|
flakeloaf posted:cloumarf
|
#
?
Feb 24, 2017 06:09
|
|
|
|
| # ? May 10, 2024 13:22 |
|
|
So from what I'm hearing, a breach of this scale has been around for months, yet nobody really took notice of it until now, and when it was taken notice of, it got immediately fixed, resulting in an infinitesimally small chance of someone actually being affected?
|
|
#
?
Feb 24, 2017 08:35
|
|
|
anthonypants posted:Cloudflare pointed out their bug bounty program, but I noticed it has a top-tier reward of a t-shirt. i defeated the cloud master and all i got was this lousy t-shirt
|
|
#
?
Feb 24, 2017 08:46
|
|
|
spit on my clit posted:So from what I'm hearing, a breach of this scale has been around for months, yet nobody really took notice of it until now, and when it was taken notice of, it got immediately fixed, resulting in an infinitesimally small chance of someone actually being affected? secondly how do you know no one else was doing the same data collection google was doing and had to throw away after they found out what was in it
|
|
#
?
Feb 24, 2017 08:57
|
|
|
he did this one about a year ago too, weird https://twitter.com/NathOnSecurity/status/691357348871458816
|
|
#
?
Feb 24, 2017 09:06
|
|
|
anthonypants posted:how do you know when it was first noticed Well, at most 4 days before Tavis found it due to them flipping the switch that activated the new Theoretically it could have happened starting in September, but they couldn't find an error path leading to an overrun with the combination of features then. It's a really good writeup. I bet they had fun contacting Literally Every Search Engine asking them to purge/refetch a list of URLs too.
|
|
#
?
Feb 24, 2017 11:33
|
|
|
 we did it guys! https://github.com/pirate/sites-using-cloudflare
|
|
#
?
Feb 24, 2017 15:24
|
|
|
christ you have a lot of plugins why you got so many plugins plugin man
|
|
#
?
Feb 24, 2017 15:25
|
|
|
i'll be snap widget i guess
|
|
#
?
Feb 24, 2017 15:25
|
|
|
i'll be the missed opportunity for in-jokes
|
|
#
?
Feb 24, 2017 15:27
|
|
|
ate all the Oreos posted:christ you have a lot of plugins why you got so many plugins plugin man that's what my chome looked like when i had chomeos
|
|
#
?
Feb 24, 2017 15:30
|
|
|
ate all the Oreos posted:christ you have a lot of plugins why you got so many plugins plugin man you should see my firefox instances
|
|
#
?
Feb 24, 2017 15:33
|
|
|
lol https://twitter.com/0ddj0bb/status/835126826750083075
|
|
#
?
Feb 24, 2017 15:42
|
|
|
https://twitter.com/0DDJ0BB/status/834985778593804288 i'm pretty sure tweeting "hey guys call me it's important" is probably not the only way he makes disclosures, but hey i could be wrong it's not like i know the guy
|
|
#
?
Feb 24, 2017 15:46
|
|
|
also laziness has paid off once more! I still don't have a password manager. I guess 1password is out of the mix now :v
|
|
#
?
Feb 24, 2017 15:49
|
|
|
https://twitter.com/japesinator/status/834992257522520064
|
|
#
?
Feb 24, 2017 15:51
|
|
|
Phone posted:also laziness has paid off once more! I still don't have a password manager. their website using cloudflare does not in any way affect security of their password manager
|
|
#
?
Feb 24, 2017 15:53
|
|
|
some password manager did send their passwords in the clear through cloudflare tho. was it lastpass again? those guys just keep loving up
|
|
#
?
Feb 24, 2017 15:55
|
|
|
lomarfcode:
|
|
#
?
Feb 24, 2017 16:00
|
|
|
yeah tavis' post mortem explicitly says 1password alongside okcupid, uber, and fitbit had data and passwords exposed
|
|
#
?
Feb 24, 2017 16:07
|
|
|
https://twitter.com/LastPassStatus/status/835136572798431232 eat poo poo 1passwordailures!
|
|
#
?
Feb 24, 2017 16:07
|
|
|
Truga posted:some password manager did send their passwords in the clear through cloudflare tho. lastpass doesn't use cloudflare and even if it did it wouldn't have affected security of their product either 1password is what you're referring to but they weren't sending passwords through cloudflare, they just used it for their website are there seriously people in this thread that think a prominent password manager company would have an implementation that would involve sending plaintext passwords over http to cloudflare?
|
|
#
?
Feb 24, 2017 16:12
|
|
|
no, over https. just not, you know, like normal people do password managers - in an encrypted container that only you know the secret to unlock
|
|
#
?
Feb 24, 2017 16:13
|
|
|
pr0zac posted:are there seriously people in this thread that think a prominent password manager company would have an implementation that would involve sending plaintext passwords over http to cloudflare? no, i don't think anyone does. people think they send them over https through cloudflare, and also have cloudflare do ssl termination so it can actually do the load-shedding and stuff. people think this because it's literally called out in the bug as information that was seen in the leaked data.
|
|
#
?
