Tell HN: Whole Yandex Git repository leaked
Affected services:
aapi.tar.bz2 admins.tar.bz2 ads.tar.bz2 alice.tar.bz2 analytics.tar.bz2 antiadblock.tar.bz2 antirobot.tar.bz2 autocheck.tar.bz2 balancer.tar.bz2 billing.tar.bz2 bindings.tar.bz2 captcha.tar.bz2 cdn.tar.bz2 certs.tar.bz2 ci.tar.bz2 classifieds.tar.bz2 client_analytics.tar.bz2 client_method.tar.bz2 cloud.tar.bz2 commerce.tar.bz2 connect.tar.bz2 crm.tar.bz2 crypta.tar.bz2 customer_service.tar.bz2 datacloud.tar.bz2 delivery.tar.bz2 direct.tar.bz2 disk.tar.bz2 docs.tar.bz2 drive.tar.bz2 extsearch.tar.bz2 fuzzing.tar.bz2 gencfg.tar.bz2 groups.tar.bz2 helpdesk.tar.bz2 infra.tar.bz2 intranet.tar.bz2 investors.tar.bz2 it-office.tar.bz2 jupytercloud.tar.bz2 kernel.tar.bz2 library.tar.bz2 load.tar.bz2 mail.tar.bz2 maps.tar.bz2 maps_2.tar.bz2 maps_adv.tar.bz2 market.tar.bz2 metrika.tar.bz2 mobile-WARNING-notfull.tar.bz2 nginx.tar.bz2 noc.tar.bz2 partner.tar.bz2 passport.tar.bz2 pay.tar.bz2 payplatform.tar.bz2 paysys.tar.bz2 portal.tar.bz2 robot.tar.bz2 rt-research.tar.bz2 saas.tar.bz2 sandbox.tar.bz2 search.tar.bz2 security.tar.bz2 skynet.tar.bz2 smart_devices.tar.bz2 smarttv.tar.bz2 solomon.tar.bz2 stocks.tar.bz2 tasklet.tar.bz2 taxi.tar.bz2 tools.tar.bz2 travel.tar.bz2 wmconsole.tar.bz2 yandex_io.tar.bz2 yandex360.tar.bz2 yaphone.tar.bz2 yawe.tar.bz2 frontend.tar.bz2
368 comments
[ 5.2 ms ] story [ 329 ms ] threadIt's not a revenge of the the regime. A decade ago it was a different company, now they all are completely under the cap of FSB, it's basically a Lubyanka filial. It's serfdom all over again, not that strange it got leaked by some unhappy employee.
https://techcrunch.com/2022/09/12/yandex-news-zen-vk-sale-co...
I remember some sources that they've sold ALL their media services, and the INTL is only left with services like taxi and delivery.
There are shitheads everywhere.
Sadly, Yandex is not a neutral company and is just another weapon in Putin's hands.
[1]: https://misinforeview.hks.harvard.edu/article/a-story-of-non...
[2]: https://t.me/AlekseiKudrin/48
Archive links:
https://archive.today/h5XJs
https://web.archive.org/web/20230125224316/https://breached....
https://i.imgur.com/rxYINhF.png
Yandex source is cool. But there are a lot of leaks with people private data
The US authorities move mountains for TornadoCash, Z-Library, etc... why leave this one?
Nobody is moving mountains for those, what makes you think that?
https://raidforums.com/
It's a cat-and-mouse game that will likely never end.
This was the easiest way to disrupt a whole datacenter for those who had enough privileges, I did it at least once. Also several times unnoticed bugs in my code shut down literally everything for noticeable periods of time. I've been developing the search orchestration system.
Also the company always avoided any use of external contractors.
I've heard things like "we should grow up and use English".
They wanted to be an "elite" in contrast with russian-speaking "peasants".
The rational decision to use English was often motivated irrationally and was not about switching keyboard layouts. There were numerous discussions on the subject.
That is hard to analyze, I'm not a psychologist.
Russian developers with little or no experience in international environment often suck even at naming things in proper English, especially methods/functions. How many times have I seen grammar errors in APIs? But some of those guys are really great engineers who just aren't that much into spoken languages. Some of them aren't great writers even in Russian.
Yes, sometimes the source they write will certainly insult someone else's sense of beauty. But is there anything we can do about it? We can do something but still some people just aren't good at languages. I think we should just accept that it and stop worrying. And those whose sense of beauty is being insulted should think why they choose to use their knowledge and abilities as a weapon against their teammates or as a decoration to create a false sense of superiority. Pretty sure many of them do this out of their inner insecurity or because of attachment (unhealthy perfectionism, insulted sense of beauty).
Also I think that projectional (structural) editors may change this situation or at least give us some insights on how natural languages affect the way we structure our software.
And if it's going to be half-English either way, might as well just do it all in English. If nothing else, it saves time switching keyboard layouts.
Also he gave me his copy of Stephenson's Snow Crash. When I complained that it was so hard to read he answered that for him reading Lermontov is also a struggle. What a guy!
So if I read at random this in English: https://www.poetryfoundation.org/poems/43844/she-walks-in-be... and this in French: https://fr.wikisource.org/wiki/Les_Contemplations/R%C3%A9pon... , I can feel a mysterious beauty in English maybe I can't feel in a French poem, while the French one explodes in meaning, makes me think more than contemplate.
Rhymes are like a little funny exercise in poetry to add some music, but really far from the goal, or so I hope. I feel it's one of the many inputs: you have the rhymes, the rhythmic internal divisions of the stanza, the symmetry between them across the text, and you can add lots of little funny meta-meaning by reversing meaning in two halves of two successive stanzas, stuff like that. A poem is just a text that does more than transfer information at the first level, but does it on many more. English, Russian or French, they can all do it.
However, I'll give one for those who've missed the irony: It's considered gauche to have ubiquitous non-english comments.
Pretty much the only kosher use case is when you have to warn people not to modify otherwise bizarre looking code because of either regulatory, legal, or domain-specific reasons, and listing them in their native language makes more sense, since developers are not legal experts and translating them into English is not in the job description if the app is solely for domestic market.
Who considers it gauche to have software written in non-English? The Russians you mean? I certainly find it perfectly acceptable and even desirable depending on the contributor's English fluency.
2x BigCo's I've worked at, with 1-5K IT staff. Yandex is xbig though, with 5K+.
>That came down to the developers not speaking English at all.
That sounds implausible and not very sane, unless of course you're working for something very static like the government, and the tech stack you're using is set in stone.
Imagine that you're using a popular library and decide to update your dependencies, who's going to read the change logs & the documentation? Sr. Architect?
If you have a security issue and the only writeups are in English, who's going to be trusted to implement a fix correctly if the people can't understand what the problem is in the first place?
Anyway, you'd be surprised at how much documentation and resources are available in Portuguese. You can get by alright with it. I did it when I was younger and eager to learn how to code.
I've worked in big companies in Brazil where docs and comments were mostly in Portuguese. And some teams would even use Portuguese variable names.
Just because they do it differently in Russia, it doesn't mean every country is like that. Remember what you said about bubbles and all.
By the way, interestingly, I've briefly worked for the government there once and it was one of the places where English was most prevalent. People there were very open source oriented, which the Brazilian government incentivizes (at least used to back then). So, nearly all code had English comments and docs. Differently from closed source intiatives in the industry where other people reading it was considered a liability and not a goal.
Also, it seems that the situation with education in general is still better that in Brazil at least in some regards. In 2014 I worked in São Paulo and had a difficult time communicating with a taxi driver. I was trying to ask him to at least write the amount of money we have to pay for the ride on a slip of paper. Later a colleague explained that illiterate drivers are quite common.
In general Brazil felt mostly like home to me. Maybe Brazil is a version of Russia where homeless people don't freeze to death in the winter :)
https://norme-azerty.fr/en/
Also some other day she suggested someone else to install Linux at that student's home PC. I followed that advice too and learned a good bunch much of my English by reading man pages.
