1 00:00:00,000 --> 00:00:11,460 Welcome to the NGI Zero podcast where we talk to the people who are building the next generation 2 00:00:11,460 --> 00:00:12,460 internet. 3 00:00:12,460 --> 00:00:14,160 I'm Ronny Lam. 4 00:00:14,160 --> 00:00:15,780 And I'm Tessel Renzenbrink. 5 00:00:15,780 --> 00:00:20,000 We're both from NLnet, a foundation which supports people who are working on free and 6 00:00:20,000 --> 00:00:21,920 open internet. 7 00:00:21,920 --> 00:00:26,860 For season two of this podcast, we will be focusing on digital sovereignty through free 8 00:00:26,860 --> 00:00:29,300 and open source technologies. 9 00:00:29,300 --> 00:00:31,500 Our guest today is Armijn Hemel. 10 00:00:31,500 --> 00:00:36,820 He is the owner of Tjaldur Software Governance Solutions and a technical expert in license 11 00:00:36,820 --> 00:00:38,900 compliance engineering. 12 00:00:38,900 --> 00:00:43,880 He has worked on many projects, some of which have received NGI Zero funding, but the one 13 00:00:43,880 --> 00:00:49,800 we will be talking about today is DeviceCode, a project that provides structured technical 14 00:00:49,800 --> 00:00:52,020 information about consumer devices. 15 00:00:52,020 --> 00:00:56,200 Welcome, Armijn, and thank you for joining us. 16 00:00:56,200 --> 00:00:58,140 My pleasure to be here. 17 00:00:58,140 --> 00:01:01,320 We have three questions devised to get to know who you are. 18 00:01:01,320 --> 00:01:04,760 And the first one is, who is the cooler robot? 19 00:01:04,760 --> 00:01:07,900 Marvin the Paranoid Android or R2D2? 20 00:01:07,900 --> 00:01:12,060 Ah, Bender from Futurama, obviously. 21 00:01:12,060 --> 00:01:15,860 I'm not surprised you're going for the third option. 22 00:01:15,860 --> 00:01:17,500 Which license is better? 23 00:01:17,500 --> 00:01:21,860 The GNU General Public License or the MIT license? 24 00:01:21,860 --> 00:01:26,700 That really depends on your point of view and what you're trying to achieve. 
25 00:01:26,700 --> 00:01:28,940 They both have their place. 26 00:01:28,940 --> 00:01:33,780 Pick your favorite operating system, NixOS or Fedora? 27 00:01:33,780 --> 00:01:36,900 I really don't care as long as it gets the job done. 28 00:01:36,900 --> 00:01:38,540 So for me, it really is just a tool. 29 00:01:38,540 --> 00:01:44,220 I'm not really attached to one or the other. 30 00:01:44,220 --> 00:01:46,380 So as long as it gets the job done, I'm happy. 31 00:01:46,380 --> 00:01:49,740 For me, computers are just a tool to get stuff done. 32 00:01:49,740 --> 00:01:52,780 I'm happy for your very diplomatic answers. 33 00:01:53,180 --> 00:01:55,340 I've been working with lawyers for a long time. 34 00:01:55,340 --> 00:02:02,660 So that's something that I picked up fairly quickly. 35 00:02:02,660 --> 00:02:04,580 Let's go to your project. 36 00:02:04,580 --> 00:02:07,580 Can you tell us something about DeviceCode? 37 00:02:07,580 --> 00:02:15,100 So DeviceCode is basically a project to index all kinds of information that other people 38 00:02:15,100 --> 00:02:17,420 on the internet have crowdsourced. 39 00:02:17,460 --> 00:02:24,180 It's basically information about what is inside consumer electronics devices such as routers, 40 00:02:24,180 --> 00:02:31,260 wireless network, things, IP cameras, tablets, you name it. 41 00:02:31,260 --> 00:02:40,660 So that information is basically locked away in all kinds of wikis that people have been 42 00:02:40,660 --> 00:02:42,980 creating for quite a long time. 43 00:02:42,980 --> 00:02:46,020 But the biggest problem is that they are... 44 00:02:46,020 --> 00:02:48,260 So all the information is... 45 00:02:48,260 --> 00:02:51,340 How should I say that? 46 00:02:51,340 --> 00:02:56,460 It's spread across quite a few different wikis. 47 00:02:56,460 --> 00:02:59,180 It's not easy to search. 48 00:02:59,180 --> 00:03:03,780 They are all suffering from errors, human input errors. 
49 00:03:03,780 --> 00:03:09,860 And so I'm basically trying to consolidate that information and making it easier to unlock. 50 00:03:09,860 --> 00:03:14,980 So luckily, all of the information on those wikis are either public domain or under Creative 51 00:03:14,980 --> 00:03:16,180 Commons. 52 00:03:16,180 --> 00:03:17,940 So the licenses allow me to do that. 53 00:03:17,940 --> 00:03:24,820 So basically, it's aggregating information from wikis, from various wikis with information 54 00:03:24,820 --> 00:03:30,940 about consumer electronics devices, consolidating the information and then providing some sort 55 00:03:30,940 --> 00:03:34,580 of search interface for it. 56 00:03:34,580 --> 00:03:37,300 So that's the technical part of it. 57 00:03:37,340 --> 00:03:40,860 The motivation is different. 58 00:03:40,860 --> 00:03:41,860 Because yeah, exactly. 59 00:03:41,860 --> 00:03:43,580 That was what I was going to ask. 60 00:03:43,580 --> 00:03:44,580 Why? 61 00:03:44,580 --> 00:03:45,660 Why do we need it? 62 00:03:45,660 --> 00:03:52,420 So I think that a lot of people are completely unaware of how the consumer electronics industry 63 00:03:52,420 --> 00:03:53,420 works. 64 00:03:53,420 --> 00:03:58,460 So they are thinking that when they buy a device from a certain manufacturer, that there 65 00:03:58,460 --> 00:04:06,220 is a factory with people wearing factory suits with the name of the manufacturer on there, 66 00:04:06,340 --> 00:04:07,820 making only those devices. 67 00:04:07,820 --> 00:04:09,700 But that's not how it works. 68 00:04:09,700 --> 00:04:15,300 Basically a lot of the stuff that you're seeing here in the shops is made in some factory, 69 00:04:15,300 --> 00:04:19,580 either in China or increasingly Vietnam. 70 00:04:19,580 --> 00:04:24,740 And where the only thing that is happening is that a label is put on there and a different 71 00:04:24,740 --> 00:04:27,140 casing and a different package. 
72 00:04:27,140 --> 00:04:29,620 And basically, that's it. 73 00:04:29,620 --> 00:04:38,380 The core of the devices is usually shared with other devices from other manufacturers. 74 00:04:38,380 --> 00:04:44,500 So what companies do is they basically contract a so-called original design manufacturer or 75 00:04:44,500 --> 00:04:49,540 ODM to say like, hey, make this device for us. 76 00:04:49,540 --> 00:04:56,620 And the brands that you see here, they don't have a lot of influence on what actually is 77 00:04:56,620 --> 00:04:59,200 installed on the devices. 78 00:04:59,200 --> 00:05:03,000 So a lot of the people who are, when you go into a shop and you think like, I'm going 79 00:05:03,000 --> 00:05:07,920 to buy this device from this very reputable brand and I'm not going to buy it from that 80 00:05:07,920 --> 00:05:10,640 other brand because I don't trust them. 81 00:05:10,640 --> 00:05:15,720 Usually what you're seeing is like, well, no, it could very well be that those devices 82 00:05:15,720 --> 00:05:19,200 are exactly the same or very similar. 83 00:05:19,200 --> 00:05:21,960 And you're basically just enchanted. 84 00:05:21,960 --> 00:05:25,120 You're being tricked by marketing. 85 00:05:25,120 --> 00:05:28,620 Because a lot of the devices are basically the same. 86 00:05:28,620 --> 00:05:35,340 So one funny story is when I was in Taiwan, I visited an ODM there and I saw basically 87 00:05:35,340 --> 00:05:40,120 boxes of different companies that I know were competitors next to each other. 88 00:05:40,120 --> 00:05:43,300 And they said, yeah, it's all the same device, just a different casing. 89 00:05:43,300 --> 00:05:49,060 They're all made here or actually in the factory in China, but they were all made by the Taiwanese 90 00:05:49,060 --> 00:05:50,060 company. 91 00:05:50,060 --> 00:05:55,620 Is DeviceCode about hardware, software or both? 92 00:05:55,620 --> 00:05:58,580 So it's a little bit of both. 
