Pluralistic: 27 Jul 2021

Today's links

The crowd at a 2013 M.I.A. concert at the Mayan Theater in Los Angeles. Photo by Gavin Edwards.

What would a live concert album sound like with all the songs taken out? (permalink)

I've known Gavin Edwards for decades, and watched him produce a string of weird and imaginative and wholly successful projects, from his books of "mondegreens" (misheard lyrics) to his definitive biography of Mr Rogers:

Back in 1995, Gavin was seized by a weird (and very nineties) impulse: he created a mixtape called "Having Fun On Stage With Everybody," consisting of all the stuff from canonical concert albums except the music.

Tuning, jokes, banter, emcees exhorting audiences to welcome this band or that to the stage. Gavin figured the natural audience for this odd project was two people – specifically two friends who got off on the same weird audio adventures as he did.

But a quarter-century later, Gavin is prepared to believe that the vast and variegated internet might have an audience of still more people for this audio adventure, so he's digitized it and posted it to the internet:

It's mirrored to Bandcamp, Soundcloud and the, Internet Archive, licensed under a CC license. This is kinda confusing – he's chosen a ND license, but says "you’re free to slice it up or use it for your own purposes."

More importantly, all this stuff is not his copyright to CC – instead (as he points out), it's a glorious exercise in fair use and transformative works.

The insides of Edward Snowden's phone, prior to surgical removal of mics, etc.

The infosec apocalypse is nigh (permalink)

When the Pegasus Project dropped last week, it was both an ordinary and exceptional moment. The report – from Amnesty, Citizenlab, Forbidden Stories, and 80 journalists in 10 countries – documented 50,000 uses of the NSO Group's Pegasus malware.

The 50,000 targets of NSO's cyberweapon include politicians, activists and journalists. The Israeli arms-dealer – controlled by Novalpina Capital and Francisco Partners – has gone in to full spin mode.

NSO insists that the report is wrong, but also that it's fine to spy on people, and also that terrorists will murder us all if they aren't allowed to reap vast fortunes by helping the world's most brutal dictators figure out whom to kidnap, imprison and murder.

As I say, all of this is rather ordinary. The NSO Group's bloody hands, immoral practices and vicious retaliation against critics are well established.

It's been four years since NSO's assurances that it only sold spying tools to democratic states to hunt terrorists were revealed as lies, when Citizenlab revealed that its weapons targeted Mexican anti-sugar activists (and their children).

Then Citizenlab found 45 more countries where NSO's Pegasus weapon had been used, and demonstrated that notorious human-rights abusers got help from NSO to target everyday citizens to neutralize justice struggles.

Outside of human rights and cybersecurity circles, the story drew little attention, but it did prick NSO's notoriously thin skin – the company dispatched (inept) private spooks, late of the Mossad, to entrap Citizenlab's researchers.

As far as we know, the company never managed to infiltrate any of Citizenlab's systems – but their weapons were found on the devices of an Israeli lawyer suing them for their role in human rights abuses.

That had some consequences. The attack exploited a vulnerability in Whatsapp, owned by Facebook. FB retaliated by suing – and terminating NSO Group employees' Facebook accounts. Judging from NSO's outraged squeals, getting kicked of FB hurt far worse.

Through it all, the NSO Group insisted that its tools were vital anti-terror weapons – not the playthings of rich sociopaths with long enemies lists.

They continued these claims even after Pegasus was linked to the blackmail attempt against Jeff Bezos, in a bid by Saudi royals to end the Washington Post's investigative reporting on the murder and dismemberment of the journalist Jamal Khashoggi.

Despite all this – attacks on the powerful and the powerless, grisly deaths and farce-comedy entrapment attempts – NSO Group plowed on, raking in millions while undermining the security of the devices that billions of us rely on for our own safety.

Until now.

Something about the Pegasus Project shifted the narrative. Maybe it's the ransomware epidemic, shutting down hospitals, energy infrastructure, and governments – or maybe it's the changing tide that has turned on elite profiteers. Whatever it is, people are pissed.


I mean, when Edward Snowden calls for the owners of a cybercrime company to be arrested, people sit up and pay attention. But Snowden's condemnation of NSO and its industry are just for openers.

Snowden describes NSO as part of an "Insecurity Industry" that owes its existence to critical vulnerabilities in digital devices in widespread use. They spend huge sums discovering these vulns – and then, rather than reporting them so they can be fixed, they weaponize them.

