having a person’s cellphone number can give hackers a ton of opportunities to break into a person’s phone. A number of techniques have been used to hack cellphones and surely there are methods that aren’t widely known—the kind of methods that, say, other governments might be aware of.

In 2013, an encryption flaw in SIM cards was found that put around 750 million phones at risk. There’s also a famous vulnerability in the global system of mobile phone networks that is known as Signalling System No 7 (SS7). It was discovered in 2014, and if someone has the expertise to exploit it, they could gain full access to the targeted phone’s communications. The vulnerability continues to exist and will only be fixed if telecoms step up and do something about it.

In a news cycle filled with stories about obstruction of justice, massive failures of intelligence and complete incompetence in the White House, this one’s just a blip on the radar. But the careless security mistakes could have major consequences as Trump prepares to embark on a trip around the world. Good luck to us all.

[Washington Post]

Inside the Cult of ‘Carol,’ the Internet’s Most Unlikely Fandom

Just before sitting down to write this, I realized that I’d been staring at Cate Blanchett’s cheekbones for more than two hours. Granted, Blanchett does have empirically wonderful cheekbones, but realizing such a thing can make you feel a bit … obsessive. I hadn’t gone looking for her cheekbones, of course. They just kept popping up, in fan-created YouTube edits of scenes from the movie Carol. In fan-compiled collections of Blanchett’s interviews with Carol co-star Rooney Mara. In Carol-devoted Tumblrs. In Carol-specific GIFs. (A scene of Mara choking on creamed spinach remains a fave reaction shot.) And in lovingly illustrated fan art.

I found a fandom I never would have imagined. Not because it is particularly insular or difficult to find, but because of its character: Like the film it adores, the Carol community is open and painfully earnest. You might even say it feels flung out of space. And by coalescing around Todd Haynes’ critically acclaimed film about two women and their secret affair in the 1950s, it rebuts many of the expectations people hold about the nature of fandom itself.

My pilgrimage started in mid-April, when a colleague mentioned that Carol enjoys an online profile far larger than other films of similar size (Carol, released in 2015, grossed less than $50 million). Yes, Carol inspires the same sorts of fan art Tumblrs, GIFs, Twitter accounts, Facebook groups common throughout fandom. And it generates random news-reaction posts from folks who may or may not be fans of the film, but still have references at the ready—like this reaction to the Fyre Festival debacle.

But I saw something else at play: Carol boosters (Carolinians? #catepeople?) exhibit the kind of devotion typically reserved for subreddits devoted to Dredd. These are the kinds of fans who start an in-joke about something a fan overheard an older woman telling her male companion during a screening (“Harold, they’re lesbians”). This is fandom of the sort you see with any under-appreciated futuristic sci-fi movie, but with a meditative queer drama set in the 1950s. It is, essentially, internet obsession for grownups.

The mid-April spike was no accident. A quick search of the message boards revealed that April 17 is something of an unofficial Carol Day. In the film, that is the day Carol (Cate Blanchett) and Therese (Rooney Mara) reunite. It also happens to be Mara’s birthday—and the date on which Haynes filmed the movie’s love scene. Fans know this because Mara mentioned it in interviews. I know this because of fans. I also know that I could take just about anyone on a walking tour of Carol filming locations throughout Cincinnati (shout-out to Instagram user freakingdorkok and the tour of the “Holy City of Cincinnati”). This is what falling down a rabbit hole feels like.

“The first few months after the film came out I struggled with this weird sense of shame that I loved it too much,” says Allison Tate, a video producer in Los Angeles. “But then I went online and saw the passion of so many people around the world—the beautiful art, and the blogs, and the fan-fiction that people were writing—and realized, no, this is a beautiful thing.”

Such internet group-forming isn’t unique to Carol, obviously. You can find a subreddit devoted to almost anything. It is fitting that it happened to a movie based on a beloved bit of pulp fiction—Patricia Highsmith’s The Price of Salt—but it could easily happen with, say, Moonlight in the next year.

Still, the fact that it exists for a measured drama about two women falling in love says something about how cult movies are christened now. In the days before message boards, B-movies would languish in obscurity, slowly gaining fans via late-night art-house screenings before those fans maybe—maybe—found each other and created something as robust as the fandom of The Rocky Horror Picture Show. Then the internet happened, and people who loved weird things could find each other almost immediately. With that, even movies like Carol could fight their way back into the zeitgeist without waiting a decade or two to get rediscovered.

