Josh in CharlotteNC (profile), 22 Jul 2015 @ 1:56pm
Public disclosure (or at least the threat of it) is the only way to put pressure on companies to fix security holes in software, including software in cars.
Let's not forget that these same 2 security researchers put on a demonstration on a Toyota Prius and a Ford Escape at Defcon in 2013. At the time, it required a wired connection to the diagnostic port. The automakers ignored it and said their systems were secure.
As to the threat concern, yes, these guys did have physical access to the Jeep used. But they are also able to scan the network using a burner phone on Sprint's network that UConnect uses to locate other cars running the same software all over the place. The same vulnerable software that they can exploit remotely.
Josh in CharlotteNC (profile), 22 Jul 2015 @ 12:01pm
Re: Re: They've MADE Dotcom a saint.
Yes, because when the US government accuses a citizen of foreign country of breaking a law in a country the foreign citizen has never been to, the only reasonable course of action is to be led like a lamb to the slaughter in a broken justice system.
It's no longer about the crime he allegedly committed. It's about abuse of power, US imperialism, political corruption and crony capitalism, and a biased justice system.
Josh in CharlotteNC (profile), 22 Jul 2015 @ 11:45am
Re: Re: Re:
It's not just that the DRM plugin itself isn't something you would voluntarily want on your system.
The entire infrastructure and method of distributing these kinds of plugins (NPAPI) being used has been recognized as a security nightmare for years.
What NPAPI does is allow any random website that has something embedded that requires a plugin to point to any random location the website wants as a source to get that plugin. Depending on browser settings, it may download and install the plugin automatically, or pop up a window like what is described. The large majority of users will just click accept on the window. This is why Chrome does not allow it. Mozilla has greatly modified how it works in Firefox to only point to Mozilla's trusted plugin library. I believe Opera does not allow it either (they use something similar to Chrome).
United's solution to how to play video on someone's device looks identical to one of the most popular ways to spread malware from a decade ago - the "video codec plugin" scam.
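The comment above describes the core weakness of plugin-based media delivery: the page itself tells the browser where to fetch a plugin it lacks, so the download location is whatever the page author (or whoever injected markup into the page) chose. The following is an added example, not code from the original comments or from any of the products mentioned: a small Python scanner that walks an HTML document and reports every plugin-download hint on `<embed>`/`<object>` markup (the `pluginspage` and `codebase` attributes, plus a `pluginurl` `<param>`, the latter included as an assumption about older Netscape-era install hints), flagging those that point off the page's own origin. The sample page is constructed for the example; the hostnames in it are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin

# Attributes (on <embed>/<object>) and <param> names that tell a plugin-capable
# browser where to fetch a plugin it does not have yet. "pluginurl" is an
# assumption about older install hints; "pluginspage"/"codebase" are the
# classic NPAPI/ActiveX attributes.
PLUGIN_SOURCE_ATTRS = ("pluginspage", "codebase", "pluginurl")


class PluginSourceScanner(HTMLParser):
    """Collects every plugin-download location referenced by embed/object markup."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).netloc.lower()
        self.findings = []

    def _record(self, tag, attr, raw_url):
        # Resolve relative references against the page so relative and
        # absolute same-origin paths are treated alike.
        url = urljoin(self.page_url, raw_url)
        host = urlparse(url).netloc.lower()
        self.findings.append({
            "tag": tag,
            "attr": attr,
            "url": url,
            "off_origin": host != self.page_host,
        })

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag in ("embed", "object"):
            for attr in PLUGIN_SOURCE_ATTRS:
                if attrs.get(attr):
                    self._record(tag, attr, attrs[attr])
        elif tag == "param":
            name = attrs.get("name", "").lower()
            if name in PLUGIN_SOURCE_ATTRS and attrs.get("value"):
                self._record("object/param", name, attrs["value"])


def scan_plugin_sources(html, page_url):
    """Return every plugin-download hint found in `html`, in document order."""
    scanner = PluginSourceScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def off_origin_plugin_sources(html, page_url):
    """Only the hints that would fetch an installer from a different host."""
    return [f for f in scan_plugin_sources(html, page_url) if f["off_origin"]]


# Constructed sample page (not taken from any real site); hostnames are placeholders.
SAMPLE_PAGE_URL = "https://inflight.example.com/watch"
SAMPLE_HTML = """
<html><body>
<embed src="movie.mov" type="video/x-custom"
       pluginspage="http://plugin-host.example.net/get/player.exe">
<embed src="trailer.mov" type="video/x-custom"
       pluginspage="/plugins/player-setup">
<object classid="clsid:00000000-0000-0000-0000-000000000000"
        codebase="http://cdn.example.org/player.cab#version=1,0,0,0">
  <param name="pluginurl" value="https://inflight.example.com/plugins/fallback">
</object>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_plugin_sources(SAMPLE_HTML, SAMPLE_PAGE_URL):
        flag = "OFF-ORIGIN" if f["off_origin"] else "same-origin"
        print(f"{flag:11} {f['tag']:13} {f['attr']}={f['url']}")
```

Run against a saved copy of a page, the output lists each place the markup would send the browser for an installer; a same-origin hint is only as trustworthy as the site, while an off-origin one hands plugin installation to a third host entirely, which is exactly the pattern the "video codec plugin" scams relied on and the reason browsers stopped honouring these hints.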
Josh in CharlotteNC (profile), 21 Jul 2015 @ 1:54pm
Re: Re: Re:
You seem to be implying that I think people should be driving unsafe cars on public roads.
I do not want that. I want to be able to drive safely.
What I want to prevent is the inevitable overreaction and counterproductive bad legislation that prevents people from legally tinkering or making modification to the cars (and other devices) they own, and not to require approval from the manufacturer. Your words: "only run manufacturers approved software" is what I have a problem with.
The act of driving unsafely, or of operating an unsafe vehicle, is what should be illegal. It should not be illegal if I run different software in my car that Chrysler or Ford or GM or whoever doesn't like, so long as that software isn't otherwise dangerous.
Josh in CharlotteNC (profile), 21 Jul 2015 @ 11:34am
Re:
"I think it is acceptable to ensure that vehicles used on public roads only run manufacturers approved software, because a software bug endangers people other than the owner."
I think you need to reread the article. This was a software bug in the manufacturer-supplied software.
Making it either illegal (through legislation) or impractical (through DRM or TPM chips or similar) only increases the chance these bugs are not found. It also takes away valuable modding capabilities to improve your own car.
If the concern is safety, then existing laws either already cover it (e.g. illegal to operate a car that hasn't passed its yearly inspection) or should be written in a manner that does not cut out legitimate tinkering and modding because of overblown fears.
Josh in CharlotteNC (profile), 16 Jul 2015 @ 6:45am
"This hack could only be exploited if basic network security does not exist and if the attacker is physically present with local network access."
I'm guessing no.
Does anyone with even a tiny bit of IT security experience think for a second that software setup with no authentication and a default password of "password" has no other glaring security holes?
Josh in CharlotteNC (profile), 13 Jul 2015 @ 6:37am
Without copyright lasting until 70 years after their death, long-dead historical war criminals would have no reason to be quoted saying anything or write their propaganda down.
Josh in CharlotteNC (profile), 8 Jul 2015 @ 8:11am
Re:
"Among the subset of all people on earth that have access to the mostly free and uncensored Internet, Germans are actually one of the bigger groups."
Unless you count Youtube videos that have anything resembling music in them. It's easier to watch a music video on Youtube from China than it is from Germany.
Josh in CharlotteNC (profile), 22 Jun 2015 @ 11:48am
Re: Realistically, how will this change anything?
as long as people keep it to themselves and not share online, there is nothing to fear.
Uh-huh. Tell that to people who have actually not shared anything online, but still get sued.
Besides the general insanity of the ruling, it simply isn't good for the rule of law. Bad laws and bad rulings further widen the gap between what is legal and what is socially acceptable in everyday life. In free societies, there needs to be a really good reason to make something illegal if everyone is doing it. If not, then the inevitable result is selective enforcement, which undermines the belief in the fairness and equality of the law.
Josh in CharlotteNC (profile), 17 Jun 2015 @ 2:16pm
Re: Re: Re: Re: Re:
You are asserting that 'least damage possible' is always the correct choice. If that's your belief, fine, defend it. Don't avoid answering the questions that deontology asks.
Is torture always wrong, even if you have absolute proof that the person you are torturing did plant the ticking bomb?
Is murder always wrong, even when you pull the lever or push the fat man onto the track to save more lives?
Your view means you have to answer No to those questions and accept murder or torture in some situations.
If you can't answer No, then you need to admit that there aren't always easy answers and just saying least harm is also not always correct.
Josh in CharlotteNC (profile), 17 Jun 2015 @ 9:28am
Re: Re: Re:
"shouldn't they aim for the lowest damages overall"
That is a utilitarian view.
Roughly speaking, the deontological view is that by the act of choosing to pull the lever, you are now complicit in the murder of the one (even if you did it to save the 5).
We have this same argument when it comes to torture with the 'ticking bomb' scenario. Do you choose to torture someone you suspect may know where the bomb is to save the lives of many (utilitarian)? Or is torture always wrong even if done to save lives (deontology)?
This is NOT an easy question to deal with. Good of the many vs. good of the one. Hobson's Choice. Countless other permutations.
Josh in CharlotteNC (profile), 17 Jun 2015 @ 8:43am
"compile their own theories"
We don't need theories, it's the Internet, so we can make unfounded suppositions. Like the one that somehow TSA.gov, Copblock, IMDB, and NPR are conspiring to steal her intellectual property.
Josh in CharlotteNC (profile), 17 Jun 2015 @ 6:31am
Re:
The Trolley Problem is a very well understood thing in philosophy and ethics. There are numerous scenarios, including ones like yours, as well as an interesting variation where instead of having a lever to divert the trolley from killing the 5 lives at the cost of 1 life on the diverted track, you have option to push a fat man onto the track to stop the trolley. These scenarios have been translated into many languages and cultures, and the results are roughly similar across most people surveyed.
On the post: Police Shut Down Hologram Concert Of Rapper Because They Don't Like His Lyrics; Pretty Clear First Amendment Problem
Re: Re:
On the post: Even If You Think Kim Dotcom Is Guilty As Sin, The US Government Stealing His Assets Should Concern You
Re: Re: Re: Re: Re:
You have some legal theories of how it supposedly works.
We have thousands of instances of it happening completely differently in actual practice.
No matter what your legal theories say, they do not reflect reality.
Santa Claus doesn't exist. Unicorns aren't real. Your legal theories are bunk.
On the post: Car Hack Demonstrates Why Security Researchers Shouldn't Have To Worry About Copyright In Exposing Weaknesses
On the post: Even If You Think Kim Dotcom Is Guilty As Sin, The US Government Stealing His Assets Should Concern You
Re: Re: Re:
Why should anyone give a fuck about legal fact when that legal fact is ethically corrupt and utterly immoral?
It is NOT OKAY for the government to just declare someone guilty of a crime and then take their stuff before convicting them.
On the post: Even If You Think Kim Dotcom Is Guilty As Sin, The US Government Stealing His Assets Should Concern You
On the post: United Airlines Requires You To Install Special Brand Of DRM To Watch Movies On Flights
On the post: Comcast Really Wants Me To Stop Calling Their Top Lobbyist A 'Top Lobbyist'
Re:
Chief "Not-a-Lobbyist-Wink-Wink-Nudge-Nudge" officer
Chief "Only-spends-19%-of-his-time-corrupting-the-political-process" officer
On the post: Newsflash: Car Network Security Is Still A Horrible, Very Dangerous Joke
On the post: Newsflash: Car Network Security Is Still A Horrible, Very Dangerous Joke
On the post: If The UK Wants People To 'Respect' Copyright, Outlawing Ripping CDs Is Probably Not Helping
Re:
Yeah, today isn't going to be like that.
On the post: Shocking: Software Used To Monitor UK Students Against Radicalization Found To Be Exploitable
On the post: Joseph Goebbels Estate Wins Copyright Suit Over Use Of Nazi's Diary In Biography
On the post: Copyright Takes Down High-Profile Translation Of Thomas Piketty's Comments On Germany & Greek Debt
On the post: UK High Court Strips Away Short-Lived Private Copying Right, Buying Recording Industry's Demented Assertions
On the post: UK High Court Strips Away Short-Lived Private Copying Right, Buying Recording Industry's Demented Assertions
Re: Re: Re: The media levies are paying for your second copy
On the post: Should Your Self-Driving Car Be Programmed To Kill You If It Means Saving A Dozen Other Lives?
On the post: Should Your Self-Driving Car Be Programmed To Kill You If It Means Saving A Dozen Other Lives?
Re: Re: Re:
Are you complicit in the kid's death for using/operating the machine with software that does this?
What about the company that made it? The programmer who programmed it?
On the post: Should Your Self-Driving Car Be Programmed To Kill You If It Means Saving A Dozen Other Lives?
On the post: Designer Knockoff Enthusiast Issues DMCA Notice Targeting Half The Internet, Fails To Remove A Single URL
On the post: Should Your Self-Driving Car Be Programmed To Kill You If It Means Saving A Dozen Other Lives?
Re: