
Alphabet's cyber unit Jigsaw introduces a new security app to bust censorship - sharcerer
https://techcrunch.com/2018/10/03/googles-cyber-unit-jigsaw-introduces-intra-a-security-app-dedicated-to-busting-censorship/
======
bad_user
Good job Google.

I'm a very harsh critique of Google due to the threat they pose for privacy,
however here they are doing a good thing, along the lines of the public DNS
servers they provide, which I know have helped people [1].

Having your requests go through Google is not ideal, however not many people
have the capacity to search for better, but more obscure solutions.

Also this isn't about privacy, but about working around censorship at the DNS
level. If you want privacy, you use an anonymous VPN or Tor. And frankly, if
you can't trust Google's privacy policy for this service, then you shouldn't
use a Google phone.

[1] [https://developers.google.com/speed/public-
dns/](https://developers.google.com/speed/public-dns/)

~~~
i_phish_cats
And yet another part of the company is creating a censored version so that the
CCP will let them back into china.

~~~
bduerst
I mean, China's the one censoring it. Google could link to the censored
websites in the results but that would be a terrible user experience. Wouldn't
it be better to do what they do with DMCA takedowns in the US, where they tell
you how many results have been removed and why?

And Google already censors search results in the EU with the right to be
forgotten, where they've received 41,000 requests from EU politicians, so
there is precedence in working with local governments

~~~
rrix2
They also tied every search request with a government ID according to some
reports and one must assume they’re willing and able to share that with the
Chinese state security. As far as I’m aware the EU isn’t targeting minority
citizens for increased surveillance like the Chinese state is doing to the
Uighurs either.

~~~
bduerst
>They also tied every search request with a government ID according to some
reports

Which ones? I wasn't aware it was even live. Are you talking about Bing, which
is already operating in China?

~~~
rrix2
I wrote in past tense incorrectly, my grammar isn’t so great.

[https://theintercept.com/2018/09/14/google-china-
prototype-l...](https://theintercept.com/2018/09/14/google-china-prototype-
links-searches-to-phone-numbers/)

------
samat
The problem Intra solves is very real. MiTM attack on the DNS are the simplest
ways to censor internet access and they are widely used in many countries.

I do despise google's efforts in dismantling any privacy which is left on the
internet, but this particular program is very good.

I don't get this attitude of 'don't take a cake from the devil'. A) google is
not devil, just another megacorp B) don't be blinded with slogans, evaluate
merits of each offer individually. This particular offer is great and helps
real people aka 'makes the world a better place', lol.

~~~
x220
If Google considers handing off private info to China, which is known to
execute people with disliked political beliefs, it's not self-evidently wrong
to compare Google and their executives to the devil.

Edit: if you want to downvote, please also reply with your ideas and tell me
why you disagree with me.

~~~
r3bl
I've seen no comment here ever praising Google's actions in China here, and
I'm very doubtful I will.

That said, this particular product, which has nothing to do Google's business
with China, is absolutely crucial for people facing censorship elsewhere, and
it is without a doubt a morally good product. You can't even claim that
they're doing it solely to gather DNS data (for whatever reason), because if
they were making an attempt at that, they would sure as fuck wouldn't allow
you to choose Cloudflare.

You can sit here and call that hypocritical because of Google's relationship
in China, but that doesn't make their solution any less good to those facing
censorship. Nobody else stepped up. Jigsaw did, and they deserve to be thanked
for that.

Even if someone's intentions are evil in nature, you're not going to make them
less evil by saying "who cares, you're evil" whenever they do something good.

------
Belphemur
I've been using Intra with my own DoH server for months already. It's stable
and updated regulary:

[https://github.com/Jigsaw-Code/intra](https://github.com/Jigsaw-Code/intra)

Also, if you're looking for a DoH server that block adverts, here is mine:

[https://dns.aaflalo.me/dns-query](https://dns.aaflalo.me/dns-query)

~~~
Boulth
> Also, if you're looking for a DoH server that block adverts, here is mine:

> [https://dns.aaflalo.me/dns-query](https://dns.aaflalo.me/dns-query)

Great! I've been looking for something like this for a long time. Is the
source code open? Not that I don't trust you with my DNS queries but...

~~~
Belphemur
I've written the step I used to do the DoH part.

[https://www.aaflalo.me/2018/10/tutorial-setup-dns-over-
https...](https://www.aaflalo.me/2018/10/tutorial-setup-dns-over-https-
server/)

Still need to document the PiHole part.

I've also disable all logging for Nginx and Pihole. The server is also listed
on [https://dnscrypt.info/public-servers](https://dnscrypt.info/public-
servers)

Also, if you're in the American Continent, you might want to use the proxy I
setup on Google Cloud Platform:

[https://dns-gcp.aaflalo.me/dns-query](https://dns-gcp.aaflalo.me/dns-query)

~~~
Boulth
Very cool, thanks a lot I'll be definitely using your guide.

------
pjc50
What this appears to be is a DNS-over-HTTPs proxy application, which will
route your DNS traffic directly to Google bypassing any substitutions or
deletions made by your local ISP or government.

Whether the advantages of that outweigh giving google your DNS traffic (and
realistically they already know every site you visit, because almost everyone
uses google analytics) depends on your local security situation.

Note that your local security situation may include the good old rubber hose
attack:
[https://security.stackexchange.com/questions/194353/police-f...](https://security.stackexchange.com/questions/194353/police-
forcing-me-to-install-jingwang-spyware-app-how-to-minimize-impact)

~~~
daveFNbuck
It can be configured to use any DNS-over-HTTPs server, and has cloudflare
hard-coded as an option. When you first install it, they have a short
onboarding that ends with asking you to enable needed permissions and
informing you that you can use other providers, so you have a chance to change
the settings before enabling the permissions.

------
fstonemeyer
This is the same division of Google that came up with an AI to determine if a
comment is "toxic":
[https://jigsaw.google.com/projects/#perspective](https://jigsaw.google.com/projects/#perspective)

------
jerkstate
Given Google's track record of working with oppressive governments, why would
anyone rational trust them with this kind of sensitive information?

~~~
sharcerer
I think Jigsaw has a good record of making tools which work for the oppressed
sections or in areas of cybersecurity/censorship etc. Good work must be
appreciated. I don't think any other Big Co. has a division dedicated to
solving such specific problems. Yeah, the China bit is really
saddening/irritating. They're gonna crush their own legacy.

~~~
r3bl
Don't forget about the Project Zero team!

Regardless of my privacy concerns regarding Google and other Alphabet-owned
businesses, Jigsaw and Project Zero teams deserve to be praised by anyone who
gives a shit about privacy/security.

~~~
sharcerer
Project Zero is the reason I regard Google's security as one of the best
(possibly the best). They haven't had any major/minor leak, IIRC, which is a
huge deal. I mean even if 1 data leak occurred in the next 2 years, I wouldn't
be that pissed off (T&C Apply). Accomplishments of these 2 teams deserve more
mention.

------
LethargicStud
Can someone explain why a government couldn't block the IP of this service?
Whether it's a VPN or just dns over https, it seems the servers wouldn't have
infinite dynamic ips and could therefore be blocked.

~~~
Boulth
Yes you're right. That app is just dns over HTTPS for older Android phones.
With all its caveats.

------
apeace
1) What's stopping these countries from blocking the hard-coded
Google/Cloudflare IP addresses? Doesn't seem like a great solution technically
speaking.

2) I wouldn't use this if I lived in China. Companies operating in China are
required to turn over data about their users to the government. And Google is
soon going to be partnering with China to release a censored version of their
search engine[1]. Now they can provide the government your _entire_ browsing
history, not just your searches!

[1] [https://theintercept.com/2018/08/01/google-china-search-
engi...](https://theintercept.com/2018/08/01/google-china-search-engine-
censorship/)

------
jigaway2
I couldn't help but guffaw at this headline, given that Jigsaw's current
flagship product is an automated censorship bot [1]. This is another example
of the absurd belief that only ISPs can censor the internet, and not trillion
dollar platform companies with monopolies or near-monopolies in several areas.

[1] [https://www.nytimes.com/2017/02/23/technology/google-
jigsaw-...](https://www.nytimes.com/2017/02/23/technology/google-jigsaw-
monitor-toxic-online-comments.html)

------
msravi
Firefox 62 has DoH support enabled.

[https://blog.nightly.mozilla.org/2018/06/01/improving-dns-
pr...](https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-
firefox/)

Has been plenty useful getting around court -ordered clampdowns on torrent
sites in India.

You can configure it to use any publicly known DoH server:
[https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-
av...](https://github.com/curl/curl/wiki/DNS-over-HTTPS#publicly-available-
servers)

------
kypro
Sounds like a cool way to track users wherever they go on the web.

~~~
kylnew
Without looking into the Privacy Policy for details on tracking, it seems like
this would be a lesser of two evils situation. Either experience censorship in
your country or see everything, with the caveat that Google logs it.

~~~
bad_alloc
A country that censors content will be very interested in obtaining these logs
from Google. Since they seem to be willing to cooperate with state actors,
users might set themselves up for reprecussions later on.

~~~
kylnew
No kidding. That was my next thought among other issues with the plan, but I'm
trying not to be too cynical about what will happen to the data. I won't be
using this any time soon, personally.

------
ccnafr
Source, for a lot more details: [https://medium.com/@JigsawTeam/introducing-
intra-a-new-app-t...](https://medium.com/@JigsawTeam/introducing-intra-a-new-
app-to-stop-dns-manipulation-f76de3f5d01)

------
Ajedi32
So it's just a way to backport support for DNS-over-TLS to older Android
versions? Neat, but not as big a deal as the article headline might lead you
to believe.

------
tomp
> That makes it easy for oppressive governments — like Turkey, which has used
> this technique before — to intercept web addresses requests and either kill
> them in their tracks to stop sites from loading, or redirect to a fake site.

Or "non-oppressive" governments like the UK.

------
jillesvangurp
Sounds like a good idea. Most users have so far very little control over
android dns and using TLS sounds like a good idea in any case. Makes you
wonder why this is not more widespread given that there are a lot of nasty
attacks that involve dns hacks.

------
wnevets
I've been using Jigsaw's VPN Outline, it seems to work pretty good on digital
ocean

------
jedisct1
In other DNS-over-HTTPS news, dnscrypt-proxy 2.0.17 has been released:
[https://github.com/jedisct1/dnscrypt-
proxy](https://github.com/jedisct1/dnscrypt-proxy)

------
marcusjt
Play Store URL is
[https://play.google.com/store/apps/details?id=app.intra](https://play.google.com/store/apps/details?id=app.intra)

------
sigmar
anyone using this on LineageOS 15.1? Seems to connect okay, but chrome gives
"err_network_changed" when I go to any site and I'm not sure how to debug...

------
bArray
The app itself fails a DNS leak test, is this app trustworthy?

------
thefounder
How is this different than simply setting Google's DNS servers on your router
or wifi settings ?

------
e40
Near as I can tell, can't be used with things like Blokada that create a VPN.

------
codr4
Security apps from the Alphabet agency's cyber unit, nice. At least they're
not mandatory here yet...

------
philip1209
These dual standards for censorship annoy me.

Google on Venezuelan censoring: bad, fight it

Google on Chinese censoring: complicit, support it

~~~
bun_at_work
Just a few things:

1) This tool is made by an Alphabet owned company (Jigsaw), not Google,
another Alphabet owned company. The companies will have different missions,
even if profits flow the same direction.

2) Venezuela doesn't have a huge market where Google is blocked by a nation-
wide firewall.

3) China has a nation-wide firewall blocking any Google service, thereby
forcing Google to negotiate how their service works if they want to make money
there.

Note: Oversimplifying the situation for the sake of pitchforking a company you
might not like does no one any good. Venezuela and China are very different
companies, in very different environments. Google as a company (and Alphabet,
probably more so) is almost certainly anti-censorship, philosophically; they
just don't operate in a vacuum.

~~~
whatshisface
> _Google as a company (and Alphabet, probably more so) is almost certainly
> anti-censorship, philosophically; they just don 't operate in a vacuum._

Since when was being motivated to do wrong a mitigating condition for having
done wrong? "Sorry officer, I wasn't going to steal it at first, but then I
started wanting it."

~~~
jamescostian
This isn't like theft. It's more like the law says you can't read certain
things, so a printing company adjusts the books they print for the people of
that country. Obviously they don't want to censor things, but they also want
to profit.

They can either be totally censored or partially censored and still make
money. Are you asking for them to give up and accept total censorship and
forfeit money? If not, what would you like Google to do?

~~~
zelon88
China will steal any technology you put in their country.

Not only will they steal it, but they'll use it for whatever they want.

Right now China is talking to Google because they lack the technological
prerequisites to make their goals happen by themselves. If you want to see a
Chinese Google competitor, just let Google get a shoe in the door and wait a
couple years. Then when China has what it wants they'll dismiss Google.

Google's short-sighted greed is going to divide the internet in two. We should
be letting China either stand on it's own or join the rest of the world.
Instead they will prioritize market share in a technologically inept country
and, quite advertently, give the Chinese everything they're lacking to
completely break away from the world wide web and start their own.

I just can't wait until Google gets kicked out of the party they created for
themselves.

~~~
lallysingh
What technology do you think will be on Chinese soil from this?

There's no reason to bring source code over.

~~~
zelon88
Do you really think a nation state (especially a psuedo-communist one) that
involves itself in a project like this with specific requirements (like
backdoors) is going to let it be housed off-site? Do you really think they
won't demand to let their engineers all over it? Inside and out?

The whole reason AMD exists is because IBM wouldn't do business with Intel
without an alternate domestic supplier.

In government manufacturing here in the US we can't even put CUI in the Cloud
if the end-user is the government. And we're democratic. Can you imagine the
export controls on Chinese technology?

The chances that China WON'T see the source code are zero.

~~~
lallysingh
The compiled binaries can end up in a Chinese DC, but the source? I don't
understand why. I don't think Google's interested in being replaced.

------
21
This is richly ironic. I had to check that this was not an article from The
Onion.

Will this tool bypass the censored Google that will be introduced in China?

More likely it will automatically report the user to the Chinese government if
used in China.

~~~
bubblethink
This is about preventing dns manipulation attacks. That assumes that a DNS
server (like 8.8.8.8) is generally accessible, but an adversary is trying to
manipulate the responses. In China, you anyway can't access regular global dns
servers. You need to use official dns supported by the government. So the
question of dns manipulation is moot.

~~~
thisgoodlife
This is not true. I tried 8.8.8.8 and it worked when I visited China 2 years
ago.

~~~
tgsovlerkhgsel
"Worked" does not mean freely accessible. It means you received DNS responses
when you sent DNS requests there, but there's a high chance the responses
weren't coming from Google, and that encrypted connections would fail.

However, it seems that Google hosts the encrypted endpoint separately anyways,
not on 8.8.8.8.

------
r3bl
Can we get a rename of this story?

"Alphabet's Jigsaw" would be more appropriate. Jigsaw is, at best, a sibling
of Google, not a part of Google.

It is explained in the very first sentence, but comments so far don't seem to
acknowledge that.

~~~
mikeash
This is an interesting communications dilemma.

I don't think most people have really understood the Google/Alphabet
transition. When most people think of "Google" they're actually thinking of
Alphabet.

If you say "Google" then you're conveying the correct information using the
wrong term. If you say "Alphabet" then you're using the right term but a lot
of people won't know what you're talking about. What to do?

This is probably less of a problem on HN than it is for TechCrunch.

~~~
sctb
Good point, let's try “Alphabet” in the title here instead.

------
SonnyWortzik
oh just turn it on an use it huh? And collect all of my web queries. Clever.
Yet another mass collection scheme by Alphabet. I have to give it to
Google(the real company here), they sure know how to embed themselves
everywhere in your life.

------
RcouF1uZ4gsC
I find it ironic that both CloudFlare and Google which this app uses, were
involved in the censorship of DailyStormer. It was a vile site and Google and
ClouFlare were fully within their rights to terminate their business agreement
with them. However, they do not also get to turn around and claim the high
moral ground of being anti-censorship in principle. So this is not about
censorship vs free speech, it is about government vs corporate censorship.

~~~
s73v3r_
Choosing not to do business with a company is NOT censorship. The only way you
could believe it to be so is if you believe that the Daily Stormer has a right
to speech, but no one else does.

