colonel_mortis

Moderator
  • Content count
    2,909
Reputation

  • Agree 319
  • Informative 280
  • Funny 42
  • Thumbs Up 408
  • Likes (Old) 3122

About colonel_mortis

System

  • CPU
    Intel core i5 3570k @ 4.4GHz
  • Motherboard
    ASUS sabertooth Z77
  • RAM
    4x4GB Corsair Vengance
  • GPU
    EVGA GTX 780 Superclocked with ACX cooler
  • Case
    Coolermaster HAF X
  • Storage
    250GB Samsung SSD (non-pro) + 1TB WD Black + 500GB WD blue
  • PSU
    Corsair HX750 semi-modular
  • Display(s)
    Some fairly cheap ASUS 1080p thing
  • Keyboard
    Microsoft Sidewinder X4
  • Mouse
    Sharkoon Fireglider
  • Sound
    Steelseries Siberia V2
  • Operating System
    Fedora

Profile Information

  • Gender
    Male
  • Location
    UK, Center of the Observable Universe
  • Interests
    Security
  • Biography
    ┌ I was born.

    ├ I found LinusTechTips.
    └ Now.
  • Occupation
    Developer, Moderator and Student

Contact Methods

  1. Only if you actively typed your password between the 22nd September 2016 and the 18th February 2017, though most of the data leakage occurred, according to Cloudflare, between the 13th and 18th Feb.
  2. Can you try again now? If it doesn't work, make sure your phone clock is synced, then if it's still not working, make a topic in bugs and issues so I will look into it further.
  3. Since Jan 2016, when we updated the forum software.
  4. Even if the IP is different, it's all going to the same edge node. The 1/3,300,000 figure is the average rate at which requests revealed information. You have to transmit passwords in plain text (the passwords are transferred over HTTPS (TLS), but that is decrypted by Cloudflare, so the server affected contained the plaintext versions). Passwords must be stored hashed, but hashing them on the client side before transmitting means that the hash of the password becomes the password itself, so if you intercept the hash, you can use that to log in even if you don't know the password itself.
  5. No. The remember me checkbox just adds a token in a cookie which authenticates you without your password.
  6. The edge issue should be fixed in the next update (I reported it a couple of months ago), but the IP issue can't be fixed, because it relies on information provided by your internet service provider to the IP location database that we use. It very specifically says "near" because, depending on the ISP, it can be very inaccurate sometimes (10km isn't bad really).
  7. TLDR: If you logged in to the forum or submitted any other sensitive information between the 22nd September 2016 and the 18th February 2017, there is a very small chance that your password may have been leaked. The bug was most severe between the 13th and 18th February 2017, but even so the chance of your data having been leaked is very low.

     This site uses Cloudflare as an intermediate between you and the server, to protect the site from DoS attacks and to improve performance. Yesterday, Cloudflare announced that a bug in their code had caused some of the server's unallocated memory to be disclosed. The full technical details of this buffer overrun vulnerability are described in their blog post.

     By design, Cloudflare intercepts the encrypted connection between you and this site, decrypting the traffic, processing it, then re-encrypting and forwarding it. This means that anything contained in any requests to the server, or responses from the server, would have been stored unencrypted in the server memory. This includes passwords. There is a very small chance that this bug has revealed that information. According to the Cloudflare team, there is no evidence that anyone has abused this information, but it is impossible to be sure that this is the case.

     To protect your account, I encourage you to change your password here and anywhere that you reuse the same password. However, the chance that it has been disclosed is very small. If you are concerned, you can also enable two factor authentication on your account.

     FAQ:

     How likely is it that my information has been disclosed?
     Cloudflare say that 0.00003% of requests (1 in 3,300,000) resulted in a buffer overrun that may have disclosed server memory, and some of those will have dumped information unrelated to an HTTP request. That means that it is unlikely that any passwords for this site have been disclosed, since there have been significantly fewer than 3,300,000 logins to this site in the affected period. This advisory is being posted out of an abundance of caution.

     What information is affected?
     Anything that has been submitted to or displayed on this site. The primary sensitive information is passwords, but if you have purchased something then your address may also have been sent in that time. Any credit/debit card details are handled exclusively by PayPal, and are not affected by this.

     I didn't sign in during that period, but I had "Remember Me" checked. Do I need to do anything?
     No. The remember me checkbox sets a cookie with a random value, not related to your password, and that cookie is used to authenticate you on subsequent visits.

     Do I need to change my Facebook/Twitter/Google/Steam/etc password, because I used "Sign in through <service>"?
     No. When you sign in through those services, your password is not sent to the forum, just a number that uniquely identifies your account which can be used for authentication.

     What other sites are affected by this vulnerability?
     Any site that uses Cloudflare is affected by this issue. There is an unverified, incomplete list of affected domains on Github.

     If you have any other questions, leave them in this topic or PM me, and I will attempt to answer them. If you want to discuss the vulnerability in general, rather than how it affects the forum, please do so in this Tech News topic.
  8. is that the real @colonel_mortis????!?!?!?!?!?

    1. colonel_mortis

       I can't just reveal the answer, that would be far too easy.

    2. Tech_Dreamer

       Is colonel Mortis a real life space alien morphing lizard who learned basic coding & is now working for the CIA disguised as a human moderator on the Linus Tech Tips forum, who eats his raw spaghetti on full moon nights on the roof top of the Empire State Building? I'm not sure, but if you had one opportunity, one shot, to seize everything you ever wanted, would you capture it, or let it slip? Because his palms aren't sweaty, knees leaks, arms are heavy, there's vomit in his sweater already..

    3. Tech_Dreamer

       You know this^^ won't sound as weird if you read it in Morgan Freeman's voice

  9. Unfortunately this is a legacy issue due to the conversion from vBulletin (in 2013). Once you get to 500 posts, it will allow you to set it manually. I can override it to the default "Member" for you if you like? From the FAQ:
  10. As you are well aware, this is not a bug, though your feedback has been noted and will be taken into account along with the other, more appropriately located and titled topics.
  11. I've added this to the internal bug tracker, so it should be improved in the next update.
  12. The safest way is to go into PayPal and cancel it there. You should also be able to cancel it in the "billing agreements" page under the my info dropdown on the nav when viewing the store I think.
  13. It looks like a weird combination of issues caused that bug. If it happens again, please let me know, because that topic was caught by the spam filter and should never have been exposed to regular members at all, so if it is then there is something wrong.
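The Cloudbleed advisory (item 7 above) and the reply in item 4 make two design points: a password must be verified against a salted hash computed on the server, because hashing on the client merely turns the transmitted hash into the credential itself, and a "Remember Me" cookie should carry a random token with no relation to the password. The following is an added illustration written for this page, not the forum's own code; the work factor, the token length, the `RememberMeStore` class and the constructed user and passwords are all assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional, Tuple

# Added example (not the forum's own code) illustrating two points from the
# Cloudbleed advisory above: passwords are verified against a salted hash
# computed on the server, and a "Remember Me" cookie carries a random token
# that is unrelated to the password. Names and parameters are assumptions.

PBKDF2_ROUNDS = 200_000  # assumed work factor for this toy


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Server-side salted hash of a password. Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def client_hash_scheme_accepts(stored: bytes, transmitted: bytes) -> bool:
    """The scheme item 4 warns against: the client sends H(password) and the
    server compares it directly. Whatever value crossed the wire is then itself
    sufficient to log in, so hashing on the client protects nothing in transit."""
    return hmac.compare_digest(stored, transmitted)


class RememberMeStore:
    """Random bearer tokens for 'Remember Me'. The server keeps only their
    hashes, and the token says nothing about the password, so it can be
    revoked independently of a password change."""

    def __init__(self) -> None:
        self._tokens: Dict[bytes, str] = {}

    @staticmethod
    def _key(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, username: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[self._key(token)] = username
        return token

    def lookup(self, token: str) -> Optional[str]:
        return self._tokens.get(self._key(token))

    def revoke_all(self, username: str) -> int:
        """Invalidate every remembered session for a user, e.g. after the
        password change the advisory recommends. Returns how many were dropped."""
        before = len(self._tokens)
        self._tokens = {k: v for k, v in self._tokens.items() if v != username}
        return before - len(self._tokens)


def demo() -> Dict[str, bool]:
    """Walk through both points with a constructed user; every value is True."""
    password = "correct horse battery staple"  # constructed, not a real credential
    salt, digest = hash_password(password)
    store = RememberMeStore()
    cookie = store.issue("alice")
    captured = hashlib.sha256(password.encode("utf-8")).digest()  # what a client-side scheme would send
    return {
        "right_password_ok": verify_password(password, salt, digest),
        "wrong_password_rejected": not verify_password("Tr0ub4dor&3", salt, digest),
        # With client-side hashing the transmitted digest is the credential:
        # presenting the same bytes again is accepted.
        "client_hash_replays": client_hash_scheme_accepts(captured, captured),
        "cookie_authenticates": store.lookup(cookie) == "alice",
        "cookie_independent_of_password": "correct horse" not in cookie,
        "revoked": store.revoke_all("alice") == 1 and store.lookup(cookie) is None,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Note that the example does not make the plaintext password safe in transit; as item 4 says, TLS is what protects it on the wire, and the Cloudbleed bug sat on the terminating side of that TLS connection. What the server-side hash buys is that a leak of the stored digests does not hand out passwords, and what the random remember-me token buys is that a leaked cookie can be revoked without touching the password at all.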