• @[email protected]
    link
    fedilink
    English
    1479 months ago

    All I know is that if you’re very worried about being surveilled by governments, the Fediverse is the absolute last place you should want to be.

    This is one of the most transparent platforms we have come up with yet. Instead of all your data only being viewable by a host company, it’s viewable and able to be analyzed by basically anyone who puts some effort in. This makes it economically worthless, can’t really sell something that everyone can already just get for themselves.

    We’re all out in the open here. So, wave to all the national security agencies everyone. Hiiiii! Hope you’re all enjoying the memes!

    • Ephera
      link
      fedilink
      89 months ago

      Most of the big social networks are owned by US companies. Those are forced to disclose user data to the US intelligence agencies, by the PATRIOT act and CLOUD act. And those will share it with the 14 Eyes.

      So, you are right about Lemmy, but it’s not true that data on traditional social media is only viewable by the host company.

      • ddh
        link
        fedilink
        English
        29 months ago

        Let’s not forget that classic corporate social media companies generally have way more information on their users as well.

  • @[email protected]
    link
    fedilink
    97
    edit-2
    9 months ago

    Nah, most governments can just buy that data from the most of the VPNs if they need to - no need for secrecy.

    If you think nord VPN is protecting you from government surveillance I have a bridge to sell you - it’s really affordable.

  • @[email protected]
    link
    fedilink
    849 months ago

    I fear false privacy because a corporation runs it. I’ve never been afraid of a government but I worry about corporate shittery all the time.

      • @[email protected]
        link
        fedilink
        99 months ago

        I use a VPN to stop work camps I stay at from knowing what porn I watch, to stop media companies from sending me copyright infringement notifications, and to stop public wifis from having as much info on me.

        Its all about threat model. If you’re concerned with government actors then you need to be more secure than just a VPN.

        My countries intelligence agency is not working with media companies like that. The cops and courts would eventually enforce some order against me if it ever went to court but more likely is my ISP just ditches me as a customer if I get too many strikes.

          • @[email protected]
            link
            fedilink
            4
            edit-2
            9 months ago

            Well there are only three isps here and yes I understand what you are saying but. It never gets as far as government force it doesn’t have too. The ISP will drop me.

            Also the ISP is the media company lots of the time, and its only a crime that will go to court and win if I made money distributing copyrighted material.

            I don’t want my ISP to know much about what I’m doing either. They aren’t trustworthy, they often get caught illegally shaping traffic and such too.

              • @[email protected]
                link
                fedilink
                39 months ago

                Don’t condescend to me. I understand the link between government and capital and am not an american.

                What are you even proposing anyways? I am against government oppression and copyright law in general. All private property is theft from the commons. But in the meantime I will use a VPN because I trust Mullvad in Sweden more than I trust my own ISPs.

                If I was committing crimes that were more serious then I would not use a VPN I would use a more robust security model.

                My ISP is not powerless without government. They have massive power, they control 1/3rd of all cellular and internet communications. And like I said also control large amounts of satellite TV and cable broadcasting.

  • Jajcus
    link
    fedilink
    619 months ago

    Slightly off-topic rant:

    I hate how the ‘VPN’ term has been took over by companies selling services using VPN technology.

    VPN was initially ‘Virtual Private Network’ – used to securely connect own (as belonging to an organization or person) devices over a public network. Like securely connecting bank branches. Or allowing employee connect to a company network. And VPN are still used that way. They are secure and provide the privacy needed.

    Now when people say ‘VPN’ they often mean a service where they use VPN software (initially designed for the use case mentioned above) to connect to the public interned via some third-party. This is not a ‘private network’ any more. It just changes who you need to trust with you network activity. And changes how others may see you (breaking other trust).

    When you cannot trust your ISP and your local authorities those ‘VPNs’ can be useful. But I have more trust to my ISP I have a contract with and my country legal system than in some exotic company in some tax haven or other country that our consumer protections or GDPR obligations won’t reach.

    Back to the topic:
    I do not believe that all VPN services are owned/funded by governments, but some may be. I don’t have much reason to trust them, they are doing it for money and not necessarily only the money their customers pay them. In fact I trust my government more that some random very foreign company.

    • @[email protected]
      link
      fedilink
      259 months ago

      I cringe when I see people touting VPN services as somehow better than HTTPS.

