Posts

Count Them: Thirty. Five. Days.

I’m not going to elaborate on MSNBC’s Maddow program last night, featuring David Cay Johnston to whom Donald Trump’s 2005 tax filing had been “leaked.”

It was two pages, revealing little more than adjusted income, income tax assessed, and the lack of any charitable contribution deduction.

One of the two pages was also marked CLIENT COPY.

Not going to get into the rambling statement issued by the White House before the show either, unusual from this administration only for its lack of spelling errors.

But I’m going to point to the calendar.

Today is March 15. It’s a little over a month to Tax Day when filings for 2016 income are due.

35 days until the deadline at the end of the night on April 18.

35 days until Donald Trump has yet another tax filing for which he has no excuse to share with voters and their representatives in Congress.

Non-Tax Filing Stuff:

Kushner family may get $400M from Chinese Anbang Insurance Group — This reeks, absolutely stinks. Anbang is linked to top officials in China’s government; it’s negotiating a stake in a Manhattan property owned by Kushner (read: Trump’s in-laws). There’s no end to the corruption with this administration.

Volkswagen toying with a Fiat Chrysler merger — This smells of desperation to me. Can’t imagine the largest shareholders of VW willingly giving up any control in spite of the financial damage from the company’s emissions fraud. Not to mention the whole Too-Big-To-Fail size of this potential merger when Volkswagen Group is responsible for nearly 10% of all Germany’s jobs.

Trump may undo years of clean air by screwing with emissions standards — Speaking of emissions and fraud, Trump will be speaking in Detroit today where he is expected to propose undoing mileage standards and emissions regulations. Not only is the automotive industry finally headed in the right direction toward alternative energy after nearly two decades of R&D and implementation, but apparently the public needs to be sicker ahead of the loss of health care insurance.

Robot killed worker, spouse files suit — Horrible and sad; incident happened in 2015. Husband filed suit last week against five robotics companies he claims are responsible for the robot’s failure.

Energy Transfer Partners wants tribal plea rejected — Oil could start flowing through DAPL within the week if U.S. District Judge James Boasberg rejects Standing Rock and Cheyenne River Sioux tribes’ appeal based on religious grounds.

There. That should keep you busy for a while. Treat this like an open thread.

Tuesday: Disinfowar Dust Up

In this roundup: Disinfowar, fossil fuels’ finale, pipeline problems, and a longish short about evolving hope.

The embedded feature video here, Dust by Ember Lab, won a number of awards last year. It’s a gritty blend of real and fantasy, and the closest thing to an American feature film with an Asian lead (there were no true feature-length films with an Asian/Asian-American lead or co-lead last year). It’s a little exposition dense, but this is integral to the challenge of world-building for a sci-fi/fantasy story. I wouldn’t be a bit surprised to see this story extended into a true feature or a series.

Disinfowar
If you haven’t already read Marcy’s latest piece today, you should do so soon. We are now deep in disinfo slung by multiple parties.

The one thing that niggles at me about WikiLeaks’ involvement in this latest volley of disinfo: why didn’t WikiLeaks release the Podesta emails when they originally said they were going to do so?

Or was skanky political operative Roger Stone blowing more disinfo out his ass when he tweeted about the impending Wikileaks’ release?

And how does the concurrent “Trump pussy grab” video story interleave with the WikiLeaks’ disinformation? Let’s take a look at the timing.

Early September — WikiLeaks’ Julian Assange claims to have documents damaging to Hillary Clinton which would be released before the election.

30-SEP-2016 Friday — WikiLeaks cancels release of an info dump on Hillary Clinton due to alleged security concerns. The info dump has been framed by some as a potential ‘October surprise’.

02-OCT-2016 Sunday — 12:52 am: Roger Stone tweets [email protected] is done”.

03-OCT-2016 Monday — Unspecified time: Producer at an NBC entertainment outlet Access Hollywood remembers video of Trump with Billy Bush.

