[Plura-list] A universal remote for killing people; The sordid tale of We Charity; NSO Group cyberweapons targeted Togo's opposition

Cory Doctorow doctorow at craphound.com
Mon Aug 3 13:00:59 EDT 2020

Today's links

* A universal remote for killing people: It's really time to trade in
your Medtronic Minimed insulin pump. Really.

* New podcast episode: Part 12 of my reading of "Someone Comes to Town,
Someone Leaves Town.

* The sordid tale of We Charity: Black Hat SEO, investigating critical
journalist's children, and more.

* NSO Group cyberweapons targeted Togo's opposition: Another dictator
for NSO's reference customer list.

* This day in history: 2010, 2015, 2019

* Colophon: Recent publications, upcoming appearances, current writing
projects, current reading


🌏 A universal remote for killing people

Medtech giant Medtronic is quite a piece of work. The company started as
a Minneapolis repair shop before growing to be one of the world's
largest, most profitable - and lowest-taxed, thanks to financial
engineering - corporations.

Despite the company's origins in conducting unauthorized repairs on
behalf of hospitals and other device owners, Medtronic (along with
Apple) has led the fight to kill dozens of state Right to Repair bills:


Medtronic's dirty tricks campaigns against R2R are especially salient
now, because the company has sabotaged its ventilators so they can't be
repaired by hospital engineers without obtaining an unlock code from the


But Medtronic's device defects aren't limited to ventilators. At least
as alarming is the company's history of making personal medtech devices
(including pacemakers) that are insecure in every conceivable way.

Medtronic devices have been shown to be LETHALLY compromisable by
sending them unencrypted wireless signals or just by poisoning their
unsecured supply chain, which allows you to inject malicious firmware
into devices en masse.

If there was ever a manufacturer whose customers needed to be able to
turn to third parties to shore up its products (literally) fatal
deficiencies, it's Medtronic.

Which brings me to the present moment. It's been two years since QED
Security Solutions' Billy Rios and Jonathan Butts presented their work
on Medtronic's Minimed insulin pump, showing that it could be remotely
controlled by cheap wireless devices.

Among the attacks they enabled: dumping the device's full supply of
insulin, potentially killing the person wearing it.

The defects they identified were intrinsic to the device and the only
defense was disabling the wireless, which rendered the device useless
for family members who helped loved ones manage their insulin
(especially young kids or people with dementia, etc).

Still, Medtronic dragged its feet on a recall, saying (incredibly) that
it had known about these defects for years before Rios and Butts told
them about it, but had decided not to fix them and didn't see why that
should change now.

Finally, though, the company has launched a "voluntary recall" - after
Rios and Butts built an Android app that exploited the defect they
identified and created a "universal remote for every one of these
insulin pumps in the world" and presented it at Black Hat.

This is an app that would let the user murder Medtronic users from a
distance of several feet. Obviously, they haven't released it, but the
publicity did its job.




🌏 New podcast episode

The latest episode of my podcast is live! It's part 12 of my reading of
my 2006 novel Someone Comes to Town, Someone Leaves Town, a book that
Gene Wolfe called "a glorious book unlike any book you’ve ever read."


Here are the previous installments:


Here's a direct link to the MP3 (hosting courtesy of the Internet
Archive - they'll host your stuff for free, too!):


And here's the podcast feed (now with timecode, thanks to Lee Maguire!)



🌏 The sordid tale of We Charity

For months, I've been following Canadaland's deep dive into We Charity
and its bewildering array of both for-profit and charitable subsidiaries
and affiliated companies. The picture just keeps getting uglier and
weirder, and it reached a kind of pinnacle for me today.

Some background: We began life as "Free the Children," an
anti-child-labour campaign started by a pair of Canadian brothers, Marc
and Craig Kielburger, who were children themselves at the time.

