It looks like the library could remotely start the car. I wonder if they'd care if it couldn't.
I think that's actually not something that would be wise to hook up to an automation platform. A car running in the garage can kill, and 'a human chose to press this button' is an important interlock. After all, you have to swipe your way in to the official app, and to use a key fob you need to hold the button for several seconds.
'How dare Mazda permit this' is a real lawsuit that will happen. Automakers also got sued because pushbutton start is confusing and people would leave the car running after use. There is an active lawsuit right now about push-button gear selectors making it too hard to put the vehicle in park, allowing unexpected rollaways.
I have my car (Subaru) hooked to an automation with home assistant. Several, actually. I can start the car in winter by pushing a button in my kitchen, heat it up, and then walk there. But the most important one is that I can turn the car off remotely as well, based on timers and automations.
I generally don’t buy the ‘we should not allow this or that because it can be dangerous’. I’m a big boy. Driving is even more dangerous always. Let me choose. Please.
Here's a really fun one from yesterday's 'midwit' thread:
> I have somehow automated some lights to come on too early in the morning but the specific task/automation I set to do this is nowhere to be found.. I can create and remove new tasks but I'm being haunted by this old task.
Do you have an attached garage? How about if it gets turned on with the door closed at 4am after a daylight savings changeover gone horribly wrong. I enjoy my home assistant but I wouldn't let it control something that can gas me. I've seen way too much weird shit in my iot network to ever trust it with that.
You'll be pleased to know that pretty much no post 2005 car can gas you.
Old cars gassed people with carbon monoxide. Odorless and deadly.
Modern cars make basically none of that. Instead, you'll die of too much CO2.
Luckily, humans are pretty good at detecting gradually increasing levels of CO2 - it's what happens when 5 people are in a car together and someone says "it's getting stuffy in here, turn the vent on!".
Sudden CO2 increases can still kill. But gradual ones like a car gradually producing more and more CO2 likely wouldn't. Even in your sleep, you will wake up and find the air stuffy (it can happen when lots of cave people are all sleeping in a badly ventilated cave, so we evolved to handle it).
However, you shouldn't rely on the above for the safety of people - all it takes is someone to be drunk or taking sleeping pills, and they might not be able to act on their senses... Also, cars where the emissions system has been tampered with or faulty can still produce a lot of deadly carbon monoxide.
Man, I live in snow country and every year someone gets killed idling in the winter. Kids idling and hanging out or someone parked eating their lunch. It's true that CO emissions are way down since the mid-aughts rules went in, but it isn't 0 ppm.
The last go-around about the keyless ignitions was kicked off by a 2017 toyota. The story was from 2019
Potentially valid concerns, but not what copyright law was designed to address. Mazda can easily prohibit their own customers from doing this kind of thing in their terms of service if they want.
The DMCA notice is unclear here. It is odd that it calls out all implementations including both their copyrighted ios and android apps, as well as the client implementations in Javascript and Python.
Presumably neither their ios nor Android app used Python, so direct copyright infringement seems impossible.
It certainly seems likely that this DMCA notice was in bad faith.
This is really sad. I wonder if there is a "McKenzie" like consulting company for MBAs that would explain to them in terms they could understand why it is both more powerful and market affirming to have an open ecosystem which gives you "free" programmers who will add features without you paying them a salary and without having to lay them off once the feature has been implemented.
But Twitter and Reddit doesn't need them, so why would I? Sarcasm, of course. Third party devs are just as responsible for the aforementioned website's success as the first party devs
If you want people to use the official app (if there is/were one, I don't know), and use the app to upsell and market, or collect and sell additional user data, you're not interested in an open ecosystem.
Just remember: they don't just want money. They want all the money.
More importantly, their employees want money and will use whatever means necessary to justify their paycheck.
A Home Assistant integration means people "engage" less with their app and thus whoever is working on it is at risk of irrelevance. Doesn't matter whether this actually translates to more business and money coming in at the top, PM wants their "engagement" and this is an easy way to trade long-term customer goodwill for it.
On the other side of that coin though - Home Asssistant isn't exactly a mainstream app, it's almost exclusively run by tech geeks. The same type of people who are usually willing to mentally cross off brands when they make moves like this.
In the U.S. legal system, is it possible to create a corporation specifically to do something of uncertain legality, so as to limit the liability?
E.g., could we create a FuckYouMazda corporation, whose sole purpose was to develop this software. And if Mazda successfully sued for copyright damages, the financial liability is limited to the corporation's assets?
