Bah.

Look, @news_com_au, NOTHING, can beat @TheNTNews, OK? pic.twitter.com/Uyq2IWKDkT
@SnarkyPlatypus No. You can never have enough disintegration of the internet.
Disgruntled.
feed_the_chooks hey baby, I’m an Objectivist Scientologist. #wassup

ABC funding cuts? smh.com.au/federal-politi… Sure. Remember, Mr Rabbit has to pay for this front page and more. pic.twitter.com/FmH1oWgXm7
RT @PeteLawler: @itgrrl @stilgherrian Internet of Arsehats 2.0? [Now you’re talking. Also, cyberarsehats.]
Or from January this year, “Our hackers, who art in open source, deliver us from refrigerators” zdnet.com/our-hackers-wh… #refrigergeddon
Me from 2011: “Cybercrime 2016: Paper-boy refrigerator revenge” cso.com.au/article/404801…
@jturner_ibrs Gyrocopter.
MT @R_Chirgwin: The “Internet of Things” is Arsehats ALL the way down. [This is my point.]
The conference is @OReillySolid solidcon.com/solid2014, in SFO the week after I’m there, so I may just stay on for it. If they’ll have me.
I think I might have to start up my own New World Order, namely the Internet of Arsehats.
I think I’d better go to that big Internet of Things conference in the US in May to see just how fucked up the whole thing is going to be.
kentindell Got a D-Link IP camera set up for remote viewing? Oops: securityadvisories.dlink.com/security/publi… < Yes, Heartbleed. Yes, Internet of Things is a great idea.
MalwareJake “@sambowne: Internet Heartbleed Health Report — 8 percent still vuln, long list of examples zmap.io/heartbleed/” - 8% is way too high
My previous @zdnetaustralia Heartbeat stories, oldest to newest. zdnet.com/businesses-nee… zdnet.com/lagging-androi… zdnet.com/heartbleed-sou…
Me at @zdnetaustralia today: “SANS warns end users against Heartbleed patch panic” zdnet.com/sans-warns-end…
Anyway, I’m going to risk mentioning Heartbleed again, so that I can plug my things.
There is no such thing as “white chocolate”, @expectproblems, as even a moment’s thought would tell you. Stop being an arsehat.
I am now back at @bunjaree and have opened the wine. Who else’s evening can I ruin?
RT @michaelneale aren’t there laws covering the “proceeds of crime” that should stop bono’s investments? [You’d think so, right?]

etherealmind Post: Size of Doughnut Holes bit.ly/1iFKvVf pic.twitter.com/GnGhBKfbvN
@cafuego Yeah, but @marcfennell did a fixed version to go to air, and it’s been uploaded. It’s the caching that’s killing it.
@PeteLawler And it was revealed the other day that Dropbox runs hashing across files to look for alleged copyright infringement.
@GreenJ @ClintonDucas @Colvinius @DownloadABC @RNSundayExtra @marcfennell You know it in your heart, Mr Green, I need prove nothing.
Complimenting the bar staff, “Thanks, those sausages really hit the spot, very nice indeed,” regretting the choice of words.
@ClintonDucas @Colvinius @RNSundayExtra @marcfennell @DownloadABC Yes, I’ve heard @GreenJ asking for the painting of pictures a few* times.
@lukehopewell @Colvinius @marcfennell And which habit is this? Or will listening to the rest of this week’s @DownloadABC reveal it?
Wait, what? Forget the Condoleezza Rice thing. Bono… BONO was an investor in Dropbox? Closing my account right now.
But the combination of CMS joy*, CDN caching, telco caching and iTunes is enough to curdle even the Virgin Mary’s own milk. @marcfennell
Those of you who’ve never done podcasts have no idea what grief @marcfennell just experienced. The segment is actually quite good.
He’s favouriting my tweets now, which I think means that they are being turned into “evidence”.
Hmmm. I suspect that’s yet another of those clarifications that doesn’t really help things. I am so fucked. I am so, so fucked now.
Oh, when I say “I’m helping @marcfennell from the front bar”, I mean that’s where I am, not that I’m assisting his ability to walk home.
helenperris @sylmobile Did you put the butter in the fridge?
RT @SnarkyPlatypus: @stilgherrian Why are you not the emperor of Australia yet? [THIS IS MY ENTIRE POINT.]
Well this is all going rather well, isn’t it boys and girls! I am so fucked now, aren’t I, @marcfennell.
@marcfennell You may be surprised to hear that’s not the first time someone has said that to me.
“Should”, @marcfennell, is a very complicated word.
@SnarkyPlatypus Hello. I am sorting out the mess that is Australian broadcasting. @mscott must pay me. And you?
I’m helping @marcfennell from the front bar, which is always special.
SHUT UP @marcfennell I AM PROMOTING YOUR STUPID PROGRAM EVEN THOUGH IT IS AN UTTER DISASTER IF I HAD BEEN ON THIS WOULD NEVER HAVE HAPPENED.
@marcfennell Well, you’re cached on Akamai. This is down to whatever settings have been used to set that up. I can get an Akamai engineer…
Would a kind soul tell me if @marcfennell says “the virus Heartbleed” at the 45-second mark? mpegmedia.abc.net.au/rn/podcast/201…
@marcfennell I clicked on the direct link, but it’s still the wrong audio. I’m on a Telstra BigPond 3G/4G link, they’re cached to buggery.
@marcfennell Hitting refresh in iTunes OS X did not pull down a new audio file, but what’s the cache time of the RSS feed?
@marcfennell Stand by. The issue was in iTunes feed, not a direct link, so let me restart iTunes and refresh.

@iain_chalmers @DownloadABC @marcfennell Which gives me another excuse… youtube.com/watch?v=ZCldL3… pic.twitter.com/Vesv4oiawj
@iain_chalmers @DownloadABC @marcfennell It’s indoors. M4 carbine at the heaviest but, seriously, Browning Hi-Power 9mm is just fine.
@margotdate @Colvinius @DownloadABC @marcfennell I’m currently compiling a list of over-used phrases in tech press releases.
@marcfennell @DownloadABC It’s not the first time that whinging has gotten me onto a national broadcast… ;)
@Colvinius @DownloadABC @marcfennell Oh, I remember that! But it’s just so hard to get out of those tics.
@marcfennell @DownloadABC Sure. I have to do some stuff in Sydney at some point, so it might as well be Thursday. Deal.
@marcfennell @DownloadABC I have always been that guy who says the thing that others have been too polite to say. Or too wimp.
“How do I love thee, @marcfennell? Let me break down the ways…” @DownloadABC
@marcfennell @DownloadABC I feel your pain. I’ve been there when I kept getting a guest’s name wrong and he was too polite to correct me.
@DownloadABC @marcfennell My understanding is that iTunes will only re-download audio if the file name changes in the RSS feed.
@DownloadABC @marcfennell Can’t tell you, sorry, it’s whenever I last launched iTunes. But I did a refresh just now and it didn’t change.
@dylannickelson @marcfennell @theprojecttv @DownloadABC Nah, it’s fine. Like Sebastian/Seb or whatever. First mention in full, then “Stil”.
@gusworldau Indeed. This was in analog days. We had a stack of tape cartridges, and some well-crafted cues for the presenter to use.
RT @marcfennell: @stilgherrian @DownloadABC I’m gonna take that as a challenge [I thought you might. You’re on.]
Shit. I must’ve said his name three times.
I actually do like @marcfennell and @DownloadABC but, Jesus wept, he does need a good thump every now and then.
@dylannickelson @marcfennell @theprojecttv @DownloadABC Pretty much everyone calls me “Stil” for short, even me. Indeed, I tell people to.
She was listening from the hospital, since it was some trivial routine thing, and was, um, most appreciative* of the grand troll.
… So we grabbed recordings of all of her catchphrases from the previous week’s episode and dropped them in live as if she were there.
That reminds me of the time I was producing a night-time music-chat show on what’s now ABC @891adelaide. One presenter was in hospital…

ApostrophePong Send-off meal: tea leaf salad and #myanmar beer. This salad is divine #yangon @ Yangon International..instagram.com/p/mrjgrMPGLC/Lt
Next time I am on @DownloadABC and @marcfennell says “break it down”, I will actually break something. Or have a full breakdown on air. Yes.
“Let’s break it down here”, @marcfennell said again at 6:07. THERE MUST BE SOME WAY OF STOPPING HIM. @DownloadABC
@JM77 @marcfennell @DownloadABC This is random speculation without having actually listened, isn’t it. I can tell.
Mind you, when @marcfennell decided that “break it down” was something adults say to mean “explain”, I started the hate. @DownloadABC
So @marcfennell calls Heartbleed a “virus” on this week’s @DownloadABC. He is dead to me.

coderoshi Some people still refer to 100 GB as “Big Data” pic.twitter.com/Tr5ztpTlqC
Pondering my dinner options, whether they be in the closest village, or one of the others nearby. CBD is running strong today.
RT @CyberPrefixerAU: Hi-tech Sydney cyberplayground coaxes digital cybernatives [Digital cybernatives! @gattaca must be notified!]

