A top expert at the Centers for Disease Control and Prevention who was overseeing the process to update COVID-19 vaccine recommendations resigned on Tuesday.

The resignation, first reported by The Associated Press and confirmed by CBS News, comes just a week after health secretary and anti-vaccine advocate Robert F. Kennedy Jr. unilaterally revoked and altered some of the CDC's recommendations for COVID-19 vaccines, restricting access to children and pregnant people. The resignation also comes three weeks before CDC's experts and advisors are scheduled to meet to publicly evaluate data and discuss the recommendations for this season—a long-established process that was disrupted by Kennedy's announcement.

The departing CDC official, Lakshmi Panagiotakopoulos, a pediatric infectious disease expert, was a co-leader of a working group on COVID-19 vaccines who advised experts on the CDC's Advisory Committee on Immunization Practices (ACIP). She informed her ACIP colleagues of her resignation in an email on Tuesday.

"My career in public health and vaccinology started with a deep-seated desire to help the most vulnerable members of our population, and that is not something I am able to continue doing in this role," Panagiotakopoulos wrote.

Unilateral changes

Previously, the CDC and ACIP recommended COVID-19 vaccines for everyone ages 6 months and up. Experts have emphasized that pregnant people in particular should get vaccinated, as pregnancy suppresses the immune system and puts pregnant people at high risk of severe COVID-19 and death. The American College of Obstetricians and Gynecologists states that "COVID-19 infection during pregnancy can be catastrophic." Further, dozens of studies have found that the vaccines are safe and effective at protecting the pregnant person, the pregnancy, and newborns.

But in the announcement last week, Kennedy celebrated revoking the recommendation. The CDC's immunization schedule for adults was subsequently edited to say that pregnant people should "delay vaccination until after pregnancy if vaccine is indicated."

Kennedy also gleefully said he was revoking recommendations for vaccinating healthy children. But the CDC's edited immunization schedule did not remove the recommendation outright; rather, it simply added a stipulation that a child's doctor and parents agree on the vaccination, described as "shared clinical decision-making."

It's unclear what both changes will mean in practice for children and pregnant people who want to get vaccinated, including whether vaccines will continue to be covered by health insurance. Regardless, the confusion and unorthodox changes are expected to further deter vaccination.

"More of us should be resigning in protest," one federal health official told CBS News in response to Panagiotakopoulos' resignation.

ACIP is scheduled to meet June 25–27 to publicly discuss COVID-19 vaccine recommendations.

Read full article

Comments

An anonymous reader shares a report: The IRS open sourced much of its incredibly popular Direct File software as the future of the free tax filing program is at risk of being killed by Intuit's lobbyists and Donald Trump's megabill. Meanwhile, several top developers who worked on the software have left the government and joined a project to explore the "future of tax filing" in the private sector. Direct File is a piece of software created by developers at the US Digital Service and 18F, the former of which became DOGE and is now unrecognizable, and the latter of which was killed by DOGE. Direct File has been called a "free, easy, and trustworthy" piece of software that made tax filing "more efficient." About 300,000 people used it last year as part of a limited pilot program, and those who did gave it incredibly positive reviews, according to reporting by Federal News Network. But because it is free and because it is an example of government working, Direct File and the IRS's Free File program more broadly have been the subject of years of lobbying efforts by financial technology giants like Intuit, which makes TurboTax. DOGE sought to kill Direct File, and currently, there is language in Trump's massive budget reconciliation bill that would kill Direct File. Experts say that "ending [the] Direct File program is a gift to the tax-prep industry that will cost taxpayers time and money."

Read more of this story at Slashdot.

Tracking code that Meta and Russia-based Yandex embed into millions of websites is de-anonymizing visitors by abusing legitimate Internet protocols, causing Chrome and other browsers to surreptitiously send unique identifiers to native apps installed on a device, researchers have discovered. Google says it's investigating the abuse, which allows Meta and Yandex to convert ephemeral web identifiers into persistent mobile app user identities.

