Today's links

Sci-Fi Genre: Sarah Gailey and Chuck Wendig on the Attack Surface Lectures.
Saudi Aramco is gushing debt: Vision 2030 strikes again.
Emailifaction is digital carcinization: Every program attempts to expand until it can read mail.
Cheap Chinese routers riddled with backdoors: Actively exploited by Mirai.
Talking interop on EFF's podcast: We call it competitive compatibility.
This day in history: 2010, 2015, 2019
Colophon: Recent publications, upcoming appearances, current writing projects, current reading

Sci-Fi Genre (permalink)

Today on the Attack Surface Lectures (8 panels exploring themes from the third Little Brother book, hosted by Tor Books and 8 indie bookstores): Sci-Fi Genre with Sarah Gailey and Chuck Wendig, recorded on Oct 16 by Fountain Books.

https://www.youtube.com/watch?v=_GecqbDNbTI

You can watch it without Youtube's surveillance courtesy of the Internet Archive:

https://archive.org/details/asl-scifi-genre

Or get the audio as an MP3:

https://archive.org/download/asl-opsec/Opsec%20with%20Runa%20Sandvik%20and%20Window%20Snyder.mp3

Earlier instalments in the series:

I. Politics and Protest (Eva Galperin and Ron Deibert, hosted by The Strand):

https://craphound.com/attacksurface/2020/11/16/the-attack-surface-lectures-politics-and-protest-fixed/

II. Cross-Media Sci-Fi (Amber Benson and John Rogers, hosted by the Brookline Booksmith):

https://craphound.com/attacksurface/2020/11/17/the-attack-surface-lectures-cross-media-sci-fi/

III. Race, surveillance and tech (Meredith Whittaker and Malkia Devich-Cyril, hosted by The Booksmith):

https://craphound.com/attacksurface/2020/11/18/the-attack-surface-lectures-intersectionality-race-surveillance-and-tech-and-its-history/

IV. Cyberpunk & Post-Cyberpunk (Christopher Brown and Bruce Sterling, hosted by Anderson's Bookshop)

https://craphound.com/attacksurface/2020/11/19/the-attack-surface-lectures-cyberpunk-and-post-cyberpunk/

V. Little Revolutions (Tochi Onyebuchi and Bethany C Morrow, hosted by Skylight Books)

https://craphound.com/news/2020/11/20/the-attack-surface-lectures-little-revolutions/

VI. Opsec and Personal Cybersecurity (Window Snyder and Runa Sandvik, hosted by Third Place Books)

https://craphound.com/attacksurface/2020/11/23/the-attack-surface-lectures-opsec-and-personal-cyber-security/

Here's a master post with all the media as it is goes live:

https://craphound.com/news/2020/11/16/attack-surface-lectures-master-post/

And you can also get this as it's posted on my podcast feed – search for "Cory Doctorow podcast" in your podcatcher or use the RSS:

https://feeds.feedburner.com/doctorow_podcast

Saudi Aramco is gushing debt (permalink)

Under the leadership of the murderer Mohammad bin Salman, the Saudi royal family (and the Saudi state it controls) have embarked on "Vision 2030," a plan to shift the country's economy from oil to not-oil.

Extraction-based states are always dysfunctional. All you need to run an extraction economy is a hole in the ground surrounded by guns. Being a leader of such a state requires merely that you be able to judge which mercenaries and diggers to hire.

When these leaders are called upon to do anything more sophisticated – particularly anything that requires forbearance, tolerance, and a degree of personal discomfort – they fail, badly.

Sure, MBS was up to the task of going to NYC to drink Starbucks with Bloomberg.

But when he was faced with a routine leadership challenge – tolerating a critical journalist rather than dismembering him and dissolving his remains in acid – he totally failed.

Vision 2030 is proceeding as you might expect from a program named under the misconception that 20/30 vision is like 20/20 vision, only better.

(It's worse)

Take the IPO for Saudi Aramco, the state-owned oil company.

The IPO was "omni-toxic." Aramco doesn't own its wells; it's a royal piggybank that funds a stream of multibillion-dollar royal boondoggles, it has discovered no new oil sources in decades, oil itself is unsustainable, etc.

https://oilprice.com/Energy/Energy-General/Forget-The-Hype-Aramco-Shares-May-be-Valued-At-Zero-Next-Year.html

The Saudis pulled every trick to make the IPO a success: offering preferential loans to investors so they could buy the stock, threatening local power-brokers to coerce them into buying in, and guaranteeing sky-high dividends ($75b/year!).

And then covid hit, and MBS started an oil-price war. Profits fell 50% in H1-2020. The company is still making those massive dividend payments, though.

https://oilprice.com/Energy/Energy-General/Saudi-Aramcos-Landmark-IPO-Is-Costing-The-Kingdom-Billions.html

Those payments are coming from somewhere: capital expenditures and free cash flow. The company is suspending both projects that would help it increase its output and projects that might help it wean itself off of oil.

What's more, the cupboard is bare everywhere else. Other arms of the Saudi state have been starved by the price-war, and can't make up the difference. Instead, Aramco is digging itself into debt, with a $48B bond issuance.

Obviously, the shut-down of the oil industry is great news. But collapses are messy. As the world's hydrocarbon barons thrash around looking for their future, they're inflicting a lot of collateral damage.

Uber (and many other exploitative, money-losing gig businesses funded) is just an extrusion of Saudi oil money, via the Saudis' massive investment in Softbank, which allowed it to run predatory, money-losing, business-destroying grifts for years.

The people who grew unimaginably wealthy and powerful presiding over a hole in the ground surrounded by guns are not going to throw themselves into their holes and pull the dirt in on top of themselves. They are armed, rich, and psychotic.

At least they're not very bright.

Emailifaction is digital carcinization (permalink)

During the first dotcom bubble, Jamie "JWZ" Zawinski coined Zawinski's Law: "Every program attempts to expand until it can read mail. Those programs which cannot so expand are replaced by ones which can." It's all three kinds of funny: funny ha-ha, funny strange, and funny serious.

It's the software equivalent of carcinization, the tendency of every animal to eventually evolve into a crab. Crab's aren't the best animal, but they're the most versatile.

https://academic.oup.com/biolinnean/article/121/1/200/3089703

Today in XKCD, Randall Munroe updates Zawinski's Law with a strip called "Unread," in the way that mounting unread message counts eventually turn every instant messaging platform into email.

https://xkcd.com/2389/

Switching from email to instant messaging can feel hugely liberating. There's the first-order effect, that most of the people whose email is a chore – mass-forwarders, bulk-CCers, favor beggers and passive-aggressive schmendricks – don't know how to reach you.

Instead, your initial correspondents on a new service are apt to be close friends you give your new address to, along with a smattering of interesting strangers of the sort you've been unable to engage with thanks to the time-vampires who'd colonized your email inbox.

That giddy moment quickly fades though, because you have stuff to do, and to do stuff, you have to engage with people. And then they'll engage with you. And you'll want to answer them, but sometimes you'll need to get other people in on the discussion to move things forward.

You'll get messages on the go – during the honeymoon period, you can even turn on notifications again! – and then need to come back to them later (because you're on the go, and the messages are important).

Then, one of two things happens: either you fall back to email or the IM tool gets CC, BCC, mark unread, search and bulk messaging.

Except that it's shitty email. It's email that's locked inside a social media company's walled garden, with only one client, not federated.

This is why I do everything important by email. Not because I like email. I hate email. I, too, have experienced the giddy new relationship energy that comes from switching to an IM-based service!

But I've also lived through the disastrous consequences of zawinskiian carcination enough times that I have learned my lesson. Much as I hate email, I can't quit it.

Cheap Chinese routers riddled with backdoors (permalink)

Jetstream is the Walmart brand name for a line of cheap Chinese wifi base-station/routers; other popular, cheap brands like Wavlink and Winstars appear to come from the same manufacturer and they all share a grave security vulnerability: a powerful back-door.

A collaboration between Cybernews, Mantas Sasnauskas and James Clee and Roni Carta documents the back-door, attempts to connect multiple corporate identities to a common owner, and presents (very) rough estimate of the number of devices that share this defect.

https://cybernews.com/security/walmart-exclusive-routers-others-made-in-china-contain-backdoors-to-control-devices/

The researchers say that the back-door allows remote parties to "monitor and control all traffic coming through" affected devices, using an undocumented web-form that accepts commands and runs them as root.

This form has only the crudest security, checking to see if there's ANY user activity on the network before allowing access. The researchers claim this as evidence that this is a deliberate back-door and not a forgotten testing feature or error.

They also document a hidden feature that causes routers to enumerate nearby routers. While they say there's no reason for this to exist, I can think of at least two: first, for dynamic frequency selection to avoid interference, and second, to set up relaying services.

However, I agree with their contention that such a feature would be useful to the spread of malicious software that exploits the same back-door.

I'm more dubious of their implied claim that all of this represents some kind of Chinese state intervention in product design in order to facilitate surveillance and/or cyberwarfare.

It's true that China (and other world powers, notably the USA) have covertly and overtly weakened device security as part of their cyberoffense efforts. But it's also true that vendors make this kind of stupid mistake all the time, without government encouragement.

Remember when Chrysler shipped millions of internet-connected Jeeps whose main security was that the connectivity came from Sprint and since no one uses Sprint, no one would be on the same network as the Jeeps?

https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

Chinese white-label firms are notorious for building idiotically insecure devices that are sold under multiple brand names, in ways that lead to real harms to their owners, and there's no indication that this was malice – rather, it was indifference.

http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html

Which is not to say that Chinese cyberwarriors wouldn't exploit these defects – as would their US and other foreign counterparts. Indeed, a major impediment to the passage of good cybersecurity regulation is the extent to which spy agencies rely on insecure IoT devices.

And of course, that's just one form of blowback. Vulnerabilities are also useful to cybercriminals, and that's why both China and the US are under continuous, nation-scale, punishing ransomeware and Mirai attacks.

It seems like there's at least one Mirai version that targets the Jetstream back-door. But then again, Mirai is an aggressive little fucker that also targets high-end, Sony equipment.

https://krebsonsecurity.com/2016/12/researchers-find-fresh-fodder-for-iot-attack-cannons/

I think the geopolitics of this thing isn't "Chinese spies coerced a manufacturer into riddling its products with vulnerabilities." It's: "In the absence of regulation and liability, companies make insecure products."

And also: "Spies do what they can to prevent regulation because they like insecure products."

And finally: "Criminals love the insecurities that reckless companies create and governments fail to punish."

Oh, and "Walmart's procurements process is garbage and you should throw away your Walmart router."

Talking interop on EFF's podcast (permalink)

How to Fix the Internet is EFF's amazing new podcast: nuanced discussions of tech law and ethics with incredible experts, interviewed and contextualized by EFF executive director Cindy Cohn and strategy director Danny O'Brien.

https://pluralistic.net/2020/11/13/said-no-one-ever/#fix-it

I devoured the first three episodes. I mean, I started working with EFF nearly 19 years ago (!) but I was learning SO MUCH from them.

Today, the episode I recorded dropped. I've never been in such august company.

https://www.eff.org/deeplinks/2020/11/podcast-episode-control-over-users-competitors-and-critics

Our discussion is about the role interoperability plays in helping technology users exercise self-determination, giving them alternatives to bad moderation, abusive lock-in, and poor security choices.

And about how companies love interop when they're trying to eat another company's lunch, but then they love to take it away once they win, because without interop, companies can control their customers, critics and competitors.

You can get How to Fix the Internet in your favorite podcatcher. Here's the RSS:

https://efforg.libsyn.com/rss

and here's the MP3 for my episode:

https://ia601407.us.archive.org/10/items/eff-podcast-episode-4-interroperability/EFF_Podcast_Episode4_Interroperability.mp3

This day in history (permalink)

#10yrsago Menstruating woman subjected to TSA grope because panty-liner obscured her vulva on pornoscanner https://blog.gladrags.com/2010/11/24/tsa-groin-searches-menstruating-woman/

#5yrsago Randall “XCKD” Munroe’s Thing Explainer: delightful exploded diagrams labelled with simple words https://memex.craphound.com/2015/11/24/randall-xckd-munroes-thing-explainer-delightful-exploded-diagrams-labelled-with-simple-words/

#5yrsago Shamrock shake: Pfizer’s Irish “unpatriotic loophole” ducks US taxes https://arstechnica.com/science/2015/11/with-160-billion-merger-pfizer-moves-to-ireland-and-dodges-taxes/

#5yrsago WTO rules against US dolphin-safe tuna labels because they’re unfair to Mexican fisheries https://theintercept.com/2015/11/24/wto-ruling-on-dolphin-safe-tuna-labeling-illustrates-supremacy-of-trade-agreements/

#5yrsago J Edgar Hoover was angry that the Boy Scouts didn’t thank him effusively enough https://www.muckrock.com/news/archives/2015/nov/24/j-edgar-hoover-insults/

#1yrago Peak billionaire: a billionaire tries to purchase a party nomination to outflank anti-billionaires so he can run against another billionaire https://time.com/5735384/capitalism-reckoning-elitism-in-america-2019/

#1yrago A poor, Trump-voting Florida town opened a government grocery store to end its food desert, but it’s “not socialism” https://www.washingtonpost.com/nation/2019/11/22/baldwin-florida-food-desert-city-owned-grocery-store/

#1yrago I made Wil Wheaton recite the digits of Pi for four minutes, then a fan set it to music https://soundcloud.com/nicholasland/pi-funk

#1yrago The Lincoln Library executive director got fired for renting Glenn Beck the original Gettysburg Address https://chicago.cbslocal.com/2019/11/22/lincoln-library-director-fired-after-renting-out-gettysburg-address-to-glenn-beck/

Colophon (permalink)

Today's top sources: Naked Capitalism (https://www.nakedcapitalism.com/), Slashdot (https://slashdot.org/), Deeplinks (https://www.eff.org/deeplinks/).

Currently writing: My next novel, "The Lost Cause," a post-GND novel about truth and reconciliation. Yesterday's progress: 516 words (87352 total).

Currently reading: The Ministry for the Future, Kim Stanley Robinson

Latest podcast: Someone Comes to Town, Someone Leaves Town (part 24) https://craphound.com/podcast/2020/11/23/someone-comes-to-town-someone-leaves-town-part-24/

Upcoming appearances:

Keynote, Cybersummit 2020, Nov 26 https://www.cybera.ca/cyber-summit-2020/
Keynote, Cologne Futures, Nov 27, http://medienpolitik.eu/
Beaverbrook Lecture: How to Destroy Surveillance Capitalism, Nov 30, https://www.mcgill.ca/maxbellschool/channels/event/2020-beaverbrook-annual-lecture-part-ii-cory-doctorow-325538
Teach-In Against Surveillance, Dec 1, https://www.eventbrite.ca/e/teach-in-against-surveillance-tickets-128926228821
Keynote, NISO Plus, Feb 22-25, https://niso.plus/cory-doctorow-to-keynote-at-niso-plus-2021/

Recent appearances:

Nerdcanon Podcast:
http://nerdcanon.com/episode-25-cory-doctorow-and-attack-surface/
Plutopia Podcast:
https://plutopia.io/2020/11/23/cory-doctorow-attack-surface/
Talkingheadz Podcast:
https://talkingpointz.com/talkingheadz-with-cory-doctorow/

Latest book:

"Attack Surface": The third Little Brother novel, a standalone technothriller for adults. The Washington Post called it "a political cyberthriller, vigorous, bold and savvy about the limits of revolution and resistance." Order signed, personalized copies from Dark Delicacies https://www.darkdel.com/store/p1840/Available_Now%3A_Attack_Surface.html
"How to Destroy Surveillance Capitalism": an anti-monopoly pamphlet analyzing the true harms of surveillance capitalism and proposing a solution. https://onezero.medium.com/how-to-destroy-surveillance-capitalism-8135e6744d59
"Little Brother/Homeland": A reissue omnibus edition with a new introduction by Edward Snowden: https://us.macmillan.com/books/9781250774583; personalized/signed copies here: https://www.darkdel.com/store/p1750/July%3A__Little_Brother_%26_Homeland.html
"Poesy the Monster Slayer" a picture book about monsters, bedtime, gender, and kicking ass. Order here: https://us.macmillan.com/books/9781626723627. Get a personalized, signed copy here: https://www.darkdel.com/store/p1562/_Poesy_the_Monster_Slayer.html.

This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.