This week's Radar Podcast episode is a special cross-over edition from the O'Reilly Security Podcast, which you can find on iTunes, Stitcher, RSS, or SoundCloud. O'Reilly strategic content director Courtney Nash chats with Cory Doctorow, a journalist, activist and science fiction writer. They talk about nascent pro-security industries, the EFF's lawsuit against the U.S. government, and the new W3C DRM specification.
Here are some highlights:
Auditing IoT products is a liability for security researchers
Think about the conditions under which IoT companies operate. Their business plan—the thing they show to VCs to get the money to go into the business—is to monetize data. They're all designed with security as an afterthought. They're all designed with the minimum viable security to make this product not immediately burst into flames after you put it inside your body or put your body inside of it. Even worse, security researchers face total, brutal liability for investigating these devices and telling people which ones are and aren't safe. It is completely nightmarish.
New pro-security business models
Note: The Electronic Frontier Foundation is representing Bunny Huang and Matthew Green in a case challenging the constitutionality of Section 1201 of the DMCA.
One of the things that our DMCA lawsuit would provide for is a pro-security business model. Imagine if you could start a commercial consultancy that would come in and deworm your IoT household. It could come in and jailbreak all the devices and check their firmware loads, and replace the firmware loads with open firmware or patched firmware, or something else that sits in between. All of those things, all that commercial stuff as well, is currently off-limits, and would be available in the same way that you can enable third-party parts and services if there are no legal impediments. The hardware service and support market in the U.S. for all classes of goods, from lawnmowers to cars to air conditioners to computers, is 2 to 4% of America's GDP. It's a gigantic multi-billion-dollar sector, and in many cases, these are small and medium-size enterprises.