2025-03-26 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
They used public GitHub and were reluctant to buy private hosting for team members. They did not build their own private GitLab.
With public repositories, the source code can be audited by anyone and information leaks.
Passwords were committed to Git. Sensitive information must not be committed to Git. Git is like a blockchain: once data has been pushed, it is difficult to delete. I haven't studied how to cleanly delete a version from Git, because I haven't run into it yet; if the sensitive password that was pushed is random and not used elsewhere, just update it. Sensitive information must not be passed into the version control system or the log server. The usual mechanism is to inject the password through environment variables, or to write it to a configuration file whose name is listed in .gitignore, with a template provided for other developers to copy so they can quickly create their own.
The database was not protected by a firewall and was exposed on the public network.
The MySQL account name was root and the password was the weak password 123456. There was no isolation between multiple databases with different security levels.
The mass data leak (53G+22G+66G=141G) did not trigger any warning from traffic analysis tools such as an IDS.
It can be seen that Huazhu basically did not have any security protection. If the data had not leaked from here, it would certainly have leaked from somewhere else.
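The mechanism described above for keeping passwords out of Git (environment variable first, then a local configuration file listed in .gitignore and created from a committed template), as an added example that is not from the original article. The variable name `DB_PASSWORD`, the file names `config.ini` and `config.ini.template`, and the `CHANGE_ME` placeholder are assumptions, and the .gitignore check is deliberately simplified.

```python
import configparser
import os
import tempfile
from pathlib import Path

PLACEHOLDER = "CHANGE_ME"  # constructed marker used in the committed template

def is_ignored(repo: Path, name: str) -> bool:
    """Simplified check: name is listed verbatim in .gitignore (no glob matching)."""
    gitignore = repo / ".gitignore"
    lines = gitignore.read_text().splitlines() if gitignore.exists() else []
    return name in {line.strip().lstrip("/") for line in lines}

def load_db_password(repo: Path, env=os.environ, config_name="config.ini") -> str:
    """Environment variable first (name DB_PASSWORD is assumed), then the ignored file."""
    if env.get("DB_PASSWORD"):
        return env["DB_PASSWORD"]
    if not is_ignored(repo, config_name):
        raise RuntimeError(f"{config_name} is not in .gitignore; refusing to use it")
    parser = configparser.ConfigParser(interpolation=None)  # '%' is legal in passwords
    parser.read(repo / config_name)  # a missing file is skipped and yields the fallback
    password = parser.get("database", "password", fallback="")
    if password in ("", PLACEHOLDER):
        raise RuntimeError(f"copy {config_name}.template to {config_name} and set a real password")
    return password

def demo() -> list:
    """Walk a constructed repository through the states a new developer hits."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        template = f"[database]\nuser = app\npassword = {PLACEHOLDER}\n"
        (repo / "config.ini.template").write_text(template)  # committed to Git
        (repo / "config.ini").write_text(template)           # local copy, never committed
        for step in ("not ignored", "placeholder", "filled in"):
            if step == "placeholder":
                (repo / ".gitignore").write_text("config.ini\n")
            if step == "filled in":
                (repo / "config.ini").write_text(template.replace(PLACEHOLDER, "s3%cret"))
            try:
                results.append(load_db_password(repo, env={}))
            except RuntimeError as err:
                results.append(str(err))
        results.append(load_db_password(repo, env={"DB_PASSWORD": "from-env"}))
    return results

if __name__ == "__main__":
    print(demo())
```

The loader refuses to read a secrets file that Git would still track, so a forgotten .gitignore entry fails at startup rather than at the next commit.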
Security is a cost.
When we talk about security, we talk about cost: how many resources we are willing to invest and what level of security we are willing to pay for. When we talk about security, we also talk about centralization. Only by centralizing can we reduce costs. However, centralization is somewhat difficult in the hotel industry. I don't know much about IT systems in the hotel industry, but I would guess that, in addition to room booking and other OTA servers, many functions such as monitoring, access control, fire protection and Wi-Fi require a server to be placed in the hotel. And many are still residential accommodation, where costs are already very low, so how can they talk about security? If you want to improve security, the wool comes from the sheep: a percentage of the accommodation fee can be set aside directly as a special fund for security. This will increase costs in the short term, enhance competitiveness in the long run, and so on. Will Huazhu go bankrupt? Will other hotels start to pay attention to IT system security? I don't think so. There are more health costs to consider in the hotel industry.
Which hotel would advertise that it guarantees room data will not be leaked? The only way for data not to be leaked is to delete it regularly so that it really disappears from the world: delete it from backups, delete it from logs. Storage is now too cheap, and there is demand for big data analysis. I remember that 20 years ago, a university BBS system ran out of hard disk space and had to delete posts and users, which seems hard to imagine now. We learned from the monk incident that text messages can be accessed from operators and are saved for 50 years. WeChat messages? They should also be based on this standard. If you can't protect her, let her go. A man is innocent, but he is guilty.
Data can be deleted or cleaned regularly with reference to the EU General Data Protection Regulation (GDPR), which would require great changes to the hotel industry's IT systems. I don't stay in many hotels, but I haven't seen any system that allows me to log in and check my accommodation records, let alone delete them remotely after downloading them locally. Of course, the data must be retained for a period of time so that regulators can review it. Judging from the Didi hitchhiking incident, the public wants a security department to be able to access anyone's information for the sake of safety.
Please start getting used to your information being disclosed.
Society is slowly evolving. This data leak should have been a very big event (100 million mobile phone numbers, email addresses, ID cards, home addresses; data centralization is good, uh-huh), but unlike the vaccine story in Moments, everyone has become numb, as if data not being leaked would be the news.
As the economy develops, according to the hemline theory, women's skirts get shorter and shorter. As science and technology develop, two people who in the past would basically not have been in touch now find that, through his circle of friends, you feel as if he is still with you. This is a process of slowly revealing our information, and it is also a process in which everyone slowly adapts to privacy that is no longer private. In the end, when everyone is numb, society will have evolved. And those who do not adapt will naturally disappear through the survival of the fittest.
I think that, with science and technology developing at the current rate, society will eventually evolve to the point where no one has any privacy, and the word privacy will disappear from the dictionary. Seen from the level of big data information systems, you will look just like the other animals that you see at a glance running around the earth.