Russian Spies Rush to Exploit the Latest Flash Zero Day and More Security News This Week

There’s nothing like a hefty security freakout to start the week, and the Key Reinstallation Attack Wi-Fi vulnerability—you know it as Krack—announced on Monday fit the bill. The bug is in the ubiquitous WPA2 Wi-Fi protocol, so while it fortunately doesn’t impact every single device that exists, it does affect a significant portion of them. And many will likely never receive protective patches, a longstanding and critical security problem that particularly affects the Internet of Things. The relative simplicity of the Krack bug itself also highlights the importance of making technical standards accessible to researchers for review and feedback.

Google announced a new tier of account security this week called Advanced Protection that uses physical authentication tokens, advanced scanning, and siloing to help defend particularly at-risk accounts (or anyone who wants to be very cautious). And after its disastrous corporate breach, Equifax is receiving a thorough public shaming. Researchers also discovered that for just $1,000 they can exploit mobile advertising networks to track people’s movements in both cyberspace and the real world. Not great!

US-Iranian relations are tense and could nudge Iran’s cyber operations. And crooks have a new favorite hustle called “cryptojacking” that can secretly use your devices to mine cryptocurrency when you visit infected websites. Highs and lows.

And there’s more. As always, we’ve rounded up all the news we didn’t break or cover in depth this week. Click on the headlines to read the full stories. And stay safe out there.

Flash Patched Its Recent Zero Day, So Russian Hackers Are Using It While They Can

Kaspersky Labs researchers announced a new Adobe Flash vulnerability on Monday, noting that unidentified hackers exploited the bug in an attack on October 10, using a compromised Microsoft Word document to deliver FinSpy malware. Adobe coordinated with Kaspersky to issue a patch on the day of the disclosure. In the wake of the patch, researchers at the security firm Proofpoint observed the hackers doubling down to exploit the flaw before potential targets widely adopt the fix. The group, which Proofpoint says is the Russia-backed collective Fancy Bear, launched an email spearphishing campaign that targeted state departments and aerospace companies. But researchers say the operation was sloppy, and that the group has followed this pattern in the past.

Microsoft Didn’t Disclose 2013 Breach of a Sensitive Vulnerability Database

Sophisticated hackers breached Microsoft’s internal vulnerability-tracking database more than four years ago, but the company didn’t publicly disclose the incident. Five former Microsoft employees told Reuters that the company was aware of the intrusion in 2013. The database would have contained critical vulnerabilities in Microsoft’s widely used software products, including Windows, and may have even included code for exploiting those flaws. Such information would be a gold mine for foreign government-backed hackers or third-party criminals alike, and could have facilitated breaches and espionage at the time.

Reuters’ sources said in separate interviews that Microsoft never connected the breach to any other attacks, and that the company didn’t disclose the incident, because doing so would have pushed attackers to exploit the vulnerabilities before they were patched. Microsoft presumably patched everything in the compromised database years ago, though. Reuters’ sources say that Microsoft did at least improve its internal security in response to the hack. The incident was part of a rash of attacks that also hit Apple, Facebook, and Twitter. The group behind these hacks is still unidentified, but is known by different researchers as Morpho, Butterfly, and Wild Neutron, and is still active today.

UK Concludes That Iran, Not Russia or North Korea, Hacked Officials’ Email Accounts

Investigators in the United Kingdom concluded last week that Iranian government-backed hackers were behind a June email network intrusion that targeted numerous members of parliament and Prime Minister Theresa May. Every MP uses the network, but the hackers specifically looked for accounts protected by weak passwords or reused ones that had leaked online after other breaches. The parliamentary digital services team told the Guardian that it was making email security changes in response to the attack. The incident underscores Iran’s ongoing digital offensive initiatives. Though the country has been less focused on Western targets in the last few years, it is still an active threat around the world. Recently, US President Donald Trump has worked to undermine the Iran nuclear deal, but Theresa May and other European leaders say they want to preserve it.

Police Did Social Media Surveillance on New York Black Lives Matter Group

The Black Lives Matter Global Network chapter in Rockland County, New York, filed a federal lawsuit in August claiming that local Clarkstown police conducted illegal surveillance on it throughout 2015. Clarkstown police records from the Strategic Intelligence Unit describe social-media surveillance targeted at BLM members. The documents even show evidence that a lead detective told the Strategic Intelligence Unit supervisor to stop the surveillance, but this didn’t end the program. BLM is alleging that Clarkstown police engaged in racial profiling, and violated the group members’ rights to free speech and assembly.

