[Plura-list] Public Domain Review Coloring Book, Amazon's leaked anti-worker smear plan, Wikipedia vs patent troll, Bug bounty programs as catch-and-kills, The Tea Party killed pandemic prep

Cory Doctorow doctorow at craphound.com
Fri Apr 3 12:19:33 EDT 2020

Today's links

* The Public Domain Review Coloring Book: Hokusai, Albrecht Dürer, Harry
Clarke, Virginia Frances Sterrett, etc.

* Amazon's leaked anti-worker smear plan: They put it in writing.

* Wikipedia vs patent troll: No, you didn't invent autocomplete.

* Bug bounty programs as catch-and-kills: Companies are not good
stewards of their own bad news.

* The Tea Party killed pandemic preparedness: "No one warned us"
-Congressman who was warned repeatedly.

* This day in history: 2019

* Colophon: Recent publications, upcoming appearances, current writing
projects, current reading


🚑 The Public Domain Review Coloring Book

The Public Domain Review has published a coloring book of beautifully
retouched public domain line-art for locked-in diversions, featuring
"Hokusai, Albrecht Dürer, Harry Clarke, Virginia Frances Sterrett,
Jessie M. King, Aubrey Beardsley, and more."


Download as A4:


Or letter:



🚑 Amazon's leaked anti-worker smear plan

What's stupider than firing the warehouse manager who organized an
Amazon warehouse walkout over covid contamination?


Writing a memo explaining how you plan to smear that organizer to
neutralize your own workers' demands for a safe work environment,
assuming, incorrectly, that it won't leak.



Amazon General Counsel David Zapolsky's leaked memo said that the fired
warehouse worker, Christian Smalls was "not smart or articulate" and
suggested that the company make him "the face of the entire
union/organizing movement."

Zapolsky's memo set out the company's messaging: make the case that
Smalls's leadership of the walkout was "immoral, unacceptable, and
arguably illegal, in detail, and only then follow with our usual talking
points about worker safety."

Zapolsky told Motherboard that he "was frustrated and upset that an
Amazon employee would endanger the health and safety of other
Amazonians."

In Smalls's interview with Jeremy Scahill on the Intercepted podcast, he
describes how he decided to risk his livelihood in the midst of a
pandemic to protect his coworkers, who were visibly sick with covid but
not given paid leave.


All he wanted from the company was a deep clean of the warehouse – as
they'd done in other contaminated facilities – and paid leave while
their workplace was made safe. Having read Zapolsky's leaked candid
remarks and heard Smalls make his case, I know who I believe.


🚑 Wikipedia vs patent troll

Worldlogic is a patent troll that claims to own a patent on search boxes
that autocomplete your queries. They don't make tools, they make
lawsuits…against people who make tools. When that patent was litigated,
the courts found it likely to be invalid.


Alas (and predictably), Worldlogic settled that case before the court
could annihilate their bullshit patent. That way, they got to use it to
threaten other productive toolmakers to collect rent for socially
useless parasites.

For example, they have threatened Wikipedia and the Internet Archive,
who have asked a court to invalidate their patent.


It's likely we'll see their arguments in July. For now, you can enjoy
Wikipedia's lawyers' letter explaining in eyewatering detail that these
trolls did not invent autocomplete.



🚑 Bug bounty programs as catch-and-kills

You entrust digital products with a lot: from your thermostat to your
car's informatics to your pacemaker to your email and financial data,
defects in computers can expose you to potentially enormous risk.

The only thing worse than using a defective product is unknowingly using
a defective product (having faulty brakes is bad, discovering your
brakes are faulty on the highway is much, much worse).

Tech companies have long asserted that they alone have the right to
decide who can disclose true facts about defects in their products…for
safety. If randos who discover their mistakes make disclosures without
warning companies, then "bad guys" will exploit the bugs.

There's a legitimate ethical debate about the best way to make bug
disclosures, but even if you believe that someone should be the
official, legal custodian of Bad News About a Company's Products, it's
commonsense that the company itself should not be that custodian.

