
cjjosh Dear 122 tweeps who RTd my tweet about @davpope ‘s cartoon, if they come after me, you’re all going down too pic.twitter.com/2LLj9o8mim
I am of the opinion that I found this week’s Clarke & Dawe to be most amusing. youtube.com/watch?v=FMisBp…
@garthk Garth, that’s a Hacker News link. Please put your hands where I can see them, and back away from the internet. Nice and slow now.
alexeckermann Malcom stands over the NBN. A pillow held firmly against its face and whispers “shh sh. It will be over soon”
@snerdish @SnarkyPlatypus Does it bear any hallmarks? And is it solid cyber, or just cyber-plated?
NewtonMark Gtta say this for Malcolm: he’s definite PM material. He’s every bit as skillful at stopping a suit from collapsing as Kevin, Julia or Tone.
@SnarkyPlatypus Yeah whatever. At least there wasn’t a cyber in it.
@alexkidman I am happy to absorb your blame. I am your sanit… no, hang on, that’s Prince Charles.
3. I wrote, with @joshgnosis’ help, “Businesses need to inform users about Heartbleed exposure” zdnet.com/businesses-nee… (More tomorrow, too.)
2. @Kimota says I inspired his anti-bullshit post “Is Content Marketing Lost in Translation?” jonathancrossfield.com/blog/2014/04/i…
1. I was in @amworldtodaypm’s report “Heartbleed bug bleeds passwords across the internet” by @will_ock abc.net.au/worldtoday/con…
I think that it’s now time for me to re-pimp three things that I’ve already pimped today but you might have been busy. Here we go.

Brilliant_Ads Unfortunate logo for the Swedish paper company “Locum” pic.twitter.com/92HP6YpHb1
RT @drearyclocks: I just ate 20 wontons. What have you done with your life lately? [Ate soup, changed the bedsheets.]
A least Heartbleed is web scale.
RT @CyberPrefixerAU: Tropical Cyclone Ita upgraded to cybercategory five [Wow. Mauve alert, people! Mauve alert!]

Not quite what I’d have on my front page during a security scare if I were a bank, @Westpac [smirks] #heartbleed pic.twitter.com/w80ZPYE3q8
@OaaSvc @R_Chirgwin It matches other activities of the Abbott-Truss government: a straight-up purge.
@OaaSvc @R_Chirgwin New CEOs tend to fire management. That’s kind of expected. Wake me when something unexpected happens.
@elronxenu @jeamland @jonoabroad Incrementing pointers is basically daylight saving for data, anyway, so it shouldn’t be hard.
RT @R_Chirgwin: What he always said he’d do, but slower, later, and more expensive than he said on April 9 last year. [Oh that. Shocked.]
Sorry, I’ve been busy today. What’s Malcolm done now?
alexanderwhite Reading opening statements for union royal commission, it’s clear it’s distinguished from a Liberal Party sub-branch only by its budget.
maximilianhils Exploiting heartbleed on clients is for real. My patched mitmproxy pwns Google Drive, OwnCloud and other background services.
@jeamland @jonoabroad @elronxenu Iron spikes are safe unless you impale yourself on them.
@SnarkyPlatypus Il a été une longue et difficile journée. Mon cœur saigne, tout comme l’internet.
Ah, The Joys of ICAC #31! Joe Tripodi: Can I finish my answer?” Counsel: “Sorry, life’s too short.” HT @bkjabour twitter.com/bkjabour/statu…
@michaelneale Yep yep. I know how to do DSL performance tuning. Haven’t done it in a while, but they’re useful tips to start with.
iamdevloper Fact: if there was a HTML element called <carousel />, the usage of jQuery by designers would drop by over 85%.
@michaelneale That’s a point. There’s 42db attenuation on the downlink, which is… an unhappy situation. I’ll worry about that later.
@SnarkyPlatypus Bonjour. Aujourd’hui a été extra très super-méga spéciale! L’univers n’a pas assez d’astérisques! Et vous?

Yay! Internets! ADSL2! No. Wait. pic.twitter.com/J1n660mXYA
@elronxenu @bengrubb I will be listening back to that soon, now that I have sorted out certain internet issues. And comment upon same.
bengrubb “How are we supposed to remember who we logged into in past 2 years, how are mums and dads going to understand This its scare mongering”
Stacks of (Turtle) Wax.
RT @McDermie: @stilgherrian @jeamland @elronxenu @snerdish Logo. [Damn. Yes. LOGO has turtles. In Forth, everything is a stack. Damn.]
Gawd, you’d have to be such a tragic geek in so many ways to understand my last tweet, eh @jeamland @elronxenu @snerdish?
What was the language with turtles, @jeamland @elronxenu @snerdish? Oh yes, Forth. OpenSSL in Forth, so crypto is turtles all the way down.
RT @jeamland: @elronxenu It’s not just space though. It’s more than possible to write safe C. @stilgherrian [What, like “cafe”?]
RT @jeamland: Hey @stilgherrian, can you do a 9pm Edict so I can do a guest edict? [Yes, yes I can. Very, very soon.]
Me and @joshgnosis (thanks!) at @zdnetaustralia: “Businesses need to inform users about Heartbleed exposure” zdnet.com/businesses-nee…
RT @marcuskelson: I sat next to andrew at a press club lunch years ago - it was mesmerising I wanted to touch it. [“The Peacock Effect”.]
@gattaca I did fuel potential @myrcurial rage with those things the other day. I do how he exploded at them. ;)
RT @Kimota: @stilgherrian Your quite valid grumpiness in a tweet last week inspired my latest post. jonathancrossfield.com/blog/2014/04/i… [Uhoh. Thanks.]
RT @gattaca: “@securityintern: . @myrcurial is very ranty on tonight’s podcast.” < ruh roh [So, everything much as normal, eh?]
RT @elronxenu: @stilgherrian Didn’t you just yesterday lay into C for permitting shoddy code? @jeamland [Consistency, hobgoblins, etc.]
OaaSvc But more seriously, I wonder if @TeslaMotors uses OpenSSL in their on-board systems.
It’s not the language, surely, @jeamland, but poor work practices that enables shoddy code?
jeamland Everyone expressing amazement that low-level crypto libraries are still written in C, please tell me what you’d write them in instead.
triplejHack The number of teenagers not drinking has risen, from 33% in 2001 to over 50% in 2010. According to National Drug and Alcohol Research Centre
@samanthamaiden Maybe it could be a new men’s fragrance, though.
@samanthamaiden I grew up on a farm. “A whiff of Peacock” brings back quite specific, unpleasant, memories. Great phrase though.
@AnnPotterHume Ta. Though it’s not an iPhone and I don’t Facebook. Though I am across that problem.
1. The phone is being my Wi-Fi this week, because my usual is maxed out. 2. The phone has been dropped far, far too many times.
To those with questions, suggestions and comments about the phone power situation, thanks, but I actually know what the problems are…
@AUSFestivus @5at5daily I’m thinking of a 10at4, with plenty of weekend reading.
@R_Chirgwin Also, the linen has been delivered. It’s still warm. I may crawl into a laundry bag and cry.
In further electron-related news, @R_Chirgwin, I just had to start the generator at @bunjaree. It’s #electrollonday!
RT @scott_thewspot: you are wasting precious electrons with these tweets [Just as you said that, the “spare” phone died. So, yes.]
“Quotation quiz: Bob Carr or American Psycho’s Patrick Bateman – who said what?” ask@GuardianAusus. Oh well playedtheguardian.com/world/quiz/201…u4
There won’t be a @5at5daily today, sorry. I’m dealing with that dying phone / switch to spare phone drama. I’ll do a bonus one tomorrow.
Updating 46 apps on the “spare” phone. Slightly less joy.
Right. I have enough charge now on a “spare” phone to get it online and even use it as a hotspot to get the laptop online again. Slight joy.
@ImEddyVahas Sorry, would you like to kinda just fuck off and maybe come back tomorrow with your question worded less aggressively?
Phone died, battery 0%. Recharge for 5 mins, says it’s at 9%. Turn it on, within 5 mins it’s down to 3% and plummeting, even tho plugged in.
Disgruntled. I think my phone’s power management skills have pretty much died. Trying to persuade to behave itself now.
Apologies to ABC @1057darwin, my phone died badly. I’ve just now managed to get it back online.
