By the time the police comes at you because of your home IP, they usually have collected a lot more evidence than that. That's why torrenting from your home without a VPN usually just results in a letter from your ISP saying "we know what you're doing. cut it out".
No body has ever been convicted with their home IP as the only evidence.
Of course, you get raided most likely once they have sufficient evidence that they'll be able to collect incriminating evidence. Your IP might be enough to get a warrant, but they'll need a lot more to build a case in court. Hence the raid, confiscation of servers, etc.
Until recently, eyeglass manufacturers were marketing blue light filtered lenses (which don't even filter much blue light anyway) as a way to prevent macular degeneration, until regulators shut it down. VPN providers shouldn't be allowed to claim that VPNs protect you from malware or that they do a better job at protecting data in transit than vanilla SSL.
Hey, I have such glasses, and here in France at least they are still marketed. Do you have any reference pointing out the fact that they do not work? (Are they even worse than regular glasses?)
Any source on the blue light filtering not working? I didn't get the filter on my latest glasses and feel like my eyes fatigue more quickly, but I'm aware that could just be aging or a change in monitors, lighting, etc. which have occurred since my last subscription update.
The lenses I'm talking about are the ones that are completely or nearly completely clear. Here's a photo of the "Everyday" blue light lenses on Zenni Optical as an example. They are marketed as blocking 16x more blue light than normal lenses. https://static.zennioptical.com/marketing/campaign/blokz/202...
How could it be blocking any significant amount of light in the visible spectrum and still be clear? I'm sure the "16x" claim is true, but normal lenses block a small amount of light. 16 times nearly zero is still nearly zero. It's just a marketing gimmick.
Zenni Optical also sells lenses which are orange. I'm sure that actually does block a significant amount of blue light, but I also know from my experience visiting optician offices that many consumers are buying the first kind.
I'm aware of studies which link blue light to eye fatigue and disruption of the circadian rhythm but I'm skeptical that blocking 5% of blue light or whatever could have a perceptible medical effect.
With that being said, I don't feel strongly about claims like the 16x thing if its actually true (just a bit misleading). My comment above was mostly about the claims that they prevent macular degeneration which there is no evidence for. And regulators are right to jump in before it gets too bad, otherwise why stop at macular degeneration? Just say your lenses prevent hair loss and skin cancer while you're at it.
They still push them at the sales end of optometrists here in Australia. My optometrist partner always gives them death stares whenever they try to push that blue light filtering scam when I'm getting new lenses (like I did a week ago)
> VPN providers shouldn't be allowed to claim that VPNs protect you from malware or that they do a better job at protecting data in transit than vanilla SSL.
That's... not exactly true, given what definition of "protecting" you follow. VPNs definitely can protect against some forms of attacks that plain old HTTPS can't:
- malicious QoS/routing policies at the ISP (or a public WiFi operator) that, say, down-prioritise or throttle stuff like YouTube, or route it through backed-up links (German Telekom was infamous for bad peering towards high traffic sites including Youtube [1] or where they all but extorted money from "double paid traffic" from server owners [2])
- ISPs hijacking DNS for a myriad of reasons (NXDOMAIN ad-hijacks, government-ordered censorship, thinking they can offer "improved" DNS service by simply answering all requests going out on UDP53 with their own servers [3], ...)
- ISPs and WiFi operators listening on DNS requests or doing traffic analysis to sell to advertisers [4]
- other devices on the network attacking your machine (e.g. in a coworking space) - proper VPN software like Cisco will "cut off" all communication with the outside with the exception of the remote VPN endpoint IP and DHCP.
The part about malware is more sketchy, but in case the VPN operator uses something like PiHole and other shared lists of malware domains and IPs to blacklist common-known vectors and C&C sites, it is a valid statement.
As Linus (LTT) mentioned a while back, VPNs are an insanely profitable cash cow with super low bars of entry into the new business, but it sits at a super legally precarious position that could jeopardize major legal and ethical challenges.
I agree though that a lot of YouTubers have grown fat and comfortable with VPN providers led largely because of the financial incentives over their desire to protect fans.
Is there a name for the phenomenon when something is over-advertised to the point where potential consumers become less interested with more advertising? I’ve reached that point with NordVPN, SquareSpace, and a few others, but especially any pharmaceuticals that get TV ads (not that they’re ever relevant to any health concerns for anyone in our house).
Anecdote to the pharma comment, I recently looked up what happened with the CW because it felt like the network was falling into a pit recently. It turns out the network got "trimmed down for aquisition" which got swooped up by a cable providers. Apparently the average viewer of CW on terrestrial cable is 58!? (Taken from Wikipedia for what it's worth). If 58 is the average viewer for CW, just how old people are trending for less youth oriented networks. I makes a lot more sense to see a bunch of drug commercials (with their very high ad rates) shoved down your throat.
Does this also work if you're using the generic OpenVPN client to connect to the VPN? I've used a bunch of different VPN providers over the years, but they usually just offer an OpenVPN configuration that you can use with the normal client. I'm not aware of this also allowing them to send traffic the other way, but maybe it does?
afaik no that's impossible without modifications of the customers OpenVPN software itself (they would need firewall/iptable rules for NAT, impossible to set via OpenVPN config). That's exactly why it's a bad sign if a VPN provider doesn't just give you VPN configuration files.
I love this sort of thing. I'd love to get into this sort of research. No idea where to start to either acquire the skills or once acquired target the right systems/apps. I can still dream though.
Any pointers on where you'd start would be appreciated though.
I'd literally start any training by asking chatGPT, probably using phind to ensure it's got more up to date info. I wouldn't trust everything it says, but it can help you maybe find your weaknesses on a topic and formulate a self education plan.
In this case, the whole process was just "let's see what my device is doing" and then digging until the unexplained is explained. Your devices are doing lots of weird things, talking to tracking servers, fetching data from unexpected places, you just need to take a look and start wondering!
Running Wireshark or an equivalent smartphone app is easy. Understanding it probably a lot less so, but network protocols can be googled. One trick to not get overwhelmed too much is to not use the device you're analyzing too much so you only collect background traffic. Another is to filter out traffic you can't do much with. A lot of traffic is encrypted by TLS these days, but a lot of data is still visible, like in this case a random domain that you shouldn't be seeing. However, except for that very first TLS packet, you won't be able to see anything interesting in the rest of the stream, which can be gigabytes in size!
The real challenge for network analysis is that 99% of the time, your network is not doing anything strange (or at least interesting). If you want to find something, you can try seeking out sketchy apps (free VPNs are a nice target, they're almost always shady) but there's no guarantee that you'll find anything. Or you can dive deeper if you think there's more to be found.
In the case of Android apps, those are often easily decompiled into either VM byte code (smali) or even obfuscated Java code. apktool, jd-gui, or ghidra can usually get some kind of readable-ish code out of an app. There's also an excellent online APK decompiler if you trust that. Grabbing the APK is quite easy, you can find apps that do this or otherwise you can use Android's debugging tools to pull the app off your phone.
Depending on how obfuscated your target is, complete reversing may be difficult. You can often take shortcuts, though, like looking for interesting strings or setting files.
Another nice trick to employ when reversing applications is to run Frida. Frida is a toolkit for injecting arbitrary code into another process. You can either inject Frida into an APK you've downloaded, or if you've got a rooted device run it against any unmodified app. It works on other platforms as well! With Frida you can write Javascript in the Chrome dev tools to control the app, list objects and functions, call random APIs, whatever you need, all without decompiling.
Another trick I like to employ is using mitmproxy to man-in-the-middle apps so you see every HTTPS call they make, the responses, and you can even mess with the traffic (change responses, alter requests, you name it). The tricky part is to get the app to accept your TLS interception, but there are Frida scripts that will disable validation of TLS certificates in all manner of apps, giving you the ability to inspect them.
That last part can also be very useful if you're reverse engineering an API. I've written a blog post about a Norton VPN where I did exactly that, not because Norton was being shady, but because I wanted to use the OpenVPN config file on my laptop and they didn't provide me with the necessary files (even though they totally could have).
Not the best writing, it was mostly a recap of the things I did for myself if I ever needed to fetch that file again, but I think the core concepts may still be useful.
Excellent sleuthing! I sometimes use Proxyman to sniff the traffic that my phone or computer is using – it's fascinating seeing what and how different apps communicate with their backend servers. I haven't come across anything quite so nefarious, but its interesting all the same.
its not clear its ddos, though it might be, as one commenter suggested it might be ad revenue or so. maybe they hit themselves? :D. i bet we will never know.
No body starts a botnet to hit one target. Botnets are usually for hire. You find a vulnerability, establish as many C&C devices as you can, then advertise online that you have a botnet capable of XYZ, and you get contracts to hit particular endpoints.
In this example, Swing VPN is offering a "free VPN" service, but they actually pay for it with botnet contracts.
eh, we don't really know what all "Turmenistan Airlines" website actually does. It's a government agency after all, and it could be used to hide all sorts of online activity for some other government agencies. It could also just be a test contract, or an internal botnet test and OP just happen to catch that one.
Getting a target DDoS'd is cheap, especially if that target resides in a country with not that great digital infrastructure.
For twenty dollars you can take down an airline that lost your luggage and didn't bother trying to find it back. It's childish behavior, but someone is petty enough. Store didn't honor their warranty? Pay five dollars and they'll lose more money in lost sales than their refusal would've cost them.
Sometimes it's not just petty criminals either. Extorting businesses with these types of attacks is all too common. "Pay us $x or your website will be down for months" is an easy threat to make, especially if you can take down a business for a fraction of their lost revenue. Attack twenty or more companies, wait for one of them to pay out and you've made yourself a huge chunk of cash.
There are all kinds of reasons to hire these botnets. Developing these botnets isn't very hard either, especially if you can sneak a trojan into a useful software library or hack someone else's library. You just have to think real scummy.
Often, the VPN maker is different than the botnet provider.
https://scrapestack.com/faq: Residential ("premium") proxies provide IP addresses that are connected to real residential addresses and devices, which makes them much less likely to get blocked while scraping the web. We highly recommend using residential proxies for your web scraping needs as they make it easy to work around geo-blocked content and harvest data at scale.
> After app startup, language selection and acceptance of privacy policy the app starts to figure out ‘real IP address’ by doing a request to both google and bing with query “what+is+my+ip”. My guess is that the app just parses the returned HTML and figures IP from those responses.
Aren't there free APIs to get your IP address, like ifconfig.me? This sounds like more work but probably doesn't have any chance of running into rate limits.
There are APIs, and in my opinion, just falling back to a different HTTP API would probably be easier than parsing HTML. Though I use one of those APIs for a dynamic DNS client I built, and I've never actually seen a rate limit on them, even if I'm calling them every minute. I appreciate you showing them the benefit of the doubt here, but in my opinion the more likely answer is just that the person who did this is just underinformed on the state of quality of life-improving public APIs.
It's information that's only really useful to us. It refers to a set of machines running the same version of our software. Part of how we do progressive rollouts of software.
Wow that's terrible. Is this written anywhere in their terms that you agree to let them host arbitrary content under your own domain without your knowledge?
It's a lot easier to hide your breadcrumbs if you're just calling google.com or bing.com. Those are services that get billions of hits an hour and no body cares to scan or correlate your calls to them (other than Google and Microsoft of course)
Given that their "Command & Control" server already knows the user's IP anyway, this might be a disguise, with the actual intention being to check if Google is working from that IP, as these shady VPNs are often used to abuse the client as a proxy for SERP requests, to bypass IP-based search engine query limits (for SEO etc.).
> we probably can assume that this app is trying to attack some government sites of Turkmenistan. It is hard for me to imagine why would anybody do that
I find this very odd that they would target those websites. What would be the gain of taking down those websites _for anyone_. I doubt that the reason is political.
P.S. Turkmenistan is probably the worst country when it comes to free internet. Almost all IP addresses are blocked, with very few websites (mostly google-owned) being reachable. The entire population is desperate for VPN (preferrably free). They are not educated about malwares, or anything about security, so they will download anything that promises free internet.
Couldn’t it just be old fashioned blackmail? Attack the site and request money to turn off the botnet? It might be a bad assumption on my part but it occurs to me that maybe Turkey doesn’t have a lot of pull to investigate cyberattacks across country lines so businesses in that country might be good targets to not get blowback?
Turkmenistan certainly has no capacity for investigating a cyber attack for sure. But they are have no problem with those websites being down. Internet usage in the country is very low, and those websites are down the most of the time anyway.
nice findings, firstly, thanks for looking into it and sharing. i wonder how they have 3 million installbase. do you think there are some (unwitting) influencers, streamers etc. paid to promote this? 3 million is plenty, especially since there are a lot of heavily promoted vpns out there bidding for installs
Skimmed it and I don't see anything about Nord making their users into proxies, second link is questionable (since its deleted and you linked to an archive)
> Aside from its link to Oxylabs, Tesonet also advertises itself as a creator and investor of a number of online services, including NordVPN, Hostinger and others.
I'll be honest, the fact that they're directly linked to Oxylabs alone is enough to deter me. I can't see how else they'd get 100 million+ residential customers on Oxylabs side... sure, I'm not going to go around claiming I have direct proof, but that's more than enough for me to not use their services.
I didn't even read the medium article, only the first one. That's what I quoted from. I agree, investigating traffic would be an excellent idea, but I don't intend on putting my credit card into nord's sketchy site (they apparently don't accept paypal)
If I were evil, I don't implement proxy feature on open Linux VPN client that geeks use, but just implement on closed Windows/Android client. Traffic monitoring is better.
It's not "well-known"- because your links don't say what you're claiming they do, and this is a conspiracy theory that's been shut down on here a thousand times before.
NordVPN used residential proxies at one point to enable access to Disney+ and other streaming services; that's a world apart from hijacking end-user connections.
They've got an open source client. Where's the code that's turning end users into endpoints?
It really is of course, but I can honestly see them resort to this only to be able to offer a competitive edge because when it all comes around, this stuff is what many use VPN for rather than privacy. As streaming sites keep clamping down on VPN providers, the low hanging fruits of dodging via mere national IP addresses are blacklisted by them and these providers need to go even further to fool them and compete.
But yes, it's also sketchy with the other implications and all, and not the least what kind of traffic that people want to hide that you're unknowingly a proxy to!
i think users in a vpn dont expect other users traffic being redirected over their systems, even if its just to enable access to some streaming services... or are residential proxies systems in residential ranges that are used as proxies, but actually part of nord vpn infra, rather than its users?? (sorry i dont wanna read all the code, and am a bit confused)
It's the latter case; Nord used a third-party residential proxy service that they sent traffic through, but there's no serious evidence that they used their own users as proxy nodes or endpoints.
I own some IPv4 space and get constant spam from these companies with pitches like "monetize your IP addresses". It's funny how upset they get when you respond and use the word "botnet" to describe their operation, or suggest that the traffic they generate is illegitimate.
this seems a bit besides my point, but perhaps i am not as deeply into this topic as you. how about the baker at the end of the street. making bread for people, selling it at a profit margin which just allows him/her to continue their work as a non super rich person. (replace baker with barber or whatever). i dont see this as unethical. am i wrong?
