I can understand a company using git as its source control software, but for code which is essentially the company's crown jewels trade secret, why use GitHub as the repository rather than run their own? It's somebody else's computer.
GitHub shrugs off drone maker DJI's crypto key DMCA takedown effort
GitHub rejected a DMCA takedown request from Chinese drone-maker DJI after someone forked source code left in the open by a naughty DJI developer, The Register can reveal. This included AES keys permitting decryption of flight control firmware, which could allow drone fliers with technical skills to remove geofencing from the …
COMMENTS
Thursday 25th January 2018 14:16 GMT Anonymous Coward
one experience ...
When I worked for a big insurance company, it took 3 years to get a server approved along with the necessary resources to set it up, and configure it into service.
It took 10 minutes to spin up an Azure VM.
Now apply that to getting a source control solution in place ...
-
Thursday 25th January 2018 14:37 GMT alain williams
Re: one experience ...
When I worked for a big insurance company, it took 3 years to get a server approved along with the necessary resources to set it up, and configure it into service.
Find a desktop PC that is being replaced, wipe it & install Linux, hide it under your desk. It will work nicely as a Git machine or similar. By the time that management discover it - it will be too vital for them to remove.
I've done this several times. The only time that I had a problem was when a janitor type was the one who 'safely disposed' of old machines; he did not like it when I took one, as it meant less money for him as he 'securely disposed' of them at car boot sales.
-
Thursday 25th January 2018 15:19 GMT Nolveys
Re: one experience ...
When I worked for a big insurance company, it took 3 years to get a server...It took 10 minutes to spin up an Azure VM.
I was in a situation a few years ago in which our deadline had gone from a month to a few days while we were waiting for a server to be provisioned.
My boss called someone in the company who was good at dealing with these sorts of issues; he immediately solved the problem. The solution lay in company security policy. Policy stated that the security group had to audit the non-existent server before it could go into use. Since the security group takes at least 6 months to even start looking at anything, we were in the clear.
The moral of the story is to not go around policy to get your job done, but to use company policy to make other people responsible for everything.
-
Friday 26th January 2018 23:30 GMT MachDiamond
Re: one experience ...
"The moral of the story is to not go around policy to get your job done, but to use company policy to make other people responsible for everything."
That depends highly on how you are evaluated. I had no end of problems getting sign-offs on avionics details from other departments so I could freeze designs and get the hardware built, but it was never a problem to criticize me, yell at me, etc. when hardware was late. Solution: have a coworker in software go through the design as a second set of eyeballs to find errors, and just send out the files to get the PCBs made. It was the sort of place where there was never time to get things right, but having to do them over wasn't a problem.
-
Friday 26th January 2018 07:53 GMT Steve Davies 3
Re: It took 10 minutes to spin up an Azure VM
and it took 30 seconds to shut it down and wipe it because your mega corp forgot to pay the bill.
There are risks in life. I guess that 3 years to secure your company's IP is not very important then? Didn't you talk to the legal dept? Or Information Security?
-
Thursday 25th January 2018 14:37 GMT Pascal Monett
Re: It's somebody else's computer
And for the life of me, I can't understand why people are so prompt in throwing data at it.
Education on this point is going to be long and painful, and there will be tears before things get better.
Just because clouds have silver linings doesn't mean you can ignore the dark thunderstorm brewing within.
-
Thursday 25th January 2018 14:42 GMT Tom 38
git is not the same as github. github provides many workflow features that are unavailable in git, and combine together to increase productivity, eg issue tracking, pull requests, 3rd party tool integration to do CI, deployments, packaging... github is more than hosted git and a web viewer.
-
Thursday 25th January 2018 15:26 GMT Tom 38
Re: "github provides many workflow features"
Nothing you can't setup on your own with free tools, if you don't want to pay, and get better ones with far more control.
You don't actually understand how commercial IT works I'm guessing. There is no option if I "don't want to pay". I either pay someone else to set it up for me and maintain and host it, or I pay in my time and resources to configure it, maintain and host it myself. The first option just takes a small amount of money, but the second one costs immediate development time (whilst we're setting it up) and reduces velocity (any time we need to maintain it) and introduces risks (disaster recovery).
As to "better ones with far more control", this is hardly accurate. As an example, we use the Sentry.io error reporting tool on some of our projects. This is an open source project, you can install it in house and host it yourself, which we did for about a year before switching to have them host. Guess what? Their hosted version has more features than they put in the open source public one.
The costs of hosting (2 application servers, two database, one redis) and the support costs (1 developer for 3 weeks initially, 1 more week doing upgrades) dwarfed what it would have cost us to have sentry host it. We get an additional developer-month of progress on our own tasks.
-
Thursday 25th January 2018 16:24 GMT Anonymous Coward
"You don't actually understand how commercial IT work"
Sorry, my friend, I lead a commercial IT department, and we have all the tools GitHub have installed and properly working locally. Fully tailored to our needs.
Sure, we pay hardware and people to take care of them, why shouldn't we? It's part of the costs of the business, especially to keep everything inside the security perimeters and have full control on accesses and auditing. Free tools lower those costs a little.
You may go cheap and outsource everything, and then find yourself in situations like this.
Just remember, one day you could be outsourced too... if all that matters are only "costs". There's always someone cheaper.
-
Friday 26th January 2018 00:37 GMT Adam 52
Re: "github provides many workflow features"
"If you're incompetent enough to post your keys to github"
When it comes to posting keys to source control, there are those who have and those who have yet to.
When you do it yourself, remember who you called incompetent.
(no, I haven't, but members of my team have and so have the people who laughed at them).
-
Friday 26th January 2018 10:47 GMT Anonymous Coward
Re: "github provides many workflow features"
> (no, I haven't, but members of my team have and so have the people who laughed at them).
Exactly. If it can happen it can happen to anyone (especially those who think highly of themselves!), which is why you put active and passive measures in place and even so, you better have a plan for *when* (not if) things go wrong anyway.
-
Sunday 28th January 2018 02:50 GMT Justin Clift
Re: "github provides many workflow features"
> > Nothing you can't setup on your own with free tools, if you don't want to pay, and get better ones with far more control.
> Some links would be helpful.
Gitea is a good start. Decent UI, and very lightweight on resources. eg can be run effectively on Raspberry Pi style hardware, though for real business use you'd want it on something proper. :)
GitLab has more features than Gitea, though its user interface fairly sucks and it's a resource pig (written in Ruby). It can also grow into a PITA to admin over time if your needs aren't basic.
Pick whichever takes your fancy, or do some searching online for others. The above two aren't the only ones. :)
-
-
Friday 26th January 2018 12:43 GMT Hans 1
Re: "github provides many workflow features"
And without a TOS stating that even if you make a mistake, you lose control of your property....
If you legally have proprietary source code and you want to put that on "a computer that is NOT owned by the company you work for" without clearance, you are irresponsible. This is NOT a mistake, this is irresponsible! Putting it on public GitHub is even more so, as it de facto makes the source code open source. If you do not know that, what are you doing in software development?
-
Friday 26th January 2018 14:13 GMT Ian Johnston
Re: "github provides many workflow features"
If you legally have proprietary source code and you want to put that on "a computer that is NOT owned by the company you work for" without clearance, you are irresponsible. This is NOT a mistake, this is irresponsible!
So if I post stolen or otherwise improperly acquired code to public GitHub, and the owners don't ask for it to be removed within ten days, there is nothing they can do?
-
Thursday 25th January 2018 15:28 GMT Tom 38
And making it publicly available when not intended. Has that offset the productivity gains?
Only very specific people with very specific permissions can make a private repository into a public one. I would have thought that DJI made every developer have that very specific permission (normally just one user in the entire company has that permission).
-
Thursday 25th January 2018 22:35 GMT Anonymous Coward
Anon for obvious reasons: I work at a large bank, which is diving full heads-on into DevOps.
We - essentially a DevSecOps team - used to run our own repo server and were "persuaded" to please join the enterprisey one, which is a cloud-hosted version of Enterprise GitHub.
Fine, but we'll need to lock down our repos as they have sensitive... what's that? All repos are *public* by default?! Why?! "Because in the spirit of the Internet it's all about sharing our code through the organisation" is the nearly literal answer I got.
Fortunately they exposed the REST API, because 'twas a rushed 30 minutes to 1 hour to hack up an auto-job which goes and sets all our repos back to private, because they won't let us change the default for our Team.
Don't get me wrong: I think all this devopsy/cloudy Brave New World could be a boon if done right.
But the way I see it happening so often will end in tears.
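An auto-job of the kind the comment above describes, written here as an added example (it is not the commenter's script): it pages through an organisation's public repositories with the GitHub REST API and flips each one back to private. Assumed: a token with admin rights on the repos, supplied via the hypothetical GH_ORG and GH_TOKEN environment variables; the constructed SAMPLE_PAGE stands in for one page of API output.

```python
#!/usr/bin/env python3
"""Set every public, non-archived repo in an org back to private via the GitHub REST API."""
import json
import os
import re
import urllib.request

API = "https://api.github.com"  # for GitHub Enterprise Server use https://<host>/api/v3

# Constructed sample of one page of GET /orgs/{org}/repos output (only the fields used here).
SAMPLE_PAGE = [
    {"full_name": "acme/flight-control", "private": False, "archived": False},
    {"full_name": "acme/internal-docs", "private": True, "archived": False},
    {"full_name": "acme/legacy-fw", "private": False, "archived": True},
]

def parse_next_link(link_header):
    """Return the rel="next" URL from a GitHub Link header, or None on the last page."""
    if not link_header:
        return None
    for part in link_header.split(","):
        m = re.match(r'\s*<([^>]+)>;\s*rel="next"', part)
        if m:
            return m.group(1)
    return None

def public_repos(repos):
    """Names of repos that are public and not archived (archived repos reject visibility changes)."""
    return [r["full_name"] for r in repos if not r.get("private") and not r.get("archived")]

def api_call(method, url, token, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"token {token}",
        "Accept": "application/vnd.github+json",
        "Content-Type": "application/json",
    })
    with urllib.request.urlopen(req) as resp:
        return json.load(resp), resp.headers.get("Link")

def reprivatise(org, token):
    """Walk all pages of the org's public repos and PATCH each one to private; return names changed."""
    url = f"{API}/orgs/{org}/repos?type=public&per_page=100"
    changed = []
    while url:
        repos, link = api_call("GET", url, token)
        for name in public_repos(repos):
            api_call("PATCH", f"{API}/repos/{name}", token, {"private": True})
            changed.append(name)
        url = parse_next_link(link)  # follow pagination until no rel="next"
    return changed

if __name__ == "__main__":
    print(reprivatise(os.environ["GH_ORG"], os.environ["GH_TOKEN"]))
```

Run it from a scheduler so a repo created public between runs stays exposed for minutes rather than indefinitely.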
-
Friday 26th January 2018 10:41 GMT Anonymous Coward
> Fine, but we'll need to lock down our repos as they have sensitive... what's that? All repos are *public* by default?
As they have sensitive what?
There are a few cases where it does make sense to restrict access to source code, even within an organisation, but in general that strikes me as not a very good idea. Not that flagging some code "private" in an otherwise wide-open system offers any sort of real security anyway.
In my case, we're not a software organisation at all, but we do develop a bunch of in-house tools to assist in our goals. As a rule, once those are of good enough quality, or after they have served their primary competitive purpose, we release them publicly as open source. Not that anyone else seems to have much of a need for them, but knowing that their work will be up for public scrutiny does make our developers write significantly better quality, better documented and more secure stuff.
-
Thursday 25th January 2018 14:53 GMT Anonymous Coward
"why use Github"?
Because that's what fashion dictates and all cool developers are, they've been told to <G>. Sheep will follow the herd.
Despite all the babble about "decentralization", "individual power", etc. etc., the Internet is enforcing reduced individuality and high centralization. One Search Engine, One Social, One Repository, etc. etc.
One Site To Bind Them All.
-
Saturday 27th January 2018 10:26 GMT Oh Homer
"What are the lessons here?"
Only one lesson required: ultimately anyone can build their own drone and write their own control software, so attempting to "regulate" it, with copyrights or otherwise, is about as pointless as attempting to regulate the manifestation of psychotropic mushrooms on lawns.
-
Thursday 25th January 2018 14:29 GMT Anonymous Coward
The takeaway
Leaving aside all the sensationalism in the article, it seems worth pointing out:
1. Secrets do not belong in version control. This can be enforced by developer education and by the use of pre-commit hooks as a second-level safety net (furthermore, I believe that GitLab can be set to reject commits containing potentially sensitive data?).
2. Once a secret has leaked, a take-down request may be a mitigation step, but by no means does it solve the problem. That was an expensive mistake to make.
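A pre-commit hook of the kind point 1 describes, added here as an example (it is not from the comment's author or from DJI): it reads the staged diff and rejects the commit if any added line looks like a private-key block, an AWS access key id, a hard-coded credential assignment, or a 32/64-character hex string with high entropy, which is the shape of a raw AES-128/256 key. The constructed SAMPLE_DIFF shows the rules on a mock diff; the regex patterns and entropy threshold are this example's own choices.

```python
#!/usr/bin/env python3
"""Pre-commit hook: refuse a commit whose staged additions look like secrets."""
import math
import re
import subprocess
import sys

HEX_KEY = re.compile(r"(?<![0-9a-fA-F])([0-9a-fA-F]{32}|[0-9a-fA-F]{64})(?![0-9a-fA-F])")
RULES = [
    ("private key block", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")),
    ("AWS access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("hard-coded credential",
     re.compile(r"\b(password|passwd|secret|token|api_key)\b\s*[:=]\s*['\"][^'\"]{8,}['\"]", re.I)),
]

# Constructed staged diff: a real-looking firmware key, an all-zero IV, a password, a removed line.
SAMPLE_DIFF = """diff --git a/fc/crypto.c b/fc/crypto.c
+++ b/fc/crypto.c
+static const char *fw_key = "3f9a7c1e5b2d8e4a6c0f1b3d5e7a9c2b";
+static const char *iv_zero = "00000000000000000000000000000000";
+passwd = "hunter2hunter2"
+int x = 1;
-password = "old-removed-secret"
"""

def shannon_entropy(s):
    """Bits per character of s; a hex string maxes out at 4.0, all-zero or repeated padding is low."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def find_secrets(diff_text):
    """Return (diff_line_no, reason, line) for each suspicious added line; removals are ignored."""
    hits = []
    for no, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only newly added content matters; '+++' is the file header
        body = line[1:]
        reason = next((r for r, rx in RULES if rx.search(body)), None)
        if reason is None:
            # 32/64 hex chars is the AES-128/256 key size; entropy filters zero IVs and 'deadbeef' fillers
            if any(shannon_entropy(m.group(1).lower()) >= 3.0 for m in HEX_KEY.finditer(body)):
                reason = "hex-encoded key"
        if reason:
            hits.append((no, reason, body.strip()))
    return hits

def main():
    diff = subprocess.run(["git", "diff", "--cached", "-U0", "--no-color"],
                          capture_output=True, text=True, check=True).stdout
    hits = find_secrets(diff)
    for no, reason, text in hits:
        print(f"diff line {no}: {reason}: {text[:80]}", file=sys.stderr)
    if hits:
        print("commit rejected: remove the secret and load it from a vault or env at runtime", file=sys.stderr)
    return 1 if hits else 0

if __name__ == "__main__":
    sys.exit(main())
```

Save it as .git/hooks/pre-commit and make it executable; since hooks are per-clone and skippable with --no-verify, pair it with the same scan in CI or a server-side hook.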
-
Thursday 25th January 2018 14:37 GMT Anonymous Coward
Any idea?
Why would drone owners want to remove the geofencing feature? It would seem to me that it works in everyone's favour, by helping to keep safe areas that need to be safe and drone flyers out of potential trouble.
Not saying that everyone who disables the feature is acting irresponsibly, but it seems to make it easier to shoot yourself and your drone-flying community at large in the foot.
-
Thursday 25th January 2018 15:01 GMT Anonymous Coward
"Why would drone owners want to remove the geofencing feature?"
Because there are a lot of idiots around?
BTW - many geofencing limits can be removed following a proper procedure - the procedure depends on the sensitivity of the area; some cannot be removed anyway - they are just logged. Thereby, if you know what you are doing and have proper permissions, you can remove limits.
Of course there are jerks, tinfoil hat wearers, etc. etc. who think they are the only important person in the Universe and can do whatever they like, disturbing and putting in danger things, animals and people - just to have their own fun.
-
Thursday 25th January 2018 15:19 GMT quartzie
Re: Any idea?
Because in some countries, the geofences are set up so rigidly it is virtually impossible to fly even in your garden.
Fortunately not the case in most of Europe, but DJI's geofencing has been known to fork up people's toys.
That, and because idiots want close ups of flying jetliners.
-
Thursday 25th January 2018 15:39 GMT Joe Harrison
Re: Any idea?
I haven't got a drone but my guess is that the geofences are arbitrary and don't make sense? Like you want to fly your drone in the park but the council's head of estate management works in a shed there and someone has geofenced it as a sensitive government building.
I really doubt hobbyists are going to go Aha now I can disable the Heathrow zone, not with the brownstorm that would mean they had to deal with.
-