
Chinese dev jailed and fined for posting DJI's private keys on GitHub - adamnemecek
https://www.theregister.co.uk/2019/04/30/dji_dev_jailed_fined_leaking_aes_ssl_keys_github/
======
xvector
Truly pathetic from DJI's side. And China, but that's to be expected at this
point. They do not deserve to have white-hats find their vulns for them.

> "I am done. I will go to jail, and I have to take this stain ... in my life.
> My girlfriend begin to break up with me, woooo, my family are broken.
> Fuck!!! What are terrible things! Maybe the only thing I can do now is to
> die; it is so hard. I need to be free."

This is horrifying. It honestly makes me feel sick for this poor developer.
Companies and nations this cruel have no place in modern society.

~~~
gnode
My understanding is that the conviction was for deliberately (disregarding the
accused's claim to the contrary) publicly sharing his employer's proprietary
source code and private keys. Assuming this is actually true, then it's
justified that there are legal consequences for sabotaging his employer like
this, and most countries have laws penalising such behaviour.

~~~
craftyguy
Meanwhile, companies and governments are allowed to 'accidentally' expose all
sorts of private information about millions of people without any meaningful
punishment.

------
RubenSandwich
It seems that a lot of people commenting did not read the whole article. The
developer committed four internal repos to DJI's public GitHub:
'spray-system', 'Management-platform', 'real_time_serve_v1' and
'real_time_serve'. These repos contained a wide variety of secret keys. So it
does seem that this was intentional. Even playing devil's advocate: many large
companies, Facebook, Google, etc., have systems to mirror part of their
internal repos to GitHub, but I can imagine that adding a new path is checked
and double-checked by multiple people. Also, this wasn't just a mistake of one
repo; it was four.

I'm making no comment on if the punishment fit the crime, just that by reading
the article it does seem that this was very much intentional.

~~~
oh_sigh
There have been thousands of instances of people unintentionally uploading
their private keys to github. It seems at least plausible that this developer
just didn't know the implications of what he was doing.

~~~
forkLding
Yeah, but you've breached an NDA and likely committed some kind of intentional
sabotage because this was done 4 times, so what happens to you is up to the
courts and how you can argue it.

~~~
oh_sigh
If you can make a mistake once, you can make it 4 times.

If this guy was going for intentional sabotage, why not sell the keys on the
dark web? Why not anonymously publish them on pastebin?

Why would he just upload them to github under his own name?

~~~
acct1771
Emotions make you stupid.

------
AFascistWorld
Maybe irrelevant but it's worth noting.

Sued and jailed for submitting a vulnerability. Open through Google search.
[https://www.caixinglobal.com/2016-10-17/are-chinas-ethical-hackers-cyber-heroes-or-criminals-100997712.html](https://www.caixinglobal.com/2016-10-17/are-chinas-ethical-hackers-cyber-heroes-or-criminals-100997712.html)

~~~
bcaa7f3a8bbc
From what I was told, around 2014 in China, there used to be a
responsible-disclosure platform called WooYun that existed for a while (some
of its articles were submitted to HN and got ~100 upvotes). It was similar to
HackerOne, and attracted a significant number of infosec researchers to hunt
bugs and report them to the vendors.

Until 2016, when the government arrested its founders.

* WSJ: China’s ‘White-Hat’ Hackers Fear Dark Times After Community Founder Is Detained

[https://blogs.wsj.com/chinarealtime/2016/08/01/chinas-white-hat-hackers-fear-dark-times-after-community-founder-is-detained/](https://blogs.wsj.com/chinarealtime/2016/08/01/chinas-white-hat-hackers-fear-dark-times-after-community-founder-is-detained/)

* China Arrests 10 White Hats from WooYoun Ethical Hacking Community

[https://news.softpedia.com/news/china-arrests-10-white-hats-from-wooyoun-ethical-hacking-community-506861.shtml](https://news.softpedia.com/news/china-arrests-10-white-hats-from-wooyoun-ethical-hacking-community-506861.shtml)

------
ab_c
I feel sorry for this dev as I've seen people do a lot of cluelessly dumb shit
over the years when it comes to security.

For example, I worked in a place which hires co-op students, and every year
there'd be at least one university-educated student who --after being told not
to-- would put their nondescript FOB security key card in their wallet. In the
event they lose their wallet, any stranger can google the name found on their
driver's license to find out information about them, their friends, or their
place of employment.

Then there are the countless startups where the boss has decided they don't
need to worry about security so their communal password is "password" and they
keep their user database in plain text. Nobody takes security seriously until
it blows up. And that tends to be the common attitude from business
management: worry about it when it's a problem.

~~~
fiddlerwoaroof
This example isn't particularly good: I'm much more likely to lose a random
keycard in my pocket than my wallet so, although having the keycard in my
wallet might make it easier to figure out what door it opens, it also makes it
much less likely that I'd lose my keycard in the first place.

~~~
bcaa7f3a8bbc
> I'm much more likely to lose a random keycard

On this example, I don't think it's a problem either. First, the keycard has
a PIN. After 3 failed attempts, it would either self-destruct the private key
or lock itself down until a secret recovery code is provided. Second, private
keys on keycards that are reported as lost can be revoked immediately.

------
Rebelgecko
That's pretty lame, especially considering DJI's abysmal security practices.

For the Phantom 2, I think the root password to ssh into the drone was
something like "12341234". For the Phantom 3, they make it more secure by
upgrading the password to "Big~9China".

~~~
bitL
Do you know one for Phantom 4? I'd like to adjust maximal allowed elevation
(the hard limit gets in the way while shooting movies in mountains).

~~~
Rebelgecko
Don't know, sorry. It might be worth checking if that limit is enforced on the
drone itself or the app. At least for the older drones, things like no fly
zones around airports were only in the app. Messing with the firmware of the
actual drone seemed nontrivial.

~~~
bitL
P4 was supposed to have it baked in the firmware as DJI didn't want to allow
3rd party apps to bypass that limit.

------
outworlder
Why aren't we questioning the fact that there were secrets stored in Git? This
is terrible security practice, and this fallout is exactly the kind of issue
we should expect to happen as a consequence.

------
nicodjimenez
China is setting an example here that intellectual property laws are to be
taken seriously. It's not clear whether this particular case was intentional
or not, but in general greater IP protection in China is definitely a good
thing.

~~~
bovermyer
If you think jailing someone for a mistake is a good thing, then you have some
_serious_ humanity issues that you need to work on.

~~~
Veen
You can be sent to jail for a mistake if it was caused by negligence.

~~~
penagwin
Well yeah obviously. The question is whether an individual _should go to jail_
because of negligence.

Obviously, there is a real "It depends". Hit and kill an individual with your
car because you were distracted? That could mean jail. Accidentally pushed
code to the wrong repo? Should that mean jail time?

------
devy
I don't understand why this post has to put "Chinese" in the title?! If the
dev was a United States citizen, would you rename the title to "American dev
jailed"? Absurdity!

~~~
lkj
Also note the hints at the original in the URL:
"dji_dev_jailed_fined_leaking_aes_ssl_keys_github"

The Register decided that adding the nationality was good for clicks. :(

~~~
mattnewton
The fact that the developer was prosecuted under Chinese law is important to
an audience of developers who want to know what precedent it sets for their
own work.

~~~
devy
Sharing private information publicly, whether intentionally or
unintentionally, that leaks customer data and weakens the software's security
is illegal in any country as far as I know.

~~~
mattnewton
He claims it was a mistake. Checking in private keys is a fairly common
mistake and seems analogous here.
[https://m.slashdot.org/story/181081](https://m.slashdot.org/story/181081)

------
bcaa7f3a8bbc
My first submission on Hacker News was the link below, 2 years ago. It didn't
receive any upvotes.

Click and see, it's fascinating.

* GitHub commit search: “remove private key”

[https://news.ycombinator.com/item?id=14262124](https://news.ycombinator.com/item?id=14262124)

Although most keys removed are just useless, automatically generated test
keys, genuine keys do exist. Someone should write a crawler to monitor these
commits, create digital signatures from the private keys to prove the leak,
and notify the issuing CA to revoke them automatically.

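The crawler sketched in the comment above, and the "secrets in Git" point raised earlier in the thread, as an added example that is not part of the original post: it pulls private-key PEM blocks off the deleted lines of a "remove private key" commit diff (the key stays exposed in history) and proves possession by signing a challenge and verifying it against the public half, which is what a revocation notice would carry. The diff, the path config/server.key, and the Ed25519-only handling are assumptions made for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"strings"
)

// RemovedPrivateKeys returns the PEM private-key blocks found on the deleted
// ("-") lines of a unified diff, i.e. what a "remove private key" commit removed.
func RemovedPrivateKeys(diff string) []*pem.Block {
	var removed strings.Builder
	for _, line := range strings.Split(diff, "\n") {
		// "--- a/path" is the file header; "------BEGIN" is a deleted PEM line
		if strings.HasPrefix(line, "-") && !strings.HasPrefix(line, "--- ") {
			removed.WriteString(line[1:] + "\n")
		}
	}
	var keys []*pem.Block
	for b, rest := pem.Decode([]byte(removed.String())); b != nil; b, rest = pem.Decode(rest) {
		if strings.HasSuffix(b.Type, "PRIVATE KEY") {
			keys = append(keys, b)
		}
	}
	return keys
}

// ProveLeak signs a challenge with the recovered key and verifies it against the
// public half; true is the proof of possession to attach to a notice to the key
// owner or issuing CA. Assumption for this example: PKCS#8 Ed25519 keys only.
func ProveLeak(block *pem.Block, challenge []byte) bool {
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	priv, ok := parsed.(ed25519.PrivateKey)
	if err != nil || !ok {
		return false // undecodable or unsupported key: nothing to prove
	}
	sig := ed25519.Sign(priv, challenge)
	return ed25519.Verify(priv.Public().(ed25519.PublicKey), challenge, sig)
}

// ConstructedDiff is the sample input: a throwaway key generated here (not a
// real leaked key) on the deleted lines of a commit that removes config/server.key.
func ConstructedDiff() string {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	der, _ := x509.MarshalPKCS8PrivateKey(priv)
	body := strings.TrimSpace(string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})))
	return "--- a/config/server.key\n+++ /dev/null\n-" + strings.ReplaceAll(body, "\n", "\n-") + "\n"
}
```

A key that appears only on added (+) lines is not reported, since the point is to catch material a commit tried to take back.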
~~~
jldugger
There are multiple bots that crawl github for pubkeys and other credentials.

~~~
bcaa7f3a8bbc
I know blackhats and grayhats must have been doing it for years. But I'm not
aware there's any bot that acts in a whitehat manner to disclose it to
affected parties and conduct public research, is there? I mean, something
like those RSA-key-crawling projects by cryptographers that have discovered
several types of non-random keys with zero security.

~~~
jldugger
I admit I've been on the receiving side of some notices about low value API
keys. [https://www.gitguardian.com](https://www.gitguardian.com) for example,
uses this sort of thing as a public service / sales lead I guess.

~~~
bcaa7f3a8bbc
Good to know, thanks for the info.

