by count 4717 days ago
You shouldn't be so quick to cast aspersions against the community, and when the vast majority of people agree with something, take a second to question why that might be. There is, in fact, a flaw. It's a very significant flaw, and has been studied, etc. for years (in the article it mentions, since 2009!). Volkswagen has done nothing to address the flaw in the past few years.

In many cases, without publishing the keys to make it PAINFULLY obvious to everyone that the vulnerability exists, large companies can spread disinformation and influence public perception that the vulnerability is minimal or doesn't really exist outside of a special case/etc.

In this case, VW is very obviously not planning on updating things, fixing the vulnerability, or addressing things. The vulnerability and the codes have been available on the internet for YEARS without a proper response from VW or a bulletin or other addressing of the issue (and obviously no 'fix' either).

This is one of the key points of the 'responsible disclosure' debate: many companies DON'T CARE unless they have to, and will just sit on things indefinitely. With all this publicity, I bet VW addresses this pretty significant vulnerability sooner rather than never now.

Do you disagree with free speech being used to publish DeCSS or the Blu-ray decryption keys? If your security depends entirely on a single key not being discovered and re-used (because you have no way of changing it, for example), you really have a horrible security model. If you're selling that security to people, and it's really not effective at all for its purpose, then how much different is that from false advertising or even fraud (given that you KNOW that it's not effective, or has already been easily subverted)?


The argument you are making - that the keys are already available - is not being made elsewhere here and is probably untrue. If it were true, there would be no reason to ban this publication nor would it be anything other than folly.

Given that Volkswagen spent significant effort to block the publication, I have to presume you are just making shit up.

Even if what you say is true, the argument being made here on HN is that the keys should be published regardless of whether they are available already - which is, quite simply, ethically indefensible.

I'm not making the argument that the keys are available already - I'm making the argument that the vulnerability has been previously disclosed, and that VW has done nothing about it. In fact, they have discounted it.

It's easily ethically defensible - there is no moral imperative to keep the knowledge of something secret which may cause injury to others by being kept secret. In fact, just the opposite. VW is in an ethically indefensible position, as they are in the position of selling vehicles with systems marketed specifically as 'secure' that are, in fact, not secure at all; a fact which has been known to a smaller community (and VW) for over 4 years. THAT is ethically indefensible.

Sometimes, publishing details in a painfully easy to reproduce manner is the only way to get a company to FIX the problem, which is the point in all of this. For a great physical analog, see the 'pen and U-bolt lock' trick. It wasn't until a YouTube video appeared showing just how ridiculously easy that lock was to break that the company updated its design and fixed things.

So you're making the argument that enough time has elapsed in which the car maker could have fixed the problem. In other words, you are not making an argument supporting publishing freely and immediately. You are implicitly supporting restraint for at least as long as some subjectively determined time it should take for the manufacturer to fix the issue, and support publishing as a method to pressure the manufacturer. This is entirely different from supporting free speech at any cost.

You then go on to say there is no ethical imperative to withhold information that may harm others, which is both wrong and contrary to your prior implication - that publishing is ok after a window has passed for the issue to be resolved.

This reasoning is contradictory and flawed.