The Internet of criminal things

By Jonathan Corbet
September 23, 2015

We live in an increasingly software-defined world, a trend which has both good and bad aspects. The recent revelation [PDF] that Volkswagen has been selling cars that have been explicitly built to defeat emissions tests highlights one of the bad ones: software control makes the incorporation (and hiding) of antifeatures easy. We are, unfortunately, going to see many other incidents like this one, even though we have long had a vision of what at least a partial solution to this problem would look like.

Cars, at this point, can be thought of as a rolling network of computers with some interesting peripheral devices, some of which may involve internal combustion technology. The details of an engine's operation have been under software control for a long time, and replacement ROMs changing a car's performance characteristics have been commonplace for nearly as long. Modern "trusted execution" technology makes the creation of such ROMs more difficult, but that turns out not to be an obstacle if the company wanting to subvert an engine's control software is the manufacturer itself.

Volkswagen's hack must have been easily done: one could, for example, have the engine-control software apply a different set of parameters when a connection to the on-board diagnostic port is detected. No need for the attachment of a separate "defeat device" (as the press seems to like to call it) and no need for an elaborate company-wide conspiracy. A single commit by a single engineer at the behest of a single manager would suffice. In retrospect, the surprising part of this story is not that somebody at Volkswagen gave in to the temptation to engage in a bit of benchmark cheating; the surprise is that far more incidents of this nature have not yet come to light.

The consequences of this cheating are severe. Emissions testing is a key part of a strategy that has significantly improved air quality in American cities over the last several decades. Subverting that testing means more poison in the air, more health problems, and more environmental degradation. It is a criminal act on a massive scale. The consequences for Volkswagen are likely to be severe — but probably not severe enough.

As many others have pointed out, VW was certainly helped by the ease with which antifeatures can be hidden in software shipped to others. When we get into a car, we trust our lives and health to a large body of proprietary control software; the source is unavailable, so we cannot inspect it for bugs, vulnerabilities, or explicit evil. Legal regimes in much of the world make a crime out of reverse-engineering this software, so we cannot try to figure out how it operates even without the source. Digital rights management (DRM) mechanisms built into the hardware make that reverse engineering even harder; this DRM may even be mandated by government agencies fearful of individuals modifying their own engine-control software.

Those in favor of such DRM requirements should bear in mind that, by some counts, VW has shipped over 11 million cars with corrupt engine-control software in it. DRM has, in the end, enabled the crime it was meant to prevent, and on a far wider scale that would have otherwise been possible.

Cars are not the only vehicle (so to speak) for software that can hide user-hostile antifeatures. In the US, the Federal Communications Commission is currently pondering changes that would make it far harder to put free software onto WiFi devices. One need not even consider the damage such rules may do to free-software development, which has been the primary source of innovation and improvement in this area, to see where such rules could lead. We cannot expect corporations, many of which show levels of restraint inferior to that of a typical toddler, to resist the temptation to put spyware or malware into their widely distributed devices sitting in privileged positions on thousands of networks. We cannot really even trust them to adhere to the spectrum rules that are the motivation for the proposed restrictions; VW's lack of respect for emissions rules has made that clear.

Similar problems exist with voting machines, Internet-connected appliances, phone handsets, fitness monitors, set-top boxes, and more. Each of these devices is, at a minimum, in a position to spy on us. Keeping governmental fingers out of these devices is a challenge in its own right, but companies will often find a strong incentive to play games of their own. Companies that are struggling, or even those that fear a downturn in the next quarter's numbers, will often give in to that incentive; when all it takes is an easily hidden patch, why not?

This will not be the first time that somebody points out that it is hard to see a solution that doesn't involve making those patches harder to hide. That, of course, means moving toward something that looks a lot like free software. If VW's engine-control software were open (with reproducible builds so that the software running in a specific car could be verified), it would have been far harder for the company to get away with violating the rules for as long as it did. Source availability is far from a guarantee that the code will be reviewed or that any reviewers will actually find deliberately introduced antifeatures, but it improves the odds considerably. Many a company might find the backbone to resist temptation if it knew that its code would be reviewed by sharp-eyed outsiders. Said companies might just find the wherewithal to clean up the code and fix some of their bugs as well.

A free-software mandate for safety-critical (and privacy-critical) software seems unlikely to happen anytime soon, alas. Decriminalizing research into how these systems operate might be a more achievable goal, but there are challenges there too; the Electronic Frontier Foundation has run into significant opposition in its efforts to get a ruling that investigating automotive software is not a violation of the anti-circumvention provisions of the US Digital Millennium Copyright Act, for example. Hidden, proprietary software gives a lot of power to those who control it; they will not give it up willingly. As a result, we can, unfortunately, expect to continue to be subjected to surveillance and criminal behavior from the devices that we think we own. We can't say we weren't warned.

Index entries for this article
Security	Automotive
Security	Embedded systems

The Internet of criminal things

Posted Sep 24, 2015 6:04 UTC (Thu) by marcH (subscriber, #57642) [Link] (7 responses)

> As a result, we can, unfortunately, expect to continue to be subjected to surveillance and criminal behavior from the devices that we think we own.

I don't think anyone but the most naive users think they "own" any kind of software. Smartphones / portable tracking devices put the last nail in the coffin of that belief.

The education missing is more about the sheer and underestimated *amount* of software/firmware all around us (maybe this is what you meant). Even in supposedly technical circles you'll find people complaining loudly about, say firmware blobs in the kernel - ignoring there are ten times more running in various places on the same board; just much less visible.

And for a technical attempt to solve a political problem we have of course the GPLv3...

The Internet of criminal things

Posted Sep 24, 2015 11:09 UTC (Thu) by robbe (guest, #16131) [Link] (6 responses)

> I don't think anyone but the most naive users think they "own" any
> kind of software.

I guess most users have only the most nebulous concept of what software/firmware actually is. You can't touch it.

Do you think people have the same reservations and/or uncertainties about physical objects that they fully paid for, like cars, printers, or lightbulbs? Even if they contain firmware...

Mobiles are somewhat of a special case, as they are very often leased as part of a phone service contract.

The Internet of criminal things

Posted Sep 24, 2015 11:29 UTC (Thu) by hummassa (guest, #307) [Link] (5 responses)

> Mobiles are somewhat of a special case, as they are very often leased as part of a phone service contract.

In the USofA... in most of the rest of the world, it's a user-owned device, not a network-owned device.

The Internet of criminal things

Posted Sep 24, 2015 21:06 UTC (Thu) by dlang (guest, #313) [Link] (4 responses)

It used to be this way in the USA. A month or so ago Verizon (the last holdout) caved and shifted their pricing model so that people buy the service and the phone as separate line items, and payment for the phone is no longer tied to payment for the service.

user-owned vs network-owned

Posted Sep 26, 2015 18:40 UTC (Sat) by giraffedata (guest, #1954) [Link] (3 responses)

But that's just a pricing model. The ownership situation was always presented as the user owns the device and the service provider does not. The term "lease" was never used and no part of the monthly payment was called rent. Service providers never said the device was their property. When the contract terminated, the user did not return the device. If it terminated early, the user refunded to the service provider the discount he had received on the purchase price in consideration of the long service contract.

So I think whatever users expect of things they own, like cars, they probably expected of these phones that were tied to service contracts.

user-owned vs network-owned

Posted Oct 1, 2015 11:03 UTC (Thu) by Wol (subscriber, #4433) [Link] (2 responses)

The UK term for this is "hire purchase". The device is hired for the duration of the contract. At the end of the contract the user owns the device, and if they wish to terminate the contract as you say they have to pay the remains of the purchase price.

Not to be confused with (although it often is) lease purchase, where the user typically puts a big slab of the price up front as an initial payment. Ownership of the device then transfers to the user at the end of the contract, but before then the user can return the device and walk away.

Then of course, we have contract leases (like our car) where we pay over three years for a brand new car, then at the end of that time we hand it back and enter a new contract for a new car.

The tax treatment of all these variants is capricious and arbitrary, and it would be nice if you didn't have to play tax games when trying to work out which option is best.

Cheers,
Wol

user-owned vs network-owned

Posted Oct 1, 2015 16:20 UTC (Thu) by giraffedata (guest, #1954) [Link] (1 responses)

I'll bet all of those are legally distinct from these US phone contracts because in these hiring variations, legal title to the phone during the contract period would be in the network operator, whereas in the US phone contracts, it is in the subscriber. With enough provisions in the contract, the difference can be practically tiny, but it can still matter with things such as where one of the parties declares bankruptcy, dies, gets divorced, or owes the government money.

Incidentally, I was being abstract when I said in the case of early termination the customer has to "refund to the service provider the discount he received ..." It's actually characterized by the parties as an "early termination fee" or "early termination penalty" and the ones I've seen are a fixed amount regardless of how much time is left on the contract and the contract doesn't mention a purpose for it.

