Judge Rules In Favor of Volkswagen and Silences Scientist
sl4shd0rk writes "Samsung-is-not-as-cool-as-Apple Judge Colin Birss rules in favor of Volkswagen to ban Flavio Garcia, a computer scientist, from revealing details about 'Wirelessly Lockpicking a Vehicle Immobiliser' at USENIX in August. Volkswagen says the flaw could allow someone to 'break the security and steal a car' so it is justifiable grounds for blocking Flavio's paper. No word yet on how soon Volkswagen will have a patch."
If hacking is outlawed (Score:5, Insightful)
Only outlaws will have hackers, or something. It really doesn't work that way, but the protection of rich people's cars will only be temporary.
This is why we have a first amendment. (Score:5, Insightful)
The cars are vulnerable if he tells the world or not. The only difference is now only the bad actors know about the problem.
He should have disclosed without notifying. That way they could not have stopped him.
Solution timetable (Score:4, Insightful)
Re:This is why we have a first amendment. (Score:5, Insightful)
And now that it is known that this specific vulnerability exists, it's relatively trivial for someone to repeat Garcia's work and publish it.
When will Volkswagen fix the issue? (Score:5, Insightful)
Re:This is why we have a first amendment. (Score:5, Insightful)
Re:This is why we have a first amendment. (Score:5, Insightful)
Sure, this is why we have one though. Our founding fathers knew not having one was too dangerous.
Re:This is why we have a first amendment. (Score:5, Insightful)
Nah, that'd be unreasonable. What would be more reasonable is that now that Volkswagen is known to not act in good faith (i.e. lawsuits ensue) after an act of responsible disclosure, there's no good reason to first notify them about any subsequent security holes.
Re:Solution timetable (Score:5, Insightful)
Suspending the first... amendment? This didn't happen in the USA.
And the presentation will likely go forward at USENIX (in Washington DC) with the other two co-authors, from the Netherlands. It's one researcher in the UK who's getting boned by his government.
The moral of this story is. . . . (Score:2, Insightful)
"He should have disclosed without notifying. That way they could not have stopped him."
BINGO.
Quit trying to give the manufacturers / developers the benefit of the doubt here. Time and time again it's obvious they're not interested in doing the right thing, but rather resorting to litigation to shut people up about critical flaws in their product. I know it's bragging rights and all that, but you really should keep your mouth shut until AFTER you've made the disclosure public.
Unless they're paying $$$ for said bug reports, then it's your call to consider if they can buy off your silence or not. I know what the moral thing to do is, but your financial situation may inject some additional considerations into the matter.
Re:This is why we have a first amendment. (Score:5, Insightful)
You also have secret courts...
Re:This is why we have a first amendment. (Score:5, Insightful)
Re:This is why we have a first amendment. (Score:4, Insightful)
Re:This is why we have a first amendment. (Score:5, Insightful)
Perhaps, but for someone who wants to yank thirty or forty cars off the street, with minimal risk, it might be worth a modest investment.
You'd need what, an electron microscope, some custom software to trace the images you scan and convert them back to logic, then someone to write an app / engineer some hardware to make it trivial for you to grab anything you want. Assuming you are grabbing thirty new VWs, at $20K / pop...that's $600K...so, the cost of an electron microscope (may or may not be costly...might get a second-hand one for cheap), and an Electrical Engineer @ 120K + Computer Scientist / Software Engineer @ 120K (so they'll actually do the work, keep their mouths shut, and provide 'updates' to the software / hardware they design at an agreeable rate, since 30-40 cars might easily become 3000-4000 cars provided you don't act like a Mafia-Don and try to kill the wrong people / short the wrong people ("Hey, they did the job; now let's double-cross them, and whack them, so we can keep their share, and they can't tell anyone..." -> Hollywood derp -> Good people are hard to come by, and even harder to replace); I say updates, because the car companies will begin changing stuff as soon as they hear that their cars are getting snatched, and updates are cheaper with people you know, who are 'happy' with you, than people who are PO'ed at you, or are dead).
Still, it seems a lot of work for little cash. Now, getting elected to the Board of Governors for the Federal Reserve...well, they can just print money when they need a little more. Now that's thinking with your head.
Re:Solution timetable (Score:2, Insightful)
That's not a crypto flaw, that's a logic flaw. You can't give someone an encrypted message and the key to decrypt it, and then expect that there's a way to prevent them from decrypting the content. It's just not possible.
Re:This is why we have a first amendment. (Score:4, Insightful)
Yeah, I'm sure nothing like this could ever happen in the US [wikipedia.org] due to your ah-so-fantastic First Amendment.
That case, by the way, is very close to this one. MBTA was granted a Temporary Restraining Order that prevented the researchers from discussing their findings in the conference where they intended to do it. Which is *exactly* what has happened here so far.