
Tesla's response to me leaking info about the P100D?

OP figured out a way into the shell that runs what the car does within it. AFAIK, he reported that back to Tesla and they patched the particular exploit. That's typical White Hat hacking.

There are plenty of other interesting bits and pieces I'm sure he's discovered. Nothing game changing, mostly interesting tidbits and plans. Why Tesla continued to put those in its firmware is beyond me, but they continue to do so.

At one point OP sees something in the firmware and thinks it would be funny to tease Tesla about it. Really nothing that we hadn't guessed yet, but mostly seemingly good natured ribbing about them continuing to put future release items in a current firmware release. That really isn't game changing and there aren't any trade secrets about the P100D being planned. Heck, I'll plant the flag now and predict P110D in June 2017... I just don't have any proof that the assets for such a thing are in current firmware. I hope Tesla changes their firmware packaging to include those things after the announcements have been made.

There must be some things about the firmware that are essentially inside information. Given that OP hasn't released that information I wouldn't go calling him a Black Hat hacker in any way.

Overall I appreciate the info but really can't stand the drama. Somebody at Tesla crossed the line in a remarkably stupid way. I don't see any reason for Jason to escalate this though.

Work together guys. It'll make us stronger.
 
Before you say "sharing is stealing", bear in mind that those who share generally have very low discretionary income (mostly because they are students).

Oh geez, you are one of "those people".

I don't care what someone's discretionary income is, we are talking about a product that is freely available on the radio, and for students, probably easily listened to via legit youtube or other channels (but gasp, they may need to listen to a commercial). We ain't talking about stealing a loaf of bread so they can eat.

Ethics matter, especially for college students.

Don't bother replying, based on your viewpoint on IP, I won't see your posts anyway.
 
Oh geez, you are one of "those people".

I don't care what someone's discretionary income is, we are talking about a product that is freely available on the radio, and for students, probably easily listened to via legit youtube or other channels (but gasp, they may need to listen to a commercial). We ain't talking about stealing a loaf of bread so they can eat.

Ethics matter, especially for college students.

Don't bother replying, based on your viewpoint on IP, I won't see your posts anyway.
There's somebody who doesn't know about mixtapes...
 
*I* own and control *my* car.

I don't believe that you own the car's software. Not in any real sense. You can't sell the software to somebody else. You can't legally modify it (it's complicated and possibly still being litigated). The law is a strange beast and software and intellectual property in general are new constructs that are not well resolved at this point. You blustering about "how the world actually works" is meaningless unless you back it up with something. Do you know anything about the legal basis for what you are doing?

Here's one short article on the topic from a year ago:
You Own the Car, But Do You Own Its Software? | Doug Newcomb | PCMag.com
Here's the EFF's filing on the Class 21 exemption to the DMCA:
https://www.eff.org/files/2015/05/21/1201_eff_reply_comment_class_21.pdf
Here's a story about the class 21 ruling last October:
http://www.forbes.com/sites/thomasbrewster/2015/10/27/right-to-tinker-victory/#62ed7ea438ae

But I think this leaves intact the notion that the software is not owned by the owner of the vehicle. And I don't see how you can claim that any version of the software that works is somehow not good enough -- the truth is that every version will have bugs of some sort, so there's no reason Tesla shouldn't choose to downgrade it if they like.
 
Before you say "sharing is stealing", bear in mind that those who share generally have very low discretionary income (mostly because they are students).

Totally off the original topic but, sorry.... sharing music/videos, presumably by the usual pirate sites, is stealing irrespective of how somebody rationalizes it. If I have low discretionary income, am I allowed to grab beer from the store and not pay?
 
Totally off the original topic but, sorry.... sharing music/videos, presumably by the usual pirate sites, is stealing irrespective of how somebody rationalizes it. If I have low discretionary income, am I allowed to grab beer from the store and not pay?

To play devil's advocate, piracy and stealing *are* different because in the case of ordinary theft you are actually removing something of tangible value (a beer) from a property owner, but in the case of piracy, you are simply reducing the value of the IP (which is intangible and very hard to value on its own) by distributing it. I'm not saying that it should be legalised, but it shouldn't be called theft, just copyright infringement.

To make an analogy, it would be like walking into a shop, cloning a beer can from the cooler using, say, a "Star Trek replicator" and then leaving: you've taken advantage of the store's retail presence (rent, utility costs, staff, IP, development) but you haven't taken the item itself, so it's not theft.
 
Somebody at Tesla crossed the line in a remarkably stupid way.
I think you hit the nail on the head with that.

Some folks here seem to think that those in charge should be able to anticipate everything anyone will ever do, and have a plan in place to prevent it, or at least obtain high-level approval before doing it. It really doesn't work that way, because what they expect is impossible to accomplish. No matter how much foresight you have, stupidity and/or dismally poor judgement will find a way to manifest in a way that was unforeseen.

As far as the "I bought it, so I own it" claim - Copyright laws regarding digital products, whether firmware, software or what-have-you are complex, and for good reason. You may own the hardware outright, but who owns the digital information stored within may be a different story. And the EULA isn't the whole story regarding it, either.

Look at Microsoft. You may pay money for their products, but you don't own them. If you did, you'd be able to do anything you want with it, but you can't. We pay for the privilege of using something they still own, be it an operating system, MS Office, or whatever.
 
Great thread. Ethical hacking in real life.

My take is that wk has been a white hat guy. Sharing security issues with Tesla privately and frequently not sharing interesting things that Tesla is not ready to share. Wk shared something in excitement after a long session digging through code. He hid the reveal in a hash tag, but someone figured it out right away. This is not black hat stuff. He did not share anything that would endanger or cause harm to anyone. It might have ticked some people off, but no one was hurt or endangered.
Based on past data it also seems that Tesla is aware of wk and he has shared real security issues, so Tesla knows how to communicate with wk. They could have contacted him directly and asked him wtf are you doing, that was supposed to be private: Man up Tesla. You feel wronged, so man up and tell wk directly. Now it appears Tesla raised the stakes and wk has been pushed and he wants to push back. I don't blame him, I've been there, but restraint is the better part of valor. If you are angry that someone at Tesla has messed with your car and you have communicated with them in the past, then use that private channel to share your anger.

Don't expect a response today. This has gotten big and no one is going to respond without running it by the boss. I for one appreciate your passion. You are at the forefront of a still small group of hackers who will make smart-cars smarter, better and safer.
 
Couple of things:
1) The difference between white hat hackers and black hat hackers is responsible disclosure. I am not sure what the application is in this case, but as some have noted salting the hash might have been a good start--it comes down to intent
2) Yes, your car is your physical property but there is an interesting court case on the disposition of the SW on your car. John Deere is trying to copyright and apply DMCA protections to the SW that runs their tractors. It's worth noting that (from the linked article):
trade groups representing nearly every major automaker, made the same case to the Copyright Office again and again. It’s worth noting Tesla Motors didn’t join automakers in this argument, even though its cars rely heavily on proprietary software
I know this runs counter to the "Tesla is an evil empire" sentiments that seem popular these days, but there you go.
3) Elon said to expect ~5% increase every year at the Ludicrous announcement last summer--I don't see this as news or anything to get cranky about
4) I am sorry @wk, but all you have are assertions that Tesla is punishing you. You have a set of actions through the installer to which you have assigned meaning. Someone could easily argue they have rolled out an update, found there is a problem, and are pushing out a rollback and this is happening in many cars, we just have visibility into yours, the rest of us are blissfully ignorant

You have spelled out a narrative: I spilled Tesla secrets > they are punishing me by withholding an update > I have cut off their access > they need to call me to sort this out, but recognize this is a 100% creation on your part. The reality may be that a) Tesla does not care and b) they are not doing anything to your car that they are not also doing to other cars. It seems a five min call to the service center on the disposition of the SW update for your car would help increase the clarity and reduce the drama.
 
Great thread. Ethical hacking in real life.

My take is that wk has been a white hat guy. Sharing security issues with Tesla privately and frequently not sharing interesting things that Tesla is not ready to share. Wk shared something in excitement after a long session digging through code. He hid the reveal in a hash tag, but someone figured it out right away. This is not black hat stuff. He did not share anything that would endanger or cause harm to anyone. It might have ticked some people off, but no one was hurt or endangered.
Based on past data it also seems that Tesla is aware of wk and he has shared real security issues, so Tesla knows how to communicate with wk. They could have contacted him directly and asked him wtf are you doing, that was supposed to be private: Man up Tesla. You feel wronged, so man up and tell wk directly. Now it appears Tesla raised the stakes and wk has been pushed and he wants to push back. I don't blame him, I've been there, but restraint is the better part of valor. If you are angry that someone at Tesla has messed with your car and you have communicated with them in the past, then use that private channel to share your anger.

Don't expect a response today. This has gotten big and no one is going to respond without running it by the boss. I for one appreciate your passion. You are at the forefront of a still small group of hackers who will make smart-cars smarter, better and safer.

Very well reasoned post. One small nit...from a sales/marketing aspect, Tesla could feel wronged or even damaged by the release of the 100 kWh info before they were ready. Customers may wait or cancel anticipating the change. Admittedly, it's their data to protect but they could argue some damage.
 
Totally off the original topic but, sorry.... sharing music/videos, presumably by the usual pirate sites, is stealing irrespective of how somebody rationalizes it. If I have low discretionary income, am I allowed to grab beer from the store and not pay?

There's merit on both sides of this never ending argument. Digital rights holders act like someone has stabbed them in the gut with a knife whenever someone takes a shared copy of their content, while those consuming the shared content act totally innocent. The truth is taking shared digital media illegally is not as serious as stealing a physical product (like a beer), but more serious than something like exceeding the speed limit by 5 MPH. The level of outrage over a crime should be consistent with the seriousness of the crime. If you take the stance that crime is crime, then it is your duty to live up to that viewpoint and never ever exceed a posted speed limit. How many will do that? Probably no one. But exceeding the posted speed limit is a crime, make no mistake.

Quite frankly, if I had to add up the amount of my life wasted by watching FBI and DRM warnings that digital rights owners have not let me skip in DVDs in my life, I'd say they owe me big. Talk about a waste of time. As if there was ever a person in the history of mankind who was forced to watch one of those warnings before watching a DVD and changed their mind to not steal.

Yes, it's a crime, and you can be busted for it. No, it's not that serious. Probably somewhere, like I said, between shoplifting and moderate speeding.
 
Just random thoughts from an engine tuner:

Just because you can see tables doesn't mean anything. Nearly all newer cars I work with have E85 (ethanol) tables. Only certain models ever get E85 as an option anywhere. Two of my vehicles have tables for 5 injection events. The factory never uses more than 3, and sometimes use only 1. The hardware can support the 5 events, but for whatever reason, 5 or 4 isn't used, the third event is only for certain emissions modes. Some cars even have supercharger tables when that engine does not have a supercharged version, you can spot these easy, the manifold pressure has values way up in the positive pressure area.

The intellectual property issues of automotive controls are really bizarre right now. There is nothing to compare it to. Most of today's code is explicitly copyrighted. But even if it is not, there is implied copyright today. OK, that part is normal.

But it is way different than desktop software as far as how the copyright is applied.

Can you sell a copy of a manufacturer's entire operating system and tables? Yes. When I lease a subscription to the MFR's library, and use the MFR tools, I can charge you for flashing that code into a blank ECM. Or if I have an existing OEM flash and no MFR tools or library access, I can copy it and put it on your car. This is because a car maker cannot force service to only be performed by their dealers. You can't just burn a copy of Windows on a DVD and sell it, or sell copies of music, movies, or programs. With cars it's a service item.

Can you publish the offset address and contents of a software module, along with a description of what it does? So far yes. In over 25 years this has not been an issue.

Can you publish how to edit a table to alter automotive performance? So far yes.

Can I edit the OEM tables and flash them into your car? This is where the turmoil is happening today. So far just the EPA and CARB will torch you for it, I've witnessed a $250,000 fine. But the MFRs appear to be getting ready to get into the fight. Some store peak torque seen in a hidden location and the dealer tool can read this. This is where the whole enchilada applies to EVs. Let's say Tesla does this. If you tweak your car, and they see a number out of range stored, they can void your warranty. And they have every right to.

But you don't really own the code that is in your car, just like you don't own the patents used in the hard parts in a car.
 
I have to agree with wk057 in all of this. Seems way too big brother to me. Very petty singling out an individual like this. Reminiscent of banning that reporter from getting his Model X. If the vision of Tesla is truly to change the dynamic of energy consumption they need to be bigger than this. They may have had a right to do what they did (and I say may have because legally focusing on an individual's firmware as opposed to a whole population of cars could be a blatant violation of privacy) but this smells bad to me...
 
Sleeping on it is certainly good, although a note from the CEO definitely hasn't hurt. ;) Certainly the last thing I expected to happen today.

Keeping my white hat on (hey, it's even a white Tesla hat :p ) and giving Tesla time to sort this all out. Guess is that all will be well soon enough.

Code:
root@cid-5YJSA1H24EFP64184# /sbin/iptables -D INPUT -i tun0 -j REJECT --reject-with icmp-port-unreachable
root@cid-5YJSA1H24EFP64184# /sbin/iptables -D INPUT -i tun0 -j LOG
root@cid-5YJSA1H24EFP64184# /sbin/iptables -D OUTPUT -o tun0 -j DROP
root@cid-5YJSA1H24EFP64184# /sbin/iptables -D OUTPUT -o tun0 -j LOG

Your move.


Thank you, TMC mods, for carving out this thread. :)

"You must spread some Reputation around before giving it to wk057 again": rep +1, thanks for not going WOPR last night and, eventually ;-), sleeping on it! Cheers, MikeBur
 
The reality may be that a) Tesla does not care and b) they are not doing anything to your car that they are not also doing to other cars.

Any evidence to back this up? I have logs of Tesla trying to push my car back two versions from the latest (2.13.77 -> 2.12.126 -> 2.12.45) and not a single report of anyone else having the same occur. If I saw even one report of this happening to someone else, I would have considered another perspective on the events. But here we are, a full day later, nothing. People still getting and installing 2.13.77.

As of this afternoon Tesla's firmware servers were still not reporting the job to install 2.13.77, so I forced the updater to do so... and in the process learned quite a bit I didn't previously know about the updater. :)
 
Any evidence to back this up? I have logs of Tesla trying to push my car back two versions from the latest (2.13.77 -> 2.12.126 -> 2.12.45) and not a single report of anyone else having the same occur. If I saw even one report of this happening to someone else, I would have considered another perspective on the events. But here we are, a full day later, nothing. People still getting and installing 2.13.77.

As of this afternoon Tesla's firmware servers were still not reporting the job to install 2.13.77, so I forced the updater to do so... and in the process learned quite a bit I didn't previously know about the updater. :)

My car is currently using 2.12.126. Is there a way I can see installation history via the touchscreen?
 
The truth is taking shared digital media illegally is not as serious as stealing a physical product (like a beer)

The truth is a microbrewer can produce a beer for a few thousand dollars in setup.

I (well, my VC's) have to write a check for $10 million for there to even exist a product for you to come and steal. Sure I might have a million customers. One day. If I'm lucky - the odds are overwhelmingly against me.

But it still means I paid $10 to create the thing that you regard as being worthless. In the hope that it would be of some value to you and you would give me $20 for it.

It is every single bit as bad as stealing a beer.


The only rationalization you can maybe have is that it's easier to get away with. Which is true, but if that is the type of person you are, the only reason you are NOT stealing beer more often then is for fear of getting caught. And sorry, but that would make you a sociopath.
 
Any evidence to back this up? I have logs of Tesla trying to push my car back two versions from the latest (2.13.77 -> 2.12.126 -> 2.12.45) and not a single report of anyone else having the same occur. If I saw even one report of this happening to someone else, I would have considered another perspective on the events. But here we are, a full day later, nothing. People still getting and installing 2.13.77.

As of this afternoon Tesla's firmware servers were still not reporting the job to install 2.13.77, so I forced the updater to do so... and in the process learned quite a bit I didn't previously know about the updater. :)

I swear I read a post today of one or two people saying they had theirs rolled back. But the threads are flying fast and mods moving posts. I haven't found it yet to link for you.
 
Not sure why Tesla would get upset at the 100D info. We all know it will happen sometime in the near future. As far as people delaying their purchase I don't see it otherwise nobody would ever buy an S or X as they are always going to improve.