When we opened up that brand-new computer when we were kids, we didnt think of all of the third-party work that made typing in that first BASIC program possible. There once was a time when we didn't have to worry about which companies produced all the bits of licensed software or hardware that underpinned our computing experience. But recent malware attacks and other security events have shown just how much we need to care about the supply chain behind the technology we use every day.

The URGENT/11 vulnerability, the subject of a Cybersecurity and Infrastructure Security Agency advisory issued last July, is one of those. It forces us to care, because it affects multiple medical devices. And it serves as a demonstration of how the software component supply chain and availability of support can affect the ability of organizations to update devices to fix security bugs—especially in the embedded computing space.

URGENT/11 is a vulnerability in the Interpeak Networks TCP/IP stack (IPNet), which was licensed out to multiple vendors of embedded operating systems. IPNet also became the main networking stack in Wind River VxWorks, until Wind River acquired Interpeak in 2006 and stopped supporting IPNet. (Wind River themselves were acquired by Intel in 2009 and spun off in 2018.) But the end of support didnt stop several other manufacturers from continuing to use IPNet. When critical bugs were discovered in IPNet, it set off a scare from the numerous medical device manufacturers that run it as part of their product build.

The average medical or Internet of Things (IoT) device relies on multiple free software or open source utilities. These pieces of software are maintained by any number of third parties—often by just one or two people. In the case of Network Time Protocol (ntp)—software that is in billions of devices—its code is maintained by a single person. And when the OpenSSL Heartbleed vulnerability came out in 2014, the OpenSSL project had two developers working on it. While there are many more developers working on it now, the Heartbleed crisis is emblematic of what happens when we use free software in our devices—the software gets adapted, not really patched, and not really maintained on the device, and little benefit goes back to the project.

Patch economics

Companies are under constant pressure to develop products and reduce expenses. To save time to market and reduce costs, hardware manufacturers often build products using reference designs. These designs come with Board Support Packages, which contain the code and drivers needed to successfully install and run an operating system on the given design. Sometimes they also come with utilities to perform diagnostics, hardware debugging, or monitoring on the devices.

But the Board Support Package is not always updated to address vulnerabilities or newer operating systems. This is the case with many Android devices that continue to be used but don't get software updates—because of kernel changes that the board support packages and drivers do not support. Oftentimes the device manufacturer needs to update these packages for every new version of an operating system. It then needs to rebuild the new version of their operating system and applications on top of it. Third-party components, such as cameras or additional sensors, also need to have their drivers updated. The amount of work needed to do this is significant and requires a degree of testing similar to that of a brand-new device.

Larger manufacturers, such as Samsung, are capable of absorbing the costs and are able to provide device updates at a lower price because they control numerous market segments (display, memory, etc.). Apple is also capable of providing these updates for a number of years because of their control of the supply chain behind their devices, including the processors, and their move away from third-party intellectual property.

But for other manufacturers, the high cost of updating board support packages, associated drivers (when they exist), and applications makes upgrading devices to a whole new version of an operating system difficult. And it often isn't possible to update even one specific component. As a result, the expectations set by the major software companies dont carry over well to markets where you dont sell as many devices, and there is tremendous market pressure to increase earnings.

Medical devices arent smartphones

This sort of thing might not be perceived as a huge problem for consumer devices such as smartphones, where manufacturers try to drive a constant hardware upgrade cycle. But there's an expectation that medical devices will be used longer than other devices—they're considered capital expenses, written into construction budgets for new facilities.

Asking medical device vendors to commit to long-term support for components and long-term supply chain support has a corresponding cost that will be borne by end users. Because of the expense of supporting these devices, many organizations will drop manufacturer support and use a third-party company to provide tech support and device management instead. This removes the incentive for manufacturers to provide additional support.

And medical device vendors don't always have the flexibility to upgrade their underlying platforms because of the way they license components. Since third-party components are usually licensed for a prebuilt function, the license may only allow for their use with a certain version of an operating system or kernel.

While the Linux community has been nothing short of incredible at maintaining older kernel versions and addressing security issues long after newer kernel versions have been released, putting that patched kernel in place takes significant work. There are a lot of dependencies between all the parts, and its very difficult to maintain everything to be able to provide security updates for a particular device or operating system as well as Microsoft, Apple, or IBM Red Hat do at scale. And older kernel and library versions mean that newer software isnt going to be as easy to port over and use, if at all. Getting Apache 2.4 to run on Red Hat Enterprise Linux 5.x, for instance, was an arduous task.

