While President Joe Biden contemplates retaliating against the Russian hackers whose attack on another software company, SolarWinds, became public in December, the Hafnium hack has become an enormous free-for-all, and its consequences could be even worse. As experts sprint to close the holes opened up by the Chinese hacking, officials say the American government is focused closely on what happens next to thousands of newly vulnerable servers—and how to respond to China.
“The gates are wide open to any bad actor that wants to do anything to your Exchange server and the rest of your network,” says Sean Koessel, vice president at Volexity, the cybersecurity firm that helped discover the hacking activity. “The best case is espionage—somebody who just wants to steal your data. The worst case is ransomware getting in and deploying it across the entire network.”
The distinction between the two attacks is not just about technical details, or even which country committed them. Although 18,000 companies downloaded the compromised SolarWinds software, the number of genuine targets was just a fraction that size. Hafnium, meanwhile, was far more indiscriminate.
“Both started out as espionage campaigns, but the difference really is how they were conducted,” says Dmitri Alperovitch, chairman at the Silverado Policy Accelerator and cofounder of security firm CrowdStrike. “The Russian SolarWinds campaign was very carefully done, where the Russians went after the targets they cared about and they shut down access everywhere else, so that neither they nor anyone else could get into those targets that were not of interest.”
“Contrast that with the Chinese campaign,” he says.
“On February 27, they realize the patch is going to come out, and they literally scan the world to compromise everyone. They left web shells that can now enable others to get into those networks, potentially even ransomware actors. That’s why it’s highly reckless, dangerous, and needs to be responded to.”
Exploitation en masse
The beginning of the Hafnium campaign was “very under the radar,” says Koessel.
The hacking was missed by most security checks: it was only spotted when Volexity noticed strange and specific internet traffic requests to the company’s customers who were running their own Microsoft Exchange email servers.
A month-long investigation showed that four rare zero-day exploits were being used to steal entire mailboxes—potentially devastating for the individuals and companies involved, but at this point there were few victims, and the damage was relatively limited. Volexity worked with Microsoft for weeks to fix the vulnerabilities, but Koessel says he saw a major change at the end of February. Not only did the number of victims start to rise, but there was also an increase in the number of hacking groups.
It’s not clear how multiple government hacking groups became aware of the zero-day vulnerabilities before Microsoft made any public announcement. So why did the extent of the exploitation explode? Perhaps, some suggest, the hackers may have realized their time was almost up. If they did know a patch was coming, how did they find out?
“I think it is very uncommon to see so many different [advanced hacking] groups having access to the exploit for a vulnerability while the details are not public,” says Matthieu Faou, who leads research into the Exchange hacks for ESET. “There are two major possibilities,” he says. Either “the details of the vulnerabilities were somehow leaked to the threat actors,” or another vulnerability research team working for the threat actors “independently discovered the same set of vulnerabilities.”
VR is as good as psychedelics at helping people reach transcendence
As we inched nearer, I worried about infringing upon the other participants’ personal space. Then I remembered that oceans and thousands of miles separated me from them—and wasn’t ditching the notion of personal space the whole point? So I tried to settle into the intimacy.
“What happens in VR is that sense of completely forgetting about the existence of the external world,” says Agnieszka Sekula, a PhD candidate at the Centre for Human Psychopharmacology in Australia and a cofounder of a company that uses VR to enhance psychedelic therapy. “So there is definitely similarity there to this sense of experiencing an alternate reality under psychedelics that feels more real than what’s actually out there.”
But, she adds, “there’s definitely differences between what a psychedelic experience feels like and what virtual reality feels like.” Because of this, she appreciates that Isness-D charts a new path to transcendence instead of just mimicking one that existed already.
More research is needed on the enduring effects of an Isness-D experience and whether virtual reality, in general, can induce benefits similar to psychedelics. The dominant theory on how psychedelics improve clinical outcomes (a debate far from settled) is that their effect is driven by both the subjective experience of a trip and the drug’s neurochemical effect on the brain. Since VR only mirrors the subjective experience, its clinical benefit, which has yet to be rigorously tested, may not be as strong.
Jacob Aday, a psychiatry researcher at the University of California, San Francisco, says he wishes the study had measured participants’ mental wellness. He thinks VR likely can downregulate the default mode network—a brain network that’s active when our thoughts aren’t directed at a specific task, and which psychedelics can suppress (scientists theorize that this is what causes ego death). People shown awe-inspiring videos have diminished activity in this network. VR is better at inducing awe than regular video, so Isness-D might similarly dial it down.
Already, a startup called aNUma that spun out of Glowacki’s lab allows anyone with a VR headset to sign up for Isness sessions weekly. The startup sells a shortened version of Isness-D to companies for virtual wellness retreats, and provides a similar experience called Ripple to help patients, their families, and their caregivers cope with terminal illness. A coauthor of the paper describing Isness-D is even piloting it in couples and family therapy.
“What we’ve found is that representing people as pure luminosity really releases them from a lot of judgments and projections,” Glowacki says. That includes negative thoughts about their body and prejudices. He has personally facilitated aNUma sessions for cancer patients and their loved ones. One, a woman with pancreatic cancer, died days later. The last time she and her friends gathered was as mingling balls of light.
For one phase of my Isness-D experience, moving created a brief electric trail that marked where I’d just been. After a few moments of this, the narration prodded: “What does it feel like to see the past?” I started to think of people from my past who I missed or had hurt. In sloppy cursive, I used my finger to write their names in the air. Just as quickly as I scribbled them, I watched them vanish.
