> Security tools like Flipper Zero are essentially programmable radios, known as Software Defined Radios (SDRs)
The Flipper Zero is not a SDR, it is less capable than that.
That's the ironic part, the Flipper Zero is a rather weak hacking tool.
It can open car doors, but it is so impractical that it is not much more than a party trick. You have to record the code by pressing the button on the keyfob out of range of the car and in range of the Flipper. You can then open the door to the car, once, and only if the owner didn't open it first. There is a more advanced and maybe practical attack called rolljam, but I don't think the Flipper is capable enough to do that.
The only thing is that the Flipper Zero is fun, cheap(ish), and popular, but real thieves already have better tools for their job.
This came in handy for me once when I locked myself out of a u-haul in what used to be a rough neighborhood in New York. I was standing there fishing with a coat hanger trying to figure it out when a gangster looking dude came up and was like "here, let me help you with that," and 3 seconds later had the door open.
Haha similar story. I used to deliver pizzas and worked with a pretty rough crowd. Once I locked my car while it was running and had a bunch of deliveries. One of the cooks unlocked it in about five seconds.
There is (was?) a tool called a slim Jim that was basically a purpose-built coathanger for unlocking doors.
There was some talk of banning them in some areas, because people love treating symptoms rather than causes.
Nowadays the tow truck drivers have a little inflatable bag they slide into the top of the door and inflate so they can press the unlock button from the inside. Quite effective!
Intentions sometimes matter. There is a South African shotgun aspirationally named Street Sweeper, and it's famously classified as a Destructive Device in the US, which is two levels more strictly controlled category, AIUI, IANAL, than a manually operated Gatling gun.
FZ is intended to clone keys and bypass security, I suppose in significant part for users' lawful convenience, but is kind of intended to do what it should not.
Coat hangers aren't engineered with intent to be shoved into the weather seal on a door.
You can literally order lock picks on Amazon in Canada[1].
Which were absolutely engineered with Internet to be shoved into locks to open them without a key.
To be clear: purchasing ans owning lockpicks is perfectly legal in Canada [2].
I don't think your logic applies to why that legislation was introduced. They're treating Flipper as a lockpick, but legislate it differently nevertheless.
Cheap, misguided hype seems to be a more plausible explanation.
> FZ is intended to clone keys and bypass security
I'd say it's more of an educational/'hacker' toy than it is a useful security bypasser/key cloner.
Purpose built(and better aot their job) those things cost significantly less. The flipper zero is a toy that the Canadian government are about to misclasify.
I locked myself out of my car so often I ended up wedging a coat hanger under the rear bumper. You're right: car doors used to be trivial to yank open when you knew the trick. These days I'd love to create a little side project that sets the alarm off on my car any time a relay attack is detected. I'm sure Mark Rober or someone will end up doing it.
what would the alarm do other the annoy a few hundred people. It wouldn't save your car. car alarms should be banned imo. replace them with something that pings your phone maybe but the alarm does nothing
There are alarms with phone messsaging, tracking, remote start and disable. Also relay attacks are easy to prevent, just put your smart key inside a faraday bag or remove the battery.
sounds rather complicated. You would have to scan the entire spectrum (not the entire, but like certain bands) and detect if there is someone sending power on there.
But modern vehicles detect these relay attacks and drop your message when you are too far away (ToF Measurement), you could maybe instrument that. But then when you walk to your car on an open field, you may also trigger the alarm because your key is out of range for a short time.
I suspect, in part, that this article and people pushing for a ban wouldn't have even noticed the Flipper Zero if it didn't look like a toy. The case design looks like some advanced Tamagotchi and places in a more accessible part of the lowest-common-denominator mind. If it looked like a raw PCB and wires, or some rats nest jumble of little components, it wouldn't catch their attention as much. There is a lot to be said about how we package our hack tools, and the second you move into "magic box go brrrrr" territory, suddenly it gets real to those outside technical circles.
Actually, there may be something here. Politicians seem to be blathering on about "prepackaged" hacking tools, and similar terms. They obviously aren't going to ban ICs, or breadboards, so in their minds I think it's all about "Tools that are designed for non-hackers to use, in ways we don't like".
Right or wrong re: Flipper's uses, the "just take this and go" is part of it.
I do wonder, right now lockpick tools are banned, unless you are a locksmith. I wonder if one day, you'll be charged with "hacking tools", because you have some hobby project in your backpack.
The Flipper Zero is not certainly the problem here, and it is not a proper SDR tool as said. But I believe it's technically interesting that the Flipper Zero uses the CC1101 inside the Flipper in a more powerful way. The chip can be configured to just report in a given pin the actual OOK/FSK state (logic high/low). The same can be done while transmitting. So the Flipper is not limited to the protocols/formats supported by the CC1101 during normal operations, but can do any protocol as long as it is within the frequency range and uses OOK or FSK modulation (or the FSK variants supported).
Sooo they have been stealing Infiniti's from my area recently with relative ease allegedly by using a Bluetooth obd2 reader connected to an android tablet running a pirated copy of some Nissan service tech software.
Nobody from any of the Infiniti groups is 100% certain how they are doing it, but the best theory out there is above.
Just the other night, a crew of dudes stole 3 Q50’s from my neighborhood with relative ease.
Well for one thing the OBD port shouldn’t be designed so that it has direct access to any useful CAN bus. It should go to a gateway that requires authentication to do anything except read OBD, and all of the IDs that you are allowed to send should be whitelisted.
The issue people are mentioning with the headlights is easily solved by just moving the starter CAN to its own CAN bus between the immobiliser and the ECU (physically isolating the headlights), which costs about $5 total and requires no crypto unless thief is willing to cut the car nearly completely in half.
(The problem with crypto is the $10 safety MCUs used all throughout cars are only like 20MHz and they can’t really do the 2000+ crypto ops/sec on top of their current workload. Also the tooling support for crypto ATM is really poor in the model based design tools that are used for this safety relevant SW)
BTW I personally don’t believe that anything that involves cutting into a vehicle is negligence of anyone. I mean, from my perspective, anyone can just pop the hood and drive the car with their own BYO ECU. It’s just a hunk of metal and once you start cutting it up you can make it do whatever you want.
Yes, the simplest solution sometimes really is the right one. Cheaply isolate sensitive targets from easily accessible areas. Your $5 solution is enough to avert these issues, and makes the attack a lot more expensive. The job is to find a "lever" where you only have to put in a little effort (say $5 worth) but which causes the thief to have to put in a lot of effort (cutting the car in half). The better the "lever", the safer the design.
I agree fully with this, except for the fact that this then makes devices like the Comma (comma.ai) impossible. The hacker in me really wants to be able to send steering signals by plugging something into my car :)
The solution is not that complicated, just route the wiring harness on a location not easily accessible from the exterior of the vehicle. There’s nothing that can stop thieves just delay them enough to increase their risk to be discovered.
See all that time the thief spends near the drivers side headlight? The headlights are on the can bus, if you can tap a couple wires in there the cars is yours.
Genuine question - why do headlights need to be on the main CAN bus? Could they not be operated from somewhere closer to the ECU by wires that just carry power and maybe some very simple data lines?
I can see fiberoptics, but wireless just wouldn't be reliable. There are too many sources of noise in a car, plus rush hour traffic with dozens (hundreds?) of cars nearby broadcasting on similar frequencies.
It may be something as stupid as a wiring harness layout optimization. You can put the headlights controller at the headlights and only run a single set of CAN bus wires (which are probably in that area anyways), haven't played with CAN I assume they are fairly few and fairly thing gauge, through the firewall of the car.
There are usually two can buses a car, a slow one and a fast one. The slow one controls the lights, infotaiment, climate, etc, while the fast one controls the ECU, driver assist, all related to driving.
All CANBUS packages that are useful to drive a car should be encrypted using a public/private key that is in the owner key. Decryption chips are cheap and fast.
Maintenance is a big key management problem though: if only the owner has it, there will be problems when people inevitably lose it. If there are shared keys for service departments or databases, thieves will get access to them.
Things like time-limited on-demand keys can limit those problems but now you can’t get your car serviced when Toyota’s servers go down and they need to commit to not breaking API compatibility for multiple decades.
In the old days, most or all car companies had the ability to look up the bitting code to cut a replacement key (the mechanical kind) from the car's VIN. There's no reason they can't do the same with an encryption key.
Of course they'd need to do a good job securing that database since inappropriate access to it would make stealing cars very easy.
There is a very good reason that isn't possible/analagous to traditional rekeying.
Mechanical keys are not secure. They can be reproduced with basic skills. That's why there used to be a giant key cutting industry where much of the business was car keys (Thanks, GM.)
The whole idea of CA PKI and all modern TPM architecture on devices is that they CAN'T be reproduced or replaced in context without massive effort that would make the intended use moot; IE replacing the TPM and associated on both the key and car. This would require some bureaucratic pointless process to prove your identity, and it would be very expensive and frustrating, and completely at the manufacturers will.
Further, if the car CPU could allow this, it would be >.0001 second before theives use the same exact tools that the manufacturers use. This is basically what's happening now with current NFC/Radio Keyfobs. Basic access to existing cpu through canbus makes NFC/Radio moot.
Most modern keys already have cryptographic rfid transponders which must be in place to turn off the Immobilizer system.
Unfortunately, Immo can be trivially disabled/bypassed/reprogrammed on many cars using the canbus or odb2 interface.
Also trivially editable in many ICUs is the mileage, airbag (crash) history, etc.
The main vector is that this data typically exists alongside performance parameters and user data like registered keys and fobs, so is accessible either by catching the ecu in bootup/program mode, by buffer overrun attacks, or often just by asking nicely.
This is basically doable by anyone who can to chip tuning or ECU remaps. It’s technical, but not that technical. Many ECUs require JTAG access inside the ECU housing or even desoldering the serial flash chip, but many do not.
I just bought a whole setup for this from AliExpress for about 100 dollars and it’s worked well for me so far, just a specialised JTAG adapter with some cables really.
Pretty sure if you wrote drivers for chip tuning software to use a buspirate it would work just as well if not better.
The manufacturer should maintain a root cert that can be used. If that root cert is compromised then they should have a way of rotating keys if the vehicle and physical keys are present. Breaches then constitute what amounts to a software recall, putting the onus on the manufacturer to report them or be held liable for thefts. The recall notice puts the liability on the driver to have their vehicle updated (for free) in a timely fashion.
The situation doesn’t need to be as strict as #2: you could have a way for a registered service shop to get a per-device rekey by shifting some liability to them. Making it per device prevents bulk usage and an active communication with the manufacturer would mean the cops could ask the owners of a shady auto shop some questions when 80% of the stolen cars in the area are being rekeyed at a place the owners have never been to. I lost a car key once and the locksmith who showed up checked my drivers license against the title database because he could have been penalized for unlocking a vehicle without doing so - we could make the same model work electronically because while car thieves are anonymous, legitimate repair shops have a business presence and reputation to preserve. Even someone amoral isn’t going to look the other way for something which will cost them their primary revenue stream.
I don't think that the dealer equipment being used to steal cars today is coming from dealers where management is knowingly engaging in car theft. It is other people who are misusing those tools. There are many hundreds of thousands of people who work at dealerships, and many do not care about their employers reputation. Also, many dealerships are broken into.
Yes, which is why I suggested a combination of measures to change that. An active per-device transaction would make it clear when a dealer’s access is being misused, and if it affects their business viability it would turn out that they could do a better job of controlling access. Hundreds of thousands of people work at banks, too, and many of them do not care about their employers but thefts from customer accounts are rare because the companies are incentivized to set appropriate safeguards. There’s no reason why car repairs couldn’t be the same other than that it costs more than what they’ve been doing, and there aren’t strong enough incentives for them to take on those costs.
What would that look like in reality? Expecting dealerships to have the same physical security, procedures, and security vetting of a bank? There's already a shortage of workers in these roles, now we want the guys busting their knuckles on vehicle repairs to have a good credit score and good background check and perform elaborate opening and closing procedures with a buddy system? Storing tools in a vault?
I really don't see how any of this is merited or reasonable, especially when the vast majority of the cars being stolen in my neighborhood are either stolen with the keys or with a tow truck.
Require resets to be initiated and authorized by the F&I department, whose security and KYC processes should already be substantially similar to those of other institutions that regularly approve $50,000+ loans.
1. As a result, we'll see costs like losing the keys to a rental car go from a $250-500 fee to a $2500-5000 fee, due to the additional costs to process and the additional loss of use.
2. Criminal rings that steal high value cars will go from often using tow trucks, to exclusively using tow trucks.
3. The number of cars stolen via stolen keys will remain unchanged.
Yes, the key itself will be more secure, but I'm not really sure it will actually improve anything. More security is not better if the costs do not create real-world results.
Your second point is leaving out a lot: there’s no way adding a requirement that you have heavy equipment and a skilled operator isn’t going to reduce the number of thefts, and those trucks are in more limited supply and easier to track than a small tablet. They’re also way less stealthy so there’s a lot more time to get caught.
The third point may be true for classic theft but would not be true for the growing category of thefts caused by abusing wireless keys. If you can’t easily get a new key, the resell value for that car is going down dramatically.
Commercial tow trucks are not hard to get in many places, but it is also not required to tow a car. There are many consumer oriented solutions for towing a car. Tow dollies are about $40 to rent in my city. Or if you're a thief, trailers aren't hard to steal either.
> If you can’t easily get a new key, the resell value for that car is going down dramatically.
Most of the vehicles that are stolen for resale are high value and sent overseas to parts of the world where the labor cheap to do something like entirely rip out all of the security components. I don't really think that these criminals will stuff a G-wagon in a shipping container for $100,000 but they won't do it for $80k or $90k.
> Commercial tow trucks are not hard to get in many places, but it is also not required to tow a car. There are many consumer oriented solutions for towing a car. Tow dollies are about $40 to rent in my city. Or if you're a thief, trailers aren't hard to steal either.
Again, it’s possible but do you really think there isn’t even one thief who lacks easy access to a tow truck or will be caught firing up noisy equipment at 3am but not if they fumble around in their pocket while walking up to a car? Not a single teenager looking to joyride won’t give up if it’s harder than the Kia video they saw on Tik Tok?
Similarly, yes, people will still steal vehicles and ship them overseas but the more work they do the lower the resale market and value will be, and that will make it less tempting since you’d only be able to sell to people who are content never getting service from the manufacturer. Even if we assume that there are countries with skilled technicians and effectively no law enforcement, only something like 10-15% of stolen vehicles are shipped according to U.S. officials so even if you wrote those off entirely you would have plenty of room to improve by reducing the majority of thefts which never leave the country.
There's different categories of criminal here who are willing and able to do different things to different types of cars.
> Again, it’s possible but do you really think there isn’t even one thief who lacks easy access to a tow truck or will be caught firing up noisy equipment at 3am but not if they fumble around in their pocket while walking up to a car?
Canbus attacks, OBDII reprogrammers, and similar are typically pretty intrusive, they require cutting into fender liners, removing lamps, busting a window, or otherwise gaining physical access to the bus. They also require specialized tooling and expertise that are harder to get than the tools which physically move vehicles.
The one that might be an exception, and some savvy street criminal might be able to get their hands on is a tool to do is a relay attack, which is usually good enough to steal belongings from a car, but generally not capable of stealing the car.
> Not a single teenager looking to joyride won’t give up if it’s harder than the Kia video they saw on Tik Tok?
Definitely not. Vehicles with immobilizers are essentially never stolen by joyriders unless they have also stolen the keys.
> Even if we assume that there are countries with skilled technicians and effectively no law enforcement, only something like 10-15% of stolen vehicles are shipped according to U.S. officials
Yes, and almost all of the other ones either just lack immobilizers, or the thief also stole the keys.
Simply requiring the dealers to take seriously ownership validation and track which workers used the reset system (no shared logins, etc.) would do most of it.
The result of that may be that losing a key is financially devastating enough that it totals many vehicles. And/or if the odometer and other local storage is affected, that may cause permanent title issues for the car.
The number of people who lose their keys vastly dwarfs the number of people who are having their car stolen with a flipper zero.
It has to be hard enough it can't be done in the street (without getting attention), but maybe it could be easy enough to do in a garage.
But even if it is expensive, the result would be that either people with take more care, or they'll lose their car.
Maybe it's not a bad thing that people who can't manage a key are less likely to be on the roads - or that its more likely they lose access to their car then it ends up in the hands of criminals. A car can be a dangerous thing, even an inexpensive one.
Yes, but this wouldn't prevent dangerous street criminals from stealing cars. Many of them steal the keys with the car. They go down to the gas station, and wait for an old lady with a nice car to pull up to the pump, and when she hops out they hop in.
The criminals doing more skilled attacks typically aren't joyriding or using it to commit other crimes, they typically doing it for financial gain: they want the car, its contents, or its parts.
Ultimately the overlap between the violent street criminals and those skilled at attacking digital security systems is not much.
> But even if it is expensive, the result would be that either people with take more care, or they'll lose their car.
The entire reason keys were explicitly designed with the functionality to program new ones is because that's not considered by most to be an acceptable solution.
That kind of expands the scope of this conversations to mugging/carjacking, which also comes with a higher penalty, and probably higher priority to the police.
And, it involves interacting with someone, who presumably can call the police afterwards, and activate any lojack / immobilisation device before it can be removed. Presumably the appeal of stealing a parked car it may be a while before it has been discovered and reported stolen.
Also, doing such a thing in a gas-station where there are likely cameras and even other people / attendants make it seem pretty risky to me. Are these dudes just hanging around the pumps in masks? What country is this?
> not considered by most to be an acceptable solution
Things change, but also, it's as much up to the government and/or insurance corps what's acceptable.
The only reasonable way to evaluate risk is as a whole. Real world attackers pick whichever realm is easiest to exploit, they aren't going to waste their time doing something difficult when there are easier ways to accomplish their goal.
> who presumably can call the police afterwards, and activate any lojack / immobilisation device before it can be removed.
Yes, people who carjack usually aren't looking for a nice daily driver to hang on to for the next 3 years. Usually they want to joyride, or use the car for some other crime, in the immediate term.
> Also, doing such a thing in a gas-station where there are likely cameras and even other people / attendants make it seem pretty risky to me. Are these dudes just hanging around the pumps in masks?
Stealing a car, and being in possession of a stolen car, is pretty risky already. I think someone who does this type of crime is probably not very risk averse. Wearing masks is a pretty common way to thwart cameras when committing a crime in many places, I don't think this potential security issue is specific to certain countries. I think what you might be hinting at is that fewer people want to do carjackings in different places, but the same applies to canbus exploits. Nor do I think anyone really needs to "hang out" to find a car at a gas station. Many have cars filling up at them regularly throughout business hours.
> Presumably the appeal of stealing a parked car it may be a while before it has been discovered and reported stolen.
Yes, and while there are some instances of this happening electronically, I don't think closing those avenues will change anything, because towing cars is neither difficult nor suspicious in many places. Again, security is only as good as the weakest link. Nearly all criminals cut locks, even ones are very easily picked.
Buying a tow truck is no different than buying a truck just about anywhere. Or one can simply buy a regular truck and bolt on a towing attachment to make their own tow truck.
One can also purchase, rent, or steal a trailer and attach it to a vehicle. There are several types of trailer which can haul a car, which are all widely available to the public.
