Slashdot Mirror

← Back to Stories (view on slashdot.org)

Alphabet's Cybersecurity Group Touts Its New Open Source Private VPN (digitalocean.com)

Posted by EditorDavid on from the sniff-me-not dept.

An anonymous reader writes: Alphabet's cybersecurity division Jigsaw has designed a new open source private VPN aimed at journalists and the people sending them data. "Their work makes them more vulnerable to attack," said Santiago Andrigo, Jigsaw's product manager. "It can get really scary when they're outed and you're passing over information."

Unscrupulous VPN providers can steal your identity, peek in on your data, inject their own ads on non-secure pages, or analyze your browsing habits and sell that information to advertisers, says one Jigsaw official. And you can't know for sure whether you can trust them, no matter what they say in the app store. "Journalists should be aware that their online activities might be subject to surveillance either by government agencies, their internet service providers or a hacker with malicious intent," said Laura Tich, technical evangelist for Code for Africa, a resource for African journalists. "As surveillance becomes ubiquitous in today's world, journalists face an increasing challenge in establishing secure communication in the digital space."

The new private VPN, dubbed "Outline", is specifically designed to be resistant to censorship — because it's harder to detect as a VPN (and therefore is less likely to be blocked). Outline uses an encrypted socks5 proxy that looks like normal internet traffic. Once the user chooses a server location, Outline spins up a DigitalOcean server on Ubuntu, installs Docker, and imports an image of the actual server.

It's been named Outline because in places where internet use may be restricted — it gives you a line out.

44 of 106 comments (clear)

  1. Fuck Alphabet. by Anonymous Coward · · Score: 5, Insightful

    Yeah, trust the largest data mining and advertising company in the world to keep your data private... NOT.

    1. Re:Fuck Alphabet. by bill_mcgonigle · · Score: 5, Insightful

      Totally ignore the Snowden slides and all the Valley insiders that say Alphabet has data-sharing agreements with all the intelligence agencies.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:Fuck Alphabet. by Dunbal · · Score: 1

      Hey if you're going to let youserlf be thrown under the bus by your VPN, you might as well let US do it! -- Alphabet

      --
      Seven puppies were harmed during the making of this post.
    3. Re: Fuck Alphabet. by Anonymous Coward · · Score: 1

      I'm saying that because Google and Alphabet are poor corporate citizens that want to suck up to repressive regimes like China while trying to paint it as a noble act. How convenient that the company is now coming out with a new "private" VPN after announcing a new re-entry to China. Only an idiot would trust this VPN.

    4. Re: Fuck Alphabet. by spacepimp · · Score: 1

      only an idiot would trust open source code they can see/manipulate? Is that how this works now?

  2. Unscrupulous by Anonymous Coward · · Score: 2, Funny

    "Unscrupulous VPN providers can steal your identity, peek in on your data, inject their own ads on non-secure pages, or analyze your browsing habits and sell that information to advertisers ..."

    So, Alphabet is talking about themselves, right?

  3. Department of redundancy department by belg4mit · · Score: 2

    private virtual private network, eh?

    --
    Were that I say, pancakes?
    1. Re:Department of redundancy department by bruce_the_loon · · Score: 1

      Not normally a pendantic replier, but in this case it's a private VPN as opposed to a commercial one or a corporate one. You spin it up for a purpose, talking to one source maybe, and not for everyone to use at the same time.

      --
      Trying to become famous by taking photos. Visit my homepage please.
    2. Re:Department of redundancy department by belg4mit · · Score: 1

      Personal or non-commercial seem like better modifiers than a second private in that case: personal virtual private network.

      --
      Were that I say, pancakes?
    3. Re:Department of redundancy department by MightyMartian · · Score: 1

      If there's a private key involved, short of a vulnerability in the encryption library, why would this allow Google to siphon your data?

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    4. Re:Department of redundancy department by Chrontius · · Score: 1

      You throw shade, but I bet that a Yubikey would actually let you do that securely...

    5. Re:Department of redundancy department by MightyMartian · · Score: 1

      My ISP can do the same with my VPN. It's not some tool for concealing every aspect of the communication.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
  4. What problem exactly? by Anonymous Coward · · Score: 1

    Re: "Now users can create their own personal VPN to their own personal server" -- Defeats one of the main features of a VPN, i.e. anonymity. The whole point of VPNs & TOR is to bury sensitive information in a haystack of other encrypted traffic to make it harder to find. Also, if national security agencies are tracking journalists, they'll do it with targeted techniques, rendering VPNs & TOR ineffective. I'll wait till I hear about this from independent security experts about what real world problems it actually solves or not.

    1. Re:What problem exactly? by MightyMartian · · Score: 4, Insightful

      When was the point of encryption ever anonymity? The point has always been to transmit data over open channels in a manner that it couldn't be decrypted. The Germans and Allies were doing it all the time during WWII, and interception was expected (if a message couldn't be intercepted, then there would be no need for encryption). One of the failures I see with networks like TOR is the misapplication of encryption for anonymity. Anonymizing data (ie. stripping out metadata) is a separate discipline. The two can certainly be combined, but they are not the same thing.

      When I connect to my online banking, I have some expectation that my identity will be known. I'm not relying on the secrecy of the transaction, I'm relying on the inability of a middle man being able to gleen any details of the transaction.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    2. Re:What problem exactly? by infolation · · Score: 1

      To promote real anonymity Jigsaw/Digital Ocean should:

      [1] Make it just as easy to set up a private obfs4 TOR bridge.
      [2] Permit payment for Digital Ocean accounts by cryptocurrency, ideally Monero.

    3. Re:What problem exactly? by nine-times · · Score: 1

      The purpose of traditional VPN is that you want to connect to a private network, and secure that connection by encrypting the traffic. However, the purpose of a lot of "VPN" services is actually to make it harder for someone to monitor or block your communications. Without a VPN, your ISP (or someone else) can potentially see what sites and services you're accessing even if the traffic itself is encrypted, and the services can easily keep track of the source address. The VPN service isn't necessarily enough to keep the communications anonymous, but it takes care of part of the problem.

      When I connect to my online banking, I have some expectation that my identity will be known. I'm not relying on the secrecy of the transaction, I'm relying on the inability of a middle man being able to gleen any details of the transaction.

      That's already handled by the fact that your bank uses SSL on their website.

    4. Re:What problem exactly? by MightyMartian · · Score: 1

      Yes, but what my banking app doesn't do is hide that an IP address provisioned to me connected to a bank web server. The whole point of SSL is to obscure with a high degree of rigor what exactly it was I was doing connecting to the bank.

      Encryption systems are designed for that purpose, and in reality as hard as encryption is, it's much easier than anonymizing data. Even encrypted data can leave some tell tale signs. Padding out data, burying it other data, all can be used to further hide the nature of a transmission, but fundamentally encryption is not about hiding the sender and/or receiver, and assuming an encrypted VPN is a good way to anonymize data or identity is an error.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    5. Re:What problem exactly? by ediron2 · · Score: 1

      Banking is just one use case. It's not remotely like cypherpunk activity. And the point of cryptography actually boils down to 3 traits: privacy, authentication, and integrity.

      When is anonymity a desired feature? Off the cuff: Cyperpunks, whistleblowing, dissidents, espionage, communication between guerrilla cells, snowden, wikileaks, the pentagon papers, deep throat, the panama papers, insurrections against despots, insurrections against good rulers, affairs, snitching on affairs, snitches in general, illegal activity, disapproved activity (e.g., the new societal 'ratings' systems that China is implementing). Like I said, that's just off the cuff.

  5. Alphabet marketing executive says by bobstreo · · Score: 1

    "Maybe if they keep seeing Private, they'll think it provides privacy."

    1. Re:Alphabet marketing executive says by Quakeulf · · Score: 1

      Alphabet is death to trust.

  6. A Google VPN? Hold on, I'll strip naked... by Anonymous Coward · · Score: 1

    The data kraken offering to keep our communication and maybe even identity a secret?
    Thanks, but I'm waiting for the NSA to announce a joint-venture with the FSB, Mossad and China, to get my VPN from!

    1. Re:A Google VPN? Hold on, I'll strip naked... by Dunbal · · Score: 1

      They never said secret. They said private. In the same way that airport business class lounges are private to pretty much anyone with a credit card.

      --
      Seven puppies were harmed during the making of this post.
    2. Re:A Google VPN? Hold on, I'll strip naked... by Dunbal · · Score: 1

      Private and secret are synonyms within the English language.

      Contemplate this next time you're on someone's "secret property". Words can have multiple meanings and just because they share one meaning does not make them equivalent. Yes and I see that thesaurus you are privating into your pockets...

      --
      Seven puppies were harmed during the making of this post.
  7. No need for VPN software other than SSH. by Vitus+Wagner · · Score: 4, Informative

    If you have you own (or event shared with other people) server where you can login via SSH, you don't need any other VPN software. Just start ssh session to it with dynamic forwarding and use it as Socks5 proxy.
    Any cheap server on Digital Ocean, Amazon or elsewhere would do as long as you reasonable sure that it is located in the country which don't track you.

    Of course, openssh has more elaborate VPN soulution built in, but it requires administrative rights on both ends of link. And dynamic port forwarding works by default as long as you have ssh client (putty would do) which supports it, and you can tune proxy settings in your browser.

    1. Re:No need for VPN software other than SSH. by pz · · Score: 2

      My personal favorite spin on ssh is sshtunnel. I'm not affiliated with the project, just a very satisfied user. As long as I have ssh access to my server, I can get anywhere on the net, no matter where I might be sitting at the moment.

      --

      Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
    2. Re:No need for VPN software other than SSH. by DaMattster · · Score: 1

      SSH is convenient but there is a fair amount of overhead so browsing can be slow.

    3. Re:No need for VPN software other than SSH. by pz · · Score: 1

      I don't exactly know. I tried following various instructions on the web to set up a VPN with the inherent features of SSH, and it seemed impossible with my use case: laptop in hostile location, and an inability to install any software or open custom ports on my (el-cheapo shared) server. But I was able to get sshtunnel up in under 5 minutes: it just works. Nothing gets installed, no obscure ports to open here or there, no easy-to-forget settings to use on my laptop. I'm not an expert, and maybe sshtunnel is just a tool of convenience, but it works, and, for me, works well.

      Please explain how to do the same thing with vanilla ssh ... is it possible?

      --

      Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
    4. Re:No need for VPN software other than SSH. by ottdmk · · Score: 1

      Isn't running a tcp connection over another tcp connection kinda painful, performance-wise? I don't run a VPN at home (don't have a reason to, personally) but I do maintain an OpenVPN server on my home FreeBSD desktop. Comes in quite handy, and learning how to configure it has been a lot of fun. I mostly use it to secure my tablet when I'm using open wi-fi somewhere. Sure, it doubles the bandwidth going through my home connection but hey, I'm lucky enough to have an unlimited bandwidth account, so why not?

  8. Soo... obfsproxy? by PhrostyMcByte · · Score: 2

    It sounds like Google has reinvented obfsproxy, which disguises your traffic to look like innocuous requests. People have been plugging obfsproxy into Tor and OpenVPN for years now.

    1. Re:Soo... obfsproxy? by Anonymous Coward · · Score: 1

      Except this feeds mountains of metadata to Alphabet's maw.

  9. Analyze your habits and sell the info? by mamba-mamba · · Score: 3, Insightful

    Unscrupulous VPN providers can steal your identity, peek in on your data, inject their own ads on non-secure pages, or analyze your browsing habits and sell that information to advertisers...

    You mean, like Google?

    --
    By including this sig, the copyright holders of this work or collection unreservedly place it in the public domain.
  10. Friendly reminder: alphabet is not your friend. by nimbius · · Score: 5, Informative

    Google, and by extension, Alphabet, joined the US PRISM surveillance program in 2009. https://en.wikipedia.org/wiki/...

    --
    Good people go to bed earlier.
  11. Re: Fuck Alphabet. Heil Hitler. by Dunbal · · Score: 1

    Let me guess, they replaced it with a big red dot on a white background?