@amworldtodaypm @will_ock No dramas, glitches happen. Thanks for the rapid fix.
@AgnessMack @amworldtodaypm @will_ock Oh yes, the pronouncifying is quite adequart.
@amworldtodaypm @will_ock Oh, um, and if you have the time, the spelling of my own name… [shuffles feet]
@amworldtodaypm @will_ock Hey “ATTPS” should be “HTTPS” in this story. abc.net.au/worldtoday/con…
“Heartbleed bug bleeds passwords across the internet”, reports @amworldtodaypm’s @will_ock. [WARNING: Contains me.] abc.net.au/worldtoday/con…
Ah, The Joys of ICAC #31! Joe Tripodi: Can I finish my answer?” Counsel: “Sorry, life’s too short.” HT @bkjabour twitter.com/bkjabour/statu…
Writing. Busily. You are all being ignored. (I mean, let’s face it, you’re all pretty useless anyway.)
Thu plan, updated: Write for @zdnetaustralia; 1615 radio spot; @5at5daily; blog posts; no SEKRIT thing, my plans Heartbleed away; sulk.
explanoit The difference between you and me is that my weirdness is marketable, yours is just tragic.
@riskybusiness That said, @MalwareJake wasn’t pulling any punches in the SANS ISC briefing a couple hours ago.
@riskybusiness Well I’m not arguing for Schneier’s description either.
@riskybusiness Hey, it’s what the man said. [Shrugs.] I am merely a paste-bunny. He’s not usually prone to hyperbole.
@ChrisGatford @nzben @juhasaarinen You could always repaint it. Go oooonnnnnnn!
“Probability is close to one that every target has had its private keys extracted by multiple intelligence agencies” schneier.com/blog/archives/…
Bruce Schneier on Heartbleed: “‘Catastrophic’ is the right word. On the scale of 1 to 10, this is an 11.” schneier.com/blog/archives/…
Tim_Beshara With or without beetroot? RT@Kate_McClymont Kelly said Tripodi arrived at his Wellington house, unannounced, with a hamburger & a coffee
bjmay “We have no evidence of a Heartbleed breach” = “We don’t really understand how the vulnerability actually worked”
NSW @BOCSAR is on the Twitter. Do follow them, Politicians, for actual facts about crime, not the rubbish you generally feed yourselves.
Also out, “An update of long-term trends in property and violent crime in New South Wales: 1990-2013” bocsar.nsw.gov.au/agdbasev7wr/_a… (PDF)
Official “NSW Recorded Crime Statistics 2013” from BOCSAR has just been published. Facts, sweetie, facts! bocsar.nsw.gov.au/bocsar/mr_rcs2…
Hey @ChrisGatford, planning anything in New Zealand? Want a T-55? Of course you do. trademe.co.nz/motors/used-ca… HT @nzben via @juhasaarinen
pourmecoffee Heartbleed security flaw is very serious. This is your moment, AOL Desktop. The comeback starts now!
Jeevesmeister @bitcoin_txt “Fuck dogecoin man… nothing but uneducated retards killing the value of the currency. Have fun burning down your space ship…..”
geneweingarten The worst thing in the world is Klout. Then, LinkedIn. Then it’s a tossup between worldwide infant mortality and seborrhea.
Horse_iOS Despite media reports to the contrary, the Heartbleed SSL bug only affects users that have, for some reason or another, used the internet
@conwaytb @abcradionational I generally try to say “Talk to your IT advisors” for advice specific to your needs. But people want recipes.
@conwaytb It’s not a “What should end users do?” kind of program.
I just recorded a few comments about Heartbleed with @will_ock for ABC @amworldtodaypm, to air on this lunchtime’s program.
@pascalg15 Thanks. FYI, a recording of the updated version I delivered on Monday will be posted on the weekend.
@dananimal Nope, didn’t catch the test server’s URL, sorry.
I’ve got WAY too many tweets to respond to personally, but thanks for all the refinements and suggestions.
The full presentation video will be posted by SANS ISC by 1500 ET Thursday, so early Friday morning Australian time. #heartbleed
[OK, folks, there’s no value in trying to live-tweet a fast-moving demo. That’s the key facts from this briefing anyway.] #heartbleed
[Hah! People are now hitting the demo server with exploits. “Hi Jake!” appearing in the server memory. Class.] #heartbleed
[The presenter is now doing a live demo, which I shan’t tweet. But pen testers are already hitting the demo server.] #heartbleed