The covert tracking—implemented in the Meta Pixel and Yandex Metrica trackers—allows Meta and Yandex to bypass core security and privacy protections provided by both the Android operating system and browsers that run on it. Android sandboxing, for instance, isolates processes to prevent them from interacting with the OS and any other app installed on the device, cutting off access to sensitive data or privileged system resources. Defenses such as state partitioning and storage partitioning, which are built into all major browsers, store site cookies and other data associated with a website in containers that are unique to every top-level website domain to ensure they're off-limits for every other site.

A blatant violation

“One of the fundamental security principles that exists in the web, as well as the mobile system, is called sandboxing,” Narseo Vallina-Rodriguez, one of the researchers behind the discovery, said in an interview. “You run everything in a sandbox, and there is no interaction within different elements running on it. What this attack vector allows is to break the sandbox that exists between the mobile context and the web context. The channel that exists allowed the Android system to communicate what happens in the browser with the identity running in the mobile app.”

The bypass—which Yandex began in 2017 and Meta started last September—allows the companies to pass cookies or other identifiers from Firefox and Chromium-based browsers to native Android apps for Facebook, Instagram, and various Yandex apps. The companies can then tie that vast browsing history to the account holder logged into the app.

This abuse has been observed only in Android, and evidence suggests that the Meta Pixel and Yandex Metrica target only Android users. The researchers say it may be technically feasible to target iOS because browsers on that platform allow developers to programmatically establish localhost connections that apps can monitor on local ports.

In contrast to iOS, however, Android imposes fewer controls on local host communications and background executions of mobile apps, the researchers said, while also implementing stricter controls in app store vetting processes to limit such abuses. This overly permissive design allows Meta Pixel and Yandex Metrica to send web requests with web tracking identifiers to specific local ports that are continuously monitored by the Facebook, Instagram, and Yandex apps. These apps can then link pseudonymous web identities with actual user identities, even in private browsing modes, effectively de-anonymizing users’ browsing habits on sites containing these trackers.

Meta Pixel and Yandex Metrica are analytics scripts designed to help advertisers measure the effectiveness of their campaigns. Meta Pixel and Yandex Metrica are estimated to be installed on 5.8 million and 3 million sites, respectively.

Meta and Yandex achieve the bypass by abusing basic functionality built into modern mobile browsers that allows browser-to-native app communications. The functionality lets browsers send web requests to local Android ports to establish various services, including media connections through the RTC protocol, file sharing, and developer debugging.

A conceptual diagram representing the exchange of identifiers between the web trackers running on the browser context and native Facebook, Instagram, and Yandex apps for Android.

While the technical underpinnings differ, both Meta Pixel and Yandex Metrica are performing a “weird protocol misuse” to gain unvetted access that Android provides to localhost ports on the 127.0.0.1 IP address. Browsers access these ports without user notification. Facebook, Instagram, and Yandex native apps silently listen on those ports, copy identifiers in real time, and link them to the user logged into the app.

A representative for Google said the behavior violates the terms of service for its Play marketplace and the privacy expectations of Android users.

“The developers in this report are using capabilities present in many browsers across iOS and Android in unintended ways that blatantly violate our security and privacy principles,” the representative said, referring to the people who write the Meta Pixel and Yandex Metrica JavaScript. “We've already implemented changes to mitigate these invasive techniques and have opened our own investigation and are directly in touch with the parties.”

Meta didn't answer emailed questions for this article, but provided the following statement: "We are in discussions with Google to address a potential miscommunication regarding the application of their policies. Upon becoming aware of the concerns, we decided to pause the feature while we work with Google to resolve the issue."

In an email, Yandex said it was discontinuing the practice and was also in touch with Google.

"Yandex strictly complies with data protection standards and does not de-anonymize user data," the statement added. "The feature in question does not collect any sensitive information and is solely intended to improve personalization within our apps."

How Meta and Yandex de-anonymize Android users

Meta Pixel developers have abused various protocols to implement the covert listening since the practice began last September. They started by causing apps to send HTTP requests to port 12387. A month later, Meta Pixel stopped sending this data, even though Facebook and Instagram apps continued to monitor the port.

In November, Meta Pixel switched to a new method that invoked WebSocket, a protocol for two-way communications, over port 12387.

