A bug bounty hunter shared evidence; DJI called him a hacker and threatened with CFAA.
DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, drivers licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.
Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushbackâincluding a threat of charges under the Computer Fraud and Abuse Act (CFAA). DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."
-- submitted from IRC
(Score: -1, Offtopic) by Anonymous Coward on Tuesday November 21 2017, @03:29PM (2 children)
Exactly. The only scenario I would possibly, ever even consider disclosing a vuln like this to a vendor is if I had cisfemale privilege, which I will never have, so meh.
Cisfemale privilege is the only durable way to not immediately be seen as a “hacker” up to no good, complete with the presumption that the only reason one has such skills is because one is a failure at executing her assigned gender caste (without which, heteronormative feminist hegemony would like us to imagine life being meaningless) and are completely without financial or sexual value to womyn-born-womyn.
(Yes, I forgot to log in. Meh. If one cannot separate my AC posts from AC posts such as a whopper last night [that nearly got a 10 page response from me before I realized that I was trying to even when even-ing, in $current_year, is a futile pursuit], then I am not doing a good enough job of presenting my viewpoint and arguments. I will strive to do better.)
(Score: 2) by DannyB on Tuesday November 21 2017, @03:36PM (1 child)
Learn chmod.
To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
(Score: 2) by AssCork on Tuesday November 21 2017, @06:48PM
Hm, so anybody can just come in and write to the device? Sounds legit.
Just popped-out of a tight spot. Came out mostly clean, too.