Friday, June 1, 2007

Blogger @ Pixelodeon

| More

Blogger Buzz: Blogger @ Pixelodeon

Attention Videobloggers!

A few of us from the Blogger team will be attending the first-ever Pixelodeon Fest next weekend, at the American Film Institute in Los Angeles.

If you'll be going, we'd love to chat with you! Here's a description of the festival from their site:
"Pixelodeon is an annual independent video festival recognizing innovation, inspiration, and community in global online video. This is our inaugural year! Over 300 videos, four keynote speakers, two dozen curators, and several hundred people interested in independent media will get together in one weekend to celebrate the diversity and talent of online video content. If you want to see what's happening online and meet the people who are making it happen, this is the place to be."
Update: Here's a great spot about Pixelodeon.


Google Desktop for the Mac 1.0.3

| More

Official Google Mac Blog: Google Desktop for the Mac 1.0.3

Posted by: Rose Yao, Mac Product Manager

Just wanted to let everyone know about a new update for Google Desktop for the Mac. We've been reading your emails, blogs, and comments, so we focused this update on making Google Desktop faster and fixing the bugs that we hear the most about. We have also updated Google Updater in this release with a lot of great bug fixes. You can check out our release notes for more details. If you have Google Desktop installed, you don't need to do anything to get the update, we'll deliver it to you automatically. If you want to try the latest version of Google Desktop, go to

P.S. For all the Mac developers out there, we've also added a new XML based query API that is supported on the PC and the Mac. Learn more about it!


Thursday, May 31, 2007

Plumbing the web

| More

Official Google Webmaster Central Blog: Plumbing the web

Today is Google Developer Day! We're hosting events for developers in ten cities around the world, as you can read about from Matt Cutts and on our Google Blog. Jonathan Simon and Maile Ohye, whom you have seen on this blog, at conferences, and in our discussion forum, are currently hanging out at the event in San Jose.

I've been at the Beijing event, where I gave a keynote about "Plumbing the Web -- APIs and Infrastructures" for 600 Chinese web developers. I talked about a couple of my favorite topics, Sitemaps and Webmaster Tools, and some of the motivations behind them. Then I talked a bit about consumer APIs and some of our backend infrastructures to support our platform.

Check out the video of my keynote on YouTube or see some of the other videos from the events around the globe.


Google Gears for WebKit

| More

Official Google Mac Blog: Google Gears for WebKit

Posted by Dan Waylonis, Mac Software Engineer

Have you heard about Google Gears? It's an extension to your favorite web browser and a new open source project from Google. It adds support for local data storage and helps web application developers manage resources so you can make your web application work offline. It is currently available for Linux, Windows, and Macintosh platforms and you can learn more at I got a chance to work on this product for WebKit, which is the render engine Safari is based on, and we're happy to announce that the source code is available to all Mac developers today.

Since Google Gears is leveraging the latest technology from WebKit, it is currently not compatible with the shipping versions of Safari (Mac OS X 10.4.x and 419.x). So, if you want to play with Google Gears for WebKit, you'll have to download a recent WebKit build from

How it works

Google Gears for WebKit is made up of an Internet plugin for Webkit or Safari (Gears.plugin) that's installed into /Library/Internet Plug-Ins and an InputManager (GoogleGearsEnabler) that's installed into /Library/InputManagers. The GoogleGearsEnabler ensures that Google Gears can provide resources to web applications. It registers a NSURLProtocol class only if the OS X Application is a supported version of Safari or WebKit. Once installed, the registered class will check any URL requests to see if Google Gears can provide the content. If so, it will intercept the call and provide the data. Otherwise, the URL will be processed normally. This is how Google Gears is able to work when you're not connected to the Internet.

Google Gears is an open source project and we're working with partners like Adobe, Mozilla, Opera, and others to make sure this is the right solution for users. So come check it out for yourself at and help us make it even better for WebKit and Safari.


Wednesday, May 30, 2007

Oh Sam I Am, can I read it on the tram?

| More

Oh Sam I Am, can I read it on the tram?

Things you can't bring with you on an airplane: Bottled water. Organic shampoo. Google Reader.

I'm happy to announce that our team has fixed one of these problems. Although we find the business of mini bottled water intriguing (and cute!), we've decided to stick to our core business: feeding your reading habit.

As of today, you can use Google Reader offline. Now you can access your favorite feeds in the Golden Gate Park, on the chinatown express, or even traveling 35,000 ft above the Atlantic.

To do this, we've used the newly released Google Gears, a browser plugin that enables offline web applications. Once you've installed Google Gears, you can download your latest 2,000 items so they're available even when you don't have an internet connection. To get started, simply click the "Offline" link in the top right of Google Reader.

A small note of warning: the current version of Google Gears is a developer release. Given this, you may notice a few kinks here and there, but we'll be working hard to iron those out over the coming months. As always, we welcome your feedback and suggestions as we look to make Google Reader better every day.


Google Developer Day

| More

Official Google Mac Blog: Google Developer Day

posted by Scott Knaster, Technical Writer

Seasoned Mac developers and fans know that Apple's upcoming Worldwide Developer Conference (better known as WWDC) is a highlight of every year. And for the first time this year, we are getting into the developer conference act too -- with tomorrow's Google Developer Day. It's not strictly a Mac event, but I'm looking forward to it because GDD is going to showcase all sorts of cool web-based cross-platform goodies, including Google data APIs, developing with Google Maps, AJAX development, and lots of fun with mashups (I got to help out with that topic).

Google Developer Day is a tough ticket, but I'm happy to report that we're webcasting the whole thing live and then posting the videos to YouTube, so you can virtually be there without having to travel. And if you are actually there, maybe we'll run into each other -- or if not, then maybe at WWDC.


Tuesday, May 29, 2007

On virtualisation

| More

Google Online Security Blog: On virtualisation

Following Panayiotis' and Niels' post on malware, I'd like to discuss a somewhat related topic, virtualisation. Virtual machines are often used by security researchers to sandbox malware samples for analysis, or to protect a machine from a potentially hazardous activity. The theory is that any security threat or malicious behaviour will be restricted to the virtual environment which can be discarded and then restored to pristine condition after use.

Virtual machines are sometimes thought of as impenetrable barriers between the guest and host, but in reality they're (usually) just another layer of software between you and the attacker. As with any complex application, it would be naive to think such a large codebase could be written without some serious bugs creeping in. If any of those bugs are exploitable, attackers restricted to the guest could potentially break out onto the host machine. I investigated this topic earlier this year, and presented a paper at CanSecWest on a number of ways that an attacker could break out of a virtual machine.

Most of the attacks identified were flaws, such as buffer overflows, in emulated hardware devices. One example of this is missing bounds checking in bitblt routines, which are used for moving rectangular blocks of data around the display. If exploited, by specifying pathological parameters for the operation, this could lead to an attacker compromising the virtual machine process. While you would typically require root (or equivalent) privileges in the guest to interact with a device at the low level required, device drivers will often offload the parameter checking required onto the hardware, so in theory an unprivileged attacker could be able to access flaws like this by simply interacting with the regular API or system call interface provided by the guest operating system.

While researching this topic we worked with the vendors affected to make sure they were aware of our findings, and provided patches where possible. I've also suggested some precautions virtualization you can take to minimise the impact of any flaws like this discovered in future, such as:

Reduce the attack surface

By disabling emulated devices, features and services you don't need you reduce the amount of code exposed to an attacker, thus reducing the number of possible bugs that can be exploited. You should also aim to protect the integrity of the guest operating system, making it harder for an attacker to get lower level access to emulated hardware. By keeping software in the guest up to date, and hardening it by locking down the operating system and minimising what is run with root or admin privileges, you can reduce the risk of privilege escalation attacks. If an attacker cannot get low level access to the emulated hardware, it will be more difficult to exploit the bugs in them. Remember that some legacy operating systems make no attempt to restrict access to I/O ports and similar interfaces, these should be used with caution in a security sensitive context.

Treat virtual machines as services that can be compromised

Most administrators will take steps to limit the impact of a compromise of a network facing daemon, such as using chroot() or running the daemon as a low privileged user. These same tactics can be applied to your virtual machine. As always, try to minimise what has to run as root or administrator.

Keep software up to date

Keep your virtual machine software up to date, and look out for any security advisories from your vendor so that you can apply any patches promptly.


Previous Reporting Delays

| More

Previous Reporting Delays

Dear Google Analytics users,

Last week there were some temporary delays in data processing. Please note that all data was still collected and no data was lost. Your reports should now be fully updated.

We are sorry for the inconvenience and the late notification. Please continue to check this blog whenever you require the latest updates on Google Analytics.