myteslalogs.com

I just received an email from someone named Ashman stating the following:

+++++++
Hope you must be really enjoying driving your Model S. However, how often have you calculated the electricity that you used for charging your Model S? Do you really remember how much you travelled yesterday or on a particular day or in a month or in a year?

Introducing a free online offering that will allow you to securely maintain your driving logs for your Model S.

The site Login starting today will offer registered Model S owners a way to maintain their driving logs. Model S owners will be able to register their vehicle details on the website at no cost and from that day onwards they will be able to access their driving logs - 24 hours a day - 365 days a year.

Cheers!

Ashman
+++++++++

Attached to the email is a purported pdf file "manual.pdf". I navigated to the website mentioned and it is just a place to login or create a login name. This all seems very fishy (pun intended). Anyone know anything about it? And, no, I haven't clicked on the pdf file.

Thanks.

cgiGuy | May 1, 2013

Sandbox the PDF and open 'er up.

pebell | May 1, 2013

I can't comment on whether this is "fishy" or not. But what this "Ashman" is promising, is actually possible. There is an API (programming interface) with which anyone on the internet can communicate with your car, and obtain the kind of data from it that would be needed for these logs.

Anyone that has your Tesla username/password, that is. And therein lies the problem. Because you would have to provide this information to this "Ashman" for this purpose.

But with that username/password, he could do much more than just acquire those battery/travel statistics. He can get your GPS location. And unlock your car. A very tricky combination, as I'm sure you'll agree!

What Tesla needs to do is provide a standard authentication/authorization mechanism known as "OAuth" on their API. That way, you as a user could give a third party like "Ashman" the rights to access only _certain_ parts of information, without needing your username/password. And you could revoke this privilege at any time, by going to teslamotors.com and revoking his access rights.

To the best of my knowledge, Tesla has not provided such an authorization mechanism yet. So the conclusion is: NEVER NEVER NEVER give your Tesla username/password to ANYONE. And you'll find Ashman won't be able to provide you with those logs without it.

pebell | May 1, 2013

I really hope Tesla is reading this. I know for a fact there is a (as of yet, small) community of programmers out there (myself included) that is hoping for a legitimate and secure way of writing mobile apps and websites for the Tesla Model S. If Tesla waits too long with an official SDK (software development kit), more and more of these unsecure, possibly fishy initiatives will come along, that will leave a bad taste in everyone's mouth for years to come.

Captain_Zap | May 1, 2013

I would like to know how this person got information about your e-mail address and how they knew that you owned a Tesla.

cgiGuy | May 1, 2013

Email or call him and ask.

From GoDaddy's "whois" for myteslalogs.com

Registered through: GoDaddy.com, LLC (http://www.godaddy.com)
Domain Name: MYTESLALOGS.COM
Created on: 01-Mar-13
Expires on: 01-Mar-14
Last Updated on: 01-Mar-13

Registrant:
Ashman Deokar
929 E Leo Pl
Chandler, Arizona 85249
United States

Administrative Contact:
Deokar, Ashman ashman.deokar@gmail.com
929 E Leo Pl
Chandler, Arizona 85249
United States
6232034820

Technical Contact:
Deokar, Ashman ashman.deokar@gmail.com
929 E Leo Pl
Chandler, Arizona 85249
United States
6232034820

Captain_Zap | May 1, 2013

There is a warning at TMC that this is a possible scam.

Cattledog | May 1, 2013

Sounds like a Seinfeld episode where there was a license plate for AS*MAN!

www.teslamodels.wordpress.com

adeokar | July 16, 2013

All,
There is nothing fishy about the site and the PDF. My only intent is to have Tesla take notice of some useful things that one can do with the APIs they have developed. This is a small project I did and thought I would share with other Model S owners. Being as paranoid as you all are, I have tried my best to ensure that the Tesla account details remain secure and the data collected is only limited to what is needed to maintain a driving log and time spent charging.
Please feel free to contact me if you have concerns. I am in no way trying to con anyone or hide any of my personal information. All emails that I have sent are to folks who have shared them with me.
As*(h)man

gasnomo | July 16, 2013

on the other hand, www.tripography.com is a legit site for tracking your usage...

Satheesh.net | July 16, 2013

ashman.deokar: Any screenshots or a little more description would be appreciated. If you want people to take interest that is. With all due respect.

adeokar | July 17, 2013

Not sure how I do that... cannot place screenshots on this site. If you send me your email, I can send them to you.

adeokar | July 17, 2013

I think the concept is same as what tripography is doing, but the dashboard on myteslalogs.com is more useful.

pebell | July 17, 2013

@wormhole: How is this tripography any more "legitimate" than myteslalogs?

The point remains: you are entering your username/password, that belongs to "teslamotors.com", in a browser page where the URL does not read "teslamotors.com" but a totally different website. Which means that the persons behind that website are not affiliated in any way with Tesla Motors, and are therefore, by definition, strangers.

So effectively, you hand your username and password to perfect strangers, knowing full well that by doing so you empower them to, within seconds, find out the _exact_ location where your car is parked, and even unlock the doors.

If you think that is legitimate, can I ask you for your paypal username/password? I promise I am legitimate too and I won't use it to transfer any money, really, scout's honor! :)

axehomeyg | July 17, 2013

Many software companies choose to open their APIs in an effort to foster an ecosystem of third-party utilities. Tesla seems to be playing it by ear right now as the API is unofficial. They could easily cut off Ashman's access in the event of abuse. I'd be inclined to trust him until then. Tesla credentials get you access to the (read-only, I think) car automation, not your bank account, after all.

pebell | July 17, 2013

NOT read only! Everything the app does. Start & stop charging, lock/unlock doors, open/close sunroof...

pebell | July 17, 2013

And Tesla couldn't "cut off Ashman's access" because you gave him YOUR user account! Tesla can't see if it is him or you that is using the API (the same API that your mobile app uses).

It is more the other way around - Ashman can cut YOU off, because he can log in to the Tesla site and change your password for you..

Incredible how in this day and age some people STILL have no clue about protecting your digital identity..

dirkhh | July 17, 2013

Let's separate two things.

a) the way Tesla has set this up is truly foolish and incredibly stupid. Having a single way to authenticate access to their site AND API means it's all or nothing. This one user ID / password gives access to everything, including position of the car and a means to unlock it. Hello? Anyone home? Are you completely clueless???

b) the people offering the web services are in a difficult position. In order to provide the interesting data they need your user ID / password. That doesn't mean that they have bad intentions. But it means that they need to prove that they don't and need to show what they do to protect the extremely valuable information that they get. Much as I would love to have a dashboard like both sites present (actually, myteslalogs looks better to me), I would never dream of handing my login information to such a site without much better understanding how it is being protected.

But fundamentally, Tesla needs to create an API with finely granular control over which calls are accessible for which user. This way the app could create their own user and we could give access to some of our data to that user/app.

Given how much engineering expertise Tesla has shown elsewhere this is not something that should be hard for them. But just like everything else, it's a matter of priorities. I'd rather get the guide lines in the rear camera, frankly. And in the meantime I'll set up my own data collection and visualization - where I control the access (and security) of my login data.

pebell | July 17, 2013

@dirkhh: +1

I absolutely agree, on both points. And I never said or even implied that I believe Ashman (or any other developer currently using the API) has any bad intentions - merely that if everyone just starts giving out their username/password to unknown parties, a "bad apple" is going to come along soon enough.

To me it is incredible that Elon Musk, inventor of PayPal and thereby front runner when it comes to internet security, is not insisting on his developers using a simple and established security protocol like OAuth, which would make all these issues disappear.

gasnomo | July 17, 2013

pebell,
I believe the authentication issues for the 2 sites are different. Tripography does not store one's userid/password for Tesla; it uses them once to get a security token, which must be renewed periodically. I believe ashman's works as you suggested. Very different from what I understand.

pebell | July 17, 2013

@wormhole,

It's been a few months since I looked in-depth at the unofficial API, so it is possible that some improvements have been made. I will look into that first chance I get and if so, I might have to refine some of the statements I made. But I can say for a fact that no "token authentication" was implemented when I investigated it.

That being said, no "token authentication" is of ANY use if it still requires you to fill in your username/password in any site other than teslamotors.com. Because you would still have to take their word for it that they won't store and/or use your credentials.

One way to find out whether Tripography is indeed using token authentication is if one would provide his/her username/password at the Tripography site, then immediately go to the Tesla site and change his/her password. If that person would then go back to Tripography and still get access to his/her car's data, then the claim that they do not use username/password but use a security token is valid.

You'll forgive me for not testing it out myself :)
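The three ways a logging site could hold access that pebell's posts contrast (a stored password, a token obtained once with the password, and an OAuth-style scoped grant), run through the password-change test, as an added example that is not part of the thread and not Tesla's API. `VehicleAccount`, its action names and `site_capabilities` are hypothetical, and the model assumes tokens stay valid across a password change.

```python
import secrets

class VehicleAccount:
    # Toy owner account in front of a car API (constructed model, not Tesla's API).
    ACTIONS = {"read_stats", "read_location", "unlock_doors", "change_password"}
    def __init__(self, password):
        self.password = password
        self.grants = {}                      # token -> set of allowed actions
    def _issue(self, scopes):
        token = secrets.token_urlsafe(16)
        self.grants[token] = set(scopes)
        return token
    def login(self, password):                # password login: full owner rights
        if not secrets.compare_digest(password, self.password):
            raise PermissionError("bad credentials")
        return self._issue(self.ACTIONS)
    def authorize(self, owner_token, scopes): # OAuth-style scoped delegation
        if not self.allowed(owner_token, "change_password"):
            raise PermissionError("only the owner can delegate")
        return self._issue(set(scopes) & self.ACTIONS)
    def allowed(self, token, action):
        return action in self.grants.get(token, ())
    def revoke(self, token):                  # owner withdraws one grant
        self.grants.pop(token, None)
    def change_password(self, token, new_password):
        if not self.allowed(token, "change_password"):
            raise PermissionError("not permitted")
        self.password = new_password

def site_capabilities(mode):
    # Actions a third-party site can perform before and after a password change.
    acct = VehicleAccount("owner-pw")         # constructed credential
    owner = acct.login("owner-pw")
    if mode == "stored_password":             # site keeps the password
        get_token = lambda: acct.login("owner-pw")
    elif mode == "password_once":             # site logs in once, keeps the token
        get_token = lambda tok=acct.login("owner-pw"): tok
    else:                                     # "scoped_grant": read_stats only
        get_token = lambda tok=acct.authorize(owner, {"read_stats"}): tok
    def probe():
        try:
            token = get_token()
        except PermissionError:
            return set()
        return {a for a in acct.ACTIONS if acct.allowed(token, a)}
    before = probe()
    acct.change_password(owner, "new-pw")     # the test described in the thread
    return before, probe()
```

In this model the test separates a stored password from a token, but a token obtained by password login still carries every owner right, including unlocking. Only the scoped grant limits the site to `read_stats`, and `revoke` withdraws it without a password change.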

gasnomo | July 17, 2013

pebell,
so I did as you suggested, twice, and tripography still shows my info.

gasnomo | July 17, 2013

well scratch that, sort of...the "Daily Driving" chart is now blank, but the "Daily Driving Distribution" still shows data...

Peter7 | July 17, 2013

Pebell,

I use Tripography and can confirm that it does use a token and the test works as you describe it should.

As for Tripography, the person who runs the page has worked with a number of S owners over the past six months including the group that reran the DC-Boston Broder trip. He ran the code that had the cars live tweeting. There is an entire thread on TMC about this already so I won't rehash that, but a large number of us are very pleased with Tripography.

Peter

Chuck Lusin | July 17, 2013

Looking at the Daily Driving Distance Distribution chart, the bulk of the driving is in the 40kWh range.

http://tripography.com/

Brian H | July 17, 2013

Peter7;
RU ever going to release the plans for the Multi-Input EVSE?

gasnomo | July 18, 2013

that said, i do not see yesterday's driving information on tripography today...i assume i should since it is token based authentication...

gasnomo | July 22, 2013

So after a number of days after having changed my tesla id/password, my car's stats are not showing up on tripography, which would lead me to believe it is not using a token as I was originally led to believe.

Satheesh.net | July 22, 2013

ashman.deokar: I've uploaded a few of your screenshots for easier access.

http://bildr.no/image/b2hOekZr.jpeg

http://bildr.no/image/UjlpcGpy.jpeg

http://bildr.no/image/aG1aZ05F.jpeg

http://bildr.no/image/VkFGUll0.jpeg

http://bildr.no/image/aTNseVJp.jpeg

http://bildr.no/image/WlB5ZlEw.jpeg

I think the idea seems really good. But like a lot of others I'm also concerned about the privacy part as a whole.

Regards,
Satheesh Varadharajan
www.it-norge.no

jat | July 24, 2013

@pebell - you do get a session cookie after logging in, and you can use that for a while to access the base API. For the streaming API, you have to get tokens through the base API, and use them to authenticate.

Tesla really should implement OAuth so you don't have to give your credentials to someone else.

Barring that, I won't enter them to an app unless I can inspect the source, and that concern is why I never built a web service to log the streaming API, as I figured few people would actually use it.

twestberg | July 24, 2013

Someday I hope Tesla implements something like OAuth, and even opens up more of the car's API. For now I support the priorities they seem to be following: the Car.

And the next Car, the Model X, has to be getting some engineering attention.

To conceive of an idea is not to see it fully realized. There are many great ideas proposed on these forums that could have value to Tesla and its customers. But it's also quite important for a company to know how many balls its management and engineering structures can juggle in the air. They have quite a few up there at the moment.