In 2020, Lyft and Uber picked up more essential workers who can’t work remotely

Before the COVID-19 pandemic, the typical Uber and Lyft rider was a younger, urban-dwelling, high-income worker who would use the ride-hailing apps to go to the office, or to the movies, or to a show, and then to go out drinking.

But with events, offices, bars, restaurants, and more effectively closed, the “loyal base” — as these riders are called — has stayed away from the ride-hailing apps. While the apps are struggling to catch up to pre-pandemic ridership levels almost a year later, a new group of riders is on these platforms.

Lyft reported in its latest annual economic impact report that the 14 percent of riders who used Lyft more during the COVID-19 pandemic were more likely to be minority women working essential jobs than the riders who stopped using Lyft.

Those riders, according to the report, were also less likely to have a college degree and more likely to have a lower income. This group was almost three times as likely to be an essential worker. Lyft considers essential jobs to include firefighters, nurses, EMTs, law enforcement officers, postal and delivery workers, grocery workers, and pharmacy workers. This is in-person work that can’t be done on Zoom.

Likewise, during Uber’s latest earnings call, CEO Dara Khosrowshahi spoke about a “new customer acquisition” in a jargon-heavy explanation for why ridership hasn’t completely fallen off and will rebound. It’s because of new riders using the app instead of other options like public transit or taxis. These new riders are more “price-sensitive” than the previous loyal base, he said. They are riders who can’t work remotely like Uber’s usual customers.

ValuePenguin, a financial data firm owned by Lending Tree, found in a review of 110,000 transactions that Americans spent 69 percent less on car services in 2020 compared to 2019. Again, the usual ride-share users weren’t patronizing those platforms like they used to. 

The Uber CEO framed this pandemic-induced shift as a good thing even once the pandemic subsides, since “we’ll have a bunch of new customers who have switched over from other forms of transportation, and then we’ll have our loyal base coming back as well.”

But Khosrowshahi is betting on workers who used to take public transit to continue to pay more for a private ride even after the public health and safety threat drops. 

Both Lyft and Uber have suspended cheaper carpooling options on the apps to make rides safer with fewer people in a small space during the health crisis. But that means many of these new riders are being forced to pay more to ensure a safe trip to and from work.

Clubhouse will issue security update over Chinese data-sharing concerns

Clubhouse was never officially released in China, and it was banned there just days ago, but the app’s creators are still nervous enough to take action.

Sometime during the long U.S. holiday weekend, developer Alpha Exploration Co. will make backend changes that will boost the service’s encryption and prevent user ID pings from being routed through servers in China. The Clubhouse dev also pledged to have “an external data security firm…review and validate these changes.”

The move follows a detailed report from the Stanford Internet Observatory (SIO) revealing the audio chat app’s previously unreported links to a tech interest in China. Agora is a “video, voice and live interactive streaming platform” that provides backend services to Clubhouse — namely hosting and piping the app’s raw audio across the internet.

This is particularly worrisome, as the SIO notes, because “a user’s unique Clubhouse ID number and chatroom ID are transmitted in plaintext, and Agora would likely have access to users’ raw audio.” Imagine a Chinese citizen hosts a chat on a provocative subject, and the accompanying data is subsequently able to connect the user and Clubhouse ID to audio from the chat.

Agora is jointly headquartered in the U.S. and China, which means the company is subject to the latter’s restrictive cybersecurity law requiring it to provide aid in any criminal or national security investigation. And although Agora claims that it doesn’t store any audio or user data, there are genuine concerns about data privacy when it comes to Chinese companies.

The specifics here get fairly technical, but Clubhouse does store user audio temporarily for trust and safety investigations. That audio is stored in the U.S. — which effectively puts it outside the Chinese government’s reach — but it could still be at risk if an outside partner, such as, say, Agora, held the audio somewhere inside China.

As a result of SIO’s thorough investigation, which you should definitely read through for more specifics, Clubhouse is going to see some backend changes. The report ends with a statement from Alpha Exploration running through the plans.

“With the help of researchers at the Stanford Internet Observatory, we have identified a few areas where we can further strengthen our data protection,” the statement reads, going on to explain the changes described at the outset of this story. “We welcome collaboration with the security and privacy community as we continue to grow.”

As we reported earlier in the week, it’s not clear exactly what earned Clubhouse an official ban in China. There’s probably no single reason. Although the app was never released there, as Alpha Exploration explained in its SIO statement, people in China found workarounds that allowed them to get online. 

h/t Engadget

Amazon’s driver monitoring app is an invasive nightmare

Amazon’s app for monitoring drivers while they are in delivery vehicles is called “Mentor,” but it doesn’t seem to be helping those workers.

A CNBC report about the tracking app comes after Amazon confirmed on Feb. 3 that it is using AI cameras in vans to monitor driver behavior and flag any safety issues. Those cameras are used on top of the separate driver safety app. The app is tracking the driver at all times either on an Amazon-provided device or on drivers’ personal cellphones. 

Mentor is made by eDriving, which describes the app on its website as a “smartphone-based solution that collects and analyzes driver behaviors most predictive of crash risk and helps remediate risky behavior by providing engaging, interactive micro-training modules delivered directly to the driver in the smartphone app.”

But CNBC talked to drivers who said the app mostly invades their privacy or miscalculates dangerous driving behavior. One driver said that even though he didn’t answer a ringing phone, the app docked points for using a phone while driving. Another worker was flagged for distracted driving at every delivery stop she made. The incorrect tracking has real consequences, ranging from restricted payouts and bonuses to job loss.

The app gives a safety score which is used to rank drivers and compare them to colleagues. The App Store description calls this “a little friendly competition!” The app also tracks braking, acceleration, cornering, speeding, and distraction. CNBC reported that seatbelt use is another factor for the safety score. 

Drivers have come up with creative workarounds to appease the Mentor app, which often interprets any movement as a sign of distracted driving. Reddit and other online forums, as well as YouTube videos, give advice on how to keep your Mentor score high while doing your job. Being forced to game an app instead of focusing on the task of driving and getting packages delivered sure sounds safe.

A look at Amazon’s leaked Ring Video Doorbell Pro 2: 3D motion detection and more

Amazon is back at it again with a new Ring doorbell, and the latest model is raising the bar.

On Friday, The Verge reported that the Ring Wi-Fi Video Doorbell Pro 2 leaked in a listing at Best Buy Canada. The new doorbell listing, which was spotted by ZatzNotFunny, has since been removed from the site (cached here), but not before the product details and description were noted. 

A look at Best Buy Canada’s Ring Wi-Fi Video Doorbell Pro 2 listing.

The Ring Wi-Fi Video Doorbell Pro 2 listing featured a release date of March 31, 2021, and a set price of $324.99 (approximately $250.00 in the United States). According to the product overview, the new Ring home security device will be “Equipped with HD video, 3D motion detection, and 2-way talk features” and “[i]t even has Alexa greetings built right in that conveniently answer the door for you.”

The device will also feature an “expanded Head to Toe View” that will let users get a fuller picture of who’s ringing their doorbells, along with customizable privacy settings and more.

It remains unclear if the product will actually be released by the end of March, but at least now Ring fans have a new product to fantasize about.

A Facebook smartwatch? It could be coming for your health data in 2022.

Facebook, the social media company that definitely cares a lot about user data, is reportedly developing a smartwatch.

The rumored wearable, which the company would look to release in 2022, was first reported by The Information (note: this is paywalled), citing “people with direct knowledge of the device.” In addition to health and fitness features, the smartwatch would of course give users wrist-mounted access to Facebook services, such as Messenger.

The rumored device, powered by an open source version of Android, would support cellular connections, meaning users wouldn’t be required to pair it with a smartphone. It would also be able to connect directly with other health and fitness-focused products, such as Peloton Interactive.

The big draw for a Facebook smartwatch, as the company sees it, is giving users the ability to directly link their fitness activities with one of the prevalent online social spaces in their lives. Being able to track and compare workouts with friends or speak with trainers directly is a lot more exciting when it plugs directly into your existing social profile.

The tradeoff, of course, is all of this filtering through Facebook, which provides the company with a new vector for collecting data on its users. Such links haven’t historically been popular with users, given the history of improper data collection. We saw this play out recently in the backlash that ensued after the announcement that, by 2023, Oculus VR users would have to use a Facebook account.

Fitness services like Supernatural have proven that there’s a segment of the regularly exercising public that likes to have, and is even motivated by, social connections in their fitness regimen. But is that enough of a draw to overcome the misgivings held by many when it comes to forking over more personal information to Facebook?

It remains to be seen. The smartwatch effort is described in The Information’s report as being “far along,” but not so close to release that plans can’t change. Facebook could still scuttle the whole effort. Though, as the same report notes, citing a comment from CTO Mike Schroepfer during a December all-hands meeting, the company sees a bright future for itself in wearables.

A Billion-Dollar Dark Web Crime Lord Calls It Quits

Just over a week ago, an employee at a water treatment plant in Oldsmar, Florida noticed that the mouse on his screen started moving seemingly on its own. Soon it was clicking through controls, raising the level of lye in the water supply from 100 parts per million to 1,100ppm, enough to cause serious damage to human tissue. Fortunately, the employee moved quickly to revert things to normal levels. It’s still unclear who was behind this dramatic hack, and it’s a sober reminder of how exposed so many industrial systems remain despite years of warnings.

Facebook also seems to have ignored warnings about the proliferation of Covid-19 scams on its platform; researchers this week exposed multiple scams they found on both the social media network and the messaging service Telegram.

Cyberpunk 2077 developer CD Projekt Red had already been battered by players frustrated with the game’s rampant bugs and poor gameplay on legacy consoles. This week it disclosed that ransomware was recently added to its list of woes, as a hacker group claimed to have stolen internal documents as well as source code for its most popular games. CD Projekt Red said it would not pay the ransom.

Microsoft finally patched a vulnerability that was first introduced into its Windows Defender antivirus product—renamed Microsoft Defender last year—at least 12 years ago. A barcode scanner app started serving up adware to its millions of users after an update in December. And be sure to read the third installment of 2034, the fictional tale of an all too real-sounding future war with China.

And there’s more! Each week we round up all the news we didn’t cover in depth. Click on the headlines to read the full stories. And stay safe out there.

Since 2014, if you were in the market for a stolen credit card or identity on the dark web—or until recently out in the open—the Joker’s Stash has been your one-stop shop. According to analysis by blockchain analysis firm Elliptic, the operator of Joker’s Stash announced that they would close up shop this month after taking in what Elliptic pegs at over a billion dollars of cryptocurrency during their run. (It’s unclear whether JokerStash, the account that runs the marketplace, is an individual or a group.)

In October 2018, Bloomberg published “The Big Hack,” an incendiary account of how China had implanted tiny microchips on motherboards from US-based Supermicro to infiltrate dozens of companies, including Apple and Amazon. Everyone implicated in that story offered vociferous denials, and outside security experts were highly dubious. This week, Bloomberg came back with a fresh round of reporting, including several law enforcement types speaking on the record about the claims. It was still not enough, though, to appease most skeptics.

Facebook has been insistent—chief operating officer Sheryl Sandberg in particular—that the bulk of the planning for the Capitol riots happened on platforms other than its own. Court documents refute that claim, Forbes found, with Facebook garnering far more references than any other social media site. The actual uses varied, with many alleged rioters using Facebook to livestream the chaos, but clearly it had more of a role in events than it has come to terms with.

Apple continues its privacy push, this time adding a feature to its Safari browser that sends all of your traffic through its own proxy servers, effectively hiding your IP address from Google when you’re in Safe Browsing mode. It shouldn’t affect your experience in practice, or limit the effectiveness of Google’s protective feature. It just gives Mountain View a little smaller slice of data about your journey across the internet.

Prosecutor charges former phone company employee in SIM-swap scheme

A former phone company worker has been charged with conspiracy to commit fraud for allegedly using his access to customer account data to take over the phone numbers of 19 customers, including at least one cryptocurrency holder.

Stephen Daniel DeFiore of Brandon, Florida, received about $2,325 between October 20, 2018, and November 9, 2018 in exchange for swapping the targeted customers’ SIM cards with ones belonging to a co-conspirator, prosecutors in New Orleans said earlier this week. For each SIM swap, the co-conspirator sent DeFiore the customer’s phone number, a four-digit PIN, and a SIM card number to which that phone number was to be swapped, prosecutors said.

The charges come eight months after federal prosecutors charged Richard Yuan Li of Hercules, California, with conspiracy to commit fraud for his alleged role in a SIM swap scam that targeted at least twenty people. Li was in possession of an iPhone 8 to which the number of at least one of DeFiore’s victims was routed, prosecutors said.

The alleged victim was a New Orleans-area medical doctor with cryptocurrency accounts at exchanges including Binance, Bittrex, Coinbase, Gemini, Poloniex, ItBit, and Neo Wallet. Li and his co-conspirators then allegedly accessed the physician’s email and cryptocurrency accounts and stole a “significant portion” of the victim’s holdings.

Prosecutors went on to allege that even after the doctor recovered the phone account, Li or one of his co-conspirators called the doctor to say he had viewed images in the doctor’s Gmail account and balances in the doctor’s cryptocurrency accounts. The caller then demanded 100 bitcoins, worth about $640,000 at the time, in exchange for not publishing the photos or stealing the cryptocurrency.

Prosecutors didn’t identify the phone company DeFiore worked for, but this LinkedIn profile lists a Stephen DiFiore who works as a Verizon customer service representative in Brandon, Florida. Verizon representatives didn’t immediately respond to an email seeking comment for this story. Attempts to reach DeFiore weren’t successful.


This week’s charges come as so-called SIM swapping crimes continue to proliferate, motivated in large part by criminals’ attempts to obtain large amounts of cryptocurrency held in online accounts. Once a perpetrator gains control over a victim’s phone account, the perp typically uses that access to complete account resets for email accounts and from there resets passwords for other accounts.

If convicted, DeFiore faces a maximum of five years in prison and a fine of up to $250,000. Earlier this week, European officials announced the arrests of 10 individuals in connection with a series of SIM-swapping attacks that reaped more than $100 million.

Scientists Can Literally Become Allergic to Their Research

This story originally appeared on Undark and is part of the Climate Desk collaboration.

Bryan Fry’s heart was pounding as he stepped back from the snake enclosure and examined the bite marks on his hand. He had just been bitten by a death adder, one of Australia’s most venomous snakes. Its neurotoxin-laced bite could cause vomiting, paralysis and—as the name suggests—death.

Fry, at the time a graduate student, had kept snakes for years. Oddly, the neurotoxins weren’t his biggest worry; the nearby hospital would have the antivenom he needed, and, although data is limited, people who receive treatment generally survive. Anaphylactic shock, on the other hand, might kill him within minutes.

“Anaphylactic shock is the single worst feeling you can possibly imagine,” recalled Fry, now a biologist at the University of Queensland in Australia. “It is just insane. Every cell in your body is screaming out in mortal terror.”

Fry, who had spent his life admiring and eventually studying venomous snakes, had become deathly allergic to them.

While most cases are not so extreme, anecdotal reports and expert analysis suggest that it is far from rare for scientists, students, and laboratory technicians to develop allergies to the organisms they study. Perversely, some allergy researchers say, it is the researchers’ passion for their subjects—the close observation, the long hours of work each day, and the years of commitment to a research project—that puts them at such high risk.

“It is true that some things cause allergies more often than others, but the biggest factor is the frequency of the interaction with the study organism,” said John Carlson, a physician and researcher at Tulane University who specializes in insect and dust mite allergies. “You probably have about a 30 percent chance of developing an allergy to whatever it is that you study.” While data is limited, that estimate is in line with research on occupational allergies, which studies suggest occur in as many as 44 percent of people who work with laboratory rodents, around 40 percent of veterinarians, and 25 to 60 percent of people who work with insects.

Federal guidelines suggest that laboratories have “well-designed air-handling systems” and that workers don appropriate personal protective equipment, or PPE, to reduce the risk of developing an allergy. However, interviews with researchers and experts suggest that there may be little awareness of—or adherence to—guidelines like these. For scientists working with less common species and those engaged in fieldwork, information on what exactly constitutes appropriate PPE may be very limited.

Many researchers, perhaps especially those who do fieldwork, are used to being uncomfortable in service of their work, Carlson points out. “I think that a lot of researchers are so interested in the process of the research,” he said, “that they aren’t really considering the long-term effects that it could have on them.”

In general, allergies develop when the immune system overreacts to a substance that is usually harmless, or relatively harmless. The immune system monitors the body for potentially dangerous invaders like bacteria, fungi, and viruses. Sometimes, for reasons that are not well understood, the immune system identifies something benign, like pollen or animal dander, as dangerous. To help mark the intruder, a person who has become sensitized in this way produces antibodies, or types of proteins, to identify it.

When that person comes into contact with the substance again, the antibodies flag it as an invader. As part of the response, immune cells release compounds like histamine, which irritate and inflame the surrounding tissues, resulting in allergy symptoms.

Although some risk factors have been identified, researchers who study allergies are often unable to determine exactly why this overreaction occurs in some people but not others. But it’s clear that, for some substances, repeated exposures can increase the likelihood of an allergic response.

While anecdotes of allergic scientists abound, research into the issue is scant. The best documented are allergies to rodents, which are ubiquitous in biomedical research. But some scientists report allergies that are almost completely unstudied, potentially because relatively few people—at least in the wealthy nations where many allergy studies are conducted—regularly come into contact with the organisms that cause them.

For example, while most people avoid regular contact with leeches, University of Toronto doctoral student Danielle de Carle goes out looking for them. De Carle studies leech genetics in order to figure out how different species are related to one another and to understand how blood feeding evolved. To study the leeches, she first has to catch them, and like other researchers in her field, she uses her own body as bait.

“We wade into swamps and stuff, and we let them attach to us and feed from us,” she said. For most people, leech bites are relatively painless. When de Carle needed to keep the leeches alive in the lab, she would let them feed on her then as well.

After about a year and a half of this, she started to notice symptoms. At first, the bites became itchy, but the more she was exposed, the worse it got. “The last time I fed a leech—which I try not to do anymore—my entire hand swelled up so much that I could hardly make a fist,” she said. “It itched like crazy.” De Carle said that when she’s out hunting leeches now, she can avoid an allergic reaction if she removes the leech after it attaches itself to her but before it starts to feed. For the leeches she keeps in the lab, she’s switched to feeding them pig’s blood from a butcher shop instead of letting them feed on her.

Nia Walker, a PhD student in biology at Stanford University, has also begun reacting to her research organism. Walker studies how genetics influence coral bleaching resistance and recovery. She began to notice rashes on her hands during her third trip to conduct fieldwork on corals in Palau, an island nation in the South Pacific. “And then each subsequent trip after that, it got more and more extreme,” she said. “It got to the point where my face would bloat and I’d get welts on my hands from touching them.”

While her symptoms are especially intense, Walker said she’s not the only member of her lab who has developed a sensitivity. By now, she said, everyone in the lab has “developed a slight irritation to corals.” Walker has been able to manage her allergy by using protective equipment and over-the-counter antihistamines. “It’s sad,” she said, “but it’s also pretty funny.”

Sometimes, allergies that scientists have picked up during lab work can spill over into daily life. More than a decade ago, evolutionary biologist Karl Grieshop worked in a fruit fly lab in which bananas were a key part of the flies’ diet. Ever since, he said, his throat gets itchy every time he eats a banana. Jon Giddens, a doctoral student in plant biology at the University of Oklahoma, said that he didn’t have any allergies before he started studying Eastern red cedar, a small evergreen tree that is widespread in some regions of the country. But now, even though it’s been more than a year since he last worked with the species in the field, he has year-round nasal allergy symptoms—he thinks from the red cedar pollen in the air.

Likewise, Brechann McGoey, who received her doctorate in ecology and evolutionary biology from the University of Toronto, said she didn’t experience hay fever before she started her graduate work. But after repeated exposure to ragweed pollen during experiments, she developed symptoms like postnasal drip and a persistent cough. Even though she no longer works with the species, she still gets hay fever every fall during ragweed season. “It’s a souvenir from my PhD,” she joked.

Reflecting previous research on occupational allergies in veterinarians, most of the researchers who spoke with Undark did not seek medical attention or get a formal diagnosis for their allergies.

In many cases, scientists report that their allergies are annoying but manageable. But sometimes the allergies force researchers to make major changes.

Entomologist Chip Taylor began his career studying sulphur butterflies as a PhD student at the University of Connecticut. When he started his own lab at the University of Kansas in 1969, he had every intention of continuing to work with the species. But, he said, “by the time it rolled around to 1973, I realized I was so allergic to these butterflies.” Taylor began to experience asthma-like symptoms whenever he worked with them.

In the summer of that year, during a research trip to central Arizona, Taylor and a colleague rented a trailer to use as a workstation to process butterfly wing samples. “I could not go in the trailer,” he recalled. “I slept outside with my back up against a tree so my sinuses and my throat could drain.” To manage his symptoms, he was regularly taking prednisone, a powerful anti-inflammatory drug that can have serious side effects. “I decided that I had to get out of working with those butterflies,” Taylor said. “I had to readjust my career to work on something else.”

Taylor spent the next few decades studying killer bees. He returned to butterfly research in 1992, when he started the monarch butterfly conservation program Monarch Watch. Taylor said he’s never experienced any symptoms while working with monarchs—maybe, he guesses, because the two species produce different types of pigments.

Fry, the biologist who became allergic to snake venom, also said his allergy has shaped his career. The venoms of different snake species share similar components, Fry said, so someone who is allergic to one type of snake is likely allergic to many types. Because of this allergy, Fry also has to be extremely careful even around venomous snakes that are usually not dangerous to humans.

“Whenever I work with these animals now, I look like I’m going into the Hurt Locker,” he said, referencing the Oscar-winning movie about US Army specialists who defused bombs in Iraq. “So, of course, in the tropical sun I’m absolutely melting.” Those limitations, he said, have made working with snakes less enjoyable. “I can’t just blithely interact with these animals that I find so absolutely fascinating, knowing that death is just around the corner at any given moment, even from a snake that normally wouldn’t be a medical problem.”

Fry survived his encounter with the death adder thanks to a snakebite kit containing injectable adrenaline and antihistamines, as well as a quick-thinking friend who raced him to the hospital. The allergy, he said, has caused him to redirect much of his research to studying venoms in other animals, including Komodo dragons, slow lorises (the world’s only venomous primates), funnel-web spiders, and box jellyfish. “I’ve managed to turn it into a good thing,” he said, “but it’s been nevertheless very frustrating.”

Allergy experts say that reducing exposure is the key to preventing allergy development. Exactly how much the exposure needs to be reduced is less clear, and increasing protection may be costly for institutions and inconvenient for researchers.

Some laboratories that use mice and rats have equipment and policies designed to reduce exposure to allergens. These labs install ventilation systems for the cages, use a robotic system to clean them out, house fewer animals per room, and provide an area for workers to change out of allergen-contaminated clothing. PPE such as masks, gloves, and gowns can also help researchers reduce their exposure.

But actually applying those preventative measures can be challenging, said Johanna Feary, who studies occupational lung disease as a senior clinical research fellow at Imperial College London.

In 2019, Feary and several colleagues published a study of seven research institutions in the United Kingdom that performed research on mice. They found that facilities that used individually ventilated cages, instead of open cages, had dramatically lower airborne allergen levels. But even that was not sufficient to prevent technicians from becoming sensitized to mouse allergens. The facilities with the lowest levels of sensitization were those where workers also wore properly fitted masks. The research, she said, demonstrated that, at least in the UK, the development of allergies to lab animals “is probably preventable in almost all cases.”

But Feary said that lab animal allergies continue to be a problem for many people. “We should be getting better at it,” she said. “I’m not sure we are getting better at it.” The main reason, according to Feary, is that it can be costly to install equipment that reduces allergen exposure, such as robotic cage cleaners, especially if it requires renovating older facilities.

It’s also hard to accurately assess the magnitude of the problem, she said, especially given that conditions and practices differ widely around the world. While well-run facilities will monitor workers’ exposure and health, “at the other end of the scale, you have filthy places with poor health and safety,” she said, where recordkeeping is patchy and people who develop allergies may simply feel compelled to seek work elsewhere. “So, it may look like everything’s fine, and nobody’s got any symptoms, but actually all the sick people have left,” Feary said.

It may also be the case that only the best-run facilities will report their data, she said, while the rest will simply not engage. Indeed, several years ago, when a group of Duke University researchers attempted a nationwide survey of the incidence of anaphylaxis associated with lab-animal bites in the US, only 16 percent of facilities even responded.

And with less well-studied allergies, there’s simply little information available regarding prevalence and what sorts of protections are sufficient to prevent their development. Several scientists living with allergies, though, said they think that more information and awareness could help increase the number of scientists taking precautions in their research.

Fry said there is more awareness of snake venom allergy than there was when he started formally studying snakes in the late 1990s. But, he added, “it’s still not as well known as it should be.” Researchers in the field, he wrote in a follow-up email, can be reticent to talk about venom allergies. But, he said, “I’m quite candid about it, because, you know, this is life-saving information.”

Walker, the coral biologist, said more research on allergies among researchers would be helpful. “A lot of these things can be addressed if you knew to look out for it,” she said.

Early-career scientists generally receive thorough training on proper handling of biohazards and harmful chemicals. Institutions often provide extensive safety plans for fieldwork to help researchers prepare for the various risks involved, from dehydration to hypothermia to bear attacks. But scientists may learn little about the potential for developing allergies to seemingly harmless organisms.

“I feel like maybe there’s a bit too much of a casual attitude about protective gear,” said McGoey, who developed an allergy after doing research on ragweed. “Maybe especially if you’re working with a plant or animal, where it’s like a natural thing, and you’re not in the lab with a chemical, maybe people are just not careful enough.”

“As silly as it sounds, just maybe having more emphasis on using PPE and the consequences of not doing it would be kind of nice,” said de Carle, the leech researcher. “It can be really easy to just think, like, ‘Oh, I don’t really need to wear gloves; I’m just touching flowers or whatever.’”

Carlson, the allergist, said that even well-informed researchers can get caught up in their enthusiasm for the work and rationalize not taking the proper precautions.

In 2009, Carlson worked on a project that involved collecting data on house dust mites, microscopic arthropods that cause nasal and respiratory issues in millions of people worldwide. Despite his expertise, he neglected PPE. “I know all this,” he said. “I know I should be wearing a mask, but it’s hot, and it’s sweaty, and I don’t have a boss telling me what to do.” As he worked, he developed a runny nose and itchy eyes—the first steps toward a full-fledged allergy. “I pushed through and I ended up hyper-sensitizing myself,” Carlson said, to the point that even getting down on the ground to play with his then young children made him “absolutely miserable.”

Carlson is saddened thinking about those scientists who have to give up the work they love due to allergies. “I really do feel for these folks doing their work and developing an allergy,” he said. “The more we get the word out there, the better.”

A Windows Defender vulnerability lurked undetected for 12 years

Just because a vulnerability is old doesn’t mean it’s not useful. Whether it’s Adobe Flash hacking or the EternalBlue exploit for Windows, some methods are just too good for attackers to abandon, even if they’re years past their prime. But a critical 12-year-old bug in Microsoft’s ubiquitous Windows Defender antivirus was seemingly overlooked by attackers and defenders alike until recently. Now that Microsoft has finally patched it, the key is to make sure hackers don’t try to make up for lost time.

The flaw, discovered by researchers at the security firm SentinelOne, showed up in a driver that Windows Defender—renamed Microsoft Defender last year—uses to delete the invasive files and infrastructure that malware can create. When the driver removes a malicious file, it replaces it with a new, benign one as a sort of placeholder during remediation. But the researchers discovered that the system doesn’t specifically verify that new file. As a result, an attacker could insert strategic system links that direct the driver to overwrite the wrong file or even run malicious code.

Windows Defender would be endlessly useful to attackers for such a manipulation, because it ships with Windows by default and is therefore present in hundreds of millions of computers and servers around the world. The antivirus program is also highly trusted within the operating system, and the vulnerable driver is cryptographically signed by Microsoft to prove its legitimacy. In practice, an attacker exploiting the flaw could delete crucial software or data, or even direct the driver to run their own code to take over the device.
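The link-following bug class described above, shown as an added example that is not SentinelOne's or Microsoft's code and does not model the real driver: a remediation step (delete the flagged file, then write a benign placeholder at the same path) is simulated in a temporary directory, with a naive placeholder write beside a hardened one that refuses to follow whatever has been planted at the path. All file names and contents are constructed for the demonstration.

```python
import os
import stat
import tempfile

PLACEHOLDER = b"[removed by remediation]\n"  # benign stand-in content

def write_placeholder_unsafe(path: str) -> None:
    # Vulnerable pattern: open() follows whatever is now at `path`,
    # so a link planted there redirects the write to another file.
    with open(path, "wb") as f:
        f.write(PLACEHOLDER)

def write_placeholder_safe(path: str) -> None:
    # Hardened pattern: O_EXCL fails if anything (a link included) already
    # exists at `path`; O_NOFOLLOW, where the OS has it, refuses symlinks;
    # fstat confirms we hold a fresh regular file with a single link.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            raise OSError("unexpected object at placeholder path")
        os.write(fd, PLACEHOLDER)
    finally:
        os.close(fd)

def demo() -> dict:
    # Constructed scenario: flagged file removed (step 1), a symlink to an
    # unrelated protected file planted in the race window, placeholder written (step 2).
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, writer in (("unsafe", write_placeholder_unsafe),
                             ("safe", write_placeholder_safe)):
            protected = os.path.join(d, f"protected_{name}.dat")
            flagged = os.path.join(d, f"flagged_{name}.bin")
            with open(protected, "wb") as f:
                f.write(b"important data\n")
            with open(flagged, "wb") as f:
                f.write(b"malicious content\n")
            os.remove(flagged)              # step 1: delete the flagged file
            os.symlink(protected, flagged)  # planted during the race window
            try:
                writer(flagged)             # step 2: drop the placeholder
                results[f"{name}_refused"] = False
            except OSError:
                results[f"{name}_refused"] = True
            with open(protected, "rb") as f:
                results[f"{name}_protected_intact"] = f.read() == b"important data\n"
    return results
```

The naive writer silently overwrites the protected file; the hardened writer fails closed, which is the behaviour a remediation routine running with high privileges needs.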

“This bug allows privilege escalation,” says Kasif Dekel, senior security researcher at SentinelOne. “Software that’s running under low privileges can elevate to administrative privileges and compromise the machine.”

SentinelOne first reported the bug to Microsoft in mid-November, and the company released a patch on Tuesday. Microsoft rated the vulnerability as a “high” risk, though there are important caveats. The vulnerability can only be exploited when an attacker already has access—remote or physical—to a target device. This means it isn’t a one-stop shop for hackers and would need to be deployed alongside other exploits in most attack scenarios. But it would still be an appealing target for hackers who already have that access. An attacker could take advantage of having compromised any Windows machine to bore deeper into a network or victim’s device without having to first gain access to privileged user accounts, like those of administrators.

SentinelOne and Microsoft agree there is no evidence that the flaw was discovered and exploited prior to the researchers’ analysis. And SentinelOne is withholding specifics on how the attackers could leverage the flaw to give Microsoft’s patch time to proliferate. Now that the findings are public, though, it’s only a matter of time before bad actors figure out how to take advantage. A Microsoft spokesperson noted that anyone who installed the February 9 patch, or has auto-updates enabled, is now protected.

An eternity

In the world of mainstream operating systems, a dozen years is a long time for a bad vulnerability to hide. And the researchers say that it may have been present in Windows for even longer, but their investigation was limited by how long the security tool VirusTotal stores information on antivirus products. In 2009, Windows Vista was replaced by Windows 7 as the current Microsoft release.

The researchers hypothesize that the bug stayed hidden for so long because the vulnerable driver isn’t stored on a computer’s hard drive full-time, like your printer drivers are. Instead, it sits in a Windows system called a “dynamic-link library,” and Windows Defender only loads it when needed. Once the driver is done working, it gets wiped from the disk again.

“Our research team noticed the driver is loaded dynamically, and then deleted when not needed, which is not a common behavior,” SentinelOne’s Dekel says. “So we looked into it. Similar vulnerabilities may exist in other products, and we hope that by disclosing this we’ll help others stay secure.”

Historic bugs crop up occasionally, from a 20-year-old Mac modem flaw to a 10-year-old zombie bug in Avaya desk phones. Developers and security researchers can’t catch everything every time. It’s even happened to Microsoft before. In July, for example, the company patched a potentially dangerous 17-year-old Windows DNS vulnerability. As with so many things in life, better late than never.

This story originally appeared on