What was remarkable, for all the confusion of last winter, was how relatively simple that consistency was to find. In part, that was because the Ibasho residents all believed in a common set of facts and numbers based on scientific consensus: The virus spread through the air, masks and ventilation worked, being outdoors was better than not. With those assumptions shared, a surprising number of situations—a grocery store run, an outdoor barbeque, a day at the office—could be encapsulated with relatively few parameters. By the springtime, the roommates were still tallying up their risk points (for personal accountability, and because the level of freedom fluctuates with the local case rate). But Catherine Olsson, the project’s de facto leader, told me the rubric had helped her internalize what was safe. She knew, for the most part, what her hopes and needs for each week were, and what sort of points they would cost. Pandemic risk had become passive.
That was before this summer’s whiplash, before vaccines appeared to mean the pandemic was over, until it wasn’t. The math is more confusing now, a little harder to intuit. Delta and rising case rates make every activity more “expensive,” because transmission is higher. But being around other vaccinated people also offers a discount, because those people are less likely to have an active infection (and, potentially, to transmit the virus, though the latest data on that is fuzzier). And as the Microcovid team explains in their July update, getting vaccinated also means a bigger overall budget, because the risks of death and hospitalization are so much lower. The question is how much bigger should our budgets get?
Setting a baseline budget has always been tricky. It’s important, because all the activity calculations revolve around it, but it is also the least grounded in statistics. “It really is about feelings,” Olsson told me at the time—as personal as it is scientific. For Ibasho, an initial budget of 10,000 microcovids per week was drawn from discussing how they felt about their personal risks and risks to loved ones, as well as a sense of global responsibility—that they could not live outlandishly because they also contributed to transmission of the virus beyond their pod. Variants and vaccines haven’t changed those factors, even if the balance between them has shifted.
I wasn’t at all sure how I felt about my budget. I hadn’t used Microcovid personally outside of my reporting. As a relatively cloistered young adult with one partner and no kids, it just wasn’t pressing to get my risk affairs in order. But this week, feeling jarred by the sudden return to restrictions, I decided to do some calculations on the Microcovid website. I entered in my activities from the previous few weeks: the unmasked errands, the dinner parties at home, the dance floor. (The last, as I ticked up the number of undistanced participants, eventually blared back a code blood-red: “DANGEROUSLY HIGH RISK.”) So would I do it all again next weekend? At current case rates, definitely not. Then I began making adjustments: Adding masks (required now indoors in San Francisco, anyway), reminding myself that an indoor party could probably still happen outside, cutting out the clubbing and remembering that eliminating a few big risks could help me feel better about taking extra smaller ones.
There’s a sad sum to those calculations: that life, in August 2021, is not about living in the moment, but about the sum total of our experiences. It’s about reframing the risks of a global pandemic into a series of street crossings, not setting them out of mind like satellites buzzing harmlessly overhead. That’s hard to take more than 500 days after San Francisco’s initial shelter-in-place order—to be typing life’s pleasures into a calculator and tabulating the damage, and acknowledging that one’s possibilities have limits. But it felt like a healthy practice, laying it all out. And maybe it would hasten a return to living more freely. I had kept my budget restrictive because cases in California are climbing fast, but I also knew that, as a vaccinated person, I would loosen it somewhat when this surge ebbed, as it eventually will. We will be living with viral risk for the long term, and with precautions against it. For me that life will include getting low once the case counts do too.
A ruthless criminal operative is poisoned and has less than 24 hours to exact revenge on her killers in Kate, a new action thriller from Netflix starring Mary Elizabeth Winstead, who played Huntress in Birds of Prey.
The streaming service seems to be casting about for a female version of the hugely successful John Wick franchise, but it’s harder to pull off than it looks. First, there was 2020’s The Old Guard, in which Charlize Theron leads an immortal group of mercenaries on a mission of revenge. Theron was terrific, but the film itself was uneven. Just last month, Netflix served up the disappointing Gunpowder Milkshake, which had a stellar cast and all the right elements, including some impressive fight choreography. But as with The Old Guard, nothing really jelled, and as much as I love Karen Gillan, she seemed ill-suited to the role. Gunpowder Milkshake ended up feeling flat, predictable, and like an exercise in style over substance.
The basic premise of Kate is a familiar one; it’s essentially a twist on the classic 1950 film noir D.O.A., in which a man—a seemingly ordinary accountant and notary public—walks into a police station and says he has been poisoned, with only a few days left to live and discover who murdered him. (Due to someone not renewing the copyright on time, the film is in the public domain.) It has inspired three direct remakes: 1969’s Color Me Dead, 1988’s D.O.A. (starring Dennis Quaid), and the 2017 film Dead on Arrival. And the film has influenced countless more, such as the 2006 film Crank, in which Jason Statham plays a British assassin who has to keep his adrenaline levels spiking to counteract being given a deadly poison.
Kate seems like a combination of D.O.A., Crank, and Gunpowder Milkshake. Per the official premise: “Meticulous and preternaturally skilled, Kate is the perfect specimen of a finely tuned assassin at the height of her game. But when she uncharacteristically blows an assignment targeting a member of the yakuza in Tokyo, she quickly discovers she’s been poisoned, a brutally slow execution that gives her less than 24 hours to exact revenge on her killers. As her body swiftly deteriorates, Kate forms an unlikely bond with the teenage daughter of one of her past victims.”
I don’t know why filmmakers seem to think female assassins have to bond with young girls to show their softer emotional side, but so be it. Director Cedric Nicolas-Troyan received an Oscar nomination for his visual effects for 2012’s Snow White and the Huntsman and made his directorial debut in 2016 with The Huntsman: Winter’s War. Based on this trailer, he has put that background to excellent use in Kate. We’ll have to see if Nicolas-Troyan can take this well-worn formula and make it his own, despite a frankly boring title.
The Huntress was my favorite character in Birds of Prey, largely due to Winstead’s deadpan delivery, which draws out both the character’s single-minded resolve and her extreme social awkwardness. Case in point: After taking out several bad guys with her trademark efficiency and athleticism, she turns around to see her compatriots staring at her in awe. “What?” she says, completely unaware of what a badass she is. If Winstead gets the chance to showcase that mix of skills again in Kate, she could easily establish her place alongside Charlize Theron as a credible action star.
The new Netflix series Masters of the Universe: Revelation, written by Kevin Smith, is the latest offering from Powerhouse Animation, which also produced the Netflix shows Blood of Zeus and Castlevania. Science fiction author Zach Chapman believes it’s superior to its predecessors.
“I think the animation actually surpasses Blood of Zeus—for sure in the designs, and redesigns, of a lot of the characters,” Chapman says in Episode 478 of the Geek’s Guide to the Galaxy podcast. “And then just in the quality of the animation itself. The battle scenes are, on average, better and more interesting than Castlevania.”
Masters of the Universe: Revelation picks up the story of He-Man as he appeared in the 1983 children’s cartoon He-Man and the Masters of the Universe. Geek’s Guide to the Galaxy host David Barr Kirtley enjoyed the show, but was surprised that it strayed so far from the classic He-Man formula. “I was disappointed that the show seemed to be sidelining the characters that I actually remembered,” he says. “My initial reaction was that I wanted to see more of the He-Man that I remember, where he’s switching back and forth between Adam and He-Man.”
TV writer Andrea Kail also had issues with the characterization of Teela, who emerges as the focal point of the series. “They frequently do this with women characters, where their lives are fine: She just got promoted, she’s got a great relationship with her dad—she was just hugging him—and then she finds out that somebody lied to her, and it’s like, ‘That’s it. I’m throwing down my sword and walking out, and I’m never talking to you again for years and years,’” Kail says. “It perpetuates the stereotype of the hysterical, overemotional woman who holds a grudge. So I really wish they hadn’t done that.”
But fantasy author Christopher M. Cevasco found Masters of the Universe: Revelation to be a near-perfect mix of classic characters and new ideas. “It ticked all the boxes that I was hoping it would, as someone who loved the show in the ’80s,” he says. “And I loved the new directions that they took it in from that starting point. So to me I just think it was the best of both worlds, and I look forward to seeing what happens next.”
Listen to the complete interview with Zach Chapman, Andrea Kail, and Christopher M. Cevasco in Episode 478 of Geek’s Guide to the Galaxy (above). And check out some highlights from the discussion below.
David Barr Kirtley on Skeletor:
“The guy who invented Skeletor, when he was a kid he went to some amusement park, and was in the haunted house, and this corpse on a noose dropped down in front of him and scared the crap out of him. And he’s like, ‘That’s a real dead body! I know that’s a real dead body.’ And it turned out it was a real dead body. There was this outlaw who died in a shootout with police, and no one came to collect the body, so the guy at the funeral home decided to embalm him and charge admission to see him. And then a conman came and cheated him out of it, and sold it to a carnival or something. It changed hands a bunch of times, and eventually people didn’t realize it was a real dead body, and it finally ended up in this amusement park. … So that’s what inspired Skeletor.”
Christopher M. Cevasco on He-Man and the Masters of the Universe:
“I actually used to record the episodes on VHS, and would watch them back and take careful notes for a planned project—which of course never came to fruition—where I wanted to make a big compendium of the entire world, with details about the history and geography, and biographies of the various characters. … I loved the fact that it wasn’t just a run-of-the-mill cartoon where everything is on the surface. With various episodes throughout the run, you find out layers and layers of history behind characters, and they bring certain elements back, and the relationships that develop and the mythology behind the world get more and more developed as it goes along.”
Zach Chapman on Beast Man:
“I thought that Beast Man should have been against Triclops for reasons other than, ‘Hey, don’t hurt Evil-Lyn.’ Why is his alliance with her? His alliance should be with the beasts that he controls. [The Triclops cult] takes these nano-machines, and they drink them, and they become part machine. So Beast Man, being a beast, being of the natural world, should be opposed to this mixing of technology with flesh and polluting the natural world. I thought it would have been way cooler if they had gone that way. Immediately, I was like, ‘You’re making this guy just a bodyguard, when he could be way more interesting.’”
Andrea Kail on women writers:
“As I was watching [Masters of the Universe: Revelation], I watched the credits right at the beginning, and it stood out to me that there’s only one woman writer, and the main character—for all intents and purposes—is a woman. I just don’t understand why you can’t get more women writers in there. And no women directors either—it was just two guys. Watching the [Power of Grayskull] documentary this morning, they had more women working on the original show in the ’80s than they do on this. … There’s a call now for more strong women characters, and that’s great, but we need more women behind the scenes. We need more women writing women’s stories.”
At the end of June, just before the White House scrambled to respond to another ransomware attack from Russia, Moscow presented a new international cyber treaty in the United Nations. Moscow has tightened its grip on the internet domestically for years, and has recently pushed for a sovereign internet. While the Russian government’s internet strategy and policies are often misunderstood in the West—based on the false assumption that Putin’s hand moves everything in Russia—this focus on state dominance has remained crystal clear. But as the Biden administration moves to confront the growing ransomware threat from Russian cybercrooks, the new treaty underscores just how unwilling the Putin regime is to cooperate.
The crux of the 69-page document is hardly shocking: The Putin regime is continuing its battle for a more closed, state-controlled internet. Newly significant, however, is that it follows the passage of a new UN cyber agreement by Moscow (and Beijing and other authoritarian governments) in December 2019. Then, the Russian government capitalized on both surging calls for “cyber sovereignty” and the Trump administration’s undermining of American cyber diplomats to garner wide support from longtime backers of an open global internet. What followed was the creation of a UN committee tasked with considering a new cyber treaty—one meant to replace the Budapest Convention on cybercrime that Moscow has long opposed.
Russia’s treaty, awkwardly titled the Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes, is nominally about cybercrime, but the word “cybercrime” means something very different to the Putin regime than to Washington or Berlin. In the West, “information security” is used interchangeably with “cybersecurity,” generally referring to the confidentiality, integrity, and availability of systems, networks, and data. For the Russian government, information security is far more expansive, wrapping the security of the Putin regime, the state’s control over information flows, and the “stability” of Russian society into a single concept. When dozens of countries back Russia’s call for information security, then, it constitutes a push for greater state censorship and internet control around the world.
The definition of crimes is equally problematic. For a regime that wields all manner of violence against people challenging or resisting it—including murder, kidnapping, police brutality, and jailing—“internet crimes” are merely any online actions that scare the Kremlin or threaten Putin’s hold on power. Russia already has many laws to censor tech companies and punish individuals sharing what it deems “false information.” The treaty’s anti-cybercrime language extends Moscow’s push for greater top cover for internet repression. References to “terrorism” fall into the same bucket, given the state’s long-standing use of terms like “counterterrorism” and “counterextremism” to suppress dissent. The treaty contains incredibly broad definitions of terrorism that include unlawful acts motivated by political or ideological “hatred,” establishing a pretext to crack down on opposition.
The treaty also brandishes many other familiar rhetorical tools of the Russian regime: references to state sovereignty and nonintervention in other countries’ domestic affairs, which Putin continually stresses—usually in bad faith—as important to Russian security; vague definitions of computer operations that impact the “security of information”; surveillance-expanding calls for companies to archive user data and intercept online traffic; and cynical lip service to human rights.
Russia’s December 2019 feat in the UN might give the new treaty stronger legs than it would otherwise have; states voted to establish a new committee to weigh a cyber treaty, and Moscow has now presented such a document. It’s an open question whether the previous agreement’s many backers will support it. It also remains to be seen whether Biden can marshal diplomatic resources to successfully fight it.
When my wife started a little garden in our urban backyard, all I could think about were the worms. Also the bugs, and the dirt, which is of course filled with worms and bugs and composted corn cobs. But she was happy. She introduced me to many bees and enthused about borage, which is a flowering herb that bees like. We started to eat our own lettuce.
You’re supposed to love nature, so I kept my mouth shut. But I find the whole idea of it genuinely horrifying. Part of the privilege of being a nerd is that you’re able to forget you have a body: You cruise around cyberspace, get a beverage out of the fridge, cruise some more. In the natural world, bodies are inescapable. Everything keeps growing, and the growth feels like rot. There is hair everywhere. I did the math, and in the past 16.38 seconds humankind collectively added a mile of fingernails. That’s how I see nature. I don’t like dirt. I like devices.
But over time, you know, you get curious. You want to know what things are made of. It’s the same urge that makes you send your saliva to some random company in order to learn that, after an entire lifetime of being told you’re Irish, you’re Irish. It’s also why skeletons are cool. We like to look inside the thing.
So I learned some assembly language. Assembly is a method of programming that peels back almost all the layers of abstraction and gets you close to a computer’s CPU. Instead of speaking in long, detailed Python (for example) statements, you’re issuing tons of curt instructions: Move this bit over there. I have a broad definition of fun, but I found assembly to be none at all; it felt like using an angry calculator. To add two numbers, you have to tell the computer to reserve two places for the numbers, put them there, add them, and put the result somewhere else.
But as I read more about the physics of chips, I started to have a kind of acceptance of assembly language. I stopped seeing it as an annoying, unfinished abstraction—a bad programming language—and started seeing it for what it is: an interface to the physical world.
Billions of years ago, I learned, an evil witch, or perhaps God Themself, cursed the class of materials known as silicates, which are abundant on this planet, and made them neither insulators nor conductors but rather an eldritch horror known as semiconductors. Eventually, scientists realized that the dual nature of these materials could be exploited to turn them into tiny switches, visible only through a microscope. Put these little switches all together in a sequence, add a clock, and away you go. You know, something like that.
As I dug in further, I saw that beneath the orderly tower of abstraction there’s just an arbitrary, multilayered mess of worms and corn cobs. Each microchip has its own history, its own way of mixing up physics, chemistry, math, and manufacturing. And once I started to internalize and accept that mess—to accept that the computer is a weird hack of reality—it all became kind of fun. This is how we turn dirt into apps that trade Bitcoin.
In early 2019, a bug in group FaceTime calls would have let attackers activate the microphone, and even the camera, of the iPhone they were calling and eavesdrop before the recipient did anything at all. The implications were so severe that Apple invoked a nuclear option, cutting off access to the group-calling feature entirely until the company could issue a fix. The vulnerability—and the fact that it required no taps or clicks at all on the part of the victim—captivated Natalie Silvanovich.
“The idea that you could find a bug where the impact is, you can cause a call to be answered without any interaction—that’s surprising,” says Silvanovich, a researcher in Google’s Project Zero bug-hunting team. “I went on a bit of a tear and tried to find these vulnerabilities in other applications. And I ended up finding quite a few.”
Silvanovich has spent years studying “interaction-less” vulnerabilities, hacks that don’t require their targets to click a malicious link, download an attachment, enter a password in the wrong place, or participate in any way. Those attacks have taken on increasing significance as targeted mobile surveillance explodes around the world.
At the Black Hat security conference in Las Vegas on Thursday, Silvanovich is presenting her findings about remote eavesdropping bugs in ubiquitous communication apps like Signal, Google Duo, and Facebook Messenger, as well as popular international platforms JioChat and Viettel Mocha. All of the bugs have been patched, and Silvanovich says that the developers were extremely responsive about fixing the vulnerabilities within days or a few weeks of her disclosures. But the sheer number of discoveries in mainstream services underscores how common these flaws can be and the need for developers to take them seriously.
“When I heard about that group FaceTime bug I thought it was a unique bug that would never occur again, but that turned out not to be true,” says Silvanovich. “This is something we didn’t know about before, but it’s important now for the people who make communication apps to be aware. You’re making a promise to your users that you’re not going to suddenly start transmitting audio or video of them at any time, and it’s your burden to make sure that your application lives up to that.”
The vulnerabilities Silvanovich found offered an assortment of eavesdropping options. The Facebook Messenger bug could have allowed an attacker to listen in on audio from a target’s device. The Viettel Mocha and JioChat bugs both potentially gave advanced access to audio and video. The Signal flaw exposed audio only. And the Google Duo vulnerability gave video access, but only for a few seconds. During this time an attacker could still record a few frames or grab screenshots.
The apps Silvanovich looked at all build much of their audio and video calling infrastructure on real-time communication tools from the open source project WebRTC. Some of the interaction-less calling vulnerabilities stemmed from developers who seemingly misunderstood WebRTC features, or implemented them poorly. But Silvanovich says that other flaws came from design decisions specific to each service related to when and how it sets up calls.
When someone calls you on an internet-based communication app, the system can start setting up the connection between your devices right away, a process known as “establishment,” so the call can start instantly when you hit accept. Another option is for the app to hang back a bit, wait to see if you accept the call, and then take a couple of seconds to establish the communication channel once it knows your preference.
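The two setup options above share one callee-side rule, sketched here as an added example that is not from the article or from any of the apps it names: whether the connection is established before or after the user answers, local audio and video stay disabled until a local accept, and no message from the caller can stand in for it. All class, state and message names are hypothetical, and the tracks are plain objects modelled on `MediaStreamTrack.enabled`.

```javascript
// Added example; every name is hypothetical. Tracks are plain objects that
// stand in for MediaStreamTrack, whose `enabled` flag gates what is sent.
const State = Object.freeze({
  IDLE: "idle",
  RINGING: "ringing",             // offer seen, nothing set up yet
  PRE_ESTABLISHED: "established", // transport up, media still disabled
  ACTIVE: "active",               // local user accepted, media flowing
  ENDED: "ended",
});

class CalleeSession {
  constructor({ earlyEstablishment }) {
    this.earlyEstablishment = earlyEstablishment;
    this.state = State.IDLE;
    this.tracks = [
      { kind: "audio", enabled: false },
      { kind: "video", enabled: false },
    ];
    this.rejected = []; // refused remote messages, kept for logging
  }

  // Everything arriving over signalling is untrusted input from the caller.
  onRemoteMessage(msg) {
    const live = this.state !== State.IDLE && this.state !== State.ENDED;
    if (msg.type === "offer" && this.state === State.IDLE) {
      this.state = State.RINGING;
      if (this.earlyEstablishment) this.state = State.PRE_ESTABLISHED;
      return true;
    }
    if (msg.type === "candidate" && live) return true; // connectivity only
    if (msg.type === "hangup" && live) return this._end();
    // Anything else, including a peer claiming the call was answered,
    // is refused and never changes state or media.
    this.rejected.push(msg.type);
    return false;
  }

  // Reached only from the local accept button, never from the network.
  userAccept() {
    if (this.state === State.RINGING) this.state = State.PRE_ESTABLISHED;
    if (this.state !== State.PRE_ESTABLISHED) return false;
    for (const t of this.tracks) t.enabled = true;
    this.state = State.ACTIVE;
    return true;
  }

  userDecline() { return this._end(); }

  _end() {
    for (const t of this.tracks) t.enabled = false;
    this.state = State.ENDED;
    return true;
  }

  isSendingMedia() { return this.tracks.some((t) => t.enabled); }
}

// Constructed trace: a caller that sends more than an offer.
const SAMPLE_REMOTE_TRACE = [
  { type: "offer" }, { type: "candidate" },
  { type: "accepted" }, { type: "connected" },
];

// Replays a trace and reports whether media was ever enabled along the way.
function mediaLeakedDuring(session, trace) {
  let leaked = false;
  for (const msg of trace) {
    session.onRemoteMessage(msg);
    leaked = leaked || session.isSendingMedia();
  }
  return leaked;
}
```

The `rejected` list is the natural place to hang telemetry: a caller that repeatedly sends state-advancing messages before the user answers is worth surfacing to the service.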