[Plura-list] This weekend, I watched a hacker jailbreak a John Deere tractor live on stage

Mon Aug 15 11:38:27 EDT 2022

Read today's issue online at: https://pluralistic.net/2022/08/15/deere-in-headlights/

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

Tonight (Aug 15), I'll be joining the Building Bridges for America Book Club for the final installment of their discussion of my 2019 book "Radicalized":

https://www.mobilize.us/buildbridges4am/event/476946/

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

Today's links

* This weekend, I watched a hacker jailbreak a John Deere tractor live on stage: Total pwnage, with a a side of copyfraud.

* Hey look at this: Delights to delectate.

* This day in history: 2002, 2007, 2012, 2017, 2021

* Colophon: Recent publications, upcoming/recent appearances, current writing projects, current reading

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

👑 This weekend, I watched a hacker jailbreak a John Deere tractor live on stage

Last Saturday, I sat in a crowded ballroom at Caesar's Forum in Las Vegas and watched Sickcodes jailbreak a John Deere tractor's control unit live, before an audience of cheering Defcon 30 attendees (and, possibly, a few undercover Deere execs, who often attend Sickcodes's talks).

The presentation was significant because Deere - along with Apple - are the vanguard of the war on repair, a company that has made wild and outlandish claims about the reason that farmers must pay the company hundreds of dollars every time they fix *their own tractors*, and then wait for days for an authorized technician to come to their farm and type an unlock code.

Deere's claims have included the astounding statement that the farmers who spend hundreds of thousands of dollars on tractors *don't actually own those tractors*, because the software that animates them is only licensed, not sold:

https://memex.craphound.com/2017/04/22/john-deere-just-told-the-copyright-office-that-only-corporations-can-own-property-humans-can-only-license-it/

They've also claimed that locking farmers out of their tractors is for their own good, because otherwise hackers could take over those tractors and endanger the food supply. While it's true that the John Deere tractor monopoly means that defects in the company's products could affect farms all around the world, it's also true that John Deere is very, very bad at information security:

https://pluralistic.net/2021/04/23/reputation-laundry/#deere-john

The company's insistence that they are guardians of farmers and the agricultural sector is a paper-thin cover for monopolistic practices and rent-seeking. Monopolizing the repair and reconfiguration of Deere products gives the company all kinds of little gifts - for example, they can refuse to fix the tractors of dissatisfied customers unless they agree to gag-orders:

https://pluralistic.net/2022/05/31/dealers-choice/#be-a-shame-if-something-were-to-happen-to-it

And because so few of us understand information security, or monopoly, or agribusiness (let alone all three!) they can spin their dangerous, grossly unfair practices as features, not bugs. Remember when they trumpeted the fact that they'd remotely bricked some Ukrainian Deere products that had been looted by Russian soldiers?

https://doctorow.medium.com/about-those-kill-switched-ukrainian-tractors-bc93f471b9c8

What they *didn't* say - and what almost no one pointed out - was that this meant that *anyone* who could hack John Deere's system could brick *any* tractor - including, say, the Russian military's hacking squads. They *also* didn't say that Ukrainian farmers had long chafed under Deere's corporate control, and had developed illegal third-party tractor firmware that farmers all over the world had covertly installed:

https://www.vice.com/en/article/xykkkd/why-american-farmers-are-hacking-their-tractors-with-ukrainian-firmware

And that means that the Russian looters who supposedly were foiled by Deere's corporate remote killswitches can re-activate their tractors, by using the Ukrainian software developed in response to the company's monopolistic practices.

