1. The cat is out of the bag, and it is "out there" now
2. Everybody knows about it
3. The code is screwed on so many levels that it's actually funny
4. The random number generator is a complete disaster
5. Memory management is Heartbleed-level on steroids
6. There are literally comments in the random generator that state explicitly that it isn't random
7. It spits out a nice-looking fake random-ish thing that leaks info about the key
8. There is literally a comment that says something like "HERE IS A PADDING ORACLE," followed by an actual real-life padding oracle, lol
9. valgrind reveals the code doesn't compile the way you think it does
10. Looks like a bug in gcc they're taking advantage of to do code-injection DURING THE COMPILE (wew lad)
11. You can see this by compiling and decompiling and looking at how the code is different
12. Other tools are not fooled, but gdb is fooled, so there may even be an exploit in gdb
13. Reaction from OpenSSL headquarters: "lol what? who, me? hey, what's that over there? *smoke grenade*"
14. People flying to LibreSSL at light speed
15. Finance sector didn't want to touch this with a 10-foot pole, moved off immediately

Writeup of bug so far (to be updated soon):
1. Technical writeup - zerobinqmdqd236y.onion/?db7270cde887391c#iDX2jFWUqXqTV8ne4Szqs5UakxEWc7mJu8LonjE7jm4=
2. Ridiculous comments - zerobinqmdqd236y.onion/?779e3ea0f8da54c5#asq6no4V9AQKX/lf7ySpjRhur2nT/YHzorPc5sfrOwQ=