[Plura-list] Kickstarting mailbox hearts; The Mail; College Covid app is a security dumpster-fire

Cory Doctorow doctorow at craphound.com
Thu Aug 20 11:54:27 EDT 2020


Today's links

* Kickstarting mailbox hearts: A way to show your support for the
beleaguered USPS.

* The Mail: A print zine about the USPS, delivered by the USPS.

* College Covid app is a security dumpster-fire: Albion College
obliterates the qualitative and hopes the quantitative residue will suffice.

* Boeing fixes the 737 Max problem: By renaming the 737 Max.

* Crowdfunding Skycircles: The Advisory Circular network tells you about
the surveillance far overhead.

* This day in history: 2005, 2015, 2019

* Colophon: Recent publications, upcoming appearances, current writing
projects, current reading

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🦻🏽 Kickstarting mailbox hearts

Maker Joe Bonasera has an Etsy store specialized in selling 3D printed
decorative items; he had an unexpected success with a 3D printed USPS
Heart to be affixed to your mailbox to show your support for the
beleaguered postal service.

https://www.etsy.com/shop/makingthingsclt/

Now he's scaling up production with a Kickstarter campaign. They've
structured the pricing so that the majority of the money goes to
shipping - that is, to support the USPS.

https://www.kickstarter.com/projects/baltimore/show-some-love-to-your-postal-workers-with-a-mailbox-badge

The kickstarted versions of the hearts come in wood or plastic; the wood
ones are laser-cut from 3/4" maple ply, stencil-painted, the plastic
ones are 3D printed. They are either magnet- or adhesive-backed. $5 gets
you a 3" heart with your choice of backing.

$45 gets you a 10-pack; $125 buys a neighborhood pack of 30.

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🦻🏽 The Mail

The USPS has endured decades of fuckery thanks to the brush-war that led
to the passage of the 2006 bill that made America's unglamorous,
essential, universal, self-funding agency nominally broke, forcing it to
prefund pension liabilities for 75 years in the future.

But the brush-war became a full-blown hostility thanks to the confluence
of two factors:

I. Trump's appointing of a predatory swamp-gator to run the agency
(Louis DeJoy, a wealthy Trump donor with tens of millions invested in
private logistics firms that compete with USPS)

II. Trump's realization that this year's election would be almost
entirely run by postal ballot, that this would increase voter turnout,
and that this would deliver a humiliating electoral pasting to him and
other GOP grifters who rely on voter suppression to win office.

All of a sudden, we've got post office mania! I am not immune. But the
post office is a big, complicated system with a long and nuanced
history, and its tale is wilder than a mere high-profile skirmish with
Fedex investors and neofascist dictators.

Enter The Mail, a new weekly newsletter from Motherboard's Aaron W
Gordon that will tell the story of the postal service, running from now
until the election.

https://themail.substack.com/p/introducing-the-mail-a-newsletter

As befits a postal-obsessed new publication, The Mail will also have a
monthly companion zine, physically published on paper, stapled, put into
envelopes and sent to your home via the loving offices of your unionized
letter carrier.

"The zines will be put together by the entire Motherboard staff, and
will focus on digital security, hacking, internet ephemera, labor, and
will generally be intended to inform and delight."

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🦻🏽 College Covid app is a security dumpster-fire

In the early days of the pandemic, the term "contact tracing" vaulted
into the public consciousness: that's the shoe-leather- and
labor-intensive process whereby skilled health experts establish a
personal rapport with infected people to establish who they had contact
with.

For both good reasons (the scale of the pandemic) and bad ones (tech's
epistemological blindness, which insists that all social factors can be
ignored in favor of quantifiable ones), there was interest in automating
this process and "exposure notification" was born.

The difference is that exposure notification tells you whether your
device was near another device whose owner is sick. It doesn't tell you
about the circumstances - like, was it one of the people at that
eyeball-licking party? Or someone in the next car in a traffic jam?

Exposure notification vaporizes qualitative elements of contact tracing,
leaving behind just a quantitative residue of unknown value. There are
two big problems with this: first, it might just not be very useful
(that's what they learned in Iceland):

https://pluralistic.net/2020/05/12/evil-maid/#fjords

Second: people might be so distrustful of your data-handling processes
that they actively subvert the app, meaning there are so many holes in
your data that the data-set is useless. That's what happened in Norway.

https://techcrunch.com/2020/06/15/norway-pulls-its-coronavirus-contacts-tracing-app-after-privacy-watchdogs-warning/

The thing is, contact tracing is high-touch/low-tech because it is a
social science intervention. Social scientists have always understood
that if you only gather the data that's easy to reach, you'll come to
bad conclusions skewed by defects in your collection.

