Transcript

[00:00:01] Rachid Finge: Welcome back to the Made by Google Podcast. I'm your host, Rachid Finge, and it's a pleasure to bring you behind the scenes of the teams at Google that work on our devices and services. I still think a lot about the conversation we had with Isaac Reynolds last time out. And I can honestly tell you that I don't look at my pixel camera quite like I used to, especially now that I know we fuse multiple lenses to get better results or how speech enhancements is actually a whole comprehensive suite of A.I. to get it working. If you missed any of this, be sure to subscribe to our podcast and check out the previous episode because Isaac is amazing, as is the pixel camera. But for today though, we're moving our focus to something else, and that is security. We all live on our phones these days, so that makes security on your mobile device ever more important. Sure enough, there's a lot you as a user can do to be more secure online. But what's Google’s part in this? What are things you're thinking about when you work on Android or the chips inside your pixel phone? Questions like that. We'll ask our guests and they know all about these topics. So let's welcome them to our podcast, Jesse Seed, who is a group product manager of silicon security, and Rae Wang, director of Android Security and Privacy Compliance. Jesse and Rae, welcome to the Made by Google Podcast.

[00:01:19] Jesse Seed: Hey Rashid Rae Wang: Thank you for having us here.

[00:01:22] Rachid Finge: It's so great to meet you . I think would be great just to understand your job titles a little bit better. Let's start with you, Rae. You're a director of Android Security Privacy Compliance. What's that?

[00:01:32] Rae Wang: Well, that pretty much means that I'm a security and privacy nerd. safeguarding Android. In my day to day work, I lead a team of very talented program managers, and we constantly watch out for customer feedback, industry trends, security research, and then we translate them into platform enhancements to make Android more secure. We work closely, of course, with Jesse, whose team is our hardware partner, and it is our joint mission to help all the users feel safe on the Android devices and outside of work at home. I am also and advocater for Android. I have a 14 year old daughter who has a pixel phone and is starting to develop her first app in Android studio.

[00:02:11] Rachid Finge: Oh, wonderful. You must be very proud having your own developer run around in the house. That's great. And we'll get to all the Android questions as well. And then, Jessie, so you work on the silicon team, powers a lot of the helpful experiences on our pixel devices. But how is your role then different from Rea’s?

[00:02:26] Jesse Seed: Yeah, so we, we definitely share the mission of protecting user’s data. And so our team operates a little bit deeper in the stack as the in-house chip provider for made by Google products, we're responsible for building security deeply into the silicon itself and the low level firmware. And so those would include the tensor mobile processors, the tensor with pixel six and tensor G2 and the titan security chips which go into pixel phones and beyond. So we're thinking in a longer sort of time frame, if you like, the development cycle for silicon is quite long, so we have to sort of predict the future further out on what the industry is going to look like out then, what attacks are going to look like farther out in the future.

[00:03:09] Rachid Finge: Today's guests dedicate their lives to keeping millions and millions of people secure online. They do that from different fields. One primarily works on software, while the other works on hardware. But together they defend Made by Google devices like castles. Our guests play high tech cat and mouse games with hackers and attackers. So you and I don't have to. Let's find out more about the work they do to keep all of us safe. Please welcome Rae Wang from the Android Security and Privacy Team and Jesse Seed from our silicon team. I can't resist. I just have to ask, when we talk about mobile security, a lot of people want to know how real is the threat? Should I be worried if I'm a consumer? Is there any big__ worry that I should look out for in general? What do you think?

[00:03:58] Rae Wang: Well, as you know, Google has a lot of products ranging from phones to search to email. So we protect billions of users across all of these products. And that gives us a very interesting and unique viewpoint into the ever evolving threat landscape. One major change over the last few years we've seen is that your smartphones have become really powerful. They basically mini computers at this point, and we rely on phones to do a lot more things like banking, shopping, communications and so on. So the cybercriminals have also noticed that, and they shifted their interest from the PCs to mobile devices. And now as a result, the attacks through phones have been on the rise. So some recent threats we've seen include, you know, toll fraud, phishing, spyware, attacks on memory vulnerabilities. And we've seen the number of these attacks pick up on your phone, especially in the last couple of years during the pandemic, as people spend more time online.

