More stories

    OVHcloud data centers engulfed in flames

    OVHcloud has suffered a disastrous fire that has engulfed some of the firm’s data centers. 

    On March 10, OVHcloud founder and chairman Octave Klaba started a Twitter thread updating customers on the situation, which has claimed at least one data center. 
    OVHcloud is a global cloud, dedicated server, and managed bare metal services provider catering to over 1.5 million customers. 
    The company manages 27 data centers in countries including the US, UK, France, and Australia. 
    As data centers manage vast quantities of data for customers, providers have to be stringent when it comes to security. OVHcloud restricts physical access to employees only and security personnel are always on-site — but this has not stopped a fire from breaking out. 
    “We have a major incident on SBG2,” Klaba said. “The fire was declared in the building. Firefighters were immediately on the scene but could not control the fire in SBG2. The whole site has been isolated, which impacts all services in SBG1-4.”
    The impacted data centers, located in Strasbourg, France, include SBG2, which has been completely destroyed. Part of SBG1 has been destroyed, too, but firefighters were able to protect SBG3. SBG4 has not been impacted by the fire. Klaba says that “everyone is safe.”

    Images shared on social media appear to show the extent of the fire.
    “Firefighters continue to cool the buildings with water,” the executive said. “We don’t have access to the site. That is why SBG1, SBG3, SBG4 won’t be restarted today.”
    The fire has now been quelled but an assessment of the overall damage caused to OVHcloud’s data centers may take some time. Impacted clients have been urged to turn to backups to minimize downtime and disruption.
    “We recommend [you] activate your Disaster Recovery Plan,” Klaba added. 
    At the time of writing, Klaba is on-site. In an update, the executive said:

    “We have finished shutting down the UPS in SBG3. Now they are off. We are looking to enter SBG3 and check the servers. The goal is to create a plan to restart at least SBG3/SBG4, maybe SBG1. To do so, we need to check the network rooms too.”

    Update 10.19 am GMT: According to Klaba, “all servers in SBG3” are okay, though still non-operational, and the company is working on a way to restart them. Work on verifying SBG1 is now underway.
    ZDNet has reached out to OVHcloud and will update when we hear back. 
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

    Verkada disables accounts after reports its security cameras were breached

    Following reports that live feeds from over 150,000 of its security cameras were exposed, including those situated in prisons, hospitals, schools, police stations, and Tesla factories, Verkada has disabled accounts to prevent further access.
    According to Bloomberg, a group of hackers accessed the data collected by the Silicon Valley startup. The hackers are reported as saying they also have access to the full video archive of all Verkada customers.
    Bloomberg claims to have sighted footage validating the details of the breach.
    Verkada has described itself as bringing “the ease of use that consumer security solutions provide, to the levels of scale and protection that businesses and organisations require”.
    Commentary provided to Bloomberg from the hackers claiming responsibility for the incident said the breach intended to show the pervasiveness of video surveillance and the ease with which systems could be broken into.
    “We have disabled all internal administrator accounts to prevent any unauthorised access,” a Verkada spokesperson told ZDNet.
     “Our internal security team and external security firm are investigating the scale and scope of this issue, and we have notified law enforcement.”

    The startup claims over 5,200 customers, including Cloudflare, Equinox, the Salvation Army, and Tesla. It is understood customers of the startup have been made aware of the issue.

    Human rights lawyers ask Australia's 'hacking' Bill be redrafted

    Human Rights Law Centre and the Law Council of Australia have asked that the federal government redraft the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, calling its contents “particularly egregious” and “so broad”.
    The Bill, if passed, would hand the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) three new computer warrants for dealing with online crime.
    “Sweeping state surveillance capacity stands in stark contrast to the core values that liberal democracies like Australia hold dear,” Human Rights Law Centre senior lawyer Kieran Pender declared to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on Wednesday.
    “In the past two decades, the surveillance capabilities of Australian law enforcement and intelligence have rapidly expanded; every increase in state surveillance imposes a democratic cost.”
    According to Pender, each time further surveillance powers are contemplated, three questions should be asked: Are the proposed powers strictly necessary, carefully contained, and fully justified?
    “We believe that the Bill in its present shape does not satisfy those criteria,” he said.
    “While many of the expansions made to surveillance powers in this country in recent years have been troubling, this Bill stands out as particularly egregious because its scope encompasses any and every Australian.”

    The first of the warrants is a data disruption one, which according to the Bill’s explanatory memorandum, is intended to be used to prevent “continuation of criminal activity by participants, and be the safest and most expedient option where those participants are in unknown locations or acting under anonymous or false identities”.
    The second is a network activity warrant that would allow the AFP and ACIC to collect intelligence from devices that are used, or likely to be used, by those subject to the warrant.
    The last warrant is an account takeover warrant that would allow the agencies to take control of an account for the purposes of locking a person out of the account.
    “The powers offered by the Bill are extraordinarily intrusive, the explanatory memorandum and commentary by the minister indicate that powers are intended to only be used in cases of the most severe wrongdoing, yet the Bill does not reflect that,” Pender said.
    He believes the Bill’s relevant offence threshold of three years imprisonment is too low and should be increased; and that the definitions provided by the network activity warrants are so expansive as to be practically unlimited in scope.
    “We would urge the committee to recommend that these warrants be redrafted to prevent their application to individuals that have no involvement whatsoever in the relevant offence, otherwise, every single Australian is at risk of having their online activities monitored by the Federal Police even where they’re not suspected of having done anything wrong,” he said.
    As noted in its submission on the Bill, the OAIC believes the Bill’s definition of a criminal network of individuals has the potential to include a significant number of individuals, including third parties not the subject or subjects of the warrant who are only incidentally connected to the subject or subjects of the warrant.
    David Neal from the Australian Law Council further expanded on the risk posed to those peripheral to the individual/s that are the subject of a warrant.
    “[The definition is] so broad that as soon as one individual suspected of a relevant offence, users, for example of WhatsApp, in theory, this Bill will allow warrant in regards to anyone who uses WhatsApp because they’re then an electronically linked group of individuals with that one person,” he said.
    “Now, you know, someone defending the Bill might say, Well, you know, there are sort of all these other criteria that go to that, and we accept that to an extent, although I think those criteria needs to be more robust.”
    Representatives from both organisations agreed the broad definitions within the Bill could exacerbate the risk of abuse and misuse.
    “There’s all of these channels that are totally going to be sort of swept past potentially under this Bill, and give rise to concerns about abuse,” Neal said.
    In its submission to the PJCIS, the Law Council made a total of 57 recommendations on how to make the Bill more fit for purpose.
    “The appropriate course of action we respectfully submit is for the committee to recommend that the government substantially redraft this bill before it returns to Parliament,” Pender declared.

    Linux Foundation announces new open-source software signing service

    A few months ago, if you’d asked someone what their biggest concern was about IT security, you would have received lots of different answers. Then SolarWinds catastrophically failed to secure its software supply chain, leading to what’s been called IT’s Pearl Harbor. So it is that today, locking down your software supply chain has become job number one for all CSOs and CISOs who take their jobs seriously. To answer this call for open source, the Linux Foundation, along with Red Hat, Google, and Purdue University, has created the sigstore project.


    The just-announced sigstore aims to improve the security of the software supply chain by enabling the easy adoption of cryptographic software signing backed by transparency log technologies. It will do this by empowering developers to securely sign software artifacts such as release files, container images, and binaries. These signing records will then be kept in a tamper-proof public log. This service will be free for all developers and software providers to use. The sigstore code and operation tooling that will be used to make this work is still being developed by the sigstore community.
    With this, as David A. Wheeler, the Linux Foundation’s director of Open Source Supply Chain Security, observed earlier, we’ll be on our way to creating verified reproducible builds. Wheeler explained, “A reproducible build is one that always produces the same outputs given the same inputs so that the build results can be verified. A verified reproducible build is a process where independent organizations produce a build from source code and verify that the built results come from the claimed source code.”
    This, in turn, could be used to create a software bill of materials (SBOM). With an SBOM you’ll know exactly what code you’re using in any given project. This is another argument for open source. Orion, SolarWinds’ hacked program, for example, like all proprietary software, is a black box. No one except its builders knows what’s in it. And as we now know, SolarWinds didn’t know what was inside it until outside companies spotted its corruption.
    Sigstore will avoid this, Luke Hinds, Red Hat’s Security Engineering lead in the office of the CTO, explained as it will enable “all open-source communities to sign their software and combine provenance, integrity, and discoverability to create a transparent and auditable software supply chain.” This isn’t easy. While there are some open-source digital signing tools available today, few developers use them. Many programmers, even now, don’t see the point of taking the extra steps needed to “sign” their software. 
    Besides, as Matt Sicker, Apache Software Foundation member and CloudBees’ senior security engineer, said, “Applications commonly used for signing software typically have confusing UIs and require learning basic cryptography concepts in order to properly use them. Without some sort of code signing policy in place for a larger open source project, many developers are simply unaware of the benefits of signing their software.”
    Because of that, the tools that do exist for confirming the origin and authenticity of software rely on an often disparate set of approaches and data formats. Many of them rely on digests that are stored on insecure systems susceptible to tampering.

    Newer, better tools are on their way. For example, Tidelift-managed catalogs track known-good, proactively maintained components that cover common language frameworks such as JavaScript, Python, Java, Ruby, PHP, .NET, and Rust.
    Even so, very few open-source projects currently cryptographically sign their software releases. That’s largely because of the challenges software maintainers face with secure key management, key compromise and revocation, and the distribution of public keys and artifact digests. Users are all too often left to fend for themselves to find out which keys to trust and how to validate signatures. That is not a job for ordinary IT people.
    But, wait, there’s more. The ways we currently distribute digests and public keys are, in a word, bad. All too often they’re stored on hackable websites or in a README file on a public git repository. That’s just asking to be hacked. Sigstore seeks to solve these issues by using short-lived ephemeral keys with a trust root anchored in an open and auditable public transparency log.
    In other words, as Alex Karasulu, also an ASF member and OptDyn CEO, observed, “The problem isn’t that open-source developers are lazy or reluctant. It is that a standard mechanism for two-factor authentication (2FA) specifically around code signing does not exist. Some techniques exist to achieve this: Git revisions can be signed and the process loosely protected with mandated 2FA accounts at GitHub, or GPG code signing keys can be stored on devices requiring a second factor to digitally sign anything including code and release checksums. There are many ways to skin this cat — but there is no standard making the process consistent. It’s essentially discretionary.”
    Without standardization, securing the software supply chain will be almost impossible. It’s sigstore backers’ hope that they can fix these issues. The goal is worth the effort. As Josh Aas, executive director of the Internet Security Research Group (ISRG) and Let’s Encrypt, said “Securing a software deployment ought to start with making sure we’re running the software we think we are. Sigstore represents a great opportunity to bring more confidence and transparency to the open-source software supply chain.”
    There is, after all, as Santiago Torres-Arias, Purdue assistant professor of Electrical and Computer Engineering and project founder, pointed out, “The software ecosystem is in dire need of something like it to report the state of the supply chain. I envision that, with sigstore answering all the questions about software sources and ownership, we can start asking the questions regarding software destinations, consumers, compliance (legal and otherwise), to identify criminal networks and secure critical software infrastructure.”
    We really need sigstore. Even now, we still haven’t really grasped how bad the SolarWinds disaster was. Without a truly secure open-source supply chain, we can be certain we’ll see even worse disasters.
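    The two problems the article raises, long-lived signing keys that must be managed and revoked, and digests or public keys published somewhere tamperable, can be seen together in a small model of the flow sigstore describes. The following Go program is an added example written for this page, not sigstore’s own code: each release is signed with an ephemeral Ed25519 key that is discarded immediately, and the digest, public key and signature are appended to a hash-chained log that the consumer re-checks from the first entry. The real service additionally binds the ephemeral key to a developer identity through a certificate and uses a Merkle tree rather than a linear chain; both are left out here, and the artifact bytes and names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// LogEntry is one record in a hash-chained, append-only log. This is a toy
// stand-in for a transparency log: each entry commits to the previous one,
// so an entry cannot be rewritten without invalidating everything after it.
type LogEntry struct {
	Index     int
	Artifact  string
	Digest    [32]byte
	PublicKey ed25519.PublicKey
	Signature []byte
	PrevHash  [32]byte
	EntryHash [32]byte
}

// Log holds the chain in memory.
type Log struct {
	entries []LogEntry
}

// entryHash binds an entry to its predecessor and to everything a verifier
// will later check.
func entryHash(prev, digest [32]byte, pub ed25519.PublicKey, sig []byte) [32]byte {
	h := sha256.New()
	h.Write(prev[:])
	h.Write(digest[:])
	h.Write(pub)
	h.Write(sig)
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Sign models the ephemeral-key flow: generate a fresh key pair, sign the
// artifact digest, publish digest + public key + signature to the log, and
// let the private key go out of scope. Nothing long-lived remains to be
// stolen, rotated or revoked.
func (l *Log) Sign(name string, artifact []byte) (LogEntry, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return LogEntry{}, err
	}
	digest := sha256.Sum256(artifact)
	sig := ed25519.Sign(priv, digest[:])
	var prev [32]byte
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].EntryHash
	}
	e := LogEntry{Index: len(l.entries), Artifact: name, Digest: digest,
		PublicKey: pub, Signature: sig, PrevHash: prev}
	e.EntryHash = entryHash(prev, digest, pub, sig)
	l.entries = append(l.entries, e)
	return e, nil
}

// Entry exposes a record for inspection (and, in tests, for tampering).
func (l *Log) Entry(i int) *LogEntry { return &l.entries[i] }

// Verify does what a downstream consumer should do: confirm the downloaded
// bytes match the logged digest, confirm the signature under the logged key,
// and recompute the chain from genesis so a silently edited log is detected.
func (l *Log) Verify(index int, artifact []byte) error {
	if index < 0 || index >= len(l.entries) {
		return errors.New("no such log entry")
	}
	e := l.entries[index]
	if sha256.Sum256(artifact) != e.Digest {
		return errors.New("artifact digest does not match log entry")
	}
	if !ed25519.Verify(e.PublicKey, e.Digest[:], e.Signature) {
		return errors.New("signature invalid")
	}
	var prev [32]byte
	for i := 0; i <= index; i++ {
		x := l.entries[i]
		if x.PrevHash != prev {
			return fmt.Errorf("entry %d: broken chain link", i)
		}
		if entryHash(prev, x.Digest, x.PublicKey, x.Signature) != x.EntryHash {
			return fmt.Errorf("entry %d: entry hash mismatch", i)
		}
		prev = x.EntryHash
	}
	return nil
}

func main() {
	var tlog Log
	release := []byte("constructed release tarball bytes v1.0.0") // constructed input
	e, _ := tlog.Sign("tool-1.0.0.tar.gz", release)
	fmt.Println("logged digest:", hex.EncodeToString(e.Digest[:]))
	fmt.Println("verify genuine:", tlog.Verify(e.Index, release))
	tampered := append([]byte{}, release...)
	tampered[0] ^= 0xff
	fmt.Println("verify tampered:", tlog.Verify(e.Index, tampered))
}
```

    The point the chain check makes is the one Hinds and Karasulu are getting at: the public key is not something the consumer has to locate and trust on its own, it is part of an auditable record, and an attacker who can edit a README cannot edit this log without breaking every later entry.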

    WA Auditor-General finds control weaknesses in four state IT applications

    The auditor-general of Western Australia has found four business applications used by state government entities contain control weaknesses, mostly around poor information security and policies and procedures.
    In her latest audit, the auditor-general probed the Teacher Registration System, handled by the Department of Education, Teacher Registration Board of Western Australia; the Forest Products Commission’s Deliveries and Billing System; the Housing Management System (Habitat) from the Department of Communities; and the TAFE Student Management System, which is under the watch of the Department of Training and Workforce Development.
    The testing was performed during 2019-20. The report [PDF] declared all four applications had control weaknesses. Auditor-General Caroline Spencer reported 75 findings across the four applications — nine findings were rated as significant, 57 moderate, and another nine were considered minor.
    The first project probed was the Department of Education’s Teacher Registration System, which it inherited in 2017.
    The system is a combination of internally developed and commercial software applications, hosted on public cloud infrastructure and maintained by department staff and contractors.
    “There are a number of significant weaknesses in the system which prevent the [Teacher Registration Board of Western Australia] and the department from efficiently managing public resources and effectively managing information security risks relating to sensitive teacher information,” the report said.
    The audit determined basic governance and controls, including limiting access and segregation of duties for system changes, were not implemented.

    “There is also a risk that insufficient disaster recovery planning and ongoing system failures could result in an outage that impacts teacher registration services,” it added.
    IT governance, security, and risk management were poor, with the report saying there is currently no IT strategy; limited oversight; and no risk management, change management, project management, incident and problem management, cloud management, or continuity management.
    Roles and responsibilities for managing the cloud environment have also not been defined, the report said, with 33 subscription owners able to manage, and having full access to, the cloud resources.
    It also found 119 resources were allocated to data centres outside Australia, including in Southeast Asia and the United States.
    The department’s Teacher Registration Directorate also spent approximately AU$240,000 between July 2019 and February 2020 on contracted services that the department could provide. The audit also found a conflict of interest risk, as the same contractor proposed and undertook projects — that contractor pulled in approximately AU$500,000 in a six-month period.
    The next application probed was the Forest Products Commission’s Deliveries and Billing System (DAB), which enables it to generate revenue and payment information from the harvest and sale of timber products.
    The audit determined security weaknesses in the DAB database and the commission’s network may expose it to malicious attacks and unauthorised access. In addition, weaknesses in controls, including the review of information entered into the DAB and monitoring of compliance with regulations, create risks of incorrect revenue or payments and non-compliance.
    The 2019 DAB implementation project encountered delays and cost overruns — it overspent by approximately AU$720,000 — and the auditor-general said the commission could not demonstrate that an effective project governance framework was in place.
    The Department of Communities’ Housing Authority, meanwhile, was found to not have assessed the information security risks for its Habitat program. In addition, the auditor-general said the authority had not implemented adequate processes that provide oversight of Habitat controls, nor was there a disaster recovery plan in place.
    The report said the auditor-general identified 178 database user accounts with easy to guess passwords and 1,195 accounts where the password had not been changed for five years. These included accounts with high privileges.
    The authority’s IT staff also used and shared a highly privileged account to administer the Habitat database.
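    The two Habitat findings above, guessable passwords and passwords unchanged for five years on accounts that include privileged ones, are exactly what an offline audit of an exported account table turns up. The Go program below is an added example for this page, not the auditor-general’s tooling or anything from the Habitat system: the account schema, the salted SHA-256 hashing scheme, the guess list and the four sample logins are all constructed assumptions. It replays a small dictionary against each stored hash (no live login attempts), flags password ages beyond the five-year threshold as of the audit date, and marks findings on privileged accounts as severe.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// Account is one database login as an auditor might export it. The field set
// and the hashing scheme (hex of SHA-256 over salt+password) are assumptions
// made for this example.
type Account struct {
	Name         string
	Privileged   bool // holds a DBA-style role
	Salt         string
	PasswordHash string
	LastChanged  time.Time
}

// Finding is one audit observation against one account.
type Finding struct {
	Account string
	Issue   string // "weak-password" or "stale-password"
	Severe  bool   // set when the account is privileged
}

// AuditDate falls inside the report's 2019-20 test window; FiveYears mirrors
// its "not changed for five years" threshold.
var (
	AuditDate = time.Date(2020, 2, 1, 0, 0, 0, 0, time.UTC)
	FiveYears = 5 * 365 * 24 * time.Hour
)

// A deliberately short guess list; a real audit uses a far larger one.
var commonPasswords = []string{"password", "Password1", "welcome", "admin", "habitat", "123456"}

func hashPassword(salt, pw string) string {
	sum := sha256.Sum256([]byte(salt + pw))
	return hex.EncodeToString(sum[:])
}

// Audit replays the guess list against each stored hash and flags passwords
// older than maxAge as of auditDate. Privileged accounts are marked severe.
func Audit(accounts []Account, auditDate time.Time, maxAge time.Duration) []Finding {
	var findings []Finding
	for _, a := range accounts {
		for _, pw := range commonPasswords {
			if hashPassword(a.Salt, pw) == a.PasswordHash {
				findings = append(findings, Finding{a.Name, "weak-password", a.Privileged})
				break
			}
		}
		if auditDate.Sub(a.LastChanged) > maxAge {
			findings = append(findings, Finding{a.Name, "stale-password", a.Privileged})
		}
	}
	return findings
}

// SampleAccounts is constructed test data: two privileged and two ordinary
// logins with a mix of weak, strong, fresh and stale passwords.
func SampleAccounts() []Account {
	mk := func(name string, priv bool, salt, pw string, changed time.Time) Account {
		return Account{name, priv, salt, hashPassword(salt, pw), changed}
	}
	return []Account{
		mk("sys_admin", true, "a1", "Password1", time.Date(2014, 6, 30, 0, 0, 0, 0, time.UTC)),
		mk("app_reader", false, "b2", "Tr0ub4dor&3-rotated", time.Date(2019, 11, 1, 0, 0, 0, 0, time.UTC)),
		mk("report_user", false, "c3", "welcome", time.Date(2019, 12, 1, 0, 0, 0, 0, time.UTC)),
		mk("etl_batch", true, "d4", "kX7!pq2#Lm9v", time.Date(2013, 1, 15, 0, 0, 0, 0, time.UTC)),
	}
}

func main() {
	for _, f := range Audit(SampleAccounts(), AuditDate, FiveYears) {
		fmt.Printf("%-12s %-15s severe=%v\n", f.Account, f.Issue, f.Severe)
	}
}
```

    On the sample data this yields four findings, three of them severe, because the same privileged account is both guessable and stale; that overlap is the case an auditor prioritises first.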
    Lastly, the Student Management System used by Western Australian TAFE colleges was found to open sensitive student information to risk due to inadequate monitoring of user activity and poor user access management.
    The auditor-general said application governance was not fully established, there was inadequate contract management, and service level arrangements were not defined.
    In addition, sensitive information was not protected in the database, data was found to be not de-identified, user access management could be improved, 2FA was not adopted, and data files were not appropriately restricted.  
    “Application controls need to be considered in conjunction with existing organisational processes and IT controls. A holistic approach towards governance, risk management and security is critical for secure and effective operations,” Spencer said.
    “Public facing applications are prone to cyber threats. It is therefore essential to manage system vulnerabilities and other weaknesses that could expose entities to compromise. We found that all audited entities could improve their controls around user access, vulnerability management, and situational awareness to address cyber risks.”

    Adobe releases batch of security fixes for Framemaker, Creative Cloud, Connect

    Adobe has released fixes for critical security problems impacting Framemaker, Creative Cloud, and Connect. 

    In the tech giant’s standard security update, published on a monthly basis, a single vulnerability has been resolved in the document processor Framemaker. 
    The bug, tracked as CVE-2021-21056, is a critical out-of-bounds read problem which leads to the execution of arbitrary code if exploited. 
    A total of three critical vulnerabilities in Adobe Creative Cloud have also been resolved. The first, CVE-2021-21068, is an arbitrary file overwrite issue, whereas CVE-2021-21078 is an OS command injection security flaw. While these bugs lead to the execution of arbitrary code, the third — tracked as CVE-2021-21069 — is an improper input validation problem that can be exploited for privilege escalation. 
    Adobe’s Connect software, a remote conferencing tool, has received a fix for a single, critical bug caused by improper input validation. The security flaw, tracked as CVE-2021-21085, can lead to the execution of arbitrary code. 
    In addition, Adobe has patched three reflected cross-site scripting (XSS) flaws in Connect. Deemed important, the vulnerabilities — CVE-2021-21079, CVE-2021-21080, and CVE-2021-21081 — can be weaponized for the execution of arbitrary JavaScript in a browser session. 
    Adobe thanked Francis Provencher and Rookuu, working with Trend Micro’s Zero Day Initiative, Sebastian Fuchs from Star Finanz, and four independent researchers for reporting the security issues.

    In February, Adobe patched critical issues in software including Acrobat, Reader, Magento, and Illustrator, including buffer overflow vulnerabilities, Insecure Direct Object Reference (IDOR) security flaws, and out-of-bounds write/read bugs. 

    Microsoft's March Patch Tuesday: Critical remote code execution flaws, IE zero-day fixed

    Microsoft has released 89 security fixes for software including the Edge browser, Office, and Azure that patch critical issues including vectors for the remote execution of arbitrary code. 

    During the tech giant’s standard monthly patch round, Microsoft released a slew of patches to fix vulnerabilities in software including Azure, Microsoft Office products — such as PowerPoint, Excel, SharePoint, and Visio — alongside the Edge browser and Internet Explorer. 
    This also includes seven out-of-band fixes for Microsoft Exchange Server which were released last week, four of which are classed as zero-days. 
    Security updates have also been issued for features and services including the Microsoft Windows Codecs Library, Windows Admin Center, DirectX, Event Tracing, Registry, Win32K, and Windows Remote Access API. 
    In total, 14 are described as critical and the majority lead to Remote Code Execution (RCE), whereas the rest are deemed important.
    Among the fixes is the resolution of CVE-2021-26411, a memory corruption vulnerability in Internet Explorer that is being actively exploited in the wild.
    “This kind of exploit would give the attacker the same operating system permissions as the user visiting the website,” explained Kevin Breen, Director of Cyber Threat Research at Immersive Labs. “So if you’re browsing the internet as a standard user, the attacker will get user level access to your filesystem and limited access to the operating system. If you are browsing the internet as an admin, the attackers will get full unrestricted access to your filesystem and the operating system.”

    Other critical issues of note include CVE-2021-27074 and CVE-2021-27080, unsigned code execution bugs in Azure Sphere, and CVE-2021-26897, a critical RCE flaw in Windows DNS Server.
    A total of 15 of the CVEs resolved were reported through the Trend Micro Zero Day Initiative. A separate set of vulnerability fixes was issued for the Chromium version of the Edge browser last week.
    The latest round of security fixes follows the earlier emergency patches issued by Microsoft to resolve four zero-day vulnerabilities in Exchange Server, as well as three additional security flaws. The critical security bugs, used to steal email inbox communication and potentially allow server hijacking, were originally exploited by the Hafnium threat group — but the problem has now escalated into a global issue believed to have impacted thousands of companies.
    Today, Microsoft also announced the end of Microsoft Edge Legacy desktop application support. The application will be removed and replaced with the new Microsoft Edge during April’s Windows 10 cumulative monthly security update.
    See also: Microsoft’s Security Update Guide portal
    In February’s Patch Tuesday, the Redmond giant resolved 56 vulnerabilities including a privilege escalation zero-day flaw in Win32k. 
    Microsoft’s next Patch Tuesday release will occur on April 13. 

    UVMask by UM Systems: COVID-19 protective gear for the present, and future

    This week, the Centers for Disease Control (CDC) released its first set of guidelines for people who have been fully vaccinated against COVID-19. People who are fully vaccinated can safely visit other vaccinated people inside without wearing a mask or social distancing. Vaccinated people can also see unvaccinated people without masks or social distancing as long as the unvaccinated person is at low risk for severe disease.

    For hundreds of millions of Americans, this is extremely welcome news. Not having to wear a mask in lower-risk scenarios is great news for individual freedom and everyone’s mental health.
    However, even after many people are vaccinated, it doesn’t mean that our experience with masks is over. The nature of COVID-19 virus mutation and evolution — and its endemic and airborne nature in modern society — tells us that SARS-CoV-2 will be with us for a very long time, if not forever. After all, H1N1 and its variants are still with us today, 100 years after its appearance in the 1918 pandemic. The novel coronavirus is now much more contagious, with new emerging strains like B.1.1.7 replacing the original as the predominant strain in some locales. It’s also possible that a few mutational generations will result in vaccine escape for the virus, re-introducing the need for mask mandates until another generation of vaccines can be formulated and administered.
    For that reason, protective mask technology requires continued innovation. The best protection possible is also critical for those of us more vulnerable (due to immune disorders and other comorbidities) and front-line healthcare workers. 
    Enter UVMask

    Jason Perlow wearing UVMask
    Image: ZDNet
    In late June of 2020, a fledgling Brighton, Colorado startup, UM Systems, initiated a crowdsourced project on Indiegogo and Kickstarter to create the ultimate PPE mask for civilian use. What makes it the ne plus ultra in mask PPE? The company was looking to solve multiple problems with existing solutions:
    • Create an airtight seal
    • Provide particle filtration at the 0.3-micron level
    • Provide the ability to completely inactivate a pathogen by killing it or rendering it harmless
    • Provide a mask that is comfortable to wear
    • Provide ventilation using a fan and positive air pressure
    • Eliminate fog for eyewear users
    While some products could provide solutions to some of these issues, none could achieve all of the above. After over $4 million in seed backing, the company has shipped its first version.
    The technology behind UVMask

    Interior of UVMask
    Image: ZDNet
    As an original backer, I waited approximately eight months for the product to ship. While this sounds like a very long time, we are talking about a product that had to be rapidly prototyped under unusual market conditions and during a time when production facilities in China have seen their manufacturing capabilities interrupted. That the company was able to achieve this under such accelerated timeframes is really quite remarkable. It’s also expected that since this is a first-generation product and that testing has been much more limited than what a large-scale PPE manufacturer or a technology company can achieve under similar constraints, the first product will be far from perfect.

    UM Systems ships two versions of UVMask: the full-blown version ($120) that contains electronic components, and a “Lite” version that is essentially the full version’s shell, with removable filters suitable for use in lower-risk environments. The Lite version is being offered exclusively to UVMask backers at a reduced price (approximately $30). I ordered both products for two different face sizes. Fitting to face sizes is addressed with replaceable medical-grade silicone padded inserts that handle the vast majority of face geometries in “S” and “X” sizes. The company is developing additional sizes to address wearers with particular facial features, such as higher nose bridges.
    The electronic version is distinct from all other replaceable filter masks that are on the market. In addition to having FFP2 (equivalent to KN95) and FFP3 filters, the mask uses 275nm wavelength UV-C LEDs inside the housing air channel to inactivate viruses that get past the filters by damaging their genetic material. Additionally, an integrated brushless 20,000 RPM fan reduces CO2 accumulation, increases oxygen level for better breathability and ventilation, and minimizes moisture build-up.
    Using UVMask

    UVMask while charging
    Image: ZDNet
    The tech behind UVMask is impressive, but what about actually using it? Let’s start with the construction: It’s made of a hard plastic that comes in three pieces — a front replaceable shell (available in three colors, titanium grey, white, or black), which attaches magnetically to the main assembly where the upper and lower silicone straps are also attached. The main assembly, in turn, attaches to the face pad, which is made from medical-grade silicone rubber and is easily removed for cleaning.
    The first thing you notice when you turn it on (using a small button that is recessed inside a rubber flap on the bottom front of the mask) is the brushless fan’s high-pitched whine — it’s prominent, although I didn’t find it overwhelming or annoying. Still, it is very noticeable in indoor environments. 
    However, this noise is easily forgiven because the positive airflow makes it far easier to breathe with these FFP2 and FFP3 filters inserted than a typical KN95 type respirator. Even here in Florida’s high humidity environment, I have not once seen my glasses fog up during several hours of protracted outdoor use. With the correctly sized silicone inserts, it is quite comfortable to wear despite the considerable weight, and the silicone straps keep it tight and well-supported on your face.
    As far as power, the device uses USB-C under a recessed port with a rubber tab in the mask’s front to charge its dual internal 1800mAh (non-removable) Li-Po batteries, but it does not come with a power adapter, only a charging cable. I don’t see this as a significant downside as most people own smartphones and other charging equipment, and it doesn’t require high wattage to charge it — a port on a PC or any 5V USB-A charger with the USB-A to USB-C cable works fine. The LEDs on the top of the mask light up red to indicate charging and light up white when charging is complete. They also turn on when you click on the tiny stud button to turn the mask on and switch between “Pro” and “Econ” modes. 

    The batteries are designed to have 1,000 full charging cycles before the capacity drops to below 80%. They should be good for a couple of years of daily use, at least, and you will probably get a new next-generation UVMask before the batteries run out. 
    I would like to see a more prominent button on the mask that I can feel with my fingers to switch it on when the mask is already on my face or hanging from my neck, and to toggle between modes, but this is a nitpick. A fully charged battery will get you eight hours of continuous use. If the battery depletes while you’re wearing the mask, the integrated filters will still function as if it were the “Lite” version of the product. Note that you will need to use a USB-A to USB-C cable and connection to charge the mask; a USB-C to USB-C cable with a USB PD charger will not work.
    Room for improvement, but still an excellent product
    First, the mask is considerably larger than what most people are accustomed to wearing, and it is not lightweight by any means — it weighs approximately 9.4 ounces. If you wear this for hours at a time, expect some neck fatigue. The “lite” version without the electronic components is 4.1 ounces and is probably a more realistic solution for lower-risk environments, where you are more likely to wear it for extended periods. 
    Let’s also get this out of the way: Don’t expect to have extended conversations while wearing the UVMask. In a next-generation product, I would like to see a rudimentary microphone and speaker system because you’ll find your voice to be extremely muffled, and you’ll have to talk considerably louder than normal to get your point across. It almost felt like I was re-enacting “Dark Helmet” in Spaceballs. With the integrated fan’s positive airway pressure, it feels a lot like wearing a CPAP mask. In fact, CPAPs were highly influential in the product’s design.
    You can easily remove the silicone inserts and the front shell for end-of-day cleaning with isopropyl alcohol. However, I do find the silicone a bit challenging to put back on the mask, as it has an inner “lip” that needs to be inserted in just the right way along the rim of the mask housing, or it will fall off. It takes some practice to get this right; with wear, it gets easier. But it can still be annoying because if you keep the mask in a bag, the silicone easily pops off. This isn’t an issue when wearing it, only when storing it — UM Systems sells a hard case for the mask if you will be transporting it regularly.
    Inserting the filters takes some practice and can be a little bit frustrating. The initial version of the “Lite” masks had UM95 FFP2 filters that fell inside the air channel if you did not align them perfectly — rendering the product useless. UM99 FFP3 filters are more rigid and less flexible than UM95 FFP2 filters because of the larger amount of filter material used, so they did not experience that issue. 

    The metal washers had to be rapidly prototyped after the masks were manufactured
    Image: ZDNet
    The threading that connects the circular filter housings is very short, so it takes some skill in holding the mask chassis steady and above the filter packs to get them secured properly. To address this, UM Systems will now send customers a set of metal washer rings that completely prevent the filters from falling into the air channel, alleviating that problem. However, the washers also make the filter caps harder to screw on. These washers had to be rapidly designed to fix the filter problem after the masks had been manufactured; I expect newer versions of the mask will accommodate the washers as part of the overall design and have longer threads and filter caps that are easier to screw on.
    Overall, I feel the straps work fairly well, but they are thinner than I expect for a mask that weighs 9.4oz and twist up fairly easily (although this does not affect the product’s performance, it’s a purely aesthetic issue). I’d like to see a thicker version of the headgear similar to what we see on a CPAP mask of similar weight. 
    Also, removing the mask for eating and drinking can be problematic as the straps are not of the quick-disconnect type; they are threaded into notches in the front mask shell and secured with camera strap-style clips, so pulling off the upper strap results in the mask hanging on your chest, very close to your neck. At 9.4oz, it is heavy; the only other option is to remove the mask completely when not in use. The company does sell an optional velcro strap kit, but I did not get to test it. A magnetic-style quick disconnect on the lower part of the mask would be preferable.
    I should add that an upper head and neck strap configuration is the only correct way to install the straps. You do not want to install them sideways (as a reviewer at the Australian Financial Review did, which resulted in a negative product evaluation) because your ears cannot support the weight of this product. I recommend watching the product videos that UM Systems has provided for proper strap installation and mask fit.
    Is the product perfect in its first version? No. But is it worth the money? Yes. In cases where you need to be out in public in dense, higher-risk areas where you have high confidence that people around you may be infected, UVMask is an excellent solution for staying safe in a post-coronavirus world. 
    You can order the UVMask through UM Systems’ Indiegogo page.