Fast Company

Lowe's may not be where most people would expect to find a cutting-edge augmented reality app.

But later this year, the home-improvement company plans to release Lowe's Vision, an app for Google's 3-D smartphone platform Tango that will let customers visualize how new furniture and appliances will look in their homes. It will even take accurate measurements through augmented reality, which means that you can go from mapping out your room to browsing a filtered selection of Lowe's products without having to put down your phone to wrestle with a tape measure.

"Having those measurements allows you to search by the space," says Lowe's Innovation Labs executive director Kyle Nel. "For instance, if the space in your kitchen for your fridge is only a certain size, why would we show you all of the different fridges that don't fit in that space?"

If Lowe's seems like an unlikely place to find such an app, it may be even more surprising to learn that inspiration for the technology came from a comic book.

According to Nel, the North Carolina-based chain actively works with science-fiction writers and illustrators to turn emerging trends that could affect its business into narratives in graphic novel form, which in-house research teams then use to keep market strategies up to date.

"We hire professional, published science-fiction writers and give them all of our marketing research and trend data," says Nel. "There's a whole rigor and process to this, but then they come back with the probable, possible convergence of people trends and tech trends, and what that might look like."

One such storyline focused on virtual and augmented reality, which led to Lowe's Vision.

"When we did this story, it was way before Oculus Rift came out—this was way, way back when nobody was really talking about VR/AR in any meaningful way," Nel says. "And since then, we've been iterating a number of times to help achieve that vision."

The company previously launched Lowe's HoloRoom, which lets customers in select stores visualize customized bathrooms and kitchens through Google Cardboard or Oculus Rift virtual reality headsets. Customers who used this program could experience holographic virtual remodels through Microsoft's HoloLens platform.

"As the technology's improved, it's gotten so much easier to use and so much more intuitive. And you can see that people are more and more engaged over time as a result of that," Nel says.

In addition to launching the Vision app, Lowe's will also be offering Lenovo's Phab 2 Pro phone, expected to be the first commercially available smartphone that supports Google's Tango technology. This is the first time that Lowe's is selling a cell phone, and Nel says the app's capabilities make the device a natural offering for the store.

"The way we think about it is, it's a digital power tool," he says. "It's an incredible phone, but it does so many things that if you're going to be making a major remodel, spending $500 to really make sure that you're visualizing your space and doing all the measurements, for most people we think it will definitely be worth it."

Since Lowe's Vision relies on the Tango platform's 3D orientation technology, it will only be available for Tango-enabled phones, starting with the Phab 2 Pro. (Google's developer kit models will also work, but those are designed for software professionals, not consumers.) The app will even be able to detect and measure flat surfaces like floors, ceilings, and walls, which should help users visualize—and even price—new tile or other flooring materials, Nel says.

"You can even lay virtual objects on top of that tile or that virtual flooring and just iterate over and over and over again, all while choosing to leave—if you want—the actual existing stuff. So you can go around, like, a fireplace if you want," he says.

And if customers go to a brick-and-mortar Lowe's store, the app will help them navigate the aisles housing the merchandise they've previewed on their phones and provide customer reviews.

Lowe's Vision won't be the chain's last foray into virtual and augmented reality, which Nel says the company is committed to "for the long haul."

"We're at this interesting time where we can build things that nobody would have expected a Lowe's to build or be first in the world with," he says. "Because Lowe's is Lowe's, we have the opportunity to provide these technologies to everyone in a real-world setting."

Last week, within hours of deadly terror attacks in Istanbul and Dhaka, Facebook activated its Safety Check feature, marking roughly three dozen times that the company has let people in the area of a disaster instantly tell their friends and relatives if they were safe.

But after Sunday's deadly truck bombing in Baghdad, striking a crowded shopping district and killing at least 250, a secondary outrage grew online: Facebook didn't activate the feature for users in Baghdad until the following day, July 4th, at 6:55pm local time.

"The Facebook's safety check-in for Baghdad comes about 30 hours late from the actual explosions," Razbar Sulaiman, a hackathon organizer and UN specialist who lives in Iraqi Kurdistan, wrote in a blog post, echoing frustrations on social media. "Did it seriously take 30 hours after the explosions to create/consider the safety check-in? I'm extremely disappointed."

Initially, a Facebook spokesperson told Politico that the feature was not deployed following the bombing on Sunday, because "she noted the feature is not used during longer-term crises, like wars or epidemics, because such emergencies have no clear start or end, making it difficult to determine when an individual is 'safe.'"

In an email to Fast Company, however, a spokesperson confirmed that Safety Check did roll out in Baghdad on Monday, but that it was triggered due to a feature introduced last month, "community-generated Safety Check," which is intended to initiate the Safety Check process after a critical mass of users are discussing a crisis on the network, rather than requiring an engineer or employee to begin the process.

"In June we began testing features that allow people to both initiate and share Safety Check on Facebook," she said, adding that the Safety Check sent out in Orlando last month after the deadly nightclub shooting there was also community-generated.

Marcy Scott Lynn, of Facebook's Global Public Policy team, added more detail in an email on Wednesday: "While we have improved the launch process to make it easier for our own team to activate more frequently and faster, we believe that we can make Safety Check even more relevant for people when they need and want it most by empowering communities to identify and elevate local incidents."

The new feature—and the confusion about how Safety Check was activated in Baghdad—reflects the challenges Facebook faces as it seeks to play a larger role in humanitarian crises.

Facebook's public issues with Safety Check are a "great example of unintended consequences," says Timothy Coombs, a professor and crisis expert at Texas A&M University."The company is not in the emergency notification business. It is a sideline, not their core business, so we should not expect them to carefully sort through every global event. The community-based idea takes that decision making and responsibility out of their hands."

Safety Check allows Facebook to push a message following a disaster to users who are in the affected area, asking, "Are you safe?"; Their replies are then automatically distributed to their networks and prominently displayed.

The project is managed by Facebook's Social Good team, which organizes a number of other Facebook safety and humanitarian efforts, like a digital Amber alert system and a charitable donation system. A Facebook intern began developing Safety Check at an internal hackathon after seeing Japanese residents turn to social media to communicate with loved ones after that country's 2011 earthquake and tsunami.

So far, about a billion people have received such notifications since the feature was first used in 2014, after the Philippines was struck by Hurricane Ruby, according to the company. Recently it's expanded its use from natural disasters to incidents of terrorism, beginning with the deadly attacks in Paris in November.

"The Safety Check stuff that we've done, where 150 million people were notified of their friends being safe in the [Nepal] earthquake," CEO Mark Zuckerberg told Fast Company's Harry McCracken last year, "you can only do that if you've mapped out what people's relationships are, and you have a sense of where people are in the world, and you have a tool that they're checking every day."

Between January and May 2016, Facebook activated Safety Check 17 times, compared with 11 times in 2014 and 2015 combined. Via Facebook

After deploying Safety Check in response to the attacks in Paris, the company won praise for enabling people to quickly and easily notify their contacts that they were safe. But others criticized Facebook for not deploying the feature when, just a day before the Paris attacks, a pair of suicide bombers killed dozens in Beirut.

"Since we activated Safety Check in Paris, we have heard positive feedback about how reassuring it is to receive notifications that a friend or loved one is safe,"wrote Alex Schultz, the company's vice president of growth, in a blog post last year. "I personally have received several from people I know and love and have felt firsthand the impact of this tool. But people are also asking why we turned on Safety Check in Paris and not other parts of the world, where violence is more common and terrible things happen with distressing frequency."

Schultz and, in a separate post, Zuckerberg, explained that the policy had initially been to use the feature solely for natural disasters, until the company noticed a burst of activity on the social network after the Paris attacks.

"There has to be a first time for trying something new, even in complex and sensitive times, and for us that was Paris," wrote Schultz.

The challenges of running Safety Check aren't just political, but technical. As Facebook has sought to enable the backend to more efficiently locate people in the area of a disaster, the scale and speed required has been a test for the company's infrastructure and automated systems. How, for instance, to push the feature quickly to all the people likely to be in an affected area? "Previous activations have ranged from a small city in Canada with only 60,000 residents to more than 20 million people in Ecuador after an earthquake. We needed an approach that could handle this range of population sizes with both accuracy and speed, but also remain stable and ready to launch at a moment's notice,"engineer Peter Cottle wrote last month.

His team had to figure out how to prevent the system from overload. "While the above process is quite effective in practice, it could quickly schedule an enormous number of jobs, depending on the size of the affected area and the density of the social graph. If we were to assume that each person on Facebook has 500 friends, we could be scheduling more than 125 million jobs after just three levels of graph traversal. To our automated systems, this would look like the job was growing out of control." That meant locating users likely to be affected by a disaster through their social networks—checking friends of those already determined to be in the area—at a rate fast enough to be effective but not so speedy as to overwhelm Facebook's network limits.

Facebook's isn't the only "safety check" for those who've survived disasters: Google's Person Finder and various open source systems that humanitarian organizations can deploy after disasters offer similar services. But the rapidly growing use and scale of Safety Check raises a number of questions, besides when and where its deployed.

"There is a very slippery moral slope in determining what is a disaster, especially from the safe confines of Silicon Valley,"Wayan Vota, a cofounder of ICT Works, a nonprofit focused on international development technology, wrote on the group's blog. "I don't feel comfortable leaving it up to Facebook to decide which disasters are worthy of social media support or not. I would much rather see the Safety Check feature managed or at least influenced by local Red Cross or Red Crescent organizations and government emergency response agencies."

Others have pondered what kind of stewardship a company like Facebook should have over a system like Safety Check. "What if a person registers that they are okay on one service but not another? What if someone marks someone else as safe (a useful option that Facebook provides) based on inaccurate information?"Slate's Lily Hay Newman wondered last year. "And what if you don't want to answer the question 'are you safe?' when you're lying in a hospital bed after a trauma?"

What other unintended effects come from Safety Check notices spreading across the world's largest social network, and following a terrorist attack in particular, is just a matter of speculation for Robinson Meyer, writing at the Atlantic last year. "On the one hand, maybe it's the sole piece of information you need to know after a major attack: "The people you love are safe. You may pay attention to other horrors than these." Or maybe it reinforces terror's message."

Still, some humanitarian groups have come to rely on the tool during crises. "We've had personnel in the vicinity of a couple of incidents, which whether natural or manmade, our personnel will check in which obviously makes a huge difference to us to know everybody's safe and okay," says Rebecca Gustafson, senior advisor for global communications at International Medical Corps.

The group has also worked with Facebook to discuss disaster planning, and Gustafson says she's sympathetic to the trade-offs between declaring a disaster too quickly versus waiting for more information, particularly when an organization doesn't have staff of its own in the affected areas.

"The biggest thing we always say in emergency response is bad information is worse than no information," she says. "People can criticize emergency responders as taking too long, but the tech community moves at warp speed, and I think being able to take this extra beat to say, is this, is this not, is worth it to verify."

Per Aarvik, the Norway-based president of the Standby Task Force, a volunteer-led humanitarian group that coordinates geographical and other information after sudden-onset disasters, issued cautious praise for Safety Check.

"Both Google and Facebook are global powers, and just as government or large corporations, they are obliged to use their tools for good when needed," he said. "And the more they can do it in kind of an unselfish mode, the better, because they have the really sources to go beyond their day-to-day mission during emergencies or times of crisis."

Choosing When To Activate

The new effort to bypass a human engineer or employee at Facebook when deciding to deploy Safety Check is intended in part to grapple with the technical and political challenges of running the world's largest such service. Last month, Facebook made it easier for non-engineering employees to activate the feature.

"Over the past few months, we have improved the launch process to make it easier for our team to activate more frequently and faster, while testing ways to empower people to identify and elevate local crises as well," said the company spokesperson.

After Paris, Schultz said Facebook would continue to evaluate when Safety Check should be used, though he seemed to caution it might not be appropriate for every disaster. For instance, in the case of an ongoing disaster or recurring violence, the company is reluctant to risk letting users tell their loved ones they're safe, only to then be hurt or killed soon after.

"In the case of natural disasters, we apply a set of criteria that includes the scope, scale, and impact," Schultz wrote. "During an ongoing crisis, like war or epidemic, Safety Check in its current form is not that useful for people: because there isn't a clear start or end point and, unfortunately, it's impossible to know when someone is truly 'safe.'"

