The Cloudbleed Problem

Recently (as of Feb. 24th, 2017), internet giant Cloudflare disclosed a bug that had been leaking users' passwords, cookies, tokens, API keys and other rather sensitive information into web pages served to other people. So what happened?

Who are Cloudflare?

Cloudflare is a Content Delivery Network, internet security company and distributed DNS provider. It sits between the end user (you) and your favourite websites and services (e.g. Fitbit, Discord, Reddit), proxying their traffic and protecting them from DDoS and other attacks. That proxy position is what matters here: the traffic of every site behind Cloudflare passes through the same edge servers.

What happened?

As I said before, a bug was found in the code Cloudflare's edge servers use to rewrite HTML, and it allowed passwords, API keys and other sensitive information to be leaked into the pages of unrelated sites. It was compared to the famous 2014 Heartbleed bug in the OpenSSL software library, which likewise spilled a server's process memory to anyone who asked.

Who found it?

Luckily for us, the bug was found by Tavis Ormandy of Google's 'Project Zero'. He noticed corrupted pages being returned by some of his HTTP requests that ran through Cloudflare's system, and found that the corruption contained other people's data. Like a responsible and good person, he disclosed this immediately to Cloudflare, who disabled the first of the affected features (email obfuscation; Server-Side Excludes and Automatic HTTPS Rewrites were the other two) within 47 minutes of the issue being brought to light.

What was leaked?

Various things were leaked. Nobody is fully sure of what exactly has been leaked, because what came out was whatever happened to be in the edge server's memory at the time, which can include any Cloudflare-proxied site's traffic, but the following is a somewhat useful guide:

  • Passwords
  • API Keys
  • Cookies
  • Auth Tokens
  • Usernames
  • Private Messages

Has it been fixed?

Yes. Cloudflare was amazingly quick at fixing this: the first feature was switched off within 47 minutes and the complete fix was deployed globally in under 7 hours. Good job guys. The caveat is that a fix stops the leak going forward; it doesn't recall what already leaked, some of which had been cached by search engines, so rotating passwords, API keys and session cookies is still the sensible move.

So what went wrong?

In one phrase: HTML parsing. Cloudflare rewrites its customers' HTML on the fly at the edge (that is how features such as email obfuscation work), and the parser doing that rewriting was in the middle of being replaced. The bug was not a write overflow but a buffer over-read: on certain malformed pages (an unterminated tag at the very end of the page) the parser's pointer could step past the end of the buffer, and because the end-of-buffer check was written as == rather than >=, stepping over the end was never caught. The parser then read on through the process's heap, which held data from other customers' requests, and copied those bytes into the HTML it returned. Only about 1 in 3,300,000 requests actually triggered this, so it was a tiny fraction, but at Cloudflare's volume still a large number of pages.
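
Cloudflare's post-mortem attributes the overrun to an end-of-buffer check written with == instead of >=. The C below is an added illustration of that pattern and is not Cloudflare's parser or any of their code: the page bytes, the neighbouring "Cookie:" bytes standing in for another request's memory, and the scanner logic are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/*
 * Simplified model of the Cloudbleed bug (added example, not Cloudflare's code).
 * Cloudflare's post-mortem says the end-of-buffer check in their generated
 * parser used == where >= was needed, so once the parser stepped past the end
 * it never stopped.  This hand-written scanner reproduces that pattern.
 *
 * One char array stands in for the edge server's heap (constructed data):
 * the customer's page comes first and is immediately followed by bytes that
 * belong to a different in-flight request.  Keeping everything inside one
 * array is what makes the over-read well-defined C here; on a real heap the
 * same pointer arithmetic is undefined behaviour and reads whatever is there.
 */
#define PAGE_LEN 16   /* strlen("<p>hi</p><script") */
static const char ARENA[] =
    "<p>hi</p><script"                         /* page, cut off mid-tag */
    "Cookie: session=SECRET-OTHER-USER\r\n";   /* another request's memory */

/*
 * Copy the page at [page, page+len) into out, dropping "<script" tags.
 * On "<script" the scanner skips the tag name plus the one byte it expects
 * to follow it (a space or '>').  If the page ends right after "<script",
 * that skip lands one byte past pe.
 *
 * hardened == 0: stop only when p == pe (the Cloudbleed pattern).
 * hardened != 0: stop when p >= pe.
 * Returns the number of bytes written to out.
 */
static size_t rewrite(const char *page, size_t len, int hardened,
                      char *out, size_t cap)
{
    const char *p = page;
    const char *pe = page + len;
    size_t n = 0;

    while (n < cap) {
        int at_end = hardened ? (p >= pe) : (p == pe);
        if (at_end)
            break;
        if (pe - p >= 7 && memcmp(p, "<script", 7) == 0) {
            p += 8;          /* tag name + the byte after it: may overshoot pe */
            continue;
        }
        out[n++] = *p++;     /* past pe this copies the neighbour's bytes */
    }
    return n;
}

/* Run the scanner over the simulated page; out must hold at least 33 bytes. */
static size_t rewrite_page(int hardened, char *out)
{
    size_t n = rewrite(ARENA, PAGE_LEN, hardened, out, 32);
    out[n] = '\0';
    return n;
}

/* 1 if the rewritten page contains bytes belonging to the other request. */
static int leaks_neighbour_data(int hardened)
{
    char out[33];
    rewrite_page(hardened, out);
    return strstr(out, "session=") != NULL;
}

int main(void)
{
    char out[33];
    rewrite_page(0, out);
    printf("vulnerable (==): \"%s\"\n", out);   /* <p>hi</p>ookie: session=SECRET-O */
    rewrite_page(1, out);
    printf("hardened  (>=): \"%s\"\n", out);    /* <p>hi</p> */
    return 0;
}
```

The point of the two runs is that the parser's state machine is identical in both; only the comparison differs. With == the skip over the truncated tag lands at pe+1, the loop never sees p equal to pe again, and the output carries the neighbour's cookie. With >= the overshoot is caught on the next iteration and the output stops at the page's own bytes.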

Cloudflare have a nice rundown of the incident on their blog.

Who was affected?

There is a GitHub repo with the full list of domains using Cloudflare (it's a 70 MB text file in a 22 MB ZIP archive). Note that this is a list of Cloudflare customers rather than of sites confirmed to have leaked: because the leaked bytes came from shared edge memory, a site could have had its data exposed even if it never enabled the affected features. There is also an excellent website called Does It Use Cloudflare? It does what it says on the tin.

Final Thoughts?

It worries me that this happened, however at least it was solved quickly. What annoys me more is that Cloudflare fixed this, whereas when I presented a similar (but not as serious) issue to my school, they tried to throw me out.

#cloudbleed on Twitter is interesting too.

Anyway, see you soon. Also, check out Citation Needed Fan Edition.

Win10 VS OSX

macOS vs Windows 10

I have been using Windows 10 and macOS Sierra for a while now. This is on two different machines with vastly different specifications, but the point still stands: Windows 10 and macOS are two separate operating systems with two different ways of working. So let's begin.

Speed

This is a hard one to call. macOS 'boots' much faster to the login screen, but takes three times as long to log in as it loads everything up afterwards. Windows 10 loads everything beforehand. So they are about equal. It's also partly because I have much more starting up with macOS, as it's my communication device, not my gaming device.

Software Support

Both are excellent. All the main apps (Office, Vivaldi, etc.) are supported on both platforms. However, when it comes to games, Windows wins hands down. Practically all Steam games work under Windows, yet most don't work on macOS.

With macOS, I find developer support to be better: Xcode and all the tools I need for my day-to-day development work are there. Visual Studio for Mac is NOT the same as VS on Windows. Don't confuse them.

Interface

I prefer the macOS interface. I like the unified menu bar and the dock. However, the Taskbar in Windows is quite good for window management. I wish Finder was more like Commander One, but I find it worlds ahead of Windows Explorer.

Overall?

I personally prefer the macOS interface, speed and reliability. However, if DirectX came to macOS, then it would be perfect. For now, I will have to keep a Windows box about just for DirectX.

The 2016 Programmer Survey!

I had the idea for this as I watched the analysis of the Nerdfighteria Survey. The basic concept is that programmers answer the questions and we get an idea as to who here programs. Results will be published in January 2017 with an analysis and a raw spreadsheet.

ALL DATA IS COMPLETELY ANONYMOUS AND WILL BE AVAILABLE FOR DOWNLOAD IN JANUARY 2017.

Anyway, if you wish to answer the survey, click here: https://goo.gl/forms/HCfCtRe1kprUEhEI2

Thanks and have fun!


rMBP (image: Engadget)

The Retina MacBook Pro Review. Thud.

Where to begin?

I personally went out and spent over £1300 on a 13 inch “Retina” MacBook Pro. Considering that, I will be judging it pretty harshly, especially considering it is going to be my main laptop for the next few years.

When I went to buy this, I could have waited a couple of weeks and got a 2016 rMBP. So why the 2015? Well, ports. This machine has ports! And I need them at school: I need to be able to read flash drives, connect to external projectors, etc. without too much faff or too many adapters. So this was perfect. Two USB ports seems a bit stingy, but two Thunderbolt ports, MagSafe and HDMI is pretty good. I only need two adapters (Thunderbolt to USB and VGA, but whatever).

The whole machine is constructed out of aluminium and glass, with plastic keycaps and a plastic hinge. It feels premium, yet it is still pretty light. However, it does give you cold palms because it is metal.

Now for software. OS X is pretty good in comparison to Windows and Ubuntu.

However, that is to come… Stay tuned 😀