This data breach reminds me of something I experienced at my previous company. I saw employees' passwords get compromised, and hackers then used them to exploit the company's data assets and code for malicious purposes. It was a major news story in 2017; you can search for it. In that situation, being fired was the least of it; some people even went to jail.
Later I was transferred to the security team to deal with this vulnerability. To catch similar issues, we wrote a program in Python: we manually configured a handful of company-related keywords and searched for them daily through the APIs of sites like GitHub. If anything company-related turned up, it would immediately send an email alert, and then we would review it manually. You'd be surprised to learn that, with such a simple strategy, we still discovered leaks roughly every two months.
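The daily keyword sweep described above, as an added example (this is not the author's original program): a hand-maintained keyword list, one query per keyword against a code-search API, de-duplication against hits already reviewed, and an email-style alert for anything new. The keywords, the sample index and the repositories in it are constructed for the demo; `github_code_search()` shows the shape of the real call (assuming GitHub's REST code search and a token in `GITHUB_TOKEN`) but is not invoked, so everything below runs offline.

```python
"""Keyword-driven code-search leak monitor (added example, not the thread's code)."""
import json
import re
import urllib.parse
import urllib.request
from typing import Callable, Iterable

# Hypothetical company keywords: internal hostnames, product code names, package namespaces.
KEYWORDS = ["acme-internal", "api.acme.example", "acmeclouddb"]

# Credential-shaped strings that turn a hit from "review" into "high".
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)(?:password|passwd|pwd)\s*[:=]\s*['\"][^'\"]{6,}['\"]"),
    "generic_token": re.compile(r"(?i)(?:token|secret|api_key)\s*[:=]\s*['\"][A-Za-z0-9_\-]{16,}['\"]"),
}


def github_code_search(keyword: str, token: str) -> list:
    """Shape of the real query (assumption: GitHub REST code search; not executed here).
    The text-match media type returns the matching fragments with each item."""
    query = urllib.parse.urlencode({"q": f'"{keyword}"', "per_page": 100})
    req = urllib.request.Request(
        "https://api.github.com/search/code?" + query,
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github.text-match+json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        data = json.load(resp)
    return [{"repo": item["repository"]["full_name"], "path": item["path"], "url": item["html_url"],
             "snippet": "\n".join(m["fragment"] for m in item.get("text_matches", []))}
            for item in data.get("items", [])]


def classify(hit: dict) -> list:
    """Names of the secret patterns present in a hit's snippet, in pattern order."""
    return [name for name, pat in SECRET_PATTERNS.items() if pat.search(hit["snippet"])]


def scan(search: Callable[[str], Iterable[dict]], keywords: Iterable[str], seen: set) -> list:
    """One daily run. Each (repo, path) not yet in `seen` becomes an alert and is
    added to `seen`, so a second run over an unchanged index reports nothing."""
    alerts = []
    for keyword in keywords:
        for hit in search(keyword):
            key = (hit["repo"], hit["path"])
            if key in seen:
                continue
            seen.add(key)
            findings = classify(hit)
            alerts.append({"keyword": keyword, "repo": hit["repo"], "path": hit["path"],
                           "url": hit["url"], "findings": findings,
                           "severity": "high" if findings else "review"})
    return alerts


def format_alert_email(alerts: list) -> str:
    """Plain-text alert body, high-severity hits first; the SMTP/ticketing step is left out."""
    lines = [f"{len(alerts)} new public hit(s) for company keywords:"]
    for a in sorted(alerts, key=lambda a: a["severity"] != "high"):
        tag = ", ".join(a["findings"]) or "keyword only"
        lines.append(f"[{a['severity'].upper()}] {a['repo']}/{a['path']} ({a['keyword']}: {tag}) {a['url']}")
    return "\n".join(lines)


# Constructed sample index standing in for the search API. The contractor config
# is returned for two keywords to exercise de-duplication; the AKIA value is AWS's
# documented example key, not a live credential.
_CONTRACTOR_CONFIG = {
    "repo": "contractor/tools", "path": "config.py",
    "url": "https://github.com/contractor/tools/blob/main/config.py",
    "snippet": 'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\nHOST = "acmeclouddb.internal"',
}
SAMPLE_INDEX = {
    "acme-internal": [{"repo": "someone/dotfiles", "path": "scripts/deploy.sh",
                       "url": "https://github.com/someone/dotfiles/blob/main/scripts/deploy.sh",
                       "snippet": 'export DB_PASSWORD="Sup3rS3cret!"\ncurl https://acme-internal/deploy'}],
    "api.acme.example": [{"repo": "student/homework", "path": "README.md",
                          "url": "https://github.com/student/homework/blob/main/README.md",
                          "snippet": "Point the demo at https://api.acme.example/v1"},
                         _CONTRACTOR_CONFIG],
    "acmeclouddb": [_CONTRACTOR_CONFIG],
}


def fake_search(keyword: str) -> list:
    """Offline stand-in for github_code_search()."""
    return SAMPLE_INDEX.get(keyword, [])


if __name__ == "__main__":
    seen = set()
    print(format_alert_email(scan(fake_search, KEYWORDS, seen)))
    print("second run:", scan(fake_search, KEYWORDS, seen))
```

The `seen` set is the part that makes this usable day after day: persist it (a file or table keyed on repo and path) so the same public file is not re-alerted every morning, and keep the keyword list short and specific, because generic words drown the reviewer in noise.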
This doesn't require anything high-tech. Any medium-sized or larger company should have a system like this to protect itself. CSDN, as a platform, should have a detection mechanism to remind authors. GitHub is already making some effort in this direction.
I think many developers have very poor security awareness. They don't understand what should be kept confidential, don't understand the difference between a private key and a public key, and don't even know how to use Git properly. After discovering the password, they push a commit that deletes it. WTF... 4/n
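An added illustration of that last point (not from the thread): it builds a throw-away Git repository, commits a constructed hard-coded password, commits its removal the way the developers above did, and then shows that the working tree is clean while the secret is still recoverable from history. It assumes only that the `git` binary is on `PATH`; the repository lives in a temporary directory and nothing leaves the machine.

```python
"""Why "delete the password in the next commit" doesn't work (added example)."""
import os
import shutil
import subprocess
import tempfile


def git(repo: str, *args: str) -> str:
    """Run a git command inside `repo` and return stdout. Signing is disabled so the demo needs no GPG."""
    cmd = ["git", "-C", repo, "-c", "commit.gpgsign=false", *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def init_repo(repo: str) -> None:
    git(repo, "init", "-q")
    git(repo, "config", "user.email", "dev@example.com")
    git(repo, "config", "user.name", "dev")


def commit_file(repo: str, path: str, content: str, message: str) -> None:
    with open(os.path.join(repo, path), "w", encoding="utf-8") as fh:
        fh.write(content)
    git(repo, "add", path)
    git(repo, "commit", "-q", "-m", message)


def secret_in_working_tree(repo: str, secret: str) -> bool:
    """What a grep over the checked-out files sees: only the current state."""
    for root, dirs, files in os.walk(repo):
        dirs[:] = [d for d in dirs if d != ".git"]
        for name in files:
            with open(os.path.join(root, name), encoding="utf-8", errors="ignore") as fh:
                if secret in fh.read():
                    return True
    return False


def commits_touching_secret(repo: str, secret: str) -> list:
    """Pickaxe search: every reachable commit whose diff added or removed the string."""
    return git(repo, "log", "--all", "--format=%H", "-S" + secret).split()


def secret_recoverable(repo: str, secret: str):
    """Return (True, commit, path) if some reachable commit still holds the secret in a file."""
    for commit in commits_touching_secret(repo, secret):
        for path in git(repo, "ls-tree", "-r", "--name-only", commit).split():
            if secret in git(repo, "show", f"{commit}:{path}"):
                return True, commit, path
    return False, None, None


def demo() -> dict:
    repo = tempfile.mkdtemp(prefix="leak-demo-")
    secret = "P@ssw0rd-constructed-for-demo"  # constructed value, not a real credential
    try:
        init_repo(repo)
        commit_file(repo, "config.py", f'DB_PASSWORD = "{secret}"\n', "add db config")
        # The "fix" the thread complains about: a follow-up commit that just deletes the line.
        commit_file(repo, "config.py", 'DB_PASSWORD = os.environ["DB_PASSWORD"]\n',
                    "remove hardcoded password")
        recoverable, commit, path = secret_recoverable(repo, secret)
        return {
            "in_working_tree": secret_in_working_tree(repo, secret),
            "recoverable": recoverable,
            "where": f"{commit[:8]}:{path}" if recoverable else None,
            "commits_touching": len(commits_touching_secret(repo, secret)),
        }
    finally:
        shutil.rmtree(repo, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Once a credential has been pushed, treat it as compromised and rotate it; that is the only step that actually closes the hole. Rewriting history and force-pushing only helps for whatever has not yet been cloned, forked, or indexed, and public search engines and leak scanners of the kind in the previous example usually get there first.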
I previously wrote an article, [Talking About Mistakes at Work](https://t.co/2TccYUbe0B) (arcatcoding.me/p/avoid-mistak…), but it isn't comprehensive enough. Security is a vast topic, so here are some case studies for reference. Maintain a respectful attitude toward your work, especially when your code and work affect many users. Even a small mistake can cause significant damage.
Security training is also a must, both on joining and periodically thereafter. Even simple security principles need to be instilled in employees over and over. For a company, the shortest stave of the barrel is the one to guard against: once headcount reaches a certain level, you can't know how low the weakest employee's floor is.
I'll keep writing about whatever comes to mind. Note that I haven't mentioned the company's name. This security issue was a huge flaw. The company's products are mostly sold in the US, thanks to Shenzhen's well-established supply chain and earlier technological expertise; Americans aren't as good at making similar products. So this data leak was constantly questioned, and with the US-China trade war, China also began requiring that data not be stored on US servers. 6/n
During those two or three years, as the internet department of a hardware company, we spent most of our time sorting things out, remediating, and patching holes. We gradually reduced our use of Amazon and migrated as much as possible to Alibaba Cloud, also using Alibaba's servers overseas. We even prepared for the worst case: if all US servers were shut down, we had already deployed a set of servers at Alibaba Cloud nodes in Europe.
Our company was always rumored to be on the US blacklist, but for a long time it wasn't officially added, until one day it actually was. So during that period the company was in a state of panic, going through round after round of rectification and self-examination.
Although I was exhausted, the trade war at the time gave me some motivation to work, because I felt I was living through a rare historical moment. Indeed, if I think back on the trade war years from now, I will surely recall the feeling of dragging my exhausted body home and lying down.
Now let's talk about security. Since our company's core business was hardware, we naturally needed to procure network security protection and tools, a process I invested considerable time in. I was responsible for evaluating products and working with the vendors (Party B) to roll them out inside the company. Throughout this process I realized how stingy a powerful client (Party A) can be toward these security vendors. Of course, from the company's perspective this stinginess is necessary; we also need to control costs.
What I particularly dislike is the practice of leveraging one's own company's reputation. Many large companies hope to capitalize on this advantage and squeeze vendors hard. Product trial periods get extended again and again, sometimes for almost a year and a half, without the purchasing process ever being started. Only when trials truly can't be had any longer does the purchasing process begin, with three or four vendors to choose from. Understandably, some of them are destined to be cannon fodder.
Take code scanning, for example. This tool is offered by numerous vendors, both domestic and foreign. Foreign ones were naturally ruled out; domestic ones were made by both large companies and startups. I trialled two products, from both kinds of company, for at least a year, and by the time I was too embarrassed to email them to extend the trial again, I finally initiated a purchase. After a long negotiation and some bargaining through other channels, the final price was so low that I couldn't believe it. 12/n
Let's put it this way: the price of this set of security tools was roughly a mid-level security development engineer's monthly salary. You can imagine how disheartening it was for Party B, after such a long and arduous negotiation and the sheer amount of manpower they put into our trial, to finally settle for that price. But a deal is always better than no deal, right? Ultimately, we signed. 13/n
During this process, my colleagues and I also experienced some of the courting that goes on in the Party B market, some of it truly subtle. For example, seeing that my colleague liked dogs, one female salesperson invited him to go running and walk the dog on weekends, and another invited him for coffee in the evening, and so on. Of course, we were all hardworking, timid coders.
So it's understandable how much temptation the people in the purchasing department must have faced. One year, quite a few people in the purchasing department were arrested and imprisoned. Many had taken kickbacks from suppliers; others had manipulated the company and sold it substandard products. Later I heard that the purchasing department's induction training included a prison visit.
It's hard for a company to take security seriously if it hasn't suffered losses before. The company I worked for at the time had been a unicorn for years, well known both domestically and internationally. But before this major security incident, its security management was quite backward. And that was the level a company claiming to be technologically innovative could achieve. So imagine the level of security in government departments.