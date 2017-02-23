Hacker News
Cloudflare bug data leak exposed (bbc.co.uk)
44 points by ig1 31 minutes ago | 24 comments





He told the BBC there was no evidence yet that the data had been used maliciously.

Huh?

https://webcache.googleusercontent.com/search?q=cache:VlVylT...

That request is scrubbed now, but it contained an Uber driver's lat-long coordinates. I used it to look up where they were driving.

CloudFlare really aren't helping themselves with these statements. The people who decide whether to use CloudFlare are programmers, and programmers generally can't be duped with statistics like "1 in 3.3M requests were leaking data" (translation: 100k requests per day were leaking data[1]) or "There's no evidence anyone used this data maliciously" (translation: we have no idea what is being exploited).

[1] https://news.ycombinator.com/item?id=13719518 and https://news.ycombinator.com/item?id=13722606

> CloudFlare really aren't helping themselves with these statements

Seconded. For example, here is CloudFlare's Chief Technology Officer regarding their response time:

"[Tavis Ormandy, the Google engineer who discovered the vulnerability, is] saying he’s frustrated but I’m a little bemused at why he’s frustrated with six days rather than 90" [1].

CloudFlare's CTO shouldn't be running around doing interviews with TechCrunch, let alone expressing bemusement regarding a fire from his camp.

[1] https://techcrunch.com/2017/02/23/major-cloudflare-bug-leake...

There's still leaked data all over google cache: https://webcache.googleusercontent.com/search?q=cache:oN9z-b...

> "I am not changing any of my passwords. I think the probability that somebody saw something is so low it's not something I am concerned about."

I am confused. The probability of someone seeing it is irrelevant, given that the leak happened already. Is security not supposed to be preemptive? For such an easy measure to take (password changing), saying you don't want to change it seems pretty silly. You can change all of your passwords in 30 minutes tops.

I believe the CTO is also mistaken about the probability anyway. As this is more publicized the likelihood of malicious people exploiting this will only increase. Therefore it's a race between them and the good actors fixing the problem. In the interim, changing your passwords at the very least should be done.

I feel like I'm missing a partial context, but "You can change all of your passwords in 30 minutes tops" is not true. I have a minimal number of accounts (I close accounts I don't use) and I can't imagine it taking me less than several hours of slogging through it to change all my passwords (e.g. updating password database, 2FA confirmations, making sure I don't lock the account I change the password on, etc.)

So I have to aim for the clearly impacted ones from this (if named/discoverable) and then have to decide how vulnerable I feel and whether I should go through the extra effort (or not) for every password I conceivably have.

Damage control PR at its finest. The CTO should resign over this terrible advice. No one knows just how much cached data is out there or just how much this was triggered since September 2016, and to assume the best case scenario is irresponsible and reeks of CYA instead of putting the public interest first.

A good piece of advice in password security is that you should never store passwords in plain text on your private machines and on servers. With the CloudFlare bug your passwords can be stored unencrypted in local browser caches of random people who may have malicious intentions or whose machines may be compromised (already or in the future).

Another Cloudflare customer also said basically this is much ado about nothing, but prefaced their comment by saying "We take security seriously".

What's offensive here is if you take security seriously, then if there is a .01% chance of a disclosure, you tell people to change their passwords, tokens, etc. That is taking security seriously.

This attitude seems to be typical these days for companies that have leaked customer data: "Too bad it happened, but it's too late to do anything anyway, so just don't worry about it."

One reason for this behavior is that the legal consequences / fines for leaking private data into the public domain are negligible. For the EU this will change next year though with the new data protection directive, which will make it possible to impose a fine of up to 4 % of the WORLDWIDE turnover / revenue of a company (currently, most European countries have fines that max out at several hundred thousand euros, which for large companies like Google is negligible).

I'm not saying that there is gross negligence on the part of Cloudflare here, it's nevertheless shocking to see how easily those people dismiss the significance of leaking private data like this. They don't even seem to understand that passwords are not the biggest problem here, as apparently there were plenty of private messages, conversations and HTTP headers leaked as well.

If the technical issue wasn't enough reason to leave CF, this should be.

Is it though? Is anywhere else really any better? Won't CloudFlare be reviewing everything now? Will they be more secure after this and more trustworthy? I'm asking myself these questions now.

Really, I don't know the answers, but I'm not leaving because this seems like something that could happen anywhere at anytime. I honestly don't know though.

Poor judgement in leadership is reason enough for me. Will they be reviewing everything? Perhaps. The person overseeing that review may not be erring on the side of caution though. Concerns me. Draw your own conclusion I guess.

"I am not changing any of my passwords. I think the probability that somebody saw something is so low it's not something I am concerned about"

So... just cross your fingers and hope nobody saw anything then? The way they're casually downplaying this incident is outrageous.

That's not a very helpful statement to make.

Good point. While the chances are really high that SOMEONE will be affected in a really bad way, the chances that any single person got hit are really low. But as CEO he should be erring on the side of caution here I'd think, because of his position. Him saying that kind of implies that it's not a big deal and no one should be taking any steps to be sure they're not the person who is in trouble.

The number of people who lost passwords is low, but it certainly happened to someone and none of us know if we're that someone.

The story also highlights this "Unfortunately, it was the ancient piece of software that contained a latent security problem and that problem only showed up as we were in the process of migrating away from it"

Out of context that omits the fact that it was a new feature. Ragel might be old, but they did leverage it, on purpose, for net new functionality. The fix didn't remove Ragel either.

I changed most of my passwords today.

It's good to change the passwords every so often anyway - it took me less time to just change my important passwords than to check if the sites they are for were using Cloudflare.
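As an added example (not code from this thread, from Cloudflare, or from any commenter), here is the "was this site behind Cloudflare?" check the comment above skipped. It classifies a site from evidence you capture yourself, e.g. response headers from `curl -sI https://example.com` and nameservers from `dig +short NS example.com`, so the sample captures below are constructed and the hostnames are placeholders. The function names (`cloudflare_indicators`, `proxied_by_cloudflare`, `triage`, `fetch_indicators`) are mine; the indicators themselves (the `cloudflare` Server header, the `CF-RAY` header, the `__cfduid` cookie, nameservers under `ns.cloudflare.com`) are the ones Cloudflare's edge and DNS actually used at the time.

```python
# Added example, not code from the HN thread or from Cloudflare: decide
# whether a site is fronted by Cloudflare from captured response headers and
# NS records, then rank which passwords to rotate first.
from typing import Dict, Iterable, List, Mapping
import urllib.request

# Indicators Cloudflare's edge adds to responses it proxies.  In early 2017
# the Server header read "cloudflare-nginx"; today it is "cloudflare", so we
# match on the substring.  CF-RAY is the per-request edge identifier and
# __cfduid was the cookie the edge set at the time.
CF_SERVER_SUBSTRING = "cloudflare"
CF_RAY_HEADER = "cf-ray"
CF_COOKIE_NAME = "__cfduid"
# Zones hosted on Cloudflare DNS use nameservers under this suffix.
CF_NS_SUFFIX = ".ns.cloudflare.com"


def cloudflare_indicators(headers: Mapping[str, str],
                          nameservers: Iterable[str] = ()) -> List[str]:
    """Return the evidence found that a site is fronted by Cloudflare.

    Header evidence means the response actually passed through the edge,
    which is what mattered for this bug.  Nameserver evidence only shows the
    zone is on Cloudflare DNS; a record can be "DNS only" and never be
    proxied, so it is reported separately as weaker evidence.
    """
    h = {name.lower(): value for name, value in headers.items()}
    found = []
    if CF_SERVER_SUBSTRING in h.get("server", "").lower():
        found.append("server header")
    if CF_RAY_HEADER in h:
        found.append("cf-ray header")
    if CF_COOKIE_NAME + "=" in h.get("set-cookie", ""):
        found.append("__cfduid cookie")
    for ns in nameservers:
        if ns.lower().rstrip(".").endswith(CF_NS_SUFFIX):
            found.append("cloudflare nameservers")
            break
    return found


def proxied_by_cloudflare(headers: Mapping[str, str]) -> bool:
    """True only on header evidence, i.e. the response went through the edge."""
    return bool(cloudflare_indicators(headers))


def triage(sites: Mapping[str, Mapping[str, str]]) -> Dict[str, List[str]]:
    """Map hostname -> captured headers to hostname -> evidence, dropping
    sites with no evidence, so the result is the set to rotate first."""
    result: Dict[str, List[str]] = {}
    for host, headers in sites.items():
        evidence = cloudflare_indicators(headers)
        if evidence:
            result[host] = evidence
    return result


def fetch_indicators(url: str, timeout: float = 5.0) -> List[str]:
    """Live variant (needs network): HEAD the URL and classify its headers."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return cloudflare_indicators(dict(resp.headers.items()))


# Constructed sample captures for the offline run; these are not real
# responses from any site named in the thread.
SAMPLE_CAPTURES = {
    "shop.example": {
        "Server": "cloudflare-nginx",
        "CF-RAY": "33a8c1d2e3f4b5c6-SJC",
        "Set-Cookie": "__cfduid=d41d8cd98f00b204e9800998ecf8427e; path=/; HttpOnly",
        "Content-Type": "text/html",
    },
    "mail.example": {
        "Server": "nginx/1.10.3",
        "Content-Type": "text/html",
    },
    "blog.example": {
        "Server": "Apache",
        "cf-ray": "33a8c1d2e3f4b5c7-AMS",  # header names are case-insensitive
    },
}

if __name__ == "__main__":
    for host, evidence in triage(SAMPLE_CAPTURES).items():
        print(f"{host}: rotate first ({', '.join(evidence)})")
```

Header evidence is the signal that matters for this bug, because only responses that passed through the edge could have been corrupted; nameserver evidence alone just tells you the zone is on Cloudflare DNS. A site that moved on or off Cloudflare since September 2016 will not be classified correctly from a capture taken today.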

Sounds like bad advice in general. For the Cloudflare CTO it would sound a lot better to hear something like: "While I don't think anyone needs to change their password, I changed mine; I actually do it regularly, to keep my accounts safe." Unfortunately it would not give such a good sound bite.

It seems that they're intent on downplaying the severity. It's one thing to present this confident attitude to the end user, but I wonder what the companies who pay CloudFlare make of this attitude? Perhaps it's a tactic so that if the end-users aren't worried then they won't pressure whichever services they use to move away from CloudFlare? Regardless, I think his entire statement is tripe.

Although he may be right, as the CTO he's way too optimistic because he can't know, he can just assume! Just let the people understand (get to know) the problem and change the password, what's the problem?

"What it shows, bigly, is that we may have just dodged a bullet."

"bigly" is a word now? Thanks Trump!

While I agree this is a silly comment to make, I too won't be changing my passwords until my regular yearly password change in a few months. If I had CIA-level intelligence floating around I would, but I find it rather unlikely that I'm exposed, and if I am it isn't the end of the world, as I self-host my email and other critical services and thus know for certain they are unaffected by this.

This is silly; irrespective of everything, changing passwords is innocuous, so why make a big deal out of it?

Looks like they are going to downplay this. Interesting choice.