That same month, Meta Pixel also deployed a new method that used WebRTC, a real-time peer-to-peer communication protocol commonly used for making audio or video calls in the browser. This method used a complicated process known as SDP munging, a technique for JavaScript code to modify Session Description Protocol data before it’s sent. Still in use today, the SDP munging by Meta Pixel inserts key _fbp cookie content into fields meant for connection information. This causes the browser to send that data as part of a STUN request to the Android local host, where the Facebook or Instagram app can read it and link it to the user.

In May, a beta version of Chrome introduced a mitigation that blocked the type of SDP munging that Meta Pixel used. Within days, Meta Pixel circumvented the mitigation by adding a new method that swapped the STUN requests with the TURN requests.

In a post, the researchers provided a detailed description of the _fbp cookie from a website to the native app and, from there, to the Meta server:

1. The user opens the native Facebook or Instagram app, which eventually is sent to the background and creates a background service to listen for incoming traffic on a TCP port (12387 or 12388) and a UDP port (the first unoccupied port in 12580–12585). Users must be logged-in with their credentials on the apps.
2. The user opens their browser and visits a website integrating the Meta Pixel.
3. At this stage, some websites wait for users' consent before embedding Meta Pixel. In our measurements of the top 100K website homepages, we found websites that require consent to be a minority (more than 75% of affected sites does not require user consent)...
4. The Meta Pixel script is loaded and the _fbp cookie is sent to the native Instagram or Facebook app via WebRTC (STUN) SDP Munging.
5. The Meta Pixel script also sends the _fbp value in a request to https://www.facebook.com/tr along with other parameters such as page URL (dl), website and browser metadata, and the event type (ev) (e.g., PageView, AddToCart, Donate, Purchase).
6. The Facebook or Instagram apps receive the _fbp cookie from the Meta JavaScripts running on the browser and transmits it to the GraphQL endpoint (https://graph[.]facebook[.]com/graphql) along with other persistent user identifiers, linking users' fbp ID (web visit) with their Facebook or Instagram account.

Detailed flow of the way the Meta Pixel leaks the _fbp cookie from Android browsers to it's Facebook and Instagram apps.

The first known instance of Yandex Metrica linking websites visited in Android browsers to app identities was in May 2017, when the tracker started sending HTTP requests to local ports 29009 and 30102. In May 2018, Yandex Metrica also began sending the data through HTTPS to ports 29010 and 30103. Both methods remained in place as of publication time.

An overview of Yandex identifier sharing A timeline of web history tracking by Meta and Yandex

Some browsers for Android have blocked the abusive JavaScript in trackers. DuckDuckGo, for instance, was already blocking domains and IP addresses associated with the trackers, preventing the browser from sending any identifiers to Meta. The browser also blocked most of the domains associated with Yandex Metrica. After the researchers notified DuckDuckGo of the incomplete blacklist, developers added the missing addresses.

The Brave browser, meanwhile, also blocked the sharing of identifiers due to its extensive blocklists and existing mitigation to block requests to the localhost without explicit user consent. Vivaldi, another Chromium-based browser, forwards the identifiers to local Android ports when the default privacy setting is in place. Changing the setting to block trackers appears to thwart browsing history leakage, the researchers said.

Tracking blocker settings in Vivaldi for Android.

There’s got to be a better way

The various remedies DuckDuckGo, Brave, Vivaldi, and Chrome have put in place are working as intended, but the researchers caution they could become ineffective at any time.

“Any browser doing blocklisting will likely enter into a constant arms race, and it's just a partial solution,” Vallina Rodriguez said of the current mitigations. “Creating effective blocklists is hard, and browser makers will need to constantly monitor the use of this type of capability to detect other hostnames potentially abusing localhost channels and then updating their blocklists accordingly.”

He continued:

While this solution works once you know the hostnames doing that, it's not the right way of mitigating this issue, as trackers may find ways of accessing this capability (e.g., through more ephemeral hostnames). A long-term solution should go through the design and development of privacy and security controls for localhost channels, so that users can be aware of this type of communication and potentially enforce some control or limit this use (e.g., a permission or some similar user notifications).

