Alex Hern reports for The Guardian this disturbing fact about the recently disclosed OpenSSL bug, now two years old and pervasive:

servers vulnerable to Heartbleed are less secure than they would be if they simply had no encryption at all.

How? The bug allows access even to information the encryption wasn’t protecting.

Charlie Savage of The New York Times:

the new proposal focuses on strengthening wiretap orders issued by judges. Currently, such orders instruct recipients to provide technical assistance to law enforcement agencies, leaving wiggle room for companies to say they tried but could not make the technology work. Under the new proposal, providers could be ordered to comply, and judges could impose fines if they did not.

Concerns that this would prompt similar measures from repressive governments abroad are not overblown. If we expect foreign companies to submit to these procedures, their governments will expect US companies to do the same. I’m surprised this article doesn’t mention anything about what the Obama administration’s diplomats and international law folks think about all of this.

Google apologists like myself often answer concerns that the search-and-advertising giant can scan your email with something like “yes, but they’re doing it with robots and scrubbing it clean of all identifying information.”

China, however, is not so concerned with your privacy or its own image. In fact, monitoring otherwise-harmless civilians probably proves valuable to the renegade nation by illustrating the best means of tricking US netizens into installing backdoor viruses on their systems.

The most important point this article makes, in my view, is that China is playing the long game on cyberespionage efforts. As David Feith reports in the Wall Street Journal piece linked to above:

The essence of China’s thinking about cyber warfare is the concept of shi, he says, first introduced in Sun Tzu’s “The Art of War” about 2,500 years ago. The concept’s English translation is debated, but Mr. Thomas subscribes to the rendering of Chinese Gen. Tao Hanzhang, who defines shi as “the strategically advantageous posture before a battle.”

They’re not going to take down any infrastructure any time soon, but if and when they want to, their current efforts will probably go a long way to helping them learn how to do it.

This stuff is not just a headline: it’s been happening for some time, is still happening, and is likely only to increase. Mr. Feith’s article at the Journal is well worth reading.

Cotton Delo of Ad Age:

The targeting would hypothetically enable Coca-Cola to target to teenagers who’ve bought soda in the last month, or Pampers to show ads to North Carolina residents who’ve recently bought baby products, since Facebook’s own array of demographic and interest-based targeting options can be added to further refine audience segments. But adoption will be contingent on acceptance by corporate legal departments wary of becoming embroiled in a consumer privacy scare.

It’s not something I would rush into if I was one of those “corporate legal departments.” It’s not that I have some conspiracy theory about Facebook, or those data banks. I don’t. We give data to those data banks willingly when we use those discount cards. Shame on us for not reading the fine print.

And Facebook? They’re the same: the fact that nothing private is guaranteed to stay that way on the internet is common knowledge these days, and those who don’t know should know.

What would worry me as in-house counsel is what hackers will find when they inevitably get their hands on some of this data. In other words, Facebook and data banks are the devils we know. I would keep clients out of this plan because of the devils we don’t know.

These look a lot like “feeler” operations, meant to gauge the reaction attackers can expect from victim institutions and nations. The United States (read: Congress) must act immediately to ensure that we’re ready when attackers stop slowing down or blocking bank websites and start trying to steal customer data en masse.

Matt Brian writing at The Next Web:

In our tests, I had mixed results. Initially, my iPhone continued to remain in range, meaning that if I was to walk around the office or different rooms in the house, my Mac remained awake and usable. However, if I went outside a range of around 10-15 meters, Keycard did its thing without an issue.

I’m not sure $6.99 is a viable price for 1.0 app whose developers are still perfecting activation range and that is suffering from “random screen locks when the device is still in range,” but it’s a neat concept. I’d find it especially useful in an Apple-focused office environment or a co-working space. Here’s a direct link to the iTunes store if you want to check it out.

Tor gets a headline at WSJ.com.

The Next Web's Emil Protalinski, quoting HP's head of enterprise services Mikle Nefkens:

“This means the attacks average out at about 1,833 per minute or 30 every second.” Those figures are simply astonishing. Extrapolating the other way, it means the US Navy is attacked some 96.36 billion times every year.

If you ever doubted the importance of cyber-preparedness, this should go a long way toward assuaging those doubts.

Two-factor authentication is a pain in the ass. Just ask my Google account or my Dropbox account. But it’s a no-brainer. Savvy users will flock to it, seeing the value in the headache. Less-than-savvy users don’t need to be forced into it, but Twitter is as good a platform as any to explain to folks why it’s worth the additional steps to log in sometimes.

Dan Goodin at Ars Technica explains how researchers found that 8% of apps in a 13,500-app sample were susceptible to man-in-the-middle attacks. Hopefully developers will revisit their SSL implementations or, better yet, Google will update future versions of the Android SDK to disallow some of the poor coding decisions that cause these vulnerabilities.

Patrick Gray, writing at The Register:

Jack also warned of a worst-case scenario in which a worm could infect multiple devices, spreading from patient to patient, re-flashing the devices with malicious code as it foes. This code could be programmed to deliver fatal shocks to patients implanted with vulnerable implants at a scheduled time.

So many lives depend upon the safe operation of a device like a pacemaker, including some of my dearest family. The good news here is that the researcher who discovered the vulnerability is ready and willing to work with manufacturers to design around the security weaknesses in these devices.

But perhaps more importantly, what about devices that have already been implanted in patients? I hope the corrections can be made via a software update so that even current patients can receive the fixes.

As an aside, this technology could also be used in the cyberwarfare arena for exceptionally clandestine assassinations.

Joseph Menn, quoting an anonymous source for Reuters:

We knew certain parts of government really wanted” evidence of active spying, said one of the people, who requested anonymity. “We would have found it if it were there.

I don’t know enough about this specific issue and the problem of cyberwarfare threats generally. My time in International Law this semester and previous courses like Cyberlaw and Cyberprivacy are coalescing in my mind into a strong area of interest, though, so I expect to follow this and similar issues closely and (hopefully) develop more substantive opinions about them over the next two months.

Developer Kevin Burke describes in damning detail how easy it is to brute force Virgin Mobile USA account PINs, as well as the company’s incompetent and opaque handling of the situation.