banner perso

Some links about me. Many of my 3D designs are free. I also post on Google+ and in another blog, oz4.us
review (32) general (26) issue (16) mechanical (16) replacement (14) software (13) addon (12) bowden tube (10) business (10) consumables (10) heat (10) feeder (8) hot end (8) weird (7) motor (6) off-topic (6) trick (6) electric (4) bed (3) cnc (2)

Friday, October 2, 2015

"It is better for your safety that we are opaque" (Volkswagate)

"It is better for your safety that we are opaque"

I just read an article on the BBC related to Volkswagen and the "(...) argument for stopping people fiddling with those systems, because if you don't know what you are doing - or even worse do know and have malicious intent - you could create genuine safety issues."
Volkswagen in 1969 by John Muir
But are we still complete idiots?
This post not only relate to Volkswagen, but to any big company using proprietary stuff and saying it is good for you. You can replace "car" with any non-open piece of software or hardware alike. Transparency is just so hard to depreciate, especially when you are talking to your own customers.

Here we go: "If we give access to our source code, our cars will risk more hacking".

Yes and no. Manufacturers just fail to understand that their cars will eventually be hacked, be it open or not.
Actually it already happened (e.g. some fatal hacks). Hackers need no source code. There are thousands of people that will try to reverse-engineer their protocols, soon or later.

Security through obscurity is a business fallacy.
Is Linux more often hacked than windows? Yes, obviously. Now is it less secure? Certainly not. This is simply the consequence of two strategies regarding openess and transparency. The car makers are no software makers: they say closeness is necessary for the user security. I am sure that even Microsoft no more says that (funny one: "Open source, from Microsoft with love" on github!).

Moreover, their fear of security-related hacks is revealing for me: it is fueled by their lack of confidence in their own capabilities to secure their cars and their software. This is exactly where third party experts should be in, and this is what they refuse to do, citing... security reasons?!

Many sensitive software are open sourced. Actually they are enough secure that the vast majority of the worldwide internet is heavily relying on open sourced components (linux, apache, mysql, php to name a few).

By the way, their stance denies the possibility that someone fixes their mistake for free and for the benefit of everyone, including them. And when they try to fix flaws, they do not always do it properly either (Jeep sent USB sticks via the postman, giving even more food and means to hackers).

So when the source code is not available, they should do a better job at protecting their cars at the very minimum. We are now driving computers which requires essential firmware updates. But car manufacturers are like the vast majority of the industrial companies that are switching to the "internet of things": they do not seem to consider software security before they release their software. And here, the "computer" can kill you!

Again: "if we open the source code, someone who tampers with it may crash his car"

So what? Come on, that would be a problem for the user himself, and for third-party controllers if any. Who would sue Microsoft because his pirated version of Windows crashed his hard drive?! Who ever installs Cyanogen Mod on a phone makes the manufacturer not responsible of any quirk that happens to the phone.

You just need to know that you may void the warranty of your product in doing so. They genuinely can say they cannot be held responsible when your firmware does not come from them! Do they really think they would be held liable in justice by someone who hacked his airbag and who ends in a tree? Or while texting?

And if/when a user installs unconfirmed third-party car firmware, *he* is the one to blame when something goes wrong with it. Think about getting a trojan by downloading some dubious freeware!

Just comply by the law. This is not their business!

What they fail to see is that tampering with the car firmware still means that you have to comply to the law. Not doing so means a big fine when you are discovered. And it is not necessarily the car manufacturer business to check if you stick by the law. This is the job of other people, and controls can be preventive or post-mortem (according to the state policy -- another topic).

Comply with the law! - Dilbert
Actually people are already hacking their hardware. Some mount unsuitable tires, while other just pour the wrong gas in the engine! Do they complain to the manufacturer?

The car manufacturers could just tell "here are the only firmwares we certify" and use real digital certificates on it. And if they really were willing to cooperate they could embed pieces of codes from third parties in their own releases. They could even pay hackers for discovering security flaws, as more and more companies do in the software industry.

Now, well, they tell us it would be illegal to hack their firmware, while they are illegally hacking it in the first place to circumvent the laws, how cynical!

The funnier is that they ask that we trust them ... for our own security!

Seriously?! Hey they just cheated on everyone for years, without much regard to our health (nor to the highly regarded reputation of German manufacturing). What for? Raw, stupid short-term profit. What I do think is they would have sold us cardboard boxes if it was legal.

This is the time when *they* should be transparent and try to repair the incredible damage they have done consciously. No, instead they keep asking for confidence without letting any one see the inside?

Speaking of transparency... they could get insight from Henry J. Heinz that made the first transparent tomato ketchup bottles, and who helped making the first health laws and quality controls a reality... while helping his own business! Yes, car manufacturers could learn from century-old tomato ketchup producers, check it here: Concerned citizen or clever capitalism? But they try to escape the law, instead of using it for a better business.

Double speech, public relations, marketing and bullshit again.

This is just double speech, while they are in an inexcusable situation. It reminds me of Monsanto that was arguing that their GMO seeds are sterile because of safety reasons while they were saying they were totally safe at the same time. 

Security through obscurity is insufficient, and na├»ve at best. And security through minority is not available when you sell millions of cars. 

Hey I better go and check that my old Transporter isn't made of cardboard actually. At least there is almost no electronics in it.

No comments:

Post a Comment