Welcome to the December 9, 2020 edition of ACM TechNews, providing timely information for IT professionals three times a week.

Coronavirus Apps Show Promise but Prove a Tough Sell
The New York Times
Jennifer Valentino-DeVries
December 7, 2020

Despite pilot studies demonstrating that smartphone applications can slow Covid-19 transmission, buy-in from people and states is lacking. Apple and Google's exposure-notification apps respect privacy by not tracking user locations, using Bluetooth to detect which phones have been within several feet of one another for more than a few minutes. When a user receives a positive test result, the local health system supplies a code via email, text message, or phone call to enter into the app, alerting anyone who was in proximity while the person was contagious. A pilot program at the University of Arizona offered what may be the first example of an app slowing transmission; researchers estimated this fall that the app sent alerts for up to 12% of transmissions. Yet such apps are only available in about a third of U.S. states, hampered by privacy issues, little awareness or interest, poor access to quick testing, and a hodgepodge of government health authorities.

Researchers Receive Hall of Fame Award for Seminal Paper on Smartphone Security
Penn State News
Sarah Small
December 7, 2020

ACM's Special Interest Group on Operating Systems named a multi-institutional research team to receive a Hall of Fame Award for a 2010 paper that detailed how smartphone applications use personal data. The awards committee said the paper was selected because it "sparked an important research agenda on smartphone privacy that continues to this day" by highlighting "dozens of potential leaks of sensitive and private information" in smartphone apps. The paper’s analysis of 30 popular apps found 20 were using global-positioning systems and supplying personal data to third parties. Pennsylvania State University's Patrick McDaniel, co-author of the paper, said the research was first to expose smartphone apps' hidden costs, and launched extensive investigations into operating systems security by that university’s researchers. Said McDaniel, "The biggest impact this has had is that it changed conversation from, 'Are apps using our private information?' to 'They are—how should we deal with it?'"

Better Learning with Shape-Shifting Objects
MIT News
Adam Conner-Simons
December 7, 2020

Shape-shifting objects that can help users improve their skills are an area of investigation for Massachusetts Institute of Technology (MIT) researchers, who conceived of a basketball hoop that trains players more effectively by shrinking and raising to help them make shots more consistently. Experiments demonstrated that training on the auto-adaptive hoop improved player performance more than using a static hoop or the manually-adaptive mode. Autodesk's Fraser Anderson said, "You don't have to rely on your own sense of whether or not you've mastered a skill: the system can do that and take out the self-doubt, overconfidence, or guesswork."

Critical Flaws in Millions of IoT Devices May Never Get Fixed
Lily Hay Newman
December 8, 2020

Internet of Things (IoT) security firm Forescout uncovered 33 flaws, collectively labeled Amnesia:33, in seven open source TCP/IP stacks that potentially leave millions of IoT devices vulnerable. Many of the bugs were basic programming errors, like the absence of input validation checks, which keep a system from accepting problematic values or operations. Patching these flaws is difficult if not impossible, as five stacks have been around for nearly two decades, while two have circulated since 2013; this means numerous versions and variants exist, with no central authority to issue fixes. Moreover, manufacturers who have incorporated the code into their products would have to proactively adopt the correct patch for their version and deployment, then circulate it to users. Said Forescout's Elisa Costante, "What scares me the most is that it's very difficult to understand how big the impact is and how many more vulnerable devices are out there."

Silicon Valley's Next Goal Is 3D Maps of the World—Made by Us
Financial Times
Tim Bradshaw
December 8, 2020

Ordinary online users are being conscripted by Silicon Valley technology companies to produce three-dimensional digital maps of the world. Facebook, Google, and others hope to furnish this crowdsourced virtual Earth as a precursor to augmented reality (AR) technology. Google this month announced it would ask Google Maps users to upload photos to Street View using their smartphones for the first time, and only phones running its AR software can participate. Meanwhile, game developer Niantic is recruiting players to capture scans of local points of interest that form gyms and "PokeStops" in its Pokemon Go game, promising in-game items in return. Facebook's efforts, unlike Niantic's, focus on non-public locations, including a research project called Replica to generate photorealistic models of homes and offices, with Facebook researchers claiming this "could help us to place your grandma's digital avatar in the seat next to you."

NSA Says Russian State Hackers Are Using VMware Flaw to Ransack Networks
Ars Technica
Dan Goodin
December 7, 2020

The U.S. National Security Agency (NSA) says unidentified Russian state hackers are infiltrating multiple VMware platforms to install malware, expose sensitive data, and maintain a grip on remote work platforms. The attacks exploit a command-injection flaw that was unpatched until Dec. 3, stemming from code that did not filter unsafe user input like HTTP headers or cookies. After exploiting the flaw, attackers would upload a Web shell that installs a persistent interface for running server commands, eventually enabling them to access Active Directory to generate accounts, change passwords, and execute other privileged tasks. According to NSA officials, "The exploitation via command injection led to installation of a Web shell and follow-on malicious activity where credentials in the form of SAML authentication assertions were generated and sent to Microsoft Active Directory Federation Services, which in turn granted the actors access to protected data."