US technology service providers have plenty of experience retaining ownership of the terminal device and know the benefits and costs of that, and wireless telephone service providers seem to have deliberately avoided that model.

user-owned vs network-owned

Posted Oct 1, 2015 19:45 UTC (Thu) by dlang (guest, #313) [Link]

in the last year, the situation in the us has changed so that now the purchase of the phone is separate from the service, and if they are tied together, the remaining amount owed on the phone is what needs to be paid if you want is unlocked to use it elsewhere.

The Internet of criminal things

Posted Sep 24, 2015 6:23 UTC (Thu) by marcH (subscriber, #57642) [Link] (14 responses)

> Similar problems exist with voting machines,

At least this one's easy - if obsessions for technology are set aside. I once helped tally (transparent) ballot boxes at my polling station and I could see for myself how incredibly high is the ratio reliability.security/cost for this system. KISS.

The Internet of criminal things

Posted Sep 24, 2015 11:19 UTC (Thu) by smitty_one_each (subscriber, #28989) [Link]

+1. I serve as a voting officer in my county. Low-tech solutions are not bereft of wisdom simply because they are low tech.

Dare (!) to write a letter by hand a mail it.

Voting machines (was The Internet of criminal things)

Posted Sep 24, 2015 13:48 UTC (Thu) by dskoll (subscriber, #1630) [Link] (12 responses)

Voting machines are a really terrible solution to something that isn't even a problem. Manual vote-tallying works just fine and scales extremely well; you only need O(log N) tallyers if you use a tree structure.

Voting machines (was The Internet of criminal things)

Posted Sep 24, 2015 20:00 UTC (Thu) by tzafrir (subscriber, #11501) [Link] (10 responses)

The bottleneck is counting the votes. Not sending the results. With a voting machine you have the results immediately. With a manual vote, it takes several hours. And then you need to securely get the ballots physically to a safe place for keeping (to allow re-count).

Voting machines (was The Internet of criminal things)

Posted Sep 24, 2015 20:06 UTC (Thu) by marcH (subscriber, #57642) [Link]

> With a voting machine you have the results immediately. With a manual vote, it takes several hours.

Yeah it's very much like "breaking" news: must choose between getting wrong information immediately versus waiting for some time.

Voting machines (was The Internet of criminal things)

Posted Sep 24, 2015 20:13 UTC (Thu) by marcH (subscriber, #57642) [Link]

> And then you need to securely get the ballots physically to a safe place for keeping (to allow re-count).

With voting machines you: - either have to do the same thing in a possibly more technical and demanding way; - or you don't even have anything at all you can re-count.

From an counting mistake perspective ballot boxes are an "analog" system, meaning errors are negligible and don't matter except for the rare cases where the vote is very tight.

Voting machines (was The Internet of criminal things)

Posted Sep 24, 2015 20:41 UTC (Thu) by raven667 (subscriber, #5198) [Link] (2 responses)

> With a manual vote, it takes several hours.

What is the actual requirement for speed here? For example in the US Presidential election, the ballots are cast on November 8 but the results aren't absolutely required until inauguration on January 20 of the next year, a few hours (or days or weeks) in a 73 day window is not significant.

Voting machines (was The Internet of criminal things)

Posted Sep 25, 2015 3:51 UTC (Fri) by edgewood (subscriber, #1123) [Link] (1 responses)

Well, the Electoral College meets on the first Monday after the second Wednesday in December, which means somewhere between Dec 13 (Dec 1 is a Wednesday) and Dec 19 (Dec 1 is a Thursday). So the results will be needed by then at the latest.

But the bigger problem is that the US has a lot more separate elections per ballot than I think other places with parliamentary systems do. See http://v.gd/7cIVRX for the *front* of a recent election in North Carolina. There are 14 elections on the *front* of the ballot. I couldn't find a good image of the back, but I recall that many or more there.

Voting machines (was The Internet of criminal things)

Posted Sep 26, 2015 15:46 UTC (Sat) by marcH (subscriber, #57642) [Link]

> But the bigger problem is that the US has a lot more separate elections per ballot than I think other places with parliamentary systems do

Maybe an interesting trade-off could be "hardware assisted tallying", where a scanner operates slowly enough that anyone in the room can keep an eye on it.

Voting machines (was The Internet of criminal things)

Posted Sep 25, 2015 2:18 UTC (Fri) by bfields (subscriber, #19510) [Link]

I don't think it's even necessary to choose. E.g. here in Michigan the ballot is a machine-readable paper form that you fill out and then feed into a scanner built in to the top of the ballot box. The scanner tallies the results and then stores the ballot inside. At the end of the day the poll workers can report instant (preliminary) results, but the ballots can also be recounted manually later to confirm.

(For some reason, I don't think that manual recount necessarily happens in the absence of a challenge. It's easy enough to do.)

You fill out the form by hand with a pencil. I haven't used one, but I seem to recall being told that the polling places also have electronic voting machines, but that all they do is produce paper ballots. That can be helpful for voters that have some disabilities (poor eyesight, or whatever). I suppose in theory you could compromise those but I think that would be easier to detect (and less rewarding) than a similar attack on a purely electronic system.

Voting machines (was The Internet of criminal things)

Posted Sep 25, 2015 12:25 UTC (Fri) by NAR (subscriber, #1313) [Link] (2 responses)

I think at the last Hungarian elections the counting was finished in 3 hours in the first round (where everybody had two votes) and maybe 1,5 hours in the second round (where voters had only a single vote). The political analyzers on TV barely had the time to speculate before the results were ready.

So I don't think counting is a bottleneck currently. However, if we'd have more complicated voting system like the Schulze method, then having the votes in a computer could be more useful.

Voting machines (was The Internet of criminal things)

Posted Sep 29, 2015 16:05 UTC (Tue) by martin.langhoff (guest, #61417) [Link] (1 responses)

Agreed - many countries get same-day results with paper votes, most notably the EU countries and NZ.

In the USA there's been some odd media fabrication of "it can't be done unless we replace the paper vote with horridly unreliable computers". It is clearly not true, but it would take looking at how other countries do things... so... ;-)

Voting machines (was The Internet of criminal things)

Posted Sep 29, 2015 16:42 UTC (Tue) by marcH (subscriber, #57642) [Link]

You meant... "inferior" countries? :-)

Conversely: http://arstechnica.com/business/2014/08/chip-based-credit...

Voting machines (was The Internet of criminal things)

Posted Sep 27, 2015 18:57 UTC (Sun) by debacle (subscriber, #7114) [Link]

Counting might even take days. But as long as the election period is much longer, it doesn't matter at all.

Voting machines (was The Internet of criminal things)

Posted Sep 25, 2015 7:44 UTC (Fri) by jezuch (subscriber, #52988) [Link]

> Voting machines are a really terrible solution to something that isn't even a problem.

To be fair, the current crop of voting machines is a terribly naive implementation of the concept, wasting an enormous opportunity for improvement. They basically do nothing more than the human tallyers can do, except faster - and with less auditability. But there are algorithms that [promise to][1] allow the vote to be both secret and auditable, by anyone who can count, not just the tallyers. But to do that you need to implement actual cryptography, not the half-arsed "add 1 to this variable" machines we are offered today.

[1] I'm not a cryptographer so me not being able to spot any flaws in such an algorithm doesn't mean anything, obviously :) Anything that wants to be used in actual elections need to be first exposed to intense scrutiny by the security community. Which is he opposite of the current state of affairs.

The Internet of criminal things

Posted Sep 24, 2015 6:29 UTC (Thu) by erwaelde (subscriber, #34976) [Link]

For the "voting machine" context see also
https://freedom-to-tinker.com/blog/jeremyepstein/vw-votin...

Oh, the irony!

Posted Sep 24, 2015 7:44 UTC (Thu) by pr1268 (guest, #24648) [Link]

From the NYT article:

Far from trying to make trouble for Volkswagen, the engineers had been hired by the International Council on Clean Transportation, a clean-air advocacy group that hoped to use Volkswagens to show European regulators how efficiently diesel cars could meet the strict emissions limits set by the United States.

Oh, the irony!!

Mr. Moglen's experience with the passenger elevator (also from the NYT article) reminds me of the car elevator park system being held hostage (along with patrons' cars) Granted, this was a case of cyberextortion, and these two situations are somewhat orthogonal, but the evils of proprietary software are similar.

The Internet of criminal things

Posted Sep 24, 2015 9:16 UTC (Thu) by meskio (guest, #100774) [Link]

This reminds me some writings from Doctorow years back:
https://boingboing.net/2012/01/10/lockdown.html

The Internet of criminal things

Posted Sep 24, 2015 9:17 UTC (Thu) by petur (guest, #73362) [Link] (42 responses)

The problem with opening the firmware of the car is that security must be maintained. It is easy to write that DRM is bad, but you should know that tuning companies are actively trying to break the protections of engine control software, and they are offering big money.
And you don't need to guess why they want to do this: to change the parameters so that the engine has more power, even if that means it will be polluting like hell, more than what VW did.

