I must admit, I started writing "You are not their customer" after beginning "How to secure your code." And I haven't exactly made this into securing code. So what do all these bits on breaking into cars mean? On the disclaimer side, nothing I've mentioned are really important secrets. A bit of common sense or a trip to a junkyard would give away all these bits. I doubt my comments will make Ford increase their security, or get VW to restore a passenger-side lock. Frankly, I don't mind that Fords are insecure, because it means my job is easier.
But the one thing these lockouts have done for me is reinforce the adage about secure computers, cut lines, and poured concrete. A 100% secure car doesn't exist, and attempts towards that make the car unusable. Physical access is the most effective attack, and pretty unavoidable, especially in the day and age of stolen laptops. A good security is a proactive one, like the lexus locking itself back up. Requiring as little user interaction, like the passive keyfob, is best.*
A security system that requires the user or others to act will fail. Car alarms will be ignored by the general public, and so will antivirus and patch updates. Mind you, they are beneficial, but they shouldn't be your last line of defense. And social engineering will defeat alarms, especially if they go off too often. Expect Vista malware that poses as security alerts until the user either disables the real security, or the user enters their password in the false alert.
While a large target will make it attractive, that doesn't let a manufacturer off the hook (Ford and popup locks). Another maker will have the exact same mechanism, but with a simple and slight twist, that will make things much more secure (Honda with blocks).
Security by obscurity, as it's been said time and time again, is doomed to fail. Once a car or program is sold, it will be opened up and examined, one way or another. And even if the exact details aren't known, poking and prodding, and seeing how the parts you can see change, will tell volumes.
There will always be exploits and attempts where the attacker acts like the user, or the car thief uses tools as if they're already inside the car. It's possible to make these tougher, with curved buttons or CAPTCHAs, but even then, there'll be ways around it or improved techniques. I'm not sure there is a way to completely protect against these.
* Hunh. Note to self: has anyone made a laptop honey-pot or tripwire? That is, a little program or file that attracts the laptop thief to run first. It could be called 'tax forms' or 'employee database', and when it runs, the real information is deleted while the would-be thief peruses over the fake honey-pot. It's not all that secure, but it could be more effective than a password that the valid user keeps forgetting or makes weak. All the valid user has to do is know to not run the honey-pot.
