by KeytarHero 3979 days ago
> But the way most people are talking about this you'd think that as soon as the method for doing this hits the internet, script-kiddies are going to start randomly crashing Jeeps into bridge pylons.

You mean the same script kiddies who think it's hilarious to sic a SWAT team on someone's house? It's not like script kiddies everywhere would start doing this - but all it takes is 1 before you've got a problem, and I'm sure that if it was easy enough for any script kiddie to do, at least one of them would.

Say the car manufacturer made no attempt at security whatsoever - all you had to do to take control of the car's critical systems was know its IP address and guess its 8 character max admin password. Would that really not be on the manufacturer?

1 comments

People today, in low-tech real-life, have been known to go and throw rocks off overpasses. People have died. People have also gone to prison.

It's not the car manufacturer's responsibility to protect their customers from that.

Make the same thing possible for someone to do from their basement, and sure: people will die; people will go to prison.

Look, I'm not actually trying to absolve Chrysler of responsibility here, I'm trying to get to the bottom of why when virtual meets physical, we act like the nature of the internet fundamentally changes things. I'm interested in what it is about this threat to car owners which is different from existing threats.

It fundamentally changes things because it's so easy to do anonymously. If someone drops rocks off an overpass, it's pretty easy for police to track them down and arrest them. If someone attaches a bomb to the bottom of a car, sure it's harder to get caught than dropping rocks off an overpass, but you still need physical access to the car, and it's still relatively traceable. But if remotely hacking a car, it would be pretty easy to stay anonymous. Plus, in both those other cases it's obviously foul play, whereas if a hacked car runs into a wall it's probably not going to be so obvious.

Plus, the anonymous nature of the internet makes it much easier to become detached from the real-life consequences of your actions. Just look at all the examples of online harassment from people who would never say things like that in real life. Look at people who go and grief kids' Minecraft servers, yet wouldn't go and kick over their sand castles in real life. Look at morons who swat people.

Actually, come to think of it, maybe it's not so different - if it was found that a big car manufacturer had a problem with their door locks and you could open it just by sticking a toothpick in, you can bet they would take the blame once they started getting stolen.

I'm not saying the responsibility is solely on the manufacturer, but they definitely bear a major part of it. When you buy a car, you expect a reasonable amount of security. I guess the question is where we draw the line as to what counts as reasonable.

> I guess the question is where we draw the line as to what counts as reasonable.

Yes, exactly. And I think a lot of people, including me, would say that anything that can be done entirely in software is reasonable.

Hmm. Does this mean that anyone doing safety-critical embedded software should be compelled to formally verify every line of their code? I'll have to think about that. That might be going a bit too far given the present state of verification technology. On the other hand, it would be a great thing.