The World's First DNA 'Tricorder' in Your Pocket
Cold Spring Harbor Laboratory
December 7, 2020

Scientists at New York's Cold Spring Harbor Laboratory (CSHL) have developed what they’re calling the first-ever mobile genome sequence analyzer, in the form of an iPhone application paired with a handheld DNA sequencer. The iGenomics app, programmed by former CSHL researcher Aspyn Palatnick, operates wholly on the iOS device, making large hardware less necessary in the field. Users can AirDrop sequencing data to each other, facilitating DNA analysis in remote areas, including those lacking Internet access. CSHL's Michael Schatz said, "Today, we all carry professional cameras in our pockets, so it's not that hard to imagine in the next couple years, all of us carrying our own DNA sequencers on our smartphones as well. There's just so many opportunities to do measurements of our environment and look for pathogens, maybe even do scans of yourself."

Drones, AI Detect Soybean Maturity With High Accuracy
University of Illinois College of Agricultural, Consumer & Environmental Sciences
Lauren Quinn
December 7, 2020

University of Illinois, Urbana-Champaign (UIUC) researchers combined drone images and artificial intelligence to predict soybean maturity date within two days. UIUC's Rodrigo Trevisan taught computers to identify changes in canopy color using drone images collected across five trials, three growing seasons, and two countries, while also accounting for "bad" images to maintain accuracy. He employed deep convolutional neural networks that pick up on image elements like color, shape, and texture. Trevisan said, "The advantage of the artificial intelligence models we used is that it would be quite straightforward to use the same model to predict another trait, such as yield or lodging. So now that we have these models set up, it should be much easier for people to use the same architecture and the same strategy to do many more things."

In Battle Against Hackers, Companies Try to Deceive the Deceivers
The Wall Street Journal
Heidi Mitchell
December 7, 2020

Companies are attempting to trap hackers by enticing them with deception technology. Agribusiness firm Land O'Lakes uses cybersecurity vendor TrapX's DeceptionGrid tool to deploy decoys and booby traps throughout its network that mimic crucial data, tricking hackers into thinking they have accessed vital information. Deception technology spreads false data throughout corporate networks to lure attackers and alert the company; an alarm is triggered when a malefactor interacts with a decoy, and the cybersecurity team can either eject the intruders or isolate them from the rest of the network in order to examine their methods—and better identify them later. To reduce the risk that hackers inside the network could steal real assets rather than decoys, most users combine deception technology with traditional safeguards like firewalls, encryption, and authentication systems.

Researchers Find Even 'Fair' Hiring Algorithms Can Be Biased
Kyle Wiggers
December 4, 2020

Researchers at Harvard University and Germany's Technische Universität Berlin analyzing how "fair" ranking algorithms affect gender uncovered inconsistent ranking of job candidates. The team reviewed algorithms used on TaskRabbit, a marketplace that matches users with jobs by leveraging programs to sift through available workers and produce a ranked list of suitable candidates. The researchers explored the generation of gender biases in TaskRabbit and their impact on hiring decisions by tapping various interacting sources—including types of ranking algorithms, job contexts, and employers' prejudices. The team determined that while fair or de-biased ranking algorithms can help boost the number of underrepresented candidates hired, their efficacy is constrained by the job contexts in which employers favor particular genders. The researchers said, "We hope that this work represents a step toward better understanding how algorithmic tools can [or cannot] reduce gender bias in hiring settings."

Stanford Researchers Study Trust in Autonomous Products
Stanford News
Taylor Kubota
December 8, 2020

Stanford University engineers investigating how altering people's moods affects their trust in a smart speaker were surprised by their results. Said Stanford's Erin MacDonald, "We definitely thought that if people were sad, they would be more suspicious of the speaker and if people were happy, they would be more trusting. It wasn't even close to that simple." Experiments confirmed that a user's opinion of how well technology performs is the key determinant of their trust in it, although this differed by age group, gender, and education level. Curiously, subjects who said the smart speaker met their expectations trusted it more if the researchers attempted to put them in either a positive or a negative mood, while those in a neutral mood did not trust the device more. Stanford's Ting Liao said, "The ultimate goal is to see whether we can calibrate people's emotions through design so that, if a product isn't mature enough or if the environment is complicated, we can adjust their trust appropriately."

Bug Could Expose Patient Data From GE Medical Imaging Devices
Sean Lyngaas
December 8, 2020

Security researchers at medical security company CyberMDX found a software flaw in more than 100 models of General Electric (GE) medical devices that could enable hackers to steal sensitive patient data from those x-ray and magnetic resonance imaging scanners. The maintenance software for the GE devices used publicly exposed login credentials, which could allow attackers to execute code on those devices. CyberMDX's Elad Luz said, "The bigger picture here is authentication, and it's a problem that's unfortunately typical for medical devices." The researchers disclosed the bug to GE in May, and the manufacturer is in the process of replacing the vulnerable credentials.