      Sure VPN helps you re-source your IP address but that doesn’t do anything to help the security of online banking.

      • @[email protected]
        link
        fedilink
        119 months ago

        You know MITM an https website is child’s play, right? If you’re inputting your password on a network you don’t trust you’re doomed. SSL certificates are worthless because they can be easily forged by anyone pretending to be the site as long as they’re between you and the actual site, which they need to be to MITM.

        VPN and HTTPS solve different issues, and are better when used together. Most of the time you don’t need a VPN because you trust your home network and ISP, but if you’re using a public access point https does not replace a VPN.

        • @[email protected]
          link
          fedilink
          279 months ago

          Tell me more about SSL certificate forgery. As far as I know, for a device to trust it, it needs to be signed by a trusted CA. You’d either need to compromise a CA and create your own certificate for the website or make the target device trust a custom CA. In the case of a custom CA, the user explicitly needs to perform an action to trust it. How is this not enough on a public network?

          • @[email protected]
            link
            fedilink
            6
            edit-2
            9 months ago

            There are cases of malicious/incompetent CAs issuing certificates to parties who don’t own the domains. DigiNotar was the most famous one, and recently there was a Chinese CA (I forgot the name) booted from the list as well. Once they’re detected (browsers report SSL certs they see back to mothership for audit) they would be removed from trusted lists though, so chance that they’re only used for high value targets and can’t be used that often.

          • @[email protected]
            link
            fedilink
            1
            edit-2
            9 months ago

            There are several ways, most common is to MITM the address to redirect to a different but similar one, which is unlikely to get noticed since you know you typed the address correctly or you clicked from a trusted link/favourite, then that wrong address has it’s own valid SSL certificate. Another way is to use self-signed certificates, which browsers would warn people about, but apps are not likely to. Also you can MITM the CA themselves, whole you wouldn’t be able to actually pass by them you can do an exhaustion attack and essentially block all certificate exchanges, yes your site won’t have a valid certificate, but neither will any real site, so most people will just ignore the message the browser is showing them because it’s showing it for every site.

            None of these methods would fool an attentive educated person, but they might fool someone in a rush. Also even if the attack doesn’t succeed in stealing information it 100% succeeds in blocking access, while I might not be as concerned about blocking my Facebook, blocking my bank might prevent me from doing important stuff, and worse people who need to get into their bank are likely to just wave security warnings out of the way without reading them, especially if they’ve been getting them for everything else and nothing had a problem.

            Edit: I also forgot to mention the other ways, there are leaks from CAs constantly, which allow you to either impersonate them or sign other certificates. Sure these get patched rather quickly once found, but after you have the signed certificate from them it’s game over. Also what I was referring in the other post is self-signed certificates, most browsers show a warning about them nowadays, but again you can win by exhaustion.

            • @[email protected]
              link
              fedilink
              59 months ago

              You went from “MITM TLS is child’s play” to “there are some ways we can social engineer our way around it if the stars align just right” in like one post. You’re clearly not qualified here, stop with the FUD bullshit.

    • @[email protected]
      link
      fedilink
      169 months ago

      Yes, I trust my ISP more than my VPN, but I trust my VPN more than I trust the random wi-fi in the shopping mall. Using a VPN in your house for internet access is pointless, unless you’re purposefully trying to keep your ISP out of the loop for legal reasons, e.g. Torrent, but MITM a VPN is much harder to do than an open wi-fi.

    • @[email protected]
      link
      fedilink
      139 months ago

      I hate how the ‘VPN’ term has been took over by companies selling services using VPN technology.

      Agreed. What they’re really selling is a proxy service, I don’t know why that term isn’t used. The fact that VPN software is used to establish that proxy isn’t relevant, the end result is a proxy.

      • @[email protected]
        link
        fedilink
        59 months ago

        How is the term “proxy” more appropriate though? It’s also the technical name for a concept that already exists. VPNs are by definition broader in scope than proxies, they work at a lower level of the networking stack and have different capabilities even if most people don’t take full advantage of it. Anyway the point is that it’s not a more appropriate term.

