
Cloudflare bug data leak exposed - ig1
http://www.bbc.co.uk/news/technology-39077611
======
sillysaurus3
_He told the BBC there was no evidence yet that the data had been used
maliciously._

Huh?

[https://webcache.googleusercontent.com/search?q=cache:VlVylT...](https://webcache.googleusercontent.com/search?q=cache:VlVylTZMmhAJ:www.hebeicy.com/supplyinfo/supply_detail.aspx%3Fpid%3D1529&num=1&hl=en&gl=us&strip=0&vwsrc=1)

That request is scrubbed now, but it contained an Uber driver's lat-long
coordinates. I used it to look up where they were driving.

CloudFlare really aren't helping themselves with these statements. The people
who decide whether to use CloudFlare are programmers, and programmers
generally can't be duped with statistics like "1 in 3.3M requests were leaking
data" (translation: 100k requests per day were leaking data[1]) or "There's no
evidence anyone used this data maliciously" (translation: we have no idea what
is being exploited).

[1]
[https://news.ycombinator.com/item?id=13719518](https://news.ycombinator.com/item?id=13719518)
and
[https://news.ycombinator.com/item?id=13722606](https://news.ycombinator.com/item?id=13722606)

~~~
anon1385
There's still leaked data all over google cache:
[https://webcache.googleusercontent.com/search?q=cache:oN9z-b...](https://webcache.googleusercontent.com/search?q=cache:oN9z-biFgzkJ:fujiyoutube.com/search.php%3Fq%3Dsithata+&cd=1&hl=en&ct=clnk&gl=us)

~~~
tyingq
Interesting. That site still has pages in the yandex cache as well.

[http://hghltd.yandex.net/yandbtm?fmode=inject&url=http%3A%2F...](http://hghltd.yandex.net/yandbtm?fmode=inject&url=http%3A%2F%2Ffujiyoutube.com%2Fsearch.php%3Fq%3Dautoriepas&tld=com&lang=lv&la=1487287680&tm=1487957179&text=%22Cf-Int-Brand-ID%22&l10n=en&mime=html&mysign=1487957443.743f8e2ee16e7c5deed26dfce54b89e4&cht=1&sign=5cdcdae13d2709c06bbd7356a8d7f0a3&keyno=0)

------
tabeth
> "I am not changing any of my passwords. I think the probability that
> somebody saw something is so low it's not something I am concerned about."

I am confused. The probability of someone seeing it is irrelevant, given that
the leak happened already. Is security not supposed to be preemptive? For such
an easy measure to take (password changing), saying you don't want to change
it seems pretty silly. You can change all of your passwords in 30 minutes
tops.

I believe the CTO is also mistaken about the probability anyway. As this is
more publicized the likelihood of malicious people exploiting this will only
increase. Therefore it's a race between them and the good actors fixing the
problem. In the interim, changing your passwords at the very least should be
done.

~~~
cakes
I feel like I'm missing a partial context but "You can change all of your
passwords in 30 minutes tops" is not true. I have a minimal amount of accounts
(I close accounts I don't use) and I can't imagine it taking me less than
several hours of slogging through it to change all my passwords (e.g. updating
password database, 2FA confirmations, making sure I don't lock the account I
change the password on, etc.)

So I have to aim for the clearly impacted ones from this (if
named/discoverable) and then have to decide how vulnerable I feel and whether
I should go through the extra effort (or not) for every password I conceivably
have.

~~~
sverige
I am halfway through changing the 60 passwords for services and accounts I
have used since last September.

Cloudflare's COO publicly dismissing the danger with a wan smile and a wave of
his hand was motivation enough for me.

That, and this ridiculous statement: "Unfortunately, it was the ancient piece
of software that contained a latent security problem and that problem only
showed up as we were in the process of migrating away from it," he wrote.

My understanding is that they were not "in the process of migrating away from"
an "ancient piece of software," but rather that this was something they
implemented five months ago and that they had no idea anything was wrong until
Google told them what they found.

That sort of behavior does not inspire trust and confidence.

------
aioprisan
Damage control PR at its finest. The CTO should resign over this terrible
advice. No one knows just how much cached data is out there or just how much
this was triggered since September 2016, and to assume the best case scenario
is irresponsible and reeks of CYA instead of putting the public interest
first.

~~~
wlkr
> The CTO should resign over this terrible advice.

Whether or not he does I hope companies who use CloudFlare strongly consider
alternatives. His comment certainly isn't out of ignorance, he has blogged at
length on the necessity of password security and lambasted other companies for
their behaviour in situations such as this.

[http://blog.jgc.org/](http://blog.jgc.org/)

------
robalfonso
Another Cloudflare customer also said basically this is much ado about
nothing, but prefaced their comment by saying "We take security seriously".

What's offensive here is that if you take security seriously, then if there is a
.01% chance of a disclosure, you tell people to change their
passwords, tokens, etc. That is taking security seriously.

~~~
794CD01
Would you say the same at .001%? How about .0001%?

It is possible for someone to take security seriously but not blindly value
the tiniest bit of security over every other possible factor. Perhaps because
they also take usability seriously.

~~~
robalfonso
You have to evaluate the type of account disclosure that was possible against
your own use cases.

My company bills 1m a day through our online site, if my logins to our domain
registrar were exposed then yes. .00001 is worth it, in the case someone would
gain access and change our dns or do something else nefarious.

Likewise, if my login to this site was disclosed, I can live with cleaning
that up should it get out.

What shouldn't happen is the companies who were affected or the company who
caused this (cloudflare) to say "no big deal"

At the very least they should say if you potentially used a serious service
during this time and that service was using cloudflare then you might consider
changing for reasons X,Y,Z.

~~~
794CD01
>You have to evaluate the type of account disclosure that was possible against
your own use cases.

Exactly. Evaluating risk levels and weighing tradeoffs accurately is taking
security seriously. Overreacting to insanely unlikely scenarios is not.

~~~
robalfonso
Yes, but you might not understand me. I meant they are assuming they are doing
the evaluating on behalf of their customers. I'm the customer and I've got to
do the evaluating, but I might not understand the potential, and telling me
there is almost no issue doesn't help me do that.

~~~
794CD01
If they understand security better than their customers, it's correct for them
to say so when an issue doesn't require customers to individually review
whether they are affected.

If they misjudge that, it isn't an indication that they don't "take security
seriously". It just means they made an error in judgment.

------
mixedbit
Good advice in password security is that you should never store passwords in
plain text on your private machines and on servers. With CloudFlare bug your
passwords can be stored unencrypted in local browser caches of random people
who may have malicious intentions or whose machines may be compromised
(already or in the future).

------
josh-wrale
If the technical issue wasn't enough reason to leave CF, this should be.

~~~
blakesterz
Is it though? Is anywhere else really any better? Won't CloudFlare be
reviewing everything now? Will they be more secure after this and more
trustworthy? I'm asking myself these questions now.

Really, I don't know the answers, but I'm not leaving because this seems like
something that could happen anywhere at anytime. I honestly don't know though.

~~~
fictioncircle
> Is anywhere else really any better?

Yes. A t-shirt contest is a joke of a security bug bounty.

[https://hackerone.com/cloudflare](https://hackerone.com/cloudflare) (t-shirt)

vs.

[https://hackerone.com/coinbase](https://hackerone.com/coinbase) ($500-$10k)
or [https://hackerone.com/uber](https://hackerone.com/uber) ($500-$10k) or
[https://hackerone.com/facebook](https://hackerone.com/facebook) ($500-$10k)
or dozens of others...

~~~
mtberatwork
That's a bit of a straw man. Bug bounty payout isn't any indication that one
company is better at security than another. Also, any one of those companies
could be sitting on some obscure bug that is currently unknown to anyone in
the company until it tragically makes itself known.

~~~
minhajuddin
Look at Tarsnap's bug bounty: [http://www.tarsnap.com/bounty-winners.html](http://www.tarsnap.com/bounty-winners.html). This guy has given
out more than a thousand dollars and this is (as far as I know) a one man
shop. How big is cloudflare? How secure should it be given that it asks for
customers' private SSL keys? I would say they should have the biggest bounty
program.

This leads to one of the two conclusions: 1) They are too cocky to think that
they may have security problems (which is a big problem) 2) They know they may
have security problems but don't care enough (which is a bigger issue).

There is no way you can cut this to make them look good.

~~~
mtberatwork
I'm not making any argument for or against CF. I'm saying that equating the
size of a bounty program to the perceived level of dedication to security or
code quality of a company is a straw man argument.

~~~
fictioncircle
If you offer less than $50 for something someone else in the market (albeit
for a likely unethical purpose) is willing to pay $10k for, what do you expect
people to do?

It isn't a strawman to state economic incentives matter. Or do you genuinely
believe everyone experienced in security will take the $50 because of
"ethics"?

------
cmdrfred
While I agree this is a silly comment to make, I too won't be changing my
passwords until my regular yearly password change in a few months. If I had
CIA-level intelligence floating around I would, but I find it rather unlikely
that I'm exposed, and if I am it isn't the end of the world, as I self-host my
email and other critical services, thus I know for certain they are unaffected
by this.

------
celticninja
That's not a very helpful statement to make.

~~~
blakesterz
Good point. While the chances are really high that SOMEONE will be affected in
a really bad way the chances that any single person got hit is really low. But
as CEO he should be erring on the side of caution here I'd think, because of
his position. Him saying that kind of implies that it's not a big deal and no
one should be taking any steps to be sure they're not the person who is in
trouble.

The number of people who lost passwords is low, but it certainly happened to
someone and none of us know if we're that someone.

~~~
celticninja
I am almost certain someone is scanning archives for this data and reviewing
it for anything sensitive now they know it exists. Yesterday when Google
announced the SHA-1 collision, someone else took that and used it to unlock a
2.4btc reward, at the same point a bot scanning for this attempted to double
spend the reward with a higher fee to claim the reward.

The first guy knew how to take advantage of the information but the second guy
could sit and wait for someone else to solve it and take the reward, it also
meant the bot programmer wasn't in a competition with everyone to submit the
solution first.

Given that there are many bitcoin sites listed with cloudflare there is some
potential reward in locating and scanning that data.

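The cache links earlier in the thread (anon1385, tyingq) and celticninja's point that people are scanning archives for this data suggest what a responder's triage pass over cached pages looks like. The following is an added example (Python), not code from this thread or from Cloudflare: it flags a cached page body when Cloudflare-internal header names appear inside it and produces a redacted excerpt for a report. The only marker taken from the thread is Cf-Int-Brand-ID (the string the Yandex search queries for); the other header names and both sample bodies are assumptions constructed for the example.

```python
"""Triage helper for cached pages suspected of carrying Cloudbleed-style
leaked memory.  Added example; not code from the thread or from Cloudflare.
The marker list is an assumption: "Cf-Int-Brand-ID" is the header name the
thread's Yandex search looks for; the others are Cloudflare-internal header
names this example assumes would also surface in leaked request memory."""
import re
from typing import Dict, List

# Cloudflare-internal request headers.  They belong to the edge's own
# request handling and have no business appearing inside a response body,
# so any hit is a strong signal that proxy memory was spliced into the page.
LEAK_MARKERS = [
    "Cf-Int-Brand-ID",    # visible in the thread's Yandex cache search
    "CF-Connecting-IP",   # assumed
    "CF-Visitor",         # assumed
    "CF-RAY",             # assumed
]

# Header names are case-insensitive, so match them that way; a plain grep
# for "CF-" would miss lower-cased copies.
_MARKER_RE = re.compile(
    "|".join(re.escape(m) for m in LEAK_MARKERS), re.IGNORECASE
)

# Lines whose values are the actual secrets (session cookies, bearer tokens).
# `[ \t]*` rather than `\s*` so an empty value cannot swallow the next line.
_SECRET_LINE_RE = re.compile(
    r"(?im)^(Cookie|Set-Cookie|Authorization):[ \t]*(\S.*)$"
)

# Constructed sample bodies (not real cached pages).  SAMPLE_LEAK mimics a
# product page whose tail is a chunk of another visitor's request.
SAMPLE_CLEAN = "<html><body><p>Product details</p></body></html>"
SAMPLE_LEAK = (
    "<html><body><p>Product details</p>\n"
    "GET /api/v1/driver/location HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "Cf-Int-Brand-ID: 1234\r\n"
    "CF-Connecting-IP: 203.0.113.7\r\n"
    "Cookie: session=abc123\r\n"
    "Authorization: Bearer not.a.real.token\r\n"
    "\r\n"
    "</body></html>"
)


def find_leak_markers(body: str) -> List[str]:
    """Return the distinct internal-header names found in body, lower-cased,
    in order of first appearance."""
    seen: List[str] = []
    for m in _MARKER_RE.finditer(body):
        name = m.group(0).lower()
        if name not in seen:
            seen.append(name)
    return seen


def redact_secret_lines(body: str) -> str:
    """Blank out cookie and authorization values so a triage report can be
    passed around without re-leaking whatever the page leaked."""
    return _SECRET_LINE_RE.sub(lambda m: f"{m.group(1)}: [REDACTED]", body)


def triage(body: str, context: int = 160) -> Dict[str, object]:
    """Classify one cached body.  The excerpt is cut from the redacted text
    so the report never contains the raw secret values."""
    markers = find_leak_markers(body)
    if not markers:
        return {"leaked": False, "markers": [], "redacted_excerpt": ""}
    redacted = redact_secret_lines(body)
    first = _MARKER_RE.search(redacted)
    pos = first.start() if first else 0
    excerpt = redacted[max(0, pos - context):pos + context]
    return {"leaked": True, "markers": markers, "redacted_excerpt": excerpt}


if __name__ == "__main__":
    for label, page in (("clean", SAMPLE_CLEAN), ("leak", SAMPLE_LEAK)):
        result = triage(page)
        print(label, result["leaked"], result["markers"])
        if result["leaked"]:
            print(result["redacted_excerpt"])
```

Feed it the saved body of each cached page you want to check; a hit means the page should be reported to the cache operator for purging, and the redacted excerpt is what goes in the report rather than the raw page.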
------
esseti
Although he may be right, as the CTO he's way too optimistic, because he can't
know, he can just assume! Just let people understand (get to know) the
problem and change their password; what's the problem?

------
gnud
I changed most of my passwords today.

It's good to change the passwords every so often anyway - it took me less time
to just change my important passwords, than to check if the sites they are
for, were using Cloudflare.

------
wlkr
It seems that they're intent on downplaying the severity. It's one thing to
present this confident attitude to the end user but I wonder what the
companies who pay CloudFlare, make of this attitude? Perhaps it's a tactic so
that if the end-users aren't worried then they won't pressure whichever
services they use to move away from CloudFlare? Regardless, I think his entire
statement is tripe.

------
tyingq
The story also highlights this _" Unfortunately, it was the ancient piece of
software that contained a latent security problem and that problem only showed
up as we were in the process of migrating away from it"_

Out of context that omits the fact that it was a new feature. Ragel might be
old, but they did leverage it, on purpose, for net new functionality. The fix
didn't remove Ragel either.

------
fimdomeio
Sounds like bad advice in general. For the Cloudflare CTO it would sound a
lot better to hear something like: "While I don't think anyone needs to
change their password, I changed mine; I actually do it regularly, to keep
my accounts safe." Unfortunately it would not give such a good sound bite.

------
testloop
"I am not changing any of my passwords. I think the probability that somebody
saw something is so low it's not something I am concerned about"

So... just cross your fingers and hope nobody saw anything then? The way
they're casually downplaying this incident is outrageous.

------
draw_down
Looks like they are going to downplay this. Interesting choice.

~~~
draw_down
See other comments here, the event log, and the comments of the main story.
They're downplaying it. [https://bugs.chromium.org/p/project-zero/issues/detail?id=11...](https://bugs.chromium.org/p/project-zero/issues/detail?id=1139#c19)

------
phyushin
I hate the BBC's article format

Heading: (some alarmist half truth)
Content: (what we said in the headline probably isn't true)

------
xazJ0ku5CZnlmg
This is silly, irrespective of everything changing passwords is innocuous; why
make a big deal out of it.

------
deliriousferret
"What it shows, bigly, is that we may have just dodged a bullet."

"bigly" is a word now? Thanks Trump!

