Slashdot Mirror


Judge Rules In Favor of Volkswagen and Silences Scientist

sl4shd0rk writes "Samsung-is-not-as-cool-as-Apple Judge Colin Birss, rules in favor of Volkswagon to ban Flavio Garcia, a computer scientist, from revealing details about 'Wirelessly Lockpicking a Vehicle Immobiliser' at USENIX in August. Volkswagen says the flaw could allow someone to 'break the security and steal a car' so it is justifiable grounds for blocking Flavio's paper. No word yet on how soon Volkswagen will have a patch."

31 of 254 comments

  1. If hacking is outlawed by i kan reed · · Score: 5, Insightful

    Only outlaws will have hackers, or something. It really doesn't work that way, but the protection of rich people's cars will only be temporary.

  2. This is why we have a first amendment. by h4rr4r · · Score: 5, Insightful

    The cars are vulnerable whether he tells the world or not. The only difference is now only the bad actors know about the problem.

    He should have disclosed without notifying. That way they could not have stopped him.

    1. Re:This is why we have a first amendment. by simonbp · · Score: 4, Insightful

      And now that it is known that this specific vulnerability exists, it's relatively trivial for someone to repeat Garcia's work and publish it.

    2. Re:This is why we have a first amendment. by Stumbles · · Score: 5, Insightful

      The Streisand effect strikes again. They will never learn.

      --
      My karma is not a Chameleon.
    3. Re:This is why we have a first amendment. by h4rr4r · · Score: 5, Insightful

      Sure, this is why we have one though. Our founding fathers knew not having one was too dangerous.

    4. Re:This is why we have a first amendment. by steelfood · · Score: 5, Insightful

      Nah, that'd be unreasonable. What would be more reasonable is that now that Volkswagen is known to not act in good faith (i.e. lawsuits ensue) after an act of responsible disclosure, there's no good reason to first notify them about any subsequent security holes.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    5. Re:This is why we have a first amendment. by cultiv8 · · Score: 5, Informative

      Here's a video on how they do it on BMWs, same method as the A4. Feel free to go here and buy the device yourself.

      --
      sysadmins and parents of newborns get the same amount of sleep.
    6. Re:This is why we have a first amendment. by Sir_Sri · · Score: 5, Interesting

      The only difference is now only the bad actors know about the problem.

      Know about but not necessarily how to actually do it. About all they know is from the guardian article that it took upwards of 50 000 GBP worth of equipment (and some security researchers) to actually figure out how to do it.

      He should have disclosed without notifying. That way they could not have stopped him.

      The point of notification is to give them an opportunity to fix it. The problem with cars is that 'fixing' it may not be possible, or may be astronomically expensive.

      Volkswagen wanted them to publish a redacted version of the paper, that explained how they did the hack but not the actual key (codes) they discovered, and they refused. That seems kind of dickish on the researchers' part honestly. It depends on the details of what exactly was to be redacted, so I'll withhold too much judgment, but with things that aren't connected to the internet there's a big problem in trying to actually roll out fixes. Of course there's no point in publishing a paper if you can't say anything about the method used, and if anything interesting about that was redacted it's basically a non-starter.

      As we embed computers into more things this is going to be a bigger problem going forward. Are we going to need to replace 100 dollar car fob starters every time there's a security hack? I suppose it might come to that; it's not like physical car locks are all that secure either. But if the hack requires 100 000 dollars in equipment and professional security expert time, that puts the barrier to common criminals high.

      The researchers' main point seems to be that they aren't saying anything that isn't already public, just via a different method. In that case sure, I suppose they could have just published and the situation wouldn't be much different. But I'm not sure how true their claim is.

    7. Re:This is why we have a first amendment. by Anonymous Coward · · Score: 5, Insightful

      You also have secret courts...

    8. Re:This is why we have a first amendment. by Samantha Wright · · Score: 5, Insightful

      cultiv8 posted instructions a few minutes before you made your post, so that cat's out of the bag. Now the only value this suppression serves is in protecting the ignorance of people who are in danger; the car company saves a bit of face with its less-aware customers and investors, and that's about it.

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
    9. Re:This is why we have a first amendment. by Lumpy · · Score: 5, Informative

      Yeah and our scumbag leaders wipe their ass with it daily.

      Oh that right is protected by the constitution? Now you are an enemy combatant, it doesn't protect you anymore. Yes, we are calling you that for wearing blue on orange mondays... to the waterboarding with you!

      --
      Do not look at laser with remaining good eye.
    10. Re:This is why we have a first amendment. by mikeiver1 · · Score: 4, Insightful

      I suspect that the hack is rather simple, and you can be very secure in the knowledge that there are now a dozen-plus persons looking very hard at their key controls with an eye to releasing the hack simply to screw VW for the snub. Fallout be damned. On the other side of it, you cannot tell me that VW didn't know that they had a security issue and simply waited to fix it because it might cost a few dollars or euros or whatever. Screw the customer for the buck.

    11. Re:This is why we have a first amendment. by TubeSteak · · Score: 5, Informative

      "...it's relatively trivial for someone to repeat Garcia's work and publish it."

      The speculation is that Garcia sliced the chip layer by layer to reconstruct the logic and algorithms that VW's Megamos Crypto uses.

      That's neither quick to do, nor trivial to recreate.

      --
      [Fuck Beta]
      o0t!
    12. Re:This is why we have a first amendment. by lightknight · · Score: 4, Insightful

      Perhaps, but for someone who wants to yank thirty or forty cars off the street, with minimal risk, it might be worth a modest investment.

      You'd need what, an electron microscope, some custom software to trace the images you scan and convert them back to logic, then someone to write an app / engineer some hardware to make it trivial for you to grab anything you want. Assuming you are grabbing thirty new VWs at $20K a pop... that's $600K... so, the cost of an electron microscope (may or may not be costly; might get a second-hand one for cheap), and an Electrical Engineer @ 120K + Computer Scientist / Software Engineer @ 120K (so they'll actually do the work, keep their mouths shut, and provide 'updates' to the software / hardware they design at an agreeable rate, since 30-40 cars might easily become 3000-4000 cars provided you don't act like a Mafia Don and try to kill the wrong people / short the wrong people ("Hey, they did the job; now let's double-cross them, and whack them, so we can keep their share, and they can't tell anyone..." -> Hollywood derp -> Good people are hard to come by, and even harder to replace); I say updates, because the car companies will begin changing stuff as soon as they hear that their cars are getting snatched, and updates are cheaper with people you know, who are 'happy' with you, than with people who are PO'ed at you, or are dead).

      Still, it seems a lot of work for little cash. Now, getting elected to the Board of Governors for the Federal Reserve...well, they can just print money when they need a little more. Now that's thinking with your head.

      --
      I am John Hurt.
    13. Re:This is why we have a first amendment. by Zalbik · · Score: 5, Funny

      Ahh...but you are forgetting a few things:

      1) You have to double the estimate of your Software Engineer. In MBA school they taught us to always double the software guy's estimate.
      2) You haven't included any quality assurance!?! At least another $120k for a good QA team, plus the tools necessary for automated testing.
      3) You've got 3 people on the team now, so you should include a PM. That's another $240k at least.
      4) And you'll need a business analyst. Luckily, it should be easy to find one who isn't so "morality constrained". Say another $180k for them.

      Just to be on the safe side, you should overestimate everything by 50% (yes, I know we already doubled the dev estimate, but this is what Joe's MBA School of Mastering Business Administration and Cheap Web Hosting taught me).

      So overall, the cost is:
      Software Engineer: 240K
      Electrical Engineer: 120K
      QA: 120K
      PM: 240K
      BA: 180K
      Subtotal: 900K
      Total (add 50% for good luck): 1.3 Million.

      Now you should add 15-20% per year for support/maintenance, etc. So it's 1.3 Million capital outlay, plus $260,000 per year.

      Pretty pricey, but still... it's cheaper than SAP.

      /sarcasm off

    14. Re:This is why we have a first amendment. by Urza9814 · · Score: 4, Informative

      Company A uses reprogrammable chips and does the responsible thing. When their chips get hacked, they issue a recall, and people go to the dealer to get theirs reprogrammed.

      Company B is Volkswagen.

      John Doe goes in to buy a new car. They look at the vehicle report for the car from Company A, and they see it's been recalled for a failure in the security system. They look at the vehicle report for a Volkswagen, and they see no recalls. So they buy the Volkswagen.

      Your assertion is only valid in a world where all consumers carefully research every purchase. *Nobody* does this -- it's not possible. Not enough hours in the day. For something as big as a car there's a decent chance they will, but even then I bet plenty of people don't.

  3. Solution timetable by spire3661 · · Score: 4, Insightful

    Shouldn't Volkswagen be forced to provide a timetable as to when this will be fixed so the temporary egregious act of suspending the First for this person can be lifted? It is Volkswagen's fault; they need to fix it now.

    --
    Good-bye
    1. Re:Solution timetable by truthsearch · · Score: 5, Informative

      Suspending the first... amendment? This didn't happen in the USA.

    2. Re:Solution timetable by bill_mcgonigle · · Score: 4, Insightful

      Suspending the first... amendment? This didn't happen in the USA.

      And the presentation will likely go forward at USENIX (in Washington DC) with the other two co-authors, from the Netherlands. It's one researcher in the UK who's getting boned by his government.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:Solution timetable by rwise2112 · · Score: 5, Interesting

      Shouldn't Volkswagen be forced to provide a timetable as to when this will be fixed so the temporary egregious act of suspending the First for this person can be lifted? It is Volkswagen's fault; they need to fix it now.

      So it seems that some form of this Megamos Crypto is used by just about all manufacturers. Does anyone know if all versions are broken? Since they all use it, it may come from a 3rd party, so Volkswagen may not know when or how to fix it.

      --
      "For every expert, there is an equal and opposite expert"
  4. Not a US case. No First Amend. by Arkiel · · Score: 5, Informative

    This did not occur in the US. The US Constitution is not implicated.

  5. When will Volkswagen fix the issue? by tysonedwards · · Score: 4, Insightful

    For vehicles that have already been sold, I'd venture a guess somewhere between when the sun burns out and never.

    --
    Thirty four characters live here.
  6. Spellcheck! by intermodal · · Score: 4, Informative

    FFS, it's Volkswagen, with an E.

    --
    In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
  7. Too little, too late. by thejynxed · · Score: 5, Informative

    These cars with remote/keyless entry and start are already being stolen, even directly off of dealer lots. The criminals have already figured out what he was going to present, and are using it to their advantage.

    --
    @Mindless Drivel: 100% of Twitter posts ever Tweeted.
  8. Re:There's a way out for him... by Nyder · · Score: 4, Interesting

    Judge Colin Birss, rules in favor of Volkswagon to ban Flavio Garcia, a computer scientist, from revealing details about 'Wirelessly Lockpicking a Vehicle Immobiliser' at USENIX in August.

    How about if it "turns out" that this fella Flavio Garcia wasn't doing research alone, and that members of his team would want to "leak" the details on torrent sites?

    We could still get them, no?

    By the way, who believes that the fella Flavio Garcia, is the only fountain of knowledge on the matter?

    It doesn't matter. Now everyone knows it can be done, other people will be working on it. Criminals probably.

    Sort of like how once we made a nuclear bomb, other scientists were able to make nuclear bombs.

    --
    Be seeing you...
  9. Time to move by DoofusOfDeath · · Score: 5, Funny

    That guy should totally come to the USA. Then he'd have the full protection of the U.S. Constitution, guaranteed by Eric Holder and Barack Obama themselves!!!

  10. The Flatbed Truck Vulnerability by zenrandom · · Score: 5, Funny

    I'm going out on a limb, disclosing this publicly and all. But all vehicles on the roads today are vulnerable to a nefarious flatbed truck with a winch. Said driver pulls up to the vehicle, lowers the ramp, attaches the winch, and pulls the target vehicle onto the truck. Once the vehicle is secured to the truck, they drive away. I've not contacted any manufacturers about this vulnerability, but I feel that disclosing it publicly may keep the public informed.

  11. Sounds like it's already out there... by GodfatherofSoul · · Score: 4, Interesting

    "It emerged in court that their complex mathematical investigation examined the software behind the code. It has been available on the internet since 2009."

    My only objection to hackers revealing exploits is they must give the affected company time to fix the problem. This time is going to be longer for VW since their software is literally running all over the world. But, 4 years is ample time.

    I'd be curious to know exactly what VW has done to address the problem, or more broadly did they even *bother* to fix the problem.

    --
    I swear to God...I swear to God! That is NOT how you treat your human!
  12. A limey writes by maroberts · · Score: 5, Informative

    No we don't have a Bill of Rights, but we do have the European Convention on Human Rights incorporated into UK Law, which does have an Article 10: Freedom of Expression. There are restrictions in the European version as opposed to the simpler US one though....

    --
    Donte Alistair Anderson Roberts - hi son!
    Karma: Chameleon

  13. Yet another misleading slashdot summary/headline by Anonymous Coward · · Score: 4, Informative

    I almost don't want to post this, rather than continue to watch the slashdot flock get herded around the meadow yet again. But guess what. The Ars Technica article (ironically headlined "High court bans publication of car-hacking paper") states:
    "The company asked the scientists to publish a redacted version of the paper without the crucial codes, but the researchers declined, claiming that the information is publicly available online."

    So yeah, the publication of the paper was never at stake.

    This little tidbit makes most of the above comments (including those already up to +5) look pretty ridiculous.

  14. Misleading article and summary. by julian67 · · Score: 5, Informative

    In the article:
    "The judge, Colin Birss, ultimately sided with the car companies, despite saying he "recognized the importance of the right for academics to publish.""

    This is very misleading. The judge did not "ultimately" side with anyone because this is an *interim* injunction during the course of more prolonged litigation. Citation:

    http://www.bbc.co.uk/news/technology-23487928
    and
    http://www.itpro.co.uk/security/20291/vw-gets-high-court-bans-scientists-revealing-luxury-car-security-codes

    The purpose of the interim injunction is to temporarily maintain the status quo while further evidence and arguments are presented, prior to any actual and significant judgement.

    Once again slashdot avoids objective reporting and instead offers its readers what they actually prefer and crave: dishonest, misleading, untrue versions of the world that play to the infantile prejudices of the average self-righteous and privileged pseudo-liberal.