No easy fix

Overcoming the challenges these issues pose to the security of medical devices will be difficult. The Federal Drug Administration's effort to mandate a software bill of materials through their Premarket CybersecurityRead More – Source

arstechnica

BERLIN — German Chancellor Angela Merkels government Wednesday approved a law that forces social media platforms to proactively report illegal content such as death threats or incitement of hatred to law enforcement authorities.

“With the legislative package launched today, were targeting hate crimes with more force than before,” Justice Minister Christine Lambrecht, a Social Democrat, said in a written statement. “In the future, anyone who incites hate and threatens others online will be prosecuted more thoroughly and effectively.”

The law approved Wednesday is one of two pending proposals to further toughen Germanys online hate speech rules, which are considered some of the most stringent in the world. Before taking effect, the law still needs to pass both chambers of Germanys parliament.

While advocates say that tough rules areRead More – Source

politico

A US-based natural gas facility shut down operations for two days after sustaining a ransomware infection that prevented personnel from receiving crucial real-time operational data from control and communication equipment, the Department of Homeland Security said on Tuesday.

Tuesdays advisory from the DHSs Cybersecurity and Infrastructure Security Agency, or CISA, didnt identify the site except to say that it was a natural gas-compression facility. Such sites typically use turbines, motors, and engines to compress natural gas so it can be safely moved through pipelines.

The attack started with a malicious link in a phishing email that allowed attackers to pivot from the facilitys IT network to the facilitys OT network, which is the operational technology hub of servers that control and monitor physical processes of the facility. With that, both the IT and OT networks were infected with what the advisory described as “commodity ransomware.”

The infection didnt spread to programmable logic controllers, which actually control compression equipment, and it didnt cause the facility to lose control of operations, Tuesdays advisory said. The advisory explicitly said that “at no time did the threat actor obtain the ability to control or manipulate operations.”

Still, the attack did knock out crucial control and communications gear that on-site employees depend on to monitor the physical processes.

“Specific assets experiencing a Loss of Availability [T826] on the OT network included human machine interfaces (HMIs), data historians, and polling servers,” CISA officials wrote. “Impacted assets were no longer able to read and aggregate real-time operational data reported from low-level OT devices, resulting in a partial Loss of View [T829] for human operators.”

Facility personnel implemented a “deliberate and controlled shutdown to operations” that lasted about two days. “Geographically distinct compression facilities also had to halt operations because of pipeline transmission dependencies,” the advisory said. As a result, the shutdown affected the entire “pipeline asset,” not just the compression facility. Normal operations resumed after that.

Security lapses

The advisory disclosed several lapses in the facilitys security regimen. The first lapse involved inadequacies in the facilitys emergency response plan, which “did not specifically consider cyberattacks.” Instead, the plan focused on threats to physical safety.

“Although the plan called for a full emergency declaration and immediate shutdown, the victim judged the operational impact of the incident as less severe than those anticipated by the plan and decided to implement limited emergency response measures,” the advisory stated. “These included a four-hour transition from operational to shutdown mode combined with increased physical security.”

Another gap was a failure to implement robust segmentation defenses between the IT and OT networks. As a result, the infection was able to “traverse the IT-OT boundary and disable assets on both networks.”

The full “planning and operations section of the advisory were:

• At no time did the threat actor obtain the ability to control or manipulate operations. The victim took offline the HMIs that read and control operations at the facility. A separate and geographically distinct central control office was able to maintain visibility but was not instrumented for control of operations.
• The victims existing emergency response plan focused on threats to physical safety and not cyber incidents. Although the plan called for a full emergency declaration and immediate shutdown, the victim judged the operational impact of the incident as less severe than those anticipated by the plan and decided to implement limited emergency response measures. These included a four-hour transition from operaRead More – Source
  

  arstechnica

In bringing The Witcher 3 to Nintendo Switch late last year, the porting team at Saber Interactive already pulled off an impressive feat. This week, the developer went one step further with the port's biggest patch yet, and the included quality-of-life changes just elevated its value—especially for the game's fans on PC.

