So, hi everybody. My name is Paul Roberts and I'm the Editor-in-Chief at the Security Ledger, which is a cybersecurity news website, and, probably more relevant for this panel, I'm the founder of SecureRepairs.org, which was a group I set up about four or five months ago specifically to reach out to and organize the information security community in support of right to repair laws that are pending in 20 states this past year and that we're trying very hard to try and get passed. And I felt like this was an issue that was incredibly important to the information security community, but that we were not paying attention to. So I started SecureRepairs.org to sort of raise awareness about that. Oh, sorry, there's a slide up there where it's got the website. But before we dive in, I thought I'd give each of my panelists a chance to introduce themselves and tell you a little bit about them. We have an amazing panel as you know, but in case you're not familiar with them, let's just go down in order here and everybody sort of say who you are and talk about your superpower.

Hello, I'm Tarah Wheeler. I am a cybersecurity policy fellow at New America. And right now, I am still totally mind-blown over the open CTF competition yesterday where I'm busy trying to figure out how to dump a microprocessor for the first time, which is probably the best reason to go anywhere, right? I completely opted out of the parties last night. I know it doesn't look like it, but I did. There was a bourbon in the room. So that's the fun right at the moment. And one of the major reasons I'm on this panel and showed up on time is so I can bring it here and make Jill help me with my homework.

My name is Joe Grand. Some of you might know me as Kingpin. I'm a professional design engineer, but also hardware hacker and grew up hacking on products to do things they weren't intended to do. So probably breaking all sorts of laws nowadays.
And designing products and designing that front badger. Really a proponent of open source hardware, sharing information, and being able to own stuff that I buy with my own money and not be bound by various licenses.

Well, I'm Kyle Wiens. I started iFixit. We are the open source repair community. Our mission is to enable everybody to fix all their stuff. Shout out to all the San Luis Obispo people in the room. You want me to let her speak into one mic or so that they can turn one on and one off. Sure, you got it. Okay. And along the way of our mission to enable everybody to fix everything. Well, there are systematic cultural, societal, legal barriers to that. And so we have been chipping away at those. The initial barrier was that manufacturers were using DMCA threats to get service manuals offline. And I remember trying to fix my iBook. I couldn't find the service manual. So I decided to make my own and publish it online. And we've been doing that ever since. And that's just been an end-run around copyright law and the diabolical enforcement of, you know, lack of information to block repair. But since then we found there are other barriers, everything from DMCA 1201 to access to parts, trademarks on parts. And so we've been systematically chipping away at that. And we helped start Repair.org, which is a kind of trade association for the professional repair world to fight back. And I have spent more time in suits than I would like the last decade or so in DC, you know, fighting for our right to be able to fix our stuff. It's been an interesting battle. And I think we're really just getting started. But it's pretty exciting to be here and have come this far.

Hey, everybody. My name is Nathan Proctor. I'm the National Campaign Director for U.S. PIRG's Right to Repair Campaign. U.S. PIRG is a national advocacy nonprofit, which stands up for the public whenever their rights are threatened.
And so we have been engaged with the Right to Repair Campaign for a few years now. And because we're a network of state advocacy organizations, basically, I coordinate state campaigns on Right to Repair. And we had bills in 20 states this year. We didn't really have campaigns in all those states, but we had at least campaigns in many, many, many states. So I also have to run around in a suit way too much. I think the worst part about that is I go to meet with legislators who've heard the same unbelievable load of malarkey from industry representatives, like the crazy stuff I've heard industries. I heard a Comcast lobbyist say that if you had the diagnostic tools for their routers, like their home cable routers, you could take out the broadband network, which I thought. So it's like you have these people who make 9.50 an hour driving a white truck around. They have a tool that takes out the network. And that's never leaked. Okay, I believe that. Newsflash. Yeah, that's the case. They shouldn't have their lobbyists tell that to a crowded room full of people.

But so anyway, so yeah, so and for us, let's get to the ethics of it, like, you know, we believe that there's a big problem in our society where we're losing kind of democracy and power on every level. And one of those ways is, you know, the power that people have over their own lives and their own technology. Because we don't know they don't want us to know how it works. They want us to just accept whatever terms they give us. They make us sign a 25-page legal document full of malarkey. I'm using, I've used malarkey twice now. It's good. It's funny. So I mean, so we believe that we need to reclaim power for the public over technology. And one of the most compelling arguments and ways to have that conversation with the most number of people is to talk about our right to fix, you know, mostly this device. I mean, mostly people talk about this device, but it's everything from, you know, cell phones to tractors.
And in fact, Kyle's got the ECU from a John Deere tractor. If anyone wants to help us, cause some trouble with that. But yeah. Okay, I'm actually going to, I'm going to take, I'm going to do, let's do a little poll just to, just to set a baseline maybe before we start our conversation, right? You don't even know what I'm asking for. You don't even know what I'm asking about. And it's already unethical. How many of you think that it is that, well, ethical or unethical, opening your iPhone and replacing the battery with an Apple certified battery? Ethical or unethical? Okay. Okay. Question. That was consensus? Yeah, yeah. I'm sorry. Wait a minute. For those out there in TV land, everyone voted ethical. Maybe we should do one for us and then flip it around for the TV audience. Yeah, I'll be the consensus. Yes. Okay. Okay. Second question. Ethical or unethical? Opening your iPhone and replacing the Apple authorized battery with a non authorized battery with a third party battery? Ethical or unethical? Okay, good. We have unanimous consent. Okay. Ethical. Third question. Taking apart your iPhone and turning it into a back massager. If you can actually get the thing open. So, so far it's going to be pretty shitty for discussion because everybody thinks that's ethical as well. No, I mean, I kind of felt like we were saying we're going to dive into this. Yeah, we're going to dive into this. I'm not actually sure we're going to try and convince you otherwise, but I think we felt like this is, you know, DEF CON is probably a friendly audience for us as opposed to a hostile audience. So that's not surprising enough itself. But how many, how many people just hands, this isn't ethical or unethical, are familiar with what we're talking about with the right to repair? Okay, pretty good. But not everyone. 
So I thought I'd start off by asking Nathan and Kyle and maybe just start with you, Nathan, when we're talking about right to repair, just to be clear, we're all talking about the same thing. What are we talking about really?

Yeah, so I would say right to repair is probably on some level, like kind of an open source concept that people take to mean different things like the ease of repair, the ability to repair. But really specifically, when we talk about right to repair, typically we're talking about a law that would be passed at the state level, which would require manufacturers of basically anything that runs software to provide individuals and independent technicians with the same tools to fix the thing that they would make available to their authorized network. So it's defined as five different things in the bill: spare parts, diagnostic software, any special tool like a pentalobe screwdriver, for example, even though the iFixit one is probably better than the one Apple makes, any firmware that's needed, as well as documentation, schematics, repair documentation.

We do have a question. I'll get the question in a minute.

So I would like to ask an ethical or unethical question about this. So in regards to the law, I would say that this is a great thing. However, I don't give a shit, is it ethical or unethical if I do this anyway? So we're proposing a law to protect the researchers who do this, but I'm going to do it anyway. So am I acting ethically or not if I do it anyway? I did see one card halfway. So would you like to come up and talk to me or do you want me to paraphrase you? Why were you hesitant to pick one or the other?

So we do have this idea of, yeah, so I'm definitely in Joe's camp, or I forget which one of you proposed the turning into a back massager. Yes, that was you. Cool. Joe and I look a lot alike. You don't want me repairing anything.
So the the side card comes up from this idea of there are some of these, comes from a more ethical use of the patent and copyright process of this idea of there. We can some a idea of how this law could be used in a slightly more ethical way could come from this idea of trying to protect indeed uniquely unique, uniquely unique, unique circuit boards or designs or things like this that could have taken a large amount of R&D work and could cause independent researchers to not be able to basically if I can open up my circuit board and copy it down and steal parts from it, then there is something to be said for potentially hurting independent researchers. Do I think that we should have a massive like cool never open your device ever? No, obviously not. That would be terrible. But one thing that I always find interesting this debate is how do we support these independent researchers and these people building truly unique products while still allowing people to fix their stuff? So that's comparing like I piece them right saying so we could easily open up the product to counterfeit it as opposed to repairing it. Right, is that that's different? So you get corn. Thank you very much. That's a great question. So I want to throw out so back in the 80s, I can remember the 80s. The IBM processor was reverse engineered so that folks could clone PCs and start the entire revolution that we are reveling in right now. They basically violated the IBM patent and they reverse engineered this and they designed rules on how they did this. They black boxed the thing. They basically made a device that was like this chip. And I'm not Joe Grand. He could probably speak about this better. But you know I was there when this was being done and this whole thing blossomed. And the whole point I'm trying to make is as a cybersecurity researcher, I am not going to let the law stand in my way when I'm trying to do something for the greater good. And I don't think that that's an unethical action. 
And that was a point I was trying to make. And then I think it's a great question though. Yeah, it's a great question because there is as an independent designer, I've had my stuff copied in China, right? And it's money because it's open source. So people can copy it anyway. But it's still I'm technically losing money. But I think there's some there has to be some way in that in the law is not so basically the law is not going to stop people who are going to do it anyway, right? So who's going to counterfeit the product? The legislation is basically not it's not going to fix that. It's to at least enable the large corporations to give enough information out to people for the ordinary act of repair. So it doesn't have to be the entire kimono, you know, open up the entire kimono. It's just something you know, it's like what is it when when when the government was trying to do like something with encryption backdoors back in the 90s or something. It was like if you know, government's outlaw encryption only encryption only outlaws will use encryption, right? Isn't that the thing of like people are going to do that anyway? So I understand what you're saying. I think there's a balance but it really is these large corporations preventing independent repair shops from repairing things they own and that's the that's the problem. The only thing I worry about is the future. What about autonomous vehicles? Anybody can repair their car. Or do you trust the corporation that's running that somewhere else that might not be patching their system or an autonomous vehicle an autonomous vehicle an autonomous vehicle under the control of the corporation could run over your child, right? But that actually I think we talked about this on the phone earlier. Autonomous vehicle in the future might be a subscription service where you opt into it. You're not buying the vehicle. That's right. Right. 
If you buy the vehicle like a Tesla that has the autopilot functionality that's different than in the future where you just get in a car that you so that's if you own it, you should be able to use it. I'm a student and understand what the service you're buying into it. So I'm a student pilot and I started carrying a multi tool around and the first time you ever repair a loose screw on an aircraft that you're about to fly is when you start to really realize the ethical constraints of what you're doing, right? Or if you're going to be somebody who's going to repair things, you're also taking responsibility for the damage your repairs can do and for your own safety and so doing and it may seem trivial to tighten down a screw on a strut. But when there is a full maintenance bay there and you choose to do it yourself the first time and take that responsibility yourself, there's some there's a there's a weight of responsibility that settles on to you and also a set of skills that needs to get transferred outside a specialized profession. And actually, if you even think about forget about flying a plane like changing if your tire blows out on the on the side of the road and you release your own tire, you know, the consequences of you doing a crappy job of that are serious, just as serious as a as an autonomous vehicle, right? If you don't put the lug nuts on right and the wheel falls off, you know, you could kill yourself, you could injure other people, right? There's there is actually a huge amount of responsibility that goes on changing your tire correctly. But none of us in around debate whether we should be allowed to change a tire on our own vehicle, right? That's just not a debate that we have as a society, even though you could you could think, Well, I mean, your responsibility to the rest of society of changing a tire correctly, you know, compels it that only, you know, only a tire changing professional should ever be able to do something like that. Right? 
I mean, now to that point, to stop and do a roadside repair, there was an entire procedure for others. It's a whole process of not kidding. And then, but eventually, if we decide to pull the pull over, you can just change your entire.

Okay, Kyle, you wanted to say something. Go ahead.

Yeah, well, I rewind a bit to the conversation about counterfeiting. I think it's interesting to the information that the law is required to go back to what they were saying about what's what's in the information. But like the closest thing to maybe proprietary information that we're looking for is the schematic. So I love this. This is a schematic that fell off the truck in China. This this leak on Fox, you can see this is an Apple confidential. So this is for the charging circuit in the iPhone, which is something that commonly fails. All of the Chinese, all of the Apple schematics generally leak. And there's actually, there's a really cool tool called ZXW, it stands for Zillion Time Work. And it's a sign for a very shop. But it's a really interactive board viewer. And you just select the iPhone, all you want to look at, you can call it through and see, okay, that resistor is a, you know, exactly what the specification is. It's fantastic. And it's, it's completely built on this. Shanzhai not open market. Now, Joe, have you taken apart any of the counterfeit iPhones?

No, I've not. I've not seen it. But I've seen counterfeit. I was actually just in Shenzhen saw iPhone repair shop. There's a separate section in Shenzhen just for that. You can go in and buy the manuals. And actually when I bought them, I had to kind of hunt, hunt the right people down. And when I bought them, the woman said just for repair. I said, yeah, just for repair. And there's all sorts of replacement components there. I haven't seen counterfeit ones, but there's a whole market thriving, trying to fix devices so they don't end up in trash, right? That didn't exist.
And the interesting thing, if you open up one of these counterfeit iPhones, you look at it, the schematic is not this. You're building a counterfeit iPhone. You don't do it this way. You build it from scratch anyway. Your own board design. You're using it for parts. They're probably cheaper than what Apple did. You just do it a different way. So the idea that the original schematics are useful for counterfeiting is not generally true. What they're useful for is security research and repair. That's what we need.

Sorry. So, Kyle, before we, as we're kind of going along in this, it might be useful just again as a baseline to talk about the projectors. Yeah. Oh, it might be useful to... It's a double... See, it's repeating the left side of it. Are we able to repair the projectors? Are we allowed to? No. The three are taking apart. Hey, how's it going? Cool. I told you I was going to get some help with my homework today. Thank you, baby. We can keep talking while...

Okay. Kyle, I thought maybe it'd be useful for you to talk about some of the ways that OEMs at manufacturers of devices restrict repair and some of the impediments to any of us who might want to repair, let's say, a late-model iPhone or Android phone.

Yeah. So let me just walk you through just kind of a random smattering of ways that we see manufacturers blocking repair. I've got this John Deere ECU. So let's start with tractors and then we'll work our way into iPhones. The local farmer, farmer Dave, called me up and said, hey, I've got this John Deere tractor. I said, cool, how much did it cost? He said, oh, it was about $300,000. I'm like, God, that's about the cost of a house. Cool. He says, yeah, it won't boot. I'm like, what do you mean your tractor doesn't boot? He says, well, it won't turn on. Okay. Well, what happens is, well, the touch screen is giving me this error code.
And I called Deere and they sent somebody out and they plugged their laptop in and it said that this particular sensor has failed. And the sensor isn't going to come until next week, but I need to run the tractor this weekend to do the harvest. Is there any way you can bypass the sensor to get the tractor to boot? And so I went out there with my laptop and my naivete and I said, I will help you fix it. And I completely fell flat on my face and failed. And the reason is that you need John Deere's proprietary diagnostic software. This diagnostic software, they are so paranoid that their technicians will give it to the farmers that it all erases itself every 90 days from the John Deere technician laptops. And so there are these dark net forums where people have, like there's this dark net Ukrainian forum where you can get like cracked versions of the John Deere diagnostic software. And so the tractors or the farmers that are clever are out there using this cracked software that who knows what other modifications were made to it along the way of them getting it because they are not security experts. So, and John Deere is doing this, why? Well, they want to make more money on the service call. So it's the $150 an hour service call. They're generally like breaking even on the sale of the tractor and making more money on the service over the long run. So that's an example.

The iPhone, since Apple started putting Touch ID sensors on iPhones, it is impossible for third parties to replace the button. If you take out, if you take two iPhones apart, you swap the home buttons on them, they do not work anymore. And there is no way to pair the button with the mainboard. It's not the factory, it's done with a proprietary in an Apple security tool. If you have their secure certificate, you probably figure out the way to do it. So those are just two examples that we're seeing.
Third example, Ford decided that would be a really good idea instead of patenting the overall truck, so like an F-150 shape, because they were just patenting the shape of the truck. They started filing design patents on each individual part. So we're gonna file on the exact contours of the bumper. We're gonna file a design patent on that. And then if you make an aftermarket part that fits the truck and looks vaguely like the truck did, you're gonna be violating their design patent. So this is how, a few of the ways they are systematically locking it down so that the manufacturer has control over anything that happens over the life of the device. And that's, I mean, it's those kind of so pernicious, you know, capitalism run amok type problems that right to repair is intended to address.

And one sec, Nathan, you've been, Nathan's been working at a state level where states are trying to pass right to repair laws. So obviously you've heard a lot from consumers or small business people or sometimes large business people who are impacted by these restrictions. What types of things does U.S. PIRG hear in regard to repair restrictions?

Yeah, I mean, one example, because I was gonna make the autonomous vehicles and the safety issue because there are huge safety issues with this data play right now. I was doing a radio show and someone called in, they were on a boat which had a John Deere diesel engine and it failed and the guy was like, well, if you can, I mean, a diesel engine will run forever. They're not hard to start, they're incredibly durable, but there was a software lock and so he was drifting at sea. Eventually someone came in and bailed them out. He called John Deere to yell at them and they said, we can't let you bypass the software to start the engine in an emergency. You might violate emissions.
It's like, I think maybe if you're gonna die, the Coast Guard, the EPA would be okay with you and that's, I mean, but they've taken that choice away from us for safety reasons, right? And so, anyway, so that's a safety risk. I mean, the safety risk of 20 minutes of diesel fumes potentially from an improperly moderated engine versus being adrift at sea. I think we can, you know, I think most people would be on the side of, you wanna call that for a vote on ethical, unethical, is it ethical for John Deere to prevent you from using your diesel engine even to save your own life because you might pollute?

What are you doing? Good, sorry. But I'll tell you, we, Wait, wait, wait. Wait, wait, wait, wait, wait, wait. So, you voted ethical, was that a mistake? Yeah. Okay, so you're, it's good because you- Don't text and try to pay attention. So, just like when you're on the road driving, you should not text and come to our talk at the same time. It seems like it was a unanimous unethical. Okay.

To add color to that. So, all of you are saying that's unethical, but when we applied to the Copyright Office for an exemption to DMCA 1201 that says you can't circumvent technological protection measures for the purpose of repairing tractors, the EPA sent a letter to the Copyright Office saying they were concerned that people modify the software on the tractors, they would violate emissions. So, hypothetically, these are very ethical people at the EPA, and they're concerned. So, this is the equivalent of firing the gun to scare off. Exactly.

Okay, so, if you wanna ask questions, you would want to do a line or? Yeah, just come up to the mic because we are recording this, and we wanna make sure we get your question. Oh, this is a question line.

So, I'm more concerned about, say, for medical devices. So, let's see, so, as a patient, you wanna use a disposable medical device.
I claim that it's defective by design, so, essentially, if I can't modify that in a certain way, and I can't get improved leasing and control, actually, it actively hurts me. So, the problem is, we just had an FDA recall very large medical, of insulin pumps, and I thought that the risk evaluation was poor. And so, the main threat right now to my having a device that allows me to have my glycemic control is that my DIY ability is being taken away. So, but these are disposable devices that can only hurt me, and I'm willing to accept that risk, which is different than the car. I just wanna know what your comments were on that. That's a really, really good question. I spent some time thinking about this one, and one of the major issues is, companies aren't thinking in terms of your ability to repair. They're thinking in terms of their ability to license and be compliant with the regulatory body that regulates them. So, the reason why DIY insulin pumps fall under a medical device manufacturer's same category as the right to patch something that has been in use in an operating theater is because for them it's all liability. It's not a question of whether or not you are, you're implementing a good or a bad fix, anything that changes them away from compliance, whether good or bad causes liability to the medical device manufacturer. This is how you get medical devices that are by design unpatchable or vendors that have gone out of business and no longer can even defend the fact that their patches could be compliant. And yet, they still no longer have a purchaser of that equipment, still has no capacity to patch that equipment. You'll get regional hospitals running Windows ME on medical devices being used actually on patients at that moment with no capacity to patch, not only for the lack of technical skills in the area or in that particular field, but also because the device manufacturer might still be in business and has told them no device update has been supported. 
So, those two things are the equivalent in a device manufacturer's mind, even though to us DIY insulin pumps and patching surgical equipment seem entirely different, to them they all fall into risk management strategy. Yeah, go ahead.

In the John Deere tractor example, it seems to me that the inability of a farmer to repair his own tractor can not only have significant economic impact on him, but also the local economy. If he can't get out there and plow the fields or harvest those fields, it's not only affecting him, it's affecting the larger community. Is there an approach that could be taken in a situation like that where it's seen more as a monopolistic activity where they're monopolizing that ability and not allowing the users and having that kind of economic impact?

Yeah, let me speak quickly and then I'll pass on the first part and then I'll pass over to Nathan for the monopoly antitrust question. You asked earlier about are we willing to do this even if it's breaking the law? And I think all of us in this room are willing to do that. But if you think about yourself as a commercial repairer, let's say you're an independent repairer, it's very challenging for you to build your livelihood based on doing something that is technically illegal because there's always this cloud over you, right? It's gonna be hard to get investors to invest in you. So if I wanted to start a company and go out and get venture capital, build a replacement John Deere diagnostic software tool, the first thing the VCs are gonna ask me is, well, are you gonna fly in the face of 1201? Are you gonna have legal liability around this? And I'll say, well, we got an exemption. They'll say, yeah, but the exemption's only good for three years, what happens in three years? What happens to the $10 million I give you, right? So this legal uncertainty really harms the economic aspect of the ecosystem.

There's another element to the legal uncertainty in this system.
And I wanna talk a little bit more later on about the acquisition of skills at a vocational level that becomes less and less accessible when we require things like four-year degrees and membership and research facilities in large companies to do this kind of repair and design. But the last time I had my own iPhone repaired was a woman-owned repair shop in Seattle. My iPhone 5S screen cracked and then I think what many of us experienced with that one was the charging unit broke on it, right? So she and one of her employees had started a company repairing iPhones. Now it voided warranties, but nobody cared because we had all purchased our devices on the secondhand market or we just were past the point of caring at that point or Apple was gonna be more expensive to repair them. So she did a complete repair on my 5S for $100. The existence of this kind of crunch on small repair shops who can be halted not by a lawsuit but by a C&D, which is an incredibly inexpensive and horrifying thing to deal with if you've never had to deal with the legal system in the US before. So we're not just shutting down these small repair shops. We're actually harming people who previously might not have had access to a valued and respected career running a small business. This is an accessible thing for people who are women, minorities to start doing with this kind of repair. You don't have to have the kind of privilege in your society that lets you go get graduate degrees in engineering to do design in order to do what you like, which is work on phones or devices or design things. I'm concerned about people that lack accessibility to this field now as a result of this kind of legal control. That's a really great point. Okay. And if anybody in the audience wants to ask a question but not necessarily stand up in front of everybody, just wave or something at me and I can proxy for you. So the question will be asked and it'll be easy for you so I'll have to paraphrase. 
I wanted to circle back to that monopoly point too because it actually dovetails really well with what Tarah was just saying. It's illegal for Apple to void your warranty because that technician opened your phone and fixed it. And Apple knows this because they took the unauthorized, like, "void if removed" stickers out of their phones. They figured this out. A bunch of other companies didn't and they got warning letters from the FTC in April of last year that that's illegal. There's a thing in a federal warranty law which says you cannot void the warranty because somebody else serviced the product unless you can demonstrate that the product was damaged by that service because of monopoly. And the reason why that clause exists was because the people who wrote that law were concerned about monopoly in the aftermarket and repair. They were concerned about companies forcing what they call tie-in sales, which is they sell you something and then they force you to buy other products and services because they've kind of grabbed you and sucked you into the ecosystem. Now if that sounds weird because every product that we buy basically exists in that universe it's because we are not enforcing our anti-monopoly and antitrust laws but that's fine but then one day they'll be enforced. So we were at the FTC and we might show some footage of the FTC's investigation into basically monopolistic repair practices by manufacturers. But yeah, this is something we think that there is cause within our current legal framework to challenge the monopoly practices as illegal under a set of consumer protection and anti-monopoly laws that exist. Yes sir.

I have an interesting question. You mentioned Ford attempting to design patents on like various parts of the vehicles. I'm kind of curious how that actually works because my understanding is patents usually cannot be done unless it's unique and non-obvious. So unless you can prove that the bumper has an extra-

It's a design patent, not a utility patent.
So design patents are easier to get because it's not a product that... It's not, it's like aesthetic, right? So it's the thing of like this cup is shaped this way and they're very easy to circumvent but most people probably aren't gonna circumvent them because then you have to spend more money to do that and you take the risk of still violating the design patent if you're trying to... And generally a repair part has to look like and be shaped like the original. To fit into where these go. But what you're saying is that essentially you could put an extra dent in it and you get past that. I think with design patents there has to be some number of differences. I think it's like five differences and it's completely different than a normal patent application which is for a utility patent which is supposed to be something that someone knowledgeable in the field can replicate for protection. Design is purely the aesthetic thing and you could bypass it. I wasn't even aware that that was a thing you could do because I thought that fell more under other things because I know that the utility patent, example the Wright brothers did not patent the airplane they patented the control system because there was not enough evidence they could do that which led to a fight with Glenn Curtis who created his first patent workaround and created the aileron instead of wing warping. Good example. Good point. Yes sir. Hi, hey. So thanks for being here, thanks for hosting this. And I'm sorry if I'm the only one with this question but it's kind of fundamental and before I get lost in the weeds I just wanna kind of reframe this real quick as in the context of ethics. So if we're talking about whether it's okay to do what we want even if it means breaking the law whether the law explicitly says it or just by IP even if that is to help the greater good we're still following a selfish desire to do what we want, right? Ostensibly US law reflects the will of the people. 
If we're saying, hold on, that's exactly. Ostensibly and ideally, right? The US law reflects the will of the people. And if we're saying we're gonna follow our own selfish desire even against ostensibly the will of the people are we having an ethics conversation of hedonism versus utilitarianism or are we just having a legal discussion about whether US law accurately reflects the will of the people. I too was a high school and collegiate debater. I mean that question is exactly right. Yeah. This person says reality, right? I mean, quickly then. And then I always represent the will of the people and you go ahead. Well, I was just gonna say there's more than one law and there's more than one interpretation of it and the exercising of the interpretation of that law has not been done by the people. It's been done by the shareholders of the biggest companies in the world. Yeah, so the comment was if you follow the money authorized repair shops, money goes back to the big corporations and for independent repair, they don't, that's actually a great point because the repair simply isn't profitable, right? To have outside sources do it. Product vendors, for them, if they're gonna authorize repair at all or they wanna make the money on it. And that's sort of goes along also with at least on the consumer side, I think this might be deviating a little bit, but I think sort of tractor, automotive versus consumer. And I think a lot of the rights repair falls on some consumer and some other things is that vendors don't wanna deal with having people repair their products because they're basically designing products with planned obsolescence. So they're expecting products that are gonna be obsolete in three years and they can move on to the next thing, but hardware usually lasts longer than that. 
And along with that too is the vendor doesn't, that way they don't need to make authorized parts for people, they don't need to support authorized parts and they're not gonna make money doing it to, you know, by having authorized or unauthorized retailers. Yeah, one thing that, a point that I'm gonna, that Nathan actually made in one of our many meetings together but that I'm gonna remake here, which is to understand that OEMs wanna construe authorized versus unauthorized as a quality, as a qualitative difference, authorized or better trained and better and more apt and more able to repair. But as Nathan will point out, authorized versus unauthorized is really, are you a business partner of ours that allows us to tell you how much you can charge for repairs, what repairs you can do and what repairs you can't do and in which we, as Joe was saying, benefit financially from your activity or not. And like, it's just a different, it's important to understand that that is actually the biggest distinction between authorized versus unauthorized. I'm gonna stick a placeholder in here later on for the international equivalent of this and the discussions that go on about information security, hardware, manufacturer and the effects that I've seen in the room of big money and lobbyists in intergovernmental organizations later on. Yes. Okay, I was being polite. So, I'm a hacker. I know people that work at car manufacturers and I've had drunken conversations with these folks about this exact issue. Car manufacturers are in a very interesting position because they necessarily want some of their owners to tinker and they take a blind eye to what they call tuners because it's good for the product brand. So, you do have a lot of gray and cloudy area here where automobile manufacturers know that tuners are gonna go out and tune. So, but then again, we also talk about what you guys were talking about. 
So, it's not really clear, even inside these big giant companies, there's a lot of struggle inside the companies themselves over what do you say publicly? And this necessarily, there's an ethical issue involved but there's also this tangle back and forth between product liability and things like that because these are going to be autonomous vehicles. There is a lot of consideration here. It's a very complex topic. That wasn't really a question just to comment. That would be the quick, that would be, I mean, correct me if I'm wrong, it would kind of be the difference between do we want to allow kind of fanboys to like soup up their ride and juice it in a way by manipulating the software or what have you versus do we want to let Joe, who owns a corner garage, replace a headlight assembly or something like that? And then in terms of research, and this is a completely new bullet point. We're not no longer talking about any specific car, it was just a generalization. I'm gonna talk specifically about Dieselgate. Yeah, yeah, okay, yes, yes. Right, so there was a car company that decided to fix hardware problems in software. I mean, a lot of people know this story. I'm not even gonna bother to put up a vote on it but so I know folks that decided not to get their car patched because they would rather have the performance than to adhere to what the patch is. So ethical or unethical, if I don't get my golf patched to actually conform to the law because I would rather have the performance, am I performing an ethical or unethical act? Yeah, I'm gonna ask a hard question now. That's a good one. You're off the app, I'm not, all right. No, no, no, no, no, no, no, no, no, no, no, no, no. You certainly can opt out of having the update by just not going to get your car worked on, right? Yes, yes, I were, but they issued a patch and a recall. I read his question is, is it okay to knowingly violate emissions laws as an owner versus a manufacturer? As an owner. 
It's kind of the same thing as cutting the catalytic converter off your car, right? You can do it. I would say no. Yeah. Yeah. So, most folk think this is unethical. We had a couple of ethical. Is there anybody that wants to speak for the ethical side? Was it, yeah. Would you like to come up? No, I'd rather, so that folks can hear you. Yeah, so are you, you're not with the EFF, are you? No. Okay, he's just got an EFF shirt, I'm sorry. He does not advocate the view of the EFF. The views are my own and not those of my employer or the other associations that I endorse. We can't hear you. Sorry. So I think the question is, is it ethical for me as a car owner to delay getting a recall? So I've received several recalls on several vehicles. Yes. Some of the recalls I've read about and said, well, that's really important, I need to go fix it. And other recalls I've read about and I've said, in my view, the way I operate my vehicle, it is better for me not to have that recall taken care of because the issue that they're trying to address doesn't fit my circumstance. And particularly the one I'm thinking of is a Subaru vehicle where they issued a recall to have the tow hook that was mounted underneath the front of the car removed because if you drove into a parking spot fast enough, you could actually hit that tow hook and it would deploy the airbags. I would rather be able to tow my car, I don't drive fast into parking spots and smash the front of my vehicle into cement barriers. So I elected not to have that recall done in my vehicle. That's not an ethical, but a risk acceptance. Right, so that's the question with the Volkswagen patch. The way you drive your vehicle, if you're interested in performance, is it ethical for you to say, I would prefer to have a performance? In my case, I would prefer to have the ability to tow my vehicle. So does a consumer get to choose what recall they need to comply with? Or is a consumer compelled legally to implement every recall? 
You're absolutely wrong. Very rarely can I say this. Come on! There is a huge difference between... Yeah, that's sure. Yeah, yeah, yeah, yeah. So there's a huge difference between... There's a difference between risk acceptance for you saying I don't have... I'm not gonna drive quickly into it. And you accepting my risk on saying that you will pollute the air to destroy my lungs. It's kind of like the R.A.G. saying, we all as Americans have to accept backdoors in our encryption. He is making a risk-based decision on what he wants, which is not in our best interest. Don't look, I don't care if you kill yourself. You can plow into there and die. But I do care if you go out of your way to kill me by not getting that software patch updated. So you're thinking of it as it's an ethical thing from your standpoint, but you're not taking my consideration into anyway. You're like, I just want the performance. And that is absolutely unethical for you to do. You should be saying, I need to take care of Paul and Paul needs to have good lungs because he's not going to die, because he's not a smoker. You're killing everybody in this room by not getting that software update. Thank you. But is it ethical to just blindly trust a corporation and hope that their patch is actually doing what you think it's doing because their original implementation didn't do the right thing? Yeah, no, that's a different thing. Because the company, I don't know what the Volkswagen thing, if anybody ended up in jail, but the people who made that decision to do that should really, truly be in jail for a long time because they made a unethical decision that affected thousands of people. Millions. Yeah, millions. When we look at it, it's like we see that there's the, they'll fine them, but that money goes back into the government coffers. Those businesses that are making those decisions, as soon as we say, okay, Volkswagen, you're done. You're just gone now because you guys made a really bad decision. 
Ford and all the other guys will start to make their decisions a little bit differently. Now, if they had that same exhaust problem and they were not aware of it and stepped up to correct it later on, then that would be a different story because bad things happen when you're manufacturing things. So there's a difference there. I could just go on. Yeah, definitely. You had a comment? Is it now? Yeah, I just kind of had a comment about what a few people have said. Oh, so I want to record your flag. This guy likes Corona. He's not, this guy doesn't have an EFF shirt on. Speak Corona, man. So something you said about tuners, you know, if you do that ethically or unethically, this kind of counters his point because you're making a choice to pollute purposefully just for performance. He's just doing it because he doesn't want to go on the dealer. I'm kind of neutral in that. I drink Corona, I guess, but other than that, I am sort of a tuner, a novice tuner, and I do own an Audi, which is under Volkswagen, all that. So I purposely don't do things to pollute, but you drive a car for the hell of it sometimes and that's something that's kind of done whether you're out without thinking about the ethics. I'm not out there driving 400,000 miles a year, pushing 50,000,000 things in that atmosphere. I don't know how much you drive, but something people do, you may not think about that and I don't know if it's necessarily ethics. Well, who sets the limits? I mean, this is just going along with that. Like, who sets the limits of pollution and by tuning, does that really go above the limit or by not doing the beam, you know, not patching, does that really change how much you're polluting the earth or is it just giving more control to the vendor or saying you can't do that because now you're going to change the way the engine fires? Right? Is it just more, they're just asserting more control by setting a limit? Yeah. Who's setting a limit? 
They're probably being funded by the automotive company. I can't give you a really good quantitative thing, but I used to live in California and I did some mild tuning on my car and I still passed emissions. I now live in Colorado and there's no emissions where I live, so I don't have a way to actually meter the difference, but I can tell you that there's probably people that do that purposely and that might be an ethical question whereas some people are just kind of doing it for the hell of it and not really thinking about the ethics, so it's kind of interesting for your people. What makes this an output, actually, like the minute you just said you passed the emissions, it's still like, even if you didn't, I mean, the output of your vehicle, I modified it for too long. Well, I know. Yeah, I know. It might be here, but I'm not sure. That's what the car companies want, but actually damage to earth. Just doing my job. Man, thank you. Yeah, I guess I'm just trying to point out that some people, I don't know, but there are people like coal rollers or whatever that is that's like they're trying to burn the earth down or something, I don't know, but we do have one more major topic to talk about. This is a great discussion. Stick around. We can find about this later. We have two hours for this slide. Yes. Do you have a question that's going to be quick though? I'm going to make another comment. This is like an energetic one. Yeah. The one point I wanted to make in response to your counter argument is that it shouldn't be a binary choice. There should be some sort of difference between something that's going to endanger myself, choosing not to have something done, as opposed to something that's going to endanger everybody else on the road. It should be, it's unfortunate the recall system doesn't have grades. There's a clear difference between something that's going to impact you, just you and something that's going to impact the rest of society. 
So let me share a quick Volkswagen story while we're on this topic. So DMCA 1201, I mentioned this a few times. This is the anti-hacker law, right? This is the portion of the DMCA that says that it's illegal to circumvent a technological protection measure or lock protecting a copyrighted work, which is anything software now, right? Okay, so we were going through the process, me and EFF and some other friends of applying for this exemption for farmers and for car repairs to be able to modify and access bypass technological locks on cars for the ability to repair them. And the Global Automaker Alliance, which is the association that represents Volkswagen and others. Before, this was a month before the Volkswagen scandal broke, they sent in a letter to the Copyright Office opposing our exemption saying that the emission system in these vehicles is very highly controlled and only the manufacturers are the ones who have the knowledge and capability and expertise to set the values correctly. No one else should be able to inspect or modify those values or they could throw the car out of compliance with emissions requirements. And then a month later, right? Here we go, and this is fundamentally a question about who are we trusting? What is the trust model? And over and over again, the manufacturers say it's this authorized trust model. Trust us, trust no one else. And Kyle, remind us, how did we learn of the Volkswagen emissions? We learned about the Volkswagen thing because these academic researchers figured out that testing it in the lab wasn't working and so they hooked on a physical device to the tailpipe and they drove the car outside, right? And the software hack that the Volkswagen said was if they detected the steering wheel wasn't moving, then they would change the emissions differently. If you were moving the steering wheel, which you'd never do in the lab, then the software hack was enabled. And so the only way they caught it was by inspecting the tailpipe. 
Now if we'd been able to dump the firmware and analyze this, it would have been totally possible to catch the Volkswagen hack in software, but because the 1201 was there, it was illegal to do the software inspection that would have been required in order to catch this. Now all of you are saying, yeah, okay, I'm gonna do it on my own, but if you're in a formal academic setting, you may have more concerns about violating the law in the course of doing your security research. So they found this physical hack to do this. And this is preposterous. This is the kind of thing that when we start saying, let's trust the corporations, it's going to lead society down the path to oblivion. Thank you, goodnight. Okay, I do want to somewhat pivot to the, so I again, this is a cybersecurity conference, right? And there is sort of a cybersecurity angle to this. And one of the reasons I started Secure Repairs was again to sort of mobilize or radicalize, depending on how you want to look at it, the information security community to really start paying attention to right to repair laws that might be happening or pending in your state or even at the federal level. And to understand, this is something that actually really intimately interacts with your work. And the point of that spear is that OEMs, manufacturers, John Deere, CompTIA, TechNet, the big industry lobbies that represent the electronics industry and the technology industry have been making the argument, and Nathan can speak to this, at the state level with legislators, with whomever will listen, that in fact, the types of things that are called for in right to repair laws, access to schematics, access to diagnostic software and codes, replacement parts, pose a huge cybersecurity risk. That you're opening the doors to hackers, as they told the legislators in what state? Nebraska. Nebraska. If you pass this law, your state will become a mecca for hackers. People will come here just to hack things. 
And you know, that's a red flag to legislators. So to- They had a debt fund, they would know that already exists. Right. So to kind of give you a sense of what the industry line on this is, I'm gonna play a clip from Nixing the Fix, which is an FTC workshop that happened in July. This is Dr. Earl Crane, who represents the Security Innovation Center, which is basically a front group set up by a strategic public relations firm funded by TechNet, CompTIA. He is a hired gun. He's a hired gun. But anyway. He doesn't actually know where his money comes from. He's the organizations, and I've worked with security startups. So he's at the White House on the National Security Council, as the director for federal cybersecurity policy. I've worked in the financial sector and other Fortune 100s. I'm also an adjunct professor at Carnegie Mellon, where I've taught cybersecurity to graduate students and executives since 2002. And I'm a cybersecurity fellow at the University of Texas, Austin Strauss Center. And interestingly, for this conversation, back in 2010, when I was at Homeland Security, I was part of the task force, where we helped to bring consumer devices into government called bring your own device. As you can imagine, my entire perspective is viewed through enterprise, through the enterprise cybersecurity lens. I also personally wanna say that I'm a tinkerer and I am a fixer, and I appreciate the ethos of the repair movement. I will admit it's very satisfying the feeling you get from repairing something you own and helping others who wanna repair their broken things help reduce cost, reduce waste, and help hardworking Americans stretch their dollar. See, he's a friend. However, there's a big misconception that this is without consequence. Specifically, it can cause harm to someone else. And that gets to the core of my concern. Forcing repair on third parties like enterprise customers and manufacturers can make security worse and not better for all of us. 
And here's how. First is the loss of accountability for security. It's difficult to hold OEMs accountable for security of their products if we also legislate design changes that'll negatively impact security. Second is the risk of backsliding the security progress that we've made. It's not just a consumer security issue because we've merged consumer and enterprise technology. We're so much better. We can't think narrowly about how consumers use technology today, but think of how all of us will use technology in the future. As our lives are interconnected and digital, both at work and at home. And third is the loss of consumer choice and increasing costs. Consumers should have the choice to determine what design decisions are most important to them. Maybe it's safety, security, repairability, reliability, cost, and other features. The more risk we add through legislation, the higher the cost. So first I wanna talk about accountability for security. Consumers have an expectation of privacy and security. They believe that... Is that good? I think, does that sum it up? Yeah, yeah. Okay, so that's kind of the... Those are the three horns, I guess, that were of the OEM argument. And I guess, Kyle and Nathan, do you wanna just sort of... There's more things to that. Okay, yeah. I don't wanna... So he's gone up against me in a couple of different situations and he's lost a couple arguments. So he had new arguments this time. So he made a claim that basically independent repair technicians, because they're not vetted by the OEMs, they could possibly be criminals. And so instead of letting you choose your own technician or fix it yourself, you should be forced to use the criminals that the OEMs have hired. But that argument is a huge hole in it because if you do it yourself, there is no, you're not gonna hack it and steal your own data. 
So, but then the next time he had a different argument that was about, I can't remember, but they've made arguments that basically the function of the tools that repair technicians use have giant vulnerabilities in them, right? So some lobbying association in Georgia wrote a letter to lawmakers saying if the Apple Store diagnostic software for iPhones leaked, it would basically, you could access photos and information from any iPhone you want, which it's obviously is a huge insult to the engineers at Apple who design those products. So one is that they misconstrue what the tools they've built do and we don't actually, it's hard to fight that back because we don't have those tools. And then they make these kind of more complicated arguments about the loss of accountability for the OEMs. I mean, first of all, if they would take accountability for the things that they're deploying in the world right now, that'd be great. But yeah. I think this is kind of what Tara was talking about with the focus on liability and as kind of the guiding principle of their attitude towards us. Am I right? I somehow managed to be in corporate America without becoming of corporate America and maybe part of that had to do with the fact that I grew up on a farm. We've been talking about farmers. I was a farmer, that's where I grew up. How many of you guys grew up on farms? So the first thing I ever, yeah, and on the audience, anybody else grew up on a farm? Awesome. The first thing I ever repaired and my first repair tool was baling twine. Yeah, you know, talking about the orange baling twine and you fixed everything with it, mostly fences, tack, cars, tie-down hoods, tie-down trunks, tie-down Christmas trees, tie-down junk. So, so, so much junk, getting tied places. And that perspective means I can, I could sit here and do the exact same argument that this guy's doing. 
I could sit up here and absolutely advocate for that perspective and understand why I'm doing it and come at it from a perspective of wanting to save the 50,000 jobs of the company that I'm working for. I don't in general choose to do that, but I understand why this happens. And that, that vast perspective from somebody who would be incredibly annoyed at being told that they can't fix things all the way over to someone who understands how to argue on the opposite side is what we're actually missing in this debate. We don't have enough people that understand why people like this exist and who they're arguing for. They're arguing for people that are wealthier than we're arguing for, but they're still arguing for people. And understanding that and coming to this with a spirit of compassion means that we end up further along in the debate and being able to assume good intentions of everyone else. I think that collectively, people end up with bad intentions from corporations. Individual people aren't bad people or they don't believe they're bad people. So, attributing kind of boogeyman status to one or two individuals respectfully. I mean, I know this guy's not, we don't have a lot of fans of this guy in our community, right? But attributing boogeyman status to any one single person takes away from the fact that collectively the incentives are wrong to provide the kind of right to repair support inside corporate America that we wanna see. The liability issue that Paul is talking about comes from fear. It doesn't come from a desire for money. It comes from a fear of losing your job. For anybody in here who's ever lost a job before because something went wrong in a company, you can feel that responsibility and this is how ethical choices get twisted to make the wrong decision for the right reasons. You're trying to keep your own team safe. 
I've run corporate teams before, teams of teams before and sometimes it's very, very difficult to tell the right decision, the ethical decision on an individual level when what you're trying to do is save jobs and budget for the next year when your people need healthcare. That is how these incentives get so screwed up and liability when it comes to either tiny pieces of repair or massive corporate fraud that we deal with from that car manufacturer comes from the kinds of incentive mismatches that create. These people didn't think they were bad. The people who hacked these cars to change emissions, to change and try to ensure that there was no that no reading happened to try to protect their own firmware to make sure that you can detect the hack in advance. It wasn't a hack that was built in. That's not a hack when they're the ones that build it that way, right? So they didn't think they were bad people and understanding that and coming to it with a spirit of compassion helps you start to understand why product liability is the reason being used on all of these cases. A month ago, I have a kitchen that's entirely red. I love cooking, I'm a pretty good cook. KitchenAid devices, right? And they're all empire red. One is candy apple red and we'll get back to that in a moment. I mean, and I bought a hot water kettle from Costco. Who's got a clear glass-sided hot water kettle, right? Any of them, let me light up with an LED at the bottom to let you know that it's turned on, right? As a user interface thing. The LED at the bottom of the hot water kettle that I bought was blue. Yeah, it was white too. It doesn't have to be. Now, so what I did was take the bottom of the hot water kettle, this is an electrical device. Took the bottom of the hot water kettle off and I understand how this works well enough that I can pull out the two LEDs that are soldered into the bottom. 
They're soldered into the bottom of the board and the only thing that they do is power up if the switch is on, right? So I understand looking at this that this is a relatively simple thing to fix, to change, to hack, right? So I go and I grab my Arduino kit, we all have packets of those lying around. I mean, like normal people, right? And I pull out a couple of red LEDs and I swap these LEDs out with, you know, and trying really hard not to breathe flux because I always forget to breathe flux, we all do. More insane here. And swap those lights out and test as I'm going, plug back in and by the time I was done, I had a red LED light up hot water kettle, right? Super cool, all those pictures. And plugged it back in the kitchen and it lit up red and I was bounced around and I was incredibly pleased because now my hot water kettle matched. The next day my double boiler pro line espresso maker shorted out everything in the kitchen and I freaked out. I was like, oh my God, what did I do? Did I do something wrong with the hot water kettle? No, it was unrelated. The internal circuit board had melted away from a probably a busted line on the inside of it. And this is a double boiler. Now, we theoretically are talking about just hot water and electrical devices in both cases. However, I'm not gonna try to repair myself, a double boiler in a hard case because a system like that under pressure, I am not familiar enough to fix, right? The problem, I could see both sides of thinking that a consumer with those consumer devices can and should be allowed to make the two decisions I made. One, to hack my hot water kettle because I felt like it and I wanted to change the aesthetics of it and understanding that I don't have the expertise to work with double boilers under pressure with an electrical device that I'm not familiar with and sending it to the only guy in town who will fix kitchen aids and it's annoying because he's a jerk, but whatever. 
And please, will there be more competition in kitchen appliance repair? Because I'd love to give my money to somebody else. And that question right there, that lack of trust of the consumer is why these companies have this concern over liability. They would take that choice away from me to hack things for aesthetics, hack things for repair, because they don't see a difference in the two things that I did. Do you all in this room see the fundamental difference in the two things I did? Right? Yeah, go ahead. You were also willing that most people are children and they will go replace the other beings, mess it up, and then send it back to my... That's not a child, that's an asshole. That's not a child, that's an asshole. So two things, one, that's an asshole and very briefly, actually what you did changing out the LED and saw me did not void the warranty. It's not legal for it to void the warranty in the United States. Yeah, but if the company that created that hot water kettle decided that I hadn't sent me a C and D, it would make it, whether or not it is or is not, it would make it functionally illegal for me because I wouldn't have the capacity to defend against that law. There's practical law and that practical law often comes from a corporate lawyer holding a C and D. If it stops you from doing it, doesn't that start at the same purpose? True. I think this comes all the way back to the beginning of right to repair, right? And it's the problem with liability, like I'm not a debater, I'm a technical person, but liability companies protecting themselves, the people designing these products are human within those companies and they're gonna make mistakes. So it's really, does the company want somebody outside of their company to repair or not? But I feel like we need to almost bring things back a little bit like, I don't know, yeah, you guys are probably my age. Maybe a little older. They're still older. 
So, if you think back to early technology days of home computers, consumer products, appliances, you would buy a product, you would get a service manual you would, even with Apple Computer, which is crazy, think about this. So, Apple Computer, schematics you could get, you'd get better prototype boards, you could build your own circuitry onto, put it into your computer, homebrew computer club, you could share things and modify things, and that's how the technology market started. And now think about where it is now, where same company, Apple, or same name, you buy stuff, you can barely open the thing to change the battery, you need an acetone to get the battery out of the laptop, you have to buy third party batteries and now you're trusting some third party manufacturer to make this stuff. And it's sort of a slippery slope because we've let that happen. And now, if we keep doing that and if we keep letting guys like that guy, and yes, he's one representative of a lot of companies, but he's very outspoken and we don't play politics like they do, right? And it's like, we're letting this happen. And whether or not you wanna fix something to turn LED blue or red, or whether I wanna fix something because one of the humans inside the company made a mistake and I wanna patch it and make it better, I should be allowed to do that. But Joe and Kyle, and I'm just gonna reiterate an argument that I hear sometimes from legislators and always from the industry, iPhones and tablets and MacBooks are wholly different from earlier generations of products like toasters and vacuum cleaners. They are so much more complex, they are so much more sophisticated, they do so much more stuff and they hold very, very sensitive, valuable information. So clearly, entirely new framework needs to be applied to them when talking about things like service and repair. Isn't that right? 
I bet when those first things came out, they were just as important and it's almost like they're trying to say, you guys are too stupid to understand what we're doing, let us control it for you, trust us, everything's gonna be fine, right? We should be allowed to repair our products, whether it's hardware or software or firmware, to give me that little hand back here. Back in the day, I was part of a hacker group called the L0pht and we would kind of share the good side of the hacker world and we would find some of the software guys would find security problems in Microsoft Windows and all sorts of other stuff and Microsoft would say, oh no, no one's ever gonna do that. So we would write exploit code and say, no, this is how someone would do it and they go, oh, okay, maybe we should fix it, but vendors were not responsive to fixing security problems. So we were kind of fighting for the users and saying, all right, if the vendor's not gonna fix the problem, let's release the information so IT people, normal people can fix their own security problems because we can't trust the corporation and the same thing is still true. But if you look at software now, we have Patch Tuesdays and software companies, for the most part, are responsive to vulnerabilities. You have bug bounties, all this stuff. The hardware world is not like that. Hardware world is like 10 or 20 years behind and they're not willing to say, oh, thanks Joe for finding a bug or whatever. They'll try to sue me instead. So we're fighting the same battle that we did with software companies and the software companies have been more responsive to that, but it's just something that we need to have some sort of control of the things we own because we just can't trust corporations or anything and we can't rely on them all the time is my feeling. 
If we make the choice to repair something for whatever reason, we take on liability for doing that depending on what it is, but that's all right by owning the thing that we're paying money for and not being controlled by some licensing agreement from a company. Yeah, just to follow up directly to Paul's question, right? The companies make the argument, shouldn't we have new rules for ownership? It's like if we do, they should be decided by and accountable to the people and that problem is, is they're not. They're held, they're created by and accountable to the shareholders. So I mean, I think it would be a good conversation to like what is safe to fix and who should fix it and what the rule should be. I'm willing to have that conversation as long as the conversation is being held in a way that's created by and accountable to us. I think another thing too just along that before we do guys questions is always the topic of security comes up and I know that this video didn't show it but a lot of the companies are saying our products need to remain secure or if somebody opens it or they get access to diagnostic tools or the schematics in Shenzhen, security is gonna be breached and that's a really, really lazy answer. We heard that with the software back in the day also. You can design secure products and still have them in an open environment that are repairable in the normal business of repair. The problem is hardware is so poorly designed that something like this or something like any other electronic product are not designed well and we could have things but instead of designing products well companies are using the law to make it harder to do. 
So it's a lazy response to say oh, you're gonna break security, something's gonna happen when they're not even taking the effort to actually design things well and Apple and some of the larger companies are doing things well and that's great but they're also doing things intentionally to prevent the right to repair at the same time by putting the sensor in the button, right? Which is like one of the most common things to fail because there's a mechanical interface. So you can separate things and have security and have repairability at the same time but these companies, the corporations are putting them together so now that you claim security when is a bullshit argument. I think that's exact, that's really well said. Finally something useful. Yeah, yes, and I said. So we're talking about this a lot. Obviously there have been 20 right to repair laws proposed in the last legislative session here in the United States. Two of them are still alive, 18 have been killed off more or less by industry but this is not only a US or even a North America conversation because actually there are right to repair laws pending in Canada as well. It's also an international issue. It's very much of an issue in the EU and I know Tara you have some thoughts and sort of some insight into how this debate plays out on the other side of the ocean. You're gonna stand there for a minute just letting you know on this one because I have opinions. Hold my beer. Hit me chief, there we go. Do you want me to hit you? I want you to hit me with the bourbon, not with the badge. That was the question. And then I'll make sure that you keep going track. Not that much bourbon. Okay. Yes, I do. All right, here we go. Hardware on an international level isn't 10 to 20 years behind. It's not behind, it's been left behind. No one's looking at hardware anymore. We are so far beyond that conversation in the international security debate that it doesn't even register for people. I have two different lives. 
Thank you very much. I'm gonna need this. I have two different really weird lives. I have this weird life in corporate information security. My professional career kind of runs along two tracks. I live in corporate infosec and then I live in the hacker community. These two things live over in my infosec career and I have an entirely other life in international foreign policy and security policy that comes out of academia and international conflict. That's the world that I came out of and I've ended up doing work in political economy and having conversations about cybersecurity at the OECD in Singapore last week having these conversations and what is the thing that everyone in the international policy community is talking about when it comes to security? Do you know? Two letters. Artificial intelligence. No one cares about hardware anymore. It's gone. It's so over because the answer is just buy your mom an iPhone. The battle we're having here is a battle for attention on a lot of different stages because I wouldn't say I'm guilty of it. I'd love it if my mom buy an iPhone. And the conversation that starts to be had in Paris, in Singapore, in Johannesburg, in the places where we have conversations about international security policy and political economy is one where the people even in these conversations want to be thought of as thinking forward. A conversation about whether or not someone can repair their tractor is it's not going to land on anyone's desk there. And I'm not important enough to be able to have the conversations with the top people or the top people. But I have some conversations with people who can tell you what the next agenda is going to look like. In Africa, the big concern is over waste and repair but the laws there don't suffice to protect anyone in terms of intellectual property for that right to repair. There's huge repair shops in Africa. Same thing we know about of course as Joe already said in China. 
There are not repair shops like that in the European Union. And the reason for that is multi-fold but it has to do with the fact that wealthier countries are less concerned with the capacity to repair and they're the ones making digital security policy. People who are worried about whether or not they can save $25 on a repair of their iPhone and want competition between shops are not talking to the people who are writing international policy that becomes NIST cybersecurity standards. That becomes ENISA. That becomes any of the ASEAN guidelines on how we implement security policy inside companies and what those companies can be forced to pay for screwing up. That's the only thing that really matters. GDPR didn't have teeth until people started receiving multi-million dollar fines. Then it became real. It wasn't real to most American companies that GDPR would be a thing. So not just cross-border questions but questions of wealth and privilege and influence and the people that have access to the kind of skills that let you care about repair. Repair is a skill that is undervalued not just by the kind of people creating the policy that we get to live with but it's undervalued by people who no longer have to repair things. We up here, we don't have to repair things. We get to repair things. I got to take time to do a project. I get to take time to do this and I've got an error message I got to show you a little bit later on. And that problem is the fundamental one. This debate we're having right now isn't going to surface to the level that anybody can influence from the top down. If there is any lesson that comes from the European Union, from the lack of repair shops in the rich countries and the continuing fading away of the right to open up your own devices, it is that the wrong people are making these policies or if they are in fact the right people it's that no one's brought to their attention the impact that this has on people that aren't them. 
The people I see making international digital security policy are busy carting around Balenciaga bags and there is no right to repair in the top of their brains, right? So when I look at this thing I think the last part of what I note about that is that this community is the most intractable and allergic to compromise of any of the communities that I'm part of. Yeah, if you can't have everything you'll take nothing and get mad about it. And I'm part of this community too and there's a piece of me that does this. If we can have some of what we want we need to figure out a way to determine if we wanna keep fighting because we wanna keep fighting or if we've gotten what we need for the people that need it most the ones who didn't get a chance to fly to DEF CON. There are repair shops in Kenya right now and repair shops in Malaysia right now where the people who are repairing devices that get thrown out here are making tens of dollars per device. These are the people we should be thinking about protecting, does that make sense? I am very glad to hear that and maybe compromise just a hair more give people on both sides of the field something to work with and maybe I've never seen anybody from the hacker community show up at any of these conferences where this kind of policy is being made. Maybe take a year and go to one less InfoSec conference and go to one more IGO CON. Teach somebody how to pick a lock, break something open, fix the settings on their phones because none of them can set a phone for anything. Right? But take some time to do that cross those boundaries please because they're not hearing any of this except for me and I think they're tired and you want me to shut up right now. Drink. That's terrific. Go ahead, yeah, question. All right. No. No question. Talk by hand. Last I checked, I was the moderator. Even if I'm, I didn't get included in the slide. What kind of reporter are you? Anyway. I'm bad, Big Easy. We've got about a half hour of discussion left. 
I just wanted to make sure that if any of the panelists has anything to say, they need to speak now or forever hold their peace. I just want to throw a data point out there when we hear about manufacturers and how seriously they take security and how important for all these device makers security is. Cyber ITL, yes. Oh, Mudge's thing. Mudge's thing and Sarah Zatko's thing released a survey of 18 vendors and 6,000 firmware images covering 15 years. Vendors including ASUS, D-Link, Linksys, Netgear. And the conclusion has been that there is absolutely zero evidence of any improvement in security over the time period and that the level of security that has been consistent is horrendous. And they're coming out with that data now. It's the most comprehensive survey of IoT firmware that's out there. And it shows that vendors absolutely do not care about security of their firmware. A lot of those companies too, if they're making consumer devices and IoT devices are all based on some reference design from some chip vendors. So they're all using the same code base. Maybe they're changing the logo of the boot screen. Yes, to turn it off. But they're all using some insecure reference to start with and you can't have security on an insecure reference. Okay, thank you for that last word, Paul. I need a vote. I have a question. So back in the 90s, we used to drop zero day to straighten out vendors. We not necessarily meaning me, this is not the opinion of myself, or anybody in the room who might be in law enforcement. They or us are underground, or the vendors had to be taught a lesson. So the ethical question to be asked now is, is it about time to start dropping zero day? Ethical or unethical? Must. Must. Stop. It's a myth. It's a myth. It's a myth. It's a myth. So. No, you can't do it. So we needed a clar- It did. Don't tell me what I can do. It depends on what the vulnerability is and what does it affect people. 
And if we can try to have the company be responsive or not, but if I find something in a medical device that somebody could actually go kill people with, maybe you try to work with a vendor more, but if it's something where the vendor's not listening, or maybe I don't even contact them because they have a past of not listening, or I don't want to get sued because they have a history of suing people, then I'll drop it. And we, you know, I've done that before with the risk of getting sued, and luckily didn't, but it depends on what it is, I think. What's your vote? It's half. It really is half. Yeah. Contact half. There's that. I need to see anybody else's vote. This is zero day. It's time to vote. It's right. Yeah. I go with the two face. Two face. Okay, so everybody in the room is now known as cake or pie. The record reflect cake or pie wins. So, does anybody else have anything to say? Yeah. All is silent now. No, no, no. I am, yeah. Tara? Tara? I'm good. Joe? Good. I got something to say. All right. This is your last thing. Then we're going to do questions. I'd like the audience to participate. Yeah, so this is a little bit of a question for the audience as you're asking questions that I'd be interested in your answer. But my question is, like, we're clearly frustrated. We would like to have the right to repair. We have a path to doing this. In Massachusetts in 2012, there was a ballot initiative that said, do you want to be able to take your car to a local repair shop? It went on the ballot. People in Massachusetts, do you got a vote for it? I did. 6% of the citizens of Massachusetts voted for this ballot initiative. So, like, this is one of the things all humans are in favor of this. That's more people in Massachusetts than actually own cars. You'll get your chance in a minute. Okay, so, like, this is clearly something all of us want to happen. 
And if we wait 10 years, there's going to be many trillions of dollars more on the other side of this issue opposing us than there is now, right? So we have this relatively narrow window where we've got legislation proposed in 20 states. It's been shot down so far this year in 18 out of the 20. It's probably going to get shot down the next two over the next few months. What can all of us be doing to move the needle? How do we get this from an idea from something that we have consensus on here to something that is actually going to get passed into law and start to affect the devices that we have? Thank you. Right to repair, dude. Are you good? I'm good. All right then. Wait, wait, wait, wait. Nope, I've got one for you. There is one thing I do want to make sure people know, which is that at the very senior level of intergovernmental organizations, the large tech companies all send lobbyists. There's no equivalent lobbyist for the right to repair and the people that get heard are the people that show up to these meetings. Is that me? Everyone. Did I hear Tara need to start a Kickstarter? Gotcha. Let's start a Kickstarter. All right, now let's, it's your turn. One of the things that kept coming up is liability and for security, or I repair something and make it dangerous or create security flaws or pollute or something. I mean, do you think that should be part of the conversation if possibly we could get laws that would sometimes clarify when an OEM might be liable for any kind of problem damage that could be caused by a repair? Because I can see their perspective on that too. I mean, honestly, if a guy repairs, Misruth does something weird to his car or whatever and kills himself. I know that family's gonna sue me as the manufacturer because I got the money and they're not gonna sue him while he's dead or many of these cases or any of these things. They're not gonna look for Joe Schmoe that modified it first. 
Then opened up the security hole or did whatever that caused consequences. They're gonna look at me and the manufacturer. Well, how'd you let this happen? And if I was a manufacturer, I need to have some answer that says, well, dude, the guy modified it in this way and it caused a problem. We specifically say that you can cause this kind of problem if you get in here wrong. I mean, if I'm a manufacturer, I want some good kind of liability that can say, yeah, not my problem. So I'd also be interested in hearing what Tara has to say because she's been talking a lot about this issue. She clearly has some frame of reference and some expertise, but I would say, I like this is definitely a separate conversation like what the liability is and what your rights to repair are. They should be separate. There should be a separate conversation about what's the proper use of liability but it reduces liability for companies that people haven't repaired by a third party because the companies can come in and say, somebody else fixed this, not my fault. And in fact, Dr. Earl Crane in that thing said, it reduces accountability for manufacturers and accountability, another word for liability. So it reduces accountability for manufacturers if other people work on it. So, and then the other part of this in the liability universe is like, all of this already exists. Like everyone can already fix their car. None of the other stuff that we do, we've been talking about is the core of rights to repair is more dangerous than a car, you know? And so the system of liability that we have now, it might be broken but the issues have been litigated before. How many cars slip off of jacks and kill their owners every year in this country? Oh, quite a few. Quite a few, right? But nobody's saying you shouldn't be able to put your car up on a jack because it's dangerous and could kill you even though we all know it is, right? 
That's risk assessment too, that's what we're getting at here is just like, when the manufacturer says something like, one person could do this one thing here and it just like, yeah, well that one person has a one in eight million chance of being killed by a shark. Right. You know, I mean, they're gonna be hit by lightning twice in the lottery before this possibly could happen but they're making a judgment based off of this one single instance and you're using a worst-case scenario to make your arguments. And so Nathan's point, that's why I mean when challenges are saying this is way over the top your scenario is a once in a lifetime kind of event. Right, and I think if OEMs were saying we generally support this but we have concerns about liability, can we fix this? The repair people would say, absolutely, you know I mean, the gun industry has huge liability protections in federal law, right? I mean, and they're trying to stall but they're just trying to stall us and to push us off. I mean, you can imagine a manufacturer of lobbies saying okay, we'd be willing to do something on right to repair but you need to reform tort before we can possibly do that. And it's like, okay, let's just, let's just, you can't change the battery in your iPhone before we change tort reform. I mean, and they might make that argument just to get us to stop trying to fix our batteries. So as a lobbyist for the people, you know I have to kind of be aware of what their tactics are and just say like, that's a separate conversation. Have that conversation till you're blue in the face but in the meantime, let us fix our stuff. So I desperately want to respond to this because I know I'm beginning to understand the basis of a lot of this problem. When we talk about liability and I'm, I can't believe I'm actually gonna say this. When we in corporate America talk about liability, hang on. Okay. So the nature of liability does not just exist around personal harm. It also deals around brand protection. 
Now, and the reason why is I'm gonna, I'll give you the best example I can think of this second. When something goes wrong and a company fails to secure an S3 bucket, what happens? What's the headline? Amazon S3 bucket found insecure and data leaked of patient records, right? Not a tiny healthcare company in Cleveland failed to properly secure their S3 bucket and take it off public. Instead it is AWS bucket found insecure. That's what companies are scared of and that's why this is happening on a corporate level. If I was someone who, and I have been before been set up to evaluate the brand risk to permitting people to modify, alter or tamper with a product in order to provide themselves with more functionality, I would sit there and think to myself, what's the headline tomorrow? And the headline for Ford, the headline for Michelin for letting people change their own tires with the bitty sensors and crap like that in them is not tiny guy in St. Louis failed to install three tires appropriately. And as a result, a couple of people died. The headline is Goodrich tires blow up in four different places and six school children were killed. That's why this is happening. And I can't always fix it, but I can tell you that's the reason that corporate liability operates in the way that it does. That's why this is so devastating and why it is such an intractable problem. They're afraid that their own mistake is going to come back at them and they're afraid that anything they do if they are the biggest party involved in any incident is going to be the name in the headline afterwards. Even if it wasn't really their mistake it was just the fact that somebody could exactly misuse their product in a stupid way. Oh yeah, I mean, who hasn't really screwed up configuring AWS before, right? No, yeah. But yeah, that is a problem it has to be dealt with. I can kill myself on my motorcycle by drinking and not wearing a helmet. Harley-Davidson rider dies in fiery crash. 
I'm not a Harley man, but yeah. Thank you. You know, I can shoot myself in the foot with my pistol, but you know, all kinds of things I could do. Thank you. Great. Next up. Next. Hi, I came in power for three, so forgive me if I'm rehashing anything that has already been said, but Nathan, you said something about accountability and liability being equivalent and they're not. And I mean that in accountability is what allows liability to be assigned. And that can be both a good thing and a bad thing. And to Tara's point, when it comes to corporate America, the end result of shutting down that conversation and saying, well, it's my name on the headlines, allows for both good and bad, right? Volkswagen would have loved for this never to have come to the fore. They would have loved to have been able to hide behind that lack of accountability. And I think that until we hold them accountable, accountability is the only leverage we have from a security perspective in order to be able to make certain that we assign liability appropriately. Without that openness, we can't get anywhere with it. And what I'm seeing more and more now, I work for a large corporation, Fortune 200, and we have the largest purveyor of spyware in the world as our operating system, as a manufacturer of our operating system. That to me is unconscionable. How do we deal with that? What do we do when the manufacturers themselves aren't worthy of the trust they're asking us to place in them? Panel. I'm gonna let, I've got an answer, but I'd like to let someone else answer this one, just and think about it and formulate for a second. No, I mean, no, and I mean, I think this is, I think a lot of the arguments against repair do come down to, as Nathan said, kind of trust corporations, where we are going to take care of you, we've thought about all of this in more depth than you ever possibly could and have designed our products to maximize your safety and privacy and security. 
They make these arguments, even as in our, on our online and in newspapers and so on, we see story after story that indicates that in fact, the truth is 180 degrees of that, right? Right, it's right to repair really the banner that we want to be carrying because it really isn't just a right to repair. It's our, we own it. It's a right of ownership. It is a right of ownership. So there's actually, there's a really good book called The End of Ownership that talks about this and actually that's one of the reasons that I started Secure Repairs and that I think this is so important is that repair, for the security community, repair is really part and parcel of the work that we do of investigation or you do actually, because I don't do much of it, but of interrogating products and technologies, figuring out how they work and also figuring out ways in which they're deficient and need to be improved. And if we lose the right of ownership because it's been kind of chipped away as Kyle talks about, that work is in jeopardy. Right now we celebrate when we get a positive ruling from the Librarian of Congress on DMCA exemptions to work on mobile phones and so on. What we forget is that every three years we have to go on bended knees to the Librarian of Congress and ask her or him for permission to do the work that we do. So in essence, our whole industry is one grumpy Librarian of Congress away from ceasing to exist, from us not having the right to jailbreak our iPhones, from us not having the right to look into firmware and analyze how it works. And I would expect that the current administration, if they were to be able to insert a Librarian of Congress might be somebody who's considerably more friendly to the interests of industries and OEMs than to independent security researchers. So we lose kind of, we're losing the plot a little bit and the plot, as you said, is ownership, right? 
And the rights of ownership in our effort to fight a war of attrition with the Digital Millennium Copyright Act. That's why we need to win our digital right to repair. And in order to do that, unfortunately everybody in this room is gonna have to do things that as security people we really hate to do, which is go out there and talk to people and get in people's faces and so on. I would be fine with giving up my right to ownership if the responsibility to maintain and repair stayed with the owner. If you were leasing instead of owning, right? So like, we have no expectation of repairing our leased car, right? That's why we leased it and didn't own it. But if you're gonna give me the burdens of ownership, including the cost and the responsibility, then I have a right to tinker with it, modify it, repair it, do whatever I want with it. Otherwise, I don't have any expectation of caring for my Spotify songs, right? Storing them or keeping them from getting scratched or whatever, right? That's the idea, right? Right, exactly, you know? And again, I have no expectation of repairing or servicing my leased car. But my owned car, I do, the responsibility is on me, but there are rights, not just responsibilities. I wanted to directly answer your question about the fact that you work for an F-200 where you've got your OS that has been manufactured by the largest creator of spyware in the world. To go back to my respected colleague over here who asked the question that was so perfectly framed about the difference between hedonism and altruism, and respected colleague, damn, I'm right back at being 17 again in a Lincoln-Douglas debate. Respectfully, again, this community is very allergic to trade-offs. You still work for them. I've taken their dollars, too. The security industry, man. The security industry, the Fortune 100, and we do that not just because we enjoy practicing our trade. I'm a senior cyber security executive. I know trade-offs, and they're gross. 
And yet, we practice our trade, and we work for companies that make bad decisions. I've got wonderful friends at Microsoft, Google, Apple, and when something explodes in the news, they get asked the question, why is your company doing this? And they say, I have no idea. I'm on a red team and I live over in Seattle. I don't know who the hell are you talking to? And yet, from the outside, it looks so impenetrable. There are a lot of really good people that work at the car company that we've been discussing all day long who try to keep people safe, and now they've been tarred with an unfair brush. You take their money, I take their money. We all do because we're part of a system where we're trying to make the world incrementally better, and a little bit of that compromise helps, but here's the piece that causes an issue. There's that point that you, sir, are going to get to when you can't take it anymore, when you're done. I've gotten to that point before. When I can't do it anymore and I can't support it anymore and I think all of us have gotten to that point at this point where we are tired of being told that we can't do what we want with our own shit, and that feeling right there, that fundamental line between a lease and an ownership is where we hover, understanding that a lot of people, maybe even a generational issue where younger people weren't taught a lot of these skills, and the difference between a lease and an ownership isn't real to them, might help us all to have that conversation. In a disposable economy, they have no real incentive to repair. Like I said, I'm into fashion and clothes and everything, and I've been to an H&M and there is no reason to try to sew a seam up on that again, right? And the great part is that I'm glad that joke landed because there's three women in this place and y'all have shopped at H&M before and you just throw it away after the fourth time you washed it and it falls apart, no? 
So the disposable economy is part of it, but the fundamental part is what is the place you want to draw the line? I've had to draw that line before and it's cost me money and time and friends and relationships, and maybe that's the difference between hedonism and altruism. Thank you. I would want to add a question. Good question. Which is, you know, right to repair is a way to have a really meaningful conversation about these issues, right? Like for whatever reason, people want to talk about their ability to fix stuff and it's a way to have a conversation about the society that we have, the way we treat electronic waste, the way we treat things that are disposable, the way that we let corporations control how our things work. That's why I work so hard on this issue because that, I feel like those conversations are really meaningful to the future that my kids will inherit. Yeah, so I was debating whether to bring this up but you brought it up first. The Massachusetts right to repair. So I'm from Boston originally, I live in New York now, but when that was coming out, I remember legislators were taking forever to come up with any meaningful legislation so it became a ballot question. And then the organizers of the ballot question struck a deal with the other people and they tried to take it off the ballot and they couldn't in time. And then they reversed the decision that they agreed on because the ballot question won and then became a mess all over again. So it becomes an ethical question of who's behind the ballot initiative? Who's negotiating with the opposition and what the will of the people are when it goes in front of these referendums and who's really calling the shots in an alleged democratic process? Well, so I'll tell you, who's calling the shots in this process is an organization that we set up called Repair.org. 
It's a, and if you want to get involved in the tactics and the details of are we doing a ballot initiative or not, please join Repair.org and get involved. We need your help. Yeah, yeah, because they're the ones behind the bill. And I'm the chairman of the board, Nathan's on it. I mean, all of these guys are involved. Like we, Secure Repairs and Repair.org, we need your help. There's basically no funding. It's just a volunteer organization. And we are doing our damnedest to get this thing done. And there's lots of little, little questions like that that come up every day that we're making decisions on and we love your help. Yeah, so the corollary, I have a Subaru STI, right? Where everybody mods the ECU. And it's a very gray area about what violates the EULA, what violates the right to repair. So Subaru has this unofficial policy. As long as you can get the ECU back to the factory firmware, they'll agree to honor the warranty. But if you brick it or you can't get it back to the factory, they won't. So that's just Subaru's policy because they know no one will buy the car if they can't mod it without that kind of thing. But I know like companies like Tesla, I may be incorrect, but correct me if I'm wrong. They have like provisions in their EULA that if you use a Tesla to ride share as a driver with Uber, they'll disable the car. And like you own the car, but you don't own the software that runs the car. And nowadays the car itself is just wheels and metal. But it doesn't drive the car or operate the car. So who really gets to say what is ownership? That is the question. That is the reason why we need to continue to push right to repair because if we don't start asking that question, we won't get to decide. Yeah, because cars are eventually gonna be all software controlled, you know? Right. And that, I mean, we can spend another two hours talking about that. Unfortunately, we have seven minutes. Yeah. Okay. Thank you for that question. 
So I just wanted to suggest that a root cause of a lot of the problems we've been talking about, at least within the US domestic politics, might be that Citizens United saddled all of the political control with organizations that are tied only to shareholder value. And that the fact that people find themselves arguing for the corporations, the fact that the 18 out of the 20 bills have been shot down and the two remaining might be shot down. The fact that we have a shrinking window of time before trillions of dollars are against us is that the sole organizations that are able to throw trillions of dollars behind initiatives are the corporations that are now people. So, yeah. So can I actually respond to that? You can respond to that in 45 seconds. Okay. Go. We have this tool, they gave it to us called democracy and it's under threat. And if we don't stand up and protect it and fix it, we're never gonna have it again. So yes, it's bad, but you know, I hate that we're not defeated yet. We still have elections, we still have people and we need to put it in. Well, I mean, this is for the planet. This is for our families. This is, you know, it's all on the line now. It's time to step up. Yeah, and I mean, yeah. And again, I would note, Secure Repairs is really about mobilizing the information security community. So I will point up to the thing and say, if you text 33772, if you text security to 33777, you can become a Secure Repairs supporter. I had a question along the lobbying for the group. In particular, when we're talking about the cars actually, one of the biggest spectator sports in this country began because of being able to mod your car, NASCAR. And, you know, being able to look outside the box to find other investors, even selling partners that would be willing to team with this that would love to be able to say that, you know, big finger to the giant tech companies or whatever. 
Okay, how much, how much we looked outside the box to find those other corporations that aren't necessarily tech or anything like that, that might have an aid to find out, somehow to have an ROI for them. Studying, you know, again, it's all about the measurements and dollars, whatever you want to call it. I guess that would be, how much have we branched out? Where's the imagination as far as being able to branch out to, and maybe I missed that from earlier. So in case the manufacturers are listening, there might be some sneaky things that are going on behind the scenes that we aren't telling you about and it would be surprising to hear. And you'll just have to guess, CTA lobbyist, what the heck we're doing. But yeah, now we try to be creative and think outside the box all the time. I mean, we know that we have, this is scrappy, this is the team of Davids versus the biggest Goliaths, you know, in the political landscape. And, yeah, we have to be brilliant and we have to be dogmatic and we have to eat dirt. And I understand that the Hill, especially is very hard to deal with growing up around there and also having various acquaintances that are involved with that. And the fact that even if somebody comes in with an idealistic, it's automatically within the first couple of years just gone because they just want to keep getting reelected. And that's part of the whole entire issue is saying democracy and where our interests lie and where they're interested in the people. But, you know, where have you guys been trying to show an investor what the ROI is for allowing people to fix their own stuff? Yeah, I mean, there's a, what we're saying earlier is going to be. Whoa, whoa, whoa, whoa, whoa. You need to answer in 20 seconds. Okay. Okay, it takes, if you want to look at the simple in this in China, Apple is paying Foxconn about $5 to build this thing. You pay somebody here in Vegas to swap the battery in it. It's going to be $50 later. So there's an economic story. 
There's a growth story that we can tell here. Right to repair is a bipartisan issue. We've got conservative Republicans. We've got extremely liberal, progressive, anti-waste Democrats working on this. This is a broad, big tent issue. What it takes is people showing up in the state legislatures. If you look at the 20 states we have bills in, probably there's somebody in this room from every one of those states, right? We need security experts that can show up in Albany, New York and talk to the letter legislators and explain the situation in plain English. Right. They'll get things done. Right. And help mobilize the local security community or write letters to all of them. You'll have your chance to say goodbye. I did. But I didn't have an announcement to make. There is an ethical card signed by the panelists. There's only seven. Limited edition. Can I have one? No. So, who gets one of six? The panelists each get a card. Who wants number one of six? Do I get to raise my hand? Fucking raise your hand. It's a raise condition. Two of six. Tara, three of six. Four of six. Five of six. Now, the panelists did not know. There is actually seven cards. There are seven cards. I have six of six and number one, three, three, seven. One of these cards will go for auction at Hacker Jeopardy tonight to the highest bidder, $1,000. The bidding for the 1,337 card starts at $10,000. Proceeds to go to QueerCon. Drink early, drink often at QueerCon. Now, Paul, you have the floor. Sign off. We should be, yeah. Yeah, it's time. Yeah. So thank you, everybody, for coming out and listening. This has been, I think, a really wonderful conversation. It's a very complex issue. And I think we've actually managed to hit on a lot of the important points. And I thank Ethics Village for giving us this space to do that. 
What I would say is, again, we heard yesterday from Representative Ted Lieu and Representative Langevin that there needs to be more engagement of the information security community with the policy community. And this is something that's really hard for us as a community. I've been writing about cybersecurity for 17 years. And I know it. I know it's as hard for us to do policy and do that type of lobbying and advocacy. But when it comes to repair, this is really our livelihood. Again, we can keep going to the Librarian of Congress and getting exemptions every three years. But that is a very thin thread to hang our industry on. The right to repair is bigger than that. It's much more fundamental than that. And it is absolutely under siege, under assault, from very well-funded, very wealthy, and very savvy corporations who want us to be renters of things rather than owners of things. And so we do need to get engaged. And you need to get engaged actually not at the federal level, but at the local level, at the state level, where these right to repair laws are going to be coming up again in 2020. And so join Secure Repairs, if you don't trust yourself to keep in the loop, we will keep you in the loop and give you opportunities to lend your voice to this. And I thank so much my fellow panelists as well. OK. Yeah.