You could sincerely believe that murder was ok, but that's not going to change how the law would view you murdering someone.
The idea around "piercing the corporate veil" is that you can't just slap a company in front of your actions -- regardless of whether or not you believe your actions are justified or legal -- and avoid legal consequences.
Exactly how liable the shareholders are is going to vary a lot by state. Generally a plaintiff has to show the shareholders exercised excessive control over the corporation such that the corporation is essentially a sham.
However, a person is generally liable for his own torts regardless of corporation. The shareholders might not be liable vis-à-vis the corporation, but the actual programmers and managers doing the infringement could likely be sued individually the same as if they weren't working for a corporation.
> MNAO analyzed some of the code and determined that the code provides functionality same as what is currently in Apple App Store and Google Play App Store.
Is this really legal? Because in my mind, providing the same functionality does not violate copyright, since the actual intellectual material is new. And I don't think Mazda has a patent on the ability to control your vehicle over an API.
Most likely this would not stand up in court, given a proficient legal team. I imagine that the hobbyist developer had neither the money nor the inclination to mount a legal defence against a multi-billion dollar company though.
There were no charges filed in this case. The prosecutor correctly ascertained that the allegations were false and the whole thing was a waste of taxpayer money.
If they just provide the same functionality, no. Mazda should lose this under Google v. Oracle. However, reverse engineering is dangerous. They surely read the copyrighted decompiled code. The test is whether the expressive elements of bdr99's implementation are substantially similar.
> They surely read the copyrighted decompiled code
Do they? When it comes to reverse-engineering mobile app APIs, the usual strategy is to observe the network because it's so much easier than making sense of the disassembled binary.
Even if you can decompile, you'd generally use it as an aid to understand the network captures rather than using it as your primary source.
While if possible, it's the best course of action, the truth is these days additions like HSTS make it extremely difficult to MITM.
Additionally, MITM and trying things out on a toaster are one thing, doing the same on a 40k$ machine that can potentially make it impossible to do your commute is another.
This is IMO a prime example where the double team rev eng is key to success: one documents the API, the other uses it without having access to code (whiteroom)
HSTS interferes with MITM when the mobile device in question doesn't allow you to install new certificate authorities (as is slowly becoming the case).
This might be the case, but how could Mazda even prove this? Unless they communicate in some weird proprietary binary protocol I could imagine that the API (especially if it's just some JSON/XML REST stuff) can be reverse engineered by MitM traffic analysis.
As I understand it, car manufacturers prevent independent repair shops from lawfully obtaining some of the diagnostics information in the onboard computer by encrypting it with a key that sits on the very same drive. Said encryption is the "technological measure that effectively controls access" and using the key to decrypt it is "circumvention" -- naturally, of the "effective" access control.
(https://www.law.cornell.edu/definitions/uscode.php?def_id=17... to “circumvent a technological measure” means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner)
Mazda might be interpreting the SSL certificate as a similar measure and therefore use of the certificate to decrypt traffic as a similar violation.
From the posted notice[1], they answered "No" to the question "Do you claim to have any technological measures in place to control access to your copyrighted content? Please see our Complaints about Anti-Circumvention Technology if you are unsure." Is that the same thing you are referencing?
They could argue that by viewing the copyrighted code/implementation, you could effectively infringe by (even subconsciously) writing the same/similar code.
There's merits to this claim if you're indeed implementing some advanced, niche algorithm but it definitely wouldn't apply here as all he's doing is calling HTTP APIs, a very generic and common thing to do.
You may have come across this concept already, but this is where clean rooms come in.
One person views the "contaminated" decompiled code and writes a specification. A separate person writes the code based solely on the specification. This is an accepted method of demonstrating that there is no infringement.
That kind of depends on the language, but it's a fair point. I think it might only matter that the general algorithm/solution is the same, not the lines of text themselves.
Wrote a letter to my local Mazda place about this. I've had nothing but good experiences with the several Mazda vehicles I've owned (still daily-drive the rotary-engine RX8...). Seeing them engage in what appears to be dmca bullying of a project like Home Assistant feels like a betrayal.
A daily driver RX-8 that stills drives? How? What's your mileage and oil consumption like.
As quirky as the RX-8 was, I liked the car but not the engine.
Many days late on this reply but I am at 120K miles (2008 model). The engine compression is noticeably low now. Before warming up and at low RPM the car really struggles to make it up the hill out of my neighborhood. I've had 3 flooding events that were only fixed by rolling the car down that same hill 3-4 times. I have to slip the clutch a concerning amount when getting into first from a stop.
