

Podcast – Cory Doctorow's craphound.com
Cory Doctorow

Aug 25, 2016
Talking about the pro-security, anti-DRM business model on the O’Reilly Radar Podcast
On this just-released episode of the O’Reilly Radar podcast (MP3), I talk about EFF’s lawsuit against the US government to invalidate Section 1201 of the DMCA, which will make it legal to break DRM in order to fix security vulnerabilities in the Internet of Things devices that, today, are almost invariably insecure, and are also designed to be as privacy-invading as possible (to create “monetizable” data-streams) — a brutal combo.
Auditing IoT products is a liability for security researchers
Think about the conditions under which IoT companies operate. Their business plan—the thing they show to VCs to get the money to go into the business—is to monetize data. They’re all designed with security as an afterthought. They’re all designed with the minimum viable security to make this product not immediately burst into flames after you put it inside your body or put your body inside of it. Even worse, security researchers face total, brutal liability for investigating these devices and telling people which ones are and aren’t safe. It is completely nightmarish.
New pro-security business models
Note: The Electronic Frontier Foundation is representing Bunnie Huang and Matthew Green in a case challenging the constitutionality of Section 1201 of the DMCA.
One of the things that our DMCA lawsuit would provide for is a pro-security business model. Imagine if you could start a commercial consultancy that would come in and deworm your IoT household. It could come in and jailbreak all the devices and check their firmware loads, and replace the firmware loads with open firmware or patched firmware, or something else that sits in between. All of those things, all that commercial stuff as well, is currently off-limits, and would be available in the same way that you can enable third-party parts and services if there are no legal impediments. The hardware service and support market in the U.S. for all classes of goods, from lawnmowers to cars to air conditioners to computers, is 2 to 4% of America’s GDP. It’s a gigantic multi-billion-dollar sector, and in many cases, these are small and medium-size enterprises.

Aug 20, 2016
Podcast: Live from HOPE on Radio Statler
While I was in NYC to keynote the 11th Hackers on Planet Earth convention, I sat down with the Radio Statler folks and explained what I was going to talk about, as well as bantering with the hosts about the relative merits of DEFCON and HOPE and the secret to managing cons and marriages (MP3).

Aug 17, 2016
Podcast: How we’ll kill all the DRM in the world, forever
I’m keynoting the O’Reilly Security Conference in New York in Oct/Nov, so I stopped by the O’Reilly Security Podcast (MP3) to explain EFF’s Apollo 1201 project, which aims to kill all the DRM in the world within a decade.
A couple things changed in the last decade. The first is that the kinds of technologies that have access controls for copyrighted works have gone from these narrow slices (consoles and DVD players) to everything (the car in your driveway). If it has an operating system or a networking stack, it has a copyrighted work in it. Software is copyrightable, and everything has software. Therefore, manufacturers can invoke the DMCA to defend anything they’ve stuck a thin scrim of DRM around, and that defense includes the ability to prevent people from making parts. All they need to do is add a little integrity check, like the ones that have been in printers for forever, that asks, “Is this part an original manufacturer’s part, or is it a third-party part?” Original manufacturer’s parts get used; third-party parts get refused. Because that check restricts access to a copyrighted work, bypassing it is potentially a felony. Car manufacturers use it to lock you into buying original parts.
This is a live issue in a lot of domains. It’s in insulin pumps, it’s in voting machines, it’s in tractors. John Deere locks up the farm data that you generate when you drive your tractor around. If you want to use that data to find out about your soil density and automate your seed broadcasting, you have to buy that data back from John Deere in a bundle with seed from big agribusiness consortia like Monsanto, who license the data from Deere. This metastatic growth is another big change. It’s become really urgent to act now because, in addition to this consumer rights dimension, your ability to add things to your device, take it for independent service, add features, and reconfigure it are all subject to approval from manufacturers.
All of this has become a no-go zone for security researchers. In the last summer, the Copyright Office entertained petitions for people who have been impacted by Section 1201 of the DMCA. Several security researchers filed a brief saying they had discovered grave defects in products as varied as voting machines, insulin pumps and cars, and they were told by their counsel that they couldn’t disclose because, in so doing, they would reveal information that might help someone bypass DRM, and thus would face felony prosecution and civil lawsuits.
Cory Doctorow on legally disabling DRM (for good)
[Courtney Nash/O’Reilly]

Jul 12, 2016
My interview on Utah Public Radio’s “Access Utah”
Science fiction novelist, blogger and technology activist Cory Doctorow joins us for Tuesday’s AU. In a recent column, Doctorow says that “all the data collected in giant databases today will breach someday, and when it does, it will ruin peoples’ lives. They will have their houses stolen from under them by identity thieves who forge their deeds (this is already happening); they will end up with criminal records because identity thieves will use their personal information to commit crimes (this is already happening); … they will have their devices compromised using passwords and personal data that leaked from old accounts, and the hackers will spy on them through their baby monitors, cars, set-top boxes, and medical implants (this is already happening)…” We’ll talk with Cory Doctorow about technology, privacy, and intellectual property.
Cory Doctorow is the co-editor of popular weblog Boing Boing and a contributor to The Guardian, Publishers Weekly, Wired, and many other newspapers, magazines and websites. He is a special consultant to the Electronic Frontier Foundation, a non-profit civil liberties group that defends freedom in technology law, policy, standards and treaties. Doctorow is also an award-winning author of numerous novels, including “Little Brother,” “Homeland,” and “In Real Life.”
MP3

Jun 20, 2016
Video: Guarding the Decentralized Web from its founders’ human frailty
Earlier this month, I gave the afternoon keynote at the Internet Archive’s Decentralized Web Summit, speaking about how the people who are building a new kind of decentralized web can guard against their own future moments of weakness and prevent themselves from rationalizing away the kinds of compromises that led to the centralization of today’s web.
The talk was very well-received — it got a standing ovation — and I’ve heard from a lot of people about it since. The video was heretofore only available as a slice of a 9-hour YouTube archive of the day’s proceedings, but thanks to Jeff Kaplan and the Internet Archive, I’ve now got a cut of just my talk, which is on the Internet Archive for your downloading pleasure and mirrored at YouTube (there’s also an MP3).

May 11, 2016
O’Reilly Hardware Podcast on the risks to the open Web and the future of the Internet of Things
I appeared on the O’Reilly Hardware Podcast this week (MP3), talking about the way that DRM has crept into all our smart devices, which compromises privacy, security and competition.
In this episode of the Hardware podcast, we talk with writer and digital rights activist Cory Doctorow. He’s recently rejoined the Electronic Frontier Foundation to fight a World Wide Web Consortium proposal that would add DRM to the core specification for HTML. When we recorded this episode with Cory, the W3C had just overruled the EFF’s objection. The result, he says, is that “we are locking innovation out of the Web.”
“It is illegal to report security vulnerabilities in a DRM,” Doctorow says. “[DRM] is making it illegal to tell people when the devices they depend upon for their very lives are unsuited for that purpose.”
In our “Tools” segment, Doctorow tells us about tools that can be used for privacy and encryption, including the EFF surveillance self-defense kit, and Wickr, an encrypted messaging service that allows for an expiration date on shared messages and photos. “We need a tool that’s so easy your boss can use it,” he says.
Cory Doctorow on losing the open Web [O’Reilly Hardware Podcast]

Dec 25, 2015
Podcast: Happy Xmas! (guest starring Poesy)
It’s been a year since I sat down at the mic, but it’s Christmas and we have a tradition to uphold. Now we’re settling in here in Burbank and I’ve got a new computer, I’m hoping to get everything running again and get back to a regular schedule.
MP3

Dec 13, 2015
Interview on Paul Holdengraber’s “Call from Paul” podcast
I appeared on the current episode of “A Call From Paul” (MP3), a podcast created by Paul Holdengraber, who curates the NY Public Library’s amazing interview series. Paul and I talked about London, UK politics, class war, education, and books.

Aug 17, 2015
Interview with O’Reilly Radar podcast
I did an interview (MP3) with the O’Reilly Radar podcast at the Solid conference last month; we talked about the Apollo 1201 project I’m doing with EFF.
In the absence of any other confounding factors, obnoxious stuff that vendors do tends to self-correct, but there’s an important confounding factor, which is that in 1998, Congress passed the Digital Millennium Copyright Act. In order to try and contain unauthorized copying, they made it a felony to break a lock that protects access to a copyrighted work or to tell people information that they could use to break that lock.
I’m way more worried about the fact that the [DMCA] law also criminalizes disclosing information about vulnerabilities in these systems.
Lawrence Lessig, who was on our board for many years and is a great friend and fellow of Electronic Frontier Foundation, talks about how there are four factors that regulate our society. There’s code, what’s technologically possible. There is law, what’s allowed. There’s norms, what’s socially acceptable. And then there are markets, what’s profitable. In many cases, the right thing is profitable and also socially acceptable and legal and also technologically possible. Every now and again you run up against areas where one or more of those factors just aren’t in harmony.
This summer, the EFF is launching its own certificate authority called ‘Let’s Encrypt’ to try and overcome the fact that in order to have secure Web sessions, you effectively need permission from a big corporation that issues you a certificate. We’re going to issue free certificates to all comers starting this summer.
If you had a mobile device that was yours and that you trusted and that didn’t give your information to other people, it could amass an enormous amount of both explicit and implicit information about you. … Then, as that device moved through space, the things around it could advertise what kinds of services, opportunities, availabilities they had to the device without the device ever acknowledging that it received them, without the device telling them a single thing about you. Because your device knows a lot about you, more than you would ever willingly give out to a third party, it could actually make better inferences about what you should be doing at this time in this place than you would get if it were the other way around, if you were the thing being sensed instead of you being the thing that’s doing the sensing. I quite like that model. I think that’s a very exciting way of thinking about human beings as entities with agency and dignity and not just ambulatory wallets.
I think we’re already in a world where markets don’t solve all of our problems, but markets actually do discipline firms.

Jul 30, 2015
Q&A from Clarion West benefit/reading in Seattle
Here’s the Q&A portion of the Cory Doctorow in Conversation event I did to benefit the Clarion West Writers’ Workshop in Seattle on July 28, 2015. The audio was provided by Frank Catalano, who also conducted the interview. MP3