In the years since, We has become a Canadian institution, with "We Days"
mega-events attended by top performers and politicians, as well as
in-school events coast to coast. Millions of Canadian kids have raised
money for We.

But We is a complex and opaque and difficult-to-understand organisation.
Some reporting would have made it easier to understand what the org was
up to.

But between seeking editorial censure of journalists for mild criticism,
and a reputation for replying to routine journalistic queries with
threats from some of Canada's most aggressive libel lawyers, critical
investigative coverage was thin on the groups.

Canadaland's investigations began with tips that the organization's
various arms had "partnered" with companies that were credibly accused
of participating in the kind of child labor practices that they were
formed to start.

But it quickly turned into a story about the story itself, as
Canadaland, and its founder, Jesse Brown, were subjected to bizarre,
international dirty-tricks campaigns, including smearjobs in obscure,
small-town, far-right news sites.

Brown discovered he'd been targeted by private investigators who went so
far as to dig into his young children's lives.

Brown and Canadaland couldn't affirmatively link the dirty tricks to We,
though the timing, context and content made everything very suspicious -
and meanwhile, Wikipedians put warnings on We's articles after they
detected paid reputation-washers editing them.

To Brown and Canadaland's credit, they didn't let up, and chased a
steady stream of tips about labour conditions at We, corruption in We's
overseas projects in Kenya, and irregularities in the We's charitably
raised funds, contributed by Canada's schoolkids

They discovered that performers at We's "We Days" - including members of
Prime Minister Justin Trudeau's family - were paid for participating,
out of those charitable funds (We says they should have been paid by its
for-profit arm).

And they uncovered subsidised junkets for top level government
officials, publishing as the Canadian government was offering We a
9-figure no-bid contract to create a summer volunteer program for
Canadian kids.

All of this against a steady background drumbeat of legal threats, more
dirty tricks, and smears - some, shamefully, from Canadian journalists.

Last month, We's founders testified before Parliament, as the political
dimensions of the scandals threatened the stability of Trudeau's fragile
coalition government.

All of this has called a once-unimpeachable Canadian institution into
question - from the way its funds are dispersed (only a minority of We's
charitable funds go to overseas program activity), the way it smears its
critics, to the complexity of its financial structures.

Which brings me to the latest Canadaland episode, in which Brown
discusses the revelation that one of We's US companies contracted with
Firehouse Strategies, a GOP dirty tricks company that grew out of the
2016 Rubio presential campaign.

By Firehouse's own account, the company gave up on substantive debate
after Trump and devoted themselves to dirty tricks and smears, targeting
nonprofits seeking to retaliate against their critics.


Meanwhile, other Canadian news outlets discovered job-board listings for
clickworkers to help engage in deceptive "search-engine optimization"
techniques to bury criticism of We.

Having been on the receiving end of legal intimidation from wealthy,
powerful, politically connected Canadians, I know just how much of a
risk Brown took with this, and how harrowing it must have been.

He and Canadaland should be commended for shining light where it was
obviously badly needed. The kind of harassment and dirty tricks he's
faced are not the actions of anyone who has any business being involved
with the moral education of our children.


🌏 NSO Group cyberweapons targeted Togo's opposition

The NSO Group makes powerful cyberweapons; they claim that these are
only used by legitimate governments against terrorists and criminals,
but they keep getting used by despots and autocrats to neutralize
opponents, including NGOs, journalists, and democratic oppositions.

Much of what we know about NSO's role in dictators harassment, torture
and murder is thanks to Citizen Lab, whose independent research has been
invaluable - it's thanks to them that we know about NSO's role in the
kidnapping, murder and dismemberment of Jamal Khashoggi.

This led to ex-Mossad agents targeting Citizen Lab's academic
researchers, an action widely presumed to have been undertaken at NSO's


Now (yet again!), Citizen Lab has released a detailed report of NSO's
weapons being trained on democratic opposition figures by tyrannical
despots; in this case, it's the dictator of Togo's enemies, including
Catholic human rights advocates in Togo.