A traditional car key can be trivially duplicated at any hardware store. That's the difference. You can make as many spares as you want for a couple bucks a pop. No dependencies. No network.
Do any cars have "traditional keys" anymore? My 15 year old Corolla has an embedded RFID tag in the key, and can only be duplicated at a Toyota dealership.
Assume that for anything new enough to have keyless entry, the answer is no.
The big switchover was in '96 when OBDII/CAN bus became mandatory. At that point it became pretty cheap to do things electronically, often cheaper than mechanically, so lots of things started switching over around then.
Not fully true. Just as it's not true with non-car keys. Some blanks are heavily protected. Now these days with the dissemination of cheap cnc mills, maybe thats a bit more trivial, but you are paying a lot more for a cnc mill than you pay for a old key grinder.
Same issue we have now with ghost guns honestly. CNC mills are powerful tools, with the right software you can essentially just place the properly sized chunk of metal in the box and hit go.
That's why I said traditional key. They're just metal with a few parts cut to a specific profile. It's once you start mucking around with immobilizers and other encrypted things that need the factory tools... Those can cost tens of thousands, and usually require continuous internet access back to the home office.
Because they only have the public key. You need the private key which NO ONE gets, not even the dealer. They send the required info in (which includes the serial / "key") for the new key to the home office. You can't just copy the key, even electronically, as it will have a different hard-wired "seed".
My Ducati bike had immobilizers that would prevent the bike being started without the key or the per-bike code card. When it was stolen, the thieves tried all manner of things to start it, including drilling through the ignition keyhole. I managed to get it all fixed and the bike still ran. Without the immobilizer, someone else would be riding my bike.
That's no different from this proposal. You just give them the keys, or the key card (or red key) if you've lost the keys.
Some of the tools used to steal cars are the legitimate tools used to repair cars. Key programmers aren't cheap, but at under $5k for decent ones, they aren't crazy expensive either. It pays for itself in one job.
You could make these tools more difficult to obtain, but that won't stop the crime.
Immobilizers and requiring a PIN to start the car are cheap, effective ways of preventing car theft without negatively impacting our ability to repair vehicles. It would behoove government agencies to include a list of anti-theft techniques on the window sticker and it would behoove insurance companies to be very upfront with the anti-theft features they think vehicles need.
Right now many of the components of your iphone are paired to the phone through signing. It's a huge fucking pain in the ass, and it makes the whole 'right to repair' a huge can of worms.
I work in CA/PKI, particularly IOT device registration/security via TPM keys.
I cannot imagine a scenario after years working with our own infra and clients where a car manufacturer would restrict access to the vehicle with a private key decryption on the FOB tpm, (that can't be exported or copied.)
Lost/broke fob? 4000 pound paperweight, to no ones benefit. Insurance nightmare that would also be violating right to repair in many states (which is a different issue) .
There SHOULD be a standard like every person has some device or process that is also a CA, who can then generate and dictate what keypairs can access a device, car etc. But we are very very very far away form that.
It's an enormous amount of implementation effort aimed at tampering which, to some approximation, never happens. And as another poster has said elsewhere, partitioning the communications would be cheap.
That they are using the OEM software indicates that there is some authentication going on with the ECU to start the engine anyway. I bet they didn't truly plan for key rotation.
Allow me to offer a different opinion. There is little sense in applying logical security when physical security is lacking. CANBUS should not be accessible by taking apart headlights. Communication buses must be protected from physical access, i.e., trip the alarm system or disable the car upon unauthorized access. There can be no logical security without physical security.
It would be very hard to make CANBUS inaccessible from headlights, since that what controls it. However, the headlight shouldn't be able to tell the rest of the system that the key is in the car.
Logical compartmentalization like you suggest is a fine approach, but even better is to not allow physical access. Unless the car is in maintenance mode at the shop, the chassis should be sealed tight. Maybe the manufacturer decided to favor headlight maintainability over theft prevention, or was simply oblivious.
From what I've been seeing with Toyota and their ECU Security Key, it hasn't been cracked yet but it's close to being cracked and extracted from a running car and the private key extracted (so things that look at CAN bus messages can work again, like comma.ai)
CANbus protocol makes this hard. Payloads are limited to 64 bits, to start with. But the payload for each message could be encrypted, even though secure key exchange would be difficult.
It's so hard that (almost) every European manufacturer figured it out.
There is also FlexRay. There is nothing interesting you can do with CANbus on new mercs. Even unencrypted CANbus messages go through gateways that (could) prevent headlights from reporting key presence.
There is a reason that some cars don't have reasonable attack vectors (excluding parachuting the driver out of the car) and some can be started with a screwdriver (or slight more involved way with CANbus). It's not complexity, it's cost.
The TSA locks have widely circulated master keys because that's a basic requirement of the system–every airport has to have some to be able to open bags. I don't know anything about these OBD port locks, but I don't see any reason they'd have a master key, other than laziness on the part of the manufacturer.
Additionally, I'd imagine that such a tiny fraction of a percentage of cars have these kinds of locks that it'd barely be worth it for thieves to figure out how to bypass them, at least until there's more widespread adoption.
> I don't know anything about these OBD port locks, but I don't see any reason they'd have a master key
Look at it in the picture and the review pictures. They're all 'keyed' alike. It's just a single offset pin. Also one review says it just holds on with friction and can be pulled off with force.
Put the powertrain lockout system on a signed and physically protected network segment. Let the headlights, mirrors, etc live on a less secure segment.
This will impose higher costs when replacing these systems, because it will require key management of some kind. Either central cert management (with 20 year expiry?) or local key management. So only impose this on a tiny subnet for the starter/immobilizer.
Perhaps the OBD port should only work when the car is validly unlocked and the engine immobilizer accepts a key? Maybe it could stay unlocked thereafter while a device is connected?
Android (adb) and iOS (iTunes backup) have solved this issue
years ago.
When I installed a remote starter on my old Jeep, I had to also install a CAN interface that would command a door unlock followed by a door lock command.
That was enough to tell the ECM that it was okay to start the car by simulating the key switch closure for “run” and a temporary closure for “start”. Prior to adding the CAN interface, jumping “start” would set off the alarm.
You don't protect the wiring, you protect the start protocol. Similar to asking "Can we protect the internet by protecting the ethernet cables?"
Put a public key on the engine controller, have it challenge the key with a random start number, have the key respond with the signature of that number, engine starts.
You can't unlock the car with the bus dead. CAN is not like switched Ethernet, it's a bus topology network like LAN over coax cables. They can be split or bridged, that's probably what they do.
We had a specialist shop in the same area. You can disable Security+ with uprev.
Hell we would even use it to remove engines from nissans to make them run in whatever we put them in without the ignition. I can make the start signal just come from a momentary push button.
Locksmiths can make new key fobs for nearly any car with access to the OBD2 port and the right software (though I don’t know if it requires a connection to the manufacturer)
I don't know if I have a clip of it still but that was nowhere near as fast as my neighbor's range rover being stolen during pandemic, broad daylight, four hoodies walk into our car park (flats) and walk out of camera view, 30 seconds later they're driving the range rover past the camera view and presumably rammed the gate we have (since it was broken).
Both car manufacturers and police are useless and it's fucking inexcusable, imo.
> What do we know about computer security and physical access? If I can touch the machine, I can hack and own it.
It’s not the 2000s any more. Even national security agencies have trouble with phone decryption, and that suggests a path forward for cars using a tamper-resistant secure element since car thieves won’t spend more money attacking something than they can resell it for. Cars need service regularly you can have a way to replace a damaged SE which is more restricted so a legitimate owner can regain control of their stolen property - if you required, say, a government photo ID check for the owner on the title to reset the encryption keys, car thieves are highly unlikely to spend time getting high-quality fake ID since the odds of getting caught would go up dramatically, and you could deter shady auto shops by requiring them to submit proof of their ID verification for that service.
Yes, because the current design is lax. Now think about what happens if the engine computer won’t start with a bad signature or the entertainment system won’t work. How would that affect the overseas market?
Again, all of those lower the value to the thieves. If they need to create a custom engine controller, they’re going to need to pay a lot more than the $0 they currently spend. If they need to replace the entertainment system, the cost of doing so will cut into their margin.
Don’t make the mistake of thinking that a system needs to be perfect to be worthwhile.
I think you're in a desktop computer "whole product is one computer" moddel. A car is a set of computers, almost nothing in a car is central to itself.
There's probably a body controller ECU that ties into engine ECU and driver's key systems. So theives would just generate and flash a new key/cert, that'll be certainly possible.
Infotainment? That's almost literally an aftermarket parts. American reviewers tend to see it as integral part of a car or even a central computer, surely it's important in terms of product experience but architecturally it's more like a printer over Ethernet than a laptop integrated display.
> There's probably a body controller ECU that ties into engine ECU and driver's key systems. So theives would just generate and flash a new key/cert, that'll be certainly possible.
This sounds like the old desktop mentality you mentioned. You can’t just reflash things to bypass a secure boot process – the entire point is to prevent things like that! You’d design the driver’s key to pair with the various onboard systems and those systems to do a challenge-response cycle during the boot process so someone can’t easily drive away without the key or resell those parts, with both sides using a private key which never leaves that component. Yes, that kind of design can still be attacked but the goal here is to make it more expensive than it’s worth: needing a flatbed to take it somewhere for a rogue EE to work on it, for example, just isn’t going to make sense except for the most expensive luxury vehicles.
This brings me to:
> Infotainment? That's almost literally an aftermarket parts.
Yes, and those cost money. The entire point is that you don’t need to make it perfect, just expensive. If someone has to replace the display and speakers, that means they’re making less profit on the sale and making it more obvious that the vehicle was stolen which increases risk and reduces the number of buyers, especially for the most valuable vehicles.
> This sounds like the old desktop mentality you mentioned. You can’t just reflash things to bypass a secure boot process – the entire point is to prevent things like that!
The actual real problem I failed to explain is manufacturers don't want to deal with networked authentication, broken physical keys, or day-to-day repair shop operations, so they keep most of the processes offline and send out re-pairing tools that leaks. Very few cars require breaking chain of trust to swap out parts which makes "If they need to create a custom engine controller, ..." part unrealistic as of now. It takes few more years before Apple starts delivering cars.
I work in medical devices. It's no longer sufficient to throw up your hands and assume "well, they have their hands on the device, we can't stop them from doing anything." The new cybersecurity guidance anticipates an attacker having physical access to your Device and you are expected to understand and mitigate any impact that can have.
The FDA should be less strict with their cybersecurity stuff. The amount of lives lost to the increased cost of care is not worth the increase in cybersecurity.
If medical devices have just enough security to stop people who don't have physical access to the device, just enough to make attacks at scale unfeasible, then that should be good enough IMO.
> What do we know about computer security and physical access? If I can touch the machine, I can hack and own it.
Can you hack and own my fully patched Pixel phone? Or my GF's iPhone? Sure, sophisticated state-sponsored actors can sometimes do it by burning several million dollars worth of 0days in the process, but some two-digit IQ riff-raffs? Probably not so much.
EDIT: just to be clear - by "two-digit IQ riff-raff" I meant OP's neighborhood car thieves, not you :)
Phone thieves will watch over peoples shoulders for them to input a passcode, which isn't that dissimilar to a lot of the replay/signal extension attacks.
A lot of damage can be done and things successfully owned without needing to hack or exploit the device (car/phone).
> Phone thieves will watch over peoples shoulders for them to input a passcode, which isn't that dissimilar to a lot of the replay/signal extension attacks.
You have any reference regarding how prevalent that is? Everyone I know switched to biometrics a decade ago.
This is done by organized crime with engineers on staff. Sure it’s drug addicts stealing cars but the people shipping them are smart and have access to capital.
I agree, but that brings us back to my original question: why can't same smart organized crime people unlock my smartphone then? Because Apple/Google give a damn about security and car manufacturers do not.
Also: When your phone or computer is hacked, most people think "Wow, the device is flawed." But when your car gets stolen, most people think "Wow, we should stop those criminals." Apple/Google are incentivized to give a damn about security because incidents reflects poorly on their products. We need to start making thefts via security exploits reflect poorly on the car manufacturers and their products.
People will buy a $150,000 SUV for 50k and they can still make money. Phones have less incentive and Apple is going to be better at bricking the phones than carmakers will.
Apple and Google don't sell insecure cheap phones, but lots of other manufacturers do.
I suppose organized crime doesn't systematically take advantage of that because cheap phones are cheap, and the people who own them are poor. You don't get that much benefit from pwning them.
Alternatively, maybe organized crime does take advantage of them but we haven't heard about it. They could have a giant botnet of them for all we know.
a couple of years ago it wasn’t uncommon for victims of phone theft in the UK to end up flooded with iCloud phishing messages to try gain access to their iCloud account and unblock the device so it wasn’t totally worthless for resale.
I still see a lot of iCloud phishing messages, but also understand that Apple has made this vector harder.
Except for you know, the technology of a physical car keys and an immobilizer. There's a reason it's the keyless entry start/stop button cars that are being targeted by thieves, it's simply so much easier.
The frustrating thing is that new cars are being produced that _only_ offer keyless entry, and so eventually the choice is taken away or you have to drive a very old car.
Or make grand theft auto an offense that is actually prosecuted. Make hard penalties for violating another citizens by stealing their property. Start with 5 year minimums off the bat and every offense afterwards adds another 5 years. You'll see car theft plummet.
> How do you calculate this value of zero percent?
This gets messy for obvious topological/continuity reasons, but a shocking number of applications are both correct and simple to reason about if you choose to define 0/0 == 0 (kind of like how if you choose to universally define sum(empty_set) == 0 and product(empty_set) == 1 then tons of higher-level formulae just work and don't have to special-case a base case).
In context, there's no good reason to pick that definition of 0/0 per se (other than my prior that 0/0 == 0 probably simplifies some downstream math), but it's kind of nice to see that if crime is at 0% then there is also zero crime.
I will never, ever keep a car I care about outside anywhere near the city.
I know everyone doesn't have the funds for that, but I'm sorry, we all know how rampant car thefts have gotten since before those 3 Q50s in this video were even purchased. I live in the busiest neighborhood in downtown Denver with which has rampant property theft, cats cut out etc non-stop.
I own 2 vehicles and neither of them are ever parked outside if I can help it. It means I have to pay pretty much twice for rent because now I need a 1-2 car private garage, which means I'm probably now in a condo or townhouse so every expense just gets higher and higher.
But you're in the bracket of living downtown with a brand new Q50. So I don't care what your excuse is, buying a luxury/attention-getter car and parking it outside in cities with rampant car thefts is just absolutely stupid.
Especially the people who buy the $80k luxu-box with the $5k 22" wheel add-on that gets ripped out of their mid-rise apartment parking garage a day later.
I've had a car stolen and insurance does NOT treat you well when it happens and I never, ever want to deal with having a car stolen again no matter how much gaap/etc. I have.
Some of the issue here is that it’s actually a pretty nice area here in Baltimore, but our police force is currently understaffed and overworked.
One big issue here regarding policing is that our city elected officials can’t tell the city police force what to do.
You see, when the civil war broke out, the state took control of the police force so that the mayor couldn’t lead a confederate coup.
Flash forward to today, and those powers still have never been returned to the city. The mayor and city council set the police budget, but the chief of police takes direction from a state run board.
So there is a big disconnect between citizens voicing concerns to city council members, and those members only ability is to “talk to the major”.
When the cats away, the mice will play off with some stolen cars.
If you haven't traveled/lived in many major cities since covid, they are all the exact same now. None of the police are working. I'm in Denver now, previously Austin in 2019, Dallas 2020, Denver 2020+, and Denver banned qualified immunity so the police work even less. Seattle just did the same thing + IIRC king county is doing that "police cant lie on stand" or whatever law. I lived on 2nd and congress in Austin for 12 years until 2016 and the entire downtown has turned to absolute trash.
I'm sure its the same in Chicago, LA, Portland, Tampa, etc and I don't even need to ask.
This sounds like a serious symptom of something being deeply fucked with policing in America.
Qualified immunity doesn’t exist in other first world countries with effective policing, in fact, the police in America have a lot of latitude to do all kinds of insane shitfuckery that doesn’t fly elsewhere.
It would be trivial to hard wire a kill switch to your fuel pump and have it hidden somewhere so no matter what thief’s can’t drive off with your car. Much cheaper and more secure as cars can be stolen from parking garages.
Put a kill switch in it they tow it. Put a Club in it they tow it and cut off the steering wheel. Put GPS on it they throw it in a faraday cage paintshop/train. Put a Dronemobile system in it the Police just won't investigate/track it down.
Really just have to not keep property outside anymore. I used to do the "It's not a big deal, i have full coverage" but had a car stolen and they (insurance) treat you like absolute trash when it happens.
Lock it in your garage and now they break into your house and hold a gun to your head….ya maybe they tow it but not likely as they want to do this discreetly but at the end of the day of course if they were determined they could take anything. My point is a kill switch would stop 99% of theft.
> had a car stolen and they (insurance) treat you like absolute trash when it happens.
You've said this twice, but what does it mean? I have had my car stolen twice and the insurance company didn't give me any trouble at all and just paid out.
- it's incredibly stupid to ban the flipper zero because it's factually not even part of the problem
- but it's equally stupid to "ban insecure vehicles". if kia makes a cheap car with crappy locks either don't buy it (because maybe insurance) or add and aftermarket immobilizer or a steering wheel lock. if it was really negligent of kia to "save a couple bucks", then it's equally negligent on you for not spending a couple bucks.
- i also cringe at the idea that we throw the word negligent around when talking about failing to prevent other peoples crimes. i'm not negligent for not doing enough to prevent the crimes of some other asshole. nor is kia. meanwhile, there's sibling threads here that point out that the us is far to hard on the criminals. so wait - kia and me and other law abiding entities are "negligent", but the asshole who stole the car deserves compasion, etc.?
- it's stupid-on-stupid-on-stupid to sit here discussing the problem of car thefts, caused by lack of enforcement of the existing laws against it, and the proposed solutions is making more things illegal (and arguing about which things).
Nobody knows a vehicle is insecure when they buy it. It's simpler, more cost efficient, and more valuable to society just to require cars to have basic security features. Your idea of market correction doesn't work in this case, because it's never advertised as having shitty security, and the average (or even informed) consumer will have no idea this is a problem until after they've bought the car.
I never understand this arguement. I hear it in the form "we should just regulate cars to be safer", why dont you just buy a safer car? "What do you take me for? I got a mustang GT, the last thing that car is worried about is safety". Interesting, you bought a car because its fast, not paying any consideration to whether it could safely get you from point A to B, and this is what you rely on to get you to work?
Its not social darwinism, the lack of critical thinking skills among the general population is alarming. Americans have apparently been coddled to the point that they arent worried about basic needs; if you go to buy a car you should have some simple considerations, is this car safe? What are the typical maintenance costs? Is it common for this car to be stolen?
Things like, housing, transportation, education, those are really central aspects of peoples lives. Its all well and good that you want to draw symbols on paper and make all these things safe, but it appears to have come at a pretty serious cost. That cost, is the inability for the US population to use critical thinking.
> I never understand this arguement. I hear it in the form "we should just regulate cars to be safer", why dont you just buy a safer car?
