Skip to content

Jeep Software Patching: You and UConnect

Lately I have heard people complaining about their friends and family who can not or will not patch the Jeep software.

I suspect the more people that look at the process for patching Jeeps the more the process will improve and increase the likelihood of patching. So here are a few quick steps that might be helpful.

First, you need a Vehicle Identification Number (VIN). You can ask your friends or family for their VIN. You can walk into a parking lot, especially a Jeep dealer’s, and look at the VIN. Or you can search craigslist for a VIN. I used the SF bay area site but you can search anywhere using a simple URL modification:

Mine brought up a good candidate to check almost immediately, and you can see the VIN (1C4RJFJT9EC145897) right at the top:

Second, copy the VIN number and enter it into the Uconnect Software Update page. If the vehicle with the VIN you found needs an update, you will see the success window:

Speaking of vulnerabilities and missing patches, you probably will have to use IE. Chrome errors out and UConnect is up front about the fact it does not support Firefox after version 37 (current Firefox is 39).

You also should note that attempting to use HTTPS reveals UConnect has an horribly insecure setup — a mis-configured service far behind on critical fixes.

I believe I was the first person to point the UConnect flaws out but again this whole process really should be something many people are assessing on a frequent basis. POODLE vulnerability shouldn’t have to be “discovered” by me months after it was announced.

Anyone else find a big red F for car manufacturer site safety less than confidence inspiring? I really should insert a graphic here of a crash-test-dummy flying out the window…

Third, now comes the tricky part because of the browser support issues I mentioned earlier. UConnect tries to force you into using a convoluted and slow graphical process to reach the update file.

UConnect seems to want to make some sort of case to install Akamai software before you can download the patch. Someone must have thought that is a good way to deal with a rush by 1 million owners suddenly trying to grab a 380MB file. In reality that is nothing compared to the number of people downloading larger files (e.g. movies) all the time through caching services invisible and compatible with any browser.

The Akamai client really doesn’t make any sense and just slows down the process so I avoided it by downloading from Microsoft a virtual machine running IE (e.g. Windows7 with IE 10 is a 3.5GB VM) and clicking through the UConnect “Tutorial” pages quickly until I was able to get to the end. That is where a direct download link finally appeared.

When I tried first with Chrome I was greeted with this warning:

IMPORTANT: The Akamai NetSession Interface is not compatible with your current browser. You can download software updates by clicking the direct download link for each available update.

And then, instead of any direct download link at the end of a bunch of clicks, Chrome fails with this warning:

An unexpected error has occurred. Please try refreshing your browser and entering your VIN again. If the issue persists, please contact UConnect customer care center at 1-877-855-8400, and press # to reach a customer support technical specialist. Canadian residents , call 1-800-465-2001 (English) or 1-800-387-9983 (French).

It probably would save a lot of time if UConnect just said at the start IE is the only supported browser; because really the UConnect site is designed only to work with old insecure versions of IE.

I was basically wasting time trying to get safer and newer browsers to work with the interface. Chrome stalls out at the end and Firefox doesn’t even get off the ground. If you try wget…LOL

Anyway, back to trying to actually get a patch, IE reveals a fancy button graphic as well as an actual link to an actual file.

Fourth, after all that wasted time trying to get through the UConnect web interface quagmire, I finally clicked on a link. Notice at the bottom left of the page a tiny URL reveals a token has been generated:

This URL can be copied from IE into Firefox or Chrome and the download works fine. And the token seems to expire so you can’t use the same one I generated. I would have to post the file for you to download from a file sharing site instead of just giving you the authoritative source.

It all really begs the question of why there is so much fluff, obfuscation, client software and tutorials instead of a simple download link via an invisible caching service compatible with everything.

Fifth, once the 390MB “MY13_MY14_RA3_15_26_1.exe” file is downloaded you may notice it is just a 7zip self-extracting archive. So use 7zip to unpack the archive and you have a 580MB “swdl.iso” file. Simply use 7zip again to extract the iso. This results in a manifest file from June 23, 2015 and four folders:

  • bin
  • etc
  • lib
  • usr

At this point you’re in the position to post the ISO to a file sharing site and invite people on a Jeep owners forum to install it from your source. Apparently that is already happening, which is easy to understand given how painful it is for owners to go through the above process.

Or you can read the files and learn more about how to help your friends and family stay safe.

For example, use a text editor to open the manifest file and scroll to the bottom. Here you should see options that indicate you can set the patch to autoupdate (no human intervention):

reset = “bolo”, — what type of reset is required
autoupdate = false, — automatically invoke the update (no HMI needed)

As another example, navigate to the usr/share/SKINS/ directory and you can find the “swf” (flash) themes available:

Abarth, AlfaRomeo, Chrysler, Dodge, Ferrari, Fiat, Jeep, Lancia, Maserati, Ram, SRT, Viper

Or move deeper into usr/share/SKINS/fontSwfs and read the file called “EVALUATION USE LICENSE AGREEMENT.doc”

1. You may install and use the bitmap fonts contained within the Evaluation Font (“Fonts”) internally for the sole purpose of evaluating the functionality of MONOTYPE products.
2. You may not rent, lease, distribute or sublicense the Fonts without first obtaining a written license from Monotype Corporation.

We have to assume a written license was obtained, while leaving the evaluation license anyway. Maybe Monotype requires the eval license to ship with the fonts? Still I feel like I have opened the hood of a car and found foam packing material that was meant to be removed.

Have a look into /usr/share where you will find “” with some interesting commands and comments

# File must be less than 2K bytes for security reasons!

What happens if the file grows larger?

I found a few network scripts yet none that offered firewall or service port options. “STATIC_IP=″ shows up in a template while “STATIC_IP=″ is in a shell script.

And I found a spelling error. This is Line 13 of

echo “mouting desktop…..”

A peek into /usr/share/scripts/update/installer will bring you to a compiled “system_module_check.lua” file that the car trusts to help prevent the wrong update being used.

It’s trivial to decompile lua and look closer. Grab the latest unluac.jar file and run it against the file you want to read. For example:

java -jar unluac_2015_06_13.jar system_module_check.lua > decompiled.lua

With this you can read the error levels and checks in the new decompiled.lua file

L8_9 = “Model Year Not set in ISO”

Also have a look into /usr/share/MMC_IFS_EXTENSION/bin because this is where you find more scripts and binaries of interest. Here is the check_temperature.lua:

require "service"

resp,err = service.invoke("com.harman.service.OmapTempService", "getOmapTemperature", {} )

if (err == nil) and (resp.omapTemp ~= nil) then
-- print("Temperature is ", resp.omapTemp)

if(resp.omapTemp > -20) then
os.exit(0) — temperature is acceptable
os.exit(-1) — temperature is NOT acceptable

Temperature “NOT acceptable” level seems like something that should not be easily modified. The obvious question I have with these files:

Is Chrysler ok with people editing/improving the files and delivering their own patch to the Jeep community (as already may be happening), to encourage after-market service and support options? Could we reasonably expect independent auto mechanics to also fix code?

In conclusion I found the process of getting a patch unnecessarily complicated. A download link should not be so obscure to find and incompatible with the latest/safest browsers. Also I found the patch strangely lacking integrity protections. And so you may want to consider the details of this patching process and have a closer look in order to help friends and family update their software and stay safe.

Updated to Note: Good news! Earlier one of my big questions, as I had wondered aloud, was whether an algorithmic method was used to verify the ISO file. I found the answer is yes, by looking in /usr/share/scripts/update/isochk.lua

openssl rsautl -verify -inkey /etc/keys/ -in /tmp/a -pubin -out /tmp/b
hashFile sha256 /fs/usb0/swdl.iso /tmp/c

Posted in Security.

The <69 words you’re no longer allowed to use in Infosec

Per Dan Kaminsky’s suggestion in a twitter thread about GM, as well as the famous George Carlin “Seven Dirty Words” skit, I humbly present for your consideration (and collaboration):

The <69 words you’re no longer allowed to use in Infosec

risk, SDLC, ROI, metrics, data, heartbleed, poodle, goto, 0day, faulty, cracked, cruftsmanship, deathcode, rooted, rootkit, pwn, bot, backdoor, fireworksmode, DIAF, borked, FUBAR, imminent, kludge, overflow, overrun, deadwhale, telnet, vapor, jelly, dirty, reality, segfault, spaghetti, stale, worm, zombie, trojan…

Posted in Security.

Airbnb Privacy Policy Changes

This is something of a buyer beware post. Skip below to the next section if you just want to read the Privacy Policy edits.

To be clear I am a huge fan of refactoring and breaking down systems. I obviously a proponent because it is what I do for a living. Dismantling systems of bias or ineffective control is desirable not least of all because justice.

When looking into Airbnb I would love to find that thread of social justice. Instead I find a troubling lack of transparency coupled with an ostentatious, even oligarchical, attitude. Airbnb has been grabbing headlines as venture vultures circle and smell profit. On the ground I hear and read about an unapologetic startup, blithely rejecting social protections to foment revolution.

Straight to the point, progress is what we all are after. Progress should not have to be with the wrong partner, where values fall out of line with our own. Reform runs the risk of being get-rich quick scheme, built by and for the reformers, because that alone motivates some for reform. For others we have to ask why aspire only for self-enrichment, especially where clearly there is harm to others?

It is a complicated topic of ethics, for sure, which needs investigation. That is why I say Airbnb begs the question of whether we can celebrate a software company in the hospitality industry for having a clue about the value of security and privacy.

Sometimes people tell me Airbnb has no property or rooms that they “own” in the same way that Uber has no drivers and no cars. However Uber fires drivers and takes back cars on lease. Take a moment to think about this dissonance.

Uber can fire drivers it doesn’t hire and take back cars it doesn’t own; so with all the power and none of the risk how exactly does Uber get hailed (no pun intended) as driverless and carless?

Can Airbnb achieve the same dissonance? This is where we must seek answers to ownership carefully; do security and privacy of owning a property have to be lost to achieve the progress that benefits the funders of Airbnb?

Perhaps it helps to look at the example of radio, a decades old sharing economy of music. Record companies through radio built a platform for sharing that kept musicians at arms length. Early on there are abundant sad examples of those musicians being abused by platform managers. Perhaps historic lessons here are to be minded?

