dmca/2023/08/2023-08-29-ynrcc.md


Before disabling any content in relation to this takedown notice, GitHub

To learn about when and why GitHub may process some notices this way, please visit our README.


Are you the copyright holder or authorized to act on the copyright owner's behalf?

Yes, I am the copyright holder.

Are you submitting a revised DMCA notice after GitHub Trust & Safety requested you make changes to your original notice?

No

Does your claim involve content on GitHub or npm.js?

GitHub

Please describe the nature of your copyright ownership or authorization to act on the owner's behalf.

I am [private], an employee of Yunnan Rural Credit Cooperatives (hereinafter referred to as YNRCC). The company authorizes me to handle this source code leakage issue.

The following is the relevant evidence that my company and I own the copyright of the warehouse:

  1. I am an employee of the enterprise, and the screenshot of my employee mailbox ([private]) is as follows:

[private]

Our enterprise email address is: [private]
The address of the main site is: http://www.ynrcc.com/

  2. We are the original authors of this warehouse.

The relevant certificates are as follows:

The above two repositories (and other clones from their sub-repositories) are based on the '[private]' original repository clone that we publicly uploaded to GitHub 4 years ago, which can be used through the repository.

[private]

  • Associated url connection address: [private]

From my github account, you can see that I am the [private] of the 'jiiiiiin-security' repositories:

[private]
[private]
[private]

  • Link to [private]'s project demonstration video url connection: [private]

  • Associated [private] network disk download url connection: [private]

From the above information, we can prove that we are the original author of the warehouse code;

  3. It should be added that it involves GitHub corresponding to the 'jiiiiiin-security' repository. The warehouse was moved back to the enterprise's internal code warehouse four years ago.

[private]

The relevant certificates are as follows:

[private]

The code warehouse can only be seen in the internal terminal of our enterprise, which contains the relevant logos of our enterprise, such as the security management software we purchased.

[private]

You can see from the id of the author who participated in the project that we are the original author of the repository. According to our analysis of the corresponding repository authors involved in infringement, they have not made any changes to the code of the clone repository!

  4. According to the relevant handling opinions of DMCA, we also give priority to trying to contact the owner of the corresponding warehouse. After receiving our email, some warehouse authors took the initiative to delete the repository they owned as soon as possible, and expressed their understanding of the reason for our request for deletion.

However, there are still many warehouse authors. We have sent many emails to communicate without any response. The following is the contact information form of the relevant warehouse we have sorted out:

[private]

In the above table, the marked deletion line is the record that the other party deleted by itself after we contacted the corresponding fork warehouse author recently.

  5. Although we blocked the source code of the repository from GitHub, we have never authorized any user to make it public and use the repository by themselves.

Please provide a detailed description of the original copyrighted work that has allegedly been infringed. If possible, include a URL to where it is posted online.

https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/apollo/router-server/application.properties#L44

Declaration: The above link exposes the test environment address of the CORBA service of our bank's core system;

The security risks are: This will create the risk of malicious attack on some of our core system bookkeeping, payment and loan business systems, thus endangering the capital security of enterprises and customers;

[private]

https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/apollo/user-server/database_mysql_config.properties#L2
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/apollo/public-config/redis_config.properties#L4
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/apollo/public-config/database_mysql_config.properties#L5
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/apollo/organization-server/database_mysql_config.properties#L2
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/devops/cd/apollo-deploy.sh#L15
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/devops/cd/apollo-deploy.sh#L19
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/devops/cd/apollo-deploy.sh#L16
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/devops/cd/apollo-deploy.sh#L17
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/devops/build.json#L12
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/devops/build.json#L19C6-L19C6
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/devops/build.json#L26
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/c.sh#L5

Declaration: The above link address exposes our test database ip address, port, corresponding link user name and password information (test environment, currently modified), configuration center ip address, application deployment host user name, ssh port, application deployment path and other information.

The security risks are: Although we have done address changes and user modification operations at present, criminals can still find the underlying library used through the corresponding access method we use, and try to attack our application through the vulnerabilities of the corresponding library. In addition, they can analyze the deployment mode of our entire CICD to obtain the path, parameters and other information of our application deployment, which pose a threat to our production environment;

https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/db/db_account_2019-08-16.sql#L25C20-L25C20
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/db/db_demo.sql#L3
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/db/db_demo.sql#L3
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/db/db_organization_2019-09-16#L44o
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/db/init-db.sql#L39C6-L39C6
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/blog/docs/zh/db-design/README.md?plain=1#L80C20-L80C20

Declaration: The above link contains the organizational structure, user, account, account limit and other table structure of our bank.
The security risks are: With these table structures leaked, if the database service corresponding to our production environment is attacked, the criminals will easily obtain the user information of the corresponding service and modify the corresponding account, account transaction limit and other information;

https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/db/db_user_2019-08-16.sql#L43

Declaration: The above link contains the user name and initial password of some of our administrator users. Although we have modified the production system, the criminals can still analyze the entire authentication encryption process of our application from the composition of the password and the corresponding java code of the table, which will cause serious harm to the identity authentication function of our online application;

https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/apollo/account-server/application.properties#L19
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/apollo/auth-center-server/application.properties#L21
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/apollo/finance-server/application.properties#L18
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/apollo/public-config/swagger_config.properties#L26
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/apollo/public-config/swagger_configuration.properties

Declaration: The above link contains the configuration method of our application using swagger, especially the retention of our administrator's mailbox and name, which will cause criminals to start from the administrator's relevant private information to analyze its relevant data on the Internet and our enterprise, causing harm to our enterprise and the corresponding personal privacy;

https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/blog/docs/zh/swagger/swagger-dev-and-use-standard.md?plain=1#L131

Declaration: In addition, some document screenshots also exposed the information of our bank's registration interface, resulting in our registration interface facing the attack of criminals.

https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/interface-template/xml/account/transfer/inner/InnerTransferConfirm.xml#L10
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/interface-template/xml/account/transfer/inner/InnerTransferConfirm.xml#L14
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/interface-template/xml/account/transfer/inner/InnerTransferConfirm.xml#L25
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/interface-template/xml/account/transfer/inner/InnerTransferSubmit.xml#L18C52-L18C52
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/interface-template/xml/account/transfer/inner/InnerTransferSubmit.xml#L22
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/interface-template/xml/account/transfer/inner/InnerTransferSubmit.xml#L32
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/config/interface-template/xml/demo/transfer/inner/InnerTransferConfirm.xml#L25

Declaration: The above link contains the request packet structure of our bank calling the core system CORBA for transfer business. In addition, it also contains the account number, account name, account password, mobile phone number and other information of our test database.
The security risks are: Although these are only our test environment data information, transfer is the core business of our bank. Relevant data structures, especially the exposure of parameter elements, will pose a serious threat to our bank;

[private]

https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/utils/mybatis-generator/README.md?plain=1#L6C1-L7C65
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/utils/mybatis-generator/README.md?plain=1#L9

Declaration: The above link contains the mapping relationship between our enterprise's infrastructure layer database PO and sql execution script;
The security risks are: Outlaws try to attack our application through the vulnerabilities of the corresponding library;

https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/utils/yapi/src/main/java/cn/jiiiiiin/crd/yapi/upload/YapiSvc.java#L35
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/utils/yapi/src/main/java/cn/jiiiiiin/crd/yapi/upload/YapiSvc.java#L40
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/utils/yapi/src/main/java/cn/jiiiiiin/crd/yapi/upload/YapiSvc.java#L85C2-L85C2
https://github.com/YunShiTiger/jiiiiiin-security/blob/feature/springcloud/utils/yapi/src/main/java/cn/jiiiiiin/crd/yapi/upload/YapiSvc.java#L175C17-L175C17

Declaration: The above link contains the authentication method, authentication key and interface call example of an automatic Api interface management platform we use, which will pose a threat to the security of our interface;

The warehouse we disclosed was later converted into a points marketing system within the enterprise, and is currently used in our enterprise's personal mobile banking app to provide customers with points exchange and other services. The following is the information about the application:

Personal mobile banking android client:

[private]

The Ios client:

[private]

The screenshot of the internal management interface of the points marketing application is as follows:

[private]

[private]

The picture above shows the UI comparison of the management interface of the two applications.

[private]

The figure above is a comparison of the core code structure of the two warehouses.

We have read and understand GitHub's Guide to Filing a DMCA Notice. We found that many users are beginners in programming from [private]; we have tried to contact some users, and deleted part of the 'vue-viewplus'. But only one didn't provide any valid personal information, so we can't contact them. So we hope GitHub will help us completely remove the reuploaded repositories as soon as possible.

However, we have never authorised the Respondent to copy or publish our software product. Consequently, the reported content constitutes copyright infringement. If this information is found by other people on GitHub, the customers of YNRCC will be left out of pocket.

What files should be taken down? Please provide URLs for each file, or if the entire repository, the repository's URL.

The following is a list of unauthorized repositories:

https://github.com/guomingzhang2008/jiiiiiin-security

https://github.com/qiangli524/jiiiiiin-security

https://github.com/YunShiTiger/jiiiiiin-security

Do you claim to have any technological measures in place to control access to your copyrighted content? Please see our Complaints about Anti-Circumvention Technology if you are unsure.

No

Have you searched for any forks of the allegedly infringing files or repositories? Each fork is a distinct repository and must be identified separately if you believe it is infringing and wish to have it taken down.

Yes

We are here to make a heartfelt request. Please note we are claiming copyright for the whole repository that was forked or cloned from "jiiiiiin-security" and want it removed.

The list of link addresses of forks is as follows:

Is the work licensed under an open source license?

No

What would be the best solution for the alleged infringement?

Repository can be made private

Do you have the alleged infringer's contact information? If so, please provide it.

According to the relevant handling opinions of DMCA, we also give priority to trying to contact the owner of the corresponding warehouse. After receiving our email, some warehouse authors took the initiative to delete the repository they owned as soon as possible, and expressed their understanding of the reason for our request for deletion.

However, there are still many warehouse authors. We have sent many emails to communicate without any response. The following is the contact information form of the relevant warehouse we have sorted out:

[private]

In the above table, the marked deletion line is the record that the other party deleted by itself after we contacted the corresponding fork warehouse author recently.

I have a good faith belief that use of the copyrighted materials described above on the infringing web pages is not authorized by the copyright owner, or its agent, or the law.

I have taken fair use into consideration.

I swear, under penalty of perjury, that the information in this notification is accurate and that I am the copyright owner, or am authorized to act on behalf of the owner, of an exclusive right that is allegedly infringed.

I have read and understand GitHub's Guide to Submitting a DMCA Takedown Notice.

So that we can get back to you, please provide either your telephone number or physical address.

Yunnan Rural Credit Cooperatives, Inc
Attn: [private]
Telephone: [private]
Physical address: [private]

Please type your full legal name below to sign this request.

[private]