93 00:05:58,580 --> 00:06:04,860 I'm basically trying to index as much information as possible, but the focus is mostly about 94 00:06:04,860 --> 00:06:06,140 hardware. 95 00:06:06,140 --> 00:06:12,420 So what chips are being used, which manufacturers are involved. 96 00:06:12,420 --> 00:06:16,340 But if there is software information available, such as from a boot log, then of course I'm 97 00:06:16,340 --> 00:06:20,300 going to parse the boot log and see like, hey, this is what I can discover. 98 00:06:20,300 --> 00:06:23,940 Like, hey, it's this version of Busybox, this version of IP tables, this version of the 99 00:06:24,140 --> 00:06:28,180 kernel built with this particular SDK and so on. 100 00:06:28,180 --> 00:06:34,620 Because then I can start comparing devices and see which ones are similar. 101 00:06:34,620 --> 00:06:41,120 And if I know if they are similar, then I can maybe reason about those devices. 102 00:06:41,120 --> 00:06:48,240 If I then know like, hey, device A has a CVE associated with it, which ones are fairly 103 00:06:48,240 --> 00:06:50,420 similar to device A? 104 00:06:50,420 --> 00:06:56,060 So I can then also see it like, well, perhaps that would be a good candidate to test as 105 00:06:56,060 --> 00:06:58,100 well for the presence of that CVE. 106 00:06:58,100 --> 00:06:59,100 Yes. 107 00:06:59,100 --> 00:07:02,100 So can you go a little bit further into that? 108 00:07:02,100 --> 00:07:06,660 That it has a lot to do with security, that you want to delve up all this information? 109 00:07:06,660 --> 00:07:14,740 Well, so one of the biggest gripes I have with the system is that CVEs are very much 110 00:07:14,740 --> 00:07:19,900 focused on single devices and single manufacturers. 111 00:07:19,900 --> 00:07:26,740 So they're saying like, device A from vendor X is vulnerable, but it doesn't take into 112 00:07:26,740 --> 00:07:31,180 account that the device might be similar to another device. 
113 00:07:31,180 --> 00:07:35,220 So people are basically going like, oh, but I don't have that device from that vendor. 114 00:07:35,220 --> 00:07:39,540 I have a different device from a different vendor, not understanding that it is the same 115 00:07:39,540 --> 00:07:41,420 device. 116 00:07:41,420 --> 00:07:47,920 So they get some sort of false sense of security. 117 00:07:47,920 --> 00:07:55,480 So that's one of the reasons why I wanted to do this, just to uncover the hidden patterns 118 00:07:55,480 --> 00:08:03,560 that are present in the consumer electronics industry to see, hey, if we know that one 119 00:08:03,560 --> 00:08:08,640 device is vulnerable and we can find out which ones are coming from the same factory with 120 00:08:08,640 --> 00:08:13,240 the same software, then we can also say the other devices are also vulnerable and should 121 00:08:13,240 --> 00:08:14,280 be fixed. 122 00:08:14,280 --> 00:08:17,720 So in the context of CRA, that could be quite important. 123 00:08:17,720 --> 00:08:19,820 CRA? 124 00:08:19,820 --> 00:08:27,420 So the Cyber Resilience Act, it's from the European Union, that is some law, some legislation 125 00:08:27,420 --> 00:08:32,880 I must say, that should hopefully improve the security of all kinds of devices that 126 00:08:32,880 --> 00:08:36,420 are coming onto the EU markets. 127 00:08:36,420 --> 00:08:40,700 So one very prominent reason for you to do this is security. 128 00:08:40,700 --> 00:08:46,740 Are there also other reasons, maybe for people who want to fix things themselves or? 129 00:08:46,740 --> 00:08:49,540 Of course, I enjoy digging into data. 130 00:08:49,540 --> 00:08:55,100 So that's also a motivation to see, hey, how are we being tricked into buying a certain 131 00:08:55,100 --> 00:09:01,620 device when you can also get the same device somewhere else from a different manufacturer? 132 00:09:01,620 --> 00:09:02,740 That is also fun. 
133 00:09:02,740 --> 00:09:07,780 But I also like to see, how should I say this? 134 00:09:07,820 --> 00:09:14,020 I think that for people who want to tinker, it could also be quite important to see if 135 00:09:14,020 --> 00:09:16,780 they want to buy a certain device. 136 00:09:16,780 --> 00:09:25,120 That is also an angle for replacement firmwares to see if a device can actually run a certain 137 00:09:25,120 --> 00:09:26,980 replacement firmware. 138 00:09:26,980 --> 00:09:28,220 That could also be fun. 139 00:09:28,220 --> 00:09:32,180 But yeah, my main focus still is security. 140 00:09:32,180 --> 00:09:36,420 But there are other reasons why other people would want to use this. 141 00:09:36,420 --> 00:09:37,740 And of course, I don't know. 142 00:09:37,740 --> 00:09:39,380 So that's the fun thing about it. 143 00:09:39,380 --> 00:09:42,140 You don't know how other people will use it. 144 00:09:42,140 --> 00:09:46,940 This season will be about digital sovereignty. 145 00:09:46,940 --> 00:09:51,860 How can DeviceCode help with digital sovereignty? 146 00:09:51,860 --> 00:09:59,040 Well, so of course, one thing that you can see is that with DeviceCode, you can uncover 147 00:09:59,040 --> 00:10:03,660 all of these hidden patterns about how devices are made. 148 00:10:04,100 --> 00:10:11,060 As soon as you understand how the consumer electronics industry works, then you could 149 00:10:11,060 --> 00:10:12,060 feel tricked. 150 00:10:12,060 --> 00:10:15,580 But you can also say, OK, well, but this is something that we can do as well. 151 00:10:15,580 --> 00:10:19,140 I mean, it is not that complicated. 152 00:10:19,140 --> 00:10:26,560 So if you look into the industry, what happens usually now is that a company here goes to 153 00:10:26,560 --> 00:10:31,100 some company in Taiwan, China, Vietnam, and says, I want that device that you have in 154 00:10:31,100 --> 00:10:33,580 your catalog in blue. 
155 00:10:33,580 --> 00:10:38,820 That's basically how it's done, at least by some companies. 156 00:10:38,820 --> 00:10:44,060 Then there are other companies and projects that are saying, well, we want to have a certain 157 00:10:44,060 --> 00:10:46,580 device with certain specifications. 158 00:10:46,580 --> 00:10:49,140 And by the way, here is the software. 159 00:10:49,140 --> 00:10:54,180 So the OpenWrt project recently did this with the OpenWrt One. 160 00:10:54,180 --> 00:11:00,860 They, I'm not sure if they designed a board themselves or not, but at least they provided 161 00:11:00,860 --> 00:11:03,080 the complete software. 162 00:11:03,080 --> 00:11:08,680 And then the companies in China are basically only manufacturing the boards. 163 00:11:08,680 --> 00:11:14,000 And you can take this a lot, lot further, then you could say, well, you know, just only give 164 00:11:14,000 --> 00:11:18,920 us the boards and then we will solder their components onto it, or we're going to do everything 165 00:11:18,920 --> 00:11:24,080 ourselves and all of the great gradations in between. 166 00:11:24,080 --> 00:11:29,880 Because it's, I mean, it will be a challenge to scale and to make it very cheap. 167 00:11:29,880 --> 00:11:32,680 But technically, it's not impossible. 168 00:11:32,920 --> 00:11:36,640 There are quite a few companies that are already showing that it can be done. 169 00:11:36,640 --> 00:11:43,160 So when I think that digital sovereignty is, I mean, COVID really showed that we are quite 170 00:11:43,160 --> 00:11:45,120 vulnerable to that. 171 00:11:45,120 --> 00:11:49,960 And the current geopolitical situation is also not very encouraging. 172 00:11:49,960 --> 00:11:56,680 It should actually make us wonder maybe we should do a little bit more here in the EU 173 00:11:56,680 --> 00:11:58,480 when it comes to manufacturing. 174 00:11:58,480 --> 00:11:59,920 That would indeed be wise. 
175 00:12:00,320 --> 00:12:04,600 Well, there are a few other things that you can think about. 176 00:12:04,600 --> 00:12:11,240 So environmental impact, worker rights, software security, all that. 177 00:12:11,240 --> 00:12:14,880 Just discovering backdoors or preventing backdoors. 178 00:12:14,880 --> 00:12:19,040 There are many reasons why you should consider doing this. 179 00:12:20,440 --> 00:12:27,240 Can you expand a little on the labor rights and environmental impact? 180 00:12:27,280 --> 00:12:35,880 Why should we want to produce more locally to improve those two things? 181 00:12:37,320 --> 00:12:43,720 I mean, there are parts of the EU where there's still quite a bit of poverty and people 182 00:12:43,720 --> 00:12:45,040 actually could use a job. 183 00:12:45,040 --> 00:12:47,080 So that could be a good reason as well. 184 00:12:48,000 --> 00:12:49,640 Get some more of those jobs back. 185 00:12:50,640 --> 00:13:03,560 Isn't it also maybe that here in the EU, we have workers' rights and that one of the 186 00:13:03,560 --> 00:13:08,000 consequences of that is that if you keep those workers' rights, like paying people fairly, 187 00:13:08,000 --> 00:13:10,840 for instance, then your product will be more expensive. 188 00:13:10,840 --> 00:13:16,880 And then we have workers' rights, but then we import stuff from other countries where 189 00:13:16,920 --> 00:13:18,720 they have less workers' rights. 190 00:13:18,720 --> 00:13:25,840 And so we circumvent our own workers' rights by still not wanting to pay for it. 191 00:13:25,840 --> 00:13:27,760 Is that also not a reason to? 192 00:13:27,760 --> 00:13:36,200 Yeah, but then you would have to decide, do you want to pay more for a device or less? 193 00:13:36,200 --> 00:13:37,840 What do you care more about? 194 00:13:37,840 --> 00:13:41,160 And I guess that's an individual choice. 
195 00:13:41,160 --> 00:13:46,240 I wouldn't mind paying a little bit more, but other people might 196 00:13:46,640 --> 00:13:48,400 want to say, no, I want to have things cheap. 197 00:13:48,960 --> 00:13:53,280 You have to understand that things have become really, really cheap in the past few decades. 198 00:13:54,240 --> 00:13:57,600 At least when it comes to consumer electronics, they've become ridiculously cheap. 199 00:13:58,480 --> 00:14:02,000 And of course, you could do something like that in the EU as well, but you will have to 200 00:14:02,000 --> 00:14:03,600 scale your industries a lot. 201 00:14:04,960 --> 00:14:07,040 You really have to produce at scale. 202 00:14:07,040 --> 00:14:09,840 Otherwise, you can never be as cheap as when 203 00:14:09,840 --> 00:14:11,120 things are coming from China. 204 00:14:11,680 --> 00:14:17,040 But even there, it's funny to see that China is becoming too expensive as well. 205 00:14:17,040 --> 00:14:21,360 So now their factories are moving to Vietnam and Cambodia and all that. 206 00:14:22,080 --> 00:14:25,280 So it's interesting to see. 207 00:14:26,240 --> 00:14:30,000 There is a parallel to the clothing industry, isn't it? 208 00:14:31,440 --> 00:14:32,160 Yes. 209 00:14:32,160 --> 00:14:32,660 Yeah. 210 00:14:33,680 --> 00:14:36,640 Clothes used to be fairly expensive. 211 00:14:36,640 --> 00:14:40,880 Now they are basically the whole fast fashion thing. 212 00:14:42,880 --> 00:14:45,680 Clothing has become so ridiculously cheap. 213 00:14:47,680 --> 00:14:52,480 And then you think, well, something is going horribly wrong. 214 00:14:53,840 --> 00:14:54,560 Yeah. 215 00:14:54,560 --> 00:15:02,800 We see that there is also a change in the fashion industry where people choose for, 216 00:15:02,880 --> 00:15:07,120 well, responsible clothing. 217 00:15:08,320 --> 00:15:11,200 So then you could go for responsible hardware. 218 00:15:11,760 --> 00:15:12,880 I would be all for it. 
219 00:15:14,000 --> 00:15:20,720 I mean, if you think about it, do we really need to have new routers every few years? 220 00:15:20,720 --> 00:15:22,400 New IP cameras, maybe? 221 00:15:22,400 --> 00:15:22,880 I don't know. 222 00:15:23,600 --> 00:15:28,960 Maybe you just want to get good updates so that they stay secure. 223 00:15:29,680 --> 00:15:30,320 Yeah. 224 00:15:30,320 --> 00:15:36,240 On the other hand, I do know that innovation is driven by market demands. 225 00:15:36,960 --> 00:15:38,880 So it's a tricky subject. 226 00:15:38,880 --> 00:15:40,240 It's a very tricky subject. 227 00:15:40,800 --> 00:15:42,880 But at least it's something that we can try. 228 00:15:43,840 --> 00:15:44,560 I wouldn't mind. 229 00:15:45,120 --> 00:15:45,620 Yeah. 230 00:15:46,080 --> 00:15:48,720 If we can create that movement, that would be great. 231 00:15:49,840 --> 00:15:53,760 Why don't manufacturers want to share their technical data? 232 00:15:53,760 --> 00:15:54,260 Yeah. 233 00:15:55,360 --> 00:15:56,320 So why don't... 234 00:15:57,280 --> 00:15:59,840 The parallel is like this with the supermarket. 235 00:15:59,840 --> 00:16:03,600 If you go for the house brands, of course, they're not going to disclose where they are, 236 00:16:03,600 --> 00:16:06,000 where they're buying it from, because then you might say like, 237 00:16:06,000 --> 00:16:10,080 okay, well, you know, with a consumer collective, I could just also go to that factory, 238 00:16:10,720 --> 00:16:15,680 buy the same thing, get a big discount, just buy in volume and do that. 239 00:16:15,680 --> 00:16:18,240 So it's that same enchantment. 240 00:16:19,040 --> 00:16:23,280 Did you think that, okay, you know, I'm buying it from this factory or from this 241 00:16:23,280 --> 00:16:25,120 manufacturer with this factory and it's... 
242 00:16:26,080 --> 00:16:33,680 If you are basically pulling away the curtain, then it's like, okay, well, you know, I could also do that 243 00:16:33,680 --> 00:16:42,560 and maybe get a group of people together, like 100,000 or a million people together to just buy a device. 244 00:16:43,680 --> 00:16:46,400 I mean, of course, they're not going to disclose that. 245 00:16:47,200 --> 00:16:52,160 As soon as you start digging into the consumer electronics industry, things get interesting. 246 00:16:52,720 --> 00:16:54,960 Things like with how to get components. 247 00:16:55,840 --> 00:17:02,080 I think that one of your other beneficiaries of the NGI Zero grants, Andrew "bunnie" Huang, 248 00:17:02,960 --> 00:17:10,720 he made some very interesting videos about those subjects, about how the industry works, 249 00:17:10,720 --> 00:17:14,800 the consumer electronics industry in Shenzhen and China works, for example. 250 00:17:15,600 --> 00:17:16,880 Those are worth watching. 251 00:17:17,680 --> 00:17:21,200 And why are they worth watching so people know if they... 252 00:17:22,160 --> 00:17:27,680 Well, you know, yeah, so one of the stories that I heard was mostly about the gray markets, that 253 00:17:27,680 --> 00:17:35,280 unless you are buying components in bulk, like millions of components, you basically, the component 254 00:17:35,280 --> 00:17:36,880 factories will not even talk to you. 255 00:17:37,680 --> 00:17:44,240 And then you have to go to the gray market where quality could be anything from genuine components 256 00:17:44,240 --> 00:17:45,440 to complete rip-offs. 257 00:17:45,840 --> 00:17:46,800 You simply don't know. 258 00:17:47,840 --> 00:17:52,880 So I actually talked with one of my clients a few years back and I mentioned that and he said, 259 00:17:52,880 --> 00:17:58,960 yeah, I think we actually had some fake components at one point. 260 00:18:00,080 --> 00:18:05,600 And these were people making, I think, solar panels or solar something. 
261 00:18:06,320 --> 00:18:10,400 It's like stuff that goes into your house and then they're fake components. 262 00:18:10,400 --> 00:18:12,720 Luckily, they found out before, I think, they were shipped. 263 00:18:13,520 --> 00:18:15,840 But yeah, that's kind of scary. 264 00:18:15,840 --> 00:18:20,320 It's like you're going to a market to buy grain and you don't know what you're actually getting 265 00:18:20,320 --> 00:18:25,600 and then trying to turn that into a bread and you don't know what seeds you have. 266 00:18:26,560 --> 00:18:28,080 That is indeed very interesting. 267 00:18:28,880 --> 00:18:32,320 We'll put the links to the videos in the show notes. 268 00:18:33,200 --> 00:18:41,120 How do people find your data and maybe how can they add to it? 269 00:18:42,080 --> 00:18:49,040 So what the workflow for DeviceCode currently is, is that I regularly make dumps from the 270 00:18:50,960 --> 00:18:52,240 various wikis. 271 00:18:52,240 --> 00:18:56,480 So you can actually go to the website and then just create an export, which will create 272 00:18:57,680 --> 00:19:03,200 something like a 120 megabyte XML file, GZIP compressed. 273 00:19:04,160 --> 00:19:13,760 And then I process those and I make the data available in a, myself, in a different GitHub 274 00:19:13,760 --> 00:19:14,640 repository. 275 00:19:14,640 --> 00:19:16,480 So people don't have to do that themselves. 276 00:19:17,200 --> 00:19:23,120 How people can add to the data is I have a mechanism where you can add overlays, so-called 277 00:19:23,120 --> 00:19:27,840 overlays to the data, which will then automatically be applied when you're viewing the data. 278 00:19:28,800 --> 00:19:35,840 So the correct way to contribute to the data set would be to create overlays where you're 279 00:19:35,840 --> 00:19:39,280 overriding or adding data to the data set. 
280 00:19:40,720 --> 00:19:47,760 So you collect data that is gathered by other people and put in wikis, but then that raises 281 00:19:47,760 --> 00:19:53,840 the question, how do they get the data considering that manufacturers do not want to disclose it? 282 00:19:53,840 --> 00:19:56,720 Well, a lot of people like screwdrivers. 283 00:19:56,720 --> 00:20:03,200 So they're basically opening those devices, making pictures, investigating when they're 284 00:20:03,200 --> 00:20:08,240 for, for example, trying to work on alternative firmware for those devices. 285 00:20:08,880 --> 00:20:13,680 But a big source is also the FCC in the US. 286 00:20:14,240 --> 00:20:22,320 So for every device that has a radio, so either WiFi or radio or Bluetooth, ZigBee, you name it, 287 00:20:22,960 --> 00:20:29,440 every device that has a radio that's coming onto the US market has to be approved by the FCC. 288 00:20:30,560 --> 00:20:38,640 So companies have to send all kinds of documentation to the FCC, and that usually also includes 289 00:20:39,680 --> 00:20:47,600 things like pictures of the internals, the externals, and often also the user manuals. 290 00:20:48,240 --> 00:20:49,920 And those are published in PDF. 291 00:20:50,480 --> 00:20:54,560 So I download those and then I process those PDFs. 292 00:20:55,280 --> 00:20:56,960 So that's what I do. 293 00:20:56,960 --> 00:20:59,200 But a lot of the other people are also doing that. 294 00:20:59,200 --> 00:21:04,400 So they're basically going through all of the FCC listings, then see like, okay, well, 295 00:21:04,400 --> 00:21:08,160 this device contains that chip or whatever they can find on the pictures. 296 00:21:08,160 --> 00:21:09,360 And then they're documenting that. 297 00:21:10,160 --> 00:21:12,240 So it's a lot of manual labor. 298 00:21:12,240 --> 00:21:14,640 So it's a ton of manual labor. 299 00:21:14,640 --> 00:21:18,080 So I'm very happy that the other people are doing it so that I don't have to do it. 
300 00:21:18,080 --> 00:21:24,720 And I only have to reprocess their results, which in itself is also already a challenge. 301 00:21:25,440 --> 00:21:27,120 There's a lot of cruft. 302 00:21:27,120 --> 00:21:34,160 As soon as people start adding data to Wikis, invariably you get cruft there. 303 00:21:34,960 --> 00:21:39,360 People make mistakes or the Wiki doesn't fit their purpose. 304 00:21:39,360 --> 00:21:42,240 So it's like, okay, well, I really want to add this data. 305 00:21:42,240 --> 00:21:44,320 I'm just going to put it in this field. 306 00:21:45,120 --> 00:21:51,120 And then it will show up on the website just like I want, but it's not structured data then 307 00:21:51,120 --> 00:21:51,680 at that point. 308 00:21:52,560 --> 00:21:58,640 So there's a lot of parsing, a lot of brushing up the data. 309 00:22:00,720 --> 00:22:04,800 So fixing spelling mistakes, you name it. 310 00:22:04,800 --> 00:22:07,120 That's a lot of the work that I'm actually doing. 311 00:22:08,160 --> 00:22:13,360 Well, it's impressive that you're collecting it all. 312 00:22:14,320 --> 00:22:17,840 Well, it's mostly a lot of work. 313 00:22:18,480 --> 00:22:19,280 It's a lot of work. 314 00:22:19,840 --> 00:22:23,360 Technically, it's not very challenging, but it's just a lot of work. 315 00:22:24,560 --> 00:22:26,800 Noble then, that you're putting the effort in. 316 00:22:27,760 --> 00:22:32,240 Yeah, well, that would probably be a better description than impressive. 317 00:22:33,520 --> 00:22:37,120 Stubborn might also be a good description. 318 00:22:38,240 --> 00:22:43,760 Have you had feedback from other users, from manufacturers? 319 00:22:44,720 --> 00:22:47,600 Maybe about what you're doing. 320 00:22:48,720 --> 00:22:55,280 I might imagine that a manufacturer that shows up in your database might think, 321 00:22:56,880 --> 00:22:59,520 maybe I have to improve on some things. 322 00:23:00,480 --> 00:23:03,120 No, no, no feedback at all. 
