
Authentication flaws in the REST API (if you give 3rd party your private login info)

I know you can control the sunroof. I haven't tried the lights and horn.

If you are right, it's not a material issue.

I know you really want to control what I write, but it's not going to happen.

You say you can write anything you want and if someone picks it up then it isn't your fault because you are not a journalist. While you have the right to write anything you want, we have the right to point out the errors which you apparently don't see. The title and tone were over the top, as seen by the media coverage, which missed your nuanced argument, I guess. If the above is accurate, then that is at least one factual error which should require correcting. I don't see why you won't add a clarification at the top of the original article explaining to the media outlets who didn't understand your argument why they have it wrong and that the Model S can't be 'hacked' out of the box.
 
pfff, don't feed the trolls.

+1

 
I don't see why you won't add a clarification to the original article at the top explaining to the media outlets who didn't understand your argument why they have it wrong and the Model S can't be 'hacked' out of the box.

Because if I spent time correcting misinterpretations (especially misinterpretations that are more likely than not willful) of my articles, they'd be filled with unparseable "clarifications".

As a side note, there seems to be some disagreement on whether or not changing your password invalidates all active tokens on the server. A number of people have run experiments where it does not (as it says in the article). Others have said it does.

If it turns out that it does expire, I would add that as a clarification because that's a material factual error. The other stuff you want clarifications on aren't factual errors, they just aren't the way you'd like them presented.
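The token-expiry question above is testable, so here is an added example that is not code from the original thread, from the article under discussion, or from Tesla: a hypothetical account store in Python whose bearer tokens are bound to a per-account "credential generation" counter that is bumped on every password change, next to a variant (the behaviour the article reports) where tokens stay valid until they expire regardless of password changes. The experiment the thread describes (log in, change the password, retry the old token) is run against both. Everything here is an assumption for illustration: the HMAC token format, the `cred_gen` counter, the account names, and the one-hour default lifetime.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time


class AccountStore:
    """Hypothetical in-memory store issuing HMAC-signed bearer tokens.

    Each account carries a credential generation counter; a token records the
    generation it was issued under. Changing the password bumps the counter,
    so tokens issued before the change stop validating.
    """

    REVOKE_ON_PASSWORD_CHANGE = True

    def __init__(self):
        self._accounts = {}                         # email -> {salt, pw_hash, cred_gen}
        self._server_key = secrets.token_bytes(32)  # HMAC key used to sign tokens

    @staticmethod
    def _hash_pw(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, email, password):
        salt = secrets.token_bytes(16)
        self._accounts[email] = {"salt": salt,
                                 "pw_hash": self._hash_pw(salt, password),
                                 "cred_gen": 0}

    def _password_ok(self, email, password):
        acct = self._accounts.get(email)
        return acct is not None and hmac.compare_digest(
            acct["pw_hash"], self._hash_pw(acct["salt"], password))

    def change_password(self, email, old_password, new_password):
        if not self._password_ok(email, old_password):
            return False
        acct = self._accounts[email]
        acct["salt"] = secrets.token_bytes(16)
        acct["pw_hash"] = self._hash_pw(acct["salt"], new_password)
        acct["cred_gen"] += 1  # every outstanding token now carries a stale generation
        return True

    def login(self, email, password, ttl_seconds=3600, now=None):
        """Exchange a password for a token of the form base64(claims).base64(HMAC)."""
        if not self._password_ok(email, password):
            return None
        now = time.time() if now is None else now
        claims = {"sub": email,
                  "gen": self._accounts[email]["cred_gen"],
                  "exp": int(now + ttl_seconds)}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        sig = hmac.new(self._server_key, body, hashlib.sha256).digest()
        return body.decode() + "." + base64.urlsafe_b64encode(sig).decode()

    def verify(self, token, now=None):
        """Return the account e-mail for a valid token, or None."""
        if not isinstance(token, str):
            return None
        try:
            body_b64, sig_b64 = token.split(".", 1)
            sig = base64.urlsafe_b64decode(sig_b64)
        except (ValueError, binascii.Error):
            return None
        body = body_b64.encode()
        expected = hmac.new(self._server_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return None  # forged or tampered; claims are only parsed after this check
        claims = json.loads(base64.urlsafe_b64decode(body))
        now = time.time() if now is None else now
        if claims["exp"] <= now:
            return None  # expired
        acct = self._accounts.get(claims["sub"])
        if acct is None:
            return None
        if self.REVOKE_ON_PASSWORD_CHANGE and claims["gen"] != acct["cred_gen"]:
            return None  # issued before a password change
        return claims["sub"]


class StoreWithoutRevocation(AccountStore):
    """Behaviour the article reports: a token stays valid until it expires,
    however many times the password is changed afterwards."""
    REVOKE_ON_PASSWORD_CHANGE = False


def password_change_revokes_token(store_cls):
    """The thread's experiment: log in, change the password, retry the old
    token. Returns True if the old token is rejected after the change."""
    store = store_cls()
    store.register("owner@example.com", "correct horse")   # constructed account
    token = store.login("owner@example.com", "correct horse")
    assert store.verify(token) == "owner@example.com"      # token works before the change
    assert store.change_password("owner@example.com", "correct horse", "battery staple")
    return store.verify(token) is None


if __name__ == "__main__":
    print("generation-bound store rejects old token:", password_change_revokes_token(AccountStore))
    print("expiry-only store rejects old token:", password_change_revokes_token(StoreWithoutRevocation))
```

The design choice worth noting is that revocation costs one integer compare per request and no server-side token table: the generation counter lives with the password hash, so whoever can change the password can also cut off every third party that was handed the old credentials. The expiry-only variant is what the "run experiments" posters would observe if the server keeps no such binding.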
 
Because if I spent time correcting misinterpretations (especially misinterpretations that are more likely than not willful) of my articles, they'd be filled with unparseable "clarifications".

As a side note, there seems to be some disagreement on whether or not changing your password invalidates all active tokens on the server. A number of people have run experiments where it does not (as it says in the article). Others have said it does.

If it turns out that it does expire, I would add that as a clarification because that's a material factual error. The other stuff you want clarifications on aren't factual errors, they just aren't the way you'd like them presented.

Does it say anywhere in the original article that all your perceived flaws can be avoided by simply not handing your username and password out to strangers?
 
I've communicated with nspollution offline and, despite any disagreement I may have with him, I don't believe that he deliberately set out to provoke an argument. IMO, the term "troll" is not a fair one to use. Everyone should feel free to carry on discussion which has stayed pretty civil, let's keep it that way.
 
I don't believe that he deliberately set out to provoke an argument. IMO, the term "troll" is not a fair one to use.

I agree. I do not think nspollution deliberately incited controversy. All the flaws mentioned are valid flaws when using this as a 3rd party API.

I also do think that someone with at least fair technical knowledge (such as myself) should be able to infer that there is no risk if you do not give your username and password to a 3rd party, assuming they read the posts carefully and asked themselves this specific question. It also helps to know that Tesla has not offered this as a 3rd party API.

Nspollution, I hear you when you say that O'Reilly is a technical blog and that's a valid explanation for why you didn't feel the need to make the first point very clear. On the second point, I hear you that you believe in the Internet of Things and therefore all such devices should support 3rd parties.

But knowing the controversy that has occurred: If I were you, and I wanted to minimize confusion, I would feel a responsibility to make it clear that Tesla hasn't offered the API for this 3rd party use to date and that if you don't give your password to 3rd parties you remain secure. This has nothing to do with fanboyism or such. The reaction of the non-technical press shows that clarity is lacking.
 
The premise is implicitly stated for my target audience in this blog.
With this line of thinking, you leave me no choice but to assume that anything on your blog is implicitly untrustworthy-to-everyone-but-you, because you might assume gravity doesn't exist or some other random thing.

If you make assertions that require critical assumptions and you don't indicate those assumptions up front, then you're either being lazy or dishonest or both.

Take from that what you will.

- - - Updated - - -

Also, for what it's worth, your horn cannot be honked and your lights cannot be flashed while you're driving (to the factual errors in the original article).
I know you can control the sunroof. I haven't tried the lights and horn.
If you are right, it's not a material issue.
The hell it's not a material issue. The "safest car ever tested by NHTSA" was just characterized as "hackable" to the degree that a third party can flash your lights at will. Now imagine you're driving down a two-lane road at night and a "hacker" flashes your lights at random and this blinds an oncoming motorist. Now you have a safety issue. Yet you think this is not "material" to the headlines flying around about your post. Unbelievable.
 
With this line of thinking, you leave me no choice to assume that anything on your blog is implicitly untrustworthy-to-everyone-but-you because you might assume gravity doesn't exist or some other random thing.

I think my conversation with you is done here.

- - - Updated - - -

But knowing the controversy that has occurred: If I were you, and I wanted to minimize confusion, I would feel a responsibility to make it clear that Tesla hasn't offered the API for this 3rd party use to date and that if you don't give your password to 3rd parties you remain secure. This has nothing to do with fanboyism or such. The reaction of the non-technical press shows that clarity is lacking.

I intend to address these issues in a follow-up article. I think those items are too complex and largely tangential to the overall point to just shove into the current article.
 
I intend to address these issues in a follow-up article. I think those items are too complex and largely tangential to the overall point to just shove into the current article.

I'm glad you are working on a follow-up article but since your original article was so wildly misunderstood by the press and public, I think a short paragraph at the top stating that there is no security flaw as long as the user does not give their username and password to a third party would help. All of these articles link back to your original article and will likely never update them with your new article.
 
In a crowded theatre you see a candle burning unattended, and in your mind it poses a danger - and sure enough, one could successfully make the argument that under some circumstances it could burn the place and the people in it down - so you are not technically incorrect in your assessment of the situation. So far so good, but then you decide to take action and yell 'FIRE', instead of simply letting one of the attendants know about it. Pandemonium and chaos promptly ensue, and you become a hero to everyone who was rooting for the show to fail.

Your provocative and sensational headlines screaming, 'Flaws', 'hack' 'take control', 'danger' are nothing short of screaming FIRE in a crowded theatre.

JP has been doing this for many years: he spins a mountain out of a molehill, but he has yelled Tiger so many times that no one takes him seriously anymore. A technologist shouldn't fall into that trap.
 
Your provocative and sensational headlines screaming, 'Flaws', 'hack' 'take control', 'danger' are nothing short of screaming FIRE in a crowded theatre.

Those are not headlines written by, or belonging to, nspollution. They arise through other writers misunderstanding the content of his blog. It wasn't clear enough for me either but let's not over-exaggerate in the other direction.
 
Wow. What I miss when I'm traveling. I agree with just about everyone here. nspollution wasn't deliberately trying to incite the media, he should have clarified at some point when he realized that on the internet, it's not just the people you were writing for who read what you write, we're all safe if we practice safe computing and don't hand out our passwords, nspollution feels no need to add clarification to his original article, the press has either deliberately or ignorantly sensationalized what he wrote, there's more than one person here who was the smartest one in the class and we're all pretty damn good at beating a dead horse.

Did I miss anything?

Updated:

Never floss with razor blades, Tesla has been victimized, we're pretty damn good at beating a dead horse (still), never trust the press, and Tesla now prefers HP over Dell IF they decide to consider using OAuth.
 