A shapeshifting robotic microswarm may one day act as a toothbrush, rinse, and dental floss in one.

The technology, developed by a multidisciplinary team at the University of Pennsylvania, is poised to offer a new and automated way to perform the mundane but critical daily tasks of brushing and flossing. It’s a system that could be particularly valuable for those who lack the manual dexterity to clean their teeth effectively themselves.

The building blocks of these microrobots are iron oxide nanoparticles that have both catalytic and magnetic activity. Using a magnetic field, researchers could direct their motion and configuration to form either bristlelike structures that sweep away dental plaque from the broad surfaces of teeth, or elongated strings that can slip between teeth like a length of floss. In both instances, a catalytic reaction drives the nanoparticles to produce antimicrobials that kill harmful oral bacteria on site.

Experiments using this system on mock and real human teeth showed that the robotic assemblies can conform to a variety of shapes to nearly eliminate the sticky biofilms that lead to cavities and gum disease. The Penn team shared their findings establishing a proof-of-concept for the robotic system in the journal ACS Nano.

“Routine oral care is cumbersome and can pose challenges for many people, especially those who have hard time cleaning their teeth” says Hyun (Michel) Koo, a professor in the Department of Orthodontics and divisions of Community Oral Health and Pediatric Dentistry in Penn’s School of Dental Medicine and co-corresponding author on the study. “You have to brush your teeth, then floss your teeth, then rinse your mouth; it’s a manual, multistep process. The big innovation here is that the robotics system can do all three in a single, hands-free, automated way.”

“Nanoparticles can be shaped and controlled with magnetic fields in surprising ways,” says Edward Steager, a senior research investigator in Penn’s School of Engineering and Applied Science and co-corresponding author. “We form bristles that can extend, sweep, and even transfer back and forth across a space, much like flossing. The way it works is similar to how a robotic arm might reach out and clean a surface. The system can be programmed to do the nanoparticle assembly and motion control automatically.”

Disrupting oral care technology

“The design of the toothbrush has remained relatively unchanged for millennia,” says Koo.

While adding electric motors elevated the basic “bristle-on-a-stick” format, the fundamental concept has remained the same. “It’s a technology that has not been disrupted in decades.”

Several years ago, Penn researchers within the Center for Innovation & Precision Dentistry (CiPD), of which Koo is a co-director, took steps toward a major disruption, using this microrobotics system.

Their innovation arose from a bit of serendipity. Research groups in both Penn Dental Medicine and Penn Engineering were interested in iron oxide nanoparticles but for very different reasons. Koo’s group was intrigued by the catalytic activity of the nanoparticles. They can activate hydrogen peroxide to release free radicals that can kill tooth decay-causing bacteria and degrade dental plaque biofilms. Meanwhile Steager and engineering colleagues, including Dean Vijay Kumar and Professor Kathleen Stebe, co-director of CiPD, were exploring these nanoparticles as building blocks of magnetically controlled microrobots.

With support from Penn Health Tech and the National Institutes of Health’s National Institute of Dental and Craniofacial Research, the Penn collaborators married the two applications in the current work, constructing a platform to electromagnetically control the microrobots, enabling them to adopt different configurations and release antimicrobials on site to effectively treat and clean teeth.

“It doesn’t matter if you have straight teeth or misaligned teeth, it will adapt to different surfaces,” says Koo. “The system can adjust to all the nooks and crannies in the oral cavity.”

The researchers optimized the motions of the microrobots on a small slab of toothlike material. Next, they tested the microrobots’ performance adjusting to the complex topography of the tooth surface, interdental surfaces, and the gumline, using 3D-printed tooth models based on scans of human teeth from the dental clinic. Finally, they trialed the microrobots on real human teeth that were mounted in such a way as to mimic the position of teeth in the oral cavity.

On these various surfaces, the researchers found that the microrobotics system could effectively eliminate biofilms, clearing them of all detectable pathogens. The iron oxide nanoparticles have been FDA approved for other uses, and tests of the bristle formations on an animal model showed that they did not harm the gum tissue.

