
Google announces uProxy - Anon84
http://www.engadget.com/2013/10/21/google-ideas-uproxy/
======
draugadrotten
> _" If someone from a country with limited internet access installs uProxy,
> they can get a friend from the US to authorize them to surf the open web
> using their connection. "_

In effect, they would also be sending all their sensitive, potentially illegal
traffic to be read and copied by the american NSA agency.
[http://en.wikipedia.org/wiki/PRISM_%28surveillance_program%2...](http://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29)

People proxying illegal traffic through the USA would immediately be "on file"
in the US registered as dissidents, criminals, and potential spies vulnerable
to blackmail from US agencies.

I can see CIA looking at how their propaganda are affecting foreign nations by
seeing who reads it from where. Foreign nations could even see proxying
subversive traffic through the USA as being a worse crime than the subversive
traffic itself.

Think twice about using this.

~~~
Grue3
Why would somebody who lives outside of USA care about US agencies? All I want
is to bypass my own country's censorship.

~~~
anon1385
Because non-Americans still have to worry about being abducted off the street
and tortured by American agents: [https://en.wikipedia.org/wiki/Khaled_El-
Masri](https://en.wikipedia.org/wiki/Khaled_El-Masri)

~~~
adventured
It's a valid issue, in that it's vile the way the US Government sometimes
behaves, but _that_ is not a realistic concern for 99.999999% of the world
population.

~~~
aristidb
I think it's a valid concern for more than 70 people.

~~~
r0h1n
Shouldn't that be 7000 people?

~~~
mike-cardwell
No

EDIT: Apparently factually correct statements are worth downvotes.

~~~
r0h1n
Yes, you're right. I made the schoolboy mistake of confusing 0.000001 and
0.000001%

------
StavrosK
From a cursory reading, 70% of the comments in here are people who came
straight to this page to say "I don't trust Google/why wouldn't they do
<something else>/Google will just shut this down".

Can we stop with the kneejerk reactions? This is a p2p browser extension,
doesn't run through Google, wasn't developed by Google, the only involvement
Google had was maybe fund it.

Are we going to be getting these comments any time Google is mentioned from
now on?

~~~
ScottWhigham
_Are we going to be getting these comments any time Google is mentioned from
now on?_

Yes, and I think rightly so. What evidence do you have that this will not
happen? None - which is the _less_ evidence that the people saying it will
happen have. Google has earned that rep and, until 1-3 years have gone in
which they've not done something like that, people will continue to bring it
up.

~~~
StavrosK
> What evidence do you have that this will not happen?

"This" being "shut it down"? My evidence is that this is a third-party
extension, developed by a third party and doesn't touch Google's
infrastructure at all. They couldn't shut it down if they wanted to. The most
they could do would be to cut its funding, but it's still open source.

------
shazow
While we're speculating about trust and such, the video mentions that it's a
browser extension which connects to a trusted peer and uses the peer as a
proxy. This leads me to believe that,

1\. Since it's a normal browser extension, the source will be readable and
verifiable.

2\. It probably uses WebRTC.

It seems Google merely plays an incubator role here for the authors. Either
way, I don't see much trust issues that other comments are complaining about.

Looking forward to trying this out when it's released.

~~~
toyg
_> the source will be readable and verifiable._

that's all well and good, but if it's executed by an unverifiable binary build
of Chrome (i.e. the one distributed by Google), it's not worth much. For what
you know, Chrome might just detect the extension is installed and silently
eavesdrop on all its calls.

 _If_ this extension will work as-is on third-party Chromium builds compiled
from public sources, then yeah, it can be trusted on those builds.

~~~
ye
We actually don't know with 100% certainty that Chrome runs the code that we
see.

Considering Google is forced to comply with NSA's shit (and other agencies in
their respective countries), I wouldn't trust my life to this extension.

~~~
yeukhon
Then compile it yourself. If you don't trust your hardware then what else can
you use?

Can you actually trust people who built your house? What if NSA has built a
device hidden in everyone's house right now?

------
nfm
Official links:

[http://googleblog.blogspot.com.au/2013/10/new-free-
expressio...](http://googleblog.blogspot.com.au/2013/10/new-free-expression-
tools-from-google.html)

[http://uproxy.org/](http://uproxy.org/)

~~~
andyjohnson0
Much more useful than the engadget link. Thanks!

