I suspect the idea is that a VPN will provide encryption for all network traffic by default, preventing others on the local network from packet sniffing.
It says nothing about who the Dark Intelligence Team is, but this Google cache[0] has a little bit more info:
>We are security enthusiasts from China, Germany, France, Netherlands, Norway, Switzerland, Mexico, India and Russia. Some of us have used *nix systems since 1999.
>Coding && DeCoding && Talks && Beers && Wine && Pizzas && Good Music && Stuff && Hacking.
So at least nine contributors, unless they're counting one person as being from multiple countries.
Is security not an illusion with the current computer architectures? Sometimes it feels like we have to go back to architectures that separate code from data (Harvard) to really be secure.
Indeed. The NX bit (which differentiates between executable and writable data) roughly approximates Harvard Architecture-like differences between types of memory, and likewise it cannot prevent code reuse attacks.
Imho, to use a metaphor, not much different than the glass windows of a car protecting the car contents. And then of course, some owners just leave the windows down, other 'car windows' have special foils, multilayer, some even have bullet resistent qualities, but give it time and physical access and it's always a car compromised in the end.
Nah, you could still e.g. use a use after free to smash the return address or a vtable on a Harvard machine and execute a ROP chain. If it did speculative execution too it would probably be vulnerable to spectre. There's nothing special about Harvard machines when it comes to security.
> WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come.
I agree that WireGuard will be great when it's done. Is there something I'm missing?
Maybe he meant that ProtonVPN has a pretty shady reputation on HN due to their business connections to TesoNet, which is a data mining company. Its a lot more complicated than that, but if you see ProtonVPN being shot down on HN, that's why.
Personally, even if there isn't anything actually shady going on, I would want my VPN provider to be beyond reproach. Any smart VPN provider wouldn't want even tenuous connections to data mining companies.
It feels a bit dirt to recommend Private Internet Access since they were the ones who pointed this out on HN, but so far AFAIK they are the only ones that have have been court-tested. Other options would be TorGuard or Mullvad VPN. Mullvad even already supports WireGuard!
> I just run my own VPN from a $5/month DigitalOcean droplet... I feel like all the public VPNs are like big honeypots I'd rather stay away from.
I guess that depends on your threat vector. I mainly want copyright hounds and data miners (including my ISP) to stay out of my way. For this a public VPN is perfect. Hell, in a weird way, if PIA somehow turned out be a NSA honeypot they would be even better for that purpose since they'd essentially be untouchable by copyright holders.
In general, I guess a personal VPN is more private on a micro level (no VPN provider that can spy on you) but less private on a macro level (any determined actor can trace your DO VPN back to you since you are the only user)
> Does that mean ProtonMail also is no longer trustworthy?
That is, again, for yourself to decide.
Personally I think the Proton company isn't malicious and just really bungled up the launch of ProtonVPN by going at it together with / through TesoNet, and their VPN efforts will forever be tainted by that.
But, that has very little to do with their mail branch, which preceded ProtonVPN and which so far seems a pretty good offering to me if you want your mail to be encrypted-at-rest.
I wouldn't use a VC-backed, for-profit company for anything privacy related. Selling users out behind the scenes to advertisers and TLA's is an easy way to get money. Better to get hosting in a jurisdiction without police-state-style activities, with privacy protections, and/or from a nonprofit or public-benefit organization incentivized to look after users. A for-profit, non-VC company with long history of steady, honest business is also a decent option if you can't find/afford/use safer jurisdictions. Prgmr.com is an example of the last one from what I've observed.
For most VPN companies, you basically have to blindly trust them that they aren't doing anything nefarious. ProtonVPN is different because it's been thoroughly checked and vetted by Mozilla (https://blog.mozilla.org/futurereleases/2018/10/22/testing-n...) and also because there is full transparency regarding who runs the service. You can find the names of the former CERN scientists who created the service, along with their past scientific publications, and things that prove who they are.
AFAIK ProtonVPN’s offering is based on OpenVPN and I just don’t see the benefit of using that protocol when a more modern alternative is available (i.e. Wireguard). The fact that ProtonVPN is located in Switzerland is not a selling point that matters to me, YMMV.
IMHO stock OpenBSD is a better start. Concise and secure. Sending all traffic through a VPN is probably a bad idea, it is better IMO to put /some/ traffic through the VPN that you want separated. Private browse through VPN, preferably in a VM. The "I'm not a robot" thread (https://news.ycombinator.com/item?id=19155643) from a few days ago showed just how much can be gleaned by javascript, that's probably enough to work out if your private browser is on the same computer as the non-private.
The code isn't public yet. I imagine that if you want to get involved at this stage you'd need to contact them directly. Their email address and public-key are available here: https://www.secbsd.org/dark-intelligence-team.html
I am getting a lot of mental "red flags" over this one. its a bunch of distros of things, some of which are pentest, some of which are less clear to me, it has confusing statements about VPN. Kali is understood. It has a sense of purpose, a community, quite strong public statements of intent and purpose.
This one. I mean sure, that lock-pick you bought from a guy in the pub, he said it was only for testing padlocks, but now you see other people testing doors along the hall and you're wondering what you just walked into...
32 comments
[ 3.2 ms ] story [ 94.1 ms ] thread>We are security enthusiasts from China, Germany, France, Netherlands, Norway, Switzerland, Mexico, India and Russia. Some of us have used *nix systems since 1999.
>Coding && DeCoding && Talks && Beers && Wine && Pizzas && Good Music && Stuff && Hacking.
So at least nine contributors, unless they're counting one person as being from multiple countries.
[0] https://webcache.googleusercontent.com/search?q=cache:E2OiV-...
> WireGuard is not yet complete. You should not rely on this code. It has not undergone proper degrees of security auditing and the protocol is still subject to change. We're working toward a stable 1.0 release, but that time has not yet come.
I agree that WireGuard will be great when it's done. Is there something I'm missing?
Further reading: https://news.ycombinator.com/item?id=17258203 https://news.ycombinator.com/item?id=17775326
Personally, even if there isn't anything actually shady going on, I would want my VPN provider to be beyond reproach. Any smart VPN provider wouldn't want even tenuous connections to data mining companies. It feels a bit dirt to recommend Private Internet Access since they were the ones who pointed this out on HN, but so far AFAIK they are the only ones that have have been court-tested. Other options would be TorGuard or Mullvad VPN. Mullvad even already supports WireGuard!
> ProtonVPN has a pretty shady reputation on HN due to their business connections to TesoNet, which is a data mining company
Does that mean ProtonMail also is no longer trustworthy?
I guess that depends on your threat vector. I mainly want copyright hounds and data miners (including my ISP) to stay out of my way. For this a public VPN is perfect. Hell, in a weird way, if PIA somehow turned out be a NSA honeypot they would be even better for that purpose since they'd essentially be untouchable by copyright holders. In general, I guess a personal VPN is more private on a micro level (no VPN provider that can spy on you) but less private on a macro level (any determined actor can trace your DO VPN back to you since you are the only user)
> Does that mean ProtonMail also is no longer trustworthy?
That is, again, for yourself to decide. Personally I think the Proton company isn't malicious and just really bungled up the launch of ProtonVPN by going at it together with / through TesoNet, and their VPN efforts will forever be tainted by that. But, that has very little to do with their mail branch, which preceded ProtonVPN and which so far seems a pretty good offering to me if you want your mail to be encrypted-at-rest.
Good call IMHO. That’s what I would do as well if I felt the need to use a VPN.
For most VPN companies, you basically have to blindly trust them that they aren't doing anything nefarious. ProtonVPN is different because it's been thoroughly checked and vetted by Mozilla (https://blog.mozilla.org/futurereleases/2018/10/22/testing-n...) and also because there is full transparency regarding who runs the service. You can find the names of the former CERN scientists who created the service, along with their past scientific publications, and things that prove who they are.
It seems to me that 'zx2c4 just hasn’t come around to reword that paragraph yet.
If Wireguard is good enough for Latacora then I would feel safe using it.
This question has come up before, see e.g. https://news.ycombinator.com/item?id=16326421 and https://news.ycombinator.com/item?id=17848471
Huge TCB, they already fucked up. So much for security.
I’m not so keen on the VPN by default thing though.. I hope they plan to upstream metasploit back to ports at least.
Can’t take it seriously from a security perspective, then.
This one. I mean sure, that lock-pick you bought from a guy in the pub, he said it was only for testing padlocks, but now you see other people testing doors along the hall and you're wondering what you just walked into...
* Laughs at 90% script kiddie userbase
> Unix like
As someone already pointed out, honestly call it openbsd distro.
> BSD
I doubt it will remain free & OSS. We can't say if the fork from OpenBSD is for security or relicensing purpose.
And the lock-pick example is nearly perfect analogue in this thread.