Cutting back on your long list of passwords

Does anyone actually like passwords? Most people can't stand them because they end up having to keep track of a long (and often memorized) list of usernames and passwords to sign into the websites they visit. Website owners hate them because it's hard to get people to create a new account on their website, and almost half of those account registrations are never completed. Thanks to the utilization of new technology, we're now seeing large-scale success in eliminating the need for passwords while increasing the successful registration rate at websites to over 90%. The most visible examples come from Plaxo, Facebook, Yahoo! and Google using a technique the industry calls hybrid onboarding. In the past, if you're a Gmail user who got an invitation to use Plaxo or Facebook, you were asked to perform the traditional process of creating a new account with yet another password, and then you might also have been asked to provide the password of your email account so Plaxo or Facebook could look up the list of your friends. With hybrid onboarding, if you click on such an invitation in your Gmail, you'll see a page like one of these:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRIX2UACLWYxxDIWcaGV2T85nZRfFIGU-ziuwgn-Ykr107olTN4AFq-P2WEG8GJqJ7APU5mkqKSgpQ4OjZE35Sdj1Ua8W4vq-4FBk0YysxRSkdvvUMLpugxPM9lkcNQEhRpB481pEOc88/s1600-h/agnvhqdt23_39dvzd6kgx_b.jpg" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5399903403389908882" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRIX2UACLWYxxDIWcaGV2T85nZRfFIGU-ziuwgn-Ykr107olTN4AFq-P2WEG8GJqJ7APU5mkqKSgpQ4OjZE35Sdj1Ua8W4vq-4FBk0YysxRSkdvvUMLpugxPM9lkcNQEhRpB481pEOc88/s400/agnvhqdt23_39dvzd6kgx_b.jpg" style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 142px;" /></a><br />Clicking the large button on the Plaxo page takes you to a page at Google like this:<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv3eCsEytDkk7Ar-Cilz0Dz0dM95aIg21igZo8iNcsAIHlYgfvf0kLCqwSKpzurXVYCEEeIt6L2op-8nr0a0qbfsRcXCpVh0zQ9Qlif3fUAAx3Rrp4DckefsG1R9PSh4Kxo0YMm7vcBLs/s1600-h/agnvhqdt23_36dnz3jjfh_b.jpg" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5399903405767630210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjv3eCsEytDkk7Ar-Cilz0Dz0dM95aIg21igZo8iNcsAIHlYgfvf0kLCqwSKpzurXVYCEEeIt6L2op-8nr0a0qbfsRcXCpVh0zQ9Qlif3fUAAx3Rrp4DckefsG1R9PSh4Kxo0YMm7vcBLs/s400/agnvhqdt23_36dnz3jjfh_b.jpg" style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 301px;" /></a><br />If you give consent to share a few pieces of information, you are sent back to Plaxo with all key registration steps finished.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgCnIxb-RSaOiYgUjXmw1JhDp5Pn0EKiyNgbyyko11bSXUpCvuq08vWAo9NBiNTNlsBSg8SIVyP792ZCJDz51_lxGhUuBF3X1LTe_auY2tLp7yzKcJRKcsFZOf_b5Oe1UrdO5ZnbviNP4/s1600-h/agnvhqdt23_37c3n7pmdn_b.jpg" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5399903409826444162" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgCnIxb-RSaOiYgUjXmw1JhDp5Pn0EKiyNgbyyko11bSXUpCvuq08vWAo9NBiNTNlsBSg8SIVyP792ZCJDz51_lxGhUuBF3X1LTe_auY2tLp7yzKcJRKcsFZOf_b5Oe1UrdO5ZnbviNP4/s400/agnvhqdt23_37c3n7pmdn_b.jpg" style="display:block; margin:0px auto 10px; text-align:center;cursor:pointer; cursor:hand;width: 400px; height: 223px;" /></a><br /><div>The registration process used to involve more than 10 steps, including requiring you to find one of those "email validation" messages in your inbox. If you've followed the steps above, you can now sign into Plaxo more easily — by simply clicking a button.<br /><br />While Plaxo showed the <a href="http://www.readwriteweb.com/archives/comcast_property_sees_92_success_rate_openid.php">first successful results</a> of this technique in early 2009, other companies like Facebook are starting to use the same model and to recognize its business value potential. At the same time, the hybrid onboarding model improves authentication security because websites like Plaxo that use this technique never see a password from you at all. Since you don't have to enter your password on additional sites, your password remains closer to you and is less likely to be misused. We'd like to applaud Plaxo and Facebook's work in designing the user experience needed for this technique as well as pushing us to create the optimizations needed to carry out their design. Today we're happy to announce that all of these login flow designs are now available to any website operator. All of these hybrid onboarding techniques are based on industry standards that both Google and Yahoo! support, and that other email providers are beginning to support as well. For more technical details, check out our <a href="http://googlecode.blogspot.com/2009/11/hybrid-onboarding.html">Google Code Blog post</a>.<br /><br />Hybrid onboarding is also being used by Enterprise Software-as-a-Service vendors — such as ZoHo — that want to eliminate the need for employees at their customers' businesses to create another password. More details are available on our <a href="http://googleenterprise.blogspot.com/2009/11/single-sign-on-to-zoho-tripit-socialwok.html">Enterprise Blog</a>. In addition, after a thorough evaluation of the security and privacy of these technologies, the same techniques are being piloted by <a href="http://openid.net/2009/09/09/yahoo-paypal-google-equifax-aol-verisign-acxiom-citi-privo-wave-systems-pilot-open-identity-for-open-government-2/">President Obama's open identity initiative</a> to enable citizens to sign in more easily to government-operated websites.<br /><br />There is still a long way to go before you'll be able to trim down your long list of website passwords, but this progress demonstrates the potential for even the largest websites to adopt to adopt the hybrid onboarding model. We hope many other websites will follow.<br /><br /><span class="byline-author">Posted by Eric Sachs, Product Manager, Google Security</span></div>

Cutting back on your long list of passwords

Does anyone actually like passwords? Most people can't stand them because they end up having to keep track of a long (and often memorize...

Đọc thêm »

Next steps in cyber security awareness

<span style="font-style: italic;">(Cross-posted from the <a href="http://googlepublicpolicy.blogspot.com/2009/11/next-steps-in-cyber-security-awareness.html">Public Policy blog</a>)</span><br /><br />Last week I joined several industry experts to speak at a cyber security panel on Capitol Hill organized by Congresswoman Yvette Clarke and sponsored by the Committee on Homeland Security. The conversation focused on things everyday Internet users can do to help protect their computers and stay safe online. Given that we just wrapped up our observation of <a href="http://googleblog.blogspot.com/2009/10/celebrating-national-cyber-security.html">National Cyber Security Awareness Month</a>, I thought I'd share some of the key recommendations from the panel:<br /><br /><span style="font-weight: bold;">What are the most important things we all need to do to protect our computers and mobile devices?</span><br />You should have the same expectations when using the Internet as you would when exploring a city: you don't give your credit card to the person selling watches on the street just because you recognize the brand, you don't let your kids wander around by themselves and you don't give personal information unless you know who's getting it. If an offer is "urgent" or seems too good to be true, take a step back and research the offer. Add a password to your mobile phone, and browse cautiously on open WiFi networks as you would when using a computer.<br /><br /><span style="font-weight: bold;">What are the most common misconceptions about cyber security?</span><br />Many dangerous websites are not designed to be dangerous. In fact, most of the sites that serve malware (malicious software) are innocent sites that have been compromised in one way or another. Your computer isn't necessarily safe just because you're avoiding sites that contain adult content or pirated software. Use reputable anti-virus and anti-spyware programs, and keep your computer operating system and applications updated with the latest software versions.<br /><br /><span style="font-weight: bold;">How do I know if my computer or network has been compromised?</span><br />First, disconnect it from the Internet. Take note of any slowness, and if you're not sure how to proceed, get someone with technical expertise to check your network logs for high traffic appearing during times when you're not using the computer. When in doubt, contact a computer support expert.<br /><br />As President Obama recently stated, <a href="http://www.youtube.com/watch?v=UIIY9AQSqbY">cyber security is a shared responsibility</a>. At Google, we recognize how important awareness and education are because many online security threats can only be avoided if we work together.<br /><br />We spent the month of October exploring cyber security and talking about how to use Google products in a more secure manner. If you haven't seen them already, take a look at the posts we've released over the last month:<br /><ul><li><a href="http://googleblog.blogspot.com/2009/10/celebrating-national-cyber-security.html">Kick-off and YouTube Cyber Security Awareness Channel</a></li><li><a href="http://gmailblog.blogspot.com/2009/10/choosing-smart-password.html">Choosing smart passwords</a></li><li><a href="http://googleonlinesecurity.blogspot.com/2009/10/malware-warning-review-process.html">How the website malware review process works</a></li><li><a href="http://buzz.blogger.com/2009/10/keeping-your-blog-secure_09.html">Blogging security tips</a></li><li><a href="http://googleonlinesecurity.blogspot.com/2009/10/show-me-malware.html">New malware snippets feature for webmasters</a></li><li><a href="http://googleonlinesecurity.blogspot.com/2009/10/protecting-users-and-ads-from-malware.html">Protecting users and ads from malware</a></li><li><a href="http://googleonlinesecurity.blogspot.com/2009/10/best-practices-for-verifying-and.html">Best practices for verifying and cleaning up a malware-infected site</a></li><li><a href="http://gmailblog.blogspot.com/2009/10/gmail-account-security-tips.html">Gmail account security tips</a></li><li><a href="http://googlecheckout.blogspot.com/2009/10/google-checkout-security-tips-for.html">Online commerce security</a></li><li><a href="http://en.blog.orkut.com/2009/10/update-your-browser-and-stay-safe.html">Updating your web browser</a></li><li><a href="http://googledocs.blogspot.com/2009/10/taking-charge-of-your-document-sharing.html">Taking charge of document sharing with Google Docs</a></li><li><a href="http://chrome.blogspot.com/2009/10/are-you-seeing-red.html">Web browser security and Google Chrome security messages</a></li></ul>Be sure to share the tips you find most helpful with others, and remember to stay safe online.<br /><br /><span class="byline-author">Posted by Eric Davis, Head of Anti-Malvertising</span>

