The Internet of criminal things
Posted Sep 25, 2015 8:48 UTC (Fri) by ibukanov (subscriber, #3942)
In reply to: The Internet of criminal things by marcH
Parent article: The Internet of criminal things
Posted Sep 25, 2015 9:37 UTC (Fri)
by dlang (guest, #313)
[Link]
Cars started out built by tinkerers and the "build your own car from scratch/scrap" has never completely vanished, let alone modifying existing vehicles.
Think about how locked down the game consoles are and how people create 'mod chips' that you press into contact with solder pads on the board to override functionality. The same sort of thing has been available for car computers from the earliest days.
OBD-II has actually greatly eased the car tinkerer's work because a lot of parameters can be accessed directly through a standard interface (which costs <$10 and works with cheap/free software on your smartphone/laptop).
Getting access to the source would just mean that the people doing the tinkering wouldn't be working blind and the result would be safer for everyone.
Posted Sep 25, 2015 17:18 UTC (Fri)
by raven667 (subscriber, #5198)
[Link]
Posted Sep 26, 2015 13:51 UTC (Sat)
by zack (subscriber, #7062)
[Link] (20 responses)
GPLv3 vs "safety" restrictions is a false dichotomy, fueled a lot by anti-FOSS agendas within the automotive sector.
You can have both a license (e.g., GPLv3) that mandates the ability to install modified versions of some software, and regulations that say that a car with a modified, non "certified" software cannot be used to drive on public roads. That is pretty much the situation for hardware modification to cars (you can make some, but others, e.g. to boost car performance, will put your car out of compliance with regulations that are required to actually use the car on public roads). Why should software modifications be any different?
We should really insist on this similarity, because doing so removes the car manufacturer arguments that they cannot adopt GPLv3 software due to potential liabilities problems.
Posted Sep 26, 2015 15:03 UTC (Sat)
by marcH (subscriber, #57642)
[Link] (1 responses)
Because software possibilities are infinite, because it's invisible, because massive replication (and copyright infringement when applicable) comes for "free", and probably others I can't think of right now.
I can hardly believe a free software advocate is wondering about differences between hardware and software... Is there a GPL for hardware somewhere?
Posted Sep 26, 2015 15:34 UTC (Sat)
by zack (subscriber, #7062)
[Link]
That's a straw-man, right? :-) I'm (obviously, I thought) arguing there is no significant difference in this specific context that would warrant a difference in regulatory treatment.
Cheers.
Posted Sep 26, 2015 15:35 UTC (Sat)
by marcH (subscriber, #57642)
[Link] (1 responses)
The GPLv2 is a pure software licence. The GPLv3 is a software+hardware licence. No surprise it's ruffling many more feathers.
As a citizen, I totally agree with the article's position that some systems should be absolutely required by law to be open-source so they become as visible and auditable as hardware is. With a serious and prolonged education effort, I think the rationale for safety and transparency can be understood and rallied to by voters - even the non-technical ones. This VW scandal is a good opportunity to push this agenda.
But if you want to lose it all, ask too much and never back down. I believe that extending this important battle, adding to it a GPLv3-like requirement to run your own modifications, *would* make it much less understandable by the public, dilute it, and like you wrote be met with fierce opposition from some industries. If some car or voting machines want to use the GPLv3 then great, just don't require it by law.
IMHO the difference of opinion and fragmentation between GPLv2 and GPLv3 is doing more harm to FOSS than most anti-FOSS advocates.
Posted Sep 26, 2015 15:52 UTC (Sat)
by zack (subscriber, #7062)
[Link]
I agree with you that the message about modifiability would be much more difficult to hold in public debates around car-related software transparency issues.
FWIW, I personally wasn't thinking of mandatory regulation that imposes GPLv3-like clauses. I would be very happy with "only" mandating any free software license (which, as the article concludes, is probably nowhere near our current reach). But I did chime in on the specific issue of GPLv3 vs car-manufacturers-liability, because I maintain it's an entirely false dichotomy.
> IMHO the difference of opinion and fragmentation between GPLv2 and GPLv3 is doing more harm to FOSS than most anti-FOSS advocates.
That seems largely OT in this discussion, so I pass :)
Posted Sep 26, 2015 17:19 UTC (Sat)
by ibukanov (subscriber, #3942)
[Link] (6 responses)
Hardware tinkering is localized and hardware bugs are easy to spot after some reasonable amount of testing that can be done by a person. With modern complex software this is just not the case. A small change that is "an obvious improvement" can easily lead to a disaster that can only be spotted after very thorough testing. So why should a user be able to install any patch and drive on a public road without paying first for such extensive testing?
Posted Sep 26, 2015 17:40 UTC (Sat)
by marcH (subscriber, #57642)
[Link]
... as well as thorough code reviews and every usual (and costly) software QA practice.
Software... "what could possibly go wrong?" https://www.ima.umn.edu/~arnold/disasters/ariane.html
And of course when you wrote "install any patch" I assume you meant "download any patch from any random place without even looking at it and then install it".
