Subscriber Discussion

Is This Possible In Security, And Would It Be Accepted By End Users?

Mark Jones
Apr 22, 2015

I read this story last night on John Deere and others, and the use of computer code in their equipment. The code of course is proprietary, but major manufacturers are going to court to legally block anyone (even owners) from access to it. As a youngster and teenager I was a farmer so naturally I have opinions about this, although they are antiquated. It did start me to wondering though about such far-reaching ramifications in our own industry; or would there be any? It occurs to me that in today's digital world, an awful lot of what we touch has proprietary code. To get updates means someone has to pay. But we could and some probably do change the code from time to time to suit their needs. Would a manufacturer actually go to court to block that? Or would that be seen as too far-reaching in such a competitive environment? Not earth shattering, but worth some thought.

John Honovich
Apr 22, 2015
IPVM

The author of the Wired article seems either confused or manipulative. He declares his intentions deep inside the piece:

"We’re trying to open the floodgates of information. To let owners investigate the code in their devices. To modify them for better functionality. To repair them, even without the blessing of manufacturer."

He can certainly advocate for that but it's certainly not the law today. You are not allowed to simply modify Genetec or Milestone's code 'for better functionality' or to do that to an iPhone or Windows OS. These platforms might provide APIs to extend functionality but 'letting owners investigate the code in their devices' is not typically allowed for proprietary software.

On the other hand, even for proprietary software, whether it's in a tractor or from Milestone, the user generally has a perpetual license to that software, meaning that the developer cannot stop you from using that version 2 years or 5 years or 10 years from now. Of course, they can stop you from new versions of the software.

Net / net, I think the John Deere article is conflating what is the reality today vs what the author hopes to change.

Steve Mitchell
Apr 22, 2015

John's right, this is nothing new in the world of software. For many years software has come with a contract called an End User License Agreement "EULA" that provides the user with a 'right to use' the software, but does not imply any transfer of ownership whatsoever. You do not pay for the software, you pay for a license contract to USE the software. Ironically, it's not the code you buy, it's the license itself.

Software is a different fundamental thing than physical objects. Like it or not, the convention of proprietary software business models is to structure licensing and ownership in this way because the software is really just the embodiment of thoughts and ideas that the developers created. Since there is zero barrier to copying the thoughts/ideas, the proprietary developer protects themselves by retaining the rights to the software and the ability to charge for it what they will.

Many 'free software' advocates think this is fundamentally wrong. And in many ways the market has proven them out with the vast ecosystems of open source software we enjoy today. But let's face it, there are many corners of the business world that nobody really "wants" to develop code for, and that specialized code often requires significant incentive (i.e., money from selling proprietary software licenses) to justify investment of time and effort.

Right to modify, which this article is also focused on, is not so cut and dried, but is related. Given that much proprietary software comes with support and warranty, the developer must limit the user's rights in order to limit their liability. I imagine in the case of software involved in heavy machinery liability in terms of safety is also a big concern and an issue where the developer would want to retain much control--something the license agreement can provide them nicely.

Undisclosed #1
Apr 22, 2015
IPVMU Certified

This article is a call to arms from an arguably biased source, the CEO of iFixit, who no doubt prefers fewer copyright restrictions.

Although I actually agree with a lot that he says, I do find objectionable his tactic of trying to portray the issue as being the poor farmer holed up in his barn, modifying his broken tractor's firmware afraid that the DMCA cops will bust down the door at any moment.

Which is a crock, but it generates a reaction from those not familiar.

The likelihood of a single person finding an error in compiled, obfuscated and encrypted code, and then successfully modifying the executable at the byte-code level hovers right around 0.

Often the people who wrote the code and have full source and documentation have major difficulties themselves!

No, the reverse engineering that is the real threat to tech manufacturers is the jailbreaking of devices, like iPhones and cable boxes, so that they can be used without restriction as generalized computing devices. So it's a threat to Apple if you don't have to go thru the AppStore to get your apps. And it's a threat to John Deere if you don't have to go thru the DeereStore for theirs.

But instead of even mentioning the real issues we just get the sob stories...

John Honovich
Apr 22, 2015
IPVM

"The likelihood of a single person finding an error in compiled, obfuscated and encrypted code, and then successfully modifying the executable at the byte-code level hovers right around 0."

I got faith in you undisclosed A....

Undisclosed Integrator #2
Apr 23, 2015

Have we missed the point here though? I'd suggest that what we're looking at is that Farmer Joe has a still functional tractor 30 years down the track and John Deere has locked down all the service manuals & diagnostic tools with copyright but no longer supports the product so Joe can't fix his tractor.

There are plenty of tractors from the 50s and 60s still in service today. Even if you're not doing it maliciously, copyrighting everything is only going to screw the consumers particularly for those products with long lives. Now that's not particularly applicable to us as I don't see many security products having decade long life spans aside from maybe some alarm panels but it's relative peanuts to replace an old panel. It might cost you as much as 200K to replace a tractor.

