How Ford Made Its F-150 Pickup Lighter and Safer Than Ever

A computer simulation of the 2015 F-150 smashing into a wall. Notice how the passenger compartment is barely affected because the engine compartment absorbs the brunt of the collision. A computer simulation of the 2015 F-150 smashing into a wall. Notice how the passenger compartment is barely affected because the engine compartment absorbs the brunt of the collision. Ford

The 2014 Ford F-150 had a 4-star NHTSA overall safety rating, making it as good as or better than any pickup on the US market, except for the 5-star Chevy Silverado.

Ford’s complete redesign of the truck for 2015 included a switch to an all-aluminum body that made the F-150 hundreds of pounds lighter, improving fuel economy and towing capacity. It also gave Ford the chance to go after that fifth star.

As part of the redesign, Ford added 31 new safety features, including neat things like rear seat belts that inflate in a crash, acting like a softening airbag.

The automaker’s engineers also looked at the frame of the truck, focusing their efforts on what they call the front crush horn. It’s the chunk of the frame that absorbs force in a frontal crash. It’s crucial, because every bit of force sucked up isn’t applied to the structure that surrounds the occupants. The engine compartment gets crunched so the driver doesn’t.

A computer simulation of the 2015 F-150's frame during an impact. The front crash horns are illustrated in dark grey. The second wider brace (on the right) was added this year to improve side impact protection. A computer simulation of the 2015 F-150’s frame during an impact. The front crash horns are illustrated in dark grey. The second wider brace (on the right) was added this year to improve side impact protection. Ford

Using computer simulations of crashes followed by physical testing, Ford’s engineers decided to replace the rectangular crush horn with a new, cross-shaped design (dark grey in the GIF above) as the best balance of weight and performance. Ford says the patented, 12-corner design provides a 100 performance improvement in crushing distance (as in, it’s stronger) over the outgoing version.

“We found that changing certain shapes led to a weight reduction, while also improving crash performance,” says Ford Truck Safety manager Matt Niesluchowski.

Part of what makes this setup twice as effective is, paradoxically, the addition of strategic weak spots. By punching out holes and bending the metal just so, the team can ensure that the horn crushes properly and absorbs the impact, without bending or compromising the overall design of the frame.

It appears all the work paid off: The first F-150 tested, the four-door cab version, landed five stars from NHTSA. Official ratings for the regular and SuperCab F-150 models are expected later this year but Ford says this is the safest F-150 it’s ever made.

Jawbone’s New Up4 Does So Much More Than Count Steps

Travis Bogard wants to get the obvious out of the way up front. Not five minutes after we sit down in a small conference room in Jawbone’s office in San Francisco, he says yes, he knows it took a long time to produce an Up3 that was ready for the masses. When Jawbone’s designers and engineers built prototypes of its powerful new fitness tracker they were waterproof to 10 meters. This was big news, and Jawbone proudly proclaimed the spec when it announced the band in November. But when its manufacturing partner started mass-producing the new bracelet, what came out of the factory just wasn’t passing the test. After months of tweaking the designs and production processes, Jawbone gave up—the new Up3 isn’t waterproof, but rather water-resistant.

On the plus side, you can finally get one! Months of pre-orders will be filled beginning April 20, and the $179 tracker will be available in stores and online as well. And lest you think the roadblocks suggest Jawbone has bitten off more innovation than it can chew, the company’s also introducing two new Up models: the Up2, on sale now, and the Up4, coming this summer.

The Up2 is functionally identical to the existing Up24, with basic activity and sleep tracking (and that great silent alarm feature), but has the same flexible, prettier, more comfortable body of the Up3. The Up24 was modeled after the infamous Livestrong bracelets everyone wore for a few months, but the rubbery look has gone the way of Lance Armstrong’s seven Tour de France victories, replaced by a more traditional bracelet aesthetic. Bogard points out the design a number of times, stacking it on top of a Fitbit Force as a reminder of just how much smaller it is. It comes in black and silver, and its $99 price hits an important spot in the market.

The $99 Up2 is a total redesign of the Up24. The $99 Up2 is a total redesign of the Up24. Jawbone

The Up4 is much more exciting. When—actually, that should be if, given Jawbone’s history—it comes out this summer, it’ll be the flagship model. After all that work, the Up3 gets only a brief moment in the sun. For $199 (only $20 more than the Up3), the Up4 also adds a handy new payment system courtesy of American Express. Bogard claims it works more or less like Apple Pay, using NFC to shuttle information between your device and your credit card company. Most of these systems are far from perfect, but in theory all you should have to do is tap your bracelet on a compatible reader and walk away. AmEx treats your Up4 like a credit card, in that it assumes you’re the one using it without other authentication. If your bracelet is stolen or lost, you can quickly use the app to disconnect your card. Jawbone’s case here is surprisingly compelling: the Up’s battery lasts days, not hours, and it’s explicitly made to never come off your body. The only cognitive workload left is figuring out if the store you’re shopping in has an NFC-capable reader, but those are quickly becoming ubiquitous too.

With the Up3 and Up4, Jawbone’s beginning to collect an enormous amount of data about its users. The new devices track your heart rate and hydration levels, the temperature of both your skin and your surroundings, and much more. But Bogard and Jawbone are crystal-clear about the fact that none of this data is useful unless it’s helping you do more and live better. The company’s “Smart Coach” feature is becoming ever more personalized and powerful, offering specific and actionable tips. It has really interesting ways of correlating data, too; Smart Coach can figure out that you’re always more active when you sleep even 30 minutes more, and can tell you exactly when to go to sleep.

When fitness trackers can not only tell us how to live better but invisibly help us do so, they'll become immensely powerful tools.

And soon, Bogard says, it could go even further. The Up3 will know that you’re sleeping poorly, and that your body temperature is higher than it should be. It can already tell you the next morning to turn the temperature down when you go to bed, but soon, thanks to its integrations with Nest and others, it might be able to just turn down the thermostat for you. When fitness trackers can not only tell us how to live better but invisibly help us do so, they’ll become immensely powerful tools. That’s what Jawbone is after, and that’s why there are so many sensors inside the Up3 and Up4. The company has been talking about this for a while, and the new devices seem to be the keys to unlock that potential.

Jawbone, as it has always been, is full of good ideas. It’s outrageously ambitious, and almost always in the right way. Yet its history is riddled with complications, particularly with its wristwear. Making this stuff is hard work—not to mention phenomenally, company-threateningly expensive—and the Up line hasn’t always gotten it right. But if Jawbone has really, truly solved its production woes, the Up3 and Up4 may prove that Jawbone is onto something much bigger than “fitness tracking.”

Twitter’s New Homepage Doesn’t Fix Its Big Problem

Today, Twitter introduced a new homepage designed to make the service useful to those who don’t yet have a Twitter account. It’s an attempt to bypass the awkward acclimation period for new users by introducing them to curated content streams. It also manages to obscure what makes Twitter great in the first place.

Whereas previously users without an account would be greeted with only a sign-in or sign-up option at, starting today they’ll find a healthy handful of feeds organized around popular topics and personalities. Celebrity Chefs & Personalities, Country Artists, Tech Blogs and Reporters (sure!), and over a dozen other suggested categories get prime homepage real estate, while more granular categories await attention in a sidebar. There are 58 groupings to choose from in all, a content smorgasbord that should in theory provide a little something for every interest.

Clicking on any one of them leads you to a traditional Twitter stream filled with contributions from relevant accounts. Importantly, you’re not greeted with a firehose, which would overwhelm even the most enthusiastic new microblogger. Instead, Twitter filters in select tweets based on what appears to be a combination of popularity and visual appeal. A search bar also gets prominent real estate at the top of the page, both at and within the curated streams.

It’s nice! The layout’s clean and clear, and communicates that you don’t need to actually tweet to enjoy Twitter’s benefits. And the feeds centered around generalized topics, like Celebrity News or Cute Animals, are everything you would want Twitter to be; timely, fast, germane.

The organizing principle for the majority of suggested streams, though, seems to be personality-driven. NBA Players instead of NBA. Country Artists, not Country music. And that’s where the trouble starts.

Tweets from famous people are an effective way to confirm that those famous people (and their PR teams) do, in fact, use the internet. But they don’t make for a particularly enjoyable, or more importantly, cohesive, experience. When I tried it a few minutes ago, clicking on the Celebrity Chefs lists yields a few links to recipes, sure, but also a missive about women’s wrestling and the new Duck Dynasty musical. Or, more specifically, #DucksMusical, which to an uninitiated Twitter sampler (and maybe everyone) means nothing.

Because here’s the thing: going to a stream filled with tweets by celebrity chefs or NBA players doesn’t mean you’re going to read a lot about cooking or basketball, even though that’s why you presumably went there to begin with. NBA players and chefs—the ones who are enjoyable on Twitter, anyway—tweet about all kinds of things. Likewise journalists, likewise reality TV stars. Any group of individuals will create a scrambled and hard-to-parse streaming experience, precisely because they’re individuals.

And this is what makes Twitter’s learning curve so steep, but worthwhile. That human beings for the most part tweet like they’re human beings, not content-bots, is part of what makes the service great. There’s a little bit of voyeuristic glee in seeing Kristen Bell talk allergies, or knowing that Susan Sarandon was hanging out with Eddie Vedder. Yet it’s also this endless cascade of disconnected ideas and half-conversations that make Twitter hard to dive into. Combined with Twitter’s unique lexicon and etiquette—hashtags and at replies are just the start (subtweeting! manual retweets!)—they make for an alienating experience, regardless of the organizing principle.

The broader categories on Twitter’s new homepage are generally more successful than these personality-driven lists, but fall short in the opposite direction. Video Games and Gamers, for instance, follows mostly brand accounts like Halo and Nintendo of America. It reads more like a marketing survey than a modern day salon.

The disconnect is that Twitter opted to present the focus of conversation rather than the conversations themselves. Following a baseball team on Twitter is fine, but arguing about starting rotations or sharing absurd GIFs with fellow fans is where the real fun begins. Twitter’s homepage presents it as a ticker-tape of celebrities and brands, instead of what it really is: A chance to tear that tape into confetti and throw a snark parade.

The two types of feeds you’re left with, then, are either jarring or bland; it’s a group of individuals who happen to share the same (high-profile, celebrity-status) jobs but few consistent interests, or the interests themselves bled of all personality. Neither of those visions of Twitter keeps people coming back.

The answer, presumably, would be to offer streams based on keywords or subject that include quality tweets no matter who they come from. Eventually, the homepage could evolve to focus on events and topics rather than personalities and brands, a low-key, tightly curated evolution of the hashtag for people who don’t know what one is. You can imagine an Oscars stream on Oscars night being useful and fun for people who have no intention of joining the 140 character fray themselves.

Ultimately, any welcome mat is better than the barren sign-in hinterlands that came before this new homepage design. Hopefully someday it’ll help highlight Twitter’s strengths, not talk around them.

Netflix Says HBO Is Not A Threat. Yeah, Right

Netflix released its earnings for the first quarter of 2015 today, and the numbers look good. The streaming giant added a record 4.9 million subscribers globally, bringing more viewers than expected to the service thanks in part to its growing international audience.

Despite its apparent health, however, Netflix felt the need to make one thing clear: HBO is absolutely, totally, definitely not a threat—even with its new standalone streaming service HBO Now.

“As we have said in the past, Netflix and HBO are not substitutes for one another given differing content,” CEO Reed Hastings and CFO David Wells wrote in a letter to investors. “We think both will continue to be successful in the marketplace, as illustrated by the fact that HBO has continued to grow globally and domestically as we have rapidly grown over the past 5 years.”

The dedicated paragraph in the relatively succinct letter seems to signal worry—or at the very least an awareness of the possibility of concern on the part of investors. And its make-nice tone is a world away from the time not so long ago when Hastings joked that HBO was Netflix’s “bitch.”

And yet the threat from HBO is greater than ever before. Prior to the launch of its HBO Now streaming service, HBO may have seemed too different to be a worry. Netflix’s streaming service has always catered to cord-cutters (or cord-nevers), while HBO’s service was still linked with cable, even through HBO Go. That all changed last week when HBO launched HBO Now for $14.99 a month, compared to Netflix’s monthly $7.99 fee for streaming.

While Netflix may want to claim that HBO’s offerings are complementary, HBO Now offers far more than just Girls and Game of Thrones. The service has a wealth of documentaries, premium TV shows, and films. Yes, Netflix has amassed an audience looking for exclusive shows like Orange is the New Black and House of Cards. But when it comes to high-quality original content, HBO still sets the standard.

So, yes, Netflix is doing great. But it’s hard to imagine that HBO Now couldn’t steal at least some of that thunder. The world may have room for both. But there’s no doubt that they’re now fighting on the same turf.

Agents of S.H.I.E.L.D. GIF and a Graf: Melinda May’s Ultimate Sacrifice

Agents of S.H.I.E.L.D. GIF and a Graf: Melinda May’s Ultimate Sacrifice

The Piracy ‘Problem’ With Periscope Really Isn’t One

Piracy is a serious issue. Live-streaming apps like Periscope and Meerkat have plenty of sticky societal implications. These are two indisputable facts! Let’s not make the mistake, though, of assuming that they overlap.

This week, HBO confirmed that it sent takedown notices to Periscope, the Twitter-owned emporium of bored iPhone owners showing off their cats in real time. At issue were several streams of the network’s Game of Thrones season five premiere that had found their way onto the service, thanks to a handful of unscrupulous users.

Devoting serious resources to Periscope and Meerkat piracy is like swatting away a ladybug in a room full of vipers.

If you’re not familiar with Periscope or Meerkat, or know of them but haven’t actually used them, you’re in the vast majority and should be applauded for your restraint and/or focus on more vital aspects of human existence. You should also, though, be aware that while watching a live-stream from a smartphone can be fun and engaging under certain circumstances, watching someone else’s television or computer is not one of them. Even setting aside the mind-numbing absurdity of looking at your screen through someone else’s screen to yet another screen, consider the quality, or lack thereof.

No matter how big a Periscope pirate’s TV is, it’s going to look might small on your smartphone’s display. Streaming quality has come a long way over the years, but trusting both your connection and a Periscoper’s to hold up for a full hour is a fool’s game. And unless you’re dealing with someone who has either a smartphone tripod or wrist supports, you’re going to be shaking all the way from King’s Landing to Winterfell.

None of which prevented people from streaming the Game of Thrones premiere last weekend. Although Periscope wouldn’t provide WIRED with the number of associated takedowns it issued, there were reportedly dozens of accounts broadcasting the episode as it aired. What’s not clear is how many people actually watched those streams, or how much self-loathing it took to make it through more than a few minutes of the blurry, bouncy, bite-sized mess.

Yes, Piracy is bad, and HBO is fully justified in protecting its lavish Daenerys and Dragons spectacle, as is Periscope in swiftly responding to valid, copyright-related takedown requests. But there are wildly varying degrees of bad in this world, and devoting serious resources to Periscope and Meerkat piracy is like swatting away a ladybug in a room full of vipers.

Game of Thrones provides helpful context here, too, and not just because of the cutthroat power-mongering. If you really truly wanted to watch the first episode of season five—or in this case, the first four episodes—without paying, it was available on torrent sites before it ever hit television sets. Imagine that! A clear, crisp, full-screen, downloadable version, instead of one that features occasional sneezes from an invisible stranger death-gripping his Droid Turbo.

Unless you’re dealing with someone who has a smartphone tripod, you’re going to be shaking all the way from King’s Landing to Winterfell.

Those torrents, popular and pervasive, are of genuine concern to content providers everywhere. According to piracy-tracking site TorrentFreak, the Game of Thrones premiere alone was downloaded over a million times within 18 hours of its release. Periscope piracy, by contrast, is (if anything) a reminder that hey, yeah, I bet this would be really fun under remotely watchable circumstances. It’s shakeycam movie DVD bootlegs without the reusable jewel case.

At least some potential Periscope and Meerkat piracy victims realize that the issue’s not yet serious. After a WSJ report that Major League Baseball would police live-streaming of its games—an subscription tops out at a hefty $130 per year, after all—MLB executive Bob Bowman later clarified that it wasn’t an actual concern. And rightly so; spending an entire baseball game recording with your smartphone not only defeats the purpose of going to a baseball game (along with demolishing your battery and data plan), but watching a stream like that would be unthinkable. You’d be better off with a box score and a vivid imagination.

A better argument could be made for following an illicit stream of a big pay-per-view event, like Wrestlemania, or a big boxing match if boxing ever becomes popular again. You can usually find higher quality versions of those on the internet already, though, if you’re already intent on law-breaking. The only Periscope piracy live event stream even remotely worth following would be Spike Lee recording at a Knicks game, because he is both an iconic filmmaker and has good seats. But even then, you’d have to watch the Knicks.

There will almost certainly come a day when live-streaming quality advances to the point that a Periscope feed of your favorite show or event isn’t excruciating to watch. There will just as certainly still be higher-fidelity, more easily attained options that lead to the same ends. If you want to fight piracy, spend your energies there. For now, at least, watching Game of Thrones through someone else’s lens is punishment enough.

Bacterial raincoat discovery paves way to better crop protection

Fresh insights into how bacteria protect themselves -- by forming a waterproof raincoat -- could help develop improved products to protect plants from disease.

Researchers have discovered how communities of beneficial bacteria form a waterproof coating on the roots of plants, to protect them from microbes that could potentially cause plant disease.

Their insights could lead to ways to control this shield and improve its efficiency, which could help curb the risk of unwanted infections in agricultural or garden plants, the team says.

Scientists at the Universities of Edinburgh and Dundee studied the protective film formed by the common soil bacterium Bacillus subtilis. They found it incorporates proteins that change shape as they reach the film surface. This exposes an impervious surface on the protein molecules, enabling them to slot together like a jigsaw puzzle, to protect bacteria underneath.

The film is able to repel water -- which means other potentially harmful molecules also bounce off. Researchers say that being able to control the production of the biofilm in agricultural products could enable improved protection for plants.

The study, funded by the Engineering and Physical Sciences Research Council and the Biotechnology and Biological Sciences Research Council, is published in Proceedings of the National Academy of Sciences. The team behind the finding plans to research further applications for their discovery.

Professor Cait MacPhee, of the University of Edinburgh's School of Physics and Astronomy, said: "Such a controlled shape change in a protein is unusual. This protein only responds in exactly the right way and in the right place. It protects microbes from the outside world, but the ability to control the creation of a water-repellent film has many possible applications."

Dr Nicola Stanley-Wall, of the University of Dundee's Division of Molecular Microbiology, said: "Our findings highlight one of the amazing mechanisms that bacteria have evolved to provide protection from changes in their environment. It also demonstrates the advances that can be made when biologists and physicists work together on a problem of mutual interest."

Story Source:

The above story is based on materials provided by University of Edinburgh . Note: Materials may be edited for content and length.

WIRED Binge-Watching Guide: Orphan Black

Orphan Black begins at a train station, where a down-on-her-luck British punk named Sarah Manning (Tatiana Maslany) sees an exact physical copy of herself commit suicide by jumping on the tracks. Turns out she’s a clone—in fact she’s one of many, many identical clones (all played by Maslany) with very different nationalities, personalities, and lives, but the same face.

If you’re guessing that sounds like the beginning of a pretty addictive show, you’d be right. Much like Sarah, you’ll likely start off BBC America’s critically beloved series with a lot of questions: Where did these clones come from? Why were they created? And who is killing them off? Throughout the past two seasons, Orphan Black has gone about answering those questions—and asking all new ones—at a breakneck pace. And if you’re ready to start binge-watching now, you can get caught up on what has and hasn’t been revealed just in time to start watching Season 3 when it premieres on Sunday.

But getting into Orphan Black means something else, too. It means finally being able to understand why all those fans were up in arms when Maslany wasn’t nominated for an Emmy. What she offers is not a mere performance but an emotional and physical Venn diagram of performances, and the creation of an entire cast of characters who seem distinct down to their tiniest mannerisms. Not only does she pull off mind-boggling scenes where they interact physically, she often ends up playing them when they’re pretending to be each other. It’s not easy to convey the idea that you’re a British punk who’s pretending to be a Canadian cop who’s pretending to be a soccer mom, but she does. Without skipping a beat.

So, whaddya say? Ready to join the Clone Club? Think you might be a Clonesbian? Here’s how to binge-watch Orphan Black to find out.

Orphan Black

Number of Seasons: 2 (20 episodes)

Time Requirements: The first two seasons will set you back 20 hours, which could take you anywhere from a weekend to a week or two, depending your level of determination/commitment.

Where to Get Your Fix: Amazon Prime

Best Character to Follow:

Of all the versions of Tatiana Maslany we’ve met, Helena is the most difficult to ignore—or forget. While we don’t want to spoil too much about her backstory, she’s a blonde, Ukrainian, Jell-O-loving terror who has a lot of baggage, and you won’t be able to take your eyes off her. If we have to pick a non-Maslany character, Sarah’s occasionally scandalous adopted brother Felix (Jordan Gavaris) is a total delight.