So demanding that this whole system is opened up *will*backfire and actually be far worse for the environment.

willful pollution

Posted Sep 24, 2015 9:50 UTC (Thu) by SimonO (guest, #56318) [Link]

yes and "unbreakable" encryption systems should be banned, because the governments and companies cannot spy on anyone when they are in general use.

Of course some people are going to abuse their abilities gained with open source software to do harm instead of good. Is that a reason to take the route of proprietary control of software? I don't think so.

Chainsaws are bad when applied to people as well, etc. etc. etc.

/Simon

The Internet of criminal things

Posted Sep 24, 2015 11:21 UTC (Thu) by robbe (guest, #16131) [Link] (1 responses)

DRM operates on the theory that the producer of goods is always to be trusted, the consumer never. It's like absolute trust into people in uniforms.

The Internet of criminal things

Posted Sep 24, 2015 16:10 UTC (Thu) by raven667 (subscriber, #5198) [Link]

Trust is not something that authorities, the powerful and wealthy are entitled to, it is something that is earned through audit and transparency of process. I'm very much in line with our esteemed editor that any kind of software we rely on, either in devices we buy or services we rent (from Google, Apple, Facebook, etc.) should be fully open to audit by interested third parties and that trade secret, DRM, etc. law needs to be cleared away to make that happen.

We shouldn't have to blindly trust the software on our devices and web services, or trust spokespeople and published privacy policies, we should always have independent verification of exactly what is being done so we can make the appropriate security and privacy trade offs with eyes wide open.

Individual initiative should do less harm than mass-production

Posted Sep 24, 2015 11:51 UTC (Thu) by davecb (subscriber, #1574) [Link]

I might individually have wanted to but an "evil" rom for my old oil-burner, but as an individual I can't do anything like as much damage as the manufacturer.

The Internet of criminal things

Posted Sep 24, 2015 14:09 UTC (Thu) by ibukanov (subscriber, #3942) [Link] (34 responses)

> The problem with opening the firmware of the car is that security must be maintained.

Open does not imply that anybody can install it. What is essential is that third parties should be able to look at code and verify that the actual binary matches the code. The system can still use technical measures to limit who and what can be installed.

The Internet of criminal things

Posted Sep 24, 2015 20:26 UTC (Thu) by marcH (subscriber, #57642) [Link] (33 responses)

Trusted and other secure boots are not incompatible with transparency and open-source; not at all. The GPLv3 would not even have been invented if that were the case.

The Internet of criminal things

Posted Sep 24, 2015 20:53 UTC (Thu) by raven667 (subscriber, #5198) [Link] (1 responses)

I'd go even further and say that Secure/Trusted boots don't need to be incompatible with owner modification. It's certainly easier to not bother with a mechanism for the eventual owner to modify the system, which is why owner modification should be legislatively required, so device makers can't skip out on this requirement. All you really need is local physical presence and maybe tamper evidence (so it's easy to see if the owner or the manufacturer is responsible if the software messes up), which are actually easier problems to solve than authorizing remote updates over the network.

The Internet of criminal things

Posted Sep 24, 2015 21:12 UTC (Thu) by marcH (subscriber, #57642) [Link]

> All you really need is local physical presence and maybe tamper evidence (so it's easy to see if the owner or the manufacturer is responsible if the software messes up), which are actually easier problems to solve than authorizing remote updates over the network.

Well said. Call this a "fuse", make a nice sentence around it with "voided warranty" in it, and that's it: you've made the whole issue simple enough for anyone to fully understand. Even lawmakers.

The Internet of criminal things

Posted Sep 25, 2015 8:48 UTC (Fri) by ibukanov (subscriber, #3942) [Link] (30 responses)

GPL v3 is harming the situation. As driving a tinkered car on a public road may harm others, I see no problems if installing a new firmwire is restricted to certified entities using a technical measure. Yet GPLv3 is not compatible with that as it requires that the user can install *any* modifications. In my ideal world any user should be able to check the code (either herself or with a help of third party) precisely because it affects the safety and any user can install *certified* changes.

The Internet of criminal things

Posted Sep 25, 2015 9:37 UTC (Fri) by dlang (guest, #313) [Link]

sorry to upset your understanding of the world, but GPLv2 or any other software license is not preventing people from driving 'tinkered cars' on the road.

Cars started out built by tinkerers and the "build your own car from scratch/scrap" has never completely vanished, let alone modifying existing vehicles.

Think about how locked down the game consoles are and how people create 'mod chips' that you press into contact with solder pads on the board to override functionality. The same sort of thing has been available for car computers from the earliest days.

ODB-II has actually greatly eased the car tinkerer's work because a lot of parameters can be accessed directly through a standard interface (which costs <$10 and works with cheap/free software on your smartphone/laptop)

Getting access to the source would just mean that the people doing the tinkering wouldn't be working blind and the result would be safer for everyone.

The Internet of criminal things

Posted Sep 25, 2015 17:18 UTC (Fri) by raven667 (subscriber, #5198) [Link]

I don't think that kind of issue calls for a technical solution. The technical controls should be agnostic to policy, the policy should be set by humans with laws enforced through audit and punishment. A person needs to be responsible, the machine is not a person and can't take responsibility. What do you do with working equipment that hard codes a particular policy when the law changes?

The Internet of criminal things

Posted Sep 26, 2015 13:51 UTC (Sat) by zack (subscriber, #7062) [Link] (20 responses)

> GPL v3 is harming the situation. As driving a tinkered car on a public road may harm others, I see no problems if installing a new firmwire is restricted to certified entities using a technical measure. Yet GPLv3 is not compatible with that as it requires that the user can install *any* modifications.

GPLv3 vs "safety" restrictions is a false dichotomy, fueled a lot by anti-FOSS agendas within the automotive sector.

You can have both a license (e.g., GPLv3) that mandates the ability to install modified versions of some software, and regulations that say that a car with a modified, non "certified" software cannot be used to drive on public roads. That is pretty much the situation for hardware modification to cars (you can make some, but others, e.g. to boost car performances, will put your care out of compliance with regulations that are required to actually use the care on public roads). Why should be software modifications any difference?

We should really insist on this similarity, because doing so removes the car manufacturer arguments that they cannot adopt GPLv3 software due to potential liabilities problems.

The Internet of criminal things

Posted Sep 26, 2015 15:03 UTC (Sat) by marcH (subscriber, #57642) [Link] (1 responses)

> Why should be software modifications any difference?

Because software possibilities are infinite, because it's invisible, because massive replication (and copyright infringement when applicable) comes for "free", and probably others I can't think of right now.

I can hardly believe a free software advocate is wondering about differences between hardware and software... Is there a GPL for hardware somewhere?

The Internet of criminal things

Posted Sep 26, 2015 15:34 UTC (Sat) by zack (subscriber, #7062) [Link]

> I can hardly believe a free software advocate is wondering about differences between hardware and software... Is there a GPL for hardware somewhere?

That's a straw-man, right? :-) I'm (obviously, I thought) arguing there is no significant different in this specific context that would warrant a difference in regulatory treatment.

Cheers.

The Internet of criminal things

Posted Sep 26, 2015 15:35 UTC (Sat) by marcH (subscriber, #57642) [Link] (1 responses)

> GPLv3 vs "safety" restrictions is a false dichotomy, fueled a lot by anti-FOSS agendas within the automotive sector.

The GPLv2 is a pure software licence. The GPLv3 is a software+hardware licence. No surprise it's ruffling many more feathers.

As a citizen, I totally agree with the article's position that some systems should be absolutely required by law to be open-source so they become as visible and auditable than hardware is. With a serious and prolonged education effort, I think the rationale for safety and transparency can be understood and rallied to by voters - even the non-technical ones. This VW scandal is a good opportunity to push this agenda.

But if you want to lose it all, ask too much and never back down. I believe that extending this important battle, adding to it a GPLv3-like requirement to run your own modifications, *would* make it much less understandable by the public, dilute it, and like you wrote be met with fierce opposition from some industries. If some car or voting machines want to use the GPLv3 then great, just don't require it by law.

IMHO the difference of opinion and fragmentation between GPLv2 and GPLv3 is doing more harm to FOSS than most anti-FOSS advocates.

The Internet of criminal things

Posted Sep 26, 2015 15:52 UTC (Sat) by zack (subscriber, #7062) [Link]

> I believe that extending this important battle, adding to it a GPLv3-like requirement to run your own modifications, *would* make it much less understandable by the public, dilute it, and like you wrote be met with fierce opposition from some industries. If some car or voting machines want to use the GPLv3 then great, just don't require it by law.

I agree with you that the message about modifiability would be much more difficult to hold in public debates around car-related software transparency issues.

FWIW, I personally wasn't thinking of mandatory regulation that impose GPLv3-like clauses. I would be very happy with "only" mandating any free software license (which, as the article concludes, is probably nowhere near our current reach). But I did chime in on the specific issue of GPLv3 vs car-manufacturers-liability, because I maintain it's an entirely false dichotomy.