Next steps in cyber security awareness

(Cross-posted from the Public Policy blog ) Last week I joined several industry experts to speak at a cyber security panel on Capitol Hill o...

Đọc thêm »

Celebrating National Cyber Security Awareness Month 2009

Internet security and online safety are topics that leave many people scratching their heads. While many companies and organizations work to make the Internet a safer place, it can be difficult to know what to do as an Internet user beyond creating numerous passwords for your various online accounts and steering clear of that email from a "long lost relative" who wants you to immediately wire thousands of dollars to him. Here's the good news: even though security can become quite technical and complicated, there are simple steps you can take that can make a big difference in helping to keep your information safe.<br /><br /><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTZFMbaxT3ayX0qxf6OBqTgqof5HdRoGzq9ZGC-HfkBOHzlRdpr3O10XkDYVdrWlYXK0TPQc4GvWZqXiahVSxFtxUXDbbfIOxDpqDODrAln2UQwcbf1DeGWWiEtRTYpQ9WoVoArlzyNFXc/s1600-h/security1" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img alt="" border="0" id="BLOGGER_PHOTO_ID_5387683125021756898" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTZFMbaxT3ayX0qxf6OBqTgqof5HdRoGzq9ZGC-HfkBOHzlRdpr3O10XkDYVdrWlYXK0TPQc4GvWZqXiahVSxFtxUXDbbfIOxDpqDODrAln2UQwcbf1DeGWWiEtRTYpQ9WoVoArlzyNFXc/s400/security1" style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer; width: 300px; height: 250px;" /></a><br />This month, Google joins the National Cyber Security Alliance (NCSA), governmental agencies, corporations, schools and non-profit organizations in recognizing <a href="http://www.staysafeonline.info/content/about-ncsam">National Cyber Security Awareness Month</a>. Throughout October, we'll be raising awareness of important Internet security and safety issues that will teach you how to be an informed web user. Keep an eye on our various <a href="http://www.google.com/press/blogs/directory.html#tab1">product blogs</a>, as we'll be sharing tips that are tailored to users of Google products and services. To kick off the series, visit our newly created <a href="http://www.youtube.com/user/GoogleCyberSecurity">Google Cyber Security Awareness Channel</a> on YouTube to watch a variety of online safety videos created by individuals and groups with an interest in cyber security.<br /><br />The web is a great platform for all kinds of things — finding information, interacting with others and even running your business. Practicing good cyber security habits can help keep it that way. Join us this month by brushing up on your cyber security awareness and sharing the tips you like with others.<div><br /></div><div><span class="Apple-style-span" style="font-style: italic;"><span class="Apple-style-span" style="font-weight: bold;">Update on 10/22/2009</span></span>: We're excited to hear that the U.S. House of Representatives today <a href="http://clarke.house.gov/2009/10/house-passes-rep-yvette-d-clarkes-h-res-797-supporting-goals-and-ideals-of-national-cybersecurity-aw.shtml">unanimously passed a resolution</a> formally supporting the goals and ideals of National Cyber Security Awareness Month 2009. Rep. Yvette D. Clarke’s resolution signals the government's willingness and commitment to help better protect the nation's online and information security.<br /><br /><span class="byline-author">Posted by Eric Davis, Head of Anti-Malvertising</span></div>

Celebrating National Cyber Security Awareness Month 2009

Internet security and online safety are topics that leave many people scratching their heads. While many companies and organizations work to...

Đọc thêm »

How to steer clear of money scams

<span style="font-size:85%;"><span style="font-style: italic;">This post is the latest in an ongoing <a href="http://googleblog.blogspot.com/search/label/security">series</a> on how to stay safe online. - Ed.</span></span><br /><br />As the designated tech support person for my immediate family, I'm used to getting calls about issues like browser crashes and confusing websites. But recently my mom called to ask about something she saw online that said Google would pay her thousands of dollars to work from home with no experience required. She didn't buy it, but she did want to ask — is this for real?<br /><br />My mom was right to be skeptical. In the current economic downturn, a lot of people are looking for ways to make extra money. Unfortunately, some unsavory characters see this trend as an opportunity to trick unsuspecting people with scams and elaborate get-rich-quick schemes. We're seeing disturbing cases in which websites, emails and advertisements claim that you can make large amounts of money from home with very little effort using Google products and services. They're designed to look like they were written by a regular person, just like you, who stumbled across an amazing opportunity to make their monetary dreams come true. What they don't tell you clearly is that Google is not affiliated with these sites and that they may add extra charges to your credit card or misuse your personal information.<br /><br />To be clear, we are proud to say that many companies and individuals do legitimately make money placing ads on their websites with <a href="https://www.google.com/adsense/">Google AdSense</a> or participating in programs like the <a href="http://www.google.com/ads/affiliatenetwork/">Google Affiliate Network</a>. Creating a successful website is hard work — successful sites earn their money by writing compelling content, developing useful applications and maintaining vibrant user communities. Any claim that you can skip all of that and make just as much money by posting links, using a secret system, or running a kit to generate websites should be treated with a heavy dose of skepticism.<br /><br />Spammers attempt to reach users by generating hundreds of webpages and sending out a flood of spam emails, sometimes even buying advertisements on reputable websites. Their sites also target other popular Internet companies. They may include family photos pilfered from another site or a picture of a check they supposedly received. Spammers use a wide range of techniques that try to slip past automatic filters to get to you. At Google, we work hard to protect users from these schemes by using a combination of automated and manual tools that remove them from our search index and ad network. However, scams target many companies and appear in various places around the web, so we all need to work cooperatively. Google collaborates with various government and non-governmental consumer protection agencies, such as the Federal Trade Commission, that are <a href="http://ftc.gov/opa/2009/07/shortchange.shtm">investigating these types of schemes further</a>.<br /><br /><span style="font-weight: bold;">How to identify scams and other schemes</span><br /><br />In general, if it looks too good to be true, it probably is. Here are some pointers on what to look out for:<br /><ul><li>Before you fill out a form or give someone a credit card, <span style="font-weight: bold;">do a web search</span> to see what other people are saying about the company and its practices. </li></ul><ul><li>Be wary of companies that ask for <span style="font-weight: bold;">upfront charges</span> for services that Google actually offers for free. Check out our <a href="http://www.google.com/intl/en_us/services/var_1.html">business solutions page</a> before writing a check.</li></ul><ul><li>Always <span style="font-weight: bold;">read the fine print</span>. Watch out for get-rich-quick schemes that charge a very low initial fee before sneaking in large reoccurring charges on your credit card or bank account.</li></ul><ul><li><span style="font-weight: bold;">Google never guarantees top placement</span> in search results or <a href="http://adwords.google.com/support/aw/bin/answer.py?answer=6546">AdWords</a> — beware of companies that claim to guarantee rankings, allege a special relationship with Google, or advertise a "<span style="font-weight: bold;">priority submit</span>" to Google. There is no priority submit for Google. In fact, the only way to submit a site to Google directly is through our <a href="http://www.google.com/addurl/">Add URL page</a> or through the <a href="http://www.sitemaps.org/">Sitemaps program</a> — you can do these tasks yourself at no cost whatsoever. </li></ul><ul><li><span style="font-weight: bold;">Be wary of anything resembling a </span><a href="http://www.sec.gov/answers/pyramid.htm" style="font-weight: bold;">pyramid scheme</a>, where you make commissions by recruiting more participants.</li></ul><ul><li>Some sales pitches use the word "Google" or other trademarks right in their name with targeted phrases like "cash," "pay day," "money," "secrets," "home business," etc. <span style="font-weight: bold;">If you can't find it on our </span><a href="http://www.google.com/intl/en/options/" style="font-weight: bold;">list of Google products</a> or on the business solutions page, <span style="font-weight: bold;">don't trust it</span>. </li></ul><ul><li><span style="font-weight: bold;">Look for third party verification</span>. Scammers can easily cut-and-paste images to plaster a site with "as seen on TV," "five-star reviews" and the logos of well-known news channels. Products that have really been recommended by experts and fellow users typically contain links from legitimate news sites and multiple user review sites.</li></ul><ul><li><span style="font-weight: bold;">Reserve the same skepticism for unsolicited email</span> about making money with Google AdWords as you do for "burn fat at night" diet pills or requests to help transfer funds from deposed dictators. In general, be wary of offers from firms that email you out of the blue. Amazingly, we get these spam emails too:</li></ul> "I visited your website and noticed that you are not listed in most of the major search engines and directories..."<br /><ul><li>Google is not running a lottery, and we have not picked your email address to win millions of dollars. <span style="font-weight: bold;">Don't give out your bank account details via email</span> in anticipation of a big jackpot.</li></ul><span style="font-weight: bold;">What you can do</span><br /><ul><li>If you've been ripped off, or suspect others are, <a href="http://www.google.com/support/websearch/bin/answer.py?answer=9110">report the site and file a complaint</a> with the appropriate agency.</li></ul><ul><li>If you come across many sites with duplicate content or common templates intended to direct users to the same product or scheme, please let us know with a <a href="http://www.google.com/support/webmasters/bin/answer.py?answer=35265">spam report</a>. </li></ul><ul><li>If you've been contacted to place suspicious links on your site for money, let us know with the <a href="https://www.google.com/webmasters/tools/paidlinks">paid link report form</a>. If you have your own website or are in charge of advertising on a site, think carefully before accepting ads or entering into affiliate programs that will lead your users to schemes like those mentioned above. </li></ul><ul><li>If your site's forums or comment sections have been spammed with fake offers of fabulous financial gain, you may need to <a href="http://googlewebmastercentral.blogspot.com/2008/09/keeping-comment-spam-off-your-site-and.html">take steps to fight comment spam</a>. Spammers will take advantage of any user-generated content sections of your site, and will even generate thousands of <a href="http://googlewebmastercentral.blogspot.com/2009/06/spam20-fake-user-accounts-and-spam.html">fake user profiles</a> to try to slip under the radar. </li></ul><ul><li>If you receive suspicious messages that claim to be from Google, these may be <a href="http://www.google.com/support/websearch/bin/answer.py?answer=106318">phishing attempts</a>. Please report them to <a href="mailto:%20phishing@google.com">phishing@google.com</a>. </li></ul> <span class="byline-author">Posted by Jason Morrison, Search Quality Team<br /></span>

