Judge Rules In Favor of Volkswagen and Silences Scientist

samzenpus posted about 9 months ago | from the keep-your-mouth-shut dept.

Transportation 254

sl4shd0rk writes "Samsung-is-not-as-cool-as-Apple Judge Colin Birss, rules in favor of Volkswagon to ban Flavio Garcia, a computer scientist, from revealing details about 'Wirelessly Lockpicking a Vehicle Immobiliser' at USENIX in August. Volkswagen says the flaw could allow someone to 'break the security and steal a car' so it is justifiable grounds for blocking Flavio's paper. No word yet on how soon Volkswagen will have a patch."

254 comments

If hacking is outlawed (5, Insightful)

i kan reed (749298) | about 9 months ago | (#44416145)

Only outlaws will have hackers, or something. It really doesn't work that way, but the protection of rich people's cars will only be temporary.

Re:If hacking is outlawed (0, Interesting)

Anonymous Coward | about 9 months ago | (#44416589)

You're looking for: "If hacking is outlawed only outlaws will BE hackers" It works.

Re:If hacking is outlawed (0)

Anonymous Coward | about 9 months ago | (#44416797)

You mean "If hacking is outlawed only hackers will drive Volkswagens".

Re:If hacking is outlawed (1)

gigaherz (2653757) | about 9 months ago | (#44416907)

No, no, no... the summary clearly says:

[...] rules in favor of Volkswagon [...]

That'd be: "If hacking is outlawed only hackers will drive Volkswagons".

Re:If hacking is outlawed (0)

Anonymous Coward | about 9 months ago | (#44416805)

Rich people? You're a complete moron.

This is why we have a first amendment. (5, Insightful)

h4rr4r (612664) | about 9 months ago | (#44416171)

The cars are vulnerable if he tells the world or not. The only difference is now only the bad actors know about the problem.

He should have disclosed without notifying. That way they could not have stopped him.

Re:This is why we have a first amendment. (4, Insightful)

simonbp (412489) | about 9 months ago | (#44416225)

And now that it is known that this specific vulnerability exists, it's relatively trivial for someone to repeat Garcia's work and publish it.

Re:This is why we have a first amendment. (5, Insightful)

Stumbles (602007) | about 9 months ago | (#44416265)

The Streisand effect strikes again. They will never learn.

Re:This is why we have a first amendment. (5, Informative)

TubeSteak (669689) | about 9 months ago | (#44416893)

, it's relatively trivial for someone to repeat Garcia's work and publish it.

The speculation is that Garcia sliced the chip layer by layer to reconstruct the logic and algorithms that VW's Megamos Crypto uses.

That's neither quick to do, nor trivial to recreate.

Re:This is why we have a first amendment. (1)

Anonymous Coward | about 9 months ago | (#44417023)

That's neither quick to do, nor trivial to recreate.

An information leak is trivial though. Quite a few people have seen the paper - in order to have a court case and all. And some before the court case. A leak could come from anywhere - and I hope it happens. A car maker who relies on 'security through obscurity' deserves the cost of a massive recall.

Putting a chip in an electron microscope is not entirely trivial, but something any mafioso could bribe a student to do . . .

Re:This is why we have a first amendment. (2, Interesting)

iggymanz (596061) | about 9 months ago | (#44416255)

what the hell? The scientist is from the UK, they don't even have a constitution, much less a bill of rights with amendment mentioning free speech.

Cue the Limey-o-philes with "UK has a constitution but it's not written" bullshit

Re:This is why we have a first amendment. (5, Insightful)

h4rr4r (612664) | about 9 months ago | (#44416329)

Sure, this is why we have one though. Our founding fathers knew not having one was too dangerous.

Re:This is why we have a first amendment. (5, Informative)

Lumpy (12016) | about 9 months ago | (#44416737)

Yeah and our scumbag leaders wipe their ass with it daily.

Oh that right is protected by the constitution? Now you are an enemy combatant, it doesn't protect you anymore. Yes, we are calling you that for wearing blue on orange mondays... to the waterboarding with you!

Re:This is why we have a first amendment. (5, Insightful)

Anonymous Coward | about 9 months ago | (#44416535)

You also have secret courts...