For Airbnb let us say you believe you have protection against unlawful searches of “your” property. You then allow Airbnb monitoring of “your” property and allow your private information to be stored and shared at their sole discretion. Is it still your property when you grant anonymous others control over its fate?

I am working through these sorts of Airbnb risk scenarios from three levels of analysis.

First, I used Airbnb twice (or more) and had totally surprisingly horrible experiences (e.g. six people head-to-feet crammed onto cots in a small low-income room, with apparently no money going to the organizations subsidizing the room); versus being a non-Airbnb guest around the world for decades.

Second I have talked with neighbors about their hosting habits and problems they have faced; versus my non-Airbnb hosting for decades.

Third and finally I started to hear from tech industry peers about serious risks in Airbnb information security; whether it is wise to allow data into an environment that is anti-consumer protection, let alone one designed to be mined for the benefit of ad agencies:

Some Australian customers using Airbnb are worried about their privacy being breached, with the company confirming it shares people’s personal information for “marketing purposes”.

In order to test whether fears are well founded, and to challenge my conclusions, I have taken a deeper dive. I searched for evidence of things going right at Airbnb, signs of customer security and privacy.

Airbnb recently released two sections of policy, one after the other, to notify customers of major changes.

The effective date of the new privacy policy is August 06; expiration of the old is September 06. They say they will delete the old policy in September and in the meantime leave both on their site.

Although having both is great to compare, the format they chose does not instill any confidence that they want you to see what exactly changed. It is not what I would consider reasonable disclosure, although it is better than no comparison at all. A software company claiming to be a leader easily could offer a markup option/view.

I have created below the diff that I would like to have seen Airbnb publish, hopefully making it clear how much has changed.

Hint: section 12 gives “sole discretion” to Airbnb to decide whether your property data can be considered exclusively theirs to disclose to law enforcement.

We will use commercially reasonable efforts to notify users about law enforcement requests for their data unless we, in our sole discretion, believe harm or fraud could be directed to Airbnb, its Members, the Platform, or Services.

And what methods are used to prevent abuse of sole discretion over your property data? How should a property data ownership model work with a company seen as having no ownership while retaining sole discretion over your property?

Going back to my earlier radio example, for reference, here are the latest privacy terms provided by Pandora:

…we may share your information, including personally identifiable information, in order to (i) protect or defend the legal rights or property of Pandora, or the legal rights of our business partners, employees, agents, and contractors (including enforcement of our agreements); (ii) protect the safety and security of Pandora users or members of the public including acting in urgent circumstances; (iii) protect against fraud or to conduct risk management; or (iv) comply with the law, legal process, or legal requests. Additionally, we may share your data, including any personally identifiable information, with our successor in interest in the event of a corporate reorganization, merger, or sale of all or substantially all of our assets.

Have a look yourself at the Airbnb privacy terms update, as here are the old and new policies merged into a clear diff:

Additions are in bold
Deletions are in strike

Last Updated: April 7, 2014July 6, 2015


Airbnb (hereinafter referred to as “Airbnb”, “we”, “us” or “our”) operates a platform and community marketplace that helps people form lasting offline experiences and relationships directly with one another, where they can create, list, discover and book unique accommodations around the world, whether through our website or our mobile applications (“Platform”). Airbnb refers to Airbnb Inc. if you reside in the USA, and to Airbnb Ireland if you reside outside of the USA.

This Privacy Policy is intended to inform you about how we treat Personal Information that we process about you. If you do not agree to any part of this Privacy Policy, then we cannot provide the Platform or Services to you, and you should stop accessing the Platform and deactivate your Airbnb account. You can find out more about how to deactivate your Airbnb account at


Where the definition of a term does not appear in this Privacy Policy (such as “Listing”, “Accommodation”, “Content,” “Services” etc.), it shall be given its definition as outlined in our Terms of Service (

“Aggregated informationInformation” means information about all of our users or specific groups or categories of users that we combine together and which does not include the users’ Personal Informationso that it no longer identifies or references an individual user.

“Data Controller” means Airbnb, the company responsible for the use of and processing of Personal Information.

“Personal Information” means information relating to a living individual who is or can be identified either from that information or from that information in conjunction with other information that is in, or is likely to come into, the possession of the Data Controller.


1. Information that you give us

We receive, store and process information that you make available to us when accessing or using our Platform. and Services. Examples include when you:

  1. fill in any form on the Platform, such as when you register or update the details of your user account;, or when you supply ID verification information;
  2. access or use the Platform, such as to search for or post Accommodations, make or accept bookings, pay for Accommodations, book or pay for any associated services that may be available (such as but not limited to cleaning), post comments or reviews, or communicate with other users;
  3. link your account on a third party site (e.g. Facebook) to your Airbnb account, in which case we will obtain the Personal Information that you have provided to the third party site, to the extent allowed by your settings with the third party site and authorized by you; and
  4. communicate with Airbnb.

2. Mobile Data

When you use certain features of the Platform, in particular our mobile applications we may receive, store and process different types of information about your location, including general information (e.g., IP address, zip code) and more specific information (e.g., GPS-based functionality on mobile devices used to access the Platform or specific features of the platform). If you access the Platform through a mobile device and you do not want your device to provide us with location-tracking information, you can disable the GPS or other location-tracking functions on your device, provided your device allows you to do this. See your device manufacturer’s instructions for further details.

3. Log Data

We may also receive, store and process Log Data, which is information that is automatically recorded by our servers whenever you access or use the Platform, regardless of whether you are registered with Airbnb or logged in to your Airbnb account, such as your IP Address, the date and time you access or use the Platform, the hardware and software you are using, referring and exit pages and URLs, the number of clicks, pages viewed and the order of those pages, and the amount of time spent on particular pages.

4. Cookies, and other Tracking Technologies

Airbnb uses cookies and other similar technologies, such as mobile application identifiers, on the Platform. We may also allow our business partners to use their cookies and other tracking technologies on the Platform. As a result, when you access or use the Platform, you will provide or make available certain information to us and to our business partners.
While you may disable the usage of cookies through your browser settings, we do not change our practices in response to a “Do Not Track” signal in the HTTP header from your browser or mobile application. We track your activities if you click on advertisements for Airbnb services on third party platforms such as search engines and social networks, and may use analytics to track what you do in response to those advertisements.

We may, either directly or through third party companies and individuals we engage to provide services to us, also continue to track your behavior on our own Platform for purposes of our own customer support, analytics, research, product development, fraud prevention, risk assessment, regulatory compliance, investigation, as well as to enable you to use and access the Platform and pay for your activities on the Platform. We may also, either directly or through third party companies and individuals we engage to provide services to us, track your behavior on our own Platform to market and advertise our services to you on the Platform and third party websites. Third parties that use cookies and other tracking technologies to deliver targeted advertisements on our Platform and/or third party websites may offer you a way to prevent such targeted advertisements by opting-out at the websites of industry groups such as the Network Advertising Initiative ( and/or the Digital Advertising Alliance ( You may also be able to control advertising cookies provided by publishers, for example Google’s Ad Preference Manager ( Please note that even if you choose to opt-out of receiving targeted advertising, you may still receive advertising on or about the Platform – it just will not be tailored to your interests.

Third parties may not collect information about users’ online activities on the Platform except as described in this policy and our Cookie Policy.

5. Third-party social plugins

Our Platform may use social plugins which are provided and operated by third-party companies, such as Facebook’s Like Button.
As a result of this, you may send to the third-party company the information that you are viewing on a certain part of our Platform. If you are not logged into your account with the third-party company, then the third party may not know your identity. If you are logged into your account with the third-party company, then the third party may be able to link information about your visit to our Platform to your account with them. Similarly, your interactions with the social plugin may be recorded by the third party.
Please refer to the third party’s privacy policy to find out more about its data practices, such as what data is collected about you and how the third party uses such data.


We use, store and process Information about you for the following general purposes:

1. to enable you to access and use the Platform;

2. to operate, protect, improve and optimize the Platform, Airbnb’s business, and our users’ experience, such as to perform analytics, conduct research, personalize or otherwise customize your experience, and for advertising and marketing;

3. to help create and maintain a trusted and safer environment on the Platform and Services, such as fraud detection and prevention, conducting investigations and risk assessments, verifying the address of your listings, verifying any identifications provided by you, and conducting checks against databases such as public government databases;

4. to send you service, support and administrative messages, reminders, technical notices, updates, security alerts, and information requested by you;

5. where we have your consent, to send you marketing and promotional messages and other information that may be of interest to you, including information sent on behalf of our business partners that we think you may find interesting. You will be able toabout Airbnb or general promotions for partner campaigns and services. You can unsubscribe or opt-out from receiving these communications in your settings (in the “Account” section) when you login to your Airbnb account;

6. to administer referral programs, rewards, surveys, sweepstakes, contests, or other promotional activities or events sponsored or managed by Airbnb or our business partners; and

7. to comply with our legal obligations, resolve any disputes that we may have with any of our users, and enforce our agreements with third parties.


We may, either directly or through third party companies and individuals we engage to provide services to us, review, scan, or analyze your communications with other users exchanged via the Platform for fraud prevention, risk assessment, regulatory compliance, investigation, product development, research and customer support purposes. For example, as part of our fraud prevention efforts, the Platform may scan and analyze messages to mask contact information and references to other websites. This helps to prevent fraudulent actors from asking Guests to send them money outside of the Platform, such as by bank transfer or other money transfer methods. We may also scan, review or analyze messages for research and product development purposes to help make search, booking and user communications more efficient and effective, as well as to debug, improve and expand product offerings.

We will not review, scan, or analyze your communications for sending third party marketing messages to you. We will also not sell these reviews or analyses of communications to third parties. We will also use automated methods to carry out these reviews or analyses where reasonably possible. However, from time to time we may have to manually review some communications. By using the Platform, you consent that Airbnb, in its sole discretion, may, either directly or through third party companies and individuals we engage to provide services to us, review, scan, analyze, and store your communications, whether done manually or through automated means.


IMPORTANT: When you use the Platform, your data may be sent to the United States and possibly other countries

We may transfer, store, use and process your information, including any Personal Information, to countries outside of the European Economic Area (“EEA”) including the United States. Please note that laws vary from jurisdiction to jurisdiction, and so the privacy laws applicable to the places where your information is transferred to or stored, used or processed in, may be different from the privacy laws applicable to the place where you are resident.

