Slashdot Mirror

← Back to Stories (view on slashdot.org)

Judge Rules In Favor of Volkswagen and Silences Scientist

Posted by samzenpus on from the keep-your-mouth-shut dept.

sl4shd0rk writes "Samsung-is-not-as-cool-as-Apple Judge Colin Birss, rules in favor of Volkswagon to ban Flavio Garcia, a computer scientist, from revealing details about 'Wirelessly Lockpicking a Vehicle Immobiliser' at USENIX in August. Volkswagen says the flaw could allow someone to 'break the security and steal a car' so it is justifiable grounds for blocking Flavio's paper. No word yet on how soon Volkswagen will have a patch."

20 of 254 comments (clear)

  1. If hacking is outlawed by i+kan+reed · · Score: 5, Insightful

    Only outlaws will have hackers, or something. It really doesn't work that way, but the protection of rich people's cars will only be temporary.

  2. This is why we have a first amendment. by h4rr4r · · Score: 5, Insightful

    The cars are vulnerable if he tells the world or not. The only difference is now only the bad actors know about the problem.

    He should have disclosed without notifying. That way they could not have stopped him.

    1. Re:This is why we have a first amendment. by Stumbles · · Score: 5, Insightful

      The Streisand effect strikes again. They will never learn.

      --
      My karma is not a Chameleon.
    2. Re:This is why we have a first amendment. by h4rr4r · · Score: 5, Insightful

      Sure, this is why we have one though. Our founding fathers knew not having one was too dangerous.

    3. Re:This is why we have a first amendment. by steelfood · · Score: 5, Insightful

      Nah, that'd be unreasonable. What would be more reasonable is that now that Volkswagon is known to not act in good faith (i.e. lawsuit ensue) after an act of responsible disclosure, there's no good reason to first notify them about any subsequent security holes.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    4. Re:This is why we have a first amendment. by cultiv8 · · Score: 5, Informative

      Here's a video on how they do it on BMW's, same method as A4. Feel free to go here and buy the device yourself.

      --
      sysadmins and parents of newborns get the same amount of sleep.
    5. Re:This is why we have a first amendment. by Sir_Sri · · Score: 5, Interesting

      The only difference is now only the bad actors know about the problem.

      Know about but not necessarily how to actually do it. About all they know is from the guardian article that it took upwards of 50 000 GBP worth of equipment (and some security researchers) to actually figure out how to do it.

      He should have disclosed without notifying. That way they could not have stopped him.

      The point of notification is to give them an opportunity to fix it. The problem with cars is that 'fixing' it may not be possible, or may be astronomically expensive.

      Volkswagon wanted them to publish a redacted version of the paper, that explained how they did the hack but not the actual key (codes) they discovered, and they refused. That seems kind of dickish on the researchers parts honestly. It depends on the details of what exactly was to be redacted, so I'll withhold too much judgment, but with things that aren't connected to the internet there's a big problem in trying to actually roll out fixes. Of course there's no point in publishing a paper if you can't say anything about your method used, and if anything interesting about that was redacted it's basically a non starter.

      As we embed computers into more things this is going to be a bigger problem going forward. Are we going to need to replace 100 dollar car FOB starters every time there's a security hack? I suppose it might come to that, it's not like physical car locks are all that secure either. But if the hack requires 100 000 dollars in equipment and professional security expert time that puts the barrier to common criminals high.

      The researchers main point seems to be that they aren't saying anything that isn't already public just from a different method. In that case sure, I suppose they could have just published and the situation wouldn't be much different. But I'm not sure how true their claim is.

    6. Re:This is why we have a first amendment. by Anonymous Coward · · Score: 5, Insightful

      You also have secret courts...

    7. Re:This is why we have a first amendment. by Samantha+Wright · · Score: 5, Insightful

      cultivat8 posted instructions a few minutes before you made your post, so that cat's out of the bag. Now the only value this suppression serves is in protecting the ignorance of people who are in danger; the car company saves a bit of face with its less-aware customers and investors, and that's about it.

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
    8. Re:This is why we have a first amendment. by Lumpy · · Score: 5, Informative

      Yeah and our scumbag leaders wipe their ass with it daily.

      Oh that right is protected by the constitution? Now you are an enemy combatant, it doesn't protect you anymore. Yes, we are calling you that for wearing blue on orange mondays... to the waterboarding with you!

      --
      Do not look at laser with remaining good eye.
    9. Re:This is why we have a first amendment. by TubeSteak · · Score: 5, Informative

      , it's relatively trivial for someone to repeat Garcia's work and publish it.