If I had to work again in a French company, I'd only use English if we were all perfectly fluent, otherwise it's just a mess, you have people, I don't know how they even learned programming, who know little to no English at all whatsoever writing variable names and comments in something so confusing and that no French reverse-translation can ever salvage.
Magnet:
Download at your own risk, comes from a brand new user on BreachForumsWho am I kidding.
Ah, I think Ghidra is trustworthy now that it’s been OSS for years. I’ve heard it’s especially good for debugging performance issues with certain SCADA systems. Your centrifuges aren’t behaving? Better fire up Ghidra and figure it out!
Baseless fear-mongering or is there some truth to this you can elaborate on?
There can also be dangerous git hooks. you're basically downloading a malicious exe, and any seemingly harmless command could be dangerous
I assume a drastically increased attack surface and potentially a boon for open-source development? Anything else?
Won't be a boon for OSS, any author would be idiotic to read stolen source code and then decide to create a OSS library/project based on what they learn from it.
With the current geopolitical situation going on, is this really true? (From a western developer's perspective)
Would the US government cooperate in the indictment and prosecution of a US citizen, on behalf of a de-facto enemy nation, for a company that has ties and is allegedly controlled by the government of said nation?
Not isolated incidents, rather something suggestive that one could confidently bring a sympathy-based argument in deference of law and expect a high probability of succeeding.
https://ir.yandex/
Social consensus is the only reason that you can leave your car at the curb, and come back to it a week later, and still expect it to be yours. Social consensus is the only reason that you can own land that you don't personally use. Social consensus is the only thing that prevents people working at your widget factory from deciding on Tuesday that its actually their widget factory, and that they would be better off by cutting out the middleman.
There are very rare, very extreme situations in which this kind of social consensus is very prominently broken.
This is naive. This generation seems very sensitive to the prospect of computer crime.
The stolen source code will almost certainly be read, and if deemed novel enough will be turned into open source projects. It may be tough to figure out those projects are derivatives of stolen code, but most likely they will be passed around in black market repos.
I looked through some of my telegram channels to see if anything has been posted yet. Lo and behold, the stolen files are in fact available… from a server in Ukraine.
You're right. I remember a time, maybe 20 years ago, when stuff like this would be generally appreciated by any community of hackers.
They do not have memories of a time when people tinkered around doing all kinds of crazy and possibly illegal stuff, just for fun, just to see if the could. Sad really.
What exactly did you expect the punishments to be like? A fine?
But re-licensing someone's else code is at the very least impolite. People avoid using BSD-licensed code in GPL code base, or vice versa, just to not violate an open-source license of some fellow hacker who won't sue (but would yawp on Twitter, or something).
Also, cutting proprietary stuff out of the thick scaffolding of proprietary dependencies is often hard. Removing proprietary cruft / tech debt may be even harder. A rewrite from scratch (not clean-room though) may be just easier.
This is to say nothing about any serious business unwilling to depend on code of unclear provenance, with possible legal complications attached; there goes adoption.
Huh? I don't believe they do that. It's completely fine to use BSD in GPL code, but not the other way around.
Binaries, yes -- either more or less restricted depending on which side of the ideological fence you're sitting on.
For some, sure.
There are also many who still explore, but qualitatively the overall culture feels very different.
Unfortunately, there are employers who seem to want their employees to tinker, but own virtually everything they do, all while still playing lip service to supporting work-life balance, including parenting. So we get mixed messages and weird hiring priorities.
I thought the same, then one day I stumbled onto a discord populated by teens and college students who were doing the same sort of shenanigans my friends and I were up to back in the day.
The S/N ratio is worse, but there are still people out there having fun!
Later, after studying engineering, I moved more into caring about problems and products. Over time, I found more and more companies wanted the benefits of having skilled software developers, but they seems to primarily want the businessified version -- solve the problem at hand while punting obvious existential problems down the road.
Sure, many Silicon Valley startups say they want "passionate" programmers, but they didn't usually embrace the tradeoffs that go along with it ... time and resources to explore, supporting risk taking, and fostering a culture where some experimentation is its own end (not merely a means).
