undefined | Better HN

0 pointsdcow2y ago0 comments

> It's not the responsibility of the free world to try to pry the exact details from closed systems to demonstrate their exact insecurities.

Actually you're wrong. It is the responsibility of the person making an accusation to back up their accusation with credible evidence and facts. That's how things work in the free world, at least. Presumption of guilt is just too dangerous and detrimental to a free society and so presumption of innocence is ingrained in our entire legal and judicial framework.

I'm not defending Tesla in the face of evidence that they are naive and abusive. There's simply not evidence in the first place that they're naive and abusive (and if there is, you've certainly failed to procure it). There is, in fact, the opposite, as reported by security researchers and as stated in their privacy policy.

> Tesla (any every other centralized system) really does not deserve any benefit of the doubt that they have done work to actually design a telemetry/privilege minimizing system.

It's not the benefit of the doubt. I was literally in the room at Defcon when Kevin Mahaffey and Marc Rodgers gave the talk that kicked off the Tesla bug bounty and security research program in 2015. And they had good things to say. Certainly their impression was not "this shit's dubious IDK if we can trust Tesla's security engineering" which you seem to be implying is your default impression because Tesla is #bigtech.

    https://www.cnet.com/roadshow/news/tesla-hackers-explain-how-they-did-it-at-def-con-23/

And the story only grows from there. I maintain that, to my current working knowledge, Tesla takes security and privacy seriously and invests commendable resources into making sure its platform is secure. They invest in and support security researchers. And their data collection and privacy behavior is above board in all places where they sell cars.

Here are some privacy policy excerpts:

> Your Tesla generates vehicle, diagnostic, infotainment system, and Autopilot data. To protect your privacy from the moment you take delivery, Tesla does not associate the vehicle data generated by your driving with your identity or account by default. As a result, no one but you would have knowledge of your activities, location or a history of where you’ve been. Your in-vehicle experiences are also protected. From features such as voice commands, to surfing the web on your touchscreen, your information is kept private and secure, ensuring the infotainment data collected is not linked to your identity or account.

> Tesla enables you to control what you share. Within your vehicle’s touchscreen you may enable or disable the collection of certain vehicle data (Software > Data Sharing), including Autopilot Analytics & Improvements and Road Segment Data Analytics. If you choose to enabled data sharing, your vehicle may collect the data and make it available to Tesla for analysis. This analysis helps Tesla improve its products, features, and diagnose problems quicker. The collected information is not linked to your account or VIN and does not identify you personally.

Do you have evidence that Tesla is not honoring its privacy policy? If you want to change my mind, show me the data on how Tesla's systems are insecure/naive/user-hostile and I'm happy to continue the conversation.

Consider this: you can buy a Tesla in the EU, no? You think Tesla has code like `if user.country == "USA" && user.state != "CA" { user.abuse() }`? I think it's actually more likely that, since Tesla is a global company, that they have a better security and privacy story than most strictly-USA focused companies. I actually trust small US startups far less than mature multinational corporations with my data. I've been at both and large companies have swaths of lawyers making sure people are in compliance with the law where small startups have trendy founders that prefer to ask forgiveness rather than ask permission.

0 comments

mindslight2y ago

> It is the responsibility of the person making an accusation to back up their accusation with credible evidence and facts.

This isn't tenable for security, especially in light of computational complexity. Rather it is up to the party claiming "trust me" to show that they are trustworthy. One major way of doing this is to publish source code that is easier to audit than having to reverse engineer. There is a long history of proprietary companies claiming to be secure while actually being an absolute mess internally. In the face of that dynamic, it is reasonable to be suspect of proprietary systems a priori.

> Do you have evidence that Tesla is not honoring its privacy policy? If you want to change my mind, show me the data on how Tesla's systems are insecure/naive/user-hostile and I'm happy to continue the conversation.

The argument isn't that Tesla is not honoring its "privacy policy" or is currently abusing its backdoors today. Rather it's that the systems they have shipped can be easily abused tomorrow. I've used the words "insecure" and "naive" about the security of Tesla's cars versus Tesla as the attacker - a threat model that bug bounties generally don't address. I do agree that currently, Tesla is (seemingly) not doing much attacking of their customers. The point is that can change tomorrow and the software has been seemingly designed so there will be little the owners of cars can do to protect themselves.

I looked through your comment history to see where you're coming from. Surely as a Linux user you can appreciate that there is a stark difference between software that is widely expected to respect your own interests as the user (and has been decently scrutinized for this quality), and mostly opaque software that has been created by a company to chiefly serve that company's interests? Especially software that has Internet access, so that its behavior can change when the company's interests change?

j / k navigate · click thread line to collapse