You can install our site as a web app on your iOS device by utilizing the Add to Home Screen feature in Safari. Please see this thread for more details on this.
Note: This feature may not be available in some browsers.
You're one of a few people then. Many (most?) people who looked at the famous Sony rootkit blamed Microsoft for allowing this in the first place. Perception is unfortunately everything. Whether that web site that they accessed uses some vulnerability in Flash, all that happens is people think Windows is broken.
If they had a private API intended for one purpose, and third parties re-purpose that API for another purpose it was not suitable for, then something got exploited by the third party use that would not be exploitable with the original use, then I would neither call the API flawed for its original purpose, nor hold Microsoft accountable.
#2 is my biggest problem with the arguments so far.Two things:
#1 Tesla should have a software engineering team that basically works on things like the API and the mobile apps. This is not some huge drain in resources.
#2 Handing out credentials to third-party sites to leverage an API is not stupid. Having an API that puts people at risk when they do so is stupid.
#2 is my biggest problem with the arguments so far.
Tesla produced apps. The apps were/are secure. Some folks figured out what the apps were doing and engineered their own apps.
So Tesla is at fault because the apps weren't so secure that an API couldn't be derived? It should've used encrypted communications that couldn't be tapped even by the customer? Are they at fault because rather than releasing an open API, they instead released an API that could be reverse engineered?
Tesla did #1; team that made mobile apps. Application users did #2; handed out creds to 3rd party sites. ... Tesla is at fault for the 3rd party app users?
Look at Twitter, for example (and hardly a shining beacon of security). Let's say you use HootSuite. HootSuite is hacked. You go into your Twitter account and revoke HootSuite's authorization. Done. All in your hands, no impact to all the other tools that need to interact with Twitter.
This morning I'm talking to my wife and mentioned this subject and she had a whole new take on it. This is the gist of the conversation:
Mrs: These guys are hacking into the Tesla system and creating their own apps?
Me: Umm, basically yes.
Mrs: Isn't Tesla paying for those communications to the car?
Me: Yes.....
Mrs: So isn't that like stealing and then complaining that the bank made it too difficult?
Ouch.
I think in the security industry I work in, my view is the accepted one, and the majority.
In the case of a straightforward Microsoft API (public or private), if a hacker exploits a vulnerability in that API in normal use, then Microsoft is accountable. If someone takes a Microsoft API and uses it for something different that introduces new flaws that were not present in the original use case, then I would not hold Microsoft accountable.
Bottom line: To me, it comes down to the simple fact that using this API, for the purpose it was designed for, is secure (or at least not vulnerable to these flaws identified).
Every Trojan in the world uses an API in a way that's not part of the original use case!
I think you're mixing a buffer overrun style attack on legit software with the ability to create malware using an API.
We don't have definitions of "normal use" vs. "abnormal use" in API design, and I doubt anybody else does either. You have to assume everything out there tries to DOS, EOP, MiTM, Key attack the API. Besides, sometimes a badly written piece of well intentional code can wreck more havoc than a well written virus. So you have to defend against everything anyway.
But maybe next time when we have a large Trojan, we'll just publish: "Oh, Slammer 2.0 wasn't using SQL in a way that we designed - so don't worry about it.".
The API is not secure. Tesla APP's are secure. But the security model of the API is simply based on "There can only be Tesla apps", but that stopped being true a while ago.
Would you agree that the majority of the people in the world do not work in the security industry though?
Every Trojan in the world uses an API in a way that's not part of the original use case!
Again, they've missed the whole 'third party' part of the issue to go for the sexy headline. Good grief.
Sadly, I expect them to shut it down before 2014 because of the way your concerns were raised.
I was being optimistic. Also, I figure "before 2014" is "soon" in Tesla terminology.You think it's going to take that long?
Pano shade?Advertising something and then not providing it after it's sold is not illegal?
Props for the reference.Fair enough. It's an honest philosophical difference. I realize that I sound like Commander Adama when I say I don't believe systems should be connected or networked.
The former is more aligned with my thinking, though the title isn't (I specifically have noted many times that there is no vulnerability; flaw != vulnerability).
Although it's odd they elected to refer to me as a "Dell Exec". I am most obviously NOT writing in my capacity as a Dell executive, but as an author and expert in REST API design (why it was published to the O'Reilly blog instead of the Dell blog).
George Reese, Executive Director, Cloud Management at Dell, explains the threat - a flaw in the security of the API, that will allow for partial remote control of the car. Reese himself is a Model S owner.