After the Baghdad truck bombing on Sunday, a spokeswoman for Facebook told Politico that it has worked with the "global humanitarian community" to identify conflict zones where it won't deploy the feature, including in Iraq, Syria, Afghanistan, and Yemen.

Instead, it was by automatically detecting user discussion around the Baghdad bombing that the "community generated" Safety Check kicked into gear. But the alert was only sent out the following day, and amid a torrent of complaints on social media that Facebook was paying more attention to terrorist attacks elsewhere.

A new internal feature implemented last month allows "trained teams" to begin a Safety Check for a given region. Via Facebook

Trending Crises

Facebook has been experimenting with new ways of deploying Safety Check. Last month, the company made it possible for "trained teams" around the globe to deploy the feature without assistance from engineers, and rolled out an internal "Crisis Bot," so technical issues can be more quickly rooted out. (See sidebar above.)

When it works properly, the "community-generated" Safety Check will enable Facebook to defer to the wisdom of its users as to when the feature should be considered, rather than requiring the company's staff to first evaluate situations around the globe to determine whether Safety Check is appropriate.

"Safety Check is just one tool that people use during times of crisis or disaster, and should be seen as a symbol of how important and impactful technology can be in helping people," Marcy Scott Lynn, of Facebook's Global Public Policy team, wrote by email, "but this is still very early days."

While students have been using flash cards to memorize facts and vocabulary at least since the Victorian era, it's no secret that the study tools can be deathly dull.

Hoping to change that is Duolingo, the Pittsburgh-based company behind the popular language learning app of the same name. On Tuesday, the company released TinyCards, a game-like, modern version of flash cards that automatically tracks what users already have learned and even lets users level up, video game-style, as they progress in their knowledge.

"Duolingo redefined the way millions of people learn languages by making it fun, effective and free," said Duolingo cofounder and CEO Luis von Ahn in a statement. "We're excited to bring that experience to flashcards in order to help school kids suffering through memorization for tests. We also hope this will motivate adults to learn new topics to enhance their lives."

For now, the free app is exclusively available for iOS, though the company said on Twitter that versions for other platforms will be available soon.

TinyCards launched with hundreds of illustrated (and frequently adorable) virtual decks on subjects from languages to science. Users are also able to create and share their own decks on subjects of their choice, from wine pairings to characters from Game of Thrones and Pokémon, according to Duolingo.

Security breaches and digital attacks are a regular part of the news cycle these days. An even scarier reality is that, according to experts, there aren't enough people trained to fend off these cyber raids.

A frequently cited report from networking giant Cisco estimates that more than 1 million worldwide security jobs sit unfilled. And a 2015 report from ISACA (a body formerly known as the Information Systems Audit and Control Association) found that 86% of polled members agreed that cybersecurity is an understaffed industry. Only 38% felt prepared to deal with a sophisticated digital attack.

"I think the shortage is absolutely dire, and it's one of the bigger contributing factors to the failures of information security that we're seeing over the past several years," says Eddie Schwartz, chairman of ISACA's Cybersecurity Advisory Council and president and CEO of the security firm White Ops.

The scarcity of employees with proper skills began around the turn of the century, Schwartz says. It has been compounded by the focus—by both schools and the industry—on training workers in security basics typically required by corporate compliance standards. Consequently, issues like patching known vulnerabilities and installing firewall and antivirus software take precedence over more complex techniques necessary for fending off modern sophisticated attacks. "Most of these compliance frameworks were not tuned to be able to handle a world of advanced threats," Schwartz says.

Also difficult to find are workers with expertise in so-called white hat hacking techniques, like conducting penetration tests to find vulnerabilities, just as malicious hackers would do. "There isn't a real educational track," says Mike Weber, vice president at the Colorado-based security company Coalfire, where he heads up the Labs Division. "There isn't a real career path to get to that end, to become that guy."

Another challenge is that it's difficult to enter the cybersecurity field straight out of college, since graduates need a certain amount of more general tech-industry experience to learn to identify where vulnerabilities might lay—where rushed engineers would take shortcuts to get a server online, for instance, or to ship an app by deadline.

"The way to be able to identify mistakes is to know where where one would make them oneself," Weber says. "It's really a role of reverse-engineering, and in order to be able to reverse-engineer something, you need to be able to forward-engineer it."

To help fill the demand for security professionals, a number of industry groups, including ISACA and universities, are beginning to offer hands-on training in white hat hacking techniques.

Vermont's Norwich University, known as the nation's oldest private military college, offers graduate level courses and certificate programs in cybersecurity that include instruction in forensics and vulnerability management.

"The penetration testing lab itself was developed a number of years ago in response to a direct request from a large company that wanted us to be able to train their in-house IT people in penetration testing," says Rosemarie Pelletier, program director for the university's information security and assurance master's degree program.

Among the programs' students are often security professionals looking to fine-tune their skills and members of the military in need of training to transition into civilian careers. Few have trouble finding work after graduation. "Those with good skill sets, with good, solid credentials, are snapped up in a heartbeat," Pelletier says.

Offensive Security, the company known for developing the Kali Linux ethical hacking-focused operating system, offers its own training and certification programs that are built around hands-on work, not written exams.

"Our base level, foundational level certification is a 24-hour exam," says Offensive Security president Jim O'Gorman. "You connect into a network that has a certain number of systems. You have a number of tasks that are put in front of you. You either accomplish those tasks or you don't. You write a document explaining those results, and then that's graded based on a predetermined and communicated set of criteria. And then you either pass or fail."

But even as training programs turn out graduates, there still just aren't enough applicants to make up for the overall workforce shortage. And until that changes, many companies will continue to outsource security operations to consultants—or outsource IT operations in general to cloud providers. Giants like Amazon, Google, Apple, and IBM have the in-house expertise to keep their systems safe, and big security companies can make their specialists available to smaller outfits that may only need their services sporadically. The dearth of skilled employees makes it difficult for established cybersecurity companies to staff up—and all but impossible for more modest organizations. "If you're in a small or medium-sized business, you must outsource it," ISACA's Schwartz says. "There's just no way to build these competencies at this point."

As the FBI confirmed that it's investigating the recent hack that led to last week's disclosure by WikiLeaks of tens of thousands of Democratic National Committee emails, multiple leading cybersecurity firms are more convinced than ever that the hack was the work of the Russian government.

The hack isn't the first reported attack by state-sponsored hackers on a government or political party: Germany has previously blamed Russian hackers for a digital attack on its parliament and U.S. officials have alleged that hackers linked to the Chinese government stole documents from both major presidential campaigns in 2008.

But, experts say, this is the first time that such documents have been released to the public in a possible attempt to influence the result of a U.S. election.

"We've never seen anything like this here in the States—nothing like this on this scale," says Rich Barger, chief intelligence officer at security firm ThreatConnect. "I think what we saw on Friday is a game changer."

Barger and others pointed at evidence first analyzed in June by security firm CrowdStrike, hired by the DNC to investigate the breach, which indicated that two Russian government hacking groups dubbed Cozy Bear and Fancy Bear had managed to penetrate the DNC's systems.

"Both adversaries engage in extensive political and economic espionage for the benefit of the government of the Russian Federation and are believed to be closely linked to the Russian government's powerful and highly capable intelligence services," the company said in June.

CrowdStrike and other firms, including Fidelis Cybersecurity and Mandiant, have indicated that malware found on DNC computers appears similar to that found in other attacks attributed to the Bear groups. Thomas Rid, a professor of security studies at King's College in London, also wrote in Motherboard that some of the malware included references to an IP address belonging to a remote control server linked to the attack on the German legislature—something Rid compared to an identical fingerprint appearing in two burglarized buildings.

A CrowdStrike representative declined to comment on the matter beyond what the company has already released.

While the ultimate effects of the hack and any additional disclosures may not be known at least until November's election, last week's leak has already managed to stir up plenty of discord in the Democratic Party. After leaked emails revealed apparent hostility by DNC higher-ups toward the candidacy of Vermont Senator Bernie Sanders, leading to the resignation of DNC chair Debbie Wasserman Schultz, The Daily Beastreported that U.S. officials have privately speculated that the attacks were an effort by Vladimir Putin's regime to help Republican nominee Donald Trump win the White House. Representatives from Democratic candidate Hillary Clinton's campaign were quick to point out the leak came soon after Trump's campaign apparently insisted on changes to the Republican platform seen as favorable to Russia, something the Trump campaign derided as "nonsense."

And while some DNC documents were purportedly leaked by a purported Romanian hacker who identified himself as Guccifer 2.0, security experts have argued that inconsistencies in the hacker's story suggest that Guccifer was himself a fiction created by the real attackers.

The hacker claimed that he was able to gain access to the DNC network by reverse-engineering code from political software vendor NGP VAN, but it's highly unlikely that an outsider would be able to get access to the company's code, since it's a cloud-based service made available to political campaigns, not downloadable binary software, according to a ThreatConnect blog post. And, after conducting a Twitter chat interview with the alleged hacker, a journalist from Motherboard reported that his grasp of Romanian appeared unusually shaky to native speakers.

Russia has previously been accused of fabricating bogus organizations to take credit for state-sponsored hacks, including a group called the Cyber Caliphate that attacked U.S. and U.K. government computers and a French television network, ThreatConnect says.

"Here's what we think is going on: Guccifer 2.0 is leaking purported DNC documents of minimal value to Russian intelligence for possible political points in the U.S. and Russian propaganda at home about the failings of democracy and the West," the company wrote.

Still, not every security expert is entirely convinced that Russia's behind the hack: Jeffrey Carr, the founder of security firm Taia Global and the author of the book Inside Cyber Warfare, argued in a Medium post that the evidence just isn't sufficient to conclusively blame the attack on the Russian government.

"There is only circumstantial evidence which these firms are stamping their imprimatur on as their best guess," he said in an interview with Fast Company.

While he says it's certainly possible that the Russian regime is, in fact, behind the hack, he argues that it's also possible that some other party got ahold of the same malware previously used by Russian agencies, or even took steps to make it seem like the Russians are to blame. Finding a Russian-made rifle at a murder scene wouldn't automatically imply that the killer was Russian, he argues.

"Do you automatically say it must be a Russian shooter or it must be Mr. Kalashnikov himself?" he asks, referring to the inventor of the AK-47.

But, other experts argue, it's unlikely that attackers not affiliated with the Russian state would be able to get access to the particular crafted malware tools its agents typically deploy. Even if they could get access to the software used to infect computers, they likely wouldn't know how to control its obfuscated code or have access to the server code with which it communicates, says Barger.

The Russian government has publicly denied being connected to the attack, seemingly mockingly suggesting that the DNC may have simply have had weak passwords, letting even untrained attackers in.

And while those comments seem intended more as taunts, the ultimate lessons from the DNC attack seem to be the same advice typically given after security breaches: Make sure employees are trained to resist phishing emails, a primary vector for malware, and avoid writing anything in email you wouldn't want made public.

"If they're aren't happy putting it down in writing, then it's probably the wrong approach to something, as was really evidenced by this leak," says Peter Bauer, cofounder and CEO of email security company Mimecast. "This wasn't what we would expect from the DNC, and hence the resignation of the person at the top."

When the Olympic Games begin next month in Rio de Janeiro, billions of people are expected to watch athletes from countries around the world compete.

But also watching over the Olympic and Paralympic events will be a set of futuristic, balloon-mounted surveillance camera systems capable of monitoring a wide swath of the city in high resolution and in real-time.

Initially developed for use by U.S. forces in Iraq and Afghanistan by Fairfax, Virginia-based Logos Technologies, the technology is sold under the name Simera, and offers live aerial views of a large area, or what the company calls "wide-area motion imagery," captured from a balloon tethered some 200 meters above the ground. The system's 13 cameras make it possible for operators to record detailed, 120-megapixel imagery of the movement of vehicles and pedestrians below in an area up to 40 square kilometers, depending on how high the balloon is deployed, and for up to three days at a time.

The Brazil sale, which includes four systems operated under an $8 million contract, marks the first export of Simera, and the first time such as system will be deployed by a non-U.S. government at a large-scale event, the company says. "Simera was built late last year and we tested it this past February and then immediately sold four of them to Brazil," says Doug Rombough, Logos's vice president of business development.

