All right, good morning everyone. How's everyone doing? Oh come on, we can do better than that. How is everyone doing? All right, awesome. So... I'm sorry, what was it? All right, awesome. So welcome to SCALE day 2. How was SCALE day 1 for everyone? I'm on little sleep too, I apologize. All right, I'll stop rambling. So this morning we are honored to have Cory Doctorow keynoting for us. Cory is a science fiction author, as I'm sure many know. He's the author of Homeland and Little Brother, and he is currently working with the EFF. So thank you very much.

Thanks, thank you. It's a pleasure to be here. The last one of these that I went to was called a LUGFest, so it was that long ago, and it was held in a gym at a community center. So it's grown a little since the late 90s. It's good to see all of the nice stuff happening around here. I've just moved to Southern California, so I feel like this is a nice coming-out party for a recovering systems administrator who's living in Southern California.

So the long history of free and open software has been defined in many ways as a fight between proprietary and open methodologies. You know, infamously, bug zero in Ubuntu is that people still use Microsoft products, right? And back in the late 90s, back when it was LUGFest, that was the thing that everyone was concerned about: whether there was free or proprietary software being used in our applications. And there's good reason to worry about whether the methodology is free or open, because things are more robust when they're open, for reasons that are connected to practices in other disciplines.

Before we had science we had a thing that looked a lot like science called alchemy. Alchemy and science have a lot of similarities in their methodologies. An alchemist observes a phenomenon in the natural world and hypothesizes a causal relationship: I think this phenomenon is caused by that. And
formulates an experiment to see if that causal relationship is true, and then runs the experiment. And so far it's just like science. The big difference is that alchemists never tell other alchemists what they think they just discovered, and as a result they are prone to the worst of human failings, the most universal of human failings: our endless capacity for self-deception. Right? And so you run the experiment, you think you know what's emerged from it, and by an amazing coincidence it's what you expected would emerge from it, and you were really bright to have come up with that hypothesis. And that way you discover, in the hardest way possible, that you shouldn't drink mercury. Right? And that's why alchemy stalled out. That's why we had 500 years of alchemy, a period we call the Dark Ages, in which science effectively failed to produce any dividends. And then alchemists did something that really did convert something base into something precious: they began to publish their results and subject them to adversarial peer review, which is when your friends gently point out the mistakes you've made and your enemies tell you what an idiot you were to have made them. And by doing so they subjected their findings to rigor, and that rigor produced advancements, and those advancements produced the Enlightenment, and that today is the way that we do everything of significance.

Right? We have never heard of a proprietary conference center. If you hired a firm of engineers to build this conference center and they said, "All right, we're going to put these reinforced steel joists across this big open space to make sure that the roof doesn't fall in and kill everyone one day, but we're not going to tell you the math we used to calculate whether or not the load stresses will be adequately accounted for in our reinforced steel joists," you shouldn't buy a conference center from those engineers. Right? We don't have proprietary math for rocket ships, or even drones. Right? Even
military secrecy involves open math, open methodologies, because the robustness, the vigor, comes from being able to understand what's going on. And a building today is just a computer that we put our bodies into. Right? If you live in a modern skyscraper, it's got a seismic damper, which is a computer connected to a huge mass, and that mass is shifted by the computer in response to load stresses from seismic force, from wind shear. And if that computer behaves correctly, then the amount of wobble and rock from that building as it's subjected to those forces will be correctly accounted for, and if that computer were very badly malfunctioning, that building would fall over. Right? Bankers work in case mods. And living inside a computer, it really matters whether or not your building is open or proprietary, because it really matters whether or not you can trust that math.

And it's not just our computers and not just our buildings. Our cars are computers that we put our bodies into. You get in a car and it drives you at 100 miles an hour, and you pray that the steering and the brakes and all the other elements that are being run through software are adequately secured. And we not only keep our bodies inside of computers, we increasingly put computers inside of our bodies. If you are someone who has a pacemaker, that pacemaker has a computer in it, and that computer is used not just to calculate how to keep the rhythm of your heart but to receive telemetry from its performance and your heart's performance, and to feed that telemetry back to your doctor so she can fine-tune your care. The Internet of Things has metastasized computers into every corner of our life. We now have computers up our asses. Right?

And like I say, historically the fight over whether our computers are good or bad has been a fight over whether they are open or proprietary, free or proprietary. But there's a different kind. And we fought proprietary over the last couple of decades with what Larry
Lessig calls the four forces. Lawrence Lessig says that there's four forces that act on our society: code, law, norms, markets. And code, law, norms and... I'm sorry, I can't count to four this morning: code, law, norms and markets. So on the one hand, markets. Right? What's the best way to get a web server online? It's Apache, right? It's not IIS. And so by making the best commercial offer... or one of Apache's successors these days, obviously Apache is not the only option anymore, but the way that we got rid of IIS was with Apache. We just made it commercially more attractive to install free code than open code. And so we used markets to solve the open and proprietary problem.

But we also used code. So every now and again we would find something that was already established, that was proprietary, that we couldn't interface with without some kind of work, and we would write code that would interface with it. So we took SMB and we wrote Samba, and so you didn't have to choose whether or not you were going to rip out all of your networking infrastructure and replace it with new networking infrastructure. You could have free and proprietary living alongside each other, and you could gradually infiltrate the proprietary with free by having good free, open code.

We also had norms. Right? Any one of you who has a penguin badge, or who's ever had an argument with someone about whether free or proprietary is the right way to go, you were engaged in that normative fight about whether it was moral or ethical to be free or closed. We have lots of people who contributed to free and open source software and made it better because of their normative views.

And then finally we had laws. Right? There are cities and states and countries that have, to a greater or lesser extent, mandated that source code be available for inspection, or even licensed under a free or open license, before it could be used in public areas, public
applications. And so code, law, norms and markets came together to increase the spread of free and open source software over the years.

But there is a more profound kind of proprietary that is on our horizon, a kind of proprietary that goes beyond whether or not it's licensed open or free, and that's what I really want to talk to you about today. Because the dangers of proprietary are things that I think are real, and that we can fight back against with these four tools, code, law, norms and markets, but this kind of hyper-proprietary code is something that's much harder to fight against and much deadlier, and that's code that has DRM in it.

So in 1998 the American Congress passed the Digital Millennium Copyright Act. This is the DMCA. This is a law that you're all familiar with, because it's the author of all your favorite YouTube videos: "This video has been removed because of a claim under the DMCA." The part of the DMCA that regulates digital rights management, or what Richard Stallman calls digital restrictions management, is Section 1201, and Section 1201 makes it a crime to break digital rights management, to do anything to weaken a digital lock, or to give people information that they could use to break digital locks. And its importance has only increased since 1998.

So in 1998, when the DMCA was enacted, it was a US law, but since then the US Trade Representative has been a kind of patient zero in an epidemic of terrible computer law, and has insisted that all of America's trading partners adopt laws that are much like DMCA 1201. In Europe they enacted the European Union Copyright Directive in 2001, which bound all of the European states to enacting their own version of the DMCA. In Australia it came in through the US-Australia Free Trade Agreement. In New Zealand they got it as part of Bill 92A. Bill 92A has a really dire history. If you want to know just how ugly the sausage-making is, look at Bill 92A, because it was originally passed after being rammed through
parliament. People marched in the streets against it. It was this very expensive copyright bill; it included the so-called three strikes provision, where if you're accused of three acts of piracy your internet service provider would have to remove you from the internet for a year. And people marched in the streets against it, and parliament actually struck down the bill. And then the Christchurch earthquake hit, which was the worst natural disaster in living memory in New Zealand, and parliament had an emergency session to clear a bill to give aid to the people who were under the rubble in Christchurch, and a lobbyist for the entertainment industry got someone from parliament to block the bill's passage until they reintroduced Bill 92A's provisions as a rider. Right? So they said, no one gets dug out of the rubble until we get the DMCA. So it happened in New Zealand. In Canada, where I'm from, we got our version of this, Bill C-11, in 2011, which is incredibly embarrassing, not because we came late to the party but because making dumb mistakes about the internet in 1998 is barely forgivable as a lack of foresight, but if you're still making dumb mistakes about the internet in 2011 you're just not paying attention. Right? That's just felony stupid, and it disqualifies you from holding office as far as I'm concerned.

So this has spread around the world. It's now law in almost every territory where you can buy and use a computer. But it's also spread through our devices. So in 1998 the devices that were covered by the DMCA were pretty limited in scope. You had things like set-top cable and satellite receivers, DVD players, and a few other devices that were emerging into the market, those things that Sony tried to push as successors to the Walkman and spectacularly failed to get people to buy when they were insisting that MP3 would never catch on. Right? That was what the DMCA applied to. And companies tried to apply it to other devices. A company called Lexmark, now a
division of IBM, or was, became a division of IBM, now I think it's independent again; they make printers, I'm sure you know, laser printers. They put a bit of DRM in their toner cartridges, and the printer could check to see whether you'd refilled the toner cartridge, because the DRM would flip a bit once the cartridge ran out, and you would have to break the DRM to unflip that bit, and if you'd flipped the bit it would refuse to run the printer. And a company called Static Control made their own version of the chip that would break the DRM and allow you to unlock your printer cartridge and refill it. There's another company called Skylink that made incredibly insecure garage door openers, that were so insecure that anyone could make an opener for them, and the company charged a lot of money for the little button, and so a company went into business cracking their DRM and making buttons that would let you open your completely inadequate garage door opener, if you wanted to, for less money. Which, you know, a bit of a crappy bargain, but nevertheless it's one that consumers should be free to make. And in both cases they sued over these competitors making these devices, and in both cases the Federal Circuit said, actually, the DMCA doesn't cover printer cartridges or garage door openers, because the DMCA only restricts breaking locks that protect copyrighted works, and the only copyrighted work in your toner cartridge is the DRM. So the DRM is protecting the DRM. That's too circular; that's not what it's there for.

But a funny thing happened on the way to the IoT. Right? We got a light bulb for Christmas that has an app. It doesn't work, of course, but we got a light bulb for Christmas that has an app, and that light bulb has a Wi-Fi access point, a TCP/IP stack and a Linux kernel. Right? That light bulb has a ton of copyrighted works in it. Like, no one is ever going to argue that that light bulb doesn't have a copyrighted work in it. When you put this
thermometer in your ass, you have a copyrighted work up your ass. And what that means is that DRM now has the force of law when it restricts access to systems that are not computers in the kind of laptop-and-phone sense, but are computers in the rectal thermometer, car and seismic damper sense. And this means that the law now applies to virtually everything you use, and soon to effectively everything you use.

Now the reason companies put this in doesn't have anything to do with piracy. DRM has never really been any good at fighting piracy, for foundational cryptographic reasons. Normally in crypto you have Alice and Bob and Carol. Alice and Bob have a secret; they don't want Carol to know it. They assume that Carol can intercept the scrambled message, because they use public networks like the internet, or like satellites, or like radios. They assume that Carol knows what algorithm they use to scramble the message, because you use public ciphers for the same reason scientists use public science: if you're making up your own crypto, you're probably getting it wrong. You know, this is like lesson one in that Coursera Stanford course on crypto: don't roll your own crypto, don't roll your own crypto. Right? If it turned out that, as a result of the Snowden leaks, jihadis made good on their threat to make their own, like, halal crypto, it would be the greatest day the NSA ever had, right, because they would pwn that crypto in a matter of hours. So Alice and Bob use publicly understood crypto, and they send a message over a public framework that Carol can intercept, but Alice and Bob still have a secret. The way Alice and Bob still have a secret is they don't give Carol the key. And because crypto works if you don't have the key, you can scramble a message using trivial computers, like the supercomputer in your pocket; you can scramble a message so thoroughly that if all the hydrogen atoms in the universe were turned into computers, and they did nothing until the end of the
universe but try to brute force the key, we would run out of universe before we ran out of possible keys. Right? And so Alice and Bob know that their message is secure, because Carol never gets the key.

But in DRM there is no Carol. Right? There's just Alice and Bob. Like, Bob is Netflix and Alice is you, and Bob wants to make sure that you don't record your Netflix videos and save them to watch later. So Bob gives you a plug-in for your browser to decrypt the Netflix stream, and that plug-in doesn't have a save button, and Bob assumes that you will never figure out where in that plug-in he hid the key. Right? And if you want to become Alice and figure out where in this property that's now on your premises he hid the key, all you need to do is buy a Netflix subscription. So anyone, any adversary in the world, can become Alice for like ten bucks a month, and that includes bored grad students with the weekend off and their own electron tunneling microscope at a lab. Right? So when Bob hides keys in his adversary's equipment, Bob loses all the time.

But companies still use DRM, and not in order to increase sales. No one has ever bought something because it had DRM. Right? You never bought a Netflix subscription because you're like, "You know what I want? To watch all the movies, and I want to make sure I can't save them." Right? If there were two Netflixes, one of which let you save them, one of which didn't, and the prices were equal, all things being equal you would expect some customers to move from one to the other. Right? So no one bought it. No one looked on the box and saw "Now with DRM" and said, "That's the one I'm buying." So people are either indifferent to the DRM, or they're holding their nose and buying it because of DRM, or they're just refusing to buy because of DRM. No incremental new sales emerge because of DRM. But what you get when you put DRM on a device is you get the right to decide what kind of otherwise legal technology can plug in
to that device, what kind of features can be added to that device. Because even if it's legal to record videos that are coming into your home, and it is, right? From 1976 to 1984 courts around America heard the case of whether or not recording videos was legal; in 1984 the Supreme Court legalized VCRs. Recording a video from your TV to a tape or other media for watching later is legal. Right? So whether or not it's legal to watch a Netflix video later because you saved it to your hard drive is beside the point if the only way you can do that is breaking the DRM. And you can probably figure out how to record your Netflix videos and watch them later. You've heard of VLC, right? You've heard of HandBrake. You know that there are stream rippers, and you know how to use them. But you've never seen an ad on the side of a bus for VLC. No one has ever raised capital for a device to do this and hired some marketing people and set up a booth at a trade show to market this. There's no one at CES who will give you a product that lets you do this. Actually, there was one company at CES that breaks HDCP to downsample it for older devices; it goes from one version of HDCP to another. They're now being sued. Right? So you can't raise capital for this, you can't make a product for this, and as a result, while a few super-nerds will use it, civilians aren't in possession of these things. And so it's an enormously powerful anti-competitive tool. It has nothing to do with anti-piracy and everything to do with anti-competition.

And the way that you can create profit by suppressing competition really breaks down into three categories. The first is that you can restrict features. So think about DVDs and CDs. DVDs and CDs are functionally equivalent these days; we make them in the same presses, we read them with the same lasers in the same optical drives. But they have a really huge difference, which is that DVDs have DRM. DRM that's been broken since a Norwegian teenager spent an afternoon looking at it hard in the mid-1990s, but
DRM that nevertheless still has the force of law. And as a result there are no DVD ripping products. So if you have a CD and you put it in the optical drive that came with your computer, the software that came with your computer automatically launches and says, "I see that you are using media from the last century. Would you like to rip it, mix it and burn it so that you can use it in this century too?" Right? Done in one. Right? If you put a DVD into your computer, it says, "Would you like to watch this?" Watching a DVD is the only feature a DVD had in 1996. Watching a DVD is still the only feature that a DVD has in 2016. 20 years, and not one feature added to a technology. We are back in the Dark Ages when you add DRM to a technology. And what that gets firms is new sales. Right? Because no one's ever bought media because it had DRM on it, but if you want to listen to a song on your phone, you put the CD in your computer and it moves it to your phone. If you want to watch a movie you own on a DVD on your phone, you buy it again from the Apple store, the Amazon store, one of the many other stores. And so that generates new sales by taking value that is, under law, yours and transferring it back to the manufacturer and the industry.

The next way that you can raise profits by controlling devices is with parts. So all the major auto manufacturers these days have started to put DRM on the CAN bus. This is the bus that connects all the electronics in a car. Cars are computers you put your body into. And that DRM is, again, not hard to break; the people in the tuner community routinely break it so they can change the characteristics of their engines. But it's illegal to break, and so if you're a mechanic and you want to run a business that has an address where you can get sued at, and you want to fix cars, the only way you can get diagnostic material out of an engine is to go to the manufacturer and get their manufacturer-supplied diagnostic tool that
has the keys to read the information coming off the engine. And as a condition of buying that, you have to sign a covenant that says, "I'm only buying parts from GM." Right? So GM can charge arbitrary sums for those parts, and no one can compete with them, because a mechanic that uses third-party parts that they get off Alibaba and a manual that they get from iFixit can't read the data from the engine to figure out which parts they need to use to fix the engine, register the new parts on the network, and so on. And so that's the second way they make money.

And then the third way to make money with being able to control features, being able to control the software and interoperability, is by being able to make promises. So if you are making a phone like the iPhone, and you're counting on carriers to account for the bulk of your sales, so you sell to the carriers, the carriers give the phone away to their customers with a long contract that pays for it over and over again, you need to be able to make promises to those carriers to maximize your sales to them. So the carriers want to make sure that if you're tethering a device to another device, if you're sharing a network connection from a mobile network to a non-mobile device, that they can detect that, so that if they want to they can charge extra money for it, so they can sell you a tethering plan that's different from a non-tethering plan. And so when you add an app store ecosystem that's locked to the device, where it's a felony to create a new app and install it on the device without permission from the manufacturer, you can say to the phone company, "If you sell iPhones to your customers, if you give iPhones to your customers, we can promise you that there will never be an app that does undetectable tethering." And then the intermediate customer gets this. And it's not just Apple. You know, if you have a Nest thermostat, the primary market for Nest thermostats isn't users who put them in their houses, it's power companies
who buy them to put them in users' houses. And they want to be able to turn down your thermostat by one degree, or turn it up by one degree, to change the load across the whole grid, which is a good idea; it's how we're going to keep from having to use more coal plants. And the way that they make that promise stick is by saying, "We can install software in this thermostat that the user can override, and we will promise you that the user will never get a package that lets them reverse that."

So that's bad. Right? It ends up costing you and me and everyone we love more money, and keeps us from having features that we desire in our devices. But that's not the reason that I hate and fear DRM. It's not the reason I've gone back to the Electronic Frontier Foundation after a 10-year hiatus to work on a project to kill all the DRM in the world. It's because in order to protect digital locks you have to ban the disclosure of vulnerabilities in digital locks. Because if I know about a mistake that the programmer made, I can use that mistake to leverage a jailbreak attack on the device, to figure out how to flash my own firmware into it that adds the feature that lets me use the third-party parts, that lets me extract more value from something I own and use it in another market. Companies aren't adding DRM because they're hostile to security, but they're using DRM because they're indifferent to it. Security is a process and not a product. The only way to know whether your security works, our only experimental methodology for determining whether it works, is to expose it to as much scrutiny as possible. It may not be true that with enough eyes all bugs are shallow. I mean, we saw with OpenSSL and its showstopper bugs that even a very large number of eyes, if they're passing over the code in a very cursory way, cannot render bugs shallow. But no one has ever argued that with few enough eyeballs the bugs are shallow. Right? A necessary but insufficient prerequisite for
finding out whether a device has a problem is the right to inspect it and publish your findings. And when we felonize reporting vulnerabilities in devices, those devices become reservoirs of long-lived digital pathogens that have the potential to screw you in every single way, literally from asshole to appetite. So we should not be drinking mercury to protect the app store business model.

And it's not just that DRM bans disclosure, but the natural workings of DRM make bugs, when they appear, harder to redress. Because DRM is not software that you or I want. Right? As I said, no one ever woke up and said, "I wish there was a way I could do less with my devices. Who's got a product for that?" If you had an icon on your desktop, when you booted up the manufacturer's default operating system, that said HAL9000.exe, and every time you tried to do something the DRM didn't like it came to the fore and said, "I can't let you do that, Dave," you would drag that icon into the trash. Right? And so in order to make DRM work, the files associated with it and the processes that it spawns have to be obfuscated from the user, and the most common way to do this is what amounts to a rootkit, where you have not ring zero, that has the most authority over the device, but ring minus one, a space that users, even with administrative privileges, are not supposed to be able to see or interact with. And when ring minus one has a vulnerability, and your attacker penetrates that and attacks you in ring minus one, when your attacker is running malware that the process manager will not report or let you end, when those files are in spaces that you're not allowed to inspect or delete files from, then that is malware that you will never extract from that device, and that will be able to operate with impunity.

