Maga = Madness

fotus = fraud

The ceasefire isn’t working because there was no ceasefire.

Just like there was no stolen election in 2020 or abortions after 40-week births or non-consensual public-funded trans surgeries at middle schools.

It’s all lies with this guy.

Rapists and abusers don't get to unilaterally declare outcomes that benefit their own power.

Tesla accused of hacking odometers to weasel out of warranty repairs

I'm on a 20+ city book tour for my new novel PICKS AND SHOVELS. Catch me at NEW ZEALAND'S UNITY BOOKS in AUCKLAND on May 2, and in WELLINGTON on May 3. More tour dates (Pittsburgh, PDX, London, Manchester) here.

A lawsuit filed in February accuses Tesla of remotely altering odometer values on failure-prone cars, in a bid to push these lemons beyond the 50,000 mile warranty limit:

https://www.thestreet.com/automotive/tesla-accused-of-using-sneaky-tactic-to-dodge-car-repairs

The suit was filed by a California driver who bought a used Tesla with 36,772 miles on it. The car's suspension kept failing, necessitating multiple servicings, and that was when the plaintiff noticed that the odometer readings for his identical daily drive were going up by ever-larger increments. This wasn't exactly subtle: he was driving 20 miles per day, but the odometer was clocking 72.35 miles/day. Still, how many of us monitor our daily odometer readings?

In short order, his car's odometer had rolled over the 50k mark and Tesla informed him that they would no longer perform warranty service on his lemon. Right after this happened, the new mileage clocked by his odometer returned to normal. This isn't the only Tesla owner who's noticed this behavior: Tesla subreddits are full of similar complaints:

https://www.reddit.com/r/RealTesla/comments/1ca92nk/is_tesla_inflating_odometer_to_show_more_range/

This isn't Tesla's first dieselgate scandal. In the summer of 2023, the company was caught lying to drivers about its cars' range:

https://pluralistic.net/2023/07/28/edison-not-tesla/#demon-haunted-world

Drivers noticed that they were getting far fewer miles out of their batteries than Tesla had advertised. Naturally, they contacted the company for service on their faulty cars. Tesla then set up an entire fake service operation in Nevada that these calls would be diverted to, called the "diversion team." Drivers with range complaints were put through to the "diverters" who would claim to run "remote diagnostics" on their cars and then assure them the cars were fine. They even installed a special xylophone in the diversion team office that diverters would ring every time they successfully deceived a driver.

These customers were then put in an invisible Tesla service jail. Their Tesla apps were silently altered so that they could no longer book service for their cars for any reason – instead, they'd have to leave a message and wait several days for a callback. The diversion center racked up 2,000 calls/week and diverters were under strict instructions to keep calls under five minutes. Eventually, these diverters were told that they should stop actually performing remote diagnostics on the cars of callers – instead, they'd just pretend to have run the diagnostics and claim no problems were found (so if your car had a potentially dangerous fault, they would falsely claim that it was safe to drive).

Most modern cars have some kind of internet connection, but Tesla goes much further. By design, its cars receive "over-the-air" updates, including updates that are adverse to drivers' interests. For example, if you stop paying the monthly subscription fee that entitles you to use your battery's whole charge, Tesla will send a wireless internet command to your car to restrict your driving to only half of your battery's charge.

This means that your Tesla is designed to follow instructions that you don't want it to follow, and, by design, those instructions can fundamentally alter your car's operating characteristics. For example, if you miss a payment on your Tesla, it can lock its doors and immobilize itself, then, when the repo man arrives, it will honk its horn, flash its lights, back out of its parking spot, and unlock itself so that it can be driven away:

https://tiremeetsroad.com/2021/03/18/tesla-allegedly-remotely-unlocks-model-3-owners-car-uses-smart-summon-to-help-repo-agent/

Some of the ways that your Tesla can be wirelessly downgraded (like disabling your battery) are disclosed at the time of purchase. Others (like locking you out and summoning a repo man) are secret. But whether disclosed or secret, both kinds of downgrade depend on the genuinely bizarre idea that a computer that you own, that is in your possession, can be relied upon to follow orders from the internet even when you don't want it to. This is weird enough when we're talking about a set-top box that won't let you record a TV show – but when we're talking about a computer that you put your body into and race down the road at 80mph inside of, it's frankly terrifying.

