Domain: consumeraffairs.com
Stories and comments across the archive that link to consumeraffairs.com.
Stories · 12
-
Tesla Cars Keep More Data Than You Think (cnbc.com)
Tesla vehicles sent to the junk yard after a crash carry much more data than you'd think. According to CNBC, citing two security researchers, "Computers on Tesla vehicles keep everything that drivers have voluntarily stored on their cars, plus tons of other information generated by the vehicles including video, location and navigational data showing exactly what happened leading up to a crash." From the report: One researcher, who calls himself GreenTheOnly, describes himself as a "white hat hacker" and a Tesla enthusiast who drives a Model X. He has extracted this kind of data from the computers in a salvaged Tesla Model S, Model X and two Model 3 vehicles, while also making tens of thousands of dollars cashing in on Tesla bug bounties in recent years. Many other cars download and store data from users, particularly information from paired cellphones, such as contact information.
But the researchers' findings highlight how Tesla is full of contradictions on privacy and cybersecurity. On one hand, Tesla holds car-generated data closely, and has fought customers in court to refrain from giving up vehicle data. Owners must purchase $995 cables and download a software kit from Tesla to get limited information out of their cars via "event data recorders" there, should they need this for legal, insurance or other reasons. At the same time, crashed Teslas that are sent to salvage can yield unencrypted and personally revealing data to anyone who takes possession of the car's computer and knows how to extract it. The contrast raises questions about whether Tesla has clearly defined goals for data security, and who its existing rules are meant to protect. A Tesla spokesperson said in a statement to CNBC: "Tesla already offers options that customers can use to protect personal data stored on their car, including a factory reset option for deleting personal data and restoring customized settings to factory defaults, and a Valet Mode for hiding personal data (among other functions) when giving their keys to a valet. That said, we are always committed to finding and improving upon the right balance between technical vehicle needs and the privacy of our customers."
The report serves as a reminder for Tesla owners to factory reset their cars before handing them off to a junk yard or other reseller because that other party may not reset your car for you. "Tesla sometimes uses an automotive auction company called Manheim to inspect, recondition and sell used cars," reports CNBC. "A former Manheim employee, who asked to remain anonymous, confirmed that employees do not wipe the cars' computers with a factory reset."
The researchers were able to obtain "phonebooks' worth of contact information from drivers or passengers who had paired their devices, and calendar entries with descriptions of planned appointments, and e-mail addresses of those invited." The data also showed the drivers' last 73 navigation locations, as well as crash-related information. The Model 3 that one of the researchers bought for research purposes contained a video showing the car speeding out of the right lane into the trees off the left side of a dark two-lane route. "GPS and other vehicle data reveals that the accident happened in Orleans, Massachusetts, on Namequoit Road, at 11:15 pm on Aug 11, and was severe enough that airbags deployed," the report adds. -
Americans Support Mandatory Labeling of Food That Contains DNA
HughPickens.com writes Jennifer Abel writes at the LA Times that according to a recent survey (PDF), over 80% of Americans say they support "mandatory labels on foods containing DNA," roughly the same number that support the mandatory labeling of GMO foods "produced with genetic engineering." Ilya Somin, writing about the survey at the Washington Post, suggested that a mandatory label for foods containing DNA might sound like this: "WARNING: This product contains deoxyribonucleic acid (DNA). The Surgeon General has determined that DNA is linked to a variety of diseases in both animals and humans. In some configurations, it is a risk factor for cancer and heart disease. Pregnant women are at very high risk of passing on DNA to their children."
The report echoes a well-known joke/prank wherein people discuss the dangers of the chemical "dihydrogen monoxide," also known as hydrogen oxide and hydrogen hydroxide. Search online for information about dihydrogen monoxide, and you'll find a long list of scary-sounding and absolutely true warnings about it: the nuclear power industry uses enormous quantities of it every year. Dihydrogen monoxide is used in the production of many highly toxic pesticides, and chemical weapons banned by the Geneva Conventions. Dihydrogen monoxide is found in all tumors removed from cancer patients, and is guaranteed fatal to humans in large quantities, and even small quantities can kill you if it enters your respiratory system. In 2006, in Louisville, Kentucky, David Karem, executive director of the Waterfront Development Corporation, a public body that operates Waterfront Park, wished to deter bathers from using a large public fountain. "Counting on a lack of understanding about water's chemical makeup," he arranged for signs reading: "DANGER! – WATER CONTAINS HIGH LEVELS OF HYDROGEN – KEEP OUT" to be posted on the fountain at public expense. -
American Airlines Grounds Flights
Sez Zero writes "The Federal Aviation Administration said American Airlines requested a halt to hundreds of its U.S. flights on Tuesday as it works to resolve a reservation system problem. American Airlines explained on their Twitter feed they had a problem accessing their reservation system. Bad day to be on the AA ops team." -
United Makes Plans to Drop 'Baggage Neutrality'
theodp writes "If you need a clue as to how creative ISP execs might get in the absence of network neutrality, look no further than United Airlines CEO Glenn Tilton, who is wowing Wall Street with his willingness to examine new ways to wring money out of the carrier, including making economy passengers pay a fee unless they want their luggage to come last off the plane." Now I think when I was like gold ultimate handjob elite years ago my bags had tags that usually made them come out first, but this seems just kinda crappy. I mean, remember when you got a meal on airplanes? No wonder people hate to fly. -
Dell Laptops Still Exploding
bl8n8r writes "It 'looked like fireworks, which would have been cool had it not been in my house,' said Doug Brown of Columbus, Ohio. Brown, a network administrator, called 911 last week when the Dell 9200 laptop burst into flames in his house. Emergency response units included two pumpers, a ladder truck, a bamalance, the HAZMAT unit, and a battalion chief. When Doug phoned Dell to inquire about liability, he was asked if he had insurance. It's not clear if Doug's laptop is one of the earlier models recalled by Dell; a Macbook is cited in the article for allegedly burning down a house in Australia as well as another instance of a suspect Dell laptop burning out a pickup truck in Nevada. If the burning battery issues are going to continue to be a problem, who's going to be responsible for losses? Insurance companies, laptop makers, battery vendors, and consumer negligence could presumably be cited in all cases." -
Comcast Cuts Off Users Who Exceed Secret Limit
ConsumerAffairs.com has an article up spotlighting Comcast's tendency to cut off heavy Internet users without defining in its AUP exactly what the bandwidth limit is. Frank Carreiro of West Jordan, Utah, got cut off by the mystery limit and started a 'Comcast Broadband dispute' blog. -
How Private Are Sites' Membership Lists?
Slashdot contributor Bennett Haselton has written an essay on a subtle privacy issue affecting many websites (including Slashdot!). He says "Suppose your girlfriend called up Match.com and said, "I think my boyfriend might be cheating on me. His e-mail address is joeblow - at - aol - dot - com. Can you tell me if he's a member?" And Match.com phone support told her, "Why, yes, he is a member. You'd better have a talk with him." After you had gotten over the guilt of getting caught -- I mean, the guilt of cheating -- would you not feel like Match.com had violated your privacy by telling a third party that you were a member?" Keep reading to see what he's getting at and to decide if and when it's a problem. Something like this is actually possible with quite a few well-known sites -- given a person's e-mail address, it is possible to find out if they have an account with Match.com, PayPal, Netflix, eBay, Amazon, and Google (and, by the way, Slashdot [CT: We'd fix it if I thought it mattered]). For some of those sites, it may even be possible to take a long list of e-mail addresses and use an automated process to find out which of those addresses have accounts with those sites (something I didn't want to risk trying myself, but as a general rule, if you can do it once, you can do it many times, at least if you do it slowly enough). It does not enable the attacker to extract addresses from a site's membership rolls, which is a much more serious type of breach -- in this case, the attacker would have to already know a list of e-mail addresses, and would only be able to find out which of those addresses have accounts with a given service. And it definitely wouldn't enable an attacker to extract more sensitive information like passwords or personal data. But the ability to get a yes/no answer for whether an e-mail address belongs to a member of a given site should be something that the site designer takes into account.
I'm not even saying that it should necessarily be considered a security hole in most cases, just that it should be something that the site designers decide whether or not they want to permit it -- not something that was left in the open accidentally. Representatives from PayPal and Netflix assured me that they knew about the possibility of this attack and had countermeasures to detect it. In the case of Match.com, on the other hand, I would argue it looks like an oversight. For other sites, whether it's a security hole or not depends on your point of view.
There are three main causes for concern with this issue. The first is simple privacy -- for a site like Match.com, a person may not want other people to be able to find out that they're a member. The second is the possibility of making phishing attacks easier. If a phisher sends spam to a huge number of recipients, hoping to trick them into entering their login details on a counterfeit site, then generally their success rate would be proportional to the number of recipients who are members of that site (of which a certain percentage will be duped into entering their login info), but the speed at which the phishing site is shut down would be proportional to the total number of recipients (since any recipient would carry the same likelihood of reporting the phishing site to an ISP and helping to get it shut down). So if the phisher could find out which addresses on their list belong to actual members of a given site, and send mail to just those people, they could get more successful attacks in proportion to the number of e-mails sent. This is especially true of "puddle phishing" attacks, where only a small percentage of recipients are likely to be members of the site being phished. The third possibility is that the data could be valuable to spammers wanting to advertise a competing site -- a spammer advertising a dating site, for example, could get more bang for their buck by advertising only to Match.com members. (Maybe even try a hybrid spam-with-just-a-hint-of-phish -- spam that says "Rejected a lot on Match.com?" to make the user think at first that the e-mail really is from Match.com, but then steer them towards a competitor.)
With a build-up like this, the attack is disappointingly simple. (In fact, I listed the possible consequences of the attack first, because otherwise the attack itself is too easy to dismiss.) If you haven't already guessed at least one of these methods, the three easy ways to find out if an e-mail address is associated with an account at a given site, are:
- Try to create a new account with that e-mail address. See if you get an error message saying the address is already associated with an account.
- Log in under an existing account, and try to switch to another e-mail address. See if you get an error message saying the address is already associated with an account.
- Use the forgot-your-password feature to request a password be sent to a given e-mail address. See if you get an error message saying that address is not associated with an account.
With most popular sites that I tested, at least one of the above methods fails, but at least one other method succeeds. On Netflix, for example, the forgot-your-password form requires you to enter a last name and a credit card number, so that form can't be used to find out who is a member. On the new member signup page, though, you can enter an e-mail address and be told whether that e-mail address already belongs to a member. With Match.com, on the other hand, I already mentioned the weakness in the password-reset form, but if I tried to sign up for a new account but I didn't correctly pass the Turing test (reading numbers off a graphic and entering them in a text field), Match.com wouldn't tell me if the e-mail address was associated with an existing account. So that form could not be used to sift through 100,000 addresses and find which ones were Match.com members, but it could be used to find out if an individual person was a subscriber.
There are at least two simple countermeasures to this type of attack. The first is to require a Turing test when a user creates a new account, requests a password reset, or changes their e-mail address on file, and make sure that if the Turing test isn't completed correctly, then no error message is displayed about whether a given e-mail address does or does not exist in the system. This makes it hard for attackers to sift through a mountain of e-mail addresses finding out which ones already belong to accounts, but it still enables someone to check if someone is a member, one person at a time. For sites where that would be a privacy concern (again I'm thinking of Match.com), the other solution is better: send an error message to the e-mail address entered, not displayed to the user in their browser. If you try to sign up as joeblow@aol.com, and that address is already associated with an account, then display the normal message telling the user to check their inbox for confirmation -- but then send them a message saying their address is already in the system. eBay, for example, gets this right on their "forgot your userid" page -- if you enter an e-mail address not associated with an eBay account, it simply says, "eBay just sent your User ID to joeblow@aol.com. Check your email to get your User ID." (On the other hand, eBay's new user signup page lets you check if an e-mail address is assigned to an existing member, without needing to pass a Turing test.)
Netflix, eBay and PayPal also responded to say that they had monitors in place to detect "suspicious" activity, saying that even in cases where the forms did not require a Turing test, they could dynamically detect if someone were using a script to submit the form over and over to harvest data, but they declined to go into more detail. It seems to me this could work for forms that require you to be logged-in, but not for forms that don't. For example, on the Netflix new user page, how would they detect if it's the same person submitting e-mail addresses over and over again? Not by IP address -- you can use Tor and farms of open proxies scattered across the Internet to make it appear as if you're coming from lots of different IP addresses. However, consider the PayPal add-a-new-email-address form. This form does not require a Turing test, and does give you an error message if you try to add an address associated with another account. At first I thought this might be a loophole that an attacker could use to find all the PayPal users in a long list of addresses, but PayPal told me that if you do this enough times under the same account, eventually you will hit a limit where the form starts requiring a Turing test. I never got high enough to hit that limit. However, in this case the "dynamic detection" could actually work -- because you can only perform this action while logged in, and after you hit the limit, to continue testing more addresses would require another PayPal account -- and creating additional throwaway PayPal accounts does require a Turing test for each one. So I'll take their word for it that that attack is blocked, although, it seems to me it would be easier just to require a Turing test on the add-a-new-address page.
On the other hand, perhaps in the case of a site like Netflix, it's not something that users really need to worry about, if the company has no problem with it. Big deal, an attacker can find out whether you're a Netflix user -- but that's not a huge privacy violation, it's not like I shamefully hide those red envelopes under my shirt while I'm scurrying back from the mailbox. Now, a spammer can take a list of addresses and run them through the form to find out who is a Netflix customer, and then spam those users trying to lure them to a competing service -- but that's Netflix's problem, not ours, isn't it? (Well, it's our problem that we get the spam. But without using this attack, the alternative was that the spammer was just going to spam everybody on their list anyway, so by that argument, this attack actually results in less spam all around!)
Except... perhaps an attacker could try the third type of attack, a phishing attack to get people's Netflix usernames and passwords, but not in order to compromise their Netflix account, rather to see if the person has an account with the same password at eBay or PayPal. Perhaps a user would be wary of a PayPal phish since they see so many of them, but they might fall for a Netflix one -- although then the attacker's success would be limited to people who had Netflix and PayPal accounts, and were using the same password for them both...
So it seems to me it's not obvious when this should be considered a problem. (All of the sites mentioned in this article were e-mailed about this issue months ago, and so far none of them considered it a serious enough threat to block all three of the avenues of attack listed above.) If abuse of this type becomes common, perhaps eventually these "queryable membership lists" will come to be considered in the same way as open mail relays -- which were never considered a glaring security hole, but were abused in ways that triggered a shift in people's thinking that got them to be gradually phased out, going from open relays being the default standard up to the early 90's, to the point where many ISPs today prohibit customers from running them. Maybe "queryable membership lists" will start to be abused more, if anti-spam technologies get smart enough that spammers can't send 1 million messages at a time any more and have to limit themselves to, say, 100,000 messages at a time to get through people's filters, so they have to pick which 100,000 of their addresses they could get the most value out of. Or maybe things will go in a completely different direction and this will never become a problem. I just think that, for now, we should be aware that some form of this trick works on the majority of sites that require an account, and the types of abuses described are at least possible.
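The two countermeasures the essay describes (a Turing test checked before any lookup, and a uniform on-screen message with the distinguishing notice sent to the mailbox instead) as an added example in Python; this is not code from the essay or from any of the sites named, the user store and mailer are constructed stand-ins, and `leaks_membership` is a hypothetical self-check a site operator could run against their own form handlers.

```python
import secrets
from dataclasses import dataclass, field

# Constructed toy account store keyed by e-mail address (assumption: not any real site's data).
USERS = {"joeblow@aol.com": {"user_id": "joeblow42"}}

UNIFORM_SIGNUP_MSG = "Check your inbox for a message to confirm your account."
UNIFORM_RESET_MSG = "If that address has an account, a reset link has been sent to it."
CAPTCHA_MSG = "Please complete the verification and try again."


@dataclass
class Outbox:
    """Stand-in for the site's mailer; records what would have been e-mailed."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append((to, subject, body))


def leaky_signup(email: str, outbox: Outbox) -> str:
    """The enumerable pattern the essay describes: the browser message itself
    reveals whether the address already belongs to a member."""
    if email in USERS:
        return "That e-mail address is already associated with an account."
    outbox.send(email, "Confirm your account", "token=" + secrets.token_urlsafe(16))
    return UNIFORM_SIGNUP_MSG


def hardened_signup(email: str, outbox: Outbox) -> str:
    """Second countermeasure: identical on-screen text either way; the
    'already registered' notice goes to the mailbox, where only its owner sees it."""
    if email in USERS:
        outbox.send(email, "You already have an account",
                    "Someone tried to sign up with this address; use 'forgot password' to log in.")
    else:
        outbox.send(email, "Confirm your account", "token=" + secrets.token_urlsafe(16))
    return UNIFORM_SIGNUP_MSG


def hardened_password_reset(email: str, captcha_passed: bool, outbox: Outbox) -> str:
    """Both countermeasures: the Turing-test gate is evaluated before any lookup,
    so a failed CAPTCHA yields no existence information, and a passed one still
    yields a uniform message. (A production handler should also queue the mail
    asynchronously so that response time does not leak the same bit.)"""
    if not captcha_passed:
        return CAPTCHA_MSG
    if email in USERS:
        outbox.send(email, "Password reset", "reset token: " + secrets.token_urlsafe(16))
    # Non-members get no mail: mailing unregistered addresses would turn the form into a spam relay.
    return UNIFORM_RESET_MSG


def leaks_membership(handler, member: str = "joeblow@aol.com") -> bool:
    """Hypothetical defender's self-check for a form handler: True if the
    on-screen response differs between a known member and a fresh non-member."""
    stranger = f"nobody-{secrets.token_hex(4)}@example.invalid"
    return handler(member) != handler(stranger)


if __name__ == "__main__":
    box = Outbox()
    print("leaky signup enumerable:", leaks_membership(lambda e: leaky_signup(e, box)))
    print("hardened signup enumerable:", leaks_membership(lambda e: hardened_signup(e, box)))
    print("hardened reset enumerable:",
          leaks_membership(lambda e: hardened_password_reset(e, True, box)))
```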
-
Slashback: SGI, Exploding Dell, Gizmo
Slashback tonight brings some clarifications, and updates to previous Slashdot stories including: the possibility of selling OpenGL to save SGI, a denial from Dell that it knew of the overheating battery problem, an update on the Skype competitor Gizmo, and a response from the Chinese folks that reverse-engineered the Skype protocol. Read on for details. SGI's McKenna Considers sale of OpenGL. delire writes "The Computer Business Review has an article on McKenna's strategies to salvage the flailing SGI from bankruptcy ... one of which may include selling assets like OpenGL. As Gnome developer Christian Schaller aptly put it, 'I hope this gets picked up by a friendly entity, especially if there are some patents still attached to OpenGL.'"
Dell Denies It Knew of Overheating Battery Problem. Billosaur writes "A report from ConsumerAffairs.com states that according to inside information, Dell knew about the overheating problem in its laptop batteries for years. According to the report, an unnamed insider 'leaked scores of documents to CRN, a computer industry publication, that indicated Dell knew of a dangerous battery malfunction for two years before a shocking video of an exploding laptop forced the company to recall batteries for about 22,000 laptops.' This on top of Dell's warning about lower than expected second quarter profits may cause the company some problems on Wall Street."
Gizmo: free VoIP to landlines in 60 countries. KrispyGlider writes "The more-standards-compliant Skype competitor Gizmo has launched a promotion in a bid to rapidly grow its userbase: free VoIP-to-landline calls to 60 countries, and even to mobiles in many countries. There aren't too many onerous catches to the deal. Gizmo was previously covered in a Slashdot article from 2005 where it was noted that the Gizmo network has interoperability with other SIP networks, unlike Skype. However, the new version, 2.0, also has the ability to directly log in to open-source Asterisk VoIP servers, so you don't even have to use Gizmo's VoIP network any more."
When is it Okay to Reverse Engineer? Charlie Paglee writes "Last week Slashdot covered a story about a team of engineers in China reverse engineering Skype. Reaction on Slashdot was largely negative and raised many questions: Just when is it okay to reverse engineer and then innovate? The Chinese team issued a statement clarifying their actions: 'The domain of P2P innovation is limitless. We are very honored to work side by side Skype to promote P2P technologies in the VOIP industry. Our team is composed of the most talented P2P engineers in the world. We are working day and night to build a superior quality P2P network.'" -
Orbitz Sharing Customer Credit Card Information
tstorm writes "ConsumerAffairs.com has a warning about Orbitz and their affiliation with a company called MWI. Apparently numerous people who have booked travel through Orbitz are finding unauthorized $9.95 monthly charges on their credit card bills from MWI for membership in a 'discount entertainment service,' despite the fact that MWI doesn't appear to provide any actual product or service. It's also very difficult to opt out of this membership; some people have gotten refunds for what they were already charged only to have another charge appear the following month." -
FTC Settles With Texas Based Spammer
fermion writes "The FTC has settled with the Austin, Texas-based company, ClickForMail.Com, Inc, on a charge of deceptive trade practices. The FTC charges that ClickForMail promised a preapproved credit card through AllPreApproved.com but failed to deliver the product. We all have heard that such spam and schemes can be very profitable, but do we ever believe a large number of people will fall for it? In this case, thousands took the bait. The victims allowed AllPreApproved.com to deduct $49.95 from their bank accounts. In return the victims received not a credit card, but a list of hyperlinks which could be used to get credit cards." (Read on for more.) "As is usual, the settlement does not assign blame. The FTC made ClickForMail pay $815,000 and promise not to lie about its services in the future. Apparently ClickForMail is not prohibited from sending out future UCE. This investigation is part of an FTC task force which is filing actions against 45 companies. One of the scams is an update of the eternal scholarship con. If anyone gets spam from Texas, or if you live in Texas, make sure to use the new Texas Spam Law. Individuals can sue for $10 per UCE, up to $25,000 a day."
-
AOL Settles Class Action Suit Over Client Software
An anonymous reader sent in news that AOL is settling a class action suit over their AOL 5.0 software, which usurped people's dial-up networking settings when installed. There's a website for the suit and a news article about the settlement. Of course, you have to admit you use AOL.