Wednesday, October 9, 2013

Cyborg Cockroach Sparks Ethics Debate

 

At the TEDx conference in Detroit last week, RoboRoach #12 scuttled across the exhibition floor, pursued not by an exterminator but by a gaggle of fascinated onlookers. Wearing a tiny backpack of microelectronics on its shell, the cockroach—a member of the Blaptica dubia species—zigzagged along the corridor in a twitchy fashion, its direction controlled by the brush of a finger against an iPhone touch screen (as seen in video above).

RoboRoach #12 and its brethren are billed as a do-it-yourself neuroscience experiment that allows students to create their own “cyborg” insects. The roach was the main feature of the TEDx talk by Greg Gage and Tim Marzullo, co-founders of an educational company called Backyard Brains. After a summer Kickstarter campaign raised enough money to let them hone their insect creation, the pair used the Detroit presentation to show it off and announce that starting in November, the company will, for $99, begin shipping live cockroaches across the nation, accompanied by microelectronic hardware and surgical kits geared toward students as young as 10 years old.

That news, however, hasn’t been greeted warmly by everyone. Gage and Marzullo, both trained as neuroscientists and engineers, say that the purpose of the project is to spur a “neuro-revolution” by inspiring more kids to join the fields when they grow up, but some critics say the project is sending the wrong message. "They encourage amateurs to operate invasively on living organisms" and "encourage thinking of complex living organisms as mere machines or tools," says Michael Allen Fox, a professor of philosophy at Queen's University in Kingston, Canada.

“It’s kind of weird to control via your smartphone a living organism,” says William Newman, a presenter at TEDx and managing principal at the Newport Consulting Group, who got to play with a RoboRoach at the conference. At the same time, he says, he is pleased that the project will teach students about the neuroscience behind brain stimulation treatments that are being used to treat two of his friends with Parkinson’s disease.

The roaches’ movements to the right or left are controlled by electrodes that feed into their antennae and receive signals by remote control—via the Bluetooth signals emitted by smartphones. To attach the device to the insect, students are instructed to douse the insect in ice water to “anesthetize” it, sand a patch of shell on its head so that the superglue and electrodes will stick, and then insert a ground wire into the insect’s thorax. Next, they must carefully trim the insect’s antennae, and insert silver electrodes into them. Ultimately, these wires receive electrical impulses from a circuit affixed to the insect’s back.

Gage says the roaches feel little pain from the stimulation, to which they quickly adapt. But the notion that the insects aren’t seriously harmed by having body parts cut off is “disingenuous,” says animal behavior scientist Jonathan Balcombe of the Humane Society University in Washington, D.C. “If it was discovered that a teacher was having students use magnifying glasses to burn ants and then look at their tissue, how would people react?”

Gage says that in his experience, working carefully and closely with insects and other animals in experiments can sensitize students to the fact that roaches “are actually similar to us and have the same neurons that we have.” He also notes that the company doesn’t kill their own roaches after the experiments, but sends them to a “retirement” tank that the team calls Shady Acres. Although they may be missing legs or antennae, the insects tend to get on with their lives after the experiments, he says. “They do what they like to do: make babies, eat, and poop.”

“I try not to downplay the fact that in science we use animal models and a lot of times they are killed,” Gage says. “As scientists, we do this all the time, but it happens behind closed doors.” By following the surgical instructions, he says, all students learn that they have to care for the roaches—treating wounds by “putting a little Vaseline” on them, and minimizing suffering whenever possible. Still, Gage acknowledges, “we get a lot of e-mails telling us we’re teaching kids to be psychopaths.”

The RoboRoach “gives you a way of playing with living things,” like a short-lived version of the forbidden “Imperius Curse” in the Harry Potter novels, says bioethicist Gregory Kaebnick of the Hastings Center in Garrison, New York. He finds the product “unpleasant,” but adds that he won’t be calling for a boycott, either. “I’ll just be happy that I found a cleverly marketed consumer item that I am very happy not to own.”

Source: Science Mag

How The NSA Deploys Malware: An In-Depth Look at the New Revelations

We've long suspected that the NSA, the world's premier spy agency, was pretty good at breaking into computers. But now, thanks to an article by security expert Bruce Schneier—who is working with the Guardian to go through the Snowden documents—we have a much more detailed view of how the NSA uses exploits in order to infect the computers of targeted users. The template for attacking people with malware used by the NSA is in widespread use by criminals and fraudsters, as well as foreign intelligence agencies, so it's important to understand and defend against this threat to avoid being a victim to the plethora of attackers out there.

How Does Malware Work Exactly?

Deploying malware over the web generally involves two steps. First, as an attacker, you have to get your victim to visit a website under your control. Second, you have to get software—known as malware—installed on the victim's computer in order to gain control of that machine. This formula isn't universal, but is often how web-based malware attacks proceed.

In order to accomplish the first step of getting a user to visit a site under your control, an attacker might email the victim text that contains a link to the website in question, in a so-called phishing attack. The NSA reportedly uses phishing attacks sometimes, but we've learned that this step usually proceeds via a so-called “man-in-the-middle” attack. The NSA controls a set of servers codenamed “Quantum” that sit on the Internet backbone, and these servers are used to redirect targets away from their intended destinations to still other NSA-controlled servers that are responsible for the injection of malware. So, for example, if a targeted user visits “yahoo.com”, the target's browser will display the ordinary Yahoo! landing page but will actually be communicating with a server controlled by the NSA. This malicious version of Yahoo!'s website will tell the victim's browser to make a request in the background to another server controlled by the NSA which is used to deploy malware.

Once a victim visits a malicious website, how does the attacker actually infect the computer? Perhaps the most straightforward method is to trick the user into downloading and running software. A cleverly designed pop-up advertisement may convince a user to download and install the attacker's malware, for example.

But this method does not always work, and relies on a user taking action to download and run software. Instead, attackers can exploit software vulnerabilities in the browser that the victim is using in order to gain access to her computer. When a victim's browser loads a website, the software has to perform tasks like parsing text given to it by the server, and will often load browser plugins like Flash that run code given to it by the server, in addition to executing JavaScript code given to it by the server. But browser software—which is becoming increasingly complex as the web gains more functionality—doesn't work perfectly. Like all software, it has bugs, and sometimes those bugs are exploitable security vulnerabilities that allow an attacker to gain access to a victim's computer just because a particular website was visited. Once browser vendors discover vulnerabilities, they are generally patched, but sometimes a user has out-of-date software that is still vulnerable to a known attack. Other times, the vulnerabilities are known only to the attacker and not to the browser vendor; these are called zero-day vulnerabilities.

The NSA has a set of servers on the public Internet with the code name “FoxAcid” used to deploy malware. Once their Quantum servers redirect targets to a specially crafted URL hosted on a FoxAcid server, software on that FoxAcid server selects from a toolkit of exploits in order to gain access to the user's computer. Presumably this toolkit has both known public exploits that rely on a user's software being out of date, as well as zero-day exploits which are generally saved for high value targets. The agency then reportedly uses this initial malware to install longer lasting malware.

Once an attacker has successfully infected a victim with malware, the attacker generally has full access to the user's machine: she can record keystrokes (which will reveal passwords and other sensitive information), turn on a web cam, or read any data on the victim's computer.

What Can Users Do To Protect Themselves?

We hope that these revelations spur browser vendors to action, both to harden their systems against exploits, and to attempt to detect and block the malware URLs used by the FoxAcid servers.

In the meantime, users concerned about their security should practice good security hygiene. Always keep your software up to date—especially browser plugins like Flash that require manual updates. Make sure you can distinguish between legitimate updates and pop-up ads that masquerade as software updates. Never click a suspicious looking link in an email.

For users who want to go an extra step towards being more secure—and we think everyone should be in this camp—consider making plugins like Flash and Java “click-to-play” so that they are not executed on any given web page until you affirmatively click them. For Chromium and Chrome, this option is available in Settings => Show Advanced Settings => Privacy => Content Settings => Plug-ins. For Firefox, this functionality is available by installing a browser Add-On like “Click to Play per-element”. Plugins can also be uninstalled or turned off completely. Users should also use ad blocking software to stop unnecessary web requests to third party advertisers and web trackers, and our HTTPS Everywhere add-on in order to encrypt connections to websites with HTTPS as much as possible.

Finally, for users who are willing to notice some more pain when browsing the web, consider using an add-on like NotScripts (Chrome) or NoScript (Firefox) to limit the execution of scripts. This means you will have to click to allow scripts to run, and since JavaScript is very prevalent, you will have to click a lot. For Firefox users, RequestPolicy is another useful add-on that stops third-party resources from loading on a page by default. Once again, as third-party resources are popular, this will disrupt ordinary browsing a fair amount. Finally, for the ultra paranoid, HTTP Nowhere will disable all HTTP traffic completely, forcing your browsing experience to be entirely encrypted, and making it so that only websites that offer an HTTPS connection are available to browse.
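As an added illustration (not code from the EFF article or from any of the add-ons named above), this Python example audits a page's HTML the way a RequestPolicy-style "no third-party resources by default" rule and an HTTP Nowhere-style "HTTPS only" rule would treat each automatic resource load. The page URL, the sample HTML and the two-label `site_of` heuristic are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes the browser fetch a resource without a click.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src",
               "embed": "src", "object": "data", "link": "href"}

def site_of(host):
    # Assumption: "same site" = last two DNS labels (no Public Suffix List).
    return ".".join(host.lower().split(".")[-2:])

class ResourceAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_site = site_of(urlsplit(page_url).hostname or "")
        self.findings = []  # (tag, absolute URL, verdict)

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if not value:
            return
        # Resolve relative and protocol-relative URLs against the page URL.
        parts = urlsplit(urljoin(self.page_url, value))
        if parts.scheme not in ("http", "https"):
            return  # data:, about: and similar make no network request
        if parts.scheme == "http":
            verdict = "block: plain HTTP"        # HTTP Nowhere-style rule
        elif site_of(parts.hostname or "") != self.page_site:
            verdict = "block: third party"       # RequestPolicy-style rule
        else:
            verdict = "allow"
        self.findings.append((tag, parts.geturl(), verdict))

def audit(page_url, html):
    parser = ResourceAudit(page_url)
    parser.feed(html)
    return parser.findings

PAGE_URL = "https://www.news.example/story"  # constructed sample input
SAMPLE_HTML = """<script src="/static/app.js"></script>
<script src="https://cdn.tracker.example/t.js"></script>
<img src="http://news.example/logo.png">
<iframe src="https://ads.adnet.example/frame.html"></iframe>
<object data="//media.news.example/player.swf"></object><a href="https://other.example/">x</a>"""

if __name__ == "__main__":
    for tag, url, verdict in audit(PAGE_URL, SAMPLE_HTML):
        print(f"{verdict:20} <{tag}> {url}")
```

The audit only sees resources named in the static HTML; requests issued later by scripts are not covered, which is why the add-ons enforce these rules inside the browser.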

Conclusion

The NSA's system for deploying malware isn't particularly novel, but getting some insight into how it works should help users and browser and software vendors better defend against these types of attacks, making us all safer against criminals, foreign intelligence agencies, and a host of attackers. That's why we think it's critical that the NSA come clean about its capabilities and where the common security holes are; our online security depends on it.

Source: EFF