Here’s a Snort IDS detection rule to detect abnormally long SSL heartbeats and treat them as bad. #heartbleed pic.twitter.com/HeW4gbEhFD

Don’t trust your developers. Some have been known to, um, change library names. #heartbleed pic.twitter.com/RfFGtiXKgK

Linux? Patched already? Run this command line to find processes still linked to the old binaries. #heartbleed pic.twitter.com/p2CrDrzlca

How to find out whether the software you write is vulnerable. Harder in Windows. #heartbleed pic.twitter.com/DHyO9zd5Ni

Deploying cloud services? Read this. #heartbleed pic.twitter.com/FzqSE848br

Forensics implications, part 2. #heartbleed pic.twitter.com/uzBuQWII7y

Forensics implications, part 1. #heartbleed pic.twitter.com/mO8ynd2Dui
[Remember, this presentation is for infosec practitioners. Some work on highly sensitive networks. The JOB is paranoia.] #heartbleed
“Unless you see a big sign up there saying ‘We were never vulnerable to Heartbleed’,” assume a site may be dodgy. #heartbleed
[I won’t be able to provide support for people or answer questions while I’m tweeting this. I’ll then have to start writing.] #heartbleed
Everyone should go into the advanced settings of their web browser and turn on the checks to ensure certificates are valid. #heartbleed
That is, don’t enter your sites or your clients into filippo.io, just in case their intentions are impure. #heartbleed
You can check if a site is potentially vulnerable at filippo.io, but get the code off Github and run it yourself. #heartbleed
Presenter is giving a shout-out to LastPass for issuing an excellent security advisory. #heartbleed

There’s MORE bad news, though, some of which is relevant for Windows developers. #heartbleed pic.twitter.com/OJX1Ybzd8g
“If you run an all-Windows shop, today is the day Windows saved you from a security problem instead of causing it.” #heartbleed
Note that Windows is not vulnerable to client-side attacks, Microsoft IIS not vulnerable to server-attacks. #heartbleed
Presenter suggests avoiding public Wi-Fi networks that offer a “secure” connection for now. #heartbleed

Heartbleed also affects CLIENT side, and there’s lots we don’t know about that yet. #heartbleed pic.twitter.com/K87gU2cCt4

“No web server, so I’m safe right? Wrong.” #heartbleed pic.twitter.com/cYKYa19kAY
Another reminder that attackers record encrypted data and keep it in the hope they can decrypt later. This will now happen. #heartbleed
“We have to assume we’re not the only people who found the bug”, because two different people did just find it. #heartbleed
Presenter has gotten 5 sales calls from vendors today, oblivious to the fact he’s busy. “Shame on every freaking one of you.” #heartbleed

What should vendors do? COMMUNICATE! Presenter is scathing of vendors who aren’t issuing advisories. #heartbleed pic.twitter.com/WMdsw8qee0
Presenter suggests there’s little point logging, ‘“approximately the entire internet” is already scanning you, no need to watch. #heartbleed
Attacks are NOT logged, which is of course a problem, though there are now patches for NGINX that allow attack logging. #heartbleed
[Presenter showing memory dumps, saying he didn’t gather these “Cos I’m too pretty for jail’.”] #heartbleed
[I won’t tweet the code description, but I note that earlier the presenter was scathing of the code quality.] #heartbleed

So this is how it works (and don’t ask why there are two ‘length’ fields). #heartbleed pic.twitter.com/9db99DnLyr
A memory exposure bug like this can turn an exploit taking random pot-shots at another vulnerability into an accurate shoot. Oh. #heartbleed
There may also be pointers to other data structures, and that info may be used to defeat other data protection mechanisms. #heartbleed
What will be in that memory somewhere are private encryption keys, usernames and passwords, session IDs, your private data. #heartbleed
But the attacker can keep requesting 64k chunks again and again, and that’s a lot of memory to get hold of. #heartbleed
The bug allows the attacker to extract 64k chunks of memory from the target, but they have no control over which chunk they get. #heartbleed
Heartbleed vulnerability can be triggered by an attack on a vulnerable SSL server early in the connection, before logging in. #heartbleed
What’s important is that the bad guys can extract the keys now and use them to decrypt any data they’ve recorded in the past. #heartbleed