Corruption is sending shock waves through China’s chipmaking industry
It remains unclear whether the failure of Unigroup directly triggered the anticorruption earthquake within Big Fund. However, the strategy that the latter has taken—throwing massive investments against the wall and seeing what sticks—can fail miserably. According to longtime observers, that strategy is also the perfect breeding ground for corruption.
“This is the least surprising corruption investigation I’ve heard of for a while,” says Matt Sheehan, a fellow at the US think tank the Carnegie Endowment for International Peace. “Not because I know Ding Wenwu is personally corrupt, but when you have that amount of money sloshing around in an industry, it’d be way more surprising if there isn’t a major corruption scandal.”
A significant part of the problem was a lack of precision, says Sheehan. China knew it needed to invest in semiconductors but didn’t know what exact sub-industry or company to prioritize. The country has been forced to learn by trial and error, feeling its way through issues like the bankruptcy of Unigroup and the expanding technology blockade by the US. The next step should be more targeted investments into specific companies, Sheehan says.
That might mean a new boss for the Big Fund—someone who’s better versed in getting financial returns, says Paul Triolo, a senior VP at the business strategy firm Albright Stonebridge, which advises companies operating in China. Many of the Big Fund’s managers came from government backgrounds and may simply have lacked the relevant experience. Ding, who’s under investigation now, used to be a department director at China’s Ministry of Industry and Information Technology.
“You need competent people to run this [Big Fund] that understand the industry, finance, and are not going to fund projects that don’t have a sound commercial basis,” Triolo says.
Ultimately, these investigations may end up being positive for China’s semiconductor industry because they highlight the limitation of politically driven funding and may push the Big Fund to be managed on a more market-based basis. Beijing’s appetite for experiments is waning as its worries about self-sufficiency intensify. “They can’t afford to squander $5 billion on fabs that aren’t going to be viable,” says Triolo.
The Download: experimental embryos and the US monkeypox emergency
In a search for novel forms of longevity medicine, a biotech company based in Israel says it intends to create embryo-stage versions of people in order to harvest tissues for use in transplant treatments.
The company, Renewal Bio, is pursuing recent advances in stem-cell technology and artificial wombs, demonstrated by Jacob Hanna, a biologist at the Weizmann Institute of Science in Rehovot. Earlier this week, Hanna showed that starting with mouse stem cells, his lab could form highly realistic-looking mouse embryos and keep them growing in a mechanical womb for several days until they developed beating hearts, flowing blood, and cranial folds.
It’s the first time such an advanced embryo has been mimicked without sperm, eggs, or even a uterus. Now Hanna has set his sights on extending the technology to humans—he’s already experimenting with human cells and hopes to eventually produce artificial models of human embryos. “We view the embryo as the best 3D bio printer,” he says. Read the full story.
Automated techniques could make it easier to develop AI
Machine-learning researchers have to make many decisions when designing new models, meaning that complex models end up being designed by human intuition, rather than systematically. A growing field called automated machine learning, or autoML, aims to eliminate that guesswork, allowing algorithms to take over the decision making, which could both simplify the process and make machine learning more accessible.
Big Tech is paying attention. Companies like Amazon and Google already offer low-code machine-learning tools that take advantage of autoML techniques, and computer scientists are excited by the notion of being able to simply specify a problem, before tasking the computer with figuring it out. But researchers have a lot of work to do before autoML can be deployed more widely. Read the full story.
I’ve combed the internet to find you today’s most fun/important/scary/fascinating stories about technology.
1 The US has declared monkeypox a public health emergency
It has surpassed 7,100 cases, more than any other country. (WSJ $)
+ Many queer men have been unable to get vaccinated. (Vox)
+ Some people will be at risk of contracting both monkeypox and covid. (The Atlantic $)
+ There’s still no evidence to suggest that monkeypox has become more virulent. (Slate)
+ Everything you need to know about the monkeypox vaccines. (MIT Technology Review)
2 Alex Jones must pay $4 million to the parents of a Sandy Hook victim
The conspiracy theorist is finally facing consequences for calling the massacre a hoax. (BBC)
+ The jury could choose to award further damages, too. (Buzzfeed News)
3 Elon Musk has accused Twitter of fraud
He also claims he was “hoodwinked” into signing the purchase agreement. (Bloomberg $)
+ A tool used to assess Twitter bots reportedly flagged Musk’s own account as one. (FT $)
+ Twitter’s lawyers aren’t holding back. (The Verge)
+ Meanwhile, Musk predicts the US will weather a “mild recession” for 18 months. (Insider)
4 The UK’s cost of living crisis has birthed a wave of scams
Which feels particularly cruel, if sadly inevitable. (FT $)
5 Your brain appears to unlock new realities when you die 🧠
The new dimensions of reality some dying people experience are not the same as hallucinating. (Neo.Life)
6 We’re buying fewer video games than we used to
With less disposable income, shoppers are cutting down on non-essentials. (WP $)
7 The animals we know least about are most at risk of extinction
Many are already believed to have died out before we could discover them. (Motherboard)
+ Machine learning could help identify the species most at risk. (The Verge)
+ Understanding how species mate is crucial to ensuring their future safety. (Knowable Magazine)
8 The internet is obsessed with tracking the celebrities’ flights
Aviation enthusiasts are revealing the data that the rich and famous would rather keep secret. (The Guardian)
9 Hollywood is getting better at portraying young, online lives
Being Extremely Online is no longer the preserve of the loner. (The Atlantic $)
+ How the next generation is reshaping political discourse. (MIT Technology Review)