
I must say, I'm impressed with how this was handled both by the original researcher and DigitalOcean.


Except I informed them of this issue in January of this year

http://imgur.com/GTi2UxJ

Apparently they ignored it :)


That worries me far more than the actual security issue. Security issues happen to everybody, but so long as too many don't occur, it's the response that shapes my ongoing confidence in that company or product.

What's happening on the left side? Is that you or the rep?


I blocked out my name, the rep is the one with a picture.

edit: actually I didn't realize there was a Skype window up when I took the screenshot, thanks for warning me...


Ok, that is disturbing...


Honestly, I figured they would realize how important it would be to fix this so I didn't follow up on it once I fixed my own images.


It's a reality of doing tech support. You get a flood of garbage information ("Hi, I can't access your web page, I get a 404 error. My system has 8 GB of RAM and an Intel 4700K and blah blah blah..."), and have to do your best to sort through and solve the user's problem.

Your ticket had two problems described. The tech probably didn't understand the significance of the first problem, and so just discarded the information. Then she answered your second question. When you've got 100 tickets to sort through in your 8 hour day, you simply have to make some compromises on the thoroughness of your response.

To get her attention, it would have been better to explain a little about what the consequences are, and request that she have a developer follow up. Make it clear that it's a major security failure and could lead to compromised VMs.

Then open a second ticket for your other issue.


I completely agree, after realizing I had asked two questions on one ticket I immediately saw I should've done better. However, when I received a response that said they were working on it, I understood that to mean it was in the queue to fix.


Except I don't see an email from DO or a notification when I log in to the admin panel. So if I didn't check HN at this exact time and see this article, I would have no idea.

It's not a huge deal to me, but if Linode did the same thing, you all would be foaming at the mouth. Just thought I would point this out.


Do you have any Ubuntu instances running or saved? If not, then they would have no reason to notify you of the issue.


I have a few Ubuntu instances and didn't receive any notification.


I've had a Ubuntu instance running for three months now; no notification.


running an Ubuntu 12.04.2 LTS (GNU/Linux 3.2.0-23-virtual x86_64) for 2 months, no notice yet for me


Responsible disclosure can benefit us all, unfortunately some vendors -- SaaS, PaaS, physical, or otherwise -- use their legal departments as blunt weapons to needlessly attack well-meaning security researchers.

In case anybody is wondering, I'm referring to Volkswagen.

http://www.engadget.com/2013/07/29/uk-court-volkswagen-megam...

Personally I'm an advocate of full, anonymous, and public disclosure.


That's not a fair comparison. DigitalOcean just needs to update some stuff to fix this issue. VW would need to recall millions of vehicles (10s billions $). You would do the same thing if you were in their position and had shareholders to worry about.


It's the cost of doing business. They're putting insecure software into hundreds of thousands of cars, and every owner of that car has no control over the software that's running on them.

Imagine if we applied the same logic to phones and other devices -- I wouldn't be surprised if you personally would be offended at the idea that you have little recourse over your phone being hacked remotely and you can't do a damn thing about it because the mobile handset manufacturer locked it down. Thankfully phones are subsidized, ubiquitous, and cheap, so you can take your phone anywhere and get it fixed/replaced.

This is the future folks: locked down devices that you have no control over.

Caveat: we're all plugging our phones into these insecure systems too. Wrap your brain around that for a second to see where I'm going with this.


I would absolutely not do what they have done. But at the same time, I will probably never be the CEO of a large company. I suspect there is at least a weak causal relationship at work here...


No, I certainly would not do the same thing, and to suggest otherwise is an insult. Let's not excuse bad behavior with this misguided idea that we're all equally bad.


So what is VW supposed to do? I'm actually truly curious. This flaw apparently will unlock many expensive cars. These cars' system cannot be replaced as quickly/cheaply as an sshd binary in a Linux OS. I'm very curious, what other action could they have taken? They need him to be silent so they can figure out how to fix it before he makes it public, right? Is letting the public know the detailed exploit more important than the potential problems of the info being public?


VW needs to come up with an immediate workaround that they can publish to owners or allow dealers to quickly hack in, then come up with a permanent fix after that buys them some time.

The immediate workaround may not be possible. In that case, they're just screwed. A company is not entitled to be able to save themselves from the consequences of their past fuckups in all situations. Sometimes, a mistake costs a lot of money or even kills the company. Perhaps this is one.

I find it unlikely that it's impossible to disable the keyless entry system on the cars in question. Surely there is some fuse or wire that can be pulled to shut it off. But it ultimately doesn't matter. Finding a workaround quickly is what they need to do, and if they can't do it, that's not his problem.


Your new solution of "fuck the company" actually harms the enduser even more. Some of them get the updated lock... then the company goes out of business, and now none of them can get official parts for their vehicles. It seems a solution for an ideal world, not the actual world.


You'll note that I proposed other solutions first. To repeat myself: it is highly unlikely that there is not some possible workaround that temporarily disables the system, even if it's something as brute as snipping a wire.

