Facebook employees caught leaving 5-star reviews for Portal on Amazon


If you visit the Facebook Portal listing over at Amazon.com, you’ll find plenty of five-star reviews of the smart display product. However, what you might not know is that a small handful of those glowing reviews are actually from Facebook employees.

That’s what Kevin Roose — tech columnist for The New York Times — exposed on Twitter earlier today. Roose didn’t use any secret trickery to find the clearly biased reviews; he simply checked the names. Three prominent Facebook employees used their own full names to review the product.


Not only is it a violation of Amazon’s TOS for a company employee to write reviews for its own products, but it also makes Facebook look a bit desperate. After all, it’s not easy to sell a product designed to sit in your home with a camera attached to it when the company is constantly in the news for data and privacy violations.

To that end, Facebook’s vice president of AR/VR Andrew Bosworth tweeted back to Roose:

[These reviews were] neither coordinated nor directed from the company. From an internal post at the launch: “We, unequivocally, DO NOT want Facebook employees to engage in leaving reviews for the products that we sell to Amazon.” We will ask them to take down.

Facebook Portal and its larger sibling Portal Plus are designed to act as an Alexa-powered smart speaker, a video-consumption device, as well as an easy way to have video chats through Facebook Messenger. Although you can easily turn the cameras and microphones off, Portal has had an uphill battle from the beginning since several Facebook privacy and security scandals have dominated headlines over the past year.

The Google Home Hub — another smart display released in 2018 — does not feature a camera.

Click the button below to buy a Facebook Portal — if you’re into that sort of thing.

Slimmed-down Weather Timeline app is coming back soon under new management


The much-loved weather app known as Weather Timeline unfortunately got removed from the Google Play Store last fall. Due to rising costs, the app’s creator — Sam Ruston — elected to hide the app from new users to keep functionality working for existing installs.

However, a different company ended up acquiring Weather Timeline. That company — the awkwardly-named ACME AtronOmatic — just pushed out a new update to the app, a big step on its way to re-release (via 9to5Google). ACME AtronOmatic also promised that Weather Timeline will be back on the Google Play Store soon in both a free, ad-supported version and a paid, premium version.


Unfortunately, Weather Timeline won’t be exactly the same as people remember it. The biggest change will be the source of the weather data: whereas the original app featured many different sources to give as accurate a prediction as possible for your local area, the new version only uses one source in the United States: MyRadar. That means other sources such as Weather Underground and the popular Dark Sky will no longer be options.

If you’re one of the lucky people who previously downloaded the original Weather Timeline, congratulations: you are grandfathered into the premium, ad-free version of the app. When the app does get re-published to the Play Store, new users will have to choose between seeing ads or paying for the premium variant (which, notably, is what Ruston was trying to avoid).

ACME AtronOmatic does promise that the “new” Weather Timeline will look and function much as it did before, albeit with the loss of major data sources.

We will let you know when the app gets re-published to the Play Store. In the meantime, check out our weather app roundup below:

NEXT: 15 best weather apps and weather widgets for Android

The massive Collection #1 data breach: What is it and what should you do?


  • Have I Been Pwned creator Troy Hunt announced the Collection #1 data breach.
  • The collection of files contains millions of compromised email addresses and passwords.
  • The compromised data supposedly comes from 2,000 databases.

Data breaches have become so commonplace nowadays that we’ve almost become numb to them. However, security researcher and Have I Been Pwned creator Troy Hunt just reported a data breach that will hurt for a long time: Collection #1.

Collection #1 is a massive file that was recently uploaded to cloud storage service Mega. The file features 12,000 separate files that contain 87GB of data.

What’s in the data, you might ask? 772,904,991 unique email addresses and 21,222,975 unique passwords. A significant issue is that the protective hashing on the stolen passwords has been cracked. That’s why the passwords show up as plain text instead of in the cryptographically hashed form they were in when the websites were breached.

These cracked passwords allow for a second issue, a practice called credential stuffing. Credential stuffing is when breached username or email/password combinations are then used to get into someone else’s account. Attackers don’t need to brute force or guess passwords — they can just automate the logins.

Credential stuffing is particularly concerning for those that use the same username and password combination across websites.


It just so happens that Collection #1 contains almost 2.7 billion combinations. It also just so happens that roughly 140 million email addresses and 10 million passwords from Collection #1 are new to the Have I Been Pwned database.

Let’s also not forget the decentralized nature of Collection #1. Previous breaches usually had a common silver lining: each breach could be tied down to one website. Not so with this breach, which comprises breaches across 2,000 databases.

In this case, the only possible silver lining is that Hunt doesn’t know if every single breach in Collection #1 is legitimate. However, Hunt also said that this is “the single largest breach ever to be loaded into HIBP.”

What should I do?

First, go to Have I Been Pwned and type in your email address. The site lets you know if an account that uses that email address was compromised.

If you already used Have I Been Pwned, you should have received a notification of the breach. Almost half of the site’s users are caught up in the breach, so keep that in mind if you’re a member.

From there, click the Passwords tab on the top of Have I Been Pwned. Pwned Passwords lets you know if your password was compromised and helps you to use strong passwords.
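A password can also be checked against Pwned Passwords programmatically without ever sending the password itself: the service's range endpoint (`https://api.pwnedpasswords.com/range/<prefix>`) takes only the first five hex characters of the password's SHA-1 hash and returns every matching suffix with a count. The sketch below is an added example, not code from the article or from Have I Been Pwned; it runs offline against a constructed stand-in for that endpoint, and the function names and breach counts are made up for illustration.

```python
import hashlib


def split_sha1(password):
    """Return (5-char prefix, 35-char suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, fetch_range):
    """Look a password up using only its hash prefix.

    fetch_range(prefix) must return the range response body: one
    "SUFFIX:COUNT" entry per line. The suffix comparison happens
    locally, so the service never learns which entry was of interest.
    """
    prefix, suffix = split_sha1(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def make_fake_service(known):
    """Constructed stand-in for the range endpoint (no network access).

    known maps plaintext passwords to made-up breach counts. The list
    of prefixes the "service" received is returned for inspection.
    """
    received = []

    def fetch_range(prefix):
        received.append(prefix)
        rows = []
        for pw, count in known.items():
            p, s = split_sha1(pw)
            if p == prefix:
                rows.append(f"{s}:{count}")
        # An unrelated, constructed entry that shares the prefix.
        rows.append("0" * 35 + ":1")
        return "\r\n".join(rows)

    return fetch_range, received


if __name__ == "__main__":
    fetch, received = make_fake_service({"password": 1000, "hunter2": 7})
    for pw in ("password", "hunter2", "a long unique passphrase 4471"):
        print(repr(pw), "seen", breach_count(pw, fetch), "times")
    print("prefixes sent to the service:", received)
```

To query the real service, replace the fake with a function that performs an HTTPS GET on the range URL for the given prefix and returns the response text.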


If you have a compromised email address and compromised passwords, it’s time to clean up your password practices. If a site supports it, use two-factor authentication. It might not be foolproof, but two-factor authentication helps to dissuade most that might want access to your account.

You can also avoid using the same password across multiple sites. It’s tempting to use the same password for the sake of convenience, but the practice is a dangerous double-edged sword.

Finally, use a password manager. 1Password, Dashlane, and LastPass are three of the more popular options out there, though you can also use the tried-and-true method of pen and paper.

Oh, and change your password. Definitely change your password. Make it something complex, something that can’t be found in a dictionary.

Android 9 Pie rolling out to Honor View 10 in the US

The Honor View 10 is one of the very few Huawei-made devices to be available in the United States. Those of you U.S. citizens who bought the popular 2017 smartphone will likely be excited to know that EMUI 9 — based on Android 9 Pie — is rolling out to U.S. variants now.

This update carries build number C567E6R1P12, which is specifically for the Honor View 10 model BKL-L04.

Since the update carries Android 9 Pie, it comes with the usual Pie upgrades such as adaptive battery, navigation gestures, revamped UI elements, etc. You can read all about what Pie has to offer in our roundup here.


EMUI 9 also has some specific upgrades of its own, such as more AI features, an upgraded game optimization program, etc. Check out what EMUI 9 has to offer here.

You likely will receive an OTA notification soon which you can use to upgrade your device. However, if you want to upgrade manually, you can open the HiCare app, select Update, and then follow the on-screen prompts.

If you don’t already own an Honor View 10, the device is going for only $389 on Amazon.com right now. Click below to grab one!

For 2019, expect more Nokia smartphones in the U.S.

Even though HMD Global is one of the fastest-growing smartphone makers in the world, its presence in the U.S. leaves much to be desired. That might change in 2019, when HMD Global looks to expand its presence in the U.S.

In an interview with Digital Trends, HMD chief marketing officer Pekka Rantala acknowledged that the U.S. is “one of the biggest smartphone markets in the world,” and that there are “big boys out there” in the U.S., where companies like Apple and Samsung hold the most mind and market share.

Even with stiff competition, Rantala is “confident” that HMD will increase its business in the U.S. this year.

To that end, HMD head of sales in the Americas Cristian Capelli said the company is in talks with U.S. carriers. Expanding its retail distribution remains HMD’s first goal in the U.S., but Capelli said that carriers will eventually “be the main outlet.”


You can currently buy Nokia smartphones in the U.S. from retailers like B&H, Amazon, Best Buy, Target, and Micro Center. For HMD to further expand its retail presence would be good news for its bottom line.

Also good news for its bottom line: selling a wider array of Nokia smartphones in the U.S. That’s not to say devices like the Nokia 6.1 and Nokia 7.1 are bad smartphones. It’s just that it would be nice to see higher-end smartphones like the Nokia 7 Plus and Nokia 8 Sirocco officially sold in the U.S. to increase competition and the number of choices.

In the U.S., you have Apple, you have Samsung, and you have everyone else. With the likes of LG and HTC struggling to regain relevance, HMD has a real chance to carve out a large space to call its own in the U.S.

YouTube is banning dangerous pranks and challenges including Bird Box and Tide Pod

After the Netflix Original Bird Box became a viral hit, people around the world uploaded videos to YouTube showing them compete in the Bird Box challenge. While some of the clips showing people stumble around their homes were funny, others involved dangerous stunts such as driving while blindfolded.

After receiving demands from the community to not allow these types of dangerous videos, YouTube has announced that it is banning all harmful challenges and pranks.

YouTube announced its policy changes yesterday in a blog post (via Ars Technica):

Dangerous challenges and pranks: Reminder – content that encourages violence or dangerous activities that may result in serious physical harm, distress or death violates our harmful and dangerous policy, so we’re clarifying what this means for dangerous challenges and pranks. YouTube is home to many beloved viral challenges and pranks, but we need to make sure what’s funny doesn’t cross the line into also being harmful or dangerous. We’ve updated our external guidelines to make it clear that we prohibit challenges presenting a risk of serious danger or death, and pranks that make victims believe they’re in serious physical danger, or cause children to experience severe emotional distress. Read more in this Dangerous Challenges & Pranks FAQ.

YouTube’s official policy on harmful or dangerous content has also been updated. The following items were added to the list that already included instructional bomb making, hard drug use, and other acts that may result in serious injury.

  • Challenges that encourage acts that have an inherent risk of severe physical harm
  • Pranks that make victims believe they’re in physical danger
  • Pranks that cause emotional distress to children

Many worry that YouTube’s guidelines are too ambiguous and will lead to some content being deleted while other content is left untouched. As YouTuber Philip DeFranco discusses, will this only remove videos involving dangerous stunts such as the Bird Box and Tide Pod challenges, or will it also wipe the platform free of everything that includes upsetting a child, such as Jimmy Kimmel’s Halloween Candy challenge?

To enforce these new policies and deter creators from uploading harmful videos, YouTube is using its community guidelines three-strike rule. After the channel has been stricken three times, the video platform can choose to shut it down completely.

YouTube is giving creators who have previously uploaded this type of content a pass. Over the next two months, any videos that were already uploaded involving harmful pranks or challenges will be deleted without striking the channel.

Critically-acclaimed platformer Oddmar is now available on the Play Store

Winner of the Apple Design Award 2018 and one of the best platformers on iOS, Oddmar is now available on the Google Play Store.

Oddmar stars the lazy and selfish Oddmar, who is pressed into service after the village chief forces him to carry out his Viking duties. In order to earn his place in Valhalla, Oddmar must burn down a forest. However, it’s this forest that grants him several powers from magical mushrooms if he protects the forest from evil creatures.

The story won’t win awards, but the looks sure will. Oddmar’s quality of animation doesn’t have a peer in the world of mobile games and is on par with Ubisoft’s Rayman games from the early 2010s. You’ll have to play it to properly understand, but the animation makes Oddmar better to play with your fingers than with a controller.


Speaking of which, the game’s description in the Google Play Store says it supports game controllers, but we couldn’t get our Shield controller to work with it.

Oddmar features 24 levels with various traps and challenges. Each level features three challenges, with some challenges tasking players to complete certain levels as quickly as possible.

You can download Oddmar at the link below. The first chapter is free, with the remaining chapters costing $5.49 to unlock. 

Fortnite security flaw allowed hackers to overtake user accounts easily

A Fortnite security flaw was discovered by Check Point Research towards the end of 2018. The vulnerability allowed hackers to easily initiate a phishing scheme by sending users links that looked like login pages, but actually harvested user accounts.

CPR notified Epic Games of the flaw in November, and Epic patched the vulnerability weeks later. However, during that time — and for some time before CPR sent the notice — Fortnite users were at serious risk of fraud.

CPR details exactly how the exploit worked in a very technical explanation on its blog. However, the gist of the process was fairly simple:

  • Hackers exploit the single-sign-on system Fortnite uses, which allows a user to log in to Fortnite using other accounts, such as Facebook, Nintendo, Google+, etc.
  • The hackers then send a link to a user which looks legit. However, it actually redirects them through a different server which scrapes their login info.
  • Since the link looked legit and the user didn’t have to actually enter their credentials, the user thinks nothing happened.
  • Hackers obtain the login info, overtake the account, and use the attached payment options to make fraudulent transactions.

According to The Verge, hackers who used this exploit would buy Fortnite’s in-game currency (V-Bucks) using the hijacked accounts, gift those V-Bucks to another account, and then sell the V-Bucks at a discounted rate to other players on the dark web.

Fortnite earns billions of dollars from in-game sales, so this fraudulent activity could be quite lucrative.

Epic Games said in a statement: “We were made aware of the vulnerabilities and they were soon addressed. We thank Check Point for bringing this to our attention. As always, we encourage players to protect their accounts by not re-using passwords and using strong passwords, and not sharing account information with others.”

Although this vulnerability is now patched, this should be a reminder to all to use strong passwords, change them often, and only enter credentials into trustworthy websites.


US Court: Police can’t force people to unlock their phone with biometrics

More U.S. judges are siding with citizens’ privacy rights when it comes to mobile device searches.

A judge for the U.S. District Court for the Northern District of California recently ruled that U.S. law enforcement cannot force people to use their face, finger, or other biometric method to unlock their device. This remains true even in instances when a warrant gives law enforcement the right to search the device. The order, first reported by Forbes, is seen as a win for citizens.

Before this order, law enforcement could wrangle people into pressing their thumb on a fingerprint reader or looking at their phone to unlock it. For example, in October 2018 the FBI forced a suspected child abuser to use his face to unlock his phone. At the same time, however, the law does not allow police to force suspects to provide a PIN, password, or passcode. This new ruling puts all unlocking methods on the same playing field, protecting people’s privacy.

At issue are rights guaranteed in the Fourth and Fifth Amendments concerning searches, privacy, and self-incrimination.

“If a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one’s finger, thumb, iris, face, or other biometric feature to unlock that same device,” said the judge.

The relevant case involves an extortion crime tied to Facebook wherein the suspects allegedly demanded payment lest they release “embarrassing” photos of the victim to social media contacts. Law enforcement was granted a warrant to search the suspects’ phones. The police attempted to have the suspects unlock their devices with fingerprint and face identification, but the suspects refused.

While this ruling doesn’t instantly mean every such case in the country should be overturned, it may be used to set precedent in future cases. Moving forward, law enforcement will need to be more careful about privacy and how suspect devices are unlocked.

Of course, police use of GrayKey makes this ruling somewhat irrelevant. The GrayKey is a device available to law enforcement that can beat the passcode on iPhones. Officers need only connect the iPhone to the device via Lightning cable and the box does the rest.

Apple responded by adding a function to iOS 12 that defeats this tool by locking out the Lightning port for any purpose other than charging when the phone is secured. It’s not clear if or how the GrayKey handles Android devices.

Sprint’s new rewards program gives you discounted stuff and things

With the other three carriers having some sort of rewards program, it makes sense for Sprint to finally offer one of its own. Called “My Sprint Rewards,” the rewards program offers several perks for Sprint subscribers.

My Sprint Rewards features two main sections: Sprint Rewards and Sprint Marketplace. Sprint Rewards features “special deals and experiences” from Sprint, along with special perks from various brands. For example, AMC offers specials on concerts, movies, sporting events, and theme parks.

Sprint Marketplace offers “thousands” of discounts on things like food, electronics, vacation packages, and more. Sprint Marketplace also features cashback rewards that net you anywhere from three to 20 percent cash back on select purchases.

Keep in mind that you’ll have to accrue at least $10 before you can redeem your cash back. Also, it might take up to 45 days for merchants to report your purchase to Sprint and for you to view your cash back balance on your account.

You can save as many offers as you want and use them whenever you want, so long as you keep their expiration dates in mind. That differs a bit from T-Mobile Tuesdays, which features deals that you can only get on Tuesdays.


My Sprint Rewards also includes a few other quality-of-life features, which include a small map that shows nearby offers and the ability to look up offers by category.

To get the app up and running, you’ll first need to enter your phone number. You’ll then get a one-time text message with a four-digit PIN. Finally, you’ll need to plug in the PIN, along with your name, email address, and ZIP code.

You can download My Sprint Rewards at the link below.