Google News App

How to enable deliveries to people and places without traditional addresses

Billions of people don’t have a precise address, which can make it difficult for them to receive deliveries. Those with an address may prefer to accept deliveries at more specific locations, such as a back entrance or a loading dock. Google developed Plus Codes to bridge these addressing gaps and give the benefit of addresses to everyone and everything. For example, the Navajo Nation uses Plus Codes to identify where people in need are located and how best to deliver needed food and supplies. Now Plus Codes support throughout Google Maps Platform APIs allows delivery service providers to capture and deliver to a broader audience with greater precision.

Image: Plus Codes in São Paulo, Brazil

Plus Codes are simple alphanumeric codes, derived from latitude and longitude coordinates. A typical Plus Code could be “F95F+42, Hyderabad”, which represents a roughly 13 by 13 meter area within the city of Hyderabad. Plus Codes enable addressing of areas that are roughly the size of places like building entrances and loading docks, where deliveries are commonly made. If an additional character is included, such as in “F95F+42M, Hyderabad”, it represents an area of approximately 2.5 meters by 2.5 meters, providing even greater precision for delivery use cases.

Benefits of Plus Codes for delivery service providers 

Millions of deliveries fail around the world every year, and a leading cause is bad or imprecise addresses. Thanks to their precision, Plus Codes can reduce such delivery failures and reduce support costs, while providing a more seamless “no touch” and “no phone call” experience for consumers. By being able to accept a broader range of delivery locations with Plus Codes, providers can accept more business from shippers and consumers with higher confidence. 

Using Plus Codes in your applications

Plus Codes are now supported in Google Maps Platform APIs including Place Autocomplete, Place Details, Directions, and Geocoding. For example, the results for reverse geocoding searches include Plus Codes. These results have a “plus_code” type and “ROOFTOP” value for the location_type property so they’re easy to filter in or out. If your application is asking the user to drop a pin to determine a location, it may use the Plus Code for this location if there isn’t a nearby result with a traditional address. A Plus Code may also be used the same way as latitude and longitude coordinates in other features such as entering a destination into a Place Autocomplete search bar or requesting directions from the Directions API. They’re easy to spell out or transfer on paper and can be inserted into address fields of other Google Maps Platform APIs to provide a fully consistent addressing scheme across the business.

Image: An example of an app using Plus Codes for delivery

No matter how a business decides to use Plus Codes, they offer any user anywhere in the world the opportunity to receive deliveries while allowing the delivery company to treat this just as they would a conventional address across Google Maps Platform APIs. This enables broad accessibility and inclusivity together with the ability for businesses to easily and simply expand their operations to new regions worldwide. 

 For more information on Google Maps Platform, visit our website.

Born in Detroit, Accelerated with Google

Posted by Ajeet Mirwani, Program Manager, Developer Relations

StockX is a Detroit-based tech leader focused on the large and growing online resale marketplace for sneakers, apparel, accessories, collectibles, and electronics. Its innovative marketplace enables users to anonymously buy and sell high-demand consumer products with stock market-like visibility. StockX employs over 800 people in more than 13 offices and authentication centers around the world, and facilitates sales in more than 200 countries and territories.

StockX has been selected for Google’s Late-Stage Accelerator, which offers specialized programs in the areas of tech, design, product, and people operations to enable high growth startups. This accelerator is built using the fundamentals of the Google for Startups Accelerator that runs across the globe.

Every single item sold on StockX is shipped to one of its six global authentication centers and verified by a human to ensure the item is brand new, authentic, and has no manufacturing defects, providing confidence that resale market transactions are safe and secure.

The partnership between StockX and Google came to light as StockX started looking for technology to enhance its authentication process. This process today is managed by the StockX team with “authenticators” (i.e. employees who are specially trained at finding fakes, manufacturing defects, etc.) taking on the work.

With this problem statement in mind, we gathered experts from the Google Cloud AI team to help StockX utilize machine learning / AI to improve the speed and accuracy of authentication, spotting which items are fake or have a manufacturing defect. This is a perfect problem for AI – StockX captures large amounts of information about every item and whether it passed or failed authentication, enabling the team to quickly gather training data. StockX and the Accelerator team started collaboration early in the process, planning the project phases together and bringing Google’s experience and expertise in solving these types of problems to bear. The teams meet weekly, sharing data, insights and feedback to enable fast iteration.

Google’s experts in applied machine learning (ML) from the Late-Stage Accelerator have already saved the StockX technical team significant time on model architecture and data management. Both teams are looking forward to moving this collaboration to the next stage of model development, training and serving into production. More to come!

Strengthen zero trust access with the Google Cloud CA service

As more organizations undergo digital transformation, evolve their IT infrastructure and migrate to public cloud, the role of digital certificates will grow—and grow a lot. Certificates and certificate authorities (CAs) play a key role in both modern IT models like DevOps and in the evolution of traditional enterprise IT.

In August, we announced our Certificate Authority Service (CAS)—a highly scalable and available service that simplifies and automates the management and deployment of private CAs while meeting the needs of modern developers building and running modern systems and applications. Take a look at how easy it is to set up a CA in minutes!

Google Cloud Security Showcase

At launch, we showed how CAS allows DevOps security officers to focus on running the environment and offload time-consuming and expensive infrastructure setup to the cloud. Moreover, as remote work continues to grow, it’s bringing a rapid increase in zero trust network access, and the need to issue an increasing number of certificates for many types of devices and systems outside the DevOps environment. The challenge that emerged is that the number of certificates and the rate of change both went up. It is incredibly hard to support a large WFH workforce from a traditional on-premises CA, assuming your organization even has the “premises” where it can be deployed.

To be better prepared for these new WFH-related scenarios, we are introducing a new Enterprise tier that is optimized for machine and user identity. These use cases tend to favor longer lived certificates and require much more control over certificate lifecycle (e.g., ability to revoke a certificate when the user loses a device). This new tier complements the DevOps tier, which is optimized for high throughput environments that tend to favor shorter lived certificates (e.g., for containers, micro-services, load balancers, etc.) at an exceptionally high QPS (number of certificates issued per second).

Simply put, our goal with the new Enterprise tier is to make it easy to lift and shift your existing on-premises CA. Today CAS supports “bring your own root” to allow the existing CA root of trust to continue being the root of trust for CAS. This gives you full control over your root of trust while offloading scaling and availability management to the cloud. This also gives you freedom to move workload across clouds without having to re-issue your PKI, and vastly reduces the migration cost.

Moreover, through our integration with widely deployed certificate lifecycle managers (e.g., Venafi and AppViewX), we have made the lift and shift of an existing CA to the cloud a breeze, so you can continue using the tooling that you are familiar with and simply move your CA to the cloud. CAS leverages FIPS 140-2 Level 3 validated HSMs to protect private key material.

With the two tiers of CAS (Enterprise and DevOps), you can now address all your certificate needs (whether for your devops environments or for your corporate machine and user identity) in one place. This is great news for security engineers and CA admins in your environment as now they can use a single console to manage the certificates in the environment, create policies, audit, and react to security incidents. Visibility and expiration have always been the two biggest issues in PKI and with CAS and our partner solutions, you can solve these issues in one place.

So whether you are at the beginning of your journey of using certificates and CAs, or have an existing CA that has reached its limit to address the surge in demand (either due to WFH or your new DevOps environment), CA Service can deliver a blend of performance, convenience, ease of deployment/operation with the security and trust benefits of Google Cloud. CAS is available in preview for all customers to try. 

Our favorite 10 new things coming to Smart Displays

Every day, people ask Google for help with things like catching up on their favorite shows, turning on their garage lights, filling their homes with relaxing music, playing games and even keeping their family on track. As we expect more of our smart home devices, Smart Displays are increasingly becoming a hub that entertains and connects the whole home and whole family, all day (and night) long. 

Today, we’re introducing a brand new experience that builds on the smarts of Google and visual capabilities of Smart Displays. Here are 10 ways these updates make the whole day go a little more smoothly:

  1. A new visual experience to jumpstart your day. As you begin your day, just tap the new “Your morning” page to get things off to a good start. You’ll see things like a reminder for your first meeting, a run down of the morning news and a glance at the weather ahead. This page evolves throughout the day to reflect “Your afternoon” and “Your evening” so that the recommendations you see change as your day does.
  2. Entertainment for the whole family. Whether you want to listen to a podcast while you prepare breakfast in the morning or are looking for a TV show to wind down after a long day, the “Media” page will suggest videos or shows to keep everyone in the house entertained, while also offering suggestions from our music and video platforms like Disney+, Netflix, YouTube TV and Spotify.
  3. Control the whole home in one place. The new visual layout also has a “Home control” page, where you can control the connected devices throughout the house (so you can turn off the lights in the bedroom or take a look at who’s at the front door).
  4. More tools for staying in touch and staying productive. We recently added more ways to stay in touch with friends, family and coworkers on your Smart Display with Google Meet and Duo—and Zoom is coming to Assistant-enabled Smart Displays later this year. Use the “Communicate” page to start a new meeting, call one of your household contacts or even message your kids in another room using a Broadcast card.
  5. Discover other helpful features. While the new visual experience is catered to help you manage your day, we know everyone likes to have a little fun with the device too. Scroll over to the “Discover” page to explore more of what your smart display can do.
  6. Now available: All of your accounts in one place. If you have separate personal and work accounts, you can now set up multiple accounts on Google Assistant devices to see and interact with all of your upcoming events and meetings in one place—without having to switch between your personal or work account. For example, on your Google Nest Hub Max, you can now quickly tap or ask to join your next meeting (“Hey Google, join my next meeting”), whether it’s a personal yoga class or a conference call. This is now supported on Assistant-enabled devices where you can access your Calendar, like phones (Android and iOS), shared devices such as smart speakers and Smart Displays, and for Google Workspace users enrolled in the Google Assistant Beta Program.
  7. Make sure you’re always in the picture. Meet on Nest Hub Max will now auto-frame to keep the camera centered on you if you move around. You can also customize how Meet looks on your Smart Display so it’s easier to see a specific person or details in a presentation with pinning, four-person grids and pinch and zoom—coming later this year. We’ve also added new menu options to give you the ability to cancel and reschedule Meet meetings right from your Smart Displays, and you can even send a message to let others know if you need to find a new time or if you’re running late.
  8. Dark theme, now on your Smart Display. Dark Theme changes the color scheme of the interface and reduces light emission, so it’s easier on the eyes at night while still providing you with visual and touch access. You can also keep the classic Light Theme or set to “Automatic” so that the display will adjust naturally based on the ambient light or when the sun rises and sets.
  9. Choose relaxing sounds for drifting off to sleep. The new visual experience also features the “Your evening” page, where you can select from different relaxing sounds to make going to sleep just a little more pleasant. Maybe you prefer tranquil rainfall or the sounds of crickets, or you can ask Google to choose one for you. A sleep timer will fade out the sound, or you can let it play all night—go ahead, you deserve it.
  10. Finally, start the next day with the new Sunrise Alarm. With Sunrise Alarm—coming to Smart Displays soon—the brightness of the screen will gradually increase starting 30 minutes before your alarm goes off, mimicking the sunrise so you wake up naturally. You can also set different alarms for different days of the week and choose different ringtones for them (because who wants to wake up at 7 a.m. on Saturday!?). The best part? When the alarm goes off, you can just say “stop” without having to say “Hey Google.”

Improvements to Ads Data Hub

Today, we’re announcing improvements to Ads Data Hub, our cloud-based solution that enables customized analysis of your Google ad campaigns while protecting user privacy. With these updates, we’re offering more ways to access the data you need, improved usability for key workflows, and new tools that give you more flexibility to run customized analysis.

Over 200 brands, agencies and measurement partners use Ads Data Hub to analyze campaign data so they can understand how people interact with ads. For example, Essence, a global data and measurement-driven media agency, uses Ads Data Hub to deliver a suite of privacy-centric, advanced measurement services for customers across verticals in order to help them make better media decisions, and ultimately get a better return on their ad spend.

Ads Data Hub: Essence Case Study

Better ways to get access to the data you need

Earlier this year, we shared updates to Ads Data Hub to help you analyze your data faster and more easily. Since then, we introduced self-service account linking for Google Ads, Campaign Manager, and Display & Video 360, so you can more easily access Google ad campaign data across multiple products in a secure, privacy-centric environment.

We’ve also heard requests from customers to make it easier to export data to other tools they use for creating reports and dashboards. So we recently made it possible to export query results for visualization and manipulation in Data Studio and Google Sheets, giving you the ability to further explore your data in both tools. By connecting Ads Data Hub to Data Studio and Google Sheets, you can unlock the power of your data with interactive dashboards and engaging reports that inspire smarter business decisions. And—as always—there’s an aggregation requirement for output of any data from Ads Data Hub, ensuring user data is protected.

Enhanced usability and more holistic insights

We’re improving the user experience for privacy checks in Ads Data Hub. These changes include an enhanced user interface and faster query execution times, and give you a more complete view of your data in Ads Data Hub, without compromising end-user privacy. Over the coming months, Ads Data Hub will start notifying you when rows of data are suppressed from results due to privacy checks, helping you understand why certain data was not included.

We’ve also improved the algorithms we use to filter query results. Now, queries utilizing data joins are filtered with more precision, so you will have greater flexibility in designing your queries to address the insights you are looking to gain via Ads Data Hub – but in a way that continues to protect user privacy.

New tools to run customized analysis

Ads Data Hub provides tools to help you run analysis including consumer journey paths, launched earlier this year. But we’ve heard from some customers the need for additional ways to run customized analysis that aligns with unique business needs.

We’re now offering Shapley value and Markov chain analysis methods as native Ads Data Hub functions to assign credit to touchpoints along the consumer journey. These functions can be used with Campaign Manager and Display & Video 360 data as well as your own business data in Ads Data Hub. Shapley value and Markov chain functions are available in beta today and will roll out to all marketers using Ads Data Hub by the end of the year. We’re also exploring ways to offer more capabilities for customized analysis in Ads Data Hub.

Our mission with Ads Data Hub is to help you tailor your marketing measurement to your unique business needs, while protecting user privacy and upholding Google’s high standards of data security. And we’re investing in privacy research for Ads Data Hub to accelerate improvements to privacy protections, usability, and performance. As we invest in features that make Ads Data Hub faster, more secure, and easier to use, you’ll be able to focus on what matters—the growth of your business.

Lending DocAI fast tracks the home loan process

Artificial intelligence (AI) continues to transform industries across the globe, and business decision makers of all kinds are taking notice. One example is the mortgage industry; lending institutions like banks and mortgage brokers process hundreds of pages of borrower paperwork for every loan – a heavily manual process that adds thousands of dollars to the cost of issuing a loan. In this industry, borrowers and lenders have high expectations; they want a mortgage document processing solution catered to improving operational efficiency, while ensuring speed and data accuracy. They also want a document automation process that helps enhance their current security and compliance posture.

At Google, our goal to understand and synthesize the content of the world wide web has given us unparalleled capabilities in extracting structured data from unstructured sources. Through Document AI, we’ve started bringing this technology to some of the largest enterprise content problems in the world. And with Lending DocAI, now in preview, we’re delivering our first vertically specialized solution in this realm.

Lending DocAI is a specialized solution in our Document AI portfolio for the mortgage industry. Unlike more generalized competitive offerings, Lending DocAI provides industry-leading data accuracy for documents relevant to lending. It processes borrowers’ income and asset documents to speed up loan applications—a notoriously slow and complex process. Lending DocAI leverages a set of specialized models, focused on document types used in mortgage lending, and automates many of the routine document reviews so that mortgage providers can focus on the more value-added decisions. Check out this product demo.

In short, Lending DocAI helps:  

  • Increase operational efficiency in the loan process: Speed up the mortgage workflow processes (e.g. loan origination and mortgage servicing) to easily process loans and automate document data capture, while ensuring that accuracy and breadth of different documents (e.g. tax statements, income and asset documents) support enterprise readiness.

  • Improve home loan experience for borrowers and lenders: Transform the home loan experience by reducing the complexity of document process automation. Enable mortgage applications to be more easily processed across all stages of the mortgage lifecycle, and accelerate time to close in the loan process.

  • Support regulatory and compliance requirements: Reduce risk and enhance compliance posture by leveraging a technology stack (e.g. data access controls and transparency, data residency, customer managed encryption keys) that reduces the risk of implementing an AI strategy. It also streamlines data capture in key mortgage processes such as document verification and underwriting.

Partnering to transform your home loan experience

Our Deployed AI approach is about providing useful solutions to solve business challenges, which is why we’re working with a network of partners in different phases of the loan application process. We are excited to partner with Roostify to transform the home loan experience during origination. Roostify makes a point-of-sale digital lending platform that uses Google Cloud Lending DocAI to speed up mortgage document processing for borrowers and lenders. Roostify has been working with many customers to develop our joint solution, and we have incorporated valuable feedback along the way.

“The mortgage industry is still early in transitioning from traditional, manual processes to digitally-enabled and automated, and we believe that transformation will happen much more quickly with the power of AI. And if you are going to do AI, you’ve got to go Google.” – Rajesh Bhat, Founder and CEO, Roostify

Our goal is to give you the right tools to help borrowers and lenders have a better experience and to close mortgage loans in shorter time frames, benefiting all parties involved. With Lending DocAI, you will reduce mortgage processing time and costs, streamline data capture, and support regulatory and compliance requirements.

Let’s connect

Be sure to tune in to the Mortgage Bankers Association annual convention to learn from our Fireside Chat and session with Roostify!

This Small Business Week, we’re helping local businesses forge a way forward together

Over the past six months, retailers and entrepreneurs have had to quickly pivot their business models or transform their operations to continue serving their communities and reach customers. As of mid-September, an estimated 30% of all Canadian small businesses remained closed, and with the current pace of recovery, it could take almost a year and a half for most small businesses to return to normal sales.

The Business Development Bank of Canada (BDC) has led the celebration of Small Business Week for 40 years, in support of Canadian entrepreneurs and their contribution to Canada’s culture and economy. To help kick off this year’s event, we’re sharing how Canadian small businesses have used Google tools to get started online and grow their presence, for free. 

Step 1: Get started online for free 

Teatro Verde is a florist in Toronto’s Yorkville neighbourhood. Over the past 24 years, they’ve established a loyal customer base but the pandemic had an immediate impact on the company’s staff and supply chain, and they needed new ways to serve customers fast. Through the ShopHERE powered by Google program, owners Shawn Gibson and Michael Pellegrino were able to quickly set up an online store for free and promote new services for shopping in-person or online via delivery and curbside pickup. 
“We are a very high-touch business and have a distinct in-store environment, and we wanted to bring that online. The images on our website have really helped people visualize our products,” Gibson said. “ShopHERE is an amazing way to help develop your business for free especially if you don’t have a lot of time.” 
For small businesses looking to get set up online, apply here

Step 2: Build your customer base 

While the pandemic has brought many challenges, it has also opened up opportunities for businesses to find new audiences online. To make local businesses more discoverable, we have launched the Local Opportunity Finder tool. Enter the name of your business and we will provide customized suggestions on how to improve your presence on Google Search and Maps in under five minutes. 
New Google My Business features are also helping businesses organize appointments and keep track of customer flow. Saint Lou’s Barbershop has fostered casual, community connections in Halifax, N.S. for years. But when the pandemic hit, they quickly needed to shift their walk-in-only business model to a more organized, appointment-based system for physical distancing and customer safety. Owner Rob Oxner quickly implemented the “book online” feature on Saint Lou’s Google My Business profile, and says most customers now book appointments online. 

We’ve also made it free to list your products on the Google Shopping tab, so businesses can connect with millions of online shoppers actively searching for their products. Carmen and Jordan West from Abbotsford, B.C., are the duo behind family and baby clothing line Little & Lively. This year, they’ve seen sales increase as more people shop online and turn to “retail therapy.” The couple call Google Shopping their “magic bullet” for eCommerce, allowing them to reach people actively searching for their products. 

Step 3: Stay connected and organized 

With the rise of remote working in March, many companies turned to digital tools and cloud technology to stay organized and connected or to meet new demands. Burnaby, B.C., business One Arrow Meats is one of those companies. Cree-Métis chef and entrepreneur Heat Laliberte’s hand-cured artisan bacon is a staple at Vancouver-area restaurants, farmers markets and grocery stores. Orders have quadrupled during the pandemic and Laliberte quickly needed to find ways to delegate some of his day-to-day responsibilities across the team. They turned to Google Workspace (formerly G-Suite), with collaborative tools like Google Calendar, Drive and Meet to help team members stay connected. 

Say it with a review: A simple way to support Canadian businesses 

Reviews on Google provide valuable information about your business to customers, and can help your business stand out on Google. This year, we’re challenging all Canadians to help small businesses near them by rating their favourite businesses and writing a Google review. These reviews help people research and understand businesses around them, and learn from other people’s customer experiences. This is especially important during the pandemic, as consumers consolidate shopping trips and seek more information around safety protocols. Research has found that positive reviews make 91% of consumers more likely to choose a business. 
Learn more about how you can help this Small Business Week here

Posted by Karen Godwin, Director of Customer Solutions, Google Canada

FermiNet: Quantum Physics and Chemistry from First Principles

We’ve developed a new neural network architecture, the Fermionic Neural Network or FermiNet, which is well-suited to modeling the quantum state of large collections of electrons, the fundamental building blocks of chemical bonds.

Exponential growth in DDoS attack volumes

Security threats such as distributed denial-of-service (DDoS) attacks disrupt businesses of all sizes, leading to outages, and worse, loss of user trust. These threats are a big reason why at Google we put a premium on service reliability that’s built on the foundation of a rugged network. 

To help ensure reliability, we’ve devised some innovative ways to defend against advanced attacks. In this post, we’ll take a deep dive into DDoS threats, showing the trends we’re seeing and describing how we prepare for multi-terabit attacks, so your sites stay up and running.

Taxonomy of attacker capabilities

With a DDoS attack, an adversary hopes to disrupt their victim’s service with a flood of useless traffic. While this attack doesn’t expose user data and doesn’t lead to a compromise, it can result in an outage and loss of user trust if not quickly mitigated.

Attackers are constantly developing new techniques to disrupt systems. They give their attacks fanciful names, like Smurf, Tsunami, XMAS tree, HULK, Slowloris, cache bust, TCP amplification, JavaScript injection, and a dozen variants of reflected attacks. Meanwhile, the defender must consider every possible target of a DDoS attack, from the network layer (routers/switches and link capacity) to the application layer (web, DNS, and mail servers). Some attacks may not even focus on a specific target, but instead attack every IP in a network. Multiplying the dozens of attack types by the diversity of infrastructure that must be defended leads to endless possibilities.

So, how can we simplify the problem to make it manageable? Rather than focus on attack methods, Google groups volumetric attacks into a handful of key metrics:

  • bps (network bits per second) → attacks targeting network links
  • pps (network packets per second) → attacks targeting network equipment or DNS servers
  • rps (HTTP(S) requests per second) → attacks targeting application servers

This way, we can focus our efforts on ensuring each system has sufficient capacity to withstand attacks, as measured by the relevant metrics.

Trends in DDoS attack volumes

Our next task is to determine the capacity needed to withstand the largest DDoS attacks for each key metric. Getting this right is a necessary step for efficiently operating a reliable network—overprovisioning wastes costly resources, while underprovisioning can result in an outage.

To do this, we analyzed hundreds of significant attacks we received across the listed metrics, and included credible reports shared by others. We then plotted the largest attacks seen over the past decade to identify trends. (Several years of data prior to this period informed our decision of what to use for the first data point of each metric.)

Figure: DDoS attacks

The exponential growth across all metrics is apparent, often generating alarmist headlines as attack volumes grow. But we need to factor in the exponential growth of the internet itself, which provides bandwidth and compute to defenders as well. After accounting for the expected growth, the results are less concerning, though still problematic.

Architecting defendable infrastructure

Given the data and observed trends, we can now extrapolate to determine the spare capacity needed to absorb the largest attacks likely to occur.

bps (network bits per second)
Our infrastructure absorbed a 2.5 Tbps DDoS in September 2017, the culmination of a six-month campaign that utilized multiple methods of attack. Despite simultaneously targeting thousands of our IPs, presumably in hopes of slipping past automated defenses, the attack had no impact. The attacker used several networks to spoof 167 Mpps (millions of packets per second) to 180,000 exposed CLDAP, DNS, and SMTP servers, which would then send large responses to us. This demonstrates the volumes a well-resourced attacker can achieve: This was four times larger than the record-breaking 623 Gbps attack from the Mirai botnet a year earlier. It remains the highest-bandwidth attack reported to date, leading to reduced confidence in the extrapolation.

pps (network packets per second) 
We’ve observed a consistent growth trend, with a 690 Mpps attack generated by an IoT botnet this year. A notable outlier was a 2015 attack on a customer VM, in which an IoT botnet ramped up to 445 Mpps in 40 seconds—a volume so large we initially thought it was a monitoring glitch!

rps (HTTP(S) requests per second)
In March 2014, malicious JavaScript injected into thousands of websites via a network man-in-the-middle attack caused hundreds of thousands of browsers to flood YouTube with requests, peaking at 2.7 Mrps (millions of requests per second). That was the largest attack known to us until recently, when a Google Cloud customer was attacked with 6 Mrps. The slow growth is unlike the other metrics, suggesting we may be underestimating the volume of future attacks.

While we can estimate the expected size of future attacks, we need to be prepared for the unexpected, and thus we over-provision our defenses accordingly. Additionally, we design our systems to degrade gracefully in the event of overload, and write playbooks to guide a manual response if needed. For example, our layered defense strategy allows us to block high-rps and high-pps attacks in the network layer before they reach the application servers. Graceful degradation applies at the network layer, too: Extensive peering and network ACLs designed to throttle attack traffic will mitigate potential collateral damage in the unlikely event links become saturated.
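The extrapolation described in this section, as an added example that is not from the original post: a log-linear least-squares fit of the largest attack per year, a projection with an over-provisioning factor, and the effect of a single outlier on the result. The 2020 date for the 6 Mrps attack, the defender growth and headroom values, and the constructed series are assumptions.

```python
import math

def fit_log_linear(points):
    """Least-squares fit of ln(peak) = a + b * year; returns (a, b)."""
    xs = [x for x, _ in points]
    ys = [math.log(v) for _, v in points]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    b = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return my - b * mx, b

def annual_growth(points):
    """Fitted year-over-year multiplier of the largest attack."""
    return math.exp(fit_log_linear(points)[1])

def projected_peak(points, year):
    """Largest attack the fitted trend predicts for `year`."""
    a, b = fit_log_linear(points)
    return math.exp(a + b * year)

def relative_growth(points, defender_growth):
    """Attack growth left after dividing out growth in defender capacity."""
    return annual_growth(points) / defender_growth

def capacity_target(points, year, headroom):
    """Capacity to provision: projected peak times an over-provisioning factor."""
    return projected_peak(points, year) * headroom

# The two rps figures from the text, in Mrps. Dating the 6 Mrps attack
# ("recently") to 2020 is an assumption.
RPS_PEAKS = [(2014, 2.7), (2020, 6.0)]

# Constructed yearly peaks (year offset, arbitrary units) with one outlier
# at offset 4, to show what a single record-breaking attack does to the fit.
CONSTRUCTED = [(0, 100), (1, 140), (2, 200), (3, 280),
               (4, 1000), (5, 550), (6, 770)]
WITHOUT_OUTLIER = [p for p in CONSTRUCTED if p[0] != 4]

if __name__ == "__main__":
    print("rps growth per year: %.3f" % annual_growth(RPS_PEAKS))
    # 1.25 (defender growth) and 2.0 (headroom) are hypothetical inputs.
    print("rps growth net of defender growth: %.3f" % relative_growth(RPS_PEAKS, 1.25))
    print("rps capacity target for 2023: %.1f Mrps" % capacity_target(RPS_PEAKS, 2023, 2.0))
    print("offset-8 projection with outlier:    %.0f" % projected_peak(CONSTRUCTED, 8))
    print("offset-8 projection without outlier: %.0f" % projected_peak(WITHOUT_OUTLIER, 8))
```

With only two data points the fit passes through both exactly, so the rps projection is only as good as the assumption that growth stays exponential.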

For more detail on the layered approach we use to mitigate record-breaking DDoS attacks targeting our services, infrastructure, or customers, see Chapter 10 of our book, Building Secure and Reliable Systems.

Cloud-based defenses

We recognize the scale of potential DDoS attacks can be daunting. Fortunately, by deploying Google Cloud Armor integrated into our Cloud Load Balancing service—which can scale to absorb massive DDoS attacks—you can protect services deployed in Google Cloud, other clouds, or on-premises from attacks. We recently announced Cloud Armor Managed Protection, which enables users to further simplify their deployments, manage costs, and reduce overall DDoS and application security risk.

Having sufficient capacity to absorb the largest attacks is just one part of a comprehensive DDoS mitigation strategy. In addition to providing scalability, our load balancer terminates network connections on our global edge, only sending well-formed requests on to backend infrastructure. As a result, it can automatically filter many types of volumetric attacks. For example, UDP amplification attacks, SYN floods, and some application-layer attacks will be silently dropped. The next line of defense is the Cloud Armor WAF, which provides built-in rules for common attacks, plus the ability to deploy custom rules to drop abusive application-layer requests using a broad set of HTTP semantics.

Working together for collective security

Google works with others in the internet community to identify and dismantle infrastructure used to conduct attacks. As a specific example, even though the 2.5 Tbps attack in 2017 didn’t cause any impact, we reported thousands of vulnerable servers to their network providers, and also worked with network providers to trace the source of the spoofed packets so they could be filtered.

We encourage everyone to join us in this effort. Individual users should ensure their computers and IoT devices are patched and secured. Businesses should report criminal activity, ask their network providers to trace the sources of spoofed attack traffic, and share information on attacks with the internet community in a way that doesn’t provide timely feedback to the adversary. By working together, we can reduce the impact of DDoS attacks.

Developer tips and guides: Common policy violations and how you can avoid them

By Andrew Ahn, Product Manager, Google Play App Safety

At Google Play, we want to foster an ecosystem of safe, engaging, useful, and entertaining apps used and loved by billions of Android users worldwide. That’s why we regularly update and revise our Google Play Developer Policies and Developer Distribution Agreement, detailing the boundaries of app content and functionalities allowed on the platform, as well as providing the latest guidance on how developers can promote and monetize apps.

In recent efforts to analyze apps for policy compliance on Google Play, we identified some common mistakes and violations that developers make. We’re sharing these with the developer community, along with tips and guides on how to avoid them, to mitigate the risk of apps and developer accounts being suspended for violating our policies.

Links that take users back to other apps on the Play Store

One of the most common mistakes we see is apps with buttons and menus that link out to the Play Store, either to apps by the same developer or to other apps that may be affiliated with the developer, without making clear that these are ads or promotional links. Without this clarity, apps may face enforcement for having deceptive / disguised ads. One way to avoid such mistakes is to call these out explicitly by labeling the buttons and links as ‘More Apps’, ‘More Games’, ‘Explore’, ‘Check out our other apps’, etc.

Example of app content that links out to an app listing on Play

Spammy app descriptions

Another mistake we frequently observe is developers ‘stuffing’ keywords into the app description in hopes of better discoverability and ranking against certain keywords and phrases. Text blocks or lists that contain repetitive or unrelated keywords or references violate our Store Listing and Promotion policy. Writing a clear app description intended and optimized for users’ readability and understanding is one of the best ways to avoid this violation.

Watch this video to learn how to avoid spammy store listings and efforts to artificially boost app visibility.

Abandoned and broken apps

Some apps were published by their developers a long time ago and are no longer being maintained. Abandoned and unmaintained apps often create user experience issues — broken app functionality, for example. Not only are such apps at risk of getting a low star rating and negative user reviews, they will also be flagged as violating the minimum functionality policy. To mitigate the negative impact on developer reputation and avoid app enforcement, consider unpublishing such apps from the Play Store. Note that the updated unpublish action won’t affect existing users who already installed the app, and developers can always choose to re-publish them after addressing the broken experiences.

Example of an abandoned app that provides a broken app experience

Take the ‘Minimum and Broken Functionality Spam’ course on Play Academy

Apps vs. Webview

Lastly, we observe a large volume of app submissions that are just webviews of existing websites. Most of these apps are submitted with a primary purpose of driving traffic rather than providing engaging app experiences to Android users. Such apps are considered webview spam, and are removed from Play. Instead, consider thinking through what users can do or do better with the app than in a web experience and implement relevant features and functionalities that enrich the user experience.

Example of a webview without any app functionality

Take the ‘Webview Spam’ course on Play Academy

While the above are some of the most frequent mistakes, make sure to stay up to date with the latest policies by visiting the Play Developer Policy Center. Check out Google Play Academy’s Policy training, including our new Spam courses, and watch our Play PolicyBytes videos to learn more about recent policy updates.