        • @[email protected]
          link
          fedilink
          19 months ago

          AFAIK the only thing VPN providers let you do, like SurfShark, ExpressVPN, NordVPN, ProtonVPN etc., is to route all of your outgoing traffic through their servers. They don’t allow you e.g. to be in the the same fake LAN as a friend, which is what a VPN does.

          Quote from Wikipedia:

          A proxy server that passes unmodified requests and responses is usually called a gateway or sometimes a tunneling proxy.

          That’s pretty much what those commercial “VPN” providers offer.

          • @[email protected]
            link
            fedilink
            39 months ago

            They don’t allow you e.g. to be in the the same fake LAN as a friend, which is what a VPN does.

            That’s not what a VPN does, that’s what a VPN can do, if desired. What a VPN does is set up an encrypted tunnel between you and some remote network. That’s it. How that remote network is laid out, how the traffic (and also what kind of traffic) is routed into/through/out of that network, and what the clients are allowed to do within are entirely up to the wishes of the network’s owner. It might very well choose to isolate you from all the other clients on the network; that’s not just a possibility, it’s actually one of VPN’s most important, most useful features.

            That’s pretty much what those commercial “VPN” providers offer.

            Those commercial VPN providers offer you a fully encrypted tunnel that you can route all your network traffic through if you wish. It’s just that people don’t generally use it as anything more than just a proxy. Still, the connection is a textbook VPN connection, it’s there, and it’s capable of things a regular proxy is not, if you choose to make use of them.

    • @[email protected]
      link
      fedilink
      139 months ago

      Lucky you to be able to trust your ISP. Mine injects ads whenever they can, even hijack DNS and redirect invalid/blocked domains to a page full of ads.

      • @[email protected]
        link
        fedilink
        19 months ago

        In correct law, that’d be copyright-violation committed by your ISP:

        IF the website you hit didn’t authorize your ISP to create a derivative-work,

        THEN your ISP adulterating it should be considered commercial-copyright-violation, and stomped by the copyright-lobby.


        Notice how this has been going-on for decades, and the copyright-lobby … ignores it, to stomp-on individuals only…

        Interesting evidence of “rule of ‘law’”, isn’t it?

    • @[email protected]
      link
      fedilink
      English
      139 months ago

      What exactly do you mean by “scammers and thieves”? The only protection you get from a VPN is privacy from your ISP. That ISP obviously operates in your country (there has to be some physical connection) and is regulated by your government. It’s easy for the government to demand data from the ISP about you (or about certain usage patterns and which users have them) without you knowing, not to mention how easy it is for the ISP itself to monetize your usage data.

      A scammer or thief can’t as easily grab hold of that data. If you’re imagining a hacker gaining access to the ISP’s database or network, that’s certainly plausible but it’s just as possible with a VPN provider. I personally don’t think the big commercial VPNs are much more secure than ISPs. Maybe a little.

      • @[email protected]
        link
        fedilink
        English
        19 months ago

        Its mostly protection when using public WiFi against spoofed website. Actually, not just public WiFi, it’s protection when using any WiFi from routers whose owner never changed the default password or using really weak ones.

        • @[email protected]B
          link
          fedilink
          38
          edit-2
          9 months ago

          Nope, that’s literally what onion routing is about in case you aren’t being facetious. It’s in the whitepaper and in the code. It’s also in the Snowden leaks.

          Edit: Lemmy doesn’t allow direct image posting anymore?

          1

          1

          Of course that was a long time ago, and hidden services may be much more easily compromised now. And they’ll always have their precious 0days. Don’t traffick kids, terrorism, or ounces of pure fentanyl and tor will work just fine for you.

          • @[email protected]
            link
            fedilink
            179 months ago

            and hidden services may be much more easily compromised now

            In the end it’s still just a site on a server, if it’s poorly configured or not secured well it’s as vulnerable as any other on the clear net. Once they’re able to work out where it is it becomes a honey pot shortly afterward.

            • @[email protected]B
              link
              fedilink
              99 months ago

              Yes, but with the amount of darknet markets and CSAM hidden services that have been taken down within a relatively short span of time compared to the last decade of tor’s more widespread history, it seems they may have a new vulnerability (or perhaps just a new covert post-snowden-acceptance surveillance court ruling) that allows them to identify hidden services real IP addresses. It’s speculation, but they wouldn’t use it bluntly or everyone would know there was a vulnerability and thousands more eyes would be on the tor code (or awareness of nation-state level traffic omniscience in the case of something as simple as a timing attack). A CSAM hidden service has been run by the federal governments of a few countries, so there’s no question of ethics or law in that case.

