Pluralistic: 03 Apr 2020

Today's links

  1. The Public Domain Review Coloring Book: Hokusai, Albrecht Dürer, Harry Clarke, Virginia Frances Sterrett, etc.
  2. Amazon's leaked anti-worker smear plan: They put it in writing.
  3. Wikipedia vs patent troll: No, you didn't invent autocomplete.
  4. Bug bounty programs as catch-and-kills: Companies are not good stewards of their own bad news.
  5. The Tea Party killed pandemic preparedness: "No one warned us" -Congressman who was warned repeatedly.
  6. This day in history: 2019
  7. Colophon: Recent publications, upcoming appearances, current writing projects, current reading

The Public Domain Review Coloring Book

The Public Domain Review has published a coloring book of beautifully retouched public domain line-art for locked-in diversions, featuring "Hokusai, Albrecht Dürer, Harry Clarke, Virginia Frances Sterrett, Jessie M. King, Aubrey Beardsley, and more."

Download as A4:

Or letter:

Amazon's leaked anti-worker smear plan

What's stupider than firing the warehouse manager who organized an Amazon warehouse walkout over covid contamination?

Writing a memo explaining how you plan to smear that organizer to neutralize your own workers' demands for a safe work environment, assuming, incorrectly, that it won't leak.


Amazon General Counsel David Zapolsky's leaked memo said that the fired warehouse worker, Christian Smalls, was "not smart or articulate" and suggested that the company make him "the face of the entire union/organizing movement."

Zapolsky's memo set out the company's messaging, that Smalls's leadership of the walkout was "immoral, unacceptable, and arguably illegal, in detail, and only then follow with our usual talking points about worker safety."

Zapolsky told Motherboard that he "was frustrated and upset that an Amazon employee would endanger the health and safety of other Amazonians."

In Smalls's interview with Jeremy Scahill on the Intercepted podcast, he describes how he decided to risk his livelihood in the midst of a pandemic to protect his coworkers, who were visibly sick with covid but not given paid leave.

How all he wanted from the company was a deep clean of the warehouse – as they'd done in other contaminated facilities – and paid leave while their workplace was made safe. Having read Zapolsky's leaked candid remarks and heard Smalls make his case, I know who I believe.

Wikipedia vs patent troll

Worldlogic is a patent troll, who claim to own a patent over searchboxes that autocomplete your queries. They don't make tools, they make lawsuits…against people who make tools. When that patent was litigated, courts found it likely to be invalid.

Alas (and predictably), Worldlogic settled that case before the court could annihilate their bullshit patent. That way, they got to use it to threaten other productive toolmakers to collect rent for socially useless parasites.

For example, they have threatened Wikipedia and the Internet Archive, who have asked a court to invalidate their patent.

It's likely we'll see their arguments in July. For now, you can enjoy Wikipedia's lawyers' letter explaining in eyewatering detail that these trolls did not invent autocomplete.

Bug bounty programs as catch-and-kills

You entrust digital products with a lot: from your thermostat to your car's informatics to your pacemaker to your email and financial data, defects in computers can expose you to potentially enormous risk.

The only thing worse than using a defective product is unknowingly using a defective product (having faulty brakes is bad, discovering your brakes are faulty on the highway is much, much worse).

Tech companies have long asserted that they alone have the right to decide who can disclose true facts about defects in their products…for safety. If randos who discover their mistakes make disclosures without warning companies, then "bad guys" will exploit the bugs.

There's a legitimate ethical debate about the best way to make bug disclosures, but even if you believe that someone should be the official, legal custodian of Bad News About a Company's Products, it's commonsense that the company itself should not be that custodian.

It seems obvious that, in the US, the First Amendment protects your right to make truthful disclosures about defective products. Yet, corporations (led by Oracle) have stretched the disastrously vague, Reagan-era Computer Fraud and Abuse Act to threaten (and, sometimes, imprison) researchers who make these disclosures without permission.

It's not just CFAA. Sec 1201 of the Digital Millennium Copyright Act provides 5 years prison/$500k fine for first offenses to anyone who "trafficks" in a "circumvention device". So publishing proof-of-concept code demonstrating vulns in systems with DRM is a potential felony.

Enter the Vulnerability Disclosure Program and its freespending cousin, the Bug Bounty Program. Under these "managed disclosure" systems, companies invite security researchers to reveal their findings.

In theory, this is how we want things to work: rather than coercing researchers into silence, companies entice them into cooperation, say, by promising to publish all reported bugs themselves after a suitable period to investigate and fix them.

Maybe they even pay researchers for going the managed disclosure route.

In practice, though, criminal and civil threats loom large over these programs. Companies offer cash and immunity to researchers as a carrot, but they hold out fines and prison as a stick.

And it turns out that, yup, companies are really shitty stewards of bad news about their own products. When companies get to set terms on which hackers talk to them first, they set terms that bind researchers to long periods (sometimes indefinite) of silence.

And the companies also reserve the right to decide whether they will ever reveal the bugs to us poor suckers trusting their products with our money, privacy and lives, whether they'll ever patch those products, etc.

But a few years back, some people had an idea to turn this bug into a feature: they'd start VC-backed companies that would manage bug bounties and disclosure programs for companies. They'd organize researchers, validate findings, manage thorny comms with the companies…

They'd build platforms where researchers could flock and socialize and collaborate and become millionaires (!) by working with companies, instead of against them.

That didn't work out so great. Because the hackers that the companies were supposed to protect weren't these companies' customers – the tech companies whose products they were testing were the customers.

So the companies whose worst impulses the bug-management platforms were supposed to be blunting ended up running the show, and the reporting platforms became a catch-and-kill system for vulns.

Hackers who join these platforms to earn big by doing the right thing instead find that they are required to sign indefinite, one-sided NDAs that prevent them from disclosing anything, even the fact that they signed an NDA.

And the companies don't have to make any promises (apart from payment…sometimes) to do anything about the bugs that are brought to them by researchers.

In JM Porup's excellent piece on this for CSO Magazine, he describes how the VC-backed, growth-oriented bug-bounty platforms are incentivized to, uh, overstate how much money hackers can make from using them, and what kind of results they can expect.

Reading between the lines, and talking with former Hackerone exec Katie Moussouris, Porup makes a pretty good case that apart from statistically insignificant outliers, there's not much money to be made by using these platforms, and the price of admission is silence and inaction.

Porup also makes the case that bug bounty platforms are potentially violating California's employment law, and the GDPR. He also debunks claims that their operations follow the ISO standards for bug disclosure (which Moussouris co-authored).

I think that the outcome here was entirely predictable. The bug bounty platforms have tacitly endorsed the idea that it is/should be illegal to tell the truth about defective products without permission from the products' manufacturers.

Inevitably, deputizing companies to decide who can warn their customers that their products can't be trusted ends with those companies abusing that power. Period. To imagine otherwise is to engage in fantasy. It's the kind of motivated reasoning that looks great in a VC pitch but is a disaster in the world.

(Image: Christoph Scholz, CC BY-SA)

The Tea Party killed pandemic preparedness

In 2010, the CDC funded a report urging the federal government to treat public health preparedness "on par with federal and state funding for other national security response capabilities." Specifically, they called for N95 mask stockpiling.

The Obama administration asked Congress to allocate funds for this purpose. The Tea Party-dominated Republicans killed those allocations, starving the program of $321m in the years since.

In 2011, the Tea Party Republicans in Congress killed another appropriation for public health preparedness, after the swine flu emergency demolished existing PPE stockpiles.

In 2011, after the debt-ceiling crisis, Senate and Congressional GOP officials again slashed funding for health emergencies. Tom Harkin, the Democratic chair of the Senate appropriations committee said at the time, "We’re now getting into the bone marrow."

The Obama administration repeatedly begged Tea Party Congressjerks to appropriate for public health emergencies, warning of the dire consequences of a pandemic.

During the zika crisis, the Tea Party gave Obama half of what he said he needed for future health emergencies.

In 2016, an urgent National Academies of Science Report affirmed the need for massive spending to improve public health preparedness.

Since the 2016 elections, the Trump administration has repeatedly called for massive cuts to CDC funding.

When Propublica asked retired Tea Party Congressman Denny Rehberg (who chaired the appropriations subcommittee responsible for overseeing the stockpile in 2011) about this, he told them that this emergency was as unforeseeable as 9/11.

This is the GOP line: no one could have foreseen this. It's Trump's line: he inherited this mess from Democrats. The reality is that the Tea Party was told, and told, and told again. And they did less than nothing: not merely failing to act but actually making things worse.

This day in history

#1yrago Elizabeth Warren proposes holding execs criminally liable for scams and data breaches

#1yrago 540 million Facebook users' data exposed by third party developers

#1yrago After months of insisting that #Article13 doesn't require filters, top EU Commissioner says "Article 13 requires filters"

#1yrago After years of insisting that DRM in HTML wouldn't block open source implementations, Google says it won't support open source implementations

#1yrago How EFF's Eva Galperin plans to destroy the stalkerware industry

Colophon

Today's top sources: Bruce Schneier (

Currently writing: I'm getting geared up to start work on my next novel, "The Lost Cause," a post-GND novel about truth and reconciliation.

Currently reading: Just started Lauren Beukes's forthcoming Afterland: it's Y the Last Man plus plus, and two chapters in, it's amazeballs. Last month, I finished Andrea Bernstein's "American Oligarchs"; it's a magnificent history of the Kushner and Trump families, showing how they cheated, stole and lied their way into power. I'm getting really into Anna Wiener's memoir about tech, "Uncanny Valley." I just loaded Matt Stoller's "Goliath" onto my underwater MP3 player and I'm listening to it as I swim laps.

Latest podcast: Author’s Note from Attack Surface

Upcoming appearances:

Upcoming books: "Poesy the Monster Slayer" (Jul 2020), a picture book about monsters, bedtime, gender, and kicking ass. Pre-order here:

(we're having a launch for it in Burbank on July 11 at Dark Delicacies and you can get me AND Poesy to sign it and Dark Del will ship it to the monster kids in your life in time for the release date).

"Attack Surface": The third Little Brother book, Oct 20, 2020.

"Little Brother/Homeland": A reissue omnibus edition with a new introduction by Edward Snowden:

This work is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

When life gives you SARS, you make sarsaparilla -Joey "Accordion Guy" DeVilla