A new engine at the dealership price of $7K is still going to be cheaper than an equivalently sporty new car though!
That is truly frustrating as a customer. You know that person that built the code is putting that Mazda up for sale right now if not setting it on fire as I'd likely do.
These fools really don't like someone building a better mousetrap, particularly when they see it as an exploit of their systems to do so, as they can't track/monetize/charge, etc the usage without the app component. That's really what Mazda is angry about.
As a result of things like these, I'll end up keeping my old non-connected cars as long as possible, environment be damned.
Keeping an old car that has already been produced running is almost always the most environmentally friendly choice instead of throwing it away and producing a new car. The only reason to upgrade should be the changes in safety technology.
Dammit. I just bought a Mazda and I have Connected Services. The app sucks. Also I was about to spend this weekend trying to figure out how to get it hooked into HomeKit so I could turn on climate controls while getting kids ready in the morning. I’ve used Home Assistant in the past, sad to see it removed.
I guess I’ll just reverse engineer it myself. Good to know it is possible since I can replace the app.
When I wrote a HA plugin for my heating system (which involved “reverse engineering” the JS on the front end login interface to break the extremely naive checksum generation that validates requests) I sent an email to that company asking for permission to share it.
They firmly asked me not to do so and kindly asked me to stop using my plugin.
I complied with the first request. For the second, not so much.
Anyway, the moral of the story is that the DMCA was written to GitHub. Your own local clone is no one’s business.
Why? It's also none of their business if you share code to frontend the system they sell to others.
I understand if we're talking zero days and you have reasonable faith the company will attempt to fix, but I presume here we're talking more accessible heating control?
81 comments
[ 0.24 ms ] story [ 161 ms ] threadI think that's actually not something that would be wise to hook up to an automation platform. A car running in the garage can kill, and 'a human chose to press this button' is an important interlock. After all, you have to swipe your way in to the official app, and to use a key fob you need to hold the button for several seconds.
'How dare Mazda permit this' is a real lawsuit that will happen. Automakers also got sued because pushbutton start is confusing and people would leave the car running after use. There is an active lawsuit right now about push-button gear selectors making it too hard to put the vehicle in park, allowing unexpected rollaways.
> I have somehow automated some lights to come on too early in the morning but the specific task/automation I set to do this is nowhere to be found.. I can create and remove new tasks but I'm being haunted by this old task.
Do you have an attached garage? How about if it gets turned on with the door closed at 4am after a daylight savings changeover gone horribly wrong. I enjoy my home assistant but I wouldn't let it control something that can gas me. I've seen way too much weird shit in my iot network to ever trust it with that.
https://news.ycombinator.com/item?id=37859813
Old cars gassed people with carbon monoxide. Odorless and deadly.
Modern cars make basically none of that. Instead, you'll die of too much CO2.
Luckily, humans are pretty good at detecting gradually increasing levels of CO2 - it's what happens when 5 people are in a car together and someone says "it's getting stuffy in here, turn the vent on!".
Sudden CO2 increases can still kill. But gradual ones like a car gradually producing more and more CO2 likely wouldn't. Even in your sleep, you will wake up and find the air stuffy (it can happen when lots of cave people are all sleeping in a badly ventilated cave, so we evolved to handle it).
However, you shouldn't rely on the above for the safety of people - all it takes is someone to be drunk or taking sleeping pills, and they might not be able to act on their senses... Also, cars where the emissions system has been tampered with or faulty can still produce a lot of deadly carbon monoxide.
The last go-around about the keyless ignitions was kicked off by a 2017 toyota. The story was from 2019
https://www.nytimes.com/2019/06/28/business/keyless-carbon-m...
Presumably neither their ios nor Android app used Python, so direct copyright infringement seems impossible.
It certainly seems likely that this DMCA notice was in bad faith.
At best you might get an amicus brief if there's a lawsuit and the lawsuit is high-profile enough for them to be interested.
Just remember: they don't just want money. They want all the money.
A Home Assistant integration means people "engage" less with their app and thus whoever is working on it is at risk of irrelevance. Doesn't matter whether this actually translates to more business and money coming in at the top, PM wants their "engagement" and this is an easy way to trade long-term customer goodwill for it.
It's a wash.
https://en.wikipedia.org/wiki/Eric_von_Hippel
E.g., could we create a FuckYouMazda corporation, whose sole purpose was to develop this software. And if Mazda successfully sued for copyright damages, the financial liability is limited to the corporation's assets?