              • @[email protected]
                link
                fedilink
                119 months ago

                The “users” are probably the weak point. Badly configured setups leaking info, aggregation using that info to fingerprint a user, etc. When they have a user account with access they can use it to keep collecting data and digging. I imagine it’s a slow process. Nothing networked can be 100% secure though.

  • Luna
    link
    fedilink
    English
    359 months ago

    No, but VPNs are a false illusion of privacy. When you use a VPN, you’re really just shifting your trust from your ISP to the VPN company. And governments can just force both to give them the data they have about you

    • @[email protected]
      link
      fedilink
      99 months ago

      I agree, and of course it’s a matter of trust. I am trusting what the VPN says when they say…they’re physically incapable of storing logs. NordVPN & I think a couple others both claim their services literally don’t store any logs of any kind.

      So the feds could come around & demand info, but they shouldn’t have anything.

      It is safe to assume that somebody, somewhere, somehow could be watching you or have the capacity to monitor your web activity. If they gave a shit, if they cared enough to hone in on you. ¯\(°_o)/¯

    • @[email protected]
      link
      fedilink
      79 months ago

      It’s not that simple though. VPN providers in most cases have been externally audited not to store any logs of user activity, meaning they couldn’t comply with government requests of this nature. Generally, their entire legitimacy as companies depends on trust, meaning they have much stronger incentives to actually keep user data private than an ISP does. Of course I agree that using a VPN is no privacy silver bullet, but it’s not like they have zero privacy benefits either.

    • @[email protected]
      link
      fedilink
      49 months ago

      That’s why you do your research and use a VPN domiciled in a country that won’t budge to requests coming from your country.

  • @[email protected]
    link
    fedilink
    26
    edit-2
    9 months ago

    Generally speaking, governments aren’t that good at keeping secrets at scale. Government-run VPNs would require a lot of people doing coordinated work; data center employees, ISPs, people passing themselves off as independent auditors, legal teams, marketing teams, and more. The more people you add, the less likely it is to be kept a secret. And all of this across multiple VPN companies (because there’s no guarantee that the person you want to surveil is using the one you own) and internationally (many VPNs are based in or have major operations in multiple countries).

    Now, is it possible that the NSA has an undisclosed financial stake in one or more VPNs and has secretly inserted a backdoor? Sure, anything is possible. But is that more likely than them just buying up Ring doorbell footage or doing large data analysis on social media activity? Or installing rootkits on your smartphone firmware? Or just good old fashioned LoJack?

    If they have reason to investigate you, they’re going to probably get everything anyway. No reason to make it easy for them by not using a VPN.

    • @[email protected]
      link
      fedilink
      English
      79 months ago

      The more people you add, the less likely it is to be kept a secret.

      This is also one of the most convincing arguments about most conspiracy theories. Most would require so many people to never talk that the secret would be about as secret as North Korea’s fake grocery stores

    • @[email protected]
      link
      fedilink
      49 months ago

      That’s not how these things work - Intelligence agencies use cover companies very differently. They simply provide a few people money to create a company. These people set up a VPN company - and run it like it’s legitimate.

      Marketing or legal won’t know that their company is actually a listening post, most Datacenter employees won’t know, only very few people(mostly network engineers and IT security, some managers)would know. And of course the Auditors - which is not a hassle for any decent intelligence agency.

      It’s far easier than one would think - how do we know that? Because it would be the same way other intelligence service companies are run like that for decades.

      • @[email protected]
        link
        fedilink
        49 months ago

        Oh what a novel idea

        Now, is it possible that the NSA has an undisclosed financial stake in one or more VPNs and has secretly inserted a backdoor? Sure, anything is possible. But is that more likely than […]

  • @[email protected]
    link
    fedilink
    249 months ago

    Sure, it what’s your threat model?

    Even assuming a VPN is a government surveillance device …

    • It protects me from surveillance by my ISP. This is the big one
    • It protects me from other corporate and scammer surveillance
    • It protects me from law enforcement abuse/overreach - however my data was obtained would not meet evidentiary standards
      • @[email protected]
        link
        fedilink
        19 months ago

        Besides that things can also simply be used to blackmail people - that can start very low level.

