[Plura-list] A simple, incomplete ransomware defense; Community Health Services sued its way through the pandemic; Apple's complicity in Chinese state oppression; What Would Open Source Look Like If It Were Healthy?

Cory Doctorow doctorow at craphound.com
Tue May 18 13:58:43 EDT 2021


Tomorrow (5/19), I'm doing a talk called "Seize the Means of
Computation," at the Ryerson Centre for Free Expression:


And on Thu (5/20), I'm doing a keynote called "Privacy Without
Monopoly," for the Northsec conference:


Today's links

* A simple, incomplete ransomware defense: Attribution is hard, but
whatever works.

* Community Health Services sued its way through the pandemic: When
health is a business, medical debt is an asset.

* Apple's complicity in Chinese state oppression: Corporations don't
have character, they have incentives.

* What Would Open Source Look Like If It Were Healthy: Sumana
Harihareswara's Github talk.

* This day in history: 2206, 2011, 2016, 2020

* Colophon: Recent publications, upcoming/recent appearances, current
writing projects, current reading


🌚 A simple, incomplete ransomware defense

A truism in security is "attribution is hard." It's really hard to know
who hacked you, first, because it's easy to deflect suspicion by leaving
false clues, and second, because the bar for hacking even big, critical
systems is so low.

The ransomware epidemic has been raging for years now, and it's quite a
tangle. It includes idiots who download (or pay for) some off-the-shelf
malware and turn it loose on whatever systems they can find, who don't
even know *who* they've hacked.

It includes sophisticated crime-gangs with high degrees of
specialization: tooling, payment processing, even "customer service" for
victims who can't figure out how to buy cryptocurrency to pay their ransoms.

It includes state actors, who often pretend to be bungling idiots while
infecting the systems of national adversaries - sometimes, they use fake
ransomware that irretrievably trashes the target system, then claim to
be too incompetent to recover them.

And it includes all kinds of hybrids, like "state-sponsored" hackers
(private criminal orgs on governmental payrolls) as well as
state-tolerated "cyber-patriot militias" (high-tech mall ninjas who hack
out of a sense of patriotic duty).

This combination of adversaries accounts for the more bizarre ransomware
turns, like the ransomware gang Darkside, who seized the Colonial
Pipeline's billing systems (sparking petrol hoarding in the American south).

The criminals then apologized for their crime, saying that they were
just trying to do crime, not create a geopolitical incident. *Then* they
posted that they, themselves, had been hacked and lost control of their
malware and the ransom they'd collected (!).

It's not the first time that bad guys have pulled off a successful
attack against a major target, only to react with public shame and
horror at who they'd actually targeted - they're like muggers who
discover that they just stuck up the Chairman of the Joint Chiefs of Staff.

All this may explain why there is an easy way to protect yourself from
many strains of ransomware: install the Russian keyboard option in your
Windows system.

As Brian Krebs explains in his post, Russian authorities are pretty
tolerant of hackers who target foreigners, but are notoriously tetchy if
someone in their jurisdiction hits a Russian business (or worse, major
government installation) for ransom.


Russian (and regional) malware gangs who want to avoid retaliation from
powerful Russian security agencies have programmed their malware to
check for the presence of a Russian (or other Cyrillic) keyboard in the
system, and, if they find it, to leave the system untouched.

It's like the climax of the Passover story, except for malware and
authoritarian security agencies!

Krebs is at pains to point out that there's plenty of malware this won't
work on, and there are already strains of Darkside-associated malware
that don't perform this check.

But it's a simple step you can take right now, for free, that will not
impede your use of your system in any way.

Here's how: "Hit the Windows and X at the same time; select Settings,
then 'Time and Language.' Select 'Language,' scroll to the option to
install another character set. Pick one, then reboot. If for you need to
toggle between languages, tap Windows+space."

Alternatively, here's a two-line batch script that does it, from Lance
James of Unit221b.


This is a neat, self-contained parable about measures, countermeasures,
and counter-countermeasures. Earlier malware refused to infect computers
running virtual machines, as their authors sought to avoid analysis by
security researchers.

Today, that rarely works.

Installing a keyboard associated with Russia or the Commonwealth of
Independent States works for now. It probably won't for long.

Ultimately, we need more security competence in Windows design, to raise
that low bar and exclude (at least) the dimmest dimbulbs.


🌚 Community Health Services sued its way through the pandemic

Last Jan, Northwell Health was the subject of a viral New York Times
story about the thousands of patients it had sued over medical debt, in
the midst of a pandemic. The publicity was so bad that the company
abandoned its legal campaign of terror.


But not every bloated, financialized hospital chain got the message. The
massive chain Community Health Systems has long been addicted to suing
the shit out of its patients, and the pandemic didn't change that.


