←back to thread

Who Owns, Operates, and Develops Your VPN Matters

(www.opentech.fund)
201 points sdsantos | 9 comments | 03 Sep 25 16:51 UTC | HN request time: 0s | source | bottom
Show context
fujigawa ◴[03 Sep 25 17:28 UTC] No.45118394[source]
Commercial VPNs will go down as one of the greatest money-making schemes of the last decade. Outside of a few specific use cases their sales often rely on leveraging non-technical users' fear of what they don't fully understand.

I have non-technical friends and relatives that have fully bought into this and when I asked why they use a VPN I got non-specific answers like "you need it for security", "to prevent identity theft", or my personal favorite: "to protect my bank accounts".

Not a single person has said "I pay to route my traffic through an unknown intermediary to obscure its origin" or "I installed new root certificates to increase my security."

replies(16): >>45118443 #>>45118486 #>>45118558 #>>45118644 #>>45118672 #>>45118693 #>>45119064 #>>45119252 #>>45119261 #>>45119717 #>>45119817 #>>45119936 #>>45120136 #>>45120782 #>>45124630 #>>45126517 #
some-guy ◴[03 Sep 25 17:38 UTC] No.45118486[source]
Mine is simple: avoid my ISP complaining about torrents.
replies(4): >>45118552 #>>45118646 #>>45118933 #>>45118941 #
IlikeKitties ◴[03 Sep 25 17:44 UTC] No.45118552[source]
And shitposting here in germany has become slightly more dangerous. If you use a vpn to call your local politician an idiot, you are much less likely to get into legal trouble.
replies(1): >>45118744 #
1. NoMoreNicksLeft ◴[03 Sep 25 18:03 UTC] No.45118744[source]
Here in the United States, I don't know that I could trust the vpn to protect me from that. I remember an incident from a few years ago, some idiot at Harvard emailed in a bomb threat to get out of finals. They arrested him only a few hours later. It's possible he misused the vpn, but I suspect that they merely contacted the vpn provider, got a shortlist of people going through that endpoint, and eliminated all of them not in Boston. Didn't require any Stuxnet-type fuckery or super-secret technology. Be careful and good luck.
replies(4): >>45118802 #>>45118824 #>>45119351 #>>45122944 #
2. jofla_net ◴[03 Sep 25 18:10 UTC] No.45118802[source]
I remember that, Schneier talked about it on his blog.

It was actually tor (the threat came from tor), and harvard 'found' him by constantly logging what connections were going to known tor entries from on campus. As it turns out he was one or possibly the only one using tor that morning from harvard.

Bruce outlines it that he certainly could have stayed tight-lipped (all evidence was circumstantial) but, nevertheless confessed as soon as they approached him.

replies(1): >>45119104 #
3. ◴[03 Sep 25 18:12 UTC] No.45118824[source]
4. sodality2 ◴[03 Sep 25 18:42 UTC] No.45119104[source]
Network traffic analysis/DPI strikes again. I wonder how many people think that their VPN usage obscures their identity, when the flow of traffic at certain times gives X% probability that this person visited the site based on the timing/size/speed/length of each TCP stream, increasing in confidence every repeated visit. Hell, how often will someone download a file of exactly 7060378032 bytes? It may not be damning evidence, but it'll surely put you under suspicion; sometimes that's all it takes.

I'm looking forward to when VPNs always throw up chaff traffic.

replies(2): >>45119385 #>>45120107 #
5. IlikeKitties ◴[03 Sep 25 19:04 UTC] No.45119351[source]
Yeah, it's not gonna help you for that but for low level "crime" (and those "" do some heavy lifting) where the police basically asks providers for logs once and than give up you are fine with any of the more "trustworthy" (and those "" do some heavy lifting) vpn providers.

Correlation attacks are a bitch and i'm sure i'm on a shortlist already but calling a politician an idiot with a burner account made using a vpn should be fine.

6. IlikeKitties ◴[03 Sep 25 19:07 UTC] No.45119385{3}[source]
> I'm looking forward to when VPNs always throw up chaff traffic.

Mullvads DAITA (Defense Against AI-guided Traffic Analysis) is going into that direction[0] and Mullvad is one of the better providers. Tor also has some protections against this afaik and the upcoming nym vpn is also doing some traffic obfuscation [1]. But as the saying goes: Correlation Attacks are a bitch.

[0] https://mullvad.net/de/vpn/daita [1] https://nym.com/

replies(1): >>45124935 #
7. heavyset_go ◴[03 Sep 25 20:34 UTC] No.45120107{3}[source]
It's not even that complicated, the list of Tor entry nodes is public, all they had to do is look in their logs for connections to those IP addresses coming from their network.
8. ◴[04 Sep 25 02:46 UTC] No.45122944[source]
9. crossroadsguy ◴[04 Sep 25 08:20 UTC] No.45124935{4}[source]
> https://nym.com/

The first line on the landing page says:

"The world’s most private VPN 80% off today!"

Very intresting.