
Student says he was unwitting drug mule, sues Ford - not_that_noob
http://news.msn.com/us/student-says-he-was-unwitting-drug-mule-sues-ford
======
crazygringo
At first I thought, how is this Ford's fault? How is this any different from
someone just picking the trunk lock?

But then I realized: Ford _actively provided_ the car codes to a car they'd
sold, to someone who wasn't the owner, without the owner's permission. This is
no different from the locksmith who installed the lock to your house, giving
someone else a copy of the key to your front door "because they said they knew
you".

Maybe Ford calculates that it's easier to just give out the codes to people
related to the dealers, for convenience, but that needs to factor in that they
_should_ be forced to pay heavy, heavy fines or restitution when bad things
happen.

And even worse, imagine if someone were raped or killed because of Ford's
negligence concerning codes. People's security in their cars is a serious
thing.

------
toki5
I'm not sure I'd call this Ford's fault.

>Lopez said the smuggling organization was able to get a duplicate key from a
locksmith in El Paso, who got the codes after calling up a Ford dealership.

>An FBI affidavit says someone at a Dallas auto dealer accessed the codes in
Ford's database, giving out more than 2,300 codes over an 18-month period.

I think dealerships, of all places, would be (should be) allowed to have codes
for cars in their lot. I trust dealerships to have these codes. If they do
nefarious things with them, they should be punished, but I don't think Ford
should be punished for having a dealership-accessible database of key codes.
Whoever was cooperating with the criminals is, to me, the person to blame here
(along with the criminals).

I'd have sued that dealership, not Ford itself.

~~~
cperciva
It makes sense for dealerships to have codes for cars _in their lot_. But it
sounds like dealerships have access to codes for _all_ Ford cars, which is a
pretty clear least-privilege violation.

~~~
toki5
A couple years ago, my used '98 CRV's battery died. I got it replaced, and
when I started it back up, the radio was locked out; I needed an unlock code
that they'd have given me when I bought the car, if the car hadn't passed
through at least a dozen hands before finally reaching me.

I called up my nearest Honda dealership, gave them the VIN, and they gave me
the radio code.

I like that they can do that. Maybe it makes more sense from a security
standpoint if I would've had to call some centralized Honda location, but that
doesn't really solve the problem, does it? I have the VIN -- so does anyone
who looks through my windshield. I have the title number -- so does the
dealership who originally sold the car. We'd have to enter a few concurrent
bits of information to verify that I own it, that this car I'm calling about
is mine, and I can identify both it and myself, and then the centralized Honda
location would have to be able to verify all that on their end.

Or we can assume some modicum of trust at dealerships, and accept the fringe
cases where criminals use information they wouldn't have access to in a
perfect world.

~~~
VLM
Very few stereo thieves write down the vehicle VIN on the deck as they're
running away. No point in making it even easier for the police to figure out
its stolen property, and they're usually in a bit of a hurry. Assuming they
have a sharpie marker in one hand instead of a screwdriver or window smasher.
Assuming they can read and write.

One interesting problem "security" guys have is overcomplicating plots. Your
average meth head is waaay too zonked out of his mind to memorize which VIN
goes with which radio, or even which OEM radios need a code.

Another problem is via the VIN they know instantly that your car is a '98\.
Well my cheapo commuter car is also a '98, and its approximately worthless at
this point. Anyone stealing my worn out, partially broken, approx 2002 model
year aftermarket deck pretty much deserves the pain they're about to
experience. At a flea market I might be able to give it away... That may very
well be Honda's point of view. Now try that again with a new 2013 $2000 GPS
DVD player deck and they might hassle you.

~~~
GauntletWizard
Almost every OEM radio needs a code - I've not seen a radio in a car
manufactured in the last 10 years that hasn't mentioned this fact. Nobody
needs to memorize everything. Even methheads carry cell phones with cameras,
and can take a snapshot before even breaking in.

------
gpcz
As implied in Cory Doctorow's "The coming war on general-purpose computation,"
modern cars are really computers with an engine and wheels. This event has
proven that computer security breaches in cars can have real-world legal
consequences for citizens. As a result, there may be a market in a
hardening/privacy guide for new cars, similar to the kind sysadmins use to
harden Internet-facing servers. Alongside your standard hacker-types, a guide
like this probably has a market in survivalist/conspiracy circles.

The guide could explain how to change the code in the car's alarm transmitter
as well as how to remove devices with privacy implications like OnStar.

~~~
rjsw
Modern cars are really a LAN with an engine and wheels. You need to decide how
secure each computer on the network needs to be or whether it is enough that
you need be able to get into the car to get at the diagnostic connector. There
was a case a while back of one model of car being easily stolen because the
cables to the ABS system accessable from the wheel arches.

There has also been talk of allowing wireless access to the in-car network in
order to allow cars to be driven much closer together in high-occupancy lanes.

------
gohrt
Could have been much worse.

The crimincal case could have easily gone the other way: "The car was locked,
locks are presumed secure, presence of a lock is proof that you were aware of
the contents of your trunk." This is what happens in home burglaries: If your
lock gets picked, insurers claim that the door was never locked.

~~~
gpcz
Lockpicks leave evidence of their use (src:
[http://www.lockwiki.com/index.php/File:Forensics_pin_picked....](http://www.lockwiki.com/index.php/File:Forensics_pin_picked.jpg)
). If the victim was confident that the lock was picked, they could hire a
forensic locksmith to find this evidence if the reimbursement is worth the
cost of the locksmith.

As far as I know, getting a keyfob code and using it to unlock a car door is
completely surreptitious (no evidence left) entry, as opposed to lockpicks,
which are covert entry (evidence is left).

~~~
gcb0
1\. insert key in oily sand.

2\. insert key in keyhole.

two steps. instant faked picked lock proof.

otherwise, use a softer metal on the picks (or plastic, or grease the picks,
or as every criminal does, apply soap to the tips), and pick without any
markings.

------
Zikes
What strikes me about this is that the criminals could have just as easily
stolen the vehicles, but the value of the marijuana outweighed the value of
the vehicles.

~~~
Afforess
Stolen cars are incredibly hard to sell. There is a reason criminals just
steal one and ditch it later.

~~~
xradionut
Easier and more money by breaking them down for parts. Strip it and abandon
it.

------
angersock
So, the poor bastard is out half a year of his life and who knows what other
collateral damage (job, school, personal life, etc.)

Does the prosecutor here just go "Whoopsie, our bad!", or what?

~~~
jrockway
_Does the prosecutor here just go "Whoopsie, our bad!", or what?_

Yes, that's what happens. It's a cost of having a free society that's randomly
distributed instead of explicitly collected from your income, like many costs
in a free society.

------
not_that_noob
I wonder how many bags of marijuana made it undetected in that car, since he
was in the screened commuter lane.

And he's so lucky they had a record of accesses to the key code database. If
they could have erased that record of the access, then it would have been a
perfect crime.

------
mathattack
The first thing I thought was, "The guy is making this up. What would Bayesian
stats tell us?" In this case, I was wrong.

~~~
Dylan16807
Well if you compare a one in a million scenario to millions of people crossing
the border...

What makes you think Bayesian stats would be against this scenario?

------
isleyaardvark
How would this be different from a locksmith making a fake key for a more
traditional lock and doing the same thing? Is it practically that much more
difficult to do?

~~~
miahi
A locksmith can copy a key, but cannot create a key that fits a specific lock
without knowing anything about the key. In this case, they could create a key
with the data Ford provided just using the "publicly available" (written on
the windshield) VIN.

That key cannot be used to actually start the engine, because you need to
register it with the ECU using manufacturer's codes and usually with at least
one of the previous keys present. But there are bugs to be exploited in that
case too.

~~~
viraptor
Actually, they can add long as they have access to the lock itself. Take a
blank key, insert and turn; find the dent made by the closest pin and for that
place one level down. Repeat until you have a key that works. This is
regarding the physical keys for the trunk.

------
Yourfags
Unclear article, it seems like the smugglers were just playing a lottery with
their stuff, hoping that the cars they chose wouldn't get investigated?

~~~
lotharbot
I suspect the percentage that gets caught on any given trip is quite low.
They're playing a lottery with a 99%+ win chance. When they win, they sell the
stuff at a huge markup, and when they lose, all they lose is one shipment and
one potential courier who wasn't even in on the plot.

~~~
Wingman4l7
Exactly. The "War on Drugs" is never going to succeed when all the smugglers
have to do is factor in a loss % into their price; it's simple math.

~~~
jrockway
They still have drug trafficking in Singapore, where you get the death penalty
for drug trafficking. I think the key is not to make drugs expensive, but to
make them cheap. Then the criminals are out of business.

~~~
Wingman4l7
Yup -- then the key players just make sure to insulate themselves with plenty
of lower-tier traffickers.

Drugs will only be cheap when they are legal.

