[Plura-list] A "secure" system can be the most dangerous of all

Cory Doctorow doctorow at craphound.com
Thu Jul 13 13:57:12 EDT 2023


Read today's issue online at: https://pluralistic.net/2023/07/13/whose-security/

Today's links

* A "secure" system can be the most dangerous of all: Who we secure FOR - and AGAINST - reveals our true priorities and values.

* Hey look at this: Delights to delectate.

* This day in history: 2013

* Colophon: Recent publications, upcoming/recent appearances, current writing projects, current reading

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🪱 A "secure" system can be the most dangerous of all

Two decades ago, my life changed forever: hearing Bruce Schneier explain that "security" doesn't exist in the abstract. You can only be secure *from some threat*. A fire alarm won't protect you from burglaries. A condom won't protect you from mass shootings. It seems obvious, but how often do we hear about "security" without any mention of *who* is being made secure, and from *which* threat?

Take the US welfare system. It is very "secure" in that it is hedged in by a thicket of red-tape, audits, inspections and onerous proceduress. To get food stamps, housing vouchers, or cash aid, you must navigate a Soviet-grade bureaucratic system of Kafkaesque proportions. Indeed, one of the great ironies of the post-Cold War world is that the USA has become a "Utopia Of Rules" (as David Graeber put it), subjecting everyday people to the state-run bureacracies that the USAUSAUSA set endlessly ridiculed the USSR for:

https://memex.craphound.com/2015/02/02/david-graebers-the-utopia-of-rules-on-technology-stupidity-and-the-secret-joys-of-bureaucracy/

(The right *says* it wants to "shrink the US government until fits in a bathtub - and then drown it" - but not the *whole* government. They want unlimited government bloat for that part of the state that is dedicated to tormenting benefits claimants, especially if its functions are managed by a Beltway Bandit profiteer who bills Uncle Sucker up the wazoo for rubber-stamping "DENIED" on every claim.)

The US benefits system has a sophisticated, expensive, fully staffed anti-fraud system - but it's a *highly selective* form of anti-fraud. The system is oriented solely to prevent fraud against *itself*, with no thought to protecting *benefits recipients themselves* from fraud.

And those recipients - by definition the poorest and most vulnerable among us - are easy pickings for continuous, ghastly, eye-watering acts of fraud. These benefits are distributed via prepaid debit cards - EBT Cards - that lack the basic security measures that every other kind of card has had for years. These are simple magstripe cards, lacking basic chip-and-pin defenses, to say nothing of contactless countermeasures.

That means that fraudsters can - and do - install skimmers in the point-of-sale terminals used by benefits recipients to withdraw their cash benefits, pay for food using SNAP (AKA Food Stamps), and receive other benefits.

It's impossible to overstate how widespread these skimmers are, and how much money criminals make by stealing from poor people. Writing for *Businessweek*, Jessica Fu describes the mad scramble benefits recipients go through every month, standing by ATMs at midnight on the night of the first of every month in hopes of withdrawing the cash they use to pay for their rent and utility bills before it is stolen by a crook who captured their card number with a skimmer:

https://www.bloomberg.com/news/features/2023-06-28/ebt-theft-takes-millions-of-dollars-from-the-neediest-americans

One of Fu's sources, Lexisnexis Risk Solutions's Haywood Talcove, describes these EBT cards as having the security of a "glorified hotel room key." He recounts how US police departments saw a *massive* explosion in EBT skimming: from 300 complaints in January 2022 to 18,000 in January 2023.

The skimmer rings are extremely well organized. The people who install the skimmers - working in pairs, with one person to distract the cashier while the other quickly installs the skimmer - don't know who they work for. Neither do the people who use cards cloned from skimmer data to cash out benefits recipients' accounts. When they are arrested, they refuse to turn on their immediate recruiters, fearing reprisals against their families.

These low-level crooks stroll up to ATMs and feed a succession of cloned cards into them, emptying account after account. Or they swipe cards at grocery checkouts, buying cases of Red Bull and other easily sold grocery products with some victim's entire SNAP balance.

Some police agencies are pursuing these criminal gangs and trying figure out who's running them, but the authorities who issue SNAP cards are doing little to nothing to stop the pipeline at their end. Simply upgrading SNAP terminals to chip-and-pin would exponentially raise the cost and complexity that thieves incur.

Indeed, that's why every other kind of payment card uses these systems. How is it that these systems were upgraded, while SNAP cards remain in mired in 20th century "glorified hotel room key" territory? Well, as our friends on the right never cease to remind us: "incentives matter."

When your credit card gets cloned, it's your banks and credit card company that pays for the losses, not you. So the banks *demanded* (and funded) the upgrade to new anti-fraud measures. By contrast, most states have *no* system for refunding stolen benefits to skimmers' victims.

In other words, *all* of the anti-fraud in the benefits system is devoted to catching benefits cheating - a phenomenon that is so rare as to be almost nonexistent (1.54%), notwithstanding right wingers' fevered, Reagan-era folktales about "welfare queens":

https://blog.gitnux.com/food-stamp-fraud-statistics/

Meanwhile, the most widespread and costly form of fraud in the benefits system - fraud perpetrated *against* benefits recipients - is blithely ignored.

Really, it's worse than that. In deciding to protect the welfare *system* rather than welfare *recipients*, we've made it vastly harder for benefits claimants who've been victimized by fraudsters to remain fed and sheltered. After all, if we made it simple and straightforward for benefits recipients to re-claim money that was stolen from them, we'd make it that much easier to defraud the system.

"Security" is always and forever a matter of securing some specific thing, against some specific risk. In other words, security reflects values - it reveals whose risk matters, and whose doesn't. For the American benefits system, risks to the system matter. Risks to people don't.

It's not just the welfare system that prioritizes its own risks against the people it exists to serve. Think of the systems used to fight drug abuse in clinical settings.

Medical facilities that use or dispense powerful pain-killers have exquisitely tuned, sophisticated, frequently audited security systems to prevent patients from tricking their doctors or pharmacists into administering extra drugs (especially opioids). "Extra" in this case means "more drugs than are strictly necessary to manage pain."

The rationale for this is only incidentally medical. Someone who gets a little too much painkiller during a medical procedure or an acute pain episode is not at any particular risk of enduring harm - the risks are minor and easily managed (say, by keeping a patient in bed a little longer while they recover from sedation).

The real agenda here is preventing addiction and abuse by addicted people. There's a genuine problem with opioid abuse, and that problem *does* have its origins in overprescription. But - crucially - that overprescription wasn't the result of wimpy patients insisting on endless painkillers until they enslaved themselves to their pills.

Rather, the opioid epidemic has its origins in the billionaire Sackler crime family, whose Purdue Pharma used scientific fraud, cash incentives, and other deceptive practices to trick, coerce, or bribe doctors into systematically overprescribing their Oxycontin cash cow, even as they laundered their reputation with showy charitable donations:

https://pluralistic.net/2021/07/12/monopolist-solidarity/#sacklers-billions

The Sacklers got to keep their billions - and people undergoing painful medical procedures or living with chronic pain are left holding the bag, subject to tight pain-med controls that forces them to prove - through increasingly stringent systems - that they truly deserve their medicine.

In other words, the beneficiary of the opioid control system is the system itself - not the patients who need opioids.

There's an extremely disturbing - even nightmarish - example of this in the news: the Yale Fertility Clinic, where *hundreds* of women endured unimaginably painful egg harvesting procedures *with no anaesthesia at all*.

These women had complained for years about the pain they suffered, and many had ended up needing emergency care after the fact because of traumatic injuries caused by undergoing the procedure without pain control. But the doctors and nurses at the Yale clinic ignored their screams of pain and their post-operative complaints.

It turned out that an opioid-addicted nurse had been swapping the fentanyl in the drug cabinet for saline, and taking the fentanyl home for her own use.

This made national headlines at the time, and it is the subject of "The Retrievals," a new *New York Times* documentary series podcast:

https://www.nytimes.com/2023/06/22/podcasts/serial-the-retrievals-yale-fertility-clinic.html

If the pain medication management system was designed to manage pain, then these thefts would have been discovered early on. If the system was designed so that anyone who experienced pain was treated until the pain was under control, the deception would have been uncovered almost immediately.

As Stafford Beer said, "the purpose of any system is what it does." The pain medication management system was designed to manage *pain medication*, not *pain* itself.

The system was designed to be secure from opioid-seeking addicted patients. It was not designed to make patients secure from pain. Its values - our values, as a society - were revealed through its workings.


_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🪱 Hey look at this

* Remote Control: Disney World vs Their Own Customers https://www.micechat.com/358192-remote-control-disney-world-vs-their-own-customers/

* Crump and Davis: Lost Artwork and Long-Forgotten Collaborations https://longforgottenhauntedmansion.blogspot.com/2023/06/crump-and-davis-lost-artwork-and-long.html

* My Favorite Conspiracy Theory Confirmed https://cooldudezone.substack.com/p/my-favorite-conspiracy-theory-confirmed (h/t Kottke)

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🪱 This day in history

#10yrsago Lunch with the Financial Times https://www.ft.com/content/9a344ea2-e8af-11e2-aead-00144feabdc0#axzz2YuWbWNsa

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

🪱 Colophon

Today's top sources:

Currently writing:

* A Little Brother short story about DIY insulin PLANNING

* Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. FIRST DRAFT COMPLETE, WAITING FOR EDITORIAL REVIEW

* The Bezzle, a Martin Hench noir thriller novel about the prison-tech industry. FIRST DRAFT COMPLETE, WAITING FOR EDITORIAL REVIEW

* Vigilant, Little Brother short story about remote invigilation. ON SUBMISSION

* Moral Hazard, a short story for MIT Tech Review's 12 Tomorrows. FIRST DRAFT COMPLETE, ACCEPTED FOR PUBLICATION

* Spill, a Little Brother short story about pipeline protests. ON SUBMISSION

Latest podcast: Ideas Lying Around https://craphound.com/news/2023/06/11/ideas-lying-around/

Upcoming appearances:

* Comic-Con (San Diego), Jul 20-23
https://www.comic-con.org/cci/programming-schedule

* Armadillocon (Austin), Aug 4-6
https://armadillocon.org/d45/

* Defcon (Las Vegas), Aug 10-13
https://defcon.org/

Recent appearances:

* UCL Peter Kirstein Lecture
https://www.youtube.com/watch?v=Yn47ptAtVH0

* The Homeless Romantic
https://www.youtube.com/watch?v=wXn9wy5bHq0

* Why the internet is getting worse
https://www.cbc.ca/listen/cbc-podcasts/209-front-burner/episode/15992083-why-the-internet-is-getting-worse

Latest books:

* "Red Team Blues": "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books http://redteamblues.com. Signed copies at Dark Delicacies (US): and Forbidden Planet (UK): https://forbiddenplanet.com/385004-red-team-blues-signed-edition-hardcover/.

* "Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin", on how to unrig the markets for creative labor, Beacon Press/Scribe 2022 https://chokepointcapitalism.com

* "Attack Surface": The third Little Brother novel, a standalone technothriller for adults. The *Washington Post* called it "a political cyberthriller, vigorous, bold and savvy about the limits of revolution and resistance." Order signed, personalized copies from Dark Delicacies https://www.darkdel.com/store/p1840/Available_Now%3A_Attack_Surface.html

* "How to Destroy Surveillance Capitalism": an anti-monopoly pamphlet analyzing the true harms of surveillance capitalism and proposing a solution. https://onezero.medium.com/how-to-destroy-surveillance-capitalism-8135e6744d59 (print edition: https://bookshop.org/books/how-to-destroy-surveillance-capitalism/9781736205907) (signed copies: https://www.darkdel.com/store/p2024/Available_Now%3A__How_to_Destroy_Surveillance_Capitalism.html)

* "Little Brother/Homeland": A reissue omnibus edition with a new introduction by Edward Snowden: https://us.macmillan.com/books/9781250774583; personalized/signed copies here: https://www.darkdel.com/store/p1750/July%3A__Little_Brother_%26_Homeland.html

* "Poesy the Monster Slayer" a picture book about monsters, bedtime, gender, and kicking ass. Order here: https://us.macmillan.com/books/9781626723627. Get a personalized, signed copy here: https://www.darkdel.com/store/p2682/Corey_Doctorow%3A_Poesy_the_Monster_Slayer_HB.html#/.

Upcoming books:

* The Internet Con: A nonfiction book about interoperability and Big Tech, Verso, September 2023

* The Lost Cause: a post-Green New Deal eco-topian novel about truth and reconciliation with white nationalist militias, Tor Books, November 2023

This work - excluding any serialized fiction - is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/@pluralistic

Medium (no ads, paywalled):

https://doctorow.medium.com/

(Latest Medium column: "Let the Platforms Burn: The Opposite of Good Fires is Wildfires" https://doctorow.medium.com/let-the-platforms-burn-6fb3e6c0d980)

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"When life gives you SARS, you make sarsaparilla" -Joey "Accordion Guy" DeVilla



More information about the Plura-list mailing list