I don't understand your argument. Do you expect every potential car buyer regardless of tech literacy to go to a dealership with an SDR setup on-hand, asking if they could test-out the key fobs, capture some signals, try to figure them out and look for common vulnerabilities on the new models? Do you expect the seller to explain the technical details of the key fobs at a depth you can be sure there's no vulnerabilities?
Determining that the key fobs were implemented securely is not something the buyer or even the seller will be able to determine. I would imagine a regulator has the ability to inspect them as they're being designed/built.
> if you go to buy a car you should have some simple considerations [...] Is it common for this car to be stolen?
By the time vulnerabilities are found and people start stealing them, there should already be plenty sold and roaming the streets.
We should regulate cars to be safer because I don't get to decide which car (or, more likely, truck) the moron who puts me/my family in the hospital (or the grave) was driving. Given the trends in traffic and pedestrian deaths in the US, our regulators are grossly negligent in this regard.
Sure, in the context of broad safety you have a point. Of course, you are more likely to die in places where police are responsible for your protection. The safest places people inhabit are their home, their work, places with private security measures.
The negligence you speak of, how widespread would you say it is? Would you say the EPA dropped the ball preventing the east Palestine Ohio train derailment? Would you say that having some hard cutoff for how many chemical train cars until the train is reclassified? I imagine you would agree, that the chemical company sending 59 (oh w/e) train cars instead of 60 so that they are under easier rules, is kind of bullshit.
If the company is following the rules then they can largely get away with it when things go wrong; if that company had actual liability for whats in the train cars, then they would have insurance. That insurance would be prorated on the safety profile of the train, and it would fix the hazzard or pay the claimants their due. These regulations only exist to cement decrepit companies monopoly over you.
I have no faith that "negligence" in the public sector will improve. The roads, the enforcement of driving conduct, that will not improve. The safety, security, and reliability of cars will improve, because there is still competition from self aware drivers.
Those are places where you only call the cops ('public security') because the situation has seriously degenerated. Their security measures are the ones you are already familiar with; locks and keys, the understanding that you need specific permission to be present, some sort of fridge policy etc.
You make a good point. The government should not impose rules about what companies do and also the government should hold companies liable for what they do, which is a different thing from having rules
Exactly. If an insurance company writes rules for a company to follow, it is a good thing. If the government writes those same rules it is a bad thing as the goal is not to reduce the number of thefts but rather make whole the people that get their car stolen and have the money to sue
I don't have much faith that our regulators are going to get their shit together either, but that doesn't mean I can't hold them responsible for the consequences of their negligence. As for the theory that the invisible hand of the market will drive better outcomes in traffic safety, that is obviously not happening in aggregate. It may even be having the opposite effect, given the unchecked proliferation of pickup trucks and large SUVs that are known to be more dangerous to pedestrians and the drivers of other vehicles.
I'm not super familiar with the East Palestine derailment, but based on what I do know about it I think your 59/60 train cars example is sort of disingenuous. American freight rail operators are well known for skimping on safety in multiple dimensions; issues like obsolete brake technology, stretched-thin crews, insufficient maintenance, and excessively long/heavy trains have all been discussed to death before and after that accident. The problem isn't some off-by-one miscalibration, but rather that our regulators (and I'm including lawmakers under that umbrella, especially since they're usually the ones taking the bribes AFAIK) are simply not willing to demand that these industries put public safety over profits in areas where there are well-understood systemic safety problems. AIUI, efforts to improve rail safety during the 2010s and earlier have been largely stillborn, sabotaged by rail company lobbying.
Just to illustrate what I'm talking about via another example: if the MCAS system that killed 346 passengers on two 737 Max aircraft within the span of a few months had been an honest design flaw rather than a hack devised to juice sales by dodging retraining requirements, cheaply and shoddily implemented ignoring the misgivings of Boeing personnel and rubber-stamped by the FAA, then it would have been a simple tragedy. As it actually happened, it's an atrocity—a failure on multiple levels by many people who ought to have known better, holes in the Swiss cheese all lining up, 346 lives sacrificed on the altar of avarice. That's where the invisible hand gets you when you let it take the wheel, but I suppose next you'll tell me that those people ought to have done their own safety audits of the aircraft that got them killed.
Depending on the make and model of a car, you might save money because insurance companies have determined those cars to be safer. If you have a lowjack, your location, your history, there are a lot of factors that go into insurance costs. Insurance companies adjust insurance prices based on risk. Why would you assume private insurance wouldnt also price their policies based on how safe a train is, what the risk is that it crashes, etc.?
Its about who is signing off on whats safe. The government has proven that thry are at best incompetent, they do not have the incentive. A private company has to maintain their reputation through quality of service, they dont have the seemingly endless faith of people because they are "government".
> Why would you assume private insurance wouldnt also price their policies based on how safe a train is, what the risk is that it crashes, etc.?
I don't assume this and I don't think I have even slightly implied that I do. It's obviously, trivially, verifiably false.
Your mistake is in assuming that cost is the primary motivating factor for consumers^[1], and that corporations and their stakeholders won't favor paying higher insurance costs (and fines, etc.) today over paying even more toward safety improvements that won't break even wrt. insurance costs for many years. As I mentioned above, the observable state of the real world explicitly disproves the claim that market forces will drive positive trends in safety outcomes.
^[1] Look how many huge, expensive pickup trucks are on the road in America today. Look at the monthly payments their owners are enduring to satisfy their vanity; look at their spotless paintjobs, empty beds (except perhaps the token equally spotless toolbox), and mud-free fenders.
Doing a security analysis of a car is a complex task that most laymen cannot do, so the argument for laws and compliance among specialists is quite reasonable.
Put it another way: if it's all market based, your choices in buying just get 2x more complex. Is this car easily unlocked? Do the brakes often fail? Can it resist a collision?
Or even another thought: since most people don't think about security, companies will flood the market with insecure cars. Want a secure car? That would be niche and cost you double.
You shouldn't have to consider if the car's locks work, because working locks should be a baseline in cars produced in a first world country. It's that simple and easy. You aren't nearly as smart as you think you are and having basic standards of how corporations should operate isn't coddling.
i think this issue is overblown and is being used as a smokescreen for the rash of vehicle thefts caused, not by bad kia security, but large-scale organized crime.
Should other physical objects also be subject to this same regulation? What about bitcoins? Your proposed response is unsuccessful as policy reasoning.
My proposed response has been making cars safer and more reliable for years. I don't care if it applies to bitcoin or not, we're talking about cars. Next!
The ability to leave your car in a public space while shopping is a major part of their utility. Cars are therefore common, left in the open, and valuable, but not particularly portable without being turned on.
Jewelry, TV’s, bitcoin wallets etc aren’t just left in the open. Your house, front lawn etc is valuable and accessible but not generally mobile.
Yes, and they generally are. In almost all states, sellers have to ensure that the things they sell are "fit for purpose". It's reasonable for us to ensure that they meet the basic requirements of being whatever they are - and for cars, part of their basic purpose is to sit in insecure areas and ensure only authorized users can operate them.
In the age of information ignorance is no longer an option, Before I buy a car, most often the second largest purchase a person will make in their life next to housing. I do i TON of research, I look at insurance rates, I look at Theft Rates for that model, I look on Car Complaints and other Database for common failure items for that model, I have it inspected by a independent mechanic having them pay extra attention to the common failure items. etc
If you just roll in and let the salesman take you for a ride then you deserve the outcome.
Yes anyone who doesn’t have the knowledge/time/motivation/cynicism to prevent themselves getting taken advantage of is basically asking for it, nay “deserves” it.
Yeah, and if you did not read T&S and now going to become a part of human centipede, that’s on you. I mean, how hard can it be to read a 22 page legalese, before going through a sign up flow, that was heavily optimized to increase conversion?
anyone who thinks there is anybody in the universe other than themselves that is going to take responsibility for their safety, security, happiness, etc. absolutely "deserves" what they get.
i didn't say they did! i said they need to take responsibility for their own safety/security or suffer the consequences. whether they should be expected to... is totally irrelevant. i'm not stating a preference, i'm stating a fundamental law of nature.
and not knowing even that simple fact is what makes it "deservedly" so.
Regulation can remove those consequences for any chosen safety/security feature by making every choice have it. Fundamental law of nature? You're deluding yourself.
(And if you say you mean outside of regulation, that people need to be responsible in general for other aspects of life, then your argument is no longer connected to the original comment you replied to.)
regulation is part of the universe. to expect that it protects you exactly when you'd want it to, but does not inhibit you want you'd not want it to is stupid. trying to offload your responsibility onto some "them" is not a fix.
i'm definitely not deluding myself. that is life. you need to have both the freedom and the inclination to take care of yourself, if you don't have both you'll suffer.
I do not need the freedom to buy a defective lock.
Mandating basic safety and security features is not always going to protect me, but it will mostly protect me. It's not stupid to want that tradeoff. I don't care if you define "fix" as 100% so therefore it's not a fix. I want the 95%. I want defense in depth, regulation on top of personal investigation.
you are right. you do NOT need the freedom to buy a defective lock.
you need the right to decide for yourself if the lock is defective or not.
if you give that away, you will instantly be given the "freedom" to buy a lock that is defective-by-design. perhaps the lock designer's brother is a friend of the govt. perhaps the govt. agency does not want bad publicity, whatever.
the point is "defense-in-depth" (cliche) or not, you are ultimately responsible for you. there can be no other way.
> you are right. you do NOT need the freedom to buy a defective lock.
> you need the right to decide for yourself if the lock is defective or not.
This sounds like you agree with me. This kind of regulation sets a minimum, not a maximum.
We don't need freedom to buy very bad locks. We do need freedom to buy the best lock we want to buy.
But the rest of your post implies that regulation will change both minimum and maximum and mandate a specific lock. I disagree with that premise.
> (cliche)
Are you trying to imply something there?
> you are ultimately responsible for you. there can be no other way.
I am "ultimately" responsible, but product makers should have responsibilities too. If I fail at something, I should not be 0% safe. The baseline should be pretty high before I apply my own efforts.
Should we allow cars without seatbelt? Everyone knows cars with seatbelts are safer. If consumers don’t like it, they can just choose to buy the ones with seatbelts.
Do you look up the software security measures implemented by the keyfob too? That information would be very difficult for a layperson to find and make sense of.
This may be the "age of information", but information is only useful as your ability to find, understand, and evaluate it.
Lets see, oooo tiktok, heres the kia challenge. Or maybe google "are kias secure". Whatever format you can understand, you will be presented several sources that explain the situation quite clearly.
Isn't there an aftermarket solution you can buy that would make the kia you bought three years ago more secure?
Sure, it sucks that you have to unexpectedly spend money on it, but when you bought a cheap car you knew you were taking the risk of having to deal with unknown unknowns.
If you googled kias at any time ever you would have seen they are absolutely riddled with issues. People on HN seem to think buying a car is like designing a CPU or investing in a portfolio of stocks, you could try doing some research.
Car thefts are extremely dangerous for everyone on or near the road. It's obviously better to just not allow car manufacturers to neglect basic security practices. There's also entire categories of issues you don't have to research anymore because they've been optimized out of every modern car. Soon cars being hacked with toys will be added to that list for you. Notably, "airbag explosion rate" wasn't on that research project of yours.
> if kia makes a cheap car with crappy locks either don't buy it
Immobilizers were a standard feature on cars for decades. If you went to buy a car, no one was putting immobilizer on the list of features, and they certainly wouldn't let you try breaking the ignition lock on a test drive.
If they had advertised that their vehicles were insecure, then sure, it's on the buyer, but they didn't.
it'd be bad to advertise that they have in immobilizer or anti-theft when providing either nothing or a badly broken implementation (like you often see in IOT).
it's not negligence to simply not provide a feature they didn't promise to provide and weren't required to (in the US). it is simply not their responsibility in any way to ensure your car's safety from theft. if you assumed it was and that they provided a feature you wanted because everybody else usually does, then the negligent party would be you for not RTFM. except that's wrong here too.
nobody is negligent here. you do not have a social responsibility to have an immobilizer on your car to prevent it from being stolen. and neither does the manufacturer. having it locked is plenty to legally make it "breaking-and-entering". and even if you leave the keys in the car and the engine running, it's still grand theft and your insurance will indeed pay out, which they would not do if they could claim negligence. the criminals are 100% at fault here. and bad things can happen without someone being negligent.
arguing about anything beyond that is just a fight about how good that anti-theft system has to be. are you negligent if you don't have an armed guard on your car?
Speaking as an outsider: How are Kias sales going these days? How's their reputation as a result of this?
Imo for removing security for the US market they deserve to be properly thrashed and dragged through the mud, regardless of the fact that they are offering upgrades from free if I read the following correctly.
The manufacturer is not the victim here, the buyer is. If I pay a contractor to install a new door and lock on my apartment and it turns out they did a terrible job which made it trivial for a thief to break in, the contractor should be liable.
Crime exists, this is the world we live in. Failing to implement even the most basic security measure, which is considered industry standard, in a high-value product that is known to be very attractive to thieves and then selling that product to consumers with no warning that "unlike most other cars on the market, which have many layers of security features, this car can be stolen using a cheap toy" makes the inevitable thefts absolutely Kia's fault.
It's not like people are saying the thieves did nothing wrong, both sides are at fault: the thieves stole people's cars to enrich themselves and Kia secretly omitted a basic security feature which in turn enabled thousands of fully predictable and preventable thefts from their customers, again, to enrich themselves.
But people ARE saying the thieves are not at fault.. “it’s just kids”, “we don’t want to put them in jail because that would ruin their future”, “they can’t pay a fine anyway so there is no point in going after them”
"We shouldn't put dumb kids into cages and forever brand them as criminals for making one bad decision" is a far cry from "they are not at fault for what they did".
Also, insert the usual point about how many people are forced into crime by poverty and the complete lack of a social safety net in the US here.
No one is saying that, there are multiple contributors to the problem here, sure the thieves own the bulk of it, but manufacturers could fix the issue or offer a solution like a cheap install of an immobilizer.
In my left leaning workplace in my left leaning state, most colleagues do not want to assign the thieves any blame or have them face any consequences. These colleagues only want to blame and penalize the manufacturers.
I think the manufacturer should fix things so they are more in line with other manufacturers. But I also want to see some repercussions for the thieves.
Can the downvoters explain why they disagree with:
"I think the manufacturer should fix things so they are more in line with other manufacturers. But I also want to see some repercussions for the thieves."
That's obviously not the sentence people are disagreeing with.
There is no way your colleagues want the thieves to not face any consequences. It's a completely different thing to not trust the justice system to give an appropriate consequence.
My colleagues never call out the thieves or call for consequences. They skirt that issue and focus their rhetoric on the big, bad companies or blame the victim (eg should have locked his bike, should have taken valuables out of the car, etc)
> Failing to implement even the most basic security measure, which is considered industry standard, in a high-value product that is known to be very attractive to thieves and then selling that product to consumers with no warning that "unlike most other cars on the market, which have many layers of security features, this car can be stolen using a cheap toy" makes the inevitable thefts absolutely Kia's fault.
I don't think this logic works. If you buy a classic vehicle, they don't have these kinds of things either. People make replicas that likewise don't. And there is no clear line here. Basically any car can be stolen by, if nothing else, replacing the car's computer with one that accepts the thief's key.
Meanwhile a car is a large purchase where people can reasonably be expected to do some research. If you're about to buy a car you should read some reviews, and the reviewers should tell you if their security is bad. Then you know and can make your decision. People who learn of this may want to buy a different car, or take some other countermeasures if they buy this one.
Kia doesn't have any kind of a monopoly in this market. There are many other carmakers. Maybe you don't care that their security is bad because you always park your car in a garage. Maybe you like the discount you got because other buyers wanted a car with better security. Why does it have to be illegal, instead of letting the market sort it out in the presence of actual competition?
> If you buy a classic vehicle, they don't have these kinds of things either
Not a good analogy, because buying a classic vehicle automatically waives a bunch of safety and other features that are not only expected in modern day, they are straight up legally required.
A car manufacturer cannot remake a classic vehicle from the 80s and release it in the US in 2024. Or, probably, EU too, I cannot speak for that due to my unfamiliarity with vehicle laws there, but afaik they are more strict than the US. It would be just illegal to sell that car. Thin pillars that won’t pass any modern safety tests, no backup camera (which makes it illegal to sell as a new car in the US), not enoug crumple zones, etc.
Those are explicit regulatory requirements and not just "well a lot of cars have this and I didn't bother to check" as in this case.
And if you were going to do that in this case, the thing to require is the ability for third parties to fix the manufacturer's software mistakes. Otherwise the carmaker goes out of business, as happens from time to time when they don't make a decent product, and then you can't go to them to fix something like this when it subsequently comes out even though their cars will be on the road for many more years.
Whereas if anybody could patch the code in their own car, you wouldn't have this situation where Kia ignores the issue, because third parties would have done it already, the same whether they're incompetent as bankrupt.
The standard dodge in the US is to sell “kit cars” which require the buyer to do a bunch of paperwork to get a VIN. I don’t think they can be sold ready-to-drive but I think there are dodges there too (owner tightens last bolt style). The details vary by state.
Looking for details, I found that there have also been recent changes to ease requirements for small-batch (< 325/year) turn-key replica manufacturers.
> Kia doesn't have any kind of a monopoly in this market
No need for a monopoly, just bad incentives. All manufacturers could just decide that it's better to save more money and omit basic security features across the entire industry, making it impossible to buy a new car with certain standards. What are people going to do, not drive any cars? That's why it's near impossible to find a printer that's not garbage.
> What are people going to do, not drive any cars?
They're going to buy a car and then pay someone to install an aftermarket immobilizer.
> That's why it's near impossible to find a printer that's not garbage.
Brother laser printers are widely regarded as decent. You're also legally permitted to buy cheap garbage for low prices. It will be cheap garbage, so maybe don't buy it.
This all assumes the "perfect information, even playing field" theory that capitalists love to use but is completely unrealistic.
Reviews rarely talk about things like this, this information is not explicitly given to reviewers or customers and neither can be expected to find out on their own (i.e. by trying to hack the car themselves), the car manufacturer spends insane amounts of money advertising to the buyer using every psychological trick in the book, the buyer is often under time pressure, the savings from cost-cutting are rarely passed down to the consumer...
Buying things in the current market landscape is a battle, not an optimization problem.
> this information is not explicitly given to reviewers or customers and neither can be expected to find out on their own (i.e. by trying to hack the car themselves)
Reviewers don't get the information by penetration testing the car themselves. They get the information because their profession is reviewing cars, so when they hear of this through their high contact surface area with industry news, they add it to their review on their website.
> the car manufacturer spends insane amounts of money advertising to the buyer using every psychological trick in the book
Because cars are big ticket items where a single incremental sale can justify a lot of ad spend, not because buyers are incapable of reading a review.
> the buyer is often under time pressure
The buyer is rarely under time pressure. Most people don't wait until their car breaks down to replace it, and even if they did and desperately need to have a car, then they would rent or lease one in the interim while shopping for another one. This is often even covered by insurance. Almost nobody is in the position of having to buy a car immediately without time to do any research, and the percentage of people who are isn't enough to significantly affect which cars or features succeed in the market.
