Security and feudalism: Own or be pwned

Published
December 1, 2016

Website
YouTube

Download
Only available on YouTube.

About
«Cory Doctorow explains how EFF is battling the perfect storm of bad security, abusive business practices, and threats to the very nature of property itself, fighting for a future where our devices can be configured to do our bidding and where security researchers are always free to tell us what they've learned.»

License
Published by O'Reilly under a standard YouTube license

Machine transcription
The following is a machine transcription.

So you will maybe know that last March Hewlett-Packard pushed a security update to its OfficeJet and OfficeJet Pro printers that people had bought and installed in the wild, and tens if not hundreds of millions of these users were alerted to the presence of a security update by a notification on the little LCD on the front of the printer, and most of them ran the update. HP assumes that about two thirds of users run updates when delivered this way, and I've spoken to some ex-HP people on background; they think it's more like ninety-five percent.

And the update contained maybe some security code, we don't know, but it also contained a hidden counter that was ticking down to mid-September, a couple of months ago, and when it detonated it activated this self-destruct sequence in the printers that caused them to turn on this otherwise hidden feature that would cause the cartridges and the printer to do a cryptographic handshake, so that the printer could identify and reject third-party ink cartridges and thus force people to buy their ink at a, you know, one million percent markup, more expensive than vintage champagne.

And no one was really sure what was happening when these printers all started spitting out their pacifiers and they stopped accepting these third-party ink cartridges. Some people took, like, several known good cartridges and put them in, and when their printer wouldn't use any of them they assumed the printer was dead and threw it in the garbage. But after thousands of complaints flooded into the third-party ink cartridge companies, they started to figure out what exactly had happened in this business with the Manchurian Candidate security update that was waiting to wake up in September. HP had deliberately reached into millions of customers' living rooms and offices and broken their lawfully acquired property to punish them for not ordering their affairs in the way that was most advantageous to HP shareholders.
Now you may think that this is just kind of a garden-variety corporate ripoff. But it has much deeper implications thanks to a late-twentieth-century copyright law that has also lain mostly dormant for the last fifteen years but has come into its own in this decade in a way that's really toxic. I'm talking of the Digital Millennium Copyright Act, or DMCA, which Congress passed in 1998, and it's a kind of an early hairball of copyright law and it has a lot of different provisions, but the one I'm going to talk about today is Section 1201, and that's called the anti-circumvention rule. Under DMCA 1201, tampering with an access control that restricts access to a copyrighted work can potentially give rise to both civil and criminal liability, and not a little liability: the criminal provisions provide for a five-year prison sentence and a five hundred thousand dollar fine for a first offense for tampering with access controls on copyrighted works.

Now when 1201 passed it was mostly designed to protect the business models of companies like Sega and people who made DVD players. DVD vendors could add region codes to their disks and then they could use license agreements to make every manufacturer check for those region codes and respond to them, so you can't buy a DVD in one country and watch it in another. Now note here that buying a DVD from the company that made it, at the price that they charged, and playing it in a DVD player is not piracy. Right. It's the actual opposite of piracy. It's buying media and paying for it. And as for companies like Sega, well, DMCA 1201 protected this Dreamcast business model, which was kind of a forebear to the App Store business model.
If you were a company and you wanted to sell a game to a Sega owner, Sega wanted you to press the CD on their presses, which charged a very high markup and effectively gave them a royalty on every game sold for the Sega platform. So this meant that everyone who played the Sega games paid a little hidden Sega tax, and that was buried in the price of the disk. It meant that Sega could decide who could make software for the platform they created. And once again, remember that buying a copyrighted game from the people who made it is the opposite of piracy, but because you had to break DRM to watch an out-of-region disc or to play a game that hadn't come from Sega's presses, those non-piracy acts could be punished under anti-piracy law.

So every business has a mix of commercial preferences and legal rights. So Sega had the legal right to prevent you from, like, making your own clone Sega and selling it at a price that was much cheaper than their own. It also had a commercial preference for being the gatekeeper and toll collector on every game that was ever played on the Sega console, and by designing the consoles so that you had to bypass the DRM in order to play a third-party game, they could convert that commercial preference into a legal right. And this is practically a license to print money. Every CEO has at some point in their existence said, gosh, if only it was illegal to frustrate my business model. If only doing something that was suboptimal from my business perspective was a literal felony, the world would be an easier place to navigate.