Former baker here. There are still plenty of ethical dilemmas in baking: fossil fuel consumption in transportation of ingredients, factory farming of ingredients, if you are employing anybody you are paying them an unfair wage in order to turn a profit. There are inescapable ethical dilemmas of participating in capitalism. Success always comes at the expense of someone else. If you are a small business then you are less accountable to laws designed to protect workers than a multinational corporation.
Whether or not you deem the viewpoint useful, these ethical dilemmas exist. Whether you choose to acknowledge those dilemmas is your choice. But by recognizing these ethical dilemmas we can make better choices to reduce potential negative impact on others/the community/ourselves. Recognizing inescapable complicity is just accepting accountability and introduce the possibility to grow and change as individuals and as a society as a whole over time.
I don't think for example capitalism is always dilemmas. If someone choses to work for you, they chose to accept such a salary and participate. Its not some bad thing. If you truly pay them an unfair wage, they can chose not to participate. This might sound harsh, but people always have a choice. I work for an employer, i don't think its unfair simply because my boss is turning a profit. I am happy and thankful i have the job. If i didn't want it, there's plenty of space in the rainforest to try and forage for food (and yes i wouldn't last a day :P).
You might not like something, but does it really make it a dilemma in the sense of 'having to pick which of the 2 bulls horns will impale you?' - i don't think so. (interesting points though, and perhaps i am still missing your point!)
The lawn mower is not a business. It is a piece of machinery. The business that designed the lawn mower can ensure the design is safe, at least within reason, through the proper engineering of the product and by instructing its users on the proper use and maintenance of the machine. There is nothing inherently unethical about manufacturing lawnmowers unless you consider the practice of mowing lawns unethical (which there are legitimate arguments for, but I don't think that was your point).
Let's take as an example a website which compares prices in different stores and shows which has the cheapest price. You can do it manually, but using automation it is faster and more convenient. Is doesn't make sense to read websites manually when you can use a script or a language model.
Obviously for consumer it is better to be able to scrape sites. It is only those store owners (greedy capitalists) who do not want consumer to know that their prices are inflated.
Another thing is looking for some information, it is better just to have a language model go around the web and summarize the data for you rather than read someone's site with white letters on black background and weird font.
It's not uncommon that companies ask other companies to scrape their site as they don't have the tech resources to build an API / integration for whatever they want to have.
if u run a small site and ppl scrape it aggresively that can rack up ur bills.depending on where u host ur site. ofcourse not an issue for billion dollar companies, but a line needs to be drawn somewhere. also, whats the purpose of the scraping? usually its greedy capatalist purposes, so.then ur point is a bit moot, dont u think?
Let's say someone makes a site that compares prices in different stores. It needs a lot of scraping, but is useful for consumers. Obviously, the only ones who are against it will be the store owners.
Unless you go full blown DoS you will not be able to scrap 100.000 of articles multiple times a day. Geizhals for example compares prices every 10 minutes. It does this by working with the stores (they provide a price list) not against them.
If a store owner doesn't want the reach, it's their loss. IMHO no need for a DoS attack.
And then someone else makes another site that also compares prices in different stores. Instead of scraping all the stores they can just scrape the first comparison site and invest the time saved into SEO :)
Sites have a right to try to block scrapers. Scraping can incur significant costs and users may not want it - as a LinkedIn user, I want my profile to be indexed and able to viewed without logging in from the Web, but I also don’t want my entire profile scraped and resold/rehosted for marketing. It’s also often the case that the website put in significant working acquiring/curating/cleaning their data, and they are being scraped by other commercial entities trying to just resell it (blocking that isn’t being greedy, the data is basically being stolen for other commercial entities). So it’s not just being greedy.
Individuals also, IMO, have a right to sell access to their network for scraping-via-proxy. But they should be prepared to deal with the consequences, like a potential IP ban. Most people using VPNs that resell their residential network for scraping probably don’t know that’s happening, and many scrapers are indeed doing something bad, which is why there is a disdain for the practice.
Well part of that is just the direct value prop of the platform, by having a profile there I’m creating a channel for recruiters and stuff and I suppose making it easier to get bank loans/have people verify my identity. What I don’t want is for the data to be hosted elsewhere and resold to every Tom, Dick, and Harry. Fortunately LinkedIn also wants to prevent that because it undercuts their monetization schemes.
> While the lawsuit names Lithuania-based Teso LT, UAB as a defendant rather than “Tesonet”, this is as a result of a corporate restructuring several years ago. Aside from its link to Oxylabs, Tesonet also advertises itself as a creator and investor of a number of online services, including NordVPN, Hostinger and others.[0]
hola redirects things like web scrapers over their infra. once worked for a lead generation startup (i am so sorry..) where one of their services reached out to ask if i wanted to send traffic over their network. sad this is some legal loophole. (sad for them and probarbly us, we didnt do scraping :)))
Once you dig into how the Kape Technologies holding is linked to the same people of the NSO Group scandals, well, good luck finding a VPN that didn't sell out their customers.
It eliminates your main use cases for VPNs (and while it's a shame that the feature is being pulled, port forwarding has always been ripe with abuse).
I formerly worked in the consumer VPN space (an older, but once quite big player), and use cases go from content access (including everything from getting US Netflix from Germany, to sidestepping national firewalls), to general-purpose paranoia about IP logging by websites. There are also lots of cases that get marketed a bit too liberally by companies like Nord, Express, and the hydra that is Kape, like that VPNs can add meaningful security to submitting payment information online; this is despite the fact that it's harder than ever to MITM payment sites.
It's generally agreed that the state of public Wi-Fi combined with evolving web standards and sky-high HTTPS adoption makes VPNs largely, though definitely not completely obsolete for protecting yourself against someone sniffing traffic at Starbucks.
Having said all that: if you need a VPN and a lack of port-forwarding isn't a dealbreaker, I wholeheartedly recommend Mullvad. My former company never worked with them directly but our team had immense respect for their integrity, ethics, and approach to developing a quality product.
Honestly it's hard to tell, but Mullvard seems to be one of the last options.
The problem I have with all the "checks" that press foundations do is that none of them seem to know what they're talking about in regards to what tech is trustworthy and audited, and what is not.
I found a nice article about it, skimmed through it and seems to be true and reflect my own research that I did for my cyber defense network [1]
They're the best. They don't even ask for personal information when creating an account (heck, they don't ask for anything at all) and you can pay with crypto or cash. They use Wireguard and their desktop and mobile apps are very good.
They shouldn't keep logs but even if they did there's no personal information metadata.
Thats assuming you are using your home IP, and that youre the only one using that IP, and that they are tracking your metadata (whcih there is no proof of)
Mullvad claims to not log IPs so they cannot hand out anything via a court order and at least once a court order has turned up blank [1]. It is possible that CIA or some other intelligence agency has infiltrated Mullvad and logs them but that is nothing that will ever be used in a normal court case. They will only risk revealing their hand if you are some major crime boss, a spy or a terrorist.
If you are just a file sharer or normal low level criminal I doubt the CIA (or whoever may have infiltrated Mullvad) would give anyone your IP.
> It is possible that CIA or some other intelligence agency has infiltrated Mullvad and logs them but that is nothing that will ever be used in a normal court case. They will only risk revealing their hand if you are some major crime boss, a spy or a terrorist.
Or NSO or some other private actor did so, and now every dictatorship has access to it, and we all know how broad their “terrorist” definition can be…
If you are a dissident in Iran, you really should not trust some random VPN. Tor is probably safe enough, but there is also no guarantee, that the chinese are not sharing with them, because as far as I know (but last time I checked has been some years), many nodes are china based. So they might know.
But if all you do is pirating some videos, then this is not something to worry about.
> It is possible that CIA or some other intelligence agency has infiltrated Mullvad and logs them but that is nothing that will ever be used in a normal court case.
Just so everyone is clear on a few facts, it is possible for a TLA or agency from another large government to just try to blackbox the VPN nodes and be done with it without needing to infiltrate Mullvad. Just pressure the network provider of the VPN instances to get flow data, and at that point they can match up traffic going in and out and the VPN disappears from the picture.
I care about websites I visit not seeing my IP since they can track me individually using that. Mullvad is the entity that hides it - of course they will see my IP. I don't care if Mullvad sees it, but I do care if shadywebsite6969.test sees it.
I feel like, inherently, Mullvad is crazy secure. They never ask for email, phone number, name, or any payment details, and the only identifying information (username and password) are replaced by a number they generate for you.
And then it gives you a wireguard config you can use with whatever client you trust.
Was renewing a domain when I noticed my registrar offered VPN service but I couldn't find any substantial information about how it works other than supporting Wireguard and claim not to keep logs. There wasn't even a TOS for me to study before signing up.
I’m not a serious user, but I subscribe to Mozilla’s VPN service. Not free but I believe in their mission and feel good about sending a few bux their way.
Same, I made the poor judgement of subscription to Nord vpn years ago that I ended up not really using because many streaming sites blocked the vpn ips. Then I hear of the behavior of the company claiming they don’t take logs but they definitely take browsing logs. I felt like I was duped into a 2 or 3 year subscription upfront and didn’t really understand the product space or how to evaluate the different companies. Like are there any objective news sources to rank these services and what internet comments to trust at face value? I listened to a youtube ad in the first place, so I’m unsure what I was expecting.
Mozilla gained good will over the years and I like the browser. The vpn is fairly seamless and permissive for number of devices. I understand it is a wrapper on Mullvad and we are paying a healthy overhead. Still, it is worth it because I’d trust that if the vpn service provider behaves in bad faith that Mozilla will be able to quickly respond and adopt another provider. Whereas if it were up to me I may hear of it years later and not necessarily know what service to adopt instead.
My use is merely hoping to reduce tracking based on ip. I wouldn’t trust it to be subpoena proof. I’m not into pirating music anyway.
Actually, they rather lost a lot over the last years, with various shady things, like tracking for advertisement enabled from the browser by default (called studys).
So sadly, I also would not trust them as a VPN. Way more than some random VPN service, sure, but not completely. But I also do not know of a better alternative.
Eh, only if you accept the hype and hyperbole of those that not only hold them to a standard that nobody achieves (which is fine, it gets them closer to that standard) and then use that as a reason to tell people that they should products that are far inferior by those same standards (which is stupid).
I've lost track of the times a Mozilla misstep has resulted in people here saying that's the reason they're switching back to chrome, which I find frankly ridiculous. Also, the whole damn thing is open source, so it's not like they're really hiding anything, people just don't care until someone makes a stink and then all of a sudden everyone cares a lot.
No browser is perfect, but Mozilla is definitely one of the better ones for anyone privacy conscious.
Here we are talking about trust. And a company (Mozilla) that talks a lot about trust and ideals and privacy and then sneaks in tracking by default with a innocent sounding name (studies) is simply not trustworthy to me.
They are hiding bad behavior in nice sounding words.
We technical folks get it and can deactivate it.
Every non technical person I know, who still uses firefox does not know and has all the defaults activated, until I change it for them.
So sure, they are still better than google and microsoft, where I just assume that they track everything, but that is a really low standard.
I do not think it is hyperbole. The Cliqz thing where they just handed user browsing behavior to a third party which they had invested in is inexcusable. Google does a ot more tracking but on the flip side I trust their security more than that of some small German startup.
Some of the other incidents were overblown but the Cliqz thing shows of a company culture where user data is something which can be sold to make a profit, which is essentially what they did, and not something which is vital to protect.
Yes, it was many years ago now but I have no reason to think that they cleaned up their company culture.
At that point, I believe Mullvad (who is actually behind Mozilla VPN service) is more trustworthy than Mozilla themselves. And if that is true, why don't just use Mullvad directly?
My understanding if you given money to Mozilla who then give it to mullvad
All Mozilla know is the mullvad username. Mullvad don’t know the credit card details of the purchaser. To link a given vpn ip to a specific credit card would require compromising mullvad and Mozilla.
(Or of course the normal way of fingerprinting which doesn’t rely on IPs)
Now sure you can buy mullvad via cash, but that’s far more work. Using Mozilla as a reseller feels like one more step in the chain
Why do you think NordVPN maintains browsing logs? According to them, “NordVPN does not log any of your activity online,” and the company states that PWC and Deloitte have audited and verified that claim. If you have evidence to the contrary, I am very interested in seeing it.
I am also familiar with a recent police investigation where law enforcement subpoenaed NordVPN and the company replied, essentially, that they had no information connecting a particular IP address, at a specific date and time, to any specific user.
I use ProtonVPN and I guess they aren't that stupid to mess up the future of their company by abusing the customers of the service that started the company in the first place. I guess other VPN services offered by prestigious companies, like BitDefender are quite safe from this standpoint. Yes, the free VPN services have always a large risk associated with.
It's not necessarily a problem to use a service, (Signal?), which is funded by an intelligence agency. It can serve their purposes while serving yours too. If the service gets wide enough adoption, then the huge volume of traffic becomes a perfect place to hide their own intelligence activity.
It's not the same thing, Hola was found to use clients as exit nodes, which is definitely an abuse of client trust, resources, and potentially exposing them to major legal trouble or otherwise, but I don't think that can be considered a botnet, whereas the VPN app in question here is pulling lists of URLs from control sites and then directly sending requests to them, so it operates in the C&C fashion of a botnet.
I couldn’t disagree more. Scum is scum. The people who can discern the difference are few and far between, and we shouldn’t muddy the waters between different types of scum for the already-overwhelmed layperson.
Most people exclusively care about scum vs. not scum, and all but vuln-dev level sources shouldn’t distinguish.
Maybe HN fell on the savvy side of this at one point, but it was so long ago…
I appreciated the distinction to help form my own opinion. I believe there are varying degrees of scummy-ness and appreciate someone not trying to "decide for me"
Because we're actually quite bad at understanding people's motives (e.g. fundamental attribution error). Not to mention the various ways information gets biased as it flows through people and institutions.
This kind of muddy thinking has hurt a LOT of people.
Nuance matters! While the guy who makes sexist jokes and the guy who will rape you if ever alone with you are both scum, that difference really really matters.
Back in the day the "privacy tool" of choice were anonymous proxies.
I wrote an article in 2013 about why free proxies are free [1] and got so much feedback from people who had never thought about that.
This was back in the HTTP only days (very shortly before the Snowden leaks) and it was a good way to make money because your proxy could just replace all ads on all sites with your Google ads and you could see all communication. Insane from today's view
In 2015 I did a followup post where I analyzed the existing proxies for any manipulation of the original site and found that 80% of the free proxies did in fact change something [2]
That was one of my first personal projects over 20 years ago now. Didn't get much clicks on my ads though. And once you look in your logs to see what people are searching for, you'll quickly come to the conclusion you don't want to run that kind of service anymore.
I'm not sure if it's appropriate to give unsolicited suggestions on the writing, but I believe the author could improve the conciseness. It reads a bit verbose in places where certain information is repeated multiple times, such as the mention of configurations were retrieved from GitHub and Google Drive sites.
Installing a client always opens up these risks. That is why I am building a clientless tunneling service ( well technically you bring your own client ) - https://pinggy.io which is similar to ngrok but you can connect using your own ssh client such as openssh.
How does a clientless ngrok alternative help here (which tunnels server traffic), and why is it even necessary given that many OSes support at least one VPN protocol natively?
I am saying this attack works only because a client is installed on the device, and that client is malicious. If there was a standard client such as openvpn client (open source) then this attack will not be possible. That is becasue, the vpn provider will not have any means of using the user's device to send arbitrary network packets to any server to launch a ddos.
for ppl wanting a vpn which does not do this. at the monthly rate things like nord charge, u can rent a server, install openvpn amd be free of this stuff. ofcourse, the server is yours and tracible to you, but still it has all the other benefits which i think normal vpn users crave. (visit plaintext sites over insecure wifi but no eves on the line etc.). its fairly easy to set up and definitely you wont be part of a traffic redirection network, for whatever purposes the redirection is. maybe u can connect ur friends too and be a good samartian :)
> visit plaintext sites over insecure wifi but no eves on the line etc.
Not a rhetorical question: When is the last time you’ve visited a non-HTTPs website?
> you wont be part of a traffic redirection network
These are also only a concern for HTTP.
Other common use cases for VPNs include geo-unblocking, and hosting IP ranges are commonly blocked by streaming sites.
I can’t think of a good reason to use a VPS for a VPN anymore these days, to be honest – the privacy/security landscape has changed dramatically over the last few years.
You probably get better privacy these days on public (free/unauthenticated) Wi-Fi than you would on many "free" or paid VPN services.
Seems like you misread my comment as "there is no need for VPNs anymore these days". I'm merely saying that I don't see the use case for the "self-hosted VPN server" model anymore.
Need to bypass geoblocking, e.g. when traveling? You'll likely need a residential IP -> use your own network at home (e.g. Tailscale or a self-setup solution) or one of the shady "residential IP broker" utilizing commercial VPNs out there.
Want privacy (from visited sites' trackers)? Your VPS is definitely not that: The IP is static, and if you send your entire traffic through it, this is much more fingerprintable than even residential web usage. -> Use a commercial VPN that you can trust (I don't know many) or something like iCloud Private Relay or TOR.
Want privacy from your ISP tracking you (including public Wi-Fis), and only that? Then, yes, a VPS-based VPN might be for you (or any of the commercial VPNs out there).
But my claim is that the last one (and only that) is probably not the biggest concern of most people.
I know you're being facetious, but, that's not the sarcastic counter argument you think it is. I unironically don't own a car anymore because I have an electric scooter and Uber/Didi to fill in where the scooter is (rarely) not enough. The landscape really has changed.
Problem is that many services denylist “data center” ip ranges, making these vpns neigh unusable for things like watching Netflix or in some cases even logging into eBay and such.
I’ve run a private vpn for extended family off of my residential connection for this reason. It helps them and me.
I do most of my every day browsing and online shopping from data center IPs and have never had a problem with eBay or really that many sites at all. Some for sure (looking at you, "Open" AI), but for the most part it's fine.
Installing open VPN is like carrying the One Ring to Mount Doom. I’ve installed operating systems, databases, web servers, full LAMP stacks that took less effort.
> I have to give props for Swing VPN teams creativity to bypass security measure of Apple appstore and Google PlayStore but it is sad that Apple/Google security systems does not have some automated ways to detect these types of actions.
It's a tricky problem. The amount of attack traffic from an infected device is negligible and very little of it is visible to the operating system due to TLS. It's also presumably intermittent (there's no point in keeping an attack ongoing forever; you stop when the site has found a way to defend itself), so just running the app for a while as part of validating an update might not show any suspicious behavior. The suspicious part is in the configurations downloaded from the CnC servers, not packaged with the app, so static analysis won't help.
The only reliable option for catching these proactively thatI can think of would be to use some kind of aggregate telemetry from all the app installations combined, but that'd be incredibly scary both in terms of privacy and the blast radius when something goes wrong.
> Currently in the beginning of June 2023 it has over 5 million install base on android
That's not really a reliable number. It's more like "the number of distinct users who had this app installed at some point". AFAIK it doesn't get decremented when somebody uninstalls the app, and doesn't go up when somebody installs it for a second time on a new device. Those factors might cancel out, might not.
> doing a request to both google and bing with query “what+is+my+ip”. My guess is that the app just parses the returned HTML and figures IP from those responses.
I don't get it. Where does the VPN traffic go through? If they can operate a gateway, then surely they can provide their own endpoints for IP discovery (and also C&C for that matter).
Until it's discovered, traffic to their own servers would appear the most innocuous. After that, the app gets kicked off the store and the server doesn't matter.
Unless it doesn't actually do any VPN and it's all just a farce, lol.
Yeah, this and countless others that nobody's ever heard of except through a YouTube advert making questionable claims with a questionable definition of 'VPN'.
(To answer the inevitable: Mullvad and Proton are the legitimate offerings that spring to mind.)
Hilarious conclusion from the author. It's almost certainly not the case that the owners of this service are using it to 'DDoS' targets, rather it's much more likely they are using your device to host a proxy server and then selling access to some 'residential proxy reseller'.
On the other side of that, some random Joe has probably purchased access to a set of these 'residential proxies' and is using them to scrape flight data from the airline site the article author noticed, with some of those requests being sent over the author's connection.
Many 'free vpn' and 'free proxy' apps engage in this behavior, you may proxy your requests via their connection, but they also proxy their requests via yours, generally reselling that access to someone who finds your IP address to be of value to them due to the fact that it's not a datacenter address.
It's certainly questionable to straight up unethical either way, especially so if the service doesn't disclose to you that they're doing that, but on the other hand I find the author's DDoS conclusion to be so contrived and out of touch with reality that I had to write this comment.
Pretty harsh to say that this is a hilarious conclusion when your own conclusion seems even more rash. If your conclusion was the case, wouldn't that mean there'd also have to be people interested in scraping random (static) https://www.science.gov.tm/ pages?
My mistake, I looked at the article for 10 seconds before assuming that this app is no different than hundreds of other ones, apparently it is a rare outlier. At any rate, there are more effective ways to disrupt service if that was the goal.
DoS should be legalized IMO... If a company cannot mitigate a DoS or DDoS attack and stay profitable, it's their own fault. Their fault for not designing their software properly and their fault for accumulating too many enemies. Probably it would bring down the whole DNS system but it's about time we replaced it with something better and more decentralized anyway.
DDoS is just freedom of speech. Just some people have louder voices than others which is not a foreign concept to the rest of us. So long as the VPN (or whatever) operator mentions it in their terms of service (e.g. if they rely on user resources), it's fine IMO.
There needs to be an incentive for companies to implement good quality software and to not be evil (not to make enemies) and legalizing DDoS might help create such an incentive.
> DoS should be legalized IMO... If a company cannot mitigate a DoS or DDoS attack and stay profitable, it's their own fault. Their fault for not designing their software properly and their fault for accumulating too many enemies.
Getting DoS-ed is sufficient "punishment" for not being able to mitigate a DoS. "their fault for accumulating too many enemies" is dubious considering that one "enemy" is enough for a DoS and that the DoS-er might not actually have something personal against the target.
> DDoS is just freedom of speech. Just some people have louder voices than others which is not a foreign concept to the rest of us.
I wouldn't characterize a DoS-er as "the one with the louder voice". I hope you don't think doxxing and revenge porn should be legal too. Anyway, there's the saying "My right to swing my fist ends where your nose begins."
I see it differently and I have gained a different understanding of "My right to swing my fist ends where your nose begins."
I used to think like that but in reality, the way the world really works is that anyone can punch you in the nose if they really want to... Whether or not the assailant will be punished for that depends on who got punched and who did the punching.
