Pluralistic: 13 May 2020


Today's links



University requires students to buy nonexistent webcams (permalink)

Math students at Wilfrid Laurier University in Waterloo, Ontario have been ordered to buy an external webcam and a means of fixing it over their shoulder so that proctors can watch them as they sit exams.

https://www.ourwindsor.ca/news-story/9973888-math-students-at-wilfrid-laurier-furious-after-department-orders-them-to-buy-external-webcams-for-exams/

A high-handed note from Math Dept chair Roman Makarov told students, "there are no alternatives to writing exams in this manner."

The department has been unsympathetic to pleas from students who point out that all the online retailers are sold out of webcams, and the stock on Ebay is a mix of poor-quality products, counterfeits, and resold items from ruthless price-gougers.

A university spox said that the school would find "options for students who face difficulty obtaining external webcams" but didn't delve into details, beyond pointing out that the chair had recommended "borrowing or renting equipment and pointing to financial supports…"

Students are also required to use Respondus's spyware "invigilation" tool while sitting exams.

The student union has raised the issue of whether "proper non-tuition fee/expense guidelines are followed."

(Image: GatorEG, CC BY-SA, modified; Cryteria, CC BY, modified)



Gadget that adds steps to your Fitbit (permalink)

In the USA, your health insurance deductible can be tied to the number of steps you get in on your Fitbit, "which is great when gyms are closed and everyone is stuck at home during a global health crisis."

https://twitter.com/DrAndrewThaler/status/1260294487034810374

The solution* is the Restepper, Andrew Thaler's open source hardware gadget that uses an arduino-controlled mechanism to generate plausible steps for your Fitbit to count. Cost of goods? Less than $100.

https://github.com/SouthernFriedScientist/reStepper

*Actual solution, Medicare for All, not shown here.



How Marcus Hutchins saved the world and lived to tell the tale (permalink)

You may recall the Wannacry ransomware epidemic in 2017, when hospitals, businesses and governments were shutting down because their computers were being encrypted by malware that relied on a leaked NSA cyberweapon called Eternalblue to spread.

The incidents were incredible, cinematic, even. Whole hospitals shutting down. The worm spreading like a pandemic. And then, one day, it all just…stopped.

Then we learned that an anonymous security researcher going by Malwaretech had found a "kill switch" to shut it down.

That was wild, and what was wilder was HOW Malwaretech killed it. They'd noticed that infected computers were trying to reach a weird, random, nonexistent domain, iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, and so they'd registered the domain and stood a server up there.

They were hoping to intercept some of the comms between infected computers and their botmasters, but instead, they had "sinkholed" the system, turning off the infection in every affected computer in the world.

No one's quite sure why Wannacry infections go dormant if iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com can be reached. A leading theory is that the malware's author wanted to prevent efforts to decompile and analyze their creation.

The first step in such an operation is loading the worm into a virtual machine – a simulated computer inside a real computer, which the researcher can inspect and alter with a thoroughness that is harder to achieve on real computers .

Malware in a VM is trapped inside The Matrix, a head in a jar. These VMs are often configured to answer all internet requests from the malware, in the hopes of intercepting traffic between infected systems and command-and-control servers.

Canny malware authors can use this to their advantage, writing in a subroutine that goes, "Try to contact this nonexistent server. If it answers, you're in The Matrix, so go to sleep and don't wake up until that server disappears."

So, the theory goes, by registering that server, Malwaretech had inadvertently scared every instance of the worm in the world into hibernation by convincing it that it was stuck in The Matrix, and in so doing, Malwaretech had saved the day.

Then it got weirder. The press uncovered the identity of the anonymous researcher behind Malwaretech: a British hacker named Marcus Hutchins (many people sent me this thanks to Little Brother, whose hero is also called Marcus – "A hacker named Marcus saved the world!").

Hutchins's other astounding feats of reverse engineering in service of hunting down and neutralizing other worms also gained publicity, and then he booked in to give a talk at that summer's Defcon, and that talk was hailed as a triumph by attendees.

And then Hutchins was arrested by the FBI and accused of having written Kronos, a notorious banking trojan linked to ex-Soviet crime gangs. The community rallied around him: a person of color, a foreigner, a hero, trapped in America's meat-grinder of a justice system.

They raised money, found him lawyers. Tarah Wheeler cashed in her severance pay from Symantec and used it to bail him out (racing barefoot down Vegas streets to make it to the notary on time!) and she and Deviant Ollam helped get him set up with a place to stay.

He got probono counsel from cyberlawyers like Marcia Hoffman – a former EFF colleague of mine – and Brian Klein and settled in for a long legal battle. At first, he denied having anything to do with Kronos and criminal malware.

