
Friday, March 30, 2018


Technology - Google News


Under Armour MyFitnessPal hack: 5 things to know

Posted: 30 Mar 2018 07:38 AM PDT

It's the data security news you never want to hear: 150 million MyFitnessPal user accounts have been hacked, Under Armour says, a huge breach of the health-tracking service. Earlier this year, somebody broke into the company's systems and yanked out usernames, email addresses, and more. Here are the answers to the five big questions you probably have, and what you should do next if you think you're affected by the MyFitnessPal breach.

So what happened?

A lot of that, MyFitnessPal still isn't sure about. The company says it was alerted to a breach of its database on March 25, 2018. The breach itself took place in February 2018, it claims. "We do not know the identity of the unauthorized party," MyFitnessPal admits. "Our investigation into this matter is ongoing."

The company is now working with data security firms and law enforcement to get to the bottom of the breach. However, in the meantime there's the potential for phishing attempts and attempts at unauthorized access of other services using the data that was stolen.

What information was taken?

There's good news and bad news when it comes to the stolen data. The bad news is that the affected information included MyFitnessPal usernames, their related email addresses, and hashed passwords. The good news is that, since the site never asked for them, Social Security numbers and other similar data weren't taken. Payments were processed separately, and so weren't included either.

Although the usernames and email addresses could be more readily viewed, the passwords have gone through a process known as "hashing" to protect them. MyFitnessPal used a password-hashing function called bcrypt to do that, effectively taking the password each user set and converting it into another string of data. The idea is that the converted version can't be reverted back to the original.

If the password is hashed, what's the risk?

Had MyFitnessPal kept the passwords in plaintext, that would've been a huge mistake: anybody with the stolen data would have the keys to a vast number of accounts. However, even with just email addresses and usernames, it's possible to do some serious damage. That's why MyFitnessPal users should be wary of potential phishing attacks.

With the knowledge that you're a user of the Under Armour service, and of your email and your username, a hacker could put together a reasonably convincing message that looked as though it was coming from MyFitnessPal. Indeed, the fact that this hack is getting public attention means people are likely to be looking out for MyFitnessPal emails, and be more likely to open them, read them, and click on any links or attachments they include. That could end up leading to further data theft, if unofficial third parties ask for more personal details like credit card numbers or SSNs, or to malware or spyware being installed on victims' computers.

MyFitnessPal has already said that, in the emails it's sending notifying users of the hack, there are no links or attachments. Nor do they ask for personal data. "If the email you received about this issue prompts you to click on a link, suggests you download an attachment, or asks you for information," the company says, "the email was not sent by MyFitnessPal and may be an attempt to steal your personal data."

I never signed up to MyFitnessPal, am I at risk?

Making the situation a little more complex is the fact that you might not have realized you were necessarily creating an account with MyFitnessPal specifically. Under Armour's service works with a number of different fitness wearables from a variety of manufacturers. That includes Fitbit, Garmin, and more.

So what do I do next?

Top of your to-do list should be changing your password on MyFitnessPal. You can do that by logging into the desktop site with your username and password, clicking on the "My Home" tab, then "Settings" and finally "Change Password." Strong passwords use letters, numbers, and symbols, but avoid personal information and common words.

As with any security breach like this, the broader risk is when you've used the same username and password across multiple sites and services. If that's the case, take the time to go through them and change other passwords if necessary. This is probably a good opportunity to consider using a password manager like Keeper, 1Password, or LastPass.


Here are the internal Facebook posts of employees discussing today's leaked memo

Posted: 29 Mar 2018 10:54 PM PDT

The publication of a June 2016 memo describing the consequences of Facebook's growth-at-all-costs approach triggered an emotional conversation at the company today. An internal post reacting to the memo found employees angry and heartbroken that their teammates were sharing internal company discussions with the media. Many called on the company to step up its war on leakers and hire employees with more "integrity."

On Thursday evening, BuzzFeed published a memo from Andrew "Boz" Bosworth, a vice president at Facebook who currently leads its hardware efforts. In the memo, Bosworth says that the company's core function is to connect people, despite consequences that he repeatedly called "ugly." "That's why all the work we do in growth is justified. All the questionable contact importing practices," he wrote. "All the subtle language that helps people stay searchable by friends. All of the work we do to bring more communication in. The work we will likely have to do in China some day. All of it."

Bosworth distanced himself from the memo, saying in a Twitter post that he hadn't agreed with those words even when he wrote them. He was trying to galvanize a discussion around the company's growth strategy, he said. CEO Mark Zuckerberg told BuzzFeed that he had not agreed with the sentiments in the post at the time, and that growth should not be a means to an end in itself. "We recognize that connecting people isn't enough by itself. We also need to work to bring people closer together," Zuckerberg said.

After publishing the memo, Bosworth deleted his original post. "While I won't go quite as far as to call it a straw man, that post was definitely designed to provoke a response," Bosworth wrote in a memo obtained by The Verge. "It served effectively as a call for people across the company to get involved in the debate about how we conduct ourselves amid the ever changing mores of the online community. The post was of no particular consequence in and of itself, it was the comments that were impressive. A conversation over the course of years that was alive and well even going into this week.

"That conversation is now gone," Bosworth continued. "And I won't be the one to bring it back for fear it will be misunderstood by a broader population that doesn't have full context on who we are and how we work."

Facebook and Bosworth declined to comment.

Nearly 3,000 employees had reacted to Bosworth's memo when The Verge viewed it, responding with a mixture of likes, "sad," and "angry" reactions. Many employees rallied to Bosworth's side, praising him for sharing his feelings about sensitive company matters using blunt language.

Others criticized Bosworth for deleting the post, saying it fueled a narrative about the company that it had something to hide. "Deleting things usually looks bad in retrospect," one wrote. "Please don't feed the fire by giving these individuals more fuel (eg, Facebook execs deleting internal communications). If we are no longer open and transparent, and instead lock-down and delete, then our culture is also destroyed — but by our own hand."

Dozens of employees criticized the unknown leakers at the company. "Leakers, please resign instead of sabotaging the company," one wrote in a comment under Bosworth's post. Wrote another: "How fucking terrible that some irresponsible jerk decided he or she had some god complex that jeopardizes our inner culture and something that makes Facebook great?"

Several employees suggested Facebook attempt to screen employees for a high degree of "integrity" during the hiring process. "Although we all subconsciously look for signal on integrity in interviews, should we consider whether this needs to be formalized in the interview process?" one wrote.

Wrote another: "This is so disappointing, wonder if there is a way to hire for integrity. We are probably focusing on the intelligence part and getting smart people here who lack a moral compass and loyalty."

Other employees said it would be difficult to detect leakers before they acted.

"I don't think we've seen a huge internally leaked data breach, but I've always thought our 'open but punitive' stance was particularly vulnerable to suicide bombers," one employee wrote. "We would be foolish to think that we could adequately screen against them in a hiring process at our scale. … We have our representative share of sick people, drug addicts, wife beaters, and suicide bombers. Some of this cannot be mitigated by training. To me, this makes it just a matter of time."

That employee followed up to say: "OMG, I just ran back to my 'puter from a half-eaten lunch with food in my mouth. APOLOGIES to our brothers and sisters in the Austin Office for my insensitive choice of metaphors/words. I'm sorry."

Another theory floated by multiple employees is that Facebook has been targeted by spies or state-level actors hoping to embarrass the company. "Keep in mind that leakers could be intentionally placed bad actors, not just employees making a one-off bad decision," one wrote. "Thinking adversarially, if I wanted info from Facebook, the easiest path would be to get people hired into low-level employee or contract roles." Another wrote: "Imagine that some percentage of leakers are spies for governments. A call to morals or problems of performance would be irrelevant in this case, because dissolution is the intent of those actors. If that's our threat — and maybe it is, given the current political situation? — then is it even possible to build a system that defaults to open, but that is able to resist these bad actors (or do we need to redesign the system?)"

Several employees shared concerns that the leaks had removed some of Facebook's luster. The company is routinely cited as among the best places to work in America.

"If this leak #$%^ continues, we will become like every other company where people are hesitant to discuss broad-reaching, forward-looking ideas and thoughts, that only the very average ideas and thoughts get discussed and executed," one employee wrote. "Making them average companies."

Another employee responded: "Will become? Seems like we are there."

The leaks also became cause for discussion about the company's internal sharing tools. Facebook runs on its enterprise product, Facebook for Work. One employee wondered whether the critics of leakers had ignored incentives for sharing created by the product itself. It's a nuanced thought worth sharing in full:

"It's interesting to note that this discussion is about leaks pushing us to be more cognizant of our sharing decisions. The result is that we are incentivized toward stricter audience management and awareness of how our past internal posts may look when re-surfaced today. We blame a few ill-intentioned employees for this change.

"The non-employee Facebook user base is also experiencing a similar shift: the move toward ephemeral and direct sharing results from realizing that social media posts that were shared broadly and are searchable forever can become a huge liability today.

"A key difference between the outside discussion and the internal discussion is that the outside blames the Facebook product for nudging people to make those broad sharing decisions years ago, whereas internally the focus is entirely on employees."

Another employee made a similar plea for empathy. "Can we channel our outrage over the mishandling of our information into an empathy for our users' situation? Can the deletion of a post help us better understand #deletefacebook? How we encourage ourselves to remain open while acknowledging a world that doesn't always respect the audience and intention of that information might just be the key to it all. Maybe we should be dogfooding that?"

For his part, Bosworth promised employees he would continue sharing candid thoughts about Facebook, but said he would likely post less. "When posting comes with the risk that I'll have to blow up my schedule and defend myself to the national press," he wrote, "you can imagine it is an inhibitor."

Here is Bosworth's full memo to the company today.

I'm feeling a little heartbroken tonight.

I had multiple reporters reach out today with different stories containing leaks of internal information.

In response to one of the leaks I have chosen to delete a post I made a couple of years ago about our mission to connect people and the ways we grow. While I won't go quite as far as to call it a straw man, that post was definitely designed to provoke a response. It served effectively as a call for people across the company to get involved in the debate about how we conduct ourselves amid the ever changing mores of the online community. The post was of no particular consequence in and of itself, it was the comments that were impressive. A conversation over the course of years that was alive and well even going into this week.

That conversation is now gone. And I won't be the one to bring it back for fear it will be misunderstood by a broader population that doesn't have full context on who we are and how we work.

This is the very real cost of leaks. We had a sensitive topic that we could engage on openly and explore even bad ideas, even if just to eliminate them. If we have to live in fear that even our bad ideas will be exposed then we won't explore them or understand them as such, we won't clearly label them as such, we run a much greater risk of stumbling on them later. Conversations go underground or don't happen at all. And not only are we worse off for it, so are the people who use our products.

Casey Newton can be reached at casey@theverge.com, or message him on Twitter @CaseyNewton for his Signal. Sign up for The Interface, The Verge's daily newsletter about social media and democracy, at this link.


5 awesome new iPhone features in iOS 11.3 that no one is talking about

Posted: 30 Mar 2018 07:19 AM PDT

It seems like it took forever, but Apple finally released its hotly anticipated iOS 11.3 update on Thursday afternoon. Why would a software update other than iOS 12 be hotly anticipated, you ask? Despite merely being a "dot" update, this iOS 11.3 release includes a feature that iPhone users have been dying for: a way to disable Apple's automatic iPhone throttling on devices with older batteries.

In case you've been living under a rock, it was revealed earlier this year that Apple had been secretly limiting performance on older iPhone models with batteries that had degraded to a certain point. This mechanism had been added to iOS last year in an effort to prevent inadvertent shutdowns (remember the "30% bug"?), but the fact that Apple did it without telling customers played right into the planned obsolescence conspiracy theories. You know, the people who say Apple secretly slows down older devices to get people to buy new ones. We've all laughed at those theories for years… and then it actually happened — though according to statements from Apple, its goal was to stop phones from shutting down rather than force upgrades.

Whatever the case, new battery health features and the ability to disable throttling are definitely the most talked about additions to Apple's mobile software in iOS 11.3. There are some other things that have Apple fans buzzing as well, such as four new Animoji characters — lion, bear, dragon, and skull — and notifications when iOS wants your personal data. There's much more to the iOS 11.3 update, though, and in this post we'll discuss five cool new features that you might not know about.

Speed and performance improvements

If you have an older iPhone and you disable Apple's throttling feature, you're obviously going to notice huge improvements where UI speed and overall performance are concerned. As a quick recap, Lithium-Ion batteries lose capacity over time as they endure more and more charge cycles. Once the remaining capacity reaches a certain point, earlier versions of iOS automatically throttle performance as a workaround for the shutdown bug that was driving users crazy. Phones would remain throttled until the battery was replaced, which is why Apple slashed the price of its battery swap program as a mea culpa. Now, in iOS 11.3, users can disable throttling so their older iPhones are no longer slowed down.

Yes, we all know that feature has been added to iOS 11.3. What far fewer people are discussing, however, is that RAM management appears to have been improved in iOS 11.3, which is also a huge deal.

iOS 11 has been plagued by serious RAM management issues ever since it was released. You know those real-life speed tests YouTubers love, where iPhones would always crush the latest Android phone? Well, iPhones have been losing those races lately because they don't use RAM efficiently. Apps that should remain "frozen" in the background were being closed completely when new apps were opened because there wasn't enough available RAM to store their statuses.

It's still early, but my own initial testing suggests that Apple has made some improvements to RAM management. A number of other iPhone users have emailed me to report the same, and I've seen discussions start to pop up online. I have found that apps often remain frozen in the background in instances where they would have previously been force closed. As a result, switching around from app to app is far quicker than it was in earlier versions of iOS 11. Needless to say, this is a big deal.

Augmented Reality enhancements

ARKit is still relatively new and buzzy, but no one is really talking about the nifty enhancements Apple introduced in iOS 11.3. Here are the relevant notes from the iOS 11.3 change log:

  • ARKit 1.5 allows developers to place virtual objects on vertical surfaces, such as walls and doors, as well as on horizontal surfaces.
  • Supports the detection and integration of images, such as movie posters or works, into augmented reality experiences.
  • The real-world view perceived through the camera has a higher resolution as part of the augmented reality experience.

There are countless things that developers can do with these enhancements. As someone with a horrible eye for visualizing decor, I personally can't wait for good apps that let me see what different paintings and prints will look like on my walls.

App review sorting

This might not seem like a big deal at first glance, but it is:

  • Four options now allow you to sort the customer reviews on the product pages: the most useful, the most favorable, the most critical or the most recent.

In general, customer reviews in the App Store are really, really, really bad. People get frustrated over silly things or they don't understand something that should be obvious, so they hop on the App Store and leave a 1-star review. In iOS 11.3, people can finally sort app reviews to weed out the junk and more easily find reviews that are actually useful.

Username and passwords autofill in apps

This change is also a huge deal that people are going to love. In earlier versions of iOS 11, Safari could store usernames and passwords to autofill them on websites where users need to log in. Now, this functionality is finally available in apps, as per the following note from the iOS 11.3 change log:

  • Automatic filling of usernames and passwords is now available in apps' web views.

So, for example, when you click through a link to The Wall Street Journal in your Twitter app, you can auto-fill your login info rather than having to leave the app and dig your username and password out of a third-party password manager like 1Password.

Death of the auto-correct capitalization bug

This last one is my personal favorite, because this is a bug that has bothered me forever. In fact, this bug might have been in iOS since the very beginning. Here's the item of interest from Apple's iOS 11 release notes:

  • Fixes a problem that could cause the capitalization of the first letter of some words by the automatic correction feature.

I'll describe it a bit better, and iPhone users will know exactly what I'm talking about.

Sometimes as you're typing messages, you would make a spelling mistake or some other mistake that auto-correct didn't catch. So, you would hit the backspace button a bunch of times until the word in question was deleted. Because of this bug, when you finished deleting the first letter of the word in question, iOS would automatically engage the caps button even though the word you deleted didn't start with a capital letter. Then, when you began to type again, the first letter would be capitalized even though it shouldn't be.

For example, you might delete "teh" in the middle of a sentence and then replace it with "The," which shouldn't have been capitalized. It was beyond annoying, but now it's finally fixed.
