GitHub shrugs off drone maker DJI's crypto key DMCA takedown effort

GitHub rejected a DMCA takedown request from Chinese drone-maker DJI after someone forked source code left in the open by a naughty DJI developer, The Register can reveal. This included AES keys permitting decryption of flight control firmware, which could allow drone fliers with technical skills to remove geofencing from the …

  1. Doctor Syntax Silver badge

    I can understand a company using git as its source control software but why, for code which is essentially the company's crown jewels trade secret, why use Github as the repository rather than run their own? It's somebody else's computer.

    1. Anonymous Coward

      one experience ...

      When I worked for a big insurance company, it took 3 years to get a server approved along with the necessary resources to set it up, and configure it into service.

      It took 10 minutes to spin up an Azure VM.

      Now apply that to getting a source control solution in place ...

      1. Flakk

        Now apply that to getting a source control solution in place ...

        So, in your estimation, this is an instance of shabby Shadow IT run amok? Sure, spin up a hosted VM, but why not then use it to run a private Git?

      2. Doctor Syntax Silver badge

        Re: one experience ...

        "It took 10 minutes to spin up an Azure VM."

        How's the VM being paid for? If it's on somebody's credit card being claimed back on expenses what happens if that somebody leaves? Is there anything important on it?

        1. Peter 26

          Re: one experience ...

          MSDN license? You get enough free credits each month to do quite a bit. I've got a couple of servers running at the moment free of charge for testing.

      3. alain williams Silver badge

        Re: one experience ...

        When I worked for a big insurance company, it took 3 years to get a server approved along with the necessary resources to set it up, and configure it into service.

        Find a desktop PC that is being replaced, wipe it & install Linux, hide it under your desk. It will work nicely as a Git machine or similar. By the time that management discover it - it will be too vital for them to remove.

        I've done this several times. The only time that I had a problem was when a janitor type was the one who 'safely disposed' of old machines, he did not like it when I took one as it meant less money for him as he 'securely disposed' them at car boot sales.

      4. Nolveys

        Re: one experience ...

        When I worked for a big insurance company, it took 3 years to get a server...It took 10 minutes to spin up an Azure VM.

        I was in a situation a few years ago in which our deadline had gone from a month to a few days while we were waiting for a server to be provisioned.

        My boss called someone in the company who was good at dealing with these sorts of issues, he immediately solved the problem. The solution lay in company security policy. Policy stated that the security group had to audit the non-existent server before it could go into use. Since the security group takes at least 6 months to even start looking at anything we were in the clear.

        The moral of the story is to not go around policy to get your job done, but to use company policy to make other people responsible for everything.

        1. Doctor Syntax Silver badge

          Re: one experience ...

          "Since the security group takes at least 6 months to even start looking at anything we were in the clear."

          That's good to know. Especially if you're attempting to break into the company.

        2. MachDiamond Silver badge

          Re: one experience ...

          "The moral of the story is to not go around policy to get your job done, but to use company policy to make other people responsible for everything."

          That depends highly on how you are evaluated. I had no end of problems getting sign offs on avionics details from other departments so I could freeze designs and get the hardware built, but it was never a problem to criticize me, yell at me, etc when hardware was late. Solution: Have a coworker in software go through the design as a second set of eyeballs to find errors and just send out the files to get the PCS's made. It was the sort of place where there was never time to get things right, but having to do them over wasn't a problem.

      5. Steve Davies 3 Silver badge

        Re: It took 10 minutes to spin up an Azure VM

        and it took 30 seconds to shut it down and wipe it because your mega corp forgot to pay the bill.

        There are risks in life. I guess that 3 years to secure your company's IP is not very important then? Didn't you talk to the legal dept? or Information Security?

      6. Tom 7

        Re: one experience ...

        All that effort? Takes about a minute on my Pi Zero to install a git server and get it working - but then my internet is shit.

        1. Hans 1
          Boffin

          Re: one experience ...

          Takes about a minute on my Pi Zero to install a git server and get it working - but then my internet is shit.

          Takes about a minute on my Pi Zero to install git and get it working - but then my internet is shit.

          TFTFY

          1. Sir Runcible Spoon
            Coat

            Re: one experience ...

            "he did not like it when I took one as it meant less money for him as he 'securely disposed' them at car boot sales."

            People actually bought them with no hard drives in them?

            1. Doctor Syntax Silver badge

              Re: one experience ...

              "People actually bought them with no hard drives in them?"

              Who said anything about no hard drives?

              1. Sir Runcible Spoon

                Re: one experience ...

                "Who said anything about no hard drives?"

                No-one, which was my point :P

    2. Pascal Monett Silver badge

      Re: It's somebody else's computer

      And for the life of me, I can't understand why people are so prompt in throwing data at it.

      Education on this point is going to be long and painful, and there will be tears before things get better.

      Just because clouds have silver linings doesn't mean you can ignore the dark thunderstorm brewing within.

    3. Tom 38

      git is not the same as github. github provides many workflow features that are unavailable in git, and combine together to increase productivity, eg issue tracking, pull requests, 3rd party tool integration to do CI, deployments, packaging... github is more than hosted git and a web viewer.

      1. Anonymous Coward

        "github provides many workflow features"

        Nothing you can't set up on your own with free tools, if you don't want to pay, and get better ones with far more control.

        And without a TOS stating that even if you make a mistake, you lose control of your property....

        1. Tom 38

          Re: "github provides many workflow features"

          Nothing you can't set up on your own with free tools, if you don't want to pay, and get better ones with far more control.

          You don't actually understand how commercial IT works I'm guessing. There is no option if I "don't want to pay". I either pay someone else to set it up for me and maintain and host it, or I pay in my time and resources to configure it, maintain and host it myself. The first option just takes a small amount of money, but the second one costs immediate development time (whilst we're setting it up) and reduces velocity (any time we need to maintain it) and introduces risks (disaster recovery).

          As to "better ones with far more control", this is hardly accurate. As an example, we use the Sentry.io error reporting tool on some of our projects. This is an open source project, you can install it in house and host it yourself, which we did for about a year before switching to have them host. Guess what? Their hosted version has more features than they put in the open source public one.

          The costs of hosting (2 application servers, two database, one redis) and the support costs (1 developer for 3 weeks initially, 1 more week doing upgrades) dwarfed what it would have cost us to have sentry host it. We get an additional developer-month of progress on our own tasks.

          1. Anonymous Coward

            "You don't actually understand how commercial IT work"

            Sorry, my friend, I lead a commercial IT department, and we have all the tools GitHub have installed and properly working locally. Fully tailored to our needs.

            Sure, we pay hardware and people to take care of them, why shouldn't we? It's part of the costs of the business, especially to keep everything inside the security perimeters and have full control on accesses and auditing. Free tools lower those costs a little.

            You may go cheap and outsource everything, and then find yourself in situations like this.

            Just remember, one day you could be outsourced too... if all that matters are only "costs". There's always someone cheaper.

        2. DJ Smiley

          Re: "github provides many workflow features"

          If you're incompetent enough to post your keys to github, what says you're competent enough to run a git server, and not accidentally forget to back it up?

          The ToS say you get to keep the flaming wreckage in this case, much use it'll do you.

          1. Adam 52 Silver badge

            Re: "github provides many workflow features"

            "If you're incompetent enough to post your keys to github"

            When it comes to posting keys to source control, there are those who have and those who have yet to.

            When you do it yourself, remember who you called incompetent.

            (no, I haven't, but members of my team have and so have the people who laughed at them).

            1. Anonymous Coward

              Re: "github provides many workflow features"

              > (no, I haven't, but members of my team have and so have the people who laughed at them).

              Exactly. If it can happen it can happen to anyone (especially those who think highly of themselves!), which is why you put active and passive measures in place and even so, you better have a plan for *when* (not if) things go wrong anyway.

        3. Anonymous Coward

          Re: "github provides many workflow features"

          > Nothing you can't set up on your own with free tools, if you don't want to pay, and get better ones with far more control.

          Some links would be helpful.

          1. Justin Clift

            Re: "github provides many workflow features"

            > > Nothing you can't set up on your own with free tools, if you don't want to pay, and get better ones with far more control.

            > Some links would be helpful.

            Gitea is a good start. Decent UI, and very lightweight on resources. eg can be run effectively on Raspberry Pi style hardware, though for real business use you'd want it on something proper. :)

            GitLab has more features than Gitea, though its user interface fairly sucks and it's a resource pig (written in Ruby). It can also grow into a PITA to admin over time if your needs aren't basic.

            Pick whichever takes your fancy, or do some searching online for others. The above two aren't the only ones. :)

        4. Hans 1
          Coat

          Re: "github provides many workflow features"

          And without a TOS stating that even if you make a mistake, you lose control of your property....

          If you legally have proprietary source code and you want to put that on "a computer that is NOT owned by the company you work for" without clearance, you are irresponsible. This is NOT a mistake, this is irresponsible! Putting it on public github even more so, as it de facto makes the source code open source. If you do not know that, what are you doing in software development?

          1. Ian Johnston Silver badge

            Re: "github provides many workflow features"

            If you legally have proprietary source code and you want to put that on "a computer that is NOT owned by the company you work for" without clearance, you are irresponsible. This is NOT a mistake, this is irresponsible!

            So if I post stolen or otherwise improperly acquired code to public GitHub, and the owners don't ask for it to be removed within ten days, there is nothing they can do?

      2. Doctor Syntax Silver badge

        "workflow features that are unavailable in git, and combine together to increase productivity, eg issue tracking, pull requests, 3rd party tool integration to do CI, deployments, packaging"

        And making it publicly available when not intended. Has that offset the productivity gains?

        1. Tom 38

          And making it publicly available when not intended. Has that offset the productivity gains?

          Only very specific people with very specific permissions can make a private repository into a public one. I would have thought that DJI made every developer have that very specific permission (normally just one user in the entire company has that permission)

          1. Paul Smith

            You have that backwards. When using a public service (such as github) only a very few people with very specific permissions can make your data actually private, and none of them work for you.

          2. Anonymous Coward

            Anon for obvious reasons: I work at a large bank, which is diving full heads-on into DevOps.

            We - essentially a DevSecOps team - used to run our own repo server and we're "persuaded" to please join the enterprisy one. Which is a cloud-hosted version of Enterprise Github.

            Fine, but we'll need to lock down our repos as they have sensitive... what's that? All repos are *public* by default?! Why?! "Because in the spirit of the Internet it's all about sharing our code through the organisation". Is the nearly literal answer I got.

            Fortunately they exposed the REST API, because 'twas a rushed 30 minutes - 1 hour to hack up an auto-job which goes and sets all our repos back to private. Because they won't let us change the default for our Team.

            Don't get me wrong: I think all this devopsy/cloudy Brave New World could be a boon if done right.

            But the way I see it happening so often will end in tears.

            1. Anonymous Coward

              > Fine, but we'll need to lock down our repos as they have sensitive... what's that? All repos are *public* by default?

              As they have sensitive what?

              There are a few cases where it does make sense to restrict access to source code, even within an organisation, but in general that strikes me as not a very good idea. Not that flagging some code "private" in an otherwise wide-open system offers any sort of real security anyway.

              In my case, we're not a software organisation at all, but we do develop a bunch of in-house tools to assist in our goals. As a rule, once those are good enough quality, or after they have served their primary competitive purpose, we release them publicly as open source. Not that anyone else seems to have much of a need for them, but knowing that their work will be up for public scrutiny does make our developers write significantly better quality, better documented and more secure stuff.

            2. Charlie Clark Silver badge

              Which is a cloud-hosted version of Enterprise Github.

              It's a joke. Every company I know goes with either Gitlab or Atlassian for hosting. Github is largely a data mining company.

    4. Anonymous Coward

      "why use Github"?

      Because that's what fashion dictates and all cool developers are, they've been told to <G>. Sheep will follow the herd.

      Despite all the babble about "decentralization", "individual power", etc. etc. Internet is enforcing reduced individuality and high centralization. One Search Engine, One Social, One Repository, etc. etc.

      One Site To Bind Them All.

    5. sanmigueelbeer
      Unhappy

      why use Github as the repository rather than run their own

      Maybe because DJI is afraid that the Chinese might hack into their system and copy their design.

      Oh, wait ...

    6. Oh Homer
      Headmaster

      "What are the lessons here?"

      Only one lesson required: ultimately anyone can build their own drone and write their own control software, so attempting to "regulate" it, with copyrights or otherwise, is about as pointless as attempting to regulate the manifestation of psychotropic mushrooms on lawns.

  2. Anonymous Coward

    For some reason I have that song by duck sauce stuck in my head now.

    Woo woo woo woo woo woo woo

    Woo woo woo woo woo woo woo woo

    Woo woo woo woo woo

    Barbra Streisand

    1. Anonymous Coward

      > Barbra Streisand

      Definitely. For good measure, the repos-now-back-online have all been cloned to the local hdd too. Likely not just by myself either.

  3. Anonymous Coward

    The takeaway

    Leaving aside all the sensationalism in the article, it seems worth pointing out:

    1. Secrets do not belong in version control. This can be enforced by developer education and by the use of pre-commit hooks as a second-level safety net (furthermore, I believe that GitLab can be set to reject commits containing potentially sensitive data?).

    2. Once a secret has leaked, a take-down request may be a mitigation step, but by no means does it solve the problem. That was an expensive mistake to make.

    1. Anonymous Coward

      Re: Leaving aside all the sensationalism in the article

      Me-oww!

    2. A Non e-mouse Silver badge

      Re: The takeaway

      Secrets do not belong in version control

      LMFTFY: Unencrypted secrets do not belong in version control.

      Regpg is a system to allow you to store secrets in version control. It can also hook into Ansible.

      1. Claptrap314 Silver badge

        Re: The takeaway

        Great idea! I hope you use it! I understand that you hope that the encryption scheme that you are using does not get broken before the end of life of the secret you are storing, but I'm not about to trust my ability to know the future to that degree.

      2. Steve Knox

        Re: The takeaway

        LMFTFY: Unencrypted secrets do not belong in version control.

        Regpg is a system to allow you to store secrets in version control. It can also hook into Ansible.

        Okay, but where do you store the secrets for your secret-encryption system?

        1. sanmigueelbeer
          Pint

          Re: The takeaway

          Okay, but where do you store the secrets for your secret-encryption system?

          Github, of course.

          1. Yet Another Anonymous coward Silver badge

            Re: The takeaway

            Okay, but where do you store the secrets for your secret-encryption system?

            In TFS hosted on visualstudio.com - then nobody will ever be able to find them

  4. Anonymous Coward

    Any idea?

    Why would drone owners want to remove the geofencing feature? It would seem to me that it works in everyone's favour, by helping to keep safe areas that need to be safe and drone flyers out of potential trouble.

    Not saying that everyone who disables the feature is acting irresponsibly, but it seems to make it easier to shoot yourself and your drone-flying community at large in the foot.

    1. Anonymous Coward

      "Why would drone owners want to remove the geofencing feature?"

      Because there are a lot of idiots around?

      BTW - many geofencing limits can be removed following a proper procedure - the procedure depends on the sensibility of the area, some cannot be removed anyway - just they are logged. Thereby, if you know what you are doing and have proper permissions, you can remove limits.

      Of course there are jerks, tinfoil hat wearers, etc etc. who think they are the only important person in the Universe and can do whatever they like, disturbing and putting in danger things, animals and people - just to have their own fun.

    2. Mephistro
      Unhappy

      Re: Any idea?

      "Why would drone owners want to remove the geofencing feature?"

      "Because they can."

      And "Because of terrorists" would, for once, make sense also.

    3. quartzie

      Re: Any idea?

      Because in some countries, the geofences are set up so rigidly it is virtually impossible to fly even in your garden.

      Fortunately not the case in most of Europe, but DJI's geofencing has been known to fork up people's toys.

      That, and because idiots want close ups of flying jetliners.

    4. Joe Harrison

      Re: Any idea?

      I haven't got a drone but my guess is that the geofences are arbitrary and don't make sense? Like you want to fly your drone in the park but the council's head of estate management works in a shed there and someone has geofenced it as a sensitive government building.

      I really doubt hobbyists are going to go Aha now I can disable the Heathrow zone, not with the brownstorm that would mean they had to deal with.

    5. Anonymous Coward

      Re: Any idea?

      Why would drone owners want to remove the geofencing feature?

      Because it's then dead-simple for corrupt officials to demand the site of their criminal or immoral activities be geofenced, and throw around the excuse of "national security"?

      1. Anonymous Coward

        Re: Any idea?

        Because it's then dead-simple for corrupt officials to demand the site of their criminal or immoral activities be geofenced,

        Here the route of a protested pipeline was designated a "special air security secret special zone" to prevent news helicopters filming the protests

    6. robidy

      Re: Any idea?

      Same reason people circumvent any other government restriction... they aren't always there for a good reason.

  5. Anonymous Coward
    Coffee/keyboard

    But what if...

    In this case it was a pretty clear case of self-inflicted problems. Easily proven if you read this DJI statement because guess what? => "DJI received a report from an independent security researcher that an AWS server repository was accessible by unauthorized parties. We took this issue very seriously, and fixed it within a day of receiving the report.". This sheds a whole new light on the Github request if you ask me because it proves that incompetence was definitely a thing there.

    But it does raise an interesting question I think: What if someone shares something on Github which wasn't theirs to share in the first place?

    1. Zippy's Sausage Factory

      Re: But what if...

      What if someone shares something on Github which wasn't theirs to share in the first place?

      By the sound of it, the day that happens, a lot of lawyers are suddenly going to find themselves very busy...

    2. Doctor Syntax Silver badge

      Re: But what if...

      " What if someone shares something on Github which wasn't theirs to share in the first place?"

      Github would take it down PDQ to avoid charges of being an accessory and mitigate any civil claims.

  6. Stevie

    Bah!

    One of the lessons I took away was "No matter what your stance as a company is on [insert hot button issue], you are at the mercy of the developers you hire and they are just as lazy and/or dense as anyone else at times."

    The narrative of the article seems to randomly point towards the corporate attitude of DJI or the anonymous dev responsible with no real indication of which is being given the stinkeye at any particular time.

    Not that I think anyone is innocent in this fiasco.

  7. Anonymous Coward

    shortsighted on Github's end too

    I'm still curious...

    - there are lots of processing hooks in git.

    - crypto stuff usually has recognizable extensions and contents

    - remotes, especially famous ones like github, are also clearly identifiable in the git configs

    I was listening to a podcast by someone who runs an npm security audit service scanning repos and that person stated that a big part of their hit results was notifying folks that their crypto sheep had wandered off reservation.

    Couldn't github itself send you a warning? It's not like they benefit much, judging from the above posts, from the recurrence of this kind of goofs. How about an on-by-default/easily-installed/strongly-suggested plugin on plain git?

    Often "touchy-feely-shary" cloud services are just plain sloppy with people's security. Stack Overflow, if you use their "share answer" link mechanism will append your personal SO ID # to the end of the URL, after the link to the answer. It's not required for anything - the answer ID # before it is enough - except some stupid attribution tracking for badges or the like. In the meantime, if you're using your real name on SO - which you could be doing for professional reasons - you unwittingly start leaking that elsewhere.

    1. Ken Hagan Gold badge

      Re: shortsighted on Github's end too

      "How about an on-by-default/easily-installed/strongly-suggested plugin on plain git?"

      Maybe, but that will be defeated by the kind of person who, when setting up a new repo, carefully goes through the configuration and disables everything that they don't personally understand or didn't personally set up, on the grounds that they are too smart to need such bloatware.

      It's evolution in action. You make something idiot proof and then sit back whilst Nature evolves a better idiot.

      1. Brewster's Angle Grinder Silver badge

        Re: shortsighted on Github's end too

        Then the control should be to "enable sharing of sensitive data"; i.e. installing the "plugin" should circumvent the normal rules which prevent uploading/sharing of private data.

        Because bloatware is not entirely fictitious. And defaulting things to off, and then slowly enabling things you've had time to research, should be a policy that works.

    2. Phil Endecott

      Re: shortsighted on Github's end too

      > crypto stuff usually has recognizable extensions and contents

      The actual key is in the screenshot in the article, have a look at it.

      Maybe you could detect that a string of 64? random hex characters could be a key, but it would surely have plenty of false positives. It might work if the hook could interactively say "are you sure y/n?" but the hooks I've seen have not had that level of interaction.

      1. Anonymous Coward

        Re: shortsighted on Github's end too

        Me being dumb: I thought they had published the SSH key file or the like. That's what that podcast was talking about.

        This is a different type of fail, isn't it? Even less forgivable, because it's not just a momentary lapse of attention, but a lack of basic coding skill. Don't hardcode secrets in code, whether or not you github it. No, not much git/github can do about that, forget any notion of hex string matching.

        My remark about keys still stands though.

      2. KF

        Re: shortsighted on Github's end too

        After the initial forks, we wound up finding quite a bit of extra stuff with TruffleHog... I highly recommend it.

        https://github.com/dxa4481/truffleHog

    3. Anonymous Coward

      Re: shortsighted on Github's end too

      > Couldn't github itself send you a warning? It's not like they benefit much, judging from the above posts, from the recurrence of this kind of goofs. How about an on-by-default/easily-installed/strongly-suggested plugin on plain git?

      GitLab (that's 'Lab, not 'Hub) do offer this option in their Enterprise build (which, like their fully open source counterpart, can also be self-hosted).

      I do not know about GitHub as I do not use them, but they may have a similar feature.

      For years I have been using a pre-commit hook that does the same job, mind.
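
Added example (not part of any comment in this thread, and not code from GitHub, GitLab or TruffleHog): a minimal pre-commit check of the kind discussed above, scanning only the added lines of the staged diff. It blocks PEM private-key headers and high-entropy hex runs on lines that mention a key, and only warns on bare hex runs such as commit hashes, which is the false-positive problem raised earlier in the thread. The thresholds, the `secret-scan: allow` marker and the sample diff are assumptions constructed for illustration.

```python
#!/usr/bin/env python3
"""Pre-commit secret check over the staged diff (illustrative, added example)."""
import math
import re
import subprocess
import sys
from collections import Counter

# 32+ hex digits covers a 128-bit key or larger, but also SHA-1/SHA-256 hashes.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{32,}(?![0-9A-Fa-f])")
PEM_KEY = re.compile(r"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
# Words that make a hex run more likely to be a key than a hash or an ID.
KEY_HINT = re.compile(r"key|secret|aes|passw|token", re.IGNORECASE)
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)")
ALLOW_MARK = "secret-scan: allow"   # hypothetical inline opt-out for test vectors
MIN_ENTROPY = 3.0                   # assumed threshold, bits per hex digit
BLOCKING = {"pem-private-key", "hex-key-likely"}


def shannon_entropy(text):
    """Bits per character; 4.0 is the maximum for hex digits."""
    counts = Counter(text.lower())
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def classify_line(line):
    """Return the finding kinds for one added line of source."""
    if ALLOW_MARK in line:
        return []
    kinds = []
    if PEM_KEY.search(line):
        kinds.append("pem-private-key")
    for run in HEX_RUN.findall(line):
        if shannon_entropy(run) < MIN_ENTROPY:
            continue  # padding, zeroed IVs, repeated test patterns
        kinds.append("hex-key-likely" if KEY_HINT.search(line) else "hex-high-entropy")
    return kinds


def scan_diff(diff_text):
    """Scan added lines of a unified diff; return (path, new_line_no, kind) tuples."""
    findings, path, lineno, in_hunk = [], None, 0, False
    for line in diff_text.splitlines():
        if line.startswith("diff --git "):
            in_hunk = False
        elif not in_hunk and line.startswith("+++ "):
            target = line[4:]
            path = target[2:] if target.startswith("b/") else target
        elif (m := HUNK.match(line)):
            lineno, in_hunk = int(m.group(1)), True
        elif in_hunk and line.startswith("+"):
            findings += [(path, lineno, kind) for kind in classify_line(line[1:])]
            lineno += 1
        elif in_hunk and not line.startswith(("-", "\\")):
            lineno += 1  # context line: present in the new file, not scanned
    return findings


# Constructed sample: the key is made up, the 40-digit value stands in for a commit hash.
SAMPLE_KEY = "9f3c1a7be2045d68b7a0c4e15f92d3864a1b0c7d5e6f8091a2b3c4d5e6f70812"
SAMPLE_DIFF = "\n".join([
    "diff --git a/fw/crypto.c b/fw/crypto.c",
    "--- a/fw/crypto.c",
    "+++ b/fw/crypto.c",
    "@@ -10,3 +10,6 @@",
    ' #include "crypto.h"',
    f'+static const char *FW_AES_KEY = "{SAMPLE_KEY}";',
    '+#define PINNED_COMMIT "3b18e512dba79e4c8300dd08aeb37f8e728b8dad"',
    '+#define PADDING "00000000000000000000000000000000"',
    f'+static const char *KAT_KEY = "{SAMPLE_KEY}"; /* secret-scan: allow */',
    "-static int old;",
    " int init(void);",
    "diff --git a/deploy/id_rsa b/deploy/id_rsa",
    "new file mode 100644",
    "--- /dev/null",
    "+++ b/deploy/id_rsa",
    "@@ -0,0 +1 @@",
    "+-----BEGIN RSA PRIVATE KEY-----",
])


def main():
    diff = subprocess.run(
        ["git", "diff", "--cached", "--unified=0", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    findings = scan_diff(diff)
    for path, lineno, kind in findings:
        level = "BLOCK" if kind in BLOCKING else "warn"
        print(f"{level}: {path}:{lineno}: {kind}", file=sys.stderr)
    return 1 if any(kind in BLOCKING for _, _, kind in findings) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Saved as `.git/hooks/pre-commit` and made executable, a non-zero exit aborts the commit. It checks new commits only and does nothing for a key that is already in history.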

    4. Anonymous Coward

      Re: shortsighted on Github's end too

      What I meant re. SO:

      This is a link to an answer about Perl and Unicode, as you would get it by using the "share" link at the end of each answer:

      https://stackoverflow.com/a/6163129/471272

      471272 is the ID of the user copying the generated shared link. I replaced mine with the person who originally answered. In his case, he has his real name - he's an author.

      All you really needed was https://stackoverflow.com/a/6163129 but SO helpfully added in your profile because you were logged in. Without really telling you, of course. And it can be spoofed too, so you can go pasting stuff around on alt.rec.perverts on someone's behalf.

      Black Helicopter icon intended here.

      1. Claptrap314 Silver badge

        Re: shortsighted on Github's end too

        It is in GitHub's interest for there to be as much open content on their site, especially the free site, as possible. After that, it's all a matter of contract negotiations. I worked at a place that used public Github as the main interaction tool. Lots of information flowing through the ticketing system. Would Not Recommend. Worked at another place that ran private Github. We moved repos into public Github as appropriate. MUCH better.

      2. Craigie

        Re: shortsighted on Github's end too

        Try forwarding someone a copy of your 'Quora Digest' email. Any link in it signs them straight in as you.

  8. Shadow Systems

    I've always wondered about that place...

    The name "GitHub" makes me think it's a place for gits to hang out & be a git. I'm not sure what being a git has to do with programming, but evidently programmers & gits like to hang out together.

    I'll get my coat, it's the one with the long sleeves that lock in the back & the pockets full of dried frog pills...

  9. Adam 52 Silver badge

    Not my experience

    We use github and over the years we've committed all sorts of things we shouldn't have. They've always been very helpful in taking down files and letting us know who has downloaded copies. Of course we ask politely rather than turn up with a DMCA notice.

  10. Anonymous Coward

    Github has some responsibility

    Github now clearly know that they host code that enables modding of drones to let them fly illegally in dangerous airspace. The have a responsibility to take down the forks purely on public safety grounds. Letting the code and forks stay up due to some dogmatic belief in the right to copy / free speech / anti takedown or whatever is immature and irresponsible. If they feel they can't do it because it would violate their own Ts&Cs then those need to be fixed immediately to include a discretionary clause.

    1. Anonymous Coward
      FAIL

      Re: Github has some responsibility

      Github now clearly know that they host code that enables modding of drones to let them fly illegally in dangerous airspace. The[y] have a responsibility to take down the forks purely on public safety grounds.

      No they don't. Most tools are dangerous if misused, and they are not a wing of government censorship. For instance, they also host encryption software, stuff which could be used to make kiddie porn, interfere with radio communications, help with espionage or even assist with copyright infringement.

      Put your ban-hammer back in your trousers.

  11. Anonymous Coward

    Did DJI break the law

    With DJI originally claiming "confidential and proprietary information has been posted on your website by unauthorized parties" in the DMCA notice, and then saying it was some employees they have since fired, haven't DJI admitted they have broken the law by lying on the DMCA notice?

  12. MachDiamond Silver badge

    Rockets

    When I was working in aerospace everything was in house. Repos may not have had every "feature" of a cloud hosted service, but ITAR (arms regulations) restrictions come with heavy penalties. I got out when the "COO" was trying to outsource everything he could. Being a business major, he wasn't very bright.

    1. Doctor Syntax Silver badge

      Re: Rockets

      ITAR (arms regulations) restrictions come with heavy penalties. ... the "COO" was trying to outsource everything he could

      I reckon company policies, manuals etc. should always accompany statements of "this is what we do and how we do it" with "this is why we do it and why we do it this way" so that it can be pointed out to even the meanest intelligence in senior management when it's done that way because of statutory or regulatory reasons.