Rombough compares Simera to a live city-wide Google Maps combined with TiVo, explaining that it lets authorities not only view ground-level activities in real time but also rewind through saved images to do things like track a suspicious vehicle—for instance, one that departs a crime scene—back to its origin.

The government has announced it will deploy 47,000 security guards, 65,000 police, and 20,000 armed service personnel to patrol the Games, which have raised security concerns amid soaring crime rates in the city and a global burst in terrorist activity. Last week, Brazilian police arrested 12 people alleged to be planning an ISIS-inspired attack on the Games, which have been said to be a target discussed in jihadist chat groups.

The system evolved from technologies Logos previously supplied to the Defense Department for use in combat zones, including the Constant Hawk aircraft-mounted surveillance camera system and Kestrel, a similar balloon-mounted sensor system that's been used in Afghanistan to monitor activity near about a dozen U.S. bases.

There, the company says the technology helped U.S. troops monitor potentially threatening activity as it evolved over days, enabling officials, for instance, to track the movement of suspicious vehicles in the vicinity of an attack. But as Logos's technology continues to evolve and become easier and cheaper to deploy in civilian scenarios, it's likely to raise more questions about the appropriate balance between security and privacy.

Over time, the company's sensor systems have become lighter and easier to deploy: Early Constant Hawk systems weighed about 1,500 pounds, Kestrel units weighed around 150 pounds, and Simera systems just 40 pounds, expanding the range of aircraft that can carry the devices. Including the ground-based equipment necessary to control and monitor the cameras, the Simera system—which generally costs $500,000 to $900,000 per unit, depending on features— can be transported in a single vehicle and put into an operation in under three hours, according to Logos.

And as the company's systems have gotten lighter in weight and easier to deploy, the range of potential use cases has expanded. In addition to policing large events and patrolling borders and ports, the company hopes its system could prove useful in supporting humanitarian assistance and disaster relief missions.

A 2013 video describing the Kestrel system

"We see Simera not only being used for the Department of Defense but, we believe, event security, disaster relief, or even protecting wildlife from poachers in national parks," says Rombough.

In 2012, a weeklong test of Kestrel's potential by the Department of Homeland Security led to 80 arrests near the Mexican border in Nogales, Arizona, the company said. The company has also recently been testing Redkite, a smaller sensor system designed for mounting beneath small planes, helicopters, and tactical unmanned aircraft, and, Serenity, a system that includes an acoustic sensor and can be mounted on drones or on lower-altitude towers.

The Simera systems will likely be deployed outside four Olympic venues, Rombough says, though Logos won't be involved in the day-to-day operations of the units, which are being deployed by Brazilian Ministry of Justice contractor Altave. Operators will be able to monitor multiple camera angles at once—the system can provide up to 10 video windows within its field of view, and Rombough says operators can generally pay attention to data from up to about eight feeds at any given time. As many as six users can watch different parts of the full captured image as if they were independent Pan, Tilt, and Zoom (PTZ) cameras, and use a DVR-style rewind feature to scan through up to eight hours of cached footage, says Logos. (The Simera systems omit some infrared night-vision capabilities that were available in military models, making it easier to sell outside the U.S. under export control rules.)

Generally, Rombough says, Simera's only limiting factor is the time that a balloon or aerostat can stay in the air—typically up to three days before more helium is required—and the weather. "The most important part for us to make sure that our sensor can handle more turbulence and winds and that type of stuff than the balloon itself can handle so we're not the restricting part of that type of system," he says. "If the balloon can stay up itself, then we're able to stay up and provide good imagery."

While the image clarity from Simera's sensors is good enough to follow individual people and vehicles as they move about the city, it's not high enough resolution to make out individual faces or license plate numbers, Rombough says. However, a higher resolution video camera attached to the same balloon, which captures images at 60 times that of full HD resolution, or 15 times 4K, at three frames per second, will allow operators to get a closer look at anything or anyone that looks suspicious.

"It's good enough to track people on the ground, and of course to track vehicles, and at any given time, if you see something suspicious, and you want a closer look, that's when you cue that full-motion video camera system that hopefully is flying on the same balloon or aerostat with you," he says.

When it comes to privacy concerns, Rombough says it's ultimately up to the operating agencies to follow applicable rules about what's allowed. "I guess it's like any Homeland Security or law enforcement tool—these systems will be subject to the government rule and regulations, and we'll let the appropriate agencies deal with that," he says. He argues the systems are only monitoring outdoor, publicly visible activities that could already be tracked with existing tools like police helicopters.

Still, courts and privacy activists have wrestled with the privacy implications of other technologies that make widespread, mass surveillance more practical and inexpensive. Simera and similar systems would seem to make monitoring wide swaths of cities much easier than would be possible with circling helicopters.

Jay Stanley, a senior policy analyst at the American Civil Liberties Union who's written in the past about drone-based surveillance, says the privacy risks from deploying the technology in a U.S. city would simply be too great to justify its use.

"It's a tremendously powerful surveillance technology that has the potential of monitoring the whereabouts of everyone in a town or city, and that is just too much power to allow the government to wield," he says. "While every technology has its benefits, at a certain point we say no, because the privacy invasion is too significant."

Stanley says it's not entirely clear how courts would rule on domestic police use of such a tool, since most laws haven't been written with such technology in mind, though he says it's possible courts would consider such surveillance an unconstitutional search, citing a 2012 Supreme Court ruling that police GPS tracking of a private vehicle requires a warrant. And, he says, a plan by a Utah police department to monitor high crime areas from an unmanned blimp was denied by the Federal Aviation Administration, saying the "nocturnal surveillance airship" was too much of a risk to other aircraft.

But with security concerns on the rise across the globe, Rombough says the company's exploring a wide variety of business opportunities.

"We've kind of got fishing lines in the water in a lot of different areas," he says. "We kind of believe this is a kind of technology, as the world continues to be in upheaval security-wise, that people are gonna want this more and more."

Updated: July 27, 2016 11:53 am

Phishing In An Olympic-Sized Pool

Olympics fans will be seen as a lucrative target for email phishing attacks, just because there are so many of them, warns Fischer. One avenue will be scammers selling counterfeit tickets to those planning to attend the Games—something security firm Kaspersky reported finding online this spring.

"On phishing websites users have been asked to provide personal information—including bank account details—to pay for the fake Olympic Games tickets," the company warned. "After extracting this information, criminals use it to steal money from victim bank accounts. To sound even more convincing, fraudsters are informing their victims that they will receive their tickets two or three weeks before the actual event."

In a report published last week, the U.S. cybersecurity research firm Fortinet warned of a recent surge of suspicious websites in Brazil. "The volume of malicious and phishing artifacts (i.e., domain names and URLs) in Brazil is on the rise," the company wrote. "The highest percentage growth was in the malicious URL category, at 83 percent, compared to 16 percent for the rest of the world."

Fraudulent emails and social media posts will also likely offer links to video clips, downloadable apps, games, and other content that can distribute malware to those watching from home, security experts say. That's happened at past major sporting events, like when phishing attacks targeted soccer fans around the 2014 World Cup. Security experts also reported similar phishing attempts revolving around that year's Winter Olympics in Sochi, Russia.

"All of these are looking at scamming you in some way to get personal data or to get access to your machine," Fischer says. "Ransomware is the big thing right now—I think we'll see a lot of phishing scams that will either direct you to downloading a piece of malware or running a piece of malware out of the email."

Email scammers may also invite fans to gamble on the Games, with criminals themselves betting that those trying to place illegal wagers will be less likely to call police if something goes wrong, says Samir Kapuria, senior vice president of Cyber Security Services at Symantec.

Some security software, including Kaspersky's, has already begun to filter out bogus domain names with strings like "rio2016" in them, and even users not using such software can take basic precautions, like questioning any offers that just seem too enticing.

"The first thing is to just be aware that these things exist," says Kapuria. "If something looks too good to be true, it likely is too good to be true."

Bank card readers and ATMs are yet another vulnerability, IT security firm Trend Micro has warned. In one scheme, chip-and-PIN machines—long used in Europe and often considered secure—can skim information from chips and the four-digit PINs that cardholders enter. In another scheme, a card fitted with a doctored chip can insert malware into legitimate card readers, which transmits future card information and personal data to thieves, who can quickly clone the cards. Another common scheme in Brazil involves so-called Chupa Cabras, plastic skimmers inserted into the card slots of ATMs.

Last year, 49% of Brazilians reported experiencing some kind of credit card fraud—an annual jump of 19%. Only Mexico beat Brazil, with a card fraud rate of 56%, according to a survey by ACI Worldwide and the Aite Group; the U.S. is in third place with 47%.

Last week, a reporter for a North Carolina newspaper reported that his card was hacked immediately after using it at the gift shop at the IOC press center. And on Friday, two McClatchy reporters in Rio said their cards had been hacked and cloned soon after arrival.

Visitors also shouldn't accept any kind of promotional USB sticks distributed by advertisers, since they can also carry malware, warns security company Tripwire. "Putting an unknown USB stick into your device is simply asking for trouble," says a statement from the company.

Watching Out For Counterfeit Hotspots

Fans attending the Games will inevitably want to share selfies or just get some work done while in Rio, meaning they'll be searching for Wi-Fi hotspots to let them get online. Criminals are likely respond to that impulse by setting up rogue Wi-Fi access points that surreptitiously log activity and data, including unencrypted usernames and passwords, or even inject malware into web traffic, warns Fischer.

"[They'll] be able to capture all the traffic and read it as it's going through or analyze later to extract usernames and passwords," he says.

In an analysis last month of over 4,500 unique wireless access points around Rio, Kaspersky found that about a quarter of them are vulnerable or insecure, protected with an obsolete encryption algorithm or with no encryption at all.

Secure and insecure Wi-Fi hotspots in Rio, according to a July analysis by Kaspersky Labs

During last month's Republican National Convention in Cleveland, security firm Avast Software tested attendees' awareness about Wi-Fi security by setting up access points with a mix of pro-Republican network names and others mimicking brands like Starbucks and AT&T. More than 1,200 people connected to the networks, which could have put them at risk had the hotspots been set up by someone malicious, the company said.

Olympic officials might be able to detect and shut down any rogue access points that pop up at event sites themselves, but it would be considerably more challenging for them to do so everywhere tourists would gather, says Fischer. "The problem lies with when it's actually going to outside the event perimeter."

Those who do use open wireless access points can help keep themselves safe by using virtual private networks, which will encrypt traffic even before it passes over the air to reach the access point, says Kapuria.

"If you're using an open Wi-Fi, a VPN is the right way to encrypt your traffic and make sure that's secure," he says.

Stockholm-based wireless technology provider Aptilo Networks has said that it's working with telecom companies to provide wireless connections at Olympic venues, transportation hubs, beaches, and cafes in the Rio area. The company has said that it's taking steps to ensure security and suitable bandwidth for those visiting for the Games, though it wasn't able to make someone available for an interview to discuss those steps in detail. Brazilian telecom company Linktel has said it's working with Aptilo and with international Wi-Fi carriers like Boingo and AT&T to let their subscribers connect to its network with their own credentials.

Messing With The Games Themselves

It's also possible that activist hackers or other digital miscreants will try to tamper with the infrastructure surrounding the Games themselves.

"The biggest [attack] they'll have is potentially someone trying to do a denial of service," says Fischer. That is, someone may attempt to disrupt the networks officials use to communicate scores and other data in an effort to disrupt the tight event schedule, he says. One possible attack would be to jam official wireless networks, or to inject data packets that force the networks to repeatedly disconnect, making it hard for data to get through.

Denial-of-service attacks often rely on botnets, servers that have been commandeered by hackers to overwhelm computers with data requests. According to Symantec's 2016 Internet Security Report, "Brazil was one of the top 10 countries for Botnet attacks."

"If you do a denial of service, you're going to disrupt the games, and that's going to look bad, and have more impact that anything else," says Fischer.

Ideally, organizers will be able to log those types of attacks, and use signal detection hardware to find where the rogue broadcasts are coming from, he says.

In a statement to Bloomberg, Atos SE, the France-based information technology partner of the International Olympics Committee (IOC), said that cybersecurity is a "priority" and that it "has implemented the latest cybersecurity technologies to protect the games IT infrastructure and systems."

