
Project Shield - aburan28
https://jigsaw.google.com/projects/#project-shield
======
NetStrikeForce
Kudos to both Krebs and Google for their courage. I have profound admiration
for Brian's work and Google's technology.

I didn't know about Project Shield and I think it's an interesting initiative.
However, for some reason it leaves me a bit uneasy (not as much as the idea of
being taken down by a 650Gbps DDoS at will!) - not sure what it is, but we
might be moving towards an Internet where only the "approved" would have
"free" speech.

I really hope ISP naming and shaming takes over, so we can make DDoS a little
bit more difficult.

~~~
mtbcoder
> I really hope ISP naming and shaming takes over, so we can make DDoS a
> little bit more difficult.

I think naming and shaming would have little impact and whatever impact it did
have would be short lived. Consumers tend to have short attention spans and
zero long term memory. Take the banking/finance industry for example, where
egregious, predatory and at times criminal tactics are par for the course.
Banking institutions are named and shamed all the time, yet the Bank of
Americas, Wells Fargos and Goldman Sachs of the world still exist.

~~~
TeMPOraL
From what I hear about the US, many people there don't even have any
alternative ISP to change to...

Also changing a service provider often can be a huge inconvenience for one.
For instance, if I were to learn today that my ISP makes DDoS very easy and
doesn't care about the issue, I'd have a choice between one or two random
small providers I don't know, and two big telecom operators that are already
on my "do no ISP-related business with" list due to their annoying
telemarketing.

~~~
Bartweiss
It's also fairly standard to suffer 1-2 weeks of outages when changing ISPs,
which is somewhere between unwelcome and prohibitive for a lot of people.
Worse, even places with "competitive" markets often have only one provider
giving decent speeds - 1-5 Mbps maximum is not a realistic option for a lot of
uses.

------
Fuzzwah
Post from Brian Krebs about Google using Shield to get Krebs on Security back
up and running:

[https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/](https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/)

~~~
willvarfar
I follow your link
[https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/](https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/)
and I get this:

 _503 Service Temporarily Unavailable_

 _shield_

So it seems to be running shield, but at least part of the attacks are still
getting through? :(

Would be very nice to know what kind of attacks Shield doesn't shield against
etc.

~~~
headmelted
Completely down from here too.

I may need to retract my comments about Akamai. Apparently 680gbps (or
whatever it's at now) is the total amount of traffic the busiest site on the
internet can be hosed with before the internet itself poops the bed.

So, you know, we did learn something from this whole saga.

~~~
nolok
OVH got hit by a bigger than 1Tbps attack this week

~~~
headmelted
Did they?

I saw them report a cannon with 1.5tbps capacity (based on multiple sources),
wasn't clear they were getting hit by that load though (it looked like 991gbps
from what I could gather, which still I didn't know of and is mind-blowing!)

------
themihai
> We’ve met news organizations around the world who suffer crippling digital
> attacks when they publish something controversial.

Good...except Google doesn't protect you from such attacks once the US gov
deems it illegal. We need a safe, anonymous protocol not the network of X
corporation.

~~~
CraftThatBlock
So... Tor?

~~~
dublinben
A network like Freenet would be more appropriate for a situation like this.
Its peer to peer nature is like bittorrent, so the more popular content is,
the more it is replicated, and thus becomes easier to access.

It shouldn't be impossible to design a distributed network that has a positive
feedback loop that makes a DDOS counterproductive, by actually boosting the
targeted materials.

~~~
lkmlkmsfd
> so the more popular content is, the more it is replicated, and thus becomes
> easier to access.

Self censorship.

------
jimmytidey
Rather than seeking a technical solution, I wonder if there is a social one.

If Google promised to upweight DDOSed articles in their (news) rankings in
perpetuity, that's a strong incentive not to DDOS. It also makes sense that
material one person is spending resource trying to suppress is extremely
likely to be interesting to others, so it's not necessarily a bad experience
for someone using the Google news.

Obviously, in the short term it's also useful if they can link to a cached
copy that is still working. A systemic Streisand effect.

~~~
Iv
> If Google promised to upweight DDOSed articles in their (news) rankings in
> perpetuity, that's a strong incentive not to DDOS.

That would actually be a strong incentive to DDOS yourself!

~~~
jimmytidey
That's true. Although institutions deal with that kind of moral hazard in
insurance all the time, so perhaps similar mechanisms could be applied here.

Perhaps sites uprated for having been DDOSed could be marked as such. We
already have to make many decisions about the trustworthiness of news sources,
so maybe it's just another factor.

I can also see why Google would just like to make DDOSing very hard and make
the whole problem go away, rather than the mechanism I'm proposing.

