Judge Rules In Favor of Volkswagen and Silences Scientist

← Back to Stories (view on slashdot.org)

Judge Rules In Favor of Volkswagen and Silences Scientist

Posted by samzenpus on Monday July 29, 2013 @07:56AM from the keep-your-mouth-shut dept.

sl4shd0rk writes "Samsung-is-not-as-cool-as-Apple Judge Colin Birss, rules in favor of Volkswagon to ban Flavio Garcia, a computer scientist, from revealing details about 'Wirelessly Lockpicking a Vehicle Immobiliser' at USENIX in August. Volkswagen says the flaw could allow someone to 'break the security and steal a car' so it is justifiable grounds for blocking Flavio's paper. No word yet on how soon Volkswagen will have a patch."

69 of 254 comments (clear)

Min score:

Reason:

Sort:

If hacking is outlawed by i+kan+reed · 2013-07-29 07:58 · Score: 5, Insightful

Only outlaws will have hackers, or something. It really doesn't work that way, but the protection of rich people's cars will only be temporary.
1. Re:If hacking is outlawed by JoeSchmoe999 · 2013-07-29 09:20 · Score: 2
  
  From TFA: "...Volkswagen's parent company, which owns the Porsche, Audi, Bentley and Lamborghini brands ", if those are not "rich peoples cars" then I'm not sure what is.
  
  --
  You have enemies? Good. That means you've stood up for something, sometime in your life.
2. Re:If hacking is outlawed by lisaparratt · 2013-07-29 09:49 · Score: 2
  
  Not to mention Skoda and Seat, both selling cars aimed at the cheaper end.
3. Re:If hacking is outlawed by interkin3tic · 2013-07-29 11:16 · Score: 2
  
  I suspect that the rich people's cars were safer anyway. You probably can't take a Bentley to a chop shop, and the police probably ONLY really investigate stolen cars that are worth significantly more than my 2006 toyota.
4. Re:If hacking is outlawed by mjwx · 2013-07-29 15:02 · Score: 2
  
  VW (at least in the US) is a 'commoner' car. nothing snooty or elite about any vw other than the very high-end model, which is never seen in the US, anyway.
  As I said, it's the car for those who like to pretend they're rich. The kind of people who cant afford to be "BMW Pricks". They buy A Golf R or GTI and pretend.
  
  bmw and merc
  These are people I call "BMW Pricks". People who buy a 320i and uppity when their 10 second car is passed by a Mazda 3.
  
  --
  Calling someone a "hater" only means you can not rationally rebut their argument.
5. Re:If hacking is outlawed by bleh-of-the-huns · 2013-07-30 01:35 · Score: 2
  
  I do not drive a VW, and when I did, all I talked about were the damn recalls, electrical problems, and the 8 times my windows fell into the door exploding into a billian pieces due to crappy plastic gearing.
  The fact that the diesel gets much better mileage than the hybrids is not something someone argues to sound superior. It is a valid fact, and why would you spend $5k to $10k more on a hybrid which gets worse mileage. If you argue the environmental impact, I will counter with the fact that new diesel engines are much cleaner, and the manufacturing process for the battery components in the hybrids is extremely toxic, so you are just shifting the environmental impact from daily driving to manufacturing.
  
  --
  I came, I conquered, I coredumped
This is why we have a first amendment. by h4rr4r · 2013-07-29 08:00 · Score: 5, Insightful

The cars are vulnerable if he tells the world or not. The only difference is now only the bad actors know about the problem.
He should have disclosed without notifying. That way they could not have stopped him.
1. Re:This is why we have a first amendment. by simonbp · 2013-07-29 08:03 · Score: 4, Insightful
  
  And now that is know that this specific vulnerability exists, it's relatively trivial for someone to repeat Garcia's work and publish it.
2. Re:This is why we have a first amendment. by iggymanz · 2013-07-29 08:05 · Score: 2, Interesting
  
  what the hell? The scientist is from the UK, they don't even have a constitution, much less a bill of rights with amendment mentioning free speach.
  Cue the Limey-o-philes with "UK has a constitution but it's not written" bullshit
3. Re:This is why we have a first amendment. by Stumbles · 2013-07-29 08:06 · Score: 5, Insightful
  
  The Streisand effect strikes again. They will never learn.
  
