• Rumor Replay: Apple's foldable iPad and iPhone are coming, AirTag 2 and more
    9to5mac.com
    This is Rumor Replay, a weekly column at 9to5Mac offering a quick rundown of the most recent Apple product rumors, with analysis and commentary. Today: Apple's foldable iPad and iPhone are coming, plus a fresh Magic Mouse approach, and AirTag 2. Here are this week's Apple rumors.

    iPhone 18 Fold and more affordable iPhone 17 Air

    This week The Wall Street Journal reported on Apple's next two years of iPhone updates:

    - iPhone 18 Fold
    - iPhone 17 Air

    Neither of these devices carries an official name yet, but running with the two names above, WSJ says that 2026's foldable iPhone will unfold to a display size that would be larger than an iPhone 16 Pro Max. They also state that next year's 17 Air is intended to be cheaper than Pro models.

    My takeaways

    Every time we get a report about the foldable iPhone, it makes the device seem more real, especially as 2026 draws near. I'm intrigued to see what Apple can uniquely bring to foldables, but I'm not sure a display larger than the Pro Max is what I want. One-handed use is extremely important to me, which is why I use an iPhone 16 Pro, not Pro Max. However, the market seems to show that people love huge phones, so Apple's probably on the right track.

    The iPhone 17 Air's expected pricing is welcome news, especially because it makes sense of the specs we're getting. Previous reports said the device would be ultra-premium, yet with compromises that don't justify that price. Now, the reported A18 chip, single rear camera, and ultra-thin design all cohere nicely with a moderate price point.

    We've heard rumblings before of a roughly 19-inch iPad-Mac hybrid foldable device, and this week Mark Gurman shed more light on the project.

    Though some of Gurman's report is intentionally ambiguous, he seems to believe this is an iPad we're talking about, not a Mac. It's always possible, though, that it could include key capabilities from both products.

    My takeaways

    There's a lot we don't know yet, but this foldable iPad could be my dream all-in-one product. Apple's two iPad Pro sizes each have very different strengths and weaknesses, and this foldable could potentially combine the best of both sizes. Gurman says we'll have to wait until 2028 for this foldable though, so I'm not getting my hopes up yet.

    Radically new Magic Mouse coming

    Apple's Magic Mouse has, for a long time, played second fiddle to the Magic Trackpad. But according to Mark Gurman, the company isn't content to let the accessory remain stagnant.

    Apple is apparently working on a whole new Magic Mouse design that could radically alter the way the device works. It's a full overhaul of the Magic Mouse that better fits the modern era.

    My takeaways

    Gurman doesn't say this, but I wonder if Apple's motivation, in part, is to create a new Magic Mouse that's optimized for Vision Pro and spatial computing. Current Mac accessories aren't ideal for spatial environments, even if they technically work. Perhaps Apple can create something well suited both for fresh platforms like the Vision Pro and legacy ones like the Mac.

    AirTag 2

    AirTag 2 is coming in 2025, and this week Gurman reported that it's expected to boast a more modern Ultra Wideband chip.

    That chip upgrade will enable significantly improved Precision Finding support, so you can get very precise guidance from your iPhone when tracking down a lost AirTag from, potentially, up to 90 meters away.

    My takeaways

    My biggest issue with AirTag is its battery life (something a new add-on accessory just fixed), so I hope AirTag 2 offers improvements on that front too. That aside, expanded support for Precision Finding seems like a no-brainer enhancement.

    Which of this week's Apple rumors are you most interested in? Let us know in the comments.
  • Best CarPlay solutions and accessories to gift iPhone users for the holidays
    9to5mac.com
    What do you get the iPhone user who has everything? CarPlay solutions and accessories are a great place to start! These are the best CarPlay related gifts for the holiday season.
  • Russian Space Program Confirms Plans to Destroy Space Station
    futurism.com
    They changed their mind yet again.

    Commitment Phobia

    Russia's space program has thrown its weight behind NASA's plans to destroy the International Space Station starting in 2030.

    As Ars Technica reports, it's a change of tune for the country's space program. Its head, Yuri Borisov, who has been leading Roscosmos since 2022, has repeatedly changed his mind on whether Russia would be committed to supporting operations onboard the aging orbital outpost or simply abandon it, as his outspoken predecessor Dmitry Rogozin has threatened in the past.

    In 2022, roughly five months after Russia invaded Ukraine, Borisov said that "the decision to leave the station after 2024 has been made." Then in 2023, he agreed to continue Russia's participation until at least 2028.

    Now, in a televised interview with Russian broadcaster RBC TV, Borisov announced that in "coordination with our American colleagues, we plan to de-orbit the station sometime around the beginning of 2030," as quoted by Ars.

    "The final scenario will probably be specified after the transition to a new NASA administration," he added.

    Scared Investors

    NASA has long planned to deorbit the massive station beginning in 2030. In June, the agency hired SpaceX to develop a "US Deorbit Vehicle" to pull the ISS out of its orbit and have it burn up during reentry.

    During the interview, Borisov reiterated that his agency sees the ISS, which has suffered plenty of leaks and cracks, as not worth maintaining.

