Pluralistic: 27 Sep 2020

Originally published at: Pluralistic: 27 Sep 2020 – Pluralistic: Daily links from Cory Doctorow


Today's links



The joys of tailoring (permalink)

In last weekend's New York Times, Rachel Connolly proposed a seriously great remedy for fast fashion: thrifting and a tailor.

https://www.nytimes.com/2020/09/22/magazine/tailor-clothes-thrifting.html

Connolly starts by reminiscing about her adolescence in Belfast after The Troubles, when the lingering spectre of political violence and economic deprivation meant that there were few options for a young girl who wanted to find her look.

She found her answer in second-hand stores, where everything from trousers to formal dresses could be had for as little as £20, so long as you didn't mind problems with the fit – problems that could be remedied for £15 at the local tailor.

This is a secret superweapon for people who want to dress well on a budget: your local thrift is full of amazing clothes, new and vintage, that you can buy for less than the price of a fancy smoothie, and then have altered to fit.

Connolly describes how using a local tailor means that she can choose a look she likes and then adapt clothes to fit that look, rather than the other way around: "Trousers many sizes too big, taken in but left with wide legs or turned into shorts."

The benefits of this are hard to overstate: first, it diverts clothing from the waste stream, which is a titanic environmental crisis within the larger environmental crisis we're all living through.

It funds the charity that runs your thrift shop, and spends money locally with a skilled tailor whom you can pay a fair price to while still saving money relative to fast-fashion brands.

The money you spend stays in your community, and it goes to merchants who pay decent wages and also meet their tax obligations, supporting your schools, roads and libraries.

And you get to look amazing: like you, rather than like the closest approximation of you that you can approach by buying off-the-peg from a global fashion brand that's probably owned by a toxic private equity fund.

What's more, once you find a tailor you love, you can get them to copy your most treasured garments as they wear out: I have two jackets that I wore until they were in tatters because they fit me so well and looked so great, and I had a tailor copy both.

The copies cost less than the originals, and now that the tailor has the pattern, I can get new ones made for even cheaper (since the patternmaking was a big part of the expense), in any material I choose, while still paying a fair price to the tailor.

Like Connolly, I always find a good tailor when I move to a new neighborhood. In my case, it's the owner of my local dry-cleaner, who does beautiful work and who also does repairs for me when I tear something I love.

Some of the best clothes I ever bought came from the late, lamented Junky Styling in the Truman Brewery in London's Brick Lane – they were masters of repurposing thrifted and end-of-line clothes, making gorgeous new pieces out of them.

Junky's founders published a superb book on their methodology and design philosophy, explaining how to turn thrifted clothes into remarkable, one-of-a-kind pieces:

https://memex.craphound.com/2009/10/09/junky-styling-a-manual-for-thrift-shop-clothes-remixers/



Ransomware for coffee makers (permalink)

My 2019 book RADICALIZED opened with a novella called Unauthorized Bread, a tale of self-determination versus technical oppression that starts with a Libyan refugee hacking her stupid smart-toaster, which locks her into buying proprietary bread.

https://arstechnica.com/gaming/2020/01/unauthorized-bread-a-near-future-tale-of-refugees-and-sinister-iot-appliances/

I wrote that story after watching the inexorable colonization of every kind of device – from implanted defibrillators to tractors – with computerized controllers that served a variety of purposes, many of them nakedly dystopian.

The existence of laws like Section 1201 of the DMCA really invites companies to make "smart" versions of their devices for the sole purpose of adding DRM to them, because DMCA 1201 makes it a felony to unlock DRM, even for perfectly legal purposes.

That's how John Deere uses DRM: to force farmers to use (and pay for) authorized repair personnel when their tractors break down; it's how Abbott Labs uses DRM, to force people with diabetes not to use third-party insulin pumps with their glucose monitors.

It's the inkjet business-model, but for everything from artificial pancreases to coffee-makers. And because DMCA 1201 is so badly* drafted, it also puts security researchers at risk.

*Assuming you're willing to believe this isn't what the law was supposed to do all along

Adding networked computers to everyday gadgets is a risky business: as with any human endeavor, software is prone to error. And as with any technical pursuit, the only way to reliably root out errors is through adversarial peer review.

That is, to have people who want you to fail go through your stuff looking for stupid mistakes they can mock you over.

It's not enough for you to go over your own work for errors. Anyone who's ever stared right at their own typo and not seen it knows this doesn't work.

Nor is it sufficient for your friends to look over your work – not only will they go easy on you, but sometimes your errors come from a shared set of faulty assumptions.

They CAN'T spot these errors: this is why no argument among Qanoners ever points out the most important fact, which is that the whole fucking thing is batshit.

The default for products is that anyone is allowed to point out their defects. If you buy a pencil and the tip breaks all the time and you do some analysis and discover that the manufacturer sucks at graphite, you can publish that analysis.

But DMCA 1201 prohibits this kind of disclosure if it means that you reveal flaws that might be used to disable the DRM. Security researchers get threatened by "smart device" companies all the time.

Just the spectre of the threat is enough to convince a lot of organizations' lawyers to advise researchers not to go public with this information.

That means that a defect that could crash your car (or your implanted pacemaker) only gets disclosed if the company that made it authorizes the disclosure.

This is seriously bad policy.

Companies add "smarts" to get DRM, because DRM lets them control how their customers use their products, and lets them shut down competitors who try to give control back to customers, and also silence critics who reveal the defects in their products.

DRM can be combined with terms of service, patents, trade secrets, binding arbitration, and other forms of "IP" to deliver near-perfect corporate control over competitors, customers and critics.

https://locusmag.com/2020/09/cory-doctorow-ip/

But it's worse than that, because software designed to exercise this kind of control is necessarily designed for maximum opacity: to hide what it does, how it does it, and how to turn it off.

This obfuscation means that when your device is compromised, malicious code can take advantage of the obscure-by-design nature of the device to run undetectably as it attacks you, your data, and your physical environment.

Malicious code can also leverage DRM's natural tamper-resistance to make it hard to remove malware once it has been detected. Once a device designed to control its owners has been compromised, the attacker gets to control the owner, too.

Which brings me to "Smarter," a "smart" $250 coffee maker that is remarkably insecure, allowing anyone on the same wifi network as the device to replace its firmware, as Martin Hron demonstrates in a recent proof-of-concept attack.

https://decoded.avast.io/martinhron/the-fresh-smell-of-ransomed-coffee/

Hron's attack hijacks the machine, causing it to "turn on the burner, dispense water, spin the bean grinder, and display a ransom message, all while beeping repeatedly."

https://arstechnica.com/information-technology/2020/09/how-a-hacker-turned-a-250-coffee-maker-into-ransom-machine/

As Dan Goodin points out, Hron did all this in just one week, and quite likely could find more ways to attack the device. The defects Hron identified – like the failure to use encryption in the device's communications or firmware updates – are glaring, idiotic errors.

As is the decision to allow for unsigned firmware updates without any user intervention. This kind of design idiocy has been repeatedly identified in many kinds of devices.

Back in 2011, I watched Ang Cui silently update the OS of an HP printer by sending it a gimmicked PDF (HP's printers received new firmware via print-jobs, ingesting everything after a PostScript comment that said, "New firmware starts here").

https://www.youtube.com/watch?v=njVv7J2azY8

A decade later, there is no excuse for this kind of mistake. The fact that IoT vendors are making it tells you that the opacity and the power to punish critics is not a power that companies wield wisely – and that you shouldn't trust any IoT gadgets.
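Both the coffee maker and the print-job printer accept a firmware image without checking who produced it. The following is an added example (not code from this post, Hron's write-up or any vendor) of the check a device should run before writing anything to flash, using an update layout constructed for the illustration: a version number and an Ed25519 signature over the version and the image hash, verified against a public key baked into the device, plus a refusal to roll back to an older version.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Constructed layout: 4-byte BE version | 64-byte Ed25519 sig over version||SHA-256(image) | image
const headerLen = 4 + ed25519.SignatureSize

func u32(v uint32) []byte { b := make([]byte, 4); binary.BigEndian.PutUint32(b, v); return b }

// signedMessage binds the version to the image so neither can be swapped alone.
func signedMessage(version uint32, image []byte) []byte {
	digest := sha256.Sum256(image)
	return append(u32(version), digest[:]...)
}

// PackUpdate is the vendor side: sign the image with the build key.
func PackUpdate(priv ed25519.PrivateKey, version uint32, image []byte) []byte {
	sig := ed25519.Sign(priv, signedMessage(version, image))
	return append(append(u32(version), sig...), image...)
}

// VerifyUpdate is the device side, run before anything touches flash: check the
// signature against the public key baked into the device, then refuse rollback.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, update []byte) ([]byte, error) {
	if len(update) < headerLen {
		return nil, fmt.Errorf("update too short (%d bytes)", len(update))
	}
	version, sig, image := binary.BigEndian.Uint32(update[:4]), update[4:headerLen], update[headerLen:]
	if !ed25519.Verify(pub, signedMessage(version, image), sig) {
		return nil, fmt.Errorf("bad signature: unsigned or modified image")
	}
	if version <= installed {
		return nil, fmt.Errorf("rollback refused: version %d <= installed %d", version, installed)
	}
	return image, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	upd := PackUpdate(priv, 2, []byte("constructed firmware v2"))
	fmt.Println(VerifyUpdate(pub, 1, upd)) // image bytes, <nil>
	upd[len(upd)-1] ^= 1                   // flip one image bit
	fmt.Println(VerifyUpdate(pub, 1, upd)) // [], bad signature error
}
```

Signing alone does not fix a cleartext update channel, but it does mean that anyone who can reach the device on the wifi can at most deny it an update, not hand it code to run.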



My Reddit Privacy AMA (permalink)

Next weekend – Oct 2/3 – I'm doing a long, thoughtful Ask Me Anything session with Reddit's /r/privacy, as part of a pair of AMAs celebrating the subreddit's millionth (!) subscriber.

https://www.reddit.com/r/privacy/comments/j0rhef/a_stunning_milestone_and_two_remarkable_rprivacy/

My AMA will be followed by a weekend-long (Oct 9/10) session with Micah Lee, my former EFF colleague who is now at The Intercept (where he helped report the Snowden leaks, after aiding Snowden in getting them to journalists) and The Freedom of The Press Foundation.

I'll be talking about several new projects:

  • HOW TO DESTROY SURVEILLANCE CAPITALISM, my short book for Onezero:

https://onezero.medium.com/how-to-destroy-surveillance-capitalism-8135e6744d59

  • ATTACK SURFACE, the third Little Brother novel, which comes out in the UK on Oct 1

https://headofzeus.com/books/9781838939960

(it comes out in the US/Canada on Oct 13)

https://read.macmillan.com/torforge/cory-doctorow-virtual-lecture-series/

  • And of course, I'll be talking about my attempt to circumvent Amazon's audiobook hegemony through my ongoing Kickstarter campaign:

https://www.kickstarter.com/projects/doctorow/attack-surface-audiobook-for-the-third-little-brother-book/



This day in history (permalink)

#10yrsago Lockheed Martin sign prohibits sketching and “gathering information” https://www.flickr.com/photos/jef/5028187145/

#5yrsago Black burners on race and Burning Man https://www.theguardian.com/culture/2015/sep/27/black-campers-burning-man-explain-why

#5yrsago Hilo: The Boy Who Crashed to Earth, a fantastic middle-grade adventure comic https://memex.craphound.com/2015/09/26/hilo-the-boy-who-crashed-to-earth-a-fantastic-middle-grade-adventure-comic/

#5yrsago Tomorrow’s Catalan elections are a referendum on independence https://www.theguardian.com/world/2015/sep/25/catalonia-votes-democracy-election-independence-spain

#5yrsago Dustin Yellin’s stupendous, life-sized glass-pane humanoids made from NatGeo clippings https://memex.craphound.com/2015/09/26/dustin-yellins-stupendous-life-sized-glass-pane-humanoids-made-from-natgeo-clippings/

#1yrago The DoJ’s corporate “diversion” program is supposed to change bad corporate culture, but really, it enables repeat offenders https://www.citizen.org/article/soft-on-corporate-crime-deferred-and-non-prosecution-repeat-offender-report/

#1yrago Bruce Sterling on Boris Johnson’s bizarre, cyberpunk dystopia address to the UN https://www.wired.com/beyond-the-beyond/2019/09/visionary-high-points-recent-boris-johnson-speech-united-nations/

#1yrago Report from Defcon’s Voting Village reveals ongoing dismal state of US electronic voting machines https://media.defcon.org/DEF%20CON%2027/voting-village-report-defcon27.pdf

#1yrago Doordash’s breach is different https://memex.craphound.com/2019/09/27/doordashs-breach-is-different/

#1yrago Across America, the average worker can’t afford the median home https://www.marketwatch.com/story/there-are-precious-few-places-in-america-where-the-average-worker-can-afford-a-median-priced-home-2019-09-26

#1yrago Annalee Newitz’s “Future of Another Timeline”: like Handmaid’s Tale meets Hitchhiker’s Guide https://www.latimes.com/entertainment-arts/books/story/2019-09-27/future-of-another-timeline-annalee-newitz

#1yrago Sleuths discover the source of $28m in dark money lobbying in favor of emergency room “surprise bills”: private equity firms that own doctors’ practices https://hcrenewal.blogspot.com/2019/09/who-advocates-for-surprise-medical.html

#1yrago Wework, Uber, Lyft, Netflix, Bird, Amazon: late-stage capitalism is all about money-losing predatory pricing aimed at creating monopolies https://www.businessinsider.com/wework-is-a-prime-example-of-counterfeit-capitalism-2019-9



Colophon (permalink)

Today's top sources: Naked Capitalism (https://www.nakedcapitalism.com/).

Currently writing: My next novel, "The Lost Cause," a post-GND novel about truth and reconciliation. Friday's progress: 504 words (65940 total).

Currently writing: My next novel, "The Lost Cause," a post-GND novel about truth and reconciliation. Friday's progress: 670 words (63295 total).

Currently reading: Gideon the Ninth, Tamsyn Muir

Latest podcast: IP https://craphound.com/podcast/2020/09/14/ip/

Upcoming appearances:

Recent appearances:

Latest book:

Upcoming books:


This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.


How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/web/accounts/303320

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

When life gives you SARS, you make sarsaparilla -Joey "Accordion Guy" DeVilla

I suspect there are many more Kindles than “smart” coffee machines in use today, and so it will shock the world even more to learn (eventually) that Kindles are being targeted by APTs to install RATs on them. If someone as big as Amazon can’t secure their devices, how could smaller companies?

I read the AMA, specifically the question of what devices you have (Thinkpad and Pixel Phone), and was a bit puzzled to not see a mention of an air-gapped computer, but you mentioned a system to make sure people can access your data in case of a fatality, so I imagine (and hope for your own good) that you have an air-gap holding your backups.

I have an airgap TAILS-booted system I use for some leak handling, but for data, it’s stored in offline/offsite backup drives that I physically move around.

