IRC logs for #automotive for Sunday, 2015-12-13

« Saturday, 2015-12-12 Index Monday, 2015-12-14 »
*** persia has quit IRC01:48
*** persia has joined #automotive01:50
*** Sisco has quit IRC03:23
*** Sisco has joined #automotive04:41
*** Sisco has quit IRC05:14
*** Sisco has joined #automotive07:14
*** Sisco has quit IRC07:48
*** mdp has quit IRC10:27
*** FelixH has quit IRC10:27
*** KJS76 has quit IRC10:28
*** Tartarus has quit IRC10:29
*** malditoD_ has quit IRC10:30
*** malditoDev has joined #automotive10:30
*** malditoDev has quit IRC10:33
*** malditoDev has joined #automotive10:34
*** malditoD_ has joined #automotive10:46
*** FelixH has joined #automotive10:47
*** malditoDev has quit IRC10:47
*** KJS76 has joined #automotive10:50
*** mdp has joined #automotive10:50
*** Tartarus has joined #automotive10:50
*** gunnarx has joined #automotive11:54
*** gunnarx has joined #automotive11:54
*** Sisco has joined #automotive13:09
*** gunnarx has quit IRC14:10
*** ppeetteerr has joined #automotive14:36
*** ppeetteerr has quit IRC14:37
*** egy has joined #automotive14:38
*** RzR has quit IRC14:40
*** gunnarx has joined #automotive14:40
*** gunnarx has joined #automotive14:40
*** RzR has joined #automotive14:52
*** gunnarx has quit IRC14:54
*** RzR has quit IRC14:59
*** RzR has joined #automotive15:00
*** RzR has quit IRC15:08
*** RzR has joined #automotive15:11
*** RzR has quit IRC15:17
*** RzR has joined #automotive15:26
*** RzR has quit IRC15:30
*** RzR has joined #automotive15:36
*** Sisco has quit IRC15:37
*** gunnarx has joined #automotive15:43
*** gunnarx has joined #automotive15:43
*** RzR has quit IRC15:45
*** RzR has joined #automotive15:49
*** gunnarx has quit IRC15:59
*** RzR has quit IRC16:00
*** gunnarx has joined #automotive16:03
*** gunnarx has joined #automotive16:03
*** RzR has joined #automotive16:08
*** Sisco has joined #automotive16:12
*** RzR has quit IRC16:16
*** RzR has joined #automotive16:20
*** RzR has quit IRC16:31
*** RzR has joined #automotive16:34
*** Sisco has quit IRC16:37
*** Sisco has joined #automotive16:38
*** egy has quit IRC16:41
*** RzR has quit IRC16:44
*** RzR has joined #automotive16:52
*** jlrmagnus has joined #automotive17:05
*** myself_ is now known as myself17:11
*** RzR has quit IRC17:12
*** RzR has joined #automotive17:21
*** RzR has joined #automotive17:22
*** egy has joined #automotive17:25
*** Sisco has quit IRC17:26
*** RzR has quit IRC17:30
*** Sisco has joined #automotive17:33
*** RzR has joined #automotive17:36
*** RzR has quit IRC17:45
*** RzR has joined #automotive17:46
*** RzR has quit IRC17:54
*** malditoDev has joined #automotive18:01
*** RzR has joined #automotive18:02
*** malditoD_ has quit IRC18:04
*** Sisco has quit IRC18:05
*** egy has quit IRC18:08
*** Tartarus_ has joined #automotive18:09
*** dl9pf_ has joined #automotive18:10
*** Tartarus has quit IRC18:13
*** dzen has quit IRC18:13
*** dl9pf has quit IRC18:13
*** jlrmagnus has quit IRC18:13
*** jlrmagnus has joined #automotive18:13
*** Tartarus_ is now known as Tartarus18:13
*** RzR has quit IRC18:15
*** RzR has joined #automotive18:18
*** FelixH has quit IRC18:21
*** RzR has quit IRC18:22
*** RzR has joined #automotive18:25
*** dzen has joined #automotive18:25
*** jlrmagnus has quit IRC18:26
*** jlrmagnus has joined #automotive18:26
*** RzR has quit IRC18:36
*** RzR has joined #automotive18:36
*** FelixH has joined #automotive18:38
*** RzR has quit IRC18:42
*** RzR has joined #automotive18:48
*** Sisco has joined #automotive18:56
*** RzR has quit IRC18:56
*** RzR has joined #automotive18:57
*** RzR has quit IRC19:13
*** RzR has joined #automotive19:15
*** jlrmagnus has quit IRC19:23
*** RzR has quit IRC19:26
*** RzR has joined #automotive19:29
*** Sisco has quit IRC19:31
*** Sisco has joined #automotive19:32
*** AlisonChaiken has quit IRC19:33
*** wto has quit IRC19:33
*** jukansan has quit IRC19:33
*** Figure has quit IRC19:33
*** paulsherwood has quit IRC19:33
*** dabukalam has quit IRC19:34
*** AlisonChaiken has joined #automotive19:34
*** wto has joined #automotive19:34
*** jukansan has joined #automotive19:34
