Comment by M95D

Comment by M95D 3 days ago

70 replies

> The CAN traffic is unencrypted. It was pretty easy to MITM this module with a cheap arm Linux board

And you didn't poison their databases and statistics with fake data?? OMG, I'm thinking of buying one of these cars just for this opportunity! (No, I'm not.)

emidln 3 days ago

I suspect this data is made "anonymous" and sold to insurance companies and misc data brokers. If it's linked to my insurance company, I don't want to jack my rates. Further, I've thus far avoided a CFAA conviction and I'd like to keep it that way.

  • andrei_says_ 3 days ago

    As anonymous as there are Miatas in your neighborhood parking in your driveway.

  • mindslight 3 days ago

    It would be an extremely totalitarian dynamic to be persecuted with the CFAA for modifying a device you own based on part of it having been (nonconsensually!) programmed by a third party to upload data to their own server. You own the device, so anything you do within that device is authorized. And the code that uploads the data is authorized to do so because it was put there by the same company that owns [controls] the servers themselves.

    I do know that the CFAA essentially gets interpreted to mean whatever the corpos want it to mean - it's basically an anti-witch law - so it's best to steer clear. And this goes double with the current overtly pay-to-play regime. But just saying.

    (Awesome description btw! I really wish I'd find a buying guide for many makes/models of cars that detail how well they can be unshackled from digital authoritarianism. A Miata is not the type of vehicle I am in the market for (which is unfortunate, for several reasons))

    • emidln 3 days ago

      If you can be prosecuted for guessing urls you can be prosecuted for sending garbage data in a way you know will be uploaded to a remote system.

      • rockskon 2 days ago

        The DoJ lost the case they went after for someone guessing URLs.

      • vkou 3 days ago

        You think criminalizing guessing URLs is unreasonable.

        What about guessing passwords? Should someone be prosecuted for just trying to bruteforce them until one works?

      • mindslight 3 days ago

        As a strictly logical assertion, I do not agree. Guessing URLs is crafting new types of interactions with a server. The built-in surveillance uploader is still only accessing the server in the way it has already been explicitly authorized. Trying to tie some nebulous TOS to a situation that the manufacturer has deliberately created reeks of the same type of website-TOS shenanigans courts have (actually!) struck down.

        As a pragmatic matter, I do completely understand where you're coming from (my second paragraph). In a sense, if one can get to the point of being convicted they have been kind of fortunate - it means they didn't kill themselves under the crushing pressure of a team of federal persecutors whose day job is making your life miserable.

    • cameldrv 2 days ago

      It might be interesting for an enterprising lawyer to try to flip this around. Suppose you send a letter to your car manufacturer saying that, as the owner of the car, you are prohibiting them from accessing the location of the car or performing unauthorized software updates and that any attempt to circumvent this will result in criminal prosecution for unauthorized access to your computer.

    • monerozcash 3 days ago

      Prosecuting someone for deliberately injecting garbage data into another person's system hardly seems totalitarian.

      > You own the device, so anything you do within that device is authorized

      You're very clearly describing a situation where at least some of the things you're doing aren't happening on your own device.

      > I do know that the CFAA essentially gets interpreted to mean whatever the corpos want it to mean - it's basically an anti-witch law

      FWIW this is simply not true. The essence of the CFAA is "do not deliberately do anything bad to computers that belong to other people".

      The Supreme Court even recently tightened the definition of "unauthorized access" to ensure that you can't play silly games with terms of service and the CFAA. https://www.supremecourt.gov/opinions/20pdf/19-783_k53l.pdf

      • elzbardico 3 days ago

        My device. I generate whatever the fuck the data I want. If you log it, kiss my ass.

      • JuniperMesos 2 days ago

        No it does in fact seem totalitarian. I support repealing the CFAA.

        • monerozcash 2 days ago

          I would absolutely love to hear the arguments behind this.

    • AngryData 3 days ago

      If you were to purposefully try to poison/damage their dataset and admitted as such you probably wouldn't win without spending an unreasonable amount of money on lawyer fees. Without admitting anything though and claiming ignorance it would probably be pretty easy to get dismissed, provided you are able to spend at least some money on a lawyer.

  • culi 3 days ago

    Then do the opposite. Poisoned data that can improve your insurance rates

    • micromacrofoot 3 days ago

      they use the data mostly to charge you more, you can't really get the price all that lower

      I've had a clean driving record for 30 years and I'm still paying the junk rates most other people get

      • tavavex 2 days ago

        So, it's like credit scores, basically? Advertise a happy, meritocratic future for consumers, where the "better"/more responsible ones will reap massive rewards at the expense of the "worse" consumers, and then keep adjusting the brackets until the system is only used punitively - you don't really get anything from a high score nowadays, your only goal is clearing a certain low bar to avoid negative consequences.

        • micromacrofoot 2 days ago

          Yeah exactly... it's stick or no stick, the carrot is the razor thin margin only used to keep you away from the competitors.

          At this point car insurance has gotten so bad that it's becoming normal that you can save hundreds of dollars by switching providers every 6 months. These companies are probably making millions on people who are just too exhausted to switch constantly.

elzbardico 3 days ago

Oh man. Logging insane average speeds and ludicrous acceleration during rush hour. Deliciously tempting idea.

  • idiotsecant 3 days ago

    Draw the old twig and berries in gps coordinates in hundreds of random cities, with velocity between points carefully kept to regular traffic speeds every single day until they shut the modem off.

  • tehjoker 3 days ago

    A data scientist will simply filter out impossible data when conducting an analysis

    • elzbardico 3 days ago

      That’s why you make this as popular as possible

    • GuinansEyebrows 3 days ago

      you give a lot of credit to an industry poisoned by the profit motive

      • tehjoker 3 days ago

        Just make sure you are criticizing the industry on things that are real. Accurate data collection (but not necessarily publication to a broad audience) is something industry does. Decision makers want to understand reality, they don't necessarily want you to though.