Archive for January, 2009

When an Internet application doesn't work as expected or your connection seems flaky, how can you tell whether there is a problem caused by your broadband ISP, the application, your PC, or something else? It can be difficult for experts, let alone average Internet users, to address this sort of question today.

Last year we asked a small group of academics about ways to advance network research and provide users with tools to test their broadband connections. Today Google, the New America Foundation's Open Technology Institute, the PlanetLab Consortium, and academic researchers are taking the wraps off of Measurement Lab (M-Lab), an open platform that researchers can use to deploy Internet measurement tools.

Researchers are already developing tools that allow users to, among other things, measure the speed of their connection, run diagnostics, and attempt to discern if their ISP is blocking or throttling particular applications. These tools generate and send some data back-and-forth between the user's computer and a server elsewhere on the Internet. Unfortunately, researchers lack widely-distributed servers with ample connectivity. This poses a barrier to the accuracy and scalability of these tools. Researchers also have trouble sharing data with one another.

M-Lab aims to address these problems. Over the course of early 2009, Google will provide researchers with 36 servers in 12 locations in the U.S. and Europe. All data collected via M-Lab will be made publicly available for other researchers to build on. M-Lab is intended to be a truly community-based effort, and we welcome the support of other companies, institutions, researchers, and users that want to provide servers, tools, or other resources that can help the platform flourish.

Today, M-Lab is at the beginning of its development. To start, three tools running on servers near Google's headquarters are available to help users attempt to diagnose common problems that might impair their broadband speed, as well as determine whether BitTorrent is being blocked or throttled by their ISPs. These tools were created by the individual researchers who helped found M-Lab. By running these tools, users will get information about their connection and provide researchers with valuable aggregate data. Like M-Lab itself these tools are still in development, and they will only support a limited number of simultaneous users at this initial stage.

At Google, we care deeply about sustaining the Internet as an open platform for consumer choice and innovation. No matter your views on net neutrality and ISP network management practices, everyone can agree that Internet users deserve to be well-informed about what they're getting when they sign up for broadband, and good data is the bedrock of sound policy. Transparency has always been crucial to the success of the Internet, and, by advancing network research in this area, M-Lab aims to help sustain a healthy, innovative Internet.

You can learn more at the M-Lab website. If you're a researcher who'd like to deploy a tool, or a company or institution that is interested in providing technical resources, we invite you to get involved.

Posted by Vint Cerf, Chief Internet Evangelist, and Stephen Stuart, Principal Engineer

Posted by Vahab S. Mirrokni and Muthu Muthukrishnan

Google auctions ads, and enables a market with millions of advertisers and users.  This market presents a unique opportunity to test and refine economic principles as applied to a very large number of interacting, self-interested parties with a myriad of objectives. Researchers in economics, computer science, operations research, marketing and business are increasingly involved in defining, understanding and influencing this market. 

On January 7th, a group of computer science researchers from Google and various universities formed a workshop to discuss key research directions in this area, specifically "Market Algorithms and Optimization." Corinna Cortes (Head, Google Research, NY)  and Alfred Spector (VP of Research, Google) gave short talks about research groups in Google, academic collaborations, and research awards. The morning session comprised talks by Google researchers including Noam Nisan, Jon Feldman, Vahab Mirrokni, Yishay Mansour, and Muthu Muthukrishnan. These talks explored the following topics and key issues: 

• Role of budgets. Identify suitable properties of mechanisms for repeated auctions in the presence of budgets. Truthfulness is impossible, and may not be the suitable property.  
  
• Advertisers' bidding strategies. While bidding equally on all keywords has certain desirable properties,  identify other bidding strategies if advertisers want to maximize different utility functions and  use rich bidding features.
  
• Dynamics of ad games. Understand dynamics of sophisticated advertiser bidder strategies under various ad allocation rules. For proportional allocation rules, the dynamics of simple bidder strategies are described here.
• Online Reservations. Design suitable mechanisms for selling ad inventory in the future rather than on the spot. Models and methods for what happens when reservations can not be honored are explored in WWW08, WINE08, and SODA09 papers.

The research presented in these talks can be found at the Google publications site. Some general research directions and open problems in ad auctions are here.

The post-lunch (sushi included of course) session comprised talks by researchers from academia.  Bobby Kleinberg (Cornell) went first and took the audience far into projective geometry in an attempt to understand equilibria resulting from a sequence of selfish behavior of players using specific learning algorithms. Silvio Micali (MIT) described how difficult it was to model or propose mechanisms in presence of collusions, and then went on to show how to correctly design such mechanisms for combinatorial auctions. Kamesh Munagala (Duke Univ.) and Anna Karlin ( U. Wash) discussed algorithmic problems related to ad auctions, including how to run auctions in presence of advertisers with mixed utilities and tight remnant budgets. Other participants -- Richard Cole (NYU), Amos Fiat (Tel Aviv), Uri Feige (Weizmann), Michel Goemans (MIT), Anupam Gupta (CMU),   Nicole Immorlica (Northwestern), Michael Rabin (Harvard), and Eva Tardos (Cornell) -- kept it lively with questions and discussions.

Part of what makes Google ad systems exciting is the challenges they pose and overcome, and yet others in the horizon. It is remarkable how some of the fundamental problems Google ad systems grapple with are also some of the hardest research problems in the community of Market Algorithms.  Joint Google and Academia meetings like this help researchers begin to attack these problems, and may be a model for  research collaborations in the future.

Posted by Juan Vargas, University Relations

Do you regularly work with your webpages and AdSense implementation, tinkering with HTML or PHP and creating images and code on the fly? If you do, Firefox add-ons can help streamline the process of creating webpages. Here are some in particular that you may find useful:

ColorZilla
This extension tells you which RGB or hex color you're looking at, to help you make sure you created that logo for your business with just the right shade of blue, for instance. The tool also creates custom color palettes while you're browsing, so you can use them in your designs.

MeasureIt
Like the name says, use this add-on to measure the width and height in pixels of any element you see on a webpage. It's very simple to use, and you can define how much space you have left for that AdSense ad unit on the right-side. :)

IE View
Do you frequently use Internet Explorer to check how your website renders on that browser? This add-on allows you to view the way any page would look if it were opened in IE, without the hassle of opening another browser. You can also see pages that aren't Firefox-friendly much more easily.

WebDeveloper toolbar
This all-in-one toolbar gives you quick control over things like JavaScript display, form and CSS elements, screen resizing (so you know what your website looks like in smaller resolutions), HTML validation, and much more.

Hopefully, we'll soon have a similar set of add-ons for Chrome, and we'll be sure to share them with our readers.

What are your favorite add-ons for web developing? Leave us a comment below.

Posted by Laura Prado - Inside AdSense Team

Last week we talked about how Website Optimizer can help you convert a higher percentage of your website visitors (getting you more conversions with the same amount of clicks). This week we'll see how you can get more conversions from your existing AdWords campaigns and keywords with the Conversion Optimizer. We're also happy to announce that the Conversion Optimizer is now available to all campaigns using AdWords' free Conversion Tracking tool that also have at least 30 conversions in the last 30 days. So, if you were previously unable to use the Conversion Optimizer in AdWords, you may now be eligible to use it.

Whether you want visitors to fill out a form, sign up for an account, or buy a product, you want the people who click on your AdWords ad to complete some action on your site. The Conversion Optimizer, a free AdWords feature, helps you get the most conversions for your ad spend by using your conversion tracking data to improve your advertising efficiency. It does this by optimizing the placement of your ads in each auction based on the likelihood of a conversion. This process helps to avoid unprofitable clicks and to get you conversions without requiring you to spend as much time managing your bids - thus saving you money and time (which is particularly useful during a down economy).

For example, say you advertise on the keywords 'shoes' and 'brown leather shoes'. If the Conversion Optimizer determines that people who search for 'brown leather shoes' buy more shoes on your website than people who search for 'shoes', it will adjust your bids so you can appear higher on the page for the more profitable term and lower for the less profitable term.

You might already adjust your keyword bids with the goal of increasing your conversions or decreasing your costs, but the Conversion Optimizer is able to adjust bids using additional factors that are otherwise unavailable. This includes varying bids by broad match query, user location, and the particular search or content partner sites where the ad is appearing. These extra adjustments enable many advertisers to achieve double-digit percentage increases in conversions while paying the same price or less for each conversion.

To learn more or to get started, check out the Conversion Optimizer page. And remember to visit www.google.com/domorewithless to find a list of other Google resources that can help you achieve your advertising goals -- even in a downturn.

Posted by Amanda Kelly, Inside AdWords crew

For the second year, the U.S. and Canada are joining 27 European countries to celebrate Data Privacy Day today. As we explained last year, the lack of understanding about online data protection is a global issue. As increasing amounts of data get uploaded to the Internet every day, it becomes more and more important for people to understand the benefits and risks of online communications and to learn how to use available tools to control and manage the information they share online.

To mark this special day of awareness, we are supporting an event hosted by the Information Technology Association of America called "Data Privacy Day: Increasing Privacy Awareness and Trust." We'll join U.S. and European government officials and key members of the privacy community on Capitol Hill in Washington, DC, to discuss how to increase public awareness about data privacy. This event is a part of our ongoing constructive dialogue with regulators and legislators, consumer and industry groups, and think tanks and privacy advocates to discuss how to protect user information.

Our efforts to raise data privacy awareness extend beyond the public policy arena; we aim to connect directly with our users, too. We're committed to protecting users' online privacy by following the principles of transparency and choice. We're transparent about the data we collect, and we design products that give people control over the information they share. Earlier this year, we revamped our Privacy Center, where we offer information, tips, and videos that explain Google's privacy practices and show people how they can control what data they share. The Privacy Center also includes a link to a series of blog posts about how we use data to improve our products and services for our users. We recently translated the Privacy Center into multiple languages so that we can better serve people all around the world. We're also continuously working on innovative services and features that make information available to people in new ways, but with built-in privacy controls. For example, we introduced privacy-protective face-blurring for Street View earlier this year. And the launch of our browser, Google Chrome, included a feature for surfing the Internet in "incognito mode."

For the coming year, we want to improve our privacy practices even more by engaging in further dialogue with people who use our products and services, offering up easier-to-understand policies, and providing more privacy tools and controls. We hope that you'll take a few minutes on Data Privacy Day to explore our Privacy Center and learn about our commitment to this important issue.

Posted by Peter Fleischer and Jane Horvath, Global Privacy Counsel

As we planned Internet Explorer 8, our security teams analyzed the common attacks in the wild and the trends that suggest where attackers will be focusing their attention next. Over the course of IE8’s development, we’ve also worked closely with those in the security research community to stay on top of new classes of threats. One of the most subtle and interesting web application security vulnerabilities is called Cross Site Request Forgery (CSRF); security researcher Jeremiah Grossman calls CSRF “the sleeping giant” of web vulnerabilities. As Jeremiah notes, preventing CSRF attacks is hard because there’s generally no easy fix. The architectural underpinnings of the browser security model are designed to allow for interaction with multiple websites simultaneously, and seamless navigation between unrelated websites, but these are the very capabilities that CSRF attacks seek to exploit. With the migration of private data and other high value targets from end-users’ PCs to popular web applications, interest in CSRF and other web application vulnerabilities will only continue to grow.

As we designed Internet Explorer 8, we had to be very careful not to increase the browser’s attack surface for CSRF attacks. IE8’s new XDomainRequest object, for instance, allows cross-domain communication upon explicit permission of the server, but contains specific restrictions to ensure that new types of CSRF attacks are not made possible. End-users can mitigate the impact of CSRF attacks by logging out of sensitive websites when not in use, and by browsing in independent InPrivate Browsing sessions. (InPrivate sessions start with an empty cookie jar, so cached cookies cannot be replayed in CSRF attacks.)

Ultimately, however, web applications must be built to prevent CSRF vulnerabilities. Well-designed Web applications often protect themselves with challenge tokens or similar strategies that enable detection of malicious requests that were not intentionally sent by the victim user. Unfortunately, challenge tokens and similar strategies are subject to vulnerabilities. The first vulnerability is cross-site scripting (XSS). If a token-protected web application contains a cross-site scripting vulnerability, it’s likely that the security token can be stolen and the CSRF attack can occur. Fortunately, Internet Explorer 8 includes an XSS Filter and several other features that help prevent XSS attacks that could otherwise be used to steal CSRF-blocking challenge tokens.

Last fall, researchers Robert Hansen and Jeremiah Grossman gave a talk on a second vector that enables CSRF, known as ClickJacking. ClickJacking is a term which encompasses multiple techniques that can be used to trick the user into unwittingly clicking an obscured or hidden web element, usually resulting in an unwanted transaction. A successful ClickJacking attack could circumvent CSRF protections that attempt to confirm transactions with the user. For instance, consider a simple web shop which uses cookies for authentication and offers one-click purchases.

A malicious site elsewhere on the web could construct a page that forces a victim page from the legitimate shop into an IFRAME, and overlay critical portions of that frame with misleading text and images.

The user might be tricked into clicking into the shop’s page unknowingly, and if they were already logged into the shop, an unwanted transaction might occur:

Obviously, this is a pretty simple ClickJacking attack, but more sophisticated versions do exist.

While various mitigations for ClickJacking have been proposed, each entails a set of tradeoffs which can impact compatibility, user-experience, or require significant changes to existing standards. Currently, the simplest and most broadly-used mechanism to defeat ClickJacking attacks is called frame-busting, and it works by simply preventing vulnerable pages from being framed. Unfortunately, typical frame-busting mechanisms rely on script and as a result can be defeated in various ways.

As disclosed to other browser vendors in early December, the Internet Explorer 8 Release Candidate introduces a new opt-in mechanism that enables web applications to mitigate the risk of ClickJacking on vulnerable pages by declaring that those pages may not be framed.

Web developers can send a HTTP response header named X-FRAME-OPTIONS with HTML pages to restrict how the page may be framed. If the X-FRAME-OPTIONS value contains the token DENY, IE8 will prevent the page from rendering if it will be contained within a frame. If the value contains the token SAMEORIGIN, IE will block rendering only if the origin of the top level-browsing-context is different than the origin of the content containing the X-FRAME-OPTIONS directive. For instance, if http://shop.example.com/confirm.asp contains a DENY directive, that page will not render in a subframe, no matter where the parent frame is located. In contrast, if the X-FRAME-OPTIONS directive contains the SAMEORIGIN token, the page may be framed by any page from the exact http://shop.example.com origin.

When rendering is blocked by the X-FRAME-OPTIONS policy, a local error page is presented that explains the restriction and provides a link which opens the frame in a new window. When displayed in a new window rather than a sub-frame, content is no longer subject to ClickJacking.

By using the X-FRAME-OPTIONS directive to protect sensitive anti-CSRF pages, web developers can immediately help mitigate web application attacks for IE8 users. It is my hope that the X-FRAME-OPTIONS directive will be implemented by other browsers as an easily-deployed, highly-compatible mitigation against the threat of ClickJacking. In the longer term, I expect that security researchers and web standards bodies will continue to innovate in the design of browser-enforced web application security policies. We look forward to working with them to frame this and future ClickJacking defenses within the context of a larger security policy feature in future browser versions.

Thanks!

Eric Lawrence
Program Manager

In the fall we posted information about the efficiency of Google data centers and promised to update this information every quarter. We've now collected data for the fourth quarter of 2008 and published them to our sustainable computing website. Specifically, we're keeping track of the efficiency of any Google-designed data center with an IT load of at least 5 MW and a time-in-operation of at least 6 months. In Q4 our average power and cooling overhead in these facilities was 16%, bringing the overhead for the trailing 12 months to 19% (down from 21% a quarter earlier). For comparison, a recent EPA report put the overhead of the average enterprise data center at 100% or higher. We're very happy to have further improved our efficiency, and a number of factors contributed to that result.

First, efficiency is affected by seasonal weather patterns — cooler weather is better than hot weather, and several of our facilities benefited from that in Q4. Also, we continually review our efficiency metrics so that we notice, for example, that one of our data centers is not performing consistently with others of similar size and locale. So we'll take a closer look at optimizing that facility. Are we using fans to cool spaces that don't need to be cooled? Is the thermostat at the right set-point? Can we reduce the time the chillers need to run while keeping the machines operational? So we apply lessons we've learned from better-performing data centers to other facilities, and several such improvements took place in Q4. For the nitty-gritty technical details, visit our data center efficiency page.

While we've made a lot of progress in data center efficiency, we're still learning. As we continue to explore ways to use the least amount of power to do the most amount of computing, we'll continue to share our data and best practices with you. In early March we will participate in the CeBIT conference where we plan to disclose more details on our sustainability efforts as part of this year's theme of "Green IT." Stay tuned.

Posted by Urs Hölzle, Senior Vice President, Operations

The Internet Explorer 8 Release Candidate is the last major IE8 testing milestone. It indicates that we believe that IE8 is implementation complete for CSS 2.1. We also believe IE8 RC1 has the most complete implementation of the CSS 2.1 specification in the industry.

The only way to know if a browser has correctly implemented a specification is to develop a comprehensive set of tests for the specification. These can be used to determine both the support for a specific part of the spec and the behavior of a specific browser. Web developers can also use these test pages as examples of how to combine various layout properties and elements in their pages and know that their page will interoperate well across all the browsers that pass those tests.

Today, the IE Team is submitting 3784 new test cases to the CSS 2.1 Working Group for inclusion into the CSS 2.1 test suite. These cases were developed since IE8 Beta 2. This brings Microsoft’s contribution to the CSS 2.1 Test Suite to 7005 tests. IE8 RC1 passes all of these tests today. All but 52 of these cases also pass in at least one other major browser. We’re working closely with the CSS working group to swiftly include these in the official test suite. For now, these tests are available at the Windows Internet Explorer Testing Center. The last key element to web layout interoperability is actually passing the tests. IE8 RC1 is the first browser to pass all valid tests in the suite thus meeting the interoperability requirements in the 2.1 spec.

It’s important that the spec, the browser, and the tests all agree on a behavior. This is when web developers really win. While developing these test cases, we found instances where all other browsers implemented something a specific way. That syntax pattern was in pages all over the web, creating a broad dependency on that behavior. In those cases, we proposed a change to the spec and developed an associated test case to ensure the web continues to work and browsers can implement the spec as written. We sincerely hope this helps the committee finish the 2.1 spec and move it into the Recommendation phase.

There is also a variety of unofficial, unsanctioned “tests” posted around the web as well. These range from quirky web pages that someone developed to show off a bug in a browser to complex degenerative web scenarios that combine CSS 2.1 properties and elements in unlikely ways. Some of these are pragmatic tests that actually demonstrate a real-world situation where there are inconsistencies across major browsers. IE8 RC1 passes all of the pragmatic “tests” we could find, although new combinations can always be developed. I strongly encourage those test authors to submit their cases to the W3C’s CSS 2.1 test suite so those tests may be used by any browser under the W3C’s license. Only then will those tests broadly benefit web developers.

If you have specific feedback on any particular test case, I strongly encourage you to provide it on the W3C’s CSS 2.1 Working Group’s mailing list. That will ensure the test case reviewers have your comments in context as they add these pages into the suite.

Jason Upton
Test Manager – Internet Explorer

by Claudine Zap

Picture this: You're 15 and bored. You snap a photo with your mobile in your birthday suit and send picture mail to your friends. Silly prank, right? Wrong. You've just become a trafficker of child pornography. And your friends who received the image? They are now in possession of porn.

That's what some students in a Pennsylvania high school discovered, as a group of teens who sent and received the pics are now under investigation for sending "inappropriate messages via cellphone."

The practice, known as "sexting," has become common among teens, and whether the photos are freely given or coerced, it's one more thing that kids these days are doing under parental radar.

In fact, "tech sex" is more common than ever. According to a study by the National Campaign to Prevent Teen and Unplanned Pregnancy and CosmoGirl.com, "One in 5 teenagers say they've electronically sent or posted online nude or semi-nude images of themselves" and 39 percent of teenagers have sent sexual e-mail messages or instant messages.

Just as new ways to communicate break ground, they unfortunately bring with them a downside, and teens said they did not know how to respond to "textual abuse," in research reported by the New York Times.

The Advertising Council and the Family Violence Prevention Fund are aiming to change that, launching a mainly digital campaign for teens, including a website, to give some guidance to handle bad behavior. Teens can download or e-mail biting "callout cards" to the offending texter with such sarcastic messages as "Remind me to teach you a little thing called privacy" and "Congratulations! With that last text you achieved stalker status."

TV and print ads will follow, still aimed at a teen audience. For now, parents will have to resort to the old-fashioned way of finding out what their kids are up to: Tell their teens to turn off their phones and ask them.