For people not in the know, this is a pretty massive problem. Happened in approx. the same day another major security flaw went public, that SHA-1 encryption has been practically broken, so there's a lot going on in computer security at once.
Basically, cloudflare's CEO is essentially saying "hey, sorry I went and vomited on all your walls and carpets (and those of, like, everyone, randomly, around the world), but I'd really appreciate you cleaning it up faster".
Not sure what the CEO expects when they shit out personal info all across the web. They had to make it public so anyone caching the data can remove it, and anyone who uses cloudflare can inform their users of the breach and to act accordingly.
It's been nicknamed "cloudbleed" because it has some similarities, at least in terms of the breadth of data leaked, to a past stupid security flaw "heardbleed".
I'm realizing I have nothing to shitpost here as I type this. Fuck.
And it was discovered and revealed by someone working for google. He could have been quiet and sold it in the black market, but instead of a "t-shirt", he got - his regular salary and a bullet point in the next appraisal subjective to his supervisor. Really makes you think.
Cloudflare is a DDOS protection service, my understanding of how it works it is a middleman between clients and servers. So when you connect to reddit, your request goes through Cloudflare, then hits reddit.com, and vice versa. What Cloudflare has been doing is caching all that data, including credit cards+personal messages+full webpages people have accessed, that goes through them on webpages that you can literally find on a search engine. Even worse is that data that should be encrypted is there totally unprotected.
Gizmodo write-up provides a good explanation at the 'How' section.
Basically, all computer programs, from the data they work with to the code itself, reside in memory somewhere. Cloudflare's DDOS protection stuff would write website data to certain parts of memory. However, memory is obviously physical and thus limited. You can fill up/write to all available memory, and if you don't stop, who knows what you'll write over. Usually this would trigger the program to do something, like write somewhere else, throw an error, whatever. The check that the program did to tell whether it should stop writing to memory was faulty, so once it reached the limit of its allocated memory, it just kept writing data over whatever was there, basically putting random data from one source in completely unrelated locations.
Heartbleed was similar, in that a user would connect to a site, and instead of asking for the amount of data that made up that site, it would ask for some absurdly large number more, which, again, because the check was faulty or non-existent, would just spew back whatever was in memory after the desired site.
Nope. The "7 day policy" could have easily been rescinded given the massive scale of the bug. They could have waited, if they were "not evil", but whatever. I don't see how the zero team making the exploit public had any advantage to anyone, whether openly being good for alphabet shareholders or general plebs like me and you? Can you explain?
Cloudflare letting their clients know is de-facto making it public. Cloudflare has a fuck-ton of clients. Anyone one of them could have leaked the exploit once they mass-emailed their clients. Also it would give any potential exploiters time for a final trawl. The exploit has been out there for months, who knows how many people have been taking advantage of it.
An exploit that allows people the ability to acquire personal info is one thing. An exploit that shits out personal info across the web like a shooting star is another. Mass-panic mode is kind've the best way to take care of this sort of thing ASAP. There's no real optimal solution here.
That's so many vectors for the info to leak though that I don't think it would have made a difference.
I disagree. It would have made a massive difference. If you read the OP, the cloudflare CEO confirms that all major search engines including duckduckgo, bing, yandex and even the chinese state-controlled search engine baidu have cleared the cache upon their request without giving them hell or leaking stuff.
This is how most critical security issues are handled. You can't assume whatever you've read as leaked till now was all that was ever leaked.
In the OP, the first comment, by taviso himself, has examples of stuff they missed on bing. No way of knowing if all of those sites are now 100% scrubbed.
I'm aware most exploit posts stay private for longer. I think this is slightly different than your usual exploit. It was a bug that was doing bad things whether people wanted to exploit it maliciously or not. I'm not sure how much the quick release exacerbates the problem.
Maybe it's just that I instinctively trust taviso most of the time, idk.
