
Tesla's response to me leaking info about the P100D?

I do wish everyone who rushed to chastise wk057 would be mindful of the following in future:

wk did not intend to leak this information

His cryptographic hash was supposed to keep the new model name secret. He intended for people to check back later – after Tesla’s official reveal – and find “P100D” was the string he obfuscated.

Unfortunately, he underestimated how fast the hash would be broken. SHA256 is considered a strongly one-directional transform, but in this case (short string, no salt, string exists in cracking dictionaries) it was broken quickly. Were it not for this, there would’ve been no leak.

This was a mistake, not malice or recklessness.

wk is keeping lots of other information in confidence

He knew about the new Slipstream rims, for example. He’s in a position to be one of the first people outside Tesla to see imminent cosmetic changes, names of new features and models (among other things,) yet you’ve only heard one thing through him (and that was an accident).

wk has helped Tesla make their cars more secure

He’s made multiple contributions to Tesla’s official bug bounty (which invites people to explore their software for weaknesses.) https://bugcrowd.com/tesla

If you own a Model S or X, you have benefited; your car is more secure as a direct result of his work. Maybe you could show a little appreciation?

Also, please stop going on about IP law. That has nothing to do with this.
Quoted for truth as this was extremely well put :) Should be a sticky post almost!
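The failure the quoted post describes (short string, no salt, string already in dictionaries), next to a salted commit-and-reveal that avoids it. This is an added example, not code from anyone in the thread; the candidate list, function names and the SHA-256(nonce || secret) construction are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, List, Optional, Tuple

NONCE_LEN = 32  # fixed length so nonce || secret parses unambiguously


def naive_commit(secret: str) -> str:
    """Unsalted SHA-256 of the secret, as described in the thread."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def candidate_names() -> List[str]:
    """Constructed candidate list: optional 'P', capacity 60..120, optional 'D'.

    The whole space is 52 strings, which is why one-wayness of the hash
    does not help: every plausible input can simply be hashed and compared.
    """
    return [f"{prefix}{kwh}{suffix}"
            for prefix in ("", "P")
            for kwh in range(60, 125, 5)
            for suffix in ("", "D")]


def guess(digest: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate whose unsalted hash equals digest, if any."""
    for cand in candidates:
        if hmac.compare_digest(naive_commit(cand), digest):
            return cand
    return None


def commit(secret: str) -> Tuple[str, bytes]:
    """Publish the digest now; keep the nonce private until the reveal."""
    nonce = secrets.token_bytes(NONCE_LEN)
    digest = hashlib.sha256(nonce + secret.encode("utf-8")).hexdigest()
    return digest, nonce


def verify_reveal(digest: str, secret: str, nonce: bytes) -> bool:
    """After the reveal, anyone can check the earlier digest."""
    if len(nonce) != NONCE_LEN:
        return False
    expected = hashlib.sha256(nonce + secret.encode("utf-8")).hexdigest()
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    weak = naive_commit("P100D")
    print("unsalted digest recovered as:", guess(weak, candidate_names()))

    strong, nonce = commit("P100D")
    print("salted digest recovered as:  ", guess(strong, candidate_names()))
    print("reveal verifies:             ", verify_reveal(strong, "P100D", nonce))
```

With the random 256-bit nonce, the published digest no longer matches the hash of any guessable string, yet it still binds the author to the value once the nonce and secret are revealed together.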
 
It sounds like they discovered he had made more progress delving into the firmware than they originally thought and/or, someone in PR realized that the firmware files had these nuggets in there that they didn't know about. And then as a way to deal with it, they decided to roll back the waiting firmware in order to sanitize it so that no more leaks could happen.
There is no way that I believe Tesla would have done this punitively and I think jumping to that conclusion is foolish. My guess is that if he hadn't noticed, the update icon would have gone away, and then a few days later, he would have gotten another notification that a new release was ready, sans P100D/model S refresh references/other future goodies pointers.
This is a classic programmer/PR miscommunication on Tesla's part, nothing more.
 
As for white hat efforts on reporting actual security exploits to Tesla, including one pretty nasty remote exploit (resulting in a firmware update that could be called "wk057" on Hank's site I suppose), I'll point out that I'm in the top 5 on Tesla's bug bounty "Hall of Fame" (with additional not yet rewarded submissions pending review that will probably push that to top 3 soon enough) as a result of my private submissions to Tesla.

Is this the Parrot module exploit?
 
Great response and summary. As I said earlier, not that it matters, I think what you are doing is awesome. Calmer heads prevail.

Some of the posts in this thread are quite ridiculous and laughable. Sometimes reading things people post on the internet makes me seriously concerned for the well being of society in general. Seeing the same nonsense here, over something relatively trivial, just baffles me. But whatever. Such is life on the interwebs...

In any case, I don't think anyone at Tesla is "out to get me." I do think someone made a poor decision in attempting to downgrade my car's firmware last night vs simply contacting me. At least a few people involved with the firmware already had my contact information, including my personal email and direct cell number, should they have been inclined to contact me. The decision to do the firmware downgrade obviously didn't come from the top, not that I never thought it had. I was, admittedly, certainly a bit irritated about it at the time.

As far as I'm concerned this situation is done with, and will only need to be revisited if when the next OTA comes down I don't actually ever get it. I don't expect that to happen at this point (Tesla undid the push for a downgrade when my car checks for updates, as mentioned earlier), and I'm pretty sure it's not going to be an issue going forward, based partly on Musk's comment earlier, among other things.

As for white hat efforts on reporting actual security exploits to Tesla, including one pretty nasty remote exploit (resulting in a firmware update that could be called "wk057" on Hank's site I suppose), I'll point out that I'm in the top 5 on Tesla's bug bounty "Hall of Fame" (with additional not yet rewarded submissions pending review that will probably push that to top 3 soon enough) as a result of my private submissions to Tesla. I've thought quite a bit about whether or not to publicly disclose any of these exploits even after sufficient time has passed after Tesla has fixed them and pushed the fixes. As of now, my stance on that is to keep them private indefinitely. The reason being is that there are going to be people driving these cars stuck on older firmware for a long time unless Tesla makes it possible for owners of salvage vehicles and the like to upgrade to the latest version with the latest security patches. I think that would be the right thing to do eventually, but for now it doesn't seem rational to release any exploits, or even descriptions of some of them, while even one car in operation could be susceptible. My receiving recognition for discovering an exploit isn't worth potentially opening up an owner to problems. If that's not a good enough window into my personal stance on things and my intentions surrounding my efforts, then I don't know what is. Sure, I might talk a little **** sometimes, but I'm just never going to release anything that's going to be a security concern for anyone.

So, for now, I'm going to chalk all this P100D stuff up to being triggered by a mistake on my part (not salting the hash) and Tesla making a mistake in their reaction, until I have evidence to the contrary. Right now, my car is sitting on 2.13.77 (latest public firmware), and I expect it will update normally from now on.

Additionally, I'm going to write an apology to the few contacts I have at Tesla for whatever trouble I've caused with my unintentional information leak. I'd like to hope that I'm at least a moderately valuable ally to Tesla, overall.

Anyway, carry on with the regularly scheduled over analyzing and radical tangents. I'll try to stay out of the way.

I certainly won't be talking about ea0890697a77af0a2e054cccec587c8a42feb5cf38e778c6c6e2a96bfb945c0b, or bb0347a468d97e98a9c00e37cebec1ab930f6f1221cae0f1fbb92b07e1900ba2, and especially not 3c01eba119e00d79c82b6f65d70bc5f1044d568618bf41377e6d1432023fc2b8. ;)
 
wk is keeping lots of other information in confidence

He knew about the new Slipstream rims, for example. He’s in a position to be one of the first people outside Tesla to see imminent cosmetic changes, names of new features and models (among other things,) yet you’ve only heard one thing through him (and that was an accident).

wk has helped Tesla make their cars more secure

He’s made multiple contributions to Tesla’s official bug bounty (which invites people to explore their software for weaknesses.) https://bugcrowd.com/tesla

If you own a Model S or X, you have benefited; your car is more secure as a direct result of his work. Maybe you could show a little appreciation?

Probably not a great defense, since wk is hardly the only one. There are a lot of people on this forum who keep a lot of information confidential. Only an fyi.

For instance, I'm guessing a large number of EAP participants are here on the forum daily. Yet we don't know who they are. They see the new features weeks, sometimes months, before the rest of us & we don't know about those (unless they leak & then they're no longer in the EAP). They do a lot of work for the rest of us and don't talk about it publicly. A lot of bugs are found because of these folks and your car is safer and more reliable because of them.

Tesla rewards the bug finders publicly. EAP participants contribute quietly in the background, without asking for recognition. Maybe we could show a little appreciation for those folks?

To be clear, it's not about wk vs. the EAP participants. I'm only attempting to point out that he's hardly the only one with confidential information at any given time, since you seem to think wk isn't getting his proper recognition. There are a lot of folks you're ignoring who get zero recognition and are fine with that.

(And EAP participants are only one group who hold confidential information. There are posters here who have vendor relationships and honor the NDAs that they signed. There are other posters here with close family members inside Tesla & you'd never know it because they post zero hints towards what is coming. Just examples. Many more. )

- - - Updated - - -

Some of the posts in this thread are quite ridiculous and laughable. Sometimes reading things people post on the internet makes me seriously concerned for the well being of society in general. Seeing the same nonsense here, over something relatively trivial, just baffles me. But whatever. Such is life on the interwebs...

In any case, I don't think anyone at Tesla is "out to get me." I do think someone made a poor decision in attempting to downgrade my car's firmware last night vs simply contacting me. At least a few people involved with the firmware already had my contact information, including my personal email and direct cell number, should they have been inclined to contact me. The decision to do the firmware downgrade obviously didn't come from the top, not that I never thought it had. I was, admittedly, certainly a bit irritated about it at the time.

As far as I'm concerned this situation is done with, and will only need to be revisited if when the next OTA comes down I don't actually ever get it. I don't expect that to happen at this point (Tesla undid the push for a downgrade when my car checks for updates, as mentioned earlier), and I'm pretty sure it's not going to be an issue going forward, based partly on Musk's comment earlier, among other things.

As for white hat efforts on reporting actual security exploits to Tesla, including one pretty nasty remote exploit (resulting in a firmware update that could be called "wk057" on Hank's site I suppose), I'll point out that I'm in the top 5 on Tesla's bug bounty "Hall of Fame" (with additional not yet rewarded submissions pending review that will probably push that to top 3 soon enough) as a result of my private submissions to Tesla. I've thought quite a bit about whether or not to publicly disclose any of these exploits even after sufficient time has passed after Tesla has fixed them and pushed the fixes. As of now, my stance on that is to keep them private indefinitely. The reason being is that there are going to be people driving these cars stuck on older firmware for a long time unless Tesla makes it possible for owners of salvage vehicles and the like to upgrade to the latest version with the latest security patches. I think that would be the right thing to do eventually, but for now it doesn't seem rational to release any exploits, or even descriptions of some of them, while even one car in operation could be susceptible. My receiving recognition for discovering an exploit isn't worth potentially opening up an owner to problems. If that's not a good enough window into my personal stance on things and my intentions surrounding my efforts, then I don't know what is. Sure, I might talk a little **** sometimes, but I'm just never going to release anything that's going to be a security concern for anyone.

So, for now, I'm going to chalk all this P100D stuff up to being triggered by a mistake on my part (not salting the hash) and Tesla making a mistake in their reaction, until I have evidence to the contrary. Right now, my car is sitting on 2.13.77 (latest public firmware), and I expect it will update normally from now on.

Additionally, I'm going to write an apology to the few contacts I have at Tesla for whatever trouble I've caused with my unintentional information leak. I'd like to hope that I'm at least a moderately valuable ally to Tesla, overall.

Anyway, carry on with the regularly scheduled over analyzing and radical tangents. I'll try to stay out of the way.

I certainly won't be talking about ea0890697a77af0a2e054cccec587c8a42feb5cf38e778c6c6e2a96bfb945c0b, or bb0347a468d97e98a9c00e37cebec1ab930f6f1221cae0f1fbb92b07e1900ba2, and especially not 3c01eba119e00d79c82b6f65d70bc5f1044d568618bf41377e6d1432023fc2b8. ;)

Good post, wk. And I'm sure those engineers will appreciate a note. They've likely had a very rough weekend and this coming week is unlikely to be better.
 
wk is keeping lots of other information in confidence

How many good deeds must I do, so I am entitled/allowed/excused one bad?

Good people don't leak any info, never ever. Others do.
Things change when info is of such nature that no leaking means something bad, and things change when things are leaked in anonymous way.

In this incident it was pure personal promotion, ego.
 
I do wish everyone who rushed to chastise wk057 would be mindful of the following in future:

wk did not intend to leak this information

His cryptographic hash was supposed to keep the new model name secret. He intended for people to check back later – after Tesla’s official reveal – and find “P100D” was the string he obfuscated.

Unfortunately, he underestimated how fast the hash would be broken. SHA256 is considered a strongly one-directional transform, but in this case (short string, no salt, string exists in cracking dictionaries) it was broken quickly. Were it not for this, there would’ve been no leak.

This was a mistake, not malice or recklessness.

wk is keeping lots of other information in confidence

He knew about the new Slipstream rims, for example. He’s in a position to be one of the first people outside Tesla to see imminent cosmetic changes, names of new features and models (among other things,) yet you’ve only heard one thing through him (and that was an accident).

wk has helped Tesla make their cars more secure

He’s made multiple contributions to Tesla’s official bug bounty (which invites people to explore their software for weaknesses.) https://bugcrowd.com/tesla

If you own a Model S or X, you have benefited; your car is more secure as a direct result of his work. Maybe you could show a little appreciation?

Also, please stop going on about IP law. That has nothing to do with this.

Thank you, thank you, thank you. Couldn't have said it better. If I knew how to give reputation points I would give them for this post.

- - - Updated - - -

Good people don't leak any info, never ever. Others do. Things change when info is of such nature that no leaking means something bad, and things change when things are leaked in anonymous way.

In this incident it was pure personal promotion, ego.

No, it wasn't just pure personal promotion because it helped customers make decisions and it also got Tesla more free publicity in the press. I appreciate the leak very much as a customer - I have one Tesla and was about to get the second - but have wanted a larger battery for some time. This leak has benefitted me quite a bit because now I can seriously consider a Model X for the second car instead of another Model S - and I know if I hold off a bit longer the larger battery will be available. Tesla was not hurt by this leak - and we have no ethical obligation to help Tesla in any case.

Even if you could argue that Tesla was hurt, you could also claim that customers were helped - and then you are in the ethical position of determining who it is more important to help.

In any case making some line in the sand of what makes a "good person" is a pointless exercise. Humans are complex - as a European you are supposed to understand complexity better than simple Americans anyway! :p BTW I don't know what's going on over there in Slovenia but your company Pipistrel is innovating like heck in the airplane market. Very exciting stuff they're up to - the pure electric trainer planes, the hybrid engines and especially the Panthera four seater that will do 200 ktas per hour on 10 gph with an integrated airframe parachute to compete with Cirrus! Drooling over that plane and hoping it comes to the USA quickly...
 
I think this may be much ado about nothing. I also had that same pending update disappear. It came back a couple days later. Given my lack of hacking skills I was left to assume I didn't accept it fast enough rather than it was retribution.
 
Not sure it's intentional, but my wings have been clipped on forums.teslamotors.com. Attempting to log in on the main forum page just returns to that page as if nothing was entered for user ID and password. I have an "alternate" account that gets me in and able to post, but not to see or create private threads.

I've been pretty vocal about the ESA and some recent service center issues. Is this intentional on the part of Tesla? Dunno. Multiple browsers and devices, same result.

Actually, the same thing happened to me this morning, so I suspect it's just a bug. No reason to be paranoid....

Anyone else notice the inability to log in on forums.teslamotors.com?
 
No, it wasn't just pure personal promotion because it helped customers make decisions and it also got Tesla more free publicity in the press. I appreciate the leak very much as a customer - I have one Tesla and was about to get the second - but have wanted a larger battery for some time. This leak has benefitted me quite a bit because now I can seriously consider a Model X for the second car instead of another Model S - and I know if I hold off a bit longer the larger battery will be available. Tesla was not hurt by this leak - and we have no ethical obligation to help Tesla in any case.

Even if you could argue that Tesla was hurt, you could also claim that customers were helped - and then you are in the ethical position of determining who it is more important to help.

In any case making some line in the sand of what makes a "good person" is a pointless exercise. Humans are complex - as a European you are supposed to understand complexity better than simple Americans anyway! :p BTW I don't know what's going on over there in Slovenia but your company Pipistrel is innovating like heck in the airplane market. Very exciting stuff they're up to - the pure electric trainer planes, the hybrid engines and especially the Panthera four seater that will do 200 ktas per hour on 10 gph with an integrated airframe parachute to compete with Cirrus! Drooling over that plane and hoping it comes to the USA quickly...

It was definitely ego, and it was just due to wk's mistake with the weak hashing that you know what he meant at this point.

My perception is that Tesla would want to launch changes to the S and X at the same time as they launch the Model 3. The 100kWh battery particularly makes sense, because if there's one thing that would be limited on the Model 3, it's battery capacity. Since the launch of the Model 3 will mark a point at which many buyers could choose to reserve a Model 3 instead of buying up to a Model S and X, Tesla has the need to remind the market of the premium features of the S and X.
 
I think this may be much ado about nothing. I also had that same pending update disappear. It came back a couple days later. Given my lack of hacking skills I was left to assume I didn't accept it fast enough rather than it was retribution.

Actually, the same thing happened to me this morning, so I suspect it's just a bug. No reason to be paranoid....

Anyone else notice the inability to log in on forums.teslamotors.com?

Yes, many people have had software updates pulled, but I've never heard of ONE person that was downgraded. I think that was the point.
 
After driving an X for a while, it is obvious to me that a 90 pack doesn't cut it if you plan on towing with it. 100 will be the absolutely bare minimum, IMHO. I really don't think it is much of a secret that Tesla would be planning on bringing out bigger batteries eventually, I mean Elon said as much when unveiling the 90. The only question was what the exact size would be. 'Around 100' would have been an obvious guess for the next size. The next one up from that will be around 110 or 120.

But if Tesla made this into a bigger deal, then they just got caught by the Streisand effect. They could have just ignored it, or said the 100 was just a placeholder and engineers hadn't finalized the size yet.
 
After driving an X for a while, it is obvious to me that a 90 pack doesn't cut it if you plan on towing with it. 100 will be the absolutely bare minimum, IMHO. I really don't think it is much of a secret that Tesla would be planning on bringing out bigger batteries eventually, I mean Elon said as much when unveiling the 90. The only question was what the exact size would be. 'Around 100' would have been an obvious guess for the next size. The next one up from that will be around 110 or 120.

But if Tesla made this into a bigger deal, then they just got caught by the Streisand effect. They could have just ignored it, or said the 100 was just a placeholder and engineers hadn't finalized the size yet.

The one thing that confuses me is that Tesla would leave Sig owners of the X with cars that are obsolete just 5 months after the announcement... oh wait, nah, that sounds like Tesla SOP to me.
 
I just tried to login to the TM forum. It let me try once, did not give an error, but did not appear to log me in, and further tries would not bring up the Login page. So, it looks like something is messed up over there ... but, I could read the forum.

For me, the TM forum software changed within the past couple of days to what it used to be: now, as in days of yore, I remain logged in and go directly to the Model S sub-forum. I suppose that, as it used to, it will log me out after a while. --Yes, the expiration of the tesla_logged_in cookie in my browser is three days hence. So, basis reports here, maybe in three days I'll not be able to log in.