|
Fuzzy Mammal posted:nah it was for perf. google had the largest perforce deployment anywhere and the load was eventually too high for a centralized system. china never got in to the high ip sections afaik.
|
#
?
Feb 24, 2017 20:40
|
|
|
|
| # ? May 21, 2024 09:21 |
|
|
zen death robot posted:actually we use the strict https implementation so it's using tls the whole way through as mentioned this doesn't matter at all in this case. the bug dumped data in memory from after it was decrypted for inspection and such. but yeah the option to do the cloudflare to origin half of the connection unencrypted is v stupid. sadly people want it because they want that special green lock to inspire customer trust or some bullshit and use a service that can't get its poo poo together and provide TLS in tyool 2017
|
|
#
?
Feb 24, 2017 21:15
|
|
|
rjmccall posted:i mean, that too he was management. now he is a multi-millionaire and a Vice President at Uber - currently is one of the single greatest threats to labor rights in this country. gently caress him. report all middle management indiscretions to upper management so they can keep busy eating their own.
|
|
#
?
Feb 24, 2017 21:21
|
|
|
Lightbulb Out posted:supermicros security has never been great. their ipmi has been real bad in the past. Supermicro is a shitshow, BUT they are a cheap shitshow.
|
|
#
?
Feb 24, 2017 21:59
|
|
|
zen death robot posted:Yeah I understand it doesn't matter much with this particular bug, and the only thing we used that they said was effected was the HTTPS Rewrites feature, and even then it's unclear if that was straight out effected or had to be mixed with email obtusification which we don't use or *other unnamed things that used the old parser* which I don't know what uses that. that's why I posted the announcement that everyone should change their passwords out of an abundance of caution. Besides I'm sure most ppl have had the same password for like 5 years now and poo poo anyways. From everything I have seen, it doesn't particularly matter whether any given site specifically uses those features. If you use CloudFlare in any way as a SSL proxy, you could end up on the same edge router, which means you could have data in a memory leak: quote:Because Cloudflare operates a large, shared infrastructure an HTTP request to a Cloudflare web site that was vulnerable to this problem could reveal information about an unrelated other Cloudflare site. (my emphasis) If you are served via CloudFlare, your traffic could be involved.
|
|
#
?
Feb 24, 2017 22:01
|
|
|
how about that cloudbleed stuff huh
|
|
#
?
Feb 24, 2017 22:02
|
|
|
ate poo poo on live tv posted:Supermicro is a shitshow, BUT they are a cheap shitshow. i have to support them every day, it's a great time. most of the time they are fine, but i would not be surprised if their security was a poo poo show.
|
|
#
?
Feb 24, 2017 22:04
|
|
|
ate poo poo on live tv posted:Supermicro is a shitshow, BUT they are a cheap shitshow. they oem for a gently caress ton of other people though - like about a billion people trying to get into storage market. i don't know how much firmware development happens by those users of supermicro gear, or if the only change they make is to put a different badge on the front.
|
|
#
?
Feb 24, 2017 22:08
|
|
|
Lightbulb Out posted:i have to support them every day, it's a great time. most of the time they are fine, but i would not be surprised if their security was a poo poo show. The money you save on hardware gets spent in the labor costs for supporting the garbage
|
|
#
?
Feb 24, 2017 22:09
|
|
|
supermicros not bad if youve got an reseller big enough to deal with their support so you dont have to
|
|
#
?
Feb 24, 2017 22:09
|
|
|
zen death robot posted:Yeah Lowtax was thinking we weren't effected and I just said it's impossible to rule it out and it's safer to assume everyone was effected and to tell ppl to change passwords. It's the responsible thing to do. Oh, I agree. In fact, it should be other way around: not warning users would be cause for worry. Related: This is the Google Project Zero bug report: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139 Choice quote by Tavis Ormandy, the guy who found the problem: quote:Cloudflare did finally send me a draft. It contains an excellent postmortem, but severely downplays the risk to customers.
|
|
#
?
Feb 24, 2017 22:10
|
|
|
so how many of you see cloudbleed as buttbleed?
|
|
#
?
Feb 24, 2017 22:10
|
|
|
you could always ask here. no one's pointed at an sa sample so far, but with the search results being trimmed there's no guarantee either way
|
|
#
?
Feb 24, 2017 22:11
|
|
|
ate poo poo on live tv posted:Supermicro is a shitshow, BUT they are a cheap shitshow. supermicro is literally that shopkeeper in oblivion that opens negotiations with, "you don't want the best, you want CHEAP! And I've got cheap!"
|
|
#
?
Feb 24, 2017 22:15
|
|
|
xarph posted:supermicro is literally that shopkeeper in oblivion that opens negotiations with, "you don't want the best, you want CHEAP! And I've got cheap!" 
|
|
#
?
Feb 24, 2017 22:16
|
|
|
spankmeister posted:The money you save on hardware gets spent in the labor costs for supporting the garbage it actually gets spent on ruggedizing the hardware for the Man
|
|
#
?
Feb 24, 2017 22:22
|
|
|
pseudorandom name posted:so how many of you see cloudbleed as buttbleed? Nowhere near many enough
|
|
#
?
Feb 24, 2017 22:27
|
|
|
PCjr sidecar posted:supermicros not bad if youve got an reseller big enough to deal with their support so you dont have to
|
|
#
?
Feb 24, 2017 23:05
|
|
|
Truga posted:technically, git isn't vulnerable to shattered thing because it salts its commits or somesuch and that issue is due to them using git-svn, but it should move off sha1 anyway, today shattered works, in 5 years plain old brute force will tl;dr: quote:Put another way: I doubt the sky is falling for git as a source control management tool. Do we want to migrate to another hash? Yes. quote:since cloudflare terminates https on their end to provide caching services etc, your password would have to exist in plaintext on their server
|
|
#
?
Feb 24, 2017 23:22
|
|
|
wolrah posted:Doing something like digest authentication would avoid this problem, but since most logins over HTTP(S) use HTML password fields rather than HTTP authentication that would require extra work that I'm sure most people just assumed SSL would protect them.
|
|
#
?
Feb 24, 2017 23:46
|
|
|
anthonypants posted:if zdr really wanted to piss people off he'd just invalidate everyone's session that happened to me about 2 weeks ago seemingly for no reason
|
|
#
?
Feb 25, 2017 00:01
|
|
|
wolrah posted:Linus responded with his thoughts here: http://marc.info/?l=git&m=148787047422954 i think this is probably true, but for a very different reason than linus: the chains of trust just aren't that deep in most vc setups. e.g. swift has a canonical repository hosted on github, only trusted committers can put things in that repository at all (not just in the master branch), the repository will reject attempts to add commits with the same hash as an existing commit, there's no particular reason to clone some other fork that might have backdoored commits, etc. also, you can always checksum the actual source tree; even if you've corrupted a commit by finding a pre-image for its hash, and then somehow simultaneously engineered it so that the source tree at that commit checksums the same, that's not a stable property that will continue to hold after an arbitrary chain of follow-up commits. but changing the hash out of an abundance of caution is still a good idea
|
|
#
?
Feb 25, 2017 00:10
|
|
|
anthonypants posted:if zdr really wanted to piss people off he'd just invalidate everyone's session, but getting people to change their passwords should(?) accomplish the same thing this wouldnt be entirely sufficient because the passwords themselves may have been in memory not that i think its really worth forcing a pw reset
|
|
#
?
Feb 25, 2017 00:33
|
|
|
Rufus Ping posted:this wouldnt be entirely sufficient because the passwords themselves may have been in memory
|
|
#
?
Feb 25, 2017 00:38
|
|
|
remember the pants-making GBS threads that came when people were forced to pick good passwords good times
|
|
#
?
Feb 25, 2017 00:42
|
|
|
flakeloaf posted:that happened to me about 2 weeks ago seemingly for no reason The sessions just time out after a really long time, like a year or something?
|
|
#
?
Feb 25, 2017 00:47
|
|
|
flakeloaf posted:remember the pants-making GBS threads that came when people were forced to pick good passwords
|
|
#
?
Feb 25, 2017 00:51
|
|
|
wolrah posted:Doing something like digest authentication would avoid this problem, but since most logins over HTTP(S) use HTML password fields rather than HTTP authentication that would require extra work that I'm sure most people just assumed SSL would protect them. digest auth requires the server to use unsalted md5 for password storage, which is something mtg. ox did anatoliy pltkrvkay posted:but yeah the option to do the cloudflare to origin half of the connection unencrypted is v stupid. sadly people want it because they want that special green lock to inspire customer trust or some bullshit and use a service that can't get its poo poo together and provide TLS in tyool 2017 https to the final user is absolutely valuable, not against a nation-state or crime syndicate, but against rear end in a top hat roommates, rear end in a top hat hackers at Starbucks, other people on the unpassworded in-flight wifi, etc.
|
|
#
?
