Uncovering the hidden patterns of the consumer electronics industry - DeviceCode

Welcome to the NGI Zero podcast where we talk to the people who are building the next generation

internet.

I'm Ronny Lam.

And I'm Tessel Renzenbrink.

We're both from NLnet, a foundation which supports people who are working on free and

open internet.

For season two of this podcast, we will be focusing on digital sovereignty through free

and open source technologies.

Our guest today is Armijn Hemel.

He is the owner of Tjaldur Software Governance Solutions and a technical expert in licensed

compliance engineering.

He has worked on many projects, some of which have received NGI Zero funding, but the one

we will be talking about today is DeviceCode, a project that provides structured technical

information about consumer devices.

Welcome, Armijn, and thank you for joining us.

My pleasure to be here.

We have three question devised to get to know who you are.

And the first one is, who is the cooler robot?

Marvin the Paranoid Android or R2D2?

Ah Bender from Futurama, obviously.

I'm not surprised you're going for the third option.

Which license is better?

The GNU General Public License or the MIT license?

That really depends on your point of view and what you're trying to achieve.

They both have their place.

Pick your favorite operating system, NixOS or Fedora?

I really don't care as long as it gets the job done.

So for me, it really is just a tool.

I'm not really attached to one or the other.

So as long as it gets the job done, I'm happy.

For me, computers are just a tool to get stuff done.

I'm happy for your very diplomatic answers.

I've been working with lawyers for a long time.

So that's something that I picked up fairly quickly.

Let's go to your project.

Can you tell us something about DeviceCode?

So DeviceCode is basically a project to index all kinds of information that other people

on the internet have crowdsourced.

It's basically information about what is inside consumer electronics devices such as routers,

wireless network, things, IP cameras, tablets, you name it.

So that information is basically locked away in all kinds of wikis that people have been

creating for quite a long time.

But the biggest problem is that they are...

So all the information is...

How should I say that?

It's spread across quite a few different wikis.

It's not easy to search.

They are all suffering from errors, human input errors.

And so I'm basically trying to consolidate that information and making it easier to unlock.

So luckily, all of the information on those wikis are either public domain or under Creative

Commons.

So the licenses allow me to do that.

So basically, it's aggregating information from wikis, from various wikis with information

about consumer electronics devices, consolidating the information and then providing some sort

of search interface for it.

So that's the technical part of it.

The motivation is different.

Because yeah, exactly.

That was what I was going to ask.

Why?

Why do we need it?

So I think that a lot of people are completely unaware of how the consumer electronics industry

works.

So they are thinking that when they buy a device from a certain manufacturer, that there

is a factory with people wearing factory suits with the name of the manufacturer on there,

making only those devices.

But that's not how it works.

Basically a lot of the stuff that you're seeing here in the shops is made in some factory,

either in China or increasingly Vietnam.

And where the only thing that is happening is that a label is put on there and a different

casing and a different package.

And basically, that's it.

The core of the devices is usually shared with other devices from other manufacturers.

So what companies do is they basically contract a so-called original design manufacturer or

ODM to say like, hey, make this device for us.

And the brands that you see here, they don't have a lot of influence on what actually is

installed on the devices.

So a lot of the people who are, when you go into a shop and you think like, I'm going

to buy this device from this very reputable brand and I'm not going to buy it from that

other brand because I don't trust them.

Usually what you're seeing is like, well, no, it could very well be that those devices

are exactly the same or very similar.

And you're basically just enchanted.

You're being tricked by marketing.

Because a lot of the devices are basically the same.

So one funny story is when I was in Taiwan, I visited an ODM there and I saw basically

boxes of different companies that I know were competitors next to each other.

And they said, yeah, it's all the same device, just a different casing.

They're all made here or actually in the factory in China, but they were all made by the Taiwanese

company.

Is DeviceCode about hardware, software or both?

So it's a little bit of both.

I'm basically trying to index as much information as possible, but the focus is mostly about

hardware.

So what chips are being used, which manufacturers are involved.

