Just To Be Safe, We're Resetting All Techdirt Passwords In Response To Cloudbleed
from the abundance-of-caution dept
As you may have heard, late yesterday it was revealed that there was a pretty major bug that was potentially leaking all sorts of sensitive data for some companies that use Cloudflare. The bug is being dubbed “Cloudbleed” as it’s actually quite similar to what happened a few years ago with OpenSSL in what was known as Heartbleed. Cloudflare was alerted to the bug by some Google security researchers and quickly patched the problem — but it had gone on for months, with some sensitive data being indexed by search engines (that’s all been cleaned up too).
At Techdirt, we use some Cloudflare services. It is unclear (and, in fact, unlikely) that any Techdirt data leaked via Cloudbleed. Also, we don’t retain sensitive data from our users. However, in an abundance of caution, we have decided to reset everyone’s passwords. If you have an account on Techdirt (which is not a requirement), you will be logged out, and will be required to go through the password reset process to get back into your account. Yes, this is a bit of a pain for our users, but despite the low likelihood of people here being impacted, we felt it was the right thing to do. Various security researchers have suggested that people change their passwords at other sites as well, and we recommend using a password generator/wallet (some of which will automatically change passwords at many sites upon request) to do so.
Filed Under: cloudbleed, passwords
Companies: cloudflare, techdirt
Comments on “Just To Be Safe, We're Resetting All Techdirt Passwords In Response To Cloudbleed”
An ounce of caution or a gallon of shit – what, this was a hard choice?
Re: Re:
Can I get that in metric?
Re: Re: Re:
fuckton
Re: Re:
Where’s the “Negative Insightful” button? Egyptians built pyramids, the Chinese built a wall you can see from orbit, and we built the Internet that allows dipsticks like this to spew content free garbage at the world. It’s a golden age we live in. 😛
Doofus.
Re: Re: Re:
The Chinese wall failed to keep invaders out.
The Egyptian pyramids were vanity projects, tombs quickly looted once the Old Kingdom collapsed. The later kingdoms over the next couple thousand years switched to hidden underground tombs for more security.
I’ll happily stick with this age.
Re: Re: Re: Re:
Ben Carson clearly indicated the pyramids were built for grain storage, why would anyone doubt this?
Re: Re: Re:2 Re:
Good point. A Secretary of Housing and Urban Development would be an expert on building construction.
Someday we’ll look back on this Presidency and laugh. It will probably be one of those deep, eerie ones that slowly builds to a blood-curdling maniacal scream… but still it will be a laugh.
Re: Re: Re:3 Re:
They were only later converted to store giant stone blocks.
Re: Re: Re:4 Re:
With dead bodies in.
Re: Re: Re:
I must protest. I can assure you that us dipsticks have been able to spew content free garbage at the world long before intarweb tubes.
Ah yes, I noticed only after posting i had become an Anonymous Coward, instead of a pseudonymous coward.
Hackers in the machine
Supposed to be “ghost” in the machine, but hey, modernity.
A few weeks ago I noticed that the ssh “door rattlers” (folks trying random passwords against boxes exposed to the internet) climbed drastically. From an average of 600 unique IPs or so per day, I was seeing around 25,000. These on machines in six data centers in the US, 2 in Germany, a few in Sydney, and a few dozen in RIPE land were the targets. The sources came mostly from Ukraine, Russia and China Railway (thought to really be the NKPR but I have no opinion on that).
As a consequence, all PAM password authentication under my control has been turned off in favor of certificates or keys. I do normally use keys, but I left passwords open since I use pretty big, generated passwords changed every so-many hours, and instituted firewall rules to rate limit all ports that use authentication credentials per source IP.
That said, there’s no excuse not to be planning what to do and how when a system finally is successfully compromised. I suggest using salt or puppet to automate rolling out new servers. As the saying goes, “Treat your servers like cattle, not pets”.
Re: Hackers in the machine
Guerillas in the Mist
“Confirmation code expired or incorrect.”
is what I got 3 times in a row pasting (!) the code.
techflaws
Re: Re:
And another 3 times with the same result.
