By mailing cash, if you like. They don't care if they know who you are or not. They don't ask for your email address, you just log in with a randomly-assigned account number and a password.
Been saying it for YEARS: 95% of VPNs sell your data. It's where they make their money. It's absolutely insane the push-back I get when I say this online. I get downvoted to hell and back.
Source: I bought this data from VPN companies... Hell, you can inject ads and surveys if you want!
Yes, I've heard of bad VPN companies that sell your data. I would like to learn more about how it is done exactly.
In your later comment you said "DNS is very useful, and unencrypted. OpenDNS makes its money on this same info." Is the VPN company only openly selling DNS info or are they selling more, such as connection logs?
How did you approach the VPN provider to ask to buy this info?
Fun fact: I once interviewed for a company offering a free VPN, which was actually using other users as endpoints for the VPN. Some kind of P2P VPN if you will.
How did they make money? Easy: there were also selling a botnet! So if you used their "free VPN", you could be part of a botnet for DDOS or to create fake reviews/upvotes from thousands of "legit" IP addresses.
Are we allowed to discuss (edit: if it's not too political?) if Kape Technologies has any connections to Israeli security services, given the nature of VPNs and given the amount of data that can be trivially collected, and:
"Being from Israel, Teddy Sagi had connections with the Israeli military intelligence sphere and was able to procure himself a real-life cyber spy [his co-founder] from the famed Unit 8200 (kinda like Israel’s version of the NSA)" [0]
> ExpressVPN was founded in 2009 by Peter Burchhardt and Dan Pomerantzwe who later sold it to British-Israeli security software company Kape Technologies
Note that all of these companies are also under the umbrella of Tesonet, a Lithuanian VC firm also headed by Tomas Okmanas (Tom Okman in TFA). Their flagship investments are Nord Security, Hostinger, Oxylabs, Surfshark, Decodo, Mediatech, and nexos.ai - all closely related business models around proxying.
They don't seem to have Russian ties: "In 2022, CyberCare opened an office in Lviv, Ukraine. Although planning for the move started before the war, according to Dainius Vanagas, CEO of CyberCare, one of the reasons why it was followed through was a desire to help Ukraine rebuild."[0]
Hey Carl! This is the first I'm hearing of Obscura. After doing a deep dive into your product, it looks to be a very fascinating privacy tool. However, I'm concerned with your operating under US jurisdiction, as detailed by others here:
While I understand potentially not wanting to incorporate in the EU (with Chat Control on the horizon) nor Switzerland (due to their own non-EU-related privacy backslide), why still select the US, which historically other privacy tools have largely avoided? It feels like you're already shooting yourself in the foot, whereas you'd be good in the EU should Chat Control not pass. While it's great that you verifiably can't see a user's internet traffic, you're one US court order away from a forced compromising of the service for a user (or at least, giving up the connecting IP). Historically, EU court orders have been easier and more transparently fought by privacy tools.
Non sequitur, it would be great if you prioritized accepting Monero as payment, like your exit hop Mullvad. Also, how much control do we have over the features Mullvad offers (e.g. DAITA, quantum resistance, DNS filters, IPv6, integration with Mullvad Browser)?
TL;DR: you shouldn't assume your data or activity is in any way anonymous when using these services. These VPNs are useful for changing your region for streaming and not much else. Otherwise, the traffic being routed through these VPNs is basically much more likely to involve "questionable" activity than ordinary traffic - and when you send your traffic through it, you are basically highlighting it as such - and all of this is well-known and of extreme interest to anyone interested in snooping on or analyzing such "questionable" activity.
I’m not a big expert on the VPN tech side, but it always seemed to me that the most logical option for those that actually understand about VPN is Proton, or am I missing something here?
A long time ago, I have difficulty removing payment card information from ExpressVPN.
Managed to contact support to remove it but they merely zeroed out (it shows 0 for the visible fields) the card details rather than truly removing payment information.
Can anyone give info on who owns Trust.Zone VPN? The company saves all credentials and doesn't allow the user to generate anything, such as Wireguard private keys. The service is very likely logging everything, and already admits to logging bandwidth, which is severe enough.
Wouldn't be surprised if this was a honeypot for logging Russian internet users, as it appears to cater to Eastern users.
Can someone explain to me why should I use a VPN when Tor is out there?
It just seems to me odd that one would pipe their communications through a private company, that operates over a jurisdiction when said jurisdiction can compel the company in actions that may compromise my anonymity.
From my perspective, its like shifting my trust from my ISP (an entity with way more oversight) to a pvt ltd.
Isn't Tor as safe as it can get when surfing the web?
Glad to see more zero trust confidential computing happening....but keep in mind its still vulnerable to attacks like Battering RAM which can fully breaks cutting-edge Intel SGX and AMD SEV-SNP confidential computing processor security technologies.
Battering RAM has been demonstrated to work well against Intel's "Scalable SGX" which is also known as SGX 2, and uses static encryption key to allow SGX to use more of the system's memory.
