Pluralistic: 22 Apr 2021

The Ohio state flag with Ihor Kolomoisky's in place of the circular motif; behind it, a faded picture of a ruined factory.

The awesome destructive power of a billionaire (permalink)

"Every billionaire is a policy failure": it's a controversial aphorism, but there's an undeniable truth to it.

There's no justifiable rationale for a person to be worth billions: is Jeff Bezos's social value really 14,285,714 times that of his median factory worker?

But moreover, billions of dollars are a force multiplier that magnifies the power of the individual without accountability or check. Everybody makes mistakes and there are crooks everywhere in the social fabric, but billionaire crooks are far more harmful than street muggers.

Woody Guthrie wrote, "Some will rob you with a six-gun, and some with a fountain pen," but as great as that line is, it fails to capture just how much harm the fountain-pen bandits can do – the chaos, death and misery their schemes create.

Think of Ihor Kolomoisky, the Ukrainian oligarch whose government has accused him of stealing $5.5B from a bank he ran. I first encountered Kolomoisky in the Fincen Leaks, a collection of official warnings that the US Treasury Department chose to ignore.

Kolomoisky laundered $240m through Deutsche Bank, who started helping him launder that money less than one month after issuing a triumphant press-release announcing that it had cleaned house after its last oligarch money-laundering scandal.

But Deutsche Bank's contribution was a relative trifle. As Michael Sallah and colleagues document in Dirty Dollars, a stunning feature in the Pittsburgh Post-Gazette, Kolomoisky shuffled billions through the US, destroying factories and laying waste to whole towns.

Kolomoisky and his confederate Gennadiy Bogolyubov used compromised bank employees in Ukraine to steal billions by issuing phony loans to shell companies in Cyprus (an EU state and notorious financial secrecy haven) and various Caribbean "treasure islands."

That money came onshore with the help of US enablers like Florida "businessman" Mordechai "Motti" Korf (represented by Trump's personal lawyer Marc Kasowitz). Once in the US, it was used to snap up real-estate and factories across the midwest.

These assets included "13 steel factories, five office towers, a hotel, two office parks, and a shuttered Motorola plant with two heliports." These structures included historically significant US buildings, as well as strategic production facilities.

For example, at one point, Kolomoisky controlled the majority of the US's silico manganese production, a key element in steel production. The fact that he didn't abuse this to deliberately destroy the US's ability to produce steel is somewhat incidental.

Because Kolomoisky destroyed plenty of US productive capacity for other reasons – namely, because he bought giant companies like Warren Steel to use them as money-laundering pass-throughs, running them without regard to their workers or their products.

This resulted in a series of ghastly plant disasters in which workers were killed, maimed, injured and traumatized. After the disasters came waves of closures, which saw plants shuttered and communities shattered by layoffs.

But the force-multiplier effect of Kolomoisky's stolen billions continued to wreak havoc: the shutdown of these plants resulted in environmental devastation, such as dumping waste water directly into Ohio's Mahoning River.

Ohio was particularly brutalized by Kolomoisky's money-laundering: after the 2016 shut-down of Warren Steel, the Ohio AG revealed that the company had illegally dumped vast amounts of "baghouse dust," which causes kidney and liver damage.

The FBI is investigating Kolomoisky's onshore crimes, and Ukrainian authorities are targeting him at home (which could be explosive, as he is closely tied to the lavishly corrupt Ukrainian president Volodymyr Zelensky, a former TV comedy actor).

These investigations, as well as the work of the Post-Gazette team, as well as the Fincen Leaks, all throw the meaning of "every billionaire is a policy failure" into stark relief.

The men who rob you with a fountain pen destroy lives, towns, the environment, national resiliency, even whole nations.

(Image: Справедливість. Анна Безулик, CC BY, modified)

Expulsion of the merchants from the temple, an oil painting by A.N. Mironov, depicting Christ scourging cringing usurers.

Banks made bank on covid overdraft charges (permalink)

As the big US banks tout their record-smashing financial results for the pandemic lockdown era, it's easy to assume that all those profits came as a result of Trump and McConnell's big-business bailout, but that's only part of the story.

As Alex Sammon writes for The American Prospect, 12 of the 15 largest US banks owe a substantial fraction of their pandemic profits to overdraft fees – fees assessed against the poorest and most vulnerable bank customers.

How much money did the banks make on these fees? JPMorgan Chase made $1.5b in 2020; Bank of America made $1.1b; Wells Fargo made $1.3b – the most deadly months of the pandemic correspond to the highest overdraft rakes, with the big three pulling in $300m in Q4-2020.

Who pays overdraft fees? The very, very poor. 78.3% of all overdraft fees come from just 9.2% of bank customers. They pay an average of $35 to punish them for not having enough money. These amount to loans with a 3,500% APR.

As with so many American pathologies, the pandemic served as an accelerant for a pre-existing condition: the share of bank profits attributable to overdraft fees has climbed steadily since the Great Financial Crisis, hitting $11b in 2019.

The banks have made empty noises telling customers that their overdraft fees might be eligible for a refund if they were "pandemic related" but these were just words – the reality is that the banks piled fees upon fees.

All of this happened while the banks made $25 billion in commissions for handling the government's insured, risk-free PPP loans – and while the Fed suspended uncollateralized intraday credit limits and waived the banks' own overdraft fees.

Those billions in public subsidy were pumped into socially useless stock buybacks, a practice that makes the very rich (especially bank executives) much, much richer, while making the banks themselves more fragile and liable to need more public money in the future.

It's time for the Biden administration and Congress to act. The CFPB has authority to reverse Trump's policy of permitting unlimited fee-gouging by banks, and the FDIC and Federal Reserve could both act as well.

Congress should revive Cory Booker and Carolyn Maloney's proposals to rein in this usury.

As the pandemic recedes and we restructure the economy for the new century, we mustn't forget how the banks got vast public support and returned it by trampling their poorest customers.

(Image: A.N. Mironov, CC BY-SA)

A screenshot from the Cellebrite hacking demo video, displaying a Hackers-inspired dialog box that reads MESS WITH THE BEST, DIE LIKE THE REST. HACK THE PLANET!

Moxie hacks Cellebrite (permalink)

The "lawful interception" industry is a hive of scum and villainy: these are powerful, wildly profitable companies who search out defects in widely used software, then weaponize them and sell them to the world's most brutal dictators and death squads.

Their names are curses: The NSO Group, Palantir, and, of course, Cellebrite, who have pulled publicity stunts like offering $1m bounties for exploitable iPhone defects that can be turned into cyberweapons.

Late last year, Cellebrite announced that they'd added "support" for Signal to their top-selling cyberweapons, UFED and Physical Analyzer. The announcement was deliberately misleading, claiming to have "cracked the encryption" (they haven't and can't do this).

Now, Signal founder Moxie Marlinspike has turned the tables on Cellebrite in a delicious act of security analysis, which he wrote up in detail on Signal's corporate blog:

As Marlinspike explains, the job of Cellebrite's tools is to ingest untrusted input – the files from a seized mobile device – and parse them. This is a very dangerous task: "This is the space in which virtually all security vulnerabilities originate."

Incredibly, Cellebrite's programmers do no input sanitizing, just trusting all the files they receive and passing them from subroutine to subroutine. What's more, these subroutines call on wildly out-of-date software with dozens – even hundreds – of known vulnerabilities.

For example, the version of ffmpeg that Cellebrite bundles in its products was last patched in 2012; and more than one hundred security updates have been released since then.

Marlinspike's investigation turned up other sources of shame and liability for Cellebrite, including pirated libraries from Apple's iTunes software, which he documents in detail.

Marlinspike intimates that he turned up more vulnerabilities than he enumerates in his analysis, but he is not making the kind of "responsible disclosure" to Cellebrite that is common among "white hat" security researchers.

Rather, he's made an offer to fully disclose his findings to Cellebrite only if they make a binding promise to engage in the same kinds of disclosures with the software they analyze – to pledge to help to patch bugs, rather than weaponizing them.

And in a move of pure petard-hoisting, Marlinspike describes a proof-of-concept attack on Cellebrite, a corrupted file that can execute code on the Cellebrite device that will alter all future and past reports, "with no detectable timestamp changes or checksum failures."

He says that these doctored files could corrupt Cellebrite data "at random, and would seriously call the data integrity of Cellebrite’s reports into question."

As proof of his proof-of-concept, Marlinspike includes a video (intercut with scenes from the classic movie HACKERS) in which a Cellebrite device slurps up files from an iPhone and then displays his victory message: "MESS WITH THE BEST, DIE LIKE THE REST. HACK THE PLANET!"

Marlinspike closes out the report by announcing some "completely unrelated news," that future versions of Signal will periodically pull functionally useless, "aesthetically pleasing" files and store them, inert, on users' devices.

The implication is that Marlinspike is now in possession of a vast trove of zero-day exploits for Cellebrite products, and he is seeding those exploits in the wild on hundreds of millions of devices, booby-trapping them should they ever be plugged into a Cellebrite device.

The further implication is that any Cellebrite customer who encounters one of these booby-traps in the wild will lose the ability to trust all the data they ever retrieved with a Cellebrite product, and will never be able to trust that product again.


A creepy eye with the Chrome logo in place of the pupil.

Fighting FLoC is compatible with fighting monopoly (permalink)

Google has announced a step to kill the third-party cookie, a source of enormous and pernicious privacy violations. This would be great news, except for the fact that Google is replacing it with FLoC, a way for Google (and Google alone) to track you around the web.

Predictably, privacy advocates are pissed off about this and crying foul, because Google's FLoC, while billed as a privacy-preserving technology, is just another way to violate your privacy.

Likewise predictably, the ad-tech industry is in a fury about this, claiming (correctly) that it is wildly anti-competitive.

Taken together, these two criticisms can make it seem like you can't be both pro-competition and pro-privacy, but that's not true.

The digital rights activists who talk about "competition" aren't interested in competition for its own sake – rather, we're concerned with competition only to the extent that it gives technology users more control over their lives, more technological self-determination.

We don't want competition to see which company can trick or coerce you into surrendering your fundamental human rights, in the most grotesque and humiliating ways at the least benefit to you.

Because there are easy ways for Google to have blocked third-party cookies without spying on us – they could have copied what Apple did with Safari, shutting out surveillance without adding in new surveillance.

There's a good reason to worry about Google's competition in ad-tech, just not the reason the ad-tech bottom-feeders who are up in arms about FLoC give (which is that they want to spy on us, too).

The reason to care about whether Google faces competition in ad-tech is that it runs these incredibly dirty, wildly profitable ad marketplaces, which it uses to gouge publishers and advertisers, and spreads the loot around to block privacy laws.

As is always the case with these seeming contradictions, they arise from looking at the situation from the companies' perspective, rather than from the public's perspective.

How can you cheer Apple for doing good on privacy while condemning Apple for gouging its app vendors like Hey? Easy – just think about the problem from the perspective of a person, not a giant corporation:

No one should ever make the mistake of thinking that a corporation is "good" – even the corporation that does consistent good today is liable to changes in ownership and management in the future that can drastically alter its conduct.

By all means, cheer the things that companies do, when they benefit the public – and condemn the things that do harm.

Always fight for the user, never for the system.

A laptop on a desk; the laptop's screen is filled with the glowing red eye of HAL 9000 from 2001.

EFF sues Proctorio over copyfraud (permalink)

Faced with remote learning, educators had to figure out what to do about high-stakes testing: a pedagogically bankrupt adversarial practice of measuring students' educational outcomes by testing their performance in a circumstance that they will never face in the real world.

It was an opportunity to rethink assessment and education. Instead, it was reinvented with the help of disciplinary technology grifters from the "remote invigilation" industry, who peddled spyware that claimed to be able to fight cheating by taking over students' computers.