Seasons/Episodes You Can Skip:

There’s only 10 episodes per season, and pretty much every one involves some sort of revelation or major plot development, so it might not be a good idea to skip many of them. But if you do, make sure you read a summary or recap somewhere online. That said, there are a couple less-than-stellar episodes in the bunch.

Season 2: Episode 7, “Knowledge of Causes, and Secret Motion of Things” There’s a plot point involving Dr. Aldous Leekie (Matt Frewer!) that you should probably find out about, but everything involving Sarah’s perpetually annoying ex-boyfriend Vic (Michael Mando) and his stint at a substance abuse center is deeply missable.

"Orphan Black" Ep205_D8_11-22Photo: Jan Thijs 2013 BBC America

Seasons/Episodes You Can’t Skip:

Season 1: Episode 1, “Natural Selection” It’s the pilot, so … yeah, you have to watch it.

Season 1: Episode 2, “Instinct” The family of known clones doubles in this episode, and Sarah continues to live out that nightmare where you show up for a test but you haven’t studied, except that she shows up for an inquest into a police shooting where everyone thinks she’s the cop who fired the bullet and she has no idea what happened. Whoops.

Season 1: Episode 3, “Variation Under Nature” This is the episode where Sarah finally learns about the clones, and the broader arc of their secret history begins. If the police drama isn’t quite doing it for you, hold on—things are going to get a lot more interesting.

Season 1: Episode 6, “Variations Under Domestication” If you enjoy the suburban drama of soccer mom clone Alison, then this is the episode where it goes full Desperate Housewives at a neighborhood party that collides directly with clone drama. We also meet the Neolutionists, who believe in human evolution through technology. This will be important.

Season 1: Episode 9, “Unconscious Selection” A lot of secrets get revealed in ways that unravel the lives of the various clones—and in same cases, help them knit their lives back together.

Season 1: Episode 10, “Endless Forms Most Beautiful” The first season finale kicks things up a notch in ways that involve interventions, murders, and major familial revelations.

Season 2: Episode 1, “Nature Under Constraint and Vexed” The Season 2 premiere hits the ground running, with a thrilling episode where Sarah infiltrates the dangerous inner sanctum of her enemy.

Season 2: Episode 6, “To Hound Nature in Her Wanderings” This episode is worth watching for the bar scene alone, where Helena finally meets a nice boy—and ends up kicking the crap out of Those Guys (you know the ones) at the bar.

Season 2: Episode 8, “Variable and Full of Perturbation” Meet Tony. He’s kind of a big deal.

Season 2: Episode 9, “Things Which Have Never Yet Been Done” The bizarre relationship between Alison and her husband Donnie goes to unexpected new places, Sarah’s daughter Kira ends up in danger again, and Helena unleashes the whirlwind.

Season 2: Episode 10, “By Means Which Have Never Yet Been Tried” The Season 2 finale isn’t quite as strong as the episode that precedes it, but there’s a big twist to set up the third season, not to mention the famous clone dance party.

Why You Should Binge:

Orphan Black is a compelling sci-fi drama all on its own, but watching the virtuosic versatility of Maslany as she carries entire scenes—and most of the show—while acting opposite herself is akin to watching a feat, and one that wows again and again. It’s the sort of thing that Joss Whedon’s Dollhouse wanted to pull off, but never quite did.

Best Scene—Clone Dance Party:

The four-clone dance party from the season two finale is just fabulous. Spoilers, kind of, but all they do is groove.

The Takeaway:

Orphan Black is a thunderous counter to the skepticism of anyone who thinks a female character can’t (or shouldn’t) anchor a show. But OB also goes much further: It proves that a single woman can be almost the entire cast, and still knock it out of the park.

If You Liked Orphan Black, You’ll Love:

Other sci-fi/speculative shows like Fringe, Continuum, Black Mirror, and The X-Files. Do not watch Dollhouse. We can’t stress this enough.

Hackers Could Commandeer New Planes Through Passenger Wi-Fi

An Airbus A350 on an assembly line, in Toulouse, France, April 11, 2015. An Airbus A350 on an assembly line, in Toulouse, France, April 11, 2015. Remy Gabalda/AFP/Getty

Seven years after the Federal Aviation Administration first warned Boeing that its new Dreamliner aircraft had a Wi-Fi design that made it vulnerable to hacking, a new government report suggests the passenger jets might still be vulnerable.

Boeing 787 Dreamliner jets, as well as Airbus A350 and A380 aircraft, have Wi-Fi passenger networks that use the same network as the avionics systems of the planes, raising the possibility that a hacker could hijack the navigation system or commandeer the plane through the in-plane network, according to the US Government Accountability Office, which released a report about the planes today.

A hacker would have to first bypass a firewall that separates the Wi-Fi system from the avionics system. But firewalls are not impenetrable, particularly if they are misconfigured. A better design, security experts have warned for years, is to air gap critical systems from non-critical ones—that is, physically separate the networks so that a hacker on the plane can’t bridge from one to the other, nor can a remote hacker pass malware through the internet connection to the plane’s avionics system. As the report notes, because the Wi-Fi systems in these planes connect to the world outside the plane, it opens the door for malicious actors to also remotely harm the plane’s system.

“A virus or malware planted in websites visited by passengers could provide an opportunity for a malicious attacker to access the IP-connected onboard information system through their infected machines,” according to the report.

Members of the House Transportation and Infrastructure Committee requested the report from the GAO out of growing concern that modern transportation systems, including planes, trains and automobiles, are becoming increasingly computerized and therefore susceptible to some of the same vulnerabilities and attacks that have long plagued desktop and laptop systems.

Boeing responded to the GAO report with a statement saying that a pilot manual override system would prevent someone from successfully commandeering its planes in this way.

This is not the first time the issue of aviation Wi-Fi security has come up for Boeing. In 2008, while Boeing was in the final stages of production on its new Dreamliner line of planes, the Federal Aviation Administration issued a report directing Boeing to address concerns about the passenger Wi-Fi system. The report was a “special conditions” document that the FAA produces whenever it encounters new aircraft designs and technologies that aren’t addressed by existing regulations and standards.

That report was pointing out the same problem that’s getting the company in trouble today. Boeing’s design for the Dreamliner’s Wi-Fi network, the FAA noted in the document, connected it to the plane’s control, navigation and communication systems, thereby establishing “new kinds of passenger connectivity to previously isolated data networks” that are critical to the safe operation of the plane. The FAA called on Boeing at the time to demonstrate that it had resolved this issue before the new line of planes could be put into service.

Boeing spokeswoman Lori Gunter told WIRED in 2008 that the company did indeed design a solution to address the FAA concerns. She wouldn’t go into detail about how Boeing was tackling the problem but said Boeing was employing a combination of solutions that involved some physical air-gapping of the networks as well as software firewalls. “There are places where the networks are not touching, and there are places where they are,” she had said.

Gunter added that although data could pass between the networks, “there are protections in place” to ensure that the passenger internet service didn’t access the maintenance data or the navigation system “under any circumstance.”

But security experts had warned at the time that software firewalls were still insufficient to separate critical networks from the Wi-Fi network.

