Shared posts

07 May 15:37

The Complete Mercenary: Matthew Cole on Erik Prince’s Improbable Comeback Under Trump

Part Two of our conversation with the Intercept’s Matthew Cole on Erik Prince, the founder of Blackwater. In a major new report, Cole takes a look at Prince’s latest actions, including his pitch to privatize the war in Afghanistan; his creation of a mercenary army for the United Arab Emirates; a history of mismanaged projects that have soured his relationships with leaders around the world; and his comeback, made possible with the help of the Trump administration.
07 May 15:36

Democracy Now! 2019-05-06 Monday

  • Headlines for May 06, 2019
  • The Occupation is a Crime of Aggression: Gazans React After 25 Palestinians, 4 Israelis Die
  • Ex-Blackwater CEO Erik Prince Makes a Comeback Under Trump Selling Mercenary Armies Around the World

05 May 16:13

The Origins of Fascism in the U.S. and Its Connection to Corporate America

Tom Roche

surprisingly bad https://kpfa.org/episode/letters-and-politics-april-25-2019/ more confusion and vagueness regarding fascism

05 May 16:10

The Separation of Powers and a Potential Constitutional Crisis in the U.S.

05 May 15:55

The beginning of a new era in Japan

Tom Roche

Katy Watson's segment on Brazil was perhaps the worst BBC news commentary ever

As Emperor Naruhito takes the throne in Japan, Rupert Wingfield-Hayes watches the crowds waving flags and wiping away tears. What will this new era hold for the country and its imperial family? Kate Adie introduces this and other stories: Katy Watson has the latest instalment in the drama that is gripping Brazil as rival factions vie for control under the presidency of Jair Bolsonaro. Neil Kisserli reveals why protesters in Algeria are picking up the litter and taking pot plants with them as they demand change. Zeinab Badawi returns to Sudan to meet the young architecture student leading the revolution. And Dave Lee hears from tech workers in Silicon Valley who fear they’ve become the new bankers – seen as public figures to be reviled and blamed for the ills they have brought into society.
04 May 21:44

Simon Evans Goes to Market - Adam Smith

Radio 4's premier comedy-economics hybrid is five series old and the time is right to take a step back, and perhaps two steps up, and tackle the big, competing theories of Macro Economics. These are little short of religions to their proponents, and the figures who devised them dominate the intellectual landscape in a way that mere politicians can only dream of. These are the Big Beards, the Glinting Eyes, the Bristling Moustaches and Eyebrows of "Worldly Philosophy" and their insights, calculations and hallucinations remain as contentious today as they were when first inked into place. In this series Simon Evans, with the help of Undercover Economist, Tim Harford will advance through the modern industrial era using three great beacons as their guide - Adam Smith, Karl Marx and John Maynard Keynes - and reflect on how they continue to shape our world today. In episode 1, Adam Smith is under Simon and Tim's jokenomics microscope. Smith, the author of The Wealth of Nations, the first modern work of economics, is still incomparably influential in Western political and economic thought. His faith and trust in the Invisible Hand remains one of the most misunderstood of all economic paradigms, and in his name to this day are committed all too visibly ham-fisted atrocities, that would make even his pale Presbyterian skin blanch. A £20 note serves as a handy multimedia accompaniment to this episode. Producer: Richard Morris Presenters: Simon Evans and Tim Harford Writers: Simon Evans, Tim Harford, Dan Evans and Robert Ledger
03 May 15:49

Behind the News, 5/2/19

Tom Roche

David Palumbo-Liu @ Stanford on the culture of Stanford University, and why it wants to shut its press • Natasha Lennard @ New School, author of Being Numerous, on protest, rights, the state, social media, privacy, individuality

Behind the News, 5/2/19 - guests: David Palumbo-Liu, Natasha Lennard - Doug Henwood
30 Apr 20:54

Avoid Surveillance With Helm, a Home Server Anyone Can Use to Keep Emails Truly Private

by Micah Lee

During a group dinner in a small town in Norway in 2015, at an international conference for investigative journalists, a Ukrainian reporter told me that he used both Gmail and Mail.ru, Russia’s most popular email provider. “Every time I write an email,” he said, “I have to decide if I want Obama to read it, or if I want Putin to read it.”

It may be hyperbolic to suggest that world leaders personally comb through individual email accounts, but the reporter’s point stands: When you use services like Gmail, Mail.ru, Facebook, Dropbox, Slack, or any other site that stores your data, they will hand your private information to governments when compelled to do so and in some cases, merely when asked. Last year, the Supreme Court ruled that the government usually needs a warrant to access private data held by third-party companies. But even with new legal protection, email remains all too easy for governments to quietly obtain. Many companies, like Facebook, have shared personal information even more widely, with private entities. When your personal data is stored on a company’s servers, as with the email in your Gmail account, there are no technical barriers to the host company sharing it when it sees fit.

Google provided private information to government agencies around the world more than 60,000 times in 2017, often turning over data from multiple Google accounts at once, according to its transparency report. And that doesn’t include over 100,000 Google accounts from which the company gave data in response to secret orders from the Foreign Intelligence Surveillance Court, a U.S. national security tribunal whose meetings and decisions are kept from the public. Mail.ru doesn’t provide a transparency report, but the situation is no doubt much worse in Russia: All Russian internet companies are required to retain data they collect about their users and to hand it to FSB, a Russian spy agency, if asked.

If you want an email account that’s actually private, one solution is to run your own email server from your house. This way, if governments want to secretly ask your email provider for a copy of your inbox, they’ll have to ask you.

Until now, this hasn’t been a viable option for most people: Not only would you need an extra computer to act as a home email server, but you’d also need enough system administration skills to install, configure, and secure this server. In addition, you’d need to deal with headaches related to your broadband internet provider; such providers typically try to block email servers by interfering with connections to a particular networking channel, port 25, associated with mail delivery. After you solved that problem, you’d need to configure your router to forward inbound email deliveries to your server. Then you’d need to register a domain name where your email address will live, and then point that domain to your email server using a system known as DNS. This is complicated by the fact that most residential internet addresses change on a regular basis. And as much work as it is to initially set up this home email server, it’s even more work to maintain it over time — to promptly install security updates, set up monitoring so you’ll be notified when something breaks, block spam, and avoid getting your server added to spam block lists.

With the release of Helm, that has changed. Helm is a triangle-shaped personal server that can host email (on your own custom domain name), contacts, calendar, and a file server, and is about as easy to set up as a new smartphone. For being basically a sophisticated product for hosting your most private data — where there are many opportunities to screw up — Helm’s technical choices and business model are surprisingly well-thought-out. All you need is internet access at your home and an iPhone or Android phone to configure it.

The biggest hurdle prospective users will face, I suspect, is the price: You have to drop $500 to buy Helm to get started, and then pay a $100 per year subscription to continue using its cloud gateway and encrypted backup components.

I’ve been hosting my personal email, micah@micahflee.com, on a Helm device plugged into my router in my living room for several months now. Here are some of the things I’ve learned, starting with what it’s like to switch to Helm, then an assessment of Helm security, a comparison to Gmail, a nitty-gritty examination of how Helm works technically, a look to the future of Helm, and some important caveats about the product and the policies and realities around it.

My Helm device, with the power cable, ethernet cable, recovery key, sticker, and my cat Nova (not included).

Photo: Micah Lee/The Intercept

Switching to Helm

The first step to switching to Helm is picking out the domain name you want to use for your new personal email address — in my case, micahflee.com. After ordering my Helm, I received simple instructions on how to proceed.

Properly configuring a domain name for an email server is complicated, and misconfigurations can cause other email servers to suspect that you’re running a spam operation. To avoid this, and to make it simpler for users, Helm handles the DNS for your domain name for you. If you ever need to update your domain name’s DNS records, you can do it from the Helm mobile app.

If you don’t already own a domain name, you can get one while buying your Helm; all the fees associated with buying and renewing the domain name are included in the price. If you do already own a domain, you’ll need to log in to your registrar’s website and update your domain to point to DNS servers that Helm controls; Helm will handle the rest. If you host a website on your domain name — like I do with micahflee.com — you’ll also need to let Helm know about it first. (Helm supports multiple domain names, but this feature was added after I tried the product.)

The next step is waiting for the Helm device to ship to your house. Once mine arrived, I had it up and running in about 10 minutes, with an additional hour and a half to migrate all of my email from my old provider into my Helm.

Following the instructions, I plugged the Helm device into a power outlet in my living room, next to my Wi-Fi router. I connected the Helm to the router using the ethernet cable (you can also connect your Helm to your router over Wi-Fi, but ethernet is more reliable, faster, and more secure). And I installed the Helm mobile app on my Android phone, turned on Bluetooth, and paired with the Helm.

A quick note about the Android app: When I first opened the Helm app, it asked for permission to use my location. “This is an unfortunate requirement from Android since our app uses Bluetooth to pair with the Helm,” Helm CEO Giri Sreenivas told me. Apparently, Android apps can’t have Bluetooth permission without also requesting location services permission. “We do not note or store any location information.” The iOS app does not have this issue.

Screenshot from Helm’s Android app after pairing over Bluetooth with my Helm device.

Screenshot: The Intercept

The next page asks for your activation code, which I already had in an email from Helm. After typing it in, the Helm app walked me through creating an administrator username and password for my domain, micahflee.com.

Setting up the administrator account.

Screenshot: The Intercept

After creating an account, the app prompts you to insert the “recovery key” into the Helm device. This is part of Helm’s strategy to make sure you can access your data in case of disaster — like if you spill soda all over your Helm or your house burns down. If you ever need to restore your encrypted backups to a new Helm device, you’ll either need your logged-in phone or this recovery key. And if you get a new phone, you’ll need this recovery key to log in to the Helm app as your administrator user again.

Saving the recovery key.

Screenshot: The Intercept

Saving the recovery key.

Photo: Micah Lee/The Intercept

After getting your recovery key squared away, put it in a safe location where you won’t lose it. I suggest a safe, if you have one, or a locked drawer.

The next step is to configure email on your devices, like your phone and laptop. Each device gets its own unique, unguessable password to log in to your email. Unlike many email services, Helm doesn’t support web mail — you must use a standard email client, like the one built into your phone or laptop’s operating system, or like Mozilla Thunderbird.

Adding a new device to my Helm account.

Screenshot: The Intercept

After I set up Thunderbird to connect to my new home email server, I was presented with an empty inbox. About one minute later, I received my first email to my home email server. As soon as I activated my Helm device, incoming email for micahflee.com stopped getting delivered to my old provider and started getting delivered to my Helm.

The next step is importing your old email. Before going into how I did that, here is a quick aside: I used Gmail a decade ago. But as a privacy advocate, I was keenly aware that Google had access to all my email and couldn’t be relied on to protect it from government requests. This anxiety was heightened in 2013, around the time that National Security Agency contractor Edward Snowden blew the whistle on the NSA’s overreach, revealing, among other things, that the agency had “direct access” to the servers of major U.S. companies, including Google, through a mass surveillance program known as PRISM.

So I went searching for an email provider I felt I could trust more. Since then, I’ve hosted my email with a handful of small entities that, while lacking Google’s massive engineering, security, and usability resources, I judged were much more likely to protect my email from government requests based on their privacy policies and, in some cases, conversations with staff at these providers. These included Riseup, a tech collective that hosts communication tools for activists; Electric Embers, a tiny Bay Area worker-owned cooperative; ProtonMail, a Swiss-based encrypted email provider; and Soverin, a tiny privacy-focused email provider based out of Amsterdam. (Unlike most email providers, Riseup and ProtonMail store your email encrypted to your password, but there’s still a lot of information they could provide to a government if compelled, including all your email metadata.)

Back in the Helm app, I started the process of importing my email from Soverin. I chose to import from Soverin’s IMAP server, so I had to supply an IMAP hostname, as well as my Soverin username and password. The process is even simpler if you’re switching from Gmail or Yahoo Mail.

Importing email from my old provider to my Helm.

Screenshot: The Intercept

It took about an hour and a half to download all of the emails from my old provider. When it was done, I logged into my Soverin account and deleted all of my email from its server. At this point, I was successfully self-hosting my email from my house! (If you’re changing email addresses while switching to Helm, like if you’re switching from a gmail.com address to a custom domain name, you’ll also want to configure your old email account to forward emails to your new address and set up an auto-responder message that tells people who email you that you’re using a new email address.)

Importing email from your old provider into Helm is simple and straightforward. But contacts and calendar, on the other hand, are quite a bit more complicated (after much troubleshooting, I ended up adding both my new and old contacts and calendar accounts to Evolution, a Linux-only email app, then exported data from my old accounts and imported it into my new accounts). I’d love to see future versions of Helm make migrating your contacts and calendar just as simple as it is to migrate your email.

How Secure Is Helm Against Hackers?

When you talk about the security of an email server, you’re really talking about two separate things: The security of individual user accounts and the security of the technical infrastructure itself, which includes server software choices, system hardening, monitoring, intrusion detection, incident response, and the operational and endpoint security of system administrators.

I believe that Helm’s technical infrastructure is well-engineered from a security perspective. It uses best practices (I go into greater detail in the “under the hood” section below), I don’t see any obvious flaws, and, though I haven’t made a thorough comparison, it appears to offer similar security to most small, well-run email providers. Basically, the only attackers who can get in are those armed with expensive zero-day exploits — exploits that rely on bugs that the software-makers themselves don’t even know exist and thus have not been able to release security updates for. An attacker would need to find a zero day for software Helm is known to run, like Dovecot, the open-source email server. The vast majority of attackers will remain locked out.

That said, there are some security tradeoffs involved with using Helm and some areas in which the system’s security could be improved.

If someone does manage to hack your Helm, you probably won’t notice, unfortunately. Sreenivas told me that Helm doesn’t have an intrusion detection system at this time. “We plan to summarize failed attempts in a weekly digest email,” he told me, “but alerting on actual intrusion is something we haven’t defined yet.”

Additionally, running a home server increases the risk to your home network. If someone successfully hacks your Helm, they could pivot from it, probing laptops, smartphones, and other devices in your house for weaknesses. But I don’t think this is much riskier than connecting your laptop or smartphone to a public Wi-Fi network, where anyone else on the network could try attacking your device.

Also, while Helm’s infrastructure is pretty good, you will get more robust security protections from a major enterprise like Google, which has a team dedicated to hunting, and fixing, zero-day exploits and warns you when state-sponsored hackers try to compromise your account.

Unlike Google, however, Helm will never share your emails with anyone or scan them to target advertisements at you, because it can’t. By design, the Helm company simply doesn’t have access to your email. So while Helm is probably not as secure as Gmail, it’s vastly more private.

What’s more, individual Helm email accounts are more secure than individual Gmail accounts, I would argue. Unlike with Google, and most other web-based services, hackers can’t use spearphishing to compromise your Helm account. It’s possible to lock down your Google account to defend against spearphishing, but accounts aren’t locked down by default, and adding security measures like 2-Step Verification, which I recommend every Google user enable, makes it more annoying to use on a daily basis.

Before I go into how Helm account security works, first let me describe how spearphishing works. One of the most consequential email hacks in recent history happened against a Gmail account in March 2016. Officers working for GRU, Russia’s military intelligence agency, sent the following email to Hillary Clinton’s 2016 presidential campaign chair John Podesta.

A reconstruction of the spearphishing email that GRU officers used to compromise John Podesta’s Gmail account.

Image: Courtesy of Matt Tait

While it looked legitimate, it was far from it. When Podesta clicked the “change password” button, it actually linked to the URL shortener service Bitly, which redirected to a fake Gmail login page hosted at the domain myaccount.googlecom-securitysettingspage.tk. This fake address was the only visual indication that this was a spearphishing attack.

A reconstruction of what the spearphishing website that was used to steal Podesta’s Gmail password looked like.

Image: Courtesy of Matt Tait

Like most people would, Podesta typed his password into the hackers’ convincing fake page. After GRU officers successfully gained access to his Gmail account, federal officials have said, they used their fake Guccifer 2.0 persona to send a copy of his inbox to WikiLeaks, which began publishing the messages at key points during the 2016 election.
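The only tell in that attack was the hostname, so the check a mail filter or awareness tool can automate is a comparison of the link's registrable domain against the domains that really host the login page. The following is an added example, not code from the article or from Google; the allow-list, the brand tokens and the tiny public-suffix table are assumptions made for illustration (production code should load the full Public Suffix List).

```python
from urllib.parse import urlsplit

# Assumption: domains that legitimately serve the sign-in page being protected.
TRUSTED_DOMAINS = {"google.com"}
# Assumption: brand strings whose presence in an untrusted hostname is suspicious.
BRAND_TOKENS = ("google", "gmail")
# Assumption: a tiny stand-in for the Public Suffix List, enough for the samples.
PUBLIC_SUFFIXES = {"com", "net", "org", "tk", "ly", "co.uk"}


def registrable_domain(host):
    """Return the public suffix plus one label, or None if it cannot be found."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest candidate suffix to the shortest.
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                return None  # the host is itself a bare public suffix
            return ".".join(labels[i - 1:])
    return None  # suffix not in our table


def classify(url):
    """Classify one URL as 'trusted', 'lookalike', 'unrelated' or 'unknown'."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return "unknown"
    if not host:
        return "unknown"
    domain = registrable_domain(host)
    if domain is None:
        return "unknown"
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # A brand name anywhere in a host we do not trust is the lookalike signal:
    # "google" appears, but the registrable domain belongs to someone else.
    if any(token in host for token in BRAND_TOKENS):
        return "lookalike"
    return "unrelated"


def classify_chain(redirect_chain):
    """Judge a link by every hop it redirects through, not by the first URL.

    A shortened link looks 'unrelated' on its own; the verdict that matters
    is the worst one seen anywhere along the resolved chain.
    """
    verdicts = [classify(url) for url in redirect_chain]
    if "lookalike" in verdicts:
        return "lookalike"
    return verdicts[-1] if verdicts else "unknown"


# Constructed sample: a shortener hop followed by the hostname quoted above.
SAMPLE_CHAIN = [
    "https://bit.ly/PLACEHOLDER",
    "http://myaccount.googlecom-securitysettingspage.tk/",
]

if __name__ == "__main__":
    for hop in SAMPLE_CHAIN:
        print(classify(hop), hop)
    print("chain verdict:", classify_chain(SAMPLE_CHAIN))
```

Because the first hop is a shortener, the check is only meaningful once the redirect chain has been resolved in a sandboxed fetcher and every hop is classified.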

In contrast, here’s how Helm security works. Managing your Helm account and devices is done exclusively through the mobile app and initially requires what the company calls “proximity-based” authentication: To associate your smartphone with the Helm, you need your username and password, and you also need to physically be in the same room as the Helm so you can pair with it over Bluetooth, which will create a shared authentication token between the Helm and the smartphone. So even if you use a weak password, or reuse the same password for Helm that has appeared in a data breach, attackers can’t log in to your account without getting physically close enough to your Helm to pair with it. Once you log in to the app, you stay logged in and generally won’t need to log in again unless you get a new phone. This means you do not need to be in the same room as the Helm merely to access your email, calendar, or other services.

(Proximity-based authentication has its downsides: If you want to give a friend who lives in another part of the world a user account hosted on your Helm, they’ll need to come visit you in person to log in to their account for the first time, and again every time they switch phones.)

After logging into your account, you can add and delete devices that you’ll use to access your email. Each of these devices has a secure, unique device password such as “3mdxmh23kzjkv6hs.” For example, the password I use on my phone is different than the one I use on my laptop. If I get a new phone, I’ll delete the device name associated with it (“trackingdevice”), revoking access from my old phone, and I’ll add a device for my new phone, which will have its own unique name and password.

Managing my email account in the Helm mobile app.

Screenshot: The Intercept
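A sketch of the per-device credential model described above, as an added example rather than Helm's actual implementation: the `DeviceRegistry` class, the 36-character alphabet (inferred from the sample password) and the PBKDF2 storage scheme are all assumptions. It shows why revoking one device leaves the others untouched and why the server never needs to keep the passwords themselves.

```python
import hashlib
import hmac
import math
import secrets
import string

# Assumption: lowercase letters and digits, 16 characters, matching the shape
# of the sample device password quoted in the article.
ALPHABET = string.ascii_lowercase + string.digits
LENGTH = 16
PBKDF2_ROUNDS = 200_000


def password_entropy_bits(length=LENGTH, alphabet=ALPHABET):
    """Entropy of a uniformly random password over the given alphabet."""
    return length * math.log2(len(alphabet))


def _derive(password, salt):
    # Only this salted derivation is stored, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class DeviceRegistry:
    """Hypothetical server-side store: one independent credential per device."""

    def __init__(self):
        self._devices = {}  # device name -> (salt, derived key)
        # Dummy record so lookups for unknown devices cost the same as real ones.
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_key = _derive("unused", self._dummy_salt)

    def add_device(self, name):
        """Create a device and return its password, which is shown only once."""
        if name in self._devices:
            raise ValueError(f"device {name!r} already exists")
        password = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
        salt = secrets.token_bytes(16)
        self._devices[name] = (salt, _derive(password, salt))
        return password

    def verify(self, name, password):
        """Constant-time check of a device's password."""
        salt, expected = self._devices.get(name, (self._dummy_salt, self._dummy_key))
        matches = hmac.compare_digest(_derive(password, salt), expected)
        return matches and name in self._devices

    def revoke(self, name):
        """Delete one device; every other device's credential keeps working."""
        return self._devices.pop(name, None) is not None


if __name__ == "__main__":
    registry = DeviceRegistry()
    phone_pw = registry.add_device("trackingdevice")
    laptop_pw = registry.add_device("laptop")
    print(f"{password_entropy_bits():.1f} bits per device password")
    registry.revoke("trackingdevice")  # e.g. after replacing the phone
    print("old phone still valid:", registry.verify("trackingdevice", phone_pw))
    print("laptop still valid:", registry.verify("laptop", laptop_pw))
```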

There is no way to check your Helm email from a web browser — you have to use native email clients installed on your computer or phone.

All of this together means that Helm is immune from spearphishing. If GRU hackers went after a Helm user with the same technique they used against Podesta, it wouldn’t work. They could send a spearphishing email, perhaps disguised as official communication from the Helm company, with a link they trick the user into clicking. But there’s no login page on Helm’s website for them to imitate — you host your email from the Helm device in your house, not from Helm’s website, after all. And that device also lacks a login page. If an attacker made up a login page anyway, and even if the Helm user typed their username and password into it (even though Helm users never do this, unlike with Google where users log in all the time), the Helm account is still protected by proximity-based authentication.

If resourced hackers, like GRU officers, really wanted access to your email, their best bet is to either compromise the Helm device itself, or compromise one of your devices that you’ve authorized to check your email. This is definitely possible, but it’s a much higher bar than compromising a single account, especially if you keep your devices updated (you don’t need to worry about the Helm device, which automatically updates itself).

Your User Experience Could Change

If you’re accustomed to Gmail, switching to Helm might take some getting used to. Here are a few differences to expect.

Helm does not have any web mail interface. This is undoubtedly a good thing for security — it protects you from spearphishing attacks, it allows you to strictly control which devices have access to your email, and it makes it simpler to encrypt your email with PGP, if you’re that type of nerd. It also means that you’ll have to use an email client with a user interface totally different from Gmail’s; Thunderbird isn’t as pretty or easy to use, for example. And finally, you can’t check your email on someone else’s computer — you can only log in on devices that you’ve added to your Helm account using the mobile app. This might be inconvenient, but it, too, is good for your email security. You don’t know what spyware is running on other people’s computers, and you don’t have to worry about forgetting to log out.

I get a lot of email, including all sorts of email notifications, and I’m subscribed to several mailing lists. To keep things organized, I automatically filter incoming emails into their own folders. At the moment, Helm doesn’t support server-side filters, so if you want to filter your email, you need to do it from one of your email clients. For example, as a software developer, I get a lot of GitHub email notifications that I want filtered into my “github” folder, so I set up an email filter in Thunderbird that does this, and it works great. But because it’s a Thunderbird filter, when I check my email on my phone, new GitHub emails appear in my inbox and don’t get moved to my “github” folder until the next time I open Thunderbird. It’s not a big deal, but it would be nice for Helm to support server-side filters in the future.

Finally, there is the fight against spam. Gmail is excellent at recognizing and blocking spam because they use the private emails of their 1.5 billion users to create an incredibly accurate model of what spam looks like. Helm’s spam filtering isn’t bad, but chances are more spam will get through than you’re used to, at least to begin with. Every time you mark email as spam in your email client, Helm’s spam filtering will learn from this and get better at recognizing it, all while not sharing the contents of your email with any third parties.

How Helm Works Under the Hood

Helm includes different components: the mobile app, the recovery key, the gateway server in the cloud, and, most importantly, the Helm device itself, which stores all of your data on its 128GB solid-state hard disk. Since I’m trusting Helm with hosting my own email, I put effort into learning exactly how it works. This section dives pretty deep into the weeds and uses tech jargon without always explaining what it means. Feel free to skip ahead if this isn’t your thing.

The Helm Device

The Helm device is a computer running Linux, the popular open-source operating system. It doesn’t have a microphone, and it’s completely silent; instead of cooling with a loud fan, it dissipates heat through its aluminum base. And compared to a typical home Linux server, it’s quite a bit harder to hack thanks to hardware and software hardening tricks.

First, Helm uses a system called full-disk encryption to protect data stored on its local drive, ensuring that people with physical access to the device, like a burglar, can’t extract any private information from it, since everything on the drive would be indecipherable to the attacker. As with iPhone hardware, Helm has a “Secure Enclave” built into its processor — basically, a tiny, separate computer designed to be impenetrable and that manages encryption keys, tightly restricting in what circumstances, and by what software, the keys may be used to unlock stored data. And secure boot is enabled, meaning that an attacker cannot create malware to intercept encryption keys by impersonating the operating system as Helm starts up (a tactic classified as a type of “evil maid attack”). (If you want to run unauthorized bootloader code on your own Helm, check out the reverse engineering section below.)

Once the Helm device is booted, the next security trick is that it stores files used to boot the system on what is known as a read-only root filesystem, where data cannot be changed. If your Helm gets compromised, this makes it more difficult for malware to modify any core operating system files or to survive a reboot. The server is also packed with proven open-source software for running email, contacts, calendar, file hosting, and user management services — these include Postfix, Dovecot, OpenDMARC, Apple’s Darwin Calendar and Contact Server, Nextcloud, OpenLDAP, and more — and each service is isolated in its own Docker container (a sort of virtual jail enforced by software). In another security win, Helm automatically keeps this wide array of software updated in order to eliminate vulnerabilities as they are discovered.

Finally, when you configure your Helm for the first time, it automatically enables a type of encryption known as TLS. TLS is often used to encrypt web traffic, but it is also used to allow email clients to connect securely and privately over the internet to your email server, which in my case, has the hostname of helm.micahflee.com. Helm gets a trusted TLS certificate using a popular nonprofit service known as Let’s Encrypt.

But, wait, how do connections to your hostname end up making it to your Helm device in your living room?

Gateway in the Cloud

Each Helm device makes a persistent, encrypted network connection to a dedicated gateway server hosted on Amazon’s platform for making cheap, virtual internet servers, known as Elastic Compute Cloud, or EC2. Unlike most residential internet connections, which are periodically assigned new IP addresses, EC2 provides gateways with static IP addresses and none of the headaches — blocked mail delivery ports, router reconfiguration — that make it hard to host an email server at home. Your Helm server, connected to your home network, connects to the gateway using the same technology you might use to access your employer’s office network from home: a virtual private network, or VPN. The gateway’s purpose is to forward encrypted traffic, including email delivery connections, through the VPN tunnel to the Helm device in your house. This architecture explains why, if you look up the IP address of my public email server, helm.micahflee.com, it resolves to the location of my gateway in an Amazon data center, not of my home.

For example, I configured the email app on my phone to connect to helm.micahflee.com, encrypted with TLS. Each time my email app checks for new messages, it connects over the internet to the gateway, which then forwards this encrypted traffic over the VPN tunnel to the Helm device in my house. In other words, the connection between my phone and my Helm device is end-to-end encrypted. Similarly, when there’s an incoming email, the connection between the remote email server and the Helm device is also end-to-end encrypted, but forwarded over the gateway.

So, while both Amazon and Helm (the company) have the technical ability to spy on this server, this spying can’t reveal my emails or my email metadata — all they can see is encrypted traffic. The exception to this is if I’m emailing with someone using a grossly insecure email server that doesn’t support TLS encryption. In this case, Amazon and Helm, and every router that forwards emails to and from that server across the internet, can spy on them. “Over 92% of email traffic is over TLS globally,” Sreenivas wrote in a blog post explaining how Helm’s networking works, “and we will have an option for Helm customers to require all email be transmitted over TLS with the consequence that insecure transmission of emails will be rejected.”

Encrypted Backups and Recovering From Disaster

As discussed previously, Helm protects all its files using full-disk encryption with a key stored in the Secure Enclave. In addition, it encrypts all private data, including emails, contacts, calendar events, and files, a second time using a separate key called the “recovery key.” When you authenticate as a Helm administrator using the mobile app, a copy of this recovery key gets copied to your phone. (Once on your phone, to provide additional security, it is stored in a private area that is not included in phone backups.) And during the Helm setup process, you also copy this key onto the physical key-shaped USB device (this USB device is designed only to store the recovery key; it doesn’t work like a normal USB drive). Having multiple backups of the recovery key, on your phone and on the key-shaped USB device, prevents a “single point of failure,” Sreenivas told me. Also, you’ll need to use the USB recovery key when you log in as the administrator user on the mobile app — for example, the next time you get a new phone.

On the Helm device, the private data is stored in its own filesystem, encrypted using dm-crypt, an encryption system provided by Linux. The Helm then uses an open-source system known as duplicity to regularly upload incremental, encrypted backups to Helm’s servers. (This backup service, along with DNS hosting and your Helm’s gateway server, is what the $100 per year subscription goes toward.) While the Helm company has access to your backups, they don’t have access to the recovery key needed to access any of the data locked inside. Only you do, on your Helm device, your phone, and your key-shaped USB device.

If your Helm breaks, is stolen, or is otherwise destroyed in a disaster, you can get a new Helm device and restore the backup. But to do this, you’ll need either your phone (logged in as the administrator user) or your key-shaped USB device. If you don’t have either of these, you’re out of luck, and there’s nothing the Helm company can do to help you. Such is the price of using encryption and having control over your own keys.

The Mobile App

The final component is the mobile app, available for Android and iOS. As discussed above, this is the sole interface for configuring your Helm. Every user who has an account on the Helm uses the mobile app to log in using their username and password, as well as Bluetooth pairing for proximity-based authentication. Once logged in, users can add new devices, which create unique device passwords, as well as delete devices to revoke access. As an administrator, you can also use the mobile app to manage the DNS on your domain name and add new accounts.

Email Is Only the Beginning

One of the things I’m most excited about as a Helm user is that, over time, Helm plans to add new services to their plug-and-play home server beyond email, contacts, calendar, and files.

In fact, support for a home file server that allows you to sync files between your devices, share files with other users, and privately back up photos from your phone — powered by the open-source Nextcloud project — is a new feature I haven’t fully explored yet.

“We are working on a VPN service that runs off your Helm, which we plan to connect with an ad-blocker,” Sreenivas told me. This would allow you to securely connect into your home network from anywhere, making it more secure to use public Wi-Fi networks and allowing you to access services like Netflix, which normally block VPNs.

Helm also plans on building a password manager that syncs your password database to the device, as well as a private “family chat and messaging” service. New services will appear in updates and won’t cost anything extra, Sreenivas said. Instead they will all be covered in the $100 per year subscription fee.

How Helm Restricts Your Use of Your Server

While Helm is powered by open-source software, and the company has shown a commitment to transparency about the inner workings of its product, it’s important to remember that Helm is an investor-funded startup, and the Helm product is proprietary. Unlike a home Linux server, you can’t log in to it with software like SSH, install software packages (like, say, a web server), or tweak configuration files. You can’t inspect its source code or install Helm’s custom operating system on a computer of your choice, like you could with an open-source operating system such as Ubuntu. With this in mind, here’s what I learned from reviewing the legalese I had to agree to in order to become a Helm user.

The first thing that stood out in the privacy policy is that, like Google, Mail.ru, and all other companies everywhere in the world, Helm must comply with lawful government requests for data. “We may disclose your information if required to do so by law, in response to a court order, judicial or other government subpoena or warrant,” the privacy policy reads.

So if Helm received a data request, what information would they hand over? Sreenivas said the company will return customer information, including the customer’s name, billing address, shipping address, email address, domain name, and their DNS records; device information, including the serial number, software version, which services are enabled, and some diagnostic information like the operating temperature of the customer’s Helm device; and any emails or chats with customer support. They will not, however, be able to return any data that’s stored on the Helm, such as your private email, contact list, calendar events, or files. Sreenivas also told me that Helm will publish a transparency report about how many data requests the company receives and will alert its customers if it receives a request for user data, so long as the company is not prohibited from doing so with a gag order.

Next, Helm can’t guarantee your security. “Please be aware that no security measures are perfect or impenetrable,” the privacy policy states. “We cannot and do not guarantee that your information will not be accessed, viewed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.” This is true of Gmail too — just ask John Podesta. This is also true of everything else that relies on computer security. Perfect computer security is a myth, and companies that claim their products are “hacker-proof” are lying to you.

But the thing that stood out to me in Helm’s terms and conditions as most worrisome is this passage, forbidding users to reverse engineer their Helm devices: “Buyer acknowledges that the Product sold by Seller hereunder contains and embodies trade secrets belonging to Seller and Buyer shall not reverse engineer any products purchased hereunder.”

This is a ban on reverse engineering, preventing a type of close examination of computer hardware and code that can help uncover defects and add new functionality. Such bans are deeply problematic. Sreenivas outlined some plans to mitigate the ban, but at the moment, these are merely promises.

Reverse engineering bans have historically been abused by companies wanting to prevent security researchers from publicizing security flaws in their products. “We want to encourage security researchers to engage with us, so they will be granted an exception,” Sreenivas told me. In addition, Helm offers a bug bounty program in which security researchers can report vulnerabilities they discover and receive a bounty of up to $20,000.

The other way bans on reverse engineering have been abused is by going after “jailbreak” communities. You spent $500 on your Helm device, so what if you want to hack it yourself to run custom software? Sreenivas said that the company plans to make it easy for users to do this by including “effectively an unlock for a developer mode.” This seems like a reasonable compromise to me and is similar to how developer mode in Google’s Chromebooks works, allowing users who want complete control over their Helms to have it, but at the expense of security.

Even Though Helm Can’t Access Your Data, You Still Need to Trust It

If it were malicious, there are a few ways that the Helm company itself could launch an attack against your Helm device. Helm controls the DNS of your custom domain name and your gateway server, which means, if it were so inclined, it has the power it needs to conduct a man-in-the-middle attack against your email service, in which the company would spy on all of your email traffic by impersonating your Helm. The company also controls the updates that your Helm device receives, so it’s within its power to slip into one of the updates a backdoor — a way to surreptitiously log into your Helm device while it’s running, access your data, and install other software.

However, I don’t find this very likely to occur. Not only would it be against Helm’s own interests — the company’s entire business model is based around designing a product in which it does not have access to your emails — an attack like this would ultimately knock your email privacy down to the level of Gmail and Mail.ru, which already have all of this access. They wouldn’t be able to read any emails encrypted with PGP, for example. And additionally, Helm is far from the only company you need to trust not to be malicious. If your domain name registrar were malicious, they could also perform a similar man-in-the-middle attack against your mail server. And the makers of any software — from Microsoft Word to “Fortnite” — could slip a backdoor into an update without you knowing. So, while it’s something to consider, I’m not nearly as worried about this threat when compared to the threats posed by hackers and lawyers.

Helm will do a better job at securing your home email server than any lone individual could — myself included — with the possible exception of a talented DevOps engineer who does this work professionally. And by design, Helm protects your data from the much more serious threats of your email provider pilfering through your inbox, using it to target ads against you, and sending copies of your email to cops or spies who ask for it without your knowledge or consent.

Update, May 3: My explanation of proximity-based authentication has been changed to clarify that you need to be physically near the Helm to create a user account. It is technically possible to give a distant person an email address on your Helm, but you will have full access to their account, which most people would not want.

The post Avoid Surveillance With Helm, a Home Server Anyone Can Use to Keep Emails Truly Private appeared first on The Intercept.

30 Apr 04:00

Robert Caro Shares Reporting Tips from His Legendary Career Exposing Dealings of LBJ & Robert Moses

Tom Roche

more excellent anecdotes; see part 1 @ http://www.democracynow.org/shows/2019/04/29

Web-only conversation with the Pulitzer Prize-winning journalist Robert Caro. His new book is “Working: Researching, Interviewing, Writing.” Caro talks about his early journalism career, researching “The Power Broker” and his continuing work on the life and times of Lyndon B. Johnson.
30 Apr 04:00

Democracy Now! 2019-04-29 Monday

Tom Roche

excellent Robert Caro interview for the hour, part 2 @ https://www.democracynow.org/2019/4/29/robert_caro_shares_reporting_tips_from

Democracy Now! 2019-04-29 Monday

  • Headlines for April 29, 2019
  • From LBJ to Robert Moses: Robert Caro on Writing About Political Power & Its Impact on the Powerless

29 Apr 02:13

Yanis Varoufakis: The Green New Deal for Europe

by Maria
Tom Roche

good talk, but actually quite little about a Green New Deal for Europe

Yanis Varoufakis was already an internationally known economist and academic when he was elected to the Greek parliament as a member of the Syriza party. He served as Minister of Finance from January to July 2015. He resigned when Syriza broke its campaign promise to re-negotiate Greece’s debt and significantly curtail the austerity measures imposed on Greece. Varoufakis has become one of the most eloquent and best-known critics of the unlimited economic growth systems in Europe and the US – that make the largest corporations and financial institutions major drivers of climate change. Yanis Varoufakis is answering the question: What’s wrong in Europe today and how to fix it tomorrow morning and presents the Green New Deal for Europe and how it [ . . . ]

24 Apr 20:50

The Authoritarian Absurdity of the U.S. Constitution TWO of TWO

by Maria
Paul Street on Why it Matters Today  This is the conclusion of Part ONE of the talk by Paul Street, an independent radical-democratic policy researcher, teacher, journalist, historian, and author of seven books. In this talk, that he gave at the Open University of the Left in Chicago in March 2019, he offered arguments and proof that the US constitution is not the sacred document protecting the “Peoples Rights”, but on the contrary is authoritarian and anti-democratic by design. After a summary from Part ONE the topics in this part TWO range from problems with impeachment, the Supreme Court decisions equating money with speech and with the Democratic Party neo-liberal tendencies. Conversely the formation of a third party is also made [ . . . ]

24 Apr 20:49

The Authoritarian Absurdity of the U.S. Constitution ONE of TWO

by Maria
Paul Street on Why it Matters Today – Paul Street is an independent radical-democratic policy researcher, teacher, journalist, historian, and author of seven books. In this talk, that he gave at the Open University of the Left in Chicago in March 2019, he offered arguments and proof that the US constitution is not the sacred document protecting the “Peoples Rights”, but on the contrary is authoritarian and anti-democratic by design. For the 18th Century slaveholders and merchants popular sovereignty was the ultimate nightmare and they embedded safety mechanisms into the constitution that remain in force today via the Senate, Supreme Court and Electoral College. Street details how U.S. politics and policy are badly distorted by the nation’s exceptionally durable charter and [ . . . ]

23 Apr 20:40

LSE IQ Episode 24 | How can we age better? [Audio]

Tom Roche

skippable

Speaker(s): Professor Hiroko Akiyama, Kath Scanlon, Dr Thijs Van Den Broek, Professor Alan Walker | We hope you're enjoying this year's programme of public events and that you'll stay tuned for the exciting events we have lined up, for the summer term. In the meantime we have another podcast series we think you might enjoy. LSE IQ is an award-winning monthly podcast in which we ask some of the smartest social scientists - and other experts - to answer intelligent questions about economics, politics or society. Recent episodes have tackled questions such as 'Is the gentrification of our global cities inevitable?', 'Should we fear the rise of the far right?' and 'How does the modern world affect relationships?'. To give you a taste of LSEIQ the latest episode, which asks 'How can we age better?', is available for you here in our public events podcast feed. To listen to other episodes, search for LSE IQ in your favourite podcast app or visit lse.ac.uk/iq. We'd like to hear your opinion too so why not join the discussion on social media using the hashtag LSEIQ and please also consider leaving a review on iTunes as this makes the podcast easier for new listeners to discover.
20 Apr 17:53

Behind the News, 4/18/19

Tom Roche

Fogel piece is excellent, Rodriguez skippable. Rossana Rodriguez on her successful campaign as a socialist for the Chicago city council, joining five other socialists • Benjamin Fogel, author of https://jacobinmag.com/2018/10/corruption-bolsonaro-pt-populism-democracy-development and https://mg.co.za/article/2019-04-12-00-bolsonaros-three-month-rule-a-disaster , on the lunacy of Bolsonaro’s early months as president of Brazil

Behind the News, 4/18/19 - guests: Rossana Rodriguez, Benjamin Fogel - Doug Henwood
19 Apr 04:31

Media Cheer Assange’s Arrest

by Alan MacLeod
Tom Roche

new moral depths for the Anglophone corporate-funded media

Julian Assange was arrested inside the Ecuadorian embassy in London on April 11. The Australian-born co-founder of Wikileaks had been trapped in the building since 2012 after taking refuge there. He was immediately found guilty of failing to surrender to a British court, and was taken to Belmarsh prison. An extradition to the United States is widely seen as imminent by corporate media, who have, by and large, strongly approved of these events.

Washington Post: Julian Assange is not a free-press hero. And he is long overdue for personal accountability.

The Washington Post (4/11/19) suggested that journalists who hope that their work affects the outcome of a political race are not really journalists.

A Washington Post editorial (4/11/19) claimed Assange was “no free-press hero” and insisted the arrest was “long overdue.” Likewise, the Wall Street Journal (4/11/19) demanded “accountability” for Assange, saying, “His targets always seem to be democratic institutions or governments.”

Other coverage was more condemnatory still. The View’s Meghan McCain (4/11/19) declared she hoped Assange “rots in hell.” Saturday Night Live’s Colin Jost (4/13/19) said it was “so satisfying to see an Internet troll get dragged out into the sunlight.” But it was perhaps the National Review (4/12/19) that expressed the most enthusiastic approval of Assange’s arrest, condemning him for his “anti-Americanism, his antisemitism and his raw personal corruption” and for harming the US with his “vile spite.”

Both the United Nations and the ACLU have denounced Assange’s arrest, with the former condemning Sweden and the UK for depriving him of liberty and freedom, ordering them to pay compensation for the many years he was confined to the embassy. Despite this, establishment media have overwhelmingly described this situation with a euphemism: Mr. Assange’s “self-imposed isolation” (CNN, 4/11/19; USA Today, 4/11/19; New York Times, 4/11/19), a phrase that conjures a very different image of the situation and the responsibilities of the various parties involved. The Daily Beast (4/11/19) made this implication explicit, describing Assange’s predicament as “voluntary confinement.”

Assange is a controversial character who originally took refuge in the Ecuadorian embassy after England’s High Court ruled to extradite him to Sweden to face charges of rape. Yet most of the media coverage downplayed or even did not mention this (e.g., Bloomberg, 4/11/19; National Review, 4/12/19; Daily Beast, 4/11/19), suggesting they did not consider it relevant.

The universal charge of narcissism

London Times: You take in that narcissist Julian Assange to stick it to the Yanks . . . and suddenly it all goes wrong

The London Times‘ original headline (4/7/19) referred to Assange as an “albino narcissist.”

Celebrating his arrest, The Week (4/11/19) attacked Assange as a “delusional, childish narcissist” who undermined the security of every nation. A host of other media outlets across the spectrum (Washington Post, 4/12/19; New York Times, 4/12/19; London Times, 4/7/19) similarly framed him as a “narcissist,” one with an “outsized view of his own importance,” despite his poor “personal hygiene,” according to the New York Times (4/11/19).

The narcissist accusation is a common trope thrown at enemies of the US establishment, including Venezuelan president Hugo Chávez (National Review, 6/27/07; Economist, 3/9/13; Miami Herald, 7/25/15), Vladimir Putin (Atlantic, 4/15/14; Guardian, 3/10/18) and even Bernie Sanders (Huffington Post, 2/9/16; New York, 11/25/18). It was also exactly the same line of attack the media used against Edward Snowden, the whistleblower who leaked NSA documents (e.g., New Yorker, 6/10/13; Bloomberg, 11/1/13; Chicago Tribune, 12/23/14), and how the prosecution portrayed Chelsea Manning at her trial, suggesting it is a convenient putdown rather than a good-faith description of anti-establishment figures.

Manning had offered the files that came to be known as the Iraq War Logs to both the Washington Post and New York Times. However, only Wikileaks decided to publish them. The files showed evidence of US war crimes in the Middle East, and shot both Manning and Assange onto the world stage.

The UK press reaction

Daily Mail: That'll Wipe the Smile Off His Face

The Daily Mail (4/12/19) relished reporting that Assange’s “smirk vanished” in court.

The infamously acerbic British press responded to Assange’s arrest with undisguised glee. The Daily Mail’s front-page headline (4/12/19) read, “That’ll Wipe the Smile Off His Face,” and devoted four pages to the “downfall of a narcissist” who was removed from “inside his fetid lair” to finally “face justice.” The Daily Mirror (4/11/19) described him as “an unwanted guest who abused his hospitality,” while the Times of London (4/12/19) claimed “no one should feel sorry” for the “overdue eviction.”

The Mirror (4/13/19) also published an opinion piece from Labour member of Parliament Jess Phillips that began by stating, “Finally Julian Assange, everyone’s least favorite squatter, has been kicked out of the Ecuadorian embassy.” She described the 47-year-old Australian as a “grumpy, stroppy teenager.”

At the far-left of the corporate media spectrum, the New Statesman (4/12/19) described Assange as a “demented-looking gnome.” The Glasgow Herald editorial board (4/13/19) summed up the press reaction: “Julian Assange is not a journalist, and he’s not a hero, and his day in court is long overdue.”

Is Assange a journalist?

The central question of whether Assange is a journalist has been discussed at great length this week in corporate media. The resounding response has been “no.”

CNN: Julian Assange Is an Activist, Not a Journalist

Frida Ghitis (CNN, 4/11/19) maintained that Assange is “not entitled to the protections that the law—and democracy—demand for legitimate journalists.”

The National Review (4/12/19) declared him a “petty, biased, hostile foreign actor”; CNN (4/11/19) described him as an activist, not a journalist, demanding he “face justice.” Fox News (4/12/19) also labeled him an activist, one who is using journalism as a “fig leaf for his reckless conduct.” Other outlets (Bloomberg, 4/11/19; Washington Post, 4/11/19) have also been eager to insist Assange is not a journalist.

The New York Times editorial board (4/11/19) writes that while Assange’s arrest will likely raise questions about press freedom, for now, the Trump administration has “done well” by charging the “scraggly-bearded refugee” with an “indisputable crime.” They argue that there is currently technically no First Amendment issue because he is no journalist but a “foreign agent seeking to undermine the security of the United States through theft,” who highlights the “sharp line between legitimate journalism and dangerous cybercrime.”

Veteran journalist and supporter of Assange John Pilger disagrees, contending that his arrest is a historically important warning to “real journalists,” who are few and far between at establishment media, who resent him for highlighting their subservience to the elite.

Whatever your view of Assange might be, it seems clear he shares virtually nothing in common with those in positions of influence in big media outlets, who have been only too happy to watch his demise.


Featured image: Bloomberg depiction (4/11/19) of Julian Assange, described as looking “like a cranky, beleaguered version of Santa Claus.”

17 Apr 14:18

Cornel West on Bernie, Trump, and Racism

Tom Roche

excellent

Many have attributed Bernie Sanders’ loss to Hillary Clinton in the 2016 primaries to a poor showing among black voters. Bernie has since worked hard to make inroads there, incorporating themes of racial discrimination and inequality into his campaign message. Yet questions persist about whether or not Bernie Sanders has a “race problem”. One of Sanders’ most prominent African American surrogates in his last run for the White House was philosopher and political activist Cornel West, who continues to argue that black America should embrace "Brother Bernie". On this week’s show, Mehdi Hasan and Dr. West discuss Bernie Sanders’ presidential chances and how he has progressed on race issues.

17 Apr 01:56

The Legal Aspects of Julian Assange’s Arrest. Then, A Celebration of KPFA’s 70th Anniversary

16 Apr 15:43

Julian Assange - victim or villain?

Tom Roche

excellent defense by Yanis Varoufakis

Julian Assange has been taken into custody in the UK after Ecuador revoked his asylum. Now the arguments begin over what happens to him next.
15 Apr 16:21

What animals can teach us about politics

Decades of studying primates has convinced me that animal politics are not so different from our own – and even in the wild, leadership is about much more than being a bully.
15 Apr 16:20

Can the world quench China’s bottomless thirst for milk?

China’s leaders have championed milk as the emblem of a modern, affluent society – but their radical plan to triple the nation’s consumption will have a huge environmental cost.
14 Apr 17:25

Uber nichts

by Doug Henwood
Tom Roche

not only why Uber's IPO is a bad investment, but why IPOs in general are bad investments

Finally, after years of tease and denial, the unicorns are going public. These phenomenally valued firms, pumped up by venture capitalists (VCs), remained private for far longer than they did in previous startup manias, most notably the dot.com bubble of the late 1990s. That’s changing.

A bit of history. In August 1995, Netscape, maker of one of the first web browsers, sold stock to the public for the first time. (Until then, it had been backed and owned by a small circle of managers and VCs.) Initially priced at $14 a share, its handlers, spying fervent demand, doubled the offering price to $28, but by the end of the day it was trading at $58. Spectators were impressed. Everyone wanted to be the next Netscape, sparking a remarkable five-year period when every lunatic scheme that techies, boosters, and financiers could dream up would sell stock to a lusting public. It was the era of Pets.com, Webvan.com, Kozmo.com—things that look crazy in retrospect but only gloomy Marxists and reactionary permabears thought to be at the time.

A few companies born during this period, like Amazon, Google, and eBay, survived, but almost all of them disappeared when the stock bubble burst in the spring of 2000. Without fresh injections of money from suckers, these structurally unprofitable firms couldn’t survive. And with that bust, the market for initial public offerings (IPOs) dried up for years—as did startups more generally.

That began changing about six years ago, when we finally emerged from the Great Recession, with the advent of the unicorn, a startup valued at $1 billion or more. The term was coined by VC Aileen Lee in a November 2013 TechCrunch blog post. Then, she counted 39 of the critters, led by “super-unicorn” Facebook, trailed by, among others, LinkedIn, Twitter, Groupon (it still exists!), Uber, and Lyft. (Their numbers have grown spectacularly since Lee coined the term. CB Insights counts 342 unicorns worldwide now.) LinkedIn was bought by Microsoft in 2016, and is doing rather well. A few of the others did IPOs. Facebook is quite a success; it’s making real money, at least for now, and its stock is up over 120% from the offering price. The others are another story. Groupon is losing money, and its stock has shed 85% of its value (over a period when the broad market, as measured by the S&P 500, is up 130%). Twitter is mildly profitable, but its stock is off 22% from its debut, a period when the S&P 500 is up 62%.

Despite that spotty record, investors have been passionately awaiting the IPOs of the other unicorns. It’s not entirely clear why it’s taken so long—memories of the dot.com bust? of the financial crisis? shyness in the face of the scrutiny going public requires?—but they’re finally happening. Lyft went public on March 29 at $72 a share. It quickly popped to just under 89, only to reverse. It’s now trading at 59, down 18% from the offering and 33% from the first-rush price. Next up: Uber, the second-biggest of the unicorns worldwide. It filed the preliminary prospectus for its IPO yesterday and it’s an entertaining read.

I love prospectuses. In a society marinating in bullshit, they’re a rare genre where authors are legally mandated to tell the darkest truths. And Uber’s is a fine example of the breed.

It’s not bullshit-free. There’s some jargon-infused cheerleading at the beginning, starting with a block of text announcing “We ignite opportunity by setting the world in motion.” And CEO Dara Khosrowshahi’s opening letter does not shy away from boosterism: “a watershed moment,” “a willingness to…reinvent—sometimes even disrupt—ourselves,” “optimize for the happiness and loyalty of our customers,” “stellar execution,” all capped by a promise of “passion, humility, and integrity.” But soon after the page numbers go from Roman to Arabic, things get real.

First, some figures. Uber loses buckets of money. It lost $3.0 billion in 2018 on $11.2 billion in revenue from its basic operations. It sold its interest in a couple of other ride-hailing firms, which enabled it to book a profit, but despite a tripling in revenue since 2016, its losses were essentially the same in both years.

Then the fun begins, the disclosure of all the troubles facing the firm. For example, you might hope that these losses are just growing pains, although the company is ten years old. But, no: “we may not be able to achieve or maintain profitability in the near term or at all.”

A few more highlights (with direct quotes in italics and my comments in roman type):

The assumed initial public offering price of $_ per share is substantially higher than the net tangible book value per share of our outstanding common stock immediately after this offering. If you purchase shares of our common stock in this offering, you will experience substantial and immediate dilution. In other words, by creating this stock and selling it to the public, we’re slicing the ownership into millions of parts, meaning the new owners will collectively have a far smaller claim on the company than its previous owners. While this is true of all IPOs, it’s one of several reasons to wonder why anyone buys into them. (By the way, the dollar amount is blank because this is a preliminary document and the final numbers haven’t been set. The presumed price is around $100 a share, but Lyft’s stumbling performance may knock a few bucks off the offering price.)

And how much is the company actually worth? They’ve got an answer for that and it’s not an inspiring one: Our historical net tangible book value as of December 31, 2018 was $(7,620) million or $(0.02) per share. Net tangible book value consists of the real assets of a company—its physical properties, like buildings and equipment—less its debts. By this valuation, Uber is $7.6 billion in the red. (Parentheses are how you do negative numbers in financial statements.) Traditional investors looked for stocks with a low ratio of market price to book value; the legendary Benjamin Graham thought you should never buy a stock with a price to book ratio of over 1.5. Uber’s is essentially infinite. But that’s old stick-in-the-mud thinking. According to the new thinking, which went out of fashion after the dot.com bubble burst but has since returned, a firm like Uber’s value comes from intangibles, like its intellectual property, its app, its relationships, its reputation.

Uber has had some serious issues with its reputation (a word that appears 60 times in the prospectus). As they say:

Maintaining and enhancing our brand and reputation is critical to our business prospects. We have previously received significant media coverage and negative publicity, particularly in 2017, regarding our brand and reputation, and failure to rehabilitate our brand and reputation will cause our business to suffer…. We have previously received a high degree of negative media coverage around the world, which has adversely affected our brand and reputation and fueled distrust of our company. In 2017, the #DeleteUber campaign prompted hundreds of thousands of consumers to stop using our platform within days. Subsequently, our reputation was further harmed when an employee published a blog post alleging, among other things, that we had a toxic culture and that certain sexual harassment and discriminatory practices occurred in our workplace. Shortly thereafter, we had a number of highly publicized events and allegations, including investigations related to a software tool allegedly designed to evade and deceive authorities, a high-profile lawsuit filed against us by Waymo, and our disclosure of a data security breach. These events and the public response to such events, as well as other negative publicity we have faced in recent years, have adversely affected our brand and reputation, which makes it difficult for us to attract and retain platform users, reduces confidence in and use of our products and offerings, invites legislative and regulatory scrutiny, and results in litigation and governmental investigations. Concurrently with and after these events, our competitors raised additional capital, increased their investments in certain markets, and improved their category positions and market shares, and may continue to do so.

That ex-employee is Susan Fowler, and her blog post is quite a document. Within a couple of weeks of taking the job, she was propositioned by her manager. She complained to HR, which told her to take another job elsewhere in the firm (though what she was doing was exactly in line with her expertise), or face what would almost certainly be a poor performance review. Her boss wasn’t disciplined. She soon heard of many similar experiences from other women at Uber.

And not just that: “In the background, there was a game-of-thrones political war raging within the ranks of upper management….” No one knew what was going on or how to work. Or, as the prospectus puts it, Our workplace culture also created a lack of transparency internally, which has resulted in siloed teams that lack coordination and knowledge sharing, causing misalignment and inefficiencies in operational and strategic objectives. 

But the history of scandal went back further than 2017, most notoriously to 2014, when an Uber exec, Emil Michael, disclosed to a BuzzFeed reporter in a conversation he thought was off the record that he was thinking of spending a million dollars to do opposition research on critical journalists and spread dirt on their personal lives. He singled out Sarah Lacy, who’d been writing critically about the firm on her website, PandoDaily.

All that happened under the reign of Uber’s co-founder, Travis Kalanick, an Ayn Rand-admiring man described by colleagues as a “douche” and an “asshole.” Kalanick was finally ousted by the board after it came to light that the firm had, quite outrageously, obtained medical records of a woman who’d said she was raped by an Uber driver in India in hopes of proving that she’d invented the story. According to Lacy, this was not a new strategy; the firm had been bad-mouthing other women who’d been reporting having been raped by Uber drivers. In June 2017, Kalanick was replaced by Dara Khosrowshahi, the CEO who promised integrity and humility.

But Uber’s troubles have persisted even in the post-Travis era. As the prospectus discloses, we faced negative press related to suicides of taxi drivers in New York City reportedly related to the impact of ridesharing on the taxi cab industry. As of December 2018, eight drivers in the city had committed suicide. One, who shot himself on the steps of City Hall, had said he’d been working 100 hours a week and was still broke because Uber had flooded the streets with competing cars.

Hits to the company’s reputation can do some serious damage, as the #deleteUber campaign revealed. And the firm operates in a reputational minefield: If platform users engage in, or are subject to, criminal, violent, inappropriate, or dangerous activity that results in major safety incidents, our ability to attract and retain Drivers, consumers, restaurants, shippers, and carriers may be harmed, which could have an adverse impact on our reputation, business, financial condition, and operating results.

So, the company is losing billions, has essentially no underlying value, and its business could be hammered overnight. But it’s not just that. As Lacy put it in an interview soon after Kalanick’s ouster, “The thing that’s gonna kill Uber has nothing to do with who’s at the company, has nothing to do with scandals, has nothing to do with any of this. The thing that’s gonna kill Uber is when Uber finally has to charge what it costs to get a car to you.” It’s been underpricing to lure customers, and it’s been paying bonuses to retain drivers—all the while it’s been expanding into new cities. If it ever had to recognize that its drivers are employees and not independent contractors, its costs would rise dramatically. Short of that, it’s facing rude legislation in some jurisdictions: in December 2018, New York City approved per-mile and per-minute rates for drivers, designed to target minimum hourly earnings for drivers providing for-hire services in New York City and surrounding areas. (That minimum wage is $17.22 an hour after expenses, more than $5 below the city’s median wage, though it’s $3 above the existing median for cab drivers.) It’s one thing to pay your drivers pennies and burn your investors’ cash to price below cost; it’s another thing entirely to run a self-sustaining business.

Oh, but driverless vehicles will reconcile all contradictions! Maybe, but: Autonomous vehicle technologies involve significant risks and liabilities. We have conducted real-world testing of our autonomous vehicles, involving a trained driver in the driver’s seat monitoring operations while the vehicle is in autonomous mode. In March 2018, one of these test vehicles struck and killed a pedestrian in Tempe, Arizona. Following that incident, we voluntarily suspended real-world testing of our autonomous vehicles for several months in all markets where we were conducting real-world testing, which was a setback for our autonomous vehicle technology efforts. Failures of our autonomous vehicle technologies or additional crashes involving autonomous vehicles using our technology would generate substantial liability for us, create additional negative publicity about us, or result in regulatory scrutiny, all of which would have an adverse effect on our reputation, brand, business, prospects, and operating results. So salvation from eliminating the human element could take years, with a high risk of intervening unpleasantness.

After reading this, who would buy Uber stock? (Actually, it’s likely that very few people other than professional skeptics read prospectuses, so that’s a rhetorical question.) More broadly, why does anyone buy an IPO? (Somewhat less rhetorical.) After all, they’re always about insiders selling to outsiders, people who know more selling to those who know less. If the newborn stock is such a great buy, why are they unloading it instead of holding onto it themselves? The point is confirmed by the work of Jay Ritter, the leading academic expert on IPOs. He finds that since 1980, IPOs have underperformed the overall market by 18 percentage points. If you want to play the stock market, you’d do far better with a Vanguard index fund, though a moment when the stock market is very richly valued and dodgy IPOs are getting fired off might not be the best time to start.

But rationality be damned! The dream of finding the next Amazon or Google or Facebook keeps the racket going. It may be Uber, but odds are it isn’t.

 

13 Apr 18:47

Behind the News, 4/11/19

Tom Roche

Raj Patel and Jim Goodman, authors of https://www.jacobinmag.com/2019/04/green-new-deal-agriculture-farm-workers , talk about agriculture under a Green New Deal • Leigh Phillips and Michal Rozworski, authors of The People’s Republic of Walmart: How the World’s Biggest Corporations are Laying the Foundation for Socialism, revive the idea of socialist planning

Behind the News, 4/11/19 - guests: Raj Patel and Jim Goodman; Leigh Phillips and Michal Rozworski - Doug Henwood
13 Apr 18:40

The U.S. Government’s Indictment of Julian Assange Poses Grave Threats to Press Freedom

by Glenn Greenwald

The indictment of Julian Assange unsealed today by the Trump Justice Department poses grave threats to press freedoms, not only in the U.S. but around the world. The charging document and accompanying extradition request from the U.S. government, used by the U.K. police to arrest Assange once Ecuador officially withdrew its asylum protection, seeks to criminalize numerous activities at the core of investigative journalism.

So much of what has been reported today about this indictment has been false. Two facts in particular have been utterly distorted by the DOJ and then misreported by numerous media organizations.

The first crucial fact about the indictment is that its key allegation — that Assange did not merely receive classified documents from Chelsea Manning but tried to help her crack a password in order to cover her tracks — is not new. It was long known by the Obama DOJ and was explicitly part of Manning’s trial, yet the Obama DOJ — not exactly renowned for being stalwart guardians of press freedoms — concluded that it could not and should not prosecute Assange because indicting him would pose serious threats to press freedom. In sum, today’s indictment contains no new evidence or facts about Assange’s actions; all of it has been known for years.

The other key fact being widely misreported is that the indictment accuses Assange of trying to help Manning obtain access to document databases to which she had no valid access: i.e., hacking rather than journalism. But the indictment alleges no such thing. Rather, it simply accuses Assange of trying to help Manning log into the Defense Department’s computers using a different username so that she could maintain her anonymity while downloading documents in the public interest and then furnish them to WikiLeaks to publish.

In other words, the indictment seeks to criminalize what journalists are not only permitted but ethically required to do: take steps to help their sources maintain their anonymity. As longtime Assange lawyer Barry Pollack put it: “The factual allegations … boil down to encouraging a source to provide him information and taking efforts to protect the identity of that source. Journalists around the world should be deeply troubled by these unprecedented criminal charges.”

That’s why the indictment poses such a grave threat to press freedom. It characterizes as a felony many actions that journalists are not just permitted but required to take in order to conduct sensitive reporting in the digital age.

But because the DOJ issued a press release with a headline that claimed that Assange was accused of “hacking” crimes, media outlets mindlessly repeated this claim even though the indictment contains no such allegation. It merely accuses Assange of trying to help Manning avoid detection. That’s not “hacking.” That’s called a core obligation of journalism.

The history of this case is vital for understanding what actually happened today. The U.S. government has been determined to indict Julian Assange and WikiLeaks since at least 2010, when the group published hundreds of thousands of war logs and diplomatic cables revealing numerous war crimes and other acts of corruption by the U.S., the U.K., and other governments around the world. To achieve that goal, the Obama DOJ empaneled a grand jury in 2011 and conducted a sweeping investigation into WikiLeaks, Assange, and Manning.

But in 2013, the Obama DOJ concluded that it could not prosecute Assange in connection with the publication of those documents because there was no way to distinguish what WikiLeaks did from what the New York Times, The Guardian, and numerous media outlets around the world routinely do: namely, work with sources to publish classified documents.

The Obama DOJ tried for years to find evidence to justify a claim that Assange did more than act as a journalist — that he, for instance, illegally worked with Manning to steal the documents — but found nothing to justify that accusation and thus, never indicted Assange (as noted, the Obama DOJ since at least 2011 was well-aware of the core allegation of today’s indictment — that Assange tried to help Manning circumvent a password wall so she could use a different username — because that was all part of Manning’s charges).

So Obama ended eight years in office without indicting Assange or WikiLeaks. Everything regarding Assange’s possible indictment changed only at the start of the Trump administration. Beginning in early 2017, the most reactionary Trump officials were determined to do what the Obama DOJ refused to do: indict Assange in connection with publication of the Manning documents.

As the New York Times reported late last year, “Soon after he took over as C.I.A. director, [current Secretary of State] Mike Pompeo privately told lawmakers about a new target for American spies: Julian Assange, the founder of WikiLeaks.” The Times added that “Mr. Pompeo and former Attorney General Jeff Sessions unleashed an aggressive campaign against Mr. Assange, reversing an Obama-era view of WikiLeaks as a journalistic entity.”

In April, 2017, Pompeo, while still CIA chief, delivered a deranged speech proclaiming that “we have to recognize that we can no longer allow Assange and his colleagues the latitude to use free speech values against us.” He punctuated his speech with this threat: “To give them the space to crush us with misappropriated secrets is a perversion of what our great Constitution stands for. It ends now.”

From the start, the Trump DOJ has made no secret of its desire to criminalize journalism generally. Early in the Trump administration, Sessions explicitly discussed the possibility of prosecuting journalists for publishing classified information. Trump and his key aides were open about how eager they were to build on, and escalate, the Obama administration’s progress in enabling journalism in the U.S. to be criminalized.

Today’s arrest of Assange is clearly the culmination of a two-year effort by the U.S. government to coerce Ecuador — under its new and submissive president, Lenín Moreno — to withdraw the asylum protection it extended to Assange in 2012. Rescinding Assange’s asylum would enable the U.K. to arrest Assange on minor bail-jumping charges pending in London and, far more significantly, to rely on an extradition request from the U.S. government to send him to a country to which he has no connection (the U.S.) to stand trial relating to leaked documents.

Indeed, the Trump administration’s motive here is clear. With Ecuador withdrawing its asylum protection and subserviently allowing the U.K. to enter its own embassy to arrest Assange, Assange faced no charges other than a minor bail-jumping charge in the U.K. (Sweden closed its sexual assault investigation not because they concluded Assange was innocent, but because they spent years unsuccessfully trying to extradite him). By indicting Assange and demanding his extradition, it ensures that Assange — once he serves his time in a London jail for bail-jumping — will be kept in a British prison for the full year or longer that it takes for the U.S. extradition request, which Assange will certainly contest, to wind its way through the British courts.

The indictment tries to cast itself as charging Assange not with journalistic activities but with criminal hacking. But it is a thinly disguised pretext for prosecuting Assange for publishing the U.S. government’s secret documents while pretending to make it about something else.

Whatever else is true about the indictment, substantial parts of the document explicitly characterize as criminal exactly the actions that journalists routinely engage in with their sources and thus constitute a dangerous attempt to criminalize investigative journalism.

The indictment, for instance, places great emphasis on Assange’s alleged encouragement that Manning — after she already turned over hundreds of thousands of classified documents — try to get more documents for WikiLeaks to publish. The indictment claims that “discussions also reflect Assange actively encouraging Manning to provide more information. During an exchange, Manning told Assange that ‘after this upload, that’s all I really have got left.’ To which Assange replied, ‘curious eyes never run dry in my experience.’”

But encouraging sources to obtain more information is something journalists do routinely. Indeed, it would be a breach of one’s journalistic duties not to ask vital sources with access to classified information if they could provide even more information so as to allow more complete reporting. If a source comes to a journalist with information, it is entirely common and expected that the journalist would reply: Can you also get me X, Y, and Z to complete the story or to make it better? As Edward Snowden said this morning, “Bob Woodward stated publicly he would have advised me to remain in place and act as a mole.”

Investigative journalism in many, if not most, cases, entails a constant back and forth between journalist and source in which the journalist tries to induce the source to provide more classified information, even if doing so is illegal. To include such “encouragement” as part of a criminal indictment — as the Trump DOJ did today — is to criminalize the crux of investigative journalism itself, even if the indictment includes other activities you believe fall outside the scope of journalism.

As Northwestern journalism professor Dan Kennedy explained in The Guardian in 2010 when denouncing as a press freedom threat the Obama DOJ’s attempts to indict Assange based on the theory that he did more than passively receive and publish documents — i.e., that he actively “colluded” with Manning:

The problem is that there is no meaningful distinction to be made. How did the Guardian, equally, not “collude” with WikiLeaks in obtaining the cables? How did the New York Times not “collude” with the Guardian when the Guardian gave the Times a copy following Assange’s decision to cut the Times out of the latest document dump?

For that matter, I don’t see how any news organisation can be said not to have colluded with a source when it receives leaked documents. Didn’t the Times collude with Daniel Ellsberg when it received the Pentagon Papers from him? Yes, there are differences. Ellsberg had finished making copies long before he began working with the Times, whereas Assange may have goaded Manning. But does that really matter?

Most of the reports about the Assange indictment today have falsely suggested that the Trump DOJ discovered some sort of new evidence that proved Assange tried to help Manning hack through a password in order to use a different username to download documents. Aside from the fact that those attempts failed, none of this is new: As the last five paragraphs of this 2011 Politico story demonstrate, that Assange talked to Manning about ways to use a different username so as to avoid detection was part of Manning’s trial and was long known to the Obama DOJ when they decided not to prosecute.

There are only two new events that explain today’s indictment of Assange: 1) The Trump administration from the start included authoritarian extremists such as Sessions and Pompeo who do not care in the slightest about press freedom and were determined to criminalize journalism against the U.S., and 2) With Ecuador about to withdraw its asylum protection, the U.S. government needed an excuse to prevent Assange from walking free.

A technical analysis of the indictment’s claims similarly proves the charge against Assange to be a serious threat to First Amendment press liberties, primarily because it seeks to criminalize what is actually a journalist’s core duty: helping one’s source avoid detection. The indictment deceitfully seeks to cast Assange’s efforts to help Manning maintain her anonymity as some sort of sinister hacking attack.

The Defense Department computer that Manning used to download the documents which she then furnished to WikiLeaks was likely running the Windows operating system. It had multiple user accounts on it, including an account to which Manning had legitimate access. Each account is protected by a password, and Windows computers store a file that contains a list of usernames and password “hashes,” or scrambled versions of the passwords. Only accounts designated as “administrator,” a designation Manning’s account lacked, have permission to access this file.

The indictment suggests that Manning, in order to access this password file, powered off her computer and then powered it back on, this time booting to a CD running the Linux operating system. From within Linux, she allegedly accessed this file full of password hashes. The indictment alleges that Assange agreed to try to crack one of these password hashes, which, if successful, would recover the original password. With the original password, Manning would be able to log directly into that other user’s account, which — as the indictment puts it — “would have made it more difficult for investigators to identify Manning as the source of disclosures of classified information.”

Assange appears to have been unsuccessful in cracking the password. The indictment alleges that “Assange indicated that he had been trying to crack the password by stating that he had ‘no luck so far.’”

Thus, even if one accepts all of the indictment’s claims as true, Assange was not trying to hack into new document files to which Manning had no access, but rather trying to help Manning avoid detection as a source. For that reason, the precedent that this case would set would be a devastating blow to investigative journalists and press freedom everywhere.

Journalists have an ethical obligation to take steps to protect their sources from retaliation, which sometimes includes granting them anonymity and employing technical measures to help ensure that their identity is not discovered. When journalists take source protection seriously, they strip metadata and redact information from documents before publishing them if that information could have been used to identify their source; they host cloud-based systems such as SecureDrop, now employed by dozens of major newsrooms around the world, that make it easier and safer for whistleblowers, who may be under surveillance, to send messages and classified documents to journalists without their employers knowing; and they use secure communication tools like Signal and set them to automatically delete messages.

But today’s indictment of Assange seeks to criminalize exactly these types of source-protection efforts, as it states that “it was part of the conspiracy that Assange and Manning used a special folder on a cloud drop box of WikiLeaks to transmit classified records containing information related to the national defense of the United States.” 

The indictment, in numerous other passages, plainly conflates standard newsroom best practices with a criminal conspiracy. It states, for instance, that “it was part of the conspiracy that Assange and Manning used the ‘Jabber’ online chat service to collaborate on the acquisition and dissemination of the classified records, and to enter into the agreement to crack the password […].” There is no question that using Jabber, or any other encrypted messaging system, to communicate with sources and acquire documents with the intent to publish them, is a completely lawful and standard part of modern investigative journalism. Newsrooms across the world now use similar technologies to communicate securely with their sources and to help their sources avoid detection by the government.

The indictment similarly alleges that “it was part of the conspiracy that Assange and Manning took measures to conceal Manning as the source of the disclosure of classified records to WikiLeaks, including by removing usernames from the disclosed information and deleting chat logs between Assange and Manning.”

Removing metadata that could help identify an anonymous source, such as usernames, is a critical step in protecting sources. Indeed, in 2017, The Intercept published a top-secret National Security Agency document claiming that Russian military intelligence played a role in hacking U.S. election infrastructure during the 2016 election. The person accused and convicted of having provided the document, whistleblower Reality Winner, had already been arrested by the time the story was published.

The Intercept was widely criticized when computer security experts discovered that the document included nearly invisible yellow “printer dots” that track exactly when and where it was printed, which most modern printers add to every document that gets printed. While there’s no evidence that these printer dots contributed to Winner becoming a suspect (the FBI’s affidavit says she was one of only six people who had printed this document, and the only one of those who had email contact with The Intercept), they could have aided an investigation, and The Intercept, as its editor-in-chief acknowledged, should have taken greater care to remove this metadata before publishing the document.

That is because it is not only common but ethically required for a journalist to do everything possible to protect a source from detection. Virtually the entirety of the accusations against Assange in today’s indictment consist of him doing exactly that.

For that reason, the indictment, at its core, clearly seeks to criminalize what investigative journalism necessarily entails in order for it to be effective. That is why civil liberties organizations, press freedom groups and political figures from around the world — including Jeremy Corbyn, U.S. Congress members Ro Khanna and Tulsi Gabbard, former Sen. Mike Gravel, Brazilian and Indian leftist political parties, and the American Civil Liberties Union — have vehemently denounced today’s arrest of Assange.

Assange is a deeply polarizing figure. That’s almost certainly why the Trump DOJ believes that it could get away with indicting him based on a theory that would clearly endanger core journalistic functions: because it hopes that the intense animosity for Assange personally will blind people to the dangers this indictment poses.

But far more important than one’s personal feelings about Assange is the huge step this indictment represents in the Trump administration’s explicitly stated goal to criminalize journalism that involves reporting on classified information. Opposition to that menacing goal does not require admiration or affection for Assange. It simply requires a belief in the critical importance of a free press in a democracy.

The post The U.S. Government’s Indictment of Julian Assange Poses Grave Threats to Press Freedom appeared first on The Intercept.

13 Apr 01:31

The Caesar of Paris: Napoleon Bonaparte, Rome, and the Artistic Obsession that Shaped an Empire

12 Apr 20:06

Biased: Uncovering the Hidden Prejudice That Shapes What We See, Think, and Do

12 Apr 20:04

VA Care For All

12 Apr 20:02

The First Amendment and the Julian Assange’s Arrest. Then, the State of Disability in Media

12 Apr 19:44

Jacobin Radio: Elections in Chicago and Israel

by Jacobin magazine
Tom Roche

excellent Peled interview

Our guest Yoav Peled argues that Netanyahu is the only issue in the April 9 election. Netanyahu is under indictment for one case of bribery and two cases of fraud, but Yoav says he is likely to win even though his party and their bloc with far-right, racist and religious parties is more or less tied with the anti-Bibi “Blue and White” coalition or bloc. Yoav also discusses his new book, The Religionization of Israeli Society — which sheds light on how the country has moved from secular Zionism to an increasingly far-right expansionist religious Zionism, and how that helps us understand the election, the Israeli-Palestinian conflict and the relation between culture, politics, nationalism, secularization, and new social movements.

Suzi then talks to Micah Uetricht in Chicago, where 5–6 socialists were just elected to the City Council. Micah argues they will have outsize influence in determining the political issues — much as we have seen nationally with the election of democratic socialists to Congress. In his aptly titled article in the Guardian “America's socialist surge is going strong in Chicago” Micah writes that the socialist victories in Chicago were not a fluke, people are miserable with the status quo of austerity — and if Chicago’s elections are any indication, it just may be that people are ready to try socialism.

11 Apr 16:21

American Prosecution & Mass Incarceration

The U.S. prison population is booming; an estimated 2.1 million people were incarcerated in America in 2016, and as many people in the U.S. have criminal records as have graduated from four-year colleges. Journalist and Yale Law lecturer Emily Bazelon attributes America's high incarceration rates to prosecutors more than judges. Bazelon spent 2.5 years reporting on the Brooklyn district attorney's office. Her new book, 'Charged,' examines the power of prosecutors and looks at alternatives to bail, plea bargains and incarceration.

Also, film critic Justin Chang reviews 'Her Smell,' starring Elisabeth Moss as an out-of-control punk rock musician struggling with substance abuse.