> the savings from cost-cutting are rarely passed down to the consumer
That would imply that all new cars sell for the same price. Clearly they don't, because customers distinguish between them and are willing to pay different amounts.
> Buying things in the current market landscape is a battle, not an optimization problem.
So what you propose is that we reduce the information available to the buyer by requiring cost cutting to be underhanded rather than overt because overt cost cutting is prohibited, or that it not occur and instead prices go up even if you didn't need that feature and then poor people go broke because everything is more expensive.
> If I left a million dollars out on my front porch, and someone stole it, that would not be my fault in any sort of way
It's possible for multiple people to share the blame for something. You _are_ the victim. The person who stole it _is_ the bad guy / criminal. But you _both_ share the blame, because you did something to put yourself at risk when you had better options.
If I'm out late at night, wearing expensive jewelry and have 2 ways home; one longer but down a well lit road, the other shorter but through a dark alley in a crime ridden neighborhood; and I chose the dark alley and got mugged... I would be the victim AND be partially to blame for making a stupid choice.
Making choices that put yourself at risk by ignoring the realities of the world, when you don't need to, mean you share the blame.
And I'm pointing out that responsibility and blame are not the same things and that conflating the terms leads to positions that are hard to defend. A person may be responsible for their own actions but not to blame for someone else's.
> responsible for their own actions but not to blame for someone else's.
You're changing the target of the actions mid sentence. Said person is responsible for their own actions _and_ to blame for their own actions. They are not responsible for someone else's actions nor to blame for someone else's actions.
If a person knowingly takes actions that put them at greater risk, then they are to blame for putting themselves at greater risk.
Correct, two people: the victim and the criminal. Going back to your example, a victim who gets mugged after choosing to walk down a dark alley is still the victim. They do not share responsibility or fault for the crime. They share responsibility for being in the same place at the same time. The victim making a choice that puts them in the wrong place at the wrong time is not at fault for that crime. I believe you are using the word blame in a broad sense that encompasses both the criminal action and the poor choice. But by using the word in the two senses and then equating them, you end up equating the actions, intentionally or not.
> i'm not negligent for not doing enough to prevent the crimes of some other asshole.
If you entire job is selling locks and they don’t prevent crime, then it’s not negligent, it’s fraudulent.
You want to be in the clear? Sell a car without a lock, see how many people buy that.
> if kia makes a cheap car with crappy locks either don't buy it
And if Boeing makes a cheap, unsafe plane, don’t fly on it
I would be happy to run this experiment if lying to a customer about safety/properties of your product led to capital punishment. But currently companies will simply defraud you by lying about their product, and suffer no consequence
> If you entire job is selling locks and they don’t prevent crime
Does MasterLock making famously easy to pick / rake locks count? I'm sure they reduce crime compared to no lock but they are not as secure as the customer expects.
> And if Boeing makes a cheap, unsafe plane, don’t fly on it
yes. exactly. if boeing ever makes a cheap plane, i would definitely avoid it.
you are comparing a company that cheated on legally mandated safety requirements with a company that didn't put a non-legally required car immobilizer on a lot of their new cars. and then didn't lie about it.
The problem occurs when a vendor makes claims that are false or fails to disclose known issues. I don't think either insecure cars or security tools should be banned. However, I think disclosures should absolutely be made.
Nobody is mentioning about how this is a social problem with the US that needs fixing, for example I often times forget to lock my car's doors in the Eastern European capital where I'm living and yet I've never had anyone "steal" stuff from it.
But I get it, it's easier to think about applying technological or even legal solutions instead of thinking about how to fix a societal problem.
Yup, and you get downvoted for even trying to discuss it. Need the Overton window to shift slightly so it can be discussed on HN.
It is a societal problem and I hope for our future we can fix it.
not hard at all. where is CPS? obviously someone isn't giving an 11 year-old appropriate supervision at all if they are driving, let alone stealing a car. there absolutely should be consequences for both the parents and the child in this situation. i'm not saying one mistake, send the kid to prison, take away parental rights. but it should be severe enough to matter, including several thousand dollars restitution.
but, somehow, i manage to ensure that none of them are stealing cars at 11
"it is not a supervision problem"
hmm. maybe i should have said "parenting issue"...
look, i am blessed to have had good kids. but i have had friends with struggles. if i had a kid that somehow stole a car (at 11) and i had to pay for repairs and meet with CPS and deal with courts and fines and maybe even juve and a lost year of school, we'd get through it.
A tool is a tool, it doesn't make the product weak, it already was.
Also it is silly to ban insecure cars, that's quite the slippery slope. If the cars are too easy to steal insurance will increase accordingly and that will provide incentives to fix that without banning anything.
Hrmm I wonder what would happen if I made a bank that used an unencrypted website for online banking lol.
The problem with your solution here where the insurance company raises rates... yea they already did that with regards to Kia/Hyundai cars and Kia Boyz thefts. The problem is, well, put it this way...
The last time you bought a car, did you check that the car had immobilizer software/hardware present on it? They don't really advertise that stuff anymore. About the only way you'd know on some brands is a nondescript red dot that shows up for a moment when you start the ignition.
Really, I'd bet a lot of people only found out their car didn't have an immobilizer feature until their insurance company dropped them or jacked their rates up... and that's a problem. See, you can buy a car NOW, and everyone thinks it's a good safe car.. until it turns out it wasn't.
> If the cars are too easy to steal insurance will increase accordingly
that's exactly right. i was somewhat surprised that insurance was outright dropping people instead of simply increasing rates. and by the way, you can get a discount if you add x/y/z security alarm/immobilizer. the public outcry already has forced the issue with kia anyhow.
They cost people a lot of time and grief over a goddamn boutique phone, that they were warned would have antenna issues, by the guy that was...Apple's most senior antenna expert, Rubén Caballero, and he was ignored.
When physics caught up the Apple marketing, it took months for Apple to roll out a cheap bumper guard and acted like they were doing everyone a favor.
They never reimbursed people who bought a case to mitigate the issue. They did reimburse those that did have to purchase a rubber bumper.
While you are technically correct, that's about it. The whole thing was a shitshow and Apple acted like the users were the problem until enough of the world mocked them into providing a work-around for a problem that they should have addressed before it was even sold.
>- i also cringe at the idea that we throw the word negligent around when talking about failing to prevent other peoples crimes. i'm not negligent for not doing enough to prevent the crimes of some other asshole. nor is kia. meanwhile, there's sibling threads here that point out that the us is far to hard on the criminals. so wait - kia and me and other law abiding entities are "negligent", but the asshole who stole the car deserves compasion, etc.?
It's pretty simple: if some car manufacturers have much higher rates of theft and are easier to steal than others, they are negligent. If by catching up to industry-standard anti-theft practices, their cars become harder to steal, not doing so is negligent.
for example, if a company made a car alarm called "SUPER EXTRA SECURE ELITE++ V5" and told me it had a "guaranteed thief proof" immobilizer. but then we find that a viral Tik Tok video shows how to with a hairpin and spit we can completely disable it and in 5 seconds and take the car for a drive and access the owners credit card info. and then also the car often bursts into flames while parked and turned off. and we of course find out that this was no "oops" and the corporations involved full-well knew about these issues and hid them to get a bonus. well, that'd certainly be a job for consumer protection laws.
but this is a case of "you got what you paid for". there's a place in the market for crank-up windows and basic plain cars without keyfobs and fancy alarms. that isn't wrong, and it definitely isn't "negligence" just because other carmakers pick different places in the market. and the fact that criminals do bad things doesn't change that.
and, thank you very much, i don't need consumer protection against that kind of thing. let's start with the lying and cheating corps and work our way up to collusion and price fixing. then let's get onto repair...
Though your other comments make it sound like you don't want a car without an immobilizer, in which case it feels like you're manufacturing something to disagree with rather than making a real argument against what I said.
- it's not an act of "negligence" when neither the owner nor the manufacturer choose to not include an extra security feature, even one that a majority of other cars have.
- it's nobody's business what "people ought to want". so that means an arguments based on "nobody should..." or "no rational person..." and "there's nor reason that..." and so on are invalid.
> - it's not an act of "negligence" when neither the owner nor the manufacturer choose to not include an extra security feature, even one that a majority of other cars have.
I don't think this gets to count as "extra".
> - it's nobody's business what "people ought to want". so that means an arguments based on "nobody should..." or "no rational person..." and so on are invalid.
I'm making a general claim about value, nothing personal. Because of that, I don't think it should matter whether wanting it is "nobody's business".
But in particular, I'm saying there's no benefit to avoiding an electronic key. We can remove the word "want" entirely. The downsides are large and the implementation cost is a rounding error. This differs from power windows and "fancy alarms".
Ignoring the strawman of an assailant deserving compassion or not, that’s a self serving and narrow definition of negligence. Any mechanism to protect from misuse has to weighed against the magnitude harm of the event occurring and the possibility of misuse. I would not expect my asset manager to have weak authentication systems to access my portfolio but don’t expect any at all from a free online game. I expect both of these to consider the threats and make reasonable choices. And they would be negligent if they did not do this exercise. Whether is an active threat or a passive act of god.
Sure "don't ban anything", if your car crashes and kills you, "should have read Consumers' Reports". Those botulism eggs? Keep an eye things, damn it. /s
This ill-informed attitude goes over well here unfortunately.
And security may not be quite as pressing safety but poor security cost society besides costing the individual. When poor workers can't get to work 'cause stolen car, their bosses also suffer, when stolen cars are used in further you also get a social cost. etc.
You provide no structural basis or reasoning for these cynical assertions, nor for the implied responses. Seems to be founded on a philosophical foundation of individuals requiring safety from “elsewhere,” and assuming that “elsewhere” actually provides it.
Security flaws are not born equal. I think there is supposed to be a clear distinction between flaws inherent in technology -- since you only know what you know nobody should be expected to develop impenetrable digital fortresses since that doesn't exist and would actually be harmful for the consumer -- and those flaws born out of neglect. The latter should be specified and treated accordingly, because it isn't a valid excuse that technology can't be 100% secure that the industry should accept poor standards.
Also, Flipper Zero can be made DIY, so I don't know if I get it, but the law will be DOA, and actually work against the democatization and awareness of such flaws by the public.
Serious security thinkers evaluate according to factors of likelihood,
impact, mitigation cost etc.
A car is a dangerous weapon, especially in the hands of a group of
giddy kids, maybe drunk or way too high to drive. The likelihood of
someone getting seriously injured or killed by joyriding is high.
It's really high. And there's no mitigation to a dead child. The
penalty? A very firm "please don't do that again!"
But then a kid like Aaron Swartz downloads some files and gets nine
felony counts totalling 50 years in jail and a $1 million fine.
A justice system with these values has no concept of risk and
proportionality and is beneath contempt.
> especially in the hands of a group of giddy kids
Also the scenario where it's being used as a disposable battering-ram to smash into a store. (As you might expect, those are the stolen cars with lesser potential resale value.)
I should say I drive a twenty year old car with an immobilizer chip and basic logic sounding the alarm when someone breaks a window to open a door. As far as I can tell, that makes it very secure. So it seems like the onus in the car manufacturers to create a vehicle at least as secure as this simple system.
There is a big difference in putting together deadly artifacts and electronic devices you can fabricate using off-the-shelf chips and open protocols. Not saying you can't discuss regulating them, but to me they are in a different set of categories. Weapons are by default dangerous, their sole purpose being to cause physical harm, while a flipper zero can be used for instructional purposes and research.
As much as I hate the concept, it would be ridiculous for me to propose regulating Alexa because a kid can cause financial harm to the parents using it, but a weapon can't be in any imaginable circumstance reachable by anyone untrained.
> but a weapon can't be in any imaginable circumstance reachable by anyone untrained.
I agree with your main point that the FZ is easily reproduced. I think you miss the mark with this one. Firearms are easily made at home with simple tools and off-the-shelf materials. For example, the United States has a rich tradition of home-made firearms. To provide a concrete example, a shotgun can be made with a length of steel plumbing pipe, electrical tape, a nail, and a cap. Yes, it's that simple.
If by social danger you mean I would be really impressed if you managed to throw a flipper zero into someone and kill him, then yes that is the gist. It's a matter of degree.
>while a flipper zero can be used for instructional purposes and research.
Only in the same way a weapon can be used for instructional purposes and research. Someone buying an off the shelf product and using it in the way it was intended isn't doing research except in the loosest sense of the word. E.g. "Does the radio transmission open this garage door? Does it open this garage door? Does it open this garage door?" v "Does this rock swung hard cave in this skull? Does it cave in this skull? Does it cave in this skull?"
One of the authors here. Someone just told me we were on the HackerNews front page, made me happy we just went with a static website on GitHub pages.
I will go through the comments later, but for now, if you are Canadian, please get in touch with your MPs.
I am working with some media as well for additional coverage in the next week, but if you know Canadian journalists that might be interested in this, please get in touch with them, educate them directly if you want or send them to me (my LinkedIn is in the signatures, the first two names in bold = authors).
If the environment can be presumed to contain at least one wolf, then building houses out of straw and sticks is considered negligent and lazy pigs deserve to get eaten.
Responsible pigs who build from brick, sacrificing some profit in the name of security, are celebrated for their sound judgment and foresight.
A fairy tale has been telling us this for at least 200 years and probably much longer, history is unclear on how far back it goes.
It's amazing seeing this thread take the side of the negligent lazy pig. "But my thousand-dependency framework is mostly made of straw!", they say. "My boss won't give me time to even use sticks, much less brick!", they say. "It has to be this way!", they say.
The argument for the Flipper Zero is that it's an independent building inspector.
People are being sold houses where the builder says they're made of brick, and if not for this product, the pigs might live in a house believing it's brick until a wolf blows it down and reveals a thin layer of stucco over straw.
The home sellers are saying "but wolves and building inspectors alike can use this tool to blow down houses!" (porcine building inspector use rather crude inspection methods). But it would be irrelevant if the houses were made of brick and not straw.
It's not about lazy people versus diligent people, though. The companies are blaming the wolves, and arguing that they don't need to fix the issues since only the wolves threaten us (right now). That is a bad security model, and with or without Flipper Zero it will fail.
At this point, banning security tools a violation of the second amendment.
Microsoft suffers breach after breach after acquisition after acquisition. I verbally note them to my wife to remember, "This is not normal." and even she said, "Why do the numbers keep getting worse and worse." and I told her, "The database keeps getting larger and larger ever since they were only slapped on the wrist for not letting me boot straight to firefox since childhood."
If you took away my ability to understand why the world around me is failing, we'd fall into further disrepair than we already are and we're not really allowed to repair anything, now are we?
I'm struggling to connect how the banning of security tools would be a violation of the (US) second amendment.
A violation of the first, fourth, and ninth? I can see that. A propensity to violate the fifth? I can see that. But I can't see a strong connection to the second.
A way of looking at the second amendment is as a reduction in imbalanced power structures. Its purpose, depending on how you read it, but as practiced in the US, is to put the citizenry on more level footing with the government so the government doesn't get too excited with their power.
Security bypasses/tools/exploits in that context are useful for leveling the playing field in a conflict, for instance we know the NSA is hoarding them for militaristic purposes. So if we call them cyber weapons rather than security tools it starts to make sense that, per that reasoning, citizens should have access to them too.
There was a point in the US where encryption was barred from export based on arms export laws. Lots a pretty famous open source stories from such. So it's not far fetched at all for the most part.
Though this is in US law, not Canada as related to the news story.
> There was a point in the US where encryption was barred from export based on arms export laws.
Are there any US court cases that suggested treating encryption as something covered by the Second Amendment? It would be more strange than putting malware under the Second Amendment. I can appreciate the gotcha of "if the US government defines encryption as arms then the second amendment applies" to disincentivize such a definition, but the government could simply call encryption something other than "arms" and thus avoid the Second Amendment.
I think the general consensus in the US is that encryption falls firmly under the First Amendment. It's not as if the First and Second Amendments are necessarily mutually exclusive with respect to any given tool, but I think case law is such that the Second Amendment doesn't apply to encryption.
Someone once stole my grandfather's car with a screwdriver. The ignition switch was broken off (probably with a hammer), and the starter could be actuated with the screwdriver. I don't remember how long he drove it that way.
Banning the tech is a bandaid to deeper problems. It's also great advertising that these tools are effective.
Seems like most everyone here is ignoring that the flipper is not even an effective tool for car theft. It's capabilities have been exaggerated by staged videos.
You would have to get access to the original fob. Activate it near the flipper but out of range of the car. At which point...yes. You get one chance to unlock the original car which you lose if the original fob is used before you get there. Oh and then you gotta start it?
I don't know man. I feel like real car thieves use better tools
Obviously, this is the answer. Make the manufacturers simply recall their cars and fix this easy exploit.
However it won't happen because politicians are in the pocket of big industry, and also banning a flipper zero makes them look good with almost no political capital expended (a quick win).
I don't agree with the logic of their argumentation. It reads a little bit like this:
"Lock-picking tools are based on metal stick technology. If you ban possession of lock-picking tools, you will hamper the entire economy of tools based on metal sticks: everything from screwdrivers to knives to scissors. Instead, you should ban all entrance doors that are not of bank vault pedigree."
(Which is not to say that I agree with criminalizing the activities of genuine security researchers, while giving a free pass to bad security. I'm only remarking on the form of argumentation in the article.)
I agree with their logic and would generally agree with its conclusion when applied to other technology, including lock picking tools. As an aside, criminals rarely use those; burglars are more likely to use a crowbar or hammer.
Lock picking tools are not banned in most jurisdictions. In some cases, carrying them in public combined with some other evidence of intent to commit burglary could be a crime, but that's also true of a crowbar, hammer, rock, or anything else that could be used to gain entry.
This is true in absolute terms but over simplified because it glosses over the differences in scale. We require cars to have seatbelts because even though people still die in crashes, it’s a statistically certainty that many fewer die when seatbelts are used.
Setting minimum standards is a critical function of governments in maintaining healthy markets because it prevents cheating from being cost effective. If you make a safety feature optional, you will have some fraction of people say that they don’t need it and then cost society money when it turns out they were wrong. In the case of poor locks, even if much of the cost is paid by the owners’ insurance there’s still a lot of expense from the extra police and court costs, and stolen cars are often used to support other crimes.
Thank you. Reading through these comments I was surprised at how illogical so many of these comments are. People talking about towing cars or picking locks acting as if it's not obvious what the distinction is here.
Yeah people, nothing can have perfect security. That's a given anyway. I think the point is that if you can steal it with a $250 device SDR device, the car's level of security is the issue not the device and that should be acknowledged by their government before they ban something that will do nothing except put these things in the hands of only the bigger crime groups. These things likely wouldn't be hard to manufacture by hand if these criminals wanted to get a hold of them.
> Thank you. Reading through these comments I was surprised at how illogical so many of these comments are.
Many commenters on HN lean libertarian, thus some will go through great lengths and mental gymnastics to avoid the conclusion that government regulation is (part of) the answer.
Seatbelts are not adversarial. A better seatbelt does not encourage other drivers to crash their cars into you even harder or anything like that, it's people versus nature.
Security systems are in a permanent arms race, people versus people. You could have a more expensive lock that requires a more expensive device to defeat, but this makes your car more expensive to make, so it has a higher price, so it becomes a more valuable target, and so on.
