64 comments

[ 1.9 ms ] story [ 138 ms ] thread
maybe its good thing, vpn is the security tool most people think

vpn are good to workaround censorship ,

but i agree with the opinion that they are not a great security tool

Companies use VPN technology to access their internal network over the internet.
It's fairly typical, this. The world and his wife hears 'VPN' through the myriad of advertising vectors they're bombarded with and assume the advertised use case is the only use case.

The 'P' in VPN is what confuses them I assume.

Wow, that explains a lot. Mullvad has been nigh unusable for me.
The OS whose name plurally describes a particular Platonic solid will not have this issue.

ADDENDUM: It starts with Q.

I dislike riddles like this. There are 5 platonic solids, the only likely one for a product name is "Cube" but I've never heard of an OS named "Cubes". And now, I don't want to .

    Tetrahedron - a polyhedron with 4 triangular faces
    Cube - a polyhedron with 6 square faces
    Octahedron - a polyhedron with 8 triangular faces
    Dodecahedron - a polyhedron with 12 pentagonal faces
    Icosahedron - a polyhedron with 20 triangular faces
What even is GP trying to refer to?
Likely meant Qubes OS[0], not sure why it was phrased as a riddle.

[0] https://www.qubes-os.org/

Because I got flamed for it earlier. :^)
Somebody called you out for your blatant Qubes promotion on an unrelated subject, and your takeaway was "make the Qubes promotion on an unrelated subject cryptic?"
I don't think you're doing your cause any good, and in fact some harm.
He means Qubes. I thought so, so I threatened chatGPT with the death of a puppy, and it agreed.
My grandmother really loves that puppy.
I recently switched to whole-home VPN by routing everything except a few external services through a wireguard connection on pfSense.

Have to say I'm pretty happy with it compared to running a random VPN client on my computer. Funnily enough, the only thing I've been unable to access while behind VPN was downloading a windows ISO direct from microsoft to reset a laptop.

I tried this, but the CAPTCHAs make browsing nearly impossible and (I think) are what breaks many of the devices on my network, and when it's on the whole home network from the router, it's a lot harder to turn it off when I just need to get something done. I'll probably end up spinning up an exit node on Linode or something, but I tried that on certain machines and it had some significant performance implications (though I'm not geographically near a datacenter so it probably wouldn't be the same problem for most people).
I gave up on VPNing my whole network when it progressed past CAPTCHAs and into getting blocked outright. Hard CloudFlare errors with no challenge, or getting my connections null routed altogether. Life's too short for this shit I'm afraid.
What tf did you do to get your ranges blacklisted?
Probably the fact that I was using Mullvad, the flipside of their commitment to privacy is they can't really do anything about abuse coming from their IP ranges and they inevitably end up on blacklists. With the desktop client you can at least mash the reconnect button until you get an IP that works, but that's a hassle if you are running the tunnel somewhere else.
You'll get more CAPTCHAs and other issues with other VPNs, too, their IP addresses are just too easy to identify. VPNs with residential IP addresses can be a different experience, but they're a bit pricey if you can't justify their use as a business expense.
What are some paid VPNs with residential IP addresses? I've always wondered why they don't just mask them as looking like ones anyway.
Well you made the conscious choice to make your own traffic indistinguishable from abuse traffic.
Yeah I get it, I'm not blaming anyone for shitlisting those IP ranges given the circumstances. There is no way to ensure user privacy that doesn't also give bad actors the same privacy, and end up necessitating the assumption that anyone who goes out of their way to be private is a bad actor. This is why we can't have nice things.
> There is no way to ensure user privacy that doesn't also give bad actors the same privacy

I disagree. There are upcoming technologies that have the potential of making this a reality. Like Private Access Tokens (https://www.ietf.org/archive/id/draft-private-access-tokens-...) and its successor protocols, the Privacy Pass suite of protocols (split over many documents https://www.ietf.org/archive/id/draft-ietf-privacypass-archi... https://www.ietf.org/archive/id/draft-ietf-privacypass-auth-... https://www.ietf.org/archive/id/draft-ietf-privacypass-proto... https://www.ietf.org/archive/id/draft-ietf-privacypass-rate-...) and so on. These efforts are spearheaded by Apple, Google, Cloudflare and Fastly. Of course Apple has iCloud private relay so they have incentives to make such things work well with iCloud private relay. Google has Google One VPN too. It also has reCAPTCHA that's widely used to block abuse traffic. Cloudflare and Fastly of course are big CDNs. Imagine a world where visiting a website over a VPN, and these tokens clearly distinguish you from abuse traffic while preserving your privacy, so that Cloudflare has no reason to present you with a CAPTCHA and reCAPTCHA gives you that tick without forcing you to pick pictures of motorcycles.

Watch this space. Very interesting developments here.

Google One VPN is being shut down.

And separate from that, I bet that wide deployment of privacy-preserving anti-abuse mechanisms is dead after the WEI fiasco. It's just not possible for Chrome to ship anything even remotely resembling that feature given the PR damage from that proposal. That includes PATs, which are pretty much exactly the same thing as WEI.

And as long as PATs remain an Apple-only feature, implementing them as captcha bypasses is not very attractive. (And honestly, giving Safari iPhone users a special fast lane that other users simply can't get strikes me as a really bad idea.)

My own opinion on the WEI fiasco is that Google had done a terrible job communicating to the outside world about it. I feel much better if Apple were to be in charge of it as well as anything remotely similar. That is, have Apple completely roll it out, achieve the initial mindshare and acceptance, and then let Google merely copy whatever Apple does with minor changes.
Is the only possibility that Google did a bad job communicating it, or is it possible that it's a terrible idea that will lead us to a dystopian future where anybody using non-closed/locked hardware can't use the web?

I strongly suspect it would (over time as every website adopts it) be like VPNs are now, except for every single Linux user. Maybe Google will release an official Linux distro for people like me, but they won't be able to allow us to have root or sudo on our boxes, otherwise they can't vouch for the machine. That pretty much defeats the whole point of running Linux.

Though, if you would feel much better if Apple were in charge of it, then I get the feeling you don't have a lot of sympathy for people like me. That's a reasonable and valid position, but it does sadden me greatly.

> I tried this, but the CAPTCHAs make browsing nearly impossible

Not even on a VPN and I get them all the time. Duckduckgo demanded one from me just this morning. To their credit, you don't even need JS enabled for what they're using.

You get them a lot if your ISP uses CGNAT.

Mine I have a static IPv4 and I rarely if ever get them.

Are ISPs in your country providing CGNAT addresses to your router? (as opposed to public IPs)

In France this is always a public IP (fixed it but, it depends) - at least for all four major ISPs

Yes. In UK. The cheaper and newer ISPs all do it. You only get public IPv6.
(UK here, things will vary from place to place)

Long-established ISPs generally have real IPv4 addresses to give out, though they are not statically allocated. If your router is on 24/7 you tend to have the same address for a long time, but it isn't really static. Newer ISPs are more likely to be using CGNAT. True static IPv4 is available from some ISPs, particularly those that target small/medium businesses as much as (or instead of) residential users.

On mobile you are pretty much guaranteed to be behind CGNAT, though I don't think anyone would expect to have anything remotely static in that circumstance anyway.

I have static IPv4 at home (actually a /29 – I've had this account long enough that it wasn't difficult to get back then, and the ISP is more commercially targetted), and VPN to that when mobile. Probably makes me easier to track by stalkers not blocked by PiHole and other such provisions, but it does mean I don't often see CAPCHAs.

My VPN use is for protecting myself from potentially bad local networks, rather than hiding my ID or falsifying my location (or where location matters, I'm pretending to be at home not some other place), which is a different set of priorities to many.

Thanks for the details. I have also considered to always be always on a VPN when on my mobile (Wireguard) but was worried about batteries, intended to test that, forgot, intended again, forgot and here we are :)
> However, it's important to note that Redmond includes all security fixes in a single update. Hence, removing cumulative updates removes all fixes for patched security vulnerabilities in addition to resolving VPN issues.