        “Now Mr. Smith, you looked at gay porn on Saturday? Well, we don’t judge,but your wife sure would. Maybe you could tell us some gossip from Defence corp? Oh now that you did that - did you know that this is treason? We don’t judge, but a judge would. Maybe plant that device in your boss’s office?”

      • @[email protected]
        link
        fedilink
        19 months ago

        Besides that things can also simply be used to blackmail people - that can start very low level.

        “Now Mr. Smith, you looked at gay porn on Saturday? Well, we don’t judge,but your wife sure would. Maybe you could tell us some gossip from Defence corp? Oh now that you did that - did you know that this is treason? We don’t judge, but a judge would. Maybe plant that device in your boss’s office?”

      • @[email protected]
        link
        fedilink
        19 months ago

        Besides that things can also simply be used to blackmail people - that can start very low level.

        “Now Mr. Smith, you looked at gay porn on Saturday? Well, we don’t judge,but your wife sure would. Maybe you could tell us some gossip from Defence corp? Oh now that you did that - did you know that this is treason? We don’t judge, but a judge would. Maybe plant that device in your boss’s office?”

  • THE MASTERMIND
    link
    fedilink
    229 months ago

    Yes i guess most of them could be but i don’t think proton is because they are open source and comes under swiss law just to be safe use tor.

      • @[email protected]
        link
        fedilink
        7
        edit-2
        9 months ago

        People will upvote anything to the point that communities have no identity. Unless you think lemmy is somehow different than reddit and won’t share the same fate?

        Also it’s weird behavior to read through someone’s comment history

        • @[email protected]
          link
          fedilink
          English
          169 months ago

          it’s weird behavior to read through someone’s comment history

          No it isn’t. It’s the best way to get an idea about the person you’re talking to. If their post history is nothing but obvious trolling, no reason to engage. If they never argue in good faith, don’t argue with them. Etc.

          • @[email protected]
            link
            fedilink
            29 months ago

            You must have gone pretty far into my history to make that claim about me and just ignored all my other comments which are mostly positive/jokes lol

        • @[email protected]
          link
          fedilink
          129 months ago

          It’s not weird when they are saying weird things and you want to find out about their motives.

          • @[email protected]
            link
            fedilink
            3
            edit-2
            9 months ago

            Reading someone’s comment history when they didn’t say anything “weird” and then cherry picking a couple in a sea of others to make a claim about someone’s character is definitely weird. It’s not like my last 10 comments were the same

            Not to mention that most of the time I’ve made comments like this, the post in question gets removed

  • @[email protected]
    link
    fedilink
    189 months ago

    For commercial offerings this is probably true for at least some of them, but creating your own VPN isn’t terribly difficult if you are serious about your privacy. I typically just use them when I travel to countries like China where I can’t get to a bunch of necessary services, so I don’t mind if they route my YouTube traffic through CIA headquarters, but if I was doing anything more than that I would just set up my own.

    • @[email protected]B
      link
      fedilink
      229 months ago

      Part of the point of a VPN is there’s not a dedicated IP tied to you (or at least tying all of your activity together). That doesn’t provide any benefit besides a corporate/government firewall bypass unless a mass of people are using your server.

    • @[email protected]
      link
      fedilink
      179 months ago

      But then you don’t get the benefit of having increased privacy due to lots of people using the same IP.

      • @[email protected]B
        link
        fedilink
        13
        edit-2
        9 months ago

        I almost never trust any site that advertises any kind of VPN service (it’s always ranked by the best paying referrals) but this mirrors what I’ve seen in discussions.

        From https://www.cloudwards.net/best-vpn-services-for-china/

        Preferred VPN Choice: The general consensus among VPN users in China is that Astrill VPN is the most reliable option. However, it’s an incredibly expensive VPN, so it’s worth trying other cheaper options first. Surfshark is our top choice for best VPN for China as it has a solid reputation for working in the country while also offering affordable plans.

        Alternative VPN Options: Other good options for China include CyberGhost, Proton VPN, Widscribe and Mullvad. NordVPN is also an option, but it’s not as reliable in China as the other six, so we only recommend it if you already have an account.

