Pluralistic: 24 Aug 2020


Today's links



Concretizing "Main St vs Wall St" (permalink)

The phrase "Wall Street Versus Main Street" has a nice ring to it, but what does it actually mean?

Here's a very concrete example of how policies can be rigged to benefit the finance sector while destroying the productive economy.

The US central bank has created a "Main Street Lending Program" that is meant to be extending credit to imperilled small- and medium-sized enterprises, but so far it has only managed to lend out $531m.

https://ft.com/content/91b69082-a99c-4287-8ed5-d85b0768d1a9

But there's another sector of the economy that is thriving in the downturn: the largest companies in America. These companies are not actually profitable for the most part, but their shares are trading at all-time highs, thanks in large part to their access to cheap credit.

Here's how that works: the US central bank has announced that it will buy as many bonds – even junk bonds from companies that had been mismanaged to the brink of bankruptcy before the crisis – from large firms.

The $454B that this infused into the finance sector has been used as leverage for further, private-sector borrowing – all told, ~$4.54 TRILLION has shown up on large corporate balance-sheets since the crisis started.

https://pluralistic.net/2020/08/14/shock-doctrine/#shock-doctrine

But none of that credit is accruing to companies that need it – companies that did something productive, whose employees' jobs are on the line, who provided utility to their communities.

Instead, the money is going to mostly unprofitable giant firms, whose customers have no cash or credit with which to buy their products and services. These companies can't invest in capital or jobs – instead, they are likely to engage in financial engineering.

That is, they'll do stock buybacks – splurging on their own shares – which will increase their share price and make their investors richer, even though the companies themselves aren't doing any better.

The decoupling of the financial economy and the real economy is the final battle in the war between Main Street and Wall Street. It has created an economic system that Yanis Varoufakis calls "zombie postcapitalism."

https://pluralistic.net/2020/08/22/this-machine-kills-fascists/#varoufakis

It's a form of socialism for the very, very rich and brutal austerity for the rest of us, as the businesses around us implode for lack of access to capital and take the jobs with them.

It's hard to overstate how much demand there is for corporate debt from large, mediocre firms. Junk bond issues are oversold, even as their yields reach historic lows: Ball Alumninum just raised $1.3b for a junk bond paying a mere 2.9%.

Remember when junk bonds were called "high yield?"

The traditional argument for austerity is that government spending in support of human necessities – food, shelter, education, health – could lead to inflation.

But the deficit hawks who won't let us feed or house our fellow citizens are fine with the crazy asset inflation engendered by runaway finance bailouts; after all, they're the ones holding those assets.



Don't use Bridgefy at protests (permalink)

There are two iron laws of security that are often tragically ignored:

I. "There is no abstract 'security' – only security from some specific threat"

II. "There is no security in obscurity."

Bridgefy, an app that's been billed as a way for protesters to communicate securely, illustrates both of them.

Bridgefy is an offline messaging tool – a mobile app that uses Bluetooth to pass encrypted messages around a crowd where there is no internet access.

It was originally billed as being useful for big festivals and concerts out in the countryside, where there were lots of people but little or no internet connectivity.

However, as protests have spread around the world, the company has promoted its product as a tool for at-risk protesters seeking to coordinate uprisings for which they might face severe retaliation, including imprisonment, torture and murder.

https://arstechnica.com/features/2020/08/bridgefy-the-app-promoted-for-mass-protests-is-a-privacy-disaster/

In April, a group of Royal Holloway researchers audited the app and found it severely unsuitable for these contexts, potentially exposing users to life-threatening hazards. They told the company about these flaws then, but have only now published their findings.

https://martinralbrecht.files.wordpress.com/2020/08/bridgefy-abridged.pdf

The researchers' findings reveal that the threats to users from using the app at festivals are very different to the threats that protesters face in repressive regimes ("There is no abstract 'security' – only security from some specific threat").

They also find that the product team made a bunch of mistakes that they overlooked, a common problem (it's why I can't find my own typos!) that exposed users to attacks from anyone who knew how to hunt for these errors ("There is no security in obscurity").

For example, the app sends the ID of both the sender and recipient of every message "in the clear" (without encryption). That allows an attacker who intercepts this metadata to assemble social graphs: Alice knows Bob, Bob knows Carol.

This might expose concertgoers to some risk (for example, if Carol is arrested for selling drugs, Alice and Bob's messages to her might put them under suspicion). But in a protest context, that exposes the whole movement to risk.

