New to forums and Rivian - want to discuss my pre-purchase concerns

[antimatter]

You sound a lot like me before I bought my R1T. I test drove everything in EV pickup - R1T, Silverado RST, and Ford Lightning. I was really attracted to the Silverado's battery size, mostly because I worried about running out of charge in some deserted area and having to wait hours for a tow to get me to where I wanted to be. After a lot of soul-searching I went with the Rivian, mostly because (at the time) Chevrolet wouldn't bargain at all on the price, and I actually got scoffed at when I suggested that I'd like to pick an RST up for under $80K. I can do that now, buying used, but I've decided to stick with my Rivian.

My needs broke down as:
1. Commuter Vehicle - I used my Honda Ridgeline as my primary commuting vehicle to drive the 40-ish miles to and back from my work place. Where I work has free parking, but its in an older ramp that has some pretty tight confines.. Even with the rear-wheel steering, an RST would be a handful there.
2. Grocery-getter- My wife hates grocery shopping, so I do most of it and I run other errands (I like to drive). I wanted something that do that and not be a PITA in parking lots.
3. Dirt/Garden waste hauler & DIY project shipping - Where a full-sized pickup would be nice, but I can get by with a medium truck.
4. 4x per year RV towing - We go on a couple of camping trips per year, plus I do some camping for a club I'm in. The RST would be nice for that, but I made the Rivian work.

I don't know if you saw my post about going from Minneapolis to Billings, MT to pick up a camper and hauling it back in one weekend, during a period when the temps ranged from 20 F to -4F, but I made it. My R1T can haul the RV a solid 100 miles between charges at 60 mph, and even made a hilly 135 mile pull on the first leg of the return trip by slowing down to 55 mph.

I say this with no rancor, but you might want to wait a few years before you commit to an EV truck. Battery tech is advancing rapidly and there are several Chinese companies that are putting some amazing charging and energy density tech out there. I personally think they'll make the whole EREV thing moot in 5 years, but as they say, "Man Plans, God Laughs". If you've got to have the towing/temp performance you mentioned, pick up a used diesel truck and keep an eye on EV tech as it comes out. You should be able to sell the diesel with minimal loss, and transition to an EV when tech meets your expectations. Best of luck with whatever you decided.

Sponsored

 

[Zoidz]

Yes, demanding security and privacy for owners is a bridge too far for uneducated people who don't understand the loss and the risks. I am very sorry you are incapable of that level of insight and understanding.

Ah, so your take is blind acceptance and/or having the same deciding factors that you did for your purchase or no other viewpoint is valid.

But truly, go stuff your pretentious self in a closet.

You guys have been brainwashed into believing you either have to accept tracking with newer vehicles or drive something old.

Also, sideloading is not a security risk in and of itself. Any software that I would choose to put on would be my decision as the owner of the vehicle, it is not their place to decide which software I should use.
...
These companies actually look at the owners as the security risk. F that and them.

As a self-professed security expert, I'm sure you know that most people and therefore customers ARE a security risk with respect to sideloading. Millions of people compromise their devices daily by clicking on malware attachments, malware links, malware browser extensions, etc.

It's pretentious to think that Rivian should leave the sideloading gates wide open for you because you as a security expert demand it, ignoring the fact that 98% of the other people might sideload malware, creating huge support issues for Rivian, as well as the possibility of legal issues in the event a side loaded app caused a real world vehicle accident.

It's quite clear who is pretentious...

 

[getut]

As a self-professed security expert, I'm sure you know that most people and therefore customers ARE a security risk with respect to sideloading. Millions of people compromise their devices daily by clicking on malware attachments, malware links, malware browser extensions, etc.

It's pretentious to think that Rivian should leave the sideloading gates wide open for you because you as a security expert demand it, ignoring the fact that 98% of the other people might sideload malware, creating huge support issues for Rivian, as well as the possibility of legal issues in the event a side loaded app caused a real world vehicle accident.