The problem is that I think these hands free remote start locks are more expensive than actual real physical locks which are immune to the types of attacks so that argument just actually doesnt work at all.
My bad, I was thinking in terms of the expensive remote start lock vs an even more expensive and safer remote start lock.
But if the fancy insecure lock is more expensive, the problem should fix itself eventually, right? Consumers will switch back to the cheaper system of their own accord.
It sucks for the people who bought the insecure cars without knowing, but banning insecure cars is not going to help them retroactively in any way.
Where I live the used car market is hot. It is hard to find a car made before 2012 because for the most part they are as reliable and fuel efficient as modern cars, are cheaper to repair, and cheaper to insure.
I dont think they are so desirable just because they are more secure but they dont have remote start options so they are at least in part more secure than modern remote start cars. The problem I am getting at is that there are no secure modern car options. None.
I don't think there can be such a thing as a secure remote start option. The only way they can make it more secure than traditional keys is if they also make it less convenient to use than traditional keys, and then there is no point because the traditional keys will be easier and cheaper.
What happened is that consumers did not know that the remote keys were unsafe, and now they know.
What I don't understand is why insecure cars should be banned by law. Now that everyone knows about the issue, surely everyone will switch to a more secure system of their own accord.
Yes. That’s why I listed it first as a separate category – it’s easy to see a stolen car as a loss of, say, $20-30k for the private insurance company and owner but there’s also going to be a cost for the time the police spend investigating, the city might spend disposing of a wrecked vehicle, the courts spend processing a car thief, etc. and potentially other significant costs if, say, a Kia challenge teenager hits another person or the vehicle is used to rob a house or business. While we can’t prevent it in absolute terms, there is still a significant social benefit to reducing car theft rates.
Insurance companies should reflect unlock vulnerability of a car model in its premiums. That still leaves the problem that few people look at insurance premium when choosing what car to buy. What would help is a widely used certification system kept up-to-date by certification authorities in cooperation with insurance companies, similarly to what we have in place for a car model's fuel consumption.
> That still leaves the problem that few people look at insurance premium when choosing what car to buy.
It doesn't help that premium calculations are nonlinear and trade secrets. In the real world, it would take a computer and a large database to fuzzily estimate the impact of a particular car purchase on your personal premiums forecasted over the next few years with an error margin any less than a few hundred dollars per year (unless your life is particularly stable and well aligned to some major stereotype you can use to get a closer estimate).
If each insurer just published a table of the incremental impact of a given model of car (or better yet, how linear contributions for theft vs crash-rate vs death-rate-on-crash vs ...) then that'd be easy enough to use during purchasing. If you own a 90s civic in Oakland vs Redwood City though you're much more likely for the defective security measures to be used, and the insurers use a proxy for that information in their calculations, so in practice you have to get a personalized quote for every single car you might be interested in purchasing. Moreover, if you buy the car in a low-car-crime locale and move you can still be surprised by the massive rate hike [0]. And so on; modeling arbitrary risk is complicated, which is (part of) why professionals get paid the big bucks to do it. If there are other workable solutions, I'd prefer most of those to requiring the general public to have to do non-trivial math and statistics for every car purchase, especially above and beyond what they already have to do when estimating the total lifetime costs due to fuel economy or whatever.
[0] My personal solution was just to sell the car in that low-car-crime locale where it had a market value and buy a new vehicle in my destination, but then you're trading premiums for transaction costs, which isn't easy to model if you don't know how often you'll move in 5yrs either (hindsight, definitely worth it by a wide margin).
This penalizes unaware pre-existing car owners. Not only they got a crappy car, they now have to pay more for it - all because the vendor was sloppy. Doesn’t seem fair to me.
The responsible party should be the automaker that built or installed the security system, not the person who was sold a lie.
Or, you know, the people _stealing_ cars. I feel like this is bizarro world where what was previously accepted as adequate deterrence is now penalized because actual criminals have fewer and fewer incentives to follow established normal behaviors. “Maybe your face shouldn’t have been so punchable” is not a reasonable position to take, imho.
Flipper, lock picks, bolt cutters, etc. are all reasonable tools. So is the expectation that using them to commit a crime should result in penalty for the individual committing a crime using those tools, not the target of the crime they are committing.
Kia and Hyundai saved like $20/car by skimping on a part that all the other major manufacturers include by default, leading to cars that were insecure by design. That's negligent.
Punishing people for taking advantage of that vulnerability is certainly warranted, but it's also closing the barn door after the horse has already bolted.
What harm did Kia cause its customer? How are those locks adequate in say, South Korea, where there are 1:20,000 car thefts per capita yearly vs 1:350 in the US.
The locks are not the problem. Stealing cars is the problem.
I do agree that these crimes should hold stiff penalties like at least 5 years in prison, no possibility of parole, including 1st offense. Liberal city DAs have been shirking their responsibility for at least the past 15 years. It's usually a pretty small percentage of the population executing these types of crimes. No more revolving doors. If I owned a kia I'd add an after market shutoff. They're not that expensive, rather than crying over how awful my world is living in a first world nation with a brand new vehicle with a security fault.
I agree with the article; that regulating car manufacturers who make insecure cars is the correct approach. This specific case illustrates the effectiveness of the approach.
I read this view as: it’s fine to steal a car without an immobilizer. That’s an insane take (and why we can’t have nice things).
Meanwhile other modern countries (albeit with much stricter law enforcement and a more unified value system) can operate with 0.1% of the equivalent crime and that’s not what we aspire to. Instead we want to blame the manufacturer who must have certainly enticed antisocial, destructive behavior. What an awful and poisonous worldview.
It's worth noting that Hyundai and Kia actually ship different anti-theft technology in some of these other modern countries, because regulations in those other modern countries require it. The fact that the US doesn't require it (this article is about Canada, but other subthreads are talking about those manufacturers specifically).
It seems entirely reasonable to take the article's point of view which is "don't ban FlipperZero just because it can be used to facilitate car theft [among 1000 other uses], but rather regulate cars so that they become harder to steal".
Further, I realize you didn't put a ton of thought into the specific 0.1% figure, but I seriously doubt that other modern countries are 1000x better on equivalent crime measures than either the US or Canada.
In a bunch of scenarios (mining, military, boats, planes) the vehicles explicitly don't have locks or ignition keys, you press a button and it starts up, you're good to go - should the manufacturer be liable if one gets stolen?
No; each of those scenarios involves external access controls that are standard for those industries. (Fences, guards, controlled access.) It's nothing like the Kia/Hyundai scenario, where such vulnerabilities stemmed from not doing the industry standard thing (immobilizers).
Isn't police the external control? It is just that governments have failed to provide enough of these controls... So maybe they should be punished collectively for it?
> Isn't police the external control? It is just that governments have failed to provide enough of these controls...
I can only speak about US law, but there has been repeated case law that the police do not have a duty to protect any person in particular (except possibly when people are in their custody which isn't really relevant here).
The function of the police isn't to stop criminals in the act - given their response times that's largely impossible anyhow (well, outside of traffic violations). They largely deter crime by catching criminals after the fact.
The examples given like military facilities have secure fences, 24 hour guards, etc. They are actually secure facilities. As opposed to someone's driveway.
If you remove enough of the criminals from the population, you end up preventing crime in the long run. When it comes to car theft in particular, police also set up bait cars and then arrest the people who try and steal them. Well, at least that’s what they do in cities that still bother enforcing property crimes.
Even a surveillance state like China has crime - it’s not possible to deploy a police officer to every block and most people would find that objectionable for other reasons. Very few threats can be solved by a single countermeasure because the enemies are also intelligent and motivated.
US military vehicles might have a cable that locks to the steering wheel. So if you try to drive it, you can't steer well. But if not setup properly, it can be steered just fine.
> US military vehicles are protected by the "people with guns who will shoot you" industry standard.
Unless you are an MP, that stuff stays in the armory cage. And if you are headed to the range, ammunition is delivered separately to the range and systems are stringently checked for ammo before returning, afterwards they will do a lockdown inspection of the barracks and everyone's personal vehicles.
As long as they are regulatory compliant, there should absolutely not be any liability. If regulations are not updated fast enough maybe people responsible for that should be removed from office or punished.
We'll end up banning windows at this rate, they're an egregious vulnerability in cars and buildings alike. American cities, soft on crime, can't stop thieves from breaking windows so maybe they'll go after car manufacturers and construction firms instead. Going after companies instead of criminals is more aligned with their left-wing sensibilities, I think that's what this is really about.
Seems reasonable. Doors, windows, walls, roofs and sub-basements should be such that you cannot simply pass through them. After all it is now quite trivial to break through. And surely this is failure that builders should be responsible for.
Exactly! Those greedy builder corporations should only offer windows that have bars built into them so that homes can't get broken into. They save money by not incorporating the bars in the windows by default.
No. Windows balance a variety of competing needs - security, ventilation, egress during emergencies, mental health, lighting, etc. It would be, perhaps, egregiously negligent for a maximum security prison architect to install large plate glass windows in their cells, but having windows isn't automatically egregious. A car without windows (or with unbreakable ones) is a deathtrap in an accident; omitting them would be egregiously dangerous.
The same isn't true for, say, Kia/Hyundai's decision not to include immobilizers:
> CNN reported that only 26 per cent of Hyundai and Kia models from 2015 to 2019 were equipped with electronic immobilizers in the U.S., compared with 96 per cent of all other vehicles in those years, making the Hyundai and Kia models roughly twice as likely to be stolen.
Those stats make it pretty clear that immobilization was already the industry standard. Skipping them was like knowingly writing open SQL injection holes in a web application.
Egregious is subjective. You think it's egregious for cars to have locks which can be circumvented by thieves. Maybe I think it's egregious that construction firms don't install iron bars on all ground floor windows.
> CNN reported that only 26 per cent of Hyundai and Kia models from 2015 to 2019 were equipped with electronic immobilizers in the U.S., compared with 96 per cent of all other vehicles in those years, making the Hyundai and Kia models roughly twice as likely to be stolen.
If 96% of buildings in a neighborhood have iron bars over the ground floor windows, and you build a development in which only 26% of them do, yes... that's probably negligent, unless there are other factors to explain the discrepancy.
If theives start disproportionately breaking into your development's properties, your tenants can probably be a bit miffed about your lack of security measures.
dude, he was being facetious on purpose and used the term as a synonym to "shocking" to make the point that having windows are not really an egregious vulnerability. that's silly. the problem is criminals, not windows.
how are major car manufacturers so far behind in security?
and why can't they go back to the old solutions that didn't have these problems? its just such a stupid thing to watch
IF these fancy keys that let you start your car without inserting anything cause your car to become extremely vulnerable THEN maybe its a bad idea, jesus christ
Because whenever it's even vaguely cold outside, my neighbor likes to be able to start and idle her giant truck in her driveway without leaving her house (for 40 minutes before she drives a mile to work).
Remote start is not to blame here. A manufacturer installed remote start system will shut the car off if a door opens. And the car should also shut off automatically after 5 to 10 minutes.
Unfortunately, after market remote starter does not offer this capability, so with the new trend of monthly charges, if you like certain brands like Toyota, and you want that type of secure remote start, you have to pay $20 per month or more for the life of the car.
Interesting. I have had a Subaru, Lexus, and Volvo over the past 15 years or so that all shut off if a door is opened after remote starting. I assumed it’s a no brainer anti theft mechanism (but one that can only be implemented by manufacturers).
This. Owning cars should be something that corporations and the rich and hobbyists do. If you dont want your car broken into maybe dont leave it lying around unattended in public?
I wouldn't go that far, but we should certainly stop subsidizing them so heavily that we forget there are any other options, or that humans were capable of happy, prosperous lives for millennia before they existed.
Yeah maybe I shouldnt put both those statements together when really I think they are seperate opinions. I dont think society should be so car heavy. I also dont think its realistic for people to leave something lying around in public and expect it not to get broken into or stolen. Would you leave a backpack lying around on the public street in a big city and expect it to not get stolen/broken into?
Security via obscurity is your friend when it comes to vehicle security. There are dozens and dozens of no-start conditions for a vehicle. Just pick two and deal with the minor inconvenience.
Banning flipper zero because of car theft is like banning a hammer or screwdriver because is was used to break an all glass window.. going by the same logic, they should ban the USB-A port cables too since it’s what was used to steal most Hyundai/KIA cars, typical Canadian government policies, pretend you fix an issue instead of going to the root causes.
> You might have a point if hammers or screwdrivers had no other purpose other than stealing cars
And so is flipper zero.. have another analogy, flipper zero is like Swiss army pocket knife, you can use it open your package box and also kill someone, zipper can be used as a toy -literally- or an IR remote, and can also steal a car, except I don’t think it can steal a car in the first place, it’s too weak, you need an advance SDR/ special antenna, zipper can’t even defeat garage remotes with a rotating keys unless you have an access to the garage unit.
Swiss Army Knife does not provide any functionality that can't be provided by any other basic household object - neither can a hammer. The function of a hammer does not extend past 'hit thing' or 'pull nail', Obviously this kind of function can't be controlled in its application as people can swing their arms however they feel which makes any sort of restriction on hammers redundant given their utility.
Flipper Zero on the other hand is a toy with no/little actual utility that enables users to perform illegal/dangerous tasks like steal cars, that would not otherwise be possible except via less accessible/illegal means.
Ok, you are making several assumptions here, so let me address them one by one:
> Swiss Army Knife does not provide any functionality that can't be provided by any other basic household object
That is true, but you don’t go around carrying all these individual tools in your pocket, do you? That’s the whole point of it, portability. The same goes for the flipper zero, you have a bunch of useful tools that you can buy off the shelf yourself, but they are not convenient to carry with you all the time.
> Flipper Zero on the other hand is a toy with no/little actual utility
Who says that? Anything can be a useful utility in the right time and in the right hands for a specific purpose. Maybe one tool is useless to you, while useful to another.
Some people might use it to store hundreds of keyfobs, so instead of carrying all the hardware for each, they can use one device instead. Others might use it to control their home devices, either the IR remotes, or other smart devices, and instead of having 15 remotes (I personally do), they can use one device. Some other person might use it to monitor their TPMS in the tires, others to monitor a serial GPIO port, and so on. All these are not only legal, but you can perform all the individual tasks with a “collection” of tools, like reading the serial GPIO, you can buy a dongle for $10, IR remote? You can use some android devices, etc. However, with flipper zero, it’s all-in-one.
> that enables users to perform illegal/dangerous tasks
Just like any other tool out there, any tool can be repurposed to do illegal tasks, either the tools I mentioned or any other ones, including your smartphone, you can load a custom OS (say Kali linux) and perform illegal tasks, do you ban smartphones? Do you ban Kali linux? No, but if someone is found guilty of performing these tasks, you prosecute them. The same goes for anything, your car, can be used for everyday tasks, or even illegal stuff.
> like steal cars that would not otherwise be possible except via less accessible/illegal means.
Flipper zero can’t steal a car, it’s too damn weak for that job. If you are too concerned about that, will you ban ALL SDR in the market too? Because if someone has a bad intention, and you banned flipper zero, they will go and buy BladeRF SDR for example (that’s very accessible and legal to buy), far more superior than flipper and proceed to commit whatever they want. How’s that flipper zero ban working to prevent the crime? Not at all.
"Who says that? Anything can be a useful utility in the right time and in the right hands for a specific purpose. Maybe one tool is useless to you, while useful to another.
Some people might use it to store hundreds of keyfobs, so instead of carrying all the hardware for each, they can use one device instead. Others might use it to control their home devices, either the IR remotes, or other smart devices, and instead of having 15 remotes (I personally do), they can use one device. Some other person might use it to monitor their TPMS in the tires, others to monitor a serial GPIO port, and so on. All these are not only legal, but you can perform all the individual tasks with a “collection” of tools, like reading the serial GPIO, you can buy a dongle for $10, IR remote? You can use some android devices, etc. However, with flipper zero, it’s all-in-one."
Sure, you can make that point, but No Reasonable Person would accept it, which is where I draw the line.
The function of a hammer does not extend past 'hit thing' or 'pull nail', Obviously this kind of function can't be controlled in its application as people can swing their arms however they feel which makes any sort of restriction on hammers redundant given their utility.
Flipper Zero on the other hand is a toy with no/little actual utility that enables users to perform illegal/dangerous tasks like steal cars, that would not otherwise be possible except via less accessible/illegal means.
There are cars where the security is trivial to bypass. Create a list of those make/models.
1) Raise insurance premium on those models.
2) Force dealers that every time they sell such a car, they must get a signature from the buyer on a piece of paper that says "I recognize that the security of this car is borderline non existent and I will be paying a lot more in insurance because my car is trivial to steal".
Grandfather in people who already have such make models or give some time to manufacturers to improve security.
I don't think that'd even be an issue. A manufacturer wouldn't be allowed to offer insurance directly to customers in Canada. At least in BC there are mandatory insurance through ICBC.
So if the intent of the government is to increase security, make those cars less appealing by making them more expensive.
My car has keyless entry but does not have the push button to start. You still need to put in the physical key and turn the ignition. My car has been broken into but without damage. They rummaged through stuff and took some random things but we keep nothing of value in the car. I'm not sure how they broke in but I've seen videos[1] online on how a tow service can get your car door open using an air-wedge. Maybe they did that, maybe they used something that repeated the key fob signal, not sure. But I'm glad that my car still needs a physical key. I'm not looking forward to the day when I need to get a new car and all that is available is keyless start. I'd happily go back to needing a key for everything, even the doors.
There is very little distinction between your physical key and a pushbutton. When you turn the key, it's just pushing a button internally that does the same as a button you'd hit with your finger. Few cars these days have any kind of direct connection between the ignition key and the starter.
Maybe I'm misunderstanding how the push button works because I've never owned a car that had one, but I thought the whole thing was that the key fob just needs to be near the car in order for the button to actually do anything. And these car thieves are repeating signals from key fobs that are inside the owners' homes. At least with a physical key, it needs to be present and inserted into the ignition to start the car, you can't use any technology to help there. Of course there are other ways to steal a car, but it at least deters these modern techniques.
I agree that Flipper shouldn't be banned in Canada, but I think the headline won't help them make their case. For many reasons, it's easier for people to support banning a device they don't personally care about than it is to call for millions of cars on the road to be made illegal, or for instituting new regulations on an industry with entrenched lobbyists. If the option you are presenting is to ban the Flipper (easy, painless) or turn the auto industry on its head (hard, painful) guess what they're going to do? The option you want to present is between going through a lot of work to ban a device that is ultimately harmless, and not doing any extra work and letting it go.
All cars are insecure but what the government should be doing is forcing auto makers to allow customers to install their own security add-ons.
Car manufacturers are now locking down the OBDC ports because people were using them to add functionality to the car that they want you to pay for, like 3rd party adaptive cruise control. But this also prevents you from adding your own security.
They also fail to encrypt security systems but block you from replacing them with encrypted versions.
They claim they do it “for safety”, and while there is some merit to that, they are drawing the line way to far in the “we make money at the expense of your security and customizability” direction.
There's a conflict of interest on the part of car manufacturers, if insurance just pays out and they get to do another sale, they're happy that your car got stolen.
Also, I agree with the main point of the article, but it shouldn't be so easy for any 16yo Tom, Dick or Harry to buy a gadget and start stealing cars. If it's so easy to make with off the shelf parts, then let the 'security experts' create their own.