> IMHO the difference of opinion and fragmentation between GPLv2 and GPLv3 is doing more harm to FOSS than most anti-FOSS advocates.

That seems largely OT in this discussion, so I pass :)

The Internet of criminal things

Posted Sep 26, 2015 17:19 UTC (Sat) by ibukanov (subscriber, #3942) [Link] (6 responses)

> Why should be software modifications any difference?

Hardware tinkering is localized and hardware bugs are easy to spot after some reasonable amount of testing that can be done by a person. With modern complex software this is just not the case. A small change that is "an obvious improvement" can easily lead to a disaster that can only be spotted after very through testing. So why a user should be able to install any patch and drive on a public road without paying first for such extensive testing?

The Internet of criminal things

Posted Sep 26, 2015 17:40 UTC (Sat) by marcH (subscriber, #57642) [Link]

> So why a user should be able to install any patch and drive on a public road without paying first for such extensive testing?

... as well as thorough code reviews and every usual (and costly) software QA practice.

Software... "what could possibly go wrong?" https://www.ima.umn.edu/~arnold/disasters/ariane.html

And of course when you wrote "install any patch" I assume you meant "download any patch from any random place without even looking at it and then install it".

Anyway it's good software licences don't conflate these two different issues: transparency and certification, so they can be debated and regulated independently. Oh, wait...

The Internet of criminal things

Posted Sep 26, 2015 18:07 UTC (Sat) by zack (subscriber, #7062) [Link] (2 responses)

> So why a user should be able to install any patch and drive on a public road without paying first for such extensive testing?

S/he should not; or at least not necessarily. Public regulation on embedded car software can certainly decide that *any* software change (for the reasons you discussed) require approval before the car is allows to be on the road again. That would not get in the way of the user ability to install modified software on his/her car, as required by licenses such as GPLv3. Simply, by doing so, they accept the risk (or the certainty, depending on what the law says) that the car can no longer --- before some official seal of approval --- be used in the streets.

The Internet of criminal things

Posted Sep 26, 2015 18:28 UTC (Sat) by raven667 (subscriber, #5198) [Link] (1 responses)

As I think about this thread it seems there is some underlying assumption that regulation, audit, policing, government and democracy in general are unable to solve these kinds of problems sufficiently so that we need technical measures enforced by corporations to solve them for us instead. It used to be a joke that closed, proprietary, unmodifiable software is like a car with the hood welded shut, which was meant to be a bad thing, now people are literally advocating for pulling out the welding torches. How odd.

The Internet of criminal things

Posted Sep 26, 2015 21:43 UTC (Sat) by mathstuf (subscriber, #69389) [Link]

People always did complain that those car analogies weren't that useful. I guess now we're seeing why.

It's interesting; I've been thinking about converting my old Jeep to be electric and writing my own control software. Though, I'll be locking it down so only I can update the firmware, so I guess that's OK? ;)

The Internet of criminal things

Posted Sep 26, 2015 18:19 UTC (Sat) by raven667 (subscriber, #5198) [Link] (1 responses)

As was already pointed out in another sub-thread, the ability to modify and the certification for use of public infrastructure are two different things that should be kept separate from a regulatory perspective. Right now the concept already exists of modification that make a car no longer street-legal, why should software be treated any differently than hardware, when the ultimate effect is the same? Also, if I do modify software and it doesn't cause any problems, is there really enough reason for the state to spend resources mandating draconian security systems to prevent modification by the owner. The public interest in my car ends with safety on the public roads and pollution of the public air, beyond that what I do is my business, especially on private property.

I'm strongly for security and systems defending themselves from unauthorized remote modification, but the owner should always technically authorized to modify, even to the point of dropping warranty support or regulatory compliance.

The Internet of criminal things

Posted Sep 26, 2015 19:46 UTC (Sat) by marcH (subscriber, #57642) [Link]

> why should software be treated any differently than hardware, when the ultimate effect is the same?

It probably shouldn't at a high, conceptual level, however software's completely different nature on so many levels calls for different solutions. As just one example: the VW cheat would never have lasted that long without software. In fact it probably would not even have been deployed in the first place.

See other sub threads for more.

The Internet of criminal things

Posted Sep 27, 2015 1:49 UTC (Sun) by dlang (guest, #313) [Link] (8 responses)

since we are talking about cars, I want to point out that you can build a car completely from scratch and drive the result on the public roads, even in california,

Yes, there are aspects of the result that get measured to see if they are in complance, but far fewer than you are thinking. Outside of California the emissions requirements are significantly easier to comply with.

When you modify vehicles, you run into more restrictions than if you build from scratch for recent vehicles, but if you work on slightly older vehicles you pretty quickly get into 'anything goes' territory where the restrictions are more things like height of bumpers and lights than anything related to the engine or emissions.

The Internet of criminal things

Posted Sep 27, 2015 2:24 UTC (Sun) by pizza (subscriber, #46) [Link] (3 responses)

> When you modify vehicles, you run into more restrictions than if you build from scratch for recent vehicles, but if you work on slightly older vehicles you pretty quickly get into 'anything goes' territory where the restrictions are more things like height of bumpers and lights than anything related to the engine or emissions.

Generally speaking a modified car has to meet all applicable regulations in effect at the time the car was manufactured. There are some exceptions (eg seatbelts required for all occupants) but you can get away with a lot more with an older car as a result. (In general though, vehicles spewing smoke and other noxiousness are due more to poor maintenance than modifications..)

If you build your own, there are all sorts of exceptions to the regs that auto manufacturers have to comply with, but the exact details vary wildly depending on your location.

The Internet of criminal things

Posted Sep 29, 2015 20:37 UTC (Tue) by mathstuf (subscriber, #69389) [Link] (2 responses)

My parents have a 1929 Chrysler at home. I don't think it needs seatbelts by law. Similar thing with Wranglers and older Jeeps: the doors were optional and therefore can't be required by law to be on when on the road (IIRC, there are some states which restrict such things).

The Internet of criminal things

Posted Sep 29, 2015 22:07 UTC (Tue) by pizza (subscriber, #46) [Link] (1 responses)

Here in Florida, if the driver, front passenger(s) or any children in the vehicle are not belted in, the driver will get a ticket. There are only three exceptions granted -- medical necessity, newspaper delivery, and garbage pickup.

Doors are another matter; it really depends on the state and locale, and the type of road you're on -- they're often required for interstates and other limited-access highways, but perfectly okay on local roads, as long as the vehicle still has proper mirrors.

The Internet of criminal things

Posted Oct 1, 2015 11:27 UTC (Thu) by Wol (subscriber, #4433) [Link]

In the UK, I think for the most part the car has to be "road legal as of regs when it was made". As for seatbelts, they must be worn if fitted (and I believe rules recently changed to say that children cannot be carried in vehicles without seatbelts). But seeing as REAR seatbelts were required by law to be an option as far back as the 1960s, it's a very old car that cannot be retrofitted with manufacturer-approved original design seatbelts.

The main purpose of the MOT (the mandatory annual road-worthiness test) is mostly to make sure that the car is up to those original specs - checking that the brakes are functional, the engine is running efficiently, the structure isn't rusty, etc etc.

Cheers,
Wol

The great smog attack of 1943

Posted Sep 27, 2015 3:58 UTC (Sun) by pr1268 (guest, #24648) [Link] (3 responses)

Interesting... I would suspect it's a regulatory and compliance nightmare to get a homebuilt car certified, not just in Calif. but anywhere in the USA.

As I understand it, the ultra-strict emissions regulations on vehicles in Calif. have their genesis in what people thought was a noxious gas attack (presumably from the Japanese) in WWII. Turned out to be exhaust-created smog. Ain't nothin' like a little wartime terror to tighten regulations a bit... ;-)

Also, correct me if I'm wrong, but doesn't someone moving to Calif. (from elsewhere in the USA) have to get their car modified/retrofitted for Calif. emissions? And, curious, what about older cars? (In many states, Vehicles older than 1968 model year need not be tested, because that's when initial exhaust standards were implemented, IIRC.)

The great smog attack of 1943

Posted Sep 27, 2015 5:33 UTC (Sun) by raven667 (subscriber, #5198) [Link] (2 responses)

> Also, correct me if I'm wrong, but doesn't someone moving to Calif. (from elsewhere in the USA) have to get their car modified/retrofitted for Calif. emissions

In practice all cars made for sale in the US are designed to meet California emissions standards as that is more cost effective than designing separate models for the California market.

