Alphabet's Cybersecurity Group Touts Its New Open Source Private VPN (digitalocean.com) 106
An anonymous reader writes: Alphabet's cybersecurity division Jigsaw has designed a new open source private VPN aimed at journalists and the people sending them data. "Their work makes them more vulnerable to attack," said Santiago Andrigo, Jigsaw's product manager. "It can get really scary when they're outed and you're passing over information."
Unscrupulous VPN providers can steal your identity, peek in on your data, inject their own ads on non-secure pages, or analyze your browsing habits and sell that information to advertisers, says one Jigsaw official. And you can't know for sure whether you can trust them, no matter what they say in the app store. "Journalists should be aware that their online activities might be subject to surveillance either by government agencies, their internet service providers or a hacker with malicious intent," said Laura Tich, technical evangelist for Code for Africa, a resource for African journalists. "As surveillance becomes ubiquitous in today's world, journalists face an increasing challenge in establishing secure communication in the digital space."
The new private VPN, dubbed "Outline", is specifically designed to be resistant to censorship — because it's harder to detect as a VPN (and therefore is less likely to be blocked). Outline uses an encrypted socks5 proxy that looks like normal internet traffic. Once the user chooses a server location, Outline spins up a DigitalOcean server on Ubuntu, installs Docker, and imports an image of the actual server.
It's been named Outline because in places where internet use may be restricted — it gives you a line out.
Fuck Alphabet. (Score:5, Insightful)
Yeah, trust the largest data mining and advertising company in the world to keep your data private... NOT.
Re: (Score:1)
I'm saying that because Google and Alphabet are poor corporate citizens that want to suck up to repressive regimes like China while trying to paint it as a noble act. How convenient that the company is now coming out with a new "private" VPN after announcing a new re-entry to China. Only an idiot would trust this VPN.
Re: (Score:2)
Only an idiot would trust open source code they can see/manipulate? Is that how this works now?
Re:Fuck Alphabet. (Score:5, Insightful)
Totally ignore the Snowden slides and all the Valley insiders that say Alphabet has data-sharing agreements with all the intelligence agencies.
Re: Fuck Alphabet. Heil Hitler. (Score:2)
The Nazis rotated it precisely to be different to the religious symbol.
No, they didn't; you're just repeating nonsense someone once told you without bothering to check it. The swastika has been used by various religions in many different styles, and in both orientations.
Re: Fuck Alphabet. Heil Hitler. (Score:1)
Wikipedia says this:
The swastika is a geometrical figure and an ancient religious icon from the cultures of Eurasia, where it has been and remains a symbol of divinity and spirituality in Indian religions.
Re: (Score:1)
The only real problem with the Swastika is a corrupt German government has failed to rehabilitate the swastika, and in the most arrogant fashion chose to ban it in human context, the Germans raped it and then banned it because it was raped, very nicely done Germany and you should be deeply ashamed.
For journalists to be secure, you maintain separate devices. One that connects to the internet and one that does not, you do the work on the one that never connects to the internet, its network devices powered o
Re: Fuck Alphabet. Heil Hitler. (Score:4, Interesting)
The only real problem with the Swastika is a corrupt German government has failed to rehabilitate the swastika, and in the most arrogant fashion chose to ban it in human context
Um, what exactly do you think Germany could have done post-WW2 to make the Swastika not have negative connotations in western countries?
Re: (Score:2)
A lot of them are. It's just that actual Buddhism practice is mostly stuck in the monasteries. Most people only go to the temples mostly to wish for something rather than seek enlightenment or guidance.
Re: (Score:2)
Wait, what? I'm a gaijin living in Japan and every single map that I have seen uses the swastika (or manji) to mark temples. I just took a look at Google Maps, and it does the same. Also, the manji faces counter-clockwise, and the Nazi swastika was clockwise (and rotated 45).
Seriously, it would make me really angry if they had to drop a centuries old symbol due to tourists' ignorance.
Unscrupulous (Score:2, Funny)
"Unscrupulous VPN providers can steal your identity, peek in on your data, inject their own ads on non-secure pages, or analyze your browsing habits and sell that information to advertisers ..."
So, Alphabet is talking about themselves, right?
Re: (Score:1)
These comments always amuse me.
Trust me, if Google was the evil you think they are, they'd be doing a much better job of it. They're not nearly that incompetent. (No, seriously. If Google was trying to be evil you'd be way more screwed and not even realise it, but this applies to most large corporations. There are only a few I'd class as truly evil, Google isn't even close to getting on that list. Naive, narrow sighted, culturally tone deaf, sure)
Department of redundancy department (Score:3)
private virtual private network, eh?
Re: (Score:2)
Not normally a pedantic replier, but in this case it's a private VPN as opposed to a commercial one or a corporate one. You spin it up for a purpose, talking to one source maybe, and not for everyone to use at the same time.
Re: (Score:2)
Personal or non-commercial seem like better modifiers than a second private in that case: personal virtual private network.
Re: (Score:2)
If there's a private key involved, short of a vulnerability in the encryption library, why would this allow Google to siphon your data?
Re: (Score:2)
My ISP can do the same with my VPN. It's not some tool for concealing every aspect of the communication.
What problem exactly? (Score:1)
Re: "Now users can create their own personal VPN to their own personal server" -- Defeats one of the main features of a VPN, i.e. anonymity. The whole point of VPNs & TOR is to bury sensitive information in a haystack of other encrypted traffic to make it harder to find. Also, if national security agencies are tracking journalists, they'll do it with targeted techniques, rendering VPNs & TOR ineffective. I'll wait till I hear about this from independent security experts about what real world problem
Re:What problem exactly? (Score:5, Insightful)
When was the point of encryption ever anonymity? The point has always been to transmit data over open channels in a manner that it couldn't be decrypted. The Germans and Allies were doing it all the time during WWII, and interception was expected (if a message couldn't be intercepted, then there would be no need for encryption). One of the failures I see with networks like TOR is the misapplication of encryption for anonymity. Anonymizing data (i.e. stripping out metadata) is a separate discipline. The two can certainly be combined, but they are not the same thing.
When I connect to my online banking, I have some expectation that my identity will be known. I'm not relying on the secrecy of the transaction, I'm relying on the inability of a middle man being able to glean any details of the transaction.
Re: (Score:2)
The purpose of a traditional VPN is that you want to connect to a private network, and secure that connection by encrypting the traffic. However, the purpose of a lot of "VPN" services is actually to make it harder for someone to monitor or block your communications. Without a VPN, your ISP (or someone else) can potentially see what sites and services you're accessing even if the traffic itself is encrypted, and the services can easily keep track of the source address. The VPN service isn't necessarily eno
Re: (Score:2)
Yes, but what my banking app doesn't do is hide that an IP address provisioned to me connected to a bank web server. The whole point of SSL is to obscure with a high degree of rigor what exactly it was I was doing connecting to the bank.
Encryption systems are designed for that purpose, and in reality as hard as encryption is, it's much easier than anonymizing data. Even encrypted data can leave some telltale signs. Padding out data, burying it in other data, all can be used to further hide the nature of a tra
Re: (Score:2)
Banking is just one use case. It's not remotely like cypherpunk activity. And the point of cryptography actually boils down to 3 traits: privacy, authentication, and integrity.
When is anonymity a desired feature? Off the cuff: Cypherpunks, whistleblowing, dissidents, espionage, communication between guerrilla cells, snowden, wikileaks, the pentagon papers, deep throat, the panama papers, insurrections against despots, insurrections against good rulers, affairs, snitching on affairs, snitches in general, i
Re: (Score:2)
[1] Make it just as easy to set up a private obfs4 TOR bridge.
[2] Permit payment for Digital Ocean accounts by cryptocurrency, ideally Monero.
Alphabet marketing executive says (Score:2)
"Maybe if they keep seeing Private, they'll think it provides privacy."
A Google VPN? Hold on, I'll strip naked... (Score:1)
The data kraken offering to keep our communication and maybe even identity a secret?
Thanks, but I'm waiting for the NSA to announce a joint-venture with the FSB, Mossad and China, to get my VPN from!
Re: (Score:2)
Private and secret are synonyms within the English language.
Contemplate this next time you're on someone's "secret property". Words can have multiple meanings and just because they share one meaning does not make them equivalent. Yes and I see that thesaurus you are privating into your pockets...
No need for VPN software other than SSH. (Score:5, Informative)
If you have your own (or even shared with other people) server where you can log in via SSH, you don't need any other VPN software. Just start an ssh session to it with dynamic forwarding and use it as a Socks5 proxy.
Any cheap server on Digital Ocean, Amazon or elsewhere would do as long as you are reasonably sure that it is located in a country which doesn't track you.
Of course, openssh has a more elaborate VPN solution built in, but it requires administrative rights on both ends of the link. And dynamic port forwarding works by default as long as you have an ssh client (putty would do) which supports it, and you can tune proxy settings in your browser.
Re: Don't use proxies. Use a real tunnel. (Score:2)
Yep, doing this right now. Though, instead of a cheap battery powered router I've got a Linksys WRT 1900. Those little ones are OK for when you need to move around a lot, but they tend to be slow and somewhat limited.
Re: (Score:3)
My personal favorite spin on ssh is sshtunnel. I'm not affiliated with the project, just a very satisfied user. As long as I have ssh access to my server, I can get anywhere on the net, no matter where I might be sitting at the moment.
Re: (Score:2)
I don't exactly know. I tried following various instructions on the web to set up a VPN with the inherent features of SSH, and it seemed impossible with my use case: laptop in hostile location, and an inability to install any software or open custom ports on my (el-cheapo shared) server. But I was able to get sshtunnel up in under 5 minutes: it just works. Nothing gets installed, no obscure ports to open here or there, no easy-to-forget settings to use on my laptop. I'm not an expert, and maybe sshtunne
Soo... obfsproxy? (Score:3)
Re: (Score:1)
Except this feeds mountains of metadata to Alphabet's maw.
Analyze your habits and sell the info? (Score:4, Insightful)
You mean, like Google?
Comment removed (Score:5, Informative)
Which is why I use That One Privacy Site (Score:2)
"Unscrupulous VPN providers can steal your identity, peek in on your data, inject their own ads on non-secure pages, or analyze your browsing habits and sell that information to advertisers ..."
Each use case is a little different. Someone in an oppressive country might be trying to get access to much needed news. Another just wants to stream Netflix without AT&T or Verizon throttling their feed. While yet another wants to remain anonymous for less than honorable reasons. Each case needs their VPN to protect them from different types of intrusion. No one VPN will cover every use case. That's why I do my research at That One Privacy Site [thatoneprivacysite.net]. I don't know if the information there is all legit bu
Doesn't work in China (Score:2)
I retested this today, just to confirm what I already know. China and their Great Firewall have been able to automatically detect and block Shadowsocks for a long time. The concept of wrapping a VPN client and server into a nice UI is very good, but you'll need much much more than this to accomplish your goal. Seriously, I am very disappointed with Google/Alphabet - you have the resources and ability to change the internet, but you won't do it because privacy would break your business model. Eric Schmid
Almost sounds purpose built for the CIA (Score:2)