If you are located in the EEA or in Switzerland, please also see our Safe Harbor Notice (

Your Personal Information may be disclosed as follows:

1. Parts of your public profile page that contain some Personal Information may be displayed in other parts of the Platform to other users for marketing purposes. or to the extent necessary to operate and manage referral and rewards programs.

2. Your public Listing page will always include some minimum information such as the city and neighborhood where the Accommodation is located, your listing description, your calendar availability, your public profile photo and your responsiveness in replying to Guests’ queries. Your public Listing page may also include aggregated demand information (such as number of page views over a period of time). Parts of your public Listing page may be displayed in other parts of the Platform to other users for marketing purposes. The Platform may also display the Accommodation’s approximate geographic location on a map, such that a user can see the general area of the Accommodation.

3. The Platform allows your public profile and public Listing pages to be included in search engines, in which case your public profile and public Listing pages will be indexed by search engines and may be published as search results. This option is enabled by default, and you may opt out of this feature by changing your settings on the Platform. If you change your settings or the information on your public profile or public Listing pages, third-party search engines may not update their databases quickly or at all. We do not control the practices of third-party search engines, and they may use caches containing outdated information, including any information indexed by the search engine before you change your settings or the information on your public profile or public Listing pages.

4. When you submit a request to book an Accommodation, your full name will become visible to the Host. In addition, if you agree to be contacted by the Host by phone when submitting your request and the Host decides to do so, Airbnb will call your phone number first, before connecting you with the Host. We will not share your phone number unless there is a confirmed booking.; if there is a confirmed booking, your phone number will become visible to the Host/Guest, who may call you directly.

5. When your request to book an Accommodation is accepted by the Host or when you accept a Guest’s request to book your Accommodation, we will disclose some of your Personal Information to the Host or Guest. However, your billing and payout information will never be shared with another user.
6. When a Guest stays at your Accommodation or when you stay at a Host’s Accommodation, we will ask you to review the Guest or the Accommodation. If you choose to provide a review, your review may be public on the Platform.

7. You may link your account on a third party social networking site to your Airbnb account. We refer to a person’s contacts on these third party sites as “Friends”. When you create this linkage:

  • some of the information you provide to us from the linking of your accounts may be published on your Airbnb account profile;
  • your activities on the Platform may be displayed to your Friends on the Platform and/or that third party site;
  • other Airbnb users may be able to see any common Friends that you may have with them, or that you are a Friend of their Friend if applicable;
  • other Airbnb users may be able to see any schools, hometowns or other groups you have in common with them as listed on your linked social networking site(s); and
  • the information you provide to us from the linking of your accounts may be stored, processed and transmitted for fraud prevention and risk assessment purposes.

The publication and display of information that you provide to Airbnb through this linkage is subject to your settings and authorizations on the Platform and the third party site.

8. We may distribute parts of the Platform (including your Listing) for display on sites operated by Airbnb’s business partners and affiliates, using technologies such as HTML widgets. If and when your Listings are displayed on a partner’s site, information from your public profile page may also be displayed.

9. We may allow our related entities such as our subsidiaries, and their employees, to use and process your Personal Information in the same way and to the same extent that we are permitted to under this Privacy Policy. These related entities comply with the same obligations that we have to protect your Personal Information under this Privacy Policy.

10. We may also engage third party companies and individuals, who may be located outside of the EEA, to provide services to us, including but not limited to technology services and services to help verify your identification or, to conduct checks against databases such as public government databases (where legally allowed), to otherwise assist us with fraud prevention and risk assessment, to assist us with customer service, and to facilitate the payments or reimbursements you request (such as Concur and American Express). We may provide Personal Information about you to these third parties, or give them access to this Personal Information, for the limited purpose of allowing them to provide these services. We will ensure that such third parties have contractual obligations to protect this Personal Information and to not use it for unrelated purposes.

11. For any jurisdiction in which we facilitate the Collection and Remittance of Taxes or Opt-in for Host Remittance of Taxes as described in the “Taxes” section of the Terms of Service, Hosts and Guests expressly grant us permission, without further notice, to store, transfer and disclose data and other information relating to them or to their Transactions, Bookings, Accommodations and Occupancy Taxes, including, but not limited to, personally identifiable information such as Host or Guest’s name, listing addresses, transaction dates and amounts, tax identification number(s), the amount of taxes received by Hosts from Guests, or allegedly due, contact information and similar information, to the relevant Tax Authority.

11.12. You acknowledge, consent and agree that Airbnb may access, preserve and disclose your account information and Collective Content if required to do so by law or in a good faith belief that such access, preservation or disclosure is reasonably necessary to (a) respond to claims asserted against Airbnb; (b) to comply with legal process (for example, subpoenas and warrants); (c) to enforce and administer our agreements with users, such as the Terms of Service, (, this Privacy Policy, and the Host Guarantee Terms and Conditions (; (d) for fraud prevention, risk assessment, investigation, customer support, product development and de-bugging purposes; or (e) to protect the rights, property or personal safety of Airbnb, its users or members of the public. We will use commercially reasonable efforts to notify users about law enforcement requests for their data unless prohibited by law or by the government request, or if doing so would be futile or ineffective.:

  • providing notice is prohibited by the legal process itself, by court order we receive, or by applicable law; or
  • based on information supplied by law enforcement, we, in our sole discretion, believe: (a) that providing notice could create a risk of injury or death to an individual or group of individuals, (b) that the case involves potential harm to minors, or (c) that harm or fraud could be directed to Airbnb, its Members, the Platform, or Services.

We may also publish, disclose and use Aggregated Information and non-personal information for industry and market analysis, demographic profiling, marketing and advertising, and other business purposes.


If Airbnb undertakes or is involved in any merger, acquisition, reorganization, sale of assets or bankruptcy or insolvency event, then we may sell, transfer or share some or all of our assets, including your Personal Information. In this event, we will notify you before your Personal Information is transferred and becomes subject to a different privacy policy.


You may review, update, correct or delete the Personal Information in your Airbnb account by logging in to your account.. If you would like to correct your information or cancel your Airbnb account entirely, you can do so by logging in to your account. Please also note that any reviews, forum postings and similar materials posted by you may continue to be publicly available on the Platform in association with your first name, even after your Airbnb account is cancelled.


We have implemented reasonableare continuously implementing and updating administrative, technical, and physical security measures to help protect your Personal Information against the unauthorized access, destruction or alteration of your information. However, no method of transmission over the Internet, and no method of storing electronic information, can be 100% secure. So, we cannot guarantee the absolute security of your transmissions to us and of your Personal Information that we store.


The Platform will contain links to other websites not owned or controlled by Airbnb. Airbnb does not have any control over third party websites. These other websites may place their own cookies, web beacons or other files on your device, or collect and solicit Personal Information from you. They will have their own rules about the collection, use and disclosure of Personal Information. We encourage you to read the terms of use and privacy policies of the other websites that you visit.

Some portions of the Platform implement Google Maps/Earth mapping services, including Google Maps API(s). Your use of Google Maps/Earth is subject to Google’s terms of use (located at and Google’s privacy policy (located at, as may be amended by Google from time to time.


Referral service and requesting for references

The Platform provides a referral service that allows you to invite your friends and contacts to use the Platform. The Platform also allows you to ask your friends and contacts to write a reference for you, to be published on your Airbnb profile.

We may integrate the Platform with third party sites such as Facebook, so that you can send invitation messages or requests for references via the third party site itself. These messages will be sent by the third party site, and Airbnb does not collect or retain the contact information that is used to send them.
You may also send invitation/request emails via the Platform itself, in which case we will ask you for the email addressescontact information to which to send these emails to.your invitation/request. You can type in the email addresses or other contact information manually, or you can request Airbnbchoose to import the contacts in your email account address book(s). In both cases, we willmay use theand store this information sent to us for the sole purposepurposes of sendingallowing you to send your friends and contacts a one-time email, inviting him or her to visit the Platforman invitation or to writerequest for a reference for you, and for fraud detection and prevention. With respect to referrals, we will also store the email addresses of your invitees to track if your friend joins Airbnb in response to your referral.

If you request us to import your contacts, we will collect, but not store, the username and password for the email account you wish to import your contacts from. We will use this information only for the purpose of importing your contacts.

Affiliate Program

If you are allowed to join Airbnb’s Affiliate Program (see and you sign up for it, you will have to provide us with certain Personal Information to enable us to provide the Affiliate Program to you.


The Platform may allow registered account holders to organize, search for or participate in offline events (“Meetups”) in selected cities.

If you organize a Meetup or indicate that you will attend one, this information, together with some of your public information (such as your profile picture and public profile page) and any messages that you post about that Meetup, will be visible to users who browse the event. However, Airbnb will never disclose where you are staying to another meetup user.


The Platform may allow registered account holders to participate in online discussion forums (“Group(s)”) in selected cities.

If you join a Group, then your membership in the Group as well as some of your public information (such as your profile picture and public profile page) will be visible to users who browse the Group. If you publish postings in a Group, then your postings will be visible to such users as well. The ability to browse the Group will depend on the Group settings, and it may or may not be limited to members of that Group.


We may change how we collect and then use Personal Information at any time and without prior notice, at our sole discretion.

We may change this Privacy Policy at any time. If we make material changes to the Privacy Policy, we will notify you either by posting the changed Privacy Policy on the Platform or by sending an email to you. We will also update the “Last Updated Date” at the top of this Privacy Policy. If we let you know of changes through an email communication, then the date on which we send the email will be deemed to be the date of your receipt of that email.

It’s important that you review the changed Privacy Policy. If you do not wish to agree to the changed Privacy Policy, then we will not be able to continue providing the Platform and Services to you, and your only option will be to stop accessing the Platform and Services and deactivate your Airbnb account. You can find out more about how to deactivate your Airbnb account at


Your opinion matters to us! If you’d like to provide feedback to us about this Privacy Policy, please email us at


If you reside in the EU or Japan, you may request in writing copies of your Personal Information held by us. We will provide you with a copy of the Personal Information held by us as soon as practicable and in any event not more than 40 days after thereceiving a valid request in writing. There may be a charge to access your personal data (which will not exceed €6.35 in Ireland and £10 in the United Kingdom). We may also request proof of identification to verify your access request. All requests should be addressed to our Data Protection Compliance Officer, Airbnb Ireland, Watermarque Building, South Lotts Road, Ringsend, Dublin 4, Ireland.