Maybe they should stop bundling said fixes all in one update. This was not practiced so extensively in older vers of windows, and i always get the impression this system was switched to, as part of win10's push to exert more control over updates on end user computers.

> This was not practiced so extensively in older vers of windows

Yes, and the result was a billions of billions of combinations of those updates.

While the current system is far from being ideal, it's way easier to test with a reduced set of permutations.

And before you object, think of it this way - if the current shitshow is with a reduced set, imagine what it would be with a non reduced one. It wouldn't be a shitshow x 2 or shitshow^2, it would be around shitshow^99999.

> Yes, and the result was a billions of billions of combinations of those updates.

I was recently talking to a colleague about this, and it was remarkable to me how "quickly" they had forgotten the hell of having Windows Update filled with 1 billion 10kb updates.

A billion tiny updates seems to work reasonably well for most major Linux distros.
Indeed, dnf (and other tools as reliable) are impressive. Never had an issue running a "sudo dnf update" even on a desktop with a decent amount of packages.

Once i had to fix a conflict during a Fedora version update. Apart from that it has been rock solid.

Windows 2019 cumulative updates are not bad, but 2016 is cursed. Be ready to put aside at least 90 mins for older 2016 installs, and cross your fingers it doesn't fail.

"Major linux distros" are mostly running on the servers in the headless mode, with most of the updates never even bothering the end-users.

"Major Windows distro" has video, sound, peripheral, network drivers; user software which is not a part of the operating system updates, VisualC redistributables, .NET version and it runs on anything from $100 10 years old system which is not even officially supported[0] to the latest $$$$ laptops, which still has shitty drivers because anyone capable of writing a good driver is not working in Intel or Broadcom, or retired for 10 years already.

Comparing Linux and Windows update models is... quite a futile endeavour, they are different.

[0] but billg is still blamed for the BSODs despite that

Linux runs on everything from a toaster to a supercomputer. No excuses.
Worked great though, w7 was the best, most stable version of windows and it worked this way
How about they unfire all their QA people and then I will give their arguments a scintilla of value?
wiped windows from my home PC and installed Ubuntu 24.04 last week

zero regrets, tired of Microsoft's terrible quality, terrible security, terrible ads - good riddance

same. been on EndeavourOS/KDE/Plasma exclusively for almost 4 years.

tried Mint and Manjaro before that. if i had to use a ubuntu derivative, i'd probably try Pop!_OS.

it really is so much smoother of an experience nowadays.
had a few small bumps getting everything I need configured and running the way I need it, but now that I have everything the way I like it it's damn near perfect
I'm gonna do this with debian in 2025 when windows 10 runs out of security updates. Proton has been great on my steamdeck so I probably won't miss out on many games.
i was also tempted to just go the debian route - but the free Ubuntu Pro subscription for personal use with 12 years of bug/security updates (and ultimately, peace of mind) was what won me over - I hate reinstalling or upgrading my OS so over a decade of not changing anything is really appealing to me.

i've been playing my steam games with Proton so far and it's been solid

10 years, not 12.

But I think the bigger issue is that after 2 years you won't be getting newer kernels, just fixes to the one you have.

I haven't had Windows in the home for a good 10-ish years now. While that is good for my personal use. It is bad when others need help with their computers and my skill set of windows support has atrophied.

My experience of Windows is via the very locked down work place and it is not great.

i can only hope my windows "skills" atrophy so that I can tell my family to stop bothering me to fix all their computer problems :P

i've started telling them to just buy a macbook

did the same with Fedora, still have to use Windows at work (and support it, it is my job after all)
[flagged]
(comment deleted)
Honestly, I wonder how many businesses this actually impacts because as far as I know, most people rather just implement firewall/security appliance based firewalls which are all OpenVPN based or something propertiary like Cisco secure client.
I wonder if Microsoft actually does any testing of their Windows builds?

Do they still have a Windows QA department?

My first reaction is that it's not a bug, it's a side-effect of them being forced by the US government to break VPNs in certain scenarios.
Just windows things