Heartbleed Hack, NSA and openSSL

mmonroe
04-11-2014, 06:41 PM
"The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said..."

Massive OpenSSL Bug 'Heartbleed' Threatens Sensitive Data (http://online.wsj.com/news/articles/SB10001424052702304819004579489813056799076)
By Danny Yadron Updated April 8, 2014 7:29 p.m. ET

Security Advisory: Heartbeat overflow issue (https://www.openssl.org/news/secadv_20140407.txt)

NSA Said to Exploit Heartbleed Bug for Intelligence for Years - Bloomberg (http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html)
By Michael Riley Apr 11, 2014 6:14 PM CT

U.S. Denies Knowledge of Heartbleed Bug on the Web (http://www.nytimes.com/2014/04/12/us/us-denies-knowledge-of-heartbleed-bug-on-the-web.html?_r=0)
By David E. Sanger and Nicole Perlroth, April 11, 2014

SoonerDave
04-11-2014, 08:26 PM
Well, we're seeing here the first real, tangible downsides of what's been described over the last, what, ten years (?) of "open source" software with disconnected, decentralized group development. Many good things have come from open source, but perhaps we're seeing some of the downside now.

mmonroe
04-12-2014, 02:03 PM
I'll state my bias first: I am an open source advocate and have been since 1999.

With the advancement in technology there is no need to be physically located in a centralized group. The problem that happened with OpenSSL (btw, a free alternative to expensive 3rd party SSL certificates, if you're in your own self-hosted environment) is an exploit. The only time a "hacker/NSA agent" could potentially collect your data (the data possibly being a username/password, even a CC number) out of the memory of a client connected to a server running OpenSSL, or of a server running OpenSSL, is when you communicate with the server. This exploit allows up to 64Kb of that data to be extracted, in text form; that is A LOT.

There are TONS of sites currently running OpenSSL; even the "big guys" are running OpenSSL, not all of them, mind you. Some of the other "big guys" are running proprietary SSL or a proprietary 3rd party SSL. Just because those other guys are running a proprietary SSL doesn't mean there isn't a different exploit that could be found if one existed, or could be created with an update.

The only problem with open source is the openness, but it's also one of its greatest assets. We saw a community come together to create a free alternative to expensive proprietary software that is used and updated by hundreds of thousands of people and companies.

To prevent this problem from happening in the future, more rigorous security checks need to happen before a release.

Snowman
04-12-2014, 03:38 PM
Well, we're seeing here the first real, tangible downsides of what's been described over the last, what, ten years (?) of "open source" software with disconnected, decentralized group development. Many good things have come from open source, but perhaps we're seeing some of the downside now.

The roots of open source software go back to at least the 60s; while they may not technically have had the same licensing or used the same organizational structures, they had similar ideals and/or practices. Security is something a lot of organizations/individuals using any method have done badly with; there are open source groups that have quite good reputations for security practices. What surprised me about this was that, for how important this project is to many people, it has only a few people involved in its development and a pretty small budget.

Prunepicker
04-12-2014, 05:38 PM
Well, we're seeing here the first real, tangible downsides of what's been described over the last, what, ten years (?) of "open source" software with disconnected, decentralized group development. Many good things have come from open source, but perhaps we're seeing some of the downside now.

Dude! I'm totally pro open source, i.e. Open Office and Firefox. I hope this isn't as serious as it appears to be.

Prunepicker
04-12-2014, 05:42 PM
I'll state my bias first, I am an Open Source advocate and have been since 1999.

With the advancement in technology there is no need to be physically located in a centralized group...

I feel better. I've often been worried that my Commodore 64 might be compromised.