Google Wants To Help You Tiptoe Around the NSA & the Great Firewall of China 140
Kyle Jacoby writes "The NSA was right when it postulated that the mere knowledge of the existence of their program could weaken its ability to function. Virtual Private Networks (VPNs), which serve to mask the source and destination of data by routing it through a third-party server, have been a popular method for maintaining internet anonymity for the paranoid and prudent. However, the all-but-silent fall of secure email server Lavabit, and VPN provider CryptoSeal, have shown us just how pervasive the government's eye on our communications is. These companies chose to fold rather than to divulge customer data entrusted to them, which raises the million-dollar question: how many have chosen to remain open and silently hand over the keys to your data? Google has decided to put the private back in VPN by supporting uProxy, a project developed at the University of Washington with help from Brave New Software. Still using a VPN schema, their aim is to keep the VPN amongst friends (literally). Of course, you'll need a friend who is willing to let you route your net through their tubes. Their simple integration into Firefox and Chrome will lower the barrier, creating a decentralized VPN architecture that would make sweeping pen register orders more difficult, and would also make blocking VPNs a rather difficult task for countries like China, who block citizens' access to numerous websites. On a related note, when will the public finally demand that communications which pass encrypted through a third party still retain an reasonable expectation of privacy (rendering them pen register order-resistant)?"
Peer to peer vpn over SSL - nice. (Score:2)
That actually would be pretty neat - force or opt-in everyone who uses the browser to be part of it.
The downside is the aggravation of being collateral damage in some investigation.
My friends are my identity (Score:5, Insightful)
I don't get what's so nice about it, the NSA already knows who I am friends with. So no matter how we route traffic in our min-TOR, all exits identify us. The whole point of VPNs, TOR etc. is to hide within massive noise.
Who Owns Key? What Signs Upstream? (Score:5, Interesting)
I don't get what's so nice about it, the NSA already knows who I am friends with. So no matter how we route traffic in our min-TOR, all exits identify us. The whole point of VPNs, TOR etc. is to hide within massive noise.
I want no part of "Google freedom". Their self driving cars? If these are the norm, they'll know where you are - all the time - and be queriable for your violations of speed limits and other "indiscretions".
If you trust them for VPN? How are keys generated? Who is the root of trust? This is your real question.
This idiom reflects the ever closer union between the State Department and Silicon Valley, as personified by Mr. Schmidt, the executive chairman of Google, and Mr. Cohen, a former adviser to Condoleezza Rice and Hillary Clinton who is now director of Google Ideas.
-- Julian Assange, The Banality of 'Don't Be Evil" [nytimes.com]
I'm with Admiral Ackbar, on this one:
"IT'S A TRAP!"
Re: (Score:2)
I want no part of "Google freedom". Their self driving cars? If these are the norm, they'll know where you are - all the time - and be queriable for your violations of speed limits...
but if they're self driving cars, wouldn't it be the software that is guilty of going over the speed limit?
Re: (Score:1)
Their self driving cars? If these are the norm, they'll know where you are - all the time - and be queriable for your violations of speed limits
Why would a self-driving car be speeding? If it were, why would you be liable?
When you can do whatever you want while riding in your self-driving car, you will stop caring about the difference between 65mph and 75mph. You'll be more likely to remain in your car at the destination for an extra minute finishing whatever task you are doing than you are likely to care
Re: (Score:2)
Why would a self-driving car be speeding?
The car's idea of the speed limit on the road no longer matches the recently introduced, lower limit. The car did not "see" a temporary reduced speed limit for road works, high wind or ice conditions. The limit is vague, like a 40 km/h school zone that only operates a between 7-9AM and 2-4 PM on school days (whatever they are) or the unsigned 50 km/h limit in "residential" streets. (Australian examples but I am sure you can find USian ones)
If it were, why would you be liable?
If the car has a mechanism for you to manually lower the speed an
Re: (Score:2)
Re: (Score:2)
You're right... the 'friends' element doesn't work at all for the applications they are supporting. The spies know the who + when of the packet delivery, which is most of the metadata they would collect anyway.
I2P makes everyone a router by default: [geti2p.net] A P2P principle which not only curbs the impulse to abuse other nodes, but attracts the widest background of re-routed packets in which to mix your own packets. Its got the best-available resistance against traffic analysis attacks, IMHO. And if VPN-like perform
Re: (Score:2)
Re: (Score:2)
Captain Obvious (Score:2, Redundant)
"... the mere knowledge of the existence of their program could weaken its ability to function."
Yeah, security by obscurity has the tendency to bite you in the ass.
We could have told you that years ago.
Re: (Score:2)
Yeah, security by obscurity has the tendency to bite you in the ass.
It think that's stretching the "security by obscurity is not security" mantra a bit far. How would you run a secret program without having some people aware of its existence?
Re: (Score:3, Insightful)
This is known. That is why the penalty for espionage tends to be capital punishment or life imprisonment.
Your PINs are protected by "security through obscurity," by the way. Your health records, school records, and tax records are protected in the same way as the secrets that Snowden stole.
By the way, the phrase "security through obscurity" is a reference to encryption schemes that rely upon the algorithm not being known for its protective value, not to the general idea of keeping secrets.
Re: (Score:2)
> By the way, the phrase "security through obscurity" is a reference to encryption schemes that rely
> upon the algorithm not being known for its protective value, not to the general idea of
> keeping secrets.
Which is why he used it correctly. Remember the claim is that public knowledge that the programs really exist and basics on how they work is enogh to decrease their utility ot make them not work.
So the very working of the system is, claimed anyway, to rely on obscurity to work.
Re: (Score:2)
Your PINs are protected by "security through obscurity," by the way. Your health records, school records, and tax records...
Yeah, but I also supervise my PIN very closely, to the point where I keep the card within centimetres of myself every waking moment, and am physically there every single time the PIN is typed into a POS device. Tax records, school records, health records, lol. Were those even supposed to be private? I'm beginning to forget now.
Re: (Score:2)
Your PINs are protected by "security through obscurity," by the way.
Your PINs are supposed to be secret, not obscure. In other words, it's supposed to be impossible to find out what they are, short of asking you or guessing randomly. "Obscure" would mean other people could discover your PINs given sufficient analysis of the other information available to them.
Of course, insecure PINs are common, birth years being a common choice, for example; this would be an example of "security by obscurity"—the security of the system in such cases relies (in part) on others not kno
Re: (Score:3)
Effort (Score:1)
How is this easier to set up than Tor or more secure?
Google seys (Score:2, Troll)
Re: (Score:2)
If anyone is going to collect data it is going to be us! [politico.com] After all we are the only ones who can properly monetize it.
uProxy doesn't send data to Google. There's also a huge difference between data users send to Google as part of the deal by which they use its services and connection-level eavesdropping.
Re: (Score:2)
A little late to the party... (Score:4, Insightful)
Google has decided to put the private back in VPN by supporting uProxy,
Even if they don't plan to install a backdoor, it is hard to believe in Google's interest in our privacy.
Who supported privacy measures before Snowden's revelations?
Re:A little late to the party... (Score:4, Informative)
trust(google) == trust(nsa) == 0
that's all.
Re: (Score:1)
I think you've got a bug there man...
if( trust(google) == trust(nsa) || ((options == (__WCLONE|__WALL)) && (current->uid = 0))
That look about right?
Re: (Score:2, Informative)
Yep, definitely a bug.
trust(google) == trust(nsa) == 0
Add parens.
(trust(google) == trust(nsa)) == 0
A little more clarity
(trust(google) == trust(nsa)) == false
(x == false) can be written as "not x"
trust(google) != trust(nsa)
Therefore, the statement appears to be saying that neither google nor the nsa can be trusted, but is actually saying that you can trust one or the other but not both (xor)
Re: (Score:2)
it is hard to believe in Google's interest in our privacy
Not if they think there's a buck in it. Just like defense contractors are always saying they're all red, white and blue, Google will be all for the 4th Amendment if they think it'll help them get or keep customers. Various US network based companies have already taken a financial hit from this. Do you think Google wants to be next?
Re:A little late to the party... (Score:5, Insightful)
Re: (Score:2)
Re: (Score:3)
Not if they think there's a buck in it.
too damned fickle!
they could quickly turn-around and decide they are no longer friends of freedom.
google has shown its true colors. anyone who trusts them, now, is a fool.
freedom cannot be financially motivated. that mixes the wrong things together.
in fact, corporations that have a profit motive CANNOT be trusted. period!
Re:A little late to the Party... (Score:2)
with a capital "P", whatever its name is.
As others have said in other ways, this isn't compromised from the beginning, how?
Re:A little late to the party... (Score:5, Informative)
Google was the first to roll out SSL for everything, the first to do SSL forward secrecy ... it's not like there was nothing done before Snowden.
Re: (Score:2)
roll out ssl and also give keys away. sure! that's some great security you got there, lou!
thanks but no thanks. google knows how to give the impression of being good while being downright evil to the core. (or, is that corp?)
Re: (Score:2)
Who supported privacy measures before Snowden's revelations?
Google, for one. Google was the first major service to enable SSL for basically all of its services. Google also pushed back hard against Chinese censorship. They caved for a while, but ultimately just took their business and left mainland China because they refused to censor. Granted that Google has made some mistakes (Wifi over-capture by streetview cars, Safari DNT workaround), but they've always tried to support user privacy.
Re: (Score:1)
Re: (Score:2)
Then Facebook will come out with a service (Score:4, Funny)
to allow ppl to avoid Google's eavesdropping....
So In Other Words (Score:4, Insightful)
uProxy has been compromised and should not be trusted.
Re: (Score:1)
uProxy has been compromised and should not be trusted.
I wouldn't say that.
But we already have your info from everything else you do.
False. (Score:5, Insightful)
No, if Google actually wanted that, they'd make their search engine work with Tor instead of saying "I'm sorry, but we're recieving a high volume of suspicious requests from your computer..." with a picture of a robot giving you the middle finger next to it. What Google wants is for you to use their service, and if that means pandering to the "NSA is evil" crowd, they'll make trivial gestures about privacy to attract them.
But Google is in bed with the NSA, CIA, DHS, etc., as is all other large corporations because if you don't play ball with them, you don't get to play. At all. No PR is going to convince me otherwise, and you would be wise to do the same.
Re: (Score:3)
Re:False. (Score:5, Informative)
The Tor Browser bundle with HTTPS Everywhere works perfectly fine with Google.
Not during prime time. I have to hop to a new exit point sometimes 5 or 6 times to find one that Google hasn't decided to lock out. Entering a CAPTCHA with every query is annoying, but whatever... but just plain failing... it does that often. Especially during prime time hours (6pm-2am US Eastern)
Re: (Score:1)
I'd imagine there are some pretty good reasons for that, mainly people trying to "anonymously" post searches or other things to skew metrics in their favor.
Re: (Score:2)
I'd imagine there are some pretty good reasons for that, mainly people trying to "anonymously" post searches or other things to skew metrics in their favor.
I'd imagine there's some pretty good reasons for people wanting to do anonymous internet searches too that are more important. Like getting a bullet to the head in countries like Iran, China, and North Korea.
Re: (Score:1)
Yes, and in those cases I doubt that such people will be overly concerned if they need to go through the extra "captcha" step to prove they are human and not an automated system
Re: (Score:2)
Use one of the country specific googles - eg. google.co.uk - it seems the torbots don't hassle the countries as much as they do .com, so their IPs don't get blacklisted quite so easily.
One thing I find really funky is logging onto the like of Yahoo and co via Tor - they (incorrectly) assume you're in Germany and so show you the page in German. They're not at al unique at this either - it seems the world of webdev has a long way to go before it understands Tor.
Re: (Score:1)
Re:False. (Score:4, Interesting)
No, if Google actually wanted that, they'd make their search engine work with Tor instead of saying "I'm sorry, but we're recieving a high volume of suspicious requests from your computer..."
Did you miss the articles about the NSA's penetration of Tor? Why would you want to use their service? Google's solution is much better: route your traffic through the machines of people you know personally, or at least friends of friends, etc.
Note that I'm not saying Google's failure to work through Tor is because they think Tor is a bad idea. It's much simpler: Tor outlet nodes are indistinguishable from clickbots. uProxy nodes that have too many users will have the same issue, but the idea is that uProxy makes the barrier to entry low enough that the traffic will be more distributed.
(Disclaimer: I work for Google, but not on search, uProxy, or anything else discussed here. I do think uProxy is a cool and clever hack, though, and I applaud Google for supporting it.)
Re: (Score:2)
Re: (Score:2)
The TOR issues are mostly Javascript
No, the TOR issue is that the NSA runs (or has compromised) a large percentage of the exit nodes.
Re: (Score:2)
large percentage[citation needed].
Also, controlling some exit nodes is not really sufficient to identify you (unless they think
it's you but they are not sure).
Re: (Score:2)
Re: (Score:2)
Without onion routing, this VPN solution will expose your social graph to NSA or servers run by other governments operating on the network, one of the key things they are interested in collecting.
Blocking access to something encourages an arms race to bypass the filter. I'd be more concerned about governments that allow you access, but monitor what you are doing and who you are talking to.
Re: (Score:2)
Did you miss the articles about the NSA's penetration of Tor? Why would you want to use their service?
Perhaps I am less concerned with subverting a large government agency with billions to blow on such things as I am subverting a large business that makes billions on such things.
Re: (Score:2)
Yeah, and the billions blown by an LGA comes from direct tax revenues, even if some of the bookkeeping is na levo. OTH that large biz is being paid by ad companies, the costs of which are part of the 'hidden tax' that increases the cost of all goods and services. It's a bit of a toss-up, depending on where one stands, etc.
Hmm. Are there reasonably good data on just what percentage ad companies add to the price of mainstream consumer goods and services? (I purely don't know, haven't tried to look [sue me
Re: (Score:2)
Is there a particular reason to block reading (search) instead of writing, given a highly suspect origin? That is, they can enable search and disable mail/plus/whatever, right?
I guess my question boils down to, what advantage does SEO pieces of shit get from searching Google? The only thing I can think of off the top of my head is to check if their SEOing was successful. That doesn't seem overly useful to me (but then, I've never tried to look at that).
Can VPN traffic be identified as such? (Score:2)
Is it possible for routers to see the difference between VPN traffic and normal traffic? If so, it's rather trivial for the chinese firewall to prevent VPN traffic.
Re:Can VPN traffic be identified as such? (Score:5, Insightful)
Re: (Score:1)
Not out of the box. Yes, it can work on port 443 with an SSL-like connection but its TLS handshake is very easily distinguished from regular browser-webserver connections. This is exactly what the Chinese have been doing since late 2012 and why many commercial VPN provider made modifications to OpenVPN to either obfuscate the entire connection or at least use a non-typical TLS handshake.
Re: (Score:1)
I believe it can be, in addition there are so many legit uses it might be open for that reason, that to block it would create more chaos.
Just as SSH was always allowed (in and out) on almost every corporation network.
Re: (Score:2)
Any decent IDS/IPS can notice oddball encrypted traffic and put the kibosh on it. Even moreso in a lot of places which use Bluecoat or something similar as an active MITM (where the BlueCoat's appliance key is propagated in the root of AD.)
I wouldn't be surprised if the PLA didn't have something in place that would throttle/log/stop VPNs without having to keep an IP blacklist. They have had decades to work on the technology, and have leapfrogged the US in a lot of respects.
Re: (Score:3)
Switzerland is a more realistic choice. They have very strong data protection laws and don't have the shenanigans you see happening in the EU.
And would never get involved in money laundering either.
Trust (Score:5, Insightful)
"Trust me," said the fox to the hen, "You can keep your eggs in my basket and I'll make sure the other foxes don't eat them."
Re:Trust (Score:5, Informative)
"Trust me," said the fox to the hen, "You can keep your eggs in my basket and I'll make sure the other foxes don't eat them."
Google is saying exactly the opposite. Google is saying you should find someone you do find trustworthy, and route your traffic through their machine, not suggesting that you trust Google.
Re: (Score:2)
"Trust me," said the fox to the hen, "You can keep your eggs in my basket and I'll make sure the other foxes don't eat them."
Google is saying exactly the opposite. Google is saying you should find someone you do find trustworthy, and route your traffic through their machine, not suggesting that you trust Google.
They (Google) wrote the software, right? And they're trying to get people to use the software they made to create super-secret-squirrel, "private" connections between individual machines, through which data shall be passed?
Yea, actually, they aren't "saying exactly the opposite."
Google is the fox, your data is the eggs (are the eggs?), and uProxy is the basket.
Re: (Score:1)
They (Google) wrote the software, right?
Wrong. Per the link: "uProxy is being developed by the University of Washington, with help from Brave New Software."
Re: (Score:1)
They (Google) wrote the software, right?
Wrong. Per the link: "uProxy is being developed by the University of Washington, with help from Brave New Software."
And the University of Washington has how many contracts with the D.O.D. etc?
Re: (Score:2)
Re: (Score:2)
They (Google) wrote the software, right?
Nope. RTFS.
Re: (Score:2)
This is Slashdot; we don't do that.
Re:but not on Google Fiber (Score:5, Informative)
Psiphon (Score:1)
This resembles the project for circumventing parental controls, Psiphon [psiphon.ca]
openvpn and tinc already exist (Score:1)
What brings this new thing to the table what the old and proven VPNs like openvpn or tinc don't? Is it only the hip google sponsorship? If so then it's a good slashvertisement and clickbait in one.
Re: (Score:1)
BS (Score:2)
This is more BS from Google. They open their infrastructure up to the NSA and get caught (who are you going to believe? Google or Snowden?), and now they keep on dribbling pathetic treats to us.
Stop using Chrome. Stop using gmail. Move your data outside the u.s.
playing both sides (Score:3)
Funny how Google is trying to come up with ways around the Great Firewall of China when, contrary to their 'do no evil', awhile ago was tailoring their search engine for China to accomidate their government rather than defeat the Firewall. I'm sure you can find at least one /. article about this in the archives...
Will never be able to trust a U.S. company again (Score:2)
They will never be able to prove to me that they're NOT giving info the the NSA. And, as such, they will never be able to earn my trust.
Re: (Score:2)
Re: (Score:1)
Making it open source would be a good start building trust... we'll see
Making it open source doesn't matter. Law always trumps technology.
The only solution is an open justice system. There's a good reason any member of the general public can stroll into any Judicial Branch court...from your local county court to the Supreme Court...and sit down and watch what is going on. That is the most important check on government authority.
The problem is the Executive Branch courts, which work in secret. Sealed cou
Re: (Score:2)
Re: (Score:2)
Legally, any company is required, by the unconstitutional law the NSA uses, to NOT disclose they are giving your information away.
Like Microsoft, Adobe, Apple, Google, and all your communications providers.
All of them.
Every. Single. One.
Did I mention the backdoors in the chips in your computer and your comm gear?
Datacaps anyone? (Score:2)
Seems to me the limiting factor will be ISP datacaps.
The ISPs that tend to have them are the ones that also want to send content (e.g. U-Verse, Comcast, to name a few). Datacaps limit peer-to-peer networks.
A more sinister interpretation is that datacaps limit the amount of traffic that the NSA has to sift through. The ISPs that seem to have the greatest track record of caving to NSLs, etc. are also the ones with datacaps. Coincidence?
Thus, datacaps also apply when one's "friend" routes traffic through on
Re: (Score:2)
There is another datacap problem in China; while my peer to peer is unlimited (for all intents and purposes), Google is very limited. Google searches only work about 80% of the time and following links from Google provides a failure in more than 50% of the attempts. In China the government makes a strong effort to push people toward the Baidu and one of the ways is to severely throttle Google.
As much as it would in hindrance to me, Google is better off ignoring the demands of the Chinese government. The, so
Re: (Score:2)
Yes. Just artificially dropping some packets (either deliberately or just to implement some notion of quality-of-service) can be problematic. While an established TCP socket can deal with this, doing a DNS lookup [which is datagram based] can be severely affected. My ISP implements QoS and most of the delay I experience is a failed DNS query that must timeout and be retried (e.g. I'll wait a minute to get a page load but 55 seconds of that is waiting for the DNS request to succeed).
It's a way to censor t
The 12th of Never (Score:4, Funny)
"when will the public finally demand that communications which pass encrypted through a third party still retain an reasonable expectation of privacy (rendering them pen register order-resistant)?"
As soon as NSA spying prevents them from watching "Dancing With the Stars" and "Honey Boo Boo".
You'd have to be a fool to trust Google (Score:1)
Subject says it all.
Some Regimes...? (Score:2)
So is the U.S. considered a "regime" by Google?
If they really want to help... (Score:4, Interesting)
I'd like to see Google make an effort to build GPG into their product and make it easy for people to use.
If anyone can do it, it's Google, but they won't. It's hard to deliver targeted advertising when you can't read your users' email.
VPN (Score:2)
"Virtual Private Networks (VPNs), which serve to mask the source and destination of data by routing it through a third-party server"
This is a false and very dangerous line of thinking. A VPN and a proxy are two different things. And they don't necessarily do what you're saying they do.
Getting around an employer firewall, anyone? (Score:1)
Land of the Free (again) (Score:1)
"The NSA was right when it postulated that the mere knowledge of the existence of their program could weaken its ability to function."
They make it sound like a bad thing.
Efficiency is good. Up to a point. That applies to a lot of things, not just intelligence gathering. Then you get into a situation where the costs of efficiency outweigh the benefits.
While there certainly are enough people in the USA who are such utter craven cowards that they'd prefer to live in a composite Fourth Reich/ Stasi 2.0/ USSA if the butcher promised the little piggies they'd be safe, there are also some of us who are willing to forgo such amenities and trust t
As Mr. Schmidt said while CEO... (Score:1)
Uhhhhm, yeah . . . (Score:1)
Foreign services (Score:2)
Why stop there? (Score:2)
Fuck that! We should demand that all of our communications remain private! Why limit our demands only to those communications that are encrypted and routed through a proxy? Why should we put up with any of this nonsense for an instant?
The fourth amendment states: "Every subject has a right to b
If Google wanted to actually fix this... (Score:2)
... they'd spend the money on lobbying instead.
Hmm (Score:1)
Expectation (Score:1)