*** Figure has joined #automotive19:34
*** paulsherwood has joined #automotive19:34
*** dabukalam has joined #automotive19:34
*** Sisco has quit IRC19:36
*** RzR has quit IRC19:37
*** RzR has joined #automotive19:39
*** RzR has quit IRC19:47
*** malditoDev has quit IRC20:13
*** Sisco has joined #automotive20:21
*** Sisco has quit IRC20:55
*** malditoDev has joined #automotive20:56
*** malditoD_ has joined #automotive21:01
*** waltminer has joined #automotive21:02
*** malditoDev has quit IRC21:05
*** Sisco has joined #automotive21:20
*** jlrmagnus has joined #automotive21:31
*** waltminer has quit IRC21:39
*** malditoD_ is now known as malditoDev_21:52
*** jlrmagnus has quit IRC22:12
*** jlrmagnus has joined #automotive22:15
jlrmagnusWeekend hacking.22:15
myselfis best hacking22:19
jlrmagnusNo pesky interrupts.22:19
jlrmagnuspersia, Thanks for your input on the update boot sequence. It will be a part of the GENIVI Software Management specification.22:20
persiaCool, I am glad it was useful.22:21
jlrmagnusIt was.22:21
jlrmagnusRunning everything in initrd was a "duh" insight.22:21
persiaSecret for avoiding pesky interrupts: work at home at set your phone to silent in another room.22:22
jlrmagnusYeah, I wish. My daily schedule looks like a point-blank hit from a meeting shotgun.22:23
myselfWhere our parents' generation used "taking the phone off the hook" to signifiy private-time, today it's "putting the phones in airplane mode".. alarms still go off, but outside traffic doesn't come in. :)22:24
jlrmagnusLately I've started booking meetings with myself to block out time. That seems to help.22:24
myselfthat explains why I have so many meetings with jlrmagnus...22:24
jlrmagnusAnd now I wonder who 'myself' is....22:24
myselfoh I was just here to stalk some coworkers, just happen to have a nickname that exploits a pronoun-dereferencing vuln in the english parser ;)22:25
jlrmagnusHmm.22:25
myself(I work for p3, but not the same location as DThiriez.)22:27
jlrmagnusOki. IC.22:27
jlrmagnusGermany?22:28
myselfDetroit. :)22:28
jlrmagnusOk. I have no idea if P3 mothership is engaged with Genivi at all.22:28
jlrmagnusI don't think you are members.22:28
myselfI'm more of a hardware guy, but stuff like the canbus firewall is within my ability to grasp from a software perspective. :) Stuff about build process and all that, not so much, but I lurk here in hopes that some of it soaks in anyway.22:29
jlrmagnusCool.22:29
jlrmagnusThe firewall is in testing right now.22:29
jlrmagnusWe'll wrap it up and try to orphan it off to the tools team in Genivi.22:29
jlrmagnusWe will test it in one of our vehicles first to see that it fulfills its specs.22:29
jlrmagnusSpeaking off.22:30
jlrmagnuspaulsherwood, Are you there?22:30
myselfgenerating the firewall rules must be entertaining22:30
jlrmagnusIf by entertaining you mean bitbangingly boring, then yes.22:30
jlrmagnusI think we managed to nail most use cases, though.22:31
myselfyeah, mostly I was thinking "fraught with complications"22:31
jlrmagnusWell. Hopefully the rule writer knows what he/she is doing and has the CAN database close at hand.22:32
myselfit's a little bit weird to me that canbus architectures are getting complicated enough that a firewall would be useful, but I guess they are. Ford's approach with putting it right behind the connector is sort of amusing.22:32
jlrmagnusJust like any firewall, if you blow the rule chain you are toast.22:32
jlrmagnusAs gunnarx said: The firewall is a backward-looking solution to apply to existing architectures.22:33
jlrmagnusNew architectures will be segmented differently.22:33
jlrmagnusI think that the actual security gateway has to be in the TCU with a very well secured, small-surface interface.22:35
jlrmagnusEvery session has to provide authentication and authorization from both ends, and every command has to be deeply inspected before passed on to the IVI.22:36
jlrmagnusIf you have access to the diagnostic port, then you have already gained access to the vehicle itself.22:36
jlrmagnusThose hacks worry me much less than the OTA attacks.22:37