Related Video: Are The Olympics Really Worth It?

A new cybersecurity approach could keep your data safe.

The program coordinator at the Catholic Charities of Santa Clara County in California never suspected that an email she received earlier this year contained anything more than the corporate invoice it claimed. But as soon as she opened the attachment, malware began to encrypt data on her computer. The breach threatened to expose far more than just her personal files: In order to provide its customers with health care, immigration assistance, and other social services, Catholic Charities handles the medical and financial records of more than 54,000 people each year. Of all the cybersecurity systems—including firewalls and antivirus software—that the nonprofit had in place to shield those sensitive documents, only one flagged the intrusion.

The security breach was detected by the flagship product created by Darktrace, a U.K.-based cybersecurity company founded in 2013. Just days before the malware attack, Catholic Charities had begun testing Darktrace's pioneering new technology, the enterprise immune system (EIS).

Modeled after the human body's immune system, the EIS embeds in a computer network and learns what behavior is considered normal for that system. It can then spot suspicious activity and even work to slow an attack, just as the human immune system releases antibodies at the first sign of invasive cells.

Darktrace's immunity approach represents a compelling new take on cybersecurity. The $75 billion industry is under mounting pressure to evolve beyond traditional methods as dated systems have failed to prevent high-profile hacks on major businesses. With attackers increasingly relying on fast-moving algorithms to carry out highly sophisticated security breaches—such as those that have recently compromised major universities and hospitals—Darktrace is responding in kind, creating complex formulas that allow machines to continuously scan entire networks and register anomalies that other advanced systems may overlook. Its technology, built in part by former members of the British Intelligence Agencies MI5 and GCHQ, is intended to support—and enhance—existing systems.

Self-defense

How Darktrace halts a hypothetical ransomware attack

Breach

An HR employee opens an attachment believing it is a résumé. His computer connects to a server in Eastern Europe; ransomware begins encrypting files.

Recognition

The EIS spots an anomaly: No device in the company's network has ever connected with this server.

Reaction

As ransomware encrypts documents, Darktrace flags the employee's computer for accessing so many files.

Response

Antigena, Darktrace's system for slowing attacks, limits the number of files the employee's computer can open and blocks its access to shared folders and corporate email.

notification

Within a half-hour of the breach, a Darktrace analyst sees the activity and tells the company to remove the computer from the network. Some of the computer's files have been compromised, but the ransomware did not spread through the network.

Where most cybersecurity companies focus on teaching their technology to recognize the digital footprints of malware (which can quickly become outdated as new attacks emerge) or building firewalls to block intruders, Darktrace takes a more hands-off approach. Rather than rely on humans to feed them specific examples of suspicious behavior, its algorithms train themselves to find abnormalities—a technique that's known as unsupervised machine learning.

"The concept of Darktrace says that [as attacks become more sophisticated] you're not going to be able to keep the bad stuff out," says Vanessa Colomar, a member of Darktrace's board of directors. It's far more effective to figure out how to stop attackers once they're in. CEO Nicole Eagan says the EIS has been deployed in more than 1,000 networks worldwide, with clients ranging from a two-person hedge fund to a global bank. Once the hour-long installation is complete, the EIS searches for new threats while also examining the network for existing breaches. "Within the first and second weeks, we find things out of the ordinary in about 80% of the Fortune 500s we're deployed in," says Eagan. "It's things their legacy tools totally missed."

That success has helped accelerate the three-year-old company's growth. Of the companies that have registered for its 30-day free trial, about two-thirds have become paying customers. The company, valued at $400 million, now has 20 offices, including outposts in New York; Hong Kong; Warsaw, Poland; and Milan.

Darktrace's use of unsupervised machine learning comes with certain benefits: Since there are no assumed rules about what a hack looks like, attackers can't simply tweak their code to dupe the system. And since the EIS operates as an observer, there's no barrier that hackers could try to disable.

"What we're really passionate about is that there's no one algorithm that rules them all," says Dave Palmer, Darktrace's director of technology. "We've got a dozen different machine-learning techniques, all fighting to be the best representation for your specific setup."

Not everyone agrees that unsupervised machine learning is the best approach to cybersecurity. Supervised learning—the technique used by antispam filters, in which algorithms are taught to discern between junk mail and the real thing—can help eliminate false positives that sometimes result when an unsupervised system reacts to a routine change within a network. (For example, an algorithm might notice that data is suddenly being transferred to Dropbox and flag it as a security violation, when in fact the company just added Dropbox as an official storage tool.)

Avoiding such confusion is why some security companies take a hybrid approach of supervised and unsupervised machine learning. PatternEx, which launched in February, uses unsupervised learning to scan for abnormalities, then presents its data to a human analyst to distinguish true attacks from false positives. In a recent study, researchers from PatternEx and MIT found the system caught 85% of attacks, while delivering fewer false alarms than unsupervised learning alone. There hasn't been a similar lab study completed on Darktrace, though Eagan says her system—despite being totally unsupervised—typically generates five to 10 alerts per client per week.

Eric Ogren, a senior analyst at IT advisory firm 451 Research, says that most businesses will likely opt for the headache of false positives if it means a more secure network. "What's the bigger risk, that you chase down a false positive, or that someone makes off with your customer data?" he asks. "I think that within five years, unsupervised machine learning is going to be driving security architecture."

Can machine learning help government agencies track down terrorists? A secretive arm of the business intelligence firm SAP says yes.

A specialized division of the business software powerhouse SAP (System Application Products) is building tools to harness machine learning and artificial intelligence for antiterrorist intelligence missions and cybersecurity—though details of how exactly the software has been used are shrouded in secrecy.

SAP National Security Services, which describes itself as an independent subsidiary of the German-based software giant that's operated by U.S. citizens on American soil, works with homeland government agencies to find ways to track potential terrorists across social media.

"One [use] is the identification of bad actors: People that may be threats to us—people and organizations," says Mark Testoni, president and CEO of SAP NS2, as the company is known. "Secondarily, once we've identified those kinds of players and actors, we can then track their behaviors and organizations."

SAP NS2 is also working with cybersecurity firm ThreatConnect to use some of the same underlying technology to track intruders and menaces in computer networks in real time, the companies announced this week.

And in the national security sphere, NS2's government partners—Testoni says he's not at liberty to name specific agencies—use SAP's HANA data processing platform to analyze thousands of terabytes of data from social media and other public online sources.

"There have been success cases, I can tell you," he says. "Unfortunately, I can't tell you about any of it."

Many experts have argued that social media has been key to the rise of ISIS and the spread of support for the organization around the globe. Democratic presidential nominee Hillary Clinton is one of the politicians who has called on social network operators to take down extremist content, and agencies including the Department of Homeland Security have recently sought to study the technical aspects—and legal and privacy ramifications—of tracking publicly accessible social posts.

In 2003, federal plans for a massive global digital surveillance program dubbed Total Information Awareness came under heavy scrutiny due to privacy concerns, and the project was eventually defunded by Congress. But critics have said similar surveillance programs quietly continued at agencies, including the National Security Agency, with a level of secrecy that makes it difficult to judge their effectiveness or potential privacy violations.

In the case of SAP NS2, the underlying HANA system is designed to store huge quantities of information in memory, rather than on disk, for speedy access and processing. It organizes data by columns storing the same type of information from different records, rather than by rows corresponding to individual records, a time-and-space-saving technique shared by big data platforms from other vendors including Amazon and Oracle.

It also includes features for network graph analysis, automated machine learning, and sophisticated text processing that can extract meaning from written language, including online posts, according to Testoni.

This is useful when it comes to monitoring potential terrorists. "They're online communicating to their followers and recruiting using social media and digital platforms, so that kind of sentiment analysis is helpful in identifying those platforms and tracking them," Testoni says. "We're trying to help identify threats with customers, and once we find them, and we identify people and organizations, then it becomes a little bit easier because then you can potentially track them."

The tools can help analysts detect relationships between suspects and track data from multiple sources in real time, flagging anomalous patterns or feeding risk models that identify potential threats, the company says.

"You'd be looking for activity on social media, either known or potentially known accounts and others, and establishing the other connections that may be associated," says Testoni, adding that one partner tracks about 30 online sites in several languages.

According to the company, a HANA-based system has proven powerful enough to parse a large set of simulated military documents, extracting the people, places, and events described in them.

For ThreatConnect, HANA provides processing speed that helps clients keep track of potential security-related events happening on their networks in real time, while also reducing the number of false alarms about harmless noise, says the company's cofounder and CEO, Adam Vincent.

"It allows our software to be effectively super-powered around faster and more sophisticated analytics," Vincent says. "In particular, the ability to process more data in real-time and do real-time analytics on incoming events, so that we can filter out the noise faster. Most organizations today are getting tens of thousands of alerts every day—humans can't possibly comb through them all."

ThreatConnect's systems, which the company has integrated with HANA through a collaboration with SAP NS2, can help clients track cybersecurity the way such tools as Salesforce manage customer relationships. Ideally, they can replace more ad hoc methods that can leave security personnel struggling to stay up to speed, particularly as many companies are grappling with a skills shortage.

ThreatConnect also functions as an "expert system," effectively automating the thought processes that humans go through to determine which network activities are threats. This service will improve as the company integrates HANA's machine learning support.

Says Vincent, "What we're trying to do with this product is help the security professional do their job faster, and there's never been a time when that was needed more than it was today."

A combination of complex legacy computer systems and strict uptime requirements make more of these disruptions almost inevitable.

After a data center outage caused Delta Air Lines to cancel more than 2,100 flights this week, Delta CEO Ed Bastian said the company's doing everything it can to make sure such an event never happens again.

"This isn't the quality of service, the reliability that you've come to expect from Delta Air Lines," he said in a statement, after the company offered $200 vouchers to customers whose flights were canceled. "We're very sorry. I'm personally very sorry."

But experts say the airline industry's legacy computing systems, 24-hour uptime requirements, and difficulties attracting top technology workers could make preventing future similar outages a major challenge.

"The airlines are dealing with a hodgepodge of equipment that's been cobbled together over the years," says George Hobica, the president of Airfarewatchdog.

Industry mergers have meant airlines have interlinked systems, sometimes decades old, from a range of legacy carriers, all without the luxury of ever shutting down their systems for maintenance, he says. While other businesses can occasionally shut down their computer systems for scheduled or even emergency maintenance without a public outcry, airlines simply can't track passengers, baggage, planes, or crew without their technology systems, he says.

"In order to fix the No. 2 [New York subway] line, the MTA sometimes has to shut it down," Hobica says, but airlines never plan to ground flights or shutter reservation systems to do upgrades or maintenance. And they're also competing with technology companies that can often offer more pay and prestige to hire workers with the skills to keep tech systems up and running, he says.

"Good IT talent is really hard to find," he says. "And if you're a superstar, are you gonna work for Delta because you get free flights now and then, or are you gonna work for Google or Facebook, or a billion dollar startup that is giving you stock options?"

And, says Joseph George, vice president of global recovery services at Sungard Availability Services, air travel can be a particularly unforgiving field when it comes to computer problems: Outages in a variety of systems can make it difficult to check in customers or dispatch planes, quickly wreaking havoc for the traveling public and costing airlines huge amounts of money.

"They've got more mission critical customer facing applications, so when there is downtime it's immediately obvious," he says.

Delta attributed the service disruption to a fire in an uninterrupted power supply component, which led to a power outage at the airline's main Atlanta data center that wasn't properly handled by the airline's backup systems.

"Around 300 of about 7,000 data center components were discovered to not have been configured appropriately to avail backup power," the company said. "In addition to restoring Delta's systems to normal operations, Delta teams this week have been working to ensure reliable redundancies of electrical power as well as network connectivity and applications are in place."

But similar service issues, attributed to different technology failures, have affected other airlines in recent months: A router issue led to the cancellation of more than 2,000 Southwest Airlines flights just last month, reportedly costing the airline more than $54 million, and similar issues caused widespread disruptions for United Airlines and American Airlines flights last year.

"It seems like the redundant systems are not working," says Billy Sanez, vice president of marketing at travel search engine FareCompare.

One issue, he says, is that airlines' flight networks are so intertwined that any disruptions to service quickly cascade through the country or even the world. With planes scheduled to make multiple stops throughout the day, a cancelled takeoff can lead to two or three more cancellations at the aircraft's next destinations. And while airlines may be able to operate a limited schedule without computer systems, operating a full slate of flights with pen and paper just isn't practical, he says.

