English High Court Bans Publication of 0-Day Threat To Auto Immobilizers
An anonymous reader writes "The High Court — England's highest civil court — has temporarily banned the publication of a scientific paper that would reveal the details of a zero day vulnerability in vehicle immobilisers and, crucially, give details of how to crack the system. Motor manufacturers argued that revealing the details of the crack would allow criminals to steal cars. Could this presage the courts getting involved in what gets posted on your local Bugzilla? It certainly means that software giants who dislike security researchers publishing the full facts on vulnerabilities might want to consider a full legal route."
that settles it (Score:5, Insightful)
Re:that settles it (Score:5, Insightful)
Re:that settles it (Score:5, Insightful)
It sure is a good thing that England controls the entire Internet
Not just the Internet - this action is curious because of jurisdiction. USENIX is in Washington, DC in a few weeks. Volkswagen is German. One of the authors is in the UK, but the other two are in the Netherlands.
So, the action must be specifically targeting this one author. Weird - it's an accepted paper and the other two authors were obviously planning to present. I guess they won't be going through Heathrow.
Re:that settles it (Score:5, Insightful)
Ok, so it wouldn't be your local thug on the corner, but there are some criminal groups that pride themselves on using the 'slick' methods.
Re:Security through obscurity? (Score:5, Insightful)
Security through obscurity does work, not very effectively, but it does. Or at least, the obscure system is more secure than the same system that is open.
For example - let's say I keep a backup key to my house buried somewhere in the yard or in a flowerpot (there are many flowerpots and I chose one at random). While this is not as secure as not having the backup key, it is more secure than placing a sign indicating where the key is.
Same thing here - while the system is not as secure as it would have been if the vulnerability did not exist, if the exploit was published, then everyone would know how to hack it, even those who would not be able to come up with the hack on their own.
My car is too old to have a computer in it, but I use an aftermarket security "system" - I have to push a button (the button is visible and usually has another function) before I try to start the engine or it would crank, but not start. Now this would not be a problem for a competent thief - he would figure out how to circumvent this, it's not that difficult. However, some drug addict or a drunk teenager may just conclude that the car is broken and steal some other car instead.
not even until fix, until a full hearing (Score:5, Insightful)
A temporary injunction is common in many types of cases and in no way indicates the court's opinion on the substantive issues. It's simply a recognition that they can't unpublish the information, so they need to wait until a decision is made before they publish. The same is often done with property disputes such as divorces. A temporary injunction orders both parties not to sell or otherwise dispose of the property until a decision is made as to ownership.
Ps - I don't care for the injunction. I would have preferred that the court hint at whether they think the case has merit, then let the researcher decide whether to release the information immediately, risking a successful suit for damages. The injunction, as a prior restraint on speech, is censorship. Still, it's best not to exaggerate the effect or intent of the injunction.
Re:that settles it (Score:5, Insightful)
Not only that, but to have a claim against insurance when (not if) this blows.
It would certainly not be the first time that an insurance refuses a claim because "this can't happen". You have NO idea how long it took insurances to accept that certain locks can (despite any claims from manufacturers) be picked without damaging the lock. Manufacturer said it can't be, so people who made an insurance claim after being robbed actually had to face charges of insurance fraud.
It is VITAL that not only manufacturers but also insurances get this information!
Re:this should be standard (Score:5, Insightful)
Re:Great Idea! (Score:2, Insightful)
Seriously, how do people this stupid become judges?
Seriously, how do people this stupid manage to find their way to /. to post a reply on a matter of which they have no understanding?
The Court imposed a temporary injunction presumably to either allow Volkswagen to address the security issue or allow Volkswagen to present its case for a permanent injunction or more likely to request sufficient time to correct the issue before the research paper is published. The judges acted in accordance with UK jurisprudence.
stupidity won again (Score:5, Insightful)
Yep, the court fell for the oldest and most blatantly false argument of the full disclosure opponent.
The court assumes that bad guys don't already have this knowledge. From decades of experience in IT security we can conclude with near certainty that they do. What this provides is limited, short-term protection against those would-be thieves who don't, yet. Also, a false sense of security.
What would've happened if this had been published: The public would know, car manufacturers would (have to) scramble for a fix.
What will happen now: Nothing. The next model will be fixed, your current one will maybe get an update at the next maintenance cycle, but don't count on it.
The next years will be a great time to be a car thief.