e dot dot dot
a mostly about the Internet blog by

Drone-Maker DJI Offers Bug Bounty Program, Then Threatens Bug-Finder With The CFAA

Far too many companies and industries out there seem to think that the best way to handle a security researcher finding security holes in their tech and websites is to immediately begin issuing threats. This is almost always monumentally dumb for any number of reasons, ranging from the work these researchers do actually being a benefit to these companies issuing the threats, to the resulting coverage of the threats making the vulnerabilities more widely known than they would have been otherwise.

But drone-maker DJI gets special marks for attacking security researchers, having decided to turn on one that was working within the bug-bounty program it had set up.

DJI, the Chinese company that manufactures the popular Phantom brand of consumer quadcopter drones, was informed in September that developers had left the private keys for both the "wildcard" certificate for all the company's Web domains and the keys to cloud storage accounts on Amazon Web Services exposed publicly in code posted to GitHub. Using the data, researcher Kevin Finisterre was able to access flight log data and images uploaded by DJI customers, including photos of government IDs, driver's licenses, and passports. Some of the data included flight logs from accounts associated with government and military domains.

Finisterre found the security error after beginning to probe DJI's systems under DJI's bug bounty program, which was announced in August. But as Finisterre worked to document the bug with the company, he got increasing pushback—including a threat of charges under the Computer Fraud and Abuse Act (CFAA). DJI refused to offer any protection against legal action in the company's "final offer" for the data. So Finisterre dropped out of the program and published his findings publicly yesterday, along with a narrative entitled, "Why I walked away from $30,000 of DJI bounty money."
Finisterre helpfully documented his interactions with several DJI employees, all of which paint a pretty clear picture of a company that encouraged his work in finding exposed data and insecure public-facing websites. So appreciative was DJI, in fact, that Finisterre won the top prize for its bug-bounty program: $30,000. That prize came for Finisterre's discovery that DJI's SSL certificates and firmware encryption keys had been exposed via GitHub for years. After receiving written confirmation from DJI that its servers were within the scope of the bounty program, Finisterre submitted his disclosure report.

That's when things got weird.
When Finisterre submitted his full report on the exposure to the bug bounty program, he received an e-mail from DJI's Brendan Schulman that said the company's servers were suddenly not in scope for the bounty program. Still, Finisterre received notification from DJI's bug bounty program e-mail account on September 28 that his report earned the top reward for the program—$30,000 in cash. Then, Finisterre heard nothing for nearly a month.

Ultimately, Finisterre received an e-mail containing an agreement contract that he said "did not offer researchers any sort of protection. For me personally, the wording put my right to work at risk, and posed a direct conflict of interest to many things including my freedom of speech." It seemed clear to Finisterre that "the entire 'Bug Bounty' program was rushed based on this alone," he wrote.
He goes on to note that he had several lawyers look over the contract, all of whom balked at the language it contained. Hiring any of them to work the contract to the point that it was something he would sign would cost several thousand dollars, reducing the bounty reward to the point that it wasn't really worth collecting. On top of all that, the language in the contract offered nothing in the way of protection from the CFAA, which is frankly insane for a bug bounty program. The whole point is to research vulnerabilities. Jail time is not supposed to be a risk in that sort of work.

When Finisterre decided to refuse the bounty and go public instead, DJI suddenly began calling him a "hacker" and acted as though it barely had any idea who he was, despite having interacted with him over hundreds of emails.
DJI is investigating the reported unauthorized access of one of DJI's servers containing personal information submitted by our users. As part of its commitment to customers' data security, DJI engaged an independent cyber security firm to investigate this report and the impact of any unauthorized access to that data. Today, a hacker who obtained some of this data posted online his confidential communications with DJI employees about his attempts to claim a "bug bounty" from the DJI Security Response Center.

DJI implemented its Security Response Center to encourage independent security researchers to responsibly report potential vulnerabilities. DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed. The hacker in question refused to agree to these terms, despite DJI's continued attempts to negotiate with him, and threatened DJI if his terms were not met.
DJI has also shuttered the bug bounty program, with emails to it resulting in bouncebacks informing the reader that while they can still submit bug reports, the bounties are no longer available.

And so here we are. DJI offered a bug bounty program that one researcher responded to with a report about some serious vulnerabilities, including the disclosure of DJI customer information. Instead of being grateful for that information and fixing the problems, DJI instead decided to go the strong-arm route, resulting in the public now knowing just how bad at security DJI is. Way to go?
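The root cause described above, a TLS private key and AWS credentials committed to a public GitHub repository, is the kind of leak a repository-side check catches before it ships. The scanner below is an added example for this post, not code from DJI, Finisterre or Techdirt: it runs a small set of patterns (a PEM private-key header, an AWS access key ID, and a heuristic for the paired 40-character AWS secret) over a working tree and, because deleting a file in a later commit does not purge it from history, over the full `git log -p` output as well. The sample files are constructed here and use AWS's documented example key pair; the function names and the secret-key heuristic are assumptions of this example.

```python
"""Scan a source tree and its git history for committed private keys and AWS
credentials. Added example for this post (not DJI's or Finisterre's code); the
patterns and the sample files below are constructed here."""
import os
import re
import subprocess
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    path: str
    line: int
    kind: str
    excerpt: str  # redacted: a report must never echo the whole secret


# The two credential types the article says were exposed (a TLS private key and
# AWS keys) plus the AWS secret that pairs with an access key ID. The secret-key
# rule is a heuristic (assumption): a 40-char base64-style token assigned to a
# variable whose name contains "secret".
PATTERNS = {
    "pem_private_key": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)secret[^\n=:]{0,20}[=:]\s*['\"]?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"),
}


def redact(token: str) -> str:
    """Keep just enough of a match to locate it in the file; drop the rest."""
    return f"{token[:6]}...({len(token)} chars)"


def scan_text(path: str, text: str) -> List[Finding]:
    """Run every pattern over each line of one file's contents."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                # group(1) when the pattern captures the secret, else the whole match
                token = match.group(match.lastindex or 0)
                findings.append(Finding(path, lineno, kind, redact(token)))
    return findings


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Scan an in-memory {path: contents} mapping (used by the sample below)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def scan_directory(root: str) -> List[Finding]:
    """Scan a checked-out working tree on disk, skipping .git metadata."""
    files: Dict[str, str] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return scan_tree(files)


def scan_git_history(repo: str) -> List[Finding]:
    """Removing a key in a later commit leaves it in every earlier commit, so
    scan every diff on every branch. Line numbers here index the `git log -p`
    output rather than a file."""
    log = subprocess.run(["git", "-C", repo, "log", "-p", "--all", "--no-color"],
                         capture_output=True, text=True, check=True).stdout
    return scan_text("<git log -p --all>", log)


# Constructed sample tree: AWS's documented example key pair and a truncated
# PEM body. None of these are real credentials.
SAMPLE_FILES = {
    "config/deploy.py": (
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
    ),
    "certs/wildcard.key": (
        "-----BEGIN PRIVATE KEY-----\n"
        "MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7constructed\n"
        "-----END PRIVATE KEY-----\n"
    ),
    # A public certificate is not a secret and must not be flagged.
    "certs/wildcard.crt": (
        "-----BEGIN CERTIFICATE-----\nMIIC...constructed\n-----END CERTIFICATE-----\n"
    ),
    "README.md": "Keys are fetched from the secrets manager at deploy time, not stored here.\n",
}


if __name__ == "__main__":
    for f in scan_tree(SAMPLE_FILES):
        print(f"{f.path}:{f.line}: {f.kind} {f.excerpt}")
```

Run against a real checkout with `scan_directory(".")` and `scan_git_history(".")`; wiring either into a pre-commit hook or a CI step fails the build on the first finding. The excerpt is redacted on purpose so the scanner's own output does not become a second copy of the leaked key in a CI log.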

posted at: 12:00am on 21-Nov-2017

Top German Judges Slam EU Plans To Create Global Court To Enforce Corporate Sovereignty

A few weeks ago, we wrote how many -- even the US Trade Representative, Robert Lighthizer -- seem to think it's time for corporate sovereignty, also called "investor-state dispute settlement" (ISDS), to go. For some reason the European Commission disagrees. As Techdirt readers may recall, after receiving a bloody nose in a public consultation about corporate sovereignty, the Commission announced to great fanfare that it was "replacing" ISDS with something called the Investment Court System (ICS). In fact, this amounted to little more than putting lipstick on the ISDS pig, since ICS suffered from the same fundamental flaw: it gave companies unique rights to sue countries in a supra-national court. The EU is still plugging away at the ICS idea, and it now wants to go further by creating a truly global corporate sovereignty system enforced by a new Multilateral Investment Court (pdf), an initiative formally launched a couple of months ago:

the [EU's] approach since 2015 has been to institutionalise the system for the resolution of investment disputes in EU trade and investment agreements through the inclusion of the Investment Court System (ICS). However, due to its bilateral nature, the ICS cannot fully address all the aforementioned problems. Moreover, the inclusion of ICSs in [EU] agreements has costs in terms of administrative complexity and budgetary impact.

The multilateral investment court initiative aims at setting up a framework for the resolution of international investment disputes that is permanent, independent and legitimate; predictable in delivering consistent case-law; allowing for an appeal of decisions; cost-effective; transparent and efficient proceedings and allowing for third party interventions (including for example interested environmental or labour organisations).
When the ICS was first proposed, the German Association of Judges, which Wikipedia describes as "the largest professional organization of judges and public prosecutors in Germany", ripped it to shreds. The same august body has just meted out similar treatment to the Multilateral Investment Court, and has asked the German government "to deny the European Commission the required mandate to negotiate the establishment of a Multinational Investment Court (MIC)."

The document, originally in German, and available in an unofficial translation by EuroMinds Linguistics (pdf), contains a devastating analysis of the MIC and its flaws. For example, it points out that international investment protection law is characterized by a "lack of substantive law principles". That is, there are no global investment laws that the MIC could apply when deciding cases. The MIC would effectively be making it up as it went along. The German Association of Judges points out why the situation would be even worse for the MIC than for the ICS or ISDS tribunals:
Because of [the arbitration courts'] position, they can override decisions of national administrations and courts in favour of an investor. This exercise of power, exercised by an arbitral tribunal, has thus far been limited to the enforcement of individual arbitral awards. However, it would be considerably strengthened if the arbitral tribunals were upgraded to an MIC with permanent jurisdiction, which would operate under an international convention. Together with the investment protection agreements, as part of European law, the MIC Convention will be recognised by international law and can thus bind national courts. This will make the MIC a standard-setting organization.
In other words, the MIC would be able to create what amount to global laws, without any democratic input or scrutiny. The document also explains -- as many have before -- why special investor courts are unnecessary:
The protection of individual goods, including those of investors, is the daily work of the judges of all judicial courts and instances. In principle, these rights can also be claimed by foreign investors. ... the best investor protection is a functioning, uncorrupted administration and jurisdiction and a democratic legislative process. It is the task of every investor to determine this; they can avoid investments in countries that do not fulfil these standards. If they, nonetheless, take the risk, no special protection is necessary.
Obvious really.

Recognizing that the German government and European Commission will probably try to go ahead with the MIC initiative anyway, the German Association of Judges makes a number of sensible suggestions for improving the idea, and limiting the possible damage. However, the real solution would be for the EU to join other, wiser nations and abolish the system completely.

Follow me @glynmoody on Twitter or identi.ca, and +glynmoody on Google+

posted at: 12:00am on 21-Nov-2017