"You can do it manually, but instead of doing thousands of flights a day, you can probably do a hundred a day," Sanez says.

The bottom line, he says, is that travelers shouldn't be completely surprised to see flights grounded by computer problems in the foreseeable future.

"As passengers, you always have to be prepared for things like this," he says. "No meeting is too important. No vacation can't be rescheduled."

So-called "overlay malware," which impersonates other apps' login screens, is becoming increasingly prevalent.

For years, security firms have warned of keystroke logging malware that surreptitiously steals usernames and passwords on desktop and laptop computers.

In the past year, a similar threat has begun to emerge on mobile devices: So-called overlay malware that impersonates login pages from popular apps and websites as users launch the apps, enticing them to enter their credentials to banking, social networking, and other services, which are then sent on to attackers.

Such malware has even found its way onto Google's AdSense network, according to a report on Monday from Moscow-based security firm Kaspersky Lab. The weapon would automatically download when users visited certain Russian news sites, without requiring users to click on the malicious advertisements. It then prompts users for administrative rights, which makes it harder for antivirus software or the user to remove it, and proceeds to steal credentials through fake login screens, and by intercepting, deleting, and sending text messages. The Kaspersky researchers call it "a gratuitous act of violence against Android users."

Overlay malware screenshots via Security Week

"By simply viewing their favorite news sites over their morning coffee users can end up downloading last-browser-update.apk, a banking Trojan detected by Kaspersky Lab solutions as Trojan-Banker.AndroidOS.Svpeng.q," according to the company. "There you are, minding your own business, reading the news and BOOM!—no additional clicks or following links required."

The issue has since been resolved, a Google spokeswoman said in an email, adding that there's no indication the attack ever affected more than one website. The company has said in the past that it works to block malware attacks from third-party ads distributed through its networks. The effort has become increasingly critical as Google and other advertising networks try to dissuade users from filtering out ads altogether with adblocking tools, which also aim to reduce ad-delivered malware and the web beacons used to track users across websites.

Researchers from Kaspersky have reported a 15.6% increase in the number of financial malware in the second quarter of 2016, compared to the previous quarter, as well as a continuing .

Beware Of Sideloading And Malvertising

The creators of such malware can charge would-be fraudsters thousands of dollars on underground hacking marketplaces for mobile malware tools that deploy such bogus login pages, often in conjunction with other features like the ability to intercept SMS messages, according to research by Limor Kessem, an executive security advisor at IBM Security.

Attackers then send phishing-style SMS messages to mobile users to encourage them to install apps containing the malware, sometimes even soliciting their phone numbers through pop-up messages on PCs in order to send a link to the malicious apps, she tells Fast Company.

"It's usually some sort of social engineering that would get them to install this application," Kessem said, though users should also be concerned about the rise in ad-distributed malware, sometimes called malvertising.

"Due to the popularity of malvertising and the ability of cybercriminals to exploit ad networks even on very well known websites... this vector is increasingly potent," she said. "Security professionals often recommend disabling/blocking ads to reduce the risk of drive-by infections."

When a phishing link is sent via text, it might be a bogus notification about a package delivery that needs to be tracked through a specialized app, an invitation to participate in an app-based poll, or anything else attackers can think up, said Jimmy Su, director of threat research at security firm FireEye. And if the phishing messages are effective enough, the malware can more than pay for itself.

One malware maker recently raised prices from $5,000 to $15,000, not including monthly service fees, after adding new features, according to Kessem.

"The initial version of this from last November was distributed on a Russian hacking forum, and they were advertising a service where they would charge a certain amount of money per month to provide this command-and-control [server] where they would store the logins and the passwords, and also the customization of the application," said Su. "Then we can see that these kind of logins and passwords can be purchased on the black market, and that's how the cycle of the economics works."

Screenshot of Svpeng trojan, via Kaspersky Labs

Generally, attackers have targeted phones running Google's Android operating system, which has a larger user count than Apple's iOS platform and makes it easier to install apps from outside the official marketplace—a practice often called sideloading.

"We've seen some malware on Google Play and on iTunes," said Domingo Guerra, cofounder and president of mobile security company Appthority. "However, for the most part, Apple and Google do a good part of removing it from the app stores."

So far, overlay malware has mostly targeted users in Europe and Russia, but there's no reason to think it won't become more prevalent in other markets, including the U.S., Su said.

"Both the localization and category of apps are going to expand," he said. "We already see localizations for particular countries and it will be customized for that particular language."

How To Stay Safe

For the most part, experts say, the best ways to stay safe from mobile malware and phishing attacks are similar to techniques users are hopefully already using to keep their PCs safe from hackers. Those include keeping operating systems up to date as much as possible, removing unused apps that could house vulnerabilities, and being wary of any kinds of unsolicited links or downloads.

"The same rules of hygiene and security hygiene apply in the PC and the mobile device," said Kessem.

Users should be particularly wary of any invitations to install apps from outside of official app stores, said Guerra. "Every legitimate app is going to be on Google Play or on iTunes," he said.

The trouble is, users not accustomed to smartphone malware may be at risk for infection until it sinks in that mobile devices are ultimately just as much a target for attackers as laptop and desktop computers, he warns.

"I unfortunately think it's going to get worse," he said. "As users, we're not thinking of these as computers, so we kind of trust it more than we should."

Related Video: Inside The Secret World Of Code-To-Code Combat

Smarter technology could make farms more efficient and food tastier, though environmentalists argue none of it is guilt-free.

During the 20th century, advances in fertilizers, irrigation, and mechanized farming technology helped make it possible to feed a dramatically growing world population.

Now, advocates say, the next big advance in agricultural technology may come from the digital world, as modern computer vision, precision sensors, and machine-learning technology help farmers use last century's advances more efficiently and precisely to grow healthier and tastier food.

"We're at the cusp of this next wave of innovation in agriculture, which we call digital agriculture," says Mike Stern, the president of The Climate Corporation. "It has to do with, over the past five to seven years, the farm really digitizing, not unlike how our society has changed in terms of the tools and types of things we can do."

The Climate Corp., which was purchased by agriculture giant Monsanto for roughly $1 billion in 2013, is one of several companies working to build a digital analytics hub for farmers, merging images from satellites, drones, and cameras, as well as readings for everything from soil thermometers to tractors' on-board computers. That can help growers better understand what's happening on their farms and let predictive algorithms guide more precise applications of seeds, water, pesticides, and fertilizers.

"In the Midwest, when corn is growing, we have a fair amount of cloud cover, and satellites have trouble seeing through clouds, so that's a problem because all of a sudden, a grower can only see a part of the field from one image to the next," says Sam Eathington, Climate Corp.'s chief scientist. "We've developed, using some machine-learning techniques, a way to bring together multiple images and remove the clouds and cloud shadows that a grower would be seeing in the data in the specific field."

Just this week, the company announced that it's opening its platform to allow other sensor manufacturers to contribute data more easily, starting with high-resolution soil sensor data from Kansas-based Veris Technologies.

The market for digital "precision agriculture" services is expected to grow to $4.55 billion by 2020, according to figures from research firm Markets and Markets, though the push to bring the Internet of Things onto the world's farms hasn't been without its critics. According to a 2013 report in the New Yorker, Climate Corp.'s founders came under heavy criticism for the decision to sell to Monsanto, a company that's long been controversial for its intellectual property policies and involvement with genetically modified crops.

And the American Farm Bureau Federation, a farming industry group, has cautioned farmers to make sure they understand how their data is stored by digital providers. The Farm Bureau has recently worked with tech providers, including Climate Corp., to formulate rules and industry data-sharing arrangements designed to make sure farmers can control how their information is used and potentially migrate it to new providers.

"Tractors, tilling equipment, planters, sprayers, harvesters, and agricultural drones are increasingly connected to the Internet,"the group said in March. "Farmers don't always have the ability to precisely control where that data goes, nor transfer it from one data processor to another."

But agriculture tech companies generally say their goal isn't just to make money, or even help farmers boost their own profits. They're also trying to help feed a still-growing world population as climate change disrupts farms and populations, and expanding middle-class societies around the world purchase more food. That could require doubling world food production by 2050, experts told the United Nations in 2009, something advocates of digital agriculture say may only be possible through data-driven efficiency.

"Basically, the production we're getting out of our food crop today is actually not keeping pace with the pace we need to double prediction by 2050," says Lance Donny, the CEO of Fresno, California-based OnFarm.

Like Climate Corp., OnFarm aims to process and combine data from a variety of sources: Donny says the company serves several hundred farms, with an average of 160 incoming data streams each. Farmers traditionally ran processes like irrigation based on the calendar, watering a certain amount at certain times, or based on their own observations—"I look out and I drive the field, and the crop looks like it's going to need some water, so I add some water at this time," he says—but Donny says OnFarm's technology can first bring farmers unified figures they can easily understand and trust, then predictions and guidance they can rely upon.

"Not only can we tell you what's going to happen, we can help you make a better decision—to maximize the decision you're going to make," he says. "This is really bringing that machine learning down to the grower to make a decision going forth this week, next week."

Ultimately, farmers will rely less on intuition and more on number-driven predictions, says Daniel Koppel, the CEO and cofounder of Tel Aviv-based digital agriculture company Prospera.

"I think at the end of the day, growers are going to be data scientists," he says. "The actual operations side, in the very far future, that's going to be done with robots, or a lot of it is going to be automated."

But in the meantime, his company's tools have used sensor data and machine-learning techniques like neural networks to detect issues like plants stressed by improper irrigation and diseases that could put crops in jeopardy. And while he unabashedly speaks in terms that might make foodie purists wince—"We're trying to treat agriculture as any other industrial manufacturing facility," he says—Koppel says digital technology can mean fresher food and a cleaner environment, too.

Data scientists will be able to crunch the numbers to find ways to use pesticides and water more efficiently, meaning less runoff and fewer pest-killing chemicals on food, he says. The same will be true of fertilizers, Donny predicts, meaning less nitrogen runoff in soil and groundwater.

Still, some environmental advocates are skeptical, warning that tools primarily designed to boost crop yields and farm profits won't automatically undo all the environmental harm wrought by large-scale, industrial farming.

"Hopefully, in most cases, they will result in less use of farm chemicals, and less farm chemicals leaking into people's drinking water or whatever, but that's not really what they're designed to do," says Craig Cox, senior vice president for agriculture and natural resources at the Environmental Working Group. "They're designed to help farmers determine what the economically optimal rate is to apply these farm chemicals, and sometimes the economically optimal rate is to use more farm chemicals."

Donny says better data won't just mean bigger production of commodity crops like corn and soybeans—it'll mean optimizing the quality of specialty produce from wine grapes to almonds. In some cases already, farmers have been able to switch from producing old standbys like corn to more diverse collections of vegetables, he says.

That can also bring environmental gains, particularly if diversification means fields spend less time outside of growing seasons lying fallow and allowing chemicals to leach into surrounding water, according to Cox, though he emphasizes the details will make a tremendous difference.

Of course, it will also mean more income for farmers and more variety for an increasingly food-conscious society. "The ability to grow closer to the customer is important. More diversity in crops is important," Donny says. "Restaurants are driving that. Consumers are driving those needs."

The company wants to bring mom-and-pop e-commerce vendors the kind of automated recommendations made famous by Amazon and Netflix.

Automated product recommendations are a signature feature of big-name e-commerce companies like Amazon and Netflix, but they can be hard to implement for smaller online vendors, says John Foreman, chief data scientist at MailChimp.

That's why the email marketing service is launching a feature to let its customers—many of them online merchants with fewer than 10 employees—incorporate statistically generated recommendations into the emails they send out without having to build any technology on their own.

"It's become almost synonymous with Amazon," Foreman says. "We just started wondering, can we do the same thing for small businesses?"

Over the course of about a year, MailChimp has been developing and testing the feature, which will pull purchase history data from popular online store platforms like Magento, BigCommerce, and Shopify and use that information to generate product recommendations that users can automatically drop into their marketing emails. (Of MailChimp's roughly 10 million customers, about 30% use the service to help sell goods online, the company says.)

