Well, firstly, his conclusions can be verified by peer review without him having to publish the codes required to bypass the security. And, in fact, all serious academic papers are peer reviewed before they get published anyway. So publishing the codes provides no academic function beyond what publishing a paper that says 'these are my conclusions, if you understand this stuff try it yourself and see' would. Publishing the codes is grand-standing for publicity. It serves no academic purpose.
As to the notion of freedom of speech, is his right to say what he likes trumped by the fact it will essentially save the criminals a bit of time, thus increasing the vulnerability of people's cars (because the crims will know how to break it sooner, so fewer people will have had their cars fixed by the time the exploit starts being used 'in the wild')? I'd equate it to the 'shouting fire in a theatre' argument. You have freedom of speech, but you have a duty of responsibility. The general requirement when researching security breaches (to encourage makers to get them fixed) has now been served. Everyone knows about the vulnerability and I suspect the makers are working to patch it and will face mounting criticism if they fail to do so. All this has happened without the codes themselves being published. Exactly what beneficial function will publishing the codes now serve? As far as I can see, the only people it will now help are the criminals. Surely events have shown publishing the codes wasn't necessary?
The units have been in use for years and this is the first evidence of vulnerability.
The criminals would have found the vulnerability at some point anyway. Publicising the fact it exists (thus precipitating a fix from the manufacturers) has brought it to people's attention efficiently, while still leaving the crims some work to do if they want to actually use it. If, as the story says, the cars at risk are high-end models, the population is actually quite small and they tend to use specialist insurers anyway. The effect any extra car theft due to this will have on mine or your insurance is considerably less than the stock market pressure for insurance companies to keep posting increased profits.
Essentially, I can't see how publishing the paper with the codes produces more benefits to car owners than publishing the paper without the codes. I think that's a moot argument. What we're left with is freedom of speech vs social responsibility, which is a blurry line at the best of times.