Pluralistic: 15 Apr 2020

Today's links



Jailbreak for CPAP machine reveals hidden ventilator functionality (Permalink)

Right to Repair has never been more urgent. There's a reason farmers have been on the front lines of R2R: they have pressing deadlines ("make hay while the sun shines") and are located far from service depots and transport hubs.

That's why farms have workshops and even forges. They have to rely on their own ingenuity to fix their stuff, or they have to do without, often at critical junctures.

During the pandemic, hospitals have taken on the characteristics of farmers: isolated from service, with urgent needs. And so have we all, to a greater or lesser extent, as our stuff breaks down and no one is around to fix it.

https://pluralistic.net/2020/03/20/pluralistic-20-mar-2020/#r2r

There are three major reasons companies like Apple, John Deere and Medtronic have fought so hard against R2R, killing 20 bills at the state level:

  1. It lets them charge you extra for repairs and parts.
  2. It lets them decide when a device needs to be retired so they can sell you a new one (Tim Cook called longer iPhone usage cycles the biggest threat to Apple profits).
  3. It lets them charge you extra for features already in the device. Independent repair could subvert this, committing "Contempt of Business Model."

This is rampant in med-tech. Think of sleep apnea CPAP devices: they have proprietary data formats that allow manufacturers to charge doctors to monitor their use.

https://www.vice.com/en_us/article/xwjd4w/im-possibly-alive-because-it-exists-why-sleep-apnea-patients-rely-on-a-cpap-machine-hacker

They're also riddled with spyware that lets insurers gouge you on consumables and deny benefits to people who need them:

https://www.propublica.org/article/you-snooze-you-lose-insurers-make-the-old-adage-literally-true

Enter Resmed's Airsense 10, a CPAP machine that the company claims cannot be retrofitted to perform ventilator functions, because it can only push air, not pull it out again:

https://www.resmed.com/en-us/sleep-apnea/cpap-parts-support/sleep-apnea-full-products-list/cpap-machines/airsense-10/

Security researcher Trammell Hudson analyzed the Airsense 10 and found a mode in its firmware that allows it to pump air both in and out of the user's lungs. He's released Airbreak, a jailbreaking patch for the Airsense to turn it into a limited ventilator replacement.

https://airbreak.dev/

This is presently only for research purposes. As Hudson writes, "in its current form [this patch] should be considered a proof of concept and is not intended for use in a life-support capacity."

https://arstechnica.com/information-technology/2020/04/firmware-jailbreak-lets-low-cost-medical-devices-act-like-ventilators/

Significantly, the jailbreak brings "the AirSense S10 to near feature parity with BiPAP machines from the same manufacturer, boost the maximum pressure output available, and provide a starting point to add more advanced emergency ventilator functionality."

Hudson and colleagues are calling on Resmed to release an official, supported patch that enables the latent functionality in their widely available, low-cost CPAP machine.



State treasurers demand ventilator manufacturers publish manuals (Permalink)

The treasurers of Colorado, Pennsylvania, Illinois, Delaware, and Rhode Island have demanded that ventilator manufacturers "release all service manuals, service keys, and schematics" so hospitals can maintain their equipment during the crisis.

https://www.patreasury.gov/newsroom/archive/2020/04-14-Call-On-Manufacturers.html

This follows on from US PIRG's delivery of a 43,000 signature petition to the major manufacturers:

https://uspirg.org/news/usp/43000-call-ventilator-manufacturers-release-repair-information

Med-techs are having to violate copyright law and risk civil and criminal penalties to maintain lifesaving equipment, and the alternative is letting people die.

https://www.youtube.com/watch?v=OuF9C4wdtAk

The iFixit folks are maintaining a repository of med-tech repair info, and are looking for your contributions, should you have any scanned manuals, etc.

https://www.ifixit.com/News/36899/five-state-treasurers-demand-the-right-to-repair-from-ventilator-makers



Ten graphic novels for kids, teens and adults in lockdown (Permalink)

I made a list of ten great graphic novels for the True North Comics podcast, including kids' comics and stuff for teens and grownups (including nonfiction and memoir):

https://truenorthcountrycomics.com/2020/04/15/cory-doctorows-top-10-go-to-comic-book-graphic-novel-list/

For kids: Dragons Beware/Giants Beware (Rafael Rosado/Jorge Aguirre); The Glorkian Warrior Eats Adventure Pie/The Glorkian Warrior Delivers a Pizza (James Kochalka: You will laugh until you weep. Such amazing parent/kid bedtime reading); Phoebe and Her Unicorn (Dana Simpson)

For teens: Drawn To Sex (Erika Moen and Matthew Nolan)

Adults (comics): Bloom County Episode XI: A New Hope (Berkeley Breathed: Trump has done some really terrible things, but at least he brought Breathed out of retirement); YUGE! (Garry Trudeau)

Adults (memoir): Girl on Film (Cecil Castellucci: A memoir of growing up in the arts, but also a true story about the biological nature of memory.)

Adults (nonfic): Making Comics (Lynda Barry: She’s a certified MacArthur ‘Genius’ and this shows why: her method for making comics is really a way of making meaning.)

