 All right. For anybody who is in this back corner over here, if you want to hear clear audio, I would suggest you go to this side of the room. We just have a problem with the air wall there. So if you want to hear clear audio, come on over to this side. That being said, welcome to the talk. This is fighting back in the war on general purpose computing. Computer, sorry. And without further ado, Corey Dockrow. Thank you all. Thanks for coming. Thank you. So, you know, two years ago I came to DEF CON and I gave a talk where I predicted that things were going to get really ugly in the Internet of Things. After all, we live in a world made out of computers and not just in that kind of metaphorical sense where like if you download those glossy videos promoting the Internet of Things where like it all looks like it's been set dressed by someone involved in the Tron production and everything's like white and curvilinear and jumpsuit-y and people walk into these houses and they like wave their hands and the lights come on. I had some of the other days say, yeah, I've had those like awesome, you know, computer controlled lights for months now and I went to a hotel and I was like, you mean I have to touch a light switch like an animal? And, you know, and then they like, and then they walk into the kitchen and they wave their hand again and the lights come on and they say like tea, black, hot, Earl Grey, right? And it feels futuristic like tomorrow we will live in a world made of computers. One of the implications that may occur to you as you watch this person walk through their gesture and voice controlled house is that a house that you can gesture and talk to no matter where you are is a house where there's a microphone listening to you and a camera watching you wherever you are. And this is where things start to get ugly with the internet of things. Now we don't have to wait for the tron future to live in a world made out of computers. We already inhabit a world where the most salient fact about many of the things that we put our bodies into and we put inside of our bodies, the most important thing about them is their internal logic. It's the computers that they run on. They are in effect special purpose computers that do things like let you live inside of them or drive around in them or keep your heart rolling. And so when you hear about, for example, subprime car lending which is the newest way to like monetize poor people, right? You give them a car loan and then you turn that car loan, the return on that car loan into a bond and you float that on the street and the way that you securitize that car loan is you fit the ignition system on that car with a network location aware ignition override that makes sure that you're adhering to the lease terms or the loan terms or it disables your ignition system. So if you drive outside the tri-county area, if that's a term of your loan, they can remote shut down your car. And you hear about that and you realize that the most important fact about that car is the computer inside of it. It doesn't have to be one of those jeeps that just got recalled because over the internet you can disable the steering and the brakes. These things are designed to be disabled over the internet and you know, people have broken into those systems and use them to shut down cars in the middle of the highway or immobilize every car ever sold out of a dealership. And it's not just cars that are computers that we put our bodies into, you know, a 747 is a flying Solaris workstation in a fancy aluminum case connected to some tragically badly secured SCADA controllers. And the thing about the internet of things, the thing about a world made out of computers is that it's inheriting the worst fact about the early years of computers, which is the inkjet printer business model where the things are sold in a way that they are intended to act as a platform where the manufacturer controls that platform and gets to monetize it at high margins by controlling who can sell add-ons for it and who can sell consumables for it and who can add features to it. And this is very useful if you're the manufacturer. For example, you can charge a lot of money for like the extra stuff that plugs into it, like whatever you use up in it, like the chargers or the gasoline or the windshield wiper fluid. It's also great if you're the manufacturer because you can make covenants to third parties who might subsidize the purchase. So like if you make smart thermostats, you might be able to get a power company to subsidize buying millions of them for everybody losing a district by being able to warrant that you'll never sell software for it or allow software for it that allows the user of that thermostat to adjust it when the power company turns it down or up. So if the power company says, oh, well, we're running out of headroom in the power infrastructure, we're going to turn down everyone's air conditioning by two degrees, they want to be able to make sure that you don't just walk over to it and turn the air conditioning back to where you had it before. And that's a great way to subsidize the hardware. So everybody wants this inkjet printer business model where you get to control the software, the consumables and every other piece of that ecosystem. And we have given a gift to people who want to design these inkjet printer business models, a legislative gift in this country in the form of a section of the Digital Millennium Copyright Act of 1998 called Section 1201, the anti-circumvention component of the Digital Millennium Copyright Act. And this is a law that says that if you break a lock that is used to secure access to a copyrighted work, that even if accessing that copyrighted work is lawful, breaking the lock is not. And so all you need to do to make sure that nobody can plug stuff in that you don't want plugged in or run software that you don't want run or add consumables that you don't want added to your platform is put the thinnest credible lock that you can imagine around the system. And then the government will spend an unlimited number of tax dollars prosecuting people who remove that lock to add otherwise lawful functionality, right, that you'd be crazy not to take up Uncle Sam on this