Millions of Crucial Cryptography Keys Weakened By Trusted Generator

A flaw in how a popular code base generates cryptographic keys has ruined the security of millions of encryption schemes. The generator appeared in two security certification standards used by numerous governments and large corporations worldwide, meaning that the flawed keys are meant to protect particularly sensitive platforms and data. German chipmaker Infineon developed the software, which has included the key generating flaw since 2012 or possibly earlier. Attackers could exploit the bug to figure out the private part of a key from its public component. From there they could do things like manipulate digitally signed software, disable other network protections, or, of course, decrypt sensitive data. The situation affects Estonia’s much-touted secure digital ID system. Infineon, Microsoft, and Google warn that the flaw will undermine their Trusted Platform Module products until customers generate new, more robust keys. Estonia has announced plans to update the keys used for its national IDs.


Riot Games Esports Co-Head Talks ‘League of Legends’ 2017 World Championship

The world’s top competitive video gamers are facing off in China over the next few weeks for the League of Legends 2017 World Championship, one of the premier tournaments in the fast-growing world of esports.

Hosted by Riot Games, the company that makes the popular League of Legends (LoL) online game, the tournament’s early rounds turned in a fair amount of excitement and upsets, though last year’s champion is still standing. The Korean professional esports team SK Telecom T1 remains a favorite in a field that also features teams like Samsung Galaxy (sponsored by the South Korean electronics giant) and the North American team Cloud 9.

If none of those names ring a bell, then the rapid ascension of esports has likely passed you by. Competitive gaming’s popularity around the world has exploded in recent years, and the esports industry is now expected to generate more than $1.5 billion in annual revenue by 2020, according to one estimate.

Meanwhile, major professional sports teams like the New York Yankees and Cleveland Cavaliers are throwing money at esports, while tech giants like Amazon and Google compete to lure gaming fans to stream live gameplay and competitions on their digital video platforms, Twitch and YouTube, respectively. Last year, Riot Games (which is owned by Chinese tech giant Tencent) signed a reported $300 million streaming rights deal with Walt Disney’s BAMTech, and this year’s LoL world championship tournament is available for streaming around the world on Twitch and YouTube.

The influx of media rights deals has also opened the door for a range of high-profile corporate sponsors, with Riot Games landing sponsorships in recent years from the likes of Acer Gaming, Coca-Cola, T-Mobile, and Mercedes-Benz.

This week Fortune caught up with Jarred Kennedy, the co-head of esports at Riot Games, to discuss the world championship (the finals will take place Nov. 4 at the Bird’s Nest National Stadium in Beijing) as well as the overall growth of the esports industry and Riot’s plans, much like rival Activision Blizzard, to remodel its own esports league after major professional sports leagues like the NFL and NBA.

The following conversation has been edited and condensed for clarity.

Fortune: What are some of the big storylines fans will be following heading into the quarterfinals of the LoL World Championships this weekend?

Kennedy: Where to begin? We’ve got some great teams that have made it through. Lots of regions are still alive. You’ve got your defending champions, SK Telecom T1, where they always are, which is contending. But, you’ve got teams that are potentially going to give them a run for their money. I think if [Chinese team] Royal Never Give Up and SK Telecom T1 wind up meeting in the semifinals in Shanghai that could be incredible. Honestly, any of the match-ups with the teams we have right now are going to be really fun to watch, because they’ve all proven themselves to get to this stage. And, the competition just keeps getting better and better the deeper we get into the tournament. That’s one of the reasons that worlds is so compelling.

How has the media rights aspect of the esports business expanded in recent years for Riot?

I think what you’re seeing is the maturation of our sport. With esports, I wouldn’t say it’s entered the mainstream, but it is increasingly an option that marketers look to. And, that’s great for us, because what we’re trying to do is build up the overall ecosystem, and having those increases in revenue coming in on that side allows us to invest in the professional players, the teams, and it allows these players to make a career out of this in a really meaningful way.

That leads into the bigger question of the esports industry’s overall growth trajectory. What are the areas of business that you think are most ripe for increasing revenue in the industry?

