Welcome to Tesla Motors Club
Discuss Tesla's Model S, Model 3, Model X, Model Y, Cybertruck, Roadster and More.

PSA: Don't use third-party apps and services, period.

How do you use Third-Party Apps/Services?

  • I used to use them, and I will continue to do so

    Votes: 172 41.0%
  • I used to use them, but now I will probably stop (and change my password!)

    Votes: 34 8.1%
  • Will use them at some point in the future, despite non-ideal circumstances

    Votes: 11 2.6%
  • Never used 'em, won't use them until Tesla supports them better

    Votes: 95 22.6%
  • Never used 'em, never will

    Votes: 108 25.7%

  • Total voters
    420
yes, I used to have static ip, too. was such a pain to keep it when I changed locations (had to escalate to someone at pacbell who actually understood DNS and stuff).

even with static ip, it was an easy lookup to know I was behind a dsl link and my email was rejected more times than not, by the remote server. lots of places didn't want to be bothered to take mail from direct home users, static or dynamic.
I think the issue was that you had a residential static IP rather than a business one. Different people (there's a real chance that the business support person you get has a clue--though I didn't say a real good chance).
 
I'm late for the party but....

I have been using many 3rd party apps and services. No one has ever messed with my car. Tesla on the other hand not only has access to your car, they have the ability to send any software they want to your car and modify it. Tesla has messed with my car over and over to a point where it is now crippled, downgraded and has lost value. In fact now with the Model 3 they require you to install their software updates to have warranty. So you don't even have a choice but letting a stranger modify your car.
 
yes, definitely residential ip. static block of 5, iirc.

'business' level was way more expensive. and yes, support would have been better, probably.

point is: regular home users who pay regular home rates usually are denied ability to run home servers, with ports that 'compete' with isps (it's about competition but also it still is about security; lots of malware want to send outbound mail from your home pc's, so I do see why everyone (mostly) closed that port access down).

things are much worse, now; we have PHONES with tons of malware. giving them the ability to directly be a mail sender is really a bad idea. and phones are often wifi'd from your home system, behind the same NAT.
 
I don't get the still sort of allowed part.
Back in the early days (before Code Red, SQL Slammer, and NIMDA finally catalysed ISPs doing some sort of control), most broadband ISPs just gave you an IP and let you run with it. Routers were relatively uncommon and most people just connected their PC directly to the modem. Some savvy people would set up a router and run servers.

After Code Red and friends, most ISPs started blocking inbound TCP/80, TCP/25, and TCP/110 connections, blocking HTTP, SMTP, and POP (Web, outbound email, and inbound email) servers from even making it to the modem. Interestingly, many did not block inbound HTTP/443 (HTTPS), but I digress.
 
I spent some time putting together some custom greylisting code since I did run my own mailserver at home. checking the inbound connect logs and which ip's reverse resolved to 'dialup' (to use a generic term) - if I blocked all the dialups, that would kill 99% of the inbound attack attempts I saw. the isp's were policing their links ok enough - it was the home mail servers (bots) that were the bulk of the spam.

the internet got ruined, over time. "that's why we can't have nice things". it's not realistic to run server ports on home non-business lines anymore, for so many reasons. it sucks, but it's the new normal.

now, you can spin up 'an instance' in the cloud and be part of a 'permitted' netblock, if you really want to. home servers that need to be on public ip space have less of a reason to be, imho.
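
One way to implement the reverse-DNS check described in the post above, as an added example that is not the poster's own code. The token list, the Postfix-style log lines and the hostnames are constructed for illustration; the addresses come from the documentation ranges.

```python
import re

# Assumed list of words that tend to appear in PTR names of consumer access pools.
DYNAMIC_TOKENS = {"dial", "dialup", "dialin", "dsl", "adsl", "ppp", "pool",
                  "dyn", "dynamic", "dhcp", "cable", "cpe", "broadband"}

# Postfix logs "connect from <ptr-name>[<ip>]" and uses "unknown" when no PTR exists.
CONNECT_RE = re.compile(r"connect from (\S+)\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample of inbound connect log lines.
SAMPLE_LOG = """\
Jan 12 03:14:01 mx postfix/smtpd[2211]: connect from mail.example.org[198.51.100.25]
Jan 12 03:14:07 mx postfix/smtpd[2212]: connect from dsl-pool-17.example.net[203.0.113.17]
Jan 12 03:14:09 mx postfix/smtpd[2213]: connect from 203-0-113-44.customer.example.net[203.0.113.44]
Jan 12 03:14:15 mx postfix/smtpd[2214]: connect from unknown[192.0.2.99]
Jan 12 03:14:20 mx postfix/smtpd[2215]: connect from mx2.example.com[192.0.2.2]
"""


def embeds_ip(host, ip):
    """True if the PTR name spells out the client's IP, forward or reversed."""
    octets = [str(int(o)) for o in ip.split(".")]
    nums = [str(int(n)) for n in re.findall(r"\d+", host)]
    return any(nums[i:i + 4] in (octets, octets[::-1])
               for i in range(len(nums) - 3))


def classify(host, ip):
    """Label a client as 'no-ptr', 'dynamic' (home/dial-up style) or 'static'."""
    if host == "unknown":
        return "no-ptr"
    words = set(re.split(r"[^a-z]+", host.lower()))
    if words & DYNAMIC_TOKENS or embeds_ip(host, ip):
        return "dynamic"
    return "static"


def decide(log_text):
    """Return (ip, classification, action) for every connect line in the log."""
    results = []
    for match in CONNECT_RE.finditer(log_text):
        host, ip = match.groups()
        kind = classify(host, ip)
        # Anything that does not look like a real mail host gets a temporary
        # rejection (greylisting); legitimate senders retry, most bots do not.
        action = "accept" if kind == "static" else "greylist"
        results.append((ip, kind, action))
    return results


if __name__ == "__main__":
    for row in decide(SAMPLE_LOG):
        print(*row)
```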
 
Tesla has messed with my car over and over to a point where it is now crippled, downgraded and has lost value. In fact now with the Model 3 they require you to install their software updates to have warranty. So you don't even have a choice but letting a stranger modify your car.

this all sounds like nonsense ^^. If you don’t mind could you tell us what you’ve experienced from Tesla?
 
My guess.... a few versions back Tesla released a build that accidentally enabled premium interior features, like rear seat heaters and better sound, for owners of the SR/SR+. In a later update they removed those features. A few people on these forums were not happy about having those features taken away even though they didn't pay for them.

I think there was a similar thing with early SR builds where they actually have a bigger battery and are software limited to a shorter range. At some point that range got turned on and then Tesla took it back. I'm pretty sure with this one they offered owners the option to leave the added range for a fee.
 
Tesla sent software updates that did the following things:

reduce my capacity by 10-15% (approx 30 miles of range lost suddenly by artificially reducing capacity)
reduce max power by 10%
reduce regen by 20 kW at low temperatures
delayed charging at lower temperatures
reduced charge rate at lower temperatures
increased parasitic energy consumption at higher SOC (approx 5-11 miles of range are now lost when charging to 80% or higher)
made UI experience worse
decrease supercharging speed resulting in approx double the charge time on road trips
decreased supercharge speed at higher SOC to approx 3-4 times what it was.
charging on AC doesn't go to 100% any more. always stops at 95-95%
car shuts down before at 0 miles.

All these things were software updates, not normal degradation. A few people have refused software updates for years and are not suffering from all the problems listed above. A class action lawsuit is on the way.
 
At the risk of derailing the thread from its topic, I'll bite..

Granted that "made UI experience worse" is completely subjective, I'm curious what you mean by this.

Charging not going to 100% any longer is a reasonable concern (not that you should be charging to 100% on a regular basis), as is the car shutting down before reaching 0 rated miles remaining. Most of the others seem to be changes pertaining to increasing battery longevity, which I would personally (and subjectively) quantify as an enhancement rather than a regression.

How did you ascertain a 10% reduction of "max power"?
 
I used to be able to have a split screen with the web browser. That's not possible any more. The web browser does not work 80% of the time either. Many things now require two actions to get to that used to be direct control. Backup camera windows used to be placeable top or bottom, not any more. Those are not subjective.

Taking away 30 miles of range to prevent range loss is not desirable or good. Significantly increased charge time isn't positive. The batteries are 'sick' and Tesla is putting a bandaid on them to prevent them from total failure. That's not acceptable. If a part of the car becomes a safety issue you can't reduce several metrics of the car by illegally reaching into the cars and making changes.
 
Sorry to revive this thread, but I did ask someone in here how they were securing their own API scraping service and didn't get what I'd call satisfactory results. Let this Twitter post be a reminder to you. Unless you actually know what you're doing, please don't put a service on the Internet.

Someone in MA has an exposed DB endpoint and your data is leaking.

green on Twitter
 
Replying in this thread at the request of @camalaio

No, they don't. Honestly, I'm not sure how to phrase this without sounding like a lunatic. I get your perspective. If such problems are rampant, why don't we hear about them more?

I'll go back to my point in the linked thread: the worst thing someone with this sort of access could do is reveal they have that access because that may result in the loss of their access. Derived products are better for this reason - behavioural data, etc.

Continuing our convo here. Mind you I haven't read through all 11 pages of this thread, so if I'm stating something that has already been stated, I apologize.

So, just to get this straight, what I should really be concerned about is the data on where I go every day and at what time, etc?

If that's the case then we are all already screwed. Privacy has been dead for a LONG time. Which I'm sure you already know.
(that video is 12 years old)

Tesla already tracks what we do every day with our car. Our phones track where we go and how we use them. Our credit cards track where we go and how we spend our money. I could keep going. This data is all clearly already monetized.

I guess I just don't care if someone has access to the data on how I use my car. Past that I'm not worried about someone coming to my house, filling my car up with my stuff and leaving because my car is garaged (and needs a pin to be driven), I have a security system with cameras everywhere and if my car is home 99% of the time that means I'm home too. If someone gains access to my garage, I'll know about it near instantly. If I'm at work my car is parked in a lot at a secure federal facility with 12 foot fences, cameras and armed guards. If someone wants to track the rest of my movements and break into my car to steal some facemasks, hand sanitizer, kleenex, and some cheap sunglasses, I guess I can't stop them. If they want to get really bold and figure out a way to steal a Tesla with a pin to drive I have insurance.

I think my main issue is that I see many of your concerns as fear mongering. That's all.

Cheers.
 
Privacy is largely an illusion, or delusion.

If you have a phone, a credit card, use a computer, watch the tv, have smart home devices, use electricity or gas, use the internet, go into a town, or use a road, use a bus or train. Some system somewhere is tracking you. Doesn't mean that data is combined, or accessible, or is interesting, or it is personally identifiable. Lots of safeguards, but that doesn't make it impossible that the information is leaked.

Just look at the Russian hacking right now. Shouldn't surprise anyone, and shouldn't surprise anyone that everyone is at it.

The question for everything should be, do the benefits of the service outweigh the risks, to you personally.
 
First, as a general update to this thread:

Shockingly I stand by everything I've said previously. I'm actually upset because that means maybe I haven't learned anything new, but it also means Tesla hasn't done anything since this thread was created. Maybe I'll redirect some of my upset towards them.

However, Tesla did implement two factor authentication. In full disclosure, I don't know how they have it set up. This is absolutely a move in the right direction, but doesn't necessarily help for what's been outlined in this thread.

If the two-factor auth is a one-time authentication for all the same permissions as these services had access to before, it doesn't help at all. Alternatively, if using two-factor auth means you can't use third-party services, then people may just not use two-factor auth. It's positive progress, just maybe not on this particular topic.

I want to highlight this statement of yours,

"Tesla already tracks what we do every day with our car. Our phones track where we go and how we use them. Our credit cards track where we go and how we spend our money. I could keep going. This data is all clearly already monetized."

This is absolutely true, but I don't view that as a reason to give my information to everyone else. I treat these as necessities (credit cards are nearly essential these days, I need a Tesla account to use my car at Superchargers, and the phone is all sorts of almost-essential as well). I'm limited in my options with those - either I find an alternative, or accept and hope they're being responsible enough on an ongoing basis.

However, with other parties, my use of their services is a heck of a lot less essential and I restrict it wherever possible. The less hands it's in, the better. The best detailed profiles come from amalgamating info from multiple sources - the less leaky sources, the less known you are.

---

So, what should you be concerned about, that's what you're asking. I can't answer that much more satisfactorily than I've already replied (to you and many other posts in this thread - there's some good discussion way back there somewhere).

I'm not comfortable giving a third party the virtual key to my car, which can be silently copied virtually. I see that not as fear mongering, but prudence.

Think of it like a physical key. Instead of something like TeslaFi or Stats, Camalaio's Data Service. You give me a copy of your key, and in exchange for some money, I install a tracker on your car. I routinely go to the car, enter it, and write down values from the tracker I installed, and mail you some graphs. When you one day no longer want Camalaio's Data Service, I promise to not use the key but I don't give it back to you.

Would that be a comfortable arrangement? Probably not. This Camalaio dude shouldn't need full access to your car at all times. And trusting him forever with the key? What if one of his friends or neighbours is a bit of a carjacker and knows Camalaio has all these keys? For all I know Camalaio keeps these all in a shed in his front yard! Risky business. Except... instead of a physical key and some dude in your town, this is a virtual key and can be used by anyone anywhere in the world.

That's the main point. The access level is too high, and what's being asked for is too much. What you can worry about is a bit unlimited, because there are nearly no limits to the access being given. I'd be way, way happier if the access wasn't all-or-nothing. That's the main problem, and is something only Tesla can solve. They need to separate car data (e.g. battery level) from personal data (e.g. location), and from further actions (e.g. unlocking the car). That's what I mean by it being all-or-nothing right now.

Fear mongering or prudence. We probably won't agree on that one honestly, but I hope you (and anyone else reading) has either learned something or enjoyed the conversation.
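
The separation asked for in the post above (car data, personal data and actions as distinct permissions, with a key that can be taken back), sketched as an added example that is not part of the original post and not Tesla's API. The scope names, endpoint names, signing key and token format are all hypothetical.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = b"constructed-demo-key"   # constructed; a real key lives in a secret store

# Hypothetical endpoints mapped to the three groups named in the post.
ENDPOINT_SCOPE = {
    "battery_level": "vehicle_data",
    "odometer": "vehicle_data",
    "gps_position": "location",
    "unlock_doors": "commands",
    "remote_start": "commands",
}
REVOKED_IDS = set()   # token ids the owner has taken back


def _sign(body: bytes) -> str:
    return hmac.new(SERVER_KEY, body, hashlib.sha256).hexdigest()


def issue_token(client, scopes, ttl_s, now=None):
    """Issue a token limited to the given scopes and lifetime."""
    now = time.time() if now is None else now
    claims = {"jti": secrets.token_hex(8), "client": client,
              "scopes": sorted(scopes), "exp": now + ttl_s}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return f"{body.decode()}.{_sign(body)}"


def _verified_claims(token):
    """Return the claims only if the signature matches, else None."""
    body, _, sig = token.rpartition(".")
    expected = _sign(body.encode())
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def authorize(token, endpoint, now=None):
    """Decide whether this token may call this endpoint; returns (ok, reason)."""
    now = time.time() if now is None else now
    claims = _verified_claims(token)
    if claims is None:
        return (False, "bad signature")
    if claims["jti"] in REVOKED_IDS:
        return (False, "revoked")
    if now >= claims["exp"]:
        return (False, "expired")
    needed = ENDPOINT_SCOPE.get(endpoint)
    if needed is None:
        return (False, "unknown endpoint")
    if needed not in claims["scopes"]:
        return (False, f"missing scope: {needed}")
    return (True, "ok")


def revoke(token):
    """Owner cancels the service: the copied key stops working immediately."""
    claims = _verified_claims(token)
    if claims is None:
        return False
    REVOKED_IDS.add(claims["jti"])
    return True
```

A statistics service issued only `vehicle_data` can read the battery level but is refused location and unlock requests, and a leaked copy of its token is useless once revoked or expired.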
 
It's all good man. I enjoyed the convo. I think any more back and forth will just further beat a dead horse at this point. I see your point and can appreciate it. I guess I'm just willing to trade the access to my car for the convenience and extra features that the service provides.

Happy Holidays!
 
It's all good man. I enjoyed the convo. I think anymore back and forth will just be further beating a dead horse at this point. I see your point and can appreciate it. I guess I'm just willing to trade the access to my car for the convenience and extra features that the service provides.

Happy Holidays!
Speaking of convenience the Watch for Tesla on the Apple Watch is really good. I’d trade in some of my privacy lol
 
I guess I just don't care if someone has access to the data on how I use my car

You do understand the apps use the Tesla authentication that provides full access to the car to unlock, drive, etc right?

Therefore, your "access to data" statement is not sufficient, it should be "access to my car in all ways/methods including controlling all aspects of the car available remotely".

I'm not worried about someone coming to my house, filling my car up with my stuff and leaving because my car is garaged (and needs a pin to be driven)

Ok, so you do understand that you have provided a third party full access to drive away your car, but you've additionally added PIN to drive (which many owners do not).

The point was made many times upthread, full access is the current situation. IF these user/passwords were to leak from this trusted third party, there is no practical way to prevent widespread use of these authenticated access until the authentication tokens are invalidated by Tesla.
 
As an analogy: if you're okay with giving a third-party app your Tesla credentials, that is analogous to saying "well my house has smart locks, cameras, an alarm system, and a terminal where I can pay my electric bill without logging into anything. I am okay giving access to all of that to a third party."

There's a reason there was a collective "are you kidding?!" from the Internet when Amazon proffered the idea of "we'll give you a smart-lock if you let our underpaid subcontractors get access to your house to make deliveries indoors. oh, and we're not responsible if anything is lost or stolen"
 