So companies started to wake up to the potential of the DMCA and poke around the edges, and in 2002, 2003 a couple of hardware companies tried to get in on the act. One was a maker of garage door openers. And they had a commercial preference for being the only company that could sell spare garage door clickers, little boxes like this.
And so they designed their devices to only work with their original equipment and they charged a very high margin on their little clickers, and competitors figured out that, like, a high margin from one company represents an opportunity for another company that wants to collect a lower margin. If they've got a five percent markup, maybe you can sell at a one hundred percent markup, still a pretty respectable business. Now that's normal, but Skylink sued them under Section 1201 of the DMCA. They said that to make a compatible garage door clicker you had to break a DRM, and thus this otherwise legal and normal competitive activity that's a feature of all markets can become a literal federal crime. The court didn't buy it. They said the DMCA protects access controls on copyrighted works, and there isn't a copyrighted work in a clicker, and so Skylink couldn't make breaking their business model into a felony.

And then came Lexmark printer division back then, and they made these laser toner cartridges that had a chip that ran a twelve-byte program. Back then it was really expensive to put chips in cartridges, so you had very small programs in them, and this recorded the toner level on the cartridge, and when the cartridge ran dry, even if you refilled it, the printer wouldn't use it, because this chip was saying it's an empty cartridge and the printer wouldn't accept it. So one of their competitors, a company called Static Controls, reverse engineered that twelve-byte program (not hard, twelve-byte program) and they made a compatible product that reset the chip when you refilled the cartridge, and like Skylink, Lexmark sued Static Controls under Section 1201 of the DMCA. But they said that, unlike Skylink, they actually did have a copyrighted work in their cartridges that was being protected by their DRM. That was that twelve-byte program. The court wasn't having it.
They said yes, software can qualify for copyright, but twelve bytes is too little. It's below the threshold at which a new copyright is created. It's a funny story the way this ends, because Static Controls was bought out by a big hedge fund and then they asked the hedge fund to buy Lexmark, and so now Lexmark is a division of Static Controls.

And that brings us back to HP. Back in 2003, even a company that was making the kinds of crazy margins on their cartridges that Lexmark was couldn't afford to put a very powerful computer in their cartridges. But the cost of computing has crashed, right, and that's not true anymore. Printer cartridges in an HP printer, they don't have twelve bytes of code, they have thousands of lines of code, so much code that there's no question at all as to whether or not an access control in an HP cartridge restricts access to a copyrighted work. If thousands of lines of code in a cartridge aren't copyrightable, then neither is half the projects on GitHub that have the GPL attached to them, and if that's the case the GPL doesn't apply to them either. So when HP turns its commercial preference for you spending more on ink than you'd spend on vintage Veuve Clicquot into a legal right to reach into your house and reconfigure your legitimate, lawfully purchased property so that you have to do that, we're into some scary new legal territory.

Now it's not hard to figure out how to make a compatible cartridge that defeats this new DRM. They're doing something like an interactive protocol. What probably happens is the printer generates a nonce, sends it to the cartridge, the cartridge signs it with a key that's in the chip, sends it back, and then they decide whether or not it's an original cartridge.
So to make a compatible one that breaks that DRM, all you need to do is extract the secret from the chip, and if you want to have a crack at doing that you just go to, like, any office supply store or even a recycling depot and you can have a chip that you can bring home or to your lab, and you can decap it, you can fire, you can stick an electron tunneling microscope and have a go at extracting those keys. DRM systems, they're built by, like, skilled engineers who spend millions of dollars and years on them, and then they're broken in days by amateurs with hobbyist equipment. And it's not because those engineers are dumb. It's because they're doing something dumb. Only an idiot hides signing keys in equipment that you then hand to your adversary, for the same reason that only an idiot would design even a really good bank safe that you would keep in the bank robber's living room instead of in the vault.

So it's not hard to break HP's DRM, but it is legally terrifying. If you're an investor or a retailer or any other necessary party in the value chain, you should be justifiably afraid that this Fortune 100 company with billions in cash and its business model on the line will use the DMCA to punish you for helping their customers figure out how to defeat their business model on which their flagship product depends.

Now printer cartridges aren't the only software-equipped devices in our world today. Software, as Marc Andreessen reminded us, is eating the world. It's hard to overstate the cheapness of compute power and the number of things that have software in them today. I just read Bunnie Huang's forthcoming book about hardware hacking, and he talks about what he learned when he was reverse engineering counterfeit SD cards. So SD cards, they're made from tons of recycled RAM, and that RAM tends to be pretty janky and have lots of bad sectors, and you could fix that at the factory in a QA
process, but it turns out that it's cheaper to put a whole system on a chip in every one of those little, crappy, you lose them, you don't even bother looking for them SD cards, to act as a drive controller and mark off the bad sectors as they emerge. So embedded Linux has made this jump. It started in DVRs, then it moved to home routers and then to network-attached storage and now to medical implants and smart lightbulbs, and that means that we have intelligence in everything and copyrightable works in everything.

And the bad news is that there is no Internet of Things hardware business model. Hardware starts at something like a two percent margin and it declines steeply from there into a negative margin as soon as your product becomes popular enough for someone to clone in the Pacific Rim. So the only way that you can go out to a VC and get capital for your hardware business is to convince them that you're going to make your money not on the hardware but on the ecosystem. You're going to be the only supplier of service or parts or consumables, or you'll be able to get data about the owners of these devices that no one else can get, by making them into privacy-sucking surveillance devices.

Now obviously making sure that people buy parts and services and consumables from you, that's not your legal right. That's just your commercial preference. But if you design the device so that adding third-party ink or putting a third-party part in a car or getting a third-party mechanic to figure out what's wrong with your tractor requires bypassing DRM, you can convert your legal preference, or your commercial preference, into an ironclad legal right. And that has meant that DRM has metastasized into domains that we never even imagined it would show up, and that's why DRM is now in cars and tractors and pacemakers and implanted defibrillators and cochlear implants and insulin pumps and thermostats and voting machines and this, which debuted at CES last year.
That's the Internet of Things rectal thermometer that has put DRM up our literal asses.

So, so far this is a consumer story, right. It's a story about whether or not you get what you think you paid for. But there is a security dimension here, and that's why I'm talking to you about it today, because DRM works by hiding keys in user-accessible equipment, and that requires obfuscation. You can't show the user how their equipment works if you're hoping to prevent them from reconfiguring their equipment. We don't have the normal crypto situation in DRM. Normally in crypto it's Alice and Bob and Carol. Alice and Bob need to talk to each other and Carol is trying to attack them by finding out what they're saying, but in the DRM crypto model you've just got Alice and Bob. Like, Netflix is Bob. It wants to send you a video, because you're Alice, and it wants to send you that key and network player for it. But it doesn't want you to figure out where the key is in that equipment that it just sent you. So we have, like, a technical name for this in security circles: this is called wishful thinking.

And so DRM, even well-designed DRM, becomes fertile soil for malware problems. In the mid-2000s Sony snuck rootkits onto six million CDs, fifty-one titles that they shipped out to people, and if you put it in a Windows machine, it had a second session on it that auto-ran and patched your kernel with a rootkit that hid certain files and processes from you.
So that they could run a secret program that tried to stop you from ripping CDs, and that quickly spread; three hundred thousand US government and military networks were infected with it, and just as quickly malware writers realized that if they used the same trick Sony was using to disguise their anti-ripping software, then if their malware landed on a computer that had already been infected by Sony's rootkit, it could ride under the same cloak that Sony had designed. Because if you design a system that treats its owner as an attacker, then necessarily that system prevents the attacker from figuring out whether something bad is happening in the system.

So remember that DRM doesn't actually work very well; this is the other side of the security picture. The DMCA necessarily has to prohibit disclosure of defects in DRM systems, because if you know about the errors the programmers made you can figure out how to start unraveling the DRM and jailbreaking the system. And so last summer, 2015, the US Copyright Office held hearings on this to find out whether or not this was interfering with security researchers. After all, America put a security researcher in jail once for disclosing defects in Adobe's e-book reader software and their DRM. And a who's who of security research wrote to the Copyright Office to say that they had discovered ghastly, dangerous defects in systems that people relied on for life and limb, and that their general counsel hadn't allowed them to come forward with this because they were worried about DMCA liability. Researchers like Edward Felten, who's now the deputy CTO of the White House, Jay Radcliffe from Rapid7, Alex Halderman from University of Michigan and Amherst, Matt Blaze, Matt Green from Johns Hopkins, Bruce Schneier, many others. Under the DMCA,
it's become the situation that researchers need permission from companies to disclose the defects that they find in their products without legal risk, which gives companies a veto over embarrassing news about their own products, and for all the obvious reasons corporations are not the right custodian of facts that might embarrass them. And preventing disclosure does not prevent discovery. It just means that the vulnerabilities that you discover and can't tell us about don't become public knowledge until they become so widely exploited in the wild that you can't help but find out about them.

This is why the Internet of Things dumpster fire has been allowed to rage. This is why Brian Krebs in September faced a six hundred and twenty gigabit per second DDoS attack in retaliation for outing a couple of petty Israeli denial-of-service attack criminals, who then were able to harness the Mirai Internet of Things worm to attack, or to direct an attack, that we would normally associate with nation-state actors. But it didn't originate from China or Russia. It originated from a couple of dum-dums running a crappy crimeware company. Now the source code for Mirai, that Internet of Things malware that was used to attack Krebs, that was dumped a week later, and the analysts who looked at it, they said it was amateurish and clumsy. And a week after that, that amateurish and clumsy malware had found such a hospitable environment in the even more amateurish, even more clumsy environment of the Internet of Things that it infected systems in every country on the planet with reliable electricity and internet service. Ten days after that, Mirai was used to direct floods of traffic at core infrastructure: Level 3, Dyn DNS, PayPal, Twitter, Netflix, knocking out some of the Internet's best-defended services.

We're going to be fighting this fire for a long time. There is no obvious way to patch most of these systems, meaning even if the next generation fixes these problems and even if we recall the old ones, we will still struggle with the millions of installed stupid smart bulbs, PVRs, CCTVs and rectal thermometers. But attacks that harness insecure devices to attack people other than their owners, that's just the beginning. The real risk comes when these devices, these devices that are designed to treat their owners as attackers and obfuscate their operations, that are designed to gather as much information about their owners as possible in case that turns out to be a business model, that are designed to be illegal to report vulnerabilities in, what happens when those devices are used to direct attacks against their owners?

We know what that looks like because we've seen it for a long time. You'll remember in 2013 Miss Teen USA Cassidy Wolf got drive-by malware on her computer, a remote access trojan that allowed her attacker to secretly capture incidental nude images of her as she walked in front of her laptop, as well as the passwords to social media accounts, and he tried to blackmail her, an underage young woman, into performing live sex acts on camera or he would put these nude photos online. When they finally arrested him, because she went to the FBI, they found out that most of his victims had gone to the FBI; he had well over one hundred in several countries, including many minor children. You'll remember last summer at Def Con the belle of the ball was the Jeep hack: one point four million Chrysler Jeeps recalled because it turned out that their Wi-Fi hot spot on demand could be harnessed to control their brakes, steering, transmission and all other significant functions over the Internet.
January 2016, in San Francisco, a mom's three-year-old kept saying that the phone in his room, that's what he called his baby monitor, was scaring him at night, and one night as she passed by his room she heard some stranger's voice swearing at her child, and she walked into the room and the little camera on it swiveled around and some random "Mommy's here," and the voice stopped.

With DMCA 1201 we have given companies every incentive they need to use their products and prevent us from figuring out whether or not there's something wrong with them until it's too late. But we've also given those companies the ability to end private property as we've understood it for hundreds and thousands of years, because if the dead hand of the manufacturer can rest on your lawfully acquired property even after you've purchased it in full, ready to slap you any time you commit the sin of not ordering your affairs to the maximal benefit of their shareholders, then you are not the owner of that property anymore. They are. We are one RFID system away from a toaster that won't take third-party dishes. We are one vision system away from a dishwasher that won't take third-party dishes, and we are one vision system away from a toaster that won't take unauthorised bread.

Now we have a name for systems where only one special class of people get to own property and everyone else has to rent it from them. That's called feudalism. And in feudalism everyone who's not a lord is a peasant or a vassal, a tenant farmer who is reliant on the mercy of the local lord for the ability to earn their living. In DRM feudalism the aristocracy, they're not even flesh and blood. They're artificial, immortal, transhuman life forms called limited liability corporations that see us alternately as their food source and inconvenient gut flora, and it's only going to get worse.
The World Wide Web Consortium, once the great bastion of open web standards, is working to standardize digital rights management for the core suite of HTML5 browser standards. They're working on a project called Encrypted Media Extensions, and they're doing this as part of a wider project to make browsers into the control surface for the Internet of Things, to help sunset apps and the walled gardens that they represent and bring back the open, federated Internet.

