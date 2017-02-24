
by Mike Masnick

Fri, Feb 24th 2017 5:56pm


Filed Under:
cloudbleed, passwords

Companies:
cloudflare, techdirt



Just To Be Safe, We're Resetting All Techdirt Passwords In Response To Cloudbleed

from the abundance-of-caution dept

As you may have heard, late yesterday Cloudflare disclosed a serious bug in its edge servers: under certain conditions a parser in its reverse proxy read past the end of a buffer and copied the contents of server memory into HTTP responses. Because those servers handle traffic for many sites at once, the leaked memory could include private data (cookies, session tokens, form contents) belonging to one customer's site, returned in a response for an entirely different site. The bug has been dubbed "Cloudbleed" because its effect is much like Heartbleed, the 2014 OpenSSL bug that leaked server memory to anyone who asked for it. Cloudflare was alerted to the bug by a Google Project Zero researcher and patched it within hours, but it had been present for months, and some of the leaked data had been cached and indexed by search engines (that has since been scrubbed as well).

At Techdirt, we use some Cloudflare services. It is unclear (and, in fact, unlikely) that any Techdirt data leaked via Cloudbleed, and we do not retain sensitive data from our users in any case. Out of an abundance of caution, though, we have decided to reset everyone's passwords. If you have an account on Techdirt (which is not required to read or comment), you have been logged out and will need to go through the password reset process to get back in. Yes, this is a bit of a pain, and the likelihood of anyone here being affected is low, but we felt it was the right thing to do. Various security researchers have suggested changing passwords at other sites as well, and we recommend using a password manager with a built-in generator (some of which can automatically change passwords at many sites on request) to do so.
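The procedure described above (every session invalidated, password login refused until the user completes a single-use, short-lived reset) looks roughly like the following. This is an added example, not Techdirt's code: it models one user record in memory, and the field names (session_generation, must_reset, reset_token_hash), the scrypt parameters and the 15-minute token lifetime are assumptions rather than anything the post describes.

```python
"""Precautionary credential reset: log everyone out, require a fresh password.

Added example, not Techdirt's code. One user record is modelled in memory;
session_generation, must_reset, reset_token_hash and RESET_TTL_SECONDS are
assumed names and values, not anything the post describes.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

RESET_TTL_SECONDS = 15 * 60   # assumed lifetime of a reset link


@dataclass
class User:
    name: str
    salt: bytes
    password_hash: bytes
    session_generation: int = 0                 # each session records the value it was issued under
    must_reset: bool = False                    # password login refused until a reset completes
    reset_token_hash: Optional[bytes] = None    # only the hash of the emailed token is stored
    reset_expires_at: float = 0.0


def _hash_password(password: str, salt: bytes) -> bytes:
    # scrypt is memory-hard, so a leaked hash table is expensive to crack offline
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def create_user(name: str, password: str) -> User:
    salt = secrets.token_bytes(16)
    return User(name, salt, _hash_password(password, salt))


def login(user: User, password: str) -> Optional[dict]:
    """Return a session dict on success, None otherwise."""
    if user.must_reset:
        return None
    if not hmac.compare_digest(_hash_password(password, user.salt), user.password_hash):
        return None
    return {"user": user.name, "generation": user.session_generation}


def session_is_valid(user: User, session: dict) -> bool:
    return (session["user"] == user.name
            and session["generation"] == user.session_generation
            and not user.must_reset)


def force_reset(user: User, now: Optional[float] = None) -> str:
    """Invalidate every session, block password login, mint a single-use reset token.

    Returns the plaintext token for delivery (e.g. by email); the store keeps only
    its hash, so a later leak of the database does not hand out usable reset links.
    """
    now = time.time() if now is None else now
    user.session_generation += 1
    user.must_reset = True
    token = secrets.token_urlsafe(32)
    user.reset_token_hash = hashlib.sha256(token.encode()).digest()
    user.reset_expires_at = now + RESET_TTL_SECONDS
    return token


def complete_reset(user: User, token: str, new_password: str,
                   now: Optional[float] = None) -> bool:
    """Accept the token once, within its lifetime, then set the new password."""
    now = time.time() if now is None else now
    if user.reset_token_hash is None or now > user.reset_expires_at:
        return False                                   # expired or already used
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, user.reset_token_hash):
        return False                                   # wrong token
    user.reset_token_hash = None                       # single use: burn it before anything else
    user.salt = secrets.token_bytes(16)
    user.password_hash = _hash_password(new_password, user.salt)
    user.must_reset = False
    user.session_generation += 1                       # anything issued before the reset stays dead
    return True
```

Two details matter more than they look. Bumping session_generation rather than deleting session rows means the logout is a single write per user and cannot be undone by a cached cookie, and storing only a hash of the reset token means that even the breach that prompted the reset could not hand an attacker a working reset link. A token that is wrong or expired is rejected with the same answer a user sees as "Confirmation code expired or incorrect", which is deliberate: the response should not reveal which of the two it was.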

Reader Comments

  Anonymous Coward
    24 Feb 2017 @ 6:19pm

    An ounce of caution or a gallon of shit - what, this was a hard choice?

  • icon
    24 Feb 2017 @ 6:33pm

    Ah yes, I noticed only after posting I had become an Anonymous Coward, instead of a pseudonymous coward.

  Anonymous Coward
    24 Feb 2017 @ 7:14pm

    Hackers in the machine

    Supposed to be "ghost" in the machine, but hey, modernity.

    A few weeks ago I noticed that the ssh "door rattlers" (folks trying random passwords against boxes exposed to the internet) climbed drastically. From an average of 600 unique IPs or so per day, I was seeing around 25,000. The targets were machines in six data centers in the US, two in Germany, a few in Sydney, and a few dozen in RIPE land. The sources came mostly from Ukraine, Russia and China Railway (thought to really be the NKPR, but I have no opinion on that).

    As a consequence, all PAM password authentication under my control has been turned off in favor of certificates or keys. I do normally use keys, but I had left passwords open since I use pretty big, generated passwords changed every so many hours, and I had instituted firewall rules to rate limit all ports that use authentication credentials per source IP.

    That said, there's no excuse not to be planning what to do and how when a system finally is successfully compromised. I suggest using salt or puppet to automate rolling out new servers. As the saying goes, "Treat your servers like cattle, not pets".
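One way to put numbers on the observation in the comment above (distinct source IPs per day jumping from a baseline to a spike), as an added example that is not the commenter's code: it parses OpenSSH-style "Failed password" syslog lines, counts distinct sources per day, flags days that exceed a multiple of a baseline, and lists sources that come back on more than one day. The log lines are constructed for the example, and the baseline and spike factor are assumptions.

```python
"""Distinct failed-password SSH sources per day, spike detection, repeat offenders.

Added example, not the commenter's code. SAMPLE_LOG is constructed to look like
OpenSSH syslog output; baseline and factor are assumed values.
"""
import re
from collections import defaultdict

# OpenSSH auth.log line: syslog prefix, then "Failed password for [invalid user] NAME from IP port N ssh2"
FAILED_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)

# Constructed sample: a quiet day followed by a noisy one (documentation IP ranges).
SAMPLE_LOG = """\
Feb 20 03:11:02 edge1 sshd[2231]: Failed password for root from 203.0.113.7 port 51114 ssh2
Feb 20 03:11:04 edge1 sshd[2231]: Failed password for root from 203.0.113.7 port 51115 ssh2
Feb 20 04:02:19 edge1 sshd[2302]: Failed password for invalid user admin from 198.51.100.23 port 40022 ssh2
Feb 20 09:30:00 edge1 sshd[2400]: Accepted publickey for ops from 192.0.2.10 port 55000 ssh2: ED25519 SHA256:...
Feb 21 00:00:07 edge1 sshd[3001]: Failed password for invalid user oracle from 198.51.100.23 port 41000 ssh2
Feb 21 00:00:09 edge1 sshd[3002]: Failed password for invalid user test from 198.51.100.77 port 41001 ssh2
Feb 21 00:00:11 edge1 sshd[3003]: Failed password for root from 203.0.113.99 port 41002 ssh2
Feb 21 00:00:12 edge1 sshd[3004]: Failed password for invalid user pi from 203.0.113.100 port 41003 ssh2
Feb 21 00:00:13 edge1 sshd[3005]: Failed password for ubuntu from 203.0.113.101 port 41004 ssh2
"""


def distinct_failed_sources(log_text):
    """Map 'Mon DD' -> set of source IPs that failed password auth on that day."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:                                    # successful logins and other lines are ignored
            per_day[f"{m['mon']} {m['day']}"].add(m["ip"])
    return per_day


def spike_days(per_day, baseline, factor=3.0):
    """Days whose distinct failed-source count exceeds factor * baseline (baseline is assumed)."""
    return sorted(day for day, ips in per_day.items() if len(ips) > factor * baseline)


def repeat_offenders(per_day, min_days=2):
    """Sources that failed on at least min_days separate days: candidates for a block list."""
    days_seen = defaultdict(set)
    for day, ips in per_day.items():
        for ip in ips:
            days_seen[ip].add(day)
    return sorted(ip for ip, days in days_seen.items() if len(days) >= min_days)


if __name__ == "__main__":
    per_day = distinct_failed_sources(SAMPLE_LOG)
    for day in sorted(per_day):
        print(day, len(per_day[day]), "distinct failed sources")
    print("spike days:", spike_days(per_day, baseline=1))
    print("repeat offenders:", repeat_offenders(per_day))
```

Once `PasswordAuthentication no` is set, as the commenter did, these "Failed password" lines stop appearing because sshd never offers the password method; the "Invalid user" lines remain a useful signal of who is still rattling the door. One caveat for PAM setups: keyboard-interactive authentication can still prompt for a password unless `ChallengeResponseAuthentication no` (or `KbdInteractiveAuthentication no` on newer OpenSSH) is set as well, so check both before assuming password logins are closed.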

  Anonymous Coward
    24 Feb 2017 @ 10:04pm

    "Confirmation code expired or incorrect."

    is what I got 3 times in a row pasting (!) the code.

    techflaws

  Anonymous Coward
    25 Feb 2017 @ 3:00am

    Waiting on the reset password. Meanwhile, my major resistance to the password wallet is fear that all it does is collect all my passwords into one convenient place so hackers need not crack a bunch of passwords to get access to everything, they can just crack this one.

    Given that basically every security system seems to get hacked now and then, how could a password wallet existing in my computer and talking to the internet be safe?

    Anonymous Coward
      25 Feb 2017 @ 6:40am

      Re:

      The effort it takes to hack a single personal computer is simply not worth it for most adversaries. As long as you follow basic security practices like updating software regularly and don't install software you don't trust the risk is pretty low. The targets are sites themselves which can yield anywhere from thousands to millions of accounts in a single hack.

      If you're dealing with high stakes accounts like bitcoin or other financial data it would be a good idea to have a separate, even offline password storage but for your average user an email and techdirt account password are worth very little.

      Anonymous Coward
        25 Feb 2017 @ 5:52pm

        Re: Re:

        "As long as you follow basic security practices like updating software regularly and don't install software you don't trust the risk is pretty low."

        "Software you don't trust", such as anything from Microsoft or Apple? So, 99% of the planet's hosed from the get go? Don't even bother trying using that garbage. That's my view.

        I'm looking forward to the next planet killer asteroid. It'll be so refreshing.

  Anonymous Coward
    25 Feb 2017 @ 6:32am

    You're still sticking with the company after this?

    Anonymous Coward
      25 Feb 2017 @ 7:03am

      Re:

      Do you seriously think any other organization actually takes security seriously?

      Right now, at the base level, we still code and write software that has security only as a secondary thought at best. If you DO write it with security being first then you still only get second class security because the compilers, run-times, and a whole bunch of other giants your code is standing on are prone to replay attacks, buffer overflows, logical flaws, and other unexpected bugs and such. And not only that, you still have to do it all over "pre-established" protocols that come with their own flaws and vulnerabilities because you can't just make a new programming language or protocol that everyone understands without years of work and effort to get it adopted by the industry.

      People are just prone to suffer that which is sufferable so we keep using the same old garbage we have been using because it works. It might work like shit, but it works, so would you like another plate of shit friend? Cause that is the only thing on the menu!

    • icon
      25 Feb 2017 @ 9:35am

      Re:

      You're still sticking with the company after this?

      Yes. For a variety of reasons. First, there is no indication that this was malicious. There are always bugs out there. Second, working with a company like Cloudflare that is focused on security is always going to be better than doing it ourselves as a small operation. If it were just us, we likely would never have found this kind of bug. Third, working with a company like Cloudflare also means that such things get fixed much faster than they otherwise would have been fixed. Fourth, Cloudflare was a tremendous help to us in the past when we were hit with a DDoS attack from someone who was unhappy with a comment on the site.

      SpaceLifeForm
        25 Feb 2017 @ 1:27pm

        cf still not trustable at this point

        Been on net pre-mosaic. Been seeing attacks on blogs since y2k. Still seeing weird website/blog behavior on other sites that use cf.

        The problems are not solved yet.

        Basically, if you have decided to use cf, you have traded one attack (DDoS) for an allegedly smaller attack surface. The problem is that the smaller attack surface via cf is actually a smaller attack surface for the real attackers. They only have to find the software bugs in cf, and then attack millions of websites.

        Suspect Cogent part of problem.

      Anonymous Coward
        25 Feb 2017 @ 3:13pm

        Re: Re:

        If it were just you, you wouldn't have had this kind of bug. This exists only because a third party is processing requests to your site.

  • icon
    25 Feb 2017 @ 7:22am

    Password Reset

    That didn't hurt much, but may I have a band-aid please?

    Anonymous Coward
      25 Feb 2017 @ 6:00pm

      Re: Password Reset

      You only need a bandaid if you broke the skin and are at risk of infection. This wasn't really even a bruise; more like a minor irritation or tickling. Shake it off.

  Anonymous Coward
    25 Feb 2017 @ 7:34am

    Another reason to remain "anon"

    Anonymous Coward
      25 Feb 2017 @ 6:11pm

      Re:

      "Another reason to remain "anon""

      Security through obscurity; yeah, that's a proven defence method. If you hold your hands over your eyes, they can't possibly see you to target you. Sure.

      Me, I fell off the net last year and gave up on the "social" side of it. Now, it's only used for research (pull) and updating software (also pull).

      "Human to human interaction" is no longer viable via the net. There's too much noise in the system to suffer it.

  JoeCool
    25 Feb 2017 @ 7:51am

    Reset

    It's good to reset your password periodically in any case. Had no trouble, myself... beyond having to log into my yahoo email account for the first time in about a year and a half. :D

    Anonymous Coward
      25 Feb 2017 @ 6:28pm

      Re: Reset

      "It's good to reset your password periodically in any case."

      That's an unproven assumption on your part. Sounds good, but that's all. That koolaid's laced with cyanide.

      Use better pwords (upcase + lowcase + punctuation + integers + avoid dictionary words) or use ssh keys instead, all unique per service (no re-use).

      Fold in "the *cloud* is a trap" and "if you don't control it, you're being controlled."

      My $0.02 (which'll buy nothing these days). Yes, I already realize this'll never change anything, but had to try.

      Have fun. Bon chance.

  Anonymous Coward
    25 Feb 2017 @ 8:09am

    I'm not even going to bother going through the password reset. Cloudflare has always been a dubious service and website owners who use it get exactly what they deserve.

    Cloudflare requires you to give up a lot of control and any service that forces you to allow it to investigate your site staff is just a corrupt service.

    Techdirt, if they rely on Cloudflare as a service, deserves exactly what happened because of this breach.

    I don't use Cloudflare on my site, although I had considered using it before, until I read their terms of service, which was totally UNACCEPTABLE behavior. You are required to allow Cloudflare to conduct investigations on any administrator, moderator or any staff you have on your site.

    This isn't a slam on techdirt but rather on their usage of Cloudflare. There are better alternatives out there.

  • icon
    25 Feb 2017 @ 2:30pm

    You forgot techdirt deals

    I figured it was worth changing too.

