Chinese dev jailed and fined for posting DJI's private keys on Github

A Chinese software developer who previously expressed suicidal thoughts has been jailed after putting one of drone company DJI's AES private keys onto Github in plain text. That key, as we revealed at the time in January 2018, allowed world+dog to decrypt DJI's encrypted flight control firmware, paving the way for the curious …

  1. NATTtrash

    He said..?

    My girlfriend begin to break up with me, woooo, my family are broken. Fuck!!! What are terrible things!

    ...

    Local reports, apparently quoting the Chinese state prosecutors, quoted the dev as having written on Twitter: "There is no intention to disclose the secrets of Dajiang" and "I regret that I have no legal awareness, and I am willing to bear the corresponding legal responsibilities."

    Remarkable difference in language proficiency this is.

    Source of both message he is?

    1. Grease Monkey

      Re: He said..?

      Presumably the quote from Twitter was originally in his native language and was translated by somebody with a better command of English.

      1. NATTtrash

        Re: He said..?

        You're right, that would do it...

        1. KF

          Re: He said..?

          The source of the quotes is me... Kevin F... Emails between myself, this dev and DJI were forwarded to the author. I have screenshotted them on my Twitter account.

          https://twitter.com/d0tslash/status/1122480129320673280

      2. KF

        Re: He said..?

        His personal quote was not actually on Twitter; this is a misquote. It was actually on QQ.com, shared by the prosecutor. Here is the link. https://mp.weixin.qq.com/s/6sVI-iVUAntFrsn4-JHYbA

    2. KF

      Re: He said..?

      Additional information on the source letters from him discussing suicide are documented on my Twitter feed. https://twitter.com/d0tslash/status/1122480827814817792

      1. Anonymous Coward

        Re: He said..?

        You're right... looks like a ruse... so it's not just the keys that were uploaded then; it also includes proprietary source code, and someone is checking if you actually downloaded it.

  2. A random security guy

    Interesting that most companies don't use some simple form of HSM to protect their private keys.

    1. Anonymous Coward

      You have seen the price of proper enterprise-grade HSMs?

      Having said that, they're nothing compared with the cost of losing your keys. Trouble is, some budget approvers don't get this.

      I'm sure you don't need to ask why AC.

    2. Anonymous Coward Silver badge

      Not buying an HSM will only pay for itself if your devs don't cock something up. Therefore, if you need an HSM your devs aren't good enough.

      /accountant-mode

  3. gnasher729 Silver badge

    Private keys = trade secret

    Interesting take: Your private keys are a trade secret. I suppose when you look at what a trade secret is (something that is secret, and gives you an advantage towards your competition because you know it and others don't), it's absolutely correct.

  4. Paul Johnson 1

    Set up to fail

    This poor guy is being left to dangle in the breeze for management failings. If his employer had properly protected their secret key then it would never have been possible to put it in a public repo.

    The policy of hanging a minion who screwed up "pour encourager les autres" is a classic symptom of an immature organizational culture. It's the *system* that screwed up; the minion was just the last link in the causal chain. Hence the correct response is not to hang the minion but to fix the broken system.

    1. richard?

      Re: Set up to fail

      I agree they should protect the keys...

      But I have no sympathy for someone who thought it was OK to publish any of their company's stuff on GitHub without asking and receiving clear permission.

      His employment contract will certainly have had the usual clauses about company ownership of his work, confidentiality etc. Even without the keys he broke his contract and trade secret laws, it's just unfortunate the keys made it a lot worse which is on the company.

      1. tiggity Silver badge

        Re: Set up to fail

        From reports it was accidentally setting a fork of DJI's private GitHub repo to public (yes, lots of companies use cloudy repositories for their code).

        So a dev mistake on the privacy settings on forked code, *BUT* DJI should have had systems in place to spot such errors (or, even better, prevent them from occurring).

        As has been said, it's the little guy taking the fall for systemic faults in their system.
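One concrete form of the "spot such errors" system tiggity describes, as an added example that is not code from the page, DJI or GitHub: a pre-commit scanner that flags PEM private-key blocks and high-entropy hex strings of AES key length before they can reach any repository, run here over a constructed sample file.

```python
import math
import re

# PEM private-key header, and bare hex strings of 128- or 256-bit length
# (the two forms in which signing/encryption keys usually leak into source).
PEM_KEY = re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")
HEX_KEY = re.compile(r"(?<![0-9A-Fa-f])([0-9A-Fa-f]{32}|[0-9A-Fa-f]{64})(?![0-9A-Fa-f])")


def shannon_entropy(s):
    """Bits per character: random hex sits near 4.0, repeated padding near 0."""
    freq = {}
    for ch in s:
        freq[ch] = freq.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in freq.values())


def scan_lines(lines, min_entropy=3.0):
    """Return (line_no, reason) for each line that looks like it carries a key.

    The entropy threshold keeps all-zero IVs and test padding out of the report
    while still catching real key material."""
    findings = []
    for no, line in enumerate(lines, 1):
        if PEM_KEY.search(line):
            findings.append((no, "pem-private-key"))
            continue
        for m in HEX_KEY.finditer(line):
            if shannon_entropy(m.group(1).lower()) >= min_entropy:
                findings.append((no, "high-entropy-hex"))
                break
    return findings


# Constructed sample of what a pre-commit hook would see in a staged file.
SAMPLE = [
    "# firmware signing config",
    'AES_KEY = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"',  # 128-bit key, flagged
    'PADDING = "00000000000000000000000000000000"',  # same length, zero entropy
    "-----BEGIN RSA PRIVATE KEY-----",                # flagged by header
    "build_id = 20180119",                            # too short to match
]

if __name__ == "__main__":
    for no, reason in scan_lines(SAMPLE):
        print(f"line {no}: {reason}")
```

Wired into a pre-commit or pre-receive hook, a non-empty result from scan_lines should reject the commit; hosted platforms' secret scanning catches the same patterns, but only after the push has already happened.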

        1. teknopaul Silver badge

          Re: Set up to fail

          Github should have systems in place to prevent such situations.

          Don't see why you can't have cloud plus IP whitelist. HTTPS plus client certificates. Cloud plus VPN to access. Etc etc.

  5. Zilla

    Exactly. Developers like this should never ever have access to the production SSL certificates or private keys.

    The fact he had access shows how terrible DJI's internal development practices are. It's shocking.

    These days private keys are held securely in systems which do not allow casually exporting. Instead they are packaged up and deployed securely when required.

    1. Amentheist

      Well, judging by the names of those repos I can already glean that they have some terrible naming conventions, let alone the rest of their practices..

    2. Aitor 1 Silver badge

      Access

      I think they should have access, but just for testing, and absolutely not put them in the source code repository.

  6. Spacedinvader

    Irony

    If it was a US (well, probably any other than Chinese) company he'd probably be given a medal for snagging the keys.

    1. Mark 85 Silver badge

      Re: Irony

      That's the problem in a nutshell. For a Chinese hacker, the world is a plum waiting to be picked and encouraged by China. They only respect their own "copyright" and "patents" as such.

      1. Cxwf

        Re: Irony

        Well, yes, but... how wrong are they? Copyright/patents aren’t a fundamental human right, they’re a product of law. And if the law that establishes them has no jurisdiction over you, and the authors of that law have no reason to even consider your interests (because it’s intended to help citizens of another country)...how much respect do you give that law?

        International trade treaties should theoretically still hold, but even there, complying with another country’s copyright is a concession to get something else, not an obvious point of agreement.

      2. Alan Brown Silver badge

        Re: Irony

        > They only respect their own "copyright" and "patents" as such.

        I suggest you enlighten yourself as to the USA's own sordid history of state-sanctioned intellectual property theft - which lasted well into the 20th century (some say it's still occurring) and has a major bearing on the country's ability to become an economic powerhouse.

        Every time I see this rant, the pot and the kettle come to mind.

Biting the hand that feeds IT © 1998–2019