Pluralistic: 10 Jul 2020

Today's links

Homebrew dongles let hospitals fix ventilators (permalink)

Medtronic's 20-year-old PB840 ventilators are workhorses, but the company has used DRM to prevent repairs by third parties. Controlling repair gives medtechs monopolist two benefits:

  1. They can charge higher-than-market rates for repairs and extract "certification fees"; and

  2. They can declare some units irreparable, forcing customers to junk and replace them.

The DRM Medtronic uses means that even if you swap a working monitor from a ventilator with a broken breathing unit to a ventilator with a broken monitor and a working breathing unit, the system will refuse to operate.

To get the repaired system to work, the technician needs to provide an unlock code that syncs the monitor and the breathing unit, and Medtronic controls those codes – it's the same scam John Deere uses for tractor repairs and Apple used for Iphone 10 digitizer repairs.

But a Polish hacker is offering an unlock-code-generation library that appears to come from Medtronic itself: "The Polish hacker told Motherboard that technicians will take a manufacturer’s repair class in the United States, get the required software, then share it widely."

This library is given to independent repair technicians in the USA embeded in handmade, homebrew dongles housed in old clock cases. One medtech cited by Jason Koebler says he's fixed at least 70 ventilators with his dongle.

"This is a copy of a proprietary tool. It doesn’t take rocket science to put these things back together. The weak point of these companies’ supply chains is other countries, so through our friends in other countries we’re able to get this stuff."

Newer ventilators require internet-based activations following repairs, with technicians paying $10k-15k/year to access the manufacturers' servers.

This follows from a steady rampup of high-cost "certifications" for hospital technicians, without which they were denied access to parts and manuals. Hospitals can't repair the equipment they own – and rely on to save our lives – unless they shell out for expensive programs.

Note that paying for these programs doesn't change who fixes the gear or how they fix it. In either case, the hospital's own repair staff do the work, following the service manuals. The only difference is that "authorized" repairs generate payments to manufacturers.

"For a lot of vendors, you have to get recertified every other year to keep working on their equipment. I had a biomedical technician who lost their certification during the middle of the pandemic [because it lapsed]" -tech manager for 14 hospitals in covid-hit state.

"We called the mfgr and they wouldn't give us the info to service their ventilators. Eventually we get on a call and say 'this is ludicrous, this person has been working on these ventilators for 12 years. Release the service key so I can get patients back on ventilators."

Medtech monopolists claim they'd be held liable if an uncertified repair harmed a patient. They're wrong.

From that hospital tech manager: "we own the risk if equipment fails and someone sues. Never have I heard of the maker of the equipment is named in a lawsuit."

"Third-party repair professionals provide high quality, safe, and effective servicing of medical devices." -US Food and Drug Administration, 2018.

There has never been a more urgent moment for medical Right to Repair. Not only can we not afford to spare a single ventilator that can be pressed into service, but the pandemic has also eliminated manufacturers' routine service for OTHER machines.

The devices used to treat your cancer, diabetes, or other conditions are not receiving the preventative maintenance that was once required by the manufacturers, and so they are liable to break as well. Without medical right to repair, they may stay broken.

Teddy Ruxpin and the Haunted Mansion (permalink)

Before Ken Forsse invented Teddy Ruxpin and struck it rich, he was a Disney Imagineer who worked on the Haunted Mansion (he's even got a tombstone in the Mansion graveyard: NEKEESORF).

Between Imagineering and Teddy Ruxpin, Forsse had another gig on Atlanta's all-indoor "The World of Sid and Marty Krofft" (which only lasted six months). During that time, he built another haunted mansion, a scale model filled with handmade props.

The model took him 18 months to build, and it ended up retiring to Forsse's home. In 2013, Reed and Zahava Savory tried to visit Forsse, but his poor health meant they couldn't see him. Later, Forsse's wife, Prof Jan Forsse, sent the Savorys photos of the model.

Today, those photos went up on the Long Forgotten blog, the most detailed and intense home for Haunted Mansion history on the web. The photos are incredible, revealing an attention to detail that beggars belief. What a wild talent Forsse was!

Dataminr helped cops spy on protesters with Twitter (permalink)

If you've heard of Dataminr, it's probably because of the 2016 shitstorm in which it was revealed that the social media "analysis" company was spying on Twitter users for US intelligence agencies.

Worse: Dataminr's investors included the CIA..and Twitter itself.

Twitter has since divested itself of its stake in Dataminr, but the company remains a "trusted partner" with access to Twitter's firehose – the raw feed of all public tweets.

Dataminr bills itself as a breaking news service, but it spies on Twitter and hands data about anti-police violence protests to the police departments that are being protested.

The company is worth $1.8b.

Writing in The Intercept, Sam Biddle uses internal whistleblower information and leaked documents from Blueleaks to piece together a picture of how Dataminr provides critical intelligence to law enforcement agencies seeking to violently suppress Black Lives Matter protests.

This is going on despite Dataminr and Twitters' joint assurances that this will no longer happen.

These assurances are false. According to Biddle's internal source, "[Cops] are some of Dataminr’s biggest clients and they set the agenda."

This allegation is supported by leaked documents and materials disclosed by police departments after public records requests.

Dataminr spies on behalf of the police, and makes a lot of money doing so.


Which, you know, OK, fine. You guys are Vichy nerds. You're collaborators. $1.8b buys a lot of conscience-assuaging. I get it.

But don't piss in my mouth and tell me it's raining.

By which I mean, when Biddle asked Dataminr and Twitter about using tweets to help cops suppress protests, the responses were insultingly risible.

As in, "We didn't send that tweet to Minneapolis police because of the protest. It was a traffic alert."

Or claiming that they're not providing location data when many of the tweets they're sending to cops have location tags, and many of the remainder have location tags added by Dataminr before they're handed over to cops.

Or claiming that they're sending "news alerts" to the police, not "protest surveillance."

Law professor Andrew Ferguson compared this to calling police photographs of protesters "photojournalism."

I mean:


The fuck.


Biddle really nails it here: "This isn’t surveillance because we have a policy against surveillance, which therefore means we don’t engage in surveillance."

And naturally, "Neither firm would comment or discuss how exactly the above does not meet the definition of surveillance, nor would they provide the institutional definitions of such as defined by either company."

Or as Brandi Collins-Dexter from Color Of Change said, "Twitter can’t have it both ways, courting Black activists and marketing themselves as the pre-eminent tool for organizing against injustice while turning a blind eye to companies that are contracting with them for the clear intent of surveillance."

(Image: Hugh D'Andrade, CC BY, modified)

Police militarization has a business-model (permalink)

There's a reason American cops look like they're on patrol in Fallujah and it's not mere sadism or gearpiggery. Militarizing the cops has a business-model, and it's generated $7.4B for the Beltway Bandits that supply all that gear to law enforcement.

Two federal programs – 1033 and 1122 – transfer billions in military gear to local law enforcement. 1033 lets cops buy gear at the price that the US military pays, and 1122 allows the military to donate "excess" gear to police departments.

Neither program has even a smidgen of oversight or accountability. And they haven't stopped at turning a nation of Barney Fifes into Judge Dredd cosplayers – they also supply university police departments with everything they need to effect a regional coup.

I'm not saying that white supremacy and racism don't play a part here. They are an essential ingredient in this toxic stew – but they are insufficient unto themselves.

The other part of the story here is the billions in Beltway Bandit profits generated by these programs.

These excess rents are ammo for lobbyists who entice the US military to buy "excess" gear that gets given away to cops, and for sales junkets that entice cops to spend their budgets on gear for themselves.

There's a bright side to this: rooting racism and white supremacy out of the military and local law enforcement is a long, complicated project – but starving the military-industrial complex of money will go a long way to neutralizing their power to convert racism to rifles.

(Image: Jamelle Bouie, CC BY)

How Finspy protects itself from security researchers (permalink)

Finfisher/Finspy is malware made by Gamma, an Anglo-German cyber-arms dealer, and sold to the world's most despicable dictators and torturers. Microsoft Security has just published an extensive, fascinating analysis of its self-defense measures.

There are two big threats to malware: first, that it will be decompiled so that the vulnerabilities that it expoits can be patched, and second, that this decompilation process will yield fingerprints that allow security tools to reliable detect the malware's presence.

Malware authors put a lot of care into writing routines to frustrate analysis, and Finfisher goes above and beyond in detecting whether it is under examination and protecting itself from scrutiny.

It starts with "spaghetti code" – breaking instructions into tiny fragments that jump one to the other, out of order, salted with junk instructions that do nothing.

All of this code gets executed to load up a virtual machine with its own opcodes.

The VM loads a bunch of subprograms that check for debuggers and sandboxes – indicators that the malware is running on a security analyst's workbench, rather than a target's system.

Then the system loads a bunch of fake bitmap images, throws away some of their headers, reassembles them, and decrypts data hidden in the resulting image.

Next comes another virtual machine with its own, different opcodes, which decrypts and loads more software.

This is the installer, which loads up a bunch of DLLs, and begins installation of the malware itself, which starts injecting code into the user's programs.

The injector also has countermeasures to defeat common detection methods.

There's another round of obfuscation, and then various modules – customized based on the target – start loading.