Anyway it's good software licences don't conflate these two different issues: transparency and certification, so they can be debated and regulated independently. Oh, wait...
Posted Sep 26, 2015 18:07 UTC (Sat)
by zack (subscriber, #7062)
[Link] (2 responses)
S/he should not; or at least not necessarily. Public regulation on embedded car software can certainly decide that *any* software change (for the reasons you discussed) requires approval before the car is allowed to be on the road again. That would not get in the way of the user's ability to install modified software on his/her car, as required by licenses such as GPLv3. Simply, by doing so, they accept the risk (or the certainty, depending on what the law says) that the car can no longer --- before some official seal of approval --- be used in the streets.
Posted Sep 26, 2015 18:28 UTC (Sat)
by raven667 (subscriber, #5198)
[Link] (1 responses)
Posted Sep 26, 2015 21:43 UTC (Sat)
by mathstuf (subscriber, #69389)
[Link]
It's interesting; I've been thinking about converting my old Jeep to be electric and writing my own control software. Though, I'll be locking it down so only I can update the firmware, so I guess that's OK? ;)
Posted Sep 26, 2015 18:19 UTC (Sat)
by raven667 (subscriber, #5198)
[Link] (1 responses)
I'm strongly for security and systems defending themselves from unauthorized remote modification, but the owner should always be technically authorized to modify, even to the point of dropping warranty support or regulatory compliance.
Posted Sep 26, 2015 19:46 UTC (Sat)
by marcH (subscriber, #57642)
[Link]
It probably shouldn't at a high, conceptual level, however software's completely different nature on so many levels calls for different solutions. As just one example: the VW cheat would never have lasted that long without software. In fact it probably would not even have been deployed in the first place.
See other sub threads for more.
Posted Sep 27, 2015 1:49 UTC (Sun)
by dlang (guest, #313)
[Link] (8 responses)
Yes, there are aspects of the result that get measured to see if they are in compliance, but far fewer than you are thinking. Outside of California the emissions requirements are significantly easier to comply with.
When you modify vehicles, you run into more restrictions than if you build from scratch for recent vehicles, but if you work on slightly older vehicles you pretty quickly get into 'anything goes' territory where the restrictions are more things like height of bumpers and lights than anything related to the engine or emissions.
Posted Sep 27, 2015 2:24 UTC (Sun)
by pizza (subscriber, #46)
[Link] (3 responses)
Generally speaking a modified car has to meet all applicable regulations in effect at the time the car was manufactured. There are some exceptions (eg seatbelts required for all occupants) but you can get away with a lot more with an older car as a result. (In general though, vehicles spewing smoke and other noxiousness are due more to poor maintenance than modifications..)
If you build your own, there are all sorts of exceptions to the regs that auto manufacturers have to comply with, but the exact details vary wildly depending on your location.
Posted Sep 29, 2015 20:37 UTC (Tue)
by mathstuf (subscriber, #69389)
[Link] (2 responses)
Posted Sep 29, 2015 22:07 UTC (Tue)
by pizza (subscriber, #46)
[Link] (1 responses)
Doors are another matter; it really depends on the state and locale, and the type of road you're on -- they're often required for interstates and other limited-access highways, but perfectly okay on local roads, as long as the vehicle still has proper mirrors.
Posted Oct 1, 2015 11:27 UTC (Thu)
by Wol (subscriber, #4433)
[Link]
The main purpose of the MOT (the mandatory annual road-worthiness test) is mostly to make sure that the car is up to those original specs - checking that the brakes are functional, the engine is running efficiently, the structure isn't rusty, etc etc.
Cheers,
Posted Sep 27, 2015 3:58 UTC (Sun)
by pr1268 (guest, #24648)
[Link] (3 responses)
Interesting... I would suspect it's a regulatory and compliance nightmare to get a homebuilt car certified, not just in Calif. but anywhere in the USA. As I understand it, the ultra-strict emissions regulations on vehicles in Calif. have their genesis in what people thought was a noxious gas attack (presumably from the Japanese) in WWII. Turned out to be exhaust-created smog. Ain't nothin' like a little wartime terror to tighten regulations a bit... ;-) Also, correct me if I'm wrong, but doesn't someone moving to Calif. (from elsewhere in the USA) have to get their car modified/retrofitted for Calif. emissions? And, curious, what about older cars? (In many states, vehicles older than 1968 model year need not be tested, because that's when initial exhaust standards were implemented, IIRC.)
Posted Sep 27, 2015 5:33 UTC (Sun)
by raven667 (subscriber, #5198)
[Link] (2 responses)
In practice all cars made for sale in the US are designed to meet California emissions standards as that is more cost effective than designing separate models for the California market.
Posted Sep 27, 2015 5:56 UTC (Sun)
by dlang (guest, #313)
[Link] (1 responses)
The basic design is the same, but there are a handful of expensive add-ons, not all of them technical components (warranties by the manufacturers for the first X years after sale for example).