~~~
StavrosK
Why isn't there a link to this from the Engadget article? That is useless and
shoddy. Do they not know how the internet works, or have a single shred of
common sense?

~~~
jessaustin
It's almost as if they care more about traffic than informing their readers.

~~~
StavrosK
Informing their readers _is_ their traffic.

------
cromwellian
The article has reached a new low in bullshit, knee-jerk, commentary. No one
bothers to read the FAQ, or the technical information on how it works. Oh no,
just hit "Reply", put on the tin-foil hat, and get going. Yeah, vote this
down. I'm frustrated at the quality of HN posters recently.

------
tombrossman
Fast forward a year, HN headline: "Google shutting down uProxy".

It looks interesting and I'm sure some number of people will find it useful
while it lasts.

~~~
andyjohnson0
How exactly could they shut it down? Its a client-side browser extension that
uses peer-to-peer connections. It doesn't run on any of Google's
infrastructure.

I'm getting a bit tired of seeing this comment every time Google release a new
product. I understand that people think they're being insightful in saying
this, but they're really not.

~~~
Shish2k
Ok, to rephrase for the pedant: "Google pulls core developers off of uProxy;
without leadership, multiple incompatible forks form and quickly die"

(Not saying that that will happen, just clarifying what I presume is the
grandparent's point)

~~~
andyjohnson0
I'm not a pedant. And the core developers work for the University of
Washington and Brave New Software, not Google. [1].

[1] [http://googleblog.blogspot.com.au/2013/10/new-free-
expressio...](http://googleblog.blogspot.com.au/2013/10/new-free-expression-
tools-from-google.html)

------
nakedrobot2
Nice! So I can use uProxy to access the Google Play store to buy a Nexus
phone? ("Sorry, not available in your country")

Thanks Google :-)

~~~
svantana
Remains only to figure out how to route the physical delivery via a US
address... anyone know of such a service? I'd find that pretty useful
actually. A lot of stuff on e.g. Amazon is only available for delivery to the
US.

~~~
roninresearcher
I personally use Aramex shop and ship account
[http://www.shopandship.com](http://www.shopandship.com) for US only products
from Amazon. Buying from Google play is more difficult as they added a
security procedure that the credit card has to be from US and the shipping
address from should match for circumventing this, earlier one could use a US
proxy and order it.

------
runn1ng
_Can I look at the source code ?_

 _The source code will be released by the University of Washington under the
Apache 2 license after the trusted tester phase is completed ._

This is the important part.

------
gbrindisi
Sorry Google, I can't really trust you anymore.

~~~
simfoo
Open source + p2p. Why wouldn't you trust it?

~~~
_wmd
Automatic updates?

~~~
mhaymo
So turn them off. You can do that in Firefox, I don't know about Chrome, but
if you're using that then you already are trusting Google just as much as if
you use this extension.

------
knob
I wouldn't trust Google with this.

Fuck no.

Why don't they help develop the Tor plugin?

Why don't the open up a whole bunch of Tor nodes?

Wait... scratch that last one.

This is just bad.

~~~
esteth
Because it appears to be open source and peer to peer, so you don't need to
trust Google at all?

~~~
nwh
Open source does not mean secure. Half the time nobody even reads the source,
let alone compares the binaries to the repository.

~~~
esteth
It's a chrome extension, so the source you see is the code executed by your
browser.

~~~
nwh
That wasn't my point. Have you ever read the source of the extensions you have
installed? No. If everybody has that mentality then nothing gets "checked" and
malicious code makes it though.

~~~
rryan
I have read the source of extensions I've installed.

~~~
Dylan16807
And are you a crypto expert?

