[HN Gopher] Billion-record stolen Chinese database for sale on b...
___________________________________________________________________
Billion-record stolen Chinese database for sale on breach forum
Author : ellen364
Score : 258 points
Date : 2022-07-05 10:21 UTC (12 hours ago)
(HTM) web link (www.theregister.com)
(TXT) w3m dump (www.theregister.com)
| bell-cot wrote:
| Kinda interesting that _The Register_ does not even speculate
| about steps which China 's higher-level security services might
| take in response, to "memorably demonstrate their displeasure" at
| the theft. (A certain cynical attitude is usually part of _The
| Register_ 's stock-in-trade.)
| spoonfeeder006 wrote:
| This makes me really sad for all those people, especially the
| people advertised on the sample
| FollowingTheDao wrote:
| pedro2 wrote:
| And not receive those sweet dollars?
|
| I am sorry sir, I will not.
| noirbot wrote:
| Governments have been collecting (and poorly securing) this
| sort of information and more for most of recorded history. It's
| not to say that I like it, or would work for somewhere like
| Meta or the like, but plenty of these major data leaks have
| been from places that used to collect and store physical data
| bases of this stuff since before most of us were alive.
|
| I'm talking calmly about this because people have been
| screaming in my ear about it for 20 years, and I listened. And
| then I lived my life around the fact that this was going to be
| happening whether you scream yourself hoarse or not, at least
| for now.
| FollowingTheDao wrote:
| Agamus wrote:
| Five years! I've been screaming that for at least 15 years, and
| I'm pretty sure I'm a noob to the discussion.
| FollowingTheDao wrote:
| I am with you, I was just minimizing.
| r721 wrote:
| Karen Hao (WSJ): "I downloaded the sample the hacker provided and
| called dozens of people listed. Nine picked up & confirmed
| exactly what the data said."
|
| https://twitter.com/_KarenHao/status/1543949945614393344 (thread)
| guywithahat wrote:
| That WSJ article is so much better than the posted one, I mean
| what even is "the register"
| imron wrote:
| The home of snarky IT journalism since the first dotcom boom.
| neonate wrote:
| The WSJ article: https://www.wsj.com/articles/vast-cache-of-
| chinese-police-fi...
|
| https://archive.ph/02v3p
| twicetwice wrote:
| nitter link, since Twitter put up what seems to be a timed
| login gate when I was halfway through reading the thread:
| https://nitter.net/_KarenHao/status/1543949945614393344
| hackernewds wrote:
| The app download nags on mobile web are so unbearable I
| stopped using Twitter entirely
| l33tman wrote:
| Same with reddit on a mobile browser... it actually shuts
| you out, and says (after a couple of clicks) that they have
| locked you out "for your protection" as the content is
| "unverified", and that you need to use their app..
| BbzzbB wrote:
| I made a webapp home icon from my Firefox and picked out
| the app-bait popover with uBlock.
|
| Basically just about every app (YouTube, Reddit, Facebook,
| ...) is better this way. I.e., no ads, erase-able elements,
| less spyware, defaults to no notification and sometimes
| even gets better functionality. For instance, it (browsers)
| gets rid of "hearts" in Duolingo for whatever damn reason,
| so you can practice however much you'd like in a day.
|
| The downsides I've found is that you seemingly can't
| Chrome-cast from it, and it often creates new tabs instead
| of reusing existing ones or making it's own app-instance,
| so you gotta close all tabs every so often.
| black_puppydog wrote:
| Nitter is the only sane way to read twitter nowadays. Even if
| I still had an account it would be better for reading.
| moneywoes wrote:
| I keep getting timeouts from them interestingly
| khana wrote:
| dQw4w9WgXcQ wrote:
| Excellent, a fair trade for all the TikTok data Hoover-ing
| they've been doing on US citizens.
| neallindsay wrote:
| This has to be the largest leak of personal information yet,
| right?
| nicce wrote:
| Facebook leaked much more couple years ago. Somehow everyone
| has forget that.
|
| Some example news: https://www.privacyaffairs.com/facebook-
| data-sold-on-hacker-...
| jsnell wrote:
| That was not a data leak. It was a compilation of scraped,
| publicly available data.
| hansel_der wrote:
| private data was publicized without consent, a leak indeed.
| O__________O wrote:
| A lot of the press is saying it is, but unclear since "entries"
| is as vague as the "records" in this 1.2 billion leak:
|
| https://www.wired.com/story/billion-records-exposed-online/
|
| Appears this leak is a single dataset -- one I linked to is
| multiple datasets.
| mvdwoord wrote:
| What do we do now?
|
| It seems the majority of people on the planet now have had some
| of their data leaked. Or are becoming ever more entangled with
| government and corporate systems which control and peddle their
| information as they see fit.
|
| Is it ultimately a big nothing burger, or is this some
| singularity we are passing through?
| gonzo41 wrote:
| Covid is a good excuse to wear a mask, and pair it with a set
| of mirror sun glasses in public. Maybe that's how we live now.
| thomassmith65 wrote:
| We should probably consider a person's voice-print, too. To
| be safe, you need a mask with a real-time voice changer.
| nonrandomstring wrote:
| > What do we do now?
