Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
What's the story with these ads on Slashdot? Check out our new blog post to find out. ×

Comment Re:VAG products are the most secure (Score 1) 373

ME7 is extremely old (10+ years). Also, immobilizer defeat requires removal of the ECU. It's trivially easy to do once the ECU is removed, but that requires extended access to the car.

We're not talking about whether something can be defeated if you have the keys, a toolbox, an eeprom burner and unlimited time with the car. The root question is about whether a vehicle is hackable, potentially remotely.

The can gateway is "just another device", but it's very difficult to get it to do anything it isn't supposed to do. Yes, all the devices you care about are on the powertrain bus. But, nothing that's easily accessed (infotainment, obd port, headlight distance controls) is on that bus and none of those things can communicate directly with it.

It's exactly the same principle as having an internal network isolated from the internet. A properly configured firewall will allow proper access to inside services, but won't allow malicious activities.

Comment VAG products are the most secure (Score 2) 373

In short: If you want a secure car, get something with a carburetor or buy a VW, Audi, Porsche, Seat, Skoda, Bently, Bugatti or Lamborghini.

I reverse engineer automotive software for a living and I can say without question that Volkswagen Auto Group cars are as secure as you can possibly find.

Most of the cars you hear about being "hacked" are vulnerable because of something in the infotainment system. Once an outsider has access to that, in most cars, they have access to the canbus and can do "bad" things.

Vag cars are not this way. They have multiple can buses, one for each primary function. Body control, convenience and power-train are all on separate buses. Between these buses sits a device called the "can-gateway", which is essentially a canbus firewall. No packets can move between the buses except those that are necessary to allow. A "wheels are spinning, activate ABS" message cannot originate on the convenience or body control bus.

The software for just about everything important is secured with signatures (2048 bit now). Modifying the software for these cars is extremely difficult, getting access in the first place requires enormous amounts of very skilled labor. We spend many thousands of man hours each year just keeping ahead of the security features added to the ECU engine control code (we're a performance company).

It's hard enough to modify anything on these cars when you have every tool imaginable, a seasoned veteran staff, complete access to the cars and nearly unlimited financial resources.

Comment Re:So it competes with SUN. (Score 1, Interesting) 157

Don't forget that Z series is even more stupid expensive than Sun gear. I get that there's a bunch of R/D that goes into mainframes and keeping a non x86 CPU alive (Sparc/PPC/Zseries). But, if you want new things to be built for them, there has to be a reasonable level of entry for small shops.

$20k+ (Sun) or $100k+ (Zseries) is not a low enough entry level that I'd going to develop anything for it.

Comment Oldies but goodies (Score 2) 267

I'm very well versed in PPC assembly. I've found a quite wonderful niche working on automotive controllers. I also have several subordinates well versed in Tricore (Infineon automotive CPU) assembly.

Neither of those will ever make it onto any list of "popular" anything, but we all make plenty of money doing it.

As important as those two languages are to what we do, I've never hired anyone that listed either of those things on their resume. The ones that did list them specifically had at best a rudimentary understanding and little other practical background that would make them useful.

Don't learn something because you think you can make money with it. Learn something because you like it and want to use it. Then, find an employer that values your talents and willingness to learn whatever they need you to learn.

That's the best path to a good paying job.

Comment Power is bigger than you think (Score 5, Informative) 85

I work on PPC systems every day. I also use several. I'd wager that you do as well.

Have cable or satellite TV? 90% chance it's using a Power cpu. Drive a car with fuel injection? 65% chance your engine is run by Power, 90% chance something in the car is (ABS, nav, transmission).

It's been around a long time (30+ years), been 64 bit much longer than x86 or ARM, has good OS support and good compilers.

I work on and like ARM as well, but if IBM can make a value proposition in China with PPC, they actually have a chance at getting some market share outside embedded.

Comment Two options (Score 4, Insightful) 466

The first option would be a PCMCIA ethernet card. Since you have 3.11, if you install a PCMCIA nic that has windows 3.11 drivers, you can simply use windows file sharing to copy everything. There's plenty of old nics on ebay.

Second option is to use pkzip to zip up everything you want. Buy a null modem cable and transfer the zip files using x/y/zmodem. Windows 3.11 had a terminal program and the windows XP laptop will have hyper-terminal.

The second option is much slower, but null modems are easier to find than pcmcia network cards with windows 3.11 drivers.

Comment I hire EEs (Score 3, Informative) 323

I'm the head of software engineering at a small company and was a technical director at an MNC previously. I've hired hundreds of programmers.

I regularly hire EEs as programmers, but not for web development. Web development is mostly the bastion of very nimble, hacky types. As others have said, it's frequently more about putting together a reasonably elegant hack in a short period of time.

I hire EEs for board support and other embedded development. Those are the places where real engineering skills are the most useful. I don't want my BSP full of dirty hacks or hard to find/duplicate bugs. I want code that is planned, organized and well executed. That's exactly (in my experience), what I get from engineer coders.

The exception to my above generalization about web development is Java. Java backed websites (JSP and the like) are mostly developed by engineers and are used by large companies. If you want to maintain your engineering mindset and build websites, Java dev as a nameless drone at a big company is the way to do it.

Otherwise, I'd suggest boning up on your C and getting into embedded stuff. I personally find embedded work much more satisfying. It's also much easier to stay relevant without knowing the ins and outs of the latest NoSQL db or javascript library.

Comment Re:Opinion from industry insider (Score 4, Interesting) 140

I don't work with Fords, so I can't answer your question specifically. In general, the trend in cars is to have fewer controllers and devices on the bus controlling more and more things. In the VW/Audi world, all of the "body control" stuff is handled by a single module under the dash.