It seems obvious that, in the US, the First Amendment protects your
right to make truthful disclosures about defective products. Yet,
corporations (led by Oracle) have stretched the disastrously vague,
Reagan-era Computer Fraud and Abuse Act to threaten (and, sometimes,
imprison) researchers who make these disclosures without permission.

It's not just the CFAA. Section 1201 of the Digital Millennium Copyright
Act provides up to five years in prison and a $500,000 fine for a first
offense by anyone who "traffics" in a "circumvention device." So
publishing proof-of-concept code that demonstrates a vuln in a
DRM-protected system is a potential felony. (The triennial exemptions
the Copyright Office grants for good-faith security research cover the
act of circumvention, not trafficking, so they do not shield the
publication of circumvention code.)

Enter the Vulnerability Disclosure Program and its freespending cousin,
the Bug Bounty Program. Under these "managed disclosure" systems,
companies invite security researchers to reveal their findings.

In theory, this is how we want things to work: rather than coercing
researchers into silence, companies entice them into cooperation, say,
by promising to publish all reported bugs themselves after a suitable
period to investigate and fix them.

Maybe they even pay researchers for going the managed disclosure route.

In practice, though, criminal and civil threats loom large over these
programs. Companies offer cash and immunity to researchers as a carrot,
but they hold out fines and prison as a stick.

And it turns out that, yup, companies are really shitty stewards of bad
news about their own products. When companies get to set terms on which
hackers talk to them first, they set terms that bind researchers to long
periods (sometimes indefinite) of silence.

And the companies also reserve the right to decide whether they will
ever reveal the bugs to us poor suckers trusting their products with our
money, privacy and lives, whether they'll ever patch those products, etc.

But a few years back, some people had an idea to turn this bug into a
feature: they'd start VC-backed companies that would manage bug bounties
and disclosure programs for companies. They'd organize researchers,
validate findings, manage thorny comms with the companies…

They'd build platforms where researchers could flock and socialize and
collaborate and become millionaires (!) by working with companies,
instead of against them.

That didn't work out so great. Because the hackers the platforms were
supposed to protect weren't the platforms' customers – the tech
companies whose products were being tested were the customers.

So the companies whose worst impulses the bug-management platforms were
supposed to be blunting ended up running the show, and the reporting
platforms became a catch-and-kill system for vulns.


Hackers who join these platforms to earn big by doing the right thing
instead find that they are required to sign indefinite, one-sided NDAs
that prevent them from disclosing anything, even the fact that they
signed an NDA.

And the companies don't have to make any promises (apart from
payment…sometimes) to do anything about the bugs that are brought to
them by researchers.

In JM Porup's excellent piece on this for CSO Magazine, he describes how
the VC-backed, growth-oriented bug-bounty platforms are incentivized to,
uh, overstate how much money hackers can make from using them, and what
kind of results they can expect.

Reading between the lines, and talking with former HackerOne exec Katie
Moussouris, Porup makes a pretty good case that apart from statistically
insignificant outliers, there's not much money to be made by using these
platforms, and the price of admission is silence and inaction.

Porup also makes the case that bug bounty platforms are potentially
violating California's employment law, and the GDPR. He also debunks
claims that their operations follow the ISO standards for vulnerability
disclosure and handling (ISO/IEC 29147 and 30111, which Moussouris
co-authored).

I think that the outcome here was entirely predictable. The bug bounty
platforms have tacitly endorsed the idea that it is/should be illegal to
tell the truth about defective products without permission from the
products' manufacturers.

Inevitably, deputizing companies to decide who can warn their customers
that their products can't be trusted ends with those companies abusing
that power. Period. To imagine otherwise is to engage in fantasy. It's
the kind of motivated reasoning that looks great in a VC pitch but is a
disaster in the world.

(Image: Christoph Scholz, CC BY-SA)


🚑 The Tea Party killed pandemic preparedness

In 2010, the CDC funded a report urging the federal government to treat
public health preparedness "on par with federal and state funding for
other national security response capabilities." Specifically, they
called for N95 mask stockpiling.


