[CONTINUED FROM P. 104]

us. In another sense it doesn’t work, because 99% of the email that’s transited is still spam, and that would only be true if people were actually clicking and buying.

So what makes spam possible?

The fascinating part about spam filters is that they are part of the solution and part of the problem. For drugs, 30% of revenue comes from people who actively go into their spam folders, find the Viagra spam, and click on it. So their spam folder is

What happens after someone clicks? Did the drugs you bought really show up? Were they what they claimed to be?

We analyzed a subset. We didn’t do a hardcore chemical assay, but we did put it under a mass spectrometer and look at the distribution of the underlying chemicals. And when you match up the spectral patterns of the counterfeit stuff and the reference stuff, there’s no difference.

So counterfeit drug producers are not interested in ripping off their customers.

Right. We were also privy to a variety of leaked email and text messages, and to a first approximation, these people do not think of themselves as criminals. Much of the counterfeit drug market is eastern European, where there’s a certain worldview that intellectual property protection is a tool of the bourgeois West, and that in fact they are shipping a quality product, lowering prices, and satisfying a need.

The people doing credit card theft think of themselves as criminals. They might justify it by saying that their victims have so much money. But a lot of these other scammers don’t take any heart in their status as outlaws. They think of themselves as

In the end, you discovered that 95% of pharmaceutical and software counterfeiters relied on a handful of banks, and you were able to work with Visa and MasterCard to shutter their accounts. What has happened since?

Everywhere these techniques have been applied, there’s been a serious impact to the ecosystems. It has also shifted substantially where the money goes. In software, drugs, and especially in counterfeit goods like Gucci handbags, it’s all moving to the Bank of China. And that remains a bit of an open question. China is in a special position vis-à-vis the financial world. It’s a little different when it’s some small Azerbaijani bank.

You have also done some work in the

This notion that your car is a Henry Ford-style thing that happens to have a computer in it turns out to be totally wrong. The mental model everyone should have is that the most complicated distributed system you use is the one you drive in, and it happens to have wheels on it.

Here, too, your work was informed by your attempts to understand the broader structure of the automotive

Far too often, when people do this kind of vulnerability research, there is a tendency to name and shame, and I’m not convinced that it does anyone any good. The most interesting part of our research was not the technical details—it wasn’t like there was a class of vulnerability that no one had ever heard of. What was eye-opening was trying to figure out why we found what we found.

Most of the vulnerabilities you discovered were at the interface between two pieces of code that were written by dif-

One of the things that surprised me the most is that no one has access to the source code for a car. The modern automotive industry has a very deep supply chain, and the OEMs are really just integrators. The suppliers own the IP, and they are not about to give the source code to the OEM. And that happens on down the chain: the suppliers have sub-suppliers, and there’s no one who can look through the final product. There is also no agency in the government that’s set up to audit the source code of automobiles.

The other thing I thought was fascinating is that there were bugs that were really egregious. They were the kinds of bugs you could not get away with if you worked at a company that sold PC software. You would not be allowed to use those functions because they were so known to be prone

But in a certain sense, automotive software is like PC software from the early 1990s, before the Internet took off. The thing that made PC software better is that people started attacking it. From a pure Darwinian sense, it had to get better, or we couldn’t use it anymore. Thus far, most embedded systems just haven’t had an adversary. Security costs money, which is really hard to justify when you don’t have an adversary out there forcing your hand.

Leah Hoffmann is a technology writer based in Piermont, NY.

© 2016 ACM 0001-0782/16/09 $15.00