Well, Schneier is pissed off about it. He speculates about the damned bug being placed on purpose,
At this point, the probability is close to one that every target has had its private keys extracted by multiple intelligence agencies. The real question is whether or not someone deliberately inserted this bug into OpenSSL, and has had two years of unfettered access to everything. My guess is accident, but I have no proof.
If he had said it was done on purpose by the NSA or whomever without any hard proof, it would have been the last time I would have read stuff written by him, reputation and credentials or not.
So, yeah: SHIT HAPPENS. Yeah: it was a major fuckup. And yeah: it happened at the worst time possible, when everyone is paranoid about security after Snowden spilled the beans on the NSA's antics.
It sucks, but so does life.
ETA, more from my favorite IT security Curmudgeon on Heartbleed. The skinny is:
- It's hard to compromise a server with Heartbleed, but of course it's possible.
- Some Security Geeks at Cloudflare figured that it would be pretty hard, almost impossible to do so, so they issued a challenge.
- 9 hours later, two people managed to win the challenge.
- The people who managed to compromise the server for the challenge sent a huge amount of requests to it. So, one could infer that anyone trying to compromise a server with Heartbleed will get flagged as a DDoS offender before they can get anything useful out of it.
So, no script kiddies are going to compromise all half a million vulnerable servers, but a determined attacker will. Not all that much of a relief though, 'cause people looking for credit card info to steal tend to be determined.
And by the looks of it everyone is busy patching servers.
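A defender's illustration of the "flagged as a DDoS offender" point above, added here and not part of the original post or of Cloudflare's challenge: a toy per-source rate detector run over constructed TLS heartbeat log lines. The log format, field layout, IP addresses and thresholds are all assumptions; only the heartbeat record content type (24) is a real TLS constant.

```python
from collections import defaultdict, deque

HEARTBEAT = 24  # TLS record content type for heartbeat messages (RFC 6520)

def parse_line(line):
    """Parse one constructed sensor line: '<epoch_seconds> <src_ip> <content_type>'."""
    ts, src, ctype = line.split()
    return int(ts), src, int(ctype)

def flag_heartbeat_floods(lines, window_s=60, threshold=100):
    """Return {src_ip: peak_count} for every source whose heartbeat request
    count inside any window_s-second sliding window reaches threshold.
    Lines must arrive in timestamp order, as a sensor would emit them."""
    windows = defaultdict(deque)  # per-source timestamps still inside the window
    flagged = {}
    for line in lines:
        ts, src, ctype = parse_line(line)
        if ctype != HEARTBEAT:
            continue  # handshake / application data is irrelevant here
        q = windows[src]
        q.append(ts)
        while q and ts - q[0] >= window_s:  # evict events that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            flagged[src] = max(flagged.get(src, 0), len(q))
    return flagged

def constructed_log():
    """Constructed sample log (assumed format): two ordinary clients, one of
    which sends a rare legitimate heartbeat, plus one client that fires
    250 heartbeat requests in ten seconds, the pattern the post describes."""
    base = 1397000000
    lines = []
    for i in range(20):
        lines.append(f"{base + i} 203.0.113.5 23")                          # application data
        lines.append(f"{base + i} 203.0.113.9 {24 if i % 7 == 0 else 22}")  # occasional heartbeat
    for i in range(250):
        lines.append(f"{base + 5 + i // 25} 198.51.100.7 24")               # 25 heartbeats/second
    lines.sort(key=lambda l: int(l.split()[0]))  # sensors emit in time order
    return lines

if __name__ == "__main__":
    print(flag_heartbeat_floods(constructed_log()))
```

The three heartbeats from the well-behaved client never approach the threshold, while the flooding source is flagged with a peak of 250 requests in the window; tightening the window to one second shows why the threshold has to be tuned to the traffic you actually see.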