Yeah, there should be a service to do this. Actual surgery. pic.twitter.com/S70db9TglF HT @HorrorPicx via @thegrugq
New (personal) blog post, to update various things: “Heartbleed kills my schedule” stilgherrian.com/personal/heart…
KimMonte10 Aren’t all women just 3D printers with teeth?
So now what?
Every time I see a service running on a .io domain, I think, “Oh for fuck’s sake just grow the fuck up!”
tenderlove I knew this whole “encryption” thing was just a fad.
nickmullen “feminism is a cancer” he typed, vaping and chugging mountain dew “it’s killing us men.” The microwave dinged, his taquitos were ready
duckbytheoboe Dymocks had shot glass sized mason jars. I think we can safely declare that trend over. #jarsareforstorage
glyph OH: “I don’t write C! I’m a responsible adult.”
runasand Two people have independently solved the @CloudFlare #heartbleed challenge and obtained the SSL private key: cloudflarechallenge.com/heartbleed
Here’s my previous Heartbleed stories at @zdnetaustralia, mostly from the SANS ISC daily briefings. zdnet.com/meet-the-team/…
Me at @zdnetaustralia today: “SANS warns end users against Heartbleed patch panic” zdnet.com/sans-warns-end…

MalwareJake “@cedricpernet: loooooool - RT @IDisposable: Can’t stop laughing pic.twitter.com/gDGEbkQyEq”<- I once knew someone in a similar situation…
@scott_thewspot @Taco_Lad @R_Chirgwin @mappingbabel There’s an awfully large amount of evil being suggested right now.
Not setting fire to the curtains, generally speaking.
@oberonsghost @ApostrophePong “The Dead Zone”, eh? Is that why they put Alexander Downer in charge of it for a while?
riskybusiness RT @Indy_Griffiths: pic.twitter.com/tLwV1Pn7Ky <– BRILLIANT
@ApostrophePong Indeed, well, I’ll make sure to include one such inspiration in each @5at5daily. That’ll screw you up.
@mappingbabel @R_Chirgwin There is no “re-” involved here, trust me, Jack.
@scott_thewspot @R_Chirgwin I might number them and colour code them.
I think I might fuck with @R_Chirgwin’s mind by putting all his tools back in his toolbox in his shed. #blokejokes

JM77 While the Internet’s heart bleeds, @boxee finally remembers to tell members it got hacked last month. pic.twitter.com/zzMkZ224a3

“Frozen In Time: The Cyprus Buffer Zone” theatlantic.com/infocus/2014/0… Ping @oberonsghost @ApostrophePong pic.twitter.com/Xty1PmQJZT
Oh, posting links to photos means that I’ve filed my @zdnetaustralia story and am taking a break. Unless I get commissioned to do another.
“1950s: New York by Saul Leiter”, being some photos that @ApostrophePong would like. retronaut.com/2011/09/new-yo…

StijnBienkens Confirmation from @CloudFlare, challenge cracked by @indutny, private keys vulnerable! @edbott @thurrott #heartbleed pic.twitter.com/uL38G8OjIM
gattaca Steps
1) Write link bait story
2) Blame $SPYAGENCY
3) Make claim that can’t be substantiated
4) …
5) PROFIT!
Perfect timing. Just as I finish breakfast, it is confirmed that I’m doing a @zdnetaustralia story on today’s SANS ISC Heartbleed briefing.
I’m probably coming across as a @liquidmatrix fanboy today. So be it. Righteous anger is powering their conversation this week. Joy.
You in infosec? Didn’t listen to this week’s @liquidmatrix? Then you’re a fool to yourself and a burden to others. liquidmatrix.org/blog/2014/04/1…
@semibogan I commend you for every single word, thought and implication in that tweet, Sir. (I don’t see “durries” every day, not lately.)
He’s a dolphin, mate, he’s just another fucking arsehat dolphin. Ignore his trolling.
Nominate your barista for an Order of Australia! List that pop-up cafe with crates instead of chairs and tables on the National Trust!
Also re that previous tweet, if “hipsters” are the new “gentry”, then we are so fucked. Project your imagination 20 years out from today.
Oh. Here he goes. This is good. Even if I suspect I’m part of the problem he’s complaining about. @myrcurial @liquidmatrix
So my immediately preceding retweet really is the ultimate goal of the internet, isn’t it.
andrewchen Idea: “Uber for hipsters” to summon an invasion of baristas, bike shops, etc to any neighborhood, with one tap! Gentrification-as-a-service.
RT @semibogan: Unnamed sources say newscorp had access to heartbleed before public disclosure [Fucking dolphins. Dolphins are arsehats.]
semibogan Unnamed sources say dolphins had access to heartbleed prior to public disclosure
“They’re moose powered!”, says a colleague of @myrcurial’s on @liquidmatrix. Now if only Canada had moose-powered black helicopters.
Hah! @myrcurial on Canada’s equivalent to Black Helicopters that may whisk them away: “We have like 16 guys, and they’re in Chevy Novas.”
Internet pioneer Vint Cerf had access to fine crypto, but NSA wouldn’t let him build it into the early internet. blog.veracode.com/2014/04/cerf-c…
Less than 120 sec into the new @liquidmatrix podcast and already it’s clear @myrcurial is even more ranty than usual. liquidmatrix.org/blog/2014/04/1…
Sat plan, explained: That looks very messy, but in fact I’m just pottering through whatever tasks I feel most like doing at the time today.
Sat plan, evolving: SANS ISC briefing (done); fried rice; sysadmin tasks, various; writing?; blog posts; errands and shopping; wine?; dunno.
ABCFactCheck Can single-deck trains carry more people than double-deckers? Barry O’Farrell says they can. Here’s our #factcheck ab.co/1lRDDHt

RT @SnarkyPlatypus: Six! pic.twitter.com/OPvuXiytRK [What he says is true. Watch out for Transit vans.]
Oh. It’s not the same, @SnarkyPlatypus, but World of Schnitzels on Tuesdays, $10 Bloody Marys all day Sunday. theoxfordtavern.com.au
RT @glengyron: FYI, there might be other chances to see pictures of naked men on the Internet. @annetreasure @GuardianAus [Oh. Wow. Cool.]
@fleafeet @tea_n_toasted Yes, this @xkcd cartoon is quite accurate. I’ve tweeted the link a few times before.
@SnarkyPlatypus I am advised that the White Cockatoo’s parmageddon experience has moved to the Oxford Tavern, no longer a girlie bar.
@gavincostello I am awaiting Editorial Wisdom on this point. Less a follow-the-sun newsroom as follow-the-pub.
@PeteLawler There is that. I suppose I should think through the threat model a bit more one day.
SHUT UP @annetreasure @glengyron @GuardianAus SHUT UP AND SHOW ME THE PICTURES OF THE NAKED MEN WHAT IS WRONG WITH YOU ANNE.
annetreasure The top 10 male nudes in art | Art and design buff.ly/1hHzOzc ARE YOU BUZZFEEDING ART, GUARDIAN? ARE YOU? IS THAT HAPPENING?
Not listed there is the @1Password Reader for Android app. I use it, and it works nicely for my needs. YMMV.
Password manager @1Password is running a 50%-off Heartbleed sale. Nice work, guys. agilebits.com/store Ping @Andrew_Zammit

mushenska I keep trying to think of some sort of context for this photo and am drawing a serious, disturbing blank. pic.twitter.com/zrv4BI4KVk
The extra @5at5daily that I thought I’d be producing this morning will now be coming Sunday morning. Heartbleed continues to be a focus.
@llament “Use a password manager” was incidental good advice, not “Protect me from Heartbleed” advice. #heartbleed
@Andrew_Zammit I haven’t assessed password managers in ages, but I use @1Password and @LastPass has a good reputation too.
@jplonie The point was made that some port-443 scans will be the good guys, yes. #heartbleed
@CabbagePatchCat Kinda. There’s nothing* wrong with OpenSSL 0.9.8 if it’s been patched. Patching is the issue. But I suspect you know that.
And that’s the end of today’s Heartbleed briefing from SANS ISC. Thanks, @johullrich, all very clear. #heartbleed
The Q&A is now covering some of the material from yesterday’s briefing. My write-up is at zdnet.com/lagging-androi… #heartbleed
RT @PeteLawler: @stilgherrian anecdotal research indicates home routers buggy and unpatched enough w/o #heartbleed issue… [Agreed.]
(Earlier, someone said that it’s next year that the home routers get hit. Hah.) #heartbleed
Don’t panic: Most home routers won’t be using the vulnerable version of OpenSSL. [But how much real research has been done?] #heartbleed
Q: Home routers with HTTPS? A: Probably not listening on WAN [really?], problem is they don’t get patched. #heartbleed
A: You can’t tell purely by cert issue date that it hasn’t been changed. And what’s the disadvantage of changing passwords? #heartbleed
Q: Should you not change passwords (presumably on sites that haven’t changed certificates)? #heartbleed
However, any -S protocol (HTTPS, IMAPS etc) IS vulnerable [simplification] because it uses TLS, which is the problem in OpenSSL. #heartbleed
Confirmed: SSH uses the SSL library, but not TLS, so that’s not vulnerable. It doesn’t just wrap SSL. #heartbleed
I am pretty much giggling insanely ‘cos @johullrich just hacked what he called “The BEST web browser that doesn’t run Java”. #heartbleed

Haha! @johullrich is now demonstrating live a proof of concept, hacking a wget client. #heartbleed pic.twitter.com/jCpQcvYuVa

What’s next? Check intrusion detection rules, scan for vulnerabilities. #heartbleed pic.twitter.com/CtvO0BwYXo
There’s some good discussion on when to patch and priorities, which I shall summarise in a story somewhere. #heartbleed
That’s only from a few revocation lists, but there’s around 800,000 vulnerable servers out there. #heartbleed

Are people patching and revoking/reissuing certificates? Yes. #heartbleed pic.twitter.com/LbX8RrRwTY
The message from that chart is that if your server has not yet been patched then it has certainly been scanned, at the least. #heartbleed

The yellow line in this chart shows the huge rise in people scanning port 443 for potential targets. #heartbleed pic.twitter.com/tbcEZyx8mr
Use a password manager. Use a password manager. Use a password manager. #heartbleed
Advice from @johullrich to use lastpass.com/heatbleed to check the status of the sites you use and worry about. #heartbleed

Do end users need to change their passwords? Yes, but with some provisos. #heartbleed pic.twitter.com/urSKTjU5e5

Counter-intuitive advice: End users, do NOT immediately patch client devices! The “patch” may be a scam. #heartbleed pic.twitter.com/kPcGBBcmfN

Heartbleed affects (some) end user devices, but address servers first. #heartbleed pic.twitter.com/jJdCaXjWqA
We begin by explaining that the @xkcd cartoon is the best explanation of how Heartbleed works. xkcd.com/1354/ #heartbleed
This presentation is about client-side attacks and end user actions. @johullrich is CTO of ISC SANS. #heartbleed
@PeteLawler Tempting offer, I agree.

Do you like slides? Of course you like slides. #heartbleed pic.twitter.com/zOPPqhIjYL
I’ll be tweeting today’s SANS ISC briefing on Heartbleed starting in a few minutes. @johullrich is presenting. #heartbleed
I’ve just seen something on Twitter that makes me want to punch certain people in the face very, very hard. So, like any other five minutes.
Sat plan, draft: 0730 SANS ISC Heartbleed briefing; write about same, presumably; sysadmin tasks, unrelated (whew!); blog posts x many; cry.
@SnarkyPlatypus Hearts will be bleeding for a few more days, I think. It’s bleeding into my wallet, however.
I’m working under the assumption that @zdnetaustralia @ZDNet will want a story on today’s briefing too, when anyone else wakes up.
5. “Heartbleed soul-search: regulation proposed for critical crypto code”, @zdnetaustralia zdnet.com/heartbleed-sou…
4. “Lagging Android devices vulnerable to Heartbleed”, @zdnetaustralia zdnet.com/lagging-androi…
3. “Heartbleed bug bleeds passwords across the internet”, by @will_ock, ABC @amworldtodaypm abc.net.au/worldtoday/con…
2. “Businesses need to inform users about Heartbleed exposure”, @zdnetaustralia zdnet.com/businesses-nee…
1. “Heartbleed reveals a big hole in Australia’s cybersecurity strategy”, @crikey_news crikey.com.au/2014/04/09/hea…
I’ve already written four stories on Heartbleed, and done radio spots, one of which is online, so the next five tweets will be those links.
@SnarkyPlatypus Hello. It’s a cold morning, it’s windy, and all hearts are bleeding. And you?
SANS ISC Heartbleed briefing #4, this time client-side attacks, starts in just under an hour. 1730 EDT / 0730 AEST sans.org/webcasts/side-…
Oh yes, the Heartbleed continues. Joy.
Saturday. With extra turd.