Someone just added a controversy section to his wikipedia article with this
After finding a bug in Cloudflare's infrastructure[9] it was decided that Google would disclose the bug after 7 days, rather than the normal 90 days (which is still shown as the disclosure window in the project zero tracker)[10]. However in the end Google and Tavis then prematurely disclosed the bug after 6 days before leaked data could be cleaned up. The 7 day window is usually reserved for bugs that haven't been patched and are actively being exploited[11]. Cloudflare had previously patched the bug[9], but hadn't at the time of disclosure managed to co-ordinate the removal of data saved by search engines[12]. Leaked customer data was therefor publicly available on the Internet at the time of disclosure.
It's like reddit with no subreddits and a fixed set of topics that are on-topic, and Paul Graham is an admin so he can and does censor things that criticise him or his startup seed funding provider, Y Combinator. Pretty pointless IMO.
The community is also full of stealth SJWs looking for ways to inject their nonsense into the discussion (they also have their own clone "lobste.rs", which I guess is analogous to Imzy or something). Which is kind of amusing when you consider some of Paul Graham's old essays.
pretty sure the thing about lobsters is that they only allow technical discussion, no politics or cultural topics permitted. unless things have changed a lot there.
Does it filter out VPN or otherwise interfer with VPN usage? I always though TOR was what had problems with cloudflare sites, or am I thinking of captcha...
A commercial VPN will have several people using the same apparent address, so you can get multiple requests to a site from the same IP, making it (incorrectly) look like bot activity.
It's not that bad on some sites, on some its terrible.
Hahaha, Google takes down cloudflare. Apparently, cloudflare has been having a "beef" with Google for a long time. Reading through this, it seems to me that Travis was giggling to himself as he wrote all the stuff. It's pretty obvious if you read between the lines that he wanted to pit as many damaging info as possible to embarrass cloudflare. Travis even notified the cloudflare team on a Friday evening, on twitter, without tagging anyone lol.
The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.
i'm not disagreeing with you. I was just loling at how terrible Cloudflare fucked up.
I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings.
Hahaha, Google takes down cloudflare. Apparently, cloudflare has been having a "beef" with Google for a long time. Reading through this, it seems to me that Travis was giggling to himself as he wrote all the stuff. It's pretty obvious if you read between the lines that he wanted to pit as many damaging info as possible to embarrass cloudflare. Travis even notified the cloudflare team on a Friday evening, on twitter, without tagging anyone lol.
55 comments
n/a SnapshillBot 2017-02-25
Providing a Community Safe from TITrCJ's Sexual Advances Since October 2015.
Snapshots:
I am a bot. (Info / Contact)
n/a PURINBOYS2002 2017-02-25
For people not in the know, this is a pretty massive problem. Happened in approx. the same day another major security flaw went public, that SHA-1 encryption has been practically broken, so there's a lot going on in computer security at once.
Basically, cloudflare's CEO is essentially saying "hey, sorry I went and vomited on all your walls and carpets (and those of, like, everyone, randomly, around the world), but I'd really appreciate you cleaning it up faster".
Not sure what the CEO expects when they shit out personal info all across the web. They had to make it public so anyone caching the data can remove it, and anyone who uses cloudflare can inform their users of the breach and to act accordingly.
It's been nicknamed "cloudbleed" because it has some similarities, at least in terms of the breadth of data leaked, to a past stupid security flaw "heardbleed".
I'm realizing I have nothing to shitpost here as I type this. Fuck.
n/a Imgur_Lurker 2017-02-25
Heartbleed you fuckking fake nerd.
n/a PURINBOYS2002 2017-02-25
typo
n/a Imgur_Lurker 2017-02-25
D and T aren't even close to each other smh.
This is why you use homerow.
n/a accounttttt 2017-02-25
nigger
n/a HAHApointsatyou 2017-02-25
lmao
n/a going_for_a_wank 2017-02-25
/r/downvotesreally
n/a accounttttt 2017-02-25
please upvote my post, thanks!
n/a sex_tourism 2017-02-25
Also cloudflares top prize in their bug bounty program was a t-shirt. Now they have this in their hands which could cost them millions.
n/a flipkt 2017-02-25
And it was discovered and revealed by someone working for google. He could have been quiet and sold it in the black market, but instead of a "t-shirt", he got - his regular salary and a bullet point in the next appraisal subjective to his supervisor. Really makes you think.