The Thursday patch was hinted at by Saber in late January in a tweet that has since been deleted, and after launching exclusively in Korea in the wee hours of the morning, it began rolling out across the globe through Thursday. While developer CD Projekt Red has yet to release a comprehensive list of patch notes about smaller bug fixes and tweaks, two of its biggest changes are front and center in the opening menus: cross-save support, and an overhauled "post-processing" list of toggles.

The former only works with the game's PC version, but you're in luck whether you've purchased the game via GOG or Steam. Choose either storefront, then enter your username and password in a Web interface to confirm that you want to connect your Switch copy with your PC version. Doing this allows you to either upload or download a single save file with either service, since both support cloud saves by default. CDPR's official update includes two warnings for longtime PC players: the Switch version will only recognize save files whose names haven't been manually edited, and any saves that contain metadata from modded versions of the game could affect Switch performance.

CDPR and Saber aren't the first to deliver cloud-save support on a Switch port; the massive RPG Divinity: Original Sin 2 plays nicely with Steam's cloud-save feature, while a few "live service" games such as Fortnite include global login support. But we've yet to see GOG integration on a Switch game, and as fans of its DRM-free sales model, we are delighted to see the inclusion. (As the official handlers of GOG, CDPR has a vested interest in getting it working, obviously.)

A federal judge has slapped down a Huawei lawsuit that sought to overturn a ban on federal agencies buying Huawei telecommunications gear. Congress passed the legislation, part of the military's 2019 appropriations bill, out of concern that the Chinese government could infiltrate Huawei-based networks.

Huawei had argued that the law was unconstitutional under the Constitution's ban on bills of attainder. The federal government argued that was nonsense. On Tuesday, Texas federal Judge Amos Mazzant sided with the government.

The Constitution prohibits Congress from imposing "bills of attainder"—legislation that singles out individuals for punishment without trial. This was an infamous practice in Great Britain in the decades before the American Revolution. Huawei argued that it was a "person" under US law and hence entitled to this protection.

The judge disagreed. Even if you grant the premise that Huawei is a person, he said, the ban on buying Huawei and ZTE equipment simply wasn't the kind of punishment prohibited by the bill of attainder rule.

Congress's ban on federal agencies purchasing a range of telecom products from Huawei and ZTE "represents no more than a customer's decision to take its business elsewhere," Mazzant wrote.

Corporations dont get embarrassed or lose friends

Huawei claimed that Congress passed the ban on buying Huawei equipment to punish Huawei. If true, that could make the law unconstitutional. The government countered that what it did was simply a pragmatic decision to shore up national security.

A key factor here is whether a measure brands the target with a badge of "disloyalty and infamy." In a 2003 ruling, for example, an appeals court ruled that it was unconstitutional for Congress to restrict a specific man's right to visit his daughter based on allegations that he had sexually abused her. The problem, the court said, wasn't only the loss of the visitation rights itself, but also the embarrassment of being publicly branded a sexual abuser by Congress.

Banning Huawei from selling gear to the federal government is totally different, the judge ruled. Corporations can't feel embarrassed, and they don't have to worry about losing friends. The legislation left Huawei with plenty of other opportunities: it was free to sell its gear to private parties in the United States as well as to thousands of potential customers, public and private, outside the United States.

Judge Mazzant pointed to a similar ruling made by another court in 2018. In that case, Kaspersky challenged a provision of the 2018 National Defense Appropriations Act that banned federal agencies from doing business with Russian IT security firm Kaspersky Lab. As in the Huawei case, legislators were worried that Kaspersky could have deep ties to a foreign government—in this case, Russia.

But Judge Colleen Kollar-Kotelly, a federal trial judge in Washington DC, rejected Kaspersky's arguments. She ruled that the government choosing not to buy a company's product was simply not a punishment—particularlyRead More – Source

arstechnica

Apple published a note to investors this week saying that it will miss its quarterly guidance for the next quarter because of the impact the COVID-19 coronavirus has had on supply lines and Chinese consumer demand. The note says that Apple expects "worldwide iPhone supply will be temporarily constrained" and that Apple and its partners may not be able to make enough iPhones to meet demand around the world.

During the company's last quarterly earnings call on January 28, it already gave an unusually large guidance range because of concerns about the health crisis, but the situation seems to be worse than Apple predicted. Several manufacturing facilities that assemble Apple products in China have been shut down amid the Chinese government's efforts to contain the virus, and the investor note says that while those facilities are now coming back online, they're still behind schedule.

