Facebook stored hundreds of millions of user passwords in plain text for years

· jenxi

Krebs on Security reported that Facebook stored hundreds of millions of user passwords in plain text for years.

The Facebook source said the investigation so far indicates between 200 million and 600 million Facebook users may have had their account passwords stored in plain text and searchable by more than 20,000 Facebook employees. The source said Facebook is still trying to determine how many passwords were exposed and for how long, but so far the inquiry has uncovered archives with plain text user passwords dating back to 2012.

[…]

A written statement from Facebook provided to KrebsOnSecurity says the company expects to notify “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users.” Facebook Lite is a version of Facebook designed for low speed connections and low-spec phones.

Notified or not, it’s a good time to reset your passwords.

Two-thirds of all Android antivirus apps are frauds

· jenxi

Catalin Cimpanu reported for ZDNet that two-thirds of all Android antivirus apps are frauds.

That means that 170 of the 250 Android antivirus apps had failed the organization’s most basic detection tests, and were, for all intents and purposes, a sham.

“Most of the above apps, as well as the risky apps already mentioned, appear to have been developed either by amateur programmers or by software manufacturers that are not focused on the security business,” the AV-Comparatives staff said.

“Examples of the latter category are developers who make all kinds of apps, are in the advertisement/monetization business, or just want to have an Android protection app in their portfolio for publicity reasons,” researchers said.

Having worked on Android apps before, this is a very frustrating situation for developers. On many occasions, we received negative reviews for the Android apps because our apps were flagged as malware by an antivirus app.

Nevertheless, there’s a way to get past many of these antivirus apps.

However, results didn’t reflect this basic assumption. AV-Comparatives staffers said that many antivirus apps didn’t actually scan the apps the user was downloading or installing, but merely used a whitelist/blacklist approach, and merely looked at the package names (instead of their code).

Essentially, some antivirus apps would mark any app installed on a user’s phone as malicious, by default, if the app’s package name wasn’t included in its whitelist. This is why some antivirus apps detected themselves as malicious when the apps’ authors forgot to add their own package names to the whitelist.

In other cases, some antivirus apps used wildcards in their whitelist, with entries such as “com.adobe.*”.

In these cases, all a malware strain had to do was to use a package name of “com.adobe.[random_text]” to bypass the scans of tens of Android antivirus products.
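The name-only allowlist described above, set beside a check that pins the signing certificate, as an added example that is not code from ZDNet, AV-Comparatives or any antivirus product. Apart from the “com.adobe.*” pattern quoted above, the package names, certificate bytes and function names are constructed for illustration.

```python
import hashlib
import hmac
from fnmatch import fnmatchcase

# Constructed sample data: placeholder bytes standing in for signing certificates.
VENDOR_CERT = b"constructed-vendor-signing-cert"
OTHER_CERT = b"constructed-unrelated-signing-cert"

# Weak allowlist of the kind described above: package-name patterns only.
NAME_PATTERNS = ["com.adobe.*"]

# Hardened allowlist: exact package name -> SHA-256 of the expected signing certificate.
CERT_PINS = {"com.adobe.reader": hashlib.sha256(VENDOR_CERT).hexdigest()}


def trusted_by_name(package: str) -> bool:
    """Name-only check: anything matching a wildcard pattern is trusted."""
    return any(fnmatchcase(package, pattern) for pattern in NAME_PATTERNS)


def trusted_by_cert(package: str, signing_cert: bytes) -> bool:
    """Trust only an exact package name signed with the pinned certificate."""
    pinned = CERT_PINS.get(package)
    if pinned is None:
        return False
    actual = hashlib.sha256(signing_cert).hexdigest()
    return hmac.compare_digest(pinned, actual)


def verdict(package: str, signing_cert: bytes) -> str:
    """An unknown identity is not proof of malice; it means the code must be scanned."""
    return "trusted" if trusted_by_cert(package, signing_cert) else "needs-content-scan"


INSTALLED = [  # constructed (package name, signing certificate) pairs
    ("com.adobe.reader", VENDOR_CERT),   # genuine vendor build
    ("com.adobe.xk2f9", OTHER_CERT),     # lookalike name, different signer
    ("com.adobe.reader", OTHER_CERT),    # exact name reused, different signer
    ("org.example.notes", OTHER_CERT),   # unrelated app
]


def compare():
    """Return (package, name-only result, certificate-pinned verdict) per app."""
    return [(pkg, trusted_by_name(pkg), verdict(pkg, cert)) for pkg, cert in INSTALLED]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The name-only check trusts the first three entries, while the pinned check trusts only the first and sends everything else to a content scan instead of labelling it malicious by default.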

Do you have an antivirus app on your Android phone?

Samsung Galaxy S10 Plus Review: A $1,000 Smartphone With Compromises

· jenxi

Brian Chen wrote for The New York Times about the Samsung Galaxy S10, a $1,000 smartphone with compromises.

My bumpy experience with the print sensor firmed up one conclusion: Face recognition is a more convenient method for unlocking phones, and Samsung is behind Apple in this area.

There are some cons to using FaceID but the pros far outweigh these annoyances.

I found that the fingerprint reader on Samsung’s Galaxy S10 Plus was an improvement over past models. But the device’s biometrics over all were still weaker than the features on Apple’s iPhone, Samsung’s biggest rival.

That’s the general feedback that I get from Android users I know. They often end up using the passcode because it’s faster that way.

Drew Blackard, a director of product marketing at the company, said that based on customer feedback, the fingerprint sensor was the most popular method for unlocking devices. As a result, the company focused on improving that feature.

He added that Samsung was studying face recognition and had made it more difficult to trick the scanner with a photo of a person’s face. “Is it an area that we’re continuing to look at? The answer is: Of course,” Mr. Blackard said.

I have to say Samsung’s decision to focus on fingerprint sensing instead of upgrading its face scanner is not particularly satisfying. User feedback isn’t generally an ideal way to design security features. After all, many people also enjoy using the same weak passwords across all their internet accounts.

Perhaps the fingerprint reader is more popular because the face recognition method doesn’t quite work as expected?

Samsung Galaxy S10 Plus unlocks with the video of the owner’s face

· jenxi

Dan Seifert reported for The Verge about the unlocking features of Samsung Galaxy S10 Plus.

But it’s not as fast or reliable as the traditional, capacitive fingerprint scanner on the back of the S9. The target area for the reader is rather small (though the lockscreen will show you a diagram of where to place your finger) and I had to be very deliberate with my finger placement to get it to work.

Even then, I often had to try more than once before the S10 would unlock. I’d just rather have a Face ID system that requires less work to use, or at the very least, an old-school fingerprint scanner on the back of the phone. The S10 does have a face unlock feature, but it’s just using the camera to look for your face and compare it to a previous image — there’s no 3D mapping or anything. I was actually able to unlock the S10 with a video of my face played on another phone.

Unless Samsung fixes this problem, S10 owners should avoid using face recognition.

Samsung says it developed the ultrasonic scanner because feedback from customers said they wanted the fingerprint reader on the front of the phone, and this design allowed for more screen real estate than placing a capacitive sensor in a bezel below the screen. The S10 also lacks the iris scanning login option of older Galaxy models, which would have required more sensors than the new hole-punch screen design has room for. The company told me that it will continually adjust and optimize the face scanner’s performance leading up to the S10’s availability.

But here’s my feedback to Samsung: go copy Apple’s Face ID system. It’s far easier and more reliable to use than the S10’s nifty-looking but ultimately disappointing in-screen fingerprint scanner.

If it was that easy to copy Face ID, you would see more phones with comparable facial recognition sensors.

Forget USB 3.0 & USB 3.1: USB 3.2 Moving Forward

· jenxi

Zhiye Liu wrote for Tom’s Hardware that USB 3.0 and USB 3.1 will become USB 3.2.

Both USB 3.0 and USB 3.1 are to be considered generations of the USB 3.2 specification. USB 3.1 Gen 1 (formerly known as USB 3.0), which offers speeds up to 5 Gbps, will be rebranded into USB 3.2 Gen 1 while USB 3.1 Gen 2, which supports communication rates up to 10 Gbps, will be called USB 3.2 Gen 2 moving forward. Since USB 3.2 has double the throughput (20 Gbps) of USB 3.1 Gen 2, the updated standard has been designated as USB 3.2 Gen 2×2.

This is going to make it so consumer-friendly, USB Implementers Forum.

US cities burn recyclables after China bans imports

· jenxi

Oliver Milman reported for The Guardian that US cities burn recyclables after China bans imports.

Until recently, China had been taking about 40% of US paper, plastics and other recyclables but this trans-Pacific waste route has now ground to a halt. In July 2017, China told the World Trade Organization it no longer wanted to be the end point for yang laji, or foreign garbage, with the country keen to grapple with its own mountains of waste.

Recycling isn’t always the answer. There’s reducing and reusing too.

“The unfortunate thing in the United States is that when people recycle they think it’s taken care of, when it was largely taken care of by China,” said Gilman. “When that stopped, it became clear we just aren’t able to deal with it.”

There needs to be an increased awareness of what happens when we recycle. Instead of just thinking we are doing the right thing by recycling, think further down the process. This shouldn’t be something that’s out of sight, out of mind.