It’s unclear if the authors of the new GAO report tested or examined Boeing’s solution and found it was still vulnerable to hacking or if they simply based their report on statements from experts that any design that doesn’t involve complete air-gapping of networks is vulnerable to hacking.

Boeing responded to the GAO report with a statement saying that “Boeing airplanes have more than one navigational system available to pilots” and that “[n]o changes to the flight plans loaded into the airplane systems can take place without pilot review and approval. In addition, other systems, multiple security measures, and flight deck operating procedures help ensure safe and secure airplane operations.”

Airbus also released a statement, which said only that it “constantly assesses and revisits the system architecture of our products, with an eye to establishing and maintaining the highest standards of safety and security. Beyond that, we don’t discuss design details or safeguards publicly, as such discussion might be counterproductive to security.”

Verizon: Mobile Malware Isn’t a Problem

In its annual breach investigations report, Verizon suggests that the threat of mobile malware for phones and tablets is much less than the providers of mobile security products would have us believe.

Contrary to claims from companies like Lookout that provide mobile security solutions and who have for years warned about the rapid and massive growth of mobile malware, Verizon found virtually no iOS malware for iPhones or iPads in the data it examined from Verizon mobile customers last year, and virtually no Android malware either.

“We’re seeing that the exploits just aren’t happening,” Bryan Sartin, head of Verizon’s RISK team told reporters in a phone call today discussing the company’s annual Breach Investigations Report.

As you might guess, Verizon’s annual report card is rarely optimistic—and, in fact, this year was mostly no different: one major finding of the report suggests that the time it takes for hackers to get into a system and siphon data, on average, is mere minutes and seconds. But this mobile malware finding serves as an unexpected bright spot. In a section of the report titled, “I’ve Got 99 Problems and Mobile Isn’t Even 1% of Them,” Verizon says although it found hundreds of thousands of malware infections for mobile devices, most of them were simply annoying adware programs. The really big mobile threats didn’t materialize.

“The reality was when we talk about really truly malicious [code], it was really 0.03 percent of Android devices per week,” Sartin said during the press call. “That’s a blip. That’s virtually nothing.” And the Android malware they did find far outnumbered any that targeted iOS devices.

Although Verizon’s dataset was limited—it involved just six months worth of data from Verizon Wireless customers and the tens of millions of devices they use to connect to the Verizon network—the authors of the report note that their findings are consistent with the analysis of other forensic firms like FireEye who also say that mobile devices just don’t show up in their forensic investigations. “This report is filled with thousands of stories of data loss—as it has been for years—and rarely do those stories include a smartphone,” the Verizon authors write.

Despite the fact that serious vulnerabilities have been found in mobile devices over the years, Verizon found little evidence that attackers were actually releasing exploits to attack them—for now. But this means, Sartin said during the press call, that companies have an opportunity to stay ahead of mobile attackers if they act now to secure and monitor their devices before the mobile attack waves strike.

But mobile security firm Lookout says that Verizon and other forensic firms likely don’t have the infrastructure or controls needed to properly detect mobile malware.

“It’s unsurprising that enterprises haven’t seen the more concerning, targeted threats because few of them actually have the mobile security controls in place that would detect these,” said Lookout CEO John Hering.

Hey, Book World: Sexism is Way Bigger Than the Hugos

I am a novelist. I also have a Master’s degree from MIT. So numbers appeal to me, especially numbers that provide clear data on thorny issues, like, oh, sexism and racism in literature.

This year, the Hugo Awards—probably the most famous and visible awards in speculative literature—were hijacked by a coordinated campaign of conservative writers who felt they’d been shut out of the community. I was bummed, because for the first time, I had a dog in the fight—my debut The Girl in the Road came out last year and got rave reviews, and I did harbor a small hope that I’d follow in the footsteps of my heroes Ursula K. Le Guin and Kim Stanley Robinson, both multiple Hugo nominees.

Monica Byrne


Monica Byrne is a novelist and playwright based in Durham, North Carolina. She’s on Twitter, Facebook, WordPress, and Instagram.

’Twas not to be. Since the Hugos are determined by popular vote—basically, anyone who buys a $40 membership to the convention that hosts the Hugos, which means a pool of only a few thousand—the system is vulnerable. And this year, it was taken over by “Sad Puppies,” an online “protest group” led by three conservative writers and editors: Vox Day, Larry Correia, and Brad Torgersen, men for whom I honestly can’t rouse myself to feel much more than pity. Clowns are sad.

Meanwhile, the actual leaders in the field—including Nora K. Jemisin, Kameron Hurley, and George R. R. Martin, raining down righteous hellfire from his blog—have mobilized en masse to explain to them and to the public exactly why they’re cartoonish fools who not only don’t represent the field, but in their vehemence, serve as proof that the field as a whole is diversifying brilliantly.

And while the state of speculative literature is far from perfect, that’s why I’m actually not worried about it. At all.

But that’s only half of my story. Just a few days after the Hugo nominations were announced, the sixth annual VIDA Count was released. Tracking trends in another genre, literary fiction, the study tallies bylines by women and coverage of books by women—and, for the first time this year, a separate data set for women of color—in the most influential literary journals in the English-speaking world.

The results are pretty awful. Though the overall numbers are inching closer to parity than when VIDA first started tracking them, most have made little to no change. There’s no accountability on the part of the journals—and usually no comment at all. Either they simply don’t care, or they believe they’re not constitutionally capable of unconscious bias.

Whereas the numbers clearly demonstrate that they are. Statistics are helpful like that.

I’ve never been comfortable identifying fully with the literary genre or the speculative genre. My novel is both. I admire work in both. I’m influenced by work in both. But as a writer who also happens to be a woman, I’ve been watching both fields carefully over the last year. And here is a difference that ends up mattering quite a lot: the speculative community hashes out its sexism and racism issues right on the surface, whereas the literary community has convinced itself it doesn’t have any. As such, the leaders in the latter are far more dangerous to diversity in literature as a whole than Day, Correia, or Torgersen could ever be.

For example, editor of The New York Review of Books , Robert Silvers.

Or editor of the Times Literary Supplement , Peter Stothard.

Or editor of The New Republic , Chris Hughes.

Or The Atlantic . Or Harpers . Or The London Review of Books . Or The New Yorker . Or The Nation .

The statistics not only show systemic bias, but a conscious refusal to change. It’s easy to shun Day, Correia, and Torgerson as embarrassing dinosaurs. Why should it be any harder to point to Silvers, Stothard, and Hughes as the same?

At last year’s National Book Awards, Ursula K. Le Guin spoke of art as a tool of change. A writer with serious cachet in both speculative and literary genres nevertheless claims proud membership in the former, among those who are “writers of the imagination” and “realists of a larger reality.” And true to that charge, over the past ten years, speculative literature has been measurably diversifying.

How many VIDA Counts will it take for the literary establisment to do the same? Hungry young writers of all colors, all races, all genders, all faiths, all philosophies, and all orientations are moving up through the ranks, not waiting for permission to be heard. The future belongs to us. We’re already writing it. Now, where will we do so?

Where we feel welcome.