Re: Re:
I got the same thing on the first try.
The reason is that I have my mail client set to display the plain-text version of the message, and apparently that version omits the newline between the confirmation URL and the “If you did not request a password reset”, so doing a right-click and “Copy URL” on the link gives you a URL with the word “If” appended to the confirmation code – which of course gets interpreted as an invalid confirmation code.
Paste the URL into the address bar and delete the “If” from the end, and you’ll probably see it work just fine.
(This should still be fixed on the backend so that future reset mails get sent out with the plain-text copy correct, of course. This is just a workaround.)
Re: Re: Re:
D’uh, that did the trick. Good catch, thx.
Waiting on the reset password. Meanwhile, my major resistance to the password wallet is fear that all it does is collect all my passwords into one convenient place so hackers need not crack a bunch of passwords to get access to everything, they can just crack this one.
Given that basically every security system seems to get hacked now and then, how could a password wallet existing in my computer and talking to the internet be safe?
Re: Re:
The effort it takes to hack a single personal computer is simply not worth it for most adversaries. As long as you follow basic security practices like updating software regularly and don’t install software you don’t trust the risk is pretty low. The targets are sites themselves which can yield anywhere from thousands to millions of accounts in a single hack.
If you’re dealing with high stakes accounts like bitcoin or other financial data it would be a good idea to have a separate, even offline password storage but for your average user an email and techdirt account password are worth very little.
Re: Re: Re:
“As long as you follow basic security practices like updating software regularly and don’t install software you don’t trust the risk is pretty low.”
“Software you don’t trust”, such as anything from Microsoft or Apple? So, 99% of the planet’s hosed from the get go? Don’t even bother trying using that garbage. That’s my view.
I’m looking forward to the next planet killer asteroid. It’ll be so refreshing.
Re: Re: Re:
Thanks (I’m the AC above). I know my concerns are stupid since people who know internet security far better than me all advise some sort of password wallet, it’s just hard for my abacus-level brain to wrap around when it seems like all those same security professionals keep getting hacked.
You’re still sticking with the company after this?
Re: Re:
Do you seriously thing any other organization actually takes security seriously?
Right now, at the base level, we still code and write software that has security only as a secondary thought at best. If you DO write it with security being first then you still only get second class security because the compilers, run-times, and a whole bunch of other giants your code is standing on are prone to replay attacks, buffer overflows, logical flaws, and other unexpected bugs and such. And not only that, you still have to do it all over “per-established” protocols that come with their own flaws and vulnerabilities because you can’t just make a new programing language or protocol that everyone understands without years to work and effort to get it adopted by the industry.
People are just prone to suffer that which is sufferable so we keep using the same old garbage we have been using because it works. It might work like shit, but it works, so would you like another plate of shit friend? Cause that is the only thing on the menu!
Re: Re:
Yes. For a variety of reasons. First, there is no indication that this was malicious. There are always bugs out there. Second, working with a company like Cloudflare that is focused on security is always going to be better than doing it ourselves as a small operation. If it were just us, we likely would never have found this kind of bug. Third, working with a company like Cloudflare also means that such things get fixed much faster than they otherwise would have been fixed. Fourth, Cloudflare was a tremendous help to us in the past when we were hit with a DDoS attack from someone who was unhappy with a comment on the site.
Re: Re: cf still not trustable at this point
Been on net pre-mosaic.
Been seeing attacks on blogs
since y2k. Still seeing wierd
website/blog behavior on other
sites that use cf.
The problems are not solved yet.
Basically, if you have decided
to use cf, you have traded one
attack (DDOS), for an allegedly
smaller attack surface. The problem
is that the smaller attack surface
via cf is that it is actually a
smaller attack surface for the real
attackers. They only have to find
the software bugs in cf, and
then attack millions of websites.
Suspect Cogent part of problem.
Re: Re: Re: cf still not trustable at this point
Manual word wrap looks great!
Re: Re: Re:
If it was just you, you wouldn’t of had this kind of bug. This exists only because a third party is processung requests to your site.
Re: Re: Re: Re:
This is almost certainly not true. We’d have lots and lots of other bugs. The protection provided by using a third party who can throw many resources at protecting us is much more valuable than assuming that security by obscurity is a good system.
Password Reset
That didn’t hurt much, but may I have a band-aid please?
Re: Password Reset
You only need a bandaid if you broke the skin and are at risk of infection. This wasn’t really even a bruise; more like a minor irritation or tickling. Shake it off.
Re: Re: Password Reset
Whoosh! The band-aid isn’t for me, it’s for the bleeding bug. They even named it Cloudbleed, and it’s bleeding all over the place.
Another reason to remain “anon”
Re: Re:
“Another reason to remain “anon””
Security through obscurity; yeah, that’s a proven defence method. If you hold your hands over your eyes, they can’t possibly see you to target you. Sure.
Me, I fell off the net last year and gave up on the “social” side of it. Now, it’s only used for research (pull) and updating software (also pull).
“Human to human interaction” is no longer viable via the net. There’s too much noise in the system to suffer it.
Re: Re: Re:
Wow – lol
Reset
It’s good to reset your password periodically in any case. Had no trouble, myself… beyond having to log into my yahoo email account for the first time in about a year and a half. 😀
Re: Reset
“It’s good to reset your password periodically in any case.”
That’s an unproven assumption on your part. Sounds good, but that’s all. That koolaid’s laced with cyanide.
Use better pwords (upcase + lowcase + punctuation + integers + avoid dictionary words) or use ssh keys instead, all unique per service (no re-use).
Fold in “the cloud is a trap” and “if you don’t control it, you’re being controlled.”
My $0.02 (which’ll buy nothing these days). Yes, I already realize this’ll never change anything, but had to try.
Have fun. Bon chance.
I’m not even go9ing to bother going through the password reset. Cloudflare has always been a dubious service and website owners who use it get exactly what they deserve.
Cloudflare requires you to give up a a lot of control and any service that forces you to allow it to investigate your site staff is just a corrupt service.
Techdirt, if they rely on Cloudflare as a service, deserves exactly what happened because of this breach.
I don’t use Cloudflare on my site, although I had considered using it before, until I read their terms of service, which was totally UNACCEPTABLE behavior. You are required to allow Cloudflare to conduct investigations on any administrator, moderator or any staff you have on your site.
This isn’t a slam on techdirt but rather on their usage of Cloudflare. There are better alternatives out there.
Re: Re:
You have no idea what you’re talking about.
Re: Re: Re:
Every web presence gets the cloud services they deserve?
¯(ツ)/¯
Re: Re: Re: Re:
Can we send you email?
Re: Re: Re:2 Re:
Please!
i.invented.email@command.com
You forgot techdirt deals
I figured it was worth changing too.
Thanks
eom
Thank you for TechDirt DRM
Congratulations for punishing ALL of your users for no reason.
– You are unaware that anything relating to TD was compromised.
– The “worst” possible thing that could happen is someone who is not a subscriber could login to TD.
– You’ve inconvenienced ALL of your users.
– This is JUST like DRM
Can you imagine if Facebook, Snapchat, Instagram, or Twitter had written the same thing? “We’re not sure that we’re even affected, but we use CloudStuff so maybe wut, and so ALL of you MUST change ALL your passwords go team.”
Roll-your-own security is a no-no. Responding to a non-threat with a blanket requirement to update passwords is hysterical. Not in the funny way.
E
Re: Thank you for TechDirt DRM
So you keep all your passwords the same.. constantly?
You regard changing a password as “punishment”?
But aside from that do you not consider it odd that this situation occurs at the same time that Techdirt finds itself involved in legal proceedings initiated by a well known scumbag?
Re: Re: Thank you for TechDirt DRM
I don’t know about others. Maybe I’m the only one?
I never use the same password on any two web sites.
Re: Re: DRM, Personal choices, and if you post here the FBI may come calling
You get to make your strategy and I get to make mine. That’s part of the beauty of freedom of expression. I have the freedom to express my choice of password(s).
My authentication strategy balances costs of maintaining a database of mechanisms vs the risk of what those mechanisms protect. My financial, airline, and public utilities passwords are all different. My news and social media passwords are not.
The risk here is that someone will be able to post as me on social media. The reward is I don’t have to keep track of passwords for e.g. TechDirt, ArsTechnica, Wired, WashPo, NYT, Twitter, FB, and many others.
Because MY security is MY responsibility that allows ME to determine MY policy. (Similarly I respect Mike’s answer where he says TD gets to determine TDs policy…)
Whenever something happens there are always people happy to give advice. They are the “lawprawfs” of IT, eager to “share” their non-practiced knowledge in the hopes of getting their name in print.
Personally, I turn to Bruce Schneier or Eugene Kaspersky or Joel Snyder when I want real computer security advice. You’ll note none of those gentlemen has opined on any real significance to Cloudbleed nor made a call to global password changes.
I like TechDirt.
The FBI had a “chat” with me partially because I post on here. Summary here: http://thehood.livejournal.com/109302.html
Best wishes to all. Also I did not reset my password.
E
Re: Re: Re: DRM, Personal choices, and if you post here the FBI may come calling
You can always put back in the same password if that’s the key concern here (we don’t have anything stopping that, as we don’t know what your old pwd was anyway). And, yes, I recognize that you are taking a stand over the inconvenience part, and you feel that we should not have inconvenienced so many people, but we differ on our analysis of what was the most prudent action here.
Re: Re: Re:2 You catch more flies with honey
Thank you! I have reset my password and once again feel like I have a fresh shave, shower, and clean clothes.
Also… thanks for taking the time to respond to your readers 🙂
E
Re: Thank you for TechDirt DRM
I’ve seen similar things happen in the past with sites that have forced large groups of users to change passwords:
https://www.dropbox.com/help/9257
http://fortune.com/2016/06/07/facebook-netflix-passwords/
https://blog.linkedin.com/2016/05/18/protecting-our-members
https://thenextweb.com/socialmedia/2010/02/02/twitter-forcing-users-change-password-reported-threat-phishing-attacks/#.tnw_4yR7CA3Y
Yes, those involved more specific attacks, but part of the problem with Cloudbleed is that there’s no good way to determine if the data here was at risk. And, I disagree that it’s the "worst" possible thing. First, many users (unfortunately) reuse passwords. So if we let a password out, it could impact them on many other sites.
Also, after reading up on Cloudbleed, multiple security experts suggested exactly this course of action. I’m truly sorry that it’s an inconvenience, but it’s a very, very temporary one and I don’t see how it’s like DRM at all. DRM is a persistent, awful, limitation on things that you’ve purchased which block you from actually using what you’ve purchased. In this case, we made a move to actually make sure our users are safe.
Seemore
Seemore has a team of top working professionals to make sure your kids are in their comfortable zone and don’t feel stressed while working. We work with leading photographers, makeup artists and designers to create beautiful portfolios, that you as a parent will remember these precious moments.
http://www.flag-china.cn/beach-flag
We strive to provide to for our customers with quality Beach flags and Flag manufacturers as well. This flag is supplied with wooden and plastic hand waving stick which is suitable to carry as the flags are made up of polyester, nylon or vinyl fabrics.
www.webroot.com/safe
webroot.com/safe download | webroot.com/safe activate-With the development of the digital world, online protection is crucial. It is extremely important to protect your PCs, Mac, computers as well as mobile devices and tablets with install webroot on new computer. This can be done with the help of effective internet security and anti-virus products from install webroot on new computer that safeguards all devices used on digital platforms. Webroot is a private American company that provides comprehensive internet security solutions for consumers as well as businesses with various products. These services are available for home based computers, small offices as well as large business enterprises by preventing potential dangers in real time whenever they connect in the digital space for both personal and professional purposes.