Cloudflare bug data leak exposed (bbc.co.uk)
94 points by ig1 on Feb 24, 2017 | hide | past | favorite | 43 comments


He told the BBC there was no evidence yet that the data had been used maliciously.

Huh?

https://webcache.googleusercontent.com/search?q=cache:VlVylT...

That request is scrubbed now, but it contained an Uber driver's lat-long coordinates. I used it to look up where they were driving.

CloudFlare really aren't helping themselves with these statements. The people who decide whether to use CloudFlare are programmers, and programmers generally can't be duped with statistics like "1 in 3.3M requests were leaking data" (translation: 100k requests per day were leaking data[1]) or "There's no evidence anyone used this data maliciously" (translation: we have no idea what is being exploited).

[1] https://news.ycombinator.com/item?id=13719518 and https://news.ycombinator.com/item?id=13722606


> CloudFlare really aren't helping themselves with these statements

Seconded. For example, here is CloudFlare's Chief Technology Officer regarding their response time:

"[Tavis, the Google engineer who discovered this bug, is] saying he’s frustrated but I’m a little bemused at why he’s frustrated with six days rather than 90" [1].

CloudFlare's CTO shouldn't be running around doing interviews with TechCrunch, let alone expressing bemusement about a fire from his camp.

[1] https://techcrunch.com/2017/02/23/major-cloudflare-bug-leake...


There's still leaked data all over google cache: https://webcache.googleusercontent.com/search?q=cache:oN9z-b...


Interesting. That site still has pages in the yandex cache as well.

http://hghltd.yandex.net/yandbtm?fmode=inject&url=http%3A%2F...


CF should be clear in its response that working with third parties such as google to clear cached responses with overflow data is an ongoing process and that other parties may have cached responses that CF has no control over.


> "I am not changing any of my passwords. I think the probability that somebody saw something is so low it's not something I am concerned about."

I am confused. The probability of someone seeing it is irrelevant, given that the leak happened already. Is security not supposed to be preemptive? For such an easy measure to take (password changing), saying you don't want to change it seems pretty silly. You can change all of your passwords in 30 minutes tops.

I believe the CTO is also mistaken about the probability anyway. As this is more publicized the likelihood of malicious people exploiting this will only increase. Therefore it's a race between them and the good actors fixing the problem. In the interim, changing your passwords at the very least should be done.


I feel like I'm missing a partial context but "You can change all of your passwords in 30 minutes tops" is not true. I have a minimal number of accounts (I close accounts I don't use) and I can't imagine it taking me less than several hours of slogging through it to change all my passwords (e.g. updating password database, 2FA confirmations, making sure I don't lock the account I change the password on, etc.)

So I have to aim for the clearly impacted ones from this (if named/discoverable) and then have to decide how vulnerable I feel and whether I should go through the extra effort (or not) for every password I conceivably have.


I am halfway through changing the 60 passwords for services and accounts I have used since last September.

Cloudflare's COO publicly dismissing the danger with a wan smile and a wave of his hand was motivation enough for me.

That, and this ridiculous statement: "Unfortunately, it was the ancient piece of software that contained a latent security problem and that problem only showed up as we were in the process of migrating away from it," he wrote.

My understanding is that they were not "in the process of migrating away from" an "ancient piece of software," but rather that this was something they implemented five months ago and that they had no idea anything was wrong until Google told them what they found.

That sort of behavior does not inspire trust and confidence.


This is clearly PR on his part; I'm not sure it'll play out the way he anticipates though, this basically screams carelessness to a bunch of people who will be (rightfully) upset about the bug.


Damage control PR at its finest. The CTO should resign over this terrible advice. No one knows just how much cached data is out there or just how much this was triggered since September 2016, and to assume the best case scenario is irresponsible and reeks of CYA instead of putting the public interest first.


> The CTO should resign over this terrible advice.

Whether or not he does I hope companies who use CloudFlare strongly consider alternatives. His comment certainly isn't out of ignorance, he has blogged at length on the necessity of password security and lambasted other companies for their behaviour in situations such as this.

http://blog.jgc.org/


Oh, he's a horrible person anyways, let alone the misleading and very damaging "help" of signalling to users there's no security problem.