Some of his teen activities – stuff hackers of the heroic era would call "youthful hijinx" – came to light. But then more and more evidence of Hutchins' involvement with Kronos emerged, and then he entered a guilty plea and posted a statement taking "full responsibility."

And then, even more miraculously, his sentencing judge gave him time served and let him walk away, a free man.

It was an incredible ride for those of us following it from the outside.

But the actual story of Marcus Hutchins is, if anything, even more incredible. For the cover of the current Wired, Andy Greenberg turns in a 14,000-word profile of Hutchins that tells the true, incredible tale of his life, his crimes, his adventures, and his vindication.

https://www.wired.com/story/confessions-marcus-hutchins-hacker-who-saved-the-internet/

Some details are straight out of the hacker canon, a kind of platonic Wargames ideal: brilliant kid, parents bought him a PC to stop him from disassembling theirs (but he had to build it out of parts), fought with school administrators, accused of hacking school system.

Then there's Hutchins' path into petty crimes, driven in part by intellectual curiosity and in part by necessity (just like Woz and Jobs paying bills by selling Blue Boxes door to door in their dorm). And then, the Sneakers turn: getting sucked into some serious crime.

Working for a guy called "Vinny" who cajoled and coerced Hutchins into making Kronos. Hutchins balks several times, gets sucked back in, ends up self-medicating with speed to deal with the depression and anxiety he's suffering.

This sets up a toxic dynamic where his drug-impaired judgment gets him embroiled in more trouble, and the trouble heightens his anxiety, which drives him to self-medicate further. But then, at last, he breaks free and starts writing anonymous malware analysis.

His astounding technical feats start landing him industry jobs and he has a very belated realization that not only doesn't (cyber)crime pay, but going legit pays really well. His life turns around, he saves the world – and gets busted by the FBI.

The coda is, if anything, the best part: when the judge who sentences him recognizes all of this, bringing a rare moment of nuance and compassion to the meatgrinder of the US justice system, and lets him walk away. It's the kind of happy ending you rarely get.

It's a complicated story of someone who did some terrible and foolish things and some brilliant and brave things, and who paid a price but was not destroyed, and of the community that rallied around him. It's a brilliantly told story of a brilliant security researcher.



Red states prep for postal vote (permalink)

After the Wisconsin GOP murdered voters by forcing them to vote in person, rather than by mail (citing a nonexistent, evidence-free plague of postal voter fraud), mail-in voting was shaping up to be a 2020 Election Culture War flashpoint.

https://pluralistic.net/2020/04/18/politics-of-discouragement/#measuring-discouragement

Trump's pronouncement that mail-in voting would cost Republicans the election by allowing more voter participation fanned the flames:

https://pluralistic.net/2020/03/31/reality-endorses-sanders/#voter-suppression

So you got absurdities like the AG of Texas threatening to imprison anyone who opined that voting by mail was safer than voting in person, during a once-in-a-century pandemic (proving, once again, that reality has a very unfair anti-Republican bias).

https://pluralistic.net/2020/04/21/all-in-it-together/#ken-paxton

And, in the background, a mad scramble among states to prepare for postal ballots this November:

https://pluralistic.net/2020/03/27/just-asking-questions/#save-usps

But despite this, states, Red and Blue, are actually making serious progress on expanding this postal ballot this November. Even as GOP officials in Kentucky were being blasted with FUD from far-right astroturfers like the Public Interest Legal Foundation, they pressed on.

True the Vote, the Heritage Foundation and PILF are all finding themselves sidelined as state officials side with reality over partisanship and expand their postal votes.

https://www.propublica.org/article/ignoring-trump-and-right-wing-think-tanks-red-states-expand-vote-by-mail

There'll be vastly expanded postal voting in Alabama, Georgia, Idaho, Kentucky, Nebraska, Ohio, South Dakota and W Virginia.

The reason's simple: voters, R & D, don't want in-person voting during a pandemic. 70% of Georgia voters (for example) want mail-in voting.

If you're cheering this because it'll help Dems, don't get too excited. Trump is (unsurprisingly) wrong when he says vote by mail guarantees "you’d never have a Republican elected in this country again" because not only is there no evidence of widespread postal fraud…

…There's also no evidence that this helps Dems. Indeed, postal voting is very important to older voters who are disproportionately Republicans and also at the highest risk of severe illness and death from coronavirus.

For reasons that can only be described as paranoid (or, more charitably, opportunistic), the GOP seized on postal voting as a bogeyman, likely hurting their own chances at the ballot box. And now they're squabbling with one another, mired in cognitive dissonance.

