
Authentication flaws in the REST API (if you give 3rd party your private login info)

These articles are only doing what you did: taking info and sensationalizing it. They don't bother to fact check. They don't bother to get it right. They go for the juicy headline and run as far as they can while doing the least amount of work. This was inevitable. It's one reason why so many took issue with your original thread title and article to begin with.

People like you **** me off. You don't like the article, so you attack the author.

There's absolutely nothing wrong with my blog. You may not agree with my philosophy on connected devices. The facts definitely have different presentations depending on which future you see, but there's nothing sensationalistic about my article given my beliefs.

- - - Updated - - -


This quote from that article is incorrect:

"Essentially, the tokens are saved on website databases, which can be easily hacked"

Third-party web sites may or may not be easily hacked. Some may be Fort Knox, others may be honeypots.

The point is that the Tesla API doesn't deal with that reality.

- - - Updated - - -

If there is an issue, you could have done much more good by contacting Tesla and attempting to address your issues with them than a blog post.

Except for the fact that I am someone who writes about API design for a living.

Here's the chain of events:

* For the past few months, I have been complaining about the security model of the Tesla REST API
* Last week, someone in this forum asked me for details
* At first, I just gave a couple of high-level notes
* Then I thought, "well, I should write something more detailed up"
* At first, I posted it to Google+
* Then, people who regularly read my stuff asked why I didn't put it on O'Reilly. That made sense to me, since I write about APIs.
* Then people in this forum who don't agree with my view of "the Internet of Things" started attacking my character

I am not interested in the particulars of Tesla here. I am interested in discussing how APIs are implemented in the Internet of Things.

That it doesn't suit your agenda is irrelevant to me.
 
@nspollution: you're now famous in Holland ("Tesla Model S Easy To Hack") and also in France ("The Tesla Model S can be hacked").

I resent the repeated insinuations that this is about press.

I am (within a certain sphere) famous independent of this article. This article isn't going to make me more famous. If I were seeking press, I sure as hell would not have posted it to Google+ at first and also not to O'Reilly as a follow on. I have any number of other outlets I could have sought out to create something sensationalist.

O'Reilly is a technology blog used to cover stuff like the Internet of Things. It was an appropriate place for an appropriate discussion.

- - - Updated - - -

Let's stay away from name calling and insults.

It's fine for you if people question my character, but you get bent out of shape if I call them on it?
 
I resent the repeated insinuations that this is about press.

Sorry, but it is about press now. It's a little naive to imagine that this wouldn't have gotten picked up and twisted; you're just the latest victim of being taken out of context.


It's fine for you if people question my character, but you get bent out of shape if I call them on it?

Lots of people get questioned all the time; you're questioning my character with your comment right there. But let's just stay as civil and family friendly as possible, ok?
 
Except for the fact that I am someone who writes about API design for a living.

Here's the chain of events:

* For the past few months, I have been complaining about the security model of the Tesla REST API
* Last week, someone in this forum asked me for details
* At first, I just gave a couple of high-level notes
* Then I thought, "well, I should write something more detailed up"
* At first, I posted it to Google+
* Then, people who regularly read my stuff asked why I didn't put it on O'Reilly. That made sense to me, since I write about APIs.
* Then people in this forum who don't agree with my view of "the Internet of Things" started attacking my character

I am not interested in the particulars of Tesla here. I am interested in discussing how APIs are implemented in the Internet of Things.

That it doesn't suit your agenda is irrelevant to me.

So at no point in this process did you contact Tesla to tell them you thought their implementation was insecure before going to press? The fact that you could not see it would be a sensationalistic article and spread around the internet should be relevant to you. It also doesn't appear that others share your view that this is even an issue but that won't matter in the articles that picked up your story. If you love your car then writing something like this without due diligence only serves to make it harder for Tesla to succeed and less likely the company will be around to support the car you love. You had every right to publish the article but would have thought getting input from Tesla and finding out why they did what they did would have been useful. They may not have told you anything but sounds like you didn't even try.
 
Sorry, but it is about press now. It's a little naive to imagine that this wouldn't have gotten picked up and twisted; you're just the latest victim of being taken out of context.

I am very experienced with the press. I don't fault any of the press coverage. I really don't have any problem with the coverage of my article in general. They aren't written the way I would write them, but then again I didn't write them. So that's not a surprise. I also didn't have a profit/page-view motive.

The media I picked were not well-suited to the idea of seeking media exposure.

If I were just seeking publicity, what I would have done is shop the article. I would have gotten paid AND gotten more exposure.

Instead, I initially picked Google+ as my medium because I was writing up my thoughts in response to a post in this forum on my day off. Halfway through writing it up, I realized it was more about the Internet of Things than the Tesla. I tweeted about it and the people who follow me for API stuff wondered why the hell I posted it to Google+ (I never post anything to Google+). It was then I changed it to O'Reilly. A place that I make no money from, a place aimed at technology people, a place that isn't "page-view" driven.

And I didn't expect that it would get picked up by the press. O'Reilly is not a grand source of wider press coverage. It would not have gotten coverage, except that the Forbes guy follows me. I expect everything else followed from the Forbes coverage.

As a side note, in case someone did pick it up, I made sure to start the article noting that there were no automotive safety issues at play.

The whole argument as to whether I am correct or not depends on the basic premise of the Internet of Things.

If you deny me my premise that devices should be connected, then this IS NOT an architectural flaw.

If you grant me the premise, then it IS an architectural flaw.

You can reasonably deny the premise, but you cannot deny that the premise itself is a reasonable one for others to hold true. Therefore people attacking my motives instead of the content of the article are way off base. As are the people who try to argue I should not have written it at all.

- - - Updated - - -

So at no point in this process did you contact Tesla to tell them you thought their implementation was insecure before going to press?

I DIDN'T GO TO THE PRESS.

I am a technology author and I wrote up something in my blog about it.

The fact that you could not see it would be a sensationalistic article and spread around the internet should be relevant to you.

It's not a sensationalistic article. Its validity simply lies in granting or denying one basic premise about the interconnectedness of things. You can deny the premise and thus deny the conclusion of the article, but you can't deny the fact that I may reasonably believe that premise and thus reasonably reach the conclusion I reached.


It also doesn't appear that others share your view that this is even an issue but that won't matter in the articles that picked up your story.

You are reading selectively. A lot of people share my view. Especially in the cloud/technology community where my belief in the Internet of Things is generally taken for granted. Even in this forum populated with people who tend to be very intolerant of Tesla criticism, there are a number of people supporting the article.

If you love your car then writing something like this without due diligence only serves to make it harder for Tesla to succeed and less likely the company will be around to support the car you love. You had every right to publish the article but would have thought getting input from Tesla and finding out why they did what they did would have been useful. They may not have told you anything but sounds like you didn't even try.

I don't work for Tesla PR.
 
If you deny me my premise that devices should be connected, then this IS NOT an architectural flaw.

If you grant me the premise, then it IS an architectural flaw.

You can reasonably deny the premise, but you cannot deny that the premise itself is a reasonable one for others to hold true. Therefore people attacking my motives instead of the content of the article are way off base. As are the people who try to argue I should not have written it at all.

I deny your premise. Whether or not devices should be connected is a design decision of the company, and the marketplace can decide whether they would prefer devices with broad connect-ability or not. You can not dictate to companies that it is necessary for them to facilitate it. If you had written the whole article with the same facts, but from the point of view of how much better the product would be if they had made a different design decision, then I would have no problem with it.

I'm not convinced that third party web sites for this will spread beyond a very limited enthusiast audience, but if they do loudly telling people about the insecurity of using those web sites is entirely fair.
 
One point of interest...

My point of view is based on treating the Tesla like a consumer electronics device and not a traditional automobile.

That's a large part of what justifies high stock price valuations for Tesla--that it's more consumer electronics than traditional automobile.
 
I don't fault any of the press coverage. I really don't have any problem with the coverage of my article in general.

Not even the ones who are headlining that the Model S is easily hacked and that someone can take partial control of the car?


My point of view is based on treating the Tesla like a consumer electronics device and not a traditional automobile.

I already had someone ask me what happens when someone hacks my car while I'm doing 80mph on the interstate.....nobody cares if my toaster gets hacked.
 
One point of interest...

My point of view is based on treating the Tesla like a consumer electronics device and not a traditional automobile.

That's a large part of what justifies high stock price valuations for Tesla--that it's more consumer electronics than traditional automobile.

I haven't given my Tesla login information to any third party. So am I still at danger of my car being hacked while I'm driving as some of these articles that source your article are saying?
 
If you give your username and password to other parties, you put yourself at risk. As far as I know, Tesla only intended the API to be used by Tesla, not 3rd parties.

My key take away from nspollution's blog post is that he thinks Tesla should have adopted a 3rd party friendly / secure API in the first place. Fair enough, but this seems more like a feature request for a 3rd party API rather than a security hole. It's only insecure if you give out your username and password, which is clearly not a wise thing to do if you want to keep it secure. That's not to suggest the more adventurous and technically savvy among us shouldn't go to town and take on that risk, but that's a whole different kit and caboodle than saying Tesla has a security hole in a supported product.

Tesla should probably send everyone an email with the (seemingly obvious) reminder to never give your Tesla username and password to any other party, or to enter it anywhere except the Tesla website and official Tesla app.
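The two posts above draw the line that the thread keeps circling: handing a third-party site your actual username and password (which it must then store and replay) versus giving it a delegated credential that is scoped, expiring and revocable, so that a leak of the third party's database does not yield a usable login and the owner can cut off one site without changing the password everyone else uses. The following is an added illustration of that second design, written for this thread; it is not Tesla's code or API, and the scope names, the in-memory store and the sample values are constructed for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

# Constructed scope names for the illustration; not the real vehicle API.
SCOPES = {"read_charge_state", "read_location", "climate_control", "unlock"}


@dataclass
class Grant:
    owner: str
    client: str            # the third-party site the owner delegated to
    scopes: frozenset
    expires_at: float
    revoked: bool = False


class DelegatedTokenIssuer:
    """Hands a third party an opaque, scoped, expiring, revocable token instead
    of the owner's password. Only a hash of the token is stored server-side, so
    a copy of this table is not a set of working credentials."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock, for testing expiry
        self._grants: dict[str, Grant] = {}  # token hash -> grant

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, owner: str, client: str, scopes, ttl_seconds: int) -> str:
        requested = frozenset(scopes)
        unknown = requested - SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        token = secrets.token_urlsafe(32)    # the only copy the third party ever sees
        self._grants[self._digest(token)] = Grant(
            owner, client, requested, self._now() + ttl_seconds)
        return token

    def authorize(self, token: str, scope: str) -> bool:
        """True only for a known, unrevoked, unexpired token holding that scope."""
        grant = self._grants.get(self._digest(token))
        if grant is None or grant.revoked:
            return False
        if self._now() >= grant.expires_at:
            return False
        return scope in grant.scopes

    def revoke_client(self, owner: str, client: str) -> int:
        """Owner cuts off one third party without touching their password or any
        other delegation. Returns the number of grants revoked."""
        count = 0
        for grant in self._grants.values():
            if grant.owner == owner and grant.client == client and not grant.revoked:
                grant.revoked = True
                count += 1
        return count


def demo() -> dict:
    """Walk a constructed owner and third-party site through the lifecycle."""
    clock = [1_000_000.0]
    issuer = DelegatedTokenIssuer(now=lambda: clock[0])
    token = issuer.issue("owner@example.com", "charge-stats-site",
                         {"read_charge_state"}, ttl_seconds=3600)
    results = {
        "granted_scope": issuer.authorize(token, "read_charge_state"),
        "ungranted_scope": issuer.authorize(token, "unlock"),
        "garbage_token": issuer.authorize("not-a-token", "read_charge_state"),
    }
    clock[0] += 3601                          # step past the TTL
    results["after_expiry"] = issuer.authorize(token, "read_charge_state")
    clock[0] -= 3601
    results["revoked_count"] = issuer.revoke_client("owner@example.com", "charge-stats-site")
    results["after_revoke"] = issuer.authorize(token, "read_charge_state")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The contrast with password sharing is in what each side holds: here the site holds a token good for one owner, one scope set and a bounded time, and the issuer holds only a hash of it; with a shared password the site holds the whole account, the issuer cannot tell the site's requests from the owner's, and the only remedy is a password change that hits every other site at once.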
 
For the average Joe on the street; they all do. Take a look at the headlines and the sub-headings....that's the extent most people go to when reading this stuff. None of the articles I read today actually make clear that this is only a problem if you share your login credentials with a third-party.

I don't read them that way, but I am accustomed to reading security-related articles in technology publications.

I'll note again, this was published in a technology blog.
 
I think there are two arguments in this thread, and I think it's important that they be separated. One is the argument over whether or not the API is flawed. The other is the argument over whether, and how, a flaw in Tesla's IP should be publicized when one exists. I have engaged in the argument over whether or not it is flawed. The author's opinion is that it is, mine is that it is not. The author claims to be an API expert, and so do I. I believe there's at least one other participant who claims to be one.

Unlike most people in this forum, I actually think there's nothing wrong with legitimate flaws being publicized. I hate fanboyism, and work really hard to keep myself from being a fanboy (even though it's really hard for me in the case of anything Musk does). I've been outspoken regarding issues I've had with my vehicle, and wouldn't hesitate to talk about them on this forum, in articles and interviews; whatever. Keeping flaws secret serves no purpose unless I'm trying to play the stock, and even then the flaw will come out eventually.

I would love it if this thread only focused on whether or not flaws "in the API" exist (to the extent that we haven't exhausted the argument). I hate the discussion on whether or not to publicize flaws in general being here, and would much prefer it being in its own thread.

By the way, I know people who have been turned off from buying a Model S because of the fanboyism. Steve Wozniak was one of them humorously enough, considering where he came from. The Broder story soured him; not because of what Broder found, but because of the minions' reaction afterwards. He canceled his delivery because of it and someone else got his car.
 
The author claims to be an API expert, and so do I. I believe there's at least one other participant who claims to be one.

That claim was not meant to be support for my argument. That claim was to explain why I wrote the article I wrote in the medium in which I picked to write it. In particular, I regularly write on the subject of RESTful APIs.


By the way, I know people who have been turned off from buying a Model S because of the fanboyism. Steve Wozniak was one of them humorously enough, considering where he came from. The Broder story soured him; not because of what Broder found, but because of the minions' reaction afterwards. He canceled his delivery because of it and someone else got his car.

I actually felt the same reaction, but that was before I considered getting the car. I doubt I'd ever decide to buy or not buy a product because of fanboys, but I definitely have no problem hacking at their holy relics.

Ask me how I feel about iCloud some day :)
 
I actually think there's nothing wrong with legitimate flaws being publicized.

I agree, and I suspect most people on the forum do. In this case though there has been a failure to state clearly, from the outset, that it is not a problem with the car nor if you keep your credentials to yourself; that made it pre-destined IMO to hit the media and for owners to consequently start having to answer another piece of FUD.

- - - Updated - - -

I'll note again, this was published in a technology blog.

...on the Internet. Once it's out there, it's out there.

We don't need to argue back and forth so I'm going to stop here. You're welcome to the last word.
 
If nspollution had avoided sensationalist headlines and words like 'hack' and 'flawed' in his article, but still explained that the current architecture lends itself to providing usernames and passwords to unofficial third parties and that opens a gateway for vulnerability, with a footnote that those owners who do not give their credentials are not impacted, then that would have served the same purpose of highlighting the issues.

But then again, that may not have been the real purpose.
 
If nspollution had avoided sensationalist headlines and words like 'hack' and 'flawed' in his article, but still explained that the current architecture lends itself to providing usernames and passwords to unofficial third parties and that opens a gateway for vulnerability, with a footnote that those owners who do not give their credentials are not impacted, then that would have served the same purpose of highlighting the issues.

But then again, that may not have been the real purpose.

I can't tell what the purpose was, and I doubt anyone else but him can either.
But I agree that that would have been a much better way to deal with this...