Worse, these same companies that claimed to be business focused didn't even engineer well.
So often I saw a double failure: a lack of both the long-term exploration and tactical execution. Somehow both got lost.
There are exceptions of organizations that have healthy, adaptive cultures that internalize continual assessment and improvement, ranging across team interactions, software quality, user experience, and organizational processes.
Perhaps I was too naive and didn't fully appreciate the difficulty here; my progression in engineering has generally coincided with me lowering my expectations. I mean this as a trend line only; I have seen some impressive exceptions, but they tend to be unusual and fairly narrow in scope.
For example, the best product vision I've ever seen was coupled with a seemingly distracted CEO.
This is just one thread of my experience, I'm sure others have seen many other things. I for one would really enjoy reading reflections on working in the software industry.
For myself and perhaps other "passionate" programmers, learning to dial down "caring" and attempting to fit in with imperfect cultures is very hard. It would be one thing if the people in control seemed to understand the situation and showed empirically good results.
Not everyone has to share a political point of view, so while some people are anarchists and are happy to just have a giant free-for all others believe in the concept of ownership. That isn’t a lack of curiosity or a professional buttoned-up money-chasing approach.
More broadly speaking, I'd say that the cultural distinction between "hacker" and "corporate" was much wider then, and it manifested in this manner among others.
20 years ago you would get people lamenting that 20 years before that everything was all hippy sunshine and rainbows and homebrew computer club, phreaking and shareware etc, and that wasn't true then just like it isn't now.
I don't think anarchism has ever been the mainstream position at least never in my experience. It has always been present but always been fringe.
Origin will be forgotten and that will be that.
These days everyone whack code on GitHub I wonder if it'd be possible for GitHub to review repos for likely derivative of leaked code?
Ah, but will it make its way into Copilot? That could be interesting.
The Copilot Defence
What? Why? Isn't this what software developers do — they read a lot of code; they find ideas they like; they mix them together with their own ideas while building something. Isn't this how learning works in general?
Not normally. https://en.wikipedia.org/wiki/Not_invented_here#In_computing
More to the point: an organisation will usually use cleanroom techniques to clone something like this, if they choose to do so. Anyone who's been in contact with the original source code is "polluted": https://wiki.winehq.org/Developer_FAQ#Copyright_Issues
The whole point of the idea/expression dichotomy is that copyright doesn't protect ideas. To that end, extracting the uncopyrightable elements out of copyrightable code is more than legal and court-endorsed. Wine's approach just makes me sad, lots of wasted effort on black-box testing where a disssembly of the real code would be legally in the clear and allow it to advance at much better speeds.
Still not a solid foundation to start with, though.
Solution: Take kernel of the idea and implement it yourself.
I expect the code to be mostly worthless. There is just too much of it, it's poorly documented and, oftenly, just badly designed and badly written.
And the actual important data (index shards, voice models, all that crap) is not in these dumps.
Eating into their business would require much more than source code, but of course an analysis of the code could lead to finding more security issues.
> potentially a boon for open-source development?
That'd be an absolute copyright/licensing nightmare, just because the code was stolen and published doesn't mean it is now "open-source".
For the record, I don't disagree with you on the licensing/copyright front.
In some browsers/profiles I use a "Search by Image" extension that still works properly.
When Chrome first made Lens the built-in image search, there was a way to turn it off. Does anyone know if that's still possible by some more-hidden method?
And in quantity, it seems like 9/10th of the content is gone.
the regulations don't apply to Microsoft apparently, because even goddamn Bing has been better at it than Google for years now.
https://time.com/5163852/google-view-image-search-remove/
https://www.digitaltrends.com/computing/google-alters-images...
Also, such data collection abilities are generally limited to governments, so it was clear that many of them (US first and foremost) would ask for exclusion of certain individuals, and so forth, and so on, so the public tools were crippled.
Yandex image search does have some facial recognition, but it also seems bit-starved and/or mixed with text search (there's a bigger chance to match if the name and surname is present).