There are lots of different pools of revenue. Big ones would include media rights, which not unlike the NFL, NBA, or the Premier League, media rights are a large driver. For some games, including ours, there’s in-game content, and that’s something that’s unique to esports, as opposed to stick-and-ball or traditional sports, where there’s an opportunity for teams to participate in some of the in-game revenue streams. I think those are probably the biggest ones, but we’re always on the lookout for new ways to engage with fans of our sport.

You used to work at Sony Pictures Television. Would it benefit esports to make that leap to being more of a presence on traditional TV networks?

We don’t feel the need to go to TV as a point of validation. We’ve found that a lot of our fans of this sport are online, they tend to consume digitally, and thus the BAMTech deal and some other things we’ve done—negotiations with Twitch, YouTube, etc.—is just to serve them where they are. But, we’re not looking to be on NBC at 8 p.m. on a Saturday broadcasting to all of America, because we don’t think that’s where our fans want to watch, and we think it would probably be casting too wide of a net.

Why model Riot Games’ North American League of Legends Championship Series league after major professional sports leagues with revenue-sharing and a players association?

We’ve always looked at professional sports, not because we want to model exactly what other sports do, but even when you’re attempting to innovate, sometimes there are things that already exist in the world that work really well and work for a reason, and we shouldn’t be afraid to use some of that. Our goal is to have sophisticated owners of teams that can operate at a high level, know how to build businesses, know how to build sports, and who aren’t going to be working against each other, but are going to be collaborating in the best interests of fans around the world.

Going back to your point about esports not yet being in the mainstream, what needs to happen to put esports on the same level as one of the major professional sports leagues?

It takes time to get to the scale of where major sports are today, and I don’t think we have any illusions that we’re going to be able to do that overnight. We do have the advantage of being a digital property that tends to grow faster and can grow more virally. Friends tend to bring their friends into the sport, we found. We’re looking to build the best ecosystem for our fans that we can and we hope that by doing that it will thrive and grow, and over time we’ll have a chance to be as big as some of the major sports that exist today. But our primary goal is delivering value to fans day in and day out. And, if we can do that, then the rest will take care of itself.


Equifax Deserves the Corporate Death Penalty

Equifax is in trouble. The credit reporting company failed to protect the personal financial data of as many as 143 million Americans. Equifax’s failure exposed not just names and addresses, but also Social Security numbers, birth dates, drivers’ license numbers, and credit card numbers. The Federal Trade Commission, Congress, and about 40 state attorneys general are investigating the data breach, and both the Massachusetts attorney general and the city of San Francisco are suing on behalf of residents whose information was compromised.

WIRED OPINION


Ron Fein (@ronfein) is the legal director of Free Speech for People, a national non-partisan nonprofit organization that advocates for democracy reform and corporate accountability.

That’s a start. But it’s not enough. Equifax’s failure calls for the corporate death penalty, through a rare but vital procedure called judicial dissolution.

Under the law of Georgia, where Equifax is incorporated, the state attorney general may file a lawsuit in state court to dissolve a corporation if the corporation “has continued to exceed or abuse the authority conferred upon it by law.” (All 50 states have similar provisions.) State attorneys general don’t invoke these corporate death penalty statutes often, especially not against large, well-known corporations. But Equifax could not have obtained its unusually important position in our economy without the privileges of a corporate charter conferred by law, and it has forfeited its claim to those privileges.

Equifax’s entire reason for existence is to collect and maintain private financial data about individuals who are not customers of the company. This isn’t like other data breaches, such as the 2012 credit card data breach at Barnes & Noble, or the 2015 hack of frequent-flyer account data at British Airways. Those breaches were bad. But they affected people who had chosen to do business with these companies by buying books or airplane trips. Most of the people whose data was compromised by Equifax’s lax security don’t even know that Equifax exists, let alone that it maintains their private financial data.

While there’s never an excuse for major companies to be sloppy with customer data, Barnes & Noble and British Airways aren’t in the business of securely storing private financial data. They’re in the businesses of selling books and flying airplanes. When a bookstore or airline doesn’t manage customer data well, then the company needs to compensate its customers for its negligence, accept its punishment, and reform. But when a company’s entire reason for being is managing individuals’ most sensitive private financial data, and it fails spectacularly, it should not be further entrusted with that important responsibility.

Equifax’s conduct after the breach has given little comfort. Before revealing the breach to the public, senior executives sold $2 million worth of stock. Meanwhile, after the breach was made public, Equifax offered consumers free credit monitoring—but tried to force them to accept a mandatory arbitration clause buried in the fine print.

In fact, Equifax wasn’t even competent enough to close the stable door after the horse had bolted. Over a week after the US breach was revealed, a small computer company in Milwaukee noticed that in one Equifax computer system based in South America, customer records could still be accessed by entering the username “admin” and the password … “admin.”

This is not the conduct of a company that deserves to continue to be entrusted with a critical role in our economy. State laws enable the creation of corporations because they are thought to confer a benefit on society. But not in this case. Equifax had one job, and it failed. More than half of American adults woke up one day to learn that a corporation that few had ever heard of had lost control of financial data that they never knowingly gave it.

Dissolving Equifax would not require putting innocent people out of work or demolishing its office buildings. Working with a court-appointed receiver, the Georgia attorney general could develop a plan to deconstruct Equifax’s current corporate structure. It could continue to operate and pay its staff and vendors while dissolution is pending in court, and legitimate business lines could operate successfully afterwards under new ownership.

Equifax’s core customer data business, meanwhile, has some assets that could be sold to competitors or other new owners. Some of the main so-called assets, however, are questionable: the private financial data, which the company can no longer be entrusted to maintain; the computer code that maintains and protects that data, which evidently is inadequate to the task; and the intangible value of Equifax as a going concern, known in accounting as “goodwill.” Dissolving the company would certainly eliminate any remaining goodwill. But frankly, Equifax doesn’t have much goodwill these days anyway.

To be fair, Georgia’s attorney general, Chris Carr, hasn’t ignored the Equifax breach. He signed a group letter to Equifax along with over 30 other state attorneys general, and joined the larger multi-state investigation. Yet Carr has been content simply to participate in a broader coalition, emphasizing his duty to protect Georgia’s consumers. That’s a start, but not the end. Because of his office’s unique oversight powers over Georgia corporations, Carr needs to ask larger questions—including whether Equifax’s abuse of its state-granted corporate powers justifies revoking its corporate charter.

A few years ago—starting soon after the Supreme Court’s 2010 Citizens United decision, which held that corporations have the same right as people to spend money to influence elections—a popular bumper sticker proclaimed, “I’ll believe corporations are people when Texas executes one.”

We shouldn’t use the corporate death penalty lightly. But at this point, Equifax has lost its justification for existence.

WIRED Opinion publishes pieces written by outside contributors and represents a wide range of viewpoints.


SoftBank's big checks are stalling tech IPOs

LAGUNA BEACH, Calif. (Reuters) – Big cash infusions for startups from an ever-expanding group of financiers, led by SoftBank Group Corp (9984.T) and Middle East sovereign wealth funds, have extinguished hopes that the technology IPO market would bounce back this year.

These deep-pocketed financiers, which have traditionally invested in the public markets but are seeking better returns from private tech companies, have enabled startups to raise more money, stay private longer and spurn the regulatory hassles of an IPO even as they become larger than many public companies.

At The Wall Street Journal D.Live conference this week in Southern California, a number of venture capitalists, entrepreneurs, IPO experts and dealmakers spoke with Reuters about the surprisingly low number of IPOs and pointed to investors such as SoftBank for changing the business of startup financing.

“It’s not surprising if these companies get 10 term sheets,” said Nicole Quinn, an investing partner with Lightspeed Venture Partners, referring to formal offers of investment.

The result is a protracted IPO slump that has contributed to a 50 percent drop in the number of U.S. public companies over the last two decades, according to the Nasdaq. IPOs have fallen especially precipitously since 2014 – the year public market investors, including mutual funds, ramped up investment in private tech companies.

There are some signs of a more active fall for IPOs. Tech companies Switch (SWCH.N), MongoDB (MDB.O) and Roku (ROKU.O) have gone public in the past few weeks, with debuts from ForeScout and Zscaler ahead.

CORRECTION AHEAD?

Yet many investors are bracing for a market tumble after a sustained rally, raising questions about IPO opportunities for 2018.

Just 12 venture capital-backed tech companies went public in the United States in the first three quarters this year, compared to 27 for the same time period in 2014, according to IPO investment adviser Renaissance Capital.

The drought continues even though both the Dow Jones Industrial Average (.DJI) and Nasdaq Composite (.IXIC) are up more than 26 percent in the last year and market volatility is low, normally ideal conditions for an IPO.

Wall Street stock indexes have posted a string of record highs in recent weeks, and the Dow closed above 23,000 for the first time on Wednesday.

But Barry Diller, a longtime dealmaker and chairman of InterActiveCorp and Expedia Inc (EXPE.O), said the huge funding rounds had eliminated the traditional reason for an IPO.

“There is no reason to be public unless you need capital, and almost all these companies do not need capital,” Diller said.

SOFTBANK-UBER DEAL EYED

Increasingly, the big checks are coming from SoftBank, which in May closed a $93 billion investment fund.

So far this year, it has announced at least 14 investments in technology companies globally, including a $500 million deal with fintech company Social Finance and a $3 billion investment in shared workspace company WeWork, both private and already worth billions of dollars.

SoftBank is in the next week expected to finalize a highly anticipated deal with Uber Technologies Inc [UBER.UL] in which it, along with other investors, would purchase as much as $10 billion in Uber shares, most of them from employees and existing investors in a so-called secondary offering.

“This is the third liquidity option,” said Larry Albukerk, who runs secondary market firm EB Exchange and spoke to Reuters by phone. “It used to be IPO or acquisition.”

SoftBank’s deals are causing venture capitalists to “prepare for more M&A exits,” and fewer IPOs over the long term, said Jenny Lee, managing partner at GGV Capital.

Meanwhile, Nasdaq’s private market business, set up in 2014, facilitated more than $1 billion in secondary market transactions last year, according to Bruce Aust, vice chairman of Nasdaq.

Secondary transactions allow employees and investors to get some cash by selling to other private investors, removing a significant pressure to go public.

The flood of private capital, and the lofty valuations that have come with it, have, paradoxically, created another reason for avoiding an IPO, said Chris Clapp, a managing director with consulting group MorganFranklin.

“Many times with my clients I don’t think they would achieve the same valuation in the public markets,” Clapp said in a phone interview.

Meal delivery company Blue Apron Holdings Inc (APRN.N) took a 27 percent haircut when it went public in June and software company Cloudera Inc (CLDR.N) lost 53 percent of its valuation in its April IPO.

Snap Inc (SNAP.N), the owner of messaging app Snapchat, is down more than 10 percent from its IPO price in March.

Reporting by Heather Somerville; editing by Jonathan Weber and G Crosse


To Survive the Streets, Self-Driving Cars Must Learn to Think Like Humans

Next time you’re driving down the road or walking down the street, pause to consider how you read your surroundings. How you pay extra attention to the kid kicking a soccer ball around her front lawn and the slightly wobbly, nervous looking cyclist. How you deprioritize the woman striding toward the street, knowing she’s heading for the group of friends waving to her from the sidewalk.

You make these calls by drawing on a lifetime of social and cultural experience so ingrained you hardly need to think about it. But imagine you’re an autonomous car trying to do the same thing, without that accumulated knowledge or the shared humanity that lets you read others’ nuanced behavioral cues. Treating every pedestrian, cyclist, and vehicle as an obstacle to be avoided might keep you from hitting anything, but it could just as easily keep you from getting anywhere.

“We call it the freezing robot problem,” says Anca Dragan, who studies autonomy in UC Berkeley’s electrical engineering and computer sciences department. “Anything the car could do is too risky, because there is some worst-case human action that would lead to a collision.”

Expect a thaw. Researchers like Dragan are tackling the challenges of interpreting—and predicting—human behavior to make self-driving cars safer and more efficient, but also more assertive. After all, if every machine screeches to a stop for every unpredictable human, we’ll soon have millions of terrified robots choking the streets.

To prevent the clog, those researchers are leaning on artificial intelligence and the ability to teach driving systems, through modeling and repetitive observation, what behaviors mean what, and how the system should react to them.


That begins with recognizing that people are not, in fact, obstacles. “Unlike, say, a tumbleweed moving along the street under the wind’s effect, people move because they make decisions,” Dragan says. “They want to do something, and they act to achieve it. We’re first looking into inferring what people want based on the actions they’ve been taking so far. So their actions are rational when seen from [that perspective], and would appear irrational when seen from the perspective of other intentions.”

Say a driver in the right lane of the freeway accelerates. The computer knows people should slow down as they approach exits, and can infer this person is likely to continue straight ahead instead of taking that upcoming off ramp. It’s a basic example that makes the point: Once computers can estimate what humans want and how they might achieve it, they can reasonably predict what they’ll do next, and react accordingly.

Machines en Scene

The key, even with machine learning, is to look beyond the individual elements of a scene. “It’s important to make strides there, but it’s only seeing part of what’s going on in a roadway setting,” says Melissa Cefkin, a design anthropologist at Nissan’s Silicon Valley R&D center. “We’re really good as human beings at recognizing certain kinds of behaviors that look one way to a machine, but in our social lens, it’s something else.”

Imagine you’re driving down a city block when you see a man walking toward the curb. The robot driver might calculate his speed and trajectory, determine he’s about to cross the street, and stop to avoid hitting him. But you see he’s holding car keys, and realize he’s stepping into the street to reach the driver’s side door of his parked car. You’ll slow down to be sure, but no need to stop traffic.

“The ways people move through the environment are already culturally and socially encoded,” Cefkin says. “It’s not always people-to-people interactions, but people interacting with things, too.”

Again, that’s a simple example. Cefkin points to what she calls the “multi-agent problem,” in which pedestrians and other drivers react to everyone around them. “If a pedestrian is going to cross in front of me, rather than looking at me they’re just as likely to look out into traffic for a gap,” Cefkin says. “So now I’m trying to figure out whether or not it’s safe to keep going based on what the rest of the traffic is going to do.”

Buying Time

If it seems the world is now headed for some sort of drivers-ed hellscape, don’t worry. Teaching AI-based autonomous systems to navigate the eternal weirdness of the human wilderness is tough, Cefkin says, but hardly impossible. In the Netherlands, where cities buzz with pedestrians and cyclists, researchers are doing the work. Dariu Gavrila, who researches intelligent vehicles at Delft University of Technology, is training computers for challenges like road debris, traffic police, and things as unusual as someone pushing a cart down the middle of the street. The goal, he says, is to develop a more adaptive driving style for the machines—and thus enhance social acceptance of the new hardware.

That work means factoring in the context around pedestrian traffic—proximity to curbs, the presence of driveways or public building entrances—and the norms of behavior in these environments. It extends all the way to individual movement, such as a person’s head looking one direction while their torso is pointing in another, and what that might mean. “Recognizing pedestrian intent can be a life saver,” Gavrila says. “We showed in real vehicle demonstration that an autonomous system can react up to one second faster than a human, without introducing false alarms.”


There are practical limits to what the computers can do, though. “This is no Minority Report,” Gavrila says—no one’s telling the future. “Uncertainty in future pedestrian or cyclist position rapidly increases with the prediction horizon, how many seconds in the future we’re trying to model. Basic behavior models already stop being useful after one second. More sophisticated behavior models might give us up to two seconds of predictability.”

Still, that second or two of warning might be all a computerized system needs, since it’s well within the scope of the human response times. But other autonomy experts think we might be setting our machines up to actually overthink every microsecond of driving.

“When you’re essentially trying to predict the future, that’s a massive computational task, and of course it just produces a probabilistic guess,” says Jack Weast, Intel’s chief systems architect for autonomous drive systems. “So rather than throw a supercomputer into every car, we just want to ensure that the car’s never going to hit any of those people anyway. It’s a much more economically scalable way of doing things.”

Getting Aggressive

There’s another wrinkle here. The ideal robocar won’t just comprehend its surroundings, it will understand how it itself changes the scene. Many robotic systems, Dragan says, come with a built-in flaw: Their makers assume the presence of an autonomous car won’t change how other actors move. “An autonomous car’s actions will influence human actions, whether we like it or not,” she says. “Cars need to start accounting for this influence.”

That’s why Dragan and her team have built a system that includes a model of human drivers’ responses to the car. “Our car is no longer ultra-defensive, because it knows it can trigger reactions from people, too,” she says. “Like other vehicles slowing down when our car merges in front of them. We’ve also looked at actively estimating human intentions, again by leveraging the autonomous car’s actions. In that case, our car might slow down gently to see if the person wants to be let in.”

That sort of assertiveness training will likely be key to traffic flow in the future. The key to a working robocar may be giving it not just human-like awareness, but a healthy dose of human-like entitlement.

Tech

Fed to step up focus on payment security with study, working groups: Fed's Powell

WASHINGTON (Reuters) – The U.S. Federal Reserve is stepping up its focus on payment security as the industry reaches a “critical juncture” driven by new technologies, Federal Reserve board governor Jerome Powell said on Wednesday.

Speaking at a conference in New York, Powell said the U.S. central bank would early next year launch a study analyzing payment security vulnerabilities and also planned to create new working groups focused on reducing the industry costs associated with securing payments.

“Rapidly changing technology is providing a historic opportunity to transform our daily lives, including the way we pay. Fintech firms and banks are embracing this change, as they strive to address consumer demands for more timely and convenient payments,” said Powell.

“It is essential, however, that this innovation not come at the cost of a safe and secure payment system that retains the confidence of its end users.”

The Fed does not have complete authority over the U.S. payment system, but it has led industry efforts to make it faster and easier to use. The central bank also leads the 160-member Secure Payments Task Force.

Powell’s comments underline growing concerns among financial market participants and regulators about the risks cyber thieves pose to the financial system following a series of recent incidents.

Last year, SWIFT, the global financial messaging system, disclosed it had suffered hacking attacks on its member banks including the high-profile $81 million heist at Bangladesh Bank.

During that incident, hackers broke into the computers of Bangladesh’s central bank and sent fake payment orders, tricking the Federal Reserve Bank of New York into transferring the funds.

Powell said on Wednesday new fintech payment companies posed “significant challenges to traditional banking business models” and that the payment system was reaching a “critical juncture.”

His comments echoed those of Barclays Chief Executive Officer Jes Staley who on Saturday warned payments would be the next battleground for banks amid increasing competition from fintech players and tech giants including Amazon and Facebook.

Reporting by Michelle Price; Editing by Chris Reese

Apple and GE team up on software to track power plants, machinery

(Reuters) – Apple Inc and General Electric Co say they are working together to make it easier to write software that can track power plants and jet engines on Apple’s iPhones and iPads.

The companies have come up with a tool for app developers to connect Apple’s iOS operating system more easily to Predix, the cloud-based software at the heart of GE’s effort to turn itself into a “digital industrial” company.

The Predix software connects sensor-laden industrial machines like wind turbines, jet engines and elevators to data centers, so that streams of information from the machines can be analyzed to help predict failures and make the machines run more cost effectively.

GE expects the software to help generate $12 billion in digital revenue by 2020, though it took a two-month “time-out” earlier this year to iron out technical problems.

Now with the help of the new software built with Apple, which GE plans to release on Oct. 26, more information from Predix will be available to the on-the-ground managers of factories and power plants who work most closely with GE’s equipment, said Kevin Ichhpurani, executive vice president of global ecosystem and channels at GE Digital.

For example, Ichhpurani said, a power plant manager might be debating the best time to take a generator offline for scheduled maintenance. With the Predix software, the manager can see data on the machine and could share notes and photographs from an iPad at the site of the generator and even start a video call.

“These decisions can be made at the power plant or on the factory floor, as opposed to being made at corporate,” Ichhpurani told Reuters in an interview.

As part of arrangements between the two companies, GE plans to make iPhones and iPads the standard mobile devices for its 330,000 employees and will also offer Mac desktop computers as a choice for them.

In return, Apple will help promote GE’s Predix software to Apple’s enterprise customers. Apple’s salespeople will be trained on Predix’s capabilities and will promote the software in sales situations alongside iOS devices, Susan Prescott, vice president of product market at Apple, told Reuters.

Over the past several years, Apple has courted business software firms such as Accenture PLC, International Business Machines Corp, Cisco Systems Inc, Deloitte and SAP SE in an effort to move business applications over to iOS devices and make them easier to use in corporate settings.

Reporting by Stephen Nellis; Editing by Leslie Adler

U.S. senator probes Pentagon on Russian source code reviews

WASHINGTON (Reuters) – A U.S. senator on Tuesday asked the Defense Department to explain how it manages the risks when it uses software that has been scrutinized by foreign governments, saying the practice may represent a national security threat.

Reuters reported earlier this month that Hewlett Packard Enterprise Co allowed a Russian defense agency to review the source code or inner workings of cyber defense software known as ArcSight, which is used by the Pentagon to guard its computer networks.

“HPE’s ArcSight system constitutes a significant element of the U.S. military’s cyber defenses,” Democratic Senator Jeanne Shaheen wrote in a letter to Defense Secretary James Mattis seen by Reuters.

Shaheen, a member of the Senate Armed Services Committee, said disclosure of ArcSight’s source code to the Russian agency presented an “opportunity to exploit a system used on [Defense Department] platforms.”

