If I were to try this attack, I would up the car to a range charge and turn air conditioning on full blast. Then I would go through cycles of charging the battery up full and discharging it.

The electricity will add up, but maybe not a lot for most who can afford an $80K+ car.

The bigger issue is that this will decrease the battery life.

1. Only if there is a vulnerable third-party site with whom the user has shared their credentials. Out of the box, no.

2. I would consider that a flaw in the car if you could do that. The API and the fact it resulted from a hack would be incidental to the whole thing.

Re: #1
What has logging in over SSL got to do with anything?

If a third-party is storing credentials that control everything, then you are screwed if that third-party is compromised. Twitter suffered greatly from these kinds of problems prior to adopting OAuth. The trick with OAuth is that the third-party never sees the primary credentials, just an application-specific set of credentials with very specific access rights. Because of the design of OAuth, it's also easy to revoke credentials on an app-by-app basis and thus not impact the other apps interacting with the OAuth system.

Re: #2

Tesla is blameworthy because they opted for a less secure approach than is commonly accepted practice. If a third-party is compromised in an OAuth environment, only that one token with the application's specific access rights are at risk. You can revoke them and re-issue without impacting anything else using those credentials.

Finally, there's no need for any panic at all. TFA is not pushing panic. It's pushing the facts of an architectural flaw that does not arise to the level of being an active vulnerability. A flaw that exists for no good reason at all.

When done right, OAuth is more secure and equally usable.

Usability issues crop up when OAuth is applied to contexts in which it makes no sense (systemsystem authentication).

In a world of interconnected devices (the Internet of Things), it's not about hypothetical sites. It's about real, interconnected sites. There are real sites out there that talk to Teslas and provide value beyond what Tesla provides. If you are building a connected device in 2013, you should take this reality into account.

I have one of those as well as a 7-year old. They are much more interested in the Slacker access from the 17" screen.

I've done it before.

What the hell do you care if the NSA is looking at your source code?

I mean seriously. Do you have pictures of you doing blow embedded in your source code or something?

The Tesla battery design is a technological breakthrough.

Also, electric vehicles like the Tesla have lower maintenance costs due to a significant reduction in moving parts.

Then your network isn't secure to begin with. You just use your control as a pathetic crutch.

1000 people is a statistically significant sample size as long as there's no sample bias.

I do think the race issue is worth discussing. As well as the gender issue.

But there's something more fundamental and less likely to stoke passions at play here:

DOING SCIENCE IS ABOUT MAKING MISTAKES. Her "punishment" should be to write a paper on what she was trying to do and why the results were not what she expected. Simple, end of story.

There should be no real punishment of any kind, much less the over the top expulsion and arrest.

The simple fact is that she should be encouraged to make mistakes, not punished for them. And the most basic problem we are dealing with is that our school systems don't understand this fact.

His password is 7 lower case characters. It's a wonder his GMail account wasn't hacked ages ago.

This was true about 10 years ago, but now we exist in a tech world in which there are way more jobs than people to do them. If all you are doing is low-level gofer programmer and you're 40, yes, you are in a dead end job. But if you have managed to amass technology experience that matches your age, you are extraordinarily valuable.

Congratulations!

You just managed to get the stupidest Slashdot question of the year submitted in time for 2011 consideration!