Consumers need to be educated about keeping their keys away from doors/in a faraday cage.
If insurance pays out often enough that this might actually work as a sales tactic, they don't get another sale, everyone goes to another manufacturer because insurance is so expensive.
Also most car dealers make more profit from ongoing maintenance and servicing than selling you a new car.
I have a younger brother that recently bought a Kia as his first car.
It's been broken into 3 times in less than a of ownership year.
Kia sent him a cheep "Club style" steering wheel lock...
--
From my perspective, getting stuck with this lemon will significantly compromise his quality of life and finances for years to come.
Where are our consumer protections? Kia should be on the hook for fixing the problem or buying back the vehicle at cost.
It's been broken into three times or it's been stolen three times? Because any car is easily broken into. Just smash a window.
South Korea's car theft rate is 5.3 per 100,000 per year. In the US it's 282. Canada is 217. Fewer cars had immobilizers a decade ago but theft rates were lower then. The main reason why car theft is higher is because of car thieves.
Unfortunately, the only consumer protection for this is in the form of brand reputation. Even before this incident, I would've never bought a Kia (or a Hyundai).
Indeed, the flipper-zero ban is obviously ridiculous, especially in light of the complete lack of even a hope of a ban on certain other tools that are often used for much more serious crimes; personal crimes rather than property crimes.
Personally I think FOBs for cars are simply not worth it. The key with the remote for starting, locking and unlocking is ideal. Ford's with the on door key pad is pretty good too imo. Probably hackable tho. Down with fobs!
I agree that 7 years ago it was widely considered a mistake, but I think we are currently reaching by a new consensus based on the opinions I have been seeing more commonly in the last 3 years.
We are in a conservative moment in the US right now.
Do you know what the recurrence rate is for U.S. prisons? It's around 44%. 44% of people released from prison, within a year, go on to commit another crime severe enough to end them up back in prison
That doesn't seem overly surprising. Just as the people who acted in 2010 in a fashion that did not land them in prison probably acted in a way in 2015 that also did not land them in prison, it's not shocking that people who acted in 2010 in a way that landed the in prison might also act in 2015 in a way that lands them in prison.
I don't think that being in prison from 2011 to 2014 caused them to act that way in 2015.
We're not going to randomly assign (mostly) law-abiding citizens to prison to measure whether prison adds propensity to [what would be re-]offend, but there probably is something that is different about the never-imprisoned vs previously-imprisoned population that informs future likelihood to be imprisoned.
> I don't think that being in prison from 2011 to 2014 caused them to act that way in 2015.
You would be surprised. There's no concrete evidence pointing to this, but some suspects, when asked, will say that they did it because they have nothing left to lose.
If they're not rational, they can go to jail? Isn't that the idea of jails: take people out of the system if they refuse to act by the rules of the system at other people's detriment.
Why even ban them? In this context "insecure" seems to mean "vulnerable to theft". If somebody wants to buy something that's easy to steal, that's their issue.
If people inadvertently buy easy to steal vehicles that's an issue, and maybe there should be labeling, or or a testing initiative, or maybe it's just a temporary blip that will work itself out as independent parties pick up testing.
If it's known which vehicles are prone to theft the market should work everything else out. Insurance can price it in, and buyers can factor it in to their purchasing decisions.
Why don't cars have security ratings just like they have safety ratings? Surely publicizing failing scores across the board would encourage them thi improve so they can advertise as being better than the rest.
Banning either is silly. Locks on things in the physical world can only be a deterrent because physical objects are subject to much easier brute force attacks than a problem in the digital world is. If you forced automakers to make their digital keys more secure, it wouldn't improve security, because you could still winch the whole car on to a rental trailer in 30 seconds.
The Kia Boys notwithstanding, basically all cars that are stolen these days are either stolen with the keys, or towed.
I admired the Flipper Zero, but it's not something I have skills to exploit. Canada banning them ensured my order. It was in the mail on the day that I saw an article about the USA considering a ban. It's on my desk. I have no use for it. But I damn sure made sure I'd get one before I couldn't.
What a lousy reason to buy something. It makes me feel shitty about the world.
Can you actually use a FlipperZero to steal a car though? There's aftermarket firmwares which unlocks additional capabilities, but as far as I'm aware, there hasn't been a break in car fob encryption that would actually let you use a FlipperZero to steal a car without having the key in the first place, at which point you could just use the key.
Here is my favorite YouTube lawyer Ian Runkle a Canadian firearms and criminal defence lawyer discussing the flipper zero. This guy is very enjoyable to watch in all his videos highly recommended. https://m.youtube.com/watch?v=djqKqr-qh8c
I've always disliked keyfobs. They felt like an insecure replacement for keys, especially after so much effort went into tumblers and other security measures designed to prevent hot-wiring. It's extremely difficult if not impossible to hot-wire a modern car. And yet we throw all of that innovation away for what, convenience?
Ultra Wideband (UWB) is the solution for keyless entry and regulators should make it a requirement that new cars use it if they want to support keyless entry.
Tesla just rolled out an OTA update to support UWB. It uses Time-of-Flight (ToF) Measurement to calculate distance which is much more secure than simply using signal strength.
We don't necessarily need yet another pile of laws and regulations here. If consumers want secure vehicles they should prioritize buying vehicles that don't offer internet icon necked features.
Its crazy that most consumers prioritize convenience and novelty above all else then turn around and demand even more government authority to protect them from features that aren't needed in the first place.
I 100% agree with the author's argument that banning security research is a bad idea, but no matter how much research is done we can never guarantee consumers that their vehicle can't be taken over. If you can unlock and start your car from your phone there is always a possibility of attack. Period.
In Richard Feynman's book, "Surely You're Joking Mr. Feynman!" he tells the story of his exploits in safe cracking. And the eventual "solution" that the bosses come up with... not to make their safes safer, but to ban Feynman.
Yeah, let 99% of honest people suffer to prevent the potential risk from the actions of 1%. Why bother with educating and raising people, why rethink the work of the police and the state. Let's just ban.
If anything they should promote the commercialization of these type of devices so the cars and other tech products get safer. They are just trying to hide the real issue.
And same counter-argument: those who are more likely to abuse tools are less likely to care about the legal status of said tool (they will illegally import or DIY the tools).
Honestly, think a major problem with this is that Canada has not managed to resolve their organized crime issues.
I don’t know why the US federal apparatus has been so much more effective at disrupting organized crime, but Canadian groups fencing a lot of these stolen cars.
The port in question is in Montreal which is in the province of Quebec. The province of Quebec is a political minefield with special status that most politicians don't want to deal with.
There is a real danger of "victim blaming" here. A similar thing occurred recently for the South Korean car makers Kia and Hyundai, which experienced soaring car thefts in the US due to relatively low car security standards and the high US crime rate. Some US American journalists, politicians [0] and judges [1] blamed the car makers for the steeply rising car thefts.
However, these manufacturers come from a country where there are much fewer car thefts than in the US and where these cars didn't cause a comparable theft problem. The people blaming Kia and Hyundai would have been well-advised to identify at least as a major part of the problem the US-specific crime rate, not just the South Korean car manufacturers which weren't sufficiently adapted to to this crime.
It's kind of similar to a young naive woman from South Korea doing her vacation in the US, and walking home at night, alone through a dark park in a shady neighborhood. A thing she could expect to safely do in South Korea. But in the US, the worst thing happens. Who is to blame? The women may bear some part of the responsibility by wrongly assuming the US is as safe as South Korea. But I think it's clear the main fault lies with the US criminals, not the victim.
People easily get used to things like that and don't notice it. Until they travel to a country where very different things are normal, and get a culture shock.
All I am reading is, big corporation should be held responsible but not maladjusted individuals whomst purchased a $50 hacking tool online. Seems like BOTH is the solution here.
I feel like, if cars will significantly improve security, ultimately we the customers will pay the price for it in terms of more expensive cars. But then again I agree that this should be addressed.
It's like someone points out a problem, and then you stick your head in the sand and wait for things go away - or just let others deal with your issues. It's simply not the right approach.
It is funny since there are devices other than Flipper Zero which are designed specifically for stealing cars with key-less systems AKA "SOS opening" and they come in GameBoy-like enclose. Keywords - "SOS Autokeys Bulgaria".
correct, someone says something right for once. also vehicle theft will happen no matter what since they have physical access to your vehicle. scammy, scummy, corporate pitches like "you just press this button and it opens for you" with zero research on how to implement that securely (even thought it was known in the 70s), which just make the hacker be able to press a button and open it, are not anyone's problem aside from the clout chasing consumer "who doesn't have time" to research any "sophisticated tech" he buys, and the corporation. consumers should know by now that "smart tech" = a teenager can hack it.
Let's suppose that hypothetically the Flipper Zero could be banned...
OK, so then what about the (Texas Instruments) TI CC1101 rf (Radio Frequency) Transceiver chip/IC that powers it?
Is whoever is going to ban the Flipper Zero also going to ban the TI CC1101 rf transceiver chip?
Because if they don't -- then many other clones of the Flipper Zero can and probably will exist in the future...
OK, but let's take things a step further...
Let's suppose that whoever is trying to ban the Flipper Zero -- is able to ban the Flipper Zero AND the TI CC1101 rf transceiver chip that powers it!
OK. So what about all of the other rf transceiver chips that exist?
Is whoever is going to ban the Flipper Zero -- going to also ban ALL other transciever rf chips?
But let's take things a step further...
Let's suppose that whoever wants to ban the Flipper Zero -- also is able to successfully ban ALL transciever rf chips! (Highly unlikely, since many are used in highly popular consumer products including but not limited to Routers, Smart TVs and Cell Phones!)
But let's suppose they could pull that one off...
OK, so now the next question is (to the party or parties that wish to ban the Flipper Zero!), if you can successfully ban all of the rf transciever chips, then can you ban all non-IC based radio circuits?
You know, like analog electronic radio circuits, capacitors, coils, antennas, stuff like that?
Can you ban all of it at the same time?
?
But let's even go a step further... let's suppose whoever wants to ban the Flipper Zero -- bans it, and also successfully bans all rf transciever IC's, and all analog radio circuits, and all previously analog electronic parts for making a radio circuit...
OK, so final question (to whomever would wish to ban the Flipper Zero!):
Can you ban all of the electrons, which flow through wires, which could be used in creating radio circuits?
To accomplish this, you'd need to ban all batteries, all power lines, and all generators! (Highly unlikely, because power in is various forms creates transactions which in turn create taxes which in turn fuel local, regional, state and country governments!)
So -- good luck with all of that!
I myself would never use a Flipper Zero for unlawful purposes (if I possesed one), and I would never drive a car which could be rf hacked by a Flipper Zero or other rf device on the other side of things.
In other words, both sides of the argument are stupid.
A person could probably kill someone else with a pillow, a roll of paper towels, or some other incredibly soft object, "never before did we think that it could be used as a murder weapon" item (George Carlin: "You could probably kill a guy with the Sunday New York times by beating him to death with it if you were so inclined")-- but we don't pass laws banning those items because of an isolated case of misuse!
Heck, now that I think about it, someone could probably kill someone else with a single roll of the softest toilet paper -- if they really put their mind to it!
But we don't pass laws banning ultra-soft Charmin(tm), now do we? ("A gang of 12 or 13 year old youths used it to murder their parents -- so it must be banned!" :-) )
?
Point is, there are some really stupid arguments being advanced here...
sure, also blame attackers. never blame the attacker's tools.
this is a place where "victim-blaming" is exactly the right thing to do. we can be supportive, even empathetic, of victims, who may have attempted to be secure, but failed due to bad tools, third parties, etc.
I don't know if there is a term for it, or if a philosopher/etc. has written about this phenomenon, but: a noticeable trend to me is what I'll call "the replacement of ethical expectations with specific, written down laws."
Rather than expecting a human being to behave in certain ways intrinsically (i.e., normative ethics) we tend to assume they will behave in the worst way possible, and then pass laws to supposedly prevent that behavior from manifesting.
This scenario is a great example of this phenomenon. Instead of discussing how car theft is fundamentally an unethical behavior, the discussion is about preventing some thing from being sold or existing, whether that be insecure vehicles or Flipper Zeroes. It's designing the playground so that kids can't get hurt, not teaching them how to play responsibly.
My theory is that this is a consequence of relativism and the general cultural exhaustion Western society seems to have with enforcing any sort of religious or ethical norms.
I really don't like the way this is going, because the end result is a world where limitations are hardwired into the environment, while at the same time you have zero ethical expectations of your fellow humans. It's very Hunger Games / Battle Royale, at a less hostile level.
Edit: just to clarify a point here. I'm not saying that there was no theft in the past, or that having ethical expectations instead of laws will somehow reduce all theft. I'm commenting more on the fact that the "new method" results in a different kind of world than the previous one (see the paragraph before this one.) It's a subtle point, but hopefully one I communicated well enough.
You just described the “rule of law” and this is the basis for how modern governments are formed and function
A constitution is written and codifies the process for making ratifying and enforcing laws. That then is the common standard for some subset of behaviors as defined by the constitution which defines who it does and does not apply to. Different constitutions outline different processes but the structure of the “Rule of Law” is the same.
This is in contrast to other structures like pure monarchies (unlike constitutional monarchies) which have a “divine” process for defining the structure of the governed land.
What you seem to want is for civil law to be subordinated in favor of common law, but that simply kicks the can and doesn’t actuall solve the problem.
What’s actually happening right now is that society at large is questioning the foundational assumptions of society. To Wit this is a perfect example of effectively questioning the foundational function of governance in the post World War II world while also not being aware of it apparently.
That's an interesting thought, but I would say instead that I'm in favor of culture being the "first line of defense" and not the law. In other words, I can leave my door unlocked because I am a part of a culture where that sort of thing doesn't happen. Not because there is a law written down somewhere. This has functionally been my experience in a number of spaces, including private workspaces (i.e., you don't expect your co-workers to steal your stuff), Japan, Poland, and a few other countries, and many others.
If that's a definition of "common law" then sure, but it seems like a different thing to me.
The reason the rule of law exists at the scale it does is precisely because what you describe, has not shown to create functional long term societies that are resilient to exogenous threats.
The rule of law is literally humanity’s best attempt so far to explicitly codify human desires into a common set of descriptions.
This is why the UN exists and the LON before it etc…
> has not shown to create functional long term societies that are resilient to exogenous threats.
I don't think I agree with this. If anything, it seems more like the reverse: societies have been less-and-less willing to enforce assimilation and a certain set of society-wide cultural behaviors, and therefore they "fall back" to the rule of law as described by you.
As a melting pot, the US takes in a lot of folks from countries that are not doing very well... so in a way, if we keep importing folks from cultures that failed without trying to integrate them to our culture, and instead celebrate their original culture, eventually our amalgam culture will fail just like theirs did.
Its why we have signs that say to "sit, not stand on toilets". You dont think we would need to write it down, but if you import hundreds of thousands of toilet standers, "the norm" goes out the window.
The melting pot is a way of integrating people into our country. It has been criticized as being too homogenizing; and now I think (for the better) most people see it as a nice lumpy stew. We shouldn’t ask people to give up all their traditions or change completely to become American, it is a give and take communication process that we both benefit from.
WRT toilets, I think it has been shown that squatting actually reduces the strain when using the toilet; I think those signs reflect the fact that we are integrating new toilet information. They are part of the natural back-and-forth pushing process. Hopefully we’ll converge on a toilet that is lower to the ground but doesn’t have accessibility issues.
> WRT toilets, I think it has been shown that squatting actually reduces the strain when using the toilet; I think those signs reflect the fact that we are integrating new toilet information. They are part of the natural back-and-forth pushing process. Hopefully we’ll converge on a toilet that is lower to the ground but doesn’t have accessibility issues.
Squatting toilets are fine, maybe they are even better. But the signs are about people squatting with their feet on the toilet bowl on a sitting toilet. That is dangerous (the bowl can easily break from the pressure of your feet) and dirty (you are very likely to leave the area around dirty, and there are typically no ways to clean the outside of the bowl in typical western bathrooms).
What I wanted to highlight is that this confusion, people coming to the toilet with different assumptions and misusing it as a result, is part of the process of improving by integrating additional information. Sure, they are being misused, but the way they are being misused gives us a chance to reflect on how they could be better.
If we want to be obnoxiously neutral, haha, we could just say there’s a mismatch between the design and the user expectations. Maybe we could look at retrofitting some of these toilets with a retractable foot platform, or something along those lines, instead of a sign.
This comment is utterly inappropriate for HN - there's nothing xenophobic about the GP comment, you're just using that phrase incorrectly to emotionally manipulate other readers.
Erm, how exactly do you think we’re going to educate people on the “normal” way of using a toilet, if it’s not educational signs above toilets?
Do you imagine some kind of toilet license? Where people have to take toilet train and demonstrate their competence in front of an examiner?
Or perhaps at every border, non-citizens are given mandatory toilet training.
Or perhaps you’re gonna follow everyone into to the toilet and tell them how to use it correctly.
Your issue is with people not learning your native culture, but your evidence for people not learning is educational material that teaches people your culture. So it does rather seem your problem is that your specific culture isn’t the world wide norm.
Bad example. I believe squat toilets are actually better for you (less strain to use) so really there is a case to be made we (those who do not use them) should follow those who do.
you know that the melting pot analogy is meant to say that we integrate immigrant cultures into "our" culture by both changing the immigrant culture and the dominant culture. The contents of the pot as a whole are less changed than the individual components are.
I think you may be thinking of the Candaian conception of a cultural mosaic.
I don't think your evidence supports your argument at all. Pick any consistently governed region, even one with regime changes. Compared to the UN, which is unable to affect some of the worst genocides in recorded history. As well as the League of Nations, an institution notable for accomplishing nothing. Nothing is immune to external threats but institutions that avoid them by doing nothing on critical issues are not the most inspiring examples.
The rule of law is our best attempt at codifying Individual freedoms, outside and above the power of the state. Definitely a noble goal, but leads to the observations made by the parent comment.
Um, you do realize that the League of Nations was a failure? And that the UN, although at least it still exists (unlike the LON, which only lasted a decade or so), has not accomplished anything meaningful in terms of enforcing actual norms of behavior?
Heartily disagree. Having an avenue where nations can be shamed for their crimes against humanity as well as a central org that both announces common human rights and monitors for them is immensely useful on any normative ethics yardstick, whether utilitarian, essentialist, effective altruism, and so forth.
> Having an avenue where nations can be shamed for their crimes against humanity
Many nations have continued to commit crimes against humanity since the UN was founded, without any shaming at all. Some of them have had their leaders praised and given awards and invited to be keynote speakers at conferences at the same time that their crimes against humanity were in full swing (for example, Robert Mugabe). And two of the most egregious such nations, Russia and China, have permanent seats on the UN Security Council.
It is true that the UN has shamed some nations for crimes against humanity (the Milosevic regime in Serbia, for example). But that just makes the lack of shaming in so many other cases worse, especially when the cases that are ignored are at least as egregious as the cases that are shamed.
Dude. I was just listening to my taxi driver tell me about how the UN helped him escape from war at 14 and got him to this country (Norway) where he’s been able to have a decent life. I’m not sure you know what you’re talking about.
Hasn't humanity been having at least one war since ... forever? I think the norm is war and what isn't normal are bullets and bombs that do far more collateral damage than "normal."
