
Authentication flaws in the REST API (if you give 3rd party your private login info)

First of all, it is a premise. You can call it an ideology, but for the purposes of this article, it's a premise. assumes that everyone [believes -> grants] your [ideology -> premise].

Second, in the forum to which I posted (an O'Reilly technology blog), I would venture the majority would tend towards the world view of an interconnected world of devices built around consumable APIs. That is certainly the feedback I am getting from that crowd.
Can you point to where this premise is indicated in your post?
Authentication Flaws in the Tesla Model S REST API - O'Reilly Broadcast

I'm having trouble finding it.
 
But most people have no idea how OAuth works. They don't look to make sure they are entering their information on a Tesla site, not a WindowsPhone App site.

I agree (and I clarified with an EDIT above)... Tesla could reinforce this by informing all of their owners that third-party apps and sites should never be given the MyTesla credentials, and

I think most people have been educated by Facebook and Twitter and such that login credentials should never be shared. Now that doesn't stop anyone from doing a look-alike app or something that tricks users via phishing. We can't solve that, we won't solve that.

At a minimum, though, I do agree with nspollution's position that OAuth will make third-party cloud apps more secure when Tesla does all the authenticating (as I noted in my edits above, think about the TeslaMS toolkit as a cloud service instead of having to run your own mongodb and node.js instance). I just don't agree with him taking Tesla to task in the press based on his ideology over a closed API. I'd be right there with him if Tesla had published the API and it weren't a reverse-engineered product of a few smart people.
 
It's not sensationalized, it is 100% accurate and the conclusions follow from a basic premise in the belief in an "Internet of Things", connected and interoperable. If you don't grant that premise, then the conclusion doesn't follow. If you grant it, the conclusion follows.

Just because you don't agree with the premise doesn't make it sensationalized.

The problem is you didn't state the premise in the article, and the general public doesn't understand that you are advocating something that I feel 99.9% of car owners couldn't care less about. You wrote on a technology blog, sure, but I think it must be clear even to you that the articles are misunderstanding what you wrote. In comments you have published in response to articles you have failed to set the record straight, and continue to omit the detail that I think most owners care about; that if they only use the Tesla app there is no security problem. I think your article has been counterproductive, in that approached another way you may have convinced Tesla that going with OAuth was a good idea, but now they are much more likely to just shut off access to the API altogether.
 
You can't prevent all possible attacks, but you can take reasonable precautions to make sure they don't happen.

Tesla failed spectacularly here. There is a standard out there that would have been a reasonable precaution and they failed to follow it. As a result, the API is open to a wider variety of attacks than it would be had they taken reasonable precautions.

I am claiming that for the vast majority of people OAuth doesn't work. They know if they install an app they have to enter their username and password. They don't know they need to send Tesla that information. And if they do, they won't know how to check if they are negotiating with Tesla, and not the app, or another website.

OAuth is great on paper. It is great for making secure apps. But it does little for the common person.

I will agree that OAuth could reduce the risk of my credentials from being stolen from a 3rd party. But I imagine most reputable 3rd party developers (except probably Sony :tongue:) have safeguards against that (info not stored on their systems, systems somewhat locked down). And if you start talking non-reputable developers ... well I doubt they could/would implement OAuth properly.
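The trade-off the two posters above are arguing over (an app that stores the owner's MyTesla username and password versus an app that only ever holds a token the owner obtained from Tesla directly) can be made concrete with a small model. The following is an added example, not code from this thread, from Tesla, or from any of the apps discussed; the `AuthServer`, `VehicleAPI`, scope names and the "owner@example.com" account are constructed stand-ins, and the model's choice that a password reset revokes every outstanding token is an assumption, not a statement about how Tesla's servers behave. Both scenarios simulate the same event: the third-party app's stored data is stolen.

```python
import hashlib
import hmac
import secrets

READ = "read:vehicle"        # scope: look at charge/lock state
CONTROL = "control:vehicle"  # scope: unlock, honk, etc.


class AuthServer:
    """Stands in for the service that owns the account (Tesla, in the thread)."""

    def __init__(self):
        self._users = {}   # email -> (salt, pbkdf2 digest)
        self._tokens = {}  # token -> {"user": email, "scopes": set, "revoked": bool}

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, email, password):
        salt = secrets.token_bytes(16)
        self._users[email] = (salt, self._digest(password, salt))

    def check_password(self, email, password):
        rec = self._users.get(email)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._digest(password, salt))

    def change_password(self, email, old, new):
        if not self.check_password(email, old):
            raise PermissionError("bad credentials")
        self.register(email, new)
        for rec in self._tokens.values():   # model assumption: a reset kills every token
            if rec["user"] == email:
                rec["revoked"] = True

    def issue_token(self, email, password, scopes):
        # Whoever holds the password can mint a token with any scopes they like.
        if not self.check_password(email, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self._tokens[token] = {"user": email, "scopes": set(scopes), "revoked": False}
        return token

    def authorize(self, token, scope):
        rec = self._tokens.get(token)
        return rec is not None and not rec["revoked"] and scope in rec["scopes"]

    def revoke(self, token):
        if token in self._tokens:
            self._tokens[token]["revoked"] = True


class VehicleAPI:
    """Resource server: every call carries a token; the password never reaches it."""

    def __init__(self, auth):
        self._auth = auth

    def vehicle_state(self, token):
        if not self._auth.authorize(token, READ):
            raise PermissionError("read scope required")
        return {"charge_pct": 80, "locked": True}   # constructed sample state

    def unlock(self, token):
        if not self._auth.authorize(token, CONTROL):
            raise PermissionError("control scope required")
        return "unlocked"


def _allowed(fn, *args):
    """True if the call succeeds, False if the server refuses it."""
    try:
        fn(*args)
        return True
    except PermissionError:
        return False


def password_sharing_scenario():
    """The third party stores the owner's real credentials and gets breached."""
    auth = AuthServer()
    api = VehicleAPI(auth)
    email, pw = "owner@example.com", "correct horse battery"   # constructed account
    auth.register(email, pw)
    app_store = {"email": email, "password": pw}               # what the app keeps
    stolen = dict(app_store)                                   # attacker copies it
    attacker_token = auth.issue_token(stolen["email"], stolen["password"], [READ, CONTROL])
    result = {"attacker_can_unlock": _allowed(api.unlock, attacker_token)}
    auth.change_password(email, pw, "a new passphrase")        # the only remedy
    result["attacker_can_relogin_after_reset"] = _allowed(
        auth.issue_token, stolen["email"], stolen["password"], [READ])
    result["app_still_works_after_reset"] = _allowed(
        auth.issue_token, app_store["email"], app_store["password"], [READ])
    return result


def delegated_token_scenario():
    """The owner authenticates only with the server and hands the app a read-only token."""
    auth = AuthServer()
    api = VehicleAPI(auth)
    email, pw = "owner@example.com", "correct horse battery"
    auth.register(email, pw)
    app_store = {"token": auth.issue_token(email, pw, [READ])}  # no password stored
    stolen = dict(app_store)
    result = {
        "attacker_can_read": _allowed(api.vehicle_state, stolen["token"]),
        "attacker_can_unlock": _allowed(api.unlock, stolen["token"]),
    }
    auth.revoke(app_store["token"])                             # remedy: revoke, not reset
    result["attacker_can_read_after_revoke"] = _allowed(api.vehicle_state, stolen["token"])
    result["password_still_valid"] = auth.check_password(email, pw)
    return result
```

Running the two scenarios shows the point both sides concede in different words: with a stored password the thief gets every scope and the owner's only fix is a reset that also breaks the legitimate app; with a delegated token the thief gets only the scope the owner granted, and one revocation ends it without touching the password. It also shows what the model cannot fix, which is the phishing concern raised above: `issue_token` still trusts whoever types the password, so the benefit exists only if the owner actually enters it at the account holder's site and not in a look-alike app.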
 
Second, in the forum to which I posted (an O'Reilly technology blog), I would venture the majority would tend towards the world view of an interconnected world of devices built around consumable APIs. That is certainly the feedback I am getting from that crowd.

There is a difference between a world view of an interconnected world of devices built around consumable API's - which I subscribe to - and an ideology that every single API must be open, period, with support of third-party authentication tokens in case someone might want to use it. I certainly, in my professional job, do not design every application interface to use OAuth tokens, even though I would concur that some of them may be used more creatively in other ways. That's just not my use case, I don't have the time, and I have more productive things to accomplish from a business standpoint.

But it's clear I won't change your mind on this. I'm not asking you to change your mind, I'm asking that you clarify in your post that you are taking your "must be open" premise to a closed API that is currently only intended for use between Tesla's Mobile App and Tesla's servers. We can only conclude that your failure to clarify -- which allows you to keep your "connected" premise even if you do clarify -- is designed purely to gain more traffic to your blog and take advantage of sensationalism.

As to whether they failed "spectacularly", that's a rather strong word. If you don't give out your credentials to third parties, you're not exposed to API problems. If you use the closed API as intended, you're not exposed to API problems. But again, to use "spectacularly" is sensationalism.
 
It's not explicitly stated in the article. My target audience (the O'Reilly audience) gets it when I talk about the "Internet of Things".

For this audience, it obviously needs clarification. I will be writing a followup article on the premise.

Yeah, because adding this to the now much linked to original article could disrupt that nice panic that is spreading through all the readers that don't get this premise (hint, that would be 99+% of all analysts, financial bloggers, car enthusiasts and just about everyone else...)

You puzzle me. I keep wanting to believe in your stated intentions, but your actions make this really really hard. The weird part is that I agree with the premise and with the technical comments. I just vehemently disagree with the way it is positioned and presented. And with your aggressiveness towards anyone who tries to get you to see that there is a world out there of people who get the alarmist headline but not the subtleties of the premise. And the fact that none of this really matters to Joe Tesla owner who doesn't hand out their credentials...
 
Yeah, because adding this to the now much linked to original article could disrupt that nice panic that is spreading through all the readers that don't get this premise (hint, that would be 99+% of all analysts, financial bloggers, car enthusiasts and just about everyone else...)

You puzzle me. I keep wanting to believe in your stated intentions, but your actions make this really really hard. The weird part is that I agree with the premise and with the technical comments. I just vehemently disagree with the way it is positioned and presented. And with your aggressiveness towards anyone who tries to get you to see that there is a world out there of people who get the alarmist headline but not the subtleties of the premise. And the fact that none of this really matters to Joe Tesla owner who doesn't hand out their credentials...

+1000

- - - Updated - - -

For this audience, it obviously needs clarification. I will be writing a followup article on the premise.

The existing article, that the press picked up, needs to be modified. Not buried in a retraction on page 21.
 
Yeah, because adding this to the now much linked to original article could disrupt that nice panic that is spreading through all the readers that don't get this premise (hint, that would be 99+% of all analysts, financial bloggers, car enthusiasts and just about everyone else...)

I don't believe in editing articles post-publication unless there are factual errors. Doing so changes the article for different readers and makes a common point of discussion problematic.

The issue you are questioning is worthy of an article in and of itself, and so that's the way I am approaching it.

And again, the premise is implicitly stated for my target audience in this blog. As are any number of other premises (some of which aren't even implicitly stated) on which the blog relies.

You may not like that approach, but that's the way I have always approached blogging. This time is no different.
 
You may not like that approach, but that's the way I have always approached blogging. This time is no different.

At a minimum, you should place even a simple, at-the-top, "CLARIFICATION: It has been pointed out that the press, perhaps unfamiliar to my positions on API's, has picked up on this story and may have left readers not familiar with my positions on open API's with the wrong impression that the Tesla Model S is a compromised product. See <HERE> for more details on my beliefs on open API's versus Tesla's closed API for vehicle monitoring."

You're not being asked to compromise your position, you're being asked to clarify it. And as you've written it, you DO have a factual error in the article - an error of omission.

There is nothing wrong with adding a clarification to it that explains it's a closed API. To fail to do so - well, in that case we must assume you and John Broder are cut from the same cloth.
 
I'll have to assume that invoking Broder in this forum is the TMC equivalent of Godwin's Law. I will therefore act accordingly.

Actually, it's not. Godwin's law is intended to address rather unfair comparisons between simple arguments and a horrible act of an evil, evil person who horribly impacted the world as we know it forevermore. One might argue that the very act of bringing up Godwin's law outside the context of a comparison to AH is and of itself the invocation of it, and I'm personally insulted you would even think to make that comparison. Shame on you.

No, rather it would serve to demonstrate that indeed, your intention isn't to educate the readers of your blog but rather -- as Broder did -- to use sensationalism to drag traffic to your blog and notoriety to yourself; that you don't intend to serve the reader but rather to mislead him to your benefit.

A real and proper blogger would clarify his errors of omission.
 
I have taken this quote somewhat out of context, so please treat it as such. But I would like to ask:

Do you believe that your car (as in *your personal car*) is at risk because of what you call flaws in this API?

No. I don't believe anyone's is.

That's the difference between a vulnerability and an architectural flaw.

If it were a vulnerability, I would have had a duty to disclose it to Tesla before making it public because the public disclosure would have put people at risk.

As a flaw, the duty is to disclose it to the public, because knowledge of the flaw enables people to protect themselves accordingly.
 
No. I don't believe anyone's is.

That's the difference between a vulnerability and an architectural flaw.

If it were a vulnerability, I would have had a duty to disclose it to Tesla before making it public because the public disclosure would have put people at risk.

As a flaw, the duty is to disclose it to the public, because knowledge of the flaw enables people to protect themselves accordingly.

Brilliant. So you get to have it both ways.

Through the way you phrased your article and its headline and through your lack of interest in updating it to show what you claim is your real intent you get the sensationalism, yet through occasional reasonable statements here you are trying to deflect the argument that all you want is that sensationalism.

All the while you aggressively attack anyone who points this out and constantly pretend that you are the victim of a mob.
I give up. We all have spent way too much time on arguing with you. Your intentions are clear, the damage was done, any more interaction will just increase the agony.

Moderators, can we close this thread?
 
No. I don't believe anyone's is.

That's the difference between a vulnerability and an architectural flaw.

If it were a vulnerability, I would have had a duty to disclose it to Tesla before making it public because the public disclosure would have put people at risk.

As a flaw, the duty is to disclose it to the public, because knowledge of the flaw enables people to protect themselves accordingly.

The flaw is 'share your My Tesla username and password with anyone but Tesla' and you might be harmed. If you don't, you are fine but this doesn't seem to be mentioned or stressed in your original article. I'm not an API expert and came away from your original article with the sense that the Tesla API was vulnerable to hacking more than other APIs.
 
I will note that George posted a new version of his blog post, slightly modified, at the following location:
Tesla Model S REST API Authentication Flaws - Programming - O'Reilly Media

Comments are enabled on this one, so fair criticism of his position should be encouraged there. I have summarized my concern and posted there.

It is rather unfortunate that George refuses to update the original post -- the one the press links to with the scary "hackable Tesla" headlines. I can only hope he will reconsider not adding a clarification or a pointer to the update so that responsible press can report on it without the wrong impression.
 
I will note that George posted a new version of his blog post, slightly modified, at the following location:
Tesla Model S REST API Authentication Flaws - Programming - O'Reilly Media

Comments are enabled on this one, so fair criticism of his position should be encouraged there. I have summarized my concern and posted there.

It is rather unfortunate that George refuses to update the original post -- the one the press links to with the scary "hackable Tesla" headlines. I can only hope he will reconsider not adding a clarification or a pointer to the update so that responsible press can report on it without the wrong impression.

That article is a little more clear. Would think a clarification with the same information in this update should go in the original article but really too late. All of the 'hacking Tesla' secondary articles are already out there. Nice response with your comment too.
 
This is an idiotic false choice.

Is it really expected that, in order to be intellectually honest, I'll write about EVERY SINGLE API THAT EXISTS?

That's just plain absurd.

I have a Tesla, I care about its API. Someone asked me why I thought it was a flawed API, and I wrote it up.

It's really that simple.

Huh? My single counter argument has shattered your basic premise about the weakness of the API. Truth hurts. You made a bad argument and now the ego is crying and lashing out... This is not about honesty. That's not even the point of the argument. This is not about what you care about either. It's about posting incorrect information to gain clicks/fame. I am glad you care about Tesla's API. That does not give you license to print inaccurate nonsense. And please spare us the "it's not inaccurate cause I am a self-acknowledged expert".

Otherwise you would go to my site and sign up. It does EXACTLY what you claim the "Internet of Things" should work as. Time to man up...