Among the victims: Monseigneur Benoît Comlan Alowonou, Bishop of
Kpalimé, who was targeted in smear campaigns after he criticized the
Togolese dictator Faure Gnassingbé, who inherited the presidency from
his father in 2005.

Also targeted: Father Pierre Marie-Chanel Affognon, who was smeared in a
campaign that used personal information presumed to have been stolen
from his devices by NSO's weapons.

Political figures were also in NSO's crosshairs: opposition leaders
Elliott Ohin and Raymond Houndjo were both targeted by Pegasus, NSO's
flagship malware.

Togo is a desperately poor, repressive state, ranked 167/189 in the 2019
United Nations Human Development Index. Like many of NSO's customers, it
lacks any hope of developing its own Made-in-Togo digital authoritarian

Instead, it relies on NSO Group to provide the products for turnkey
networked authoritarianism, to bring cold efficiency to its programs of
arbitrary detention, arrests, torture and murder.

"The Togolese government uses technical means to curb dissent.
Authorities have disrupted mobile phone and internet service during
protests and on election days to suppress protest and to curtail press


🌏 This day in history

#10yrsago Popville: popup book cleverly and delightfully illustrates the
growth of a town https://boingboing.net/2010/08/03/popville-popup-book.html

#5yrsago NSA conducted commercial espionage against Japanese government
and businesses

#5yrsago David Cameron will publish the financial details and viewing
habits of all UK porn-watchers

#5yrsago Hong Kong protesters take to the street in bras: "breasts
aren't weapons"

#5yrsago Windows 10 defaults to keylogging, harvesting browser history,
purchases, and covert listening

#1yrago Elsevier: "It's illegal to Sci-Hub." Also Elsevier: "We link to
Sci-Hub all the time."

#1yrago Massachusetts says Purdue's profits from a single opioid addict
were $200,000


🌏 Colophon

Today's top sources: Alice Taylor (https://twitter.com/alicejanetaylor/).

Currently writing:

* My next novel, "The Lost Cause," a post-GND novel about truth and
reconciliation. Yesterday's progress: 517 words (41820 total).

Currently reading: The Deficit Myth, Stephanie Kelton

Latest podcast: Someone Comes to Town, Someone Leaves Town (part 12),

Upcoming appearances:

* Do Androids Dream of Electric Cars? Public Transit in the Age of
Google, Uber, and Elon Musk, Aug 4,

* Virtual event with Christopher Brown for his novel "Failed State," Aug

* Induction into the CSFFA Hall of Fame, Aug 15,

Latest book:

* "Little Brother/Homeland": A reissue omnibus edition with a new
introduction by Edward Snowden:
https://us.macmillan.com/books/9781250774583; personalized/signed copies

* "Poesy the Monster Slayer" a picture book about monsters, bedtime,
gender, and kicking ass. Order here:
https://us.macmillan.com/books/9781626723627. Get a personalized, signed
copy here:

Upcoming books:

* "Attack Surface": The third Little Brother book, Oct 20, 2020.

This work licensed under a Creative Commons Attribution 4.0 license.
That means you can use it any way you like, including commerically,
provided that you attribute it to me, Cory Doctorow, and include a link
to pluralistic.net.


Quotations and images are not included in this license; they are
included either under a limitation or exception to copyright, or on the
basis of a separate license. Please exercise caution.


🌏 How to get Pluralistic:

Blog (no ads, tracking, or data-collection):


Newsletter (no ads, tracking, or data-collection):


Mastodon (no ads, tracking, or data-collection):


Twitter (mass-scale, unrestricted, third-party surveillance and


Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):


*When life gives you SARS, you make sarsaparilla* -Joey "Accordion Guy"

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://mail.flarn.com/pipermail/plura-list/attachments/20200803/5c840735/attachment.sig>

More information about the Plura-list mailing list