Cory Doctorow
Aug 15 · 37 tweets · 10 min read
On Saturday, I sat in a crowded ballroom at Caesar's Forum in Vegas and watched @sickcodes jailbreak a John Deere tractor's control unit live, before an audience of cheering @Defcon 30 attendees (and, possibly, a few undercover Deere execs, who often attend Sickcodes's talks). 1/
If you'd like an essay-formatted version of this thread to read or share, here's a link to it on pluralistic.net, my surveillance-free, ad-free, tracker-free blog:

pluralistic.net/2022/08/15/dee… 2/
The presentation was significant because Deere - along with Apple - is the vanguard of the war on repair, a company that has made wild and outlandish claims about the reason that farmers must pay the company hundreds of dollars every time they fix *their own tractors*. 3/
And then wait for *days* for an authorized technician to come to their farm and type an unlock code. 4/
Deere's claims have included the astounding statement that the farmers who spend hundreds of thousands of dollars on tractors *don't actually own those tractors*, because the software that animates them is only licensed, not sold:

memex.craphound.com/2017/04/22/joh… 5/
They've also claimed that locking farmers out of their tractors is for their own good, because otherwise hackers could take over those tractors and endanger the food supply. 6/
While it's true that the John Deere tractor monopoly means that defects in the company's products could affect farms all around the world, it's also true that John Deere is very, very bad at information security:

pluralistic.net/2021/04/23/rep… 7/
The company's insistence that they are guardians of farmers and the agricultural sector is a paper-thin cover for monopolistic practices and rent-seeking. 8/
Monopolizing the repair and reconfiguration of Deere products gives the company all kinds of little gifts - for example, they can refuse to fix the tractors of dissatisfied customers unless they agree to gag-orders:

pluralistic.net/2022/05/31/dea… 9/
And because so few of us understand information security, or monopoly, or agribusiness (let alone all three!) they can spin their dangerous, grossly unfair practices as features, not bugs. 10/
Remember when they trumpeted the fact that they'd remotely bricked some Ukrainian Deere products that had been looted by Russian soldiers?

doctorow.medium.com/about-those-ki… 11/
What they *didn't* say - and what almost no one pointed out - was that this meant that *anyone* who could hack John Deere's system could brick *any* tractor - including, say, the Russian military's hacking squads. 12/
They *also* didn't say that Ukrainian farmers had long chafed under Deere's corporate control, and had developed illegal third-party tractor firmware that farmers all over the world had covertly installed:

vice.com/en/article/xyk… 13/
And that means that the Russian looters who supposedly were foiled by Deere's corporate remote killswitches can re-activate their tractors, by using the Ukrainian software developed in response to the company's monopolistic practices. 14/
Which brings me back to Sickcodes and his awesome presentation at #Defcon30 this weekend. I watched from the front row, sitting next to the repair champion @kwiens, founder of @ifixit, who turned his notes into an excellent Twitter thread:

15/
As Kyle points out, Deere has repeatedly told state and federal lawmakers and regulators that farmers can't be trusted to repair or modify their own tractors. 16/
This is obviously nonsense: indeed, for decades, Deere product development consisted of sending engineers out to document the improvements farmers had made to their tractors so the company could copy them:

securityledger.com/2019/03/opinio… 17/
Writing for @Wired, @lilyhnewman provides tech details on the hack, including how Sickcodes acquired (and broke!) many 2630 and 4240 touchscreen controllers, eventually demounting the main chip and soldering it into a new board to probe the system:

wired.com/story/john-dee… 18/
He discovered that the system was designed to send an *extraordinary* amount of data to John Deere - his control unit tried to exfiltrate 1.5GB worth of data once he brought it online. 19/
He also discovered that as soon as he was able to conjure up a terminal, he had root access to the system.

This was great news for Sickcodes, but it raises serious questions about Deere's information security practices. 20/
As Kyle points out, this entire system ran on deprecated, unpatched, elderly GNU/Linux software and Windows CE, an operating system that was end-of-lifed in *2018*, and which was so bad that people forced to use it typically called it "Wince." 21/
Sickcodes discovered all kinds of security worst-practices in John Deere's security - even in the parts of its security that were intended to secure the company's profits from its own customers' best interests. 22/
For example, at one point Sickcodes put the control unit into maintenance mode by repeatedly rebooting it, so that it refused to allow him to do anything until he brought it to a dealer. 23/
He discovered that all it took to convince the computer that he was a dealer was to create an empty text file on its hard-drive whose filename was something like "IAmADealer.txt" (I didn't write down the exact filename, alas, but that's not far off!). 24/
Another revelation from Sickcodes: the company made extensive use of free/open source software but seems to be gravely out-of-compliance with the license terms (I'm told that organizations that do legal enforcement of free/open licenses are now aware of this). 25/
So to recap: Deere says it has to block farmers from having the final say over their own tractors because they could create security risks and also threaten Deere's copyrights. 26/
The company even claims that locking down tractors is necessary to prevent music infringement, as though a farmer would spend $600k on a tractor so they could streamrip Spotify tracks. 27/
But in reality, the company itself is a dumpster-fire of information security worst practices, whose unpatched, badly configured, out-of-date tractors are a bonanza of vulnerabilities and unforced errors. 28/
What's more, the company - which claims to be a staunch defender of copyright - uses its copyright locks to hide the fact that it is committing serious breaches of software copyright. 29/
In serious information security circles, it's widely understood that "there is no security in obscurity" - that is, hiding how a system works doesn't make it secure. 30/
Usually, this is understood to be grounded in the fact that if you hide your work, you might make mistakes that others would spot and point out to you:

doctorow.medium.com/como-is-infose… 31/
But there's another problem with security through obscurity: when you don't have to show your work to others, you can be sloppy. 32/
Whereas, if your work is open to inspection, your own aversion to being seen as slapdash will impose a rigor on your process, which will make the whole thing better:

doctorow.medium.com/the-memex-meth…

With Deere's security through obscurity, we see both pathologies on display. 33/
The company uses its opacity to commit sloppy security bugs, and also to cover up its violations of copyright law - and then, of course, it accuses its critics of being guilty of those two exact sins. Takes one to know one:

doctorow.medium.com/takes-one-to-k… 34/
Sickcodes closed out by saying that while his hack required a lot of fiddling with the hardware, he was already scheming to build a little tool that could access and jailbreak a tractor without ripping chips off a board or doing a lot of soldering. 35/
And then he played a custom, farm-themed version of Doom on his jailbroken tractor controller. 36/