Last night's blog post: Heartbleed is serious.
E-filing of Canadian taxes shut down because of Heartbleed bug.
Bruce Schneier re Heartbleed: "On the scale of 1 to 10, this is an 11."
Tumblr: Urgent security update.
Wonder why heartbleed isn't trending on Twitter?
Scripting News: Question for Mac devs re Heartbleed.
Heroku responded to Heartbleed.
Exemplary report from Twilio. This is the kind of disclosure we need from every company with an Internet presence.
Software is built in layers. First programmers get something simple working, test it, then build on top of it. More testing, then more building. Build, test, build, test, over and over. This process has been going on for a long time.
OpenSSL is not the deepest technology we have, but it's close. It's built into a lot of things we use all the time. The most serious problems, the hardest ones to address, will be the places where it's built-in where updates are either hard or impossible. But first we have to locate and patch all the easy places. That process began just yesterday, we hope! We don't know much about what the companies that run our services are doing.
The worst case scenario, the one we all have to plan for, is that the management of affected companies isn't responding to the problem. This will certainly happen in some cases. If it happens at a bank, the results could be very bad.
That's why the best thing you can do is to let the companies know that a quick competent response is necessary. This is a time when we find out which vendors are prepared for the world we live in today, or whether they have to catch up, in real-time, while their systems are vulnerable.
Most news reports say you should change passwords on all your Internet accounts. This is not good advice, and it might even be bad advice. It certainly doesn't help if a service is vulnerable. It's like changing the lock on a door that's open. Only it's worse -- because the key to the new lock is inside the door, unprotected, available for a hacker to take. There is no physical world analogy that explains how serious this problem is.
What you can do to help is to ask the companies whose services you use what their status is re Heartbleed. Have they discovered vulnerabilities, and if so have they been patched? Do they have any recommendations for users? Are they taking this seriously?
For example, I asked the CTO of AWS, a service I use, "where would we look for news of Amazon's status re Heartbleed?" As a customer, you are totally entitled to know this.
I'd especially recommend checking with your online bank, and the company that makes your desktop or mobile operating system. Have we heard anything from Apple or Microsoft about their systems, for example?
Every company should have a web page like this one from Twilio, explaining in clear terms what they discovered when they did an audit of their systems, and of the systems they rely on (because vulnerabilities can be inherited from others), and what they've done or are doing to fix any problems. This is a time for companies to be communicative with their customers and users. You are totally within your rights, and are acting responsibly, if you ask respectfully what their plan is for responding to Heartbleed.
Duh. Log on and see if there are updates available, and if so, install them.
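As an added example (not from the original post), here is a small POSIX shell check for that update step: it classifies the string printed by `openssl version` against the range Heartbleed affects, and points out the caveat that makes the version string alone inconclusive. The affected range (1.0.1 through 1.0.1f and 1.0.2-beta1, fixed in 1.0.1g on 7 April 2014) is taken from the OpenSSL project's advisory, not from this post; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Heartbleed affects OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 (per the
# OpenSSL advisory); 1.0.1g and later are fixed, and 0.9.8 / 1.0.0 never
# carried the heartbeat extension at all.
# Returns 0 when the version string is inside the affected range, 1 otherwise.
heartbleed_version_affected() {
    case "$1" in
        1.0.1|1.0.1-*)                return 0 ;;   # plain 1.0.1, or "1.0.1-fips"
        1.0.1[a-f]|1.0.1[a-f]-*)      return 0 ;;   # 1.0.1a .. 1.0.1f, with or without a suffix
        1.0.2-beta1)                  return 0 ;;
        *)                            return 1 ;;
    esac
}

# Inspect the locally installed binary.
# Caveat: many distributions backport security fixes without changing the
# version string (a patched package can still report "1.0.1e"), so a hit here
# means "investigate", not "confirmed vulnerable": compare the "built on:"
# date from `openssl version -a` with the fix date (7 Apr 2014) and read the
# package changelog before deciding.
# Returns 0 = version in affected range, 1 = outside it, 2 = openssl not found.
check_local_openssl() {
    ver=$(openssl version 2>/dev/null | awk '{print $2}') || return 2
    [ -n "$ver" ] || return 2
    if heartbleed_version_affected "$ver"; then
        printf 'OpenSSL %s: version in the Heartbleed-affected range; verify the package was patched\n' "$ver"
        openssl version -a 2>/dev/null | grep -i '^built on'
        return 0
    fi
    printf 'OpenSSL %s: not in the affected range\n' "$ver"
    return 1
}
```

Run `check_local_openssl` on each host you administer; a return of 0 on a distribution package is a prompt to confirm the backport, not a verdict.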