A limey writes (5, Informative)

maroberts (15852) | about 9 months ago | (#44416695)

No we don't have a Bill of Rights, but we do have the European Convention on Human Rights incorporated into UK Law, which does have an Article 10: Freedom of Expression [wikipedia.org] . There are restrictions in the European version as opposed to the simpler US one though....

Re:This is why we have a first amendment. (0)

Anonymous Coward | about 9 months ago | (#44416715)

ORLY? [yale.edu]

Re:This is why we have a first amendment. (5, Insightful)

steelfood (895457) | about 9 months ago | (#44416349)

Nah, that'd be unreasonable. What would be more reasonable is that now that Volkswagen is known to not act in good faith (i.e. lawsuit ensue) after an act of responsible disclosure, there's no good reason to first notify them about any subsequent security holes.

Re:This is why we have a first amendment. (0)

Anonymous Coward | about 9 months ago | (#44416651)

Except you'd have to prove that Volkswagen did not act in good faith by failing to release a fix/proper fix. Which is impossible.

1. If you know how the hack is done, you win; but only after spending an impractical amount of time and/or money duplicating Garcia's research.

2. If you don't know how the hack is done, too bad; no one wants to be the first guy due to monetary/time costs.

3. If no one fights Volkswagen on this, there is no way to prove/disprove whether or not Volkswagen is acting in good faith on this issue; everyone loses... except Volkswagen and the carjacking thieves.

Re:This is why we have a first amendment. (4, Insightful)

mikeiver1 (1630021) | about 9 months ago | (#44416783)

I suspect that the hack is rather simple and you can be very secure in the knowledge that there are now like a dozen plus persons looking very hard at their key controls with an eye at releasing the hack to simply screw VW for the snub. Fallout be damned. On the other side of it you can not tell me that VW didn't know that they had a security issue and simply waited to fix it because it might cost a few dollars or euros or whatever. Screw the customer for the buck.

Re:This is why we have a first amendment. (1)

Anonymous Coward | about 9 months ago | (#44416855)

Simply the act of suing to silence these scientists is enough to be an act of bad faith. They could paint puppies on the sides of their cars and they would still be "the company that sued to keep the public from knowing how bad their security was in cars for which they charge people hundreds of thousands of dollars".

Re:This is why we have a first amendment. (5, Informative)

cultiv8 (1660093) | about 9 months ago | (#44416371)

Here's a video [youtube.com] on how they do it on BMW's, same method as A4. Feel free to go here [vag-info.com] and buy the device yourself.

Re:This is why we have a first amendment. (1)

sl4shd0rk (755837) | about 9 months ago | (#44416631)

Feel free to go here and buy the device yourself.

I'd buy one just for that groovy 8-bit tone when it repairs the key!

Meta:This is why we have a first amendment. (0)

Anonymous Coward | about 9 months ago | (#44416891)

Is anybody else worried about going to a site called "vag-info.com"?

The solution is dead-simple. (0)

Anonymous Coward | about 9 months ago | (#44416465)

Suddenly, some "other" random person posts that he found this out "too". And about how this scientist was "an amateur. Haha. I'm much better!". And immediately discloses the whole thing.

Completely anonymous of course.

What are they gonna do?

There's a reason I always say it's impossible to "own" information since it's impossible to *control* information. This is a textbook example.

Re:This is why we have a first amendment. (5, Interesting)

Sir_Sri (199544) | about 9 months ago | (#44416495)

The only difference is now only the bad actors know about the problem.

Know about but not necessarily how to actually do it. About all they know is from the guardian article that it took upwards of 50 000 GBP worth of equipment (and some security researchers) to actually figure out how to do it.

He should have disclosed without notifying. That way they could not have stopped him.

The point of notification is to give them an opportunity to fix it. The problem with cars is that 'fixing' it may not be possible, or may be astronomically expensive.

Volkswagen wanted them to publish a redacted version of the paper, that explained how they did the hack but not the actual key (codes) they discovered, and they refused. That seems kind of dickish on the researchers' part honestly. It depends on the details of what exactly was to be redacted, so I'll withhold too much judgment, but with things that aren't connected to the internet there's a big problem in trying to actually roll out fixes. Of course there's no point in publishing a paper if you can't say anything about your method used, and if anything interesting about that was redacted it's basically a non starter.

As we embed computers into more things this is going to be a bigger problem going forward. Are we going to need to replace 100 dollar car FOB starters every time there's a security hack? I suppose it might come to that, it's not like physical car locks are all that secure either. But if the hack requires 100 000 dollars in equipment and professional security expert time that puts the barrier to common criminals high.