|
| I was thinking - if I had this, what could I do with the
| personal records of a billion Chinese people?
|
| And I must conclude - absolutely nothing. It's of no interest
| to me.
|
| Now, I probably lack sufficient criminal imagination, but the
| point is stuff like this is hard to fence because there's a
| very small market of buyers. In an article I wrote for
| Routledge about the markets for stolen digital data
| (specifically movie and album releases) I suggested that the
| underlying problem is there's symbiosis between leakers and
| buyers.
|
| If you want to do anything, _target the buyers_. There 's less
| of them. Don't try to secure inherently insecure massively
| centralised systems (Blotto + Dolev Yeo problem) . Or chase
| leakers. Or blame users. Or fire the CIO. Find out who _wants_
| this stuff and take down the show from the demand-side.
|
| But hold on! Guess who the buyers are. And guess what sincere
| will exists within "law enforcement" to tackle this sort of
| "cybercrime".
| vbezhenar wrote:
| After my data was leaked, now scammers periodically call my
| phone to let me know that "I'm from bank security and
| someone's recently tried to change phone number for your bank
| account" or "I'm from police and we're opening a criminal
| case against you". It was fun first few times, but now I'm
| considering changing my phone number because I could miss an
| actual bank security call.
|
| And I'm sure that plenty of gullible people were scammed and
| lost their money because of those leaks. When someone calls
| you, knows your full name and talks with enough confidence,
| it causes some trust.
| rz2k wrote:
| I suppose you could go the other direction. You could be an
| international human rights organization, and treat the
| database like a billion claim checks.
|
| Having a definitive record of people's existence would make
| it more difficult for the authorities to skimp on natural
| disaster rescue efforts then lie about casualty numbers,
| treat citizens as canon fodder for military purposes, or
| simply wipe out individuals who have grievances with the
| government or powerful functionaries.
| dc-programmer wrote:
| This type of information is used all of the time to discover
| and compromise web accounts of the victims in bulk. There are
| scripts that take in this data as input and will do a lot of
| the work for you to take over their accounts (or at least
| find their active accounts across web). Any additional data
| you are able to trawl can be sold itself, leaving the next
| steps to more advanced or motivated threat actors.
|
| It's also useful for more targeted social engineering
| attacks.
| gfd wrote:
| The previous big case I remember was linkedin leak with 700M
| users: https://news.ycombinator.com/item?id=27674393
|
| At this point I've basically accepted that all my info will be
| found on sites like fastpeoplesearch.com and that anything I
| tell any company (or I guess in this case, govt too) will
| eventually be leaked, correlated, and used against me.
| ge96 wrote:
| Wow that's bigger than Equifax
| AnimalMuppet wrote:
| LinkedIn doesn't have my Social Security number. It doesn't
| have a list of my bank accounts and credit cards. So, more
| people, but less damaging information.
| hackernewds wrote:
| Another nothingburger since these companies still exist.
| and profitably
| scandinavian wrote:
| The linkedin "leak" was just a scrape of public data.
| moneywoes wrote:
| Is there any word out how they managed to avoid linkedins
| relentless rate limiting? For example my account gets
| rate limited for normal browsing
| nikcub wrote:
| Likely hacked/purchased browser extensions
| the_biot wrote:
| What's fastpeoplesearch.com? Some search engine for leaked
| credentials? (it appears to be geoblocked in Europe)
| baud147258 wrote:
| I was able to connect from France, it's for people living
| in the US, look like you can search for people and there'd
| be aggregated information scrapped from god knows where. I
| checked a few (not really famous) people I knew of and it
| seems they have some accurate information.
| pyinstallwoes wrote:
| In history what have databases of people and state actor
| interests usually led to if any events are similar?
| MadsRC wrote:
| IIRC when Nazi Germany invaded Denmark in 1940, one of the
| first things the SS did was to send representatives to the
| local churches.
|
| In Denmark, every child was (I'm not sure if they still are
| actually?) registered at birth by the local parish in so
| called "church books".
|
| With these "databases" in hand, the SS had a neat list of all
| names, and the approximate location of peoples homes.
|
| Those lists were used to identify and prosecute jews.
| ricochet11 wrote:
| and ibm made machines to help do this as quickly as
| possible.
| black_puppydog wrote:
| There were also the "pink lists" tracking gay men [1] (link
| to German Wiki sorry) and which the nazis also greatly
| appreciated. Although to be fair^blunt they were collected
| exactly for reasons of prosecution, so not that far off
| from their use by the nazis.
|
| [1] https://de.m.wikipedia.org/wiki/Rosa_Liste
| Natfan wrote:
| "Fun" fact: It was IBM who helped tabulate data from the
| 1933 national census, which was then used to identify
| hundreds of thousands more Jews than would have been found
| by the Nazi party without their efforts.
|
| "Machine-tabulated census data greatly expanded the
| estimated number of Jews in Germany by identifying
| individuals with only one or a few Jewish ancestors.
| Previous estimates of 400,000 to 600,000 were abandoned for
| a new estimate of 2 million Jews."
|
| [0]: https://en.wikipedia.org/wiki/IBM_and_the_Holocaust
|
| [1]: https://en.wikipedia.org/wiki/History_of_IBM
|
| [2]: https://en.wikipedia.org/wiki/IBM_and_World_War_II
| chasd00 wrote:
| Did working with IBM contribute to Hitler's spiral into
| insanity? 4/5 joking
| jsiaajdsdaa wrote:
| Hey Siri, select * from all_humans where
| atLeastOneOverlap(schools_attended, art_schools) = true
| and atLeastOneOverlap(employers, list.of(ibm)) = true;
| mvdwoord wrote:
| And to add insult to injury, the IBM office in Munich
| (birthplace of national socialism), is located on 1
| Hollerithstrasse (Hollerith street).
|
| The IBM subsidiary in Nazi Germany selling and
| maintaining the tabulating machines was DeHoMag, Deutsche
| Hollerith Maschinen AG.
|
| ...
| daniel-cussen wrote:
| That's just the name of the founder, Herman Hollerith. He
| had nothing to do with any of that.
| TedDoesntTalk wrote:
| nit: the founder of IBM was Tom Watson Senior, not Herman
| Hollerith. But your point stands -- Hollerith had nothing
| to do with this.
| t_mann wrote:
| _Church_ books were used to find Jews? Do you have a source
| for that?
| samus wrote:
| Antisemitism was not really about religion. Many Jews had
| actually converted to Christianity for generations. The
| Nazis still considered them to be Jews.
| daniel-cussen wrote:
| Ahh...well there is the famous saying, "I decide who is a
| Jew." It was used on the head of the German Manhattan
| Project and a Jewish head (like a headmaster some shit)
| of a concentration camp, forget which one. And that's why
| we say "German Manhattan Project" stedda "Americaner
| Atomwaffenunternehmen" (I made that word up, it is
| correct in German to make words up, that means atom
| weapon undertaking), because German antisemitism amounted
| to forfeiting the bomb.
|
| That was the price, the defeat of their last hope against
| the Allies. All of the Great Jews that slapped those
| firecrackers together were exiled due to antisemitism:
| Fermi, Szilard, Einstein (to get the president to read
| the letter to get the Los Alamos show on the road in the
| first place, get Roosevelt to read top to bottom left to
| right, no easy task), von Neumann (spesh because of his
| schizophrenia, no concentration camp for him, he would
| have been experimented on to then do that same sin to
| everybody in the camps, Schizophrenic Jews were at the
| absolute bottom o the Nazi world order).
|
| I just posted about this.
| https://news.ycombinator.com/item?id=31990431
|
| Fermi was originally a fascist, it basically made sense
| to him as a way of organizing a country.
|
| Only non-Jew in the top desks of Los Alamos. Why? Only
| when the racial laws against his Jewish wife and children
| did he pack his shit and leave for America.
|
| And Fermi was packing heat.
| TedDoesntTalk wrote:
| You forgot some other Jewish scientists who emigrated to
| America because of Nazism, some of whom earned the Nobel
| and many of whom worked on the Manhattan Project
|
| Hans Bethe James Franck Edward Teller Rudolf Peierls
| Klaus Fuchs Otto Loewi Max Bergmann Dieter Gruen Lilli
| Hornig
|
| I also forgot many in this list.
| rejectfinite wrote:
| They where like the tax office before the tax office.
|
| Same in Sweden.
| meepmorp wrote:
| > Church books were used to find Jews?
|
| If you know who to rule out, you have a smaller pool of
| people to go after.
| TazeTSchnitzel wrote:
| It's not a religious thing: in Denmark, the church is the
| arm of the state tasked with civil registration. Until
| 1991 it was the same in Sweden.
| yellow5 wrote:
| mgdlbp wrote:
| IIRC there was a central registry of religion in the
| Netherlands that had the same effect. Can't find anything
| on that now, though (it's mentioned in Wikipedia in an
| unsourced paragraph; I think I first read about it on HN,
| actually).
|
| -----
|
| Tangent: the info pages on the Anne Frank House site have
| sections cycling through different pastel background
| colours.[0] I've wondered before whether something like
| that would the brain acquire context in a long page, making
| comprehension more like that of a physical book. Seeing it
| implemented, it doesn't seem to help. I think being able to
| easily flip to a previous page and back was one of the
| advantages of printed paper, so maybe a sticky TOC with the
| same colours or a minimap scrollbar would allow that?
| Actually, why not have that standard in browsers?
|
| Hmm, the concept of coloured sections was known in 2013
| already.[1]
|
| [0] https://www.annefrank.org/en/anne-frank/go-in-
| depth/netherla...
|
| [1] https://ux.stackexchange.com/questions/62808/website-
| layout-...
| jacquesm wrote:
| > IIRC there was a central registry of religion in the
| Netherlands that had the same effect.
|
| > I think I first read about it on HN, actually
|
| That may have been my article:
|
| https://jacquesmattheij.com/if-you-have-nothing-to-hide/
| pessimizer wrote:
| These days you'd just go to a data broker, who would also
| tell you what toothpaste they preferred and whether they
| managed to finish bingewatching The Sopranos.
| juanani wrote:
| shapefrog wrote:
| Spam and phishing calls.
| googlryas wrote:
| Not quite the same, but the US used census records that were
| supposed to be protected to round up the west coast japanese
| for their internment during WWII.
| AnimalMuppet wrote:
| They were "protected". That is, they didn't leak out of the
| government into private hands. But that still turned out
| pretty badly.
|
| In fact, information in the government's hands is the most
| dangerous, because they have more power than anyone else to
| use it against you.
|
| (On the other hand, as others have said about Denmark and
| Netherlands, data that was not in government hands _became_
| in government hands, and was used against people. So it 's
| not "safer" if it's in private hands, except to the degree
| that the government has to go through the extra step of
| getting it.)
| mvdwoord wrote:
| I would say, impossible to compare. Digital changes the cost
| of acting upon this information, for good or bad purposes.
|
| Obvious comparisons to e.g. the Netherlands' famous over-
| registering of religion and how the Nazis abused that. But I
| feel this is long term potentially worse than that. Not in
| the level of horribleness, but in the effect on society
| moving forward.
| pyinstallwoes wrote:
| Can you extrapolate that on what the effect on society
| looks like in your assessment?
| boomskats wrote:
| It is both. It is huge, I'd say it's absolutely the latter. but
| I can't think of a single thing anyone can do about any of it
| at this point, which also makes it the former.
| derwiki wrote:
| One thing I've thought about doing is using CCPA to have
| companies delete all my data, hopefully before it leaks.
| ev1 wrote:
| At several places I've seen they keep certain data such as
| phone, address, etc as a bullshit "business need" to
| "prevent abuse" and "prevent promo reuse" and keep forever
| even through CCPA.
|
| Also they keep the record of the delete request, which
| contains the PII you ask to remove.
| swader999 wrote:
| I just change my name every few years. Makes the job hunt
| difficult but I like a challenge.
| thriftwy wrote:
| A lot of data may be made public to equalize, similarly to how
| real estate property rights or car registries may be public.
| mvdwoord wrote:
| I would counter that, although it could, some groups will be
| able to evade it, effectively maintaining their
| advantage/power. Effectively averaging out the position of
| middle and lower classes, and lowering their chances of
| moving up the social ladder?
| thriftwy wrote:
| I'm not sure it would give such a large advantage compared
| to the cost of hiding
| stjohnswarts wrote:
| All you can do (in the USA) is freeze your credit and sign up
| for one of the free (or paid) credit monitoring services. That
| only protects you from financial ruin though. Not sure about
| people using your credentials to commit fraud, fake birth
| certificates, etc.
| carapace wrote:
| > What do we do now?
|
| Well, if you look at (global) society as a dynamical system it
| seems to me that there are two stable basins or attractors,
| call them "Star Trek" and "North Korea".
|
| In the "Star Trek" future the people in charge are themselves
| also subject to the panopticon, and the world is ruled fairly
| and humanely. (The other name I use for this is the "Tyranny of
| Mrs. Grundy".)
|
| In the "North Korea" future there are (human or AI or hybrid)
| masters and brain-chipped cyborg slaves, and rule is absolute
| and enforced with digital precision.
|
| (Of course, this is all predicated on the idea that we can't
| put the genie back in the bottle in re: ubiquitous
| surveillance. I think that's likely the case (although I do not
| like it) but I'm not going to make the argument here unless
| someone asks.)
|
| Given the above the thing to do is work to make politicians
| subject to 24/7 total surveillance (ASAP, before everybody
| else) so we can keep an eye on them. This policy would also
| presumably weed out the crazies and corrupt, eh?
| swader999 wrote:
| And CEO's - everyone!
| lagrange77 wrote:
| > Well, if you look at (global) society as a dynamical system
| it seems to me that there are two stable basins or
| attractors, call them "Star Trek" and "North Korea".
|
| Nice analogy. Do you really believe, that us being on an
| utopian trajectory is realistic?
| cm2012 wrote:
| Well, leak can mean a lot of things.
|
| The standard "leak" of names and addresses of people is totally
| meaningless, though HN "privacy" obsessives blow it out of the
| water all the time. It's basically public information, we used
| to have everyone in phone books in the US and almost no one
| cared.
|
| Cell phone number is a riskier one because of the opportunity
| for 2FA hacks. It's not hard to get people's cell phone numbers
| as it is (you can buy direct marketing lists for pennies per
| person in the US) but its not good to make it easy for hackers.
|
| However this leak in particular appears to go much deeper so it
| is insidious. Police records are named and who knows what else.
| That is a genuine privacy issue and sucks for those involved.
| maxbond wrote:
| Names and addresses can absolutely be used to stalk and
| harass people, and there are password reset flows that
| involve physically mailing secrets to people. Perhaps almost
| no one cared about phone books, but if you thought about the
| differences between phone books and a website for a moment,
| you'd see that these are different technologies that have
| different implications, and that it is entirely reasonable
| for people to have a different reaction.
|
| You've chosen some arbitrary amount of information where you
| begin to care and become interested, and decided everyone
| with a different cutoff is an absolutist you don't need to
| listen to. But it's really just that your situation permits
| you to leak that information without fear, and you haven't
| deigned to imagine that other people are in a different
| situation.
|
| I'd encourage you to rethink this perspective.
| charcircuit wrote:
| Names and addresses are already public information in the
| US. It's not that big of a deal.
| daniel-cussen wrote:
| himinlomax wrote:
| This is interesting, this could be a major blow to the Chinese
| dictatorship.
| upupandup wrote:
| i dont think so. Chinese citizens seems unable to fight back
| against the military. they have no access to guns, or mass
| riots will break CCP's will
|
| just look at north korea and cuba if you want to get a sense
| for how long these regimes last. USSR was an exception.
| hansel_der wrote:
| why?
| nonethewiser wrote:
| I am guessing he means that it highlights the incompetence or
| even just the consequences of centralizing power.
|
| Personally I don't expect this to bear true. Historically in
| China, government failures have been cited as evidence for
| further centralizing the power of the federal government. And
| this argument is bought hook-line-and-sinker by the people. I
| don't think that will change until there is serious economic
| hardship.
| throwaway4good wrote:
| Who would buy this?
|
| How could anyone possibly make money off this data set?
|
| I could understand if the Chinese government would pay for it to
| avoid embarrassment but making the sale public kinda voids that.
| pessimizer wrote:
| The US government might buy it to help them find good
| candidates to recruit as spies and saboteurs, or to note if
| current spies and saboteurs are under suspicion or have been
| discovered.
| AustinDev wrote:
| If the records are digital and non-air-gapped in any system
| of any country, you can assume that the US government has
| access to those records already. The exceptions to this
| assumption are exceedingly rare.
| alchemist1e9 wrote:
| As a US citizen I want to believe bravado like this but I'm
| guessing this is just your fantasy world talking not actual
| knowledge of the government being competent, which in my
| personal experience seems extremely unlikely.
| upupandup wrote:
| making money is not the motive for some. this database will be
| very useful going forward. imagine the leverage you could have
| over business dealings.
|
| some guys at the top of the game are probably already doing
| this and have figured out how to both insulate themselves and
| launder/hide data they horde.
| [deleted]
| SoylentYellow wrote:
| China has foreign call scams just like the US.
| hutzlibu wrote:
| "Who would buy this?"
|
| Foreign intelligence agencies for classic espionage. If you
| want to do blackmailing in china, such a DB would be a good
| start.
|
| Otherwise, data brokers. Advertisement, financial credibility,
| trustworthines of buisness partners etc.
| hansel_der wrote:
| rest assured that intelligence agencies have means of
| accessing police records in other nations.
|
| this data is only interesting to the low end of data brokers,
| advertisers and other scammers, hence the rather low price.
| throwaway4good wrote:
| I don't know how it works in China but where I am a person's
| criminal record is not public but not exactly private either.
| In the sense that an employer can ask for your criminal
| record and you have the choice giving a printout of it or not
| having your job. Making it kind of hard to see how the
| knowledge of a criminal record could be used to blackmail
| someeone.
|
| As for "data brokers. Advertisement, financial credibility,
| trustworthines of buisness partners etc.". Maybe. But these
| companies would turn themselves into criminals by using or
| purchasing this information.
| hutzlibu wrote:
| It is likely, that this DB contains more information, than
| what a formal printout gives.
|
| "But these companies would turn themselves into criminals
| by using or purchasing this information."
|
| Which is why they probably would not deal with the
| information gathering directly, but use a service of a data
| analyst company. When they do something illegal, nobody who
| contracted then did ever know anything. I think this game
| is played in china as well.
| tpaksoy wrote:
| Apparently there was a "blogpost" of a developer showing of their
| code, where they accidentally leaked access tokens in a piece of
| commented code: https://archive.ph/mP3bh
|
| This is completely unverified though, so take it with a grain of
| salt.
| thrdbndndn wrote:
| The consensus in Chinese community is while this is likely how
| the token got leaked, this alone isn't enough. To visit private
| Alibaba Cloud instance you can't just use some random IP. It's
| isolated from the Internet in certain way.
| bilekas wrote:
| It's incredibly disappointing actually how often this happens.
|
| I can't count the amount of SO questions I've had to edit from
| others posting live API Keys for everything from custom
| services to AWS.
| TecoAndJix wrote:
| I wonder if you could make a luhn-like check that would
| require an additional approval step to post if it comes back
| positive. Something like "It looks like you may be posting a
| secret *****. Do you wish to continue?
| jewel wrote:
| If vendors agreed to a common prefix on all secret key
| values then it'd be easy for everyone to add checks, to
| everything. Something like "_SECRET88_".
|
| Of course, then your secret key checker would need to build
| that string by concatenating so that it wouldn't set off
| itself.
| pitched wrote:
| How about scanning for any string with high entropy?
| Might be easier to get buy-in if we don't all have to
| bike-shed over what the prefix is.
| CoffeeOnWrite wrote:
| That's helpful but the token prefixes are also helpful.
| You might be interested in GitHub's reasoning at
| https://github.blog/2021-04-05-behind-githubs-new-
| authentica...
| zricethezav wrote:
| More and more providers have been adding unique prefixes
| to their tokens and access keys which makes detection
| much easier. Ex, GitLab adds `glpat-` to their PAT.
