The Yandex Source Leak as the Biggest Push for Russian IT
Undoubtedly, Yandex, as a commercial company, will lose profits in the short term. A lot of time will be spent fixing bottlenecks, approaches and architecture. But in the long run everyone will benefit, including Yandex itself, which will gain valuable employees. Again, to put it bluntly: Yandex databases (deliveries, taxi) have leaked more than once, and Yandex was fined. But now everything has changed.
Monorepos are very convenient. Over the past 5 years we have seen many people actively switch to monorepos, and Yandex was at one time a pioneer of this approach. However, this also plays a cruel joke.
The database leaks I mentioned above were red flags. Impunity is the proof of that: a fine of 60,000 rubles for the personal data of Yandex.Food customers that leaked. This doesn’t mean the developers are stupid or don’t care, just that there is no accountability.
The country’s political situation. Segalovich, may his memory be eternal; now Volozh, together with the top managers who left Russia. This is negative growth. Of course, Kudrin is not to blame for this. He would have had to try very hard to destroy what had been created over decades. But the date the data was last modified suggests that not everyone agrees.
You can argue for a long time that McDonald’s did not leave but sold its business, that IKEA earned billions on us and ran off with its tail between its legs, that the auto giants are trying to spite us and everyone around is an idiot. Unfortunately, however, big IT in this country is only moving in the negative direction.
Who did this?
Two main theories doing the rounds:
A hack, based on the preconditions above (last paragraph).
A “rat” inside who had access and simply leaked it.
Personally, I don’t believe in the second option. I could be wrong, but here are my reasons:
January 26th, 11 months later? Why not right away? Why not after Boca? And why not after September 21st or 30th? Where have you been for 8 years?
The leak is missing a lot: entire directories in some places, specific files in others. This doesn’t look like a “rat”; it looks like arithmetic.
The structure of a monorepo allows an outsider to do this under certain conditions.
Unpreparedness for this, for me personally, points to the specifics of the situation. Yandex obviously has protection against such internal leaks, but it ran into something else (remember the chaos in closed Telegram chats on January 26th).
I’m not saying it’s definitely a hack. No one is immune to an employee who slowly, methodically and quietly, so that no one notices, siphons off the sources. And then, sipping a Long Island in Cuba, decides which ones to publish and which not.
The shortest argument for my answer is the mtime of the files, the time they were last modified. You can argue for a long time, you can say it’s just a smokescreen, and so on. The truth is, this could have happened earlier. The fact is that it didn’t.
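As an added illustration of the mtime argument (this is not code from the original post, and the sample tree with its timestamps is constructed here): the script profiles when the files in a dumped tree were last modified and flags the main caveat, a tree whose mtimes were all reset by the tool that produced it, so that they date the export rather than the work. It assumes the dump preserved mtimes (tar and rsync -a do; a fresh git checkout stamps every file with the checkout time).

```python
"""Date a leaked source snapshot from file mtimes (added example, constructed data)."""
import os
import tempfile
from collections import Counter
from datetime import datetime, timezone


def mtime_profile(root):
    """Return (latest mtime as UTC datetime, Counter of files per 'YYYY-MM')."""
    latest = 0
    months = Counter()
    for dirpath, _, files in os.walk(root):
        for name in files:
            st = os.stat(os.path.join(dirpath, name))
            latest = max(latest, st.st_mtime)
            key = datetime.fromtimestamp(st.st_mtime, timezone.utc).strftime("%Y-%m")
            months[key] += 1
    return datetime.fromtimestamp(latest, timezone.utc), months


def looks_like_fresh_checkout(months, threshold=0.9):
    """True when almost every file shares one month: mtimes were probably reset
    by the export tool, so they date the export, not the actual edits."""
    total = sum(months.values())
    return total > 0 and max(months.values()) / total >= threshold


def build_sample_tree():
    """Constructed sample: edits spread over 2022, last touch in January 2023."""
    root = tempfile.mkdtemp()
    stamps = {  # assumed paths and dates, not from any real dump
        "search/ranker.cpp": "2022-03-14",
        "taxi/dispatch.py": "2022-07-02",
        "maps/geo.cpp": "2022-11-20",
        "captcha/detector.py": "2023-01-24",
    }
    for rel, day in stamps.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("// constructed placeholder\n")
        ts = datetime.strptime(day, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp()
        os.utime(path, (ts, ts))  # set both atime and mtime to the sample date
    return root


if __name__ == "__main__":
    latest, hist = mtime_profile(build_sample_tree())
    print("latest mtime:", latest.date(), "| reset suspected:", looks_like_fresh_checkout(hist))
    for month, n in sorted(hist.items()):
        print(month, "#" * n)
```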
What Is Good?
I’m looking through the sources. The first thing I noticed is that you’ll have to brush up on Python and, of course, C++. Going back to the title of the article, it looks like what is here is a best practice at least in terms of C++/Python/Go/TypeScript/Docker/etc. In README.md I often see this: “Ready-made libs are in C, which makes writing a C++ wrapper cheaper than writing from scratch. And ready-made libraries in C++: people just don’t understand how to build libraries with solid architecture.”
In React apps, dependencies are minimal. Where I expected to see reactive or interactive navigation there is an in-house implementation. This doesn’t mean it is better and more wonderful, only that the “guys” work in isolation. You don’t have to look far: a prime example is ClickHouse, which went public and open source and earned its place in bigger companies like Cloudflare, Bloomberg and lesser-known ad-related B2C companies. But no less ambitious.
In the sources we can find very simple scripts such as JSON validation, base64 / pbf encode/decode, script_functions, file functions, working with geodata and so on. As well as very complex data-analysis algorithms.
There are many great C/C++ projects on GitHub, but where else can you find the full gamut from simple to complex? Moreover, much of the code is documented. Learning C++ from the same ClickHouse: the team thinks through every line, trying to improve it and avoid an unnecessary memcpy. Alternatively, start small, like URL validation.
The modern world is full of Skillbox and other “Yandex Practicum” courses, which often impose their own technologies and dirty patterns. Likewise, I haven’t found much BEM in these sources.
Of course, the Yandex sources attract attention. Even though many projects are in the public domain, it is the “leaked” sources that will interest many and will be studied. Considering that Yandex was and remains the largest high-quality IT team in the country, everyone who got the sources and measures themselves against them will most likely come out ahead.
Of course, many of the features will interest inventors as well. In our country, “illegal access to computer information” has long been interpreted freely. Previously, department “K” could break into your house and seize the monitor (it contains all the information, right?). Modern realities are compensated by simply imperfect laws: if you are brave, one way or another they will find something on you. Article 228 still exists; no one has repealed it.
The “Presidential” article is what will bring you the most. It is also for this reason that we see reports of “Russian” hackers being caught mainly abroad. Infosec doesn’t count.
This does not mean that Yandex can fold its hands and wait for new employees plus free security reviews, of course not.
It is clear that Yandex will pay a lot of money for pentesting with source-code access. But it’s no accident that they declare “increased risks” around “bug hunting”. It’s strange how short it is. I predict it will be extended. And everyone will win. The developers themselves will say “thank you” if vulnerabilities are found in their code.
The “big” companies were given a great example of how to do it. Yandex’s infrastructure, logic and implementation have always been something “magical”. Now we can all see for ourselves that these were not fairy tales, that it really is so.
Everything is in order: documentation for each project, a code style for each project, and almost all documentation has a separate item: “If something is unclear, don’t be shy, ask.” Local CRM, Arcadia, wikis, communities and chats. An excellent occasion to consider how “personally” you run your own business. There is someone to look up to.
What’s Wrong With It?
In addition to the obvious commercial losses, Yandex suffered reputational ones. Not that they’re used to it, but the source code of the site bot and the anti-robot CAPTCHA is a whole lot of extra business loss, at the very least.
Offended market partners who think they are being shortchanged: here are the sources, let’s see. You are not first in the search results: here are the sources (yes, the bot simply collects data, which is then analyzed, but there is still access to the bot). Hidden functions and settings of Yandex Browser: here it is, read the code.
The taxi driver doesn’t get the order right next to him: well, your speed is either over the limit (as I understand it, something like more than 55 km/h) or under the limit, that is, you are standing still … It is clear that the internal algorithms will hit Yandex, and many will want to take advantage of this. Some a little earlier, some a little later.
It’s good that Yandex is looking for new metrics for its algorithms, but this will not happen quickly. And there will be no quick rebuild of the architecture either. I mean, Yandex is obviously going to spend a lot of unscheduled money to make up for this leak. And this will obviously affect us, the Yandex users (taxi, food, search, movie search, auto.ru, etc.).
Well, let’s not forget the new leaked databases. If we experienced this before, now it will become a normal occurrence. Unless, of course, Yandex’s geniuses quickly solve this problem. Unfortunately, I doubt that Kudrin is a “genius from Yandex”. He is a genius, but definitely not when it comes to Yandex and its modern IT company.
Yuri Dud-Synodov (if you don’t know, this is the “Dud” of IT journalism: Webplanet, Roem, etc.) said that the charm of the few geniuses who left with Volozh Sr. is that they will do what Yandex employees have been doing for decades. Of course this is not the case, and it is clear that Yuri had to come up with new projects based on the old ones.
It certainly won’t be possible to rebuild the existing Yandex infrastructure in a week, and it won’t be possible in half a year either. Even the “geniuses” who stuck with Volozh will spend a lot of time understanding what this is and how to avoid it in the future, rather than creating more. And they will also have to think about it, because they are involved in this too.
Instead of a Conclusion.
Many internal Yandex projects carry the MIT license “by default” in their sources, and this is clearly stated in the profiles. Other sources are not marked in any way, which also allows them to be copied, used for commercial purposes, modified, etc.
No matter how much I personally “hate” Yandex (for me they have long been an evil company), I sincerely send rays of kindness to all the employees who remain in the Russian Federation. You are wonderful, wonderful fellows; what you have created and supported is a national treasure.
Looking at their fingers, I am convinced that they are great professionals. Be patient and never give up. I repeat, this leak is only relevant “here and now”; it is up to you to make it “irrelevant” in half a year.