“They get the one starving kid in Sudan that isn’t going to have a USAID bottle, and they make everything DOGE has done about the starving kid in Sudan.” — a White House official.

I’ve been a USAID contractor for most of the last 20 years. Not a federal employee; a contractor. USAID does most of its work through contractors. I’ve been a field guy, working in different locations around the world.

If you’ve been following the news at all, you probably know that Trump and Musk have decided to destroy USAID.  There’s been a firehose of disinformation and lies.  It’s pretty depressing.  

So here are a couple of true USAID stories — one political, one personal.


The political one first.  I worked for years in the small former Soviet republic of Moldova.



Moldova happened to be one of the few parts of the old USSR suitable for producing wine.  The other was Georgia, in the Caucasus.

The Soviets, in their central planning way, decided that both Moldova and Georgia would produce wine — but Georgia would produce the good stuff, intended for export and for consumption by Soviet elites.  Moldova would produce cheap sweet reds, which is what most Russians think wine is.

So for decades, Moldova produced bad wine and nothing but bad wine.  But Russians liked it, so that was okay.

Then the USSR collapsed.  And, well, Moldova continued to produce nasty cheap sweet reds, because that was all they could do.   By the turn of the century, wine was Moldova’s single biggest cash export.  And about 80% of that wine went straight to Russia.

This continued through the 1990s and into the early 2000s.  Meanwhile, Vladimir Putin came to power in Russia.  Back in 2003 or so, he wasn’t invading Russia’s neighbors… but he was already swinging a big stick in Russia’s “near abroad”, the former Soviet republics that he thought should still be under Russia’s thumb.  Which absolutely included Moldova.

So whenever the Moldovan government annoyed or offended Putin… or whenever he just wanted to yank their chain… the Russian Ministry of Health would suddenly discover that there was a “problem” with Moldovan wine.  And imports would be frozen until the “problem” could be resolved.  Since wine was Moldova’s biggest export, and most wine went to Russia, this meant that Russia could inflict crippling damage on Moldova’s economy literally at will.  

This went on for over a decade, with multiple Moldovan governments having to defer to Moscow rather than face crippling economic damage.

Enter USAID.  Over a period of a dozen years or so, USAID funded several projects to restructure the Moldovan wine industry. 

They brought in foreign instructors to teach modern methods.  They worked with the wine-growers to develop training courses.  They provided guarantees for loans so that farmers could buy new equipment.  They helped Moldovan farmers get access to new varieties of grapes… you get the idea.

(By the by, the wine project was not my project. But it was literally up the street from my project.  It was run by two people I know and deeply respect — one American, one Moldovan — so I had a ring-side seat for much of this.)

The big one was, they worked with the Moldovans on what we call market linkages.  That is, they helped them connect to buyers and distributors in Europe, and figure out ways to sell into the EU.  I say this was the big one, because on one hand the EU is the world’s largest market for wine!  But on the other hand, exporting wine into the EU is really hard.  There are a bunch of what we call NTBTs — “non-tariff barriers to trade”.  For starters, your wine has to be guaranteed clean and safe according to the EU’s very high standards.  That means it has to consistently pass a bunch of sanitary and health tests, and also your production methods have to be certified.  Then there are a bunch more requirements about bottling, labelling and packaging. 

The EU regulates the hell out of all that stuff.  Like, the “TAVA” number?  There’s a minimum font size for that.  If you print it too small, it’ll be bounced right back to you.  The glass of the bottle?   Has to be a sort that EU recycling systems can deal with.  The adhesive behind the label?  It can be rejected for being too weak (labels fall off) or too strong (recycling system can’t remove it).  There are dozens of things like that.

And then of course they had to do marketing.  Nobody in Europe had heard of Moldovan wines!  Buyers and distributors had to be talked into taking a chance on these new products.  This meant the Moldovan exporters needed lines of credit to stay afloat.  This in turn meant that Moldovan banks had to be talked into… you get the idea.

This whole effort took over a decade, from the early 2000s into the teens.