That may still be the Hugos. That may still be The New Yorker. It’s a matter of institutional will, as always. To quote Le Guin again, “Any human power can be resisted and changed by human beings.”

But of the literary and speculative genres, I see only one truly doing so.

Don’t Starve’s Developer Has a Stealthy New Game

Invisible, Inc. , a new tactical espionage game from Klei Entertainment, is graduating from Steam’s Early Access service and officially launching on May 12.

Klei is known for its stylish takes on familiar genres, such as the ninja-platformer Mark of the Ninja and the survival-horror roguelike Don’t Starve.

Invisible, Inc. continues this legacy with the company’s take on tactical espionage, the genre best known as home to the Metal Gear Solid franchise.

The official release brings several major improvements over Invisible’s last early access update, including an all new voiceover, fully-animated 3-D cinematics, new gameplay elements, and a fully realized story and world.

In the month leading up to release, Klei has ceased new sales of the early access version of the game—though if you already own it, you can keep playing the development build.

Invisible, Inc. will be available on PC, Mac, and Linux via either Steam or DRM-free on Klei’s website. A PlayStation 4 version is also in the works, but there’s no release date for that just yet.

EU Formally Accuses Google of Antitrust Violations

European competition commissioner Margrethe Vestager gives a press conference at European Commission headquarters in Brussels on November 20, 2014. European competition commissioner Margrethe Vestager gives a press conference at European Commission headquarters in Brussels on November 20, 2014. Emmanuel Dunand/AFP/Getty

Five years ago the European Union began an investigation into whether Google violated its antitrust laws. Now it will finally bringing charges against the company as well as open a new investigation into Google’s Android operating system.

On Wednesday the EU’s executive branch, the European Commission, announced it had served the company with a formal complaint known as a Statement of Objections. If Google is ultimately found guilty of violating the law, the EU could reportedly level fines as large as $6.4 billion—roughly 10 percent of Google’s operating revenue.

At issue is whether the company uses its position as the dominant search engine company to muscle out competition from specialized search services, specifically comparison shopping sites, by prioritizing its own Google Shopping search results. European shopping search company Foundem filed a lawsuit against Google in 2010 and triggered the European Commission’s investigation. Although the investigation has dragged on for years, new European competition commissioner Margrethe Vestager seems determined to bring it to an end.

The European Commission also confirmed that it is opening an investigation into Android as well. Although the operating system is open source, meaning that any manufacturer can install it on the phones and tablets they sell, many core applications, including the Google Play store, are proprietary. Manufacturers must enter into special agreements with Google to include these proprietary apps. The investigation will attempt to determine whether Google is using its position to discourage the inclusion of rival applications on Android-based phones.

Saw It Coming

Google saw this coming. On Tuesday tech news site Re/code published what it says is a leaked internal memo from Google that acknowledged the EU’s move and asked employees not to comment on the matter either internally or externally.

Google’s defense is that it’s facing increased competition both in search, from services ranging from Bing to Apple’s Siri, and in mobile, from iOS and from mobile apps created by companies such as Facebook. The memo includes four graphs showing increased traffic to competing shopping and travel search sites in Europe based on data from comScore.

“All told, consumers have a lot of choice — and they are exercising it,” the memo says.

The Federal Trade Commission’s Take

Federal Trade Commission staffers quite didn’t see it that way in 2012. Earlier this year the Wall Street Journal obtained a staff report by the FTC’s bureau of competition recommending that the agency bring a lawsuit against Google for unfair practices. The document was apparently released to the paper by mistake. The report lodged several complaints against Google, such as its practice of displaying content from sites such as Yelp and Amazon on its own competing services. “When competitors asked Google to stop taking their content, it threatened to remove them from its search engine,” the Journal reported.

The paper also reported that the staffers concluded that Google demoted or refused to display links to certain specialized search services, but recommended against an antitrust suit based on the because Google had adequate pro-consumer justifications for its actions. And in a footnote, the staffers wrote that although Google had at one point sought to demote search results for all comparison shopping sites, the company had since tweaked its algorithm based on negative feedback from testers.

Ultimately, the FTC commissioners chose not to pursue a lawsuit and ended the investigation after Google elected to make a few changes to its practices. Most notably it agreed to allow competitors to opt-out of having their content used in its services.

Harsher Climates

Google might not be able to reach as favorable an agreement in the EU, which has been more aggressive in its dealings with the tech industry. Last November the EU’s legislative branch, the European Parliament, passed a resolution recommending that Google’s search engine be “unbundled” from the rest of its business.

The European Parliament doesn’t actually have the authority to force Google to split-up, according to the Financial Times . But it does illustrate how different the climate towards technology companies is in Europe, which has much more strict privacy laws than the U.S. Goole was also recently hit with the so-called “Right to be Forgotten Law” that requires it to remove outdated search results that might unfairly damage individual reputations. The policy has already become a nightmare for the company.

Meanwhile six European countries are investigating Facebook’s privacy practices, such as how it uses “like” buttons to track browsing habits. And many European cities have banned Uber’s controversial car service. On the other hand, Google was fined only $189,000 in Germany in 2013 for inadvertently but illegally collecting data from private WiFi networks as part of its Street View scanning process, indicating that these cases don’t always result in hefty fines or increased regulatory oversight.

Google still has time to negotiate with the European Commission. But it will certainly face a harsher environment there than in the U.S.

Small Packages of Code Are the Biggest Thing in App-Making

Open source is everywhere. On our phones, running the servers behind the world’s largest web services, and sometimes even in our cars and appliances.

But even though we hear a lot about big open source projects such as the Linux operating system or the Hadoop data-crunching platform, a bigger movement is afoot just beneath the surface of practically all of today’s software. Instead of building big, monolithic applications, programmers are increasingly stitching apps together using open source software packages. As the package paradigm has taken hold, app-making has become more efficient than ever.

You wouldn't believe how many modules you end up using. You might only have ten but each of those have ten modules that they depend on, so before you know it you're up to 100. Edmond Meinfelder, DocuSign

These smaller software packages are a lifesaver for many developers, rescuing them from writing common features from scratch, taking the busywork out of everything from password verification to complex mathematics. But packages can also create new forms of complexity, even as they make other jobs simple. Each one needs to be upgraded when new versions arrive, and many packages depend on other packages to work properly.

“You wouldn’t believe how many modules you end up using,” says Edmond Meinfelder, a software architect at DocuSign. “You might only have ten but each of those have ten modules that they depend on, so before you know it you’re up to 100.”

Developers often mitigate this complexity by using tools called “package managers” to automatically install and update these chunks of software. And if a package requires another package, the package manager will go out and fetch the required software from centralized servers.

Package management is so important, in fact, that one company is trying to make it a business. The company, npm, makes a package manager of the same name, just raised $8 million in venture capital to make that plan a reality.

From Walmart to Uber

Some package managers work at the operating system level, but many others are designed for specific programming languages. The Node Package Manager—known universally among developers as “npm”—is designed for the popular backend development platform Node.js.

Node lets developers to use the programming language JavaScript, initially developed for adding interactivity to web pages, to write full-blown applications that run on servers. Because it helps developers create complex applications using only one language instead of a mix of JavaScript and more traditional server-side languages, it’s become wildly popular with a companies ranging from huge startups such as Uber to huge corporations like Walmart.

Isaac Schlueter created npm in 2009 shortly after Node was first released to the public. He quickly found himself using many other people’s modules in his own Node applications and needed a way to manage them. But Schlueter did something different from most other package management systems. He designed npm so that anyone could add a package to his servers without him having to approve it first. This helped it grow quickly, and it soon became the standard way to install Node software.

Still, despite its widespread use, Schlueter’s package manager remained a side project for the next several years. In 2012, he took over managing the core Node project when creator Ryan Dahl stepped down. But by the next year, it was becoming clear that npm needed full-time support.

Since npm was released, its servers have experienced a few outages, making it impossible for developers to download packages, and at least one significant security issue was discovered. Schlueter knew that he had to devote more time and resources to keeping the servers up and running, and to making the product work well. “The best way to make good software is to hire people and pay them like grown-ups rather than expecting them to do it in their free time,” he says.

The issue, of course, is how to pay those engineers for that time. Fortunately, companies were not just willing but eager to pay for npm. So Schlueter quit his job and stepped down as the manager of the core Node project and to found npm the company.

Small Software Is Big

The company’s first product was npm Enterprise, which enables customers to run their own private npm system in their own servers. And starting today, npm will also allow customers to host private packages on the company’s servers but only share them with certain people, such as co-workers or partners, for $7 per person.

“The basic idea is that anything you publish into open source will be free forever,” Schlueter says. “But anything you need to keep secret, you need to pay for that.”

In addition to secrecy, customers can gain more control over the code they use, says DocuSign’s Meinfelder. “We want all the code that we use to undergo a rigorous security review process,” he says. By hosting their own mirrors of npm’s open source packages, companies can rest assured that they’re installing code that has already been reviewed and only switch to updated versions after proper vetting.

While the value of npm to Node developers is clear, the big question for npm is whether enough companies will adopt Node in the coming years to make its business viable. Given Node’s explosive growth recently, it’s certainly a possibility. Still, the most important thing about npm might not be the specific platform that it supports today, but what its popularity says about rise of packages as the new paradigm for constructing apps. Small software, it turns out, is a really big deal.

Smart Surf Watch Tells You When to Head to the Beach, Brah

The market is awash in wrist-worn digital tech. You can wear an Apple Watch, a Pebble, or one of many Android Wear offerings, all of which will put every last notification on your wrist. Your tweets, your faves, texts from your sweetie. You can wear a fitness band that will count your steps and tell you when to take a jog.

This watch is different. It will not nag you or interrupt your life, except to deliver perhaps the most important notification of all: It tells you when your local surf spot is going off.

The Ultratide ($300, available later this month) is the latest surf watch from Nixon. The company has a few other surf watches, including last year’s excellent Supertide. But while all of those models will tell you which way the tides are moving, only the Ultratide grabs real-time data from Surfline and displays the current surf conditions at any beach of your choosing. And there’s no better place to get your surf reports—Surfline has been watching the oceans for 30 years now, and delivers detailed local condition reports as well as 48-hour surf forecasts.

To get the watch working, you pair it with your phone over Bluetooth using Nixon’s Ultratide app (iOS only, Android coming late 2015). From there, you can set it to track a few different spots. Surfline collects live data for over 2,700 locations around the world, so there’s a very good chance your local break can be programmed into the watch. Even better, the smartphone app can geolocate you, so you can just get updates from the beach closest to you if you’re island-hopping.

Current conditions are displayed on the watch’s face at all times. The reports are detailed, too. You get tide status, wave height, wind direction and speed, swell direction, and the temperatures of both the air and the ocean. You also get Surfline’s general assessment in a tidy one-word note, like “Fair” or “Good”. I programmed two local spots into the watch, Ocean Beach and Bolinas Jetty, plus one in Hawaii. A button on the side of the watch lets you flip through your programmed locations and check the conditions. Your phone collects the up-to-the-minute reports and delivers the data to the watch, so at any time, you can also view more detailed reports inside the app.

As is typical for spring in the Bay Area, things rarely got above “Poor” at Ocean Beach. But that’s where the alerts come in—you can program a notification to sound whenever your local spot is kicking. You can rely just on Surfline’s one-word ratings (so it pings you whenever conditions are “Epic,” for example) or you can set the watch to tell you whenever conditions are just to your liking. A particular wave height, a south swell, offshore winds. I asked the Ultratide to alert me whenever Ocean Beach was rated as “Good” or higher. It went off exactly once, in the middle of the night. Maybe I should move.

Once you’ve paddled out, you press another sequence of buttons on the watch, and it logs your session. If that session ended up happening on a particularly glassy and gorgeous day, the Ultratide can find out what the conditions report was for that hour you were in the water, then set up an alert that’ll go off whenever the conditions at that location are similar. It’s pretty smart.

It’s also sharply designed. The Ultratide uses a battery like a regular watch, so charging isn’t something you ever have to think about. The battery lasts at least one year, and to restore it, you ship it back to Nixon. The company will replace the battery for free and service all the gaskets to make sure the watch stays water-tight. The stainless steel case is smooth and classy, and the silicone band is extraordinarily soft and comfortable. Behind the buckle, there’s a little nub on the strap that fastens into a hole on the looper, locking the strap into place. It never slips. This will come in handy when (not if) I get sucked over the falls.

WIRED’s Guide to Produce That Won’t Make the Drought Worse

wired_california_drought_guide Save this graphic to your cellphone so you can reference it on the go. WIRED

Summer weekends find me at San Francisco farmers’ markets, buying up as much local stone fruit as I can carry. The peaches, plums, and cherries are burstingly delicious. They are also, it turns out, terribly thirsty crops. California’s historic drought has brought renewed attention to the water-suckingness of beef and almonds, and deservedly so. But look, about half the vegetables and three-quarters of the fruit grown in the US comes from California. So the question is, if you want to be environmentally sensitive and exert a bit of business pressure on water-users, what should you be eating? What’s the most drought-friendly part of the produce aisle?

To figure that out, we analyzed data produced by M.M. Mekonnen and A.Y. Hoekstra at the University of Twente in the Netherlands, showing the water required to grow crops around the world. We then ranked the crops by water usage and organized them by season.

The result: the WIRED Guide to California Produce.

It’s not all bad news: Go ahead and toss that salad! Er. Rather, feel free to throw lettuce, carrots, tomatoes, spinach, and yes, kale into your shopping cart—they all fare well in our analysis. For your fruit plate, you’re safe with strawberries, grapefruit, and cantaloupe. But when you start to reach for the avocados, asparagus, and cherries, you’re getting into more dangerous territory. They are the produce aisle’s biggest water hogs.

Oh, and speaking of hogs. Yes: Compared with animals like pigs and cows, fruits and vegetables are a cactus. As the Los Angeles Times reported, raising animals for human consumption requires an enormous amount of water; producing a pound of bacon, for example, requires eight times more water than a pound of asparagus. The animals don’t drink it; it’s because of the huge amounts of water required to grow the plants they eat. Gizmodo’s Alissa Walker smartly notes that one of agriculture’s biggest drought offenders is alfalfa, grown as animal feed and then exported.