Shaheen questioned whether the Trump administration was pushing back on demands for source code from Russia and elsewhere that are imposed on U.S. companies as a condition for entry into foreign markets.

Such reviews highlight a quandary for U.S. technology companies, as they weigh U.S. cyber security protections while pursuing business with some of Washington’s adversaries, including Russia and China, according to security experts.

“I understand that individual businesses must make decisions weighing the risk of intellectual property disclosure against the opportunity of accessing significant overseas markets,” Shaheen wrote. “However, when such products undergird [Defense Department] cyber defenses, our national security may be at stake in these decisions.”

The Pentagon and HPE did not immediately respond to requests for comment about the letter.

Cyber security experts, former U.S. intelligence officials and former ArcSight employees said the review of ArcSight’s core instructions, also known as source code, could help Moscow discover weaknesses in the software, potentially helping hackers to blind the U.S. military to an attack.

HPE has said in the past that such reviews, by a Russian government-accredited testing company, have taken place for years at a research and development center it operates outside of Russia.

The software maker has also said it closely supervises the process and that no code is allowed to leave the premises, ensuring it does not compromise the safety of its products. A company spokeswoman said last week that no current HPE products have undergone Russian source code reviews.

HPE was spun off from Hewlett-Packard Inc as a separate software company in 2015.

Shaheen’s letter asked Mattis whether he foresaw risks associated with the disclosure of ArcSight’s code and whether the Pentagon was monitoring whether technology vendors share source code or “other sensitive technical data.”

She also asked how frequently vendors disclose the source code of products used by the Pentagon to foreign governments.

Shaheen recently led successful efforts in Congress to ban all government use of software provided by Moscow-based antivirus firm Kaspersky Lab, amid allegations the company is allied with Russian intelligence. Kaspersky vehemently denies such links.

Tech companies have been under increasing pressure to allow the Russian government to examine source code in exchange for approvals to sell products in Russia. While many Western firms have complied, some, including California-based cyber firm Symantec, have refused.

ArcSight was sold to British tech company Micro Focus International Plc in a deal completed in September.

The company said last week that while source code reviews were a common industry practice, it would restrict future reviews by “high-risk” governments and subject them to chief executive approval.

Reporting by Dustin Volz and Joel Schectman; Editing by Jonathan Weber and Tom Brown

Synchronoss to sell unit to Siris Capital for $1 billion

(Reuters) – Software maker Synchronoss Technologies Inc said private equity firm Siris Capital Partners would buy its Intralinks Holding unit in a deal worth about $1 billion.

Siris, Synchronoss’ top shareholder, will also invest $185 million in the company in the form of convertible preferred equity.

Reporting by Supantha Mukherjee in Bengaluru; Editing by Anil D’Silva

Apple Considered Buying Medical Startup Crossover Health

According to a new report on Apple’s healthcare push.

Apple’s push into healthcare may have included buying a popular startup that runs on-site medical clinics for companies.

The consumer technology giant spent several months discussing whether to buy Crossover Health, but eventually no deal was reached, according to a CNBC report published Monday that cites unnamed sources.

The report didn’t say why the deal fell through, but said it was intended to help the company possibly expand into primary care. Apple also approached the nationwide primary care group One Medical for some sort of deal, according to CNBC, but it’s unclear what the deal was intended to be.

Crossover Health operates four in-person clinics in Silicon Valley and one clinic in New York City, according to its website. The startup also maintains on-site health centers for companies like Facebook and Apple that offer a variety of services like primary and urgent care and physical therapy.

A Fortune story published in 2015 about Silicon Valley health initiatives described Apple’s Crossover center “as more of an Apple Store than a doctor’s office,” regarding the center’s decor and environment.

Apple CEO Tim Cook recently told Fortune that Apple is “extremely interested” in healthcare and sees it as a “business opportunity.”

“If you look at it, medical health activity is the largest or second-largest component of the economy, depending on which country in the world you’re dealing with,” Cook said.

ResearchKit, Apple’s medical tool for developers and another Apple health initiative, was recently used to help gather data for a study on asthma and health. One of the Mount Sinai researchers who worked on the study said that ResearchKit was “particularly suitable for studies of short duration that require rapid enrollment across diverse geographical locations, frequent data collection, and real-time feedback to participants.”
