Security is an industry in which the bar keeps rising, and no system is absolutely free of vulnerabilities. So when a security incident breaks out, is it ultimately the responsibility of the user, the hacker, or the service provider? The definition is not so clear. It seems that whenever a major security incident occurs, the end result is just one or two matters that are left unresolved. So who is responsible for the user's security?
Not long ago the "Heartbleed" flaw was disclosed in OpenSSL, which implements one of the Internet's basic security protocols. It was estimated to affect millions of servers on the network, making it one of the largest security incidents in the history of the Internet.
OpenSSL implements the best-known secure transport protocol, and almost all security-critical traffic, such as banking transactions, relies on it. As a result, servers that depend on OpenSSL for secure transport were at risk of having their data stolen.
The first confirmed attack in the world was on the Inland Revenue Department, which confirmed that the "Heartbleed" flaw had led to the theft of 900 taxpayers' Social Security numbers, and that those 900 taxpayers' Social Security numbers had been completely deleted from the attacked system.
From last year's Snowden incident to this year's Ctrip credit card leak and now the "Heartbleed" flaw, people have seen how fragile the entire Internet security system is. At the same time, as modern people we are more and more inseparable from the Internet, and all of our information and data-generating behavior is being stored, analyzed, and used by various Internet services.
How our data is stored, how it is used, and who is responsible for its security are all questions that are becoming more complex today.
The world, and the individual, are going electronic
More and more electronic devices are working in unprecedented ways. They are in your hand, on your body, or in your home. But that is not all of them: their "brain" is thousands of miles away in a data center, where the information they collect is gathered and analyzed, and the results are used to guide them in doing their jobs well.
The one most likely to know you is not your friends or relatives but your cell phone. It knows who you know, who you contact, when you wake up, whether you have a meeting today, which games you love, and so on.
With the arrival of the cloud era, and to make people's lives more convenient, the mobile phone is no longer just your device. Convenient cloud services can automatically back up everything on the phone to the cloud, so that wherever you go, and whether or not you change devices, your data can be easily used and transferred.
In an era moving ever closer to the Internet of Things, manual input may in many cases become redundant. Your smart watch knows how long you slept, whether your heart rate is regular, and whether your blood pressure is high. Your smart refrigerator knows how much you eat and how many calories it contains.
None of this is mere imagination. According to the latest IDC report, the Internet of Things market is expected to exceed 20 billion U.S. dollars by 2017, and our lives will be connected by various smart devices. Their data will of course be uploaded to the cloud.
The data from your PC, your phone, and your smart devices is processed into a "user portrait" (this is not a metaphor; "user portrait" is a common term in big data) for further use by developers. Of course, when that information is acquired maliciously, criminals can also "portray" you from the same data.
The "bomb" in the cloud
Many years ago, Feng Xiaogang's film "Mobile Phone" made a classic assertion: "the cell phone is a grenade," because your cell phone knows too much.
Whether your service account password is obtained by someone else, the service provider's systems are compromised, or you simply log in on an unfamiliar computer and accidentally tick "remember password", the result can be disclosure of personal information and loss of property. With the phone in the cloud, it may change from a short-range weapon like a "grenade" into a long-range weapon like a "missile."
"The penetration of the black industry chain into mobile phone security is more and more rampant," Zhang Lei, general manager of mobile security at Baidu, said at the Baidu Mobile Guard "hundred-day raid" media open day. "Since last year the real black industry chain has come in. It is no longer the small thieves who steal traffic; organized groups are coming in behind the scenes, looking directly at your wallet, (starting to research) how to steal cash and property from a cell phone."
Although modern electronic devices are small, their structure is extremely complex, and the links between them form a huge system. From the chip at the bottom, to the operating system above it, to the applications, and finally to the related cloud services, each layer may face different security risks. Beyond traditional malware, threats such as fake base stations and insecure Wi-Fi have appeared in the market.
An attacker can obtain a certain amount of information and mount attacks through various technical and social means. In a real case, a Titanium colleague's ticket information was obtained by criminals, who posed as the airline and informed him that his flight had been cancelled for special reasons, that the ticket had to be rebooked, and that he would receive a refund of the fare difference; the colleague checked with the airline and found it was a fraud. Although the fraud did not succeed, the leak of important personal information was already a fact, and to this day it cannot be verified which part of the chain leaked it. Malicious software on the phone may have read the ticket information, the airline may have leaked it, or the booking agency may also have had a problem.
Security is more than just anti-virus software; any problem anywhere in the information dissemination environment can cause serious problems. As Zhou Hongyi said at the Geek Park conference: "More and more security problems cannot be solved by killing viruses on the device and cleaning up rogue software. For many Internet companies now, the security of users is closely linked to the security of the company."
Whose security is this?
In response to more and more security threats, the security market is surging. Black industry chains, professional security vendors, device manufacturers, and the traditional Internet giants have all joined the war.
From a business perspective, where there is demand there is a market. Since security is such a basic requirement, doing security means a huge market, so everyone starts thumping their chest and saying: I am responsible for your security!
"From today, Baidu will protect Alipay and WeChat. As long as you install the software (Baidu Mobile Guard), there will be no security risk, and if a security incident does happen, Baidu will pay for all of it." This was the assurance Zhang Lei gave to the media present at the Baidu Mobile Guard "hundred-day assault" media open day.
Coming from a security software vendor, this guarantee is certainly exciting, but why should the security of other payment software have to be underwritten by a third-party application? That logic always feels a little strange.
From the point of view of a device manufacturer such as Lenovo, security is the software link most closely tied to the device, so it is most appropriate for the hardware manufacturer to handle it, hence Lenovo's focus on building out Le Security. He Zhiqiang, president of Lenovo's Ecosystem and Cloud Services Group, said: "Le Security is integrated with the hardware; our Le Security truly starts from the root with security."
Although everyone knows security is very important, and huge sums are invested in it, the reality is that important security projects like OpenSSL have long lacked financial support. A project that bears on the security of hundreds of millions of people has only four maintainers, including two core staff, of whom only one is full-time.
On the other hand, the industry has no uniform definition of who owns a vulnerability.
To black-hat hackers, of course, a vulnerability they discover themselves is a good thing that can be sold for money. According to Zhang Lei, an application-level vulnerability fetches a price of 100,000 to 200,000 on the black market; a system-level one is worth even more.
In the view of Fang Xiaodun, founder of Wuyun Network, these vulnerabilities belong to the public, because they involve the security of the vast majority of users. The Wuyun Network he founded aims to publish newly discovered vulnerabilities.
For Baidu and other enterprises, the vulnerabilities belong to the enterprise. "We found a huge vulnerability in WeChat and informed Tencent's team immediately," Zhang Lei said. "The reason such an event is not known is that we notify the manufacturer first so they can fix it; this is their territory."
Everyone stands at a different angle, and their understanding of security differs.
Security is an industry in which the bar keeps rising, and no system is completely free of vulnerabilities. When a security incident breaks out, is it the user's responsibility? The hacker's? The service provider's? The definition is not so clear.
It seems that every time a major security incident occurs, the result is nothing more than one or two people being sent to clean up. Across the entire security field, the relationships among the various stakeholders are tangled and complicated. Security seems to concern everyone, yet no one seems to be directly responsible.
Today, when we all use electronic devices and cloud services, we cannot help but ask who is responsible for our security.