> Anti-virus company Qihoo 360's Vice President Shi Xiaohong attributed the leak to companies neglecting to encrypt their users' passwords and account information, Xinhua reported. Legal experts told Caixin that the massive leak also revealed shortcomings in Chinese internet security law and online ID theft protections.
Bullshit. Complete and utter bullshit, in fact. Encryption/hashing are your last line of defense. They're what you hope hold strong when they've blasted through everything else. Not having them is not the issue, it's simply indicative of a lack of security knowledge and forethought in everything else; poorly written apps tend to lack things like proper password storage, but that doesn't mean that proper password storage makes your app properly written.
Now, I'm not saying that proper password storage or encrypting user data aren't very important things -- I argue strongly for them all the time -- but locking your front door is just as important as having a strong safe for your valuables. If I can walk right in with SQL injection, arbitrary file reads, command injections, and other fun vectors, then you're largely screwed regardless.
I don't know Mr. Shi, but I might make a similar comment. Allow me to explain why I think this is reasonable from my context of having spent more than a decade working in the China IT community.
There are many differences between a China Internet company and a U.S. one. One big difference is how heavily their leadership is weighted outside of the tech inner workings of the company. A second problem is the maturity of IT process management. Most Chinese programmers are serfs; lowly paid and no real voice. Managing the many security processes that a solid Internet site should be leveraging is several "business generations" away here in China.
Solving this one problem of storing passwords and handling auth correctly is attainable in the short term compared to the rest. The good news is the problem has already been solved and refined. In this context, it is not unreasonable requiring Internet sites that handle user auth to follow a very clean set of rules.
I completely agree. This is unforgivable -- it's so insanely easy to do this well (or even somewhere close to well, which is many, many orders of magnitude better than... doing nothing) that there's no reason it shouldn't be done. However, my issue is harping purely on this. It's arguing about why the vault didn't have any cameras when the door was left open.
Passwords? plain text? that makes no sense, if they were popular Chinese websites why in the world would they store plain text passwords? doesn't matter if it was on client side or server side.
Some rumors says these passwords were leaked from government. Back in 2009 Chinese government ask there sites to hand over users password. It explain everything, but still, rumors are rumors, no other evidence can prove it.
6 comments
[ 6.9 ms ] story [ 21.9 ms ] threadBullshit. Complete and utter bullshit, in fact. Encryption/hashing are your last line of defense. They're what you hope hold strong when they've blasted through everything else. Not having them is not the issue, it's simply indicative of a lack of security knowledge and forethought in everything else; poorly written apps tend to lack things like proper password storage, but that doesn't mean that proper password storage makes your app properly written.
Now, I'm not saying that proper password storage or encrypting user data aren't very important things -- I argue strongly for them all the time -- but locking your front door is just as important as having a strong safe for your valuables. If I can walk right in with SQL injection, arbitrary file reads, command injections, and other fun vectors, then you're largely screwed regardless.
There are many differences between a China Internet company and a U.S. one. One big difference is how heavily their leadership is weighted outside of the tech inner workings of the company. A second problem is the maturity of IT process management. Most Chinese programmers are serfs; lowly paid and no real voice. Managing the many security processes that a solid Internet site should be leveraging is several "business generations" away here in China.
Solving this one problem of storing passwords and handling auth correctly is attainable in the short term compared to the rest. The good news is the problem has already been solved and refined. In this context, it is not unreasonable requiring Internet sites that handle user auth to follow a very clean set of rules.
It pretty much shows they had no line of defense whatsoever. Password hashing is very easy. Even good, hard-to-crack, hashing is very easy.