Feb 24, 2017 16:17
|
|
|
https://twitter.com/andywingo/status/835132154749272064
|
|
#
?
Feb 24, 2017 16:19
|
|
|
Phone posted:yeah tavis' post mortem explicitly says 1password alongside okcupid, uber, and fitbit had data and passwords exposed akadajet posted:https://twitter.com/LastPassStatus/status/835136572798431232 you idiots don't understand how password managers work Truga posted:no, over https. just not, you know, like normal people do password managers - in an encrypted container that only you know the secret to unlock https termination through cloudflare means an nontls http connection to cloudflare (see these forums for instance)
|
|
#
?
Feb 24, 2017 16:19
|
|
|
just use icloud keychain
|
|
#
?
Feb 24, 2017 16:21
|
|
|
pr0zac posted:you idiots don't understand how password managers work u can still do tls between buttflare and the servers, i think it's what they recommend
|
|
#
?
Feb 24, 2017 16:22
|
|
|
in other news: https://www.wired.com/2017/02/malware-sends-stolen-data-drone-just-pcs-blinking-led/ first disk clicking, then fan speeds, now blinken lights, lmao
|
|
#
?
Feb 24, 2017 16:26
|
|
|
clicked expecting tx/rx lights on a network jackquote:But the simplest countermeasure by far is simply to cover the computer’s LED itself. Once, a piece of tape over a laptop’s webcam was a sign of paranoia. Soon, a piece of tape obscuring a computer’s hard drive LED may be the real hallmark of someone who imagines a spy drone at every window. brb kickstarting tapr
|
|
#
?
Feb 24, 2017 16:29
|
|
|
spankmeister posted:u can still do tls between buttflare and the servers, i think it's what they recommend this is what i was doing. i was using let's encrypt between cloudflare and canario
|
|
#
?
Feb 24, 2017 16:30
|
|
|
pr0zac posted:you idiots don't understand how password managers work yeah, i never claimed that I knew how password managers work. or didn't. all of agilebits' stuff is "we have 3 layers of security!" post cloudbleed, which is interesting. they go out of their way to mention that they use ssl/tls and two other super secret encryption thingos, mention that ssl/tls is what was affected, and then never mention what data was exposed in the ssl/tls breach, just that srp wasn't affected and your super secret vault encryption is safe.
|
|
#
?
Feb 24, 2017 16:30
|
|
|
Truga posted:in other news: suddenly all those people saying you need to run av on an airgapped system make sense - all that random pointless harddrive access would swamp this in noise. see, antivirus works!
|
|
#
?
Feb 24, 2017 16:36
|
|
|
if you don't use 1Password's cloud service would you be affected? I seriously hope not
|
|
#
?
Feb 24, 2017 16:37
|
|
|
pr0zac posted:
My dude have you ever heard of whois?
|
|
#
?
Feb 24, 2017 16:50
|
|
|
skull mask mcgee posted:if you don't use 1Password's cloud service would you be affected? I seriously hope not I hope not as well since I couldn't import my vault to the cloud version they were trying to push on me, so I just gave up trying. If I couldn't import my vault, but somehow my info still got out would be ridiculous.
|
|
#
?
Feb 24, 2017 17:08
|
|
|
this owns
|
|
#
?
Feb 24, 2017 17:12
|
|
|
git's excuse at sticking with sha-1 has been displaying hashes on a 80 char term
|
|
#
?
Feb 24, 2017 17:19
|
|
|
technically, git isn't vulnerable to shattered thing because it salts its commits or somesuch and that issue is due to them using git-svn, but it should move off sha1 anyway, today shattered works, in 5 years plain old brute force willskull mask mcgee posted:if you don't use 1Password's cloud service would you be affected? I seriously hope not i went to read https://blog.agilebits.com/2017/02/23/three-layers-of-encryption-keeps-you-safe-when-ssltls-fails/ and the way I understand it: technically, your password container is perfectly safe. your poo poo only gets synced within the context of the container encryption, so cloudflare never had direct access to your indivitual passwods. but, the password you use to log into their site (and cloud service?) would be sent in plaintext under https. since cloudflare terminates https on their end to provide caching services etc, your password would have to exist in plaintext on their server, which isn't too big a deal (unless you're a paranoid little poo poo like me, I don't even trust my password container to cloud services, much less my pw to it), unless someone can read cloudflare's memory. oops! i dunno what happens after you log into your 1password account, or if the container password is the same password as your 1password password, but i imagine it is, and in that case, start changing all the passwords. not like it'll be a lot more than you have to either way, a shitton of things use cloudflare and you have to change those in any case.  but first, change your 1password pw, if you haven't already.
|
|
#
?
Feb 24, 2017 17:33
|
|
|
|
| # ? May 10, 2024 13:22 |
|
|
Truga posted:technically, git isn't vulnerable to shattered thing because it salts its commits or somesuch and that issue is due to them using git-svn, but it should move off sha1 anyway, today shattered works, in 5 years plain old brute force will lol moore's law is dead so i'm not worried about 5 years
|
|
#
?
Feb 24, 2017 17:46
|
|