It's quite clear who is pretentious...

Zoidz, I never said I expected them to leave it open, but I was hoping that someone had found a hole to be able to do it to close security gaps like loading firewalls and other quality of life apps.

But also, the point that many of you miss, is that what is done with a thing after a person buys it is completely their choice and the problem with the way that modern connected things work is that they monetize you.

Make no mistake, the lockdowns and forced cloud usage in modern connected things, EV's included, is not to protect you or me. It is done to protect them from us. Every time systems are locked down in a way that locks the OWNER out of the system, it is done for these reasons and these reasons only.... all of them weaponize the thing against the owner of the thing 1) to enable artificial crippling of devices in a way that allows them to sell that functionality back, 2) to lock you in to their ecosystem, 3) to make sure that all data flows through them so it can be datamined. 4) to force you to have an ongoing relationship with the company even if you dont want to. I do want to clarify that there are cases where cloud is inevitable like for true services tied to an application function (mapping is a good example, also antivirus software both examples of TRUE services as opposed to most cloud things which are pseudo services forced to the cloud just so they can be monetized or locked down for some future monetization). Those cloud services also give manufacturers a forced EOL to where they can make you buy a new thing just by saying this is end of life and killing all of those services that they suckered you into being dependent on.

So we are back to the statement that no device manufacturer should ever have more control over a thing than the owner of that thing. No matter how you slice it, from the owners perspective not being able to lock out the manufacturer is a privacy and security risk. Even for things that are usually good like updates, Manufacturers should not be able to connect at all without the owners approval.

 

[Alan in Tempe]

But also, the point that many of you miss, is that what is done with a thing after a person buys it is completely their choice and the problem with the way that modern connected things work is that they monetize you.

I'm not trying to minimize the wrongness of what many companies do with your private data (I agree), but you are missing the point that you are not buying the software (with the possible exception of the embedded non-volatile code). You are licensing it with some valid legal restrictions on its use made by the company. There is a conflict of rights here, and you are ignoring one side of that conflict entirely. Hardware and intellectual property are distinctly different in many respects, with good reasons and laws.

 

[getut]

I'm not trying to minimize the wrongness of what many companies do with your private data (I agree), but you are missing the point that you are not buying the software (with the possible exception of the embedded non-volatile code). You are licensing it with some valid legal restrictions on its use made by the company. There is a conflict of rights here, and you are ignoring one side of that conflict entirely. Hardware and intellectual property are distinctly different in many respects, with good reasons and laws.

I am not arguing against that, only that people need to start learning and being aware of what they are buying and push back against it. Without either severe consumer pushback or regulations from the government, nothing is going to change.

With proven governmental guidance on proper network security and the fact that nearly all IoT, as designed and implemented, completely prevents owners from being able to implement worldwide accepted best practice for securing things, there is however a good argument that these systems are broken, which then allows the owner to take steps to fix broken equipment, EVEN when that equipment is functioning exactly as THEY designed it and as stated in the EULA. This is a gray area in law and is being fleshed out little by little and there is beginning to be some light that people DO have the right to do what is necessary to secure their things DESPITE what EULA's say. So for example, sideloading or rooting an infotainment system and putting on a firewall app that allows you to block even system apps from communicating with Rivian or GM or whoever is most likely shaping up to be an acceptable hack from a legal standpoint and will very likely be fully defensible when one makes it that far.

But this needs to be pursued along all paths. Technological pushback (hacking to secure our things), Political (push for government regulations that say that owners MUST have the option to lock out even manufacturers from their things without loss of non-service related functionality and with service functionality being things like mapping that requires live data feeds) but with the ability to lock out and have full granular control over the connections your things make you also would have the ability to carve out exceptions like allowing google map data through without allowing Rivian or GM or VW or anyone to have access to anything else. People have already been fighting this by trying to get regulations through that enshrine owner rights and there is some progress being made.