The great smog attack of 1943

Posted Sep 27, 2015 5:56 UTC (Sun) by dlang (guest, #313) [Link] (1 responses)

unless this has changed in the last couple of years, it is not the case. when you look at cars and aftermarket equipment, you will find some that are 50 state legal, but the majority of things are not (I don't remember if it's 49 or 48 state legal that covers the rest of the country except for where California regulations are in effect)

The basic design in the same, but there are a handful of expensive add-ons, not all of them technical components (warranties by the manufactueres for the first X years after sale for example)

The great smog attack of 1943

Posted Sep 27, 2015 6:13 UTC (Sun) by sfeam (subscriber, #2841) [Link]

Your summary is out of date. There are currently 12+ states that have adopted the CA standards, and the entire US is doing so next year. Hence the broohaha with VW not being able to meet the 2016 standards. Wikepedia US emission standards

The Internet of criminal things

Posted Oct 2, 2015 9:08 UTC (Fri) by oldtomas (guest, #72579) [Link] (6 responses)

> As driving a tinkered car on a public road may harm others [...]

This is one of the often-cited "limitations" or "problems" with GPLV3.

It is a red herring, IMHO. In a state of right (I'm assuming that here) infraction is the user's responsibility. The manufacturer should make it possible for you to comply with the law; it's not his job to *force* you to (although in the more technical realm we're seeing things slide in this direction, alas).

That's why your standard kitchen knife doesn't come with an "anti-murder device" and why you can install extra "firmware" in your brains (e.g. alcohol) and then drive. It's expected from you to know you're supposed to not do it, and perhaps, when you get caught doing it nevertheless, you have to face some consequences. We might agree on changing that, but until then this often-quoted argument is, and will stay a red herring.

The Internet of criminal things

Posted Oct 2, 2015 11:22 UTC (Fri) by tao (subscriber, #17563) [Link] (5 responses)

I think I can safely say that most people, even the ones who would be able to install alternative firmware in their car, won't know how to write software for it. They'll be downloading software from someone else. Considering how careful (i.e. not at all) the mainstream are about where and what they download, I suspect that the risk is rather high that people will download malware.

I would certainly love to have access to the firmware of all devices I own. To be able to fix the small things that annoy me in my camera, TV, gaming console, etc. I'm sure I'd love to have the firmware to my car too. And I would perhaps even dare to try to hack it. But I sure as hell wouldn't trust random hacks downloaded from the net.

The amount of people who install stuff like "Make your computer 10% faster!" software is rather worrying. Imagine the amount of people willing to install "Make your car consume 10% less petrol!". Now, further imagine having such cars driving on the same road you're driving on.

A knife is sharp -- most people know that. Alcohol is a drug -- most people know that. Firmware for your car *might* be malware -- hardly anyone will know that, nor will they believe warnings; if people did believe warnings about malware there'd be far less viruses, trojans, botnets, scammers, etc.

So, allowing the users access to all source code for all devices they own -- absolutely.
Allowing them to freely install it? I'm not so sure in all cases -- in some cases it should require recertification, in other cases void warranties (in most cases both) and insurances.

I suspect that the "ohhhh, upgrading my BMW to a firmware I got online that says that it gives 10% higher top speed" crowd would be fairly small if it voided their insurance (well, perhaps except for the traffic insurance, which is to pay for the damage you *cause*).

The Internet of criminal things

Posted Oct 2, 2015 13:54 UTC (Fri) by raven667 (subscriber, #5198) [Link] (3 responses)

I think you are probably wrong here in your estimate of how widespread car owners messing up their ECU is and will be, and we can use currently existing reality to make that estimate. You already drive on a road where people "chip" their cars with dodgy ECU software for decades now, the small number of people who are really interested in modifying their cars in this way already do so, leaving the firmware open to the owner isn't introducing any new risks. I don't see any new factor that is going to substantially change peoples feelings about messing up their cars, a small number of "tuners" will do so while the vast majority will be unwilling to take the risk, people take their cars more seriously than their computers, I don't think you can broadly generalize the likelihood of downloading malware from computer malware to cars the way you seem to be doing.

The Internet of criminal things

Posted Oct 2, 2015 16:10 UTC (Fri) by BlueLightning (subscriber, #38978) [Link]

I think the ultimate counter-argument to this is that you can already trivially put whatever liquid you like into your fuel tank (or even worse, the oil filler on top of the engine or indeed the brake or steering fluid reservoir), and somehow most of us still manage not to pour things in there that put our cars or indeed our lives at risk, and nobody is clamouring for padlocks or security caps to be fitted. (Yes, I'm aware that some cars have internalised or removed some of these filler caps, I don't think I would buy such a vehicle.)

Sure, that's not nearly as complicated or perhaps as subtle as modifying code in the ECU - but that's part of the point - it's trivially easy to do the wrong thing here and yet most people don't even have the inclination to try something they shouldn't.

The Internet of criminal things

Posted Oct 4, 2015 7:16 UTC (Sun) by marcH (subscriber, #57642) [Link] (1 responses)

> leaving the firmware open to the owner isn't introducing any new risks.

... while trying to close it could reduce risks. Worst case it will make little difference.

> a small number of "tuners" will do so while the vast majority will be unwilling to take the risk, people take their cars more seriously than their computers,

As a member of this vast majority I very much welcome an easy, convenient, "secure boot like" way to easily prove any random officer that I did not "jailbreak/root" my car and have no responsibility whatsoever in its abnormal level of emission/risk/etc. and that it was all Volkswagen's fault.

Since car manufacturers ironically wish the same thing, it will happen more and more. Get over it.

And once again: absolutely nothing here incompatible with open-source and transparency.

The Internet of criminal things

Posted Oct 5, 2015 1:35 UTC (Mon) by raven667 (subscriber, #5198) [Link]

> Since car manufacturers ironically wish the same thing, it will happen more and more. Get over it.

This seems incredibly short sighted to me, if you don't bake ownership control in at the beginning, like was done with Secure Boot, you will end up where the manufacturers have always wanted, where it is only possible to get service of any kind at an authorized shop where that manufacturer can take a cut of the revenue (maybe all of the profit).

> As a member of this vast majority I very much welcome an easy, convenient, "secure boot like" way to easily prove any random officer that I did not "jailbreak/root" my car and have no responsibility whatsoever in its abnormal level of emission/risk/etc. and that it was all Volkswagen's fault.

That is a massive red herring and completely confused, in no way to you have to take extreme technical measures to lock the owner out of modifying their own car for the courts to be able to figure out where liability lies when something goes wrong. There are hundreds, maybe thousands of years of precedent on how liability works when a person purchases a good made by someone else, this is not fundamentally different just because computers are involved.

The Internet of criminal things

Posted Oct 3, 2015 8:25 UTC (Sat) by oldtomas (guest, #72579) [Link]

> The amount of people who install stuff like "Make your computer 10% faster!" [...]

At first blush, yes. But if law states that it's illegal to drive a car with a non-certified software on public roads, you better not get caught (and there are means to check that -- a strong cryptographic hash...).

And as BlueLightning stated, it'd be trivial to put one, two squirts of nitromethane (DISCLAIMER: I don't really know how that'd work out in practice [1] ;-) into your diesel tank, and still pretty few people do that. Why?

[1] Besides, correctly spelling "nitromethane" might get you in hot water after 9/11

The Internet of criminal things

Posted Sep 24, 2015 15:24 UTC (Thu) by raven667 (subscriber, #5198) [Link] (1 responses)

> The problem with opening the firmware of the car is that security must be maintained.

No it doesn't, not from the owner of the car. It is not the job of the engine firmware designer to police the engine owner from doing bad things, if they want to "tune" their engine there shouldn't be a technical measure preventing it, if they then get in trouble for violating emissions and making other citizens sick with smog or whatever then it's the owners responsibility to answer for their actions, not the manufacturers.

> So demanding that this whole system is opened up *will*backfire and actually be far worse for the environment.

That's why many places do emissions testing, to try and catch this kind of shenanigans. Even without that, or with active attempts to fool the test, it's not necessarily a failure if there are a small number of scofflaws, no rule is ever 100% followed or enforced, as long as the total loss due to illegal behavior is less than some damaging threshold.

Trying to *prevent* 100% of "bad" behavior in people is actually its own kind of disease, like an auto-immune disorder, that tends to destroy the good parts of a civilized system and is usually worse than the bad behavior in the first place.

The Internet of criminal things

Posted Sep 24, 2015 21:04 UTC (Thu) by dlang (guest, #313) [Link]

Closed source/DRM doesn't prevent people from changing things anyway.

For decades car performance folks have been able to override what the manufacturers program the cars to do. In some cases they do so by unplugging the computer and plugging in a wiring harness that has it's own computer that reads all the inputs from the car and then changes them before they are sent to the 'official' computer. no modifications to the official computer or it's software required, and they can override thigns to make the car perform significantly differently.

It's even possible to get completely open replacements for some engines.

So the stance that the security of the cars computer must be maintained is just wrong.

The Internet of criminal things

Posted Sep 25, 2015 3:36 UTC (Fri) by liam (guest, #84133) [Link]

I'm going to make a wild, some might say foolish, guess: the number of people who want to "tune" their car (presumably for better acceleration) is a nearly vanishingly small percentage of the total car population.
This seems a case where opening one hole while closing another (so to speak:) seems a wise move.