Aliza Ma, the head of programming for New York’s Metrograph theater, discovered this in a very peculiar way. During its opening month in March, 2016, the Metrograph screened a 35mm print of Carol and hosted a Q&A with Haynes along with the film’s producer and cinematographer. It sold out. So did a second screening. One woman and her daughter showed up with homemade Carol and Therese ragdolls and, Ma says, “shoved them into Todd’s lap.” The movie was so popular the Metrograph held screenings during the holidays and plans to hold more.

“Some theaters are known for showing midnight screenings for films and giving them that life, like what happened with Eraserhead,” Ma says. “Well, people have joked that Carol is our Eraserhead, because we keep showing it and it keeps selling out and it’s just this weird cult that’s developed here.”

Ma doesn’t see Carol’s low-key resurgence as a result of internet fandom, but rather a testament to the ever-broadening idea of what makes a cult classic. Repeated midnight screenings and overzealous video store clerks are no longer the litmus test. Now films gain traction through Netflix recommendations, Alamo Drafthouse double features, social media, and literal word-of-mouth. Sometimes movies gain a following online—like Dredd, or even Pitch Perfect—and others win over cinephiles, who happen to bring that fandom online.

That’s exactly what appears to have happened with Carol. Whip-smart netizens still tweet GIFs of Carol saying “… flung out of space” every so often, but its fans share their love offline, too. They go to Cincinnati, and share it on Instagram. They watch the movie in unison on April 17/Carol Day, then tweet about it together.

And the truly devoted? They make movies about Carol addiction. Carol Support Group arose last year after Tate found super-fans in her own office. Lucky for Tate, she was working as a video producer for Here Media, a company that produces LGBTQ content and agreed to back her movie. The result is an eight-minute short, slated to premiere next month at the Frameline Film Festival in San Francisco, that Tate says tells the story of a “mutiny in a support group of people addicted to the film Carol.” It’s a comedy, but it is no joke. Tate says it represents a real feeling many fans experience.

“Carol Support Group is as much a love letter to the fans as it is to the film,” she says. “Part of my experience of why I made the film is that I had never been in a fandom before. It’s been this fascinating and empowering experience to feel a part of an international family.”


Facebook Unveils ParlAI, a Training Ground For Chatbots

2016 was the year the chatbots took over Silicon Valley. The only trouble: They didn’t really know how to chat.

As Facebook and so many other Silicon Valley players trumpet the benefits of software that can carry on a conversation—apps that book your plane flights or manage your bank account through SMS-like dialogue—the technology still lags behind. In recent years, using what are called deep neural networks, companies like Facebook, Google, and Microsoft have fashioned services that can reliably identify faces and objects in photos, recognize voice commands on smartphones, and translate from one language to another. But building bots that can truly carry on conversations is still proving elusive. It’s an undertaking that requires a far more varied array of AI techniques; researchers are still trying to figure out how the different approaches all fit together, or whether they’ll really work at all.

With these challenges in mind, a team of Facebook researchers has built a new framework for making chatbots chattier—a “training ground” for AI to master a wide range of conversational techniques—not just one or two. “You need to see what a machine learning method can do—which things can it solve, which break it—so we can understand what to fix,” says Jason Weston, a Facebook researcher who specializes in conversational systems. “Just training on one task alone? We don’t think you’re going to get to an intelligent machine that way.”

Facebook’s chatbot training ground is called ParlAI—a play on words well suited to the company’s central artificial intelligence lab, which is littered with French-speaking researchers. And in keeping with its approach to so many of its new technologies, Facebook is sharing this creation with the world at large as an open source tool. The company is offering the software along with a varied collection of public datasets that researchers can use to train their “agents.” The system also ties into Amazon’s Mechanical Turk service, the online retailer’s platform for crowdsourced labor, so that researchers can test their bots in conversation with live humans. In turn, these tests will generate still more data, creating a virtuous circle of chatbot development.

Everyone’s Talking

Facebook’s latest move is part of a widespread effort to accelerate the evolution of conversational AI. All the big internet players—from Google to Amazon to Microsoft to IBM—are pushing in this direction, each hoping to fundamentally change the way humans interact with machines. In January, Microsoft acquired a Canadian startup, Maluuba, that specializes in conversational AI research. Amazon is working to build its own datasets for training bots to converse—key to the success of its Alexa platform. For nearly two years, meanwhile, Facebook has been gathering a particularly complex set of data using an experimental digital assistant called Facebook M.

To reach the goal of machines that can truly hold a conversation, each company is taking a slightly different tack. While Facebook is focusing on neural networks that can learn from existing conversations and other datasets, Maluuba specializes in a technique called reinforcement learning, where bots learn by extreme trial and error. But don’t think of these as competing methods. In the end, success will come from a combination of techniques. “We don’t use systems that try to solve everything with one machine learning approach,” says Yunyao Li, who oversees a natural language research lab inside IBM. “Instead, we use the right machine learning method at the right moment.”

This hybrid approach is the thinking that drove the creation of ParlAI. The training ground can help advance neural network research, reinforcement learning, and whatever else may prove useful. It’s designed to drive the development of new technologies not just from one company but from a world of AI researchers. The ultimate goal is to combine all sorts of methods into a chatbot that can actually chat. “This is not something that any entity—whether it’s Facebook or any other—does all by itself,” says Yann LeCun, the Paris-born researcher who oversees Facebook’s AI Lab. In making ParlAI available as open source, Facebook is signaling once again its belief that there’s more to gain by helping everyone advance toward the same goal than trying to get there alone.


A New Trick for Male Birth Control: Switching Off Sperm’s Power

Condoms have come a long way from the linen and animal bladder sheaths used by the ancient Greeks, Romans, and Egyptians. But the tenets of modern male birth control are no different now than they were then: Keep sperm away from eggs. In the US, some 5.7 million women still rely on the male condom as their primary form of birth control.

But setting up a barrier isn’t the only way to keep sperm from fertilizing eggs. To succeed in their mission, sperm have to be good at two things: swimming and drilling. Most birth control, including condoms, targets the swimming portion of the baby-making biathlon; scientists haven’t been able to pull the plug on the sperm drilling operation itself. But now, using measurements of ion currents inside a single sperm, they’ve found the power switch—and a way to turn it off. The result, they say, could be a more effective contraceptive, and one that would work equally well in men and women.

To make their way from the cervix, through the uterus, and into a fallopian tube, sperm cells beat their tails side to side like a snake cutting across the countryside. It’s good for covering long (relative) distances: Human sperm have to swim 10 to 12 centimeters, or 24,000 times their own body length, to reach the egg. But that tail waggle is totally useless for pushing through an egg’s thick protective layer, called the zona pellucida. That barrier stands between a sperm and its Darwinian destiny.

The head of a human sperm is just five puny microns long. To get through the 30-micron-deep zona pellucida, it has to turn its tail into a powerful drill. Instead of beating side to side, it starts to turn in only one direction, corkscrewing the head forward, through the dense, viscous environment of the egg’s outer layers. Scientists call this maneuver the “power kick.”

And what powers the power kick? A massive dump of calcium ions into the sperm’s tail. (Ion transfer across membranes is how cells generate the electricity they need to power motor function.)

While there are thousands of different kinds of ion channels in every cell in the human body, the power kick relies on just one, found only in sperm. Its name is Catsper. And it only activates to let calcium in when it gets close to an egg and encounters progesterone. Scientists have known about Catsper (the friendly, sperm-specific ion channel) since 2001, when they stumbled across it while studying male infertility. The patients, it turned out, had a mutation in at least one of the nine genes that code for Catsper.

In a paper published today in PNAS, researchers at UC Berkeley screened more than 50 chemical compounds to find a few that could tightly bind with Catsper, gumming up its channel and preventing the calcium dump needed for a power kick. The two most promising ones both come from plants that humans have been consuming for millennia: lupeol, a compound found in mangos, grapes, and olives, and pristimerin, which comes from an ancient medicinal herb known as the “Thunder God Vine.” (Presumably the thunder god didn’t also preside over matters of fertility.)

“This could be used immediately to make a better and more efficient emergency contraceptive,” says study leader and biophysicist Polina Lishko. She points out that one of the biggest controversies over current Plan B options is that they sometimes work by preventing a fertilized egg from attaching to the uterus. That debate leaves current emergency contraception options vulnerable to anti-abortion advocates who believe life starts at conception. “This method is not only 10 times more effective than anything currently on the market, but it clearly prevents fertilization,” Lishko says. “There’s no embryo at any point.”

But it’s the potential for an effective male contraceptive that has Erwin Goldberg excited. A molecular biologist and sperm researcher at Northwestern University, he says the study, from a scientific perspective, should make a compelling pitch to drug developers. “We haven’t had anything new in the realm of male contraceptives since the introduction of the condom,” he says. A number of high-profile injectable hormonal male contraceptives have failed over the years or been stopped short for concern over side effects.

