Khrys boosted

In serious information security circles, it's widely understood that "there is no security in obscurity" - that is, hiding how a system works doesn't make it secure. Usually, this is understood to be grounded in the fact that if you hide your work, you might make mistakes that others would spot and point out to you:

doctorow.medium.com/como-is-in

17/

Khrys boosted

But in reality, the company itself is a dumpster-fire of information security worst practices, whose unpatched, badly configured, out-of-date tractors are a bonanza of vulnerabilities and unforced errors. What's more, the company - which claims to be a staunch defender of copyright - uses its copyright locks to hide the fact that it is committing serious breaches of software copyright.

16/

Khrys boosted

So to recap: the company says it has to block farmers from having the final say over their own tractors because they could create security risks and also threaten Deere's copyrights (the company even claims that locking down tractors is necessary to prevent music infringement, as though a farmer would spend $600k on a tractor so they could streamrip Spotify tracks).

15/

Khrys boosted

Another revelation from Sickcodes: the company made extensive use of free/open source software but seems to be gravely out-of-compliance with the license terms (I'm told that organizations that do legal enforcement of free/open licenses are now aware of this).

14/

Khrys boosted

For example, at one point Sickcodes put the control unit into maintenance mode by repeatedly rebooting it, so that it refused to allow him to do anything until he brought it to a dealer. He discovered that all it took to convince the computer that he was a dealer was to create an empty text file on its hard-drive whose filename was something like "IAmADealer.txt" (I didn't write down the exact filename, alas, but that's not far off!).

13/

Khrys boosted

As Kyle points out, this entire system ran on deprecated, unpatched, elderly GNU/Linux software and Windows CE, an operating system that was end-of-lifed in *2018*, and which was so bad that people forced to use it typically called it "Wince."

Sickcodes discovered all kinds of security worst-practices in John Deere's security - even in the parts of its security that were intended to secure the company's profits from its own customers' best interests.

12/

Khrys boosted

He discovered that the system was designed to send an *extraordinary* amount of data to John Deere - his control unit tried to exfiltrate 1.5GB worth of data once he brought it online. He also discovered that as soon as he was able to conjure up a terminal, he had root access to the system.

This was great news for Sickcodes, but it raises serious questions about Deere's information security practices.

11/

Khrys boosted

Writing for Wired, Lily Hay Newman provides some great technical details on the hack, including how Sickcodes acquired (and accidentally broke!) several 2630 and 4240 touchscreen control units, eventually demounting the main controller and soldering it into a new board that he used to probe the system:

wired.com/story/john-deere-tra

10/

Khrys boosted

As Kyle points out, Deere has repeatedly told state and federal lawmakers and regulators that farmers can't be trusted to repair or modify their own tractors. This is obviously nonsense: indeed, for decades, Deere product development consisted of sending engineers out to document the improvements farmers had made to their tractors so the company could copy them:

securityledger.com/2019/03/opi

9/

Khrys boosted

Which brings me back to Sickcodes and his awesome presentation at Defcon 30 this weekend. I watched from the front row, sitting next to the repair champion Kyle Wiens, founder of iFixit, who turned his notes into an excellent Twitter thread:

twitter.com/kwiens/status/1558

8/

Khrys boosted

They *also* didn't say that Ukrainian farmers had long chafed under Deere's corporate control, and had developed illegal third-party tractor firmware that farmers all over the world had covertly installed:

vice.com/en/article/xykkkd/why

And that means that the Russian looters who supposedly were foiled by Deere's corporate remote killswitches can re-activate their tractors, by using the Ukrainian software developed in response to the company's monopolistic practices.

7/

Khrys boosted

Monopolizing the repair and reconfiguration of Deere products gives the company all kinds of little gifts - for example, they can refuse to fix the tractors of dissatisfied customers unless they agree to gag-orders:

pluralistic.net/2022/05/31/dea

And because so few of us understand information security, or monopoly, or agribusiness (let alone all three!) they can spin their dangerous, grossly unfair practices as features, not bugs.

5/

Khrys boosted

While it's true that the John Deere tractor monopoly means that defects in the company's products could affect farms all around the world, it's also true that John Deere is very, very bad at information security:

pluralistic.net/2021/04/23/rep

The company's insistence that they are guardians of farmers and the agricultural sector is a paper-thin cover for monopolistic practices and rent-seeking.

4/

Khrys boosted

Deere's claims have included the astounding statement that the farmers who spend hundreds of thousands of dollars on tractors *don't actually own those tractors*, because the software that animates them is only licensed, not sold:

memex.craphound.com/2017/04/22

They've also claimed that locking farmers out of their tractors is for their own good, because otherwise hackers could take over those tractors and endanger the food supply.

3/

Khrys boosted

The presentation was significant because Deere - along with Apple - is the vanguard of the war on repair, a company that has made wild and outlandish claims about the reason that farmers must pay the company hundreds of dollars every time they fix *their own tractors*, and then wait for days for an authorized technician to come to their farm and type an unlock code.

2/

Khrys boosted

Last Saturday, I sat in a crowded ballroom at Caesar's Forum in Las Vegas and watched Sickcodes jailbreak a John Deere tractor's control unit live, before an audience of cheering Defcon 30 attendees (and, possibly, a few undercover Deere execs, who often attend Sickcodes's talks).

1/

A new jailbreak for John Deere tractors rides the right-to-repair wave

arstechnica.com/information-te

Exploit now provides root access to two popular models of the company’s farm equipment.

✊ 🍿

On the golf courses of Limoges, Extinction Rebellion uses the holes for planting

liberation.fr/environnement/cl

The collective of environmental activists planted thirsty vegetables on the Limoges greens to denounce the privilege enjoyed by golf courses, which are allowed to water their lawns in the middle of a drought.

🌱 🍿

In Myanmar, six more years in prison for Aung San Suu Kyi

liberation.fr/international/as

The former Burmese leader was sentenced on Monday to an additional six years in prison, having been found guilty on four corruption charges. In recent months, the Nobel Peace Prize laureate had already been sentenced to a total of eleven years of detention.

Benjamin Mendy described at his trial as a "predator" for whom women were "things to be used for sex, then thrown away"

liberation.fr/sports/football/

"This has little to do with football. It is another chapter of a very old story: men who rape and assault women because they think they have power and because they think they will get away with it."

La Quadrature du Net - Mastodon - Federated Media

Mamot.fr is a French-speaking Mastodon server run by La Quadrature du Net.