Heartbleed



MR2 Fan
April 9th, 2014, 03:44 PM
The new OpenSSL encryption bug that will destroy the internet or something

I've been reading about this and everyone saying "Change all of your passwords NOW!" which didn't make sense to me.

If the site's OpenSSL is still compromised, how would changing your password be any safer? Apparently I was correct: it's only useful to change your password AFTER the patch gets put in.

http://lifehacker.com/lastpass-now-tells-you-which-heartbleed-affected-passwo-1561522244

Sad, little man
April 9th, 2014, 04:01 PM
You know, here's my stance on all this stuff... Your only true protection from identity/password theft is the fact that there are millions or billions of other peoples' information out there as well. So quite frankly, even if your critical info is out there, it's floating in a massive sea of critical info. Odds are still pretty low that your info in particular is going to be used for some massive identity theft.

I generally have the same opinion about all the NSA data collection stuff. Oh, you've recorded my call logs? Big deal, there are a billion other call logs saved as well, and no one is ever going to (or has time to ever) look at each and every one.

This might be a naive stance to take, but sometimes ignorance can be very satisfying bliss. And if something does happen, I'll deal with it.

For the record, I just bought two things online last night, and I'm still alive.

MR2 Fan
April 9th, 2014, 04:09 PM
Yeah, I agree... it's also safe to have your credit cards maxed out constantly, that prevents them from using your cards, VICTORY!

overpowered
April 9th, 2014, 04:24 PM
Spent a few hours updating all of our servers to the new OpenSSL that fixes it. Sigh.

Sad, little man
April 9th, 2014, 04:26 PM
It's also a good idea to make extremely erratic purchases. Got to keep the credit card company on their toes, you know?

thesameguy
April 9th, 2014, 09:27 PM
This is one of the moments when I can wave my IIS servers at all those commie *nix ops and taunt mercilessly. The action I need to take = 0. Seriously, I'm going to cherish it for a long time.

overpowered
April 9th, 2014, 09:29 PM
Because of course, IIS has never had a major security flaw. :rolleyes:

thesameguy
April 9th, 2014, 09:48 PM
Also, I can't help but observe that Heartbleed respects something we've always known to be true: Compromising a server a few kb of memory at a time is a better approach than compromising it all at once.

thesameguy
April 9th, 2014, 09:51 PM
Because of course, IIS has never had a major security flaw. :rolleyes:

No, but it doesn't have this security flaw.

And when has having had major security flaws ever prevented *nix admins from teasing Windows admins? The whole glass houses thing doesn't really apply here, does it?

overpowered
April 9th, 2014, 11:18 PM
Also, I can't help but observe that Heartbleed respects something we've always known to be true: Compromising a server a few kb of memory at a time is a better approach than compromising it all at once.

Indeed.

It boggles my mind that there could be someone working on OpenSSL these days that could make this kind of mistake. It's been a known vulnerability in other things at least since the '80s. If you're working on something like OpenSSL you should be acutely aware of it. I remember the Morris worm taking down a large chunk of the internet in 1988 and that used a similar exploit (among others).

Rare White Ape
April 10th, 2014, 03:53 AM
I generally have the same opinion about all the NSA data collection stuff. Oh, you've recorded my call logs? Big deal, there are a billion other call logs saved as well, and no one is ever going to (or has time to ever) look at each and every one.

I'm just a little bit freaked out by an entity, whose primary role is to find information on its citizens and prosecute them, that has gained all of this information without a warrant.

You'd be pretty upset if you were erroneously targeted (it's happened) and punished based on this data.

As Sir William Blackstone said in 1765, it is better that ten guilty persons escape than that one innocent suffer.

SportWagon
April 10th, 2014, 12:09 PM
The media seems to be latching on to the most extreme things which could have happened, and publishing them as if they probably did.

I've spent lots of the last three days ensuring updates got done, and then renewing or replacing server SSL certificates using a new private key.

overpowered
April 10th, 2014, 03:08 PM
Yeah. The nature of this flaw makes it hard to actually use.

It's a buffer over-read flaw, which is closely related to a buffer overflow flaw.

The attacker gets back random contents of memory. Sometimes that may include sensitive information. Most of the time, it will just be web pages.
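To picture the over-read described above, here is an added illustration (not from this thread and not OpenSSL's code): a toy heartbeat-style handler that trusts a caller-supplied length field, next to one that checks that field against the bytes actually received. The record layout and the neighbouring "other data" in the arena are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>

/* Constructed arena: 2-byte big-endian length field, a 4-byte payload that
 * was actually received, then unrelated data that happens to sit next to it
 * in memory (a stand-in for whatever else the process holds). */
static const unsigned char arena[] =
    "\x00\x04" "ping" "other-session-data-XXXX";
#define RECORD_LEN 6          /* bytes actually received: 2 + 4 */

/* Vulnerable pattern: echo back as many bytes as the length field claims,
 * never comparing that claim with the size of the record that arrived.
 * The copy is a read past the payload, not a write, so nothing crashes;
 * the caller simply gets adjacent memory back. */
static size_t echo_trusting_length(const unsigned char *rec,
                                   unsigned char *out, size_t out_cap) {
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    if (claimed > out_cap) claimed = out_cap;   /* only the destination is guarded */
    memcpy(out, rec + 2, claimed);
    return claimed;
}

/* Hardened pattern: the length field is used only after it is checked
 * against the number of bytes actually present in the record. */
static int echo_checked(const unsigned char *rec, size_t rec_len,
                        unsigned char *out, size_t out_cap) {
    if (rec_len < 2) return -1;
    size_t claimed = ((size_t)rec[0] << 8) | rec[1];
    if (claimed > rec_len - 2 || claimed > out_cap) return -1;  /* reject */
    memcpy(out, rec + 2, claimed);
    return (int)claimed;
}

/* Both demos work on a copy of the arena whose length field is rewritten
 * to `claim`, while only 4 payload bytes were ever received. */
static size_t bytes_beyond_payload_when_trusting(unsigned claim) {
    unsigned char rec[sizeof arena], out[64];
    memcpy(rec, arena, sizeof arena);
    rec[0] = (unsigned char)(claim >> 8); rec[1] = (unsigned char)claim;
    size_t n = echo_trusting_length(rec, out, sizeof out);
    return n > 4 ? n - 4 : 0;          /* how far the echo ran past the real payload */
}

static int checked_result_for_claim(unsigned claim) {
    unsigned char rec[sizeof arena], out[64];
    memcpy(rec, arena, sizeof arena);
    rec[0] = (unsigned char)(claim >> 8); rec[1] = (unsigned char)claim;
    return echo_checked(rec, RECORD_LEN, out, sizeof out);
}

int main(void) {
    printf("trusting handler: %zu bytes of neighbouring memory echoed\n",
           bytes_beyond_payload_when_trusting(20));
    printf("checked handler: claim 4 -> %d, claim 20 -> %d\n",
           checked_result_for_claim(4), checked_result_for_claim(20));
    return 0;
}
```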

Jason
April 10th, 2014, 03:46 PM
Not too worried about social media sites... will update my password on a couple of the stores that got hit, and my email(s). But hey, if someone steals my Facebook, fuck it.

jimeezlady
April 11th, 2014, 01:06 PM
Facepalm or Foil Hat...I can't decide. (via Bloomberg)

NSA Said to Exploit Heartbleed Bug for Intelligence for Years (http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html)

MR2 Fan
April 11th, 2014, 01:17 PM
As soon as I heard about it, I assumed that was the case.

So if everyone is vulnerable to the bug, the NSA knew about it and used it to exploit security loopholes, so they can supposedly "protect" us. What is the NSA truly protecting us from?

thesameguy
April 11th, 2014, 01:47 PM
Ourselves.

Alan P
April 11th, 2014, 06:16 PM
The NSA have said they never exploited the security flaw. That's great, because, y'know, they always tell the truth and can be trusted. Right?

SportWagon
April 14th, 2014, 01:01 AM
http://security.stackexchange.com/questions/55343/how-to-explain-heartbleed-without-technical-terms

http://xkcd.com/1354/

(wish I could scale the following...)
http://imgs.xkcd.com/comics/heartbleed_explanation.png

(Or, how the heartbleed bug DDOS'd xkcd.com)

Prior to a little reading, I thought the overreach must have been on the system stack, where contents would be somewhat more predictable. But I guess not. Apparently took a minimum of O(100,000) tries to actually obtain a private key, once it was set as a challenge.

Some little reading...
http://www.pcworld.com/article/2143080/tests-confirm-heartbleed-bug-can-expose-servers-private-key.html

thesameguy
April 14th, 2014, 09:02 AM
Yeah, it's only potentially dangerous, not guaranteed. It would be a lot of trying or a lot of luck to get anything that was for-sure noteworthy.

Jacee
April 17th, 2014, 11:41 AM
445 aha!