But if there is software information available, such as from a boot log, then of course I'm

going to parse the boot log and see like, hey, this is what I can discover.

Like, hey, it's this version of Busybox, this version of IP tables, this version of the

kernel built with this particular SDK and so on.

Because then I can start comparing devices and see which ones are similar.

And if I know if they are similar, then I can maybe reason about those devices.

If I then know like, hey, device A has a CVE associated with it, which ones are fairly

similar to device A?

So I can then also see it like, well, perhaps that would be a good candidate to test as

well for the presence of that CVE.

Yes.

So can you go a little bit further into that?

That it has a lot to do with security, that you want to delve up all this information?

Well, so one of the biggest gripes I have with the system is that CVEs are very much

focused on single devices and single manufacturers.

So they're saying like, device A from vendor X is vulnerable, but it doesn't take into

account that the device might be similar to another device.

So people are basically going like, oh, but I don't have that device from that vendor.

I have a different device from a different vendor, not understanding that it is the same

device.

So they get some sort of false sense of security.

So that's one of the reasons why I wanted to do this, just to uncover the hidden patterns

that are present in the consumer electronics industry to see, hey, if we know that one

device is vulnerable and we can find out which ones are coming from the same factory with

the same software, then we can also say the other devices are also vulnerable and should

be fixed.

So in the context of CRA, that could be quite important.

CRA?

So the Cyber Resilience Act, it's from the European Union, that is some law, some legislation

I must say, that should hopefully improve the security of all kinds of devices that

are coming onto the EU markets.

So one very prominent reason for you to do this is security.

Are there also other reasons, maybe for people who want to fix things themselves or?

Of course, I enjoy digging into data.

So that's also a motivation to see, hey, how are we being tricked into buying a certain

device when you can also get the same device somewhere else from a different manufacturer?

That is also fun.

But I also like to see, how should I say this?

I think that for people who want to tinker, it could also be quite important to see if

they want to buy a certain device.

That is also an angle for replacement firmwares to see if a device can actually run a certain

replacement firmware.

That could also be fun.

But yeah, my main focus still is security.

But there are other reasons why other people would want to use this.

And of course, I don't know.

So that's the fun thing about it.

You don't know how other people will use it.

This season will be about digital sovereignty.

How can DeviceCode help with digital sovereignty?

Well, so of course, one thing that you can see is that with DeviceCode, you can uncover

all of these hidden patterns about how devices are made.

As soon as you understand how the consumer electronics industry works, then you could

feel tricked.

But you can also say, OK, well, but this is something that we can do as well.

I mean, it is not that complicated.

So if you look into the industry, what happens usually now is that a company here goes to

some company in Taiwan, China, Vietnam, and says, I want that device that you have in

your catalog in blue.

That's basically how it's done, at least by some companies.

Then there are other companies and projects that are saying, well, we want to have a certain

device with certain specifications.

And by the way, here is the software.

So the OpenWrt project recently did this with the OpenWrt One.

They I'm not sure if they designed a board themselves or not, but at least they provided

the complete software.

And then the companies in China are basically only manufacturing the boards.

And you can take this a lot, lot further than you could say, well, you know, just only give

us the boards and then we will solder their components onto it, or we're going to do everything

ourselves and all of the great degradations in between.

Because it's I mean, it will be a challenge to scale and to make it very cheap.

But technically, it's not impossible.

There are quite a few companies that are already showing that it can be done.

So when I think that digital sovereignty is I mean, COVID really showed that we are quite

vulnerable to that.

And the current geopolitical situation is also not very encouraging.

It should actually make us wonder maybe we should do a little bit more here in the EU

when it comes to manufacturing.

That would indeed be wise.

Well, there are a few other things that you can think about.

So environmental impact, worker rights, software security, all that.

Just discovering backdoors or preventing backdoors.

There are many reasons why you should consider doing this.

Can you expand a little on the labor rights and environmental impact?

Why should we want to produce more locally to improve those two things?

I mean, there are parts of the EU where there's still quite a bit of poverty and people

actually could use a job.

So that could be a good reason as well.

Get some more of those jobs back.

Isn't it also maybe that here in the EU, we have workers rights and that one of the

consequences of that is that if you keep those workers rights, like paying people fairly,

for instance, then your product will be more expensive.

And then we have workers rights, but then we import stuff from other countries where

they have less workers rights.

And so we circumvent our own workers rights by still not wanting to pay for it.

Is that also not a reason to?

Yeah, but then you would have to decide, do you want to pay more for a device or less?

What do you care more about?

And I guess that's an individual choice.

I wouldn't mind paying a little bit more, but other people might

want to say, no, I want to have things cheap.

You have to understand that things have become really, really cheap in the past few decades.

At least when it comes to consumer electronics, they've become ridiculously cheap.

And of course, you could do something like that in the EU as well, but you will have to

scale your industries a lot.

You really have to produce at scale.

Otherwise, you can never be as cheap as when

things are coming from China.

But even there, it's funny to see that China is becoming too expensive as well.

So now their factories are moving to Vietnam and Cambodia and all that.

So it's interesting to see.

There is a parallel to the clothing industry, isn't it?

Yes.

Yeah.

Clothes used to be fairly expensive.

Now they are basically the whole fast fashion thing.

Clothing has become so ridiculously cheap.

And then you think, well, something is going horribly wrong.

Yeah.

We see that there is also a change in the fashion industry where people choose for,

well, responsible clothing.

So then you could go for responsible hardware.

I would be all for it.

I mean, if you think about it, do we really need to have new routers every few years?

New IP cameras, maybe?

I don't know.

Maybe you just want to get good updates so that they stay secure.

Yeah.

On the other hand, I do know that innovation is driven by market demands.

So it's a tricky subject.

It's a very tricky subject.

But at least it's something that we can try.

I wouldn't mind.

Yeah.

If we can create that movement, that would be great.

Why don't manufacturers want to share their technical data?

Yeah.

So why don't...

The parallel is like this with the supermarket.

If you go for the house brands, of course, they're not going to disclose where they are,

where they're buying it from, because then you might say like,

okay, well, you know, with a consumer collective, I could just also go to that factory,

buy the same thing, get a big discount, just buy in volume and do that.

So it's that same enchantment.

Did you think that, okay, you know, I'm buying it from this factory or from this

manufacturer with this factory and it's...

If you are basically pulling away the curtain, then it's like, okay, well, you know, I could also do that

and maybe get a group of people together, like 100,000 or a million people together to just buy a device.

I mean, of course, they're not going to disclose that.

As soon as you start digging into the consumer electronics industry, things get interesting.

Things like with how to get components.

I think that one of your other beneficiaries of the NGI Zero grants, Andrew "bunnie" Huang,

he made some very interesting videos about those subjects, about how the industry works,

the consumer electronics industry in Shenzhen and China works, for example.

Those are worth watching.

And why are they worth watching so people know if they...

Well, you know, yeah, so one of the stories that I heard was mostly about the gray markets, that

unless you are buying components in bulk, like millions of components, you basically, the component

factories will not even talk to you.

And then you have to go to the gray market where quality could be anything from genuine components

to complete rip-offs.

You simply don't know.

So I actually talked with one of my clients a few years back and I mentioned that and he said,

yeah, I think we actually had some fake components at one point.

And these were people making, I think, solar panels or solar something.

It's like stuff that goes into your house and then they're fake components.

Luckily, they found out before, I think, they were shipped.

But yeah, that's kind of scary.

It's like you're going to a market to buy grain and you don't know what you're actually getting

and then trying to turn that into a bread and you don't know what seeds you have.

That is indeed very interesting.

We'll put the links to the videos in the show notes.

How do people find your data and maybe how can they add to it?

So what the workflow for DeviceCode currently is, is that I regularly make dumps from the

various wikis.

So you can actually go to the website and then just create an export, which will create

something like a 120 megabyte XML file, GZIP compressed.

And then I process those and I make the data available in a, myself, in a different GitHub

repository.