"While our iPhone manufacturing partner sites are located outside the Hubei province—and while all of these facilities have reopened—they are ramping up more slowly than we had anticipated," Apple says.

Additionally, Apple Stores in China have seen reduced hours and foot traffic, and some were even closed temporarily. Apple explained:

The second is that demand for our products within China has been affected. All of our stores in China and many of our partner stores have been closed. Additionally, stores that are open have been operating at reduced hours and with very low customer traffic. We are gradually reopening our retail stores and will continue to do so as steadily and safely as we can. Our corporate offices and contact centers in China are open, and our online stores have remained open throughout.

That said, Apple was quick to point out that "outside of China, customer demand across our product and service categories has been strong to date and in line with our expectations." The company added, "this disruption to our business is only temporary." Analysts who have since chimed in have generally agreed, with many saying they will not change their long-term projections or targets for Apple even though the next quarter will see some struggles.

Apple made a similar change to its guidance based on challenges on the US trade war with China in 2019, though, leading some analysts and journalists to question the company's heavy reliance on the country. However, experts say it would be difficult for Apple to replace its Chinese manufacturing and logistics operations outside that country.

Bloomberg, a publication which has a strong track record recently of accurately reporting inside information on Apple's product plans, wrote today that Apple is likely still on track to introduce a new low-cost iPhone model in March. However, Bloomberg has also reported that Apple plans to introduce an updated version of the iPad Pro "with a new camera system" in the first half of this year but that "the virus may yet impose delays or constraints on those plans."

Bloomberg also obtained a copy of a letter Tim Cook wrote to Apple employees about the company's struggles with the coronavirus and its impact. The text is as follows:

Team,

The response to COVID-19 has touched the lives of so many in the ARead More – Source

arstechnica

Hackers are actively exploiting a critical WordPress plugin vulnerability that allows them to completely wipe all website databases and, in some cases, seize complete control of affected sites.

The flaw is in the ThemeGrill Demo Importer installed on some 100,000 sites, and it was disclosed over the weekend by Website security company WebARX. By Tuesday, WebArx reported that the flaw was under active exploit with almost 17,000 attacks blocked so far. Hanno Böck, a journalist who works for Golem.de, also spotted active attacks and reported them on Twitter.

If you use this plugin and your webpage hasn't been deleted yet consider yourself lucky. And remove the plugin. (Yes, remove it, don't just update.)

— hanno (@hanno) February 18, 2020

"There's currently a severe vuln in a wordpress plugin called "themegrill demo importer" that resets the whole database," Böck wrote. "https://webarxsecurity.com/critical-issue-in-themegrill-demo-importer/ It seems attacks are starting: Some of the affected webpages show a wordpress 'hello world'-post. /cc If you use this plugin and your webpage hasn't been deleted yet consider yourself lucky. And remove the plugin. (Yes, remove it, don't just update.)"

Hello, cruel world

The "Hello World" message is the default placeholder displayed on WordPress sites when the open source content-management system is first installed or when it's wiped clean. Böck told me that attackers appear to be exploiting the ThemeGrill vulnerability in hopes of gaining administrative control over affected websites. Website takeovers only occur when a vulnerable site has an account with the name "admin." In those cases, after hackers exploit the vulnerability and wipe clean all data, they are automatically logged in as a user that has administrative rights.

"The thing is, in most cases you get 'only' a database reset, i.e. that's not really useful for an attacker, but if a user 'admin' exists, the attacker can take that over," he said in a direct message. "But you don't know that in advance. Therefore I assume attackers will just try and leave a lot of devastated WordPress installations behind while hijacking the few where this attack works."

The ThemeGrill Demo Importer is used to automatically import other plugins available from Web development company https://themegrill.com/. Statistics from WordPress initially said the importer plugin received 200,000 installations. More recently, the number has been revised down to 100,000, most likely because many websites have opted to uninstall it.

According to WebARX, the vulnerability has been active for about three years and resides in versions from 1.3.4 through 1.6.1. The fix is available in version 1.6.2, although a newer version (known as 1.6.3) became available in the past 12 hours.

