[Plura-list] The joys of tailoring; Ransomware for coffee makers; My Reddit Privacy AMA

Cory Doctorow doctorow at craphound.com
Sun Sep 27 12:03:55 EDT 2020


_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

With less than two weeks remaining in the Kickstarter for the
audio/ebook of ATTACK SURFACE (Little Brother III), there's just two
short story commissions remaining (as well as an unlimited ebooks and
audiobooks!).

https://www.kickstarter.com/projects/doctorow/attack-surface-audiobook-for-the-third-little-brother-book/

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_


Today's links

* The joys of tailoring: Thrifting and tailoring are a match made in heaven.

* Ransomware for coffee makers: Predicting the present.

* My Reddit Privacy AMA: Oct 2-3.

* This day in history: 2010, 2015, 2019

* Colophon: Recent publications, upcoming appearances, current writing
projects, current reading

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🕶 The joys of tailoring

In last weekend's New York Times, Rachel Connolly proposed a seriously
great remedy for fast fashion: thrifting and a tailor.

https://www.nytimes.com/2020/09/22/magazine/tailor-clothes-thrifting.html

Connolly starts by reminiscing about her adolescence in Belfast after
The Troubles, when the lingering spectre of political violence and
economic deprivation meant that there were few options for a young girl
who wanted to find her look.

She found her answer in second-hand stores, where everything from
trousers to formal dresses could be had for as little as £20, so long as
you didn't mind problems with the fit - problems that could be remedied
for £15 at the local tailor.

This is a secret superweapon for people who want to dress well on a
budget: your local thrift is full of amazing clothes, new and vintage,
that you can buy for less than the price of a fancy smoothie, and then
have altered to fit.

Connolly describes how using a local tailor means that she can choose a
look she likes and then adapt clothes to fit that look, rather than the
other way around: "Trousers many sizes too big, taken in but left with
wide legs or turned into shorts."

The benefits of this are hard to overstate: first, it diverts clothing
from the waste stream, which is a titanic environmental crisis within
the larger environmental crisis we're all living through.

It funds the charity that runs your thrift shop, and spends money
locally with a skilled tailor whom you can pay a fair price to while
*still* saving money relative to fast-fashion brands.

The money you spend stays in your community, and it goes to merchants
who pay decent wages and also meet their tax obligations, supporting
your schools, roads and libraries.

And you get to look *amazing*: like you, rather than like the closest
approximation of you that you can approach by buying off-the-peg from a
global fashion brand that's probably owned by a toxic private equity fund.

What's more, once you find a tailor you love, you can get them to copy
your most treasured garments as they wear out: I have two jackets that I
wore until they were in tatters because they fit me so well and looked
so great, and I had a tailor copy both.

The copies cost less than the originals, and now that the tailor has the
pattern, I can get new ones made for even cheaper (since the
patternmaking was a big part of the expense), in any material I choose,
while still paying a fair price to the tailor.

Like Connolly, I always find a good tailor when I move to a new
neighborhood. In my case, it's the owner of my local dry-cleaner, who
does beautiful work and who also does repairs for me when I tear
something I love.

Some of the best clothes I ever bought came from the late, lamented
Junky Styling in the Truman Brewery in London's Brick Lane - they were
masters of repurposing thrifted and end-of-line clothes, making gorgeous
new pieces out of them.

Junky's founders published a superb book on their methodology and design
philosophy, explaining how to turn thrifted clothes into remarkable,
one-of-a-kind pieces:

https://memex.craphound.com/2009/10/09/junky-styling-a-manual-for-thrift-shop-clothes-remixers/

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🕶 Ransomware for coffee makers

My 2019 book RADICALIZED opened with a novella called Unauthorized
Bread, a tale of self-determination versus technical oppression that
starts with a Libyan refugee hacking her stupid smart-toaster, which
locks her into buying proprietary bread.

https://arstechnica.com/gaming/2020/01/unauthorized-bread-a-near-future-tale-of-refugees-and-sinister-iot-appliances/

I wrote that story after watching the inexorable colonization of every
kind of device - from implanted defibrillators to tractors - with
computerized controllers that served a variety of purposes, many of them
nakedly dystopian.

The existence of laws like Section 1201 of the DMCA really invites
companies to make "smart" versions of their devices for the sole purpose
of adding DRM to them, because DMCA 1201 makes it a felony to unlock
DRM, even for perfectly legal purposes.

That's how John Deere uses DRM: to force farmers to use (and pay for)
authorized repair personnel when their tractors break down; it's how
Abbott Labs uses DRM, to force people with diabetes not to use
third-party insulin pumps with their glucose monitors.

It's the inkjet business-model, but for everything from artificial
pancreases to coffee-makers. And because DMCA 1201 is so badly* drafted,
it also puts security researchers at risk.

*Assuming you're willing to believe this isn't what the law was supposed
to do all along

Adding networked computers to everyday gadgets is a risky business: as
with any human endeavor, software is prone to error. And as with any
technical pursuit, the only way to reliably root out errors is through
adversarial peer review.

That is, to have people who want you to fail go through your stuff
looking for stupid mistakes they can mock you over.

It's not enough for you to go over your own work for errors. Anyone
who's ever stared right at their own typo and not seen it knows this
doesn't work.

Nor is it sufficient for your friends to look over your work - not only
will they go easy on you, but sometimes your errors come from a shared
set of faulty assumptions.

They CAN'T spot these errors: this is why no argument among Qanoners
ever points out the most important fact, which is that the whole fucking
thing is batshit.

The default for products is that *anyone* is allowed to point out their
defects. If you buy a pencil and the tip breaks all the time and you do
some analysis and discover that the manufacturer sucks at graphite, you
can publish that analysis.

But DMCA 1201 prohibits this kind of disclosure if it means that you
reveal flaws that might be used to disable the DRM. Security researchers
get threatened by "smart device" companies all the time.

Just the spectre of the threat is enough to convince a lot of
organizations' lawyers to advise researchers not to go public with this
information.

That means that a defect that could crash your car (or your implanted
pacemaker) only gets disclosed if the company that made it authorizes
the disclosure.

This is seriously bad policy.

Companies add "smarts" to get DRM, because DRM lets them control how
their customers use their products, and lets them shut down competitors
who try to give control back to customers, and also silence critics who
reveal the defects in their products.

DRM can be combined with terms of service, patents, trade secrets,
binding arbitration, and other forms of "IP" to deliver near-perfect
corporate control over competitors, customers and critics.

https://locusmag.com/2020/09/cory-doctorow-ip/

But it's worse than that, because software designed to exercise this
kind of control is necessarily designed for maximum opacity: to hide
what it does, how it does it, and how to turn it off.

This obfuscation means that when your device is compromised, malicious
code can take advantage of the obscure-by-design nature of the device to
run undetectably as it attacks you, your data, and your physical
environment.

Malicious code can also leverage DRM's natural tamper-resistance to make
it hard to remove malware once it has been detected. Once a device
designed to control its owners has been compromised, the attacker gets
to control the owner, too.

Which brings me to "Smarter," a "smart" $250 coffee maker that is
remarkably insecure, allowing anyone on the same wifi network as the
device to replace its firmware, as Martin Hron demonstrates in a recent
proof-of-concept attack.

https://decoded.avast.io/martinhron/the-fresh-smell-of-ransomed-coffee/

Hron's attack hijacks the machine, causing it to "turn on the burner,
dispense water, spin the bean grinder, and display a ransom message, all
while beeping repeatedly."

https://arstechnica.com/information-technology/2020/09/how-a-hacker-turned-a-250-coffee-maker-into-ransom-machine/

As Dan Goodin points out,  Hron did all this in just one week, and quite
likely could find more ways to attack the device. The defects Hron
identified - like the failure to use encryption in the device's
communications or firmware updates - are glaring, idiotic errors.

As is the decision to allow for unsigned firmware updates without any
user intervention. This kind of design idiocy has been repeatedly
identified in *many* kinds of devices.

