this post was submitted on 28 Jan 2024
475 points (99.2% liked)

Technology

59589 readers
2838 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
top 50 comments
sorted by: hot top controversial new old
[–] IdiosyncraticIdiot@sh.itjust.works 126 points 10 months ago (1 children)

discovering 49 zero-day bugs in EV systems

Holy shit that's a lot of zero days homies

[–] MadMadBunny@lemmy.ca 32 points 10 months ago (3 children)

More holes than Emmental cheese lol

[–] lando55@lemmy.world 22 points 10 months ago (1 children)
[–] RealFknNito@lemmy.world 9 points 10 months ago

More holes than even Stanley Yelnats could dig.

[–] Amputret@lemmy.dbzer0.com 5 points 9 months ago

Surely, that’s the intention behind the Swiss cheese model?

[–] Kazumara@feddit.de 2 points 9 months ago* (last edited 9 months ago) (1 children)

Btw did you know Swiss cheese has copy protection? I know the thought is pretty random, but I thought I'd share anyway.

https://www.chimia.ch/chimia/article/view/2016_349/1089

[–] RealFknNito@lemmy.world 3 points 9 months ago

Parmesan does at well. At least the real stuff from Italy does.

[–] Petter1@lemm.ee 86 points 10 months ago (1 children)

90 days till release of Zero-Days 😉 don’t update your tesla 😂 so you can gain root and really own that car

[–] THEDAEMON@lemmy.ml 27 points 9 months ago (3 children)

Just flash a custom os 😂

[–] Dudewitbow@lemmy.zip 36 points 9 months ago* (last edited 9 months ago) (2 children)

brb flashing TempleOS to let god be my driver /s

[–] TheDarksteel94@sopuli.xyz 4 points 9 months ago

Jesus, take the wheel!

[–] THEDAEMON@lemmy.ml 2 points 9 months ago* (last edited 9 months ago)

You would have to put a lot of faith in it.

[–] Buddahriffic@lemmy.world 15 points 9 months ago (1 children)

I hope it gets called something like edOSon and is filled with subtle insults to its namesake.

[–] munato@lemmy.world 9 points 9 months ago (2 children)

I'd fear it would drive into an elephant.

[–] vaultdweller013@sh.itjust.works 7 points 9 months ago

Pretty sure the elephant would win, after all at least one beat a steam locomotive.

[–] KillerTofu@lemmy.world 1 points 9 months ago

You’d say ohhhh Topsey at his autopsy!

[–] sugartits@lemmy.world 12 points 9 months ago

Hannah Montana OS for the Tesla!

What a time to be alive!

[–] RealFknNito@lemmy.world 48 points 10 months ago (1 children)

Scribbles

Another reason not to buy proprietary garbage. Where are the Open Source EVs at?

[–] FrederikNJS@lemm.ee 31 points 9 months ago* (last edited 9 months ago) (1 children)

Open-source EVs are a bit like Gentoo, you have to build it yourself.

[–] xthexder@l.sw0.com 19 points 9 months ago

There actually are a lot of really cool EV conversion builds on YouTube using fairly open parts. So I'd say this is perfectly accurate.

[–] snowe@programming.dev 35 points 10 months ago (1 children)

Wait so was the hacking live?

[–] pruneaue@infosec.pub 47 points 10 months ago

Yes, pwn2own is a live competition

[–] maness300@lemmy.world 31 points 9 months ago (2 children)

Wow. Imagine paying $1.4mil to find 49 zero days instead of hiring an actual security team.

The people who did this are fucking idiots.

[–] adrian783@lemmy.world 25 points 9 months ago (2 children)
[–] Zuberi@lemmy.dbzer0.com 15 points 9 months ago (1 children)

Exactly.

These white-hats make pennies in comparison to a real team hired for this job (or a black-hat team using it for politicized reasons)

[–] Blackmist@feddit.uk 3 points 9 months ago

$1.4 million vs the ability to steal as many Teslas as you want?

I'll take the money...

[–] autonomoususer@lemmy.world 26 points 10 months ago* (last edited 10 months ago)

Anti-libre software licenses can never defend us from Tesla.

[–] ganksy@lemmy.world 20 points 10 months ago (2 children)

Do they directly show(sell maybe) the exploits to the companies?

[–] uriel238@lemmy.blahaj.zone 42 points 10 months ago (2 children)

White hats can be prosecuted via the CFAA. they usually aren't (most of us are guilty of CFAA penalties) but some companies got sour to fixing their web security and instead would sue and push to prosecute.

So in the early 2010s the white hat community went gray to survive. And companies that don't pay their bounties oe cause trouble don't get pen tested by white hats (at least not when wearing a white hat).

[–] Patches@sh.itjust.works 5 points 9 months ago (2 children)

How do you know if a company is going to pay to fix?

Do you just have to take a chance and notify them?

Either I make a bunch of money, or they say fuck off, or they send me to jail? It seems too iffy

[–] aksdb@lemmy.world 2 points 9 months ago

I assume the idea is, that the company then has a contract with the hacker, so they can no longer sue him. They essentially hack themselves via proxy.

[–] Case@lemmynsfw.com 1 points 9 months ago

Bounties are a bit nebulous.

Actual pen testing companies have red teams (attackers) that have a scope of what they are allowed to target, and how they go about it.

For example, just because a red teamer can get into the data center to do stuff locally doesn't meet the scope requirement of testing their web page externally. They would be prosecuted most likely.

Pen testing companies also have lawyers, at least they should, who help negotiate scope and what is legally allowed and in what context.

Due to the secrecy needed for some tests, the security staff may not be aware a test is in place. From what I understand, generally people have some sort of paperwork on their person, or at least the contact information of someone at the company with the authority to authorize this red team pen test.

That being said, cops may still get called, you may still get arrested, and have to deal with the courts.

Or worse, some trigger happy security guard shoots you.

I'm just studying that stuff though at the moment, so take what I said with a grain of salt.

[–] ganksy@lemmy.world 4 points 9 months ago

Thank you! I appreciate the insight.

[–] WallEx@feddit.de 29 points 10 months ago* (last edited 10 months ago)

Thats what white hats would do and what these contests are usually for

But its more like a bughunt with an open Bounty then selling afaik

[–] DreadPotato@sopuli.xyz 11 points 9 months ago* (last edited 9 months ago) (3 children)

So, all these exploits seemingly still require physical access to the car/product electronics? If so, that seems to make it somewhat less of an issue (but still an issue of course) than if they could gain e.g. root access without physical access to the car or even proximity at all.

[–] PrettyLights@lemmy.world 28 points 9 months ago (1 children)

I'm not that worried about my laptop in regards to physical access because I don't usually leave it in public unattended for long.

My car? Sometimes that thing sits in a parking spot or paid garage for weeks when traveling. I also leave it unattended in public most times I go brick and mortar shopping.

[–] DreadPotato@sopuli.xyz 3 points 9 months ago* (last edited 9 months ago) (2 children)

Someone still needs to physically break in to the car, which will usually trigger alarms and attention. Like I said, it is still cause for concern, but moderate concern IMO. I would be a hell of a lot more worried if it was possible from anywhere in the world to take over my car remotely. The need for physical direct access to electronics inside the vehicle makes it less vulnerable.

Are you worried about leaving your laptop in your house/apartment? Because anyone could also just break in there and have physical access to your stuff, arguably with even more privacy during the act than with a car parked out in public plain view.

[–] PrettyLights@lemmy.world 2 points 9 months ago

Have you seen how fast car thieves can steal cars now? Through repeater attacks or special devices, they can be gone in 60 seconds.

Car alarms only deter the most casual of thieves.

[–] webghost0101@sopuli.xyz 2 points 9 months ago* (last edited 9 months ago)

Fair argument

There is one additional factor though which is that the majority of crimes happen on impulses and depend on perceived potential for reward. A tesla, if you know where to sell it is a clear reward. Cars also tend to be very standard. If you can steal one you know how to steal plenty.

For a house (tend to be more career criminals) you can never be sure there isn't someone home, a dog. Layouts are unknown, chance of leaving identifiable evidence goes up as you take time. Escape routes may be limited. There is definitely some additional risk Involved, creative skill required.

I am gonna go on a limb and say for criminals there as advantages and disadvantages to both types of thievery.

Goes without saying that appropriating/breaking items, invading living space from others for any other reason then life/death survival isn morally repulsive and wrong.

[–] Cqrd@lemmy.dbzer0.com 17 points 9 months ago

People said this about the Jeep vulnerabilities until they found a way to exploit them remotely.

Where there's smoke, there's fire.

[–] Zuberi@lemmy.dbzer0.com 9 points 9 months ago

It's a good thing people don't leave their cars unattended ever.

[–] Coldgoron@lemmy.world 8 points 10 months ago

Hell yeah brother.