More stories


    Human rights lawyers ask Australia's 'hacking' Bill be redrafted

    Human Rights Law Centre and the Law Council of Australia have asked that the federal government redraft the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, calling its contents “particularly egregious” and “so broad”.
    The Bill, if passed, would hand the Australian Federal Police (AFP) and the Australian Criminal Intelligence Commission (ACIC) three new computer warrants for dealing with online crime.
    “Sweeping state surveillance capacity stands in stark contrast to the core values that liberal democracies like Australia hold dear,” Human Rights Law Centre senior lawyer Kieran Pender declared to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) on Wednesday.
    “In the past two decades, the surveillance capabilities of Australian law enforcement and intelligence have rapidly expanded; every increase in state surveillance imposes a democratic cost.”
    According to Pender, each time further surveillance powers are contemplated, three questions should be asked: Are the proposed powers strictly necessary, carefully contained, and fully justified?
    “We believe that the Bill in its present shape does not satisfy those criteria,” he said.
    “While many of the expansions made to surveillance powers in this country in recent years have been troubling, this Bill stands out as particularly egregious because its scope encompasses any and every Australian.”

    The first of the warrants is a data disruption one, which according to the Bill’s explanatory memorandum, is intended to be used to prevent “continuation of criminal activity by participants, and be the safest and most expedient option where those participants are in unknown locations or acting under anonymous or false identities”.
    The second is a network activity warrant that would allow the AFP and ACIC to collect intelligence from devices that are used, or likely to be used, by those subject to the warrant.
    The last warrant is an account takeover warrant that would allow the agencies to take control of an account for the purposes of locking a person out of the account.
    “The powers offered by the Bill are extraordinarily intrusive; the explanatory memorandum and commentary by the minister indicate that powers are intended to only be used in cases of the most severe wrongdoing, yet the Bill does not reflect that,” Pender said.
    He believes the Bill’s relevant offence threshold of three years imprisonment is too low and should be increased; and that the definitions provided by the network activity warrants are so expansive as to be practically unlimited in scope.
    “We would urge the committee to recommend that these warrants be redrafted to prevent their application to individuals that have no involvement whatsoever in the relevant offence, otherwise, every single Australian is at risk of having their online activities monitored by the Federal Police even where they’re not suspected of having done anything wrong,” he said.
    As noted in its submission on the Bill, the OAIC believes the Bill’s definition of a criminal network of individuals has the potential to include a significant number of individuals, including third parties not the subject or subjects of the warrant who are only incidentally connected to the subject or subjects of the warrant.
    David Neal from the Australian Law Council further expanded on the risk posed to those peripheral to the individual or individuals who are the subject of a warrant.
    “[The definition is] so broad that as soon as one individual suspected of a relevant offence, users, for example of WhatsApp, in theory, this Bill will allow warrant in regards to anyone who uses WhatsApp because they’re then an electronically linked group of individuals with that one person,” he said.
    “Now, you know, someone defending the Bill might say, Well, you know, there are sort of all these other criteria that go to that, and we accept that to an extent, although I think those criteria need to be more robust.”
    Representatives from both organisations agreed the broad definitions within the Bill could exacerbate the risk of abuse and misuse.
    “There’s all of these channels that are totally going to be sort of swept pass potentially under this under this Bill, and give rise to concerns about abuse,” Neal said.
    In its submission to the PJCIS, the Law Council made a total of 57 recommendations on how to make the Bill more fit for purpose.
    “The appropriate course of action we respectfully submit is for the committee to recommend that the government substantially redraft this bill before it returns to Parliament,” Pender declared.


    Linux Foundation announces new open-source software signing service

    A few months ago, if you’d asked someone what their biggest concern was about IT security, you would have received lots of different answers. Then SolarWinds catastrophically failed to secure its software supply chain, leading to what’s been called IT’s Pearl Harbor. So today, locking down your software supply chain has become job number one for all CSOs and CISOs who take their jobs seriously. To answer this call for open source, the Linux Foundation, along with Red Hat, Google, and Purdue University, has created the sigstore project.


    The just-announced sigstore aims to improve the security of the software supply chain by enabling the easy adoption of cryptographic software signing backed by transparency log technologies. It will do this by empowering developers to securely sign software artifacts such as release files, container images, and binaries. These signing records will then be kept in a tamper-proof public log. This service will be free for all developers and software providers to use. The sigstore code and operation tooling that will be used to make this work is still being developed by the sigstore community.
    With this, as David A Wheeler, the Linux Foundation’s director of Open Source Supply Chain Security, observed earlier, we’ll be on our way to creating verified reproducible builds. Wheeler explained, “A reproducible build is one that always produces the same outputs given the same inputs so that the build results can be verified. A verified reproducible build is a process where independent organizations produce a build from source code and verify that the built results come from the claimed source code.”
    This, in turn, could be used to create a software bill of materials (SBOM). With an SBOM you’ll know exactly what code you’re using in any given project. This is another argument for open source. Orion, SolarWinds’ hacked program, for example, like all proprietary software, is a black box. No one except its builders knows what’s in it. And as we now know, SolarWinds didn’t know what was inside it until outside companies spotted its corruption.
    Sigstore will avoid this, Luke Hinds, Red Hat’s Security Engineering lead in the office of the CTO, explained, as it will enable “all open-source communities to sign their software and combine provenance, integrity, and discoverability to create a transparent and auditable software supply chain.” This isn’t easy. While there are some open-source digital signing tools available today, few developers use them. Many programmers, even now, don’t see the point of taking the extra steps needed to “sign” their software.
    Besides, as Matt Sicker, Apache Software Foundation member and CloudBees’ senior security engineer, said, “Applications commonly used for signing software typically have confusing UIs and require learning basic cryptography concepts in order to properly use them. Without some sort of code signing policy in place for a larger open source project, many developers are simply unaware of the benefits of signing their software.”
    Because of that, what tools there are for confirming the origin and authenticity of software rely on an often disparate set of approaches and data formats. The solutions that do exist often rely on digests that are stored on insecure systems that are susceptible to tampering.

    Newer, better signing tools are on their way. For example, Tidelift-managed catalogs track known-good, proactively maintained components that cover common language frameworks such as JavaScript, Python, Java, Ruby, PHP, .NET, and Rust.
    Even so, very few open-source projects currently cryptographically sign their software releases. That’s largely because of the challenges software maintainers face with secure key management, key compromise and revocation, and the distribution of public keys and artifact digests. Users are all too often left to fend for themselves to find out which keys to trust and how to validate signatures. That is not a job for ordinary IT people.
    But wait, there’s more. The ways we currently distribute digests and public keys are, in a word, bad. All too often they’re stored on hackable websites or in a README file on a public git repository. That’s just asking to be hacked. Sigstore seeks to solve these issues by using short-lived ephemeral keys with a trust root anchored in an open and auditable public transparency log.
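    As an added illustration (not sigstore’s code, and not from this article), the following Go program models what the preceding paragraphs describe: an artifact digest signed with a fresh ephemeral key that is then discarded, the public key and signature recorded in an append-only Merkle log (the RFC 6962 hashing used by certificate-transparency-style logs), and the consumer-side check that the bytes in hand hash to the logged digest, that the signature verifies, and that the entry is provably included under the published root. The Entry layout and the Log API are simplified assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Entry is one record in this constructed log: artifact digest, the ephemeral public
// key that signed it, and the signature (a simplified stand-in for Sigstore's format).
type Entry struct {
	Digest    [32]byte
	PublicKey ed25519.PublicKey
	Signature []byte
}
// Log is append-only; its Merkle root commits to every entry ever added.
type Log struct {
	entries []Entry
	leaves  [][32]byte // RFC 6962 leaf hash of each entry
}
// SignArtifact models the ephemeral-key flow: fresh key pair, sign the digest, publish
// key and signature in the log, and let the private key die with this call.
func (l *Log) SignArtifact(artifact []byte) int {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failure is not recoverable here
	}
	d := sha256.Sum256(artifact)
	e := Entry{Digest: d, PublicKey: pub, Signature: ed25519.Sign(priv, d[:])}
	l.entries = append(l.entries, e)
	l.leaves = append(l.leaves, leafHash(e))
	return len(l.entries) - 1 // index the consumer later requests a proof for
}

// RFC 6962 domain separation: 0x00 prefix for leaves, 0x01 for interior nodes.
func leafHash(e Entry) [32]byte {
	return sha256.Sum256(append(append(append([]byte{0x00}, e.Digest[:]...), e.PublicKey...), e.Signature...))
}
func nodeHash(left, right [32]byte) [32]byte {
	return sha256.Sum256(append(append([]byte{0x01}, left[:]...), right[:]...))
}
// splitPoint is the largest power of two strictly less than n (RFC 6962 MTH).
func splitPoint(n int) int {
	k := 1
	for k*2 < n {
		k *= 2
	}
	return k
}
func merkleRoot(leaves [][32]byte) [32]byte {
	if n := len(leaves); n == 0 {
		return sha256.Sum256(nil)
	} else if n == 1 {
		return leaves[0]
	}
	k := splitPoint(len(leaves))
	return nodeHash(merkleRoot(leaves[:k]), merkleRoot(leaves[k:]))
}
// inclusionProof lists the sibling hashes from leaf i up to the root, bottom first.
func inclusionProof(leaves [][32]byte, i int) [][32]byte {
	if len(leaves) <= 1 {
		return nil
	}
	k := splitPoint(len(leaves))
	if i < k {
		return append(inclusionProof(leaves[:k], i), merkleRoot(leaves[k:]))
	}
	return append(inclusionProof(leaves[k:], i-k), merkleRoot(leaves[:k]))
}
// Root is what the log publishes; Proof is what a consumer fetches for one entry.
func (l *Log) Root() [32]byte                  { return merkleRoot(l.leaves) }
func (l *Log) Proof(i int) (Entry, [][32]byte) { return l.entries[i], inclusionProof(l.leaves, i) }

// verifyInclusion is the RFC 6962 / RFC 9162 inclusion-proof algorithm.
func verifyInclusion(leaf [32]byte, index, size int, proof [][32]byte, root [32]byte) bool {
	if index >= size {
		return false
	}
	fn, sn, r := index, size-1, leaf
	for _, p := range proof {
		if sn == 0 {
			return false // proof is longer than the tree is tall
		}
		if fn%2 == 1 || fn == sn {
			r = nodeHash(p, r)
			for fn%2 == 0 && fn != 0 {
				fn, sn = fn>>1, sn>>1
			}
		} else {
			r = nodeHash(r, p)
		}
		fn, sn = fn>>1, sn>>1
	}
	return sn == 0 && r == root
}
// VerifyArtifact is the consumer's check: the bytes in hand must hash to the logged
// digest, the logged ephemeral key must verify the signature, and the entry must be in the log.
func VerifyArtifact(artifact []byte, e Entry, index, size int, proof [][32]byte, root [32]byte) bool {
	d := sha256.Sum256(artifact)
	return d == e.Digest && ed25519.Verify(e.PublicKey, d[:], e.Signature) && verifyInclusion(leafHash(e), index, size, proof, root)
}
```

    A build that is not reproduced byte for byte fails at the digest comparison before any signature or log check runs, which is why the article ties signing to verified reproducible builds.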
    In other words, as Alex Karasulu, also an ASF member and OptDyn CEO, observed, “The problem isn’t that open-source developers are lazy or reluctant. It is that a standard mechanism for two-factor authentication (2FA) specifically around code signing does not exist. Some techniques exist to achieve this: Git revisions can be signed and the process loosely protected with mandated 2FA accounts at GitHub, or GPG code signing keys can be stored on devices requiring a second factor to digitally sign anything including code and release checksums. There are many ways to skin this cat — but there is no standard making the process consistent. It’s essentially discretionary.”
    Without standardization, securing the software supply chain will be almost impossible. It’s sigstore backers’ hope that they can fix these issues. The goal is worth the effort. As Josh Aas, executive director of the Internet Security Research Group (ISRG) and Let’s Encrypt, said, “Securing a software deployment ought to start with making sure we’re running the software we think we are. Sigstore represents a great opportunity to bring more confidence and transparency to the open-source software supply chain.”
    After all, as Santiago Torres-Arias, Purdue assistant professor of Electrical and Computer Engineering and project founder, pointed out, “The software ecosystem is in dire need of something like it to report the state of the supply chain. I envision that, with sigstore answering all the questions about software sources and ownership, we can start asking the questions regarding software destinations, consumers, compliance (legal and otherwise), to identify criminal networks and secure critical software infrastructure.”
    We really need sigstore. Even now, we still haven’t really grasped how bad the SolarWinds disaster was. Without a truly secure open-source supply chain, we can be certain we’ll see even worse disasters.


    WA Auditor-General finds control weaknesses in four state IT applications

    The auditor-general of Western Australia has found four business applications used by state government entities contain control weaknesses, mostly around poor information security and policies and procedures.
    In her latest audit, the auditor-general probed the Teacher Registration System, handled by the Department of Education, Teacher Registration Board of Western Australia; the Forest Products Commission’s Deliveries and Billing System; the Housing Management System (Habitat) from the Department of Communities; and the TAFE Student Management System, which is under the watch of the Department of Training and Workforce Development.
    The testing was performed during 2019-20. The report [PDF] declared all four applications had control weaknesses. Auditor-General Caroline Spencer reported 75 findings across the four applications — nine findings were rated as significant, 57 moderate, and another nine were considered minor.
    The first project probed was the Department of Education’s Teacher Registration System, which it inherited in 2017.
    The system is a combination of internally developed and commercial software applications, hosted on public cloud infrastructure and maintained by department staff and contractors.
    “There are a number of significant weaknesses in the system which prevent the [Teacher Registration Board of Western Australia] and the department from efficiently managing public resources and effectively managing information security risks relating to sensitive teacher information,” the report said.
    The audit determined basic governance and controls, including limiting access and segregation of duties for system changes, were not implemented.

    “There is also a risk that insufficient disaster recovery planning and ongoing system failures could result in an outage that impacts teacher registration services,” it added.
    IT governance, security, and risk management were poor, with the report saying there is currently no IT strategy; limited oversight; and no risk management, change management, project management, incident and problem management, cloud management, or continuity management.
    Roles and responsibilities for managing the cloud environment have also not been defined, the report said, with there being 33 subscription owners that can manage and have full access to the cloud resources.
    It also found 119 resources were allocated to data centres outside Australia, including in Southeast Asia and the United States.
    The department’s Teacher Registration Directorate also spent approximately AU$240,000 between July 2019 and February 2020 on contracted services that the department could provide. The audit also found a conflict of interest risk, as the same contractor proposed and undertook projects — that contractor pulled in approximately AU$500,000 in a six-month period.
    The next application probed was the Forest Products Commission’s Deliveries and Billing System (DAB), which enables it to generate revenue and payment information from the harvest and sale of timber products.
    The audit determined security weaknesses in the DAB database and the commission’s network may expose it to malicious attacks and unauthorised access. In addition, weaknesses in controls, including the review of information entered into the DAB and monitoring of compliance with regulations, creates risks of incorrect revenue or payments and non-compliance.
    The 2019 DAB implementation project encountered delays and cost overruns — it overspent by approximately AU$720,000 — and the auditor-general said the commission could not demonstrate that an effective project governance framework was in place.
    The Department of Communities’ Housing Authority, meanwhile, was found to not have assessed the information security risks for its Habitat program. In addition, the auditor-general said the authority had not implemented adequate processes that provide oversight of Habitat controls, nor was there a disaster recovery plan in place.
    The report said the auditor-general identified 178 database user accounts with easy-to-guess passwords and 1,195 accounts where the password had not been changed for five years. These included accounts with high privileges.
    The authority’s IT staff also used and shared a highly privileged account to administer the Habitat database.
    Lastly, the Student Management System used by Western Australian TAFE colleges was found to open sensitive student information to risk due to inadequate monitoring of user activity and poor user access management.
    The auditor-general said application governance was not fully established, there was inadequate contract management, and service level arrangements were not defined.
    In addition, sensitive information was not protected in the database, data was found to be not de-identified, user access management could be improved, 2FA was not adopted, and data files were not appropriately restricted.  
    “Application controls need to be considered in conjunction with existing organisational processes and IT controls. A holistic approach towards governance, risk management and security is critical for secure and effective operations,” Spencer said.
    “Public facing applications are prone to cyber threats. It is therefore essential to manage system vulnerabilities and other weaknesses that could expose entities to compromise. We found that all audited entities could improve their controls around user access, vulnerability management, and situational awareness to address cyber risks.”


    Adobe releases batch of security fixes for Framemaker, Creative Cloud, Connect

    Adobe has released fixes for critical security problems impacting Framemaker, Creative Cloud, and Connect. 

    In the tech giant’s standard security update, published on a monthly basis, a single vulnerability has been resolved in the document processor Framemaker. 
    The bug, tracked as CVE-2021-21056, is a critical out-of-bounds read problem that leads to the execution of arbitrary code if exploited.
    A total of three critical vulnerabilities in Adobe Creative Cloud have also been resolved. The first, CVE-2021-21068, is an arbitrary file overwrite issue, whereas CVE-2021-21078 is an OS command injection security flaw. While these bugs lead to the execution of arbitrary code, the third — tracked as CVE-2021-21069 — is an improper input validation problem that can be exploited for privilege escalation. 
    Adobe’s Connect software, a remote conferencing tool, has received a fix for a single, critical bug caused by improper input validation. The security flaw, tracked as CVE-2021-21085, can lead to the execution of arbitrary code. 
    In addition, Adobe has patched three reflected cross-site scripting (XSS) flaws in Connect. Deemed important, the vulnerabilities — CVE-2021-21079, CVE-2021-21080, and CVE-2021-21081 — can be weaponized for the execution of arbitrary JavaScript in a browser session. 
    Adobe thanked Francis Provencher and Rookuu, working with Trend Micro’s Zero Day Initiative, Sebastian Fuchs from Star Finanz, and four independent researchers for reporting the security issues.

    In February, Adobe patched critical issues in software including Acrobat, Reader, Magento, and Illustrator, including buffer overflow vulnerabilities, Insecure Direct Object Reference (IDOR) security flaws, and out-of-bounds write/read bugs. 
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Microsoft's March Patch Tuesday: Critical remote code execution flaws, IE zero-day fixed

    Microsoft has released 89 security fixes for software including the Edge browser, Office, and Azure that patch critical issues including vectors for the remote execution of arbitrary code. 

    During the tech giant’s standard monthly patch round, Microsoft released a slew of patches to fix vulnerabilities in software including Azure, Microsoft Office products — such as PowerPoint, Excel, SharePoint, and Visio — alongside the Edge browser and Internet Explorer. 
    This also includes seven out-of-band fixes for Microsoft Exchange Server which were released last week, four of which are classed as zero-days. 
    Security updates have also been issued for features and services including the Microsoft Windows Codecs Library, Windows Admin Center, DirectX, Event Tracing, Registry, Win32K, and Windows Remote Access API. 
    In total, 14 are described as critical and the majority lead to Remote Code Execution (RCE), whereas the rest are deemed important.
    Among the fixes is the resolution of CVE-2021-26411, a memory corruption vulnerability in Internet Explorer that is being actively exploited in the wild.
    “This kind of exploit would give the attacker the same operating system permissions as the user visiting the website,” explained Kevin Breen, Director of Cyber Threat Research at Immersive Labs. “So if you’re browsing the internet as a standard user, the attacker will get user level access to your filesystem and limited access to the operating system. If you are browsing the internet as an admin, the attackers will get full unrestricted access to your filesystem and the operating system.”

    Other critical issues of note include CVE-2021-27074 and CVE-2021-27080, unsigned code execution bugs in Azure Sphere, and CVE-2021-26897, a critical RCE flaw in Windows DNS Server.
    A total of 15 of the CVEs resolved were reported through the Trend Micro Zero Day Initiative. A separate set of vulnerability fixes was issued for the Chromium version of the Edge browser last week.
    The latest round of security fixes follows the early emergency patches issued by Microsoft to resolve four zero-day vulnerabilities in Exchange Server, as well as three additional security flaws. The critical security bugs, used to steal email inbox communication and potentially allow server hijacking, were originally exploited by the Hafnium threat group — but the problem has now escalated to a worldwide issue believed to have impacted thousands of companies worldwide. 
    Today, Microsoft also announced the end of Microsoft Edge Legacy desktop application support. The application will be removed and replaced with the new Microsoft Edge during April’s Windows 10 cumulative monthly security update.
    See also: Microsoft’s Security Update Guide portal
    In February’s Patch Tuesday, the Redmond giant resolved 56 vulnerabilities including a privilege escalation zero-day flaw in Win32k. 
    Microsoft’s next Patch Tuesday release will occur on April 13. 


    UVMask by UM Systems: COVID-19 protective gear for the present, and future

    This week, the Centers for Disease Control (CDC) released its first set of guidelines for people who have been fully vaccinated against COVID-19. People who are fully vaccinated can safely visit other vaccinated people inside without wearing a mask or social distancing. Vaccinated people can also see unvaccinated people without masks or social distancing as long as the unvaccinated person is at low risk for severe disease.

    For hundreds of millions of Americans, this is extremely welcome news. Not having to wear a mask in lower-risk scenarios is great news for individual freedom and everyone’s mental health.
    However, even after many people are vaccinated, it doesn’t mean that our experience with masks is over. The nature of COVID-19 virus mutation and evolution — and its endemic and airborne nature in modern society — tells us that SARS-CoV-2 will be with us for a very long time, if not forever. After all, H1N1 and its variants are still with us today, 100 years following its appearance in the 1918 pandemic. The novel coronavirus is now much more contagious, with new emerging strains like B.1.1.7 replacing the original as the predominant strain in some locales. It’s also possible that a few mutational generations will result in vaccine escapism for the virus, re-introducing the need for mask mandates until another generation of vaccines can be formulated and administered.  
    For that reason, protective mask technology requires continued innovation. The best protection possible is also critical for those of us more vulnerable (due to immune disorders and other comorbidities) and front-line healthcare workers. 
    Enter UVMask

    Jason Perlow wearing UVMask
    Image: ZDNet
    In late June of 2020, a fledgling Brighton, Colorado startup, UM Systems, initiated a crowdsourced project on Indiegogo and Kickstarter to create the ultimate PPE mask for civilian use. What makes it the ne plus ultra in mask PPE? The company was looking to solve multiple problems with existing solutions:
    • Create an airtight seal
    • Provide particle filtration at the 0.3-micron level
    • Provide the ability to completely inactivate a pathogen by killing it or rendering it harmless
    • Provide a mask that is comfortable to wear
    • Provide ventilation using a fan and positive air pressure
    • Eliminate fog for eyewear users
    While some products could provide solutions to some of these issues, none could achieve all of the above. After over $4 million in seed backing, the company has shipped its first version.
    The technology behind UVMask

    Interior of UVMask
    Image: ZDNet
    As an original backer, I waited approximately eight months for the product to ship. While this sounds like a very long time, we are talking about a product that had to be rapidly prototyped under unusual market conditions and during a time when production facilities in China have seen their manufacturing capabilities interrupted. That the company was able to achieve this under such accelerated timeframes is really quite remarkable. It’s also expected that since this is a first-generation product and that testing has been much more limited than what a large-scale PPE manufacturer or a technology company can achieve under similar constraints, the first product will be far from perfect.

    UM Systems ships two versions of UVMask: the full-blown version ($120) that contains electronic components, and a “Lite” version that is essentially the full version’s shell, with removable filters suitable for use in lower-risk environments. The Lite version is being offered exclusively to UVMask backers at a reduced price (approximately $30). I ordered both products for two different face sizes. Fitting to face sizes is addressed with replaceable medical-grade silicone padded inserts that handle the vast majority of face geometries in “S” and “X” sizes. The company is developing additional sizes to address wearers with particular facial features, such as higher nose bridges.
    The electronic version is distinct from all other replaceable filter masks that are on the market. In addition to having FFP2 (equivalent to KN95) and FFP3 filters, the mask utilizes 275nm wavelength UV-C LEDs inside the housing air channel to completely inactivate viruses at the DNA level that get past the filters. Additionally, an integrated brushless 20,000 RPM fan reduces CO2 accumulation, increases oxygen level for better breathability and ventilation, and minimizes moisture build-up.
    Using UVMask

    UVMask while charging
    Image: ZDNet
    The tech behind UVMask is impressive, but what about actually using it? Let’s start with the construction: It’s made of a hard plastic that comes in three pieces — a front replaceable shell (available in three colors, titanium grey, white, or black), which attaches magnetically to the main assembly where the upper and lower silicone straps are also attached. The main assembly, in turn, attaches to the face pad, which is made from medical-grade silicone rubber and is easily removed for cleaning.
    The first thing you notice when you turn it on (using a small button that is recessed inside a rubber flap on the bottom front of the mask) is the brushless fan’s high-pitched whine — it’s prominent, although I didn’t find it overwhelming or annoying. Still, it is very noticeable in indoor environments. 
    However, this noise is easily forgiven because the positive airflow makes it far easier to breathe with these FFP2 and FFP3 filters inserted than a typical KN95 type respirator. Even here in Florida’s high humidity environment, I have not once seen my glasses fog up during several hours of protracted outdoor use. With the correctly sized silicone inserts, it is quite comfortable to wear despite the considerable weight, and the silicone straps keep it tight and well-supported on your face.
    As far as power, the device uses USB-C under a recessed port with a rubber tab in the mask’s front to charge its dual internal 1800mAh (non-removable) Li-Po batteries, but it does not come with a power adapter, only a charging cable. I don’t see this as a significant downside as most people own smartphones and other charging equipment, and it doesn’t require high wattage to charge it — a port on a PC or any 5V USB-A charger with the USB-A to USB-C cable works fine. The LEDs on the top of the mask light up red to indicate charging and light up white when charging is complete. They also turn on when you click on the tiny stud button to turn the mask on and switch between “Pro” and “Econ” modes. 

    The batteries are designed to have 1,000 full charging cycles before the capacity drops to below 80%. They should be good for a couple of years of daily use, at least, and you will probably get a new next-generation UVMask before the batteries run out. 
    I would like to see a more prominent button on the mask that I can feel with my fingers to switch it on when the mask is already on my face or hanging from my neck and to toggle between modes, but this is a nitpick. A fully charged battery will get you eight hours of continuous use. If the battery depletes while you’re wearing the mask, the integrated filters will still function as if it were the “Lite” version of the product. Note that you will need to use a USB-A to USB-C cable and connection to charge the mask; a USB-C to USB-C cable with a USB PD charger will not work.
    Room for improvement, but still an excellent product
    First, the mask is considerably larger than what most people are accustomed to wearing, and it is not lightweight by any means — it weighs approximately 9.4 ounces. If you wear this for hours at a time, expect some neck fatigue. The “lite” version without the electronic components is 4.1 ounces and is probably a more realistic solution for lower-risk environments, where you are more likely to wear it for extended periods. 
    Let’s also get this out of the way: Don’t expect to have extended conversations while wearing the UVMask. In a next-generation product, I would like to see a rudimentary microphone and speaker system because you’ll find your voice to be extremely muffled, and you’ll have to talk considerably louder than normal to get your point across. It almost felt like I was re-enacting “Dark Helmet” in Spaceballs. With the integrated fan’s positive airway pressure, it feels a lot like wearing a CPAP mask. In fact, CPAPs were highly influential in the product’s design.
    You can easily remove the silicone inserts and the front shell for end-of-day cleaning with isopropyl alcohol. However, I do find the silicone a bit challenging to put back on the mask, as it has an inner “lip” that needs to be inserted in just the right way along the rim of the mask housing, or it will fall off. It takes some practice to get this right; with wear, it gets easier. But it can still be annoying because if you keep the mask in a bag, the silicone easily pops off. This isn’t an issue when wearing it, only when storing it — UM Systems sells a hard case for the mask if you will be transporting it regularly.
    Inserting the filters takes some practice and can be a little bit frustrating. The initial version of the “Lite” masks had UM95 FFP2 filters that fell inside the air channel if you did not align them perfectly — rendering the product useless. UM99 FFP3 filters are more rigid and less flexible than UM95 FFP2 filters because of the larger amount of filter material used, so they did not experience that issue. 

    The metal washers had to be rapidly prototyped after the masks were manufactured
    Image: ZDNet
    The threading that connects the circular filter housings is very short, so it takes some skill in holding the mask chassis steady and above the filter packs to get them secured properly. To address this, UM Systems will now send customers a set of metal washer rings that completely prevent the filters from falling into the air channel, alleviating that problem. However, the washers also make the filter caps harder to screw on. These washers had to be rapidly designed to fix the filter problem after the masks had been manufactured; I expect newer versions of the mask will accommodate the washers as part of the overall design and have longer threads and filter caps that are easier to screw on.
    Overall, I feel the straps work fairly well, but they are thinner than I expect for a mask that weighs 9.4oz and twist up fairly easily (although this does not affect the product’s performance, it’s a purely aesthetic issue). I’d like to see a thicker version of the headgear similar to what we see on a CPAP mask of similar weight. 
    Also, removing the mask for eating and drinking can be problematic as the straps are not of the quick-disconnect type; they are threaded into notches in the front mask shell and secured with camera strap-style clips, so pulling off the upper strap results in the mask hanging very close to your neck on your chest. At 9.4oz, it is heavy — the only other option is to remove the mask when not in use completely. The company does sell an optional velcro strap kit, but I did not get to test these. A magnetic-style quick disconnect on the lower part of the mask would be preferable.
    I should add that an upper head and neck strap configuration is the only correct way to install the straps — you do not want to install them sideways (as a reviewer at the Australian Financial Review did, which resulted in a negative product evaluation) because your ears cannot support the weight of this product. I recommend watching the product videos that UM Systems has provided for proper strap installation and mask fit.
    Is the product perfect in its first version? No. But is it worth the money? Yes. In cases where you need to be out in public in dense, higher-risk areas where you have high confidence that people around you may be infected, UVMask is an excellent solution for staying safe in a post-coronavirus world.
    You can order the UVMask through UM Systems’ Indiegogo page.

    Abode launches $35 Abode Cam 2 security camera

    Abode on Tuesday announced its latest product, a $35 smart security camera. Abode offers a complete home security system that includes cameras, motion sensor, and door or window sensors. 

    However, before Tuesday, the only camera listed in the Abode shop was the $199.99 Outdoor Smart Camera. 
    With the addition of the Abode Cam 2, the company gives its subscribers and those who are new to the platform an inexpensive option. To be clear, you don’t need to have an Abode security system in order to use the Cam 2, but if you do, it’ll integrate directly with your security system. 
    The Cam 2 is capable of 1080p with an IP65-rated housing, which will allow you to place it inside or outside, even if it’s exposed to the occasional rain or snowstorm. There’s a built-in Starlight sensor that brings full-color night vision to the Cam 2, allowing you to see what’s happening in a dark room or in front of your house at night. 
    You don’t have to sign up for a paid Abode plan to use the camera. You’ll still be able to view live video, and you’ll also receive motion alerts on your phone. However, to use Smart Detect (person detection, as opposed to the basic motion detection the Cam 2 does on its own) and 24/7 video recording, you’ll need to sign up for one of Abode’s monitoring plans.

    The standard plan is $6 a month or $60 per year and includes seven days of video storage. The premium plan is $20 a month or $200 a year and includes 30 days of video storage. Abode says it will add package and pet detection later this year. The latter plan is more geared toward users who have a complete Abode security system, and not just a single camera. 
    The camera doesn’t support Apple’s HomeKit platform, but it will work with Amazon Alexa and Google Assistant. 

    The design of the Cam 2 reminds me of the $20 Wyze Cam, another reasonably priced camera. And as with that camera, instead of relying on cloud storage, you can use the microSD card slot to store video locally.
    The $29.99 price is an introductory price for pre-orders. After the promotion ends, the Cam 2 will cost $34.99. 
    Abode expects the camera to begin shipping in April. To learn more about the Cam 2 or order one for yourself, make sure to visit Abode’s site.

    Best Mac cleaner: Favorite cleaning and optimization tools

    Macs are true workhorses, but as is the case with every computer, detritus builds up, filling storage space, and turning a once-speedy system sluggish. With a little bit of care and feeding, a Mac can run at its best for longer. Also, depending on what you use your Mac for, having a suite of tools and utilities that can carry out useful tasks with a click of a button is super handy.

    My absolute favorite Mac utility. One click lets you find junk files, scan your system for threats, and look for ways to speed up your system. Then, with another click, all those tasks are carried out, quickly, efficiently, and safely. It’s a great product that gets regular and timely updates, and a tool that’s helped me keep many Macs running smoothly for years. Highly recommended!
    $34 at MacPaw

    There are a lot of tools that claim to be able to recover your data when your disk fails.
    DiskWarrior is the only one I trust with that task. With one click, you can get DiskWarrior to scan your storage drive, find all recoverable data, and then build an error-free, optimized copy for you.
    $119 at Alsoft

    Not a single tool, but a suite of over 30 tools, most of which are productivity and system health tools, and all of which are super easy to use. Many do their jobs with a single click.
    So, what utilities are there? There’s a disk cleanup tool, image resizer, video downloader, screen recorder, archiver, clipboard history tool, GIF maker, presentation mode switch, and much more. Because there are so many parts to Parallels Toolbox, I sometimes lose track of how much I use these tools every day.
    $19 at Parallels

    One of the things that can be responsible for a lot of wasted storage space is duplicate files. It’s not just duplicate files that can be a problem, but also similar files. This can be especially true when it comes to photos. Gemini 2 can scan your photos, spot ones that are similar, and lets you pick which ones to keep. 
    $19 at MacPaw

    The all-in-one temperature monitoring, fan control, and diagnostics for Macs. 
    If you’re someone who makes their Mac work hard, this is a fantastic tool for tuning the cooling system for optimal performance and keeping things running at their best.
    $10 at Tunabelly Software
    Other honorable mentions
    MacCleaner Pro: Speed up and clean up your Mac, as well as manage your precious storage space (compatible with M1-powered Macs).
    MacBooster 8: Free up space on your Mac by eradicating 20 different types of junk files from your system. 
