Pluralistic: 03 Aug 2020

Today's links

A universal remote for killing people (permalink)

Medtech giant Medtronic is quite a piece of work. The company started as a Minneapolis repair shop before growing to be one of the world's largest, most profitable – and lowest-taxed, thanks to financial engineering – corporations.

Despite the company's origins in conducting unauthorized repairs on behalf of hospitals and other device owners, Medtronic (along with Apple) has led the fight to kill dozens of state Right to Repair bills:

Medtronic's dirty tricks campaigns against R2R are especially salient now, because the company has sabotaged its ventilators so they can't be repaired by hospital engineers without obtaining an unlock code from the company:

But Medtronic's device defects aren't limited to ventilators. At least as alarming is the company's history of making personal medtech devices (including pacemakers) that are insecure in every conceivable way.

Medtronic devices have been shown to be LETHALLY compromisable by sending them unencrypted wireless signals or just by poisoning their unsecured supply chain, which allows you to inject malicious firmware into devices en masse.

If there was ever a manufacturer whose customers needed to be able to turn to third parties to shore up its products (literally) fatal deficiencies, it's Medtronic.

Which brings me to the present moment. It's been two years since QED Security Solutions' Billy Rios and Jonathan Butts presented their work on Medtronic's Minimed insulin pump, showing that it could be remotely controlled by cheap wireless devices.

Among the attacks they enabled: dumping the device's full supply of insulin, potentially killing the person wearing it.

The defects they identified were intrinsic to the device and the only defense was disabling the wireless, which rendered the device useless for family members who helped loved ones manage their insulin (especially young kids or people with dementia, etc).

Still, Medtronic dragged its feet on a recall, saying (incredibly) that it had known about these defects for years before Rios and Butts told them about it, but had decided not to fix them and didn't see why that should change now.

Finally, though, the company has launched a "voluntary recall" – after Rios and Butts built an Android app that exploited the defect they identified and created a "universal remote for every one of these insulin pumps in the world" and presented it at Black Hat.

This is an app that would let the user murder Medtronic users from a distance of several feet. Obviously, they haven't released it, but the publicity did its job.


New podcast episode (permalink)

The latest episode of my podcast is live! It's part 12 of my reading of my 2006 novel Someone Comes to Town, Someone Leaves Town, a book that Gene Wolfe called "a glorious book unlike any book you’ve ever read."

Here are the previous installments:

Here's a direct link to the MP3 (hosting courtesy of the Internet Archive – they'll host your stuff for free, too!):

And here's the podcast feed (now with timecode, thanks to Lee Maguire!)

The sordid tale of We Charity (permalink)

For months, I've been following Canadaland's deep dive into We Charity and its bewildering array of both for-profit and charitable subsidiaries and affiliated companies. The picture just keeps getting uglier and weirder, and it reached a kind of pinnacle for me today.

Some background: We began life as "Free the Children," an anti-child-labour campaign started by a pair of Canadian brothers, Marc and Craig Kielburger, who were children themselves at the time.

In the years since, We has become a Canadian institution, with "We Days" mega-events attended by top performers and politicians, as well as in-school events coast to coast. Millions of Canadian kids have raised money for We.

But We is a complex and opaque and difficult-to-understand organisation. Some reporting would have made it easier to understand what the org was up to.

But between seeking editorial censure of journalists for mild criticism, and a reputation for replying to routine journalistic queries with threats from some of Canada's most aggressive libel lawyers, critical investigative coverage was thin on the groups.

Canadaland's investigations began with tips that the organization's various arms had "partnered" with companies that were credibly accused of participating in the kind of child labor practices that they were formed to stop.

But it quickly turned into a story about the story itself, as Canadaland, and its founder, Jesse Brown, were subjected to bizarre, international dirty-tricks campaigns, including smearjobs in obscure, small-town, far-right news sites.

Brown discovered he'd been targeted by private investigators who went so far as to dig into his young children's lives.

Brown and Canadaland couldn't affirmatively link the dirty tricks to We, though the timing, context and content made everything very suspicious – and meanwhile, Wikipedians put warnings on We's articles after they detected paid reputation-washers editing them.

To Brown and Canadaland's credit, they didn't let up, and chased a steady stream of tips about labour conditions at We, corruption in We's overseas projects in Kenya, and irregularities in the We's charitably raised funds, contributed by Canada's schoolkids

They discovered that performers at We's "We Days" – including members of Prime Minister Justin Trudeau's family – were paid for participating, out of those charitable funds (We says they should have been paid by its for-profit arm).

And they uncovered subsidised junkets for top level government officials, publishing as the Canadian government was offering We a 9-figure no-bid contract to create a summer volunteer program for Canadian kids.