03-OCT-2016 Monday — 5:55 pm: AP publishes story, “‘Apprentice’ cast and crew say Trump was lewd and sexist.”

04-OCT-2016 Tuesday — Date of canceled WikiLeaks’ info dump.

Midweek (no date/day given) — Access Hollywood’s executive producer Rob Silverstein and team have reviewed the video. A script is prepared for airing of video, but it will not appear Friday evening before the next presidential debate on Sunday.

05-OCT-2016 Wednesday — No WikiLeaks’ info dump.

07-OCT-2016 Friday — First thing in the morning, Access Hollywood was still working on story; an NBC source said the story “wasn’t quite finalized.”

07-OCT-2016 Friday — Noon: Washington Post’s David Fahrenthold asks NBC for a comment on the Trump/Billy Bush tape which had been leaked to him by unnamed source(s).

07-OCT-2016 Friday — 2-4:00 pm (approximately, exact publication time to be confirmed): Washington Post runs Fahrenthold’s story, “Trump recorded having extremely lewd conversation about women in 2005.”

07-OCT-2016 Friday — 11:03 pm: WikiLeaks tweets link to “The #PodestaEmails Part 1.”

09-OCT-2016 Sunday — 9:50 pm: During the second presidential debate, Wikileaks tweets, “Hillary Clinton just confirmed the authenticity of our #PodestaEmails release of her paid speeches excerpts.”

10-OCT-2016 Monday — 9:36 am: WikiLeaks tweets link with “RELEASE: The #PodestaEmails part two: 2,086 new emails.”

A Google Trends snapshot of key words from these two stories also tells the story. To be fair, though ‘pussy’ spiked on Friday, it’s a pretty popular internet search term (in case this had not occurred to some of our readers).

[Source: Google Trends – compare terms: ‘wikileaks’ (blue), ‘hillary’ (red), ‘podesta’ (yellow), ‘pussy’ (green), ‘billy bush’ (purple)]

Really convenient timing, no matter the validity of the content in the emails.

Wheels

  • Germany’s upper house of parliament wants combustion engine cars off the roads by 2030 (Reuters) — This is one of the most important stories so far this year: one of the largest single nation economies in the world wants to end use of gasoline- and diesel-fueled vehicles within its borders inside 18 years. How will this impact Volkswagen Group, the largest automaker in EU? At least VW now has impetus to move completely away from its failed passenger diesel engines. Political parties across the Bundesrat, the upper house, support ending sales of combustion engine vehicles. What next steps Germany will take is unclear as is the next possible response by the EC in Brussels.
  • VW’s CEO Matthias Mueller knew nothing about passenger diesel vehicle scandal (Reuters) — Might be plausible that Mueller didn’t know anything about VW and Bosch tweaking engine control units to defeat emissions standards since Mueller was the head of Porsche before VW Group appointed him to replace Martin Winterkorn. And we all know Porsche isn’t the first brand you’d seek when shopping for either passenger diesel vehicles or fuel efficiency.
  • Fiat Chrysler and Canadian union Unifor avoid a strike (Detroit Free Press) — The deal includes updates to two plants and a restructuring of workers’ wage scale while working around the impending demise of the Chrysler 200 and Dodge Dart car models. No mention of self-driving/autonomous cars in FCA’s future lineup, if any.

Pipe meets face

  • Russian facial recognition software IDs 73% of people out of million-person database (Wall Street Journal) — This application developed by startup NTechLab beat Alphabet’s facial recognition software. This gives me the fecking creeps, especially considering the countries interested in buying this software.
  • Facial recognition app failed when used at pipeline protest (Indian Country) — A Crow Creek Tribe activist found he had been ‘identified’ as a pipeline protester by facial recognition software though he had been at a family event elsewhere during the time he was alleged to participate in the protest.
  • Pipeline construction work resumes after appeals court ruling against tribes (ABC News) — In a stunningly callous move, U.S. Court of Appeals for the D.C. Circuit issued a decision Sunday evening — before Columbus Day, the observation which offends Native Americans — denying Native American tribes’ request for an injunction to stop construction of the Dakota Access Pipeline. Work on the pipeline picked up again today, though the tribes vow to continue their protests. Protesters were arrested yesterday for trespassing, including actor Shailene Woodley. Woodley may have been selected in particular because of her high media profile and because she was streaming the protest online.

