Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

How is unintended behavior not a bug?


If it is documented in the manual[0][1] is it a "bug?" I think the design is poor (bad default WiFi password, WiFi always on, inverting sensors with no sanity checks) but this is how it was designed to work, it is officially documented as doing so.

I guess it boils down to a definition of the term "bug." But I feel like a lot of the knee-jerk responses (and voting) didn't read the article carefully enough.

It is a core design weakness rather than a "bug" (implying an error) in an actual good design. I think the distinction is subtle but it is there.

[0] https://www.tesla.com/support/energy/powerwall/own/monitorin...

[1] http://azmag.gov/Portals/0/Documents/MagContent/Tesla_Powerw...


Not having any limits on that invert setting is definitely a security/safety bug.

The password is a level of incompetence beyond what you'd call a bug. It's clearly following a design decision that was imposed by someone with zero security experience.


A bug is when something is not working as intended. Tesla's intention was to quickly deliver without considering the security aspects of the product.

This is potentially dangerous as attacker can just drive around hacking power walls and schedule an attack on the grid.


> Tesla's intention was to quickly deliver without considering the security aspects of the product.

[Citation needed]

You're assigning intentionality where incompetence would suffice.


I would argue that "building, and leaving open" Wifi connectivity that is not even remotely obfuscated is proof in itself of "failure to consider security aspects".


Well, to be fair and comparing to not having a password at all - as they put those passwords in place they have somehow tried to protect it. Or make it look protected.

But I agree that it indicates that they haven't gave any consideration to it, and in 2019 that doesn't count as trying anymore. At least because we're talking about a well-established hardware and software vendor, not my grandma.


This is unintended behavior in the same way that a locksmith leaving a copy of a key under your doormat after installing a new lock is unintended behavior. They didn't intend to cause a security issue, but they also didn't care enough to make sure that what they were doing was safe.


Unauthorized access (in the legal sense) is definitely unintended, regardless of whether it's caused by weak design or code defect.

Posting 0-days on GitHub isn't responsible disclosure. The real test will be to see how fast it gets fixed and what the fixes end up being.


It's not clear that most of this is even "unintended behavior" rather than just abuse. It's like calling it a "hack" to fill water balloons with electrically conductive fluid and throw them at a substation. The people responsible for stopping you from doing that are the police, not the makers of water balloons.

The worst thing they did was the default password.


Complete negligence in security is hardly the kind of thing people think about as "bugs". The larger problem is that Tesla has put out software without any sensible considerations for security - that the result behaves badly can't really be called unintended behaviour, unless you are allowed to design software by pipe dream.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: