[Plura-list] Dependency Confusion; Adam Curtis on criti-hype; Catalytic converter theft; Apple puts North Dakota on blast

Cory Doctorow doctorow at craphound.com
Thu Feb 11 14:02:08 EST 2021


This weekend, I'll be participating in Boskone 58, Boston's annual sf
convention, where I'm doing panels and a reading.



Today's links

* Dependency Confusion: A completely wild supply-chain hack.

* Adam Curtis on criti-hype: Big Tech as an epiphenomenon of sociopathic
mediocrity, not supergenius.

* Catalytic converter theft: Rhodium at $21,900/oz.

* Apple puts North Dakota on blast: Stop thinking different!

* This day in history: 2006, 2011, 2016

* Colophon: Recent publications, upcoming/recent appearances, current
writing projects, current reading


🧙🏿‍♂️ Dependency Confusion

In "Dependency Confusion," security researcher Alex Birsan describes how
he made a fortune in bug bounties by exploiting a new supply-chain
attack he calls "dependency confusion," which allowed him to compromise
"Apple, Microsoft and dozens of others."


Dependency Confusion is incredibly, delightfully clever. It is grounded
in the fact that software developers rely on "dependencies" (prebuilt,
modular code libraries) when they build new versions of their software.

The javascript files used to build new versions are often public, and by
looking inside them, you can find out the names of the libraries used to
build popular applications, from Uber to Yelp to Netflix.

Now, these libraries are a mix of widely used public libraries and
private, in-house ones, and when the software is being built, the system
checks both the canonical public archives of code libraries and private
company servers.

Birsan's insight was that if he created new, malicious libraries with
the same names as the private ones, and put them on the public servers,
then the build system might preferentially snag and incorporate his
malicious code instead of the private ones.

Some build systems have a weak security measure: if a library is found
in more than one repository, the system defaults to the one with the
higher version-number, so Birsan gave his libraries version numbers like

Birsan was able to attack Python, Ruby and Microsoft .NET-based apps.
His reports resulted in fixes to many of the apps involved, but some of
the infrastructure tools, like Jfrog Artifactory, still default to an
insecure mode, and class his bug report as a "feature request."
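To make the resolution rule concrete, here is a small model (added here, not code from Birsan's write-up or any real package manager) of the "highest version wins across registries" behaviour the post describes, beside a registry-scoped rule and a lockfile audit a defender can run; the registry URLs, package names and versions are constructed sample data.

```python
# Added example: toy dependency resolver and lockfile audit. Registry contents
# and the internal-package list below are constructed, not real data.

INTERNAL_REGISTRY = "https://npm.internal.example"  # assumed private server
PUBLIC_REGISTRY = "https://registry.npmjs.org"

# The private registry holds the real in-house package; the public registry
# holds an unrelated package published under the same name with a much
# larger version number, which is the situation the post describes.
REGISTRIES = {
    INTERNAL_REGISTRY: {"acme-auth-client": ["1.4.2"]},
    PUBLIC_REGISTRY: {"acme-auth-client": ["99.9.9"], "left-pad": ["1.3.0"]},
}
INTERNAL_PACKAGES = {"acme-auth-client"}  # names that must never come from public


def version_key(v):
    """Compare dotted versions numerically, so 99.9.9 > 1.4.2."""
    return tuple(int(p) for p in v.split("."))


def resolve_naive(name):
    """Weak rule: consult every registry and take the highest version seen."""
    best = None
    for url, pkgs in REGISTRIES.items():
        for v in pkgs.get(name, []):
            if best is None or version_key(v) > version_key(best[1]):
                best = (url, v)
    return best


def resolve_scoped(name):
    """Hardened rule: an internal name is looked up only in the private
    registry, everything else only in the public one; no cross-registry
    fallback, so a public package of the same name is never considered."""
    url = INTERNAL_REGISTRY if name in INTERNAL_PACKAGES else PUBLIC_REGISTRY
    versions = REGISTRIES[url].get(name, [])
    return (url, max(versions, key=version_key)) if versions else None


def audit_lockfile(lock):
    """Flag internal package names whose recorded 'resolved' URL is not on
    the private registry. `lock` maps package name -> resolved tarball URL,
    as a lockfile would record it after a build."""
    return sorted(name for name, url in lock.items()
                  if name in INTERNAL_PACKAGES
                  and not url.startswith(INTERNAL_REGISTRY))
```

Running `audit_lockfile` in CI against a lockfile produced by the naive rule catches exactly the substitution the post describes, even when the build itself succeeded.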

And Birsan thinks there's plenty more bug bounties out there waiting to
be claimed for attacks like this: "finding new and clever ways to leak
internal package names will expose even more vulnerable systems, and
looking into alternate programming languages and repositories to target
will reveal some additional attack surface for dependency confusion bugs"


🧙🏿‍♂️ Adam Curtis on criti-hype

Adam Curtis is a brilliant documentarian, and films like
Hypernormalization and series like All Watched Over by Machines of
Loving Grace had a profound effect on my thinking about politics,
technology and human thriving.

In this interview with The Idler's Tom Hodgkinson, Curtis lays out a
compact, incisive and important critique of the big social media
platforms - and of their critics, who give these companies far too much


Curtis puts Big Tech's self-serving boasts about how good it is at
manipulating public opinion in the same bucket as other outlandish
claims of secret, astounding accomplishments, such as those made by
British spy agencies.

When the Snowden leaks came to light, Curtis published an absolutely
brilliant, jaw-dropping article on the BBC about his own investigations
into spy agencies,


He concluded that spy agencies are filled with unhinged, unreliable
sociopaths whose claims of competence only survive because everything
they do is secret, so we have to take their word for it.

Once you understand this, you have to rethink the problem with
intelligence agencies - not that they use surveillance effectively, but
rather that they use it indiscriminately, to justify all kinds of dirty
tricks against the targets of their paranoid prejudice.

The mainstream critique of spy agencies - the one that accepts their
claims to hypercompetence at face value - is doing the spy agencies a
favor, affirming these baseless claims. It's a species of what Lee
Vinsel calls "criti-hype":


Curtis agrees with Vinsel: the critique of social media centered on the
industry's claims of devastating efficacy gives the industry far too
much credit. He points out that advertisers are coming to the conclusion
that ad-tech is a swindle, a bezzle:


If tech doesn't make money by being good at advertising, how to account
for its riches? Curtis says it's monopoly: "four giant corporations who
don’t produce anything, contribute nothing to the wealth of the country,
hoard their billions of dollars in order to pounce on anything that
appears to be a competitor and buy it out immediately."

Curtis says that dark, irrational political movements aren't the result
of Big Tech's algorithmic radicalization, but rather the material
conditions created by a corrupt system:

"For 20 years, they’ve been offered no choice between the political
parties. They’ve been given this enormous button that says 'Fuck off'
and they’ve pressed it. That’s a rational thing to do."

This nihilistic conduct is the inevitable product of the "high
individualism" doctrine: "in a period of high individualism, the one
thing you don’t notice is power. You’re supposed to be an empowered
individual yourself."

Think of how climate change debates have been dominated by "personal
responsibility" as though the emergency stems from your personal
recycling habits or your choice not to use underfunded transit.

When we're offered solutions, they turn on criti-hyped fields like "AI,"
which is actually just machine learning, which, in turn, is just
statistical inference, with no path to producing anything like intelligence:


Curtis talks about how corruption has made us suspicious of science, and
that vacuum gets filled with a kind of individualistic religion - citing
Ayn Rand's claim not to fear death "because I won’t die, the world will

Curtis says the path forward is to "square the circle" between
individualism and collective action - to find ways that individuals can
become part of a collective, a movement, grounded in science that is
liberated from industrial corruption.

"The internet is the thing that could do it, except the bastards got
hold of it and isolated us even more. We are being made to do this work
for free for them and they feed us stuff and we remain in our little
bubbles...I would argue for the nationalisation of the internet."

I'm not sure about nationalization (though a publicly owned part of the
internet is an intriguing idea), but so much of this resonated with me,
and got at the points I tried to make with my 2020 book HOW TO DESTROY



🧙🏿‍♂️ Catalytic converter theft

Back in the early 2010s, people started falling into open sewer
entrances in New York City and other large metros - because a
China-driven spike in the price of scrap metal, combined with post-2008
unemployment, gave rise to an army of metal-thieves.


A decade later, there's a new precarity- and bubble-fuelled metal-theft
epidemic: stealing catalytic converters out of parked cars to harvest
their palladium and rhodium for re-use in the global auto-sector, which
is facing strict emissions controls.


Palladium and rhodium prices are soaring: palladium is up from $500/oz
in 2016 to $2000-$2500/oz; rhodium rose from $640/oz to $21,900/oz (!).
This puts a serious dent in auto profits - in 2019, the industry spent
an extra $18b on metals (it was higher in 2020).

2021 will see the auto industry buying $40b worth of catalytic converter
metals, and this has driven a secondary market where scrappers are using
targeted ads exhorting people to bring in old converters for recycling.

Catalytic converters are pretty easy to harvest from cars: it just takes
a few minutes' work under the car to detach a compact, fungible source
of wealth, and even if your state has rules requiring ID to make the
sale, chances are the next state over doesn't.

In the New York Times, Hiroko Tabuchi talks to people at the center of
the phenomenon, like the tow-yard operator who deflates the tires of
cars "so they can’t slither underneath" and who has had to repeatedly
tow the same vehicle after it had its converter stolen and re-stolen.

Converters can be sold to scrappers by mail, and you can learn how to
boost one in any of several Youtube videos. Cops suggest engraving your
VIN into your converter, and people are homebrewing CC armor.


🧙🏿‍♂️ Apple puts North Dakota on blast

Republican North Dakota legislators have introduced SB2333, a bill that
prohibits large tech companies from locking their users into a single
app store or payment processor.


While this has implications for Android and other large tech platforms,
its most immediate and far-reaching effects will be on Apple, whose iOS
platform uses lock-in to monopolize both apps and payments (and another
domain, not mentioned in the bill: repairs).

Predictably, this has thrown Apple into a fury, with Apple's privacy
chief Erik Neuenschwander telling the SD legislature that Apple uses its
monopoly over the app store to protect its users' privacy and security.


Neuenschwander makes a good, but incomplete, point. To the extent that
Apple has the same interests as its users, it uses its app store
monopoly to lock out bad apps (to the best of its ability).

But when Apple's interests diverge from its users' interests, the
prohibition on sideloading apps actively harms those users' privacy and
security. Think of how Apple caved to Chinese state demands to remove
working VPNs from the iOS app store to facilitate mass surveillance.

This security model - surrendering your autonomy to a large company in
exchange for promises of protection - is what Bruce Schneier calls
"feudal security," though it should really be thought of as "manorial


In manorial security, a small elite of mercantilist warlords get all the
property rights - the right to decide how the infrastructure is used -
and the rest of us get tenants' rights, the right to make limited use of
the warlords' property.

The warlords promise to defend us from bandits and build high walls to
keep the bandits out, but if someone suborns the warlord to acting
against us, those walls lock us *in*, leaving us helpless.

Indeed, the walls aren't just a protection, they're a temptation: anyone
who coerces or bribes a warlord into letting them inside the compound
enjoys a smorgasbord of defenseless prey - the walled garden becomes a

Which is why Neuenschwander is more wrong than right: Apple keeps out
the bad apps it finds, except when a powerful state makes it an offer it
can't refuse.

The fact that users are held prisoner to those judgments is an
invitation to states to make demands of Apple.

Which suggests a corollary: if Apple's users *could* sideload apps that
subverted harmful government orders, then those orders would be less
effective - and governments would be less tempted to make them in the
first place, and if they did anyway, users would have an out.

I don't know enough about North Dakota state politics to weigh the
bill's chances, but if it passes, it creates some fascinating
possibilities. ND is one of America's fiber optic powerhouses, with much
higher gigabit penetration than other states.

If moving your company to ND means that you get to retain 30% more of
your income - because you're no longer paying the app store tax - *and*
you get to save money on real-estate *and* all your employees get fiber,
well, that's pretty attractive.

To get a sense of what this could mean, check out the testimony of
Basecamp CTO David Heinemeier Hansson in support of the bill, describing
how Apple shook down his company for 30% of the revenues for Hey, its
innovative email reader.


"North Dakota has the opportunity to create this level playing field,
such that the next generation of software companies can be started
there, and if a team in Bismarck builds a better digital mouse trap,
they won’t be hampered by abusive, extortive demands for 30% of their
revenue from the existing big tech giants."

As Heinemeier Hansson points out, the bill is very short - 17 lines,
plus some recitals - and it's well-crafted...for the most part. One
thing jumps out though:

> 4. This section does not apply to a proprietor of a special-purpose
digital application distribution platform.

What's a "special-purpose digital application distribution platform?"

It's "a gaming console, music player, and other special-purpose devices
connected to the internet."

That is a seriously weird carve-out. Consoles *invented* the app store
business model, and they use it aggressively today to screw games
studios and gamers. Exempting them from this is like exempting printers
from a ban on high-priced consumables.

And all those other "special purpose" devices - smart speakers, medical
implants, home automation systems, etc - are just as prone to being
monopolized and produce just as many harms for their users through
anticompetitive app store conduct as phones do.

They're overwhelmingly made by the same companies that operate abusive
app stores for phones, which means that if this carve-out was created by
lobbyists, it's weird that they didn't lobby for a carve-out for phones,


🧙🏿‍♂️ This day in history

#15yrsago Open Source Hardware Definition turns 1.0

#10yrsago Steampunk fetish mask with ear-horn

#5yrsago Facebook’s “Free Basics” and colonialism: an argument in six
devastating points

#5yrsago UK surveillance bill condemned by a Parliamentary committee,
for the third time

#5yrsago Disgraced ex-sheriff of LA admits he lied to FBI, will face no
more than 6 months in prison

#5yrsago Celebrate V-Day like an early feminist with these Suffragist

#5yrsago Haunted by a lack of young voter support, Hillary advertises on
the AOL login screen


🧙🏿‍♂️ Colophon

Today's top sources: Waxy (https://waxy.org/), Naked Capitalism
(https://www.nakedcapitalism.com/), Slashdot (https://slashdot.org/).

Currently writing:

* My next novel, "The Lost Cause," a post-GND novel about truth and
reconciliation. Yesterday's progress: 546 words (109322 total).

* A short story, "Jeffty is Five," for The Last Dangerous Visions.
Yesterday's progress: 253 words (4547 total).

Currently reading: Analogia by George Dyson.

Latest podcast: Someone Comes to Town, Someone Leaves Town (part 30)

Upcoming appearances:

* Boskone 58, Feb 12-15, https://boskone.org/

* Keynote, NISO Plus, Feb 22,

* Technology, Self-Determination, and the Future of the Future (Purdue
CERIAS), Feb 17,

* Mellon Sawyer Seminar on Contemporary Political Struggle: Social
Movements, Social Surveillance, Social Media (with Zeynep Tufekci), Feb
24, https://ucdavis.zoom.us/webinar/register/WN_I99f4x8WRiKCfKUljVcYPg

* World Ethical Data Forum keynote, Mar 17-19,

* Interop: Self-Determination vs Dystopia (FITC), Apr 19-21,

Recent appearances:

* Chop Shop Economics

* Monocle Reads

* Hedging Bets on the Future (Motherboard Cyber):

Latest book:

* "Attack Surface": The third Little Brother novel, a standalone
technothriller for adults. The *Washington Post* called it "a political
cyberthriller, vigorous, bold and savvy about the limits of revolution
and resistance." Order signed, personalized copies from Dark Delicacies

* "How to Destroy Surveillance Capitalism": an anti-monopoly pamphlet
analyzing the true harms of surveillance capitalism and proposing a
(print edition:

* "Little Brother/Homeland": A reissue omnibus edition with a new
introduction by Edward Snowden:
https://us.macmillan.com/books/9781250774583; personalized/signed copies

* "Poesy the Monster Slayer" a picture book about monsters, bedtime,
gender, and kicking ass. Order here:
https://us.macmillan.com/books/9781626723627. Get a personalized, signed
copy here:

This work licensed under a Creative Commons Attribution 4.0 license.
That means you can use it any way you like, including commercially,
provided that you attribute it to me, Cory Doctorow, and include a link
to pluralistic.net.


Quotations and images are not included in this license; they are
included either under a limitation or exception to copyright, or on the
basis of a separate license. Please exercise caution.


🧙🏿‍♂️ How to get Pluralistic:

Blog (no ads, tracking, or data-collection):


Newsletter (no ads, tracking, or data-collection):


Mastodon (no ads, tracking, or data-collection):


Twitter (mass-scale, unrestricted, third-party surveillance and


Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):


"*When life gives you SARS, you make sarsaparilla*" -Joey "Accordion
Guy" DeVilla