In a crowded field of awful companies, one stands out as the worst: Proctorio, which uses digital phrenology to monitor students' faces while they take tests, setting them up for punishment for looking away while thinking, going to the bathroom, or throwing up from anxiety.

Their products are designed to be used by teachers to capture a 360° view of the students' test-taking environment, which penalizes poor students who share a room with others who may be asleep, undressed, or just wanting their privacy.

And woe betide the student who lives in a broadband desert and has to "attend school" from the parking lot of a local Taco Bell in order to get wifi, and who will therefore always flunk the test even before they start to write it.

Now, if you live in America and you have inadequate housing and broadband, you're disproportionately likely to be Black or brown, and Proctorio's there for you, ready to make a bad situation far worse.

Out of all the (terrible) facial recognition Proctorio could have used, it chose one of the worst, a notoriously "racist" algorithm so bad at parsing dark skin that children take their tests with ultra-bright lamps shining directly in their eyes.

Proctorio has seen its profits surge during the pandemic, but it doesn't act like a company riding a triumphant wave – rather, it behaves like a company that knows that its good fortune could disappear in an instant if its practices and defects were widely known.

How else to explain its conduct? Last summer, Proctorio CEO Mike Olsen personally entered a Reddit forum to dox a child who criticized his software:

Not long after, the company filed a suite of meritless suits against Ian Linkletter, a Canadian educator who linked to the company's publicly accessible training videos as part of the debate about the use of the technology at his university.

In September, Proctorio attacked another student: Erik Johnson, a security and privacy researcher enrolled at Miami University.

The company filed a bogus copyright claim to remove a thread Johnson posted, pointing out the contradictions between Proctorio's public statements and its products' actual functionality:

It was a highly detailed, cogent thread and it contained small excerpts of Proctorio source code to backstop the extremely damning critical claims it made.

These snippets are clearly fair use, but the company used a copyright claim in a bid to censor a(nother) critic.

As it turns out, this is illegal. The DMCA – for all its failings – contains a clause prohibiting this kind of abuse. The clause hasn't gotten much of a workout since the law was passed in 1998, but one organization has managed to make it stick, in a big way: EFF.

In 2018 EFF got justice for Stephanie Lenz, a mom whose video of her adorable dancing toddler was illegally censored by Universal Music Group.

In other words, EFF not only has managed to wield this underutilized part of the DMCA – they wielded it against a titan.

Now, EFF has announced that it's fighting for Erik Johnson, filing suit in Arizona against Proctorio for engaging in copyright abuse to censor a critic.

"We’re asking the court for a declaratory judgment that there is no infringement to prevent further legal threats and takedown attempts against Johnson for using code excerpts and screenshots to support his comments." -EFF attorney Cara Gagliano

"Software companies don’t get to abuse copyright law to undermine their critics. Using pieces of code to explain your research or support critical commentary is no different from quoting a book in a book review."

(Image: Cryteria, CC BY, modified)

This day in history (permalink)

#15yrsago RIAA sues family that doesn’t own a PC

#1yrago Disney heiress slams top execs' compensation

#1yrago Unmasking the registrants of the "reopen" websites

#1yrago Web-wide copyright filters would be a disaster

Colophon (permalink)

Currently writing:

  • A Little Brother short story about pipeline protests. RESEARCH PHASE

  • A short story about consumer data co-ops. PLANNING

  • A Little Brother short story about remote invigilation. PLANNING

  • A nonfiction book about excessive buyer-power in the arts, co-written with Rebecca Giblin, "The Shakedown." FINAL EDITS

  • A post-GND utopian novel, "The Lost Cause." FINISHED

  • A cyberpunk noir thriller novel, "Red Team Blues." FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: Past Performance is Not Indicative of Future Results

Upcoming books:

  • The Shakedown, with Rebecca Giblin, nonfiction/business/politics, Beacon Press 2022

This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla