> "If someone from a country with limited internet access installs uProxy, they can get a friend from the US to authorize them to surf the open web using their connection. "
People proxying illegal traffic through the USA would immediately be "on file" in the US registered as dissidents, criminals, and potential spies vulnerable to blackmail from US agencies.
I can see CIA looking at how their propaganda are affecting foreign nations by seeing who reads it from where. Foreign nations could even see proxying subversive traffic through the USA as being a worse crime than the subversive traffic itself.
Also important: can you choose what to allow to pass through your connection? Can I rule out the case of someone accessing a child porn site through my connection?
If I were to run such a proxy, I'd only allow HTTPS or ssh traffic that I cannot possibly decrypt even if I wanted to, so I can't be held accountable for what I proxy.
Same is probably true for the other end: if I were to rely on someone unknown out there proxying my connection, I'd strongly prefer my entire connection to be encrypted, and my identity hard to trace. Else my proxying peers might happen to be exactly the people I'm trying to hide from.
> Also important: can you choose what to allow to pass through your connection?
It doesn't appear that you can, but don't proxy for people you don't know, then. How on earth do you propose ruling "out the case of someone accessing a child porn site through my connection?" anyways?
As for the rest, it appears to just be a browser extension that proxies your connection, whether HTTPS or no. If you want to ensure that you're only going over HTTPS, install something like HTTPS Everywhere or block all connections that aren't secure.
This is like a VPN service but decentralized, with all the downsides that brings (have to find a peer, trust the peer, etc). It is not Tor, not a replacement for secure connections to sites, etc
Can we stop every new thread on HN with NSA spy stories? The NSA can/has/is spying on you for a long time and it has nothing to do with any US company. Much of the traffic around the world (bound for the US or not) is routed through the USA due to us being such a central player, and these core routers have been tapped for a long time.
It doesn't matter if you are dealing with "US company" or not.
With most threads, your request would be perfectly reasonable, but this is a technology designed specifically to keep your communications private. There aren't many threads where bringing up the NSA would be more relevant than it is here.
P2P is definitely a viable solution that makes their job significantly more difficult.
It's not nearly that clear what the NSA is doing. I've worked in the NOC and as a datacenter tech at a Regional ISP and we definitely did not have spying gear in our facilities. We had other, regional BGP peers so it's entirely likely your traffic never crossed the Internet to get to its destination. I'm still not convinced they've tapped a significant fraction of anything.
The Internet is a complex decentralized network and the NSA most certainly doesn't have the physical resources to tap more than a small fraction of it.
I'd consider it at least slightly more likely for major ISPs.
Why else would Comcast route traffic from the western part of the Mountain time zone all the way to Chicago or Dallas before going to a destination in California or Washington?
I don't think collaborator is a good term here, it is implying they are secretly giving up US citizens for some evil nefarious purposes to the government. I'd label them as a US based company that is complying with US law.
> I can see CIA looking at how their propaganda are affecting foreign nations by seeing who reads it from where
Interestingly, this is the second Google project on HN today that caters to people in oppressive countries. uProxy and recently announced Project Shield [1]. The major targets are Syria and Iran. Incidentally, they're also targets for the US military :) Intel from the enemy territory will certainly be of interest.
Good PR that Google is getting from it is in no way helping with mass surveillance at home, which they're themselves a big part of.
If it's PR that actually helps build viable tools used to circumvent censorship and improve privacy on the web in general then I'm all for it. Rather that than some silly TV ad campaign, don't you think?
While technically true "the US" here is only used as an example, I don't believe the endpoints have to be in the US (if I understand correctly any user of this extension can choose to become a proxy).
An other point in the video (at around 0:50) mentions that you can select your route through trusted friends. If that's true it means that you can decide where your traffic transits.
Now obviously if you use the binary chrome builds made by Google they might put a backdoor in there but that's always true.
I don't think it's fair to dismiss this because it comes from Google, if it's open source and an open standard everybody will be free to audit it and decide for themselves.
If you don't want to use any crypto-product which might be even remotely related to the NSA then I have bad news for you...
An important point that should be checked would certainly be if and when the plugin on its own tries to contact servers in the US, be they servers of Google or of the other parties involved.
If it doesn't, it deserves the attention of a more thorrough check.
I really like the idea of this, but somehow have a longing for the world we lived in one year ago, when news of such a project would not have been "tainted" by attaching the name of Google to it.
As it is pretty difficult to run reliable audits these days... I would not run it. You open yourself up to everything from the American Homeland Security people to Child Pornographers.
It's a valid issue, in that it's vile the way the US Government sometimes behaves, but that is not a realistic concern for 99.999999% of the world population.
This is meaningless as you don't know whether you're one of those 70 people until you have a black bag over your head.
And sure, today's bogeyman is terrorism. What will tomorrow's bogeyman be? During any time of social upheaval you can expect those in power to attempt to maintain their power. We are fast approaching obsolescence of a vast majority of human labor. What social ideas will spring out of that and how will the powers that be respond to a threat to their power? We've sat watch as the ultimate system of control was created around us; it's only a matter of time before it is unleashed on us completely.
In the USSR and DDR there lived millions of people.
Not everyone was abducted, the numbers are in the thousands.
People fear lightening. We must not fear our government. Fear of the people who are supposed to represent you is not quite democracy.
That is the point of oppression. To instill fear, not bu actually abducting and torturing half the population, just many enough to get the message across.
People should fear neither lightning (it's spelled without an e, by the way) nor the US government. At least if they are not involved nor plausibly confused for being involved with inciting terrorism. At least, if they want their fear to be a tool of survival rather than just an irrational impulse. They should fear car crashes and things like that.
The US does not abduct people to get a message across, as much as you may want to believe that there is some equivalence between what our government is doing and what the government of the USSR did. Now, I'm not claiming that these abductions were right, but it's laughable to try to equate them.
I don't understand what you're trying to say. Khalid al-Masri had better feared the US government, and probably now does. So should everyone who's a muslim or brown, apparently, as the CIA reserves the right to abduct and torture people.
Yes, being abducted and tortured by the CIA is relatively speaking rarer than a car accident, but it's something entirely out of your control, and something completely avoidable.
I'm saying exactly what you think I'm saying. Even if you're in the unfortunate minority that the US chooses to be biased against, you're thousands of times more likely to be hurt in a car accident than to be abducted. That doesn't excuse the CIA's behavior, but it does inform what a rational brown, Muslim person should spend his or her time fearing. (Hint: Other things being equal, not US surveillance of their innocuous internet traffic.)
I didnt equate them. See you in 10 years from now, then Ill equate them.
For now, I was just making the observation that you dont need to activley supress millions of people to have a dictatorship - it is the fear that is keeping the milllions down and in line.
Examples are made of a few, and that process has already started with the Manning and Snowden treatments.
Not to mention the many that are left in a black bag in a bathtub by the CIA/MI6.
Because they are now vulnerable to blackmail from US agencies which can force them to work as their spies.
"Hello, This is NSA. Will you please provide us name of all your team members, your sponsors, and do a few work for us? Otherwise we have a log file that your government will love to see."
You may want to care about US agencies because:
- you or your family members may want to travel to the USA or one of its allies.
- the USA may trade your information with other states, including your own country
- you may want to protect your own country from USA's spying
They're helpless, squabbling over the terms "boat people" and "illegals" to refer to unannounced immigrants. Actually trying to get something sensible out of our government is pointless.
Ever heard of drones? I remember numbers that indicated for a country that there was 1 strike every 3rd day, on average. It was either Pakistan or Afghanistan.
Should one live in New Zealand, Australia, Canada, UK, France, Sweden, Italy, Germany or in one of many other countries with a recent record of bowing to pressure from US agencies (often in spite of local laws and/or over trivial matters like copyright), then one should care indeed.
Because those agencies may eventually leak out that information. If their never delete stuff, everything they have will eventually be published in zeta-byte level leak.
From a cursory reading, 70% of the comments in here are people who came straight to this page to say "I don't trust Google/why wouldn't they do <something else>/Google will just shut this down".
Can we stop with the kneejerk reactions? This is a p2p browser extension, doesn't run through Google, wasn't developed by Google, the only involvement Google had was maybe fund it.
Are we going to be getting these comments any time Google is mentioned from now on?
...and how many of these people's own government are doing the same thing as the NSA? I abhor what the NSA is going, but goodness, I bet 90% of the nation's governments do the same thing.
Are we going to be getting these comments any time Google is mentioned from now on?
Yes, and I think rightly so. What evidence do you have that this will not happen? None - which is the less evidence that the people saying it will happen have. Google has earned that rep and, until 1-3 years have gone in which they've not done something like that, people will continue to bring it up.
> What evidence do you have that this will not happen?
"This" being "shut it down"? My evidence is that this is a third-party extension, developed by a third party and doesn't touch Google's infrastructure at all. They couldn't shut it down if they wanted to. The most they could do would be to cut its funding, but it's still open source.
The point is that Google was once held in high esteem because it acted in an unusually trustworthy way for a large corporation.
Almost everything they were fundamentally trusted on has turned out to be a betrayal. It is right and natural to question and distrust them until they have reestablished trust, which is likely to be a long process.
You will notice that as well as the appropriate distrust, there are also comments from people including yourself who have examined the proxy and determined that Google's trustworthiness is irrelevant to the trustworthiness of the proxy.
This is exactly how it should work. People are right to distrust Google, so the question should be asked. But we are also a technical community who can then analyze and understand the situation to determine whether concern is warranted.
The last thing we need is for people to silence their distrust and for scrutiny to stop.
This is a straw man. Nobody says you should implicitly trust Google, the second line in my comment talks about stopping knee-jerk reactions. People here started ranting about Google without even seeing what the actual product is, which is pretty much the definition of knee-jerk.
I wouldn't mind people criticizing it if it's valid criticism, but this is just talking for the sake of talking.
Asking why we should trust a privacy related product from Google is legitimate. You are assuming that everyone will comprehend the trust model at a glance the way you do, but this is not so.
Your argument seems to be that people shouldn't state their opinions, but should instead do silent research until they come to what you think is the obvious conclusion.
> Your argument seems to be that people shouldn't state their opinions, but should instead do silent research until they come to what you think is the obvious conclusion.
StavrosK wanted "valid criticism" and not "kneejerk reactions"; I don't think that's a fair interpretation of what he meant.
Perhaps it is a fact in our social environment that one cannot expect people to read more than the link title before making claims in comments, much less reading the FAQ (at https://uproxy.org/), but I wish it were not so.
StavrosK wanted a narrow definition of valid criticism.
Narrowly confining ourselves to a technical analysis of ignores that there are other dimensions to how people think about technology, and the perception that Google has created about its trustworthiness is one of them.
It's not as if we are going to explore that topic in a one-time thread and never say anything about it again. It is going to keep being discussed as related issues come up.
While we're speculating about trust and such, the video mentions that it's a browser extension which connects to a trusted peer and uses the peer as a proxy. This leads me to believe that,
1. Since it's a normal browser extension, the source will be readable and verifiable.
2. It probably uses WebRTC.
It seems Google merely plays an incubator role here for the authors. Either way, I don't see much trust issues that other comments are complaining about.
Looking forward to trying this out when it's released.
that's all well and good, but if it's executed by an unverifiable binary build of Chrome (i.e. the one distributed by Google), it's not worth much. For what you know, Chrome might just detect the extension is installed and silently eavesdrop on all its calls.
If this extension will work as-is on third-party Chromium builds compiled from public sources, then yeah, it can be trusted on those builds.
You say that like it probably won't. They state in the FAQ that it will work on FF and Chrome; there's no reason to think it won't work on Chromium as well.
The source code will be released by the University of Washington under the Apache 2 license after the trusted tester phase is completed. If you would like to get involved sooner go to http://uproxy.org/#join
Why isn't there a link to this from the Engadget article? That is useless and shoddy. Do they not know how the internet works, or have a single shred of common sense?
The article has reached a new low in bullshit, knee-jerk, commentary. No one bothers to read the FAQ, or the technical information on how it works. Oh no, just hit "Reply", put on the tin-foil hat, and get going. Yeah, vote this down. I'm frustrated at the quality of HN posters recently.
How exactly could they shut it down? Its a client-side browser extension that uses peer-to-peer connections. It doesn't run on any of Google's infrastructure.
I'm getting a bit tired of seeing this comment every time Google release a new product. I understand that people think they're being insightful in saying this, but they're really not.
I knew that this was going to be a comment before I even opened clicked on the link or looked at the comments. Yes, Google shouldn't have shut down Reader and now get over it.
I wonder how many of my compatriots actually live with those restrictions and how many find ways to circumvent them.
By blocking so many Youtube videos, GEMA has done a huge service to internet literacy in Germany. It still surprises me that, every now and then, I overhear complete laypeople discuss among themselves the setting up of proxy servers.
I find myself to be too lazy to circumvent them, even though I know how. I just close the tab and move on. Oftentimes there are better ways to spend my time than thath anyway. But at least among people I know there are few who know what a proxy is and how it helps them in that regard.
(It also should be noted that GEMA isn't alone to blame there; Youtube basically wanted the rights to store and distribute that content for free or close to, which doesn't work well if GEMA wants compensation.)
(It should also be noted that the GEMA distribution scheme is fundamentally flawed and that it overproportionally compensates well established "big" artists while neglecting young and upcoming artists. But that is another story)
Remains only to figure out how to route the physical delivery via a US address... anyone know of such a service? I'd find that pretty useful actually. A lot of stuff on e.g. Amazon is only available for delivery to the US.
I personally use Aramex shop and ship account http://www.shopandship.com for US only products from Amazon. Buying from Google play is more difficult as they added a security procedure that the credit card has to be from US and the shipping address from should match for circumventing this, earlier one could use a US proxy and order it.
So turn them off. You can do that in Firefox, I don't know about Chrome, but if you're using that then you already are trusting Google just as much as if you use this extension.
You don't need to trust Google. They seeded the project and now it is open source ("uProxy has been developed at the University of Washington, with help from Brave New Software. The project was seeded by Google Ideas.")
uProxy is better than Tor (as long as you have a friend you can trust that has access to the content you are interested in). The problem with Tor and other proxies is that you don't know who controls the proxy or exit node, so can't trust it. Is your government running Tor nodes and logging everything and tracing it back to you? Maybe. You can't know.
That wasn't my point. Have you ever read the source of the extensions you have installed? No. If everybody has that mentality then nothing gets "checked" and malicious code makes it though.
Doubt that it will help a lot - metadata is valuable. Sometimes the fact that you are communicating with someone is as damning as the communication itself.
Unless the addon is really sneaky and confirmed by a lot of people chances are it will still be detectable by DPI. And you have the problem of the addon traversing the state firewall in the first place.
And you need secure OOB way to transport password anyway.
From what I see you need secure way to transport keys and don't minding to raise a few red flags with the authorities.
In that case just rent micro instance with any out of country cloud provider you have access to and ssh tunnel trough it.
The irony here is that they are announcing a tool to subvert restrictions in other countries, but they are following their own countries restrictions to the letter.
"The service has yet to launch, but its creators -- the University of Washington and Brave New Software -- have opened a restricted beta for select, technically adept users to make it as "secure, private, and robust" as possible."
I see uProxy as giving a friend my wireless network password. I'd compare a Tor exit node to printing the network password on my mailbox or posting it to craigslist.
I regularly share my wireless network access with friends without thinking, while running a tor exit node/publishing my network password gives me serious liability concerns.
I'm interested to see if their AdWords/AdSense algos will detect uProxy and choose not to serve ads to its users. Right now, the US/UK/Canada are huge markets for Google AdWords/AdSense but most US-based companies do not have their ads shown in Latvia/Iran/Russia (just to randomly pick some faraway countries). There's a good reason - if I own a restaurant in Dallas, for example, I want people searching for "best dallas steak restaurant" to see my ad. If that starts getting shown worldwide, the CTR will plummet which would not be good for Google.
Fair point. They make an effort with the Browser Bundle but I just tried it and it broke on the second run...
Now I want to write a Tor compatible client that 'just works'. Just one static binary that implements the proxy. It embeds a static firefox binary and a prepared profile, which gets extracted into a visible location so the user can delete it if desired.
Basically minimize its dependence on the environment as much as possible.
Wow. If they added an option to be an intermediate proxy for traffic you were unconnected with, could they turn this thing into a global tor with authorized exit nodes?
Why don't they simply run Tor end nodes in each of their server farms all over the world. That would actually help. But that would not make any mainstream news, would it?
The problem with Tor is that it's not clear who is running which nodes and where you'll come out. uProxy is designed for people who know that their endpoint is friendly, such as a friend who no longer lives in the country, or a journalist that you are working with.
If a dissident hacks into a government site or does something else like speaking out his opinion, will I get arrested for them, when I live in a neighbour country? Or even get arrested for their actions on hacking stuff? I mean the US and Europe both ban hacking and penalize it with more jail time than rape and in some cases even murder.
UProxy is a point-to-point proxy, where both sides know each other (by being buddies on the chat network) and choose to participate with one another. Don't proxy for your hacker friends.
Okay, sorry I didn't read the source code yet, but don't pretty much all the standard block-censorschip-circumvention approaches work here? They don't mention anything that makes it a tool for actively circumventing censorship like... well, all the tools that exist today and have been analyzed throughly.
So now you also expose your confidants? So if you are targeted they automatically get on the list? Why inconvenience the secret service with doing tedious network analysis to flush out your peers - uProxy might (they are not very specific about the security of peers) disclose that automatically...
I have a better idea - bring the cost of project loon balloons really low (order of magnitude below the price of the rockets needed to shoot them) and just flood the censoring country sky with them.
The country will either have to bankrupt itself or open its internet.
This is going to be a nightmare if you verify and process transactions online. How do you now know whether someone who purchased a product is really really on Comcast from SoCal and not someone who's exploited a hole in uProxy?
Another "free" Google service that blinds lay people from objectively considering the cost vs. benefits of online privacy/anonymity (since "free" tends to make us act irrationally). Instead, consider paying the equivalent of a cup or two of coffee and buy yourself a real VPN subscription. Even if you must get yourself a free VPN, consider someone other than Google, a company that already has so much data on your digital lives.
Speaking of lay people who don't objectively evaluate things, you posted this before you even learned the details of what uProxy was. You saw the word "Google" and hit reply.
Did you read the article? It's not a Google service. Why buy a "real" VPN subscription instead of running things through a friend, which is way more decentralized and harder to surveil en masse?
This is a key point: VPNs provide an obvious point of failure, and are easily shut down and/or monitored by repressive regimes. The big concern is not that the VPN is shut down, but that those who connect to it are being monitored, and will get a visit from the secret police.
It's P2P so that you have clear endpoints, so repressive regimes can't ascertain whether it's a VPN or not. It's also helpful in that you might well trust a friend in another country over a VPN company.
I did. I also went to the uProxy site which mentions it was seeded by Google Ideas. Also,
>> One of the ways uProxy connects you through your friends, is by connecting to existing chat networks, such as Facebook or Google Hangouts. uProxy can use a chat network to discover new friends and setup peer-to-peer proxying from your friends. If a user does so, then the chat network can see that the user has uProxy installed. A user's chat contacts may also see this.
So Google funded uProxy; it will be able to see who your VPN "host" is via Google Hangouts; and lastly it controls one of the two browsers on which this plugin runs, Chrome.
This isn't about me. I already use a different VPN. I don't use Hangouts or Google+. Those rare Google services I do use, I use sparingly.
My point was the average Internet Joe or Jane needs to look beyond "free" services and be willing to spend some money buying better alternatives. One of the reasons we're all so compromised on the Internet today is our collective blindness towards the hidden "costs" of free services.
I agree with your point on the costs of free services. I'm happy to pay myself. In some parts of the world, it's very tough to transfer money to a circumvention or anonymizing service without getting in trouble.
But if a user is both unable to assess the security of the system them self, and unwilling to trust another's analysis, the funding model is irrelevant. Source is the gold standard, IMHO, even if that's still not terribly helpful.
In effect, they would also be sending all their sensitive, potentially illegal traffic to be read and copied by the american NSA agency. http://en.wikipedia.org/wiki/PRISM_%28surveillance_program%2...
People proxying illegal traffic through the USA would immediately be "on file" in the US registered as dissidents, criminals, and potential spies vulnerable to blackmail from US agencies.
I can see CIA looking at how their propaganda are affecting foreign nations by seeing who reads it from where. Foreign nations could even see proxying subversive traffic through the USA as being a worse crime than the subversive traffic itself.
Think twice about using this.