Obviously, most people would prefer to have the final say over how their computers work. I mean, maybe you trust the manufacturer's instructions and give your computer blanket permission to obey them, but if the manufacturer (or a hacker pretending to be the manufacturer, or a government who is issuing orders to the manufacturer) starts to do things that are harmful to you (or just piss you off), you want to be able to say to your computer, "OK, from now on, you take orders from me, not them."

In a state of nature, this is how computers work. To make a computer ignore its owner in favor of internet randos, the manufacturer has to build in a bunch of software countermeasures to stop you from reconfiguring or installing software of your choosing on it. And sure, that software might be able to withstand the attempts of normies like you and me to bypass it, but given that we'd all rather have the final say over how our computers work, someone is gonna figure out how to get around that software. I mean, show me a 10-foot fence and I'll show you an 11-foot ladder, right?

To stop that from happening, Congress passed the 1998 Digital Millennium Copyright Act. Despite the word "copyright" appearing in the name of the law, it's not really about defending copyright, it's about defending business models. Under Section 1201 of the DMCA, helping someone bypass a software lock is a felony punishable by a five-year prison sentence and a $500,000 fine (for a first offense). That's true whether or not any copyright infringement takes place.

So if you want to modify your Tesla – say, to prevent the company from cheating your odometer – you have to get around a software lock, and that's a felony. Indeed, if any manufacturer puts a software lock on its product, then any changes that require disabling or bypassing that lock become illegal. That's why you can't just buy reliable third-party printer ink – reverse-engineering the "is this an original HP ink cartridge?" program is a literal crime, even though using non-HP ink in your printer is absolutely not a copyright violation. Jay Freeman calls this effect "felony contempt of business model."

Thus we arrive at this juncture, where every time you use a product or device or service, it might behave in a way that is totally unlike the last time you used it. This is true whether you own, lease or merely interact with a product. The changes can be obvious, or they can be subtle to the point of invisibility. And while manufacturers can confine their "updates" to things that make the product better (for example, patching security vulnerabilities), there's nothing to stop them from using this uninspectable, non-countermandable veto over your devices' functionality to do things that harm you – like fucking with your odometer.

Or, you know, bricking your car. The defunct EV maker Fisker – who boasted that it made "software-based cars" – went bankrupt last year and bricked the entire fleet of unsold cars:

https://pluralistic.net/2024/10/10/software-based-car/#based

I call this ability to modify the underlying functionality of a product or service for every user, every time they use it, "twiddling," and it's a major contributor to enshittification:

https://pluralistic.net/2023/02/19/twiddler/

Enshittification's observable symptoms follow a predictable pattern: first, a company makes things good for its users, while finding ways to lock them in. Then, once it knows the users can't easily leave, the company makes things worse for end-users in order to deliver value to business customers. Once these businesses are locked in, the company siphons value away from them, too, until the product or service is a pile of shit, that we still can't leave:

https://pluralistic.net/2025/02/26/ursula-franklin/#franklinite

Twiddling is key to enshittification: it's the method by which value is shifted from end-users to business customers, and from business customers to the platform. Twiddling is the "switch" in enshittification's series of minute, continuous bait-and-switches. The fact that DMCA 1201 makes it a crime to investigate systems with digital locks makes the modern computerized device a twiddler's playground. Sure, a driver might claim that their odometer is showing bad readings, but they can't dump their car's software and identify the code that is changing the odometer.