        Censorship Evasion Strategy: Since VPNs are in a running battle with censorship, we recommend subscribing to multiple VPNs to ensure you have coverage at all times. No matter which VPNs you use, make sure you download them before going to China, as the download pages are often blocked.

      • @[email protected]
        link
        fedilink
        1
        edit-2
        9 months ago

        Less and less vpn and vps companies provide services for mainland citizen. The main reason I heard of is when their server got blocked by the great firewall, those customers would immediately perform chargeback to get their money back even though it’s not the fault of the providers. You lose money on chargeback fees which means accepting mainland customers is very risky for them.

        • Suspiciousbrowsing
          link
          fedilink
          19 months ago

          If that’s the case, that’s understandable. It’s always going to be a game of cat and mouse, so Id expect it’s quite an expensive market to break in to.

      • @[email protected]B
        link
        fedilink
        149 months ago

        There are a ton of obfuscating protocols that a VPN can run. obfs is one of the most popular. You can configure your VPN to appear as basically any traffic. HTTPS, DNS, QUIK.

  • @xePBMg9
    link
    English
    18
    edit-2
    9 months ago

    VPNs provides limited privacy and some security. For example, your traffic might be correlated to the traffic exiting at you VPN provider if enough netflow data is collected. Theoretically data from your ISP and your VPNs ISP would be enough. Today, countries and their agencies are probably collecting/trading enough netflow data for this purpose.

    As a rule of thumb; since companies these days are very keen on getting in to the data trading market; you can safely assume that most of them has access, if it is legal.

  • Justas🇱🇹
    link
    fedilink
    169 months ago

    VPN companies actually use user created genuine traffic to hide bots and web crawlers and scrapers. That’s part of why their VPN’s are that cheap, they use your traffic to hide more expensive to buy bot traffic.

    • @[email protected]
      link
      fedilink
      49 months ago

      Yup.

      You know it’s good because nowhere in the internet believes you’re not a bot.

      Which means all the bad actors use em.

      I like how you can pay in cash. And how you’re account info basically is a wink and a nod.

      • @[email protected]
        link
        fedilink
        49 months ago

        Besides that the claimed “Swiss privacy” is non existent - the Swiss NDB (their intelligence service) has far more rights than most other European agencies - especially against foreigners and still Swiss intelligence History is riddled with scandals - from a system of spy-filed on their own citizens in the 80ies that was on the level of the GDRs Stasi to a recent scandal (January24) that showed that basically all traffic in and out of Switzerland and most within Switzerland is monitored and that the NDB has used its enormous rights very extensively.

        Additionally there is a second NSA like agency as well-so while I like Proton as a product I wouldn’t give a shit on their privacy claims.

      • @[email protected]
        link
        fedilink
        19 months ago

        Their support is terrible. Used it when I moved to China, after a few weeks it stopped working, their support ghosted me on three contact attempts. Never once got a reply or refund. Just silence.

        • @[email protected]
          link
          fedilink
          29 months ago

          I’ve recently read a comment saying the great Chinese firewall somehow “learns” that you are using a VPN. So people doing quick tests “yep VPN works” but then a little later it doesn’t work anymore. No clue if that is true though.

          • @[email protected]
            link
            fedilink
            39 months ago

            Sort of, they are blocking protocols based on the client-server-handshake. Protocols such as OpenVPN, IKSv2 or WireGuard which have a fixed handshake signature are preemptively blocked. They work occasionally if you are connecting to a previously unknown server, it takes maybe 10-30 min until the signature is identified and the connection killed.

            Other VPN providers are using proprietary (home-made) protocols or at least modified ones that are harder to catch. Again others will use obfuscation to hide the actual handshake in some additional overlay traffic. Paired with UDP, where the server doesn’t send an acknowledgment flag back (as is the case with TCP) gives them some extra reach.

            So far the only VPN that has consistently worked though is Astrill, I’ve switched there from Proton after about 4 months in the country and am using it in the 5th year now.

          • @[email protected]
            link
            fedilink
            39 months ago

            Money. China was my 9th country, I’m a career project manager. Been going all over the world to where interesting projects and of course decent budgets are. Spent 19+ years abroad so far, wouldn’t give up that lifestyle.