With all that being said, it's not beyond a company to try and enforce DMCA on something ridiculous. Keurig and their kcups would be the most obvious example of this.

John Honovich
Apr 23, 2015
IPVM

"John Deere has locked down all the service manuals & diagnostic tools with copyright"

How is copyright 'locking down' any normal use? Copyright does not prevent the user from reading the service manual now or 100 years from now. Copyright prevents people from re-selling or redistributing the manual to others, which is pretty standard.

Mark Jones
Apr 23, 2015

Since I started it, I will wade back into it. B above actually makes my point better than I do. While this is not completely relevant to my point about security products, I did farm for years before I got into this business, and we did have equipment we could work on and repair ourselves. When running properly, it served us well, and for the most part, we could repair it ourselves.

Today, as we see in this article, not only with tractors, but with cars and coffee pots, that is no longer the case. Because software has become an integral part of the device, we can't repair it ourselves.

But let's suppose we could. Let's suppose we were clever enough with time on our hands and could sling some code. As I read it, we are not allowed to tweak it and make it do precisely what we want. I completely understand the principle behind EULA and DMCA. If I choose to "tweak" the code, that is my problem and my responsibility. If my tweaking causes a problem, or if I need more in-depth repairs from someone else and they have to restore the code, I should have to pay. That is my risk.

Maybe I should ask the question this way: if you pay your money for a device, regardless of what it is, at what point is the thing mine to do with as I please?

John Honovich
Apr 23, 2015
IPVM

"I did farm for years before I got into this business, and we did have equipment we could work on and repair ourselves."

You are going to 'repair' software?

I get where you are going but the cost and complexity of individually 'repairing' and 'modifying' software is way higher than fixing a broken axle or replacing worn gears.

Also, software does not break down like hardware does, so it's just not going to have the same need to be repaired as mechanical parts of a tractor.

Even in my car, sure you periodically change oil or brake pads or tires, but how often do you really need to replace parts of your car's software?

Mark Jones
Apr 23, 2015

In my particular case, more often than I would like. I get told by my mechanic at least once/year that "it's software", or "it's the computer". I recently had my dashboard changed out to fix a gear problem in the dashboard. To fix the gears, I had to buy a new dashboard module, and the software had to be purchased separately. 295.00 for the software for the dashboard module. And even then, he installed the wrong software (the module revisions were very close). Then I had warning lights on my readout for things not even installed in my vehicle. It was an honest mistake, and they replaced it at no charge, but still, the vehicle was off the road for a day or two. Right now, I have a code that comes up on my display that will not go away. It has been cleared by the mechanic several times and always comes back. It is not a safety issue per se, but it is a huge nuisance.

That is one reason (not the only one) people held onto Microsoft XP for so long. It just worked and worked.

Undisclosed #1
Apr 23, 2015
IPVMU Certified

"Today, as we see in this article, not only with tractors, but with cars and coffee pots, that is no longer the case. Because software has become an integral part of the device, we can't repair it ourselves."

Unfortunately it gets worse from here on out. Why? Because at least you physically have the software that runs your device, DMCA or not. The way it's going the critical code of many future (and some current) devices will run in the cloud, which is a far scarier proposition.

Consider the August SmartLock:

August is designed to use Bluetooth Low Energy to communicate with your phone. Your phone will then communicate with the server using the cellular or data connection on the device. Your authorized smart phone will need to have internet connection - either wireless or cellular data - to operate the lock.

Soon your Smart Tractor could 'brick' in the field if John Deere goes belly-up and hasn't provisioned "perpetuity cloud services". In this case there is no code to reverse engineer, legally or not.

Christopher Freeman
Apr 27, 2015

I don't see the problem here, the company owns the patents, sets up a protection layer for the service of his patent for future and builds in a RMR for his company.

Like hundreds of other products out there, same concept

Quite Common, all and every company out there is doing this same thing. Just a different way.

All Access, Alarm, Video systems have built in hardcodes or back doors into the programs for the repair or testing of the systems true operational analysis. No Biggy

If you use any product within the last 30 years you will find that all eproms, eeproms, base chipsets have built in codes.

Many do not even know what a binary chipset code is so they don't look at it.

Even more common with the Intel, MS, Apples, Droids are these back door chip codes.

Not open to the avg or public

Who wants everyone out there figuring out how to defeat your systems anyway, and screw it up so the factory has to fix it anyway.

If you're not an advanced programmer with at least a little education, you should not even be trying to get into the codes.

As for the farmer, he should just use his common sense to bypass the coded chipsets, and use other products to get things operational or even spend a little INet time researching the system for codes.

Every system out there today has these encoded side doors or back doors into the system.