The researchers' main point seems to be that they aren't saying anything that isn't already public just from a different method. In that case sure, I suppose they could have just published and the situation wouldn't be much different. But I'm not sure how true their claim is.

Re:This is why we have a first amendment. (5, Insightful)

Samantha Wright (1324923) | about 9 months ago | (#44416567)

cultivat8 posted instructions [slashdot.org] a few minutes before you made your post, so that cat's out of the bag. Now the only value this suppression serves is in protecting the ignorance of people who are in danger; the car company saves a bit of face with its less-aware customers and investors, and that's about it.

Re:This is why we have a first amendment. (0)

Anonymous Coward | about 9 months ago | (#44416655)

Are we going to need to replace 100 dollar car FOB starters every time there's a security hack?

If your car vendor makes you pay for it, you may get a better vendor. If you're the maker, you may choose to invest in the $4.40 reprogrammable SoC vs the $4 one off. $0.40 at the maker level can save them $100 in "slap customer in face" keyfob replacements. Better makers/vendors will win in a free(er) market.

Re:This is why we have a first amendment. (2)

h4rr4r (612664) | about 9 months ago | (#44416691)

If you notify they will just sue you instead of fixing it. Which is what VW has now done.

Car locks could be very secure, car companies chose POS methods. $100,000 is not a big deal when you can do the research and sell the results to crime rings.

The moral of this story is. . . . (2, Insightful)

Anonymous Coward | about 9 months ago | (#44416531)

" He should have disclosed without notifying. That way they could not have stopped him. "

BINGO.

Quit trying to give the manufacturers / developers the benefit of the doubt here. Time and time again it's obvious they're not interested in doing the right thing, but rather resorting to litigation to shut people up about critical flaws in their product. I know it's bragging rights and all that, but you really should keep your mouth shut until AFTER you've made the disclosure public.

Unless they're paying $$$ for said bug reports, then it's your call to consider if they can buy off your silence or not. I know what the moral thing to do is, but your financial situation may inject some additional considerations into the matter.

Re:This is why we have a first amendment. (2)

Karl Cocknozzle (514413) | about 9 months ago | (#44416977)

The cars are vulnerable if he tells the world or not. The only difference is now only the bad actors know about the problem.

He should have disclosed without notifying. That way they could not have stopped him.

Believe me, as first-amendment crushing lawsuits like this become "standard" the "no notice" release of major flaws will also become standard.

Then the government will be lobbied to label these researchers who release without prior notice to be "terrorists" or "aiding the enemy" and lock them in prison for "abetting car theft" or some such similar nonsense.

For that matter, why not just lock up every security researcher that won't sign an agreement (in advance) to only release security research with the approval of the subject of the research? That way we know which security engineers are likely to be "terrorists" and which ones are the good guys.

Solution timetable (4, Insightful)

spire3661 (1038968) | about 9 months ago | (#44416183)

Shouldn't Volkswagen be forced to provide a timetable as to when this will be fixed so the temporary egregious act of suspending the First for this person can be lifted? It is Volkswagen's fault, they need to fix it now.

Re:Solution timetable (5, Informative)

truthsearch (249536) | about 9 months ago | (#44416279)

Suspending the first... amendment? This didn't happen in the USA.

Re:Solution timetable (4, Insightful)

bill_mcgonigle (4333) | about 9 months ago | (#44416361)

Suspending the first... amendment? This didn't happen in the USA.

And the presentation will likely go forward at USENIX (in Washington DC) with the other two co-authors, from the Netherlands. It's one researcher in the UK who's getting boned by his government.

Re:Solution timetable (0)

Anonymous Coward | about 9 months ago | (#44416551)

Honestly, it shouldn't matter. It's occurring in the United States. The Constitution may be interpreted to only apply to citizens of the United States, but everything the Founding Fathers spoke about was in regards to all men. Which makes sense, since the existence of such rights is argued on moral grounds as innate and inalienable parts of being a human being.

Re:Solution timetable (1)

jbolden (176878) | about 9 months ago | (#44416779)

Interpreted. It is rather explicit:

We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.

Re:Solution timetable (1)

Holi (250190) | about 9 months ago | (#44417037)

Except according to the philosophy behind our government is that rights are not given by the government but by our creator, thus they must exist for ALL human kind.

