I actually got a better read from the admin of a discord server I'm in, so I'll post this here:
- There has been a major security flaw within Cloudflare, and thus within Discord. It's highly suggested that you cycle your passwords everywhere.
Impact
Between 2016-09-22 and 2017-02-18, passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters.
Data was cached by search engines, and may have been collected by random adversaries over the past few months.
"The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests), potential of 100k-200k pages with private data leaked every day"
What you should do
Change all your passwords, especially those on these affected sites. Rotate API keys & secrets, and confirm you have 2-FA set up for important accounts. Of the sites compromised, most notably there is Reddit, Uber, StackOverflow, Patreon, DigitalOcean, 4chan, and many many more.
You can check which sites were affected by this on the readme of this github page https://github.com/pirate/sites-using-cloudflare
I cannot stress this enough, please change your passwords everywhere as this affects everyone everywhere!
The article goes more in-depth on protocol and what this means.
This is yet ANOTHER memory safety bug. Hopefully more and more people will become convinced that we need to move away from C and C++ to languages that are memory safe by default, such as Rust. (Of course, what I'd really like to see is more provably correct code, but the tools to do that are far from being accessible to normal humans right now.)
....aaand if you are not a programmer, and the response from lm makes no sense to you at all... When you write software, everything gets stored in RAM. Add 2 + 2 and that result gets put into a place in RAM until you decide what to do with it. (Options include writing it to disk, using it in another calculation, erasing that memory space and freeing it up for something else to use, etc.) In older, pre-WWW software languages, you had to map out all the memory space you were using with specific addresses. Each bit had a specific address, just like every house on your street has a specific address. To add 2 + 2 you would add memory space AB14263 plus memory space RPX9823, and put the result into memory space XXX9999. The problem was keeping track of every bit of memory, what was currently in it, what was free to be used, and what parts could be emptied to be used again. Every line of code you wrote made memory management more complex, and programs often died due to memory management issues. Then along came languages like Java, that just said, "Do your calculations. I will worry about keeping the memory map accurate." So you would write code that would say, "Java, add 2 + 2 and put the result into memory, and label that place in memory "MyResult"." And Java would do it. So any time you needed the result of that calculation, you could simply refer to it by name: "Java, what is MyResult + 7?" And Java would give you "11". Memory leaks are what happens when you lose track of your memory map. Malicious coders can ask for the contents of a bit of memory - for example, a 2 character space where that "11" is stored - but intentionally screw up the request and ask for the 5,000 characters beginning with the "11". If passwords or other delicate data happen to be stored in any of those 5,000 characters, the malicious coder now has them.
Note: Practically speaking, this is not how memory leaks work, and anybody that is a programmer from the old skoool will be stretching his fingers and getting ready to flame my misrepresentation of a memory leak, and buffer overflows, and write protections, and blah blah blah. But. For the person that does not know any programming, my description demonstrates the problem in a simple and easy to understand way, without making their eyes glaze over. I am now putting my fingers in my ears and singing loudly...
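The over-read described in the two posts above, as an added example that is not code from either post or from Cloudflare: a two-byte field (the "11") sits in a buffer next to other data, one reader copies however many bytes the request names, and the other refuses any request that does not fit inside the field. Function names and the sample buffer are constructed for illustration; read_field_unchecked is defined only to show the bug and is never called.

```cpp
#include <cstddef>
#include <string>

// Constructed sample buffer: the two-byte result "11" followed by other data
// that a requester must never be able to read through that field.
static const char kBuffer[] = "11" "s3cret-password-and-api-key";
static const size_t kFieldOffset = 0;  // where the "11" lives
static const size_t kFieldLen = 2;     // how long the field really is

// UNCHECKED reader: trusts the requested length. Asking for 5000 bytes
// starting at the "11" walks past the field and past the buffer, returning
// whatever neighbouring memory holds. Shown for contrast; never called here.
std::string read_field_unchecked(const char* buf, size_t offset, size_t requested) {
    return std::string(buf + offset, requested);
}

// CHECKED reader: the field must fit inside the buffer AND the request must
// fit inside the field. The comparisons are written so that no addition can
// wrap around size_t, which is how a naive `offset + len <= buf_len` test fails.
bool read_field_checked(const char* buf, size_t buf_len,
                        size_t field_offset, size_t field_len,
                        size_t requested, std::string& out) {
    if (field_offset > buf_len || field_len > buf_len - field_offset)
        return false;              // the field itself lies outside the buffer
    if (requested > field_len)
        return false;              // the request reaches beyond the field
    out.assign(buf + field_offset, requested);
    return true;
}

// Convenience wrapper over the constructed buffer: returns the field bytes,
// or an empty string when the request is refused.
std::string fetch(size_t requested) {
    std::string out;
    if (!read_field_checked(kBuffer, sizeof(kBuffer) - 1,
                            kFieldOffset, kFieldLen, requested, out))
        return std::string();
    return out;
}
```

fetch(2) returns "11"; fetch(5000), the "ask for 5,000 characters beginning with the 11" request, is refused and the secret after the field never leaves the buffer. The check is deliberately split in two so that a corrupted field descriptor and an oversized request are each caught on their own.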
For example, in C or C++, you can write the following:

```c
#include <stdio.h>

int main(void) {
    int array[5] = {1, 2, 3, 4, 5};
    printf("%d\n", array[10]); // out of bounds: undefined behaviour, prints whatever sits past the array
    return 0;
}
```

It will compile fine and probably run fine...and spit out some value from some place in memory that you "ought" not to access. In Rust, however,

```rust
fn main() {
    let array = [1, 2, 3, 4, 5];
    // index computed at run time (10 when run with no arguments), because rustc
    // rejects an out-of-range constant index outright at compile time
    let i = std::env::args().count() + 9;
    println!("{}", array[i]); // runtime panic: index out of bounds
}
```

results in a runtime panic--the program quits, rather than performing an illegal memory access. A better example here is how Rust eliminates use-after-free bugs at compile time because it has very strict semantics about who owns what. For example, in C, you could write this:

```cpp
#include <cstdio>

void do_stuff(int* thing) {
    // do something to thing
    delete[] thing; // new/delete[] are C++; the same bug is malloc/free in C
}

// elsewhere
int main() {
    int* x = new int[5];
    do_stuff(x);
    printf("%d\n", x[0]); // use after free: undefined behaviour
    return 0;
}
```

That would compile and maybe it would run fine and spit out junk memory or maybe it would segfault. The equivalent Rust would look like this:

```rust
// A Vec owns a heap allocation, so passing it by value moves it. (A plain
// [i32; 5] is Copy and would be duplicated instead, so the last line would compile.)
fn do_stuff(thing: Vec<i32>) {
    // do something to thing
    // Rust deallocates thing at the end of this function
}

fn main() {
    let x = vec![1, 2, 3, 4, 5];
    do_stuff(x);
    println!("{}", x[0]); // COMPILE ERROR! borrow of moved value: `x`
}
```

This is because Rust is really really picky about who "owns" what thing, and when I call do_stuff on x, I give do_stuff ownership of x. Once I give away that ownership, I can't use x anymore since it's not mine! For an example of where that can be a security issue, just this week Linux had a double-free bug (that easily turns into a use-after-free bug) that let any user become root. Other languages get memory safety by using a garbage collector. I could talk your ear off about other bugs that can be caught at compile time by languages with very strong type systems (like Haskell) but I will spare you =] The tools I have in mind are languages like Agda or Idris, which are basically proof engines that happen to also produce executable code. At this point they are not very user friendly or easy to write big programs in, though.
Yep, smart pointers and "modern" (post-2011) C/C++ features are very nice, and fix at least the low hanging fruit of what's wrong with those languages. However, you have to use them religiously and your libraries also have to use them to get their benefits. Rust at least forces you and library developers to write safe code by default. Not to say C++ is necessarily a bad language...it's probably the language I know best, so I feel justified in complaining about it, but I'll admit that it's very good at what it does (especially considering its age) and Rust isn't quite there yet as a full replacement.
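The smart-pointer version of the use-after-free from the post above, as an added example that is not code from either post: do_stuff takes a std::unique_ptr by value, so the caller has to hand ownership over with std::move and the moved-from handle becomes null. Function names are constructed for illustration.

```cpp
#include <memory>
#include <utility>

// Ownership is explicit in the signature: do_stuff receives a unique_ptr BY
// VALUE, so the caller must std::move it in, and the array is freed when
// `thing` goes out of scope at the end of this function.
int do_stuff(std::unique_ptr<int[]> thing) {
    int first = thing[0];
    // do something to thing ...
    return first;
}   // thing is deleted here; nobody else can still own it

// After the transfer the caller's handle is empty, which is something a raw
// pointer never tells you: a raw x would still hold the freed address.
bool ownership_transferred() {
    std::unique_ptr<int[]> x(new int[5]{1, 2, 3, 4, 5});
    do_stuff(std::move(x));
    return x == nullptr;   // true: the moved-from unique_ptr is null
}
```

This fixes the low-hanging fruit the post mentions: the allocation cannot be freed twice or leaked, and a later x[0] fails on a null handle rather than reading freed memory. It is still discipline rather than enforcement, though: x[0] after the move compiles without complaint, and nothing stops you from stashing x.get() in a raw pointer before the move and dangling it afterwards, which is exactly where Rust's compile error in the post above comes in.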
Personally I use KeePass to generate a different password for everything I sign up for, usually 60 characters in length containing everything from letters to numbers to symbols. If anyone happens to get access to one of my accounts there is zero chance of them using that to gain access to something else. Above and beyond that I have four different email accounts. A gmail account for Play Store and Google rubbish, a gmail account for Facebook and only Facebook, a yandex account for forums and junk mail and one more yandex account for personal use. When I put it into writing like that it seems like a hell of a complicated process but honestly it's not. If you use an email client like Thunderbird, it doesn't matter whether you have one email address or fifty thousand million email addresses. And if you use a password safe like KeePass every account that you ever need to sign into is a click and master password away. I would highly recommend it. Also, avoid password safes that store your stuff online, that kinda defeats the purpose.
I have a more complicated procedure than you and I'm still pretty sure I need to go through and change a bunch of passwords. Thing is, if a website running Cloudflare for authentication has your password, it doesn't matter if you have it locked up under three layers of encryption. It went in plaintext and that plaintext is the key.
Oh yes, regardless of what I said it's definitely still cause to change passwords and make sure everything is safe. But I'm still not too rushed about it because the next step is to just refrain from storing your personal details online or linking social media accounts. The trick is to not have anything worth hacking stored online in the first place, in my opinion. Although obviously it becomes more serious when it comes to things like banking or PayPal.
Yandex is basically the alternative to Google. It doesn't insist on my phone number every few months like Google and it doesn't track me across the web to advertise to me, like Google. So it seemed like a great choice. South Africa is a lot closer to Russia than the US anyway. Despite our mentally challenged president, we're a part of BRICS and during the Cold War, our racist government was supported by Israel while the 'evil commies' were the only ones actually helping the resistance, which is now in power.
Everyone and their dog goes on about OnePass and I'm just sitting here like... "Ya'll are smoking crack"... what part of putting the db in the cloud sounds like a good idea?! Heck most browsers save and sync passwords, so you might even be doing it accidentally, urgh.

Also, avoid password safes that store your stuff online, that kinda defeats the purpose.
The part where it's encrypted to shit and every password problem that has hit in the past ten years has been external to 1password. The part where when Heartbleed hit they highlighted every website you visited that was vulnerable to heartbleed so you knew if you needed to change 1, 10 or, in my case, 257 passwords. The fact that I don't have to remember 257 passwords. The fact that the encryption allows me to sync my passwords across four computers and a phone. It has been proven time and again that if you want credit card or social security numbers, the way to get them is to hack a corporation's database. Get in, get thousands. Why bother with the effort of attempting to crack an individual user's encrypted password file, particularly if that individual isn't noteworthy? I've been using 1password for nearly ten years now - Mac, Windows, Android, iOS. It is the purchase I recommend the most. Back when Lastpass got blown up, 1Password didn't. And every time I ask them a question, I get an answer within an hour. Never once have I felt that they haven't fully disclosed their position or that they aren't brutally frank about what's a security risk and what isn't. If that makes me a crack smoker, pass the pipe.
Copy that. I've been using 1Password since before Lastpass existed. It's a big bite out of your ass - and I say that having just discovered that they switched from hitting you for $80 initially and $50 every major rev to $3 a month - but it's one of those things where you go "I should have bought this years ago."
And people wonder why I go out of my way not to have to create an account for every single web page ever.