Cloudflare will not let you have individual users without the (unspecified) “Enterprise” pricing plan. Even on the Business plan, we get to copy/paste one password around the team. Great for security.
Every other service (especially that critical!) we use gives it away with the actual service. I really dislike this about Cloudflare.
Have you thought of using a group password manager like 1Password, Dashlane, etc so you're not copy and pasting a password around the team? Just a suggestion :)
Good advice for password management but that doesn’t change the fact any internal malicious actor can take the password and be very difficult to identify
Isn't it bad to have passwords in plain text though? Sure, it's a small issue, but it definitely exacerbates the problem. I don't understand why this is earning me downvotes....
I love 1Password, but it doesn't solve the auditing issues inherent in a single shared account. It doesn't stop an angry employee from changing the email and password to lock everyone else out.
It's upsetting that Cloudflare, with their otherwise good approach to security, apparently puts multi-user accounts behind a $5k/month paywall.
We do use Dashlane and GPG for sharing secrets. In this article’s case I would bet that nobody changed the account’s password because (i) it’s no one’s responsibility (ii) they do not want to disrupt someone else’s workflow.
We have a two-man rule for such accounts: one person (or one group) is responsible for the password, and the other has the 2FA secret on their Yubikey. The other rule is to not use these accounts; as an example use use root AWS accounts once or twice a year when we need to fill in their forms.
I didn't think that was possible at least with Google accounts. But now that I think about it, if you set up both devices from the same QR code (instead of running through the process twice) it should work. Good idea.
As much as I hated it at first, we don't choose any provider that doesn't support single sign on and multiple users.
You can choose a password policy that is different (stricter) than the downstream services.
One more good thing about it is that you have all of your services in one place and you know when you need to change password on one of them or all of them. You can do it with a nice dashboard.
This made managing access a much nicer experience for us and I can imagine will minimize things like that from happening.
Okta's Firefox addon is incompatible with multi-process mode and that kills responsive design mode in Firefox's developer tools. This is remarkable for a change that's been a long time coming. Their site also erroneously says that the apps "require" the addon, but if you click the apps without the addon, it just takes an extra click to confirm the logon. I haven't been very impressed.
I used okta at my last job and IIRC there was a breach with HipChat that necessitated us resetting our okta passwords as well. It turned out that using okta for HipChat meant that okta just set your HipChat password to whatever your okta password was. It did not leave me feeling very secure.
I'd say the internet was better off for a bit, but it looks like the hack just temporarily made Coinhive's malware make money for a separate set of bad actors for a while.
edit: For the downvoters, if you've noticed your CPU fans running while visiting a variety of sites lately, chances are Coinhive's the reason. Non-consensual altcoin mining as a service!
I hate the idea of that just as much as you do, but you can always add the coinhive domain to your blocklist and be fine (just as you do with ad providers). Also, I'd be willing to bet bad Ads are still way more of a cause of CPU spikes/usage than coinhive.
Can you imagine the damage done to a CDN if the attacker would supply extremely long Expire/Caching/key-pinning headers? All clients visiting the malicious server would be cache poisoned for a loooong time.
Cache can be cleared and they are usually rechecked from time to time.
What's really fun is the HSTS strict transport policy header + certificate key pinning. That cannot be cleared. None of the users who open it will ever be able to open the site again.
A great example of folks either re-using passwords, or simply not being aware that their credentials have been included in a previous leak/breach.
For an idea of a timeline, and a useful reminder to check your own personal accounts (and those dreaded shared accounts internally):
- Feb 15 2014 - Kickstarter breach occurred
- Oct 08 2017 - HaveIBeenPwned import the dump, suggesting it is publicly available, or at least being shared around.
- Oct 24 2017 - Coinhive suffer their DNS breach.