For example at VP.NET we're using SGX 1, which uses AES-CTR for memory encryption which is not susceptible to memory reply attack, and comes with a limit of 512MB of ram. It's a lot of pain working with a very small memory allocation (especially nowadays where most machines come with 128GB+). batteringram.eu calls that "Client SGX" with a checkmark on "Read", but reading the actual paper it only mentions being able to know which areas of memory were written to (see 7.1).
There might be applications where memory access pattern gives detail on the underlying work performed, but this is likely coarse (encryption is likely per page) and unlikely to yield to anything useful.
This said we are also exploring other TEEs including Intel TDX, and having a wider array of options will give us the ability to instantly disable any technology for which we know security has been compromised.
69 comments
[ 5.0 ms ] story [ 72.3 ms ] threadhttps://kumu.io/embed/9ced55e897e74fd807be51990b26b415#vpn-c...
Don't use the embed link from above, use this one: https://kumu.io/Windscribe/vpn-relationships
Source: I bought this data from VPN companies... Hell, you can inject ads and surveys if you want!
In your later comment you said "DNS is very useful, and unencrypted. OpenDNS makes its money on this same info." Is the VPN company only openly selling DNS info or are they selling more, such as connection logs?
How did you approach the VPN provider to ask to buy this info?
How did they make money? Easy: there were also selling a botnet! So if you used their "free VPN", you could be part of a botnet for DDOS or to create fake reviews/upvotes from thousands of "legit" IP addresses.
1. Getting access to geolocked data
2. Torrenting "Linux ISOs"
?
"Being from Israel, Teddy Sagi had connections with the Israeli military intelligence sphere and was able to procure himself a real-life cyber spy [his co-founder] from the famed Unit 8200 (kinda like Israel’s version of the NSA)" [0]
?
[0] https://windscribe.com/blog/what-is-kape-technologies/
But if Nord is sketchy, what is the recommended one?
> ExpressVPN was founded in 2009 by Peter Burchhardt and Dan Pomerantzwe who later sold it to British-Israeli security software company Kape Technologies
Close enough.
They don't seem to have Russian ties: "In 2022, CyberCare opened an office in Lviv, Ukraine. Although planning for the move started before the war, according to Dainius Vanagas, CEO of CyberCare, one of the reasons why it was followed through was a desire to help Ukraine rebuild."[0]
They also donated money to help arm Ukraine.
0: https://en.wikipedia.org/wiki/Tesonet
With Multi-Party Relays you no longer have a trust a single entity not being malicious or compromised.
Disclaimer: I run obscura.net, which does exactly this with Mullvad (our partner) as the Exit Hop.
https://discuss.grapheneos.org/d/20059-obscura-vpn-and-mullv...
While I understand potentially not wanting to incorporate in the EU (with Chat Control on the horizon) nor Switzerland (due to their own non-EU-related privacy backslide), why still select the US, which historically other privacy tools have largely avoided? It feels like you're already shooting yourself in the foot, whereas you'd be good in the EU should Chat Control not pass. While it's great that you verifiably can't see a user's internet traffic, you're one US court order away from a forced compromising of the service for a user (or at least, giving up the connecting IP). Historically, EU court orders have been easier and more transparently fought by privacy tools.
Non sequitur, it would be great if you prioritized accepting Monero as payment, like your exit hop Mullvad. Also, how much control do we have over the features Mullvad offers (e.g. DAITA, quantum resistance, DNS filters, IPv6, integration with Mullvad Browser)?
This is is what i wrote my master thesis on. I ended up not turning it into something proper. Thank you! i love that you did this!
Its awesome! OMG good job!
https://joeldare.com/ssh-tunnels-my-vpn-alternative-for-priv...
Seems to have triggered the netsec community on reddit though.
Managed to contact support to remove it but they merely zeroed out (it shows 0 for the visible fields) the card details rather than truly removing payment information.
Wouldn't be surprised if this was a honeypot for logging Russian internet users, as it appears to cater to Eastern users.
It just seems to me odd that one would pipe their communications through a private company, that operates over a jurisdiction when said jurisdiction can compel the company in actions that may compromise my anonymity.
From my perspective, its like shifting my trust from my ISP (an entity with way more oversight) to a pvt ltd.
Isn't Tor as safe as it can get when surfing the web?
For example at VP.NET we're using SGX 1, which uses AES-CTR for memory encryption which is not susceptible to memory reply attack, and comes with a limit of 512MB of ram. It's a lot of pain working with a very small memory allocation (especially nowadays where most machines come with 128GB+). batteringram.eu calls that "Client SGX" with a checkmark on "Read", but reading the actual paper it only mentions being able to know which areas of memory were written to (see 7.1). There might be applications where memory access pattern gives detail on the underlying work performed, but this is likely coarse (encryption is likely per page) and unlikely to yield to anything useful.
This said we are also exploring other TEEs including Intel TDX, and having a wider array of options will give us the ability to instantly disable any technology for which we know security has been compromised.