Comment by tootie
8 years ago
CloudFlare is neither the first nor the biggest CDN. I can't recall Akamai having a hole this big. They're either more secure or better at keeping things quiet.
8 years ago
CloudFlare is neither the first nor the biggest CDN. I can't recall Akamai having a hole this big. They're either more secure or better at keeping things quiet.
To be fair to CloudFlare, Google had a heap issue a few years back (maybe like 7 now) where internal flags and copies of argv (which Google use heavily for config) were clearly present in output from their HTTP frontends, including references to Borg before Borg was ever documented publicly.
Over in App Engine land, someone bypassed their JVM sandbox and managed to extract a copy of their JVM image, which included much of their revered base system statically linked into something like a 500mb binary.
Sorry, I'd have to go digging to find references to either of these incidents. At least in either case customer data wasn't leaking, but suffice to say it's a little bit of the pot calling the kettle black
And finally let's not forget the China incident, which rumour has it, resulted in a system compromise at Google right to the heart of their engineering organization. Of course they didn't get roasted like Yahoo recently did over their password leak
here's the JVM bypass: http://seclists.org/fulldisclosure/2014/Dec/26 / http://www.security-explorations.com/materials/se-2014-02-re... (see page 58 for some fun)
I'd like to see how much of a mess their argvs are
Launch Chrome on Linux and grep the ps output.
Off topic, but I find it really impressive that Google packed their system into a 500 millibit binary; wow!
Seriously, people, units and prefixes are case-sensitive.