How to steer clear of money scams

This post is the latest in an ongoing series on how to stay safe online. - Ed. As the designated tech support person for my immediate fami...

Đọc thêm »

What we've learned about spam

Blended threats. Payload viruses. Spam. If you're one of the more than 15 million people whose work email is protected by <a href="http://www.google.com/postini/">Postini</a>'s email security products, we hope you don't spend a lot of time thinking about these things. And if we're doing our job right, they certainly shouldn't be showing up in your inboxes. But we process more than 3 billion business emails per day for our customers, culling the spam, viruses, and other threats out, so we do think about this stuff. A lot.<br /><br />On <a href="http://googleblog.blogspot.com/2009/01/look-back-at-spam-in-2008.html">occasion</a>, we like to share some of what we've learned, so that those of you who are interested can see what spammers are up to. If you're one of those people, head over to our <a href="http://googleenterprise.blogspot.com/2009/07/q2-2009-spam-trends.html">Enterprise Blog</a> for an update on spam trends over the past few months.<br /><br /><span class="byline-author">Posted by Ellen Leanse, Google Enterprise team</span>

What we've learned about spam

Blended threats. Payload viruses. Spam. If you're one of the more than 15 million people whose work email is protected by Postini 's...

Đọc thêm »

What to do if you can't access your webmail

<span style="font-size:85%;"><span style="font-style: italic;">This post is the latest in an ongoing </span><i style="font-style: italic;" id="d7_30"><a href="http://googleblog.blogspot.com/search/label/security" id="tkbs" title="series">series</a> </i><span style="font-style: italic;"> on how to stay safe online. - Ed.</span></span><br /><br />We know how important webmail is to the people who use it regularly, since (of course) we use it ourselves at Google. So we know that not being able to access a webmail account -- no matter what the reason, or how long it lasts -- can be frustrating at the very least. Sometimes interruptions are caused by technical issues with your mail program or your Internet connection. More often, they're account-related.<br /><br />When it comes to Gmail specifically, there are a couple of things that might cause account-related interruptions in access: a lost or forgotten password, <span id="gwaz4" style="background-color: rgb(255, 255, 255);"><span id="qnm6" style="background-color: rgb(255, 255, 255);"></span></span><a href="http://mail.google.com/support/bin/answer.py?answer=43692" id="v4u8" style="background-color: rgb(255, 255, 255);" title="unusual activity">unusual activity</a> that triggers the safety measures designed to keep accounts from being compromised, or, in the worst case, someone has stolen your login info and changed it.<br /><br />Most of the questions we get about account interruptions are the result of lost or forgotten passwords and as such are relatively easy to fix (more below). But no matter what their origin, we take these issues very seriously. Of course, there are certain cases where our options are limited -- we don't ask for much personal information when you sign up for Gmail, which can sometimes make it difficult to prove ownership of an account and trigger the recovery process.<br /><br />Still, there are some simple steps you can take to ensure that your account stays in your hands, and to greatly improve the chances of <a href="http://mail.google.com/support/bin/answer.py?answer=46346&fpUrl=https%3A%2F%2Fwww.google.com%2Faccounts%2FForgotPasswd%3FfpOnly%3D1%26continue%3Dhttps%253A%252F%252Fmail.google.com%252Fmail%252F%253Fhl%253Den%2526tab%253Dwm%2526nsr%253D1%2526ui%253Dhtml%2526zy%253Dl%26service%3Dmail%26hl%3Den&fuUrl=https%3A%2F%2Fwww.google.com%2Faccounts%2FForgotPasswd%3FfuOnly%3D1%26continue%3Dhttps%253A%252F%252Fmail.google.com%252Fmail%252F%253Fhl%253Den%2526tab%253Dwm%2526nsr%253D1%2526ui%253Dhtml%2526zy%253Dl%26service%3Dmail%26hl%3Den&hl=en" id="fzvf" title="getting it back"><span style="background-color: rgb(255, 255, 255);">regaining access</span></a> if you have any problems:<br /><ul><li><span style="font-weight: bold;">Don't share your Gmail password with anyone. </span>Not friends, not family, not anyone. And if you need to write down your password, be sure to keep it in a safe place, away from your computer. (For info on how to choose a good password and keep it safe, check out this <a href="http://googleblog.blogspot.com/2008/06/does-your-password-pass-test.html" id="ht_y" title="post"><span style="background-color: rgb(255, 255, 255);">post</span></a>.)</li></ul><ul><li><span style="font-weight: bold;">Don't respond to messages asking for your login info.</span> As you may already know, there are people out there who will try to <a href="http://googleblog.blogspot.com/2008/04/how-to-avoid-getting-hooked.html" id="bd5." title="steal your login info"><span style="background-color: rgb(255, 255, 255);">steal your login info</span></a>. Google will never send you an email, IM, or any other communication asking for your Gmail login info, so don't respond to any messages asking for it.</li></ul><ul><li><span style="font-weight: bold;">Always keep the verification number you get when you sign up for Gmail.</span> When you sign up for Gmail, we'll ask you for a secondary email address and then email a verification number to that account. This number is the best way to prove ownership of your account, so be sure to hang on to it.</li></ul><ul><li><span style="font-weight: bold;">If you aren't able to access your account, try</span> <a href="https://www.google.com/accounts/ForgotPasswd?service=mail&fpOnly=1&dEM=" id="om:l" title="resetting your password"><b id="a4va">resetting your password</b></a>. As mentioned above, most of the support requests we get turn out to be lost or forgotten passwords, rather than something more serious. Resetting your password usually gets the job done.</li></ul><ul><li><span style="font-weight: bold;">If resetting your password doesn't work, try our</span> <a href="http://www.google.com/support/accounts/bin/request.py?ara=1" id="ozz0" style="background-color: rgb(255, 255, 255);" title="account-recovery process"><b id="zbmw">account-recovery process</b></a>. We recently launched an account-recovery form in our help center that can drastically reduce the amount of time it takes to verify ownership of an account and restore access. If you have the information necessary to prove ownership -- such as the verification code for the account -- this new process can help our support team restore access within a matter of hours.</li></ul>Again, we're always working on ways to help you keep your account secure and to stay safe online. Some of that work is <span id="neve0" style="background-color: rgb(255, 255, 0);"><span id="b8q30" style="background-color: rgb(255, 255, 255);"><a href="http://googleblog.blogspot.com/search/label/security" id="ykwt" title="educational">educational</a></span></span>, and some of it is technical, like the <span id="neve0" style="background-color: rgb(255, 255, 0);"><span id="b8q30" style="background-color: rgb(255, 255, 255);"><a href="http://gmailblog.blogspot.com/2008/07/remote-sign-out-and-info-to-help-you.html" id="jwoc" title="new feature">feature</a></span></span> we recently launched for Gmail that lets you see when your account was last logged into and whether your account is currently open on another computer. Head over to our <span id="neve0" style="background-color: rgb(255, 255, 0);"><span id="b8q30" style="background-color: rgb(255, 255, 255);"><a href="http://gmailblog.blogspot.com/2008/07/remote-sign-out-and-info-to-help-you.html" id="kj4w" title="Gmail blog">Gmail blog</a></span></span> for more info.<br /><br /><span class="byline-author">Posted by Colin Bogart, Gmail user support team</span>

