Derp. Of course, I go and accidently type "4th".

You can't be coerced into providing witness testimony. You don't have to speak to the cops even if you are just a witness UNLESS the state offers you immunity. If you are offered immunity, then you can be coerced. But I doubt that's what the OP was talking about. If it is, then his diatribe makes even less sense that it tries to make.

Actually, in other states where the battle can work, they have consistently lobbied for wider changes.

Tesla doesn't want these buffoons selling Teslas because dealers don't really want to say them.

Sure, they'll pay lip service to the idea. But the problem is that Tesla's have very few moving parts. There's no money to be made off of Tesla services. And that's where these guys make their money. So they will use Tesla's to draw people in, but they'll sell something else.

By the way, who cares why? What if it is just because Elon hates TADA? In a free market, he should be able to sell direct if he wants.

That's not what they were doing.

They knew there was no way in hell they would get a blanket exemption or get the law repealed (Tesla's preference). So, they tried to craft the most palatable thing that could be passable.

If I were to try this attack, I would up the car to a range charge and turn air conditioning on full blast. Then I would go through cycles of charging the battery up full and discharging it.

The electricity will add up, but maybe not a lot for most who can afford an $80K+ car.

The bigger issue is that this will decrease the battery life.

1. Only if there is a vulnerable third-party site with whom the user has shared their credentials. Out of the box, no.

2. I would consider that a flaw in the car if you could do that. The API and the fact it resulted from a hack would be incidental to the whole thing.

Re: #1
What has logging in over SSL got to do with anything?

If a third-party is storing credentials that control everything, then you are screwed if that third-party is compromised. Twitter suffered greatly from these kinds of problems prior to adopting OAuth. The trick with OAuth is that the third-party never sees the primary credentials, just an application-specific set of credentials with very specific access rights. Because of the design of OAuth, it's also easy to revoke credentials on an app-by-app basis and thus not impact the other apps interacting with the OAuth system.

Re: #2

Tesla is blameworthy because they opted for a less secure approach than is commonly accepted practice. If a third-party is compromised in an OAuth environment, only that one token with the application's specific access rights are at risk. You can revoke them and re-issue without impacting anything else using those credentials.

Finally, there's no need for any panic at all. TFA is not pushing panic. It's pushing the facts of an architectural flaw that does not arise to the level of being an active vulnerability. A flaw that exists for no good reason at all.

When done right, OAuth is more secure and equally usable.

Usability issues crop up when OAuth is applied to contexts in which it makes no sense (systemsystem authentication).

In a world of interconnected devices (the Internet of Things), it's not about hypothetical sites. It's about real, interconnected sites. There are real sites out there that talk to Teslas and provide value beyond what Tesla provides. If you are building a connected device in 2013, you should take this reality into account.

I have one of those as well as a 7-year old. They are much more interested in the Slacker access from the 17" screen.

I've done it before.

What the hell do you care if the NSA is looking at your source code?

I mean seriously. Do you have pictures of you doing blow embedded in your source code or something?

The Tesla battery design is a technological breakthrough.

Also, electric vehicles like the Tesla have lower maintenance costs due to a significant reduction in moving parts.

Then your network isn't secure to begin with. You just use your control as a pathetic crutch.