I can understand a company using git as its source control software, but for code which is essentially the company's crown-jewels trade secret, why use GitHub as the repository rather than run their own? It's somebody else's computer.
GitHub shrugs off drone maker DJI's crypto key DMCA takedown effort
GitHub rejected a DMCA takedown request from Chinese drone-maker DJI after someone forked source code left in the open by a naughty DJI developer, The Register can reveal. This included AES keys permitting decryption of flight control firmware, which could allow drone fliers with technical skills to remove geofencing from the …
COMMENTS
-
-
Thursday 25th January 2018 14:16 GMT Anonymous Coward
one experience ...
When I worked for a big insurance company, it took 3 years to get a server approved along with the necessary resources to set it up, and configure it into service.
It took 10 minutes to spin up an Azure VM.
Now apply that to getting a source control solution in place ...
-
Thursday 25th January 2018 14:37 GMT alain williams
Re: one experience ...
When I worked for a big insurance company, it took 3 years to get a server approved along with the necessary resources to set it up, and configure it into service.
Find a desktop PC that is being replaced, wipe it & install Linux, hide it under your desk. It will work nicely as a Git machine or similar. By the time that management discover it - it will be too vital for them to remove.
I've done this several times. The only time that I had a problem was when a janitor type was the one who 'safely disposed' of old machines; he did not like it when I took one, as it meant less money for him since he 'securely disposed' of them at car boot sales.
-
Thursday 25th January 2018 15:19 GMT Nolveys
Re: one experience ...
When I worked for a big insurance company, it took 3 years to get a server...It took 10 minutes to spin up an Azure VM.
I was in a situation a few years ago in which our deadline had gone from a month to a few days while we were waiting for a server to be provisioned.
My boss called someone in the company who was good at dealing with these sorts of issues, and he immediately solved the problem. The solution lay in company security policy. Policy stated that the security group had to audit the non-existent server before it could go into use. Since the security group takes at least 6 months to even start looking at anything, we were in the clear.
The moral of the story is to not go around policy to get your job done, but to use company policy to make other people responsible for everything.
-
Friday 26th January 2018 23:30 GMT MachDiamond
Re: one experience ...
"The moral of the story is to not go around policy to get your job done, but to use company policy to make other people responsible for everything."
That depends highly on how you are evaluated. I had no end of problems getting sign offs on avionics details from other departments so I could freeze designs and get the hardware built, but it was never a problem to criticize me, yell at me, etc when hardware was late. Solution: Have a coworker in software go through the design as a second set of eyeballs to find errors and just send out the files to get the PCS's made. It was the sort of place where there was never time to get things right, but having to do them over wasn't a problem.
-
Friday 26th January 2018 07:53 GMT Steve Davies 3
Re: It took 10 minutes to spin up an Azure VM
and it took 30 seconds to shut it down and wipe it because your mega corp forgot to pay the bill.
There are risks in life. I guess that 3 years to secure your company's IP is not very important then? Didn't you talk to the legal dept or Information Security?
-
Thursday 25th January 2018 14:37 GMT Pascal Monett
Re: It's somebody else's computer
And for the life of me, I can't understand why people are so prompt in throwing data at it.
Education on this point is going to be long and painful, and there will be tears before things get better.
Just because clouds have silver linings doesn't mean you can ignore the dark thunderstorm brewing within.
-
Thursday 25th January 2018 14:42 GMT Tom 38
git is not the same as GitHub. GitHub provides many workflow features that are unavailable in git, and they combine together to increase productivity, e.g. issue tracking, pull requests, 3rd party tool integration to do CI, deployments, packaging... GitHub is more than hosted git and a web viewer.
-
-
Thursday 25th January 2018 15:26 GMT Tom 38
Re: "github provides many workflow features"
Nothing you can't set up on your own with free tools, if you don't want to pay, and get better ones with far more control.
You don't actually understand how commercial IT works I'm guessing. There is no option if I "don't want to pay". I either pay someone else to set it up for me and maintain and host it, or I pay in my time and resources to configure it, maintain and host it myself. The first option just takes a small amount of money, but the second one costs immediate development time (whilst we're setting it up) and reduces velocity (any time we need to maintain it) and introduces risks (disaster recovery).
As to "better ones with far more control", this is hardly accurate. As an example, we use the Sentry.io error reporting tool on some of our projects. This is an open source project, you can install it in house and host it yourself, which we did for about a year before switching to have them host. Guess what? Their hosted version has more features than they put in the open source public one.
The costs of hosting (2 application servers, two databases, one redis) and the support costs (1 developer for 3 weeks initially, 1 more week doing upgrades) dwarfed what it would have cost us to have Sentry host it. We get an additional developer-month of progress on our own tasks.
-
Thursday 25th January 2018 16:24 GMT Anonymous Coward
"You don't actually understand how commercial IT works"
Sorry, my friend, I lead a commercial IT department, and we have all the tools GitHub have installed and properly working locally. Fully tailored to our needs.
Sure, we pay hardware and people to take care of them, why shouldn't we? It's part of the costs of the business, especially to keep everything inside the security perimeters and have full control on accesses and auditing. Free tools lower those costs a little.
You may go cheap and outsource everything, and then find yourself in situations like this.
Just remember, one day you could be outsourced too... if all that matters are only "costs". There's always someone cheaper.
-
-
-
Friday 26th January 2018 00:37 GMT Adam 52
Re: "github provides many workflow features"
"If you're incompetent enough to post your keys to github"
When it comes to posting keys to source control, there are those who have and those who have yet to.
When you do it yourself, remember who you called incompetent.
(no, I haven't, but members of my team have and so have the people who laughed at them).
-
Friday 26th January 2018 10:47 GMT Anonymous Coward
Re: "github provides many workflow features"
> (no, I haven't, but members of my team have and so have the people who laughed at them).
Exactly. If it can happen it can happen to anyone (especially those who think highly of themselves!), which is why you put active and passive measures in place and even so, you better have a plan for *when* (not if) things go wrong anyway.
-
-
-
-
Sunday 28th January 2018 02:50 GMT Justin Clift
Re: "github provides many workflow features"
> > Nothing you can't setup on your own with free tools, if you don't want to pay, and get better ones with far more control.
> Some links would be helpful.
Gitea is a good start. Decent UI, and very lightweight on resources. eg can be run effectively on Raspberry Pi style hardware, though for real business use you'd want it on something proper. :)
GitLab has more features than Gitea, though its user interface fairly sucks and it's a resource pig (written in Ruby). It can also grow into a PITA to admin over time if your needs aren't basic.
Pick whichever takes your fancy, or do some searching online for others. The above two aren't the only ones. :)
-
-
Friday 26th January 2018 12:43 GMT Hans 1
Re: "github provides many workflow features"
And without a TOS stating that even if you make a mistake, you lose control of your property....
If you legally have proprietary source code and you want to put that on "a computer that is NOT owned by the company you work for" without clearance, you are irresponsible. This is NOT a mistake, this is irresponsible! Putting it on public GitHub even more so, as it de facto makes the source code open source. If you do not know that, what are you doing in software development?
-
Friday 26th January 2018 14:13 GMT Ian Johnston
Re: "github provides many workflow features"
If you legally have proprietary source code and you want to put that on "a computer that is NOT owned by the company you work for" without clearance, you are irresponsible. This is NOT a mistake, this is irresponsible!
So if I post stolen or otherwise improperly acquired code to public GitHub, and the owners don't ask for it to be removed within ten days, there is nothing they can do?
-
-
-
-
Thursday 25th January 2018 15:28 GMT Tom 38
And making it publicly available when not intended. Has that offset the productivity gains?
Only very specific people with very specific permissions can make a private repository in to a public one. I would have thought that DJI made every developer have that very specific permission (normally just one user in the entire company has that permission)
-
-
Thursday 25th January 2018 22:35 GMT Anonymous Coward
Anon for obvious reasons: I work at a large bank, which is diving full heads-on into DevOps.
We - essentially a DevSecOps team - used to run our own repo server and were "persuaded" to please join the enterprisey one. Which is a cloud-hosted version of Enterprise GitHub.
Fine, but we'll need to lock down our repos as they have sensitive... what's that? All repos are *public* by default?! Why?! "Because in the spirit of the Internet it's all about sharing our code through the organisation". Is the nearly literal answer I got.
Fortunately they exposed the REST API, because 'twas a rushed 30 minutes to 1 hour to hack up an auto-job which goes and sets all our repos back to private. Because they won't let us change the default for our Team.
Don't get me wrong: I think all this devopsy/cloudy Brave New World could be boon if done right.
But the way I see it happening so often will end in tears.
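The kind of auto-job the poster describes, written out as an added example (it is not the poster's script, nor anything GitHub ships): it lists an organisation's repositories through the GitHub REST API, picks out the public ones that are not on an explicit allow-list, and PATCHes them back to private. The API paths are GitHub's documented ones (`GET /orgs/{org}/repos`, `PATCH /repos/{owner}/{repo}` with `{"private": true}`); the hostname, organisation name, token and the `example-org/public-docs` allow-list entry are assumptions supplied via environment variables, and the choice to skip archived repositories is a design assumption, not an API rule. The decision step is kept as a pure function so the policy can be checked without touching the network, and the script defaults to a dry run.

```python
"""Added example, not the commenter's script: sweep an organisation's
repositories via the GitHub REST API and set any public ones back to private.

Documented endpoints used:
  GET   /orgs/{org}/repos?type=public   list repositories
  PATCH /repos/{owner}/{repo}           update settings ({"private": true})
On GitHub Enterprise Server the REST base is https://HOST/api/v3 (assumption:
supplied through GH_API_BASE).  GH_ORG and GH_TOKEN are assumptions too.
"""
import json
import os
import urllib.request

API_BASE = os.environ.get("GH_API_BASE", "https://api.github.com")
ORG = os.environ.get("GH_ORG", "example-org")   # assumed organisation name
TOKEN = os.environ.get("GH_TOKEN", "")           # assumed token with repo scope


def repos_to_privatise(repos, allow_public=()):
    """Pure decision step: full names of repositories that are public, not
    archived (archived repos are read-only; skipping them is a design
    assumption) and not on the allow-list.  No I/O, so it is unit-testable."""
    allowed = set(allow_public)
    return sorted(
        r["full_name"] for r in repos
        if not r.get("private", False)
        and not r.get("archived", False)
        and r["full_name"] not in allowed
    )


def _request(method, path, body=None):
    """Minimal authenticated call against the REST API; returns parsed JSON."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API_BASE + path, data=data, method=method)
    req.add_header("Authorization", "token " + TOKEN)
    req.add_header("Accept", "application/vnd.github+json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def list_org_repos(org):
    """Page through /orgs/{org}/repos, 100 per page, until an empty page."""
    repos, page = [], 1
    while True:
        chunk = _request(
            "GET", f"/orgs/{org}/repos?type=public&per_page=100&page={page}")
        if not chunk:
            return repos
        repos.extend(chunk)
        page += 1


def enforce_private(org, allow_public=(), dry_run=True):
    """List, decide, and (unless dry_run) PATCH each target to private.
    Returns the list of repositories that were (or would be) changed."""
    targets = repos_to_privatise(list_org_repos(org), allow_public)
    for full_name in targets:
        if dry_run:
            print("would set private:", full_name)
        else:
            _request("PATCH", f"/repos/{full_name}", {"private": True})
            print("set private:", full_name)
    return targets


if __name__ == "__main__":
    # Assumed allow-list entry; without a token we only report, never change.
    enforce_private(ORG, allow_public=(f"{ORG}/public-docs",),
                    dry_run=not TOKEN)
```

Run it from cron or a CI schedule with `GH_TOKEN` set; the dry-run output doubles as a detection log of repositories that flipped to public since the last sweep, which is worth keeping even where the default cannot be changed.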
-
Friday 26th January 2018 10:41 GMT Anonymous Coward
> Fine, but we'll need to lock down our repos as they have sensitive... what's that? All repos are *public* by default?
As they have sensitive what?
There are a few cases where it does make sense to restrict access to source code, even within an organisation, but in general that strikes me as not a very good idea. Not that flagging some code "private" in an otherwise wide-open system offers any sort of real security anyway.
In my case, we're not a software organisation at all, but we do develop a bunch of in-house tools to assist in our goals. As a rule, once those are of good enough quality, or after they have served their primary competitive purpose, we release them publicly as open source. Not that anyone else seems to have much of a need for them, but knowing that their work will be up for public scrutiny does make our developers write significantly better quality, better documented and more secure stuff.
-
-
-
-
-
Thursday 25th January 2018 14:53 GMT Anonymous Coward
"why use Github"?
Because that's what fashion dictates and all cool developers are, they've been told to <G>. Sheep will follow the herd.
Despite all the babble about "decentralization", "individual power", etc. etc., the Internet is enforcing reduced individuality and high centralization. One Search Engine, One Social, One Repository, etc. etc.
One Site To Bind Them All.
-
Saturday 27th January 2018 10:26 GMT Oh Homer
"What are the lessons here?"
Only one lesson required: ultimately anyone can build their own drone and write their own control software, so attempting to "regulate" it, with copyrights or otherwise, is about as pointless as attempting to regulate the manifestation of psychotropic mushrooms on lawns.
-
-
Thursday 25th January 2018 14:29 GMT Anonymous Coward
The takeaway
Leaving aside all the sensationalism in the article, it seems worth pointing out:
1. Secrets do not belong in version control. This can be enforced by developer education and by the use of pre-commit hooks as a second-level safety net (furthermore, I believe that GitLab can be set to reject commits containing potentially sensitive data?).
2. Once a secret has leaked, a take-down request may be a mitigation step, but by no means does it solve the problem. That was an expensive mistake to make.
-
Thursday 25th January 2018 14:37 GMT Anonymous Coward
Any idea?
Why would drone owners want to remove the geofencing feature? It would seem to me that it works in everyone's favour, by helping to keep safe areas that need to be safe and drone flyers out of potential trouble.
Not saying that everyone who disables the feature is acting irresponsibly, but it seems to make it easier to shoot yourself and your drone-flying community at large in the foot.
-
Thursday 25th January 2018 15:01 GMT Anonymous Coward
"Why would drone owners want to remove the geofencing feature?"
Because there are a lot of idiots around?
BTW - many geofencing limits can be removed following a proper procedure - the procedure depends on the sensitivity of the area, and some cannot be removed anyway - they are just logged. Thereby, if you know what you are doing and have proper permissions, you can remove limits.
Of course there are jerks, tinfoil hat wearers, etc etc. who think they are the only important person in the Universe and can do whatever they like, disturbing and putting in danger things, animals and people - just to have their own fun.
-
Thursday 25th January 2018 15:19 GMT quartzie
Re: Any idea?
Because in some countries, the geofences are set up so rigidly it is virtually impossible to fly even in your garden.
Fortunately not the case in most of Europe, but DJI's geofencing has been known to fork up people's toys.
That, and because idiots want close ups of flying jetliners.
-
Thursday 25th January 2018 15:39 GMT Joe Harrison
Re: Any idea?
I haven't got a drone but my guess is that the geofences are arbitrary and don't make sense? Like you want to fly your drone in the park but the council's head of estate management works in a shed there and someone has geofenced it as a sensitive government building.
I really doubt hobbyists are going to go Aha now I can disable the Heathrow zone, not with the brownstorm that would mean they had to deal with.
-
-
Thursday 25th January 2018 15:02 GMT Anonymous Coward
But what if...
In this case it was a pretty clear case of self-inflicted problems. Easily proven if you read this DJI statement because guess what? => "DJI received a report from an independent security researcher that an AWS server repository was accessible by unauthorized parties. We took this issue very seriously, and fixed it within a day of receiving the report.". This sheds a whole new light on the Github request if you ask me because it proves that incompetence was definitely a thing there.
But it does raise an interesting question I think: What if someone shares something on Github which wasn't theirs to share in the first place?
-
Thursday 25th January 2018 16:40 GMT Stevie
Bah!
One of the lessons I took away was "No matter what your stance as a company is on [insert hot button issue], you are at the mercy of the developers you hire and they are just as lazy and/or dense as anyone else at times."
The narrative of the article seems to randomly point towards the corporate attitude of DJI or the anonymous dev responsible with no real indication of which is being given the stinkeye at any particular time.
Not that I think anyone is innocent in this fiasco.
-
Thursday 25th January 2018 17:15 GMT Anonymous Coward
shortsighted on GitHub's end too
I'm still curious...
- there are lots of processing hooks in git.
- crypto stuff usually has recognizable extensions and contents
- remotes, especially famous ones like github, are also clearly identifiable in the git configs
I was listening to a podcast by someone who runs an npm security audit service scanning repos and that person stated that a big part of their hit results was notifying folks that their crypto sheep had wandered off reservation.
Couldn't GitHub itself send you a warning? It's not like they benefit much, judging from the above posts, from the recurrence of these kinds of goofs. How about an on-by-default/easily-installed/strongly-suggested plugin on plain git?
Often "touchy-feely-shary" cloud services are just plain sloppy with people's security. StackoverFlow, if you use their "share answer" link mechanism will append your personal SO ID # to the end of the URL, after the link to the answer. It's not required for anything - the answer ID # before it is enough - except some stupid attribution tracking for badges or the like. In the meantime, if you're using your real name on SO - which you could be doing for professional reasons - you unwittingly start leaking that elsewhere.
-
Thursday 25th January 2018 17:47 GMT Ken Hagan
Re: shortsighted on GitHub's end too
"How about an on-by-default/easily-installed/strongly-suggested plugin on plain git?"
Maybe, but that will be defeated by the kind of person who, when setting up a new repo, carefully goes through the configuration and disables everything that they don't personally understand or didn't personally set up, on the grounds that they are too smart to need such bloatware.
It's evolution in action. You make something idiot proof and then sit back whilst Nature evolves a better idiot.
-
Thursday 25th January 2018 18:45 GMT Brewster's Angle Grinder
Re: shortsighted on GitHub's end too
Then the control should be to "enable sharing of sensitive data"; i.e. installing the "plugin" should circumvent the normal rules which prevent uploading/sharing of private data.
Because bloatware is not entirely fictitious. And defaulting things to off, and then slowly enabling things you've had time to research, should be a policy that works.
-
-
Thursday 25th January 2018 18:38 GMT Phil Endecott
Re: shortsighted on GitHub's end too
> crypto stuff usually has recognizable extensions and contents
The actual key is in the screenshot in the article, have a look at it.
Maybe you could detect that a string of 64? random hex characters could be a key, but it would surely have plenty of false positives. It might work if the hook could interactively say "are you sure y/n?" but the hooks I've seen have not had that level of interaction.
-
Thursday 25th January 2018 21:16 GMT Anonymous Coward
Re: shortsighted on GitHub's end too
Me being dumb: I thought they had published the SSH key file or the like. That's what that podcast was talking about.
This is a different type of fail, isn't it? Even less forgivable, because it's not just a momentary lapse of attention, but a lack of basic coding skill. Don't hardcode secrets in code, whether or not you github it. No, not much git/github can do about that, forget any notion of hex string matching.
My remark about keys still stands though.
-
-
Thursday 25th January 2018 21:55 GMT Anonymous Coward
Re: shortsighted on GitHub's end too
> Couldn't GitHub itself send you a warning? It's not like they benefit much, judging from the above posts, from the recurrence of these kinds of goofs. How about an on-by-default/easily-installed/strongly-suggested plugin on plain git?
GitLab (that's 'Lab, not 'Hub) do offer this option in their Enterprise build (which, like their fully open source counterpart, can also be self-hosted).
I do not know about GitHub as I do not use them, but they may have a similar feature.
For years I have been using a pre-commit hook that does the same job, mind.
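The pre-commit hook this commenter mentions, the "takeaway" post's first point (secrets don't belong in version control; hooks as a second-level safety net) and the false-positive worry raised about matching "64? random hex characters" all point at the same piece of code, so here is one added example that serves all three. It is not this commenter's hook, nor anything from git, GitHub or GitLab. It scans only the lines a staged diff adds, combines two near-unambiguous patterns (PEM private-key headers and AWS access key IDs, whose formats are public) with a Shannon-entropy test on hex runs restricted to AES key sizes (32/48/64 hex chars), and lets a developer override a genuine false positive by putting the marker `allow-secret` in a comment on that line. The marker name, the 3.0 bits/char threshold and the sample diff are constructed assumptions for the example.

```python
"""Added example, not the commenter's hook: a git pre-commit hook that refuses
commits whose staged additions look like secrets.  Install by copying to
.git/hooks/pre-commit (executable); run with --demo to scan the constructed
sample diff below instead of the real index.
"""
import math
import re
import subprocess
import sys
from collections import Counter

# Patterns that are close to unambiguous (formats are publicly documented).
STRUCTURED = {
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Hex runs of exactly 32/48/64 chars (AES-128/192/256 key sizes) are only
# candidates; a 40-char git SHA or an 8-digit constant never matches.
HEX_RUN = re.compile(
    r"(?<![0-9a-fA-F])([0-9a-fA-F]{32}|[0-9a-fA-F]{48}|[0-9a-fA-F]{64})(?![0-9a-fA-F])")
ENTROPY_THRESHOLD = 3.0   # bits per char (assumed); 16 symbols max out at 4.0
ALLOW_MARKER = "allow-secret"  # assumed per-line override, e.g. in a comment


def shannon_entropy(s):
    """Shannon entropy in bits per character of the (case-folded) string."""
    counts = Counter(s.lower())
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line):
    """Return the list of finding kinds for one line ([] if clean or allowed)."""
    if ALLOW_MARKER in line:
        return []
    kinds = [k for k, rx in STRUCTURED.items() if rx.search(line)]
    for m in HEX_RUN.finditer(line):
        # All-zero padding or repeated test vectors have low entropy; a
        # real key is close to 4 bits/char.
        if shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            kinds.append("high_entropy_hex")
            break
    return kinds


def scan_added_lines(diff_text):
    """Scan only added lines ('+' prefix, excluding the '+++' file header)."""
    findings = []
    for raw in diff_text.splitlines():
        if raw.startswith("+") and not raw.startswith("+++"):
            for kind in scan_line(raw[1:]):
                findings.append((kind, raw[1:].strip()[:60]))
    return findings


# Constructed sample diff for the demo/tests (not from any real project).
SAMPLE_DIFF = "\n".join([
    "--- a/fw/crypto.c",
    "+++ b/fw/crypto.c",
    '+static const char *KEY = "3f9a1c7e5b2d8046a9c3e17f5d0b6a2e8c4f1d9b7e3a5c0d2f6b8e4a1c9d7f3b";',
    '+static const char *PAD = "0000000000000000000000000000000000000000000000000000000000000000";',
    "+#define FW_VERSION 0x1234abcd",
    "+AKIAIOSFODNN7EXAMPLE",
    "+-----BEGIN RSA PRIVATE KEY-----",
    '+const char *vec = "a1b2c3d4e5f60718293a4b5c6d7e8f90"; /* test vector, allow-secret */',
])


def main(argv):
    if "--demo" in argv:
        diff = SAMPLE_DIFF
    else:
        diff = subprocess.run(["git", "diff", "--cached", "-U0"],
                              capture_output=True, text=True, check=True).stdout
    findings = scan_added_lines(diff)
    for kind, snippet in findings:
        print(f"pre-commit: possible secret ({kind}): {snippet}", file=sys.stderr)
    if findings:
        print(f"pre-commit: commit refused; add '{ALLOW_MARKER}' to the line "
              "if this is really not a secret", file=sys.stderr)
        return 1
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

On the sample diff the hook flags the 64-hex key, the access key ID and the PEM header, while the all-zero pad, the 8-digit version constant and the marked test vector pass; that is the trade-off the thread discusses, with the override leaving an audit trail in the file rather than a silently disabled hook. A client-side hook is still only the second net: it can be bypassed with `--no-verify`, so the same scan belongs in a server-side receive hook or CI job as well.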
-
Thursday 25th January 2018 22:01 GMT Anonymous Coward
Re: shortsighted on GitHub's end too
What I meant re. SO:
This is a link to answer about Perl and Unicode, as you would get it by using the "share" link at the end of each answer:
https://stackoverflow.com/a/6163129/471272
471272 is the ID of the user copying the generated shared link. I replaced mine with the person who originally answered. In his case, he has his real name - he's an author.
All you really needed was https://stackoverflow.com/a/6163129 but SO helpfully added in your profile because you were logged in. Without really telling you, of course. And it can be spoofed too, so you can go pasting stuff around on alt.rec.perverts on someone's behalf.
Black Helicopter icon intended here.
-
Thursday 25th January 2018 23:52 GMT Claptrap314
Re: shortsighted on GitHub's end too
It is in GitHub's interest for there to be as much open content on their site, especially the free site, as possible. After that, it's all a matter of contract negotiations. I worked at a place that used public Github as the main interaction tool. Lots of information flowing through the ticketing system. Would Not Recommend. Worked at another place that ran private Github. We moved repos into public Github as appropriate. MUCH better.
-
-
-
Thursday 25th January 2018 23:02 GMT Shadow Systems
I've always wondered about that place...
The name "GitHub" makes me think it's a place for gits to hang out & be a git. I'm not sure what being a git has to do with programming, but evidently programmers & gits like to hang out together.
I'll get my coat, it's the one with the long sleeves that lock in the back & the pockets full of dried frog pills...
-
Friday 26th January 2018 09:24 GMT Anonymous Coward
Github has some responsibility
GitHub now clearly knows that they host code that enables modding of drones to let them fly illegally in dangerous airspace. They have a responsibility to take down the forks purely on public safety grounds. Letting the code and forks stay up due to some dogmatic belief in the right to copy / free speech / anti takedown or whatever is immature and irresponsible. If they feel they can't do it because it would violate their own Ts&Cs then those need to be fixed immediately to include a discretionary clause.
-
Friday 26th January 2018 11:20 GMT Anonymous Coward
Re: Github has some responsibility
Github now clearly know that they host code that enables modding of drones to let them fly illegally in dangerous airspace. The[y] have a responsibility to take down the forks purely on public safety grounds.
No they don't. Most tools are dangerous if misused, and they are not a wing of government censorship. For instance, they also host encryption software, stuff which could be used to make kiddie porn, interfere with radio communications, help with espionage or even assist with copyright infringement.
Put your ban-hammer back in your trousers.
-
-
Friday 26th January 2018 10:08 GMT Anonymous Coward
Did DJI break the law
With DJI originally claiming "confidential and proprietary information has been posted on your website by unauthorized parties" in the DMCA notice, and then saying it was some employees they have since fired, haven't DJI admitted they have broken the law by lying on the DMCA notice?
-
Friday 26th January 2018 23:37 GMT MachDiamond
Rockets
When I was working in aerospace everything was in house. Repos may not have had every "feature" of a cloud hosted service, but ITAR (arms regulations) restrictions come with heavy penalties. I got out when the "COO" was trying to outsource everything he could. Being a business major, he wasn't very bright.
-
Saturday 27th January 2018 18:40 GMT Doctor Syntax
Re: Rockets
ITAR (arms regulations) restrictions come with heavy penalties. ... the "COO" was trying to outsource everything he could
I reckon company policies, manuals etc. should always accompany statements of "this is what we do and how we do it" with "this is why we do it and why we do it this way" so that it can be pointed out to even the meanest intelligence in senior management when it's done that way because of statutory or regulatory reasons.
-