So people don't have to do that themselves.

How people can add to the data is I have a mechanism where you can add overlays, so-called

overlays to the data, which will then automatically be applied when you're viewing the data.

So the correct way to contribute to the data set would be to create overlays where you're

overriding or adding data to the data set.

So you collect data that is gathered by other people and put in wikis, but then that raises

the question, how do they get the data considering that manufacturers do not want to disclose it?

Well, a lot of people like screwdrivers.

So they're basically opening those devices, making pictures, investigating when they're

for, for example, trying to work on alternative firmware for those devices.

But a big source is also the FCC in the US.

So for every device that has a radio, so either WiFi or radio or Bluetooth, ZigBee, you name it,

every device that has a radio that's coming onto the US market has to be approved by the FCC.

So companies have to send all kinds of documentation to the FCC, and that usually also includes

things like pictures of the internals, the externals, and often also the user manuals.

And those are published in PDF.

So I download those and then I process those PDFs.

So that's what I do.

But a lot of the other people are also doing that.

So they're basically going through all of the FCC listings, then see like, okay, well,

this device contains that chip or whatever they can find on the pictures.

And then they're documenting that.

So it's a lot of manual labor.

So it's a ton of manual labor.

So I'm very happy that the other people are doing it so that I don't have to do it.

And I only have to reprocess their results, which in itself is also already a challenge.

There's a lot of cruft.

As soon as people start adding data to Wikis, invariably you get cruft there.

People make mistakes or the Wiki doesn't fit their purpose.

So it's like, okay, well, I really want to add this data.

I'm just going to put it in this field.

And then it will show up on the website just like I want, but it's not structured data then

at that point.

So there's a lot of parsing, a lot of brushing up the data.

So fixing spelling mistakes, you name it.

That's a lot of the work that I'm actually doing.

Well, it's impressive that you're collecting it all.

Well, it's mostly a lot of work.

It's a lot of work.

Technically, it's not very challenging, but it's just a lot of work.

Noble then, that you're putting the effort in.

Yeah, well, that would probably be a better description than impressive.

Stubborn might also be a good description.

Have you had feedback from other users, from manufacturers?

Maybe about what you're doing.

I might imagine that a manufacturer that shows up in your database might think,

maybe I have to improve on some things.

No, no, no feedback at all.

Also not from users?

No, so it's for some reason that the people who are using my projects,

they are using them silently,

which is that also happens with my other open source projects.

I know that people are using them, but they hardly give any feedback.

Maybe it's because they're mostly in the legal realm.

Should we make a general call that if you use armijn's projects, then send him a ping?

I think they will just silently ignore that.

And that's fine.

That's fine.

Yeah, because it's about the results, right?

That's why you're doing this.

I'm also making the software mostly for myself, just because I find it interesting.

And also to make things more secure, because that's a nice little bridge to VulnerableCode.

Because you say that DeviceCode, the data collected there can feed into VulnerableCode,

which is another project that is funded by NGI Zero.

Can you tell a bit about how these projects work together?

So how they will work together.

Yes. So it basically comes back to what I said earlier, that if you have a certain device

and you want to know if your device is close to another device that has a known vulnerability,

then the end goal is that with DeviceCode you can do that.

And then as soon as you know the vulnerabilities or what software is running,

on the device or on a similar device, then you can start querying VulnerableCode

to see like, hey, is this stuff vulnerable? Do we have a known security bug?

So it's basically another, and it's like an indirect way to look in,

to see if your device is vulnerable.

Because VulnerableCode is a database of vulnerable code.

It's mostly about indexing vulnerabilities for software.

Not so much the hardware side.

So this basically is taking care of the hardware side to see

is your device similar to a device that we know has vulnerable software on it?

That would be the right description.

Yeah, that's super interesting because like you said in the beginning,

then you can cover a lot more ground finding the vulnerabilities in all the devices.

That's the idea.

Yeah.

Nice.

Tapping into this, I think it could better Right To Repair laws,

change the situation where it's so hard to receive information about the device.