One notable exception is Vasalgel, a gel-like barrier that is injected into the vas deferens to block sperm. In February it passed a primate trial, and is headed towards humans next. The Berkeley researchers are a few steps behind that, but Goldberg still thinks they’re on to something. “As far as developing a new male contraception I personally think this is an important idea,” he says. But, he points out, pharmaceutical companies still have to believe there’s a demand for that sort of thing in order to back expensive clinical trials.

The results Lishko and her team published today came from measurements they made on human sperm in the lab. But they recently began trials in primates to see how long the drill-disabling effect lasts in the body, and to work out proper doses. She expects those results later this year. They’ll be important for the plans she has to start a company and commercialize the compounds within the next three years. The goal is what Lishko calls a universal contraceptive: one that works for both men and women and could be taken either orally or released slowly through an implantable ring. That would bring some much-needed gender equity to the pregnancy prevention pantheon. No drill, no baby, no drill.


Your Fidget Spinner Is (Maybe) Making You Smarter

Skip Suva is a fidgeter. When he worked at paper-intensive administrative jobs, he’d doodle incessantly; when he started a coding career last year, he took up fiddling with an SD-card reader that made pleasant snick noises. “Popping the SD card out and clicking it back in,” he laughs.

His fidgeting can seem like a crazy tic, Suva admits. But it helps him focus. “When my brain is moving a lot faster than my fingers can,” he says, “it feels like I need something to ground myself.”

Recently, Suva bought a tool just for fidgeting: the Fidget Cube, by Antsy Labs. It has six twiddly mechanisms on its faces, and each moves in a fascinating way: a rocker switch, a dial, a set of buttons that go kerchunk. “I love it,” Suva says.

When the Fidget Cube’s creators Kickstarted their gewgaw last summer, they aimed for $15,000—but wound up with over $6.4 million in support and more than 154,000 backers. Now other gizmo makers are doing a brisk business in “fidget spinners,” ball-bearing-loaded devices that spin around satisfyingly when flicked. Teens love them, as do office drones.

Why is fidgeting so hot? Because it’s an adaptation to deskbound lifestyles. Society increasingly demands mental work while enforcing unhealthy, sedentary physical habits. Fidgeting is a way to cope.

It also has cognitive benefits. Julie Schweitzer, a scientist at UC Davis, studied kids with ADHD while they performed mental tests. The more intensely the kids fidgeted, the higher they scored. (The effect didn’t hold for kids without ADHD.) Schweitzer hypothesizes that physical movement arouses us, generating neurotransmitters that improve focus. “They look—their faces—like they’re working harder when they’re moving,” she says. This violates our stereotypes, of course; we assume that deep concentration ought to look like Rodin’s Thinker, a human body absolutely still. But sometimes thought requires motion.

Today’s students and cubicle-dwellers get very little motion in their daily workflow. We barely even need to get up to visit the printer anymore. Hell, modern digital interfaces don’t even have buttons—they’re just sheets of flat glass. The physical environment is losing its physicality.

In this context, maybe the boomlet in fidget items reveals a collective hunger for the pleasures of mechanical motion and tactility. Knitters and crocheters have always appreciated how their activity stills the mind; coders love clicky keyboards. Fidget Cube fans have discovered what these subcultures have always known.

Of course, not everyone fidgets the same way. Katherine Isbister, a gaming researcher, and Michael Karlesky, a product manager for a startup, recently presented a study that uncovered a wild array of strategies. “Repetitive twiddling of something smooth might be calming,” Isbister says, “whereas fiddling with something sharp and clicky might be a way to get your attention going.” Those are just hypothetical, of course. But if Isbister is right, they’re signs of an evolving culture. It feels like people are developing a language of fidgeting.

Now, obviously fidgeting isn’t always good. It can be antisocial: I twirl my hair maniacally when I’m trying to concentrate, which in libraries or offices can drive my deskmates insane. Everyone has had the experience of sitting at a table with someone bouncing a leg. Your own fidget is calming; everyone else’s is massively annoying.

But within reasonable limits, I’m in favor of all our jitters. Frankly, maybe we should start thinking of fidgeting as an untapped energy source. Are you the kind of person who incessantly futzes with your phone or twirls your pen around your fingers? Maybe that kind of motion should regeneratively charge a battery, like Prius brakes do. We could power the world around us—even as we still and sharpen our minds.

This article appears in the June issue.