Indeed, the system is fully programmable; the team’s roboticists and engineers used variations in the magnetic field to precisely tune the motions of the microrobots as well as control bristle stiffness and length. The researchers found that the tips of the bristles could be made firm enough to remove biofilms but soft enough to avoid damage to the gums.

The customizable nature of the system, the researchers say, could make it gentle enough for clinical use, but also personalized, able to adapt to the unique topographies of a patient’s oral cavity.

To advance this innovation to the clinic, the Penn team is continuing to optimize the robots’ motions and considering different means of delivering the microrobots through mouth-fitting devices.

They’re eager to see their device help people in the clinic.

“We have this technology that’s as or more effective as brushing and flossing your teeth but doesn’t require manual dexterity,” says Koo. “We’d love to see this helping the geriatric population and people with disabilities. We believe it will disrupt current modalities and majorly advance oral health care.”

Hyun (Michel) Koo is a professor in the Department of Orthodontics and divisions of Community Oral Health and Pediatric Dentistry in the School of Dental Medicine and co-director of the Center for Innovation & Precision Dentistry at the University of Pennsylvania.

Edward Steager is a senior research investigator in Penn’s School of Engineering and Applied Science.

Koo and Steager’s coauthors on the paper are Penn Dental Medicine’s Min Jun Oh, Alaa Babeer, Yuan Liu, and Zhi Ren and Penn Engineering’s Jingyu Wu, David A. Issadore, Kathleen J. Stebe, and Daeyeon Lee.

This work was supported in part by the National Institute for Dental and Craniofacial Research (grants DE025848 and DE029985), Procter & Gamble, and the Postdoctoral Research Program of Sungkyunkwan University.

Adblock test (Why?)

Nzambi Matee, a 30-year-old who quit her job in oil and gas to work on her passion full-time, has created a lightweight and low-cost building material that is made of recycled plastic with sand to make bricks that are stronger than concrete material.

Every day her enterprise, Gjenge Makers, churns out 1,500 bricks made from industrial and household plastic that otherwise would be dumped in the city’s overflowing garbage heaps.

In 2021, the team recycled 50 tonnes of plastic but Matee has ambitions to double that amount this year as production expands.

“In Nairobi, we generate about 500 metric tonnes of plastic waste every single day, and only a fraction of that is recycled,” said Matee, who bounds with the energy around the factory floor in denim overalls and trainers.

“And that made me think — what happens to this plastic,” she told thenews.

According to the young entrepreneur, plastic has an “enormous” potential to work with it, but it is “misused and misunderstood.”

Matee was named a Young Champion of the Earth 2020 Africa winner at the United Nations Environment Programme (UNEP) with her initiative.

Research conducted by UNEP found that, globally, people purchase 1 million plastic drinking bottles every minute while up to 5 trillion single-use plastic bags are used annually.

“Through trial and error, she and her team learned that some plastics bind together better than others. Her project was given a boost when Matee won a scholarship to attend a social entrepreneurship training program in the United States of America.

“With her paver samples packed in her luggage, she used the material labs in the University of Colorado Boulder to further test and refine the ratios of sand to plastic,” explained on UNEP’s website.

The award “provides seed funding and mentorship to promising environmentalists as they tackle the world’s most pressing challenges.”

Adblock test (Why?)

WSAZ, a local news affiliate in West Virginia, got a tip that might make legalizing raw milk just a little bit harder. Last week, West Virginia governor Earl Ray Tomblin signed into law a bill that makes it legal to drink (but not sell) raw milk throughout the state, despite pressures from the dairy industry and from the FDA, which actually testified that raw milk is unsafe. However, the law doesn’t go into effect for 30 days.

According to the tipster, who remains anonymous, state representative Scott Cadle (Republican of West Virginia’s 13th district) brought in some raw milk to celebrate the legalization. Cadle, says the tipster, handed out samples to various other representatives. And now, verifies WSAZ, several West Virginia lawmakers are severely sick to their stomachs.

Pat McGeehan (Republican of West Virginia’s first district), one of the afflicted, says that while he did drink the raw milk, that a stomach bug is going around and that he does not believe his illness to be related to the milk.

Although there isn’t proof – and we all know that correlation doesn’t equal causation – there’s certainly the possibility that the raw milk consumption and the illnesses are related. Raw milk is not pasteurized, or heated up to a temperature of 140 degrees F for 20 minutes, a process that kills off bacteria that can cause foodborne illness, including Salmonella, listeria, and E. coli. The Center for Disease Control says that thousands of illnesses, and two deaths, can be linked conclusively to consumption of raw dairy products in the period between 1998 and 2011. The Cornell University food science department, one of the premier such institutions in the world, puts it simply: “We recommend pasteurization of milk intended for consumption by humans.”

There are substantial efforts to allow the sale and consumption of raw milk, partly from entities who claim that the pasteurization process is unnecessary thanks to modern sanitary requirements, that the process kills beneficial bacteria and vitamins, and that raw milk can have effects ranging from healthier gut flora to decreased risk of cancer. The West Virginia lawmakers involved here are a slightly different breed; they mostly push for legal raw milk out of a libertarian instinct that citizens should be able to decide what they eat and drink.

“There definitely shouldn’t be a law against allowing people to do what they want within the framework of the rule of law,” McGeehan told WSAZ. “Just be careful.” It’s unclear how careful McGeehan was when he drank a cup of raw milk handed to him by a co-worker.

Adblock test (Why?)

Opinion The British government's PR campaign to destroy popular support for end-to-end encryption on messaging platforms has kicked off, under the handle "No Place To Hide", and it's as broad as any previous attack on the safety-guaranteeing technology.

Reported by us well in advance last year, the £500k campaign aims to destroy public support for end-to-end encryption (E2EE) as part of a wider strategy.

That intends to make it easy for police workers and other public-sector snoopers to read the public's online conversations without having to get prior permission or defeat privacy protections.

Judging by videos earnestly distributed by organisations supporting it, the No Place To Hide campaign (being run by ad agency M&C Saatchi) is much wider than merely targeting Facebook Messenger as was previously thought.

Do you know what end-to-end encryption means?

It could mean social media platforms no longer being able to detect cases of child sexual abuse and no longer being able to report it to the police.

Retweet to raise awareness of the dangers of end-to-end encryption.#NoPlaceToHide pic.twitter.com/Hs6itgRiJO

— Barnardo’s (@barnardos) January 18, 2022

Here the video's contents reflect the police view of E2EE as a digital smokescreen that prevents them from trawling through conversations at random and seizing on anything they don't like the look of. The message is clear: privacy is for paedophiles.

Inevitably, smart people have fought back – with one buying up an unclaimed domain name similar to the official No Place To Hide site and pointing those at informative material explaining the benefits of E2EE. Thus noplacetohide.uk goes to ex-Facebook chap Alec Muffett's blog post titled "There are more and better ways to help kids, without destroying the future of internet privacy". We note that other similar domains appear to be unowned at the time of writing.

Otherwise, the campaign is off to a slow and unnoticeable start. This may be deliberate, so its opponents tire themselves out before it ramps up, but as an exercise in spending £500k in public money for minimal effect it's doing spiffingly so far.

E2EE is a force for good

Lest anyone reading this gets the idea that the UK government has a point about E2EE protecting paedophiles, the technology does far more than that and the government is deliberately omitting this information.

Your mobile banking app uses E2EE; online chats with HMRC are protected through E2EE; you'd no more have an unsecured web chat with the taxman's helpdesk than read out your P60 in the middle of a shopping centre.

Your family WhatsApp group is protected through E2EE, too, which prevents nefarious people from trawling it for information they can use to target and harm you and your loved ones. Yet the British government wants such protections taken away, mainly because it means police then have to do less work.

Do all these online protections help paedophiles? As an unwanted by-product of all the good E2EE does, yes. As an imperfect analogy, road accidents kill thousands of people by accident every year. Yet nobody argues that roads should be closed to prevent those deaths.

Money spent publicly lobbying Facebook not to enable E2EE and demonising the tech itself is money better spent on public awareness campaigns about ways to report crimes, outreach to children, parental education on how to talk to (and supervise) children about using social media today – and who children should talk to if a strange adult suddenly tries to befriend them online.