CHS's financial crimes are investigated in a must-read CNN story by
Casey Tolan. While the company insists that it doesn't sue poor patients
over their medical debts, Tolan debunks this claim, revealing the cruel
and ugly lengths CHS has gone to during the pandemic.

CHS is a kind of poster child for the idiocy of finacializing the health
care system. For years, its corporate owners have pursued profit though
endless, disastrous mergers that have left it saddled with debt and
resulted in the closure of many community hospitals.

Every year, CHS lost money...until 2020. That's the year that fed and
state governments gave it $705m in pandemic-related aid and millions
more in forgiven loans.

CHS turned its first profit - $511m - last year.

But much of that money was spoken for in advance, because its top execs
took home multimillion-dollar "performance bonuses" for having the
genius strategy of getting a gigantic bailout for their stupid,
bungling, unweildy chimera of a hospital chain.

Small wonder, then, that CHS - already notorious as one of the country's
worst medical debt chasers - stepped up its collection lawsuits against
sick, unemployed and terrified people.

Despite the company's policy of not suing people who lost their jobs
during the pandemic, nor those earning less than 200% of the national
poverty line, CHS did just that, repeatedly - and then blamed its
victims for not filing the right paperwork.

But again, the record is replete with CHS customers who mailed letters
and made phone calls begging the hospital not to sue. CHS filed at least
24,000 lawsuits in 2020. Experts call CHS "among the most litigious" of
all US hospital chains.

CNN spoke to many of CHS's victims, like, Richard Piper, who earns
$525/week and supports two daughters and several grandchildren. He was
ordered to pay CHS $34,894 in medical debt, as well as $3500 in legal
fees to CHS's lawyers.

CHS sued an unnamed Oklahoma woman who, laid off, begged them to stop
trying to collect the $781 she owed because if she paid it, she would
end up homeless. CHS prevailed, and the court nearly doubled that debt
by tacking on court and legal fees.

CHS sued Jennifer Alegria - a single mom with two daughters who works as
a chef - to recover $146000 from her double mastectomy. Alegria earns
less than $40k/year.

When CHS wins its lawsuits, it typically moves swiftly to place liens on
its victims' homes and garnish their wages. Those wages are typically
sub-poverty to begin with: the most common employer for a CHS victim

When CHS trumpeted its profitable year to shareholders, it also warned
that it expected to lose some of its debt-collection revenue, thanks to
"a deterioration in the collectability of patient accounts…as the result
of adverse economic conditions arising from the pandemic."

CHS warned shareholders about "a deterioration in collectibility"
because debt is central to its strategy.

For example, after acquiring St Petersburg, FL's oldest hospital,
Bayfront, it realized it had made a mistake and quickly sold the
hospital off.

But CHS retained Bayfront's *debts*, and continues to sue patients who
owe money for treatment in a hospital it no longer owns.

CHS bought and then shuttered Shands Lake Shore Regional Medical Center,
the only hospital in Lake City, FL. Though the hospital is long gone,
its doctors and nurses fired, CHS continues to employ its
debt-collection department, which sued 86 patients during the pandemic.

CHS's long run of idiotic mergers has left it with $7.6b in debt. In
business terms, this is a company in a persistent vegetative state with
no hope of recovery. The cruel and extraordinary measures it has pursued
to stave off death - suing patients - are doomed.

Suing over debts as small as $201 (!) will not save this dying business.
What's more, CHS's indiscriminate legal harassment is creating more
liabilities: when CHS patients can afford to hire lawyers to represent
them, they "win their cases fairly easily."

CHS's debt collection depends on attacking people who can't afford to
defend themselves, in other words.

Take Jeffery Turgeon, who owes CHS $20,784, who petitioned the company
for mercy with a handwritten letter on notebook paper.

He now owes the full amount, plus $180 in court costs. He's paying
$100/month. It would take 17 years to pay the debt at that rate - but
thanks to the 8% interest, the payments will stretch on for years after

Turgeon's fiancee Jennifer Matheson lost her hospice job during the
pandemic. They can no longer afford even such small pleasures as taking
their children to McDonald's.

CHS was once the largest hospital chain in America. It's still in the
top ten. It has bought and destroyed hospitals across the country, paid
millions to its executives, and sued the shit out of its patients.

Tell me again about how the private sector does a great job running the
health-care system?


🌚 Apple's complicity in Chinese state oppression

Bruce Schneier coined "feudal security" to describe the dominant Big
Tech security model, in which you surrender your autonomy by moving into
a warlord's fortress (Google, Apple, Facebook, etc) and in return get
protection from the bandits that roam the badlands without.

The historian Stephen Morillo pointed out that this is more like
"manorialism" than "feudalism." As I wrote in January, digital
manorialism works well (if the warlord wants the same thing as you) but
fails badly (if they decide to sell you out).


Google wants to kill third party cookies to protect you from randos
doing tracking and targeting - but it wants to retain the ability to
nonconsensually track and target you on its own:


Facebook promises to defend you from the next Cambridge Analytica, but
it threatens to sue academics who scrape its political ads to see
whether it's really living up to its promises to fight paid political


Apple has rolled out the most significant consumer privacy tech in
decades, changing the defaults on Ios products so that if you don't give
your explicit consent, no one is allowed to track you (surprise: no one
gave consent!).


Apple is 100% committed to protecting its users from commercial
surveillance. But it's also 100% committed to accessing the Chinese
market and maintaining its Chinese manufacturing. Warlord Apple will
defend you from ad-tech bandits, but not the People's Liberation Army.

That's why Apple valiantly, laudably fought the FBI's demands to
back-door its OS to gain access to the San Bernardino shooters' Iphones,
but rolled over when the Chinese government ordered it to remove all
working VPNs from the App Store.


It's why Apple took good, brave stands on human rights in the US,
fighting gender and racial discrimination in important ways but
continues to manufacture devices with Chinese contractors like Foxconn,
one of the most egregious human-rights manufacturers in the world.

Now, in an explosive NY Times investigation, Jack Nicas, Raymond Zhong
and Daisuke Wakabayashi accuse Apple of giving the Chinese state
effectively unfettered access to user-data, directly contradicting the
claims of Apple CEO Tim Cook.


The Times reporters say that this data isn't just used to invade Chinese
users' privacy, but also to fine-tune Chinese state censorship, helping
guide government operatives' choices about which apps to censor and how.

This has resulted in the removal of "tens of thousands of apps...
foreign news outlets, gay dating services and encrypted messaging
apps...tools for organizing pro-democracy protests and skirting internet
restrictions, as well as apps about the Dalai Lama."

This is true of all firms doing business in China. The choice to do
business there is the choice to be complicit in ghastly human rights
abuses. But there are two ways in which Apple's participation is different.

First, there is its carefully cultivated "Cult of Mac" identity that
paints it as an "ethical" company whose paternalistic controls are part
of a commitment to serving its users.

This has created a vast cyber-militia of Apple fans who consider
themselves members of an oppressed religious minority and who lash out
at anyone who crticizes the company as a "hater" (see, for example, the
replies to this thread on Twitter).

And second, Apple arrogates to itself more control over its users and
their devices than its rivals, asserting the right to block Apple device
owners from making their own choices about which software to run, where
to get their devices repaired, and even which parts to use.

Apple has distorted copyright, patent, trademark and import law to
accomplish this control.

There's an the army of defenders who'll simp for Apple on this.

They oscillating between claims it's all for the good of Apple
customers, and claims that people who own Apple devices but don't want
to use them according to Apple's corporate dictates "shouldn't have
bought Apple products."

The Apple version of the No True Scotsman fallacy is the most creepily
cultish thing that Apple's self-appointed street-team do, especially in
light of these latest China revelations.

Apple acts on behalf of its customers when that means acting on its own
behalf. Apple - like the other warlords - cares ultimately about its
shareholders, and if its shareholders' interests diverge from its
customers, the shareholders will always win.

That's true of every tech firm, but only Apple has built an "ecosystem"
- a great walled fortress that keeps the bandits out when Apple wants
to, but once Apple lets them in, it keeps Apple's customers from escaping.


🌚 What Would Open Source Look Like If It Were Healthy

"What Would Open Source Look Like If It Were Healthy?" That's the
question Sumana Harihareswara set out to answer in her Github talk
earlier this week - a talk that considers FLOSS in the broadest possible
terms and still makes specific, concrete proposals.


Harihareswara starts with the obvious proposition that "open source"
can't be healthy if the programmers who create it aren't healthy, and
draws a link between basic income, child care and universal health care
and the health of open source.


She also points out that the "health" of open source has been
systematically poisoned by harassment, misogyny and racism, and names
people who were driven out of OSS because of their gender and race - as
well as people like Aaron Swartz, hounded to death by the FBI.

From there, Harihareswara embarks on three speculative narratives in
which "user personas" - a common tool among software developers and
product managers seeking to understand how to suit their work to its
eventual users are elucidated.

The first is the story of a new kind of community nonprofit, one that
goes beyond the idea of "learn to code" and specifically engages with
underserved communities to help them develop their own technical
infrastructure that suits their own needs.

This nonprofit, based on the Australian Data Science Education
Institute, works with formerly incarcerated people before and during
re-entry, helping them start a project that maps automatic
defibrillators in their community, and identifies AED deserts.

The project is boring, at a technical level, but it can have a profound
effect on its community, and its real-world salience makes it a
fantastic training exercise. Harihareswara describes the tooling that
allows a small number of experts to support this community.

The next persona is "Paula," a DMV data-entry clerk who, thanks to her
union and new procurement rules for DMVs, ends up working on an OSS
replacement for the bloated, terrible software that state DMVs use
across the country.

Paula goes from user to contributor to co-maintainer, and her story
reveals how good labor practices, good governance and good community
norms are essential to spreading open methodologies to the places
they're most needed.

The final persona is "Sean," the maintainer of a project to integrate
Drupal with Instagram, who is facing burnout. Rather than being given
destructive "productivity" advice to let him stave off his inevitable
collapse, Sean is given a graceful way to step down from his role.

This graceful method requires user- and developer-based democratic
governance of OSS projects, and includes both novel tooling for
decision-making, novel norms in accepting that most projects will
eventually wind down, and new roles in the form of "wind-down" specialists.

Throughout the talk, Harihareswara skilfully weaves tooling with social
impact, norms with technology, ethics with practice. The Q&A is
fascinating as well. The whole talk is available as a video and in
edited transcript.


🌚 This day in history

#15yrsago Audio from Bruce Sterling’s “Arphid nor RFID” rant

#15yrsago Cops raid “sex slave cult” based on science fiction novels

#10yrsago List of economists involved in violent sex crimes, for Ben
Stein https://blog.xkcd.com/2011/05/18/answering-ben-steins-question/

#5yrsago Elsevier buys SSRN

#5yrsago We Stand on Guard: in 100 years, America seizes Canada for its

#1yrago US insurers say paying for pandemic treatment is "selfless"

#1yrago Deliveroo, without Deliveroo

#1yrago Restaurateur wreaks algorithmic vengeance upon Doordash


🌚 Colophon

Today's top sources: Naked Capitalism (https://www.nakedcapitalism.com/).

Currently writing:

* Breach, a Little Brother short story about pipeline protests.
Yesterday's progress: 329 words (753 words total).

* A short story about consumer data co-ops.  PLANNING

* A Little Brother short story about remote invigilation.  PLANNING

* A nonfiction book about excessive buyer-power in the arts, co-written
with Rebecca Giblin, "The Shakedown."  FINAL EDITS

* A post-GND utopian novel, "The Lost Cause."  FINISHED

* A cyberpunk noir thriller novel, "Red Team Blues."  FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: How To Destroy Surveillance Capitalism (Part 06)

Upcoming appearances:

* Seize the Means of Computation, Ryerson Centre for Free Expression,
May 19,

* Privacy Without Monopoly, Northsec, May 20,

* In conversation with David Dayen (Second Life Book Club), Jun 4,

* Book launch for Terry Miles's Rabbits (Book Soup), Jun 7,

Recent appearances:

* Interoperability and Alternative Social Media

* Mohanraj and Rosenbaum Are Humans

* Can Antitrust Laws Destroy Surveillance Capitalism? (Majority Report)

Latest book:

* "Attack Surface": The third Little Brother novel, a standalone
technothriller for adults. The *Washington Post* called it "a political
cyberthriller, vigorous, bold and savvy about the limits of revolution
and resistance." Order signed, personalized copies from Dark Delicacies

* "How to Destroy Surveillance Capitalism": an anti-monopoly pamphlet
analyzing the true harms of surveillance capitalism and proposing a
(print edition:
(signed copies:

* "Little Brother/Homeland": A reissue omnibus edition with a new
introduction by Edward Snowden:
https://us.macmillan.com/books/9781250774583; personalized/signed copies

* "Poesy the Monster Slayer" a picture book about monsters, bedtime,
gender, and kicking ass. Order here:
https://us.macmillan.com/books/9781626723627. Get a personalized, signed
copy here:

Upcoming books:

* The Shakedown, with Rebecca Giblin, nonfiction/business/politics,
Beacon Press 2022

This work licensed under a Creative Commons Attribution 4.0 license.
That means you can use it any way you like, including commercially,
provided that you attribute it to me, Cory Doctorow, and include a link
to pluralistic.net.


Quotations and images are not included in this license; they are
included either under a limitation or exception to copyright, or on the
basis of a separate license. Please exercise caution.


🌚 How to get Pluralistic:

Blog (no ads, tracking, or data-collection):


Newsletter (no ads, tracking, or data-collection):


Mastodon (no ads, tracking, or data-collection):


Medium (no ads, paywalled):


Twitter (mass-scale, unrestricted, third-party surveillance and


Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):


"*When life gives you SARS, you make sarsaparilla*" -Joey "Accordion
Guy" DeVilla

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: OpenPGP digital signature
URL: <http://mail.flarn.com/pipermail/plura-list/attachments/20210518/e0ee5b9a/attachment.sig>

More information about the Plura-list mailing list