Also, Google is pretty Victorian about porn these days. It's almost like it has a whitelist of “acceptable” porn sites to suit the tastes of potentially angry old ladies.
https://www.google.ca/maps/place/Centre+P%C3%A9nitentiaire+d...
A quick trip over to Yandex, and there they were in their full glory:
https://yandex.com/maps/10502/paris/?l=sat&ll=2.340173%2C48....
In practice I just use a dumbphone and turn on my smartphone only to get a taxi (Yandex) or maybe see if my bus is coming (again Yandex). But my wife has her smartphone always on spying on us, not to mention all my colleagues. Also on my laptop I do use Yandex market, maps and read articles on Zen…
I can imagine that deep awareness of digital security issues may make one's life better in some situations but there's always a risk of becoming too much of an activist here. I think I'm quite geeky already.
It is unfortunate that there appears to be only one way to reclaim our privacy,and that is through the passing of new laws and regulations. However, due to the way that laws are passed in the United States, I am not very optimistic. For instance, sometimes unrelated laws are attached to necessary budget bills in order for them to pass, or a three hundred-page bill of legal jargon is given a misleading title such as the "PATRIOT" Act (The unpatriotic bill). Furthermore, both political parties do not seem particularly supportive of privacy, if anything they appear to be opposed to it. We need to somehow make this an important political issue in 2024.
Have you had an opportunity to discuss their views on privacy and the currently established political culture in the US with those in their 70s and 80s?
That's one thing that is probably the same in most countries... at least we know it is also true for USA and Russia.
If I have to choose between the two, I'll go with the US one.
Russia sent agents to blow up an ammunition depot ~15 kilometers from where I lived (google "Vrbetice 2014" if interested), killing 2 people. Russia regularly poisons and assassinates people. I mean, I'm no big fish to be interesting for Russia, but still the comparison comes out clear.
I prefer handing my data to privacy-breaching companies if the alternative would be handing data over to a state my government is currently holding a proxy war against.
Edit: Cool spam factors in extsearch/robot/index/metadoc/lib/links/spam_factors.h:
I wonder what SF_FROM_SEARCH_SHARE_YA_BRO is. "Share, ya bro!"
hmm...
https://github.com/yandex/CMICOT/blob/master/.arcadia.root
I could assume that this is the leak of Arcadia, and each archive roughly contains one top-level folder.
[1]: https://habr.com/en/company/yandex/blog/482926/
The other problem not addressed by git was the support of per-directory permissions.
Though I would expect these keys to be just some stub config values which allowed engineers to quickly run the shit locally.
Likewise if someone searched HN for this string he'd find your comment (:
EDIT: For example, here: https://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-htm...
or here: https://docs.vmware.com/en/VMware-NSX-Data-Center-for-vSpher...
or: https://www.ietf.org/archive/id/draft-bre-openpgp-samples-01...
2. Git repos tend to get rather large over time and yandex has been around since before git.
Also uploaded file lists from most of archives:
https://arseniyshestakov.com/2023/01/26/yandex-services-sour...
> All files are dated back to 24 February 2022.
If a coincidence, pretty interesting.
Unlikely that was the day of download, it's common practice to mask last-modified/last-accessed/created-at timestamps in dumps, by setting it to some significant date or just initial unix timestamp.
So it makes sense they stopped committing to other repos somewhat around that date.
I don't have any inside knowledge now, but my guess would be that the leak is from 'on-prem' github.
If they're still using Subversion, why would that be? Subversion lets you check out just part of a repo. (Then again, interns, I guess.)
2. Subversion lets you check out portions of your repository.
3. Subversion working copy does not have all regions history. Just a snapshot of the checked out revision.
So at least Subversion would have allowed them to limit the amount of leaked data + no revision history leaked.
We don't care. burn it to the ground
I would guess the crawling to be the easiest part.
I have a theory that the big search engines have agreements in place for "side-channel" access to CF and Akamai POPs but I would guess none of the parties involved have any incentive to discuss such a thing in a place that I could read it
> but I would guess none of the parties involved have any incentive to discuss such a thing in a place that I could read it
This reminds me how all the tech sites banned people like Alex Jones simultaneously. It's collusion.