We endeavor to keep your information accurate, complete and up to date. If your Personal Information that we hold is inaccurate, please let us know and we will make the necessary amendments, erase or block the relevant information and notify you within 40 days of your valid request that the relevant action has been taken.

You may also request the erasure of your personal data if you believe we are otherwise in breach of relevant data protection legislation. All requests should be addressed to our Data Protection Compliance Officer, Airbnb Ireland, Watermarque Building, South Lotts Road, Ringsend, Dublin 4, Ireland. There is no charge for making such a request.


Airbnb uses “cookies” in conjunction with the Platform to obtain information. A cookie is a small data file that is transferred to your device (e.g., your phone or your computer) for record-keeping purposes. For example, a cookie could allow the Platform to recognize your browser, while another could store your preferences and other information.

Your browser may allow you to set how it handles cookies, such as declining all cookies or prompting you to decide whether to accept each cookie. But please note that some parts of the Platform may not work as intended or may not work at all without cookies.

Airbnb cookies and third party cookies

Airbnb may place our cookies on your device via the Platform. Accordingly, our Privacy Policy will apply to our treatment of the information we obtain via our cookies.

We may also allow our business partners to place cookies on your device. For example, we use Google Analytics for web analytics, and so Google may also set cookies on your device. As further explained below, third parties may also place cookies on your device for advertising purposes.

There are two types of cookies used on the Platform, namely “persistent cookies” and “session cookies”.
Session cookies will normally expire when you close your browser, while persistent cookies will remain on your device after you close your browser, and can be used again the next time you access the Platform.
Other technologies

The Platform may also use other technologies with similar functionality to cookies, such as web beacons and tracking URLs to obtain Log Data about users. We may also use web beacons and tracking URLs in our messages to you to determine whether you have opened a certain message or accessed a certain link.
Uses for Airbnb cookies

Airbnb uses cookies for a number of purposes, such as the following:

1. to enable, facilitate and streamline the functioning of the Platform across different webpages and browser sessions.
2. to simplify your access to and use of the Platform and make it more seamless.
3. to monitor and analyze the performance, operation and effectiveness of the Platform, so that we can improve and optimize it.
4. to show you content (which may include advertisements) that is more relevant to you.

Uses for third party cookies

Our partners’ cookies are intended to obtain information to help them provide services to Airbnb. For example, third party companies and individuals we engage to provide services to us may track your behavior on our Platform to market and advertise Airbnb listings or services to you on the Platform and third party websites. Third parties that use cookies and other tracking technologies to deliver targeted advertisements on our Platform and/or third party websites may offer you a way to prevent such targeted advertisements by opting-out at the websites of industry groups such as the Network Advertising Initiative ( and/or the Digital Advertising Alliance ( You may also be able to control advertising cookies provided by publishers, for example Google’s Ad Preference Manager ( Please note that even if you choose to opt-out of receiving targeted advertising, you may still receive advertising on the Platform – it just will not be tailored to your interests.

In addition, Facebook places a cookie via the Platform that allows Facebook to obtain aggregated, non-Personal Information to optimize their services. For example, if a user clicks on an advertisement for the Airbnb mobile app on Facebook and subsequently installs the app, this cookie will inform Facebook that a user (who is not personally identified) has installed the app after clicking on the advertisement. This cookie may also inform Facebook that a user is using the app, without identifying the specific actions taken by the user in the app.

Disabling Cookies

Most browsers automatically accept cookies, but you can modify your browser setting to decline cookies by visiting the Help portion of your browser’s toolbar. If you choose to decline cookies, please note that you may not be able to sign in, customize, or use some of the interactive features of the Platform. Flash cookies operate differently than browser cookies, and cookie management tools available in a web browser will not remove flash cookies. To learn more about how to manage flash cookies, you can visit the Adobe website ( and make changes at the Global Privacy Settings Panel (
Changes to this Cookie Policy

We can change this Cookie Policy at any time. If we make material changes to the Cookie Policy, we will let you know either by posting the changed Cookie Policy on the Platform or by sending you an email.
It’s important that you review the changed Cookie Policy. If you do not wish to agree to the changed Cookie Policy, then we cannot continue to provide the Platform to you, and your only option is to stop accessing the Platform and deactivate your Airbnb account. You can find out more about how to deactivate your Airbnb account at

Posted in Security.

The Little Can That Could

Part three in a three part series about the history of the Jerry can; this page is a reprint of a first-person account to support parts one and two.

Written by Richard M. Daniel and published in Invention and Technology, Fall 1987, pages 60-64

During World War II the United States exported more tons of petroleum products than of all other war matériel combined. The mainstay of the enormous oil and gasoline transportation network that fed the war was the oceangoing tanker, supplemented on land by pipelines, railroad tank cars, and trucks. But for combat vehicles on the move, another link was crucial—smaller containers that could be carried and poured by hand and moved around a battle zone by trucks.

Hitler knew this. He perceived early on that the weakest link in his plans for blitzkrieg using his panzer divisions was fuel supply. He ordered his staff to design a fuel container that would minimize gasoline losses under combat conditions. As a result the German army had thousands of jerrycans, as they came to be called, stored and ready when hostilities began in 1939.

The jerrycan had been developed under the strictest secrecy, and its unique features were many. It was flat-sided and rectangular in shape, consisting of two halves welded together as in a typical automobile gasoline tank. It had three handles, enabling one man to carry two cans and pass one to another man in bucket-brigade fashion. Its capacity was approximately five U.S. gallons; its weight filled, forty-five pounds. Thanks to an air chamber at the top, it would float on water if dropped overboard or from a plane. Its short spout was secured with a snap closure that could be propped open for pouring, making unnecessary any funnel or opener. A gasket made the mouth leakproof. An air-breathing tube from the spout to the air space kept the pouring smooth. And most important, the can’s inside was lined with an impervious plastic material developed for the insides of steel beer barrels. This enabled the jerrycan to be used alternately for gasoline and water.

Early in the summer of 1939, this secret weapon began a roundabout odyssey into American hands. An American engineer named Paul Pleiss, finishing up a manufacturing job in Berlin, persuaded a German colleague to join him on a vacation trip overland to India. The two bought an automobile chassis and built a body for it. As they prepared to leave on their journey, they realized that they had no provision for emergency water. The German engineer knew of and had access to thousands of jerrycans stored at Tempelhof Airport. He simply took three and mounted them on the underside of the car.

The two drove across eleven national borders without incident and were halfway across India when Field Marshal Goering sent a plane to take the German engineer back home. Before departing, the engineer compounded his treason by giving Pleiss complete specifications for the jerrycan’s manufacture. Pleiss continued on alone to Calcutta. Then he put the car in storage and returned to Philadelphia.

Back in the United States, Pleiss told military officials about the container, but without a sample can he could stir no interest, even though the war was now well under way. The risk involved in having the cans removed from the car and shipped from Calcutta seemed too great, so he eventually had the complete vehicle sent to him, via Turkey and the Cape of Good Hope. It arrived in New York in the summer of 1940 with the three jerrycans intact. Pleiss immediately sent one of the cans to Washington. The War Department looked at it but unwisely decided that an updated version of their World War I container would be good enough. That was a cylindrical ten-gallon can with two screw closures. It required a wrench and a funnel for pouring.

That one jerrycan in the Army’s possession was later sent to Camp Holabird, in Maryland. There it was poorly redesigned; the only features retained were the size, shape, and handles. The welded circumferential joint was replaced with rolled seams around the bottom and one side. Both a wrench and a funnel were required for its use. And it now had no lining. As any petroleum engineer knows, it is unsafe to store gasoline in a container with rolled seams. This ersatz can did not win wide acceptance.

The British first encountered the jerrycan during the German invasion of Norway, in 1940, and gave it its English name (the Germans were, of course, the “Jerries”). Later that year Pleiss was in London and was asked by British officers if he knew anything about the can’s design and manufacture. He ordered the second of his three jerrycans flown to London. Steps were taken to manufacture exact duplicates of it.

Two years later the United States was still oblivious of the can. Then, in September 1942, two quality-control officers posted to American refineries in the Mideast ran smack into the problems being created by ignoring the jerrycan. I was one of those two. Passing through Cairo two weeks before the start of the Battle of El Alamein, we learned that the British wanted no part of a planned U.S. Navy can; as far as they were concerned, the only container worth having was the Jerrycan, even though their only supply was those captured in battle. The British were bitter; two years after the invasion of Norway there was still no evidence that their government had done anything about the jerrycan.

My colleague and I learned quickly about the jerrycan’s advantages and the Allied can’s costly disadvantages, and we sent a cable to naval officals in Washington stating that 40 percent of all the gasoline sent to Egypt was being lost through spillage and evaporation. We added that a detailed report would follow. The 40 percent figure was actually a guess intended to provoke alarm, but it worked. A cable came back immediately requesting confirmation.

We then arranged a visit to several fuel-handling depots at the rear of Montgomery’s army and found there that conditions were indeed appalling. Fuel arrived by rail from the sea in fifty-five-gallon steel drums with rolled seams and friction-sealed metallic mouths. The drums were handled violently by local laborers. Many leaked. The next link in the chain was the infamous five-gallon “petrol tin.” This was a square can of tin plate that had been used for decades to supply lamp kerosene. It was hardly useful for gasoline. In the hot desert sun, it tended to swell up, burst at the seams, and leak. Since a funnel was needed for pouring, spillage was also a problem.

Allied soldiers in Africa knew that the only gasoline container worth having was German. Similar tins were carried on Liberator bombers in flight. They leaked out perhaps a third of the fuel they carried. Because of this, General Wavell’s defeat of the Italians in North Africa in 1940 had come to naught. His planes and combat vehicles had literally run out of gas. Likewise in 1941, General Auchinleck’s victory over Rommel had withered away. In 1942 General Montgomery saw to it that he had enough supplies, including gasoline, to whip Rommel in spite of terrific wastage. And he was helped by captured jerrycans.

The British historian Desmond Young later confirmed the great importance of oil cans in the early African part of the war. “No one who did not serve in the desert,” he wrote, “can realise to what extent the difference between complete and partial success rested on the simplest item of our equipment—and the worst. Whoever sent our troops into desert warfare with the [five-gallon] petrol tin has much to answer for. General Auchinleck estimates that this ‘flimsy and illconstructed container’ led to the loss of thirty per cent of petrol between base and consumer. … The overall loss was almost incalculable. To calculate the tanks destroyed, the number of men who were killed or went into captivity because of shortage of petrol at some crucial moment, the ships and merchant seamen lost in carrying it, would be quite impossible.”

