Pluralistic: 11 Feb 2021

Today's links

Dependency Confusion (permalink)

In "Dependency Confusion," security researcher Alex Birsan describes how he made a fortune in bug bounties by exploiting a new supply-chain attack he calls "dependency confusion," which allowed him to compromise "Apple, Microsoft and dozens of others."

Dependency Confusion is incredibly, delightfully clever. It is grounded in the fact that software developers rely on "dependencies" (prebuilt, modular code libraries) when they build new versions of their software.

The JavaScript bundles and package manifests (such as package.json) used to build new versions are often public, and by looking inside them, you can find out the names of the libraries used to build popular applications, from Uber to Yelp to Netflix.

Now, these libraries are a mix of widely used public libraries and private, in-house ones, and when the software is being built, the build system checks both the canonical public package registries and the company's private package server.

Birsan's insight was that if he created new, malicious libraries with the same names as the private ones, and put them on the public servers, then the build system might preferentially snag and incorporate his malicious code instead of the private ones.

Some build systems make this worse with a resolution rule that is no security measure at all: if a library name is found in more than one repository, the system defaults to the copy with the highest version number, so Birsan gave his libraries version numbers like "9000.0.0" to guarantee they would win.

Birsan was able to attack Python (PyPI), Ruby (RubyGems) and Microsoft .NET (NuGet)-based apps. His reports resulted in fixes to many of the apps involved, but some of the infrastructure tools, like JFrog Artifactory, still default to an insecure configuration (resolving a name against public and private sources alike), and class his bug report as a "feature request."
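To make the resolution rule concrete, here is an added example (not code from Birsan's write-up or from any of the tools named above). It parses a constructed, leaked package.json-style manifest, picks out the names that look internal, and then runs two resolvers over a constructed private index and a constructed public index: a naive one that merges both sources and lets the highest version win (the "9000.0.0" failure mode), and a pinned one that binds internal names to the private source only. The package names, prefixes and versions are all hypothetical; version ranges in the manifest are not modelled, which matches the unpinned or wildcard specs the attack relies on.

```python
"""Simulate dependency-confusion resolution against two package indexes.

Added example, not from the original post. All names, prefixes and version
numbers below are constructed for illustration.
"""
import json
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed manifest, standing in for one leaked inside a public JS bundle.
# The "*" specs mean "whatever is newest", which is the case that matters here.
LEAKED_MANIFEST = json.dumps({
    "name": "acme-web",
    "dependencies": {
        "lodash": "*",
        "@acme/auth-client": "*",
        "acme-internal-metrics": "*",
    },
})

# Constructed indexes: package name -> versions available on that source.
PRIVATE_INDEX: Dict[str, List[str]] = {
    "@acme/auth-client": ["1.2.0", "1.2.3"],
    "acme-internal-metrics": ["2.0.1"],
}
PUBLIC_INDEX: Dict[str, List[str]] = {
    "lodash": ["4.17.20", "4.17.21"],
    # Attacker registered the leaked, unscoped internal name publicly with an
    # absurdly high version. The @acme scope is assumed to be claimed by the
    # company, so no attacker copy of @acme/auth-client exists on the public side.
    "acme-internal-metrics": ["9000.0.0"],
}
INDEXES = {"private": PRIVATE_INDEX, "public": PUBLIC_INDEX}

# Hypothetical naming convention for in-house packages.
INTERNAL_PREFIXES: Sequence[str] = ("@acme/", "acme-internal-")


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple (good enough for the demo)."""
    return tuple(int(part) for part in v.split("."))


def is_internal(name: str, prefixes: Sequence[str]) -> bool:
    return any(name.startswith(p) for p in prefixes)


def internal_names(manifest_json: str, prefixes: Sequence[str]) -> List[str]:
    """Names in a leaked manifest that an attacker would try to register publicly."""
    deps = json.loads(manifest_json).get("dependencies", {})
    return [n for n in deps if is_internal(n, prefixes)]


def naive_resolve(name: str, indexes: Dict[str, Dict[str, List[str]]]) -> Optional[Tuple[str, str]]:
    """Merged-source resolution: union every index, highest version wins.

    This is the behaviour that lets a public 9000.0.0 beat a private 2.0.1.
    """
    best: Optional[Tuple[str, str]] = None
    for source, index in indexes.items():
        for v in index.get(name, []):
            if best is None or parse_version(v) > parse_version(best[1]):
                best = (source, v)
    return best


def pinned_resolve(name: str, indexes: Dict[str, Dict[str, List[str]]],
                   prefixes: Sequence[str]) -> Optional[Tuple[str, str]]:
    """Hardened resolution: internal names may only come from the private index.

    If the private index lacks the package we fail closed instead of falling
    through to the public registry.
    """
    source = "private" if is_internal(name, prefixes) else "public"
    versions = indexes[source].get(name, [])
    if not versions:
        return None
    return (source, max(versions, key=parse_version))


def hijacked_packages(manifest_json: str, indexes: Dict[str, Dict[str, List[str]]],
                      prefixes: Sequence[str]) -> List[str]:
    """Dependencies a naive resolver would fetch from 'public' despite a private copy."""
    deps = json.loads(manifest_json)["dependencies"]
    hijacked = []
    for name in deps:
        naive = naive_resolve(name, indexes)
        if name in indexes["private"] and naive is not None and naive[0] == "public":
            hijacked.append(name)
    return hijacked


if __name__ == "__main__":
    print("internal names leaked:", internal_names(LEAKED_MANIFEST, INTERNAL_PREFIXES))
    for dep in json.loads(LEAKED_MANIFEST)["dependencies"]:
        print(dep, "naive ->", naive_resolve(dep, INDEXES),
              "pinned ->", pinned_resolve(dep, INDEXES, INTERNAL_PREFIXES))
    print("hijacked under naive resolution:", hijacked_packages(LEAKED_MANIFEST, INDEXES, INTERNAL_PREFIXES))
```

Two things fall out of running it: the unscoped internal name is the one that gets hijacked, while the scoped one survives only because the scope is assumed to be claimed, and the pinned resolver refuses to fall back to the public registry when the private index has no copy, which is the property to look for when reviewing a registry proxy's configuration.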

And Birsan thinks there's plenty more bug bounties out there waiting to be claimed for attacks like this: "finding new and clever ways to leak internal package names will expose even more vulnerable systems, and looking into alternate programming languages and repositories to target will reveal some additional attack surface for dependency confusion bugs"

Adam Curtis on criti-hype (permalink)

Adam Curtis is a brilliant documentarian, and films like Hypernormalization and series like All Watched Over by Machines of Loving Grace had a profound effect on my thinking about politics, technology and human thriving.

In this interview with The Idler's Tom Hodgkinson, Curtis lays out a compact, incisive and important critique of the big social media platforms – and of their critics, who give these companies far too much credit.

Curtis puts Big Tech's self-serving boasts about how good it is at manipulating public opinion in the same bucket as other outlandish claims of secret, astounding accomplishments, such as those made by British spy agencies.

When the Snowden leaks came to light, Curtis published an absolutely brilliant, jaw-dropping article on the BBC about his own investigations into spy agencies.

He concluded that spy agencies are filled with unhinged, unreliable sociopaths whose claims of competence only survive because everything they do is secret, so we have to take their word for it.

Once you understand this, you have to rethink the problem with intelligence agencies – not that they use surveillance effectively, but rather that they use it indiscriminately, to justify all kinds of dirty tricks against the targets of their paranoid prejudice.

The mainstream critique of spy agencies – the one that accepts their claims to hypercompetence at face value – is doing the spy agencies a favor, affirming these baseless claims. It's a species of what Lee Vinsel calls "criti-hype."

Curtis agrees with Vinsel: the critique of social media centered on the industry's claims of devastating efficacy gives the industry far too much credit. He points out that advertisers are coming to the conclusion that ad-tech is a swindle, a bezzle.

If tech doesn't make money by being good at advertising, how to account for its riches? Curtis says it's monopoly: "four giant corporations who don’t produce anything, contribute nothing to the wealth of the country, hoard their billions of dollars in order to pounce on anything that appears to be a competitor and buy it out immediately."

Curtis says that dark, irrational political movements aren't the result of Big Tech's algorithmic radicalization, but rather the material conditions created by a corrupt system:

"For 20 years, they’ve been offered no choice between the political parties. They’ve been given this enormous button that says 'Fuck off' and they’ve pressed it. That’s a rational thing to do."

This nihilistic conduct is the inevitable product of the "high individualism" doctrine: "in a period of high individualism, the one thing you don’t notice is power. You’re supposed to be an empowered individual yourself."

Think of how climate change debates have been dominated by "personal responsibility" as though the emergency stems from your personal recycling habits or your choice not to use underfunded transit.

When we're offered solutions, they turn on criti-hyped fields like "AI," which is actually just machine learning, which, in turn, is just statistical inference, with no path to producing anything like intelligence.

Curtis talks about how corruption has made us suspicious of science, and that vacuum gets filled with a kind of individualistic religion – citing Ayn Rand's claim not to fear death "because I won’t die, the world will die."

Curtis says the path forward is to "square the circle" between individualism and collective action – to find ways that individuals can become part of a collective, a movement, grounded in science that is liberated from industrial corruption.

"The internet is the thing that could do it, except the bastards got hold of it and isolated us even more. We are being made to do this work for free for them and they feed us stuff and we remain in our little bubbles…I would argue for the nationalisation of the internet."

I'm not sure about nationalization (though a publicly owned part of the internet is an intriguing idea), but so much of this resonated with me, and got at the points I tried to make with my 2020 book HOW TO DESTROY SURVEILLANCE CAPITALISM.

Catalytic converter theft (permalink)

Back in the early 2010s, people started falling into open sewer entrances in New York City and other large metros – because a China-driven spike in the price of scrap metal, combined with post-2008 unemployment, gave rise to an army of metal-thieves.

A decade later, there's a new precarity- and bubble-fuelled metal-theft epidemic: stealing catalytic converters out of parked cars to harvest their palladium and rhodium for re-use in the global auto-sector, which is facing strict emissions controls.

Palladium and rhodium prices are soaring: palladium is up from $500/oz in 2016 to $2000-$2500/oz; rhodium rose from $640/oz to $21,900/oz (!). This puts a serious dent in auto profits – in 2019, the industry spent an extra $18b on metals (it was higher in 2020).

2021 will see the auto industry buying $40b worth of catalytic converter metals, and this has driven a secondary market where scrappers are using targeted ads exhorting people to bring in old converters for recycling.

Catalytic converters are pretty easy to harvest from cars: it just takes a few minutes' work under the car to detach a compact, fungible source of wealth, and even if your state has rules requiring ID to make the sale, chances are the next state over doesn't.

In the New York Times, Hiroko Tabuchi talks to people at the center of the phenomenon, like the tow-yard operator who deflates the tires of cars "so they can’t slither underneath" and who has had to repeatedly tow the same vehicle after it had its converter stolen and re-stolen.

Converters can be sold to scrappers by mail, and you can learn how to boost one in any of several Youtube videos. Cops suggest engraving your VIN into your converter, and people are homebrewing catalytic-converter armor.

(Image: Endless)

Apple puts North Dakota on blast (permalink)

Republican North Dakota legislators have introduced SB2333, a bill that prohibits large tech companies from locking their users into a single app store or payment processor.

While this has implications for Android and other large tech platforms, its most immediate and far-reaching effects will be on Apple, whose iOS platform uses lock-in to monopolize both apps and payments (and another domain, not mentioned in the bill: repairs).

Predictably, this has thrown Apple into a fury, with Apple's privacy chief Erik Neuenschwander telling the ND legislature that Apple uses its monopoly over the App Store to protect its users' privacy and security.

Neuenschwander makes a good, but incomplete, point. To the extent that Apple has the same interests as its users, it uses its app store monopoly to lock out bad apps (to the best of its ability).

But when Apple's interests diverge from its users' interests, the prohibition on sideloading apps actively harms those users' privacy and security. Think of how Apple caved to Chinese state demands to remove working VPNs from the iOS App Store to facilitate mass surveillance.

This security model – surrendering your autonomy to a large company in exchange for promises of protection – is what Bruce Schneier calls "feudal security," though it should really be thought of as "manorial security."

In manorial security, a small elite of mercantilist warlords get all the property rights – the right to decide how the infrastructure is used – and the rest of us get tenants' rights, the right to make limited use of the warlords' property.

The warlords promise to defend us from bandits and build high walls to keep the bandits out, but if someone suborns the warlord to acting against us, those walls lock us in, leaving us helpless.

Indeed, the walls aren't just a protection, they're a temptation: anyone who coerces or bribes a warlord into letting them inside the compound enjoys a smorgasbord of defenseless prey – the walled garden becomes a feedlot.

Which is why Neuenschwander is more wrong than right: Apple keeps out the bad apps it finds, except when a powerful state makes it an offer it can't refuse.

The fact that users are held prisoner to those judgments is an invitation to states to make demands of Apple.

Which suggests a corollary: if Apple's users could sideload apps that subverted harmful government orders, then those orders would be less effective – and governments would be less tempted to make them in the first place, and if they did anyway, users would have an out.

I don't know enough about North Dakota state politics to weigh the bill's chances, but if it passes, it creates some fascinating possibilities. ND is one of America's fiber optic powerhouses, with much higher gigabit penetration than other states.

If moving your company to ND means that you get to retain 30% more of your income – because you're no longer paying the app store tax – and you get to save money on real-estate and all your employees get fiber, well, that's pretty attractive.

To get a sense of what this could mean, check out the testimony of Basecamp CTO David Heinemeier Hansson in support of the bill, describing how Apple shook down his company for 30% of the revenues for Hey, its innovative email reader.

"North Dakota has the opportunity to create this level playing field, such that the next generation of software companies can be started there, and if a team in Bismarck builds a better digital mouse trap, they won’t be hampered by abusive, extortive demands for 30% of their revenue from the existing big tech giants."

As Heinemeier Hansson points out, the bill is very short – 17 lines, plus some recitals – and it's well-crafted…for the most part. One thing jumps out though:

  1. This section does not apply to a proprietor of a special-purpose digital application distribution platform.

What's a "special-purpose digital application distribution platform?"

It's "a gaming console, music player, and other special-purpose devices connected to the internet."

That is a seriously weird carve-out. Consoles invented the app store business model, and they use it aggressively today to screw games studios and gamers. Exempting them from this is like exempting printers from a ban on high-priced consumables.

And all those other "special purpose" devices – smart speakers, medical implants, home automation systems, etc – are just as prone to being monopolized and produce just as many harms for their users through anticompetitive app store conduct as phones do.

They're overwhelmingly made by the same companies that operate abusive app stores for phones, which means that if this carve-out was created by lobbyists, it's weird that they didn't lobby for a carve-out for phones, too.

This day in history (permalink)

#15yrsago Open Source Hardware Definition turns 1.0

#10yrsago Steampunk fetish mask with ear-horn

#5yrsago Facebook’s “Free Basics” and colonialism: an argument in six devastating points

#5yrsago UK surveillance bill condemned by a Parliamentary committee, for the third time

#5yrsago Disgraced ex-sheriff of LA admits he lied to FBI, will face no more than 6 months in prison

#5yrsago Celebrate V-Day like an early feminist with these Suffragist Valentines

#5yrsago Haunted by a lack of young voter support, Hillary advertises on the AOL login screen

Colophon (permalink)

Today's top sources: Waxy, Naked Capitalism, Slashdot

Currently writing:

  • My next novel, "The Lost Cause," a post-GND novel about truth and reconciliation. Yesterday's progress: 546 words (109322 total).

  • A short story, "Jeffty is Five," for The Last Dangerous Visions. Yesterday's progress: 253 words (4547 total).

Currently reading: Analogia by George Dyson.

Latest podcast: Someone Comes to Town, Someone Leaves Town (part 30)

This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Newsletter (no ads, tracking, or data-collection):

Mastodon (no ads, tracking, or data-collection):

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla