Tesla's response to me leaking info about the P100D?

I think we should all let Elon set the tone on this one, and call it a day. His tweet was pretty hard to interpret wrong.

I have a lot of respect for Elon, but Elon's views are in no way influencing/determining most posters' and/or customers' views on issues discussed here. Most people might be curious about Elon's views but I doubt that his views are likely to sway many people.

He may be setting the tone at Tesla, but not here.

My understanding of his tweet is that he responded to wk's direct question with a statement that the downgrade request did not come from him. Perhaps he is not a micromanager as many assume.
 
Just to add a different perspective here on the issue of potentially violating Tesla software licenses or not.

According to several reputable members here it is well-known that Tesla themselves do not abide by several GNU/Linux and similar licensing schemes in their own implementation of open source code used as the base of the entire Tesla software platform. Dirrkh is one of those with most info on this topic. I even believe he owns the rights to some software that Tesla has implemented without abiding by the terms under which the licenses have been released.....

I assume this is one of the reasons for the all but missing terms about this in my purchase agreement at least. I cannot recall a single word relating to EULA or anything similar.

Tesla cannot claim protection for code they have partially copied from others in the first place without respecting the underlying license.....

Most interestingly I would claim that based on bonnie's reasoning here in the IP-rights discussion she actually would put Tesla in the "they are stealing software"-box:)

Do software license terms not count for Tesla themselves? But wk057 has to respect Tesla's software rights?

edit: sorry in advance to GNU-guys as I most likely used the term incorrectly:)
 
Some of the posts in this thread are quite ridiculous and laughable. Sometimes reading things people post on the internet makes me seriously concerned for the well being of society in general. Seeing the same nonsense here, over something relatively trivial, just baffles me. But whatever. Such is life on the interwebs...

In any case, I don't think anyone at Tesla is "out to get me." I do think someone made a poor decision in attempting to downgrade my car's firmware last night vs simply contacting me. At least a few people involved with the firmware already had my contact information, including my personal email and direct cell number, should they have been inclined to contact me. The decision to do the firmware downgrade obviously didn't come from the top, not that I never thought it had. I was, admittedly, certainly a bit irritated about it at the time.

As far as I'm concerned this situation is done with, and will only need to be revisited if when the next OTA comes down I don't actually ever get it. I don't expect that to happen at this point (Tesla undid the push for a downgrade when my car checks for updates, as mentioned earlier), and I'm pretty sure it's not going to be an issue going forward, based partly on Musk's comment earlier, among other things.

As for white hat efforts on reporting actual security exploits to Tesla, including one pretty nasty remote exploit (resulting in a firmware update that could be called "wk057" on Hank's site I suppose), I'll point out that I'm in the top 5 on Tesla's bug bounty "Hall of Fame" (with additional not yet rewarded submissions pending review that will probably push that to top 3 soon enough) as a result of my private submissions to Tesla. I've thought quite a bit about whether or not to publicly disclose any of these exploits even after sufficient time has passed after Tesla has fixed them and pushed the fixes. As of now, my stance on that is to keep them private indefinitely. The reason being is that there are going to be people driving these cars stuck on older firmware for a long time unless Tesla makes it possible for owners of salvage vehicles and the like to upgrade to the latest version with the latest security patches. I think that would be the right thing to do eventually, but for now it doesn't seem rational to release any exploits, or even descriptions of some of them, while even one car in operation could be susceptible. My receiving recognition for discovering an exploit isn't worth potentially opening up an owner to problems. If that's not a good enough window into my personal stance on things and my intentions surrounding my efforts, then I don't know what is. Sure, I might talk a little **** sometimes, but I'm just never going to release anything that's going to be a security concern for anyone.

So, for now, I'm going to chalk all this P100D stuff up to being triggered by a mistake on my part (not salting the hash) and Tesla making a mistake in their reaction, until I have evidence to the contrary. Right now, my car is sitting on 2.13.77 (latest public firmware), and I expect it will update normally from now on.

Additionally, I'm going to write an apology to the few contacts I have at Tesla for whatever trouble I've caused with my unintentional information leak. I'd like to hope that I'm at least a moderately valuable ally to Tesla, overall.

Anyway, carry on with the regularly scheduled overanalyzing and radical tangents. I'll try to stay out of the way.

I certainly won't be talking about ea0890697a77af0a2e054cccec587c8a42feb5cf38e778c6c6e2a96bfb945c0b, or bb0347a468d97e98a9c00e37cebec1ab930f6f1221cae0f1fbb92b07e1900ba2, and especially not 3c01eba119e00d79c82b6f65d70bc5f1044d568618bf41377e6d1432023fc2b8. ;)
 
He already answered this. Last night he found the badging graphic, whereas before it was just text references. Therefore he assumed the news release was imminent and decided to make a registry of him having found this before the official release.

Easy: bragging rights.

To me, the salient point is this: regardless of legalities or not, and whether it's possible to access the hidden data or not, it's 100% clear to any reasonable person that Tesla does not desire this information to be made public.

If you then choose to make it public, you cede the moral high ground.

White hat hacking for security reasons is noble. Bragging about how l33t your sk1llz are is base.
 
Maybe. But I kind of have been meaning to crack the updater anyway. Good a time as any.

Oh, and on that note. Success.

Code:
Mar  5 13:27:14 cid QtCar[274]: [SoftwareUpdateManager] INFO Found update sentinal file staged--XXXXXX 
Mar  5 13:27:14 cid QtCar[274]: [SoftwareUpdateManager] INFO GUI_softwareUpdateVersion Set to 2.13.77-U 
Mar  5 13:27:14 cid QtCar[274]: [SoftwareUpdateManager] INFO GUI_softwareUpdateProgram Set to General 
Mar  5 13:27:14 cid QtCar[274]: [SoftwareUpdateManager] INFO GUI_softwareUpdateDuration Set to 100 
Mar  5 13:27:14 cid QtCar[274]: [SoftwareUpdateManager] INFO checkForIndicator complete, update 2.13.77-U is available: true

Now the big question is does it match what you had before, or has it been sanitized? Unlikely they changed it, but I'm curious.
 
Sorry to burst your bubble, but since that's now how it works with Tesla cars it means what you want is irrelevant.

Classic blame the other party when someone oversteps boundaries. Don't leave anything of value in your locked car, under the seat and out of sight because that's just begging for someone to break into the car and go searching for that thing of value they didn't even know was there in the first place. Pretty simple, really.

No.

You cannot compare reverse engineering of legally obtained software to breaking and entering a vehicle.
 
This P100D leak would have been very easy to avoid for Tesla.

Simply don't include P100D assets until after the announcement. The cars aren't going to ship for a good month or two after that, so that's plenty of time to get the updates ready for the cars that do roll off the production line.

I am honestly surprised they made this mistake, you'd think they would know better especially given the very public posts on here from several members documenting fully that they have rooted their vehicles and have access to the unencrypted firmware images.

In all likelihood, it started as a private beta build for the test cars. But as development moved along, some assets were committed to the codebase. Many ways to handle this, like redoing overrides or extra coding for these test-cars until they are officially announced; but I can totally envision how this was accidentally brought into the codebase too soon by mistakenly committing the wrong forks (or "select-all" when doing these commits)!
 
Don't forget your "ifconfig tun0 up"

Ah yeah, I did that earlier because it was just freaking out the VPN checker. So, I just iptables blocked traffic instead. Since removed... well, back to the way I had it anyway with a few things redirected to a banner stating that permission must be requested for access. ;)

Now the big question is does it match what you had before, or has it been sanitized? Unlikely they changed it, but I'm curious.

It does, since I used my original backup of the patch it's exactly what my car downloaded on the night of the 3rd.
 
To all the "copying software is not the same as stealing a beer" folks:
What is your stance on, say, some Chinese company buying a Model S and designing and selling an exact replica, made in "copy exactly" style, including the content of flash chips?

They didn't take anything material from Tesla, they paid for a product and "did what they wanted with something they paid for".

Why is copying SW OK, and copying material product not OK?

To try and answer a completely misinformed post:
1) "stealing a beer" (or any tangible object or electricity) is: Theft
2) "copying SW" may very well be OK, the most common operating system in the world (Linux via Android) is open source and may be copied. Software copied without permission is: Copyright infringement
3) "copying material product" may also be OK. If the copied material product has a trademark, then its copying is 3A): trademark infringement. If the material product is created using patent(s), then its copying is 3B): patent infringement.

1), 2), 3A) and 3B) are all covered by different laws.

They are often mixed up due to ignorance or malicious intent.
 
Maybe.

The move to try and stage 2.12.45 is interesting, and proves it's directed at me, however. Here's why. The effect is that it wipes out the partition that staged 2.13.77. A redeploy of 2.12.126 (which would undo any bugs in 2.13.77) wouldn't do that. However, for someone else, if there were a major bug or something in 2.13.77 they could just re-stage 2.12.126 without an issue and be done with it. It wouldn't matter that 2.13.77 was still on the inactive partition.

I consider this direct retaliation by Tesla for leaking the P100D info earlier. Unfortunately, for them, I also consider this to be denying me something that was advertised when I paid for the car: OTA updates. Slippery slope for them, I think, but what do I know.

What I do know is that Tesla and I are going to have to come to an agreement on this, and I'm not going to accept one that denies my car updates. I'll certainly concede to not post any major not-already-public info gleaned by my mod efforts in the future, at their request... but they're going to have to actually make that request.

In the absence of a resolution I don't think this is going to be pretty.

I don't know what the terms of the Tesla EULA are. Some EULAs prohibit reverse engineering of the software and what you're doing might be stretched to cover that. Software in the hands of consumers has a long history of being hacked and secrets learned by people willing to dig through the OS. What you are doing is no more extensive than what people have done to MacOS and Windows over the years.

I'm no lawyer, but if Tesla continues to try and mess around with your firmware, they might be in contractual violation. It all depends on the terms of the license agreement. Though I think they should be obligated to give you fair warning if they think you are doing something in violation of the agreement. If this isn't resolved reasonably soon, I would suggest talking to an attorney. It may require at least a consult with an intellectual property attorney.
 
Some of the posts in this thread are quite ridiculous and laughable. Sometimes reading things people post on the internet makes me seriously concerned for the well being of society in general. Seeing the same nonsense here, over something relatively trivial, just baffles me. But whatever. Such is life on the interwebs...

In any case, I don't think anyone at Tesla is "out to get me." I do think someone made a poor decision in attempting to downgrade my car's firmware last night vs simply contacting me. At least a few people involved with the firmware already had my contact information, including my personal email and direct cell number, should they have been inclined to contact me. The decision to do the firmware downgrade obviously didn't come from the top, not that I never thought it had. I was, admittedly, certainly a bit irritated about it at the time.

As far as I'm concerned this situation is done with, and will only need to be revisited if when the next OTA comes down I don't actually ever get it. I don't expect that to happen at this point (Tesla undid the push for a downgrade when my car checks for updates, as mentioned earlier), and I'm pretty sure it's not going to be an issue going forward, based partly on Musk's comment earlier, among other things.

As for white hat efforts on reporting actual security exploits to Tesla, including one pretty nasty remote exploit (resulting in a firmware update that could be called "wk057" on Hank's site I suppose), I'll point out that I'm in the top 5 on Tesla's bug bounty "Hall of Fame" (with additional not yet rewarded submissions pending review that will probably push that to top 3 soon enough) as a result of my private submissions to Tesla. I've thought quite a bit about whether or not to publicly disclose any of these exploits even after sufficient time has passed after Tesla has fixed them and pushed the fixes. As of now, my stance on that is to keep them private indefinitely. The reason being is that there are going to be people driving these cars stuck on older firmware for a long time unless Tesla makes it possible for owners of salvage vehicles and the like to upgrade to the latest version with the latest security patches. I think that would be the right thing to do eventually, but for now it doesn't seem rational to release any exploits, or even descriptions of some of them, while even one car in operation could be susceptible. My receiving recognition for discovering an exploit isn't worth potentially opening up an owner to problems. If that's not a good enough window into my personal stance on things and my intentions surrounding my efforts, then I don't know what is. Sure, I might talk a little **** sometimes, but I'm just never going to release anything that's going to be a security concern for anyone.

So, for now, I'm going to chalk all this P100D stuff up to being triggered by a mistake on my part (not salting the hash) and Tesla making a mistake in their reaction, until I have evidence to the contrary. Right now, my car is sitting on 2.13.77 (latest public firmware), and I expect it will update normally from now on.

Additionally, I'm going to write an apology to the few contacts I have at Tesla for whatever trouble I've caused with my unintentional information leak. I'd like to hope that I'm at least a moderately valuable ally to Tesla, overall.

Anyway, carry on with the regularly scheduled overanalyzing and radical tangents. I'll try to stay out of the way.

I certainly won't be talking about ea0890697a77af0a2e054cccec587c8a42feb5cf38e778c6c6e2a96bfb945c0b, or bb0347a468d97e98a9c00e37cebec1ab930f6f1221cae0f1fbb92b07e1900ba2, and especially not 3c01eba119e00d79c82b6f65d70bc5f1044d568618bf41377e6d1432023fc2b8. ;)

Great response! Mature and to the point.

Now, could you pass me the salt? :biggrin:
 
To all the "copying software is not the same as stealing a beer" folks:
What is your stance on, say, some Chinese company buying a Model S and designing and selling an exact replica, made in "copy exactly" style, including the content of flash chips?

They didn't take anything material from Tesla, they paid for a product and "did what they wanted with something they paid for".

Why is copying SW OK, and copying material product not OK?
You have to distinguish personal curiosity and commercial profit.
 
Put it this way. Tesla could have just left well enough alone and all would be fine right now. Heck, they probably could have just called me and convinced me to post some stuff saying that the P100D was a prank or something.

Instead they decided to just childishly retaliate by going into my car remotely (which they do not own, and did not have permission to access), and made it so that it would re-download and attempt to downgrade to an earlier firmware. And to what end? What exactly would doing this accomplish besides irritate me? Seems like someone over there is making some very poor decisions.

It is always possible someone in the IT department decided to mess with you because they could and this had nothing to do with any direction from the top. A company is still responsible for the actions of its employees though.

Edit: It looks like wk057 came to the same conclusion. I didn't realize when I was on page 3 that this thread is 24 pages already!
 
Before I get irritated, is there anyone else that still has this update pending but not installed? It's been suggested that I may not have been singled out and that this update was "recalled" per se. But if anyone else still has it staged (has the alarm clock) then that isn't the case.

Better yet, did anyone else that had the alarm clock have it vanish?
No but a ghost appears in my back seat sometimes when I look in the rear view mirror
 
I do wish everyone who rushed to chastise wk057 would be mindful of the following in future:

wk did not intend to leak this information

His cryptographic hash was supposed to keep the new model name secret. He intended for people to check back later – after Tesla’s official reveal – and find “P100D” was the string he obfuscated.

Unfortunately, he underestimated how fast the hash would be broken. SHA256 is considered a strongly one-directional transform, but in this case (short string, no salt, string exists in cracking dictionaries) it was broken quickly. Were it not for this, there would’ve been no leak.

This was a mistake, not malice or recklessness.

wk is keeping lots of other information in confidence

He knew about the new Slipstream rims, for example. He’s in a position to be one of the first people outside Tesla to see imminent cosmetic changes, names of new features and models (among other things,) yet you’ve only heard one thing through him (and that was an accident).

wk has helped Tesla make their cars more secure

He’s made multiple contributions to Tesla’s official bug bounty (which invites people to explore their software for weaknesses.) https://bugcrowd.com/tesla

If you own a Model S or X, you have benefited; your car is more secure as a direct result of his work. Maybe you could show a little appreciation?

Also, please stop going on about IP law. That has nothing to do with this.
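
The failure mode described in the post above (a bare SHA-256 of a short, guessable string, published as a "check back later" proof), shown next to a salted commitment that stays hidden until the reveal. This is an added example, not code from the thread or from anyone in it; the function names and the guess space are constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple

NONCE_LEN = 32  # fixed length, so nonce || secret parses only one way


def naive_commit(secret: str) -> str:
    """Unsalted commitment: a bare SHA-256 of the secret string."""
    return hashlib.sha256(secret.encode()).hexdigest()


def salted_commit(secret: str) -> Tuple[str, bytes]:
    """SHA-256(nonce || secret). Publish the digest, keep the nonce private."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return hashlib.sha256(nonce + secret.encode()).hexdigest(), nonce


def verify_reveal(digest: str, secret: str, nonce: bytes) -> bool:
    """At reveal time anyone can recompute the digest from secret and nonce."""
    if len(nonce) != NONCE_LEN:
        return False
    expected = hashlib.sha256(nonce + secret.encode()).hexdigest()
    return hmac.compare_digest(expected, digest)


def model_name_guesses() -> Iterable[str]:
    """Constructed guess space: optional 'P', a number, optional 'D'."""
    for prefix in ("", "P"):
        for number in range(40, 151):
            for suffix in ("", "D"):
                yield f"{prefix}{number}{suffix}"


def recover_unsalted(digest: str, guesses: Iterable[str]) -> Optional[str]:
    """What a reader can do with a bare hash: test every plausible string."""
    for guess in guesses:
        if naive_commit(guess) == digest:
            return guess
    return None


if __name__ == "__main__":
    bare = naive_commit("P100D")
    print("bare hash recovered as:", recover_unsalted(bare, model_name_guesses()))
    digest, nonce = salted_commit("P100D")
    print("salted hash recovered as:", recover_unsalted(digest, model_name_guesses()))
    print("reveal verifies:", verify_reveal(digest, "P100D", nonce))
```

The one-way property of SHA-256 is not what fails here: a few hundred guesses cover the whole input space, and only the secret random nonce makes those guesses untestable before the reveal.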