Dji Bug Bounty ends badly

quaddamage · Nov 17, 2017

Turns out hackers do not have much of a patience.. who would have thought?

The previous news about bug bounty was accurate in the lump sum, but premature in the outcome:
DJI to Pay Out Thousands of Dollars After Successful Bug Bounty Reports

Since the news today say the hacker resigned after DJI proposed an outrageous NDA:
Bug bounty hunter reveals DJI SSL, firmware keys have been public for years | ZDNet

Yup, most companies know - it is better to leave managing bug bounty programs in hands of companies which specialize in those. I wonder who will they blame for the failure.

GMack · Nov 17, 2017

I read something yesterday on Reddit where DJI offered $30,000 for the bug find. Some guy claimed it, but DJI refused to pay him and instead threatened a lawsuit against him if published. The Reddit board was full of "Typical Chinese business ethics." Sounds like a crime novel: "Find a security issue and we'll pay you handsomely, but we will also sue you for the hack job."

Bug bounty hunter walks away on 30k$ bounty from DJI (drone maker) • r/netsec

FLOATIN · Nov 17, 2017

This is extremely bad, not only on the face of it but because of what it indicates about DJI corporate security. The user information that DJI stores should be considered compromised. The public corporate response is foul and suggests DJI is not a company that should be trusted with any of our personal information.

FLOATIN · Nov 17, 2017

Man gets threats—not bug bounty—after finding DJI customer data in public view

quaddamage · Nov 17, 2017

I've heard privacy doesn't exist in china. This is just how Chinese culture works. Not only the people are allowing the communist government to spy on them, but they also never consider privacy amongst themselves. For example, if someone from China has your phone number, he will not hesitate to share it with anyone interested. He just doesn't see anything wrong with sharing someones personal info. Also, westerners often get shocked when someone takes a picture of them, and this picture later lands on a billboard without their permission.

So I don't think DJI employees neglect security; I think their chinese employees just assume different definition of it.

FLOATIN · Nov 21, 2017

Corporate security is something that comes from the top down, mainly because it requires funding and organizational support. This is a big problem with global business in general. Fact is you need to act as an individual, as best you can, to protect your personal information, but our ability to do that is admittedly very limited.

quaddamage · Nov 24, 2017

Dji tries to flip it around:
Statement About DJI’s Cyber Security and Privacy Practices

Yup, this is what we call propaganda. Many of their claims cannot be easily verified.. but that's one of the propaganda indicators.

It is interesting that their previous statement said there were bounty claims on $35,000, then we learned that $30,000 was the one man who walked away, and now "almost a dozen security researchers" got paid? So a dozen people shared $5,000? Really?

Also, they did said that the e-mail published by the rogue researcher is authentic, but they deny any threats? I mean, people who read this statement probably also read the rouge report, so they see the plain lie here. Are they trying to re-define what a "threat" is? Looks like accusing someone of a crime, and saying you will sue him, is not a threat in eyes of Dji. I don't even want to know what they consider a threat then.

Erised · Nov 24, 2017

Privacy doesn't exist anyware not just China, North America too. Everything you say or type with your phone is looked at and archived, every where you go is tracked by your phone, if you have a smart TV every program you watch is logged, every site you go on with your computer is also logged, privacy is just an illusion.

Meta4 · Nov 24, 2017

quaddamage said:
Yup, this is what we call propaganda. Many of their claims cannot be easily verified.. but that's one of the propaganda indicators.

That something isn't easily verified, is not necessarily an indicator of propoganda.
You're looking at a he said - she said situation and it's quite understandable that a number of claims of either party aren't easily verifiable.

quaddamage said:
It is interesting that their previous statement said there were bounty claims on $35,000, then we learned that $30,000 was the one man who walked away, and now "almost a dozen security researchers" got paid? So a dozen people shared $5,000? Really?

There was nothing in DJI original announcement that said $35K and nothing to suggest they had a pot of $30K to fund all rewards from.
Here's what the original announcement said:

Rewards for qualifying bugs will range from $100 to $30,000, depending on the potential impact of the threat.

quaddamage · Nov 24, 2017

Meta4 said:
There was nothing in DJI original announcement that said $35K

I can't find the place where I've seen this number. I remember reading it, but I know, no proof - no argument.

Meta4 said:
and nothing to suggest they had a pot of $30K to fund all rewards from.

Did I said that? I never said that. The $30k is the max sum of single reward, and it was the sum proposed to the rouge researcher for his report.
Sorry if I'm using some kind of convoluted language, I am not native.

EDIT: I must say my opinion of Dji is getting worse and worse recently. It will not cause me to stop buying their products (alternatives are at least twice as expensive), but I will be very suspicious about their every word.

Meta4 · Nov 24, 2017

quaddamage said:
I must say my opinion of Dji is getting worse and worse recently. It will not cause me to stop buying their products (alternatives are at least twice as expensive), but I will be very suspicious about their every word.

Yet you completely accept every word from their accuser, KF?
Knowing a little of his background, I'd hesitate to trust him completely.
He has his own agenda.
Department 13 business and why else Kevin Finisterre might give up $30 000 bounty
We Talked to the Guy Selling a Pre-Hacked Drone on eBay

quaddamage · Nov 25, 2017

Meta4 said:
Yet you completely accept every word from their accuser, KF?
Knowing a little of his background, I'd hesitate to trust him completely.

Many of the things he wrote matches to what I know. And at least a few points of the Dji statement I am sure are false.
I wouldn't say I trust anyone completely, just that while in my position I can't be certain, KF's statements make more sense.

Meta4 said:
He has his own agenda.
Department 13 business and why else Kevin Finisterre might give up $30 000 bounty
We Talked to the Guy Selling a Pre-Hacked Drone on eBay

I don't see how any of this can be used against him.

Selling pre-hacked drones - I was considering the same thing, only with Ph3's; if you spent a lot of time on analyzing a dnone, why not monetize this knowledge? He wasn't hiding anything, it actually looks like he was doing it to get visibility in media. You know, if you're indie game developer, you spend most of your time not coding, but trying to sneak info about your game to every forum, every list of games and every reviewer. You need visibility. This is what he did here, only more open and smarter.

KF's working for Department 13 - he never tried to hide that. I remember watching a video where he openly talks about the company and their products, from a conference or something. And while I see possible conflict of interests, I don't see him having business motive to damage Dji. They are making not only the drone tracking system, but also the drones on which his business relies. He probably did it for visibility as well, but this doesn't mean he is lying. Interesting article, though.

It is always impossible to say with 100% probability who is lying where. But it is important to pick a side, not allowing the lie to cloud the situation. I was born in a communistic country which soon went through transformation. I remember what propaganda is.

Meta4 · Nov 25, 2017

quaddamage said:
Many of the things he wrote matches to what I know. And at least a few points of the Dji statement I am sure are false.
...
It is always impossible to say with 100% probability who is lying where.

All we can be sure of is that he has a history of hacking DJI drones and has a grudge against DJI.
He responded to their Bug Bounty and was offered $30K for the vulnerabilities he demonstrated.
But he later decided to turn down the $$, supposedly over the terms of the agreement.

Beyond that I wouldn't know what is believable.

I found a couple of interesting pieces that help fill in a few blanks:
A word of caution to the droning community
In Defense of DJI: Why Hackers Are Wrong to Play Games

quaddamage · Nov 25, 2017

Wow, for one guy, he is pretty polarizing. Suspiciously polarizing.

Bakersfield Quad · Nov 25, 2017

Meta4 said:
Yet you completely accept every word from their accuser, KF?
Knowing a little of his background, I'd hesitate to trust him completely.
He has his own agenda.
Department 13 business and why else Kevin Finisterre might give up $30 000 bounty
We Talked to the Guy Selling a Pre-Hacked Drone on eBay

Interesting!

cdronefly · Nov 25, 2017

Kevin was on 3DR's case (for good reason) for at least 5 years and exposed major bugs in their system - many of which were not fixed. Chris A finally banned him from DJYDrones.

So he doesn't just have it in for DJI...he fiddles with most every brand there is. Now - DJI is the biggest target right now, so it makes sense that's where the attention is.

Meantime, Equifax, Uber, Target and many others have much more serious data from most of us...hacked and leaked...and we sit here talking about stuff we know little about.

LuvMyTJ · Nov 30, 2017

GMack said:
I read something yesterday on Reddit where DJI offered $30,000 for the bug find. Some guy claimed it, but DJI refused to pay him and instead threatened a lawsuit against him if published. The Reddit board was full of "Typical Chinese business ethics." Sounds like a crime novel: "Find a security issue and we'll pay you handsomely, but we will also sue you for the hack job."

Bug bounty hunter walks away on 30k$ bounty from DJI (drone maker) • r/netsec

This is incorrect. I have included the link to his story. DJI was planning to pay him but he refused the money due to the NDA they wanted him to sign. - http://www.digitalmunition.com/WhyIWalkedFrom3k.pdf

GMack · Nov 30, 2017

LuvMyTJ said:
This is incorrect. I have included the link to his story. DJI was planning to pay him but he refused the money due to the NDA they wanted him to sign. - http://www.digitalmunition.com/WhyIWalkedFrom3k.pdf

Page 15 of the link: Quote, "...Unfortunately he (Brendan Schulman) was not able to keep the barbarians at the gate, and received a thinly veiled Computer Fraud and Abuse Act threat from DJI." In essence, they threatened him for disclosing the information off their servers even though he had proved he had hacked into it with the names he sent. Their NDA seemed an attempt to prove their case against him for the hack and why his lawyers were hesitant on him signing it. I wouldn't sign or agree to it either given they seem to have no interest in paying him with a positive outcome, and admitting he had hacked and violated the CFAA too. DJI should have admitted they screwed up their server security and paid him for the find, but they didn't play it that way.

Recently, I was surprised to learn that Blackmagic, who sells Davinci Resolve, had an article on security for film. Talking to one who is a colorist, editor, grader in Hollywood I learned his editing bay is not linked to the internet or any Cloud based storage at all due to possible theft of intellectual property. Davinci Resolve uses a dongle key (Unless you want an unlock key.) to run the software on those types of workstations which keeps it offline and secure. He has to use another computer for any updates into the editing computer station. He does not use Adobe due to it being open for Cloud-based and possible theft/hacking (Adobe has been hacked before and sent out notices!) which he would be liable for millions if intellectual property was stolen off his bay, maybe to Chinese pirates to make DVD's prior to launch if he were hacked. Interesting.

John Locke · Dec 4, 2017

This kind of unwillingness to pay for hackers to find problems in DJI servers is telling. Shulman's NDA had trickery in the words, and he was apparently unwilling to negotiate the NDA terms to protect the hacker. DJI makes it appear they don't care about our privacy, cancelling the server portion of the program. Of course, this is coming from a communist country that doesn't support an individual's rights to privacy, so in their mind it's no big deal, an invasion of privacy is perfectly OK. It appears the US government has to watch what DJI does and pay close attention to the technology they are selling US citizens as well as US municipalities. Check out this August report from US Homeland Security.