When we told the World Wide Web Consortium that they shouldn't do this, that they shouldn't make the control surface for IoT off limits to security research, they said your problem isn't with DRM, it's with the DMCA. So we said fine. All right. Make W3C membership contingent on promising not to abuse the DMCA and laws like it to attack security researchers, to attack people making lawful interoperable products and to attack people who create accessibility features for products. That came to a vote that closed last night. And we proposed that the W3C should require its membership to promise not to turn this technical standard into a potent legal weapon, that they'd have to promise not to abuse the DMCA and laws like it, and we were backed by some of the world's largest research organizations like Oxford University, and some of the world's leading disability rights organizations like the Royal National Institute for Blind People, and by a list of literally hundreds of the world's leading security researchers, including Ross Anderson, Bruce Schneier, Matt Green, Matt Blaze and many others whose names you'll recognize. And now this is in the hands of the W3C executives who get to decide.
Are they in the standards business or are they in the business of arming the world's largest, most powerful corporations to decide who gets to improve their products, who can add accessibility features to them and who gets to warn their customers about defects that put them at risk?

So let's go back to printers. In 2011 a researcher at Columbia University here in New York published a paper called "Print Me If You Dare" that detailed the research he'd done into HP's laser printers. The first thing he discovered is that the way that you update the firmware on an HP printer is by sending it a document that has a hidden code that says operating system starts here. Everything after that is not checked and is uploaded into the nonvolatile memory as the new operating system for the printer. So he created poisoned documents that would reflash any printer that printed them, documents with names like resume.doc that you could send to the HR department. And after a printer had been compromised by one of his documents, they would send him copies of everything that got sent to them, they would also collect separately and send him anything that looked like a social security number or a credit card number, and they would also crawl the LAN for any machines with known vulnerabilities, compromise them and then open a reverse shell to him so that he could control the entire LAN, having punched through the firewall.

Now he picked on HP because they had tens of millions of units in the field; you rob banks because that's where the money is. And now HP has started using security updates to transmit these sneak attacks, these time bombs, against their own customers' own property, and that means that for the first time these tens or hundreds of millions of devices in the field are owned by people who have a damn good reason not to run security updates. HP is a dress rehearsal for what the future of the Internet of vulnerable, illegal-to-audit things on fire
looks like. Every incentive that HP had to remote-break its customers' property, that's present for all of those IoT companies.

So we need to fix this. We need to adopt principles that expand on that EFF proposal to the W3C, that as a condition of membership you agree not to use the DMCA to attack security research. We need to expand it into a set of principles that we bring into all of our work. I'm going to suggest two principles for you today. The first one is that any time a system gets conflicting instructions from a third party and its owner, every time the owner always wins. And the second one is that true facts about the security of systems that people rely on are always legal to disclose. And I charge you to be hardliners on these principles. If they're not calling you a fanatic and an unrealistic purist about this, you are not trying hard enough. If you aren't totally uncompromising in these principles, you are setting the stage for long-term harms that are worse than any short-term benefit you could gain by making that compromise. If you computerize the world and don't safeguard the users of computers from coercive control, history will remember you not as the heroes of progress but as the blind handmaidens of tyranny.

So how do we fix this? We're not going to do it in onesies and twosies. No one of you is going to be able to solve this problem, just like no one of you can recycle your way out of climate change. It's not a matter of individual choices. It's a matter of collective action that can make deep structural changes in the way that our information economy works. And at EFF we're doing something about this. We have this project, Apollo 1201, whose goal is to kill all the DRM in the world within a decade. We started with a lawsuit against the US government challenging the constitutionality of Section 1201 of the DMCA. And our two clients in the suit:
One is a Johns Hopkins security researcher named Matthew Green and the other is MIT Media Lab adjunct Bunnie Huang. And this lawsuit is going to run for years to come. And in so doing, it's creating this new era in the history of DMCA 1201, an era of indeterminacy where it's not clear whether that law will in fact be found to be enforceable, and while we're winding our way up to the Supreme Court, risk-tolerant designers, security researchers and entrepreneurs can short DRM and go long on a technologically free future by taking action based on our legal theories.

