
China's social network surveillance databases are apparently leaked to Internet - stevefan1999
https://twitter.com/0xDUDE/status/1101917885100945409
======
Scoundreller
> And the most remarkable part is that this network syncs all this data to
> open MongoDBs in 18 locations.

Lol, again.

I recall in a previous list of open MongoDBs, the Chinese equivalent of the US
Food and Drug Administration had an open MongoDB.

------
rqs
> The most dialogs which are being monitored are typical teenager
> conversations.

In the picture "你还用说我大", "那是衣服紧" (Translate: "You don't need to tell me that
mine was big", "That's because the clothes are tight").

I don't know about the "typical" thing due to lack of context. But my sense
tells me that "teenager" is doing some sex talk.

Another one: "说:!收【【【46--48道士号】】】卖的微信XXXXXXXXXXX" ("Buying 46~48 level Taoist
account, contact me using WeChat XXXXXXXXXXX"). I guess this person is trying
to buy an in-game character. Taoist is a type of character similar to magician.

I think the message is captured by some type of Internet cafe management
software, which can be installed on the machine so the admin can remotely
control and "audit" it. Typical features include shutdown, forced logout,
timers, etc. I didn't know it could also record chat messages, but the fact
that it can does not surprise me that much, to be honest.

~~~
ep103
Where is this data? It sounds like they haven't disclosed it, just announced
it?

~~~
rqs
I have no idea. The messages I've quoted are from the Twitter page.

------
uses
Just leaving aside for a second what a crime against humanity this
surveillance is...

It never ceases to amaze me how many of these massive data leaks are simply
"mongodb in default configuration".

I just don't understand how it was thought, at any point in time, to be a good
idea that mongodb in its default configuration, would be open to the world
with no authentication.

~~~
andrenth
That's what happened when DevOps started to mean "we don't need an ops team, the
devs can do it".

~~~
ep103
"we don't need dbas, the ops team can do it."

~~~
andrenth
At least the ports would be closed :P

------
Laforet
From the screencaps it looks like surveillance systems used to monitor
internet cafes and public access points where people must use their real ID to
log in, so it's a bit easier to link accounts to actual identities. A number of
these IM suites are actually encrypted in transit, so it's very unlikely that
this level of interception is possible without a root certificate installed on
the client machine.
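
Added example, not code from the thread or from any IM vendor, for the point above: if interception of TLS-protected IM traffic on a cafe machine needs a root certificate on the client, the client's trust store is where to look. The script fingerprints every root Python's ssl module trusts and diffs it against a baseline recorded on a known-good machine, so an added interception root shows up by name and fingerprint. The two sample roots, their placeholder DER bytes and the "Constructed Interception Root" name are constructed for the demo; the comparison logic is pure and the system-store part runs only from main().

```python
"""Baseline the client's root trust store and report roots not in it.
Added example: not code from the thread or from any IM vendor. Interception
of TLS-protected IM traffic on a cafe machine needs a root the client trusts;
this makes such a root visible as a diff against a known-good baseline."""
import hashlib
import ssl


def fingerprint(der):
    """Hex SHA-256 of the DER encoding, the fingerprint browsers display."""
    return hashlib.sha256(der).hexdigest()


def subject_cn(cert_info):
    """commonName from the tuple-of-RDNs form ssl uses for subjects."""
    for rdn in cert_info.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"


def unexpected_roots(roots, baseline):
    """roots: list of (cert_info_dict, der_bytes); baseline: set of hex
    SHA-256 fingerprints recorded on a known-good machine. Returns
    (commonName, fingerprint) for every root absent from the baseline,
    i.e. anything added since, such as an interception CA."""
    return [(subject_cn(info), fingerprint(der))
            for info, der in roots
            if fingerprint(der) not in baseline]


def loaded_roots():
    """Roots the default OpenSSL store trusts. get_ca_certs walks the same
    store in the same order in both forms, so dict and DER can be zipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs()
    return list(zip(ctx.get_ca_certs(), ctx.get_ca_certs(binary_form=True)))


# Constructed sample for the demo: two "roots" whose DER is placeholder bytes;
# only the first is in the baseline.
SAMPLE_ROOTS = [
    ({"subject": ((("commonName", "Constructed Known Root"),),)}, b"constructed-der-A"),
    ({"subject": ((("commonName", "Constructed Interception Root"),),)}, b"constructed-der-B"),
]
SAMPLE_BASELINE = {fingerprint(b"constructed-der-A")}


if __name__ == "__main__":
    for cn, fp in unexpected_roots(SAMPLE_ROOTS, SAMPLE_BASELINE):
        print("sample:", fp, cn)
    # On a real machine: run once with an empty baseline, keep the printed
    # fingerprints somewhere off the box, and pass them back on later runs.
    for cn, fp in unexpected_roots(loaded_roots(), set()):
        print("system:", fp, cn)
```

Two caveats a practitioner would add. Python only sees the OpenSSL store it is pointed at (on Linux typically /etc/ssl/certs, on Windows the system store via load_default_certs); Firefox and some IM clients ship their own store, which needs its own baseline. And an agent with admin rights on the cafe PC, like the management software rqs describes, can hook the IM client and never touch TLS, so this check covers the in-network interception case, not a client-side agent.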

~~~
ubercow13
Couldn't this data be coming directly from these IM services' servers? I doubt
any of them are E2EE.

~~~
Laforet
It's possible but I really doubt it, considering the sheer volume of messages
being generated every moment. It would be much easier and less likely to have
hiccups like these if they just gave them server access on demand, rather than
having a live data feed replicated to 18 separate locations. Moreover the
tweets actually show names and addresses of various internet cafes in one of
the pictures. This information should not be available if the data is coming
from the service provider's backend.

Contrary to popular opinion on HN and other forums in the Anglosphere,
surveillance in China is a nuanced problem and tech companies are far from
completely passive. Local police are often denied when they request
information because technically they lack jurisdiction on companies located in
a different town or province. As a result they resort to catch-all
interception using devices like these makeshift DPI systems (there is no clear
legal requirement, but internet cafe owners are easily coerced into installing
them or risk having their business shut down over various infractions) and
Stingray-like fake cell sites (a constant source of conflict with major telcos
because they are often poorly installed and would interfere with normal cell
sites).

These ad-hoc schemes are usually put together by the lowest bidder, so they
tend to be horribly inefficient and insecure like what's been shown in this
case. But to local LE it's still preferable to going dark, not to mention
there is usually little accountability when their system breaks.

~~~
peteretep
> I really doubt it, considering the sheer volume

I feel like most people felt that way about the NSA's capabilities pre-Snowden

~~~
Laforet
Or did they? The global SIGINT capacity of the NSA was pretty well known
before Snowden. The more revealing part of the Snowden leaks was that the NSA
had been spying on US soil without clear authorisation.

Personally speaking, Snowden actually made me a lot less paranoid about the
NSA: they, like every other nation-state-backed blackhat, rely on having
physical access and 0day exploits to do their bidding. No magical backdoor or
quantum computers involved.

~~~
dTal
NSA spying on US soil was long known[1] (and of course "clear authorization"
was never granted if you interpret that phrase to mean "public" and
"accountable")

I'm not sure where you got the notion that they need physical access to
anything either. Apart from intercepting comms on the wire, they deliberately
subvert crypto standards in such a way that only they have access [2]. That is
as close to a "magical backdoor" as it's possible to get.

[1]
[https://en.wikipedia.org/wiki/Room_641A](https://en.wikipedia.org/wiki/Room_641A)
[2] [https://www.theguardian.com/world/2013/sep/05/nsa-gchq-
encry...](https://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-
codes-security)

~~~
Laforet
Well, Room 641A is a form of physical access. They are not yet capable of
breaking into any company's network from outside.

The slides in the Guardian article are pretty vague. The only proven case of
NSA inserting a backdoor would have been the DUAL_EC_DRBG algo, and people
have been alleging that from the very beginning. IIRC, Bernstein went on
further and suggested that the NIST ECC curves may be compromised, but that's
far from proven.

Most real-life attacks we have seen, such as Logjam and BEAST, arise from
longstanding vulnerabilities that are in no way exclusive to the NSA, but they
are probably in a better position to analyse past interceptions once
an exploit has been found.

~~~
6nf
> They are not yet capable of breaking into any company's network from
> outside.

They can break into _any_ company's network but they can't break into _every_
company's network.

I believe that if the NSA targets a company, they'll almost certainly be able
to infiltrate the network after some nontrivial targeted and sustained effort.
Maybe someone like Google could fend off the NSA but I doubt it. The NSA only
has to get lucky once, Google has to be secure 100% of the time. It's a tough
battle.

But the NSA isn't currently monitoring every private corporate network, that's
just crazy talk. I think.

------
SZJX
The opening statement of the author is really overblown and sensationalist.
Only at the end of the thread did he admit that all data there apparently come
from net cafes, but 1. there is no evidence that messages from private devices
are being included in this database 2. one has to understand that China is
vast, and each local authority differs a lot from the next one in deciding
what it does. It totally wouldn't surprise me that the local authorities of
several cities/provinces decided to sign a contract with this net cafe
management software provider, who essentially installs a spyware on each net
cafe computer and routes the traffic to the police. Doesn't suggest it's any
sort of coordinated, deliberate action from the central government though.
Comparing it to PRISM and NSA is highly misleading and irresponsible, and just
putting a blanket word "China's" in the title is inaccurate. Sadly it's how
most news stories are done these days.

------
arthurcolle
Where are these leaks available?

~~~
deckar01
It sounds like the leak is just the mongodb instances being open to incoming
traffic from the internet without authentication. This a common problem with
MongoDB, because its default configuration is insecure.
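
Added example, not code from the thread or from MongoDB, illustrating the "default configuration" point made by uses and by deckar01: a small audit of mongod.conf that flags the settings behind these leaks, a bind address on every interface, authorization off and no TLS. The two config samples are constructed (the exposed one is the shape of an instance a scanner finds, the hardened one is what a practitioner would ship; the 10.0.0.5 internal address and the /etc/ssl/mongod.pem path are assumed). The parser handles only the nested key/value subset of YAML that mongod.conf uses, so it runs without PyYAML.

```python
"""Audit a mongod.conf for the settings behind "open MongoDB" leaks.
Added example: not code from the thread or from MongoDB. The parser covers
only the indentation-based 'key: value' YAML subset mongod.conf uses."""

# Constructed sample: the shape of an instance anyone on the Internet can read.
# Authorization has never been on by default, so leaving the security section
# out entirely is equivalent to this.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # every interface, including the public one
"""

# Constructed sample: loopback plus one internal address, auth on, TLS required.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # 10.0.0.5 is an assumed internal interface
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongod.pem   # assumed path
security:
  authorization: enabled
"""


def parse_mongod_conf(text):
    """Parse nested 'key: value' lines into dicts, keyed by indentation.
    Scalars stay strings; '#' comments and blank lines are dropped. Lists and
    multi-line values, which mongod.conf rarely needs, are not handled."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping currently being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # dedent: close deeper mappings
            stack.pop()
        parent = stack[-1][1]
        value = value.strip()
        if value:
            parent[key.strip()] = value
        else:
            child = {}
            parent[key.strip()] = child
            stack.append((indent, child))
    return root


def audit_mongod_conf(conf):
    """Return the findings that would make this instance an 'open MongoDB'."""
    findings = []
    net = conf.get("net", {})
    bind = net.get("bindIp", "")
    addrs = [a.strip().strip("'\"") for a in bind.split(",") if a.strip()]
    if net.get("bindIpAll", "").lower() == "true" or "0.0.0.0" in addrs or "::" in addrs:
        findings.append("net.bindIp: listens on all interfaces")
    elif not addrs:
        # mongod binds to localhost by default only since 3.6.
        findings.append("net.bindIp: unset; older mongod releases then bind every interface")
    if conf.get("security", {}).get("authorization", "").lower() != "enabled":
        findings.append("security.authorization: not enabled (no authentication)")
    tls = net.get("tls") or {}
    if not isinstance(tls, dict) or tls.get("mode") != "requireTLS":
        findings.append("net.tls.mode: not requireTLS (traffic and credentials in the clear)")
    return findings


if __name__ == "__main__":
    import sys
    # Pass a path (e.g. /etc/mongod.conf) to audit a real file; with no
    # argument, audit the two constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            texts = {sys.argv[1]: f.read()}
    else:
        texts = {"exposed": EXPOSED_CONF, "hardened": HARDENED_CONF}
    for name, text in texts.items():
        print(name, audit_mongod_conf(parse_mongod_conf(text)) or ["ok"])
```

A clean audit is necessary, not sufficient, which is what andrenth's "at least the ports would be closed" gets at: confirm on the host what is actually listening (`ss -ltnp | grep 27017`) and from another network that TCP/27017 is unreachable, since the config file says what mongod was asked to do, not what the firewall or a cloud security group lets through.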

------
ressetera
Who are the leakers and how easy would it be for the government to track them?

------
arthurcolle
is the _index key common to nosql dbs? looks like elastic at first glance, but
i haven't used mongodb ever

------
chj
We knew this all along, but seeing the screenshot still makes my blood
boil. F __K THEM

------
Scoundreller
How typical is it for the Chinese to use English headers in their DBs?

Could this “solution” be off the shelf, or developed by non-Chinese?

The front-end users wouldn’t see the backend structure.

Along with some native English speaker names like “CertificateNo” for
certificate number.

~~~
qlk1123
As a non-latin language user, I can say that we do use English headers most of
the time because nobody wants to deal with potential locale/coding problems.

------
amrrs
Is there any research that proves the causal relationship between surveillance
and crime rate? I've been constantly shut up with this statement "Don't you
want your country to be safe" when I talk about privacy intrusion by Govt.

~~~
knolan
I guess you could look at major European cities like London where CCTV is
pervasive and other cities with considerably less.

It seems to me that most of the justification for surveillance systems is
focused on edge cases, terrorism and paedophilia, which are statistically
unlikely to affect the vast majority of people.

If you watch some of the reality TV you see in the UK about CCTV surveillance
you'd think the country is suffering from a crime epidemic when in fact a lot
of the situations are minor and often escalated by overly aggressive police
officers interacting with uneducated angry drunk people.

Better social policy regarding education and alcohol would be the better
solution.

~~~
ericdykstra
> If you watch some of the reality TV you see in the UK about CCTV surveillance
> you'd think the country is suffering from a crime epidemic when in fact a lot
> of the situations are minor and often escalated by overly aggressive police
> officers interacting with uneducated angry drunk people.

I couldn't find London's murder rate further back than 1990 for some reason,
but for England, the murder rate is higher now than it's been since at least
1900.

We don't know if CCTV surveillance, gun bans, and silverware purchasing
restrictions have had an effect reducing violent crime, but at the very least
it hasn't been enough to counter the increase.

> Better social policy regarding education and alcohol would be the better
> solution.

I'm pretty skeptical that this would decrease violent crime and/or murders. Do
you have any evidence for this?

~~~
engineeringwoke
This is probably the best study out there, and it hits the alcohol point
pretty well:

[https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3015237/](https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3015237/)

~~~
pzone
Alcohol is involved in 40% of violent crime in the US.

[https://www.alcoholrehabguide.org/alcohol/crimes/](https://www.alcoholrehabguide.org/alcohol/crimes/)

~~~
dsfyu404ed
What happens when you remove "angry drunk picks a fight" type of crimes from
those stats?

Drunk people getting in fights is categorically different from violent crime
committed for material gain (robbery, carjacking, etc). The causes for the
problem and the way to go about solving the problem are totally different.
Keeping people from getting angry drunk is not going to stop a home invasion.
Stopping a home invasion is not going to improve crime stats because it's a
single instance of violent crime. It's very possible to have a society
relatively devoid of "violent crime" in which drunken brawls are fairly
common. It's also possible to live in a society with lots of violent crime but
no bar fights.

Including or excluding drunks to make the crime stats look how you want them
to is no more honest than using gang violence to make the "mass shooting"
statistics look how you want them to.

You can't just paint with a broad brush when it comes to violent crime (well
you can but it's stupid and counterproductive if your goal is to understand
crime for the purpose of advocating for public policy that reduces it). A
drunk guy getting in a fight is different from domestic violence is different
from robbing a delivery driver but they'll all show up when you "select *
where includes_assault = true;"

~~~
pjc50
It's true that they're different types of crime, but that doesn't make it not
crime and it doesn't make it not violent.

~~~
dsfyu404ed
Where did I say otherwise? Of course it's still violent crime.

------
Sniffnoy
Non-mobile link:
[https://twitter.com/0xDUDE/status/1101917885100945409](https://twitter.com/0xDUDE/status/1101917885100945409)

~~~
dang
Fixed, thanks.

------
virgakwolfw
He will be a Hero of China in the 21st century for saving the Chinese from the communist party.

~~~
dang
Please keep political and ideological flamebait off HN. Ditto for
nationalistic flamebait.

~~~
Sendotsh
It's a copy/paste of one of the comments on Twitter. No idea to what purpose
though.

[https://twitter.com/xiaojianguo2013/status/11023946262191308...](https://twitter.com/xiaojianguo2013/status/1102394626219130882?s=20)

------
mnemotechny
But who needs it?

------
techie128
_sigh_

I don't condone surveillance. It is a reality of life. However, I would expect
that it is done responsibly and securely. I don't consider surveillance a big
violation BUT doing a poor job at protecting the collected data _is_ an
egregious violation of privacy.

~~~
mirimir
Why?

Who will hurt you more than authorities can?

~~~
ummonk
In the case of the US, the government is bound by due process, at least
theoretically, which makes it far less likely to hurt me than private
entities.

Granted, that may not be the case when it comes to China.

~~~
zAy0LfpBZLC8mAC
That's putting the cart before the horse. Due process isn't an agent that
enforces your rights, due process is a convention of how things are done.
Nothing fundamentally prevents anyone from simply not following due process,
other than the actual power structure of society, i.e., what people could get
away with. That actual power structure depends on stuff like knowing things
about people allowing you to control them. To illustrate what I mean: If your
opponent can blackmail all judges, there is no due process for you.

------
throwawau3243
I wonder if India's neighbor also engages in the "our ability to arrest you proves
our network is secure" tactic. Aadhar, the BS cattle-tagging project, is
premised on this principle, while they ship Indian citizens' information to
Inqtel-backed corporations ... because "it's nationalist" to do so.