Even in the absolute worst case that the vulnerability is somehow built into the very fabric of the car, you can still secure it by removing all valuables from the interior and then clamping a wheel with a boot. Remove the boot once you figure out a fix. Inconvenient to the owner to be sure, but not impossible to deal with.

Harm to the end user is not my priority. Harm to society is, and it's clear to me that the long-term chilling effects on academic research far outweigh any temporary harm from VW issuing a recall or even going bankrupt.

The alternative is to say that entity B should suffer from a restriction on their free speech simply because entity A, due to their own negligence, finds it excessively costly.

There are so many different ways this could be handled other than "threaten to throw the researcher in jail if he doesn't shut up". But they are all more inconvenient and costly to VW. One can understand why, then, VW would go for the "threaten" option, if we think of VW as a sort of non-moral profit-optimizing organism. But I certainly can't understand why anyone would defend it, let alone say that we would do the same thing.


"clamping a wheel with a boot."

vs

"Harm to the end user is not my priority. Harm to society is"

Wholesale removal of personal transport (even 'while we work something out') is "harm to society".

"the long-term chilling effects on academic research"

Are you not overstating the significance of a paper? Does this paper hold the solution to free energy? The impending food crisis? Sure, it's not ideal, but let's not blow it out of proportion.


You're continually making very frustrating assumptions about the situation, assumptions that paint your argument in the best possible light, even though they are not IMO reasonable.

I repeat for the third time: it is highly unlikely that there is no temporary workaround. Clip a wire, pop a fuse, remove a module, or whatever, one of these will get the job done for the moment.

Finally, even if these cars must be disabled in the interim, it's hardly "wholesale", since it's just one brand of many. Alternatives exist.

Security research is important. Does this paper hold the solution to free energy? No, but the precedent set will discourage further research in this area, which could result in leaving the power grid vulnerable to black hats.

You say I'm overstating the significance of this paper. I say you're vastly overstating the significance of this paper, in terms of what would happen to VW, to VW owners, and to society in general, if the information got out.

The chilling effect on security research of these kinds of actions is fairly well established. There are real-world examples of security researchers deciding not to work on a particular project because they fear persecution. That's a loss to society.

On the other hand, there are no real-world examples of chaos resulting from disclosures of automobile security vulnerabilities, even though car security is, in general, quite lax.

So kindly please, stop with the hyperbole and hysteria.


I like how you accuse me of hyperbole and hysteria, but at the same time use both the arguments "cars should be immobilised if there's no other way" (ie: should not be used) and "there are no real-world examples of chaos resulting from disclosures of automobile security vulnerabilities". Even theoretically, why immobilise so many cars if chaos won't result? You want to have your cake and eat it, too.

Regarding 'wholesale', in context the term just means 'non-selective' and didn't mean every brand on the road. This being said, the arrogance of "Alternatives exist" has got to be pointed out: what alternatives? If you immobilise all the VWs, how will those commuters now proceed? Rent another car? Buy another car? Some might be able to catch public transport, but hardly all.

This links back to what I said about ideal vs real world - you think that it's tenable to just take one brand of vehicles off the road, which is clearly nonsense. Even if there were no temporary fix, the real-world response to fixing the issue would be to leave the cars available to the owners. The idea that you'd even contemplate booting as a considered option is just farcical.


What you describe as "have your cake and eat it" is just a reasoned discussion. I first start with what I think is the most likely scenario, but then I also examine a potential worst-case scenario and show how it, too, can be dealt with.

You appear to be interested in an adversarial discussion in which you score as many points as possible, rather than a collaboration in which we enjoy ourselves and learn. I'm not interested in that, so I'll leave you to it.


They can open the specifications of the ECUs[1] and get involved with all car dealerships, maintenance franchises, insurance companies and whoever else. The goal being to educate them all on how to maintain, repair, and replace the ECUs that are at the heart of every automobile being deployed.

Leaving the responsibility to fix these security flaws in the hands of the automobile manufacturers is dangerous and foolish, they simply don't have the means nor the interest to fix these security flaws.

This is one of the most obvious cases where FLOSS shines -- everybody and anybody can fix their broken software because they know what's running on their machines and the machines are open and accessible to those that need it most: end-users.

[1] http://en.wikipedia.org/wiki/Electronic_control_unit


I don't necessarily agree with the OP but here's how I see it. Yes, releasing this information would be harmful to both the company and the customers. But the principle is: "there is no safety net". And in the long run it will incentivize building higher quality products.

e.g. When I golf, I refuse to take mulligans because it keeps me in a state of mind of, "this is my only chance". Whenever I break this rule, the rest of the day my golfing is worse.


And here's one of the reasons why you're not the CEO of one of the largest corporations in the world. The biggest CEOs in the world are amoral (not immoral) a lot of the time.

Also, the researcher wanted to disclose this information without VW having fixed it. DigitalOcean got the opportunity to fix their system. Do you know what VW's next step is?


I too am an advocate of full public disclosure but the concerns by Volkswagen are warranted and fixes to the issue can not be deployed as easily as DigitalOcean has done here. I don't agree with the gag order from the UK courts but it isn't totally unjustified.