Money spent with M&C Saatchi, famous for its long association with the Conservative Party as well as a long-running accounting scandal, certainly won't hurt any police or civil service careers under today's Conservative government – but that doesn't sweep aside the fact this money has been wasted chasing a pointless target.

Demonising technology that has long been adopted as routine in the enterprise IT world is a road to nowhere, and an increasingly tech and security-savvy population simply aren't going to buy into "think of the children" rhetoric for something that will make them less safe online. No matter how hard public-sector figures try to make this about child abusers. ®

Adblock test (Why?)

During the pandemic, grocery delivery services gained popularity. New players on the market offer delivery in under an hour. One of them is Gorillas, which not only delivers apples and granola bars in 10 minutes, but just as quickly delivered the data of all its customers.

How could this happen? Unfortunately, it was once again much too simple. But let’s start at the beginning:

Gorillas currently is the largest of these services in Germany. On large billbords they promise delivery times of under 10 minutes. Orders are picked in decentralized depots and delivered by riders on bicycles.

A few weeks ago, we already stumbled across a security vulnerability in the software of their competitor ‘flink’. Gorillas has experienced extreme growth in recent weeks and also raised another absurd 290 million US dollars in venture capital - a good reason for us to give their service a try.

For us it’s almost a routine step: with every new app we install we take a quick look at its data traffic with a mitmproxy. At first glance, we notice that Gorillas loads data from two different Google Cloud Storage buckets: eddress and gorillas-public. Buckets is simply a fancy name for folders in cloud storage services - here these are used to store and deliver product images and advertising banners to the app.

You don’t always want a list of all the files that are in a cloud bucket to be publicly available, for example when business data is involved. That’s why most cloud services disable the public listing of files by default. That way you can access the files - but only if you know the exact link.

Well, in this case, we were able to see a list of all the files, and thus access the individual files themselves. We had access to many, many photos of all the products Gorillas offers. Knowing the links to all product images would not necessarily be a problem, but unfortunately, it didn’t stop there:

In the gorillas cloud bucket, we also found photos of things we didn’t expect to see there: front doors and doorbell signs. Are these product images, too? Has the delivery service discovered another market niche and entered the hardware store business? Probably not: these files were definitely not intended for the public. Strictly speaking, not even for Gorillas.

The photographed front doors and doorbell plates come from drivers who seem to sometimes need to take such photos when delivering an order. Not only is this part missing in the privacy policy, but it’s also just creepy.

As we now find voice memos, invoices and database backups in the bucket eddress, it becomes clear that this cannot be intentional.

What the hell is eddress?

The name “eddress” appears in many places. Not only in the bucket name, but also in the app identifier, so it seems relevant.

After a brief investigation, it turns out: Eddress is a company based in Pakistan and Lebanon that offers white-label courier software - software that is purposefully kept neutral, which individual delivery services can then design to fit their own business. Eddress itself also operates a delivery service, much like Gorillas, called noknok in Lebanon.

The apps from noknok and Gorillas look almost identical. This suggests that Gorillas bought their software entirely from eddress. Also, it turns out that the CEO of eddress has now become the CTO of Gorillas. So the two companies are indeed closely intertwined.

Add another 200g of API keys?

After knowing that the Gorillas system was built by eddress, we wanted to learn more about this collaboration. Our search engine of choice didn’t find any articles on the subject, but it did take us to an admin portal for Gorillas/eddress: portal.gorillas.io.

Here we are greeted by a login screen to which we have no credentials. But a quick look into the browser tools shows: The JavaScript for the portal is loaded before the login. That allows us a look into the source code.

Looking at the code, these lines caught our eye:

Having had previous experience with GraphQL interfaces in the delivery service Flink, we immediately entered the URL into a GraphQL client of our choice.

GraphQL is a language for data queries. That means you can describe what information you would like to have from the server and in what format. For example, at Flink, we could tell the server, “Give us the last 10 orders, who placed them, and what was ordered.” The server on the other side should be configured not to handle all requests equally, but to only give out certain information to authorized users. With Flink, this was configured incorrectly - and with Gorillas?

