[aneth4]

I am surprised not to find a single response supporting restraint from publishing these codes. Is this community really that foolish? First, of course if there is a flaw, it should be studied and fixed inasmuch as possible. Reasonable people can debate whether it's appropriate to publish methods and flaws, though the free speech question is more murky here. However publishing the actual keys - as opposed to the methods - is madness.

Let's consider parallel situations not involving protecting rich peoples' luxury posessions, which seems to be clouding everyone's judgement here.

Some examples where an encryption key is discovered or reverse engineered, and a scientist wants to publish them:

- a key which can shut down every ventilator

- a key which can remotely control the throttle on high speed train

- a key which can explode a nuclear warhead

- the key to your bitcoin stash

- the google master ssl private certificate

There are an infinite number of such examples. I'm shocked and disappointed that the HN community finds publishing keys, as opposed to systematic flaws, acceptable.

Presumably the cognitive dissonance arises from a distaste for rich people. However even if this mostly results in mere car theft, it could also easily result in the innocent being harmed.

Free speech, even under the US first amendment, rather clearly does not apply to publishing private encryption keys, particularly ones that can cause grave harm.

Shame on the HN community.

What if the headline were:

Scientist banned from revealing codes used to control school bus brakes

[count]

You shouldn't be so quick to cast aspersions against the community, and when the vast majority of people agree with something, take a second to question why that might be. There is, in fact, a flaw. It's a very significant flaw, and has been studied, etc. for years (in the article it mentions, since 2009!). Volkswagen has done nothing to address the flaw in the past few years.

In many cases, without publishing the keys to make it PAINFULLY obvious to everyone that the vulnerability exists, large companies can spread disinformation and influence public perception that the vulnerability is minimal or doesn't really exist outside of a special case/etc.

In this case, VW is very obviously not planning on updating things, fixing the vulnerability, or addressing things. The vulnerability and the codes have been available on the internet for YEARS without a proper response from VW or a bulletin or other addressing of the issue (and obviously no 'fix' either).

This is one of the key points of the 'responsible disclosure' debate: many companies DONT CARE unless they have to, and will just sit on things indefinitely. With all this publicity, I bet VW addresses this pretty significant vulnerability sooner rather than never now.

Do you disagree with free speech being used to publish de-css or the blu-ray decryption keys? If your security depends entirely on a single key being not discovered and re-used (because you have no way of changing it, for example), you really have a horrible security model. If you're selling that security to people, and it's really not effective at all for it's purpose, then how much different is that from false advertising or even fraud (given that you KNOW that it's not effective, or has already been easily subverted).

[aneth4]

The argument you are making - that the keys are already available - is not being made elsewhere here and is probably untrue. If it were true, there would be no reason to ban this publication nor would it be anything other than folly.

Given that Volkswagen spent significant effort to block the publication, I have to presume you are just making shit up.

Even if what you say is true, the argument being made here on HN is that the keys should be published regardless of whether they are available already - which is, quite simply, ethically indefensible.

[count]

I'm not making the argument that the keys are available already - I'm making the argument that the vulnerability has been previously disclosed, and that VW has done nothing about it. In fact, they have discounted it.

It's easily ethically defensible - there is no moral imperative to keep the knowledge of something secret which may cause injury to others by being kept secret. In fact, just the opposite. VW is in an ethically indefensible position, as they are in the position of selling vehicles with systems marketed specifically as 'secure' that are, in fact, not secure at all; a fact which has been known to a smaller community (and VW) for over 4 years. THAT is ethically indefensible.

Sometimes, publishing details in a painfully easy to reproduce manner is the only way to get a company to FIX the problem, which is the point in all of this. For a great physical analog, see the 'pen and u-bolt lock' trick. It wasn't until a Youtube video appeared showing just how ridiculously easy that lock was to break that the company updated it's design and fixed things.

[aneth4]

So your making the argument that enough time has elapsed in which the car maker could have fixed the problem. In other words, you are not making an argument supporting publishing freely and immediately. You are implicitly supporting restraint for at least as long as some subjectively determined time it should take for the manufacturer to fix the issue, and support publishing as a method to pressure the manufacturer. This is entirely different from supporting free speech at any cost.

You then go on to say there is no ethical imperative to withhold information that may harm others, which is both wrong and contrary to your prior implication - that publishing is ok after a window has passed for the issue to be resolved.

This reasoning is contradictory and flawed.

[ihsw]

Way to go with the "think of the children" rhetoric. Who's to say that criminals and malicious governments alike don't already have these codes? Obviously the codes need to be disabled, so why not speed up the process?

Personally I feel that an outright ban is unacceptable, however a six month delay is reasonable.

In fact the scientist may have been sitting on this information for quite some time now, and Volkswagen et al have probably already been notified but they refuse to fix it (be it laziness/stupidity, it's outright negligence). My point is we don't know anything except that there's a vulnerability.

Car cyber-security has been in the news recently, and the reports indicate that cars represent a massive attack surface that is very poorly protected. Automobile manufacturers need a swift kick in the ass now more than ever.

[aneth4]

Who's to say malicious people DON'T already have the codes? Clearly Volkswagen and the court believe they do not.

I agree that a perpetual ban is not acceptable in this case. Industry should have to fix the situation and the keys should not be predictable from this hardware.

[cpncrunch]

I completely agree. The prevailing opinion on HN seems to be 'free speech at all costs'.

You do NOT need to publish the codes to allow others to replicate this research. Publishing the codes simply allows you to bypass spending the $50k to replicate this research and break into any car with little effort.