Introducing adaptive audio in Google Meet: creating ad-hoc meeting spaces with multiple laptops

What’s changing 

In this hybrid work era, we hear from customers that finding a video conferencing room to join a meeting is often difficult. With “adaptive audio,” you and your team can join Google Meet using multiple laptops in close proximity without awkward echos and audio feedback. This is a great benefit for organizations with not enough video conferencing rooms or without resources for dedicated conference room equipment. 


Adaptive audio in Meet will automatically detect the presence of multiple laptops in the room and synchronize the microphones and speakers for a seamless audio experience. This allows teams to create ad-hoc meeting spaces anywhere with just their laptops where everyone can be heard clearly, without the inconvenience of crowding around a single laptop. 


Most importantly, adaptive audio gives users the flexibility to join meetings when meeting rooms are not available, meeting room hardware is not working, or for smaller organizations, when there isn't dedicated video conferencing equipment in every room. This also gives organizations the ability to use non-typical meeting spaces such as lounges, cafes, and other impromptu locations.

The microphone and speakers of each participant are used to ensure everyone can hear and be heard well.

When multiple participants are joining a meeting from the same room, “adaptive audio” is automatically activated. Google Meet notes audio is merged and participants are grouped together in the people panel. 





Getting started

  • Admins: There is no admin control for this feature.
  • End users: This feature will be ON by default and can be turned off by the user by going to Settings > Audio > Adaptive audio. Visit the Help Center to learn more about using adaptive audio in Google Meet.

Rollout pace

Availability

  • Available for Google Workspace customers with the Gemini Enterprise, Gemini Business, Gemini Education, Gemini Education Premium, and the AI Meetings and Messaging add-on.


Resources


Pausing Google Ads Keywords starting June 10 due to Low Activity

Starting June 10, 2024, we are rolling out a permanent change that automatically pauses Google Ads keywords that haven’t had any impressions during the last 13 months. The rollout is expected to be complete for all production Google Ads accounts in August 2024. We’re implementing this change to improve Google Ads experience for advertisers, in a similar way to what we changed earlier this year for ad groups with low activity.

You can unpause keywords if you still need them, or to remove them if you don’t. However, we recommend that all advertisers review their keywords, and only unpause the ones they expect to get impressions in the coming weeks.

What do I need to change?

No code changes are necessary, but Google Ads API developers can make changes to improve the transparency to their advertisers as to why the ad_group_criterion.status is set to PAUSED. If you keep local copies of Google Ads information in your database, you can keep them in sync by querying change history.

You can query the change event resource to see if the keyword status has changed with the following query for all API versions. If the change_event.changed_fields contains status, then this is a keyword that Google paused. Make sure to replace INSERT_YYYY-MM-DD with your own date range. 

SELECT
change_event.new_resource,
change_event.old_resource,
change_event.changed_fields,
change_event.resource_name,
change_event.change_resource_name,
change_event.user_email
FROM change_event
WHERE
change_event.change_resource_type = 'AD_GROUP_CRITERION'
AND change_event.user_email = 'Low activity system bulk change'
AND change_event.resource_change_operation = 'UPDATE'
AND change_event.change_date_time BETWEEN ' INSERT_YYYY-MM-DD' AND ' INSERT_YYYY-MM-DD'
ORDER BY change_event.change_date_time DESC
LIMIT 50

An example of a change event where the keyword has been paused by Google would look similar to: 

{
      "changeEvent": {
        "resourceName": "customers/1234567890/changeEvents/1708648783892610~5~0",
        "changeDateTime": "2024-02-22 16:39:43.89261",
        "changeResourceName": "customers/1234567890/adGroupCriteria/1234567890~0987654321",
        "changeResourceType": "AD_GROUP_CRITERION",
        "userEmail": "Low activity system bulk change",
        "oldResource": {
          "adGroupCriterion": {
            "status": "ENABLED"
          }
        },
        "newResource": {
          "adGroupCriterion": {
            "status": "PAUSED"
          }
        },
        "changedFields": "status",
        "resourceChangeOperation": "UPDATE",
      }
    }

You can use the resource names returned by this query to retrieve the current status of the keywords and mutate if, if needed.

Starting with v17, you can also retrieve the ad_group_criterion.primary_status field to see if your keywords have been paused; keywords that have this field set to PAUSED and for which the ad_group_criterion.primary_status_reasons contains AD_GROUP_CRITERION_PAUSED_DUE_TO_LOW_ACTIVITY are the ones that were automatically paused due to low activity. You can adjust the change history query to include these fields.

You will still be able to update your keywords and make changes while they are in a paused state.

Where can I get support?

If you have questions, please reach out to us on the support form or at [email protected].

 - Mattia Tommasone, Google Ads API Team

On Fire Drills and Phishing Tests

Matt Linton, Chaos Specialist


In the late 19th and early 20th century, a series of catastrophic fires in short succession led an outraged public to demand action from the budding fire protection industry. Among the experts, one initial focus was on “Fire Evacuation Tests”. The earliest of these tests focused on individual performance and tested occupants on their evacuation speed, sometimes performing the tests “by surprise” as though the fire drill were a real fire. These early tests were more likely to result in injuries to the test-takers than any improvement in survivability. It wasn’t until introducing better protective engineering - wider doors, push bars at exits, firebreaks in construction, lighted exit signs, and so on - that survival rates from building fires began to improve. As protections evolved over the years and improvements like mandatory fire sprinklers became required in building code, survival rates have continued to improve steadily, and “tests” have evolved into announced, advanced training and posted evacuation plans.




In this blog, we will analyze the modern practice of Phishing “Tests” as a cybersecurity control as it relates to industry-standard fire protection practices.


Modern “Phishing tests” strongly resemble the early “Fire tests”


Google currently operates under regulations (for example, FedRAMP in the USA) that require us to perform annual “Phishing Tests.” In these mandatory tests, the Security team creates and sends phishing emails to Googlers, counts how many interact with the email, and educates them on how to “not be fooled” by phishing. These exercises typically collect reporting metrics on sent emails and how many employees “failed” by clicking the decoy link. Usually, further education is required for employees who fail the exercise. Per the FedRAMP pen-testing guidance doc: “Users are the last line of defense and should be tested.


These tests resemble the first “evacuation tests” that building occupants were once subjected to. They require individuals to recognize the danger, react individually in an ‘appropriate’ way, and are told that any failure is an individual failure on their part rather than a systemic issue. Worse, FedRAMP guidance requires companies to bypass or eliminate all systematic controls during the tests to ensure the likelihood of a person clicking on a phishing link is artificially maximized.


Among the harmful side effects of these tests:


  • There is no evidence that the tests result in fewer incidences of successful phishing campaigns;

    • Phishing (or more generically social engineering) remains a top vector for attackers establishing footholds at companies.

    • Research shows that these tests do not effectively prevent people from being fooled. This study with 14,000 participants showed a counterproductive effect of phishing tests, showing that “repeat clickers” will consistently fail tests despite recent interventions.

  • Some (e.g, FedRAMP) phishing tests require bypassing existing anti-phishing defenses. This creates an inaccurate perception of actual risks, allows penetration testing teams to avoid having to mimic actual modern attacker tactics, and creates a risk that the allowlists put in place to facilitate the test could be accidentally left in place and reused by attackers.

  • There has been a significantly increased load on Detection and Incident Response (D&R) teams during these tests, as users saturate them with thousands of needless reports. 

  • Employees are upset by them and feel security is “tricking them”, which degrades the trust with our users that is necessary for security teams to make meaningful systemic improvements and when we need employees to take timely actions related to actual security events.

  • At larger enterprises with multiple independent products, people can end up with numerous overlapping required phishing tests, causing repeated burdens.


But are users the last line of defense?

Training humans to avoid phishing or social engineering with a 100% success rate is a likely impossible task. There is value in teaching people how to spot phishing and social engineering so they can alert security to perform incident response. By ensuring that even a single user reports attacks in progress, companies can activate full-scope responses which are a worthwhile defensive control that can quickly mitigate even advanced attacks. But, much like the Fire Safety professional world has moved to regular pre-announced evacuation training instead of surprise drills, the information security industry should move toward training that de-emphasizes surprises and tricks and instead prioritizes accurate training of what we want staff to do the moment they spot a phishing email - with a particular focus on recognizing and reporting the phishing threat.



In short - we need to stop doing phishing tests and start doing phishing fire drills.


A “phishing fire drill” would aim to accomplish the following:

  • Educate our users about how to spot phishing emails

  • Inform the users on how to report phishing emails

  • Allow employees to practice reporting a phishing email in the manner that we would prefer, and

  • Collect useful metrics for auditors, such as:

    • The number of users who completed the practice exercise of reporting the email as a phishing email

    • The time between the email opening and the first report of phishing

    • Time of first escalation to the security team (and time delta)

    • Number of reports at 1 hour, 4 hours, 8 hours, and 24 hours post-delivery

Example 

When performing a phishing drill, someone would send an email announcing itself as a phishing email and with relevant instructions or specific tasks to perform. An example text is provided below.

Hello!  I am a Phishing Email. 


This is a drill - this is only a drill!


If I were an actual phishing email, I might ask you to log into a malicious site with your actual username or password, or I might ask you to run a suspicious command like <example command>. I might try any number of tricks to get access to your Google Account or workstation.


You can learn more about recognizing phishing emails at <LINK TO RESOURCE> and even test yourself to see how good you are at spotting them. Regardless of the form a phishing email takes, you can quickly report them to the security team when you notice they’re not what they seem.


To complete the annual phishing drill, please report me. To do that, <company-specific instructions on where to report phishing>.


Thanks for doing your part to keep <company> safe!


  1. Tricky. Phish, Ph.D





You can’t “fix” people, but you can fix the tools.

Phishing and Social Engineering aren’t going away as attack techniques. As long as humans are fallible and social creatures, attackers will have ways to manipulate the human factor. The more effective approach to both risks is a focused pursuit of secure-by-default systems in the long term, and a focus on investment in engineering defenses such as unphishable credentials (like passkeys) and implementing multi-party approval for sensitive security contexts throughout production systems. It’s because of investments in architectural defenses like these that Google hasn’t had to seriously worry about password phishing in nearly a decade.




Educating employees about alerting security teams of attacks in progress remains a valuable and essential addition to a holistic security posture. However, there’s no need to make this adversarial, and we don’t gain anything by “catching” people “failing” at the task. Let's stop engaging in the same old failed protections and follow the lead of more mature industries, such as Fire Protection, which has faced these problems before and already settled on a balanced approach. 

Chrome Beta for Android Update

Hi everyone! We've just released Chrome Beta 126 (126.0.6478.17) for Android. It's now available on Google Play.

You can see a partial list of the changes in the Git log. For details on new features, check out the Chromium blog, and for details on web platform updates, check here.

If you find a new issue, please let us know by filing a bug.

Krishna Govind
Google Chrome

Dev Channel Update for ChromeOS

The Dev channel is being updated to 126.0.6478.13 (Platform version: 15886.8.0) for most ChromeOS devices. This build contains a number of bug fixes and security updates.

If you find new issues, please let us know one of the following ways:

Interested in switching channels? Find out how.

Alon Bajayo,

Google ChromeOS