So, on the one hand, the UK court spurns the help of good-guy hackers. On the other hand, we are talking about luxury cars, bought and owned by very rich people. Fuck them. Their insurance will take care of it anyway.
Because stopping someone speaking in public in one particular instance stops any information on the topic ever being disseminated.
Of the few people I do know in the legal profession, the trend is that they think quite highly of their intellects and rightly so.
The maturation process wherein it ages into total and absolute capitulation to obscene power must happen later in life.
So instead of some obscure technical talk at a security conference, the subject will be discussed in the mainstream press as a censorship issue. Good planning, VW.
Welcome to the new millennium where security consists of sticking your fingers in your ears and going “nah nah I can’t hear you!!!”
Yay Internets and series of tubes! Info continues to slip through the greasy fingers of evil people.
“Won’t somebody think of… blaming it on terrorists!”
I’m not clear on two things: would the presentation make it significantly easier for a criminal to break into a car, and did Garcia give Volkswagen time to do the right thing beforehand? Those’ll make a big difference.
In the world of utterly-crap proprietary crypto systems that get baked into hardware (see also many of the MIFARE variants from NXP), the trouble is that ‘time to do the right thing’ might be measured in years, probably several of them.
This isn’t the (awful; but at least reasonably agile) world of software bugs and patches, where 6 months is a long time. This is something that gets burned into a zillion ASICs that get stamped into a bunch of keyless entry systems that will remain with cars until either their retirement or a truly epic recall, in favor of an alternative that probably hasn’t been developed yet.
Which is why VW should be held to a high standard, before thousands of defective cars become millions.
They should give it to an American. Or maybe just leave it lying around where a sneaky Frenchman or German can stumble upon it.
Oh, please don’t get me wrong: I’m not taking VW’s side on this one, just arguing that the ‘enough time for the vendor to do something’ is really a concept born of, and applicable to, the world of software running on general purpose computers.
It’s still impolite to hide defects from vendors of such baked-into-hardware systems as this; but where “responsible disclosure” in even its most supine, vendor-friendly, form means maybe 6-8 months on the PC side, it would mean probably 10 years on the hardware-embedded side.
My contention would be that, under those circumstances, it isn’t a very useful standard. Also, in the specific context of cars, the owners of the cars really ought to know as soon as possible, lest Team Insurance try the old ‘Nope, that system is unhackable, if your car was stolen you must have been negligent!’ line. (see also ‘Chip and Pin’ bank liability controversy)
I am curious as to whether the court’s injunction only applies to Prof. Garcia and the University of Birmingham, or rather if his colleagues in Nijmegen would be free to go through Dutch channels and release the paper as a translation from the original Dutch.
It sounds like researchers need to stop giving notice about what they are going to speak about before they speak about it. Imagine if newspapers said “In a week we’re going to tell you about how the NSA is spying on you”. If they did that I’m sure some government officials would try to find a way to bar the newspaper from disclosing the info.
You don’t need to imagine: just think back to when the NYT decided to sit, for at least a year (and an election) on their little illegal warrantless wiretapping story. Been there, done that, bought the dystopian surveillance state.
So, yeah, if you plan to displease the powerful, don’t spoil the element of surprise.
What? When did the mainstream press ever ever discuss censorship issues? Ever?
I would almost suspect an ulterior motive, if only there was a multi-billion pound breaking-into-cars industry. But then Garcia would have had an unfortunate accident, instead of a court order.
I’m surprised it was Judge Birss who did this. Thought he was one of the more technically literate and sensible of the UK judiciary after slapping down THAT law firm for speculative invoicing.
“It emerged in court that their complex mathematical investigation examined the software behind the code. It has been available on the internet since 2009.”
Well, the software has been available to the public for three years now. I assume someone at VW knew it was out there, and if they wanted to know, that this could lead to its failure. Three years is usually enough time to do a recall campaign.
There’s a very simple way to hold VW to a high standard. Don’t buy their product.
Very simple? Very simplistic.