Topically, this month's CACM has an article on detecting hidden hardware-based attacks

Posted Sep 24, 2015 11:46 UTC (Thu) by davecb (subscriber, #1574) [Link] (2 responses)

http://cacm.acm.org/magazines/2015/9/191186-trustworthy-h...

Topically, this month's CACM has an article on detecting hidden hardware-based attacks

Posted Sep 25, 2015 6:48 UTC (Fri) by mjthayer (guest, #39183) [Link] (1 responses)

That looked interesting, but unfortunately non-members can only see the start of it. Would you care to provide a quick summary? I'm sure I would not be the only person grateful to you.

Topically, this month's CACM has an article on detecting hidden hardware-based attacks

Posted Sep 25, 2015 11:37 UTC (Fri) by davecb (subscriber, #1574) [Link]

The magazine's at home, but it surveys a small set of mechanisms that can make it hard to hide rarely-used evil circuitry, in part by finding stuff that's only used under rare and weird circumstances. That a waste of silicon in any case, so it's an attractive idea.

The Internet of criminal things

Posted Sep 24, 2015 14:43 UTC (Thu) by ttonino (guest, #4073) [Link] (1 responses)

The term "defeat device" is used in the EPA complaint letter, which is why it is used by the press.

The term originates when pollution controls (called "smog controls" at the time) were all hardware - as in screws, pumps and levers - based. The term might even be in the law.

software as a device

Posted Sep 26, 2015 19:43 UTC (Sat) by giraffedata (guest, #1954) [Link]

The term "defeat device" is used in the EPA complaint letter, which is why it is used by the press.
The term originates when pollution controls (called "smog controls" at the time) were all hardware - as in screws, pumps and levers - based. The term might even be in the law.

I'm sure it is in the law. The law refers to function provided by software as a "device" all the time, even in modern times. It's not actually the code that is a device - it is a logical part of some physical object (in this case the engine control computer). (If a book can have a plot device, I have no problem with an ECC containing an emissions control defeat device).

This is the way things that are implemented in software are patentable even though software itself is not subject to patent - the patent refers to a device, not a piece of code.

Internet of criminal things

Posted Sep 24, 2015 17:01 UTC (Thu) by pr1268 (guest, #24648) [Link] (22 responses)

Allow me to play "devil's advocate" for just a moment:

Is there anyone out there who thinks the EPA emissions requirements are too draconian? VW certainly did—why else would they go to such lengths to circumvent emissions requirements like this?

Surely business schools still teach the likes of cost vs. benefit and risk/reward analysis, right? Is it safe to assume VW estimated a substantial benefit (profit) for faking emissions while assuming near-zero cost for implementation and risk of being caught? Enough benefit to defray even the imagined cost of being caught?

I see the software part of this as merely a smaller component of a much larger issue. This is not meant to impugn our editor's work here—I do agree we'll likely see more occurrences of this, especially in the DRM arena.

Finally, lest I get accused of being an EPA-basher, let me make it clear that I do support their efforts to clean up the environment. And I think what VW did was reprehensible.

Internet of criminal things

Posted Sep 24, 2015 19:43 UTC (Thu) by seyman (subscriber, #1172) [Link]

> Is there anyone out there who thinks the EPA emissions requirements are too draconian?

I seriously doubt that. I suspect most people who have an opinion on the subject would like to see the requirements even more restrictive.

> VW certainly did—why else would they go to such lengths to circumvent emissions requirements like this?

Bragging rights? To skimp on costs?

If VW really thought they knew more about environmental protection than the EPA does, they should have been upfront about it. As things stand, this stunt may not kill Volkswagen but it will hurt it badly.

Internet of criminal things

Posted Sep 24, 2015 20:14 UTC (Thu) by kleptog (subscriber, #1183) [Link]

> Is there anyone out there who thinks the EPA emissions requirements are too draconian? VW certainly did—why else would they go to such lengths to circumvent emissions requirements like this?

There's a relationship between engine power and NOx emissions. If you can get around emissions requirements you could offer a more powerful engine while advertising you're "clean". So there's an incentive to fake if you can, it makes your car more attractive. VW ads were even proud about how their magic engine was so powerful while being clean.

They're only draconian if they're unachievable, and they're not that. What we need is better testing.

Internet of criminal things

Posted Sep 24, 2015 21:15 UTC (Thu) by dlang (guest, #313) [Link] (19 responses)

personally I don't think we know for sure what VW did. The execs agreed to cooperate with the investigation this last weekend, which means that there still needs to be an investigation.

The EPA has been under fire for the last month due to the massive pollution that they caused, and so have been looking for something to distract the press, the late friday release of this announcement is suspicious.

I don't think we have the full story on this.

If they made the car perform differently when it's on a dyno, it would affect the EPA smog tests, but it would also affect the performance numbers that result.

If they made the car optimize things under constant throttle, that is a valid thing to do, even on the open road.

There are a lot of accusations going around, with very little actual data.

If they programmed it to detect the specific profile of actions for the test, this would fail in a few years when the cars are being re-tested (and have to still pass emissions) because the test profile changes over time. If they were to end up with lots of their cars unable to pass the California Smog tests because the test changed slightly and no longer triggered their 'low emissions' mode, they would end up being faced with either a massive recall or class-action lawsuit from the vehicle owners.

This isn't a new engine that's just been introduced either, this is a model they've been selling and improving for several years, so they've seen these tests change over time.

So I really doubt that it's as simple a situation as it's being made out to be.

Internet of criminal things

Posted Sep 24, 2015 21:36 UTC (Thu) by jzbiciak (guest, #5246) [Link] (7 responses)

Here's the infographic I saw that laid out which parameters the "defeat device" used to detect it was in testing mode. I don't know the source for this level of detail, so salt to taste.

For those who don't care to click on the link, it looked at four factors: Position of steering, speed, duration of engine operation, and barometric pressure.

That doesn't sound like how you typically optimize for constant throttle. The more common optimization is "closed loop operation," when the ECU tries to maximize fuel efficiency by straddling the narrow-band O2 sensor's threshold line.

Internet of criminal things

Posted Sep 24, 2015 21:49 UTC (Thu) by dlang (guest, #313) [Link] (6 responses)

the thing is that dyno results are also how they measure the power of the engine, so if the only difference between a 'power test' and an 'emissions test' is the throttle setting and how long it's at that setting, this seems very fragile and easy to 'defeat'. Just change the testing process to include some time at full throttle, and/or more variations on the throttle/load during the test.

Which would actually make the test far more representative of the real world.

If it really is as trivial a set of tests as this shows (again, unknown source, unknown reliability), just wiggling the steering wheel during a test would result in drastic power and emissions changes, with no throttle changes at all.

I know that the initial findings of this were based on doing emissions testing on the road, not on a dyno, resulting in drastically different emissions. But from that it's not necessarily even anything wrong with the car, but rather something wrong with the test (the purpose of the test is to try and simulate real-world driving)

It also wouldn't be the first time that the EPA test was found to be so horrifically different from real driving that it needed to be changed. As I've said before (Elsewhere at least), the early Hybrid cars resulted in insanely good test results because the profile let them run on battery most of the time.

It may just be time for the EPA to make a drastic (not just incrimental) change to their test process.

Very little real-world driving involves constant throttle settings over any significant distance, with modern computer controlled Dynos, they should be able to do tests where they vary the throttle, vary the load, vary the speed, etc.

Even the systems in Smog Test stations around the country allow for many different test profiles.

Internet of criminal things

Posted Sep 24, 2015 22:25 UTC (Thu) by dlang (guest, #313) [Link] (5 responses)

By the way, in another forum it was pointed out that there is a _really_ good reason for the car to detect that it's on a Dyno

if you have one set of wheels stationary and the other set moving, that's going to trigger your traction problem detection and attempt to slow the spinning wheels.

Apparently this is even more interesting on the very high-end cars, and so to test those cars you have to do some specific things to disable the traction control. For VW to detect a dyno mode to disable things like this is a user-friendly and mechanic-friendly thing to do.

Since you don't have the same airflow and cooling on the dyno (for things like your tranmission, differentials, etc) there's also legitimate reasons to be more cautions about thinks that can generate heat in those areas.

Again, we really need to see the results of the investigation.

Internet of criminal things

Posted Sep 24, 2015 22:54 UTC (Thu) by jzbiciak (guest, #5246) [Link] (4 responses)

I don't think it's specifically dyno vs. not-dyno that's at play here. Given the number of people who like to tune their cars, soup them up, etc., you'd think someone would notice messed up power curves in a dyno test.

My guess (and yes, it's just pure speculation) is that the code actually looked very narrowly for the test profile, and that the EPA test profile used for certification is fairly fixed. You're right, though: We really do need to see the results of the investigation. I'm quite curious what exactly they did. Knowing how these things go, we may not know the specifics for years, though.