------
mostafah
It will be very interesting for us living in Iran. We have a lot of friends
abroad.

~~~
venomsnake
Doubt that it will help a lot - metadata is valuable. Sometimes the fact that
you are communicating with someone is as damning as the communication itself.

Unless the addon is really sneaky and confirmed by a lot of people chances are
it will still be detectable by DPI. And you have the problem of the addon
traversing the state firewall in the first place.

And you need secure OOB way to transport password anyway.

From what I see you need secure way to transport keys and don't minding to
raise a few red flags with the authorities.

In that case just rent micro instance with any out of country cloud provider
you have access to and ssh tunnel trough it.

------
xr09
So Google helps building a proxy for by passing their own censorship, Bravo
Google, Bravo. (I'm being ironic of course)

This is what I get any time I try to download anything from Google Code or
Android sdk or even read something hosted on GAE.

[http://s24.postimg.org/gr0lto1l1/work107.png](http://s24.postimg.org/gr0lto1l1/work107.png)

I'm in Cuba but the same should be for Iran and others "bad boys".

~~~
lwf
By "their own", you mean "as required by US export restrictions that all US
companies have to abide by", right?

See also [https://sourceforge.net/blog/clarifying-sourceforgenets-
deni...](https://sourceforge.net/blog/clarifying-sourceforgenets-denial-of-
site-access-for-certain-persons-in-accordance-with-us-law/)

~~~
hrjet
The irony here is that they are announcing a tool to subvert restrictions in
other countries, but they are following their own countries restrictions to
the letter.

~~~
lwf
Right, which they're obligated to do. As a company, you're bound to follow the
laws of the countries in which you do business.

You have the option to direct lobbying power against laws you feel are unjust.

~~~
hrjet
Same could be said about individuals. Citizens are bound to follow the laws of
the land.

~~~
hannibal5
But citizens are not forced to spy on their friends, like these companies are.

------
guidopallemans
why should I trust google for an application that would enhance my internet
privacy?

~~~
binarymax
Privacy is not mentioned at all in the article. This is about bypassing
censorship.

~~~
gbrindisi
What if censorship happens in USA?

~~~
JonSkeptic
>What if censorship happens in USA?

Then people who who use a Google proxy to bypass it get picked up by the FBI.
It's not like Google doesn't give the government data hand over fist.

------
wil421
So is this kinda of like Tor but without the anonymity and only one peer to
connect to?

~~~
parfe
I see uProxy as giving a friend my wireless network password. I'd compare a
Tor exit node to printing the network password on my mailbox or posting it to
craigslist.

I regularly share my wireless network access with friends without thinking,
while running a tor exit node/publishing my network password gives me serious
liability concerns.

------
ScottWhigham
I'm interested to see if their AdWords/AdSense algos will detect uProxy and
choose not to serve ads to its users. Right now, the US/UK/Canada are huge
markets for Google AdWords/AdSense but most US-based companies do not have
their ads shown in Latvia/Iran/Russia (just to randomly pick some faraway
countries). There's a good reason - if I own a restaurant in Dallas, for
example, I want people searching for "best dallas steak restaurant" to see my
ad. If that starts getting shown worldwide, the CTR will plummet which would
not be good for Google.

------
iSnow
Slackers rejoice! No way to block you from surfing porn at work anymore :)

~~~
venomsnake
Because the slackers that surf porn at work have no idea how to bring a tablet
to work loaded with porn.

------
saljam
This sounds good. But how is it better than just installing Tor?

~~~
fiatjaf
"just"? Man, normal people can't install Tor. It is not that it is difficult
for them, it is impossible.

Also, this solves a problem slighlty different from what Tor solves, in my
opinion.

~~~
saljam
Fair point. They make an effort with the Browser Bundle but I just tried it
and it broke on the second run...

Now I want to write a Tor compatible client that 'just works'. Just one static
binary that implements the proxy. It embeds a static firefox binary and a
prepared profile, which gets extracted into a visible location so the user can
delete it if desired.

Basically minimize its dependence on the environment as much as possible.

------
awakeasleep
Wow. If they added an option to be an intermediate proxy for traffic you were
unconnected with, could they turn this thing into a global tor with authorized
exit nodes?

------
jsilence
Why don't they simply run Tor end nodes in each of their server farms all over
the world. That would actually help. But that would not make any mainstream
news, would it?

Bleh.

~~~
Lewisham
The problem with Tor is that it's not clear who is running which nodes and
where you'll come out. uProxy is designed for people who _know_ that their
endpoint is friendly, such as a friend who no longer lives in the country, or
a journalist that you are working with.

