Security experts are advising the public to change their passwords in the wake of the Heartbleed bug, found at the core of the internet.
That's all of your passwords. And yes, that includes your bank, your email, your social networks and anywhere you've ever bought anything online.
The Heartbleed bug affects a technology known as OpenSSL, which is widely used to encrypt communications on the internet.
Usually this tech is only encountered by the public as a little "padlock" image at the bottom of your browser, indicating the site is secure.
Unfortunately, a team of three security researchers has identified a fatal flaw at the core of some versions of OpenSSL that could have let hackers steal passwords and other personal data silently, leaving no trace, for up to two years.
While the software flaw has been fixed and the fix is being rolled out by companies worldwide, it is too late if your communications have been intercepted by hackers at any point in the last two years.
In the last two days it has become substantially easier for anyone to exploit the flaw, security company NCC Group has warned.
"The level of knowledge now needed to exploit this vulnerability is substantially less than it was 36 hours ago," it told the BBC.
"Someone with a moderate level of technical skills running their own scripts - the Raspberry Pi generation - would probably be able to launch attacks successfully and gain sensitive information."
Meanwhile, Tumblr, the blogging platform owned by Yahoo, has advised users to change all of their passwords - and not just for its own site.
It said in a statement:
"Bad news. A major vulnerability, known as “Heartbleed,” has been disclosed for the technology that powers encryption across the majority of the internet. That includes Tumblr.
We have no evidence of any breach and, like most networks, our team took immediate action to fix the issue.
But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.
This might be a good day to call in sick and take some time to change your passwords everywhere—especially your high-security services like email, file storage, and banking, which may have been compromised by this bug."
The bug was discovered by three researchers from Codenomicon and a security researcher at Google. The vulnerability has existed since at least December 2011, though it is unclear if it has been used by hackers.
OpenSSL released the following statement along with the patch:
"A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server.
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1. Thanks to Neel Mehta of Google Security for discovering this bug and to Adam Langley and Bodo Moeller for preparing the fix."
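The "missing bounds check" in the statement above is easiest to see side by side with the check that was missing. The following is an added illustration, not OpenSSL's code: a simplified model of a heartbeat record (type byte, two-byte length, payload, padding) sitting in a small constructed memory arena with an unrelated secret stored just after it. The vulnerable handler trusts the length field in the record; the hardened handler first checks that the claimed payload actually fits inside the record it received, which is the shape of check the fix adds. The arena, the secret string and the function names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a TLS heartbeat record (not OpenSSL's structures):
 * 1 byte type, 2 bytes big-endian payload length, payload, 16 bytes padding. */
#define HB_TYPE_REQUEST  1
#define HB_TYPE_RESPONSE 2
#define HB_PADDING       16
#define ARENA_SIZE       256

/* A small "process memory" arena: the received record sits at the front,
 * and unrelated data (the secret) happens to lie right after it. */
struct arena {
    unsigned char mem[ARENA_SIZE];
    size_t record_len;   /* bytes of mem that really belong to the received record */
};

/* Place a heartbeat request in the arena whose header claims `claimed_len`
 * payload bytes but which actually carries `real_len`, then put `secret`
 * in the memory immediately following the record. */
void arena_build(struct arena *a, uint16_t claimed_len, size_t real_len, const char *secret) {
    memset(a->mem, 0, sizeof a->mem);
    a->mem[0] = HB_TYPE_REQUEST;
    a->mem[1] = (unsigned char)(claimed_len >> 8);
    a->mem[2] = (unsigned char)(claimed_len & 0xff);
    memset(a->mem + 3, 'A', real_len);           /* the real payload bytes */
    a->record_len = 3 + real_len + HB_PADDING;   /* padding is already zero */
    memcpy(a->mem + a->record_len, secret, strlen(secret));
}

/* Reads the two-byte big-endian length field from the record header. */
static uint16_t claimed_payload_len(const struct arena *a) {
    return (uint16_t)((a->mem[1] << 8) | a->mem[2]);
}

/* Writes a response echoing `payload_len` bytes from the record's payload
 * offset, followed by zero padding. Returns the response length. */
static size_t write_response(const struct arena *a, uint16_t payload_len,
                             unsigned char *out) {
    out[0] = HB_TYPE_RESPONSE;
    out[1] = a->mem[1];
    out[2] = a->mem[2];
    memcpy(out + 3, a->mem + 3, payload_len);
    memset(out + 3 + payload_len, 0, HB_PADDING);
    return 3 + (size_t)payload_len + HB_PADDING;
}

/* Vulnerable handler: echoes as many bytes as the header claims without
 * comparing that claim to record_len, so it reads past the record into the
 * adjacent memory. The only guard kept is the arena bound, so that this
 * demonstration itself stays well-defined. Returns 0 on refusal. */
size_t heartbeat_vulnerable(const struct arena *a, unsigned char *out, size_t out_cap) {
    uint16_t payload_len = claimed_payload_len(a);
    if (3 + (size_t)payload_len > ARENA_SIZE) return 0;
    if (3 + (size_t)payload_len + HB_PADDING > out_cap) return 0;
    return write_response(a, payload_len, out);
}

/* Hardened handler: the claimed payload plus header and padding must fit
 * inside the record actually received; otherwise the request is dropped. */
size_t heartbeat_fixed(const struct arena *a, unsigned char *out, size_t out_cap) {
    uint16_t payload_len = claimed_payload_len(a);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > a->record_len) return 0;
    if (3 + (size_t)payload_len + HB_PADDING > out_cap) return 0;
    return write_response(a, payload_len, out);
}

/* Returns 1 if `secret` appears anywhere in the response bytes, else 0. */
int response_leaks(const unsigned char *resp, size_t n, const char *secret) {
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(resp + i, secret, slen) == 0) return 1;
    return 0;
}

int main(void) {
    struct arena a;
    unsigned char out[ARENA_SIZE];
    const char *secret = "password=hunter2";   /* constructed sample secret */

    /* Header claims 100 bytes, record really carries 5. */
    arena_build(&a, 100, 5, secret);
    size_t n = heartbeat_vulnerable(&a, out, sizeof out);
    printf("vulnerable: %zu-byte response, secret leaked: %s\n",
           n, response_leaks(out, n, secret) ? "yes" : "no");
    n = heartbeat_fixed(&a, out, sizeof out);
    printf("fixed: %zu-byte response (0 = request dropped)\n", n);
    return 0;
}
```

The fixed handler silently discards an oversized request rather than answering it, which matches the behaviour a heartbeat peer should expect; a well-formed request whose length field is honest is still answered normally by both handlers.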
The team of researchers who found it add that there is a "bright side" to their discovery:
"For those service providers who are affected, this is a good opportunity to upgrade the security strength of the secret keys used. A lot of software gets updates which otherwise would not have been urgent. Although this is painful for the security community, we can rest assured that the infrastructure of the cyber criminals and their secrets have been exposed as well."