After my colleague and I made our report, a new five-gallon container under consideration in Washington was canceled. Meanwhile the British were finally gearing up for mass production. Two million British jerrycans were sent to North Africa in early 1943, and by early 1944 they were being manufactured in the Middle East. Since the British had such a head start, the Allies agreed to let them produce all the cans needed for the invasion of Europe. Millions were ready by D-day. By V-E day some twenty-one million Allied jerrycans had been scattered all over Europe. President Roosevelt observed in November 1944, “Without these cans it would have been impossible for our armies to cut their way across France at a lightning pace which exceeded the German Blitz of 1940.”

In Washington little about the jerrycan appears in the official record. A military report says simply, “A sample of the jerry can was brought to the office of the Quartermaster General in the summer of 1940.”

Richard M. Daniel is a retired commander in the U.S. Naval Reserve and a chemical engineer.

Go back to part one or two in this series.

Posted in Energy, History, Security.

The Story behind the yellow Jerry can

Part two in a three part series. (Part one and part three)

Once upon a time I sailed half-way across the Pacific Ocean with the typical yellow fuel can lashed to the deck.

yellow cans on deck

The yellow Jerry can has specific meaning to me — diesel fuel — which I thought was a standard. Yet recently I found a charity worker showing me yellow cans of… water with smiling children.

Stock photos of happy smiling children, poor children, playing with yellow cans; this looked weird and manipulative to me. I wanted to see charts of health and safety data from operations. What trends does this charity see?

Flashy photos provided questionable value to me, or the opposite…made me curious about what might really be lurking beneath such shallow propaganda:


Clearly I am meant from these obviously staged photos to accept that yellow Jerry cans used by children for water is some kind of normal; the unsettling appearance of a fuel can in the hand of smiling children supposedly can be seen “everywhere”, as they have written without irony:

You’ve seen it everywhere on our site, at our events, on our shirts… tattooed on our arms… and although the Jerry can has become a mainstay for our staff and supporters, we want to let you know what it actually is and why it’s a symbol of the charity: water mission.

The diesel can a symbol of a water mission? “Our site, our events, our shirts, our arms”. Note the emphasis on “our” mainstay, rather than a mainstay of the people being helped. My definition of everywhere is a bit broader. Is this a mission to convince staff and supporters that a yellow can should become a symbol of water or that it already has? Because…why?

Something smelled funny. Globally I had learned in my travels, regardless of continent or sea, yellow cans meant one thing, and it was NOT water. Yellow often is used for warning signs; first-hand experience around the world has associated yellow cans with sickening slicks and fumes of poison.

Red gasoline cans, yellow diesel cans. Those are the ones you DO NOT DRINK from let alone touch and breathe. Often we would end up scrubbing and wiping the nearly permanent mess of petroleum around those cans.

And yet, because standards change, I still am open to be convinced otherwise if someone can show data.

Surely there are cases (no pun intended) where options are limited, and people have to make do with what little they have. Reuse of fuel cans for water? Sounds like an indicator of desperation or lack of regulation. Is this evidence of the need for many more white or blue cans?

Globally white and blue are used to symbolize health and safety (e.g. Blue Cross, Blue Shield, U.N. Department of Peacekeeping Operations blue hats and helmets, as well as the white helmets with blue suits of disaster relief workers)

"clouds in the sky" white helmets and blue suits means safe. yellow means warning or caution

Singapore disaster team prepares for Nepal. White helmets and blue suits (“clouds in the sky”) indicates neutral or safe. Yellow indicates warning or caution.

I mean we are talking about a charity here, where setting a new standard of good is supposed to be the mission, especially where health risks are found. For a charity with wealthy backers and industrial input the choices obviously are many, so the standard should be high. There is great risk in using charity to reinforce harmful behavior.

Confused by charity workers flashing smiling kids in your face to get your money? Me too.

How did someone decide, of all the options, to adopt yellow cans as a sign of health, a symbol for “clean” anything? And why are they just showing stock photos to get donations instead of any real data?

What comes next, bright red oil barrels for charity:meal?


Let’s forget I asked that…although to be fair red in this case could make sense to warn people about heat and to stay away from the barrels.

I searched for answers and some history on can safety. Either I would become convinced that it now is safe for people to drink from yellow cans, and it is safe to give this charity money, or that existing standards need to be defended and propaganda exposed.

My search led to some very interesting surprises.

The charity website reduced my confidence in their ability to collect and analyze data, for example. You might say my opinion worsened as I read through apologetic narratives about Nazi Germany. Here are several examples, paragraph by paragraph, of what I found and why this charity is so wrong:

Charity:Water Example one

To most people, this simple metal or plastic can means ‘gasoline,’ and rightfully so — the first Jerry cans were introduced as gasoline containers by the German military at the start of World War II.

There was some kind of war, a second world war, and this military from Germany that had to go to war also had some need for gasoline, see…


Jerry cans existed during the Spanish Civil War of 1936, years prior to the start of WWII. These cans served both as fuel and water containers, which we know because they were stamped with clear markings for their purpose.

Germany was involved with and supported other fascist militarism. Someone within the growing Nazi war machine was looking at how to improve a fuel can long before Hitler mobilized troops on 15 March 1938 (passive capitulation of Czechoslovakia) or 1 September 1939 (1.5 million marched into Poland, conquering 140 miles in just one week).

I believe the real story goes to lessons in vehicle support and supply containers (e.g. evaporation/expansion) derived from Italian invasion (3 October 1935) of Ethiopia and there is evidence cans were modified and tested during Nazi support for fascists in the Spanish Civil War (17 July 1936).

Handling chemicals in extreme conditions had forced Italy and Spain to innovate their cannister technology. For example the Italians had developed new mustard gas and new bombs to drop on hospitals and ambulances flying the red cross (infamously killing Swedish medical leaders Fride Hylander and Gunnar Lundström).

1936 Dolo Ethiopia Italian Bombing Killed Dr Lundstrum in Ambulance

This day is still called “darkest in the history of the International Red Cross“; worth reading if you want to get a sense of how in 1936 a rapidly expanding fascist offensive led to a quickening pace of technology change.

Does the can mean gasoline? The phrase “to most people” used by this charity indicates they have some kind of data or source to check, yet none is provided.

I would say to most people the Jerry can means more than gasoline. It means a variety of fuels and even water. My data on this is based on search engines where the top results are “Jerry Cans – Fuel, Water, Diesel, & Accessories” and “can be used for fuel and drinking water”. The word gasoline does not come up easily.

It is true that 1930s Germany used gasoline for their vehicles. However even they stamped their fuel cans with the generic word Kraftstoff (fuel) or with Wasser (water). The Wasser cans also were painted with broad white lines to ensure it could not be confused with Kraftstoff.

This says to me that today’s use of yellow color on a can would, like the Nazis originally intended, help differentiate unsafe fuel cans. Here is what a Nazi water can, stamped with Wasser and painted with white lines, looks like:


So to most people I think it fair to say the Jerry can means various liquids, not simply gasoline, and most people expect consistent symbols and use to avoid mixing them.

Moving everyone to think of yellow as safe for water seems doable, although expensive and risky, as it really has to be clear where diesel and water are to be found. It seems like a lot of extra work/cost because of confusion, as a friend recently put it:

Whoever made the almond-milk carton the exact same shape as the chicken-broth carton should have to eat this cereal.

Labeling/testing yellow Jerry cans on a massive scale as safe for water seems much, much more complicated and risky than just continuing to use the existing standard of white or blue water cans.

Charity:Water Example two

These five-gallon cans, also called ‘Jeep cans’ or ‘blitz cans’ (or, in Germany, ‘Wehrmachtskanisters’) were made of steel and usually sat in the back of vehicles as a reserve tank of gas.

In Germany there were these things with a funny German name in the back of vehicles, kind of like a Jeep, used for an afternoon blitz…


Wehrmachtkanisters means “army can”. Fascists who initiated war without provocation strapped multiples of cans to the side of their vehicles during invasions of foreign countries. In theory the blitzkrieg (German for “lightning war”) was a strategy of very brutal and fast advances to rout an enemy before they could respond.

Obviously there is less surface area in back (width versus length of a vehicle) so lashing cans to the sides has many advantages: leaves space available and makes use of open spaces, balances weight more evenly, while keeping nasty toxic fuel away from doors, passengers and gear. Use of the sides also means the back can be used for less durable/convenient assets and for giant doors and loading (e.g. troop deployment from trucks).

You may notice the white broad lines on some cans, clearly indicating Wasser instead of Kraftstoff.

Bundesarchiv_Bild_101I-022-2926-07,_Russland,_Unternehmen_"Zitadelle",_VW_Kübelwagen Bundesarchiv_Bild

You will find the same behavior on a boat that has to cross an ocean, as you saw at the start of this story. Reserve cans are balanced on either side, not in the back. It would be stupid to weigh down the back of a vehicle/boat with a dozen cans when sides are empty.

Now lets talk about gallons. Jerry cans are 20L capacity and stamped with this unit — about 5.28 US gallons or 4.40 UK gallons. Jerry cans were not “5 gallons” as Charity:water seems to believe. I find it very odd an international organization would use gallons, let alone not specify a system of gallons. Liters are the original and obvious measurement. Someone thinking in gallons has imposed a very narrow and inaccurate perspective over reality.

In terms of material the cans were not only steel; what made Jerry cans most notable in terms of material was a synthetic lining unlike other metal cans. Plastic cans, or even kevlar-lined battle containment for fuels, today could perhaps be linked to the synthetics of the Jerry can.

In terms of brand association, Jerry cans weren’t used by Jeeps until many years later. I am not sure why Jeep gets brought in so subtly next to “blitz cans”. It strangely brands a pre-existing can with a trademark of a specific American vehicle despite the cans not being developed for it originally and being used much more widely. Perhaps Charity:water is thinking ahead about the power of branding and hopes someday we’ll call them Charity:cans?

Speaking of American trademarks, “Blitz” reminds me of a sad and strange twist in history. As I explained above the word means lightning in German; a military campaign tactic attributed to the Nazis. It also refers to a specific 1940 bombing campaign meant to demoralize the British by killing civilians and destroying industry. Not the best connotations. With that in mind an American manufacturing company made the odd decision to adopt it as a name for their “improved” version of Jerry cans.