To find out, we used a really cool function of GraphQL: Introspection. Introspection provides a method to find out what information can be retrieved and how. Most GraphQL clients automatically create documentation of the API from this:

The two queries for orders need credentials, that’s why we only get the following error message:

The tenantConfig however can be accessed without any restrictions. And the information delivered there is quite interesting: API keys and URLs for various services that are apparently used by the Gorillas/eddress infrastructure. Among them we found API keys for Sendgrid and Slack webhook URLs.

With the Slack URLs, we could post messages to specific Gorillas Slack channels: “No work today!”

Much more relevant, however, are the Sendgrid API keys. Sendgrid is a so-called transactional email provider. In recent years it has become increasingly difficult to send emails with your own infrastructure in a way where they end up in the receivers inbox and don’t immediately get caught by spam filters. So instead of taking care of sending e-mails themselves, more and more providers turn to services like Sendgrid, Mailjet or Amazon SES, which send out the e-mails for them.

So with the Sendgrid API key, we could send emails on behalf of Gorillas: “Hey investors, we’ve run out of money again”

This problem doesn’t only affect Gorillas, but also other services that use eddress' software. Among them are:

• oyanow, Nigeria
• noknok, Lebanon
• LibanPost (the national post office of Lebanon).

This would allow attackers to send authentic-looking emails on behalf of Gorillas or other eddress clients.

Sendgrid allows a very detailed configuration of which API key is allowed to do what. However, the API keys in question have an extremely large number of permissions: The API key of Gorillas for 100 of these so-called “scopes”, the one of Liban Post for more than 200. In addition to sending e-mails, this also includes the authorization to create new API keys. An attacker could thus create a new API key relatively unnoticed - and continue to use it even if the leaked API key is revoked.

Would you like to have some more data?

We had just finished writing the report for the problems described so far when an idea came to us: To access the queries for orders you need an access token. When you log into the app you get a token of this type. So, expecting that it would allow us to query our own data, we took our access identifier from the app and entered it into our GraphQL client. And sure enough, we got data. Not just ours, but all of it.

In total, we were able to retrieve data on over 1,000,000 orders, the associated 200,000 customers, and workers.

This includes:

• Names, addresses, email addresses and phone numbers of customers
• Order details (products ordered, quantity, price, etc.)
• In the case of credit card payment: the expiration date of the credit card
• References to photos of the front door/bell plate, if available
• Name and phone number of “activeWorker”, presumably drivers or pickers.

So it’s not just the customers who are affected, but also the workers - another problem in how startup delivery services treat them. The working conditions of pickers and riders have already been criticized several times.

Spear phishing with a trawl

All this data, together with SendGrid access, forms the basis for an extremely evil attack scenario. To safeguard against phishing e-mails, people are taught to not only check the accuracy of the sender, but also whether for instance one is addressed with the correct name.

But we have both now: We know the data of all customers, including their orders, and can write e-mails in the name of Gorillas.

Now let’s imagine an e-mail to all Gorillas customers that ordered in the last few days with the following content:

Hello Alex Example, 🦍❤️

Yesterday you ordered with us for 23.42€ to the address “Examplestreet 123, 00000 Examplecity”. For this, you used your credit card with an expiration date of 13/37. Unfortunately, the payment was declined by our payment service provider. Therefore we have to ask you to settle your invoice.

You can make the payment comfortably under the following link: i-steal-your-credit-card-data.com/payment/{order-number}

The products you ordered were: […]

Since the domains gorlllas.io and goriilas.io are not registered, even familiar-looking domains could be used. Anyway, people are already used to being redirected to a wide variety of payment providers.

One thing is for certain: We would fall for it.

Gorilla’s reaction

While finding the vulnerabilities, we also documented them and reported them collectively to CERT-Bund, the german federal Computer Emergency Response Team. CERT-Bund then reviewed them and forwarded our reports to Gorillas. Gorillas has, according to its own statement, closed the vulnerabilities described, revoked leaked API keys and also informed the relevant authorities as well as its customers and workers. We very much welcome that Gorillas informed its customers and workers on its own initiative, even though there is not necessarily a legal obligation.

We also received the e-mail Gorillas sent to its customers. Unfortunately, we have to criticize that they do not name exactly which data was retrievable. Who remembers what data they might have entered, months after ordering normal everyday goods? And there is not a word about the photos of front doors and doorbell signs either. We think this is even worse because the customers of Gorillas don’t even know that these pictures exist.