All of this against a steady background drumbeat of legal threats, more dirty tricks, and smears – some, shamefully, from Canadian journalists.

Last month, We's founders testified before Parliament, as the political dimensions of the scandals threatened the stability of Trudeau's fragile minority government.

All of this has called a once-unimpeachable Canadian institution into question – from the way its funds are dispersed (only a minority of We's charitable funds go to overseas program activity), the way it smears its critics, to the complexity of its financial structures.

Which brings me to the latest Canadaland episode, in which Brown discusses the revelation that one of We's US companies contracted with Firehouse Strategies, a GOP dirty tricks company that grew out of the 2016 Rubio presential campaign.

By Firehouse's own account, the company gave up on substantive debate after Trump and devoted themselves to dirty tricks and smears, targeting nonprofits seeking to retaliate against their critics.

Meanwhile, other Canadian news outlets discovered job-board listings for clickworkers to help engage in deceptive "search-engine optimization" techniques to bury criticism of We.

Having been on the receiving end of legal intimidation from wealthy, powerful, politically connected Canadians, I know just how much of a risk Brown took with this, and how harrowing it must have been.

He and Canadaland should be commended for shining light where it was obviously badly needed. The kind of harassment and dirty tricks he's faced are not the actions of anyone who has any business being involved with the moral education of our children.

(Image: We, Firehouse Strategies (modified))

NSO Group cyberweapons targeted Togo's opposition (permalink)

The NSO Group makes powerful cyberweapons; they claim that these are only used by legitimate governments against terrorists and criminals, but they keep getting used by despots and autocrats to neutralize opponents, including NGOs, journalists, and democratic oppositions.

Much of what we know about NSO's role in dictators harassment, torture and murder is thanks to Citizen Lab, whose independent research has been invaluable – it's thanks to them that we know about NSO's role in the kidnapping, murder and dismemberment of Jamal Khashoggi.

This led to ex-Mossad agents targeting Citizen Lab's academic researchers, an action widely presumed to have been undertaken at NSO's behest:

Now (yet again!), Citizen Lab has released a detailed report of NSO's weapons being trained on democratic opposition figures by tyrannical despots; in this case, it's the dictator of Togo's enemies, including Catholic human rights advocates in Togo.

Among the victims: Monseigneur Benoît Comlan Alowonou, Bishop of Kpalimé, who was targeted in smear campaigns after he criticized the Togolese dictator Faure Gnassingbé, who inherited the presidency from his father in 2005.

Also targeted: Father Pierre Marie-Chanel Affognon, who was smeared in a campaign that used personal information presumed to have been stolen from his devices by NSO's weapons.

Political figures were also in NSO's crosshairs: opposition leaders Elliott Ohin and Raymond Houndjo were both targeted by Pegasus, NSO's flagship malware.

Togo is a desperately poor, repressive state, ranked 167/189 in the 2019 United Nations Human Development Index. Like many of NSO's customers, it lacks any hope of developing its own Made-in-Togo digital authoritarian toolsuite.

Instead, it relies on NSO Group to provide the products for turnkey networked authoritarianism, to bring cold efficiency to its programs of arbitrary detention, arrests, torture and murder.

"The Togolese government uses technical means to curb dissent. Authorities have disrupted mobile phone and internet service during protests and on election days to suppress protest and to curtail press coverage."

This day in history (permalink)

#10yrsago Popville: popup book cleverly and delightfully illustrates the growth of a town

#5yrsago NSA conducted commercial espionage against Japanese government and businesses <a <a="" accountability"="" href="" need="" proved="" snowden="" spies="">

#5yrsago David Cameron will publish the financial details and viewing habits of all UK porn-watchers

#5yrsago Hong Kong protesters take to the street in bras: "breasts aren't weapons"

#5yrsago Windows 10 defaults to keylogging, harvesting browser history, purchases, and covert listening

#1yrago Elsevier: "It's illegal to Sci-Hub." Also Elsevier: "We link to Sci-Hub all the time."

#1yrago Massachusetts says Purdue's profits from a single opioid addict were $200,000

Colophon (permalink)

Today's top sources: Alice Taylor (

Currently writing:

  • My next novel, "The Lost Cause," a post-GND novel about truth and reconciliation. Yesterday's progress: 517 words (41820 total).

Currently reading: The Deficit Myth, Stephanie Kelton

Latest podcast: Someone Comes to Town, Someone Leaves Town (part 12),

Upcoming appearances:

Latest book:

Upcoming books:

This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Newsletter (no ads, tracking, or data-collection):

Mastodon (no ads, tracking, or data-collection):

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

When life gives you SARS, you make sarsaparilla -Joey "Accordion Guy" DeVilla