This is what I mean by "demon-haunted computers": a computer is "demon-haunted" if it is designed to detect when it is under scrutiny, and, when it senses a hostile observer, it changes its behavior to the innocuous, publicly claimed factory defaults:

https://pluralistic.net/2024/01/18/descartes-delenda-est/#self-destruct-sequence-initiated

But as soon as the observer goes away, the computer returns to its nefarious ways. This is exactly what happened with Dieselgate, when VW used software that detected the test-suite run by government emissions inspectors, and changed the engine's characteristics when it was under their observation. But once the car was back on the road, it once again began emitting toxic gas at levels that killed killed dozens of people and sickened thousands more:

https://www.nytimes.com/2015/09/29/upshot/how-many-deaths-did-volkswagens-deception-cause-in-us.html

Cars are among the most demon-haunted products we use on a daily basis. They are designed from the chassis up to do things that are harmful to their owners, from stealing our location data so it can be sold to data-brokers, to immobilizing themselves if you miss a payment, to downgrading themselves if you stop paying for a "subscription," to ratting out your driving habits to your insurer:

https://pluralistic.net/2023/07/24/rent-to-pwn/#kitt-is-a-demon

These are the "legitimate" ways that cars are computers that ignore their owners' orders in favor of instructions they get from the internet. But once a manufacturer arrogates that power to itself, it is confronted with a tempting smorgasbord of enshittificatory gambits to defraud you, control you, and gaslight you. Now, perhaps you could wield this power wisely, because you are in possession of the normal human ration of moral consideration for others, to say nothing of a sense of shame and a sense of honor.

But while corporations are (legally) people, they are decidedly not human. They are artificial lifeforms, "intellects vast and cool and unsympathetic" (as HG Wells said of the marauding aliens in War of the Worlds):

https://pluralistic.net/2025/04/14/timmy-share/#a-superior-moral-justification-for-selfishness

These alien invaders are busily xenoforming the planet, rendering it unfit for human habitation. Laws that ban reverse-engineering are a devastating weapon that corporations get to use in their bid to subjugate and devour the human race.

The US isn't the only country with a law like Section 1201 of the DMCA. Over the past 25 years, the US Trade Representative has arm-twisted nearly every country in the world into passing laws that are nearly identical to America's own disastrous DMCA. Why did countries agree to pass these laws? Well, because they had to, or the US would impose tariffs on them:

https://pluralistic.net/2025/03/03/friedmanite/#oil-crisis-two-point-oh

The Trump tariffs change everything, including this thing. There is no reason for America's (former) trading partners to continue to enforce the laws it passed to protect Big Tech's right to twiddle their citizens. That goes double for Tesla: rather than merely complaining about Musk's Nazi salutes, countries targeted by the regime he serves could retaliate against him, in a devastating fashion. By abolishing their anticircuvmention laws, countries around the world would legalize jailbreaking Teslas, allowing mechanics to unlock all the subscription features and software upgrades for every Tesla driver, as well as offering their own software mods. Not only would this tank Tesla stock and force Musk to pay back the loans he collateralized with his shares (loans he used to buy Twitter and the US predidency), it would also abolish sleazy gimmicks like hacking drivers' odometers to get out of paying for warranty service:

https://pluralistic.net/2025/03/08/turnabout/#is-fair-play

If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2025/04/15/musklemons/#more-like-edison-amirite

Image: Steve Jurvetson (modified) https://commons.wikimedia.org/wiki/File:Tesla_Model_S_Indoors.jpg

CC BY 2.0 https://creativecommons.org/licenses/by/2.0/deed.en

crazy how a lot of people voted on the price of eggs over the autonomy of a woman or preserving rights or even keeping families together, yeah that seems normal to me smh

and those are only a few of the options, we are totally fucked...

Noting that the most opulent were under constant pressure to make cons meet, a survey by the Pew Research Center released Monday revealed that nearly six in 10 wealthy Americans are living fraud to fraud. “Burdened by the escalating need to line their pockets, affluent Americans are increasingly forced to live from one criminal deception to another,” said lead researcher Alexis Spence, explaining that the situation has become so dire that many rich people don’t even know where their next scam will come from.

