Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Wants To Help You Tiptoe Around the NSA & the Great Firewall of China

Posted by Soulskill on from the be-vewy-vewy-quiet dept.

Kyle Jacoby writes "The NSA was right when it postulated that the mere knowledge of the existence of their program could weaken its ability to function. Virtual Private Networks (VPNs), which serve to mask the source and destination of data by routing it through a third-party server, have been a popular method for maintaining internet anonymity for the paranoid and prudent. However, the all-but-silent fall of secure email server Lavabit, and VPN provider CryptoSeal, have shown us just how pervasive the government's eye on our communications is. These companies chose to fold rather than to divulge customer data entrusted to them, which raises the million-dollar question: how many have chosen to remain open and silently hand over the keys to your data? Google has decided to put the private back in VPN by supporting uProxy, a project developed at the University of Washington with help from Brave New Software. Still using a VPN schema, their aim is to keep the VPN amongst friends (literally). Of course, you'll need a friend who is willing to let you route your net through their tubes. Their simple integration into Firefox and Chrome will lower the barrier, creating a decentralized VPN architecture that would make sweeping pen register orders more difficult, and would also make blocking VPNs a rather difficult task for countries like China, who block citizens' access to numerous websites. On a related note, when will the public finally demand that communications which pass encrypted through a third party still retain an reasonable expectation of privacy (rendering them pen register order-resistant)?"

29 of 140 comments (clear)

  1. A little late to the party... by Mitreya · · Score: 3, Insightful

    Google has decided to put the private back in VPN by supporting uProxy,

    Even if they don't plan to install a backdoor, it is hard to believe in Google's interest in our privacy.
    Who supported privacy measures before Snowden's revelations?

    1. Re:A little late to the party... by TheGratefulNet · · Score: 3, Informative

      trust(google) == trust(nsa) == 0

      that's all.

      --

      --
      "It is now safe to switch off your computer."
    2. Re:A little late to the party... by currently_awake · · Score: 5, Insightful

      Googles intentions are irrelevant. The moment the NSA shows up with a general warrant (NSL) they will fold and give away everything. And that includes back-dooring the VPN software.

    3. Re:A little late to the party... by IamTheRealMike · · Score: 4, Informative

      Google was the first to roll out SSL for everything, the first to do SSL forward secrecy ... it's not like there was nothing done before Snowden.

    4. Re:A little late to the party... by Anonymous Coward · · Score: 2, Informative

      Yep, definitely a bug.
              trust(google) == trust(nsa) == 0
      Add parens.
            (trust(google) == trust(nsa)) == 0
      A little more clarity
            (trust(google) == trust(nsa)) == false
      (x == false) can be written as "not x"
              trust(google) != trust(nsa)

      Therefore, the statement appears to be saying that neither google nor the nsa can be trusted, but is actually saying that you can trust one or the other but not both (xor)

    5. Re:A little late to the party... by TheGratefulNet · · Score: 2

      Not if they think there's a buck in it.

      too damned fickle!

      they could quickly turn-around and decide they are no longer friends of freedom.

      google has shown its true colors. anyone who trusts them, now, is a fool.

      freedom cannot be financially motivated. that mixes the wrong things together.

      in fact, corporations that have a profit motive CANNOT be trusted. period!

      --

      --
      "It is now safe to switch off your computer."
  2. Then Facebook will come out with a service by Anonymous Coward · · Score: 4, Funny

    to allow ppl to avoid Google's eavesdropping....

  3. Re:Captain Obvious by Anonymous Coward · · Score: 3, Insightful

    This is known. That is why the penalty for espionage tends to be capital punishment or life imprisonment.

    Your PINs are protected by "security through obscurity," by the way. Your health records, school records, and tax records are protected in the same way as the secrets that Snowden stole.

    By the way, the phrase "security through obscurity" is a reference to encryption schemes that rely upon the algorithm not being known for its protective value, not to the general idea of keeping secrets.