Product recommendations are just another **drag-and-drop** module for MailChimp users

In tests MailChimp has run, the tool's customized recommendations have beat out handcrafted links to featured products, Foreman says.

"We sent them out side by side to thousands and thousands of people, and we just tracked clicks and purchases and sure enough, the product recommendation emails made more money," he says. "Right there, that was sort of the green light for us. We should build this: It makes people money."

The new feature, which Foreman says will be added to all paid MailChimp accounts as of next week, isn't the only way to generate product recommendations: Amazon includes a Machine Learning engine as part of its Amazon Web Services cloud software suite, and other vendors offer their own data-science-as-a-service cloud options.

But Foreman says that most of those don't offer the same ease of use, where small businesses pressed for time and lacking in in-house statistical chops can simply drag and drop a recommendations module into their existing emails. After all, even Netflix famously once granted a million-dollar prize for an improved recommendation tool, yet never fully integrated the winning algorithms into its systems, partially due to "the engineering effort needed to bring them into a production environment."

The new MailChimp tool, coupled with the service's existing email automation logic, will let customers add recommendations to emails welcoming customers who've just made their first purchases or to ones who haven't visited a store in a while, says Foreman.

"I think that's what makes it unique—there are plenty of things out there that do this type of calculation," he says. "Where this one becomes unique is taking the mathematical modeling and completely marrying it with use and design."

Foreman says the service also automatically adjusts its recommendation techniques—though he didn't want to go into too many details about the mathematical "secret sauce"—as companies sell more products and acquire more data.

Users will be able to preview recommendations for a given email address, something that's important to MailChimp's customers. "There is kind of some nervousness around this—email is something where you send it out to a lot of people, and you hope it makes a lot of money for your business," Foreman explains. "You don't just send out anything—you want to preview it."

So far, he adds, customers and MailChimp engineers alike have been impressed with the accuracy of the recommendations.

"We would look at what people had bought in the past, and what we're recommending, and I was just sort of floored, and our customers were floored, at how much it makes sense," he says, discussing an example involving retro T-shirts. "It was just interesting to see the model pick up around, you [ordered] these particular Zelda shirts in the past, now you have these other throwback Nintendo shirts, and it's going to recommend those."

"Never before in the history of humankind have people across the world been subjected to extortion on a massive scale as they are today."

Ransomware attacks, in which online criminals block access to critical files until they're paid to release them, are on the rise, security experts warn.

Last year, the Federal Bureau of Investigation's Internet Crime Complaint Center saw 2,453 complaints about ransomware incidents that cost users a total of more than $1.6 million, according to the center's annual report. The report cautions that many online attacks go unreported to law enforcement altogether, meaning total incidents and losses could be that much higher.

"And if the first three months of this year are any indication, the number of ransomware incidents—and the ensuing damage they cause—will grow even more in 2016 if individuals and organizations don't prepare for these attacks in advance," the FBI warned in late April. According to security firm Proofpoint, in 2015 ransomware represented three percent of sample infected emails, but five months into 2016, ransomware already represents 30 percent of samples.

"Never before in the history of humankind have people across the world been subjected to extortion on a massive scale as they are today," security firm Symantec said in an August report on the subject.

Ransomware typically installs itself after a victim is tricked into clicking an attachment or link in a phishing email, or when a victim visits a hacked website running code that can exploit vulnerabilities in a local operating system. It either prevents the victim from logging in to the computer or encrypts files with a secret key known only to the attackers. Then, it presents a message demanding a ransom to restore access, typically to be paid with bitcoin or another digital money transfer tool.

Typical ransom demands are about $300, according to the Symantec report, but victims—including companies and government agencies—can often be induced to pay more for access to their data. Hollywood Presbyterian Hospital in Los Angeles paid more than $17,000 in bitcoin to end a ransomware attack in February, Reuters reports, and even some local police departments have found themselves paying ransoms to regain access to their files.

The attacks can be more disruptive than traditional cyberattacks focused on stealing information, since they can entirely prevent access to critical business data that isn't properly backed up.

"As harsh as it sounds, businesses can easily continue operations after a data breach," according to a March report from the Institute for Critical Infrastructure Technology. "Customers and end users tend to be the long-term victims. The same cannot be said for an active ransomware attack. Business operations grind to a halt until the system is restored or replaced."

And as the attacks have proven lucrative, they've also grown more sophisticated. While some early ransomware developers apparently wrote their own encryption code—considered poor programming practice in any circumstances—newer ransomware has used off-the-shelf libraries that are significantly harder to crack, says Engin Kirda, a professor at Northeastern University's College of Computer and Information Science, who's written about the subject.

"We're seeing more and more ransomware using existing libraries," he says. "There's a bit of sophistication from that point of view."

Attackers have also shifted to more sophisticated delivery mechanisms, switching from mass email blasts, which are often blocked by spam filters, to more targeted spear-phishing campaigns, according to the Symantec report. They've also developed downloadable ransomware toolkits that less-sophisticated hackers can deploy, and even "ransomware-as-a-service" offerings where developers pay commissions to hackers who can get their ransomware installed on other systems.

In some recent cases, including one that triggered a warning from Microsoft late last month, ransomware software can jump from computer to computer through flash drives and network drives like a traditional computer virus, though the Symantec report says ransomware operators are wary of accidentally holding the same organization's systems for ransom multiple times, since they're less likely to get multiple payouts.

"If the ransomware is continuously spreading through a network, infecting multiple computers and demanding payment each time, the cybercriminal's promise to repair the damage after the victim pays the ransom is broken," according to Symantec. "Nobody will be willing to pay if the same gang continues to demand ransom payment after payment."

To some extent, the best way to prevent ransomware and minimize the damage it does is just establishing general good security practices: training users not to open unknown email attachments, making frequent backups and patching systems to remove vulnerabilities that could give it a way in.

In fact, if you're prepared to restore machines from clean backups, getting attacked with ransomware can be better than other forms of malware, since it announces its presence rather than stealing data in the background, says Kirda.

"Ransomware is a problem, but at least if it hits you, they have to tell you that you've been infected to make money," he says. "If you actually do backups and you do offline backups, so you copy your data to the cloud, and you copy some good security practices, compared to some other types of malware ransomware's not actually that bad, since once you're infected you know something happened."

One problem, says Brian Nussbaum, a former intelligence analyst and an assistant professor of public administration at the State University of New York at Albany, is that many smaller organizations, including local governments, just have fewer computer security resources to prepare for that kind of attack.

"It's going to be something that will push them to improve their IT practices," he says. "But it's something that I think we're likely to see for at least a while longer until people start having good backups and doing other hygiene stuff that keeps you safe from it."

"Biohackers" are putting microchips and magnets in their bodies for everything from unlocking the front door to detecting moon earthquakes.

Tim Shank can guarantee he'll never leave home without his keys. Why? His house keys are located inside his body.

Shank, the president of the Minneapolis futurist group TwinCities+, has a chip installed in his hand that can communicate electronically with his front door and tell it to unlock itself. His wife has one, too.

"You have mental checklists as you're coming and going out of your home," Shank says. "One of those things is my wallet, keys, all those things I have with me. Once you start to eliminate all those things, you start to see all the mind space it actually clears not to have to worry about them."

In fact, Shank has several chips in his hand, including a near field communication (NFC) chip like the ones used in Apple Pay and similar systems, which stores a virtual business card with contact information for TwinCities+. "[For] people with Android phones, I can just tap their phone with my hand, right over the chip, and it will send that information to their phone," he says. In the past, he's also used a chip to store a bitcoin wallet.

Shank is one of a growing number of "biohackers" who implant hardware ranging from microchips to magnets inside their bodies.

Some biohackers use their implants in experimental art projects. Others who have disabilities or medical conditions use them to improve their quality of life, while still others use the chips to extend the limits of human perception. Shank, for instance, has experimented with a portable distance sensor that vibrates a magnet in his hand; it's like a sonar system that lets him sense how far away obstacles are. He also considered installing a chip that would track his body temperature. But not every use case is so ambitious—for some, the chips are merely convenient ways to store data and unlock doors.

Experts sometimes caution that the long-term health risks of the practice are still unknown. But many biohackers claim that, if done right, implants can be no more dangerous than getting a piercing or tattoo. In fact, professional body piercers are frequently the ones tasked with installing these implants, given that they possess the training and sterilization equipment necessary to break people's skin safely.

"When you talk about things like risk, things like putting it in your body, the reality is the risk of having one of these installed is extremely low—it's even lower than an ear piercing," claims Amal Graafstra, the founder of Dangerous Things, a biohacking supply company.

Graafstra, who is also the author of the book RFID Toys, says he first had an RFID chip installed in his hand in 2005, which allowed him to unlock doors without a key. When the maker movement took off a few years later, and as more hackers began to explore what they could put inside their bodies, he founded Dangerous Things with the aim of ensuring these procedures were done safely.

"I decided maybe it's time to wrap a business model around this and make sure that the things people are trying to put in their bodies are safe," he says. The company works with a network of trained body piercers and offers online manuals and videos for piercers looking to get up to speed on the biohacking movement.

At present, these chips are capable of verifying users' identities and opening doors. And according to Graafstra, a next-generation chip will have enough on-board cryptographic power to potentially work with credit card terminals securely.

"The technology is there—we can definitely talk to payment terminals with it—but we don't have the agreements in place with banks [and companies like] MasterCard to make that happen," he says.

Paying for goods with an implantable chip might sound unusual for consumers and risky for banks, but Graafstra thinks the practice will one day become commonplace. He points to a survey released by Visa last year that found that 25% of Australians are "at least slightly interested" in paying for purchases through a chip implanted in their bodies.

"It's on the minds of people," he says. "It just needs to be brought to fruition."

Other implantable technology has more of an aesthetic focus: Pittsburgh biohacking company Grindhouse Wetware offers a below-the-skin, star-shaped array of LED lights called Northstar. While the product was inspired by the on-board lamps of a device called Circadia that Grindhouse founder Tim Cannon implanted to send his body temperature to a smartphone, the commercially available Northstar features only the lights and is designed to resemble natural bioluminescence.

Grindhouse founder **Tim Cannon** with his Northstar implant looking out over the skyline of Pittsburgh from Mt. WashingtonPhoto: Ryan O'Shea

"This particular device is mainly aesthetic," says Grindhouse spokesman Ryan O'Shea. "It can backlight tattoos or be used in any kind of interpretive dance, or artists can use it in various ways."

The lights activate in the presence of a magnetic field—one that is often provided by magnets already implanted in the same user's fingertips. Which brings up another increasingly common piece of bio-hardware: magnetic finger implants. Hackers say these small magnets allow users to sense the presence of electromagnetic fields, to diagnose electrical problems like faulty wiring, and even to pull small metal objects like paper clips and bottle caps toward you, making you into something of a low-rent Magneto. Despite the power of these implants, they're fortunately not strong enough to trip metal detectors, wipe hard drives, or interfere with MRI scans.

Tim Cannon's hand (right) minutes after implant with Justin Worst's healed Northstar implantPhoto: Ryan O'Shea

"Most [Northstar clients] already have the magnets," says Zack Watson, a piercer who installs implants for Grindhouse. "The magnets are kind of like a baby step into the heavy mod community. It's not so much visible as it is modifying the body to get that magnetic vision, and then the byproduct is that you're able to activate the implant."

According to O'Shea, a second-generation Northstar will include a Bluetooth transmitter and gesture-recognition sensors, which will let it communicate with a smartphone to control Internet of Things-type technology. That's not the only reason many early adopters may eventually choose to upgrade their implants. Another has to do with the limited battery life.

"[The device] will die, much like a pacemaker will die," he says. "When a pacemaker does die, it is removed in a procedure and is completely replaced with a new unit. That is similar to what will happen with Northstar."

Luckily for users, the Northstar can be inserted or replaced in about 15 minutes by a skilled piercer, says O'Shea.

"It's just a small incision, usually in the side of the hand," he adds. "The skin is separated from the hand there, and the device is just inserted, and the skin is stitched up."

As long as they're inserted properly, the implants leave minimal scarring, says Watson. He has magnets in his hand that let him do "little parlor tricks" and pick up needles while he works. "My kids are convinced I have a magic finger," he says. Meanwhile, an RFID chip in his hand lets him unlock his phone and automatically load his Instagram portfolio for potential customers to see.

