[Plura-list] The awesome destructive power of a billionaire; Banks made bank on covid overdraft charges; Moxie hacks Cellebrite; Fighting FLoC is compatible with fighting monopoly; EFF sues Proctorio over copyfraud
Cory Doctorow
doctorow at craphound.com
Thu Apr 22 12:26:16 EDT 2021
Today's links
* The awesome destructive power of a billionaire: Ihor Kolomoisky
destroyed lives in the midwest, Ukraine, and elsewhere.
* Banks made bank on covid overdraft charges: Charging the poorest people
in America a 3,500% APR.
* Moxie hacks Cellebrite: Aesthetically pleasing files versus strict
input-checking.
* Fighting FLoC is compatible with fighting monopoly: Not all
competition is good competition.
* EFF sues Proctorio over copyfraud: The sleaze never stops.
* This day in history: 2006, 2020
* Colophon: Recent publications, upcoming/recent appearances, current
writing projects, current reading
_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_
😀 The awesome destructive power of a billionaire
"Every billionaire is a policy failure": it's a controversial aphorism,
but there's an undeniable truth to it.
There's no justifiable rationale for a person to be worth billions: is
Jeff Bezos's social value really 14,285,714 times that of his median
factory worker?
But moreover, billions of dollars are a force multiplier that magnifies
the power of the individual without accountability or check. Everybody
makes mistakes and there are crooks everywhere in the social fabric, but
billionaire crooks are far more harmful than street muggers.
Woody Guthrie wrote, "Some will rob you with a six-gun, and some with a
fountain pen," but as great as that line is, it fails to capture just
how much harm the fountain-pen bandits can do - the chaos, death and
misery their schemes create.
Think of Ihor Kolomoisky, the Ukrainian oligarch whom his own government
has accused of stealing $5.5B from a bank he ran. I first encountered
Kolomoisky in the Fincen Leaks, a collection of official warnings that
the US Treasury Department chose to ignore.
https://pluralistic.net/2020/09/21/too-big-to-jail/#fincen
Kolomoisky laundered $240m through Deutsche Bank, who started helping
him launder that money *less than one month* after issuing a triumphant
press-release announcing that it had cleaned house after its last
oligarch money-laundering scandal.
But Deutsche Bank's contribution was a relative trifle. As Michael
Sallah and colleagues document in Dirty Dollars, a stunning feature in
Pittsburgh Post Gazette, Kolomoisky shuffled billions through the US,
destroying factories and laying waste to whole towns.
https://newsinteractive.post-gazette.com/ukraine-money-laundering/
Kolomoisky and his confederate Gennadiy Bogolyubov used compromised bank
employees in Ukraine to steal billions by issuing phony loans to shell
companies in Cyprus (an EU state and notorious financial secrecy haven)
and various Caribbean "treasure islands."
That money came onshore with the help of US enablers like Florida
"businessman" Mordechai "Motti" Korf (represented by Trump's personal
lawyer Marc Kasowitz). Once in the US, it was used to snap up
real-estate and factories across the midwest.
These assets included "13 steel factories, five office towers, a hotel,
two office parks, and a shuttered Motorola plant with two heliports."
These structures included historically significant US buildings, as well
as strategic production facilities.
For example, at one point, Kolomoisky controlled the majority of the
US's silicomanganese production, a key ingredient in steelmaking. The
fact that he didn't abuse this to deliberately destroy the US's ability
to produce steel is somewhat incidental.
Because Kolomoisky destroyed plenty of US productive capacity for other
reasons - namely, because he bought giant companies like Warren Steel to
use them as money-laundering pass-throughs, running them without regard
to their workers or their products.
This resulted in a series of ghastly plant disasters in which workers
were killed, maimed, injured and traumatized. After the disasters came
waves of closures, which saw plants shuttered and communities shattered
by layoffs.
But the force-multiplier effect of Kolomoisky's stolen billions
continued to wreak havoc: the shutdown of these plants resulted in
environmental devastation, such as dumping waste water directly into
Ohio's Mahoning River.
Ohio was particularly brutalized by Kolomoisky's money-laundering: after
the 2016 shut-down of Warren Steel, the Ohio AG revealed that the
company had illegally dumped vast amounts of "baghouse dust," which
causes kidney and liver damage.
The FBI is investigating Kolomoisky's onshore crimes, and Ukrainian
authorities are targeting him at home (which could be explosive, as he
is closely tied to the lavishly corrupt Ukrainian president Volodymyr
Zelensky, a former TV comedy actor).
These investigations, as well as the work of the Post-Gazette team, as
well as the Fincen Leaks, all throw the meaning of "every billionaire is
a policy failure" into stark relief.
The men who rob you with a fountain pen destroy lives, towns, the
environment, national resiliency, even whole nations.
_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_
😀 Banks made bank on covid overdraft charges
As the big US banks tout their record-smashing financial results for the
pandemic lockdown era, it's easy to assume that all those profits came
as a result of Trump and McConnell's big-business bailout, but that's
only part of the story.
As Alex Sammon writes for The American Prospect, 12 of the 15 largest US
banks owe a substantial fraction of their pandemic profits to overdraft
fees - fees assessed against the poorest and most vulnerable bank customers.
https://prospect.org/economy/big-banks-charged-billions-in-overdraft-fees-during-pandemic/
How much money did the banks make on these fees? Jpmorganchase made
$1.5b in 2020, Bank of America made $1.1b, and Wells Fargo made $1.3b. The
most deadly months of the pandemic correspond to the highest overdraft
rakes, with the big three pulling in $300m in Q4-2020.
Who pays overdraft fees? The very, very poor. 78.3% of all overdraft
fees come from just 9.2% of bank customers. They pay an average of $35
to punish them for not having enough money. These amount to loans with a
3,500% APR.
As with so many American pathologies, the pandemic served as an
accelerant for a pre-existing condition: the share of bank profits
attributable to overdraft fees has climbed steadily since the Great
Financial Crisis, hitting $11b in 2019.
The banks have made empty noises telling customers that their overdraft
fees might be eligible for a refund if they were "pandemic related" but
these were just words - the reality is that the banks piled fees upon fees.
All of this happened while the banks made $25 billion in commissions for
handling the government's insured, risk-free PPP loans - and while the
Fed suspended uncollateralized intraday credit limits and waived the
banks' own overdraft fees.
Those billions in public subsidy were pumped into socially useless stock
buybacks, a practice that makes the very rich (especially bank
executives) much, much richer, while making the banks themselves more
fragile and liable to need more public money in the future.
It's time for the Biden administration and Congress to act. The CFPB has
authority to reverse Trump's policy of permitting unlimited fee-gouging
by banks, and the FDIC and Federal Reserve could both act as well.
Congress should revive Cory Booker and Carolyn Maloney's proposals to
rein in this usury.
As the pandemic recedes and we restructure the economy for the new
century, we mustn't forget how the banks got vast public support and
returned it by trampling their poorest customers.
_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_
😀 Moxie hacks Cellebrite
The "lawful interception" industry is a hive of scum and villainy: these
are powerful, wildly profitable companies who search out defects in
widely used software, then weaponize them and sell them to the world's
most brutal dictators and death squads.
Their names are curses: The NSO Group, Palantir, and, of course,
Cellebrite, who have pulled publicity stunts like offering $1m bounties
for exploitable Iphone defects that can be turned into cyberweapons.
Late last year, Cellebrite announced that they'd added "support" for
Signal to their top-selling cyberweapons, UFED and Physical Analyzer.
The announcement was deliberately misleading, claiming to have "cracked
the encryption" (they haven't and can't do this).
Now, Signal founder Moxie Marlinspike has turned the tables on
Cellebrite in a delicious act of security analysis, which he wrote up in
detail on Signal's corporate blog:
https://signal.org/blog/cellebrite-vulnerabilities/
As Marlinspike explains, the job of Cellebrite's tools is to ingest
untrusted input - the files from a seized mobile device - and parse
them. This is a very dangerous task: "This is the space in which
virtually all security vulnerabilities originate."
Incredibly, Cellebrite's programmers do no input validation, trusting
every file they receive and passing it from subroutine to subroutine.
What's more, those subroutines call on wildly out-of-date third-party
libraries with dozens - even hundreds - of known vulnerabilities.
For example, the version of ffmpeg that Cellebrite bundles in its
products was last patched in 2012; and more than *one hundred* security
updates have been released since then.
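To make Marlinspike's point concrete, here is an added example (not code from Signal's post or from Cellebrite): a toy length-prefixed record container parsed two ways. The format, the type codes and the sanity bounds are hypothetical, standing in for any file a forensic tool pulls off a seized, attacker-controlled phone. The trusting parser believes the length field, so a file that lies about one record's size makes the following record vanish from the output with no error; the checking parser refuses the file outright.

```python
"""Strict versus trusting parsing of a length-prefixed container.

Added example, not code from the Signal post or from Cellebrite. The record
format below is hypothetical; it stands in for any file a forensic tool
ingests from a seized, attacker-controlled device.

Layout, repeated until the buffer is exhausted:
    type   : 1 byte
    length : 4 bytes, big-endian, unsigned
    value  : `length` bytes
"""
from __future__ import annotations

import struct

KNOWN_TYPES = {0x01: "contact", 0x02: "message", 0x03: "attachment"}
MAX_VALUE_LEN = 16 * 1024 * 1024   # hypothetical per-record sanity bound
MAX_RECORDS = 10_000               # hypothetical per-file sanity bound


class MalformedInput(ValueError):
    """Raised by the strict parser; the file is refused, not repaired."""


def parse_naive(buf: bytes) -> list[tuple[str, bytes]]:
    """Trusts every field. Python slicing hides the out-of-bounds read this
    logic produces in C, but the attacker still decides where each record
    starts and ends, and therefore what the report says."""
    records = []
    off = 0
    while off < len(buf):
        rtype = buf[off]
        length = struct.unpack_from(">I", buf, off + 1)[0]
        value = buf[off + 5: off + 5 + length]   # silently short if length lies
        records.append((KNOWN_TYPES.get(rtype, "unknown"), value))
        off += 5 + length
    return records


def parse_strict(buf: bytes) -> list[tuple[str, bytes]]:
    """Checks every field against the bytes actually present before using it."""
    records = []
    off = 0
    while off < len(buf):
        remaining = len(buf) - off
        if remaining < 5:
            raise MalformedInput(f"truncated header at offset {off}")
        rtype = buf[off]
        if rtype not in KNOWN_TYPES:
            raise MalformedInput(f"unknown record type {rtype:#x} at offset {off}")
        length = struct.unpack_from(">I", buf, off + 1)[0]
        if length > MAX_VALUE_LEN:
            raise MalformedInput(f"record at offset {off} declares {length} bytes")
        if length > remaining - 5:
            raise MalformedInput(
                f"record at offset {off} declares {length} bytes, {remaining - 5} remain")
        records.append((KNOWN_TYPES[rtype], buf[off + 5: off + 5 + length]))
        if len(records) > MAX_RECORDS:
            raise MalformedInput("too many records")
        off += 5 + length
    return records


def record(rtype: int, value: bytes, declared_len: int | None = None) -> bytes:
    """Encode one record; `declared_len` lets a sample lie about its length."""
    n = len(value) if declared_len is None else declared_len
    return bytes([rtype]) + struct.pack(">I", n) + value


# Constructed samples, not data from any real device.
BENIGN = record(0x01, b"alice") + record(0x02, b"meet at noon")
# The attachment claims 0xFFFFFFFF bytes but carries 4; the trusting parser
# swallows the following message record into it, so the message disappears
# from the output and no error is raised.
HOSTILE = (record(0x01, b"alice")
           + record(0x03, b"jpeg", declared_len=0xFFFFFFFF)
           + record(0x02, b"meet at noon"))
```

In C the same trusting parser would read past the end of the buffer rather than silently truncating; that is the memory-corruption class that turns a seized phone's files into an exploit against the tool reading them. Bounds checks are necessary but not sufficient: a declared length that merely fits the remaining bytes would pass both parsers, so a forensic tool also has to treat whatever it parses as a claim to be corroborated, not a finding.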
Marlinspike's investigation turned up other sources of shame and
liability for Cellebrite, including pirated libraries from Apple's
Itunes software, which he documents in detail.
Marlinspike intimates that he turned up more vulnerabilities than he
enumerates in his analysis, but he is not making the kind of
"responsible disclosure" to Cellebrite that is common among "white hat"
security researchers.
Rather, he's made an offer to fully disclose his findings to Cellebrite
only if they make a binding promise to engage in the same kinds of
disclosures with the software they analyze - to pledge to help to patch
bugs, rather than weaponizing them.
And in a move of pure petard-hoisting, Marlinspike describes a
proof-of-concept attack on Cellebrite, a corrupted file that can execute
code on the Cellebrite device that will alter all future *and* past
reports, "with no detectable timestamp changes or checksum failures."
He says that these doctored files could corrupt Cellebrite data "at
random, and would seriously call the data integrity of Cellebrite’s
reports into question."
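The reason the doctored reports show "no checksum failures" is that the checksum is computed and re-checked on the very machine the file has just taken over. The added example below (not Signal's or Cellebrite's code; the report fields and the custodian-key workflow are hypothetical) shows a self-stored checksum surviving tampering, a file's modification time being put back after the file is rewritten, and the one thing that does catch the change: an integrity tag bound to a key the analysis workstation does not hold.

```python
"""Self-verified versus externally anchored report integrity.

Added example, not Signal's or Cellebrite's code. It shows why a checksum
that is stored beside the data and recomputed by the analysis workstation
proves nothing once code is running on that workstation, and why file
timestamps prove nothing either. The report fields and the "custodian key"
workflow are hypothetical.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import secrets
import tempfile

INTEGRITY_FIELDS = ("sha256", "hmac")


def canonical(report: dict) -> bytes:
    """Deterministic serialisation of everything except the integrity fields."""
    body = {k: v for k, v in report.items() if k not in INTEGRITY_FIELDS}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def make_report(case_id: str, records: list[dict]) -> dict:
    """What a tool typically writes: the data plus a checksum of the data."""
    report = {"case_id": case_id, "records": records}
    report["sha256"] = hashlib.sha256(canonical(report)).hexdigest()
    return report


def verify_local(report: dict) -> bool:
    """Recomputes the stored checksum. Passes for anything internally consistent."""
    return hmac.compare_digest(report["sha256"],
                               hashlib.sha256(canonical(report)).hexdigest())


def seal(report: dict, custodian_key: bytes) -> dict:
    """Bind the report to a key the workstation does not keep. In practice the
    evidence custodian computes this (or signs the hash) at acquisition time."""
    sealed = dict(report)
    sealed["hmac"] = hmac.new(custodian_key, canonical(report), hashlib.sha256).hexdigest()
    return sealed


def verify_sealed(report: dict, custodian_key: bytes) -> bool:
    """Only someone holding the custodian key can produce a matching tag."""
    expected = hmac.new(custodian_key, canonical(report), hashlib.sha256).hexdigest()
    return hmac.compare_digest(report.get("hmac", ""), expected)


def tamper(report: dict) -> dict:
    """What code executing on the analysis machine can do: change the records,
    then recompute the self-stored checksum so verify_local() still passes."""
    doctored = json.loads(json.dumps(report))          # deep copy
    doctored["records"].append({"type": "message", "text": "planted"})
    doctored["sha256"] = hashlib.sha256(canonical(doctored)).hexdigest()
    return doctored


def rewrite_preserving_mtime(path: str, data: bytes) -> None:
    """Overwrite a file and put its access/modification times back, so a
    directory listing or 'last modified' column shows nothing."""
    st = os.stat(path)
    with open(path, "wb") as fh:
        fh.write(data)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))


def demo() -> dict:
    key = secrets.token_bytes(32)   # generated by the custodian, never stored with reports
    report = seal(make_report("CASE-0001", [{"type": "contact", "name": "alice"}]), key)
    doctored = tamper(report)

    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.json")
        with open(path, "wb") as fh:
            fh.write(json.dumps(report).encode())
        before = os.stat(path).st_mtime_ns
        rewrite_preserving_mtime(path, json.dumps(doctored).encode())
        mtime_unchanged = os.stat(path).st_mtime_ns == before

    return {
        "local_check_on_original": verify_local(report),            # True
        "local_check_on_doctored": verify_local(doctored),          # True: attacker recomputed it
        "sealed_check_on_original": verify_sealed(report, key),     # True
        "sealed_check_on_doctored": verify_sealed(doctored, key),   # False
        "mtime_unchanged_after_rewrite": mtime_unchanged,           # True
    }
```

The design point is where the verifier's secret lives. A hash stored in the report, or a signature made with a key that sits on the same workstation, can be regenerated by whatever is running there, which is exactly the situation Marlinspike describes. Anchoring each report to a key or a witness the workstation never holds does not stop the tampering, but it makes the tampering visible, which is what "data integrity" means in an evidentiary setting.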
As proof of his proof-of-concept, Marlinspike includes a video (intercut
with scenes from the classic movie HACKERS) in which a Cellebrite device
slurps up files from an Iphone and then displays his victory message:
"MESS WITH THE BEST, DIE LIKE THE REST. HACK THE PLANET!"
Marlinspike closes out the report by announcing some "completely
unrelated news," that future versions of Signal will periodically pull
functionally useless, "aesthetically pleasing" files and store them,
inert, on users' devices.
The implication is that Marlinspike is now in possession of a vast trove
of zero-day exploits for Cellebrite products, and he is seeding those
exploits in the wild on hundreds of millions of devices, booby-trapping
them should they ever be plugged into a Cellebrite device.
The further implication is that any Cellebrite customer who encounters
one of these booby-traps in the wild will lose the ability to trust
*all* the data they *ever* retrieved with a Cellebrite product, and will
never be able to trust that product again.
Yum!
_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_
😀 Fighting FLoC is compatible with fighting monopoly
Google has announced a step to kill the third-party cookie, a source of
enormous and pernicious privacy violations. This would be great news,
except for the fact that Google is replacing it with FLoC, a way for
Google (and Google alone) to track you around the web.
Predictably, privacy advocates are pissed off about this and crying
foul, because Google's FLoC, while billed as a privacy-preserving
technology, is just another way to violate your privacy.
Likewise predictably, the ad-tech industry is in a fury about this,
claiming (correctly) that it is wildly anti-competitive.
Taken together, these two criticisms can make it seem like you can't be
both pro-competition and pro-privacy, but that's not true.
The digital rights activists who talk about "competition" aren't
interested in competition for its own sake - rather, we're concerned
with competition only to the extent that it gives technology users more
control over their lives, more technological self-determination.
We don't want competition to see which company can trick or coerce you
into surrendering your fundamental human rights, in the most grotesque
and humiliating ways at the least benefit to you.
https://www.eff.org/deeplinks/2021/04/fighting-floc-and-fighting-monopoly-are-fully-compatible
Because there are easy ways for Google to have blocked third-party
cookies *without* spying on us - they could have copied what Apple did
with Safari, shutting out surveillance without adding in new surveillance.
https://www.eff.org/deeplinks/2020/12/facebooks-laughable-campaign-against-apple-really-against-users-and-small
There's a good reason to worry about Google's competition in ad-tech,
just not the reason the ad-tech bottom-feeders who are up in arms about
FLoC give (which is that they want to spy on us, too).
The reason to care about whether Google faces competition in ad-tech is
that it runs these incredibly dirty, wildly profitable ad marketplaces,
which it uses to gouge publishers and advertisers, and spreads the loot
around to block privacy laws.
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3500919
As is always the case with these seeming contradictions, they arise from
looking at the situation from the *companies'* perspective, rather than
from the *public's* perspective.
How can you cheer Apple for doing good on privacy while condemning Apple
for gouging its app vendors like Hey? Easy - just think about the
problem from the perspective of a person, not a giant corporation:
https://www.eff.org/deeplinks/2020/06/apples-response-hey-showcases-whats-most-broken-about-apple-app-store
No one should ever make the mistake of thinking that a corporation is
"good" - even the corporation that does consistent good today is liable
to changes in ownership and management in the future that can
drastically alter its conduct.
By all means, cheer the things that companies do, when they benefit the
public - and condemn the things that do harm.
Always fight for the user, never for the system.
_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_
😀 EFF sues Proctorio over copyfraud
Faced with remote learning, educators had to figure out what to do about
high-stakes testing: a pedagogically bankrupt adversarial practice of
measuring students' educational outcomes by testing their performance in
a circumstance that they will never face in the real world.
It was an opportunity to rethink assessment and education. Instead, it
was reinvented with the help of disciplinary technology grifters from
the "remote invigilation" industry, who peddled spyware that claimed to
be able to fight cheating by taking over students' computers.
In a crowded field of awful companies, one stands out as the worst:
Proctorio, which uses digital phrenology to monitor students' faces
while they take tests, setting them up for punishment for looking away
while thinking, going to the bathroom, or throwing up from anxiety.
Their products are designed to be used by teachers to capture a 360°
view of the students' test-taking environment, which penalizes poor
students who share a room with others who may be asleep, undressed, or
just wanting their privacy.
And woe betide the student who lives in a broadband desert and has to
"attend school" from the parking lot of a local Taco Bell in order to
get wifi, and who will therefore always flunk the test even before they
start to write it.
Now, if you live in America and you have inadequate housing and
broadband, you're disproportionately likely to be Black or brown, and
Proctorio's there for you, ready to make a bad situation far worse.
Out of all the (terrible) facial recognition Proctorio could have used,
it chose one of the worst, a notoriously "racist" algorithm so bad at
parsing dark skin that children take their tests with ultra-bright lamps
shining directly in their eyes.
https://www.vice.com/en/article/g5gxg3/proctorio-is-using-racist-algorithms-to-detect-faces
Proctorio has seen its profits surge during the pandemic, but it doesn't
act like a company riding a triumphant wave - rather, it behaves like a
company that knows that its good fortune could disappear in an instant
if its practices and defects were widely known.
How else to explain its conduct? Last summer, Proctorio CEO Mike Olsen
personally entered a Reddit forum to dox a *child* who criticized his
software:
https://pluralistic.net/2020/07/01/bossware/#moral-exemplar
Not long after, the company filed a suite of meritless suits against Ian
Linkletter, a Canadian educator who linked to the company's publicly
accessible training videos as part of the debate about the use of the
technology at his university.
https://pluralistic.net/2020/10/17/proctorio-v-linkletter/#proctorio
In September, Proctorio attacked another student: Erik Johnson, a
security and privacy researcher enrolled at Miami University.
The company filed a bogus copyright claim to remove a thread Johnson
posted pointing out the contradictions between Proctorio's public
statements and its products' actual functionality.
It was a highly detailed, cogent thread and it contained small excerpts
of Proctorio source code to backstop the extremely damning critical
claims it made.
These snippets are clearly fair use, but the company used a copyright
claim in a bid to censor a(nother) critic.
https://techcrunch.com/2020/11/05/proctorio-dmca-copyright-critical-tweets/
As it turns out, this is illegal. The DMCA - for all its failings -
contains a clause, Section 512(f), that makes it unlawful to knowingly
misrepresent that material is infringing. The clause hasn't gotten much
of a workout since the law was passed in 1998, but one organization has
managed to make it stick, in a big way: EFF.
In 2018 EFF got justice for Stephanie Lenz, a mom whose video of her
adorable dancing toddler was illegally censored by Universal Music Group.
In other words, EFF not only has managed to wield this underutilized
part of the DMCA - they wielded it against a *titan*.
Now, EFF has announced that it's fighting for Erik Johnson, filing suit
in Arizona against Proctorio for engaging in copyright abuse to censor a
critic.
https://www.eff.org/press/releases/eff-sues-proctorio-behalf-student-it-falsely-accused-copyright-infringement-get
"We’re asking the court for a declaratory judgment that there is no
infringement to prevent further legal threats and takedown attempts
against Johnson for using code excerpts and screenshots to support his
comments." -EFF attorney Cara Gagliano
"Software companies don’t get to abuse copyright law to undermine their
critics. Using pieces of code to explain your research or support critical
commentary is no different from quoting a book in a book review."
_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_
😀 This day in history
#15yrsago RIAA sues family that doesn’t own a PC
http://knac.com/article.asp?ArticleID=4548
#1yrago Disney heiress slams top execs' compensation
https://pluralistic.net/2020/04/22/filternet/#castmembers
#1yrago Unmasking the registrants of the "reopen" websites
https://pluralistic.net/2020/04/22/filternet/#krebs
#1yrago Web-wide copyright filters would be a disaster
https://pluralistic.net/2020/04/22/filternet/#filternet
_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_
😀 Colophon
Today's top sources:
Currently writing:
* A Little Brother short story about pipeline protests. RESEARCH PHASE
* A short story about consumer data co-ops. PLANNING
* A Little Brother short story about remote invigilation. PLANNING
* A nonfiction book about excessive buyer-power in the arts, co-written
with Rebecca Giblin, "The Shakedown." FINAL EDITS
* A post-GND utopian novel, "The Lost Cause." FINISHED
* A cyberpunk noir thriller novel, "Red Team Blues." FINISHED
Currently reading: Analogia by George Dyson.
Latest podcast: Past Performance is Not Indicative of Future Results
https://craphound.com/news/2021/03/28/past-performance-is-not-indicative-of-future-results/
Upcoming appearances:
* Book launch for Bruce Sterling's Robot Artists & Black Swans (Book
People), Apr 27,
https://www.bookpeople.com/event/virtual-event-bruce-sterling-robot-artists-black-swans
* Seize the Means of Computation, Ryerson Centre for Free Expression,
May 19,
https://cfe.ryerson.ca/events/how-destroy-surveillance-capitalism-seize-means-computation
Recent appearances:
* The Right to Repair Movement, Monopolies, and Solarpunk
https://www.youtube.com/watch?v=mmosdDCrL-4
* The surveillance state, digital monopolies, and why we should be
worried (Podsongs)
https://anchor.fm/podsongs/episodes/Cory-Doctorow-on-the-Surveillance-State--digital-monopolies--and-why-we-should-be-worried-eso43k
* Conspiracy Theories (Utopian Horizons):
https://soundcloud.com/utopianhorizons/conspiracy-theory-w-cory-doctorow
Latest book:
* "Attack Surface": The third Little Brother novel, a standalone
technothriller for adults. The *Washington Post* called it "a political
cyberthriller, vigorous, bold and savvy about the limits of revolution
and resistance." Order signed, personalized copies from Dark Delicacies
https://www.darkdel.com/store/p1840/Available_Now%3A_Attack_Surface.html
* "How to Destroy Surveillance Capitalism": an anti-monopoly pamphlet
analyzing the true harms of surveillance capitalism and proposing a
solution.
https://onezero.medium.com/how-to-destroy-surveillance-capitalism-8135e6744d59
(print edition:
https://bookshop.org/books/how-to-destroy-surveillance-capitalism/9781736205907)
(signed copies:
https://www.darkdel.com/store/p2024/Available_Now%3A__How_to_Destroy_Surveillance_Capitalism.html)
* "Little Brother/Homeland": A reissue omnibus edition with a new
introduction by Edward Snowden:
https://us.macmillan.com/books/9781250774583; personalized/signed copies
here:
https://www.darkdel.com/store/p1750/July%3A__Little_Brother_%26_Homeland.html
* "Poesy the Monster Slayer" a picture book about monsters, bedtime,
gender, and kicking ass. Order here:
https://us.macmillan.com/books/9781626723627. Get a personalized, signed
copy here:
https://www.darkdel.com/store/p1562/_Poesy_the_Monster_Slayer.html.
Upcoming books:
* The Shakedown, with Rebecca Giblin, nonfiction/business/politics,
Beacon Press 2022
This work licensed under a Creative Commons Attribution 4.0 license.
That means you can use it any way you like, including commercially,
provided that you attribute it to me, Cory Doctorow, and include a link
to pluralistic.net.
https://creativecommons.org/licenses/by/4.0/
Quotations and images are not included in this license; they are
included either under a limitation or exception to copyright, or on the
basis of a separate license. Please exercise caution.
_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_
😀 How to get Pluralistic:
Blog (no ads, tracking, or data-collection):
Pluralistic.net
Newsletter (no ads, tracking, or data-collection):
https://pluralistic.net/plura-list
Mastodon (no ads, tracking, or data-collection):
https://mamot.fr/web/accounts/303320
Twitter (mass-scale, unrestricted, third-party surveillance and
advertising):
https://twitter.com/doctorow
Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):
https://mostlysignssomeportents.tumblr.com/tagged/pluralistic
"*When life gives you SARS, you make sarsaparilla*" -Joey "Accordion
Guy" DeVilla