    --
    Seven puppies were harmed during the making of this post.
  12. Re: Fuck Alphabet. Heil Hitler. by Type44Q · · Score: 1

    So-called Buddhist nations (though that one's more Shinto than Buddhist) aren't known for being particularly Buddhist.

  13. Re: Fuck Alphabet. Heil Hitler. by c6gunner · · Score: 1

    The Nazis rotated it precisely to be different to the religious symbol.

    No, they didn't; you're just repeating nonsense someone once told you without bothering to check it. The swastika has been used by various religions in many different styles, and in both orientations.

  14. Re: Don't use proxies. Use a real tunnel. by c6gunner · · Score: 1

    Yep, doing this right now. Though, instead of a cheap battery powered router I've got a Lynksis WRT 1900. Those little ones are OK for when you need to move around a lot, but they tend to be slow and somewhat limited.

  15. Re: Fuck Alphabet. Heil Hitler. by Anonymous Coward · · Score: 1

    Wikipedia says this:

    The swastika is a geometrical figure and an ancient religious icon from the cultures of Eurasia, where it has been and remains a symbol of divinity and spirituality in Indian religions.

  16. Re: Fuck Alphabet. Heil Hitler. by cheesybagel · · Score: 1

    A lot of them are. It's just that that actual Buddhism practice is mostly stuck in the monasteries. Most people only go to the temples mostly to wish for something rather than seek enlightenment or guidance.

  17. Re: Fuck Alphabet. Heil Hitler. by pezezin · · Score: 2

    Wait, what? I'm a gaijin living in Japan and every single map that I have seen uses the swastika (or manji) to mark temples. I just took a look at Google Maps, and it does the same. Also, the manji faces counter-clockwise, and the Nazi swastika was clockwise (and rotated 45).

    Seriously, it would me really angry if they had to drop a centuries old symbol due to tourists' ignorance.

  18. Which is why I use That One Privacy Site by ArhcAngel · · Score: 1

    "Unscrupulous VPN providers can steal your identity, peek in on your data, inject their own ads on non-secure pages, or analyze your browsing habits and sell that information to advertisers ..."

    Each use case is a little different. Someone in an oppressive country might be trying to get access to much needed news. Another just wants to stream Netflix without AT&T or Verizon from throttling their feed. While yet another wants to remain anonymous for less than honorable reasons. Each case needs their VPN to protect them from different types of intrusion. No one VPN will cover every use case. That's why I do my research at That One Privacy Site I don't know if the information there is all legit but it is mighty thorough. Everything from is the VPN located in a 5 eyes nation down to the ethics of whether they prevent SPAM.

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
  19. Doesn't work in China by Nocturrne · · Score: 1

    I retested this today, just to confirm what I already know. China and their Great Firewall have been able to automatically detect and block Shadowsocks for a long time. The concept of wrapping a VPN client and server into a nice UI is very good, but you'll need much much more than this to accomplish your goal. Seriously, am I very disappointed with Google/Alphabet - you have the resources and ability to change the internet, but you won't do it because privacy would break your business model. Eric Schmidt, Larry Page, Sergey Brin - you should be ashamed.

  20. Re: Fuck Alphabet. Heil Hitler. by AC-x · · Score: 3, Interesting

    The only real problem with the Swastika is a corrupt German government has failed to rehabilitate the swastika, and in the most arrogant fashion chose it ban it in human context

    Um, what exactly do you think Germany could have done post-WW2 to make the Swastika not have negative connotations in western countries?

  21. Almost sounds purpose built for the CIA by Sqreater · · Score: 1

    The CIA just had a communications debacle exposed concerning its information assets in various countries worldwide, causing a roll up of those assets, even the deaths of dozens of those assets at the hands of their countries' security apparatuses. This sounds like something they could use after some modifications.

    --
    E Proelio Veritas.
  22. Re:"Private" my ass by aleph · · Score: 1

    These comments always amuse me.

    Trust me, if Google was the evil you think they are, they'd be doing a much better job of it. They're not nearly that incompetent. (No, seriously. If Google was trying to be evil you'd be way more screwed and not even realise it, but this applies to most large corporations.. There are only a few I'd class as truly evil, Google isn't even close to getting on that list. Naive, narrow sighted, culturally tone deaf, sure)