And as legal protection for DRM erodes in the US, all those other countries that the US arm-twisted into adopting their own versions of DMCA 1201 will have no good reason to keep the law on their books anymore. When Americans are jailbreaking and exporting jailbreaking tools, preserving legal protection for DRM in the UK or Canada or Hungary won't stop people in those countries from jailbreaking. It'll just mean that they only buy their jailbreaking tools from America, the country that made those countries promise not to have an industry that does this themselves. Suicide pacts are mutual. If the US pulls out, no one else will stay in. And that's how we're going to kill DRM, not just here but everywhere.

And I'm a science fiction writer, and people ask me if I'm optimistic or pessimistic about the future, but if there's one thing being a science fiction writer's taught me, it's that trying to predict the future is an idiot's game. Science fiction writers, we're like Texas marksmen: we fire a shotgun into the side of a barn and then we draw a target around the place where the pellets have hit and tell everyone what a great shot we've been. We ignore all of those predictions we made that never came true. But in the wider sense,
who cares what we think the future is going to be? I mean, if you're optimistic and you think that this is just, like, a temporary speed bump on the way to a future in which technology allows us to work together to make a better world for everyone, then you should do everything you can every day to make sure that comes true. And if you're pessimistic, if you think that all of this stuff is only going to get worse, that entertainment law is going to usher in an era of unparalleled surveillance and control, that we will be Huxleyed into the full Orwell, then you should get up every morning and do everything you can to stop that from happening.

So rather than being optimistic or pessimistic, I'm going to ask you to be hopeful. Hope is surveying the landscape for a step that you can take that makes things a little better, and taking that step to see if it brings you to a vantage point from which you can see another step. Hope is why, when your ship sinks in the ocean, you tread water even if you don't think that you're going to be picked up, because everyone that was ever picked up treaded water until rescuers arrived. It is the necessary but insufficient precondition for survival.

And I'm going to suggest some hopeful things you can do. So the first one is financial. Danese Cooper is the open source theorist and activist. She's at PayPal now, and Danese said, you know, it can be really disheartening to wake up in the morning and realize that you're spending money every day with companies whose alpha and omega is destroying the future you want to live in. It can make you feel hopeless. But what I do is at the end of every month I add up all the money I've given to net-neutralicidal telephone companies, to hardware companies whose alpha and omega, to online services that abuse the DMCA and the Computer Fraud and Abuse Act, and I take that money and I give it to an organization that's struggling to build the better future. I try to hedge my bet.
And I have a place where I think you should hedge your bet. Obviously I'm partisan here with the EFF. I worked for them for fifteen years. They don't give me money; I get my money from MIT as activist in residence. But I've watched how they spend their money. I've never seen an organization be more efficient. They really know how to squeeze a dollar until it hollers. But the good news is that there's a lot of organizations that you can support that do this work even if it's not EFF, and you can spread your money around. There's the Free Software Foundation and Demand Progress and Creative Commons, Software Conservancy, Software Freedom Law Center, and let's not forget the ACLU, doing so much important work in this election season, and are suing the US government to invalidate parts of the Computer Fraud and Abuse Act, which is the law that Aaron Swartz was prosecuted under.

So that's the financial thing that you can do. But I've got an even harder and more ambitious project that I'm going to ask you to think about undertaking. And that's to find two deep nerds, not civilians, not people who don't understand what DRM means or what the DMCA is or how crypto works; find two deep nerds who already understand all that stuff and explain what I've just told you to them. Because EFF has tens of thousands of members, Slashdot has hundreds of thousands of readers, Hacker News has millions of readers and Reddit has tens of millions of readers. We have a lot of people who are ready to understand what the hell all this stuff means, people who you don't have to give the technical education to, and you can build a movement by bringing those people along and having them explain to the people they love what they can do too. So have that conversation with two people in the next week, and then one week later call them up and ask them if they've thought about it and if they're willing to have this conversation with two more people.
There's a lot on the line here. We're trying to figure out whether we're going to make a future where our devices are designed to obey us, where we're allowed to warn each other about the defects lurking in those devices, and none of us are going to get to choose individually whether we get that future, but together we do have a chance, and there's too much at stake not to fight with everything we have. Thank you. Thank you.