Failure to authenticate

The bug stems from a failure to authenticate users before allowing them to carry out privileged administrative commands. Hackers can abuse this failure by sending Web requests that contain specially crafted texRead More – Source

arstechnica

Ring, Amazon's line of cloud-connected home surveillance equipment, faced a high-profile series of camera hacks late last year. That string of breaches—though traumatic for the families that were targeted—has at least finally led to one silver lining: increased security for user accounts.

Two-factor authentication of some kind is now mandatory for all accounts, Ring announced today. Every device owner and authorized user will have to enter a one-time, six-digit code, sent through email or SMS, in order to log in to a Ring account.

While email and SMS are not necessarily the most secure forms of two-factor authentication out there, either is a sight better than what Ring had been mandating before, which was nothing. The ease with which bad actors were able to access huge numbers of Ring cameras, take control of them, and harass homeowners with them was in large part due to weak security on those Ring accounts.

In the wake of those intrusions, Ring first made it mandatory for new device owners to set up two-factor authentication at the time of account creation. Earlier this month, the company chased that up with a new account control panel, making it easier for users to find and opt-in to two-factor authentication; now, finally, the setting is not optional.

Ring also drew attention it did not want a few weeks ago when the Electronic Frontier Foundation published a report outlining how several third-party firms, including Facebook, receive significant amounts of personal data when users launch the Ring app on their phones. Notifications about data sharing with some of those third parties are present in Ring's privacy policy, but others were never mentioned. Neither were consumers given the chance to opt out.

As part of its announcement, Ring said it is "temporarily pausing the use of most third-party analytics services in the Ring apps and website," effective immediately. It plans to add opt-out mechanisms for some forms of sharing to the user control center and re-enable that sharing when those options are active. Users can now also opt-out of receiving targeted advertising, though of course they cannot opt out of having their data collected in the first place.

But to what end?

For all their faults, Ring cameras are—in theory, at least—supposed to be good at one job: keeping homeowners safe from neighborhood crime. In reality, however, the cameras seem to more useful as fodder for neighborhood gossip than neighborhood watch.

As of its most recent update on February 13, Ring now boasts 967 partnerships with law enforcement nationwide. So what are these widespread partnerships accomplishing?

Not a whole lot, according to a recent NBC News report. Or at least, not a lot that can actually be quantified.

NBC spoke with 40 police and sheriff departments about the program. The agencies, located in eight different states, all had been partnered with Ring for at least three months. A total of 13 agencies—about a third of the ones NBC spoke with—made zero arrests as a result of Ring footage. Another 13 were able to confirm they had made arrests after reviewing Ring footage. The remaining 14 basically didn't keep data that would allow them to evaluate the effectiveness of the partnership—even though, in some cases, the agreements went back more than a year.

In Houston, police estimated that Ring footage has been used in perhaps 100 out of that city's 16,000 burglaries in the past year. Even if the footage from a Ring camera is clear, it may not result in a positive identification, a Houston police spokesperson told NBC: "You have a video of one unknown person in a city of 2.5 million people!… Our limiting factor is not Read More – Source

arstechnica

It's 2020: we finally live in the future! Or at least a future—one where broadband Internet connections and portable, reasonably high-powered computing tools are pervasive and widely accessible, even if they aren't yet universal. Millions of workers, including all of us here at Ars, use those tools to do traditional "office jobs" from nontraditional home offices.

Tens of millions of jobs at all points of the income and skill spectrum are of course not suited to remote work. Doctors, dentists, and countless other healthcare workers of the world will always need to be hands-on with patients, just as teachers need to be in schools, construction workers need to be on building sites, scientists need to be in labs, wait staff need to be in restaurants, judges need to be in court, and hospitality employees need to be in hotels. All of that said, though, many more of the hundreds of different kinds of jobs Americans do can be done off-site than currently are.

Roughly a quarter of us are already doing at least some work remotely. About 24 percent of US workers employed full-time did "some or all" of their work at home, according to the most recent federal data available. Even as some workplaces become increasingly distributed around the nation and the world, though, others are reversing course and doubling down on the corporate campus. So as we here at Ars look toward the future of work, we find ourselves wondering: employers and employees alike benefit from getting some folks out of cubeville, so what are so many businesses and managers afraid of?

A surprisingly ancient argument

The idea of remote work, as we currently imagine it, goes back about 50 years. The fight over whether employees should be allowed to do remote work—whether they can in fact be trusted with it—goes back almost exactly as long.