Here’s the tl;dr version of the message in one slide. #heartbleed pic.twitter.com/Dd6kwiuMLt
This is round 2 of “Heartbleed: What you need to know”. We have been promised a vulnerable server online to attack if we want. #heartbleed
@nerd___rage Scroll back. I’ve tweeted it heaps already.
@Pratt_Steve Exactly. It’s assumed everyone has the cultural literacy of a sport’s specific culture, which means it’s opaque to new people.
I’ll be tweeting key facts from this SANS ISC briefing with the obvious hashtag. They’re sorting their video feeds now. #heartbleed

So @MalwareJake’s presentation will begin in a few minutes. The tone is being set now. #heartbleed pic.twitter.com/9Bx2RKilsi
I have just filled my shoes with apple juice.
lilianedwards “@xor: This last year has shown you’re safe as long as you don’t use SSL, Apple devices, GnuTLS, NIST standards, e-mail, or cell phones.” Ha
@loupascale Yep. and up here the birds’ rain-alarm happens earlier than it does down in the city. 20-30 mins ahead of rain, not 10 mins.
It’s definitely going to rain here. A few minutes ago the rosellas did a rain-coming alarm and fled, as did finches. Now I can smell it.
Thinking aloud, @BreakfastNews, sports reporters assume everyone knows team nicknames, but we assume people don’t know their own tech tools?
@scott_thewspot Yes indeed. There will be plenty who forget that bit, I’m sure.
@markaufflick @joshgnosis @chrisjrn @PeteLawler Yes, @BreakfastNews, when DID encryption become “scrambling”? Infantalisation FTL. Sulks.
BuzzFeedAndrew Before Game of Thrones, no one named babies “Khaleesi”. In 2012, it beat the name “Betsy”. vox.com/e/5354291

MT @davpope: I’m confident PM&C are working on it #dobatweet pic.twitter.com/OGKUDeFlzc
CosmicRami Um … this is getting awkward. RT @MotherJones: OkCupid’s CEO donated to an anti-gay campaign once, too bit.ly/1mYtOKj

phil_torres For the record, yes I did just take a selfie video while milking a transgenic goat. instagram.com/p/mllLUmKy4x/ #AJTechKnow
These guys are level-headed. SANS ISC doesn’t go to INFOCON Yellow and call for “global and immediate action” without good reason.
There’s so much demand for the SANS ISC Heartbleed briefing they’ve had to set up a virtual “overflow room”.
mappingbabel You can rent a server for $5 a month aka one pint of beer in Central London. = The future is here, it’s just intensely boring.
The SANS Internet Storm Centre (ISC) briefing on OpenSSL Heartbleed starts in one hour. sans.org/webcasts/opens…
I need to cook some shredded cow now, so I will come back and respond to your very important tweets after I’ve done that, OK?
RT @yewenyi: According to Microsoft the Easter Monday holiday is on Sunday 13 April. [Why are you so fussy?]

_youhadonejob Think I’ll give that a miss. pic.twitter.com/Pl5lSaTa0m

The Human Face of Heartbleed, eh @joshgnosis @BreakfastNews? pic.twitter.com/SYy4wGVZXQ
RT @joshgnosis: I’ll be on @BreakfastNews shortly to talk about #heartbleed [Josh got the short straw.]
@mpesce @yinettesys @bengrubb I’m seeing a substantial spike in port-22 activity from China today, but it does come in waves anyway.
May I request, @davpope, that the three posters depicted in your amusing drawing today be made available as actual posters?

I say, Mr @davpope is even more better than many usual times today. Bravo. bit.ly/PSKwgs pic.twitter.com/6MXIneHsib
mikko Hey sysadmins…while fixing Heartbleed, also review your cert settings and consider implementing PFS and even 2FA. f-secure.com/weblog/archive…
EFF Please be careful about phishing emails masquerading as Heartbleed password change notices. If unsure, type the URL for the site by hand.
Drones with tasers, eh? Just a reminder, my birthday is coming up soon and if you’re not sure what to get me… bbc.com/news/technolog…
Every time I launch GoToMeeting a part of my soul dies. And not just a little part, either, like I’d just taken up crack or wife-beating.
WillMcAvoyACN If you want to know just how many copy editors are out of work in America currently, just make a typo anywhere on the internet.
Thu plan, draft: 1015 SANS Heartbleed briefing; write for @zdnetaustralia; blog posts x 3; will I ever get to finishing the SEKRIT write-up?
“What WordPress site owners need to do about the HeartBleed vulnerability”, from Wordfence. wordfence.com/blog/2014/04/w…
SANS sent a FLASH NewsBites, “issued only when a security event demands global and immediate action”. Briefing soon. sans.org/webcasts/opens…
So, you know, OpenSSL CLIENTS can be vulnerable to Heartbleed. Here’s a list so far. It’s scary. security.stackexchange.com/questions/5524…
SANS Institute’s Internet Storm Centre (ISC) on Yellow Alert. Lots of vendor notifications coming thru. isc.sans.edu/forums/diary/H… #heartbleed
“Heartbleed OpenSSL bug: FAQ for Mac, iPhone and iPad users”, by the inimitable @gcluley intego.com/mac-security-b…
@LaTrioli @BreakfastNews Maybe @dobes is even awake enough to do some television?

JazRignall 30 yrs ago, most game ads were walls of text and rubbish pictures. Some, however, bucked the trend. Like this one. pic.twitter.com/hbVdPmeTBJ
eastdakota Reporter just asked: “So #Heartbleed is sorta like the plot of that Sandra Bullock movie The Net?” Actually, kinda yeah.
@LaTrioli @BreakfastNews I’m up at Wentworth Falls, 100km from Sydney, so can’t television today, sorry. @lukehopewell? @joshgnosis?
@LaTrioli … so any service that’s had to patch that hole should be recommending password change, yes.
@LaTrioli It’s a real threat, the danger with this one being that it’s impossible to know whether an attacker has gotten in or not…
Thu plan, draft: Write for @zdnetaustralia; blog posts x 3; complete, finally, the SEKRIT project write-up that I haven’t gotten too; hide.
@scottcarson1957 @mscott Children need a good scare every now and then. It [blink] builds character. Never [blink] did me any [blink] harm.
I’ll probably have more to say about our responses to Heartbleed in my @zdnetaustralia column today, but we’ll see.
Me at @crikey_news yesterday: “Heartbleed reveals a big hole in Australia’s cybersecurity strategy” crikey.com.au/2014/04/09/hea…
Right, now onto more serious matters…

SnarkyPlatypus An important reminder from Southwark Council. pic.twitter.com/tbOS4EFB4s

owillis these are all the black people in the us senate pic.twitter.com/QI0uEzEjwe and its an unusually high number, historically. #fail
See, @mscott? @SnarkyPlatypus @jasonlangenauer @purserj @ResignInShame @snerdish all understand.

Look, @mscott, you know, in your heart of hearts, that this is what Australia needs every morning. Right, people? pic.twitter.com/1iNkbDDuKE
Looking back at my tweets so far today, that’s a workshopped-out TV show right there, isn’t it. “The 7am Edict”, perhaps?
“[US] Senator Threatens To Block Nominee For Top Climate Post Because She Accepts Climate Science” thinkprogress.org/climate/2014/0… HT @misskylie77
Re-listening to The Doors’ “The End” reminds me what a rambling, pretentious and utterly self-indulgent wank it is. youtube.com/watch?v=JSUIQg…
@gusworldau Bien sûr. Il ya des traditions à respecter.
Let it roll around on your tongue. “George Brandis race hate law.” Brandis. Race hate. He’ll never be able to break that nexus now. Sweet.
Best thing about? The phrase “George Brandis race hate law”. Magnificent propaganda value, that, like Nixon’s “I am not a crook.”
“Liberals break ranks against George Brandis race hate law” smh.com.au/federal-politi…
RT @phbarratt: Have to laugh when Americans bang on about international law. theage.com.au/national/-36ds… [Smirks.]
Apportez-moi plus d’acide sulfurique, vous les bâtards, et d’un entonnoir!
While the song is originally by The Doors youtube.com/watch?v=JSUIQg… the cover by Nico is obviously more cheerful* youtube.com/watch?v=htemHK…
RT @llament: We just have to keep out of Thor’s way [Thor has GPS and drones now, so you are so fucked.]
@SnarkyPlatypus Bonjour. Comme à chaque expérience la première étape consiste à dissoudre tout dans l’acide sulfurique, puis ouvrez l’éther.
It’s Thursday and there’s a fair chance that I won’t kill you. But someone or something else might. With a bit of luck.