Posted Sep 27, 2015 6:13 UTC (Sun)
by sfeam (subscriber, #2841)
[Link]
Posted Oct 2, 2015 9:08 UTC (Fri)
by oldtomas (guest, #72579)
[Link] (6 responses)
This is one of the often-cited "limitations" or "problems" with GPLv3.
It is a red herring, IMHO. In a state of right (I'm assuming that here) infraction is the user's responsibility. The manufacturer should make it possible for you to comply with the law; it's not his job to *force* you to (although in the more technical realm we're seeing things slide in this direction, alas).
That's why your standard kitchen knife doesn't come with an "anti-murder device" and why you can install extra "firmware" in your brains (e.g. alcohol) and then drive. It's expected from you to know you're supposed to not do it, and perhaps, when you get caught doing it nevertheless, you have to face some consequences. We might agree on changing that, but until then this often-quoted argument is, and will stay a red herring.
Posted Oct 2, 2015 11:22 UTC (Fri)
by tao (subscriber, #17563)
[Link] (5 responses)
I would certainly love to have access to the firmware of all devices I own. To be able to fix the small things that annoy me in my camera, TV, gaming console, etc. I'm sure I'd love to have the firmware to my car too. And I would perhaps even dare to try to hack it. But I sure as hell wouldn't trust random hacks downloaded from the net.
The amount of people who install stuff like "Make your computer 10% faster!" software is rather worrying. Imagine the amount of people willing to install "Make your car consume 10% less petrol!". Now, further imagine having such cars driving on the same road you're driving on.
A knife is sharp -- most people know that. Alcohol is a drug -- most people know that. Firmware for your car *might* be malware -- hardly anyone will know that, nor will they believe warnings; if people did believe warnings about malware there'd be far less viruses, trojans, botnets, scammers, etc.
So, allowing the users access to all source code for all devices they own -- absolutely.
I suspect that the "ohhhh, upgrading my BMW to a firmware I got online that says that it gives 10% higher top speed" crowd would be fairly small if it voided their insurance (well, perhaps except for the traffic insurance, which is to pay for the damage you *cause*).
Posted Oct 2, 2015 13:54 UTC (Fri)
by raven667 (subscriber, #5198)
[Link] (3 responses)
Posted Oct 2, 2015 16:10 UTC (Fri)
by BlueLightning (subscriber, #38978)
[Link]
Sure, that's not nearly as complicated or perhaps as subtle as modifying code in the ECU - but that's part of the point - it's trivially easy to do the wrong thing here and yet most people don't even have the inclination to try something they shouldn't.
Posted Oct 4, 2015 7:16 UTC (Sun)
by marcH (subscriber, #57642)
[Link] (1 responses)
... while trying to close it could reduce risks. Worst case it will make little difference.
> a small number of "tuners" will do so while the vast majority will be unwilling to take the risk, people take their cars more seriously than their computers,
As a member of this vast majority I very much welcome an easy, convenient, "secure boot like" way to easily prove any random officer that I did not "jailbreak/root" my car and have no responsibility whatsoever in its abnormal level of emission/risk/etc. and that it was all Volkswagen's fault.
Since car manufacturers ironically wish the same thing, it will happen more and more. Get over it.
And once again: absolutely nothing here incompatible with open-source and transparency.
Posted Oct 5, 2015 1:35 UTC (Mon)
by raven667 (subscriber, #5198)
[Link]
This seems incredibly short sighted to me, if you don't bake ownership control in at the beginning, like was done with Secure Boot, you will end up where the manufacturers have always wanted, where it is only possible to get service of any kind at an authorized shop where that manufacturer can take a cut of the revenue (maybe all of the profit).
> As a member of this vast majority I very much welcome an easy, convenient, "secure boot like" way to easily prove any random officer that I did not "jailbreak/root" my car and have no responsibility whatsoever in its abnormal level of emission/risk/etc. and that it was all Volkswagen's fault.
That is a massive red herring and completely confused, in no way do you have to take extreme technical measures to lock the owner out of modifying their own car for the courts to be able to figure out where liability lies when something goes wrong. There are hundreds, maybe thousands of years of precedent on how liability works when a person purchases a good made by someone else, this is not fundamentally different just because computers are involved.
Posted Oct 3, 2015 8:25 UTC (Sat)
by oldtomas (guest, #72579)
[Link]
At first blush, yes. But if law states that it's illegal to drive a car with a non-certified software on public roads, you better not get caught (and there are means to check that -- a strong cryptographic hash...).
And as BlueLightning stated, it'd be trivial to put one, two squirts of nitromethane (DISCLAIMER: I don't really know how that'd work out in practice [1] ;-) into your diesel tank, and still pretty few people do that. Why?
[1] Besides, correctly spelling "nitromethane" might get you in hot water after 9/11
Wol
The great smog attack of 1943
Your summary is out of date. There are currently 12+ states that have adopted the CA standards, and the entire US is doing so next year. Hence the brouhaha with VW not being able to meet the 2016 standards.
Wikipedia US emission standards
Allowing them to freely install it? I'm not so sure in all cases -- in some cases it should require recertification, in other cases void warranties (in most cases both) and insurances.