Internet of criminal things

Posted Sep 24, 2015 23:23 UTC (Thu) by dlang (guest, #313) [Link] (3 responses)

> My guess (and yes, it's just pure speculation) is that the code actually looked very narrowly for the test profile, and that the EPA test profile used for certification is fairly fixed.

The EPA test profile is very fixed, but the profile used at Smog Check stations in California (where the strictest emissions requirements are), both varies over time and is subject to a lot more variation than the "official EPA" test, both from the impossibility of keeping so many thousands of stations _exactly_ in tune, and the fact that they all run their tests on ambient air, rather than 'Standard Temp and Pressure' the way the official EPA test does. The fact that the cars going through the periodic testing are going to have wildly different internal drag (tire pressure, how fresh the lubricants throughout the vehicle are), is going to make it so that the throttle setting needed to run the car at a specific speed for the test is going to vary a fair bit.

This is why I'm a bit sceptical that this is deliberate cheating. The fact that California can and does change it's test profile FAR more frequently than the EPA does makes detecting specific driving profiles much harder.

If (as reported) not triggering the 'EPA test mode" made the NOX levels exceed the testing limits by 40x, just can't see how these cars have been triggering 'test mode' reliably enough to not be an epidemic of failures in the California Smog Test stations.

I'm not saying it's impossible, but some things are far more likely than others, and I know enough of the field (having been Smog Certified in California as well as a car performance guy, and then Information Security as my day job) that some things are far more likely than others, and these claims are odd enough for me to question them. Or at least question that we have valid info yet.

Internet of criminal things

Posted Sep 24, 2015 23:34 UTC (Thu) by jzbiciak (guest, #5246) [Link]

Gotcha. I guess I'm just going to have to stay tuned.

Internet of criminal things

Posted Sep 25, 2015 13:40 UTC (Fri) by mstone_ (subscriber, #66309) [Link] (1 responses)

You may have CA smog test experience, but apparantly not CA diesel smog test experience: CA does not test diesels on a dyno. The diesel smog test consists of looking for smoke, looking to see if the emissions components are connected, and seeing if the ODB II says the car is compliant. The entire structure is based on the premise that the initial EPA testing has certified that the car is compliant and that the report from the ODB is valid. (This is true in my experience on the east coast as well--with a diesel you basically pay for an emissions tech to make sure the check engine light isn't on.)

The allegation is that VW cheated on the initial EPA test, so that all of the subsequent reporting (including everything done by CA) is invalid.

http://www.smogcheck.ca.gov/pdf/DieselFlyer_final.3.pdf

Internet of criminal things

Posted Sep 25, 2015 17:05 UTC (Fri) by dlang (guest, #313) [Link]

When I was licensed for Smog, Diesels didn't need any Smog testing. That changed in the late '90s (this flyer talks about 2010, but there were requirements before that)

When I was first certified, the Dyno was not used for any vehicles, it got added much more recently.

If there has not been an update to the check requirements for Diesels to have them use the same Dyno profiles and emissions sniffing process as Gas vehicles do, it's only a matter of time until there is (and after this mess, I would expect that it will be a fairly short time)

Internet of criminal things

Posted Sep 25, 2015 7:43 UTC (Fri) by pr1268 (guest, #24648) [Link] (10 responses)

personally I don't think we know for sure what VW did. The execs agreed to cooperate with the investigation this last weekend, which means that there still needs to be an investigation.

Sure we do. VW intentionally cheated the emissions tests with a so-called "defeat device". This investigation has been going on for almost two years (according to our editor's PDF link). The $**t hit the fan only a few days ago when VW came clean (no pun intended) and admitted their scheme.

In fact, this article from last Friday (Sept. 18) said that 500,000 vehicles were affected. But, VW then later admitted 11 million cars worldwide were rigged. Sounds pretty cut-and-dry, IMO.

The EPA has been under fire for the last month due to the massive pollution that they caused, and so have been looking for something to distract the press, the late friday release of this announcement is suspicious.

I'm sure the EPA is relieved at how the VW scandal has deflected attention away from the polluted Animas River, but from what I can tell, the VW scandal had been brewing for quite some time prior to the mine leak.

There are a lot of accusations going around, with very little actual data.

No one was accusing anyone of anything, other than the EPA threatening to withhold certification of VW's 2016 model year diesel cars until the emissions could be fixed. Only then did VW make a public admission of guilt to using software to cheat the emissions tests.

Internet of criminal things

Posted Sep 27, 2015 11:36 UTC (Sun) by ballombe (subscriber, #9523) [Link] (9 responses)

> In fact, this article from last Friday (Sept. 18) said that 500,000 vehicles were affected. But, VW then later admitted 11 million cars worldwide were rigged. Sounds pretty cut-and-dry, IMO.

> Only then did VW make a public admission of guilt to using software to cheat the emissions test

This is true, but this is still very awkward: US companies never make public admission of guilt under any circumstance, they settle the case with the government without admitting wrongdoing.
Why is VW doing otherwise, when it is so easy to say it is just a software bug?

Internet of criminal things

Posted Sep 27, 2015 12:33 UTC (Sun) by pr1268 (guest, #24648) [Link] (8 responses)

Why is VW doing otherwise, when it is so easy to say it is just a software bug?

I honestly don't know. I was sort of begging the same question with my previous post(s) here on LWN. I suppose it might be a cultural difference between Germany and the USA. Or a legal one.

A slightly whacky analogy I draw VW's actions to is that of a murder trial: Just as the prosecution is about to prove the defendant guilty, the defendant then proclaims that not only did he commit the murder, but he murdered ten others, and here's where the bodies are buried!

:-\

Internet of criminal things

Posted Sep 27, 2015 22:06 UTC (Sun) by raven667 (subscriber, #5198) [Link] (7 responses)

I figure that they aren't completely down the hold of magical optimistic thinking so instead of believing that they can lie their way out, which won't work now that there is heightened scrutiny such that any other scam they have going on will probably be quickly discovered, they get out ahead of it, admit enough themselves that investigators will stop digging, publicly shame the CEO and try to get them to absorb as much blame as possible as they go, so as to deflect attention away from those that remain.

The cynical person would say that maybe it's like Watergate where the actions taken were to hide a much more serious crime than what the public knew about at the time.

Internet of criminal things

Posted Sep 28, 2015 19:21 UTC (Mon) by bronson (subscriber, #4806) [Link] (6 responses)

VW believed for more than a year that they could lie their way out of it: http://www.nytimes.com/reuters/2015/09/24/business/24reut...

It took a lot of work and fact checking by CARB/EPA/etc to wear them down:

"We discovered some very strange anomalies," Young said. "For instance, the car was running more cleanly when it was cold than when it was warm, which is the opposite of what every other car does — because once you warm a car up that's when it begins to deliver its best pollution controls. This was not the case. So clearly something else was going on. Over time we assembled enough proof and questions that they could no longer provide any reasonable explanation for what was going on."

I think VW just ran out of things they could plausibly lie about.

Also, pure speculation: engine computers are pretty standardized and not too hard to analyze (much easier than a locked-down smartphone anyway!) It wouldn't surprise me if CARB found evidence of a defeat device on their own and quietly confronted VW about it.

Internet of criminal things

Posted Sep 28, 2015 19:45 UTC (Mon) by raven667 (subscriber, #5198) [Link]

> I think VW just ran out of things they could plausibly lie about.

True, but that has not stopped many other companies before from continuing to lie, even to try propaganda and lobbyists to change the law and public opinion to support their untruth, so VW is actually different in this case.

Internet of criminal things

Posted Sep 28, 2015 19:46 UTC (Mon) by dlang (guest, #313) [Link] (4 responses)

it's worth repeating that the "defeat device" they are accused of installing in the cars is an "if" statement in the software.

Internet of criminal things

Posted Sep 28, 2015 19:50 UTC (Mon) by bronson (subscriber, #4806) [Link] (3 responses)

It's more than that. It needs to sense whether it's on a dyno, and there are going to be some alternate mapping tables.

But, yes, we're probably talking about a few tens or hundreds of lines of software. It's the EPA that named it a "defeat device", not me. :)

Why is it worth repeating?

Internet of criminal things

Posted Sep 28, 2015 20:15 UTC (Mon) by dlang (guest, #313) [Link] (2 responses)

because "defeat device" is scare words as it's being used in the media, and getting people into the mindset that software is a "defeat device" makes them think that it's a great idea to ban software modifications to eliminate the possibility that people can install such "defeat devices" in things.

Not just cars, but the FCC is currently accepting comments on proposing requiring that access point manufacturers be required to demonstrate how they will prevent people who buy the devices from installing DD-WRT or OpenWRT on the devices based on the fact that such open software is a "defeat device"

we lost the definition of "hacker", don't let if statements (and similar code) start being talked about as if it was a hardware device installed in something that can just be locked out.

Internet of criminal things

Posted Sep 28, 2015 20:46 UTC (Mon) by bronson (subscriber, #4806) [Link] (1 responses)

I totally agree with where you're coming from.