Longread: Asymmetry’s role in Trump’s rise
Worth reading NYU’s Jay Rosen on media’s inability to deal with asymmetry in the U.S. political system, and how this permitted Trump’s elevation as a presidential candidate. Personally I take issue with the concept that the “GOP has become an insurgent outlier in American politics.” In a two-party system where nearly half the population identifies with either one of these parties, neither of the two parties can be insurgent or an outlier.

Instead, this asymmetry — the departure from the past equivalency of either of these two major parties — results from the application of the Overton Window over decades to move nearly half the population toward a more conservative consensus. Applied too much, too often, and nearly half the population has adopted an ideology which is incompatible with the values espoused by a critical mass of this nation before the Overton Window was applied.

And the media, like meteorologists focusing on the day’s weather — is it cloudy or sunny? rain or shine? — missed the entire shift of the political climate toward fascism. Rather like the financial crisis of 2008, for that matter, when they failed to adequately look at the big picture before the entire economy went over the cliff.

That’s a wrap. Make sure you’re registered to vote as many states have deadlines today. Check in with housebound and with college students to see if they are registered and encourage use of absentee ballots where appropriate. Absentee voting has begun in some states.

Wednesday: Time Travel

In this roundup: A short film about a mother’s time travel adventure, the Internet of Stupid Things, and more.

Friday: Little Fly

Friday jazz comes to us from vocalist and bassist Esperanza Spalding, one of my personal favorites. She’s the first jazz musician to ever win the Grammy Award for Best New Artist, awarded only a handful of months after this featured performance from 2010.

My favorite tune of the three she performs here is Apple Blossom — it never fails to make me sniffle. Spalding plays more than just the double bass; sample her more progressive work on electric bass here. Want something a bit more traditional? Try her upbeat bluesy rendition of On the Sunny Side of the Street. Or maybe a little pop rock slice with her tribute to Stevie Wonder, Overjoyed.

Wheels and steals
Volkswagen:

  • Whiny op-ed complains about poor, poor Volkswagen (WSJ) — Aw, poor fraudulent enterprise lied and ripped off the American public for a decade while other automakers in the U.S. complied with emissions laws. Murdoch-NewsCorp outlet Wall Street Journal wants us to take pity on the bastards who did not care one whit they were literally poisoning U.S. citizens while lying to customers and dealers, let alone poisoning and lying to tens of millions of customers abroad. Look, they broke U.S. laws for nearly ten years. They made interest and capital gains on the money they gained from their illegal efforts. They can make the customers they defrauded whole and they can do something to fix the damage they wreaked on our environment. And they should be punished for breaking laws on top of reparations. Anything less is a neoliberal blowjob to a company which cannot compete fairly inside the U.S.
  • VW passenger diesel owners need additional protections (Reuters) — The current settlement offered by VW in federal court does not provide a secondary level of protection to consumers, needed if the proposed fix to the emissions-cheating diesel vehicles does not work, says the consumer advocacy journal. These vehicle owners should be able to opt for buy-back. The amount offered also undervalues retail prices on alternative replacement vehicles, Consumer Reports said in its submission during the public comment period which ended today.

    Consumer Reports said it generally supported the settlement, but urged “regulators to wield robust oversight of Volkswagen to ensure that the company implements its recall, investment, and mitigation programs appropriately” and it called on “federal and state officials to assess tough civil penalties and any appropriate criminal penalties against the company in order to hold it fully accountable.”