"My phone has a reader in it, and you're able to use that reader to scan my hand," Watson says. "It's a cool way to show off your work."

Grindhouse is also working on an enhanced version of the Circadia device that tracks founder Cannon's body temperature. Cannon says that in the future, Circadia could potentially track other vital signs like blood oxygen, heart rate, and blood glucose. That, however, could pose tricky regulatory challenges for the company, he acknowledges, potentially bringing the device closer to medical sensors regulated by the Food and Drug Administration.

The line between medical devices and personal electronics has already begun to grow fuzzier. In recent months, the FDA has tentatively said it doesn't want to impose the same red tape on "low-risk devices" like fitness trackers that it would impose on medical equipment. Even the White House has weighed in, saying it's exploring options to bridge the gap between expensive, regulated hearing aids and cheaper amplification or tracking tools technically not certified for medical use.

Grindhouse's foray into blood sugar tracking would follow projects like the Open Artificial Pancreas System, which lets diabetes patients build their own automatic blood sugar regulation tools using a Raspberry Pi computer to talk to an insulin pump and a glucose monitor. Some in the biohacking community have already used custom-built tools to overcome other disabilities or limitations. Artist Neil Harbisson, for instance, who was born color blind, used an implanted antenna to translate colors into audible sounds.

O'Shea says Grindhouse isn't at all opposed to regulation: The company already does extensive testing to make sure its products are safe and won't break down in the body—not even after physical trauma—and would welcome regulations that ensure people don't unwittingly put something toxic or otherwise dangerous into their bodies.

"With Northstar right now, if there's something that you encounter that's going to destroy the Northstar in your body, you're probably already dead at that point," he asserts.

What the company doesn't want to see, O'Shea says, is the same full-on regulation of medical devices brought to bear on implantable products like the Circadia, which could make them impractical for startups and hackers to develop and prohibitively expensive for many potential users.

"The issue with FDA regulations is not only does it take an expensive amount of time and money that many bootstrapped companies do not have access to, but it also limits the people who can do these procedures," O'Shea says. "We want these augmentative devices to be open to as many people as possible for as cheap as possible, so there aren't people who can't have access to this technology."

In the meantime, with implants essentially flying under the regulatory radar, hackers are exploring how they can use the devices to manipulate and receive input from the world around them without a great deal of scrutiny from government bodies.

One of these hackers is artist, dancer, and self-proclaimed cyborg Moon Ribas, who has an Internet-connected implant in her arm that vibrates to alert her to earthquakes around the world—information she can incorporate into her choreographed routines.

She hopes to add additional, more precise implants that would communicate the continent where the earthquake took place, and perhaps another that reports quakes on the moon.

"This would allow me to be here and be in space in the same time," she says.

Ribas is also working on a commercial implant that would let users feel a vibration when they face due north, potentially training them to develop a directional sense similar to some animals. That's a far cry from Tim Shank's comparatively unambitious door-unlocking implant.

"I like things that are related to nature, space, or animals," she says. "Everyone has his own interests—it's just that it doesn't fulfill me as much to think about having an implant to open a door."

Bitcoin was going to disrupt the world's big banks. Instead, its technology is poised to save them billions of dollars.

When bitcoin first appeared a little over eight years ago, early adopters saw the potential to disrupt the big banks of the world.

It's all there in the very first line of the abstract to the paper that introduced the cryptographically powered currency. "A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution," wrote bitcoin's mysterious creator, Satoshi Nakamoto.

The new form of digital money attracted attention from fans of Occupy Wall Street and contrarian businesspeople alike, including Overstock CEO Patrick Byrne, who is perhaps known as much for his battles with Wall Street brokers as for his online retail success; in 2007, Overstock sued Morgan Stanley and Goldman Sachs over alleged stock market manipulation that Byrne claimed caused his company's shares to drop.

Blockchain transactions

But while big banks have generally avoided dealing in bitcoin and other cryptocurrencies, many have become quite taken with the underlying technology behind these alternative monetary systems: the digitally shared ledgers known as blockchains. In fact, within the past year or so, a Who's Who list of the world's largest banks—from Goldman Sachs and BNY Mellon to Deutsche Bank and Mitsubishi UFJ—have all very publicly announced plans to explore blockchain technology.

"This kind of feels like when the Internet started," says Suresh Kumar, BNY Mellon's chief information officer. "There is an expectation that, okay, this is something new and different, so there is some value to leveraging it, and the question is: Okay, what are the implications of that for the traditional services, and what kind of services can be enabled that were not practical before?"

While it can be implemented in a number of different ways, the core idea of the blockchain is that it's a transaction database, similar to an accountant's traditional ledger, but one that is digitally synced between market participants with built-in cryptographic safeguards to keep anyone from altering data that's already been recorded. These digital ledgers are designed to ensure that everyone involved in a transaction has the same record of what's taken place without the need to periodically reconcile records. In some cases, blockchains can also give trading partners who don't particularly trust each other a way to do business without a mutually reliable intermediary.

"Each transaction in the ledger is openly verified by a community of networked users rather than by a central authority, making the distributed ledger tamper-resistant; and each transaction is automatically administered in such a way as to render the transaction history difficult to reverse," states a report issued last year by Santander InnoVentures, the Spanish bank's financial tech venture capital arm, in conjunction with finance tech investment firm Oliver Wyman.

Financial institutions are exploring the possibility of using blockchain technology to record everything from stock trades to regulatory compliance data. The answer why is simple: It could save financial institutions tremendous amounts of money and time. A widely quoted estimate from that report predicts that the blockchain could save banks $15 to $20 billion per year by 2022.

Those savings, says Oliver Wyman partner Ben Shepherd, would stem from the blockchain's ability to enable banks to streamline processes around reconciliation—that is, the labor-intensive procedure banks go through with their customers, trading partners, and securities exchanges to verify everyone agrees on who's paid how much for what. "That function is typically one of the biggest headcount areas on the bank operations team," says Shepherd.

Banks hope that by automatically sharing a trusted record of each transaction, they'll reduce the need for human intervention and the potential for error, because they will know their trading partners are looking at the same records in the same format. The goal is to shift more transaction types toward so-called straight-through processing (STP), which allows transactions to be handled from beginning to end by automated processes with no need for human intervention.

"If a process has a high STP rate, then there's not that much more that blockchain can do," says Kumar.

One negative side effect is that by cutting human intervention, this will almost certainly lead to cutting jobs. "I think generally it would be mean a lot less staff, particularly in the sort of transactional control area," says Shepherd.

Employment at top financial institutions peaked in 2010, The Wall Street Journal reported last year, and employees from analysts to bank tellers are facing growing competition from increasingly smarter banking bots. A March study released by Citigroup found that bank employment could fall by another 30% by 2025, mostly thanks to automation.

Ironically, the technology that just a few years ago bitcoin enthusiasts thought might unseat Wall Street's banking titans could end up helping the "1%" cut jobs.

But if the technology is widely adopted, the blockchain may have effects on the financial system beyond simply replacing bank workers with robots.

In areas from the $2 trillion repo market, which lets banks and hedge funds extend one another short-term loans using securities as collateral, to the syndicated loan market, where institutions team up to fund big deals like corporate buyouts, banks are planning to test whether shared ledgers will enable deals to settle faster. That could potentially mean less risk that transactions will fall through and less capital that banks have to set aside while deals are waiting to clear. The exact financial savings, however, remain to be seen.

"We believe that the capital release is beneficial but not game changing," the authors of the Citigroup report write. "We do see some small benefit from reduced operational risk thanks to fewer trade fails and reduced counter party risk from shorter exposure."

A move to the blockchain also brings the promise of smart contracts—agreements written in code, rather than legalese—that can automatically execute programs to shift money and other assets from account to account when certain conditions are met. The technology's been in the news lately after a smart contract-based organization called The DAO raised $130 million through Ethereum, a recently developed cryptocurrency, with a promise to fund projects democratically selected by investors.

But traditional financial institutions and their tech firm partners are looking at smart contracts as well: just as they hope shared blockchain ledgers will help them streamline data sharing and keep information about what transactions have already taken place in sync, banks expect that mathematically encoded contracts could help them agree on the next steps in complex, multiphase transactions like derivatives deals or so-called corporate actions like share buybacks.

"Examples include removing much of the cost of corporate actions for custodian banks that manage security holdings on the part of the investors, for the automation of fund portfolio allocations following trades executed on behalf of asset managers, or in the context of international trade finance or domestic invoice financing," states a report released earlier this month by the SWIFT Institute, the research arm of the international banking network.

But even the biggest blockchain boosters acknowledge that some of these developments are still years away. Industry standards for blockchain structures have yet to be solidified, and, as the SWIFT Institute authors point out, neither have the legal standards for smart contracts. There's also a need to adapt the kind of contracts presently used by lawyers and judges to resolve disputes to this new technological framework.

In the meantime, though, banks are testing out blockchain technology with smaller-scale experiments, says Jerry Cuomo, IBM's vice president of blockchain technologies. If blockchain is a "moonshot" technology for the financial industry, he likens current projects to NASA's individual Apollo missions in the 1960s, which grew in ambition until they finally put men on the surface of the moon.

"While everyone still has their eye on the big ones, those big game-changing use cases, there are more incremental use cases that we're starting to talk to financial institutions about that are quite interesting but more incremental," Cuomo says.

In some cases, he adds, companies are setting up "shadow chains" which replicate existing business records on shared blockchains. That could let companies doing business together confirm that they agree on particular data points without having to change how their internal systems store information. One potential benefit of shadow chains would be in resolving accounting discrepancies in complicated transactions, because it makes it faster for companies to see where their understandings diverged.

"[Companies can say] the dispute happened after this point, but up until this point, everyone was in complete agreement," Cuomo says. "This is where something went awry—some piece of information was captured incorrectly, or whatever."

As smaller blockchain projects prove successful, they give companies confidence in the technology itself and, presumably, in software and cloud-computing vendors like IBM who are lining up to provide the underlying tools of the blockchain.

"It's doing these projects that give you more conviction in going after the big projects," Cuomo says. "I think there's more conviction after some successful, more humble projects that the big projects are doable, and now we know how to go after them."

So while cryptocurrencies like bitcoin arguably still search for their killer applications, their core algorithms might turn out to be pretty useful to the financial institutions they were once thought to be in line to disrupt.

"Sometimes people ask me, is blockchain a friend or foe, and to me, why would I think of that as a foe?" says BNY Mellon's Kumar. "It's another piece of technology that could help us and our clients and remove friction from the system."

A system of audio transmitters would stand in for GPS's satellite broadcasts and let underwater drones navigate without surfacing.

We take for granted that GPS can get us where we're going pretty much anywhere on earth, but there's one important place satellite navigation systems are essentially guaranteed not to work: under the sea.

The satellite broadcasts that GPS systems rely on can't penetrate very far below the ocean's surface, and that's a problem for unmanned underwater vehicles—essentially, drone submarines—designed to autonomously navigate below the sea.

That's why the Defense Advanced Research Projects Agency has announced plans to build an underwater GPS-style system called Posydon—which stands for Positioning System for Deep Ocean Navigation—that will use underwater sound broadcasts to let submarines determine their own positions without coming to the surface.

"By measuring the absolute range to multiple source signals, an undersea platform can obtain continuous, accurate positioning without surfacing for a GPS fix,"the agency says.

So what are the maritime drones used for, anyway? In the past, the U.S. Navy has used these robot subs for clearing underwater mines and for various other underwater reconnaissance missions, but it has plans to deploy them more widely for the purpose of minesweeping, undersea patrols, and other tasks, according to a November report from Bard College's Center for the Study of the Drone.

Surfacing is naturally a particular problem for military missions that require stealth, says Geoff Edelson, director of maritime systems and technology at BAE Systems, a contractor working on the project. And while there are technologies that allow subs to determine their locations to some extent without surfacing, they're often expensive and energy-consuming, which also makes them less than ideal for drone missions.

"For unmanned vehicles, power and energy is at a premium," says Edelson. "If they're using up all their power and energy to navigate, that doesn't really help them in performing their mission."

Essentially, the Posydon system will be a network of underwater sound-emitting devices attached to buoys placed in areas designed to cover wide swaths of the sea. Underwater ships will be able to determine their distance from multiple devices and therefore triangulate their own positions.