Re:Solution timetable (0)

Anonymous Coward | about 9 months ago | (#44417061)

That's right!

That's why we have the 2nd Amendment, because without it, there can be no First!

Re:Solution timetable (2)

tragedy (27079) | about 9 months ago | (#44417075)

But it was going to be disclosed in the US at a conference by a UK subject. This concept that all people are under the jurisdiction of their home government at all times has become a bit worrying. Frankly, it seems like the legal concept of jurisdiction has been virtually thrown out the window in recent years.

Re:Solution timetable (5, Interesting)

rwise2112 (648849) | about 9 months ago | (#44416421)

Shouldn't Volkswagen be forced to provide a timetable as to when this will be fixed so the temporary egregious act of suspending the First for this person can be lifted? It is Volkswagen's fault, they need to fix it now.

So it seems that some form of this Megamos Crypto is used by just about all manufacturers. Does anyone know if all versions are broken? Since they all use it, it may come from a 3rd party, so Volkswagen may not know when or how to fix it.

Re:Solution timetable (2)

h4rr4r (612664) | about 9 months ago | (#44416717)

Why in the 21st century is anyone stupid enough not to use proper crypto?
In the world of crypto proprietary means so flawed I cannot show you how it works or it stops being crypto.

Re:Solution timetable (1)

Lumpy (12016) | about 9 months ago | (#44416795)

OR just a physical Key? Honestly VW and all these companies are complete and utter retards for going 100% electronic.

Re:Solution timetable (1)

h4rr4r (612664) | about 9 months ago | (#44416939)

I think you could go 100% electronic and do it correctly. id_rsa.pub and authorized_keys seems to be 100% electronic and works pretty well. SSHing into my car to open the doors would be pretty sweet.

Re:Solution timetable (0)

Anonymous Coward | about 9 months ago | (#44416613)

It's always fun reading the comments here on Reddit.

Re:Solution timetable (0)

Anonymous Coward | about 9 months ago | (#44416721)

No, but let the market provide some push. I sure as hell wouldn't be buying a car with that sort of issue. Just knowing it's an issue (not the specific steps) is enough for me. I'd wait for the fix, go somewhere else, build a personal teleporter, etc.

Not a US case. No First Amend. (5, Informative)

Arkiel (741871) | about 9 months ago | (#44416211)

This did not occur in the US. The US Constitution is not implicated.

There's a way out for him... (1)

bogaboga (793279) | about 9 months ago | (#44416229)

Judge Colin Birss, rules in favor of Volkswagon to ban Flavio Garcia, a computer scientist, from revealing details about 'Wirelessly Lockpicking a Vehicle Immobiliser' at USENIX in August.

How about if it "turns out" that this fella Flavio Garcia wasn't doing research alone, and that members of his team would want to "leak" the details on torrent sites?

We could still get them, no?

By the way, who believes that the fella Flavio Garcia, is the only fountain of knowledge on the matter?

Re:There's a way out for him... (4, Interesting)

Nyder (754090) | about 9 months ago | (#44416327)

Judge Colin Birss, rules in favor of Volkswagon to ban Flavio Garcia, a computer scientist, from revealing details about 'Wirelessly Lockpicking a Vehicle Immobiliser' at USENIX in August.

How about if it "turns out" that this fella Flavio Garcia wasn't doing research alone, and that members of his team would want to "leak" the details on torrent sites?

We could still get them, no?

By the way, who believes that the fella Flavio Garcia, is the only fountain of knowledge on the matter?

It doesn't matter. Now everyone knows it can be done, other people will be working on it. Criminals probably.

Sort of like how once we made a nuclear bomb, other scientists were able to make nuclear bombs.

Re:There's a way out for him... (2)

steelfood (895457) | about 9 months ago | (#44416621)

Well, not quite the perfect analogy. Nukes are quite complicated. U.S. scientists built the first nuke (though there's quite a bit of evidence that Hitler would've had it if not for certain scientists' subtle sabotage), and most of the other countries "acquired" those blueprints shortly.

When will Volkswagon fix the issue? (4, Insightful)

tysonedwards (969693) | about 9 months ago | (#44416237)

For vehicles that have already been sold, I'd venture a guess somewhere between when the sun burns out and never.

