[Plura-list] Laundering torturers' reputations with copyfraud; Foxconn's Wisconsin death-rattle; John Deere's dismal infosec

Cory Doctorow doctorow at craphound.com
Fri Apr 23 12:16:10 EDT 2021


Today's links

* Laundering torturers' reputations with copyfraud: Eliminalia, where
"we erase your past and help you build your future."

* Foxconn's Wisconsin death-rattle: Imagine losing your family home for
a GOP media op.

* John Deere's dismal infosec: Paternalistic security works well, fails
badly.

* This day in history: 2020

* Colophon: Recent publications, upcoming/recent appearances, current
writing projects, current reading

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🧑🏼‍🦳 Laundering torturers' reputations with copyfraud

The wildest forensic stories are the ones where you pull at a loose
thread and discover that you've got hold of the tip of a tentacle of
some kind of cthulhoid monster from the depths of hell. That's the story
of Eliminalia, global fraudsters for hire.

The story starts with Qurium, a secure hosting provider that focuses on
at-risk civil society groups, the kinds of people who piss off dictators
who have their own snatch-squads to use against their enemies.

Two of Qurium's clients are Maka Angola and The Elephant, who had done
extensive reporting on corruption in Angola related to Isabel dos Santos
("Africa's richest woman") and Vincent Miclet ("the Gatsby of Africa").

https://www.qurium.org/forensics/dark-ops-undercovered-episode-i-eliminalia/

These articles attracted a flood of fraudulent copyright notices
claiming the articles were infringing, as well as fraudulent GDPR
notices claiming they violated EU privacy law. The letters were signed
by fake lawyers, with whom Qurium struck up quite a correspondence.

Qurium also engaged in digital forensics. They found that the fraudsters
had created lookalike websites that purported to be news sites and had
plagiarized the real sites' articles, back-dating them so it looked
like the real sites had copied *them*.

This is an exotic, but not unheard-of, tactic for censoring the
internet, and it's the kind of thing that generally works well.

"Notice-and-takedown" laws like Section 512 of the US Digital Millennium
Copyright Act exempt web-hosts from copyright liability if they
"expeditiously remove" content upon notification.

Web-hosts *might* do a little sleuthing to make sure the notice passes
the giggle-test (checking to see if there's an earlier, identical
article, say) but they're unlikely to do any real forensic work before
removing content, and if there's any doubt, they'll take it down.

This back-dating scam was augmented by filing false registrations with
Safe Creative, a Spanish copyright registry, to give the fraudulent
representations a sturdiness that would survive secondary investigations.

Qurium is exceptional in its censorship-resistance specifically because
they host high-risk content for NGOs and civil society groups whom
ruthless, powerful people want to censor in order to protect their
reputations.

In fact, Qurium is doubly exceptional, because they didn't just ignore
the takedown demands - they also dug through the headers of the emails
and found themselves tugging at a thread that turned out to be a
tentacle of a horrific monster.

Specifically, they found themselves unraveling the "Eliminalia" network,
a grid of 300+ fake newspaper sites that exist entirely as part of a
commercial reputation-laundering service that purges the web of damning
evidence of terrible crimes.

Exploring this collection of fake sites, Qurium was able to group
Eliminalia's clients into six thematic areas:

I. People who committed business and financial fraud, including surgeons
who maimed their patients and fake universities who suckered would-be
students.

II. Finance corruption, including money laundering.

III. Sexual abusers and harassers.

IV. Organized crime figures and groups.

V. Environmental crimes.

VI. Human rights violations.

Naturally, the Eliminalia fraud service also operates a vast botnet of
Twitter and other social media accounts that help to suppress certain
news stories for their clients.

All this begs the question, who is behind Eliminalia? Its corporate
entities are registered in Spain (Eliminalia 2013 SLU), Maidan
Holding/Eliminalia USA LLC in Florida and in Ukraine. All of these
entities list "Diego (Didac) Sanchez Jimenez/Gimenez" as a director.

A separate entity called "World Intelligence Ltd" - a UK company also
registered to Sanchez - runs the 300+ cloned news websites with
plagiarized articles sporting doctored timestamps.

https://find-and-update.company-information.service.gov.uk/company/11095218/officers

The syndicate's fraudulent legal demands are sometimes signed by "Raul
Soto" of "Legal Department of the Brussels EU Commission" (the address
given is a "virtual office" location near a real EU Commission building).

They send these fraudulent emails using ohv.fr servers, from the
"abuse-report.eu" domain.
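The two checks the post describes, the host's "giggle-test" of whether the supposedly original article really predates the accused one, and Qurium's reading of the notices' email headers, as an added Python example that is not code from the post or from Qurium. The notice text, the relay hosts and the first-seen index are constructed for the example (the .invalid names are placeholders); only the abuse-report.eu sending domain comes from the post, and the flag names and the `triage` function are the example's own.

```python
"""Triage checks for an incoming copyright takedown notice.

Added example; not code from the post or from Qurium.  It reads a notice
the way a host's abuse desk might before acting on it: who actually sent
it, which relays carried it, and whether the claimed "original" really
predates the accused page according to the host's own first-seen records.
"""
import re
from datetime import date
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample notice.  The pattern (official-sounding signer, sending
# domain unrelated to the office it invokes) follows the post; the hosts and
# addresses are invented .invalid names, the sending domain is the one the
# post names.
SAMPLE_NOTICE = """\
Received: from mx.example-relay.invalid (mx.example-relay.invalid [203.0.113.7])
\tby mail.host.invalid with ESMTP; Fri, 23 Apr 2021 10:00:00 +0000
Received: from sender.example-hosting.invalid ([198.51.100.9])
\tby mx.example-relay.invalid; Fri, 23 Apr 2021 09:59:58 +0000
From: "Legal Department" <legal@abuse-report.eu>
To: abuse@host.invalid
Subject: Copyright infringement notice
Date: Fri, 23 Apr 2021 09:59:00 +0000

Our client's article https://news-clone.invalid/story/corruption was
published on 2021-01-05 and has been copied without permission at
https://realsite.invalid/2021/03/10/corruption-report which must be
removed within 24 hours.
"""

# Constructed first-seen index standing in for the host's own crawl or access
# logs (or an archive lookup): when each URL was first observed to exist.
FIRST_SEEN = {
    "https://news-clone.invalid/story/corruption": date(2021, 4, 20),
    "https://realsite.invalid/2021/03/10/corruption-report": date(2021, 3, 10),
}

URL_RE = re.compile(r'https?://[^\s<>"]+')
DATE_RE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")
RELAY_RE = re.compile(r"from\s+(\S+)")


def parse_notice(raw):
    """Pull the sender, relay chain, URLs and claimed date out of a notice."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    urls = [u.rstrip(".,;)") for u in URL_RE.findall(body)]
    m = DATE_RE.search(body)
    claimed = date(*map(int, m.groups())) if m else None
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    # Received headers are listed newest first.  Only the top one (added by
    # the host's own MX) is trustworthy; the rest can be forged by the sender.
    relays = []
    for hdr in msg.get_all("Received") or []:
        m = RELAY_RE.search(hdr)
        if m:
            relays.append(m.group(1))
    return {"urls": urls, "claimed_date": claimed,
            "sender_domain": sender_domain, "relays": relays}


def triage(raw, first_seen):
    """Return red flags for a notice; none is proof, each deserves a look."""
    n = parse_notice(raw)
    flags = []
    if len(n["urls"]) < 2:
        flags.append("notice-names-fewer-than-two-urls")
        return {"flags": flags, "origin_relay": None, **n}
    original, accused = n["urls"][0], n["urls"][1]
    seen_orig, seen_acc = first_seen.get(original), first_seen.get(accused)
    # Back-dating signal 1: the "original" claims a publication date earlier
    # than anyone first saw it exist.
    if n["claimed_date"] and seen_orig and seen_orig > n["claimed_date"]:
        flags.append("claimed-date-precedes-first-observation")
    # Back-dating signal 2: the accused page was observed before the "original".
    if seen_orig and seen_acc and seen_orig > seen_acc:
        flags.append("original-first-seen-after-accused-page")
    # Identity signal: the complaint is sent from a domain unrelated to the
    # site whose content it claims to protect.
    if n["sender_domain"] != (urlparse(original).hostname or "").lower():
        flags.append("sender-domain-differs-from-claimed-site")
    origin = n["relays"][-1] if n["relays"] else None
    return {"flags": flags, "origin_relay": origin, **n}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_NOTICE, FIRST_SEEN).items():
        print(f"{key}: {value}")
```

The first-seen comparison is the check that defeats the back-dating trick: a cloned article can carry any date it likes in its own HTML, but it cannot change when the host's own logs or an independent archive first recorded it. The sender-domain and relay information is weaker evidence on its own (legitimate notices do arrive from counsel and from reporting services), so the function records it for a reviewer rather than deciding on it.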

But that's just for starters. Things really get gnarly in Qurium's
followup post:

https://www.qurium.org/forensics/dark-ops-undercovered-episode-ii-eliminalia-analysis-of-fake-dmca-complaints/

That's where the investigators describe what they found when they
plugged all this intel into the Lumen Database of takedown notices and
legal threats. These are pretty hair-raising.

For example, Eliminalia worked to remove articles from a Chilean website
that identified doctors who worked in the dictator Augusto Pinochet's
torture program.

Advocates for strong copyright and privacy protection have pointed to
notice-and-takedown as a workable compromise, an alternative to the
lengthy court processes that would be required to get content removed
from an offline source, such as a bookstore.

But while notice-and-takedown may work well, it fails very, very badly.
Torturers, mafiosi, corrupt officials and scammers can use these same
expedited, low-evidence systems to remove material that truthfully
describes their crimes.

This was - and is - the utterly foreseeable outcome of a "streamlined"
process for censoring content without due process. It's a lucrative
business that produces enough surplus capital to support full-time
professionals who do nothing but find ways to game the system.

Today, we hear calls for an expansion of notice-and-takedown, often to
remove content that I personally want to see obliterated: Holocaust
denial, hate speech, etc.

But each one of these exceptions to hard-fought-for due process
protections for speech inevitably ends up swallowing the rule. Full-time
Nazis have all day to figure out how to use these rules to get evidence
of their bad acts removed, while the survivors of their bad acts struggle
to master the arcane process for having their truth restored to the
internet.

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🧑🏼‍🦳 Foxconn's Wisconsin death-rattle

No one better epitomizes the hollowness of the "hard-nosed businessman"
pose than Scott Walker, the union-busting thug who, as governor of
Wisconsin, signed up to give away $3b to the Taiwanese electronics giant
Foxconn, which promised a massive new factory.

This was an obviously bad deal right from the start. For literally
decades, Foxconn had been tricking rubes like Walker into handing over
vast public subsidies for electronics plants that were then drastically
scaled down, or canceled altogether.

https://www.nakedcapitalism.com/2017/08/foxconns-con-seeking-whopping-subsidies-for-wisconsin-michigan-manufacturing-jobs-if-they-happen.html

But Walker - presently joined by Trump - didn't care. All he cared about
was being able to maintain the pretence that "business-friendly"
policies (smashing unions, eliminating worker protections) would attract
"investment" that would make everyone better off.

The public subsidy promised to Foxconn kept on growing, rising to nearly
$5b, even as Foxconn reneged on its promises, eventually refusing to say
what kind of factory - if any - it would build.

https://www.theverge.com/2019/12/13/21020885/foxconn-wisconsin-deal-renegotiate-tax-subsidy-lcd-factory-plant

Foxconn kept up the pretense of activity, though. At one point, it used
all that public subsidy money to buy up or rent out a bunch of
Wisconsin's nicest urban buildings and announced that they would be
"innovation centers," which sat, empty.

https://www.theverge.com/2019/4/10/18296793/foxconn-wisconsin-location-factory-innovation-centers-technology-hub-no-news

Periodically, the company would announce that these innovation centers
were now thriving, filled with Wisconsin startups that would plug into
the Foxconn commercial/manufacturing ecosystem, but...they were still empty.

https://www.theverge.com/2019/5/13/18565408/foxconn-wisconsin-innovation-centers-factories-empty-tax-subsidy

All of this commercial theater kept the deal alive, kept the subsidy
money flowing, and served as a convincer as Foxconn sought out other
suckers who'd hand it more public subsidy on the promise of a plant in
their out-of-the-way town.

https://pluralistic.net/2020/04/12/mammon-worshippers/#scott-at-at-walker

This is the *real* "art of the deal." Foxconn let Trump and Walker run
around, claiming to have brought manufacturing back to America, even as
it floated trial balloons like, "What if we scrap the factory and
instead export Wisconsin dairy to China?"

https://pluralistic.net/2020/10/23/foxconned/#foxconned

Walker eventually lost his job to Tony Evers, who commissioned an
independent investigation to see what parts of the massive Foxconn deal
could possibly be salvaged. The auditors' conclusion was that *none of
it* was viable. None of it.

https://www.theverge.com/2019/8/6/20747166/wisconsin-foxconn-deal-state-report-lcd-factory-innovation-centers

But all this came years after Walker's administration and Racine County
had seized family homes near the Foxconn site to make way for a
road-widening project to help the trucks that would never come reach the
factory that would never be built.

https://beltmag.com/blighted-by-foxconn/

People lost the homes they'd lived in for generations, all for
unconvincing political theater that allowed Walker and Trump to do a
little boasting and empty the public coffers into the accounts of a
global tech giant best known for driving its factory workers to suicide.

Four years later, the con appears to be winding down. Foxconn has
officially admitted that rather than investing $10b, it will invest $1b
and instead of creating 13,000 jobs, it will create 1,454.

As David Dayen writes for The American Prospect, it's a prelude to
killing the deal altogether. Foxconn isn't even sure what this imaginary
factory will build. Maybe parts for network switches? Maybe electric
cars? (My money is on dairy farms!)

https://prospect.org/power/foxconn-finally-admits-con/

Gov Evers has whittled Foxconn's promised subsidy down to $80m, which
Foxconn will have to return if it doesn't deliver (Trump, take note:
that's how you do a deal).

But Evers couldn't save the state from all of Walker and Trump's
foolishness. They've already blown $200m on "sales and use tax
exemptions, state road improvements, and grants to local governments for
workforce training."

Far worse off is the village of Mt Pleasant and the County of Racine,
who've blown $1b on the nonexistent factory, including $160m to seize
and destroy their residents' family homes, and $117m to run power to the
empty site where no factory will be built.

The State of Wisconsin is supposed to pay the county and town 40% of
that expenditure; writing in Good Jobs First, Greg LeRoy argues that the
state should cover 100% of those payouts and then recoup it from Foxconn.

https://www.goodjobsfirst.org/news/releases/revamped-foxconn-deal-leaves-mt-pleasant-and-racine-county-fiscal-peril

As Dayen says: "Rather than offering bribes to corporate giants, they’d
be much better off improving their education, health care, and
transportation systems, making them more attractive to businesses. That
would have the dual benefit of making their cities and states nicer to
live in. Wouldn’t that be a concept."

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🧑🏼‍🦳 John Deere's dismal infosec

As far back as 2015, the agribusiness monopolist John Deere was taking
steps to ban farmers from fixing their own tractors, arguing that
copyright law made trafficking in tools to effect these repairs a felony.

https://web.archive.org/web/20150428173001/https://www.theglobeandmail.com/technology/how-digital-rights-management-keeps-value-in-hands-of-the-manufacturer/article24130876/

The company took this to the US Copyright Office, saying that farmers
couldn't fix their tractors because they don't *own* them, despite
paying hundreds of thousands of dollars for them - the software in
tractors means they can only be licensed, not owned.

https://www.wired.com/2015/04/dmca-ownership-john-deere/

Deere bolstered this argument with a paternalistic warning that farmers
are just not qualified to service tractors, prompting electronics
specialist Willie Cade - grandson of a legendary Deere engineer - to
speak out against the company.

https://securityledger.com/2019/03/opinion-my-grandfathers-john-deere-would-support-our-right-to-repair/

Cade explained that his grandfather Theo Brown - who filed 158 patents
for Deere - got all of his ideas by going into the field and observing
the modifications that farmers had made to their tractors.

It is not - and has never been - the case that Deere invents stuff that
farmers use. It's the opposite. Farmers invent stuff, Deere
commercializes it and sells it to other farmers. Farmers harvest their
crops with Deere tractors, and Deere harvests FARMERS with them.

Stealing the Right to Repair from farmers was just the curtain-raiser
for Deere's ban on modifying tractors, though. The real money is in
stealing data that's generated when farmers drive their Deere tractors
around their fields.

https://techcrunch.com/2016/07/06/the-land-grab-for-farm-data/

This data - a centimeter-accurate grid documenting soil density and
humidity - is sold by Deere back to the farmers who created it, as part
of a "precision agriculture" package that comes with seeds from tyrants
like Bayer, the new owner of Monsanto.

Far more grandiose, though, is Deere's plan to aggregate this
misappropriated data and mine it for market intelligence about
crop-yields, which can be sold into the agricultural futures market for
billions.

The next time someone says "If you're not paying for the product, you're
the product," remember Deere and farmers. Farmers spend hundreds of
thousands on tractors and they're *still* the product. Slapping a
pricetag on a monopoly doesn't make markets - it makes rent-extraction.

I've been in Copyright Office meetings where Deere and other embedded
systems makers (notably car-makers) have claimed that they HAVE to lock
down their systems to protect their customers from cyber-attacks.

But for that to be true, these companies would have to *actually*
protect their customers from cyberattacks, and that's not the case, as
is evidenced by Sickcodes's research on Deere's digital infrastructure,
which Willie Cade contributed to.

https://sick.codes/leaky-john-deere-apis-serious-food-supply-chain-vulnerabilities-discovered-by-sick-codes-kevin-kenney-willie-cade/

Sickcodes signed up for a free developer account with Deere and began
probing the system. Within hours, they had discovered serious flaws in
both Deere's website and mobile apps. For example, they were able to
retrieve the names and addresses of farmers from the website.

They also propose a method for automating this attack, which would allow
them to extract the names, addresses and other personal information of
every John Deere customer, including make and model, which would
facilitate over-the-air attacks on the tractors themselves.

The bugs that Sickcodes located are incredibly obvious and suggest that
Deere's security is totally incompetent. This is especially grim in
light of the fact that Deere has *never* submitted a *single* bug to the
US government's CVE database of serious flaws.

A quote from Darpa's Molly Jahn in Security Ledger gives a sense of the
gravity of the situation: "We can easily imagine timed interference with
planting or harvest that could be *devastating*."

https://securityledger.com/2021/04/deere-john-researcher-warns-ag-giants-site-provides-a-map-to-customers-equipment/

Deere monopolized the ag-tech market with badly secured products that
put the US food supply at serious risk. It operates no vulnerability
disclosure program, and it took legal measures to prohibit third parties
from fixing its tractors to remediate the deadly flaws it ignores.

Deere argues that we can't trust third parties to service tractors
because they might expose farmers to cyber-risk; but Deere itself is
exposing those farmers to even graver risks.

Even if Deere had amazing cyber-security, we'd still want to be able to
check its work and fix its mistakes. But it doesn't. Deere has
prioritized securing its ability to harvest farmers over farmers'
ability to harvest their crops.

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🧑🏼‍🦳 This day in history

#1yrago Riot Baby
https://pluralistic.net/2020/04/23/riot-baby/#Tochi-Onyebuchi

#1yrago Mayor of Las Vegas says the "free market" will decide what's
safe https://pluralistic.net/2020/04/23/riot-baby/#carolyn-goodman

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🧑🏼‍🦳 Colophon

Today's top sources: Ron Deibert (https://twitter.com/RonDeibert/),
Slashdot (https://slashdot.org/).

Currently writing:

* A Little Brother short story about pipeline protests.  RESEARCH PHASE

* A short story about consumer data co-ops.  PLANNING

* A Little Brother short story about remote invigilation.  PLANNING

* A nonfiction book about excessive buyer-power in the arts, co-written
with Rebecca Giblin, "The Shakedown."  FINAL EDITS

* A post-GND utopian novel, "The Lost Cause."  FINISHED

* A cyberpunk noir thriller novel, "Red Team Blues."  FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: Past Performance is Not Indicative of Future Results
https://craphound.com/news/2021/03/28/past-performance-is-not-indicative-of-future-results/

Upcoming appearances:

* Book launch for Bruce Sterling's Robot Artists & Black Swans (Book
People), Apr 27,
https://www.bookpeople.com/event/virtual-event-bruce-sterling-robot-artists-black-swans

* Seize the Means of Computation, Ryerson Centre for Free Expression,
May 19,
https://cfe.ryerson.ca/events/how-destroy-surveillance-capitalism-seize-means-computation

Recent appearances:

* The Right to Repair Movement, Monopolies, and Solarpunk
https://www.youtube.com/watch?v=mmosdDCrL-4

* The surveillance state, digital monopolies, and why we should be
worried (Podsongs)
https://anchor.fm/podsongs/episodes/Cory-Doctorow-on-the-Surveillance-State--digital-monopolies--and-why-we-should-be-worried-eso43k

* Conspiracy Theories (Utopian Horizons):
https://soundcloud.com/utopianhorizons/conspiracy-theory-w-cory-doctorow

Latest book:

* "Attack Surface": The third Little Brother novel, a standalone
technothriller for adults. The *Washington Post* called it "a political
cyberthriller, vigorous, bold and savvy about the limits of revolution
and resistance." Order signed, personalized copies from Dark Delicacies
https://www.darkdel.com/store/p1840/Available_Now%3A_Attack_Surface.html

* "How to Destroy Surveillance Capitalism": an anti-monopoly pamphlet
analyzing the true harms of surveillance capitalism and proposing a
solution.
https://onezero.medium.com/how-to-destroy-surveillance-capitalism-8135e6744d59
(print edition:
https://bookshop.org/books/how-to-destroy-surveillance-capitalism/9781736205907)
(signed copies:
https://www.darkdel.com/store/p2024/Available_Now%3A__How_to_Destroy_Surveillance_Capitalism.html)

* "Little Brother/Homeland": A reissue omnibus edition with a new
introduction by Edward Snowden:
https://us.macmillan.com/books/9781250774583; personalized/signed copies
here:
https://www.darkdel.com/store/p1750/July%3A__Little_Brother_%26_Homeland.html

* "Poesy the Monster Slayer" a picture book about monsters, bedtime,
gender, and kicking ass. Order here:
https://us.macmillan.com/books/9781626723627. Get a personalized, signed
copy here:
https://www.darkdel.com/store/p1562/_Poesy_the_Monster_Slayer.html.

Upcoming books:

* The Shakedown, with Rebecca Giblin, nonfiction/business/politics,
Beacon Press 2022

This work licensed under a Creative Commons Attribution 4.0 license.
That means you can use it any way you like, including commercially,
provided that you attribute it to me, Cory Doctorow, and include a link
to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are
included either under a limitation or exception to copyright, or on the
basis of a separate license. Please exercise caution.

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🧑🏼‍🦳 How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/web/accounts/303320

Twitter (mass-scale, unrestricted, third-party surveillance and
advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"*When life gives you SARS, you make sarsaparilla*" -Joey "Accordion
Guy" DeVilla