Full Story

BREAKING: stalkerware hack unveils massive potential fraud scheme

a deeper dive into the pcTattletale data leaked last week reveals a massive potential fraud scheme affecting Wyndham hotels, closely matching a past scheme against Choice hotels

After finding $382 million in fraudulent unemployment payments since 2020, the Department of Government Efficiency (DOGE) identified California, New York and Massachusetts as the primary culprits. The three Democrat-led states accounted for $305 million in improper claim payments, DOGE said Thursday. The group added that California also accounted for 68% of the benefits that were dispensed under former President Joe Biden to parolees identified by federal authorities as being on the government's terrorist watchlist, or who had criminal records. California, New York and Massachusetts all have a Democratic trifecta - meaning Democrats control the state House, Senate and the governor's office. They also have a Democratic triplex, which includes party control of the Attorney General, Secretary of State and governorship. 🤔

Arizona CEO Convicted By Florida Jury In Billion-Dollar Medicare Fraud Scheme

I need fraud rn please hakita

How I got scammed

If you'd like an essay-formatted version of this post to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

https://pluralistic.net/2024/02/05/cyber-dunning-kruger/#swiss-cheese-security

I wuz robbed.

More specifically, I was tricked by a phone-phisher pretending to be from my bank, and he convinced me to hand over my credit-card number, then did $8,000+ worth of fraud with it before I figured out what happened. And then he tried to do it again, a week later!

Here's what happened. Over the Christmas holiday, I traveled to New Orleans. The day we landed, I hit a Chase ATM in the French Quarter for some cash, but the machine declined the transaction. Later in the day, we passed a little credit-union's ATM and I used that one instead (I bank with a one-branch credit union and generally there's no fee to use another CU's ATM).

A couple days later, I got a call from my credit union. It was a weekend, during the holiday, and the guy who called was obviously working for my little CU's after-hours fraud contractor. I'd dealt with these folks before – they service a ton of little credit unions, and generally the call quality isn't great and the staff will often make mistakes like mispronouncing my credit union's name.

That's what happened here – the guy was on a terrible VOIP line and I had to ask him to readjust his mic before I could even understand him. He mispronounced my bank's name and then asked if I'd attempted to spend $1,000 at an Apple Store in NYC that day. No, I said, and groaned inwardly. What a pain in the ass. Obviously, I'd had my ATM card skimmed – either at the Chase ATM (maybe that was why the transaction failed), or at the other credit union's ATM (it had been a very cheap looking system).

I told the guy to block my card and we started going through the tedious business of running through recent transactions, verifying my identity, and so on. It dragged on and on. These were my last hours in New Orleans, and I'd left my family at home and gone out to see some of the pre-Mardi Gras krewe celebrations and get a muffalata, and I could tell that I was going to run out of time before I finished talking to this guy.

"Look," I said, "you've got all my details, you've frozen the card. I gotta go home and meet my family and head to the airport. I'll call you back on the after-hours number once I'm through security, all right?"

He was frustrated, but that was his problem. I hung up, got my sandwich, went to the airport, and we checked in. It was total chaos: an Alaska Air 737 Max had just lost its door-plug in mid-air and every Max in every airline's fleet had been grounded, so the check in was crammed with people trying to rebook. We got through to the gate and I sat down to call the CU's after-hours line. The person on the other end told me that she could only handle lost and stolen cards, not fraud, and given that I'd already frozen the card, I should just drop by the branch on Monday to get a new card.

We flew home, and later the next day, I logged into my account and made a list of all the fraudulent transactions and printed them out, and on Monday morning, I drove to the bank to deal with all the paperwork. The folks at the CU were even more pissed than I was. The fraud that run up to more than $8,000, and if Visa refused to take it out of the merchants where the card had been used, my little credit union would have to eat the loss.

I agreed and commiserated. I also pointed out that their outsource, after-hours fraud center bore some blame here: I'd canceled the card on Saturday but most of the fraud had taken place on Sunday. Something had gone wrong.

One cool thing about banking at a tiny credit-union is that you end up talking to people who have actual authority, responsibility and agency. It turned out the the woman who was processing my fraud paperwork was a VP, and she decided to look into it. A few minutes later she came back and told me that the fraud center had no record of having called me on Saturday.

"That was the fraudster," she said.

Oh, shit. I frantically rewound my conversation, trying to figure out if this could possibly be true. I hadn't given him anything apart from some very anodyne info, like what city I live in (which is in my Wikipedia entry), my date of birth (ditto), and the last four digits of my card.

Wait a sec.

He hadn't asked for the last four digits. He'd asked for the last seven digits. At the time, I'd found that very frustrating, but now – "The first nine digits are the same for every card you issue, right?" I asked the VP.

I'd given him my entire card number.

Goddammit.

The thing is, I know a lot about fraud. I'm writing an entire series of novels about this kind of scam:

https://us.macmillan.com/books/9781250865878/thebezzle

And most summers, I go to Defcon, and I always go to the "social engineering" competitions where an audience listens as a hacker in a soundproof booth cold-calls merchants (with the owner's permission) and tries to con whoever answers the phone into giving up important information.

But I'd been conned.

Now look, I knew I could be conned. I'd been conned before, 13 years ago, by a Twitter worm that successfully phished out of my password via DM:

https://locusmag.com/2010/05/cory-doctorow-persistence-pays-parasites/

That scam had required a miracle of timing. It started the day before, when I'd reset my phone to factory defaults and reinstalled all my apps. That same day, I'd published two big online features that a lot of people were talking about. The next morning, we were late getting out of the house, so by the time my wife and I dropped the kid at daycare and went to the coffee shop, it had a long line. Rather than wait in line with me, my wife sat down to read a newspaper, and so I pulled out my phone and found a Twitter DM from a friend asking "is this you?" with a URL.

Assuming this was something to do with those articles I'd published the day before, I clicked the link and got prompted for my Twitter login again. This had been happening all day because I'd done that mobile reinstall the day before and all my stored passwords had been wiped. I entered it but the page timed out. By that time, the coffees were ready. We sat and chatted for a bit, then went our own ways.

I was on my way to the office when I checked my phone again. I had a whole string of DMs from other friends. Each one read "is this you?" and had a URL.

Oh, shit, I'd been phished.

If I hadn't reinstalled my mobile OS the day before. If I hadn't published a pair of big articles the day before. If we hadn't been late getting out the door. If we had been a little more late getting out the door (so that I'd have seen the multiple DMs, which would have tipped me off).

There's a name for this in security circles: "Swiss-cheese security." Imagine multiple slices of Swiss cheese all stacked up, the holes in one slice blocked by the slice below it. All the slices move around and every now and again, a hole opens up that goes all the way through the stack. Zap!

The fraudster who tricked me out of my credit card number had Swiss cheese security on his side. Yes, he spoofed my bank's caller ID, but that wouldn't have been enough to fool me if I hadn't been on vacation, having just used a pair of dodgy ATMs, in a hurry and distracted. If the 737 Max disaster hadn't happened that day and I'd had more time at the gate, I'd have called my bank back. If my bank didn't use a slightly crappy outsource/out-of-hours fraud center that I'd already had sub-par experiences with. If, if, if.

The next Friday night, at 5:30PM, the fraudster called me back, pretending to be the bank's after-hours center. He told me my card had been compromised again. But: I hadn't removed my card from my wallet since I'd had it replaced. Also, it was half an hour after the bank closed for the long weekend, a very fraud-friendly time. And when I told him I'd call him back and asked for the after-hours fraud number, he got very threatening and warned me that because I'd now been notified about the fraud that any losses the bank suffered after I hung up the phone without completing the fraud protocol would be billed to me. I hung up on him. He called me back immediately. I hung up on him again and put my phone into do-not-disturb.

The following Tuesday, I called my bank and spoke to their head of risk-management. I went through everything I'd figured out about the fraudsters, and she told me that credit unions across America were being hit by this scam, by fraudsters who somehow knew CU customers' phone numbers and names, and which CU they banked at. This was key: my phone number is a reasonably well-kept secret. You can get it by spending money with Equifax or another nonconsensual doxing giant, but you can't just google it or get it at any of the free services. The fact that the fraudsters knew where I banked, knew my name, and had my phone number had really caused me to let down my guard.

