今年12月22號的冬至被中國網民戲稱為「全民改密碼日」,因為大陸多家著名網際網路公司的客戶註冊資訊庫,紛紛被黑客公開,似乎是對近期試行的「微博實名註冊」的嘲弄和挑戰。業界人士也指出,網路就好像中國社會的縮影,如果不重新從基礎做起,單改改密碼很可能是治標不治本。
到25號為止,大陸幾十家大陸網站的用戶資料庫被黑,用戶資料被公開在網上。包括新浪微博、網易郵箱等知名網站都可能受到牽連。網際網路安全企業「奇虎360」公司發布紅色安全警報說,通過技術驗證,初步評估目前網上僅公開洩露的用戶帳戶密碼就有5000多萬個。一時間,中國網民人人忙著改密碼。
率先爆出「遭黑」的是國內最大的程式設計師網站--「中國軟體開發聯盟CSDN」,會員囊括了中國地區90%以上的優秀程式設計師。12月21號上午,黑客在網上公開了CSDN網站600萬用戶資料庫,其中包括註冊郵箱帳號和明文密碼。國內媒體嘆氣說,「黑客打敗了程式設計師」。
業界人士說,用戶帳號密碼等被盜取的現像在中國已經存在多年,甚至私下倒賣,形成灰色產業鏈,但這次黑客竟然將打包的「密碼集」在網路上公開,引發全國性恐慌。
而就在幾天前,北京、上海、天津、廣州、深圳五個城市的微博客網站,開始試行以真實身份信息註冊新微博客帳號。黑客恰好選擇這一時機做出不尋常舉動,被業界人士視為一種挑釁。
網際網路實驗室創始人之一王先生:「我覺得是對網絡實名制的一個報復。韓國不是出了網絡實名制以後就出現了黑客把網站的個人密碼泄漏事件嗎?最後韓國那個實名制不是宣布不弄了嗎?那可能中國也面臨類似韓國一樣的問題,他有實名制,你又保證不了用戶的安全,那你的實名制不就是不能實施了嗎?」
前雅虎中國總經理謝文:「我的感覺是一種,或者是讓你出醜,或者是出於某種商業的動機來做的。更多的我傾向是認為有些搞技術的人說,你們別牛,我讓你看看你們的網站有多爛。」
CSDN被盜的600萬用戶信息和天涯社區被洩露的4000萬用戶密碼都是以明文方式保存,雖然出事後兩網站都宣布說,目前使用了密文保護用戶的信息,但網友仍然質疑,作為知名網站,保管信息的方式怎麼會這麼「原始」。
前雅虎中國總經理謝文:「網際網路公司很多都是粗搭亂建,技術水平低下,偷工減料,沒有這種符合一般的主流的技術標準的後台。所以出現這樣的事我一點都不奇怪。我相信90%以上的中國網站,不用什麼高級黑客,懂點網絡技術的就很容易可以拿到用戶資料。」
目前各大網站都提醒用戶更改密碼,但專家指出,用戶更改自己的密碼只是「治標 」,而不能「治本」。
前雅虎中國總經理謝文:「只要基礎設施仍然很爛,漏洞還是防不勝防,改了密碼,改了用戶名也同樣的不安全,因為它還可以再次被攻破。我覺得和整個中國社會,比如假冒偽劣很多呀,很多商品粗製濫造啊,一脈相承。大家都不願意做基礎的事情,不願意做高質量的事情,其結果就是四面漏風,到處出問題。」
那麼,誰來保證資訊安全和用戶利益呢?
專家指出,目前建立並完善網絡個人信息的保護制度才是第一位的,而不是急於在毫無保證的情況下強行推行「實名制」。
新唐人記者常春、尚燕、柏尼採訪報導。
[next]
Chinese Websites in Chaos: Are Hackers Mocking the Real-Name System?
Chinese netizens are calling December 22nd 「the day all
Chinese change their passwords」.
Personal information on many popular Chinese websites
has been hacked and exposed on line.
The hacking appears to be challenging the 「Micro-blog
Real-name System」, launched a few days prior.
Many industry professionals highlighted that the internet
is like a microcosm of Chinese society.
Passwords are changed, but the root of website problems
is not fundamentally solved.
Leading up to Dec. 25, dozens of users date on Chinese
website were hacked, with information were posted online.
Many popular websites were targeted, including Sina and
NetEase.
Chinese internet security company 「Qihoo 360」 released
a red alert.
It estimated over 50 million netizen passwords were
exposed, leading to a frenzy of password changing.
China Software Development Alliance (CSDN), the largest
site for programmers, was the first to be hacked.
Over 90% of accomplished Chinese programmers are
registered users of CSDN.
On the morning of December 21, a hacker posted 6 million
CSDN’s users』 database information online.
This included registered emails, passwords, etc, with
Chinese media labeling it 「Hackers beat programmers」.
Industry sources highlighted that theft of internet user
information has existed for many years in China.
There even exists a black market to trade this information,
creating a grey industrial chain.
On this occasion, the hacker exposed many 「password
packages」, triggering a national panic.
Only a few days ago, Beijing, Shanghai, Tianjin, Guangzhou
and Shenzhen launched a new micro-blog policy.
It stated all individuals and organizations have to use their
real identity when registering a web micro-blog.
The hacker is thought to have chosen to take this unusual
action at this time to provoke this industry policy.
Mr. Wang, co-founder of 』Internet Lab』, stated: 「I think it’s
revenge on the ’real-name system』.
South Korea had a similar experience with a hacker after the
government launched a real-name system.
This eventually led to South Korea retracting the real-name
system, and now China may face a similar situation.
The real-name system can’t guarantee the safety of users,
so permanently implementing the system is questionable.
Xie Wen, former General Manager of Yahoo China, stated:
「It’s either hackers want to fool the government, or there’s financial motivation.
Mostly I think that many technical people want to
show website designers how bad their site is.」
600 million CSDN user passwords and 40 million Tianya
user passwords were stolen and exposed.
Both websites stated they use a coding system to protect
users』 information.
Netizens, however, questioned why these well-known
websites use 「primitive「 ways to save information.
Xie Wen: 「Many websites are built on a low technical basis,
and didn’t use mainstream back-end technical standard’s.
They are built with corners cut, so it’s not a surprise that
this kind of hacking happened.
I believe that a person with basic internet knowledge can
get users』 information from 90% of Chinese websites easily.
It does not need an experienced hacker.」
Now, all main websites are reminding users to change
passwords.
Experts highlighted that changing passwords cannot,
however, solve the root problem.
Xie Wen: 」If the infrastructure is poor, it’s very difficult to
protect safety because there’s so many holes.
It isn’t safe to just change a password, or even change a
username, as it can be hacked again.
Chinese society is full of fake things and shoddy goods.
The same thing happens within the internet.
No-one likes to do the fundamental things, nor the high
quality things.
The result is that there are problems in all areas, and
there are holes everywhere.」
The question is then, who will ensure internet information
security for the protection of users?
Experts pointed out that establishing and perfecting
a complete individual information system is the first priority.
This should come above rushing to launch the real-name
system without any protection.
NTD Reporters: Shang Yan and Bo Ni