offer to defend your dumb business model with every tax dollar at their disposal. And the DMCA, you don't even have to like get action against you under the DMCA for the DMCA to work to stop people from getting involved in breaking these inkjet printer business model tools, because it has such incredible horrific penalties that all you need to do is ask yourself, you know, am I willing to go to jail for five years on a first offense and spend $500,000 and fines on my first offense to see whether or not I can unlock some functionality in this in this device. The answer is usually no, you don't even need a lot of prosecutions to get everybody who's capable of doing that unlocking step to kind of say actually there's probably something better somewhere else out there with fewer penalties. My risk calculus says I'd rather not do this. Now the interesting thing about DMCA 1201 is that there's almost no litigation history. We don't really know whether or not the courts would find that $500,000 fines in five years in jail for listening to music the wrong way or watching TV the wrong way or plugging in some, you know, additional functionality or an unauthorized charger to your devices right and proportional. Because the other side gets to decide when to prosecute people for violating 1201. And they generally speaking only go after people who they think they can win against who have really bad facts and don't look like the kind of people you'd want to stand up in front of a judge. So one of the only cases where 1201 has ever been litigated was when 2600 magazine which don't get me wrong 2600 is an amazing magazine. I've written for it. Manny does God's work but 2600 magazine published DCSS for decrypting DVDs. And the film industry said we're going to fight this one all the way to the end because 2600 magazine is in New York where it's the second circuit and judges don't really understand technology not like out in California where they're really clued in on this stuff. And 2600 calls itself the hacker quarterly and we can be reliably assured that the magazine and all of its all of its supporters are going to show up in court wearing black t-shirts that say things that judges don't understand and find vaguely disturbing. These are the people we want to fight in court and we got our butts handed to us in 2600. The court said there's no free speech interest in magazines being allowed to publish math. And they said that this is about whether or not people should be allowed to defend their investments or whether or not anyone who can figure out how to steal their stuff should be able to just because they know how to remove a law. It's a terrible judgment. Now a couple of years later we had a great chance to stand up the right kind of defendant in front of the judge because Ed Felton who was then at Princeton and is now deputy CTO of the White House was led a team or worked with a team that broke SDMI which was this really crazy dumb idea to watermark digital music so that when you converted it to analog and then back to digital again that somehow that watermark would survive even against an adversary who wanted to remove it and that watermark would be detectable by digital to analog converters and they would just say I'm sorry I refuse to convert this analog music back to digital because it has been marked as non-convertible and we won't do it. And the SDMI consortium you know they spent a lot of money hundreds of millions of dollars they spent years on it smartest people going working on it and they offered a big bounty to anyone who could break it on condition that you signed a non-disclosure but of course Ed and his team didn't want a bounty they wanted tenure and publication so they wrote a paper on it and they submitted it to USENIX security symposium and the record industry went bananas and they threatened Ed and USENIX and they said if Ed gives this paper about stats at a technical conference we're going to sue him and the technical conference we were like oh yeah this is the one we want right because we really want a judge to decide whether or not record executives should be in charge of what kind of math Princeton professors can talk about at learning conferences that's the question I want to stand up in front of a judge all day long right and if we get the right answer well then 2600 can publish all the DCSS that they want. So as soon as we stepped up at electronic frontier foundation to represent Ed the record industry dropped the threat and they not only dropped the threat they offered us a covenant saying they would never pursue Ed for SDMI ever just to stop us from going to the judge and asking for what's called a declaratory judgment which is when you say I've got this threat in writing they put it in writing we've got this threat in writing from the record industry against my client my client has the right to know even though they withdrawn the threat he has the right to know how that threat would turn out and because they'd given us a covenant saying we're never going to go after Ed well the judge said you don't have any standing to ask that question because you know the answer the answer is they're never going after Ed so there's almost no litigation history in 1201 which works great if your hope is that 1201 will intimidate people who don't know how a lawsuit might turn out because there's no case law on it and you want to just have them stay the hell away from anything that interferes with your dumb inkjet cartridge business model it's a great situation to be in. Now we do have a little bit more case law and this is actually kind of interesting and it's kind of an interesting example of how the Internet of Things has changed the calculus here. In 2004 there were two companies that sued over the DMCA one was called Lexmark which division of IBM which sued a competitor that was refilling inkjet cartridges and changing the software in them it had a bit that was set that said I have been discharged and that bit was not supposed to be set able back to I am now full again and they were they were resetting that bit to say I am full and I have never been discharged and they were refilling the cartridges and selling them on and there was another one called Skylink that made garage door openers and there was a third party company that was making replacement handsets to open the garage door and in both cases so one was consumables the other one was add-ons they went to the court to the federal circuit who are not known for their technological knows this is the circuit where all the dumb patent cases are heard and and where we get the worst judgments out of but they went to the federal circuit and they said we we think that 1201 protects us from people refilling inkjet cartridges these are copyrighted inkjet cartridges copyright law protects us from refilling these are copyrighted garage door openers and the judge took a good look at both of these and they said you know what I've been looking for your copyrighted work in this and I can only find one and it's the DRM right like the only code running in this thing is the DRM and the DRM is supposed to it's supposed to be against the law to remove DRM that protects that that controls access to a to a copyrighted work but if the copyrighted work that the DRM is protecting you against is the DRM just feels a bit circular you know and so the judge he bounced both of those now things have changed since since 2015 since 2004 here we are in 2015 and every single computerized system has real substantial copyrighted works inside of it because these days you don't build like PLC or FPGA or special purpose based controllers for most of our little things controllers are so cheap now that for sixty cents you can buy a TCP IP stack in an embedded control that you can stick in your light bulb and so why would you why would you build something that was small and lightweight and didn't have a substantial copyrighted work in it when you can get like some lightweight version of Linux already on a chip for pennies and so everything from light bulbs on up now has a copyrighted work inside it and so as soon as you add a lock to it it's against the law to remove that lock because now it's protecting access to a real bona fide copyrighted work beyond the DRM itself and that means that we now have this restriction on jailbreaking HVAC systems and jailbreaking insulin pumps and jailbreak jailbreaking 747s and jailbreaking implanted pacemakers and implanted implanted defibrillators and it just keeps going right we just keep getting more and more things that are protected by digital locks and where it's against the law to remove those locks because someone has used them to protect a business model so those tall willow we office towers that you see going up in the finance districts of the great cities of the world where you look at them you're like how the hell does something that tall and skinny stay up well they use computer controlled dynamic load adjustment to dynamically readjust themselves against seismic and wind stresses from moment to moment right that building is a case mod that bankers hang out in and it's protected under the DMCA you just saw 1.4 million jeeps were recalled because they could be accessed over the internet and and have their steering and brakes disabled a client of EFF Chris Roberts has a claim that there are ways to get into the control systems of of united planes through its in-flight Wi-Fi system and the thing about this is that it's not only crazy for for business purposes and not only is a way for companies to rip you off by charging you a lot of money for consumables or locking you out of features that you might otherwise want to have although there's a lot of that make no mistake it's also deadly for security because we have exactly what methodology for determining whether or not a security system works and that's disclosure and adversarial peer review right it's when your friends tell you about the dumb mistakes you made and your enemies make fun of you for having made them right and that's that methodology if it sounds familiar it's because it's the methodology that we use to go from the dark ages to the enlightenment right before the enlightenment we have one kind of science it was called alchemy alchemist never subjected their findings to adversarial peer review they fell prey to the most frail of human frailties which is our ability to deceive ourselves about what we think we know and so they would conduct experiments and they would go I think it came out the way I thought I predicted it would I'm not going to tell anyone else about it because I've discovered something awesome and this is why every alchemist discovered for himself the hardest way possible the drinking mercury was a bad idea and it wasn't until alchemist started publishing and submitting themselves to adversarial peer review that we found out about the dumb mistakes right we call that moment the enlightenment we call what came out of its science and it's what we use to determine whether anything works it's why our bridges stand up and it's why our security stands up when it does it's because we allow third parties who don't like us to look at what to look at the stuff that we've done and figure out the dumb mistakes that we've made in order to humiliate us in the public sphere that's the only methodology we have for knowing whether security works but under 1201 it's against the law to reveal information that could be used to remove a lock e.g. like where was the key hidden or there is a buffer overrun or there is some other component about this that makes it insecure and would allow an adversary to gain access to it and override the access controls built into the system that the manufacturer was hoping would be intact through its entire duty cycle and what that means is not that vulnerabilities don't exist they do and not that vulnerabilities don't get discovered by hostile parties they do one of the things we saw when the NSA's tailored access operations group manual leaked which is their kind of their manual of like pre-made hacks that field agents can request from their from their IT people to use in the field is that the NSA routinely discovers and weaponizes zero days that they use against other people and that in particular those zero days are longer lived when they're in systems where it's against the law for independent security researchers to disclose those zero days and so they last longer so I'm know it making it