The Obama administration asked Congress to allocate funds for this
purpose. The Tea Party-dominated Republicans killed those allocations,
starving the program of $321m in the years since.


In 2011, the Tea Party Republicans in Congress killed another
appropriation for public health preparedness, after the swine flu
emergency demolished existing PPE stockpiles.

In 2011, after the debt-ceiling crisis, House and Senate GOP officials
again slashed funding for health emergencies. Tom Harkin, the Democratic
chair of the Senate appropriations subcommittee responsible for health
spending, said at the time, "We're now getting into the bone marrow."

The Obama administration repeatedly begged Tea Party Congressjerks to
appropriate for public health emergencies, warning of the dire
consequences of a pandemic.


During the zika crisis, the Tea Party gave Obama half of what he said he
needed for future health emergencies.


In 2016, an urgent National Academies of Science Report affirmed the
need for massive spending to improve public health preparedness.


Since the 2016 elections, the Trump administration has repeatedly called
for massive cuts to CDC funding.

When ProPublica asked retired Tea Party Congressman Denny Rehberg (who
chaired the appropriations subcommittee responsible for overseeing the
stockpile in 2011) about this, he told them that this emergency was as
unforeseeable as 9/11.

This is the GOP line: no one could have foreseen this. It's Trump's
line: he inherited this mess from Democrats. The reality is that the Tea
Party was told, and told, and told again. And they did less than
nothing: not merely failing to act but actually making things worse.


🚑 This day in history

#1yrago Elizabeth Warren proposes holding execs criminally liable for
scams and data breaches

#1yrago 540 million Facebook users' data exposed by third party
developers https://www.upguard.com/breaches/facebook-user-data-leak

#1yrago After months of insisting that #Article13 doesn't require
filters, top EU Commissioner says "Article 13 requires filters"

#1yrago After years of insisting that DRM in HTML wouldn't block open
source implementations, Google says it won't support open source

#1yrago How EFF's Eva Galperin plans to destroy the stalkerware industry


🚑 Colophon

Today's top sources: Bruce Schneier (https://schneier.com/).

Currently writing: I'm getting geared up to start work on my next novel,
"The Lost Cause," a post-GND novel about truth and reconciliation.

Currently reading: Just started Lauren Beukes's forthcoming Afterland:
it's Y the Last Man plus plus, and two chapters in, it's amazeballs.
Last month, I finished Andrea Bernstein's "American Oligarchs"; it's a
magnificent history of the Kushner and Trump families, showing how they
cheated, stole and lied their way into power. I'm getting really into
Anna Weiner's memoir about tech, "Uncanny Valley." I just loaded Matt
Stoller's "Goliath" onto my underwater MP3 player and I'm listening to
it as I swim laps.

Latest podcast: Author's Note from Attack Surface

Upcoming appearances:

* Short Story Club, April 7, 5:30PM Pacific https://www.shortstory.club/

Upcoming books: "Poesy the Monster Slayer" (Jul 2020), a picture book
about monsters, bedtime, gender, and kicking ass. Pre-order here:

(we're having a launch for it in Burbank on July 11 at Dark Delicacies
and you can get me AND Poesy to sign it and Dark Del will ship it to the
monster kids in your life in time for the release date).

"Attack Surface": The third Little Brother book, Oct 20, 2020.

"Little Brother/Homeland": A reissue omnibus edition with a new
introduction by Edward Snowden: https://us.macmillan.com/books/9781250774583

This work is licensed under a Creative Commons Attribution 4.0 license.
That means you can use it any way you like, including commercially,
provided that you attribute it to me, Cory Doctorow, and include a link
to pluralistic.net.


Quotations and images are not included in this license; they are
included either under a limitation or exception to copyright, or on the
basis of a separate license. Please exercise caution.
How to get Pluralistic:

Blog (no ads, tracking, or data-collection):


Newsletter (no ads, tracking, or data-collection):


Mastodon (no ads, tracking, or data-collection):


Twitter (mass-scale, unrestricted, third-party surveillance and advertising):


Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):


When life gives you SARS, you make sarsaparilla -Joey "Accordion Guy"
