Just To Be Safe, We're Resetting All Techdirt Passwords In Response To Cloudbleed

from the abundance-of-caution dept

As you may have heard, late yesterday it was revealed that there was a pretty major bug that was potentially leaking all sorts of sensitive data for some companies that use Cloudflare. The bug is being dubbed “Cloudbleed” as it’s actually quite similar to what happened a few years ago with OpenSSL in what was known as Heartbleed. Cloudflare was alerted to the bug by some Google security researchers and quickly patched the problem — but it had gone on for months, with some sensitive data being indexed by search engines (that’s all been cleaned up too).

At Techdirt, we use some Cloudflare services. It is unclear (and, in fact, unlikely) that any Techdirt data leaked via Cloudbleed. Also, we don’t retain sensitive data from our users. However, in an abundance of caution, we have decided to reset everyone’s passwords. If you have an account on Techdirt (which is not a requirement), you will be logged out, and will be required to go through the password reset process to get back into your account. Yes, this is a bit of a pain for our users, but despite the low likelihood of people here being impacted, we felt it was the right thing to do. Various security researchers have suggested that people change their passwords at other sites as well, and we recommend using a password generator/wallet (some of which will automatically change passwords at many sites upon request) to do so.

Companies: cloudflare, techdirt


Comments on “Just To Be Safe, We're Resetting All Techdirt Passwords In Response To Cloudbleed”

53 Comments
Roger Strong (profile) says:

Re: Re: Re:

The Chinese wall failed to keep invaders out.

The Egyptian pyramids were vanity projects, tombs quickly looted once the Old Kingdom collapsed. The later kingdoms over the next couple thousand years switched to hidden underground tombs for more security.

I’ll happily stick with this age.

"Let others praise ancient times; I am glad I was born in these."

- Ovid (43 BC-17 AD)
Anonymous Coward says:

Hackers in the machine

Supposed to be “ghost” in the machine, but hey, modernity.

A few weeks ago I noticed that the ssh “door rattlers” (folks trying random passwords against boxes exposed to the internet) climbed drastically. From an average of 600 unique IPs or so per day, I was seeing around 25,000. The targets were machines in six data centers in the US, two in Germany, a few in Sydney, and a few dozen in RIPE land. The sources came mostly from Ukraine, Russia and China Railway (thought to really be the NKPR but I have no opinion on that).

As a consequence, all PAM password authentication under my control has been turned off in favor of certificates or keys. I do normally use keys, but I left passwords open since I use pretty big, generated passwords changed every so-many hours, and instituted firewall rules to rate limit all ports that use authentication credentials per source IP.

That said, there’s no excuse not to be planning what to do and how when a system finally is successfully compromised. I suggest using salt or puppet to automate rolling out new servers. As the saying goes, “Treat your servers like cattle, not pets”.

The Wanderer (profile) says:

Re: Re:

I got the same thing on the first try.

The reason is that I have my mail client set to display the plain-text version of the message, and apparently that version omits the newline between the confirmation URL and the “If you did not request a password reset”, so doing a right-click and “Copy URL” on the link gives you a URL with the word “If” appended to the confirmation code – which of course gets interpreted as an invalid confirmation code.

Paste the URL into the address bar and delete the “If” from the end, and you’ll probably see it work just fine.

(This should still be fixed on the backend so that future reset mails get sent out with the plain-text copy correct, of course. This is just a workaround.)
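The failure mode in this comment, as an added example (not Techdirt's reset code): a text/plain reset body whose URL runs straight into the next sentence makes a mail client's copy-link pick up "If" as part of the confirmation code, and a strict token format check then rejects it. The token format (32 lowercase hex characters), the `code` query parameter and the URLs are assumptions for the illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical token format; the real site's format is not on the page.
TOKEN_RE = re.compile(r"^[0-9a-f]{32}$")

# Constructed values for the demonstration.
RESET_URL = "https://example.invalid/reset?code=" + "a" * 32
# The broken plain-text part: no newline between the URL and the next sentence.
BROKEN_BODY = (
    "Someone requested a password reset for your account.\n\n"
    + RESET_URL + "If you did not request a password reset, ignore this message.\n"
)


class InvalidResetLink(ValueError):
    pass


def extract_reset_token(url):
    """Return the 'code' query parameter, rejecting anything not matching the strict format."""
    codes = parse_qs(urlsplit(url).query).get("code", [])
    if len(codes) != 1 or not TOKEN_RE.match(codes[0]):
        raise InvalidResetLink(f"malformed confirmation code in {url!r}")
    return codes[0]


def is_valid_reset_link(url):
    try:
        extract_reset_token(url)
        return True
    except InvalidResetLink:
        return False


def render_plaintext_reset_email(reset_url):
    """Fixed text/plain part: the URL sits alone on its own line with a blank line after it,
    so URL detection stops at the line end and copy-link yields the bare URL."""
    return "\n".join([
        "Someone requested a password reset for your account.",
        "",
        reset_url,
        "",
        "If you did not request a password reset, ignore this message.",
    ]) + "\n"


def link_copied_from_body(body):
    """Simulate a mail client's 'Copy URL': the first http(s) run of non-whitespace characters."""
    m = re.search(r"https?://\S+", body)
    return m.group(0) if m else None
```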

Anonymous Coward says:

Waiting on the reset password. Meanwhile, my major resistance to the password wallet is fear that all it does is collect all my passwords into one convenient place so hackers need not crack a bunch of passwords to get access to everything, they can just crack this one.

Given that basically every security system seems to get hacked now and then, how could a password wallet existing in my computer and talking to the internet be safe?

Anonymous Coward says:

Re: Re:

The effort it takes to hack a single personal computer is simply not worth it for most adversaries. As long as you follow basic security practices like updating software regularly and don’t install software you don’t trust, the risk is pretty low. The targets are sites themselves, which can yield anywhere from thousands to millions of accounts in a single hack.

If you’re dealing with high stakes accounts like bitcoin or other financial data it would be a good idea to have a separate, even offline password storage but for your average user an email and techdirt account password are worth very little.

Anonymous Coward says:

Re: Re: Re:

“As long as you follow basic security practices like updating software regularly and don’t install software you don’t trust the risk is pretty low.”

“Software you don’t trust”, such as anything from Microsoft or Apple? So, 99% of the planet’s hosed from the get go? Don’t even bother trying using that garbage. That’s my view.

I’m looking forward to the next planet killer asteroid. It’ll be so refreshing.

Anonymous Coward says:

Re: Re:

Do you seriously think any other organization actually takes security seriously?

Right now, at the base level, we still code and write software that has security only as a secondary thought at best. If you DO write it with security being first then you still only get second class security because the compilers, run-times, and a whole bunch of other giants your code is standing on are prone to replay attacks, buffer overflows, logical flaws, and other unexpected bugs and such. And not only that, you still have to do it all over “pre-established” protocols that come with their own flaws and vulnerabilities because you can’t just make a new programming language or protocol that everyone understands without years of work and effort to get it adopted by the industry.

People are just prone to suffer that which is sufferable so we keep using the same old garbage we have been using because it works. It might work like shit, but it works, so would you like another plate of shit friend? Cause that is the only thing on the menu!

Mike Masnick (profile) says:

Re: Re:

You’re still sticking with the company after this?

Yes. For a variety of reasons. First, there is no indication that this was malicious. There are always bugs out there. Second, working with a company like Cloudflare that is focused on security is always going to be better than doing it ourselves as a small operation. If it were just us, we likely would never have found this kind of bug. Third, working with a company like Cloudflare also means that such things get fixed much faster than they otherwise would have been fixed. Fourth, Cloudflare was a tremendous help to us in the past when we were hit with a DDoS attack from someone who was unhappy with a comment on the site.

SpaceLifeForm says:

Re: Re: cf still not trustable at this point

Been on net pre-mosaic. Been seeing attacks on blogs since y2k. Still seeing weird website/blog behavior on other sites that use cf.

The problems are not solved yet.

Basically, if you have decided to use cf, you have traded one attack (DDOS) for an allegedly smaller attack surface. The problem with the smaller attack surface via cf is that it is actually a smaller attack surface for the real attackers. They only have to find the software bugs in cf, and then attack millions of websites.

Suspect Cogent part of problem.

Mike Masnick (profile) says:

Re: Re: Re: Re:

If it was just you, you wouldn’t have had this kind of bug. This exists only because a third party is processing requests to your site.

This is almost certainly not true. We’d have lots and lots of other bugs. The protection provided by using a third party who can throw many resources at protecting us is much more valuable than assuming that security by obscurity is a good system.

Anonymous Coward says:

Re: Re:

“Another reason to remain “anon””

Security through obscurity; yeah, that’s a proven defence method. If you hold your hands over your eyes, they can’t possibly see you to target you. Sure.

Me, I fell off the net last year and gave up on the “social” side of it. Now, it’s only used for research (pull) and updating software (also pull).

“Human to human interaction” is no longer viable via the net. There’s too much noise in the system to suffer it.

Anonymous Coward says:

Re: Reset

“It’s good to reset your password periodically in any case.”

That’s an unproven assumption on your part. Sounds good, but that’s all. That koolaid’s laced with cyanide.

Use better pwords (upcase + lowcase + punctuation + integers + avoid dictionary words) or use ssh keys instead, all unique per service (no re-use).

Fold in “the cloud is a trap” and “if you don’t control it, you’re being controlled.”

My $0.02 (which’ll buy nothing these days). Yes, I already realize this’ll never change anything, but had to try.

Have fun. Bonne chance.

Anonymous Coward says:

I’m not even going to bother going through the password reset. Cloudflare has always been a dubious service and website owners who use it get exactly what they deserve.

Cloudflare requires you to give up a lot of control and any service that forces you to allow it to investigate your site staff is just a corrupt service.

Techdirt, if they rely on Cloudflare as a service, deserves exactly what happened because of this breach.

I don’t use Cloudflare on my site, although I had considered using it before, until I read their terms of service, which was totally UNACCEPTABLE behavior. You are required to allow Cloudflare to conduct investigations on any administrator, moderator or any staff you have on your site.

This isn’t a slam on techdirt but rather on their usage of Cloudflare. There are better alternatives out there.

ehud gavron (profile) says:

Thank you for TechDirt DRM

Congratulations for punishing ALL of your users for no reason.

– You are unaware that anything relating to TD was compromised.
– The “worst” possible thing that could happen is someone who is not a subscriber could login to TD.
– You’ve inconvenienced ALL of your users.
– This is JUST like DRM

Can you imagine if Facebook, Snapchat, Instagram, or Twitter had written the same thing? “We’re not sure that we’re even affected, but we use CloudStuff so maybe wut, and so ALL of you MUST change ALL your passwords go team.”

Roll-your-own security is a no-no. Responding to a non-threat with a blanket requirement to update passwords is hysterical. Not in the funny way.

E

Ehud Gavron (profile) says:

Re: Re: DRM, Personal choices, and if you post here the FBI may come calling

You get to make your strategy and I get to make mine. That’s part of the beauty of freedom of expression. I have the freedom to express my choice of password(s).

My authentication strategy balances costs of maintaining a database of mechanisms vs the risk of what those mechanisms protect. My financial, airline, and public utilities passwords are all different. My news and social media passwords are not.

The risk here is that someone will be able to post as me on social media. The reward is I don’t have to keep track of passwords for e.g. TechDirt, ArsTechnica, Wired, WashPo, NYT, Twitter, FB, and many others.

Because MY security is MY responsibility that allows ME to determine MY policy. (Similarly I respect Mike’s answer where he says TD gets to determine TD’s policy…)

Whenever something happens there are always people happy to give advice. They are the “lawprawfs” of IT, eager to “share” their non-practiced knowledge in the hopes of getting their name in print.

Personally, I turn to Bruce Schneier or Eugene Kaspersky or Joel Snyder when I want real computer security advice. You’ll note none of those gentlemen has opined on any real significance to Cloudbleed nor made a call to global password changes.

I like TechDirt.

The FBI had a “chat” with me partially because I post on here. Summary here: http://thehood.livejournal.com/109302.html

Best wishes to all. Also I did not reset my password.

E

Mike Masnick (profile) says:

Re: Re: Re: DRM, Personal choices, and if you post here the FBI may come calling

Also I did not reset my password.

You can always put back in the same password if that’s the key concern here (we don’t have anything stopping that, as we don’t know what your old pwd was anyway). And, yes, I recognize that you are taking a stand over the inconvenience part, and you feel that we should not have inconvenienced so many people, but we differ on our analysis of what was the most prudent action here.

Mike Masnick (profile) says:

Re: Thank you for TechDirt DRM

Can you imagine if Facebook, Snapchat, Instagram, or Twitter had written the same thing? "We’re not sure that we’re even affected, but we use CloudStuff so maybe wut, and so ALL of you MUST change ALL your passwords go team."

I’ve seen similar things happen in the past with sites that have forced large groups of users to change passwords:

https://www.dropbox.com/help/9257
http://fortune.com/2016/06/07/facebook-netflix-passwords/
https://blog.linkedin.com/2016/05/18/protecting-our-members
https://thenextweb.com/socialmedia/2010/02/02/twitter-forcing-users-change-password-reported-threat-phishing-attacks/#.tnw_4yR7CA3Y

Yes, those involved more specific attacks, but part of the problem with Cloudbleed is that there’s no good way to determine if the data here was at risk. And, I disagree that it’s the "worst" possible thing. First, many users (unfortunately) reuse passwords. So if we let a password out, it could impact them on many other sites.

Also, after reading up on Cloudbleed, multiple security experts suggested exactly this course of action. I’m truly sorry that it’s an inconvenience, but it’s a very, very temporary one and I don’t see how it’s like DRM at all. DRM is a persistent, awful, limitation on things that you’ve purchased which block you from actually using what you’ve purchased. In this case, we made a move to actually make sure our users are safe.