That above is a pretty harsh thing to allege. So here's proof, from his own mouth.

First, he continually berates because "he called and Brian Krebs never responded".. Well, he invited him on stage of a BlackHat conference.

Secondly, the cloudflare CEO states that the booters (ddos pay-as-you-go sites protected by cloudflare) don't even pay, or pay with stolen credit cards. And admits it is "just a disaster".

Thirdly, a direct insult towards Krebs onstage: "Well, who needs to actually ask questions as a journalist?" 48:08 ... No. Just no. Absolutely not.

And if I can find the post, Matthew Prince on here posted this video as a defence against a Tor dispute. Somehow, he thinks it's somehow enlightened and upright. My opinion, I don't believe so at all.

https://www.youtube.com/watch?v=wW5vJyI_HcU

Edit:

     Further citation: 
     https://news.ycombinator.com/item?id=12575047 
     look for user:eastdakota 
     page text:"Yes, you can see Brian's critique of us here:"


Another Cloudflare customer also said basically this is much ado about nothing, but prefaced their comment by saying "We take security seriously".

What's offensive here is if you take security seriously, then if there is a .01% chance of a disclosure - you tell people to change their passwords, tokens, etc. That is taking security seriously.


Would you say the same at .001%? How about .0001%?

It is possible for someone to take security seriously but not blindly value the tiniest bit of security over every other possible factor. Perhaps because they also take usability seriously.


You have to evaluate the type of account disclosure that was possible against your own use cases.

My company bills 1m a day through our online site, if my logins to our domain registrar were exposed then yes. .00001 is worth it, in the case someone would gain access and change our dns or do something else nefarious.

Likewise if my login to this site was disclosed, I can live with cleaning that up should it get out.

What shouldn't happen is the companies who were affected or the company who caused this (cloudflare) to say "no big deal"

At the very least they should say if you potentially used a serious service during this time and that service was using cloudflare then you might consider changing for reasons X,Y,Z.


>You have to evaluate the type of account disclosure that was possible against your own use cases.

Exactly. Evaluating risk levels and weighing tradeoffs accurately is taking security seriously. Overreacting to insanely unlikely scenarios is not.


Yes, but you might not understand me. I meant they are assuming they are doing the evaluating on behalf of their customers. I'm the customer and I've got to do the evaluating, but I might not understand the potential, and telling me there is almost no issue doesn't help me do that.


If they understand security better than their customers, it's correct for them to say so when an issue doesn't require customers to individually review whether they are affected.

If they misjudge that, it isn't an indication that they don't "take security seriously". It just means they made an error in judgment.


If your password for Cupcakely (made up) was leaked, and it was a 0.01% chance... well, who cares. Someone might order some cupcakes on my account.

If it is say a financial company and the leak of data from your account alone could have massive repercussions on your company and/or investigations by the SEC and others...then yeah...if there is a 0.000001% chance someone out there has your login info, you change that right away. Or be found to be negligent and not change them, see how fast you wind up without a job/in court/fined/jailed. Just. Change. Your. Password.


Good advice in password security is that you should never store passwords in plain text on your private machines and on servers. With the CloudFlare bug your passwords can be stored unencrypted in local browser caches of random people who may have malicious intentions or whose machines may be compromised (already or in the future).


If the technical issue wasn't enough reason to leave CF, this should be.


Is it though? Is anywhere else really any better? Won't CloudFlare be reviewing everything now? Will they be more secure after this and more trustworthy? I'm asking myself these questions now.

Really, I don't know the answers, but I'm not leaving because this seems like something that could happen anywhere at anytime. I honestly don't know though.


Poor judgement in leadership is reason enough for me. Will they be reviewing everything? Perhaps. The person overseeing that review may not be erring on the side of caution though. Concerns me. Draw your own conclusion I guess.


> Is anywhere else really any better?

Yes. A t-shirt contest is a joke of a security bug bounty.

https://hackerone.com/cloudflare (t-shirt)

vs.

https://hackerone.com/coinbase ($500-$10k) or https://hackerone.com/uber ($500-$10k) or https://hackerone.com/facebook ($500-$10k) or dozens of others...


