|
Couldn't care a fig about my FB pwd; it's trivia and unimportant. So what if someone gets in; they can't buy anything on my CC.
As long as my banks, Amazon & PayPal are unaffected, and they are. Most banks do not depend on a typed pwd alone. They use a PIN reader and drop-down pwd chars to do at least new transactions.
1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 20 Meg WBC
|
|
Presumably you are one of the sensible people that doesn't use the same password on FB as on any other sites? For a lot of people the issue is they use the same password, so if one gets compromised they all do.
|
|
Many routers running open source based firmware will be affected. Some DD-WRT versions certainly are.
It also seems that many Cisco products have OpenSSL at their core;
http://tools.cisco.com/security/center/content/Cisco...
I am sure there are more manufacturers using OpenSSL. Well, the open source programmer has been identified but seems unwilling to take the blame for a fairly obvious schoolboy error:
"I was working on a research project at the University of Münster using the OpenSSL encryption library and releasing bug fixes and new features that were developed as part of my work on the OpenSSL project. The various changes were checked by a member of the OpenSSL development team and then incorporated into the official code. In connection with one extension, the TLS/DTLS Heartbeat extension, I failed to check that one particular variable, a unit of length, contained a realistic value. This is what caused the bug, called Heartbleed after the extension. Unfortunately, the OpenSSL developer who reviewed the code also did not notice that a mistake had been made when carrying out the check. As a result, the faulty code was incorporated into the development version, which was later officially released."
This shows the vulnerability of Open Source development, where some inexperienced schoolboy becomes responsible for the maintenance of an important piece of software with no apparent skill or experience, no formal testing other than "it works" and no formal reviews.
______________________________________________________________________________________False_Authority_Syndrome__________________
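The "unit of length" the post refers to is the heartbeat payload length field. The following is an added example (not OpenSSL's code and not from the original post): a simplified RFC 6520 heartbeat record handler whose bounds check rejects any request claiming more payload than the record actually carries, which is the check the original code lacked. The record layout is simplified and the function names are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified heartbeat record: type(1) | payload_length(2, big-endian) |
 * payload | padding (at least 16 bytes per RFC 6520). Constructed layout. */
#define HB_HEADER_LEN   3
#define HB_MIN_PADDING  16
#define HB_REQUEST      1
#define HB_RESPONSE     2

/* Build a heartbeat response into out. Returns bytes written, or -1 if the
 * record is rejected. The comparison of payload_len against rec_len is the
 * bounds check whose absence caused Heartbleed: without it, the memcpy below
 * would read past the received data into whatever memory follows it. */
int hb_build_response(const uint8_t *rec, size_t rec_len,
                      uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING || rec[0] != HB_REQUEST)
        return -1;                                  /* malformed record */
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* Claimed payload plus header and minimum padding must fit in the
     * record; otherwise silently discard, as RFC 6520 requires. */
    if (HB_HEADER_LEN + payload_len + HB_MIN_PADDING > rec_len)
        return -1;

    size_t resp_len = HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;                                  /* output buffer too small */
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload_len >> 8);
    out[2] = (uint8_t)(payload_len & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return (int)resp_len;
}

/* Constructed sample records: an honest 5-byte payload, and one that claims
 * 65535 bytes inside a 24-byte record. */
int hb_demo_valid(void)
{
    uint8_t rec[24] = {HB_REQUEST, 0, 5, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[64];
    return hb_build_response(rec, sizeof rec, out, sizeof out);    /* 24 */
}
int hb_demo_oversized(void)
{
    uint8_t rec[24] = {HB_REQUEST, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o'};
    uint8_t out[64];
    return hb_build_response(rec, sizeof rec, out, sizeof out);    /* -1 */
}
```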
|
|
|
Hmm
Major suppliers use it as part of their kit, most likely as a cost-saving exercise, without resorting to any testing procedures or 2-part logins.
Schoolboy errors have been made by many major software companies, including one I worked for.
The likes of Google, Facebook and Yahoo are the guilty ones. Worth billions but spend peanuts on security.
|
|
It's easy to blame everybody else for a coding error. The fact is, this code should never have gone live - look at the damage!
|
|
Of course, it's not enough just to upgrade OpenSSL; any applications compiled with it need to be recompiled.
That is not quite accurate. The applications do not need to be recompiled - they just need to be restarted as this will cause them to pick up the new code.
|
|
Ah, the beauty of DLLs!
|
|
As long as they're not static.
|
|
How can they be static if they are a *Dynamic* Link Library?
BT Infinity 1 (unlimited)
|
|
He could be referring to the fact that some libraries are issued in both DLL & static form, and some OpenSSL s/ware might use the static one. His 'it' might mean the OpenSSL app.
|