Pluralistic: 18 May 2021


The Windows keyboard selection dialog.

A simple, incomplete ransomware defense

A truism in security is "attribution is hard." It's really hard to know who hacked you, first, because it's easy to deflect suspicion by leaving false clues, and second, because the bar for hacking even big, critical systems is so low.

The ransomware epidemic has been raging for years now, and it's quite a tangle. It includes idiots who download (or pay for) some off-the-shelf malware and turn it loose on whatever systems they can find, who don't even know who they've hacked.

It includes sophisticated crime-gangs with high degrees of specialization: tooling, payment processing, even "customer service" for victims who can't figure out how to buy cryptocurrency to pay their ransoms.

It includes state actors, who often pretend to be bungling idiots while infecting the systems of national adversaries – sometimes, they use fake ransomware that irretrievably trashes the target system, then claim to be too incompetent to recover them.

And it includes all kinds of hybrids, like "state-sponsored" hackers (private criminal orgs on governmental payrolls) as well as state-tolerated "cyber-patriot militias" (high-tech mall ninjas who hack out of a sense of patriotic duty).

This combination of adversaries accounts for the more bizarre ransomware turns, like the ransomware gang Darkside, who seized the Colonial Pipeline's billing systems (sparking petrol hoarding in the American south).

The criminals then apologized for their crime, saying that they were just trying to do crime, not create a geopolitical incident. Then they posted that they, themselves, had been hacked and lost control of their malware and the ransom they'd collected (!).

It's not the first time that bad guys have pulled off a successful attack against a major target, only to react with public shame and horror at who they'd actually targeted – they're like muggers who discover that they just stuck up the Chairman of the Joint Chiefs of Staff.

All this may explain why there is an easy way to protect yourself from many strains of ransomware: install the Russian keyboard option in your Windows system.

As Brian Krebs explains in his post, Russian authorities are pretty tolerant of hackers who target foreigners, but are notoriously tetchy if someone in their jurisdiction hits a Russian business (or worse, major government installation) for ransom.

Russian (and regional) malware gangs who want to avoid retaliation from powerful Russian security agencies have programmed their malware to check for the presence of a Russian (or other Cyrillic) keyboard in the system, and, if they find it, to leave the system untouched.

It's like the climax of the Passover story, except for malware and authoritarian security agencies!

Krebs is at pains to point out that there's plenty of malware this won't work on, and there are already strains of Darkside-associated malware that don't perform this check.

But it's a simple step you can take right now, for free, that will not impede your use of your system in any way.

Here's how: "Hit the Windows and X at the same time; select Settings, then 'Time and Language.' Select 'Language,' scroll to the option to install another character set. Pick one, then reboot. If you need to toggle between languages, tap Windows+space."

Alternatively, here's a two-line batch script that does it, from Lance James of Unit221b.
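
The same change made from PowerShell instead of the Settings dialog, as an added example: it is not Lance James's batch script (which is not reproduced on this page) and not code from Krebs's post. The function names and the choice of the `ru-RU` tag are assumptions of the example; `Get-WinUserLanguageList` and `Set-WinUserLanguageList` are built-in cmdlets on Windows 8 / Server 2012 and later.

```powershell
# Added example: audit and, if needed, add a Russian input language for the
# current user. Function names are hypothetical; the cmdlets come from the
# built-in International module.

function Test-InputLanguagePresent {
    # True if any installed language tag equals or starts with one of the prefixes.
    param([string[]]$TagPrefix = @('ru'))
    foreach ($lang in (Get-WinUserLanguageList)) {
        foreach ($prefix in $TagPrefix) {
            if ($lang.LanguageTag -eq $prefix -or $lang.LanguageTag -like "${prefix}-*") {
                return $true
            }
        }
    }
    return $false
}

function Add-InputLanguage {
    param([string]$Tag = 'ru-RU')
    $list = Get-WinUserLanguageList
    # Append rather than prepend: the existing first entry stays the primary
    # language, so day-to-day typing is unchanged.
    $list.Add($Tag)
    Set-WinUserLanguageList -LanguageList $list -Force
}

if (Test-InputLanguagePresent) {
    Write-Output 'Russian input language already installed.'
} else {
    Add-InputLanguage
    Write-Output 'Added ru-RU; reboot as in the steps above.'
}

# Show what is now configured, including the keyboard layout IDs.
Get-WinUserLanguageList | Format-Table LanguageTag, InputMethodTips -AutoSize
```

The language list is stored per user account, so run it in each account you want covered.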

This is a neat, self-contained parable about measures, countermeasures, and counter-countermeasures. Earlier malware refused to infect computers running virtual machines, as their authors sought to avoid analysis by security researchers.

Today, that rarely works.

Installing a keyboard associated with Russia or the Commonwealth of Independent States works for now. It probably won't for long.

Ultimately, we need more security competence in Windows design, to raise that low bar and exclude (at least) the dimmest dimbulbs.

A comic-book drawing of a giant grim reaper bringing down a scythe on a crowd of writhing people; the reaper's empty black hood has been filled with the CHS logo. Perched insouciantly on the scythe is a miniature old-timey editorial cartoon of a 'fat-cat' business-man with a money-bag for a head.

Community Health Services sued its way through the pandemic

Last Jan, Northwell Health was the subject of a viral New York Times story about the thousands of patients it had sued over medical debt, in the midst of a pandemic. The publicity was so bad that the company abandoned its legal campaign of terror.

But not every bloated, financialized hospital chain got the message. The massive chain Community Health Systems has long been addicted to suing the shit out of its patients, and the pandemic didn't change that.

CHS's financial crimes are investigated in a must-read CNN story by Casey Tolan. While the company insists that it doesn't sue poor patients over their medical debts, Tolan debunks this claim, revealing the cruel and ugly lengths CHS has gone to during the pandemic.

CHS is a kind of poster child for the idiocy of financializing the health care system. For years, its corporate owners have pursued profit through endless, disastrous mergers that have left it saddled with debt and resulted in the closure of many community hospitals.

Every year, CHS lost money…until 2020. That's the year that fed and state governments gave it $705m in pandemic-related aid and millions more in forgiven loans.

CHS turned its first profit – $511m – last year.

But much of that money was spoken for in advance, because its top execs took home multimillion-dollar "performance bonuses" for having the genius strategy of getting a gigantic bailout for their stupid, bungling, unwieldy chimera of a hospital chain.

Small wonder, then, that CHS – already notorious as one of the country's worst medical debt chasers – stepped up its collection lawsuits against sick, unemployed and terrified people.

Despite the company's policy of not suing people who lost their jobs during the pandemic, nor those earning less than 200% of the national poverty line, CHS did just that, repeatedly – and then blamed its victims for not filing the right paperwork.

But again, the record is replete with CHS customers who mailed letters and made phone calls begging the hospital not to sue. CHS filed at least 24,000 lawsuits in 2020. Experts call CHS "among the most litigious" of all US hospital chains.

CNN spoke to many of CHS's victims, like Richard Piper, who earns $525/week and supports two daughters and several grandchildren. He was ordered to pay CHS $34,894 in medical debt, as well as $3500 in legal fees to CHS's lawyers.

CHS sued an unnamed Oklahoma woman who, laid off, begged them to stop trying to collect the $781 she owed because if she paid it, she would end up homeless. CHS prevailed, and the court nearly doubled that debt by tacking on court and legal fees.

CHS sued Jennifer Alegria – a single mom with two daughters who works as a chef – to recover $146000 from her double mastectomy. Alegria earns less than $40k/year.

When CHS wins its lawsuits, it typically moves swiftly to place liens on its victims' homes and garnish their wages. Those wages are typically sub-poverty to begin with: the most common employer for a CHS victim is…Walmart.

When CHS trumpeted its profitable year to shareholders, it also warned that it expected to lose some of its debt-collection revenue, thanks to "a deterioration in the collectability of patient accounts…as the result of adverse economic conditions arising from the pandemic."

CHS warned shareholders about "a deterioration in collectibility" because debt is central to its strategy.

For example, after acquiring St Petersburg, FL's oldest hospital, Bayfront, it realized it had made a mistake and quickly sold the hospital off.

But CHS retained Bayfront's debts, and continues to sue patients who owe money for treatment in a hospital it no longer owns.

CHS bought and then shuttered Shands Lake Shore Regional Medical Center, the only hospital in Lake City, FL. Though the hospital is long gone, its doctors and nurses fired, CHS continues to employ its debt-collection department, which sued 86 patients during the pandemic.

CHS's long run of idiotic mergers has left it with $7.6b in debt. In business terms, this is a company in a persistent vegetative state with no hope of recovery. The cruel and extraordinary measures it has pursued to stave off death – suing patients – are doomed.

Suing over debts as small as $201 (!) will not save this dying business. What's more, CHS's indiscriminate legal harassment is creating more liabilities: when CHS patients can afford to hire lawyers to represent them, they "win their cases fairly easily."

CHS's debt collection depends on attacking people who can't afford to defend themselves, in other words.

Take Jeffery Turgeon, who owes CHS $20,784, who petitioned the company for mercy with a handwritten letter on notebook paper.

He now owes the full amount, plus $180 in court costs. He's paying $100/month. It would take 17 years to pay the debt at that rate – but thanks to the 8% interest, the payments will stretch on for years after that.

Turgeon's fiancee Jennifer Matheson lost her hospice job during the pandemic. They can no longer afford even such small pleasures as taking their children to McDonald's.

CHS was once the largest hospital chain in America. It's still in the top ten. It has bought and destroyed hospitals across the country, paid millions to its executives, and sued the shit out of its patients.

Tell me again about how the private sector does a great job running the health-care system?

A medieval tapestry illustration of an overseer forcing peasants to grub in a field. The overseer's clothes have been replaced by the original Apple logo color-stripes, and the illustration is captioned with the 'Think different' Apple wordmark.

Apple's complicity in Chinese state oppression

Bruce Schneier coined "feudal security" to describe the dominant Big Tech security model, in which you surrender your autonomy by moving into a warlord's fortress (Google, Apple, Facebook, etc) and in return get protection from the bandits that roam the badlands without.

The historian Stephen Morillo pointed out that this is more like "manorialism" than "feudalism." As I wrote in January, digital manorialism works well (if the warlord wants the same thing as you) but fails badly (if they decide to sell you out).

Google wants to kill third party cookies to protect you from randos doing tracking and targeting – but it wants to retain the ability to nonconsensually track and target you on its own.

Facebook promises to defend you from the next Cambridge Analytica, but it threatens to sue academics who scrape its political ads to see whether it's really living up to its promises to fight paid political disinformation.

Apple has rolled out the most significant consumer privacy tech in decades, changing the defaults on iOS products so that if you don't give your explicit consent, no one is allowed to track you (surprise: no one gave consent!).

Apple is 100% committed to protecting its users from commercial surveillance. But it's also 100% committed to accessing the Chinese market and maintaining its Chinese manufacturing. Warlord Apple will defend you from ad-tech bandits, but not the People's Liberation Army.

That's why Apple valiantly, laudably fought the FBI's demands to back-door its OS to gain access to the San Bernardino shooters' iPhones, but rolled over when the Chinese government ordered it to remove all working VPNs from the App Store.

It's why Apple took good, brave stands on human rights in the US, fighting gender and racial discrimination in important ways but continues to manufacture devices with Chinese contractors like Foxconn, one of the most egregious human-rights manufacturers in the world.

Now, in an explosive NY Times investigation, Jack Nicas, Raymond Zhong and Daisuke Wakabayashi accuse Apple of giving the Chinese state effectively unfettered access to user-data, directly contradicting the claims of Apple CEO Tim Cook.

The Times reporters say that this data isn't just used to invade Chinese users' privacy, but also to fine-tune Chinese state censorship, helping guide government operatives' choices about which apps to censor and how.

This has resulted in the removal of "tens of thousands of apps… foreign news outlets, gay dating services and encrypted messaging apps…tools for organizing pro-democracy protests and skirting internet restrictions, as well as apps about the Dalai Lama."

This is true of all firms doing business in China. The choice to do business there is the choice to be complicit in ghastly human rights abuses. But there are two ways in which Apple's participation is different.

First, there is its carefully cultivated "Cult of Mac" identity that paints it as an "ethical" company whose paternalistic controls are part of a commitment to serving its users.

This has created a vast cyber-militia of Apple fans who consider themselves members of an oppressed religious minority and who lash out at anyone who criticizes the company as a "hater" (see, for example, the replies to this thread on Twitter).

And second, Apple arrogates to itself more control over its users and their devices than its rivals, asserting the right to block Apple device owners from making their own choices about which software to run, where to get their devices repaired, and even which parts to use.

Apple has distorted copyright, patent, trademark and import law to accomplish this control.

There's an army of defenders who'll simp for Apple on this.

They oscillate between claims it's all for the good of Apple customers, and claims that people who own Apple devices but don't want to use them according to Apple's corporate dictates "shouldn't have bought Apple products."

The Apple version of the No True Scotsman fallacy is the most creepily cultish thing that Apple's self-appointed street-team do, especially in light of these latest China revelations.

Apple acts on behalf of its customers when that means acting on its own behalf. Apple – like the other warlords – cares ultimately about its shareholders, and if its shareholders' interests diverge from its customers, the shareholders will always win.

That's true of every tech firm, but only Apple has built an "ecosystem" – a great walled fortress that keeps the bandits out when Apple wants to, but once Apple lets them in, it keeps Apple's customers from escaping.

The title-card from Sumana Harihareswara's Github talk, 'What Would Open Source Look Like If It Were Healthy?'

What Would Open Source Look Like If It Were Healthy

"What Would Open Source Look Like If It Were Healthy?" That's the question Sumana Harihareswara set out to answer in her Github talk in March – a talk that considers FLOSS in the broadest possible terms and still makes specific, concrete proposals.

Harihareswara starts with the obvious proposition that "open source" can't be healthy if the programmers who create it aren't healthy, and draws a link between basic income, child care and universal health care and the health of open source.

She also points out that the "health" of open source has been systematically poisoned by harassment, misogyny and racism, and names people who were driven out of OSS because of their gender and race – as well as people like Aaron Swartz, hounded to death by the FBI.

From there, Harihareswara embarks on three speculative narratives in which "user personas" – a common tool among software developers and product managers seeking to understand how to suit their work to its eventual users – are explored.

The first is the story of a new kind of community nonprofit, one that goes beyond the idea of "learn to code" and specifically engages with underserved communities to help them develop their own technical infrastructure that suits their own needs.

This nonprofit, based on the Australian Data Science Education Institute, works with formerly incarcerated people before and during re-entry, helping them start a project that maps automatic defibrillators in their community, and identifies AED deserts.

The project is boring, at a technical level, but it can have a profound effect on its community, and its real-world salience makes it a fantastic training exercise. Harihareswara describes the tooling that allows a small number of experts to support this community.

The next persona is "Paula," a DMV data-entry clerk who, thanks to her union and new procurement rules for DMVs, ends up working on an OSS replacement for the bloated, terrible software that state DMVs use across the country.

Paula goes from user to contributor to co-maintainer, and her story reveals how good labor practices, good governance and good community norms are essential to spreading open methodologies to the places they're most needed.

The final persona is "Sean," the maintainer of a project to integrate Drupal with Instagram, who is facing burnout. Rather than being given destructive "productivity" advice to let him stave off his inevitable collapse, Sean is given a graceful way to step down from his role.

This graceful method requires user- and developer-based democratic governance of OSS projects, and includes both novel tooling for decision-making, novel norms in accepting that most projects will eventually wind down, and new roles in the form of "wind-down" specialists.

Throughout the talk, Harihareswara skilfully weaves tooling with social impact, norms with technology, ethics with practice. The Q&A is fascinating as well. The whole talk is available as a video and in edited transcript.

This day in history

#15yrsago Audio from Bruce Sterling’s “Arphid nor RFID” rant

#15yrsago Cops raid “sex slave cult” based on science fiction novels

#10yrsago List of economists involved in violent sex crimes, for Ben Stein

#5yrsago Elsevier buys SSRN

#5yrsago We Stand on Guard: in 100 years, America seizes Canada for its water

#1yrago US insurers say paying for pandemic treatment is "selfless"

#1yrago Deliveroo, without Deliveroo

#1yrago Restaurateur wreaks algorithmic vengeance upon Doordash

Colophon

Today's top sources: Naked Capitalism (

Currently writing:

  • Breach, a Little Brother short story about pipeline protests. Yesterday's progress: 329 words (753 words total).

  • A short story about consumer data co-ops. PLANNING

  • A Little Brother short story about remote invigilation. PLANNING

  • A nonfiction book about excessive buyer-power in the arts, co-written with Rebecca Giblin, "The Shakedown." FINAL EDITS

  • A post-GND utopian novel, "The Lost Cause." FINISHED

  • A cyberpunk noir thriller novel, "Red Team Blues." FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: How To Destroy Surveillance Capitalism (Part 06)

Upcoming books:

  • The Shakedown, with Rebecca Giblin, nonfiction/business/politics, Beacon Press 2022

This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla