ArduinoMania

The contactless payment system for New York City’s subways has a security hole. Anyone with access to someone’s credit card number can see when and where they entered the city’s underground transit during the last seven days. The problem lies in a “feature” on the website for OMNY, the tap-to-pay system for the Metropolitan Transportation Authority (MTA), which allows you to view your recent ride history using only credit card info. Further, subway entries purchased using Apple Pay — which gives merchants a virtual number instead of your real one — still somehow link to your physical credit card number.

The MTA’s loose implementation could allow stalkers, abusive exes or anyone who hacks into or purchases a person’s credit card information online to find out when and where they typically enter the subway. Joseph Cox of 404 Media initially reported on the story, detailing how (with a rider’s consent) he tracked the stations they entered — with corresponding times. “If I had kept monitoring this person, I would have figured out the subway station they often start a journey at, which is near where they live,” Cox wrote. “I would also know what specific time this person may go to the subway each day.”

“This is a gift for abusers,” Eva Galperin, the Electronic Frontier Foundation’s director of cybersecurity, told Engadget. The OMNY website also allows passengers to create a password-protected account, but it sits below the more prominent “Check trip history” section atop the page, requiring only a number and expiration date without any further security input. “It is a real problem that the option to track your location — without any kind of password security — is available first on the website,” noted Galperin. She says the MTA could have “fixed this simply” by including a PIN or password requirement alongside the credit card field.

Metropolitan Transportation Authority

The website still shows your travel history even if you paid with Apple Pay. The iPhone maker says its tap-to-pay system gives merchants a virtual number rather than the physical card’s number. “And when you pay, your card numbers are never shared by Apple with merchants,” a marketing blurb on the company’s website reads. But an Engadget staffer confirmed that entering their actual credit card number linked to the used Apple Pay account — without having directly used that card to ride — still revealed their seven-day point-of-entry history.

When asked about the OMNY website linking the two regardless, the MTA told Engadget it can’t see the credit card numbers of customers who use Apple Pay. Apple didn’t immediately respond to an emailed request for comment about how the MTA website associates the two without vendors having access to the physical credit card number.

The MTA says it will consider security changes as it improves its system. “The MTA is committed to maintaining customer privacy,” MTA spokesperson Eugene Resnick wrote to Engadget in an email. “The trip history feature gives customers a way to check their paid and free trip history for the last 7 days without having to create an OMNY account. We also give customers the option of paying for their OMNY travel with cash. We’re always looking to improve on privacy, and will consider input from safety experts as we evaluate possible further improvements.”

Google has been busy making a bunch of announcements for its cloud-based productivity apps this week, largely centered on Duet AI integration. There are some other helpful updates on the way to several apps, including Google Chat.

A feature is now available in beta on several Workspace plans (with full availability on the roadmap for early next year) that allows for messaging interoperability between Chat and other services including Slack and Microsoft Teams. Google, which teamed up with a company called Mio to make this function work, suggests that this could be handy for organizations that use a variety of communications apps.

"We know that communication and collaboration happens over multiple channels and tools," Google wrote in an announcement post. "This can cause missed messages, silos of communication, and a frustrating experience monitoring multiple chat tools." It notes that organizations need Mio licenses to use the feature. According to GIF Google shared, it seems that if you edit a message in one of the connected apps, the change will be replicated in the others.

Meanwhile, 9to5 Google reports that Chat will gain support for voice messages. These will enable users to “save typing and allow recipients to hear the tone and context of the message,” according to Google. The feature should be available in early 2024, but it's unclear whether it will be available in group chats and one-on-one DMs. It's also uncertain whether there will be transcription support from the jump.

The annual Awesome Games Done Quick (AGDQ) speedrunning charity gaming event is returning in January. It’s going to be an in-person affair once again, the first time since COVID. It all takes place in Pittsburgh at the Wyndham Hotel from January 14th to the 21st. Despite the change to an in-person format, you’ll be able to stream the festivities via the Games Done Quick Twitch channel.

For the uninitiated, AGDQ is a speedrunning marathon event that runs all day and night throughout the week. AGDQ 2024 will be held in support of the Prevent Cancer Foundation and you’ll be able to quickly donate to the charity on Twitch or via the Games Done Quick website. The event raised over $3.5 million for the foundation back in 2022 and $2.6 million last year. There’s also a sibling event held in the summer that has raised millions of dollars for Doctors Without Borders.

AGDQ 2024 is still months away, so the organizers have yet to issue a list of participants and games. Past years have seen speedrunners take on hundreds of releases, from newer titles like Sekiro: Shadows Die Twice to retro-flavored gems like Super Mario Galaxy 2 and Doom. Yes, labeling 2010's Super Mario Galaxy 2 as retro makes me feel old too, but it is what it is. 

