Team 548 Einstein Statement

[quinxorin]

Quote:

Originally Posted by RobotsVsKittens

This is poorly written and a less than ideal admission of guilt.



Who is 'they'?

Presumably 548 was using "they" as a singular pronoun, to prevent revealing whether the individual was male or female.

[Jared Russell]

Quote:

Originally Posted by RobotsVsKittens

This is poorly written and a less than ideal admission of guilt.

I cannot disagree more. 548 did not have to release this statement at all - and I'm sure it was a difficult thing for them to write and distribute. But they chose to do it, because it was right, and that means it is time to put down the pitchforks and torches.

It takes balls to associate one's team or company with an incident like this. The team wrote and released this statement with the full knowledge that (fair or not) some people might look at them a little differently for a while (it's just human nature...and yes I am aware that a large portion of the FRC community already knew/thought they knew the team anyhow).

Hopefully now we can move forward.

[JesseK]

Without locking down the entire field environment (i.e. banning personal laptops for driver's stations), how could FIRST prevent this type of issue in the future? This is more of an industry-directed question rather than a FIRST-directed question.

[quinxorin]

Quote:

Originally Posted by JesseK

Without locking down the entire field environment (i.e. banning personal laptops for driver's stations), how could FIRST prevent this type of issue in the future? This is more of an industry-directed question rather than a FIRST-directed question.

There are many ways to prevent this issue. The Einstein Report details FIRST's plans on how to secure the field.
Furthermore, it took twenty one years for someone to do this. I expect it to take just as long before the next incident.

[steverk]

Quote:

Originally Posted by quinxorin

it took twenty one years for someone to do this. I expect it to take just as long before the next incident.

Let's hope there is never another incident.

[Andrew Schreiber]

I'm going to agree with two of the posts in here just to clarify some points based on experience at one of my jobs (I help teach cyber security and ethics is a huge part of it).

Quote:

Originally Posted by Libby K

Unfortunately, creating an interruption is not the way to 'make a point'. Sorry, I'm not giving anyone a pass on this one. You're supposed to listen to staff and volunteers, and this person didn't.

This is absolutely correct, when you are doing security audits and penetration tests there are very specific rules of how you do things. And executing an attack during a very visible time is NOT one of those ways to do things.

Quote:

Originally Posted by JVN

No. No. No.
There are any number of things which could have been done after Einstein to fix this issue. Don't fall into the trap of "he spoke up and was ignored so he had to make his point." There are plenty of ways to get "unignored" (later on) without knowingly sabotaging an event.

The existence of this vulnerability could have been made known, and fixed, after the fact. Suspecting that someone else is exploiting it, is not a valid reason for exploiting it yourself.

(please note, all genders are generic)

THIS is the correct process, the person raised the issue at the time. It was not addressed. He should have documented his findings and sent them to FIRST. After giving FIRST a period of time to respond or fix the issue (think 6 months) he could have published a paper documenting his findings. At the end he should have included his original communication with FIRST and any steps they took or responses.


As it stands the person went from doing the right thing to being an attacker when they tried to "demonstrate" the vulnerability.

[JesseK]

Quote:

Originally Posted by quinxorin

There are many ways to prevent this issue. The Einstein Report details FIRST's plans on how to secure the field.
Furthermore, it took twenty one years for someone to do this. I expect it to take just as long before the next incident.

Correction -- it took only 3 years for it to happen on the field. The new control system started in 2009. Taking the report results and looking back, I believe one of my former students happened upon something similar in 2009 when he was figuring out how to wrap data into packets for use on a driver's station custom Java display. (For the record, he didn't tell us he found it and he graduated in '09. While his software was brilliant our robot had fundamental mechanical flaws that year). The problem I foresee is FIRST losing trustworthiness in any team that breaks a small rule on the field (namely, no cell phones for the guys who are the pit crew).

From an IT/IA perspective, the plans FIRST described in the report are vague at best, yet it's probably best that way. If we openly crowd-sourced amongst our intelligent community engineers to figure out how the FRC system could be vulnerable, then the companies working on securing the field would be better-equipped to understand what 0-day issues need to be addressed.

@Alec:
I too dislike putting my 6 vacation days, 100's of hours, and several dollars of support at the mercy of GP in such a competitive program. Yet at this point we should contribute to the solution rather than further highlighting the problem.

[shawnz]

Quote:

Originally Posted by AlecMataloni

What knocked it down was BAD engineering. [...] We need FIRST to be rock-solid in order to make a lasting impact. In my opinion, we still have a long way to go.

These are awfully harsh words. Remember that hindsight is 20/20. There will never be a day where nothing will have been overlooked, or every potential mistake will have been guaranteed against. FIRST is a volunteer organization, after all; they're doing the best they can. Although I agree with the general premise that blame isn't going to get anybody anywhere here.

[BrendanB]

Kudos to 548 for coming out and releasing a statement. I still love your team!

Let's not rehash all of this again guys as we still don't know what happened. 548's report differs from FIRST's report but that doesn't tell us which one stands true at the end of the day. There were still other factors that played into this aside from the individuals action(s).

[Jon Stratis]

Quote:

Originally Posted by AlecMataloni

What knocked it down was BAD engineering. The loophole that allowed a smartphone, PC, or anything with a WiFi connection to intentionally or unintentionally disrupt a system that should have been rock solid, knocked it down. An organization that seeks legitimacy in the mainstream fell victim to a stupid mistake.

This is very much over critical of FIRST and the job they did with the FMS. Keep in mind, the bug was actually from a vendor-provided firmware update, not something FIRST developed on its own.

Companies fall victim to situations like this all the time. In FIRST's case, it results in a disrupted competition. For other companies, it results in stolen consumer credit card information, a hacked website that installs a virus or trojan on consumers computers, a defaced website in general, or any number of other "bad" things. No company is immune from outside attacks... why should FIRST be any different?

[Nick Lawrence]

Remember, FIRST did not cause this. It was a bug in the newer Field AP firmware that created this security hole.

-Nick

[bardd]

Thank you, 548, for stepping up. Even though it wasn't the team's fault, it was the right thing to do, I believe.
It takes real guts to do that. I don't know if I could have done the same.
You didn't lose any of the respect I had for you. If anything, I now appreciate you more for coming forward, and I believe there are many others who feel the same way.

As for this discussion... I think it is too early to discuss this. All that could've been said about the field system was said when the report came out.
The things that can be said about the apology will now be all mixed up with emotions (namely anger from what I've seen in some comments). I think this discussion should be paused, and re-started in a week or so, so that everyone has a chance to think, relax, and digest.

[Travis Hoffman]

Given this admission/apology, I do wonder how this may affect the status of 548's paid entry into the 2013 Championship.

[AlecMataloni]

Quote:

Originally Posted by shawnz

These are awfully harsh words. Remember that hindsight is 20/20. There will never be a day where nothing will have been overlooked, or every potential mistake will have been guaranteed against. FIRST is a volunteer organization, after all; they're doing the best they can. Although I agree with the general premise that blame isn't going to get anybody anywhere here.

I agree that I was a bit too harsh. FIRST has done great things with the cards they have been dealt. Unfortunately, there are limits to the reach of a volunteer organization, but when FIRST strives to be on the same level as sports organizations, they should expect the same scrutiny held to established "sports" by the general public.

[Gregor]

Quote:

Originally Posted by Travis Hoffman

Given this admission/apology, I do wonder how this may affect the status of 548's paid entry into the 2013 Championship.

Given that the mentor in question has been excluded from all future FIRST events, I would hope the paid admission to the 2013 Championship would continue to be extended to 548. This team was hurt just as much as the 11 other Einstein teams.