Google Cloud SQL provides easier MySQL for all

With the general availability of Google Cloud Platform’s latest database offerings — the second generation of Cloud SQL, Cloud Bigtable, and Cloud Datastore — Google is setting up a cloud database strategy founded on a basic truth of software: Don’t get in the customer’s way.

For an example, look no further than the new iteration of Cloud SQL, a hosted version of MySQL for Google Cloud Platform. MySQL is broadly used by cloud applications, and Google is trying to keep it fuss-free, no small feat for any piece of software, let alone a database notorious for the tuning it needs to perform well.

Most of the automation around MySQL in Cloud SQL involves items that should be automated anyway, such as updates, automatic scaling to meet demand, autofailover between zones, and backup/roll-back functionality. This automation all comes via a recent version of MySQL, 5.7, not via an earlier version that’s been heavily customized by Google to support these features.

The other new offerings, Cloud Datastore and Cloud Bigtable, are fully managed NoSQL services: Datastore is a document store, and Bigtable exposes an HBase-compatible API for Hadoop-style workloads. These systems have fewer users than MySQL, but they are likely to hold far more data than typical MySQL deployments. One of MySQL 5.7’s new features, support for JSON data, provides NoSQL-like functionality for existing MySQL users. But users who are truly serious about NoSQL are likely to do that work on a platform designed to support it from the ground up.

The most obvious competition for Cloud SQL is Amazon’s Aurora service. When reviewed by InfoWorld’s Martin Heller in October 2015, it supported a recent version of MySQL (5.6) and had many of the same self-healing and self-maintaining features as Cloud SQL. Where Google has a potential edge is in the overall simplicity of its platform — a source of pride in other areas, such as a far less sprawling and complex selection of virtual machine types.

Another competitor is Snowflake, the cloud data warehousing service designed to require little user configuration or maintenance, although as an analytics warehouse it serves a different workload than a transactional database like Cloud SQL. Snowflake’s main drawback is that it’s a custom-built database, even if it is designed to be highly compatible with SQL conventions. Cloud SQL, by contrast, is simply MySQL, a familiar product with well-understood behaviors.




[Source:- IW]

Google creates ‘crisis fund’ following US immigration ban

Tech giant Google has created a US$2 million crisis fund in response to US president Donald Trump’s immigration ban.

Google staff are also being invited to top up the fund, with the money going towards the American Civil Liberties Union (ACLU), Immigrant Legal Resource Center (ILRC), International Rescue Committee (IRC), and the UN High Commissioner for Refugees (UNHCR).

“We chose these organisations for their incredible efforts in providing legal assistance and support services for immigrants, as well as their efforts on resettlement and general assistance for refugees globally,” a Google spokesperson said.

The announcement follows requests last week by Google CEO Sundar Pichai for staff travelling overseas to come back to the US. More than 100 staff are affected by President Trump’s executive order on immigration.

Since 2015, Google has given more than US$16 million to organisations focused on humanitarian aid for refugees on the ground, WiFi in refugee camps, and education for out of school refugee children in Lebanon, the spokesperson said.

Microsoft CEO Satya Nadella has also responded to the crisis, saying that as an immigrant himself, he has experienced the positive impact that immigration has on the company, the country and the world.

Nadella said Microsoft was providing legal advice and assistance to 76 staff who have a US visa and are citizens of Syria, Iraq, Iran, Libya, Somalia, Yemen, and Sudan.

In an email sent to Microsoft staff, US-based director Brad Smith said that Microsoft believes in a strong and balanced skilled immigration system.

“We also believe in broader immigration opportunities, like the protections for talented and law-abiding young people under the Deferred Action for Childhood Arrivals (DACA) program. We believe that immigration laws can and should protect the public without sacrificing people’s freedom of expression or religion. And we believe in the importance of protecting legitimate and law-abiding refugees whose very lives may be at stake in immigration proceedings,” he said.



[Source:- Javaworld]

Google open-sources test suite to find crypto bugs

Working with cryptographic libraries is hard, and a single implementation mistake can result in serious security problems. To help developers check their code for implementation errors and find weaknesses in cryptographic software libraries, Google has released a test suite as part of Project Wycheproof.

“In cryptography, subtle mistakes can have catastrophic consequences, and mistakes in open source cryptographic software libraries repeat too often and remain undiscovered for too long,” Google security engineers Daniel Bleichenbacher and Thai Duong wrote in a post announcing the project on the Google Security blog.

Named after Australia’s Mount Wycheproof, the world’s smallest mountain, Wycheproof provides developers with a collection of unit tests that detect known weaknesses in cryptographic algorithms and check for expected behaviors. The first set of tests is written in Java because Java has a common cryptographic interface and can be used to test multiple providers.

“We recognize that software engineers fix and prevent bugs with unit testing, and we found that many cryptographic issues can be resolved by the same means,” Bleichenbacher and Duong wrote.

The suite can be used to test such cryptographic algorithms as RSA, elliptic curve cryptography, and authenticated encryption, among others. The project also has ready-to-use tools to check Java Cryptography Architecture providers, such as Bouncy Castle and the default providers in OpenJDK. The engineers said they are converting the tests into sets of test vectors to simplify the process of porting them to other languages.

The tests in this release are low-level and are not intended to be used directly, the engineers said, but they can still be applied to test algorithms against publicly known attacks. For example, developers can use Wycheproof to check whether an implementation is vulnerable to invalid-curve attacks in ECDH or to biased nonces in digital signature schemes.

So far the project has more than 80 test cases and has identified more than 40 security bugs, including cases where the private key of widely used DSA and ECDH implementations could be recovered under specific circumstances. The ECDH weakness was not in the algorithm but in the implementations: libraries were not checking the elliptic curve points they received from outside sources.

“Encodings of public keys typically contain the curve for the public key point. If such an encoding is used in the key exchange, then it is important to check that the public and secret key used to compute the shared ECDH secret are using the same curve. Some libraries fail to do this check,” according to the available documentation.
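Added example, not Wycheproof’s code and not from the article: the check the quoted documentation calls for, and what happens without it. A textbook toy curve over F_17 stands in for a real one, and the attacker is handed the victim’s derived key for each bogus point, a stand-in for the MAC or decryption oracle a real protocol would leak. Everything else is the genuine invalid-curve attack: the group law never uses the curve coefficient b, so a point of small prime order taken from another curve with the same a leaks the private key modulo that order, and the Chinese remainder theorem combines the residues.

```python
"""Invalid-curve attack against ECDH without public-key validation, and the
check that defeats it. Constructed example on a textbook toy curve:
E: y^2 = x^3 + 2x + 2 over F_17, #E = 19 (prime), base point G = (5, 1)."""
import hashlib
from typing import Optional, Tuple

P, A, B, N, G = 17, 2, 2, 19, (5, 1)
Point = Optional[Tuple[int, int]]   # None is the point at infinity


def add(p1: Point, p2: Point) -> Point:
    """Short-Weierstrass group law. The coefficient b never appears, so the same
    code also computes correctly on any other curve y^2 = x^3 + A*x + b' over F_P."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                          # Q + (-Q) = O; also 2Q when y = 0
    if p1 == p2:
        s = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        s = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (s * s - x1 - x2) % P
    return (x3, (s * (x1 - x3) - y1) % P)


def mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication."""
    acc: Point = None
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def is_on_curve(pt: Point, b: int = B) -> bool:
    return pt is not None and (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + b)) % P == 0


def validate_public_key(pt: Point) -> None:
    """The check Wycheproof's ECDH tests expect: reject infinity, points that are
    not on the agreed curve, and points outside the prime-order subgroup."""
    if pt is None:
        raise ValueError("point at infinity")
    if not (0 <= pt[0] < P and 0 <= pt[1] < P and is_on_curve(pt)):
        raise ValueError("point not on curve")
    if mul(N, pt) is not None:               # only matters when the cofactor is not 1
        raise ValueError("point not in the prime-order subgroup")


def derive_key(shared: Point) -> bytes:
    return hashlib.sha256(b"infinity" if shared is None else bytes(shared)).digest()


def ecdh_unchecked(priv: int, peer: Point) -> bytes:
    """Vulnerable: uses whatever point the peer sent."""
    return derive_key(mul(priv, peer))


def ecdh_checked(priv: int, peer: Point) -> bytes:
    """Hardened: the same computation after validating the peer's point."""
    validate_public_key(peer)
    return derive_key(mul(priv, peer))


# ---- attacker side ---------------------------------------------------------
def point_order(pt: Point) -> int:
    k, acc = 1, pt
    while acc is not None:
        acc, k = add(acc, pt), k + 1
    return k


def small_prime_order_points() -> dict:
    """One point of each small prime order on the curves y^2 = x^3 + A*x + b'
    (b' != B) that share p and a with the real curve. Brute force suffices here;
    against a real curve the attacker searches for curves with smooth order."""
    found = {}
    for b in range(P):
        if b == B:
            continue
        for x in range(P):
            for y in range(P):
                if is_on_curve((x, y), b):
                    q = point_order((x, y))
                    if q not in found and all(q % r for r in range(2, q)):
                        found[q] = (x, y)
    return found


def recover_private_key(oracle) -> int:
    """oracle(point) returns the victim's derived key for that point (a stand-in
    for a MAC/decryption oracle). Each bogus point of prime order q leaks
    d mod q; CRT combines the residues until the modulus exceeds the group order."""
    x, m = 0, 1
    for q, pt in sorted(small_prime_order_points().items()):
        target = oracle(pt)
        r = next(k for k in range(q) if derive_key(mul(k, pt)) == target)
        t = ((r - x) * pow(m, -1, q)) % q    # CRT step: make x ≡ r (mod q)
        x, m = x + m * t, m * q
        if m >= N:
            return x
    raise RuntimeError("not enough small-order points")


if __name__ == "__main__":
    d = 7
    print("recovered private key:", recover_private_key(lambda pt: ecdh_unchecked(d, pt)))
    try:
        ecdh_checked(d, (0, 0))              # order-2 point of y^2 = x^3 + 2x, not of E
    except ValueError as exc:
        print("hardened ECDH rejected the point:", exc)
```

The validation is cheap: one curve equation per received point and, on curves whose cofactor is not 1, one scalar multiplication by the group order. Wycheproof’s ECDH test vectors include points of exactly this kind with the expected result “invalid”; a provider that returns a shared secret for them fails the test.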

Cryptographic libraries can be quite difficult to implement, and attackers frequently look for weak cryptographic implementations rather than trying to break the actual mathematics underlying the encryption. With Wycheproof, developers and users can check their libraries against a large number of known attacks without having to dig through academic papers to find out what kind of attacks they need to worry about.

The engineers looked through public cryptographic literature and implemented known attacks to build the test suite. However, developers should not consider the suite to be comprehensive or able to detect all weaknesses, because new weaknesses are always being discovered and disclosed.

“Project Wycheproof is by no means complete. Passing the tests does not imply that the library is secure, it just means that it is not vulnerable to the attacks that Project Wycheproof tries to detect,” the engineers wrote.

Wycheproof comes two weeks after Google released a fuzzer to help developers discover programming errors in open source software. Like OSS-Fuzz, all the code for Wycheproof is available on GitHub. OSS-Fuzz is still in beta, but it has already worked through 4 trillion test cases and uncovered 150 bugs in open source projects since it was publicly announced.



[Source:- JW]

Google Assistant supports continuous conversations on Android TV

Google Assistant, which launched with the Pixel phones back in October and is soon coming to Android TV, is quite a useful feature. By using it, you can control certain functions of your device with your voice and save a bit of time in the process.

But Google’s Assistant is not without faults. Although it can continue a conversation based on context, you still have to activate it by saying “OK Google” before you ask a question, which can get annoying after a while and just makes the experience unnatural.

It looks like Google is aware of this issue and is making a few changes that will improve how Assistant works. Well, at least on Android TV. According to a video posted online by Android Police, Google’s Assistant on Android TV supports continuous conversation mode. What this means is that after you get a response to your question, Assistant will keep listening for a little while just in case you want to ask it something else. If you want to continue the conversation, you can ask whatever you’re interested in without activating the voice assistant first by saying “OK Google”.

The feature really does make a difference if you’re using Assistant on a daily basis. That’s why we would love to see it on other Assistant-enabled devices, including the Pixel and Pixel XL smartphones and Google Home. Unfortunately, Google hasn’t commented on this topic yet, so for now all we can do is wait and hope that the online search giant will eventually bring the feature to other devices.




[Source:- Androidauthority]

Department of Labor sues Google over wage data

Google's Mountain View, California headquarters

The U.S. Department of Labor has filed a lawsuit against Google, with the company’s ability to win government contracts at risk.

The agency is seeking what it calls “routine” information about wages and the company’s equal opportunity program. The agency filed a lawsuit with its Office of Administrative Law Judges to gain access to the information, it announced Wednesday.

Google, as a federal contractor, is required to provide the data as part of a compliance check by the agency’s Office of Federal Contract Compliance Programs (OFCCP), according to the Department of Labor. The inquiry is focused on Google’s compliance with equal employment laws, the agency said.

“Like other federal contractors, Google has a legal obligation to provide relevant information requested in the course of a routine compliance evaluation,” OFCCP Acting Director Thomas Dowd said in a press release. “Despite many opportunities to produce this information voluntarily, Google has refused to do so.”

Google said it’s provided hundreds of thousands of records to the agency over the past year, including some related to wages. However, a handful of OFCCP data requests were “overbroad” or would reveal confidential data, the company said in a statement.

“We’ve made this clear to the OFCCP, to no avail,” the statement added. “These requests include thousands of employees’ private contact information which we safeguard rigorously.”

Google must allow the federal government to inspect and copy records relevant to compliance, the Department of Labor said. The agency requested the information in September 2015, but Google provided only partial responses, an agency spokesman said by email.



[Source:- Javaworld]

Hey Google, Android APIs are a mess

It’s been years since I did any mobile development — and much of what I’ve done has been with mobile app dev platforms like Appcelerator.

The last time I did anything substantial was some hacking on the Android client for OpenRemote back in 2008. At the time, the APIs weren’t bad and the overall development experience wasn’t too tough. My main issues related to inexperience coding mobile (for example, how do I pass data between activities?).

I assumed that Android APIs would have improved by now. Good gosh was I wrong.

Crummy documentation

The documentation for Android has exploded into a mess. Also, a bunch of it is essentially out of date both on the Google site and on various community sites. It’s like going to a dilapidated town where the gas station advertises a gallon of fuel for 88 cents and you realize the place has been shut down for about 18 years.

Yet people are writing millions of Android apps. How come no one seems to be doing the work of keeping the documentation up to snuff?

OMG, so many files

It used to be there was an API way and an XML way to do almost everything in Android. Maybe it’s still like that, but it isn’t obvious.

Today, to do nearly anything you have to edit at least two files and probably three. With the new security model you not only have to specify what permission you want in the XML manifest but also in your Java code. By the way, none of the tutorials (c’mon, I only wanted contact data to display!) actually tell you this.

Did you really copy Sun?

The APIs themselves seem like they were designed by the Java Community Process. When this all started, part of how Google got itself in trouble was by taking the best of Java and making an API that tasted a bit more like Ruby than like Java.

In the modern Android I taste that factory-to-create-a-locator-to-create-a-factory-to-generate-a-locator-to-find-a-singleton pattern that the Java Community Process and Java EE was so fond of creating. Combine that with the ton of XML and it gives me gas.

Speaking of that security model, what was the point of making me write it twice? In fact, half the API changes I’ve noticed don’t seem to have any great purpose. Holy crap, it’s J2EE!

Whine: I don’t want to write Java anymore

I guess part of my issue is that I don’t really want to write classic Java anymore — so much typing, so little reason for the typing.

Whether using Scala or modern JavaScript, I’m ready for a change. I thought Apple gratuitously wrote a language with Swift … and there was an element of that. Google could use the same approach but go straight JavaScript and clean house on this big mess of an API it’s created.

I still love my Android phone. My girlfriend, on the other hand, swears by her iPhone and uses stuff like Find My Friends, which creeps me out. I mean, Tim Cook blocked me on Twitter for retweeting an article about Apple’s labor policies in China. Maybe I’m paranoid, but I don’t want Apple to know where I am at all times.

I’d rather tell Google where I am at all times (like it wouldn’t be able to extrapolate that anyhow). I can’t wait to grab one of the new Motorola Force Zs and buy one of those battery modules, the boombox, and projector. (Someone asked why I’d need the projector and I said, “To project things!”)

Apple’s move to create a new language looks a bit less cracked to me now. Writing Android stuff feels like writing J2EE in 2002. I have XML buttache.




[Source: Javaworld]

Google App Engine revs up Python 3 support

One after another, the arguments against using Python 3 in production keep dropping away. Yesterday, Google consigned another one to oblivion: “But there’s no Python 3 support on Google App Engine!”

Well, guess what?

Google App Engine’s Flexible Environment, which scales apps based on demand, has launched support for Python 3.4 as a beta-test offering.

The runtimes for App Engine Flexible run as Docker containers, with the Dockerfiles available on GitHub. Developers can build the container locally, test their applications against it, then deploy the app alone to App Engine. It’s also possible to customize the runtime, upload it as a Docker container to App Engine, and run the app in conjunction with it.

Both Python 2.7 and Python 3.4 are available within the same container, so applications that need both versions of Python for whatever reason can access them both simultaneously. (Nuitka, for instance, uses some libraries that are not yet 3.x-compatible.) Google’s support for Python in App Engine will continue to include Python 2.7, ostensibly for as long as that language is supported (until 2020).

Now the bad news: Because Python 3.4 is the only supported version of Python 3, features added in Python 3.5, like async/await, aren’t available through App Engine’s runtime.

Developers can work around this by creating their own custom containers with the Python 3.5 runtime and executing them. The downside: You have to roll your own handling of some Google App Engine features, like health checks or start/stop requests.


[Source: Javaworld]

UK’s Competition and Markets Authority looking into possible market abuse by Google against Windows phones

It is no secret that Microsoft’s mobile platforms have struggled, from Windows Phone to Windows 10 Mobile. Even the dearest of fans can attribute at least some of the blame to Microsoft; it hasn’t done itself any favours. However, many also believe that Google has intentionally acted to thwart any possible success of a third mobile platform which could risk its market dominance. We’ve already witnessed the fall of one once popular mobile operating system, BlackBerry, which now focuses on building products for Google’s operating system, Android.

Now, we have been informed that the UK’s Competition and Markets Authority (CMA), the government body assigned to ensure market fairness and transparency, is looking into launching an investigation against Google over possible abuse of its dominant position in the mobile market. Of particular concern is that there are only two major mobile operating systems on the market, Android and iOS, with Android taking the majority of the market. Generally, a market is recommended to have three major competitors, as is the case with the mobile service provider market. This is the general rule of thumb to ensure that consumers have choice and that companies don’t take advantage of their positions.

In the letter received from the CMA, it stated that a complaint has been made against Google and the information they’ve received has been passed to their Pipelines Team which “analyses and assesses the information we receive and advises on which cases offer the best prospect to make real differences for consumers.” The authority also made clear that, whilst an investigation isn’t guaranteed, they’re looking into the information they have and will be getting in touch with the companies involved, presumably Microsoft and Google, to make “detailed enquiries,” and that it will help them understand how the “market is working and may in time lead to us taking some further action.”

In recent times, Google has seemingly made a few attempts that could be seen as market abuse, which includes:

  • Blocking access to one or more of its services to consumers on a competing platform, whether temporary or permanent
  • Restricting consumers’ access to one or more of its services on a competing platform, or making them more tedious to access

There’s also the issue of Google not offering any of its apps on Microsoft’s mobile platform, followed by its intentional blocking of Microsoft’s own third-party YouTube app, which could be construed as direct market abuse.

Users of its Gmail service recently made the headlines after Google made the service inaccessible to email clients on Windows 10 Mobile, with a Google engineer later replying that they’ve fixed the issue, after many user complaints on their product forums. The engineer also said that Google did not intentionally block Gmail for Windows 10 Mobile users.

If the CMA decide to proceed with a full investigation, Google would need to respond to the authority’s concerns and provide evidence to the contrary. Companies are legally obliged to cooperate with the CMA, or they could face fines for market abuse, which can be hefty in some cases.

The CMA recommends that any consumer who feels a company is abusing its market dominance, or who has information related to Google and Windows phones, report it via the authority’s website.

As this is an ongoing case, the authority will not be providing further updates, until when or if, an investigation takes place. In the meantime, they will be collecting information and evidence submitted by consumers and making enquiries.



[Source: Winbeta]

Node.js alert: Google engineer finds flaw in NPM scripts

Never assume a file downloaded from the Internet is safe. That warning also applies to NPM, the default package manager for Node.js. A vulnerability in package install scripts would let an attacker create a self-replicating worm that can spread through NPM packages.

“It is possible for a single malicious NPM package to spread itself across most of the NPM ecosystem very quickly,” Sam Saccone, a software engineer at Google, wrote in his NPM hydra worm disclosure.

Like many other package managers, NPM supports lifecycle scripts, which can execute arbitrary commands on the system with the permissions of the current user. Though lifecycle scripts can be useful for cleaning up files after an installation, compiling binary dependencies, and automatically generating a configuration file, they can also be dangerous since the script can execute commands that modify the system.

“It is possible for a maliciously written NPM package, when installed, to execute a script that includes itself into a new package that it then publishes to the registry, and to other packages owned by that user,” according to a post on the official NPM blog. However, the team said the benefits of installation scripts outweighed the risks of a potential worm attack.

The blog post downplayed the risks, noting the implications for the package scripts were “clear from the start,” but not everyone was “fully aware” of them. Other than reiterating a handful of Saccone’s recommended workarounds, the post did not provide guidance for users concerned that the packages they are installing may not be what they are expecting.

“NPM cannot guarantee that packages available on the registry are safe,” the blog post said.

Worm spreads via package dependencies

The worm takes advantage of three NPM features: semantic versioning (semver), publishing to a centralized registry, and leaving users logged in by default. Because a user remains logged into NPM until they manually log out, any install run by a logged-in user lets a package’s scripts act with that user’s credentials, including publishing. Since install dependencies are not locked to a specific version, packages can push new versions that satisfy the declared semver range, each with the ability to execute code. Finally, it is easy to ship packages to the central registry server to be installed by anyone.

The worm attack relies on social engineering to kick off the initial infection and the above-named features to continue spreading through the ecosystem.

First, the malicious author tricks an NPM module owner into installing the infected package on their system. This could be done by phishing or another malware attack. Once the package is installed, it creates a Trojanized version of the owner’s NPM module and sets a lifecycle hook to execute the worm whenever the module is installed. The modified module is published to the owner’s NPM account, at which point the worm modifies all other packages in that account to call the Trojan module as a dependency. The worm publishes new versions of each package in the account as a “bugfix,” and the next time the modules are installed, the self-replicating code will be executed.

As an example, the PhoneGap project has 463 transitive dependencies, of which 276 individual NPM accounts can push new versions of those packages. It would take only one person out of the 276 to install a package containing the worm to infect everyone who’d ever installed the PhoneGap project, Saccone said.

NPM shrugs off the risks

While there is currently no fix for the vulnerability, the CERT Vulnerability Note from the United States Computer Emergency Readiness Team outlines several workarounds. They include using the --ignore-scripts option when installing modules, locking down dependencies with npm shrinkwrap, and encouraging users who own modules to regularly log out of NPM.

Organizations using NPM in their environments should run a local mirror of the NPM registry and prevent individual users from installing directly from the main registry. This way, organizations can regularly audit the local registry and make sure malicious files have not been inserted into the package’s dependency list.
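Added example, not from the article, npm, or Saccone’s disclosure: a small audit that flags, across a set of package.json manifests, the two properties the worm relies on, install-time lifecycle hooks and dependency ranges that float to whatever version is published next, plus a check that an .npmrc actually sets the ignore-scripts workaround CERT lists. The manifests are constructed for the example and the npm CLI is never invoked, so it runs offline; on a real tree it would be fed the contents of node_modules/*/package.json.

```python
"""Audit package.json manifests for install-time scripts and floating version
ranges, the two properties a self-replicating npm package depends on.
Constructed example; manifests below are made up for illustration."""
import json
import re
from typing import Dict, List

# Hooks npm runs automatically when a package is installed as a dependency.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Exact version: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
# Anything else (^ ~ > < * x, hyphen ranges, dist-tags, git/http URLs) floats.
EXACT_VERSION = re.compile(r"^v?\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$")


def is_pinned(spec: str) -> bool:
    return bool(EXACT_VERSION.match(spec.strip()))


def audit_package(pkg: Dict) -> List[Dict[str, str]]:
    """Return one finding per install hook and per floating dependency."""
    findings = []
    scripts = pkg.get("scripts", {})
    for hook in INSTALL_HOOKS:
        if scripts.get(hook):
            findings.append({"package": pkg["name"], "kind": "install-script",
                             "detail": f"{hook}: {scripts[hook]}"})
    for field in ("dependencies", "optionalDependencies"):
        for dep, spec in pkg.get(field, {}).items():
            if not is_pinned(spec):
                findings.append({"package": pkg["name"], "kind": "floating-dependency",
                                 "detail": f"{dep}@{spec}"})
    return findings


def audit_tree(manifests: List[str]) -> List[Dict[str, str]]:
    """manifests: package.json texts, e.g. from node_modules/*/package.json."""
    out: List[Dict[str, str]] = []
    for text in manifests:
        out.extend(audit_package(json.loads(text)))
    return out


def npmrc_ignores_scripts(npmrc: str) -> bool:
    """True if an .npmrc sets ignore-scripts=true (ini syntax; '#' or ';' comments)."""
    for line in npmrc.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ignore-scripts":
            return value.strip().lower() == "true"
    return False


# Constructed manifests: a benign library, and one shaped like the worm's
# "bugfix" release (a postinstall hook plus caret/tilde ranges).
SAMPLE_MANIFESTS = [
    json.dumps({"name": "left-pad-ish", "version": "1.0.3",
                "dependencies": {"util-thing": "1.2.0"}}),
    json.dumps({"name": "popular-lib", "version": "2.4.1",
                "scripts": {"postinstall": "node ./lib/setup.js"},
                "dependencies": {"helper": "^3.0.0", "another": "~1.1.0", "pinned": "0.9.1"}}),
]

if __name__ == "__main__":
    for f in audit_tree(SAMPLE_MANIFESTS):
        print(f"{f['kind']:<20} {f['package']:<14} {f['detail']}")
    print("ignore-scripts set:", npmrc_ignores_scripts("ignore-scripts=true\n"))
```

An install script by itself is not malicious, and pinning every range is impractical for library authors, so the output is a review queue rather than a verdict: the combination of a freshly added install hook and a new dependency in a “bugfix” release is exactly what the worm’s publish step looks like, and a local mirror is the place to run this before a version is promoted.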

Saccone recommended NPM expire the login tokens to force users to log in after a certain period. In the blog post, the team did not address the recommendation, but outlined other avenues they are exploring to mitigate the risk.

One such idea is to make it more difficult to publish without the module owner’s awareness, such as by requiring two-factor authentication. Another option is to work with security companies to offer vulnerability scanning for modules, but that is not available at the moment. The team currently monitors publish frequency, so a worm would be detected because it was publishing a lot of new versions, but for the most part, NPM relies on users to report suspicious packages.

“Ultimately, if a large number of users make a concerted effort to publish malicious packages to NPM, malicious packages will be available on NPM,” the blog post said.

Trust, but verify

It hasn’t been a good few days for NPM, as the vulnerability disclosure comes on the heels of the current debate on how the package manager should handle unpublished modules. A developer unpublished a small package from NPM last week and inadvertently broke many other projects that relied on it. People also realized how easy it would be for someone else to register their own code under the names of the unpublished modules. Anyone who grabbed those package names would be able to push their code onto any user who had depended on the original package.

There have been a number of discussions on Reddit and GitHub over the past few days about NPM’s heavy reliance on trust: that package maintainers will keep the packages they write, and that no one is writing malicious code. In a global ecosystem, that is a dangerous assumption, because only one person needs to act against the interests of the community to break a lot of code. There must be a way to safely install NPM modules, such as package signing or another method to verify that the code is unmodified and from the correct source. Until there is one, developers are left with the unsettling realization that they are taking a real risk every time they run npm install.


[Source:- Javaworld]

Google spotlights Go language with new open source load balancer

Most of Google’s open source releases have centered on infrastructure-building projects, like Kubernetes, that stem from the company’s work with its public cloud infrastructure. But Google’s latest open source project, a load-balancing technology called Seesaw, instead comes from work done for the company’s corporate, in-house infrastructure.

Seesaw, available on GitHub, also gives Google an opportunity to demonstrate the value of its Go language in a major project.

Seesaw was designed to fill four basic needs at Google, according to the blog post announcing its release. These include routing traffic for “unicast and anycast VIPs [virtual IP addresses],” performing load balancing with NAT and DSR (direct server return, in which the backend answers the client directly rather than routing its reply back through the balancer), checking system health, and “ease of management, including automated deployment of configuration changes.”

Successful open source projects rarely start from scratch, and Seesaw was no exception. An existing project, the Linux Virtual Server, was used as the substrate for Seesaw to perform the traffic handling. Google expanded on LVS’ functionality and used Go’s concurrency and interprocess communications functions to make the bundle easier to manage.

Before Go existed, Google might have created something similar by wrapping LVS with Python. One of Go’s goals is to provide a language that’s as flexible as Python but delivering far greater raw performance and with native functions that make it easier to design decentralized, network-connected applications. Python gained some of these functions in version 3.5, but Go had them from the outset, and Google has been determined to prove that the features baked into the language are an inherent advantage.

Seesaw is available under the Apache license, although a disclaimer on its GitHub repository notes, “This is not an official Google product,” meaning Google won’t provide any support.


[Source:- Javaworld]