Back in 2011, I watched Ang Cui silently update the OS of an HP printer
by sending it a gimmicked PDF (HP's printers received new firmware via
print-jobs, ingesting everything after a Postscript comment that said,
"New firmware starts here").

https://www.youtube.com/watch?v=njVv7J2azY822/21/20/

A decade later, there is no excuse for this kind of mistake. The fact
that IoT vendors are making it tells you that the opacity and the power
to punish critics is not a power that companies wield wisely - and that
you shouldn't trust any IoT gadgets.

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🕶 My Reddit Privacy AMA

Next weekend - Oct 2/3 - I'm doing a long, thoughtful Ask Me Anything
session with Reddit's /r/privacy, as part of a pair of AMA's celebrating
the subreddit's millionth (!) subscriber.

https://www.reddit.com/r/privacy/comments/j0rhef/a_stunning_milestone_and_two_remarkable_rprivacy/

My AMA will be followed by a weekend-long (Oct 9/10) session with Micah
Lee, my former EFF colleague who is now at The Intercept (where he
helped report the Snowden leaks, after aiding Snowden in getting them to
journalists) and The Freedom of The Press Foundation.

I'll be talking about several new projects:

* HOW TO DESTROY SURVEILLANCE CAPITALISM, my short book for Onezero:

https://onezero.medium.com/how-to-destroy-surveillance-capitalism-8135e6744d59

* ATTACK SURFACE, the third Little Brother novel, which comes out in the
UK on Oct 1

https://headofzeus.com/books/9781838939960

(it comes out in the US/Canada on Oct 13)

https://read.macmillan.com/torforge/cory-doctorow-virtual-lecture-series/

* And of course, I'll be talking about my attempt to circumvent Amazon's
audiobook hegemony through my ongoing Kickstarter campaign:

https://www.kickstarter.com/projects/doctorow/attack-surface-audiobook-for-the-third-little-brother-book/

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🕶 This day in history

#10yrsago Lockheed Martin sign prohibits sketching and “gathering
information” https://www.flickr.com/photos/jef/5028187145/

#5yrsago Black burners on race and Burning Man
https://www.theguardian.com/culture/2015/sep/27/black-campers-burning-man-explain-why

#5yrsago Hilo: The Boy Who Crashed to Earth, a fantastic middle-grade
adventure comic
https://memex.craphound.com/2015/09/26/hilo-the-boy-who-crashed-to-earth-a-fantastic-middle-grade-adventure-comic/

#5yrsago Tomorrow’s Catalan elections are a referendum on independence
https://www.theguardian.com/world/2015/sep/25/catalonia-votes-democracy-election-independence-spain

#5yrsago Dustin Yellin’s stupendous, life-sized glass-pane humanoids
made from NatGeo clippings
https://memex.craphound.com/2015/09/26/dustin-yellins-stupendous-life-sized-glass-pane-humanoids-made-from-natgeo-clippings/

#1yrago The DoJ’s corporate “diversion” program is supposed to change
bad corporate culture, but really, it enables repeat offenders
https://www.citizen.org/article/soft-on-corporate-crime-deferred-and-non-prosecution-repeat-offender-report/

#1yrago Bruce Sterling on Boris Johnson’s bizarre, cyberpunk dystopia
address to the UN
https://www.wired.com/beyond-the-beyond/2019/09/visionary-high-points-recent-boris-johnson-speech-united-nations/

#1yrago Report from Defcon’s Voting Village reveals ongoing dismal state
of US electronic voting machines
https://media.defcon.org/DEF%20CON%2027/voting-village-report-defcon27.pdf

#1yrago Doordash’s breach is different
https://memex.craphound.com/2019/09/27/doordashs-breach-is-different/

#1yrago Across America, the average worker can’t afford the median home
https://www.marketwatch.com/story/there-are-precious-few-places-in-america-where-the-average-worker-can-afford-a-median-priced-home-2019-09-26

#1yrago Annalee Newitz’s “Future of Another Timeline”: like Handmaid’s
Tale meets Hitchhiker’s Guide
https://www.latimes.com/entertainment-arts/books/story/2019-09-27/future-of-another-timeline-annalee-newitz

