Slashdot Mirror


Judge Rules In Favor of Volkswagen and Silences Scientist

sl4shd0rk writes "Samsung-is-not-as-cool-as-Apple Judge Colin Birss, rules in favor of Volkswagon to ban Flavio Garcia, a computer scientist, from revealing details about 'Wirelessly Lockpicking a Vehicle Immobiliser' at USENIX in August. Volkswagen says the flaw could allow someone to 'break the security and steal a car' so it is justifiable grounds for blocking Flavio's paper. No word yet on how soon Volkswagen will have a patch."

254 comments

  1. If hacking is outlawed by i kan reed · · Score: 5, Insightful

    Only outlaws will have hackers, or something. It really doesn't work that way, but the protection of rich people's cars will only be temporary.

    1. Re:If hacking is outlawed by Steve_Ussler · · Score: 1

      Very true!

    2. Re:If hacking is outlawed by Anonymous Coward · · Score: 0, Interesting

      You're looking for: "If hacking is outlawed only outlaws will BE hackers" It works.

    3. Re:If hacking is outlawed by Anonymous Coward · · Score: 0

      You mean "If hacking is outlawed only hackers will drive Volkswagens".

    4. Re:If hacking is outlawed by Anonymous Coward · · Score: 0

      Rich people? You're a complete moron.

    5. Re:If hacking is outlawed by gigaherz · · Score: 1

      No, no, no... the summary clearly says:

      [...] rules in favor of Volkswagon [...]

      That'd be: "If hacking is outlawed only hackers will drive Volkswagons".

    6. Re:If hacking is outlawed by JoeSchmoe999 · · Score: 2

      From TFA: "...Volkswagen's parent company, which owns the Porsche, Audi, Bentley and Lamborghini brands ", if those are not "rich peoples cars" then I'm not sure what is.

      --
      You have enemies? Good. That means you've stood up for something, sometime in your life.
    7. Re:If hacking is outlawed by lgw · · Score: 1

      Plus, you know, Volkswagen, the original "people's car". If those are cars for "just plain folk" then I'm not sure what is.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    8. Re:If hacking is outlawed by lisaparratt · · Score: 2

      Not to mention Skoda and Seat, both selling cars aimed at the cheaper end.

    9. Re:If hacking is outlawed by Anonymous Coward · · Score: 0

      Plus, you know, Volkswagen, the original "people's car". If those are cars for "just plain folk" then I'm not sure what is.

      But Volkswagens don't use the same security system. Volkswagen is just the parent company. It only affects their top of the line luxury brands.

    10. Re:If hacking is outlawed by interkin3tic · · Score: 2

      I suspect that the rich people's cars were safer anyway. You probably can't take a Bentley to a chop shop, and the police probably ONLY really investigate stolen cars that are worth significantly more than my 2006 toyota.

    11. Re:If hacking is outlawed by FatdogHaiku · · Score: 1

      You're looking for: "If hacking is outlawed only outlaws will BE hackers" It works.

      Damn, I was hoping for "If hacking is outlawed only outlaws will be HACKED"...

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    12. Re:If hacking is outlawed by mjwx · · Score: 1

      Only outlaws will have hackers, or something. It really doesn't work that way, but the protection of rich people's cars will only be imaginary.

      Fixed that for you,

      This is security through obscurity in its purest form. Silencing this scientist has only alerted criminals that there is a flaw in the lock.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    13. Re:If hacking is outlawed by mjwx · · Score: 1

      From TFA: "...Volkswagen's parent company, which owns the Porsche, Audi, Bentley and Lamborghini brands ", if those are not "rich peoples cars" then I'm not sure what is.

      Volkswagen's parent company is called Volkswagen Auto Group or "VAG", and I can't for the life of me figure out why they haven't released a car called the "Ina".

      Also, whilst VW may not be the car for rich people, it is the car for people who like to pretend they're rich.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    14. Re:If hacking is outlawed by TheGratefulNet · · Score: 1

      Also, whilst VW may not be the car for rich people, it is the car for people who like to pretend they're rich.

      what are you smoking??

      VW (at least in the US) is a 'commoner' car. nothing snooty or elite about any vw other than the very high-end model, which is never seen in the US, anyway.

      bmw and merc - those are cars for the yuppies to appear 'rich' in, even though they are crap cars, these days.

      but no one drives a VW to 'appear' anything. they are basic simple cars and have no snob appeal at all. not sure where you are from (uk, maybe, since you used 'whilst') but in the US, vw really is a 'folks car'. and the use of VAG is unknown to all but enthusiasts. it's not part of the car's name or branding or logo.

      --
      "It is now safe to switch off your computer."
    15. Re:If hacking is outlawed by mjwx · · Score: 2

      VW (at least in the US) is a 'commoner' car. nothing snooty or elite about any vw other than the very high-end model, which is never seen in the US, anyway.

      As I said, it's the car for those who like to pretend they're rich. The kind of people who can't afford to be "BMW Pricks". They buy a Golf R or GTI and pretend.

      bmw and merc

      These are people I call "BMW Pricks". People who buy a 320i and uppity when their 10 second car is passed by a Mazda 3.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    16. Re:If hacking is outlawed by guyniraxn · · Score: 1

      I have to agree. Whenever I hear anyone talk about VW, it's always in the context of how superior it is. Most often, it's the old diesel vs hybrid argument, as in "Why would you pay a bajillion dollars for a hybrid when you can get better mileage for $20k with a VW diesel?!?!?! Top Gear, rabblerabblerabble!"

    17. Re:If hacking is outlawed by fuzzybunny · · Score: 1

      Actually the whole idea behind Volkswagen was that it was "der Volkswagen", or "the people's car", i.e. the original beetle. It was the Nazis' plan to provide a car to everyone who saved 5 Reichsmark per week but in the end, only 630 were built before and during WWII and went to either Nazi functionaries or the German armed forces. Also known as the "KdF-Wagen", for "Kraft durch Freude", the Nazi fun-and-games social program.

      Hardly a people's car.

      --
      Cole's Law: Thinly sliced cabbage
    18. Re:If hacking is outlawed by bleh-of-the-huns · · Score: 2

      I do not drive a VW, and when I did, all I talked about were the damn recalls, electrical problems, and the 8 times my windows fell into the door exploding into a billion pieces due to crappy plastic gearing.

      The fact that the diesel gets much better mileage than the hybrids is not something someone argues to sound superior. It is a valid fact, and why would you spend $5k to $10k more on a hybrid which gets worse mileage. If you argue the environmental impact, I will counter with the fact that new diesel engines are much cleaner, and the manufacturing process for the battery components in the hybrids is extremely toxic, so you are just shifting the environmental impact from daily driving to manufacturing.

      --
      I came, I conquered, I coredumped
    19. Re:If hacking is outlawed by bleh-of-the-huns · · Score: 1

      If by 10 seconds, you mean the time it takes them to get to 60, then sure, if you mean 10 seconds as in the time it takes to do a quarter mile run, you are a moron, as other than a highly modified M3 (stock M3 does the quarter mile at around 12 to 13 seconds if driven right). There is no Mazda 3 that can do that, not even a Mazdaspeed 3, which is quite a bit more than a regular 3, and comes with the ricer stigma, cannot even do that.

      I also do not drive a BMW, I do however drive a AMG C63, which stock does the quarter mile in a hair over 12 seconds.

      --
      I came, I conquered, I coredumped
    20. Re:If hacking is outlawed by supercrisp · · Score: 1

      I have to disagree, the VW, since the 80s in the US, has been a yuppy car. The marketing pushed it that way. This is very much not the case in Germany and Austria. There it's just transportation and the Audi is the solid family brand. But that's not the case in the US. Don't know about outside those other nations in Western Europe, where they have the imitations offered by Skoda and Seat and such. Of course VW's not as upscale as the BMW or a Mercedes. But, yeah, the VW still has for many the image of its driver wearing the Izod with a sweater around his neck.

    21. Re:If hacking is outlawed by guyniraxn · · Score: 1

      Don't buy a hybrid that is $5k-$10k more than a comparable car. This is the hyperbole I alluded to. The Honda hybrids are all less than $2k more than the same non-hybrid versions. And if cost is such a factor, why is the higher cost of diesel not counted?

    22. Re:If hacking is outlawed by Anonymous Coward · · Score: 0

      Also, whilst VW may not be the car for rich people, it is the car for people who like to pretend they're rich.

      what are you smoking??

      VW (at least in the US) is a 'commoner' car. nothing snooty or elite about any vw other than the very high-end model, which is never seen in the US, anyway.

      bmw and merc - those are cars for the yuppies to appear 'rich' in, even though they are crap cars, these days.

      but no one drives a VW to 'appear' anything. they are basic simple cars and have no snob appeal at all. not sure where you are from (uk, maybe, since you used 'whilst') but in the US, vw really is a 'folks car'. and the use of VAG is unknown to all but enthusiasts. it's not part of the car's name or branding or logo.

      Sorry to burst your bubble, but even used VWs are expensive here, definite hipster car.

    23. Re:If hacking is outlawed by bleh-of-the-huns · · Score: 1

      It depends on the car, when I bought a hybrid (around 2004) it was a Camry, the prius was too small and ugly, granted the camry was ugly too (I blame my wife), it was 27k at the time, no bargaining as they were in short supply at the time. The non hybrid version was 23k, so granted, not 5 to 10k, (unless we are talking the Mercedes S class hybrid, which is quite a bit more than the non hybrid cheaper S model), but still a significant difference.

      As for the cost of gas, since I drive a big ass V8 that requires premium, I have not bothered to look at the cost of gas when it comes to pricing out cost of ownership (in my case, I used cost of brakes and tires since I shred rear tires easily). And before you go saying it can use regular, it cannot, the timing does not retard enough and pinging occurs. I could conceivably get away with mid grade, but why own a performance sedan and use crappy gas.

      And if you want to take total cost of ownership, as an owner of a previous gen hybrid, I can tell you, the batteries sucked after 2 years of ownership, replacement was around $3k, don't have that problem with diesels, hell, we do not even have to talk diesel, let's talk Chevy Cruze which uses regular gas and gets ridiculous mileage, and that is a shit ton cheaper than oil burners and hybrids.

      Also, you want high and mighty righteous assholes, nothing beats the smug hybrid owners of this world, trust me, I have run into my fair share of them owning a C63, the eco freaks love to bitch at me. I put my time in a hybrid, I do my share for the environment, and damnit, I am going to enjoy my freaking car and get 4mpg at the track..

      --
      I came, I conquered, I coredumped
    24. Re:If hacking is outlawed by Shirley Marquez · · Score: 1

      Depends on where you drive it. Diesels do well on the highway and can offer fuel mileage that is nearly as high as hybrids there. Hybrids win big for stop and go city driving. That is one reason that some cities have tried to mandate the use of hybrid taxis. (Market forces won't work because of the way the medallion system works: the people who spend extra money on the taxis mostly aren't the ones who save money on fuel.)

      Compare VW's own diesel and hybrid models. The clean diesel Jetta gets 42mpg highway and 30 city. The hybrid Jetta gets 48mpg highway and 42mpg city. The hybrid has a much bigger mileage advantage in the city. Or compare a hybrid Camry with a standard one: the non-hybrid gets 35/25mpg and the hybrid gets 39/43. (That's not a typo; the mpg rating is HIGHER for city driving.)

    25. Re:If hacking is outlawed by JBaustian · · Score: 1

      Pardon me, but I drive a Volkswagen and I am a snob. I disdain nearly all of you who drive lesser vehicles. When I am cruising at 80 or above in my Golf TDI, alongside a Bentley Continental GT or Audi R8, I feel a kinship with other superior beings.

    26. Re:If hacking is outlawed by Shirley Marquez · · Score: 1

      Expensive? The Jetta and Golf are both available for under $20,000 in the US. That's not quite low end but it's not an expensive car, and certainly not limited only to hipsters.

      Here is a list of the cheapest options from various brands. (Prices are the base list price from the company web sites; they don't include delivery charges or the California emissions package that 25% of the US population has to buy.) Most of these are smaller cars than the Jetta; VW would compare even more favorably if we looked at comparable models. VW doesn't import the Polo, which would probably be an under $15,000 car if it were sold in the US.

      Nissan: Versa, $11,990
      Chevrolet: Spark, $12,170
      Smart: Pure Coupe, $12,490
      Kia: Rio, $13,600
      Ford: Fiesta, $14,000
      Toyota: Yaris, $14,430
      Hyundai: Accent, $14,545
      Mazda: 2, $14,720
      Honda: Fit, $15,425
      Fiat: 500, $16,000
      VW: Jetta, $16,720
      Subaru: Impreza, $17,895
      Mini: Cooper, $19,700

    27. Re:If hacking is outlawed by Ol Olsoc · · Score: 1

      owner of a previous gen hybrid, I can tell you, the batteries sucked after 2 years of ownership, replacement was around $3K

      I call first class lying Bullshit

      If you had to pay anything, one cent, you had to have violated or ended the warranty. You said you owned a 2004 Camry. The warranty on the battery was 8 years or 100K miles. Did you put 100 K miles on it in two years?

      So is it a lie, or what? If a battery dies in the warranty period, it is replaced at no cost, nothing, zero.

      These egregious lies have been turning up everywhere. "My Prius battery died at 30 thousand miles, wiping out any gas mileage gains, because it's so expensive for me to replace it" Blah, blah blah.

      And for what? The only reason I can see for spreading lies is that for some weird reason you feel threatened. Maybe like that reviewer who faked stuff during a road test of a Tesla to make it look bad. Only to be tripped up by the data Tesla collects. It's so important to hate these things that you have to make up completely untrue lies about them?

      If you don't want a hybrid or battery car, don't buy one. I don't want one either, but I don't have to go around making shit up.

      Also, you want high and mighty righteous assholes, nothing beats the smug hybrid owners of this world, trust me, I have run into my fair share of them owning a C63, the eco freaks love to bitch at me. I put my time in a hybrid, I do my share for the environment, and damnit, I am going to enjoy my freaking car and get 4mpg at the track.

      I doubt you do any of those awesome things, because, kind sir, you show yourself to be a liar.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    28. Re:If hacking is outlawed by mjwx · · Score: 1

      If by 10 seconds,

      to say a car is "a 10 second car" means it takes 10 seconds to go from 0 KPH to 100 KPH.

      If you have trouble with that measurement, please stop talking about cars now.

      highly modified M3

      You may also have noticed I said "318i" not "M3".

      There is no Mazda 3 that can do that

      Mazda 3 MPS, 0-100 in 6.1 sec

      Your Mazda 3 Neo (cheapest Mazda 3 you can get) is in the low 8's.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    29. Re:If hacking is outlawed by mjwx · · Score: 1

      Errata, I said 320i, not 318i.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    30. Re:If hacking is outlawed by Meski · · Score: 1

      I'm thinking the back seat of a volkswagon would not be where he practices his fucking. Anyone tried?

    31. Re:If hacking is outlawed by RockDoctor · · Score: 1

      Skoda and Seat, both selling cars aimed at the cheaper end.

      And having driven from-new both a VW-era Skoda and a VW itself, in future I'd probably take the Skoda.

      Then again, I fully expect to not have to worry about the question for at least 3 more years, possibly as many as 5, depending on how much mileage the wife clocks up. Or what she drives into.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    32. Re:If hacking is outlawed by RockDoctor · · Score: 1

      The clean diesel Jetta gets 42mpg highway and 30 city. The hybrid Jetta gets 48mpg highway and 42mpg city.

      Wow, those are atrocious mileage figures. What did you do to the car to damage it so badly? We're up in the 55-60 mpg range just for day-to-day running.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    33. Re:If hacking is outlawed by Shirley Marquez · · Score: 1

      Those are the official EPA numbers for the cars. As always, your mileage may vary.

    34. Re:If hacking is outlawed by VisceralLogic · · Score: 1

      If by 10 seconds,

      to say a car is "a 10 second car" means it takes 10 seconds to go from 0 KPH to 100 KPH. If you have trouble with that measurement, please stop talking about cars now.

      Eh, there's plenty of people that use it to refer to the quarter mile. E.g.: 2013 Nissan GT-R is a 10 Second Car! refers to the quarter mile, as the car takes 2.7 seconds to get to 60 MPH. Nevertheless, it was pretty obvious from context what your reference was.

      --
      Stop! Dremel time!
  2. This is why we have a first amendment. by h4rr4r · · Score: 5, Insightful

    The cars are vulnerable if he tells the world or not. The only difference is now only the bad actors know about the problem.

    He should have disclosed without notifying. That way they could not have stopped him.

    1. Re:This is why we have a first amendment. by simonbp · · Score: 4, Insightful

      And now that it is known that this specific vulnerability exists, it's relatively trivial for someone to repeat Garcia's work and publish it.

    2. Re:This is why we have a first amendment. by iggymanz · · Score: 2, Interesting

      what the hell? The scientist is from the UK, they don't even have a constitution, much less a bill of rights with amendment mentioning free speech.

      Cue the Limey-o-philes with "UK has a constitution but it's not written" bullshit

    3. Re:This is why we have a first amendment. by Stumbles · · Score: 5, Insightful

      The Streisand effect strikes again. They will never learn.

      --
      My karma is not a Chameleon.
    4. Re:This is why we have a first amendment. by h4rr4r · · Score: 5, Insightful

      Sure, this is why we have one though. Our founding fathers knew not having one was too dangerous.

    5. Re:This is why we have a first amendment. by steelfood · · Score: 5, Insightful

      Nah, that'd be unreasonable. What would be more reasonable is that now that Volkswagen is known to not act in good faith (i.e. lawsuits ensue) after an act of responsible disclosure, there's no good reason to first notify them about any subsequent security holes.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    6. Re:This is why we have a first amendment. by cultiv8 · · Score: 5, Informative

      Here's a video on how they do it on BMWs, same method as A4. Feel free to go here and buy the device yourself.

      --
      sysadmins and parents of newborns get the same amount of sleep.
    7. Re:This is why we have a first amendment. by Sir_Sri · · Score: 5, Interesting

      The only difference is now only the bad actors know about the problem.

      Know about but not necessarily how to actually do it. About all they know is from the guardian article that it took upwards of 50 000 GBP worth of equipment (and some security researchers) to actually figure out how to do it.

      He should have disclosed without notifying. That way they could not have stopped him.

      The point of notification is to give them an opportunity to fix it. The problem with cars is that 'fixing' it may not be possible, or may be astronomically expensive.

      Volkswagen wanted them to publish a redacted version of the paper, that explained how they did the hack but not the actual key (codes) they discovered, and they refused. That seems kind of dickish on the researchers' part honestly. It depends on the details of what exactly was to be redacted, so I'll withhold too much judgment, but with things that aren't connected to the internet there's a big problem in trying to actually roll out fixes. Of course there's no point in publishing a paper if you can't say anything about your method used, and if anything interesting about that was redacted it's basically a non starter.

      As we embed computers into more things this is going to be a bigger problem going forward. Are we going to need to replace 100 dollar car FOB starters every time there's a security hack? I suppose it might come to that, it's not like physical car locks are all that secure either. But if the hack requires 100 000 dollars in equipment and professional security expert time that puts the barrier to common criminals high.

      The researchers' main point seems to be that they aren't saying anything that isn't already public just from a different method. In that case sure, I suppose they could have just published and the situation wouldn't be much different. But I'm not sure how true their claim is.

    8. Re:This is why we have a first amendment. by cultiv8 · · Score: 0, Offtopic

      Would be interesting to know who's voting me off topic.

      --
      sysadmins and parents of newborns get the same amount of sleep.
    9. Re:This is why we have a first amendment. by Anonymous Coward · · Score: 5, Insightful

      You also have secret courts...

    10. Re:This is why we have a first amendment. by Samantha Wright · · Score: 5, Insightful

      cultiv8 posted instructions a few minutes before you made your post, so that cat's out of the bag. Now the only value this suppression serves is in protecting the ignorance of people who are in danger; the car company saves a bit of face with its less-aware customers and investors, and that's about it.

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
    11. Re:This is why we have a first amendment. by sl4shd0rk · · Score: 1

      Feel free to go here and buy the device yourself.

      I'd buy one just for that groovy 8-bit tone when it repairs the key!

      --
      Join the Slashcott! Feb 10 thru Feb 17!
    12. Re:This is why we have a first amendment. by Anonymous Coward · · Score: 0

      Except you'd have to prove that Volkswagen did not act in good faith by failing to release a fix/proper fix. Which is impossible.

      1. If you know how the hack is done, you win; but only after spending an impractical amount of time and/or money duplicating Garcia's research.

      2. If you don't know how the hack is done, too bad; no one wants to be the first guy due to monetary/time costs.

      3. If no one fights Volkswagen on this, there is no way to prove/disprove whether or not Volkswagen is acting in good faith on this issue; everyone loses... except Volkswagen and the carjacking thieves.

    13. Re:This is why we have a first amendment. by Anonymous Coward · · Score: 0

      Are we going to need to replace 100 dollar car FOB starters every time there's a security hack?

      If your car vendor makes you pay for it, you may get a better vendor. If you're the maker, you may choose to invest in the $4.40 reprogrammable SoC vs the $4 one off. $0.40 at the maker level can save them $100 in "slap customer in face" keyfob replacements. Better makers/vendors will win in a free(er) market.

    14. Re:This is why we have a first amendment. by h4rr4r · · Score: 2

      If you notify they will just sue you instead of fixing it. Which is what VW has now done.

      Car locks could be very secure, car companies chose POS methods. $100,000 is not a big deal when you can do the research and sell the results to crime rings.

    15. Re:This is why we have a first amendment. by Anonymous Coward · · Score: 0
    16. Re:This is why we have a first amendment. by Lumpy · · Score: 5, Informative

      Yeah and our scumbag leaders wipe their ass with it daily.

      Oh that right is protected by the constitution? Now you are an enemy combatant, it doesn't protect you anymore. Yes, we are calling you that for wearing blue on orange mondays... to the waterboarding with you!

      --
      Do not look at laser with remaining good eye.
    17. Re:This is why we have a first amendment. by Lumpy · · Score: 2

      BMW execs and VW public relations people.

      --
      Do not look at laser with remaining good eye.
    18. Re:This is why we have a first amendment. by mikeiver1 · · Score: 4, Insightful

      I suspect that the hack is rather simple and you can be very secure in the knowledge that there are now like a dozen plus persons looking very hard at their key controls with an eye at releasing the hack to simply screw VW for the snub. Fallout be damned. On the other side of it you can not tell me that VW didn't know that they had a security issue and simply waited to fix it because it might cost a few dollars or euros or whatever. Screw the customer for the buck.

    19. Re:This is why we have a first amendment. by Anonymous Coward · · Score: 1

      Simply the act of suing to silence these scientists is enough to be an act of bad faith. They could paint puppies on the sides of their cars and they would still be "the company that sued to keep the public from knowing how bad their security was in cars for which they charge people hundreds of thousands of dollars".

    20. Re:This is why we have a first amendment. by TubeSteak · · Score: 5, Informative

      , it's relatively trivial for someone to repeat Garcia's work and publish it.

      The speculation is that Garcia sliced the chip layer by layer to reconstruct the logic and algorithms that VW's Megamos Crypto uses.

      That's neither quick to do, nor trivial to recreate.

      --
      [Fuck Beta]
      o0t!
    21. Re:This is why we have a first amendment. by Karl Cocknozzle · · Score: 2

      The cars are vulnerable if he tells the world or not. The only difference is now only the bad actors know about the problem.

      He should have disclosed without notifying. That way they could not have stopped him.

      Believe me, as first-amendment crushing lawsuits like this become "standard" the "no notice" release of major flaws will also become standard.

      Then the government will be lobbied to label these researchers who release without prior notice to be "terrorists" or "aiding the enemy" and lock them in prison for "abetting car theft" or some such similar nonsense.

      For that matter, why not just lock up every security researcher that won't sign an agreement (in advance) to only release security research with the approval of the subject of the research? That way we know which security engineers are likely to be "terrorists" and which ones are the good guys.

      --
      Who did what now?
    22. Re:This is why we have a first amendment. by Anonymous Coward · · Score: 1

      That's neither quick to do, nor trivial to recreate.

      An information leak is trivial though. Quite a few people have seen the paper - in order to have a court case and all. And some before the court case. A leak could come from anywhere - and I hope it happens. A car maker who relies on 'security through obscurity' deserves the cost of a massive recall.

      Putting a chip in an electron microscope is not entirely trivial, but something any mafioso could bribe a student to do . . .

    23. Re:This is why we have a first amendment. by Anonymous Coward · · Score: 1

      "The Streisand effect strikes again. They will never learn."

      I doubt Volkswagen really cares. The lack of specific steps to reproduce the hack allows them to dismiss it as academic, even if it's out in the wild.

    24. Re:This is why we have a first amendment. by OzPeter · · Score: 1

      And special rendition

      --
      I am Slashdot. Are you Slashdot as well?
    25. Re:This is why we have a first amendment. by Anonymous Coward · · Score: 0

      Cue the Limey-o-philes with "UK has a constitution but it's not written" bullshit

      Cue the self-important Yanks who can't grasp why we don't need one.

    26. Re:This is why we have a first amendment. by ArsonSmith · · Score: 2

      This is akin to not being allowed to yell fire in a crowded movie house, when there actually is a FIRE!

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    27. Re:This is why we have a first amendment. by lightknight · · Score: 4, Insightful

      Perhaps, but for someone who wants to yank thirty or forty cars off the street, with minimal risk, it might be worth a modest investment.

      You'd need what, an electron microscope, some custom software to trace the images you scan and convert them back to logic, then someone to write an app / engineer some hardware to make it trivial for you to grab anything you want. Assuming you are grabbing thirty new VWs, at $20K / pop...that's $600K...so, the cost of an electron microscope (may or may not be costly...might get a second-hand one for cheap), and an Electrical Engineer @ 120K + Computer Scientist / Software Engineer @ 120K (so they'll actually do the work, keep their mouths shut, and provide 'updates' to the software / hardware they design at an agreeable rate, since 30-40 cars might easily become 3000-4000 cars provided you don't act like a Mafia-Don and try to kill the wrong people / short the wrong people ("Hey, they did the job; now let's double-cross them, and whack them, so we can keep their share, and they can't tell anyone..." -> Hollywood derp -> Good people are hard to come by, and even harder to replace); I say updates, because the car companies will begin changing stuff as soon as they hear that their cars are getting snatched, and updates are cheaper with people you know, who are 'happy' with you, than people who are PO'ed at you, or are dead).

      Still, it seems a lot of work for little cash. Now, getting elected to the Board of Governors for the Federal Reserve...well, they can just print money when they need a little more. Now that's thinking with your head.

      --
      I am John Hurt.
    28. Re:This is why we have a first amendment. by gbjbaanb · · Score: 1

      On the other side of it you can not tell me that VW didn't know that they had a security issue

      which means they'll have a hard time in the courts if (or when) a VW gets hacked by someone doing a drive-by with a bluetooth device that can get access via a hack of the entertainment console.

      Ars had a nice writeup of a hacker who had control of a car, they could turn the brakes on and make the steering wheel turn (via the commands that control the automatic parking feature).

    29. Re:This is why we have a first amendment. by lgw · · Score: 2

      You might pick a better example (it's not like it's hard to find examples of our leaders wiping their ass with the constitution, after all).

      There's nothing wrong with calling someone who participates in combat against the US military on foreign soil an "enemy combatant".

      --
      Socialism: a lie told by totalitarians and believed by fools.
    30. Re:This is why we have a first amendment. by lightknight · · Score: 2

      Lol, I was particularly touched that they consider insistence on having any rights to be symptoms of grandiose behavior, and evidence of psychological distress...I think some of the (everyone's favorite) DSM (perhaps one of the later editions) has, perhaps, one or two disorders which read something to that effect. And sadly, many years later, I can finally see exactly why they would think someone is insane for thinking that...because they're right; you don't have any rights, and that piece of paper is a lie. A convenient lie, but a lie; it may say you have freedom of speech and that your government is charged with protecting those rights...but no one who has studied the history of the United States can, with a straight face, say that it has given anything but lip service, when it suited itself, to the idea of freedom of speech. Your government...protecting your rights? There is no evidence of that...well, 1% evidence for, 99% evidence against it; a Stockholm syndrome patient is the only person who would, having carefully seen the truth, attest otherwise. Your government and you are the belligerents...and every day is a test to see who is taking more from the other; usually your government wins, simply by default...it can, with a wave of its hand, have its courts all stand up and say that black is white, and that freedom of speech does not cover certain kinds of speech, so help you God.

      And let's be honest...it has failed the various tests for freedom of speech. Facebook postings leading to arrests? What kind of amputated mind considers such things? Why, if we prize a free and open society, are we seeing people maneuver to cut others down for opening their mouths, and speaking their minds? Do they, perhaps, think the whole freedom of speech thing is simply a ruse to find the rebels, infidels, and unlucky, and to remove them from the population? Or perhaps, they believe, cloaked in shadows, that others aren't, in turn, following them, and asking, "How much longer shall we let them harm the innocent?" 'Tis the wonderous thing I once learned, that the watchers never think they are being watched...that they alone are somehow isolated, and privy to things that no others can see, from their hidden vantage points. I say we have an open and free society, for what little that might be worth...and if anyone goes missing, we go looking for them.

      --
      I am John Hurt.
    31. Re:This is why we have a first amendment. by lightknight · · Score: 1

      Of course we do. And that's sad....I think our enemies would be more afraid of us if we posted their every move on C-SPAN for the world to contemplate...using secret courts just convinces our populace that we have something to hide from them...

      --
      I am John Hurt.
    32. Re:This is why we have a first amendment. by petteyg359 · · Score: 1

      What's all this talk about wagons? It's Volkswag*e*n for fuck's sake...

    33. Re:This is why we have a first amendment. by Type44Q · · Score: 1

      A car maker who relies on 'security through obscurity' deserve the cost of a massive recall.

      They already deserve that many times over; Volkswagen AG's cars have been notoriously flaky and generally unreliable for fifteen to twenty years now. Sure, they're absolutely great cars to drive (when they're working correctly)... but the ownership experience? Forget it.*

      *This is coming from the biggest fan of 1st and 2nd gen Quattros you'll ever meet.

    34. Re:This is why we have a first amendment. by Urza9814 · · Score: 1

      Yes, but they apply that term to people they themselves admit are not involved in combat. Like Khaled El-Masri. Or the EMTs they intentionally slaughter with drone strikes. Or four year old girls.

    35. Re:This is why we have a first amendment. by Zalbik · · Score: 5, Funny

      Ahh...but you are forgetting a few things:

      1) You have to double the estimate of your Software Engineer. In MBA school they taught us to always double the software guy's estimate.
      2) You haven't included any quality assurance!?! At least another $120k for a good QA team, plus the tools necessary for automated testing.
      3) You've got 3 people on the team now, so you should include a PM. That's another $240k at least.
      4) And you'll need a business analyst. Luckily, it should be easy to find one who isn't so "morality constrained". Say another $180k for them.

      Just to be on the safe side, you should overestimate everything by 50% (yes, I know we already doubled the dev estimate, but this is what Joe's MBA School of Mastering Business Administration and Cheap Web Hosting taught me).

      So overall, the cost is:
      Software Engineer: 240K
      Electrical Engineer: 120K
      QA: 120K
      PM: 240K
      BA: 180K
      Subtotal: 900K
      Total (add 50% for good luck): 1.3 Million.

      Now you should add 15-20% per year for support/maintenance, etc. So it's 1.3 Million capital outlay, plus $260,000 per year.

      Pretty pricy, but still....it's cheaper than SAP.

      /sarcasm off

    36. Re:This is why we have a first amendment. by Urza9814 · · Score: 4, Informative

      Company A uses reprogrammable chips and does the responsible thing. When their chips get hacked, they issue a recall, and people go to the dealer to get theirs reprogrammed.

      Company B is Volkswagen.

      John Doe goes in to buy a new car. They look at the vehicle report for the car from Company A, and they see it's been recalled for a failure in the security system. They look at the vehicle report for a Volkswagen, and they see no recalls. So they buy the Volkswagen.

      Your assertion is only valid in a world where all consumers carefully research every purchase. *Nobody* does this -- it's not possible. Not enough hours in the day. For something as big as a car there's a decent chance they will, but even then I bet plenty of people don't.

    37. Re:This is why we have a first amendment. by Anonymous Coward · · Score: 0

      And VW can simply say that the dozen-plus persons looking for said hack simply found the wrong one, therefore they're still acting in good faith. You're looking for a needle in a stack of needles, but you don't know which needle you're looking for.

      Oh and all those new hacks they found? Gag orders for all of them, just so no one goes and uses said exploit.

    38. Re:This is why we have a first amendment. by Anonymous Coward · · Score: 0

      There's nothing wrong with calling someone who participates in combat against the US military on foreign soil an "enemy combatant".

      Sure, if you want to ignore your obligations under article 4 of the Geneva Convention and the US Constitution with all of its attendant caselaw.

      Also, Mr. Padilla would laugh at your weak and flaccid defense of human rights violations if he wasn't a US Citizen, nabbed on US Soil, labeled an "Enemy Combatant" and held without trial (in clear violation of the 6th amendment), tortured (in violation of the 8th amendment), then found guilty and locked away forever, I mean 17 years.

      Remember that when it is your turn.

    39. Re:This is why we have a first amendment. by Anonymous Coward · · Score: 0

      Just use a zero day exploit to hack his computer with the research material on it.

      Or the computer of anyone at USENIX to whom it was submitted or...

    40. Re:This is why we have a first amendment. by Sir_Sri · · Score: 1

      so that cat's out of the bag

      Did you link the correct video? Because his video doesn't seem to show anything related to what we're talking about. What we're talking about is a remote wireless unlocking by some sort of key spoofing (perhaps a master key for the whole system, or perhaps they can extract the encryption key used, and it's the same for each model of car or... not sure). That video was with physical access inside the vehicle being able to program a key to access it, using well, a key reprogrammer.

    41. Re:This is why we have a first amendment. by Impy+the+Impiuos+Imp · · Score: 1

      You were throwing it in the face of Europeans, and the truth butthurts.

      If the metamod system here actually worked, those who downmodded you would themselves be meta-downmodded, such that they wouldn't get mod points for a full year.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    42. Re:This is why we have a first amendment. by Sir_Sri · · Score: 1

      If you have to replace say 3-5 keys for every vehicle, it takes 10 minutes of employee labour per key you're talking about a lot of money every time.

      It seems like the BMW remote starters run in the 160-250 range, the one for my shitty ass GM is 100 dollars, whatever the actual costs, trying to do a recall on the keys for vehicles could get expensive fast.

      It's not necessarily an obvious consumer cost sure, but it's still a cost, and how much padding do you want in the cost of your vehicle for key fob replacement every time something goes wrong with a key? Are we going to price 5 key replacements into the projected lifetime cost of a car?

    43. Re:This is why we have a first amendment. by Sir_Sri · · Score: 1

      If you notify they will just sue you instead of fixing it.

      My point was that fixing it may not be particularly reasonable.

      Car locks could be very secure, car companies chose POS methods.

      Not really no, they can't. They never have been. It's a matter of degree. You can always break a window in a car, or failing that simply hire a tow truck over to the one you want to steal and tow it away. Being able to get into a car when you have locked your keys in is a major design problem, and so long as you let people do that easily you're going to have tools out there for easily getting into a car.

      $100,000 is not a big deal when you can do the research and sell the results to crime rings.

      Note the crime rings part there. If a crime ring wants your car your options are limited. What you don't want is a highschooler and his laptop to be able to steal your 300k car.

    44. Re:This is why we have a first amendment. by mysidia · · Score: 3, Funny

      Now you should add 15-20% per year for support/maintenance, etc. So it's 1.3 Million capital outlay, plus $260,000 per year.

      Ugh... that's way too expensive; you need to lay someone off.

      Lay off one software engineer to save 40K

      Cut everyone else's Salaries by 60%. Give the CEO a 500K bonus.

      New cost tally:
      Software Engineering: Outsourced to China: 10K
      Electrical Engineer: 48K
      QA: 48K
      PM: 96K
      BA: 72K
      Bonus for CEO: 500K
      Discount due to cooking books: -200K
      Subtotal: 574K

      Total Money saved: 726K (56% cost reduction)

    45. Re:This is why we have a first amendment. by thaylin · · Score: 1

      Until the author's paper is subpoenaed.

      --
      When you cant win, ad hominem.
    46. Re:This is why we have a first amendment. by mysidia · · Score: 1

      Don't go there... the NSA is watching; it's a trap!

    47. Re:This is why we have a first amendment. by Samantha+Wright · · Score: 1

      ...oh slag. This is what I get for skimming posts at work. Sorry!

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
    48. Re:This is why we have a first amendment. by TheGratefulNet · · Score: 2

      had my vw for over 10 years now. no major problems.

      before this, I had 3 bmw's (one after another). each one had serious design and build problems. costly to repair and some repairs could never be done properly (shock towers weakening on E36, no factory fix to fatigued metal; that was the nastiest design bug I remember).

      I would never buy another bmw. I would buy another vw (as long as its not a mexico-made car).

      for some reason, bmw's sell themselves, but all 3 of mine made the service departments more money than I would have liked...

      in general, german cars are overpriced and don't give any better quality than japanese cars.

      --
      "It is now safe to switch off your computer."
    49. Re:This is why we have a first amendment. by Anonymous Coward · · Score: 0

      And they run the country.

    50. Re:This is why we have a first amendment. by mikeiver1 · · Score: 1

      "Oh and all those new hacks they found? Gag orders for all of them, just so no one goes and uses said exploit." You make the mistake of thinking that they are going to be making the same mistake that Flavio Garcia made... You are of course wrong. If I were to hack any part of a car I would simply flood multiple forums with it from anonymous accounts accessed from the local public library. Good luck with your search for the "Bad Guy" dick heads. It is rather funny how our present governments and corporations are so fixed on assuring that we have virtually no private information and yet expect that they have the absolute right to it themselves when it suits them. Which is all the time. It is a two way street as they are finding out on a daily basis and a lot of the time it doesn't work out too well for them. As to the "good faith" argument, come on, really? Show me one company that really acts in good faith for the sheer "Good" of it and I will show you bullshit.

    51. Re:This is why we have a first amendment. by Anonymous Coward · · Score: 0

      It's so awesome, it's extraordinary rendition, in fact!

    52. Re:This is why we have a first amendment. by betterunixthanunix · · Score: 1

      But if the hack requires 100 000 dollars in equipment and professional security expert time that puts the barrier to common criminals high.

      ...and if an uncommon criminal can pull it off, they can sell a device worth a couple hundred dollars to the common criminals. The uncommon criminal will make a boatload of money and will be much harder to catch.

      --
      Palm trees and 8
    53. Re:This is why we have a first amendment. by 10101001+10101001 · · Score: 1

      The point of notification is to give them an opportunity to fix it. The problem with cars is that 'fixing' it may not be possible, or may be astronomically expensive.

      No, the "problem" is that you're making excuses for why a potential security flaw in a car should be treated any different than, say, a security flaw in a door. In both cases, if the flaw is of the fundamental kind, the manufacturer deserves the egg on their face. And in any case, making it "astronomically expensive" to fix/replace is a sign of bad design and the manufacturer really should bear the cost of it.

      Volkswagon wanted them to publish a redacted version of the paper, that explained how they did the hack but not the actual key (codes) they discovered, and they refused. That seems kind of dickish on the researchers parts honestly. It depends on the details of what exactly was to be redacted, so I'll withhold too much judgment, but with things that aren't connected to the internet there's a big problem in trying to actually roll out fixes. Of course there's no point in publishing a paper if you can't say anything about your method used, and if anything interesting about that was redacted it's basically a non starter.

      The only way it's "dickish" is that it leaves VW customers in a [now-aware] potentially bad spot. But, then, if there is no means to mitigate the issue (like disabling the whole key fob or whatever the vulnerability is), then really VW should be promptly offering to either recall the affected units or offer some sort of assurance to cover any thefts. And if there are ways to mitigate the issue, VW should be promptly telling its customers about it without trying to gag anyone.

      As we embed computers into more things this is going to be a bigger problem going forward. Are we going to need to replace 100 dollar car FOB starters every time there's a security hack? I suppose it might come to that, it's not like physical car locks are all that secure either. But if the hack requires 100 000 dollars in equipment and professional security expert time that puts the barrier to common criminals high.

      And why are they 100 dollar car FOB starters? But, yea, I agree that physical car locks don't do much to really stop people--except that a "universal fob" would make it trivial to casually steal a car in broad daylight, although I imagine more experienced crooks can pry a door open and hot wire a car quickly enough to make the difference moot (and serial numbers mean whatever damage is done is also likely moot since they won't be able to simply resell the thing whole anyways). So, in the end, why is VW even bothering to push to quiet the researchers? Right, to protect their "good name".

      The researchers main point seems to be that they aren't saying anything that isn't already public just from a different method. In that case sure, I suppose they could have just published and the situation wouldn't be much different. But I'm not sure how true their claim is.

      And the other shoe drops. You see, researchers have to show their proof. Otherwise, VW will play the smeared-in-name victim and people, like you, will be undecided on the veracity of the claim. Instead, the truth is that VW's actions now make them look even worse. Downplaying the risk not only in PR but, again, in assurance on covering theft costs would put VW in a better light. Shutting someone up because it makes them look bad or because they're afraid it could do a lot of real harm to their brand (and, indirectly cause a lot of thefts of cars) really gives a good perspective on just who VW thinks they are. :/

      --
      Eurohacker European paranoia, gun rights, and h
    54. Re:This is why we have a first amendment. by Anonymous Coward · · Score: 0

      Company A cars have engine and transmission problems - They issue a recall

      Company B is Volkswagen - they just let the drivers get killed (Australian woman dies when VW abruptly stops in traffic)

    55. Re:This is why we have a first amendment. by 91degrees · · Score: 1

      Volkswagen know about it and this gives them time to patch it. They're the only ones in a position to do so anyway. This is not an OS. The detailed security is not handled by users but by the manufacturer. If you have a VW and you know that a specific code sent on a specific frequency will unlock your car, what are you going to do with this information?

      A large number of "bad actors" don't have the skill to replicate the results. And it's not like there's a mailing list of those who do. It will take time for the ones who can do so to replicate this.

      He should have disclosed without notifying. That way they could not have stopped him.

      The obvious result of this would be that the problem would be exacerbated. As such he could potentially be held liable for any cars stolen as a result of the publication. More than one person can be at fault here. By disclosing, he demonstrates good faith.

    56. Re:This is why we have a first amendment. by Anonymous Coward · · Score: 0

      BMW is built to perform and they're always trying out new and experimental things to push the bleeding edge. That's who they are as a brand. If you didn't want that then why did you buy a BMW? Everyone that I've known with BMWs, even the ones who could easily afford to buy them, leased them instead and turned them in for new ones every two or three years. That way they could enjoy the performance and walk away from the problems before the odometer passed 60k. You'd have to have a real hard on for BMW to buy one new before anyone knows what's going to break and how or even if it can be fixed.

    57. Re:This is why we have a first amendment. by Anonymous Coward · · Score: 0

      Despite your "facts", VW's brands still rank very high in the reliability charts. Half of Eastern Europe still drives around in Volkswagens from the early 90's (or older) that continue to work without problems.

      Sure, there might be problems with some VW vehicles, but in general they are very reliable compared to most other brands.

    58. Re:This is why we have a first amendment. by Anonymous Coward · · Score: 0

      Yet I see many 20+ year old BMWs driving around every day while I hardly ever see a Renault of that age, even though Renault had a much larger market share twenty years ago.

    59. Re:This is why we have a first amendment. by SLi · · Score: 3, Insightful

      Yeah, I'm sure nothing like this could ever happen in the US due to your ah-so-fantastic First Amendment.

      That case, by the way, is very close to this one. MBTA was granted a Temporary Restraining Order that prevented the researchers from discussing their findings in the conference where they intended to do it. Which is *exactly* what has happened here so far.

    60. Re:This is why we have a first amendment. by jeremyp · · Score: 1

      The UK does have a constitution and it is all written down. It's not written down in one place but is an aggregate of a number of Acts of Parliament.

      In some ways, this makes it difficult for ordinary people to know what it is but it does have the advantage that it's not treated with quasi religious zeal so a stupid anachronistic and downright dangerous clause like the US's second amendment has a realistic chance of getting repealed.

      --
      All I want is a secure system where it's easy to do anything I want. Is that too much to ask ~~ Randall Munroe
    61. Re:This is why we have a first amendment. by TheRaven64 · · Score: 1

      Cue the Limey-o-philes with "UK has a constitution but it's not written" bullshit

      The UK has a written but not codified constitution. If you don't know the difference, then pick up a politics textbook and learn something before you start trying to sound knowledgeable in discussions about the subject.

      --
      I am TheRaven on Soylent News
    62. Re:This is why we have a first amendment. by Anonymous Coward · · Score: 0

      I know the UK sometimes acts as another state of the USA, but it really isn't one, as such your first amendment doesn't apply and therefore can't be crushed in its courts.

    63. Re:This is why we have a first amendment. by Anonymous Coward · · Score: 0

      No. Someone already did that. The researchers had access to software implementing the crypto. It's been published online for about 6 years.

      As for lightknight below, funny he should say that, but there's a presentation on extremely low-budget decapping of chips this weekend at DEFCON.

      I have no interest in cars, I don't even drive, but this makes me want to reproduce his results and publish them directly to Full-Disclosure so everyone knows how insecure they are, how they were made to be insecure by design, and that security should not be a matter of snake oil and avoiding embarrassment. I may very well do just that.

    64. Re:This is why we have a first amendment. by RevDisk · · Score: 2

      Temporary Restraining Order is not a permanent restraining order. It's usually meant to give a chance for the legal system to hear arguments before a permanent solution is implemented. Similar to say, the difference between arrests and convictions. It's a routine thing, it was solely the timing that was a scumbag tactic.

      http://www.revdisk.net/gal/Defcon16/MTA01.jpg

      I was in the audience at the time of that presentation. The presentation WITH ALL THE TECHNICAL INFORMATION was on the disk that was handed out to all of the audience. Instead of the presentation, the EFF did a presentation. Hackers raised funds for the students, gave EFF lawyers secure internet access, found expert witnesses, etc. The judge agreed with the EFF and the students, and refused to extend the restraining order. Yes, the timing sucked, but they did actually win on First Amendment grounds.

      So, yes, judges do on occasion (IMHO often unlawfully) infringe on the First Amendment, it's still better than the alternative of not having it. Also, someone else independently gave a similar presentation with largely the same info. It was very very well attended. Good times. See y'all at Defcon this weekend.

    65. Re:This is why we have a first amendment. by h4rr4r · · Score: 1

      Fixing it is simple, replace the locks or replace the cars. VW sold them and as such has that responsibility. They should not have the option to not fix it.

      Breaking windows is not a flaw in the door locks. Nor is towing the car. The flaw here is letting them get in and start the car. It is quite different to be able to drive away rather than tow or have to break a window.

      If a high schooler wants your car he uses the brick and screwdriver method, not the fancy laptop.

    66. Re:This is why we have a first amendment. by RevDisk · · Score: 1

      And we're very glad for our stupid anachronistic and downright dangerous Bill of Rights. There is a mechanism for removing or changing the Constitution. It is intentionally not trivial and not subject to a 50% plus one person vote. If a large enough majority wanted to remove any part of the Bill of Rights, they could do so.

      I'm quite happy that it is very difficult to remove Constitutional protections from its citizenry. Otherwise "stupid anachronistic and downright dangerous" provisions such as needing warrants, due process, etc would be stripped before they'd strip the First or Second Amendments. Don't get me wrong, judges rule against the Bill of Rights all day long. But there's still enough honest judges to ensure that our government doesn't get its way every time.

    67. Re:This is why we have a first amendment. by neurovish · · Score: 1

      Ahh...but you are forgetting a few things:

      1) You have to double the estimate of your Software Engineer. In MBA school they taught us to always double the software guy's estimate.
      2) You haven't included any quality assurance!?! At least another $120k for a good QA team, plus the tools necessary for automated testing.
      3) You've got 3 people on the team now, so you should include a PM. That's another $240k at least.
      4) And you'll need a business analyst. Luckily, it should be easy to find one who isn't so "morality constrained". Say another $180k for them.

      Just to be on the safe side, you should overestimate everything by 50% (yes, I know we already doubled the dev estimate, but this is what Joe's MBA School of Mastering Business Administration and Cheap Web Hosting taught me).

      So overall, the cost is:
      Software Engineer: 240K
      Electrical Engineer: 120K
      QA: 120K
      PM: 240K
      BA: 180K
      Subtotal: 900K
      Total (add 50% for good luck): 1.3 Million.

      Now you should add 15-20% per year for support/maintenance, etc. So it's 1.3 Million capital outlay, plus $260,000 per year.

      Pretty pricy, but still....it's cheaper than SAP.

      /sarcasm off

      You could just buy the cars yourself at sticker price, then cut them up and ship out the parts, and it would still be cheaper than SAP.

    68. Re:This is why we have a first amendment. by Anonymous Coward · · Score: 0

      It's not just cars holding the VW logo. This covers all cars produced by VAG, including Lamborghini, Bugatti and Bentley.

    69. Re:This is why we have a first amendment. by iggymanz · · Score: 1

      I am very well aware of what the UK has, but as it is and can be changed at any time by whim of Parliament, it is no constitution at all

    70. Re:This is why we have a first amendment. by Type44Q · · Score: 1

      You've been lucky with your vee-dub; their fundamentals are still generally solid (especially the diesels) but they're constantly getting sidelined by failures of trivial electrical components. My '90 E32, on the other hand, is the 2nd most reliable car I've ever owned (only surpassed by my '87 E30) but it's 24 years old; I'd never buy a BMW made after the company decided that Microsoft products were solid enough to be bundled with their vehicles (which, IMHO, demonstrates an upper management failure so incredibly monumental as to nearly rival the Pentagon's fuckup in choosing "Windows for Smart Ships" for the Yorktown). :p

    71. Re:This is why we have a first amendment. by Sir_Sri · · Score: 1

      Breaking windows is not a flaw in the door locks.

      No, it's an upper bound on the relevant complexity in the lock. So long as you can just smash a window the best lock in the world isn't getting you far.

      If a high schooler wants your car he uses the brick and screw drive method, not the fancy laptop.

      If he can download a program from a website that will let him use an IR transmitter and a laptop I would expect to see the laptop method become quite popular.

      Fixing it is simple, replace the locks or replace the cars. VW sold them and as such has that responsibility. They should not have the option to not fix it.

      Which, like all recalls is then priced into the future cost of the car, and passed on to consumers.

    72. Re:This is why we have a first amendment. by Sir_Sri · · Score: 1

      The only way it's "dickish" is that it leaves VW customers in a [now-aware] potentially bad spot.

      depends on what exactly would be redacted. Customers are no more informed with or without just the keys. As I say, it depends on what exactly VW wanted redacted.

      And the other shoe drops. You see, researchers have to show their proof.

      I'm a researcher, and you're somewhat confused. They made a claim about some or all of their results being on the internet already. Those claims aren't verifiable for the moment, nor is it clear what exactly they mean that the numbers are out there already. I can do a search for a lot of random strings of numbers and come up with results, that doesn't mean they have any useful context to them.

      No, the "problem" is that you're making excuses for why a potential security flaw in a car should be treated any different than, say, a security flaw in a door

      I'm not sure you understand how the car recall process works. There is a whole lot of asking what is the risk/cost of doing nothing versus the cost of a recall. Recalling 100k vehicles to put in new locks gets very expensive very quickly. Not to mention the lost time of car owners getting their vehicles fixed.

    73. Re:This is why we have a first amendment. by SLi · · Score: 1

      Yes, and the subject of this Slashdot article was not a permanent restraining order either, but a temporary measure. I *really* fail to see the difference.

    74. Re:This is why we have a first amendment. by TheRaven64 · · Score: 1

      Not even remotely true. A full explanation of why you are wrong would take up far more space than a slashdot post. Please read at least the first chapter of a textbook on UK politics.

      --
      I am TheRaven on Soylent News
  3. Solution timetable by spire3661 · · Score: 4, Insightful

    Shouldn't Volkswagen be forced to provide a timetable as to when this will be fixed so the temporary egregious act of suspending the First for this person can be lifted? It is Volkswagen's fault, they need to fix it now.

    --
    Good-bye
    1. Re:Solution timetable by truthsearch · · Score: 5, Informative

      Suspending the first... amendment? This didn't happen in the USA.

    2. Re:Solution timetable by bill_mcgonigle · · Score: 4, Insightful

      Suspending the first... amendment? This didn't happen in the USA.

      And the presentation will likely go forward at USENIX (in Washington DC) with the other two co-authors, from the Netherlands. It's one researcher in the UK who's getting boned by his government.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:Solution timetable by rwise2112 · · Score: 5, Interesting

      Shouldn't Volkswagen be forced to provide a timetable as to when this will be fixed so the temporary egregious act of suspending the First for this person can be lifted? It is Volkswagen's fault, they need to fix it now.

      So it seems that some form of this Megamos Crypto is used by just about all manufacturers. Does anyone know if all versions are broken? Since they all use it, it may come from a 3rd party, so Volkswagen may not know when or how to fix it.

      --

      "For every expert, there is an equal and opposite expert"
    4. Re:Solution timetable by Anonymous Coward · · Score: 0

      Honestly, it shouldn't matter. It's occurring in the United States. The Constitution may be interpreted to only apply to citizens of the United States, but everything the Founding Fathers spoke about was in regards to all men. Which makes sense, since the existence of such rights is argued on moral grounds as innate and inalienable parts of being a human being.

    5. Re:Solution timetable by Anonymous Coward · · Score: 0

      It's always fun reading the comments here on Reddit.

    6. Re:Solution timetable by h4rr4r · · Score: 2

      Why in the 21st century is anyone stupid enough not to use proper crypto?
      In the world of crypto proprietary means so flawed I cannot show you how it works or it stops being crypto.

    7. Re:Solution timetable by Anonymous Coward · · Score: 0

      No, but let the market provide some push. I sure as hell wouldn't be buying a car with that sort of issue. Just knowing it's an issue (not the specific steps) is enough for me. I'd wait for the fix, go somewhere else, build a personal teleporter, etc.

    8. Re:Solution timetable by jbolden · · Score: 1

      Interpreted. It is rather explicit:

      We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.

    9. Re:Solution timetable by Lumpy · · Score: 1

      OR just a physical Key? Honestly VW and all these companies are complete and utter retards for going 100% electronic.

      --
      Do not look at laser with remaining good eye.
    10. Re:Solution timetable by h4rr4r · · Score: 1

      I think you could go 100% electronic and do it correctly. id_rsa.pub and authorized_keys seems to be 100% electronic and works pretty well. SSHing into my car to open the doors would be pretty sweet.

    11. Re:Solution timetable by Holi · · Score: 1

      Except that, according to the philosophy behind our government, rights are not given by the government but by our creator, thus they must exist for ALL humankind.

      --
      Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
    12. Re:Solution timetable by Anonymous Coward · · Score: 0

      That's right!

      That's why we have the 2nd Amendment, because without it, there can be no First!

    13. Re:Solution timetable by tragedy · · Score: 2

      But it was going to be disclosed in the US at a conference by a UK subject. This concept that all people are under the jurisdiction of their home government at all times has become a bit worrying. Frankly, it seems like the legal concept of jurisdiction has been virtually thrown out the window in recent years.

    14. Re:Solution timetable by AmiMoJo · · Score: 2

      Because proper crypto is hard and even if you spend vast amounts of money on it and hire good people there are often still flaws. Look at things like the DRM on Blu-ray discs. Very expensive, very carefully implemented, and still didn't last very long.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    15. Re:Solution timetable by Lumpy · · Score: 1

      I can do it with less than $300 in parts. RasPi, relay shield and a GSM data dongle. All done.

      apt-get install car-door-unlocker

      --
      Do not look at laser with remaining good eye.
    16. Re:Solution timetable by Anonymous Coward · · Score: 2, Insightful

      That's not a crypto flaw, that's a logic flaw. You can't give someone an encrypted message and the key to decrypt it, and then expect that there's a way to prevent them from decrypting the content. It's just not possible.

    17. Re:Solution timetable by bluefoxlucid · · Score: 1

      Which is a hilariously naive stance anyway. I had a 47 post thread with another slashdotter explaining how "rights" don't exist and are easily taken away because the government says so, and that a people who won't fight back to force the government to afford said rights are going to lose them. He insisted that it's physically impossible to take them away.

    18. Re:Solution timetable by bluefoxlucid · · Score: 1

      That's because to make DRM work you have to give the attacker the encryption key. It's like if you're trying to keep a raccoon-faced thief from robbing your armored car, and you give him the keys to both the ignition and the big padlock on the back.

    19. Re:Solution timetable by PsychoSlashDot · · Score: 2

      That's because to make DRM work you have to give the attacker the encryption key. It's like if you're trying to keep a raccoon-faced thief from robbing your armored car, and you give him the keys to both the ignition and the big padlock on the back.

      You're right... this is much easier since Volkswagen doesn't have to give keys to the people... who bought their... to the people... don't have to give keys...

      Oh.

      --
      "Oh no... he found the .sig setting."
    20. Re:Solution timetable by Anonymous Coward · · Score: 0

      If you took such a reductionist view of everything as you seem to do with the law (not that I agree with that other Slashdotter), then you wouldn't see anything on a computer screen except flashing dots.

      Metaphor and analogy are the building blocks of all society. The idea of "inherent rights" is of course not "real", but neither are the concepts of love, right, wrong, evil, good, or anything else of the sort.

      You should try reading Plato's The Laws for some basic views on the role of fiction in constructing society.

    21. Re:Solution timetable by Anonymous Coward · · Score: 0

      Volkswagen shouldn't be giving the crypto keys to *my* car to anyone else. Anyone else with the same model car can probably figure out what the encryption algorithm is, and what *their* keys are. But they won't know *my* keys. If the algorithm was any good, that should be enough to keep my car secure.

      But it sounds like the algorithm isn't any good, and anyone who knows it can open any car.

    22. Re:Solution timetable by Anonymous Coward · · Score: 1

      A US Judge suspended the ability for some college students from Boston from disclosing how they could get free subway rides for life by buying two tickets and following some simple rules. They were going to give the talk at Defcon and were not allowed to due to the judge's ruling. Almost the same exact situation.

      At the Defcon presentation their lawyer explained how it all worked, he wasn't covered under the gag order and understood how it worked.

      There is no more 1st amendment in the USA, only what you pretend is still there.

    23. Re:Solution timetable by Anonymous Coward · · Score: 0

      Not the same thing.

      In the case of DVDs and BDs, the attackers are those who want to watch the video without jumping through the media industry's hoops. The people who receive the keys are ... those who want to watch the video without jumping through the media industry's hoops. In other words, the media industry is giving the keys to the exact same people that want to break the system.

      In contrast, in the context of cars, the attackers are those who want to take a car without paying for it. The people who receive the keys are the ones who paid for the car in the first place. The attacker, and the one who holds the key, are different people.

      And they can (and should!) use different encryption keys for each car; it's not like the same key has to be used for each and every car ...

    24. Re:Solution timetable by Anonymous Coward · · Score: 0

      Not equivalent - you're not being locked out of YOUR car. You're being locked out of an identical model with disparate keys. Much like you can SSH into your server that you set up and have the access keys for but not mine. With BluRay the attempt is to stop you from getting at the data except via a way that I like.

      News flash:
      The mathematics and electrical components don't understand Hollywood's business model. When your driver ignores a region code or other DRM nonsense, it just says "yes sir! here's the data!"
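
Added example, not part of the thread: several comments above argue that a public algorithm with a distinct secret key per car should be enough, provided the algorithm is sound. The sketch below shows that argument as a challenge-response check. HMAC-SHA256, the class and function names, and all keys are assumptions chosen for illustration and say nothing about how Megamos Crypto works; the final function shows, on a constructed 16-bit toy key, why an undersized key space defeats the scheme even when everything else is done correctly.

```python
import hashlib
import hmac
import secrets


def tag(key: bytes, challenge: bytes) -> bytes:
    """Public algorithm: anyone may know it, only the key is secret."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Transponder:
    """Key-fob side: holds the secret of exactly one vehicle."""

    def __init__(self, key: bytes):
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        return tag(self._key, challenge)


class Immobiliser:
    """Vehicle side: issues a fresh challenge and accepts it only once."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = None

    def new_challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)  # unpredictable nonce
        return self._pending

    def verify(self, response: bytes) -> bool:
        # Consume the challenge first so a response can never be reused.
        challenge, self._pending = self._pending, None
        if challenge is None:
            return False
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(tag(self._key, challenge), response)


def try_start(car: Immobiliser, fob: Transponder) -> bool:
    """One full exchange: challenge out, response back, verdict."""
    return car.verify(fob.respond(car.new_challenge()))


def replay_is_rejected(car: Immobiliser, fob: Transponder) -> bool:
    """A recorded response must fail against the next challenge."""
    recorded = fob.respond(car.new_challenge())
    if not car.verify(recorded):
        raise RuntimeError("legitimate exchange failed")
    car.new_challenge()
    return not car.verify(recorded)


def search_key(challenge: bytes, response: bytes, key_bytes: int):
    """Exhaustive key search from one observed exchange.

    Only feasible for a tiny key space; use it to check that a design's
    effective key length puts this loop out of reach.
    """
    for guess in range(256 ** key_bytes):
        candidate = guess.to_bytes(key_bytes, "big")
        if hmac.compare_digest(tag(candidate, challenge), response):
            return candidate
    return None


if __name__ == "__main__":
    my_key, neighbour_key = secrets.token_bytes(16), secrets.token_bytes(16)
    my_car = Immobiliser(my_key)
    print("own fob:", try_start(my_car, Transponder(my_key)))
    print("neighbour's fob:", try_start(my_car, Transponder(neighbour_key)))
    print("replay rejected:", replay_is_rejected(my_car, Transponder(my_key)))

    # Constructed toy case: a 2-byte key falls to a single observed exchange.
    toy_key, chal = bytes.fromhex("beef"), b"constructed-chal"
    print("toy key recovered:", search_key(chal, tag(toy_key, chal), 2).hex())
```

With 128-bit per-vehicle keys the search loop is hopeless, which is the situation the commenters describe as "enough to keep my car secure"; the toy case is what a scheme with too little effective key material looks like.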

    25. Re:Solution timetable by FatLittleMonkey · · Score: 1

      I look forward to seeing you out in the street with your guns, defending those who've already been denied their Constitutional rights (such as in unlimited detention without trial, torture or any compulsion to testify against themselves, military tribunals, non-combatant US and non-US citizens killed by Presidential-fiat without any trial or due process, universal monitoring without warrant, warrants issued by secret courts without probable cause, etc etc etc.)

      Or is that not enough to make you take up arms and overthrow your government? Fourth, Fifth, Sixth, Seventh, Eighth, probably the Ninth and Tenth, along with plenty of individual Federal laws. Not enough? If not that, then what? What do they have to do to make you "exercise your 2nd Amendment Right"? Where is the line?

      http://www.youtube.com/watch?v=IX_d_vMKswE

      --
      Science is all about firing a drunk pig out of a cannon just to see what happens.
    26. Re:Solution timetable by RevDisk · · Score: 1

      Having seen civil wars overseas, I'm quite glad that folks think very long and hard before resorting to violence. Especially when you have no guarantee that the successor government will be better than the one you have now.

      I very much prefer the current situation to any utopia envisioned by the far left and far right wings of our political environment.

  4. Not a US case. No First Amend. by Arkiel · · Score: 5, Informative

    This did not occur in the US. The US Constitution is not implicated.

    1. Re:Not a US case. No First Amend. by Anonymous Coward · · Score: 0

      Actually, he's lucky this didn't happen in the US. He may have "mysteriously died" otherwise.

    2. Re:Not a US case. No First Amend. by mdmkolbe · · Score: 1

      Thank you for pointing that out. I was wondering how this jibed with the no-prior-restraint doctrine.

  5. There's a way out for him... by bogaboga · · Score: 1

    Judge Colin Birss, rules in favor of Volkswagon to ban Flavio Garcia, a computer scientist, from revealing details about 'Wirelessly Lockpicking a Vehicle Immobiliser' at USENIX in August.

    How about if it "turns out" that this fella Flavio Garcia wasn't doing research alone, and that members of his team would want to "leak" the details on torrent sites?

    We could still get them, no?

    By the way, who believes that the fella Flavio Garcia, is the only fountain of knowledge on the matter?

    1. Re:There's a way out for him... by Nyder · · Score: 4, Interesting

      Judge Colin Birss, rules in favor of Volkswagon to ban Flavio Garcia, a computer scientist, from revealing details about 'Wirelessly Lockpicking a Vehicle Immobiliser' at USENIX in August.

      How about if it "turns out" that this fella Flavio Garcia wasn't doing research alone, and that members of his team would want to "leak" the details on torrent sites?

      We could still get them, no?

      By the way, who believes that the fella Flavio Garcia, is the only fountain of knowledge on the matter?

      It doesn't matter. Now everyone knows it can be done, other people will be working on it. Criminals probably.

      Sort of like how once we made a nuclear bomb, other scientists were able to make nuclear bombs.

      --
      Be seeing you...
    2. Re:There's a way out for him... by steelfood · · Score: 2

      Well, not quite the perfect analogy. Nukes are quite complicated. U.S. scientists built the first nuke (though there's quite a bit of evidence that Hitler would've had it if not for certain scientists' subtle sabotage), and most of the other countries "acquired" those blueprints shortly.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    3. Re:There's a way out for him... by Anonymous Coward · · Score: 0

      It was built on U.S. soil by a lot of imported (esp. Nazi Germany) scientists... Why is it important to you that this "complicated" invention was American? It is not like you handled it very well once you had the power in your hands.

    4. Re:There's a way out for him... by Anonymous Coward · · Score: 0

      With a lot of espionage. Sure, Russia would have eventually got it, but for many more years than it took them.

  6. When will Volkswagon fix the issue? by tysonedwards · · Score: 4, Insightful

    For vehicles that have already been sold, I'd venture a guess somewhere between when the sun burns out and never.

    --
    Thirty four characters live here.
    1. Re:When will Volkswagon fix the issue? by maliqua · · Score: 1

      stop him from releasing the info or issue a recall, I can respect a judge forcing the release to be delayed but not without placing requirements on Volkswagen to resolve the security issue promptly.

      fact of the matter the information exists, even if it's not released anyone with a strong enough desire can now attempt to replicate the results knowing that success is achievable

    2. Re:When will Volkswagon fix the issue? by crypticedge · · Score: 1

      VW is actually really good about fixing things like this. My TDI has had a dozen software changes by them due to other things and a half dozen other little fixes they caught after it was sold as new in 2010. I got a letter in the mail last week of another fix they want to put in place because idiots keep putting gas in their TDI's too.

      I imagine as soon as they have a fix ready they'll send me another letter asking me to bring it by for the recall notice.

    3. Re:When will Volkswagon fix the issue? by g0bshiTe · · Score: 1

      VW announces new 2010 TDI beta!

      --
      I am Bennett Haselton! I am Bennett Haselton!
    4. Re:When will Volkswagon fix the issue? by Charliemopps · · Score: 1

      VW has one of the worst ratings on consumer reports of any company. Their cars are junk. I was interested in the TDI because it's one of the few affordable diesels sold in the US but the user ratings on that car are horrendous and repair bills expensive. Yours is only 3 years old so it's rather telling how many times you've had to take it in already. I've got a 2009 Ford Escape and it's never had to be taken in. I believe there was 1 recall and it was for the seat covers, which I don't have in mine.

    5. Re:When will Volkswagon fix the issue? by maliqua · · Score: 1

      I've got a 2009 Ford Escape and it's never had to be taken in. I believe there was 1 recall and it was for the seat covers, which I don't have in mine.

      you read the article last week about taking control of fords and disabling brakes right?

    6. Re:When will Volkswagon fix the issue? by Anonymous Coward · · Score: 0

      That's weird, my 2010 Ford hasn't had a single thing I had to take it in to get fixed. Well the mysync had a firmware update but I downloaded that myself and installed it from Ford's site.

    7. Re:When will Volkswagon fix the issue? by msauve · · Score: 1

      A fix presumably involves not only a software change in the car, but new key fobs for everyone. Ones which can't be reverse engineered by "chip slicing."

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    8. Re:When will Volkswagon fix the issue? by lgw · · Score: 1

      By physically connecting to the car data bus? Which is more difficult and complex than simply cutting a brake line? And not particularly Ford-specific?

      --
      Socialism: a lie told by totalitarians and believed by fools.
    9. Re:When will Volkswagon fix the issue? by Tweezak · · Score: 1

      VW owns among others:

      Volkswagen
      Porsche
      Skoda
      Audi
      Bentley
      Bugatti
      Lamborghini

      Some of these are not cheap cars. Not necessarily all use the same system but if so there's reasonable incentive for building this device if the plans are available.

    10. Re:When will Volkswagon fix the issue? by Cramer · · Score: 1

      Yeah. I saw that too and was completely unsurprised by their "findings". They connected a computer to the diag connector. If you know the protocol, you can do ANYTHING to the car at that point.

    11. Re:When will Volkswagon fix the issue? by Anonymous Coward · · Score: 0

      Keys can always be reverse engineered by chip slicing. But if you reverse engineer your car keys, that should only let you open your own car, because you'll discover the algorithm everyone uses but you'll only find your own encryption keys. In this case, it sounds like the algorithm is busted.

  7. Spellcheck! by intermodal · · Score: 4, Informative

    FFS, it's Volkswagen, with an E.

    --
    In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
    1. Re:Spellcheck! by omnichad · · Score: 1

      It's not so much a typo as it is an accidental translation to English. It's only 2 letters off from English - Folkswagon. What spell check has a list of commercial entities' proper names?

    2. Re:Spellcheck! by intermodal · · Score: 1

      For that particular combination? All of them. Especially since putting "folks" and "wagon" together in English is not a word in the first place.

      --
      In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
    3. Re:Spellcheck! by omnichad · · Score: 1

      compound words are not a thing in English, but otherwise it's the same idea.

  8. Too little, too late. by thejynxed · · Score: 5, Informative

    These cars with remote/keyless entry and start are already being stolen, even directly off of dealer lots. The criminals have already figured out what he was going to present, and are using it to their advantage.

    --
    @Mindless Drivel: 100% of Twitter posts ever Tweeted.
    1. Re:Too little, too late. by TheSpoom · · Score: 1

      Ah, that means that in addition to not being able to tell people about it, the researcher will now be liable, perhaps even criminally so. Just wait.

      --
      It's better to vote for what you want and not get it than to vote for what you don't want and get it.
      - E. Debs
    2. Re:Too little, too late. by ebno-10db · · Score: 1

      These cars with remote/keyless entry and start are already being stolen, even directly off of dealer lots. The criminals have already figured out what he was going to present, and are using it to their advantage.

      Do you know whether they've been using this specific hack though, or whether they've been breaking into cars with the same sort of "security" system? That does make a difference. Otherwise it's like saying that computers get hacked, so it doesn't matter how you reveal information about a specific exploit.

    3. Re:Too little, too late. by Anonymous Coward · · Score: 0

      This brings up another point. How much do vehicle security systems really help stop vehicle theft?

      It seems to me, the relative few people motivated to steal cars (especially right off of dealer lots) are sophisticated enough that the simple concept of locking doors and a required key or keyfob to start the engine won't deter almost any of them?

      The *real* security lies in the unique VIN's issued to each vehicle manufactured and stamped in multiple places, combined with strict legislation surrounding new vehicle registration and licensing.

      After all, most vehicles are purchased with bank loans with the vehicle itself as the collateral. Repo men come get these cars and trucks every day for failure to pay on a loan, and it's not like the owners are surrendering their keys voluntarily in most of these situations.

      It's the VIN and the registration laws that deter a lot of vehicle theft, because it's simply too difficult to get away with actually USING the car or truck on the roads, after you steal it. The pros are probably chopping them all up for parts, and that's a considerable amount of work to do -- and not likely to be worth the trouble if you're not really connected in the industry so you have enough buyers.

    4. Re:Too little, too late. by TechyImmigrant · · Score: 1

      That's why the real car theft business feeds the parts business. Steal it - take it apart - sell the parts.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    5. Re:Too little, too late. by Princeofcups · · Score: 2

      These cars with remote/keyless entry and start are already being stolen, even directly off of dealer lots. The criminals have already figured out what he was going to present, and are using it to their advantage.

      And why my Mini dealer was very clear about why you have to insert the space age key in order to start the car, and they have no auto start option. Don't think that the dealers don't know that they are selling a defective product.

      --
      The only thing worse than a Democrat is a Republican.
    6. Re:Too little, too late. by mjwx · · Score: 1

      These cars with remote/keyless entry and start are already being stolen, even directly off of dealer lots. The criminals have already figured out what he was going to present, and are using it to their advantage.

      And why my Mini dealer was very clear about why you have to insert the space age key in order to start the car, and they have no auto start option. Don't think that the dealers don't know that they are selling a defective product.

      This. I don't care about keyless entry, I learned this lesson owning an old EK Civic. Every 2 months I'd come out to find receipts all over the floor because someone would pop the locks on my car with some wire then rifle through the glove box and centre console for anything valuable. After the third time, I left a sign asking them to put the receipts back into the centre console and they were welcome to the 50 cents in the ashtray. The car was never stolen as that was harder than popping the lock.

      To be honest, I'd rather petty thieves were able to get into the car without breaking a window, I'm smart enough not to keep anything valuable in there.

      Now keyless entry and keyless start makes it easy to steal the car when a crim breaks into it.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    7. Re:Too little, too late. by RevDisk · · Score: 1

      Tis why I had my mechanic rig the auto start to shut off the engine if the brake is used without a key physically being in the ignition. You could still get into the car, sure. If a thief could hotwire a car, he can open a door anyways. Just don't keep anything exceedingly valuable in the car.

      Also, properly positioned flood lights are your friend. The difference between my testimony convicting a car thief and the guy not even being suspected in the first place was spending a couple extra bucks on good motion lighting and proper positioning.

  9. How by Anonymous Coward · · Score: 1

    do we fire a bad judge?

    1. Re:How by Anonymous Coward · · Score: 3, Funny

      do we fire a bad judge?

      Out of a cannon?

  10. Sell it. by ponraul · · Score: 1

    Might as well sell that exploit to the RBN and make some money off of the deal if you can't disclose it publicly.

  11. Jurisdiction? by Luthair · · Score: 2

    How can a UK judge exercise anything over something happening in the US? Not that the US court system doesn't frequently overreach into things occurring outside its borders as well.

    1. Re:Jurisdiction? by Lunix+Nutcase · · Score: 2

      Because a UK citizen is subject to UK law?

    2. Re:Jurisdiction? by Luthair · · Score: 1

      With the exception of sex tourism people aren't usually subject to the laws of their country abroad. (Barring contracts signed of course). e.g. If you were to go to Thailand and paint some graffiti you wouldn't get taken to the local magistrate once you got back home.

    3. Re:Jurisdiction? by SleazyRidr · · Score: 1

      I can't comment for other countries, but in the back of my passport (Australian) it explicitly says that I am subject both to the laws of the country I am currently in, and to Australian law. You are probably right that for something like graffiti they are unlikely to actually do anything about it, but you are still breaking the law.

    4. Re:Jurisdiction? by bluefoxlucid · · Score: 1

      wtf "sex tourism"?

    5. Re:Jurisdiction? by Anonymous Coward · · Score: 0

      google it.

  12. Time to move by DoofusOfDeath · · Score: 5, Funny

    That guy should totally come to the USA. Then he'd have the full protection of the U.S. Constitution, guaranteed by Eric Holder and Barack Obama themselves!!!

    1. Re:Time to move by viperidaenz · · Score: 1

      Where do you think USENIX '13 is being held? Washington DC in the UK?

    2. Re:Time to move by g0bshiTe · · Score: 0

      The US Constitution only protects US citizens.

      --
      I am Bennett Haselton! I am Bennett Haselton!
    3. Re:Time to move by Anonymous Coward · · Score: 0

      Well, it's "supposed" to protect US citizens.

    4. Re:Time to move by starless · · Score: 2

      The US Constitution only protects US citizens.

      In general, the US constitution protects all people within the US, not just citizens. Although there are some differences.
      Detailed academic discussion here:
      http://scholarship.law.georgetown.edu/cgi/viewcontent.cgi?article=1302&context=facpub

    5. Re:Time to move by cusco · · Score: 2

      Bullpuckey. The only place where citizenship is mentioned in the Constitution is when it refers to the ability to hold public office. Everything else refers to anyone anywhere in the jurisdiction of the US, whether it be Kentucky, Guam, a US Navy ship, or a yacht in US territorial waters.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    6. Re:Time to move by Anonymous Coward · · Score: 1

      That guy should totally come to the USA.

      In other words, don't leave any body parts behind.

    7. Re:Time to move by Anonymous Coward · · Score: 0

      Wrong!

      Oh so fucking wrong.

      It applies to everyone currently within US borders.

      You ignorant fuckstains are a blemish to America, leave please.

      I bet the simple act of you moving out of the country would result in a measurable increase of average IQ of americans.

    8. Re:Time to move by Anonymous Coward · · Score: 0

      Five lines, each one +5 Informative.

      Where are my mod points when I need them.

    9. Re:Time to move by Anonymous Coward · · Score: 0

      The only place where citizenship is mentioned in the Constitution is when it refers to the ability to hold public office.

      I don't know where you got an idea like that. The constitution also mentions citizenship with respect to:

      1. Persons who are subject to the power of the judiciary (Article II, section 2)
      2. Persons entitled to the privileges and immunities of the several states (Article IV, section 2)
      3. Limits who can sue a state in federal court (Amendment XI)
      4. Guarantees citizenship to persons born in the US (Amendment XIV)
      5. Makes rights defined at the federal level apply to citizens at the state level as well (Amendment XIV)
      6. Punishes states for infringing on a citizen's right to vote (Amendment XIV)
      7. Requires citizens have the right to vote regardless of race, color, or previous condition of servitude (Amendment XV)
      8. Extends the right to vote to female citizens (Amendment XIX).
      9. Prohibits the use of taxes to bar a citizen's right to vote (Amendment XXIV)
      10. Grants citizens age 18 or older the right to vote.
    10. Re:Time to move by Valdrax · · Score: 1

      Sadly, that is not how the Supreme Court always interprets things. While the general principle has been that noncitizens have the same rights as citizens, they've often been ambivalent on the specific details. Consider Hamdi v. Rumsfeld (2004), in which the court held that citizens who were kept prisoners as "unlawful combatants" have the right of habeas corpus, but that non-citizens held similarly did not.

      Another example is Harisiades v. Shaughnessy (1952), in which the Court held it legal to expel immigrants who were Communist Party members -- a discrimination based purely on political belief that would not be legal to perform against citizens.

      In Demore v. Kim (2003) the Court noted that "Congress regularly makes rules that would be unacceptable if applied to citizens" in the realm of immigration law. There, the court upheld a statute that required aliens charged with certain crimes to be detained in prison pending a deportation hearing regardless of whether they were a danger or a flight risk (and thus normally entitled to bail). It was the first case holding that anyone can be put in preventative detention without an individualized assessment of the need for said detention.

      --
      If it's for-profit but free, you're not the customer -- you're the product (e.g., the Slashdot Beta's "audience").
    11. Re:Time to move by fnj · · Score: 1

      In general, the US constitution protects all people within the US, not just citizens. Although there are some differences.
      Detailed academic discussion here:
      http://scholarship.law.georgetown.edu/cgi/viewcontent.cgi?article=1302&context=facpub

      Yeah, you could read a bunch of smoke blown by lawyers or other low lives. Or you could just, like, I don't know, read the first amendment for yourself. It's written in plain language and is extremely brief.

      Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the Government for a redress of grievances.

      Hmmm, it talks about "the people", not "citizens". And it talks about "no law", not "no law that affects specifically citizens". I'd say it's pretty obvious.

      In fact the entire constitution is short (4400 words) and very readable. All the constitutions I've seen are in plain language. The 1977 version of the constitution of the USSR was pretty long and detailed, but it was plain enough. In fact it contained something sadly lacking the US constitution that could have saved an enormous number of lives in 1861. It expressly recognized that the individual constituent republics could secede; hence the breakup of the USSR was practically bloodless. Lack of that explicit language in the US constitution meant a single tyrant was able to butcher about 600,000 of his own fellow citizens.

  13. Let it leak out by hawguy · · Score: 2

    I sure hope someone doesn't "accidentally" break into his computer, steal the exploit and publish it in the wild. Wouldn't want to force VW into finding a solution. Much better to pretend that only the white-hat hackers know about the hack and that the bad guys are too stupid to have figured it out. Security through pretending is the best security.

  14. Stupid!!!! by Steve_Ussler · · Score: 0

    Did they not hear of the Streisand effect? This will get out quicker than they are trying to stop it.

    1. Re:Stupid!!!! by Lunix+Nutcase · · Score: 1

      Did Joe the Dragon get a second account?

    2. Re:Stupid!!!! by Anonymous Coward · · Score: 0

      lol. I wish I had mod points.

  15. The solution is dead-simple. by Anonymous Coward · · Score: 0

    Suddenly, some "other" random person posts that he found this out "too". And about how this scientist was "an amateur. Haha. I'm much better!". And immediately discloses the whole thing.

    Completely anonymous of course.

    What are they gonna do?

    There's a reason I always say it's impossible to "own" information since it's impossible to *control* information. This is a textbook example.

  16. The Flatbed Truck Vulnerability by zenrandom · · Score: 5, Funny

    I'm going out on a limb, disclosing this publicly and all. But all vehicles on the roads today are vulnerable to a nefarious flat bed truck with a winch. Said driver pulls up to the vehicle, lowers the ramp, attaches the winch, and pulls the target vehicle onto the truck. Once vehicle is secured to the truck, they drive away. I've not contacted any manufacturers on this vulnerability, but I feel that disclosing it publicly may keep the public informed.

    1. Re:The Flatbed Truck Vulnerability by couchslug · · Score: 2

      A snatch truck with a wheel lift is even quicker, and having done repos with a friend I can say bystanders rarely say or do anything.

      Once you get the vehicle off the property they can't legally block you from taking it (in my State) so we'd shoot the wheel lift under whatever end of the car was handy. Depending on the car we'd even leave a hitch ball attached to the wheel lift and snag the lower core brace (they were all owned by my bud's car lot) and drive off instantly rather than locking the wheel lift bars. (It was an old Century for those who care.)

      You can drive down many a residential street or parking lot with the rear brakes locked, tires boiling smoke, and no fucks given!

      The flatbed ("rollback") cares not even if there are no wheels on the target vehicle. It'll skid just fine.

      Good times.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    2. Re:The Flatbed Truck Vulnerability by Anonymous Coward · · Score: 1

      And in Texas, even if it's wrongful, it's not a crime.

      The person with their car stolen has to actually sue you for an illegal tow. And you can screw him really hard by moving said car in front of a no parking sign, snapping a picture, then continuing on your business.

  17. The moral of this story is. . . . by Anonymous Coward · · Score: 2, Insightful

    " He should have disclosed without notifying. That way they could not have stopped him. "

    BINGO.

    Quit trying to give the manufacturers / developers the benefit of the doubt here. Time and time again it's obvious they're not interested in doing the right thing, but rather resorting to litigation to shut people up about critical flaws in their product. I know it's bragging rights and all that, but you really should keep your mouth shut until AFTER you've made the disclosure public.

    Unless they're paying $$$ for said bug reports, then it's your call to consider if they can buy off your silence or not. I know what the moral thing to do is, but your financial situation may inject some additional considerations into the matter.

    1. Re:The moral of this story is. . . . by plover · · Score: 1

      Others have gone so far as to suggest it's safer to stay low, and simply sell the vulnerabilities to the highest bidder. Pocket the money, and let someone else worry about if it's a good guy or a bad guy buying it.

      It's a completely amoral stance, of course, and I don't personally agree with it. But when a well-intentioned bug report can easily turn into an accusation of violating the Computer Fraud and Abuse Act by some sleazy company who doesn't want to pay to fix their own vulnerabilities, it's an approach that's actually less likely to get the researcher thrown in jail. Nobody ever deserves to be harassed for pointing out vulnerabilities.

      --
      John
    2. Re:The moral of this story is. . . . by Anonymous Coward · · Score: 0

      Quit trying to give the manufacturers / developers the benefit of the doubt here. Time and time again it's obvious they're not interested in doing the right thing, but rather resorting to litigation to shut people up about critical flaws in their product.

      I agree with you in principle, but what will actually happen is that you'll be the subject of lawsuits if discovered, and a huge propaganda campaign will be directed against you. They have the ear of the media, as well as sock puppets and astroturfers who'll start posting about how the person didn't give the company a chance and they should be punished.

      I'm fairly sure we've already seen it on /.

  18. Sounds like it's already out there... by GodfatherofSoul · · Score: 4, Interesting

    It emerged in court that their complex mathematical investigation examined the software behind the code. It has been available on the internet since 2009.

    My only objection to hackers revealing exploits is they must give the affected company time to fix the problem. This time is going to be longer for VW since their software is literally running all over the world. But, 4 years is ample time.

    I'd be curious to know exactly what VW has done to address the problem, or more broadly did they even *bother* to fix the problem.

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
    1. Re:Sounds like it's already out there... by Lehk228 · · Score: 2

      companies have shown time and time again they do not properly handle "responsible disclosure" as in this case they use the courts to silence the messenger.

      the only remaining option is immediate, anonymous full disclosure, preferably released as a metasploit module in order to maximize the consequences for sloppy and reckless vendors

      --
      Snowden and Manning are heroes.
    2. Re:Sounds like it's already out there... by Anonymous Coward · · Score: 0

      Except the consequences are not for the vendor, but for his customers - especially if the vendor can claim he never knew about the vulnerability because it wasn't directly disclosed to him.

    3. Re:Sounds like it's already out there... by betterunixthanunix · · Score: 1

      My only objection to hackers revealing exploits is they must give the affected company time to fix the problem

      On the other hand, if a company's customers keep getting burned by the poor security of the company's products, that company might rethink its engineering methodology...

      --
      Palm trees and 8
  19. Dupe by Anonymous Coward · · Score: 1

    http://tech.slashdot.org/story/13/07/28/019222/english-high-court-bans-publication-of-0-day-threat-to-auto-immobilizers

  20. Preventing him speaking will prevent car theft.. by kawabago · · Score: 1

    Hey, where's my car?

  21. A limey writes by maroberts · · Score: 5, Informative

    No we don't have a Bill of Rights, but we do have the European Convention on Human Rights incorporated into UK Law, which does have an Article 10: Freedom of Expression. There are restrictions in the European version as opposed to the simpler US one though....

    --

    Donte Alistair Anderson Roberts - hi son!
    Karma: Chameleon

    1. Re:A limey writes by Shimbo · · Score: 1

      No we don't have a Bill of Rights

      Er, yes we do. We had it first.

    2. Re:A limey writes by maroberts · · Score: 2

      You win - forgot about the 1689 Bill of Rights. I was only little then. :-)

      --

      Donte Alistair Anderson Roberts - hi son!
      Karma: Chameleon

    3. Re:A limey writes by mrbester · · Score: 1

      A pity that none of it applies any more, hence all that European Convention malarkey where countries get to cherry pick bits they like and water down bits they don't.

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    4. Re:A limey writes by Anonymous Coward · · Score: 0

      The letter of the law doesn't matter, it's how it's applied by courts.

      Until about the 1940s/1950s, the United States Supreme Court followed a rational basis standard for Free Speech, which means that any rationale one could come up with (such as protection of "patriotism" or "democracy") was sufficient to suppress speech. This is why for 150+ years the federal government and states regularly suppressed speech. It's why so many confrontations, especially in the late 1800s, became violent--because states had harsh laws about the content and place of speech, and simply handing out flyers in a public park was often illegal and made you subject to arrest without any defense whatsoever. There were almost no protections about the content or mode of public speech; the First Amendment was almost a dead letter because it was subject to almost any legislative law.

      Justices Holmes and Brandeis changed our interpretation of the Free Speech clause in particular, as well as introduced a theory about the role of speech in the evolution of politics in general which has slowly spread around the world (namely the "marketplace of ideas", which uniquely appealed to both liberals and conservatives alike). But most countries even in Europe don't apply free speech protections as forcefully as American courts do. And that's largely to do with the fact that, though European courts are aware of the American concept, they feel less free to override legislative judgments, especially when it comes to matters of security and law & order.

    5. Re:A limey writes by Grant_Watson · · Score: 1

      Er, yes we do. We had it first.

      And our (the American) revolution was largely inspired by its principles.

    6. Re:A limey writes by Impy+the+Impiuos+Imp · · Score: 3, Interesting

      The devil is in the details, which is why the elegant simplicity of the US Constitution is vastly preferable to these more complicated, lawyerly expressions of "rights", designed by politicians, for politicians.

      Just the wording oozes with the power hungry not wanting to give up their power:

      Article 10 – Freedom of expression
      1. Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers. This article shall not prevent States from requiring the licensing of broadcasting, television or cinema enterprises.

      2. The exercise of these freedoms, since it carries with it duties and responsibilities, may be subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society, in the interests of national security, territorial integrity or public safety, for the prevention of disorder or crime, for the protection of health or morals, for the protection of the reputation or rights of others, for preventing the disclosure of information received in confidence, or for maintaining the authority and impartiality of the judiciary.

      Loopholes big enough to drive an Airbus through. And I didn't even bother highlighting "public safety", "prevention of disorder or crime" or other get out of jail free cards rendering the whole thing largely meaningless.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    7. Re:A limey writes by Anonymous Coward · · Score: 0

      The US has gag orders. The result would have been the same in the US.

      I honestly think this gag is okay (under extremely short time frames with restrictions that VW needs to do its job) and then it will be lifted.

    8. Re:A limey writes by ae1294 · · Score: 1

      The devil is in the details, which is why the elegant simplicity of the US Constitution is vastly preferable to these more complicated, lawyerly expressions of "rights", designed by politicians, for politicians.

      Just the wording oozes with the power hungry not wanting to give up their power:

      Article 10 – Freedom of expression
      1. Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers. This article shall not prevent States from requiring the licensing of broadcasting, television or cinema enterprises.

      2. The exercise of these freedoms, since it carries with it duties and responsibilities, may be subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society, in the interests of national security, territorial integrity or public safety, for the prevention of disorder or crime, for the protection of health or morals, for the protection of the reputation or rights of others, for preventing the disclosure of information received in confidence, or for maintaining the authority and impartiality of the judiciary.

      Loopholes big enough to drive an Airbus through. And I didn't even bother highlighting "public safety", "prevention of disorder or crime" or other get out of jail free cards rendering the whole thing largely meaningless.

      Holy shit... that basically says you have freedom of speech and then the remainder says you have no freedom of speech... That is totally fucking meaningless. It should just read - "You have the right to freedom of expression as long as we don't disagree with what you're saying".

    9. Re:A limey writes by Anonymous Coward · · Score: 0

      Holy shit... that basically says you have freedom of speech and then the remainder says you have no freedom of speech... That is totally fucking meaningless. It should just read - "You have the right to freedom of expression as long as we don't disagree with what you're saying".

      As opposed to the US constitution, where the rights are spelled out as being absolute but in practice the same rules apply. Take freedom of speech for example. The first amendment seems absolute, until you realise that the legal definition of 'freedom of speech' excludes things such as some types of defamation, death threats, criminal conspiracies, leaking official secrets by officials, leaking info for insider trading by fiduciaries, breaking confidentiality clauses in employment contracts etc, all of which can be punished with criminal penalties or bankrupting levels of tort damages. You might be able to defend these exclusions or to not think these examples of speech are valuable, just as the Chinese defend their rules against speech that upsets the social order. Whether you do or not the US does not have an absolute free speech right.

      The US constitution might seem better to a casual reader, but that's only possible because the lofty rhetoric about freedom has always been interpreted in practice in much the same ways that you detest in the ECHR.

    10. Re:A limey writes by maroberts · · Score: 1

      The licensing of limited resources is perfectly legitimate, but licensing of items such as a satellite dish to receive such things is not. Actually this is the first time I've noticed this - one wonders if it is possible to challenge the legitimacy of the UK TV license as a breach of ECHR law....

      --

      Donte Alistair Anderson Roberts - hi son!
      Karma: Chameleon

    11. Re:A limey writes by maroberts · · Score: 1

      With regard to section 2 of Article 10, you have to show that any of the exceptional clauses are "necessary in a democratic society". If you can demonstrate to the court that it's not necessary even if a law was aimed at prevention of disorder or crime, then it's interpreted as a breach of the ECHR. Protecting morals for example has generally been interpreted in the European Court as a weak-assed defense and not necessary.

      --

      Donte Alistair Anderson Roberts - hi son!
      Karma: Chameleon

    12. Re:A limey writes by Impy+the+Impiuos+Imp · · Score: 1

      It took less than 24 hours for Slashdot to disprove you.

      We are aware of the eternal effort of politicians to weasel loopholes. Hence building in exceptions to aid their weaselhood is...unwise.

      --
      (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
    13. Re:A limey writes by ae1294 · · Score: 1

      The US constitution might seem better to a casual reader, but that's only possible because the lofty rhetoric about freedom has always been interpreted in practice in much the same ways that you detest in the ECHR.

      Hey now I'm not saying we in the US are any more free than people anywhere else. I honestly have never seen Article 10 written out before because it doesn't mean much to me here in the US and I've never had the chance to travel to Europe and only know a few people over there. My remarks aren't flag-waving nationalist bullshit, I am just really shocked by the wording. To me it reads as I had said. That you have freedom except you don't... It honestly makes me sad because I'd love to leave the US permanently one day and I always figured most of Europe, except the UK, was generally better than the US in most every way but I guess I have been wearing rose colored glasses...

  22. Yet another misleading slashdot summary/headline by Anonymous Coward · · Score: 4, Informative

    I almost don't want to post this, rather than continue to watch the slashdot flock get herded around the meadow yet again. But guess what. The Ars Technica article (ironically headlined "High court bans publication of car-hacking paper") states:
    "The company asked the scientists to publish a redacted version of the paper without the crucial codes, but the researchers declined, claiming that the information is publicly available online."

    So yeah, the publication of the paper was never at stake.

    This little tidbit makes most of the above comments (including those already up to +5) look pretty ridiculous.

  23. Re:Preventing him speaking will prevent car theft. by Anonymous Coward · · Score: 1

    Nothing new here, if the judge didn't like or agree with the message (or got a big payoff) then it's simple: "shoot the messenger of bad news".

  24. Censorship? by greggman · · Score: 1

    How is this not different from banning people from saying that if you break the window of a building you can get in and steal things?

  25. Meta:This is why we have a first amendment. by Anonymous Coward · · Score: 0

    Is anybody else worried about going to a site called "vag-info.com"?

    1. Re:Meta:This is why we have a first amendment. by SleazyRidr · · Score: 1

      It's in my list of sites to check when no-one's around.

  26. Misleading article and summary. by julian67 · · Score: 5, Informative

    In the article:
    "The judge, Colin Birss, ultimately sided with the car companies, despite saying he "recognized the importance of the right for academics to publish.""

    This is very misleading. The judge did not "ultimately" side with anyone because this is an *interim* injunction during the course of more prolonged litigation. Citation:

    http://www.bbc.co.uk/news/technology-23487928
    and
    http://www.itpro.co.uk/security/20291/vw-gets-high-court-bans-scientists-revealing-luxury-car-security-codes

    The purpose of the interim injunction is to temporarily maintain the status quo while further evidence and arguments are presented, prior to any actual and significant judgement.

    Once again slashdot avoids objective reporting and instead offers its readers what they actually prefer and craze: dishonest, misleading, untrue versions of the world that play to the infantile prejudices of the average self righteous and privileged pseudo liberal.

    1. Re:Misleading article and summary. by julian67 · · Score: 1

      crave not craze. Slashdot's hysteria and ineptitude is so contagious that I'm going cravy.

    2. Re:Misleading article and summary. by julian67 · · Score: 1

      By definition an interim injunction is neither permanent nor irreversible. To assert that interim means "permanent and irreversible" is actually to identify yourself as an idiot. I can see why you posted anonymously: you're too stupid to figure out how to make an account.

      This will come as a surprise to you but self righteous certainty does not allow you to ignore facts or redefine words or somehow magically align the real world with your aggrieved perception of it. OK it does allow you to do that within your own atrophied mind and within your rent-a-homogenous-flapping-jaw peer group, but fortunately for the rest of the world that carries about the same moral force and earth shaking gravitas as a small child complaining he doesn't like to eat broccoli.

      If the value in the research is merely novelty or as some fleeting attraction for the populist press then who cares anyway? If there is some genuine merit in the research then that will not be diminished by being published in September instead of August or on a Tuesday instead of a Monday etc etc.

    3. Re:Misleading article and summary. by Anonymous Coward · · Score: 0

      This.

      What the judge is doing here is acting on the safe side while the arguments are being discussed: "don't publish anything until we decide whether you should have the right to do it or not".
      Allowing the researchers to publish the full paper would be the same as immediately awarding the case to them. It'd be meaningless if later VW won the case -- the codes would already be out there.

      Imagine for a moment that he had discovered an easy way to open any door to any home in the world and wanted to publish it. Wouldn't you be happy that the guy is taking the safer approach to this?

  27. Re:Yet another misleading slashdot summary/headlin by Arker · · Score: 1

    The paper without the codes is not the paper, doh.

    --
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-
    Friends don't let friends enable ecmascript.
  28. The two other hackers go to court by Teun · · Score: 1

    The Dutch university of the other two hackers has asked a Dutch court to let them release their findings.

    http://www.telegraaf.nl/binnenland/21769604/__NL_se_vinding_geblokkeerd__.html

    From the University site: http://www.ru.nl/english/general/news_agenda/news/@895890/radboud-university-0/

    Interesting is the statement VW was informed about the problem nine months ago and Dutch Government/Jurisprudence finds 6 months of silence already sufficient.

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  29. This is why I go all-manual by Anonymous Coward · · Score: 0

    No keyless entry. No remote start. No power locks. No power windows.

    Sure, someone can sneak into my driveway at night, jimmy the lock, pop the hood or get access to the wires in the cabin, install a black box, and p0wn me, but they won't be able to do it remotely.

    Making them come to MY car to take control of it increases their effort and increases their risk.

  30. Agree and disagree by EmperorOfCanada · · Score: 1

    If the paper is published then I am 100% sure that you will see actual car thefts; which is bad. But I would not be 100% sure that this isn't already happening. I recently watched a video where people were remotely opening new high-end cars to break into them. The video claimed that this was a new and unknown attack.
    http://abcnews.go.com/US/video/car-thieves-tech-gadgets-baffle-police-18891078
    This may or may not be the same attack but regardless open information that names and shames is critical not only to getting these companies to fix the problem but to be more vigilant about preventing this from ever happening. This prevention will be far less a problem for the car companies if some lawyer can just shut down their critics. To me this is little different than using a lawyer to silence someone from giving you a bad review using the argument that it might hurt sales. Using the argument that this is also protecting the consumer would still be like silencing the bad review if it were a "10 worst used cars to buy" review. That review too would hurt the consumer. The reality is that the consumer bought a car from a company that couldn't be bothered to properly secure their car.

    I really really hope that now that the fact there is a problem will spur some other researchers to quickly identify the problem and I hope they release the details in full into the wild. My only hope is that they give full credit to the original and now censored researchers for their original work.

    As for consumers being hurt; once proof is released that your car is susceptible to theft it is your fault if it gets stolen (in that you know asshat thieves want to steal your car) so it is your responsibility to prevent the theft. Previously you comfortably relied upon the built in security but just like if you found out that a bunch of thieves had a copy of the key to your front door you would change the lock. So this is when you either demand that the car company fix it or you go to a third party and get them to put in something cool and new. The problem is that you don't quite know what is broken and thus what needs fixing. The more information available the better.

  31. String of burglars already using tech. by BrookHarty · · Score: 3, Informative
  32. USENIX by Anonymous Coward · · Score: 0

    Is there a test for dyslexia I can take? Because I totally read that as UNISEX.

  33. Why must it be a reverse-engineered chip? by Ungrounded+Lightning · · Score: 2

    What if it's a software bug?

    Most automobiles these days have their wiring harnesses drastically simplified by replacing enormous numbers of point-to-point wires with a digital bus, conforming to one of a small handful of standards. These control everything from the engine to the seat adjustments to the outside rear-view mirror angles, to the door locks.

    If you can inject your own packets on such a bus, you can command the car to open the doors and start the engine.

    Now it may be possible to inject commands directly by using strong electromagnetic fields near where the bus, or a component on it, is not well shielded.

    But there are a number of devices on the bus that are also radio receivers, with control computers which both parse radio inputs and interact with other parts of the car's electronics over this digital bus. If you can compromise them you can get them to inject commands for you.

    Of course the key radio-fob receiver is the most obvious target. A protocol stack escape might get you directly into the code that unlocks the door. Another obvious target is a remote accident-assistance/monitoring system, such as OnStar. This is essentially a cellphone that deliberately issues such commands. (One thing they do as a service is open your car doors if you lock your keys inside.)

    But there are a number of others where it may be possible to inject malformed packets and exploit a flaw in the radio-side network stack to take over enough control to issue automotive bus commands and achieve the same effect, even if the device wasn't intended to unlock the door. Candidates include:
      - Entertainment systems.
      - Bluetooth "hands free phone" features.
      - GPS navigation systems.
      - Tire-pressure monitoring systems.
    and I could go on.

    You can find such flaws by purely software-driven probes, using stock techniques like "fuzzing" to find a bug that crashes the device, then working up from the known flaw (and perhaps a general knowledge of the processor involved in the component and its typical development environments) into an exploit.

    I have seen a proof-of-concept where one of the above HAS been exploited in this way by a security research team.

    I have also heard news reports of security-camera recordings of carjackers using a box that causes the passenger side door lock of the victim car to unlock itself. So SOME such exploit is already in the wild.

    Any bets on whether Garcia, or the carjackers, got in this way, rather than by electron microscopy?

    Any bets on whether, even if they both DID "do it the hard(ware) way", there is, or will be within the year, an exploit that didn't involve either such pricey techniques (or a data leak from a manufacturer)?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    1. Re:Why must it be a reverse-engineered chip? by BillX · · Score: 1

      There's one in-the-wild I've heard of where the thief busts off one of the motorized side mirrors - a quick kick takes it right out - plugs a hackytool into its wire harness and unlocks the doors via CANbus command.

      --
      Caveat Emptor is not a business model.
  34. The Voice of Reason by Anonymous Coward · · Score: 0

    Judge: "SILENCE, Scientist!"

  35. No good deed goes unpunished by The_Other_Kelly · · Score: 1

    This is getting old, since how many times has this been repeated in the past years?

    If you notify, so that good companies can analyse, patch and protect customers,
    then you risk that "bad" companies will play "sly" and just sue you to stop the
    information, rather than fix the problem. Or even better, fit you up for an attempted
    extortion defense or shift the blame onto the reporter, using spin.

    Most modern companies deny the existence of *any* responsibility to their customers,
    employees or communities (natural, governmental or academic).

    So why the expectation of different behaviour when it comes to security?

    Actually, these issues are pretty useful when it comes to deciding on which
    products to purchase, since you get to see the real ugly shapes behind the PR
    masks.

    VW have pioneered the use of reduced, only 2-year warranties, at least in Europe,
    without lowering the price of their cars. Support is not a priority factor for them.
    Security has obviously been a low priority issue that they have decided *not* to
    "waste" money on.

    If, the issue is really as reported, that given access (either physical or via some wifi "probe"),
    to the controller unit (CAN?) for the ECUs, since VW did not add encryption, authentication
    or serious security, an intruder can control a lot of things in the car, even while it is
    in motion.

    Which means that VW would:
    1. Need not only updated software to fix the controller, they would probably need some
            hardened hardware, probably including some TPM/tamperproof elements.
    2. Need new supplier handling, development, testing, support and dealer support mechanisms.
    3. Have to build a "PKI"-type infrastructure for their dealers, including identification/registration
            key distribution and other key handling nightmares.
    4. To avoid the potential liability issues, they might also need some additional components to
            provide "black box" audit mechanisms, similar to flight recorders. Again with crypto,
            tamper-proofing and crash resistance.

    Which is all EXPENSIVE. And OBVIOUS. And offers dealer chain lockin and other
    non-competitive medium+ term advantages.

    So, apparently faced with an entirely foreseeable issue, VW chose the cheap option, and
    now it has blown up in their faces. So they have to fix this, then do it right anyway.

    And depressingly predictable, what was the response?
    Did they play the quality card, roll with it and try to convert it into a "branding"
    op, while actually addressing the issue?

    Nahh!
    They sent in the lawyers.
    Stifle discussion, threaten academics and try to kick the problem away under the table.
    I would also bet that they are right now lobbying for new "responsible reporting" laws,
    at German and EU levels.

    Appearance, not substance.

    Well, I won't be buying a VW, Audi, Skoda, Seat anytime soon.

    To generalise, unless a company has contracted you to analyse and report on their products,
    then what obligation or benefit do you have to report anything to them?
    If you contact them to report an issue, companies have tried to frame you for extortion in order
    to suppress the security vulnerability. "No comment on judicial process" ...

    Publish and be damned, though the Heavens Fall.

    --
    (R)ule in Hell or (S)erve in Heaven [R]?
    1. Re:No good deed goes unpunished by The_Other_Kelly · · Score: 1

      Ahh! Fun followup!

      VW *have* an encrypted 1024-bit ECU solution in place,
      but this looks aimed at the chipper/modders.

      We all look forward to reading the details when the academics
      publish or, should it leak ...

      --
      (R)ule in Hell or (S)erve in Heaven [R]?
  36. Same temporary order as a few days ago, until hearing by raymorris · · Score: 1

    As the last sentence of TFA mentions, this article is talking about the same temporary injunction that was on Slashdot a few days ago.

    The headline is bogus. The ruling is that they have to wait until a full hearing, because you can't unpublish something once you've published it. There has been no ruling on the merits of the case.

  37. Of course there's no word on when they'll fix it.. by mark-t · · Score: 1

    ...because now, they'll feel like they don't really have to. Or at least they'll feel like they don't need to hurry up about it.

    Meanwhile, people will continue to be vulnerable to (an admittedly smaller number than what might have existed had the exploit details actually been published) criminals who *don't* rely on publicly released information for knowledge for a longer period of time than they would if details of the flaw had become public, forcing Volkswagen to attend to the problem immediately. Plus, of course... this is stealing cars we're talking about here. It's not exactly something that very many people just go about doing just because they can, because even if you know the mechanics of how to steal the car, that doesn't automatically mean you're going to know how to not get caught.

  38. I've always received, sent a response within hours by raymorris · · Score: 1

    Every day, I see about 20 CVEs published with vendor fixes. So roughly 7,000 per year on the CVE list alone where the vendor fixes it promptly. Contrast that with the three or four per year that you are calling "time and time again".

    When I submitted an issue that could have been used to easily DOS Wikipedia and many other sites, the vendor replied within a few hours. In 24 hours, wiki and a few other major targets were patched. Once those were patched, the vulnerability, with fix, was published on the appropriate lists the next day. So about two days to have the fix widely available, including a Debian package update.

    The vendor asked me how I would like to be credited and I asked them to say "Ray Morris of bettercgi.com", adding a plug for my web site.

    Another time, our company was the vendor. There wasn't a complete exploit, just a potential risk. We initiated automatic updates within 48 hours for those customers who allowed them. We then contacted the remaining customers, asking them to initiate an update.

    For our other scare, we thought customer data may have been leaked. We discovered the problem ourselves, internally. I, as the president of the company, spent two days calling customers on the phone to explain the situation. So yeah, most of the time people who run companies have enough brains to do what is obviously the right course of action. Most of the time.

    * it turns out the hacker who could see our customer data was almost certainly me. I logged stuff I shouldn't have.

  39. Every year by Anonymous Coward · · Score: 0

    wtf "sex tourism"?

    That is exactly the question I ask every time I go galloping abroad: Who To Fuck?

  40. Re:Yet another misleading slashdot summary/headlin by Anonymous Coward · · Score: 1

    I almost don't want to post this, rather than continue to watch the slashdot flock get herded around the meadow yet again. But guess what. The Ars Technica article (ironically headlined "High court bans publication of car-hacking paper") states:
    "The company asked the scientists to publish a redacted version of the paper without the crucial codes, but the researchers declined, claiming that the information is publicly available online."

    So yeah, the publication of the paper was never at stake.

    This little tidbit makes most of the above comments (including those already up to +5) look pretty ridiculous.

    No, it's even worse than that. This is an interim injunction. All that means is that 1) Volkswagen's case is not so weak that an order is futile and 2) in the event that Volkswagen were to win, retrospective monetary damages would not be a satisfactory or complete remedy. It does not prejudge whether Volkswagen is actually going to win. The alleged potential damage to Volkswagen's reputation would be hard to put a monetary value on, and the alleged damage to customers would be even harder to reimburse at all (how do you tie a particular car theft in nine months' time to the disclosure today?), so I can see why the judge might think it appropriate to make this order.

  41. Poor VW their shit is dust. by Anonymous Coward · · Score: 0

    Streisand effect. Every exploit will be on them.
    Like the BugSlug.start

  42. It's only fair by Anonymous Coward · · Score: 0

    After all, Volkswagen is a Person and the scientist obviously isn't

  43. it's not the whole story.. by SuperDre · · Score: 2

    I guess the slashdot poster of the article just wants to get some headlines and didn't read the actual story (or at least get his/her facts straight).

    It's not that the judge silences the scientist, Volkswagen didn't have a (real) problem with him publishing the article, what they had an injunction for was the publication of the actual key. The scientist didn't want to publish the article without the actual key and is now whining about being censored.. Most news sites don't actually get the facts anymore these days and just publish only the juicy (incorrect) bits..
    So, the scientist can publish the article as he wants, but without the actual key.. And to me, that's perfectly fine, there is no need to publish the actual key except for his 15 minutes of fame.. And the biggest problem I have with all this, his 'research' (IMHO hobby project) was all financed with public money.. instead of whining, go do some real actual research that really benefits the society which is paying for it..

  44. A Few Days Safety by b4upoo · · Score: 1

    Once it is known that the hack can be done many people will quickly create programs that do the same thing. The cat is out of the bag the moment that people know it can be done. In a way exposure of the vulnerability is a public service. If a hacker did not report this how many millions of cars would be built using the same defective security feature? VW owes the hacker a huge thank you and should write him a check for providing the service.

  45. Needs access to car interior by hughk · · Score: 1

    The method posted requires access to the car interior to get at the OBD2 port. Hopefully you would have set off the ultrasonic alarm before then.

    The device shown is way overpriced, essentially you just need a custom OBD2 device. Just a bit of googling and I managed to find one for a fraction of the price.

    I think these guys are able to break in without access to the OBD2 port, probably by interception of the RFID signals.

    --
    See my journal, I write things there