The first documented use of the word "telecommute" showed up in 1974 when The Economist wrote: "As there is no logical reason why the cost of telecommunication should vary with distance, quite a lot of people by the late 1980s will telecommute daily to their London offices while living on a Pacific island if they want to." Similarly, futurist writer Alvin Toffler (together with his wife Heidi Toffler, uncredited) described the concept perfectly in the 1980 book The Third Wave:

When we suddenly make available technologies that can place a low-cost “work station” in any home, providing it with a “smart” typewriter, perhaps, along with a facsimile machine or computer console and teleconferencing equipment, the possibilities for home work are radically extended.

As the idea of telework landed in the 1970s, "pro" and "con" camps formed, became entrenched, and dug in rapidly thereafter. By January 1984, Time magazine had "fans and foes take second looks" at proliferating "experimental projects" in telecommuting—at the time still novel but potentially destined to become much less so.

In the 1980s the state of California commissioned a study on the potential costs and benefits of expanding telework among state employees. The final report (PDF), published in 1990, is an extremely familiar tune to the one still sung today.

Remote work "enhances the quality of work life for telecommuters, including those with disabilities," the report found. "Telecommuting more than pays its way … there are societal benefits as well."

The group that compiled the report determined that telecommuting "should be encouraged to expand within state government, that every state agency should have the option of using telecommuting both as a means of improving its effectiveness and for reducing traffic congestion and air pollution." That said, the working group also cautioned that in order to be effective, a telecommuting program must be "implemented properly and [have] its utility monitored regularly."

The California report was one of the earlier deep-dive efforts to determine if remote work could be effective or valuable, but not the last. Dozens of studies have emerged in the 30 years since backing up the state working group's findings. Taken in aggregate, they show remote work, where feasible, has a clear pattern of benefits for both workers and the firms that employ them.

"The advantages [of telework] are many," Johnny C. Taylor, president and CEO of the Society for Human Resource Management, told Ars. "It's a good thing for several reasons from the employer's perspective in a very tight labor market."

The idea may date back to the 1970s, but the potential for telework on a mass scale truly took off in the early years of the 21st century. While about 50 percent of US adults had Internet access in the year 2000, that number had jumped to more than 75 percent by the year 2010 and currently hovers around 90 percent, according to data gathered by the Pew Research Center. Broadband use in particular jumped from being virtually nonexistent in US homes in 2000 to greater than 60 percent of US homes by 2010. (Presently, an estimated 42.8 million US residents lack broadband access at home.)

Likewise, the computing tools to use on all those home broadband networks became not only higher-powered but also cheaper and easier to acquire. A mid- to high-range laptop in the year 1999 cost between $1,800 and $2,000, was a pain in the butt to drag around on a college campus or public transit, and probably did not have Wi-Fi capabilities. (Mine certainly didn't.) In 2019, you certainly can pay that much for a high-end laptop, but you can also purchase an array of good-quality ultra-thin, lightweight computers for less than half that much—to say nothing of how connected you can stay with a smartphone, which more than 80 percent of US adults now own.

Get off the road

In the most populated and congested US cities, an average commute can easily run an hour or more each way. Ten percent of US workers commute more than 60 minutes each way per day. And while public transportation, cycling, or walking are a good option in several of those cities, housing costs and decades of infrastructure and policy choices mean that more than 75 percent of American workers drive solo to work.

Commutes in California's high-tech hub, the Bay Area, are legendarily bad, driven by a surge of tech workers and support staff facing a severe housing crisis. Unable to find nearby housing, many employees and contract workers for major tech firms such as Google live farther and farther away from the corporate campuses they need to get to each morning.

Drivers have their coping mechanisms—see also: podcasts—but nobody really likes driving to work. No matter where you live, other drivers are absolutely the worst, and being part of a traffic jam doesn't really improve anyone's Monday. Paying for a car commute is also not particularly pleasant, as the cost of gas climbs over time, and more and more cities introduce some form of tolling (sometimes very high) to major roads to alleviate—or at least get compensated for—congestion.

Even those among us who do live in the handful of cities with strong, robust transportation networks don't always enjoy the experience of using them. A subway commute that should take 20 minutes can stretch on all morning if something goes wrong (as often seems to happen).

Less stressful by far is simply not commuting at all and winning back between 30 and 90 minutes on each end of your workday for something more productive. And the less time you spend on the road, the less likely you are to become one of the more than 36,000 people who die in auto crashes and accidents each year.

But reducing car commuting is perhaps even more of a collective good than an individual good, as every single car that isn't on the road is at least one small step toward not making the climate crisis worse. Transportation accounts for about 29 percent of all US greenhouse gas emissions. Individuals in passenger vehicles certainly don't represent all transportation—the massive web of trucks, ships, and aircraft used for shipping factor in there, too—but they represent enough that it's worth reducing the number of commuters on the road.

Dell Inc. prides itself on encouraging remote work. The company published a report (PDF) in 2016 describing its telecommuting policy as a driver of sustainability efforts for the firm. "Dell work-from-home programs mitigate approximately 1.15 metric tonnes of CO2e per employee per year," the report determined, "with most of the decrease being related to employee GHG emissions and a smaller percentage attributable to Dell GHG emissions." Presently, the company estimates its telework programs prevent 35,000 metric tons of CO2e per year as compared to having the whole workforce commute.

An enticing, low-cost perk

SHRM's Taylor stressed employee demand as one of the major drivers behind firms expanding telework:

People are now saying, "I'm really talented. I live an hour away, when local, and that commute is two hours of productivity plus stressing time, fuel costs, dry cleaning bills, etc. And I can do this work remotely quite successfully, so—why not?" As that demand increases and the pool for talent is shrinking, we have to be willing to entertain it.

The national unemployment rate, at press time, stood at 3.4 percent. Among 389 US metropolitan areas, 136—about 35 percent—have unemployment rates lower than 3 percent. Among the 51 largest US metropolitan areas, those with populations of 1 million or higher, the highest jobless rate in December still stood at only 4.7 percent.

"If you've got 50 people who can work from home—to let them do so as opposed to pay for expensive real estate in major market cities—I've seen companies literally say, 'I can reduce my square footage footprint by thousands of dollars per month.'"

That is, as they say, a hot market. When unemployment is high, employers have the upper hand and can still get a stream of candidates signing up for jobs that offer mediocre pay and terrible benefits. But when unemployment is low, workers have options, and employers start competing with everything they have to offer to draw good candidates in the door. Would-be employees—particularly in the so-called "knowledge sector," who are exactly the kind of workers who can most easily do remote work—have options.

Offering remote work is "something that can distinguish your brand in the employment market—this war for talent, as it's been referred to," Taylor said, particularly for companies trying to attract younger talent. The much-ballyhooed millennial generation may have infamously killed a whole range of consumer products and industries, but not the idea of work. Members of that generation, now approximately 25 to 40 years old, not only comprise a huge portion of the workplace, but also the majority of parents of young children.

Parents, not only women but of any gender, are embracing telework as a way to "truly strike that balance of work and personal life and not trade off," Taylor explained. "What we're seeing is, as people think about how to take care of and provide for their children, especially in the younger years, that there's a major benefit" to avoiding the commute and clawing back those hours, even if you still have to arrange daytime care for your kids to get anything done.

Whether, how, and for whom wages may or may not increase in the face of that competition is too complicated a question for this piece. Other benefits, such as comprehensive health care offerings, are extraordinarily expensive for employers to offer, and so many companies are wary of how they expand that kind of benefits plan.

Allowing employees to work remotely some or all of the time, however, not only tends to make workers happier—it actively saves employers money. "It's quite the deal" for employers in major cities, Taylor told Ars. "If you've got 50 people who can work from home, to let them do so as opposed to pay for expensive real estate in major market cities—I've seen companies literally say, I can reduce my square footage footprint by thousands of dollars per month," especially once the cost of utilities are factored in.

About a dozen major metropolitan areas have average commercial real estate rental costs of more than $40 per square foot per month, at least one commercial real estate provider has found. In New York City, that figure is higher than $85; in San Francisco, it tops $92. Generally, businesses need a minimum of 100 square feet of usable office space per employee—using those figures, then, a room big enough for just 10 "creatives" to work cheek by jowl in an open concept plan (which are actively terrible) in New York is going to cost you more than $1 million per year. Not maintaining that office space is, obviously, significantly cheaper.

