It turns out that Cloudflare's proxies have been dumping uninitialized memory containing plaintext HTTPS traffic for an indeterminate amount of time. If you're not familiar with the topic, let me summarize it: this is the worst crypto news in the last 10 years.
As usual, I suggest you read the HN comments to understand the scandalous magnitude of the bug.
If you don't see this as a news-opening piece on TV it only confirms that journalists know nothing about tech.
How bad is it, really? Let's see:
I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full HTTPS requests, client IP addresses, full responses, cookies, passwords, keys, data, everything
If the bad guys didn't find the bug before Tavis, you may be in the clear. However, as usual in crypto, you must assume that any data you submitted through a Cloudflare HTTPS proxy has been compromised.
Three takeaways
First takeaway: crypto may be mathematically perfect, but humans err and implementations are not. Just because something uses strong crypto doesn't mean it's immune to bugs.
Second takeaway: MITMing the entire Internet doesn't sound so compelling when you put it that way. Sorry to be that guy, but this only confirms that the centralization of the Internet by big companies is a bad idea.
Third takeaway: change all your passwords. Yep. It's really that bad. Your passwords and private requests may be stored somewhere, on a proxy or on a malicious actor's servers.
Well, at least change your banking ones, important services like email, and master passwords on password managers -- you're using one, right? RIGHT?
You can't get back any personal info that got leaked but at least you can try to minimize the aftershock.
Update: here is a provisional list of affected services.
Download the full list, export your password manager data into a csv file, and compare both files by using grep -f sorted_unique_cf.txt your_passwords.csv. Afterwards, check the list of potentially affected iOS apps.
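The comparison above as an added example, not from the original post: a POSIX shell script that builds a constructed stand-in for sorted_unique_cf.txt and a constructed password-manager CSV, then matches each entry's URL host exactly against the list. Plain `grep -f` treats every list line as a substring regex, so `dating.example` would also match `notdating.example` and its dot would match any character; the exact-host match avoids those false positives (it assumes a simple name,url,username,password export with no quoted commas).

```shell
#!/bin/sh
# Added example, not from the original post. Compares a constructed
# Cloudflare-affected-domains list against a constructed password-manager
# CSV export, matching on the exact URL host rather than the raw
# `grep -f` substring/regex match.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the real sorted_unique_cf.txt (one domain per line).
cat > "$WORK/sorted_unique_cf.txt" <<'EOF'
chat.example
dating.example
notes.example
EOF

# Constructed stand-in for a password-manager CSV export (no quoted commas).
cat > "$WORK/your_passwords.csv" <<'EOF'
name,url,username,password
Chat,https://chat.example/login,alice,REDACTED
Bank,https://bank.example/,alice,REDACTED
Notes,http://www.notes.example:8080/app,alice,REDACTED
Lookalike,https://notdating.example/,alice,REDACTED
EOF

# Print "name,host" for every CSV row whose URL host (scheme, port and
# path stripped, leading "www." removed) is exactly one of the listed domains.
affected_rows() {
  list=$1 csv=$2
  tail -n +2 "$csv" | while IFS=, read -r name url user pass; do
    host=$(printf '%s' "$url" | sed -E 's#^[a-z]+://##; s#[/:].*$##; s#^www\.##')
    # -F: fixed string, -x: whole line, so "notdating.example" is not a hit.
    if grep -Fxq -- "$host" "$list"; then
      printf '%s,%s\n' "$name" "$host"
    fi
  done
}

affected_rows "$WORK/sorted_unique_cf.txt" "$WORK/your_passwords.csv"
```

Only the Chat and Notes rows are reported; the bank entry and the look-alike domain are left out.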
Let me conclude by saying that unless you were the victim of a targeted attack it's improbable that this bug is going to affect you at all. However, that small probability is still there. Your private information may be cached somewhere or stored on a hacker's server, waiting to be organized and leaked with a flashy slogan.
I'm really sorry about the overly dramatic post, but this time it's for real.
In Spain we have an old proverb, La avaricia rompe el saco. Literally "greed bursts the sack"; it means that if you fill a purse with too many coins it will break and you will end up with none.
This week, the Spanish Congress passed a law with two main goals:
- Ban torrenting sites, i.e. link-only sites (not content hosts), which is a totally different topic.
- Make social aggregators pay media publishers for the use of news excerpts.
More details can be found in this Gizmodo article.
If this weren't so serious I'd say that news lobbies pressing against the right to quote, you know, the one their business is based on, is ironic.
But this is so outrageously hypocritical that it's not ironic, it's immoral and vomitive. Disgusting. Greedy to the extreme. This is a capital crime against ethics.
So why did they just do that?
Last year, Google was forced to pay French publishers for the use of their content. The Spanish publisher lobby AEDE (lack of link intended) saw a huge opportunity here: let's do the same and get free money from Google.
Google is so big that it's an easy target. Demagogy is so simple: Google is a tech giant that does fiscal engineering to avoid paying taxes and profits from our content. Yes, that's true. But Google does exactly what these publishers do: curate what others say and provide citations to strengthen and validate their work.
But then, Google's natural reaction would have been, "You don't want my traffic? Wish granted! Next time, be careful what you wish for." However, AEDE had anticipated this, so under the new law content providers can't opt out by not linking to AEDE's affiliated media. F*ck off genie, we wished for infinite wishes!
It's so effortless to lobby in a corrupt and manipulated environment where politicians don't even know what a link is.
But wait, there's more.
- It has not been proved that content aggregation limits publishers' earnings. Of course not; it's the opposite, it actually drives them more traffic—300M yearly visits, according to an admin of one of those sites.
- There is no basis for establishing an inalienable compensation for media publishers and, even if there were, this new legislation is not the best way to go.
- The new law reduces legal security for Spanish internet companies.
- Media aggregation is necessary and positive from a "freedom of speech" standpoint. Unavailability of aggregators can drive small publishers to extinction and leave users without an important tool to diversify their media consumption.
Please read and think about the last point again, because it is very, very important.
Let's summarize what is happening here:
The big media publishers of AEDE, most of them pro-government, in collusion with corrupt Spanish politicians, have pulled off what they think is a masterstroke that will:
- Get them free money
- Destroy the discoverability of smaller media competitors, usually critical of the government
- Hinder the future of Spanish internet tech business, their main competitor
- Get more exposure, since readers won't have access to media aggregation and will resort to reading just one or two outlets
In reality, what is likely to happen is:
- Google will close Google News Spain, no big problem
- Spanish media aggregators will move their business abroad and won't contribute taxes to the country
- Tech entrepreneurs will realize that Spain is a shitty country to invest money in
- Without Google or the aggregators, and thanks to the growing user boycott of AEDE media, those publishers will lose traffic and money.
This is so, so sad.
It is clear that traditional media companies are suffering because of the internet revolution and need to fight back in some way. However, they are cutting off their nose to spite their face. And, along the way, they are denying others a right, not a banal one, but the right to quote, which the news business is built on.
I honestly think that traditional media is absolutely necessary even today. They are the ones who report, research, discover, analyze and interpret what's happening in the world. Especially in Spain, where we don't have those modern US internet-only media companies that don't just feast on press releases but do real journalism.
This is not a cry against traditional media. People, most of all, need them. But people also need aggregators to contrast different views on news. Aggregators need media because it's impossible to talk about news without a headline and an excerpt to reveal what's going on. And media, most of all, needs aggregators and people to survive in today's world.
Now the law has been passed. Though it still needs to be ratified by the Senate, that is a pantomime, because the majorities are the same as in Congress and Congress has the last word anyway, even if the Senate votes against it (take that, Montesquieu!). What will media publishers do when they start losing money and realize the harm they have done to themselves, the Government, Spanish media consumers and the Spanish tech industry?
Next time you think somebody is stupid, remember that the Spanish press just went to war with Google, Facebook and Twitter because they want them to stop linking to their content.
Crazy world we live in, huh?
Facebook bought Whatsapp for $19B. There has been a lot of discussion on the net, since the numbers are crazy. Even by today's standards, where startups are measured in Instagrams or Yahoo!s much like length is measured in football fields, that is a large sum.
To summarize my thoughts on the money: maybe we should start thinking about a new Web 2.0 bubble? Whether $12B in Facebook shares is actually twelve billion dollars in cash is left as an exercise for the reader. Smarter people than me defend the acquisition, and I will definitely not argue against that.
So why did Facebook buy Whatsapp? TL;DR: because of what people use it for.
I don't think this is an acqui-hire, as Whatsapp needs every employee and it wouldn't be a smart move to shut it down while it's #1 against such huge competition. However, Facebook can probably learn a lot from Whatsapp's engineers. Their amazing staff can scale at a ratio of 450M users per 32 engineers. That's 14M users per engineer. But again, this isn't about the people, the risk of Whatsapp being bought by Google, or just their user base.
It is most likely the fact that Whatsapp has more than 300M daily active users, and Facebook could greatly benefit from having all these people's data. Remember what Facebook, and all the other big companies on the net, are. They are advertisers. And all these people using Whatsapp are communicating outside Facebook's network.
Google wants to collect all the world's data, but Facebook wants to know everything about people. Now it will reach an additional 450M people it wasn't previously controlling.
What's so special about Whatsapp users? From my experience, Whatsapp is a great mix of Instagram, Twitter, chat and Facebook. It is totally spontaneous, friendly, private, and chaotic. Non-geeks love the ability to send pics, text and audio and let messages scroll to the top. It is so comfortable to use.
But what's more interesting, users communicate intentions, meetings, events. Outside the US, nobody creates Facebook events any more; we create Whatsapp groups. Groups for parties, dinner, quick stuff that's happening and needs immediate action. We use Facebook to discuss what happened —maybe with a cool beach pic— but Whatsapp is all about the immediate future. Plans are made on Whatsapp.
And here goes my conclusion. What could be sweeter for Facebook's advertisers than knowing in advance what people are up to? It's the perfect user data. Remember, next time you create a Whatsapp group for that birthday party, restaurant ads will pop up in your Facebook feed. And I'm not saying that it's necessarily a bad thing.