However, "defeat device" is a term coined in the 70s (if not before) when the government was trying to outlaw physical devices designed to defeat emissions testing. Law (as it does) carried that terminology forward into the era of the engine computer: https://www.law.cornell.edu/cfr/text/40/86.1809-10

So, even if you find it to be scare words, that's not the way it was originally intended. I think it can be forgiven in this case.

Just curious, can you suggest a similarly unambiguous term that can be codified into law? Remember, the term needs to cover both software and hardware.

Internet of criminal things

Posted Sep 28, 2015 21:41 UTC (Mon) by dlang (guest, #313) [Link]

I agree that "defeat device" is the current legal term, and I think it's appropriate for a hardware device, even if it's a computer (say something that you plugin between the ECU and the wiring harness to change the signals)

But I've seen people elsewhere start getting up in arms about the conspiracy because this device has been installed in all these cars for years and nobody has spotted it.

When you point out that it's not a physical device, it's just software in the system, the expectations change. There's still plenty of silly, over-the-top reactions even then.

I don't know a good phrase to try and replace it as a "term of art" in legal matters though :-(

The Internet of criminal things

Posted Oct 5, 2015 12:46 UTC (Mon) by hendry (guest, #50859) [Link]

Very timely article. I'm bothered by these closed source IP cameras that maintain a connection with "the cloud". Yes, it is easier to get hold of your CCTV footage, but at what cost?

http://dabase.com/blog/Foscam_C1/

The Internet of criminal things

Posted Oct 5, 2015 19:08 UTC (Mon) by przemek.klosowski (guest, #100907) [Link] (12 responses)

The 'defeat device' is not ill-defined media contraption---to the contrary, it is very precisely defined by US law, https://www.law.cornell.edu/cfr/text/40/86.1809-10 .

Herein lies a problem, though: IANAL but my understanding is that the manufacturer is deemed to have installed the 'defeat device' if certain set of measurements satisfies the criteria. Those results can happen either because the code has a sinister detectEPAtestAndCheat() procedure written at the request of a pointy-haired boss, or because the algorithm parameters were optimized to death and resulted in such operation. I don't mean to find excuses for the manufacturer---I just hope the investigation will determine the exact sequence of things that lead to the problem, and shine light on how much it was the perfidy of the management versus engineering corner-cutting. I think there's a difference there.

One way of looking at this is: would you judge the situation differently if the algorithm was really a neural network whose learning set consisted of both the EPA test constraints, and a maximum power/torque constraint?

The Internet of criminal things

Posted Oct 5, 2015 19:32 UTC (Mon) by dlang (guest, #313) [Link] (11 responses)

along similar lines, over the weekend news broke that Samsung is being accused of installing a 'defeat device' in their TVs to detect that they are under test and use less power.

Samsung is responding that the test patterns are static, and trigger power savings optimizations that are part of normal operation.

so "defeat device" in software depends a lot on the parameters that trigger it and the intent of the programmers.

In the case of VW, is the different fueling used because the throttle is constant and so it can satisfy the power requirements more efficiently? (a valid optimization, even on the open road) or because it detects something that's actually specific to the test?

The Internet of criminal things

Posted Oct 5, 2015 19:45 UTC (Mon) by bronson (subscriber, #4806) [Link] (2 responses)

> In the case of VW, is the different fueling used because the throttle is constant and so it can satisfy the power requirements more efficiently? (a valid optimization, even on the open road) or because it detects something that's actually specific to the test?

It actually detected the test: "The 'switch' senses whether the vehicle is being tested or not based on various inputs including the position of the steering wheel, vehicle speed, the duration of the engine's operation, and barometric pressure. These inputs precisely track the parameters of the federal test procedure..."

http://www3.epa.gov/otaq/cert/documents/vw-nov-caa-09-18-...

The Internet of criminal things

Posted Oct 5, 2015 21:53 UTC (Mon) by dlang (guest, #313) [Link] (1 responses)

note that you are pointing at the accusation document, not the result of any investigation that actually see the code

If there is (as is alleged) a "dyno mode" vs a "road mode", the dyno mode would also kick in when doing other dyno tests (performance and economy come to mind)

unless the dyno mode is _very_ specific to the exact details of the EPA test, which seems incredibly unlikely (the test changes over time)

They have a number of fuel maps in the ECU that are used under different conditions, the accusation lumps them all together into 'road mode', but it's very possible that there is very little difference between some of the 'road mode' maps and the 'dyno mode' map. it all depends on exactly what the conditions are for switching.

The EPA thinks they have evidence that it's malicious, and at this point I don't think we will ever find out the real details. The new VW management wants to get this behind them and survive. Proving that this wasn't necessarily malicious would by a Pyrrhic victory at this point.

The Internet of criminal things

Posted Oct 5, 2015 23:46 UTC (Mon) by bronson (subscriber, #4806) [Link]

The Notice of Violation is all we have right now. The investigation, as you know, could take years.

You can choose to consider the EPA incompetent or liars if you want. That seems a strange stance to take because even VW publicly stated in a conference call on Sept 3 that the Notice of Violation is basically correct.

And, even if you don't want to take the EPA and VW's word for it, why would VW's fuel maps look so radically different depending on steering input? There's simply no physics-based explanation for why their engine computer would demonstrate such strange behavior.

I'm also looking forward to reading the report. I expect it will describe a series of small and expedient decisions that resulted in this ECU mode. An evil boss telling his engineers, "write me a defeat device from scratch" seems implausible and difficult to keep under wraps. :)

The Internet of criminal things

Posted Oct 5, 2015 19:48 UTC (Mon) by bronson (subscriber, #4806) [Link] (5 responses)

> a valid optimization, even on the open road

No, if it increases NOx output 40X above the limit, it is obviously not a valid optimization. Did you mean something else?

The Internet of criminal things

Posted Oct 5, 2015 21:43 UTC (Mon) by dlang (guest, #313) [Link] (4 responses)

cars put out a lot more pollution on the open road driving at real speeds, climbing real hills than they do in the EPA simulated test.

They are going faster, carrying more weight, almost always driven with a heavier foot on the skinny-pedel, etc.

Go read up on what the test actually consists of and you will be horrified at how little resemblance it has to real-world driving.

The Internet of criminal things

Posted Oct 5, 2015 23:21 UTC (Mon) by bronson (subscriber, #4806) [Link] (3 responses)

Where did I say the test resembled real-world driving? And, what does it matter? My statement: if the VW is putting out 20-40X more NOx than it should over a particular driving profile, then that is simply not a valid optimization to make.

At first i thought your reply was saying: since real world driving doesn't match the test very closely, we should just chuck the test out the window and give up. But that's both defeatist and not in reply to anything I said... so I'm guessing I'm misinterpreting?

The Internet of criminal things

Posted Oct 5, 2015 23:24 UTC (Mon) by dlang (guest, #313) [Link] (2 responses)

I think we disagree that it's the same driving profile

The Internet of criminal things

Posted Oct 5, 2015 23:51 UTC (Mon) by bronson (subscriber, #4806) [Link] (1 responses)

I only know of one driving profile that we're talking about: the one the EPA tested and VW optimized. I'm not aware of any others that matter for this discussion...?

The Internet of criminal things

Posted Oct 6, 2015 20:46 UTC (Tue) by dlang (guest, #313) [Link]

the accusation by the EPA is that there are multiple profiles in the ECU and that the car detects that it's being tested by the EPA and switches to one that pollutes less than the ones that are used for normal driving.

The EPA test profile is very strict and not something that will exactly match any on-the-road test. It was people doing on-the-road emissions tests and looking at differences that raised the concerns and started the investigation.

how close the EPA dyno test is to the on-the-road test that showed issues is part of what ends up confusing the issue (see the samsung TV power consumption issue), it all depends on what the exact triggers are to change the fuel profiles are and what the justification and logic for them are.

The Internet of criminal things

Posted Oct 7, 2015 20:49 UTC (Wed) by mathstuf (subscriber, #69389) [Link] (1 responses)

> In the case of VW, is the different fueling used because the throttle is constant and so it can satisfy the power requirements more efficiently?

Even if it were, the excess NOx makes the "on-the-road" profile invalid to choose in the US under any circumstances.

The Internet of criminal things

Posted Oct 7, 2015 21:01 UTC (Wed) by dlang (guest, #313) [Link]

> Even if it were, the excess NOx makes the "on-the-road" profile invalid to choose in the US under any circumstances.

That is where you misunderstand the regulations.

The requirements for the amount of NOx produced are under specific conditions. Under other conditions (full load climbing a hill), the vehicle is not expected to work the same way it does under light load.

This is what I was referring to when I talked about how unrealistic the tests are compared to real-world driving earlier.

The Internet of criminal things

Posted Oct 19, 2015 2:15 UTC (Mon) by apollock (guest, #14629) [Link]

It'd be interesting to see Tesla take the lead in this space and open up their software, since it's very obvious that they're actively updating it in their cars (that said, I have no idea what happens to my car's software when it gets serviced at the dealership)