42 comments

[ 3.3 ms ] story [ 91.9 ms ] thread
Apart from tunnelling all traffic, Has anyone checked to see how malicious the Onavo installer is? The pessimist in me expects SSL root certs and even keylogg-e-r-s - apologies, dictionary personalisation profiles.
How can any self-respecting programmer at FB work on a project like this? At least most of the IE6 toolbar spyware had some useful purpose for the end-user... smileys, pagerank, search bar etc...

This on the other hand is straight up deception in my mind. Hot air. Prove me wrong? What benefit does anyone get from installing this?

Programmers typically don’t work on mergers and acquisitions.
Google does it too. It kicks in when you are on public wifi if you opt in. It's a vpn app at the end of the day that's optional. I don't see much reason for all the outcry. Assuming a majority of the web moves to https soon (going by the chrome roadmap), you are only giving second order data like dns to the vpn or isp. And I don't see much reason to trust isps more than Google/FB.
>How can any self-respecting programmer at FB work on a project like this?

You mean like the hundreds who work on Deep packet inspection technology?

Catch child predators and terrorism seems like a probable rationalisation.
We need something like a Hippocratic Oath for IT professionals.
We might need it but it's of course impossible given how easy it is even for a child to get started in professional IT.
Have a software equivalent of the AMA, have licenses to practice, and that’s solved.
Not even close. There is Tor, there is Bitcoin. Also do you realise how much would this ruin IT?
It would ruin the “Wild West” and it’s about god damned time.
It would do nothing about the "wild west", it'd just make it even worse. And no, there is zero reason why such a regulation would be justified.
How would regulation and self-policing make things worse? And really zero reason? That sounds like an ideological rather than a rational position to me.
So what is the rational reason you're talking about? Respectfully, I don't think you know what you're talking about at all. Do you have any kind of experience or knowledge about macroeconomics or economics at all?

Let's see what would happen:

- the government will soon require degree to be accepted, ruining the nonexistent entry barrier we have right now. Why? The government has incentives not to allow as much people as possible, but the opposite: to have as little work as possible because there would be no free market competition.

- how does this regulation work? Every software developer has to be allowed to write SW? Every software that is used has to be written by people who have passed the test? Will you forbid importing software? Because if no, then this will just extremely increase prices and everything will be outsourced to foreign countries.

- what about foreign software such as Linux? What about software where some contributors are anonymous?

- do you really think that people who focus so much on their freedom and privacy will accept this or will they rather find a workaround?

All in all, this would ruin the IT market in the US. Please do it! I would love to sell my services to the US for at least triple the price.

Did you even think about this? Please stop going around and suggesting such destructive social experiments without even giving any real arguments.

> How would regulation and self-policing make things worse?

Imposing whimsical and arbitrary barriers to entry that have zero to do with technical hability solves nothing, and its absolutely ridiculous how you present that as solution to the problem of someone having developed highly technical software that you happen to not like.

Make it worse how exactly..? Big public companies will be chastised if they don't hire certified practicioners. With the huge amount of sensitive data we process as developers, it's only logical that we are going to need licensing in developed countries sooner than later.

Imagine if anyone would be able to practise as a lawyer, financial advisor or even a doctor without accreditation. It'd be a huge controversy.

Unfortunately, ethics is not a course taught in most college majors, and is virtually non-existent in public schools.
Is it not? Every major at my STEM uni was required to take an ethics course. Sometimes multiple, depending on the field.
I graduated relatively recently, and only had to take one- it turned out to be a semester long "piracy is bad" course.
Ethics courses don't make anyone more or less ethical. If lectures were any effective in shaping anyone's moral compass, church services wouldn't happen so often.
For money. Most people do a job to make money so they can take care of their family etc. Facebook tends to pay pretty well.
Well then will FB work ? Which part of FB is respected ?
What’s most alarming are the AppStore reviews [0] - a majority of the authors appear to have downloaded the app after clicking a banner ad which claimed their iPhone had viruses.

For example: “I just downloaded it today because of four viruses so I hope it helps get rid of them” - burnt tacos

[0] https://itunes.apple.com/us/app/onavo-protect-vpn-security/i...

This all depends whether you trust your ISP more than Facebook or not.
I pay my ISP a lot of money each month. They don’t need my data to be profitable. Facebook, on the other hand, has a business model completely dependent on selling advertising based on my data to 3rd parties.
Exactly. It's terrifying how many people still don't get it, no matter how many times it is repeated - you are not a customer, you are a product!
off the top of my head, AT&T and Verizon have done various forms of customer tracking for advertisers. They both used supercookies at some point, which were injected into customer egress, and ATT used to inspect web traffic in order to target ads (opt-out with a monthly fee, of course).
Certainly, if ISPs can access your data, they would like to. Its basically free money. But its not a life-or-death situation for them, and thus my (somewhat uneducated) guess is that there is less management focus on things like deep packet inspection and consumer targeting. They can also jsut jack up prices or sell more subscriptions. At Facebook, on the other hand, selling ads is priority number 0. Its the only way to make money. So I'd worry more about Facebook seeing my traffic.
However that happened in America, land of the greed. If you're from other countries, I think the point still stands.
Exactly the low quality crap you would expect from gizmodo. Who would you rather trust? Random VPN app or Facebook? The choice is obvious to me.
Well in this case "random VPN app" and "facebook" are the same thing. So you automatically lose if you choose either!
No they aren't? Random VPN app is like one of these[0], and Facebook is a $100 billion social media giant, trusted by billions of people.

[0] https://goo.gl/kDPjxf

But at least with those Random VPN apps there is some chance that they are not actually stealing your data. With Facebook there is not.

And if billions of people trust Facebook, that's just a sad commentary on the amound of critical thinking in the world.

Creating an app and calling it "protection" when it is in fact spying on you to give FB a glimpse of how you use the internet, this is something you are defending?

And also, did you just call the gizmodo article "fake news"? It this [0] then also fake news to you? Seems to me you are getting your true news fix from a news feed somewhere.

[0] https://www.wsj.com/articles/facebooks-onavo-gives-social-me...

Facebook bought Onavo. Facebook owns Onavo. They are not a random VPN app. They are a Facebook property.

They are touting the VPN as being protection, when in actuality they are using it to gather data on the users that use the VPN.

I do not understand your comments in light of these facts. If one trusts Facebook, then using Onavo isn't a concern for them, but they should be aware just because it's a VPN it doesn't imply any kind of privacy or protection, and should be aware that Facebook's marketing/use of Onavo is shady.

If one already does not trust Facebook, then it should be clear to stay away from Onavo, whether found randomly, through an app store, or advertised by Facebook.

> Facebook is a $100 billion social media giant, trusted by billions of people.

I think you are confused. "Used" and "trusted" mean very different things, and you seem to be using the latter where only the former is justifiable.

You would think that, except Facebook is literally spying on you when you are trying to be anonymous. So its acting as maliciously as you can save actually loading malware. There are plenty of VPNs such as Private Internet Access (which I use) which are great alternatives. Its not hard to find them.
But what kind of security does it provide? Website blocker?
A VPN provides a secure tunnel, so it prevents your data from being sniffed on the insecure WiFi in your local coffee shop, and up every hop to the terminating server. So you can prevent an ISP and friendly neighborhood hacker from seeing your requests. However, the terminating server can see EVERYTHING.

So if you want a VPN, use https://github.com/trailofbits/algo or https://github.com/StreisandEffect/streisand.

Algo is my favorite, but both are pretty effective in my opinion.