The risk management person and I talked about how the credit union could mitigate this attack: for example, by better-training the after-hours card-loss staff to be on the alert for calls from people who had been contacted about supposed card fraud. We also went through the confusing phone-menu that had funneled me to the wrong department when I called in, and worked through alternate wording for the menu system that would be clearer (this is the best part about banking with a small CU – you can talk directly to the responsible person and have a productive discussion!). I even convinced her to buy a ticket to next summer's Defcon to attend the social engineering competitions.

There's a leak somewhere in the CU systems' supply chain. Maybe it's Zelle, or the small number of corresponding banks that CUs rely on for SWIFT transaction forwarding. Maybe it's even those after-hours fraud/card-loss centers. But all across the USA, CU customers are getting calls with spoofed caller IDs from fraudsters who know their registered phone numbers and where they bank.

I've been mulling this over for most of a month now, and one thing has really been eating at me: the way that AI is going to make this kind of problem much worse.

Not because AI is going to commit fraud, though.

One of the truest things I know about AI is: "we're nowhere near a place where bots can steal your job, we're certainly at the point where your boss can be suckered into firing you and replacing you with a bot that fails at doing your job":

https://pluralistic.net/2024/01/15/passive-income-brainworms/#four-hour-work-week

I trusted this fraudster specifically because I knew that the outsource, out-of-hours contractors my bank uses have crummy headsets, don't know how to pronounce my bank's name, and have long-ass, tedious, and pointless standardized questionnaires they run through when taking fraud reports. All of this created cover for the fraudster, whose plausibility was enhanced by the rough edges in his pitch - they didn't raise red flags.

As this kind of fraud reporting and fraud contacting is increasingly outsourced to AI, bank customers will be conditioned to dealing with semi-automated systems that make stupid mistakes, force you to repeat yourself, ask you questions they should already know the answers to, and so on. In other words, AI will groom bank customers to be phishing victims.

This is a mistake the finance sector keeps making. 15 years ago, Ben Laurie excoriated the UK banks for their "Verified By Visa" system, which validated credit card transactions by taking users to a third party site and requiring them to re-enter parts of their password there:

https://web.archive.org/web/20090331094020/http://www.links.org/?p=591

This is exactly how a phishing attack works. As Laurie pointed out, this was the banks training their customers to be phished.

I came close to getting phished again today, as it happens. I got back from Berlin on Friday and my suitcase was damaged in transit. I've been dealing with the airline, which means I've really been dealing with their third-party, outsource luggage-damage service. They have a terrible website, their emails are incoherent, and they officiously demand the same information over and over again.

This morning, I got a scam email asking me for more information to complete my damaged luggage claim. It was a terrible email, from a noreply@ email address, and it was vague, officious, and dishearteningly bureaucratic. For just a moment, my finger hovered over the phishing link, and then I looked a little closer.

On any other day, it wouldn't have had a chance. Today – right after I had my luggage wrecked, while I'm still jetlagged, and after days of dealing with my airline's terrible outsource partner – it almost worked.

So much fraud is a Swiss-cheese attack, and while companies can't close all the holes, they can stop creating new ones.

Meanwhile, I'll continue to post about it whenever I get scammed. I find the inner workings of scams to be fascinating, and it's also important to remind people that everyone is vulnerable sometimes, and scammers are willing to try endless variations until an attack lands at just the right place, at just the right time, in just the right way. If you think you can't get scammed, that makes you especially vulnerable:

https://pluralistic.net/2023/02/24/passive-income/#swiss-cheese-security

Image: Cryteria (modified) https://commons.wikimedia.org/wiki/File:HAL9000.svg

CC BY 3.0 https://creativecommons.org/licenses/by/3.0/deed.en

"Elon is looking for fraud"

and he wasted it by leaving early.

And you wonder where the $5 trillion Musk is "looking for" went.