Archive: February 2017

The Cloudbleed Problem

Recently (as of Feb. 24th), internet giant Cloudflare experienced a bug that leaked users' passwords, cookies, tokens, API keys and other rather sensitive information. So what happened?

Who are Cloudflare?

Cloudflare is a content delivery network, internet security company and distributed domain name server. It sits between the end user (you) and your favourite websites and services (e.g. Fitbit, Discord, Reddit) and protects them from DDoS and other malicious attacks.

What happened?

As I said before, a bug was found in a couple of areas of Cloudflare’s code that allowed passwords, API keys and other sensitive information to be leaked. It was compared to the famous 2014 Heartbleed bug in the OpenSSL software library.

Who found it?

Luckily for us, the bug was found by someone on Google's 'Project Zero'. Tavis Ormandy discovered the bug after seeing multiple corrupted pages being returned by some of his HTTP requests that ran through Cloudflare's system. Like a responsible and good person, he disclosed this immediately to Cloudflare, who went on to disable the affected services within 47 minutes of the issue being brought to light.

What was leaked?

Various things were leaked. We are not fully sure of what exactly has been leaked, but the following is a somewhat useful guide:

  • Passwords
  • API Keys
  • Cookies
  • Auth Tokens
  • Usernames
  • Private Messages

Has it been fixed?

Yes. Cloudflare was amazingly quick at fixing this. It took them 7 hours to complete it globally. Good job guys.

So what went wrong?

In one phrase: HTML parsing. In slightly more detail, Cloudflare's HTML parser was being updated, and a bug meant that the server would suffer a buffer overflow, reading out unused/unallocated memory beyond the end of its buffer and dumping it into the returned HTML. On occasion that memory contained sensitive information. Only 1 in 3,300,000 requests would actually trigger this, so it was a tiny number, but still a number.
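A simplified model of the bug class described above, written as an added example for this post (it is not Cloudflare's parser code): a tag scanner that is bounded only by the next `>` copies whatever bytes sit after the request's own HTML into the emitted page, shown beside a version bounded by the request's actual length. The `ARENA` layout and the cookie value in it are constructed sample data.

```c
#include <string.h>
#include <stdio.h>

/* Constructed model of one flat heap region: this request's HTML ends in an
 * unterminated tag, and the bytes right after it belong to a different request
 * (sample values made up for this example, not real leaked data). */
static const char ARENA[] =
    "<script type=\"text/javascript"                 /* 29 bytes of HTML, no '>' */
    "Cookie: session=CONSTRUCTED-SAMPLE-TOKEN\r\n"   /* the neighbour's memory   */
    "<html>";                                        /* first '>' the scan sees  */
#define HTML_LEN 29

/* Vulnerable scanner: assumes every tag is closed and walks to the next '>'
 * wherever it is, so it copies the neighbour's bytes into the output page. */
size_t copy_tag_unchecked(const char *html, char *out, size_t out_cap)
{
    size_t i;
    for (i = 0; html[i] != '>' && i + 1 < out_cap; i++)
        out[i] = html[i];              /* out_cap only protects 'out', not the input */
    out[i] = '\0';
    return i;
}

/* Hardened scanner: bounded by the request's own length; a tag that is still
 * open when the input ends is reported instead of silently continued. */
int copy_tag_bounded(const char *html, size_t html_len,
                     char *out, size_t out_cap, size_t *copied)
{
    size_t i;
    for (i = 0; i < html_len && html[i] != '>'; i++) {
        if (i + 1 >= out_cap)
            return -1;                 /* output buffer full */
        out[i] = html[i];
    }
    out[i] = '\0';
    *copied = i;
    return i < html_len ? 0 : -2;      /* -2: input ended inside a tag */
}

int main(void)
{
    char out[128];
    size_t n;
    copy_tag_unchecked(ARENA, out, sizeof out);
    printf("unchecked: %s\n", out);    /* neighbour's cookie ends up in the page */
    int rc = copy_tag_bounded(ARENA, HTML_LEN, out, sizeof out, &n);
    printf("bounded: rc=%d, %zu bytes: %s\n", rc, n, out);
    return 0;
}
```

The unchecked scan returns 76 bytes, 47 of them from past the request's HTML; the bounded scan stops at 29 bytes and returns -2, which is the signal a defender wants logged rather than a corrupted page served.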

Cloudflare have a nice rundown here.

Who was affected?

There is a GitHub repo with the full list (it's a 70 MB text file in a 22 MB ZIP archive). There is also an excellent website called Does It Use Cloudflare? It does what it says on the tin.

Final Thoughts?

It worries me that this happened; however, at least it was solved quickly. What annoys me more is that Cloudflare fixed this, whereas when I presented a similar (but not as serious) issue to my school, they tried to throw me out.

#cloudbleed on Twitter is interesting too.

Anyway, see you soon. Also, check out Citation Needed Fan Edition.

macOS vs Windows 10

Win10 VS OSX

I have been using Windows 10 and macOS Sierra for a while now. Now this is on two different machines, with two vastly different specifications, but the point still stands. Windows 10 and macOS are two separate operating systems with two different ways of use. So let’s begin.

Speed

This is a hard one to call. macOS 'boots' much faster to the login screen, but takes 3 times as long to log in as it loads everything up afterwards. Windows 10 loads everything beforehand. So they are about equal. It's also partly due to the fact that I have much more starting up with macOS, as it's my communication device, not my gaming device.

Software Support

Both are excellent. All the main apps (Office, Vivaldi, etc.) are supported on both platforms. However, when it comes to games, Windows wins hands down. All Steam games work under Windows, yet most don't work on macOS.

With macOS, I find developer support to be better: Xcode and all the tools I need for my day-to-day development work are there. Visual Studio for Mac is NOT the same as VS on Windows. Don't confuse it.

Interface

I prefer the macOS interface. I like the unified menu bar and the dock. However, the Taskbar in Windows is quite good for window management. I wish Finder was more like Commander One, but I find it worlds ahead of Windows Explorer.

Overall?

I personally prefer the macOS interface, speed and reliability. However, if DirectX came to macOS, then it would be perfect. For now, I will have to keep a Windows box about just for DirectX.