The Heartbleed OpenSSL vulnerability dominates today's news, and is likely to do so for days (if not weeks) to come. Ars Technica describes the bug as exposing data "Russian roulette style," and the metaphor's not a bad one: a missing bounds check in the source code is said to let a remote peer read, blindly, whatever happens to sit in the memory of the process handling the SSL connection. Vendors and security experts are sifting through affected sites and products now and issuing fixes as they're developed.
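To make the "missing bounds check" concrete, here is an added illustration (not code from the article or from OpenSSL) of a heartbeat handler in the vulnerable shape beside the checked one. The RFC 6520 message layout is real; the arena, the `build_request` helper and the 'X'/'p' marker bytes are constructed for the demo.

```c
#include <stdint.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520):
 * type(1) | payload_length(2, big-endian) | payload | padding(>=16) */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_HDR      3

/* Constructed stand-in for process memory: the received record sits at the
 * front, and unrelated data ('X' bytes) sits right after it. */
#define ARENA_LEN 256
static uint8_t arena[ARENA_LEN];

/* Builds a heartbeat request whose length field claims `claimed` payload
 * bytes while only `actual` bytes were really sent. Returns the record
 * length, i.e. what the TLS layer actually received. */
size_t build_request(size_t actual, size_t claimed) {
    memset(arena, 'X', ARENA_LEN);              /* neighbouring memory, never sent by the peer */
    arena[0] = HB_REQUEST;
    arena[1] = (uint8_t)(claimed >> 8);
    arena[2] = (uint8_t)claimed;
    memset(arena + HB_HDR, 'p', actual);        /* genuine payload bytes */
    memset(arena + HB_HDR + actual, 0, HB_PADDING);
    return HB_HDR + actual + HB_PADDING;
}

/* Vulnerable shape: trusts the peer's length field, so the echo copies past
 * the record into neighbouring memory. (Clamped to the arena only so this
 * demo itself has defined behaviour.) Returns bytes written to out. */
size_t respond_unchecked(size_t rec_len, uint8_t *out, size_t out_len) {
    (void)rec_len;                              /* never consulted: that is the bug */
    size_t payload = ((size_t)arena[1] << 8) | arena[2];
    if (HB_HDR + payload > out_len || HB_HDR + payload > ARENA_LEN) return 0;
    out[0] = HB_RESPONSE; out[1] = arena[1]; out[2] = arena[2];
    memcpy(out + HB_HDR, arena + HB_HDR, payload);
    return HB_HDR + payload;
}

/* Checked shape: the claimed payload plus header and padding must fit inside
 * the record actually received; otherwise the message is dropped. */
size_t respond_checked(size_t rec_len, uint8_t *out, size_t out_len) {
    if (rec_len < HB_HDR + HB_PADDING) return 0;
    size_t payload = ((size_t)arena[1] << 8) | arena[2];
    if (HB_HDR + payload + HB_PADDING > rec_len) return 0;  /* the missing bounds check */
    if (HB_HDR + payload > out_len) return 0;
    out[0] = HB_RESPONSE; out[1] = arena[1]; out[2] = arena[2];
    memcpy(out + HB_HDR, arena + HB_HDR, payload);  /* only bytes the peer really sent */
    return HB_HDR + payload;
}
```

A record claiming 100 payload bytes but carrying 4 is echoed with 'X' bytes by the unchecked handler and rejected outright by the checked one; the response padding is omitted here for brevity.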
The Sydney Morning Herald finds the software developer who cops to responsibility for the bug. He explains how the unintentional vulnerability was inadvertently introduced. (Conspiracy-mongers are undeterred from offering alternative attributions.)
It's not clear whether the vulnerability has been exploited in the wild (although a note from Deltek about a breach involving its GovWin product might give one the willies—still, no mention there of Heartbleed), but OpenSSL exploits can be difficult to detect. Experts advise taking protective steps quickly but with caution. Heartbleed is obvious phishbait (as Sophos points out); it's also a good watering-hole lure (as SANS notes).
Quartz sees the whole episode as an instance of the tragedy of the commons, where a public good is steadily eroded in the absence of clear property rights and responsibilities.
Retailers face a large Heartbleed problem, adding insult to injury as legislation in several jurisdictions begins to fix liability for data breaches squarely on them.
In non-Heartbleed news, the insurance industry (led by Lloyd's of London) continues to note critical infrastructure's cyber vulnerability.