Which brings me back to Sickcodes and his awesome presentation at Defcon 30 this weekend. I watched from the front row, sitting next to the repair champion Kyle Wiens, founder of Ifixit, who turned his notes into an excellent Twitter thread:

https://twitter.com/kwiens/status/1558688970799648769

As Kyle points out, Deere has repeatedly told state and federal lawmakers and regulators that farmers can't be trusted to repair or modify their own tractors. This is obviously nonsense: indeed, for decades, Deere product development consisted of sending engineers out to document the improvements farmers had made to their tractors so the company could copy them:

https://securityledger.com/2019/03/opinion-my-grandfathers-john-deere-would-support-our-right-to-repair/

Writing for Wired, Lily Hay Newman provides some great technical details on the hack, including how Sickcodes acquired (and accidentally broke!) several 2630 and 4240 touchscreen control units, eventually demounting the main controller and soldering it into a new board that he used to probe the system:

https://www.wired.com/story/john-deere-tractor-jailbreak-defcon-2022/

He discovered that the system was designed to send an *extraordinary* amount of data to John Deere - his control unit tried to exfiltrate 1.5GB worth of data once he brought it online. He also discovered that as soon as he was able to conjure up a terminal, he had root access to the system.

This was great news for Sickcodes, but it raises serious questions about Deere's information security practices. As Kyle points out, this entire system ran on deprecated, unpatched, elderly GNU/Linux software and Windows CE, an operating system that was end-of-lifed in *2018*, and which was so bad that people forced to use it typically called it "Wince."

Sickcodes discovered all kinds of security worst-practices in John Deere's security - even in the parts of its security that were intended to secure the company's profits from its own customers' best interests. For example, at one point Sickcodes put the control unit into maintenance mode by repeatedly rebooting it, so that it refused to allow him to do anything until he brought it to a dealer. He discovered that all it took to convince the computer that he was a dealer was to create an empty text file on its hard-drive whose filename was something like "IAmADealer.txt" (I didn't write down the exact filename, alas, but that's not far off!).

Another revelation from Sickcodes: the company made extensive use of free/open source software but seems to be gravely out-of-compliance with the license terms (I'm told that organizations that do legal enforcement of free/open licenses are now aware of this).

So to recap: the company says it has to block farmers from having the final say over their own tractors because they could create security risks and also threaten Deere's copyrights (the company even claims that locking down tractors is necessary to preventing music infringement, as though a farmer would spend $600k on a tractor so they could streamrip Spotify tracks).

But in reality, the company itself is a dumpster-fire of information security worst practices, whose unpatched, badly configured, out-of-date tractors are a bonanza of vulnerabilities and unforced errors. What's more, the company - which claims to be staunch defenders of copyright - use their copyright locks to hide the fact that they are committing serious breaches of software copyright.

In serious information security circles, it's widely understood that "there is no security in obscurity" - that is, hiding how a system works doesn't make it secure. Usually, this is understood to be grounded in the fact that if you hide your work, you might make mistakes that others would spot and point out to you:

https://doctorow.medium.com/como-is-infosec-307f87004563

But there's another problem with security through obscurity: when you don't have to show your work to others, you can be sloppy. Whereas, if your work is open to inspection, your own aversion to being seen as slapdash will impose a rigor on your process, which will make the whole thing better:

https://doctorow.medium.com/the-memex-method-238c71f2fb46

With Deere's security through obscurity, we see both pathologies on display. The company uses its opacity to commit sloppy security bugs, and also to cover up its violations of copyright law - and then, of course, it accuses its critics of being guilty of those two exact sins. Takes one to know one:

https://doctorow.medium.com/takes-one-to-know-one-104d7d749408

Sickcodes closed out by saying that while his hack required a lot of fiddling with the hardware, he was already scheming to build a little tool that could access and jailbreak a tractor without ripping chips off a board or doing a lot of soldering.

And then he played a custom, farm-themed version of Doom on his jailbroken tractor controller.