Originally a US metal container company that made Jerry cans in the 1940s used the words “metal container” in their name. They grew so large and successful that 50 years later the vast majority of American fuel cans were made at this “U.S. Metal Container” (UMC) company. When UMC moved its production away from metal to making only plastic cans in the 1990s they changed their name.

Instead of just switching to the acronym UMC, which would have been clever and celebrating American military history, they adopted the infamous Nazi term “Blitz” as their name because, well, UMC was located in Oklahoma. It should be no secret that neo-nazis and Hitler apologists lived an open life in Oklahoma. But I digress…

Anyhow after changing its name to the Nazi “Blitz” and moving everything to plastic production this venerable Jerry can manufacturer (that perhaps even helped defeat Nazi Germany) soon filed for bankruptcy.

“Blitz” said it could not survive the dozens of lawsuits over its defective cans that were exploding and killing Americans. I told you there was a twist.

Charity:Water Example three

It’s said that Adolph Hitler anticipated the biggest challenge to taking over Europe in WWII was fuel supply. So Germany stocked up.

False and super annoying.

Look, this is very wrong for many reasons. I don’t expect to read charitable thoughts on Hitler from a supposed “charity” site. WTF. No really, WTF.

Also I find “it’s said” to be an unacceptable start to a pro-Hitler sentence that lacks any citation. Who said Hitler anticipated…what? Hitler was an insane dictator and deserves no glorifications. I should not need to cover this.

Nonetheless, it is easy to see how badly that fascist leader sucked at planning. The USAF points out he took his country to war with an acute fuel shortage and massive dependence on imports:

At the outbreak of the war, Germany’s stockpiles of fuel consisted of a total of 15 million barrels.

That is basically nothing, given their rate of consumption, and fuel was expected to run out by 1941. Two years after starting the war, stupid Hitler lacked a plan to continue supplying fuel. Cans clearly were not meant to solve the macro challenge.

Actually I’m getting ahead of myself. Assuming a rapid assault that would last only a few weeks or months then yes, perhaps, a large stock of cans would be decisive in lieu of actual fuel supplies. However, anyone anticipating the “biggest challenge” would have probably considered campaigns getting bogged-down or stuck and contemplate future fuel origination options beyond a better container to move it around in.

It makes far more sense to me that some middling Nazi official was eager to solve a small and obvious part of logistics that they were focused on. There was a little fuel distribution problem, they saw it in 1935 or 1936 fascist invasions, and they set about a new can design. Even translating that into a massive pile or distribution of their cans does not equate to truly anticipating the major issues ahead.

I mean of course fuel did not pose the “biggest challenge” to taking over Europe.

This claim is so absurd I don’t even know where to begin. Put it in reverse perspective: having solved fuel supply alone would not have won the war for the Axis. It was not the single deciding factor. It was a factor among many, with the other factors often being far more in focus and difficult.

A Hitler “anticipation” theory simply does not fit with one of the greatest fuel blunders of all time, Operation Barbarossa, to attack more to the East. Consider that more than 600,000 Nazi horses were relied upon in 1941 as vehicle logistics failed; a lack of standardization, split and confused leadership and overly-optimistic ideas of a “lightning” fast victory undermined Nazi supply chains. This was after the 1940 “Blitz” against London had failed its objectives.

The simple fact is from June to December 1941 the result was “half-starved and half-frozen; out of fuel and ammunition.” It was the opposite of some kind of brilliant anticipation and stocking up early.

Charity:Water Example four

As Germany moved through Europe and North Africa, so did their thousands of gasoline cans. These cans proved to be dependable and durable; soon, countries all over the world were adapting them to haul and store liquids, coining them ‘Jerry cans’ because of their German origin (‘Jerry’ was a snide name for a German WWII soldier). New water container designs emerged but nothing could top the strength and simplicity of the original rectangular, X-marked Jerry can.


Obviously there were more than thousands of cans. The discovery of the Jerry can did not lead directly to adoption by the Allies. I sense some odd reverence for Nazis, even to the point of trying to apologize for “snide” names. Snide? Is this a concern without context? War against fascism, let alone against genocide, perhaps invites derision?

“Jerry” actually was a term used by Allies during WWI supposedly because the German helmet resembled a British jerry (chamber pot). In that sense a Jerry can is actually still a reference to its contents being toxic or at least unpotable.

As far as “new water container” designs I must again point out the original Jerry can also was used for water, with a designated stamp on the can to differentiate from fuel cans as mentioned above.

So with all that nonsense from Charity:water set aside, let me turn to an actual history of the yellow Jerry can. This is perhaps how I would update their page.

Jerry can design innovations

Jerry cans improved greatly upon prior cans, yet are quite simple in retrospect — better durability and portability. This can be explained with a couple short stories from the Allied perspective on winning WWII.


Paul Pleiss was an American engineer in Berlin who in 1936 had discovered a new can while planning to take a huge road trip (see part three of this series). He quickly realized its benefits first-hand. After his road trip, Pleiss spent the summer of 1939 to the summer of 1940 trying to convince the US military to adopt a new can.

American leadership was reluctant, without evidence or proof; they saw no need to alter current production. Only after Pleiss brought a can to show in person and demonstrate, and after the US considered field reports and shortcomings in their North Africa campaign (similar to the experiences of Italy during the 1935 invasion of Ethiopia) did the Jerry can come into better reception.

Things really shifted in 1942 when field qualitative reports backed by quantitative evidence showed US leaders that nearly half of fuel in Egypt was lost due to can failure. Despite sizable impacts recorded in desert battle outcomes in the preceding years (i.e. Wavell 1940, Auchinleck 1941, Montgomery 1942) measured data is what really hit home for the Americans.

…we sent a cable to naval officials in Washington stating that 40 percent of all the gasoline sent to Egypt was being lost through spillage and evaporation. We added that a detailed report would follow. The 40 percent figure was actually a guess intended to provoke alarm, but it worked. A cable came back immediately requesting confirmation.

So six years after Italy’s campaign in Ethiopia had led to German army equipment design changes, the US reached the same conclusions — fighting in North Africa needs a good fuel can.


The British appear to have ignored can design during the 1936-1939 innovation period. At the start of WWII hostilities a “flimsy” can prone to failure and mess was the UK standard. Still a better Jerry can design only came to light for them in the aftermath of French General Gamelin troops withering in 1940, leaving Britain alone to fight the Germans.

An over-extended and fragile but fast German blitzkreig had led to more careful British study and eventual realization that fuel portability had surely impacted performance. Another example, a similar study of the impact of new technology, was the use of radios by German tanks to update plans with “agile” development (peer communication) instead of waterfall (from the top).

The better containers meant much faster deployments. For example a can with a single handle is inferior to multiple handles when considering a line of soldiers trying to “bucket brigade”. Side handles meant two people could grab a can at the same time, or a single person could grab two with one hand. Faster can opening times mattered, as did less spillage during fuel transfer.

The German designer

Put the British and American realizations together and you get what I believe to have been the same thing that happened to the Germans in November 1936. An Italian invasion into northern Africa sparked the need for improvement, which then was tested during war in Spain.

Someone in Nazi Germany’s military administration invited Vinzenz Grünvogel of Müller to apply for a “Wehrmachtskanister” contract. Given the prior work of Müller with Ambi-Budd Presswerk (German for “pressed metal manufacturing”) the Jerry can method of manufacture probably was a derivative more than a novelty.

So it was with the 1936 Italian vehicles crossing rough African territory in mind that led to these specifications:


  • 465mm tall
  • 340mm wide
  • 20L capacity
  • 4kg dry weight
  • easy to stack
  • easy to manufacture (two plates pressed)
  • easy to carry (one soldier = two full, four empty) +
    (two soldiers = three for bucket brigade speed of transfer)


  • shock (recessed welds)
  • corrosion (synthetic lining)
  • float (air pocket “bump”)
  • pour (short spout)
  • seal (cam with lock)
  • expand (50deg max)

From the list and field experience it should be easy to see why the design has lasted.

Ultimately the cans were manufactured by dozens of companies subjected to Axis rule (Müller, Presswerke, Metalwerk, Nowack, Fischer, Schwelm, etc) and after 1942 by many other companies.

Symbols and markings

Lets go back to the idea of keeping people safe from toxic contents. As I mentioned the Germans stamped cans with “Wasser” (water) or “Kraftstoff” (fuel).

Despite a stamping process there also can be found a white W to indicate “winter” fuel (Winterkraftstoff) on later cans. This reiterates the importance of clear labeling to the original designers. It also points again to a lack of overall planning and preparation mentioned above (Hitler apparently refused to believe war would last into winter).

And that brings us to the creation of the yellow Jerry cans, a warning color for fuel. How should cans with different contents safely be identified? Is there a standard?

The answer is yes and no. Standards tend to evolve. Generally they have run something like this.


  1. Gasoline – Red
  2. Diesel – Yellow
  3. Drinking water (potable) – White
  4. Alt Fuels (Kerosene, JP Jet Fuel, Heli, M1 Meth, etc) – Blue
  5. Non-potable water – Green

Modern (e.g. 2005 California):

  1. Gasoline – red;
  2. Diesel – yellow; and
  3. Kerosene – blue

A typical set of Jerry can color options today:

jerry can colors

Does red look better with your shoes than green? Should we use colors for fashion sense not functional safety because of toxic chemicals?

As far as I can tell standards of color were centered on safety and clarity. Charity:Water uses yellow cans because fashion, and probably convenience, not because of grounded concerns about health and finding the best solutions. I mean has anyone studied the impact of using the correct color cans for water versus reinforcing use of yellow cans? Definitely did not find that on the charity site.

A water charity adopting a yellow can makes about as much sense to me as saying people in need drinking contaminated water should keep doing it because tradition. I’d just drop the color, if I were advising them. It is easy to switch a logo from solid yellow to white, especially since white cans conform to traditional safety standards.

Again, I want to be clear I am not opposed to change or redefinition of standards; here is a clever new white Jerry can:


My concern is with a charity pushing a global campaign that uses a dangerous/toxic liquid indicator as a symbol of clean water. Something seems odd about that decision.

