date 2017-02-23
Huh?
https://webcache.googleusercontent.com/search?q=cache:VlVylT...
That request is scrubbed now, but it contained an Uber driver's lat-long coordinates. I used it to look up where they were driving.
CloudFlare really aren't helping themselves with these statements. The people who decide whether to use CloudFlare are programmers, and programmers generally can't be duped with statistics like "1 in 3.3M requests were leaking data" (translation: 100k requests per day were leaking data [1]) or "There's no evidence anyone used this data maliciously" (translation: we have no idea what is being exploited).
[1] https://news.ycombinator.com/item?id=13719518 and https://news.ycombinator.com/item?id=13722606
Seconded. For example, here is CloudFlare's Chief Technology Officer regarding their response time:
"[Tavis Ormandy, the Google engineer who discovered the vulnerability, is] saying he’s frustrated but I’m a little bemused at why he’s frustrated with six days rather than 90" [1].
CloudFlare's CTO shouldn't be running around doing interviews with TechCrunch, let alone expressing bemusement regarding a fire from his camp.
[1] https://techcrunch.com/2017/02/23/major-cloudflare-bug-leake...
I am confused. The probability of someone seeing it is irrelevant, given that the leak happened already. Is security not supposed to be preemptive? For such an easy measure to take (password changing), saying you don't want to change it seems pretty silly. You can change all of your passwords in 30 minutes tops.
I believe the CTO is also mistaken about the probability anyway. As this is more publicized the likelihood of malicious people exploiting this will only increase. Therefore it's a race between them and the good actors fixing the problem. In the interim, changing your passwords at the very least should be done.
So I have to aim for the clearly impacted ones from this (if named/discoverable) and then have to decide how vulnerable I feel and whether I should go through the extra effort (or not) for every password I conceivably have.
What's offensive here is that if you take security seriously, then if there is a .01% chance of a disclosure, you tell people to change their passwords, tokens, etc. That is taking security seriously.
One reason for this behavior is that the legal consequences / fines for leaking private data into the public domain are negligible. For the EU this will change next year though with the new data protection directive, which will make it possible to impose a fine of up to 4 % of the WORLDWIDE turnover / revenue of a company (currently, most European countries have fines that max out at several 100.000 €, which for large companies like Google is negligible).
I'm not saying that there is gross negligence on the part of Cloudflare here, but it's nevertheless shocking to see how easily those people dismiss the significance of leaking private data like this. They don't even seem to understand that passwords are not the biggest problem here, as apparently there were plenty of private messages, conversations and HTTP headers leaked as well.
Really, I don't know the answers, but I'm not leaving because this seems like something that could happen anywhere at anytime. I honestly don't know though.
So... just cross your fingers and hope nobody saw anything then? The way they're casually downplaying this incident is outrageous.
The number of people who lost passwords is low, but it certainly happened to someone and none of us know if we're that someone.
Out of context that omits the fact that it was a new feature. Ragel might be old, but they did leverage it, on purpose, for net new functionality. The fix didn't remove Ragel either.
It's good to change the passwords every so often anyway. It took me less time to just change my important passwords than to check whether the sites they are for were using Cloudflare.
"bigly" is a word now? Thanks Trump!