That said, I think there's something gratifying about using an attacker's
willingness and ability to commit resource to removing information as a signal
about the value of that information. Judo chop!

~~~
TeMPOraL
> _Perhaps sites uprated for having been DDOSed could be marked as such. We
> already have to make many decisions about the trustworthiness of news
> sources, so maybe it's just another factor._

Then I'll DDoS your already highly-ranked site just to trigger the
"untrustworthy" mark for it in the results.

The problem with going social is the infinite capability of humans to game
things like that. I strongly sympathize with the desire to "make the whole
problem go away" instead.

------
Fuzzwah
Link to the actual project's page:
[https://projectshield.withgoogle.com/public/](https://projectshield.withgoogle.com/public/)

------
zerognowl
By nature, a personal (clearnet) domain is a single point of failure, because
forever and always attackers know where the site is hosted. This is how DNS
works unfortunately and it's very broken. No such problem exists with TOR
hidden services, so krebs could have his own .ONION and it would prove very
tricky to uncover the servers and boot them offline.

Another mitigation (and there are many DDOS mitigations I'm leaving out here)
is duplicating the content at several different locations, which already have
their DDOS mitigations in place. So if you really want to be heard, hit Google
Plus, Blogger, Twitter, Pastebin, etc. Just copy and paste your message all
over the Internet, and it can prove nearly impossible to censor. Bonus points
for multiple 'backup TLDs' so you could have:

    krebsonsecurity.org
    krebsonsecurity.net
    krebsonsecurity.io
    krebsonsecurity.biz

You only use these in special circumstances like sharing a blogpost with your
friend via email.

More bonus points for mirroring static posts with Varnish cache on multiple
sub-domains like

    wwa.krebsonsecurity.org
    wwb.krebsonsecurity.org
    ww3.krebsonsecurity.org

Even more bonus points for putting resources on CoralCDN:

[http://www.coralcdn.org/](http://www.coralcdn.org/)

------
Kenji
So, does that mean Google (and thus the American State) MitM your website
traffic to protect free speech? I am thrilled! I am so happy that at least
large corporations that cooperate with the ever-more pervasive surveillance
state care about our privacy. /s

That's how you defeat HTTPS.

~~~
rudolf0
It does mean Google is MitMing you, but this is a service they're providing to
organizations that are already at serious risk of DDoS or have been DDoS'd.
Like Krebs' site, which was just hit with a 600+ Gbps DDoS.

Plus, I mean, Google Analytics and various Google-owned ads are already
present on tons of HTTPS sites. That's enough to nullify HTTPS due to the XSS
potential.

How are you getting Google = American State, though?

~~~
Kenji
There is barely a company that visits the white house more than Google. I
wouldn't be surprised if the American state has direct access right into
Google's data center - it wouldn't be the first company whose server building
included a government surveillance room.

------
wernerb
I guess this is where KrebsOnSecurity went to when moving to google cloud? [0]

[0] [https://news.ycombinator.com/item?id=12574428](https://news.ycombinator.com/item?id=12574428)

------
allistar
This isn't going to defend content that threatens the "national security", age
of consent, and copyright laws of the States. So isn't it just a declaration
that Google wants to be the imperialist content police of the internet, spun
under a more benevolent-seeming light?

~~~
tamana
Jigsaw is run by a veteran of the US State Department

------
delinka
> 'Disrupt online radicalization and propaganda'

> 'End repressive censorship'

These are at odds. One person's (politician's? corporation's?) "propaganda" is
another's "Declaration of Independence." How can you possibly tell the
difference?

------
shade23
What would be interesting is if they hand over this project to an organization
like the ICIJ to oversee and run while they merely take care of the
infrastructure. This sort of setup can work. Provided Google provides a
transparent organisation which handles the daily workings. I do not have any
issues if any X corporation provides such opportunities. The kind of attack
that Krebs faced, there is absolutely no possible scenario where a non-profit
could cater to.

Every organization has a bunch of people who support the open web. This could
be their voice from within Google. PS: I am not from Google or a fan boy. Just
that never judge a book by its cover. Let this unfurl before we pass the
judgement.

------
whorleater
> "I’ve been toying with the idea of forming a 501(c)3 non-profit organization
> — ‘The Center for the Defense of Internet Journalism’, if you will — to assist
> Internet journalists with obtaining the kind of protection they may need when
> they become the targets of attacks like the one that hit my site."

Now this is an interesting proposal. A 501(c)3 would need to be unbiased, and
also require a large amount of starting capital. On the other hand, a
non-profit that strives to protect internet free speech is pretty alluring. I
wonder if something like this could be in the next YC fund.

------
jpalomaki
Of course I'm not blaming Google or Cloudflare, but it is kind of sad that
a larger and larger part of the Internet is moving behind their networks. I
don't think this kind of centralization is good for the Internet.

~~~
cleeus
It's the feudalism age of the internet. Everyone needs a lord for protection.

~~~
afsina
Better than nation states.

~~~
nl
That's interesting, in the context of a quote from the KrebsOnSecurity piece
which prompted this post:

 _John Gilmore, an American entrepreneur and civil libertarian, once famously
quipped that “the Internet interprets censorship as damage and routes around
it.” This notion undoubtedly rings true for those who see national governments
as the principal threats to free speech._

 _However, events of the past week have convinced me that one of the
fastest-growing censorship threats on the Internet today comes not from
nation-states, but from super-empowered individuals who have been quietly
building extremely potent cyber weapons with transnational reach._[1]

and also:

 _But as my friend and mentor Roland Dobbins at Arbor Networks eloquently put
it, “When it comes to DDoS attacks, nation-states are just another player.”_

[1] [https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/](https://krebsonsecurity.com/2016/09/the-democratization-of-censorship/)

~~~
afsina
At the end, if nation states are helpless on preventing this, and only being
part of the problem, I say this - our benevolent feudal overlords - is the
preferable solution.

~~~
kyledrake
That's what the "benevolent feudal overlords" want everyone to think. From all
the defeatist DDoS comments I'd say they're doing a good job at it.

As Brian Krebs, myself and numerous other people have pointed out, Cloudflare
could end almost all of the DDoS-for-hire attacks in an hour if they actually
wanted to
[https://news.ycombinator.com/item?id=12577289](https://news.ycombinator.com/item?id=12577289)

~~~
nl
Yeah, that's pretty simplistic. There's no evidence at all that somehow
removing DDOS protection for the payment part of blackmailers' web presence
will somehow make them go away.

Sure, chase down how they do payment. But ultimately a web front end isn't the
thing that makes the payment happen.

~~~
kyledrake
> But ultimately a web front end isn't the thing that makes the payment
> happen.

The "brochure" argument makes 100% sense to me for something like the
distributed web, but not for a dynamic web application. Brochures just sit
there and look at you. Brochures don't take payments and process callbacks,
and send commands to attack.

------
Iv
"Safer from attacks on free speech"

Good. Host a mirror of wikileaks and let's talk.

~~~
biot
Is this something Wikileaks requested but Google turned them down? I'm
wondering if there's some context to your comment or if you're just being
dismissive.

~~~
Iv
I am just being dismissive. I just tend to be triggered by comments like "Most
of the world lives in countries that censor the internet" that assume that USA
does not do that. Wikileaks is the most blatant example, but sci-hub and
Pirate Bay are other examples of US influences censoring the net.

------
dominotw
> We’ve met news organizations around the world who suffer crippling digital
> attacks when they publish something controversial or that questions powerful
> institutions.

What are some of the recent examples of this?

~~~
john_reel
It might not be exactly what you’re looking for, but there was the recent
attack on Brian Krebs.

------
fail2fail2ban
The navigation column on the left is clipped in Chrome and the monochrome
theme is hard to read.

------
yalogin
Is this a competitor to cloudflare?

~~~
willvarfar
> Project Shield is a free service that uses Google technology to protect news
> sites and free expression from DDoS attacks on the web.

So CloudFlare is a service you pay for, and they seem to be hosting every
despicable backwater of the internet so presumably they take no stance of the
'goodness' of the site they protect.

Whereas Shield is a free service, but only extended to those who Google deem
righteous enough to protect?

I think there's room for both. There could also be room for Google extending
it to a paying service, although I'd be surprised if Google would take the
brand risk of extending their protection to porn sites etc irregardless of
fees.

And of course every time Google stand up and protect sites like
KrebsOnSecurity for free, the tech world loves them that little bit more and
it's a massive PR opportunity miss for CloudFlare.

Of course, every time Google stand up and protect sites like KrebsOnSecurity
for free, it's a massive PR loss for Akamai who wouldn't/couldn't.

------
meira
Would Google protect the webapp they created (and gave to Al Jazeera) to
support the creation of Islamic State?

~~~
nkohari
Considering Jigsaw is also interested in combating extremism, I'd say no.

~~~
meira
Only Google Search and Youtube are the apps in Alphabet that are allowed to
support terrorism?

------
crottypeter
Off topic - ish

But this site is broken at even modest levels of zoom.

Content hanging off the left of the window and no scroll bar :-(

~~~
xemdetia
Heck even at 100% on my 1080p monitor it reads 'make people in the afer?'
After zooming out to 67% I have a chance. In actual content it is kind of
irksome that they have 'End repressive censorship' followed by 3 items that
generally are considered censorship at some level.

------
frozenport
This is going to play into the hands of authoritarian regimes like China and
Russia. They will simply block Google.

~~~
contingencies
Couldn't agree more; no idea who is downvoting you, this is the most
insightful comment here. Also, it's fucking hypocritical claiming to support
'net neutrality' while hand-picking sites to receive support of a massive
private-fiber global conglomerate with very strong senior management political
affiliations. Engineers with ethics at google should start a rebellion.

~~~
Dylan16807
China and Russia don't generally censor via DDOS.

A reverse proxy that connects from the internet to the internet does not need
to be neutral. Free hosting does not need to be neutral. Net neutrality is
about packets getting between an end user and the core of the internet fairly.
This service is in a different area entirely.

~~~
contingencies
Straw man about DDoS, nobody asserted that here.

As far as private fiber, global search traffic, cached pages, maps, mail and
advertising goes, Google _already is_ the core of the internet.

------
Mao_Zedang
I wonder what the Google Shield team thinks of YouTube heroes.

------
meira
Great, now the political status quo are even more under Google protection.
What is the selection criteria? To receive money from some American NGOs?
Hold yourselves, more Arab Springs are coming.

