Did you ever think that maybe all VPN services are actually secretly owned/funded by governments and that they are only giving you a false illusion of privacy?

suspicious_eye@lemmy.world to No Stupid Questions@lemmy.world – 201 points –
95

All I know is that if you're very worried about being surveilled by governments, the Fediverse is the absolute last place you should want to be.

This is one of the most transparent platforms we have come up with yet. Instead of all your data only being viewable by a host company, it's viewable and able to be analyzed by basically anyone who puts some effort in. This makes it economically worthless, can't really sell something that everyone can already just get for themselves.

We're all out in the open here. So, wave to all the national security agencies everyone. Hiiiii! Hope you're all enjoying the memes!

Most of the big social networks are owned by US companies. Those are forced to disclose user data to the US intelligence agencies, by the PATRIOT Act and CLOUD Act. And those will share it with the 14 Eyes.

So, you are right about Lemmy, but it's not true that data on traditional social media is only viewable by the host company.

Nah, most governments can just buy that data from most of the VPNs if they need to - no need for secrecy.

If you think NordVPN is protecting you from government surveillance I have a bridge to sell you - it's really affordable.

No one is dumb enough to get scammed buying a bridge, but word is convective real estate is going to be the next hot investment. The buyers who get in early are going to pocket the most cash. Now's the time.

Fuck that sounds exciting. Could I timeshare that shit?

I fear false privacy because a corporation runs it. I've never been afraid of a government but I worry about corporate shittery all the time.


Slightly off-topic rant:

I hate how the 'VPN' term has been taken over by companies selling services using VPN technology.

VPN was initially 'Virtual Private Network' – used to securely connect one's own (as belonging to an organization or person) devices over a public network. Like securely connecting bank branches. Or allowing an employee to connect to a company network. And VPNs are still used that way. They are secure and provide the privacy needed.

Now when people say 'VPN' they often mean a service where they use VPN software (initially designed for the use case mentioned above) to connect to the public internet via some third-party. This is not a 'private network' any more. It just changes who you need to trust with your network activity. And changes how others may see you (breaking other trust).

When you cannot trust your ISP and your local authorities those 'VPNs' can be useful. But I have more trust in my ISP I have a contract with and my country's legal system than in some exotic company in some tax haven or other country that our consumer protections or GDPR obligations won't reach.

Back to the topic:
I do not believe that all VPN services are owned/funded by governments, but some may be. I don't have much reason to trust them, they are doing it for money and not necessarily only the money their customers pay them. In fact I trust my government more than some random very foreign company.

I cringe when I see people touting VPN services as somehow better than HTTPS.

Sure VPN helps you re-source your IP address but that doesn’t do anything to help the security of online banking.

You know MITM an https website is child's play, right? If you're inputting your password on a network you don't trust you're doomed. SSL certificates are worthless because they can be easily forged by anyone pretending to be the site as long as they're between you and the actual site, which they need to be to MITM.

VPN and HTTPS solve different issues, and are better when used together. Most of the time you don't need a VPN because you trust your home network and ISP, but if you're using a public access point https does not replace a VPN.

Tell me more about SSL certificate forgery. As far as I know, for a device to trust it, it needs to be signed by a trusted CA. You'd either need to compromise a CA and create your own certificate for the website or make the target device trust a custom CA. In the case of a custom CA, the user explicitly needs to perform an action to trust it. How is this not enough on a public network?

There are cases of malicious/incompetent CAs issuing certificates to parties who don't own the domains. DigiNotar was the most famous one, and recently there was a Chinese CA (I forgot the name) booted from the list as well. Once they're detected (browsers report SSL certs they see back to mothership for audit) they would be removed from trusted lists though, so chances are that they're only used for high value targets and can't be used that often.

There are several ways, most common is to MITM the address to redirect to a different but similar one, which is unlikely to get noticed since you know you typed the address correctly or you clicked from a trusted link/favourite, then that wrong address has its own valid SSL certificate. Another way is to use self-signed certificates, which browsers would warn people about, but apps are not likely to. Also you can MITM the CA themselves, while you wouldn't be able to actually pass by them you can do an exhaustion attack and essentially block all certificate exchanges, yes your site won't have a valid certificate, but neither will any real site, so most people will just ignore the message the browser is showing them because it's showing it for every site.

None of these methods would fool an attentive educated person, but they might fool someone in a rush. Also even if the attack doesn't succeed in stealing information it 100% succeeds in blocking access, while I might not be as concerned about blocking my Facebook, blocking my bank might prevent me from doing important stuff, and worse people who need to get into their bank are likely to just wave security warnings out of the way without reading them, especially if they've been getting them for everything else and nothing had a problem.

Edit: I also forgot to mention the other ways, there are leaks from CAs constantly, which allow you to either impersonate them or sign other certificates. Sure these get patched rather quickly once found, but after you have the signed certificate from them it's game over. Also what I was referring to in the other post is self-signed certificates, most browsers show a warning about them nowadays, but again you can win by exhaustion.

Yes, I trust my ISP more than my VPN, but I trust my VPN more than I trust the random wi-fi in the shopping mall. Using a VPN in your house for internet access is pointless, unless you're purposefully trying to keep your ISP out of the loop for legal reasons, e.g. Torrent, but MITM a VPN is much harder to do than an open wi-fi.

Lucky you to be able to trust your ISP. Mine injects ads whenever they can, even hijacks DNS and redirects invalid/blocked domains to a page full of ads.

In correct law, that'd be copyright-violation committed by your ISP:

IF the website you hit didn't authorize your ISP to create a derivative-work,

THEN your ISP adulterating it should be considered commercial-copyright-violation, and stomped by the copyright-lobby.


Notice how this has been going-on for decades, and the copyright-lobby .. ignores it, to stomp-on individuals only..

Interesting evidence of "rule of 'law'", isn't it?

I hate how the ‘VPN’ term has been taken over by companies selling services using VPN technology.

Agreed. What they're really selling is a proxy service, I don't know why that term isn't used. The fact that VPN software is used to establish that proxy isn't relevant, the end result is a proxy.

How is the term "proxy" more appropriate though? It's also the technical name for a concept that already exists. VPNs are by definition broader in scope than proxies, they work at a lower level of the networking stack and have different capabilities even if most people don't take full advantage of it. Anyway the point is that it's not a more appropriate term.

AFAIK the only thing VPN providers let you do, like SurfShark, ExpressVPN, NordVPN, ProtonVPN etc., is to route all of your outgoing traffic through their servers. They don't allow you e.g. to be in the same fake LAN as a friend, which is what a VPN does.

Quote from Wikipedia:

A proxy server that passes unmodified requests and responses is usually called a gateway or sometimes a tunneling proxy.

That's pretty much what those commercial "VPN" providers offer.

They don’t allow you e.g. to be in the same fake LAN as a friend, which is what a VPN does.

That's not what a VPN does, that's what a VPN can do, if desired. What a VPN does is set up an encrypted tunnel between you and some remote network. That's it. How that remote network is laid out, how the traffic (and also what kind of traffic) is routed into/through/out of that network, and what the clients are allowed to do within are entirely up to the wishes of the network's owner. It might very well choose to isolate you from all the other clients on the network; that's not just a possibility, it's actually one of VPN's most important, most useful features.

That’s pretty much what those commercial “VPN” providers offer.

Those commercial VPN providers offer you a fully encrypted tunnel that you can route all your network traffic through if you wish. It's just that people don't generally use it as anything more than just a proxy. Still, the connection is a textbook VPN connection, it's there, and it's capable of things a regular proxy is not, if you choose to make use of them.

Fun fact, TOR was created by the US navy.

As a way for spies to communicate anonymously and securely.

That's what they want you to think 😉

Nope, that's literally what onion routing is about in case you aren't being facetious. It's in the whitepaper and in the code. It's also in the Snowden leaks.

Edit: Lemmy doesn't allow direct image posting anymore?


Of course that was a long time ago, and hidden services may be much more easily compromised now. And they'll always have their precious 0days. Don't traffick kids, terrorism, or ounces of pure fentanyl and tor will work just fine for you.

and hidden services may be much more easily compromised now

In the end it's still just a site on a server, if it's poorly configured or not secured well it's as vulnerable as any other on the clear net. Once they're able to work out where it is it becomes a honey pot shortly afterward.

Yes, but with the amount of darknet markets and CSAM hidden services that have been taken down within a relatively short span of time compared to the last decade of tor's more widespread history, it seems they may have a new vulnerability (or perhaps just a new covert post-snowden-acceptance surveillance court ruling) that allows them to identify hidden services real IP addresses. It's speculation, but they wouldn't use it bluntly or everyone would know there was a vulnerability and thousands more eyes would be on the tor code (or awareness of nation-state level traffic omniscience in the case of something as simple as a timing attack). A CSAM hidden service has been run by the federal governments of a few countries, so there's no question of ethics or law in that case.

The "users" are probably the weak point. Badly configured setups leaking info, aggregation using that info to fingerprint a user, etc. When they have a user account with access they can use it to keep collecting data and digging. I imagine it's a slow process. Nothing networked can be 100% secure though.

Edit: I'm not sure why I stayed up typing this. Maybe someone will read this comment and learn something.

I am speaking more specifically about hidden service server compromise, happening via court order if possible once the IP address is obtained through technical (not opsec issue, but perhaps parallel reconstruction) means.

Just in the last year (mostly the last 2-4 months).. after tor DoS was 'more fixed' with PoW mind you.. teams of government agencies have seized the following hidden services and/or taken down the teams behind them: LockBit, Hive, Blackcat/ALPHV, Ragnar, Genesis Market, xDedic, Kingdom Market, Piilopuoti, Qakbot, Skynet Market, ChipMixer, and the list goes on. I didn't even mention all the CSAM and drug related seizures. Those are only ransomware, fraud and drug markets.

But yes /.env, /.well-known, /server-status, not verifying server ssh hash with password login in an amnesiac operating system, not running an amnesiac operating system and having multiple ssh keys (remember that GitLab fiasco)... All OPSEC mistakes an intermediate operator c(w)ould make.

I agree 80% of it is user error and plain and simple OPSEC mistakes. SANS teaches a course on darknet OSINT and there are plenty of FOSS OSINT projects.

But tor is not foolproof even with perfect OPSEC and state actors are constantly finding ways to weaken or break it. An adversary with global passive network capabilities can and will defeat tor anonymity, as the Tor Project admits itself.

Recently, there was almost a full year-long denial of service attack against tor and i2p, and it was likely a state actor identifying tor users and hidden services. Force enough connection resets, knock good guard nodes offline, and soon enough you know who's who and where they're connecting to with a little traffic shaping. Thankfully there is work being done to identify bad actors (PDF warning) but it IS being done.

There is much ongoing work to unmask tor users and hidden services...

https://security.stackexchange.com/questions/271828/impact-of-deep-learning-based-flow-correlation-on-tor

https://www.semanticscholar.org/paper/TIGER%3A-Tor-Traffic-Generator-for-Realistic-Lopes-Castro/f3239ef7cb3d332b96b39bad879fa7b81bbda215

https://link.springer.com/chapter/10.1007/978-981-99-7356-9_22

https://wurzel.io/Deanon-Murmur

https://dl.acm.org/doi/epdf/10.1145/3618257.3624997

Of course there is work being done to enhance tor at the same time.

https://blog.torproject.org/introducing-proof-of-work-defense-for-onion-services/

https://restoreprivacy.com/torkameleon-strengthening-tor-against-deanonymization-attacks/


Why is “governments” the boogeyman that comes to mind? Scammers and thieves would have much more interest in your everyday consumer internet usage.

Haha, nice try governments

What exactly do you mean by "scammers and thieves"? The only protection you get from a VPN is privacy from your ISP. That ISP obviously operates in your country (there has to be some physical connection) and is regulated by your government. It's easy for the government to demand data from the ISP about you (or about certain usage patterns and which users have them) without you knowing, not to mention how easy it is for the ISP itself to monetize your usage data.

A scammer or thief can't as easily grab hold of that data. If you're imagining a hacker gaining access to the ISP's database or network, that's certainly plausible but it's just as possible with a VPN provider. I personally don't think the big commercial VPNs are much more secure than ISPs. Maybe a little.

It's mostly protection when using public WiFi against spoofed websites. Actually, not just public WiFi, it's protection when using any WiFi from routers whose owner never changed the default password or is using a really weak one.

Did you even read the OP? A VPN that has real customers but is set up by a scammer can be doing anything on your computer. You install their client. It could be a key logger for all you know.