What to do if you can't access your webmail

This post is the latest in an ongoing series on how to stay safe online. - Ed. We know how important webmail is to the people who use it r...

Đọc thêm »

Another step to protect user privacy

Today, we're announcing a new logs retention policy: we'll anonymize IP addresses on our server logs after 9 months. We're significantly shortening our previous 18-month retention policy to address regulatory concerns and to take another step to improve privacy for our users.<br /><br />Back in March 2007, Google became the first leading search engine to <a href="http://googleblog.blogspot.com/2007/03/taking-steps-to-further-improve-our.html" id="v087" title="announce">announce</a> a policy to anonymize our search server logs in the interests of privacy. And many others in the industry quickly followed our lead. Although that was good for privacy, it was a difficult decision because the routine server log data we collect has always been a critical ingredient of innovation. We have published a <a href="http://googleblog.blogspot.com/2008/03/why-data-matters.html" id="ven6" title="series">series</a> of blog posts explaining how we use logs data for the benefit of our users: to make <a href="http://googleblog.blogspot.com/2008/03/making-search-better-in-catalonia.html" id="ixci" title="improvements to search quality">improvements to search quality</a>, <a href="http://googleblog.blogspot.com/2008/03/using-log-data-to-help-keep-you-safe.html" id="pq9f" title="improve security">improve security</a>, <a href="http://googleblog.blogspot.com/2008/03/using-data-to-help-prevent-fraud.html" id="d3kn" title="fight fraud">fight fraud</a> and <a href="http://googleblog.blogspot.com/2008/06/using-data-to-fight-webspam.html" id="vksr" title="reduce spam">reduce spam</a>. <br /><br />Over the last two years, policymakers and regulators -- especially in Europe and the U.S. -- have continued to ask us (and others in the industry) to explain and justify this shortened logs retention policy. We responded by <a href="http://services.google.com/blog_resources/Google_response_Working_Party_06_2007.pdf" id="u8i6" title="open letter">open letter</a> to explain how we were trying to strike the right balance between sometimes conflicting factors like privacy, security, and innovation. Some in the community of EU data protection regulators continued to be skeptical of the legitimacy of logs retention and <a href="http://www.cbpweb.nl/downloads_int/Opinie%20WP29%20zoekmachines.pdf" id="gtak" title="demanded detailed justifications">demanded detailed justifications</a> for this retention. Many of these privacy leaders also highlighted the risks of litigants using court-ordered discovery to gain access to logs, as in the recent Viacom suit.<br /><br />Today, we are filing <a href="http://services.google.com/blog_resources/Google_response_Working_Party_06_2007.pdf">this response</a> (PDF file) to the EU privacy regulators. Since we announced our original logs anonymization policy, we have had literally hundreds of discussions with data protection officials, government leaders and privacy advocates around the world to explain our privacy practices and to work together to develop ways to improve privacy. When we began anonymizing after 18 months, we knew it meant sacrifices in future innovations in all of these areas. We believed further reducing the period before anonymizing would degrade the utility of the data too much and outweigh the incremental privacy benefit for users.<br /><br />We didn't stop working on this computer science problem, though. The problem is difficult to solve because the characteristics of the data that make it useful to prevent fraud, for example, are the very characteristics that also introduce some privacy risk. After months of work our engineers developed methods for preserving more of the data's utility while also anonymizing IP addresses sooner. We haven't sorted out all of the implementation details, and we may not be able to use precisely the same methods for anonymizing as we do after 18 months, but we are committed to making it work.<br /><br />While we're glad that this will bring some additional improvement in privacy, we're also concerned about the potential loss of security, quality, and innovation that may result from having less data. As the period prior to anonymization gets shorter, the added privacy benefits are less significant and the utility lost from the data grows. So, it's difficult to find the perfect equilibrium between privacy on the one hand, and other factors, such as innovation and security, on the other. Technology will certainly evolve, and we will always be working on ways to improve privacy for our users, seeking new innovations, and also finding the right balance between the benefits of data and advancement of privacy.<br /><br /><span class="byline-author">Posted by Peter Fleischer, Global Privacy Counsel; Jane Horvath, Senior Privacy Counsel; and Alma Whitten, Software Engineer</span>

Another step to protect user privacy

Today, we're announcing a new logs retention policy: we'll anonymize IP addresses on our server logs after 9 months. We're signi...

Đọc thêm »

Does your password pass the test?

<span class="byline-author">Posted by HongHai Shen, Engineer</span><br /><br /><span style="font-style: italic;">This post is the latest in an ongoing </span><a href="http://googleblog.blogspot.com/search/label/security" id="tkbs" style="font-style: italic;" title="series">series</a><span style="font-style: italic;"> about online safety. - Ed.</span><br /><br />One of the things I work on is password security. And because I'm someone who pays close attention to passwords and how people use them, I sometimes hear interesting stories. For example, a couple of my colleagues are so careful about the security of their passwords that they generate a random eight-character string, memorize it, and then use it as their password for two to three months. After that time elapses, they start the process over again and generate a new random password.<br /><br />Do we all need to be that careful about our passwords? Probably not. But passwords are one of the web's most important security tools. Whether it's for your Google account, your banking center, or your favorite store, choosing a good password and keeping it safe can go a long way toward protecting your information online.<br /><br />So how do you choose a good password, and then keep it safe? A few of these tips can help:<br /><ul><li><span style="font-weight: bold;">Avoid common elements when choosing your password.</span> Specifically, you should avoid using words or phases from the dictionary, especially things that are easy to guess, like "password," "let me in," or the name of the site you're logging into. You should also avoid using keyboard patterns, such as "asdf1234" or "aqswdefr," or personal information, such as birthdays, addresses, or phone numbers.</li></ul><ul><li><span style="font-weight: bold;">Make your password as unique as possible. </span>Once you've settled on a good base for your password, you should go a step further and add in numbers and non-alphanumerical characters, mix in upper-case letters, or use similar-looking substitutions for parts of the password, such as "$" for "s," "1" for "l," and "0" for "o."</li></ul><ul><li><span style="font-weight: bold;">Create different passwords for different sites.</span> Doing so will help ensure that if one password is compromised, the others will remain secure. You may not be able to have a unique password for every place you visit on the web (for some of us, that would be a lot of passwords to manage), but alternating between a set of different passwords across the web and making sure all accounts that contain highly sensitive information (like email accounts or online banking accounts) have unique passwords is a good place to start.</li></ul><ul><li><span style="font-weight: bold;">Don't share your passwords with anyone.</span> Not family, not friends, not anyone. This may seem a little strict, but the reality is the more people you share your password with, the greater your chances of having that password compromised will be. Also, if you need to write your passwords down, keep them away from your computer, and never send them in emails. And if you suspect someone might have discovered one of your passwords, change it immediately. </li></ul><ul><li><span style="font-weight: bold;">Be careful how you share your information online.</span> Some online services -- such as social networking sites and gadgets that scrape information from other products -- may ask you for a password or an API key. If you choose to use these kinds of services, take a few minutes to learn more about what they do to keep your sensitive information secure. And just like sharing passwords with other people, you should be aware that sharing this information increases the chances that it could be compromised.</li></ul>Another thing that can help keep your password secure is choosing a good security question and answer on the sites that offer that option. You've probably seen this before: When you're creating an account on many sites, you will be asked to choose a question to verify your identity if you forget your password.<br /><br />Some sites will let you write in your own question; in these cases, you should make sure the Q&A you create isn't something that's easy to guess or something that your family and friends would know. Other sites will present you with a list of preset questions to choose from, such as "What is your mother's maiden name?" These kinds of questions are less secure, as they're easier for other people to guess the answer. In these cases, you should find a way to make your answer unique -- whether it's using the tips above, or by adding in other information -- so that even if someone guesses the answer, they won't know how to enter it properly.<br /><br /><a href="http://mail.google.com/support/bin/answer.py?hl=en&answer=29409">Read more</a> about choosing a good password and security question.