Adults (fic): Paper Girls (Brian K. Vaughan and Cliff Chiang); Woman World (Aminder Dhaliwal); Concrete Park (Tony Puryear: The first two are so good, afrofuturist masterpieces, really — but the creator appears to have orphaned them. Maybe this will nudge him to finish?)



One person is in charge of oversight for $2.2T in stimulus

Bharat Ramamurti is the sole member of the Congressional Oversight Commission

Congress has appointed just one person to oversee the $2.2 trillion stimulus. That person has no staff, office, or colleagues. He communicates with the public solely by his Twitter account.

His name is Bharat Ramamurti, and he just got his blue tick.

https://twitter.com/BharatRamamurti/status/1247246657185615872

Ramamurti, a former Warren staffer, is the sole member of the Congressional Oversight Commission. He also oversees the Main Street Lending Facility, which offers federal loans to businesses with fewer than 10k employees/$2.5B in revenues.

https://www.bloomberg.com/news/articles/2020-04-14/virus-fund-cop-awaiting-help-watches-2-trillion-bailout-alone

He must prepare and release a report on the stimulus spending within 30 days. The other committee positions remain vacant because Nancy Pelosi, Kevin McCarthy and Mitch McConnell have failed to make their appointments, and Pelosi and McConnell have not jointly chosen a chair.

Meanwhile, Ramamurti is diligently trying to prepare his report by tweeting questions to Congress, asking how the money is being spent.

https://twitter.com/BharatRamamurti/status/1248254926708506624

Ramamurti doesn't even have an Inspector General to backstop his work because…Trump fired the IG, Glenn A. Fine.

Lest you think this is unique to late-stage grifterism's approach to handing out massive checks to plutes, recall the situation when Obama appointed the (now disgraced sexual predator) Eric Schneiderman to hand out billions in the 2012 National Mortgage Settlement.

Schneiderman was given no staff or office – not even a desk. While laboring in obscurity, Schneiderman handed out get-out-of-jail-free cards to bankers who were preying on 12m homeowners who were in $700b in debt.

https://www.nakedcapitalism.com/2012/09/yes-really-truly-no-joke-that-schneiderman-mortgage-task-force-is-gonna-get-someone-soon.html

At least Ramamurti is genuinely committed to ensuring that trillions are not used to line the pockets of the super-rich while leaving the rest of us to starve. Pity he doesn't even have a single person to help him.



Universities want to infect students’ laptops with undetectable rootkits (Permalink)

The Australian National University is insisting that students install "invigilation" software that monitors their computer use to prevent cheating during tests.

This is incredibly worrisome.

https://www.woroni.com.au/news/analysis-the-issues-surrounding-anus-proposed-online-invigilation/

These exam proctoring tools are typically rootkits that sink incredibly deep hooks into the OS, and it's not really feasible for students to determine whether these tools have been fully removed, or even whether they're currently operating.

That's by design: proctoring tools have to run with more privilege than even root users have, so they can detect cheating tools.

This has broad implications, especially for nonacademic uses of the laptops that have these tools installed.

Think of what it means to have university-supplied, unremovable, omnipotent rootkits installed on the laptop that you ALSO use for finance, dating, telemedicine, and psychiatric counselling.

Or what it means to have this installed on a laptop that you share with a household.

This is an increasingly common situation, because laptops are how you participate in society during lockdown, and the economy is imploding, leaving parents, siblings, and co-habitants to share a laptop or be excluded from the world because they can't afford to buy their own.

That means that your parents' employers' trade secrets are being monitored by university-supplied spyware.

Worse still, uni IT departments – which have always struggled with security and ops – are stretched thinner than ever, facing layoffs/furloughs/hiring freezes.

Key personnel are on sick leave (or have died in the pandemic), and those who remain are being asked to support orders of magnitude more activity than ever before. It's a bonanza for cybercriminals as their traditional adversaries are overtaxed and understaffed.

This is generally worrisome, but it's particularly a problem with ANU, which has a history of ghastly cybersecurity failures and massive breaches.

https://www.smh.com.au/politics/federal/chinese-hackers-breach-anu-putting-national-security-at-risk-20180706-p4zq0q.html

Compromising online proctoring software is a really scary prospect: if someone can seize control of the university's back-end, then, by design, they can undetectably and unstoppably take over the computers of the entire student body.

A massive explosion in Zoom use revealed unforeseen failure modes and new defects. We should expect this to happen again with invigilation tools. The difference is that invigilation tools are designed to operate against computer owners' consent, and to hide those operations.

That makes their defects far more consequential.

This is a ticking timebomb.