And what information should be demanded from manufacturers?

So I think that if you're looking at the legislation right now in the EU,

I don't think that you really have to go through a very thorough

checking process, just like with the FCC.

So I think that they only have to do something like the CE mark.

And basically that's it.

And I'm not even sure if the CE mark is self-certification or not.

So I just don't know that much about certification.

But something like that would already help.

Like, okay, you know, whenever we get something that's put onto the EU market,

we want to know, just like give us a Hardware Bill Of Materials or pictures from the inside.

That would already help because right now you're basically getting like,

hey, here's a device.

It has a CE mark.

That's it.

And we don't mean the China Export mark, right?

Isn't that a bit of a hoax?

I thought that was a hoax.

That was fake.

At least that's what I read.

But no, I'm just meant to show this CE mark.

I don't think that...

I think that there's a lot of stuff there that we could basically just copy from the US,

like the requirements like the FCC has.

That would already help quite a bit.

I'm actually surprised hearing this, you know, that you can just basically sell a black box

and are not, you know, forced to disclose what's in there, how to fix it,

what software it runs.

And actually, if you think about it, it's quite absurd.

It is.

But there is also a logical conclusion, a direct logical conclusion from how the whole

industry works and how consumers want to have really cheap stuff.

So just to give a bit of an idea when a device is put onto the market,

it's made in China, goes into boxes, goes onto a ship with a bit of luck.

It doesn't get shot in the Red Sea.

And then it arrives in the Rotterdam Harbor 40 days later, and then it's unloaded and

rushed to the shops.

And a lot of the stuff in the consumer electronics market is basically winner takes all.

So what you see is that very often during the Christmas season or Black Friday, you name it,

there's new devices that are being announced, put into the shop.

And what you very often see is that the manufacturers will have similar devices.

A lot of the things is basically winner takes all.

Most of the sales happen in the first one to three months that a device is on the shelf.

And if you're basically a month later than your competition because you had to go through all of

those checks, basically it means that you lost.

So that is basically because we are addicted to very cheap devices.

That is basically the logical conclusion.

I mean, they have to take shortcuts somewhere.

Yeah.

So if we want to improve this industry, then consumers also have to really look at themselves

and make some changes in their behavior.

As with most of these problems, all players have to have to make changes.

Some sacrifices will have to be made.

Will people be willing to make them?

I don't know.

But as I said earlier, it's worth trying.

Maybe we can pull it off.

That would be fantastic.

Like you say, a lot of it isn't even really known with people.

So at least it helps a bit if you become aware that it works like this.

But if you can buy components in bulk or create them in bulk and do the manufacturing here

and just do it in some of the poorer parts of the EU where wages aren't that very high yet,

then maybe we can match the price as we are currently paying in China.

Or decide to pay a bit more and buy a bit less.

Yeah, that's also a possibility.

Not sure how the economics would work, but that's something that we probably will have to try out.

How can we change this?

How can we...

Do we have to raise the public maybe?

Or do we need legislation to change this?

So I think that there's a multi-pronged approach here.

I think that the first step would be more awareness.

That's where DeviceCode could help.

Just basically pulling back the curtain and then showing like,

hey, the industry is working in a different way that people actually don't know about.

That's one thing.

Legislation, the things that I said, like having something similar to FCC

and to disclose those documents, that would already help.

So, but do we need specific legislation?

Oh, gosh.

It's a difficult subject.

There are a few things that we could do fairly easily, but I could...

Basically describe my ideal, if that would help.

Yeah, sure.

That would help.

So my ideal would be that every device that's coming onto the market

is basically sent to some sort of lab first.

Ideally not a commercial lab, but just like some sort of government institution.

And basically it's torn apart completely.

And it's documented and it goes into some sort of central database

where you're basically documenting everything about the device.

Like Hardware Bill of Materials, you rip apart the firmware,

and then you are doing continuous testing on the software and just keeping track of it.

And it doesn't even have to be adversarial to the manufacturer where you're saying,

oh, we're going to do this.

To the manufacturer where you're saying, oh, we're going to catch all of your security bugs

and then we're going to punish you for it.

It could be very much a cooperative effort.

It's like, hey, we found a bug in your software, so maybe you want to fix that.

Or not maybe you want to fix that, you want to fix this, or you have to fix this.

Otherwise we'll fine you.

And I know we're going back into punishing.

But yeah, something like that would be my ideal,

where everything that comes onto the EU market is basically checked.

So Armijn, as Ronny also said, this season we really want to look into digital autonomy

or digital sovereignty.

Not only for nation states or something, but also for users, of course,

that people have more influence over their own digital life.

And one of the things that is a part of that is that you create things more locally,

so that you're less dependent on global supply chains and stuff like that.

If you, with your knowledge of the industry, if you had to think about

how we could produce things more locally, what kind of steps would you take?

So I basically foresee five steps.

So first is that you are basically going to create the software locally.

And then after you've done that, you go to some ODM and say,

make these particular devices for us and use our own software.

This is already doable because there are companies doing this.

I mean, that's not very complicated.

That is something that you could basically do within six months, a year.

They basically have some sort of open source firmware project and say,

for a particular kind of device, saying, we're going to talk with the manufacturer

to create devices for us with a certain specification,

but we are going to provide the software.

They already have the software parts covered.

Then the next step is that you would be doing the manufacturing locally,

where you're saying, hey, well, you know, we're going to,

or not the manufacturing, but the assembly locally,

where you're going to a manufacturer and say, we want you to create these PCBs,

so the printed circuit boards.

And then you're going to buy all of the components somewhere else.

And then you're going to do the assembly locally in the EU.

Then you already have a little bit more control,

for example, over which components you buy and where.

And then you can take that further and further.

You could go for the, you could go for the,

to actually make the circuit boards in the EU as well.

And then step by step, you basically go to replacing every single component

with something that has been produced locally.

One of the things that worries me a little bit is that if you are looking at the plans

where politicians are going like, we need to have a EU chip industry,

where they're really focusing on the major chips and the CPUs.

But there's a lot more going on on a device.

There are connectors, there are LEDs, there are capacitors,

even screws, things like that.

Are we actually thinking about those as well?

So I fear that sometimes their focus is a little bit too narrow.

But eventually what I think is we could already start with the software

and then gradually we could basically move the whole industry back to the EU.

It should be possible.

So there are already quite a few companies that are doing assembly in the EU

or who are producing PCBs in the EU.

But the only thing that they're not doing is creating all of the individual components,

like the chips, like the screws.

So that would be basically the gold standard to do everything here.

But there are many intermediate steps that we could already do

and I think we can already do within a few years.

And if we do all of that, what would that mean for the price points of the end product?

It depends on how much you can scale.

Yes, of course.

Because these are economies of scale.

So if you can produce a lot, then things will become cheaper.

Yeah, and the same counts for producing the chips

and all the other semiconductors that are needed for this.

Yeah, it's all about scale.

I heard you had a question, Tessel.

I was thinking it's interesting what you said, Armijn.

So the politicians are really looking at the most difficult chip they want to make here

and you're actually proposing the opposite route to start with stuff

that we can start basically with today, like writing our own software,

which we're already doing today.

So I think that's a good way to start.

I think it's interesting, especially if

you look at the amount of money

that is made free for that bring our chips home.

You could also put that kind of money and

effort into a more grounds up approach

that you propose.

I find it interesting.

Yeah, so if you look at the chips industry, you will see that

actually not everything is coming from China.

So if you're looking at NAND chips, I think 80% is coming from South Korea.

Hard disks were mostly coming from Thailand.

LEDs from Japan.

So it's not everything is coming from China, but there are a few companies that are making

stuff that we need and they're also on the other side of the globe.

I think it's a bit of a tougher challenge than people think,

but we definitely could start from the grounds up and incrementally replace everything.

Should be doable.

Not easy, but it should be doable.

And I really like that your project, DeviceCode,

sort of it's for security, as you explained, but it's also to draw away this curtain

and to show how the industry works so that we can get a better understanding of,

well, if we want to change it, then, well, we have to understand how it works

and DeviceCode really helps with it.

So thank you for making that project.

That's my goal.

Thank you for funding.

Yes, funding.

We had to ask you, Armijn, how did NGI Zero funding help DeviceCode?

Well, this is something that I would never be able to justify commercially,

because there's simply no market for this.

I wouldn't want to say labor of love, but it's,

it's pretty much a labor of love.

So this is not something where you would say, like, hey, I'm just going to do this

and try to sell this as a commercial service.

It's not going to happen.

So this is one of those things that are in the digital commons

that people are not paying any attention to,

and that no one would ever fund otherwise.

Even though there is a lot of valuable information in there,

it would not be otherwise, it would not be funded.

So that's where the NGI Zero funding really helped.

Yeah, it's really nice to hear that.

And important to point it out that there are a lot of things needed in the world

that will not be paid for by the market,

and that we have to put our collective money to make sure it happens anyway.

Yeah, and I mean, if public money would be made available,

what should be the role of free and open source?

Well, I think that if you would fund all of this stuff,

then I think that free software should be front and center.

Even though most, if you start looking into those devices,

they are already almost all the software on it is open source anyway.

A lot of this, a lot of the secret sauce is just a very tiny layer.

So if you start peeling everything back,

then you will already see that with at least with a lot of devices,

it's already open source.

Whether or not the manufacturers are being licensed compliant is a second question.

But, I mean, of course, you're going to have to do this as open source.

I mean, I don't see any other way.

Just to emphasize this point,

because you have a lot of knowledge of what kind of software runs on these devices and stuff.

And are you saying that, say, 90% of it is open source already?

So it depends a little bit on what kind of devices you're talking about.

In most cases, it's closer to 100%.

And it's just the web UI that is a little bit different.

But most of the devices, 90-95%.

Yeah, easily.

But then comes the second question.

How much of that is updatable?

Ooh, that actually is a good question.

A few years ago, I looked into some sort of, I think it was an IP camera from China,

where actually the software was burned in ROM.

So it was not even updatable.

And there were security bugs in it.

I mean, that's just ridiculous.

So you could not even, maybe you could update it if you would completely desolder the chip

and then replace the chip or I don't know what, but it was madness.

Complete madness.

Not something the general public would do.

Oh, no, not something that software engineers would do either.

Did you have nightmares that night?

Because I think knowing you Armijn, that you must have been so horrified when you saw that.

Well, it was mostly my client's issue, so not mine.

So no, I was not horrified, but more like, okay, I'm going to keep this in mind

and not buy from that manufacturer.

But move that camera away from your bedroom.

Well, it was not, I actually didn't look at it physically.

It's just that one of my clients sold it and they were being sued in Germany.

Then I looked into it, it's like, oh, well, wait, this software cannot be updated

to actually mitigate the whole issue.

So yeah, fun, fun.

I mean, but apart from software being in ROM,

it could also be that there is no update process or...

Yeah, I think that when we are talking about update processes,

I think we could spend a few more podcasts on that.

And this is not about that because we're talking today about DeviceCode.

I think you're more now leaning to one of your other projects.

Possibly, so let's not go there today.

So, Armijn, we think this was a really interesting conversation and you showed us

quite some insights into how the manufacturing processes work and what's wrong with them,

how we can improve them.

So that was all very interesting.

We want to thank you for creating DeviceCode as a project of love, as you called it.

And also really want to thank you for being on this podcast with us.

So thank you for being here.

My pleasure.

Yeah, and where can we share the love?

Where can users share the love with you?

So there are two GitHub repositories.

So one of them is in my GitHub, which is...

You just have to type in my username.

Maybe we should just put a link in the show notes.

And then, or you just type in Armijn GitHub DeviceCode in your favorite search engine.

And then there's also another repository called DeviceCode Data,

where you can get the pre-generated set of data

and then you can start playing with the data immediately.

Amazing.

Yeah.

Thank you so much.