  • South Korea halts sales of 80 VW vehicle models (NBCNews) — This is what the U.S. could have done to VW given the scale of fraud, emissions cheating, and the lack of actual “clean diesel” passenger technology available to remedy both 2.0L and 3.0L engine vehicles. The 80 models now banned for non-compliance with emissions and noise pollution laws as well as document forgery include VW, Audi and Bentley vehicles. VW has also been slapped with a $16.06 million fine, which is extremely light considering VW not only broke emissions laws but also fraudulently misrepresented the vehicles’ attributes.
  • West Virginia’s suit against VW amended (Hastings Tribune) — WVa Attorney General expanded the suit to include VW parent group as well as Audi and Porsche brands. Bosch, the manufacturer of VW’s electronic control units which were programmed to defeat emissions controls, is included in the lawsuit.
  • Fewer Americans buying VW vehicles (Business Insider) — No surprise, given the emissions controls cheating scandal, the pricey labels, iffy reliability, and a product lineup that doesn’t match the U.S.’ market demand. It may be a long time before VW digs itself out of its hole here.

NOT Volkswagen:

  • Two Houston thieves hack Jeep and Dodge cars (Phys.org) — Hacking pirated computer software used by auto technicians and dealers, two men tweaked Fiat Chrysler model vehicles’ security codes so their key worked. The thieves were picked up driving a stolen Jeep Grand Cherokee after police focused on an area where a high number of vehicle thefts occurred.
  • White hat hackers proved Chrysler’s anti-hack update breachable (The Register) — Last year Charlie Miller and Chris Valasek showed Fiat Chrysler’s wireless feature could be hacked remotely to take control of a car. At Black Hat 2016 this week the same duo showed how they could defeat Fiat Chrysler’s firmware update which the automaker pushed to patch the vulnerability. But in terms of ease and speed, the two thieves in Houston might actually have a faster approach to taking control of a vehicle.
  • 28-year-old cracks up his brother’s car while playing Pokémon GO (The Guardian) — Dude. Really? You’re lucky to be alive or that you didn’t kill someone else. This is the kind of generational stupid old-man-yelling-at-clouds Clint Eastwood should take a poke at instead of doubling down on his closeted racism.
  • Self-driving feature in Tesla X may have saved its driver (CNBC) — Driver suffered a pulmonary embolism while on the road; the vehicle took him to the hospital. Article says the driver “was able to steer the car the last few meters” suggesting he was conscious and in control if limited in capacity. No further details were included to describe how the vehicle switched from its original route to the hospital.

Because opening ceremonies begin tonight at the Rio Olympics, I’ll leave you here. Catch you Monday — have a safe and restful weekend!

Thursday: Bad Girls

One thing before I go any further…look just above these words, below this post’s title and to the right of the date of publication. See the name ‘Rayne’? That’s me, that’s my byline. Please note there are multiple contributors here at emptywheel. The entire site is eponymously named for its owner, Marcy Wheeler, whose online name and byline is the same as this blog. Check the byline on our posts if you haven’t done so in the past. You’ll note we have different voices and opinions, different writing styles. I tend to be the most open about my dislike for what the Republican Party has become since 1978, when I last toyed with being Republican. Marcy and the rest of the crew tend to be more generous or less open in their vituperation. Take note of the byline when you read and comment, thanks.

Still indulging in female artist K-pop, choosing this video for a very specific reason…

TWO DAYS
That’s it, what’s left of today and all day tomorrow — that’s all the U.S. House will be in session for July. Outstanding job this week trashing the EPA with bullshit riders, GOP members. Way to fucking go with extending your run serving corporations ahead of the people.

Tick-tock.

BAD GIRL (UK edition)
After today’s wash list of badness, I can hardly wait to hear what comes of May’s visit on Friday to Scotland.

BAD GIRL (domestic edition)

PokéGone
The list of accidents resulting from distraction by Pokémon GO grows by leaps and bounds. These are among the worst so far. Just a matter of time before a fatality occurs.

Wheels

Keep an eye on this topic

Catch you tomorrow for the last in-session day in U.S. House.

Tesla Patches Faster than Chrysler … and than Android [UPDATED]

Wired’s hack-of-the-day story reports that researchers hacked a Tesla (unlike the Chrysler hack, it required access to the vehicle once, though the Tesla also has a browser vulnerability that might not require direct access).

Two researchers have found that they could plug their laptop into a network cable behind a Model S’ driver’s-side dashboard, start the car with a software command, and drive it. They could also plant a remote-access Trojan on the Model S’ network while they had physical access, then later remotely cut its engine while someone else was driving.

The story notes how much more proactive Tesla was in patching this problem than Chrysler was.

The researchers found six vulnerabilities in the Tesla car and worked with the company for several weeks to develop fixes for some of them. Tesla distributed a patch to every Model S on the road on Wednesday. Unlike Fiat Chrysler, which recently had to issue a recall for 1.4 million cars and mail updates to users on a USB stick to fix vulnerabilities found in its cars, Tesla has the ability to quickly and remotely deliver software updates to its vehicles. Car owners only have to click “yes” when they see a prompt asking if they want to install the upgrade.

In my understanding, Tesla was able to do this both because it responded right away to implement the fix, and because it had the technical ability to distribute the update in such a way that was usable for end users. Chrysler deserves criticism for the former (though at least according to Chrysler, it did start to work on a fix right away, it just didn’t implement it), but the latter is a problem that will take some effort to fix.

Which is one reason I think a better comparison with Tesla’s quick fix is Google’s delayed fix for the Stagefright vulnerability. As the researcher who found it explained, Google addressed the vulnerability internally immediately, just like Tesla did.

Google has moved quickly to reassure Android users following the announcement of a number of serious vulnerabilities.

The Google Stagefright Media Playback Engine Multiple Remote Code Execution Vulnerabilities allow an attacker to send a media file over a MMS message targeting the device’s media playback engine, Stagefright, which is responsible for processing several popular media formats.

Attackers can steal data from infected phones, as well as hijacking the microphone and camera.

Android is currently the most popular mobile operating system in the world — meaning that hundreds of millions of people with a smartphone running Android 2.2 or newer could be at risk.

Joshua Drake, mobile security expert with Zimperium, reports

A fully weaponized successful attack could even delete the message before you see it. You will only see the notification…Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.

Zimperium say that “Google acted promptly and applied the patches to internal code branches within 48 hours, but unfortunately that’s only the beginning of what will be a very lengthy process of update deployment.”

But with Android the updates need to go through manufacturers, which creates a delay — especially given fairly crummy updating regimes by a number of top manufacturers.

The experience with this particular vulnerability may finally be pushing Android-based manufacturers to fix their update process.

It’s been 10 days since Zimperium’s Joshua Drake revealed a new Android vulnerability called Stagefright — and Android is just starting to recover. The bug allows an attacker to remotely execute code through a phony multimedia text message, in many cases without the user even seeing the message itself. Google has had months to write a patch and already had one ready when the bug was announced, but as expected, getting the patch through manufacturers and carriers was complicated and difficult.

But then, something unexpected happened: the much-maligned Android update system started to work. Samsung, HTC, LG, Sony and Android One have already announced pending patches for the bug, along with a device-specific patch for the Alcatel Idol 3. In Samsung’s case, the shift has kicked off an aggressive new security policy that will deploy patches month by month, an example that’s expected to inspire other manufacturers to follow suit. Google has announced a similar program for its own Nexus phones. Stagefright seems to have scared manufacturers and carriers into action, and as it turns out, this fragmented ecosystem still has lots of ways to protect itself.

I make this comparison for two reasons. One, if Google — the customers of which have the hypothetical ability to send out remote patches, even if they’ve long neglected that ability — still doesn’t have this fixed, it’s unsurprising that Chrysler doesn’t yet.

But some of the additional challenges that Chrysler has that Tesla has fewer of stem from the fragmented industry. Chrysler’s own timeline of its vulnerability describes a “third party” discovering the vulnerability (not the hackers), and a “supplier” fixing it.

In January 2014, through a penetration test conducted by a third party, FCA US LLC (“FCA US”) identified a potential security vulnerability pertaining to certain vehicles equipped with RA3 or RA4 radios.

A communications port was unintentionally left in an open condition allowing it to listen to and accept commands from unauthenticated sources. Additionally, the radio firewall rules were widely open by default which allowed external devices to communicate with the radio. To date, no instances related to this vulnerability have been reported or observed, except in a research setting.

The supplier began to work on security improvements immediately after the penetration testing results were known in January 2014.

But it’s completely unclear whether that “third party” is the “supplier” in question. Which means it’s unclear whether this was found in the supplier’s normal testing process or in something else.

One reason cars are particularly difficult to test is that so many different suppliers provide parts which don’t get tested (or even adequately specced) in an integrated fashion.

Then, if you need to fix something you can’t send out over a satellite or Internet network, you’re dealing with the — in many cases — archaic relationships car makers have with dealers, not to mention the limitations of dealer staff and equipment to make the fix.

I don’t mean to excuse the automotive industry — they’re going to have to fix these problems (and the same problems lie behind fixing some of the defects tied to code that doesn’t stem from hacks, too, such as Toyota’s sudden acceleration problem).

It’s worth noting, however, how simplified supply and delivery chains make fixing a problem a lot easier for Tesla than it is for a number of other entities, both in and outside of the tech industry.

UPDATE — 4:30 PM EDT —

Hey, it’s Rayne here, adding my countervailing two cents (bitcoins?) to the topic after Marcy and I exchanged a few emails about this topic. I have a slightly different take on the situation since I’ve done competitive intelligence work in software, including open source models like Android.

Comparing Fiat Chrysler’s and Google’s Android risks, the size and scale of the exposures are a hell of a lot different. There are far more Android devices exposed than Chrysler car models at risk — +1 billion Android devices shipped annually around the globe as of 4Q2014.

Hell, daily activations of Android devices in 2013 were 1.2 million devices per day — roughly the same number as all the exposed Chrysler vehicles on the road, subject to recall.

Google should have a much greater sense of urgency here due to the size of the problem.

Yet chances of a malware attack on an Android device actually causing immediate mortal threat to one or more persons are very low, compared to severity of Chrysler hack. Could a hacker tinker with household appliances attached via Android? It’s possible — but any outcome now is very different from a hacker taking over and shutting down a vehicle operating at high speed in heavy traffic, versus shutting off a Philips remote-controlled Hue lamp or a Google Nest thermostat, operating in the Internet of Things. The disparity in annoyance versus potential lethality may explain why Google hasn’t acted as fast as Tesla — but it doesn’t explain at all why Chrysler didn’t handle announcing their vulnerability differently. Why did they wait nearly a year to discuss it in public?

Was Chrysler’s Vehicle Hacking Risk an SEC Disclosure Reportable Event?

[photo: K2D2vaca via Flickr]

Remember the data breach at JPMorgan Chase, exposing 76 million accounts to “hack-mapping”? Last October, JPMorgan Chase publicly disclosed the intrusion and exposure to investors in an 8-K filing with the Securities and Exchange Commission. The statement complied with the SEC’s CF Disclosure Guidance: Topic No. 2 – Cybersecurity.

Other companies whose customers’ data have been exposed also disclosed breaches in 8-Ks, including Target, TJX Companies, Heartland Payment, EMC and Google. (Firms NASDAQ, Citigroup and Amazon have not.)

Disclosure of known cybersecurity threats or attacks with potential material risks allows investors to make informed decisions. Stock share pricing will fluctuate and reflect the true market value once risk has been factored by investors — and not remain artificially high.

Fiat Chrysler America (FCA; NYSE:FCAU) has known for nearly a year about the risk that Chrysler vehicles could be hacked remotely, according to Fortune magazine Thursday.

Yet to date no filing with the SEC has been made, disclosing this specific cyber risk to investors, customers, and the public.

The SEC’s Disclosure Guidance, though, is just that — guidance. There aren’t any firm rules yet in place, and the guidance itself was published in October 2011. A lot has happened and changed about technology and cybersecurity risks since then; the guidance has not reflected the increasing threats and attacks to business’ data.

Nor does the SEC’s guidance distinguish between cybersecurity threats to service products (like banking services), versus hardlines or manufactured goods (like automobiles which offer software as an additional, non-essential feature). The software industry’s chronic security patching confuses any distinction; should software companies likewise include all security patches in their SEC filings, or continue as they have without doing so? It’s easy to see how revelations about Adobe Flash after Hacking Team was hacked have materially hurt Adobe and all companies relying on Flash — yet Adobe hasn’t released a statement at its website. (Only a statement addressing the 2013 threat to customer accounts is posted.)

Are financial services firms any more obligated than software firms? Are automobile companies, which claim ownership of on-board software, any more obligated than software companies?

Why Apple Should Pay Particular Attention to Wired’s New Car Hacking Story

This morning, Wired reports that the hackers who two years ago hacked an Escape and a Prius via physical access have hacked a Jeep Cherokee via remote (mobile phone) access. They accessed the vehicle’s Electronic Control Unit and from that were able to get to ECUs controlling the transmission and brakes, as well as a number of less critical items. The hackers are releasing a report [correction: this is Markey’s report], page 86 of which explains why cars have gotten so much more vulnerable (generally, a combination of being accessible via external communication networks, having more internal networks, and having far more ECUs that might have a vulnerability). It includes a list of the most and least hackable cars among the 14 they reviewed.

Today Ed Markey and Richard Blumenthal are releasing a bill meant to address some of these security vulnerabilities in cars.

Meanwhile — in a remarkably poorly timed announcement — Apple announced yesterday that it had hired Fiat Chrysler’s former quality guy, the guy who would have overseen development of both the hackable Jeep Cherokee and the safer Dodge Viper.

Doug Betts, who led global quality at Fiat Chrysler Automobiles NV until last year, is now working for the Cupertino, Calif.-based electronics giant but declined to comment on the position when reached Monday. Mr. Betts’ LinkedIn profile says he joined Apple in July and describes his title as “Operations-Apple Inc.” with a location in the San Francisco Bay Area but no further specifics.

[snip]

Along with Mr. Betts, whose expertise points to a desire to know how to build a car, Apple recently recruited one of the leading autonomous-vehicle researchers in Europe and is building a team to work on those systems.

[snip]

In 2009, when Fiat SpA took over Chrysler, CEO Sergio Marchionne tapped Mr. Betts to lead the company’s quality turnaround, giving him far-reaching authority over the company’s brands and even the final say on key production launches.

Mr. Betts abruptly left Fiat Chrysler last year to pursue other interests. The move came less than a day after the car maker’s brands ranked poorly in an influential reliability study.

Note, the poor quality ratings that preceded Betts’ departure from Fiat Chrysler pertained especially to infotainment systems, which points to electronics vulnerabilities generally.

As they get into the auto business, Apple and Google will have the luxury that struggling combustion engine companies don’t have — that they’re not limited by tight margins as they try to introduce bells and whistles to compete on the marketplace. But they’d do well to get this quality and security issue right from the start, because the kind of errors tech companies can tolerate — largely because they can remotely fix bugs and because an iPhone that prioritized design over engineering can’t kill you — will produce much bigger problems in cars (though remote patching will be easier in electric cars).

So let’s hope Apple’s new employee takes this hacking report seriously.