illegal to disclose bones doesn't stop those bones from existing it doesn't stop those bones from being discovered and it doesn't stop them from being exploited it just makes it harder for normal people who don't anticipate bones in the systems that they rely on for life and limb from being discovered because after all your phone is more than a supercomputer in your pocket that you use to throw pigs at birds right your phone is a super computer in your pocket that knows who all your friends are and knows what you talk to them about and where you are and where you go and it knows how your banker and you talk to each other and authenticate your conversations and how your lawyer and you talk to each other and authenticate your conversations it may be your off token to your house's front door lock and your car and it has a camera and a microphone in the only way you can know whether those are on or off as if the phone security model is intact otherwise if the camera and microphone could be covertly operated and making it against the law to tell you about loans in that phone to make sure that you don't run software that didn't come from the manufacturers app store is grotesque not just because it rips off independent software vendors and limits innovation it's grotesque because it puts you at risk in every conceivable way from asshole to appetite of vulnerabilities being discovered and festering and being used to exploit you so every three years the copyright office holds these hearings on twelve oh one where they asked are there any ways that twelve oh one is like getting in people's ways and should we grant an exemption until the next hearing and they just concluded one you probably heard a couple of examples from it for example John Deere tractors a farmer put forward a petition to allow him to jailbreak his John his John Deere tractor the story went that he was getting out there to till the field with his John Deere tractor and it wouldn't run and he called tech support and they said yeah it looks like the inflation sensor on one of your tires has gone south we can just we can dispatch a part in a couple of days and he said well the tire is fine can I just go into the firmware and disable that sensor and they said no you can't he said well I really want to be able to tweak that now John Deere doesn't really care whether or not you tweak it but what they do care about is the fact that they do centimeter accurate soil density surveys through the torque sensors in the wheels while you while you till your fields and they sell that information to seed companies like Monsanto but not to the farmer and the only way for the farmer to know about her field soil density is to pay the seed company and Covenant only to use that seed company seed so they went to the copyright office and said we want to jailbreak our Monsanto tractors and Monsanto our our John Deere tractors and John Deere came back and said no no that's not your tractor it's our tractor you've only been licensed the tractor it's a copyrighted work GM you know in case there was like any doubt GM uses this to lock mechanics out of their cars because they want to make sure that only mechanics who sign a contract that says I buy original GM parts that we charge major markups on and not third-party parts that only those people can get diagnostics off the motor and so GM filed a petition whose basic summary was you remember that ad where we said that's not your father's Oldsmobile like we weren't speaking metaphorically right so if you want to read stuff that'll make the hair on the back of your next stand up look up 2015 copyright office 1201 triennial proceedings and read what the security researchers wrote about how this stuff is getting in their way so his guy named Jay Radcliffe is a security researcher at Rapid 7 is also a type 1 diabetic now if you're type 1 diabetic you get an insulin pump instead of relying on human beings who are after all the world shittiest lab tax to like figure out when you need more insulin right you get an insulin pump instead of relying on human beings it means that your insulin dose is titrated very carefully and very tightly through the day and really good lockstep with your blood sugar and you live many more years but Jay Radcliffe has audited the insulin pumps and he won't get one he is prepared to sacrifice years off his life to not get one because he knows what the wireless interface in this thing can get access to and after all insulin can be fatally overdosed on pretty trivially so he won't get out type 1 he reports on this he also said he's audited a bunch of other medical devices and he estimates that 40% of the code and implanted medical devices has never been audited we also heard from security researchers who work on voting machines they say that voting machines are horrifically insecure but because they have a lock that protects access to a copyrighted work they can't tell the people who are procuring them for their local elections about the vulnerabilities in them the most hair-raising thing in it was there's a security researcher we don't know which one so there's a filing from about half a dozen super eminent ivy league big 10 security researchers and in their filing they said one of us not naming any names has been advised by council not to tell you what area she or he works in because merely disclosing that council believes will bring a 1201 action against him or her right so this is this is you know the first rule of 1201 club is you don't talk about 1201 club now internet of things investors are really big on this 1201 stuff they all want these devices to ship with ecosystems lock-in lock-in for add-ons lock-in for consumables and you know in a real market where like that lock-in can be broken this stuff doesn't work right courage put lock-in on its 2.0 coffee pod machines so you can only buy coffee pods from courage and not from third parties because it's a competitive market they lost 25% of their market share in the first year and they did an investor call where the CEO had to eat his hat and say we made a really dumb mistake because like nobody woke up this morning and said gosh I wish there were fewer vendors who could supply software for my cochlear implant or fewer ways that I could read my ebooks or fewer people who would sell me coffee for my coffee pod machine in the absence of one of these things there's no way that you can make this stuff work but in 2015 we now have a system whereby this competition is getting harder and harder to come by and the future looks pretty grim in terms of 1201 and how it interacts with the internet of things right like I'm working on a catalog of design fiction you know ideas about what kind of devices we don't have and should have or might see in the future as a result of 1201 it's called the catalog of missing devices and one of the ideas that our UX futurist types came up with is a product that unlocks your fridge so it can chill third party butter but you know I told you about those subprime cars there's another really interesting example of where the internet of things is headed there's a guy named Hugh Hare who runs the prosthetics lab at the MIT Media Lab and unlike me I'm a words guy he's he's got pictures he's got awesome slides I'm like PowerPoint corrupts I never use pictures but he's got awesome slides of all of the ways the computers have been woven tightly into people's bodies to improve their lives in immeasurable ways hands and feet even neural prostheses that use very powerful magnets to suppress activity in parts of the brain that cause otherwise untreatable depression and so here I saw him do this talk it was amazing and he shows us slides in the last slide is him and he's clinging to the side of a mountain like a gecko and he's all in Gore-Tex is super ripped and you can see that from the knees down he's he's just got stumps and his his stumps are in these great robotic mountain climbing prostheses but he's been standing here like this the whole time and he says oh yeah didn't I mention right like forget one more thing and Steve Jobs oh yeah didn't I mention rolls up his pants like and he's robot from the leg down right and he starts running up and down the stage like a mountain goat leaping into the air it's incredible best demo I've ever seen the first question anyone asked was how much did your legs cost and the names of price you could buy like a terrorist house in Mayfair or a brown stone on the lower east side right the second question anyone asked is who can afford those legs and he says well of course anyone can afford those legs if it's a choice between a 60 year mortgage to get to your house and a 60 year mortgage to have legs everyone's going to pick the legs all day long which I think is probably true but when you can combine subprime immobilizers and legs you get somewhere very ugly right when you miss the payment the legs walk you back to the repo depot to take them back and anyone who pones those legs because it's against the law to tell you about bones in them can make your legs take you anywhere they want so EFF loves litigating stupid tech laws this is one of our secret superpowers that I think a lot of people don't appreciate America has this amazing backdoor to its legislative system soon in other countries without strong constitutional traditions the way that it works is lawmakers make an incredibly stupid law and then you have to wait until there's new law makers and enough of them to make that law go away and you have to bring pressure against them you have to get a majority of those lawmakers to change that law because America has an independent judiciary and a strong constitutional tradition in America if you can just convince enough federal judges sometimes only one that a law violates the Constitution they can make the law go away now this has some downsides because lawmakers can make dumb laws with impunity knowing that it's good red meat for their base and then the judges are going to make them go away before they cause too much harm but on balance it means that we get a legislator of second resort in the courts and that means that when you have ideological blindness in Congress to bad technology ideas if we can get the right defendant in front of a judge we can make the fact that Congress is full of people who don't understand technology irrelevant to the legislative landscape so our best example of this was Bernstein some of you probably know about Bernstein in the early 90s governments had this like weird idea that it's hard to imagine in 2015 that anyone would have this idea that civilians shouldn't have access to crypto it's kind of a crazy idea it's amazing that like anyone could have ever had that really dumb idea back in the early 90s for those of you don't know this idea has come back in 2015 FBI wants to ban civilian access to crypto anyway in the NSA had this idea that civilians shouldn't be able to use crypto so they classed it as ammunition and they made it illegal to traffic in strong crypto and people made lots of arguments in front of Congress about why this was dumb you know John Gilmore one of the FS founders employee number six at Sun and one of the principal authors of GCC and Solaris one of the designers of spark chip he made a computer that was optimized for for brute-forcing DES 50 which was the cipher that the NSA argued was sufficient for civilian use for a quarter million dollars he made a computer that could exhaust as 50 in two hours and he said this is like the entire American banking system can be beat for 250 grand with this you know thing the size of a bar fridge by a guy who looks like a hippie right and that the Congress said yeah that's very nice why don't you leave now right we made arguments about international competitiveness economists joined on nobody cared but then we found Daniel J Bernstein who you may know today is DJ B an eminent cryptographer and who professor or a researcher at UC Berkeley grass in UC Berkeley who was publishing strong ciphers on usenat right remember usenat and we argued that his saw his source code was a form of expressive speech covered by the first amendment that programmers had the first amendment right to publish source and the 9th circuit and the 9th circuit appellate division said you're absolutely right congress is wrong whether or not this should be classes ammunition classing it as a munition violates the first amendment and we can have strong crypto that's how we got crypto that's that's how we got here today we love thank you so we love litigating bad laws with good clients and watching this stuff happen I left EFF about 10 years ago to go be a novelist to make up stories to help you pass the long boring hours between the cradle and the grave and and after about 10 years of that I looked around at this stuff and said like this is dire like as much as I'm interested in making sure that you know I can I can live the cushy glamorous life of a science fiction writer I'm I also don't want my daughter growing up in a world that like makes dystopian science fiction look like my little ponies episode so I came back to EFF to work on a project that we call Apollo 1201 it's a mission to kill all the DRM in the world within a decade and we're going to do it with your help because we know that people in this room people who come to this conference people who work in this field violate 1201 all day long it's impossible to do security research without doing it but it's the love that dare not speak its name right we have a pact effectively with the people who want to defend 1201 and keep it intact and it's that security researchers just don't make a big deal out of the 1201 violating parts in their research so like they research mobile malware and then if the paper starts with I got some apps they don't say you know I took a jailbroken phone and decrypted a bunch of apps and memory they just say I got apps and then I discovered this interesting thing so so long as nobody talks about it too loudly the other side doesn't come back and you know everybody kind of trundles along but meanwhile devices that we rely on every day become reservoirs of long-live digital pathogens that threaten you me and everybody we love so we want to talk to you about this stuff as they said in oceans 11 we're putting together a team we want to know about the work that you're doing we want to know in particular when you're scared about 1201 and we want to figure we want to help you figure out how to structure that research so that it says litigation harden this possible so that if you decide that a critical piece of your research is describing the 1201 elements or someone on the other side decides that they want to make an example of you and put your head on a pike that the way that your research is structured is optimized for making sure that the judgment that comes out of it is a shiny beacon on a hill for everyone else who's thinking about 1201 and not a terrifying icon of how bad it is when you go up against the machine we want to make this structured in such a way that 1201 eventually goes away all together because with 1201 gone DRM goes to nobody wants DRM right and once it's not illegal to eliminate DRM people will eliminate DRM because DRM is only used to protect high margins and as Jeff Bezos said in a moment of alarming candor to the book publishers your margin is my opportunity so every one of those stores that's taking 30% out of the height of app software vendors is ripe to be disrupted by someone who makes another store that takes 20% out of their hides or 10% of their hides or monetizes it differently by having some kind of platform strategy every device that has a high price consumable every John Deere tractor that's selling information back to farmers that they're generating by driving their own tractors around the field every one of those is a market opportunity and every one of those will be taken advantage of and the DRM will disappear as soon as the status of DRM is legally ambiguous or positive for people who break it and it's not hard to break DRM right hiding keys in devices that are owned by your adversary is a bad idea for the same reason that keeping money in a safe that you leave in the bank robbers house is a bad idea right eventually those keys will always be subject to interrogation because remember in DRM crypto you don't have Alice and Bob and Carol you just have Alice and Bob Bob gives Alice a crypto and Cyford message and Bob gives Alice a device that has the key and then Bob crosses his fingers and hope that Alice never figures out where the key is and puts it in another device that does things Bob doesn't like right that is the wishful thinking business model is the abstinence-based education business model of crypto and it doesn't work so here's my pitch to you right if you're a hacker and you're doing security research come and talk to us I'm really easy to find I'm the first Korean Google just type Korean to Google the first result that comes up is my home page it has one email address on it it's the same email address my mom and my wife used to get in touch with me email me and tell me about your 12 oh one stuff and we want to talk to you and figure out how we can help you or if we can help you talk to you about the contours the law and give you good advice it's the thing we've been doing for 25 years now and we're awesome at it but if you're a designer if you're you ask person I think so those people come to events like this to get in touch with me about the catalog of missing devices because we're putting together a design intervention as part of the 12 oh one project to help people start to realize what's missing because of 12 oh one this is an underappreciated fact about 12 oh one is that there are all these devices missing from the field and it's hard to notice what's not there right with the patent fight there's a device everybody loves some patent role has a dumb patent they make that device disappear everybody gets angry but with a with with DMCA 12 oh one the device just never shows up in the field and people don't even notice it's there they kind of assume that maybe it's like physics is the reason that you stick a CD in your computer and the computer wakes up and run some manufacturer supplied software that rip mixes and burns your CD to put on your mobile device but you stick a DVD in and all it lets you do is the same thing you could do with it in 1996 which is watch it and people are like oh I guess there just must be something like technically impossible about doing more stuff with DVDs so we're making this catalog of all the stuff that was stolen from your future right and if you're into this stuff if you're a UX or UI designer for your product designer get in touch with me and talk to me about contributing to the catalog of missing devices we can also offer you tax receipts for the consulting that you do on this stuff for the value of your consulting because we're 501c3 that we've got lots of ways to make this good for firms that want to work on it with us and we'll also make sure that you get credit and you'll be helping out in an important way and then my last plea to all of you is if you're a W3C member if you remember the World Wide Web Consortium or if you work for a company that's a member of the World Wide Web Consortium also get in touch with me because the World Wide Web Consortium last year took the dangerous and awful step of adding DRM to the realm of technologies that they're willing to standardize for the web which means that our web based front ends which are supposed to replace plug-in based or app based front ends for everything from our pacemakers to our thermostats will all have components that are unlawful to report vulnerabilities in and will thus be subject to having those vulnerabilities faster in them and we have a project to reform the way that the W3C deals with this and so if you are involved with the W3C I really want to hear from you. So the DMCA has been festering since 1998 it's an unsightly boil on the American legal system and it's spread all over the world thanks to the US trade representative and as it stops being enforced in America every one of the countries that has adopted their own version of 1201 at the behest of this government will be poised to remove their own 1201 laws because after all if you're in a suicide pact and the other side backs out and says no we won't make these products that are people like then it's natural for you to want to back out too. With your help we are going to squeeze this out and we are going to get it out of the way. So this is it, forever and everywhere in the world. Thank you. Thank you. So goons, I have about 10 minutes for Q&A. So 10 minutes for Q&A, I don't know if we have mics, if we don't I can repeat the questions. I remind you a long rambling statement followed by what do you think of that is a question but not a good one. And I will alternate between people who identify as women or non-binary and men because otherwise the Q&A is always a sausage fest. Yes. Right. So the question is are there still cases where DRM works like for example subsidy consoles where they sell the console below cost and then they use games and money from the games to realize a recruitment on those costs or other models where I take a picture and I send it to you but I want to make sure you don't share it on. How do I do that without DRM? And I think that those are two separate cases and I am going to take a look at them. I am going to take a look at them. I am going to take a look at them. I am going to take a look at them. I am going to take a look at these separate cases and I am going to take them separately. In the second case the Snapchat case that only works. What Snapchat is good for or Wicker or all those other disappearing tools are good for is a system in which you trust the other party but you don't trust their OPSEC. So you say to them like we are going to share a document and we are both going to delete it after we have looked at it but sometimes you forget because human beings are crappy computers. Right. And so that works really well. Auto enforcing OPSEC great. It is totally terrible at stopping people you don't trust from sharing information that you have shared with them and asked them not to share on because if you send me a photo to my device at bare minimum I can just take a picture of it. Right. But also it is my device and you have hidden some keys in it and then you expect that I am not going to find it. Again we are back to wishful thinking. So like would the world be a better place if we could figure out how to turn off gravity as well as someone with chronic back pain? Yes. But are we going to defend things that don't have any nexus with turning off gravity but let people pretend that we do and have all these horrible side effects? No. Now as to like can we protect subsidy hardware by allowing the state to like spend an unlimited number of tax dollars to prosecute people who do otherwise lawful things to that subsidy hardware? I guess the answer is whether or not you think the state should be deciding which business models work. And you know I think that we have lots of hardware that works without subsidy. Like nobody came down off a mountain with two stone tablets that said the only way a console shall ever be monetized is through discount hardware. And you know in the games world it's especially interesting because the games world has got a long history of not being protected by law. So you know back in the days of like floppy and CD based software piracy the games industry were one of the first major constituencies to go to the law bodies and say we're being pirated into the ground. And of course lawmakers hated the games industry. So their response was that's awesome. Right? And so the games industry invented network based play like warcraft which quickly became larger than all of the other games ever invented. So they'll adapt or they'll die right? I mean we have video games before we had subsidy hardware we'll have video games after we had subsidy hardware and if the question is do we get to know about vulnerabilities and consoles in our living rooms with that to have subsidy hardware for you know Mario reboots I'll take the I'll take the like knowing about the the phones and the cameras. Do we have any people who identify as women or non-binary who'd like to ask the next question? Anyone? All right do we have any dudes who'd like to ask a question? Thank you. There's been discussion about applying DRM to allow people to protect their private information when they share with a website or some sort of a service. Can you come in on how what do you think about that? Yeah so what about IRM which is what this was called when Microsoft first launched it information rights management so the ideas I encrypt the data I send it to you you have a client that has the keys to decrypt it the client looks for business rules that come along with the encrypted document like no print and it enforces those rules against you so again this is a great tool inside a firm if you want to make sure that OPSEC just happens automatically right like if the thing is that you and I have agreed that after we've both looked at this document and dispensed with it we're not going to retain it right we have like a seven year document retention window we want to dispose of everything after seven years so that there's ever a lawsuit against us the discovery of you that's a great tool but if the idea is that like I'm a giant company based in either Mountain View or Redmond or Cupertino and you are going to send me a bunch of personally identifying compromising information but you're going to like lock it up with DRM that I will run the client that you trust and I'll make sure that and that software will make sure that I never do do anything untoward with it that seems really like technologically implausible right we're back to like it would be awesome if gravity didn't work sometimes right if you don't trust your adversary and you send them both the keys to decrypt the document and the document and then you ask them nicely not to do bad things with that information it seems really unlikely that that'll work right like we have you know attacks on like DRM encrypted ebooks that are totally non encryption breaking like screen scripting where you just run a screen scripting toolkit that just advances the page once a second screenshots the predictable rectangle it shows up on and runs it through OCR right so you send me a million line spreadsheet it's in a machine readable type face it's just not that hard for me to convert that back to machine readable data with no restrictions and so the fact that it did work doesn't mean that it does work right it needs to be technologically plausible as well as a good idea and the problem is that the way that we defend that today is by saying well you go to jail if you report a vulnerability that would allow you to do that kind of thing it doesn't as we've seen it doesn't stop bad guys whatever your definition of bad guy is whether that state level actors that sit in your own government's capital or state level or identity thieves or voyeurs it doesn't stop them from violating the law it's a bit like the rule against extracting keys to rip DVDs right like if you're already prepared to share a DVD and break the law the fact that extracting keys to rip the DVD also breaks the law is not much of a deterrent you know it's like a law I was going to break this law but then I found out I'd be breaking another law so I stopped breaking the law right it doesn't seem likely that's going to happen I'm all for having things that have personal information and I love ideas like going to insurance underwriters and reinsurers and saying you know you're allowing the companies that you write policies for to treat personal information as though the only cost associated with it is hard drives and really what you should be doing is factoring in the full cost of the eventual breach of that information because we have exactly one gold standard for not having information breaches and that's not collecting and retaining information right and so companies that are getting insurance to write them cheap policies because for some reason insurers are acting like there's no risk to retaining PII that's crazily done and I think that you know like not passing laws that require deep document retention like we have in the EU and like are being proposed in the U.S. that's also a really good way to get away from this stuff right now a lot of firms are bound through compliance to gather and retain proof of age which in practice means credit card numbers for everyone who visits the website to make sure that they're over 18 or they'll be blocked at the national firewall of the U.K. which was in the U.S. and that's just asking for trouble you know David Cameron the prime minister of the United Kingdom a country I've just emigrated from those two U.K. which was instituted in the last parliament and you know given that porn sites are not better than the office of personnel management and protecting themselves from breaches what he's just said is we are going to gather and then release a financial net worth indexed record of the pornography tastes of everyone in the United Kingdom right this is a crazily fantasy we just need to like stop mandating that companies retain PII because we should assume that the breach will always occur are we for time two minutes anyone have a really quick question preferably someone female or non-binary yes go just shout is there a list of companies that are friendly towards 1201 versus not friendly there is a bit of one if you look at the 1201 docket at the copyright office the 1201 is a requirement to stay intact an apple is one of them although they Steve Jobs wrote that letter saying DRM sucks and although one of the jailbreaking exemptions that has been granted at the last couple triennials is a jailbreaking exemption for phones though not tablets because the copyright office says it can't tell the difference between a tablet and a laptop which suggest that they probably say the sky will fall if you're allowed to decide what software runs on your iPhone so there are a bunch of these companies that and you can also see the companies that insisted that DRM should be a work product of the W3C if you look at them those are kind of the big ones there are you know on the other side there are companies that kind of play both sides of the fence you know when Amazon launched the mp3 store and their slogan was DRM don't restrict me right then they launched the then they bought Audible which had which sells digital audio books and they said by the way if you make audio books and sell them through our platform which is responsible for 90% of the audiobook sales in the world and as the sole supplier spoke in word to the iTunes store you must have DRM so a lot of those companies play both sides no stars press people's table over in the champagne room there are books in the champagne room there's no something else in the champagne room but there are books there and I will see you there thank you and support EFF