Salted Hash Ep 13: Bug bounties and video surveillance programs

This week, Steve is joined by show regular Fahmida Rashid to discuss the DJI bug bounty problems, and an initiative from the Electronic Security Association

Welcome to 2018! This week's episode is the first of the year, and we're joined by longtime regular Fahmida Rashid to talk about DJI's bug bounty problems and a pitch about video surveillance programs. We also talk about what we think will make headlines this year.

DJI's bug bounty:

Researcher Kevin Finisterre posted an essay describing his experiences with the DJI bug bounty program, ultimately walking away from a $30,000 payout because of his interactions with the company. A copy of his essay is available via The Register.

In short, Finisterre and the others he worked with discovered sensitive information exposed on AWS. When he queried DJI about the findings and asked whether they were within the scope of its bug bounty, the company responded (after lots of back and forth) that they were, and offered him a bounty of $30,000.

Once it came time to do the paperwork and sign the bug agreement forms, things took a turn for the worse.

"For me personally the wording put my right to work at risk, and posed a direct conflict of interest to many things including my freedom of speech," Finisterre wrote, explaining his reaction to the initial letter.

There were revisions, but none of them helped. Later, as things started to stall, Finisterre said he received a "thinly veiled" Computer Fraud and Abuse Act letter from DJI.

In a statement, DJI disputed the narrative as presented, saying:

"Claims that we have threatened one of the participants in the program, or required that he remain silent about his discovery, are false. The record of email exchanges and communication with the person in question shows that DJI continued negotiating the terms of the bounty in good faith with the participant until he chose to walk away from the program."

Further, in a press release, DJI said that all bounty participants are asked to follow standard terms, which are designed to protect data and allow time for analysis and resolution before disclosing a given vulnerability.

But "the hacker" – they don't use Finisterre's name – "refused to agree to these terms, despite DJI’s continued attempts to negotiate with him, and threatened DJI if his terms were not met."

As for the engineers responsible for the flawed AWS deployment, DJI says they were fired "because we considered their behavior inexcusable and not in line with company policy."

On December 13, DJI issued a breach notification letter to customers over the incident. A copy of that letter is available on DroneDJ.

As mentioned in the video, bug bounty programs are increasingly common these days, and they provide value to the public. But there is plenty of room for them to grow, as some companies launch them without really getting into the details of what it takes to make such programs successful: clear scope, payout terms agreed before the researcher submits, and disclosure agreements that do not expose the researcher to legal risk.

Video Surveillance Registration

Would you register your home or business security cameras with local law enforcement?

It's an interesting ask, really. On one hand, you're helping law enforcement in the event they need it. On the other hand, you're entrusting your registration data, or in some cases your video recordings and live feeds, to a third party.

This topic came up shortly before the segment was filmed.

Salted Hash received a press release from the Electronic Security Association (ESA): "ESA and Alarm.org Provide Tips for Consumers and Businesses Interested in Supporting Local Law Enforcement through Video Surveillance Registration"

The ESA exists to educate consumers and businesses about security technologies, including video surveillance. They also deal with intrusion, fire detection, and electronic access control.

"Every day there are countless news reports using footage from surveillance cameras to help detect, identify and apprehend suspected criminals. Video surveillance functionalities and security technologies used in both residential and commercial settings are continuously evolving. From facial recognition capabilities to auto-zoom and tracking, these features can go a long way in supporting local law enforcement investigations." - Angela White, president of the Electronic Security Association

The press release wasn't really clear on how the camera registration program works, which is why I speculate with Fahmida as to the scope and potential problems such programs could experience.

However, after the show, I did some digging and determined that in some cases the program isn't a central repository of footage, but a registry of details about the home or business and the types of cameras installed there.

But the City of Mobile Police Department in Mobile, AL is asking for direct access to the surveillance systems. In fact, according to promotional materials on the registration website, the agency says it has access to just over 5,000 video streams.

"If there is ever an alarming situation of crime or terrorist threat, the Cyber-Intelligence Unit would have access to specific camera feeds, thus giving the responding police officers information that could save lives," the program's outline states.

Compare this to the program in Maricopa, AZ, where the wording says that law enforcement will "be able to identify the locations of video surveillance systems and enlist the assistance of citizens to help us collect video evidence."

So, in Arizona, it isn't direct access, it's asking to see the footage. Quite different from the program in Alabama.

In Lafayette, IN, home or business owners who register their systems with the police get a sticker to display in their window, which lets law enforcement know that their cameras are registered.

Again, no direct or remote access, just a call asking to see footage. It's the same for the Oakland and San Jose police departments in California.

A full list of participating law enforcement agencies is available on Alarm.org.

Helping police solve crimes is the right thing to do. But it gets tricky when the program involves granting access to video recordings and live feeds.

While the expectation is that law enforcement would do everything in its power to protect registration data and any camera access granted, it isn't clear how the data is managed other than that it is in law enforcement's hands. Before registering, it is reasonable to ask the agency who can view the data or feeds, how that access is controlled and logged, how long registration details and any collected footage are retained, and how you can withdraw from the program.

If you're interested in registering your cameras, the links on Alarm.org will direct you to your local agency, or you can call its non-emergency line and inquire about such programs.
