Latest VPN Security Scandals Show (Yet Again) That VPNs Aren't A Panacea

from the not-a-magic-bullet dept

Given the seemingly endless privacy scandals that now engulf the tech and telecom sectors on a near-daily basis, many consumers have flocked to virtual private networks (VPN) to protect and encrypt their data. One study found that VPN use quadrupled between 2016 and 2018 as consumers rushed to protect data in the wake of scandals, breaches, and hacks.

Usually, consumers are flocking to VPNs under the mistaken impression that such tools are a near-mystical panacea, acting as a sort of bullet-proof shield that protects them from any potential privacy violations on the internet. Not only is that not true (ISPs, for example, have a universe of ways to track you anyway), many VPN providers are even less ethical than privacy-scandal-plagued companies or ISPs.

The latest case in point: a number of VPN providers who claim to offer “zero logging” protection were found to have not only been tracking a laundry list of user behaviors online, but doing a piss poor job securing said data. Kicking it off, Comparitech’s Bob Diachenko recently discovered 894 GB worth of user data in an unsecured Elasticsearch cluster belonging to UFO VPN, a provider whose privacy policy informs users that they aren’t tracked as they travel around the internet. That wound up being, you know, not even remotely true:

“Hong Kong-based VPN provider UFO VPN exposed a database of user logs and API access records on the web without a password or any other authentication required to access it. The exposed information includes plain text passwords and information that could be used to identify VPN users and track their online activity.”

Again, “VPN” should not be automatically associated with “secure,” and the majority of these companies simply aren’t particularly trustworthy. Just ask vpnMentor, which discovered last week that an entirely different group of “no logging” free VPN providers had left more than a terabyte of private user data openly exposed online without a shred of protection:

“The vpnMentor research team, led by Noam Rotem, uncovered the server and found Personally Identifiable Information (PII) data for potentially over 20 million VPN users, according to claims of user numbers made by the VPNs.

Each of these VPNs claims that their services are ‘no-log’ VPNs, which means that they don’t record any user activity on their respective apps. However, we found multiple instances of internet activity logs on their shared server. This was in addition to the PII data, which included email addresses, clear text passwords, IP addresses, home addresses, phone models, device ID, and other technical details.”

The irony of consumers (justifiably) fearing for their security in the wake of massive privacy scandals, only to stumble into the arms of “security companies” that are even worse on security and privacy is just very 2020. For many of these fly-by-night operations, the VPN itself is just security theater, and in some instances you’re actually probably better off with the devil you already know:

That’s not to say that VPNs don’t certainly have their use, but folks need to exercise some good judgement and spend a little time reading and comparing recommendations from respected outlets before putting their behavior data into the hands of total randos half a world away.
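The UFO VPN exposure described above comes down to one configuration pattern: an Elasticsearch cluster bound to a public interface with no authentication on its REST API. The following is an added example, not Comparitech’s tooling or anything from the providers named in the article. It audits a flat `key: value` elasticsearch.yml for that pattern, using the real settings `network.host`, `http.port`, `xpack.security.enabled` and `xpack.security.http.ssl.enabled`. It assumes the 7.x-era default in which an unset `xpack.security.enabled` means security is off (8.x turns it on by default), and both sample configs are constructed for the demonstration.

```python
"""Audit an elasticsearch.yml for the exposure pattern behind the UFO VPN leak:
a cluster reachable beyond loopback with no authentication in front of it.

Added example, not Comparitech's or any VPN provider's code. Assumes the flat
`key: value` layout elasticsearch.yml normally uses and treats a missing
xpack.security.enabled as 'off' (the 7.x-era default)."""

from typing import Dict, List

# Constructed sample: the kind of config that puts a cluster on the open internet.
WEAK_CONFIG = """\
cluster.name: vpn-logs
node.name: node-1
network.host: 0.0.0.0        # listens on every interface
http.port: 9200
# xpack.security.enabled left unset -> no credentials needed on the REST API
"""

# Constructed sample: the same cluster with the fixes a reviewer would ask for.
HARDENED_CONFIG = """\
cluster.name: vpn-logs
node.name: node-1
network.host: 127.0.0.1      # reachable only from the host (or use a private VLAN IP)
http.port: 9200
xpack.security.enabled: true # REST and transport layers require authentication
xpack.security.http.ssl.enabled: true
"""

# Values of network.host that keep the listener off external interfaces.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "_local_", "localhost"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse the flat `key: value` subset of YAML used by elasticsearch.yml.
    Inline comments and surrounding quotes are stripped; nested blocks are out of scope."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def audit_elasticsearch(text: str) -> List[str]:
    """Return the findings for one config; an empty list means nothing was flagged."""
    cfg = parse_flat_yaml(text)
    findings: List[str] = []
    host = cfg.get("network.host", "_local_")  # Elasticsearch binds loopback by default
    bound_wide = host not in LOOPBACK_HOSTS
    if bound_wide:
        findings.append(f"network.host={host}: cluster reachable beyond loopback")
    security_on = cfg.get("xpack.security.enabled", "false").lower() == "true"
    if not security_on:
        findings.append("xpack.security.enabled is not true: REST API has no authentication")
    if bound_wide and not security_on:
        findings.append("CRITICAL: unauthenticated cluster on a non-loopback interface")
    tls_on = cfg.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    if security_on and not tls_on:
        findings.append("credentials would travel over plain HTTP: enable xpack.security.http.ssl.enabled")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_elasticsearch(cfg) or ["OK"])
```

The check is deliberately conservative: a hardened host name such as `_site_` or any specific public address is treated as wide open unless authentication is on, because the network binding alone is not a control once the port is reachable. Enabling HTTP TLS also needs a keystore configured; the hardened sample shows only the two settings the audit looks at.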



Comments on “Latest VPN Security Scandals Show (Yet Again) That VPNs Aren't A Panacea”

32 Comments
Ancient one says:

Re: Re: man built = fallible

Problem is, panacea is an ancient Hellenic word and as such it’s hard to know how to properly pronounce it.
Might also be pronounced with a hard c, more like panake-i-a.
The soft c (s-like) before e and i rather would point to an origin in modern Latin with Germanic influences [col. French].

Anonymous Anonymous Coward (profile) says:

Buyers beware

The message seems to be, be careful which VPN provider you choose. Some of them are shady. Free doesn’t appear to be associated with good.

There have also been some cases recently where even with competent VPN providers users opted to use static IP addresses, which is a value as it gets around the usual VPN address blocking some websites use (I think Netflix does this and I know Craigslist does this) but is extremely harmful to the whole anonymity thing.

PaulT (profile) says:

Re: Buyers beware

"The message seems to be, be careful which VPN provider you choose"

The real message is that real security is an ongoing process. Anyone who thinks that applying one form of protection is enough to forget about the entire process is a fool. You need to keep vigilant, make sure you’re using other methods to protect yourself and be willing to switch your toolkit entirely should something not be performing to acceptable standards.

But, yes, making a good decision about your provider upfront is important, and a big part of that is that you get what you pay for. Free is fine, but that means you have to be extra careful. It’s notable that all of the free VPNs included in the above report appear to be randomly generically named VPNs I’d never personally heard of before, all running out of Hong Kong. Given recent political events, you have to be pretty lax in your choice of security to what could be a potential Chinese government proxy just because it was "free".

Anonymous Coward says:

The irony of consumers (justifiably) fearing for their security in the wake of massive privacy scandals, only to stumble into the arms of "security companies" that are even worse on security and privacy is just very 2020.

More "2016" than "2020"—if not earlier:
Using an SSL proxy that simplistically stored certificates, Kaspersky Anti-Virus left its users open to TLS certificate collisions.

Anonymous Coward says:

VPNs just cut out some middle-men by encrypting your data between your device and where it "pops up" somewhere on the internet. Your data is no longer encrypted once it pops up. The middle-men can be ISPs, Wi-Fi hotspot providers (and their ISPs), and people trying to listen in on a Wi-Fi hotspot. As Karl said, ISPs have other tracking and spying methods. The others, too, but not so much.

VPNs really don’t do anything for anonymity after the point where your data "pops up", and very little before. The recipient probably can know who you are, but probably not where you are. If you are in Kansas and use a VPN that pops up in New York, and you look for Home Depot, you will get "local" stores in New York, not Kansas. This is why people use VPNs to bypass location specific things, like censorship in many countries, and entertainment sites that have location restrictions.

For more anonymity, use Tails, and also follow all the guidelines they provide, which can be a pain. Edward Snowden used Tails, probably with best practices, and he still had to boogey fast to escape capture. He knew they would figure him out eventually. So nothing is perfect, especially if the big boys are after you.

Anonymous Coward says:

Re: Re:

Edward Snowden used Tails, probably with best practices, and he still had to boogey fast to escape capture. He knew they would figure him out eventually. So nothing is perfect, especially if the big boys are after you.

While TAILS is not perfect, Snowden wasn’t expecting to be caught because of a flaw in TAILS. There weren’t that many people with the right level of access to the NSA’s network. They’ve got network logs, they can see who’s out of the country, and they’re reasonably intelligent. Snowden knew they’d find him even if he never used a computer again.

Unfortunately, there are still a lot of websites that block Tor. You’ll have to choose between accessing them (maybe taking chances with a VPN service or wifi hotspot) or remaining anonymous.

Anonymous Coward says:

Low hanging fruit

If the big boys want you, they will get you. There is no government on this planet that can’t just fabricate "evidence" and railroad anyone. Most intelligence services are more than adequate to "touch" virtually anyone, the only restraint is the cost. Other entities have various tools, true. There is no perfect security (beyond your own planet/country/army/nukes).

However, VPN like many security measures are about not being the "low hanging fruit". The harder one makes breaking their security the fewer entities will be interested in doing so. Also, all those who protect their security, for the sake of protecting their security while not doing anything wrong also drive up the cost of breaking security.

In the U. S. the Fourth Amendment was designed/intended not to help the criminal, but to ensure that the cost of enforcement was high enough that honest people had some protection from out of control government officials. Used correctly, VPNs as such are a benefit.

If you want perfect security, move to your own planet. If you are stuck here with the rest of us, use good security to promote sensible decisions by (however few) honest governments and government officials there are.

I put a case: One indicator of a "good" government is the encouragement of good security (including VPN) on the part of citizens, even against that government itself. Such a government recognizes that some of its own officials can be very bad players. Thus the government needs citizen help to weed out those bad players. Who reading this would contend that their government is a "good government" by the aforesaid definition?

elperico (profile) says:

Every laptop and PC has its own IP address that is visible during the "handshake" process that you constantly go through on the Internet. This is similar to a paper trail of a credit card. They don’t need to inspect your Internet Service Provider logs to find you. This identifying internal number will come up very readily with the search programming NSA comes to market with and this is what identifies YOU apart from your ISP. They won’t admit it, but they can always look right past the ISP’s address and see your rig’s identifying number devised upon its construction at the factory. It is this info that they "log" at all of the switching points along the server network. Otherwise, how would the ISP know who was (paying and) using their bandwidth? That is why the "logging" is a threat to you, because you are immediately identified all of the time. Encryption can temporarily conceal what you said, but they always know who you are and all of the places you went. Combine that with the unit’s serial number and if you paid for your computer with a credit card; so, they know immediately who you are anyway, without, tracking logs, having to de-code anything at all, or trying to outsmart a VPN. You are so painfully visible and trackable. Then, once outside your ISP’s server, everything is visible. The only thing a VPN is good for is when the wi-fi you use restricts your content choices and you can use the VPN as a "proxy" server to get around it. Beyond that a VPN is nothing but a con job and a guaranteed bust. Wise-up.

nasch (profile) says:

Re: Re:

This identifying internal number will come up very readily with the search programming NSA comes to market with and this is what identifies YOU apart from your ISP.

No it doesn’t. An IP address does not identify a person or even a device.

They won’t admit it, but they can always look right past the ISP’s address and see your rig’s identifying number devised upon it’s construction at the factory.

I would like to see a citation for that.

The only thing a VPN is good for is when the wi-fi you use restricts your content choices and you can use the VPN as a "proxy" server to get around it.

It can offer some additional protection for public wifi, and also conceals your activity from your ISP. The only connection they see is to the VPN.

elperico (profile) says:

Re: Re: Re:

Re-Reply from elperico back to nasch (Aug 1 2020)
You are correct that these are not actual IP addresses in the conventional sense and my apologies for the improper wording that I used. I was trying to make very clear the inevitability of everyone’s Internet visibility. Being that longer blogs tend to bore the audience, I cut it somewhat short, so now, since you are calling me out, here is the long version.

  • "To identify each individual machine we use something called a Machine ID. The Machine ID is unique to each computer and is built off of the MAC address of the machine. A MAC address is a unique identifier assigned to network interfaces.".
    If you run the "ipconfig /all" command on the cmd line, you will see this individual identifier labeled as, "Physical Address" and it shows where you are, as well as the locations of all of the adapters in your "tunnel" network.
  • Also there is the UUID identifying number.
    From the cmd line, run this syntax:
    wmic csproduct get name,identifyingnumber,uuid
    Then, there simply are the factory serial number, the Windows product key, the serial number of the hard drive, the ISP address, and the IP address.
    It would be foolhardy to presume that NSA or any formidable and serious tracker could not easily extract all of this information from any user they choose, and the idea that a VPN is a barrier to them is faulty reasoning. The NSA installation in southern UT consists of a 100,000 sq. ft. super computer and I sincerely urge you to believe that a VPN is not an inhibitor to them. If it came down to it, they have the power to demand any and all records and information that the VPN owners have amassed, to the point of a full lockdown and possession of their facility.
    The trust you have in VPNs is not based on logical reasoning. I will not pursue this any further. Do your own research and stop believing things told to you by people that are trying to sell you something.
nasch (profile) says:

Re: Re: Re: Re:

Regarding MAC address, first it may not even leave your network (based on what I’m reading, I’m not a network engineer). Second, I’m skeptical that someone seeing the MAC address can find anything about you, such as where you bought your computer. It’s just an identifier, and as far as I know there is no database that for example a TechDirt admin could look in to find my MAC address and see what computer I’m on and where and when it was purchased. What you can do is match up different requests and see that they came from the same network adapter (which is what a MAC address is tied to).

https://superuser.com/questions/187421/what-is-a-mac-address-and-what-does-it-reveal-about-me

Regarding UUID and those other identifiers, yes they exist, but are they transmitted in an HTTP request?

No, a VPN will not protect you from a determined adversary with essentially unlimited resources such as the NSA. It is not likely anything will. This does not imply that it provides no protection from anyone. It is possible you are employing the perfect solution fallacy: since this solution will not completely solve the problem, therefore it is useless.

The trust you have in VPNs is not based on logical reasoning.

It is based on what a well designed VPN is capable of. Perhaps you have just not understood my position. This is the trust I have in VPNs: "It can offer some additional protection for public wifi, and also conceals your activity from your ISP." So far you have not convinced me that is not true.

I will not pursue this any further.

Well that’s unfortunate.

Do your own research and stop believing things told to you by people that are trying to sell you something.

And here I thought we were having a nice conversation.

PaulT (profile) says:

Re: Re: Re:2 Re:

"Regarding MAC address, first it may not even leave your network (based on what I’m reading, I’m not a network engineer)"

It depends. The MAC can be contained in IP packets during handshake, but the MAC can be spoofed or just relate to the nearest requesting switch/router rather than the originating device or router.

"Second, I’m skeptical that someone seeing the MAC address can find anything about you, such as where you bought your computer"

It won’t, or at least not with any reliability. The MAC address (assuming again it’s not been spoofed) should state the network card’s manufacturer and may even give you a clue as to when it was made, but AFAIK there’s no reliable database to tell you the next steps – i.e. you can find out who made the card but that wouldn’t necessarily translate into a particular device manufacturer unless the device maker also makes the card (as would be the case with Apple). But, then, nobody outside the manufacturer would usually have information to say what model of device the card was used in, the date sold, the person sold to, whether the device has been resold since the first sale and so on.

Basically, a very determined person could find out all of this information if you’re not spoofing your MAC address (which, again, is a trivial thing to do with built-in OS features). But, most people won’t do this level of work, and if you’re not using a free VPN the VPN host likely already has more details about you than such data would provide anyway. If you take the most basic precautions against more likely threats, this sort of thing is not something you need to be overly concerned about.

"And here I thought we were having a nice conversation."

No, he’s annoyed that people did their own research, and came up with different conclusions.
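The exchange above between nasch and PaulT turns on what a MAC address actually reveals: at most the card vendor (via the IEEE OUI prefix), and nothing at all once the address is spoofed or randomized, which modern operating systems flag by setting the locally-administered bit. The script below is an added example, not code from either commenter or from Techdirt. It decodes a MAC into its OUI and the universal/local and unicast/multicast bits, looks the OUI up in a constructed three-entry stand-in for the IEEE registry, and groups constructed DHCP-style lease lines by adapter, which is the only correlation an on-LAN observer can actually draw.

```python
"""Decode what a MAC address does and does not tell an observer.

Added example, not code from the Techdirt commenters. OUI_SAMPLE is a
constructed stand-in for the IEEE OUI registry, and SAMPLE_LEASES are
constructed DHCP-style log lines, both made up for this demonstration."""

import re
from typing import Dict, List, Optional

# Constructed stand-in for the IEEE OUI registry: first three octets -> vendor.
OUI_SAMPLE: Dict[str, str] = {
    "001122": "Example Corp NIC Division",  # constructed vendor
    "A4B5C6": "Example Handset Co.",        # constructed vendor
    "F0DEF1": "Example Networks Inc.",      # constructed vendor
}


def normalize_mac(mac: str) -> str:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 forms;
    return twelve upper-case hex digits or raise ValueError."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return hexdigits.upper()


def describe_mac(mac: str, registry: Dict[str, str] = OUI_SAMPLE) -> Dict[str, object]:
    """Report the OUI, the U/L and I/G bits of the first octet, and the vendor
    if (and only if) the address is a universally administered one."""
    h = normalize_mac(mac)
    first_octet = int(h[:2], 16)
    locally_administered = bool(first_octet & 0x02)  # bit 1: set by spoofing/randomization
    multicast = bool(first_octet & 0x01)             # bit 0: group address, never a client
    oui = h[:6]
    vendor: Optional[str] = None if locally_administered else registry.get(oui)
    if locally_administered:
        note = "locally administered: randomized or spoofed, OUI carries no vendor meaning"
    elif vendor is None:
        note = "universally administered but OUI not in registry sample"
    else:
        note = "vendor of the network card only; says nothing about the device's owner"
    return {
        "mac": h,
        "oui": oui,
        "locally_administered": locally_administered,
        "multicast": multicast,
        "vendor": vendor,
        "note": note,
    }


# Constructed DHCP-style lease lines as seen on the local segment. Nothing past
# the first router carries these addresses, so this is the observer's whole view.
SAMPLE_LEASES: List[str] = [
    "lease 192.168.1.20 hw 00:11:22:33:44:55 host laptop",
    "lease 192.168.1.21 hw 02:11:22:33:44:55 host guest",     # U/L bit set: randomized
    "lease 192.168.1.22 hw a4-b5-c6-77-88-99 host phone",
    "lease 192.168.1.23 hw 00:11:22:33:44:55 host laptop",    # same adapter, new lease
]


def adapters_seen(lines: List[str]) -> Dict[str, List[str]]:
    """Group lease lines by normalized MAC: the one link an on-LAN observer can make
    is 'these requests came from the same adapter', and only while it is not randomized."""
    seen: Dict[str, List[str]] = {}
    for line in lines:
        match = re.search(r"\bhw\s+([0-9A-Fa-f:.\-]{12,17})\b", line)
        if not match:
            continue
        ip = line.split()[1]
        seen.setdefault(normalize_mac(match.group(1)), []).append(ip)
    return seen


if __name__ == "__main__":
    for mac in ("00:11:22:33:44:55", "02-11-22-33-44-55", "01:00:5E:00:00:FB"):
        print(describe_mac(mac))
    print(adapters_seen(SAMPLE_LEASES))
```

The two tests of the first octet are the whole story: a set U/L bit means the address was assigned by software, so an OUI lookup on it is meaningless, and a set I/G bit means a group address that no client originates. A real deployment would load the IEEE registry file instead of `OUI_SAMPLE`, but the conclusion does not change: the best case is a card vendor, not a person.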

PaulT (profile) says:

Re: Re: Re: Re:

"The Machine ID is unique to each computer and is built off of the MAC address of the machine."

…and is trivial to fake (spoof), so if you’re depending on reliable information from that you will have nothing.

"Also there is the UUID identifying number."

Also spoofable, although it takes a bit more effort than MAC spoofing. Plus, your comments seem very Windows specific.

"The trust you have in VPNs is not based on logical reasoning"

As is your trust that basic features on Windows give accurate information.

elperico (profile) says:

These forums are about bringing enlightenment, encouragement and support to those who seek it. You have had nothing to say outside of trying to pick-apart everything that I have said. Do you have anything to say, or not? Criticism and attempts at finding fault do not count as pertinent comments. Perhaps you should read the lead article upon which this thread is based so that you will get the idea and if you look, you will see positive similarities in my comments. I have said nothing critical, challenging, or negative. Point: Stick with the thread’s content, its theme, and add your own experience and knowledge to that. However, when you do, come equipped enough to offer something more than speculation and questions.

nasch (profile) says:

Re: Re:

These forums are about bringing enlightenment, encouragement and support to those who seek it… Criticism and attempts at finding fault do not count as pertinent comments.

You don’t actually get to decide what this forum is for, or what "counts" as pertinent (except in your own mind). If you can’t handle criticism, I suggest you refrain from making public comments on the internet. And if you think anything I’ve said even qualifies as criticism or finding fault, you really should think about growing a thicker skin because you’re going to see a lot worse than that if you venture somewhere less polite than Techdirt.

Perhaps you should read the lead article upon which this thread is based so that you will get the idea and if you look, you will see positive similarities in my comments.

One of the leaks apparently contained "Device and OS characteristics". That sounds to me like make and model of device and maybe network interface, type and version of OS.

Of the other leak: "However, we found multiple instances of internet activity logs on their shared server. This was in addition to the PII data, which included email addresses, clear text passwords, IP addresses, home addresses, phone models, device ID, and other technical details." Not clear what is meant by device ID but that could be the UUID you were referring to. No sign specifically of what could be done with that ID. Obviously "other technical details" could be anything.

However, when you do, come equipped enough to offer something more than speculation and questions.

Again, you don’t get to decide how I use this forum. If I want to offer speculation and questions, I will do exactly that.

PaulT (profile) says:

Re: Re: Re:

"That sounds to me like make and model of device and maybe network interface, type and version of OS."

Maybe, but it’s just as likely to just be the information provided by your browser in the handshake request, which would usually include browser and OS version and other details such as language settings.

"Not clear what is meant by device ID"

Given that the rest of the list seems to focus a little more on the mobile side, I’m guessing IMEI, although this might be a catch-all for IMEI (used by mobile devices), UUID (used by Windows) and any other identifiers.

You’re basically guessing as to the source and extent of the rest, but it seems to be like information that would normally be provided by the users when signing up, rather than anything gained illicitly.

PaulT (profile) says:

Re: Re:

"These forums are about bringing enlightenment, encouragement and support to those who seek it."

You appear to be lost. You seem to have just described some kind of pseudo-religious or spiritual forum. Go there if you want what you just asked for.

This is a tech-focussed forum, where people discuss the possible impact and effect of current affairs. Unlike your wooly safe space, if someone is stating things that are factually incorrect, they will be corrected. Believe what you want, but if it’s not supported by facts, prepare to be debated and educated.

"I have said nothing critical, challenging, or negative."

You have, however, stated things that are factually wrong or incomplete, and extrapolated that misinformation out to questionable conclusions. Then, you rejected the corrections.

elperico (profile) says:

Re: Re: Re:

PaulT, 2 Aug 2020 11:09pm
For the record, Mr. know-it-all, the theme of this thread is the inherent danger that lies within the false sense of VPN safety that most people put their trust in. I read your replies and found that you are arguing about things that I said, things that Nasch said, and issues that Nasch chose to extract from the lead article, all in the same reply. I know that you cannot prove the remarks in my replies to be false in any way and I am satisfied with that. You and this Nasch guy are only here to argue and you personally have a real ego problem. Your (above) paragraph is a whole lot of non-specific ignorance and irritation that no one could learn anything from. What is your point, if there is one? Are you trying to fully deny the lead article’s viability and are you saying that VPN companies are straight forward and honest, that they aren’t ever logging or that they diligently protect our information? And, FYI, all I ever see, everywhere I look, are "questionable conclusions" drummed-up by a horde of late-nite busybodies with little or nothing to say. Do you see yourself as different from that crowd? Stick to the points in the lead article and reply to those. My points are that anyone is foolish to believe that the NSA has any trouble at all following us around on a computer, and, if you bought it with a credit card and used your given name to register it, then using a VPN is even more silly and useless. Everyone can see who you are, they merely see you in a different place. Try to be more productive with your comments.

nasch (profile) says:

Re: Re: Re: Re:

Stick to the points in the lead article and reply to those.

For at least the third time, people can reply however they choose. This of course includes you continuing to direct people how they should reply if you so choose…

My points are that anyone is foolish to believe that the NSA has any trouble at all following us around on a computer

I don’t think anyone is arguing about that, but a targeted attack by the likes of the NSA is not particularly likely. If you are someone they are interested in, you’d be better served by just not communicating on a computer at all. If you are not, then they’ll sweep up your communications with everyone else’s but they’re not going to go to any special effort to snoop on you specifically. And in that case, a good VPN can certainly provide additional security against lesser foes.

if you bought it with a credit card and used your given name to register it, then using a VPN is even more silly and useless. Everyone can see who you are

Everyone, or nation state level attackers? Are you claiming that as I send this comment through a VPN, that Techdirt could look up the credit card used to buy my computer (assuming for the sake of argument that it was my credit card) and see who I am? If so, you have not provided any evidence for that claim.

PaulT (profile) says:

Re: Re: Re: Re:

"the theme of this thread"

…was about VPNs until you started injecting crap about "enlightenment" and factually incorrect statements into it, at which point I felt compelled to address those instead.

"I know that you cannot prove the remarks in my replies to be false"

I certainly can, although what it is you’re actually trying to say is confusing. You seem to believe that MAC addresses and UUIDs are infallible forms of identifying devices, which is demonstrably false. Specify which fact you’re falsely trying to claim as true and I’ll happily disprove it for you.

"late-nite busybodies"

Time zones exist. I can assure you it’s day time when I post here, I usually have better things to do in the evening.

"Stick to the points in the lead article and reply to those"

No, since the thread was dead until you reappeared, I’ll stick to replying to the tangents you create. Please continue.