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

👑 Hey look at this

* A Taxonomy of Access Control https://www.schneier.com/blog/archives/2022/08/a-taxonomy-of-access-control.html

* Hank Green Explains the Climate Bill https://www.youtube.com/watch?v=qw5zzrOpo2s

* Lock and unlock grocery store shopping carts with your phone speaker https://www.begaydocrime.com/carts

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

👑 This day in history

#20yrsago Hypercard is back, baby https://www.wired.com/2002/08/hypercard-forgotten-but-not-gone-2/

#20yrsago FBI on warchalking: the sky is falling, halp! https://seclists.org/interesting-people/2002/Aug/63

#15yrsago Karl Schroeder: Colonize the Earth https://web.archive.org/web/20071108231653/https://worldchanging.com/archives/007092.html

#15yrsago An anonymous Disney employee vandalized the Wikipedia entry on DRM by removing all mentions of me https://opendotdotdot.blogspot.com/2007/08/why-openness-matters-doubly.html

#15yrsago Catalog of Fox News Wikipedia whitewashes https://web.archive.org/web/20071013134521/https://www.geeksaresexy.net/2007/08/14/fox-news-changes-wikipedia-to-smear-rivals-olbermann-and-franken-comprehensive-list-of-changes

#15yrsago RIAA stiffs former defendant on legal fees https://recordingindustryvspeople.blogspot.com/2007/08/riaa-fails-to-pay-attorneys-fee-award.html

#15yrsago DRM as a Potemkin village https://www.theguardian.com/technology/2007/aug/14/comment.drm

#15yrsago BBC picketed over use of Microsoft DRM https://www.defectivebydesign.org/blog/iPlayerProtestReport

#15yrsago George Orwell on getting shot https://www.rjgeib.com/thoughts/soldiers/george-orwell-shot.html

#10yrsago Civil rights implications of Big Data http://radar.oreilly.com/2012/08/big-data-is-our-generations-civil-rights-issue-and-we-dont-know-it.html

#10yrsago Hachette to Tor authors: you must keep the DRM on your ebooks https://www.publishersweekly.com/pw/by-topic/columns-and-blogs/cory-doctorow/article/53544-doubling-down-on-drm.html

#10yrsago What to do if your car gets broken into and you’re the MPAA https://www.techdirt.com/2012/08/13/if-i-were-mpaa-how-i-would-deal-with-my-car-break-in/

#10yrsago Bain Capital buys profitable American plant, ships it to China; soon-to-be-jobless workers train their overseas replacements https://www.theguardian.com/business/2012/aug/10/illinois-workers-bain-outsourcing

#10yrsago Animation teacher faces the sack for refusing to push “unnecessary, expensive” textbooks at hedge-fund invested Art Institute of California https://web.archive.org/web/20120814232549/https://www.cartoonbrew.com/ideas-commentary/animation-teacher-faces-termination-for-refusing-to-sell-his-students-unnecessary-books.html

#10yrsago Kirby Ferguson’s TED Talk: “Embrace the Remix” – a must-see https://www.youtube.com/watch?v=L1s_PybOuY0

#10yrsago RIP, Harry Harrison https://whatever.scalzi.com/2012/08/15/rip-harry-harrison/

#10yrsago A Mary Blair Treasury of Golden Books https://memex.craphound.com/2012/08/15/a-mary-blair-treasury-of-golden-books/

#10yrsago Neo-Nazi MEP from Hungary discovers he is Jewish https://web.archive.org/web/20120815003037/https://www.nytimes.com/aponline/2012/08/14/world/europe/ap-eu-hungary-rightists-roots.html

#5yrsago CEOs quit Trump: The 1% can’t win elections unless the 99% turkeys vote for Christmas https://memex.craphound.com/2017/08/15/ceos-quit-trump-the-1-cant-win-elections-unless-the-99-turkeys-vote-for-christmas/

#5yrsago A new edition of Daniel Pinkwater’s happy mutant kids’ classic, “Lizard Music” https://memex.craphound.com/2017/08/15/a-new-edition-of-daniel-pinkwaters-happy-mutant-kids-classic-lizard-music/

#5yrsago In NYC, every tenant facing eviction is now entitled to a lawyer https://www.bloomberg.com/news/articles/2017-08-14/new-york-ensures-right-to-counsel-for-all-eviction-cases

#5yrsago School to parents: a $100 donation gets your kids to the front of the lunch line https://www.abcactionnews.com/news/region-polk/polk-schools-accused-of-cafeteria-classism-after-fundraising-letter

#5yrsago Russian inequality is worse than imagined; worse than other post-Soviet states http://www.piketty.pse.ens.fr/files/NPZ2017WIDworld.pdf

#5yrsago Republican lawmakers double-down on legalizing the vehicular murder of protesters https://theintercept.com/2017/08/14/backed-by-police-unions-legislators-standby-laws-to-protect-drivers-who-kill-protesters/

#5yrsago The secret text of the GOP’s border bill reveals plan to dramatically increase surveillance of Americans and visitors https://arstechnica.com/tech-policy/2017/08/gop-senators-border-wish-list-drones-dna-collection-voice-scans-and-more/

#5yrsago Donald Trump will not condemn the terrorist attacks on anti-Nazi protestors https://memex.craphound.com/2017/08/13/donald-trump-will-not-condemn-the-terrorist-attacks-on-anti-nazi-protestors/

#10yrsago Great writing advice from this year’s Clarion Science Fiction and Fantasy writing workshop https://samjmiller.com/clarion-2012-every-brilliant-piece-of-writing-advice/

#5yrsago Airbnb’s preferred smart lock vendor accidentally bricks 500 door-locks https://www.bleepingcomputer.com/news/hardware/botched-firmware-update-bricks-hundreds-of-smart-door-locks/

#5yrsago Real people don’t (just) need encryption https://phys.org/news/2017-08-end-to-end-encryption-isnt-real-people.html

#5yrsago So the Alt-Right is coming to your campus https://www.splcenter.org/sites/default/files/soc_alt-right_campus_guide_2017_web.pdf

#1yrago Provocateur copyrights a Magic: The Gathering Deck https://pluralistic.net/2021/08/14/angels-and-demons/#owning-culture

#1yrago End of the line for Reaganomics https://pluralistic.net/2021/08/13/post-bork-era/#manne-down

#1yrago Smart cities are neither, 2021 edition https://pluralistic.net/2021/08/13/post-bork-era/#our-streets

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

👑 Colophon

Currently writing:

* The Bezzle, a Martin Hench noir thriller novel about the prison-tech industry. Friday's progress: 503 words (32266 words total)

* The Internet Con: How to Seize the Means of Computation, a nonfiction book about interoperability for Verso. Yesterday's progress: 597 words (28575 words total)

* Picks and Shovels, a Martin Hench noir thriller about the heroic era of the PC. (92849 words total) - ON PAUSE

* A Little Brother short story about DIY insulin PLANNING

* Vigilant, Little Brother short story about remote invigilation. FIRST DRAFT COMPLETE, WAITING FOR EXPERT REVIEW

* Moral Hazard, a short story for MIT Tech Review's 12 Tomorrows. FIRST DRAFT COMPLETE, ACCEPTED FOR PUBLICATION

* Spill, a Little Brother short story about pipeline protests. FINAL DRAFT COMPLETE

* A post-GND utopian novel, "The Lost Cause."  FINISHED

* A cyberpunk noir thriller novel, "Red Team Blues."  FINISHED

Currently reading: Analogia by George Dyson.

Latest podcast: View a SKU: Let’s Make Amazon Into a Dumb Pipe https://craphound.com/news/2022/07/31/view-a-sku-lets-make-amazon-into-a-dumb-pipe/

Upcoming appearances:

* Talking "Radicalized" with the Building Bridges for America Book Club, Aug 15
https://www.mobilize.us/buildbridges4am/event/476946/

* Launch for Motherboard's Terraform anthology, Vice offices (Los Angeles), Aug 18
https://www.eventbrite.com/e/terraform-book-release-party-vice-ft-cory-doctorow-geoff-manaugh-tickets-399204109237

* Radical Interoperability: An Internet Disassembly Manual, Aug 29 15h (Burning Man Center Camp)