------
X4
If a dissident hacks into a government site or does something else like
speaking out his opinion, will I get arrested for them, when I live in a
neighbour country? Or even get arrested for their actions on hacking stuff? I
mean the US and Europe both ban hacking and penalize it with more jail time
than rape and in some cases even murder.

~~~
lallysingh
UProxy is a point-to-point proxy, where both sides know each other (by being
buddies on the chat network) and choose to participate with one another. Don't
proxy for your hacker friends.

------
tete
Okay, sorry I didn't read the source code yet, but don't pretty much all the
standard block-censorschip-circumvention approaches work here? They don't
mention anything that makes it a tool for actively circumventing censorship
like... well, all the tools that exist today and have been analyzed throughly.

------
vsviridov
So now you also expose your confidants? So if you are targeted they
automatically get on the list? Why inconvenience the secret service with doing
tedious network analysis to flush out your peers - uProxy might (they are not
very specific about the security of peers) disclose that automatically...

------
lispm
So US government employees could install it to read Snowden's documents?

Then the NSA gets a list of those who do?

------
venomsnake
I have a better idea - bring the cost of project loon balloons really low
(order of magnitude below the price of the rockets needed to shoot them) and
just flood the censoring country sky with them.

The country will either have to bankrupt itself or open its internet.

------
jjoe
This is going to be a nightmare if you verify and process transactions online.
How do you now know whether someone who purchased a product is really really
on Comcast from SoCal and not someone who's exploited a hole in uProxy?

------
benologist
Original url: [http://www.reuters.com/article/2013/10/22/google-tools-
idUSL...](http://www.reuters.com/article/2013/10/22/google-tools-
idUSL1N0IB25B20131022)

------
lotsofcows
Good timing as nyud.net seems to have stopped working.

------
r0h1n
Another "free" Google service that blinds lay people from objectively
considering the cost vs. benefits of online privacy/anonymity (since "free"
tends to make us act irrationally). Instead, consider paying the equivalent of
a cup or two of coffee and buy yourself a real VPN subscription. Even if you
must get yourself a free VPN, consider someone other than Google, a company
that already has so much data on your digital lives.

~~~
StavrosK
Did you read the article? It's not a Google service. Why buy a "real" VPN
subscription instead of running things through a friend, which is way more
decentralized and harder to surveil en masse?

~~~
r0h1n
I did. I also went to the uProxy site which mentions it was seeded by Google
Ideas. Also,

>> One of the ways uProxy connects you through your friends, is by connecting
to existing chat networks, such as Facebook or Google Hangouts. uProxy can use
a chat network to discover new friends and setup peer-to-peer proxying from
your friends. If a user does so, then the chat network can see that the user
has uProxy installed. A user's chat contacts may also see this.

So Google funded uProxy; it will be able to see who your VPN "host" is via
Google Hangouts; and lastly it controls one of the two browsers on which this
plugin runs, Chrome.

That's too much Google for me, personally.

~~~
lallysingh
.. So don't use it on hangouts and run it on Firefox. Scan the source for any
"call home code."

~~~
r0h1n
This isn't about me. I already use a different VPN. I don't use Hangouts or
Google+. Those rare Google services I do use, I use sparingly.

My point was the average Internet Joe or Jane needs to look beyond "free"
services and be willing to spend some money buying better alternatives. One of
the reasons we're all so compromised on the Internet today is our collective
blindness towards the hidden "costs" of free services.

~~~
lallysingh
I agree with your point on the costs of free services. I'm happy to pay
myself. In some parts of the world, it's very tough to transfer money to a
circumvention or anonymizing service without getting in trouble.

But if a user is both unable to assess the security of the system them self,
and unwilling to trust another's analysis, the funding model is irrelevant.
Source is the gold standard, IMHO, even if that's still not terribly helpful.

------
caiob
Hulu, Pandora and other US-only internet services now available. Brought to
you by Google.

------
gohwell
What about corporate firewalls?

------
fbeans
How is this new? I can create a proxy server now, and I can share it with a
friend and they can use my internet connection. They can do the same.

This is new because, It's likely easier to use, and it's all done in the
browser.

The technology is certainly not new though...

Apache with mod_proxy, nginx, squid, ssh,

just to name a few of the many ways to do this...

Further to this, one doesn't need a browser plugin to do this, firefox for
example already has configurable options to connect to proxy servers.