Clearly fruits and vegetables aren’t the bad actors in the drought. Drop for drop you are better off eating just about any kind of produce instead of a steak, a ham, or (animal proteins’ worst offender) cow’s tongue. Another caveat, while we’re on the subject: Our data doesn’t consider foods’ nutritional properties, a considerable X factor. You could imagine, for example, that a water-intensive food that was also high-calorie and highly nutritious might be worth it.

But how do I know, you might be asking, if this artichoke (or whatever) was grown in California? Well, it pretty much was: 99 percent of the nation’s crop is grown here. Other produce that you can be pretty certain came from the Golden State includes garlic, plums, figs, broccoli, grapes, lettuce, celery, strawberries, lemons, and nectarines (ouch). California’s responsible for more than 90 percent of the United States’ production of those foods.

Now, about the nuts: Everyone’s tsk-tsking about California’s enormous almond crop. And it’s true. They suck up a lot of water. But if you want to hate on nuts, walnuts are equally thirsty, and the nation’s domestic supply comes almost entirely from California. Consider instead the pistachio: pretty, nutritious, and way less thirsty.

An App That Hides Secret Messages in Starcraft-Style Games

China’s internet cafes full of young nerds glued to Starcraft 2 might soon be taking on more than Zerg hordes and Protoss Colossi. One group of anti-censorship researchers wants to turn those games themselves into a weapon in the war for web freedom.

A group of graduate researchers at Stony Brook University in New York have built what they describe as a prototype tool for exploiting “covert channels” in real-time strategy games, the genre of desktop videogames that includes Starcraft, Warcraft, Shogun 2, and Company of Heroes. Their program, which they call Castle, is designed to encode secret messages into those multiplayer games’ communications with opponents and teammates across the Internet, translating emails, articles, and even web pages into the game’s commands and siphoning them to players who live in censorship regimes like China or Iran.

The researchers published their open source stealth tool this week on GitHub, and they’re still testing it for security. They hope it will not only circumvent censorship and surveillance, but that it will also impersonate normal game data closely enough to avoid even alerting authorities that their filters have been thwarted. “Tools which have distinctive features can be detected and blocked by censors. As a result, there is increasing interest in disguising censorship circumvention traffic as benign protocols,” they write in an as-yet unpublished paper they plan to submit to security conferences. “The current video game landscape [presents] advantages that distinguish games from other covert channels and make them amenable to winning the arms race between censors and circumvention tool developers.”

Castle doesn't impersonate a game's data so much as it simply <em>plays</em> the game.

Castle works by converting messages into scripts—a series of game moves that it executes automatically. It takes advantage of some universal tropes of real-time strategy games: “units” of soldiers that can be selected and moved around a map from overhead and commanded to “rally” at certain map points or buildings. Castle loads the same custom map on both players’ screens, then runs scripts coded in Autohotkey and python to execute commands like moving and rallying those units in patterns. Real-time strategy games tend to keep a log on all players’ computers of those moves as part of their “replay” function. And that log of in-game commands can be read by the other player’s copy of Castle on the receiving end and interpreted to decode the hidden messages.

Here’s a quick demo:

The advantages of that game-based technique, the researchers say, include the fact that real-time strategy games can switch between a server-based mode and one where players connect directly to one another if the server is blocked. The games already send a lot of data between players, which is usually encrypted to prevent cheating. This further obscures the communications channel from censors. And unlike other protocols that secret communications have impersonated in the past, such as Skype, a communications session of video game data can last hours without raising suspicion. “A three- to six-hour Skype call could look strange,” says Phillipa Gill, one of the Stony Brook researchers. “One of the nice properties of games is that the packet timings match and the session durations match.”

Another advantage of games as vessels for secrets is that the modern gaming industry has provided plenty of real-time strategy games to choose from, all using a similar map-based gameplay, the researchers say. That means that they can easily port their system over to a new one in a matter of hours, spreading their secret traffic among potential targets. So far, they’ve adapted Castle to send secret messages through an open source game still in development called Zero AD, as well as a more popular commercial game they declined to name for fear of creating controversy for the developer. “If the censors begin to block one of those games, we can move it to another,” says Rob Johnson, the computer science professor leading the group. “We have a lot of flexibility and mobility.”

In their testing so far, the researchers say that they’ve achieved communication bandwidths of up to 1.5 kilobits a second while still keeping their secret communications hidden. That’s a ridiculously slow speed for most kinds of modern communication, but they suggest it’s enough for sending emails and sharing articles, and if it were built into a browser plugin, web browsing with images disabled. And they’re working to widen that thin straw of bandwidth in future versions of the software.

Stony Brook’s real-time strategy game technique may have the potential to be more secure than some other methods of steganography—the science of trying to make secret data look like other less sensitive data, says Paul Vines, a graduate researcher at the University of Washington who has worked on steganographic techniques. Castle, after all, doesn’t impersonate a game’s data so much as it simply plays the game. And the fact that it’s playing it with automated scripts could be tough to spot, given that a typical game’s normal communications are encrypted and as much as 70 percent of those messages are routine game-state checking between computers that has nothing to do with the player’s commands. Vines says there may be enough room for randomness or “entropy” in game data to hide messages more effectively than by embedding them in a Skype call, as other tools like SkypeMorph and FreeWave have done. “Games have a lot of user input,” he says. “That provides a lot of natural entropy compared to some applications.”

In fact, the Stony Brook researchers aren’t the only ones using games as a covert data channel. Developers at a Human Rights Watch conference last year proposed using steganographic videogames to smuggle data into North Korea, albeit on off-line USB sticks. And Vines at the University of Washington is experimenting with hiding data in games, too: Last month he and another researcher released Rook, a tool for hiding messages in the communications of first-person shooter games. (Bizarrely, Vines says they had never heard of Castle when they named their tool Rook.) But unlike Castle, Rook doesn’t assume the data sent by the game is encrypted. So to hide that data, it has to much more closely mimic human playing. That restriction vastly reduces the amount of data Rook can send, Vines says.

Castle’s dependence on the game’s own encryption, however, means that Castle users could be more vulnerable to detection if game makers quietly gave censors access to decryption keys, says Vines. “I could see policies put in [by game companies or governments] to break that encryption,” Vines says. “If you stripped away the encrypted layer on the game channel, you could detect it relatively easily.”

In fact, it’s still far too early for anyone to trust Castle with truly sensitive data. The system’s Stony Brook developers claim it’s undetectable with traditional port blocking or deep packet inspection, but they admit they’re still testing it against machine learning techniques that might be able to distinguish Castle traffic from normal game traffic.

But despite its early stage, Vines says that Castle, and the more general videogame approach to stealthy messaging, holds promise. “It’s a pretty good system, and it could be practical to use this in the near future,” he says, “Right now it’s already a very compelling use of games for this kind of work.”

Read the researchers’ full paper below.

Games Without Frontiers: Investigating Video Games as a Covert Channel

How Big Tech Companies Make Their Tax Bills Vanish

How Big Tech Companies Make Their Tax Bills Vanish