#1yrago Sleuths discover the source of $28m in dark money lobbying in
favor of emergency room “surprise bills”: private equity firms that own
doctors’ practices
https://hcrenewal.blogspot.com/2019/09/who-advocates-for-surprise-medical.html

#1yrago Wework, Uber, Lyft, Netflix, Bird, Amazon: late-stage capitalism
is all about money-losing predatory pricing aimed at creating monopolies
https://www.businessinsider.com/wework-is-a-prime-example-of-counterfeit-capitalism-2019-9

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🕶 Colophon

Today's top sources: Naked Capitalism (https://www.nakedcapitalism.com/).

Currently writing: My next novel, "The Lost Cause," a post-GND novel
about truth and reconciliation. Friday's progress: 504 words (65940 total).

Currently writing: My next novel, "The Lost Cause," a post-GND novel
about truth and reconciliation. Friday's progress: 670 words (63295 total).

Currently reading: Gideon the Ninth, Tamsyn Muir

Latest podcast: IP https://craphound.com/podcast/2020/09/14/ip/

Upcoming appearances:

* Writing into an Uncertain Future, Afterwords Festival, Oct 1,
https://www.eventbrite.ca/e/writing-into-an-uncertain-future-tickets-115378329690

* 3 Big Ideas To Fix the Internet, Oct 7,
https://www.nycmedialab.org/upcoming-events/summit2020

* The Attack Surface Lectures: 8 nights of bookstore-hosted events in
which I and a massive group of entertaining and knowledgeable experts
discourse on my latest novel's themes, Oct 13-22
https://read.macmillan.com/torforge/cory-doctorow-virtual-lecture-series/

Recent appearances:

* If Big Tech Is Toxic, How Do We Build Something Better? (panel)
https://blog.archive.org/2020/09/24/dweb-panel-if-big-tech-is-toxic-how-do-we-build-something-better/

* On ‘Attack Surface’ and WiFi Fridges (What a Hell of a Way to Die
Podcast):
https://soundcloud.com/hellofawaytodie/on-attack-surface-and-wifi-fridges-feat-cory-doctorow

* Little Brother vs. Big Audiobook (Techdirt podcast):
https://www.techdirt.com/articles/20200922/12403045358/techdirt-podcast-episode-256-little-brother-vs-big-audiobook-with-cory-doctorow.shtml

Latest book:

* "How to Destroy Surveillance Capitalism": an anti-monopoly pamphlet
analyzing the true harms of surveillance capitalism and proposing a
solution.
https://onezero.medium.com/how-to-destroy-surveillance-capitalism-8135e6744d59

* "Little Brother/Homeland": A reissue omnibus edition with a new
introduction by Edward Snowden:
https://us.macmillan.com/books/9781250774583; personalized/signed copies
here:
https://www.darkdel.com/store/p1750/July%3A__Little_Brother_%26_Homeland.html

* "Poesy the Monster Slayer" a picture book about monsters, bedtime,
gender, and kicking ass. Order here:
https://us.macmillan.com/books/9781626723627. Get a personalized, signed
copy here:
https://www.darkdel.com/store/p1562/_Poesy_the_Monster_Slayer.html.

Upcoming books:

* "Attack Surface": The third Little Brother book, Oct 20, 2020.
https://us.macmillan.com/books/9781250757531

This work licensed under a Creative Commons Attribution 4.0 license.
That means you can use it any way you like, including commercially,
provided that you attribute it to me, Cory Doctorow, and include a link
to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are
included either under a limitation or exception to copyright, or on the
basis of a separate license. Please exercise caution.

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🕶 How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/web/accounts/303320

Twitter (mass-scale, unrestricted, third-party surveillance and
advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

*When life gives you SARS, you make sarsaparilla* -Joey "Accordion Guy"
DeVilla

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://mail.flarn.com/pipermail/plura-list/attachments/20200927/3e13a7a9/attachment.sig>


More information about the Plura-list mailing list