A canonical text on this is Clifford Geertz's "Thick Description," where
he describes an anthropologist trying to figure out why a subject just
winked: is it flirting? Dust in the eye? Something else? The only way to
know is to ask: you can't solve this with measurement.

To a first approximation, all the important stuff in our world has an
irreducible, vital qualitative dimension. Take copyright exemptions:
fair use rules are deliberately qualitative ("Is your use transformative
in a way that comments on or criticizes the work it uses?").

These are questions that reflect policy priorities: in the words of the
Supreme Court, fair use is the "escape valve" for the First Amendment,
the thing that squares exclusive rights for authors with the public's
right to free expression.

But the tech and entertainment industry have spent decades trying to
jettison this in favor of a purely quantitative measure: it's not fair
use if your image incorporates more than X pixels from another, or if
your video or sound has more than Y seconds from another work.

This is idiotic. Solving automation challenges by declaring the
non-automatable parts to be unimportant is how we get self-driving car
assholes saying, "We just need to tell people that they're not allowed
to act unpredictably in public."

(BTW, this is all said much better than I can in a superb Communications
of the ACM article by Randy Connolly: "Why Computing Belongs Within the
Social Sciences.")

https://cacm.acm.org/magazines/2020/8/246368-why-computing-belongs-within-the-social-sciences/fulltext

All of this is a leadup to the story of @Q3w3e3, an anonymous student at
Michigan's Albion College, a private uni that reopened after insisting
that all students must install a proprietary exposure notification app
before returning to campus to lick each other's eyeballs.

Albion paid some grifters to develop this app. Because of course they
did. The app is called Aura, and it was created by a company called
"Nucleus Careers."

If you're thinking that's a weird name for a public health development
company, you're right. They're a recruiting firm, founded this year,
"with no apparent history or experience in building or developing
healthcare apps."

https://techcrunch.com/2020/08/19/coronavirus-albion-security-flaws-app/

Aura is predictably terrible. As @Q3w3e3 discovered when they audited
it, the app stores all the students' location data in an Amazon storage
bucket, and comes with the keys to access that data hard-coded into the app.

The app also allows attackers to trivially discover the test status of
any registered user. Techcrunch discovered this bug and hypothesizes
that they could get the health data for 15,000 people this way. Did
someone say HIPAA?

Nucleus Careers refused to talk with Techcrunch's Zack Whittaker about
this beyond a few glomarish nonstatements. But the school administration
is standing behind the app, threatening to expel students who don't use it.

And this brings us back to the disutility of the denatured quantitative
residue of the thick, qualitative process of contact tracing. Many of
the students who are most at risk from using the app are also at
the highest risk of contracting the disease.

People struggling with addiction, queer kids who aren't out and have
secret partners, people engaged in survival sex-work are all at higher
risk of exposure, and they also have the biggest reason NOT to use the
app, lest it leak their secrets.

These are the people who you absolutely *want* to include in public
health efforts, but that can only happen through noncoercive, personal,
high-trust, low-tech interventions.

In other words, Aura isn't just technologically inept, it's also
epidemiologically inept. The cliche that "you treasure what you measure"
could not be more applicable here.

Look, these students shouldn't even be on campus. Obviously. And even a
good contact tracing system would probably mostly serve as a postmortem
for analyzing the inevitable conflagration of infection incoming in
3...2...1

But Albion is still a fascinating case-study in the lethal incoherence
of the contempt of both managerial and technology circles for "human
factors."

At the very least, we should ensure that the lives they will squander
through their hubris aren't totally wasted.

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🦻🏽 Boeing fixes the 737 Max problem

Before the plague, Boeing murdered hundreds of people by releasing a
lethally defective aircraft, the 737-Max, whose failings included vital
safety features that were sold as premium after-market add-ons.

The 737-Max scandal threatened to destroy the company, which had
weakened itself through an orgy of financial engineering, gnawing off
several of its limbs and devouring many of its vital organs.