Re:When will Volkswagon fix the issue? (1)

maliqua (1316471) | about 9 months ago | (#44416323)

stop him from releasing the info or issue a recall, I can respect a judge forcing the release to be delayed but not without placing requirements on Volkswagen to resolve the security issue promptly.

fact of the matter the information exists, even if it's not released anyone with a strong enough desire can now attempt to replicate the results knowing that success is achievable

Re:When will Volkswagon fix the issue? (1)

crypticedge (1335931) | about 9 months ago | (#44416415)

VW is actually really good about fixing things like this. My TDI has had a dozen software changes by them due to other things and a half dozen other little fixes they caught after it was sold as new in 2010. I got a letter in the mail last week of another fix they want to put in place because idiots keep putting gas in their TDI's too.

I imagine as soon as they have a fix ready they'll send me another letter asking me to bring it by for the recall notice.

Re:When will Volkswagon fix the issue? (1)

Charliemopps (1157495) | about 9 months ago | (#44416753)

VW has one of the worst ratings on consumer reports of any company. Their cars are junk. I was interested in the TDI because it's one of the few affordable diesels sold in the US but the user ratings on that car are horrendous and repair bills expensive. Yours is only 3 years old so it's rather telling how many times you've had to take it in already. I've got a 2009 Ford Escape and it's never had to be taken in. I believe there was 1 recall and it was for the seat covers, which I don't have in mine.

Re:When will Volkswagon fix the issue? (1)

maliqua (1316471) | about 9 months ago | (#44416809)

I've got a 2009 Ford Escape and it's never had to be taken in. I believe there was 1 recall and it was for the seat covers, which I don't have in mine.

you read the article last week about taking control of fords and disabling brakes right?

Re:When will Volkswagon fix the issue? (0)

Anonymous Coward | about 9 months ago | (#44416823)

That's weird, my 2010 Ford hasn't had a single thing I had to take it in to get fixed. Well the mysync had a firmware update but I downloaded that myself and installed it from Ford's site.

Re:When will Volkswagon fix the issue? (1)

msauve (701917) | about 9 months ago | (#44416827)

A fix presumably involves not only a software change in the car, but new key fobs for everyone. Ones which can't be reverse engineered by "chip slicing."

Spellcheck! (4, Informative)

intermodal (534361) | about 9 months ago | (#44416245)

FFS, it's Volkswagen, with an E.

Re:Spellcheck! (1)

omnichad (1198475) | about 9 months ago | (#44416749)

It's not so much a typo as it is an accidental translation to English. It's only 2 letters off from English - Folkswagon. What spell check has a list of commercial entities' proper names?

Re:Spellcheck! (1)

intermodal (534361) | about 9 months ago | (#44417011)

For that particular combination? All of them. Especially since putting "folks" and "wagon" together in English is not a word in the first place.

Too little, too late. (5, Informative)

thejynxed (831517) | about 9 months ago | (#44416251)

These cars with remote/keyless entry and start are already being stolen, even directly off of dealer lots. The criminals have already figured out what he was going to present, and are using it to their advantage.

Re:Too little, too late. (1)

TheSpoom (715771) | about 9 months ago | (#44416425)

Ah, that means that in addition to not being able to tell people about it, the researcher will now be liable, perhaps even criminally so. Just wait.

Re:Too little, too late. (1)

ebno-10db (1459097) | about 9 months ago | (#44416565)

These cars with remote/keyless entry and start are already being stolen, even directly off of dealer lots. The criminals have already figured out what he was going to present, and are using it to their advantage.

Do you know whether they've been using this specific hack though, or whether they've been breaking into cars with the same sort of "security" system? That does make a difference. Otherwise it's like saying that computers get hacked, so it doesn't matter how you reveal information about a specific exploit.

Re:Too little, too late. (0)

Anonymous Coward | about 9 months ago | (#44416935)

This brings up another point. How much do vehicle security systems really help stop vehicle theft?

It seems to me, the relative few people motivated to steal cars (especially right off of dealer lots) are sophisticated enough that the simple concept of locking doors and a required key or keyfob to start the engine won't deter almost any of them?

The *real* security lies in the unique VIN's issued to each vehicle manufactured and stamped in multiple places, combined with strict legislation surrounding new vehicle registration and licensing.

After all, most vehicles are purchased with bank loans with the vehicle itself as the collateral. Repo men come get these cars and trucks every day for failure to pay on a loan, and it's not like the owners are surrendering their keys voluntarily in most of these situations.

It's the VIN and the registration laws that deter a lot of vehicle theft, because it's simply too difficult to get away with actually USING the car or truck on the roads, after you steal it. The pros are probably chopping them all up for parts, and that's a considerable amount of work to do -- and not likely to be worth the trouble if you're not really connected in the industry so you have enough buyers.

How (1)

Anonymous Coward | about 9 months ago | (#44416275)

do we fire a bad judge?

Re:How (3, Funny)

Anonymous Coward | about 9 months ago | (#44416477)

do we fire a bad judge?

Out of a cannon?

Sell it. (1)

ponraul (1233704) | about 9 months ago | (#44416301)

Might as well sell that exploit to the RBN and make some money off of the deal if you can't disclose it publicly.

Jurisdiction? (2)

Luthair (847766) | about 9 months ago | (#44416317)

How can a UK judge exercise anything over something happening in the US? Not that the US court system doesn't frequently overreach into things occurring outside its borders as well.

Re:Jurisdiction? (2)

Lunix Nutcase (1092239) | about 9 months ago | (#44416507)

Because a UK citizen is subject to UK law?

Re:Jurisdiction? (1)

Luthair (847766) | about 9 months ago | (#44416639)

With the exception of sex tourism people aren't usually subject to the laws of their country abroad. (Barring contracts signed of course). e.g. If you were to go to Thailand and paint some graffiti you wouldn't get taken to the local magistrate once you got back home.

Time to move (5, Funny)

DoofusOfDeath (636671) | about 9 months ago | (#44416331)

That guy should totally come to the USA. Then he'd have the full protection of the U.S. Constitution, guaranteed by Eric Holder and Barack Obama themselves!!!

Re:Time to move (0)

g0bshiTe (596213) | about 9 months ago | (#44416667)

The US Constitution only protects US citizens.

Re:Time to move (0)

Anonymous Coward | about 9 months ago | (#44416741)

Well, it's "supposed" to protect US citizens.

Re:Time to move (2)

cusco (717999) | about 9 months ago | (#44416929)

Bullpuckey. The only place where citizenship is mentioned in the Constitution is when it refers to the ability to hold public office. Everything else refers to anyone anywhere in the jurisdiction of the US, whether it be Kentucky, Guam, a US Navy ship, or a yacht in US territorial waters.

Re:Time to move (1)

Anonymous Coward | about 9 months ago | (#44416993)

That guy should totally come to the USA.

In other words, don't leave any body parts behind.

Let it leak out (2)

hawguy (1600213) | about 9 months ago | (#44416407)

I sure hope someone doesn't "accidentally" break into his computer, steal the exploit and publish it in the wild. Wouldn't want to force VW into finding a solution. Much better to pretend that only the white-hat hackers know about the hack and that the bad guys are too stupid to have figured it out. Security through pretending is the best security.

The Flatbed Truck Vulnerability (5, Funny)

zenrandom (708587) | about 9 months ago | (#44416469)

I'm going out on a limb, disclosing this publicly and all. But all vehicles on the roads today are vulnerable to a nefarious flat bed truck with a winch. Said driver pulls up to the vehicle, lowers the ramp, attaches the winch, and pulls the target vehicle onto the truck. Once vehicle is secured to the truck, they drive away. I've not contacted any manufacturers on this vulnerability, but I feel that disclosing it publicly may keep the public informed.

Re:The Flatbed Truck Vulnerability (2)

couchslug (175151) | about 9 months ago | (#44416641)

A snatch truck with a wheel lift is even quicker, and having done repos with a friend I can say bystanders rarely say or do anything.

Once you get the vehicle off the property they can't legally block you from taking it (in my State) so we'd shoot the wheel lift under whatever end of the car was handy. Depending on the car we'd even leave a hitch ball attached to the wheel lift and snag the lower core brace (they were all owned by my buds car lot) and drive off instantly rather than locking the wheel lift bars. (It was an old Century for those who care.)

You can drive down many a residential street or parking lot with the rear brakes locked, tires boiling smoke, and no fucks given!

The flatbed ("rollback") cares not even if there are no wheels on the target vehicle. It'll skid just fine.

Good times.

Sounds like it's already out there... (4, Interesting)

GodfatherofSoul (174979) | about 9 months ago | (#44416577)

It emerged in court that their complex mathematical investigation examined the software behind the code. It has been available on the internet since 2009.

My only objection to hackers revealing exploits is they must give the affected company time to fix the problem. This time is going to be longer for VW since their software is literally running all over the world. But, 4 years is ample time.

I'd be curious to know exactly what VW has done to address the problem, or more broadly did they even *bother* to fix the problem.

Re:Sounds like it's already out there... (2)

Lehk228 (705449) | about 9 months ago | (#44417059)

companies have shown time and time again they do not properly handle "responsible disclosure" as in this case they use the courts to silence the messenger.

the only remaining option is immediate, anonymous full disclosure, preferably released as a metasploit module in order to maximize the consequences for sloppy and reckless vendors

Dupe (1)

Anonymous Coward | about 9 months ago | (#44416617)

http://tech.slashdot.org/story/13/07/28/019222/english-high-court-bans-publication-of-0-day-threat-to-auto-immobilizers

Preventing him speaking will prevent car theft.. (1)

kawabago (551139) | about 9 months ago | (#44416677)

Hey, where's my car?

Re:Preventing him speaking will prevent car theft. (1)

Anonymous Coward | about 9 months ago | (#44416863)

Nothing new here, if the judge didn't like or agree with the message (or got a big payoff) then it's simple: "shoot the messenger of bad news".

Yet another misleading slashdot summary/headline (4, Informative)

Anonymous Coward | about 9 months ago | (#44416713)

I almost don't want to post this, rather than continue to watch the slashdot flock get herded around the meadow yet again. But guess what. The Ars Technica article (ironically headlined "High court bans publication of car-hacking paper") states:
"The company asked the scientists to publish a redacted version of the paper without the crucial codes, but the researchers declined, claiming that the information is publicly available online."

So yeah, the publication of the paper was never at stake.

This little tidbit makes most of the above comments (including those already up to +5) look pretty ridiculous.

Re:Yet another misleading slashdot summary/headlin (1)

Arker (91948) | about 9 months ago | (#44416973)

The paper without the codes is not the paper, doh.

Censorship? (1)

greggman (102198) | about 9 months ago | (#44416883)

How is this not different from banning people from saying that if you break the window of a building you can get in and steal things?

Misleading article and summary. (5, Informative)

julian67 (1022593) | about 9 months ago | (#44416955)

In the article:
"The judge, Colin Birss, ultimately sided with the car companies, despite saying he "recognized the importance of the right for academics to publish.""

This is very misleading. The judge did not "ultimately" side with anyone because this is an *interim* injunction during the course of more prolonged litigation. Citation:

http://www.bbc.co.uk/news/technology-23487928 [bbc.co.uk]
and
http://www.itpro.co.uk/security/20291/vw-gets-high-court-bans-scientists-revealing-luxury-car-security-codes [itpro.co.uk]

The purpose of the interim injunction is to temporarily maintain the status quo while further evidence and arguments are presented, prior to any actual and significant judgement.

Once again slashdot avoids objective reporting and instead offers its readers what they actually prefer and craze: dishonest, misleading, untrue versions of the world that play to the infantile prejudices of the average self righteous and privileged pseudo liberal.

Re:Misleading article and summary. (1)

julian67 (1022593) | about 9 months ago | (#44416979)

crave not craze. Slashdot's hysteria and ineptitude is so contagious that I'm going cravy.

The two other hackers go to court (1)

Teun (17872) | about 9 months ago | (#44417049)

The Dutch university of the other two hackers has asked a Dutch court to let them release their findings.

http://www.telegraaf.nl/binnenland/21769604/__NL_se_vinding_geblokkeerd__.html [telegraaf.nl]

From the University site: http://www.ru.nl/english/general/news_agenda/news/@895890/radboud-university-0/ [www.ru.nl]

Interesting is the statement VW was informed about the problem nine months ago and Dutch Government/Jurisprudence finds 6 months of silence already sufficient.

This is why I go all-manual (0)

Anonymous Coward | about 9 months ago | (#44417087)

No keyless entry. No remote start. No power locks. No power windows.

Sure, someone can sneak into my driveway at night, jimmy the lock, pop the hood or get access to the wires in the cabin, install a black box, and p0wn me, but they won't be able to do it remotely.

Making them come to MY car to take control of it increases their effort and increases their risk.
