
CLOUDFUCKED


Thread replies: 381
Thread images: 36

File: CF.png (7KB, 800x320px)
Cloudflare's reverse proxies have an HTML parser bug that results in random data being sprayed all over the pages they host.

https://bugs.chromium.org/p/project-zero/issues/detail?id=1139

TL;DR: Any passwords you have EVER sent to a Cloudflare-hosted site might show up in some other random page somewhere on the internet.

NOTE: 4CHAN USES CLOUDFLARE.
>>
Is this why old images were wiped from 4chan recently?
>>
File: 1384808126982.jpg (33KB, 268x265px)
>>59088232
It's good I don't log in here
>>
Ironically, your data is safe if the only sites you use are Google, Facebook, Amazon, etc which have their own CDNs.

Realistically, what percentage of the human population uses at least one service "protected" by CloudFlare? I'd think it'd be safe to say at least 50%.
>>
>>59088232
ha
>>
<using CloudMeme on your website
4chan is the only exception I make -- Because Anonymity
>>
File: Travis Ormandy tweet.png (78KB, 625x586px)
>>
>>59088294
Uber uses Cloudflare servers behind the scenes, even if you access it through the app. Lots of companies do this.

1Password also uses Cloudflare.
>>
Based tavis
>>
>>59088423
OK? Neither of those are companies I mentioned, nor anywhere near their size.
>>
>>59088366
From what I understand, if the post submissions go through a cloudflare server it could have been leaking the associated IP addresses.
>>
File: 1471420094077.jpg (37KB, 500x495px)
>>59088232
they're doing MITM on every site they host. WHAT COULD GO WRONG!?!?

PS: Even 4chan is using that fucking garbage and they're endangering everyone who purchases passes. HIRO, ditch that shit please!
>>
>>59088294
Cloudflare was hacked once solely to vandalize 4chan.
>>
>>59088477
this.

If people are going to use this shit, they should at least send encrypted blobs since TLS isn't going to save you here.
>>
Those niggers also block Tor
>>
>>59088232
This is why I don't use Cloudflare.
>>
>>59088704
So you knew the bug existed? Could have reported it then.
>>
Good. Fuck Cloudflare.

Have you ever tried to work with them to identify and stop a spammer or a scam site? They are fucking assholes. I hope something big happens with this security breach, big enough to ruin their entire fucking company and close their doors.
>>
>>59088787
No, thanks. I don't want to deal with that circus.
Protip: Don't use AES.
>>
So what popular sites use cloudflare? Outside of uber and fitbit.
>>
>>59088423
>1Password
Feels good for not falling for the cloud password storage meme.
>>
>>59088789
so you're mad at them for not handing over customers private info to any retard that asks?

i use cloudflare, it saves a lot of money on bandwidth and makes your ss much faster by hosting them on cdns all over the world for free

>b but it had a bug
so did every other piece of software ever made..
>>
>>59088232
>a Cloudflare-hosted site
like what
>>
>>59089078
They're more common than you might realize. I almost always browse via Tor, and I run into their bullshit all the time. I don't remember on what specific sites though.
>>
>>59089078
cloudfag please go
>>
>>59088789
> Good
you realize that all your 4chan posts are potentially sitting around the internet now with your IP address attached right
>>
File: fuckme.png (164KB, 732x800px)
I posted this a few days ago. Had a feeling it would be bad, didn't think it would be this bad ><

Based fucking Tavis
>>
>>59088232
>>59088288
>NOTE: 4CHAN USES CLOUDFLARE.
4chan is the least relevant site that uses NSACloud, literally almost all of the rest of the internet uses it
Time to change all my passwords, again
>>59088477
>purchasing passes
TOPFUCKINGKEK
Anyways, jewt implemented the CDN in his retardation
>>59088789
They will never close their doors, they're a NSA asset
>>59088922
Literally everything that isn't Facebook, Google and Amazon, with a few exceptions of people who use other CDN's
>>59089217
Yeah I remember this
Unfortunately Cloudflare is an NSA asset so he won't get the publicity he deserves
>>
>>59089271
you now realise the ddos attacks and the new tech to end it all.

problem reaction solution

nsa way
>>
fuck you cloud!
>>
>>59089061
>so you're mad at them for not handing over customers private info to any retard that asks?
They don't hand over PUBLIC CONTACT INFORMATION when provided with HARD EVIDENCE.

Fuck them.

>i use cloudflare, it saves a lot of money on bandwidth and makes your ss much faster by hosting them on cdns all over the world for free
Hope your customer data is retrieved from caches and you get fucked over for using a shit service.
>>
File: cloudbleed.png (48KB, 712x676px)
official logo!
>>
>>59088232
Passwords should be hashed though if your website is not shit.
>>
>>59089470
Are you fucking retarded? This leaked data comes from the web server, before any kind of hashing can be applied.
>>
>>59089470
this is leaking POST requests dude
>>
>>59089537
I thought data gets encrypted with HTTPS before it travels over the internet. So Cloudflare being a man in the middle should just be transporting garbage to their client who decrypts it with their private key.
>>
>>59089522
>>59089537
I don't know nothing about this crap, but I would have assumed that common practice would be to hash passwords locally before even sending them over the internet.
>>
>>59089577
cloudflare MITM all their clients, that's literally how their service works
>>
File: sbfLSrl.jpg (97KB, 962x639px)
>>59089537

more like everything

"I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything."
>>
>>59089577
Cloudflare decrypts stuff, check any site that uses cloudflare and you will find that the certificate is issued to them
They (((need))) your SSL certificate to work, they're a massive NSA op
>>59089604
It is what should be done but there's a shitton of sites run by literal retards who will send plaintext passwords
Even a lot of banking sites are like this
>>
>>59089604
That would defeat the point of hashing at all, you would instead leak the hash and use that as a password (pass the hash)
>>
File: 1477265565682.png (573KB, 1106x1012px)
>>59089633
WHAT THE FUCK
>>
Is there a list of websites that use Cloudflare that isn't hidden behind some sort of registration screen?
>>
>>59089577
No you're dumb. The cert is issued to cloudflare, they decrypt your data. If you don't know how to check certs, stop posting.
>>
>>59088261
Who cares, senpai. We have archives
>>
>>59089522
Shouldn't passwords be hashed client-side before they're transported over the internet so "password" becomes "UxFMf1Nz9H5ggjTyiQB1"? Then if the website gets hacked they only found your username associated with "UxFMf1Nz9H5ggjTyiQB1" and don't know the password you use for every other login on the internet.
>>
>>59089639
It would at least protect you across websites.
>>
>>59089636
What should be done is sending everything through HTTPS, but in this case it doesn't prevent the password from leaking due to the way Cloudflare works.
>>
Some call me the meme master.
>>
>>59088261
No, I think that was because Hiro was being dumb as per usual.
>>
>>59089672
No, because then an attacker can grab that "UxFMf1Nz9H5ggjTyiQB1" and send that to the server instead, that hash becomes your new password. Passwords need to be sent as plaintext over HTTPS and hashed (using a proper algorithm) after being received by the server.
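The trade-off argued over in the last few posts (hash in the browser versus send plaintext over HTTPS and hash at the server) in working code. This is an added example, not code from the thread: the password, the `example-a.test` / `example-b.test` domains, the user name and the two `*Site` classes are constructed for the demonstration, and the "leak" is simulated by handing the attacker the exact value that went over the wire.

```python
import hashlib
import hmac
import os

# Constructed sample data: one password reused at two placeholder sites.
PASSWORD = "correct horse battery staple"
SITE_A, SITE_B = "example-a.test", "example-b.test"


def client_side_token(password, site):
    """Scheme 1: the browser derives a site-specific token and sends that."""
    return hashlib.sha256(f"{site}:{password}".encode()).hexdigest()


class ClientHashSite:
    """Server that stores the client-derived token and compares it verbatim."""

    def __init__(self, site):
        self.site, self.db = site, {}

    def register(self, user, password):
        self.db[user] = client_side_token(password, self.site)

    def login(self, user, token_on_the_wire):
        return hmac.compare_digest(self.db.get(user, ""), token_on_the_wire)


class ServerHashSite:
    """Scheme 2: plaintext password over TLS, salted slow hash at the server."""

    def __init__(self, site):
        self.site, self.db = site, {}

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self.db[user] = (salt, self._kdf(password, salt))

    def login(self, user, password_on_the_wire):
        salt, digest = self.db.get(user, (b"", b""))
        return hmac.compare_digest(digest, self._kdf(password_on_the_wire, salt))


def setup():
    """Same user registered with the same password at both sites, both schemes."""
    sites = {
        "A1": ClientHashSite(SITE_A), "B1": ClientHashSite(SITE_B),
        "A2": ServerHashSite(SITE_A), "B2": ServerHashSite(SITE_B),
    }
    for s in sites.values():
        s.register("alice", PASSWORD)
    return sites


def replay_after_transit_leak():
    """An attacker replays whatever the leaked request body contained."""
    s = setup()
    leaked_token = client_side_token(PASSWORD, SITE_A)   # scheme 1 wire value
    leaked_password = PASSWORD                           # scheme 2 wire value
    return {
        "client_hash: same site": s["A1"].login("alice", leaked_token),
        "client_hash: other site": s["B1"].login("alice", leaked_token),
        "server_hash: same site": s["A2"].login("alice", leaked_password),
        "server_hash: other site": s["B2"].login("alice", leaked_password),
    }


def replay_after_database_leak():
    """An attacker sends the stored credential record back to the same site."""
    s = setup()
    stolen_token = s["A1"].db["alice"]          # scheme 1 stores the token itself
    _salt, stolen_digest = s["A2"].db["alice"]  # scheme 2 stores salt + digest
    return {
        "client_hash: stored token logs in": s["A1"].login("alice", stolen_token),
        "server_hash: stored digest logs in": s["A2"].login("alice", stolen_digest.hex()),
    }
```

Running both functions shows the two halves of the argument at once: a value captured in transit logs in at the site it was sent to under either scheme (a proxy-side leak is not something password hashing addresses), the site-bound client token does not work at the other site, and under scheme 1 a stolen database row is itself a working credential, which is the "hash becomes your new password" point.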
>>
Can I bypass Cuckflare and access 4chan directly?
>>
File: image.gif (2MB, 347x200px)
>>59089633
Time to stop using the internet and burn all my technology.

It's been fun.
>>
https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

>The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests).

I can't even match 1 number on a Powerball ticket. I like my odds.
>>
>>59088232
>Any passwords you have EVER sent to a Cloudflare-hosted site might show up in some other random page somewhere on the internet.
>NOTE: 4CHAN USES CLOUDFLARE.
I don't normally use a password on 4chan. I usually use the name Anonymous.
>>
>>59089796
they don't tell you what their rate of http requests a day is because it would indicate a much larger leak of data
>>
>>59089658
I can't find one.
I'm checking my sites by doing traceroute.
>>
>>59089834
If there is a data dump they could be post you made linking your IP to post about lolis.
>>
>>59089876
I don't like lolis
Idgaf.
>>
So is there a complete list of sites affected?
>>
>>59089633
>full messages from a well-known chat service
Discord fags btfo.
>>
>>59088294
We are not yet at 50 percent for human internet access.
>>
> Some of this data was cached publicly in search engines such as Google
If big brother is not watching you fap at least you can trust he is recording everything for a later private viewing.
>>
So have they fixed this issue as of now? Is it time to change all our passwords and shit?
>>
>>59089604
>I don't know nothing about this crap
Basically /g/ summed up in one statement minus the double negative.
>>
https://github.com/pirate/sites-using-cloudflare
>>
Cloudkeks get btfo again
>>
>>59089962

It's fixed, but the damage is fucking done, and it's big time.
>>
>>59089991
>Cloudflare has over 2 million websites on its network, and data from any of these is potentially exposed.
Yeah just assume everything is compromised and change all passwords.
>>
How do I tell if a site uses cloudflare?
>>
>The underlying bug occurs because of a C pointer error.
No shit.
Seriously C should be banned. There is not a single human being that can write safe code with it.
>>
>>59090072
technically this was a thing that was compiling some other language to C, not a human being
>>
>>59090001
Well fuck me. Guess all I can do is change my passwords and emails and hope for the best.
>>
>batoto
>myanimelist
>exhentai
Do any of these use it?
>>
>>59090088
The point stands. No human being nor AI nor compiler can write safe C code. If it is in C assume there are multiple exploitable bugs.
>>
>>59088232
>4chan uses Cloudflare
Passfags btfo, I hope they stored CC data too.
>>
>>59090117
It was a service called swipe or something that pops up.
>>
>>59090236
Interesting. Besides the ip details is there a way to extract more information out of this? I'd like to see how exposed it is.
Captcha: pepe impacto
>>
>>59089426
it's already been fixed & my site doesn't have any sensitive information. it's just a porn site
>>
Fuck cloudflare. NSA operation.

DDoS sites until they join you, then spy on all their HTTPS traffic because they hand their cert over to you.
>>
>>59088232
How many bitcoin sites were just drained because you can google cache search and grab passwords. Search for "CF-Host-Origin-IP" and "authorization" in jewggle, receive a shitload of passwords.

Jewggle is going to have to nuke their entire cache

Fucking NSAflare. For years they were called out by cryptographers and 'security industry' for how they handled 0day by making a marketing site about it and just dumping the information after warning only their biggest customers.
>>
Forgive my ignorance, but where would that data appear?
Like, in the html source of the page?
Where would one look to find those leaks?
>>
>>59089945
Access, or reliable/consistent access? I thought even third-worlders had access via cafes. Isn't WhatsApp super popular in Africa?
>>
>>59090072
>The accident occurs because of a car.
No shit.
Seriously cars should be banned. There is not a single human being that can drive safely.
>>
>>59090529
Search engine caches (which they explicitly mention are already mostly purged), Archive.org, maybe proxies that aggressively cache?
>>
>>59090612
No, I meant, assuming someone gave me one of those pages that received the leaks, where would the leaked data be in that page?
>>
>>59090654
It's transmitted in the body of the response to the client, so, yes, in the HTML source
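To make the answer above concrete from the defender's side, here is an added example (not code from the thread) of what a team running its own cache or proxy can do: scan the stored bodies for HTTP-header-shaped fragments that have no business inside an HTML document, report a redacted snippet for triage, and list the entries to purge. The two cache entries are constructed; `203.0.113.7` is a documentation address and the token and cookie values are made up.

```python
import re

# Fragments that belong in a request/response header block, never in a page
# body.  Their presence after the real HTML is the signature of a response that
# carried another connection's memory.
LEAK_PATTERNS = [
    ("origin-ip header", re.compile(rb"CF-Host-Origin-IP:\s*\S+", re.I)),
    ("authorization header", re.compile(rb"Authorization:\s*[^\r\n]{1,200}", re.I)),
    ("cookie header", re.compile(rb"Cookie:\s*[^\r\n]{1,200}", re.I)),
    ("form password field", re.compile(rb"(?:^|[&?\s])password=[^&\s]{1,100}", re.I)),
    ("oauth token", re.compile(rb"access_token=[A-Za-z0-9._\-]{8,}", re.I)),
]


def redact(fragment, keep=12):
    """Keep just enough of a match to recognise it, never the whole secret."""
    text = fragment.decode("latin-1")
    return text[:keep] + "...[%d more bytes]" % max(0, len(text) - keep)


def scan_cached_body(name, body):
    """Return (entry name, pattern label, byte offset, redacted snippet) per hit."""
    findings = []
    for label, pattern in LEAK_PATTERNS:
        for m in pattern.finditer(body):
            findings.append((name, label, m.start(), redact(m.group(0))))
    return findings


def triage(cache):
    """Split a cache (entry name -> body bytes) into entries to purge and clean ones."""
    purge, clean = {}, []
    for name, body in cache.items():
        hits = scan_cached_body(name, body)
        if hits:
            purge[name] = hits
        else:
            clean.append(name)
    return {"purge": purge, "clean": clean}


# Constructed sample cache: one clean page, and one whose body carries a stray
# chunk of someone else's connection after the real document ends.
SAMPLE_CACHE = {
    "clean.html": b"<html><body><p>Nothing to see here.</p></body></html>\n",
    "leaky.html": (
        b"<html><body><p>Weather: sunny</p></body></html>\n"
        b"\x00\x00CF-Host-Origin-IP: 203.0.113.7\r\n"
        b"Cookie: session=abc123def456\r\n"
        b"Authorization: Bearer example-token-0001\r\n"
        b"username=alice&password=hunter2&remember=1"
    ),
}
```

`triage(SAMPLE_CACHE)` flags `leaky.html` with four findings (origin IP, cookie, authorization, password field) and leaves `clean.html` alone; the offsets tell you where the real document ended and the foreign bytes began, which is the same place a human reading the HTML source would spot them. The pattern list is deliberately header-shaped rather than site-specific, since the leaked memory belonged to arbitrary other requests.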
>>
>>59090612
They've barely purged it, there's cross cache contamination going on everywhere with leaked OAuth tokens galore for the taking still.

The #1 problem is of course Baidu with their Chinese government overseers likely fully raping the cache, plus the NSA runs its own http cache as per Snowden leaks since years ago. Almost everything on the internet caches http so this leak is huge.

>>59089913
7 million+ sites so far https://github.com/pirate/sites-using-cloudflare
>>
>>59090683
Ah, thank you
>>
I wonder if any tripfag tripcodes got leaked.
>>
This bug was caused by parsing. Parsing html in C or using regex is the stupidest thing you can ever do in <current year>. Cloudflare's official writeup is also missing plenty of details, they are blaming all of this on some ancient parser generating a pointer error but fail to mention they used fucking malloc and didn't zero-init memory, so that memory was full of data still and leaked, actually sprayed all over the internet in every single cache.

People who run major caches:
- all universities
- all Fortune 500 companies
- NSA/GCHQ etc.
- Jewggle, FB, MS, Baidu, duckduckgo, about a thousand other search engines

This will be fully cleaned up in about 2 years from now probably. On the project0 blog they found entire chats, adult video frames and even financial transactions.
>>
>>59090828
I have a caching proxy on my router ffs
>>
>>59090112
>https://github.com/pirate/sites-using-cloudflare
apparently not
>>
>>59090828
Also, Discord was the biggest leak for some reason Discord logins and chats have been sprayed everywhere in cache history.

Apparently even if they zeroed after free like GrSecurity/Pax-Sanitize works this bug would still happen since, in addition to bad C programming practices, a pointer error was barfing out random arrays.
>>
>>59090878
that list is not yet complete, still stuff being added.

most of the internet used cloudflare because they are NSA partners and helpfully offered a free tier DDoS protection (likely after ddosing you)
>>
>>59090901
The list is full of garbage sites
>>
>>59090510
I only get one page of results, and most of those don't have cached copies available. I think Google is disabling their cached copies for any page that seems to have this vulnerability. I tried Bing and got the same result.
>>
>online password manager data
Does this mean the pasword manager used cloudflare?
>>
File: poo.jpg (43KB, 624x351px)
>>59089945
>>
So "the eternal C" strikes again. When will this shit language finally be permabanned from use forever?
>>
>>59090112
>>exhentai
No. They have 43 servers worldwide, plus thousands of pervs running H@H to distribute the images:
https://ehwiki.org/wiki/E-Hentai_Statistics

Really impressive, desu.
>>
>>59091049
It always happens like this too, somebody finds a helpful library somewhere "Oh hey, this can parse HTML" and then they cut+paste that old shitty code into their new and improved library without ever going over it.

Every single leak, it's always a cut and paste programming problem. Funny how Cloudflare made a gigantic writeup just to admit they were too lazy to rewrite that library and just pasted it into their new shit
>>
>>59090571
You are wrong. Most third world people have actual internet access from their home.
t. Argentinian
>>
File: illust_id=57813560.png (122KB, 397x361px)
>>59090693

>ctrl-f
>Pixiv
>6 results
>ohgodohmanohgodohman
>not pixiv.net
dodged a bullet there.
>>
>>59091108
nigger
>>
>>59091130
>nigger
Can confirm. Most Argentinians are niggers.
>>
This lets you check if a site uses cloudflare.
https://chrome.google.com/webstore/detail/claire/fgbpcgddpmjmamlibbaobboigaijnmkl/related
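Beyond the browser extension, the same check can be made from a captured response. The following is an added example, not the extension's code or anything from the thread: it parses a raw HTTP response head and reports the edge headers Cloudflare's proxy adds (`Server: cloudflare`, `CF-RAY`, `CF-Cache-Status`). Both responses are constructed, and the `CF-RAY` value is a placeholder.

```python
def parse_response_head(raw):
    """Split a raw HTTP/1.x response into its status line and a header map.

    Header names are lower-cased; repeated headers are kept as a list.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue                          # tolerate junk lines
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def cloudflare_indicators(raw):
    """Per-indicator view: Server header, CF-RAY trace id, CF-Cache-Status."""
    _status, h = parse_response_head(raw)
    return {
        "server_is_cloudflare": any(v.lower() == "cloudflare" for v in h.get("server", [])),
        "has_cf_ray": "cf-ray" in h,
        "has_cf_cache_status": "cf-cache-status" in h,
    }


def behind_cloudflare(raw):
    """True when the response carries Cloudflare's own edge headers."""
    ind = cloudflare_indicators(raw)
    return ind["server_is_cloudflare"] or ind["has_cf_ray"]


# Constructed responses: one that passed through the proxy, one served directly.
PROXIED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Server: cloudflare\r\n"
    b"CF-RAY: 0000000000000000-XXX\r\n"        # placeholder trace id
    b"CF-Cache-Status: HIT\r\n"
    b"\r\n"
    b"<html>...</html>"
)

DIRECT = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"Server: nginx\r\n"
    b"\r\n"
    b"<html>...</html>"
)
```

`behind_cloudflare(PROXIED)` is true and `behind_cloudflare(DIRECT)` is false. Two caveats a practitioner should keep in mind: these headers only appear on hosts whose traffic is actually proxied, so a domain that merely uses Cloudflare DNS without TLS proxying (the fastmail note later in the thread) will look like a direct origin; and the complementary check from earlier posts, looking at who the TLS certificate was issued to, can be done with `openssl s_client -connect HOST:443 -servername HOST`, which prints the certificate chain the proxy presents.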
>>
Ban C!
>>
When will writing code in C be outlawed?
>>
>>59091127
Almost everybody used free cloudflare unless they shelled out a ton of money for DDoS protection, unless they were hosted with Google Cloud/App Engine or w/e it's called now.

People have already traced Uber locations to strip bars and brothels, god knows how bad this data leak is.

The state of our internet in 2017
>>
Oh man who could have known this would be botnet that helps the NSA
>>
Why are there so many anti C shills all of a sudden? There is literally nothing wrong with C.
>>
>>59090828
> they used fucking malloc and didn't zero unit memory
That doesn't matter. The stuff leaked was active memory.
>>
>>59091208
>People have already traced Uber locations to strip bars and brothels
Source?
>Almost everybody used free cloudflare
Is the free version not vulnerable to this leak?
>>
>>59091108

You are wrong. Most third world people DO NOT have actual Internet access from their home.

I live in an actual third world country (Brazil). Not only do I live in Brazil, I live in the largest city in Brazil - which also happens to be the largest city in Latin America. It's called São Paulo and it is a massive financial and industrial center. The namesake state capital. If any city has got to have Internet, it's São Paulo. The entire São Paulo metropolitan zone is inhabited by over 20 million people - almost 12 million of those in the main (eponymous) municipality alone.

However, you don't even have to leave the aforementioned municipality to find places without Internet coverage. And I'm not talking about 4G. I'm talking about good old cable or twisted pair. My girlfriend's parents have a home near the border of the São Paulo municipality with the Embu-Guaçu municipality. They don't get any Internet or even mobile phone signal there.

My point is: you don't even have to leave the largest city, in a country that is among the top 10 economies of the world, in one of the most important subcontinents in the world, to find a place without Internet coverage in a third world country.

Now just imagine how it's gotta be in shitholes like Africa and Southeast Asia, which manage to be even worse than Brazil.
>>
>>59091237
True, but the leak was made even worse because they didn't use standard safe C practices that are well documented in Robert Seacord's book "Safe C" for zeroing upon init, and/or zeroing free memory which is released every year. So much more data was leaked
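The disagreement in the last few posts (does zeroing freed memory help, or was the parser reading live data?) can be settled with a small simulation. This is an added example, not code from the thread or from Cloudflare: a `bytearray` stands in for the heap, integer indices stand in for C pointers, and the heap layout (the request being parsed, then a freed chunk, then another connection's live data) and all the data in it are constructed for the demonstration. The bug class it models is an end-of-buffer test written as equality rather than a range check, which is how Cloudflare's incident report describes the root cause.

```python
LIVE_SECRET = b"Cookie: session=deadbeef; Authorization: Bearer tok123"


def build_heap(zero_freed):
    """Lay out [request being parsed][freed chunk][live chunk of another request].

    Returns (heap, start, end); start..end is the range the parser may read.
    zero_freed=True models an allocator that wipes chunks on free().
    """
    request = b"<bhi<i<"          # ends in a truncated '<' tag marker
    freed = bytes(17) if zero_freed else b"password=hunter2&"
    heap = bytearray(request + freed + LIVE_SECRET)
    return heap, 0, len(request)


def buggy_parse(heap, start, end):
    """Drop '<x' tag markers, copy everything else to the output stream.

    The loop stops on equality only (the 'p == pe' check in C), so a pointer
    that steps *over* end never stops and copies adjacent memory into the
    output, which is what the client would then receive.
    """
    out = bytearray()
    p = start
    while p != end and p < len(heap):   # len(heap): edge of the simulated heap
        if heap[p] == ord("<"):
            p += 2                       # consume '<' and the tag byte, no room check
        else:
            out.append(heap[p])
            p += 1
    return bytes(out)


def fixed_parse(heap, start, end):
    """Same parser with a range check ('p >= pe') and a room check for the tag."""
    out = bytearray()
    p = start
    while p < end:
        if heap[p] == ord("<"):
            if p + 1 >= end:             # truncated tag at end of buffer: stop cleanly
                break
            p += 2
        else:
            out.append(heap[p])
            p += 1
    return bytes(out)


def demo(zero_freed):
    """What each parser emits for the same request, with and without zero-on-free."""
    heap, start, end = build_heap(zero_freed)
    leaked = buggy_parse(heap, start, end)
    return {
        "buggy_leaks_live_data": LIVE_SECRET in leaked,
        "buggy_leaks_freed_data": b"hunter2" in leaked,
        "fixed_output": fixed_parse(heap, start, end),
    }
```

`demo(False)` shows the buggy parser emitting both the stale freed bytes and the live data of the neighbouring request; `demo(True)` shows that zero-on-free removes only the stale bytes while the live data still leaks. Both posts are therefore partly right: wiping freed memory shrinks what an over-read can expose, but only the bounds check stops the over-read, and it is the bounds check that `fixed_parse` adds.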
>>
>>59091225
There's nothing wrong with C, unless you care about security. Starting a new C codebase in a security-sensitive context in this day and age is absolutely insane and negligent. This is literally why languages like Go and Rust exist.
>>
>>59091275
In those shitholes Mark Zuckerberg has helpfully come along and offered free "Facebook and Whatsapp". What this means is you get free wifi through the local telecom, but can only use Facebook apps with that access.
>>
>>59091315

We happen to actually have that here in Brazil too.
>>
>>59091315
But assuming WhatsApp uses Facebook's infrastructure and not CloudFlare, their data is unaffected by this entire issue and arguably safer/more secure despite it being in Facebook's possession.
>>
>>59091343
Yes instead of the NSA harvesting it through caches, Zuckerberg hands it to the NSA directly, or China, or whoever else wants it and is willing to pay like shady insurance companies in Africa that can deny coverage because they have access to your WhatsApp chats and found you like to smoke/drink or have a pre-existing condition.
>>
why is the internet so shit?
>>
>>59091326
It's a pretty brilliant idea, this way Facebook becomes a world telecom with like 6 billion users
>>
>>59091377
If you really want to know, watch this
https://youtu.be/fwcl17Q0bpk it's a talk by PHK from FreeBSD on the state of the IETF and how it's overrun with NSA shills.

Then, look up Daniel Bernstein on the IETF crypto working group mailing list, and go through his posts for the last 4 years where he shits on every single bad design decision these shills have made like HTTP/2, DNSSEC (uses UDP so race condition attacks), plus their continued reliance on certificates, a shitty, shitty 1990s invention that a guy from Netscape came up with one night as a way to just secure 1 site, not millions.
>>
>>59091313
>Starting a new C codebase in a security-sensitive context in this day and age is absolutely insane and negligent
Can you explain why that is?
>>
>>59090255
Swipe probably uses cloudflare though
>>
>>59091462
It's stripe, and they don't
they shouldn't even be saving your cc info in the first place
>>
>>59091242
>Is the free version not vulnerable to this leak?
Every version is vulnerable
>>
File: dayum.png (278KB, 640x360px)
>>59091425
>the cuck license crowd
No, thanks!
>>
File: 1484942242731.png (87KB, 310x312px)
>mangastream
>jaiminsbox
Why are even scanlators using cloudflare? Have these people infected the entire internet?
Computers were a mistake.
>>
Notable Sites
authy.com
coinbase.com
betterment.com
transferwise.com
prosper.com
digitalocean.com
patreon.com
bitpay.com
news.ycombinator.com
producthunt.com
stackoverflow.com
medium.com
reddit.com
4chan.org
yelp.com
okcupid.com
zendesk.com
uber.com
namecheap.com
poloniex.com
localbitcoins.com
kraken.com
23andme.com
fastmail.com (does not proxy TLS, probably safe from this attack)
1password.com (not affected)
>>
When will kikeflare die?
>>
>>59091326
>Free
>0.99 R$ daily
Fucking kikes
>>
>>59091451
(Not that guy)
Because C is very vulnerable to a broad class of very dangerous and hard-to-avoid security problems that most more recent languages avoid completely.

It has its merits, even so, and there are projects for which C is the only practical option. But the cost is very real, and something that should not be paid lightly.
>>
>>59091536
Never unless Trump stops being cucked by kikes and torpedoes all the CIA niggers and NSA kikes
>>
>>59091531
Also notable, thepiratebay and 2ch.net
>>
>>59091531
Also 4 million websites are affected.
https://github.com/pirate/sites-using-cloudflare
>>
>>59091547
>Because C is very vulnerable to a broad class of very dangerous and hard-to-avoid security problems
Yeah that much I figured. But where exactly is the problem? Why is C vulnerable?
>>
>>59091556
I'm not sure which of those two is the worse
>>
>>59091531
Discord
>>
>>59091451
>muh dangerous pointer meme!

No language is going to save you if...

* You hire pajeets.
* You hire fizzbuzzers.
* You rush your teams.
* You let management call shots that engineers should call.
>>
>>59091570
manual memory management and all kinds of crazy data corruptions that can happen outside of bounds of allocated memory
>>
>>59091586
>>59091591
Okay so basically C is dangerous because it doesn't babysit you and you actually need to program properly?

Thanks, now I understand.
>>
>>59091547
You didn't actually answer the question. You just used scary words.
>>
https://github.com/pirate/sites-using-cloudflare
>>
>>59091602
>Okay so basically C is dangerous because it doesn't babysit you and you actually need to program properly?
It literally is, making machines mitigate or rule out human errors is the best way to avoid human errors
>>
Stop using C.
>>
>>59091602
>Okay so basically C is dangerous because it doesn't babysit you and you actually need to program properly?

Pretty much.

In all fairness, it is easier to fuck up a memory read/write in C. But what "muh better language!" kiddies don't understand is that the protection they have is skin deep. A higher level language MIGHT save your ass. But it might also have its own buffer overruns and memory management issues in a runtime library or in the code the compiler spits out.

So the protection offered in other languages is a bit of an illusion. C doesn't lie to you. Your code is very close to what's happening in the silicon.

And that skin deep protection comes at a cost in cycles/time. In a high level app it might not matter, but in low level OS or driver code it might murder performance.
>>
Cloudflare is like blatant 'friends of NSA' too. Remember how they started? LulzSec, while SnitchBu was their 'leader' used them to avoid a mountain of ddos whenever they released a new leak. Miraculously that illegal site was of course never taken down by Cloudflare and this was celebrated as some kind of progressive amazing thing when in reality it's because the feds/NSA told CF not to take the site down it was too much of an intel asset.

Then later, CF gets in shit again protecting all those booter script sites and hackforums users, plus credit card fraud sites. Miraculously again they aren't demanded to be taken down because they are intel ops in progress.

>>59091603
It is impossible to write a large project, not a hobby program, in C without there being an assload of bugs. We're talking teams of developers working on something, not one or two guys. If it wasn't hard then Microsoft would have no vulns because they've spent 10 years now hardening their code with line by line audits, fuzzing, and formal verification of all their drivers and many of the kernel internals but STILL.. we have an assload of bugs everyday from MS.

You can't argue they have shitty C programmers either because they pay like $200-300k a year for top security auditors and experienced C devs to maintain MS. Hell even OpenBSD has bugs, when NCCgroup fuzzed their kernel and found 6 critical ones.
>>
Can someone explain this to a retard? So some websites got fucked because of "bug" and now people need to change their passwords to secure their CP and it also might be too late?
>>
>>59091531
can't seem to be able to change my Digital Ocean password.
>>
>>59091570
(This is a simplification. Expect pointless pedantry below.)

C makes no clear distinction between chunks of memory used to store information used by a program, and chunks of memory containing the code of the program itself. Moreover, C requires the programmer to keep very careful track of how they use memory, which is a notoriously error-prone process; if you screw that part up, you can accidentally write to pieces of memory other than you intended.

The combination of these two properties means that if you fuck up the memory use bookkeeping, your program might accidentally not just screw up the information stored by the program, but also *the code of the program*. If an attacker can manipulate your fuckup, they can replace the code of your program by something else entirely, have your program execute that, and thereby have the compromised program run whatever software the attacker wants.

Careless code that an attacker might manipulate into doing unpleasant things is a risk that exists in all programming languages. But in C in particular, (1) there is a particular class of manual tricky bookkeeping work that is easy to mess up, and (2) if an attacker does manage to compromise a security problem like that, they can often exploit this to have the compromised computer *do arbitrary things* by having it run code supplied by the attacker. This greatly increases the amount of harm an attacker can easily do with many attacks against C programs.
>>
where can i find these passwords
>>
File: 1408864441550.jpg (12KB, 283x381px)
>>59091531
>4chan.org
>password
Good riddance.
>>
>>59091687
Windows is not written in C though, maybe drivers are.
>>
Does Cloudflare use Cloudflare?

If not I think I'm good.
>>
>>59091706
Everything between your computer and a website that uses cloudflare (everything but Facebook/Google/Amazon) has been leaking through random webpages that people can store
So someone who noticed this years ago has been storing your shit, including literally everything, from passwords to chats or your shitty porn
LITERALLY EVERYTHING
And the leaked shit won't disappear anytime soon, now that everyone knows about it everyone's rushing to collect the stuff, and some people are saying that it will take upwards of 2 years for shit to disappear
>>59091736
Look around caches of anything
>>59091757
The NT kernel is written in C, along with a metric shitton of code dating back to Win9x days
Most of Windows is C++ though
Driver bugs usually aren't considered MS bugs, since pretty much most of them are third party crap
>>
>>59089672
That just shifts the problem down one level... it would make it harder for an attacker but the fundamental problem is the same.
>>
>>59089182
>all your 4chan posts are potentially sitting around the internet now with your IP address attached
Why the fuck do people say this shit?

Not everybody has a single static IP address for life. Differing ISP's or area give Dynamic IP addresses via DHCP leases which get rotated on a schedule and/or upon reboot of the router. Because these IP's get rotated, what gets posted on 4chan by one particular IP is the of the same person one week from now when it gets rotated to another person.

There'd be no way to determine who's who unless you dumped a fuckload of resources in reverse forensics matching IP addresses to MAC addresses and post correlation and all sorts of nonsense, not to mention this would have to be done in a timely manner as logs are generated fast and are fucking big and, depending on the ISP, get deleted every few months.
>>
>>59091791
> what gets posted on 4chan by one particular IP is the of the same person one week from now when it gets rotated to another person.

***NOT of the same person
>>
>>59089658
>Not having a burner email for all the stupid forums you need to log in to download the obscure patch for your obscure problem from or even to fucking search them
>>
g.e-hentai is dead, is it because of Cloudfire? pls don't tell me it used cloudfire
>>
>>59091791
>trusting your nigger ISP to not leak logs of who has been assigned a certain IP at a certain time
Most ISP's would give out who was assigned a certain IP at a certain time to anyone with a cause that's barely breaching into the illegal, we know how Mad Thad ended up with his loli porn
>>
>>59091727
>C makes no clear distinction between chunks of memory used to store information used by a program, and chunks of memory containing the code of the program itself.
that is not up to C, it's up to the loader/kernel, and it's not true of any modern one
>>
>>59091687
>It is impossible to write a large project, not a hobby program, in C without there being an assload of bugs.

Do you have any experience coding?

It is impossible to write a large project in ANY language without there being an assload of bugs. And in any given project most of the bugs come from a handful of people who shouldn't be coding in the first place.

>If it wasn't hard then Microsoft would have no vulns because they've spent 10 years now hardening their code with line by line audits, fuzzing, and formal verification of all their drivers and many of the kernel internals but STILL.. we have an assload of bugs everyday from MS.

UNIX and Linux are C/C++ and macOS/iOS are C/C++/objC and they don't have a fraction of the vulnerabilities that Windows has. Why? Because they all derive from UNIX and somebody thought about security in the early days of UNIX, and they never stopped thinking about it.

>You can't argue they have shitty C programmers either

No, they have a shitty legacy. Some of their architecture and API decisions were just pants on head retarded from a security perspective, but to change them now would break countless shipping applications.

Exhibit A: the registry
Exhibit B: DLLs

>because they pay like $200-300k a year for top security auditors and experience C devs to maintain MS.

They also pay pajeets by the boatload. Windows is spaghetti code and Windows development is a fucking mess.

>Hell even OpenBSD has bugs,

The US space shuttle flight control software still had bugs the day the shuttles were retired. There is no such thing as bug free code. And high level languages are not going to save us from security holes.

Christ, the biggest recent security news is NOT Cloudbleed. It's research that ASLR can be defeated by timing code execution and determining what's in the caches, and that can be done from FUCKING JAVASCRIPT.
>>
>>59091757
The core problem however is a simple Ctrl-C/Ctrl-V bug. Copy and pasting old code to a new library is the cause of countless problems.

If CF had actually rewritten that and looked at the library they could have possibly reasoned that 'hey, this thing could generate code which can lead to a pointer leaking memory'
>>
File: tmp_6682-1487824699173200355951.jpg (44KB, 640x539px)
>>59091071
>Hentai@Home
>Distributed porn hosting
I can't decide if I'm more amused or impressed, both are present in large quantity
>>
>>59091810
>we know how Mad Thad ended up with his loli porn
Well...Mad Thad was a particularly special case. He literally flaunted and bragged about his CP shit publicly on social media. He was basically shameless. And yes, you're right in that you can't entirely trust your ISP to not be leaking that stuff out, but it's unlikely if you know just how much utter traffic goes through an ISP even in a single day. The logs generated would have to be unfathomably enormous. I'm certain there's nobody sitting down perusing through those logs at their leisure. The logs are captured and stored for a long time and then merely parsed when a request comes up. That's what I would assume. And even still, there's a lot of other facts to come into play as well, like cross checking as I mentioned already.
>>
>>59091779
>some people are saying that it will take upwards of 2 years for shit to disappear
Disappear how? Where did this two years come from?
>>
>>59091809
No, they don't use cloudflare
They have their own servers worldwide, but most traffic is served by people who donate their bandwidth/servers through Hentai@Home
They can serve up to 64 GB/s according to their stats page, the average load is about 4 GB/s though
Someone already posted about it here
Horriblesubs does use Cloudflare though, some private trackers do as well
>>
>>59091817
>ASLR/timing code execution

DJ Bernstein already discovered that years ago, it's all in his writeup for ChaCha when he did timing attacks on high speed crypto and put in safeguards to prevent such attacks, detailing each one. You can look at those and still use many of the timing attacks
>>
holy fuck, everyone is fucked
>>
>>59091849
Google's project 0 blog.

Literally half the internet is running a cache to cache the other half. So data from Cloudbleed was sprayed all over these caches and who knows how long until they delete their cache, probably a few years (except NSA, never delete).
>>
>>59091622
No, I was actually open minded. But the only explanations I got why C 'is so incredibly bad because muuh security' are all bullshit.

I despise people who blame others for their own incompetence.
>>
How fucked is 4chan?
>>
>>59091894
Except if Cloudjew had written their html parser in say, Erlang, this wouldn't be a problem. And speed isn't an issue, considering RabbitMQ, which requires serious speed, is written in Erlang and not C either.
>>
File: 1486847662405.jpg (111KB, 560x740px)
>nyaa.se
They got anime too
>>
>>59091877
And why does half the Internet cache the other half?

* Because HTML is insanely verbose.
* Because hip, trendy web pages link dozens of js libraries.
* Because those js libraries are poorly written and take up more space than some GUI OSes.
* Ad networks.

Companies will pay hundreds of developers to make sure my smartphone warms my hand while they rotate in ads on popups, slide outs, slide downs, slide ups, etc...but they won't do fuck all about security.

>i hate the world
>>
>>59090112
>>batoto
Yes

Not like I'd care much if either of those 3 got hacked
>>
What are some popular sites that use cloudflare that are commonly logged into? Trying to figure out if this affects us robots
>>
>>59091939
Hopefully someone can take Herkz's login from him.
>>
>>59088816
Thanks CIA dude
>>
>>59091956
Yelp, Reddit, every chan, Discord chat, every forum you've ever seen, most bitcoin sites, most financial trading sites (not banks, they actually pay for real DDoS and have in house protections), every porn site, every gambling site, etc.
>>
is this the end of cloudflare?
>>
>>59092016
>big internet service has bigger problem happen
>will people learn?
they never did before
>>
>>59092005
You don't log into 4corn
Robots don't use ribbit or log into yelp

But what kind of forums? Even Emuparadise and other ddl piracy forums? If so, shieeet
>>
>>59092016
Maybe, but just look at yahoo. 1 billion accounts compromised and they are still hanging on.
>>
>>59091922
>"Except if Cloudjew had written their html parser in say, Erlang, this wouldn't be a problem."

The following is from literally the FIRST search result in Google for the phrase "erlang string handling":

>"Don’t use Erlang when another tool solves the job in a way better and way faster way."
>"A rough estimate is that C code is 20-50 times faster for tight computational kernels."
>"The Erlang string type is implemented as a single-linked-list of unicode code points."
>"The overhead of this representation is massive."
>"Each Cons-cell use 8 bytes for the code point and 8 bytes for the pointer to the next value."
>"This means that the 5-byte ASCII-representation of “Hello” is 5*16 = 80 bytes in the Erlang representation."
>"There are a lot of disadvantages of this representation."
>"It results in memory blowup, more cache misses, more data bandwidth use, and so on."

This is why I don't respect those who say "ban C." They have no fucking idea what's going on under the hood in their high level meme language. Nor what it means for performance OR security when it comes to a specific task. All they can do is spout memes.

You do not write a fucking server side HTML parser using fucking Erlang. Or Python. Or Haskell. Or whatever other meme you have in mind.
>>
Where would you find leaked discord chats?
>>
>>59092064
Not to mention that interpreted language html parsers are basically injection bait
>>
Heads will roll, right, guys? People will finally learn, right?
>>
>>59088477
>they're doing MITM on every site they host
this though, this is what cloudflare is

you should block their ip blocks and name in your hosts file
>>
Class action lawsuit anyone?
>>
so what should you do to avoid a ddos?
>>
>>59091169
can someone confirm if this is safe?
>>
>>59092218
Screw the surface web. Use i2p.
>>
so how can i read someones reddit pms? :)
>>
Someone in LA was browsing /mu/.
GET /mu/threads.json HTTP/1.1
CF-RAY: 3313bdb98a9854f8
FL-Server: 14f85
Host: a.4cdn.org
X-Real-IP: 173.241.124.70
Accept-Encoding: gzip
Client-Accept-Encoding: gzip, deflate, sdch, br
X-Forwarded-Proto: https
Connect-Via-Https: on
Connect-Via-Port: 443
Connect-Via-IP: 104.16.61.249
Connect-Via-Host: a.4cdn.org
CF-Visitor: {"scheme":"https"}
CF-Host-Origin-IP: 98.143.146.60
Zone-ID: 5078914
Owner-ID: 130360
CF-Int-Brand-ID: 100
Zone-Name: 4cdn.org
Connection: Keep-Alive
X-SSL-Protocol: TLSv1.2
X-SSL-Cipher: ECDHE-ECDSA-AES128-GCM-SHA256
X-SSL-Server-Name: a.4cdn.org
X-SSL-Session-Reused: .
X-SSL-Server-IP: 104.16.61.249
X-SSL-Connection-ID: 664a0c1bc4edda0f-ORD
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36
Origin: https://boards.4chan.org
Accept: */*
Referer: https://boards.4chan.org/
Accept-Language: en-US,en;q=0.8
If-None-Match: "58a37b23-458"
If-Modified-Since: Tue, 14 Feb 2017 21:48:19 GMT
CF-Use-OB: 0
Set-Expires-TTL: 691200
CF-Cache-Max-File-Size: 512m
Set-SSL-Name: a.4cdn.org
CF-Cache-Level: agg
CF-Unbuffered-Upload: 0
Set-SSL-Client-Cert: 0
Set-Limit-Conn-Cache-Host: 50000
CF-WAN-RG5: 0
CF-Brand-Name: cloudflare
CF-Age-Header-Enabled: 0
CF-Respect-Strong-Etag: 0
Set-Proxy-Read-Timeout: 100
Set-Proxy-Send-Timeout: 30
CF-Connecting-IP: 173.241.124.70
Set-Proxy-Connect-Timeout: 90
Set-Cache-Bypass: 0
Set-SSL-Verify: 0
CF-Force-Miss-TS: 0
Set-Buffering: 0
CF-Pref-OB: 1
Set-Keepalive: 1
CF-Pref-Geoloc: 0
CF-Use-BYC: 0
CF-IPCountry: US
CF-IPType: NR

Timeout: 100
Set-Proxy-Send-Timeout: 30
CF-Connecting-IP: 2607:fcc8:b614:2800:d992:107f:f9b5:5ed1
Set-Proxy-Connect-Timeout: 90
Set-Cache-Bypass: 0
Set-SSL-Verify: 0
CF-Force-Miss-TS: 0
Set-Buffering: 0
CF-Pref-OB: 1
Set-Keepalive: 1
CF-Pref-Geoloc: 1
CF-Use-BYC: 0
cfgetx-imgq: 100
CF-IPCountry: US
CF-IPType: NR
>>
Wait. Guise.

Reddit.

We can take it from the SJWs now, right?
>>
>>59092305
How did you get that information?
>inb4 someone gets the /j/ login and shitposts
>>
>>59092305
fuck
>>
File: 1487837621454.jpg (331KB, 517x768px)
>>59091208
Normies getting what they deserve
>>
>>59092061
>Yahoo
Hanging on like a hanged man, maybe. Yahoo is only slightly less dead than, say, Theranos
>>
>>59092305
HURRY THE FUCK UP AND FIND /j/ AND MOD LOGINS TO FUCK SHIT UP HOLY SHIT
>>
File: 1487616284671.jpg (104KB, 799x590px)
>>59091842
>tfw a fucking hentai site has better infrastructure than most professional companies sites
>>
someone do something!
>>
Apparently the buggy code was generated by Ragel, an FSM/parser generator - I wonder if the bug was in Ragel or the FSM or if someone fucked with it by hand later, because shouldn't those things be pretty much formally verifiable?
>>
>>59092506
>someone do something
>>
>>59092529
well?
>>
File: 1487527343642.gif (862KB, 400x400px)
>>59092441
>ywn find the administrator control panel password only accessible by the sp00ky 4chan cabal and Hiroyuki and directly download a tarball of the 4chan source code and then proceed by sticking a thread with a download to the source code on /g/

It's a fun fantasy
a deep dark fantasy
>>
>>59092506
>>
>>59092506
okay give me a few minutes and I'll fix it all myself
>>
File: 1475427208689.gif (875KB, 250x231px)
>>59092542
>>
>>59092554
Hurry up!!
>>
So, is this related to the deletion of images from stickies and many other threads?
>>
BURN EVERYTHING NOTHING IS SAFE
>>
Didn't South Park predict this? Every troll being exposed and shit?

Praise Kek, shadilay.
>>
>>59092601
/pol/ would like you to believe that was aliens.
>>
>>59092601
>Deletion of images from stickies
Seems odd that they would do that. My concern as a janitor or moderator would be my authorization token, although I'm sure those are all long expired.

How do you even auth as a mod/janitor on 4chan?
sys.4chan.org/auth is for passes...

I'm sure that it's on sys.4chan.org, unless they have it managed using some autistic IRC authentication system
>>
>>59091208
> People have already traced Uber locations to strip bars and brothels...

that is just bullshit
>>
File: IMG_1489.png (1MB, 1280x720px)
Summer Wars when?
>>
>>59092601
No, that's just gook messing with the image server
>>
>>59092005
reddit is not on cf. check the nameservers.
>>
>>59092634
>Every troll
oh come on you know they won't be outing jidf, the ctr shills, corporate astroturf, government shilling partners, etc

if somebody releases dox it'll target those people who weren't With Her
>>
>>59092700
As long as the data contained coords it could easily be found
Since Uber does collect all data then it could turn up in this leak
>>
>>59092738
https://github.com/pirate/sites-using-cloudflare
>>
>CloudBleed
couldn't they do something with rain?
>>
>>59092765
check. the. nameservers.

> dig reddit.com NS +short
> ns-1029.awsdns-00.org.
> ns-1887.awsdns-43.co.uk.
> ns-378.awsdns-47.com.
> ns-557.awsdns-05.net.
>>
File: j2Av7r6.jpg (581KB, 1280x966px)
>>59092779
It's just like naming all scandals something-gate
I hope to god all major exploits like this in the future aren't named something-bleed
>>
>>59092754
> As long as the data contained...

yup. still bullshit.
>>
>leaked data includes
>unencrypted usernames, passwords, credit card info and security question
holy FUCK
>>
>>59088232
do my posts show up too?
i want to see all of /pol/ jizzed all over tumblr. again.
>>
So where do I see this supposed leaked data?
>>
>>59090693
>>59091629

Relevant:
https://github.com/pirate/sites-using-cloudflare/issues/19

>>59091313

By the looks of things, Cloudflare uses a mix of C, C++, and Go, and has been using Go more and more heavily over these past few years.
>>
So apparently, my credit card might be at risk due to this cloudflare shit

I just got a 2 dollar charge on the other side of the country
>>
>>59090955
Why are they doing this? Why don't they do their business in the woods? What if one has diarrhea?
>>
>>59092833
For a while you could actually use Google's page caching system to look at it but they have started removing the results
>>
>tfw don't even fucking know if any of my important data was compromised
>>
My reddit acc has already been compromised
>>
>>59092858
They don't have toilets
There are no woods
They always have diarrhea
>>
>>59092833
You can't. Google scrubbed their caches and anything they missed has expired by now.
>>
>>59091275
> among the top 10 economies of the world, in one of the most important subcontinents in the world

Anon, no one gives a shit about south america as long as we get oil from sandpeople.
>>
>>59092833
Find obscure search engines like DuckDuckGo, there's still some stuff on them, but yeah it's mostly all gone.
>>
>>59092843
https://youtu.be/YgHNtzxO0y8
>>
>>59092875
>>59092789 probably because you have a shitty password. because rabbit isn't proxied through cf.
>>
>>59092811
I can't wait for gatebleed. Or bleedgate.
>>
>>59092833
There are some sites around that saved all the data but hacking is illegal so
>>
>>59091810
>>59091843
Did he have actual CP or was it just 2d shit?
>>
>>59092918
give us a clue
>>
>>59092920
Both, I believe.
>>
>>59090072
if someone can't do pointers right they shouldn't code in any language
>>
>>59092920
Yes, it wasn't even well hidden. Or hidden at all really. Just a folder named "dontclick" IIRC.
>>
Also, 4chan was involved with this Cloudbleed.

Posts with IPs and general data from the user were leaked at points, and if you had a 4chan pass I can guarantee you that your Pass Token and PIN were released unencrypted
>>
I have hundreds of sites in my passwords manager but no time to change them what do i do
>>
>>59092952
Don't forget tripfags passwords
>>
wheels uses cloudflare topkek
>>
File: 1487397325964.jpg (30KB, 310x440px)
>>59092971
sit back and watch the world burn
>>
>>59092983
the world or my world?
>>
>>59092843
>Go
google botnet
>>
>>59092979
Do you mean hotwheels? He doesn't even run it anymore. It's all run by (((Jim)))
>>
literally don't give a fuck
my bank or email provider don't use it
>>
>>59092979
hiro also uses cloudflare
>>
>>59092789
Enterprise customers can use BGP routing
>>
>>59092990
Yes
>>
>>59092994
>>59093000
so are there any chans that don't use (((captcha))) and (((cloudflare))) left?
>>
>>59093019
lainchan
endchan
>>
>>59092951
>HOLY FUCK! I went to the liberby today to sed some resamays out and left my usb drive pluged in a computer with all my cp, my resamay along with my name and address on it for about 30 mins. I can only thank kami-sama that nobody looked through it.
MCMICHAEL claimed this post was a joke.
>>
>>59093031
lets all love lain!
>>
>>59093031
endchan uses cloudflare according to the list
>>
>>59093031
oppositeofslavechan?
>>
>>59093046
Well fuck
>>
>>59092994
What happened to him?
>>
I warned you about nsaflare months ago (check the /g/ archives if you don't believe me). I was ridiculed then but I'm the one laffing now.
>>
>>59093078
akamai is also a botnet
>>
>>59089217
Whatever Google is paying Tavis, it's not enough.
>>
>>59090955
> dat squat depth
>>
Reminder that usernames and passwords are being passed through UNENCRYPTED
>>
>>59093031
Endchan is run by the same people as infinity, and shares the userbase
The difference is that Endchan runs different software which was somewhat better but still in beta
So yeah, it's run like infinity so it runs Cloudflare as well
>>59093075
He sold the site to Jim "pig farm" Watkins because it was a money pit, he nowadays codes on random projects and sometimes for infinity, he gets paid for this work
>>
0.0000003%
LITERALLY NOTHING
>>
>>59093075
Jim started paying for the hosting and wheels eventually handed control of the site over to him
eightchan is now just a censorship filled cesspool because Jim does not respect anything it stood for in the first place
>>
>>59092516
Bug was in Ragel. They cut and pasted the HTML parser from Ragel into a new library, which is how almost every single bug has ever propagated throughout time: pasting it into newer libraries without rewriting by hand where you would discover the obvious error.

This just means Google Compute Engine/Cloud will get a lot more customers as everybody flees AWS which doesn't offer DDoS protection and shills cloudflare as a solution (well, doesn't offer it unless you pay huge amounts of money for elastic)
>>
>>59093101
On 5% of all http traffic lol.
>>
>>59093101
you understand that 0.0000003% is still TRILLIONS UPON TRILLIONS OF PASSWORDS
>>
>>59093078
Everyone knows that it's botnet.

They still have the best CDN, peering network and DDoS protection.
>>
copyright.gov uses cloudflare
>>
>>59093128
>They still have the best CDN, peering network and DDoS protection.
The only reason they do is because NSA won't DDoS you if you use Cloudflare
They however will DDoS any rival providers
>>
File: JUST.png (43KB, 224x225px)
>humblebundle uses cloudflare

T-Thanks for ruining humblebundle, guess I don't need civ 4 anyways
>>
>>59093133
That's dumb, any US based company will have been given an NSL.
If anything NSA is butthurt that cloudflare had a public leak.
>>
>>59093121
>TRILLIONS UPON TRILLIONS
But there's only 7.5 billion people. Even if each have 100 passwords compromised, it's still only 750 billion passwords. In reality, it's far less, both for individual entities compromised and for parsable data.
>>
Has someone found swaglords login cmon
>>
File: 1466729511509.png (74KB, 400x400px)
>right now chink cyber warriors and vatnik bit bandits are looking through your shit
>>
>>59092903
>bleedgate
Sounds like some transsexual SJW shit.
>>
>>59091108
Not true in Mexico
>>
clouds don't bleed, they precipitate
>>
>GELBOORU

ITS OVER, BOYS.
>>
Looks like 1password took lots of extra measures to protect itself in scenarios like this

Which is a very good thing since they advertise shit like HIPAA compliance

https://blog.agilebits.com/2017/02/23/three-layers-of-encryption-keeps-you-safe-when-ssltls-fails/
>>
>>59093248
>1password
But why would anyone use this proprietary tripe?
>>
>>59093261
cuz old people can't remember shit and for doctors at least you need password rotation on all your devices every 60 days by law
>>
>>59093237
My greatest fear.

Hope no one bothers tracking my fucked up erotic tastes back to me.
>>
>twitter
is this one on the affected sites?
>>
>>59093282
I fucking hope so
>>
>>59093279
did you know there's a gelbooru app on the Xbone store?
>>
>>59093261
It's the only mgr that's survived vetting by cryptographers, and their design docs are all open and sane. Lastpass and Keepass have all failed multiple times, and nobody can figure out shitty KeePassX UI so hence 1password makes all the money
>>
File: 1482796506100.jpg (170KB, 600x600px)
>>59093289
but why tho
>>
>>59093237
Does e621 use cloudflare?
Asking for a friend :^)
>>
>>59093133
If the gubmint wanted you they'd plant a backdoor or hax the server with a zeroday. DoS is too much work and can be traced back more easily.

>>59093282
You can pretty much assume that top 20 sites are safe as they have their own network.
>>
File: 1339730756925.gif (1MB, 480x480px)
>>59093302
that is an excellent question
>>
>>59093308
According to that github list everyone here is linking, yes.
>>
>>59093309
>If the gubmint wanted you they'd plant a backdoor or hax the server with a zeroday. DoS is too much work and can be traced back more easily.
It's not about wanting you, it's about MITM'ing everyone and making it the norm
The rising usage of SSL was one of the biggest threats to their dragnet surveillance back in 2009 according to the Snowden leaks, this is a perfect way to counter it
>>
will this harm MITM or will Cloudflare and triple letter spin damage control it?
>>
Can a non retard explain to me what is being leaked?

People are saying everything on my PC has been leaked but I don't understand when cloudflare is based on websites.
>>
>>59093377
Ids doo lade. You didng listen.
>>
>>59093377
Your entire hard drive is being cached on google as we speak.
>>
>>59093377
Lol nice movies faggot
>>
>>59093398
But my connection is too slow to upload TBs of data in a timely manner.
>>
>>59092305
now. how to recreate this shit.
>n00bie
>>
>>59093427
have you ever wondered why it was too slow??? hmmm????
>>
>>59089721
You could hash the password in the browser and store that like you would store a password in plain-text.
>>
>>59093308
It is. You can check it via TOR.
>>
Does anyone use password managers and which would you recommend?
>>
>>59093526
keepass
don't use online shit
>>
>>59093526
>using password managers
Don't.
>>
>>59093377
Whatever data you sent/received from websites that use Cloudflare.
That includes data sent implicitly such as user agent and IP address.

>>59093474
It's pointless. It's impossible to implement a strong hashing algorithm in Javascript (since it's client side) that performs in a reasonable amount of time. And if you use shitty algorithms like md5 the attacker would still be able to reverse the hash and obtain the original plaintext.
>>
>>59093545
Thanks.

>>59093545
Why? It's too hard for me to remember different and good passwords for all these memecord and other shit websites that might get "hacked".
>>
>>59093474
The problem is salts: you do not know how they store the pws or generate them. So you need to let the website handle the magic.
>>
>>59093602
Protip: think of a word or a phrase that's easy to remember, append some numbers, copy and paste the whole thing three times, maybe append the name of the website at the end in case multiple sites use the same hashing scheme. Now you only have to memorize simple word-number combinations and have strong passwords. Also a unique pw for every site is overkill, maybe have 1 password for less sensitive sites like forums and unique pws for banking, email, etc.

Unless someone is targeting you specifically, you will be safe from mass database leaks and bruteforcing / combolists.
>>
>>59093743
And why should anyone remember hundreds of different ones like that (just implying, not that anyone would remember) and not use a password manager?
>>
>>59093743
>>59093790
Just write them down on paper.
Can't be sneakily stolen or cracked, and if some crack head burgles you, just change your passwords.
>>
>>59093790
Because things like OP happen. The safest place to store any information is your brain.

And read where I said using a unique pw for every site is overkill.
>>
>>59093827
>>59093829
We're talking about offline passwords like KeePass, not online retardness. You can continue having non-usable and unsafe solutions like having to write passwords from paper or (not being able to) remember many passwords but it's OK, you can act like a retard, won't judge.
>>
>>59093848
>We're talking about offline passwords like KeePass
Thanks for making it easier to compromise all your passwords using just one attack point.
>>
>>59093848
How is paper less safe than KeePass?
>can't be backdoored
>can't be stolen without immediately knowing
>>
what is the probability of this seriously effecting any given individual?
similar to being struck by lightning?
>>
>>59093879
If your computer is compromised to have access to keepass memory anything you use to store passwords can steal them.
All that in case you are so retarded to have your PC pwned.

>>59093895
It's non-usable, you can't practically type random passwords from paper each time you want to log in somewhere.
>>
>>59093915
>store passwords
No
>>
>>59093915
>copying <30 characters from paper is difficult
okay retard
>>
>>59093923
EVERY FUCKING TIME you want to log in you will have to type out 30 fucking character passwords. IT'S RETARDED.
>>
>>59093937
How often do you login, bud?
>>
>>59093937
Why are you relogging that much?
>>
>>59093949
>>59093958
So you are THIS retarded to remain logged in.
>>
>>59090955
Why are they all doing this together? Is this some fucking bonding ritual for them?
>>
>>59093964
What is wrong with staying logged in for a single session?
I don't normally log out/log in more than a couple times a day.
>>
>>59093848
>too brainlet to memorize simple phrases
>calls others retards
ok.

You said unusable but how is an offline password manager that will presumably only work in one computer more convenient? You're not going to sync with dropbox like a hypocrite are you?

Also unless you reviewed every line of code and compiled yourself, things like
https://en.wikipedia.org/wiki/Transmission_(BitTorrent_client)#Website_breach
can happen.
>>
>>59093964
Why would that matter, bud?
Didn't you just say
>All that in case you are so retarded to have your PC pwned.
?
It's the only time that will matter.
>>
>>59093526
I use an old PDA without any networking.
>>
>>59093981
>You're not going to sync with dropbox like a hypocrite are you
No I'm not, I'm copying it to my phone when I update it manually, I'm not retarded to open my password manager on unknown security terminals.

>>59093981
>Also unless you reviewed every line of code and compiled yourself
Same applies to all open source software, if that was valid then most of the web would be not secure.

>>59093983
It's a safe practice. When I want to login I use my password manager, I'm not some autist typing passwords from paper.
>>
>>59094056
It's a matter of convenience, not safety, retard.
>>
>People won't stop using Cloudflare even after this
>>
>>59094105
>people won't stop using OpenSSL even after this
>>
>>59094056
>I'm copying it to my phone when I update it manually
1. that's more inconvenient than memorizing some phrases + a simple algorithm
2. what if your phone gets stolen? your HD crashes? their update fucks up and corrupts the DB?
you're only introducing an unnecessary attack vector / point of failure

>>59094115
>2017
>not using libressl
>>
>>59094129
1. inconvenient to copy 1 file than to remember many passwords. Do you have autism newfriend?
2. database is encrypted with the latest encryption
http://keepass.info/help/kb/kdbx_4.html
even if it is publicly posted I'm not afraid (of course I have a good master password)
You copy the 1 mere MB file to all your HDDs and your phone, that mitigates all that
>>
paper > encryption
at least for average neet/wage cuck
>>
>>59094152
>inconvenient to copy 1 file than to remember many passwords

said like a true brainlet
and being unable to login from a friend's phone in emergency because you don't have the database would seem more autismal t b.h
>>
>>59094197
People with a brain use it for useful things, not to remember random phrases like a down syndromer.

>entering password on unsafe terminals
why don't you post your passwords here on 4chan publicly
>>
>>59094213
>People with a brain use it for useful things, not to remember random phrase like a down syndromer.
You should add something like "people use 5% of their brain power" to cement your retardation.
>>
>>59094213
>people with a brain
jokes on you, I go to a top 10 school for EECS :^)

>friend's phone
>unsafe terminals
your autism is showing.
>>
So what did we learn about this?
Do not use a language that compiles to C.
Do not use a language that doesn't guarantee some very basic memory safety mechanisms.
Cloudflare is transparent about its security but really tries to downplay the actual consequences of their fuck up (muh 0.00003% of requests but let's not mention how many requests we serve every second).
Use fuzzing to test your shit BEFORE deploying into prod.
C fags are still delusional.
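Added example, not code from Cloudflare, Ragel or anyone in this thread; it ties the Ragel question raised earlier to the fuzzing point in the post above. Cloudflare's published incident report traced the overrun to the Ragel-generated C testing for end-of-buffer with == rather than >=, so a cursor that moved several bytes in one action could jump past the end and keep reading adjacent heap. The scanner, the buffer contents and the fuzzer below are all constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed demo, not Cloudflare's or Ragel's code. A toy scanner in the
 * shape of Ragel-generated C: the cursor p walks the input [0, pe). One
 * action advances p by several bytes at once (here: skipping the 7 bytes of
 * "<script" whenever it sees '<'), which is enough for p to jump past pe.
 * The generated end-of-input test is then either the faulty "p == pe" or the
 * robust "p >= pe".
 *
 * To keep the demo itself memory-safe, the caller passes a backing buffer of
 * `cap` bytes of which only the first `len` are real input. Bytes at index
 * >= len stand for whatever the allocator placed next to the request (in the
 * real incident: other customers' HTTP traffic). Reads of such bytes are
 * counted and returned instead of being silently leaked. */
#define TAG_SKIP 7   /* strlen("<script") */
#define CAP 64       /* size of the constructed backing buffer */

static size_t scan_overread(const unsigned char *buf, size_t len, size_t cap,
                            bool fixed_check)
{
    size_t p = 0, pe = len, overread = 0;
    if (len == 0 || len > cap) return 0;
    for (;;) {
        if (p >= pe) overread++;               /* byte lies beyond the real input */
        if (buf[p] == '<') p += TAG_SKIP;      /* multi-byte step, like a Ragel action */
        else               p += 1;
        if (fixed_check ? (p >= pe) : (p == pe)) break;   /* generated eof test */
        if (p >= cap) break;                   /* demo-only guard; real code reads on */
    }
    return overread;
}

/* Place `request` at the start of a CAP-byte backing buffer whose tail is
 * filled with 'X' (constructed stand-in for a neighbour's data) and return
 * how many of those neighbour bytes the chosen scanner variant read. */
static size_t leaked_bytes(const char *request, bool fixed_check)
{
    unsigned char backing[CAP];
    size_t len = strlen(request);
    if (len > CAP) len = CAP;
    memset(backing, 'X', sizeof backing);
    memcpy(backing, request, len);
    return scan_overread(backing, len, CAP, fixed_check);
}

/* Minimal deterministic fuzzer (xorshift PRNG, no libc rand): feeds random
 * inputs over a small alphabet to both variants and reports how many inputs
 * made each one read neighbour bytes. Well-formed input such as "<script>"
 * never triggers the bug; truncated input with a '<' near the end does. */
typedef struct { unsigned buggy_hits, fixed_hits; } fuzz_report;

static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13; x ^= x >> 17; x ^= x << 5;
    return *s = x;
}

static fuzz_report fuzz(uint32_t seed, unsigned iterations)
{
    static const char alphabet[] = "ab<> =\"";
    fuzz_report r = {0, 0};
    char input[CAP + 1];
    if (seed == 0) seed = 1;                    /* xorshift must not start at 0 */
    for (unsigned i = 0; i < iterations; i++) {
        size_t len = 1 + xorshift32(&seed) % 24;
        for (size_t k = 0; k < len; k++)
            input[k] = alphabet[xorshift32(&seed) % (sizeof alphabet - 1)];
        input[len] = '\0';
        if (leaked_bytes(input, false) > 0) r.buggy_hits++;
        if (leaked_bytes(input, true)  > 0) r.fixed_hits++;
    }
    return r;
}

int main(void)
{
    fuzz_report r = fuzz(0x9E3779B9u, 2000);
    printf("truncated \"abc<\": == variant read %zu neighbour bytes, >= variant read %zu\n",
           leaked_bytes("abc<", false), leaked_bytes("abc<", true));
    printf("well-formed \"<script>\": == variant read %zu neighbour bytes\n",
           leaked_bytes("<script>", false));
    printf("fuzz: %u/2000 inputs leaked with ==, %u/2000 with >=\n",
           r.buggy_hits, r.fixed_hits);
    return 0;
}
```

The hand-picked well-formed input passes both variants, which is why a test suite of "valid HTML" never caught the == check; the random truncated inputs expose it within a couple of thousand iterations.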
>>
File: 015ff5.png (630KB, 801x809px)
>Between 2016-09-22 - 2017-02-18 passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters.

>The greatest period of impact was from February 13 to February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that's about 0.00003% of requests), potential of 100k-200k pages with private data leaked every day
>>
>>59094418
>Cloudflare is transparent about its security
Only because of Google.
>>
File: 1487910514791.jpg (69KB, 579x329px)
>tfw I only have to change the passwords of 2 porn
>tfw still too lazy
>>
>>59094468
2 porn websites*
>>
>>59089026
>>59088423

1Password isn't affected. https://blog.agilebits.com/2017/02/23/three-layers-of-encryption-keeps-you-safe-when-ssltls-fails/
>>
I don't even know what Cloudflare sites I use.
>>
>>59094493
https://github.com/pirate/sites-using-cloudflare
download the zip and ctrl + f in the txt file
>>
>>59094505
> not using grep

lol
>>
>>59094518
sorry, tired as fuck
>>
>>59094518
>using grep
>>
>>59094531
>not using grep

are you imblying that there's a better way senpai?
>>
File: prjNR6j.gif (3MB, 222x198px)
>>59094614
>>
>>59089463
need mascot that is a cute anime girl covered in blood.
>>
>>59094669
that's a good pupper
>>
File: 1466401956874.jpg (41KB, 590x347px)
>>59088232
>come on anon put your data on the clouds its safe
>>
>>59094879
sadly, working with Incident Response people, we see far more non-cloud sites get haxx0red than cloud hosted.

Usually they're stupid though, with like win2000 servers, so it serves them right~
>>
>>59091071
>>59091842
>>59092457

>Not having H@H running
Come on anons start your servers. There's a hentai currency to win by hosting a H@H server so it's worth it.
>>
>>59094999
I'd rather not get a knock from ASIO.
>>
>>59094999
I uploaded a doujin and got more than I'll ever use.
>>
File: 1360506102828.png (89KB, 489x540px)
>Check to see which of my accounts were on the list
>There's only one
>It's crunchyroll
I got exactly what I deserved and my stupidity deserves to be punished.
>>
File: 137593505136.jpg (14KB, 240x320px)
>>59095214
>streaming
>>
Wasn't The Fappening (nude pics of celeb women) due to iCloud or a similar cloud service?
Don't they ever learn?
>>
oh fuck
This is a 4chan archive - all of the content originated from that site.