Darknet Diaries, VPN security lies

  • Listened to the latest Darknet Diaries show (Ep 36). Nice pen testing talk, basic stuff. But that's how access is escalated as soon as there's any access at all. - Not going into details, but that's exactly why 2FA is so important, why everything important in email must be separately encrypted, and why social engineering works so well with clueless people. - All the attack vectors in the talk were very familiar. Nothing new, yet an interesting and nicely told story. 2FA is also called 2-Step Verification (2SV) or Multi-Factor Authentication (MFA).
  • I've written so much about the lies Virtual Private Network (VPN) providers tell about the security they provide. It seems that someone else has also noticed the same annoying lies: Very Precarious Narrative (VPN). Some claims in the article aren't exactly true. Even if you pay with a credit card, it doesn't mean the provider knows which payment is linked to which account. The payment could be tokenized and the data destroyed as soon as the transaction has passed verification. So sure, they know that these users have paid for the service, but they don't necessarily maintain information about which payment is linked to which account. Of course there are some methods for narrowing the data set down, like payment date etc. But if privacy is preferred, even that could be randomized to a suitable level. It seems that many people don't get that if some data was available at some point, it doesn't mean the data is kept forever. All this also came up when there was a discussion about election security. Even the device count can be implemented in a way that retains minimal information, for example a login session / account list which is deleted immediately when the session expires. But I agree that nobody knows how long they're storing this data. And this is exactly why I recommended running a private VPN with a specific user pool, configured so that no data is stored anywhere other than in RAM. In that case, the only thing an investigation would reveal is that the user was (probably) one of the known users of the service. Nobody says there couldn't be unknown users, like providing a free anonymous service to generate cover traffic and throw off a potential investigation. In some sense, it would make sense to leak some credentials so that there's plausible deniability. Or just run a Tor exit node on the same server. We provided an open proxy without logs, and we really have no clue whatsoever who was using the service.
The party you're looking for could be someone from the administration, someone from the known user pool, or anyone else with access to the Internet. Keep looking. But I'm glad that the post says no logs / anonymity is in most cases a pure lie and something which is very hard to confirm. It's also great that they mention the great importance of identity separation. Yup, that's an obvious fail. - Well, there's no reason to expect that companies would follow laws. In some of the final comments they cover legislation. Doing illegal things is fine as long as you don't get caught. What if what the ISP or VPN provider is doing is illegal? Some illegality could also be caused by a simple configuration 'mistake', intentional or not. It's so easy to collect excess data illegally, or vice versa, to fail to collect data which is required by law to be collected. Or to collect way more than is supposed to, encrypt it and only reveal the information when necessary. It's all just a few settings and procedures, as mentioned. - Generally network traffic is protected by telecommunications security law. There are certain things you should log and certain things you shouldn't. But from a technical perspective, those are really minor details. Just as well you could store all network packets and publish them on a public web server; trivial, if desired. - Finally, the article updates also mentioned Tor. - It's an interesting claim that ISPs don't have an incentive to deliver privacy. Well, the communications authorities will shut an ISP down quite quickly if it leaks any private information and uses it in a way that makes it public. There's also very strict privacy legislation about communication data, and a major ISP / telecommunications operator can hardly do the stuff I mentioned earlier, claim it was just a simple mistake by a single user, or claim that they weren't aware of any such legislation and regulations.
Sure, ISPs do store log data, but it's only available to authorized entities like the police and other authorities in case of an ongoing investigation. It's a great question whether big commercial VPN providers can evade logging legislation. It's likely that they can't. Usually services which annoy authorities and break laws aren't going to work in the long term, especially if the services are large. It's also nothing new that even in the case where they would provide real security, their systems get hacked and the security is illegally weakened. For most VPN providers it's extremely unlikely that the security is any good anyway. It's also worth mentioning that many people think a VPN is required for changing jurisdiction or IP address. Well, a network tunneling protocol is what you need; you don't necessarily need a VPN service with encryption. Depending on devices, performance, network speed and ciphers, generic tunneling is a much, much faster and lighter option for achieving the same goal as a VPN. Or do you really need military grade security (yeah lol!) to hide your Netflix watching? What you're watching? Really? Maybe you're watching some politically sensitive TV shows?
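The RAM-only logging setup recommended above is something you can verify on the host rather than take on faith. This is an added example, not code from the original post: it parses /proc/mounts-style lines and a journald.conf (both constructed samples here) and lists the log locations that are backed by a persistent filesystem, so a "nothing outside RAM" claim can be checked against the actual mount table.

```python
"""Audit which log locations on a host can survive a reboot.

Inputs are /proc/mounts-style text and a systemd journald.conf;
the samples below are constructed for the example.
"""
from configparser import ConfigParser

RAM_FS = {"tmpfs", "ramfs"}  # filesystems that live only in memory


def parse_mounts(text):
    """Return {mountpoint: fstype} from /proc/mounts-style lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            table[fields[1]] = fields[2]
    return table


def backing_fs(mounts, path):
    """Filesystem type of the longest mountpoint that covers path ('/' must exist)."""
    covering = [m for m in mounts
                if path == m or path.startswith(m.rstrip("/") + "/")]
    return mounts[max(covering, key=len)]


def journal_storage(conf_text):
    """Storage= value from journald.conf; 'auto' is systemd's documented default."""
    cp = ConfigParser()
    cp.read_string(conf_text)
    return cp.get("Journal", "Storage", fallback="auto").lower()


def audit(mounts_text, conf_text, log_paths):
    """Return the log locations that are written to persistent storage."""
    mounts = parse_mounts(mounts_text)
    persistent = [p for p in log_paths if backing_fs(mounts, p) not in RAM_FS]
    # journald writes under /var/log/journal unless Storage is volatile or none
    if (journal_storage(conf_text) not in ("volatile", "none")
            and backing_fs(mounts, "/var/log/journal") not in RAM_FS):
        persistent.append("systemd-journal (/var/log/journal)")
    return persistent


# Constructed samples: a host with /var/log on tmpfs, and one with /var/log on disk.
MOUNTS_RAM = "/dev/sda1 / ext4 rw,relatime 0 0\ntmpfs /var/log tmpfs rw,nosuid,nodev 0 0\n"
MOUNTS_DISK = "/dev/sda1 / ext4 rw,relatime 0 0\n"
CONF_DEFAULT = "[Journal]\n#Storage=auto\n"
CONF_VOLATILE = "[Journal]\nStorage=volatile\n"
LOG_PATHS = ["/var/log/openvpn.log", "/var/log/auth.log"]

if __name__ == "__main__":
    print("RAM host leaks :", audit(MOUNTS_RAM, CONF_DEFAULT, LOG_PATHS))
    print("Disk host leaks:", audit(MOUNTS_DISK, CONF_VOLATILE, LOG_PATHS))
```

An empty result only says the checked paths and the journal are in memory; application-specific log files elsewhere still need to be added to the path list.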

2020-06-14