[saurik]

The problem here is that the thing I am probing is something I own: the device in my house that I ostensibly purchased and am allowed to smash with a hammer or put in a blender for all anyone should care; the context is that the DMCA is often used by companies to claim that DRM on the device is there to protect copyrights--whether music the device had access to, even if it isn't the reason many or even most people buy the device (such as a smart fridge with a speaker in it and the option to log in to Spotify), or the firmware software itself--and that it is thereby illegal for me to distribute tools to help people access to repair (which is the key thing here: there actually are already some legal protections for the act of "probing", but you kind of have to do it alone which is insane) a device I own and where finding vulnerabilities should be about me and my trade-offs, not the wishes of a manufacturer.

[EricMausler]

I hate it too, but the heart of this is that ownership is under question.

People should not have agreed to buy things where there are parts of it they don't own that they don't even need, but they did. They did it a lot because it didn't matter to them and now those devices are prevalent everywhere and it's a PITA to try to buy the type of item you actually want - where you own it entirely.

Ownership has never actually been absolute. When you buy land you cannot tear it up and make it totally unusable. If you buy a home under an HOA you may have to keep it in a certain type of order.

Maybe what we need is a law that manufacturers always need to provide a "dumb" model of their products which can be completely owned by the consumer.

However, I was speaking from a stance of acceptance that the companies are maintaining ownership of some functionality of the devices. I was primarily thinking about the way it accesses company owned infrastructure (servers and the information on them) but it extends into a grey area on the devices themselves.

You should be allowed to reasonably tamper with the device, but you should also be attempting to communicate with the company about it. They shouldn't be allowed to retaliate against you for requesting to tamper, they should need to reply reasonably quickly, and the reasons for which they are allowed to deny you should be regulated so they cannot just deny for no reason.

I am saying we need to lean in to the situation we are in if we want actual results, and I think there is a lot of room to develop a reasonable legal framework on this subject that incorporates partial ownership.

It shouldn't be as restrictive as it is today, but it also shouldn't be a complete free for all. We should at least attempt to make an effort to control security vulnerability information so criminal behavior and innocent behavior actually looks different.

[ddingus]

>People should not have agreed to buy things where there are parts of it they don't own that they don't even need, but they did.

I own zero IoT devices for the exact reasons you gave.

Frankly, I would prefer to change that state of affairs. I would also prefer far less waste. Tons of these devices end up in the garbage too. That is unacceptable and surely not sustainable.

I am not OK with partial ownership, unless there are clear obligations attached to the other partial owner that have real teeth.

Fact is we have law for this case and that is the rental agreement. That is exactly what partial ownership is.

And when people are asked to value something they will be renting, everything changes. A big change is purchase price. That goes down.

What I see happening is IoT companies business model is priced as if ownership happens when it really doesn't. And that is not OK.

I also find putting that onto people disturbing because it was not the people who who made the choice to advertise a sale and then act as if it is a rental.

[eithed]

Out of curiosity - why should I be required to ask for permission from given company to probe company owned infrastructure?

What I mean here is that if there's a bug / vulnerability on given company infrastructure, then that company should fix it and not put on a blame on a user that was affected by it (even if device that communicates with given infrastructure always follows happy path)

[asmithmd1]

I try to get back to a real world analogy, think of a bank:

Can you try opening the public door off hours and discover it is locked? Yes, of course.

If the the public door is unlocked, can you now go inside the bank and start trying different combinations to open the safe? No, you will be arrested.

Anytime you move from probing a website with a browser to using other tools, your actions are subject to interpretation

[EricMausler]

You need permission because

1) the probing almost always involves breaking the terms of the contract you made with that company.

2) it creates a paper trail of intent

3) it's not your property so why wouldn't you need permission to access it?

I am not sure how permission effects a companies ability or obligation to fix security bugs. I agree they should fix it.

We can make the law that not only does the company approve of the request but they have to disclose to you additional information that can help you find bugs. Idk, point is I'm advocating for creating a system where researchers work with the company rather than as vigilantes