Starting from my basic gut instinct it seems counter-productive to a charity objective to use confusing health/danger symbolism. This especially feels true for a charity that knows how to use imagery for power because they spend money to orchestrate images of smiling children. Moving to deeper analysis I found a very weak grasp of history, a whitewash of Hitler and the Nazis; this group asking for money may be seriously divorced from reality or real facts on the ground about social impact.

More on that…another day.

If you have made it this far (thanks!) you’re ready for a pop-quiz:

Given this typical image showing the various Jerry can colors…

…what word would you put after the word “charity”?

Feel free to put your answer in the comment section below.

Go back to part one or continue to part three in this series…

Posted in Energy, History, Security.

The story behind the Jerry can

Part one in a three-part series.

You may have heard a story about the Jerry can. Perhaps it goes something like Hitler was such a brilliant strategist that in 1936 he personally called forth an engineer to create a nearly perfect fuel can, which we still use to this day.

As a student of history I find this story nearly impossible to accept, not to mention as a humanist I find it a load of apologist nonsense about a genocidal maniac.

Why 1936, to begin with? Why did other countries take so long to follow? And how could Hitler’s grand supply-chain foresight three years before mobilizing for war with Poland fit into the many infamous Nazi fuel planning disasters that crippled the overall war effort?

No, Hitler wasn’t good at planning. No, Hitler wasn’t good at listening and adapting.

A more plausible story is that someone, probably a German soldier or mercenary assisting with Italian and Spanish fascist war campaigns in 1936, simply grew fed up with gas cans at a micro level. A WWI generation of fuel cans sucked for many reasons (couldn’t be stacked, leaked, couldn’t pour without a mess, couldn’t be carried in bulk).

I believe the archives should show this: from the summer to the fall of 1936, or maybe even earlier, German war management listened to field agents and decided something better was needed. Just like when the Nazis thought about putting radios in tanks for the first time, a decisive advantage in 1940, they also thought about motorized vehicle fuel supply.

It’s very likely some German soldier hated the inefficiency of the prior cans and borrowed or collaborated with Italian and Spanish fascists to find a better one. I see no evidence this can was meant to be a macro strategy for fuel supply management and plenty of evidence that Nazi fuel supply management overall was a disaster. The fact that a better can later was instrumental in battle outcomes was a reflection of grounded principles, not strategic thought.

And so an engineer won a Nazi contract to design a better can on some rather obvious theory of improving durability and portability to increase availability of fuel. Quality of engineering and manufacturing still was high in Germany at that time, despite emigrations and arrests of talent; so the Jerry can was born from a pressed metal factory preparing the Nazi war machine.

Some suggest the can was a military secret. Of course 1936 was full of secrecy to help with propaganda hiding the re-militarization. Hitler was a pathological liar who ran misinformation campaigns, playing a victim card over and over again, making technology secrecy essential. This was a factor.

Even more of a factor was a reluctance of Allies to listen to their field and incorporate feedback. Sending Sherman tanks into battle was an abject lesson in fail-faster because high casualties. Wasted fuel was harder to quantify. Unlike the Japanese however the Americans did adjust if they could see the need or advantage.

It turns out the Jerry can was discovered in 1939 by an American, even before hostilities, due to use at the Berlin airport (a German stole three and shared the technology). The delay in adoption by the Allies is related to their blindness to its value.

It took another four years because leadership of the Allies relied on statistical analysis and probably needed reports formatted with quantitative methods to make a change.

In 1942 an Allied soldier-chemist working on fuel logistics in northern Africa (e.g. facing similar things that soldiers in the Italian campaign of 1936 might have seen) converted qualitative field reports (e.g. old cans suck) into a statistics-based cable to Washington (e.g. we’re losing 40% of fuel before it even gets to the vehicle).

The lesson here is listening to qualitative field reports can inspire innovation in design, and quantitative analysis can show how small and simple changes in efficiency can make a major difference.

I am all ears if someone can find a memo from Hitler calling for a better fuel can and reasons to stockpile. It sounds a lot like revisionist theory to me, as if someone years from now would try to argue that President Obama anticipated social media growth and commissioned Facebook.

My guess based on data is an improved fuel containment design derived as a logical step from soldiers watching their losses during Spanish, Italian and Japanese fascist aggression.

Continue to part two or skip to three in this series…

Posted in Energy, History, Security.

Le Tote: Weather Prediction As Retail

So I’m walking down the street in SF today and someone steps out of a building in front of me. I’m always interested in what’s happening around me so naturally I ask if they work there. This person answers yes and says it’s a bunch of startups, including Le Tote.

“It’s like Netflix for clothes” I am told as a shopping bag is opened to reveal a box.

“We send you clothes we recommend you wear and…” I interrupt to finish the sentence “if you keep them you buy them! Am I right?” They nod yes and smile widely as if they were about to explain something hard and I saved a mountain of effort.

A pregnant moment arrives as I wait for even more congratulations; although I have really just described the age-old mail-order model as it currently exists. The irony of me predicting the end of a sentence, and pointing out a lack of innovation, is lost. They just seem relieved of the chore of explaining something aspiring to be innovative.

Maybe I shouldn’t attempt to find humor in analytics. I ask seriously if they have anything I should try.

“It’s only for women right now” I am told with a disapproving look.

I genuinely wonder out loud about their predictive algorithm: “Why do you assume already I do not want to wear women’s clothes? What if I am transgender? Would you still predict my fashion?”

I am looked at skeptically and offered no answers other than a soft and slow repeat of “if you want to wear women’s clothes…”.

Still curious and since this person is still standing there (presumably at the mercy of a service, a late driver) I press for more. “Nevermind gender fashion definitions, how does your prediction reflect regional differences. For example when someone in Colorado…” they interrupt me to say “we check the weather”.

Weather? Definitely not the end of sentence I had in mind.

I forgo jokes about the weather being perpetually wrong and instead restart my question so I can bring back my ending: “what do you do when someone in Colorado thinks sky-blue is the hot new color, while someone in SF wants orange and green? Can your algos anticipate fashion trends from social or other indicators, given your fashion angle”; tempted to add “not a good indicator of weather”.

Their face grows bright, they lean back, look to the street with an open gaze, suck in an ocean of air and exclaim “WOW WHAT A GREAT IDEA, I WILL SUGGEST THIS IDEA AT OUR NEXT MEETING”. Then they abruptly turn and excitedly run across the street waving a hand.

Now standing alone I yell “so what’s your name” towards the back of a head that nears an Uber parked in the bike lane. “Heather” is the response. Of course it is. And so I continue on my way.

Posted in Security.

Impostors in Your Call Center

As a PCI assessor I was often asked how to protect the personally identifiable information (PII) captured within audio recordings. Call centers, especially very large and distributes ones, tended to end up with giant archives of people talking about payment information. Also packet capture systems such as intrusion detection or network forensics tended to collect payment card data discussed (e.g. using IP phones).

The bottom line (pun not intended) was that working with audio security is an interesting challenge and can add some flavor to the usual job of masking, replacing or encrypting stored data.

And yet despite a body of knowledge in this area, leading to steady improvement in security tools to reduce fraud from audio data, we still see in the news major disasters. I believe this not to be any failure of technology but rather a higher-level management issue: like quality engineering can’t really be blamed on tools as much as attention to details.

Take for example AT&T just has been fined by the FCC $25m for three breaches

In May 2014, the Enforcement Bureau launched its investigation into a 168-day data breach that took place at an AT&T call center in Mexico between November 2013 and April 2014. During this period, three call center employees were paid by third parties to obtain customer information — specifically, names and at least the last four digits of customers’ Social Security numbers — that could then be used to submit online requests for cellular handset unlock codes. The three call center employees accessed more than 68,000 accounts without customer authorization, which they then provided to third parties who used that information to submit 290,803 handset unlock requests through AT&T’s online customer unlock request portal.

One attack would be a problem. Three impostors are a sign of something far more troubling; management is not detecting or preventing active infiltration designed to bypass internal controls and steal valuable data. Organized crime still shows success at either coercing staff or implanting attackers in call centers to leak PII for financial gain. And if three impostors aren’t bad enough, the FCC goes on to document another forty individuals found stealing PII.

Kudos to the FCC for their investigation and subsequent action. I believe it is right for them to emphasize a top-level management approach as a solution.

The people who were caught in the act of stealing (the impostors themselves) will likely go to jail (as was also found in the recent Bechtel executive fraud case). New oversight needs to be forced by regulators at top-levels of company management so they pay better attention to impostors and other attackers stealing PII.

…AT&T will be required to improve its privacy and data security practices by appointing a senior compliance manager who is a certified privacy professional, conducting a privacy risk assessment, implementing an information security program, preparing an appropriate compliance manual, and regularly training employees on the company’s privacy policies and the applicable privacy legal authorities. AT&T will file regular compliance reports with the FCC.

Posted in Security.

Keeping Car Contents Safe From Electronic Key Thieves

Nick Bilton is a columnist for the New York Times (NYT). He published a story today called “Keeping Your Car Safe From Electronic Thieves” and I adapted my blog post title from his.

Perhaps you can see why I changed the title slightly from his version. Here are a couple reasons:

First, his story is about things inside a car being at risk, rather than the car itself being unsafe. Second, and more to the point, the “electronic thieves” are not stealing cars as much as opening doors and grabbing what is inside.

That second point is a huge clue to this story. If thieves were “cloning” a car key, making a duplicate, then I suspect we would see different behavior. Perhaps penalties for stealing cars are enough disincentive to keep thieves happy with stealing contents. But I doubt that. More likely is that this is a study in opportunity.

