New Songs for Joy – and that describes it exactly. I like it a lot.
"Bert & Ernie" is the first single from the double album "Songs for Joy auf der Veddel" by Erobique & Jacques Palminger, due out on May 16, 2025.
If you can't spot the sucker at the poker table, you're the sucker. Also, if you think you can't get phished, you're the sucker.
I've been successfully scammed six times in my life. Each time, the scam relied on the confluence of several factors that yielded a fleeting moment of vulnerability that some scammer was able to exploit by being in the right place at the right time. I had to be lucky always, they only had to be lucky once.
The first time I got scammed was in 2008, on my first trip to India. As I walked toward the Mumbai airport taxi queue at 2AM, I was approached by two uniformed airport security guards who told me that the taxi rank had been moved in the wake of a recent terrorist bombing in Islamabad, which had resulted in all the regional airports going on high alert. The bombing was real, the airport high alerts were real. The security guards – not real. They were scammers, working with a fake cab that charged me $200 for a $20 taxi ride.
I got scammed again this way in Shanghai, at the Pudong taxi-rank. I was with my wife, daughter and parents and we split into two cabs and the drivers colluded to turn off their meters and charge us extremely high cash fares, dropping us across the street from our hotel so we couldn't enlist the doorman to interpret. Again, it was very late at night, things were confusing, and we'd had to wait for more than an hour for the cab, so we were exhausted and sweaty and divided into two groups so we couldn't coordinate strategy.
Then there was the time I got successfully phished by a Twitter account takeover worm:
https://locusmag.com/2010/05/cory-doctorow-persistence-pays-parasites/
That was also a miracle of timing – for the scammers. I got hit on a day when I was running late, when I'd just reinstalled my phone's OS and was being prompted for my passwords all over again, when I had just done a bunch of major publishing and was getting a lot of messages about my new articles. When a friend got infected by a worm that took over his account and messaged me, "Is this you?" with a link that took me to a webpage that asked me to log back into Twitter, I re-entered my password. If I'd been five minutes later in getting to that DM, I would have seen three more identical messages from other infected friends and twigged to the scam. But I just happened to look at my phone in the two-minute window when the scam wasn't self-evident, and I just happened to be distracted and flustered about running late, and I just happened to have had some life circumstances that made the generic phishing lure seem plausible.
In 2023, I got scammed by a fake restaurant. I was on the couch with a friend from out of town who'd come by to watch a movie. We were chatting and decided to order from our local Thai restaurant. The top result on Google was a paid ad (marked out with the word "ad" in 8-point, grey-on-white type) that had a plausible domain name, which led to a replica of my local place's menu, only with the prices set 15% higher. I didn't even notice – not until the restaurant called me to say that they'd had a flood of orders from these scammers, who charged their customers' credit cards 15% over the odds, then placed an order for delivery using their own credit card numbers. I ended up contesting the charge with Amex, getting the scammers' Wix and credit card accounts canceled, and shaming Google into blocking their ads:
https://nypost.com/2023/02/25/cory-doctorow-duped-by-fake-thai-restaurant-scam/
Then there's the guy who used leaked data from my credit union to impersonate their fraud department, calling me up and social-engineering me out of the last seven digits of my card number (not the last four, as is common – most banks use the same nine-digit prefix, so the final seven digits are all you need to derive the whole card number). The scammer called right after I used two dodgy ATMs in New Orleans, during my last hour in town when I was rushing around to get my most favorite sandwich in the world before leaving. It was the day that a Boeing 737 Max lost its door-plug so the airport was a zoo and we barely made the flight, so I lost the hour I'd planned to use to call the bank's fraud department back. Again: if, if, if. If he'd called an hour earlier – or later. If there hadn't been a giant aviation disaster. If I hadn't been traveling. The scammer had to get lucky once, I had to be lucky every time:
https://pluralistic.net/2024/02/05/cyber-dunning-kruger/#swiss-cheese-security
I got scammed again last Christmas week. I was in NYC with my wife and daughter and I'd gotten great tickets to see The Outsiders on Broadway. It was my kid's first musical and to her surprise, she loved it. In the cab back to the friend's place we were staying at, we talked about what other musicals she might want to see. She loves South Park, and I'd seen banners advertising The Book of Mormon (which was created by the same people) in LA. So I looked up "book of mormon tickets los angeles" on my phone in the cab and found the production's website and ordered the tickets, working quickly in the cab because it was one of those websites that has a countdown timer so you have to finish your transaction in five minutes.
It wasn't the real Book of Mormon website. It was a scam website, reselling Book of Mormon tickets at a 200%+ markup. That fact was noted in infinitesimal writing on the main screen, which I missed in the crowded taxi backseat while I raced the countdown timer. I figured it out about 20 seconds after the transaction cleared, and immediately emailed the vendor to cancel it. All I got was a series of smug "all transactions final" emails from outsource customer service reps (in the end, I was able to get my credit card issuer to reverse the transaction, but it took months). But yeah, I got scammed by a sleazy company called "Bigstub." Fuck those guys.
Every time I got scammed, the con that got me was nearly identical to a con that I'd avoided on numerous occasions. The fact that I'm actually pretty good at spotting this kind of hustle, 99.9% of the time, didn't mean I was immune to it. It just meant that I was vulnerable under very special circumstances, and those very special circumstances do crop up from time to time.
This is the most important lesson of scams: that no matter how well-attuned you are to cons, you can still be conned. The belief that you are immune to a con actually makes you a mark. It's for that reason that I recount the tales of how I got scammed – to help other people understand that being sophisticated, alert and even paranoid is no guarantee that you will be safe.
I'm not the only person for whom a detailed knowledge of scams created immunity from being scammed. Troy Hunt is the proprietor of HaveIBeenPwned.com, the internet's most comprehensive and reliable breach notification site. Hunt pretty much invented the practice of tracking breaches, and he is steeped – saturated – in up-to-the-minute, nitty-gritty details of how internet scams work.
Guess who got phished?
https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mailchimp-mailing-list/
Hunt had just gotten off a long-haul flight. He was jetlagged. He got a well-constructed, plausible counterfeit email from Mailchimp telling him that his mailing-list – which he absolutely relies upon – had been frozen after a spam complaint, and advising him to click on a link to contest the suspension. He was taken to a fake login screen that his password manager didn't autopopulate, so he manually pasted the password in (Mailchimp doesn't have 2FA). It was only when the login session hung that he realized he'd been scammed – and by then, it was too late. Within minutes, his mailing list had been exported by the scammers.
In his postmortem of the scam, Hunt identifies the overlapping factors that made him vulnerable. He was jetlagged. The mailing list was important. Bogus spam complaints are common. Big corporate sites like Mailchimp often redirect their logins through different domains, which causes password manager autofill to fail. Hunt had experienced near-identical phishing attempts before and spotted them, but this one just happened to land at the very moment that he was vulnerable. Plus – as with my credit union scam – it seems likely that Mailchimp itself had been breached (or has an insider threat), which allowed the scammers to pad out the scam with plausible details that made it seem legit.
Hunt's forensics on the scam are very interesting. Of especial note is the fact that Mailchimp had retained the email addresses of thousands of former subscribers who had already unsubscribed, meaning that their data was exposed as well. It's not clear why Mailchimp would do this, but I will note that the company is extraordinarily spammer-friendly and goes to great lengths to make it easy for spammers to add you to their lists, and impossible to get off of all those lists:
https://pluralistic.net/2024/07/22/degoogled/#kafka-as-a-service
Getting scammed doesn't mean you were stupid, or careless. Frequently, it just means you were distracted, upset, or distraught. We're living through a moment of total, all-consuming chaos, and the scammers are sharpening their blades – not least because the people running the show are unabashed grifters who openly boast that when they get one over on you, "that makes me smart":
https://pluralistic.net/2024/12/04/its-not-a-lie/#its-a-premature-truth
Buyer beware – it's ugly out there, and it's gonna get a lot worse before it gets better.
(Image: Cryteria, CC BY 3.0, modified)
Today's top sources: Bruce Schneier (https://www.schneier.com/).
This work – excluding any serialized fiction – is licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.
https://creativecommons.org/licenses/by/4.0/
Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.
ISSN: 3066-764X
Customer service is terrible. Customers hate it. Support agents hate it. Can you guess the answer?
Capgemini has released a 112-page slide deck, “Unleashing the value of customer service: The transformative impact of Gen AI and agentic AI.” [Capgemini, PDF]
You’ll be amazed to hear what the answer is – chatbots! Capgemini will be delighted to help you in this transformation, for a small large fee (ongoing).
You rebuild your entire customer service function around chatbots, “embracing a new paradigm.” This requires a “novel business process design.” Capgemini will be delighted to construct both of these for you.
You will need to “continuously monitor and evaluate AI agents’ performance and compliance,” because you shouldn’t expect it to work. But Capgemini can handle that too!
What do you, Mr. Executive, get out of this? In early experiments, the bot apparently gives enough correct answers to get customers to go away, so that’s close enough.
The report recommends you go against all standard corporate practice and stop doing things that make your support agents miserable. Chatbots will fix this too, for some reason.
61% of executives say chatbots can help in upselling, that thing both customers and support agents just love! Even as only 17% of agents and 21% of supervisors agree.
Capgemini also predicts a world of Agentic AI, whatever that is. There’s a whole chapter on Agentic AI that’s all “can” and “could” and “potential” in the fabulous future. But most importantly, it means more fees for Capgemini.