Games Done Quick has stated that speedrunners don’t have to head to Pittsburgh to take part, as there will be remote runs available for those unable to travel. The organization is accepting speedrunning submissions from September 1st to the 10th, so start practicing your runs now.

Late-night comedy’s five biggest hosts are starting a podcast. Stephen Colbert, Jimmy Kimmel, Seth Meyers, John Oliver and Jimmy Fallon will host Strike Force Five, a weekly chat about “the complexities behind the ongoing Hollywood strikes.” All proceeds will go to out-of-work staff from the hosts’ five talk shows.

“The hosts bring their unique insights, opinions, and humor to the show as they navigate the Hollywood strikes and beyond,” a Spotify blog post reads. The five comedians will take turns moderating the episodes. Spotify’s Megaphone is producing the series, and the streaming service is the podcast’s sole sales partner — but the series isn’t exclusive to the platform. “[It’s available on] Spotify, or wherever you get your podcasts,” Meyers said in a video Kimmel posted to X (formerly Twitter). “But Spotify, you fucks,” Oliver aggressively deadpanned.

The series launches on August 30th (day 120 of the strike, as noted byTVLine). It will run for at least 12 episodes.

The Writers Guild of America (WGA) and the Alliance of Motion Picture and Television Producers (AMPTP) have been at odds without much discernible progress since the WGA began striking on May 2nd. The WGA described the sides’ latest meeting last week as more of a “lecture” than a negotiation. “We were met with a lecture about how good their single and only counteroffer was,” the WGA negotiating committee wrote to members. “But this wasn’t a meeting to make a deal. This was a meeting to get us to cave, which is why, not 20 minutes after we left the meeting, the AMPTP released its summary of their proposals. This was the companies’ plan from the beginning — not to bargain, but to jam us. It is their only strategy — to bet that we will turn on each other.”

The fall season of major tech events is ramping up and now we know when Google will host its big Pixel showcase. The next Made by Google event is set for October 4th at 1PM, and there's little doubt as to what the company plans to show off. "You're invited to an in-person Made by Google event where we'll introduce the latest additions to our Pixel portfolio of devices," reads an invitation that Engadget received.

The company announced the date soon after leaking an image of what seemed to be the Pixel 8 Pro on its storefront — coincidentally on the same day that Apple confirmed its iPhone event will take place on September 15th. Google may have a new Pixel Watch to blab about, along with some other hardware. 

As with Microsoft's (likely Surface-related) event, this one will take place in New York City. Of course, we'll have full coverage of all the major Made by Google announcements right here on Engadget.

Google

A couple months after Microsoft revealed plans to increase Game Pass subscription prices, Sony is getting in on the act. The company is bumping up the annual prices of all three PlayStation Plus plans on September 6th.

An annual Essential subscription will soon cost $80 per year, up from $60. The Extra plan is going up by $35 to $135 per year, while an annual Premium plan will soon cost $40 more at $160. The price changes won't take effect for current PS Plus users on an annual plan until their next renewal date that's on or after November 6th. If you make any changes to your plan between September 6th and then (such as changing tiers), the new pricing will apply.

Sony has not announced changes to the monthly ($10 for Essential, $15 for Extra and $18 for Premium) or quarterly ($25 for Essential, $40 for Extra and $50 for Premium) for the time being. It notes that the annual plan is still less expensive than a monthly or quarterly subscription in the long run.

You still have a few days to stack an extra year (or two or three) onto your existing PS Plus plan at the current prices. It's too early to tell whether it will be worth waiting until Black Friday in case there are better deals, so if you have the cash to spare, now might be the time to add extra time to your plan.

Sony notes that it's bumping up PS Plus plans globally to "enable us to continue bringing high-quality games and value-added benefits to your PlayStation Plus subscription service." That's maybe a difficult case to make given the three monthly games that will be available for all three tiers in September: the reboot of Saints Row, Black Desert – Traveler Edition and (a game I'm admittedly interested in) Generation Zero, all of which have received middling or poor reviews.

Although they're somewhat different offerings, it's worth noting that PS Plus is generally less expensive than the equivalent Game Pass tiers. An annual PS Plus Essential plan is $52 less than a year of Xbox Game Pass, while a 12-month PS Plus Premium membership is $44 less expensive than Game Pass Ultimate over the same timeframe.

That said, Microsoft offers access to all of its first-party games via Game Pass upon their release, an enticing offering that Sony can't match. The new Game Pass Core tier (which is replacing Xbox Live Gold) is $60 per year and includes full online multiplayer access and an initial library of 25 games.

It looks like Instagram is about to significantly increase the maximum length of Reels posts, according to reputable mobile developer and leaker Alessandro Paluzzi. The current hard limit for these videos is three minutes, but screenshots provided by Paluzzi indicate a forthcoming leap to 10 minutes. This would effectively transform the social media site into a more robust video-sharing platform like YouTube.

This move would also allow Meta’s Instagram to further compete with rival TikTok, as the latter already lets users post videos up to ten minutes in length. TikTok and Instagram seem to be caught in some sort of ouroboros of mimicry, with one app regularly adopting features originally unveiled by the other.

As TikTok and Instagram vie for a share of the long-form video pie, YouTube’s moving in the opposite direction. It’s been making a push to gain more ground in the short-form video space, recently adding a suite of creator tools and a TikTok-esque music-discovery feed. The days when you could easily label Instagram as the “photo one”, TikTok as the “short video one” and YouTube as the “long video one” are gone. It looks like they all want to be “does everything one.”

Engadget reached out to Meta for clarification regarding the move toward long-form video content and will update this post when and if we receive a substantive response.

Google has revealed more details about how you'll be able to use the Duet AI assistant to help you rapidly whip up emails and documents. In Gmail, the tool builds on existing AI-powered features such as Smart Reply. Click or tap the "help me write" button and you'll have several options at your disposal.

Select "write your draft" and you can detail the type of message that you'd like Duet AI to generate. The tool will be able to draw from previous messages in the thread to make the draft response more relevant, Google says. If Duet AI creates a message in a tone that's perhaps too casual, you can ask the assistant to make it more formal. There are options to make the draft more elaborate or condensed, and if you're feeling adventurous, you can slap the "I'm feeling lucky" option. This, Google says, will "introduce fun variations on tone and style for content you’ve drafted."

The options are pretty similar in Google Docs, though you'll be able to make the tone of Duet AI's screed more casual if you wish. There are options to generate a summary for a section or an entire document, use bullet points (for those Axios fans out there) and to create a different draft based on your initial description. Additionally, Google says you can use a custom instruction to "refine the generated content." The "help me write" tool for Docs can pull in smart canvas features.

For now, the new virtual assistant is only available to organizations who pony up an extra $30 per user per month for the Duet AI for Google Workspace Enterprise add-on. Duet AI will be available for small- and medium-sized businesses as well as consumers in the coming months, but Google hasn't revealed pricing as yet.

Games have the power to connect people across the world in enjoyment and teamwork, but they can also create a space ripe for toxic speech and hatred. Activision is attempting to minimize the latter, announcing a new collaboration with Modulate, a company using technology to identify these issues, for direct voice chat moderation in Call of Duty. 

Modulate's AI system, ToxMod, attempts to identify threats like hate speech, radicalization and self-harm in real-time. It claims to work in three steps: triage, analyze and escalate. ToxMod listens to all voice chats and pinpoints which warrant a further look. This flagged data is stored in their servers, while all other data will be processed right on the initial device. The company says it then evaluates everything from tone to emotion, analyzing not only "what is being said, but also how it is said and how other players respond to it." Finally, it attempts to alert moderators about the most toxic incidents and leaves it up to them to take action. The company claims it's the "only voice-native moderation solution" currently available, having protected "tens of millions of players." 

The integration of ToxMod could aid in preventing toxic responses as a whole, working alongside existing text-centric and reporting systems. "Tackling disruptive voice chat particularly has long been an extraordinary challenge across gaming," Activision's chief technology officer Michael Vance said in a statement. "With this collaboration, we are now bringing Modulate's state of the art machine learning technology that can scale in realtime for a global level of enforcement. This is a critical step forward to creating and maintaining a fun, fair and welcoming experience for all players." Last year, Activision started allowing games' moderation teams to mute players using toxic language in voice and text chats. 

ToxMod is now available as an English language beta release in North America for Call of Duty: Modern Warfare II and Call of Duty: Warzone. It will be released globally — with the exception of Asia — when Call of Duty: Modern Warfare III releases on November 10th. 

Most of us could stand to learn a new trick or two in the kitchen. Getting to grips with a new technique doesn't have to be difficult though, especially if you have the right equipment on hand. To wit: we reckon the Anova Precision Cooker 3.0 is the best sous vide machine you can buy right now, and best of all, it's on sale. The device has dropped by 25 percent to $149 at Amazon.

This is the latest standard model of Anova's sous vide machines. It's one of the best prices we've seen for it to date — it has dropped a little lower in the past but this is still a solid deal all the same.

The Precision Cooker 3.0 is a great all-rounder that's easy to use. It can handle all the basics of cooking things like meats and eggs. The latest model includes digital touch controls, a stainless steel and water-resistant IPX7 design and a longer power cord than previous iterations. There's WiFi connectivity, while the eight-liter-per-minute flow rate means it can bring water to the correct temperature faster than a lot of rival gizmos.

Anova teamed up with highly regarded chef J. Kenji Lopez-Alt to feature a wealth of fully tested sous vide recipes in its app. And hey, if you're not exactly sure how to get started with sous vide, you're in luck: we have a handy guide just for that.

Follow @EngadgetDeals on Twitter and subscribe to the Engadget Deals newsletter for the latest tech deals and buying advice.