    "Today our cosmonauts have to spend more time repairing equipment and less and less time conducting experiments," he said.

    Indeed, Russian crew members have been hard at work identifying several leaks located in the country's segment of the space station.

    Other notable equipment failures include two coolant leaks affecting a Soyuz spacecraft in late 2022 and a Progress cargo spacecraft in early 2023.

    Borisov also said that the process of subsidizing a private space industry "has only just begun with us."

    "This is a very risky business for potential investors," he added.

    It's a surprisingly level-headed media appearance for the head of Roscosmos. Borisov's predecessor, Dmitry Rogozin, garnered a reputation for making deranged and at times baffling comments. In 2022, days into Russia's invasion of Ukraine, Rogozin went as far as to threaten the West with dropping the ISS on the United States.

    During this new interview, Borisov only hinted at the possibility that Russia's war may have depleted its available resources and put a dent in its efforts to launch its own space station.

    "Right now, the dynamic growth of private space is being influenced by the general economic situation, high inflation and interest rates, which leads to expensive money for private investors," he told RBC TV. "We can hope that this will be a temporary period and more favorable times will come soon."

    Borisov also "guaranteed" that Russia would launch a competitor to SpaceX's Starlink as soon as 2030, but a super heavy launch platform would be a far more "expensive undertaking" that's still many years out, he said.

    More on Borisov: Russia Says the International Space Station Is a Dangerous, Decrepit Mess
  • We Must Report That Chuck Tingle Has a New Book About the Mysterious New Jersey Drone Sightings
    futurism.com
    The mysterious drones seen over New York and New Jersey have a strange new fan: the queer erotica icon Chuck Tingle.

    In a post on Bluesky, the pseudonymous sci-fi author of such hits as "Bury Your Gays" and "Trans Wizard Harriet Porber And The Bad Boy Parasaurolophus" announced that his latest "Tingler" would feature bisexual drones.

    The synopsis for "Bisexually Pounded By The Mysterious New Jersey Drones," which uses Tingle's characteristic syntax to describe being "pounded" by anthropomorphized objects, describes main character Hank discovering the truth behind these strange sightings that have taken social media by storm.

    "When two of these drones arrive at Hank's door, the truth starts gradually falling into place," the book's description reads. "It seems there's much more happening in the New Jersey skies than previously thought, and it's more erotic and bisexual than anyone could've ever imagined."

    "This erotic tale," the synopsis continues, "is 4,000 words of sizzling bisexual drone on human threesome action."

    Though many of us are longtime fans of the author's bizarre meta-fiction that he's been spitting out at a rapid pace for a decade now, it seems lots of folks on Bluesky were not familiar with the Hugo Award-nominated Tingle's game.

    "[I'm] concerned by how quickly he was able to write this," one user remarked. "Did he already have a rough draft before this news???"

    After another user claimed that the autistic author's "process" is akin to "Mad Libs," the man himself responded in kind.

    "Absolutely not," Tingle clapped back.

    In case you're tempted to suggest that the author of hundreds of titles uses AI to put out so many self-published books, his own social media statements seem to suggest that like many creatives, he finds the idea of using bots to do human work equal parts humorous and offensive.

    "When starting out, [I] had to make my own covers in specific way which now IMMEDIATELY evokes 'tingle' identity," he posted on Bluesky earlier this year. "Would my books have taken off if covers were just [AI] art that 'looked better'? OF COURSE NOT. [B]uds would've scrolled on."

    "SO MUCH of artistry (but also branding and self promotion) is creating a visual identity," Tingle continued. "[Don't] make your identity 'generalized slop.'"

    We obviously can't say definitively how exactly the author manages to put out books and novellas at such speed, but considering he's been doing it since way before ChatGPT was a thing, it seems that "Bisexually Pounded By The Mysterious New Jersey Drones" is just the latest example of his one-of-a-kind creativity.

    More on the Jersey drones: Dimwit Americans Are Looking at the Night Sky and Mistaking Stars and Airplanes for "Drones"
  • Rspack npm Packages Compromised with Crypto Mining Malware in Supply Chain Attack
    thehackernews.com
    Dec 20, 2024 | Ravie Lakshmanan | Malware / Supply Chain Attack

    The developers of Rspack have revealed that two of their npm packages, @rspack/core and @rspack/cli, were compromised in a software supply chain attack that allowed a malicious actor to publish malicious versions to the official package registry with cryptocurrency mining malware.

    Following the discovery, versions 1.1.7 of both libraries have been unpublished from the npm registry. The latest safe version is 1.1.8.

    "They were released by an attacker who gained unauthorized npm publishing access, and contain malicious scripts," software supply chain security firm Socket said in an analysis.

    Rspack is billed as an alternative to webpack, offering a "high performance JavaScript bundler written in Rust." Originally developed by ByteDance, it has since been adopted by several companies such as Alibaba, Amazon, Discord, and Microsoft, among others.

    The npm packages in question, @rspack/core and @rspack/cli, attract weekly downloads of over 300,000 and 145,000, respectively, indicative of their popularity.

    An analysis of the rogue versions of the two libraries has revealed that they incorporate code to make calls to a remote server ("80.78.28[.]72") in order to transmit sensitive configuration details such as cloud service credentials, while also collecting IP address and location details by making an HTTP GET request to "ipinfo[.]io/json."

    In an interesting twist, the attack also limits the infection to machines located in a specific set of countries, such as China, Russia, Hong Kong, Belarus, and Iran.

    The end goal of the attacks is to trigger the download and execution of an XMRig cryptocurrency miner on compromised Linux hosts upon installation of the packages by means of a postinstall script specified in the "package.json" file.

    "The malware is executed via the postinstall script, which runs automatically when the package is installed," Socket said. "This ensures the malicious payload is executed without any user action, embedding itself into the target environment."

    Besides publishing a new version of the two packages sans the malicious code, the project maintainers said they invalidated all existing npm tokens and GitHub tokens, checked the permissions of the repository and npm packages, and audited the source code for any potential vulnerabilities. An investigation into the root cause of the token theft is underway.

    "This attack highlights the need for package managers to adopt stricter safeguards to protect developers, like enforcing attestation checks, to prevent updating to unverified versions," Socket said. "But it's not totally bullet-proof."

    "As seen in the recent Ultralytics supply chain attack in the Python ecosystem, attackers may still be able to publish versions with attestation by compromising GitHub Actions through cache poisoning."
  • Sophos Issues Hotfixes for Critical Firewall Flaws: Update to Prevent Exploitation
    thehackernews.com
    Dec 20, 2024 | Ravie Lakshmanan | Firewall Security / Vulnerability

    Sophos has released hotfixes to address three security flaws in Sophos Firewall products that could be exploited to achieve remote code execution and allow privileged system access under certain conditions.

    Of the three, two are rated Critical in severity. There is currently no evidence that the shortcomings have been exploited in the wild. The list of vulnerabilities is as follows:

    - CVE-2024-12727 (CVSS score: 9.8) - A pre-auth SQL injection vulnerability in the email protection feature that could lead to remote code execution, if a specific configuration of Secure PDF eXchange (SPX) is enabled in combination with the firewall running in High Availability (HA) mode.
    - CVE-2024-12728 (CVSS score: 9.8) - A weak credentials vulnerability arising from a suggested and non-random SSH login passphrase for High Availability (HA) cluster initialization that remains active even after the HA establishment process completed, thereby exposing an account with privileged access if SSH is enabled.
    - CVE-2024-12729 (CVSS score: 8.8) - A post-auth code injection vulnerability in the User Portal that allows authenticated users to gain remote code execution.

    The security vendor said CVE-2024-12727 impacts about 0.05% of devices, whereas CVE-2024-12728 affects approximately 0.5% of them. All three identified vulnerabilities impact Sophos Firewall versions 21.0 GA (21.0.0) and older. They have been remediated in the following versions:

    - CVE-2024-12727 - v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v20 MR2, v20 MR3, v19.5 MR3, v19.5 MR4, v19.0 MR2)
    - CVE-2024-12728 - v20 MR3, v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v20 MR2)
    - CVE-2024-12729 - v21 MR1 and newer (Hotfixes for v21 GA, v20 GA, v20 MR1, v20 MR2, v19.5 GA, v19.5 MR1, v19.5 MR2, v19.5 MR3, v19.5 MR4, v19.0 MR2, v19.0 MR3)

    To ensure that the hotfixes have been applied, users are advised to follow the steps below:

    - CVE-2024-12727 - Launch Device Management > Advanced Shell from the Sophos Firewall console, and run the command "cat /conf/nest_hotfix_status" (The hotfix is applied if the value is 320 or above)
    - CVE-2024-12728 and CVE-2024-12729 - Launch Device Console from the Sophos Firewall console, and run the command "system diagnostic show version-info" (The hotfix is applied if the value is HF120424.1 or later)

    As temporary workarounds until the patches can be applied, Sophos is urging customers to restrict SSH access to only the dedicated HA link that is physically separate, and/or reconfigure HA using a sufficiently long and random custom passphrase.

    Another security measure that users can take is to disable WAN access via SSH, as well as ensure that User Portal and Webadmin are not exposed to WAN.

    The development comes a little over a week after the U.S. government unsealed charges against a Chinese national named Guan Tianfeng for allegedly exploiting a zero-day security vulnerability (CVE-2020-12271, CVSS score: 9.8) to break into about 81,000 Sophos firewalls across the world.
  • Hackers Exploiting Critical Fortinet EMS Vulnerability to Deploy Remote Access Tools
    thehackernews.com
    Dec 20, 2024 | Ravie Lakshmanan | Vulnerability / Cyber Attack

    A now-patched critical security flaw impacting Fortinet FortiClient EMS is being exploited by malicious actors as part of a cyber campaign that installed remote desktop software such as AnyDesk and ScreenConnect.

    The vulnerability in question is CVE-2023-48788 (CVSS score: 9.3), an SQL injection bug that allows attackers to execute unauthorized code or commands by sending specially crafted data packets.