Access to the justice system is asymmetrical. Big corporations or organizations are often not held liable for many of their 'crimes' on a per-infraction basis because their victims have a much weaker voice; they can basically do all the crimes they want and then, if they harm enough people and they get caught and there is a class action (a lot of IFs), they MAY pay a lump sum fine at the end.
I prefer the ancient Roman system where some crimes were forgiven based on context (e.g. retaliation was allowed). I think it would bring back the human element to the justice system. People should be allowed to take the law into their own hands provided that their cause can be morally justified in front of a random sample of citizens.
Relying on vigilantism as a system runs the risk of incorrectly, assessing a person’s wrongdoings, which may be disproportionately amplified by outrage or disregarded if the person is popular, and therefore runs the risk of not being able to provide justice at all.
Also, legalizing DDOS would simply enable protection racket type schemes (Mirai/Protraf Solutions) and affect small businesses without the ability to defend against them.
I agree that there would be new issues with such a system but I think it would be fairer and lead to more decentralization overall.
I think vigilantism would better allow human nature to shine through. E.g. you can talk and reason with an extortionist directly but you cannot do that with a corporation or other large organization.
When I worked in price crawling there were rumors some proxy vendors leveraged extensions and VPNs (supposedly with fine-print consent) on residential computers to workaround crawl blockers. My guess is that prompted Chrome Webstore to narrow functionality of an extension to only one purpose.
These DDoS tools appear to take things to the next level, and an undeniably blackhat direction.
From the captures in the article, it doesn't look like it's sending the data back anywhere. It's mostly just that the endpoint they're hitting is computationally expensive (searches usually are) in an effort to bring the service down without have the raw traffic to actually jam the pipe on bandwidth alone.
260 comments
[ 4.7 ms ] story [ 264 ms ] threadMany vendors surreptitiously use user nodes as exit nodes and route traffic in suspect ways.
VPN software stack is surely a major target for state and non-state actors to monitor and exploit.
If so, would simply having an account and exe file be enough to argue “my wifi is open, I didn’t download all that XYZ!”
No body has ever been convicted with their home IP as the only evidence.
Convicted? No. Raided? Yes.
I partially blame the myriad YouTubers who happily push these to their fans to supposedly protect their privacy and protect their computers from harm.
They're still marketed as a way to prevent macular degeneration?
How could it be blocking any significant amount of light in the visible spectrum and still be clear? I'm sure the "16x" claim is true, but normal lenses block a small amount of light. 16 times nearly zero is still nearly zero. It's just a marketing gimmick.
Zenni Optical also sells lenses which are orange. I'm sure that actually does block a significant amount of blue light, but I also know from my experience visiting optician offices that many consumers are buying the first kind.
I'm aware of studies which link blue light to eye fatigue and disruption of the circadian rhythm but I'm skeptical that blocking 5% of blue light or whatever could have a perceptible medical effect.
With that being said, I don't feel strongly about claims like the 16x thing if its actually true (just a bit misleading). My comment above was mostly about the claims that they prevent macular degeneration which there is no evidence for. And regulators are right to jump in before it gets too bad, otherwise why stop at macular degeneration? Just say your lenses prevent hair loss and skin cancer while you're at it.
That's... not exactly true, given what definition of "protecting" you follow. VPNs definitely can protect against some forms of attacks that plain old HTTPS can't:
- malicious QoS/routing policies at the ISP (or a public WiFi operator) that, say, down-prioritise or throttle stuff like YouTube, or route it through backed-up links (German Telekom was infamous for bad peering towards high traffic sites including Youtube [1] or where they all but extorted money from "double paid traffic" from server owners [2])
- ISPs hijacking DNS for a myriad of reasons (NXDOMAIN ad-hijacks, government-ordered censorship, thinking they can offer "improved" DNS service by simply answering all requests going out on UDP53 with their own servers [3], ...)
- ISPs and WiFi operators listening on DNS requests or doing traffic analysis to sell to advertisers [4]
- other devices on the network attacking your machine (e.g. in a coworking space) - proper VPN software like Cisco will "cut off" all communication with the outside with the exception of the remote VPN endpoint IP and DHCP.
The part about malware is more sketchy, but in case the VPN operator uses something like PiHole and other shared lists of malware domains and IPs to blacklist common-known vectors and C&C sites, it is a valid statement.
[1] https://winfuture.de/news,63355.html
[2] https://www.golem.de/news/hetzner-und-netzneutralitaet-extra...
[3] https://labs.ripe.net/author/babak_farrokhi/is-your-isp-hija...
[4] https://www.washingtonpost.com/wp-dyn/content/article/2008/0...
I agree though that a lot of YouTubers have grown fat and comfortable with VPN providers led largely because of the financial incentives over their desire to protect fans.
Famously described by Tom Scott —
[How it started https://www.youtube.com/watch?v=WVDQEoe6ZWY
[How it's going] https://www.youtube.com/watch?v=Wif1EAgEQKI&t=320s
Any pointers on where you'd start would be appreciated though.
Running Wireshark or an equivalent smartphone app is easy. Understanding it probably a lot less so, but network protocols can be googled. One trick to not get overwhelmed too much is to not use the device you're analyzing too much so you only collect background traffic. Another is to filter out traffic you can't do much with. A lot of traffic is encrypted by TLS these days, but a lot of data is still visible, like in this case a random domain that you shouldn't be seeing. However, except for that very first TLS packet, you won't be able to see anything interesting in the rest of the stream, which can be gigabytes in size!
The real challenge for network analysis is that 99% of the time, your network is not doing anything strange (or at least interesting). If you want to find something, you can try seeking out sketchy apps (free VPNs are a nice target, they're almost always shady) but there's no guarantee that you'll find anything. Or you can dive deeper if you think there's more to be found.
In the case of Android apps, those are often easily decompiled into either VM byte code (smali) or even obfuscated Java code. apktool, jd-gui, or ghidra can usually get some kind of readable-ish code out of an app. There's also an excellent online APK decompiler if you trust that. Grabbing the APK is quite easy, you can find apps that do this or otherwise you can use Android's debugging tools to pull the app off your phone.
Depending on how obfuscated your target is, complete reversing may be difficult. You can often take shortcuts, though, like looking for interesting strings or setting files.
Another nice trick to employ when reversing applications is to run Frida. Frida is a toolkit for injecting arbitrary code into another process. You can either inject Frida into an APK you've downloaded, or if you've got a rooted device run it against any unmodified app. It works on other platforms as well! With Frida you can write Javascript in the Chrome dev tools to control the app, list objects and functions, call random APIs, whatever you need, all without decompiling.
Another trick I like to employ is using mitmproxy to man-in-the-middle apps so you see every HTTPS call they make, the responses, and you can even mess with the traffic (change responses, alter requests, you name it). The tricky part is to get the app to accept your TLS interception, but there are Frida scripts that will disable validation of TLS certificates in all manner of apps, giving you the ability to inspect them.
That last part can also be very useful if you're reverse engineering an API. I've written a blog post about a Norton VPN where I did exactly that, not because Norton was being shady, but because I wanted to use the OpenVPN config file on my laptop and they didn't provide me with the necessary files (even though they totally could have).
Not the best writing, it was mostly a recap of the things I did for myself if I ever needed to fetch that file again, but I think the core concepts may still be useful.
In this example, Swing VPN is offering a "free VPN" service, but they actually pay for it with botnet contracts.
For twenty dollars you can take down an airline that lost your luggage and didn't bother trying to find it back. It's childish behavior, but someone is petty enough. Store didn't honor their warranty? Pay five dollars and they'll lose more money in lost sales than their refusal would've cost them.
Sometimes it's not just petty criminals either. Extorting businesses with these types of attacks is all too common. "Pay us $x or your website will be down for months" is an easy threat to make, especially if you can take down a business for a fraction of their lost revenue. Attack twenty or more companies, wait for one of them to pay out and you've made yourself a huge chunk of cash.
There are all kinds of reasons to hire these botnets. Developing these botnets isn't very hard either, especially if you can sneak a trojan into a useful software library or hack someone else's library. You just have to think real scummy.
https://scrapestack.com/faq: Residential ("premium") proxies provide IP addresses that are connected to real residential addresses and devices, which makes them much less likely to get blocked while scraping the web. We highly recommend using residential proxies for your web scraping needs as they make it easy to work around geo-blocked content and harvest data at scale.
Aren't there free APIs to get your IP address, like ifconfig.me? This sounds like more work but probably doesn't have any chance of running into rate limits.
https://troyhunt.com/cdn-cgi/trace
I wonder what's the 'sliver' property
https://troyhunt.com/cdn-cgi/styles/fonts/opensans-300.woff
I find this very odd that they would target those websites. What would be the gain of taking down those websites _for anyone_. I doubt that the reason is political.
P.S. Turkmenistan is probably the worst country when it comes to free internet. Almost all IP addresses are blocked, with very few websites (mostly google-owned) being reachable. The entire population is desperate for VPN (preferrably free). They are not educated about malwares, or anything about security, so they will download anything that promises free internet.
At this point one must assume that any "free" vpn software is free because it uses its install base for DDoS / other traffic abuse.
http://web.archive.org/web/20191128170008/https://medium.com...
It's pretty well known.
Where else would they get the 100 million users?
If they're truly hijacking end user clients, why don't you point to the section of their open source client that's responsible for that?
https://github.com/NordSecurity/nordvpn-linux
Easy enough to prove.
Credit or debit card, Klarna, PayPal, Google Pay, Cryptocurrencies
https://i.imgur.com/fTtdOfR.png
https://news.ycombinator.com/item?id=22532682
NordVPN used residential proxies at one point to enable access to Disney+ and other streaming services; that's a world apart from hijacking end-user connections.
They've got an open source client. Where's the code that's turning end users into endpoints?
https://github.com/NordSecurity/nordvpn-linux
I'm sorry but that's incredibly sketchy
But yes, it's also sketchy with the other implications and all, and not the least what kind of traffic that people want to hide that you're unknowingly a proxy to!
The standard linux vpn client clearly has some exitnode capabilities.
"We are a market-leading web intelligence collection platform, driven by the highest business ethics"
I think that's a bit debatable!
Which then makes this viewpoint not that useful at all.
And this issue already been long summed up as “nothing is free in life.”
You might not like something, but does it really make it a dilemma in the sense of 'having to pick which of the 2 bulls horns will impale you?' - i don't think so. (interesting points though, and perhaps i am still missing your point!)
Obviously for consumer it is better to be able to scrape sites. It is only those store owners (greedy capitalists) who do not want consumer to know that their prices are inflated.
Another thing is looking for some information, it is better just to have a language model go around the web and summarize the data for you rather than read someone's site with white letters on black background and weird font.
If a store owner doesn't want the reach, it's their loss. IMHO no need for a DoS attack.
Individuals also, IMO, have a right to sell access to their network for scraping-via-proxy. But they should be prepared to deal with the consequences, like a potential IP ban. Most people using VPNs that resell their residential network for scraping probably don’t know that’s happening, and many scrapers are indeed doing something bad, which is why there is a disdain for the practice.
Yes, I realize that LinkedIn is a self aggrandizing cesspool. I never post anything there.
[0] https://www.techradar.com/news/judge-orders-mediation-after-...
I never looked into that, but always used Nord VPN via the official OpenVPN client.
I formerly worked in the consumer VPN space (an older, but once quite big player), and use cases go from content access (including everything from getting US Netflix from Germany, to sidestepping national firewalls), to general-purpose paranoia about IP logging by websites. There are also lots of cases that get marketed a bit too liberally by companies like Nord, Express, and the hydra that is Kape, like that VPNs can add meaningful security to submitting payment information online; this is despite the fact that it's harder than ever to MITM payment sites.
It's generally agreed that the state of public Wi-Fi combined with evolving web standards and sky-high HTTPS adoption makes VPNs largely, though definitely not completely obsolete for protecting yourself against someone sniffing traffic at Starbucks.
Having said all that: if you need a VPN and a lack of port-forwarding isn't a dealbreaker, I wholeheartedly recommend Mullvad. My former company never worked with them directly but our team had immense respect for their integrity, ethics, and approach to developing a quality product.
The problem I have with all the "checks" that press foundations do is that none of them seem to know what they're talking about in regards to what tech is trustworthy and audited, and what is not.
I found a nice article about it, skimmed through it and seems to be true and reflect my own research that I did for my cyber defense network [1]
[1] https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-2...
They shouldn't keep logs but even if they did there's no personal information metadata.
Just your personal IP, which is via your provider very tied to your person.
(In many places it can trivially linked to your real ID, if there is a court order)
Unless the use case is circumventing region barriers.
If you are just a file sharer or normal low level criminal I doubt the CIA (or whoever may have infiltrated Mullvad) would give anyone your IP.
1. https://www.svt.se/nyheter/lokalt/vast/husrannsakan-mot-vpn-...
Or NSO or some other private actor did so, and now every dictatorship has access to it, and we all know how broad their “terrorist” definition can be…
If you are a dissident in Iran, you really should not trust some random VPN. Tor is probably safe enough, but there is also no guarantee, that the chinese are not sharing with them, because as far as I know (but last time I checked has been some years), many nodes are china based. So they might know.
But if all you do is pirating some videos, then this is not something to worry about.
Just so everyone is clear on a few facts, it is possible for a TLA or agency from another large government to just try to blackbox the VPN nodes and be done with it without needing to infiltrate Mullvad. Just pressure the network provider of the VPN instances to get flow data, and at that point they can match up traffic going in and out and the VPN disappears from the picture.
Mozilla gained good will over the years and I like the browser. The vpn is fairly seamless and permissive for number of devices. I understand it is a wrapper on Mullvad and we are paying a healthy overhead. Still, it is worth it because I’d trust that if the vpn service provider behaves in bad faith that Mozilla will be able to quickly respond and adopt another provider. Whereas if it were up to me I may hear of it years later and not necessarily know what service to adopt instead.
My use is merely hoping to reduce tracking based on ip. I wouldn’t trust it to be subpoena proof. I’m not into pirating music anyway.
Actually, they rather lost a lot over the last years, with various shady things, like tracking for advertisement enabled from the browser by default (called studys).
So sadly, I also would not trust them as a VPN. Way more than some random VPN service, sure, but not completely. But I also do not know of a better alternative.
I've lost track of the times a Mozilla misstep has resulted in people here saying that's the reason they're switching back to chrome, which I find frankly ridiculous. Also, the whole damn thing is open source, so it's not like they're really hiding anything, people just don't care until someone makes a stink and then all of a sudden everyone cares a lot.
No browser is perfect, but Mozilla is definitely one of the better ones for anyone privacy conscious.
We technical folks get it and can deactivate it.
Every non technical person I know, who still uses firefox does not know and has all the defaults activated, until I change it for them.
So sure, they are still better than google and microsoft, where I just assume that they track everything, but that is a really low standard.
Some of the other incidents were overblown but the Cliqz thing shows of a company culture where user data is something which can be sold to make a profit, which is essentially what they did, and not something which is vital to protect.