Chrome and most other Chromium-based browsers executed the JavaScript as Meta and Yandex intended. Firefox did as well, although for reasons that aren't clear, the browser was not able to successfully perform the SDP munging specified in later versions of the code. After blocking the STUN variant of SDP munging in the early May beta release, a production version of Chrome released two weeks ago began blocking both the STUN and TURN variants. Other Chromium-based browsers are likely to implement it in the coming weeks. A representative for Firefox-maker Mozilla said the organization prioritizes user privacy and is taking the report seriously

"We are actively investigating the reported behavior, and working to fully understand its technical details and implications," Mozilla said in an email. "Based on what we’ve seen so far, we consider these to be severe violations of our anti-tracking policies, and are assessing solutions to protect against these new tracking techniques."

The researchers warn that the current fixes are so specific to the code in the Meta and Yandex trackers that it would be easy to bypass them with a simple update.

“They know that if someone else comes in and tries a different port number, they may bypass this protection,” said Gunes Acar, the researcher behind the initial discovery, referring to the Chrome developer team at Google. “But our understanding is they want to send this message that they will not tolerate this form of abuse.”

Fellow researcher Vallina-Rodriguez said the more comprehensive way to prevent the abuse is for Android to overhaul the way it handles access to local ports.

“The fundamental issue is that the access to the local host sockets is completely uncontrolled on Android,” he explained. “There's no way for users to prevent this kind of communication on their devices. Because of the dynamic nature of JavaScript code and the difficulty to keep blocklists up to date, the right way of blocking this persistently is by limiting this type of access at the mobile platform and browser level, including stricter platform policies to limit abuse.”

Got consent?

The researchers who made this discovery are:

• Aniketh Girish, PhD student at IMDEA Networks
• Gunes Acar, assistant professor in Radboud University’s Digital Security Group & iHub
• Narseo Vallina-Rodriguez, associate professor at IMDEA Networks
• Nipuna Weerasekara, PhD student at IMDEA Networks
• Tim Vlummens, PhD student at COSIC, KU Leuven

Acar said he first noticed Meta Pixel accessing local ports while visiting his own university's website.

There's no indication that Meta or Yandex has disclosed the tracking to either websites hosting the trackers or end users who visit those sites. Developer forums show that many websites using Meta Pixel were caught off guard when the scripts began connecting to local ports.

“Since 5th September, our internal JS error tracking has been flagging failed fetch requests to localhost:12387,” one developer wrote. “No changes have been made on our side, and the existing Facebook tracking pixel we use loads via Google Tag Manager.”

“Is there some way I can disable this?” another developer encountering the unexplained local port access asked.

It's unclear whether browser-to-native-app tracking violates any privacy laws in various countries. Both Meta and companies hosting its Meta Pixel, however, have faced a raft of lawsuits in recent years alleging that the data collected violates privacy statutes. A research paper from 2023 found that Meta pixel, then called the Facebook Pixel, "tracks a wide range of user activities on websites with alarming detail, especially on websites classified as sensitive categories under GDPR," the abbreviation for the European Union's General Data Protection Regulation.

So far, Google has provided no indication that it plans to redesign the way Android handles local port access. For now, the most comprehensive protection against Meta Pixel and Yandex Metrica tracking is to refrain from installing the Facebook, Instagram, or Yandex apps on Android devices.

Read full article

Comments

An anonymous reader shares a report: Open source software used by hobbyist drones powered an attack that wiped out a third of Russia's strategic long range bombers on Sunday afternoon, in one of the most daring and technically coordinated attacks in the war. In broad daylight on Sunday, explosions rocked air bases in Belaya, Olenya, and Ivanovo in Russia, which are hundreds of miles from Ukraine. The Security Services of Ukraine's (SBU) Operation Spider Web was a coordinated assault on Russian targets it claimed was more than a year in the making, which was carried out using a nearly 20-year-old piece of open source drone autopilot software called ArduPilot. ArduPilot's original creators were in awe of the attack. "That's ArduPilot, launched from my basement 18 years ago. Crazy," Chris Anderson said in a comment on LinkedIn below footage of the attack. On X, he tagged his the co-creators Jordi Munoz and Jason Short in a post about the attack. "Not in a million years would I have predicted this outcome. I just wanted to make flying robots," Short said in a reply to Anderson. "Ardupilot powered drones just took out half the Russian strategic bomber fleet." ArduPilot is an open source software system that takes its name from the Arduino hardware systems it was originally designed to work with. It began in 2007 when Anderson launched the website DIYdrones.com and cobbled together a UAV autopilot system out of a Lego Mindstorms set.