|
| A project I maintain, Gitleaks, can easily detect
| "unique" secrets and does a pretty good job at detecting
| "generic" secrets too. In this case, the generic gitleaks
| rule would have caught the secrets [1]. You can see the
| full rule definition here [2] and how the rule is
| constructed here [3].
|
| [1] https://regex101.com/r/CLg9TK/1
|
| [2] https://github.com/zricethezav/gitleaks/blob/master/c
| onfig/g...
|
| [3] https://github.com/zricethezav/gitleaks/blob/master/c
| md/gene...
| bilekas wrote:
| I was thinking about that too, but it's actually tricky,
| even the example given, they use the var `accessId` but you
| could filter for all that, even the standard ones, but you
| couldn't have enough confidence in it so that if someone
| did post with a typo or even a random var name, they would
| think "Okay, no warning so must be okay".
|
| Something like giving false confidence to the user. Not the
| best idea.
| swimfar wrote:
| When you do this is there a way to completely get rid of the
| information? Usually you can go back an look at the edit
| history to see the original post.
| aembleton wrote:
| Change the keys.
| capableweb wrote:
| Wouldn't matter. Tons of bots are scraping every inch of
| the internet all the time, and if something been online for
| five seconds, it has been cached/stored somewhere. Always
| assume that anything you've put up on the internet, can
| forever be accessed _by someone_.
|
| The only thing you can do is rotating the token/secret.
| teddyh wrote:
| http://www.threepanelsoul.com/comic/on-that-guy
| bilekas wrote:
| Yeah mods can clear the review history - for this very
| reason!
|
| But as mentioned below - Still advised to change your keys
| for obvious reasons
| truthwhisperer wrote:
| poor developer. He may spend this life at a "re-education camp"
| haasted wrote:
| Binance CEO confirmed this version:
| https://twitter.com/cz_binance/status/1543905416748359680
| throwaway787544 wrote:
| Starting today, this will be known as "Shanghai'd
| credentials" and be reason #1 why we use ephemeral
| credentials (e.g. AWS STS/SSO) rather than static credentials
| (e.g. IAM Users)
| throwaway2037 wrote:
| I never heard about "ephemeral credentials" before your
| post. I have some Googling to do!
| krageon wrote:
| It's essentially an access token with a very short expiry
| time.
| toomuchtodo wrote:
| The other term of art is "dynamic secrets."
|
| https://www.vaultproject.io/use-cases/dynamic-secrets
| 0des wrote:
| Good lookin out, thanks for the link
| stefan_ wrote:
| This is not at all the takeaway from this. It's "this
| shitty developer should not have had access to this data in
| the first place". With a nuance of "this database probably
| shouldn't exist in this form in one place to begin with".
| babelfish wrote:
| Let's not. After the whole "China Virus" shit propagated by
| the right, I'd prefer if we tried not to associate
| vulnerabilities with specific people.
| xfitm3 wrote:
| I don't believe this comment is made in good faith, there
| is nothing wrong with the "right" and it's senselessly
| adding fuel to our political division.
| malcolmgreaves wrote:
| There is something deeply wrong with the authoritarian
| politics of the right and its casual use of racism to
| further political control.
|
| > it's senselessly adding fuel to our political division.
|
| This comment, whether you realize it or not, is coming
| from a place of extreme social privilege.
|
| Remember that for the majority of people, politics is not
| a game. It is serious. People lose their rights to live
| the life they want all the time. Sometimes those politics
| turn violent and people lose everything.
| markdown wrote:
| It's not a new word.
|
| https://dictionary.cambridge.org/dictionary/english/shang
| hai...
|
| https://www.urbandictionary.com/define.php?term=Shanghaie
| d
| malcolmgreaves wrote:
| That's not an argument for continuing to use a word.
| markdown wrote:
| It is if the argument to stop using it is some irrelevant
| point about some other location-based word that was used
| negatively only recently.
|
| Something got shanghaied isn't a pejorative in the way
| that Trump acolytes use "China virus".
| malcolmgreaves wrote:
| > irrelevant point about some other location-based word
| that was used negatively only recently.
|
| Are you unaware of the Chinese Exclusion Act of 1882 --
| which is exactly around the time that this term was
| popular and in common use?
| markdown wrote:
| The correlation is coincidental. It has nothing to do
| with that. https://en.wikipedia.org/wiki/Shanghaiing
| bequanna wrote:
| compumike wrote:
| Doesn't the client still need to know a long-lived secret
| (or a long-lived refresh token) in order to generate the
| ephemeral credentials?
| toomuchtodo wrote:
| It can either use a secret injected into an env var to
| bootstrap rotating ephemeral/refresh tokens or use a role
| provided by the environment (which can also provide short
| lived tokens), depending on your runtime environment and
| use case (on prem, cloud, k8s, etc).
|
| Static, long lived secrets with limited governance that
| have no conditional access guards are weapons of mass
| self destruction.
| robonerd wrote:
| Keeping secrets in environmental variables has always
| seemed dodgy to me. Unless specifically cleared, they get
| inherited by all child processes. Maybe there are never
| any child processes in your application, or that could be
| desired behavior in some circumstances, but generally it
| seems like asking for trouble.
| RajT88 wrote:
| There's also the reverse issue - if they change after
| your process is started.
|
| Refreshing an environment variable that has changed is
| (for me) a line I won't cross. Time to write the app a
| different way, once that becomes a concern.
| toomuchtodo wrote:
| Its safety is proportional to your isolation model. Never
| use env vars for secrets when you're executing arbitrary
| code, for example.
| steelaz wrote:
| We got rid of all IAM users used by applications and
| moved to role-based access. Nowhere in the application do
| you need to enter AWS credentials. AWS SDK will attempt
| to discover short-lived credentials for you and will
| assume the role specified at the infrastructure layer,
| e.g. in a task definition.
| kbenson wrote:
| One of the major benefits of ephemeral tokens is that
| they become less attractive to put into the code, and
| more attractive to put in a config file/vault that's
| easier to update and keep secret. This in itself is
| useful because it makes it less likely that it will be in
| some source file someone shows, or pushed to some remote
| repo that at some point has permissions allowed so people
| can see it.
| FujiApple wrote:
| Yes, but credentials should either be long lived with
| (very) limited scope _or_ short lived with required
| scope.
|
| For example, for AWS you can create long lived
| credentials for users which are scoped to only allow one
| operation, namely obtaining a short lived token (with the
| aid of a hardware token such as a Yubikey) with scope to
| perform other operations.
|
| AWS guide here:
| https://aws.amazon.com/blogs/security/enhance-
| programmatic-a...
| thedougd wrote:
| You may also setup federated (trusted) relationships. For
| example, a GitHub Workflow can be trusted to assume an
| IAM role. In that scenario, there's no long lived secret
| in scope.
|
| The oidc subject includes the GitHub org, repo, branch,
| and environment for the IAM assume role policy to match
| or filter.
| jffry wrote:
| For my dev machine's interactions with AWS, I use
| https://github.com/99designs/aws-vault
|
| You add the long lived IAM user API key/secret to it and
| it stores it in a password protected storage (MacOS
| keychain or similar).
|
| Then you invoke aws-vault with an IAM role and command,
| and it will handle obtaining short-lived credentials
| scoped to that role (including TOTP 2-factor code auth),
| and then run the command with those temporary credentials
| as env vars.
|
| With the right AWS permissions on your user, it can also
| automatically rotate the IAM user API keys for you.
| rad_gruchalski wrote:
| I like your approach. So far I used profiles extensively.
| AWS_PROFILE is your friend. No idea why AWS doesn't
| heavily promote this everywhere they can.
| 72736379 wrote:
| This is less a confirmation but more of a "piggybacking".
| zricethezav wrote:
| Assuming this unverified version of the story is true, the
| danger of accidentally leaking credentials in code is enormous
| and one of the reasons I continue to maintain and develop
| gitleaks. Those credentials[1] would have been caught by the
| gitleaks' generic rule [2]
|
| [1] https://regex101.com/r/CLg9TK/1
|
| [2]
| https://github.com/zricethezav/gitleaks/blob/master/config/g...
| alias_neo wrote:
| How were the words selected for the regex? It's interesting
| that "pass" is not there and breaks detection in your first
| link, but I assume they were chosen based on the statistics?
|
| Is it covered by a different rule perhaps?
| cm2187 wrote:
| > _This database contains many TB of data and information on
| Billions of Chinese citizens_
|
| how many billions?
| _Algernon_ wrote:
| I'd assume between 1 and 1.402
| dang wrote:
| Related:
|
| _Hacker claims they stole police data on a billion Chinese
| citizens_ - https://news.ycombinator.com/item?id=31984663 - July
| 2022 (1 comment)
|
| _Hacker claims to have obtained data on 1B Chinese citizens_ -
| https://news.ycombinator.com/item?id=31980101 - July 2022 (1
| comment)
|
| _Hacker claims to have stolen 1 bln records of Chinese citizens
| from police_ - https://news.ycombinator.com/item?id=31977354 -
| July 2022 (1 comment)
|
| _Police data of 1B Chinese people leaked_ -
| https://news.ycombinator.com/item?id=31969617 - July 2022 (4
| comments)
|
| _Shanghai Police leaking 20TB Chinese citizens data?_ -
| https://news.ycombinator.com/item?id=31962526 - July 2022 (3
| comments)
| freewizard wrote:
| Thanks for reposting this. The last link submitted by me only
| got 3 upvotes. Guess it sounded just too crazy to be true 2
| days ago!
| dang wrote:
| There's just a lot of randomness in what gets
| attention/traction off /newest. That's why HN doesn't try to
| prevent reposts of stories that haven't had significant
| attention yet.
|
| It sucks when you're earlier and don't 'win', but it evens
| out in the long run if you post lots of good stories, since
| sometimes the lottery works in your favor. One of these years
| we'll get around to implementing karma-sharing to spread
| credit across multiple submitters.
| silentsea90 wrote:
| What's the point of "winning" if everything is made up and
| the points don't matter?
| hrgiger wrote:
| Well I imagine cloud sales teams reaching out haveibeenpwned with
| attractive storage offers
| nonethewiser wrote:
| Ultimately the fault lies in the police and government for having
| this data.
| markus_zhang wrote:
| "Looks genuine" from my Chinese friends. Also this might be
| leaked through a hardcoded token in some code posted on CSDN
| (sort of blog for programmers).
| luke-stanley wrote:
| In 2018 I saw a local branch office were using Windows XP and an
| old Internet Explorer. You cannot expect that to be secure. This
| does not surprise me at all.
| JamesSwift wrote:
| A lot of those are actually pirated/modified installs of
| Windows. I think its called Tomato Windows or something like
| that? I forget, but its incredibly prevalent in China.
| baybal2 wrote:
| Surprise, it's 2022, and XP is still a de-facto standard
| Windows version, with hacked Win7 slowly gaining.
|
| Why? Tons of Software was written for XP, and then abandoned
| without any support. Many of that stuff in the government
| sector. A lot of online banking clients outright say "only
| works on XP," and copyright years reads 2006.
|
| This is similar how Android 7+ support was almost nuked in
| China for nearly a year because Tencent didn't want to port
| Wechat to newer APIs cuz "nobody uses Android newer than 4.X in
| China"
| ceeplusplus wrote:
| That was not why they refused to port it to newer APIs
| though. It was because Google changed the permissions API to
| be more granular and request permissions at runtime, which
| would have meant Tencent would have to request tons of
| permissions to gather user data (presumably users would not
| be inclined to grant so many permissions).
| Haemm0r wrote:
| XP is very common on airports in China too.
| dontbenebby wrote:
| it's in US ones too, it's an industry wide issue in the
| aviation sector, don't hack the airport, people will come for
| you and if you are lucky they will be carrying badges
| anewpersonality wrote:
| Whatever happened with the Gatwick drone?
| contingencies wrote:
| Anyone care to compose a classical Chinese poem featuring Yun
| (cloud)?
| freewizard wrote:
| - 10 BTC sounds a lot but it's peanuts for such large data sets.
|
| - 750k row of sample data is large enough for a leak by itself,
| many on reddit/twitter/fediverse have already started to explore
| the data set for gender ratio, age composition and frequency of
| raping cases, etc.
| rejectfinite wrote:
| >many on reddit/twitter/fediverse have already started to
| explore the data set for gender ratio, age composition and
| frequency of raping cases, etc.
|
| Any links?
| keewee7 wrote:
| The Shanghai police has a unique role in China and abroad. For
| example the Shanghai police is tasked with spreading pro-CCP
| propaganda globally on platforms like twitter and Facebook.
|
| There was an HN post about this a few months ago:
|
| https://news.ycombinator.com/item?id=29654137
|
| Someone posted a comment explaining a little more about
| Shanghai's special relationship with the CCP/PLA:
|
| >Shanghai is a city with a unique role in the progression of the
| CCP and its global efforts. Also PLA Unit 61398 is in Pudong, the
| shanghai district mentioned in the article. Overall there's a lot
| of CCP/PLA-adjacent tech talent in the area, and of course the
| local police still ultimately report to the CCP.
|
| https://news.ycombinator.com/item?id=29656017
| WilTimSon wrote:
| So I'm guessing that database would have quite a few activists
| listed in it and other anti-government people. Might even give
| someone a much-needed warning if they find themselves there.
| dontbenebby wrote:
| drexlspivey wrote:
| It's obviously a database of all Chinese citizens so yes
| those people are included alongside everyone else
| stjohnswarts wrote:
| I was having this exact conversation with a friend last
| night. Give them warning, especially people in Hong Kong.
| nonethewiser wrote:
| People didn't think Shanghai was open so that the world could
| come IN to China, did they? It's about the opposite direction.
| hintymad wrote:
| The leaked screenshot of the data's metadata looks like the
| output of Elasticsearch's /_cat command. Someone probably left
| the port 9200 open to the public, or stored the index on a public
| cloud but somehow leaked its keys either on github-like service
| or in some discussion forum -- a typical mistake that engineers
| make.
| flatiron wrote:
| https://www.alibabacloud.com/product/datahub is what they were
| using, and yeah their keys were in a commented out psvm tester
| method. pretty awful
| pedro2 wrote:
| Is it 1 billion in long scale or small scale?
| sgjohnson wrote:
| Why would it be in long scale? Is long scale even used in
| english at all?
| pedro2 wrote:
| It was a joke. But it made me realize, thanks to the comment
| above, that Earth's population is around 8 thousand millions,
| and not 8 billion as I'd come to believe.
| bitdivision wrote:
| For anyone wondering what that is, English uses short-scale,
| i.e. 1 billion = 1000 million, some other languages / countries
| use long-scale i.e. 1 billion = 1 million million.
|
| https://en.wikipedia.org/wiki/Long_and_short_scales
| [deleted]
| ginko wrote:
| Last I checked there weren't 10^12 people living on earth just
| yet.
| pedro2 wrote:
| I honestly didn't know that.
|
| One gets used to short scale on the Internet.
| hansel_der wrote:
| it's about 1MMM
___________________________________________________________________
(page generated 2022-07-05 23:00 UTC)