    Russian cybersecurity firm Kaspersky said the October 2024 attack targeted an unnamed company's Windows server that was exposed to the internet and had two open ports associated with FortiClient EMS.

    "The targeted company employs this technology to allow employees to download specific policies to their corporate devices, granting them secure access to the Fortinet VPN," it said in a Thursday analysis.

    Further analysis of the incident found that the threat actors took advantage of CVE-2023-48788 as an initial access vector, subsequently dropping a ScreenConnect executable to obtain remote access to the compromised host.

    "After the initial installation, the attackers began to upload additional payloads to the compromised system, to begin discovery and lateral movement activities, such as enumerating network resources, trying to obtain credentials, perform defense evasion techniques, and generating a further type of persistence via the AnyDesk remote control tool," Kaspersky said.

    Some of the other notable tools dropped over the course of the attack are listed below:

    - webbrowserpassview.exe, a password recovery tool that reveals passwords stored in Internet Explorer (version 4.0 - 11.0), Mozilla Firefox (all versions), Google Chrome, Safari, and Opera
    - Mimikatz
    - netpass64.exe, a password recovery tool
    - netscan.exe, a network scanner

    The threat actors behind the campaign are believed to have targeted various companies located across Brazil, Croatia, France, India, Indonesia, Mongolia, Namibia, Peru, Spain, Switzerland, Turkey, and the U.A.E. by making use of different ScreenConnect subdomains (e.g., infinity.screenconnect[.]com).

    Kaspersky said it detected further attempts to weaponize CVE-2023-48788 on October 23, 2024, this time to execute a PowerShell script hosted on a webhook[.]site domain in order to "collect responses from vulnerable targets" during a scan of a system susceptible to the flaw.

    The disclosure comes more than eight months after cybersecurity company Forescout uncovered a similar campaign that involved exploiting CVE-2023-48788 to deliver ScreenConnect and Metasploit Powerfun payloads.

    "The analysis of this incident helped us to establish that the techniques currently used by the attackers to deploy remote access tools are constantly being updated and growing in complexity," the researchers said.
  • Cybercriminals and the SEC: What Companies Need to Know
    www.informationweek.com
    Todd Weber, Vice President of Professional Services, Semperis
    December 19, 2024

    The Securities and Exchange Commission (SEC) is putting a spotlight on security incident reporting. This summer, the SEC announced a rule change that requires certain financial institutions to notify individuals within 30 days of determining their personal information was compromised in a breach. Larger entities will have 18 months to comply, and enforcement will begin for smaller companies in two years.

    This new rule change follows cybersecurity disclosure requirements for public companies that were adopted only a year prior -- and implemented on December 18, 2023 for larger companies and June 15, 2024 for smaller reporting companies. These changes are already having an impact on disclosures, even if not in the way the SEC intended.

    Under these disclosure requirements, public companies must report cybersecurity incidents within four business days of determining that an incident was material. But in mid-November, even before the rules were officially adopted, the AlphV/BlackCat ransomware gang added an early twist to its typical game by notifying the SEC that one of its victims had failed to report the group's attack within the four-day limit.

    This incident raised the sobering possibility that if companies don't report cyberattacks to the SEC, attackers will do it for them. The action has sparked concerns about the abuse of regulatory processes and worries that the new rules could unintentionally lead to early disclosures, lawsuits, and an increase in attacks.

    I'm not convinced threat groups have the upper hand. We must assume the SEC or contractors are monitoring the dark web for info on attacks that impact publicly traded companies. Still, organizations would be wise to strengthen their defenses and prepare for the worst-case scenario.

    As Cyberattacks Increase, Identity Is in Spotlight

    The SEC's disclosure rules come as cyberattacks continue to rise in scale and severity, with identity-based attacks at the forefront. Verizon's 2023 DBIR found that 74% of all breaches involved the human element, while almost a quarter (24%) involved ransomware.

    Active Directory (AD) and Entra ID identity systems, used in more than 90% of enterprises worldwide, provide access to mission-critical user accounts, databases, and applications. As the keeper of the "keys to the kingdom," AD and Entra ID have become primary targets for identity-based attacks.

    It's too early to know if cybercriminals reporting their attacks to the SEC will become a trend. Regardless, it is critical for organizations to take a proactive approach to identity security. In today's digital world, identities are necessary to conduct business. But the unfettered access that identity systems can provide attackers presents a critical risk to valuable data and business operations. By taking steps to strengthen their cybersecurity posture, incident response and recovery capabilities, and operational resilience, organizations can help prevent bad actors from infiltrating identity systems.

    Protect Active Directory, Build Business Resilience

    Securing AD, Entra ID, and Okta is key to identifying and stopping attackers before they can cause damage. AD security should be the core of your cyber-resilience strategy.

    Attacks are inevitable, and organizations should adopt an "assume breach" mindset. If AD is taken down by a cyberattack, business operations stop. Excessive downtime can cause irreparable harm to an organization. Henry Schein was forced to take its e-commerce platform offline for weeks after being hit by BlackCat ransomware three times; the company lowered sales expectations for its 2023 fiscal year due to the cybersecurity breach.

    Having an incident response plan and tested AD disaster recovery plan in place is vital.

    Here are three steps for organizations to strengthen their AD security -- before, during, and after a cyberattack.

    1. Implement a layered defense. Cyber resilience requires a certain level of redundancy to avoid a single point of failure. The best defense is a layered defense. Look for an identity threat detection and response (ITDR) solution that focuses specifically on protecting the AD identity system.

    2. Monitor your hybrid AD. Regular monitoring of the identity attack surface is critical and can help you identify potential vulnerabilities before attackers do. An effective monitoring strategy needs to be specific to AD. Use free community tools like Purple Knight to find risky configurations and vulnerabilities in your organization's hybrid AD environment.

    3. Practice IR and recovery. An incident response (IR) plan is not a list to check off. It should include tabletop exercises that simulate attacks and involve business leaders as well as the security team. Even with a tested AD disaster recovery plan, your organization is still vulnerable to business-crippling cyber incidents. However, IR testing greatly improves your organization's ability to recover critical systems and data in the event of a breach, decreasing the risk of downtime and data loss.

    From my own experience, I know that the key difference between an organization that recovers quickly from an identity-related attack and one that loses valuable time is the ability to orchestrate, automate, and test the recovery process.

    Here are my tips for a swift incident response:

    - Having backups is an essential starting point for business recovery. Make sure you have offline/offsite backups that cannot be accessed by using the same credentials as the rest of your production network.
    - The best approach for recovery is "practice makes progress." A convoluted recovery procedure will delay the return to normal business operations. Verify that you have a well-documented IR procedure that details all aspects of the recovery process -- and that the information can be accessed even if the network is down.
    - Orchestrate and automate as much of the recovery process as possible. Time is the critical factor in recovery success. Automation can make the difference between a recovery that takes days or weeks and one that takes minutes or hours.

    The prospect of attackers outing their victims to the SEC underscores the importance of protecting systems in the first place. Organizations need to take the necessary steps, starting with securing their identity system. Whether your organization uses AD, Entra ID, or Okta, any identity can provide a digital attack path for adversaries seeking your most valuable assets.

    About the Author

    Todd Weber is the Vice President of Professional Services at Semperis, where he is responsible for developing and executing the company's professional services strategy, driving new revenue through service offerings and building and maintaining client relationships. Weber has more than 20 years of experience in cybersecurity professional services, technology development and integration, business strategy and venture investing. He has worked with many of the largest companies in the world developing and deploying information security technologies and architectures. Prior to Semperis, Todd was an Operating Partner and CTO at Ten Eleven Ventures. He previously served as the CTO at Optiv. He holds a B.S. from Virginia Tech.
  • SimplyAnalytics: Senior Frontend Developer
    weworkremotely.com
    Time zones: EST (UTC -5), CST (UTC -6), MST (UTC -7), PST (UTC -8), AKST (UTC -9), HST (UTC -10), ART (UTC -3), UTC -4, UTC -4:30, UTC -3, UTC -2, SBT (UTC +11), GMT (UTC +0), CET (UTC +1), EET (UTC +2), MSK (UTC +3), AST (UTC -4), FKST (UTC -3), NST (UTC -3:30)

    The Company

    SimplyAnalytics is a powerful spatial analytics and data visualization application used by thousands of business, marketing, and social science researchers in the United States and Canada. It comes pre-packaged with 200,000+ data variables and allows our users to create maps, charts, tabular reports, and crosstabs. We are passionate about creating outstanding software, and we believe in test driven development, continuous integration, and code review.

    As a smaller company, each of our developers has an important role to play - at SimplyAnalytics, you are not just another cog in the wheel, you are an integral member of our team. You will be working on valuable features and making key decisions that impact the direction of the product and our users. In addition, we provide an excellent work-life balance, with 100% remote work, 20 personal days off, flexible work hours, a collaborative work environment, and quarterly professional development days to explore and share your interests with the rest of the team.

    The Role

    We're looking for a Senior Frontend Developer to take on an important role in the development and maintenance of our cutting edge analytics and data visualization application. You'll be developing and maintaining production-quality in-house tools and customer-facing features within a large shared code base.

    The ideal candidate has experience working on complex single-page applications, is a self-starter, has a high level of attention to detail, is comfortable asking questions, enjoys working with talented colleagues, and has an interest in analytics and data visualization.

    We are a 100% remote company. Our employees can live and work anywhere in Canada, the United States, Mexico, Central America, South America, or Europe. This is a full-time salaried position. When applying, please include a cover letter.

    Responsibilities:

    - Design, develop, and test features, both in-house and customer-facing
    - Write modern high-quality, clean, scalable, and maintainable code
    - Contribute ideas for new features or improvements to existing features
    - Assist colleagues through code-review, collaboration, and troubleshooting

    Required:

    - 8+ years of professional software development experience on large, structured code bases using vanilla JavaScript (this is not a React, Angular, Node.js, or full-stack position)
    - Strong UI development skills (CSS & HTML)
    - Open to learning new technologies
    - Self-starter who gets things done
    - Attention to detail

    Bonus:

    - Experience implementing data tables, charts, graphs, or other data visualizations
    - Experience working on complex analytics, data visualization, or mapping applications
    - D3.js experience
    - MapLibre GL JS or Mapbox GL JS experience
    - Experience with geospatial, demographic, business, marketing, or health data
    - Experience with TypeScript
    - Comfortable using Linux CLI
  • Digital twins of human organs are here. They're set to transform medical treatment.
    www.technologyreview.com
    A healthy heart beats at a steady rate, between 60 and 100 times a minute. Thats not the case for all of us, Im reminded, as I look inside a cardboard box containing around 20 plastic heartseach a replica of a real human one. The hearts, which previously sat on a shelf in a lab in West London, were generated from MRI and CT scans of people being treated for heart conditions at Hammersmith Hospital next door. Steven Niederer, a biomedical engineer at the Alan Turing Institute and Imperial College London, created them on a 3D printer in his office. One of the hearts, printed in red recycled plastic, looks as I imagine a heart to look. It just about fits in my hand, and the chambers have the same dimensions as the ones you might see in a textbook. Perhaps it helps that its red. The others look enormous to me. One in particular, printed in black plastic, seems more than twice the size of the red one. As I find out later, the person who had the heart it was modeled on suffered from heart failure. The plastic organs are just for educational purposes. Niederer is more interested in creating detailed replicas of peoples hearts using computers. These digital twins are the same size and shape as the real thing. They work in the same way. But they exist only virtually. Scientists can do virtual surgery on these virtual hearts, figuring out the best course of action for a patients condition. After decades of research, models like these are now entering clinical trials and starting to be used for patient care. Virtual replicas of many other organs are also being developed. Engineers are working on digital twins of peoples brains, guts, livers, nervous systems, and more. Theyre creating virtual replicas of peoples faces, which could be used to try out surgeries or analyze facial features, and testing drugs on digital cancers. 
The eventual goal is to create digital versions of our bodies, computer copies that could help researchers and doctors figure out our risk of developing various diseases and determine which treatments might work best. They'd be our own personal guinea pigs for testing out medicines before we subject our real bodies to them. To engineers like Niederer, it's a tantalizing prospect very much within reach. Several pilot studies have been completed, and larger trials are underway. Those in the field expect digital twins based on organs to become a part of clinical care within the next five to 10 years, aiding diagnosis and surgical decision-making. Further down the line, we'll even be able to run clinical trials on synthetic patients, virtual bodies created using real data. But the budding technology will need to be developed carefully. Some worry about who will own this highly personalized data and how it could be used. Others fear for patient autonomy: with an uncomplicated virtual record to consult, will doctors eventually bypass the patients themselves? And some simply feel a visceral repulsion at the idea of attempts to re-create humans in silico. "People will say 'I don't want you copying me,'" says Wahbi El-Bouri, who is working on digital-twin technologies. "They feel it's a part of them that you've taken."

Getting digital

Digital twins are well established in other realms of engineering; for example, they have long been used to model machinery and infrastructure. The term may have become a marketing buzzword lately, but for those working on health applications, it means something very specific. "We can think of a digital twin as having three separate components," says El-Bouri, a biomedical engineer at the University of Liverpool in the UK. The first is the thing being modeled. That might be a jet engine or a bridge, or it could be a person's heart. Essentially, it's what we want to test or study.
The second component is the digital replica of that object, which can be created by taking lots of measurements from the real thing and entering them into a computer. For a heart, that might mean blood pressure recordings as well as MRI and CT scans. The third is new data that's fed into the model. A true digital twin should be updated in real time, for example, with information collected from wearable sensors, if it's a model of someone's heart. And the information transfer should run both ways. Just as sensors can deliver data from a person's heart, the computer can model potential outcomes to make predictions and feed them back to a patient or health-care provider. A medical team might want to predict how a person will respond to a drug, for example, or test various surgical procedures on a digital model before operating in real life. By this definition, pretty much any smart device that tracks some aspect of your health could be considered a kind of rudimentary digital twin. "You could say that an Apple Watch fulfills the definition of a digital twin in an unexciting way," says Niederer. "It tells you if you're in atrial fibrillation or not." But the kind of digital twin that researchers like Niederer are working on is far more intricate and detailed. It could provide specific guidance on which disease risks a person faces, what medicines might be most effective, or how any surgeries should proceed. We're not quite there yet. "Taking measurements of airplanes and bridges is one thing. It's much harder to get a continuous data feed from a person, especially when you need details about the inner functions of the heart or brain," says Niederer.
As things stand, engineers are technically creating "patient-specific models" based on previously collected hospital and research data, which is not continually updated. The most advanced medical digital twins are those built to match human hearts. These were the first to be attempted, partly because the heart is essentially a pump, a device familiar to engineers, and partly because heart disease is responsible for so much ill health and death, says El-Bouri. Now, advances in imaging technology and computer processing power are enabling researchers to mimic the organ with the level of fidelity that clinical applications require.

