8ch LEAKS IP ADDRESSES DUE TO CLOUDFLARE LEAK

8ch LEAKS IP ADDRESSES DUE TO CLOUDFLARE LEAK

A vulnerability in cloud flare caused random bits of session data to pop up in peoples webpages unnoticed including IPs.

theregister.co.uk/2017/02/24/cloudbleed_buffer_overflow_bug_spaffs_personal_data/


github.com/pirate/sites-using-cloudflare

Other urls found in this thread:

keepassx.org/
schneier.com/academic/passsafe/
haveibeenpwned.com/
keepass.info/
world.std.com/~reinhold/diceware.html
thepiratebay.org/torrent/12115484/Citizenfour.2014.Bluray.1080p.DTS-HD.x264-Grym
en.wikipedia.org/wiki/X.509
torproject.org/docs/documentation.html.en
m.youtube.com/watch?v=L0SN29Ee8mo
bugs.chromium.org/p/project-zero/issues/detail?id=1139
cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/
twitter.com/NSFWRedditGif

Can any of the might interwebz haxxxzerz around confirm or falsify this claim ?
Thx

Just looked at the list of affected websites. 8ch.net is not on the list. Am i doing it wrong or is OP just full of BS ?

...

I grepped it and found 8ch.net

so what
what are they going to do with just ips

Read the text file its in there.

just read about it. Sounds more interesting to check other sites than this one.
Can we get stormfront users IP ? Can we get government logins from some retarded shitcountry ? How can we use this knowledge to advance our revolutionary goals ?
That's the question my friends.

Does it say what board you were on?

that's what you get for trusting a massive US based company with ties to INT with your data. don't worry though this bug only give some data to the public. NSAFlare and INT already have complete access to all traffic. that's how cloudflare(previously "Project Honey Pot", seriously, look it up) works.

this bug appears to be fixed.

If 8ch is compromised what should I do?

There are ways around cloudflare !

Post in Bunkerchan

But it's full of cancerous namefags.

There are no namefags, go there by yourself.

I changed my password, I recommend the volunteers do the same.

I get that CIAflare was leaking info everywhere, but can someone tell me if we know whether that info was being collected? The Google guys discovered this problem just now, so wouldn't that mean it's unlikely someone intentionally exploited it? Unless webcrawler services or something were automatically gathering the leaked shit?

Done and done, Commissar BO

There is no evidence are far as i know that anyone had been exploiting this previous to the disclosure but of course it's impossible to know. not sure how likely it is that webbots have been inadvertently caching the data, good question.

Some advice for changing your password
The ideal password should be something like PassW0rd, why?:
It mixes upper and lower case, uses more than one word and it has a number on a random spot therfore adding more workload to a dictionary attack.
Just remember to put the number on a random spot because dictionary attack functions add random numbers at the end of every entry they have.

Good Luck. 8ch still uses cloudflare.

Just IPs? It's fucking nothing unless you got any ports open.

cloudflare fixed it already.

picrelated is one way of creating strong passwords if you need to.
Ideally you should look into using a password manager that will create random strings of characters for you and remember them, of course you need to find one with encryption you trust and create a strong master password/

Still 8ch leaked IP's of our users.

password managers worth investigating.

keepassx.org/
schneier.com/academic/passsafe/

How can I tell if I'm safe?

It likely leaked a lot of stuff. So again, was it stored somewhere? Or leaking into the void?

good place to start haveibeenpwned.com/

8ch has always and still does leak all traffic to cloudflare. In this case couldflare further leaked it to the public.

...

no thats an awful password
if you want to be secure use a password manager like keepass
keepass.info/
ideally you would generate the master password with diceware
world.std.com/~reinhold/diceware.html

i thought cloudflare fixed that bug during the past week?
see bug report in

anyone anyone using the internet without tor post-snowden is retarded.

keepassx > keepass
fucking c# and obscure window manager bs

any cloudflare encumbered service is vulnerable.

using TOR is not a magic solution to everything, in many ways it makes you more of a target. in this case, if you were using TOR to login to an account on a cloudflare website, your login details could still be leaked, I think.

something from HN

You are an FBI shill and full of shit.
Can someone confirm if this is the actual board owner or just unicode trickery?

yes this is true but i don't have an account on Holla Forums and this thread is about ips.

in the case of this 8ch users posting or logging in from a tor exit node are blocked from doing so and redirected to the tor hidden service (bypassing NSAFlare).

we have Frederick to thank for this. thanks spicypaste!


see


….good times

good point, their login info isn't in cleartext in cloudflare memory so in case of Holla Forums is not a problem.

I want us to move to a different network infastructure but even the geeks who are nto that aren't making any good plans.

people like to pretend that infrastructure is planned but in reality it just happens organically.
that's it never works.

*why
**ethanol

Weren't you supposed to be in IT professionally?

A data leak, or at least one on the net, is different from a leak in real life. Data is 'leaked' when a request is made for that information and made accessible to more sources than the requester.
Sadly, every time you enter a page, you (or rather your machine) makes such a request. (This is why you shouldn't go to websites you don't trust, even with all security bells and whistles at the max: just getting a response to the request can compromise your data.)

Ergo: without access to the server logs (the physical server's logs, not the UI) it's impossible to tell who got what data. Even with that information AND automated assistance, it would be incredibly difficult to find that information in a way our meatbag eyes can understand.


Longer passwords take longer to crack. Use sentences: they're easier to remember and are much harder to crack.
Numbers aren't enough, use uncommon symbols as well. Ideally you'd mix different character sets, but that is pretty difficult.
Pro-tip: never trust the service storing your information. Back in the day it was common practice to make a copy of every password only in uppercase - makes ya think!

Is this a joke? TOR has multiple backdoors build in.
If you want to hide from the U.S. government, TOR is the worst option there is.

Also, the BO is right. TOR masks your original request by sending it through a proxy - but this doesn't mask the data within the request. If you log in somewhere, that data is still (very) vulnerable. (Not the case for 8ch, per )

Say person A wants to send a letter to person B, but they don't want just anyone knowing the letter came from person A.
So here is what they they do: person A writes the letter, puts it in an envelope with the final address on it and sends it to person C. Person C then sends it to person D and so on, until the letter eventually reaches person B.

That is how TOR works. Now what happened with cloudbleed is equivocal to person D making a copy of the letter and sending that to anyone who asks for it. The source is still obscured, but the information within the letter has been shared without person A being aware.

It seems people are still arguing about TOR. I'm not saying *don't* use it, but consider this: do you think that Hezbollah uses TOR? I doubt they do. If TOR is so great, its advocates should be able to provide evidence that it's a core part of OPSEC for a real active militia that opposes NATO.


Under full communism, this wouldn't be a problem.


Nope. If I was a professional, you think I'd have time to moderate and shitpost on here? lol

I think I understood this, maybe I was just describing it in a funny way.

My fucking god.
Are you trolling right now or are you seriously FBI?

[citation needed]

Also the data that gets send through Tor (it's Tor by the way not TOR) is encrypted, what it is vulnerable to is at the point where it gets decrypted, the exit node – which is why ideally you should use another layer of encryption such as HTTPS or PGP.

Not an argument.

well tor has or had a problem with hidden services being only protected by 1024 bit keys but i think that's not what the FBI shills were FUDposting about.

Is this nigger retarded or seriously FBI?

Don't we know from the NSA leaks pretty much that they're struggling with compromising Tor anyways and their attempt are security exploits such as JavaScript and taking over as many Tor nodes as possible/running them themselves to then either monitor the unencrypted data that does get send through or inject malicious code when possible?

The BO is right though, if you use Tor and don't know how to properly operate it or secure your system, you're actually more at danger.

Indeed you are correct.
The hidden service issue is more of a theoretical nature. Also once they paid Carnegie Mellon university a million dollars to find a tor exploit, which they did.
Of course there is also the long history of successful use of tor against the US government or Deep State, with the most prominent example being
thepiratebay.org/torrent/12115484/Citizenfour.2014.Bluray.1080p.DTS-HD.x264-Grym

only if the site doesn't use HTTPS (unless the NSA has cracked HTTPS, which I don't think and don't hope they have)

The BO never said that and nobody ever denied it.
Fuck off, FBI.
Also reading through the tor faq is not really that hard and misuse of tor can't make you more vulnerable for the NSA only for regular script kiddies.

WHAT????
Of course x.509 is completely taken over.
Any government and lots of evil corporations can create valid https certificates for any website using their CAs.
Of course the NSA has a CA.

[citation needed]

And I forgot to mention it is extremely likely people have exploited this glitch. Between all the scriptkiddies and actual black hats across the globe it is very likely somebody came across it and shared the exploit in their circle.
If it's any consolation, it's more likely people outside the U.S. got that information than inside. As far as I know U.S. hackers tend to go for the big fish.


I guess you didn't hear about a huge chunk of the silk road getting rolled up.


Not every criticism of TOR is a denouncement of the system - let alone the concept. You should definitely use it if the opportunity is available, but, if you're in the U.S. (or proximity) and fuckos sniff you out, TOR won't do anything for you. GP2PN when???


If l33th0cker can do it, then professional programmers can do it as well.

holy fucking shit stop shitposting please.
en.wikipedia.org/wiki/X.509

IF YOU HAVE A CA YOU CAN CREATE CERTS FOR ANY DOMAIN.
IT IS IMPOSSIBLE FOR A ROOT CA TO LIMIT THE DOMAINS AVAILABLE TO SUB-CAS

not through a backdoor. we know how they did it.

so i read through your entire post and you are full of shit. lurk moar.

fyi cloudflare decrypts all https traffic that goes through them. you have to give them your private keys. this is because of how shitty x.509 is designed but probably also because cloudflare is a nsa operation.
if your traffic goes through a cloudflare server, using tor or not, it is stored in cleartext and leaked through http(s) requests to random websites that shared the same "cloudflare proxy".

Yeah, this is all I've said. It's not just about disabling flash and JS. The TOR browser itself is a very large attack surface. The other issue is that if you use it on your home connection, the NSA is going to log that and put you on the "TOR users" list. No matter how you look at it, this is the kind of attention you don't want.

I haven't seen any proof of a backdoor that the other user is talking about, but I think the TOR dev team has had a lot of political infighting lately. I'm not totally up to date on it, but it does weaken my confidence in them.


Take your meds and stop shitposting. I won't respond to any more of your posts unless you explain how I'm an FBI agent because I'm telling people to be cautious.


no, from what I understand, the CIAflare leaks are effecting sites like OKC, which use HTTPS.

note that this doesn't let the attacker decrypt your traffic afterwards, but if he mitms you, your browser generally won't notice.

Liar.
You can't get out of this.
You shitposted like the worst redditors.
Either you are retarded as fuck AND are surrounded by shills in the online communities you frequent, or you are a shill yourself.

If you look at the details of that case, it looks like they caught DPR because he made several other OPSEC goofups. I think the main thing was that he initially advertised silkroad on a clearnet webforum. Unless the FBI was doing parallel construction, I don't think there is evidence that TOR vulnerabilities were involved in his arrest.

sorry can't do that. it's brilliant dog-whistle-code that revealed you right away.

i think your shill friend was talking about the second sr takedown which might have been done through the carnegie mellon hack. but maybe that happened slightly later.
on sr2 they also had shills amongst the mods who stole the money and shit like that.

Look, either you never even read the tor faq or wiki page or you are spreading disinfo on purpose.
Read a) - c) here before you continue posting:
torproject.org/docs/documentation.html.en

…and learn how to use pgp, it's pretty much impossible to discuss opsec with someone who doesn't understand public-private-key encryption and signatures.

[citation needed]

So this is for emails?

No, that guy was either trolling or shilling a government honeypot.
His website actually uses cloudflare, so any data you entered there could have leaked through cloudbleed.

fug DDD:

Though funny thing is I've seen and used it before after that scare of a virus stealing people's info. Forget what it was called.

I guess it's nothing?

Wheel swings were pleb-tier delete this.

If they're need a service like cloudflare is there not a Chinese equivalent? I'd rather the Chinese watching me talk about porn than the NSA tbh.

embrace the times

This tbh

m.youtube.com/watch?v=L0SN29Ee8mo

tor hidden services are end to end encrypted and traffic does not pass through an exit node.

So in germany we call those guys the Spackeria because they're all Spacken, what is the english word for them?
Assuming they actually are serious and not just shilling.

While that would be nice, the problem is nobody needs a service like cloudflare. CF is only useful for static web 1.0 websites, and those are cached by your browser already.
The reason people use cloudflare and similar CDNs is that the NSA DDoSes everyone who doesn't use it. If people were using chinese CDNs NSA would still DDoS them unless they have a shill on the inside who can add a cloudflare-like backdoor for them.

lol @ these technologically illiterate fucks

Dumb OP, saying "including IPs" as if that could be the worst thing being leaked.

>The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed cloudflare what I'm working on. I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.

bugs.chromium.org/p/project-zero/issues/detail?id=1139

cryto.net/~joepie91/blog/2016/07/14/cloudflare-we-have-a-problem/

OP is talking specifically about Holla Forums, but we also have a general thread in
Also the original disclosure said CloudFlare greatly downplayed the risk, so OP probably fell for some PR talk and lies of omission.

Services like Cloudflare do nothing but further centralize the Internet.

fyi bitcoiners warned of CF mitm in 2013.

but that is a different issue than what OP talks about. it just is the reason why OP's issue is so terrible.

I've seen some retards suck CF's dick saying "hey at least they're being transparent!!!!!".

But that's what caused the problem in the first place…

People have been warning about this all this time.

You fuckers are retarded. You are commies, there won't be any consequences. This is mean to target pol

The president of the US is a meme-spouting Holla Forumsyp, but you still think you're the anti-establishment underdogs?

Password managers are less safe than memorising a strong password, they may still be worthwhile.
Keep in mind it can be a pain in the arse to synch all your passwords accross multiple devices and if you forget your master password or lose the keyfile you have to change every single one of your passwords.

password managers are more safe than memorizing ONE strong password.
what the fuck kind of disinfo is this even.
if you use a single password you have to change it everytime a service gets hacked and if you forget it you also have to reset it everywhere.

Shut the fuck up and stop accusing everyone of disinfo. I am simply advocating memorising strong passwords over using a manager.

just don't use proprietary pw managers or anything that uploads your passwords to the cloud, unless you know enough about pgp and algorithms to verify the protocol yourself.

nobody can memorize a strong password for every service he uses you fucking idiot.
maybe if everyone accuses you of disinfo it's because you are simply wrong?

tob geg

Maybe you cant.

Or you could just use strong passwords and keep them in an encrypted text file in an encrypted (with a 2nd key) folder.

it's easy to memorize a few strong passwords with variants.

he says password managers are stupid.
your way of password storage doesn't even let you generate new passwords so you'd need an extra script for that.

what the fuck is that good for?

Diceware, you stupid faggot.

This is awful advice.

kek gl kiddo

Just use a .txt file for your passwords instead of a password managers you fucking retards, ahhhhhh

Bad idea.

Use a physical notepad with a pen, and make sure you keep it from prying eyes. If you have a safe, you could lock it up in there.

Any data stored on a computer is easily vulnerable to theft. Best thing to do is minimize how much personal content is on your computer in the first place.

I'm a hikki!

Also you can easily encrypt a single file.

i believe he was talking about passwords that he enters on his actual computer, not on his airgapped bitcoin signing machine.

airgapped >= secure password manager > gpg text file > text file > lots of weak passwords > only a single password for everything
i don't think i have to mention that any password that you thought up in your mind instead of generating it is nearly useless.

bump