Does your password pass the test?

Posted by HongHai Shen, Engineer This post is the latest in an ongoing series about online safety. - Ed. One of the things I work on is pas...

Đọc thêm »

How to avoid getting hooked

<span class="byline-author">Posted by Ian Fette, Google Security Team</span><br /><span style="font-style: italic;"><br />This post is one of a <a href="http://googleblog.blogspot.com/search/label/security" id="pxk:" title="series">series</a> devoted to online security. - Ed.</span><br /><br />Millions of people have gotten "urgent" emails asking them to take immediate action to prevent some impending disaster. "Our bank has a new security system. Update your information now or you won't be able to access your account," or "We couldn't verify your information; click here to update your account." Sometimes the email claims that something awful will happen to the sender (or a third party), as in "The sum of $30,000,000 is going to go to the Government unless you help me transfer it to your bank account."<br /><br />People who click on the links in these emails may see a web page that looks like a legitimate site they've visited before. Because the page looks familiar, these people enter their username, password, or other private information on the site. What they've actually done is given an unknown third party all the information needed to hijack their account, steal their money, or open up new lines of credit in their name. They just fell for a phishing attack.<br /><br />The concept behind such an attack is pretty simple: Someone masquerades as someone else in an effort to fool you into sharing personal or other sensitive information with them. Phishers can masquerade as just about anyone, including banks, email and application providers, online merchants, online payment services, and even governments. And while some of these attacks are crude and easy to spot, many of them are sophisticated and well constructed. That fake email from "your bank" can look very real; the bogus "login page" you're redirected to can seem completely legitimate.<br /><br />The good news is there are things you can do to steer clear of phishing attacks:<br /><ul><li><span style="font-weight: bold;">Be careful about responding to emails that ask you for sensitive information.</span> You should be wary of clicking on links in emails or responding to emails that are asking for things like account numbers, user names and passwords, or other personal information such as social security numbers. Most legitimate businesses will never ask for this information via email. Google doesn't.</li></ul><ul><li><span style="font-weight: bold;">Go to the site yourself, rather than clicking on links in suspicious emails.</span> If you receive a communication asking for sensitive information but think it could be legitimate, open a new browser window and go to the organization's website as you normally would (for instance, by using a bookmark or by typing out the address of the organization's website). This will improve the chances that you're dealing with the organization's website rather than with a phisher's website, and if there's actually something you need to do, there will usually be a notification on the site. Also, if you're not sure about a request you've received, don't be afraid to contact the organization directly to ask. It takes just a few minutes to go to the organization's website, find an email address or phone number for customer support, and reach out to confirm whether the request is legitimate.</li></ul> <ul><li><span style="font-weight: bold;">If you're on a site that's asking you to enter sensitive information, check for signs of anything suspicious.</span> If you're on a site that's asking for sensitive information -- no matter how you got there -- check for the signs that it's really the official website for the organization. For example, check the URL to make sure the page is actually part of the organization's website, and not a fraudulent page on a different domain (such as mybankk.com or g00gle.com.) If you're on a page that should be secured (like one asking you to enter in your credit card information) look for "<span style="font-weight: bold;">https</span>" at the beginning of the URL and the padlock icon in the browser. (In Firefox and Internet Explorer 6, the padlock appears in the bottom right-hand corner, while in Internet Explorer 7 the padlock appears on the right-hand side of the address bar.) These signs aren't infallible, but they're a good place to start.</li></ul> <ul><li><span style="font-weight: bold;">Be wary of the "fabulous offers" and "fantastic prizes" that you'll sometimes come across on the web.</span><span style="font-weight: bold;"> </span>If something seems too good to be true, it probably is, and it could be a phisher trying to steal your information. Whenever you come across an offer online that requires you to share personal or other sensitive information to take advantage of it, be sure to ask lots of questions and check the site asking for your information for signs of anything suspicious.</li></ul><ul><li><span style="font-weight: bold;">Use a browser that has a phishing filter.</span><span style="font-weight: bold;"> </span>The latest versions of most browsers -- including <a href="http://www.mozilla.com/en-US/firefox/" id="f846" title="Firefox">Firefox</a>, <a href="http://www.microsoft.com/windows/products/winfamily/ie/default.mspx" id="jj0_" title="Internet Explorer">Internet Explorer</a>, and <a href="http://www.opera.com/" id="csp_" title="Opera">Opera</a> -- include phishing filters that can help you spot potential phishing attacks.</li></ul>All fairly simple, right? What it all comes down to is if someone asks you to share personal or other sensitive information online, take a moment to think through the request carefully. Doing so will help you stay safe online, and help us all put phishers out of business.

How to avoid getting hooked

Posted by Ian Fette, Google Security Team This post is one of a series devoted to online security. - Ed. Millions of people have gotten ...

Đọc thêm »

Working together to fight malware

<span class="byline-author">Posted by Panayiotis Mavrommatis, Google Security Team<br /></span><br /><span style="font-style: italic;">We recently began a series of posts related to online security that focus on how we secure information (with posts</span> <a href="http://googleblog.blogspot.com/2008/03/how-google-keeps-your-information.html" id="qyc5" title="like"><i id="yvab1">like</i></a> <a href="http://googleblog.blogspot.com/2008/03/using-log-data-to-help-keep-you-safe.html" id="kb5c" title="these"><i id="yvab2">these</i></a><i id="yvab3">) and how you can protect yourself online. Here's the latest in the series.- Ed.</i><br /><br />As part of this ongoing security series, we'd like to talk a little about <a href="http://en.wikipedia.org/wiki/Malware" id="lase" title="malware">malware</a>. The term malware, derived from "malicious software," refers to any software specifically designed to harm your computer or the software it's running.<br /><br />Malware can be added to your computer, with or without your knowledge, in a number of ways -- usually when you visit a website containing malware or when you download seemingly innocent software. It can then slow down your system, send fake emails from your email account, steal sensitive information like credit card numbers or passwords from your computer, and more.<br /><br />The conventional wisdom was that you could avoid malware by learning to spot sites that were created with the sole purpose of spreading it, and by staying away from other sites that might be risky. But <a href="http://googleonlinesecurity.blogspot.com/2008/02/all-your-iframe-are-point-to-us.html" id="jddj" title="recent research">recent research</a> from Google suggests that an increasing number of malware attacks are taking place on sites you'd normally regard as safe or legitimate, but have actually been compromised.<br /><br />Google works closely with the <a href="http://googleonlinesecurity.blogspot.com/2007/11/help-us-fill-in-gaps.html" id="kxrj" title="security community">security community</a> to <a href="http://googleonlinesecurity.blogspot.com/2007/05/introducing-googles-anti-malware.html" id="oe4q" title="identify">identify</a> malware on the web and then <a href="http://googleonlinesecurity.blogspot.com/2007/06/phishers-and-malware-authors-beware.html" id="qn3p" title="share">share</a> that information more broadly. We've set up a number of automated systems to scour our index for potentially dangerous sites, and we <a href="http://www.google.com/support/bin/answer.py?answer=45449&topic=360&hl=en&sa=X&oi=malwarewarninglink&resnum=1&ct=help" id="v9:q" title="add a label">add a label</a> to those that appear to be a vehicle for malware. If you're searching on Google and click on a link that we've flagged, a warning page will appear before you move forward.<br /><br />We also <a href="http://www.google.com/support/webmasters/bin/answer.py?answer=45432" id="am_8" title="notify webmasters">notify webmasters</a> if we discover that a site is no longer secure and provide a method for webmasters that <a href="http://googlewebmastercentral.blogspot.com/2008/04/my-sites-been-hacked-now-what.html" id="ubgi" title="clean up their sites">clean up their sites</a> to <a href="http://googlewebmastercentral.blogspot.com/2007/08/malware-reviews-via-webmaster-tools.html" id="bkdz" title="request a review">request a review</a>. And starting soon, we'll be providing more detail on sites that appear to be spreading malware, so users have a better sense of why we have flagged a given site and webmasters can more easily identify and correct issues on their sites.<br /><br />All this stems directly from our security philosophy: We believe that if we all work together to identify threats and stamp them out, we can make the web a safer place for everyone. Of course, we can't catch everything, so our users play a <a href="http://www.google.com/contact/security.html" id="kp-b" title="crucial part">crucial part</a> of this effort too. Below are a few tips that can help you reduce your chances of being affected by malware:<br /><ul><li><span style="font-weight: bold;">Use anti-virus software.</span> Most anti-virus software is specifically designed to find and remove harmful software on your computer. Be sure you have anti-virus software installed on your computer (you can get a free trial through <a href="http://pack.google.com/intl/en/pack_installer.html?hl=en&gl=us" id="a:vx" title="Google Pack">Google Pack</a> if you don't), keep it current, and use it to run frequent full-system checks.</li></ul><ul><li><span style="font-weight: bold;">Make sure your operating system and browser are up to date. </span><span>Attackers typically target vulnerabilities in your <a href="http://en.wikipedia.org/wiki/Operating_system" id="neqc" title="operating system">operating system</a> (OS) and your browser to install malware on your computer. OS and browser providers frequently release updates to close those vulnerabilities. Enable automatic updates for both your browser and your OS, and check for alerts to ensure you have the latest and greatest protection.</span></li></ul><ul><li><span style="font-weight: bold;">Be careful about what you download.</span> While Google and everyone else in the online community is working hard to identify harmful sites, new sources of malware are emerging all the time. Whenever you're prompted to download an email attachment, install a plug-in, or download an unfamiliar piece of software, take a moment to think it through. You won't always be able to identify a risky download, but if you practice some reasonable caution, you'll be able to reduce that risk.</li></ul>If you come across a potentially dangerous site that hasn't already been flagged, please <a href="http://www.google.com/safebrowsing/report_badware/">report it</a>. To learn more about malware and how to protect yourself, check out StopBadware.org's <a href="http://www.stopbadware.org/home/help" id="b5qc" title="tips page">help page</a>.

Working together to fight malware

Posted by Panayiotis Mavrommatis, Google Security Team We recently began a series of posts related to online security that focus on how we s...

Đọc thêm »

Making search better in Catalonia, Estonia, and everywhere else

<span class="byline-author">Posted by Paul Haahr and Steve Baker, Software Engineers, Search Quality</span><br /><br /><span id="hsbu" style="font-style: italic;">We recently began a series of posts on how we harness the power of data</span><span id="wanr" style="font-style: italic;">. <a href="http://googleblog.blogspot.com/2008/03/why-data-matters.html" id="m2px" target="_blank" title="Earlier">Earlier</a> we told you </span><i id="cmab" style="font-style: italic;">how data has been critical to the advancement of search; about using data to <a href="http://googleblog.blogspot.com/2008/03/using-log-data-to-help-keep-you-safe.html" id="cxjy" target="_blank" title="make our products safe">make our products safe</a> and to <a href="http://googleblog.blogspot.com/2008/03/using-data-to-help-prevent-fraud.html" id="thga" title="prevent fraud">prevent fraud</a>; </i><span id="i1_j" style="font-style: italic;">this post is the newest in the series. -Ed.</span><br /><br />One of the most important uses of data at Google is building language models. By analyzing how people use language, we build models that enable us to interpret searches better, offer spelling corrections, understand when alternative forms of words are needed, offer <a href="http://www.google.com/language_tools" id="zt8y" title="machine translation"><span id="q.ix">language</span> translation</a>, and even <a href="http://googleblog.blogspot.com/2007/05/search-without-boundaries.html" id="e-d4" title="suggest when searching in another language is appropriate">suggest when searching in another language is appropriate</a>.<br /><br />One place we use these models is to find alternatives for words used in searches. For example, for both English and French users, "GM" often means the company "General Motors," but our language model understands that in French searches like <a href="http://www.google.fr/search?hl=fr&q=seconde+GM" id="myy8" title="seconde gm">seconde GM</a>, it means "Guerre Mondiale" (World War), whereas in <a href="http://www.google.fr/search?hl=fr&q=STI+GM" id="yz1y" title="STI GM">STI GM</a> it means "Génie Mécanique" (Mechanical Engineering). Another meaning in English is "genetically modified," which our language model understands in <a href="http://www.google.com/search?q=GM+corn&hl=en" id="rf9x" title="GM corn">GM corn</a>. We've learned this based on the documents we've seen on the web and by observing that users will use both "genetically modified" and "GM" in the same set of searches.<br /><br /><div id="rugn"> </div> <div id="w772"> </div> We use similar techniques in all languages. For example, if a Catalan user searches for <a href="http://www.google.es/search?hl=ca&q=resultat+elecci%C3%B3+barris+BCN" id="w3e2" target="_blank">resultat elecció barris BCN</a> (searching for the result of a neighborhood election in Barcelona), Google will also find pages that use the words "resultats" or "eleccions" or that talk about "Barcelona" instead of "BCN." And our language models also tell us that the Estonian user looking for <a href="http://www.google.ee/search?hl=et&q=Tartu+juuksur" id="b8_i" title="Tartu juuksur">Tartu juuksur</a>, a barber in Tartu, might also be interested in a "juuksurisalong," or "barber shop."<br /><br />In the past, language models were built from dictionaries by hand. But such systems are incomplete and don't reflect how people actually use language. Because our language models are based on users' interactions with Google, they are more precise and comprehensive -- for example, they incorporate names, idioms, colloquial usage, and newly coined words not often found in dictionaries.<br /><br />When building our models, we use billions of web documents and as much historical search data as we can, in order to have the most comprehensive understanding of language possible. We analyze how our users searched and how they revised their searches. By looking across the aggregated searches of many users, we can infer the relationships of words to each other.<br /><br />Queries are not made in isolation -- analyzing a single search in the context of the searches before and after it helps us understand a searcher's intent and make inferences. Also, by analyzing how users modify their searches, we've learned related words, variant grammatical forms, spelling corrections, and the concepts behind users' information needs. (We're able to make these connections between searches using cookie IDs -- small pieces of data stored in visitors' browsers that allow us to distinguish different users. To understand how cookies work, <span id="ng3y" style="color: rgb(204, 0, 0);"><a href="http://youtube.com/watch?v=XfZLztx8cKI" id="e0o:" target="_blank" title="watch this video">watch this video</a><span id="i6k_" style="color: rgb(0, 0, 0);">.</span></span>)<br /><br />To provide more relevant search results, Google is constantly developing new techniques for language modeling and building better models. One element in building better language models is <a href="http://googleblog.blogspot.com/2005/08/machines-do-translating.html" id="z0.8" title="use more data">using more data</a> collected over longer periods of time. In languages with many documents and users, such as English, our language models allow us to improve results deep into the "long tail" of searches, learning about rare usages. However, for languages with fewer users and fewer documents on the web, building language models can be a challenge. For those languages we need to work with longer periods of data to build our models. For example, it takes more than a year of searches in Catalan to provide a comparable amount of data as a single day of searching in English; for Estonian, more than two and a half years worth of searching is needed to match a day of English. Having longer periods of data enables us to improve search for these less commonly used languages.<br /> <div id="j.kk"> </div> <div id="wj5b" style="margin-top: 0px; margin-bottom: 0px;"> <br /> </div> At Google, we want to ensure that we can help users everywhere find the things they're looking for; providing accurate, relevant results for searches in all languages worldwide is core to Google's mission. Building extensive models of historical usage in every language we can, especially when there are few users, is an essential piece of making search work for everyone, everywhere.

Making search better in Catalonia, Estonia, and everywhere else

Posted by Paul Haahr and Steve Baker, Software Engineers, Search Quality We recently began a series of posts on how we harness the power of ...

Đọc thêm »

A common sense approach to Internet safety

<span class="byline-author">Posted by Elliot Schrage, Vice President of Global Communications and Public Affairs</span><br /><br />Over the years, we've built tools and offered resources to help kids and families stay safe online. Our <a href="http://www.google.com/support/bin/static.py?page=searchguides.html&ctx=preferences&hl=en" id="dwzd" target="_blank" title="SafeSearch">SafeSearch</a> feature, for example, helps filter explicit content from search results.<br /><br />We've also been involved in a variety of local initiatives to educate families about how to stay safe while surfing the web. Here are a few highlights:<br /><ul id="z5gh"><li id="k:a9"> In the U.S., we've worked with <a href="http://www.commonsensemedia.org/" id="he:v" target="_blank" title="Common Sense Media">Common Sense Media</a> to promote awareness about online safety and have donated hardware and software to improve the ability of the <a href="http://www.missingkids.com/" id="mlqw" target="_blank" title="NCMEC">National Center for Missing and Exploited Children</a> to combat child exploitation. </li></ul><ul id="lfeu"><li id="yl0-">Google UK has collaborated with child safety organizations such as <a href="http://youtube.com/user/Beatbullying" id="ljia" target="_blank" title="Beatbullying">Beatbullying</a> and <a href="http://www.childnet.com/kia" id="ofy-" target="_blank" title="Childnet">Childnet</a> to raise awareness about cyberbullying and share prevention messages, and with law enforcement authorities, including the <a href="http://www.ceop.gov.uk/" id="hx.x" target="_blank" title="Child Exploitation and Online Protection Centre">Child Exploitation and Online Protection Centre</a>, to fight online exploitation. </li></ul> <ul id="rr8s"><li id="o38."> Google India initiated "Be NetSmart," an Internet safety campaign created in cooperation with local law enforcement authorities that aims to educate students, parents, and teachers across the country about the great value the Internet can bring to their lives, while also teaching best practices for safe surfing. </li></ul><ul id="x88i"><li id="ca:p">Google France launched child safety education initiatives including <a href="http://www.tousconnectes.com/" id="fv8g" target="_blank" title="Tour de France des Collèges">Tour de France des Collèges</a> and <a href="http://www.cherchenet.fr/" id="qtkk" target="_blank" title="Cherche Net">Cherche Net</a> that are designed to teach kids how to use the Internet responsibly. </li></ul> <ul id="a3h7"><li id="q5_h"> And Google Germany worked with the national government, industry representatives, and a number of local organizations recently to launch a <a href="http://www.fragfinn.de/" id="ahzr" target="_blank" title="search engine for children">search engine for children</a>. </li></ul> As part of these ongoing efforts to provide online safety resources for parents and kids, we've created <a href="http://www.google.com/familysafety" id="l_k4" target="_blank" title="Tips for Online Safety">Tips for Online Safety</a>, a site designed to help families find quick links to safety tools like SafeSearch, as well as new resources, like a video offering online safety pointers that we've developed in partnership with Common Sense Media. In the <a href="http://youtube.com/watch?v=kUyQI0USNSY" id="d.sk" title="video">video</a>, Anne Zehren, president of Common Sense, offers easy-to-implement tips, like how to set privacy and sharing controls on social networking sites and the importance of having reasonable rules for Internet use at home with appropriate levels of supervision.<br /><br />Users can also download our new <a href="http://services.google.com/blog_resources/google_family_safety_guide.pdf">Online Family Safety Guide</a> (<span style="font-size:85%;">PDF</span>), which includes useful Internet Safety pointers for parents, or check out a quick <a href="http://kids.getnetwise.org/tools/searchsafe/google-search" id="g.-a" target="_blank" title="tutorial">tutorial</a> on SafeSearch created by one of our partner organizations, GetNetWise.<br /><br />We all have roles to play in keeping kids safe online. Parents need to be involved with their kids' online lives and teach them how to make smart decisions. And Internet companies like Google need to continue to empower parents and kids with tools and resources that help put them in control of their online experiences and make web surfing safer.<br /><br /><object height="355" width="425"><param name="movie" value="http://www.youtube.com/v/kUyQI0USNSY&hl=en"><param name="wmode" value="transparent"><embed src="http://www.youtube.com/v/kUyQI0USNSY&hl=en" type="application/x-shockwave-flash" wmode="transparent" height="355" width="425"></embed></object>

A common sense approach to Internet safety

Posted by Elliot Schrage, Vice President of Global Communications and Public Affairs Over the years, we've built tools and offered resou...

Đọc thêm »

Using data to help prevent fraud

<span class="byline-author">Posted by Shuman Ghosemajumder, Business Product Manager for Trust & Safety</span><br /><br /><span style="font-style: italic;">We recently began a series of posts on how we harness the power of data</span><span style="font-style: italic;">. <a href="http://googleblog.blogspot.com/2008/03/why-data-matters.html" target="_blank" title="Earlier">Earlier</a> we told you </span><i style="font-style: italic;">how data has been critical to the advancement of search technology</i><span style="font-style: italic;">. <a href="http://googleblog.blogspot.com/2008/03/using-log-data-to-help-keep-you-safe.html" target="_blank" title="Then">Then</a> we shared how we use log data to help make Google products safer for users. This post is the newest in the series. -Ed.</span><br /><br />Protecting our advertisers against click fraud is a lot like solving a crime: the more clues we have, the better we can determine <a href="http://adwords.blogspot.com/2007/02/invalid-clicks-googles-overall-numbers.html" id="v4:f" title="which clicks to mark as invalid">which clicks to mark as invalid</a>, so advertisers are not charged for them.<br /><br />As we've mentioned before, our <a href="http://adwords.blogspot.com/2007/02/meet-click-quality-team.html" id="v3:6" title="Click Quality team">Ad Traffic Quality team</a> built, and is constantly adding to, our <a href="http://adwords.blogspot.com/2007/02/invalid-clicks-googles-overall-numbers.html" id="uta7" title="three-stage system">three-stage system</a> for detecting invalid clicks. The three stages are: (1) proactive real-time filters, (2) proactive offline analysis, and (3) reactive investigations.<br /><br />So how do we use logs information for click fraud detection? Our logs are where we get the clues for the detective work. Logs provide us with the repository of data which are used to detect patterns, anomalous behavior, and other signals indicative of click fraud.<br /><br />Millions of users click on AdWords ads every day. Every single one of those clicks -- and the even more numerous impressions associated with them -- is analyzed by our filters (stage 1), which operate in real-time. This stage certainly utilizes our logs data, but it is stages 2 and 3 which rely even more heavily on deeper analysis of the data in our logs. For example, in stage 2, our team pores over the millions of impressions and clicks -- as well as conversions -- over a longer time period. In combing through all this information, our team is looking for unusual behavior in hundreds of different data points. <a href="https://adwords.google.com/support/bin/answer.py?answer=6322" id="r4u0" title="IP addresses"><br /></a><br /><a href="https://adwords.google.com/support/bin/answer.py?answer=6322" id="r4u0" title="IP addresses">IP addresses</a> of computers clicking on ads are very useful data points. A simple use of IP addresses is determining the source location for traffic. That is, for a given publisher or advertiser, where are their clicks coming from? Are they all coming from one country or city? Is that normal for an ad of this type? Although we don't use this information to identify individuals, we look at these in aggregate and study patterns. This information is imperfect, but by analyzing a large volume of this data it is very helpful in helping to prevent fraud. For example, examining an IP address usually tells us which ISP that person is using. It is easy for people on most home Internet connections to get a new IP address by simply rebooting their DSL or cable modem. However, that new IP address will still be registered to their ISP, so additional ad clicks from that machine will still have something in common. Seeing an abnormally high number of clicks on a single publisher from the same ISP isn't necessarily proof of fraud, but it does look suspicious and raises a flag for us to investigate. Other information contained in our logs, such as the browser type and operating system of machines associated with ad clicks, are analyzed in similar ways.<br /><br />These data points are just a few examples of hundreds of different factors we take into account in click fraud detection. Without this information, and enough of it to identify fraud attempted over a longer time period, it would be extremely difficult to detect invalid clicks with a high degree of confidence, and proactively create filters that help optimize advertiser ROI. Of course, we don't need this information forever; last year we started <a href="http://googleblog.blogspot.com/2007/03/taking-steps-to-further-improve-our.html" id="yu6a" title="anonymizing server logs">anonymizing server logs</a> after 18 months. As always, our goal is to balance the utility of this information (as we try to improve Google’s services for you) with the best privacy practices for our users.<br /><br />If you want to learn more about how we collect information to better detect click fraud, visit our <a href="http://www.google.com/adwords/adtrafficquality/" id="bwg:" title="Ad Traffic Quality Resource Center">Ad Traffic Quality Resource Center</a>.

Using data to help prevent fraud

Posted by Shuman Ghosemajumder, Business Product Manager for Trust & Safety We recently began a series of posts on how we harness the po...

Đọc thêm »

Using log data to help keep you safe

<span class="byline-author">Posted by Niels Provos, Google Security Team</span><br /><br /><span style="font-style: italic;">We recently began two new series of posts. The first, which explains how we harness data for our users, started with <a href="http://googleblog.blogspot.com/2008/03/why-data-matters.html" id="wkxh" title="this post">this post</a>. The second, focusing on how we secure information and how users can protect themselves online, </span><a href="http://googleblog.blogspot.com/2008/03/how-google-keeps-your-information.html" id="b3rt" style="font-style: italic;" title="began here">began here</a>. <span style="font-style: italic;">This post is the second installment in both series.- Ed.</span><br /><br />We sometimes get questions on what Google does with server log data, which registers how users are interacting with our services. We take great care in protecting this data, and while we've talked previously about <a href="http://googleblog.blogspot.com/2008/03/why-data-matters.html" id="gjr1" title="some of the ways">some of the ways</a> it can be useful, something we haven't covered yet are the ways it can help us make Google products safer for our users.<br /><br />While the Internet on the whole is a safe place, and most of us will never fall victim to an attack, there are more than a few threats out there, and <a href="http://googleblog.blogspot.com/2008/03/how-google-keeps-your-information.html" id="syc9" title="we do everything we can">we do everything we can</a> to help you stay a step ahead of them. <span style="background-color: rgb(255, 255, 255);">Any information we can gather on how attacks are launched and propagated helps us do so. </span><br /><br />That's where server log data comes in. We analyze logs for anomalies or other clues that might suggest malware or phishing attacks in our search results, attacks on our products and services, and other threats to our users. And because we have a reasonably significant data sample, with logs stretching back several months, we're able to perform aggregate, long-term analyses that can uncover new security threats, provide greater understanding of how previous threats impacted our users, and help us ensure that our threat detection and prevention measures are properly tuned.<br /><br />We can't share too much detail (we need to be careful not to provide too many clues on what we look for), but we can use historical examples to give you a better idea of how this kind of data can be useful. One good example is the <a href="http://www.citi.umich.edu/u/provos/papers/search_worms.pdf" id="ujjv" title="Santy search worm [PDF]">Santy search worm</a> (PDF), which first appeared in late 2004. Santy used combinations of search terms on Google to identify and then infect vulnerable web servers. Once a web server was infected, it became part of a <a href="http://en.wikipedia.org/wiki/Botnet" id="or.e" title="botnet">botnet</a> and started searching Google for more vulnerable servers. Spreading in this way, Santy quickly infected thousands and thousands of web servers across the Internet.<br /><br />As soon as Google recognized the attack, we began developing a series of tools to automatically generate "<a href="http://en.wikipedia.org/wiki/Regular_expression">regular expressions</a>" that could identify potential Santy queries and then block them from accessing Google.com or flag them for further attention. But because regular expressions like these can sometimes snag legitimate user queries too, we designed the tools so they'd test new expressions in our server log databases first, in order to determine how each one would affect actual user queries. If it turned out that a regular expression affected too many legitimate user queries, the tools would automatically adjust the expression, analyze its performance against the log data again, and then repeat the process as many times as necessary.<br /><br />In this instance, having access to a good sample of log data meant we were able to refine one of our automated security processes, and the result was a more effective resolution of the problem. In other instances, the data has proven useful in minimizing certain security threats, or in preventing others completely. In the end, what this means is that whenever you use Google search, or Google Apps, or any of our other services, your interactions with those products helps us learn more about security threats that could impact your online experience. And the better the data we have, the more effectively we can protect all our users.

Using log data to help keep you safe

Posted by Niels Provos, Google Security Team We recently began two new series of posts. The first, which explains how we harness data for ou...

Đọc thêm »

How Google keeps your information secure

<span class="byline-author">Posted by Douglas Merrill, VP of Engineering</span><br /><br />As many of you know, we spend a lot of time around here thinking about new products to help you run your life more efficiently, whether that’s organizing email in a better way, sharing pictures with friends, or collaborating in real time on documents. What you may not know is that we also spend a lot of time thinking about the security that goes into those products, and more specifically the ways we can protect you and your private information.<br /><br />While the chances are that you'll never have a security problem, we take security very seriously, and that's why we have some of the best engineers in the world working here to secure information. Much of their work is confidential, but we do want to share some of the ways we're protecting your data. There are a few things you should know about how we handle confidential information:<br /><ul><li><b>Philosophy:</b> First is our <a href="http://www.google.com/corporate/security.html" id="j192" title="philosophy">philosophy</a>. At Google, security is a continuous process. We don't just "check" a product for security before we launch it -- we are thinking about security before the product is even created, and we are building it in throughout the product's development. Also critical is our belief in layered protection. It's much like securing your house. You put your most private information in a safe. You secure the safe in your house, which is protected with locks and possibly an alarm system. And then you have the neighborhood watch program or the local police monitoring your neighborhood. It's very similar at Google. Our most sensitive information is difficult to find or access (the safe). Our network and facilities (the house) are protected in both high- and low-tech ways: encryption, alarms, and other technology for our systems, and strong physical security at our facilities. And finally, we've learned that when security is done right, it's done best as a community (the neighborhood); we encourage everyone to help us identify potential problems and solutions. Researchers who work at security and technology companies all over the world are constantly looking for security problems on the Internet, and we work closely with that community to find and fix potential problems.</li></ul><ul><li><b>Technology: </b>These layers of protection are built on the best security technology in the world. While we employ products developed by others in the security community, we build a lot of our security technology ourselves. Some of the most innovative components of our security architecture focus on automation and scale. These are important to us because we're handling searches, emails, and other activities for millions of users every day. To keep our security processes a step ahead, we automate the way we test our software for possible security vulnerabilities and the way we monitor for possible security attacks. We're also constantly seeking more ways to use <a href="http://en.wikipedia.org/wiki/Encryption" id="o7ve" title="encryption">encryption</a> and other technical measures to protect your data, while still maintaining a great user experience.</li></ul> <ul><li><b>Process:</b> In addition to technology, we have a set of processes that dictate how we secure confidential information at Google and who can access it. We carefully manage access to confidential information of any sort, and very few Googlers have access to what we consider very sensitive data. This is in no small part because there's very little reason for us to provide that access -- most of our processes are automated, and don't require much human intervention. Of course, the limited number of people who are granted access to sensitive data must have special approval. And while we hold ourselves to a very high standard, we also work to ensure that our processes meet (and in many cases exceed) industry standards. These include audits for <a href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_public_laws&docid=f:publ204.107" id="uask" title="Sarbanes-Oxley">Sarbanes-Oxley</a>, <a href="http://en.wikipedia.org/wiki/SAS_70" id="uc6_" title="SAS 70">SAS 70</a>, <a href="https://www.pcisecuritystandards.org/" id="czo3" title="PCI (payment card industry) compliance">PCI (payment card industry) compliance</a>, and more. By working with independent auditors, who evaluate compliance with standards that hold hundreds of different companies to very rigorous requirements, we add another layer of checks and balances to our security processes.</li></ul> <ul><li><b>People: </b>The most important part of our approach to security is our people. Google employs <a href="http://www.eweek.com/c/a/Security/The-15-Most-Influential-People-in-Security-Today/1/" id="d4xl" style="background-color: rgb(255, 255, 255);" title="some of the best and brightest"><u>some of the best and brightest</u></a> security engineers in the world. Many of our engineers came from very high-profile security environments, such as banks, credit card companies, and high-volume retail organizations, and a large number of them hold PhDs and patents in security and software engineering. As you can imagine, our engineers are smart and curious and are on the lookout for security anomalies and best practices in the industry. Our engineers have published hundreds of academic papers on technically detailed topics such as <a href="http://research.google.com/archive/provos-2008a.pdf" id="x:h7" title="drive-by downloads installing malware">drive-by downloads that install malware</a> (PDF file) or <a href="http://taviso.decsystem.org/virtsec.pdf" id="plvy" title="hostile virtualized environments">hostile virtualized environments</a>. (You can find some of these papers <a href="http://research.google.com/pubs/papers.html#category14" id="to:9" title="here">here</a>.) What's more, we cultivate a collaborative approach to security among all of our engineers, requiring everyone to pass a coding style review (which enables us to control the type of code used here and how it's used in order to prevent software problems) and ensuring that all code at Google is reviewed by multiple engineers so that it meets our software and security standards.<br /></li></ul>And throughout the company, we use our own products. That means we protect your information with the same security that we use to protect our own company emails and documents. And while we continue to innovate with our products, we'll also continue to innovate in the world of security. For more on our approach to security, visit our <a href="http://www.google.com/corporate/security.html" id="b:bc" title="security and product safety site">Security and Product Safety page</a>.

How Google keeps your information secure

Posted by Douglas Merrill, VP of Engineering As many of you know, we spend a lot of time around here thinking about new products to help you...

Đọc thêm »