Massive security bug in OpenSSL

http://techcrunch.com/2014/04/07/massive-security-bug-in-openssl-could-effect-a-huge-chunk-of-the-internet/

I saw a t-shirt one time. “I’m a bomb disposal technician,” it read. “If you see me running, try to keep up.”

The same sort of idea can be applied to net security: when all the net security people you know are freaking out, it’s probably an okay time to worry.

This afternoon, many of the net security people I know are freaking out.

Onslow - "Oh nice."

This is what it is about in easy to read terms. It affects all of us at the moment in one way or another.

Very worrying indeed.

http://heartbleed.com/

I have read that it's mostly patched now.

There are lots of places that haven't done anything yet.

It's become one of the leading news stories here now.

The 'security experts' being dug up and dumped in front of the cameras are saying to change all your passwords - which is pointless unless every piece of the puzzle between your PC and the info you are after gets their act together.

Yeah, wait until the sites have announced a patch (or whether or not one is needed for them) before changing your passwords.

heartbleed_explanation.png

...via XKCD

Yep, that's the gist of it. Also worth noting that this only works because it dumps the additional characters from memory, where they're stored in plaintext.

Nice find with the graphic Shane, that should explain it even to my wife :huh:

"NSA knew about the bug for 2 years"

http://market-ticker.org/akcs-www?post=228928

http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

Not surprising. The NSA are by all means Black Hats, they're just the Black Hats that keep the other Black Hats at bay.

MS did put out a security update for Windows 7 on April 12/13. Was this the patch for this security bug?

The problem is in OpenSSL, not Windows, so probably not.

Robin Seggelmann, a German software developer says he didn't create the SSL flaw deliberately.

“In one of the new features, unfortunately, I missed validating a variable containing a length,” he told the Herald. And his co-workers missed it, too.

For those who aren’t coders, the end result is this: anyone aware of the glitch could “eavesdrop” on the ways that computer servers and sites communicate with each other and swipe information without being detected.

http://blog.sfgate.com/techchron/2014/04/10/man-responsible-for-heartbleed-it-was-not-intended-at-all/
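The "missing validation of a length" in the quote above, and the earlier remark that the bug "dumps the additional characters from memory", come down to one absent bounds check in heartbeat handling. The following is an added illustration written for this thread, not OpenSSL's own code: a simplified model of the RFC 6520 heartbeat message (1-byte type, 2-byte big-endian payload length, payload, 16 bytes of padding), handled once without the check and once with it. The 4 KiB "connection memory" buffer and the secret placed after the request are constructed demo data; everything stays inside that one array so the over-read is safe to run.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified heartbeat message layout (RFC 6520). Added example, not OpenSSL code. */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HDR = 3, HB_PADDING = 16 };

static uint16_t read_u16(const unsigned char *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable handler: echoes payload_len bytes, trusting the peer's length field
 * and never comparing it with rec_len, the number of bytes actually received.
 * Returns bytes written to out, or 0 on error. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                              /* the bug: rec_len is never consulted */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = read_u16(rec + 1);
    size_t resp_len = HB_HDR + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    /* Copies up to 64 KiB starting at the payload: whatever sits in memory after
     * the real (much shorter) message is sent back to the peer. */
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);
    memset(out + HB_HDR + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* Fixed handler: identical, plus the length validation that was missing. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_PADDING) return 0;        /* too short to be a heartbeat */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = read_u16(rec + 1);
    if ((size_t)HB_HDR + payload_len + HB_PADDING > rec_len) return 0; /* the missing check */
    size_t resp_len = HB_HDR + (size_t)payload_len + HB_PADDING;
    if (resp_len > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload_len);
    memset(out + HB_HDR + payload_len, 0, HB_PADDING);
    return resp_len;
}

/* --- constructed demo data --- */
#define CONN_SIZE 4096
static const char SECRET[] = "session_cookie=constructed-demo-value";

/* Builds a 21-byte request carrying a 2-byte payload ("hi") but claiming
 * claimed_len bytes, with a secret placed 64 bytes later in the same buffer. */
static size_t build_request(unsigned char *conn, uint16_t claimed_len)
{
    memset(conn, 0, CONN_SIZE);
    conn[0] = HB_REQUEST;
    conn[1] = (unsigned char)(claimed_len >> 8);
    conn[2] = (unsigned char)(claimed_len & 0xff);
    conn[3] = 'h'; conn[4] = 'i';                       /* real payload: 2 bytes */
    memcpy(conn + 64, SECRET, sizeof SECRET);           /* adjacent in-memory secret */
    return HB_HDR + 2 + HB_PADDING;                     /* bytes actually received */
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler's reply to a request claiming 1024 bytes contains the secret. */
int vulnerable_leaks_secret(void)
{
    unsigned char conn[CONN_SIZE], resp[2048];
    size_t rec_len = build_request(conn, 1024);
    size_t n = heartbeat_vulnerable(conn, rec_len, resp, sizeof resp);
    return n != 0 && contains(resp, n, SECRET);
}

/* 1 if the fixed handler refuses the same oversized request. */
int fixed_rejects_oversized(void)
{
    unsigned char conn[CONN_SIZE], resp[2048];
    size_t rec_len = build_request(conn, 1024);
    return heartbeat_fixed(conn, rec_len, resp, sizeof resp) == 0;
}

/* 1 if the fixed handler still echoes an honest 2-byte heartbeat correctly. */
int fixed_accepts_valid(void)
{
    unsigned char conn[CONN_SIZE], resp[2048];
    size_t rec_len = build_request(conn, 2);
    size_t n = heartbeat_fixed(conn, rec_len, resp, sizeof resp);
    return n == rec_len && resp[0] == HB_RESPONSE && resp[3] == 'h' && resp[4] == 'i';
}

int main(void)
{
    printf("vulnerable leaks secret: %d\n", vulnerable_leaks_secret());
    printf("fixed rejects oversized: %d\n", fixed_rejects_oversized());
    printf("fixed accepts valid:     %d\n", fixed_accepts_valid());
    return 0;
}
```

The reply from the vulnerable handler is 1043 bytes long although only 21 arrived, and the constructed secret is in it; the fixed handler returns 0 for the same message and behaves normally for an honestly sized one. This is also why a client-side patch cannot help: the check belongs in the code that serves the heartbeat.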

The bug is (for the most part) server side; the consumer cannot patch it. Only websites (VPNs and access nodes included) are at risk. Many will send letters out informing you either to change your password or that they were not affected. However, the most security-minded paranoid should change every password they've created in the past 5-to-10 years.

There is no point in changing the password unless the site you are changing them for has applied the patch. However, quite a few such as LastPass and Dropbox already have.

Have heard of two phishing emails so far about this bug, pretending to be from sites most people would use.

Here is a really great explanation of things. Just a few words, I know, but everyone will be able to understand what the issue is all about after reading it. It also covers how to test whether sites you use still have the bug.

http://support.emsisoft.com/topic/14146-heartbleed-threat/?do=findComment&comment=107651

Looks to me that MS considered - at least - one security issue too important to not wait with a security update.

Microsoft wasn't affected by the Heartbleed bug.

http://blogs.technet.com/b/security/archive/2014/04/10/microsoft-devices-and-services-and-the-openssl-heartbleed-vulnerability.aspx