But one thing is very sure. Without people being aware and pushing back, nothing will change other than it getting even worse. Again, I am not advocating for things like Rivian services to be blocked completely. People SHOULD have the ability to opt in to cloud services that enable things like the app to work, but there should also be local services that give you the ability to control things directly without having to ask someone who doesnt own the thing, to have permission to control the thing that you own. This is the part that I find ridiculous. People just do not understand that phone apps, as currently designed are not controlling your IoT device or vehicle. You are connecting to equipment not under your control and asking permission from people to control YOUR thing from people that should never be allowed to retain control in the first place. Ownership means control. Everyone would call it batshart insane if they bought a house and the realtor kept the keys to the house and insisted that you ask them to open the door for your every time you came and went and that also controlled how you decorated and used your home but as a side effect of that, they also know and document every time you come and go opening you to malicious insiders selling information or working with other malicious actors. GM has already been busted selling data without even bothering to anonymize it. THIS is the reason that trust is never security. That is what trust buys you.... absolutely nothing.

 

[freshpow]

You keep repeating that anyone who disagrees with you just "doesn't understand". We understand. We do not care. If you really want to boycott the practice and fight the good fight, you should just stop purchasing products that offend your sensibilities.

 

[Dave Cundiff]

@getut wrote, in part:

"You are connecting to equipment not under your control and asking permission from people to control YOUR thing from people that should never be allowed to retain control in the first place. Ownership means control. Everyone would call it batshart insane if they bought a house and the realtor kept the keys to the house and insisted that you ask them to open the door for your every time you came and went and that also controlled how you decorated and used your home but as a side effect of that, they also know and document every time you come and go opening you to malicious insiders selling information or working with other malicious actors. GM has already been busted selling data without even bothering to anonymize it. THIS is the reason that trust is never security. That is what trust buys you.... absolutely nothing."

@getut, can you give me a current Rivian example of this current obuse? Happy to hear it!

***

In the meantime, my mind goes to a (mostly non-automotive) analogy:

***

We buy products from the App Store.

We mostly trust Apple to verify that each app's information security is reasonable -- for a reasonably cautious end user.

Apple maintains a rulebook, to which we and the app vendors must adhere if we want to use the App Store to sell and buy products. The rulebook restricts all parties, but if it is wisely designed and enforced it also protects all parties.

Apple collects a fee for its services, I believe as a percentage (which operates as a markup) of what we pay.

Apple knows that if they allowed vendors to inflict unreasonable risks on their end users, their reputation will suffer.

***

We buy hardware, software, and information services from Rivian.

We mostly trust Rivian. We're not aware that Rivian has ever betrayed that trust in the information security field. Rivian knows that if they betrayed that trust, their reputation would suffer.

We're happy to have Rivian collecting our data for real-world software improvement (including as "ground truth" for current and future driver assist and autonomous driving functions). If they protect our privacy while they do it, everyone benefits.

***

If I understand the world in the same way as @getut understands it, I would probably behave and write as @getut does. That doesn't mean that @getut is right or wrong, or that I am. I cannot tell whether @getut understands better than I do, or worse than I do -- so I can only say that @getut and I think differently.

A life without any trust is a miserable life. A life with too much trust results in profound harm. As far as I know, literature has explored "trust issues" for as long as there has been literature.

We're all doing the best we can with what we've got. This forum is valuable because ALL of our minds are more valuable and accurate than ANY of our minds. The forum is most valuable if all of us are willing to change our minds when evidence merits it.

Thanks to all!

 

[Donald Stanfield]

It really is a shame that people can't simultaneously like something while calling out severe shortcomings.

This is a terrible take. Things are what they are. I don't buy a banana at the store then piss and moan because it doesn't taste like an apple. You know what you're getting from either platform. You are free to take it or leave it, but complaining that it isn't what you want is a waste of everyone's time.

 

[getut]

can you give me a current Rivian example of this current obuse? Happy to hear it!

