Display & Video 360 API v3 entering general availability

Today we’re announcing the launch of Display & Video 360 API v3 out of public beta and into general availability. With this launch, v3 becomes our recommended version, and our guides have been updated to reflect v3 features and conventions.

Today’s launch also makes the following changes:

Read the Display & Video 360 API release notes for more details on this and previous updates. Instructions on migrating from v2 to v3 can be found in our migration guide. Before using these new features, make sure to update your client library to the latest version.

If you have questions regarding breaking changes, run into issues, or need help with these new features, please contact us using our support contact form.

- Trevor Mulchay, Display & Video 360 API Team

How to make your home network more secure and less scary


October is Cybersecurity Awareness Month- a month dedicated to raising awareness of the importance of cybersecurity. Because nothing is scarier than having your Wi-Fi hacked, we've updated this classic blog to help you keep your network safer everyday. No need to feel any deja boo, keeping your Wi-Fi security up-to-date can help keep internet boogeymen at bay.


Thumbnail


Most of us use Wi-Fi networks to connect to the Internet. It’s so easy to get online over Wi-Fi that  it can be easy to overlook Wi-Fi security, and that can cause some problems from the minorly scary (think Haunted Mansion) to majorly terrifying (Shining-level).


Why do we care?


In almost every security presentation or document, there is a “scare the user” section … and this is that section. Here we’ll list all the horrible things that can happen if you don’t secure your Wi-Fi network. They’re listed from just annoying to horrifying.


 1. Piggybacking:

Simply put, someone else can use your home Wi-Fi to access the internet. In most cases, this will merely increase the use of your network bandwidth (which, if  you are using a network provider other than GFiber, may also impact your bill). But if they use your network connection to perform illegal activities, it can make your life very difficult. The last thing anyone wants is a knock on the door from the police due to illegal activity traced to your house. Or more likely receiving a copyright violation notice from your ISP or possibly having your service terminated for copyright infringement.


2. Network capture/sniffing:

Looking at what someone else is doing on a computer network requires two things: access to that network and the ability to decode the traffic once you have that access. With Wi-Fi, access is easy … no physical connection is required, just someone close enough to access the radio signal (and with modern antennas, that can be surprisingly far away — up to a mile). As for decoding what you are up to online, while most internet traffic is encrypted by the application (thank you TLS, not everything is protected … and you’d be surprised how much metadata about someone’s activities you can get from the unencrypted traffic. You can potentially tell what websites someone is visiting, even if you can’t see the web traffic itself.


3. Abusing network services:

Many people have network attached printers, file servers, cameras, home security systems, and other smart home devices. Most of these devices try very hard to make using them easy and intuitive … the last thing manufacturers want is to annoy their customers with too many steps. But the same features that make it easy for you to use may make it easy for an attacker to use as well. This can range from printing garbage to stealing data from your file servers to watching people via the camera and even unlocking your front door.


But there are ways to prevent all these problems. Below you’ll find ways to make your home network more secure. We’ve listed them from easy to hard, from most important to least important. At a high level, everyone should do steps 1 & 2, and should think about step 3. If you’re especially tech savvy, then step 4 is a good step to take, although it can make troubleshooting access issues a bit more difficult. Finally, step 5 isn’t a technical step, but is standard maintenance that everyone should consider.


 

 Step 1: Encryption


The first step, and one that is more and more common by default on Wi-Fi devices, is to enable encryption. There are several Wi-Fi encryption standards, with different levels of rigor and difficulty to break. Starting with WEP, then came WPA, WPA2, and WPA3. As these levels have evolved, they’ve gotten harder and harder to crack, using the latest in cryptographic standards.


Setting up Wi-Fi encryption is a fairly straightforward task. For Google Fiber devices, the online support pages walk you through enabling WPA3 encryption on the network box (and here’s how to do it on Google WiFi). Other manufacturers will have other processes to enable Wi-Fi encryption, and if it isn’t done by default, it should be the first step you take when setting up your home network (search online if instructions are not included in the box).



Step 2: Obfuscation

Almost every Wi-Fi access point that ships today comes with a default SSID and default login credentials (aka admin password). This is handy and helpful for launching the device, but these defaults are often easily determined, printed on the side of the device, or both. As such, changing them to something you know that’s hard for others to guess is a great way to prevent someone easily figuring out the credentials and taking over your Wi-Fi device.


The same page that shows how to set up encryption on the Google Fiber network box also walks through changing the SSID and password (check here for how to do this on Google WiFi).


 

Step 3: Separation

Do you have smart home devices at home? Does half your house chirp if you say “Hey Google” or “Alexa”? Maybe an Android TV device for watching YouTube TV on your main set? If so, often these devices don’t need to be on the same network as your home computers, phones, tablets, and other computer devices.


Many newer Wi-Fi routers allow you to set up multiple SSIDs, sometimes also referred to as setting up a guest network in addition to your main one. In this way, you can separate your smart home devices from your main household network, isolating devices that don’t need to talk to the printer or file servers or the like off into their own space. With the explosion of devices that simply connect to the internet, there is no reason to allow them to access other local devices.



Step 4: Authorization


Most Wi-Fi routers have the ability to lock down an SSID so that only devices with approved MAC addresses can use them. At a high level, a MAC address is a unique* identifier that every network device has for identifying it on the local network. While the IP address assigned to that device may change, the MAC will stay the same*.


Given this, if you know the MAC addresses of the devices in your house, you can lock your Wi-Fi so that ONLY those devices can access the network. So even if an attacker was able to get the SSID and encryption information, they still couldn’t access the network as their device wouldn’t be on the approved list.






Step 5: Rotation/Validation

So at this point, you’ve set up your home router: It is encrypted, with a personalized SSID, and has new admin credentials. You may also have set up multiple networks to separate devices that don’t need to talk to each other. Perhaps you’ve even gone to the effort of locking devices by MAC address. You’ve done the key technical steps, and now it’s time to think about maintenance. 


Just like you change the oil in your car, the filters in your furnace/AC, or the batteries in your smoke detectors, so you also need to update and change the settings of your Wi-Fi every 6 months or so:


  • unchecked

    The first thing to do is check for updates. Similar to how the OS on your phone/computer/etc receives new versions, there will also be new versions of the firmware that runs your Wi-Fi router. Check to make sure you’re running the latest version — if you aren’t sure how to do this for your device, do an online search with your model name/number and “firmware update.”

  • unchecked

    Review your router logs. Check to make sure you know all the devices that are on your network. If you set up MAC address filtering, verify all those devices are still in use. If you threw something out, then make sure you’ve removed it from the approved address list.

  • unchecked

    Rotate the encryption key. This is going to be annoying, there is no way to get around that. Every device on that SSID will need to be updated with the new key. But if you did have someone who had figured out the key and was surreptitiously using your Wi-Fi, rotating the key will knock them off your network.

  • unchecked

    Change the admin credentials. Similar to underwear, passwords should not be shared and should be changed regularly.


Wi-Fi is here to stay and will remain the main way we’ll be getting online for the foreseeable future. By taking a little bit of time, you can make sure that there are no security surprises lurking on your home network.


Posted by Chris Roosenraad, Head of Security, Privacy, & Trust.


* Yes, MAC addresses can be changed, but that is rare, and highly unusual.

Cybersecurity Awareness Month: Web GDE Shrutirupa Banerjiee shares how we can stay safe in a world of cyber attacks

Posted by Kevin Hernandez, Developer Relations Community Manager

For Cybersecurity Awareness Month, we are celebrating Shrutirupa Banerjiee, Web GDE.

The web can be an excellent tool to learn a new skill, connect with people all over the world, digest information, or use new technologies such as Google Bard. However, there can be threats that loom whenever you go online - malware and social engineering attacks (also known as phishing) are some examples of today’s cyber attacks that can steal data or gain access to your system. Luckily, we have people like Shrutirupa Banerjiee, Web GDE, working on ways to keep companies and individuals safe from these threats. Shrutirupa got her start in the field by way of Blockchain security and eventually transitioned into a malware research role as a Senior Security Researcher. As an advocate for cybersecurity, Shrutirupa shares what threats are facing us today and what steps we can take to keep ourselves safe.

Headshot of Shrutirupa Banerjiee, smiling
Shrutirupa Banerjiee, Google Developer Expert, Web

Threats facing the web today

Shrutirupa is mostly concerned with malware and especially those that bide their time and sit in your systems for months and sometimes even for years. She describes, “These attacks get into your system and sit there for months while you’re unable to identify that there is any kind of malware or malicious program. When you’ve already gained trust, it will start connecting with the malicious servers.” A recent example of this type of attack was the SolarWinds attack. With this case, hackers were able to gain unauthorized access to the SolarWinds network in 2019, injected their malicious code into the SolarWinds software in February of 2020, and in March of 2020 SolarWinds unknowingly pushed a software update which included the malicious code (source: NPR). This malware was downloaded by 18,000 customers, compromising the data of companies and government agencies which included the Treasury and the Pentagon.

One mission that Shrutirupa is actively working towards is bridging the gap between developers and cybersecurity professionals. By being made aware of the new threats that face the web, developers can actively safeguard companies and consumers from malware attacks.


How you can stay safe online

Shrutirupa recommends the following to help prevent data breaches or attacks on our systems:

  • Think before you click: Be aware of anything that you’re downloading and do your proper research on the source of the software. You can see what others are saying about the software on community sites like Quora or Reddit.
  • Software updates: Make sure your software updates are up-to-date since these contain patches.
  • Antivirus scanners: There are many free options that you can add to your computer and use to run regular scans to ensure that your system is running safely.
  • Multi-Factor Authentication (MFA): This method allows you to have an extra layer of security when logging onto sites and notifies you of unauthorized logins.
  • Developers and researchers working together: Consult cybersecurity professionals like Shrutirupa! Cybersecurity professionals are on top of new threats and can make you aware of what you should prioritize as a developer.

Shrutirupa has also been able to leverage Google technologies and the GDE program in order to educate and test in a safe environment. “Google provides me with an environment where I can mentor students who want to get into cybersecurity or want to do development in a secure way. Google also has resources like Google Cloud Platform where you can practice and test everything while learning,” she says.

With people of all ages accessing the internet, Cybersecurity Awareness Month is crucial and Shrutirupa believes that awareness of threats should be a regular occurrence due to the importance of it. She states, “We have children, parents, and grandparents all accessing the internet. Because of this, we should always be vigilant about what we’re downloading and understand previous and new cybersecurity attacks so we can prevent them.”

You can find Shrutirupa on LinkedIn, GitHub, Twitter, and YouTube.


The Google Developer Experts (GDE) program is a global network of highly experienced technology experts, influencers, and thought leaders who actively support developers, companies, and tech communities by speaking at events and publishing content.

Stable Channel Update for ChromeOS/ChromeOS Flex

The Stable channel is being updated to 118.0.5993.123/124 (Platform version: 15604.56/57.0) for most ChromeOS devices and will be rolled out over the next few days. This build contains a number of bug fixes and security updates.

If you find new issues, please let us know one of the following ways:

Interested in switching channels? Find out how.

Cole Brown,

Google ChromeOS

All treats, no tricks: 6 solutions to common developers challenges

Posted by Google for Developers

For many, Halloween is the perfect excuse to dress up and celebrate the things that haunt us. Google for Developers is embracing the spirit of the season by diving into the spine-chilling challenges that spook software developers and engineers. Read on to uncover these lurking terrors and discover the tricks – and treats – to conquer them.


The code cemetery

Resilient code requires regular updates, and when it comes to solving bugs, it’s much easier to find them when there are fewer lines of code. When faced with legacy or lengthy code, consider simplifying and refreshing it to make it more manageable – because no one likes an ancient or overly complex codebase. Here are some best practices.

Start small: Don't try to update your entire codebase at once. Instead, start by updating small, isolated parts of the codebase to minimize the risk of introducing new bugs.

Use a version control system: Track your changes and easily revert to a previous version if necessary.

Consider a refactoring tool: This can help you to make changes to your code without breaking it.

Test thoroughly: Make sure to test your changes thoroughly before deploying them to production. This includes testing the changes in isolation, as well as testing them in conjunction with the rest of the codebase. See more tips about testing motivation below.

Document your changes: Include new tooling, updated APIs, and any changes so other developers understand what you have done and why.


Testing terrors

When you want to build and ship quickly, it’s tempting to avoid writing tests for your code because they might slow you down in the short term. But beware, untested code will come back to haunt you later. Testing is a best practice that can save you time, money, and angst in the long run. Even if you know you should run tests, it doesn’t mean you want to. Use these tips to help make writing tests easier.

Test gamification: Turn test writing into a game. Challenge yourself to write tests faster than your coworker can say "code coverage."

Pair programming: Write tests together with a colleague. It's like having a workout buddy – more fun and motivating.

Set up test automation: Automate tests wherever possible– it's better AND more efficient.


A monster problem: not being able to choose your tech stack

Many developers have strong preferences when it comes to products, but sometimes legacy technology or organizational needs can limit choices. This can be deflating, especially if it prevents you from using the latest tools. If you’re faced with a similar situation, it’s worth expressing your recommendations to your team. Here’s how:

Lobby for change: If the current tech stack really isn't working out, advocate for a change. This may require documentation over a series of events, but you can use that to build your case.

Pitch the benefits: If you’re ready to share your preferences, explain how your tech stack of choice benefits the project, similarly to how optimized code improves performance.

Showcase expertise: Demonstrate your knowledge in your preferred stack, whether it’s through a Proof of Concept or a presentation.

Upskill: If you have to dive into a top-down tech stack that you are not familiar with, consider it a learning opportunity. It’s like exploring a new coding language.

Compromise is key: First, recognize that all of the points above are still well-worth aiming for, but sometimes, you do have to compromise. Think of it as working with legacy code - not ideal, but doable. So if you aren’t able to influence in your favor, don’t be dismayed.


Not a trick: ship your code smarter

The only thing worse than spending the end of the week fixing buggy code isexcept for spending the weekend fixing buggy code when you had other plans. Between less time to react to problems, taking up personal time, and fewer people available to help troubleshoot – shipping code when you don’t have the proper resources in place to help is risky at best. Here are a handful of best practices to help you build a better schedule and avoid the Saturday and Sunday Scaries.

Consider business hours and user impact: Schedule deployments during off-peak times when fewer users will be impacted. For B2B companies, Friday afternoons can minimize disruption for customers, but for smaller companies, Friday deployments might mean spending your weekend fixing critical issues. Pick a schedule that works for you.

Automate testing: Implement automated testing in your development process to catch issues early.

Make sure your staging environment is right: Thoroughly test changes in a staging environment that mirrors production.

Be rollback-ready: Have a rollback plan ready to revert quickly if problems arise.

Monitoring and alerts: Set up monitoring and alerts to catch issues 24/7.

Communication: Ensure clear communication among team members regarding deployment schedules and procedures.

Scheduled deployments: If you’re a team who doesn’t regularly ship at the end of the week, consider READ-ONLY Fridays. Or if necessary, schedule Friday deployments for the morning or early afternoon.

Weekend on-call: Consider a weekend on-call rotation to address critical issues.

Post-deployment review: Analyze and learn from each deployment's challenges to improve processes.

Plan thoroughly: Ensure deployment processes are well-documented and communication is clear across teams and stakeholders.

Evaluate risks: Assess potential business and user impact to determine deployment frequency and timing.


A nightmare come true: getting hacked

Realizing you've been hacked is a heart-stopping event, but even the most tech-savvy developers are vulnerable to attacks. Before it happens to you, remember to implement these best practices.

Keep your systems and software up-to-date: Think of it as patching vulnerabilities in your code.

Use strong passwords: Just like strong encryption, use robust passwords.

Use two-factor authentication: Always add a second layer of security.

Beware of phishermen: Don't take the bait. Be as cautious with suspicious emails as you are with untested code.

Perform security audits: Regularly audit your systems for vulnerabilities, like running code reviews but for your cybersecurity.

Backup plan: Just like version control, maintain backups. They're your safety net in case things go full horror-movie.


The horror: third party data breaches

Data breaches are arguably the most terrifying yet plausible threat to developer happiness. No company wants to be associated with them, let alone the dev who chose the service or API to work with. Here are some tips for minimizing issues with third party vendors to help you avoid this scenario.

Perform due diligence on third-party vendors: Before working with a third-party vendor, carefully review their security practices and policies. Ask about security certifications, vulnerability management practices, and their incident response plan.

Require vendors to comply with security requirements: Create or add your input in a written contract with each third-party vendor that outlines the security requirements that the vendor must meet. This contract should include requirements for data encryption, access control, and incident reporting.

Monitor vendor activity: Ensure vendors comply with the security requirements in the contract by reviewing audit logs and conducting security assessments. Only grant access to data that a vendor needs to perform their job duties to help to minimize the impact of a data breach if the vendor is compromised.

Implement strong security controls: Within your own systems, protect data from unauthorized access through firewalls, intrusion detection systems, and data encryption.

Be wary of third-party APIs: Vet all security risks. Carefully review the API documentation to understand the permissions that are required and to ensure the API uses strong security practices.

Use secure coding practices: Use input validation, escaping output, and strong cryptography.

Keep software up to date: Always update with the latest security patch to help to protect against known vulnerabilities.


Creepin' it real

It’s easy to get spooked knowing what can go wrong, but by implementing these best practices, the chance of your work going awry goes down significantly.

What other spine-chilling developer challenges have you experienced? Share them with the community.