This OpenSSL vulnerability’s been around for two whole years! And now we’re supposed to suddenly be terrified the foundation of the internet has been turned into rice pudding? Oh, puh-leez.
This is precisely what the reader had to say about that “Heartbleed thingamajig”:
“I couldn't give a flying fig about the Heartbleed thingamajig. Two years already the thing has been running loose ... and not a word of someone crying over its damage. Say ... does anyone really know its origin? Russian crackers? Seattle high-schoolers? the NSA? Yahoo's marketing department?”
Then the reader did what any skeptical/cyber-suicidal person might do: he threw his passwords online and invited people to go at him.
According to Fung, the reader posted the two passwords he regularly reuses across all of his main accounts (reusing passwords? tut tut).
Then, he invited everyone to:
“read all the eMail I have. Sneak into my WaPo, NYT or CNN accounts and go crazy making comments in my name. Break into my Facebook or Twitter profiles and change my hometown to Gas City Indiana, swap out my avatar with a picture of your nads, make friends with people I don't know.”
Well, tally ho! The gauntlet was picked up, with gusto!
As of Thursday, the reader’s Twitter account was, in fact, informing visitors that his location was Gas City, Indiana.
So they did in fact go crazy, making comments such as these in the skeptical one’s name:
“LOL GUYS HEARTBLEED IS NO BIGGIE YOU SILLY PARANOID AMERICANS”
“OK, Perhaps putting my password on a national news site is not so good”
“I am REALLLLLLY stupid - I am REALLLLLLY stupid...”
His WordPress account also appears to have been accessed, with one blog post headlined “OK, Perhaps putting my password on a national news site is not so good” very likely also written by somebody who grabbed his login credentials.
The post reiterates his comment about not giving a flying fig, then goes on to give the order in which his online accounts were hijacked:
“I actually posted my password right after this on a national news site, as well as bragging that my doors were open and I have no AV software. I see my Facebook was hit first, but perhaps I didn’t think that if someone gets access to my email, they have access to my bank, credit cards, most anything.”
His Facebook account was also still hijacked as of Thursday. So too was his account on Tumblr.
As Fung pointed out, this could all be a hoax. The WordPress blog post is written in the first-person voice, but it sure seems to echo the comments on the reader’s other accounts.
This scenario – purloined identities, comments posted by people who could be who they say they are or who could be imposters – echoes what happened at Mumsnet, which suffered one of the first two big Heartbleed breaches last week.
At Mumsnet, it became clear that user data was at risk when the username and password of the parenting site’s founder, Justine Roberts, were used to post a message online.
The stealing of online identities is nothing new. But in the wake of Heartbleed, identity theft might as well be popping steroids.
For the love of all things security, let’s not make it easier by posting our passwords online.
That stunt didn’t need Heartbleed to be stupid. It was pre-Heartbleed stupid.
But before he ever posted his passwords online or dared people to disembowel his online persona (another very bad idea), he committed another, far more pervasive security sin, one that many people commit: he reused passwords.
If you’re reading this post, there’s a good chance you don’t reuse passwords. Instead, you probably create strong passwords, at least 12 characters long, that mix letters, numbers and special characters whenever possible.
Obviously, we’re always talking about not reusing passwords at Naked Security, but it’s just one of our 3 essential security tasks. So while you’re fixing your passwords, please do the other 2 tasks as well. And regardless of how much espresso you might have drunk this morning, please don’t post your passwords online.