Utterly irresponsible, but a critical reminder of why security is important

http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

Personally, I think someone should face charges over this stunt, which could have easily caused mayhem, rather than inconvenience, on the highway.

But that aside, this is one of the higher-profile examples of why we all need to be thinking about security first and foremost in any connected projects we create. That doesn’t mean freaking out or obsessing. It means properly assessing the assets that require protecting, the potential attack vectors our solution may expose, and how to minimize the likelihood of any given attack succeeding, while still enabling the functionality we require.

And I’m just going to predict right now…legislation won’t fix this, because politicians have no clue and will likely, good intentions notwithstanding, probably end up incentivizing butt-covering over actual security. So things will likely get worse before they get better.

But we, as a community, can push one another to focus on security, so that we’re never responsible for headlines like this in a major newspaper or magazine. :)


@devhammer, thanks for sharing this. It blew my mind that any auto manufacturer would allow those types of controls to even be accessible, let alone even code it in.

That was a very eye-opening & damn scary thing to read about.

Wow. While I agree that legislation alone may not fix this, I do agree that it is needed. If a company is going to make life-threatening services available then they should be held accountable if they do it wrong - even more so than the hacker, IMO.

@ianlee74 - Be careful what you wish for…this is legislation that may well put some of us at risk, either in terms of added liability, or in terms of stifling the industry we work and play in.

I’m a fan of not legislating without fully understanding what the impact of legislation will be. Far too often, politicians legislate because “we must DO something!” and end up with unforeseen (but completely predictable) consequences.


@devhammer - I understand. However, in this case I see this as the car manufacturer’s equivalent of physician malpractice. It definitely shouldn’t be rushed. Perhaps it’s not needed because there’s already some law that covers it. I don’t know. But, if someone is able to hack into my car and gets me killed then I certainly hope that my wife would be able to take the manufacturer to the cleaners for it.

I agree this is a manufacturer problem. Therac-25 anyone? Mostly I think this is a legislation fix. The practice of Software Engineering should be done by licensed practitioners. There are many cases where software flaws have cost someone their life, and millions in equipment loss. Exploits should be classed as flaws in the software.

To be very clear - I did not suggest that software engineers should be held responsible (by law) for any losses resulting from a failed product. There are a lot of decisions that get made including the amount and level of testing permitted on a product that are far outside of the control of the engineer but are ultimately corporate decisions not engineering ones. I do, however, think that companies should hold all their employees accountable for the quality of their work but that is beyond the scope of any government laws.

Actually, I am suggesting that the software Eng. be held accountable by law. At least the Software Arch. just like Civil Eng.

So, if someone blows up a bridge support and it collapses, you think the bridge designer is responsible because there was no security at the site?

I respectfully disagree. When you are low enough in the food chain to be told not to spend time in a particular area of code, is there any reason to then be held accountable?

Being the one who is held accountable will put you at the top of the food chain. It gives you the right and the power to say NO. And if management replaces you then your replacement will also be able to say NO.

Blowing up a bridge doesn’t make the Civ Eng accountable; but if the bridge is supposed to hold a certain weight, and it collapses under that weight, or a bridge of that nature shouldn’t have been built on that soil in the first place, then…

Sorry, I think that’s a naïve view. It will never be empowering for the software dev. It will never override the requirement to make money that comes from delivering a product; I’m sure we’ve all heard of companies that if you don’t ship a product today, you don’t have a company tomorrow, and making decisions where to stop development have to happen.

The way to make lasting change isn’t through legislation that puts developers in the firing line, or even puts company execs heads on the chopping blocks. But by ensuring appropriate accountability for security for “connected devices” and undertaking due diligence WRT security, you ensure that everyone learns from mistakes like this and deal with it. It’s the evolution of software, and has to be taken seriously.

Licensed practitioners, eh? Good luck with that…would kill our industry by making software engineers too expensive to hire. And I very much doubt that it would greatly improve the security of the systems being built.

Doctors have to be licensed and board approved, and yet we still have many cases where the wrong meds are prescribed, or surgical instruments are left in a patient. Lawyers are required to pass the state bar, but there are still plenty of incompetent lawyers.

Regulation does not prevent incompetence. It does raise a barrier to entry, and it does increase the cost of entering a given profession.

The people who write the software that controls the car must be licensed practitioners. For everything else a basic coder will do. Do nurses get sued for malpractice?

If they’re responsible for the malpractice, they probably do.

Personally, I think asking for licensure of any kind in the software industry will simply be the camel’s nose under the tent. Once someone realizes that there’s an opportunity for profit in this sort of regulation, we’ll have more than we can handle.

Be careful what you wish for…you may just get it…

@Mr. John Smith - I can assure you that there is no such thing as a software engineer. I started life as a mechanical engineer and what folks call software engineering isn’t engineering. We knew, for example, what the properties of steel were and how they predictably fail. What are the properties of software and how are failures predictable, for example?

Charlie Miller should be a world hero as a champion of security for the everyday person. What is really funny is I have a security associate at Microsoft who drives a Jeep and this is his license plate.

Serious stuff for sure, but again we will discover security isn’t cheap, nor is it predictable, so our options are (other than cloning a Charlie Miller for every software project).

I’m kind of on the fence on the ‘Engineer’ title. I started out in Mechanical Engineering and finished in Computer Engineering back when PGAs were a new thing and LSTTL was cool, and software feels like it lives somewhere between math (formal methods, analysis of algorithms, first-order predicate calculus, process algebras, etc.) and art.

But maybe the synthesis of math and art is what ALL engineering is. The fact that some software ‘engineers’ apply more art than science/math just means that they are weak engineers. Their work is the equivalent of building bridges by ‘look’ and by gut feel rather than by availing themselves of the tools like finite element analysis.

http://theinstitute.ieee.org/career-and-education/career-guidance/licensing-software-engineers-is-in-the-works

The IEEE sums up my feelings about it. Ultimately, if my life depends on some coder just out of a 4 week code school bootcamp, I’d like to know that they understood the responsibility they bear and were at least validated by an independent 3rd party. Programmers need to be able to say “No Mr Project manager, this code isn’t reviewed and tested properly yet. We cannot launch; I’ll lose my license!”

There just needs to be a way to differentiate a coder from a programmer from an engineer. It’s not going to raise software costs, because there will always be coders and programmers around. When it comes to ensuring the brakes work: Engineer.

Well, I do agree with you there. I was talking about my sort-of-academic definition of ‘engineer’. Certifying those qualifications and certifying a candidate’s understanding of the ethical responsibility that goes with them is fine with me.

I think anybody should be able to call themselves a developer, but that the “engineer” title should come with that more formal requirement.

Some time ago, I do recall reading that the State of Texas requires (required?) anyone calling themselves ‘engineer’ in any field to have a license.

I’ve listed “Engineer” as part of my software job title for every position I’ve held for the past 32 years, regardless of whatever the company itself called the job title.

But that’s a very Silicon Valley meritocracy thing. Job titles there aren’t very formal.

I come to New Zealand, and everyone is so “British” and class-minded in their formality of job titles. They find out that I didn’t go to university, and it’s suddenly “How can you call yourself a software engineer?” - so now I’m officially a “Senior Software Designer” which sounds lame to Silicon Valley ears.