Some red states are determined to murder voters by denying them the postal ballot, like Missouri, where Gov Mike Parson called it inappropriate. People who vote there will risk death and serious illness. Parson is a Republican (the "party of life").

Meanwhile, the Heritage Foundation's master database of all known postal voter frauds found 143 cases, total, over 20 years. That's 7-8 ballots per year, 0.00006% of votes cast.

https://thehill.com/opinion/campaign/494189-lets-put-the-vote-by-mail-fraud-myth-to-rest



Corporate Dems want to bail out lobbyists and dark money orgs (permalink)

Congressional Dems have tabled their version of the third bailout, and as feared, it contains a bailout for lobbyists.

Congress wants to give money to people whose job is literally to bribe Congress.

https://pluralistic.net/2020/05/06/moloch-demands-death/#human-centipede

But as David Sirota points out, corporate Dems found a way to discredit the bailout even more: in addition to earmarking money for corporate lobbyists working at 501(c)6 orgs, they're also gonna give millions to 501(c)4 "dark money" orgs.

https://sirota.substack.com/p/war-is-peace-and-k-street-is-a-small

These are the preferred vehicle for anonymously funneling unlimited money from plutes and mega-corporations into influence campaigns that are allowed to lie to the American people to influence the outcomes of elections and regulatory proceedings.

They're getting a bailout.

Some of the eligible orgs: America’s Health Insurance Plans, Partnership for America’s Health Care Future (dark money anti-Medicare for All), PhRMA, Institute for Legal Reform (lobbies for no liability for employers whose workers die of coronavirus due to inadequate PPE), Stand Together (the Koch network) and the American Chemistry Council (fossil fuel, big chem lobbyists).

What's more, many of the companies that fund these orgs are already getting a a bailout, so they get to double-dip their snouts in the public trough.

  • Private equity lobbied to allow it to snaffle up the lion's share of small business PPP relief; its lobbying front, the American Investment Council, can get PPP relief as well under this proposal.

  • Banks are getting billions to administer PPP. This proposal makes the American Bankers Association eligible for PPP as well.

  • Airlines got a $50B bailout. Airlines For America can get a PPP bailout.

  • For-profit colleges lobbied to get to keep tuition money from students who drop out due to financial hardship. Their lobbying group, Career Education Colleges and Universities, can get a PPP bailout.

  • Boeing's getting billions in bailout money. Its lobbyist, The General Aviation Manufacturers Association, can get PPP.

Sirota: "Allowing corporate lobbying organizations and dark money groups to grab this money is akin to feudal lords gorging themselves at a lavish banquet, and then raiding the last basket of bread that starving peasants are relying on to survive outside the palace walls."

(Image: Mike Goad, CC BY SA)



Feds want national snitchlines for bosses whose workers don't want to die (permalink)

Ohio's snitchline for bosses whose workers refuse to go back to unsafe conditions was a flashpoint, as workers were given the choice to risk their lives or risk homelessness. No wonder the form was flooded with junk responses by angry people.

https://pluralistic.net/2020/05/09/im-gonna-say-it-now/#chaffing

Ohio had the first snitchline, but not the last. Iowa and Texas soon followed suit.

Iowa Workforce Development Director Beth Townsend: "fear of catching the virus would be considered a voluntary resignation, which disqualifies workers from receiving unemployment benefits."

https://pluralistic.net/2020/05/08/volcano-gods/#reopening

Now, it's going national. Trump's Department of Labor "strongly encourages [states to] request employers to provide information when workers refuse to return to their jobs for reasons that do not support their continued eligibility for benefits.”

https://www.vice.com/en_us/article/9355a3/trump-administration-wants-bosses-to-snitch-on-people-scared-to-go-to-work

"States must work to maintain program integrity by ensuring that claimants are not continuing to claim benefits when they have been offered suitable work."

As Clio Chang writes in Vice, it's the logical terminus of decades of US policy that has focused on fighting fraud to the exclusion of helping people in need.



Restaurants, hotels and bars cut the cord (permalink)

The cable industry has been in denial about "cord-cutting" for years, insisting that if it just does enough mergers (like AT&T;/Time Warner/Dish) it will somehow staunch the bleeding.

