Aardvark Daily

Please visit the sponsor!

Owch, that's gotta hurt!

Anything that is done by man can be undone by man.

Well I think we all know that this saying is a bunch of baloney (just try unshooting someone in the head) but there are cases where it does apply -- such as encryption.

Hands up everyone who remembers how new-fangled (at the time) DVDs were supposed to protect the movies and TV shows that were on them by using a fancy encryption system?

That encryption system was supposed to be virtually uncrackable -- yet it didn't take too long before there was all manner of decryption software available that let you rip those disks to your hard-drive or transcode them into whatever format you wanted.

How can that be?

Wasn't this supposed to be "strong" encryption?

Well it doesn't matter how strong your encryption is, if you don't keep the keys safe, then it becomes next to useless -- as the creators of the DVD scheme soon found out to their cost.

Although the encryption system used for DVDs (CSS) was basically okay, human error meant that the much-sought-after decryption keys were able to be lifted from a DVD player in which they were very poorly concealed in firmware.

Game over!

Since then, those who rely on such key-based security and control systems to protect themselves against hacking have been pretty vigilant -- but even the most well-funded, successful companies are not immune and an interesting story appeared in The Register today.

It seems that, some time ago, DJI (you know, the drone people) accidentally flagged a code repository as "public" on GitHub, thus exposing their keys to the world.

Some clever developer(s) decided to create a fork of the official software (keys and all) so as to create their own version, thus giving them the power to bypass the geofencing and other restrictions that are normally imposed by the DJI code.

Of course flagging the repository as "public" was a bit of a mistake on DJI's part so they issued a DMCA takedown request in an attempt to have the new fork (and the keys) removed.

Bad luck DJI. As clearly outlined in The Register article, by making their repository public (even if it had only been for a short while), they effectively agreed to allow others to fork their code and continue to publish it (keys and all).

So sad (LOL).

Now I suspect that DJI will take further legal action by way of civil or criminal suit, alleging that although they did make the repository public, it was not their intention to do so and that GitHub's refusal to remove the forked code and keys represents significant damage to DJI.

This will be lots of fun!

I guess the moral to the story is that you should *always* read the fine print when using any service and that even the best DRM or encryption can fall victim to human error so should never be considered "foolproof".

Please visit the sponsor!

Have your say in the Aardvark Forums.

PERMALINK to this column

Rank This Aardvark Page

Change Font