323 00:23:03,920 --> 00:23:05,040 Also not from users? 324 00:23:05,680 --> 00:23:10,960 No, so it's for some reason that the people who are using my projects, 325 00:23:10,960 --> 00:23:12,880 they are using them silently, 326 00:23:12,880 --> 00:23:16,480 which is that also happens with my other open source projects. 327 00:23:17,040 --> 00:23:20,960 I know that people are using them, but they hardly give any feedback. 328 00:23:20,960 --> 00:23:23,040 Maybe it's because they're mostly in the legal realm. 329 00:23:24,480 --> 00:23:29,760 Should we make a general call that if you use Armijn's projects, then send him a ping? 330 00:23:30,960 --> 00:23:34,080 I think they will just silently ignore that. 331 00:23:36,560 --> 00:23:37,120 And that's fine. 332 00:23:37,120 --> 00:23:37,600 That's fine. 333 00:23:39,680 --> 00:23:42,320 Yeah, because it's about the results, right? 334 00:23:42,320 --> 00:23:43,440 That's why you're doing this. 335 00:23:44,880 --> 00:23:49,440 I'm also making the software mostly for myself, just because I find it interesting. 336 00:23:50,720 --> 00:23:57,120 And also to make things more secure, because that's a nice little bridge to VulnerableCode. 337 00:23:57,120 --> 00:24:05,680 Because you say that DeviceCode, the data collected there can feed into VulnerableCode, 338 00:24:06,960 --> 00:24:10,960 which is another project that is funded by NGI Zero. 339 00:24:11,600 --> 00:24:15,040 Can you tell a bit about how these projects work together? 340 00:24:16,080 --> 00:24:17,520 So how they will work together. 341 00:24:17,520 --> 00:24:23,360 Yes. So it basically comes back to what I said earlier, that if you have a certain device 342 00:24:24,000 --> 00:24:30,080 and you want to know if your device is close to another device that has a known vulnerability, 343 00:24:31,120 --> 00:24:34,720 then the end goal is that with DeviceCode you can do that. 
344 00:24:34,720 --> 00:24:40,480 And then as soon as you know the vulnerabilities or what software is running, 345 00:24:40,960 --> 00:24:46,560 on the device or on a similar device, then you can start querying VulnerableCode 346 00:24:46,560 --> 00:24:50,960 to see like, hey, is this stuff vulnerable? Do we have a known security bug? 347 00:24:51,840 --> 00:24:56,080 So it's basically another, and it's like an indirect way to look in, 348 00:24:56,880 --> 00:24:59,520 to see if your device is vulnerable. 349 00:25:00,400 --> 00:25:05,280 Because VulnerableCode is a database of vulnerable code. 350 00:25:06,080 --> 00:25:10,000 It's mostly about indexing vulnerabilities for software. 351 00:25:10,480 --> 00:25:11,920 Not so much the hardware side. 352 00:25:11,920 --> 00:25:15,440 So this basically is taking care of the hardware side to see 353 00:25:16,560 --> 00:25:23,760 is your device similar to a device that we know has vulnerable software on it? 354 00:25:24,640 --> 00:25:25,840 That would be the right description. 355 00:25:27,280 --> 00:25:31,040 Yeah, that's super interesting because like you said in the beginning, 356 00:25:31,040 --> 00:25:38,160 then you can cover a lot more ground finding the vulnerabilities in all the devices. 357 00:25:39,120 --> 00:25:40,000 That's the idea. 358 00:25:40,000 --> 00:25:40,500 Yeah. 359 00:25:41,200 --> 00:25:41,700 Nice. 360 00:25:42,960 --> 00:25:46,720 Tapping into this, I think it could better Right To Repair laws, 361 00:25:46,720 --> 00:25:51,840 change the situation where it's so hard to receive information about the device. 362 00:25:52,720 --> 00:25:57,280 And what information should be demanded from manufacturers? 363 00:26:00,320 --> 00:26:06,640 So I think that if you're looking at the legislation right now in the EU, 364 00:26:06,640 --> 00:26:11,840 I don't think that you really have to go through a very thorough 365 00:26:14,320 --> 00:26:16,640 checking process, just like with the FCC. 
366 00:26:17,600 --> 00:26:21,280 So I think that they only have to do something like the CE mark. 367 00:26:22,160 --> 00:26:23,440 And basically that's it. 368 00:26:23,440 --> 00:26:29,360 And I'm not even sure if the CE mark is self-certification or not. 369 00:26:30,320 --> 00:26:33,120 So I just don't know that much about certification. 370 00:26:33,520 --> 00:26:36,160 But something like that would already help. 371 00:26:36,160 --> 00:26:42,160 Like, okay, you know, whenever we get something that's put onto the EU market, 372 00:26:42,160 --> 00:26:47,760 we want to know, just like give us a Hardware Bill Of Materials or pictures from the inside. 373 00:26:47,760 --> 00:26:53,120 That would already help because right now you're basically getting like, 374 00:26:53,120 --> 00:26:54,160 hey, here's a device. 375 00:26:54,160 --> 00:26:55,360 It has a CE mark. 376 00:26:55,360 --> 00:26:55,860 That's it. 377 00:26:57,520 --> 00:26:59,920 And we don't mean the China Export mark, right? 378 00:27:00,400 --> 00:27:03,280 Isn't that a bit of a hoax? 379 00:27:04,080 --> 00:27:06,320 I thought that was a hoax. 380 00:27:07,680 --> 00:27:08,640 That was fake. 381 00:27:08,640 --> 00:27:10,640 At least that's what I read. 382 00:27:10,640 --> 00:27:13,760 But no, I'm just meant to show this CE mark. 383 00:27:14,560 --> 00:27:15,360 I don't think that... 384 00:27:16,640 --> 00:27:22,480 I think that there's a lot of stuff there that we could basically just copy from the US, 385 00:27:23,040 --> 00:27:26,080 like the requirements like the FCC has. 386 00:27:27,120 --> 00:27:28,800 That would already help quite a bit. 387 00:27:30,000 --> 00:27:36,720 I'm actually surprised hearing this, you know, that you can just basically sell a black box 388 00:27:36,720 --> 00:27:44,320 and are not, you know, forced to disclose what's in there, how to fix it, 389 00:27:46,160 --> 00:27:47,840 what software it runs. 
390 00:27:47,840 --> 00:27:51,120 And actually, if you think about it, it's quite absurd. 391 00:27:51,840 --> 00:27:52,320 It is. 392 00:27:52,400 --> 00:28:00,160 But there is also a logical conclusion, a direct logical conclusion from how the whole 393 00:28:00,160 --> 00:28:04,080 industry works and how consumers want to have really cheap stuff. 394 00:28:04,640 --> 00:28:09,600 So just to give a bit of an idea when a device is put onto the market, 395 00:28:11,680 --> 00:28:16,000 it's made in China, goes into boxes, goes onto a ship; with a bit of luck, 396 00:28:16,000 --> 00:28:17,920 it doesn't get shot in the Red Sea. 397 00:28:17,920 --> 00:28:24,720 And then it arrives in the Rotterdam Harbor 40 days later, and then it's unloaded and 398 00:28:24,720 --> 00:28:25,600 rushed to the shops. 399 00:28:26,640 --> 00:28:33,520 And a lot of the stuff in the consumer electronics market is basically winner takes all. 400 00:28:34,400 --> 00:28:41,760 So what you see is that very often during the Christmas season or Black Friday, you name it, 401 00:28:41,760 --> 00:28:46,320 there's new devices that are being announced, put into the shop. 402 00:28:46,960 --> 00:28:50,800 And what you very often see is that the manufacturers will have similar devices. 403 00:28:51,760 --> 00:28:54,800 A lot of the things is basically winner takes all. 404 00:28:54,800 --> 00:29:01,280 Most of the sales happen in the first one to three months that a device is on the shelf. 405 00:29:01,920 --> 00:29:08,000 And if you're basically a month later than your competition because you had to go through all of 406 00:29:08,000 --> 00:29:10,960 those checks, basically it means that you lost. 407 00:29:11,920 --> 00:29:21,920 So that is basically because we are addicted to very cheap devices. 408 00:29:22,800 --> 00:29:25,120 That is basically the logical conclusion. 409 00:29:25,120 --> 00:29:27,600 I mean, they have to take shortcuts somewhere. 410 00:29:28,800 --> 00:29:29,120 Yeah.
411 00:29:29,120 --> 00:29:36,560 So if we want to improve this industry, then consumers also have to really look at themselves 412 00:29:37,680 --> 00:29:40,560 and make some changes in their behavior. 413 00:29:41,440 --> 00:29:46,400 As with most of these problems, all players have to make changes. 414 00:29:48,400 --> 00:29:50,320 Some sacrifices will have to be made. 415 00:29:50,320 --> 00:29:52,720 Will people be willing to make them? 416 00:29:53,280 --> 00:29:53,840 I don't know. 417 00:29:54,640 --> 00:29:56,560 But as I said earlier, it's worth trying. 418 00:29:56,560 --> 00:29:57,840 Maybe we can pull it off. 419 00:29:57,840 --> 00:29:59,120 That would be fantastic. 420 00:30:02,080 --> 00:30:06,880 Like you say, a lot of it isn't even really known with people. 421 00:30:06,880 --> 00:30:13,040 So at least it helps a bit if you become aware that it works like this. 422 00:30:14,480 --> 00:30:19,120 But if you can buy components in bulk or create them in bulk and do the manufacturing here 423 00:30:19,760 --> 00:30:26,560 and just do it in some of the poorer parts of the EU where wages aren't that very high yet, 424 00:30:27,360 --> 00:30:34,240 then maybe we can match the price as we are currently paying in China. 425 00:30:35,200 --> 00:30:38,560 Or decide to pay a bit more and buy a bit less. 426 00:30:39,520 --> 00:30:43,600 Yeah, that's also a possibility. 427 00:30:43,600 --> 00:30:50,000 Not sure how the economics would work, but that's something that we probably will have to try out. 428 00:30:51,200 --> 00:30:53,680 How can we change this? 429 00:30:53,680 --> 00:30:54,320 How can we... 430 00:30:55,120 --> 00:30:59,040 Do we have to raise the public maybe? 431 00:30:59,600 --> 00:31:07,280 Or do we need legislation to change this? 432 00:31:08,640 --> 00:31:11,680 So I think that there's a multi-pronged approach here. 433 00:31:11,680 --> 00:31:14,960 I think that the first step would be more awareness.
434 00:31:14,960 --> 00:31:17,360 That's where DeviceCode could help. 435 00:31:18,000 --> 00:31:21,280 Just basically pulling back the curtain and then showing like, 436 00:31:21,280 --> 00:31:26,640 hey, the industry is working in a different way that people actually don't know about. 437 00:31:26,640 --> 00:31:27,440 That's one thing. 438 00:31:27,920 --> 00:31:36,480 Legislation, the things that I said, like having something similar to FCC 439 00:31:38,160 --> 00:31:41,280 and to disclose those documents, that would already help. 440 00:31:42,720 --> 00:31:46,400 So, but do we need specific legislation? 441 00:31:46,400 --> 00:31:47,280 Oh, gosh. 442 00:31:49,200 --> 00:31:50,320 It's a difficult subject. 443 00:31:52,400 --> 00:31:55,600 There are a few things that we could do fairly easily, but I could... 444 00:31:55,600 --> 00:31:59,120 Basically describe my ideal, if that would help. 445 00:31:59,120 --> 00:31:59,680 Yeah, sure. 446 00:31:59,680 --> 00:32:00,320 That would help. 447 00:32:01,840 --> 00:32:06,480 So my ideal would be that every device that's coming onto the market 448 00:32:07,120 --> 00:32:09,760 is basically sent to some sort of lab first. 449 00:32:10,640 --> 00:32:15,600 Ideally not a commercial lab, but just like some sort of government institution. 450 00:32:16,720 --> 00:32:20,240 And basically it's torn apart completely. 451 00:32:20,320 --> 00:32:23,680 And it's documented and it goes into some sort of central database 452 00:32:24,400 --> 00:32:28,480 where you're basically documenting everything about the device. 453 00:32:29,280 --> 00:32:32,800 Like Hardware Bill of Materials, you rip apart the firmware, 454 00:32:33,360 --> 00:32:38,560 and then you are doing continuous testing on the software and just keeping track of it. 455 00:32:39,360 --> 00:32:45,360 And it doesn't even have to be adversarial to the manufacturer where you're saying, 456 00:32:45,360 --> 00:32:46,640 oh, we're going to do this. 
457 00:32:47,360 --> 00:32:53,040 To the manufacturer where you're saying, oh, we're going to catch all of your security bugs 458 00:32:53,040 --> 00:32:54,800 and then we're going to punish you for it. 459 00:32:54,800 --> 00:32:57,840 It could be very much a cooperative effort. 460 00:32:57,840 --> 00:33:02,720 It's like, hey, we found a bug in your software, so maybe you want to fix that. 461 00:33:03,520 --> 00:33:07,120 Or not maybe you want to fix that, you want to fix this, or you have to fix this. 462 00:33:07,120 --> 00:33:08,160 Otherwise we'll fine you. 463 00:33:09,040 --> 00:33:11,120 And I know we're going back into punishing. 464 00:33:11,600 --> 00:33:16,720 But yeah, something like that would be my ideal, 465 00:33:17,360 --> 00:33:21,280 where everything that comes onto the EU market is basically checked. 466 00:33:22,560 --> 00:33:33,040 So Armijn, as Ronny also said, this season we really want to look into digital autonomy 467 00:33:33,040 --> 00:33:34,480 or digital sovereignty. 468 00:33:37,200 --> 00:33:40,880 Not only for nation states or something, but also for users, of course, 469 00:33:41,440 --> 00:33:45,760 that people have more influence over their own digital life. 470 00:33:46,720 --> 00:33:53,120 And one of the things that is a part of that is that you create things more locally, 471 00:33:53,120 --> 00:33:57,600 so that you're less dependent on global supply chains and stuff like that. 472 00:33:58,640 --> 00:34:05,840 If you, with your knowledge of the industry, if you had to think about 473 00:34:06,640 --> 00:34:13,200 how we could produce things more locally, what kind of steps would you take? 474 00:34:14,240 --> 00:34:20,160 So I basically foresee five steps. 475 00:34:20,160 --> 00:34:29,280 So first is that you are basically going to create the software locally. 
