Heartbleed continues to make vendors, enterprises, and users scramble. There may be signs of the vulnerability's exploitation ("fragging" the Call of Duty MMOG), but the evidence remains ambiguous. CERT Polska publishes an interesting rundown of the bug and its implications for Tor. BlackBerry, Cisco, and Juniper Networks all warn that their products have been affected; Twitter seems to have escaped. Affected mobile apps include (the very popular) Yahoo, Flickr, OKCupid, Rolling Stone, and Ars Technica.
Much advice on how to protect yourself against Heartbleed is on offer, but changing all passwords immediately and indiscriminately isn't a particularly good idea: at least find out if a service is (1) affected, and (2) fixed. Various tools for checking and fixing Heartbleed have been released: evaluate and use them with prudent circumspection. One issue is legal: checking a third-party site's security without permission may run afoul of laws, including the US Computer Fraud and Abuse Act and the UK's Computer Misuse Act.
Heartbleed's malign effects are expected to linger indefinitely, as many affected applications—particularly home systems—will almost certainly never be patched.
Security experts consider how similar vulnerabilities might be prevented, and what Heartbleed means for the future of open source.
FireEye's Mandiant unit releases its annual threat report to considerable interest. Why have China's PLA cyber units become (apparently) quiescent? Will Iran and Syria become major offensive players?
SecurityWeek talks evasion and advanced sandboxing.
Threat information sharing gets a boost in the US: it (probably) won't expose companies to anti-trust litigation.