      The speculation is that Garcia sliced the chip layer by layer to reconstruct the logic and algorithms that VW's Megamos Crypto uses.

      That's neither quick to do, nor trivial to recreate.

      --
      [Fuck Beta]
      o0t!
    10. Re:This is why we have a first amendment. by Zalbik · · Score: 5, Funny

      Ahh...but you are forgetting a few things:

      1) You have to double the estimate of your Software Engineer. In MBA school they taught us to always double the software guy's estimate.
      2) You haven't included any quality assurance!?! At least another $120k for a good QA team, plus the tools necessary for automated testing.
      3) You've got 3 people on the team now, so you should include a PM. That's another $240k at least.
      4) And you'll need a business analyst. Luckily, it should be easy to find one who isn't so "morality constrained". Say another $180k for them.

      Just to be on the safe side, you should overestimate everything by 50% (yes, I know we already doubled the dev estimate, but this is what Joe's MBA School of Mastering Business Administration and Cheap Web Hosting taught me).

      So overall, the cost is:
      Software Engineer: 240K
      Elecrical Engineer: 120K
      QA: 120K
      PM: 240K
      BA: 180K
      Subtotal: 900K
      Total (add 50% for good luck): 1.3 Million.

      Now you should add 15-20% per year for support/maintenance, etc. So it's 1.3 Million capital outlay, plus $260,000 per year.

      Pretty pricy, but still....it's cheaper than SAP.

      /sarcasm off

  3. Not a US case. No First Amend. by Arkiel · · Score: 5, Informative

    This did not occur in the US. The US Constitution is not implicated.

  4. Too little, too late. by thejynxed · · Score: 5, Informative

    These cars with remote/keyless entry and start are already being stolen, even directly off of dealer lots. The criminals have already figured out what he was going to present, and are using it to their advantage.

    --
    @Mindless Drivel: 100% of Twitter posts ever Tweeted.
  5. Re:Solution timetable by truthsearch · · Score: 5, Informative

    Suspending the first... amendment? This didn't happen in the USA.

    --
    Developers: We can use your help.
  6. Time to move by DoofusOfDeath · · Score: 5, Funny

    That guy should totally come to the USA. Then he'd have the full protection of the U.S. Constitution, guaranteed by Eric Holder and Barak Obama themselves!!!

  7. Re:Solution timetable by rwise2112 · · Score: 5, Interesting

    Shouldnt Volkswagen be forced to provide a timetable as to when this will be fixed so the temporary egregious act of suspending the First for this person can be lifted? It is Volkswagen's fault, they need to fix it now.

    So it seems that some form of this Megamos Crypto is used by just about all manufacturers. Does anyone know if all versions are broken? Since they all use it, it may come from a 3rd party, so Volkswagen may noy know when or how to fix it.

    --

    "For every expert, there is an equal and opposite expert"
  8. The Flatbed Truck Vulnerability by zenrandom · · Score: 5, Funny

    I'm going out on a limb, disclosing this publicly and all. But all vehicles on the roads today are vulnerable to a nefarious flat bed truck with a winch. Said driver pulls up to the vehicle, lowers the ramp, attaches the winch, and pulls the target vehicle onto the truck. Once vehicle is secured to the truck, they drive away. I've not contacted any manufacturers on this vulnerability, but I feel that disclosing it publicly may keep the public informed.

  9. A limey writes by maroberts · · Score: 5, Informative

    No we don't have a Bill of Rights, but we do have the European Convention on Human Rights incorporated into UK Law, which does have an Article 10: Freedom of Expression. There are restrictions in the European version as opposed to the simpler US one though....

    --

    Donte Alistair Anderson Roberts - hi son!
    Karma: Chameleon

  10. Misleading article and summary. by julian67 · · Score: 5, Informative

    In the article:
    "The judge, Colin Birss, ultimately sided with the car companies, despite saying he "recognized the importance of the right for academics to publish.""

    This is very misleading. The judge did not "ultimately" side with anyone because this is an *interim* injunction during the course of more prolonged litigation. Citation:

    http://www.bbc.co.uk/news/technology-23487928
    and
    http://www.itpro.co.uk/security/20291/vw-gets-high-court-bans-scientists-revealing-luxury-car-security-codes

    The purpose of the interim injunction is to temporarily maintain the status quo while further evidence and arguments are presented, prior to any actual and significant judgement.

    Once again slashdot avoids objective reporting and instead offers its readers what they actually prefer and craze: dishonest, misleading, untrue versions of the world that play to the infantile prejudices of the average self righteous and privileged pseudo liberal.