  4. So In Other Words by Anonymous Coward · · Score: 4, Insightful

    uProxy has been compromised and should not be trusted.

  5. My friends are my identity by Anonymous Coward · · Score: 5, Insightful

    I don't get what's so nice about it, the NSA already knows who I am friends with. So no matter how we route traffic in our min-TOR, all exits identify us. The whole point of VPNs, TOR etc. is to hide within massive noise.

  6. False. by girlintraining · · Score: 5, Insightful

    No, if Google actually wanted that, they'd make their search engine work with Tor instead of saying "I'm sorry, but we're recieving a high volume of suspicious requests from your computer..." with a picture of a robot giving you the middle finger next to it. What Google wants is for you to use their service, and if that means pandering to the "NSA is evil" crowd, they'll make trivial gestures about privacy to attract them.

    But Google is in bed with the NSA, CIA, DHS, etc., as is all other large corporations because if you don't play ball with them, you don't get to play. At all. No PR is going to convince me otherwise, and you would be wise to do the same.

    --
    #fuckbeta #iamslashdot #dicemustdie
    1. Re:False. by ArbitraryName · · Score: 2

      The Tor Browser bundle with HTTPS Everywhere works perfectly fine with Google.

    2. Re:False. by girlintraining · · Score: 4, Informative

      The Tor Browser bundle with HTTPS Everywhere works perfectly fine with Google.

      Not during prime time. I have to hop to a new exit point sometimes 5 or 6 times to find one that Google hasn't decided to lock out. Entering a CAPTCHA with every query is annoying, but whatever... but just plain failing... it does that often. Especially during prime time hours (6pm-2am US Eastern)

      --
      #fuckbeta #iamslashdot #dicemustdie
    3. Re:False. by swillden · · Score: 3, Interesting

      No, if Google actually wanted that, they'd make their search engine work with Tor instead of saying "I'm sorry, but we're recieving a high volume of suspicious requests from your computer..."

      Did you miss the articles about the NSA's penetration of Tor? Why would you want to use their service? Google's solution is much better: route your traffic through the machines of people you know personally, or at least friends of friends, etc.

      Note that I'm not saying Google's failure to work through Tor is because they think Tor is a bad idea. It's much simpler: Tor outlet nodes are indistinguishable from clickbots. uProxy nodes that have too many users will have the same issue, but the idea is that uProxy makes the barrier to entry low enough that the traffic will be more distributed.

      (Disclaimer: I work for Google, but not on search, uProxy, or anything else discussed here. I do think uProxy is a cool and clever hack, though, and I applaud Google for supporting it.)

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:False. by Kasar · · Score: 2

      The TOR issues are mostly Javascript, the package is decent enough, but running NoScript continually can be inconvenient, so of course people turn it off and open themselves up to malware. You think uProxy would be immune to this?

      --
      vi? Who's that?
    5. Re:False. by Myen · · Score: 2

      Is there a particular reason to block reading (search) instead of writing, given a highly suspect origin? That is, they can enable search and disable mail/plus/whatever, right?

      I guess my question boils down to, what advantage does SEO pieces of shit get from searching Google? The only thing I can think of off the top of my head is to check if their SEOing was successful. That doesn't seem overly useful to me (but then, I've never tried to look at that).

  7. Trust by CanHasDIY · · Score: 4, Insightful

    "Trust me," said the fox to the hen, "You can keep your eggs in my basket and I'll make sure the other foxes don't eat them."

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
    1. Re:Trust by swillden · · Score: 4, Informative

      "Trust me," said the fox to the hen, "You can keep your eggs in my basket and I'll make sure the other foxes don't eat them."

      Google is saying exactly the opposite. Google is saying you should find someone you do find trustworthy, and route your traffic through their machine, not suggesting that you trust Google.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  8. Re:Can VPN traffic be identified as such? by kyle3489 · · Score: 5, Insightful

    OpenVPN (and therefore probably this solution) can be configured to appear as though it's normal SSL traffic (like you're visiting an https web URL). It's one of the things that makes OpenVPN so great, and hard to block.

  9. BS by Anonymous Coward · · Score: 2

    This is more BS from Google. They open their infrastructure up to the NSA and get caught (who are you going to believe? Google or Snowden?), and now they keep on dribbling pathetic treats to us.

    Stop using Chrome. Stop using gmail. Move your data outside the u.s.

  10. The 12th of Never by davmoo · · Score: 3, Funny

    "when will the public finally demand that communications which pass encrypted through a third party still retain an reasonable expectation of privacy (rendering them pen register order-resistant)?"

    As soon as NSA spying prevents them from watching "Dancing With the Stars" and "Honey Boo Boo".

    --
    I want a new quote. One that won't spill. One that don't cost too much. Or come in a pill.
  11. playing both sides by themushroom · · Score: 2

    Funny how Google is trying to come up with ways around the Great Firewall of China when, contrary to their 'do no evil', awhile ago was tailoring their search engine for China to accomidate their government rather than defeat the Firewall. I'm sure you can find at least one /. article about this in the archives...

    --
    Laughter is the Spackle of the Soul.
  12. Re:Captain Obvious by ArbitraryName · · Score: 2

    Obscurity of the right things is a fundamental layer of security. When the phrase "security by obscurity" is used correctly, it is to deride a reliance on keeping the wrong things obscure, like fundamental algorithms.

  13. Re:Will never be able to trust a U.S. company agai by kyle3489 · · Score: 2

    Making it open source would be a good start building trust... we'll see. Seeing as the VPN is only between friends, data doesn't ever have to see a google server, so there's not a whole lot of trusting that NEEDS to happen.

  14. Re:but not on Google Fiber by ArbitraryName · · Score: 4, Informative

    And immediately afterwards Google updated their policies to clarify that personal servers were allowed. Non-commercial VPN is explicitly allowed.

  15. Re:Will never be able to trust a U.S. company agai by WillAffleckUW · · Score: 2

    Legally, any company is required, by the unconstitutional law the NSA uses, to NOT disclose they are giving your information away.

    Like Microsoft, Adobe, Apple, Google, and all your communications providers.

    All of them.

    Every. Single. One.

    Did I mention the backdoors in the chips in your computer and your comm gear?

    --
    -- Tigger warning: This post may contain tiggers! --
  16. If they really want to help... by Trimaxion · · Score: 4, Interesting

    I'd like to see Google make an effort to build GPG into their product and make it easy for people to use.

    If anyone can do it, it's Google, but they won't. It's hard to deliver targeted advertising when you can't read your users' email.

  17. Who Owns Key? What Signs Upstream? by Jeremiah+Cornelius · · Score: 4, Interesting

    I don't get what's so nice about it, the NSA already knows who I am friends with. So no matter how we route traffic in our min-TOR, all exits identify us. The whole point of VPNs, TOR etc. is to hide within massive noise.

    I want no part of "Google freedom". Their self driving cars? If these are the norm, they'll know where you are - all the time - and be queriable for your violations of speed limits and other "indiscretions".

    If you trust them for VPN? How are keys generated? Who is the root of trust? This is your real question.

    This idiom reflects the ever closer union between the State Department and Silicon Valley, as personified by Mr. Schmidt, the executive chairman of Google, and Mr. Cohen, a former adviser to Condoleezza Rice and Hillary Clinton who is now director of Google Ideas.

    -- Julian Assange, The Banality of 'Don't Be Evil"

    I'm with Admiral Ackbar, on this one:
    "IT'S A TRAP!"

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  18. Re:Time for Sealand to have a new product - by ebno-10db · · Score: 2

    Switzerland is a more realistic choice. They have very strong data protection laws and don't have the shenanigans you see happening in the EU.

    And would never get involved in money laundering either.