What Google Cloud, G Suite and Chrome customers need to know about the industry-wide CPU vulnerability

Last year, Google’s Project Zero security team discovered a vulnerability affecting modern microprocessors. Since then, Google engineering teams have been working to protect our customers from the vulnerability across the entire suite of Google products, including Google Cloud Platform (GCP), G Suite applications, and the Google Chrome and Chrome OS products. We also collaborated with hardware and software manufacturers across the industry to help protect their users and the broader web.

All G Suite applications have already been updated to prevent all known attack vectors. G Suite customers and users do not need to take any action to be protected from the vulnerability.

GCP has already been updated to prevent all known vulnerabilities. Google Cloud is architected in a manner that enables us to update the environment while providing operational continuity for our customers. We used our VM Live Migration technology to perform the updates with no user impact, no forced maintenance windows and no required restarts.

Customers who use their own operating systems with GCP services may need to apply additional updates to their images; please refer to the GCP section of the Google Security blog post concerning this vulnerability for additional details. As more updates become available, they will be tracked on the Compute Engine Security Bulletins page.

Finally, customers using Chrome browser—including for G Suite or GCP—can take advantage of Site Isolation as an additional hardening feature across desktop platforms, including Chrome OS. Customers can turn on Site Isolation for a specific set of websites, or all websites.

The Google Security blog includes more detailed information about this vulnerability and mitigations across all Google products.  

The making of “A Ride to Remember,” a film about BikeAround

Editor’s Note: Orlando von Einsiedel is the director of the Oscar-winning Netflix short documentary, “The White Helmets.” His first feature, “Virunga,” won more than 50 international awards including an EMMY, a Peabody, a Grierson and a duPont-Columbia Award for outstanding journalism. Last year, we had the opportunity to work with Orlando on a short film about Laila and Bengt Ivarsson. Bengt was recently diagnosed with Alzheimer’s and is testing an experimental technology that triggers memory using Google Maps. Orlando’s documentary is a powerful account of the couple and their experiences.

Like many people, I’ve experienced the sadness of seeing an older relative losing their memory. It’s a strange and painful experience, to see someone you know and love become confused and disorientated—to see them lose their grasp on the world.

It makes you realize how our memories provide us with much of the context and structure for who we are today. The interactions we have with friends and family aren’t static, isolated in time and place. They are ever evolving, informed by what has happened in our shared and personal histories. To lose the context for those interactions must be terrifying.

That’s why I was excited to hear about the BikeAround project—which pairs a stationary bike with Google Street View to give patients a virtual visit to a place from their past—and the way it helps spark memories in people suffering from dementia.

I first worked with Google on the Moon Shot film in 2016. Then earlier this year they came to me with an idea to tell the story about the developing BikeAround technology and how it’s affecting individuals who suffer from dementia. Google released a short version of the film in September, and you can watch the full version now.


Microsoft to acquire Avere Systems, accelerating high-performance computing innovation for media and entertainment industry and beyond

Over the years, Microsoft has made a number of investments to provide our customers with the most flexible, secure and scalable storage solutions in the marketplace. Today, I am pleased to share that Microsoft has signed an agreement to acquire Avere Systems, a leading provider of high-performance NFS and SMB file-based storage for Linux and Windows clients running in cloud, hybrid and on-premises environments.

The post Microsoft to acquire Avere Systems, accelerating high-performance computing innovation for media and entertainment industry and beyond appeared first on The Official Microsoft Blog.

Year in Search: The most fantastic fads of 2017

Here today, gone tomorrow. Our annual Year in Search is always a fun look back at the fads that captured our fancy and then fizzled out fast. See what this year’s biggest crazes were, through the lens of Google Search:

Unicorn everything

The unofficial mascot of 2017 was the unicorn—the magical creature that had the internet abuzz. While we may have reached peak Unicorn with Starbucks’ Unicorn Frappuccino, the craze didn’t stop there. People gave a unicorn twist to all kinds of foods and searched for unicorn cake, unicorn hot chocolate, unicorn cheesecake and unicorn lemonade. While this colorful trend spanned the globe, the most searches came from the cities of San Francisco, New York, London and Bengaluru. Those who jumped on the unicorn food train were likely responsible for making “How many calories are in a Unicorn Frappuccino?” the number one trending calorie-related query.


Slimy searches

Slime also had a very big year: “How to make slime?” was the number one globally trending “how to make” question of 2017. We wanted to know how to make slime of all types: fluffy, butter, stretchy, jiggly, cloud, clear and glow-in-the-dark. But as our slimy obsession grew, so did its mess. “How to get slime out of carpet?” made its way to one of the 100 globally trending “How to” questions of the year.

The dog days aren’t over

While unicorns and slime may have had their five minutes of fame, some internet loves last forever—like our collective adoration of cute creatures. This year’s most searched celebrity animal was April, the mama giraffe that gained worldwide fame after a live video stream of her pregnancy. April’s moment in the spotlight had the question “How long are giraffes pregnant for?” trending in Alaska. Next up in top-searched celebrity animals was Fiona, the premature baby hippo, followed by Marnie, the Instagram-famous senior rescue dog.

Meme, myself and I

From a dancing hot dog to a distracted boyfriend, the viral images that graced our feeds brought comedic relief, heavy doses of sarcasm and unending creativity to the internet. According to search data, the five most trending memes of 2017 were: “Cash Me Outside,” “United Airlines,” “Elf on the Shelf,” “What in Tarnation?” and “Mocking SpongeBob” as people sought to get in on the joke.

Say what?

It’s not just memes—the internet has a language all its own that can leave people asking “huh?”. Thankfully, the internet is also a helpful tool to quickly decode the latest slang. Trending acronyms we had to look up this year included WCW (woman crush wednesday), TFW (that feeling when), STG (swear to God), GOAT (greatest of all time), and OFC (of course). And from “what does despacito mean?” to “what does bodak yellow mean?” to “What does bibia be ye ye mean?”, we searched for the meanings of popular songs—then got back to the dance floor.

And those are the wacky, weird and unexpected searches of 2017. Who knows what 2018 will bring? ¯\_(ツ)_/¯

A look back at the most read Google Play posts on Medium in 2017

Posted by Sergejs Cuhrajs, Community Manager, Google Play

Earlier this year we launched the Google Play Apps & Games publication on
Medium
to help developers discover best practices and insights to grow
successful apps and games businesses on Google Play. As we draw closer to the
end of the year we thought it’s a good time to revisit some of our most popular
posts according to you – our readers.

It’s clear that many of you are excited by the potential of new technology, such
as Virtual Reality (VR) and Augmented Reality (AR), and how it could enhance
user interaction with your apps and games. You’re also concerned with everyday
issues including how to keep your APK size manageable, how to acquire new users,
and how to monetize games without pushing away your players.

So without further ado, here’s the list of the top 10:

  1. Applying human-centered design to emerging technologies
    (by Peter Hyer, Fabian Herrmann, and Kristin Kelly, 7 min read)
    VR, AR, and digital assistants present exciting opportunities for the
    future, but how can we ensure we’re designing for what people really want?
  2. Shrinking APKs, growing installs
    (by Sam Tolomei, 6 min read)
    Smaller APK sizes correlate with higher install conversion rate on Google
    Play – we share tips for keeping your apps lean.
  3. Who plays mobile games?
    (by Allen Bevans, UX Researcher at Google, 6 min read)
    Four actionable insights for game developers based on our research into
    different player segments.
  4. Why the first ten minutes are crucial if you want to keep players coming back
    (by Adam Carpenter, 7 min read)
    How to analyze your retention data so you can keep players coming back
    again and again.
  5. Design your app for decision-making
    (by Jeni Fisher, 10 min read)
    Useful tips and strategies for encouraging desired user behavior in your
    apps. Also check out follow-up posts on boosting motivation through app
    rewards, and common pitfalls of persuasive app design.
  6. Predicting your app’s monetization future
    (by Ignacio Monereo, 10 min read)
    Learn about predictive analytics and calculating your app’s lifetime value
    (LTV) to gain practical insight into the future of your app. In the second
    part Ignacio shares how to calculate LTV based on five popular
    monetization models.
  7. Five tips to improve your games-as-a-service monetization
    (by Moonlit Beshimov, 9 min read)
    5 proven strategies to improve your game revenue without driving players
    away.
  8. An introduction to in-app A/B testing
    (by Gavin Kinghall Were, 13 min read)
    Learn how in-app A/B testing can drive insight into your app’s future
    design and development, and maximise its performance.
  9. Taking the guesswork out of paid user acquisition
    (by David Yin, 8 min read)
    A simple tool to help you estimate lifetime value (LTV) of your users and
    what to spend to grow your audience.
  10. Rethinking interface assumptions in AR: selecting objects
    (by Aaron Cammarata, 8 min read)
    In this article for beginner AR developers we explore one of the most
    fundamental user interface actions: object selection.

Do you have suggestions for topics we should tackle in 2018? Let us know by
tweeting with the hashtag #AskPlayDev and we’ll reply from @GooglePlayDev, where we regularly
share news and tips on how to be successful on Google Play.






Extending domain opt-out and AdWords API tools

In 2012, Google made voluntary commitments to the Federal Trade Commission (FTC) that are set to expire on December 27th, 2017. At that time, we agreed to remove certain clauses from our AdWords API Terms and Conditions. We also agreed to provide a mechanism for websites to opt out of the display of their crawled content on certain Google web pages linked to google.com in the United States on a domain-by-domain basis.  

We believe that these policies provide continued flexibility for developers and websites, and we will be continuing our current practices regarding the AdWords API Terms and Conditions and the domain-by-domain opt-out following the expiration of the voluntary commitments. Additional information can be found here:

#teampixel lights up the holidays

Season’s greetings! With the holidays around the corner, we’re highlighting #teampixel pics that remind us why this time of year is so magical. Join us in kicking off the celebrations with photos ranging from a frosty day in Austria to enjoying sweet treats in Pike Place, Seattle.

We also can’t wait to see what Team Pixel captures in the coming year. Be merry, have a wonderful holiday and see you all in 2018! ✌️

Year in Search: To infinity and beyond

The solar system had its shining moment this year, according to our annual Year in Search. From questions about the solar eclipse to the end of the Cassini spacecraft’s exploration of Saturn, the galaxy turned to Google Search for answers to out-of-this-world questions. Here’s a look at some of the trending searches about space in 2017:


Steal my sunshine

In August, a total solar eclipse crossed North America for the first time in over a century. The awe-inspiring event spurred a spike in eclipse-related questions, like “how long will the eclipse last?” and “how much of the eclipse will I see?” Safety was also top of mind: Beforehand, searches for “how to make solar eclipse glasses” and “how long you can look at the sun” were trending. Despite the preparation, the top post-eclipse queries were related to “eclipse eye damage”—yikes!

Totality hits

Eclipse-viewing experiences need a proper soundtrack. Leading up to the big day, the world searched for songs to set the mood. According to search data, these are the top trending tunes that made the cut:

1. “Black Hole Sun” – Soundgarden

2. “Moonshadow” – Cat Stevens

3. “Ain’t No Sunshine” – Bill Withers

4. “Bad Moon Rising” – CCR

5. “Total Eclipse of the Heart” – Bonnie Tyler


Galaxies far, far away

Search interest extended beyond Earth. After two decades of exploring the solar system, NASA’s Cassini spacecraft ended its journey this year, piquing interest in space exploration. Searches asking “how many people are in space?” and how far away Mars, Jupiter and Saturn are from Earth climbed to an all-time high. And NASA’s search for habitable exoplanets (planets beyond our solar system) had the world asking “How many exoplanets have been discovered?” 10 times more in 2017 than 2016.

Last year we searched on Google for the answers to our most universal questions. As we rocket into 2018, who knows what we’ll search for next? 💫

12 things you may have missed from Google this year

It’s been a busy year, from our second generation of Made by Google hardware, to our efforts to create more opportunity for everyone. But before we head into the new year, we’re taking a look at a few things you may have missed in 2017. Here are 12 things that caught our attention:

1. From drawing to playing piano, and from new cookie recipes to better GIPHY search, machine learning came to life in unexpected ways.


2. #TeamPixel gave us a new perspective through photos captured with the Google Pixel and Pixel 2 phones. Through their lens, you can travel the world, play with light, meet some new friends and live in color.

3. We met dozens of interesting Googlers from across the company—like Hector Mujica, who manages disaster relief giving for Google.org; creative director Tea Uglow; Google AI Resident Suhani Vora; Seth Marbin, the creator of our annual volunteering program GoogleServe; and a handful of Googlers who shared their stories on National Coming Out Day. We even got to ride along with Google Cloud luminaries Diane Greene and Fei-Fei Li on their way to work.


4. With Google Arts & Culture, we explored some of the world’s cultural treasures from anywhere. Pore over the details of the Ghent Altarpiece, an early Northern Renaissance masterpiece, in ultra-high resolution; scale the undulating roof of the Guggenheim in Bilbao; see 30,000 fashion pieces on the virtual catwalk with We Wear Culture; and rumble with the Jets and the Sharks from “West Side Story.”


Say hello to our third round of Jump Start creators

Jump is Google’s platform for professional VR video capture. It combines high-quality VR cameras and automated stitching that simplifies VR video production and helps filmmakers create amazing content. We launched the Jump Start program so that creators of all backgrounds can get access to Jump cameras and bring their ideas for VR video projects to life.

We’re wrapping up the year for the Jump Start program, and it’s been great to see the diversity of creators around the world using Jump cameras for a whole range of projects, everything from Lions in Los Angeles to a tour of the ancient Roman Forum to a sci-fi movie set on a futuristic Lunar Base. You can check out some recently published pieces on YouTube. We also just announced our third round of Jump Start participants. Let’s take a look at the cool stuff they’re working on.


Aidan Brezonick (Director), Justin Benzel (Author), Ivanna Kozak (Producer, Laïdak Films), Antoine Liétout (Producer, Laïdak Films), and Ivan Zuber (Producer, Laïdak Films)

Locations: LA, USA; Chicago, USA; Berlin, Germany; Paris, France

The team is working on a story set in the French countryside. It follows Henry, an aggrieved inventor struggling to overcome the laws of physics by reversing entropy. 


Alvaro Morales

Location: Washington, D.C., USA

Alvaro’s the co-founder of the Family Reunions Project.  He’s working on a collection of immersive experiences centered on undocumented immigrants.


Amaury La Burthe

Location: Toulouse, France

Amaury is creative director of Novelab/Audiogaming.  He’s working with Corinne Linder on a hybrid live action and CGI project about modern-day circuses.


Becky Lane

Location: Ithaca, USA

As a filmmaker and sociologist, Becky is creating an interactive journey through the history of burlesque dance to discover its impact on U.S. culture and women’s sexual empowerment.


Carmen Guzmán

Location: Puerto Rico

Carmen Guzmán is a Puerto Rican filmmaker based in NYC. She’s exploring the impact Hurricane Maria had on Puerto Rico’s communication systems and culture.


DimensionGate (Ian Tuason)

Location: Toronto, Canada

Ian Tuason, founder of DimensionGate, has showcased his work at the Cannes Film Festival, and is shooting the pilot episode of a VR horror serial.


Dominic Nahr and Sam Wolson

Location: Zurich, Switzerland

Dominic and Sam’s film will explore the aftermath of the Fukushima Daiichi nuclear disaster in Japan.


Fifer Garbesi

Location: Oakland, USA

Fifer’s project will traverse the many offshoots of our lingual creation myth in a delicate interactive dance between viewer and journey.


Harmonic Laboratory

Location: Eugene, USA

The interdisciplinary arts collective Harmonic Laboratory is documenting TESLA: Light, Sound, Color, an original 90-minute theatre performance on the elusive physicist and inventor, Nikola Tesla.


iNK Stories

Location: Brooklyn, USA

iNK Stories is a Story Innovation Studio. They’re working on the immersive experience Fire Escape and the large-scale VR installation, HERO (premiering at Sundance).


Lisa London

Location: San Francisco, USA

Lisa is producing “Keep Tahoe Blue,” a look at the successful environmental monitoring organization. It’s a piece on community, volunteerism, and making a difference.


Lizzie Warren

Location: Brooklyn, USA

Lizzie co-founded AROO, a feminist VR collective. A documentary filmmaker, one of Lizzie’s current VR projects explores the human/animal relationships within a wolf sanctuary.


Majka Burhardt and Ross Henry

Locations (Respectively): Jackson, USA; Chagrin Falls, USA

Majka and Ross share a VR journey about the power of one mountain and the water that takes you from the summit of Mount Namuli, Mozambique to the Indian Ocean.


Making360

Location: Venice, USA

More than 50 creators are coupling neurofeedback with stunning VR video to unlock creativity by training people to consciously control their state of mind in any environment.


MeeRa Kim & Michael Henderson (Arbor Entertainment)

Location: Los Angeles, USA

The Arbor team is working on several projects including a 360 exploration of dance and music from the 1920s through present day.


Noam Argov

Location: San Francisco, USA

Noam is a producer and National Geographic Explorer. Her team will use VR to get an inside look into the life of a Kyrgyz nomad as he pioneers a new adventure sport: horse-backcountry-skiing. 


Sarah Hill

Location: Columbia, USA

The StoryUP XR team is creating a brain-controlled VR experience where you conduct a handbell orchestra with your positive emotions.


Sherpas Cinema

Location: Whistler, Canada

The team is working on an experience that will take you on a guided heli-ski trip deep into the backcountry. High adrenaline, no crowds, and all the untouched powder you could ask for.

Zagat’s 2017 food trends: rainbow dishes, all-day dining and gourmet fast-casual

What have you been eating in 2017? Zagat is taking a look back at the top food trends of the past 12 months, based on data from Zagat reviews and insights from Zagat editors.

“Breakfast” is high on the list of most frequently used words in Zagat reviews this year, which aligns with the trend our editors saw in the popularity of all-day cafes. Restaurants like Atla (from Mexico City’s Enrique Olvera) and De Maria (from Top Chef’s Camille Becerra) in NYC, and City Mouse at the new Ace Hotel Chicago, focus on early morning and midday cuisine with brightly colored, (mostly) healthful dishes and interiors to match—perfect for Instagramming.

The boom of gourmet fast-casual continued this year. Chefs like Eleven Madison Park’s Daniel Humm and Del Posto alum/pasta master Mark Ladner both opened concepts in NYC serving up affordable gourmet plates like salmon rosti or customizable pasta with homemade sauces. In Boston, chef Ming Tsai closed his beloved Blue Ginger to open a fast-casual spot called ChowStirs (coming soon). “Counter service” is the fourth most used term in Zagat reviews this year, which describes the style of service you’ll find at these spots (think Shake Shack or Chipotle).

Smoked salmon rosti at Made Nice NYC. Photo by Evan Sung

With more and more restaurants clamoring to create dishes to delight photo-happy social media addicts, rainbow-colored food had a watershed moment in 2017. This trend isn’t limited to Starbucks’ Unicorn Frappuccino: NY-based spots like The Good Sort offered their take on the trend with a rainbow iced latte, and in LA, multi-colored pastries could be found at Mr. Holmes Bakehouse.

The Good Sort’s rainbow iced latte. Photo by Wendy George

We featured a handful of some of Los Angeles’ trending dishes in this year’s Zagat Instagram Table, which brings together 12 buzzworthy items on one table for the perfect shot. Each day this week, we unveiled a new section of our table to create a complete overhead shot on the Zagat Instagram feed.

Photo by Wendy George

In no particular order, the featured dishes are:

  1. Octopus taco from Holbox

  2. Assorted donuts from Trejo’s Coffee & Donuts (including the nacho donut)

  3. The French Nest from Smorgasburg’s Lobsterdamus

  4. Mozzarella sticks from Casa Buona

  5. Assorted flavors from The Loop Churros

  6. Rainbow-colored ice cream sandwiches from MILK

  7. Corbarina pizza pie (cherry tomatoes, squash blossom, burrata, gremolata) from Pizzana

  8. Blue smoothie bowl from Great White

  9. Matcha croissant from Mr. Holmes Bakehouse

  10. Classic fried chicken sandwich from Fritzi Coop

  11. Bacon banh mi dog and Loco Moco dog from Sumo Dog

  12. Tokyo-style dan dan noodles from Killer Noodle

Speaking of the City of Angels, LA is our Most Exciting Food City of 2017, thanks to all the exciting openings worthy of national attention (like Vespertine and Felix), and chefs from cities like NY and Chicago (like David Chang and April Bloomfield) opening their own unique concepts. Plus, LA’s long history of diverse cuisine makes it inspiring for both chefs and diners—and it’s getting more varied every day!

Check out Zagat.com for more on the hottest restaurants and food trends.

Title photo by Wendy George

EDU in 90: that’s a wrap on season one

You can do a lot in 90 seconds—make a paper airplane, brush your teeth, or put on sunscreen.  And with EDU in 90, you can also get Google for Education updates.  

Earlier this year, we heard from countless educators, school leaders and administrators that they wanted to keep up with the latest from Google for Education. To keep our updates quick and concise, we created EDU in 90, a video series that highlights the best of our education products and programs—all in a succinct format. Throughout season one, we’ve focused on everything from quizzes in Google Forms to online safety to using Google Keep in the classroom.

In January, we’ll be back for season two of EDU in 90. And based on feedback from hundreds of educators, we’re increasing our episode frequency and will kick things off with episodes on engaging guardians of students with G Suite and using Google Classroom for differentiated instruction.  

Don’t miss an episode—be sure to check out our series playlist and subscribe to the Google for Education YouTube channel.

The #MyFutureMe winner is often the only girl—but she’s going to change that

Editor’s note: Earlier this year, Made with Code teamed up with Snap Inc. to host #MyFutureMe, a competition for teens to code their own Snapchat geofilters and write their vision for the future. 22,000 teens submitted designs and shared their visions, and Zoe Lynch—a ninth-grader from South Orange, NJ—was recently named the winner by a panel of judges, including Malala Yousafzai, Lilly Singh, Snap CEO Evan Spiegel and our own CFO Ruth Porat. We chatted with Zoe about her experience, how she made her filter, and why it’s important for more girls to get into coding.

What was the inspiration behind your filter?


The brain has fascinated me since I was younger—it’s where creativity and ideas come from so I wanted to use that. The coding project had peace signs, so I had the idea to manipulate the peace signs to look like a brain. The idea for my filter was what can happen when everyone puts their brain power together. When we do that, we are unstoppable.

After you became a finalist, you attended TEDWomen. What was that like?

It was crazy inspiring. It showed me how many powerful and cool women are out there opening paths for girls like me. I got to meet the other finalists, and we created a group chat on Snap, so that we can follow each other and stay connected. We’ve been each other’s biggest cheerleaders. All these girls are going to do awesome things. Tech mogul alert!

How did you feel when you found out that you were selected as the final winner?

I couldn’t believe it! Everyone was so talented and worked hard, but I was so happy that my ideas and creativity were recognized. To win a trip to visit Google and Snapchat was like a dream!

What advice do you have for other girls who want to learn how to code?

I know a lot of girls who think they’re not good at this kind of stuff, but most of them haven’t even tried it. So you have to try it because otherwise you won’t know if you’ll like it. I loved #MyFutureMe because teens are really into Snapchat and the different filters you can use. When you have an opportunity to make a filter, you realize that coding is behind it all.

My vision for the future is one where innovation is accessible to all. As a multiracial girl, I believe it’s important for everyone to be included.

Excerpt from Zoe’s vision for the future

You care a lot about inclusion—have you faced situations when inclusion has been a challenge?

When I go to camps or explore things in the engineering field, I’m often the only girl and the only person of color. Usually all the guys go together and it’s kind of discouraging, but I want to try to change that for other girls, so we don’t have to feel this way anymore.

What do you like to do outside of school?

I love to play video games—my favorite is “Uncharted”—but many of them are not really targeted to women. For women, the game is fun but you know deep down that it’s not really made for you. If I was going to make a video game, it would be an engineering game but you’re helping people. Say you want to build a bridge in the game, you’d need to use mathematics and engineering to make it work.

Who are your role models?

My mom. Hands down. She’s a Hispanic woman and there are only white males at her level at her company, which is where my passion for inclusion started. She’s also pushed me and has always supported me.

You recently visited Snapchat and Google. What was the coolest part of the tour?

Beside the amazing offices (free food!), the coolest part was meeting the engineers. I was so inspired by their journeys and how different they all were. One was an actress, the other a gamer and the other wasn’t even sure of her major until she took her first CS class in college. It showed me that there are many paths to getting into tech.

Zoe on her tour at Snapchat in Venice, CA.

If you could have any job at Google, what would it be?

I’d want to be an engineer in artificial intelligence—I think that technology and machine learning could change the world. I’d like to see more women and people of color in the field, too.

Zoe chats with an engineer at Google.

What do you think the future will look like when you’re 30?

I’m hoping that in the future, everyone works together. And it’ll be cool to live through new technology breakthroughs!

Double Stuffed Security in Android Oreo

Posted by Gian G Spicuzza, Android Security team

Android Oreo is stuffed full of security enhancements. Over the past few months,
we’ve covered how we’ve improved the security of the Android platform and its
applications: from making it safer to get apps, dropping insecure network
protocols, providing more user control over identifiers, hardening the kernel,
making Android easier to update, all the way to doubling the Android Security
Rewards payouts. Now that Oreo is out the door, let’s take a look at all the
goodness inside.

Expanding support for hardware security

Android already supports Verified Boot, which is designed to prevent devices
from booting up with software that has been tampered with. In Android Oreo, we
added a reference implementation for Verified Boot running with Project Treble,
called Android Verified Boot 2.0 (AVB). AVB has a couple of cool features to
make updates easier and more secure, such as a common footer format and
rollback protection. Rollback protection is designed to prevent a device from
booting if downgraded to an older OS version, which could be vulnerable to an
exploit. To do this, the devices save the OS version using either special
hardware or by having the Trusted Execution Environment (TEE) sign the data.
Pixel 2 and Pixel 2 XL come with this protection and we recommend all device
manufacturers add this feature to their new devices.
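A simplified model of the rollback check described above, as an added example (not AVB's code and not from the original post). The type and function names, the two-slot layout, and the rule that stored versions are raised only after a boot is marked successful are assumptions of this example; `secure_store_t` stands in for the special hardware or TEE-signed record.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed layout: slot 0 = boot image, slot 1 = system image. */
#define NUM_SLOTS 2

typedef enum { BOOT_OK, BOOT_ERR_SIGNATURE, BOOT_ERR_ROLLBACK, BOOT_ERR_SLOT } boot_result_t;

/* Stand-in for tamper-evident storage holding the minimum acceptable version. */
typedef struct { uint64_t min_index[NUM_SLOTS]; } secure_store_t;

/* Metadata a bootloader would read from a signed image (hypothetical fields). */
typedef struct {
    size_t   slot;            /* which stored minimum this image is checked against */
    uint64_t rollback_index;  /* version number baked into the signed metadata */
    bool     signature_valid; /* outcome of signature verification, done elsewhere */
} image_meta_t;

/* Read-only check: every image must be validly signed and not older than the
 * stored minimum for its slot. An equal version is not a downgrade. */
boot_result_t verify_images(const secure_store_t *s, const image_meta_t *imgs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!imgs[i].signature_valid)
            return BOOT_ERR_SIGNATURE;
        if (imgs[i].slot >= NUM_SLOTS)
            return BOOT_ERR_SLOT;
        if (imgs[i].rollback_index < s->min_index[imgs[i].slot])
            return BOOT_ERR_ROLLBACK; /* validly signed, but too old to trust */
    }
    return BOOT_OK;
}

/* Called once the new OS has been marked as booting successfully. Stored
 * minimums only ever increase. Returns the number of slots raised. */
size_t commit_after_successful_boot(secure_store_t *s, const image_meta_t *imgs, size_t n)
{
    size_t raised = 0;
    if (verify_images(s, imgs, n) != BOOT_OK)
        return 0; /* never commit versions from a set that failed verification */
    for (size_t i = 0; i < n; i++) {
        if (imgs[i].rollback_index > s->min_index[imgs[i].slot]) {
            s->min_index[imgs[i].slot] = imgs[i].rollback_index;
            raised++;
        }
    }
    return raised;
}

/* Scenario 1: version 5 boots and is committed; a validly signed version 4
 * is then offered to the bootloader and must be refused. */
boot_result_t demo_downgrade_after_update(void)
{
    secure_store_t store = { { 3, 3 } };
    const image_meta_t v5[] = { { 0, 5, true }, { 1, 5, true } };
    const image_meta_t v4[] = { { 0, 4, true }, { 1, 4, true } };
    commit_after_successful_boot(&store, v5, 2);
    return verify_images(&store, v4, 2);
}

/* Scenario 2: version 5 verifies but is never marked successful (for example
 * it fails to start). The stored minimum is still 3, so falling back to
 * version 4 remains possible. */
boot_result_t demo_fallback_before_commit(void)
{
    secure_store_t store = { { 3, 3 } };
    const image_meta_t v5[] = { { 0, 5, true }, { 1, 5, true } };
    const image_meta_t v4[] = { { 0, 4, true }, { 1, 4, true } };
    if (verify_images(&store, v5, 2) != BOOT_OK)
        return BOOT_ERR_SIGNATURE;
    return verify_images(&store, v4, 2);
}

int main(void)
{
    printf("downgrade after committed update: %d\n", demo_downgrade_after_update());
    printf("fallback before commit:           %d\n", demo_fallback_before_commit());
    return 0;
}
```

The signature check alone does not stop the downgrade in scenario 1, because the older image is genuinely signed; only the stored minimum version does.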

Oreo also includes the new OEM Lock Hardware Abstraction Layer (HAL) that gives
device manufacturers more flexibility for how they protect whether a device is
locked, unlocked, or unlockable. For example, the new Pixel phones use this HAL
to pass commands to the bootloader. The bootloader analyzes these commands the
next time the device boots and determines if changes to the locks, which are
securely stored in Replay Protected Memory Block (RPMB), should happen. If your
device is stolen, these safeguards are designed to prevent your device from
being reset and to keep your data secure. This new HAL even supports moving the
lock state to dedicated hardware.

Speaking of hardware, we’ve invested in support for tamper-resistant hardware,
such as the security module found in every Pixel 2 and Pixel 2 XL. This physical
chip prevents many software and hardware attacks and is also resistant to
physical penetration attacks. The security module prevents deriving the
encryption key without the device’s passcode and limits the rate of unlock
attempts, which makes many attacks infeasible due to time restrictions.

While the new Pixel devices have the special security module, all new GMS
devices shipping with Android Oreo are required to implement key attestation.
This provides a mechanism for strongly attesting IDs such as hardware
identifiers.

We added new features for enterprise-managed devices as well. In work profiles,
encryption keys are now ejected from RAM when the profile is off or when your
company’s admin remotely locks the profile. This helps secure enterprise data at
rest.

Platform hardening and process isolation

As part of Project Treble, the Android framework was re-architected to make
updates easier and less costly for device manufacturers. This separation of
platform and vendor code was also designed to improve security. Following the
principle of least privilege, these HALs run in their own sandbox and only have
access to the drivers and permissions that are absolutely necessary.

Continuing with the media stack hardening in Android Nougat, most direct
hardware access has been removed from the media frameworks in Oreo, resulting in
better isolation. Furthermore, we’ve enabled Control Flow Integrity (CFI) across
all media components. Most vulnerabilities today are exploited by subverting the
normal control flow of an application, changing it to perform arbitrary
malicious activities with all the privileges of the exploited application. CFI
is a robust security mechanism that disallows arbitrary changes to the original
control flow graph of a compiled binary, making it significantly harder to
perform such attacks.

In addition to these architecture changes and CFI, Android Oreo comes with a
feast of other tasty platform security enhancements:

  • Seccomp filtering: makes some unused syscalls unavailable to apps so that
    they can’t be exploited by potentially harmful apps.
  • Hardened usercopy: A recent survey of security bugs on Android revealed
    that invalid or missing bounds checking was seen in approximately 45% of
    kernel vulnerabilities. We’ve backported a bounds checking feature to
    Android kernels 3.18 and above, which makes exploitation harder while also
    helping developers spot issues and fix bugs in their code.
  • Privileged Access Never (PAN) emulation: Also backported to
    3.18 kernels and above, this feature prohibits the kernel from accessing user
    space directly and ensures developers utilize the hardened functions to access
    user space.
  • Kernel Address Space Layout Randomization (KASLR):
    Although Android has supported userspace Address Space Layout Randomization
    (ASLR) for years, we’ve backported KASLR to help mitigate vulnerabilities on
    Android kernels 4.4 and newer. KASLR works by randomizing the location where
    kernel code is loaded on each boot, making code reuse attacks probabilistic and
    therefore more difficult to carry out, especially remotely.
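To illustrate the bounds checking mentioned under hardened usercopy, here is an added example (a userspace model, not kernel code and not part of the original post). The fixed-size `slab` array, the object size, and the function names `check_object_bounds` and `checked_copy_to_user` are assumptions for illustration; the check refuses any copy whose length would run past the end of the object it starts in.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OBJ_SIZE  32   /* constructed: fixed-size "slab" objects */
#define OBJ_COUNT 4

static unsigned char slab[OBJ_SIZE * OBJ_COUNT];

void *slab_object(unsigned idx) { return slab + (size_t)idx * OBJ_SIZE; }

/* Return 0 if [ptr, ptr+len) stays inside one slab object, -1 otherwise. */
int check_object_bounds(const void *ptr, size_t len)
{
    uintptr_t base = (uintptr_t)slab, p = (uintptr_t)ptr;
    if (p < base || p >= base + sizeof(slab))
        return -1;                        /* not a slab pointer at all */
    size_t offset_in_obj = (p - base) % OBJ_SIZE;
    if (len > OBJ_SIZE - offset_in_obj)   /* phrased so it cannot overflow */
        return -1;                        /* would spill into a neighbour */
    return 0;
}

/* Model of a copy to user space: src must be a single "kernel" object. */
long checked_copy_to_user(void *dst, const void *src, size_t len)
{
    if (check_object_bounds(src, len) != 0)
        return -1;                        /* refuse the whole copy */
    memcpy(dst, src, len);
    return 0;
}

int main(void)
{
    unsigned char user_buf[64];
    memset(slab_object(0), 'A', OBJ_SIZE);   /* data the caller may read */
    memset(slab_object(1), 'S', OBJ_SIZE);   /* neighbouring object */
    /* A length taken from an unvalidated request: one byte too many. */
    long bad = checked_copy_to_user(user_buf, slab_object(0), OBJ_SIZE + 1);
    long ok = checked_copy_to_user(user_buf, slab_object(0), OBJ_SIZE);
    printf("oversized copy: %ld, exact copy: %ld\n", bad, ok);
    return 0;
}
```

Without the check, the oversized request would copy the first byte of the neighbouring object out to the caller, which is the class of missing-bounds-check bug the survey figure refers to.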

App security and device identifier changes

Android Instant Apps run in a restricted sandbox which limits permissions and
capabilities such as reading the on-device app list or transmitting cleartext
traffic. Although introduced during the Android Oreo release, Instant Apps
supports devices running Android Lollipop and later.

In order to handle untrusted content more safely, we’ve isolated WebView by
splitting the rendering engine into a separate process and running it within an
isolated sandbox that restricts its resources. WebView also supports Safe
Browsing to protect against potentially dangerous sites.

Lastly, we’ve made significant changes to device identifiers to give users more
control, including:

  • Moving the static Android ID and Widevine values to an
    app-specific value, which helps limit the use of device-scoped non-resettable
    IDs.
  • In accordance with the IETF RFC 7844 anonymity profile, net.hostname is
    now empty and the DHCP client no longer sends a hostname.
  • For apps that require a device ID, we’ve built a Build.getSerial() API
    and protected it behind a permission.
  • Alongside security researchers¹, we designed a robust MAC address
    randomization for Wi-Fi scan traffic in various chipsets’ firmware.

Android Oreo brings in all of these improvements, and many more. As always, we
appreciate feedback and welcome suggestions for how we can improve Android.
Contact us at security@android.com.

_____________________________________________________________________

1: Glenn Wilkinson and team at Sensepost, UK, Célestin Matte, Mathieu Cunche:
University of Lyon, INSA-Lyon, CITI Lab, Inria Privatics, Mathy Vanhoef, KU
Leuven

Lights, camera … control your home with the Google Assistant

It’s usually pretty easy to flip a light switch. But when you’re out at night and realize your dog is sitting at home in the dark, or want to set mood lighting for movie night from the comfort of the couch, it’d be nice to have some help. The Assistant on your phone or smart speaker, like Google Home, can help you control your home—whether it’s turning on the lights or turning up the heat—with more than 1,000 compatible devices.

  • Let’s start with the basics: Lights. C by GE bulbs are now compatible with Google Assistant. So you can light up, turn off or dim the lights in your home from any room. Setup is easy so you can set the right mood in every room of your home.
  • Find the perfect temperature. Winter is just a day away and with the Google Assistant and ecobee or Nest, you can make sure your home is just the right toasty temperature. And, if you like to have a fan on year round, Bond can help you control your fan.
  • Keep your kitchen under control. With Smarter, you can control your kettle, while Whirlpool takes care of your microwaves and ovens, so you can make sure your drinks and food are served at a temperature that’s just right.
  • Washers, dryers, refrigerators and more. LG can help you keep tabs on your home appliances, so you can see when the washer is done, or get an alert when your fridge door is left open. Plus you can connect with ranges, vacuums, air conditioners and more!
  • Keep an eye on your home. It’s easy to get a full screen view of what’s happening around the home with Google Home, Chromecast and your connected cameras, like Logitech Circle. Just ask your Assistant “Ok Google, show the nursery on my TV.”

Pro-tip: Since it’s the holiday season, don’t forget that you can use your smart plugs like Insignia, Caséta by Lutron and TP-Link, to help bring holiday cheer to your home! Just connect these smart plugs to your holiday lights and you can easily turn them on and off, so no more crawling around a tree or accidentally leaving your lights on during the day.

And these are just a few of the new integrations. There are lots more ways to control your compatible lights, thermostats, cameras and more, right with your Google Assistant. Check out the ever-growing list.