[00:04:50] Jesse Seed: Really interestingly, in addition to the rise in remote attacks, software based attacks that Rae mentioned, we're also seeing interest and accessibility of attacks on device hardware and also those class of attacks that require specialized hardware to mount. In both cases, we're seeing more of those, and that tells us that we likewise need to be investing and increasing our defenses in hardware in low level firmware year over year.

[00:05:16] Rachid Finge: So now I'm wondering what is Google doing to protect me in terms of mobile security? I mean, I know you want me as a user to use a great password and probably enable something like two factor authentication. What is it that Google does to keep me safe?

[00:05:29] Rae Wang: So there is a set of security principles that we carry across all off the Google products, for example, secure by default, private by design for doing control and defense in depth. Your mobile phone is actually not a single product. It's it's the result of multiple layers of products from the network to the hardware to operating system, then to applications and user experience. And we apply these security principles consistently to to make sure there is verifiable protection across all of these layers. Another important principle that we implement in recent years throughout is protected computing. For example, you have private compute call, which helps isolate your apps data from the network and keeps it on a device only. And then finally the secure element which isolates sensitive information such as keys. Being a dedicated hardware enclave. So that's a very good example that shows the same security principles carried across all the layers of your phone experiences.

[00:06:27] Rachid Finge: So let's talk about those layers or I also I think, yes, you call it the stack, right? We want we want to be secure on the stack. So I guess what is on the stack? What does that even mean?

[00:06:37] Jesse Seed: We say that we have verifiable protections in each layer. So we're talking about these layers. There's many different sort of layers that we may be referencing here. But broadly speaking, we've got the network layer where your data goes from device to a backend, or indeed from a device to another device. We've got the application layer where the apps live. We've got the operating system and then we have sort of multiple layers of protections in the firmware and system firmware and the silicon itself. And I'd like to talk a little bit about why layers are so important when we're talking about security.

[00:07:10] Rachid Finge: Sure.

[00:07:10] Jesse Seed: And it goes back to a term that Rae just mentioned, which is defense in depth. And I think the easiest way to understand defense in depth is to use an analogy. And the analogy that I like to use is that of a castle. So if you designing a castle first, you would want to think about all the ways that the enemy would try to attack you. Right. Would try to breach the castle. So they might come on foot, they might come on horse, they might have catapults that flaming cannonballs over tall walls. And from there, once you've thought about how they'd attack you, you then begin to design protections, defenses against those attacks. So you might install a moat and you might install a drawbridge that retracts, because, of course, you still have to get in and out of the castle for valid reasons. Right? You would build very, very tall walls with thick, thick stone. And then in the corners of the walls you would install turrets so that your archers could fire arrows down below. And then within the castle itself you build additional perimeters of walls, etc. And at the very, very center where you had your most valuable assets in this case, say, the king and queen or the crown jewels, those you would put in the keep and the key would be sort of the most defended place in the entire castle. I would be heavily guarded. And so that would be the thing where you'd have to penetrate many, many, many different layers of defenses before you could get to those crown jewels. And that's exactly the same way that we build secure systems. So we start from what we call a threat model for the platform. And the threat model is really thinking like an attacker. First we list down all the assets we have to protect and then we think about the methods that we would use if we were the attacker to compromise those assets, sort of one by one, whether it be exfiltration, which is the process of taking something out of the system or, destroying those assets, compromising them in some other way that makes them unusable. And after we have our threat model in place, we then begin to build our defenses, those layers of protection. And so protection can be defined as in the case of digital systems confidentiality, which is we want to keep something secret. Usually, you know, in our cases things like user data or confidential enterprise data, for example, integrity, which means keeping that in sound or intact. And then availability. Availability is one that isn't talked about quite as much, but this is very important. Availability means that we want you to be able to access, say, a backend service, access an app, access a service on the chipset. So once we've defined what protection we need on a particular asset confidentiality, integrity and or availability, it could be one or all three. We then begin to build different defenses out. And why defense in depth? Why is that important? Just like with a castle, we want to avoid single points of failure, particularly for the most valuable asset. That is we want to make it more costly and more time required to invest to exploit those assets, especially the ones that are our crown jewels, are things in the center of the castle. And so finally on this, we also have to, of course, keep in mind that you have to balance utility with security and be very easy, right, to build a secure castle. All you're doing is, you know, encasing everything in solid stone and there is no ingress and egress. But that's not a very practical castle. So you still have to be able to do what you need to do with your system. You still need to be able to run cool apps and have a functional phone while maintaining the security. So that's quite a tricky thing. And that's why, again, those layers are helpful because we build more protection on the things that are really quote unquote at the center. And then we have more flexible protection for places where we need we need to do things functionally.

[00:10:38] Rachid Finge: What I like about the castle analogy is that it makes it so insightful of, you know, what we're trying to do when it comes to your mobile phone. But I guess I don't know any castle owners, but I guess they sometimes probably also faced attacks that they didn't really think of and they were like, Oh gosh, I wish I had done this and this to protect my castle. Have you ever encountered something like that? And what do you do to protect the system, I guess, from attacks that we didn't think of yet?

[00:11:05] Rae Wang: It's like a real castle. The structure is there, but a continued affairs is also important. Right? So even though we built a very solid foundation, kind of. Hardware and software. And we know it's like hackers are smart as well. They keep looking for new ways to try things. And that they have a community of workers who they work with as well, so we have teams in Google that we, you know, work closely with the security community. We look at the latest threats. We listen to some of the hacker communities. We get telemetry from kind of the services and devices and look for new threat trends that, you know, we haven't seen before. And when we discover those, again, we kind of work with the community to respond to them, figure out a solution, get those tested, get those verified by security researchers and put them in a platform and quickly ship those out as security updates. That's another reason why, you know, when you see those security updates pop up on your phone, please install them. They usually are there to address the latest of download abilities that are being discovered. So once your phone's patched and your castle is safe, you can go back to, you know, enjoy your dances and opera, you know, until then, you have to be on a guard. And so we try to put these defenses for you as quickly as possible, as long as you follow the security updates and apply those your castle is safe.

[00:12:17] Jesse Seed: So one of the ways we adapt to that as by building flexibility into the foundation. So let's say that you had an attack that you didn't plan for. Maybe you can't immediately mitigate that attack by stopping it. You couldn't block the attack. But guess what you can do? You can at least have it isolated to one particular portion of the system, and that's something that hardware can do very well. It can hem in the attack and prevent it from causing sort of more harm, more widespread harm.

[00:12:41] Rachid Finge: I'm just starting to think, Rae and Jesse, that, you know, together you've probably built over 2 billion castles. Now, what is that like? Like, you know, there's a lot of responsibility on all the security teams, I guess, at Google, you know, at keeping people secure. That's to me. But I don't know a lot about the field, but it sounds pretty stressful in a way. Is it or it doesn't that work that way?

[00:13:02] Rae Wang: Yeah, it is. It is pretty stressful. And, you know, as you know, hackers work around the clock. They don't just sign off at the end of the day when we need to go out, go to our family, hackers their still there online. So, you know, we have teams in Google that watch for these threats and act on them right away, kind of around the clock. We have, you know, ankle rotations and all that. So at any time in a day, you always have somebody who's awake and watching for those threats and help defend your castle. So from first report to full resolution to rolling off updates, kind of really watching for that whole process to make sure that they execute it consistently. And as you can imagine, every update, every new security feature that we roll out impacts a few billion devices. So it cannot be taken lightly. Because of that we need to kind of understand the world far beyond our own daily lives, right? From regulations in Europe to manufacturers in Asia to new actions in India and the values and tradeoffs we're putting in a product, decisions need to make sense to all of them and need to not break anything. So every single change requires a tremendous amount of communication, coordination with our partners to ensure that all of the users are taken care of. Without our work, the only way we can do get a little sleep and keep a little sanity is to work together as a team, supporting each other and try to keep a little humor.

[00:14:16] Rachid Finge: Yeah, I guess that must be very important to keep everything going. Jesse, anything to add there?

[00:14:20] Jesse Seed: Yeah, it definitely is stressful, but it can also be kind of exhilarating because it's a bit of a cat and mouse game, right? Like the bad guys are doing that, bad actors are doing something and you're trying to catch up. And it is also really exciting when you're able to find a way to patch the vulnerability and to push that out. So indeed our work can be really stressful. There's a lot of responsibility on our shoulders, but it's also can be really fun.

[00:14:42] Rachid Finge: Now, Jesse, in the castle that is pixel, so we have something amazing to keep us secure and it is called Titan. But why does it matter? And what does it do in our castle?

[00:14:52] Jesse Seed: Yes. So a bit of history. So the Titan Security Chip debuted in 2017 and started from actually from cloud. So it designed as the root of trust, the hardware root of trust for our data center cards. And then later it was adopted into Chromebooks as a Titan C variant and finally into Pixel in 2018 with the Titan M.

[00:15:14] Rachid Finge: So M is Mobile and the C is Chromebooks.

[00:15:15] Jesse Seed: You go It. We are very creative with our naming as per usual, very creative. And last year we introduced the Titan M 2 and that was a full redesign of the chip from the ground up and that was introduced the Pixel 6 series last year and we used it again in the Pixel 7 for this year. What makes Titan unique is that it's designed and owned by Google and it's designed from by us from the ground up. And we even designed the manufacturing flow for the provisioning of the keys in a factory. We keep an eye and monitor that process. And so we had really A keep make it very secure, but also tailor it to the needs of our systems and our users. And importantly, we can push software updates rapidly if a compromise were to be found. And that's not always something that's easy to do with off the shelf components. We own this thing, you know, end to end, and so we can adapt if anything were to be compromised.

[00:16:06] Rachid Finge: Right it means like that part of Castle we built ourselves from A to Z. If there's something broken, we are not waiting for, any sort of, I don't know, a plumber or maybe someone else who comes fix things. We can all control it ourselves.

[00:16:18] Jesse Seed: Exactly. And as you already alluded to, the reason the Titan ship is so important is its function in the system. So it hardens to critical functionalities, user data protection and system integrity. And it does so in ways that are either very difficult or even nearly impossible to do without the use of a high assurance security chip. So first off, Titan guards access to user data, encryption keys. So these are the keys that are used actually on the either phone or the Chromebook or whatever the case may be to encrypt all that data that's sitting there in storage. And so, for example, in the case of a Chromebook, even if a hacker had your hard drive, they'd remove your hard drive from your device and they had your password. It would not be able to decrypt your data on a different device. Titan also provides protection from brute force password attempts. A brute force password attack is when an attacker will just try millions of different combinations of a pin or password, you know, over the course of time to try to just eventually try to guess. Right. And so Titan protects against that by enabling things like back off timers and other protection so that it takes the attack from being, you know, something that maybe would happen in a number of hours to something that's going to take, you know, exponentially longer, years in some cases, and finally protects against emulation attacks by employing something like two factor authentication. And the other important function that Titan provides is cryptographic services to other apps in the system through Android Strongbox APIs. For example, a banking or enterprise app can opt to use Strongbox Key and APIs for signing or Key Generation. And that's a really powerful feature because those functions now come from the highest assurance component in the platform. So kind of in summary, why is it important? So, you know, going back to our castle analogy. Titan is important because it protects the crown jewels and it does so very effectively.

[00:18:10] Rachid Finge: It sounds almost to me like, you know what, I'll just go out and buy a pixel. I sit back and you do all the security work. I mean, isn't that what it is then, right?

[00:18:19] Rae Wang: Yeah, kind of. So we want to do all the work so you can just have fun. Enjoy your castle. Look at the beautiful views. And we do it in a number of ways, right? First off, there are many places where the right thing to do is obvious. And in those places, we just default to two to secure a setup. So you don't even have to worry about it. We just take care of it under the cover, for example, keeping data encrypted and automatically wiping your clipboard history. And those are just good things. We do them by default. There are also other places where you probably want to take a look and know what's going on and make a decision and make your own tradeoffs. And in those places, we make sure that we give you the accurate and actionable data so you don't have to go look for them. And then everything's at a glance. Is it understandable? For example, you know, the security center is a central hub and shows you all of your security and privacy status and then it provides clear steps for you to improve your protection from their onwards.

[00:19:10] Rachid Finge: Now, Jesse and Ray, we have something in the Made by Google podcast that we like to call made by numbers, where we ask our guests to bring a number that's important in the work they do or in development they do. So I'm wondering, what's the number you brought for us for this episode? I think, Rae, you have the number with you.

[00:19:28] Rae Wang: Yes, I brought a big number. Hopefully it's impressive. The number is 1.5 billion.

[00:19:36] Rachid Finge: That's larger than Isaac had. He had only one third of that.

[00:19:39] Rae Wang: So we won it.

[00:19:42] Rachid Finge: Defenetly. So why 1.5 billion?

[00:19:43] Rae Wang: Okay. So let's talk about a number to understand it. Let's talk about phishing. Phishing happens when an attacker uses fraudulent data to trick a user to reveal sensitive information such as, you know, their password, the keys to Social Security numbers and so on. A long time ago when I first started, there was, you know, emails and websites. So that's where it got started. But in recent years, we've are been like text messaging each other a lot. So messaging has become another popular attack surface and that, you know, when attackers send you a text they can get you to basically sort of text to click on a link or download an app and therefore get you exposed to those vulnerabilities. To combat this, Google Messengers now detects and warns users about these type of spam and dangerous messages. Now, 1.5 billion times per month is how often this protection is used. And there's my number.

[00:20:38] Rachid Finge: That is a lot of people you're protecting then. Or a lot of attempts you're just blocking. That is great that's Made by Numbers for this episode 1.5 doing let's see if someone comes with a much larger number next time or they maybe go the other direction and keep it very small. Now, just, Jesse and Rae, since you're so knowledgeable about security and work in the field, I guess you see more threats than most of us listening today. What worries you personally when it comes to security?

[00:21:04] Rae Wang: One thing that worries me, I think about it a lot is how to make security more inclusive. Today, the users who have the most protection are people like us. We're tech savvy and we live in developed countries.

[00:21:16] Rachid Finge: Right.

[00:21:17] Rae Wang: Users like that have the most advanced devices and they understand how to take advantage of all the security features. But what about the older generations like our parents who didn't grow up with tech? Using a phone was kind of still new to them. Are those who live in developing countries with lower end devices and low data bandwidth and very different cultural norms, we need to keep them in our design thinking and make sure that they're not left behind because ultimately security and privacy should be available to all.

[00:21:43] Rachid Finge: I wanted to talk a little bit more about those layers of security and a little bit more about what we call verifiably secure. Maybe it's almost a philosophical question, but you know, who verifies it? And then when is it verified? How does that even work?

[00:21:57] Jesse Seed: Yeah. So when we say verifiably secure, we're speaking in general to the myriad efforts that we've taken to certify, evaluate, formally, prove and open our solutions for security audit. And there's many things to talk about here, but one of that I'd like to focus on is a major achievement for us this year with the Titan M2. So we actually achieved for the first time ever, common criteria certification on Titan M2. And it's under protection profile 84, which is really the gold standard for hardware security components. And we evaluated both the hardware and the low level cryptographic library. And this certification is a very big deal because it's the same one that's used in the industry by SIM card providers. Those little cards, those cards that are in our bank cards. Right. And our credit cards and even in our passports. That protection profile was established and is sort of the bar excellence of what it means to be a really robust hardware component. And the center of excellence for these type of evaluations and indeed the development of hardware security in general in many ways is really the EU. Yeah. So we worked with the Netherlands scheme, which is the Netherlands certifying body. And as part of the certification, you work with an accredited lab to actually do the technical analysis and then submit those results to the certifying body. And the lab that we worked with for the certification is SGS Bright Side, who is an internationally accredited security lab, also based out of Europe. And it took us over three years, this first time to get through the certification. And the reason it took us so long is that it's not just about evaluating the chip hardware and the low level firmware, but this certification also looks at the entire development lifecycle of the product. So everything from how you develop the design and how you're securing that process all the way through to a manufacturing. So even the fab and assembly sites are included as part of this evaluation. And that means that not only did we really prove that our hardware was robust, but also that it actually made our entire development process on the ship more secure because we could make improvements through all of this evaluation. We'd get feedback and we'd fix things and sort of, you know, moving the ball forward, progressing that way. And so we're really pleased that we were able to reach the highest level for vulnerability assessment that they have as part of this protection profile, which means that we're that the Titan M2 hardware is resilient to what they call advanced methodical attacks. So verifiably secure means many things. And this is kind of a big example this year for us of how we are really leaning into that verifiability.

[00:24:40] Rachid Finge: So sounds like Pixel seven is the most secure pixel to date from Google, right? Great achievement. Congratulations on that. I wanted to switch gears a little bit and, you know, talk about the Web and browsing, I guess, you know, if there weren’t the Internet, it will be easier, of course, to keep our phone secure. But it is there and we need to open the castle once in a while to go out and visit a website and do stuff. But how do you keep browsing data private? Because that also sounds like something criminals might be after. What else can you do to help me there?

[00:25:12] Rae Wang: Right. Everyone's warning you to open your castle door and send out your carruages. So when your data leaves your phone, it's certainly, you know, it can be vulnerable to the many listeners on the Internet. Right, who can then try to steal your secret information. And we want to make sure that, you know, data is safe in transit as well. And the couple of tools we developed in recent years to help with that. First, as some of you may already know, that one good security practice for sensitive communication is using a VPN, a virtual private network. What it does is that it helps encrypt your network traffic and mask your original IP addresses. And a second interesting fact that many of you might not know, like we live in a world of 4G and 5G, right? Those are very secure, well-developed connections. However, your phone's communication can still be compromised through unsafe connections such as 2G. Cell towers can actually ask your phone and to say, hey, let's connect in 2G because I can’t do 4G. And that is a connection that has very weak encryption and authentication. So that makes you vulnerable and now in Android we have a setting that allows you to disable 2G connections and this is a security best practice that's being applauded by the EFF, the Electronic Frontier Foundation. They're saying that all cell phones should really recommend this is something that users do.

[00:26:27] Rachid Finge: That is really interesting to know that, you know, 5G faster for sure, but it's also more secure than 2G that I think was developed maybe 40, 50 years ago. This is also a question I have to ask. So I think most people listening probably know that Android is open source. So you probably think anyone can check the source code, including the bad people, find errors in the code and then abuse it. So how is that still secure? How does it work.

[00:26:52] Jesse Seed: Yeah, this is a great question. So first off, I just want to acknowledge that open source software has been really great for innovation and levelling the playing field between small and large players and has contributed to really enable the growth of these incredible ecosystems around Android, Chrome and other open source. But indeed we do believe that it's also great for security. And so there's a few main reasons that I'll go through of why, why you can have a system that's both open and secure. The first is a principle that we use and secure system design as a principle or saying, if you like, which is no security by obscurity or no security through obscurity. And what that means is if the primary mechanism that you're relying on to keep your system secure is hiding the assets, hiding or obscurity, you really haven't done a very good job there because it's just a matter of time before that thing is going to be discovered and then you have nothing else protecting it. And so what we'd like to see instead is sort of technical means of protecting that data, and usually that comes in the form of cryptography. So to give a real world analogy, it would sort of be like if the only thing you're doing to protect your home from burglars is throwing your front door key under the welcome mat.

[00:28:07] Rachid Finge: Right. That's not a good idea.

[00:28:09] Jesse Seed: That's not a good idea. That's not the best idea because it's going to be trivial for them to sort of, you know, to find that key. So we really want to be relying on better means. Now, if there's any subject matter experts that are listening to this, I do have to caveat that by saying there are times when in our sort of toolkit of things we do to protect the system, we will use obfuscation and but we use it appropriately and we use it only in combination with other stronger mechanisms. So it's the only thing that's protecting your system is the fact that you haven't released your source code. You're keeping your source code hidden. You know, source code leaks, source code gets reverse engineered. You really need to be doing more than that. So that's the first thing. No security by obscurity. The second major point here is, yes, indeed, you're absolutely right bad actors will see your code sooner. They'll get a head start essentially if you open source it. That is true. But you know who else will get a head start? Good actors, ethical hackers, developers, hobbyists that are looking at that source code and you'll get many more good eyeballs on your code. And so we think on balance, the rewards here outweighs the risk. We work incredibly closely with the security research community and we want to incentivize them, just like the bad actors are incentivized to look at our systems. Right. And so because of that, we have some of the highest bug bounties in the industry. A bug bounty is sort of a payout if somebody comes and discloses a bug they found to you. And just to give you an example, what I mean by highest in last year, in 2021, we paid out over $8.7 million in bug bounties. So the next big point is that I believe that open source actually begets better code quality. If you know that your code is going to be out there for all these people to see, you're going to be sure. It's certainly reviewed. You're going to be sure it's well documented. You're going to be sure you spend a lot of time fuzzing it and finding any vulnerabilities that you possibly can. And then lastly, we believe that transparency builds trust. So going back to that sort of verifiably secure topic, right, it's, you know, go check it out. Go check out what we're doing. Right. You can go see for yourself if you're so inclined. And you can only do that when you're open, when you're operating with openness. And in my opinion, that does go farther with especially with savvy consumers rather than sort of like blind brand loyalty. Another way of saying that is, okay, just trust us. And so we invest in things like the Google Binary Transparency Initiative, prime compute core, and all of this work we do in upstreaming and open sourcing to build that transparency, build the trust with our users and with our partners.

[00:30:43] Rachid Finge: So it's time for Top Tips on the road. Now, maybe you're on the road or at home and you wanted to learn the top things you can do to keep yourself more secure from Google's finest security engineers. So, Jesse and Rae, let's go through those three tips. What's the first.

[00:31:02] Rae Wang: The first thing comes to mind is to safeguard your accounts. And we all know that we you know, we should be using strong password and using a password manager to make manage your password easier. And for your most important accounts, it's also a good idea to enable two factor auth. But that's not the end of it because attackers have also gotten smarter. They now try to obtain not just a password but also a passcode. And they tend to do so sort of social engineering by having an input, a passcode, phishing website or buying starting spyware on a phone to read and notifications and therefore getting your passcode. So let's make sure to pay attention and protect your passcodes for two factors of to truly be effective. And the second tip is one that I tell my family a lot. It's to always install apps from the play store and not some obscure link from text message. I've seen the play store have all gone through careful analysis and reviews to ensure that they're sound from our security and privacy perspective.

[00:32:00] Jesse Seed: And the last tip is to make sure you're taking advantage of the security and privacy features that are already available on your devices. So sometimes things are on by default, but sometimes they are opt in because we want to balance functionality, user privacy, etcetera. So when you get notifications for security checkup or password checkup, don't swipe them away. Take the time, take the 30 seconds and actually do the checkup and check out your safety center settings and make sure that you're optimizing for all of the good security and privacy features that are already built in. And this will take a moment, but it will save you a lot of pain down the road.

[00:32:37] Rachid Finge: So that are two top tips for the road. Jesse and Rae thank you so much and thank you so much for joining to me by Google Podcast. I definitely learned a lot and actually I think I'll sleep a little bit better. I know that you guys have my back.

[00:32:50] Jesse Seed: Thanks.

[00:32:51] Rae Wang: Thank you. Enjoy your sleeping in the beautiful castle.

[00:32:55] Rachid Finge: Thank you. So that's it for this week's episode of the Made by Google podcast. But don't worry, we'll be back next week when we'll meet Isobel Olsen. She works on design at Google, so we'll definitely talk about nest Wi-Fi Pro, pixel watch and manicures. You heard that right. Subscribe to the Made by Google podcast to make sure you don't miss an episode. Take care and talk to you next week.