When will the industry finally learn‽

This is the second time that a supermarket delivery service leaked all customer data because of an unprotected GraphQL interface. We hoped that the issue at Flink served as a warning for all providers and that they would take another close look into their own systems to see if they have similar problems. The fact that even with investments of triple-digit millions, IT security does not seem to be seen as important surprises us once again. We expected that investors would take a little more care when selecting their investment targets for such enormous sums. After all, the competitors are certainly not supposed to know which products are doing particularly well in which parts of the city.

Here IT security has the same problem as other preventative measures: The better it is, the less one sees its benefit. Only when it’s too late and we already found our way into the databases, the companies realise what they did wrong. As long as the system is sufficiently secured, no one notices - because everything is running properly, smoothly and quietly.

At the same time, IT security is harder to advertise than new features and financial incentives are somewhat lacking. The GDPR allows for severe penalties for such data breaches. Now it’s on the data protection authorities to issue them so that companies will have one more reason to pay attention to their IT security in the future.

Adblock test (Why?)

Published on 2022-01-11.

There is something seriously wrong with the IT industry. It's so bad that I haven't managed to find a single industry with the same massive amount of stupidity, with the exception of perhaps the fashion industry. It's like the IT industry has been paralyzed in some strange kind of mass hypnosis.

No, I will not be polite and call it something else because it is truly sheer stupidity.

In the past IT people, whether we're talking about programmers or something else, where very clever people. People with a high level of intelligence that took serious pride in doing things in a meaningful and pragmatic way.

In the so-called modern day it's like everyone - except a few - has dropped their brain on the floor. They keep inventing "revolutionary new ways" of doing the exact same thing that could be done in a dozen ways already. And they do that by coating more and more and more unnecessary complexity on top of existing technology stacks.

Electron and React Native Desktop are supposed to be a revolutionary new way of making desktop applications. Except they are not and they eat up all the memory you have and still ask for more. They constantly crash and has no value over a native desktop application what so ever - well, perhaps with the only exception that now a 2 year old baby can make something shiny that you can click on with your mouse.

But, noooo, you're a dinosaur, you don't understand anything, it's the future, it's the modern way of doing things. Native desktop apps are dead!

PHP is a programming language mainly for web development. It is made in C, a pure procedural language, originally as a templating language, and it still is a templating language at the very core, yet it is apparently not good enough. We have to put a completely different template system on top of PHP, also written in PHP, which now makes the application load four times as slow.

But, noooo, you're a dinosaur, you don't understand anything, it's the future, it's the modern way of doing things. We don't do that in modern web development any more!

All web servers has a build in router. Whether it's NGINX, Apache, lighttpd, Caddy or something else. But no. Let's not use that, let's add yet another router on top of that with a single entry point and then basically re-write every single request before it gets served.

But, noooo, you're a dinosaur, you don't understand anything, it's the future, it's the modern way of doing things. We don't do that in modern web development any more!

The browsers native language is HTML. HTML is a markup language and if you feed HTML to the browser it will very quickly render the page with what you give it. But no. Let's not do that. Let's instead feed the browser with JSON and then have the build in JavaScript engine translate that into a pre-formatted output which then gets translated into HTML before it's served to the user. Oh, and while we're add it, let's do the exact same thing with CSS. So, now your simple news article or blog post takes ages to load on a 1 gigabit connection and requires about 3 times as much electrical power even though you're only serving text and perhaps a few images - just because someone though it was a really good idea to make a React app instead of a simple HTML page rendered by the server.

Why in the world has this idiotic trend of abstracting everything away by layers upon layers of complexity gained such a strong foothold in the industry? Has everyone except the "unix greybeards" gone mad!?

The situation is really bad for the industry. And it is a real shame that the younger generations who grow up not knowing anything else, thinking that these so-called "modern way of doing things" are the correct and best ways, will have to suffer when everything starts to crumble.

The entry barrier to programming needs to high! Programming is engineering, it's not something where you throw stuff at the wall and see what sticks and just assume that programming languages, browsers and operating systems are made of magical dust.

Adblock test (Why?)