
GitHub publishes DMCA deletion notifications sent by Bilibili - counter2015
https://github.com/github/dmca/blob/master/2019/04/2019-04-23-bilibili.md
======
dustinmoris
Not great...

MD5 password hashing: [https://github.com/swituo/openbilibili-go-common/blob/8866d1...](https://github.com/swituo/openbilibili-go-common/blob/8866d1359a2a501009b976b02bb27e4949cc4e77/app/service/main/passport-game/service/passport_login.go#L185)

Hardcoded credentials: [https://github.com/swituo/openbilibili-go-common/blob/8866d1...](https://github.com/swituo/openbilibili-go-common/blob/8866d1359a2a501009b976b02bb27e4949cc4e77/app/admin/ep/marthe/dao/tapd.go#L17)

More hard-coded secrets: [https://github.com/swituo/openbilibili-go-common/blob/8866d1...](https://github.com/swituo/openbilibili-go-common/blob/8866d1359a2a501009b976b02bb27e4949cc4e77/app/service/ep/footman/cmd/tapd/tapd.go#L54)

This configuration is my favourite: [https://github.com/swituo/openbilibili-go-common/blob/8866d1...](https://github.com/swituo/openbilibili-go-common/blob/8866d1359a2a501009b976b02bb27e4949cc4e77/library/queue/databus/report/conf.go)

And of course, RSA keys which they use for all of their RSA encryption:
[https://github.com/swituo/openbilibili-go-common/blob/8866d1...](https://github.com/swituo/openbilibili-go-common/blob/8866d1359a2a501009b976b02bb27e4949cc4e77/app/service/main/passport-game/service/passport_key.go)

... their problem is not that the source code is all public over the internet
now... their problem is the engineering team. If source code leaks the worst
outcome should be some IP leakage, but not a compromised live system. That can
and should be easily avoided by not having everything in your source code,
especially when you are such a big company with so many employees...

~~~
pavelbr
I'm a new developer (an intern, actually). I just started writing a system
that requires a couple secret strings. Currently I just have them as constants
with my code, with the idea that I'll figure out something to do with them
once I make sure everything is working.

What _should_ I do with those secrets though? I'm not sure how to store them
securely. So far I've been considering putting them in the server
configuration so they can be read from environment variables, but that seems
inconvenient for me and other developers and also not that much more secure.

~~~
nickflood
You read them from a config file and fill them into the config by hand while
deploying. Never push secrets embedded into code or portions of the config
file to your source repo.

You can hardcode the secrets to test stuff, but the first time you push the
code to the repo should be the time you change it to reading from config. And
add config to gitignore cause even if you don't stage the particular lines
with the secrets in them, there will come one time where you'll rush or will
have too long of a day when you'll push those secrets by accident. If you've
got a public repo, then it's over. On a private repo then you may not notice
this or not remember to remove it with a force push.

A point in time when you get tired of juggling config files manually in
dev/prod is the point in time you explore the system for secret management and
auto build/deployment as clearly your project has become useful/popular
enough.

Those are my IMO and what I use as thresholds. Of course, if your environment
is more relaxed there's no limit on further improving this practice.

------
ghomrassen
Heard about this a couple days ago, crazy stuff. For those who don't know,
bilibili is a massive video hosting platform in China aimed toward the younger
generation.

So the question is who leaked it and why? Just a disgruntled employee or the
effect of 996?

~~~
NegativeLatency
What is 996?

~~~
imhoguy
[https://en.wikipedia.org/wiki/996_working_hour_system](https://en.wikipedia.org/wiki/996_working_hour_system)

------
counter2015
As far as I know, an employee who was illegally laid off by bilibili put part
of the company's background code on GitHub to vent his anger. GitHub has then
directionally shielded the keywords "bilibili" and "go-common", but it can be
bypassed by typing only one character less. There are still a lot of projects
alive. It is not yet known who leaked it, nor the reason.

~~~
4684499
> illegally laid off

Source please?

~~~
counter2015
> illegally laid off

For this part, I can't give credible sources; I know it from hearsay.

~~~
yorwba
You could link to the hearsay, assuming it was online.

FWIW, the report you link in your other comment has a screenshot of a
conversation where someone claims that the code was leaked by an intern from
Nankai University who didn't know how to use git. [1] That they're identified
by their university makes me suspect that it's a rumor (edit: making fun of
the university), though.

[1]
[https://www.heibai.org/zb_users/upload/2019/04/2019042306214...](https://www.heibai.org/zb_users/upload/2019/04/20190423062149_35805.png)

------
ddtaylor
It appears to already be on IPFS

[https://ipfs.io/ipfs/QmYiQ5jbtmx24ketNA65MJ3VpSDFWikGmvnBErq...](https://ipfs.io/ipfs/QmYiQ5jbtmx24ketNA65MJ3VpSDFWikGmvnBErqpmiXtRC)

------
avip
Too late. GitHub is scraped very frequently (as in seconds) for sensitive
stuff. It’s out and github cannot do anything about it

~~~
usernam33
"...the median time to discovery for a key leaked to GitHub is 20 seconds..."
[https://news.ycombinator.com/item?id=19602279](https://news.ycombinator.com/item?id=19602279)

------
dis-sys
Sure, Bilibili's copyright must be respected, no question on that whatsoever.
That being said, let's have a look on how this multi-billion company treats
its programmers -

flv.js is open sourced by bilibili; it has 14,668 stars on GitHub [1].
Bilibili paid the smart & hardworking programmer who single-handedly started
this project and made it popular $700 USD per month [2]; there is a very long
zhihu.com thread [2] on this matter with 4 million views and almost 400
detailed responses. $700 is about 10% of the fair market rate in China for
skills like that.

Sorry, but I am not going to take the moral high ground and defend bilibili's
rights any time soon. It is a company violating the rights of its programmers
on an hourly basis.

Shame on you BiliBili.

[1] [https://github.com/Bilibili/flv.js](https://github.com/Bilibili/flv.js)

[2]
[https://www.zhihu.com/question/53686737](https://www.zhihu.com/question/53686737)

~~~
ksec
> $700 is about 10% of the fair market rate in China for skills like that.

So you are suggesting $7000 for skills like that? There are still countless
PHP / Golang / Rails jobs going for under $2K. While I agree $700 is insanely
low even if you are in some Tier 3 cities, I don't think 10% paints an accurate
picture of the current state of programming pay in China.

~~~
dis-sys
As clearly mentioned in the reply, $7,000/month is the fair market rate for
someone who can propose/promote/complete such a project with visible impact on
the community.

------
praptak
Code base is fair game DMCA-wise. I wonder about the private keys though. I
don't think they are copyrightable (although it would be cool to have a poem as
the private key). So, does DMCA cover that too?

~~~
gergles
> (although it would be cool to have a poem as the private key)

Apple does this with Mac OS X. The System Management Controller contains a
key, and the "Dont Steal Mac OS X" kernel extension (which checks for that
key) contains a poem that must be present for Mac OS X to run.

[http://osxdaily.com/2010/03/19/anti-piracy-message-in-mac-os...](http://osxdaily.com/2010/03/19/anti-piracy-message-in-mac-os-x-kernel-extension/)

~~~
ddtaylor
That's the saddest poem I've ever read.

------
akerro
Backups [https://github.com/search?q=go-common](https://github.com/search?q=go-common)

------
comex
HERO.md:
[https://gitlab.com/wkingfly/openbilibili/blob/master/HERO.md](https://gitlab.com/wkingfly/openbilibili/blob/master/HERO.md)

I have no idea what it means, but I like it.

~~~
silvester23
These are playable races and character classes from Warcraft III (and the
expansion The Frozen Throne).

Most of these probably also appear in World of Warcraft, though I cannot say
for sure.

As to why this file is in the top directory of the repo, your guess is as good
as mine.

~~~
brenniemac
I think more specifically this is referring to heroes from Dota (which of
course links back to Warcraft III as you said)

~~~
Zekio
nah, they are just the default heroes that exist in Warcraft 3 Reign of Chaos
and Frozen Throne, which is easily discerned by the names and the fact that the
races are listed as titles and the Neutral heroes don't have a race mentioned
in English.

Also there are a lot more heroes in the Dota map for Warcraft 3 than on that
short list

------
gerbilly
I use something like this to set a few global variables at build time.

This keeps my secrets out of the source code.

    go build \
        -ldflags="\
        -X main.programVersion=`git describe` \
        -X main.username=$USERNAME \
        -X main.password=$PASSWORD"

This isn't perfect, of course, because you can just use strings(1) to find the
secrets embedded in the binary, but it is a step up from what they did.

It's fine for our internal go apps. I'm not sure what I would do if the
secrets were for connecting to public cloud infrastructure though.

Perhaps encrypt them with a separate key per customer, then feed in the key
via an env variable?

Any ideas?
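One way to follow the idea floated in this comment, as an added example rather than the commenter's own code: embed only a sealed (AES-256-GCM encrypted) blob via `-ldflags -X` and supply the per-customer key through an environment variable at run time, so `strings(1)` on the binary yields only ciphertext. The variable name `main.sealedPassword`, the env variable `APP_SECRET_KEY`, and the function names are assumptions for this example. The key in the environment is now the secret that must be protected, so this raises the bar (the binary alone is no longer enough) rather than removing the problem.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// sealedPassword replaces the plaintext -X value from the comment (assumed name):
//
//	go build -ldflags="-X main.sealedPassword=$SEALED_PASSWORD"
//
// It holds base64(nonce || AES-256-GCM ciphertext), so strings(1) on the
// binary shows only ciphertext.
var sealedPassword string

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be exactly 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key and returns base64(nonce || ciphertext).
// Run it once per customer/deployment to produce the value handed to -X.
func Seal(key []byte, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Passing nonce as dst prepends it to the ciphertext and tag.
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), nil)
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// Open reverses Seal. A wrong key or a modified blob fails the GCM tag check.
func Open(key []byte, sealed string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(sealed)
	if err != nil {
		return "", err
	}
	ns := gcm.NonceSize()
	if len(raw) < ns {
		return "", errors.New("sealed value too short")
	}
	pt, err := gcm.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return "", errors.New("decryption failed: wrong key or corrupted value")
	}
	return string(pt), nil
}

// KeyFromEnv reads the per-deployment key (64 hex chars) from APP_SECRET_KEY
// (assumed name); lookup is os.LookupEnv in production and a stub in tests.
func KeyFromEnv(lookup func(string) (string, bool)) ([]byte, error) {
	h, ok := lookup("APP_SECRET_KEY")
	if !ok {
		return nil, errors.New("APP_SECRET_KEY is not set")
	}
	key, err := hex.DecodeString(h)
	if err != nil || len(key) != 32 {
		return nil, errors.New("APP_SECRET_KEY must be 32 bytes, hex encoded")
	}
	return key, nil
}

func main() {
	key, err := KeyFromEnv(os.LookupEnv)
	if err == nil && sealedPassword == "" {
		err = errors.New("binary was built without -X main.sealedPassword")
	}
	var pw string
	if err == nil {
		pw, err = Open(key, sealedPassword)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Never print the recovered value; the length is enough to confirm success.
	fmt.Printf("password recovered (%d bytes)\n", len(pw))
}
```

The build pipeline calls `Seal` with the customer's key and passes the result as `-X main.sealedPassword=...`; at run time only `APP_SECRET_KEY` must be present. Because GCM authenticates the blob, a binary built for one customer simply fails to start under another customer's key instead of decrypting to garbage.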

~~~
duncan-donuts
I would read connection string information from the env. This[0] might be
useful if you’re not familiar with 12 factor apps.

0: [https://12factor.net/config](https://12factor.net/config)

~~~
CameronNemo
An example configuration file is also acceptable. It is also less prone to
leakage if your application runs other untrusted (or simply less trusted) code
and does not sanitize the environment first.

------
owaislone
If you don't have time to integrate with a secret store, at least use
something like Blackbox to store encrypted in git:
[https://github.com/StackExchange/blackbox](https://github.com/StackExchange/blackbox)

------
dikei
Apart from storing secrets in the repository, I'm quite impressed by their
repository structure. It looks a lot better than the mess I often see in our
internal projects.

------
42yeah
This letter seems like it was hastily written and sent out in quite a hurry.

~~~
rubatuga
This might be off topic, but why create an account just to say this?

~~~
phyzome
Everyone creates their account at some point, probably in order to respond to
something...

~~~
devrod
I lurked for years both here and on reddit before creating an account. I
finally created one when I wanted to say something.

------
DarkWiiPlayer
Now this is embarrassing

[https://github.com/swituo/openbilibili-go-common/blob/8866d1...](https://github.com/swituo/openbilibili-go-common/blob/8866d1359a2a501009b976b02bb27e4949cc4e77/app/admin/main/apm/dao/canal_test.go#L51)

~~~
stestagg
It’s a test file referencing a service running on localhost ...

------
founderling
Why do you think that the DMCA would lead to some sort of deletion of
repositories that was sent over a wire to a website that the DMCA was meant to
be into?

It's not a simple case either. But it feels a bit strange that there aren't
any links to this kind of DMCA takedown. It seems strange that a company like
BitBucket would even have this kind of information without the DMCA notice.

Or maybe I'm just a cynic.

