Forum - View topic: NEWS: Cloudflare Web Service Error Leaks Website Data, Anime/Manga Companies Respond
Note: this is the discussion thread for this article
Tempest_Wing
Posts: 305
ANN was listed as one of the sites affected by this though.
https://github.com/pirate/sites-using-cloudflare
doubleO7
Posts: 1076
They didn't say they weren't, just that, since they don't do any type of e-commerce, there's really no sensitive information of significance (bank/card numbers, for instance) that could have gotten stolen beyond your password. Unless you use the same password everywhere, hackers have little interest in your ANN account.
Tempest
ANN Publisher
Posts: 10471
Location: Do not message me for support.
That's a list of sites using CloudFlare, not a list of sites that have had data leaked. I also didn't say that no ANN data was leaked; we have no way of being certain of that. I said that we're not concerned because our servers do not hold sensitive information.
SilverTalon01
Posts: 2421
That is what gets people in trouble though. Accounts for less secure websites get hacked, and then that password lets someone else into an account on another site. You'd think everyone would know better by this point in time, but they don't.
unready
Posts: 416
Location: Illinois, USA
I don't know how ANN uses CloudFlare, but login to ANN has been over HTTPS for a little while now.
If CloudFlare is the one providing the HTTPS service to clients, then password data could have been leaked. CloudFlare does provide this service to some customers. If CloudFlare is merely passing HTTPS through to users from the ANN web servers, then the data in login transactions (including password) would not have been cached by CloudFlare. If this is the case, the only thing that could have been leaked by CloudFlare is your browsing history on ANN, which would mostly be forum posts, since that's probably the only thing that would push buffer limits, which is what triggered the CloudFlare bug.
Zalis116
Moderator
Posts: 6903
Location: Kazune City
|||
Seems like nothing's safe or reliable in this increasingly mad world anymore. What're we supposed to do, keep a password database in a text file or something? No wait, hackers will access your hard drive and steal the document, if keyloggers don't detect you typing everything in first. Guess we'll have to either use a typewriter (<-- which intelligence agencies are increasingly going back to!) or hand write all our passwords on paper. Then since we can't just leave that paper lying around, we'll have to get it out of our reinforced underground magnetically-sealed vaults secured by handprint, retinal scan, and voice recognition every time we need to log in anywhere. That'll give us maybe a 50/50 chance of remaining secure.
Cutiebunny
Posts: 1776
I expect that people will steal eyes if we ever get into retinal scans for ID.
TBH, I don't trust companies to protect my data. Never have. That's why I always supply fake data. Companies don't ask for proof and I wouldn't give it to them anyways.
SilverTalon01
Posts: 2421
I can't tell if you're going on a tangent or just being ridiculous. I'm not suggesting remembering 30 sufficiently strong passwords. What I'm suggesting is that using the same password on some random forum that you do for online banking is incredibly stupid, yet people do it. You don't really need *that* many passwords to be reasonably safe, and they don't even all have to be strong, for example for accounts that have absolutely none of your personal information.
SaitoHajime101
Posts: 286
Or if intelligence agencies actually have any... well, intelligence, they would just build a computer with no network connection at all. That's essentially a typewriter without having to go backwards in technology.
sputn1k
Posts: 52
Remembering 30 passwords is actually not that hard. You just have to come up with a pattern that you can easily remember. Sentences, for example, are super easy to remember. If you get into the realm of about 20 characters, your password has amazing entropy and is near impossible to brute force with today's technology as well. Take some sentences with an interchangeable word, which you then switch for every website you use: "ILikeStrawberryIceCream" on one site, "ILikeChocolateIceCream" or "ILikeMintIceCream" on another. To increase security even more, alternate with a different sentence for others, like "IDriveARedVolkswagen", "IDriveABlackVolkswagen", "IDriveAYellowVolkswagen" ... As these kinds of sentence passwords are very easy to memorize, you should be able to remember the correct one for each service very easily, despite the switched-out word. If the site requires complexity via numbers, special signs ... just affix some you like at the beginning or end of the password, or build a sentence that incorporates them. E.g. a dot at the end of the sentence, or a comma where it should be in the sentence.
zrnzle500
Posts: 3768
Luckily my password manager is unaffected as they don't use CloudFlare (Dashlane). 1password does use CloudFlare but is unaffected as noted in the unofficial list linked in the article. Lastpass doesn't seem to be listed either. I'm not sure I would avoid using them in response to this. Do write important passwords down though. @sputn1k while that is better than nothing, I'm not sure I would suggest that over other options. If you can remember the pattern, hackers can think of it too.
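sputn1k's sentence-with-one-swapped-word scheme and zrnzle500's reply ("if you can remember the pattern, hackers can think of it too") can be put in numbers. The script below is an added illustration, not code from the thread: it computes the per-character entropy such a password appears to have, then recovers the fixed template from two sibling passwords and counts how many guesses the remaining slot takes. The two passwords, the flavour list and all function names are constructed for the example.

```python
import math
import os
import re

# Constructed sample: two passwords from the sentence-with-one-swapped-word scheme
# (hypothetical values for this example, not real credentials).
SIBLING_PASSWORDS = ["ILikeStrawberryIceCream", "ILikeChocolateIceCream"]
# Constructed candidate list for the swapped slot (what a guesser would try first).
FLAVOURS = ["Vanilla", "Chocolate", "Strawberry", "Mint", "Pistachio", "Mango",
            "Coffee", "Caramel", "Lemon", "Cherry", "Coconut", "Banana",
            "Hazelnut", "Peach", "Raspberry", "Blueberry"]

def naive_entropy_bits(password):
    """Per-character estimate: every character treated as an independent draw
    from the union of the character classes the password uses."""
    if not password:
        return 0.0
    alphabet = 0
    for pattern, size in ((r"[a-z]", 26), (r"[A-Z]", 26),
                          (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)):
        if re.search(pattern, password):
            alphabet += size
    return len(password) * math.log2(alphabet)

def recover_template(passwords):
    """From two or more sibling passwords, recover the fixed prefix, the fixed
    suffix and the values that were swapped into the variable slot."""
    prefix = os.path.commonprefix(passwords)
    suffix = os.path.commonprefix([p[::-1] for p in passwords])[::-1]
    slots = [p[len(prefix):len(p) - len(suffix)] for p in passwords]
    return prefix, suffix, slots

def guesses_to_find(target, prefix, suffix, candidates):
    """Guesses needed to hit target once the template is known, or None
    if the slot value is not in the candidate list."""
    for n, word in enumerate(candidates, start=1):
        if prefix + word + suffix == target:
            return n
    return None

def effective_entropy_bits(candidates):
    """Entropy left once the template is known: only the slot is unknown."""
    return math.log2(len(candidates))

if __name__ == "__main__":
    prefix, suffix, slots = recover_template(SIBLING_PASSWORDS)
    print(f"template: {prefix}<slot>{suffix}, seen slots: {slots}")
    print(f"naive estimate: {naive_entropy_bits(SIBLING_PASSWORDS[0]):.0f} bits")
    print(f"after template recovery: {effective_entropy_bits(FLAVOURS):.1f} bits")
    print("guesses for ILikeMintIceCream:",
          guesses_to_find("ILikeMintIceCream", prefix, suffix, FLAVOURS))
```

The 23-character password scores about 131 bits on the per-character estimate, but once one sibling has leaked the unknown part is a single word from a short list, so the effective strength is the list size, not the length.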
sputn1k
Posts: 52
It is very unlikely, as the "hackers" are not checking those lists they use or adapting them. What those people do is pretty straightforward copy-pasting of credentials the actual hackers stole from a breached site into a tool. That tool also has a large list of public anonymous proxies added to it, which the tool cycles through in order not to trigger rate control for a specific IP. The normal usage scenario is:
- enter a login page
- enter your 30000 stolen credentials
- enter your list of 1000 public proxies
- press the start button
- receive a list of credentials working for that login page
- use working logins yourself or sell working logins on leak boards for small amounts of bitcoin

Those people are looking to minimize the effort required to find a working set of credentials. There's little value in adjusting passwords, trying to guess the alternate version of the string, if you'd have to do that for 30000 of them. The whole point of doing this as automated as possible is maximizing your revenue; manual intervention just drastically reduces your gains in that regard. It's easier and faster to find working logins if you just add a different 30000 credentials to the tool, instead of messing around. Billions of credentials are already out there, 2 clicks away.
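The "cycle through proxies so no single IP trips rate control" behaviour described in the post above is exactly what per-IP throttling misses. As an added example (my own code, not from the thread or from any product), the script below looks at aggregate failed-login behaviour per time window instead: many distinct usernames failing while every source address stays under the per-IP limit. The log format, the documentation-range addresses and the usernames are constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp> <client ip> <username> <OK|FAIL>"
# (invented entries on documentation address ranges, not real traffic).
NORMAL_LINES = [
    "2017-02-24T10:00:01 203.0.113.10 alice FAIL",  # one typo, then success
    "2017-02-24T10:00:09 203.0.113.10 alice OK",
    "2017-02-24T10:02:30 203.0.113.22 bob OK",
]
# Constructed burst: 40 accounts tried once each from 40 different addresses
# within a minute, the shape left by the proxy-cycling tool the post describes.
STUFFING_LINES = [f"2017-02-24T10:07:{i:02d} 198.51.100.{i + 1} user{i:03d} FAIL"
                  for i in range(40)]
SAMPLE_LINES = NORMAL_LINES + STUFFING_LINES

def parse_line(line):
    """Split a log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "OK"

def window_start(ts, window_minutes):
    """Floor a timestamp to the start of its fixed-size window."""
    return ts.replace(minute=ts.minute - ts.minute % window_minutes,
                      second=0, microsecond=0)

def detect_credential_stuffing(lines, window_minutes=5, min_users=20,
                               max_fails_per_ip=3):
    """Flag windows where many distinct usernames fail while every source IP
    stays under the per-IP threshold: per-IP rate limiting never fires, but
    the aggregate is the signature of a distributed, list-driven attack."""
    failures = defaultdict(list)
    for line in lines:
        ts, ip, user, ok = parse_line(line)
        if not ok:
            failures[window_start(ts, window_minutes)].append((ip, user))
    alerts = []
    for start, fails in sorted(failures.items()):
        per_ip = Counter(ip for ip, _ in fails)
        users = {user for _, user in fails}
        if len(users) >= min_users and max(per_ip.values()) <= max_fails_per_ip:
            alerts.append({"window": start.isoformat(), "failed_logins": len(fails),
                           "distinct_users": len(users), "distinct_ips": len(per_ip)})
    return alerts

if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LINES):
        print("possible credential stuffing:", alert)
```

The thresholds are placeholders; on a real site they should be set from the normal rate of distinct-user failures per window, and the same aggregate view can be keyed by user agent or ASN when the proxies cluster that way.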
zrnzle500
Posts: 3768
^I'm talking about the actual hackers. How do you think they steal them? Most websites are wise enough to have such material encrypted, so even if they steal it, it's just random gibberish if they don't know how to decrypt it. They decrypt it by using the fact that at least some people don't practice proper password security, so they look for commonly used passwords. It doesn't take much more time to include variations with numbers and/or symbols attached, especially if they follow common patterns of doing so. And of course they aren't doing this by hand, but rather using computer programs to do it for them. I don't claim to be a cybersecurity expert, but I don't think one would suggest what you have, at least not as the first option.
Zalis116
Moderator
Posts: 6903
Location: Kazune City
And I assumed you meant "people should know better [than to not use unique passwords everywhere]," but I think we're in some agreement -- unique passwords on e-mail accounts and financially sensitive sites, but possibly non-unique passwords on less-critical sites. Though I've always used a unique password here, as hackers and trolls could sow far more chaos on ANN with a moderator account than with a standard user account.
zrnzle500
Posts: 3768
^What makes you say password managers have been proven unreliable? I just want to know if I ought to be concerned. Though if your evidence is this article (and the linked ones) I have already expressed that I find that argument unpersuasive, at least for some bigger ones.
On another note, I would suggest setting up two factor authentication/two step verification on important sites where available.