今年12月22号的冬至被中国网民戏称为〝全民改密码日〞,因为大陆多家著名互联网公司的客户注册信息库,纷纷被黑客公开,似乎是对近期试行的“微博实名注册”的嘲弄和挑战。业界人士也指出,网路就好像中国社会的缩影,如果不重新从基础做起,单改改密码很可能是治标不治本。
到25号为止,大陆几十家大陆网站的用户数据库被黑,用户资料被公开在网上。包括新浪微博、网易邮箱等知名网站都可能受到牵连。互联网安全企业〝奇虎360〞公司发布红色安全警报说,通过技术验证,初步评估目前网上仅公开洩露的用户账户密码就有5000多万个。一时间,中国网民人人忙着改密码。
率先爆出“遭黑”的是国内最大的程序员网站--〝中国软件开发联盟CSDN〞,会员囊括了中国地区90%以上的优秀程序员。12月21号上午,黑客在网上公开了CSDN网站600万用户数据库,其中包括注册邮箱账号和明文密码。国内媒体叹气说,〝黑客打败了程序员〞。
业界人士说,用户账号密码等被盗取的现像在中国已经存在多年,甚至私下倒卖,形成灰色产业链,但这次黑客竟然将打包的〝密码集〞在网路上公开,引发全国性恐慌。
而就在几天前,北京、上海、天津、广州、深圳五个城市的微博客网站,开始试行以真实身份信息注册新微博客账号。黑客恰好选择这一时机做出不寻常举动,被业界人士视为一种挑衅。
互联网实验室创始人之一王先生:〝我觉得是对网络实名制的一个报复。韩国不是出了网络实名制以后就出现了黑客把网站的个人密码泄漏事件吗?最后韩国那个实名制不是宣布不弄了吗?那可能中国也面临类似韩国一样的问题,他有实名制,你又保证不了用户的安全,那你的实名制不就是不能实施了吗?〞
前雅虎中国总经理谢文:〝我的感觉是一种,或者是让你出丑,或者是出于某种商业的动机来做的。更多的我倾向是认为有些搞技术的人说,你们别牛,我让你看看你们的网站有多烂。〞
CSDN被盗的600万用户信息和天涯社区被洩露的4000万用户密码都是以明文方式保存,虽然出事后两网站都宣布说,目前使用了密文保护用户的信息,但网友仍然质疑,作为知名网站,保管信息的方式怎么会这么〝原始〞。
前雅虎中国总经理谢文:〝互联网公司很多都是粗搭乱建,技术水平低下,偷工减料,没有这种符合一般的主流的技术标准的后台。所以出现这样的事我一点都不奇怪。我相信90%以上的中国网站,不用什么高级黑客,懂点网络技术的就很容易可以拿到用户资料。〞
目前各大网站都提醒用户更改密码,但专家指出,用户更改自己的密码只是〝治标 〞,而不能〝治本〞。
前雅虎中国总经理谢文:〝只要基础设施仍然很烂,漏洞还是防不胜防,改了密码,改了用户名也同样的不安全,因为它还可以再次被攻破。我觉得和整个中国社会,比如假冒伪劣很多呀,很多商品粗制滥造啊,一脉相承。大家都不愿意做基础的事情,不愿意做高质量的事情,其结果就是四面漏风,到处出问题。〞
那么,谁来保证信息安全和用户利益呢?
专家指出,目前建立并完善网络个人信息的保护制度才是第一位的,而不是急于在毫无保证的情况下强行推行〝实名制〞。
新唐人记者常春、尚燕、柏尼采访报导。
[next]
Chinese Websites in Chaos: Are Hackers Mocking the Real-Name System?
Chinese netizens are calling December 22nd “the day all
Chinese change their passwords”.
Personal information on many popular Chinese websites
has been hacked and exposed on line.
The hacking appears to be challenging the “Micro-blog
Real-name System”, launched a few days prior.
Many industry professionals highlighted that the internet
is like a microcosm of Chinese society.
Passwords are changed, but the root of website problems
is not fundamentally solved.
Leading up to Dec. 25, dozens of users date on Chinese
website were hacked, with information were posted online.
Many popular websites were targeted, including Sina and
NetEase.
Chinese internet security company “Qihoo 360” released
a red alert.
It estimated over 50 million netizen passwords were
exposed, leading to a frenzy of password changing.
China Software Development Alliance (CSDN), the largest
site for programmers, was the first to be hacked.
Over 90% of accomplished Chinese programmers are
registered users of CSDN.
On the morning of December 21, a hacker posted 6 million
CSDN’s users’ database information online.
This included registered emails, passwords, etc, with
Chinese media labeling it “Hackers beat programmers”.
Industry sources highlighted that theft of internet user
information has existed for many years in China.
There even exists a black market to trade this information,
creating a grey industrial chain.
On this occasion, the hacker exposed many “password
packages”, triggering a national panic.
Only a few days ago, Beijing, Shanghai, Tianjin, Guangzhou
and Shenzhen launched a new micro-blog policy.
It stated all individuals and organizations have to use their
real identity when registering a web micro-blog.
The hacker is thought to have chosen to take this unusual
action at this time to provoke this industry policy.
Mr. Wang, co-founder of ’Internet Lab’, stated: “I think it’s
revenge on the ’real-name system’.
South Korea had a similar experience with a hacker after the
government launched a real-name system.
This eventually led to South Korea retracting the real-name
system, and now China may face a similar situation.
The real-name system can’t guarantee the safety of users,
so permanently implementing the system is questionable.
Xie Wen, former General Manager of Yahoo China, stated:
“It’s either hackers want to fool the government, or there’s financial motivation.
Mostly I think that many technical people want to
show website designers how bad their site is.”
600 million CSDN user passwords and 40 million Tianya
user passwords were stolen and exposed.
Both websites stated they use a coding system to protect
users’ information.
Netizens, however, questioned why these well-known
websites use “primitive“ ways to save information.
Xie Wen: “Many websites are built on a low technical basis,
and didn’t use mainstream back-end technical standard’s.
They are built with corners cut, so it’s not a surprise that
this kind of hacking happened.
I believe that a person with basic internet knowledge can
get users’ information from 90% of Chinese websites easily.
It does not need an experienced hacker.”
Now, all main websites are reminding users to change
passwords.
Experts highlighted that changing passwords cannot,
however, solve the root problem.
Xie Wen: ”If the infrastructure is poor, it’s very difficult to
protect safety because there’s so many holes.
It isn’t safe to just change a password, or even change a
username, as it can be hacked again.
Chinese society is full of fake things and shoddy goods.
The same thing happens within the internet.
No-one likes to do the fundamental things, nor the high
quality things.
The result is that there are problems in all areas, and
there are holes everywhere.”
The question is then, who will ensure internet information
security for the protection of users?
Experts pointed out that establishing and perfecting
a complete individual information system is the first priority.
This should come above rushing to launch the real-name
system without any protection.
NTD Reporters: Shang Yan and Bo Ni