n/a fucked_my_shit_up 2017-02-25
wew lad
n/a KuribohGirl 2017-02-25
Does this mean if I starred in a loli hentai as a seiyuu(voice actress) and director people would know now?
n/a zahlman 2017-02-25
SHA-1 isn't encryption, it's hashing
n/a PURINBOYS2002 2017-02-25
You are correct. Forgot specific difference between the two when typing this out before falling asleep.
n/a snallygaster 2017-02-25
How does this even happen?
n/a coco-o 2017-02-25
Cloudflare is a DDOS protection service, my understanding of how it works it is a middleman between clients and servers. So when you connect to reddit, your request goes through Cloudflare, then hits reddit.com, and vice versa. What Cloudflare has been doing is caching all that data, including credit cards+personal messages+full webpages people have accessed, that goes through them on webpages that you can literally find on a search engine. Even worse is that data that should be encrypted is there totally unprotected.
n/a PURINBOYS2002 2017-02-25
Gizmodo write-up provides a good explanation at the 'How' section.
Basically, all computer programs, from the data they work with to the code itself, reside in memory somewhere. Cloudflare's DDOS protection stuff would write website data to certain parts of memory. However, memory is obviously physical and thus limited. You can fill up/write to all available memory, and if you don't stop, who knows what you'll write over. Usually this would trigger the program to do something, like write somewhere else, throw an error, whatever. The check that the program did to tell whether it should stop writing to memory was faulty, so once it reached the limit of its allocated memory, it just kept writing data over whatever was there, basically putting random data from one source in completely unrelated locations.
Heartbleed was similar, in that a user would connect to a site, and instead of asking for the amount of data that made up that site, it would ask for some absurdly large number more, which, again, because the check was faulty or non-existent, would just spew back whatever was in memory after the desired site.
n/a flipkt 2017-02-25
Nope. The "7 day policy" could have easily been rescinded given the massive scale of the bug. They could have waited, if they were "not evil", but whatever. I don't see how the zero team making the exploit public had any advantage to anyone, whether openly being good for alphabet shareholders or general plebs like me and you? Can you explain?
n/a PURINBOYS2002 2017-02-25
Cloudflare letting their clients know is de-facto making it public. Cloudflare has a fuck-ton of clients. Anyone one of them could have leaked the exploit once they mass-emailed their clients. Also it would give any potential exploiters time for a final trawl. The exploit has been out there for months, who knows how many people have been taking advantage of it.
An exploit that allows people the ability to acquire personal info is one thing. An exploit that shits out personal info across the web like a shooting star is another. Mass-panic mode is kind've the best way to take care of this sort of thing ASAP. There's no real optimal solution here.
n/a flipkt 2017-02-25
Your edit was my point.
I disagree. It would have made a massive difference. If you read the OP, the cloudflare CEO confirms that all major search engines including duckduckgo, bing, yandex and even the chinese state-controlled search engine baidu have cleared the cache upon their request without giving them hell or leaking stuff.
This is how most critical security issues are handled. You can't assume whatever you've read as leaked till now was all that was ever leaked.
n/a PURINBOYS2002 2017-02-25
In the OP, the first comment, by taviso himself, has examples of stuff they missed on bing. No way of knowing if all of those sites are now 100% scrubbed.
I'm aware most exploit posts stay private for longer. I think this is slightly different than your usual exploit. It was a bug that was doing bad things whether people wanted to exploit it maliciously or not. I'm not sure how much the quick release exacerbates the problem.
Maybe it's just that I instinctively trust taviso most of the time, idk.
n/a flipkt 2017-02-25
Someone just added a controversy section to his wikipedia article with this
This is my point basically.
n/a somercet 2017-02-25
GTFO
n/a niggerpenis 2017-02-25
wtf is that fake reddit
n/a greenrd 2017-02-25
It's like reddit with no subreddits and a fixed set of topics that are on-topic, and Paul Graham is an admin so he can and does censor things that criticise him or his startup seed funding provider, Y Combinator. Pretty pointless IMO.
n/a niggerpenis 2017-02-25
Thanks
n/a HivemindBuster 2017-02-25
On the other hand, the signal to noise ratio of people who know what they're talking about (on tech matters) is a lot higher than reddit.
