[Plura-list] University requires students to buy nonexistent webcams; Gadget that adds steps to your Fitbit; How Marcus Hutchins saved the world and lived to tell the tale

Cory Doctorow doctorow at craphound.com
Wed May 13 13:42:16 EDT 2020

Today's links

* University requires students to buy nonexistent webcams: Unobtanium
vs. cheating.

* Gadget that adds steps to your Fitbit: An open source hardware answer
to Fitbit-tied insurance programs.

* How Marcus Hutchins saved the world and lived to tell the tale: A
nuanced portrait.

* Red states prep for postal vote: Murdering the elderly won't help them
at the ballot box.

* Corporate Dems want to bail out lobbyists and dark money orgs:
Centrism kills.

* Feds want national snitchlines for bosses whose workers don't want to
die: Homelessness or coronavirus.

* Restaurants, hotels and bars cut the cord: The curse of bigness.

* NSO Group tried to sell malware to US law enforcement: Khashoggi
killers, doing deals.

* Senate Dems want to ban internet disconnection: Broadband is a human

* This day in history: 2005, 2010, 2015, 2019

* Colophon: Recent publications, upcoming appearances, current writing
projects, current reading


🥩 University requires students to buy nonexistent webcams

Math students at Wilfrid Laurier University in Waterloo, Ontario have
been ordered to buy an external webcam and a means of fixing it over
their shoulder so that proctors can watch them as they sit exams.


A high-handed note from Math Dept chair Roman Makarov told students,
"there are no alternatives to writing exams in this manner."

The department has been unsympathetic to pleas from students who point
out that all the online retailers are sold out of webcams, and the stock
on Ebay is a mix of poor-quality products, counterfeits, and resold
items from ruthless price-gougers.

A university spox said that the school would find "options for students
who face difficulty obtaining external webcams" but didn't delve into
details, beyond pointing out that the chair had recommended "borrowing
or renting equipment and pointing to financial supports..."

Students are also required to use Respondus's spyware "invigilation"
tool while sitting exams.

The student union has raised the issue of whether "proper non-tuition
fee/expense guidelines are followed."


🥩 Gadget that adds steps to your Fitbit

In the USA, your health insurance deductible can be tied to the number
of steps you get in on your Fitbit, "which is great when gyms are closed
and everyone is stuck at home during a global health crisis."


The solution* is the Restepper, Andrew Thaler's open source hardware
gadget that uses an Arduino-controlled mechanism to generate plausible
steps for your Fitbit to count.  Cost of goods? Less than $100.


*Actual solution, Medicare for All, not shown here.


🥩 How Marcus Hutchins saved the world and lived to tell the tale

You may recall the Wannacry ransomware epidemic in 2017, when hospitals,
businesses and governments were shutting down because their computers
were being encrypted by malware that relied on a leaked NSA cyberweapon
called Eternalblue to spread.

The incidents were incredible, cinematic, even. Whole hospitals shutting
down. The worm spreading like a pandemic. And then, one day, it all

Then we learned that an anonymous security researcher going by
Malwaretech had found a "kill switch" to shut it down.

That was wild, and what was wilder was HOW Malwaretech killed it. They'd
noticed that infected computers were trying to reach a weird, random,
nonexistent domain, iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com, and
so they'd registered the domain and stood a server up there.

They were hoping to intercept some of the comms between infected
computers and their botmasters, but instead, they had "sinkholed" the
system, turning off the infection in every affected computer in the world.

No one's quite sure why Wannacry infections go dormant if
iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com can be reached. A leading
theory is that the malware's author wanted to prevent efforts to
decompile and analyze their creation.

The first step in such an operation is loading the worm into a virtual
machine - a simulated computer inside a real computer, which the
researcher can inspect and alter with a thoroughness that is harder to
achieve on real computers.

Malware in a VM is trapped inside The Matrix, a head in a jar. These VMs
are often configured to answer all internet requests from the malware,
in the hopes of intercepting traffic between infected systems and
command-and-control servers.

Canny malware authors can use this to their advantage, writing in a
subroutine that goes, "Try to contact this nonexistent server. If it
answers, you're in The Matrix, so go to sleep and don't wake up until
that server disappears."

So, the theory goes, by registering that server, Malwaretech had
inadvertently scared every instance of the worm in the world into
hibernation by convincing it that it was stuck in The Matrix, and in so
doing, Malwaretech had saved the day.
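
A defender's view of the kill-switch behaviour described above, as an
added example that is not part of the original newsletter: it triages
constructed DNS resolver log lines for clients that looked up the domain
quoted in the text, and separates those that got an answer (dormant, per
the theory) from those that did not. The log format, IP addresses, state
labels and subdomain matching are assumptions.

```python
# Added example: triage DNS resolver logs for the WannaCry kill-switch lookup.
# A DNS answer is used here as a stand-in for "the domain can be reached".

# Kill-switch domain exactly as quoted in the newsletter text.
KILL_SWITCH = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample log (hypothetical format):
# timestamp client_ip query_name response_code
SAMPLE_LOG = """\
2017-05-12T15:01:07Z 10.0.4.17 iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. NXDOMAIN
2017-05-12T15:01:09Z 10.0.4.22 updates.example.org. NOERROR
2017-05-12T15:20:41Z 10.0.4.17 IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. NOERROR
2017-05-12T15:22:13Z 10.0.7.3 www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. REFUSED
2017-05-12T15:23:00Z 10.0.9.8 notiuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. NOERROR
malformed line
"""


def is_kill_switch(qname):
    """True for the kill-switch domain or a subdomain of it (assumption)."""
    name = qname.rstrip(".").lower()
    return name == KILL_SWITCH or name.endswith("." + KILL_SWITCH)


def triage(log_text):
    """Map each client that queried the kill switch to a triage state.

    Only the most recent lookup per client counts: a host that first got
    NXDOMAIN and later got an answer is treated as dormant.
    """
    last = {}  # client -> (timestamp, rcode) of its latest lookup
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the run
        ts, client, qname, rcode = parts
        if not is_kill_switch(qname):
            continue
        # ISO 8601 UTC timestamps in one format sort correctly as strings.
        if client not in last or ts >= last[client][0]:
            last[client] = (ts, rcode.upper())

    report = {}
    for client, (_, rcode) in last.items():
        if rcode == "NOERROR":
            report[client] = "suspect-dormant"
        else:
            # Resolver blocked or failed the lookup: the worm never sees
            # the server answer, so this host needs attention first.
            report[client] = "suspect-kill-switch-unreachable"
    return report


if __name__ == "__main__":
    for client, state in sorted(triage(SAMPLE_LOG).items()):
        print(client, state)
```

Every client in the report has looked up the domain and should be
investigated; the "unreachable" group is the one where a DNS block or
filter is keeping the kill switch from working.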

Then it got weirder. The press uncovered the identity of the anonymous
researcher behind Malwaretech: a British hacker named Marcus Hutchins
(many people sent me this thanks to Little Brother, whose hero is also
called Marcus - "A hacker named Marcus saved the world!").

Hutchins's other astounding feats of reverse engineering in service of
hunting down and neutralizing other worms also gained publicity, and
then he booked in to give a talk at that summer's Defcon, and that talk
was hailed as a triumph by attendees.

And then Hutchins was arrested by the FBI and accused of having written
Kronos, a notorious banking trojan linked to ex-Soviet crime gangs. The
community rallied around him: a person of color, a foreigner, a hero,
trapped in America's meat-grinder of a justice system.

They raised money, found him lawyers. Tarah Wheeler cashed in her
severance pay from Symantec and used it to bail him out (racing barefoot
down Vegas streets to make it to the notary on time!) and she and
Deviant Ollam helped get him set up with a place to stay.

He got pro bono counsel from cyberlawyers like Marcia Hoffman - a former
EFF colleague of mine - and Brian Klein and settled in for a long legal
battle. At first, he denied having anything to do with Kronos and
criminal malware.

Some of his teen activities - stuff hackers of the heroic era would call
"youthful hijinx" - came to light. But then more and more evidence of
Hutchins' involvement with Kronos emerged, and then he entered a guilty
plea and posted a statement taking "full responsibility."

And then, even more miraculously, his sentencing judge gave him time
served and let him walk away, a free man.

It was an incredible ride for those of us following it from the outside.

But the actual story of Marcus Hutchins is, if anything, even more
incredible. For the cover of the current Wired, Andy Greenberg turns in
a 14,000-word profile of Hutchins that tells the true, incredible tale
of his life, his crimes, his adventures, and his vindication.


Some details are straight out of the hacker canon, a kind of platonic
Wargames ideal: brilliant kid, parents bought him a PC to stop him from
disassembling theirs (but he had to build it out of parts), fought with
school administrators, accused of hacking school system.

Then there's Hutchins' path into petty crimes, driven in part by
intellectual curiosity and in part by necessity (just like Woz and Jobs
paying bills by selling Blue Boxes door to door in their dorm). And
then, the Sneakers turn: getting sucked into some serious crime.

Working for a guy called "Vinny" who cajoled and coerced Hutchins into
making Kronos. Hutchins balks several times, gets sucked back in, ends
up self-medicating with speed to deal with the depression and anxiety
he's suffering.

This sets up a toxic dynamic where his drug-impaired judgment gets him
embroiled in more trouble, and the trouble heightens his anxiety, which
drives him to self-medicate further. But then, at last, he breaks free
and starts writing anonymous malware analysis.

His astounding technical feats start landing him industry jobs and he
has a very belated realization that not only doesn't (cyber)crime pay,
but going legit pays *really* well. His life turns around, he saves the
world - and gets busted by the FBI.

The coda is, if anything, the best part: when the judge who sentences
him recognizes all of this, bringing a rare moment of nuance and
compassion to the meatgrinder of the US justice system, and lets him
walk away. It's the kind of happy ending you rarely get.

It's a complicated story of someone who did some terrible and foolish
things and some brilliant and brave things, and who paid a price but was
not destroyed, and of the community that rallied around him. It's a
brilliantly told story of a brilliant security researcher.


🥩 Red states prep for postal vote

After the Wisconsin GOP murdered voters by forcing them to vote in
person, rather than by mail (citing a nonexistent, evidence-free plague
of postal voter fraud), mail-in voting was shaping up to be a 2020
Election Culture War flashpoint.


Trump's pronouncement that mail-in voting would cost Republicans the
election by allowing more voter participation fanned the flames:


So you got absurdities like the AG of Texas threatening to imprison
anyone who opined that voting by mail was safer than voting in person,
during a once-in-a-century pandemic (proving, once again, that reality
has a very unfair anti-Republican bias).


And, in the background, a mad scramble among states to prepare for
postal ballots this November:


But despite this, states, Red and Blue, are actually making serious
progress on expanding the postal ballot this November. Even as GOP
officials in Kentucky were being blasted with FUD from far-right
astroturfers like the Public Interest Legal Foundation, they pressed on.

True the Vote, the Heritage Foundation and PILF are all finding
themselves sidelined as state officials side with reality over
partisanship and expand their postal votes.


There'll be vastly expanded postal voting in Alabama, Georgia, Idaho,
Kentucky, Nebraska, Ohio, South Dakota and W Virginia.

The reason's simple: voters, R & D, don't want in-person voting during a
pandemic. 70% of Georgia voters (for example) want mail-in voting.

If you're cheering this because it'll help Dems, don't get too excited.
Trump is (unsurprisingly) wrong when he says vote by mail guarantees
"you’d never have a Republican elected in this country again" because
not only is there no evidence of widespread postal fraud...

...There's also no evidence that this helps Dems. Indeed, postal voting
is very important to older voters who are disproportionately Republicans
and also at the highest risk of severe illness and death from coronavirus.

For reasons that can only be described as paranoid (or, more charitably,
opportunistic), the GOP seized on postal voting as a bogeyman, likely
hurting their own chances at the ballot box. And now they're squabbling
with one another, mired in cognitive dissonance.

Some red states are determined to murder voters by denying them the
postal ballot, like Missouri, where Gov Mike Parson called it
inappropriate. People who vote there will risk death and serious
illness. Parson is a Republican (the "party of life").

Meanwhile, the Heritage Foundation's master database of all known postal
voter frauds found 143 cases, total, over 20 years. That's 7-8 ballots
per year, 0.00006% of votes cast.



🥩 Corporate Dems want to bail out lobbyists and dark money orgs

Congressional Dems have tabled their version of the third bailout, and
as feared, it contains a bailout for lobbyists.

Congress wants to give money to people whose job is literally to bribe


But as David Sirota points out, corporate Dems found a way to discredit
the bailout even more: in addition to earmarking money for corporate
lobbyists working at 501(c)6 orgs, they're also gonna give millions to
501(c)4 "dark money" orgs.


These are the preferred vehicle for anonymously funneling unlimited
money from plutes and mega-corporations into influence campaigns that
are allowed to lie to the American people to influence the outcomes of
elections and regulatory proceedings.

They're getting a bailout.

Some of the eligible orgs: America’s Health Insurance Plans, Partnership
for America’s Health Care Future (dark money anti-Medicare for All),
PhRMA,  Institute for Legal Reform (lobbies for no liability for
employers whose workers die of coronavirus due to inadequate PPE), Stand
Together (the Koch network) and the American Chemistry Council (fossil
fuel, big chem lobbyists).

What's more, many of the companies that fund these orgs are already
getting a bailout, so they get to double-dip their snouts in the
public trough.

* Private equity lobbied to allow it to snaffle up the lion's share of
small business PPP relief; its lobbying front, the American Investment
Council, can get PPP relief as well under this proposal.

* Banks are getting billions to administer PPP. This proposal makes the
American Bankers Association eligible for PPP as well.

* Airlines got a $50B bailout. Airlines For America can get a PPP bailout.

* For-profit colleges lobbied to get to keep tuition money from students
who drop out due to financial hardship. Their lobbying group, Career
Education Colleges and Universities, can get a PPP bailout.

* Boeing's getting billions in bailout money. Its lobbyist, The General
Aviation Manufacturers Association, can get PPP.

Sirota: "Allowing corporate lobbying organizations and dark money groups
to grab this money is akin to feudal lords gorging themselves at a
lavish banquet, and then raiding the last basket of bread that starving
peasants are relying on to survive outside the palace walls."


🥩 Feds want national snitchlines for bosses whose workers don't want to die

Ohio's snitchline for bosses whose workers refuse to go back to unsafe
conditions was a flashpoint, as workers were given the choice to risk
their lives or risk homelessness. No wonder the form was flooded with
junk responses by angry people.


Ohio had the first snitchline, but not the last. Iowa and Texas soon
followed suit.

Iowa Workforce Development Director Beth Townsend: "fear of catching the
virus would be considered a voluntary resignation, which disqualifies
workers from receiving unemployment benefits."


Now, it's going national. Trump's Department of Labor "strongly
encourages [states to] request employers to provide information when
workers refuse to return to their jobs for reasons that do not support
their continued eligibility for benefits.”


"States must work to maintain program integrity by ensuring that
claimants are not continuing to claim benefits when they have been
offered suitable work."

As Clio Chang writes in Vice, it's the logical terminus of decades of US
policy that has focused on fighting fraud to the exclusion of helping
people in need.


🥩 Restaurants, hotels and bars cut the cord

The cable industry has been in denial about "cord-cutting" for years,
insisting that if it just does enough mergers (like AT&T/Time
Warner/Dish) it will somehow staunch the bleeding.

It failed, hence the resignation of AT&T CEO Randall Stephenson.


And it's just gonna get worse. Hotels, bars and restaurants - the last
stronghold of cable subscriptions - are bailing like crazy, not least
because they're being required to pay for sports channels that don't
have any sports.



🥩 NSO Group tried to sell malware to US law enforcement

NSO Group is a notorious, corrupt cyber arms dealer whose customers are
the worst, most brutal oppressive states in the world, like the Kingdom
of Saudi Arabia, whose kidnapping and dismemberment operation against
the journalist Jamal Khashoggi relied on NSO's Pegasus tool.

Now, Vice has found public records that reveal that NSO's US division,
Westbridge Technologies, solicited contracts from US police departments
to use that same Pegasus malware tool, marketed as Phantom in the USA.


Their pitch boasted that Phantom "can overcome encryption, SSL,
proprietary protocols and any hurdle introduced by the complex
communications world."


NSO is currently being sued by Facebook for helping governments hack
hundreds of Whatsapp users; it was recently revealed that at least one
of its technicians abused its tools to stalk a woman he was romantically
interested in.

The company's brochure boasts that NSO's tool can "siphon a target's
emails, text messages, and contact list, as well track their location,
turn on the device's microphone and take photos with its camera,
according to the brochure."

Some of the best analysis of NSO has been performed by Citizen Lab,
whose John Scott-Railton told Joseph Cox at Motherboard, "The local laws
and oversight mechanisms are not there. Abuse wouldn’t be a risk, it
would be certainty."


🥩 Senate Dems want to ban internet disconnection

Congressional Dems have buried some pretty terrible stuff in the latest
stimulus bill, like bailouts for lobbyists and dark money orgs:


But there are some bright spots from Senate Dems: Bernie Sanders, Ron
Wyden and Jeff Merkley have tabled a bill that prohibits the telcoms
sector from disconnecting customers during the crisis, closing a
loophole in earlier rules that carriers had been exploiting.

For their part, House Dems put $4b in the bailout for an "emergency
broadband connectivity fund" that includes $50/month broadband subsidies
for low-income households ($75/month for tribal households) and $1.5b
for hotspots in schools and libraries.



🥩 This day in history

#15yrsago Broadcast Flag back from the dead

#10yrsago Gold-dispensing ATM

#5yrsago David Cameron announces a new age of intolerance

#1yrago Amazon's monopsony power: the other antitrust white meat

#1yrago Supreme Court greenlights Apple customers' lawsuit over App
Store price-fixing

#1yrago Vancouver's housing bubble was driven by billions in laundered
criminal proceeds


🥩 Colophon

Today's top sources: Vince Pugliese, Andrew Thaler
(https://twitter.com/DrAndrewThaler), Slashdot, Naked Capitalism
(https://nakedcapitalism.com/).

Currently writing: My next novel, "The Lost Cause," a post-GND novel
about truth and reconciliation. Yesterday's progress: 582 words (14795

Currently reading: Facebook: The Inside Story, by Steven Levy.

Latest podcast: Rules for Writers

Upcoming books: "Poesy the Monster Slayer" (Jul 2020), a picture book
about monsters, bedtime, gender, and kicking ass. Pre-order here:

"Attack Surface": The third Little Brother book, Oct 20, 2020.

"Little Brother/Homeland": A reissue omnibus edition with a new
introduction by Edward Snowden: https://us.macmillan.com/books/9781250774583

This work licensed under a Creative Commons Attribution 4.0 license.
That means you can use it any way you like, including commercially,
provided that you attribute it to me, Cory Doctorow, and include a link
to pluralistic.net.


Quotations and images are not included in this license; they are
included either under a limitation or exception to copyright, or on the
basis of a separate license. Please exercise caution.



*When life gives you SARS, you make sarsaparilla* -Joey "Accordion Guy"
