Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Tuesday November 21 2017, @09:53AM   Printer-friendly
from the not-the-bugs-getting-squashed dept.

A bug bounty hunter shared evidence; DJI called him a hacker and threatened with CFAA.

https://arstechnica.com/information-technology/2017/11/dji-left-private-keys-for-ssl-cloud-storage-in-public-view-and-exposed-customers/

DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, drivers licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.

Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA). DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."

-- submitted from IRC


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Interesting) by DannyB on Tuesday November 21 2017, @03:35PM

    by DannyB (5839) Subscriber Badge on Tuesday November 21 2017, @03:35PM (#599691) Journal

    There are some companies that offer genuine bug bounties. Organizations that are genuinely interested in security and grateful to be informed of bugs they can fix.

    Then there are the irresponsible companies that will try to punish anyone trying to help them.

    It is in the interests of the first group to find some kind of systematic ways to punish the second group. Maybe by submitting amicus curiae during litigation. Maybe by getting laws passed that protect responsible disclosure done in a specified responsible way. Maybe by working toward reform of CFAA and the like.

    It just feels like somehow that second group need to incur some kind of financial cost so great that putting their head on a pike, it stands as a warning to the next ten generations.

    --
    People today are educated enough to repeat what they are taught but not to question what they are taught.
    Starting Score:    1  point
    Moderation   +2  
       Interesting=2, Total=2
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   4