Just To Be Safe, We're Resetting All Techdirt Passwords In Response To Cloudbleed
from the abundance-of-caution dept
As you may have heard, late yesterday it was revealed that there was a pretty major bug that was potentially leaking all sorts of sensitive data for some companies that use Cloudflare. The bug is being dubbed "Cloudbleed" as it's actually quite similar to what happened a few years ago with OpenSSL in what was known as Heartbleed. Cloudflare was alerted to the bug by some Google security researchers and quickly patched the problem -- but it had gone on for months, with some sensitive data being indexed by search engines (that's all been cleaned up too).
At Techdirt, we use some Cloudflare services. It is unclear (and, in fact, unlikely) that any Techdirt data leaked via Cloudbleed. Also, we don't retain sensitive data from our users. However, in an abundance of caution, we have decided to reset everyone's passwords. If you have an account on Techdirt (which is not a requirement), you will be logged out, and will be required to go through the password reset process to get back into your account. Yes, this is a bit of a pain for our users, but despite the low likelihood of people here being impacted, we felt it was the right thing to do. Various security researchers have suggested that people change their passwords at other sites as well, and we recommend using a password generator/wallet (some of which will automatically change passwords at many sites upon request) to do so.
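The precautionary reset the post describes (log every account out, then require a fresh password reset before the next login) is easy to implement badly. The following is an added example, not Techdirt's own code, of one safe way to do it: all sessions are cleared, every account is flagged, and each user receives a single-use, time-limited reset token of which only a hash is stored server-side, so a later database leak cannot be replayed. The in-memory user and session stores, the token lifetime and all names are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores standing in for a site's user and session tables
# (assumptions for this example, not a description of Techdirt's backend).
USERS = {
    "alice": {"password_hash": "old-hash-1", "reset_required": False},
    "bob": {"password_hash": "old-hash-2", "reset_required": False},
}
SESSIONS = {"sess-1": "alice", "sess-2": "bob", "sess-3": "alice"}
RESET_TOKENS = {}  # username -> {"digest": sha256 of token, "expires": unix time}

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a reset link


def _digest(token: str) -> str:
    # Only the hash of the token is stored; the plaintext token goes out by e-mail once.
    return hashlib.sha256(token.encode()).hexdigest()


def force_reset_all(now: float) -> dict:
    """Log everyone out and flag every account so the next login must go through
    the reset flow. Returns one fresh token per user for the outgoing mail."""
    SESSIONS.clear()
    tokens = {}
    for user, rec in USERS.items():
        rec["reset_required"] = True
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        RESET_TOKENS[user] = {"digest": _digest(token), "expires": now + TOKEN_TTL_SECONDS}
        tokens[user] = token
    return tokens


def login_allowed(user: str) -> bool:
    # A flagged account cannot log in with its old password, even if that password is correct.
    return user in USERS and not USERS[user]["reset_required"]


def complete_reset(user: str, token: str, new_password_hash: str, now: float) -> bool:
    """Consume a reset token. Fails closed on unknown user, expiry or mismatch."""
    entry = RESET_TOKENS.get(user)
    if entry is None or now > entry["expires"]:
        return False
    # Constant-time comparison so timing does not reveal how much of the digest matched.
    if not hmac.compare_digest(entry["digest"], _digest(token)):
        return False
    del RESET_TOKENS[user]  # single use: a second submission of the same link fails
    USERS[user]["password_hash"] = new_password_hash
    USERS[user]["reset_required"] = False
    return True


if __name__ == "__main__":
    issued = force_reset_all(now=1000.0)
    print("sessions after reset:", SESSIONS)
    print("alice may log in:", login_allowed("alice"))
    print("reset with mailed token:", complete_reset("alice", issued["alice"], "new-hash", 1500.0))
    print("alice may log in:", login_allowed("alice"))
```

Nothing here prevents a user from choosing their previous password again, which matches what the reply further down the thread says: the site never knew the old password, so it cannot compare.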
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: cloudbleed, passwords
Companies: cloudflare, techdirt
Reader Comments
Re:
Doofus.
Re: Re:
The Chinese wall failed to keep invaders out.
The Egyptian pyramids were vanity projects, tombs quickly looted once the Old Kingdom collapsed. The later kingdoms over the next couple thousand years switched to hidden underground tombs for more security.
I'll happily stick with this age.
Someday we'll look back on this Presidency and laugh. It will probably be one of those deep, eerie ones that slowly builds to a blood-curdling maniacal scream... but still it will be a laugh.
Hackers in the machine
A few weeks ago I noticed that the ssh "door rattlers" (folks trying random passwords against boxes exposed to the internet) climbed drastically. From an average of 600 unique IPs or so per day, I was seeing around 25,000. The targets were machines in six data centers in the US, 2 in Germany, a few in Sydney, and a few dozen in RIPE land. The sources came mostly from Ukraine, Russia and China Railway (thought to really be the NKPR but I have no opinion on that).
As a consequence, all PAM password authentication under my control has been turned off in favor of certificates or keys. I do normally use keys, but I left passwords open since I use pretty big, generated passwords changed every so-many hours, and instituted firewall rules to rate limit all ports that use authentication credentials per source IP.
That said, there's no excuse not to be planning what to do and how when a system finally is successfully compromised. I suggest using salt or puppet to automate rolling out new servers. As the saying goes, "Treat your servers like cattle, not pets".
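As an added example (not the commenter's own tooling), the Python below does the two things this comment describes from the defender's side: it counts unique source addresses of failed SSH password logins per day from a few constructed auth.log lines and flags days that blow past a baseline, the kind of jump from hundreds to tens of thousands mentioned above, and it audits an sshd_config text for the keys-only settings the commenter moved to. The sample log lines, the baseline figure and the directive set are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (documentation-range IPs; not real data from anyone's hosts).
SAMPLE_LOG = """\
Feb 20 03:14:01 host1 sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51812 ssh2
Feb 20 03:14:03 host1 sshd[1203]: Failed password for root from 203.0.113.5 port 51813 ssh2
Feb 20 09:30:10 host1 sshd[1410]: Failed password for invalid user test from 198.51.100.7 port 40022 ssh2
Feb 20 11:02:45 host1 sshd[1533]: Accepted publickey for deploy from 192.0.2.10 port 55010 ssh2: ED25519 SHA256:constructed
Feb 21 00:00:12 host1 sshd[2001]: Failed password for invalid user oracle from 203.0.113.9 port 33001 ssh2
Feb 21 00:00:13 host1 sshd[2002]: Failed password for invalid user oracle from 203.0.113.10 port 33002 ssh2
Feb 21 00:00:14 host1 sshd[2003]: Failed password for root from 203.0.113.11 port 33003 ssh2
Feb 21 00:00:15 host1 sshd[2004]: Failed password for root from 203.0.113.12 port 33004 ssh2
Feb 21 00:00:16 host1 sshd[2005]: Failed password for invalid user pi from 203.0.113.13 port 33005 ssh2
"""

# Matches OpenSSH's failed-password line, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) \S+ \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9.]+) port \d+ ssh2"
)


def unique_failed_sources_per_day(log_text):
    """Map 'Mon DD' -> set of source IPs with at least one failed password login that day."""
    per_day = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            per_day[f"{m['mon']} {int(m['day']):02d}"].add(m["ip"])
    return per_day


def spike_days(per_day, baseline, factor=2.0):
    """Days whose unique-attacker count exceeds factor x the usual daily baseline."""
    return sorted(day for day, ips in per_day.items() if len(ips) > baseline * factor)


# Settings that make sshd keys-only; PAM password prompts go through these paths.
WANTED = {
    "PasswordAuthentication": "no",
    "ChallengeResponseAuthentication": "no",
    "PubkeyAuthentication": "yes",
}


def audit_sshd_config(config_text):
    """Return the directives that are missing or still permit password logins."""
    found = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in WANTED:
            found[parts[0]] = parts[1].strip().lower()
    return {k: found.get(k, "<unset>") for k, v in WANTED.items() if found.get(k) != v}


if __name__ == "__main__":
    per_day = unique_failed_sources_per_day(SAMPLE_LOG)
    for day, ips in sorted(per_day.items()):
        print(day, len(ips), "unique failed-login sources")
    print("spike days (baseline 2/day):", spike_days(per_day, baseline=2))
    print("config findings:", audit_sshd_config("PasswordAuthentication yes\nPubkeyAuthentication yes\n"))
```

The baseline would normally come from a rolling window of earlier days rather than a constant; the per-source rate limiting the commenter mentions is a separate control at the firewall and is not modelled here.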
is what I got 3 times in a row pasting (!) the code.
techflaws
Re:
The reason is that I have my mail client set to display the plain-text version of the message, and apparently that version omits the newline between the confirmation URL and the "If you did not request a password reset", so doing a right-click and "Copy URL" on the link gives you a URL with the word "If" appended to the confirmation code - which of course gets interpreted as an invalid confirmation code.
Paste the URL into the address bar and delete the "If" from the end, and you'll probably see it work just fine.
(This should still be fixed on the backend so that future reset mails get sent out with the plain-text copy correct, of course. This is just a workaround.)
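The defect described in the comment above, as an added example (not Techdirt's mail template): a plain-text reset body built both with and without the line break, a URL extractor that behaves like a mail client's "Copy URL" (everything up to the next whitespace), a proper multipart message built with Python's standard email library, and a server-side code check that rejects the glued-on "If" outright. The URL, token and footer wording are constructed for the example.

```python
import hmac
import re
from email.message import EmailMessage

# Constructed sample values for this example.
RESET_URL = "https://example.test/reset?code="
TOKEN = "a3f9c1d27b4e"
FOOTER = "If you did not request a password reset, you can ignore this message."


def build_plain_text_broken(token: str) -> str:
    # Reproduces the reported defect: nothing separates the URL from the footer text.
    return "Click the link below to reset your password:\n" + RESET_URL + token + FOOTER


def build_plain_text_fixed(token: str) -> str:
    # The URL sits on its own line with a blank line after it, so any client
    # that stops a link at whitespace gets exactly the URL.
    return ("Click the link below to reset your password:\n\n"
            + RESET_URL + token + "\n\n" + FOOTER)


def build_reset_email(token: str) -> EmailMessage:
    """multipart/alternative message: corrected plain-text part plus an HTML part."""
    msg = EmailMessage()
    msg["Subject"] = "Password reset"
    msg["To"] = "user@example.test"  # constructed recipient
    msg.set_content(build_plain_text_fixed(token))
    msg.add_alternative(
        f'<p>Click <a href="{RESET_URL}{token}">this link</a> to reset your password.</p>'
        f"<p>{FOOTER}</p>",
        subtype="html",
    )
    return msg


URL_RE = re.compile(r"https?://\S+")


def extract_url(body: str) -> str:
    """Mimics a mail client linkifying plain text: the URL runs to the next whitespace."""
    m = URL_RE.search(body)
    return m.group(0) if m else ""


def code_from_url(url: str) -> str:
    return url[len(RESET_URL):] if url.startswith(RESET_URL) else ""


CODE_RE = re.compile(r"^[0-9a-f]+$")  # the constructed token alphabet


def validate_code(code: str, expected: str) -> bool:
    # Strict format check first: trailing junk such as "If" never reaches the comparison.
    if not CODE_RE.match(code):
        return False
    return hmac.compare_digest(code, expected)


def plain_part_text(msg: EmailMessage) -> str:
    # What a client showing "the plain-text version" actually renders.
    return msg.get_body(preferencelist=("plain",)).get_content()


if __name__ == "__main__":
    bad = code_from_url(extract_url(build_plain_text_broken(TOKEN)))
    good = code_from_url(extract_url(plain_part_text(build_reset_email(TOKEN))))
    print("broken body yields code:", bad, "valid:", validate_code(bad, TOKEN))
    print("fixed body yields code:", good, "valid:", validate_code(good, TOKEN))
```

The strict format check is a second line of defence only; the real fix, as the comment says, is the template, since a client may also truncate or wrap a URL that runs into surrounding text.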
Given that basically every security system seems to get hacked now and then, how could a password wallet existing in my computer and talking to the internet be safe?
Re:
If you're dealing with high stakes accounts like bitcoin or other financial data it would be a good idea to have a separate, even offline password storage but for your average user an email and techdirt account password are worth very little.
Re: Re:
"Software you don't trust", such as anything from Microsoft or Apple? So, 99% of the planet's hosed from the get go? Don't even bother trying using that garbage. That's my view.
I'm looking forward to the next planet killer asteroid. It'll be so refreshing.
Re:
Right now, at the base level, we still code and write software that has security only as a secondary thought at best. If you DO write it with security being first then you still only get second class security because the compilers, run-times, and a whole bunch of other giants your code is standing on are prone to replay attacks, buffer overflows, logical flaws, and other unexpected bugs and such. And not only that, you still have to do it all over "pre-established" protocols that come with their own flaws and vulnerabilities because you can't just make a new programming language or protocol that everyone understands without years of work and effort to get it adopted by the industry.
People are just prone to suffer that which is sufferable so we keep using the same old garbage we have been using because it works. It might work like shit, but it works, so would you like another plate of shit friend? Cause that is the only thing on the menu!
Re:
Yes. For a variety of reasons. First, there is no indication that this was malicious. There are always bugs out there. Second, working with a company like Cloudflare that is focused on security is always going to be better than doing it ourselves as a small operation. If it were just us, we likely would never have found this kind of bug. Third, working with a company like Cloudflare also means that such things get fixed much faster than they otherwise would have been fixed. Fourth, Cloudflare was a tremendous help to us in the past when we were hit with a DDoS attack from someone who was unhappy with a comment on the site.
cf still not trustable at this point
Been seeing attacks on blogs since y2k. Still seeing weird website/blog behavior on other sites that use cf. The problems are not solved yet.
Basically, if you have decided to use cf, you have traded one attack (DDOS), for an allegedly smaller attack surface. The problem is that the smaller attack surface via cf is that it is actually a smaller attack surface for the real attackers. They only have to find the software bugs in cf, and then attack millions of websites.
Suspect Cogent part of problem.
Re: Re: Re:
This is almost certainly not true. We'd have lots and lots of other bugs. The protection provided by using a third party who can throw many resources at protecting us is much more valuable than assuming that security by obscurity is a good system.
Re:
Security through obscurity; yeah, that's a proven defence method. If you hold your hands over your eyes, they can't possibly see you to target you. Sure.
Me, I fell off the net last year and gave up on the "social" side of it. Now, it's only used for research (pull) and updating software (also pull).
"Human to human interaction" is no longer viable via the net. There's too much noise in the system to suffer it.
Re: Reset
That's an unproven assumption on your part. Sounds good, but that's all. That koolaid's laced with cyanide.
Use better pwords (upcase + lowcase + punctuation + integers + avoid dictionary words) or use ssh keys instead, all unique per service (no re-use).
Fold in "the *cloud* is a trap" and "if you don't control it, you're being controlled."
My $0.02 (which'll buy nothing these days). Yes, I already realize this'll never change anything, but had to try.
Have fun. Bon chance.
Cloudflare requires you to give up a lot of control and any service that forces you to allow it to investigate your site staff is just a corrupt service.
Techdirt, if they rely on Cloudflare as a service, deserves exactly what happened because of this breach.
I don't use Cloudflare on my site, although I had considered using it before, until I read their terms of service, which was totally UNACCEPTABLE behavior. You are required to allow Cloudflare to conduct investigations on any administrator, moderator or any staff you have on your site.
This isn't a slam on techdirt but rather on their usage of Cloudflare. There are better alternatives out there.
Re: Re:
¯\_(ツ)_/¯
Re: Re: Re: Re:
i.invented.email@command.com
You forgot techdirt deals
Thanks
Thank you for TechDirt DRM
- You are unaware that anything relating to TD was compromised.
- The "worst" possible thing that could happen is someone who is not a subscriber could login to TD.
- You've inconvenienced ALL of your users.
- This is JUST like DRM
Can you imagine if Facebook, Snapchat, Instagram, or Twitter had written the same thing? "We're not sure that we're even affected, but we use CloudStuff so maybe wut, and so ALL of you MUST change ALL your passwords go team."
Roll-your-own security is a no-no. Responding to a non-threat with a blanket requirement to update passwords is hysterical. Not in the funny way.
E
Re: Thank you for TechDirt DRM
You regard changing a password as "punishment"?
But aside from that do you not consider it odd that this situation occurs at the same time that Techdirt finds itself involved in legal proceedings initiated by a well known scumbag?
Re: Re: Thank you for TechDirt DRM
I never use the same password on any two web sites.
DRM, Personal choices, and if you post here the FBI may come calling
My authentication strategy balances costs of maintaining a database of mechanisms vs the risk of what those mechanisms protect. My financial, airline, and public utilities passwords are all different. My news and social media passwords are not.
The risk here is that someone will be able to post as me on social media. The reward is I don't have to keep track of passwords for e.g. TechDirt, ArsTechnica, Wired, WashPo, NYT, Twitter, FB, and many others.
Because MY security is MY responsibility that allows ME to determine MY policy. (Similarly I respect Mike's answer where he says TD gets to determine TDs policy...)
Whenever something happens there are always people happy to give advice. They are the "lawprawfs" of IT, eager to "share" their non-practiced knowledge in the hopes of getting their name in print.
Personally, I turn to Bruce Schneier or Eugene Kaspersky or Joel Snyder when I want *real* computer security advice. You'll note none of those gentlemen has opined on any real significance to Cloudbleed nor made a call to global password changes.
I like TechDirt.
The FBI had a "chat" with me partially because I post on here. Summary here: http://thehood.livejournal.com/109302.html
Best wishes to all. Also I did not reset my password.
E
Re: DRM, Personal choices, and if you post here the FBI may come calling
You can always put back in the same password if that's the key concern here (we don't have anything stopping that, as we don't know what your old pwd was anyway). And, yes, I recognize that you are taking a stand over the inconvenience part, and you feel that we should not have inconvenienced so many people, but we differ on our analysis of what was the most prudent action here.
You catch more flies with honey
Also... thanks for taking the time to respond to your readers :)
E
Re: Thank you for TechDirt DRM
I've seen similar things happen in the past with sites that have forced large groups of users to change passwords:
https://www.dropbox.com/help/9257
http://fortune.com/2016/06/07/facebook-netflix-passwords/
https://blog.linkedin.com/2016/05/18/protecting-our-members
https://thenextweb.com/socialmedia/2010/02/02/twitter-forcing-users-change-password-reported-threat-phishing-attacks/#.tnw_4yR7CA3Y
Yes, those involved more specific attacks, but part of the problem with Cloudbleed is that there's no good way to determine if the data here was at risk. And, I disagree that it's the "worst" possible thing. First, many users (unfortunately) reuse passwords. So if we let a password out, it could impact them on many other sites.
Also, after reading up on Cloudbleed, multiple security experts suggested exactly this course of action. I'm truly sorry that it's an inconvenience, but it's a very, very temporary one and I don't see how it's like DRM at all. DRM is a persistent, awful, limitation on things that you've purchased which block you from actually using what you've purchased. In this case, we made a move to actually make sure our users are safe.