Yes, it was many years ago now but I have no reason to think that they cleaned up their company culture.
All Mozilla know is the mullvad username. Mullvad don’t know the credit card details of the purchaser. To link a given vpn ip to a specific credit card would require compromising mullvad and Mozilla.
(Or of course the normal way of fingerprinting which doesn’t rely on IPs)
Now sure you can buy mullvad via cash, but that’s far more work. Using Mozilla as a reseller feels like one more step in the chain
This might be useful:
https://thatoneprivacysite.xyz/
I am also familiar with a recent police investigation where law enforcement subpoenaed NordVPN and the company replied, essentially, that they had no information connecting a particular IP address, at a specific date and time, to any specific user.
https://www.pcmag.com/news/nordvpn-actually-we-do-comply-wit...
They don’t keep traffic logs
Not sure about the links to Proton though.
[1] https://en.wikipedia.org/wiki/Crypto_AG
Hola is ran by luminati/bright data which absolutely are pure scum scam botnet-enabling shitbag company.
Most people exclusively care about scum vs. not scum, and all but vuln-dev level sources shouldn’t distinguish.
Maybe HN fell on the savvy side of this at one point, but it was so long ago…
I will note your posts are reading as activism/consensus building, which gets people removed from hackernews. So you might want to dial it down.
Nuance matters! While the guy who makes sexist jokes and the guy who will rape you if ever alone with you are both scum, that difference really really matters.
I wrote an article in 2013 about why free proxies are free [1] and got so much feedback from people who had never thought about that.
This was back in the HTTP only days (very shortly before the Snowden leaks) and it was a good way to make money because your proxy could just replace all ads on all sites with your Google ads and you could see all communication. Insane from today's view
In 2015 I did a followup post where I analyzed the existing proxies for any manipulation of the original site and found that 80% of the free proxies did in fact change something [2]
[1] https://blog.haschek.at/2013/05/why-free-proxies-are-free-js...
[2] https://blog.haschek.at/2015-analyzing-443-free-proxies/
How does a clientless ngrok alternative help here (which tunnels server traffic), and why is it even necessary given that many OSes support at least one VPN protocol natively?
Not a rhetorical question: When is the last time you’ve visited a non-HTTPs website?
> you wont be part of a traffic redirection network
These are also only a concern for HTTP.
Other common use cases for VPNs include geo-unblocking, and hosting IP ranges are commonly blocked by streaming sites.
I can’t think of a good reason to use a VPS for a VPN anymore these days, to be honest – the privacy/security landscape has changed dramatically over the last few years.
You probably get better privacy these days on public (free/unauthenticated) Wi-Fi than you would on many "free" or paid VPN services.
Need to bypass geoblocking, e.g. when traveling? You'll likely need a residential IP -> use your own network at home (e.g. Tailscale or a self-setup solution) or one of the shady "residential IP broker" utilizing commercial VPNs out there.
Want privacy (from visited sites' trackers)? Your VPS is definitely not that: The IP is static, and if you send your entire traffic through it, this is much more fingerprintable than even residential web usage. -> Use a commercial VPN that you can trust (I don't know many) or something like iCloud Private Relay or TOR.
Want privacy from your ISP tracking you (including public Wi-Fis), and only that? Then, yes, a VPS-based VPN might be for you (or any of the commercial VPNs out there).
But my claim is that the last one (and only that) is probably not the biggest concern of most people.
I’ve run a private vpn for extended family off of my residential connection for this reason. It helps them and me.
On another note, one of the first firewall rules that many of my clients ask for is to block cloud servers IP ranges.
Installing open VPN is like carrying the One Ring to Mount Doom. I’ve installed operating systems, databases, web servers, full LAMP stacks that took less effort.
> I have to give props for Swing VPN teams creativity to bypass security measure of Apple appstore and Google PlayStore but it is sad that Apple/Google security systems does not have some automated ways to detect these types of actions.
It's a tricky problem. The amount of attack traffic from an infected device is negligible and very little of it is visible to the operating system due to TLS. It's also presumably intermittent (there's no point in keeping an attack ongoing forever; you stop when the site has found a way to defend itself), so just running the app for a while as part of validating an update might not show any suspicious behavior. The suspicious part is in the configurations downloaded from the CnC servers, not packaged with the app, so static analysis won't help.
The only reliable option for catching these proactively thatI can think of would be to use some kind of aggregate telemetry from all the app installations combined, but that'd be incredibly scary both in terms of privacy and the blast radius when something goes wrong.
> Currently in the beginning of June 2023 it has over 5 million install base on android
That's not really a reliable number. It's more like "the number of distinct users who had this app installed at some point". AFAIK it doesn't get decremented when somebody uninstalls the app, and doesn't go up when somebody installs it for a second time on a new device. Those factors might cancel out, might not.
lol
If I had a known user agent doing a curl to icanhazip or whatnot, could that eventually be blacklisted?
Until it's discovered, traffic to their own servers would appear the most innocuous. After that, the app gets kicked off the store and the server doesn't matter.
Unless it doesn't actually do any VPN and it's all just a farce, lol.
(To answer the inevitable: Mullvad and Proton are the legitimate offerings that spring to mind.)
On the other side of that, some random Joe has probably purchased access to a set of these 'residential proxies' and is using them to scrape flight data from the airline site the article author noticed, with some of those requests being sent over the author's connection.
Many 'free vpn' and 'free proxy' apps engage in this behavior, you may proxy your requests via their connection, but they also proxy their requests via yours, generally reselling that access to someone who finds your IP address to be of value to them due to the fact that it's not a datacenter address.
It's certainly questionable to straight up unethical either way, especially so if the service doesn't disclose to you that they're doing that, but on the other hand I find the author's DDoS conclusion to be so contrived and out of touch with reality that I had to write this comment.
DDoS is just freedom of speech. Just some people have louder voices than others which is not a foreign concept to the rest of us. So long as the VPN (or whatever) operator mentions it in their terms of service (e.g. if they rely on user resources), it's fine IMO.
There needs to be an incentive for companies to implement good quality software and to not be evil (not to make enemies) and legalizing DDoS might help create such an incentive.
Getting DoS-ed is sufficient "punishment" for not being able to mitigate a DoS. "their fault for accumulating too many enemies" is dubious considering that one "enemy" is enough for a DoS and that the DoS-er might not actually have something personal against the target.
> DDoS is just freedom of speech. Just some people have louder voices than others which is not a foreign concept to the rest of us.
I wouldn't characterize a DoS-er as "the one with the louder voice". I hope you don't think doxxing and revenge porn should be legal too. Anyway, there's the saying "My right to swing my fist ends where your nose begins."
I used to think like that but in reality, the way the world really works is that anyone can punch you in the nose if they really want to... Whether or not the assailant will be punished for that depends on who got punched and who did the punching.
Access to the justice system is asymmetrical. Big corporations or organizations are often not held liable for many of their 'crimes' on a per-infraction basis because their victims have a much weaker voice; they can basically do all the crimes they want and then, if they harm enough people and they get caught and there is a class action (a lot of IFs), they MAY pay a lump sum fine at the end.
I prefer the ancient Roman system where some crimes were forgiven based on context (e.g. retaliation was allowed). I think it would bring back the human element to the justice system. People should be allowed to take the law into their own hands provided that their cause can be morally justified in front of a random sample of citizens.
Also, legalizing DDOS would simply enable protection racket type schemes (Mirai/Protraf Solutions) and affect small businesses without the ability to defend against them.
I think vigilantism would better allow human nature to shine through. E.g. you can talk and reason with an extortionist directly but you cannot do that with a corporation or other large organization.
These DDoS tools appear to take things to the next level, and an undeniably blackhat direction.