You could read the full article, or I suggest instead you just read his tweets on April 6th for a more interesting version of what led to the story (meant to be read from bottom to top, as Twitter would have you do):

Nick Bilton @nickbilton · Apr 6
@ejacqui It looks like it’s a broadcasts a bunch of signals to open the car lock. They cost about $100, apparently.
5 retweets 3 favorites

Nick Bilton @nickbilton · Apr 6
@seanbonner @gregcohn @tonx @sacca Fast-forward 10 years and thieves (or pranksters) will be doing this with our homes.
2 retweets 4 favorites

Nick Bilton @nickbilton · Apr 6
@tweets_amanda I tried. I ran after them, but they took off. The cops said it’s easy to get online, whatever “it” is.
0 retweets 1 favorite

Nick Bilton @nickbilton · Apr 6
@r2r @StevenLevy No. A Toyota Prius. Crazy how insecure this “technology” is.
1 retweet 1 favorite

Nick Bilton @nickbilton · Apr 6
@kevin2kelly Yep. Exactly. No broken window, and to a passerby it looks like the thief is in their own car. Scary stuff.
1 retweet 3 favorites

Nick Bilton @nickbilton · Apr 6
@StevenLevy Yep. I chased after them, not to tell them off, but to ask what technology they were using. :-)
4 retweets 24 favorites

Nick Bilton @nickbilton · Apr 6
@noneck Was watching out the window and saw them do it. (I then ran out and yelled at them, and they took off.)
1 retweet 1 favorite

Nick Bilton @nickbilton · Apr 6
@sacca Just did a little research & it’s insane how easy it is to get the device they used. Scary when you think about the connected home.
22 retweets 24 favorites

Nick Bilton @nickbilton · Apr 6
@Beaker A Toyota Prius. It was like watching someone slice into butter. That simple.
1 retweet 5 favorites

Nick Bilton @nickbilton · Apr 6
@schlaf I chased them down and thought, what’s the point. They’re kids. I really wanted to just ask them about the technology! :-)
3 retweets 22 favorites

Nick Bilton @nickbilton · Apr 6
@owen_lystrup Toyota Prius. Don’t get one. Buy an old 1970s car with a key. :-)
3 retweets 10 favorites

Nick Bilton @nickbilton · Apr 6
@trammell Yep. Literally just pressed a button and opened the door. It was bizarre and scary when you think about the “connected home”.
12 retweets 22 favorites

Nick Bilton @nickbilton · Apr 6
@SubBeck Yelled at them and called the cops. The cops sounded blaze by the whole situation.
2 retweets 4 favorites

Nick Bilton @nickbilton · Apr 6
@cowperthwait Toyota Prius. It’s insane that they can literally press a button and open the door.
23 retweets 16 favorites

Nick Bilton @nickbilton · Apr 6
@MatthewKeysLive Nothing; it’s empty. They’ve done it before when I wasn’t around. But I had no idea how they were doing it. Now I know.
3 retweets 5 favorites

Nick Bilton @nickbilton · Apr 6
Just saw 2 kids walk up to my LOCKED car, press a button on a device which unlocked the car, and broke in. So much for our keyless future.

To me there are some fingernails-on-chalkboard annoying tweets in that stream. Horrible attribution, for starters (pun not intended). He says don’t get a Toyota Prius because it must be their fault. Similarly he says our keyless future is over and we should buy something from the 1970s with a key. And then he goes on to attack the idea of a connected home.

This is all complete nonsense.

The attribution is wrong. The advice is wrong. Most of all, the fear of the future is wrong.

Consider that thieves leave a car essentially unharmed (unlike all the smash and grab behavior linked to economic/political issues). This tells us a lot about risk, methods and fixes. It means for example that insurance companies are not likely to be motivated for change. After all, no windows broken and no panels scratched or damaged means no real claims.

In this reporter’s case he even says nothing valuable was in the car. There’s nothing really to tell the police other than someone opened the door and closed it again. A thief who walks up, opens the door, and takes whatever they can from inside the car…this is an encryption/privacy expert’s worst nightmare. This is a lock being silently bypassed with something that amounts to a dreaded escrow or golden key. Given the current encryption debate about backdoors we might have a very interesting story on our hands.


Mind you I tried on April 8th to contact the reporter and add some of this perspective, to indicate the story is really about risk economics and a much broader debate on key management.


Unlike the (dare I say shallow) angle taken by the NYT as something “newsworthy”, a car lock bypass is not new to anyone who pays attention to security or to the mundane reports of people getting their cars broken into. That Winnipeg story I offered the reporter to calm him down is years old. There also were reports in London, Los Angeles and other major city news over the past years describing the same exact scenario and how police and car manufacturers weren’t eager to discuss solutions. The NYT reporter is essentially now stumbling into the same rut.

2013 reports actually followed 2012 news of cars being stolen and disappearing. My guess is the organized crime tools filtered down to the hands of petty criminals and eventually mischievous kids. There is far wider opportunity as motives soften and means become easier. The organization and operation required to fence a stolen car probably shifted first to joy rides, then shifted again to people grabbing contents of cars and eventually to people just curious about weak controls. The shifts happened over years and then, finally, a NYT reporter felt it personally and was rustled awake.

Apparently the NYT did not pay attention to the alarming (pun not intended) trend other reporters have put in their headlines. I did a quick search and found no mention by them before now. It does seem a bit like when crime happens to a NYT reporter the NYT cares much more about the story and frames it as very newsworthy and novel, if you know what I mean.

To really put it in perspective, nearly twenty years ago a colleague of mine had set a personal goal to invisibly open car doors in under five seconds. This is a real thing. He was averaging around seven seconds. General lock picking has since become a more widely known sport with open and popular competitions.

Anyone saying “so much for our keyless future” after this kind of incident arguably has no clue about security in the present let alone the future. Expressing frustration on Twitter turned into expressing frustration at the NYT, which leaves the reader hanging for some real risk analysis.

So that is why I say the real story here, similar to a key escrow angle missed by the reporter, is economics of a fix. Why doesn’t he take a hard look at the incentives and real barriers to build better keyless electronic systems?

The NYT reporter gets so close to the flame and still doesn’t see the problem. For example he mentions that he dug up some researchers (e.g. Aurélien Francillon, Boris Danev and Srdjan Capkun) who had published their work in this area. Isn’t the obvious question then why a key and lock aren’t able yet to fend off an unauthorized signal boost after the problem was detailed in a 2011 paper (PDF): “Relay Attacks on Passive Keyless Entry and Start Systems in Modern Cars“?

“Figure 4. Simplified view of the attack relaying LF (130 KHz) signals over the air by upconversion and downconversion. The relay is realized in analog to limit processing time.”

Long story short thieves obviously have realized that keyless entry relies on a primitive communication channel, based on near proximity, between lock and key. The thieves may even have inside access to lock development companies and read technical manuals that revealed assumptions like “key must be within x feet for door to unlock”. Some people would stop at x feet but that statement is a huge hint to hackers that they should try to achieve greater ranges than meant to work.

The simple theory, the one that makes the most sense here, is that thieves are simply boosting the signal to extend the range of keyless entry signal.

First they pull a car door handle, which initiates a key request. Normally the key would be out of range but thieves boost the request much further away. The key could be in the owners pocket inside a restaurant, or a school, on a baseball field, at a park bench, or even in a home.

Second the key receives the door signal and sends its reply.

Third the thieves pull the door handle to open the car.

Simple no?

One might suppose the thieves could press a start button and drive away but then what happens when they shut the engine off many miles from the key? That’s a whole different level of thief as I mentioned above. Proximity means risk/complexity of an attack is lowest if they just invisibly open a door and take small-value items or nothing at all.

Again, insurance companies are not going to jump into this without damage to a car or the car isn’t stolen. Manufacturers likewise have little incentive to fix the issue if there is no damage. A more viable solution, thinking about the economics and market forces, would be to encourage car owners to buy an aftermarket upgrade based on standards.

Don’t like the stereo in your car? Put in a better one aftermarket. Don’t like the seats? Upgrade those too, with better seat belts and lumbar support. Upgrade the brakes, the suspension and even put in an alarm…now ask yourself if you can find a new set of quality electronic locks that blocks the latest attacks. Where is that market?

Isn’t it strange that you can not simply upgrade to a better electronic lock? It sounds weird, right? Where would you go to get a better key system for your car? The platform, the car itself, should allow you to upgrade to an electronic key. Add a simple on/off switch and this attack would be defeated. This would be like installing better locks and keys in your home (explaining why our homes are not at the same level of risk from this attack). Why can’t you do this for a car?

That is the real question that a reporter in the NYT should have been asking people. Instead he found someone who suggested putting his key into a Faraday cage (blocking signals).

So now he has the bright idea to put his key in the freezer at home with the ice cream.

That shows a fundamentally flawed understanding and defeatist security. Who wants to keep their car at home to be safe because they can’t carry a freezer around everywhere. A metal box or even mylar bag would have been at least a nod in the right direction, to safely parking your car somewhere besides home.

Basically the NYT reporter over-reacts and then pats himself on the back with a silly and ineffective band-aid story. He misses entirely the opportunity to take a serious inquiry into why car manufacturers have been quiet about a long-time key management problem. Perhaps my Tweets were able to sway him towards realizing this is not as novel as he first thought.

Even better would have been if the reporter had been swayed to research why manufacturers use obfuscation instead of opening key management to a standard and free platform for innovation, supporting the safety advances from lock pick competitions. This issue is not about a Prius, a Toyota or even scary electronics entering our world. It is really about risk economics, policy and consumer rights.

Posted in Security.

SailPi: Install Sailfish OS on Raspberry Pi 2

It is surprisingly easy to install the Sailfish OS on a Raspberry Pi 2. There’s an official blog for all this and I just thought I’d share a few notes here for convenience. This took me about 5 minutes.

A: Preparation of SailPi

  1. Download sailfish image (511.5MB) sailfish image (218M, updated October 25, 2015) provided by sailpi
  2. MD5: 29edd5770fba01af5c547a90a589a22a 
    SHA-1: 156ea9d01b862420db0b32de313e6602865cb8f9
  3. Extract sfos-rpi2-glacier-03272015.img.xz sfos-rpi2- – I used 7-zip
  4. Write sfos-rpi2-glacier-03272015.img sfos-rpi2- to SD – I used Win32DiskImager
  5. Insert the SD to rPi2, connect network and power-up
  6. SSH to sailpi using default user:password (root:root)

B: Configuration of SailPi. I simply verify I am running Sailfish (Jolla), change the root password, and change the desktop orientation to horizontal.

  1. [root@Jolla ~]# uname -a

    Linux Jolla 3.18.8-v7+ #2 SMP PREEMPT Mon Mar 9 14:11:05 UTC 2015 armv7l armv7l armv7l GNU/Linux

  2. [root@Jolla ~]# passwd
  3. [root@Jolla ~]# vi /usr/share/lipstick-glacier-home-qt5/nemovars.conf

It almost was too easy.

In theory this could be the start of a home-made smartphone. The official SailPi blog talks about steps to enable bluetooth as well as adding a PiScreen and GSM board.

Posted in Security.