Apparently, the NSA may have at least known of this bug for a long time, and you can bet your boots they’ve exploited it against someone. Given their propensity for reading the communications of all and sundry, I somehow doubt that only the ‘bad guys’* were targeted.
In any case, if the NSA knew about it, and the bug itself was hidden in plain sight, you can take it for granted that someone else did. Which, if true, means that the NSA has worked to weaken all of our collective security, including the security of the country they’re meant to protect.
Meanwhile, LastPass have put up a useful tool to help with figuring out which passwords need to be changed and where. Because the important thing here is to change your password only after the affected service has both patched and updated their SSL certificates. Doing it before that means you’ll still be vulnerable.
Finally, some food for thought from Bill de hÓra …
* insert your preferred bad guys here
Just when you might have thought it safe to wander out, a reminder that those heartbeats in TLS work both ways, so a malicious server could compromise your client (browser, VPN, and so on) with interesting results. Check https://reverseheartbleed.com/
OpenSSL is not developed by a responsible team.
via Re: FYA: http: heartbleed.com.
This is pretty bad:
In short, Heartbeat allows one endpoint to go “I’m sending you some data, echo it back to me”. It supports up to 64 KiB. You send both a length figure and the data itself. Unfortunately, if you use the length figure to claim “I’m sending 64 KiB of data” (for example) and then only actually send, say, one byte, OpenSSL would send you back your one byte, plus 64 KiB minus one byte of other data from RAM.
So, what does that mean?
This allows the other endpoint to get random portions of memory from the process using OpenSSL. An attacker cannot choose which memory, but if they try enough times, their request’s data structure is likely to wind up next to something interesting.
And to add insult to injury,
None of this will be logged anywhere, unless you record, like, all your raw TLS connection data.
Which means you won’t know if you’ve been hit, so you need to assume you have.
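To make the length-check failure concrete, here is an added simulation (not code from the quoted article or from OpenSSL): a constructed memory arena holds a heartbeat request followed by a made-up secret, a handler that trusts the claimed payload length echoes that secret back, and a handler with the length check that shipped in the fix discards the request instead.

```c
#include <stdint.h>
#include <string.h>

/* Constructed "process memory": the received record is staged at the front and a
 * made-up secret sits right after it, standing in for whatever else is in RAM. */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];
enum { HB_REQUEST = 1, HB_PADDING = 16 }; /* RFC 6520: type | length(2) | payload | padding */

/* Stage a request whose claimed length may exceed the real payload; returns the real record length. */
static size_t stage_record(uint16_t claimed_len, const char *payload, const char *secret) {
    size_t actual = strlen(payload), record_len = 3 + actual + HB_PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual);
    memcpy(arena + record_len, secret, strlen(secret)); /* adjacent memory */
    return record_len;
}

/* Vulnerable handler: echoes payload_length bytes without ever looking at how many
 * bytes were actually received, so the copy runs past the record into neighbouring memory. */
static size_t heartbeat_vulnerable(unsigned char *out, size_t out_cap) {
    size_t payload = ((size_t)arena[1] << 8) | arena[2]; /* trusted as-is: the bug */
    if (payload > out_cap || 3 + payload > ARENA_SIZE) return 0; /* keep the demo in bounds */
    memcpy(out, arena + 3, payload);
    return payload;
}

/* Fixed handler (the shape of the OpenSSL 1.0.1g check): the claimed length must
 * fit inside the record that arrived, otherwise the request is silently dropped. */
static size_t heartbeat_fixed(size_t record_len, unsigned char *out, size_t out_cap) {
    size_t payload = ((size_t)arena[1] << 8) | arena[2];
    if (1 + 2 + payload + HB_PADDING > record_len || payload > out_cap) return 0;
    memcpy(out, arena + 3, payload);
    return payload;
}

/* 1 if the echoed bytes contain the secret that lay beyond the record. */
static int leaked(const unsigned char *out, size_t n, const char *secret) {
    for (size_t i = 0, s = strlen(secret); i + s <= n; i++)
        if (memcmp(out + i, secret, s) == 0) return 1;
    return 0;
}

/* Both handlers on one request: bit 0 = vulnerable one leaked the secret, bit 1 = fixed one replied. */
static int demo(uint16_t claimed_len) {
    static unsigned char out[ARENA_SIZE];
    const char *secret = "SECRET-KEY-MATERIAL"; /* constructed stand-in, not real key data */
    size_t rl = stage_record(claimed_len, "hi", secret);
    int r = leaked(out, heartbeat_vulnerable(out, sizeof out), secret) ? 1 : 0;
    return heartbeat_fixed(rl, out, sizeof out) > 0 ? r | 2 : r;
}
```

With a claimed length of 1000 against a two-byte payload, demo() returns 1 (the vulnerable handler echoed the secret, the fixed one stayed silent); with an honest claim of 2 it returns 2.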
For further detail, there’s a good summary here:
existential type crisis: Diagnosis of the OpenSSL Heartbleed Bug.
BBC Research Blows Out the 1% Rule.
In the UK at least. It’s now more like a 23/60/17 rule (passive/easy/intense participation), which the BBC dub the ‘Participation Choice’.
The research considers digital media interaction, from sharing links and photos to writing blogs. It turns out that the old 1% rule, which said that far more people will lurk in a virtual community than actively participate, is old news, and that now more than 10% are getting online to contribute and interact.