Knowing, deliberate actions of criminality are sufficient to piece the corporate veil.
I.e., the alleged violations are civil rather than criminal, and a reasonable person might believe Mazda's DMCA claims are unjustifiable.
You could sincerely believe that murder was ok, but that's not going to change how the law would view you murdering someone.
The idea around "piercing the corporate veil" is that you can't just slap a company in front of your actions -- regardless of whether or not you believe your actions are justified or legal -- and avoid legal consequences.
However, a person is generally liable for his own torts regardless of corporation. The shareholders might not be liable vis-à-vis the corporation, but the actual programmers and managers doing the infringement could likely be sued individually the same as if they weren't working for a corporation.
> MNAO analyzed some of the code and determined that the code provides functionality same as what is currently in Apple App Store and Google Play App Store.
Is this really legal? Because in my mind, providing the same functionality does not violate copyright, since the actual intellectual material is new. And I don't think Mazda has a patent on the ability to control your vehicle over an API.
https://www.theregister.com/2022/02/15/missouri_html_hacking...
Never know when they decide otherwise. "Hacking/cyber crime" is very wide and open term.
And how relatively easy lawfare can be brought against someone, especially if the person bringing it has infinite money and/or nothing to lose.
Do they? When it comes to reverse-engineering mobile app APIs, the usual strategy is to observe the network because it's so much easier than making sense of the disassembled binary.
Even if you can decompile, you'd generally use it as an aid to understand the network captures rather than using it as your primary source.
Additionally, MITM and trying things out on a toaster are one thing, doing the same on a 40k$ machine that can potentially make it impossible to do your commute is another.
This is IMO a prime example where the double team rev eng is key to success: one documents the API, the other uses it without having access to code (whiteroom)
> (A) No person shall circumvent a technological measure that effectively controls access to a work protected under this title.
https://www.law.cornell.edu/uscode/text/17/1201
As I understand it, car manufacturers prevent independent repair shops from lawfully obtaining some of the diagnostics information in the onboard computer by encrypting it with a key that sits on the very same drive. Said encryption is the "technological measure that effectively controls access" and using the key to decrypt it is "circumvention" -- naturally, of the "effective" access control.
(https://www.law.cornell.edu/definitions/uscode.php?def_id=17... to “circumvent a technological measure” means to descramble a scrambled work, to decrypt an encrypted work, or otherwise to avoid, bypass, remove, deactivate, or impair a technological measure, without the authority of the copyright owner)
Mazda might be interpreting the SSL certificate as a similar measure and therefore use of the certificate to decrypt traffic as a similar violation.
[1] https://github.com/github/dmca/blob/master/2023/10/2023-10-1...
There's merits to this claim if you're indeed implementing some advanced, niche algorithm but it definitely wouldn't apply here as all he's doing is calling HTTP APIs, a very generic and common thing to do.
One person views the "contaminated" decompiled code and writes a specification. A separate person writes the code based solely on the specification. This is an accepted method of demonstrating that there is no infringement.
Note that the complaint appears to have been filed on behalf of Mazda North American Operations.
For me it's sad how such an interesting engine had so many problems.
A new engine at the dealership price of $7K is still going to be cheaper than an equivalently sporty new car though!
These fools really don't like someone building a better mousetrap, particularly when they see it as an exploit of their systems to do so, as they can't track/monetize/charge, etc the usage without the app component. That's really what Mazda is angry about.
As a result of things like these, I'll end up keeping my old non-connected cars as long as possible, environment be damned.
The best reason to buy new is that your mission has changed and the available used vehicles don’t provide a cost effective resource.
https://www.tesla.com/developer-docs
https://electrek.co/2023/10/12/tesla-releases-official-api-d...
I guess I’ll just reverse engineer it myself. Good to know it is possible since I can replace the app.
https://webpage.mazdausa.com/MazdaStatic/contactus.action
They firmly asked me not to do so and kindly asked me to stop using my plugin.
I complied with the first request. For the second, not so much.
Anyway, the moral of the story is that the DMCA was written to GitHub. Your own local clone is no one’s business.
I understand if we're talking zero days and you have reasonable faith the company will attempt to fix, but I presume here we're talking more accessible heating control?
https://files.pythonhosted.org/packages/c8/98/6da75ea926e4b3...
Code not being hosted on Github != it being unavailable
Could that company join Y Combinator?
I do not care about donating to a legal defense fund. I do want to give to a legal OFFENSE fund.
Nukers need to go to loose everything and die broken and penniless.