Comments
Well, it's easy for people to do things like that to elevate themselves. With that said, changing passwords (if you use a solid method for creating them) never seems like a move that gets you into trouble. The same can't be said of not changing passwords.
You don't need to change passwords if you are using second-level authentication of some sort, which you probably should be for anything important.
I'd argue that the average script kiddie can't DDoS a properly configured site (albeit the provider may be happier with cleaner pipes), even without fancy configurations like load balancers, HAProxy and whatnot unless really necessary; but this is the case where a perceived convenience in administering a perceived security will always win over properly configuring your own stuff. There's this idea, after the CF era, that IPs themselves are something to protect and offering A entries is like "running naked in the wrong neighbourhood". It almost seems that there are script kiddies behind every corner ready to DDoS your blog about cute kittens like nobody's business.
Delegating things seems a powerful business nowadays: cloud, mail, security... While delegating some of this stuff is a real service and offers real convenience (cloud and mail services, for instance), I feel like "security via hiding A entries" is pretty much just marketing (never really endorsed by CF, but they benefit from this myth anyway, marketing the need for protection of the origin).
Then there's the "SSL" chapter: CF jumped into this "security market" even more when Mozilla and Google/Chromium announced their intention to "deprecate http". Enough pamphlets have been written on this subject (CF-administered TLS) and I'm going to stop here and rest a little.
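The "hiding A entries" point above has a practical side that the post leaves implicit: an origin is only hidden if no record in the zone hands its address out, and it is only protected if it refuses traffic that does not come from the CDN. The script below is an added example written for this page, not code from the thread or from Cloudflare. The zone records are constructed sample data, and the Cloudflare prefix list is a hand-copied snapshot (an assumption) that must be refreshed from https://www.cloudflare.com/ips/ before use.

```python
# Added example: does a zone fronted by Cloudflare still leak the origin
# through records that are not proxied, and what does an origin-side
# firewall that makes a leaked address useless look like?
import ipaddress

# Snapshot of published Cloudflare edge prefixes (assumption; refresh from
# https://www.cloudflare.com/ips/ before relying on it).
CLOUDFLARE_PREFIXES = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
]
CF_NETS = [ipaddress.ip_network(p) for p in CLOUDFLARE_PREFIXES]

# Constructed zone: apex and www are proxied, but mail/ftp/direct point at
# the real server (203.0.113.17 and 2001:db8::17 are documentation ranges).
SAMPLE_RECORDS = [
    ("example.com", "A", "104.16.10.20"),
    ("www.example.com", "A", "104.16.10.21"),
    ("mail.example.com", "A", "203.0.113.17"),
    ("ftp.example.com", "A", "203.0.113.17"),
    ("direct.example.com", "AAAA", "2001:db8::17"),
    ("example.com", "MX", "mail.example.com."),
    ("webmail.example.com", "CNAME", "mail.example.com."),
]


def is_cloudflare(ip):
    """True if the address lies inside one of the edge prefixes.
    Version-mismatched comparisons (v4 address vs v6 net) are simply False."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CF_NETS)


def origin_leaks(records):
    """records: iterable of (name, rtype, value).
    Returns (leaks, pointers): A/AAAA records whose address is not an edge,
    i.e. hosts answering from the real server, and the MX/CNAME records that
    point at such hosts (the usual way a 'hidden' origin gets found)."""
    direct = {}
    for name, rtype, value in records:
        if rtype in ("A", "AAAA") and not is_cloudflare(value):
            direct.setdefault(name, []).append(value)
    leaks = [(name, ip) for name, ips in direct.items() for ip in ips]
    pointers = [(name, rtype, value) for name, rtype, value in records
                if rtype in ("MX", "CNAME") and value.rstrip(".") in direct]
    return leaks, pointers


def nft_allowlist(ports=(80, 443)):
    """Origin-side nftables rule set: accept the web ports only from edge
    prefixes and drop everything else, so a leaked address cannot be used to
    bypass the CDN. Add your own management access rule before loading it."""
    v4 = ", ".join(p for p in CLOUDFLARE_PREFIXES if ":" not in p)
    v6 = ", ".join(p for p in CLOUDFLARE_PREFIXES if ":" in p)
    port_set = ", ".join(str(p) for p in ports)
    lines = [
        "table inet cfonly {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    ct state established,related accept",
        "    iif lo accept",
        f"    ip saddr {{ {v4} }} tcp dport {{ {port_set} }} accept",
        f"    ip6 saddr {{ {v6} }} tcp dport {{ {port_set} }} accept",
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    leaks, pointers = origin_leaks(SAMPLE_RECORDS)
    for name, ip in leaks:
        print(f"origin exposed: {name} -> {ip}")
    for name, rtype, target in pointers:
        print(f"{rtype} {name} points at exposed host {target}")
    print(nft_allowlist())
```

On the constructed zone the check reports mail, ftp and direct as exposed and flags the MX and CNAME that lead to them; the generated rule set is what turns "the A record is hidden" into "the origin only talks to the edge", which is the part the marketing tends to skip.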
That's sad and embarrassing, but I guess your bet is correct.
Why would anyone abandon CloudFlare because of this? The benefits far outweigh the negatives. They won't make the same mistake twice. Security is important but shit happens and the world still turns. Many in our industry have a job because shit happens.
Personally, I'm more concerned about how much important business is done over the email protocols. One email can be archived insecurely on countless clients/servers/devices etc. while both parties assume it's private. I guarantee you that everyone on this forum has an email address and won't stop using it.
That's a wiser statement than even you yourself might think.
We like to think in superlatives nowadays, and in black and white. Add some marketing by security-related corps, et voilà, there you have the widespread belief that security is something like an uncrackable lock.
Well, it is not.
Security always boils down to making an attack harder and/or take longer and/or changing the cost vs. success ratio for the attacker to your advantage. That also brings with it the sieving out of low-level attackers.
Many Hollywood movies are widely based on that. Something or someone valuable in some kind of secure location. Translation: Joe and Jane DerpThug can't get in. But, and that's usually what the movie is about, the SuperGroup can get in.
In our field: Joe and Jane Scriptkiddie don't get in but the NSA or some well-equipped university can.
Many falsely consider that next to worthless because, hey, if anyone, even the NSA, can get in, that protection must be worthless crap. Nope.
Every professional who has spent some time in a SOC can tell you about script kiddies being a major problem. Not because their attacks are dangerous but because they flood your whole sensor and processor network. Sometimes it's so bad that serious attackers can be successful simply because they are "invisible" within the gazillions of mindless scriptkiddy packets.
So, yes, you are perfectly right. If cloudfail succeeds in hiding a server's IP from 99% of potential and wannabe attackers, that is a very valuable service and actually greatly contributes to their customers' security.
At least one provider has already ditched CF, so that bet is void
Oh, Mr Supersmart ricardo ...
Obviously @mfs's statement wasn't to be taken literally.
Btw: They seem to no longer teach basic argumentation and logic nowadays. Your attempt "I have one counter-proof so mfs is wrong" is ridiculous and certainly not painting mfs as stupid, but... oh well.
Looking at Cloudbleed one would reasonably assume that their customers are running away in droves. mfs assumes that they won't and I agree.
Maybe we are both wrong, but experience teaches that the vast majority of cloudfail customers will stay.
Grow up, bsdguy, you seem to be on a mission for the moral high ground. Taking a statement like "my bet is zero providers will stop using cloudflare" and pretending "it was a joke" is ridiculous.
Let's just reasonably assume that the choice of people's words matters. Like zero meaning zero.
It's much easier for the general population to assume zero means zero than to ask "how much do you think this guy is being a smart arse".
Bottom line is some will actually stop using CF, regardless of the ivory towers other people set themselves up in.
@ricardo
Nope. I'm on a mission to beat up gamma dogs who mistakenly think they are alpha dogs.
As for the matter: This is not a scientific forum but an easy-going meeting place for talking with each other. What mfs did is known as "exaggeration to underline the point".
Of course some customers will leave cloudfail. But the point of mfs (and I support that view) was that the vast majority will stay.
The paying customers will demand, and get, some worthless statement by cloudfail about how, oh so much and bravely, they will improve safety even more, and the non-paying customers will stay for the same reason they came in the first place. They don't care about their customers or their servers being secure but about getting a free ride and a good feeling. Simple as that.
Right. So scientific understanding is now based on the ambiguity of how sarcastic someone is being on an internet forum. Right on.
@ricardo
No, terrier, that part wasn't scientific. Neither was mfs's statement. That was easy-going normal conversation between colleagues and I think everybody got what he meant, even you, except that you saw a chance to blow yourself up to look big by taking it as if said in an academic setting and stubbornly hunting the word "zero".
And btw, my remarks re. "zero" weren't scientific either. They also were easy-going normal conversation. And I might be wrong.
Saying "no one will stop using cloudflare because they're not aware of the big picture as I am"... heh.
@ricardo
Stop boring and molesting me with your very subjective interpretations.
Okay guys, do I need to change all customers' logins on WHMCS? I was on CF.
If you were using two-factor authentication and one of the factors got broken, you're now using one-factor (the remaining one) authentication. Better change those passwords.
No. Send an email to your customers advising them to do it. But tell them no evidence has been unearthed that their private data was exposed.
No, the forum is not new. Maybe 1 or 2 years old.
I just use it to post my own tutorials, etc.
I am busy with an Android project but sometimes I come to this forum to refresh my old days. I still remember when I first tried to purchase an advertisement on LEB using buysellad and it always showed "add to wishlist". lol
Here I thought my nuclear launch codes were safe enough on a Google Drive with two-factor authentication. I guess I need photon entanglement security. Oh, but wait, what if the quantum physicists are wrong? My data will not be secure.
Can never be too paranoid about security ya know....or can you?!
They will. Humans don't learn from history.
HAHAHAHAHA
"Google reverts TLS 1.3 support for Chrome because of MITM-Proxies" (https://bugs.chromium.org/p/chromium/issues/detail?id=694593)
And that just after I was accused and attacked here for trying to explain that SSL/TLS is crap.
As for TLS 1.3, I'm not in the least surprised. When I saw that ridiculous guy speaking for the TLS people at the conference and talking about, oh, how great TLS 1.3 is, I actually left early thinking "you dumb asshole" and "they still haven't got it".
So much for "that's all not needed. Just use SSL/TLS!!1!!!". HAHAHAHA! Experts. Everywhere. With broken crap in their hands. HAHAHAHA