It failed, hence the resignation of AT&T; CEO Randall Stephenson.

https://www.marketwatch.com/story/att-ceo-to-step-down-after-june-coo-john-stankey-will-assume-top-role-2020-04-24

And it's just gonna get worse. Hotels, bars and restaurants – the last stronghold of cable subscriptions – are bailing like crazy, not least because they're being required to pay for sports channels that don't have any sports.

https://arstechnica.com/information-technology/2020/05/small-business-closures-adding-to-cable-industrys-cord-cutter-woes/



NSO Group tried to sell malware to US law enforcement (permalink)

NSO Group is a notorious, corrupt cyber arms dealer whose customers are the worst, most brutal oppressive states in the world, like the Kingdom of Saudi Arabia, whose kidnapping and dismemberment operation against the journalist Jamal Khashoggi relied on NSO's Pegasus tool.

Now, Vice has found public records that reveal that NSO's US division, Westbridge Technologies, solicited contracts from US police departments to use that same Pegasus malware tool, marketed as Phantom in the USA.

https://www.vice.com/en_us/article/8899nz/nso-group-pitched-phone-hacking-tech-american-police

Their pitch boasted that Phantom "can overcome encryption, SSL, proprietary protocols and any hurdle introduced by the complex communications world."

https://www.documentcloud.org/documents/6888574-Westbridge-NSO-Group-Brochure-for-Phantom.html

NSO is currently being sued by Facebook for helping governments hack hundreds of Whatsapp users; it was recently revealed that at least one of its technicians abused its tools to stalk a woman he was romantically interested in.

The company's brochure boasts that NSO's tool can "siphon a target's emails, text messages, and contact list, as well track their location, turn on the device's microphone and take photos with its camera, according to the brochure. "

Some of the best analysis of NSO has been performed by Citizen Lab, whose John Scott-Railton told Joseph Cox at Motherboard, "The local laws and oversight mechanisms are not there. Abuse wouldn’t be a risk, it would be certainty."



Senate Dems want to ban internet disconnection (permalink)

Congressional Dems have buried some pretty terrible stuff in the latest stimulus bill, like bailouts for lobbyists and dark money orgs:

https://twitter.com/doctorow/status/1260595450911944716

But there are some bright spots from Senate Dems: Bernie Sanders, Ron Wyden and Jeff Merkley have tabled a bill that prohibits the telcoms sector from disconnecting customers during the crisis, closing a loophole in earlier rules that carriers had been exploiting.

For their part House Dems put $4b in the bailout for a "emergency broadband connectivity fund" that includes $50/month broadband subsidies for low-income households ($75/month for tribal households) and $1.5b for hotspots in schools and libraries.

https://arstechnica.com/tech-policy/2020/05/democrats-try-to-ban-internet-shutoffs-until-pandemic-is-over/



This day in history (permalink)

#15yrsago Broadcast Flag back from the dead https://corante.com/importance/mpaa-shopping-draft-broadcast-flag-legislation/

#10yrsago Gold-dispensing ATM https://consumerist.com/2010/05/get-gold-bars-from-abu-dhabi-atm.html

#5yrsago David Cameron announces a new age of intolerance https://theintercept.com/2015/05/13/greatest-threat-free-speech-comes-terrorism-claiming-fight/

#1yrago Amazon's monopsony power: the other antitrust white meat https://boingboing.net/2019/05/13/consumer-harms-everywhere.html

#1yrago Supreme Court greenlights Apple customers' lawsuit over App Store price-fixing https://www.wired.com/story/supreme-court-apple-decision-antitrust/

#1yrago Vancouver's housing bubble was driven by billions in laundered criminal proceeds https://www.seattletimes.com/business/billions-in-dirty-cash-helped-fuel-vancouver-b-c-s-housing-boom/



Colophon (permalink)

Today's top sources: Vince Pugliese, Andrew Thaler (https://twitter.com/DrAndrewThaler), Slashdot (Slashdot, Naked Capitalism (https://nakedcapitalism.com/).

Currently writing: My next novel, "The Lost Cause," a post-GND novel about truth and reconciliation. Yesterday's progress: 582 words (14795 total).

Currently reading: Facebook: The Inside Story, by Steven Levy.

Latest podcast: Rules for Writers (https://craphound.com/podcast/2020/05/11/rules-for-writers/)

Upcoming books: "Poesy the Monster Slayer" (Jul 2020), a picture book about monsters, bedtime, gender, and kicking ass. Pre-order here: https://us.macmillan.com/books/9781626723627

"Attack Surface": The third Little Brother book, Oct 20, 2020. https://us.macmillan.com/books/9781250757531

"Little Brother/Homeland": A reissue omnibus edition with a new introduction by Edward Snowden: https://us.macmillan.com/books/9781250774583


This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commerically, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/web/accounts/303320

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic
When life gives you SARS, you make sarsaparilla -Joey "Accordion Guy" DeVilla