Read more of this story at Slashdot.

Exercise is generally good for you, but a new high-quality clinical trial finds that it's so good, it can even knock back colon cancer—and, in fact, rival some chemotherapy treatments.

The finding comes from a phase 3, randomized clinical trial led by researchers in Canada, who studied nearly 900 people who had undergone surgery and chemotherapy for colon cancer. After those treatments, patients were evenly split into groups that either bulked up their regular exercise routines in a three-year program that included coaching and supervision or were simply given health education. The researchers found that the exercise group had a 28 percent lower risk of their colon cancer recurring, new cancers developing, or dying over eight years compared with the health education group.

The benefits of exercise, published in the New England Journal of Medicine, became visible after just one year and increased over time, the researchers found. The rate of people who survived for five years and remained cancer-free was 80.3 percent among the exercise group. That's a 6.4 percentage-point survival boost over the education group, which had a 73.9 percent cancer-free survival rate. The overall survival rate (with or without cancer) during the study's eight-year follow-up was 90.3 percent in the exercise group compared with 83.2 percent in the education group—a 7.1 percentage point difference. Exercise reduced the relative risk of death by 37 percent (41 people died in the exercise group compared with 66 in the education group).

"The magnitude of benefit from exercise ... was similar to that of many currently approved standard drug treatments," the researchers noted.

However, the exercise routines that achieved those substantial benefits weren't heavy-duty. Participants were coached to perform any recreational aerobic exercise they enjoyed, including brisk walking. Adding 45- to 60-minute brisk walks three or four times a week, or three or four jogs lasting 25 to 30 minutes, was enough for many of the participants to improve their odds.

Overall, the goal was to get the exercise group over 20 MET hours per week. METs are Metabolic Equivalents of Task, which represent the amount of energy your body is burning up compared to when you're at rest, sitting quietly. Brisk walking is about four METs, the researchers estimated, and jogging is around 10 METs. To get to 20 MET hours a week, a participant would have to do five hours of brisk walking a week (e.g., five hour-long walks a week) or jog for two hours a week (e.g., four 30-minute jogs per week).

“Quite impressive”

The exercise group, which had supervised exercise for the first six months of the three-year intervention, reported more exercise over the study. At the end, the exercise group was averaging over 20 MET hours per week, while the education group's average was around 15 MET hours per week. The exercise group also scored better at cardiorespiratory fitness and physical functioning.

Still, with the health education, the control group also saw a boost to their exercise during the trial, with their average starting around 10 MET hours per week. These findings "raise the possibility of an even more powerful effect of exercise on cancer outcomes as compared with a completely sedentary control group," the researchers note.

For now, it's not entirely clear how exercise keeps cancers at bay, but it squares with numerous other observational studies that have linked exercise to better outcomes in cancer patients. Researchers have several hypotheses, including that exercise might cause "increased fluid shear stress, enhanced immune surveillance, reduced inflammation, improved insulin sensitivity, and altered microenvironment of major sites of metastases," the authors note.

In the study, exercise seemed to keep local and distant colon cancer from recurring, as well as prevent new cancers, including breast, prostate, and colorectal cancers.

Outside experts hailed the study's findings. "This indicates that exercise has a similarly strong effect as previously shown for chemotherapy, which is really quite impressive," Marco Gerlinger, a gastrointestinal cancer expert at Queen Mary University of London, said in a statement. "One of the commonest questions from patients is what they can do to reduce the risk that their cancer comes back. Oncologists can now make a very clear evidence-based recommendation."

"Having worked in bowel cancer research for 30 years, this is an exciting breakthrough in the step-wise improvement in cure rates," David Sebag-Montefiore, a clinical oncologist at the University of Leeds, said. "The great appeal of a structured moderate intensity exercise is that it offers the benefits without the downside of the well-known side effects of our other treatments."

Read full article

Comments

With the federal hiring freeze lifting in mid-July, the Trump administration has rolled out a controversial federal hiring plan that critics warn will politicize and likely slow down the process rather than increase government efficiency.