* Chokepoint Capitalism: a Better Deal for Creative Labor, Aug 30, 13h (Burning Man Palenque Norte, 915 and B)

* Interview with Bunnie Huang on the Precursor and Trusting Trust, Aug 31, 12h (Burning Man Liminal Labs, 945 and Rod's)

* Unfinished Live (NYC), Sept 21-24
https://live.unfinished.com/

Recent appearances:

* DRM Secretly Polices You (Daily Tech News Show)
https://dailytechnewsshow.com/2022/07/29/drm-secretly-polices-you-dtns-4327/

* Bricking Tractors (Inside Agri-Turf)
https://inside-agriturf.captivate.fm/episode/bricking-tractors-with-cory-doctorow

* Blockchain, Bitcoin & Selling The Brooklyn Bridge (MMT Podcast):
https://pileusmmt.libsyn.com/135-cory-doctorow-blockchain-bitcoin-selling-the-brooklyn-bridge

Latest book:

* "Attack Surface": The third Little Brother novel, a standalone technothriller for adults. The *Washington Post* called it "a political cyberthriller, vigorous, bold and savvy about the limits of revolution and resistance." Order signed, personalized copies from Dark Delicacies https://www.darkdel.com/store/p1840/Available_Now%3A_Attack_Surface.html

* "How to Destroy Surveillance Capitalism": an anti-monopoly pamphlet analyzing the true harms of surveillance capitalism and proposing a solution. https://onezero.medium.com/how-to-destroy-surveillance-capitalism-8135e6744d59 (print edition: https://bookshop.org/books/how-to-destroy-surveillance-capitalism/9781736205907) (signed copies: https://www.darkdel.com/store/p2024/Available_Now%3A__How_to_Destroy_Surveillance_Capitalism.html)

* "Little Brother/Homeland": A reissue omnibus edition with a new introduction by Edward Snowden: https://us.macmillan.com/books/9781250774583; personalized/signed copies here: https://www.darkdel.com/store/p1750/July%3A__Little_Brother_%26_Homeland.html

* "Poesy the Monster Slayer" a picture book about monsters, bedtime, gender, and kicking ass. Order here: https://us.macmillan.com/books/9781626723627. Get a personalized, signed copy here: https://www.darkdel.com/store/p2682/Corey_Doctorow%3A_Poesy_the_Monster_Slayer_HB.html#/.

Upcoming books:

* Chokepoint Capitalism: How to Beat Big Tech, Tame Big Content, and Get Artists Paid, with Rebecca Giblin, nonfiction/business/politics, Beacon Press, September 2022

* Red Team Blues: "A grabby, compulsive thriller that will leave you knowing more about how the world works than you did before." Tor Books, April 2023

This work licensed under a Creative Commons Attribution 4.0 license. That means you can use it any way you like, including commercially, provided that you attribute it to me, Cory Doctorow, and include a link to pluralistic.net.

https://creativecommons.org/licenses/by/4.0/

Quotations and images are not included in this license; they are included either under a limitation or exception to copyright, or on the basis of a separate license. Please exercise caution.

_,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,__,.-'~'-.,_

👑 How to get Pluralistic:

Blog (no ads, tracking, or data-collection):

Pluralistic.net

Newsletter (no ads, tracking, or data-collection):

https://pluralistic.net/plura-list

Mastodon (no ads, tracking, or data-collection):

https://mamot.fr/web/accounts/303320

Medium (no ads, paywalled):

https://doctorow.medium.com/

(Latest Medium column: "Takes One To Know One https://doctorow.medium.com/takes-one-to-know-one-104d7d749408)

Twitter (mass-scale, unrestricted, third-party surveillance and advertising):

https://twitter.com/doctorow

Tumblr (mass-scale, unrestricted, third-party surveillance and advertising):

https://mostlysignssomeportents.tumblr.com/tagged/pluralistic

"*When life gives you SARS, you make sarsaparilla*" -Joey "Accordion Guy" DeVilla