Building a heart

The first step to building a digital heart is to collect images of the real thing. Each team will have its own slightly different approach, but generally, they all start with MRI and CT scans of a person's heart. These can be entered into computer software to create a 3D movie. Some scans will also highlight any areas of damaged tissue, which might disrupt the way the electrical pulses that control heart muscle contraction travel through the organ. The next step is to break this 3D model down into tiny chunks. Engineers use the term "computational mesh" to describe the result; it can look like an image of the heart made up of thousands of 3D pieces. Each segment represents a small collection of cells and can be assigned properties based on how well they are expected to propagate an electrical impulse. "It's all equations," says Natalia Trayanova, a biomedical engineering professor based at Johns Hopkins University in Baltimore, Maryland.

[Image caption: This computer model of the human heart shows how electrical signals pass through heart tissue. The model was created by Marina Strocchi, who works with Steven Niederer at Imperial College London. Courtesy of Marina Strocchi.]

As things stand, these properties involve some approximation.
Engineers will guess how well each bit of heart works by extrapolating from previous studies of human hearts or past research on the disease the person has. The end result is a beating, pumping model of a real heart. "When we have that model, you can poke it and prod it and see under what circumstances stuff will happen," says Trayanova. Her digital twins are already being trialed to help people with atrial fibrillation, a fairly common condition that can trigger an irregular heartbeat, too fast or all over the place. One treatment option is to burn off the bits of heart tissue responsible for the disrupted rhythm. It's usually left to a surgical team to figure out which bits to target. For Trayanova, the pokes and prods are designed to help surgeons with that decision. Scans might highlight a few regions of damaged or scarred tissue. Her team can then construct a digital twin to help locate the underlying source of the damage. In total, the tool will likely suggest two or three regions to destroy, though in rare instances, it has shown many more, says Trayanova: "They just have to trust us." So far, 59 people have been through the trial. More are planned. In cases like these, the models don't always need to be continually updated, Trayanova says. A heart surgeon might need to run simulations only to know where to implant a device, for example. Once that operation is over, no more data might be needed, she says.

Quasi patients

At his lab on the campus of Hammersmith Hospital in London, Niederer has also been building virtual hearts. He is exploring whether his models could be used to find the best place to implant pacemakers. His approach is similar to Trayanova's, but his models also incorporate ECG data from patients. These recordings give a sense of how electrical pulses pass through the heart tissue, he says.
So far, Niederer and his colleagues have published a small trial in which models of 10 patients' hearts were evaluated by doctors but not used to inform surgical decisions. Still, Niederer is already getting requests from device manufacturers to run virtual tests of their products. A couple have asked him to choose places where their battery-operated pacemaker devices can sit without bumping into heart tissue, he says. Not only can Niederer and his colleagues run this test virtually, but they can do it for hearts of various different sizes. The team can test the device in hundreds of potential locations, within hundreds of different virtual hearts. "And we can do it in a week," he adds. This is an example of what scientists call "in silico trials", clinical trials run on a computer. In some cases, it's not just the trials that are digital. The volunteers are, too. El-Bouri and his colleagues are working on ways to create "synthetic" participants for their clinical trials. The team starts with data collected from real people and uses this to create all-new digital organs with a mishmash of characteristics from the real volunteers. Specifically, one of El-Bouri's interests is stroke, a medical emergency in which clots or bleeds prevent blood flow in parts of the brain. For their research, he and his colleagues model the brain, along with the blood vessels that feed it. "You could create lots and lots of different shapes and sizes of these brains based on patient data," says El-Bouri. Once he and his team create a group of synthetic patient brains, they can test how these clots might change the flow of blood or oxygen, or how and where brain tissue is affected. They can test the impact of certain drugs, or see what might happen if a stent is used to remove the blockage.
For another project, El-Bouri is creating synthetic retinas. From a starting point of 100 or so retinal scans from real people, his team can generate 200 or more synthetic eyes "just like that," he says. The trick is to figure out the math behind the distribution of blood vessels and re-create it through a set of algorithms. Now he is hoping to use those synthetic eyes in drug trials, among other things, to find the best treatment doses for people with age-related macular degeneration, a common condition that can lead to blindness. These in silico trials could be especially useful for helping us figure out the best treatments for pregnant people, a group that is notoriously excluded from many clinical trials. That's for fear that an experimental treatment might harm a fetus, says Michelle Oyen, a professor of biomedical engineering at Wayne State University in Detroit. Oyen is creating digital twins of pregnancy. It's a challenge to get the information needed to feed the models; during pregnancy, people are generally advised to avoid scans or invasive investigations they don't need. "We're much more limited in terms of the data that we can get," she says. Her team does make use of ultrasound images, including a form of ultrasound that allows the team to measure blood flow. From those images, they can see how blood flow in the uterus and the placenta, the organ that supports a fetus, might be linked to the fetus's growth and development, for example. For now, Oyen and her colleagues aren't creating models of the fetuses themselves; they're focusing on the fetal environment, which includes the placenta and uterus. A baby needs a healthy, functioning placenta in order to survive; if the organ starts to fail, stillbirth can be the tragic outcome. Oyen is working on ways to monitor the placenta in real time during pregnancy. These readings could be fed back to a digital twin.
If she can find a way to tell when the placenta is failing, doctors might be able to intervene to save the baby, she says. "I think this is a game changer for pregnancy research," she adds, "because this basically gives us ways of doing research in pregnancy that [carries a minimal] risk of harm to the fetus or of harm to the mother." In another project, the team is looking at the impact of cesarean section scars on pregnancies. When a baby is delivered by C-section, surgeons cut through multiple layers of tissue in the abdomen, including the uterus. Scars that don't heal well become weak spots in the uterus, potentially causing problems for future pregnancies. By modeling these scars in digital twins, Oyen hopes to be able to simulate how future pregnancies might pan out, and determine if or when specialist care might be called for. Eventually, Oyen wants to create a full virtual replica of the pregnant uterus, fetus and all. "But we're not there yet; we're decades behind the cardiovascular people," she says. "That's pregnancy research in a nutshell," she adds. "We're always decades behind."

Twinning

It's all very well to generate virtual body parts, but the human body functions as a whole. That's why the grand plan for digital twins involves replicas of entire people. "Long term, the whole body would be fantastic," says El-Bouri. It may not be all that far off, either. Various research teams are already building models of the heart, brain, lungs, kidneys, liver, musculoskeletal system, blood vessels, immune system, eye, ear, and more. "If we were to take every research group that works on digital twins across the world at the moment, I think you could put [a body] together," says El-Bouri. "I think there's even someone working on the tongue," he adds. The challenge is bringing together all the various researchers, with the different approaches and different code involved in creating and using their models, says El-Bouri. "Everything exists," he says.
"It's just putting it together that's going to be the issue." In theory, such whole-body twins could revolutionize health care. Trayanova envisions a future in which a digital twin is just another part of a person's medical record, one that a doctor can use to decide on a course of treatment. But El-Bouri says he receives mixed reactions to the idea. "Some people think it's really exciting and really cool," he says. But he's also met people who are strongly opposed to the idea of having a virtual copy of themselves exist on a computer somewhere: "They don't want any part of that." Researchers need to make more of an effort to engage with the public to find out how people feel about the technology, he says. There are also concerns over patient autonomy. If a doctor has access to a patient's digital twin and can use it to guide decisions about medical care, where does the patient's own input come into the equation? Some of those working to create digital twins point out that the models could reveal whether patients have taken their daily meds or what they've eaten that week. Will clinicians eventually come to see digital twins as a more reliable source of information than people's self-reporting? Doctors should not be allowed to bypass patients and just ask the machine, says Matthias Braun, a social ethicist at the University of Bonn in Germany. There would be no informed consent, which would infringe on autonomy and maybe cause harm, he says. After all, we are not machines with broken parts. Two individuals with the same diagnosis can have very different experiences and lead very different lives. However, there are cases in which patients are not able to make decisions about their own treatment, for example, if they are unconscious. In those cases, clinicians try to find a proxy, someone authorized to make decisions on the patient's behalf.
A digital psychological twin, trained on a person's medical data and digital footprint, could potentially act as a better surrogate than, for example, a relative who doesn't know the person's preferences, he says. If using digital twins in patient care is problematic, in silico trials can also raise issues. Jantina de Vries, an ethicist at the University of Cape Town, points out that the data used to create digital twins and synthetic "quasi patients" will come from people who can be scanned, measured, and monitored. This group is unlikely to include many of those living on the African continent, who won't have ready access to those technologies. "The problem of data scarcity directly translates into technologies that are not geared to think about diverse bodies," she says. De Vries thinks the data should belong to the public in order to ensure that as many people benefit from digital-twin technologies as possible. Every record should be anonymized and kept within a public database that researchers around the world can access and make use of, she says. The people who participate in Trayanova's trials "explicitly give me consent to know their data, and to know who they are [everything] about them," she says. The people taking part in Niederer's research also provide consent for their data to be used by the medical and research teams. But while clinicians have access to all medical data, researchers access only anonymized or pseudonymized data, Niederer says. In some cases, researchers will also ask participants to consent to sharing their fully anonymized data in public repositories. This is the only data that companies are able to access, he adds: "We do not share [our] data sets outside of the research or medical teams, and we do not share them with companies." El-Bouri thinks that patients should receive some form of compensation in exchange for sharing their health data. Perhaps they should get preferential access to medications and devices based on that data, he suggests.
At any rate, "[full] anonymization is tricky, particularly if you're taking patient scans to develop twins," he says. "Technically, if someone tried really hard, they might be able to piece back who someone is through scans and twins of organs." When I looked at those anonymous plastic hearts, stored in a cardboard box tucked away on a shelf in the corner of an office, they felt completely divorced from the people whose real, beating hearts they were modeled on. But digital twins seem different somehow. They're animated replicas, digital copies that certainly appear to have some sort of life. "People often think, Oh, this is just a simulation," says El-Bouri. "But it's a digital representation of an individual."