jlrmagnus</rant>22:37
myselfYeah, agreed. Physical access equates to full compromise. the TCU approach (and even the network provider) is where the effort should go.22:39
myselfHaving the TCU only associate to a dedicated APN that isn't even internet-reachable is a great step, but also not an excuse to leave everything else wide open22:40
jlrmagnusIt would say it is a pretty basic step.22:40
myselfWell, assuming you're big enough to have your provider give you a dedicated APN. It's a mindset that's not obvious to folks who come from a hobby background and assume their provider hates them. ;)22:42
jlrmagnusOne additional layer is to have the carrier detect attack patterns in their network, and block those attempts before they hit the fleet with force.22:42
*** Sisco has quit IRC22:42
jlrmagnusAPNs are cheap to provision. Even if you don't have it, simple firewall rules either in the TCU or, better, at the carrier will help immensely.22:42
myselfYou're giving the carrier a lot of credit!22:43
jlrmagnusDepends on the carrier...22:43
jlrmagnusBut yes, carriers do manage to mess up their own networks on a regular basis.22:43
FelixHThe problem with private APNs and counting on the carrier for security is that you need to manage that with a new carrier in every country23:01
*** gunnarx has quit IRC23:02
jlrmagnusThere are MVNOs that handle that for you.23:02
jlrmagnusHowever, carrier-provided security services should be seen as add-ons, not replacement for a good built-in security design.23:04
myselfYeah, you don't want to count on it, but it's a nice defense-in-depth step.23:05
jlrmagnusAgree23:05
jlrmagnusIn-network detection and prevention would valuable to stop a fleet-wide DDOS attack, though.23:05
FelixHMhhh, I'm not in the the discussions with carriers so I don't have the details. We currently use private APNs for our fleets but we're developing a solution that don't need it for its security (neither VPNs) because we can't get the same deals we have in Europe with all carriers.23:12
jlrmagnusIC23:13
persiaThe ideal solution assumes the carrier has been hacked and is now hostile.23:18
jlrmagnusYes.23:18
jlrmagnusDon't trust anything that hasn't been signed by your root cert.23:18
persiaI prefer public keys to hierarchies, but minimally, yes.23:19
jlrmagnusSelf signed root cert that validates all device certs. One step, no CA.23:20
jlrmagnusThat's what we are aiming at with RVI.23:20
jlrmagnusWe also, this week, think that we managed to crack the self-provisioning problem. We will mail out a suggestion probably this coming week.23:22
persiaUsing a cert to sign trusted cetts is reliable, but I fear an arch that involves client authentication: some jurisdictions require some software under some licensed to be more open23:23
jlrmagnusWe can do full CA chains, but have pushed off that decision to deployment.23:23
jlrmagnusWe use standard OpenSSL tools to validate certs.23:23
persiaOne of the interesting test cases is try he Sahara problem: you order a vehicle: you have 20 minutes with your smartphone before you encounter your vehicle in the middle of the Sahara.  Your task: unlock the doors and start then engine.23:25
persiaFull CA does not solve the client restriction issue or the assumption of bandwidth issue.23:25
jlrmagnusSolved.23:27
jlrmagnusBy RVI. That is our key case.23:27
jlrmagnusTalk with David about the unlock demo we did with P3 and Ericsson.23:28
jlrmagnusHowever, I gotta go.23:28
jlrmagnusL8r23:28
persiaTo me, the validation solution is S to provide a public key to the vehicle, and have it use that to validate SotA updates.  For driver authentication, hierarchies make more sense, but it requires a CA in the vehicle for clean transfer of ownership in an OEM-tranparent manner.23:28
persiaWhat is David's nic23:28
persiaK?23:28
persiaHave a good night.23:29
*** jlrmagnus has quit IRC23:32
myselfpersia: I think it's actually just dthiriez but I haven't seen him in here in a while.23:50
« Saturday, 2015-12-12 Index Monday, 2015-12-14 »

Generated by irclog2html.py 2.14.0 by Marius Gedminas - find it at mg.pov.lt!