Showing results for tags 'Google'.

Found 874 results

  1. Google Eyes The Future of Gaming, But is a Cloud Service Enough to Take on Microsoft And Sony? "Gather around as we unveil Google's vision for the future of gaming," says Google. But it will take more than just technical prowess to nail the game streaming space. Google is getting into gaming. It was always a matter of when and not if. It could very well be now. Google has teased the keynote for the upcoming Game Developers Conference 2019 with the words "Gather around as we unveil Google's vision for the future of gaming." Remember, this comes not too long after the patent which Google filed for a game controller became public knowledge just a few days ago. But why would Google want to get into gaming? For starters, it is a big pie waiting to be gobbled up. According to the numbers of research firm Newzoo, the gaming industry is expected to grow to as much as $180 billion by the year 2021. This includes PC, console and mobile gaming. Secondly, Sony, Microsoft and Nintendo are currently bossing the gaming space. However, could this be the final step for the “Project Stream”, culminating as a gaming-on-the-cloud service? We had often heard about a Netflix-style subscription-based game streaming service, with the all-you-can-consume positioning. Google is believed to have been testing this in the US with a select bunch of users, including allowing users to play triple-A game titles such as Assassin’s Creed Odyssey. The idea is to let you simply pick up the game controller (surely Google would want to sell you one), connect it with one of the compatible devices, and start gaming. That neatly brings us to the second question—would there be any hardware in the mix? If there is, it wouldn’t be too difficult to consider it as the much-rumoured “Yeti” console finally turning into a reality. However, it’ll be interesting to see how Google packages this cloud gaming service.
Will it be a simple app that could download on all Android phones too? If yes, it’ll give Google access to a humongous user base in an instant. Add Android TV into the mix, and you have the large screen gaming experience ready in an instant. Then there is the question of which titles will be available to stream. If the US tests are anything to go by, it should be able to host pretty much any game title, including those with extreme graphic detailing. But Google is not a game developer, and it will have to rely on game developers and publishers for flagship titles. Would they really offer better potential than Microsoft, Sony, Nintendo or even Nvidia currently can? It won’t be alone in the space though. There is the Sony PlayStation Now game streaming service, with more than 700 titles in its library. Nvidia has the GeForce Now service with about 400 titles, for instance, which works on Windows, macOS and their own Nvidia Shield console for TVs. The competition is only set to become tougher. Amazon is believed to also be working on a cloud based gaming service, while Microsoft had confirmed last well that its xCloud gaming service is already in the works. It is also believed that the company will be releasing an Xbox console this summer, which does away with the optical disc drive, making it a completely online-only experience for game downloads and gameplay. Do we have enough internet bandwidth though for a cloud based gaming service to be successful? In the Project Stream tests, Google had recommended users have at least a 25Mbps internet line for this to work well. This in many ways does potentially take mobile out of the equation—the 3G/4G networks in most countries, including India, clearly are not robust enough for this to work. Google needs another source of revenue, much beyond its traditional strong points of Search, Android and the products meant for enterprises. Gaming is what can perhaps be described as a low-hanging fruit. 
If Google gets its subscription based cloud-gaming service out of the door now, it could have a first mover advantage in many ways, even as Microsoft and Amazon are prepping their own assaults on the space. Source
  2. Rightholders Have Asked Google to ‘Remove’ 4 Billion Pirate Links Copyright holders have asked Google to remove four billion links to 'pirate' search results over the years. The vast majority of these requests were honored. This includes hundreds of millions of URLs which are not yet indexed. These end up on a preemptive blacklist instead. For most people, search engines such as Google are an essential tool to enjoy the web in all its glory. With clever algorithms, the company offers a gateway to billions of sites, many of which would otherwise remain undiscovered. This also includes many ‘pirate’ sites. While there are plenty of people who don’t mind seeing these show up in search results, their presence is a thorn in the side of copyright holders. At the beginning of this decade, this problem was hardly recognized. When Google published its first transparency report, it received just a few thousand requests per day. Today, that number has grown to well over two million. For years this number kept going up and up. While that trend was broken recently, the total now adds up to an impressive figure. Google’s transparency report shows that copyright holders have asked the company to remove four billion links to alleged copyright-infringing content. The majority of these requests, more than 90%, were indeed removed or put on a preemptive blacklist. The four billion links were reported by 168,180 copyright holders who identified 2,283,811 separate domains. These domains also include false positives, including websites of The White House, the FBI, Disney, Netflix, the New York Times, and even TorrentFreak. Most reported links do indeed point to copyrighted material, however. Google typically takes these out of their search engine softly after a request comes in. This means that the takedown process works as intended. However, it remains controversial.
Several major copyright groups see the huge number of reported links as evidence that their efforts are futile. No matter how many links they submit, there are always new ones to find the next day. “Every day we have to send new notices to take down the very same links to illegal content we took down the day before. It’s like ‘Groundhog Day’ for takedowns,” RIAA CEO Cary Sherman described the situation previously. Ideally, the major copyright groups would like Google to remove all results from known pirate sites. However, the search engine believes that this goes a step too far, warning that it could lead to overbroad censorship. “When it comes to entire websites, Google may demote a site in our search results if we receive enough copyright removal notices for it, but we do not remove full sites from search results for copyright infringement.” “Although this would reduce our operational burden, whole-site removal is ineffective and can easily result in the censorship of lawful material,” Google wrote in its latest overview of anti-piracy measures, published late last year. Google itself is not completely apathetic to the piracy issue. It does ‘demote’ sites for which it has received a substantial number of takedown notices. These will then appear lower in search results. The demotion ‘signal’ can weigh even stronger for specific keywords, such as recently released films. This demotion strategy gives copyright holders a “powerful tool against rogue sites,” Google notes. When new pirate sites appear, copyright holders can target these with takedown notices, after which Google will demote them. As such, the four billion reported links will likely be five billion by the end of next year. Source
  3. How Google could help an Android alternative reach the IoT throne KaiOS is racking up tens of millions of users by catering to the feature phone market. Its momentum with carriers could turn it into a formidable IoT player. Android accounts for about 85 percent of the global smartphone market; iOS accounts for virtually all of the rest. So it has stood for most of the past decade despite a host of failed challengers that entered the market before and after Android's debut. But one operating system is adding tens of millions of users by bringing new functionality to a device that has been all but forgotten in the U.S. KaiOS, which I first wrote about last April as an engine for minimalist phones, is an open source OS. It was spun out of an effort within TCL (owner of the Alcatel and BlackBerry phone brands) from the remnants of Firefox OS. It is well on its way to becoming the modern-day spiritual successor to Symbian, which was once a dominant operating system for feature phones. Indeed, HMD Global, the heir of the Nokia phone brand that was once Symbian's greatest champion and that claims to still be the global leader in feature phones, is using KaiOS in its 8110 "banana" slider phone. However, its biggest success to date has been India's JioPhone. Android has problems, and Google knows that and has plans to replace it with something better. But the Android name won't be going anywhere. While optimized for keypad input, it features a web browser, email client, and other essential apps. It also features an app store, although, in the world of KaiOS, carrier is king. For example, while it is an outlier, the only KaiOS phone available in the U.S. is the Alcatel Go Flip, available via prepaid carriers such as Cricket and Simple Mobile. It lacks the app store. However, while many feature phones top out at 3G and lack Wi-Fi, KaiOS's support for Wi-Fi and 4G should provide connectivity long after major carriers sunset their 3G networks in the next few years. 
Even as Google continues to target lower price points for Android phones, it recognizes the value it can derive from KaiOS. The company invested $22 million in the effort last year and is the preferred search engine and voice assistant for KaiOS phones. The latter aligns particularly well with Google's push of its Assistant, the limited input options of many KaiOS phones and larger percentage of illiterate users in developing economies adopting the OS. Feature phones will likely retain a sustainable market for the foreseeable future, but KaiOS is also making a play for the Internet of Things. This is one of the many markets in which Google has struggled to expand Android's reach, recently scaling back its Android Things effort. For Google, Android Things is a developer retention play; the Android model of driving revenue through apps, content and advertising doesn't apply. KaiOS' carrier customers, though, can leverage IoT devices to sell managed services, particularly as they gear up parts of their 5G networks developed specifically to handle their low-power, low-speed requirements. Still, even though KaiOS devices could eventually outnumber Android devices, there are a number of caveats and reasons why it wouldn't pose much of a competitive threat. First, while the number of IoT devices could eventually outnumber the number of humans and, by extension, mobile phones, KaiOS would likely capture only a fraction of that market. And even if its raw installed base numbers came to dwarf Android's, the widely disparate needs of IoT devices would negate treating such a hardware/software combination as a viable horizontal platform in the way we think of Android or iOS. Still, as the smartwatch market has shown us, there are bound to be edge cases and KaiOS's easily navigable interface, app capabilities and modern connectivity could wind up powering many devices that would otherwise enable Android developers to leverage their skill sets. Source
  4. Google releases Android Q beta for Pixel phones Google's Android Q beta is here for early adopters. Google on Wednesday released the first beta of Android Q, the next version of its popular mobile operating system. Google said early adopters can get started by enrolling any Pixel device, including the original Pixel and Pixel XL. The search giant said a preview software development kit (SDK) is also available today for developers. The company said it'll have more to share about Android Q at Google I/O in May. This is a developing story. Source
  5. Google Makes Hardware a Second-Class Citizen, Several Devices Now in Doubt Google is reportedly making a series of changes in its hardware division that puts the future of a number of devices in doubt, according to a report today. BI writes that Google has started an ample restructuring process in the Create division, which is responsible for creating laptops and tablets like the Pixelbook and the Pixel Slate. By the looks of things, Google could also ditch plans for certain projects, according to the aforementioned source citing people familiar with the matter, as the company requested employees in the hardware group to temporarily seek new roles in other divisions or Alphabet companies. Interestingly, Google doesn’t seem to consider this to be a permanent change, which appears to suggest that at some point in the future the search giant could bring back the workforce to the Create unit. Hardware engineers, technical program managers, and other employees close to these areas are reportedly being told to seek other positions within the company, including in the smartphone division.

Pixel and Chromebooks not impacted

Right now, the Google Pixel phone project doesn’t seem to be impacted by these changes, but the people with knowledge of the restructuring told the cited source that several projects have been canceled in the laptop and tablet division. Manufacturing plans haven’t been adjusted, however, which means that the products that Google plans to release in the short term wouldn’t be affected by Google’s restructuring. While Google hasn’t commented on the report, it looks like the Mountain View-based company is just making hardware a second-class citizen of its ecosystem, trying instead to focus on projects that align with its push for continued growth. Google’s Chromebook push is unlikely to suffer any change, as most of the devices aren’t manufactured by the search giant.
Instead, Google will likely invest more in Chrome OS software, while the company would continue to work with device manufacturers to build laptops running it. Source
  6. Outage sends Google Cloud Services, Gmail, Drive, YouTube fuzzy Some Google services might work some times, others might not. A tranche of Google services have been hit by a collection of outages, including Gmail, Drive, Google Music, and YouTube. "We're investigating reports of an issue with Gmail. We will provide more information shortly. The affected users are able to access Gmail, but are seeing error messages, high latency, and/or other unexpected behavior," the search giant said on its G Suite status page. While Google has only made comments on Gmail so far, similar behaviour has been experienced on Drive, YouTube, and Google Music. Over on its Google Cloud Platform status page, the outage hit all regions of Google Cloud Storage. "Our Engineering Team believes they have identified the potential root causes of the errors and is still working to mitigate," the company said. For its App Engine platform, Google said it had found an error in "the underlying storage infrastructure" -- which would help explain the intermittent working of its platform over the past couple of hours. Source
  7. Lawmakers chide Google for making you work to get out of its services A senator describes Google's privacy policy: "You can hide a dead body in there and nobody would ever find it." Senior privacy counsel for Google Will DeVries testifies during a hearing before the Senate Judiciary Committee. It's not easy finding privacy online -- and Congress members want to change that. Lawmakers called out Google on Tuesday at a Senate hearing on data privacy, pointing out how many hoops average people need to jump through to stop the tech giant from tracking them. Google lets people opt out of location and data tracking, and notes that people consent to providing their data by agreeing to its privacy policy. Sen. John Kennedy, a Republican from Louisiana, criticized Google's privacy policy, telling Will DeVries, the company's senior privacy counsel, that the average person doesn't read those documents. "You can hide a dead body in there and nobody would ever find it," Kennedy said at the hearing. The hearing took a look at privacy legislation like the European Union's General Data Protection Regulation and California's Consumer Privacy Act, and how lawmakers in the US could create a bill that improves on existing laws. The panel included representatives from Google, Intel, DuckDuckGo, Californians for Consumer Privacy and the Center for Democracy and Technology. Congress has held multiple hearings on data privacy with tech giants and privacy advocates over the last year, with the hope of drafting a federal privacy law for the US. Multiple privacy scandals and data breaches involving tech giants have boosted momentum for regulation, but there are still arguments on how the law should work. The debate on Tuesday centered around opt-in versus opt-out consent. "Our current notice and consent model is broken," Michelle Richardson, the Privacy and Data project director at the Center for Democracy and Technology, said in her opening remarks.
"We need Congress to think much bigger and instead of keeping this model limping along, move the privacy burden back to where it belongs: the companies who collect and use our data." Opt-in consent means you have to agree to all uses of your data before it's collected. The GDPR requires this, and that's why you were flooded with hundreds of "Privacy Policy update" emails last May. Opt-out consent is the current status quo, where people's data is collected by default if they use a service, forcing them to go to their privacy settings to shut off the data gathering. "There is significant evidence that defaults are sticky, and consumers rarely alter their default privacy settings," said Sen. Mazie Hirono, a Democrat from Hawaii. "The privacy regime should be an opt-in." Several lawmakers used Google as an example of how much data could be collected under default privacy settings. After DeVries told lawmakers that the data Google collects provides a benefit to users, Sen. Lindsey Graham, a Republican from South Carolina, asked for specifics. The Google senior privacy counsel started explaining that Maps needs your location to provide accurate directions when Graham interjected, "The phone is off." DeVries said that Android phones still need your location data to "perform basic functions." Sen. Josh Hawley, a Republican from Missouri, described Google's location tracking on Android devices, citing a Vanderbilt University study that found its phones sent data about 14 times an hour. Google responded to the study from last August, arguing that the research contained "wildly misleading information." Hawley also cited a report finding that Android devices were storing location data even when Location History is disabled. "They think they can opt out of the tracking you're performing, but they can't meaningfully opt out," Hawley said.
"It's kind of like that old Eagles song, 'You can check out anytime you like, but you can never leave.'" DeVries admitted that Google should do a better job of explaining its location services and make its privacy policy clearer, but he didn't agree with opt-in consent for privacy regulation. Tech giants like Google, Intel and Apple have argued against opt-in consent, saying that it causes "click fatigue" and citing the GDPR as an example. After the GDPR came into effect, millions of people received hundreds of notifications asking them to opt-in to new privacy policies. "I wouldn't want to overwhelm users by having opt-in for everything. I worry it would cause click fatigue, and people would just start agreeing to everything," DeVries said. David Hoffman, Intel's director of security policy, agreed, telling lawmakers that opt-in consent would put too much of a burden on people. In some cases, opt-in consent has become a "take it or leave it" approach, meaning that if you don't agree to provide your data, you won't be able to use the service. Privacy advocates warned against that, pointing out that the policy sometimes gives tech giants even more power. "The one in Europe is opt-in, and once you've opted in, the companies can sell your data, and that's my worry," said Alistair Mactaggart, the chief advocate behind California's Consumer Privacy Act. "Once you've opted-in, it's business as usual." Several other senators called for opt-in consent for data privacy, including Democratic Sen. Dianne Feinstein from California and Republican Sen. Marsha Blackburn from Tennessee. "I would like my privacy to be protected, and it seems to me that if somebody has a proposal, I should be able to say yes or no," Feinstein said. "I think the way one would know that they're protected is that they have to be able to opt in as opposed to opt out." Source
  8. Google confirms it agreed to pay $135 million to two execs accused of sexual harassment The $135 million was whittled down to $105 million after one executive left to join Uber. Google agreed to pay $135 million to two former executives accused of sexual harassment, it confirmed to The Verge today. We now know from a newly unsealed lawsuit that former senior search vice president Amit Singhal was initially offered $45 million, triple the amount he ended up walking away with. The figure was first reported by CNBC, which spotted a newly unsealed shareholder lawsuit against the company. According to the suit, former head of Android Andy Rubin allegedly received an offer for a $150 million stock grant, which he then allegedly used to negotiate the $90 million in severance pay we’d heard about in previous reports. Singhal’s $45 million offer was reduced to $15 million because he joined a rival company, Uber. Google has now confirmed these numbers to The Verge. The news of the payouts, originally reported by the New York Times last October, led to protests on Google’s campus last November. Rubin’s $90 million severance package automatically canceled out the $150 million stock grant he was initially offered, so he didn’t get both as some publications previously reported. In the end, Rubin received $90 million while Singhal received $15 million. That’s $105 million in total, lower than the $135 million that Google had originally approved. The payments were approved by Google’s Leadership Development and Compensation Committee, according to the suit. It alleges that other Google executives allowed Larry Page, Sergey Brin, and Eric Schmidt to dominate the board committee and influence the decision to pay Rubin and Singhal. Francis Bottini, a lawyer for the shareholders, didn’t immediately respond to a phone call requesting comment.
“There are serious consequences for anyone who behaves inappropriately at Google,” Google said in a statement to The Verge. “In recent years, we’ve made many changes to our workplace and taken an increasingly hard line on inappropriate conduct by people in positions of authority.” The shareholder lawsuit accuses Google of breaching its fiduciary duty, abuse of power, unjust enrichment, and corporate waste. It asks for a trial and calls for Google to handle future sexual harassment accusations better. The lawsuit is also seeking punitive damages, without demanding a specific amount of money. The 202-page lawsuit is filled with 119 pages of media reports from outlets like the Wall Street Journal, BBC, and NPR as evidence to back up its claims that Google enabled rampant sexual harassment from senior executives. The suit quotes an anonymous Google employee who said: “When Google covers up harassment and passes the trash, it contributes to an environment where people don’t feel safe reporting misconduct. They suspect that nothing will happen, or, worse, that the men will be paid and the women will be pushed aside.” Google employees protested how the company had handled sexual harassment complaints last November. In response, the company agreed to end its forced arbitration policy in cases of discrimination and harassment. It also promised to end pay and opportunity inequity and make its annual internal report on incidents of sexual harassment available to all employees. Source
  9. Google Opposes Mandatory Standard for Australian Takedown Notices Google is opposing a recommendation by the Australian Competition and Consumer Commission to introduce a mandatory takedown notice scheme. This could lead to automated censorship, the company warns. Various copyright holder groups don't see the takedown notice proposal as a good solution either, but they are demanding even stricter measures. Last December the Australian Competition and Consumer Commission (ACCC) released a preliminary report on its Digital Platform Inquiry. One of the main recommendations it made was to create a mandatory standard for takedown notices to enable timely and effective removal of infringing content. To make sure that digital platforms indeed implement this standard, the Commission said that these companies could be subjected to a $250,000 fine for each contravention. “Making this mandatory code would ensure breaches could attract penalties under the Telecommunications Act,” ACCC wrote in its report. Following the release of the report, various stakeholders were asked for their input. Over the past several weeks, dozens of responses were filed and it’s clear that a mandatory standard is not widely embraced. Google, which operates a range of services that are subject to takedown notices, including its search engine and YouTube, warns that a new standard would be at odds with the well-established procedures in place around the world today. “A Mandatory Standard would represent a significant departure from the globally accepted standard for issuing take-down notices that is relied upon by digital platforms, online service providers and content creators around the world,” Google writes. The takedown procedures which are currently used in the UK, the EU, Canada, Japan, Singapore, and South Korea already require digital platforms to respond “expeditiously” to disable access to infringing content, according to Google. 
Creating more strict requirements with the added threat of possible ‘fines’ could lead to censorship and may stifle innovation, the company adds. “A more rigid standard with high fines for errors could incentivize automated censorship on an unacceptable scale and a curtailment of innovation and investment in alternative rights management approaches,” Google notes. The company further stresses that the comments from various copyright holder groups about the ineffectiveness of the current process are inaccurate. Google says that it presently takes a wide variety of measures to counter piracy, including automated removal of pirated content. Many of these points were also highlighted in Google’s most recent overview of how it fights piracy. For example, the company stresses that it prevents certain piracy-associated keywords from appearing as autocomplete suggestions. This is indeed true. Just last year Google added “Kodi” to its lists of banned words, which was quite a controversial move. However, according to some rightsholders, these autocomplete removals are far from perfect. Village Roadshow CEO Graham Burke, who’s one of the most vocal Google critics, highlights this in his company’s submission to the ACCC. Roadshow believes that companies such as Google should go much further in their anti-piracy efforts. “For example, Google’s search results could easily remove links to websites blocked by Australian courts as well as clean up autocomplete which is a fast track, easy way to piracy,” Burke writes. Village Roadshow’s submission comes with various screenshots showing how autocomplete suggestions still link to problematic content. For example, while “Pirate Bay” is banned, Google now suggests “Pirate Bays” related searches as an alternative which can be used to bypass ISP blockades.
Village Roadshow’s CEO hopes that the ACCC will come up with additional measures to ensure that infringing content is swiftly removed and to ensure that Google and other platforms take responsibility for keeping illegal content off their services. “The only winners in the current climate are pirates who are criminals because their business model is totally dependent on scamming and robbing people,” Burke writes. “They attract people with the promise of free first run movies only then through a multitude of paths to scam and rob them. Whether it by misrepresentation obtaining their contact details or ransomware,” he adds. Google clearly disagrees and it’s not alone in its criticism of the automated takedown standard. Twitter also objects to the proposal and AFR reports that StartupAUS also signals various problems. “If adopted, [the mandatory standard] would result in a scheme that implemented a take-down mechanism without the accompanying safe harbour that provides the incentive with which to cooperate – essentially, it is all stick and no carrot,” the startups warn. Interestingly, various copyright holder groups are not happy with it either, albeit for other reasons. Music Rights Australia, for example, recommends removing the proposal for a mandatory takedown standard, noting that a DMCA-style system won’t work: “A one size fits all solution like a US style Notice and Takedown regime will not be effective or efficient. For example, a US style notice and takedown regime would be ineffective to stop an illegal stream of a live concert on a social digital platform.” Similarly, the Media, Entertainment and Arts Alliance (MEAA) believes that the proposal doesn’t go far enough either. “MEAA believes that much greater effort is required by digital platforms to act promptly in response to copyright owners’ requests to remove unauthorised content from their sites,” the group writes.
Based on the wide variety of responses it’s clear that there isn’t unanimous support for the proposal from either side. A full overview of the responses is available on the ACCC’s website. Source
  10. Researchers also devise a Spectre-like attack with no known mitigation. Researchers from Google investigating the scope and impact of the Spectre attack have published a paper asserting that Spectre-like vulnerabilities are likely to be a continued feature of processors and, further, that software-based techniques for protecting against them will impose a high performance cost. In any case, the researchers continue, the software will be inadequate—some Spectre flaws don't appear to have any effective software-based defense. As such, Spectre is going to be a continued feature of the computing landscape, with no straightforward resolution. The discovery and development of the Meltdown and Spectre attacks was undoubtedly the big security story of 2018. First revealed last January, new variants and related discoveries were made throughout the rest of the year. Both attacks rely on discrepancies between the theoretical architectural behavior of a processor—the documented behavior that programmers depend on and write their programs against—and the real behavior of implementations. Specifically, modern processors all perform speculative execution; they make assumptions about, for example, a value being read from memory or whether an if condition is true or false, and they allow their execution to run ahead based on these assumptions. If the assumptions are correct, the speculated results are kept; if they aren't, the speculated results are discarded and the processor redoes the calculation. Speculative execution is not an architectural feature of the processor; it's a feature of implementations, and so it's supposed to be entirely invisible to running programs. When the processor discards the bad speculation, it should be as if the speculation never even happened.
Footsteps left behind

What the Meltdown and Spectre researchers found is that speculative execution isn't entirely invisible and that, when the processor discards the speculated results, some evidence of the bad speculation is left behind. For example, speculation can change the data held in the processor's cache. Programs can detect these changes by measuring the time to read values from memory.

With careful construction, an attacker can make the processor speculate based on some value of interest and use the cache changes to disclose what that speculated value actually was. This becomes particularly threatening in applications such as Web browsers: a malicious JavaScript can use data revealed in this way to learn about the memory layout of the process it's running in, then use this information to leverage other security flaws to execute arbitrary code. Browser developers have assumed that they can construct safe sandboxes within the browser process, such that scripts can't learn about the memory layout of their containing process. Architecturally, those assumptions are sound. But reality has Spectre, and it blows those assumptions out of the water.

The Meltdown attack, faced by chips from Intel, Apple, and other manufacturers building certain standard ARM designs, was a particularly nasty variant of this. It allowed a malicious program to extract data from the operating system kernel. In the immediate aftermath of the discovery of Meltdown, changes were made to operating systems to hide most of their data from such malicious programs. Intel has made specific changes to its processors to address Meltdown, so its most recent processors no longer need to activate these operating-system changes.

An apt name

But Spectre—which is best thought of as a particular style of attack, with many different variants and iterations—has proven more insidious.
A variety of software techniques has been devised to either prevent the processor from executing sensitive code speculatively or limit the information that can be disclosed through speculative execution.

Google's research found that these software measures leave a lot to be desired. Some measures, such as blocking all speculation after loading values from memory, protect against many attacks but are far too debilitating to use in practice. The researchers were experimenting with modified versions of the V8 JavaScript engine from Chrome, and indiscriminate use of this technique made performance drop to between one third and one fifth of what it was without mitigation. Other mitigations were less punitive—for example, protecting array accesses from a certain kind of disclosure had a 10 percent performance cost.

But in every case there were trade-offs; no mitigation protected against all Spectre variants, so a mix of techniques has to be used, and for techniques that can't be used indiscriminately, there's a big challenge in even identifying where mitigations should be applied.

Moreover, Google devised a general-purpose Spectre-family attack that could not be defeated with any of the known mitigation techniques. An important element of Spectre attacks is a timing system to measure those cache changes. One of the ideas that people have had to counter Spectre is to make the clocks available to applications less accurate. The working theory is that, if you need to measure cache differences that are a few nanoseconds in length, a clock that has a resolution of, say, milliseconds will be too coarse. The researchers devised a technique for amplifying small timing differences, and this amplification can defeat any attempt to make the timers coarser.

No end in sight

As such, the company concluded that we just can't depend on software fixes to guard against Spectre.
Hardware mitigation might be possible, but this is presently an open question—unlike Meltdown, which had a clear resolution, Spectre seems to be far more intrinsic to speculative execution. And ditching speculative execution isn't much of an option either; it's a feature of every high-performance processor, and with good reason—it provides a substantial performance advantage. For now, then, applications that try to construct secure environments will have to rely on the guarantees that are made by hardware—the protection between processes. For example, Chrome has been changed to not allow content from multiple domains to run within the same process. This still doesn't protect the Chrome sandbox itself from attack by scripts, but it does mean that one script can't attack content from other domains. All in all, the research shows that Spectre was aptly named. It's going to haunt both software and hardware developers for years to come, and there's no clear end in sight. Source: Google: Software is never going to be able to fix Spectre-type bugs (Ars Technica - Peter Bright)
  11. Google to Fix Chrome 72 Bug That Broke Down Ad Blockers

Google has confirmed that it will roll out a fix for the Chrome 72 bug that breaks some extensions. As I explained earlier this week, Google included a new experiment called “Enable network service” in Chrome 72 and activated it for a number of installations, only for these users to find out that some extensions may be broken.

Google originally said it resolved the issue in Chrome 73, explaining that it wouldn’t disable the experiment because devs should use the beta build of the browser and the number of impacted users is very small.

“At this point, if this is the only breakage in the experiment we’re not rolling back. The reason is that as a relative percentage of users of Chrome, this is still small (e.g. less than 0.1%),” Google explained. “When launching multi-year projects that impact a large part of the codebase, it’s impossible to avoid any regressions. We have to balance making forward progress and avoiding other regressions creeping in with breaking some edge cases. The best way for extension authors to avoid this is to use dev/beta channels.”

Fix coming later this week

Now Google says it has resolved all issues related to the new experiment and promises to resolve the bug with a patch that would be released for all Chrome 72 installations later this week.

“The fix will go out this week in an update to 72. Please switch to Chrome beta and not stable; fixing these regressions is much easier for everyone and won’t impact users if they’re brought up in beta,” a Google engineer explained.

A workaround already exists if you want to repair broken extensions in Google Chrome, and you can find it explained in detail in this article. I expect the new Chrome update to be rolled out tomorrow for all supported platforms.

Source
  12. Google plans big gaming news at GDC, will Microsoft respond?

Google is apparently planning to make some big gaming announcements at the upcoming Game Developers Conference in San Francisco in March. The company sent media invites today for a press event on March 19, and it seems the keynote will be about Google’s new Project Stream game streaming platform (via Gameindustry.biz).

“All will be revealed at the Google Keynote,” the invitation says, and Google also included a mysterious GIF showing a bright light at the end of a dark hallway.

Google previously tested Project Stream last fall, allowing select Google Chrome users to play Ubisoft’s latest Assassin’s Creed game right in the web browser. The service made quite a good impression at the time, and Google looks well positioned to compete with Sony’s Playstation Now service as well as Microsoft’s Project xCloud.

Microsoft will also have a big presence at GDC next month, with a session dedicated to Project xCloud. “This talk will go deeper on how developers can get their console games to adapt to a mobile world,” the session description reads. Last year, the Redmond giant explained that its game streaming platform will be able to bring all existing Xbox games to mobile devices without developers having to modify game code.

Project xCloud is expected to launch in public beta this year, but maybe Google’s obvious interest in game streaming will force Microsoft to accelerate its rollout plans. A true Netflix-like service for video games is probably years away, but this competition between tech giants should be very good for consumers and the video games industry.

Source
  13. Google has created a new browser API ‘Trusted Types’ to fight against DOM XSS attacks

Google has been working for months on a new Chrome feature that fights against DOM-based XSS attacks. This new feature is a browser API called ‘Trusted Types’ that helps Chrome fight against certain cross-site scripting (XSS) vulnerabilities.

This feature adds another level of protection at the browser level to protect users from one of the three types of cross-site scripting vulnerabilities, namely DOM-based XSS. The other two cross-site scripting vulnerabilities are Stored XSS and Reflected XSS.

What is DOM-based XSS?

DOM-based XSS is a cross-site scripting security vulnerability that exists in the source code of a website. Attackers leverage so-called injection points to insert code in the browser's source code in order to execute malicious operations such as stealing browser cookies, manipulating page content, redirecting users to a phishing site, etc.

How can Trusted Types protect users from DOM-based XSS?

Trusted Types will prevent DOM-XSS attacks by enabling website owners to lock down the known injection points in a website's source code that cause DOM-based XSS. Website owners can enable Chrome's Trusted Types by setting a certain value in the Content Security Policy (CSP) HTTP response header. Once enabled, access to DOM injection points will be restricted by Chrome's built-in Trusted Types API, blocking any attacks before the XSS exploit code can leverage the DOM (page's source code) to attack users.

In a tutorial on how website owners can enable Trusted Types, Krzysztof Kotowicz, a Software Engineer in the Information Security Engineering team at Google, claimed that this new feature would “help obliterate DOM XSS.”

Source
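The lock-down of injection points described above, as an added example that is not from the article or from Google: a small JavaScript model of Trusted Types enforcement that runs outside a browser. `makeTrustedTypes`, `ModelElement` and the policy name `escape-only` are assumptions made for illustration; in a browser the real entry points are `trustedTypes.createPolicy()` and the CSP directives `require-trusted-types-for 'script'` and `trusted-types`.

```javascript
'use strict';

// Model of the browser's TrustedHTML object. Only a policy can mint one;
// the WeakSet records which objects were really produced by a policy.
const minted = new WeakSet();
class ModelTrustedHTML {
  constructor(value) { this.value = value; Object.freeze(this); }
  toString() { return this.value; }
}

// Model of trustedTypes.createPolicy(). `allowedNames` plays the role of the
// policy names a site lists in its CSP `trusted-types` directive.
function makeTrustedTypes(allowedNames) {
  const created = new Set();
  return {
    createPolicy(name, rules) {
      if (!allowedNames.includes(name)) throw new TypeError(`policy "${name}" is not allowed by CSP`);
      if (created.has(name)) throw new TypeError(`policy "${name}" already exists`);
      created.add(name);
      return Object.freeze({
        name,
        createHTML(input) {
          if (typeof rules.createHTML !== 'function') throw new TypeError('policy has no createHTML rule');
          const html = new ModelTrustedHTML(String(rules.createHTML(input)));
          minted.add(html);
          return html;
        },
      });
    },
  };
}

// Model of an element whose innerHTML sink is enforced: plain strings are
// rejected, only values minted by a policy are accepted.
class ModelElement {
  #html = '';
  set innerHTML(v) {
    if (!minted.has(v)) throw new TypeError('sink requires a policy-created value');
    this.#html = v.toString();
  }
  get innerHTML() { return this.#html; }
}

// The single reviewed rule every HTML write now has to pass through.
function escapeHTML(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function runTrustedTypesDemo() {
  const tt = makeTrustedTypes(['escape-only']);
  const el = new ModelElement();
  const untrusted = '<img src=x onerror=alert(1)>'; // constructed test input

  // 1. A raw string can no longer reach the sink.
  let rawBlocked = false;
  try { el.innerHTML = untrusted; } catch (e) { rawBlocked = e instanceof TypeError; }

  // 2. The same input goes through the allowed policy and is neutralised.
  const policy = tt.createPolicy('escape-only', { createHTML: escapeHTML });
  el.innerHTML = policy.createHTML(untrusted);

  // 3. Code cannot bypass review by registering its own pass-through policy.
  let roguePolicyBlocked = false;
  try { tt.createPolicy('passthrough', { createHTML: (s) => s }); } catch (e) { roguePolicyBlocked = e instanceof TypeError; }

  return { rawBlocked, rendered: el.innerHTML, roguePolicyBlocked };
}

console.log(runTrustedTypesDemo());
```

The security review surface shrinks from every `innerHTML` assignment in the code base to the handful of policy rules the CSP header allows.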
  14. Google reportedly scored tax breaks using secret shell companies

The news comes a day after Amazon said it was canceling plans for a New York hub.

Google headquarters in Mountain View, California. Stephen Shankland/CNET

Google used shell companies and subsidiaries to hide its involvement in expansion plans that yielded millions of dollars in tax breaks, according to a report by The Washington Post on Friday, casting light on how tech companies cut deals with local governments.

When the search giant planned to build a data center in Midlothian, Texas, Google used a subsidiary called Sharka LLC, The Post reported. Other subsidiaries Google set up for development projects include Jet Stream LLC and Questa LLC.

Google also extensively uses non-disclosure agreements with officials, The Post said. In the case of the Texas data center, Google was seeking a decade of tax breaks, but Midlothian's head of economic development was barred from disclosing Google's involvement in the project, the report said.

The size of deals between local governments and tech companies was thrust into the spotlight Thursday after Amazon dropped a bombshell announcement: It was no longer going forward with plans to build a massive second headquarters in New York City. The withdrawal followed intense opposition from local politicians and union groups, fueled in part by the tax breaks the city gave the e-commerce giant.

Deal-making is crucial for Google as it revs up expansion. Earlier this week, CEO Sundar Pichai said the search giant is investing $13 billion in data centers and offices around the country, mostly in the Midwest, East Coast and South. That includes new and expanded data centers in Ohio, Nebraska, Oklahoma, South Carolina and Texas. New and expanded office locations include sites in Virginia, Georgia and Chicago.

In California, Google is building a giant campus in San Jose, about 15 miles from the company's headquarters in Mountain View.
The new San Jose outpost will be Google's second-largest campus. Partnership for Working Families, which obtained the Google records and shared them with The Post, has sued the city of San Jose over its negotiations with Google. The advocacy group didn't respond to a request for comment. A Google spokeswoman called its tactics "standard industry practices." At the early stages of deals, companies often strive to keep negotiations quiet because they don't want to tip off competitors or announce their plans prematurely. But some critics have pointed to the secrecy as detrimental to local communities, which sometimes can't protest until it's too late. "We believe public dialogue is vital to the process of building new sites and offices, so we actively engage with community members and elected officials in the places we call home," the Google spokeswoman said in a statement. "Of course, when we enter new communities we use common industry practices and work with municipalities to follow their required procedures." Still, tamping down concerns from local communities will be an ongoing battle for tech giants, as Silicon Valley faces more scrutiny than ever over its scale and influence. On Friday, Google tried to highlight some of the benefits of its expansion. The company said Google's data centers create $1.3 billion in economic activity, $750 million in labor income, and 11,000 jobs throughout the US in a single year. Source
  15. Google Says It Scans 50 Billion Android Apps Every Day to Detect Malware

Google has recently shared new data on its efforts to boost user security on Android, revealing that it’s paying much more attention to the applications that end up being available for download in the Play Store.

Last year, for example, Google rejected 55 percent more applications than in the previous year, while the share of app suspensions increased by no less than 66 percent. All of these could have been dangerous apps reaching the Google Play Store, eventually powering malicious activities, including serving adware and collecting user data.

“These increases can be attributed to our continued efforts to tighten policies to reduce the number of harmful apps on the Play store, as well as our investments in automated protections and human review processes that play critical roles in identifying and enforcing on bad apps,” Andrew Ahn, Product Manager, Google Play, explains.

Google Play Protect, a key security tool

Ahn explains that while Google is working hard to prevent dangerous apps from reaching the Google Play Store, it’s also trying to make sure that the ones already listed for download do not receive updates or change specific features for a dangerous purpose.

As a result, Google Play Protect scans no less than 50 billion Android apps every day, the company says, which means the likelihood of an app from Google Play to cause any damage is eight times lower than when getting apps from various sources.

Google promises it’ll continue to focus on user privacy in 2019, with more policies to be announced in the coming months.

“In October 2018, we announced a new policy restricting the use of the SMS and Call Log permissions to a limited number of cases, such as where an app has been selected as the user's default app for making calls or sending text messages,” Ahn stated. “We've recently started to remove apps from Google Play that violate this policy.
We plan to introduce additional policies for device permissions and user data throughout 2019.” Google says that its data shows 80 percent of the malicious apps are developed by so-called repeat offenders and abusive developer networks, and the company says it’ll pay more attention to these categories in the future. Source
  16. Google is running an auto-update-to-HTTPS experiment in Chrome Google engineers are looking for a fix for HTTPS mixed content errors and they appear to have the right idea. The Google Chrome team will be running an experiment this week in an attempt to find solutions to an HTTPS problem that Mozilla also attempted to solve last year. The problem that Google is trying to solve is called "mixed content," which Google describes as below: Mixed content occurs when initial HTML [a web page] is loaded over a secure HTTPS connection, but other resources (such as images, videos, stylesheets, scripts) are loaded over an insecure HTTP connection. This is called mixed content because both HTTP and HTTPS content are being loaded to display the same page, and the initial request was secure over HTTPS. Modern browsers display warnings about this type of content to indicate to the user that this page contains insecure resources. For the past few years, mixed content has been a big problem for browser makers and other organizations that have been pushing HTTPS adoption. Mixed content browser errors --which sometimes are known to block users from accessing a website altogether-- have scared many site operators from migrating to HTTPS, many fearing they'd lose traffic revenue for no tangible benefit for supporting HTTPS. Addressing mixed content errors that appear in web browsers is probably the last major hurdle in convincing site operators to move to HTTPS. This week, Google engineers rolled out an experiment in Chrome where they configured the browser to automatically upgrade any mixed content to full HTTPS. Chrome would do this by secretly changing the URL of resources (such as images, videos, stylesheets, scripts) from their HTTP version to an HTTPS alternative. If the same resource exists on an HTTPS link, then everything loads as normal. 
If the resource doesn't exist on an alternative HTTPS link, Chrome logs the error and executes one of the many scenarios configured for this experiment (detailed in this document).

The general idea is that when website owners updated their sites to use HTTPS, they might have forgotten to change their sites' source code, and some content was left to load via HTTP, even though it could have loaded via HTTPS just fine.

The purpose of this experiment is so Google engineers can gain insight into how many websites would break if Chrome would auto-update all mixed content sites to HTTPS by default, and what's the best fallback strategy for mixed content HTTP URLs that break. If the percentage of broken links and sites is small, Google engineers would most likely think about shipping this auto-update-to-HTTPS feature in the main Chrome browser and take yet another step towards a more secure web.

For now, Google intends to roll out the experiment to roughly one percent of its Chrome Canary userbase (who've enabled the chrome://flags/#enable-origin-trials flag).

Google's experiment will not be the first of its kind. Mozilla tested a similar mixed content auto-update in Firefox last year. "They found a lot of breakage, but we're hoping things have improved since their experiment," said Emily Stark, a Google security engineer.

Other experiments for dealing with mixed content are also scheduled.

Source
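The upgrade-and-fallback flow described above, as an added example (not Chrome's code) that a site operator could adapt to audit pages before such a change ships: it finds HTTP subresources in an HTTPS page, rewrites them to HTTPS, and reports which ones would break. The sample page, the hostnames and the `httpsExists` lookup are constructed for illustration.

```javascript
'use strict';

// Tags whose URL attribute loads a subresource into the page. <a href> is
// navigation, not a subresource, so it never counts as mixed content.
const SUBRESOURCE_ATTR = new Map([
  ['img', 'src'], ['script', 'src'], ['iframe', 'src'], ['video', 'src'],
  ['audio', 'src'], ['source', 'src'], ['link', 'href'],
]);

// Read one attribute (quoted or unquoted) from a tag's attribute string.
// The leading (?:^|\s) keeps "data-src" from matching "src".
function attrValue(attrs, name) {
  const re = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s"'>]+))`, 'i');
  const m = re.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// List the subresources an HTTPS page would fetch over plain HTTP.
// A regex scan is enough for auditing static markup; it is not an HTML parser.
function findMixedContent(html, pageUrl) {
  const page = new URL(pageUrl);
  if (page.protocol !== 'https:') return []; // only HTTPS pages have mixed content
  const found = [];
  for (const [, rawTag, attrs] of html.matchAll(/<([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g)) {
    const tag = rawTag.toLowerCase();
    const attr = SUBRESOURCE_ATTR.get(tag);
    if (!attr) continue;
    if (tag === 'link') {
      // Only stylesheet links load content; rel=canonical and similar do not.
      const rel = (attrValue(attrs, 'rel') || '').toLowerCase().split(/\s+/);
      if (!rel.includes('stylesheet')) continue;
    }
    const value = attrValue(attrs, attr);
    if (value === null) continue;
    let resolved;
    try { resolved = new URL(value, page); } catch { continue; }
    // Relative and protocol-relative URLs inherit https: and are fine.
    if (resolved.protocol === 'http:') found.push({ tag, url: resolved.href });
  }
  return found;
}

// Rewrite each HTTP subresource to HTTPS, as the experiment does, and split
// the results by whether the HTTPS version exists. `httpsExists` is a
// caller-supplied check (a live probe in practice, a lookup table here).
function autoUpgrade(resources, httpsExists) {
  const report = { upgraded: [], broken: [] };
  for (const { tag, url } of resources) {
    const target = new URL(url);
    target.protocol = 'https:';
    const entry = { tag, from: url, to: target.href };
    (httpsExists(target.href) ? report.upgraded : report.broken).push(entry);
  }
  return report;
}

// Constructed sample input.
const SAMPLE_PAGE_URL = 'https://shop.example/products';
const SAMPLE_HTML = `
<link rel="stylesheet" href="http://static.example/site.css">
<link rel="canonical" href="http://shop.example/products">
<script src="http://legacy.example/widget.js"></script>
<img src="/img/logo.png">
<img data-src="http://static.example/lazy.png" src='http://static.example/banner.png'>
<a href="http://partner.example/">Partner</a>
<iframe src="//video.example/embed/1"></iframe>
`;
// Constructed stand-in for "does this URL answer over HTTPS?".
const SAMPLE_HTTPS_URLS = new Set([
  'https://static.example/site.css',
  'https://static.example/banner.png',
]);

function runMixedContentDemo() {
  const mixed = findMixedContent(SAMPLE_HTML, SAMPLE_PAGE_URL);
  return autoUpgrade(mixed, (u) => SAMPLE_HTTPS_URLS.has(u));
}

console.log(JSON.stringify(runMixedContentDemo(), null, 2));
```

Entries under `broken` are the ones to fix in the page source first, since they are the resources a browser-side upgrade cannot rescue.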
  17. Google Reveals How Much They Paid Out Under Their Bug Bounty Program in 2018

In 2010, Google launched its Vulnerability Reward Program (VRP) to help them identify bugs and other problems with their apps and software. Last year (2018), Google paid out $1.7 million to security researchers who discovered bugs in the Android and Chrome systems. They also paid a similar amount to coders who found flaws in other products.

Vulnerability Reward Program

The program was designed to help Google find flaws in its systems and to encourage researchers to report issues before they could be exploited. Financial rewards for reporting these bugs range from $100 to $200,000 depending on the risk level of the flaw. In total, Google said they had paid out $3.4 million in rewards in 2018, $1.7 million of which was for vulnerabilities found in Android and Chrome. Google said the program has paid out a total of $15 million since it was launched in 2010.

Examples of Researchers' Successes

Google provided some examples of the work researchers have done under the program, and the discoveries they have made this year.

Ezequiel Pereira, a 19-year-old researcher from Uruguay, found a Remote Code Execution bug. This bug allowed him to gain remote access to the Google Cloud Platform console.

Another bug was discovered by Tomasz Bojarski from Poland. He found a bug relating to Cross-Site Scripting (XSS) that could allow a hacker to change the behaviour of a website. It could also steal data and perform actions on someone’s behalf. Google stated that Tomasz was their top bug hunter last year, and used his reward money to open a lodge and restaurant.

Dzmitry Lukyanenka is a researcher from Belarus who lost his job, so decided to do bug-hunting full-time. He went on to become part of Google’s VRP grants program, which supports prolific bug hunters financially.

The rewards program has been a big success for Google since its launch in 2010, and it looks as though this will continue.

Source
  18. Google's stunning plan to avoid apps slurping Gmail inboxes: Charge devs for security audits

Requirement threatens to break the bank

To prevent a data grabbing snafu along the lines of Facebook's Cambridge Analytica scandal, Google is asking developers who use sensitive Gmail APIs to pay for a security audit that proves their apps play by the rules. And the cost – anywhere from $15,000 to $75,000 or more, every year – could put some smaller companies out of business.

"The impact is massive," said James Ivings, co-founder of SquareCat, in an email to The Register. "We are a small company and are facing the likelihood of shutting down in face of the charges, as they are currently well beyond our means. Out of the thousands of apps using the API I think our situation will be very common."

His company makes, among other things, a bulk email unsubscription app called Leave Me Alone.

Google announced its privacy policing plan in October 2018, three months after a Wall Street Journal report about how developers of apps that interact with Gmail messages – such as email analytics biz Return Path – have programmatic access to sensitive email contents and metadata. The change followed years of being criticized by competitors, and of lawsuits over its algorithmic parsing of consumer Gmail messages to refine the ads delivered through the service, a practice Google repudiated in mid-2017.

The revised Google API rules took effect on January 15, 2019 and apply to all new apps implementing Google's APIs. Apps that existed prior to this date have until Friday, February 15 to begin the application review process. Applications that fail to submit an application by February 15 will no longer be able to add new users on February 22 and face revocation on March 31.

"We introduced the new policy to better ensure that user expectations align with developer uses and give users the confidence they need to keep their data safe," a Google spokesperson explained in an email.
Not everyone is happy

The situation underscores the business risks of relying on platform rules that are subject to change at any time but not subject to neutral oversight. The only option for those dissatisfied with the changes is to take their business elsewhere.

Ivings said it may be that his firm will be forced to "pivot to supporting other services exclusively, such as Outlook, instead of Gmail, abandoning a large portion of our users."

Among apps implementing Google APIs, the subset using Google OAuth API Scopes, or Restricted Scopes – Gmail APIs that allow the reading, creation, or modification of message contents, attachments, metadata or header, or that control mailbox access, message forwarding or administrative settings – face extra scrutiny: an annual security assessment, backed by a Letter of Assessment from a Google-designated third party by the end of 2019.

This applies only to consumer-facing apps, like Leave Me Alone, which uses these Gmail APIs to identify newsletters, spam, and subscription messages and provide a bulk unsubscribe option. It also applies to Clean Email, which uses the Gmail APIs to organize and label messages. It doesn't apply to apps that interact with G Suite accounts, because workers have no expectation of privacy from corporate admins.

Clean Email founder Kyryl Bystriakov, in an email to The Register, said he welcomes Google's enhanced privacy requirements because Clean Email was built around respect for users' data and has no intention of selling or aggregating it. "We believe that paying money for our services is a much more honest and straightforward transaction," he said.

Bystriakov said he was stunned to learn that Google will require apps using the Restricted Scope APIs to pay $15,000 to $75,000 for annual security audits. "As a business owner who deals with users’ data and privacy every day, I understand where such a requirement is coming from," he said.
"I also believe that it’s not only overkill but it will also destroy the development community they’ve been building around their APIs."

And there's not much room to negotiate on price; Ivings said Google provided only two approved auditing firms to choose from. "Essentially these firms now have a monopoly market over the thousands of apps that must now commit to having the audit performed," he said.

Asked whether it has different standards for companies that collect Gmail data for marketing purposes and companies focused on subscription revenue, Google insists it is applying its rules to everyone in the same way. "The terms of the User Data Policy apply to all developers," the company's spokesperson said. "We are not offering different arrangements."

Bystriakov argues Google should do exactly that. He suggests different business models bring different sets of risks and should be covered by different standards.

Assuming their respective privacy policies are accurate, Clean Email and Leave Me Alone make significantly stronger privacy commitments than companies in the data collection business. Clean Email says it only collects email addresses. Leave Me Alone says, "We do not store content of any of your emails in any form."

Compare that to Unroll.me, a firm caught selling email data to companies like Uber in 2017, prompting an apology (for failing to communicate its business model) and a clearer declaration of its data trafficking.

Unroll.me says it collects "purchase receipts, sales receipts, delivery confirmations and returns, subscription confirmations and cancellations, registration confirmations, transaction summaries and the like" to prepare market research reports for corporate clients. And that's in addition to IP address, the URLs of visited web pages, referring and exiting pages, page views, time spent on page, and other interaction metrics.

The Register asked Unroll.me for comment but we've not heard back.
"I really hope that Gmail will revise its requirements around the security assessment or provide other ways to achieve compliance – by requiring different levels of compliance for different user bases or offering services for developers enabling them to achieve compliance faster and easier," said Bystriakov. Ivings said there must be a better way of ensuring trustworthy behavior than creating a financial barrier for companies that want to improve the experience in a Google product. "Imposing penalties on companies that abuse the terms of service might be effective," he said. "Or creating a more granular or restrictive set of API access rules would certainly help. For example, the GitHub API restricts apps to very specific things such as reading an email address, or editing a file, in contrast to Google's 'you-can-now-read-everything' permissions." Source
  19. Google SketchUp Pro 2019 v19.0.685

This is a professional software application designed to help users create and edit 3D models in a clean and intuitive working environment. It comes packed with a built-in editor that allows you to design 3D objects from scratch, a layout designer for combining 3D models, and a Style builder for customizing your models with different styles.

The editor gives you the possibility to import data from 3DS, DWG, KMZ, JPG, PNG, PSD, TIF, TGA, and other file formats. It also offers detailed information about each editing tool, so even rookies can learn to set up the dedicated parameters with minimum effort.

Features of SketchUp Pro 2019

Included tools:
– Drawing and modifying geometry: Polygon, FollowMe, Offset, and Intersect with Model.
– Construction: Dimension, Tape Measure, Protractor, Section Slice, Layers, Area and Length Calculation

SketchUp allows you:
– Draw, modify, measure, rotate, and scale geometry.
– Place section slices to view and work on model interiors.
– Add pre-made textures to your models, or create new ones.
– Add pre-made components like trees, cars, doors and windows, and people to your models, or create new components.
– Soften and smooth faces.
– Cast real-time shadows for any location on earth.
– Simulate movie camera placements.
– Perform walk-throughs.
– Create presentation tours.
– Import 2D images (.jpg, .png, .tif, .tga, .bmp) and 3D models (.3ds, .dem, .ddf, .dwg, .dxf, .skp).
– Export your models to Google Earth.
– Export 2D images of your models (.jpg, .bmp, .png, .tif).
– Print your models.
– Create add-on programs using the Ruby programming language.

System Requirements
– Windows 10, Windows 8+ and Windows 7+
– Microsoft® Internet Explorer 9.0 or higher.
– SketchUp Pro requires .NET Framework version 4.5.2.
– Mac OS 10.13+ (High Sierra), 10.12+ (Sierra), and OS X 10.11+ (El Capitan).

password for host link: => nsane <=
  20. Google Created Faster Storage Encryption for All Low-End Devices

Google has launched a new encryption algorithm that has been built specifically to run on mobile phones and smart IoT devices that don't have the specialized hardware to use current encryption methods to encrypt locally stored data efficiently.

Encryption has already become an integral part of our everyday digital activities. However, it has long been known that encryption is expensive, as it causes performance issues, especially for low-end devices that don't have hardware support for making the encryption and decryption process faster.

Since data security concerns have recently become very important, not using encryption is no longer a wise tradeoff, and at the same time, using a secure but slow device on which apps take much longer to launch is also not a great idea.

Currently Android OS supports AES-128-CBC-ESSIV for full-disk encryption and AES-256-XTS for file-based encryption, and Google has already made it mandatory for device manufacturers to include AES encryption on most devices shipped with Android 6.0 or later. However, unfortunately, many low-end and other connected devices today available in the market are exempted from using encryption because of poor AES performance (50 MiB/s and below).

Adiantum: Fast Local Storage Encryption for Every Device

To solve this issue, Google has once again stepped forward, this time with "Adiantum," a new form of efficient storage encryption that has been designed to protect local data without slowing down devices that don't support hardware-accelerated cryptography.

"Adiantum allows us to use the ChaCha stream cipher in a length-preserving mode, by adapting ideas from AES-based proposals for length-preserving encryption such as HCTR and HCH," Google said. "On ARM Cortex-A7, Adiantum encryption and decryption on 4096-byte sectors is about 10.6 cycles per byte, around 5x faster than AES-256-XTS."
For those unaware, the ChaCha stream cipher is extremely secure and much faster than Advanced Encryption Standard (AES) when hardware acceleration is unavailable, as it exclusively relies on operations that all CPUs natively support—additions, rotations, and XORs.

According to Google, Adiantum has primarily been designed to become the next widely accepted alternative that offers maximum security along with sufficient performance on lower-end ARM processors.

"Our hope is that Adiantum will democratize encryption for all devices," Eugene Liderman, Director of Mobile Security Strategy at Android Security and Privacy Team, says. "Just like you would not buy a phone without text messaging, there'll be no excuse for compromising security for the sake of device performance."

With Adiantum, Google is looking forward to making the next generation of phones and smart devices more secure than their predecessors by allowing everything—from smartwatches to Internet-connected medical devices—to encrypt users' sensitive data without compromising on performance.

For more technical details about Adiantum and how it works, you can head on to the Google Security blog post and a white paper (PDF and GitHub) published by the company with more information.

Source
  21. Top developers behind ad-blocking and anti-tracking browser extensions say they’re alarmed by potential changes coming to Chrome recently disclosed in a public Google document. As a result, at least one company is now threatening possible legal action. The proposed design changes would replace the API relied upon by privacy extensions like uBlock and Ghostery with another designed to “diminish the effectiveness of content blocking and ad blocking extensions,” the Register reported on Tuesday. The proposal would leave functional basic filters employed by Adblock Plus, which, the site noted, Google has reportedly paid to whitelist its own ads. Extension developers say, among other potential consequences, the changes would kill competition among third-party ad blockers by placing new limits on their sophistication, ultimately making it harder to adequately shield Chrome users from undesired online tracking. “This would basically mean that Google is destroying ad blocking and privacy protection as we know it,” Ghostery said in a statement. “They pretend to do this for the sake of privacy and browser performance, however in reality, users would be left with only very limited ways to prevent third parties from intercepting their surfing behavior or to get rid of unwanted content.” Saying the change would exemplify a “misuse” of Google’s “market-dominating position,” Ghostery added that it would “consider filing an anti-trust complaint” if Google followed through. Here’s how Ghostery described the proposal: Initially telling reporters that its proposal is merely “subject to change,” Google signaled more strongly on Wednesday that it was preparing to rein in its plans. “We want to make sure all fundamental use cases are still possible with these changes and are working with extension developers to make sure their extensions continue to work,” a Google spokesperson told Gizmodo. 
The Register reported on related concerns raised by Raymond Hill, lead developer of uBlock Origin—a content-blocking extension with more than 10 million active Chrome users—who said his privacy software would “no longer be able to exist” if Google implemented the proposal described in the public document. Hill added that the changes would likewise break uMatrix, a more advanced extension with granular controls for allowing users to block connections and content by data type. Hill and other developers were seen discussing the matter on the Chromium bug tracker, though a Google software engineer locked the thread on Tuesday after deleting several related comments. “I am another ad blocker developer (AdGuard), and from our perspective, the proposed change will be even more crippling to all ad blockers than what was done by Apple when they introduced their declarative content blocking API,” reads one of those undeleted comments. Source
  22. Google works on spotting dodgy 'evil domains' [Image caption: British Airways was being targeted by scammers who set up domains mimicking its real site] Google is working on a way for Chrome to do a better job of spotting fake websites that seek to trick people into handing over personal information. It is concentrating on websites that use letters and numbers to approximate a recognised brand. The work will mean Chrome will warn people they are about to visit sites it believes are fake. Security firm Wandera said it had seen a "constant rise" in attacks using the non-standard characters. The criminal gangs were exploiting a technology known as punycode, which converts non-English character codes into more familiar formats. British Airways was a popular target for gangs using these attacks, said the security firm. Hidden danger Google engineer Emily Stark talked about the search giant's development of the "evil domain" spotter at the Usenix Enigma security conference this week. Google has also shared early versions of the tool to help web developers test and refine it. While Chrome already includes features that aim to spot known unsafe sites, the new tool would go much further. Ms Stark said more needed to be done, because currently staying secure often relied on users noticing when domains were dodgy - even when experts would struggle to distinguish legitimate ones from those crafted by cyber-criminals. [Image caption: Once transformed, many domain names are very similar to the legitimate ones they mimic] In particular, the tool will seek to tackle the growth of so-called homograph attacks that exploit modern browsers' ability to handle non-English characters. However, this transformation can hide the fact that they were not created by the organisation they seem to represent. 
Haris Kampouris, head of threat research at Wandera, said more and more cyber-crime gangs had turned to homograph attacks that abuse the punycode technology. "We are still seeing a constant rise on this type of scam or phishing domain," he told the BBC. "That's likely to be due to the plentiful combinations that can be used." Wandera had recently seen punycode domains for Google, BA, Adidas, Tesco, Asda and Ryanair that typically included one character that differed only slightly from its English equivalent, he said. BA was currently the most-targeted UK brand in terms of punycode domains, said Mr Kampouris. Many security firms and independent researchers have made add-ons for browsers or programs that spot phishing domains and try to warn people about these criminal domains. Mr Kampouris said Google's move was a "step in the right direction" in tackling homograph-based attacks but hoped that the feature would make it to browsers on mobile devices, which often did not receive protections seen on desktop and laptop versions. Google has not given a date for when the domain-checking system will be added to Chrome. Source
  23. On Thursday evening, Apple restored Google’s access to its own internal iOS apps, just hours after it made a similar move with Facebook’s private iPhone apps. "We can confirm our internal corporate apps have been restored," Anaik von der Weid, a Google spokeswoman, emailed Ars just after 8pm Pacific Time. For less than a day, Apple had briefly revoked Google’s iOS certificate that enabled those private apps to conduct various internal business such as company shuttles, food menus, as well as pre-release beta testing, and more. Apple yanked the enterprise iOS cert as a brief punishment against both companies for overstepping privacy boundaries, after it was revealed that those companies' "research apps" had been distributed beyond what had been authorized. Neither Google nor Facebook responded to Ars’ questions as to whether they had met any conditions set by Apple in order to regain access. Source
  24. Google joins Facebook in Apple’s banning spree Apple has now shut down Google’s ability to distribute its internal iOS apps, following a similar shutdown that was issued to Facebook earlier this week. A person familiar with the situation tells The Verge that early versions of Google Maps, Hangouts, Gmail, and other pre-release beta apps have stopped working today, alongside employee-only apps like a Gbus app for transportation and Google’s internal cafe app. “We’re working with Apple to fix a temporary disruption to some of our corporate iOS apps, which we expect will be resolved soon,” says a Google spokesperson in a statement to The Verge. Apple has not yet commented on the situation. Apple’s move to block Google’s developer certificate comes just a day after Google disabled its Screenwise Meter app following press coverage. Google’s private app was designed to monitor how people use their iPhones, similar to Facebook’s research app. Google’s app also relied on Apple’s enterprise program, which enables the distribution of internal apps within a company. In an earlier statement over Facebook’s certificate removal, Apple did warn that “any developer using their enterprise certificates to distribute apps to consumers will have their certificates revoked.” Apple is clearly sticking to its rules and applying them equally to Facebook, Google, and likely many other companies that get caught breaking Apple’s rules in the future. Source
  25. A day after Facebook was dinged for shady iOS distribution techniques of its data-collecting research app, Google was discovered using the same methods for its own app. Google has found itself in hot water for a research app that may have violated Apple’s policies by collecting user data in exchange for gift cards. The tech giant said it has now disabled the Screenwise Meter “audience measurement” app – which voluntarily collects data from users’ phones, browsers and even routers – from iOS devices. The app was using a similar method as the recently-highlighted “Facebook Research” app to sidestep the Apple App Store’s strict data collection policies, according to a TechCrunch report. This involved distributing the app via Apple’s developer enterprise program, meant for companies who want to create apps for their own employees. “The Screenwise Meter iOS app should not have operated under Apple’s developer enterprise program — this was a mistake, and we apologize,” a Google spokesperson told Threatpost. “We have disabled this app on iOS devices.” Developer Enterprise Program The developer enterprise program enables companies to create apps for their own employees – so the apps don’t go through the public App Store. Apple has strict data-collection policies as part of its developer policies, which bar the collection of data about usage of other apps or data that’s not necessary for an app to function, as of June. “Apps should only request access to data relevant to the core functionality of the app, and should only collect and use data that is required to accomplish the relevant task,” according to Apple’s policy. It was discovered earlier this week that Facebook had used a similar method for its own A Tuesday TechCrunch report uncovered that the social-media giant has been paying users (between the ages of 13 and 35) up to $20 a month to install the app, referred to as Project Atlas, on iOS or Android. 
The app gave Facebook full data access – including how and when users utilize the apps on their phone, their internet browsing history, and even screenshots of their Amazon order-history page, according to the report. In response, Apple revoked Facebook’s enterprise iOS developer certificate and banned the app from its ecosystem. A Facebook spokesperson however told Threatpost that key facts about the market research program are being ignored. “Despite early reports, there was nothing ‘secret’ about this; it was literally called the Facebook Research app,” the spokesperson said. “It wasn’t ‘spying,’ as all of the people who signed up to participate went through a clear on-boarding process asking for their permission, and were paid to participate. Finally, less than 5 percent of the people who chose to participate in this market research program were teens. All of them with signed parental consent forms.” Apple did not respond to a request for comment from Threatpost about Google’s app. Screenwise Meter Google’s own app came to the forefront a day after Facebook’s app was banned from the iOS ecosystem. The app, which has been running since 2012, dishes out gift cards to users in exchange for their data across their mobile devices, web browsers, routers and even televisions. Screenwise Meter appears to still be available on Google Play, where a description of the app reads: “The Screenwise Meter mobile app is used to manage registered panelists’ participation in market research panels. If you are not a registered panelist with Google, this app will not function; please do not download or use this app. This app works in sync with external Screenwise measurement devices.” In order to download the app, Google gives users a special code and they can then go through the registration process using Apple’s Enterprise Certificate. This is a similar process to how Facebook’s research app was downloaded. 
According to the app’s panelist eligibility requirements, users must be 18 years or older while “household-invited secondary panelists” must be 13 years or older, with parental consent. A Google spokesperson told Threatpost that the app “is completely voluntary and always has been.” “We’ve been upfront with users about the way we use their data in this app, we have no access to encrypted data in apps and on devices, and users can opt out of the program at any time,” the spokesperson said. Source