And not all services use end to end encryption so yes there is still the potential to listen to http traffic and extract data from it, especially as the VPN client.

Yes, I guess most of them could be, but I don't think Proton is, because they are open source and come under Swiss law. Just to be safe, use Tor.

Wasn't Proton forced to log and hand over an activist's data, after a Swiss court order? I feel I read something to that effect a year or two back.

For commercial offerings this is probably true for at least some of them, but creating your own VPN isn't terribly difficult if you are serious about your privacy. I typically just use them when I travel to countries like China where I can't get to a bunch of necessary services, so I don't mind if they route my YouTube traffic through CIA headquarters, but if I was doing anything more than that I would just set up my own.

Part of the point of a VPN is there's not a dedicated IP tied to you (or at least tying all of your activity together). That doesn't provide any benefit besides a corporate/government firewall bypass unless a mass of people are using your server.

But then you don’t get the benefit of having increased privacy due to lots of people using the same IP.

Linka? Long shot, but message me if it's you.

Which VPN have you found to work in China? Nord used to but doesn't any more.

I almost never trust any site that advertises any kind of VPN service (it's always ranked by the best paying referrals) but this mirrors what I've seen in discussions.

From https://www.cloudwards.net/best-vpn-services-for-china/

Preferred VPN Choice: The general consensus among VPN users in China is that Astrill VPN is the most reliable option. However, it’s an incredibly expensive VPN, so it’s worth trying other cheaper options first. Surfshark is our top choice for best VPN for China as it has a solid reputation for working in the country while also offering affordable plans.

Alternative VPN Options: Other good options for China include CyberGhost, Proton VPN, Windscribe and Mullvad. NordVPN is also an option, but it’s not as reliable in China as the other six, so we only recommend it if you already have an account.

Censorship Evasion Strategy: Since VPNs are in a running battle with censorship, we recommend subscribing to multiple VPNs to ensure you have coverage at all times. No matter which VPNs you use, make sure you download them before going to China, as the download pages are often blocked.

Astrill is the only consistent one and I have to server hop at times.

No problem, just use a VPN to connect to it from another country! Wait.....

Fewer and fewer VPN and VPS companies provide services for mainland citizens. The main reason I heard of is when their server got blocked by the great firewall, those customers would immediately perform chargeback to get their money back even though it's not the fault of the providers. You lose money on chargeback fees which means accepting mainland customers is very risky for them.

If that's the case, that's understandable. It's always going to be a game of cat and mouse, so I'd expect it's quite an expensive market to break into.

What homespun protocols are you using from China? The regular ones like OpenVPN get blocked yeah.

There are a ton of obfuscating protocols that a VPN can run. obfs is one of the most popular. You can configure your VPN to appear as basically any traffic. HTTPS, DNS, QUIC.

Generally speaking, governments aren't that good at keeping secrets at scale. Government-run VPNs would require a lot of people doing coordinated work; data center employees, ISPs, people passing themselves off as independent auditors, legal teams, marketing teams, and more. The more people you add, the less likely it is to be kept a secret. And all of this across multiple VPN companies (because there's no guarantee that the person you want to surveil is using the one you own) and internationally (many VPNs are based in or have major operations in multiple countries).

Now, is it possible that the NSA has an undisclosed financial stake in one or more VPNs and has secretly inserted a backdoor? Sure, anything is possible. But is that more likely than them just buying up Ring doorbell footage or doing large data analysis on social media activity? Or installing rootkits on your smartphone firmware? Or just good old fashioned LoJack?

If they have reason to investigate you, they're going to probably get everything anyway. No reason to make it easy for them by not using a VPN.

The more people you add, the less likely it is to be kept a secret.

This is also one of the most convincing arguments about most conspiracy theories. Most would require so many people to never talk that the secret would be about as secret as North Korea's fake grocery stores.

Sure, what’s your threat model?

Even assuming a VPN is a government surveillance device:

  • It protects me from surveillance by my ISP. This is the big one
  • It protects me from other corporate and scammer surveillance
  • It protects me from law enforcement abuse/overreach - however my data was obtained would not meet evidentiary standards

I believe Proton VPN is no log. I hope they make their servers RAM only like Mullvad eventually though, it would be a great improvement.

Is Mullvad good? Are they no log?

Mullvad is the most private a VPN company can get. They literally accept cash by mail.

Mullvad has been RAM only for a few months by now, no log since forever and regularly contributes to privacy related topics.

The thing is: you can't trust a company when they say they are no log or RAM only. But you can trust what info you give them. Mullvad only has my IPs. No info about who I am otherwise. I send them 30€ twice a year and that's it.

BUT: they don't allow port forwarding anymore, if you need that, so they are not perfect.

Very. They're probably the best out there. Fully anonymous payments, no log, RAM disk servers, audited, I believe they're open source. I think some downsides they have that I've heard of are no port forwarding and they don't have too many servers. However, they're still very good nonetheless.

VPN companies actually use user created genuine traffic to hide bots and web crawlers and scrapers. That's part of why their VPNs are that cheap, they use your traffic to hide more expensive to buy bot traffic.

Not the ones with numbered accounts that accept crypto...

Nothing says legit like taking anonymous money.

This but unironically. Accepts monero and cash? Worth a look.

Anonymous money that famously advertised its ability to be tracked, no less.

Yeah but would they show their hand by coming down heavy on the average pirate or petty law breaker? If they did have ways to track all VPN traffic they wouldn't want us to know about it.

This is the prime schizo theory about TOR, but realistically they would need to own every exit node to get you.

I have a pet theory that the CIA has oscillated between both protecting TOR and trying to compromise it depending on the leadership at the moment, because it's a genuinely useful tool for their needs but also at the same time it undermines some of their goals if people they wouldn't want using it start using it.

No, not really. Governments generally aren't that competent that it would be viable as a solution. Especially since there are legitimate uses for VPNs that aren't related to VPN providers, such as the ones that businesses use for people travelling, or working from home.

Although I could see the ones that do tracking putting a slightly higher priority on VPN traffic, just because it stands out more, where non-VPN traffic might be more likely to blend into the noise, since it matches more with how regular users use it.

This isn't a community for speculation or conspiracy theories

This isn’t a community for speculation or conspiracy theories

Based on your comment history it seems as if you think you are some kind of community police. You want to go around and tell others what they can post.

The voting system is used for curating content, not you!

This post has 80 upvotes. So, those people have no issue with the post topic.

Read the rules in the sidebar. This post is not violating any of them.

Keep your opinions to yourself or go create your own alternative community.

People will upvote anything to the point that communities have no identity. Unless you think Lemmy is somehow different than Reddit and won't share the same fate?

Also it's weird behavior to read through someone's comment history

it's weird behavior to read through someone's comment history

No it isn't. It's the best way to get an idea about the person you're talking to. If their post history is nothing but obvious trolling, no reason to engage. If they never argue in good faith, don't argue with them. Etc.

You must have gone pretty far into my history to make that claim about me and just ignored all my other comments which are mostly positive/jokes lol

It's not weird when they are saying weird things and you want to find out about their motives.

Reading someone's comment history when they didn't say anything "weird" and then cherry picking a couple in a sea of others to make a claim about someone's character is definitely weird. It's not like my last 10 comments were the same

Not to mention that most of the time I've made comments like this, the post in question gets removed

All corporations are owned and funded by governments. A corporation must be incorporated somewhere by some government. These corporations benefit from services, grants, and special benefits (e.g. limited liability) provided by that government.

However, I don't think governments are using this to do mass surveillance on people with VPNs, if only for the reason that there's not much to be gained by such an action. Most privacy invasion is of the kind people freely allow. Using a VPN doesn't make logging into Google meaningfully more private. The only groups I can think of that would really want to be able to spy on VPN users would be the MPAA, RIAA, etc, and I don't think they have the kind of sway to get governments to do that.

But yeah, if you are doing something a three letter government agency will target you over, a VPN ain't going to cut it.

Incorporation and ownership/funding are very different things. How are they all “owned and funded by governments”?

They are owned by governments in the sense that they exist at the pleasure of the governments they depend wholly upon. Corporations are legal entities; who administers the law? To use a tech analogy, I'm pointing out that though a file has an "owner", which is a user account, the true owner is the operating system itself.

I have to admit I'm surprised this is as controversial a take as it is.