Weekly roundup in tech and retail

News and commentaries

Here’s the most relevant news this week in tech and retail.

In Tech:

  1. A massive 2-year-old security flaw in OpenSSL, Heartbleed, was discovered April 7, and affected companies are scrambling to patch everything from websites to routers
  2. Google news. Google Glass will be available to anyone in the US for 1 day only on April 15 at 6 AM ET, sign up here for the reminder; Google can now continuously scan apps for Android users to protect against malicious code
  3. Dropbox news. Dropbox announces: Project Harmony, which allows for collaboration for Microsoft Office files; Mailbox for Android; and Carousel, an app for photo/video archiving and sharing
  4. Amazon news. Amazon introduces Dash device for scanning and adding items to Amazon Fresh shopping list; Amazon acquires Comixology, a cloud-based digital comics platform
  5. Twitter acquires Cover, an Android lock screen app, which displays apps on an Android lock screen based on context and historical use

In Retail:

  1. LVMH shares surge Thursday as company reports 9% rise in Q1 2014 like-for-like sales of its fashion and leather goods, Louis Vuitton – a good sign for Nicolas Ghesquière’s appointment as artistic director
  2. After closing its stores in February, Loehmann’s is set to come back online in May
  3. Calvin Klein owner PVH invests in Karl Lagerfeld – the minority investment will allow the company to have the “right of first offer to license the brand in North America”
  4. Social shopping app, The Hunt, raises $10M in Series B funding led by Khosla Ventures
  5. Kering, owner of Gucci, may acquire lifestyle and sports brands within 3 years as it assesses its Puma brand

What you can do about Internet’s massive security flaw

News and commentaries, Technology

On Monday, April 7, security researchers from Google’s security team and Codenomicon reported a security flaw, dubbed “Heartbleed”, in OpenSSL, the web’s popular data-encryption standard. You might be affected either directly or indirectly since OpenSSL is the most popular standard being used to encrypt traffic over the Internet. Web servers such as Apache and nginx use OpenSSL and the combined market share of these two was over 66%.

Codenomicon has set up Heartbleed.com to address/explain the issue in detail as well as to release any news specific to the Heartbleed bug. I’ve listed the gist below from the website as well as other news sources:

  • OpenSSL is used for email servers (POP, SMTP, IMAP), chat servers (XMPP) and virtual private networks (VPN), which means that your email service, whether in your browser or on mobile, could be affected; instant messaging services and even your company’s servers could also be compromised
  • OpenSSL released an emergency patch on Monday, April 7, 2014. Websites that use OpenSSL are advised to immediately upgrade to this patch, OpenSSL 1.0.1g.
  • Unfortunately, the bug leaves no traces so there is no way to detect if you were directly affected.
  • A developer, Filippo Valsorda, has published a tool that lets you check whether a website is vulnerable here.
  • According to Valsorda’s site, Google, Facebook, Twitter and Dropbox are not compromised.
  • Notable sites affected are: Yahoo, Tumblr, Imgur, Flickr, OKCupid, Eventbrite, Stackexchange. You can find a compilation here.
  • The bug is called heartbleed because:

“Bug is in the OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.” (Heartbleed.com)

What you can do

Unless you’re the system administrator, there’s not much you can do. However, once the website has updated the OpenSSL version to the emergency patch, which Yahoo has done, immediately change your password for that service just in case you were affected. Mashable compiled a list of websites where you need to update your passwords ASAP.

Update: Added link to Mashable for list of websites.