Unfortunately, it couldn't come at a worse time - a time when even the most "democratic" countries on Earth are pushing for their people to have fewer rights, more censorship, more surveillance, more torture, more secret assassinations and so on.
Well, terrible in a "slaughtering children and making large swathes of land deadly for generations" sense, sure. But they sure are cost effective, so if you look at it with the right value system, they're really wonderful.
That's nonsense. First off, ARM is able to "keep up" with only tens of millions in profit a year. Second, Qualcomm is one of the richest chip makers. Third, Samsung hasn't been using custom CPUs and GPUs - at all.
It's debatable whether ARM can keep up with custom cores. Both the A15 and A57 designs have been underwhelming from a performance per watt point of view. The A57-based Snapdragon 810 has suffered from thermal issues: http://arstechnica.com/gadgets/2015/04/in-depth-with-the-sna....
Qualcomm is big, but Intel, Apple, and Samsung are all targeting custom cores in this space, and they may reasonably feel like doubling-down on their LTE technology and not trying to compete in that space.
Qualcomm's Krait and Apple's Swift/Cyclone are ARM-compatible cores designed in-house from the ground up. Exynos uses IP cores designed by and licensed from ARM.
Which is funny because the reason Qualcomm screwed up recently (besides all the anti-competitive/antitrust issues) is because it didn't come out with its own next-generation custom CPU core sooner, and had to use stock ARM IP which I guess it didn't have much experience in handling.
The shareholders' "solution" is what will destroy the company. Qualcomm would've been fine in the next 2 quarters, once it passed the Snapdragon 810 generation.
I don't know why they freaked out so badly after just one bad quarter (and after Qualcomm has constantly grown for the past 5 years) to the point where they want to split the company. That seems rather crazy. I wonder if there's something else besides next-quarter-profit thinking behind this motivation.
If you believe the article (I'm not sure whether or not I do), the shareholders didn't freak out because of the bad quarter - it was just an opportunity to push their pre-existing agenda of prioritizing returning capital to shareholders instead of investing in the business. If that happens to destroy the company in the long run, these shareholders might not care - nothing stops them from selling their shares well before the long run arrives.
Indeed, and I remember the vast majority of the people getting super excited at the possibility of "getting an OTA update that can improve your acceleration by 0.1s" - without realizing what exactly that means in terms of security. In particular, that others could also control your engine and car the same way through updates.
The car manufacturers who do OTA updates for their cars are sitting on time-bombs. The clock is ticking for them until people get killed this way (regardless of them using HTTPS or signed updates - which some manufacturers don't even use now).
Yet it's an order of magnitude easier to just go buy the parts to a real 'time bomb' than to crack an OTA update. Security is relative after all, and evil geniuses have much better ways to kill you.
When you're signing a binary blob, protecting the private key is actually pretty easy since it can be air-gapped/offline. Or heck you can buy appliances where they'll perform specific functions using the private key but won't expose it themselves without physical intervention.
If I were a mega-corporation protecting a firmware private key, your name would have to be Tom Cruise to get it. Though unfortunately responsible corporations seem to be as rare as real-life Tom Cruise characters, so I guess it's a valid concern you have.
So you're okay with spy agencies (from all over the world) as well as drug cartels and other criminal organizations having the power to kill you in an almost untraceable way while you're on the highway?
Also, the US gov has been using these entertainment systems to spy on people for more than a decade...it's already been happening. Unfortunately, I can't find the link now, but it was a post from 2001 or 2003 on NYT and I think they were using Ford Sync to do it.
But to be clear, drug cartels, spy agencies and criminal organizations have been able to do that for quite some time. They've just had to send a person to plant the bomb or the bug or the location tracker in person. And it's not generally regarded as the car manufacturer's problem to deal with that threat.
So yes, there's a question of scale, which makes a difference here. Traceability can maybe be handled at the network level - who knows what information Sprint captures about traffic to these car systems?
But the way most people are talking about this you'd think that as soon as the method for doing this hits the internet, script-kiddies are going to start randomly crashing Jeeps into bridge pylons.
> But to be clear, drug cartels, spy agencies and criminal organizations have been able to do that for quite some time. They've just had to send a person to plant the bomb or the bug or the location tracker in person. And it's not generally regarded as the car manufacturer's problem to deal with that threat.
But those sorts of methods require orders of magnitude less plausible deniability.
When people hear on the news that some controversial political activist (in any country) died during an armed robbery, from a propane explosion, suicide or a car crash, which one do you think they'll question the least?
You're a fool if you think intelligence agencies (around the world) haven't been weaponizing these sorts of vulnerabilities (and they're fools if they haven't been). The major hurdle I see is that the people they'd risk exposing this sort of capability on don't ride around in cars with the required features or live somewhere where it's more sensible to get them some other way.
"live somewhere where it's more sensible to get them some other way"
Yes, the main remote exploit you're exposed to driving round Yemen in a Grand Cherokee is probably a Reaper-launched Maverick strike, rather than having your transmission remotely cut :)
> But the way most people are talking about this you'd think that as soon as the method for doing this hits the internet, script-kiddies are going to start randomly crashing Jeeps into bridge pylons.
You mean the same script kiddies who think it's hilarious to sic a SWAT team on someone's house? It's not like script kiddies everywhere would start doing this - but all it takes is 1 before you've got a problem, and I'm sure that if it was easy enough for any script kiddie to do, at least one of them would.
Say the car manufacturer made no attempt at security whatsoever - all you had to do to take control of the car's critical systems was know its IP address and guess its 8 character max admin password. Would that really not be on the manufacturer?
People today, in low-tech real-life, have been known to go and throw rocks off overpasses. People have died. People have also gone to prison.
It's not the car manufacturer's responsibility to protect their customers from that.
Make the same thing possible for someone to do from their basement, and sure: people will die; people will go to prison.
Look, I'm not actually trying to absolve Chrysler of responsibility here, I'm trying to get to the bottom of why when virtual meets physical, we act like the nature of the internet fundamentally changes things. I'm interested in what it is about this threat to car owners which is different from existing threats.
It fundamentally changes things because it's so easy to do anonymously. If someone drops rocks off an overpass, it's pretty easy for police to track them down and arrest them. If someone attaches a bomb to the bottom of a car, sure it's harder to get caught than dropping rocks off an overpass, but you still need physical access to the car, and it's still relatively traceable. But if remotely hacking a car, it would be pretty easy to stay anonymous. Plus, in both those other cases it's obviously foul play, whereas if a hacked car runs into a wall it's probably not going to be so obvious.
Plus, the anonymous nature of the internet makes it much easier to become detached from the real-life consequences of your actions. Just look at all the examples of online harassment from people who would never say things like that in real life. Look at people who go and grief kids' Minecraft servers, yet wouldn't go and kick over their sand castles in real life. Look at morons who swat people.
Actually, come to think of it, maybe it's not so different - if it was found that a big car manufacturer had a problem with their door locks and you could open it just by sticking a toothpick in, you can bet they would take the blame once they started getting stolen.
I'm not saying the responsibility is solely on the manufacturer, but they definitely bear a major part of it. When you buy a car, you expect a reasonable amount of security. I guess the question is where we draw the line as to what counts as reasonable.
> I guess the question is where we draw the line as to what counts as reasonable.
Yes, exactly. And I think a lot of people, including me, would say that anything that can be done entirely in software is reasonable.
Hmm. Does this mean that anyone doing safety-critical embedded software should be compelled to formally verify every line of their code? I'll have to think about that. That might be going a bit too far given the present state of verification technology. On the other hand, it would be a great thing.