This is a deadly cocktail. Right? On the one hand we have a legal way to suppress competition that incidentally makes these devices into reservoirs of vulnerabilities; at the same time, devices that are
covered by the statute are spreading in every conceivable way and becoming more intimately connected to our device. Information security has always mattered, but it matters much more in the Internet of Things. A failure in information security is what turned a million Volkswagens into killing machines that are anticipated to be responsible for scores of deaths this year, because of the toxic amounts of NOx that they were emitting from their tailpipes. And now it looks like they weren't alone; it looks like GM's Opel cars may have been implicated, as well as other cars from other manufacturers. The obfuscation of what that software was doing is what's responsible for that terrible outcome.

Now last summer, as it does every three years, the US Copyright Office held hearings on this law, Section 1201 of the DMCA, the law that makes it a crime to break digital locks, to find out what it was doing in the world and whether or not it should grant some limited exemptions from it. And they heard some hair-raising stories. So they heard from people who are involved in automotive security. You may remember that last July, in a remarkable piece of great timing, some researchers who were planning to present at DEF CON demonstrated to Andy Greenberg of Wired that they could, over the internet, seize control of GM Jeep Cherokees: take over the steering, the brakes, the ignition, the acceleration, as well as the entertainment systems, the wipers, the locks and so on. They, as a demo, drove him off the highway at speed. Chrysler had to recall 1.4 million cars. Now the researchers who came forward with that risked felony prosecution for disclosing vulnerabilities in car firmware, and what we heard at the US Copyright Office is that it wasn't that Chrysler had the only vulnerable car; it was that Chrysler had the only car whose vulnerability someone was willing to talk about in public. And plenty of security researchers weighed in to say that there were other vulnerabilities that they knew about that their general counsel
have told them never to disclose I fix it I mentioned them before they're in there in San Luis Obispo they're a company that reverse engineers technology makes third-party manuals that allow service technicians to repair and improve devices service repair and improvement account for three to four percent of the American GDP it's all done by small and medium-sized enterprises that are intrinsically local you don't send your phone to India or China to get it fixed it's the guy in the corner the woman on the corner has got a little business that fixes it he had an amazing filing because he had been contacted by a farmer who said I have a John Deere tractor and one day my tractor wouldn't start because it had a sensor on the wheel that thought I had a flat but I didn't have a flat and I called up John Deere and I said can you please give me the route password on my tractor so that I can disable the sensor and you know make hay while the sun shines and John Deere said no I'm sure you're not allowed to have root on your tractor we'll send you apart and so Kyle and this farmer began to look into it they filed at the at the copyright office for an exemption and we began to learn what John Deere does why they lock up the tractors so those wheels have torque sensors on them and those torque sensors produce centimeter accurate soil surveys that data is not copyrightable facts aren't copyrightable but it is locked up behind the DRM that restricts access to the tractors operating system which is copyrightable and is copyrighted and is covered under the DMCA and if you the farmer want to plant your field broadcast your seed in accord with your soil density tuned for maximum yields you can't get that data except as a bundle with seeds and those seeds are sold from one partner that John Deere licenses the data to only one guess as to what that partner is anyone want to guess but that's just a mustache for all there's a full-on fingertips coming because John Deere has insights into 
crop yields across whole regions and they're starting to play the futures market with this data Jay Radcliffe is a researcher at Rapid7 who's also a type 1 diabetic and as you know type 1 diabetics have historically drawn assays of their own blood measured it taken a bolus of insulin from a vial and and stuck themselves with it to maintain their insulin levels and human beings are really shitty lab techs right like asking people to do things were perfectly repetitively over and over again especially when their blood sugar is too high or too low is not a winning proposition and that's why today we have insulin pumps connected to continuous glucose monitors that take the human being out of the equation and use robots as lab techs robots are awesome lab techs and they of course have wireless interfaces because your doctor wants to get the telemetry off of them and those wireless interfaces are DRM locked and the reason that they're DRM locked is that the companies that make them want to sell your doctor's software as a service they don't want them to be able to buy an app that they only have to pay for once they want to keep them paying for it every month on a subscription basis and as a result it's against the law to inspect insulin pumps now if you can get an insulin pump to dump its full load of insulin in one go you will kill the wearer of that insulin pump in their boots where they stand almost instantly a diabetic coma followed by quick death Jay Radcliffe has voluntarily decided to take years off his own life by not using continuous glucose monitor and insulin pump and instead being a human lab tech because he's inspected his insulin pump and other medical devices he estimates 40% of medical device code has never been independently audited and he has found in it stuff that he can't describe because his counsel tells him that it would run risk of the DMCA but which scares the hell out of him to the point where he won't put one of these devices on his own body 
And of course we had a team that weighed in about voting machines, where they had discovered flaws in voting machines that they couldn't discuss, that they believe have materially affected at least one election. So when you have devices that have festering vulnerabilities in them, those devices become more exploitable over the longer period, and there are lots of entities that like to exploit vulnerabilities. Obviously there's criminals. You've probably heard the horrific stories about ratters, who are kind of voyeurs, who deploy these remote access trojans onto people's computers using drive-by malware attacks, and then they spy on them through their cameras and microphones, capture incidental nudity of them as well as harvesting their social media passwords, and then blackmail them into performing live sex acts on their webcams on threat of disclosure of this information. So a young woman in Canada committed suicide a couple of years ago because she was being targeted by a ratter. The former Miss Universe, or Miss Teen USA, Cassidy Wolf was targeted by a ratter; she went to the FBI. Her ratter had at least 140 victims, including minor children, around the world. Another roundup of ratters found ratters with as many as 400 victims around the world. So those people like to exploit vulnerabilities. But there's another entity that likes to exploit vulnerabilities, right? Spy agencies, right? And whether your adversary, your threat model, is that you're like Nortel, who had all of their trade secrets exfiltrated by Chinese industrial spies and were put out of business, or whether your threat model is having the NSA spy on you, both of them are actively exploiting these bugs to attack us. And we don't have a good-guy OS or a bad-guy OS: if there's a vulnerability that allows our spies to attack their adversaries, it allows their adversary spies to attack us. Now, the NSA has a unit called the Tailored Access Operations unit. They're like the SkyMall of the NSA: they make all the gadgets and exploits, and
so if you're an NSA agent, you have a target, you know that target has an iPhone, you go to your Tailored Access Operations catalog and you look up known exploits and weaponized exploits for iPhones, and then you order one. They transfer money from your department's budget to their budget if there's like a material cost, like it's on a USB stick or something, and then you can deploy it in the field. And their argument for not disclosing the vulnerabilities that they're weaponizing to the manufacturers is that they have really good researchers, and the vulnerabilities their researchers discover, no one else will discover. There's a name for this: it's called NOBUS, "no one but us." And you know, you laugh, and it is laughable, but it's not like a priori that we know this doesn't work; we have proof it doesn't work. Because two years ago at the Chaos Communication Congress in Hamburg, Jacob Appelbaum presented the Tailored Access Operations catalog, which he had released with Laura Poitras in a German investigative magazine, and when he was done presenting it he had his "one more thing" moment. His one more thing was that there was an exploit in the Tailored Access Operations manual for iPhones that had been presented by researchers the day before on the same stage, that they had independently discovered; that the NSA had discovered, weaponized and kept secret, and made Americans, that they were charged with protecting, vulnerable to; and that that vulnerability had been detected and an exploit had been readied by independent parties. And so either it's NOBUS plus that one researcher that one time at CCC, which seems unlikely, or it's NOBUS plus Chinese spies, griefers, hackers, identity thieves, lawyers, ratters and anyone else who wants to exploit you. Because your phone is not a supercomputer that you keep in your pocket to throw birds at pigs with; your phone is a supercomputer in your pocket that knows who all your friends are and how to access your bank account and what
your lawyer has told you under confidentiality shield. And also it's on when you're in the toilet, and it's on when your kids are in the bath, and it's on when you're in the bedroom, and the only way to know whether that camera is running is whether the operating system is being faithful to you. So when we make our devices into long-lived reservoirs of vulnerabilities, we risk all kinds of exploitation, and this is why I went back to EFF: because I'm worried about this stuff. I'm worried about how this ties into crime and surveillance, and the future of this stuff looks pretty grim.

So you may have heard about the subprime auto lending industry. There was a big piece in the New York Times about it last year. There are millions of subprime cars on the road in the United States of America. These are cars where people don't qualify for a normal car loan; they're given a loan that has conditions on it. One of those conditions is that the car is outfitted with an ignition override that's networked and location-aware, and the conditions also may restrict where they can drive the cars. And the New York Times story talked about the security problems with these things. So one of the things that's happened is that all of the cars ever sold by some dealerships have been immobilized by hackers, because, like, no language on earth contains the phrase "as secure as the computers at a car dealership," right? But also the intentional consequences of these things, because they talked about a woman who took her kids for a drive in the countryside, and they parked up at the woods and they walked around. What she didn't know is she crossed the county line, and her terms prohibited crossing the county line, and her car wouldn't start, and she was out of cellular range, and there was no one else around, and it was dark, and they had to walk out to the highway and hitchhike home to get their car back. So that's where we're already at in terms of devices that are designed to control their users remotely and the
risks that are associated with them. But where this lands in the future is really scary. During the Euromaidan uprising in Ukraine, people who were in the demonstrations in the big square in Kiev went home, and their phones buzzed with an SMS, and the SMS said, "Dear citizen, you are registered as a participant in an illegal demonstration. Don't do it again." And the reason that their phones were able to do that is that your phone is designed to resist your modification and to resist your commands, to the extent that it will always send its globally unique identifier correctly to the cell tower (it's basically its MAC address; it's called its IMSI), so that you can be correctly billed, right? There's an adversarial model between you and your phone: if you could change the IMSI, you could bill your calls to third parties, and so your phone is designed, hardened, against you changing it. And there are these devices that are fake cell towers. They're called cell tower simulators, or stingrays, and what they do is they wake up and they beacon and they say, "Are you a wireless station that's looking for a cell phone tower?" And all of the phones wake up and say, "Why yes I am, and here's my IMSI," and then the tower just goes dark. And then if you are the government of Ukraine, you can go to the state phone company and get the phone numbers of all of those phones and where those people live, and you can send SMSes to them. So that's fact two. So we have subprime cars, we have stingrays, and then the third thing: there's a guy named Hugh Herr who runs the prosthetics lab at MIT, and he's got much better graphics than me. I mean, this is it, right? I do rectal thermometers, right? But Hugh Herr will sit there and for 45 minutes blow your mind with amazing still and moving images of ways that he and his lab have connected human bodies to computers in ways that profoundly revolutionized people's lives: artificial arms, legs, feet, hands, fingers, things that help people see, even neural prostheses, deep magnetic brain
stimulation for people with otherwise untreatable depression. But his best thing, his showstopper, is at the end of the talk he steps out from behind the podium and he clicks to his last slide, and it's a slide of him climbing a mountain, all in Gore-Tex, super ripped, and he's got full bilateral amputations on both knees and he's got mountain-climbing robot legs. But he's standing here like this, and he said, "Oh yes, didn't I mention?" and he rolls his pants legs up, and he's robot from the knee down, and he starts running up and down the stage and doing mountain goat jumps, right? An incredible demo. So I put my hand up and I said, "How much did your legs cost?" And like, the price he named, you could buy a fully detached home in Bernal Heights, right, or lorry side. And then the second question was, "Well, who can afford your legs?" And he said, "Why, everyone, because if it's a choice between a 60-year mortgage on a house and a 60-year mortgage on your legs, you'll take the legs any time." So that's the third fact. What do you get when you combine Euromaidan and Hugh Herr's legs and subprime? You get things like: your legs will walk you to the repo depot when you miss a payment on them, right? You get things like: you come home from your demonstration in the central square and you have a text that says, "Dear citizen, you are registered as a participant in an illegal demonstration, and that's why we turned off your Nest thermostat. Enjoy February in Kiev." Right? What it means when our world is made of computers and our computers are designed to take orders from other people is that everything that is unfair about the power imbalances in our world becomes much harder to address.

So, as you may have gathered, I'm a science fiction writer. This is why I talk about things like the future of Euromaidan and self-driving legs and so on. And as a science fiction writer, people often ask me if I'm optimistic or pessimistic about the future, and as a science fiction writer I'm keenly aware that I have no business making
predictions about the future, because science fiction writers are Texas marksmen: they fire a shotgun into the side of a barn, draw a circle around the place where the pellets hit, and declare themselves to be world-class marksmen. Because although science fiction has had some predictions come true, they are an infinitesimal fraction of all the predictions that science fiction made; it would be far more surprising if none of their predictions had come true than that a small number have come true. And being optimistic or pessimistic is about making a prediction, and in some ways it's an inconsequential view, whether you're optimistic or pessimistic. Like, if I were optimistic, if I thought we could beat all this stuff back and turn computers into a force for good, the thing that excited me and you about computers when we started getting involved with them, the potential for a world in which computers are our servants, they allow us to connect with one another and to do work together in ways that our ancestors could hardly dream of, you should get up every single morning and do everything you could to make that future come true and to make sure this future didn't. And say you were pessimistic about the future, and you believed that it was vanishingly unlikely that that was ever going to happen: you should do exactly the same thing, right? Because if there's any chance that we can make a difference, then we have to take that chance, and that's called hope. Hope is why, when your ship sinks in the middle of the ocean, you tread water: not because you're likely to be picked up, but because treading water is a necessary but insufficient precondition for being rescued. Everyone who has ever been rescued kept treading water. And so I'm here to ask you today to do something to help make computers safe for human coexistence. We founded this project at EFF, the Apollo 1201 project, a project to eradicate all DRM laws everywhere in the world within a decade, and it's based on that Larry Lessig framework: code, law, norms and
markets. So we are interested in people who are making products or doing research that violate section 1201 of the DMCA. We want to talk to you about how to litigation-harden your work, so that if you ever get sued we can use your case to overturn section 1201 of the DMCA. Thankfully, because section 1201 of the DMCA is now covering every device we have, the likelihood that someone with a good set of facts is going to get sued has gone up. It used to be the record industry was really careful about who they sued: when Ed Felten, who's now deputy CTO of the White House, broke the record industry's DRM, they declined to sue him, but when 2600 magazine published the code for breaking DVDs, the studios went after them like crazy, because judges don't like telling Princeton mathematicians what they can publish, but the hacker quarterly is fair game. However, we have a target-rich environment now, right? John Deere doesn't care whether section 1201 of the DMCA is intact if they can't use it to play the futures market, and so when someone is cracking a John Deere tractor, I think it's pretty likely that we'll get a threat from them. So that's law. And the legal theories are manifold about why DRM is against the law, but one of the most important ones ties back to the very first days of EFF and the early days of the crypto wars in the early 90s. You'll remember that it was illegal to make your own crypto that was stronger than the NSA could break; it was classed as a munition. EFF represented a mathematician named Daniel J.
Bernstein at UC Berkeley, who had been publishing on Usenet source code for strong crypto, and the Ninth Circuit held at the appellate division that source code was a form of expressive speech protected by the First Amendment, and that laws that prohibited publication of source code were unconstitutional. And so that is one of the ways that we plan on attacking this, and so this means, particularly if you're engaged in free and open source software that circumvents, we want to talk to you about what you're doing, and we want to talk to you about how to do it so that you have the best chance of winning and making a good case.

We're doing it with markets, because when you think about all of those devices that have digital locks on them, the only reason they're there is to protect a high margin for the manufacturer, and as Jeff Bezos once admitted in a moment of enormous candor to the publishers, "Your margin is my opportunity." And so once the legal status of section 1201 of the DMCA is uncertain, once it may be that if we win our case your business that breaks digital locks will also be legal, then it makes sense for you to start a business attacking one of those margins: making cheaper refills, cheaper parts, service equipment and all the rest of it. And so we're anticipating a 10-year period while our case works its way up to the Supreme Court, during which time we are hoping entrepreneurs will seize that market opportunity, not because they care about free and open source software, not because they care about alchemy or science, not because they care about security, but because they want to make themselves wealthy.

And then norms. I'm going around talking to people about those people who understand the more nuanced question, and I want you to talk about that stuff too, because although most of the people you know are indifferent to these issues, indifferent to privacy, indifferent to questions of free and open source software, indifferent to computer security, we have reached peak indifference,
right? Every week, every month from now on, there will be disasters involving the Internet of Things, involving information security, involving titanic databases like the Office of Personnel Management, and every week from now on, because frankly we failed to do our jobs during the last 20 years and fix this thing before it was a problem, every week from now on the people that you know and love are going to show up at your door and say, "What the hell do we do? How did this happen? How did my life end up in this terrible situation, where I'm getting blackmailed, where my fingerprints are now owned by Chinese spies, where my business is shut down because its trade secrets have been exfiltrated, where my children are being spied on in their homes?" There was an attack last week in San Francisco where a griefer took control of a baby monitor in the middle of the night and started whispering scary things to a three-year-old. Your friends will show up at your door every week from now on and ask how we got here, and that's the story I want you to tell them, because we're at peak indifference.

So there's one last thing that I'm going to ask you to do. So there are very few of us, even those of us who come to free and open source software events, who can claim to be pure. You probably every month give money to companies whose mission is to destroy the internet and everything we love about it, right? You have a cable account with Comcast, you have a crystal palace device, a crystal prison device, from Apple, you are buying a device from a company that bundles their machines with spyware and intermediate certificates, you are doing one of many things. Now, if you can figure out a way to get around those, if you want to source your computers from companies that have a more ethical basis, if you want to find an ISP like Monkeybrains in San Francisco, who do everything they can to fight for net neutrality, if you can do any of those things, by all means do, but I think you will still find
that at the end of the day you are not pure, right? Every vegetarian eventually meets a vegan, right? Every vegan eventually meets a fruitarian, right? So instead of asking you to be pure or feel guilty about it, I'm going to ask you to tithe, to hedge: to add up the money you spend every month contributing directly to the destruction of the future that we all want to live in and want to bequeath to our children, and decide what percentage of that you are going to give to organizations that fight for your freedom. Now, I'm obviously partisan, I work for one of them, you know, and these folks have been around for a quarter of a century and have done some pretty amazing things in that time; I've never seen a non-profit operate better. The amazing thing that's happened since I was coming to SoCal LUG in the 90s is that it's not just EFF and the Free Software Foundation, who also deserve your support, anymore. There are dozens of organizations that operate in every conceivable way: there are organizations that help librarians and schools, there are organizations that recycle hardware like FreeCycle in Portland, or Free Geek rather, in Portland; there are so many organizations that approach this from so many different angles: Public Knowledge, Fight for the Future, Demand Progress, which Aaron Swartz helped found. How much are you going to give out of your budget for destroying the future to save the future? And then I want you to write that check every month, or commit to a regular donation. The other thing I'm going to ask you to do is, if you are involved with a university, if you're a professor or if you're a student, get in touch with me, because we have a new EFF campus network, and we've hired someone full-time to work on it who's an amazing campus organizer, and we want students, especially computer science students but also students who are working in interdisciplinary fields that touch on this, to get involved as well. There's an EFF booth out on the trade floor here, and I hope you can drop by and
talk to my colleagues there. They can tell you more about all of these things. And thank you very much for your kind attention. Have we got time? All right, thank you everyone. So we have some sessions that are kicking off right away, so Cory said he will be available out in the hallway. Just a quick little show of our appreciation. All right, thanks for coming everyone.