It's a very clever piece of puzzlemaking, and an even more clever piece of detective work to solve it.

It's also a fascinating glimpse into the bizarre problem of software figuring out whether it's running on a real computer or inside a researcher's VM.

This may be the key to how Marcus "Malwaretech" Hutchins saved the world from Wannacry ransomware.

Hutchins was examining Wannacry when he noticed that it was hardcoded to try to reach a nonexistent domain, He registered that doman and stood up a webserver there and every copy of Wannacry in the world went dormant.

No one knows exactly what happened there, but it's likely that Wannacry's method for figuring out if it was in the Matrix or not was to try to contact a nonexistent website.

If the website answered, it would assume it was running in a researcher's test system and it would cease to function – so when Hutchins put up his webserver, every Wannacry instance on Earth decided it was under scrutiny and ceased all activity.

Clamshell currency (permalink)

In 1933, FDR shut all of America's banks for three days; this bank holiday probably saved the US financial system from collapse by preventing a bank-run, but it left American businesses and their customers without cash.

In a paper published by the Newman Numismatics Portal in January, Joshua Smith reports on his 2019 fieldwork with local historians to tell the tale of the shells.

Smith observes that shell-based currency was first used in the region in the precolonial times by Chumash First Nations people, drawing a fascinating connection with a 1934 ethnography of Chumash trade and the 1933 bank holiday.

Smith makes a case that the 1933 revival of shell-based scrip started with a joke, when a local pharmacist and a cigar store owner gave a clam-based IOU to a service station owner as a joke. The service station owner displayed it in his window and a customer bought it for $1.

This started a fast-moving local vogue for handpainting clamshell scrip, and the service-station owner hired two local unemployed people to go into production. Historical accounts differ, but somewhere between $1,000 and $1,500 in clam-based money was issued.

Then, in 2013, on the 80th anniversary of the bank holiday, two local merchants issued a new round of clamshell scrip: Girl's Restaurant and Shellabration Beach House.

Once again, this sparked a local merchant's trend with many issuing their own clamshell scrip, which still circulates to this day.

Macron demands national database of porn preferences (permalink)

It's been less than a year since the UK's idiotic, doomed "age verification law" for pornographic websites collapsed. This was a plan to block all adult sites at the national firewall unless they collected and stored the identities of their users.

It's hard to overstate the idiocy of this plan – who the actual fuck thought it would be a good idea to create and store a net-worth-sortable list of the pornographic tastes of an entire nation (the system would lean heavily on credit cards for identity-verification).

Uh, France, apparently.

The French Parliament has just passed what amounts to the same law, after Macron called for the creation of a national kompromat database in January.

I can't wait for the inevitable GDPR challenge.

This day in history (permalink)

#10yrsago Iranian activists release free Persian Little Brother

#10yrsago Brazil's copyright law forbids using DRM to block fair use

#5yrsago Terrifying proposal for airplane seating

#5yrsago There Is Such a Thing As a Free Lunch

#5yrsago Gorgeous Taschen book: Art of Burning Man

#1yrago Fur industry paid protesters to attend California and New York hearings on a fur ban

#1yrago AOC and Greta Thunberg talk tactics and hope

#1yrago Elizabeth Warren wants to force companies to warn investors about their risks from climate change

#1yrago Bernie Sanders' presidential campaign maintains a page of anti-endorsements: denunciations from billionaire ghouls and their enablers

#1yrago Like Amazon, Google sends voice assistant recordings to contractors for transcription, including recordings made inadvertently

#1yrago French politicians want to add an ag-gag rule to the country's sweeping online hate speech proposal

#1yrago Cutbacks caused Brexit: austerity correlates with UKIP membership

#1yrago Arbitrage nomads are stripping the carcasses of America's dying big-box stores and moving the choicest morsels into Amazon warehouses

#1yrago Voting machine companies: the names of our parent companies are trade secrets

Colophon (permalink)

Today's top sources: Fipi Lele, Naked Capitalism (, Four Short Links (

Currently writing:

  • My next novel, "The Lost Cause," a post-GND novel about truth and reconciliation. Yesterday's progress: 555 words (36565 total).

Currently reading: Anger Is a Gift by Mark Oshiro

Latest podcast: Someone Comes to Town, Someone Leaves Town (part 09)

Upcoming appearances:

"Working as Intended: Surveillance Capitalism is not a Rogue Capitalism," Jul 21,

Latest book:

Upcoming books:

This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commerically, provided that you attribute it to me, Cory Doctorow, and include a link to

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Newsletter (no ads, tracking, or data-collection):

Mastodon (no ads, tracking, or data-collection):

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

When life gives you SARS, you make sarsaparilla -Joey "Accordion Guy" DeVilla