GitHub shrugs off drone maker DJI's crypto key DMCA takedown effort

GitHub rejected a DMCA takedown request from Chinese drone-maker DJI after someone forked source code left in the open by a naughty DJI developer, The Register can reveal. This included AES keys permitting decryption of flight control firmware, which could allow drone fliers with technical skills to remove geofencing from the …


  1. Doctor Syntax Silver badge

    I can understand a company using git as its source control software, but for code which is essentially the company's crown-jewels trade secret, why use Github as the repository rather than run their own? It's somebody else's computer.

    1. Anonymous Coward

      one experience ...

      When I worked for a big insurance company, it took 3 years to get a server approved along with the necessary resources to set it up, and configure it into service.

      It took 10 minutes to spin up an Azure VM.

      Now apply that to getting a source control solution in place ...

      1. Flakk

        Now apply that to getting a source control solution in place ...

        So, in your estimation, this is an instance of shabby Shadow IT run amok? Sure, spin up a hosted VM, but why not then use it to run a private Git?

      2. Doctor Syntax Silver badge

        Re: one experience ...

        "It took 10 minutes to spin up an Azure VM."

        How's the VM being paid for? If it's on somebody's credit card being claimed back on expenses what happens if that somebody leaves? Is there anything important on it?

        1. Peter 26

          Re: one experience ...

          MSDN license? You get enough free credits each month to do quite a bit. I've got a couple of servers running at the moment free of charge for testing.

      3. alain williams Silver badge

        Re: one experience ...

        When I worked for a big insurance company, it took 3 years to get a server approved along with the necessary resources to set it up, and configure it into service.

        Find a desktop PC that is being replaced, wipe it & install Linux, hide it under your desk. It will work nicely as a Git machine or similar. By the time that management discover it - it will be too vital for them to remove.

        I've done this several times. The only time that I had a problem was when a janitor type was the one who 'safely disposed' of old machines; he did not like it when I took one as it meant less money for him as he 'securely disposed' of them at car boot sales.

      4. Nolveys

        Re: one experience ...

        When I worked for a big insurance company, it took 3 years to get a server...It took 10 minutes to spin up an Azure VM.

        I was in a situation a few years ago in which our deadline had gone from a month to a few days while we were waiting for a server to be provisioned.

        My boss called someone in the company who was good at dealing with these sorts of issues; he immediately solved the problem. The solution lay in company security policy. Policy stated that the security group had to audit the non-existent server before it could go into use. Since the security group takes at least 6 months to even start looking at anything, we were in the clear.

        The moral of the story is to not go around policy to get your job done, but to use company policy to make other people responsible for everything.

        1. Doctor Syntax Silver badge

          Re: one experience ...

          "Since the security group takes at least 6 months to even start looking at anything we were in the clear."

          That's good to know. Especially if you're attempting to break into the company.

        2. MachDiamond Silver badge

          Re: one experience ...

          "The moral of the story is to not go around policy to get your job done, but to use company policy to make other people responsible for everything."

          That depends highly on how you are evaluated. I had no end of problems getting sign offs on avionics details from other departments so I could freeze designs and get the hardware built, but it was never a problem to criticize me, yell at me, etc when hardware was late. Solution: Have a coworker in software go through the design as a second set of eyeballs to find errors and just send out the files to get the PCS's made. It was the sort of place where there was never time to get things right, but having to do them over wasn't a problem.

      5. Steve Davies 3 Silver badge

        Re: It took 10 minutes to spin up an Azure VM

        and it took 30 seconds to shut it down and wipe it because your mega corp forgot to pay the bill.

        There are risks in life. I guess that 3 years to secure your company's IP is not very important then? Didn't you talk to the legal dept, or Information Security?

      6. Tom 7

        Re: one experience ...

        All that effort? Takes about a minute on my Pi Zero to install a git server and get it working - but then my internet is shit.

        1. Hans 1
          Boffin

          Re: one experience ...

          Takes about a minute on my Pi Zero to install a git server and get it working - but then my internet is shit.

          Takes about a minute on my Pi Zero to install git and get it working - but then my internet is shit.

          TFTFY

          1. Sir Runcible Spoon
            Coat

            Re: one experience ...

            "he did not like it when I took one as it meant less money for him as he 'securely disposed' of them at car boot sales."

            People actually bought them with no hard drives in them?

            1. Doctor Syntax Silver badge

              Re: one experience ...

              "People actually bought them with no hard drives in them?"

              Who said anything about no hard drives?

              1. Sir Runcible Spoon

                Re: one experience ...

                "Who said anything about no hard drives?"

                No-one, which was my point :P

    2. Pascal Monett Silver badge

      Re: It's somebody else's computer

      And for the life of me, I can't understand why people are so prompt in throwing data at it.

      Education on this point is going to be long and painful, and there will be tears before things get better.

      Just because clouds have silver linings doesn't mean you can ignore the dark thunderstorm brewing within.

    3. Tom 38

      git is not the same as github. github provides many workflow features that are unavailable in git, and combine together to increase productivity, eg issue tracking, pull requests, 3rd party tool integration to do CI, deployments, packaging... github is more than hosted git and a web viewer.

      1. Anonymous Coward

        "github provides many workflow features"

        Nothing you can't set up on your own with free tools, if you don't want to pay, and get better ones with far more control.

        And without a TOS stating that even if you make a mistake, you lose control of your property....

        1. Tom 38

          Re: "github provides many workflow features"

          Nothing you can't set up on your own with free tools, if you don't want to pay, and get better ones with far more control.

          You don't actually understand how commercial IT works I'm guessing. There is no option if I "don't want to pay". I either pay someone else to set it up for me and maintain and host it, or I pay in my time and resources to configure it, maintain and host it myself. The first option just takes a small amount of money, but the second one costs immediate development time (whilst we're setting it up) and reduces velocity (any time we need to maintain it) and introduces risks (disaster recovery).

          As to "better ones with far more control", this is hardly accurate. As an example, we use the Sentry.io error reporting tool on some of our projects. This is an open source project, you can install it in house and host it yourself, which we did for about a year before switching to have them host. Guess what? Their hosted version has more features than they put in the open source public one.

          The costs of hosting (2 application servers, two databases, one redis) and the support costs (1 developer for 3 weeks initially, 1 more week doing upgrades) dwarfed what it would have cost us to have Sentry host it. We get an additional developer-month of progress on our own tasks.

          1. Anonymous Coward

            "You don't actually understand how commercial IT works"

            Sorry, my friend, I lead a commercial IT department, and we have all the tools GitHub have installed and properly working locally. Fully tailored to our needs.

            Sure, we pay for hardware and people to take care of them, why shouldn't we? It's part of the costs of the business, especially to keep everything inside the security perimeter and have full control over access and auditing. Free tools lower those costs a little.

            You may go cheap and outsource everything, and then find yourself in situations like this.

            Just remember, one day you could be outsourced too... if all that matters are only "costs". There's always someone cheaper.

        2. DJ Smiley

          Re: "github provides many workflow features"

          If you're incompetent enough to post your keys to github, what says you're competent enough to run a git server, and not accidentally forget to back it up?

          The ToS say you get to keep the flaming wreckage in this case, much use it'll do you.

          1. Adam 52 Silver badge

            Re: "github provides many workflow features"

            "If you're incompetent enough to post your keys to github"

            When it comes to posting keys to source control, there are those who have and those who have yet to.

            When you do it yourself, remember who you called incompetent.

            (no, I haven't, but members of my team have and so have the people who laughed at them).

            1. Anonymous Coward

              Re: "github provides many workflow features"

              > (no, I haven't, but members of my team have and so have the people who laughed at them).

              Exactly. If it can happen it can happen to anyone (especially those who think highly of themselves!), which is why you put active and passive measures in place and even so, you better have a plan for *when* (not if) things go wrong anyway.

        3. Anonymous Coward

          Re: "github provides many workflow features"

          > Nothing you can't set up on your own with free tools, if you don't want to pay, and get better ones with far more control.

          Some links would be helpful.

          1. Justin Clift

            Re: "github provides many workflow features"

            > > Nothing you can't set up on your own with free tools, if you don't want to pay, and get better ones with far more control.

            > Some links would be helpful.

            Gitea is a good start. Decent UI, and very lightweight on resources. eg can be run effectively on Raspberry Pi style hardware, though for real business use you'd want it on something proper. :)

            GitLab has more features than Gitea, though it's user interface fairly sucks and it's a resource pig (written in Ruby). It can also grow into a PITA to admin over time if your needs aren't basic.

            Pick whichever takes your fancy, or do some searching online for others. The above two aren't the only ones. :)

        4. Hans 1
          Coat

          Re: "github provides many workflow features"

          And without a TOS stating that even if you make a mistake, you lose control of your property....

          If you legally have proprietary source code and you want to put that on "a computer that is NOT owned by the company you work for" without clearance, you are irresponsible. This is NOT a mistake, this is irresponsible! Putting it on public github even more so, as it de facto makes the source code open source. If you do not know that, what are you doing in software development?

          1. Ian Johnston Silver badge

            Re: "github provides many workflow features"

            If you legally have proprietary source code and you want to put that on "a computer that is NOT owned by the company you work for" without clearance, you are irresponsible. This is NOT a mistake, this is irresponsible!

            So if I post stolen or otherwise improperly acquired code to public GitHub, and the owners don't ask for it to be removed within ten days, there is nothing they can do?

      2. Doctor Syntax Silver badge

        "workflow features that are unavailable in git, and combine together to increase productivity, eg issue tracking, pull requests, 3rd party tool integration to do CI, deployments, packaging"

        And making it publicly available when not intended. Has that offset the productivity gains?

        1. Tom 38

          And making it publicly available when not intended. Has that offset the productivity gains?

          Only very specific people with very specific permissions can make a private repository into a public one. I would have thought that DJI made every developer have that very specific permission (normally just one user in the entire company has that permission).

          1. Paul Smith

            You have that backwards. When using a public service (such as github) only a very few people with very specific permissions can make your data actually private, and none of them work for you.

          2. Anonymous Coward

            Anon for obvious reasons: I work at a large bank, which is diving head-on into DevOps.

            We - essentially a DevSecOps team - used to run our own repo server and were "persuaded" to please join the enterprisey one. Which is a cloud-hosted version of Enterprise Github.

            Fine, but we'll need to lock down our repos as they have sensitive... what's that? All repos are *public* by default?! Why?! "Because in the spirit of the Internet it's all about sharing our code through the organisation" is the nearly literal answer I got.

            Fortunately they exposed the REST API, because 'twas a rushed 30 minutes to 1 hour to hack up an auto-job which goes and sets all our repos back to private. Because they won't let us change the default for our Team.

            Don't get me wrong: I think all this devopsy/cloudy Brave New World could be a boon if done right.

            But the way I see it happening so often will end in tears.
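The visibility-enforcement job the commenter describes, written out as an added example (this is not the commenter's script and not anything from GitHub or DJI). It assumes the organisation lives on github.com (`API_BASE`), that a token with admin rights on the organisation's repositories is supplied in `GITHUB_TOKEN`, and that the two documented REST endpoints `GET /orgs/{org}/repos` and `PATCH /repos/{owner}/{repo}` are reachable; the `FakeGitHub` class is a constructed stand-in so the job can be exercised offline. It adds two things the commenter's quick hack-up may not have had: an allowlist for repositories that are public on purpose, and a dry-run mode, which is what a defender wants before letting a scheduled job rewrite settings across an organisation.

```python
"""Audit job: find public repositories in a GitHub organisation and flip them
back to private. Added example, not the commenter's script. Assumptions (not
from the thread): github.com as API host, a GITHUB_TOKEN with repo admin
rights, and the REST endpoints GET /orgs/{org}/repos and PATCH /repos/{owner}/{repo}.
"""
import json
import os
import sys
import urllib.request

# Assumption: github.com. GitHub Enterprise Server would use https://HOST/api/v3.
API_BASE = "https://api.github.com"


def github_transport(method, url, headers, body=None):
    """Real HTTP transport: returns (status, decoded JSON body or None)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def auth_headers(token):
    return {
        "Authorization": f"Bearer {token}",
        "Accept": "application/vnd.github+json",
        "Content-Type": "application/json",
    }


def list_public_repos(org, token, transport=github_transport):
    """Walk the paginated org listing and return full names of public repos."""
    names, page = [], 1
    while True:
        url = f"{API_BASE}/orgs/{org}/repos?type=public&per_page=100&page={page}"
        status, batch = transport("GET", url, auth_headers(token))
        if status != 200:
            raise RuntimeError(f"listing repos failed with HTTP {status}")
        if not batch:
            return names
        # Check the `private` flag on each record rather than trusting the filter alone.
        names.extend(r["full_name"] for r in batch if not r.get("private", False))
        page += 1


def make_private(full_name, token, transport=github_transport):
    """PATCH the repository's visibility; True on success."""
    url = f"{API_BASE}/repos/{full_name}"
    status, _ = transport("PATCH", url, auth_headers(token), {"private": True})
    return status == 200


def enforce_private(org, token, allowlist=(), transport=github_transport, dry_run=False):
    """Return (changed, skipped): repos flipped to private, and repos left public
    because they are on the allowlist. With dry_run=True nothing is modified."""
    changed, skipped = [], []
    for name in list_public_repos(org, token, transport):
        if name in allowlist:
            skipped.append(name)
        elif dry_run or make_private(name, token, transport):
            changed.append(name)
    return changed, skipped


class FakeGitHub:
    """Constructed in-memory stand-in for the API so the job runs offline."""

    def __init__(self, public_repos):
        self.public = set(public_repos)
        self.calls = []

    def __call__(self, method, url, headers, body=None):
        self.calls.append((method, url, body))
        if method == "GET":
            page = int(url.rsplit("page=", 1)[1])
            if page > 1:
                return 200, []  # single page of results
            return 200, [{"full_name": n, "private": False} for n in sorted(self.public)]
        if method == "PATCH" and body == {"private": True}:
            name = url.split("/repos/", 1)[1]
            self.public.discard(name)
            return 200, {"full_name": name, "private": True}
        return 404, None


if __name__ == "__main__":
    org, token = os.environ.get("GITHUB_ORG"), os.environ.get("GITHUB_TOKEN")
    dry = "--dry-run" in sys.argv
    allow = [a for a in sys.argv[1:] if a != "--dry-run"]
    if org and token:
        changed, skipped = enforce_private(org, token, allow, dry_run=dry)
    else:  # no credentials: demonstrate against the constructed fake
        fake = FakeGitHub(["acme/payments", "acme/website", "acme/infra"])
        changed, skipped = enforce_private("acme", "x", ("acme/website",), fake, dry)
    print("made private:", changed)
    print("left public (allowlisted):", skipped)
```

Run it on a schedule with `--dry-run` first and diff the output against the allowlist; anything that shows up as "made private" is a repository someone created (or flipped) public since the last run, which is itself worth an alert, not just a silent fix.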

            1. Anonymous Coward

              > Fine, but we'll need to lock down our repos as they have sensitive... what's that? All repos are *public* by default?

              As they have sensitive what?

              There are a few cases where it does make sense to restrict access to source code, even within an organisation, but in general that strikes me as not a very good idea. Not that flagging some code "private" in an otherwise wide-open system offers any sort of real security anyway.

              In my case, we're not a software organisation at all, but we do develop a bunch of in-house tools to assist in our goals. As a rule, once those are good enough quality, or after they have served their primary competitive purpose, we release them publicly as open source. Not that anyone else seems to have much of a need for them, but knowing that their work will be up for public scrutiny does make our developers write significantly better quality, better documented and more secure stuff.

            2. Charlie Clark Silver badge

              Which is a cloud-hosted version of Enterprise Github.

              It's a joke. Every company I know goes with either Gitlab or Atlassian for hosting. Github is largely a data mining company.

    4. Anonymous Coward

      "why use Github"?

      Because that's what fashion dictates and all cool developers are, they've been told to <G>. Sheep will follow the herd.

      Despite all the babble about "decentralization", "individual power", etc. etc., the Internet is enforcing reduced individuality and high centralization. One Search Engine, One Social, One Repository, etc. etc.

      One Site To Bind Them All.

    5. sanmigueelbeer
      Unhappy

      why use Github as the repository rather than run their own

      Maybe because DJI is afraid that the Chinese might hack into their system and copy their design.

      Oh, wait ...

    6. Oh Homer
      Headmaster

      "What are the lessons here?"

      Only one lesson required: ultimately anyone can build their own drone and write their own control software, so attempting to "regulate" it, with copyrights or otherwise, is about as pointless as attempting to regulate the manifestation of psychotropic mushrooms on lawns.

  2. Anonymous Coward

    For some reason I have that song by duck sauce stuck in my head now.

    Woo woo woo woo woo woo woo

    Woo woo woo woo woo woo woo woo

    Woo woo woo woo woo

    Barbra Streisand

    1. Anonymous Coward

      > Barbra Streisand

      Definitely. For good measure, the repos-now-back-online have all been cloned to the local hdd too. Likely not just by myself either.

  3. Anonymous Coward

    The takeaway

    Leaving aside all the sensationalism in the article, it seems worth pointing out:

    1. Secrets do not belong in version control. This can be enforced by developer education and by the use of pre-commit hooks as a second-level safety net (furthermore, I believe that GitLab can be set to reject commits containing potentially sensitive data?).

    2. Once a secret has leaked, a take-down request may be a mitigation step, but by no means does it solve the problem. That was an expensive mistake to make.
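The pre-commit safety net from point 1, written out as an added example (it is not the commenter's hook and not a hook from any project named in the thread). It scans only the lines a commit adds to the staged diff, so existing history is not re-scanned on every commit, and combines a few definite patterns (private-key blocks, the well-known AWS access key id prefix) with an entropy heuristic for key-looking assignments, which is what catches a hard-coded hex AES key like the one at the centre of the article. The `SAMPLE_DIFF` is constructed for the demo; the thresholds (3.0 bits per character for hex, 4.0 otherwise) are tuning assumptions, not anything the thread states.

```python
#!/usr/bin/env python3
"""Pre-commit hook that blocks commits whose staged diff adds likely secrets.

Added example, not from the thread or any project named in it. Install by
copying to .git/hooks/pre-commit and making it executable; it exits non-zero
(blocking the commit) when a finding is present.
"""
import math
import re
import subprocess
import sys

# Patterns that are findings on their own (low false-positive rate).
DEFINITE_PATTERNS = {
    "private key block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "AWS access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Key-looking variable assigned a long literal; the value is then entropy-checked.
KEY_ASSIGNMENT = re.compile(
    r"(?i)\b(?:aes|api|private|secret|auth)?_?(?:key|secret|token|passw(?:or)?d)\w*"
    r"\s*[:=]\s*[\"']?(?P<value>[A-Za-z0-9+/=_-]{16,})"
)

# Tuning assumptions: random hex tops out at 4 bits/char, base64 at 6 bits/char,
# while English identifiers of this length sit around 3.0-3.5.
HEX_THRESHOLD = 3.0
OTHER_THRESHOLD = 4.0


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical symbol distribution."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_key_material(value: str) -> bool:
    is_hex = re.fullmatch(r"[0-9a-fA-F]+", value) is not None
    threshold = HEX_THRESHOLD if is_hex else OTHER_THRESHOLD
    return shannon_entropy(value) >= threshold


def scan_diff(diff_text: str) -> list:
    """Return (diff_line_no, label, content) for each added line that looks secret.

    Only '+' lines are examined; removed lines and the '+++' file header are skipped.
    """
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        content = line[1:]
        for label, pattern in DEFINITE_PATTERNS.items():
            if pattern.search(content):
                findings.append((lineno, label, content.strip()))
        m = KEY_ASSIGNMENT.search(content)
        if m and looks_like_key_material(m.group("value")):
            findings.append((lineno, "high-entropy key assignment", content.strip()))
    return findings


# Constructed sample diff: one hard-coded hex key, one private key block, and
# two benign lines that a naive "contains 'key'" grep would flag.
SAMPLE_DIFF = """\
diff --git a/firmware/crypto.c b/firmware/crypto.c
--- a/firmware/crypto.c
+++ b/firmware/crypto.c
@@ -1,4 +1,6 @@
+/* constructed sample: a hard-coded key that should never be committed */
+static const char *aes_key = "a3f1c9e27b4d8e60f1a2b3c4d5e6f708";
+size_t key_len = 16;
-static const char *api_key_name = "placeholder_value";
+static const char *api_key_name = "placeholder_value";
+-----BEGIN RSA PRIVATE KEY-----
"""


def main() -> int:
    """Hook entry point: scan the staged diff and block the commit on findings."""
    diff = subprocess.run(
        ["git", "diff", "--cached", "-U0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    findings = scan_diff(diff)
    for lineno, label, content in findings:
        print(f"blocked: {label} at diff line {lineno}: {content[:80]}", file=sys.stderr)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main())
```

A hook like this is a second-level net, as the commenter says, not a guarantee: it only runs on the developer's machine and can be bypassed with `--no-verify`, so the same `scan_diff` logic belongs in a server-side pre-receive hook or CI job as well, where the check cannot be skipped.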

    1. Anonymous Coward

      Re: Leaving aside all the sensationalism in the article

      Me-oww!

    2. A Non e-mouse Silver badge

      Re: The takeaway

      Secrets do not belong in version control

      LMFTFY: Unencrypted secrets do not belong in version control.

      Regpg is a system to allow you to store secrets in version control. It can also hook into Ansible.

      1. Claptrap314 Silver badge

        Re: The takeaway

        Great idea! I hope you use it! I understand that you hope that the encryption scheme that you are using does not get broken before the end of life of the secret you are storing, but I'm not about to trust my ability to know the future to that degree.

      2. Steve Knox

        Re: The takeaway

        LMFTFY: Unencrypted secrets do not belong in version control.

        Regpg is a system to allow you to store secrets in version control. It can also hook into Ansible.

        Okay, but where do you store the secrets for your secret-encryption system?

        1. sanmigueelbeer
          Pint

          Re: The takeaway

          Okay, but where do you store the secrets for your secret-encryption system?

          Github, of course.

          1. Yet Another Anonymous coward Silver badge

            Re: The takeaway

            Okay, but where do you store the secrets for your secret-encryption system?

            In TFS hosted on visualstudio.com - then nobody will ever be able to find them

  4. Anonymous Coward

    Any idea?

    Why would drone owners want to remove the geofencing feature? It would seem to me that it works in everyone's favour, by helping to keep safe areas that need to be safe and drone flyers out of potential trouble.

    Not saying that everyone who disables the feature is acting irresponsibly, but it seems to make it easier to shoot yourself and your drone-flying community at large in the foot.

    1. Anonymous Coward

      "Why would drone owners want to remove the geofencing feature?"

      Because there are a lot of idiots around?

      BTW - many geofencing limits can be removed following a proper procedure - the procedure depends on the sensitivity of the area; some cannot be removed anyway - they are just logged. Thereby, if you know what you are doing and have proper permissions, you can remove limits.

      Of course there are jerks, tinfoil hat wearers, etc. etc. who think they are the only important person in the Universe and can do whatever they like, disturbing and endangering things, animals and people - just to have their own fun.

    2. Mephistro
      Unhappy

      Re: Any idea?

      "Why would drone owners want to remove the geofencing feature?"

      "Because they can."

      And "Because of terrorists" would, for once, make sense also.

    3. quartzie

      Re: Any idea?

      Because in some countries, the geofences are set up so rigidly it is virtually impossible to fly even in your garden.

      Fortunately not the case in most of Europe, but DJI's geofencing has been known to fork up people's toys.

      That, and because idiots want close ups of flying jetliners.

    4. Joe Harrison

      Re: Any idea?

      I haven't got a drone but my guess is that the geofences are arbitrary and don't make sense? Like you want to fly your drone in the park but the council's head of estate management works in a shed there and someone has geofenced it as a sensitive government building.

      I really doubt hobbyists are going to go Aha now I can disable the Heathrow zone, not with the brownstorm that would mean they had to deal with.
