Makefile: Makefile.m4
	m4 $^ > $@
kolshica:

SCOOTS IS OVERWEIGHTED.
so we need more breezy dashes!

(Reblogged from kolshica)

I stated earlier that there is no point in changing passwords before tumblr changes their private keys. And they did just that before issuing the notice on top. However, the old certificate is NOT revoked yet at the time of my writing, so if the keys were leaked, an attacker could still use them to impersonate tumblr without any kind of warning from your browser whatsoever. So verify manually that the site you are communicating with is not using the old certificate (click on the lock icon, look for certificate information and compare RSA moduli… jk, just compare fingerprints).

Tumblr wouldn’t have any need for changing certificates if they weren’t affected by Heartbleed, so henceforth I assume it was. It’s actually unlikely that the server’s private key leaked, but it’s certainly possible and there is no way to verify whether it happened or not, so revoking it is a must. What certainly leaked is buffers containing scraps of actual data transferred, esp. cookies and, yes, passwords. If you logged in during the last week, you should assume your password is compromised. Regardless, it’s a good idea to change your password now even if it is unlikely to have leaked. It’s good hygiene.

Changing your passwords everywhere still serves no purpose. Though, if you used the same password somewhere else, fix it now and learn to use a password manager.
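The fingerprint comparison described above can be scripted. The following is an added example, not part of the original post; it also generalizes the check by flagging any certificate issued before a cutoff date. The names `assess` and `fetch`, the cutoff (the Heartbleed disclosure date) and the sample bytes are assumptions made for illustration.

```python
import hashlib
import socket
import ssl

# Assumption: Heartbleed public disclosure date, used as the cutoff for "old" certificates.
CUTOFF = "Apr  7 00:00:00 2014 GMT"

def normalize(fp):
    """Drop colons/spaces and case so browser-style and plain hex fingerprints compare equal."""
    return "".join(c for c in fp if c.isalnum()).lower()

def fingerprint(der):
    """SHA-256 over the DER-encoded certificate, shown by browsers as its fingerprint."""
    return hashlib.sha256(der).hexdigest()

def assess(der, not_before, retired_fps, cutoff=CUTOFF):
    """Return findings for one presented certificate (empty list = nothing flagged)."""
    findings = []
    if fingerprint(der) in {normalize(f) for f in retired_fps}:
        findings.append("retired-certificate")
    if ssl.cert_time_to_seconds(not_before) < ssl.cert_time_to_seconds(cutoff):
        findings.append("issued-before-cutoff")
    return findings

def fetch(host, port=443, timeout=10):
    """Fetch what a live server presents (needs network; the chain is still validated)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()["notBefore"]

# Constructed samples: placeholder bytes standing in for DER certificates.
OLD_DER = b"constructed-old-certificate"
NEW_DER = b"constructed-replacement-certificate"
# The old fingerprint as a certificate dialog would show it: upper case, colon separated.
_h = fingerprint(OLD_DER).upper()
OLD_FP = ":".join(_h[i:i + 2] for i in range(0, len(_h), 2))

if __name__ == "__main__":
    print(assess(OLD_DER, "May 15 00:00:00 2013 GMT", [OLD_FP]))
    print(assess(NEW_DER, "Apr  9 00:00:00 2014 GMT", [OLD_FP]))
```

An empty result only shows that the presented certificate is not the retired one and was issued after the cutoff; it does not prove the replacement uses a freshly generated key.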

It’s a bit disappointing that tumblr staff’s post on the matter consists mostly of FUD and doesn’t answer the most crucial question: was tumblr affected or not? Did tumblr use OpenSSL version 1.0.1–1.0.1f or 1.0.2-beta1? It didn’t spew its guts when I checked, so either tumblr wasn’t affected at all or patched it before I checked. In the latter case the server’s private keys should be tumblr’s first worry rather than our passwords. It makes absolutely NO sense to change passwords before tumblr’s private keys (and therefore also certificates) are regenerated from scratch.

At the time of my writing, tumblr presented a certificate signed in May 2013.

(Source: imgflip.com)

AWAY WITH THE RED PLAGUE
NO TO THE “FOUR SLEEPERS”