And while it is rare for employer cost-cutting moves to make employees happier, telework is the rare win/win where those interests can overlap. The American Psychological Association last year published an article finding that, in the right situations, "Employees who telecommute tend to be slightly more satisfied, and their performance tends to be the same or a little higher," than those who commute to work.

President Obama in 2010 signed into law a bill promoting federal telework. In 2012, John Berry, the head of the Office of Personnel Management—basically the clearing house for federal HR matters—testified before Congress on how the change was boosting the federal workforce.

"We have found that individuals who telework are more likely to agree that they know what is expected of them on the job, that they feel they are held accountable for results in their work, and that they are more likely to agree that they have a greater sense of control over work processes," Berry said. He went on:

Best of all, individuals who telework are much more likely to report being satisfied or very satisfied with their jobs. With the obvious correlations between job satisfaction and employee turnover, affording Federal employees the opportunity to telework has the potential to avoid future recruitment and training costs.

A wide net

Employers, particularly but not solely state and local governments, have for decades been trying to get a handle on diversity and inclusion in their ranks. Allowing for remote work significantly increases the pool of potential candidates who might be able to fill open roles. Not only can you reach for members of racial groups or religions that might be under-represented within a feasible commuting distance of your office, but also you can potentially hire more folks for whom a commute can be a significant burden.

Among those potential workers are individuals with disabilities, who can often face significant infrastructure-based barriers in getting to a worksite. The 1990 California paper found that workers with mobility challenges had "their work-related stress levels significantly decreased as a result of telecommuting." The report went on:

Their effectiveness changes were positive, like the rest of the telecommuters. We did not specifically explore new job opportunities for the disabled; however, telecommuting clearly appears to benefit the disabled. Few information jobs have inherent restrictions to entry if telecommuting is an option for the employee.

Workplaces with more than 15 employees are required by law to allow "reasonable accommodation" to allow workers with disabilities to apply for and perform jobs. The Equal Employment Opportunity Commission (EEOC) considers remote work to be such an accommodation.

"Not all persons with disabilities need—or want—to work at home," the EEOC writes. "And not all jobs can be pRead More – Source

arstechnica

Fourteen Americans tested positive for carrying the new coronavirus just as they began their return to the United States from Yokohama, Japan, where they had been trapped aboard the luxury cruise ship Diamond Princess in a quarantine that began February 3.

As of today, February 17, Japanese health officials have confirmed 454 cases of COVID-19 on the ship, including 99 cases reported since yesterday. The cluster is, by far, the largest of any COVID-19 flare ups outside of China, where the outbreak began and has caused the vast majority of infections and deaths.

The new cases in the returning Americans will nearly double the current number of COVID-19 cases in the US, bringing the total from the current 15 to 29.

Originally, no American cruise ship passengers infected with the new coronavirus were meant to leave Japan. When the US government announced plans on Saturday, February 15, to evacuate the roughly 400 Americans stuck on the cruise liner, it noted that sick passengers would stay in Japan for treatment.

But evacuation plans for over 300 other Americans were thrown into question as they disembarked the ship and made their way on buses to the airport where planes chartered by the US State Department awaited them. En route, US officials received the results of testing done 2-to-3 days earlier that determined that 14 of the evacuees were infected with the novel coronavirus.

After some deliberation, US officials decided to allow the 14 travelers—who were asymptomatic as they disembarked the ship—to return to the States. The 14 flew back in a specialized containment area on the evacuation aircraft, isolating them from the other evacuees.

Thrown together

All returning ship passengers would be held in a 14-day federal quarantine in one of two military bases upon their arrival today.

According to reports, 44 Americans tested positive for the virus and did remain in Japan. Others reported that they opted to stay on the ship and take their chances—a decision that may seem wise in retrospect.

Sacramento resident Matthew Smith, a passenger on the Diamond Princess, told CNN affiliate KOVR that he and his wife "decided we would just face whatever consequences [on the ship] rather than exposing ourselves to that [evacuation] situation."

"It kind of didn't make any sense—if the US was fearful that these were infected people, which is why they're going to quarantine them for another two weeks—to have thrown them all together."

The messy evacuation highlights the difficulty of controlling the spread of the COVID-19—particularly on cruise ship—as many infected with the novel coronavirus show mild to no symptoms. At the same time, hundreds of passengers who disembarked another cruise ship, the MS Westerdam, in Cambodia were being tracked after an 83-year-old Read More – Source

arstechnica