Um, the state of the world today? Read the preamble of the UN charter and ask yourself how well the UN has actually done at moving the world in the direction of those things.
The fair point of comparison would be to contrast it with what the world would be like without it.
And neither I, nor you can make such a contrast fairly. It immediately goes hard into speculative-fiction territory, and such an exercise would educate us about our own biases, more than we'd learn about the UN.
I think what may be missing from the discussion at this point are
distinctions between law and equity and different kinds of judgement
in statutory versus common law.
The ideal in jurisprudence is that we _always_ have equity - the
ability to interpret the law and apply it in each specific cases.
The "opposite" is statutory law. Like you get a speeding ticket
regardless of any mitigating situation.
So you were rushing to the hospital in time for your pregnant wife to
give birth before your dying father breathes his last.... Cry me a
river. $200 fine! Next case.
Mechanical justice is cheap and rough. Statutory law fits perfectly
with our capitalist society, efficient, inflexible, uniform, quick and
cheap. Judges and juries are expensive.
Others mentioned the Chinese concept of Li (loi?) and the "spirit of
the law", which are casualties in a technocratic society.
> Statutory law fits perfectly with our capitalist society, efficient, inflexible, uniform, quick and cheap. Judges and juries are expensive.
This seems a bit of a false equivalence. Capitalist societies are the ones that are based on liberalism and think individuals are important - important enough to make companies and agreements between each other. They quite often are the ones that also think individuals are deserving of justice in and of themselves, not based on what group someone has put them in.
Are you not confusing democratic societies with capitalist ones?
I mean, there's some overlap, but if we're talking about clumsy
equivalences... :)
And to be honest I see ever less intersection between actual current
"late stage" capitalism and the "rule of Law". Those I know in the
legal profession complain we are in state of "lawfare", a state in
which most of the common principles of justice have broken down in
favour of "justice for the rich" (I realise many Americans take that
to be perfectly normal)
How about I use the expression "greed driven societies" instead?
> Are you not confusing democratic societies with capitalist ones?
Well, they both are rooted in the idea that individuals are important, which is a relatively new idea, all things considered.
> How about I use the expression "greed driven societies" instead?
You can do, except I think it's not helpful, as you're joining the ranks of the people who misuse the word "society" to mean "how I happen to think about the stuff I don't like in the world".
> I think it's not helpful, as you're joining the ranks of the people
who misuse the word "society" to mean "how I happen to think about
the stuff I don't like in the world".
Helpful to who?
I see it differently. I think it helps us all to aspire to clear
values. Karl Popper thought "there is no society". Lady Thatcher
thought we merely misused the word society, not as you say - to
universalise social facts - but to forget our "duty" (Thatcher's
words) to ourselves and our neighbours (my emph). Thatcher sincerely
saw business as a social good, as do I. Using the word society in that
way is avoidant. You seem to think that's what I am doing?
Social facts exist, at least in Durkheim's view as behaviours and
attitudes. They definitely include greed and selfishness as
psychologically measurable traits. You may not think much of sociology
and psychology, but to a lot of people they are solid sciences.
Moral judgements are also social facts. And for us Christians (as a
moral framework), greed is more than a neutral, observable fact. It is
an ugly weakness.
The hoarding of power and wealth by a tiny minority to assuage their
insecurity , while returning nowt but "disruption" to the world is
objectionable. Being parasitic upon the rest of the population
is a harm.
So I've no problem declaring, greed, vanity, megalomania as "stuff I
don't like in the world". Others may or may not agree with me. As an
individual, you may disagree. But as an individualist you must
concede my equal right to call out greed and selfishness as harmful to
the rest of us - even without a "Logical basis". Further, you must do
so without criticism.... unless you deny the existence of social
facts, or yourself find greed attractive and virtuous?
> I see it differently. I think it helps us all to aspire to clear values.
But which "us"? That's my point. You aren't talking to all of society (assuming "us" was all of society), so you using it like that doesn't even theoretically do this.
> Social facts exist, at least in Durkheim's view as behaviours and attitudes.
This isn't the same as "society". My point is that the definition of "society" changes dramatically based on where you live and what you consume. It's like a giant straw man.
> So I've no problem declaring, greed, vanity, megalomania as "stuff I don't like in the world". Others may or may not agree with me. As an individual, you may disagree. But as an individualist you must concede my equal right to call out greed and selfishness as harmful to the rest of us - even without a "Logical basis". Further, you must do so without criticism.... unless you deny the existence of social facts, or yourself find greed attractive and virtuous?
It's hard to make sense through the purple prose, but maybe I can pick something out. You're not calling out greed; you're calling an entire society greedy. That's the problem. All the rest of what you said here doesn't seem relevant.
I agree you said that. I disagree that it's true. If I go to my kid's football kickabout, run mostly by volunteer parents, or I attend a local street party, or go for a pub quiz night, or any of many societal endeavours, I don't see greed.
As of 2019, the US had 50 million immigrants[0] living there, either 1st or 2nd generation. Far more than any other country. Are those immigrants really all just idiots for moving there?
If you think the US is a wasteland, it sounds like you're American.
But you DO have a second line of defense even in your culture because that sort of thing DOES happen even in your culture only perhaps less often.
With respect to the Flipper Zero, I don't understand how culture solves this particular problem. I'm not sure I'd want to be in a culture that solved this particular problem a priori. I think I'd prefer to be in an imperfect Rule Of Law society that adapted albeit imperfectly to new problems as they appeared.
And now we come to the unfortunate fact that there is no equivalent in English for the distinction between Recht and Gesetz, or droit and loi, both being subsumed under the term law. The former is an immanent thing, a "shared search after justice". The latter is temporal, it is written down and itemised in Strafgesetzbuche and Codes Civiles, and is very appealing to HNers because we can read "common standard for some subset of behavior" and think "I can put this into a computer". But that Law is not The Law. And The Law is not even Society. It's something we yearn for or desire, and our confidence in society varies with our confidence that our neighbours are also yearning for it with us. The rule of law is a feeling, man.
English common law is largely not codified but the result of practices and precedent, and is still part of the legal system in most English-speaking countries, as opposed to continental-style civil codes that you mention which are more explicit. I do think that distinction exists in the English-speaking world.
I think "spirit of the law" can be interpreted as how the (written) law was trying to get at The Law. But even that spirit is not The Law. Here's an example - modern Germany defines itself as a Rechtsstaat. On the face of it this is a "State of the rule of law". But this fails to capture what distinguishes it from a hypothetical Gesetzstaat, so Wikipedia also tries on "state of justice and integrity" and "constitutional state" to get the distinction across. And the absence of Recht - a Nichtrechtsstaat - is one "based on the arbitrary use of power".
The historical context is that of trying to define what in a state should set it apart from both the 3rd Reich and the DDR.
I suspect many Germans have varying personal interpretations (not being German). However, StackOverflow has a question/answer [1] where the most general answer is "right or freedom as in Recht auf freie Meinungsäußerung being 'freedom of speech'".
Otherwise, tends to represent "the encompassing scope of all laws" vs "the interactions of a single law."
The "the spirit of the law" tends to be more like: "what did we believe the law was supposed to do vs what does it actually result in if you're a rules lawyer."
Games have a lot of that with little oversight, legal laws tend to get publicly challenged. We made a rule where all the miniatures have to stand in squares, except now all anybody does is abuse the facing and distance rules.
Perhaps what you are trying to express as "shared search after justice" could be thought of as a "Social Contract"; a non-codified agreement of how society (should) co-exists, in context of said Society.
I have to object that the rule of law isn't about the extent of laws and enforcement but rather about making whatever enforce exists systematic, fair and so-forth.
The concept of rule of law never implied the replacement of custom with bureaucracy - although that often happens. It implied the replacement of the venal authority of kings and nobles with codified principles. Especially, as the parent points out, customary honesty isn't based on any enforcement system.
I think what he actually described is why the rule of law is not a replacement for a good ethical framework that is shared culturally.
I didn't read his post as advocating for no laws or replacing the legal framework. I read it as advocating for rebuilding a shared ethical framework for the culture.
What the article is describing is not the rule of law.
The rule of law would be: make theft a crime, and enforce that. Not: criminalize the use of security research tools to show which vehicles are more susceptible to theft.
> What you seem to want is for civil law to be subordinated in favor of common law
I think what the GP poster wants is to have the law limited to criminalizing things that are actual crimes, like theft, not things that are inconvenient to the rich and powerful.
I don't remember the terms but there's a category of crimes that are "crimes because that's what the written law says"(i.e. driving without a license) and "crimes that morally abhorrent and actual harm to someone"(i.e. murder, theft)
"Actual crimes" would be category 2.
Building or owning a flipper zero would be in category 1. (As would laws that ban things like owning/carrying lockpicks without being a licensed locksmith)
The problem with rule of law is that it's like a very sloppy program that relies heavily on global variables. Whether it's the constitution or any of the million codes they all have implicit assumptions or vague language that requires a certain cultural or ethical baseline to interpret properly. Just the 2nd amendment is already a plenty popular example.
"What you seem to want is for civil law to be subordinated in favor of common law,"
I must have missed that. I do not see them making that point.
"To Wit this is a perfect example of effectively questioning the foundational function of governance in the post World War II world while also not being aware of it apparently."
I don't know that I would call this a perfect example. This is extremely narrow and doesn't dive into many aspects of the relationship. I'd say it's more focused on individuals giving up freedoms on the notion that those freedoms don't benefit them personally, but could pose some harm to them if others are allowed to exercise them, without realizing that the same thoughts can be used against them in the future. More a tyranny of the majority than role of government discussion, even if somewhat related.
I'd say OP actually talked about two different things. The abstract description in the first paragraph is the rule of law (which I agree happened a long time ago, and is a good thing for a democratic society), but the concrete gripe in the later paragraphs is a different thing.
Rather, it's something like the difference between laws applying to individuals who may violate normative behavior ("it's illegal to steal"), or whether laws (in this context aka "regulations") apply continuously to above board businesses, with the goal of a priori preventing individual violations of normative behavior ("it's illegal to make a car that can be easily stolen").
‘Rule of law’ is the concept that no one is above the law, as opposed to having a specific ruler that can do as they please. It doesn’t really have anything to do with the comment you’re replying to, which would be the same idea if it were decreed by an untouchable supreme leader.
> Instead of discussing how car theft is fundamentally an unethical behavior, the discussion is about preventing some thing from being sold or existing, whether that be insecure vehicles or Flipper Zeroes.
There are already laws against theft. They apply to vehicles, secure and insecure alike.
A law mandating a minimum level of security, as GP suggests, seems to me to fit the suggestion, that auto manufacturers have a minimum standard to ethically sell a vehicle which buyers would, presumably, expect to have locking mechanisms suitable to prevent theft.
I like the idea in theory, but I'm not sure if it's practical. There's no such thing as a secure system, there are only systems with no known security issues -- a vehicle that has no known security issues one day, is one discovery away from being completely open the next day. So, it would be hard to legislate the security of a system.
The solution might be to incentivize a quick resolution. For example, if a security issue is found with a vehicle, there could be laws that govern how quickly a fix needs to be available, how it's made available, and how far back it goes in model years. I would suggest that the severity of the issue (life threatening | theft | inconvenience) and the number of vehicles affected, should dictate how much time they have to resolve it.
I agree with you, I'm just not sure how you'd wright the law that makes them clear the low bar when that bar might need to move up before the bill even becomes a law. That's why I would prioritize some kind of "security update bill" instead of trying to legislate the low bar that needs to be crossed.
This is tautologically true. However, the car manufacturers haven't even tried.
They had the same default password for every car. Then they had wireless systems that were vulnerable to replay. Then they had wireless systems that were vulnerable to relay. etc.
The wireless systems on cars need two things: encryption and time of flight detection. The problem is that adds a couple dollars of cost per car and will lock out users some amount of time inversely proportional to the development cost (which the car manufacturers will shirk on so the system will suck). So, no manufacturer will do it short of being forced by legislation.
From an engineering point of view, the main limitation is the battery in the keyfob. If you interrogate the keyfob too often, it will drain the battery and consumers will complain.
I mean, in modern vehicles you can pretty much get there, but you might have to give up some features. For example, walk up unlock. You need to push a button somewhere to make unlock secure.
The way you get there is through FIDO. Have the engine controller ask the hardware key to confirm who it is through a handshake. Don't start/enable the engine if that handshake fails.
With that in place, the route to theft involves removing/replacing the engine controller which can be a major pain to do fast.
Cars with bad security systems generally involve pulling the steering column off and touching the right two wires together to start then engine.
That said, preventing theft of the contents of a car is impossible. Windows break easy and it's stupid easy to push the unlock button. That can't change.
We aren’t very serious about enforcing our laws, especially when kids are involved. We had police catch 12 and 13 year olds (Kia Boyz) this weekend in a car with guns, and they are out already. They will get some restorative justice, but no real correction in behavior and I’m sure they will do it again.
Our real problem is just the pendulum swinging too far towards assuming people want to be good and they just need some compassion.
> We aren’t very serious about enforcing our laws, especially when kids are involved.
In the US we lock more of our citizens behind bars than any other nation on Earth.
Conviction for even a minor offense can make it extremely difficult to get employment or housing. People rarely get a clean slate after serving their time and even an arrest record without a conviction can haunt you. Nearly all other developed countries have abolished capitol punishment. We haven't gone a single year since 1981 without an execution.
The pendulum has already swung too far towards punishment and law enforcement, to the point that abuses by police and our mass incarceration problem are a total embarrassment for a country that tries to call itself "the land of the free" with a straight face.
There's little doubt that many of the people arrested in the US would do better with some compassion than they would with harsher punishment. This is especially true for literal children. One example where compassion is the better option would be treating addiction instead of punishing drug addicts. That would save billions in tax dollars, reduce crime, and help the addict to recover their lives and remove several barriers that could prevent them from getting work and being productive members of society. If we'd done that decades ago instead of feeding US citizens to the prison industrial complex we'd be so much better off as a nation today.
There's a risk for over-correcting, but there's also a massive amount of space between "do nothing" and our usual method today which amounts to "torture then never forgive" or "torture then kill" so there's plenty of opportunity to find some improvements.
I fully agree with you regarding situations where people get put into the system. Our justice system in practice, if not philosophy is very much based on punishment rather than rehabilitation. In my personal opinion this is medieval and really needs to change.
However, what GP I suspect is seeing and what many others have seen as well, is a recognition that the system is broken, and thus a reluctance on a part of authorities to move forward with prosecutions for certain people. The goal of not institutionalizing them and setting them up for a difficult future is noble and laudable, however, I worry that this will ultimately be counterproductive. It is going to cause a swing much like what we are seeing, where people conclude that we are not tough enough on crime and thus we need to get more extreme, more punishing, and more authoritarian, which is the exact wrong way in my opinion.
I would much rather we focus on fixing a monstrously broken and outdated system, rather than trying to work around it. That also makes for much more equality and Justice, because then you don't have to hope that you are one of the lucky ones for whom The system looks the other way.
It doesn't have to be a massive revolution either. We can iterate towards it in a progressive manner, starting by removing absurdities like mandatory minimums, victimless crimes or crimes for whom the victim is some nebulous "society", and other things like that.
> The goal of not institutionalizing them and setting them up for a difficult future is noble and laudable, however, I worry that this will ultimately be counterproductive. It is going to cause a swing much like what we are seeing, where people conclude that we are not tough enough on crime and thus we need to get more extreme, more punishing, and more authoritarian, which is the exact wrong way in my opinion.
I totally agree. I also worry that people will continue to push for more extreme forms of punishment. It's gross that we accept how prisoners and ex-cons are treated as it is. I think there are still a lot of people who would already prefer if our legal system was even more cruel, but even if most of us want reform all we can really do is vote for the people willing to do it. Our strongest point of leverage here is jury nullification, but I wonder how popular that would actually be with jurors and since most cases never reach trial we're denied the opportunity to use nullification to prevent defendants from being subjected to excessive, inhumane, and unjust punishments anyway.
To reiterate what you just wrote in the second paragraph: Punishment ruins lives, so people vote against ruining each other's lives, so a group of people (who are but you did not refer to as fascists) who are disappointed with the amount of lives not being ruined will increase the level of punishment even further to maintain or exceed life-ruining equilibrium?
It may be true or false, that I don't know, but the blame for it should lie squarely on the people who seek to increase life-ruining instead of the people who seek to decrease it.
> the blame for it should lie squarely on the people who seek to increase life-ruining instead of the people who seek to decrease it.
I don't disagree, but assigning blame won't get us anywhere. In fact I think it actively works against us because:
1. It just further causes divisions. If people feel like they're being blamed, they will get defensive which usually also includes a double down and a shift to amygdala-based reasoning rather than PFC-based reasoning.
2. It shifts the conversation to a debate about "whose fault" or "who is to blame" rather than "is the system ethical, efficiacious, and what can we do about it?" That debate will then take all the energy, and even if it got resolved it's all wasted because simply assigning blame doesn't do anything toward solving the problem.
Then don't punish. Reform, correct, fix. A lot of people will still see that as punishment (like they would see army bootcamp as punishment), but then we would just start disagreeing.
I'm not sure I understand what you're saying. It can be difficult to sync on terminology and philosophy though because in theory for most people the justice system is supposed to be about rehabilitation. The idea that you should serve your time and return to society is almost universally agreed saving the most extreme cases. Yet our system doesn't achieve that because a lot of the structures are based on "punishment" and "deterrence." Simply raising awareness and following the trail of logic is usually enough to find a lot of common ground. But it being a systemic problem, there isn't really anything an individual can do (that isn't IMHO counterproductive, see earlier thread about the unintended consequences of well-meaning DAs and LEOs letting people go to avoid the pitfalls of the system). It's a tremendously challening problem.
It's also one many other countries don't have, so we have plenty of examples to benefit from. I'd say a few "easy" patches would be things like: treating people with mental health issues, treating addicts, housing homeless people, clearing most people's records when they've severed their time/making it illegal for most employers to ask about past arrests/convictions, providing better assistance to people post-release and lessening or delaying some of the additional burdens we put on them (fines, fees, inflexible meetings/appointments), etc.
The biggest challenge will be convincing the fearful and the revenge/punishment fetishists that more and harsher punishment isn't the solution and that they aren't being endangered by making the needed changes.
Well that's depressing. Thailand is not a country we should strive to emulate. They have their own mass incarceration problem (they rank 8th in the world), state executions, their own "war on drugs", lots of violent killings involving guns, high levels of corruption, forced disappearances, torture, extrajudicial killings, and a horrible track record for human rights. Thailand is a mess and it's tragic that so much of the US can't do any better when it comes to locking citizens behind bars.