As Snowden points out, this is not merely a private sector pathology. Governments – notably the US government, through the NSA's Tailor Access Operations Group – engage in the same conduct.

Indeed, as with all digital surveillance, there's no meaningful difference between private and public spying. Governments rely on tech and telecoms giants for data (which they buy, commandeer, or steal, depending on circumstances).

This, in turn, creates powerful security/public safety advocates for unlimited commercial surveillance, to ensure low-cost, high-reliability access to our private data. Those agencies stand ready to quietly scuttle comprehensive commercial privacy legislation.

This private-public partnership from hell extends into the malware industry: the NSA and CIA can't, on their own, create enough cyber-weapons to satisfy all government agencies' demand, so they rely on (and thus protect) the Insecurity Industry.

But as Snowden points out, none of this would be possible were it not for the vast, looming, grotesque tech-security debt that the IT industry has created for us. Everything we use is insecure, and it's built atop more insecure foundations.

We live in an information society with catastrophic information security. If our society was a house, the walls would all be made of flaking asbestos and the attic would be stuffed with oily rags.

It's hard to overstate just how much risk we face right now, and while the Insecurity Industry didn't create that risk, they're actively trying to increase it – finding every weak spot and widening it as far as possible, rather than shoring it up.

It's a cliche: "Security is a team sport." But I like how Snowden puts it: security is a public health matter. "To protect anyone, we must protect everyone."

Step one is "to ban the commercial trade in intrusion software" for the same reason we "do not permit a market in biological infections-as-a-service."

We should punish the cyber-arms dealers – but also use international courts to target the state actors who pay them.

But this fight will be a tough one. The huge sums that governments funnel to cyber arms-dealers allows them to silence their critics – I've been forced to remove some of my own coverage thanks to baseless threats I couldn't afford to fight.

Writing in today's Guardian (who also removed unfavorable coverage of NSO Group following legal threats), Arundhati Roy demolishes the company's claims of clean hands.

After all, NSO charges a 17% "system maintenance fee" that gives them oversight and insight into how their tools are being used by the demagogues and dictators who shower them with money.

"There has to be something treasonous about a foreign corporation servicing and maintaining a spy network that is monitoring a country’s private citizens on behalf of that country’s government." -Roy

The NSO Group claims that the human rights abuses it abets are exceptions that slip through the cracks, but the reality is, it has no business model without state terror – without powerful thugs who demand weapons to help jail, torture and kill their critics.

NSO, more than anyone, should know this. But as Upton Sinclair wrote, "It is difficult to get a man to understand something when his salary depends upon his not understanding it."

This day in history (permalink)

#20yrsago New "Chilling Effects" project tracks online takedowns

#15yrsago Billy Bragg gets MySpace’s terms of service changed

#10yrsago Glenn Beck compares murdered Norway campers to “Hitler Youth”

#5yrsago Pro-tar-sands activists say dirty Canadian oil is better because “lesbians are hot”

#5yrsago Highest-paid CEOs generate lowest shareholder returns

#5yrsago Olympics to companies: mentioning “Olympics” in social media is a trademark violation

#5yrsago Photographer sues Getty Images for $1B because they’re charging for pix she donated to LoC

#1yrago NYPD disciplinary records

#1yrago My HOPE 2020 talk

#1yrago Constitution Illustrated

Colophon (permalink)

Today's top sources: Naked Capitalism (

Currently writing:

  • Spill, a Little Brother short story about pipeline protests. Yesterday's progress: 318 words (11367 words total)

  • A Little Brother short story about remote invigilation. PLANNING

  • A nonfiction book about excessive buyer-power in the arts, co-written with Rebecca Giblin, "The Shakedown." FINAL EDITS

  • A post-GND utopian novel, "The Lost Cause." FINISHED

  • A cyberpunk noir thriller novel, "Red Team Blues." FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: Tech Monopolies and the Insufficient Necessity of Interoperability
Upcoming appearances:

Recent appearances:

Reset the Internet? (Project Syndicate)

Latest book:

Upcoming books:

  • The Shakedown, with Rebecca Giblin, nonfiction/business/politics, Beacon Press 2022

This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Newsletter (no ads, tracking, or data-collection):

Mastodon (no ads, tracking, or data-collection):

Medium (no ads, paywalled):

(Latest Medium column: "Now you’ve got two problems," part three of a series on themepark design, queing theory, immersive entertainment, and load-balancing.

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla