cn:about:start

Differences

This shows you the differences between two versions of the page.

cn:about:start [2018/05/15 00:37]
chinger1313 [Data Leakage]
cn:about:start [2018/05/15 00:44] (current)
chinger1313 [Conclusion]
Line 26: Line 26:
   * DJI使用开源软件组件而不承认作者的贡献,并且不遵守GPL许可条件。除了不合法之外,使用别人的工作而不相信它,或遵守他们的许可条件是不道德的。更新:25- 8 -2017 - DJI提供了一个链接到一个开源下载页面。目前还不知道这是不是所有的开源代码,但这是DJI的一个非常积极的步骤。我们正在寻求DJI的官方声明,如果他们愿意发表一些关于这个话题的东西。*    * DJI使用开源软件组件而不承认作者的贡献,并且不遵守GPL许可条件。除了不合法之外,使用别人的工作而不相信它,或遵守他们的许可条件是不道德的。更新:25- 8 -2017 - DJI提供了一个链接到一个开源下载页面。目前还不知道这是不是所有的开源代码,但这是DJI的一个非常积极的步骤。我们正在寻求DJI的官方声明,如果他们愿意发表一些关于这个话题的东西。* 
 到目前为止,根据分析,已经确定比先前披露的更多的信息正在对外传播。7)DJI已经同意创建一个离线的mode.8,但是DJI并没有公开在离线模式下发送的数据。离线模式被认为是非常积极的一步。DJI在非脱机模式下对通信的进一步评论将极大地帮助DJI客户恢复信任。DJI已经删除了iOS和Tinker的热补丁插件jsPatch,并将检查DJI GO和DJI GO 4的其他第三方插件和服务,并承诺在采取这些插件之前对任何新的第三方插件进行彻底的调查,以应对这里提出的安全问题。 到目前为止,根据分析,已经确定比先前披露的更多的信息正在对外传播。7)DJI已经同意创建一个离线的mode.8,但是DJI并没有公开在离线模式下发送的数据。离线模式被认为是非常积极的一步。DJI在非脱机模式下对通信的进一步评论将极大地帮助DJI客户恢复信任。DJI已经删除了iOS和Tinker的热补丁插件jsPatch,并将检查DJI GO和DJI GO 4的其他第三方插件和服务,并承诺在采取这些插件之前对任何新的第三方插件进行彻底的调查,以应对这里提出的安全问题。
 +
 ===== Data Leakage ===== ===== Data Leakage =====
   * Based on analysis so far, it has been determined that more information than has been previously disclosed is being transmitted externally. ((A video of network chatter from just opening DJI GO 4 is published  [[faq:dataleakage:chatter|here]])) ((Details of network traffic displayed visually when opening DJI GO here [[https://youtu.be/cuG-nVPQ3Dw|Youtube]]))   * Based on analysis so far, it has been determined that more information than has been previously disclosed is being transmitted externally. ((A video of network chatter from just opening DJI GO 4 is published  [[faq:dataleakage:chatter|here]])) ((Details of network traffic displayed visually when opening DJI GO here [[https://youtu.be/cuG-nVPQ3Dw|Youtube]]))
   * DJI have agreed to create an offline mode.((China drone maker steps up security after U.S. Army ban [[https://ca.reuters.com/article/technologyNews/idCAKCN1AU294-OCATC|Reuters]])) However, DJI have not disclosed what data is sent when not in offline mode.   * DJI have agreed to create an offline mode.((China drone maker steps up security after U.S. Army ban [[https://ca.reuters.com/article/technologyNews/idCAKCN1AU294-OCATC|Reuters]])) However, DJI have not disclosed what data is sent when not in offline mode.
   * **Offline mode is seen as a very positive step. Further comments by DJI on communications in flight when not in offline mode would greatly help to restore trust by DJI clients.**   * **Offline mode is seen as a very positive step. Further comments by DJI on communications in flight when not in offline mode would greatly help to restore trust by DJI clients.**
-  * **DJI have [[http://www.dji.com/newsroom/news/dji-enhances-software-security-in-its-flight-control-apps|removed “hot-patching” plugins jsPatch for iOS and Tinker for Android, and will examine other third-party plugins and services in DJI GO and DJI GO 4, and is committed to thoroughly investigating any new third-party plugins before adopting them]] in response to security concerns raised here.**+  * **DJI have [[http://www.dji.com/newsroom/news/dji-enhances-software-security-in-its-flight-control-apps|removed “hot-patching” plugins jsPatch for iOS and Tinker for Android, and will examine other third-party plugins and services in DJI GO and DJI GO 4, and is committed to thoroughly investigating any new third-party plugins before adopting them]] in response to security concerns raised here.**到目前为止,根据分析,已经确定比先前披露的更多的信息正在对外传播。7)DJI已经同意创建一个离线的mode.8,但是DJI并没有公开在离线模式下发送的数据。离线模式被认为是非常积极的一步。DJI在非脱机模式下对通信的进一步评论将极大地帮助DJI客户恢复信任。DJI已经删除了iOS和Tinker的热补丁插件jsPatch,并将检查DJI GO和DJI GO 4的其他第三方插件和服务,并承诺在采取这些插件之前对任何新的第三方插件进行彻底的调查,以应对这里提出的安全问题。
 ===== Back Doors ===== ===== Back Doors =====
   * It has been found that the DJI GO application for both Android and IOS have back-doors allowing DJI to "hot patch" applications in a manner that breaches the rules imposed on DJI by both Google and Apple. ((Drone-maker DJI's Go app contains naughty Javascript hot-patching framework[[http://www.theregister.co.uk/2017/08/15/dji_go_app_jspatch_tinker_silent_update_no_review/|Theregister]]))   * It has been found that the DJI GO application for both Android and IOS have back-doors allowing DJI to "hot patch" applications in a manner that breaches the rules imposed on DJI by both Google and Apple. ((Drone-maker DJI's Go app contains naughty Javascript hot-patching framework[[http://www.theregister.co.uk/2017/08/15/dji_go_app_jspatch_tinker_silent_update_no_review/|Theregister]]))
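Review bot: the new revision of the last Data Leakage bullet appends the Chinese translation of the whole section directly onto the English bolded bullet (right after `in response to security concerns raised here.**`), while the same translated paragraph already sits as unchanged text immediately above the `===== Data Leakage =====` heading, so the section now carries the translation twice; keep one copy, placed under the heading as its own bullets mirroring the four English ones. The translation also inverts the second bullet: `但是DJI并没有公开在离线模式下发送的数据` says DJI has not disclosed what is sent in offline mode, whereas the English says `when not in offline mode`, so 非 is missing before 离线模式. Finally, the rendered footnote numbers `7)` and `8)` are carried over as literal text (`DJI已经同意创建一个离线的mode.8`, with `mode` left untranslated) instead of the `((...))` footnotes the English bullets use, so the video and Reuters references are lost in the Chinese version.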
Line 38: Line 39:
   * While not technically a back-door, being forced into firmware changes is a concern. An alternate approach might be to guarantee that there are at least two firmware versions available for all products, so that in the event of concerns that are believed to be firmware related, that a pilot will at least have the chance to eliminate firmware as the root cause by downgrading to a different firmware level.   * While not technically a back-door, being forced into firmware changes is a concern. An alternate approach might be to guarantee that there are at least two firmware versions available for all products, so that in the event of concerns that are believed to be firmware related, that a pilot will at least have the chance to eliminate firmware as the root cause by downgrading to a different firmware level.
   * From a change management and risk mitigation perspective, providing no downgrade options at all is a safety hazard.   * From a change management and risk mitigation perspective, providing no downgrade options at all is a safety hazard.
 +  * 人们已经发现,收去申请Android和IOS后门让收热补丁应用程序的方式违反了规则对谷歌和苹果都收。9)热修补的实践本质上允许收完全改变收的功能应用程序没有一个试点的知识或同意。将其置于不同的背景下,热补丁就相当于一架飞机的航空电子软件完全取代了中段飞行。在这一点上,DJI一直信守诺言。到目前为止,分析确认了从最近的DJI更新中移除JSPatch和Tinker。虽然从技术上讲不是后门,但被强制转换成固件是令人担忧的。另一种方法可能是保证至少有两个固件版本的所有产品,所以在担心被认为是固件相关,飞行员将至少有机会消除根源的固件降级到不同的固件级别。从变更管理和风险缓解的角度来看,不提供降级选项是一种安全隐患。
 ===== Censorship ===== ===== Censorship =====
   * In DJI forums, it is against the rules to criticise DJI, or to talk about reverse engineering of DJI software. ((Threads  and posts arguing about company policies are not allowed, No content promoting the unauthorized modification.[[http://forum.dji.com/forum.php?mod=redirect&goto=findpost&ptid=71515&pid=623185&fromuid=836559|Forum Rules]]))   * In DJI forums, it is against the rules to criticise DJI, or to talk about reverse engineering of DJI software. ((Threads  and posts arguing about company policies are not allowed, No content promoting the unauthorized modification.[[http://forum.dji.com/forum.php?mod=redirect&goto=findpost&ptid=71515&pid=623185&fromuid=836559|Forum Rules]]))
   * In third party forums sponsored by DJI, similar censorship is taking place for those that discuss topics that are not endorsed by DJI.   * In third party forums sponsored by DJI, similar censorship is taking place for those that discuss topics that are not endorsed by DJI.
   * **DJI have recently removed their "NO UNAUTH MODIFICATIONS" warning in the forums. However, the policy has not changed. Lets hope DJI can continue in this direction, and review their forum rules to encourage a user community, instead of oppressing it.**   * **DJI have recently removed their "NO UNAUTH MODIFICATIONS" warning in the forums. However, the policy has not changed. Lets hope DJI can continue in this direction, and review their forum rules to encourage a user community, instead of oppressing it.**
 +  * 在DJI论坛中,批评DJI或讨论DJI软件的逆向工程是违反规则的。10)在DJI赞助的第三方论坛中,类似的审查正在为那些讨论不被DJI认可的话题进行。DJI最近在论坛上删除了他们的NO UNAUTH修改警告。然而,该政策并未改变。让我们希望DJI能够继续这个方向,并回顾他们的论坛规则,鼓励用户社区,而不是压迫它。
 ===== Safety ===== ===== Safety =====
   * DJI has recently rushing out multiple updates and patches to prevent reverse engineering.   * DJI has recently rushing out multiple updates and patches to prevent reverse engineering.
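Review bot: the added Back Doors bullet replaces `DJI` with the stray character `收` throughout its first sentence (`收去申请Android和IOS后门让收热补丁应用程序的方式违反了规则对谷歌和苹果都收`), which makes it unreadable, and renders "pilot" as `试点` (a pilot project) rather than the 飞行员 used later in the same line; `被强制转换成固件` likewise reads as "forced to be converted into firmware" rather than "forced into firmware changes". Re-translate the first sentence from the English bullet `It has been found that the DJI GO application for both Android and IOS have back-doors ...` and split the line into one bullet per English bullet so the two columns stay aligned. The rendered footnote number `9)` is also kept as literal text instead of a `((...))` footnote pointing at the Register article.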
Line 47: Line 50:
   * Mobile phone manufacturers have failed to win a "war of attrition" with the jailbreak community.   * Mobile phone manufacturers have failed to win a "war of attrition" with the jailbreak community.
   * Safety will be the loser in the war between DJI and the community.   * Safety will be the loser in the war between DJI and the community.
 +  * DJI最近已经推出了多个更新和补丁,以防止逆向工程。这些拙劣的改变给许多飞行员造成了不稳定的飞行。12)手机制造商未能赢得与越狱社区的磨擦之战。在DJI和社区之间的战争中,安全将是输家。
 ====== Position ====== ====== Position ======
   * **Control**: We believe that DJI does not have jurisdiction to decide where and how pilots fly their aircraft. Local regulators have authority through their laws. DJI systems should not impose mandatory lockouts of aircraft, unless doing so is mandated by the laws of a country where DJI products are being used.   * **Control**: We believe that DJI does not have jurisdiction to decide where and how pilots fly their aircraft. Local regulators have authority through their laws. DJI systems should not impose mandatory lockouts of aircraft, unless doing so is mandated by the laws of a country where DJI products are being used.
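Review bot: in the added Safety bullet, `磨擦之战` for "war of attrition" reads as "war of friction"; 消耗战 is the usual rendering. The line also keeps the rendered footnote number `12)` as literal text rather than a `((...))` footnote, and merges the section's separate English bullets into a single bullet; split it one bullet per English bullet as the other sections do.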
Line 54: Line 58:
   * **Censorship**: We believe that censorship in DJI forums and other DJI sponsored forums is ultimately harmful to DJI and the community. Listening and responding to customer grievances and concerns can only result in a better product that meet the needs of DJI customers.   * **Censorship**: We believe that censorship in DJI forums and other DJI sponsored forums is ultimately harmful to DJI and the community. Listening and responding to customer grievances and concerns can only result in a better product that meet the needs of DJI customers.
   * **Safety**: We believe that the loser in the arms race with rapidly released patches will be safety. We believe that the best approach is to be collaborative and open in future development, which will allow the community to peer review proposed changes and find problems before they cause safety issues.   * **Safety**: We believe that the loser in the arms race with rapidly released patches will be safety. We believe that the best approach is to be collaborative and open in future development, which will allow the community to peer review proposed changes and find problems before they cause safety issues.
 +  * 控制:我们认为DJI没有管辖权来决定飞行员驾驶飞机的地点和方式。地方监管机构通过法律拥有权威。DJI系统不应该强制强制关闭飞机,除非在使用DJI产品的国家的法律强制执行。plag:我们认为使用开源代码而不使用代码并遵守许可条件是不道德的。数据泄漏:我们认为飞机控制系统需要专注于飞行器的飞行过程,外部连通性被最小化,使得应用程序没有潜在的安全、隐私和稳定性问题。任何剩余的网络流量应该公开记录,以帮助恢复社区信任。后门:我们认为飞机控制系统应该没有任何后门,允许在没有驾驶员知情或同意的情况下修改这些系统的功能,包括强制更新。审查:我们认为DJI论坛和其他DJI赞助论坛的审查最终对DJI和社区是有害的。倾听和回应客户的不满和担忧只会导致更好的产品满足DJI客户的需求。安全:我们相信,在军备竞赛中,那些迅速发布补丁的失败者将是安全的。我们认为,最好的方法是在未来的开发中进行协作和开放,这将使社区能够在产生安全问题之前,对所提出的更改进行同行评审并发现问题。
 ====== Conclusion ====== ====== Conclusion ======
  
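Review bot: the added Position bullet inverts the Safety claim: `那些迅速发布补丁的失败者将是安全的` says the losers will be safe, whereas the English in this hunk states `the loser in the arms race with rapidly released patches will be safety`; it should say the loser will be safety itself (安全将是输家, as the Safety section above already puts it). The Plagiarism heading survives only as the untranslated fragment `plag:`, and its sentence `使用开源代码而不使用代码` (using open-source code without using code) is self-contradictory; `强制强制` in the Control sentence doubles the word. Suggest one bolded bullet per heading (`**控制**:`, `**剽窃**:`, `**数据泄漏**:`, ...) to mirror the `**Control**:` / `**Censorship**:` / `**Safety**:` layout of the English bullets rather than one run-on line.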
Line 62: Line 67:
 Long Live the Original Gangsters Long Live the Original Gangsters
  
 +公平地说,这整个社区是由于缺乏对DJI的信任而开始的。我们已经声明了我们的立场。我们希望DJI能够倾听社区的意见,并以一种有利于DJI和它的客户的方式做出回应。在这一页的开头,它谈到了我们是谁。它还说,为什么要在页面底部回答这个问题。现在让我们信守诺言。这就是为什么最终会缺乏信任。已经有个别研究人员对DJI产品感兴趣。DJI所做的决定,是把一个更大的群体聚集在一起的,他们的目标是陈述一个共同的案例,希望DJI能够以积极的态度回应我们的请求。原匪徒万岁!
 ====== The OG's (Original Gangsters) ====== ====== The OG's (Original Gangsters) ======
  
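Review bot: the added Conclusion paragraph renders `Long Live the Original Gangsters` as `原匪徒万岁` ("original bandits"), which drops the self-applied nickname that the next heading, `The OG's (Original Gangsters)`, keeps in English; keep `OG` untranslated or use the same gloss in both places. The run `在这一页的开头,它谈到了我们是谁。它还说,为什么要在页面底部回答这个问题。现在让我们信守诺言。` is a word-by-word rendering that turns "why, answered at the bottom of the page" into a question and should be re-phrased as connected sentences.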
cn/about/start.1526344637.txt.gz · Last modified: 2018/05/15 00:37 by chinger1313