It is the title of a novel and as per today, considering this approach is not that bad an idea. You see, some brain boffin at Google found out that we are all in trouble. The article in Forbes (at https://www.forbes.com/sites/thomasbrewster/2017/02/24/google-just-discovered-a-massive-web-leak-and-you-might-want-to-change-all-your-passwords), gives now voice to one of the issues I have been trying to raise a few times and some of those so called ‘IT Experts‘ all stated on how this would never be an option. So let’s take you through the motions.
One of the earlier blogs on this was on June 5th 2015, so almost 2 years ago. Here we see: “This is how it begins, this is about certain events that just occurred, but I will specify this momentarily, you see, it goes back to an issue that Sony remembers rather well they got hacked. It was a long and hard task to get into that place Login=BigBossKazuoHirai; Password=WhereDreamsComeTrue; Soon thereafter no more firewall, no more routers, just the bliss of cloud servers and data, so much data! The people behind it were clever, and soon it was gone and the blame fell to the one nation that does not even have the bandwidth to get 10% past anything” (at https://lawlordtobe.com/2015/06/05/in-reference-to-the-router/), in regard to the fact that this is 2 years old, and several other issues were reported by me last year, the entire issue we see in “not dissimilar to the infamous Heartbleed bug of 2015 (though possibly more severe in terms of the potential for data leakage). It’s similar to Heartbleed in that CloudFlare, which hosts and serves content for a at least 2 million websites, was returning random chunks of memory from vulnerable servers when requests came in“, in addition, when we realise that the quote “Famous Google bug hunter Tavis Ormandy uncovered the issue, describing it in a brief post, noting that he informed CloudFlare of the problem on February 17. In his own proof-of-concept attack he was able to have the server return encryption keys, passwords and even HTTPS requests of other users from major CloudFlare-hosted sites” gives rise to several issues, not just account issues, but the bleeding of data, so how does this impact national security, because in several nations the defence agencies and defence contractors have their goods somewhere on a cloud.
Here we now have a twofold problem, not only do we get this from Forbes and 1-2 other sides, the press at large has steered clear of this. This now gives rise to the corrupt press that we see mentioned by President Trump. We see for example that au.finance.yahoo.com mentions it (why the finance and not the tech section is another cause for concern), yet the fact that the Australian three (Channel 7, 9 and 10) remains silent (according to Google Search) is additional cause for concern.
Yet all is not good on several levels (at http://www.bbc.com/news/technology-39077611), we see “Chief operating officer John Graham-Cumming said it was likely that in the last week, around 120,000 web pages per day may have contained some unencrypted private data, along with other junk text, along the bottom“, now considering that the BBC article got to most of us on February 24th. Forbes gives us another time line. The quote “The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through CloudFlare potentially resulting in memory leakage (that’s about 0.00003 per cent of requests)“. It admitted that the earliest date memory could have leaked was September 22nd 2016. CloudFlare also said one of its own private keys leaked, one for internal machine-to-machine encryption” implies that the damage could have started as early as September 2016, which gives us a security gap surpassing 5 months. That is a very different kettle of fish that Cloudflare is trying to present to the BBC. I will agree that ‘as early as’ does not imply that it happened this early, but ‘memory leakage’ should never ever happen, so there is a massive issue with the safety and security of hundreds of sites and we are not talking about small places either, we are talking about companies that have values now surpassing some of the Fortune 500. In that case 0.00003 per cent of requests, knowing that this over 100 million requests per day could imply 300 codes and blocks of confidential data per day. And in all that, it only requires one block to be the wanted block out in the open for others to go at the throat of those losing their data. It represents a clear and present danger to data accounts and websites. And even now, the news outlets remain predominantly silent on an issue that is so important on many levels.
So when I see that the Mirror gives us “‘That’s how dictators get started’: Trump slammed for suppressing press freedom as White House bars some media from briefing“, the NY Times gives us “Trump Is Damaging Press Freedom in the U.S. and Abroad“, yet they remain VERY silent when there is a serious technical issue with the safety of websites online. The information is limited to Forbes, the BBC and USA Today, whilst Forbes is not even a newspaper, so where are all the others? It seems to me that after the 2012 Sony PS4 debacle the Newspaper should have learned, but that seems to be a lesson far far away. Whilst one does not imply the other, that the lack of reporting dos not mean that President Trump is not attacking the Freedom of the Press, yet after all the junk that transpired regarding News of the World, when the Guardian and others started to cry regarding Freedom of the Press, the Mail Online was up to no good even before the ink of the verdict had dried. In that atmosphere, the press is claiming foul? They must be out of their minds.
What is now an issue is that the visibility of this danger needs to be spread fast and those working on the possible compromised systems need to make changes and alter the approach to data and fat, before long term damage is handed to competitors. All these issues as people wanted to push the cloud faster and faster, an issue myself and several others warned against. Now we have the scenario that needed to be avoided. Yet, in equal measure we need to realise that actual damage has to the best of our knowledge not been ascertained, there might not be any danger at present, yet the optional fact that this has been going on for 5 months makes that statement of no damage very unlikely.
The question that will be rising more and more is where the press is at and why they kept quiet on something local businesses on an international level had to be warned about, is that not weird? Does that not pose any serious questions on your side?