I have been giving examples. The biggest is the app itself. Again with that app you are not controlling your thing directly. You are logging in to servers you dont control, to ask permission from someone who does not own the thing to be able to control that thing that you do own. They are controlling your thing for you and have ultimate say over whether it is done or not or even what and how you access your own thing. While not necessarily bad, and I would not advocate for that to not exist, manufacturers retaining control of something should always only be an OPTION for those who don't want to control their own security. But also, just by the very existence of the app and other features, Rivian is demanding that this thing always be connected to the internet. That also is very bad security wise. Not firewalled in any way that the owner can stop and start that communication only when he determines it is needed, because that is the government own guidance on security. Is that things NOT be left online all the time and should only be allowed to connect when there is a documented need. Rivian and other EV makers do not currently allow that level of security. Their entire software design is designed, on purpose, to keep you connected to them, to keep you communicating with them, to keep your data flowing through them so they can datamine every aspect. All it takes is one bad employee selling your data, or telling someone you arent home to be used against you in any number of ways. Again 90% of breaches are insiders of so called trusted orgs but again, the current worldwide best practice for security is air gapping and locking manufacturers out... this is called the zero trust model. Trust has no place in network security.

Even their options if you choose to force them to go another way are meant to be punitive if you choose to "fight" them on it, this proves beyond a shadow of a doubt that their goal is datamining, not allowing you secure options... but if you choose to call Rivian and demand that the 4G/5G be disabled, THEY WILL DO IT. But they also send a kill switch to certain other features and apps that are not TRULY related to the 4G/5G connectivity. For example if you kill that cellular connectivity, they kill other services that would technically still function over wifi. They CLAIM that killing the cellular is what kills those apps, but those apps are technologically able to function over ANY network, not just the cellular, but they kill those apps to make the system unusable for you in any way unless you use the connectivity mechanism that allows them to data mine you and force you to trust them with your security rather than have any say in it yourself.

We buy products from the App Store.

We mostly trust Apple to verify that each app's information security is reasonable -- for a reasonably cautious end user.

There is no use case where a walled garden ecosystem is better for users in the long run. At least a forced one. As an option that someone can opt into then yes. But "forced" as the only option, that is never good. This doesn't matter whether it is game consoles, Apple or Android phones or vehicles. For forced walled garden ecosystems to be able to be forced, that requires locking down the hardware in a way that weaponizes that hardware against the owner and treats the owner as the thing that they need to secure against. That is absolutely reversed from the way it should be. Owners should have ultimate control over their things otherwise they are not the owner. If an owner does not have the ability to lock out the manufacturer then they are not the owner. And again, zero trust is the worldwide gold standard for securing things. Walled garden eco systems and lack of ownership rule out the ability of the owner to implement zero trust security configurations. And for EV's these things are attached to electrical infrastructure in a way that centralized hacking increases the liklihood that when something does happen it will involve an entire companies worth of vehicles, not just one.

We mostly trust Rivian. We're not aware that Rivian has ever betrayed that trust in the information security field. Rivian knows that if they betrayed that trust, their reputation would suffer.

Again, Trust is not a security model. It never has been and never will be. Trust can be given, but with the lack of user security in IoT products, Rivians included. Trust is all you have. You have no choice but to trust because they don't allow you the ability to do anything else with the thing that you own.

 

[getut]

This is a terrible take. Things are what they are. I don't buy a banana at the store then piss and moan because it doesn't taste like an apple. You know what you're getting from either platform. You are free to take it or leave it, but complaining that it isn't what you want is a waste of everyone's time.

While you are somewhat correct, the problem, and the reason why pushback is that there is no choice. All EV makers are doing this in some fashion. So to get a modern vehicle you have no choice but to buy one with these anti-consumer, anti-ownership, anti-security things with the only available option to pushback against manufacturers and try to get government regulation to enforce that everyone should have the ability to secure their things up to and including guidance that government gives commercial and industrial entities. THat means implenting a zero trust security model that allows locking the manufacturer out of what they manufacture once it is in use by the end user.

Also, you are advocating just being a fanboy. Fanboy attitudes hurt everyone in the long run. When someone buys a thing, they are weiging all pros and cons. Refusing to voice the cons hides issues from the manfacturer that can be used to make the product better. It also hides those issues from other prospective buyers.

 

[Dave Cundiff]

While I disagree that @Donald Stanfield is "advocating just being a fanboy," I'm otherwise pleased with the factual tone of @getut's most recent posts.

'm not changing my behavior at this time, and I'm still trusting RJ to lead Rivian in "doing the right thing" as much as possible, but I'm definitely learning from this discussion.

Thanks, @getut and others!

 

[Donald Stanfield]

While you are somewhat correct, the problem, and the reason why pushback is that there is no choice. All EV makers are doing this in some fashion. So to get a modern vehicle you have no choice but to buy one with these anti-consumer, anti-ownership, anti-security things with the only available option to pushback against manufacturers and try to get government regulation to enforce that everyone should have the ability to secure their things up to and including guidance that government gives commercial and industrial entities. THat means implenting a zero trust security model that allows locking the manufacturer out of what they manufacture once it is in use by the end user.

Also, you are advocating just being a fanboy. Fanboy attitudes hurt everyone in the long run. When someone buys a thing, they are weiging all pros and cons. Refusing to voice the cons hides issues from the manfacturer that can be used to make the product better. It also hides those issues from other prospective buyers.

Do you really not see even the smallest bit of a contradiction in complaining about connected cars, and wanting to buy one of the most connected cars on the planet? Tech companies ALL have your data. This has been going on in that space for 20 years. Why do you want to buy a car that moves you closer to that model if it bothers you so much?

 

[mkhuffman]

Do you really not see even the smallest bit of a contradiction in complaining about connected cars, and wanting to buy one of the most connected cars on the planet? Tech companies ALL have your data. This has been going on in that space for 20 years. Why do you want to buy a car that moves you closer to that model if it bothers you so much?

This is the perfect vehicle for the disconnected driver:

 

[getut]

Do you really not see even the smallest bit of a contradiction in complaining about connected cars, and wanting to buy one of the most connected cars on the planet? Tech companies ALL have your data. This has been going on in that space for 20 years. Why do you want to buy a car that moves you closer to that model if it bothers you so much?

There is no choice anymore. All vehicles are heading down this path. There is no choice but to go with new and fight the issues and hopefully get regulation from government that stops this crap if the companies don't do it themselves. I work in technology. I want connected things, but not connected things that use me as the item being bought and sold. And no, technology companies do not have a large amount on me, at least anything usable because don't use products as sold. I don't use products that remain under someone else's control without taking that control back or doing things to anonymize or make their tracking harder. Heck even my kids gaming consoles that require internet purchases, we don't buy games under a single account. We create a new user account with new email address one per game. We root our phones and install island that uses faked device id's per application and sandboxes each from each other and all are partially de-googled. People don't have to accept being bought and sold.

 

[Donald Stanfield]

There is no choice anymore. All vehicles are heading down this path. There is no choice but to go with new and fight the issues and hopefully get regulation from government that stops this crap if the companies don't do it themselves. I work in technology. I want connected things, but not connected things that use me as the item being bought and sold. And no, technology companies do not have a large amount on me, at least anything usable because don't use products as sold. I don't use products that remain under someone else's control without taking that control back or doing things to anonymize or make their tracking harder. Heck even my kids gaming consoles that require internet purchases, we don't buy games under a single account. We create a new user account with new email address one per game. We root our phones and install island that uses faked device id's per application and sandboxes each from each other and all are partially de-googled. People don't have to accept being bought and sold.

You're mistaken. Companies are tracking everything you do, easily.

Sponsored