
PSA: Don't use third-party apps and services, period.

How do you use Third-Party Apps/Services?

  • I used to use them, and I will continue to do so: 172 votes (41.0%)
  • I used to use them, but now I will probably stop (and change my password!): 34 votes (8.1%)
  • Will use them at some point in the future, despite non-ideal circumstances: 11 votes (2.6%)
  • Never used 'em, won't use them until Tesla supports them better: 95 votes (22.6%)
  • Never used 'em, never will: 108 votes (25.7%)

  Total voters: 420
so, greent, do you work in the field? have experience with computer or network security? programming background? sysadmin experience? any/all of that?

I'm a software person who has been doing this (and other related) jobs for over 35 years. I'm not saying this based out of things I've read; I have the sysadmin and programming experience to know what I'm talking about.

do you? if we are to take you seriously, please support your simplistic 'no' vote.
Actually yes. 30 years of software development including security. Parallel careers it sounds like and you take it too far. IMHO.
 
when I let down the defenses, I've been hacked. so, learned the hard way. I try not to expose vectors if I can help it.

wish you'd describe which things you think are 'too far' rather than just a blanket statement. if you are experienced, I'd like to hear your views. even if just picking the top 1 or 2 things you strongly disagreed with.
 
I used one a long time ago, but it wasn't that useful and I haven't used any since. Of course, the password has been changed several times since. (There's no poll item that really describes it.) What I would love to see are themes so that I could get the dual display back so camera and map could be seen at the same time. Also have more contrast, and larger map fonts. (All but the map fonts were perfectly fine in version 6.x.)
 
Regarding apps to track your car stats: Back in the day, people who cared wrote down such things on a pad of paper. Then did the arithmetic. Now that there's an app for everything, people have forgotten what pencils and paper are. And they're willing to give an unknown app developer, and anyone who successfully hacks the developer, the passcode that gives them total access to the car.

Back when home computers were first a thing I had a friend who had a Radio Shack Color Computer. He programmed it to balance his check book. I think he wanted to prove that the computer was not just a toy. He spent at least twice as much time entering all his data into the program as I spent balancing my checkbook with a pencil and paper. (He also declared that nobody would ever find a use for more than 16 kilobytes of RAM.)

There are tasks for which computers are ideally suited, and there are tasks for which they are not suited at all, and there are tasks, like tracking car-stats, that the computer can do, but for which the cost is an undue level of compromise to your security.
 
when I let down the defenses, I've been hacked. so, learned the hard way. I try not to expose vectors if I can help it.

wish you'd describe which things you think are 'too far' rather than just a blanket statement. if you are experienced, I'd like to hear your views. even if just picking the top 1 or 2 things you strongly disagreed with.
That is a fair request for that poster. And in return, perhaps you can tell us how you were hacked and what you suffered as a result. I'm just asking about the process, not your specific information. It might help some folks here to learn about what to avoid that caught you off-guard.
 
Regarding apps to track your car stats: Back in the day, people who cared wrote down such things on a pad of paper. Then did the arithmetic. Now that there's an app for everything, people have forgotten what pencils and paper are. And they're willing to give an unknown app developer, and anyone who successfully hacks the developer, the passcode that gives them total access to the car.

Back when home computers were first a thing I had a friend who had a Radio Shack Color Computer. He programmed it to balance his check book. I think he wanted to prove that the computer was not just a toy. He spent at least twice as much time entering all his data into the program as I spent balancing my checkbook with a pencil and paper. (He also declared that nobody would ever find a use for more than 16 kilobytes of RAM.)

Thank you Fred Flintstone for that assessment :D I am from a different generation. What is a pencil and paper?
Don't take it the wrong way. Just trying to entertain you. Not necessarily disagreeing ;) I guess my point is that having also done some programming, I know there are ways to protect the car from certain types of attacks, depending on how the app is designed of course. Like a Clint Eastwood movie, some apps are "Good, Bad, and Ugly." So in my opinion, not all apps or developers have a problem. But yea, I understand your point and don't really disagree :)
 
Welcome to the internet. And only 2 months ago my parents (somewhat old and vulnerable) were the subject of a scam that cost them $24,000, even AFTER I had coached and trained them on network safety. Only the paranoid survive.
I'm going to take a wild guess here that maybe you didn't coach them very well? It's a serious question. I am not trying to be an ass. Maybe you are an expert and they just got scammed anyway. Yes, old folks are often vulnerable and targets for scammers.
 
That is a fair request for that poster. And in return, perhaps you can tell us how you were hacked and what you suffered as a result. I'm just asking about the process, not your specific information. It might help some folks here to learn about what to avoid that caught you off-guard.

here are some things, at random:

- when it was a bad idea to take an official update: classic case was from microsoft when they blessed an FTDI driver update. it 'bricked' some usb/serial devices and made the things that used those chips lose functions, sometimes really important ones. MS has hidden their kind of malware in 'updates' and these days they don't even tell you what's inside. since the win7->win10 push, MS has been pretty untrustworthy and I don't just blindly take their updates, even ones marked 'important'.

- giving access to apps that don't need it; so many times, I get spam email from people that I once had contact with (often sales/marketing types) and because I was in their contact list, their infected system is trying to infect me. this is due to unsafe practices, and such a willingness to install apps and 'keep them updated'. again, 'update' is often a bad thing. for a few years, I had a nice cyanogenmod android phone and the home screen was clean and noise free. for some damned reason (kicking myself to this day) I decided to take some google recommended updates and from then on, my home screen is spammed (lightly) and I can't get rid of their BS. no added value, took me backwards (worse than a brand new install) and it's too much effort to redo the whole thing.

- back when it was still sort of 'allowed', I ran my own mail server off my dsl line. I had a public static IP and a webserver open on port 80 (public port). I would often review the logs and the URL attempts that people tried. I'll be honest, for years, I blocked whole networks that came from china and russia. they were ALL hack attempts. I had good firewalls but the incoming URLs still were trying to hack me. I eventually gave up trying to use my home link for anything public; I wanted my own bandwidth and people who were DOSing me for fun were removing my ability to GET online (from home).

- email attacks; I don't allow html emails and I always view source on unknown senders. so many times, you can see evil intent (so to speak) just by seeing what freaking 'weird' places they want to send you to, via a click or hover-over. by not showing any remote files (like image files or video files) - you are not feeding their validation engine. if you DO allow html emails, just viewing their email will validate you and possibly cause you to run remote code (aka, javascript).

I could write so much more. (I used to teach, back in another life and had no problem filling the time slots. not sure anyone would remember it, but 'DECnet/vax network security' was my course, back in the mid 1980's. yeah, no one would know that today, lol. not super relevant, either, but it's about when I started taking security seriously). that's probably enough for now, unless you have really specific questions.
 
here are some things, at random:
That's all good information to know, but I thought you were going to reply about issues with running apps to access a Tesla since that seems to be the concern here.

On a side note, maybe I am just lucky, but I do a lot of those things like accepting html emails, Windows updates, device updates, etc. Then again, I fully owned a web server company from 1996 to 2006 so I am fairly confident I know how to protect my computer, car, and information. Never been hacked in any way yet, but you never know. Could happen tomorrow. :eek:
 
I only have my car 3 months now; but I do plan to try out the REST api, at some point.

I won't give out direct credentials to a 3rd party website (getting back to THIS thread), but I don't have much experience with apps other than the tesla corporate-written app. I wasn't even sure I'd install the app, but I wanted to 'eat the dogfood' (typical phrase, hope people have heard it before, lol) and so I installed it. I won't install any non-tesla apps, and with the 'buy upgrade' button on the new app, I'm thinking of removing my credit card from the tesla account or trying to find the previous APK, before they added the buy-button. wish I kept a copy - I should add that to the 'remember to do this' list ;)

the fact that you can't easily go back, on android, is really bad. it's been that way forever and it must be by design. things like that give me zero confidence in the whole android stack. unless I'm wrong, there's no easy way to see the list of versions and be able to pick one and de-install others (for the given app). if you did keep the .apk file around (the installable) and were able to side-load, then you can restore to any saved version, but that's not easy for most users. again, by design. it's really evil. you have to assume the system is NOT your friend, and that you are the product.
 
Also, if the app uses the API to authenticate purchases, someone could use the API to find your car, go to it, unlock it, enable keyless driving, and "help you" purchase FSD and the Performance boost if you don't already have them. Suddenly you are minus nine thousand dollars and one car!

Oh boy, I am glad you mentioned this. Now I am going to subscribe to every crappy app that I can find.... in hopes that someone will steal my car so I can get a new one. And the credit card company will relieve me of the burden of paying several thousand dollars because it was fraud.

Well yes, not really. I am being sarcastic :D
 
I would make here an argument that if it were in the cloud it would still be secure,

That would be a _very_ bad argument to make, given all of the methods to compromise instances themselves, let alone all of the attacks that cause exposure of private key data from co-resident instances.

I used to decline 2FA because I was in the habit of going places where there was no cell service.

TOTP doesn't require mobile service, just a clock.
 
I'm going to take a wild guess here that maybe you didn't coach them very well? It's a serious question. I am not trying to be an ass. Maybe you are an expert and they just got scammed anyway. Yes, old folks are often vulnerable and targets for scammers.

It was a sophisticated attack and quite subtle. I won't go into details, but my understanding is a LOT of people got scammed in a short time. As for expertise and/or coaching, this is a war of escalation, which, like any arms race, is never totally won.
 
I'm not sure there were 2FA systems, at the time I was speaking of, that did not require cell service. And I'm pretty sure that the sites I'd have needed it for did not have them. I had not yet gotten my first smartphone at the time. My flip phone could receive SMS messages, but I had that turned off because all I ever got were spam messages that I got charged for.
 
here are some things, at random:

- when it was a bad idea to take an official update: classic case was from microsoft when they blessed an FTDI driver update. it 'bricked' some usb/serial devices and made the things that used those chips lose functions, sometimes really important ones. MS has hidden their kind of malware in 'updates' and these days they don't even tell you what's inside. since the win7->win10 push, MS has been pretty untrustworthy and I don't just blindly take their updates, even ones marked 'important'.
Hope you didn't go to 10?
 
- back when it was still sort of 'allowed', I ran my own mail server off my dsl line
I don't get the still sort of allowed part. I've been running my own mail system for years. Yes, you need a static IP, and yes you need to register a domain, and yes, you need your own DNS servers, and yes you need to put in some maintenance time, so it's not for everyone. Firewalls are much better now than they used to be. I don't get more than one or two hack attempts per month.
 
I don't get the still sort of allowed part. I've been running my own mail system for years. Yes, you need a static IP, and yes you need to register a domain, and yes, you need your own DNS servers, and yes you need to put in some maintenance time, so it's not for everyone. Firewalls are much better now than they used to be. I don't get more than one or two hack attempts per month.

if you are not a 'big site', many times the fact that you are hanging off a dsl or cable line means that some mail sites will deny your connects; and won't connect to you.

and I agree, mostly; as almost all the hack attempts I used to get were from 'home installs'.

for greylisting, I also blocked home mailservers.

finally, many isp's outright deny many tcp ports for home use.

that's what I meant by 'sort of still allowed'. it's been tolerated less and less and to be honest, for good reason. I hate not being able to run services from home, but I understand why it's not such a great idea, anymore. "this is why we can't have nice things" (as they say, today).
 
yes, I used to have static ip, too. was such a pain to keep it when I changed locations (had to escalate to someone at pacbell who actually understood DNS and stuff).

even with static ip, it was an easy lookup to know I was behind a dsl link and my email was rejected more times than not, by the remote server. lots of places didn't want to be bothered to take mail from direct home users, static or dynamic.