Over the past few years, the idea of a "bug bounty program" has grown quickly. Microsoft, Apple and Google all offer money for finding issues in their software, and smaller companies have taken to introducing similar programs. Unfortunately, most companies have not managed them in a detailed or responsible manner. Case in point: DJI, manufacturer of the Phantom quadcopter drone line. The company announced its program in August but never clearly defined what was in scope. Some companies look only for firmware issues, while others encourage server research.
Kevin Finisterre decided he would reach out to the company, looking for details on the program. After some back-and-forth, it was made clear that server issues were included in the program. So, Finisterre set out to find issues in a place that is becoming an increasingly common source of leaked credentials: GitHub. As expected, Finisterre was able to find SSL certificate information, as well as public and private keys for Amazon Web Services.
After sharing his detailed and extensive findings with the company, he was offered a job consulting on security. That was, until the legal department got involved, and the entire tone of the conversation changed. Instead of a job, the company threatened legal action against him for hacking. They also sent over a contract that was insulting at best. It required him to stay silent on the topic and offered no protection from legal action for finding the data described in his report. He said of the interaction,
In the days following no less than 4 lawyers told me in various ways that the agreement was not only extremely risky, but was likely crafted in bad faith to silence anyone that signed it. I went through various iterations to get the letter corrected. It was ultimately going to cost me several thousand dollars for a lawyer that I was confident could cover all angles to put my concerns to bed and make the agreement sign-able.
After refusing to sign the contract and turning down a $30k bounty, Finisterre instead published his findings and his interactions with the company. The company, on the other hand, began a smear campaign against Finisterre, publishing a statement calling him a "hacker" and diminishing his findings.
DJI is investigating the reported unauthorized access of one of DJI's servers containing personal information submitted by our users. As part of its commitment to customers' data security, DJI engaged an independent cyber security firm to investigate this report and the impact of any unauthorized access to that data. Today, a hacker who obtained some of this data posted online his confidential communications with DJI employees about his attempts to claim a "bug bounty" from the DJI Security Response Center.
DJI implemented its Security Response Center to encourage independent security researchers to responsibly report potential vulnerabilities. DJI asks researchers to follow standard terms for bug bounty programs, which are designed to protect confidential data and allow time for analysis and resolution of a vulnerability before it is publicly disclosed. The hacker in question refused to agree to these terms, despite DJI's continued attempts to negotiate with him, and threatened DJI if his terms were not met.
This interaction underscores several issues plaguing the software industry. The first is the careless open-sourcing of software. When developers don't know the proper process for making code public, things go wrong, such as publishing database connection strings, cloud keys and more along with the source. This can expose very private information, in this case driver's licenses and passports, to the public.
The second issue is poorly implemented bounty programs. If a company does not have a detailed, published set of rules for its program, the process can easily turn sour, especially when a bug or security issue embarrasses the company. A reward can turn into a lawsuit or, worse yet, criminal charges. This can ruin a developer's or security researcher's career in perpetuity.
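The first of those issues, credentials committed alongside code, is the kind of defect a project can catch before it ever pushes to a public repository. The following is an added example, not code from the original article or from DJI, of a minimal pre-publish secret scanner: it runs a handful of regular expressions over file contents and reports any line that looks like an AWS access key, an AWS secret key assignment, a PEM private-key block, or a database connection string with an embedded password. The repository contents, file names and the `hunter2` password are constructed for this example; the AWS key values are the placeholder pair from the AWS documentation, which is exactly the sort of string such a scanner should flag.

```python
import re

# Patterns for the secret types the story describes. The AWS access key ID
# format (20 characters, "AKIA" for long-term keys or "ASIA" for temporary
# ones) is documented by AWS; the remaining patterns are constructed for this
# example and trade some false positives for simplicity.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # scheme://user:password@host ... catches the usual ORM/driver URL shapes
    "db_connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?)://[^:\s/]+:[^@\s]+@"
    ),
}


def scan_text(text, path="<stdin>"):
    """Return (path, line_number, pattern_name) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((path, lineno, name))
    return findings


def scan_files(files):
    """files maps path -> content, as a pre-commit hook would read staged files."""
    findings = []
    for path, content in files.items():
        findings.extend(scan_text(content, path))
    return findings


def format_report(findings):
    """Human-readable report; an empty list means the tree looks clean."""
    if not findings:
        return "no secrets detected"
    return "\n".join(f"{path}:{lineno}: possible {name}" for path, lineno, name in findings)


def check_for_publish(files):
    """Gate used before pushing: returns (ok, report)."""
    findings = scan_files(files)
    return (not findings, format_report(findings))


# Constructed sample repository. The AWS values are the documented AWS
# placeholder credentials, not a real key pair; the rest is made up.
SAMPLE_REPO = {
    "config/settings.py": (
        "DEBUG = False\n"
        "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'\n"
        "AWS_SECRET_ACCESS_KEY = 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'\n"
        "DATABASE_URL = 'postgres://app:hunter2@db.internal:5432/app'\n"
    ),
    "certs/server.key": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEpAIBAAKCAQEAconstructedplaceholder\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "README.md": "# Phantom firmware tools\nSee docs/ for setup.\n",
}

if __name__ == "__main__":
    ok, report = check_for_publish(SAMPLE_REPO)
    print(report)
    raise SystemExit(0 if ok else 1)
```

Run as a pre-push or CI step, a non-zero exit blocks the publish until the offending lines are moved into a secrets manager or environment variables and the committed key is rotated. Regex scanning of this kind is a baseline rather than a complete control: purpose-built tools such as git-secrets, gitleaks and trufflehog cover many more credential formats and can walk the full git history, which matters because a key deleted in a later commit is still recoverable from the earlier one.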
Based on the popularity of Star Wars: Battlefront, there was a lot of excitement from the gaming community for the follow-up. That is, right up until details about how the mechanics of the game would work became public. Following the latest trend in gaming, EA introduced micro-transactions into their flagship AAA title, something that is usually reserved for casual mobile games.
This decision triggered an immediate backlash from the gaming community, even before the extent of the decision had been revealed. As the release date came closer and players got a look at the game, it was revealed that large portions of the game, including prime characters, were locked behind an in-game currency system. For example, if you would like to bring Vader into the game, it will cost you about 40 hours of play time. The other option, rather than using playtime to unlock characters, is to spend real-world money to purchase currency. Unlocking all aspects of the game this way would cost $2,100, making the $80 price of the game itself relatively insignificant. Alternatively, you could play the game for 4,528 hours, or 189 days.
In response, the internet, and particularly Reddit, took EA to task, accusing them of theft and refusing to purchase the game. Initially, EA didn't seem to take notice, but in the end the company did seem to realize the problem it had created. EA released a statement in which it vaguely apologized for misunderstanding how players wanted to be charged for additional content.
We hear you loud and clear, so we're turning off all in-game purchases. We will now spend more time listening, adjusting, balancing and tuning. This means that the option to purchase crystals in the game is now offline, and all progression will be earned through gameplay. The ability to purchase crystals in-game will become available at a later date, only after we've made changes to the game. We'll share more details as we work through this.
In addition to removing crystals from the game, for now, they have also changed the rate at which in-game currency is rewarded. In fact, they have cut the requirements by 75%, meaning that the 189 days is now only 47 days of playtime. If someone plays the game 3 hours per day, every day, it would now take just over a year, as opposed to nearly 4.5 years previously. For now, this is a win for gamers, but it will not last forever.
The market for kids' wearables is growing and varied. Every year at CES we encounter at least one company showing off a wearable device that is designed to make kids safer and parents more at ease. Usually they are shaped like a watch, but not all of them offer screens. Most allow a parent to track the child via GPS, some allow parents to communicate with their kids, and some allow parents to listen in on their kids.
This last feature, while uncommon here in the US, has raised concern in Germany. While some helicopter parents have begun listening in on their kids' teachers, the government worries that it could be taken one step farther: espionage. Yes, that's right - the German government is worried about people listening in on all of the top-secret meetings that 8-year-olds are taking.
In reality, the privacy concerns around these types of devices are legitimate. Several models of these watches, and other IoT transmitters, have been found to transmit and store data unencrypted. This means, especially in the case of children, that it could become very easy to track a child's location or listen to a child's surroundings without anyone being the wiser. If the child in question is the child of a public figure, tracking the child could be as good as tracking the parent, creating a double security threat.
In addition to banning the sale of these products, the government has encouraged parents to take them from their kids and destroy them. This might be an extreme reaction to a hypothetical problem. In fact, it seems that, rather than banning the devices entirely, perhaps regulations to ensure the safety and security of the data, and the wearer, might make for a better plan. The privacy issues are not limited to kids' smartwatches - in fact they are potentially ever-present in all IoT devices, including adult watches.
Data security is the real topic here, not kids' smartwatches in particular. As a whole, we need to encourage manufacturers of IoT devices to pay more attention to what they are doing, and to respect the privacy of the people who buy their products, not to demonize a single aspect of the industry.
The past few weeks have been fascinatingly telling in the worlds of entertainment and technology. Starting with the revelation that Harvey Weinstein had been harassing, assaulting and/or raping women in Hollywood, the voice of victims has been heard. In the weeks since the original articles, other victims have found the strength to come forward about their own experiences of harassment, assault and rape.
Some of the bigger names to receive accusations include Robert Scoble, technology evangelist and venture capitalist, and Kevin Spacey, another household Hollywood name. The responses to these allegations from the accused have begun to get bizarre. Weinstein claimed that, because he came up in the 60s, the rules for workplace behavior were different. Scoble claimed that what he did wasn't harassment because the women didn't work for him. Spacey tried to play the issues off as drunken mistakes, and deflected the topic by coming out publicly as gay.
The response from the business world, however, has not been bizarre at all. In fact, in all three of these instances, companies have responded swiftly. Weinstein was fired from his own company, as was Scoble. The consequences for Spacey have been even more intense, at least from a business perspective. Netflix, which had several active projects with Spacey, has decided to cut all ties with him. Production on the final season of House of Cards has been suspended, and Gore, a film produced by and starring Spacey which was in post-production, has been scrapped entirely. Netflix said in a statement, "Netflix will not be involved with any further production of 'House of Cards' that includes Kevin Spacey. We will continue to work with (production company) MRC during this hiatus time to evaluate our path forward as it relates to the show."
Obviously suspending the final season of a flagship series is a major move, but the response seems to be resonating with customers on all sides of the cultural divide. Few would dispute that cutting ties with a man accused of sexual assault against a 14-year-old boy is the right move. This is in stark contrast to the response to a similar situation with Roman Polanski in the 70s, where studios and colleagues worked to make the situation go away.
The future of House of Cards is currently unknown, but there is talk of a spin-off and of an appropriate conclusion to the season currently on hiatus, without any new work featuring Spacey.
In the early days of personal computers, and especially the early days of the internet, the process for receiving a software patent was unbelievably easy. If you could string together 8 words that sounded tech-related, you could probably get a patent on the idea. Many of the ideas were so vague they could cover nearly any technology, and the owners of some of those patents have tried to take advantage of a bad system.
One such patent, currently owned by Personal Audio LLC (after several acquisitions over the years), has been known to the internet as "the podcast patent" because of whom it was used to threaten. The company threatened several high-profile podcasters, including Adam Carolla, for using its technology without permission.
Luckily, the Electronic Frontier Foundation came to the industry's rescue, taking the case to court to invalidate the patent. After running a successful crowdfunding campaign to fund the suit, the EFF won against Personal Audio in several courts, including the US Court of Appeals for the Federal Circuit in August. Theoretically this was the case's last stop, but Personal Audio would not be deterred, asking for the case to be reheard "en banc," meaning that all of the court's judges would consider it.
This week, the last stand of Personal Audio was unsuccessful, with the patent officially invalidated by the full court. In addition to arguing in favor of the patent, the company argued against the legality of the inter partes review process itself. It argued that allowing a third party such as the EFF to challenge a patent tilts the balance of power away from the patent holder. The court disagreed, invalidated the patent, and returned RSS feeds to the people of the internet.