  --
  My karma is not a Chameleon.
4. Re:This is why we have a first amendment. by h4rr4r · 2013-07-29 08:11 · Score: 5, Insightful
  
  Sure, this is why we have one though. Our founding fathers knew not having one was too dangerous.
5. Re:This is why we have a first amendment. by steelfood · 2013-07-29 08:12 · Score: 5, Insightful
  
  Nah, that'd be unreasonable. What would be more reasonable is that now that Volkswagon is known to not act in good faith (i.e. lawsuit ensue) after an act of responsible disclosure, there's no good reason to first notify them about any subsequent security holes.
  
  --
  "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
6. Re:This is why we have a first amendment. by cultiv8 · 2013-07-29 08:14 · Score: 5, Informative
  
  Here's a video on how they do it on BMW's, same method as A4. Feel free to go here and buy the device yourself.
  
  --
  sysadmins and parents of newborns get the same amount of sleep.
7. Re:This is why we have a first amendment. by Sir_Sri · 2013-07-29 08:25 · Score: 5, Interesting
  
  The only difference is now only the bad actors know about the problem.
  
  Know about but not necessarily how to actually do it. About all they know is from the guardian article that it took upwards of 50 000 GBP worth of equipment (and some security researchers) to actually figure out how to do it.
  
  He should have disclosed without notifying. That way they could not have stopped him.
  
  The point of notification is to give them an opportunity to fix it. The problem with cars is that 'fixing' it may not be possible, or may be astronomically expensive.
  Volkswagon wanted them to publish a redacted version of the paper, that explained how they did the hack but not the actual key (codes) they discovered, and they refused. That seems kind of dickish on the researchers parts honestly. It depends on the details of what exactly was to be redacted, so I'll withhold too much judgment, but with things that aren't connected to the internet there's a big problem in trying to actually roll out fixes. Of course there's no point in publishing a paper if you can't say anything about your method used, and if anything interesting about that was redacted it's basically a non starter.
  As we embed computers into more things this is going to be a bigger problem going forward. Are we going to need to replace 100 dollar car FOB starters every time there's a security hack? I suppose it might come to that, it's not like physical car locks are all that secure either. But if the hack requires 100 000 dollars in equipment and professional security expert time that puts the barrier to common criminals high.
  The researchers main point seems to be that they aren't saying anything that isn't already public just from a different method. In that case sure, I suppose they could have just published and the situation wouldn't be much different. But I'm not sure how true their claim is.
8. Re:This is why we have a first amendment. by Anonymous Coward · 2013-07-29 08:28 · Score: 5, Insightful
  
  You also have secret courts...
9. Re:This is why we have a first amendment. by Samantha+Wright · 2013-07-29 08:30 · Score: 5, Insightful
  
  cultivat8 posted instructions a few minutes before you made your post, so that cat's out of the bag. Now the only value this suppression serves is in protecting the ignorance of people who are in danger; the car company saves a bit of face with its less-aware customers and investors, and that's about it.
  
  --
  Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
10. Re:This is why we have a first amendment. by h4rr4r · 2013-07-29 08:40 · Score: 2
  
  If you notify they will just sue you instead of fixing it. Which is what VW has now done.
  Car locks could be very secure, car companies chose POS methods. $100,000 is not a big deal when you can do the research and sell the results to crime rings.
11. Re:This is why we have a first amendment. by Lumpy · 2013-07-29 08:45 · Score: 5, Informative
  
  Yeah and our scumbag leaders wipe their ass with it daily.
  Oh that right is protected by the constitution? Now you are an enemy combatant, it doesn't protect you anymore. Yes, we are calling you that for wearing blue on orange mondays... to the waterboarding with you!
  
  --
  Do not look at laser with remaining good eye.
12. Re:This is why we have a first amendment. by Lumpy · 2013-07-29 08:46 · Score: 2
  
  BMW execs and VW public relations people.
  
  --
  Do not look at laser with remaining good eye.
13. Re:This is why we have a first amendment. by mikeiver1 · 2013-07-29 08:49 · Score: 4, Insightful
  
  I suspect that the hack is rather simple and you can be very secure in the knowledge that there are now like a dozen plus persons looking very hard at their key controls with an eye at releasing the hack to simply screw VW for the snub. Fallout be damned. On the other side of it you can not tell me that VW didn't know that they had a security issue and simply waited to fix it because it might cost a few dollars or euros or what ever. Screw the customer for the buck.
14. Re:This is why we have a first amendment. by TubeSteak · 2013-07-29 08:56 · Score: 5, Informative
  
  , it's relatively trivial for someone to repeat Garcia's work and publish it.
  The speculation is that Garcia sliced the chip layer by layer to reconstruct the logic and algorithms that VW's Megamos Crypto uses.
  That's neither quick to do, nor trivial to recreate.
  
  --
  [Fuck Beta]
  o0t!
15. Re:This is why we have a first amendment. by Karl+Cocknozzle · 2013-07-29 09:02 · Score: 2
  
  The cars are vulnerable if he tells the world or not. The only difference is now only the bad actors know about the problem.
  He should have disclosed without notifying. That way they could not have stopped him.
  Believe me, as first-amendment crushing lawsuits like this become "standard" the "no notice" release of major flaws will also become standard.
  Then the government will be lobbied to label these researchers who release without prior notice to be "terrorists" or "aiding the enemy" and lock them in prison for "abetting car theft" or some such similar nonsense.
  For that matter, why not just lock up every security researcher that won't sign an agreement (in advance) to only release security research with the approval of the subject of the research? That way we know which security engineers are likely to be "terrorists" and which ones are the good guys.
  
  --
  Who did what now?
16. Re:This is why we have a first amendment. by ArsonSmith · 2013-07-29 09:32 · Score: 2
  
  This is akin to not being allowed to yell fire in a crowded move house, when there actually is a FIRE!
  
  --
  Paying taxes to buy civilization is like paying a hooker to buy love.
17. Re:This is why we have a first amendment. by lightknight · 2013-07-29 09:32 · Score: 4, Insightful
  
  Perhaps, but for someone who wants to yank thirty or forty cars off the street, with minimal risk, it might be worth a modest investment.
  You'd need what, an electron microscope, some custom software to trace the images you scan and convert them back to logic, then someone to write an app / engineer some hardware to make it trivial for you to grab anything you want. Assuming you are grabbing thirty new VWs, at $20K / pop...that's $600K...so, the cost of an electron microscope (may or may not be costly...might get a second-hand one for cheap), and an Electrical Engineer @ 120K + Computer Scientist / Software Engineer @ 120K (so they'll actually do the work, keep their mouths shut, and provide 'updates' to the software / hardware they design at an agreeable rate, since 30-40 cars might easily become 3000-4000 cars provided you don't act like a Mafia-Don and try to kill the wrong people / short the wrong people ("Hey, they did the job; now let's double-cross them, and whack them, so we can keep their share, and they can't tell anyone..." -> Hollywood derp -> Good people are hard to come by, and even harder to replace); I say updates, because the car companies will begin changing stuff as soon as they hear that their cars are getting snatched, and updates are cheaper with people you know, who are 'happy' with you, than people who are PO'ed at you, or are dead).
  Still, it seems a lot of work for little cash. Now, getting elected to the Board of Governors for the Federal Reserve...well, they can just print money when they need a little more. Now that's thinking with your head.
  
  --
  I am John Hurt.
18. Re:This is why we have a first amendment. by lgw · 2013-07-29 09:48 · Score: 2
  
  You might pick a better example (it's not like it's hard to find examples of our leaders wiping their ass with the constitution, after all).
  There's nothing wrong with calling someone who participates in combat against the US military on foreign soil an "enemy combatant".
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
19. Re:This is why we have a first amendment. by lightknight · 2013-07-29 09:50 · Score: 2
  
  Lol, I was particularly touched that they consider insistence on having any rights to be symptoms of grandiose behavior, and evidence of psychological distress...I think some of the (everyone's favorite) DSM (perhaps one of the later editions) has, perhaps, one or two disorders which read something to that effect. And sadly, many years later, I can finally see exactly why they would think someone is insane for thinking that...because they're right; you don't have any rights, and that piece of paper is a lie. A convenient lie, but a lie; it may say you have freedom of speech and that your government is charged with protecting those rights...but no one who has studied the history of the United States can, with a straight face, say that it has given anything but lip service, when it suited itself, to the idea of freedom of speech. Your government...protecting your rights? There is no evidence of that...well, 1% evidence for, 99% evidence against it; a Stockholm syndrome patient is the only person who would, having carefully seen the truth, attest otherwise. Your government and you are the belligerents...and every day is a test to see who is taking more from the other; usually your government wins, simply by default...it can, with a wave of its hand, have its courts all stand up and say that black is white, and that freedom of speech does not cover certain kinds of speech, so help you God.
  And let's be honest...it has failed the various tests for freedom of speech. Facebook postings leading to arrests? What kind of amputated mind considers such things? Why, if we prize a free and open society, are we seeing people maneuver to cut others down for opening their mouths, and speaking their minds? Do they, perhaps, think the whole freedom of speech thing is simply a ruse to find the rebels, infidels, and unlucky, and to remove them from the population? Or perhaps, they believe, cloaked in shadows, that others aren't, in turn, following them, and asking, "How much longer shall we let them harm the innocent?" 'Tis the wonderous thing I once learned, that the watchers never think they are being watched...that they alone are somehow isolated, and privy to things that no others can see, from their hidden vantage points. I say we have an open and free society, for what little that might be worth...and if anyone goes missing, we go looking for them.
  
  --
  I am John Hurt.
20. Re:This is why we have a first amendment. by Zalbik · 2013-07-29 10:17 · Score: 5, Funny
  
  Ahh...but you are forgetting a few things:
  1) You have to double the estimate of your Software Engineer. In MBA school they taught us to always double the software guy's estimate.
  2) You haven't included any quality assurance!?! At least another $120k for a good QA team, plus the tools necessary for automated testing.
  3) You've got 3 people on the team now, so you should include a PM. That's another $240k at least.
  4) And you'll need a business analyst. Luckily, it should be easy to find one who isn't so "morality constrained". Say another $180k for them.
  Just to be on the safe side, you should overestimate everything by 50% (yes, I know we already doubled the dev estimate, but this is what Joe's MBA School of Mastering Business Administration and Cheap Web Hosting taught me).
  So overall, the cost is:
  Software Engineer: 240K
  Elecrical Engineer: 120K
  QA: 120K
  PM: 240K
  BA: 180K
  Subtotal: 900K
  Total (add 50% for good luck): 1.3 Million.
  Now you should add 15-20% per year for support/maintenance, etc. So it's 1.3 Million capital outlay, plus $260,000 per year.
  Pretty pricy, but still....it's cheaper than SAP.
  /sarcasm off
21. Re:This is why we have a first amendment. by Urza9814 · 2013-07-29 10:32 · Score: 4, Informative
  
  Company A uses reprogrammable chips and does the responsible thing. When their chips get hacked, they issue a recall, and people go to the dealer to get theirs reprogrammed.
  Company B is Volkswagen.
  John Doe goes in to but a new car. They look at the vehicle report for the car from Company A, and they see it's been recalled for a failure in the security system. They look at the vehicle report for a Volkswagen, and they see no recalls. So they buy the Volkswagen.
  Your assertion is only valid in a world where all consumers carefully research every purchase. *Nobody* does this -- it's not possible. Not enough hours in the day. For something as big as a car there's a decent chance they will, but even then I bet plenty of people don't.
22. Re:This is why we have a first amendment. by mysidia · 2013-07-29 11:40 · Score: 3, Funny
  
  Now you should add 15-20% per year for support/maintenance, etc. So it's 1.3 Million capital outlay, plus $260,000 per year.
  Ugh... that's way too expensive; you need to lay someone off.
  Lay off one software engineer to save 40K
  Cut everyone else's Salaries by 60%. Give the CEO a 500K bonus.
  New cost tally:
  Software Engineering: Outsourced to China: 10K
  Elecrical Engineer: 48K
  QA: 48K
  PM: 96K
  BA: 72K
  Bonus for CEO: 500K
  Discount due to cooking books: -200K
  Subtotal: 574K
  Total Money saved: 726K (56% cost reduction)
23. Re:This is why we have a first amendment. by TheGratefulNet · 2013-07-29 14:37 · Score: 2
  
  had my vw for over 10 years now. no major problems.
  before this, I had 3 bmw's (one after another). each one had serious design and build problems. costly to repair and some repairs could never be done properly (shock towers weakening on E36, no factory fix to fatigued metal; that was the nastiest design bug I remember).
  I would never buy another bmw. I would buy another vw (as long as its not a mexico-made car).
  for some reason, bmw's sell themselves, but all 3 of mine made the service departments more money than I would have liked...
  in general, german cars are overpriced and don't give any better quality than japanese cars.
  
  --
  
  --
  "It is now safe to switch off your computer."
24. Re:This is why we have a first amendment. by SLi · 2013-07-29 20:39 · Score: 3, Insightful
  
  Yeah, I'm sure nothing like this could ever happen in the US due to your ah-so-fantastic First Amendment.
  That case, by the way, is very close to this one. MBTA was granted a Temporary Restraining Order that prevented the researchers from discussing their findings in the conference where they intended to do it. Which is *exactly* what has happened here so far.
25. Re:This is why we have a first amendment. by RevDisk · 2013-07-30 01:05 · Score: 2
  
  Temporary Restraining Order is not a permanent restraining order. It's usually meant to give a chance for the legal system to hear arguments before a permanent solution is implemented. Similar to say, the difference between arrests and convictions. It's a routine thing, it was solely the timing that was a scumbag tactic.
  
  http://www.revdisk.net/gal/Defcon16/MTA01.jpg
  
  I was in the audience at the time of that presentation. The presentation WITH ALL THE TECHNICAL INFORMATION was on the disk that was handed out to all of the audience. Instead of the presentation, the EFF did a presentation. Hackers raised funds for the students, gave EFF lawyers secure internet access, found expert witnesses, etc. The judge agreed with the EFF and the students, and refused to extend the restraining order. Yes, the timing sucked, but they did actually win on First Amendment grounds.
  
  So, yes, judges do on occasion (IMHO often unlawfully) infringe on the First Amendment, it's still better than the alternative of not having it. Also, someone else independently gave a similar presentation with largely the same info. It was very very well attended. Good times. See y'all at Defcon this weekend.
Solution timetable by spire3661 · 2013-07-29 08:00 · Score: 4, Insightful

Shouldnt Volkswagen be forced to provide a timetable as to when this will be fixed so the temporary egregious act of suspending the First for this person can be lifted? It is Volkswagen's fault, they need to fix it now.

--
Good-bye
1. Re:Solution timetable by truthsearch · 2013-07-29 08:06 · Score: 5, Informative
  
  Suspending the first... amendment? This didn't happen in the USA.
  
  --
  Developers: We can use your help.
2. Re:Solution timetable by bill_mcgonigle · 2013-07-29 08:13 · Score: 4, Insightful
  
  Suspending the first... amendment? This didn't happen in the USA.
  And the presentation will likely go forward at USENIX (in Washington DC) with the other two co-authors, from the Netherlands. It's one researcher in the UK who's getting boned by his government.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
3. Re:Solution timetable by rwise2112 · 2013-07-29 08:17 · Score: 5, Interesting
  
  Shouldnt Volkswagen be forced to provide a timetable as to when this will be fixed so the temporary egregious act of suspending the First for this person can be lifted? It is Volkswagen's fault, they need to fix it now.
  So it seems that some form of this Megamos Crypto is used by just about all manufacturers. Does anyone know if all versions are broken? Since they all use it, it may come from a 3rd party, so Volkswagen may noy know when or how to fix it.
  
  --
  
  "For every expert, there is an equal and opposite expert"
4. Re:Solution timetable by h4rr4r · 2013-07-29 08:43 · Score: 2
  
  Why in the 21st century is anyone stupid enough not to use proper crypto?
  In the world of crypto proprietary means so flawed I cannot show you how it works or it stops being crypto.
5. Re:Solution timetable by tragedy · 2013-07-29 09:12 · Score: 2
  
  But it was going to be disclosed in the US at a conference by a UK subject. This concept that all people are under the jurisdiction of their home government at all times has become a bit worrying. Frankly, it seems like the legal concept of jurisdiction has been virtually thrown out the window in recent years.
6. Re:Solution timetable by AmiMoJo · 2013-07-29 09:16 · Score: 2
  
  Because proper crypto is hard and even if you spend vast amounts of money on it and hire good people there are often still flaws. Look at things like the DRM on BlyRay discs. Very expensive, very carefully implemented, and still didn't last very long.
  
  --
  const int one = 65536; (Silvermoon, Texture.cs)
  SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
7. Re:Solution timetable by Anonymous Coward · 2013-07-29 09:38 · Score: 2, Insightful
  
  That's not a crypto flaw, that's a logic flaw. You can't give someone an encrypted message and the key to decrypt it, and then expect that there's a way to prevent them from decrypting the content. It's just not possible.
8. Re:Solution timetable by PsychoSlashDot · 2013-07-29 11:45 · Score: 2
  
  That's because to make DRM work you have to give the attacker the encryption key. It's like if you're trying to keep a raccoon-faced thief from robbing your armored car, and you give him the keys to both the ignition and the big padlock on the back.
  You're right... this is much easier since Volkswagen doesn't have to give keys to the people... who bought their... to the people... don't have to give keys...
  
  Oh.
  
  --
  "Oh no... he found the .sig setting."
Not a US case. No First Amend. by Arkiel · 2013-07-29 08:02 · Score: 5, Informative

This did not occur in the US. The US Constitution is not implicated.
When will Volkswagon fix the issue? by tysonedwards · 2013-07-29 08:03 · Score: 4, Insightful

For vehicles that have already been sold, I'd venture a guess somewhere between when the sun burns out and never.

--
Thirty four characters live here.
Spellcheck! by intermodal · 2013-07-29 08:04 · Score: 4, Informative

FFS, it's Volkswagen, with an E.

--
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
Too little, too late. by thejynxed · 2013-07-29 08:04 · Score: 5, Informative

These cars with remote/keyless entry and start are already being stolen, even directly off of dealer lots. The criminals have already figured out what he was going to present, and are using it to their advantage.

--
@Mindless Drivel: 100% of Twitter posts ever Tweeted.
1. Re:Too little, too late. by Princeofcups · 2013-07-29 11:16 · Score: 2
  
  These cars with remote/keyless entry and start are already being stolen, even directly off of dealer lots. The criminals have already figured out what he was going to present, and are using it to their advantage.
  And why my Mini dealer was very clear about why you have to insert the space age key in order to start the car, and they have no auto start option. Don't think that the dealers don't know that they are selling a defective product.
  
  --
  The only thing worse than a Democrat is a Republican.
Jurisdiction? by Luthair · 2013-07-29 08:10 · Score: 2

How can a UK judge exercise anything over something happening in the US? Not that the US court system doesn't frequently overreach into things occurring outside its borders as well.
1. Re:Jurisdiction? by Lunix+Nutcase · 2013-07-29 08:25 · Score: 2
  
  Because a UK citizen is subject to UK law?
Re:There's a wa out for him... by Nyder · 2013-07-29 08:10 · Score: 4, Interesting

Judge Colin Birss, rules in favor of Volkswagon to ban Flavio Garcia, a computer scientist, from revealing details about 'Wirelessly Lockpicking a Vehicle Immobiliser' at USENIX in August.
How about if it "turns out" that this fella Flavio Garcia wasn't doing research alone, and that members of his team would want to "leak" the details on torrent sites?
We could still get them, no?
By the way, who believes that the fella Flavio Garcia, is the only fountain of knowledge on the matter?
It doesn't matter. Now everyone knows it can be done, other people will be working on it. Criminals probably.
Sort of like how once we made a nuclear bomb, other scientist were able to make nuclear bombs.

--
Be seeing you...
Time to move by DoofusOfDeath · 2013-07-29 08:11 · Score: 5, Funny

That guy should totally come to the USA. Then he'd have the full protection of the U.S. Constitution, guaranteed by Eric Holder and Barak Obama themselves!!!
1. Re:Time to move by starless · 2013-07-29 08:51 · Score: 2
  
  The US Constitution only protects US citizens.
  In general, the US constitution protects all people within the US, not just citizens. Although there are some differences.
  Detailed academic discussion here:
  http://scholarship.law.georgetown.edu/cgi/viewcontent.cgi?article=1302&context=facpub
2. Re:Time to move by cusco · 2013-07-29 08:58 · Score: 2
  
  Bullpuckey. The only place where citizenship is mentioned in the Constitution is when it refers to the ability to hold public office. Everything else refers to anyone anywhere in the jurisdiction of the US, whether it be Kentucky, Guam, a US Navy ship, or a yacht in US territorial waters.
  
  --
  "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
Let's sue amazon. by martiniturbide · 2013-07-29 08:15 · Score: 2

http://www.amazon.com/TEKTON-3324-18-Inch-Wrecking-Bar/dp/B000NPT684/ref=sr_1_1?ie=UTF8&qid=1375128831&sr=8-1&keywords=Crowbar
Let it leak out by hawguy · 2013-07-29 08:16 · Score: 2

I sure hope someone doesn't "accidentally" break into his computer, steal the exploit and publish it in the wild. Wouldn't want to force VW into finding a solution. Much better to pretend that only the white-hat hackers know about the hack and that the bad guys are too stupid to have figured it out. Security through pretending is the best security.
The Flatbed Truck Vulnerability by zenrandom · 2013-07-29 08:21 · Score: 5, Funny

I'm going out on a limb, disclosing this publicly and all. But all vehicles on the roads today are vulnerable to a nefarious flat bed truck with a winch. Said driver pulls up to the vehicle, lowers the ramp, attaches the winch, and pulls the target vehicle onto the truck. Once vehicle is secured to the truck, they drive away. I've not contacted any manufacturers on this vulnerability, but I feel that disclosing it publicly may keep the public informed.
1. Re:The Flatbed Truck Vulnerability by couchslug · 2013-07-29 08:36 · Score: 2
  
  A snatch truck with a wheel lift is even quicker, and having done repos with a friend I can say bystanders rarely say or do anything.
  Once you get the vehicle off the property they can't legally block you from taking it (in my State) so we'd shoot the wheel lift under whatever end of the car was handy. Depending on the car we'd even leave a hitch ball attached to the wheel lift and snag the lower core brace (they were all owned by my buds car lot) and drive off instantly rather than locking the wheel lift bars. (It was an old Century for those who care.)
  You can drive down many a residential street or parking lot with the rear brakes locked, tires boiling smoke, and no fucks given!
  The flatbed ("rollback") cares not even if there are no wheels on the target vehicle. It'll skid just fine.
  Good times.
  
  --
  "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
Re:How by Anonymous Coward · 2013-07-29 08:22 · Score: 3, Funny

do we fire a bad judge?
Out of a cannon?
The moral of this story is. . . . by Anonymous Coward · 2013-07-29 08:27 · Score: 2, Insightful

" He should have disclosed without notifying. That way they could not have stopped him. "
BINGO.
Quit trying to give the manufacturers / developers the benefit of the doubt here. Time and time again it's obvious they're not interested in doing the right thing, but rather resorting to litigation to shut people up about critical flaws in their product. I know it's bragging rights and all that, but you really should keep your mouth shut until AFTER you've made the disclosure public.
Unless they're paying $$$ for said bug reports, then it's your call to consider if they can buy off your silence or not. I know what the moral thing to do is, but your financial situation may inject some additional considerations into the matter.
Sounds like it's already out there... by GodfatherofSoul · 2013-07-29 08:31 · Score: 4, Interesting

It emerged in court that their complex mathematical investigation examined the software behind the code. It has been available on the internet since 2009.
My only objection to hackers revealing exploits is they must give the affected company time to fix the problem. This time is going to be longer for VW since their software is literally running all over the world. But, 4 years is ample time.
I'd be curious to know exactly what VW has done to address the problem, or more broadly did they even *bother* to fix the problem.

--
I swear to God...I swear to God! That is NOT how you treat your human!
1. Re:Sounds like it's already out there... by Lehk228 · 2013-07-29 09:10 · Score: 2
  
  companies have shown time and time again they do not properly handle "responsible disclosure" as in this case they use the courts to silence the messenger.
  
  the only remaining option is immediate, anonymous full disclosure, preferable released as a metasploit module in order to maximize the consequences for sloppy and reckless vendors
  
  --
  Snowden and Manning are heroes.
Re:There's a wa out for him... by steelfood · 2013-07-29 08:34 · Score: 2

Well, not quite the perfect analogy. Nukes are quite complicated. U.S. scientists built the first nuke (though there's quite a bit of evidence that Hitler would've had it if not for certain scientists' subtle sabotage), and most of the other countries "acquired" those blueprints shortly.

--
"If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
A limey writes by maroberts · 2013-07-29 08:41 · Score: 5, Informative

No we don't have a Bill of Rights, but we do have the European Convention on Human Rights incorporated into UK Law, which does have an Article 10: Freedom of Expression. There are restrictions in the European version as opposed to the simpler US one though....

--
Donte Alistair Anderson Roberts - hi son!
Karma: Chameleon
1. Re:A limey writes by maroberts · 2013-07-29 09:01 · Score: 2
  
  You win - forgot about the 1689 Bill of Rights. I was only little then. :-)
  
  --
  Donte Alistair Anderson Roberts - hi son!
  Karma: Chameleon
2. Re:A limey writes by Impy+the+Impiuos+Imp · 2013-07-29 11:18 · Score: 3, Interesting
  
  The devil is in the details, which is why the elegant simplicity of the US Constitution is vastly preferable to these more complicated, lawyerly expressions of "rights", designed by politicians, for politicians.
  Just the wording oozes with the power hungry not wanting to give up their power:
  Article 10 – Freedom of expression 1. Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers. This article shall not prevent States from requiring the licensing of broadcasting, television or cinema enterprises .
  2. The exercise of these freedoms, since it carries with it duties and responsibilities, may be subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society, in the interests of national security, territorial integrity or public safety, for the prevention of disorder or crime, for the protection of health or morals , for the protection of the reputation or rights of others, for preventing the disclosure of information received in confidence, or for maintaining the authority and impartiality of the judiciary.
  Loopholes big enough to drive an Airbus through. And I didn't even bother highlighting "public safety", "prevention of disorder or crime" or other get out of jail free cards rendering the whole thing largely meaningless.
  
  --
  (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
Yet another misleading slashdot summary/headline by Anonymous Coward · 2013-07-29 08:42 · Score: 4, Informative

I almost don't want to post this, rather than continue to watch the slashdot flock get herded around the meadow yet again. But guess what. The arstechnia article (ironically headlined "High court bans publication of car-hacking paper") states:
"The company asked the scientists to publish a redacted version of the paper without the crucial codes, but the researchers declined, claiming that the information is publicly available online."
So yeah, the publication of the paper was never at stake.
This little tidbit makes most of the above comments (including those already up to +5) look pretty ridiculous.
Misleading article and summary. by julian67 · 2013-07-29 09:01 · Score: 5, Informative

In the article:
"The judge, Colin Birss, ultimately sided with the car companies, despite saying he "recognized the importance of the right for academics to publish.""
This is very misleading. The judge did not "ultimately" side with anyone because this is an *interim* injunction during the course of more prolonged litigation. Citation:
http://www.bbc.co.uk/news/technology-23487928
and
http://www.itpro.co.uk/security/20291/vw-gets-high-court-bans-scientists-revealing-luxury-car-security-codes
The purpose of the interim injunction is to temporarily maintain the status quo while further evidence and arguments are presented, prior to any actual and significant judgement.
Once again slashdot avoids objective reporting and instead offers its readers what they actually prefer and craze: dishonest, misleading, untrue versions of the world that play to the infantile prejudices of the average self righteous and privileged pseudo liberal.
String of burgluars already using tech. by BrookHarty · 2013-07-29 09:31 · Score: 3, Informative

There is already some people using tech to break into cars in California.
http://news.msn.com/science-technology/high-tech-car-thieves-break-into-vehicles-without-leaving-a-trace
http://jalopnik.com/whats-the-secret-device-thieves-in-california-are-usin-471782175
Why must it be a reverse-engineered chip? by Ungrounded+Lightning · 2013-07-29 10:37 · Score: 2

What if it's a software bug?
Most automobiles these days have their wiring harnesses drastically simplified by replacing enormous numbers of point-to-point wires with a digital bus, conforming to one of a small handfull of standards. These control everything from the engine to the seat adjustments to the outside rear-view mirror angles, to the door locks.
If you can inject your own packets on such a bus, you can command the car to open the doors and start the engine.
Now it may be possible to inject commands directly by using strong electromagnetic fields near where the bus, or a component on it, is not well shielded.
But there are a number of devices on the bus that are also radio receivers, with control computers which both parse radio inputs and interact with other parts of the car's electronics over this digital bus. If you can compromise them you can get them to inject commands for you.
Of course the key radio-fob receiver is the most obvious target. A protocol stack escape might get you directly into the code that unlocks the door. Another obvious target is a remote accident-assistance/monitoring system, such as OnStar. This is essentially a cellphone that deliberately issues such commands. (One thing they do as a service is open your car doors if you lock your keys inside.)
But there are a number of others where it may be possible to inject malformed packets and exploit a flaw in the radio-side network stack to take over enough control to issue automotive bus commands and achieve the same effect, even if the device wasn't intended to unlock the door. Candidates include:
- Entertainment systems.
- Bluetooth "hands free phone" features.
- GPS navigation systems.
- Tire-pressure monitoring systems.
and I could go on.
You can find such flaws by purely software-driven probes, using stock techniques like "fuzzing" to find a bug that crashes the device, then working up from the known flaw (and perhaps a general knowledge of the processor involved in the component and its typical development environments) into an exploit.
I have seen a proof-of-concept where one of the above HAS been exploited in this way by a security research team.
I have also heard news reports of security-camera recordings of carjackers using a box that causes the passenger side door lock of the victim car to unlock itself. So SOME such exploit is already in the wild.
Any bets on whether Garcia, or the carjackers, got in this way, rather than by electron microscopy?
Any bets on whether, even if they both DID "do it the hard(ware) way", there is, or will be within the year, an exploit that didn't involve either such pricey techniques (or a data leak from a manufacturer)?

--
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
it's not the whole story.. by SuperDre · 2013-07-29 19:25 · Score: 2

I guess the slashdot poster of the article just wants to get some headlines and didn't read the actual story (or at least get his/her facts straight).
It's not that the judge silences the scientist, volkswagen didn't have a (real) problem with him publishing the article, what they had an injunction for was the publication of the actual key. The scientist didn't want to publish the article without the actual key and is now whining about being censored.. Most newssites don't actually get the facts anymore these days and just publish only the juicy (incorrect) bits..
So, the scientist can publish the article as he wants, but without the actual key.. And to me, that's perfectly fine, there is no need to publish the actual key except for his 15 minutes of fame.. And the biggest problem I have with all this, his 'research' (IMHO hobbyproject) was all financed with public money.. instead of whining, go do some real actual research that really benifits the society which is paying for it..