And in the end it was a huge damn success.  With USAID help, the Moldovan wine industry was completely restructured.  Moldova now exports about $150 million of wine per year, which is a lot for a small country — it’s over $50 per Moldovan.  And it went from exporting around 80% of its wine to Russia, to around 15%.  Most Moldovan wine (around 60%) now goes to the EU, with an increasing share going to Turkey and the Middle East.  



(If you’re curious: their market niche is medium to high end vins du table.  Not plonk, not fancy, just good midlist wines.  I can personally recommend the dryer reds, which are often much better than you’d expect at their price point.)

Russia tried the “ooh we found a sanitary problem” trick one last time a few years ago.  It fell completely flat.  Putting aside that it was an obvious lie — if something is safe for the EU, believe me, it is safe for Russia — Moldovan wine exporters had now diversified their markets to the point that losing Russian sales was merely a nuisance.  In fact, the attempt backfired: it encouraged the Moldovans to shift their exports even further away from Russia and towards the EU.

So that’s the political story.  Russia had Moldova on a choke chain.  Over a dozen years or so, USAID patiently filed through that chain and broke Moldova loose.  Soft power in action.  It worked.

Nobody knows this story outside Moldova, of course. 

Okay, that’s the political story.  Here’s the personal one.

Some years ago, I moved with my family to a small country that was recovering from some very unpleasant history.  They’d been under a brutal ethnically-based dictatorship for a while, and then there was a war.  So, this was a poor country where many things didn’t work very well.

While we were there, my son suddenly fell ill.  Very ill.  Later we found out it was the very rapid onset of a severe bacterial infection.  At the time all we knew was that in an hour or two he went from fine to running a super high fever and being unable to stand up. Basically he just… fell over. 

Wham, emergency room.  They diagnosed him correctly, thank God, and gave correct treatment: massive and ongoing doses of antibiotics.  But he couldn’t move — he was desperately weak and barely conscious — and there was no question of taking him out of the country.  We had to put him in the local hospital for a week, on an IV drip, until he was strong enough to come home.

If you’ve ever been in a hospital in a poor, post-war country… yeah at this point someone makes a dumb joke about the NHS or something.  No.  We’re talking regular blackouts, the electricity just randomly switching off.  Rusting equipment, crumbling concrete, cracked windows.  A dozen beds crammed into a room that should hold four or five. Everything worn and patched and held together with baling wire and hope.   

We’re talking so poor that the hospital didn’t have basic supplies.  Like, you would go into town and buy the kid’s medication, and then you’d also buy syringes for injections — because the hospital didn’t have syringes — and then you’d come back and give those thing to the nurse so that your kid could get his medication. 

In the pediatric ward, they were packing the kids in two to a bed. Because they didn’t have a lot of rooms, and they didn’t have a lot of beds. And kids are small, yeah?  

But there we were.  So into the hospital he went.  Here’s a photo:

— Take a moment and zoom in there.  Red-white-and-blue sticker, there on the bed?  It says “USAID:  From The American People”.

Every hospital bed in that emergency room had been donated by USAID.  I believe they were purchased secondhand in the United States, where they were old and obsolete.  But in this country… well, they didn’t have enough beds, and the beds that they had were fifty years old.  Except for those USAID beds.  Those were (relatively) modern, light and adjustable but sturdy, and easily mobile.  The hospital staff were using them to move kids around, and they were getting a lot of mileage from them.

And of course, every USAID bed had that sticker on it.  And so did some other stuff.  There was an oxygen system that a sick toddler was breathing from.  USAID sticker.  Couple of child-sized wheelchairs.  USAID stickers.  Secondhand American stuff — USAID was under orders to Buy American whenever possible — but just making a huge, huge difference here.

As I said, it was crowded in there.  Lots of beds, lots of kids, lots of anxious parents.  So we got to talking with the other parents, as one does.  A couple of people had a little English.  And so my wife mentioned that we were here working on a USAID project…

…and god damn that place lit up like an old time juke box.  “USAID!”  “USAID!”  People were pointing at the stickers, smiling.  “USAID!”   “America, very good!”  “Thank you!”  “USA!  USA!”  “Thank you!”

This went on longer than most of us would find comfortable.  When it finally settled down… actually, it never really did entirely settle down.  For the whole time our son was there, we had people — parents, nurses, even the hospital janitor — smiling at us and saying “USAID!”  “Very good!”  “Thank you!”

I’m not prone to fits of patriotic fervor.  But I’m not going to lie: right then it felt good to be American.

Anyway, USAID stories.  I could go on at considerable length.  This is my career, after all!  I could tell more stories, or comment and gloss at greater length on these.

But this is long enough already.  More some other time, perhaps.

 

Earlier this month, I and others wrote a letter to Congress, basically saying that cryptocurrencies are an complete and total disaster, and urging them to regulate the space. Nothing in that letter is out of the ordinary, and is in line with what I wrote about blockchain in 2019. In response, Matthew Green has written—not really a rebuttal—but a “a general response to some of the more common spurious objections…people make to public blockchain systems.” In it, he makes several broad points:

1. Yes, current proof-of-work blockchains like bitcoin are terrible for the environment. But there are other modes like proof-of-stake that are not.
2. Yes, a blockchain is an immutable ledger making it impossible to undo specific transactions. But that doesn’t mean there can’t be some governance system on top of the blockchain that enables reversals.
3. Yes, bitcoin doesn’t scale and the fees are too high. But that’s nothing inherent in blockchain technology—that’s just a bunch of bad design choices bitcoin made.
4. Blockchain systems can have a little or a lot of privacy, depending on how they are designed and implemented.

There’s nothing on that list that I disagree with. (We can argue about whether proof-of-stake is actually an improvement. I am skeptical of systems that enshrine a “they who have the gold make the rules” system of governance. And to the extent any of those scaling solutions work, they undo the decentralization blockchain claims to have.) But I also think that these defenses largely miss the point. To me, the problem isn’t that blockchain systems can be made slightly less awful than they are today. The problem is that they don’t do anything their proponents claim they do. In some very important ways, they’re not secure. They doesn’t replace trust with code; in fact, in many ways they are far less trustworthy than non-blockchain systems. They’re not decentralized, and their inevitable centralization is harmful because it’s largely emergent and ill-defined. They still have trusted intermediaries, often with more power and less oversight than non-blockchain systems. They still require governance. They still require regulation. (These things are what I wrote about here.) The problem with blockchain is that it’s not an improvement to any system—and often makes things worse.

In our letter, we write: “By its very design, blockchain technology is poorly suited for just about every purpose currently touted as a present or potential source of public benefit. From its inception, this technology has been a solution in search of a problem and has now latched onto concepts such as financial inclusion and data transparency to justify its existence, despite far better solutions to these issues already in use. Despite more than thirteen years of development, it has severe limitations and design flaws that preclude almost all applications that deal with public customer data and regulated financial transactions and are not an improvement on existing non-blockchain solutions.”

Green responds: “‘Public blockchain’ technology enables many stupid things: today’s cryptocurrency schemes can be venal, corrupt, overpromised. But the core technology is absolutely not useless. In fact, I think there are some pretty exciting things happening in the field, even if most of them are further away from reality than their boosters would admit.” I have yet to see one. More specifically, I can’t find a blockchain application whose value has anything to do with the blockchain part, that wouldn’t be made safer, more secure, more reliable, and just plain better by removing the blockchain part. I postulate that no one has ever said “Here is a problem that I have. Oh look, blockchain is a good solution.” In every case, the order has been: “I have a blockchain. Oh look, there is a problem I can apply it to.” And in no cases does it actually help.

Someone, please show me an application where blockchain is essential. That is, a problem that could not have been solved without blockchain that can now be solved with it. (And “ransomware couldn’t exist because criminals are blocked from using the conventional financial networks, and cash payments aren’t feasible” does not count.)

For example, Green complains that “credit card merchant fees are similar, or have actually risen in the United States since the 1990s.” This is true, but has little to do with technological inefficiencies or existing trust relationships in the industry. It’s because pretty much everyone who can and is paying attention gets 1% back on their purchases: in cash, frequent flier miles, or other affinity points. Green is right about how unfair this is. It’s a regressive subsidy, “since these fees are baked into the cost of most retail goods and thus fall heavily on the working poor (who pay them even if they use cash).” But that has nothing to do with the lack of blockchain, and solving it isn’t helped by adding a blockchain. It’s a regulatory problem; with a few exceptions, credit card companies have successfully pressured merchants into charging the same prices, whether someone pays in cash or with a credit card. Peer-to-peer payment systems like PayPal, Venmo, MPesa, and AliPay all get around those high transaction fees, and none of them use blockchain.

This is my basic argument: blockchain does nothing to solve any existing problem with financial (or other) systems. Those problems are inherently economic and political, and have nothing to do with technology. And, more importantly, technology can’t solve economic and political problems. Which is good, because adding blockchain causes a whole slew of new problems and makes all of these systems much, much worse.

Green writes: “I have no problem with the idea of legislators (intelligently) passing laws to regulate cryptocurrency. Indeed, given the level of insanity and the number of outright scams that are happening in this area, it’s pretty obvious that our current regulatory framework is not up to the task.” But when you remove the insanity and the scams, what’s left?

EDITED TO ADD: Nicholas Weaver is also adamant about this. David Rosenthal is good, too.

 

The Locus Science Fiction Foundation has announced the top ten finalists in each category of the 2021 Locus Awards. These results are from the February 1 to April 15 voting, done by readers on an open public ballot. Congratulations to all!

The Locus Awards winners will be announced June 26, 2021, during the virtual Locus Awards Weekend. Connie Willis will MC the awards ceremony. Additional weekend events include author ...Read More

In January, Ubiquiti Networks sent out a notification to its customers informing them of a security breach and asking all users to change their account passwords and turn on two-factor authentication. "We recently became aware of unauthorized access to certain of our information technology systems hosted by a third party cloud provider," Ubiquiti said at the time. Now, according to Krebs on Security, a whistleblower "alleges Ubiquiti massively downplayed a 'catastrophic' incident to minimize the hit to its stock price, and that the third-party cloud provider claim was a fabrication." From the report: "It was catastrophically worse than reported, and legal silenced and overruled efforts to decisively protect customers," [the source] wrote in a letter to the European Data Protection Supervisor. "The breach was massive, customer data was at risk, access to customers' devices deployed in corporations and homes around the world was at risk." According to [the source], the hackers obtained full read/write access to Ubiquiti databases at Amazon Web Services (AWS), which was the alleged "third party" involved in the breach. Ubiquiti's breach disclosure, he wrote, was "downplayed and purposefully written to imply that a 3rd party cloud vendor was at risk and that Ubiquiti was merely a casualty of that, instead of the target of the attack." In reality, [the source] said, the attackers had gained administrative access to Ubiquiti's servers at Amazon's cloud service, which secures the underlying server hardware and software but requires the cloud tenant (client) to secure access to any data stored there. "They were able to get cryptographic secrets for single sign-on cookies and remote access, full source code control contents, and signing keys exfiltration," [the source] said. [The source] says the attacker(s) had access to privileged credentials that were previously stored in the LastPass account of a Ubiquiti IT employee, and gained root administrator access to all Ubiquiti AWS accounts, including all S3 data buckets, all application logs, all databases, all user database credentials, and secrets required to forge single sign-on (SSO) cookies. Such access could have allowed the intruders to remotely authenticate to countless Ubiquiti cloud-based devices around the world. According to its website, Ubiquiti has shipped more than 85 million devices that play a key role in networking infrastructure in over 200 countries and territories worldwide. Instead of asking customers to change their passwords when they next log on, [the source] says Ubiquiti should've immediately invalidated all of its customer's credentials and forced a reset on all accounts, mainly because the intruders already had credentials needed to remotely access customer IoT systems.

Read more of this story at Slashdot.

Marc Feren Claude Biart was betrayed by failing to hide his distinctive tattoos in the clip

A mafia fugitive has been caught in the Caribbean after appearing on YouTube cooking videos in which he hid his face but inadvertently showed his distinctive tattoos.

Marc Feren Claude Biart, 53, led a quiet life in Boca Chica, in the Dominican Republic, with the local Italian expat community considering him a “foreigner”, police said in a statement on Monday.

Continue reading...

Security researchers have recently discovered a botnet with a novel defense against takedowns. Normally, authorities can disable a botnet by taking over its command-and-control server. With nowhere to go for instructions, the botnet is rendered useless. But over the years, botnet designers have come up with ways to make this counterattack harder. Now the content-delivery network Akamai has reported on a new method: a botnet that uses the Bitcoin blockchain ledger. Since the blockchain is globally accessible and hard to take down, the botnet’s operators appear to be safe.

It’s best to avoid explaining the mathematics of Bitcoin’s blockchain, but to understand the colossal implications here, you need to understand one concept. Blockchains are a type of “distributed ledger”: a record of all transactions since the beginning, and everyone using the blockchain needs to have access to — and reference — a copy of it. What if someone puts illegal material in the blockchain? Either everyone has a copy of it, or the blockchain’s security fails.

To be fair, not absolutely everyone who uses a blockchain holds a copy of the entire ledger. Many who buy cryptocurrencies like Bitcoin and Ethereum don’t bother using the ledger to verify their purchase. Many don’t actually hold the currency outright, and instead trust an exchange to do the transactions and hold the coins. But people need to continually verify the blockchain’s history on the ledger for the system to be secure. If they stopped, then it would be trivial to forge coins. That’s how the system works.

Some years ago, people started noticing all sorts of things embedded in the Bitcoin blockchain. There are digital images, including one of Nelson Mandela. There’s the Bitcoin logo, and the original paper describing Bitcoin by its alleged founder, the pseudonymous Satoshi Nakamoto. There are advertisements, and several prayers. There’s even illegal pornography and leaked classified documents. All of these were put in by anonymous Bitcoin users. But none of this, so far, appears to seriously threaten those in power in governments and corporations. Once someone adds something to the Bitcoin ledger, it becomes sacrosanct. Removing something requires a fork of the blockchain, in which Bitcoin fragments into multiple parallel cryptocurrencies (and associated blockchains). Forks happen, rarely, but never yet because of legal coercion. And repeated forking would destroy Bitcoin’s stature as a stable(ish) currency.

The botnet’s designers are using this idea to create an unblockable means of coordination, but the implications are much greater. Imagine someone using this idea to evade government censorship. Most Bitcoin mining happens in China. What if someone added a bunch of Chinese-censored Falun Gong texts to the blockchain?<

What if someone added a type of political speech that Singapore routinely censors? Or cartoons that Disney holds the copyright to?

In Bitcoin’s and most other public blockchains there are no central, trusted authorities. Anyone in the world can perform transactions or become a miner. Everyone is equal to the extent that they have the hardware and electricity to perform cryptographic computations.

This openness is also a vulnerability, one that opens the door to asymmetric threats and small-time malicious actors. Anyone can put information in the one and only Bitcoin blockchain. Again, that’s how the system works.

Over the last three decades, the world has witnessed the power of open networks: blockchains, social media, the very web itself. What makes them so powerful is that their value is related not just to the number of users, but the number of potential links between users. This is Metcalfe’s law — value in a network is quadratic, not linear, in the number of users — and every open network since has followed its prophecy.

As Bitcoin has grown, its monetary value has skyrocketed, even if its uses remain unclear. With no barrier to entry, the blockchain space has been a Wild West of innovation and lawlessness. But today, many prominent advocates suggest Bitcoin should become a global, universal currency. In this context, asymmetric threats like embedded illegal data become a major challenge.

The philosophy behind Bitcoin traces to the earliest days of the open internet. Articulated in John Perry Barlow’s 1996 Declaration of the Independence of Cyberspace, it was and is the ethos of tech startups: Code is more trustworthy than institutions. Information is meant to be free, and nobody has the right — and should not have the ability — to control it.

But information must reside somewhere. Code is written by and for people, stored on computers located within countries, and embedded within the institutions and societies we have created. To trust information is to trust its chain of custody and the social context it comes from. Neither code nor information is value-neutral, nor ever free of human context.

Today, Barlow’s vision is a mere shadow; every society controls the information its people can access. Some of this control is through overt censorship, as China controls information about Taiwan, Tiananmen Square, and the Uyghurs. Some of this is through civil laws designed by the powerful for their benefit, as with Disney and US copyright law, or UK libel law.

Bitcoin and blockchains like it are on a collision course with these laws. What happens when the interests of the powerful, with the law on their side, are pitted against an open blockchain? Let’s imagine how our various scenarios might play out.

China first: In response to Falun Gong texts in the blockchain, the People’s Republic decrees that any miners processing blocks with banned content will be taken offline — their IPs will be blacklisted. This causes a hard fork of the blockchain at the point just before the banned content. China might do this under the guise of a “patriotic” messaging campaign, publicly stating that it’s merely maintaining financial sovereignty from Western banks. Then it uses paid influencers and moderators on social media to pump the China Bitcoin fork, through both partisan comments and transactions. Two distinct forks would soon emerge, one behind China’s Great Firewall and one outside. Other countries with similar governmental and media ecosystems — Russia, Singapore, Myanmar — might consider following suit, creating multiple national Bitcoin forks. These would operate independently, under mandates to censor unacceptable transactions from then on.

Disney’s approach would play out differently. Imagine the company announces it will sue any ISP that hosts copyrighted content, starting with networks hosting the biggest miners. (Disney has sued to enforce its intellectual property rights in China before.) After some legal pressure, the networks cut the miners off. The miners reestablish themselves on another network, but Disney keeps the pressure on. Eventually miners get pushed further and further off of mainstream network providers, and resort to tunneling their traffic through an anonymity service like Tor. That causes a major slowdown in the already slow (because of the mathematics) Bitcoin network. Disney might issue takedown requests for Tor exit nodes, causing the network to slow to a crawl. It could persist like this for a long time without a fork. Or the slowdown could cause people to jump ship, either by forking Bitcoin or switching to another cryptocurrency without the copyrighted content.

And then there’s illegal pornographic content and leaked classified data. These have been on the Bitcoin blockchain for over five years, and nothing has been done about it. Just like the botnet example, it may be that these do not threaten existing power structures enough to warrant takedowns. This could easily change if Bitcoin becomes a popular way to share child sexual abuse material. Simply having these illegal images on your hard drive is a felony, which could have significant repercussions for anyone involved in Bitcoin.

Whichever scenario plays out, this may be the Achilles heel of Bitcoin as a global currency.

If an open network such as a blockchain were threatened by a powerful organization — China’s censors, Disney’s lawyers, or the FBI trying to take down a more dangerous botnet — it could fragment into multiple networks. That’s not just a nuisance, but an existential risk to Bitcoin.

Suppose Bitcoin were fragmented into 10 smaller blockchains, perhaps by geography: one in China, another in the US, and so on. These fragments might retain their original users, and by ordinary logic, nothing would have changed. But Metcalfe’s law implies that the overall value of these blockchain fragments combined would be a mere tenth of the original. That is because the value of an open network relates to how many others you can communicate with — and, in a blockchain, transact with. Since the security of bitcoin currency is achieved through expensive computations, fragmented blockchains are also easier to attack in a conventional manner — through a 51 percent attack — by an organized attacker. This is especially the case if the smaller blockchains all use the same hash function, as they would here.

Traditional currencies are generally not vulnerable to these sorts of asymmetric threats. There are no viable small-scale attacks against the US dollar, or almost any other fiat currency. The institutions and beliefs that give money its value are deep-seated, despite instances of currency hyperinflation.

The only notable attacks against fiat currencies are in the form of counterfeiting. Even in the past, when counterfeit bills were common, attacks could be thwarted. Counterfeiters require specialized equipment and are vulnerable to law enforcement discovery and arrest. Furthermore, most money today — even if it’s nominally in a fiat currency — doesn’t exist in paper form.

Bitcoin attracted a following for its openness and immunity from government control. Its goal is to create a world that replaces cultural power with cryptographic power: verification in code, not trust in people. But there is no such world. And today, that feature is a vulnerability. We really don’t know what will happen when the human systems of trust come into conflict with the trustless verification that make blockchain currencies unique. Just last week we saw this exact attack on smaller blockchains — not Bitcoin yet. We are watching a public socio-technical experiment in the making, and we will witness its success or failure in the not-too-distant future.

This essay was written with Barath Raghavan, and previously appeared on Wired.com.