n/a zahlman 2017-02-25
The community is also full of stealth SJWs looking for ways to inject their nonsense into the discussion (they also have their own clone "lobste.rs", which I guess is analogous to Imzy or something). Which is kind of amusing when you consider some of Paul Graham's old essays.
n/a Strephyl 2017-02-25
get a life lol
n/a zahlman 2017-02-25
no u
n/a niexx 2017-02-25
pretty sure the thing about lobsters is that they only allow technical discussion, no politics or cultural topics permitted. unless things have changed a lot there.
n/a zahlman 2017-02-25
I remember seeing some shit linked to me but it could have gotten fixed since, idk.
n/a niexx 2017-02-25
tbh most threads on there are showing off about how cle
n/a flipkt 2017-02-25
It is not that much different. They just use more flamboyant words to say "fuck off retard".
n/a KotlinKomodo 2017-02-25
It's just a reskin of /r/programmingcirclejerk
n/a PM_ME_HAIRLESS_CATS 2017-02-25
Hacker News predates reddit by a while. it's also populated by an audience with more smarm than all of reddit: Silicon Valley.
n/a WorldStarCroCop 2017-02-25
For non nerd faggots: A lot of websites use cloudfare.
n/a Forseti69 2017-02-25
Mostly for DDOS protection...
n/a dbe7 2017-02-25
And inadvertently blocking websites from anyone using a VPN.
n/a Forseti69 2017-02-25
Does it filter out VPN or otherwise interfer with VPN usage? I always though TOR was what had problems with cloudflare sites, or am I thinking of captcha...
n/a lared930 2017-02-25
People buy cheap VPNs en masse to scrape the living shit out of websites, the entire block of IPs is then blocked.
n/a dbe7 2017-02-25
A commercial VPN will have several people using the same apparent address, so you can get multiple requests to a site from the same IP, making it (incorrectly) look like bot activity.
It's not that bad on some sites, on some its terrible.
n/a captainktainer 2017-02-25
How does this affect anime?
n/a anotheraccount323 2017-02-25
Now everyone knows what hentai you look at.
n/a captainktainer 2017-02-25
Oh. Is that all? I was hoping for something that made everyone know where anime belongs.
n/a HueGenics 2017-02-25
Isn't that what facebook is for?
n/a ____________13 2017-02-25
Pfft. Everyone on this train already knows that
n/a Nomadlads 2017-02-25
animenewsnetwork.com may be affected so it may help us gas the weebs quicker.
n/a flipkt 2017-02-25
Hahaha, Google takes down cloudflare. Apparently, cloudflare has been having a "beef" with Google for a long time. Reading through this, it seems to me that Travis was giggling to himself as he wrote all the stuff. It's pretty obvious if you read between the lines that he wanted to pit as many damaging info as possible to embarrass cloudflare. Travis even notified the cloudflare team on a Friday evening, on twitter, without tagging anyone lol.
n/a going_for_a_wank 2017-02-25
Damn that is impressively petty.
n/a flipkt 2017-02-25
Don't cross google. They probably have skynet by now and seeing as we're not living in a post apocalyptic wasteland, they must be controlling it!
n/a anotheraccount323 2017-02-25
n/a flipkt 2017-02-25
n/a anotheraccount323 2017-02-25
i'm not disagreeing with you. I was just loling at how terrible Cloudflare fucked up.
Like, damn.
n/a flipkt 2017-02-25
Google now knows all this in addition to everything they already know. But yeah cloudflare done fucked up real bad. There's no whitewashing this.
n/a flipkt 2017-02-25
Hahaha, Google takes down cloudflare. Apparently, cloudflare has been having a "beef" with Google for a long time. Reading through this, it seems to me that Travis was giggling to himself as he wrote all the stuff. It's pretty obvious if you read between the lines that he wanted to pit as many damaging info as possible to embarrass cloudflare. Travis even notified the cloudflare team on a Friday evening, on twitter, without tagging anyone lol.
n/a PM_ME_HAIRLESS_CATS 2017-02-25
The idea of trusting another service to forward all my traffic protected or not always seemed hinky.