At the same time, many of those modules and the wires between them are accessible easily under the hood. I can reach under a VW, remove a plastic underbody panel and get to the powertrain (most important) canbus without opening the hood. I'd come up greasy, but I could certainly do it from under the car. With a little practice, I could probably do it in under a minute.

In the VW case though, that wouldn't do any good. I couldn't start the car or unlock the doors (door locks aren't on the powertrain can and the gateway won't pass through a door unlock message originating on powertrain). I could monitor their engine/transmission/ABS though and could turn off the car, change the gears or set/adjust the cruise control once the engine was running. I might even be able to trick the ABS into thinking the car is skidding and get it to lock up the brakes (I haven't played with ABS controllers much, so I'm not 100% certain of this one),

Comment Re:Opinion from industry insider (Score 5, Informative) 140

"Does nobody do signing or encryption of signals to control systems"

VW/Audi does. The newest generation use 2048bit RSA signatures for everything. The previous generation used 1024, which is still pretty much unfactorable for a reasonable price.

But, they can't use encryption of any consequence or signing on the bus. It's all real time and needs to be that way. Would you want your airbag to wait to deploy until it had verified even a 512bit signature on the "oh crap we've been in an accident" message?

Same thing with ABS.

The only real place they can use that (and they DO use it here) is for starting. When you're starting a car, there is no imminent danger. In VW/Audi, they have the "immobilizer" system. It uses RSA again. The instrument cluster, ECU and each key have a coded serial number. Each devices holds a hashed/signed copy of the serial numbers of the other 2 and the VIN. If the 3 don't all agree, the car won't start.

There are some ways around the system, but they require opening the ECU and various other things that are quite time consuming and very obvious. Nobody has (to the best of my knowledge) beaten the immobilizer system via methods that don't require a grinder.

Comment Opinion from industry insider (Score 5, Interesting) 140

I work in the automotive after market (ECU tuning). I can actually back up what they're saying. Even if they did come by it via speculation, they're actually pretty much dead on.

That is primarily because the german cars use what we call a "Can Gateway" but is better of though as a firewall. Every different system in the car has it's own private canbus. Anything that needs to travel between the busses has to go through the gateway. In the case of VW/Audi vehicles, it's locked down quite well. It knows what packets belong on what bus and only allows a very limited subset of properly formatted and required packets to pass between those busses.

Vehicles that share common can without a gateway are readily exploitable. I could plug a can interface into the headlights, A/C or any other system on the global bus and lock/unlock the doors, roll the windows up/down, trigger the traction control/ABS or even start/stop the car (if it uses a push button start).

Doing those things requires access to the can wires, but the bus is used for so much now-a-days, there's always plenty of places to access it. Many of them without requiring keys or an open hood.

Comment Pilot - Experience being hit by a laser (Score 4, Informative) 445

Night landings are, by their nature, more difficult and more dangerous than daytime landings. Assuming visual conditions, nearly everything is dependent upon being able to continuously see runway lights. About 10 minutes prior to landing, the standard procedure is to dim everything in the cockpit to it's lowest setting. The goal of this is to make sure the pilot's eyes are dilated as much as possible to see the runway lights and land safely.

About 5 years ago, I was landing at Chicago Dupage airport. About 1 mile from the runway threshold and about 500 ft above the ground, I was repeatedly hit by a bright red laser. Immediately after the first bright flash from the laser, I felt like I'd just walked from daylight into a dark room. I couldn't see anything. I couldn't see any instruments (Remember, they're all dimmed as low as possible) and the runway lights were suddenly very dim. After the second and third time, I couldn't see the runway lights anymore. My only choice was to add power, pull up and hope that I was still flying straight. I overflew most of the airport and remember finally getting good vision back about the time I was over the subdivision north of the airport. That subdivision is about 3 miles from where it all started. I turned over the subdivision and landed on a perpendicular runway.

I then released a torrent of profanities and considered all of the most painful ways to kill someone if I could ever find the #@(#*$@(#*$@(*##$(@* that hit me with that laser.

I'm all for higher penalties for this crap. It's probably already killed people. We don't know for sure because plane crash victims don't tend to be very talkative.

Comment App bubble already popped.. (Score 5, Insightful) 240

The App bubble has already popped. The only people that make money writing apps are contractors building them for companies that insist they need an app (even though they probably don't...), employees at companies like that drawing a salary, and the 1 in a million that comes up with the ugly meter. Eventually the marketing departments will realize that "Billy Bob's horse feed insurance" doesn't need a mobile app and all of that will dry up pretty quickly.

If you want to have a long career in development, learn databases. You don't necessarily want to be a DBA since they tend to get tied to a platform and their fortunes rise and fall with it (Foxpro anyone?). But, learn how to manipulate information. There will always be someone willing to pay you to manage their data. Maybe through an application, maybe through an app, maybe through a web interface.

At the end of the day, most of the decent paying technology gigs come from managing information for someone.

I got into this business in the early 90's and was told that by a friend of my father's who had been programming since the 60's. It's the best business advice anyone has ever given me.

Comment Re:Mandarin Chinese (Score 1) 514

Until you have a decent level of proficiency, reading books in Chinese is VERY difficult. Chinese dictionaries are almost unapproachable until you have a middle school level ability. Tablets improve the situation quite a bit, if you learn how to write, but it's still not much fun.

Background:
I lived in China for two years doing engineering work. I was in a small town in the middle of no-where and almost entirely cut-off from English speakers. I studied like crazy and by the time I left could do anything I needed to in Chinese.

It was a very hard road though. Not for the feint of heart.

"You know, we've won awards for this crap." -- David Letterman

Working...