That's a bit of a straw man. Bug bounty payout isn't any indication that one company is better at security than another. Also, any one of those companies could be sitting on some obscure bug that is currently unknown to anyone in the company until it tragically makes itself known.


Look at Tarsnap's bug bounty: http://www.tarsnap.com/bounty-winners.html . This guy has given out more than a thousand dollars and this is (as far as I know) a one man shop. How big is cloudflare? How secure should it be given that it asks for customers' private SSL keys? I would say they should have the biggest bounty program.

This leads to one of the two conclusions: 1) They are too cocky to think that they may have security problems (which is a big problem) 2) They know they may have security problems but don't care enough (which is a bigger issue).

There is no way you can cut this to make them look good.


I'm not making any argument for or against CF. I'm saying that equating the size of a bounty program to the perceived level of dedication to security or code quality of a company is a straw man argument.


If you offer less than $50 for something someone else in the market (albeit for a likely unethical purpose) is willing to pay $10k for, what do you expect people to do?

It isn't a strawman to state economic incentives matter. Or do you genuinely believe everyone experienced in security will take the $50 because of "ethics"?


While I agree this is a silly comment to make, I too won't be changing my passwords until my regular yearly password change in a few months. If I had CIA-level intelligence floating around I would, but I find it rather unlikely that I'm exposed, and if I am it isn't the end of the world as I self-host my email and other critical services, thus I know for certain they are unaffected by this.


That's not a very helpful statement to make.


Good point. While the chances are really high that SOMEONE will be affected in a really bad way, the chances that any single person got hit is really low. But as CEO he should be erring on the side of caution here I'd think, because of his position. Him saying that kind of implies that it's not a big deal and no one should be taking any steps to be sure they're not the person who is in trouble.

The number of people who lost passwords is low, but it certainly happened to someone and none of us know if we're that someone.


I am almost certain someone is scanning archives for this data and reviewing it for anything sensitive now that they know it exists. Yesterday when Google announced the SHA-1 collision, someone else took that and used it to unlock a 2.4btc reward; at the same point a bot scanning for this attempted to double spend the reward with a higher fee to claim the reward.

The first guy knew how to take advantage of the information but the second guy could sit and wait for someone else to solve it and take the reward; it also meant the bot programmer wasn't in a competition with everyone to submit the solution first.

Given that there are many bitcoin sites listed with cloudflare there is some potential reward in locating and scanning that data.


Albeit he may be right, as the CTO he's way too optimistic because he can't know, he can just assume! Just let the people understand (get to know) the problem and change the password, what's the problem?


I changed most of my passwords today.

It's good to change the passwords every so often anyway - it took me less time to just change my important passwords than to check if the sites they are for were using Cloudflare.


It seems that they're intent on downplaying the severity. It's one thing to present this confident attitude to the end user, but I wonder what the companies who pay CloudFlare make of this attitude? Perhaps it's a tactic so that if the end-users aren't worried then they won't pressure whichever services they use to move away from CloudFlare? Regardless, I think his entire statement is tripe.


The story also highlights this "Unfortunately, it was the ancient piece of software that contained a latent security problem and that problem only showed up as we were in the process of migrating away from it"

Out of context that omits the fact that it was a new feature. Ragel might be old, but they did leverage it, on purpose, for net new functionality. The fix didn't remove Ragel either.


Sounds like bad advice in general. For the cloudflare CTO it would sound a lot better to hear something like: "While I don't think anyone needs to change their password, I changed mine; I actually do it regularly, to keep my accounts safe." Unfortunately it would not give such a good sound bite.


"I am not changing any of my passwords. I think the probability that somebody saw something is so low it's not something I am concerned about"

So... just cross your fingers and hope nobody saw anything then? The way they're casually downplaying this incident is outrageous.


Looks like they are going to downplay this. Interesting choice.


See other comments here, the event log, and the comments of the main story. They're downplaying it. https://bugs.chromium.org/p/project-zero/issues/detail?id=11...


I hate the BBC's article format.

Heading: (some alarmist half truth). Content: (what we said in the headline probably isn't true).


This is silly, irrespective of everything changing passwords is innocuous; why make a big deal out of it.


"What it shows, bigly, is that we may have just dodged a bullet."

"bigly" is a word now? Thanks Trump!



