Nice article, Steve. I skimmed through it...my brain isn't functioning enough right now to actually read it word for word.

I had a sticky up on Android Forums about the Heartbleed bug, but took it down once I thought the threat was gone/minimized/unlikely to affect anyone any more. What's your take on that? I figure that by now any sites using OpenSSL have been patched.

Thanks.

I wouldn't make such an assumption. In the comments to my article, you'll see some discussion about a hospital that failed to patch their systems in a timely fashion and they got attacked. As I wrote:

Hmmmm...interesting. I'm not sure I want to re-sticky it at this point, but you've given me food for thought.

Great article, Steve!
What are the odds that the head of IT at Community Health Services is looking for a job?

Thanks!

Difficult to speculate about the chief information officer (the common title these days for "heads of IT"). However, if you consider the role of the chief security officer, three primary outcomes come to mind:

• Protect the organization's intellectual property
• Protect the organization's customers' personally identifiable and confidential information
• Keep the organization's executive officers from going to jail

Sometimes, security officers may lose sight of these overarching outcomes and instead get mired down in process and the minutae of technology. It's an easy thing to do, really. Distraction leads to inattention, which in turn leads to costly and potentially unrecoverable mistakes.

Oh, and hello world from Alaska Airlines flight 664, Seattle to Dallas! I'm on the way Oklahoma City, where I have some customer meetings tomorrow. Right now, I'm using the wi-fi on the plane. Ain't technology just fsckin' grand?

Thing is, openssl is used in lots of less obvious places too. I updated my server straight away, but it didn't occur to me to update my router until about a week later, which was quite embarrassing considering how much everyone was talking about it.

There's no WAN-facing SSH port on the router, so for someone to attack it they would have to be physically near (in wireless range), authenticate to get on the LAN, and then attack the SSH port... unless the authentication process itself uses openssl (does it? I don't know), in which case they wouldn't even need to authenticate first.

I bet there are loads of businesses with unpatched routers. If you were trying to hack a company this would be a great place to start...

Also, my router's root filesystem is on a USB flash drive that is mounted at boot. If something happened to the drive, the router would fall back to the internal flash, which contains a vulnerable version of openssl (I should update it, but it would be inconvenient so I haven't done it yet... I bet this happens in business too!).

It'll be around for ages...

Umm... OpenSSL <> OpenSSH. SSH doesn't use SSL/TLS at all.

But yeah, products with vulnerable OpenSSL software will be around for, well, ever. We're doomed, the sky is falling, etc. For real.

Really? Well I'll be damned.