Cloudflare’s Cloudbleed Surface Area

With the recent findings by Google’s Project Zero with regard to sites hosted at Cloudflare being vulnerable to an attack dubbed Cloudbleed, there has been a lot of talk about which sites might be in scope for this attack and which users of those sites should be concerned. This has widespread implications for passwords, secret questions/answers, credit cards, API keys, etc.

People have been helpfully attempting to find the total list of domains that are in scope since it wouldn’t behoove Cloudflare to out their customer list. For instance this GitHub page lists 4,288,852 Cloudflare sites that are potentially in scope.

Using OutsideIntel I was able to uncover that same number plus an additional 1,030,501 sites that are potentially in scope. In total that comes to 5,319,353 domains (about a 24% increase).

You can download the master list here (27M gzip compressed format). It contains both lists de-duped into one master list. If you are running a Linux derivative you can check the sites you are interested in by doing something like:

$ zgrep -E "(^|\.)tanium\.com$" cloudflare-list.txt.gz

I hope that’s helpful! Please change your passwords, secret questions and answers, API keys, etc. for any sites you deal with within this list, just to be safe.
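To check a whole inventory of hostnames in one pass rather than one regex at a time, the sketch below streams the compressed list once and reports every host that is listed itself or sits under a listed domain. It is an added example, not part of the original post; the function names, file names and sample domains are constructed, and it assumes the list holds one domain per line.

```shell
#!/bin/sh
# check_cloudbleed LIST_GZ HOSTS_FILE   (hypothetical helper, not from the post)
# Prints "host<TAB>list-entry" for each host that is on the list or is a
# subdomain of a listed domain. Only HOSTS_FILE is held in memory; the
# multi-million-line list is streamed once.
check_cloudbleed() {
    gzip -dc -- "$1" | awk '
        # Normalise: lower-case, drop CR line endings and a trailing root dot.
        function norm(x) { x = tolower(x); sub(/\r$/, "", x); sub(/\.$/, "", x); return x }
        FILENAME == ARGV[1] {            # first input: your own hosts
            h = norm($1)
            if (h == "" || h ~ /^#/) next
            # Index the host and each parent domain, stopping before the bare TLD.
            for (s = h; index(s, ".") > 0; s = substr(s, index(s, ".") + 1))
                want[s] = (s in want) ? (want[s] " " h) : h
            next
        }
        {                                # second input: the decompressed list
            d = norm($1)
            if (d in want) {
                n = split(want[d], hs, " ")
                for (i = 1; i <= n; i++) print hs[i] "\t" d
            }
        }
    ' "$2" -
}

# Constructed sample data (reserved example domains), written into DIR.
make_sample() {
    printf '%s\n' example.com example.org cdn.example.net | gzip -c > "$1/list.txt.gz"
    printf '%s\n' '# my accounts' login.example.com Example.ORG. \
        www.example.net intranet.test > "$1/hosts.txt"
}

tmp=$(mktemp -d) && make_sample "$tmp" &&
    check_cloudbleed "$tmp/list.txt.gz" "$tmp/hosts.txt"
rm -rf "$tmp"
```

Hosts under a multi-label public suffix (for example `co.uk`) are also indexed by that suffix, so a list entry equal to the suffix itself would show up as a match and should be reviewed by hand.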

Want to learn more about your IT assets, or those of your competitors, customers, vendors, partners, etc? Click here to get access to OutsideIntel.

More OutsideIntel Background

I started building OutsideIntel just a handful of years ago, but it was based on an idea I had 20 years ago. I have only recently begun to be able to realize my idea. As I left WhiteHat Security as their VP of labs, I decided I had better write about my experiences running this analysis platform. When people see it they call me “the mini NSA” – a dubious title. But still, OutsideIntel has come in handy during business in more ways than I can possibly say. But here are a few off the top of my head:

  • It helped me find Hillary Clinton’s mail servers, and associated infrastructure. Once her email became visible, it was trivial to find the associated servers, including admin backend, Outlook web access server, etc.
  • It helped me find Rick Perry’s backend campaign management infrastructure.
  • It’s helped me in meetings where I would have said the wrong thing, without knowing what other investments the CEO had privately made. I ended up making a great friend and huge ally due to avoiding that landmine.
  • It’s given me intelligence on my friends’ projects where they weren’t willing to provide me the information naturally, but I was able to figure it out based on the facts at hand. That’s helped me help them in ways that were only clear later – and again strengthened relationships.
  • It enabled me to figure out how Ashley Madison was compromised, even long after they fixed the issue, and what stopgaps they’ve made since then.
  • It’s helped me countless times see how well companies are doing to aid my friends in their job hunts as they ask the important questions – should they go work for the company in question or not?
  • It’s helped me do competitive analysis and help companies identify their competition’s goals before public announcements were made.
  • It’s helped me do analysis on what companies own as they attempt to shore up their own infrastructure. Working as a consultant with them, it’s made my life significantly easier.
  • And on and on…

My goal with this project is to increase OutsideIntel’s abilities over time (which requires development work, more computing resources, and significantly more storage). Eventually I aim to sell OutsideIntel to a company (hedge fund, investment group, corporation who does M&A, etc…) who sees the same thing I do. Corporate intelligence is, simply stated, one of the most valuable things to have. Knowing what people are building, where they’re building, who they’re building for, how many customers they have, how much traffic they get, etc. turns out to be some of the most valuable information available. But only if you know what you’re looking at. It’s not just the terabytes of data, it’s how the data is presented, and knowing what to look for that makes it valuable.

Atlassian Aims to IPO after OutsideIntel predicts huge growth

Exactly one week after I talked about how Atlassian is poised to make a big IPO based on their huge upswing in growth, Atlassian management announces that they are hiring a new CFO to take them public. Amazing timing and best of luck to the Atlassian team.

This wonderfully demonstrates the power of OutsideIntel’s platform. Being able to identify companies with real growth from a huge array of companies is tricky. Not to mention the signal-to-noise ratio that marketing groups add to the mix. Those things make finding the real meat of a business’ worth increasingly critical and increasingly difficult. Thankfully I found a way to do it, and it appears to be working in practice.

OutsideIntel Setting Expectations

My main concern with OutsideIntel has always been about setting expectations about what we can and cannot see and what sorts of information we think are likely to be found amongst the huge volumes of data I must search through. It’s important to set expectations.  OutsideIntel can’t guarantee that there won’t be external factors that are outside of our control or ability to analyze – indeed, that happens all the time. Like when GoPro’s shares tanked more than 10% in a day because their mounts were allegedly related to an F1 driver’s brain injury caused while skiing. OutsideIntel can’t predict risk factors that we can’t see. However, what we have found is that barring external factors the data is very reliable, useful and unique. So using this data in context with other signals is useful when doing buying/selling, for M&A and for competitive analysis. When making a decision, the more useful data you have the better – and that’s what OutsideIntel’s technology provides.

Examples Of Signals We Often Can See/Do Take Into Account (currently)

  • Corporate growth/recession
  • New product/feature launches
  • New/Existing Vendors
  • New/Existing Partners
  • Customer lists
  • Geographic expansion
  • Etc.

Examples Of Signals We Often Can’t See/Don’t Take Into Account (currently)

  • Consumer sentiment
  • Lawsuits, including Copyright/Patents infringement
  • Weather/Force majeure
  • Confidential IPOs
  • Human Resource issues
  • Brick and mortar attributes/sales/P&L
  • Etc.

Almost twenty years since I first came up with this market stock intelligence idea, I can now deliver valuable output that gives our investors a unique vision into companies that is otherwise totally invisible, except to the most sophisticated analysis. Rather than having to be an analyst yourself, I’ve made stock tips easy to digest, easy to prioritize and most importantly, actionable. You don’t need a doctorate in computer science to understand OutsideIntel results.

And now for a brief but important note from my lawyer to further set expectations:

The financial research information provided by OutsideIntel is for informational purposes only. It should not be considered legal or financial advice. You should consult with an attorney, financial adviser or other professional to determine what may be best for your individual needs. OutsideIntel does not hold itself out to the public as an investment adviser and does not otherwise act in the capacity of an investment adviser. OutsideIntel is strictly a research publishing firm and falls within the publisher’s exemption of the definition of an “investment adviser” and the information it provides is of a general and regular circulation.

OutsideIntel does not make any guarantee or other promise as to any results that may be obtained from using our content. No one should make any investment decision without first consulting his or her own financial adviser and conducting his or her own research and due diligence. To the maximum extent permitted by law, OutsideIntel disclaims any and all liability in the event any information, commentary, analysis, opinions, advice and/or recommendations prove to be inaccurate, incomplete or unreliable, or result in any investment or other losses.

You can view the Privacy Policy and TERMS OF USE as well.

Brief History of OutsideIntel – corporate stock intelligence platform

Years ago, prior to Y2K, I had a meeting with an acquaintance who was a small-time broker in Northern California. He had built a “system” designed to watch fluctuations in stock price. His theory was that if you bet on a small upwards curve followed by a small dip it would naturally go up – like a sine wave of increasing amplitude. Even at the time, I knew his system was nothing more than guesswork, and when Y2K hit a few years later, it hit that broker and his clients extremely hard. Lesson learned.

Even though my broker acquaintance was betting on pure speculation, I sensed that the major reason he was wrong wasn’t that there aren’t discernible patterns, but that he wasn’t actually looking at the data or patterns that mattered. Looking at a graph is good for many things, but using them without context is prone to failure. What if I could provide a lot more context? Or even better, what if I could forgo the boring analysis part on behalf of clients and only deliver context?

For almost two decades, I pondered how I could build something like this, using a unique skill set that I had amassed from a career in computer security, and Internet-scale data. It wasn’t until 2013 that the technology to perform advanced internet analysis became readily available, drive speeds had increased to the point that they were useful for real-time analysis and costs of drive density fell far enough to make this dream a reality. So drawing on decades of Internet, security and business experience, I finally began developing the corporate intelligence tool I had been dreaming about for my entire adult life.

Early on, as I was developing a prototype, I wondered what this company would be – is this company a hedge fund, is it a research tool where clients perform their own research, or is it something else? In a bit of a Field of Dreams moment, I had to wonder if I was building something that anyone would even use. Sure, I knew it was useful, but maybe no one would understand my vision. When I talked to VCs, they said I was on to something and that I should sell my company to a hedge fund – but the multiples were low on a deal like that and the VCs wouldn’t invest (not that I needed the money anyway). The idea was good, just not something they’d invest in, which was great validation but hardly cause for a ticker-tape parade!

When I talked with hedge funds they all agreed that the data was incredible, and many said that I should start my own hedge fund; but having never done it before, that was a daunting concept. Alternatively, others said that the data was incredibly useful and that I shouldn’t give it to anyone, lest it become less valuable over time. I saw right away that they were telling me that they wanted the data for themselves. That gave me a total addressable market of one hedge fund – a non-starter. Don’t get me wrong, I would have sold for the right price, but I don’t think we were even in the same ball-park, to continue my Field of Dreams analogy.

Then I talked to several accredited individual investors who also agreed the data was amazing, but the analysis part was daunting for an individual investor who lacked the experience that I had. They recognized that it was useful, but even the more savvy technically competent investors who were shown my prototype analysis engine interface told me, “No one should ever see this interface, it’s just too complex.” Meanwhile, they spent the rest of the meeting looking through the data, doing the same analysis that I would do. So if the data is useful, and people want it, but they can’t understand it, where does that leave my budding prototype, I wondered.

I was left with the next logical choice – build a service that does the hard work for my clients. That is how OutsideIntel was first born. Finding insider quality information from the outside – legally. I was naturally concerned about the legality, but as I probed, I found more and more mounting evidence that what I was doing was simply great research.

At one point I even had an agent of a three letter agency look at my tool and he remarked that it was amazing, asked me to look up some companies for him that were “of interest” and asked me to please make sure that I never gave any of the raw “.gov” or “.mil” information out to any unscrupulous parties – he feared that the data was so good that it verged on national secrecy issues. But the good news is that it’s legal, and for corporate intelligence, hugely useful in lots of cases.

When I had had a chance to improve my prototype after shopping it around, even my Wife remarked how unbelievably scary the data was when I ran it against some companies and found their client list, how they were evolving, which areas they were growing in, and so on. It’s always a good pressure test to get the thumbs up from the Wife. And the best part is that I was just getting started.

However, one thing I worried about a great deal was explaining to people the types of sites that were most well suited to this type of intelligence.  I felt a great deal of anxiety about having customers ask me for information on companies that are primarily brick and mortar or stagnant.  Even if my technology is sound, the last thing I want to do is let people down and field angry feedback.  So I decided to change the whole concept to being a simple, but powerful blog to demonstrate stock and corporate intelligence using a platform of my own design.

This blog will be a place to highlight just what this intelligent system is capable of providing.  Eventually, I aim to sell the technology and data to an interested party, but for now, anyone who finds this information of value can get previews into the technology.  Down the road, should a financial investor, hedge fund or private investor purchase this technology, I cannot guarantee what this blog will become.  But for now, I hope you enjoy OutsideIntel – the corporate stock intelligence platform!


Robert Hansen – OutsideIntel corporate and stock intelligence platform author

-Robert Hansen