For the last few days Runet has been absorbed in a new pastime: commenting on leaks of confidential data. Conspiracy theorists have already produced plenty of theories. There is the malicious activity of Yandex, which stops at nothing to expand its search index. There is the deliberate preparation of society for collecting big money with the help of law 152-FZ. There are the machinations of evil competitors (especially relevant in the context of Russian Railways). And of course there are the hackers who have switched from the US Department of Defense and Mastercard to a more serious opponent: Russian sex shops. With 99% probability the reality is much more prosaic. But that is not as interesting as the conclusions the interested parties will draw for themselves: search engines, CMS and site developers, and the owners of the sites themselves.
To begin with: whose ears are sticking out?
Nobody's. I am convinced that the MegaFon SMS messages were found by chance, and the information channel itself was so hot that a resonance was guaranteed from the start. After that, enterprising citizens began picking up queries themselves and posting the most successful ones. Neither the CIA, nor WikiLeaks, nor Google has anything to do with it. New "revelations" surely await us, since in 2011 people have suddenly remembered that search engines have query languages.
Who is guilty?
Certainly not Yandex or Google. All the talk that Yandex should analyze content for personal data, or not index pages with hash parameters, or not include pages without external links in the index, contradicts the very logic of search engines. Their direct goal is to find everything that is on the Web. If I am looking for compromising material on my wife, business partner or competitor, I may be a nasty little person, but I expect from a search engine not a moral evaluation of my base motives but a result. Its task is to find the information for me. Hiding that information is the task of the site where it is stored.
Therefore the responsibility for a leak lies entirely with the site, and consequently with the developers of the site and the maker of its content management system. In this context the reaction of the Shop-Script developers, who partially acknowledged their responsibility, deserves respect.
Why did the problem become so widespread? In my opinion the main reason is a simple and once-true paradigm stuck in developers' heads: if a page has a sufficiently complicated, humanly incomprehensible address, nobody will ever find it until we hand out or publish a direct link to it. Authorization by a hashed link, order tracking by a long number: all of these belong to that family. It turns out the paradigm is wrong, and it needs to be replaced by another one: if a page exists and is not protected by a password, a search robot will reach it sooner or later. It may even reach password-protected pages; there have been precedents.
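The paradigm shift described above, as an added illustration that is not part of the original post: the "before" handler releases an order to anyone who reaches its long id, while the "after" handler treats the id only as a lookup key and releases the order solely to an authenticated session that owns it. The order store, user names and crawler model are constructed for the example.

```python
# Constructed sample data: a shop's order store keyed by a long "unguessable" id.
ORDERS = {
    "7f3a9c2e1d5b4a60": {"owner": "alice", "phone": "+7-900-000-00-00", "items": ["book"]},
    "c4e8b1d02a6f9e37": {"owner": "bob", "phone": "+7-900-111-11-11", "items": ["lamp"]},
}


def order_page_obscurity(order_id, session_user=None):
    """The 'before' pattern the post criticises: the long id is the only secret.
    Whoever reaches the URL, a search robot included, gets the whole order."""
    order = ORDERS.get(order_id)
    if order is None:
        return None, 404, {}
    return order, 200, {}


def order_page_authenticated(order_id, session_user=None):
    """The replacement pattern: the id is only a lookup key. The order is returned
    only to an authenticated session that owns it; everyone else gets 404, so even
    the existence of the order is not confirmed. The headers are defense in depth
    so that a page fetched with a valid session is still not indexed or cached."""
    order = ORDERS.get(order_id)
    if order is None or session_user is None or order["owner"] != session_user:
        return None, 404, {}
    headers = {"X-Robots-Tag": "noindex, nofollow", "Cache-Control": "private, no-store"}
    return order, 200, headers


def simulate_crawler(handler, discovered_links):
    """A simplified search robot: it has no session cookie, fetches every URL it has
    learned about (however it learned them) and indexes every 200 response that
    does not carry a noindex directive. Returns what ended up in its index."""
    indexed = {}
    for order_id in discovered_links:
        body, status, headers = handler(order_id)  # anonymous fetch, no session_user
        if status == 200 and "noindex" not in headers.get("X-Robots-Tag", ""):
            indexed[order_id] = body
    return indexed
```

With the obscurity handler the crawler indexes both orders as soon as it learns the links; with the authenticated handler it indexes nothing, while the owner still reads her own order.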
Therefore it is impossible to pin the blame for leaks of confidential data on search engines or on developers, unless someone simply has to be found guilty, say because an instruction has come down from above.
If I were to blame anyone, it would be the journalists hungry for a sensation. By presenting the situation as "Yandex declassified" or "due to an error in the site's engine," they unwittingly disorient an audience far from Internet technologies, which of course makes up the vast majority of the population. And instead of thinking next time before giving their real surname when buying a dildo, people will conclude that spyware from Yandex and worthless programmers are to blame for everything. Just today one respected online publication ran a list of agencies whose secret documents had ended up in Google. The first entry in that list was the website of the FAS, in whose development I took part, and I know perfectly well that DSP (for official use only) documents simply cannot be published there. The journalist, of course, did not know this, but by spending five minutes on opening the first document in the results, or on calling the FAS or the developer's studio, one could have seen clearly that the document was not secret at all but entirely public.
What to do?
Search engines should think about patterns of information that should not be indexed. This contradicts my own logic, but we live in the real world, where a court can forbid Google from indexing the news of specific sites, and where Yandex, rather than the owners of the indexed sites, is held responsible for pornography in its results. And do not forget about 152-FZ. CMS developers should revise their approach to convenient but potentially unsafe ways of accessing confidential information. Website developers should choose the means of access to private information carefully, weighing the potential damage to users from unauthorized access to it (in some places a USB token is indispensable; in others there is no particular need to protect anything).
And users should not forget that Big Brother is alive and well, more than ever.
UPD. For more on the allegedly secret FAS file and on whether this situation is possible on NetCat-managed sites, see our blog.