Category: iT news

  • Technology conference CES going digital for 2021

    CES, one of the tech world’s biggest gatherings, will be online-only in 2021, the organisers have confirmed.

    The event, normally held in Las Vegas in January, draws many of the biggest technology firms and is seen by many as a curtain-raiser to a year in tech.

    But with growing concerns about how long the coronavirus pandemic will last, organisers have said 2021 will be “an all-digital experience”.

    It said it was “not possible to safely convene tens of thousands of people”.

    In a statement, the Consumer Technology Association (CTA), which organises CES, said it was “reimagining how to connect exhibitors, customers, thought leaders and media from around the world while prioritising health and safety”.

    Shockwaves

    It joins a list of other high-profile technology conferences in going virtual – including Web Summit in November and both this year’s and the 2021 TED (Technology, Entertainment and Design) conference.

    The organisers of Mobile World Congress, held in Barcelona in February, are currently still hoping for an in-person event.

    Online conferences are both greener and cheaper, but delegates often complain that they miss out on making connections with others.

    CTA said that, alongside traditional keynote talks and conferences, it would enable meetings and networking in a “highly personalised experience”.

    Mobile analyst Ben Wood, who has attended nine CES conferences, said that it was little surprise that organisers had opted for a virtual format.

    “The insurmountable logistical challenges of delivering an in-person event were clear given the global pandemic.

    “The decision to hold CES as a digital-only event will send shockwaves through the events world. When one of the largest consumer electronics shows in the world says it is not viable to have a physical event, it sends a strong signal that these types of events will be near-impossible to hold in coming months.”

  • National Trust joins victims of Blackbaud hack

    The National Trust is a charity that looks after places of historic interest and natural beauty

    The UK’s National Trust is among more than 80 organisations that have confirmed data breaches resulting from an attack on cloud computing provider Blackbaud.

    Others involved include homeless charities The Wallich and Crisis, the terminal illness charity Sue Ryder, and the mental health group Young Minds.

    Dozens of British universities have also alerted past and present students.

    Museums, schools, churches and food banks have also been affected.

    The UK’s Information Commissioner’s Office (ICO) has said it is investigating the matter and is therefore limited in what it can say at this time.

    Internal investigation

    The National Trust said that data about its volunteering and fundraising communities had been involved, but not that of its wider 5.6 million members.

    The organisation – which looks after historic buildings and gardens – added that an internal investigation was under way to assess if further action was needed.

    “We are currently in the process of identifying and informing those affected,” Jon Townsend, the trust’s chief information officer, explained.

    “We have reported the incident to the UK’s regulator for data protection, the Information Commissioner’s Office and the Charity Commission.” 

    The University of Newcastle was another body to make a public disclosure after being contacted by the BBC.

    “We were made aware of a security incident involving a service provider we use, Blackbaud, one of the world’s largest providers of alumni database software,” said a spokeswoman.

    “We apologise for any concern or inconvenience caused… and we have initiated a security review.”

    Ransomware payment

    Blackbaud has said that it became aware of the matter in May, and subsequently paid the attackers a ransom. However, it only advised its clients of the breach this month, which is why notices are only now being sent to members of the public.

    Some of them specifically make mention of two of Blackbaud’s platforms – Raiser’s Edge and NetCommunity – which are commonly used to keep track of donors and the sums they have given.

    Blackbaud markets its software as a way to find “untapped potential in your existing donor database”

    Blackbaud has said the data did not include bank account or payment card details.

    But a source has told the BBC that in some cases it involved donors’ details including:

    • names, ages and addresses
    • car licence details
    • employers
    • estimated wealth and identified assets
    • total number and value of past donations to the organisation in question
    • wider history of philanthropic and political gifts
    • spouses’ identity and past gift-giving
    • likelihood to make a bequest triggered by their death

    Although Blackbaud has said the cyber-criminals had provided confirmation that the stolen data was destroyed, one expert questioned whether such an assurance could be trusted.

    “The hackers would know these people have a propensity to support good causes,” commented Pat Walshe from the consultancy Privacy Matters.

    This would be valuable information to fraudsters, he added, who could use it to fool victims into thinking they were making further donations when in fact they would be giving away their payment card details.

    Mr Walshe also questioned if there had been a breach of the GDPR privacy law, which requires major personal data breaches to be flagged to regulators within 72 hours of discovery.

    Blackbaud has said that at “every point we were working closely with law enforcement and other specialists”.

    However, neither it nor the ICO has yet revealed when the UK watchdog was notified.

    Jewish schools

    Blackbaud has declined to name or number the organisations impacted, beyond saying it is a “subset” of its thousands of clients.

    However, the BBC has identified some of these by contacting them directly and tracking down online notices of the security breaches.

    The problem is so widespread across the further education sector that some universities – including the University of Edinburgh and Aston University, Birmingham – have posted notices to say their data was not involved.

    Some schools have also been affected, including St Albans in Hertfordshire. ACS International, which teaches children in London, Surrey and Qatar, has also said there is a “low threat” risk to its “alumni’s and friends’ information”.

    In addition, Maccabi GB – an organisation that provides services to 44 Jewish primary and secondary schools – has told supporters their data was among that compromised.

    Beyond the UK, Hungary’s Central European University is among those to have confirmed involvement.

    But the other international organisations confirmed by the BBC have all been US and Canada-based.

    They include several cancer charities, human rights campaigns, public radio stations and religious groups, in addition to schools, colleges and universities.

    Who has confirmed being breached?

    UK educational institutions:

    • Aberystwyth University
    • ACS International Schools
    • Brasenose College, University of Oxford
    • Brunel University, London
    • De Montfort University
    • Heriot-Watt University, Edinburgh
    • Hughes Hall College, University of Cambridge
    • King’s College, London
    • Loughborough University
    • Oxford Brookes University
    • Robert Gordon University
    • Selwyn College, University of Cambridge
    • St Albans School, Hertfordshire
    • Sheffield Hallam University
    • Staffordshire University
    • University College, Oxford
    • University of Aberdeen
    • University of Birmingham
    • University of Bristol
    • University of Durham
    • University of Exeter
    • University of Glasgow

    The University of Glasgow has posted an online notice to its alumni and other donors about the incident

    • University of Leeds
    • University of London
    • University of Manchester
    • University of Newcastle
    • University of Northampton
    • University of Reading incl Henley Business School
    • University of Strathclyde
    • University of South Wales
    • University of Sussex
    • University of York

    Other UK non-profits:

    • Action on Addiction
    • Breast Cancer Now
    • Choir with No Name
    • Crisis
    • Maccabi GB
    • Sue Ryder
    • The National Trust
    • The Urology Foundation
    • The Wallich
    • Young Minds

    International organisations:

    • Alpha USA charity
    • Ambrose University, Alberta
    • American Civil Liberties Union (ACLU), New York
    • Bentley University, Massachusetts
    • Boys & Girls Clubs of Delaware
    • Cancer Research Institute, New York
    • Catholic Charities of St Paul’s and Minneapolis
    • Central European University, Budapest
    • Cheverus High School, Portland
    • Coastal Maine Botanical Gardens

    Coastal Maine Botanical Gardens has told visitors their email addresses, phone numbers and donation histories may have been compromised

    • Darlington School, Georgia
    • Des Moines University
    • Diocese of Gaylord, Michigan
    • Emerson College, Boston
    • First Place For Youth, California
    • Foodbank of Central and Eastern North Carolina
    • Hennepin Healthcare Foundation, Minnesota
    • Human Rights First, New York
    • Human Rights Watch, New York
    • Institute for Human Services, Charleston
    • Kent Denver School, Colorado
    • Kids Quest Children’s Museum, Bellevue
    • Louisiana Tech University Foundation
    • Mennonite Economic Development Associates (Mena), Waterloo
    • Middlebury College, Vermont
    • New College of Florida
    • New Hampshire Public Radio
    • Northwest Immigrant Rights Project
    • Open Space Institute, New York
    • Rhode Island School of Design
    • St Ignatius Loyola Parish, New York
    • St Mary’s College of Maryland Foundation
    • San Diego Public Library Foundation
    • Springfield Museums, Massachusetts
    • The Bishop Strachan School, Toronto
    • University of Dayton
    • University of North Florida
    • University of Western Ontario
    • Urban School, San Francisco
    • Ventura College Foundation, California
    • Vermont Foodbank
    • Vermont Public Radio
    • West Virginia University

  • Sainsbury’s to try out virtual queuing system

    The app would enable shoppers to monitor their place in the queue remotely

    Sainsbury’s has begun testing a virtual queuing system that will allow customers to wait remotely for their turn to shop in its stores.

    Shoppers will be able to join the queue from a remote location, such as their car, using a smartphone app, avoiding the need to stand outside the shop.

    The trial began at five UK stores on Monday and will run until mid-August.

    Experts say retailers need to find new ways to alleviate queuing as the UK heads into autumn and winter.

    Sainsbury’s customers will be able to download the app onto their smartphones, from where they can monitor their position.

    ‘Appetite’ for technology

    Catherine Shuttleworth, retail analyst and chief executive at retail marketing agency Savvy, told the BBC that shoppers were clamouring for ways to make the “new normal” easier.

    “There’s no doubt that shopper appetite for easy technology that makes getting shopping done more efficiently has never been greater,” she said.

    “The growth of click-and-collect, where shoppers interface with less people and therefore shop with reduced risk, has been exponential in lockdown, not just with national grocery chains but with local farm shops and food stores.”

    The first stores to try out the system will be Uxbridge, Pimlico and Newham Royal Wharf, in London, Dome Roundabout in Watford and Leicester North.

    A spokesperson for Sainsbury’s said the trial would determine whether the app could make customers’ shopping experience safer and more convenient.

    The retailer also confirmed it would be continuing to roll out its till-free mobile payment scheme.

    The system currently operates in more than 75 stores, with 40 more scheduled for later in the week.

    Adapting to the Covid-19 pandemic has meant an extra £500m in costs for Sainsbury’s, as the company invested in its digital services, hired more staff and altered store layouts.

  • The Case Against Full-Disk Encryption | Tech Blog

    Like with any industry, the information security industry, more commonly referred to as “cybersecurity,” for all its raging debates, has rallied around a small corpus of best practices.

    One of the highest on this list is full-disk encryption, which security experts regard as sacrosanct, a no-brainer that everyone should use at the barest of minimums. This is the encryption that ensures that someone who snatches your device won’t be able to know everything you’ve got saved on it.

    I’m here to make the case that most of you are better off not using it. I know this might sound crazy, since I’m kind of the security guy here, but hear me out.

    I am in no way about to talk you out of using encryption — without it, the digital tools that we rely on every day would be unusable. That’s why I’m not arguing against encryption, period; but specifically against full-disk encryption, and only for certain users.

    What I contend is that, for most people facing the overwhelmingly most common use cases, full-disk encryption is overkill. These users enjoy no measurable gain in security compared to alternative data at rest encryption, yet they pay for it with a measurable performance hit. This isn’t just a matter of efficiency or load times, but literal increased cost to users, too.

    Alternatives exist which afford normal everyday users, with normal everyday security concerns, a level of protection commensurate with what full-disk encryption offers. They are admittedly a bit off the beaten path, as most consumer tech companies have adopted full-disk encryption, but they’re out there.

    There Has to Be Another Way

    Today, full-disk encryption is by far the most common kind of encryption scheme for data at rest. Think of data at rest as the data you keep on some kind of storage medium (like a hard drive) for use later, not the kind of data that is moving over some communication channel like the Internet (that would be data in transit).

    In general, full-disk encryption is implemented on a level of computer complexity that deals with how raw bytes, decoupled from the context of information representation, are organized on the hard drive. We will refer to this as the block device level, since the full-disk encryption is applied to the block device that is a hard drive partition (just a fancy name for a large segment of your hard drive).

    This level is higher than the electrical signal level, but below the filesystem, the latter of which is the point at which your computer sees bytes as files instead of just bytes. The filesystem serves as a kind of org chart that tells your computer how to tell what bytes go together to make up files, and how to tell files and file types apart.

    So what exactly is this disk encryption that isn’t full-disk encryption?

    The answer is filesystem-level encryption. Under filesystem-level encryption, also called “file-based encryption,” a system encrypts certain directories (i.e. folders) and all the files and directories within them, recursively down to everything that the uppermost directory ultimately contains. Filesystem-level encryption can also encrypt an entire filesystem, automatically protecting everything that gets saved on it. For our purposes, though, we will consider the kind of file-based encryption that lets users choose which files and directories to encrypt, leaving the rest alone.

    To be precise, the model I have in mind is one which encrypts only the user documents, media, and other files which on Unix systems would end up in the user’s subdirectory under the /home directory. This way, the core system files and software binaries for running programs are left alone, and only your actual personal data is guarded.

    This, as the name implies, occurs at the level of the filesystem, which is one level up from where full-disk encryption is operative. This yields some important implications. To start with, all your encrypted files are already understood as being files, meaning they can be decrypted individually.

    It also allows users to augment file encryption with file permission controls. Because the full disk is encrypted under full-disk encryption, a user who knows the disk decryption password has to enter it before anything else can proceed. But along with the user files, all the files the OS needs to run are also locked. A successful boot requires the whole block device to be unlocked, and once the disk is unlocked, it’s all open.

    With file-level encryption, your full OS enforces the distinctions for what gets decrypted and when. Each user can define which of their files are encrypted, and with which passwords. So, with file-based encryption, one user could decrypt their files and still leave another user’s data locked up. You don’t have to decrypt an encrypted directory if you don’t want to — if you don’t intend to open any of your document or media files, you can use the computer’s programs while leaving your personal files locked up where, for instance, malware can’t infect them.

    Show Me What You’ve Got

    I wouldn’t go to the trouble of putting forward file-based encryption if it didn’t have some real advantages over full-disk encryption. To that end, file-based encryption’s greatest strength is that its speed leaves full-disk encryption in the dust. That’s because file-based encrypted systems read and write to the disk more efficiently.

    To understand why that is, let’s get into how encrypted block devices (like flash storage) work. Just as a refresher on terminology, “ciphertext” is the encrypted form of information, which is unreadable without the correct key, while “plaintext” is the information in its original, comprehensible form.

    When you decrypt encrypted data at rest, your computer isn’t literally changing all the bits on the storage hardware from ciphertext to plaintext. That would take too long, and it would fry your drive in no time from writing to the entire drive every time you booted and shut down your device. Instead, the physical bits on your drive stay as they are, but they are read and written through a buffer that exists in memory after the correct key is applied. The buffer applies a decryption operation as the information is read, and an encryption operation as it is written, to the drive. While your data is decrypted and read, the plaintext is held in memory so it can be easily referenced until you are done with it.

    Adding this many extra steps slows things way down compared to unencrypted reads and writes, by as much as a factor of ten. For full-disk encryption, every single thing you do on your computer has to be read through this decrypting buffer, because your entire block device, and its contents, is encrypted. Crucially, this includes all the binaries that run the OS itself and all the software on it.

    But with our chosen configuration of file-based encryption, only your user document and media files need decryption. Most of the software you use on a daily basis isn’t among these files. There are plenty of computing tasks that wouldn’t need to decrypt anything at all. As just one example, we live in our web browsers so much that you can probably count on one hand the number of user files you’ve opened in the last 24 hours.

    Obviously, your computer will have to decrypt some data some of the time, but even then, because the encryption is implemented at the filesystem level, your file-based encrypted OS can do so more efficiently than the full-disk encrypted analog would.

    Ultimately, all disk access, whether to a fully encrypted or filesystem encrypted disk, requires approval from the core of the operating system, the kernel. However, because the encryption in full-disk encryption is managed at the system administrative privilege level, the kernel has to get involved for reading the block device through the decryption buffer, too.

    File-based encryption doesn’t face this obstacle, because it only requires unprivileged user rights to decrypt the user’s own files. As a result, full-disk encryption has to get an additional permission from the kernel for reading or writing to the disk, compared to the same process under the file-based model.

    More Efficient With Less Wear and Tear

    Another major upside to filesystem encryption is that it cuts way down on wear to your drive. For every individual write operation, a system with file-based encryption simply writes less data than one with full-disk encryption.

    Again, the encryption at work for full-disk encryption is on the block device level, which sees only blocks of bytes: uniformly sized units. Not all data takes up an entire block, though. In fact, a lot of it doesn’t. So encryption at the block level actually thwarts the computer’s built-in efficiency mechanism of changing only the parts of a file that actually changed. Without full-disk encryption, a computer can compare the updated version of a file in memory to the previous version on the drive, determine which parts are now different, and write those new different parts to the file.

    Your computer can achieve a similar economy of writes with file-based encryption, too: when the plaintext version of your file in memory is updated, the file is filtered through the encryption buffer and held in memory temporarily, and then the OS compares the new encrypted version against the previous encrypted version on your drive to determine which bits actually changed, and only writes those.

    Full-disk encryption is another story.

    Under that model, the OS knows what parts of the file changed, but because the encryption is by block and not by file, the OS now has to translate files into blocks, encrypt the block, and write those blocks to the block device. Revisions in a file that don’t add up to a block’s worth of data can span multiple blocks, all of which must then be filtered through the encrypted buffer and written in their entirety back to the block device. Even if all the altered data is stored in one block, the whole block is rewritten, resulting in significant write overhead.
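The block-level read and write path described above (ciphertext stays on the drive, plaintext exists only in a memory buffer, and any edit rewrites every block it touches) can be modelled in a few lines. This is an added example, not code from the article or from any disk-encryption product; the 512-byte sector size, the passphrase and salt are constructed, and the keyed XOR keystream is a toy stand-in for a real sector cipher such as AES-XTS.

```python
import hashlib
import hmac

SECTOR = 512  # assumed sector size in bytes


def _keystream(key: bytes, sector_no: int, length: int) -> bytes:
    """Toy per-sector keystream (HMAC-SHA256 in counter mode).

    Stand-in for a real sector cipher; do not use for real data.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = sector_no.to_bytes(8, "little") + counter.to_bytes(4, "little")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


class EncryptedBlockDevice:
    """Holds only ciphertext; every access goes through a decrypting buffer."""

    def __init__(self, passphrase: bytes, n_sectors: int):
        # Constructed salt; a real volume stores a random salt in its header.
        self.key = hashlib.pbkdf2_hmac("sha256", passphrase,
                                       b"constructed-salt", 100_000)
        self.sectors_read = 0
        self.sectors_written = 0
        # The "drive": a list of encrypted sectors, initially encrypted zeros.
        self.disk = [self._crypt(n, bytes(SECTOR)) for n in range(n_sectors)]

    def _crypt(self, sector_no: int, data: bytes) -> bytes:
        # XOR with the keystream both encrypts and decrypts.
        ks = _keystream(self.key, sector_no, SECTOR)
        return bytes(a ^ b for a, b in zip(data, ks))

    def _load(self, n: int) -> bytes:
        self.sectors_read += 1
        return self._crypt(n, self.disk[n])      # plaintext lives in memory only

    def _store(self, n: int, plain: bytes) -> None:
        self.sectors_written += 1
        self.disk[n] = self._crypt(n, plain)     # whole sector is re-encrypted

    def read(self, offset: int, length: int) -> bytes:
        first, last = offset // SECTOR, (offset + length - 1) // SECTOR
        plain = b"".join(self._load(n) for n in range(first, last + 1))
        start = offset - first * SECTOR
        return plain[start:start + length]

    def write(self, offset: int, data: bytes) -> int:
        """Read-modify-write; returns the number of sectors rewritten."""
        first, last = offset // SECTOR, (offset + len(data) - 1) // SECTOR
        buf = bytearray(b"".join(self._load(n) for n in range(first, last + 1)))
        start = offset - first * SECTOR
        buf[start:start + len(data)] = data
        for i, n in enumerate(range(first, last + 1)):
            self._store(n, bytes(buf[i * SECTOR:(i + 1) * SECTOR]))
        return last - first + 1

    def raw(self) -> bytes:
        """What someone imaging the drive without the key would see."""
        return b"".join(self.disk)


def write_cost(offset: int, data: bytes, n_sectors: int = 8) -> dict:
    """Apply one edit to a fresh device and report what it cost."""
    dev = EncryptedBlockDevice(b"constructed passphrase", n_sectors)
    touched = dev.write(offset, data)
    return {
        "sectors_rewritten": touched,
        "bytes_written": touched * SECTOR,
        "amplification": touched * SECTOR / len(data),
        "plaintext_on_disk": data in dev.raw(),
        "round_trip_ok": dev.read(offset, len(data)) == data,
    }


if __name__ == "__main__":
    # A 10-byte edit that straddles the boundary between sectors 0 and 1.
    print(write_cost(507, b"0123456789"))
    # A 16-byte edit that fits inside one sector.
    print(write_cost(100, b"A" * 16))
```

The first call shows the case the paragraph singles out: ten changed bytes that happen to cross a sector boundary cause two full sectors to be decrypted, patched, re-encrypted and written back.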

    By its very nature, filesystem-level encryption yields flexibility where the full-disk alternative does not. As noted above, full-disk encryption is all or nothing. It encrypts your whole system, the core files and all user data. That means that non-sensitive data that you want to load faster (e.g. video or audio media for editing) gets hit with the read-write slowdown.

    Full-disk encryption also isn’t ideal for multi-user systems, such as a shared household device. Anyone who wants to use the device has to know the full-disk decryption passphrase, or the device can’t even boot into the OS. And unlocking the device for any one user unlocks the data for all users. That also means you can’t enable features like unprivileged “guest” accounts that can use the OS with access to user files blocked.

    Finally, file-based encryption is more reasonable for what most people need. I’ve said it myself that security involves inconvenience, and this is true. But when designing a set of security practices, taking on more inconvenience than necessary to mitigate the risk of attack doesn’t help. In fact, it only hurts: if a user’s security procedures are too onerous, that user will eventually cut corners.

    Simply put, full-disk encryption is overkill for the use case you most likely have. The two encryption configurations we’ve been juxtaposing protect you in different ways. The main difference in the degree of security between them is that file-based encryption only protects your user document and media files. By contrast, full-disk encryption encrypts those plus core OS files.

    Some Potential Downsides

    As you might easily guess, there are drawbacks to not encrypting everything the way full-disk encryption does. In theory, an attacker with physical access to your device employing file-based encryption could alter the unencrypted OS data. From there, the attacker either boots your machine to run the code they just put there, or they wait until you boot your machine so that their malicious code does something to snag your data.

    That sounds bad, and it is, but it also probably won’t happen to you. Really, most or none of your adversaries will even attempt it. They are either so primitive that filesystem-level encryption is enough to thwart them, or so sophisticated (i.e. powerful) that they have more efficient methods for obtaining your data.

    For the overwhelming majority of users, the problem that data-at-rest encryption solves is keeping thieves who physically steal your device from getting your data. That’s why smart thieves don’t count on getting your data, and instead resort to fencing the device for money. File-based encryption and full-disk encryption both work equally well in this scenario.

    Conversely, if your adversary is a government authority (e.g. law enforcement), neither file-based encryption nor full-disk encryption will save you. Depending on the jurisdiction, they can legally order you to unlock your device. Almost everywhere else, governments can issue orders to services that store your data in their cloud to just hand over what they want — and under repressive regimes, let’s just say they have more direct and painful ways of getting you to comply.

    Let’s say, for the sake of argument, you are staring down a government actor, and all the aforementioned techniques haven’t worked. Full-disk encryption would only work if the government did not have a more sophisticated way of attacking your system. This is not an issue for most of the world’s powerful governments, as they are advanced enough that they can brute force or sidestep the encryption in some way.

    So, there aren’t that many cases where full-disk encryption will really save you: when your enemy is a government and you can withstand physical torture, but the government isn’t capable of the really cool action movie hacking that basically every G20 nation can do.

    That’s not to say that, depending on your adversary, there is nothing to be gained from making things difficult for your attacker — making your attacker’s life as hard as possible is a time-honored security strategy — but just realize that that’s all full-disk encryption can guarantee you. But, again, that’s not what almost any of you are looking at.

    Practical Encryption, Impractical Implementation

    Those of you who are convinced and want your read-write performance and SSD longevity back are probably wondering where you can get your hands on this sweet file-level crypto. Well, that’s where things get complicated. You see, it’s hard to set it up in practice.

    The main reason for this is that major consumer OSes are already full-disk encrypted. Apple and Google have configured their mobile devices for full-disk encryption, and deny users the ability to disable it. Apple and Microsoft also enable full-disk encryption by default, but both offer ways of disabling it for the intrepid.

    For Linux-based desktop OSes (my personal preference), installing your system with filesystem-level encryption used to be as easy as checking a box, but this is quickly going the way of the dodo. Ubuntu recently deprecated this installation option in their graphical installer, leaving Linux Mint as the only distribution I know of which still offers it. Even DIY distros like Arch Linux discourage you from trying to configure file-level crypto. Instead, they steer you toward block encryption, for which documentation is much more thorough.

    If you are willing to go to the required lengths to turn off your full-disk encryption, there are some options available to you. One of the more robust options is VeraCrypt. Born of the desire to don the defunct TrueCrypt’s mantle, VeraCrypt is a graphical tool for creating encrypted directory structures on top of an existing filesystem. It boasts options for read-write speeds on par with unencrypted filesystems, and even super-spy features like deniable encryption, where your encrypted data will just look like normal unused space on your drive. An exploration of even basic VeraCrypt capabilities would be beyond the scope of this already lengthy piece, but perhaps it has the makings of a future article.

    So why did I take all this time to tell you about something that is not the most (though certainly not the least) accessible? Fundamentally, it’s important to know what’s possible so you can make the most informed choices, to create the computing experience that is most responsive to your needs. Computers are infinitely customizable, so there is no reason a user should be denied the setup that is best for them — not knowing your options is the worst such reason.

    Appreciating what’s possible is about more than living your best digital life, but about providing the support, even if it’s just usership, to the developers making it possible. If this sounds like something that could make your life better, I say to you, go forth and tinker!



    Jonathan Terrasi has been an ECT News Network columnist since 2017. His main interests are computer security (particularly with the Linux desktop), encryption, and analysis of politics and current affairs. He is a full-time freelance writer and musician. His background includes providing technical commentaries and analyses in articles published by the Chicago Committee to Defend the Bill of Rights.

  • Google’s new transatlantic data cable to land in Cornwall

    One end of Google’s “Curie” cable, finished last year – a similar project will land in Cornwall in 2022

    Google has announced plans to build a new undersea network cable connecting the US, UK and Spain.

    The tech giant says it is incorporating new technology into the cable, which it claims is a significant upgrade to older existing lines.

    The project is expected to be completed by 2022.

    Underwater data cables are vital to global communications infrastructure, carrying some 98% of the world’s data, according to Google’s estimate.

    The cables are usually built by communications firms – typically a group of them pooling resources – which then charge other companies to use them.

    The latest cable, named “Grace Hopper” after an American computer scientist and naval rear admiral, will hit the UK at Bude, in Cornwall. It is Google’s fourth privately owned undersea cable.

    But Google needs “an ever-increasing amount of transatlantic bandwidth”, according to John Delaney from telecoms analyst IDC.

    “Building its own cables helps them choose cable routes that are most optimal,” and near data centres, he said.

    “It also minimises operational expenditure by reducing the need to pay telcos and other third-party cable owners for the use of their infrastructure.”

    Jayne Stowell, who oversees construction of Google’s undersea cable projects, told the BBC it needed an internet connection that could be relied upon.

    “It’s not enough to have a single cable because any element in the network can break from time to time, and if it’s 8,000 metres under the sea, it takes a while to repair,” she said.

    Under the sea

    The first ever transatlantic telecommunications cable was built in 1858, connecting Britain and the US by telegraph.

    Around 750,000 miles of cable already run between continents to support the demand for communication and entertainment – enough to run around the world almost 17 times.

    Cables are required to withstand major hazards, including earthquakes and heavy currents, and have a lifespan of around 25 years.

    But Ms Stowell says some of the transatlantic cables are “going out of service and we need newer, better and more sophisticated technology”.

    “It served its need and purpose at the time, but it’s old generation,” she said.

    Google has yet to build a cable that lands in mainland China, where its services are restricted by the state, and Ms Stowell said there are no plans to build one in the foreseeable future.

    “We understand, being an American company, and understand the legalities of what we must abide by,” she said. But she pointed out that the Asia market was bigger than China.

    She also addressed growing fears that the world could soon see two internets: one controlled by the West and the other by China.

    “The world wide web is dependent upon interconnected networks. One would hope networks would be regarded as neutral and continue to interconnect.”

    Wave of demand

    Internet usage has skyrocketed around the world since Covid-19 restrictions were introduced. In April, Ofcom revealed that a record number of UK adults spent a quarter of their waking day online during lockdown.

    As demand for high-speed internet increases around the world, companies are continuing to look for ways to reach more consumers.

    And Google is not alone in pursuing ownership of vital data infrastructure.

    Microsoft and Facebook, for example, are joint-owners with telecoms company Telxius of the Marea cable, which runs from the US to Spain.

    In May, Facebook announced another project to build a 37,000km (23,000-mile) undersea cable to supply faster internet to 16 countries in Africa.

    Ready for use by 2024, it will deliver three times the capacity of all current undersea cables serving the continent.

    Africa lags behind the rest of the world in terms of internet access, with only four in 10 people having access to the web.

    However, with a population of 1.3 billion, it has become a key emerging market for many businesses.

  • How a Chinese agent used LinkedIn to hunt for targets

    [Image: Dickson Yeo. Image copyright: Dickson Yeo/Facebook]

    Jun Wei Yeo, an ambitious and freshly enrolled Singaporean PhD student, was no doubt delighted when he was invited to give a presentation to Chinese academics in Beijing in 2015.

    His doctorate research was about Chinese foreign policy and he was about to discover firsthand how the rising superpower seeks to attain influence.

    After his presentation, Jun Wei, also known as Dickson, was, according to US court documents, approached by several people who said they worked for Chinese think tanks. They said they wanted to pay him to provide “political reports and information”. They would later specify exactly what they wanted: “scuttlebutt” – rumours and insider knowledge.

    He soon realised they were Chinese intelligence agents but remained in contact with them, a sworn statement says. He was first asked to focus on countries in South East Asia but later, their interest turned to the US government.

    That was how Dickson Yeo set off on a path to becoming a Chinese agent – one who would end up using the professional networking website LinkedIn, a fake consulting company and cover as a curious academic to lure in American targets.

    Five years later, on Friday, amid deep tensions between the US and China and a determined crackdown from Washington on Beijing’s spies, Yeo pleaded guilty in a US court to being an “illegal agent of a foreign power”. The 39-year-old faces up to 10 years in prison.

    Alumni at Singapore’s Lee Kuan Yew School of Public Policy (LKYSPP), which trains some of Asia’s top civil servants and government officials, were left shocked by the news that their former peer had confessed to being a Chinese agent.

    “He was a very active student in class. I always viewed him as a very intelligent person,” said one former postgraduate student who did not wish to be named.

    She said he often talked about social inequality – and that his family struggled financially when he was a child. She said she found it difficult to reconcile the person she knew with his guilty plea.

    A former member of staff at the institution painted a different picture, saying Yeo seemed to have “an inflated sense of his own importance”.

    Yeo’s PhD supervisor had been Huang Jing, a high-profile Chinese-American professor who was expelled from Singapore in 2017 for being an “agent of influence of a foreign country” that was not identified.

    Huang Jing always denied those allegations. After leaving Singapore, he first worked in Washington DC, and now Beijing.

    According to the court documents released with Yeo’s guilty plea, the student met his Chinese handlers on dozens of occasions in different locations in China.

    During one meeting he was asked to specifically obtain information about the US Department of Commerce, artificial intelligence and the Sino-US trade war.

    Bilahari Kausikan, the former permanent secretary at Singapore’s foreign ministry, said he had “no doubt that Dickson knew he was working for the Chinese intelligence services”.

    He was not, he said, “an unwitting useful fool”.

    Yeo made his crucial contacts using LinkedIn, the job and careers networking site used by more than 700 million people. The platform was described only as a “professional networking website” in the court documents, but its use was confirmed to the Washington Post.

    Former government and military employees and contractors are not shy about publicly posting details of their work histories on the website in order to obtain lucrative jobs in the private sector.

    [Image: A screenshot of Dickson Yeo’s now-deleted LinkedIn profile]

    This presents a potential goldmine to foreign intelligence agencies. In 2018, US counter-intelligence chief William Evanina warned of “super aggressive” action by Beijing on the Microsoft-owned platform, which is one of few Western social media sites not blocked in China.

    Kevin Mallory, a former CIA officer jailed for 20 years last May for disclosing military secrets to a Chinese agent, was first targeted on LinkedIn.

    In 2017, Germany’s intelligence agency said Chinese agents had used LinkedIn to target at least 10,000 Germans. LinkedIn has not responded to a request for comment for this story but has previously said it takes a range of measures to stop nefarious activity.

    Some of the targets that Yeo found by trawling through LinkedIn were commissioned to write reports for his “consultancy”, which had the same name as an already prominent firm. These were then sent to his Chinese contacts.

    One of the individuals he contacted worked on the US Air Force’s F-35 fighter jet programme and admitted he had money problems. Another was a US army officer assigned to the Pentagon, who was paid at least $2,000 (£1,500) to write a report on how the withdrawal of US forces from Afghanistan would impact China.

    In finding such contacts, Yeo, who was based in Washington DC for part of 2019, was aided by an invisible ally – the LinkedIn algorithm. Each time Yeo looked at someone’s profile it would suggest a new slate of contacts with similar experience that he might be interested in. Yeo described it as “relentless”.

    According to the court documents, his handlers advised him to ask targets if they “were dissatisfied with work” or “were having financial troubles”.

    William Nguyen, an American former student at the Lee Kuan Yew school who was arrested at a protest in Vietnam in 2018 and later deported, said in a Facebook post on Saturday that Yeo had tried to contact him “multiple times” after he was released from prison and his case made headlines around the world.

    In 2018, Yeo also posted fake online job ads for his consulting company. He told investigators he received more than 400 CVs with 90% of them coming from “US military and government personnel with security clearances”. Some were passed to his Chinese handlers.

    The use of LinkedIn is brazen, but not surprising, said Matthew Brazil, the co-author of Chinese Communist Espionage: An Intelligence Primer.

    “I think lots of worldwide intelligence agencies probably use it to seek out sources of information,” he said. “Because it’s in everybody’s interest who is on LinkedIn to put their whole career on there for everybody to see – it’s an unusually valuable tool in that regard.”

    He said that commissioning consultant reports is a way for agents to get “a hook” into a potentially valuable source who might later be convinced to supply classified information.

    “It’s a modern version of classic tradecraft, really.”

    US Assistant Attorney General for National Security John Demers said the case was an example of how China exploits “the openness of American society” and uses “non-Chinese nationals to target Americans who never leave the United States”.

    Singapore, a multicultural society of 5.8 million where ethnic Chinese make up the majority of the population, has long enjoyed close links with the United States, which uses its air and naval bases. But it has also sought and maintained positive relations with China.

    Mr Kausikan said that he did not believe the spying case – the first known to involve a Singaporean – would hurt the country’s reputation with the American government but he feared that Singaporeans could face greater suspicion in American society.

    On Sunday, Singapore’s Ministry of Home Affairs said investigations had not revealed any direct threat to the country’s security stemming from the case.

    LKYSPP’s dean, Danny Quah, wrote in an email to faculty and students quoted by the Straits Times newspaper that “no faculty or other students at our school are known to be involved” with the Yeo case.

    A spokesperson at the school told the BBC that Yeo had been granted a leave of absence from his PhD in 2019 and his candidature had now been terminated.

    Dickson Yeo does not appear to have got as far with his contacts as his handlers would have liked. But in November 2019, he travelled to the US with instructions to turn the army officer into a “permanent conduit of information”, his signed statement says.

    He was arrested before he could ask.

  • Could a headset train your brain to relax?

    [Image: Michael Dempsey wearing headset, Dr Jamil El-Imad at computer. Caption: Dr Jamil El-Imad (right) worked in the computer industry before moving into neuroscience. Image copyright: Neuropro]

    A trip on London’s underground is rarely a relaxing experience, but the Covid-19 pandemic has added an extra level of anxiety for many.

    I’m off to try out a new technology that promises to train my brain to relax. Sitting far apart from other passengers in the carriage while wearing a hot surgical mask, I’m hoping it works.

    I’m meeting Dr Jamil El-Imad who enjoyed a successful career in the computer industry before, in his words, “getting sucked into neuroscience”. The Lebanese-born IT expert knew all about computer languages and was intrigued by the similarities between data and the way the brain processes information.

    Recognising the potential of virtual reality devices, he worked on how to use cloud computing techniques to capture and analyse brain signals and create a machine to replicate the meditation experience.

    Neuroplasticity, the adaptability of the brain, is the science here. Neurons, the circuits of the brain, become stronger the more they are exercised. They are changeable. And they are individual.

    Neurons gripped Dr El-Imad. He sees our neurons as “a forest where every tree is different”. This means that each person needs their own approach to gaining mental resilience.

    [Image: Neural pathways can be reinforced with training. Image copyright: Getty Images]

    His innovation was to integrate the technology of the electroencephalogram (EEG), which monitors electrical activity in the brain, with a virtual reality headset.

    The combination means that the response of the subject’s brain to images can be measured.

    The biofeedback can be analysed instantly using the affordable computer power offered by cloud computing, industrial levels of data processing rented over the internet.

    Murali Doraiswamy, professor of psychiatry and behavioural sciences at Duke University School of Medicine in North Carolina in the US and a former adviser to Dr El-Imad’s company NeuroPro, says that meditation and the whole realm of mindfulness are proven treatments for some conditions.

    “There are many types of mindfulness and it’s not a panacea. But in the last 30 years mindfulness has gone from fringe science to the mainstream. It can be as effective as medication in preventing a recurrence of depression. It won’t be for everyone, but it can change our outlook.”

    [Image: The headset is designed to train the user’s attention. Image copyright: NeuroPro]

    The first contact I get with this system is when the EEG headset is slipped over my forehead. It’s a semi-circular band containing sensors that transmit wireless signals revealing just what is going on in my brain.

    The EEG headset takes feeds from my level of attention and will register when my mind veers off course. Over multiple sessions this should help subjects to master their own mind and gain more control over their thoughts, which is a definition of mindfulness.

    The VR headset is not a bulky helmet. In fact there’s no sense of the weight due to a springy coil that holds it and takes the weight off your head. Without that weight there’s no sense of enclosure either.

    Hearing ethereal pipe music, I see an island floating in space. Waves lap on a beach and beyond giant Easter Island statues are planted among the rocks and palm trees. White feathers float on the breeze. I am told they symbolise freedom and my breathing keeps them floating.

    [Image: The first image is a tropical island. Image copyright: NeuroPro]

    I move on to the beach and find myself on the sand looking towards the statues planted to my right. But a white fog appears in front of me, which ebbs and flows as I try to focus on the faces of the statues.

    That sea mist keeps returning to block my view because I’m losing my focus on the moment, and hence am not sufficiently relaxed.

    Focusing on the moment takes some effort. I’m hindered by a journalist’s instinct to note events. Dr El-Imad tells me that our minds wander for 50% of our waking hours so excluding other thoughts is a challenge we all face.

    I capture the statues in sharp definition from time to time and emerge shocked that I was in the machine for five minutes. It felt like two or three as I narrowed my thoughts on the scene in front of me.

    [Image: If the user’s mind wanders a mist obscures the statues. Image copyright: NeuroPro]

    Beside this set-up, a laptop screen reflects the signals the EEG captured leaking out of my brain. It shows areas of my consciousness lighting up. This data is saved for analytic purposes. Anonymised and encrypted, it can be sent on to neuroscience researchers.

    I’m given a score that defines my level of concentration and provides a target for improvement. Dr El-Imad thinks my neurons have behaved pretty well for a first outing, rating 30% concentration.

    The sense of escape that comes with sliding into a floating island vision did dilute the anxiety spurred by my tube journey. And the hovering Easter Island stage set is just one virtual location option among promised relaxing spots.

    Rolling out the Dream Machine to the public should not be expensive. NeuroPro uses off-the-shelf technology, with VR and EEG hardware costing no more than £1,000 in total.

    Possible sites for this service include gyms and fitness centres. Alternatively, it could be installed in chill-out rooms in corporate offices, relieving employees of anxiety and allowing the company to retain good talent.

    [Image: Alastair Campbell has lectured businesses on the significance of mindfulness. Image copyright: Getty Images]

    This is where Alastair Campbell, former Labour Party communications chief and mental health campaigner, thinks the technology might have a real impact.

    Mr Campbell has lectured businesses on the significance of mindfulness and says the corporate world’s view of mental health has changed a lot.

    “We’ve underplayed the importance of how employees use their brains. I’ve definitely seen a change. In the City banks now realise that it’s not smart if they invest a lot in someone who then burns out.”

    In a service economy protecting employee brainpower through mental health initiatives makes sense, says Mr Campbell.

    He’s reserving judgement on the Dream Machine itself. “I’m always interested in anything that gets people talking about mental health. You can’t spend your life walking around with a Dream Machine on your head but you can train your mind to work differently.”

    The Dream Machine emerged from the mind of a technologist. But Dr El-Imad concedes that a smartphone society is bad for our brains. “We live in an attention-seeking economy, one that distracts us and puts pressure on us. We are not a multi-tasking species!”

    So it could be our neurons need the Dream Machine to help us dodge the world technology has built. Mr Campbell agrees. “I have to keep reminding myself of the pointlessness of Twitter, of going through your phone all the time.”

  • Wiley: Priti Patel probes Twitter and Instagram delay in removing ‘appalling’ posts

    [Image: Wiley. Image copyright: Ian West/PA Wire]

    The home secretary has demanded a “full explanation” from Twitter and Instagram on why anti-Semitic posts by rapper Wiley were not removed more quickly.

    Police are investigating a series of posts on the grime artist’s social media accounts. He has been temporarily banned from both Twitter and Instagram.

    Priti Patel said the posts were anti-Semitic and “abhorrent”.

    “Social media companies must act much faster to remove such appalling hatred from their platforms,” she said.

    Wiley, 41, known as the “godfather of grime”, shared conspiracy theories and insulted Jewish people on his Instagram and Twitter accounts, which together have more than 940,000 followers.

    Twitter removed some of Wiley’s tweets with a note saying they violated its rules – but other tweets were still visible 12 hours after being posted. It later said Wiley’s account had been locked for seven days.

    Facebook – which owns Instagram – said on Sunday that the platform had also blocked the rapper from his account for seven days, and that there was “no place for hate speech on Instagram”.

    But Mayor of London Sadiq Khan said the steps taken by Twitter and Instagram were not enough.

    In a letter to bosses of the two social media firms, he said that when the material was published on their platforms, “the response – its removal and the banning of those responsible – should be immediate.

    “It takes minutes for content shared on your platform to reach an audience of millions. When someone influential shares hate speech, in that time it may have an impact on the views of many who look up to them.”

    Mr Khan said it was “particularly disheartening” when social media had played a “positive role in amplifying the vital voices” of the Black Lives Matter movement recently.

    Wiley’s series of posts began on Friday night and his manager John Woolf’s initial response was that, having known the artist for 12 years, “he does not truly feel this way”.

    But on Saturday, Mr Woolf said he had “cut all ties” with the London-born rapper and that there was “no place in society for anti-Semitism”.

    Wiley first entered the UK singles charts with Wearing My Rolex in 2008. His subsequent hits include Heatwave in 2012 and Boasty in 2019, a collaboration with rappers Stefflon Don and Sean Paul and actor Idris Elba.

  • Heathrow Airport brings in robots to fight coronavirus

    Disinfection robots have been installed at Heathrow Airport as part of measures to help keep passengers and staff safe from the coronavirus.

    Previously used to tackle hospital-acquired infections, the machines move through the airport terminals disinfecting high-risk touch points like bathrooms and lifts.

    The robots use ultraviolet (UV-C) light to kill viruses and stop them replicating.

    The airport has also brought in other features, including anti-viral wraps on escalators and trolleys, and passenger temperature checks.

    BBC Click’s Lara Lewington reports.


  • Garmin begins recovery from ransomware attack

    [Image: Garmin’s tech powers all kinds of fitness trackers. Image copyright: Getty Images]

    The American GPS and fitness-tracker company Garmin is dealing with the aftermath of a ransomware attack, the BBC has confirmed.

    Owners of its products had been unable to use its services since Thursday.

    However, some of its online tools are now being provided in a “limited” state, according to its online dashboard.

    It is not known if the firm paid the blackmailers, but a source said it was in the “final stage of recovery”.

    The BBC’s cyber reporter Joe Tidy said the malware involved was WastedLocker – a program that scrambles the target’s data and was first detected in the wild around April. Victims are typically contacted after their computers are infected, and told they must transfer funds if they want to return the files to their original state.

    Some customers have reported that Garmin’s services appear to be “partially” working again.

    Earlier reports claimed that the company had been asked to pay $10m (£7.79m) to get its systems back online.

    Garmin has yet to comment.

    Some users reported on Twitter on Monday morning that their health and fitness data was now visible on Garmin’s mobile app.

    However, numerous other functions appeared to still be offline.

    Pilots who use flyGarmin were unable to download up-to-date aviation databases, which aviation regulators such as the FAA require pilots to have before they can fly.

    Customers were also unable to log into Garmin Connect to record and analyse their health and fitness data.

    In an email to its users on Sunday, Garmin said it would no longer be responding to user queries about delayed uploads to its servers because “most of the issues will resolve themselves”.

    Users were warned that there may be a delay of a “week or longer” for updated health and fitness data to appear on their accounts, due to a backlog.

    The company also insisted there was “no indication” that user data had been stolen or removed.