Feb 25, 2017 02:39
|
|
|
pr0zac posted:lastpass doesn't use cloudflare and even if it did it wouldn't have affected security of their product either How to get a password from Okta: 1. Ask its API (providing credentials) 2. Look at password on the wire It's HTTPS, but it still ain't good. Their browser plugin uses this, though it may be limited to sites that don't support SAML and/or don't have it enabled. Achmed Jones fucked around with this message at 04:14 on Feb 25, 2017 |
|
#
?
Feb 25, 2017 04:07
|
|
|
Cocoa Crispies posted:https to the final user is absolutely valuable, not against a nation-state or crime syndicate, but against rear end in a top hat roommates, rear end in a top hat hackers at Starbucks, other people on the unpassworded in-flight wifi, etc. even nation-states and crime syndicates usually can't attack some foreign trunk isp connecting cloudflare to some amazon datacenter. securing traffic everywhere it crosses the internet is obviously best, because some can and you can't count on it anyway, but still — getting the traffic out of the lovely local network is 100% the most important thing
|
|
#
?
Feb 25, 2017 04:48
|
|
|
rjmccall posted:even nation-states and crime syndicates usually can't attack some foreign trunk isp connecting cloudflare to some amazon datacenter. securing traffic everywhere it crosses the internet is obviously best, because some can and you can't count on it anyway, but still — getting the traffic out of the lovely local network is 100% the most important thing i agree with your conclusion but think getting between cloudflare and aws is probably easier than you suggest as i understand it, cloudflare and amazon do not have a private peering relationship and likely do so at IXPs where they both have presences i don't think there's much standing in the way of a nation state port mirroring that data should they wish to the ixp may even help gag its members from blowing the whistle on it https://www.theregister.co.uk/2017/02/17/linx_snoopers_charger_gagging_order/
|
|
#
?
Feb 25, 2017 05:47
|
|
|
yeah, but is that something an arbitrary nation-state can realistically do, or are we strictly defining "nation-state" as the US/China/Russia and/or some random host nation? because, sure, egypt as a national actor can go ahead and subvert all the isps in their country, but they're not mirroring all the traffic through some router in austria
|
|
#
?
Feb 25, 2017 05:58
|
|
|
not all the time, anyway
|
|
#
?
Feb 25, 2017 07:10
|
|
|
SHA-1 collision has already wrecked WebKit's SVN. By using the PoC PDFs. https://arstechnica.com/security/2017/02/watershed-sha1-collision-just-broke-the-webkit-repository-others-may-follow/ quote:According to the above-linked bug report, the WebKit repository became corrupted late Thursday night when someone wanted to test how the system would handle the PDFs. Almost immediately, the system experienced failures. The errors persisted into Friday and eventually prompted one user to ask, "Is it fixable, or are we just totally hosed? Are we going to need to delete all the SVN history since this commit from the server in order to avoid the hash collision?" Responses indicated that the repository remained at least partially corrupted even after the PDFs were deleted. This message on a WebKit e-mail list showed mirroring systems remained unable to be updated.
|
|
#
?
Feb 25, 2017 07:58
|
|
|
flosofl posted:SHA-1 collision has already wrecked WebKit's SVN. By using the PoC PDFs.
|
|
#
?
Feb 25, 2017 08:51
|
|
|
Doesn't git also use SHA1? 
|
|
#
?
Feb 25, 2017 08:59
|
|
|
we had this conversation on pages 67 & 68 right before buttbleed
|
|
#
?
Feb 25, 2017 09:07
|
|
|
Absurd Alhazred posted:Doesn't git also use SHA1? wolrah posted:Linus responded with his thoughts here: http://marc.info/?l=git&m=148787047422954
|
|
#
?
Feb 25, 2017 09:13
|
|
|
I was thinking of the possibility of repo corruption, not data transfer security.
|
|
#
?
Feb 25, 2017 09:20
|
|
|
|
| # ? May 21, 2024 09:21 |
|
|
did someone say docker??!?! -* runs completely out-of-breath to the thread *- -* collapses from the exertion *- -* dies, and leaves this for loot: *-
|
|
#
?
Feb 25, 2017 10:09
|
|