What's more, the identifiers the app uses are tied to users' phone numbers: an attacker at a concert would need access to a database that maps phone numbers to real identities. A state-level adversary can simply demand these connections from the phone company.

But not all the flaws in the system stem from the differences in threats at concerts and protests. Some of Bridefy's flaws threaten users in ANY context, and stem from the developers' own blind spots about errors in their thinking.

For example, the system doesn't have any "out of band" way to initialize keys between users. That means that when Alice wants to send a secret message to Bob, she first announces to the whole network that she is Alice and this is her public key that Bob should use.

An attacker in the network can – rather than passing that message on – replace it with a message that substitutes their own key, and thereafter intercept, read, and relay all the messages from Alice to Bob (a "man in the middle" attack).

Worse than that, the actual encryption formatting used for the messages is PKCS #1, a system that has been deprecated since 1998 due to unsalvageable flaws.

The app also fails to do vital forms of input sanitization: it doesn't check for "zip bombs" – small compressed files that, when decompressed, expand to junk files that are millions of times larger. These bombs could crash enough devices in the network to shut it down.

Though Bridgefy has known of the vulnerabilities since April, they are only now announcing them. They attribute the delay to their fruitless internal efforts to remediate these defects, and their ultimate conclusion that their system needs to be rebuilt from the ground up.

They say they are now doing that work, rebuilding the app around the Signal protocol, which is very robust and has been widely probed to identify and shore up weaknesses.

It's good that they're doing this. A third iron law of security is that "Security is a process, not a product" – that is, security is always contingent, and requires constant tending and upgrading to patch newly identified defects.

We can't and shouldn't expect products to be perfectly secure – all we can ask is that product teams are transparent about which threats they considered in their design, how their products work, and which defects have been identified in them.

Unfortunately, while Bridgefy is doing the right thing by acknowledging these bugs, thanking the reasearch team, and fixing the bugs, the rest of their conduct is less than exemplary.

It was wrong to promote an app designed for concerts as a tool for protesters without considering the differences in the threats to those user populations.

Worse, though the team has known of these defects since April, they didn't start correcting the record on end-to-end encryption promises until June. And, as Dan Goodin points out on Ars Technica, their messaging continues to imply that it is safe to use.



Nontransitive dice (permalink)

Today in his excellent new newsletter "The Magnet," Mark Frauenfelder discusses "transitive dice" – D6s with the weird property that while Die A has an advantage over Die B and Die B has an advantage over Die C, Die A loses to Die C on average.

https://themagnet.substack.com/p/the-magnet-0003?utm_medium=email&utm;_campaign=cta

That is to say, if you give an opponent the choice of any of the three dice, one of the remaining two dice will always beat it. This is some pretty eldritch probability stuff (and an example of how counterintuitive propability can be).

The key is in understanding the probability distributions. Die A has five "4" sides and one "6" side. Die B has five "3" sides and one "6" side. Die C has three "5" sides and three "2" sides.

That means: "A beats B 25 out of the 36 possibilities. C beats A 21 out of 36. C beats A 21 out of 36."

Frauenfelder notes that Warren Buffet is obsessed with nontransitive dice, which makes sense. After all, Buffet has repeatedly, publicly proclaimed that he only invests in companies that are in noncompetitive markets.

https://pluralistic.net/2020/08/10/folksy-monopolists/#folksy-monopolists

For example, here's why he bought a huge stake in Moody's: "I know nothing about credit rating. The only reason I bought it is because there are only three credit rating agencies and they serve the whole country, and they have pricing power."

His ideal company is one with a monopoly so secure, "even your idiot cousin could run it." Presumably, you could teach that same idiot cousin to memorize which die beats each of the others, too.



Chinese sf guidelines (permalink)

The Chinese film regulator has released a new policy document: "Several Opinions on Promoting the Development of Science Fiction Films," which sets out guidelines for new sf movies.

http://www.chinafilm.gov.cn/chinafilm/contents/141/2533.shtml

Writing in Variety, China Bureau Chief Rebecca Davis breaks down the new rules and gives some context for them.

https://variety.com/2020/film/news/china-guidelines-science-fiction-1234737913/

The top priority, of course, is to "thoroughly study and implement Xi Jinping Thought."

After that empty nod to the cult of personality, the guidelines get more specific.

Films should "highlight Chinese values, inherit Chinese culture and aesthetics, cultivate contemporary Chinese innovation," "disseminate scientific thought" and "raise the spirit of scientists."

The document claims there is a shortage of good Chinese sf scripts, and calls for the creation of a pipeline of Chinese sf writers with elementary and middle-school students systematically exposed to "excellent sci-fi movies."

Universities should create programs that "strengthen the training of sci-fi related talent."

It calls for the creation of a "national science fiction film screening alliance."

In terms of production, the document calls for the creation of a domestic VFX industry, warning of disruptions to production if the US-Chinese trade war deepens.

Davis points out that the Chinese film ecosystem has some important structural barriers to high-quality film productions, such as a lack of film insurance underwriters and completion guarantors, leading to "projects with quick returns."

The document calls for banks to create "credit products and loan models specific to the characteristics of sci-fi movies."

It calls upon insurers to "innovate in the development of IP rights infringement liability insurance for sci-fi movies, as well as group accident insurance and personal accident insurance for specific actors and staff" as well as "financing guarantee services for sf movies."

This is a fascinating glimpse inside a top-down approach to arts funding and support. I remember speaking at the Singapore Writers' Festival and meeting a bureaucrat with a plan to produce a Nobel-prize-winning novelist.

They were going to analyze the education of all winners, as well as the books they'd written, and systematically train a cohort of novelists. When I pointed out that decriminalizing queer sexualities would likely do more to improve arts outcomes, they were nonplussed.

It's also fascinating to see SF get this kind of serious state consideration. In the USA, the intelligentsia's contempt for SF allowed it to be a vehicle for smuggling in radical ideas – that was basically Rod Serling's entire schtick.

But there is nothing intrinsic to a "literature of imagination" that makes it politically radical: the broad reactionary streak in SF/F makes that clear.

I'm looking forward to seeing whether China can figure out how to use SF to solidify the status quo without creating a radical tendency that uses the same stories to tear it down.



New podcast episode, feat. radical bookstores (permalink)

This week on my podcast, I read part 14 of my 2006 novel "Someone Comes to Town, Someone Leaves Town," a book Gene Wolfe called "a glorious book unlike any book you’ve ever read."

https://craphound.com/podcast/2020/08/24/someone-comes-to-town-someone-leaves-town-part-14/

A lot of this week's action is set in weird, radical bookstores in Toronto's Kensington Market. I was raised in these bookstores: when I was a kid, my dad was a "professional revolutionary," helping to produce and sell the socialist newspaper Forward.

Forward was produced out of the back room of a radical bookstore on Queen Street, sharing facilities with Action Print, a radical, unionized print-shop. I grew up there, playing with Letraset and going to the Papaya Hut or the El Mocambo for lunch.

Radical bookstores have always been favorites of mine. One of the best book events I ever did was a joint production of Red Emma's and the Baltimore hackspace.

And as a teen, I spent many memorable afternoons with Karl Levesque at Montreal's Librairie Alternatif, an anarchist bookstore. Karl sent me my first copy of the Whole Earth Review and changed my life.

It was the fall 1989 issue, "Is the Body Obsolete," with some outstanding contributions from, among others, William Gibson.

https://sites.google.com/site/thanatos02us/home/gibson-interview

Here's the MP3 of this week's episode, hosted free courtey of the Internet Archive (they'll host your stuff for free, forever, too!):

https://archive.org/download/Cory_Doctorow_Podcast_356/Cory_Doctorow_Podcast_356_-_Someone_Comes_to_Town_Someone_Leaves_Town_014.mp3

And here's the feed for my podcast:

https://feeds.feedburner.com/doctorow_podcast



This day in history (permalink)

#5yrsago Ashley Madison's founding CTO claimed he hacked competing dating site https://www.wired.com/2015/08/ashley-madison-leak-reveals-ex-cto-hacked-competing-site/

#1yrago The FBI kept files on author Ray Bradbury: "Definitely slanted against the United States" https://www.muckrock.com/news/archives/2015/aug/24/ray-bradbury-fbi-file/



Colophon (permalink)

Today's top sources: Naked Capitalism (https://www.nakedcapitalism.com/), Boing Boing (https://boingboing.net/).

Currently writing:

  • My next novel, "The Lost Cause," a post-GND novel about truth and reconciliation. Friday's progress: 570 words (50048 total).

Currently reading: Twilight of Democracy, Anne Applebaum.

Latest podcast: Someone Comes to Town, Someone Leaves Town (part 14) https://craphound.com/podcast/2020/08/24/someone-comes-to-town-someone-leaves-town-part-14/

Upcoming appearances:

Latest book:

Upcoming books:


This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/web/accounts/303320

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

When life gives you SARS, you make sarsaparilla -Joey "Accordion Guy" DeVilla