It isn't, but many places in the US are not as bad as it seems if we count the USA as a whole. Mississippi (and Louisiana and most of the south up to and including Texas and Florida) is just really bad.
this is an absolutely insane position to take in 2024. all around we have junkies in the streets, squatters, shoplifters, car thieves, burglars operating with impunity. you are replying to a post about 12-13 year-olds stealing cars and carrying guns, ffs. this should involve at least several years in jail. maybe a 2nd chance at 18.
the pendulum has definitely swung too far, but the direction it's swinging is not what you think. the last decade has been an wonderful experiment in reversing some of the "tough-on-crime" laws. the results of which have basically completely disproven the idea that sentencing, bail, etc. reforms would ever have a net benefit.
mass-incarceration is not a "problem" to be solved - it's a symptom, a result. the problem is an increasingly lawless society. measuring how many people are incarcerated is meaningless without comparing it with how much crime is happening.
compassion, i agree with. but what's needed is to put effort into better sorting in the justice system. some people, for example juveniles, deserve and will be well served by compassion. others will simply take massive advantage of it. the later need to be locked up, not for rehabilitation, but to prevent crime. a great way to differentiate it is repeat offenders. there's basically no excuse for this. 2nd chances? maybe. 3rd, 4th, etc... no way.
None of these things are new. Junkies aren’t new, organized criminal groups aren’t new, car thefts aren’t new.
There has been a pandemic uptick, but the broader trend is way, way less common than in your parents lifetime.
The thing about policies that are redistributive and the media is that generally the people writing the stories will be closest to those who have been hurt, not helped. I am sure there are plenty of people (criminals, yes) who have been helped by bail reform.
> all around we have junkies in the streets, squatters, shoplifters, car thieves, burglars operating with impunity.
This is the insane take. Maybe that's your personal bubble talking, but there are millions of people who go about their daily lives without seeing a single junkie in the street. America has always had "bad" neighborhoods filled with junkies/squatters/shoplifters/car thieves/burglars but they have not and do not operate with impunity. You can easily find examples of all of those things resulting in someone being arrested/convicted/shot by police.
Record numbers of Americans can't afford rent. Household debit is at all time highs as well. There are also historic numbers of Deaths of Despair. Is it any wonder that drug use, homelessness, squatting, and crimes like shoplifting/theft are rising? It doesn't excuse the behavior, but it does explain much of it. Give Americans zero help for mental illness, don't act surprised when you get a bunch of crazy people around you. Punish addicts instead of helping them? Enjoy your junkies I guess! Allow massive numbers of people to live in desperation and you can't act shocked when they act out of desperation.
"Tough-on-crime" laws will not fix those issues because they do nothing but making the underlying causes even worse. "Tough-on-crime" laws are exactly what have been failing us, and why people have started looking for alternatives.
> you are replying to a post about 12-13 year-olds stealing cars and carrying guns, ffs. this should involve at least several years in jail. maybe a 2nd chance at 18.
A 12 year does not benefit from a prison sentence. Do you honestly think that's going to keep them from committing crimes later on in life? We should expect children to do stupid things. Their undeveloped brains are wired for risk taking, and failing to see/consider the consequences of their actions. (https://www.aacap.org/AACAP/Families_and_Youth/Facts_for_Fam...). That doesn't mean they are incapable of making good choices, but it does make it much more likely (and natural) for them to fail to make good choices from time to time. Not all acts of teenage impulsivity will lead to stealing cars, but those 12-13 year olds mentioned would be far from the first kids to do it. Perhaps you could argue that it's the parents who should be punished for not raising their child properly or for failing to keep them away from guns, but I'm skeptical that it would prevent other families from having the same problems. Children need to be allowed to grow and learn from their mistakes. There need to be consequences for when they screw up, but is sending a child off to get tortured and raped for years the best solution you can come up with?
> mass-incarceration is not a "problem" to be solved
Hard disagree. There is plenty of research into the problems it causes and enables to continue. It's hugely wasteful and expensive. Not only do tough on crime laws and mass incarceration fail to prevent crime (see https://www.psychologytoday.com/us/blog/crime-and-punishment...), it actually makes things worse! It rips families apart. It hurts communities. It hurts the economy, It hurts the people who are abused in prisons. It prevents people from being contributing members of society. No good comes from mass incarceration.
Do you honestly think America has so much more crime than the rest of the planet? It's not as if our incarceration problem only got that bad recently either. It's been insane for a very very very long time.
"how much crime is happening" isn't really the issue anyway. It's "what crimes are committed, should they be crimes in the first place, and do we need people behind bars because of them".
A massive percentage of the people who are locked up have never even been convicted of a crime (https://static.prisonpolicy.org/images/pie2023.webp) and many who have been are there for non-violent and drug related offenses, often with no victim at all!
> others will simply take massive advantage of it. the later need to be locked up, not for rehabilitation, but to prevent crime.
Everyone should be free to take advantage of compassion, but compassion doesn't mean that people can just get away with whatever they want either. I agree, that prison is no way to rehabilitate someone. That said, a night or two in jail can be a nice "time out"/wake up call. There will always be some people who need to be kept locked up to protect the rest of society. It should be a last resort though and those people shouldn't be subjected to torture or substandard conditions. They should be allowed to live a safe, healthy, good life - just one kept apart from the rest of the us and without their freedom.
> a great way to differentiate it is repeat offenders. there's basically no excuse for this.
You can't imagine why someone who gets out of jail, is suddenly saddled with massive debt, fees, and fines from the experience, but whose record means they cannot get a job or an apartment might turn to crime again? Why someone who has spent years being beaten, raped, tortured behind bars might come out of prison with problems that lead them to drugs and the problems that causes? Why people who are locked up for mental illness and released without treatment or the means to get treatment might reoffend?
Again, it doesn't justify the crimes, but it does help to explain them. If we don't give people who get out of prison a chance to get their life back together what else do we expect? Our current system makes it extremely unlikely for someone to have a normal decent life once they are out of prison. Especially if that person had very little money/support, or had mental illness or an addiction, or very little education (maybe they were only 12-13) when they went in. The vast majority of the people who enter the justice system have a mental illness/impairment, an addiction, or both. That has to be dealt with or it's just going to cause more issues. Many leave prison with mental problems due to the trauma of their experiences. That has to be dealt with.
This isn't an unsolvable problem. Other countries do so much better than we do, so we can draw from their examples. Suggesting that we should ignore all those examples and be even more draconian and oppressive is a very weird take.
- if you can drive to work, school, shopping, etc. and not see some junkie panhandling, or a squatter in an RV dumping sewage on the street or needles or trash or human shit, then great for you. you live in a entitled bubble. if you can park your car on a public street without a good chance that it's windows be broken or it's cat be thieved, then good for you. the reality speaks otherwise to most of the rest of us.
> Record numbers of Americans can't afford rent.
true
> Is it any wonder that drug use, homelessness, squatting, and crimes like shoplifting/theft are rising?
nope
> Punish addicts instead of helping them?
you can't help them unless you can force treatment. you can't force them into treatment if they are "free". i'm not saying that this is how it is now except in a few places, but the obvious solution is to enforce, strongly the laws and then allow them to choose treatment as a diversion, with the proviso that failing means back to square one. in my book doing anything more lenient is not "helping", it's actually a death sentence.
> A 12 year does not benefit from a prison sentence. Do you honestly think that's going to keep them from committing crimes later on in life?
no and no. a stint in juvee is what the damn kid needs. sadly if you're stealing cars and carrying guns at 12-13, you're a piece of shit and probably beyond help.
> Hard disagree. There is plenty of research...
bullshit. you didn't respond to what i actually wrote: "it's a symptom, a result". this whole thread is about a string of car thefts so obvious that it makes global news. you can't plausibly argue that there's not enough incarceration or that crime is at a multi-generational low.
at the end of the day here the deal: if i (wisely) forfeit the responsibility of my own protection to the state, i really expect that it simply holds it's end of the bargain. which means: if i catch someone stealing from me that the state somehow does something to make sure that doesn't happen again. i really don't care if it's cheaper or not to re-rehabilitate vs. incarcerate. i certainly don't give 2 shits about his broken family, etc. if the best thing for society as a whole is for diversion and therapy, etc., i don't oppose it. but he better the f*ck not do it again to me or someone else. if that fails, then screw it, it's not better than anarchy.
I don't think there's anything more guaranteed to turn a 12 or 13 year old into a lifelong criminal than what I think you're implying by "real correction in behaviour"; aka a multi-year prison sentence.
If someone is stealing cars at 12 or 13 years old, they're already well on their way down the path towards irredeemability. Society has to do something or they will turn into a lifelong criminal. A multi-year prison sentence is probably not going to help them, but counseling, a better home and school environment, food in the belly, and so on might. You have to do something besides "catch and release" which has been the default in the USA for some time.
USA crime is still very low compared to pretty much the entire 20th century, it seems early to proclaim certain approaches as a failure.
FWIW, catalytic converter theft was recently a big problem in the US and the classic approach of getting the FBI involved, identifying the high-level fencers and arresting, was incredibly effective and cat thefts have plummeted.
I suspect disrupting the organized crime in Canada would work similarly well at reducing car theft.
Agreed, it really is a paperwork issue. Just have transport and shipping companies require proof of ownership prior to accepting the car, and these thefts will evaporate overnight. Without a channel to market, it eliminates the incentive for thieves to steal your car in the first place.
It's not a tech problem, rather a legislative one. Too bad it won't fly because the current govt. has made it a habit of treating every issue as a wedge issue.
I think part of the problem is also that as criminal trade becomes lucrative & there are more crackdowns in other potential venues, more and more capital is being spent to basically build up these ports in Canada as criminal strongholds.
There is likely significant political shielding for the operation of these criminal groups in many Canadian ports.
It really depends where you live in France. You have a big fence left in the west, a 'casse' near bordeaux, but you won't really find anything from violent crime (copper, stolen cars, phones and bikes at most, and most of the activity is genuine).
It's also a good way to know if organized crime is present in your area. If water distribution and/or trash collection is privatized to a 'local' company, you probably have some :)
The rest of the west, even Nantes and Rennes are really chill.
The issue in France is the resurgence of organized crime since 2004-2006. The tough on small crime policy jailed small magrebi caïds (basically local slumlords and drug dealers). Some local caïds gangs were strong enough to endure the storm and to emerge as stronger gangs, but organized crime from southern France (Grenoble, Marseille), and new gangs used that time to carve parts of Lyon and Paris. New crime families emerged around 2012, and around 2015 (I was living in Paris at that time) it could have turned really bad. Rumors of missile launchers, ak47 and other nice stuff in every shop. Things calmed down for no reason (I think the travellers families and magrebi gangs decided to share territory after the terror attacks and Sentinel), nothing really exploded, I left Paris.
To me, the only true violence left in 2023-2024 is around Marseille, near Monaco (Russian mafia left a big hole recently), in camargue (because of the new travellers families). Maybe it'll start again in Paris and Lyon, hopefully not.
I am someone you would label a ‘crime denier’ because I feel the problem is definitely smaller than in the past and it is generally overstated in the media. That is precisely why I think we should focus on organized crime and the driving clearing houses rather than individual street-level criminals.
I used to be like that, then I started seeing things happening myself. The first time you see Kia Boyz smashing windows and grabbing purses in a grocery store parking lot at noon on a Sunday is an eye opener (Do they want to get caught? this is pretty blatant, maybe they know we don't have many police these days). I always thought our crime problem was limited to porch piracy and street parked cars getting their windows bashed in at night (you know, typical drug addict crime), but nope, we have another problem.
I hear what you're saying, I live in SF. My opinions are evolving on the subject. There is a lot of not profit-driven vandalism and violence that I witness here and disrupting fencers will obviously do nothing for that.
But for car theft & other profit-driven commodity thefts, I do think targeting the markets can often be very effective.
I don't know. Many of these kids...they are from war torn communities (legal immigrants, refugees). They might be working through huge trauma, and they don't seem very organized at all (steal a car to...steal another car and/or knock over a gas station...then abandon the car on the street somewhere). There really isn't a market to target, the cars are almost always found after a few days, just trashed and damaged. They are just used for other crimes mostly.
The drug addicts are much more organized in comparison (steal legos at Target, fence at some place for fentanyl).
Yep. I don't know anything about car theft outside of where I live (Seattle), so its not even generalizable to the rest of the states, and I'm commenting specifically on Kia Boyz car thefts...I'm sure Seattle has actual car thieves who are stealing cars to sell them off and not just cause general very visible chaos. Although statistics show most stolen cars are recovered here in Seattle:
> The vast majority of auto thefts are committed by criminals looking for temporary transportation. Thus, most vehicles are recovered within a few weeks to a month and with relatively little damage. Very few vehicles are stolen for parts.
> It should be noted, however, that British Columbia also had the highest rate of recoveries of stolen cars (91 per cent) compared to the national average (73 per cent) (Fleming, Brantingham, & Brantingham, 1994).
The premise that catalytic converter thefts have plummeted in the last few years is incorrect. In fact, recent data indicates that vehicle-related thefts, including catalytic converter thefts, have surged. According to a report by the National Insurance Crime Bureau (NICB), the nation experienced more than 64,000 catalytic converter thefts in 2022, with California and Texas leading the country in these incidents[3]. This represents a significant increase from 16,660 claims in 2020 to 64,701 in 2022, indicating a rising trend in catalytic converter thefts[3].
Furthermore, overall vehicle thefts have also increased. The FBI's annual crime report showed that there were 721,852 car thefts across the country in 2022, up from 601,453 incidents in 2021 and 420,952 reported in 2020[2]. This surge in car thefts has been attributed to various factors, including economic downturns, supply chain issues, and the high demand for cars and parts[4]. Additionally, a viral TikTok challenge encouraging the theft of Kia and Hyundai vehicles for joyrides, known as performance crime, has contributed to the uptick in car thefts[2].
Therefore, the data clearly indicates that catalytic converter thefts, as well as overall vehicle thefts, have not plummeted but have significantly increased in the last few years.
My comment was confusing so let me address what you are saying:
1. This is a very recent thing I am discussing, the fencers were only arrested in the beginning of 2023 and the thefts have fallen in 2023, specifically second half. This should be available in more fine-grained crime stats or simply by looking at like google trends of catalytic converter replacement searches.
2. Crime is much lower than in the 20th century, but I agree there has been a post-pandemic upshift.
this trend is after they busted a billion dollar auto parts company for being heavily involved in fencing these parts, seized 500 million dollars, and other anti-fencing provisions were made
Ah yes, that's the one. Misremembered the apprehension date slightly. There have been subsequent arrests in the Bay Area of people who were part of the supply chain for this group.
Do you know about the endemic of illiteracy in the US right now? More likely than not that child can't even read above a 2nd grade level.
We could have real rehabilitation centers focused on educating the kids, treating them like human beings with respect, and show them how to live life well.
Or we could put them in kid-jail and be put at a higher risk for all sorts of violence and abuse just to punish them.
As long as people hold the opinion that a 12 year old is "well on their way down the path towards irredeemability", we won't ever move past revenge based for-profit prisons and the crime problem will continue to get worse as these illiterate and stunted children are released back out into society.
What teachers are saying is that socio-economics prevent any type of education from happening in many cases, i.e. there are many, many children who are going to struggle mightily unless the totality of their life systemically improves. Could teachers improve? Probably. Are teachers the underlying problem? I used to think so, but in dealing with our own school board/system it's very clear this is not the case.
That's easy. We just need to halve class sizes, fire half of the administration, double the pay for teachers in the worst districts, and raise the floor of the child social safety net to the point that even having complete fuckups for parents won't ruin your life.
> counseling, a better home and school environment, food in the belly, and so on might.
This seems right for preventing criminals from forming out of otherwise-blank-slate children, but what do you do with these kids? There's no magic wand that turns their home & school life right.
On the other hand, there are plenty of kids who had a perfectly fine and financed upbringing who turned into criminals and terrors, they just tend toward white-collar crime.
This brings us full circle to the original comment that religion used to serve a useful purpose for society that's been largely lost -- a set of ethics & morals, and if those don't take real well there's always the all-seeing entity watching you at all times. In modern times the all-seeing eye of God has been replaced by surveillance cameras, but what is the base of morals replaced by?
The first thing is that there are no universal sets of morals. Ethics is a totally different beast but it’s something I’m not sure a young kid can wrap their heads around. But following “the rules” is something you can teach a kid and works until they are old enough to know when to break the rules.
One thing we stressed to our son is: if you break the rules/laws, you will eventually get caught. So make sure whatever you are doing is worth the consequences.
There’s no need for some magical god to punish people, just the fact that, eventually, someone will figure out what you did (or more likely, they’ll tell on themselves). It’s worked so far…
> The first thing is that there are no universal sets of morals.
That's a belief presented as fact. I'm not super excited about getting into a philosophical debate, but just something to consider:
"The rules: help your family, help your group, return favours, be brave, defer to superiors, divide resources fairly, and respect others’ property, were found in a survey of 60 cultures from all around the world." -- https://www.ox.ac.uk/news/2019-02-11-seven-moral-rules-found...
It’s a fact because I think we can agree there is at least one person on this planet who has counter-morals to any morals you present, for example. As long as one person on this planet has a difference of opinion on what morals they abide by, there can be no universal morals. That IS a fact, not an opinion.
> I don't think there's anything more guaranteed to turn a 12 or 13 year old into a lifelong criminal than what I think you're implying by "real correction in behaviour"; aka a multi-year prison sentence.
Society had better correct that problem quickly or those two 12/13 year old kids are going to have ruined their lives by the time they turn 18. Something drastic has to be done, a slap on the wrist and sending them back to their parents isn't sufficient. Right now we fail on both sides of the pendulum, maybe its time to rethink things.
I do think Europe does deal better with this. Even in France, they have a fairly aggressive/intolerant police force, but a real correction focus once arrests/convictions have occurred.
The problem also cannot be corrected by letting them run wild until they are 18, and then locking them in a room until they are 50, and then releasing them.
Criminality is congenital. Social interventions will not fix the kid. Neither for that matter will prison, but at least it will protect the rest of us from his increasingly violent depredations.
This is a categorically disproven view. Thankfully, it's no longer widely held, but unfortunately not before it was used to justify millions of cruel acts from eugenics to genocide.
> Our real problem is just the pendulum swinging too far towards assuming people want to be good and they just need some compassion.
There's an entire field of study covering how ineffective punitive justice is. Unless the perpetrator at hand is literally an irredeemable monster, locking them away in a box until they're later released with even more stigmas, even further behind the curve, and without the ability to earn a living does nothing except push them right back to the anti-social behavior that put them on the radar of the justice system in the first place.
All evidence on the subject points to the same thing: the best predictor of who will be a criminal and who won't is their zip code, because of things like under-served communities and generational poverty. When you give people no options to make a living in a pro-social way, they will do it in an anti-social one.
Does that mean every person in the justice system just needs a firm pat on the back and to be released? Fuck no. But if you long term want to actually reduce crime, the evidence is in: you do that by improving home lives and giving communities the resources they need to grow, not by locking people up.
To be honest, there's also entire fields of study of how God makes everything in the world happen, so I doubt I'm much convinced by how many fields of studies there are. People have been able to bullshit each other over obvious things for eons. The existence of such fields means nothing.
The Flipper Zero is not a SDR, it is less capable than that.
That's the ironic part, the Flipper Zero is a rather weak hacking tool.
It can open car doors, but it is so impractical that it is not much more than a party trick. You have to record the code by pressing the button on the keyfob out of range of the car and in range of the Flipper. You can then open the door to the car, once, and only if the owner didn't open it first. There is a more advanced and maybe practical attack called rolljam, but I don't think the Flipper is capable enough to do that.
The only thing is that the Flipper Zero is fun, cheap(ish), and popular, but real thieves already have better tools for their job.