476 00:34:30,320 --> 00:34:33,840 And then after you've done that, you go to some ODM and say, 477 00:34:34,240 --> 00:34:39,200 make these particular devices for us and use our own software. 478 00:34:40,000 --> 00:34:44,320 This is already doable because there are companies doing this. 479 00:34:46,560 --> 00:34:52,000 I mean, that's not very complicated. 480 00:34:52,640 --> 00:34:59,600 That is something that you could basically do within six months, a year. 481 00:34:59,600 --> 00:35:02,720 They basically have some sort of open source firmware project and say, 482 00:35:02,720 --> 00:35:08,720 for a particular kind of device, saying, we're going to talk with the manufacturer 483 00:35:10,000 --> 00:35:13,360 to create devices for us with a certain specification, 484 00:35:13,920 --> 00:35:15,920 but we are going to provide the software. 485 00:35:15,920 --> 00:35:18,160 They already have the software parts covered. 486 00:35:19,200 --> 00:35:24,080 Then the next step is that you would be doing the manufacturing locally, 487 00:35:24,080 --> 00:35:26,400 where you're saying, hey, well, you know, we're going to, 488 00:35:27,040 --> 00:35:30,160 or not the manufacturing, but the assembly locally, 489 00:35:30,240 --> 00:35:36,560 where you're going to a manufacturer and say, we want you to create these PCBs, 490 00:35:36,560 --> 00:35:38,240 so the printed circuit boards. 491 00:35:39,520 --> 00:35:42,400 And then you're going to buy all of the components somewhere else. 492 00:35:42,400 --> 00:35:45,200 And then you're going to do the assembly locally in the EU. 493 00:35:46,240 --> 00:35:49,120 Then you already have a little bit more control, 494 00:35:49,120 --> 00:35:51,680 for example, over which components you buy and where. 495 00:35:53,520 --> 00:35:56,160 And then you can take that further and further. 
496 00:35:56,160 --> 00:35:59,600 You could go for the, you could go for the, 497 00:36:01,280 --> 00:36:05,440 to actually make the circuit boards in the EU as well. 498 00:36:05,440 --> 00:36:10,640 And then step by step, you basically go to replacing every single component 499 00:36:10,640 --> 00:36:12,880 with something that has been produced locally. 500 00:36:12,880 --> 00:36:18,240 One of the things that worries me a little bit is that if you are looking at the plans 501 00:36:18,960 --> 00:36:23,600 where politicians are going like, we need to have an EU chip industry, 502 00:36:23,600 --> 00:36:28,560 where they're really focusing on the major chips and the CPUs. 503 00:36:29,840 --> 00:36:32,960 But there's a lot more going on on a device. 504 00:36:32,960 --> 00:36:37,520 There are connectors, there are LEDs, there are capacitors, 505 00:36:39,440 --> 00:36:41,680 even screws, things like that. 506 00:36:41,680 --> 00:36:43,760 Are we actually thinking about those as well? 507 00:36:44,560 --> 00:36:50,400 So I fear that sometimes their focus is a little bit too narrow. 508 00:36:50,560 --> 00:36:54,320 But eventually what I think is we could already start with the software 509 00:36:55,040 --> 00:37:01,440 and then gradually we could basically move the whole industry back to the EU. 510 00:37:01,440 --> 00:37:02,560 It should be possible. 511 00:37:03,040 --> 00:37:07,520 So there are already quite a few companies that are doing assembly in the EU 512 00:37:07,520 --> 00:37:11,360 or who are producing PCBs in the EU. 513 00:37:12,000 --> 00:37:17,200 But the only thing that they're not doing is creating all of the individual components, 514 00:37:17,200 --> 00:37:19,200 like the chips, like the screws. 515 00:37:19,280 --> 00:37:24,800 So that would be basically the gold standard to do everything here.
516 00:37:25,520 --> 00:37:28,560 But there are many intermediate steps that we could already do 517 00:37:28,560 --> 00:37:30,800 and I think we can already do within a few years. 518 00:37:33,840 --> 00:37:40,560 And if we do all of that, what would that mean for the price points of the end product? 519 00:37:42,320 --> 00:37:44,320 It depends on how much you can scale. 520 00:37:45,920 --> 00:37:46,720 Yes, of course. 521 00:37:46,800 --> 00:37:49,360 Because these are economies of scale. 522 00:37:49,360 --> 00:37:53,120 So if you can produce a lot, then things will become cheaper. 523 00:37:54,320 --> 00:37:58,320 Yeah, and the same counts for producing the chips 524 00:37:59,200 --> 00:38:03,200 and all the other semiconductors that are needed for this. 525 00:38:04,320 --> 00:38:06,320 Yeah, it's all about scale. 526 00:38:07,840 --> 00:38:10,800 I heard you had a question, Tessel. 527 00:38:11,200 --> 00:38:14,960 I was thinking it's interesting what you said, Armijn. 528 00:38:16,720 --> 00:38:21,520 So the politicians are really looking at the most difficult chip they want to make here 529 00:38:21,520 --> 00:38:26,800 and you're actually proposing the opposite route to start with stuff 530 00:38:26,800 --> 00:38:30,800 that we can start basically with today, like writing our own software, 531 00:38:30,800 --> 00:38:32,800 which we're already doing today. 532 00:38:34,320 --> 00:38:36,320 So I think that's a good way to start. 533 00:38:36,480 --> 00:38:41,120 I think it's interesting, especially if 534 00:38:41,120 --> 00:38:44,640 you look at the amount of money 535 00:38:47,360 --> 00:38:54,880 that is made free for that bring our chips home. 536 00:38:54,880 --> 00:38:57,360 You could also put that kind of money and 537 00:38:57,360 --> 00:38:59,360 effort into a more grounds up approach 538 00:38:59,360 --> 00:39:07,600 that you propose. 539 00:39:07,600 --> 00:39:08,640 I find it interesting. 
540 00:39:09,600 --> 00:39:13,760 Yeah, so if you look at the chips industry, you will see that 541 00:39:15,520 --> 00:39:17,840 actually not everything is coming from China. 542 00:39:17,840 --> 00:39:23,120 So if you're looking at NAND chips, I think 80% is coming from South Korea. 543 00:39:23,760 --> 00:39:26,320 Hard disks were mostly coming from Thailand. 544 00:39:26,320 --> 00:39:27,440 LEDs from Japan. 545 00:39:28,080 --> 00:39:32,880 So it's not everything is coming from China, but there are a few companies that are making 546 00:39:34,560 --> 00:39:37,360 stuff that we need and they're also on the other side of the globe. 547 00:39:40,880 --> 00:39:44,240 I think it's a bit of a tougher challenge than people think, 548 00:39:44,240 --> 00:39:51,040 but we definitely could start from the grounds up and incrementally replace everything. 549 00:39:52,160 --> 00:39:52,960 Should be doable. 550 00:39:54,000 --> 00:39:55,520 Not easy, but it should be doable. 551 00:39:56,080 --> 00:40:00,800 And I really like that your project, DeviceCode, 552 00:40:01,520 --> 00:40:07,200 sort of it's for security, as you explained, but it's also to draw away this curtain 553 00:40:07,840 --> 00:40:13,440 and to show how the industry works so that we can get a better understanding of, 554 00:40:13,440 --> 00:40:19,040 well, if we want to change it, then, well, we have to understand how it works 555 00:40:19,040 --> 00:40:21,120 and DeviceCode really helps with it. 556 00:40:21,120 --> 00:40:23,360 So thank you for making that project. 557 00:40:23,360 --> 00:40:24,240 That's my goal. 558 00:40:24,480 --> 00:40:25,440 Thank you for funding. 559 00:40:28,640 --> 00:40:29,920 Yes, funding. 560 00:40:30,720 --> 00:40:35,680 We had to ask you, Armijn, how did NGI Zero funding help DeviceCode? 561 00:40:36,240 --> 00:40:44,000 Well, this is something that I would never be able to justify commercially, 562 00:40:44,880 --> 00:40:46,800 because there's simply no market for this. 
563 00:40:48,000 --> 00:40:50,240 I wouldn't want to say labor of love, but it's, 564 00:40:50,400 --> 00:40:54,720 it's pretty much a labor of love. 565 00:40:54,720 --> 00:40:59,120 So this is not something where you would say, like, hey, I'm just going to do this 566 00:40:59,120 --> 00:41:01,520 and try to sell this as a commercial service. 567 00:41:01,520 --> 00:41:02,480 It's not going to happen. 568 00:41:03,360 --> 00:41:06,000 So this is one of those things that are in the digital commons 569 00:41:06,560 --> 00:41:08,720 that people are not paying any attention to, 570 00:41:09,520 --> 00:41:13,440 and that no one would ever fund otherwise. 571 00:41:14,480 --> 00:41:17,520 Even though there is a lot of valuable information in there, 572 00:41:17,680 --> 00:41:20,240 it would not be otherwise, it would not be funded. 573 00:41:21,440 --> 00:41:25,120 So that's where the NGI Zero funding really helped. 574 00:41:26,080 --> 00:41:28,800 Yeah, it's really nice to hear that. 575 00:41:30,480 --> 00:41:35,360 And important to point it out that there are a lot of things needed in the world 576 00:41:35,360 --> 00:41:38,240 that will not be paid for by the market, 577 00:41:38,240 --> 00:41:45,760 and that we have to put our collective money to make sure it happens anyway. 578 00:41:46,720 --> 00:41:52,880 Yeah, and I mean, if public money would be made available, 579 00:41:52,880 --> 00:41:58,160 what should be the role of free and open source? 580 00:41:59,120 --> 00:42:04,320 Well, I think that if you would fund all of this stuff, 581 00:42:04,320 --> 00:42:08,960 then I think that free software should be front and center. 582 00:42:09,440 --> 00:42:12,640 Even though most, if you start looking into those devices, 583 00:42:12,800 --> 00:42:17,760 they are already almost all the software on it is open source anyway. 584 00:42:17,760 --> 00:42:23,520 A lot of this, a lot of the secret sauce is just a very tiny layer. 
585 00:42:23,520 --> 00:42:27,600 So if you start peeling everything back, 586 00:42:27,600 --> 00:42:30,480 then you will already see that with at least with a lot of devices, 587 00:42:30,480 --> 00:42:31,760 it's already open source. 588 00:42:32,480 --> 00:42:37,200 Whether or not the manufacturers are being license compliant is a second question. 589 00:42:37,200 --> 00:42:42,800 But, I mean, of course, you're going to have to do this as open source. 590 00:42:44,640 --> 00:42:47,760 I mean, I don't see any other way. 591 00:42:49,920 --> 00:42:51,280 Just to emphasize this point, 592 00:42:53,200 --> 00:42:58,000 because you have a lot of knowledge of what kind of software runs on these devices and stuff. 593 00:42:58,000 --> 00:43:03,680 And are you saying that, say, 90% of it is open source already? 594 00:43:04,240 --> 00:43:08,240 So it depends a little bit on what kind of devices you're talking about. 595 00:43:08,240 --> 00:43:10,240 In most cases, it's closer to 100%. 596 00:43:10,720 --> 00:43:14,000 And it's just the web UI that is a little bit different. 597 00:43:15,360 --> 00:43:19,440 But most of the devices, 90-95%. 598 00:43:19,440 --> 00:43:20,400 Yeah, easily. 599 00:43:21,120 --> 00:43:22,640 But then comes the second question. 600 00:43:23,600 --> 00:43:25,600 How much of that is updatable? 601 00:43:26,640 --> 00:43:30,160 Ooh, that actually is a good question. 602 00:43:30,320 --> 00:43:38,240 A few years ago, I looked into some sort of, I think it was an IP camera from China, 603 00:43:38,240 --> 00:43:40,640 where actually the software was burned in ROM. 604 00:43:40,640 --> 00:43:42,640 So it was not even updatable. 605 00:43:42,640 --> 00:43:44,080 And there were security bugs in it. 606 00:43:44,720 --> 00:43:46,400 I mean, that's just ridiculous.
607 00:43:47,520 --> 00:43:52,640 So you could not even, maybe you could update it if you would completely desolder the chip 608 00:43:52,640 --> 00:43:57,200 and then replace the chip or I don't know what, but it was madness. 609 00:43:57,760 --> 00:43:58,880 Complete madness. 610 00:44:00,240 --> 00:44:02,240 Not something the general public would do. 611 00:44:02,800 --> 00:44:06,480 Oh, no, not something that software engineers would do either. 612 00:44:07,440 --> 00:44:10,240 Did you have nightmares that night? 613 00:44:10,240 --> 00:44:16,720 Because I think knowing you Armijn, that you must have been so horrified when you saw that. 614 00:44:17,840 --> 00:44:20,560 Well, it was mostly my client's issue, so not mine. 615 00:44:21,600 --> 00:44:25,840 So no, I was not horrified, but more like, okay, I'm going to keep this in mind 616 00:44:25,840 --> 00:44:27,360 and not buy from that manufacturer. 617 00:44:28,320 --> 00:44:30,720 But move that camera away from your bedroom. 618 00:44:31,520 --> 00:44:34,240 Well, it was not, I actually didn't look at it physically. 619 00:44:34,240 --> 00:44:39,440 It's just that one of my clients sold it and they were being sued in Germany. 620 00:44:39,440 --> 00:44:44,720 Then I looked into it, it's like, oh, well, wait, this software cannot be updated 621 00:44:44,720 --> 00:44:48,240 to actually mitigate the whole issue. 622 00:44:50,080 --> 00:44:51,760 So yeah, fun, fun. 623 00:44:52,720 --> 00:44:56,400 I mean, but apart from software being in ROM, 624 00:44:57,120 --> 00:45:00,080 it could also be that there is no update process or... 625 00:45:02,000 --> 00:45:07,280 Yeah, I think that when we are talking about update processes, 626 00:45:08,720 --> 00:45:11,760 I think we could spend a few more podcasts on that. 627 00:45:13,120 --> 00:45:17,200 And this is not about that because we're talking today about DeviceCode. 628 00:45:17,840 --> 00:45:21,120 I think you're more now leaning to one of your other projects. 
629 00:45:22,400 --> 00:45:25,040 Possibly, so let's not go there today. 630 00:45:27,680 --> 00:45:35,040 So, Armijn, we think this was a really interesting conversation and you showed us 631 00:45:35,600 --> 00:45:43,760 quite some insights into how the manufacturing processes work and what's wrong with them, 632 00:45:43,760 --> 00:45:45,040 how we can improve them. 633 00:45:46,160 --> 00:45:48,320 So that was all very interesting. 634 00:45:48,320 --> 00:45:54,560 We want to thank you for creating DeviceCode as a project of love, as you called it. 635 00:45:55,360 --> 00:45:59,680 And also really want to thank you for being on this podcast with us. 636 00:46:00,320 --> 00:46:01,520 So thank you for being here. 637 00:46:02,240 --> 00:46:03,280 My pleasure. 638 00:46:03,280 --> 00:46:05,680 Yeah, and where can we share the love? 639 00:46:06,480 --> 00:46:08,560 Where can users share the love with you? 640 00:46:10,160 --> 00:46:13,840 So there are two GitHub repositories. 641 00:46:13,840 --> 00:46:16,080 So one of them is in my GitHub, which is... 642 00:46:17,040 --> 00:46:19,600 You just have to type in my username. 643 00:46:19,600 --> 00:46:23,040 Maybe we should just put a link in the show notes. 644 00:46:24,080 --> 00:46:30,800 And then, or you just type in Armijn GitHub DeviceCode in your favorite search engine. 645 00:46:30,800 --> 00:46:33,920 And then there's also another repository called DeviceCode Data, 646 00:46:33,920 --> 00:46:39,440 where you can get the pre-generated set of data 647 00:46:39,440 --> 00:46:41,680 and then you can start playing with the data immediately. 648 00:46:42,480 --> 00:46:43,280 Amazing. 649 00:46:43,280 --> 00:46:43,780 Yeah. 650 00:46:44,400 --> 00:46:45,120 Thank you so much.