De-emphasizing degree requirements and banning DEI initiatives—as well as any census tracking of gender, race, ethnicity, or religion to assess the composition of government—the plan requires every new hire to submit essays explaining which executive orders or policy initiatives they will help advance.

These essays must be limited to 200 words and cannot be generated by a chatbot, the guidance noted. While some applicants may point to policies enacted by prior presidents under their guidance, the president appears to be seeking to ensure that only Trump supporters are hired and that anyone who becomes disillusioned with Trump is weeded out over time. In addition to asking for a show of loyalty during the interview process, all federal workers will also be continuously vetted and must agree to submit to "checks for post-appointment conduct that may impact their continued trustworthiness," the guidance noted, referencing required patriotism repeatedly.

According to the Office of Personnel Management (OPM), the official plan is to hire only workers "dedicated to serving the American people effectively and faithfully." It also requires essays on applicants' commitment to upholding the Constitution, furthering government efficiency, and maintaining a strong work ethic.

Although the elimination of DEI initiatives is clearly a core Trump objective, the plan is "a hodgepodge of bipartisan reforms developed under both Trump and former President Biden to accelerate and improve the hiring process, alongside plans to eradicate longstanding efforts to make the federal workforce more reflective of the American populace," the government news site Government Executive (GovExec) reported.

The administration says the plan will "drastically" speed up hiring while cutting costs. The plan said that efficiencies would be created by cutting down resumes to a maximum of two pages (cutting review time) while creating a pool of resumes that can be returned to so that new jobs won't even need to be announced. Even hiring for jobs requiring top secret clearances will be expedited, the plan said.

Critics highlight pain points of hiring plan

A federal HR official speaking anonymously told GovExec that "this plan will make life harder for hiring managers and applicants alike." That official noted that Trump's plan to pivot away from using self-assessments—where applicants can explain their relevant skills—removes a shortcut for HR workers who will now need to devote time to independently assess every candidate.

Using various Trump-approved technical and alternative assessments would require candidates to participate in live exercises, evaluate work-related scenarios, submit a work sample, solve problems related to skill competencies, or submit additional writing samples that would need to be reviewed. The amount of manual labor involved in the new policies, the HR official warned, is "insane."

"Everything in it will make it more difficult to hire, not less," the HR official said. "How the f--- do you define if someone is patriotic?"

Jenny Mattingley, a vice president of government affairs at the Partnership for Public Service, told Politico that she agreed that requiring a loyalty test would make federal recruiting harder.

"Many federal employees are air traffic controllers, national park rangers, food safety inspectors, and firefighters who carry out the missions of agencies that are authorized by Congress," Mattingley said. "These public servants, who deliver services directly to the public, should not be forced to answer politicized questions that fail to evaluate the skills they need to do their jobs effectively."

Don Kettl, a professor emeritus of public policy at the University of Maryland, told GovExec that the decision to stop collecting census data on government workers could also present setbacks for hiring managers.

"I’m concerned about it, not because it would make it harder to pursue DEI goals as a matter of policy but that in general, it’s important not to throw out information about what it is that you’re doing," Kettl said. "It would be important to know whether or not you’re hiring 90 percent men for certain occupations... You don’t want to blind yourself to the implications of what you’re doing."

So far, Trump has prioritized slashing the government workforce through the Department of Government Efficiency (DOGE), with The New York Times estimating in March that 59,000 workers were fired and 76,000 accepted buyouts. Axios noted that 150,000 additional cuts are planned, and DOGE recently supercharged the mass-layoff software that could make it easier to pursue further cuts.

Once the hiring freeze lifts on July 15, the White House has specified that it will allow agencies to hire "no more than one employee for every four employees that depart from federal service (with appropriate immigration, law enforcement, and public safety exceptions."

Among those to be recruited, the federal hiring plan noted, are HR professionals who will align with Trump's plan to end DEI initiatives and prioritize hiring "American patriots."

"There is an urgent need to upgrade the skills and capabilities of Federal HR professionals to implement President Trump’s long-overdue plans to reform the Federal workforce," the hiring plan said, confirming that "OPM will take a greater role in overseeing" and training the HR workforce.

Read full article

Comments