"[The devices will be] placed somewhere in the water column at a depth that is good for that part of the ocean," Edelson says. "That's based on the propagation properties of the ocean in those local areas."

The exact signal the devices will transmit has still yet to be developed, but engineers plan to make it resistant to spoofing and jamming for security purposes. Moreover, taking a system based on the straight-line paths of GPS satellite broadcasts and adapting it to underwater sound transmissions—which move a lot more indirectly—will present its own challenges, says Edelson.

"When you put sound in the ocean, it goes over a very complicated, time-variant path," he says. "To be able to understand that and then determine what the actual range was from these very complicated path structures is what makes this problem pretty hard."

The first two phases of the project will involve a mix of real-world tests and computer simulations in order to plan and design the system. Within 30 months, Edelson says, researchers plan to test real-time distance measurements using a single-transmitter system, before moving on to developing a larger prototype with multiple transmitters.

"If these first two phases are very successful, the third phase that DARPA defined would be then a limited deployable system that can really show the positioning capability," he says.

If the system works as well as researchers hope it does, the project could ultimately have applications in the civilian world as well, just as GPS expanded from the defense sector to find itself in billions of smartphones. Existing unmanned subs are already used for underwater oil and gas exploration and other types of underwater surveys and scientific applications. Ultimately, these commercial systems could use a Posydon-type system to hold accurate positions for longer and potentially conduct their own missions more efficiently, Edelson says.

The BAE Systems team, which is working with researchers at the Massachusetts Institute of Technology, the University of Washington, and the University of Texas, plans to keep the computational requirements of receiver systems low, so they can be used without having to significantly boost the processing power of existing subs.

"You're not gonna have to bring a Cray [supercomputer] onboard, or anything like that," Edelson says.

A Princeton "web census" sheds new light on how websites are customizing and testing content for different users and audience segments.

Two visitors to the same news site see different headlines on the same article. Two potential donors see different suggested giving amounts on a charity website. A software vendor with free and premium versions keeps a list of "countries that are likely to pay."

Those are some recent findings from the Princeton University Center for Information Technology Policy's Web Transparency and Accountability Project, which conducts a monthly "web census," tracking privacy-related practices across the Internet. Essentially, the project team sends an automated web-crawling bot to visit about 1 million websites and monitor how they, in turn, monitor their visitors.

Showing different versions of a site to different people isn't inherently creepy, nor is monitoring what they do while visiting a website—without some basic monitoring and user segmentation, there would be no recommended products on Amazon or Netflix and no way for international websites to figure out which language users prefer.

And yet, some types of customization just make Internet users uncomfortable, and some may even risk crossing ethical boundaries. And so, without further ado, here's a mostly unscientific guide to web-tracking practices in the wild, on a scale of 1 (not particularly creepy) to 5 (pretty creepy).

First-Party Cookies

If you've visited any European websites in the past few years, you've probably seen a little pop-up warning explaining that the sites use cookies—small text files stored by your browser with information about your activity on the site.

Under EU regulations, sites are required to let you know if they use cookies and allow you to opt out of having your browser store the files.

But despite the ubiquitous warnings, basic, first-party cookies, which are stored by a particular website you're visiting and served back with each page on the site you load, really aren't all that creepy.

First, sites are generally out in the open about their use of cookies—if there's no European-style pop up, they're often disclosed in reasonably plain English in privacy policies—and it's easy to find instructions on viewing and deleting stored cookies in any major browser or on using private browsing modes to avoid storing them from browsing session to browsing session.

More importantly, first-party cookies are by definition tied to a particular website. They're just a convenient way for programmers to keep track of information, like your user name or what's in your shopping cart, that you've already provided to the site, often with the assumption that they'd store it.

A/B Testing

One reason different users see different editions of the same site or app is A/B testing—a practice where different users are purposely shown different versions of a site in order to measure which one is more effective.

The practice is a cornerstone of many modern, agile development practices, and of data-oriented business philosophies like Eric Ries's "Lean Startup" methodology. It's used by websites to test everything from quick color scheme tweaks to radically revamped algorithms for ordering social networking feeds. And modern Internet users are often accustomed to sites varying slightly from user to user, says Pete Koomen, cofounder and CTO of Optimizely, Optimizely, a San Francisco company that provides tools for customer segmentation and A/B testing.

"I actually think that at this point this is part and parcel of most users' expectation of how the web works," he says.

And yet, for particular sites, even sophisticated users can be unaware that there are multiple versions of the user experience, says Lisa Barnard, an assistant professor of strategic communication at Ithaca College who's studied online marketing. And they can be disturbed to learn that even seemingly static content like news headlines can vary from user to user as part of an experiment.

"I teach students who are digital natives, they understand how this stuff works, and every time I tell them about A/B testing, they're shocked," Barnard says. "They realize that something's happening [with targeted ads] because they know that they're seeing something they were looking at before, but with something like A/B testing of headlines on a news site, there's no tip off."

And once they find out it's been happening without their knowledge, they're not always happy, she says.

Among the information the Princeton researchers gather in their web census is the complete set of JavaScript code embedded in each page, explains project research engineer Dillon Reisman in a recent blog post. And on many sites, that includes code from Optimizely to implement A/B tests.

The team even built a Google Chrome extension—cheekily called Pessimizely—that can, depending on a website's configuration, make it possible to see which segments of a particular web page are being tested and tweaked with Optimizely and how the page's audience is being segmented.

Reisman emphasizes that there's absolutely nothing wrong with using Optimizely, which boasts more than 6,000 corporate customers. But, he says, the findings still point to general unresolved questions about how transparent Internet companies ought to be about how they're tracking visitor data and conducting user experiments, even if the practices themselves aren't inherently negative.

To be clear, Optimizely doesn't track users from website to website, explains Koomen.

"When a customer uses Optimizely to run experiments on their site, they only see the results of those experiments for their site alone," he says.

For researchers and the public at large, Optimizely actually provides an unusually good look at how websites can vary from visitor to visitor, says Reisman. Customers can configure it to make testing variations and customer segment names visible for better integration with third-party tools, and the web census project and Pessimizely extension are able to access that data as well.

Reisman says he'd generally like to see companies more explicitly spell out all of the tracking, testing, and personalized tweaking they do, perhaps in their privacy policies.

"I'm grateful that that data's there, because it's so rare that you get to see what websites are doing when they're A/B testing, and this actually is a very unique opportunity," he says.

Third-Party Tracking Cookies

A little more off-putting are third-party cookies: cookies set by a website other than the site you're visiting, which can help advertising companies and others track your behavior across the Internet.

Advertisers say these and other more complex tools for tracking users from site to site allow for better targeting of ads based on your browser history, but several studies have found consumers can find this more stalkerish than helpful.

A study by Barnard, the Ithaca College professor, found last year that ads that track users across websites can be perceived as "creepy" and sometimes make customers less likely to buy.

"They feel like companies know too much about them, and that they're tracking them around the Internet," Barnard says."There's something about that tracking that makes people uncomfortable, and, kind of, the uncertainty of how much these companies know about them and how they're using it."

And a Consumer Reports survey found most consumers unwilling to trade personal information for targeted ads and unconvinced such ads brought them more value. For those users, many popular browsers now contain built-in features to block third-party cookies.

Consumer Data Collection Tools

Cookies are data files stored by your browser, which means that if you're aware of them and willing to do a little legwork, you can control if and when they're stored.

But they're not the only way for advertisers and website owners to track visitors from site to site. Clever—or creepy—programmers have found other ways to monitor your travels around the web that can be harder to detect and control.

The researchers behind the Princeton web census found websites using a variety of "device fingerprinting" techniques that allow them to identify visitors based on characteristics of their computers or phones, without having to store any data. For instance, websites—and advertisers—can examine the list of fonts installed on a computer or the exact output produced by a system's audio or image processing software, which can vary from system to system.
It's hard not to view these techniques, which are generally designed to circumvent users' desired tracking restrictions, as intrusive. Luckily, at least one of the techniques, using characteristics of HTML graphics canvas elements to track users, appears to be on the decline after some public backlash, the researchers report.

"First, the most prominent trackers have by and large stopped using it, suggesting that the public backlash following that study was effective," they write. "Second, the overall number of domains employing it has increased considerably, indicating that knowledge of the technique has spread and that more obscure trackers are less concerned about public perception."

Still, while more legitimate websites may shy away from these techniques, it's likely there will be a cat-and-mouse game for some time between shadier trackers and researchers who reveal their techniques.

Psychological Experiments

In 2012, researchers at Facebook and Cornell University tweaked a selection of users' news feeds, showing them either a week of all positive stories or all negative stories. The immediate result? People who saw positive posts created more positive content of their own; people who saw negative stories posted more negative messages.

But the broader result was widespread condemnation of the project from across the Internet, including from the scientific community. Doing experiments with vague-at-best consent through website terms of service, with an eye toward influencing people's emotional state, was widely denounced as unsavory, unethical, and potentially even dangerous.

"Deception and emotional manipulation are common tools in psychological research, but when they're done in an academic setting they are heavily reviewed and participants have to give consent," says data ethicist Jake Metcalf, a founding partner at ethics consultancy Ethical Resolve.

The company has since adopted and published new research vetting guidelines, influenced by those used in academic studies, and says it hopes they can be informative to other companies doing similar work.

"It is clear now that there are things we should have done differently," Facebook CTO Mike Schroepfer acknowledged in a statement after the study came to light.

Surprising Price Variations

Last year, investigative journalism site ProPublica reported that prices of online test prep services booked through the Princeton Review's website could vary by more than $1,000 dollars based on users' zip codes. One result, according to the report, was that Asian users were more likely to be offered higher prices for tutoring services than non-Asians. The Princeton Review emphasized in a statement this was not its intent and that prices were based on "differential costs" and "competitive attributes" of different regional markets.

And in 2012, the Wall Street Journalreported that office supply chain Staples offered different prices to users in different zip codes and pointed out numerous other examples of online stores offering different prices, or discount offers, based on users' location, device type, or other information, often to users' frustration.

Also that year, the paper famously reported that travel booking site Orbitz was showing different lists of hotels on the first page of search results to Mac and Windows users, specifically showing higher-priced options for Apple users, who were found to be bigger spenders (though the company has emphasized particular hotels were priced the same for all users).

While differential pricing isn't generally illegal, as long as there's no discrimination against a protected class like a racial or religious group, it still often makes customers uncomfortable and anxious about whether they've truly gotten the best deal available.

"When that type of story comes out, people get upset," says Barnard. "It's that uncertainty that, I think, makes people really uncomfortable."

Lowe's Tangos With Google To Help You Remodel Your Home In Augmented Reality

What "Safety Check" Reveals About Facebook's Changing Role

Choosing When To Activate

Trending Crises

This New App From Duolingo Aims To Make Flash Cards Obsolete

How The Cybersecurity Industry Is Coping With A Skills Shortage

Why The Suspected Russian Hack Of The DNC Is Such A Game Changer

An All-Seeing Eye In The Sky Will Watch Over The Rio Olympics

Related Video: How Drones Are Changing The Lives Of Their Pilots

How WikiLeaks Has Changed: From Whistleblower To Weapon

Target's Tech For Tots Aisle: Sure To Be A Guilty Parenting Hotspot

How Hackers Are Going For Gold At Rio's Olympics

Phishing In An Olympic-Sized Pool

Watching Out For Counterfeit Hotspots

Messing With The Games Themselves

This Security Company Based Its Tech On The Human Immune System

SAP Targets Terrorism With AI

Turbulence Ahead: Delta Computer Outage Is Just The Start, Say Experts

Hackers Use Google's Ad Network To Spread "Fake Login" Malware

Beware Of Sideloading And Malvertising

How To Stay Safe

How Machine Learning Will Change What You Eat

MailChimp Brings Data-Driven Product Recommendations To Small Online Stores

Ransomware Attacks Are Still On The Rise, Experts Warn

Under My Skin: The New Frontier Of Digital Implants

How Banks Learned To Stop Worrying And Love The Blockchain, Bitcoin's Underlying Tech

Defense Researchers Plan To Bring "GPS" Where It's Never Gone Before: Under The Sea

Customized Or Creepy? Websites And Your Data, A Guide