Pluralistic: 23 Apr 2021




The Eliminalia splashpage, reading We erase your past and help you build your future.

Laundering torturers' reputations with copyfraud

The wildest forensic stories are the ones where you pull at a loose thread and discover that you've got hold of the tip of the tentacle of some kind of cthulhoid monster from the depths of hell. That's the story of Eliminalia, global fraudsters for hire.

The story starts with Qurium, a secure hosting provider that focuses on at-risk civil society groups, the kinds of people who piss off dictators with their own snatch-squads they can use against their enemies.

Two of Qurium's clients are Maka Angola and The Elephant, who had done extensive reporting on corruption in Angola related to Isabel dos Santos ("Africa's richest woman") and Vincent Miclet ("the Gatsby of Africa").

https://www.qurium.org/forensics/dark-ops-undercovered-episode-i-eliminalia/

These articles attracted a flood of fraudulent copyright notices claiming the articles were infringing, as well as fraudulent GDPR notices claiming they violated EU privacy law. The letters were signed by fake lawyers, with whom Qurium struck up quite a correspondence.

Qurium also engaged in digital forensics. They found that the fraudsters had created lookalike websites that purported to be news sites and had plagiarized the real sites' articles, back-dating them so it looked like the real sites had copied them.

This is an exotic, but not unheard-of, tactic for censoring the internet, and it's the kind of thing that generally works well.

"Notice-and-takedown" laws like Section 512 of the US Digital Millennium Copyright Act exempt web-hosts from copyright liability if they "expeditiously remove" content upon notification.

Web-hosts might do a little sleuthing to make sure the notice passes the giggle-test (checking to see if there's an earlier, identical article, say) but they're unlikely to do any real forensic work before removing content, and if there's any doubt, they'll take it down.

This back-dating scam was augmented by filing false registrations with Safe Creative, a Spanish copyright registry, to give the fraudulent representations a sturdiness that would survive secondary investigations.
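The date check a host might run on such a notice, made harder to fool, as an added example that is not from the original post or from Qurium: it ranks the two copies by dates a third party recorded rather than by the dates the pages display. The `Copy` fields, the 90-day threshold and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

MAX_CAPTURE_LAG_DAYS = 90  # assumed threshold; tune to how often archives crawl the site


@dataclass
class Copy:
    """Evidence a host can collect about one copy of a disputed article."""
    url: str
    displayed: date                 # date printed on the page (publisher-controlled)
    domain_registered: date         # from a WHOIS/RDAP lookup
    first_archived: Optional[date]  # earliest third-party capture, None if never captured


def red_flags(c: Copy) -> List[str]:
    """Signs that a copy's displayed date is not backed by independent evidence."""
    flags = []
    if c.displayed < c.domain_registered:
        flags.append("displayed date predates domain registration")
    if c.first_archived is None:
        flags.append("no independent capture of this copy")
    elif (c.first_archived - c.displayed).days > MAX_CAPTURE_LAG_DAYS:
        flags.append("first independent capture long after displayed date")
    return flags


def assess_notice(claimed_original: Copy, accused: Copy) -> Tuple[str, List[str]]:
    """Compare priority using third-party dates, never the dates the pages display."""
    flags = red_flags(claimed_original)
    c, a = claimed_original.first_archived, accused.first_archived
    if a is not None and (c is None or a < c):
        flags.append("accused copy is independently attested first")
    return ("escalate" if flags else "routine"), flags


# Constructed sample data: hostnames and dates are invented for illustration.
ACCUSED = Copy("https://news.example.org/report", date(2018, 3, 10),
               date(2009, 5, 1), date(2018, 3, 12))
LOOKALIKE = Copy("https://daily-news.example.net/report", date(2018, 2, 1),
                 date(2020, 6, 15), date(2020, 7, 1))
GENUINE = Copy("https://paper.example.com/report", date(2018, 1, 5),
               date(2010, 1, 1), date(2018, 1, 6))

if __name__ == "__main__":
    for claimant in (LOOKALIKE, GENUINE):
        verdict, why = assess_notice(claimant, ACCUSED)
        print(claimant.url, verdict, why)
```

A flag is a reason to ask the complainant for proof before removing anything, not proof of fraud in itself: a genuine but obscure page may never have been archived.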

Qurium is exceptional in its censorship-resistance specifically because they host high-risk content for NGOs and civil society groups whom ruthless, powerful people want to censor in order to protect their reputations.

In fact, Qurium is doubly exceptional, because they didn't just ignore the takedown demands – they also dug through the headers of the emails and found themselves tugging at a thread that turned out to be a tentacle of a horrific monster.

Specifically, they found themselves unraveling the "Eliminalia" network, a grid of 300+ fake newspaper sites that exist entirely as part of a commercial reputation-laundering service that purges the web of damning evidence of terrible crimes.

Exploring this collection of fake sites, Qurium was able to group Eliminalia's clients into six thematic areas:

I. People who committed business and financial fraud, including surgeons who maimed their patients and fake universities who suckered would-be students.

II. Finance corruption, including money laundering.

III. Sexual abusers and harassers.

IV. Organized crime figures and groups.

V. Environmental crimes.

VI. Human rights violations.

Naturally, the Eliminalia fraud service also operates a vast botnet of Twitter and other social media accounts that help to suppress certain news stories for their clients.

All this begs the question, who is behind Eliminalia? Its corporate entities are registered in Spain (Eliminalia 2013 SLU), in Florida (Maidan Holding/Eliminalia USA LLC) and in Ukraine. All of these entities list "Diego (Didac) Sanchez Jimenez/Gimenez" as a director.

A separate entity called "World Intelligence Ltd" – a UK company also registered to Sanchez – runs the 300+ cloned news websites with plagiarized articles sporting doctored timestamps.

https://find-and-update.company-information.service.gov.uk/company/11095218/officers

The syndicate's fraudulent legal demands are sometimes signed by "Raul Soto" of "Legal Department of the Brussels EU Commission" (the address given is a "virtual office" location near a real EU Commission building).

They send these fraudulent emails using ohv.fr servers, from the "abuse-report.eu" domain.

But that's just for starters. Things really get gnarly in Qurium's followup post:

https://www.qurium.org/forensics/dark-ops-undercovered-episode-ii-eliminalia-analysis-of-fake-dmca-complaints/

That's where the investigators describe what they found when they plugged all this intel into the Lumen Database of takedown notices and legal threats. These are pretty hair-raising.

For example, Eliminalia worked to remove articles from a Chilean website that identified doctors who worked in the dictator Augusto Pinochet's torture program.

Advocates for strong copyright and privacy protection have pointed to notice-and-takedown as a workable compromise, an alternative to the lengthy court processes that would be required to get content removed from an offline source, such as a bookstore.

But while notice-and-takedown may work well, it fails very, very badly. Torturers, mafiosi, corrupt officials and scammers can use these same expedited, low-evidence systems to remove material that truthfully describes their crimes.

This was – and is – the utterly foreseeable outcome of a "streamlined" process for censoring content without due process. It's a lucrative business that produces enough surplus capital to support full-time professionals who do nothing but find ways to game the system.

Today, we hear calls for an expansion of notice-and-takedown, often to remove content that I personally want to see obliterated: Holocaust denial, hate speech, etc.

But each one of these exceptions to hard-fought-for due process protections for speech inevitably ends up swallowing the rule. Full-time Nazis have all day to figure out how to use these rules to get evidence of their bad acts removed, while the survivors of their bad acts struggle to master the arcane process for having their truth restored to the internet.



A handwritten 2017 memo commemorating the Foxconn deal, on then-Wisconsin governor Scott Walker's letterhead, listing the job creation at 13,000, the investment at $10b, and the cost to the state of Wisconsin at $3b.

Foxconn's Wisconsin death-rattle

No one epitomizes the hollowness of the pose of the "hard-nosed businessman" better than Scott Walker, the union-busting thug who, as governor of Wisconsin, signed up to give away $3b to the Taiwanese electronics giant Foxconn, who promised a massive new factory.

This was an obviously bad deal right from the start. For literally decades, Foxconn had been tricking rubes like Walker into handing over vast public subsidies for electronics plants that were then drastically scaled down, or canceled altogether.

https://www.nakedcapitalism.com/2017/08/foxconns-con-seeking-whopping-subsidies-for-wisconsin-michigan-manufacturing-jobs-if-they-happen.html

Animation outtake from the Simpsons Monorail episode. Lyle Lanley is dragging two briefcases overflowing with cash while Lisa shouts down from an overpass: "Mr Lanley, aren't you gonna ride the monorail?"

But Walker – presently joined by Trump – didn't care. All he cared about was being able to maintain the pretence that "business-friendly" policies (smashing unions, eliminating worker protections) would attract "investment" that would make everyone better off.

The public subsidy promised to Foxconn kept on growing, rising to nearly $5b, even as Foxconn reneged on its promises, eventually refusing to say what kind of factory – if any – it would build.

https://www.theverge.com/2019/12/13/21020885/foxconn-wisconsin-deal-renegotiate-tax-subsidy-lcd-factory-plant

Foxconn kept up the pretense of activity, though. At one point, it used all that public subsidy money to buy up or rent out a bunch of Wisconsin's nicest urban buildings and announced that they would be "innovation centers," which sat, empty.

https://www.theverge.com/2019/4/10/18296793/foxconn-wisconsin-location-factory-innovation-centers-technology-hub-no-news

Periodically, the company would announce that these innovation centers were now thriving, filled with Wisconsin startups that would plug into the Foxconn commercial/manufacturing ecosystem, but…they were still empty.

https://www.theverge.com/2019/5/13/18565408/foxconn-wisconsin-innovation-centers-factories-empty-tax-subsidy

All of this commercial theater kept the deal alive, kept the subsidy money flowing, and served as a convincer as Foxconn sought out other suckers who'd hand it more public subsidy on the promise of a plant in their out-of-the-way town.

https://pluralistic.net/2020/04/12/mammon-worshippers/#scott-at-at-walker

This is the real "art of the deal." Foxconn let Trump and Walker run around, claiming to have brought manufacturing back to America, even as it floated trial balloons like, "What if we scrap the factory and instead export Wisconsin dairy to China?"

https://pluralistic.net/2020/10/23/foxconned/#foxconned

Walker eventually lost his job to Tony Evers, who commissioned an independent investigation to see what parts of the massive Foxconn deal could possibly be salvaged. The auditors' conclusion was that none of it was viable. None of it.

https://www.theverge.com/2019/8/6/20747166/wisconsin-foxconn-deal-state-report-lcd-factory-innovation-centers

But all this came years after Walker's administration and Racine County had seized family homes near the Foxconn site to make way for a road-widening project to help the trucks that would never come reach the factory that would never be built.

https://beltmag.com/blighted-by-foxconn/

People lost the homes they'd lived in for generations, all for unconvincing political theater that allowed Walker and Trump to do a little boasting and empty the public coffers into the accounts of a global tech giant best known for driving its factory workers to suicide.

Four years later, the con appears to be winding down. Foxconn has officially admitted that rather than investing $10b, it will invest $1b and instead of creating 13,000 jobs, it will create 1,454.

As David Dayen writes for The American Prospect, it's a prelude to killing the deal altogether. Foxconn isn't even sure what this imaginary factory will build. Maybe parts for network switches? Maybe electric cars? (My money is on dairy farms!)

https://prospect.org/power/foxconn-finally-admits-con/

Gov Evers has whittled Foxconn's promised subsidy down to $80m, which Foxconn will have to return if it doesn't deliver (Trump, take note: that's how you do a deal).

But Evers couldn't save the state from all of Walker and Trump's foolishness. They've already blown $200m on "sales and use tax exemptions, state road improvements, and grants to local governments for workforce training."

Far worse off is the village of Mt Pleasant and the County of Racine, who've blown $1b on the nonexistent factory, including $160m to seize and destroy their residents' family homes, and $117m to run power to the empty site where no factory will be built.

The State of Wisconsin is supposed to pay the county and town 40% of that expenditure; writing in Good Jobs First, Greg LeRoy argues that the state should cover 100% of those payouts and then recoup it from Foxconn.

https://www.goodjobsfirst.org/news/releases/revamped-foxconn-deal-leaves-mt-pleasant-and-racine-county-fiscal-peril

As Dayen says: "Rather than offering bribes to corporate giants, they’d be much better off improving their education, health care, and transportation systems, making them more attractive to businesses. That would have the dual benefit of making their cities and states nicer to live in. Wouldn’t that be a concept."



A vintage John Deere tractor whose wheel hubs have been replaced with HAL 9000 eyes, matted over a background of the cyber-waterfall image from The Matrix.

John Deere's dismal infosec

As far back as 2015, the agribusiness monopolist John Deere was taking steps to ban farmers from fixing their own tractors, arguing that copyright law made trafficking in tools to effect these repairs a felony.

https://web.archive.org/web/20150428173001/https://www.theglobeandmail.com/technology/how-digital-rights-management-keeps-value-in-hands-of-the-manufacturer/article24130876/

The company took this to the US Copyright Office, saying that farmers couldn't fix their tractors because they don't own them, despite paying hundreds of thousands of dollars for them – software in tractors means they can only be licensed, not owned.

https://www.wired.com/2015/04/dmca-ownership-john-deere/

Deere bolstered this argument with a paternalistic warning that farmers are just not qualified to service tractors, prompting electronics specialist Willie Cade – grandson of a legendary Deere engineer – to speak out against the company.

https://securityledger.com/2019/03/opinion-my-grandfathers-john-deere-would-support-our-right-to-repair/

Cade explained that his grandfather Theo Brown – who filed 158 patents for Deere – got all of his ideas by going into the field and observing the modifications that farmers had made to their tractors.

It is not – and has never been – the case that Deere invents stuff that farmers use. It's the opposite. Farmers invent stuff, Deere commercializes it and sells it to other farmers. Farmers harvest their crops with Deere tractors, and Deere harvests FARMERS with them.

Stealing the Right to Repair from farmers was just the curtain-raiser for Deere's ban on modifying tractors, though. The real money is in stealing data that's generated when farmers drive their Deere tractors around their fields.

https://techcrunch.com/2016/07/06/the-land-grab-for-farm-data/

This data – a centimeter-accurate grid documenting soil density and humidity – is sold back by Deere to the farmers who created it as part of a "precision agriculture" package that comes with seeds from tyrants like Bayer, the new owner of Monsanto.

Far more grandiose, though, is Deere's plan to aggregate this misappropriated data and mine it for market intelligence about crop-yields, which can be sold into the agricultural futures market for billions.

The next time someone says "If you're not paying for the product, you're the product," remember Deere and farmers. Farmers spend hundreds of thousands on tractors and they're still the product. Slapping a pricetag on a monopoly doesn't make markets – it makes rent-extraction.

I've been in Copyright Office meetings where Deere and other embedded systems makers (notably car-makers) have claimed that they HAVE to lock down their systems to protect their customers from cyber-attacks.

But for that to be true, these companies would have to actually protect their customers from cyberattacks, and that's not the case, as is evidenced by Sickcodes's research on Deere's digital infrastructure, which Willie Cade contributed to.

https://sick.codes/leaky-john-deere-apis-serious-food-supply-chain-vulnerabilities-discovered-by-sick-codes-kevin-kenney-willie-cade/

Sickcodes signed up for a free developer account with Deere and began probing the system. Within hours, they had discovered serious flaws in both Deere's website and mobile apps. For example, they were able to retrieve the names and addresses of farmers from the website.

They also propose a method for automating this attack, which would allow them to extract the names, addresses and other personal information of every John Deere customer, including make and model, which would facilitate over-the-air attacks on the tractors themselves.

The bugs that Sickcodes located are incredibly obvious and suggest that Deere's security is totally incompetent. This is especially grim in light of the fact that Deere has never submitted a single bug to the US government's CVE database of serious flaws.

A quote from DARPA's Molly Jahn in Security Ledger gives a sense of the gravity of the situation: "We can easily imagine timed interference with planting or harvest that could be devastating."

https://securityledger.com/2021/04/deere-john-researcher-warns-ag-giants-site-provides-a-map-to-customers-equipment/

Deere monopolized the ag-tech market with badly secured products that put the US food supply at serious risk. It operates no vulnerability disclosure, and it took legal measures to prohibit third parties from fixing its tractors to remediate the deadly flaws it ignores.

Deere argues that we can't trust third parties to service tractors because they might expose farmers to cyber-risk; but Deere itself is exposing those farmers to even graver risks.

Even if Deere had amazing cyber-security, we'd still want to be able to check its work and fix its mistakes. But it doesn't. Deere has prioritized securing its ability to harvest farmers over farmers' ability to harvest their crops.

(Image: Cryteria, CC BY, modified)




Colophon

Today's top sources: Ron Deibert (https://twitter.com/RonDeibert/), Slashdot (https://slashdot.org/).


This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