Services such as Troy's HaveIBeenPwned are an excellent resource, and I can whole heartedly recommend signing up for the 'Notify Me' function: https://haveibeenpwned.com
I recently released something similar for corporate environments, allowing businesses to produce pseudo-users to insert into their user base. These 'canaries' are unique to them & come with real email addresses and phone numbers, so should they ever be contacted you can be pretty sure you've suffered a breach of some kind. We of course also check the usual suspects (Pastebin, Tor) for any similar evidence of a breach. Can see some more details here: https://breachinsider.com
Anyone that hosts javascript for 3rd parties is a target for this type of breach. That Coinhive miner script could easily be embedded into any other javascript file.
Why did everyone stop hosting js files locally? Why not pull content from the same server that is sending html, the speed improvement by using a cdn should be low with the size of libruaries these days.
Well, Coinhive has nothing to do with how certain people implement their lib, they just provide it. It's really up to the site owner to ask for permission to run it instead of forcing it (like ads).
This breaks the HN guideline which asks you not go on about downvoting in comments, and also (implicitly) the one that asks you not to post insinuations about astroturfing or shillage.
What look like voting 'patterns' on HN are pure Rohrshach: you extract what you project in. That's why comments about them are information-free, which is why the site guidelines ask everyone not to go there. It just puts noise in the signal/noise.
> This third party server hosted a modified version of the JavaScript file with a hardcoded site key.
A site key for a user on coinhive or pointed at a different website all together? If it's just a site key it should be dead-simple to close that account:
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
var miner = new CoinHive.User('<site-key>', 'john-doe');
miner.start();
</script>
51 comments
[ 2.2 ms ] story [ 67.7 ms ] threadEvery other service (especially that critical!) we use gives it away with the actual service. I really dislike this about Cloudflare.
I love 1Password, but it doesn't solve the auditing issues inherent in a single shared account. It doesn't stop an angry employee from changing the email and password to lock everyone else out.
It's upsetting that Cloudflare, with their otherwise good approach to security, apparently puts multi-user accounts behind a $5k/month paywall.
Ever shared a USB key or a company phone. There isn't much to describe.
As much as I hated it at first, we don't choose any provider that doesn't support single sign on and multiple users.
You can choose a password policy that is different (stricter) than the downstream services.
One more good thing about it is that you have all of your services in one place and you know when you need to change password on one of them or all of them. You can do it with a nice dashboard.
This made managing access a much nicer experience for us and I can imagine will minimize things like that from happening.
For us, we have a review process internally for every 3rd party we use. We figure out the auth process and how secure is it etc...
edit: For the downvoters, if you've noticed your CPU fans running while visiting a variety of sites lately, chances are Coinhive's the reason. Non-consensual altcoin mining as a service!
What's really fun is the HSTS strict transport policy header + certificate key pinning. That cannot be cleared. None of the users who open it will ever be able to open the site again.
For an idea of a timeline, and a useful reminder to check your own personal accounts (and those dreaded shared accounts internally):
Services such as Troy's HaveIBeenPwned are an excellent resource, and I can whole heartedly recommend signing up for the 'Notify Me' function: https://haveibeenpwned.comI recently released something similar for corporate environments, allowing businesses to produce pseudo-users to insert into their user base. These 'canaries' are unique to them & come with real email addresses and phone numbers, so should they ever be contacted you can be pretty sure you've suffered a breach of some kind. We of course also check the usual suspects (Pastebin, Tor) for any similar evidence of a breach. Can see some more details here: https://breachinsider.com
Thieves stealing from thieves, IMHO.
Edit: from the downvotes to any comment that's critical of Coinhive I see the Coinhivemind is not fond of simple ethical quandaries.
[1] https://coinhive.com/blog/authedmine
This breaks the HN guideline which asks you not go on about downvoting in comments, and also (implicitly) the one that asks you not to post insinuations about astroturfing or shillage.
https://news.ycombinator.com/newsguidelines.html
What look like voting 'patterns' on HN are pure Rohrshach: you extract what you project in. That's why comments about them are information-free, which is why the site guidelines ask everyone not to go there. It just puts noise in the signal/noise.
I can't read what it's about but it looks like it's already blocked.
Anyone would mind to give a summary?
A site key for a user on coinhive or pointed at a different website all together? If it's just a site key it should be dead-simple to close that account: