26 comments

  • tpaksoy 44 days ago
Apparently there was a "blogpost" of a developer showing off their code, where they accidentally leaked access tokens in a piece of commented code: https://archive.ph/mP3bh

    This is completely unverified though, so take it with a grain of salt.

    • zricethezav 43 days ago
Assuming this unverified version of the story is true, the danger of accidentally leaking credentials in code is enormous and one of the reasons I continue to maintain and develop gitleaks. Those credentials [1] would have been caught by gitleaks' generic rule [2]

      [1] https://regex101.com/r/CLg9TK/1

      [2] https://github.com/zricethezav/gitleaks/blob/master/config/g...

      • anitil 43 days ago
        Fantastic tool. We all know that _we_ wouldn't leak keys, but we have all been the person to 'rm -rf /' or 'delete * from prod where 1=1;', so it's just a matter of time.

        Is there a plugin that streamers could use to blur suspected keys on stream? Would that be something interesting to work on do you think? (I'm not a streamer but it sounds fun)

        • corobo 43 days ago
          When I was looking into the streaming side of things I set up an overlay image which could be toggled with a hotkey to hide my screen (it actually also hid my desktop scene too in case the image didn't load or whatever)

          My main precaution though was separating dev/prod and never looking at prod stuff online. Worst case someone could spin up some guff in my dev/test account until I can cycle the credentials

          In my case the separation also included a different system user on my computer for stream work. Possibly overkill but why risk it when the costs are so low?

          I can't see myself trusting a key blurring app if I'm honest. Rather fix the issue earlier in the process than rely on something that would probably break on edge cases (word wrap enabled? Here's the key but it's in two parts, that sort of thing)

          • anitil 41 days ago
I agree, I'd probably not trust it either. I'd be tempted to buy a completely separate machine just out of paranoia
        • jazzyjackson 43 days ago
          I think it would be a good tool to have, I had to contact a conference organizer once who switched tabs while sharing her screen in a recording and revealed a note in Google Keep that read "LastPass master password" xD
      • asdff 43 days ago
        It doesn't help that so many tools are like "give me your secret key in plain text in the config file" without at least offering a link to a webpage on the github of how you could secure your keys and use this software
        • zricethezav 43 days ago
          hardcoded creds in example documentation... T_T

          Use vault, env vars, GitHub/GitLab secrets, anything but string literals!!!

          • maccard 43 days ago
            Vault is not just a drop in and go system - setting up a vault instance is an ordeal in and of itself, and the pricing for vault on hashicorp cloud is incredibly expensive. The problem with the other options is that you have to get the secrets into environment variables, or out of github/lab secrets and into your application. To use most of the services like AWS secrets manager, vault, etc, it will cost you more to manage secrets than it will to host the app on a small DO droplet for example.
            • pinglin 43 days ago
              Self-hosted Vault within a minimum Kubernetes cluster in GCP costs us roughly $35 a month. Maintenance effort can be neglected if not scaling. Vault has its learning curve there but I think it's totally worth it, given its secret management and API-first features integrated with many other DevOps tools.
              • maccard 43 days ago
                $35/month is more than a small team will pay on source control.
          • danenania 43 days ago
            If anyone’s looking for something more secure than vanilla env vars but simpler than Vault, you could check out EnvKey[1]. Disclaimer: I’m the founder.

            It’s end-to-end encrypted, cloud or self-hosted, and very quick to integrate.

            1 - https://envkey.com

          • trhway 43 days ago
            It feels like just only yesterday secrets in env vars were considered faux pas :)
      • alias_neo 43 days ago
        How were the words selected for the regex? It's interesting that "pass" is not there and breaks detection in your first link, but I assume they were chosen based on the statistics?

        Is it covered by a different rule perhaps?

        • zricethezav 43 days ago
          `pass` by itself might introduce false positives. `passwd` and `password` are common and more likely to be in the ROI of a secret. That said, I'm not opposed to `pass` by itself. I'll have to think about this one...

          > but I assume they were chosen based on the statistics?

          Nope, not statistics. Identifiers and keywords are chosen based on what I see out in the wild being a software engineer.
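The keyword-plus-entropy approach discussed in this subthread, as an added example that is not gitleaks' own code or rule: a small scanner that flags `identifier [=:] value` lines whose identifier contains a credential-like keyword and whose value has enough Shannon entropy to look like a real secret. The keyword list, threshold and sample source lines are constructed for the example; the last assertion-style case shows why a bare `pass` keyword is a false-positive magnet (it matches `compass_heading`).

```python
import math
import re
from collections import Counter
from dataclasses import dataclass

# Identifier fragments a generic credential rule might key on. Constructed for
# this example; not gitleaks' actual list.
DEFAULT_KEYWORDS = ["password", "passwd", "secret", "api_key", "apikey",
                    "access_key", "token"]

# Constructed sample source; none of these values are real credentials.
SAMPLE_SOURCE = """\
# constructed sample values, not real credentials
db_password = "correct-horse-battery-staple"
aws_access_key_id = "EXAMPLEKEY0123456789"
password = "changeme"  # placeholder, low entropy
compass_heading = "north-by-northwest"
auth_token: "abc"  # too short to count
retries = 3
"""


@dataclass
class Finding:
    line_no: int
    key: str
    value: str
    entropy: float


def build_pattern(keywords):
    """<identifier containing a keyword> [=:] <8..64 char value>, optionally quoted."""
    alternation = "|".join(re.escape(k) for k in keywords)
    return re.compile(
        r"(?i)(?P<key>[\w.-]*(?:" + alternation + r")[\w.-]*)"
        r"\s*[=:]\s*['\"]?(?P<value>[A-Za-z0-9_\-+/=]{8,64})['\"]?"
    )


def shannon_entropy(s):
    """Bits per symbol: placeholders like 'changeme' score low, real secrets high."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def scan(source, keywords=None, min_entropy=3.0):
    """Return one Finding per line whose value looks like a credential."""
    pattern = build_pattern(keywords or DEFAULT_KEYWORDS)
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        m = pattern.search(line)
        if not m:
            continue
        value = m.group("value")
        entropy = shannon_entropy(value)
        if entropy < min_entropy:  # suppress low-entropy placeholders
            continue
        findings.append(Finding(line_no, m.group("key"), value, round(entropy, 2)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_SOURCE):
        print(f"line {f.line_no}: {f.key} (entropy {f.entropy})")
    print("with 'pass' added:",
          [f.key for f in scan(SAMPLE_SOURCE, DEFAULT_KEYWORDS + ["pass"])])
```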

    • haasted 44 days ago
      • 72736379 44 days ago
        This is less a confirmation but more of a "piggybacking".
      • manuel4sk 43 days ago
I don't know this guy, but how can he confirm this? Does he possess any inside information? Why do I get the feeling that he is so eager to put a conclusion on this when it is still open for debate at this stage?
        • haasted 43 days ago
          Binance is the largest cryptocurrency trading platform globally.

          According to this tweet [0] they have a "threat intelligence" department that continually monitors for potential issues. It makes sense that they would be on the lookout for leaks of this nature, as they are highly dependent on correctly verifying and identifying their customers.

          [0] https://twitter.com/cz_binance/status/1543700689611792386

      • throwaway787544 44 days ago
        Starting today, this will be known as "Shanghai'd credentials" and be reason #1 why we use ephemeral credentials (e.g. AWS STS/SSO) rather than static credentials (e.g. IAM Users)
        • compumike 44 days ago
          Doesn't the client still need to know a long-lived secret (or a long-lived refresh token) in order to generate the ephemeral credentials?
          • kbenson 43 days ago
            One of the major benefits of ephemeral tokens is that they become less attractive to put into the code, and more attractive to put in a config file/vault that's easier to update and keep secret. This in itself is useful because it makes it less likely that it will be in some source file someone shows, or pushed to some remote repo that at some point has permissions allowed so people can see it.
          • steelaz 44 days ago
            We got rid of all IAM users used by applications and moved to role-based access. Nowhere in the application do you need to enter AWS credentials. AWS SDK will attempt to discover short-lived credentials for you and will assume the role specified at the infrastructure layer, e.g. in a task definition.
            • LilBytes 43 days ago
Same here, but we still have IAM Users for service accounts. E.g. some customers have on-premise infra that needs to talk to our services or infrastructure.

              Do you know a way where RBAC can be used for the above?

              For us, we're using long lived credentials in this space using IAM Users but with very tightly controlled authorisations.

          • jffry 43 days ago
            For my dev machine's interactions with AWS, I use https://github.com/99designs/aws-vault

            You add the long lived IAM user API key/secret to it and it stores it in a password protected storage (MacOS keychain or similar).

            Then you invoke aws-vault with an IAM role and command, and it will handle obtaining short-lived credentials scoped to that role (including TOTP 2-factor code auth), and then run the command with those temporary credentials as env vars.

            With the right AWS permissions on your user, it can also automatically rotate the IAM user API keys for you.

            • rad_gruchalski 43 days ago
              I like your approach. So far I used profiles extensively. AWS_PROFILE is your friend. No idea why AWS doesn't heavily promote this everywhere they can.
              • flyt 43 days ago
                AWS best practices is to use AWS SSO, which accomplishes this same effect but without any long-lived local credentials. It works really well.
                • LilBytes 43 days ago
Depending on your IdP there are a few tools in addition to AWS CLI v2 that work well in this space.

                  aws-vault is one of them, though out of support now, aws-okta [1] is another.

                  [1] https://github.com/segmentio/aws-okta

                  • nijave 43 days ago
                    Used to use that a few years ago and it worked pretty well--you can also set it as a credential helper in your AWS config.

                    Just an FYI it's no longer supported and it looks like the fork has gone stagnant, too.

              • arjvik 43 days ago
                > No idea why AWS doesn't heavily promote this everywhere they can.

                Not Invented Here

                • moduspol 43 days ago
                  AWS SSO solves it better, and for any number of AWS accounts.

                  I still use aws-vault, though, when I'm not in a position to set up AWS SSO.

          • toomuchtodo 44 days ago
            It can either use a secret injected into an env var to bootstrap rotating ephemeral/refresh tokens or use a role provided by the environment (which can also provide short lived tokens), depending on your runtime environment and use case (on prem, cloud, k8s, etc).

            Static, long lived secrets with limited governance that have no conditional access guards are weapons of mass self destruction.

            • robonerd 43 days ago
              Keeping secrets in environmental variables has always seemed dodgy to me. Unless specifically cleared, they get inherited by all child processes. Maybe there are never any child processes in your application, or that could be desired behavior in some circumstances, but generally it seems like asking for trouble.
              • toomuchtodo 43 days ago
                Its safety is proportional to your isolation model. Never use env vars for secrets when you’re executing arbitrary code, for example.
              • RajT88 43 days ago
                There's also the reverse issue - if they change after your process is started.

                Refreshing an environment variable that has changed is (for me) a line I won't cross. Time to write the app a different way, once that becomes a concern.
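The inheritance problem robonerd raises above, as an added example (not code from the thread): a secret placed in the parent's environment is visible to any child process spawned the ordinary way, and the two fixes shown are a denylist (clear the variables you know about) and the safer allowlist (build the child's environment from scratch). The variable name and value are constructed for the example.

```python
import os
import subprocess
import sys

SECRET_NAME = "DEMO_API_TOKEN"
SECRET_VALUE = "constructed-example-token-not-real"  # constructed, not a real credential

# The child is a tiny Python program that reports whether it can see the variable.
CHILD_PROGRAM = (
    "import os, sys; "
    f"sys.stdout.write(os.environ.get({SECRET_NAME!r}, '<not present>'))"
)
# Variables a child usually needs; everything else is withheld by the allowlist.
ALLOWED_VARS = ("PATH", "HOME", "LANG", "SYSTEMROOT", "TEMP", "TMP")


def run_child(env):
    """Spawn the child with the given environment (None means inherit os.environ)."""
    proc = subprocess.run([sys.executable, "-c", CHILD_PROGRAM], env=env,
                          capture_output=True, text=True, check=True)
    return proc.stdout


def with_secret_in_environ(fn):
    """Put the secret in our own environment, run fn(), then remove it again."""
    os.environ[SECRET_NAME] = SECRET_VALUE
    try:
        return fn()
    finally:
        os.environ.pop(SECRET_NAME, None)


def inherited_by_default():
    # The failure mode: a child spawned the ordinary way sees every variable.
    return with_secret_in_environ(lambda: run_child(env=None))


def denylisted():
    # Clearing the one variable we know about helps only if we remember every secret.
    def go():
        scrubbed = {k: v for k, v in os.environ.items() if k != SECRET_NAME}
        return run_child(env=scrubbed)
    return with_secret_in_environ(go)


def allowlisted():
    # Safer default: construct the child's environment from an explicit allowlist.
    def go():
        minimal = {k: os.environ[k] for k in ALLOWED_VARS if k in os.environ}
        return run_child(env=minimal)
    return with_secret_in_environ(go)


if __name__ == "__main__":
    print("inherit   :", inherited_by_default())
    print("denylist  :", denylisted())
    print("allowlist :", allowlisted())
```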

          • FujiApple 43 days ago
            Yes, but credentials should either be long lived with (very) limited scope _or_ short lived with required scope.

            For example, for AWS you can create long lived credentials for users which are scoped to only allow one operation, namely obtaining a short lived token (with the aid of a hardware token such as a Yubikey) with scope to perform other operations.

            AWS guide here: https://aws.amazon.com/blogs/security/enhance-programmatic-a...

          • thedougd 43 days ago
            You may also setup federated (trusted) relationships. For example, a GitHub Workflow can be trusted to assume an IAM role. In that scenario, there's no long lived secret in scope.

            The oidc subject includes the GitHub org, repo, branch, and environment for the IAM assume role policy to match or filter.
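The two patterns in this subthread, FujiApple's long-lived user whose only permission is an MFA-gated assume-role and thedougd's GitHub OIDC trust policy matching on the `sub` claim, as an added example that is not from the thread or from AWS: it builds both policy documents and runs a simplified condition evaluator over constructed token claims to show what the `sub` condition admits and what an over-broad wildcard would let in. The account id, org, repo and role names are constructed; the evaluator models only Allow statements with StringEquals, StringLike and Bool conditions, not full IAM evaluation.

```python
import fnmatch
import json

GITHUB_OIDC = "token.actions.githubusercontent.com"


def github_oidc_trust_policy(account_id, subject, operator="StringEquals"):
    """Role trust policy for GitHub Actions OIDC, limited to one subject or pattern.

    GitHub issues subjects like repo:<org>/<repo>:ref:refs/heads/<branch>,
    repo:<org>/<repo>:environment:<env> and repo:<org>/<repo>:pull_request.
    """
    condition = {"StringEquals": {f"{GITHUB_OIDC}:aud": "sts.amazonaws.com"}}
    condition.setdefault(operator, {})[f"{GITHUB_OIDC}:sub"] = subject
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{GITHUB_OIDC}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    }


def mfa_gated_assume_role_policy(role_arn):
    """Identity policy for a long-lived IAM user: the only permission is to assume
    one role, and only when the calling session was authenticated with MFA."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": role_arn,
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    }


def _condition_holds(operator, expected, actual):
    """Simplified condition operators; a missing context key never satisfies a condition."""
    if actual is None:
        return False
    if operator == "StringEquals":
        return actual == expected
    if operator == "StringLike":  # IAM wildcards are * and ?, which fnmatch also uses
        return fnmatch.fnmatchcase(actual, expected)
    if operator == "Bool":
        return str(actual).lower() == str(expected).lower()
    raise ValueError(f"unsupported operator {operator}")


def evaluate(policy, action, context):
    """True if some Allow statement names the action and all its conditions hold
    against the request context (the token claims / session attributes)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if action not in actions:
            continue
        conditions = stmt.get("Condition", {})
        if all(_condition_holds(op, expected, context.get(key))
               for op, pairs in conditions.items()
               for key, expected in pairs.items()):
            return True
    return False


if __name__ == "__main__":
    # Constructed account, org and repo names.
    policy = github_oidc_trust_policy(
        "123456789012", "repo:example-org/example-repo:ref:refs/heads/main")
    print(json.dumps(policy, indent=2))
```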

        • throwaway2037 44 days ago
          I never heard about "ephemeral credentials" before your post. I have some Googling to do!
        • stefan_ 43 days ago
          This is not at all the takeaway from this. It's "this shitty developer should not have had access to this data in the first place". With a nuance of "this database probably shouldn't exist in this form in one place to begin with".
        • brianpan 43 days ago
          Speaking as an Asian American, no, let's not do that.
          • throwaway787544 43 days ago
            Ok; could you suggest an alternate? Would be handy to have a shorthand to refer to the incident
            • brianpan 43 days ago
              How you come up with a name is up to you and how you use it. Personally I would go with "July 2022 Shanghai National Police database leak" because I'm not having any conversation where a cute codename would be less confusing.

              At work we codename security issues we are working on for Slack channels, etc. We use unrelated names that you could get from a name generator.

            • shirleyquirk 43 days ago
              not their job. How about you come up with something catchy?
          • snovv_crash 43 days ago
            Shanghai'd is already a phrase that means something else, anyways.
          • xwolfi 43 days ago
            Why ?
        • babelfish 43 days ago
          Let's not. After the whole "China Virus" shit propagated by the right, I'd prefer if we tried not to associate vulnerabilities with specific people.
          • markdown 43 days ago
            • malcolmgreaves 43 days ago
              That's not an argument for continuing to use a word.
              • markdown 43 days ago
                It is if the argument to stop using it is some irrelevant point about some other location-based word that was used negatively only recently.

                Something got shanghaied isn't a pejorative in the way that Trump acolytes use "China virus".

                • malcolmgreaves 43 days ago
                  > irrelevant point about some other location-based word that was used negatively only recently.

                  Are you unaware of the Chinese Exclusion Act of 1882 -- which is exactly around the time that this term was popular and in common use?

          • xfitm3 43 days ago
            I don't believe this comment is made in good faith, there is nothing wrong with the "right" and it's senselessly adding fuel to our political division.
            • malcolmgreaves 43 days ago
              There is something deeply wrong with the authoritarian politics of the right and its casual use of racism to further political control.

              > it's senselessly adding fuel to our political division.

              This comment, whether you realize it or not, is coming from a place of extreme social privilege.

              Remember that for the majority of people, politics is not a game. It is serious. People lose their rights to live the life they want all the time. Sometimes those politics turn violent and people lose everything.

    • bilekas 44 days ago
      It's incredibly disappointing actually how often this happens.

      I can't count the amount of SO questions I've had to edit from others posting live API Keys for everything from custom services to AWS.

      • TecoAndJix 43 days ago
I wonder if you could make a luhn-like check that would require an additional approval step to post if it comes back positive. Something like "It looks like you may be posting a secret *****. Do you wish to continue?"
        • jewel 43 days ago
          If vendors agreed to a common prefix on all secret key values then it'd be easy for everyone to add checks, to everything. Something like "_SECRET88_".

          Of course, then your secret key checker would need to build that string by concatenating so that it wouldn't set off itself.

        • segudev 43 days ago
          Unfortunately, it's not as simple as that. Lots of secrets are "generic" (think of a DB user/password combination), meaning that you need to take into account the surrounding source code context to be able to determine if they are a "real" secret.

          Here is a full explanation if you are interested: https://blog.gitguardian.com/why-detecting-generic-credentia...

        • bilekas 43 days ago
          I was thinking about that too, but it's actually tricky, even the example given, they use the var `accessId` but you could filter for all that, even the standard ones, but you couldn't have enough confidence in it so that if someone did post with a typo or even a random var name, they would think "Okay, no warning so must be okay".

          Something like giving false confidence to the user. Not the best idea.

      • segudev 43 days ago
        Indeed, last year we detected on average 84 AWS IAM creds for every 10k commits pushed to GitHub

        https://res.cloudinary.com/da8kiytlc/image/upload/v164614852...

      • swimfar 44 days ago
When you do this is there a way to completely get rid of the information? Usually you can go back and look at the edit history to see the original post.
        • capableweb 44 days ago
Wouldn't matter. Tons of bots are scraping every inch of the internet all the time, and if something has been online for five seconds, it has been cached/stored somewhere. Always assume that anything you've put up on the internet can forever be accessed by someone.

The only thing you can do is rotate the token/secret.

        • bilekas 44 days ago
          Yeah mods can clear the review history - for this very reason!

But as mentioned below - still advised to change your keys for obvious reasons

        • aembleton 44 days ago
          Change the keys.
    • thrdbndndn 43 days ago
The consensus in the Chinese community is that while this is likely how the token got leaked, this alone isn't enough. To visit a private Alibaba Cloud instance you can't just use some random IP. It's isolated from the Internet in a certain way.
      • rfoo 43 days ago
And we all know isolation based on a network perimeter eventually falls apart, and because it encourages insecure opsec practices like this, people are going to have a big surprise when it happens.
    • sebazzz 43 days ago
      Remember when we still used password Windows Authentication and a private shielded network you could only get into with VPN instead of public cloud services with generic access credentials. It still didn't make leaking credentials right, but it was one extra layer of protection.
    • truthwhisperer 43 days ago
      poor developer. He may spend this life at a "re-education camp"
  • r721 44 days ago
    Karen Hao (WSJ): "I downloaded the sample the hacker provided and called dozens of people listed. Nine picked up & confirmed exactly what the data said."

    https://twitter.com/_KarenHao/status/1543949945614393344 (thread)

    • twicetwice 43 days ago
      nitter link, since Twitter put up what seems to be a timed login gate when I was halfway through reading the thread: https://nitter.net/_KarenHao/status/1543949945614393344
      • hackernewds 43 days ago
        The app download nags on mobile web are so unbearable I stopped using Twitter entirely
        • BbzzbB 43 days ago
          I made a webapp home icon from my Firefox and picked out the app-bait popover with uBlock.

          Basically just about every app (YouTube, Reddit, Facebook, ...) is better this way. I.e., no ads, erase-able elements, less spyware, defaults to no notification and sometimes even gets better functionality. For instance, it (browsers) gets rid of "hearts" in Duolingo for whatever damn reason, so you can practice however much you'd like in a day.

The downsides I've found are that you seemingly can't Chrome-cast from it, and it often creates new tabs instead of reusing existing ones or making its own app-instance, so you gotta close all tabs every so often.

        • l33tman 43 days ago
          Same with reddit on a mobile browser... it actually shuts you out, and says (after a couple of clicks) that they have locked you out "for your protection" as the content is "unverified", and that you need to use their app..
      • black_puppydog 43 days ago
        Nitter is the only sane way to read twitter nowadays. Even if I still had an account it would be better for reading.
    • neonate 43 days ago
    • guywithahat 43 days ago
      That WSJ article is so much better than the posted one, I mean what even is "the register"
      • imron 43 days ago
        The home of snarky IT journalism since the first dotcom boom.
  • dang 44 days ago
    Related:

    Hacker claims they stole police data on a billion Chinese citizens - https://news.ycombinator.com/item?id=31984663 - July 2022 (1 comment)

    Hacker claims to have obtained data on 1B Chinese citizens - https://news.ycombinator.com/item?id=31980101 - July 2022 (1 comment)

    Hacker claims to have stolen 1 bln records of Chinese citizens from police - https://news.ycombinator.com/item?id=31977354 - July 2022 (1 comment)

    Police data of 1B Chinese people leaked - https://news.ycombinator.com/item?id=31969617 - July 2022 (4 comments)

    Shanghai Police leaking 20TB Chinese citizens data? - https://news.ycombinator.com/item?id=31962526 - July 2022 (3 comments)

    • freewizard 43 days ago
      Thanks for reposting this. The last link submitted by me only got 3 upvotes. Guess it sounded just too crazy to be true 2 days ago!
      • dang 43 days ago
        There's just a lot of randomness in what gets attention/traction off /newest. That's why HN doesn't try to prevent reposts of stories that haven't had significant attention yet.

        It sucks when you're earlier and don't 'win', but it evens out in the long run if you post lots of good stories, since sometimes the lottery works in your favor. One of these years we'll get around to implementing karma-sharing to spread credit across multiple submitters.

        • silentsea90 43 days ago
          What's the point of "winning" if everything is made up and the points don't matter? I get there's satisfaction in posting content that was useful, and HN isn't Fb/Twitter/Reddit and awash in ad $, but I feel fake internet points kinda manipulative since there's $ for the platform in your work.
          • thedailymail 43 days ago
            One benefit of "winning" is that HN gives more agency (i.e., the ability to downvote) to accounts that have over a certain karmic threshold.
            • Akronymus 43 days ago
I "won" with a post. Don't think I've ever really exercised many of the features.
        • freewizard 43 days ago
I’m not interested in “winning” points but did hope this important story would get revealed and discussed earlier in this community I enjoy participating in. Thanks for taking the time to explain this and I appreciate all the effort you put into the HN community.
    • est 43 days ago
      > Hacker claims to have stolen 1 bln records of Chinese citizens from police

This title is not exactly correct. Yes, the data involves lots of police reports, but it may come from a third party, as Chinese police often outsource data analysis jobs

  • mvdwoord 44 days ago
    What do we do now?

    It seems the majority of people on the planet now have had some of their data leaked. Or are becoming ever more entangled with government and corporate systems which control and peddle their information as they see fit.

    Is it ultimately a big nothing burger, or is this some singularity we are passing through?

    • gfd 44 days ago
      The previous big case I remember was linkedin leak with 700M users: https://news.ycombinator.com/item?id=27674393

      At this point I've basically accepted that all my info will be found on sites like fastpeoplesearch.com and that anything I tell any company (or I guess in this case, govt too) will eventually be leaked, correlated, and used against me.

      • the_biot 43 days ago
        What's fastpeoplesearch.com? Some search engine for leaked credentials? (it appears to be geoblocked in Europe)
        • jazzyjackson 43 days ago
          age, home address, phone number

          names and relations to family members and all their phones and addresses

          previous addresses

a lot of it is collected from voter registration data (so your party affiliation can be gathered as well)

I was royally pissed when I moved into a new home and literally a day after I signed up for internet service with Spectrum cable I got spam calls that knew what state I'm in, and my new home address was up online before I ever got around to updating my ID etc., so I assume my data was sold immediately by them

        • baud147258 43 days ago
I was able to connect from France. It's for people living in the US; it looks like you can search for people and there'd be aggregated information scraped from god knows where. I checked a few (not really famous) people I knew of and it seems they have some accurate information.
      • ge96 43 days ago
        Wow that's bigger than Equifax
        • AnimalMuppet 43 days ago
          LinkedIn doesn't have my Social Security number. It doesn't have a list of my bank accounts and credit cards. So, more people, but less damaging information.
          • ge96 43 days ago
            Yeah, that's like a "how do I top that?" situation (Equifax)
          • jazzyjackson 43 days ago
            the data sets are more valuable when they're concentrated, so the leak of your address, voter registration, and SSN is now tied to your employment history and education
        • scandinavian 43 days ago
          The linkedin "leak" was just a scrape of public data.
          • moneywoes 43 days ago
Is there any word out on how they managed to avoid LinkedIn's relentless rate limiting? For example my account gets rate limited for normal browsing
            • nikcub 43 days ago
              Likely hacked/purchased browser extensions
        • hackernewds 43 days ago
          Another nothingburger since these companies still exist. and profitably
    • nonrandomstring 43 days ago
      > What do we do now?

      I was thinking - if I had this, what could I do with the personal records of a billion Chinese people?

      And I must conclude - absolutely nothing. It's of no interest to me.

      Now, I probably lack sufficient criminal imagination, but the point is stuff like this is hard to fence because there's a very small market of buyers. In an article I wrote for Routledge about the markets for stolen digital data (specifically movie and album releases) I suggested that the underlying problem is there's symbiosis between leakers and buyers.

If you want to do anything, target the buyers. There are fewer of them. Don't try to secure inherently insecure massively centralised systems (Blotto + Dolev Yeo problem). Or chase leakers. Or blame users. Or fire the CIO. Find out who wants this stuff and take down the show from the demand-side.

      But hold on! Guess who the buyers are. And guess what sincere will exists within "law enforcement" to tackle this sort of "cybercrime".

      • dc-programmer 43 days ago
        This type of information is used all of the time to discover and compromise web accounts of the victims in bulk. There are scripts that take in this data as input and will do a lot of the work for you to take over their accounts (or at least find their active accounts across web). Any additional data you are able to trawl can be sold itself, leaving the next steps to more advanced or motivated threat actors.

        It’s also useful for more targeted social engineering attacks.

      • rz2k 43 days ago
        I suppose you could go the other direction. You could be an international human rights organization, and treat the database like a billion claim checks.

Having a definitive record of people's existence would make it more difficult for the authorities to skimp on natural disaster rescue efforts and then lie about casualty numbers, treat citizens as cannon fodder for military purposes, or simply wipe out individuals who have grievances with the government or powerful functionaries.

      • vbezhenar 43 days ago
After my data was leaked, scammers now periodically call my phone to let me know that "I'm from bank security and someone recently tried to change the phone number for your bank account" or "I'm from the police and we're opening a criminal case against you". It was fun the first few times, but now I'm considering changing my phone number because I could miss an actual bank security call.

        And I'm sure that plenty of gullible people were scammed and lost their money because of those leaks. When someone calls you, knows your full name and talks with enough confidence, it causes some trust.

        • CryptoBanker 43 days ago
          My voicemail now indicates that I am no longer answering unknown numbers and to please leave a message or text me if you can.

          It’s a little lengthy, but it’s cut down on the number of spam calls I actually answer specifically and I’m reasonably sure that anyone who actually needs to get a hold of me has an easy path to do so.

        • throw8383833jj 43 days ago
          Don't verify anything. Just call the bank back using a phone number you can verify with 100% certainty.
          • bobthepanda 43 days ago
            Banks themselves go out of their way to say that they will never, ever proactively call you for something like that. At least in the US.
      • asdff 43 days ago
You have email addresses I believe. You could spam billions of Chinese people with some scheme. It doesn't have to be believable, but you can bet out of billions of people you will capture some naive or mentally ill people who will fall for your scam and potentially allow you to clear them out of everything they have.
      • jazzyjackson 43 days ago
        > what could I do with the personal records of a billion Chinese people?

        you use personal details to tailor phishing scams to the victim

If I know you have a grandson that lives in Xinjiang I can cold call you and say I'm from the Xinjiang police and we have your grandson here under arrest and then extort money from there

    • boomskats 44 days ago
      It is both. It is huge, I'd say it's absolutely the latter. but I can't think of a single thing anyone can do about any of it at this point, which also makes it the former.
      • derwiki 44 days ago
        One thing I’ve thought about doing is using CCPA to have companies delete all my data, hopefully before it leaks.
        • ev1 43 days ago
          At several places I've seen they keep certain data such as phone, address, etc as a bullshit "business need" to "prevent abuse" and "prevent promo reuse" and keep forever even through CCPA.

          Also they keep the record of the delete request, which contains the PII you ask to remove.

    • pyinstallwoes 44 days ago
      In history what have databases of people and state actor interests usually led to if any events are similar?
      • googlryas 43 days ago
Not quite the same, but the US used census records that were supposed to be protected to round up the west coast Japanese for their internment during WWII.
        • AnimalMuppet 43 days ago
          They were "protected". That is, they didn't leak out of the government into private hands. But that still turned out pretty badly.

          In fact, information in the government's hands is the most dangerous, because they have more power than anyone else to use it against you.

(On the other hand, as others have said about Denmark and the Netherlands, data that was not in government hands ended up in government hands, and was used against people. So it's not "safer" if it's in private hands, except to the degree that the government has to go through the extra step of getting it.)

      • MadsRC 44 days ago
        IIRC when Nazi Germany invaded Denmark in 1940, one of the first things the SS did was to send representatives to the local churches.

        In Denmark, every child was (I’m not sure if they still are actually?) registered at birth by the local parish in so called “church books”.

        With these “databases” in hand, the SS had a neat list of all names, and the approximate location of people's homes.

        Those lists were used to identify and prosecute Jews.

        • black_puppydog 43 days ago
          There were also the "pink lists" tracking gay men [1] (link to German Wiki sorry) and which the Nazis also greatly appreciated. Although to be fair^blunt they were collected exactly for reasons of prosecution, so not that far off from their use by the Nazis.

          [1] https://de.m.wikipedia.org/wiki/Rosa_Liste

        • mgdlbp 44 days ago
          IIRC there was a central registry of religion in the Netherlands that had the same effect. Can't find anything on that now, though (it's mentioned in Wikipedia in an unsourced paragraph; I think I first read about it on HN, actually).

          -----

          Tangent: the info pages on the Anne Frank House site have sections cycling through different pastel background colours.[0] I've wondered before whether something like that would help the brain acquire context in a long page, making comprehension more like that of a physical book. Seeing it implemented, it doesn't seem to help. I think being able to easily flip to a previous page and back was one of the advantages of printed paper, so maybe a sticky TOC with the same colours or a minimap scrollbar would allow that? Actually, why not have that standard in browsers?

          Hmm, the concept of coloured sections was known in 2013 already.[1]

          [0] https://www.annefrank.org/en/anne-frank/go-in-depth/netherla...

          [1] https://ux.stackexchange.com/questions/62808/website-layout-...

        • Natfan 44 days ago
          "Fun" fact: It was IBM who helped tabulate data from the 1933 national census, which was then used to identify hundreds of thousands more Jews than would have been found by the Nazi party without their efforts.

          "Machine-tabulated census data greatly expanded the estimated number of Jews in Germany by identifying individuals with only one or a few Jewish ancestors. Previous estimates of 400,000 to 600,000 were abandoned for a new estimate of 2 million Jews."

          [0]: https://en.wikipedia.org/wiki/IBM_and_the_Holocaust

          [1]: https://en.wikipedia.org/wiki/History_of_IBM

          [2]: https://en.wikipedia.org/wiki/IBM_and_World_War_II

          • mvdwoord 44 days ago
            And to add insult to injury, the IBM office in Munich (birthplace of national socialism), is located on 1 Hollerithstrasse (Hollerith street).

            The IBM subsidiary in Nazi Germany selling and maintaining the tabulating machines was DeHoMag, Deutsche Hollerith Maschinen AG.

            ...

            • daniel-cussen 43 days ago
              That's just the name of the founder, Herman Hollerith. He had nothing to do with any of that.
              • TedDoesntTalk 43 days ago
                nit: the founder of IBM was Tom Watson Senior, not Herman Hollerith. But your point stands -- Hollerith had nothing to do with this.
          • chasd00 44 days ago
            Did working with IBM contribute to Hitler’s spiral into insanity? 4/5 joking
            • jsiaajdsdaa 43 days ago
              Hey Siri, select * from all_humans where atLeastOneOverlap(schools_attended, art_schools) = true and atLeastOneOverlap(employers, list.of(ibm)) = true;
        • pessimizer 44 days ago
          These days you'd just go to a data broker, who would also tell you what toothpaste they preferred and whether they managed to finish bingewatching The Sopranos.
        • ricochet11 44 days ago
          and IBM made machines to help do this as quickly as possible.
        • t_mann 44 days ago
          Church books were used to find Jews? Do you have a source for that?
          • TazeTSchnitzel 44 days ago
            It's not a religious thing: in Denmark, the church is the arm of the state tasked with civil registration. Until 1991 it was the same in Sweden.
          • meepmorp 44 days ago
            > Church books were used to find Jews?

            If you know who to rule out, you have a smaller pool of people to go after.

          • samus 44 days ago
            Antisemitism was not really about religion. Many Jews had actually converted to Christianity for generations. The Nazis still considered them to be Jews.
            • daniel-cussen 43 days ago
              Ahh...well there is the famous saying, "I decide who is a Jew." It was used on the head of the German Manhattan Project and a Jewish head (like a headmaster some shit) of a concentration camp, forget which one. And that's why we say "German Manhattan Project" stedda "Americaner Atomwaffenunternehmen" (I made that word up, it is correct in German to make words up, that means atom weapon undertaking), because German antisemitism amounted to forfeiting the bomb.

              That was the price, the defeat of their last hope against the Allies. All of the Great Jews that slapped those firecrackers together were exiled due to antisemitism: Fermi, Szilárd, Einstein (to get the president to read the letter to get the Los Alamos show on the road in the first place, get Roosevelt to read top to bottom left to right, no easy task), von Neumann (spesh because of his schizophrenia, no concentration camp for him, he would have been experimented on to then do that same sin to everybody in the camps, Schizophrenic Jews were at the absolute bottom of the Nazi world order).

              I just posted about this. https://news.ycombinator.com/item?id=31990431

              Fermi was originally a fascist, it basically made sense to him as a way of organizing a country.

              Only non-Jew in the top desks of Los Alamos. Why? Only when the racial laws against his Jewish wife and children did he pack his shit and leave for America.

              And Fermi was packing heat.

              • TedDoesntTalk 43 days ago
                You forgot some other Jewish scientists who emigrated to America because of Nazism, some of whom earned the Nobel and many of whom worked on the Manhattan Project.

                Hans Bethe, James Franck, Edward Teller, Rudolf Peierls, Klaus Fuchs, Otto Loewi, Max Bergmann, Dieter Gruen, Lilli Hornig

                I also forgot many in this list.

          • rejectfinite 43 days ago
            They were like the tax office before the tax office.

            Same in Sweden.

          • yellow5 43 days ago
        • juanani 44 days ago
      • mvdwoord 44 days ago
        I would say, impossible to compare. Digital changes the cost of acting upon this information, for good or bad purposes.

        Obvious comparisons to e.g. the Netherlands' famous over-registering of religion and how the Nazis abused that. But I feel this is long term potentially worse than that. Not in the level of horribleness, but in the effect on society moving forward.

        • pyinstallwoes 44 days ago
          Can you extrapolate that on what the effect on society looks like in your assessment?
      • shapefrog 44 days ago
        Spam and phishing calls.
    • stjohnswarts 44 days ago
      All you can do (in the USA) is freeze your credit and sign up for one of the free (or paid) credit monitoring services. That only protects you from financial ruin though. Not sure about people using your credentials to commit fraud, fake birth certificates, etc.
    • carapace 44 days ago
      > What do we do now?

      Well, if you look at (global) society as a dynamical system it seems to me that there are two stable basins or attractors, call them "Star Trek" and "North Korea".

      In the "Star Trek" future the people in charge are themselves also subject to the panopticon, and the world is ruled fairly and humanely. (The other name I use for this is the "Tyranny of Mrs. Grundy".)

      In the "North Korea" future there are (human or AI or hybrid) masters and brain-chipped cyborg slaves, and rule is absolute and enforced with digital precision.

      (Of course, this is all predicated on the idea that we can't put the genie back in the bottle in re: ubiquitous surveillance. I think that's likely the case (although I do not like it) but I'm not going to make the argument here unless someone asks.)

      Given the above the thing to do is work to make politicians subject to 24/7 total surveillance (ASAP, before everybody else) so we can keep an eye on them. This policy would also presumably weed out the crazies and corrupt, eh?

      • lagrange77 43 days ago
        > Well, if you look at (global) society as a dynamical system it seems to me that there are two stable basins or attractors, call them "Star Trek" and "North Korea".

        Nice analogy. Do you really believe, that us being on an utopian trajectory is realistic?

        • carapace 43 days ago
          > Do you really believe, that us being on an utopian trajectory is realistic?

          Oh yes. Very much so. In fact, by many measures we have been on an utopian trajectory for several centuries. Today even our failures are the result of unimaginable power. We have to learn to wield our power with wisdom.

          We have all of the physical technology we need already. We can practice regenerative agriculture that increases topsoil fertility and volume; we have methods of construction that can build housing for everyone; machines and factories that churn out the physical necessities of life; etc. We need only deploy our resources and technology efficiently. It's down to logistics now, and we have more than enough computer power to sort that out.

          The only thing holding us back is that most people still don't realize this yet.

          https://en.wikipedia.org/wiki/Design_science_revolution

          It's taking longer than anticipated but the process never stopped. Reading this now you are a part of it, if you want to be.

          • lagrange77 42 days ago
            I'm with you, in that a Star Trek utopia is indeed possible, technology and resource wise. And I would love to see the world society bending the trajectory, before it's too late. I just have seen too much greediness, to see a chance, that this will happen. Some poles would have to be moved, to bend the trajectory ;)
          • bckr 43 days ago
            I would love to be in touch with you. The quality utopianists are hard to come by.
            • carapace 43 days ago
              Cheers! Aren't you kind. :)

              I have a mailing list: https://lists.sr.ht/~sforman/heliotrope.pajamas

              And I lurk on (my own) IRC channel: irc://irc.libera.chat/#MagnusMotive

              I'm pretty weird and flakey, but I'm also committed and serious (though not humorless) about working towards the nice future. :)

              I see you have an email addy in your profile, I'll email you a little later today, after more coffee.

      • swader999 43 days ago
        And CEO's - everyone!
      • tintor 43 days ago
        You could replace North Korea with China.
    • swader999 43 days ago
      I just change my name every few years. Makes the job hunt difficult but I like a challenge.
    • thriftwy 44 days ago
      A lot of data may be made public to equalize, similarly to how real estate property rights or car registries may be public.
      • mvdwoord 44 days ago
        I would counter that, although it could, some groups will be able to evade it, effectively maintaining their advantage/power. Effectively averaging out the position of middle and lower classes, and lowering their chances of moving up the social ladder?
        • thriftwy 44 days ago
          I'm not sure it would give such a large advantage compared to the cost of hiding
    • rlt 43 days ago
      > What do we do now?

      Stop using personal information for authentication and end the concept of “identity theft”, for starters (not sure how it works in China specifically).

      Include online safety and anti-scam curriculum in lower education.

    • gonzo41 44 days ago
      Covid is a good excuse to wear a mask, and pair it with a set of mirror sun glasses in public. Maybe that's how we live now.
      • thomassmith65 43 days ago
        We should probably consider a person's voice-print, too. To be safe, you need a mask with a real-time voice changer.
        • edmcnulty101 43 days ago
          And gait. Everyone walks a specific way and a person can be identified by their gait. So have to change up the walk.
          • fragmede 42 days ago
            In order for that to work, we’d need a ministry that catalogs ridiculous outliers of gait patterns.
            • edmcnulty101 41 days ago
              Definitely need research into outlier gaits. I imagine we would need a clinic to research arguments that one can pay to have an argument with a clinician.
    • cm2012 43 days ago
      Well, leak can mean a lot of things.

      The standard "leak" of names and addresses of people is totally meaningless, though HN "privacy" obsessives blow it out of the water all the time. It's basically public information, we used to have everyone in phone books in the US and almost no one cared.

      Cell phone number is a riskier one because of the opportunity for 2FA hacks. It's not hard to get people's cell phone numbers as it is (you can buy direct marketing lists for pennies per person in the US) but it's not good to make it easy for hackers.

      However this leak in particular appears to go much deeper so it is insidious. Police records are named and who knows what else. That is a genuine privacy issue and sucks for those involved.

      • maxbond 43 days ago
        Names and addresses can absolutely be used to stalk and harass people, and there are password reset flows that involve physically mailing secrets to people. Perhaps almost no one cared about phone books, but if you thought about the differences between phone books and a website for a moment, you'd see that these are different technologies that have different implications, and that it is entirely reasonable for people to have a different reaction.

        You've chosen some arbitrary amount of information where you begin to care and become interested, and decided everyone with a different cutoff is an absolutist you don't need to listen to. But it's really just that your situation permits you to leak that information without fear, and you haven't deigned to imagine that other people are in a different situation.

        I'd encourage you to rethink this perspective.

        • charcircuit 43 days ago
          Names and addresses are already public information in the US. It's not that big of a deal.
  • keewee7 44 days ago
    The Shanghai police has a unique role in China and abroad. For example the Shanghai police is tasked with spreading pro-CCP propaganda globally on platforms like Twitter and Facebook.

    There was an HN post about this a few months ago:

    https://news.ycombinator.com/item?id=29654137

    Someone posted a comment explaining a little more about Shanghai's special relationship with the CCP/PLA:

    >Shanghai is a city with a unique role in the progression of the CCP and its global efforts. Also PLA Unit 61398 is in Pudong, the shanghai district mentioned in the article. Overall there's a lot of CCP/PLA-adjacent tech talent in the area, and of course the local police still ultimately report to the CCP.

    https://news.ycombinator.com/item?id=29656017

    • WilTimSon 44 days ago
      So I'm guessing that database would have quite a few activists listed in it and other anti-government people. Might even give someone a much-needed warning if they find themselves there.
      • stjohnswarts 44 days ago
        I was having this exact conversation with a friend last night. Give them warning, especially people in Hong Kong.
      • drexlspivey 43 days ago
        It's obviously a database of all Chinese citizens so yes those people are included alongside everyone else
      • dontbenebby 43 days ago
    • nonethewiser 43 days ago
      People didn't think Shanghai was open so that the world could come IN to China, did they? It's about the opposite direction.
  • luke-stanley 44 days ago
    In 2018 I saw a local branch office was using Windows XP and an old Internet Explorer. You cannot expect that to be secure. This does not surprise me at all.
    • JamesSwift 44 days ago
      A lot of those are actually pirated/modified installs of Windows. I think it's called Tomato Windows or something like that? I forget, but it's incredibly prevalent in China.
    • Haemm0r 44 days ago
      XP is very common on airports in China too.
      • dontbenebby 43 days ago
        It's in US ones too; it's an industry-wide issue in the aviation sector. Don't hack the airport, people will come for you and if you are lucky they will be carrying badges.
    • baybal2 44 days ago
      Surprise, it's 2022, and XP is still a de-facto standard Windows version, with hacked Win7 slowly gaining.

      Why? Tons of software was written for XP, and then abandoned without any support. Much of that stuff is in the government sector. A lot of online banking clients outright say "only works on XP," and the copyright year reads 2006.

      This is similar to how Android 7+ support was almost nuked in China for nearly a year because Tencent didn't want to port WeChat to newer APIs cuz "nobody uses Android newer than 4.X in China"

      • ceeplusplus 43 days ago
        That was not why they refused to port it to newer APIs though. It was because Google changed the permissions API to be more granular and request permissions at runtime, which would have meant Tencent would have to request tons of permissions to gather user data (presumably users would not be inclined to grant so many permissions).
  • hintymad 44 days ago
    The leaked screenshot of the data's metadata looks like the output of Elasticsearch's /_cat command. Someone probably left port 9200 open to the public, or stored the index on a public cloud but somehow leaked its keys either on a GitHub-like service or in some discussion forum -- a typical mistake that engineers make.
    • flatiron 43 days ago
      https://www.alibabacloud.com/product/datahub is what they were using, and yeah their keys were in a commented out psvm tester method. Pretty awful.
      • dx034 43 days ago
        Another reason why not everyone should use the cloud. Sure, the cloud can be as secure as on-prem or even safer in many cases. But it's just so easy to keep on-prem data safe by just not connecting it to the outside world. If no server can be accessed from anywhere but the premises, leaks like these just can't happen. A key won't help you unless you can break into the police building.

        Access just based on credentials seems so wrong anyway. There should always be whitelisted IPs for sensitive stuff like that.

        • rfoo 43 days ago
          What happened is the exact opposite:

          The Shanghai police thinks like you, so they purchased a very expensive "private deployment of Alibaba Cloud", which in China usually works like this:

          1. The customer builds a data center.

          2. Alibaba Cloud purchases servers, deploys them in the customer's data center along with all Alibaba Cloud software (same as in the public cloud).

          3. Customers do whatever they want to the thing.

          Basically by "private cloud" they really mean it, something AWS won't ever do.

          In this case, the system is technically "not connected to the Internet", but we all know what this means: it certainly will be occasionally.

          Most cases I know, the customer cites "data security" as the reason why they would like to do this, because on-prem is always more secure right? But I hope we could agree on why this does not work:

          - It is now very difficult for Alibaba Cloud to do ops work on these private deployments, so ... there will be maybe 2 releases per year, or in some cases never, including security patches. It's not rare to find a 5-year-old Struts2 vuln in the control plane of such private deployments, and in the coming years it would be log4j2 I guess.

          - Alibaba Cloud puts serious effort into securing their public cloud, and even covering the ass for the customer. For example similar to GitHub+AWS secret scanning, they also proactively revoke access keys once the key appears on the Internet. The customers, on the other hand, usually do none of these.

          In short, security is largely Ops work and economies of scale also work here.

          In the end these on-prem systems depend solely on network isolation for their security, and... air-gap does not always work.
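
The failure mode hintymad and flatiron describe above (cloud access keys left in a commented-out test main method, later found by someone scanning public code) is exactly what a pre-commit secret scan is meant to catch before the push. The scanner below is an added example written for this thread, not code from any commenter or from any vendor's scanning product; its Java sample, credential names and entropy threshold are constructed, and the comment tracking is deliberately line-granular.

```python
import math
import re
from dataclasses import dataclass

# Heuristic for a credential-looking assignment: a name containing key/secret/token/
# password assigned a string literal of 16+ characters. Constructed for this example,
# not any cloud vendor's real key format.
CRED_ASSIGN = re.compile(
    r'\b(?P<name>\w*(?:key|secret|token|password)\w*)\s*=\s*"(?P<value>[^"]{16,})"',
    re.IGNORECASE,
)


@dataclass
class Finding:
    line_no: int
    name: str
    value: str
    in_comment: bool  # True when the literal sits in commented-out code
    entropy: float


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders like 'xxxx...' score near 0."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_java(source: str, min_entropy: float = 3.0) -> list:
    """Flag credential-looking literals in Java source, including inside // and /* */ comments.

    Commenting out a main() does not remove the secret from the file, so a scanner
    (or anyone reading the repository) still sees it; the finding records that fact.
    """
    findings = []
    in_block = False
    for line_no, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        in_comment = in_block or stripped.startswith("//") or stripped.startswith("/*")
        if "/*" in line and "*/" not in line:
            in_block = True
        elif "*/" in line:
            in_block = False
        for m in CRED_ASSIGN.finditer(line):
            value = m.group("value")
            entropy = shannon_entropy(value)
            if entropy >= min_entropy:  # drop low-entropy placeholders
                findings.append(Finding(line_no, m.group("name"), value, in_comment, round(entropy, 2)))
    return findings


# Constructed sample mirroring the pattern described in the thread: a leftover
# test main() that was commented out instead of deleted. All values are fake.
SAMPLE_JAVA = """\
public class DataHubUploader {
    private final String endpoint = System.getenv("DATAHUB_ENDPOINT");
    private static final String DEFAULT_TOKEN = "tok-constructed-live-default-77";
    private String sessionToken = "xxxxxxxxxxxxxxxxxxxx";  // placeholder, not a secret

    // Leftover local tester; commenting it out did not remove the credentials.
    // public static void main(String[] args) {
    //     String accessKeyId = "constructed-sample-key-id-0001";
    //     String accessKeySecret = "c0nstructedS3cretValueForDemo9876";
    //     new DataHubUploader().upload(accessKeyId, accessKeySecret);
    // }
}
"""


def report(source: str) -> list:
    """One human-readable line per finding, suitable for a pre-commit hook's output."""
    return [
        f"line {f.line_no}: {f.name} ({'commented-out' if f.in_comment else 'live'} code, "
        f"entropy {f.entropy})"
        for f in scan_java(source)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_JAVA):
        print(line)
```

A real pipeline would combine this with vendor-specific key prefixes and, as rfoo notes, with the provider revoking a key as soon as it appears in public, since detection after the push is only a backstop.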

  • markus_zhang 44 days ago
    "Looks genuine" from my Chinese friends. Also this might be leaked through a hardcoded token in some code posted on CSDN (sort of blog for programmers).
  • throwaway4good 44 days ago
    Who would buy this?

    How could anyone possibly make money off this data set?

    I could understand if the Chinese government would pay for it to avoid embarrassment but making the sale public kinda voids that.

    • pessimizer 44 days ago
      The US government might buy it to help them find good candidates to recruit as spies and saboteurs, or to note if current spies and saboteurs are under suspicion or have been discovered.
      • AustinDev 43 days ago
        If the records are digital and non-air-gapped in any system of any country, you can assume that the US government has access to those records already. The exceptions to this assumption are exceedingly rare.
        • alchemist1e9 43 days ago
          As a US citizen I want to believe bravado like this but I’m guessing this is just your fantasy world talking not actual knowledge of the government being competent, which in my personal experience seems extremely unlikely.
          • AustinDev 43 days ago
            The government isn't competent as a whole.. but the intelligence agencies are rather powerful. I've worked for DARPA and IARPA and you wouldn't believe half the stuff I could say publicly and none of the stuff I can't disclose.
            • Nerada 43 days ago
              Post the stuff you're able to talk about publicly, I'm interested!
              • alchemist1e9 42 days ago
                They never will. It’s all nonsense bravado.
            • throwawaylinux 43 days ago
              We're always told that grand "conspiracy theories" are impossible because if hundreds or thousands of people are involved someone will always leak something about it. Interesting there's all these people out there who seem to know much bigger things than Snowden revealed.

              What can you say publicly?

      • dx034 43 days ago
        They'd probably just buy it to have it. That much data about foreign citizens can be valuable in many ways, from immigration to foreign intelligence.
    • hutzlibu 44 days ago
      "Who would buy this?"

      Foreign intelligence agencies for classic espionage. If you want to do blackmailing in china, such a DB would be a good start.

      Otherwise, data brokers. Advertisement, financial credibility, trustworthiness of business partners etc.

      • throwaway4good 44 days ago
        I don't know how it works in China but where I am a person's criminal record is not public but not exactly private either. In the sense that an employer can ask for your criminal record and you have the choice of giving a printout of it or not having your job. Making it kind of hard to see how the knowledge of a criminal record could be used to blackmail someone.

        As for "data brokers. Advertisement, financial credibility, trustworthiness of business partners etc.". Maybe. But these companies would turn themselves into criminals by using or purchasing this information.

        • hutzlibu 44 days ago
          It is likely that this DB contains more information than what a formal printout gives.

          "But these companies would turn themselves into criminals by using or purchasing this information."

          Which is why they probably would not deal with the information gathering directly, but use the service of a data analyst company. When they do something illegal, nobody who contracted them ever knew anything. I think this game is played in China as well.

      • hansel_der 44 days ago
        Rest assured that intelligence agencies have means of accessing police records in other nations.

        This data is only interesting to the low end of data brokers, advertisers and other scammers, hence the rather low price.

    • SoylentYellow 43 days ago
      China has foreign call scams just like the US.
    • upupandup 43 days ago
      Making money is not the motive for some. This database will be very useful going forward. Imagine the leverage you could have over business dealings.

      Some guys at the top of the game are probably already doing this and have figured out how to both insulate themselves and launder/hide the data they hoard.

  • nirui 43 days ago
    > While the Shanghai government and police department have largely been silent over the leak,

    Someone/some team in the police department is probably in serious panic right now. Not only because the data is leaked, but also because the leak has displayed an example of what they are actually recording.

    For example, according to the posts that other people have posted online (probably rumors and speculation), the `address_merge_with_mobile_data.json` file is a collection of external data submitted to the police database. In the file, there are data source types such as:

        - shga_dwd.base_shangyun_lhrytbxx_df
        - shga_dwd.base_wahlw_base_teladsllibrarytab_df
        - shga_wa.ods_nb_tab_goods
        - shga_wa.ods_nb_app_icpoof_expressdelivery
        - shga_wa.ods_nb_app_icpoof_delivery
        - shga_wa.ods_nb_app_icpoof_expressdelivery
        - shga_wa.ods_nb_app_icpoof_foodorder
    
    That's a lot of data that is not directly related to census, social safety, or law enforcement.

    I guess if you're ordering food online in China, you probably need to give yourself a nice nickname first instead of just using your real name then.

    • duxup 43 days ago
      > That's a lot of data that are not directly related to census, social safety, or law enforcement.

      Is that a … concept in China? That the police should only have data “directly related to census, social safety, or law enforcement”?

      I wonder how strange or surprising to locals this might be or maybe not be?

      • nirui 43 days ago
        I don't think Chinese people actually care, most people don't even know what "Data" actually is, let alone how "Data" affects them.

        The attitude of most people here (I'm Chinese BTW) is "I did nothing wrong, so why should I care?".

        But, it's one thing to hear the humor, it's another thing when you can actually see it. People will have different opinions about privacy when their wives ask them why their business trip to another city showed up as a hotel night 500 meters away from home on the government database.

        • challenger-derp 43 days ago
          >People will have different opinions about privacy when their wives ask them why their business trip to another city showed up as a hotel night 500 meters away from home on the government database.

          Had a good chuckle. But then it got me thinking about other situations in which government-leak-induced friction might lead to cause for legal action. The government demands and collates data, presumably supported by legal underpinnings that citizens must comply with. When these are leaked, shouldn't the government bear legal, fiduciary, etc. responsibility?

          With great data, comes great responsibility, no?

          • nirui 43 days ago
            According to the Network Security/Safety (it's the same word in Chinese) Law, the network operator is responsible for ensuring the security of their system, which includes 1) setting up security and auditing rules, 2) preventing viruses, hacking and other attacks, 3) monitoring and recording the status of the network and performing backups etc.

            The law has also stated that if an institution violated the law, and civil damages are generated as a result, the institution is also responsible for the damage.

            There is another law which might also apply to this case, it's called Data Security/Safety Law. This law also stated that the institution is responsible for civil damages if the institution has violated the law.

            But, I'm not a lawyer and certainly not a Chinese lawyer. This situation is fairly complex already, it's hard for me to tell which direction this case would go.

            I guess they'll investigate it first, but the company/team which worked on the project has probably already read the laws before, thus I assume they're well-prepared for this. Another twist is the programmer who accidentally published the secret database API key to the public network, this needs to be investigated as well to determine whether or not the key has actually been used in the attack.

            So I guess in the meantime, the husbands must wait.

  • neallindsay 44 days ago
    This has to be the largest leak of personal information yet, right?
  • nonethewiser 43 days ago
    Ultimately the fault lies in the police and government for having this data.
  • freewizard 43 days ago
    - 10 BTC sounds like a lot but it's peanuts for such large data sets.

    - 750k rows of sample data is large enough for a leak by itself, many on Reddit/Twitter/fediverse have already started to explore the data set for gender ratio, age composition and frequency of rape cases, etc.

  • dQw4w9WgXcQ 43 days ago
    Excellent, a fair trade for all the TikTok data Hoover-ing they've been doing on US citizens.
  • hrgiger 43 days ago
    Well I imagine cloud sales teams reaching out to haveibeenpwned with attractive storage offers
  • bell-cot 43 days ago
    Kinda interesting that The Register does not even speculate about steps which China's higher-level security services might take in response, to "memorably demonstrate their displeasure" at the theft. (A certain cynical attitude is usually part of The Register's stock-in-trade.)
    • dredmorbius 43 days ago
      Perhaps The Register is aware that it cannot out-cynic the Chinese.
  • spoonfeeder006 43 days ago
    This makes me really sad for all those people, especially the people advertised on the sample
  • m3kw9 43 days ago
    Waiting for a site to search the in 3,2,1
  • bamboozled 43 days ago
    So it was, the great fire wall has been breached..hard.
  • khana 44 days ago
  • daniel-cussen 43 days ago
  • FollowingTheDao 44 days ago
    • noirbot 44 days ago
      Governments have been collecting (and poorly securing) this sort of information and more for most of recorded history. It's not to say that I like it, or would work for somewhere like Meta or the like, but plenty of these major data leaks have been from places that used to collect and store physical data bases of this stuff since before most of us were alive.

      I'm talking calmly about this because people have been screaming in my ear about it for 20 years, and I listened. And then I lived my life around the fact that this was going to be happening whether you scream yourself hoarse or not, at least for now.

    • Agamus 44 days ago
      Five years! I've been screaming that for at least 15 years, and I'm pretty sure I'm a noob to the discussion.
    • pedro2 44 days ago
      And not receive those sweet dollars?

      I am sorry sir, I will not.

  • contingencies 43 days ago
    Anyone care to compose a classical Chinese poem featuring 雲 (cloud)?
  • cm2187 44 days ago
    > This database contains many TB of data and information on Billions of Chinese citizens

    how many billions?

    • _Algernon_ 44 days ago
      I'd assume between 1 and 1.402
  • pedro2 44 days ago
    Is it 1 billion in long scale or small scale?
    • ginko 44 days ago
      Last I checked there weren't 10^12 people living on earth just yet.
      • pedro2 44 days ago
        I honestly didn't know that.

        One gets used to short scale on the Internet.

    • bitdivision 43 days ago
      For anyone wondering what that is: English uses the short scale, i.e. 1 billion = 1000 million; some other languages / countries use the long scale, i.e. 1 billion = 1 million million.

      https://en.wikipedia.org/wiki/Long_and_short_scales

    • sgjohnson 44 days ago
      Why would it be in long scale? Is long scale even used in English at all?
      • pedro2 44 days ago
        It was a joke. But it made me realize, thanks to the comment above, that Earth's population is around 8 thousand millions, and not 8 billion as I'd come to believe.
    • tremendo 43 days ago
      Small scale. Where I grew up a billion had 12 zeroes, nowadays it has 9. It's a thousand millions, not a million millions.
  • himinlomax 44 days ago
    This is interesting; this could be a major blow to the Chinese dictatorship.
    • upupandup 43 days ago
      I don't think so. Chinese citizens seem unable to fight back against the military. They have no access to guns, nor mass riots that will break the CCP's will.

      Just look at North Korea and Cuba if you want to get a sense for how long these regimes last. The USSR was an exception.

    • dx034 43 days ago
      The Equifax breach also didn't cause riots in the US. I don't see how that's different here.
    • hansel_der 44 days ago
      why?
      • nonethewiser 43 days ago
        I am guessing he means that it highlights the incompetence or even just the consequences of centralizing power.

        Personally I don't expect this to bear out. Historically in China, government failures have been cited as evidence for further centralizing the power of the federal government. And this argument is bought hook, line and sinker by the people. I don't think that will change until there is serious economic hardship.