Drone maker DJI left its private SSL, firmware keys open to world+dog on GitHub FOR YEARS

Chinese drone maker DJI left the private key for its dot-com's HTTPS certificate exposed on GitHub for up to four years, according to a researcher who gave up with the biz's bug bounty process. DJI also exposed customers' personal information – from flight logs to copies of government ID cards – to the internet from …

  1. edge_e
    Facepalm

    ahh

    the earlier story starts to make sense

    1. Anonymous Coward
      Anonymous Coward

      Re: ahh

      The earlier Army story also makes more sense. I'm guessing they knew this as well.

      It's called a key for a reason, so you don't leave it in a pub with your name, address and vehicle reg number on a key ring. Though I have no doubt some people do this.

    2. Doctor Syntax Silver badge

      Re: ahh

      Maybe it's time to introduce the term "DJI effect", like the Streisand effect but aiming a larger piece of ordnance at one's foot.

  2. d3vy Silver badge

    Does this mean I shouldn't check my "Servercredentials.txt" file into github?

    1. Mark 85 Silver badge

      Posting it on FB might be safer... scratch that.... use MySpace as it's more obscure.

    2. macjules Silver badge

      Just post it on here. We promise not to use it. Don’t forget to include your credit card details as well please.

    3. Adam 1 Silver badge

      Servercredentials.txt? Really!? You are just asking to be hacked. What you should do is to call the file something more obscure like app.config, except further obscure the details by encoding them in XML.

      Something like this is all you need.

      <configuration>
        <connectionStrings>
          <add name="ProdDB" connectionString="Server=MyServer; Database=Prod; User Id=sa; password= re@Lly5Af3" providerName="System.Data.SqlClient" />
        </connectionStrings>
      </configuration>

      1. Maventi

        @Adam 1 you forgot to encode the password in base64, just for additional protection.

        1. bpfh Bronze badge

          And the hostname. So we can be sure it's you.

        2. Midnight

          I think you will find that the password is heavily encrypted with quadruple ROT13. That's the same encryption scheme that the NSA uses for their cafeteria menus, so you know it has to be good.

      2. d3vy Silver badge

        @Adam 1

        "Servercredentials.txt? Really!? You are just asking to be hacked."

        Heard you loud and clear, file renamed to "NotServerCredentials.txt" now.

  3. Anonymous Coward
    Anonymous Coward

    Is that what I think it is?

    I know what a hub is. I know what a git is. In fact, I know several.

    So what's a github?

    1. Anonymous Coward
      Anonymous Coward

      Re: Is that what I think it is?

      It's a hub of gits.

    2. x 7

      Re: Is that what I think it is?

      A Working Men's Club

  4. Anonymous Coward
    Pint

    All of a sudden...

    Remember GitLab? That "we want to be like GitHub but you'll have to pay us to keep your stuff safe"-company which utilized 6 ("six"!) different backup strategies to keep your data safe, but then never bothered to check on any of them so that in the end they ended up empty handed when they actually needed their precious backups?

    I don't know about you, but all of a sudden they seem pretty harmless right now.

    Because let's be honest: most of us have been there; the moment you notice that your backups are crap is when you actually need 'em.

    But that really pales in comparison to what we see happening with AWS (and now GitHub) as of late. Don't the "IT professionals" these days understand the difference between public and private repositories anymore? Are they really that stupid that they don't realize that private keys, which are even referred to as that, should be kept private?

    From the 'req' OpenSSL manual page:

    -pubkey

    outputs the public key.

    -newkey arg

    this option creates a new certificate request and a new private

    key. The argument takes one of several forms. rsa:nbits, where

    nbits is the number of bits, generates an RSA key nbits in size. If

    nbits is omitted, i.e. -newkey rsa specified, the default key size,

    specified in the configuration file is used.

    How obvious do they have to relay any of this information?

    Oh wait... do these guys actually read manual pages or have they become too "special" for that?

    And on that subject: do you really have nothing to hide anymore? If "IT professionals" are this careless with their own data, then what do you think they'd do with data which doesn't really matter much to them. For example yours?

  5. J. Cook Silver badge

    I may be a neophyte CA admin (I'm good with basic care and feeding and whatnot, but for anything super complex I call someone in who wears that hat day in, day out) and even *I* know that you guard your private certificate keys heavily, and restrict who has access to them.

    and the NDA shenanigans? that's not surprising at all given a few assumptions. (the small chunks of it that were in the PDF look a *lot* like 'schmuck bait' to me.)

  6. Youngone Silver badge

    Drones

    I was given a DJI drone as a present recently and I can't say I'm surprised at this.

    The device itself feels really well made and does fly well, but goodness the software is rubbish.

  7. Anonymous Coward
    Anonymous Coward

    Eyes on the military contracts

    Selling Boeing-botherers to the "up close and personal" wing of plane spotters has only so much potential; getting robotics out to military and governments has much greater data gathering scope and a more reliable revenue stream.

    Also save having to WEEE recycle unsold inventory, just flog it to a government (after the approvals process completes obv.).

  8. Chris Hills

    Normally X.509 keys have a lifetime of 1 or 2 years max for an end user/device certificate so if someone found it today it likely would not be much use unless your mark happened to have a clock running a few years slow.

    The rest, though, yikes.

    1. Daniel B.

      Not quite

      X.509 *certs* are usually valid for 1 or 2 years. The actual keys can be reused and in fact many companies do so because they don't have to generate another CSR if they do so. Bad practice? Sure. But not uncommon.

  9. iron Silver badge

    hired a third-party research firm

    Called Equifax.

    Or possibly Deloitte.

  10. Alistair Silver badge
    Joke

    This Kevin guy

    ... He's been causing a lot of grief lately -- too much time on his hands, I think. If he finds anything in the intersection of GitHub, AWS and the White House I suspect there will be a sudden Cuban vacation on his agenda....

  11. JLV Silver badge

    naive question...

    but a mistaken git add . is quickly done. Are there any good automation strategies to ensure that secrets don't get uploaded by mistake?

    I know one approach is to keep passwords and credentials out of code and get them from environment variables or special vaults. That's more of an if-you-code-correctly-then-it-won't-happen safeguard, but what about something that is automatically paranoid about what does end up in the uploads? Or watches over local repositories that have external remotes?
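    One way to get the "automatically paranoid" check asked about above is a pre-commit hook that scans only the lines a commit would add and refuses the commit when it sees a PEM private-key header or a plaintext password in a connection string. This is an added example, not code from the thread or from DJI; the file names, patterns and the sample diff are all constructed here.

```python
"""Pre-commit secret scanner. Added example, not the thread's or DJI's code.
Usage as a hook: git diff --cached --unified=0 | python3 scan_secrets.py"""
import re
import sys

# Conservative patterns for the kinds of secrets the thread discusses.
PATTERNS = {
    "PEM private key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "connection-string password": re.compile(r"(?i)\b(?:password|pwd)\s*=\s*[^;\"'\s]+"),
    "AWS access key ID": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
}

# Constructed sample of `git diff --cached --unified=0` output (not real data).
SAMPLE_DIFF = """\
diff --git a/app.config b/app.config
+++ b/app.config
@@ -0,0 +1,3 @@
+<connectionStrings>
+  <add name="ProdDB" connectionString="Server=MyServer; User Id=sa; password= re@Lly5Af3" />
+</connectionStrings>
diff --git a/server.key b/server.key
+++ b/server.key
@@ -0,0 +1 @@
+-----BEGIN RSA PRIVATE KEY-----
"""

def scan_diff(diff_text):
    """Scan only the lines a commit would add. Returns [(path, label, matched_text), ...]."""
    findings, path = [], None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):      # file header: remember which file the hunks belong to
            path = line[4:].removeprefix("b/")
        elif line.startswith("+"):       # added line; context and removed lines are skipped
            for label, pat in PATTERNS.items():
                m = pat.search(line[1:])
                if m:
                    findings.append((path, label, m.group(0)))
    return findings

def main(diff_text):
    """Print each finding and return the exit status a pre-commit hook should use."""
    findings = scan_diff(diff_text)
    for path, label, match in findings:
        print(f"refusing commit: {path}: {label}: {match[:40]}", file=sys.stderr)
    return 1 if findings else 0

if __name__ == "__main__":
    # With --demo, scan the constructed sample instead of stdin.
    sys.exit(main(SAMPLE_DIFF if "--demo" in sys.argv else sys.stdin.read()))
```

    Run with `--demo` to see it reject the constructed sample; in a real hook, an alert on a false positive is cheap compared with rotating a leaked key.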

  12. A. Coatsworth

    Don't be so hard with them, they were just trying to ramp up interest in their company!

    (obligatory)

    xkcd.com/1553


Biting the hand that feeds IT © 1998–2019