(Image: Rawpixel Ltd, Cryteria, CC-BY, modified)



I Void Warranties for a Living (Permalink)

Jilles has created a set of "I Void Warranties For A Living" stickers that you can get for a name-your-price donation via Stickertrade or by Paypal to jilles@jilles.com. I've asked for a set and sent along NZ15, which seemed like a fair price?

https://stickertrade.me/profiles/view/jilles-com

A note to Americans: Independent repair DOES NOT VOID YOUR WARRANTY and has not since 1975!

https://en.wikipedia.org/wiki/Magnuson%E2%80%93Moss_Warranty_Act



2600 Magazine hit hard by pandemic (Permalink)

Like all magazines, the venerable hacker quarterly 2600 has been hit by the pandemic. In their case, they printed a full run of their current issue, then had their distributor bail on them because all the bookstores are closed.

https://2600.com/content/spring-issue-2600-released-important-news

You can help rescue them by buying the current ish as a DRM-free PDF/Mobi/Epub:

https://store.2600.com/collections/2010-2015/products/new-issue-pdf-spring-2020

They're also selling an anthology of all of 2019's issues as a PDF:

https://store.2600.com/collections/2010-2015/products/complete-2019-pdf-version

I have a lifetime sub to 2600, and I've been reading it for decades. I've even contributed to it. I love it to pieces (literally, some of my old issues are falling apart). It is a force for good in the world.



This day in history (Permalink)

#15yrsago India's amazing statement on IP and international development https://web.archive.org/web/20050417231302/http://lists.essential.org/pipermail/a2k/2005-April/000241.html

#10yrsago Big Content's dystopian wish-list for the US gov't: spyware, censorship, physical searches and SWAT teams https://www.eff.org/deeplinks/2010/04/entertainment-industrys-dystopia-future

#10yrsago JK Rowling on Britain's Conservative "nasty" Party https://web.archive.org/web/20100423213108/http://www.timesonline.co.uk/tol/comment/columnists/guest_contributors/article7096786.ece

#5yrsago Arkansas cops send malware to whistleblowers' lawyers https://arstechnica.com/information-technology/2015/04/lawyer-representing-whistle-blowers-finds-malware-on-drive-supplied-by-cops/

#1yrago Leaked, "highly classified" French report shows that the slaughter in Yemen depends on US support https://theintercept.com/2019/04/15/saudi-weapons-yemen-us-france/

#1yrago RIP, science fiction and fantasy Grand Master Gene Wolfe, 1931-2019 https://www.tor.com/2019/04/15/gene-wolfe-in-memoriam-1931-2019/

#1yrago Investors controlling $3B in Facebook stock demand Zuckerberg's ouster, and they will lose https://www.businessinsider.com/facebook-investors-will-vote-to-oust-mark-zuckerberg-as-chairman-2019-4

#1yrago Silicon Valley's techie uprisings reveal growing support for socialism in tech https://www.salon.com/2019/04/11/silicon-valley-once-a-bastion-of-libertarianism-sees-a-budding-socialist-movement/

#1yrago Not just Apple: Microsoft has been quietly lobbying to kill Right to Repair bills https://medium.com/u-s-pirg/microsoft-named-as-stopping-right-to-repair-in-washington-b880bf4ad052

#1yrago EFF to Facebook: enforce your rules banning cops from creating sockpuppet accounts and be transparent when you catch cops doing it https://www.eff.org/deeplinks/2019/04/facebook-must-take-these-four-steps-counter-police-sock-puppets

#1yrago America today feels like the last days of the Soviet Union https://eand.co/how-american-collapse-resembles-soviet-collapse-94773b44fe17

#1yrago Air tanker drops are often useless for fighting wildfires, but politicians order them because they make good TV https://www.latimes.com/local/la-me-wildfires29-2008jul29-story.html

#1yrago The #ShellPapers: crowdsourcing analysis of all correspondence between Shell and the Dutch government https://www.ftm.nl/dossier/shell-papers



Colophon (Permalink)

Today's top sources: Aestetix (https://aestetix.com), UEberLauch (https://twitter.com/UEberLauch), Slashdot (https://slashdot.org/), Naked Capitalism (https://nakedcapitalism.com/).

Currently writing: My next novel, "The Lost Cause," a post-GND novel about truth and reconciliation

Currently reading: I'm getting really into Anna Wiener's memoir about tech, "Uncanny Valley," and Jo Walton's forthcoming novel "Or What You Will."

Latest podcast: Podcast swap: Wil Wheaton on Little Brother https://craphound.com/podcast/2020/04/13/podcast-swap-wil-wheaton-on-little-brother/

Upcoming appearances:

Upcoming books: "Poesy the Monster Slayer" (Jul 2020), a picture book about monsters, bedtime, gender, and kicking ass. Pre-order here: https://us.macmillan.com/books/9781626723627?utm_source=socialmedia&utm_medium=socialpost&utm_term=na-poesycorypreorder&utm_content=na-preorder-buynow&utm_campaign=9781626723627

(we're having a launch for it in Burbank on July 11 at Dark Delicacies and you can get me AND Poesy to sign it and Dark Del will ship it to the monster kids in your life in time for the release date).

"Attack Surface": The third Little Brother book, Oct 20, 2020. https://us.macmillan.com/books/9781250757531

"Little Brother/Homeland": A reissue omnibus edition with a new introduction by Edward Snowden: https://us.macmillan.com/books/9781250774583


This work is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/web/accounts/303320

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://www.tumblr.com/tagged/pluralistic

When life gives you SARS, you make sarsaparilla -Joey "Accordion Guy" DeVilla