A bug bounty hunter shared evidence; DJI called him a hacker and threatened him with the CFAA.
DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left both the private key for the "wildcard" certificate covering all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, driver's licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.
Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA). DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."
-- submitted from IRC
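The leak described in the summary is the classic shape of a secrets-in-source incident: a PEM private key and AWS credentials checked into a repository that later became public. The following is an added example (not code from the article, from DJI, or from the researcher) of the kind of pre-commit check that catches exactly those two artifact types. The patterns, the entropy threshold, and the sample file contents are constructed for the example; the key values in the sample are the placeholder credentials from AWS's own documentation, not real secrets.

```python
"""Pre-commit secret scanner for PEM private keys and AWS credentials.

Added example, not code from the page. Run it over staged files (or any
text) and block the commit when it returns findings.
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Long-lived IAM access key IDs are 20 characters and start with "AKIA".
AWS_ACCESS_KEY_ID = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")

# Any PEM private-key header (RSA, EC, PKCS#8 "PRIVATE KEY", ...). A leaked
# wildcard TLS certificate key would appear exactly like this.
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")

# Candidate secret access keys: a 40-character base64-style token that sits
# near the words "aws" and "secret" on the same line (assumed heuristic).
AWS_SECRET_KEY = re.compile(
    r"(?i)aws.{0,20}?secret.{0,20}?['\"]?([A-Za-z0-9/+=]{40})['\"]?"
)


@dataclass
class Finding:
    line_no: int
    kind: str
    snippet: str  # redacted: never echo a full secret into logs


def shannon_entropy(s: str) -> float:
    """Bits per character. Random 40-char secrets score well above 4.0;
    fixed-width placeholders such as 'AAAA...' score near 0."""
    if not s:
        return 0.0
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def scan_text(text: str, min_entropy: float = 4.0) -> list[Finding]:
    """Return one Finding per suspicious token, in line order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append(Finding(line_no, "aws-access-key-id", m.group(1)[:8] + "..."))
        if PEM_PRIVATE_KEY.search(line):
            findings.append(Finding(line_no, "pem-private-key", line.strip()))
        for m in AWS_SECRET_KEY.finditer(line):
            token = m.group(1)
            # The entropy gate drops obvious placeholders and padding strings.
            if shannon_entropy(token) >= min_entropy:
                findings.append(Finding(line_no, "aws-secret-access-key", token[:4] + "..."))
    return findings


def should_block_commit(text: str) -> bool:
    """Policy hook: any finding blocks the commit."""
    return bool(scan_text(text))


# Constructed sample of a config file that should never reach a public repo.
# Credential values are the documented AWS placeholder examples.
SAMPLE_CONFIG = """\
region = "us-east-1"
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
AWS_SECRET_PLACEHOLDER = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
# wildcard cert key pasted for "convenience":
-----BEGIN RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.kind}: {f.snippet}")
    print("block commit:", should_block_commit(SAMPLE_CONFIG))
```

Wired into a pre-commit or pre-push hook, a scanner like this is the cheap control that turns a leaked wildcard key or AWS credential into a local failure rather than a public disclosure; the redacted snippets keep the scanner's own output from becoming a second copy of the secret.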
(Score: 3, Funny) by c0lo on Tuesday November 21 2017, @12:48PM (3 children)
...because profit is king.
If you are a Chinese business, perhaps the above needs to be corrected to "profit is the emperor".
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 0) by Anonymous Coward on Tuesday November 21 2017, @01:50PM (1 child)
You're out of date by about a century. It's "profit is the General Secretary" these days.
(Score: 2) by c0lo on Tuesday November 21 2017, @02:20PM
There's no "Profit is Mr. President" saying in America, is there now?
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by AnonTechie on Tuesday November 21 2017, @08:10PM
The road to hell is paved with good intentions ... true in this case and in so many others.
Albert Einstein - "Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
(Score: 3, Insightful) by MichaelDavidCrawford on Tuesday November 21 2017, @03:19PM
For finding a security hole called Threats-Not
Yes I Have No Bananas. [gofundme.com]
(Score: 5, Touché) by Anonymous Coward on Tuesday November 21 2017, @03:20PM (3 children)
This is what they call "Responsible Disclosure." You disclose a vulnerability and the company tries to hold you responsible.
(Score: -1, Offtopic) by Anonymous Coward on Tuesday November 21 2017, @03:29PM (2 children)
Exactly. The only scenario I would possibly, ever even consider disclosing a vuln like this to a vendor is if I had cisfemale privilege, which I will never have, so meh.
Cisfemale privilege is the only durable way to not immediately be seen as a “hacker” up to no good, complete with the presumption that the only reason one has such skills is because one is a failure at executing her assigned gender caste (without which, heteronormative feminist hegemony would like us to imagine life being meaningless) and are completely without financial or sexual value to womyn-born-womyn.
(Yes, I forgot to log in. Meh. If one cannot separate my AC posts from AC posts such as a whopper last night [that nearly got a 10 page response from me before I realized that I was trying to even when even-ing, in $current_year, is a futile pursuit], then I am not doing a good enough job of presenting my viewpoint and arguments. I will strive to do better.)
(Score: 2) by DannyB on Tuesday November 21 2017, @03:36PM (1 child)
Learn chmod.
The lower I set my standards the more accomplishments I have.
(Score: 2) by AssCork on Tuesday November 21 2017, @06:48PM
Hm, so anybody can just come in and write to the device? Sounds legit.
Just popped-out of a tight spot. Came out mostly clean, too.
(Score: 4, Interesting) by DannyB on Tuesday November 21 2017, @03:35PM
There are some companies that offer genuine bug bounties. Organizations that are genuinely interested in security and grateful to be informed of bugs they can fix.
Then there are the irresponsible companies that will try to punish anyone trying to help them.
It is in the interests of the first group to find some kind of systematic ways to punish the second group. Maybe by submitting amicus curiae during litigation. Maybe by getting laws passed that protect responsible disclosure done in a specified responsible way. Maybe by working toward reform of CFAA and the like.
It just feels like somehow that second group needs to incur some kind of financial cost so great that, with their head on a pike, it stands as a warning to the next ten generations.
The lower I set my standards the more accomplishments I have.
(Score: 0) by Anonymous Coward on Tuesday November 21 2017, @11:11PM
DJI: so confident that they can just piss off security researchers!
Looking for competing vendors now ...