Schneier: "on a scale of 1 to 10, Heartbleed is 11"



Winehole23
04-09-2014, 12:20 PM
https://www.schneier.com/blog/archives/2014/04/heartbleed.html

boutons_deux
04-09-2014, 02:22 PM
yep, this is a really bad one.

sys admins everywhere panicking to patch, and crackers everywhere probing everything for vulnerability.

http://www.cnet.com/news/how-to-protect-yourself-from-the-heartbleed-bug/?tag=nl.e404&s_cid=e404&ttag=e404&ftag=CAD1acfa04

TeyshaBlue
04-09-2014, 03:50 PM
http://techcrunch.com/2014/04/09/heartbleed-the-first-consumer-grade-exploit/?ncid=rss

wow. There's a heartbleed.com site already.

Winehole23
04-12-2014, 11:21 AM
Kevin Drum blasts the NSA:


On Friday, Bloomberg's Michael Riley reported that the NSA was aware of the Heartbleed bug from nearly the day it was introduced:

(http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html)
The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said....Putting the Heartbleed bug in its arsenal, the NSA was able to obtain passwords and other basic data that are the building blocks of the sophisticated hacking operations at the core of its mission, but at a cost. Millions of ordinary users were left vulnerable to attack from other nations’ intelligence arms and criminal hackers.


Henry Farrell explains just how bad this is here. (http://www.washingtonpost.com/blogs/monkey-cage/wp/2014/04/11/the-nsa-may-have-exploited-heartbleed-thats-a-very-very-big-deal/) But later in the day, the NSA denied everything:

(http://www.washingtonpost.com/blogs/the-switch/wp/2014/04/11/the-nsa-denies-it-knew-of-the-heartbleed-bug/)


“NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report," NSA spokesperson Vanee Vines told The Post. "Reports that say otherwise are wrong.”


The White House and the Office of the Director of National Intelligence echoed that statement Friday, saying neither the NSA nor any other part of the U.S. government knew about Heartbleed before April 2014....The denials are unusually forceful for an agency that has historically deployed evasive language when referring to its intelligence programs.


You know, I'm honestly not sure which would be worse. That the NSA knew about this massive bug that threatened havoc for millions of Americans and did nothing about it for two years. Or that the NSA's vaunted—and lavishly funded—cybersecurity team was completely in the dark about a gaping and highly-exploitable hole in the operational security of the internet for two years. It's frankly hard to see any way the NSA comes out of this episode looking good.

POPownsJackson
04-12-2014, 04:18 PM
why country is make shit that fuck own people?

FuzzyLumpkins
04-12-2014, 05:18 PM
CIA, NSA, and HSA need to be dismantled.

ElNono
04-12-2014, 06:55 PM
I actually looked at the bug, and the code looks like an honest mistake. It's shitty code when you look at it from a security standpoint, but I would be hard pressed to be convinced it was a deliberate "attack"...

On the other hand, I'm pretty sure security agencies pay personnel to look and exploit such bugs.

Winehole23
04-13-2014, 03:00 PM
As Indiana University cybersecurity expert Fred Cate points out (http://info.law.indiana.edu/releases/iu/2014/04/cate-comments-nsa-heartbleed.shtml), however, the intelligence community's track record of misleading statements about its capabilities means even such a seemingly unambiguous denial has been greeted with some skepticism. And even if we take that denial at face value when it comes to Heartbleed, reports of NSA's 2010 "breakthrough" suggest they may be sitting on other, still-undisclosed vulnerabilities.


Here, however, is the really crucial point to recognize: NSA doesn't need to have known about Heartbleed all along to take advantage of it.


The agency's recently-disclosed minimization procedures (http://www.theguardian.com/world/interactive/2013/jun/20/exhibit-b-nsa-procedures-document) permit "retention of all communications that are enciphered." In other words, when NSA encounters encryption it can't crack, it's allowed to – and apparently does – vacuum up all that scrambled traffic and store it indefinitely, in hopes of finding a way to break into it months or years in the future. As security experts recently confirmed (http://www.engadget.com/2014/04/11/heartbleed-openssl-cloudflare-challenge/), Heartbleed can be used to steal a site's master encryption keys – keys that would suddenly enable anyone with a huge database of encrypted traffic to unlock it, at least for the vast majority of sites that don't generate new keys as a safeguard against retroactive exposure.


If NSA moved quickly enough – as dedicated spies are supposed to – the agency could have exploited the bug to steal those keys before most sites got around to fixing the bug, gaining access to a vast treasure trove of stored traffic.


That creates a huge dilemma for private sector security experts. Normally, when they discover a vulnerability of this magnitude, they want to give their colleagues a discreet heads-up before going public, ensuring that the techies at major sites have a few days to patch the hole before the whole world learns about it.


The geeks at NSA's massive Information Assurance Directorate – the part of the agency tasked with protecting secrets and improving security – very much want to be in that loop. But they're part of an organization that's also dedicated to stealing secrets and breaking security. And security companies have been burned by cooperation with NSA before: the influential firm RSA trusted the agency to help them improve one of their popular security tools, only to discover via another set of Snowden documents (http://www.reuters.com/article/2013/12/20/us-usa-security-rsa-idUSBRE9BJ1C220131220) that the spies had schemed to weaken the software instead.


Giving NSA advance warning of Heartbleed could help the agency protect all those government systems that were relying on OpenSSL to protect user data – but it also would aid them in exploiting the bug to compromise privacy and security on a massive scale in the window before the fix was widely deployed.

http://www.theguardian.com/commentisfree/2014/apr/12/the-nsas-heartbleed-problem-is-the-problem-with-the-nsa
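
The "honest mistake" ElNono refers to above, and the memory leak the Guardian piece says can expose a site's private key, come down to one missing bounds check in OpenSSL's TLS heartbeat handler. The following is an added example written for this thread, not code from OpenSSL or from any poster: it models the RFC 6520 heartbeat message (1-byte type, 2-byte big-endian payload length, payload, 16 bytes of padding) and puts the pre-fix and post-fix logic side by side. The flat `arena` array standing in for process memory, the `secret` string placed right after the received record, and the request with a claimed length of 1024 bytes but only 8 actually sent are all constructed for the demonstration; the over-read stays inside `arena` so the program itself has no undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire layout of a heartbeat message (RFC 6520):
 *   1 byte  type (1 = request, 2 = response)
 *   2 bytes payload_length, big endian
 *   payload_length bytes of payload
 *   at least 16 bytes of random padding                                  */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Constructed stand-in for the server's heap: the received TLS record sits
 * at offset 0 and data the peer must never see sits right after it.       */
static unsigned char arena[4096];
static const char secret[] = "SECRET: private key material / session cookies";

/* Build a request whose claimed payload_length exceeds the bytes actually
 * sent. Returns the record length the TLS layer really received.          */
static size_t build_request(unsigned char *rec, uint16_t claimed, size_t actual_payload) {
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(claimed >> 8);
    rec[2] = (unsigned char)(claimed & 0xff);
    memset(rec + 3, 'A', actual_payload);
    memset(rec + 3 + actual_payload, 0, HB_PADDING);
    return 3 + actual_payload + HB_PADDING;
}

/* Pre-fix logic: trusts the peer's payload_length and never compares it
 * with the record length, so memcpy reads whatever follows the record.    */
static size_t vulnerable_handler(const unsigned char *rec, size_t rec_len,
                                 unsigned char *out, size_t out_cap) {
    (void)rec_len;                              /* never consulted: the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload + HB_PADDING > out_cap) return 0;  /* our own buffer only */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);          /* over-reads past the real record */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Post-fix logic (as in OpenSSL 1.0.1g): reject the message if the claimed
 * length does not fit inside what was actually received.                  */
static size_t fixed_handler(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return 0;                 /* silently discard */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return 0; /* the missing check */
    if ((size_t)3 + payload + HB_PADDING > out_cap) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + payload + HB_PADDING;
}

/* Does the response carry the needle anywhere in its bytes?               */
static int contains(const unsigned char *buf, size_t len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; n > 0 && i + n <= len; i++)
        if (memcmp(buf + i, needle, n) == 0) return 1;
    return 0;
}

/* Place the record in the arena with the secret immediately after it.     */
static size_t stage(uint16_t claimed, size_t actual_payload) {
    memset(arena, 0, sizeof arena);
    size_t rec_len = build_request(arena, claimed, actual_payload);
    memcpy(arena + rec_len, secret, sizeof secret);
    return rec_len;
}

/* 1 if the unpatched handler echoes the secret back to the attacker.      */
int demo_vulnerable_leaks(void) {
    unsigned char out[2048];
    size_t rec_len = stage(1024, 8);
    size_t n = vulnerable_handler(arena, rec_len, out, sizeof out);
    return contains(out, n, secret);
}

/* 1 if the patched handler drops the malformed request.                   */
int demo_fixed_refuses(void) {
    unsigned char out[2048];
    size_t rec_len = stage(1024, 8);
    return fixed_handler(arena, rec_len, out, sizeof out) == 0;
}

/* Response length the patched handler produces for an honest 8-byte
 * payload: 3 header bytes + 8 + 16 padding = 27.                          */
size_t demo_fixed_accepts_honest(void) {
    unsigned char out[2048];
    size_t rec_len = stage(8, 8);
    return fixed_handler(arena, rec_len, out, sizeof out);
}

int main(void) {
    printf("vulnerable handler leaks secret: %d\n", demo_vulnerable_leaks());
    printf("fixed handler refuses oversized claim: %d\n", demo_fixed_refuses());
    printf("fixed handler honest response bytes: %zu\n", demo_fixed_accepts_honest());
    return 0;
}
```

Each request only returns up to 64 KB of whatever happens to sit after the record, which is why the attack is repeated many times and the leaked fragments are sifted for key material; and because a leaked RSA key unlocks every recorded session of a server that used plain RSA key exchange, the "sites that don't generate new keys" caveat in the article above is the forward-secrecy (ECDHE/DHE) cipher suite question.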

boutons_deux
04-13-2014, 03:10 PM
Where's Snowden on NSS and heartbleed?

We will get NOTHING BUT LIES from NSA.