But now, after receiving billions in bailouts, Boeing has finally
announced a fix for the 737-Max.

They're renaming it.

Henceforth, the plane will be called "the 737-8."

https://onemileatatime.com/boeing-737-8/

As Rob Beschizza points out, it's a strategy most prominently associated
with Trump, who tweeted "If I were Boeing, I would FIX the Boeing 737
MAX, add some additional great features, & REBRAND the plane with a new
name."

https://twitter.com/realDonaldTrump/status/1117736685721223168


_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🦻🏽 Crowdfunding Skycircles

Skycircl.es is a project of John Wiseman, a furloughed Disney Imagineer
who became obsessed with mysterious overhead aircraft and decided to
monitor them, discovering (among other things) a massive, covert FBI
aerial surveillance program.

The project uses a cheap software-defined radio and a low-cost antenna
to intercept transponder signals from overhead aircraft and plot their
movements on maps in realtime, also storing longitudinal flight data.

https://docs.google.com/presentation/d/1sowJrQQfgxnLCErb-CvUV8VGXdtca6SWYWWLRPZgaHI/edit#slide=id.ga3a076b34_0_12

But the other half of the project is using open sources and freedom of
information requests to pierce the veils of secrecy surrounding the
front companies that many of these aircraft are registered to.

The program has revealed just how busy our skies are with invisible,
unregarded surveillance aircraft. This image is not a lengthy
time-lapse: it is a snapshot of a single moment in the LA skies.

https://docs.google.com/presentation/d/1sowJrQQfgxnLCErb-CvUV8VGXdtca6SWYWWLRPZgaHI/edit#slide=id.g5086fd3e26_0_79

Wiseman has collected BILLIONS of transponder pings from surveillance
aircraft. New ones are tweeted in realtime by Advisory Circular, a
network of Twitter bots that report on the skies over many major cities.

https://twitter.com/i/lists/1263724487435890688

The project is all free/open source, and Wiseman has run it for years as
a self-funded hobby. But since being furloughed, this has become harder
to sustain. Now one of his laptops has died and he doesn't have the cash
to replace it.

He's soliciting donations to keep the project going. He's also in search
of other coders to contribute, and free hosting for some of the project.

https://skycircl.es/donate-nerd-mode/

If he gets enough money, he's planned to give every spy aircraft in
America its own social media account that tracks its movements in
realtime; a mobile app that tells you which aircraft are overhead right
now, and planet-scale analysis of spy planes.

Our own household finances are under severe strain, but I just donated
to him. He's an example of how tech can serve as a force-multiplier for
people resisting authoritarianism and illegitimate exercises of power.

A self-funded hobbyist is fighting the entire surveillance-industrial
complex...and winning!

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🦻🏽 This day in history

#15yrsago Oxford no longer accepting "child prodigies"
https://www.theguardian.com/uk/2005/aug/21/highereducation.accesstouniversity

#5yrsago Ashley Madison commits copyfraud in desperate bid to suppress
news of its titanic leak
https://boingboing.net/2015/08/20/ashley-madison-commits-copyfra.html

#5yrsago Google covertly lobbied against net neutrality in India
http://www.medianama.com/2015/08/223-google-iamai-net-neutrality-india/

#5yrsago Ulysses pacts and spying hacks: warrant canaries and binary
transparency
https://www.theguardian.com/technology/2015/aug/20/warrant-canaries-a-subtle-hint-that-your-email-provider-is-compromised

#5yrsago Your Android unlock pattern sucks as much as your password did
https://web.archive.org/web/20171202220215/https://bsideslv2015.sched.com/event/9b17c2285b59eac2cca5700c7462e327

#5yrsago Universities' tax-exempt giga-endowments spend more on hedge
fund managers than on education
https://www.nytimes.com/2015/08/19/opinion/stop-universities-from-hoarding-money.html

#5yrsago America does a better job of tracking bee deaths than deaths in
police custody
https://www.muckrock.com/news/archives/2015/aug/20/bees-not-bodies/

#5yrsago "I hope the Chinese aren't collating the Ashley Madison data
with their handy federal list of every American with a security
clearance." -Bruce Sterling
https://brucesterling.tumblr.com/post/127151439198/man-those-are-some-savage-vigilantes-i-hope

#5yrsago Eat invasive species and enjoy guilt-free meat
https://www.bloomberg.com/news/articles/2015-08-19/invasive-species-chefs-latest-menu-offering

#5yrsago Windows 10 EULA: Microsoft can killswitch your unauthorized
hardware and pirate games
https://www.alphr.com/microsoft/microsoft-windows-10/1001360/microsoft-can-disable-your-pirated-games-and-illegal-hardware

#1yrago First detailed look at Poland's challenge to the EU Copyright
Directive
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.C_.2019.270.01.0021.01.ENG&toc=OJ:C:2019:270:TOC

#1yrago From search-engine to walled garden: majority of Google searches
do not result in a click
https://sparktoro.com/blog/less-than-half-of-google-searches-now-result-in-a-click/

#1yrago Gawker's new owners demand right to search journalists, ban
encrypted email and institute dress code
https://deadspin.com/this-is-how-things-work-now-at-g-o-media-1836908201

#1yrago How "meritocracy" went from a joke to a dogma, and destroyed the
lives of everyone it touched
https://www.theatlantic.com/magazine/archive/2019/09/meritocracys-miserable-winners/594760/

#1yrago Read: Jeannette Ng's Campbell Award acceptance speech, in which
she correctly identifies Campbell as a fascist and expresses solidarity
with Hong Kong protesters
https://medium.com/@nettlefish/john-w-campbell-for-whom-this-award-was-named-was-a-fascist-f693323d3293

#1yrago Adding pink seaweed to cow feed eliminates their methane
emissions
https://www.usc.edu.au/about/usc-news/news-archive/2019/august/burp-free-cow-feed-drives-seaweed-science-at-usc

#1yrago A free/open tool for making XKCD-style "hand-drawn" charts
https://timqian.com/chart.xkcd/

#1yrago A deep dive into how parasites hijack our behavior and how we
evolved to resist them
https://slatestarcodex.com/2019/08/19/maybe-your-zoloft-stopped-working-because-a-liver-fluke-tried-to-turn-your-nth-great-grandmother-into-a-zombie/

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🦻🏽 Colophon

Today's top sources: Jason Koebler (https://twitter.com/jason_koebler/),
John Naughton (https://memex.naughtons.org/), freeFall3
(https://twitter.com/Fall3Free), Boing Boing (https://boingboing.net/),
Super Punch (https://www.superpunch.net/).

Currently writing:

* My next novel, "The Lost Cause," a post-GND novel about truth and
reconciliation. Yesterday's progress: 509 words (51597 total).

Currently reading: Twilight of Democracy, Anne Applebaum.

Latest podcast: Someone Comes to Town, Someone Leaves Town (part 13)
https://craphound.com/podcast/2020/08/16/someone-comes-to-town-someone-leaves-town-part-13/

Upcoming appearances:

* Keynote for Law Via the Internet conference, Sept 22,
https://www.crowdcast.io/e/LVI2020/register

* Writing into an Uncertain Future, Afterwords Festival, Oct 1,
https://www.eventbrite.ca/e/writing-into-an-uncertain-future-tickets-115378329690

Latest book:

* "Little Brother/Homeland": A reissue omnibus edition with a new
introduction by Edward Snowden:
https://us.macmillan.com/books/9781250774583; personalized/signed copies
here:
https://www.darkdel.com/store/p1750/July%3A__Little_Brother_%26_Homeland.html

* "Poesy the Monster Slayer" a picture book about monsters, bedtime,
gender, and kicking ass. Order here:
https://us.macmillan.com/books/9781626723627. Get a personalized, signed
copy here:
https://www.darkdel.com/store/p1562/_Poesy_the_Monster_Slayer.html.

Upcoming books:

* "Attack Surface": The third Little Brother book, Oct 20, 2020.
https://us.macmillan.com/books/9781250757531

This work is licensed under a Creative Commons Attribution 4.0 license.
That means you can use it any way you like, including commercially,
provided that you attribute it to me, Cory Doctorow, and include a link
to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are
included either under a limitation or exception to copyright, or on the
basis of a separate license. Please exercise caution.

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🦻🏽 How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/web/accounts/303320

Twitter (mass-scale, unrestricted, third-party surveillance and
advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

*When life gives you SARS, you make sarsaparilla* -Joey "Accordion Guy"
DeVilla

