Techdirt

by Mike Masnick


Filed Under:
cloudbleed, passwords

Companies:
cloudflare, techdirt



Just To Be Safe, We're Resetting All Techdirt Passwords In Response To Cloudbleed

from the abundance-of-caution dept

As you may have heard, late yesterday it was revealed that there was a pretty major bug that was potentially leaking all sorts of sensitive data for some companies that use Cloudflare. The bug is being dubbed "Cloudbleed" as it's actually quite similar to what happened a few years ago with OpenSSL in what was known as Heartbleed. Cloudflare was alerted to the bug by some Google security researchers and quickly patched the problem -- but it had gone on for months, with some sensitive data being indexed by search engines (that's all been cleaned up too).

At Techdirt, we use some Cloudflare services. It is unclear (and, in fact, unlikely) that any Techdirt data leaked via Cloudbleed. Also, we don't retain sensitive data from our users. However, in an abundance of caution, we have decided to reset everyone's passwords. If you have an account on Techdirt (which is not a requirement), you will be logged out, and will be required to go through the password reset process to get back into your account. Yes, this is a bit of a pain for our users, but despite the low likelihood of people here being impacted, we felt it was the right thing to do. Various security researchers have suggested that people change their passwords at other sites as well, and we recommend using a password generator/wallet (some of which will automatically change passwords at many sites upon request) to do so.


Reader Comments



  1. Anonymous Coward, 24 Feb 2017 @ 6:19pm

    An ounce of caution or a gallon of shit - what, this was a hard choice?


  2. orbitalinsertion (profile), 24 Feb 2017 @ 6:33pm

    Ah yes, I noticed only after posting I had become an Anonymous Coward, instead of a pseudonymous coward.


  3. Anonymous Coward, 24 Feb 2017 @ 7:14pm

    Hackers in the machine

    Supposed to be "ghost" in the machine, but hey, modernity.

    A few weeks ago I noticed that the ssh "door rattlers" (folks trying random passwords against boxes exposed to the internet) climbed drastically. From an average of 600 unique IPs or so per day, I was seeing around 25,000. The targets were machines in six data centers in the US, 2 in Germany, a few in Sydney, and a few dozen in RIPE land. The sources came mostly from Ukraine, Russia and China Railway (thought to really be the NKPR but I have no opinion on that).

    As a consequence, all PAM password authentication under my control has been turned off in favor of certificates or keys. I do normally use keys, but I left passwords open since I use pretty big, generated passwords changed every so-many hours, and instituted firewall rules to rate limit all ports that use authentication credentials per source IP.

    That said, there's no excuse not to be planning what to do and how when a system finally is successfully compromised. I suggest using salt or puppet to automate rolling out new servers. As the saying goes, "Treat your servers like cattle, not pets".

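The detection side of what this commenter describes, as an added example that is not from the post or the commenter: count unique source IPs behind sshd "Failed password" events per day, flag days that blow past the quoted 600-per-day baseline, and confirm from "Accepted ..." events that no login is still succeeding by password. The log lines are constructed in the default OpenSSH syslog format and use RFC 5737 documentation addresses; the spike threshold (five times baseline) is an assumption.

```python
"""Spot a brute-force spike in sshd logs and confirm password auth is gone.

Added example (not from the Techdirt post or its commenters). The log
lines are constructed; the 600-unique-IPs-per-day baseline is the figure
the commenter quotes and the 5x spike factor is an assumption.
"""
import re
from collections import defaultdict

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) \S+ \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
# Successful logins carry the method that was used.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+)"
)

# Constructed sample: a quiet day, then a day with 30 distinct attackers.
QUIET_DAY = [
    "Feb 10 03:14:22 web01 sshd[1234]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2",
    "Feb 10 03:15:02 web01 sshd[1240]: Failed password for root from 198.51.100.7 port 40021 ssh2",
    "Feb 10 08:00:00 web01 sshd[1300]: Accepted publickey for deploy from 192.0.2.10 port 50000 ssh2: ED25519 SHA256:constructed",
]
SPIKE_DAY = [
    f"Feb 11 00:00:{i:02d} web01 sshd[{2000 + i}]: Failed password for root "
    f"from 203.0.113.{i} port {40000 + i} ssh2"
    for i in range(1, 31)
] + [
    "Feb 11 00:01:00 web01 sshd[2099]: Failed password for root from 203.0.113.1 port 49999 ssh2",
    "Feb 11 09:12:00 web01 sshd[2100]: Accepted password for bob from 198.51.100.50 port 3333 ssh2",
]
SAMPLE_LINES = QUIET_DAY + SPIKE_DAY


def unique_sources_per_day(lines):
    """Return {"Feb 10": {ip, ...}, ...} built from failed password attempts."""
    per_day = defaultdict(set)
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            per_day[f"{m['month']} {m['day']:>2}"].add(m["ip"])
    return per_day


def flag_spikes(per_day, baseline=600, factor=5):
    """Days whose distinct attacking IPs exceed factor x the normal baseline."""
    return sorted(day for day, ips in per_day.items() if len(ips) > baseline * factor)


def accepted_by_method(lines):
    """Count successful logins per method. Any 'password' entry means PAM
    password authentication is still enabled somewhere despite the policy."""
    counts = defaultdict(int)
    for line in lines:
        m = ACCEPTED_RE.search(line)
        if m:
            counts[m["method"]] += 1
    return dict(counts)


if __name__ == "__main__":
    per_day = unique_sources_per_day(SAMPLE_LINES)
    for day in sorted(per_day):
        print(f"{day}: {len(per_day[day])} unique failed-password sources")
    # The sample is tiny, so a baseline of 2 stands in for the commenter's 600.
    print("spike days:", flag_spikes(per_day, baseline=2))
    print("accepted logins by method:", accepted_by_method(SAMPLE_LINES))
```

On a real host, feed it `journalctl -u ssh --no-pager -o short` or `/var/log/auth.log` and keep the default baseline.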

  4. Anonymous Coward, 24 Feb 2017 @ 9:16pm

    Re: Hackers in the machine

    Guerillas in the Mist


  5. Anonymous Coward, 24 Feb 2017 @ 10:04pm

    "Confirmation code expired or incorrect."

    is what I got 3 times in a row pasting (!) the code.

    techflaws


  6. Anonymous Coward, 25 Feb 2017 @ 3:00am

    Waiting on the reset password. Meanwhile, my major resistance to the password wallet is fear that all it does is collect all my passwords into one convenient place so hackers need not crack a bunch of passwords to get access to everything, they can just crack this one.

    Given that basically every security system seems to get hacked now and then, how could a password wallet existing in my computer and talking to the internet be safe?


  7. Anonymous Coward, 25 Feb 2017 @ 6:32am

    You're still sticking with the company after this?


  8. Anonymous Coward, 25 Feb 2017 @ 6:40am

    Re:

    The effort it takes to hack a single personal computer is simply not worth it for most adversaries. As long as you follow basic security practices like updating software regularly and don't install software you don't trust the risk is pretty low. The targets are sites themselves which can yield anywhere from thousands to millions of accounts in a single hack.

    If you're dealing with high stakes accounts like bitcoin or other financial data it would be a good idea to have a separate, even offline password storage but for your average user an email and techdirt account password are worth very little.


  9. Anonymous Coward, 25 Feb 2017 @ 7:03am

    Re:

    Do you seriously think any other organization actually takes security seriously?

    Right now, at the base level, we still code and write software that has security only as a secondary thought at best. If you DO write it with security being first then you still only get second class security because the compilers, run-times, and a whole bunch of other giants your code is standing on are prone to replay attacks, buffer overflows, logical flaws, and other unexpected bugs and such. And not only that, you still have to do it all over "pre-established" protocols that come with their own flaws and vulnerabilities because you can't just make a new programming language or protocol that everyone understands without years of work and effort to get it adopted by the industry.

    People are just prone to suffer that which is sufferable so we keep using the same old garbage we have been using because it works. It might work like shit, but it works, so would you like another plate of shit friend? Cause that is the only thing on the menu!


  10. Anonymous Anonymous Coward (profile), 25 Feb 2017 @ 7:22am

    Password Reset

    That didn't hurt much, but may I have a band-aid please?


  11. Anonymous Coward, 25 Feb 2017 @ 7:34am

    Another reason to remain "anon"


  12. JoeCool (profile), 25 Feb 2017 @ 7:51am

    Reset

    It's good to reset your password periodically in any case. Had no trouble, myself... beyond having to log into my yahoo email account for the first time in about a year and a half. :D


  13. Anonymous Coward, 25 Feb 2017 @ 8:09am

    I'm not even going to bother going through the password reset. Cloudflare has always been a dubious service and website owners who use it get exactly what they deserve.

    Cloudflare requires you to give up a lot of control and any service that forces you to allow it to investigate your site staff is just a corrupt service.

    Techdirt, if they rely on Cloudflare as a service, deserves exactly what happened because of this breach.

    I don't use Cloudflare on my site, although I had considered using it before, until I read their terms of service, which was totally UNACCEPTABLE behavior. You are required to allow Cloudflare to conduct investigations on any administrator, moderator or any staff you have on your site.

    This isn't a slam on techdirt but rather on their usage of Cloudflare. There are better alternatives out there.


  14. Roger Strong (profile), 25 Feb 2017 @ 9:03am

    Re:

    Can I get that in metric?


  15. Mike Masnick (profile), 25 Feb 2017 @ 9:35am

    Re:

    You're still sticking with the company after this?

    Yes. For a variety of reasons. First, there is no indication that this was malicious. There are always bugs out there. Second, working with a company like Cloudflare that is focused on security is always going to be better than doing it ourselves as a small operation. If it were just us, we likely would never have found this kind of bug. Third, working with a company like Cloudflare also means that such things get fixed much faster than they otherwise would have been fixed. Fourth, Cloudflare was a tremendous help to us in the past when we were hit with a DDoS attack from someone who was unhappy with a comment on the site.


  16. pixelpusher220 (profile), 25 Feb 2017 @ 10:49am

    Re: Re:

    fuckton


  17. Anonymous Coward, 25 Feb 2017 @ 11:12am

    Re:

    You have no idea what you're talking about.


  18. orbitalinsertion (profile), 25 Feb 2017 @ 11:50am

    Re: Re:

    Every web presence gets the cloud services they deserve?
    ¯\_(ツ)_/¯


  19. Anonymous Coward, 25 Feb 2017 @ 1:19pm

    Re: Re: Re:

    Can we send you email?


  20. SpaceLifeForm, 25 Feb 2017 @ 1:27pm

    cf still not trustable at this point

    Been on net pre-mosaic.
    Been seeing attacks on blogs
    since y2k. Still seeing weird
    website/blog behavior on other
    sites that use cf.

    The problems are not solved yet.

    Basically, if you have decided
    to use cf, you have traded one
    attack (DDOS), for an allegedly
    smaller attack surface. The problem
    is that the smaller attack surface
    via cf is that it is actually a
    smaller attack surface for the real
    attackers. They only have to find
    the software bugs in cf, and
    then attack millions of websites.

    Suspect Cogent part of problem.


  21. DV Henkel-Wallace (profile), 25 Feb 2017 @ 2:30pm

    You forgot techdirt deals

    I figured it was worth changing too.


  22. Anonymous Coward, 25 Feb 2017 @ 3:13pm

    Re: Re:

    If it was just you, you wouldn't have had this kind of bug. This exists only because a third party is processing requests to your site.


  23. Anonymous Coward, 25 Feb 2017 @ 5:39pm

    Re:

    Where's the "Negative Insightful" button? Egyptians built pyramids, the Chinese built a wall you can see from orbit, and we built the Internet that allows dipsticks like this to spew content free garbage at the world. It's a golden age we live in. :-P

    Doofus.


  24. Anonymous Coward, 25 Feb 2017 @ 5:52pm

    Re: Re:

    "As long as you follow basic security practices like updating software regularly and don't install software you don't trust the risk is pretty low."

    "Software you don't trust", such as anything from Microsoft or Apple? So, 99% of the planet's hosed from the get go? Don't even bother trying to use that garbage. That's my view.

    I'm looking forward to the next planet killer asteroid. It'll be so refreshing.


  25. Anonymous Coward, 25 Feb 2017 @ 6:00pm

    Re: Password Reset

    You only need a bandaid if you broke the skin and are at risk of infection. This wasn't really even a bruise; more like a minor irritation or tickling. Shake it off.


  26. Anonymous Coward, 25 Feb 2017 @ 6:11pm

    Re:

    "Another reason to remain "anon""

    Security through obscurity; yeah, that's a proven defence method. If you hold your hands over your eyes, they can't possibly see you to target you. Sure.

    Me, I fell off the net last year and gave up on the "social" side of it. Now, it's only used for research (pull) and updating software (also pull).

    "Human to human interaction" is no longer viable via the net. There's too much noise in the system to suffer it.


  27. Anonymous Coward, 25 Feb 2017 @ 6:28pm

    Re: Reset

    "It's good to reset your password periodically in any case."

    That's an unproven assumption on your part. Sounds good, but that's all. That koolaid's laced with cyanide.

    Use better pwords (upcase + lowcase + punctuation + integers + avoid dictionary words) or use ssh keys instead, all unique per service (no re-use).

    Fold in "the *cloud* is a trap" and "if you don't control it, you're being controlled."

    My $0.02 (which'll buy nothing these days). Yes, I already realize this'll never change anything, but had to try.

    Have fun. Bon chance.


  28. Anonymous Coward, 25 Feb 2017 @ 9:29pm

    Re:

    And another 3 times with the same result.


  29. madasahatter (profile), 25 Feb 2017 @ 11:14pm

    Thanks

    eom


  30. Mike Masnick (profile), 25 Feb 2017 @ 11:57pm

    Re: Re: Re:

    If it was just you, you wouldn't have had this kind of bug. This exists only because a third party is processing requests to your site.

    This is almost certainly not true. We'd have lots and lots of other bugs. The protection provided by using a third party who can throw many resources at protecting us is much more valuable than assuming that security by obscurity is a good system.


  31. The Wanderer (profile), 26 Feb 2017 @ 4:30am

    Re:

    I got the same thing on the first try.

    The reason is that I have my mail client set to display the plain-text version of the message, and apparently that version omits the newline between the confirmation URL and the "If you did not request a password reset", so doing a right-click and "Copy URL" on the link gives you a URL with the word "If" appended to the confirmation code - which of course gets interpreted as an invalid confirmation code.

    Paste the URL into the address bar and delete the "If" from the end, and you'll probably see it work just fine.

    (This should still be fixed on the backend so that future reset mails get sent out with the plain-text copy correct, of course. This is just a workaround.)

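The failure mode this commenter diagnosed, reproduced as an added example that is not Techdirt's code: a plain-text template that drops the newline after the reset URL, a URL autolinker of the kind mail clients use that then swallows the following "If", and the server-side check that rejects the mangled code. The reset endpoint, the template wording and the 32-hex-character token format are assumptions.

```python
"""Why a missing newline in a plain-text reset mail breaks the confirmation code.

Added example, not code from Techdirt. RESET_URL, the template text and the
token format are assumptions; URL_RE is the kind of pattern mail clients use
to turn plain text into clickable links.
"""
import re
import secrets

RESET_URL = "https://example.invalid/reset?code="   # assumed endpoint
TOKEN_RE = re.compile(r"^[0-9a-f]{32}$")             # assumed token format
URL_RE = re.compile(r"https?://[^\s<>\"]+")          # what an autolinker grabs
FOOTER = "If you did not request a password reset, ignore this message."


def render_plain_text(token, newline_after_url):
    """Build the text/plain part of the mail. Passing newline_after_url=False
    reproduces the template bug: the footer is glued straight onto the URL."""
    sep = "\n\n" if newline_after_url else ""
    return f"To confirm your reset, open:\n{RESET_URL}{token}{sep}{FOOTER}\n"


def autolinked_urls(body):
    """The URLs a mail client would offer under right-click > Copy URL."""
    return URL_RE.findall(body)


def token_from_url(url):
    """Extract the code the way the reset endpoint would see it."""
    return url[len(RESET_URL):] if url.startswith(RESET_URL) else None


def validate_token(candidate, expected):
    """Server side: strict format check first, then constant-time compare,
    so a code with 'If' appended fails the way the commenters observed."""
    if candidate is None or not TOKEN_RE.match(candidate):
        return False
    return secrets.compare_digest(candidate, expected)


def reset_link_works(token, newline_after_url):
    """End to end: does the link a user copies from the mail validate?"""
    body = render_plain_text(token, newline_after_url)
    return validate_token(token_from_url(autolinked_urls(body)[0]), token)


if __name__ == "__main__":
    token = secrets.token_hex(16)          # 32 hex chars, freshly generated
    for fixed in (False, True):
        body = render_plain_text(token, fixed)
        print("newline after URL:", fixed)
        print("  copied URL ends with:", autolinked_urls(body)[0][-6:])
        print("  validates:", reset_link_works(token, fixed))
```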

  32. Anonymous Anonymous Coward (profile), 26 Feb 2017 @ 6:28am

    Re: Re: Password Reset

    Whoosh! The band-aid isn't for me, it's for the bleeding bug. They even named it Cloudbleed, and it's bleeding all over the place.


  33. Anonymous Coward, 26 Feb 2017 @ 6:55am

    Re: Re:

    Wow - lol


  34. Roger Strong (profile), 26 Feb 2017 @ 10:36am

    Re: Re:

    The Chinese wall failed to keep invaders out.

    The Egyptian pyramids were vanity projects, tombs quickly looted once the Old Kingdom collapsed. The later kingdoms over the next couple thousand years switched to hidden underground tombs for more security.

    I'll happily stick with this age.

    "Let others praise ancient times; I am glad I was born in these."

    - Ovid (43BC-17AD)


  35. Anonymous Coward, 26 Feb 2017 @ 11:06am

    Re: Re: Re:

    Ben Carson clearly indicated the pyramids were built for grain storage, why would anyone doubt this?


  36. orbitalinsertion (profile), 26 Feb 2017 @ 1:12pm

    Re: Re: Re: Re:

    Please!
    i.invented.email@command.com


  37. Roger Strong (profile), 26 Feb 2017 @ 2:31pm

    Re: Re: Re: Re:

    Good point. A Secretary of Housing and Urban Development would be an expert on building construction.

    Someday we'll look back on this Presidency and laugh. It will probably be one of those deep, eerie ones that slowly builds to a blood-curdling maniacal scream... but still it will be a laugh.


  38. orbitalinsertion (profile), 26 Feb 2017 @ 4:12pm

    Re: Re: Re: Re: Re:

    They were only later converted to store giant stone blocks.


  39. ehud gavron (profile), 26 Feb 2017 @ 4:33pm

    Thank you for TechDirt DRM

    Congratulations for punishing ALL of your users for no reason.

    - You are unaware that anything relating to TD was compromised.
    - The "worst" possible thing that could happen is someone who is not a subscriber could login to TD.
    - You've inconvenienced ALL of your users.
    - This is JUST like DRM

    Can you imagine if Facebook, Snapchat, Instagram, or Twitter had written the same thing? "We're not sure that we're even affected, but we use CloudStuff so maybe wut, and so ALL of you MUST change ALL your passwords go team."

    Roll-your-own security is a no-no. Responding to a non-threat with a blanket requirement to update passwords is hysterical. Not in the funny way.

    E


  40. Arioch (profile), 26 Feb 2017 @ 5:38pm

    Re: Thank you for TechDirt DRM

    So you keep all your passwords the same.. constantly?
    You regard changing a password as "punishment"?

    But aside from that do you not consider it odd that this situation occurs at the same time that Techdirt finds itself involved in legal proceedings initiated by a well known scumbag?


  41. techflaws (profile), 26 Feb 2017 @ 9:41pm

    Re: Re:

    D'uh, that did the trick. Good catch, thx.


  42. Mike Masnick (profile), 26 Feb 2017 @ 11:40pm

    Re: Thank you for TechDirt DRM

    Can you imagine if Facebook, Snapchat, Instagram, or Twitter had written the same thing? "We're not sure that we're even affected, but we use CloudStuff so maybe wut, and so ALL of you MUST change ALL your passwords go team."

    I've seen similar things happen in the past with sites that have forced large groups of users to change passwords:

    https://www.dropbox.com/help/9257
    http://fortune.com/2016/06/07/facebook-netflix-passwords/
    https://blog.linkedin.com/2016/05/18/protecting-our-members
    https://thenextweb.com/socialmedia/2010/02/02/twitter-forcing-users-change-password-reported-threat-phishing-attacks/#.tnw_4yR7CA3Y

    Yes, those involved more specific attacks, but part of the problem with Cloudbleed is that there's no good way to determine if the data here was at risk. And, I disagree that it's the "worst" possible thing. First, many users (unfortunately) reuse passwords. So if we let a password out, it could impact them on many other sites.

    Also, after reading up on Cloudbleed, multiple security experts suggested exactly this course of action. I'm truly sorry that it's an inconvenience, but it's a very, very temporary one and I don't see how it's like DRM at all. DRM is a persistent, awful, limitation on things that you've purchased which block you from actually using what you've purchased. In this case, we made a move to actually make sure our users are safe.


  43. timmaguire42 (profile), 27 Feb 2017 @ 5:46am

    Re: Re:

    Thanks (I'm the AC above). I know my concerns are stupid since people who know internet security far better than me all advise some sort of password wallet, it's just hard for my abacus-level brain to wrap around when it seems like all those same security professionals keep getting hacked.


  44. DannyB (profile), 27 Feb 2017 @ 5:55am

    Re: Re:

    I must protest. I can assure you that us dipsticks have been able to spew content free garbage at the world long before intarweb tubes.


  45. DannyB (profile), 27 Feb 2017 @ 5:58am

    Re: Re: Thank you for TechDirt DRM

    I don't know about others. Maybe I'm the only one?

    I never use the same password on any two web sites.


  46. Wendy Cockcroft, 27 Feb 2017 @ 7:25am

    Re: Re: Re: Re: Re: Re:

    With dead bodies in.


  47. Anonymous Coward, 27 Feb 2017 @ 9:24am

    Re: cf still not trustable at this point

    Manual word wrap looks great!


  48. Ehud Gavron (profile), 27 Feb 2017 @ 10:19am

    DRM, Personal choices, and if you post here the FBI may come calling

    You get to make your strategy and I get to make mine. That's part of the beauty of freedom of expression. I have the freedom to express my choice of password(s).

    My authentication strategy balances costs of maintaining a database of mechanisms vs the risk of what those mechanisms protect. My financial, airline, and public utilities passwords are all different. My news and social media passwords are not.

    The risk here is that someone will be able to post as me on social media. The reward is I don't have to keep track of passwords for e.g. TechDirt, ArsTechnica, Wired, WashPo, NYT, Twitter, FB, and many others.

    Because MY security is MY responsibility that allows ME to determine MY policy. (Similarly I respect Mike's answer where he says TD gets to determine TDs policy...)

    Whenever something happens there are always people happy to give advice. They are the "lawprawfs" of IT, eager to "share" their non-practiced knowledge in the hopes of getting their name in print.

    Personally, I turn to Bruce Schneier or Eugene Kaspersky or Joel Snyder when I want *real* computer security advice. You'll note none of those gentlemen has opined on any real significance to Cloudbleed nor made a call to global password changes.

    I like TechDirt.

    The FBI had a "chat" with me partially because I post on here. Summary here: http://thehood.livejournal.com/109302.html

    Best wishes to all. Also I did not reset my password.

    E


  49. Mike Masnick (profile), 27 Feb 2017 @ 10:43am

    Re: DRM, Personal choices, and if you post here the FBI may come calling

    Also I did not reset my password.

    You can always put back in the same password if that's the key concern here (we don't have anything stopping that, as we don't know what your old pwd was anyway). And, yes, I recognize that you are taking a stand over the inconvenience part, and you feel that we should not have inconvenienced so many people, but we differ on our analysis of what was the most prudent action here.


  50. Ehud Gavron (profile), 27 Feb 2017 @ 11:12am

    You catch more flies with honey

    Thank you! I have reset my password and once again feel like I have a fresh shave, shower, and clean clothes.

    Also... thanks for taking the time to respond to your readers :)

    E


