
How many more VPN leaks/hacks are needed to stop people from advertising them?

lambrosgg
29 minutes ago, TehDwonz said:

1&4) It would seem YOU do not know what Tor is. Ever heard of Silk-Road?

Still waiting for you to explain why you think who operates the exit nodes matters in this context. The whole point of Tor is that exit nodes don't know where the request is coming from and previous nodes don't know where it's going.

30 minutes ago, TehDwonz said:

It wasn't a point about trusting the VPN. It's about not trusting that public wifi. But a few of the top VPNs have actual real-world test cases that proved no-logging/tampering, not to mention independent audits verifying the same.

They could nevertheless start logging or tampering with your data at any time.

31 minutes ago, TehDwonz said:

Jurisdiction is what counts most for a VPN.

Logging data wouldn't even be illegal in most countries. They may get sued for false advertising but that's of little concern to them if they got a return on their investment.

33 minutes ago, TehDwonz said:

5) You claimed there was only one good use with a generally dismissive attitude to VPNs - counts as anti-VPN.

Except you implied the CCP had something to do with my anti-VPN arguments despite the fact that I specifically said that evading things like the great firewall is a legitimate use of a VPN.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


On 7/20/2020 at 10:48 PM, Hackentosher said:

At least three.

 

This message brought to you by LTT VPN, the only VPN that doesn't get hacked for the low price of 1 Canuckistan Copek per annum.

The US would conquer Canukistan and bring real money, freedom, and democracy to its people as the founders granted them in the Articles of Confederation. 

We just can't figure out how to pay for their healthcare.  Once we've got that figured out look out! 

To answer the question in the OP: 42 

 

I am only joking a little bit. So long as oppressive governments exist to try and censor the internet there will be a motive to get around it. So in some form or fashion VPNs and/or the darkweb / TOR will exist. It will be like playing whack-a-mole for governments. In fact I would just assume any VPN that is big enough to advertise and be well known is also a target of state level efforts to compromise it. Long before hackers get at them organizations like Nord VPN were likely hacked by the NSA, GCHQ and their Chinese, Russian, and North Korean counterparts (at a minimum).

Even further, just as TOR was originally set up by the US Navy https://www.nrl.navy.mil/itd/chacs/dingledine-tor-second-generation-onion-router I would assume that some of these VPN companies (and cryptocurrencies) were created by, subverted and compromised by, or otherwise are controlled by intelligence agencies. Who would have a stronger reason to want to send secret messages out of or into say China than the CIA or NSA?


8 hours ago, piratemonkey said:

It works, but it's a bit overkill. Most tracking isn't done by an IP address, but by cookies. It's kinda like putting yourself in a freezer if you're hot. You can do it, but it's a lot of hassle and tradeoffs when you could just turn down the temperature. (weird analogy, I know)

Clearly you know nothing about what can be done with an I.p. I can make your internet go bye bye with a few clicks if I have your I.p, I’m not worried about, I’m worried about what attacks I’m going to receive if someone I don’t want to have my I.p has it

AMD blackout rig

 

cpu: ryzen 5 3600 @4.4ghz @1.35v

gpu: rx5700xt 2200mhz

ram: vengeance lpx c15 3200mhz

mobo: gigabyte b550 auros pro 

psu: cooler master mwe 650w

case: masterbox mbx520

fans:Noctua industrial 3000rpm x6

 

 


I guess I will chime in on yet another vpn discussion.

 

Vpns are good for offering encryption for items sent in plaintext which is pretty rare these days. They are good for getting around regional content filtering. They can even be good at making your activity more anonymous (more on this in next paragraph)

 

Now while vpns technically hide the true source it doesn't actually do it completely on its own. You are first off at the mercy of what information said vpn collects and retains. If you have not blocked cookies and ensure you are not collecting new ones then you can and will still be tracked and identified. If you are not using encrypted dns then you still are exposing your usage and traffic to each domain you access (not the specific url though).

 

Now I have seen people mention TOR and have seen people say it is not safe. I would say that while it isn't as fast as other vpns it is more secure in most regards. I have seen mention of MITM attacks, but I don't think people understand how they work. There are scenarios where you can be MITM without knowing or doing anything, but in the vast majority of situations that matter you have to give permission. Anything in plaintext can be seen at various times in the transmission. So something like an unsecure wifi, a span port on a router on the web, etc. Now if you are accessing your bank or a website using https this data is encrypted and not visible.

 

Now when someone attempts to MITM an encrypted connection you normally get a certificate alert or error. Now corporate networks do put their certificates on the image for their machines so this doesn't occur and it effectively allows them to MITM everything even encrypted data. So back on point for an attack on the web to do this you would need to accept their fake cert and basically ignore the warning. If you don't do that then they have no way of getting your private key to decrypt the communication.

 

Now when it comes to a vpn it basically eliminates your plain text communications from being seen on public wifi, but once the data exits the other end of the vpn it is still susceptible to the other risks I mentioned.

 

So when you look at activity most people perform on a daily basis the majority of it is already encrypted so this isn't something that can be easily MITM without the user actively accepting it. So in most cases a vpn is used for anonymity, but unless you are blocking cookies, using a secure dns, and using a service with NO logging this will fall short. Even then vpn ips are known after a little time so some services will restrict access. TOR on the other hand while slower has changing ips and nodes so it is better in that regard, it has the same level if not better in some cases encryption, and it is free. All of these methods need to block cookies and use an encrypted dns though.

 

I won't even get into security of these popular vpns who often times do not properly invest into their cybersecurity teams. They try to operate at bigger profits and cut corners a great deal of the time. Plus anytime you require authentication to log on there will be risk of being exposed.
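
The cookie point made in the post above, shown as an added example that is not part of the original thread: a site that sets an identifier cookie can tie visits made through a VPN back to the address used before the VPN was switched on. The log format, the `uid` cookie name and all addresses are assumptions constructed for illustration (documentation IP ranges).

```python
import re
from collections import defaultdict

# Constructed sample: access log of a hypothetical site that sets a "uid" cookie.
# 203.0.113.7 stands for a user's home address, 198.51.100.20 for a shared VPN
# exit address. Cookie a1f3 is kept when the VPN is switched on; 77c0 is the
# same person after clearing cookies; e9b2 is another customer of the same VPN.
SAMPLE_LOG = """\
203.0.113.7 [2020-07-23T10:00:01Z] "GET /news" uid=a1f3
203.0.113.7 [2020-07-23T10:02:40Z] "GET /forum/vpn-thread" uid=a1f3
198.51.100.20 [2020-07-23T10:15:12Z] "GET /forum/vpn-thread" uid=a1f3
198.51.100.20 [2020-07-23T10:16:03Z] "GET /shop/cart" uid=a1f3
198.51.100.20 [2020-07-23T11:30:00Z] "GET /news" uid=77c0
198.51.100.20 [2020-07-23T11:31:09Z] "GET /shop" uid=e9b2
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)" uid=(?P<uid>\w+)$'
)


def parse_log(text):
    """Return one dict per well-formed log line; malformed lines are dropped."""
    visits = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            visits.append(match.groupdict())
    return visits


def build_profiles(visits):
    """Group visits by cookie, the way a site-side tracker would."""
    profiles = defaultdict(lambda: {"ips": set(), "paths": []})
    for visit in visits:
        profile = profiles[visit["uid"]]
        profile["ips"].add(visit["ip"])
        profile["paths"].append(visit["path"])
    return dict(profiles)


def leaked_origins(profiles, vpn_exits):
    """For each cookie seen from a VPN exit, list the non-VPN addresses
    that the same cookie was also seen from."""
    leaks = {}
    for uid, profile in profiles.items():
        via_vpn = profile["ips"] & vpn_exits
        direct = profile["ips"] - vpn_exits
        if via_vpn and direct:
            leaks[uid] = sorted(direct)
    return leaks


def cookies_per_ip(visits):
    """Map each address to the cookies seen from it (shared exits show many)."""
    seen = defaultdict(set)
    for visit in visits:
        seen[visit["ip"]].add(visit["uid"])
    return dict(seen)


if __name__ == "__main__":
    visits = parse_log(SAMPLE_LOG)
    profiles = build_profiles(visits)
    vpn_exits = {"198.51.100.20"}
    for uid, origins in leaked_origins(profiles, vpn_exits).items():
        print(f"cookie {uid}: VPN visits linked to {origins}, pages {profiles[uid]['paths']}")
    for ip, uids in cookies_per_ip(visits).items():
        print(f"{ip}: {len(uids)} distinct cookie(s)")
```

Once the cookie is cleared (`77c0`), the profile contains only the shared exit address, which is also used by other customers.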


19 hours ago, divito said:

So the OP's main gripe is that they get advertised too much? And some of them have logs when they claim they don't?

 

The blanket assessment of all VPN providers as scams is not only fallacious, it's a bit irritating. That's like deriding all used car dealerships because several of them have been caught doing shady things to make money at the expense of the end user.

Yes, there are VPN providers that have been lax with security, or that have misled the public with how their services operate (no one ever bothers to read the ToS). That doesn't mean every single provider is like that, and unless all of them get hacked to see what they do behind the scenes, that's an impossible statement to make.

The difference with car dealerships is that they are selling an actual product, not a service. I already explained why we should not compare VPNs with other businesses, they sell a promise of privacy, not a physical product. I don't know dealerships giving cars for free, but there ARE free VPNs. So they make their money from selling user data obviously, meaning that any VPN IS ABLE to do that. If the paid VPNs actually decide to NOT do that (because their business model is subscriptions) is up to their word. More money is ALWAYS better for every company out there. I don't think there is a single company (not just VPNs) that would pass on an opportunity to sell user data. User data is the new gold, and when they see that other VPNs who got caught, got away with it with an apology, they will have 1 more reason to do it.

 

It's really funny that all of the arguments supporting VPNs are based on "but they say they are legit". What did you expect them to say? I know that my arguments are also based on "but I say they are scum", but at least I have many examples from the big paid VPNs out there who got caught. At the end of the day, we choose if we trust them, I can't prove you shouldn't. Time will tell who was right and wrong and I want to play a little game here: Every time a VPN gets caught doing shady sht, I will update the post here. My original question and title of the post was basically "how many more vpn scams until they get cancelled". Let's see if/when and with how many.

 


1 hour ago, Letgomyleghoe said:

Clearly you know nothing about what can be done with an I.p. I can make your internet go bye bye with a few clicks if I have your I.p, I’m not worried about, I’m worried about what attacks I’m going to receive if someone I don’t want to have my I.p has it

Clearly I didn't. I have since been enlightened

Either @piratemonkey or quote me when responding to me. I won't see otherwise

Put a reaction on my post if I helped

My privacy guide | Why my name is piratemonkey PSU Tier List Motherboard VRM Tier List

What I say is from experience and the internet, and may not be 100% correct


3 hours ago, lambrosgg said:

The difference with car dealerships is that they are selling an actual product, not a service. I already explained why we should not compare VPNs with other businesses, they sell a promise of privacy, not a physical product.

Okay, so let's look at all those media marketplace investigations that showcase all the car shops or handymen or <insert business here> that offer services and were shown to be scamming customers.

3 hours ago, lambrosgg said:

I don't think there is a single company (not just VPNs) that would pass on an opportunity to sell user data. User data is the new gold, and when they see that other VPNs who got caught, got away with it with an apology, they will have 1 more reason to do it.

So you believe that all brick and mortar retailers are also selling customer data to third parties?

3 hours ago, lambrosgg said:

It's really funny that all of the arguments supporting VPNs are based on "but they say they are legit". What did you expect them to say? I know that my arguments are also based on "but I say they are scum", but at least I have many examples from the big paid VPNs out there who got caught. At the end of the day, we choose if we trust them, I can't prove you shouldn't. Time will tell who was right and wrong and I want to play a little game here: Every time a VPN gets caught doing shady sht, I will update the post here. My original question and title of the post was basically "how many more vpn scams until they get cancelled". Let's see if/when and with how many.

 

I never "supported" VPNs; I just was showcasing your paranoid and illogical arguments for what they were. You keep saying you have examples and stuff about how they got "caught," but you've posted nothing. And attempting to search things that support your argument came up with basically nothing. Most "leaks" are the result of white label VPNs, and are specific to certain locations. Definitely not on the scale to completely write all of them as scams.

Any other VPN "getting caught" was the result of one of the data centers being at fault, or poorly set up software by the data center/VPN, or just stupid human error. This type of breach and leak happens in every industry, and those services aren't scams; technology isn't inherently secure and lambasting VPNs like they're some scourge is again, fallacious and irritating.

The problem, which seems to coincide a little to how you're establishing your crusade, is that the advertisements of some VPNs are not helping, and the education of consumers is not improving in this area. And to that, I agree. There are too many users that think just getting a VPN and connecting to it means they can do whatever they want and they can never be traced. By the very structure of how the internet functions, true anonymity is almost impossible.


Until they don't make enough money to pay people to talk about them.

I could use some help with this!

please, pm me if you would like to contribute to my gpu bios database (includes overclocking bios, stock bios, and upgrades to gpus via modding)

Bios database

My beautiful, but not that powerful, main PC:

prior build:


17 hours ago, divito said:

I never "supported" VPNs; I just was showcasing your paranoid and illogical arguments for what they were. You keep saying you have examples and stuff about how they got "caught," but you've posted nothing. And attempting to search things that support your argument came up with basically nothing. Most "leaks" are the result of white label VPNs, and are specific to certain locations. Definitely not on the scale to completely write all of them as scams.

Bro are you for real or you don't know how to google? I found these in less than 5 minutes.

Nord VPN hacked

Facebook's VPN collecting data

VPNs on playstore with very suspicious (unnecessary) permissions

Seven Hong Kong VPN providers accused of exposing private user data

Tunnelbear acquired by McAfee

PIA got hacked

 

And remember: These are the ones WHO GOT CAUGHT.

 

Watch Marques Brownlee's video from yesterday, which is sponsored by Express VPN. On the talking points for the sponsorship is "your ISP collects data and it's legal to sell that data in the US. But Express VPN doesn't do that!" (dude trust me) "Express VPN's servers run from RAM, so it's impossible to keep data" (yeah, on that machine. Could be sent to another server tho) "We have been audited by PwC" Hmmm. I am thinking, OK this could actually be legit, who are those PwC guys? Are they from the government? Nope. Are they AT LEAST a non-profit organization? Nope. Turns out it's a "multinational professional services network of firms headquartered in London" with 276.000 employees and $42.4 BILLION of revenue in 2019 according to Wikipedia. I can't say I really trust a company with those numbers to fight the good fight and not chase money, but hey, benefit of the doubt. If you go to PWC's own page detailing their auditing services, you can see that none of them is related to tech/networks, just financial and shipping (taxes, fraud etc) so I don't see how a firm doing financial audits is qualified to check if a VPN's server is keeping user data, but anyway...

 

If you go here (it's Express VPN's own blog post about that audit) there is a pdf you can download, with "full details about what was covered by the audit". In the pdf you can see how their servers work, running from RAM by booting a Debian based read only ISO making it impossible to store data. I really want to laugh, but it's serious. Yes, it's impossible to store data on that server, but it could be simply pushing it to another one or the advertisers directly... That whole RAM only argument is ridiculous.

It's also mentioned that "employees were interviewed by PWC". Not legally bound ofc (opening themselves to perjury), just simple interviews. Yeah, I am sure employees would never lie to a private auditing company, without ANY consequences to protect their jobs.

 

Apart from the technical details, NOWHERE in the document the word "PwC" is mentioned (except in the title) NO signatures, NO dates (only in title again) NOTHING. File titles are subject to change fyi, so it doesn't really matter. The whole pdf is just Express VPN detailing "why we are legit" in technical terms for extra marketing points, not the official PwC auditing findings, with dates and signatures, which - btw - are nowhere to be found.

 

And again, this is all a trust debate. You can choose IF you trust a VPN and a million dollar law firm vouching for them. I personally, don't. I would maybe trust a VPN that got audited from a government or a non-profit organization. If all their findings were made public, with dates and signatures of everyone involved. If the interviews of the employees were made public and were legally binding to them. Before you say "they can't make these public, because hackers will know their weaknesses" I am not talking about technical details. Example of question that could be asked to every employee without compromising security: "Does, *VPN* in your knowledge, keep user data in any way or form?". Simple.

 

In Greece we say "bro, I am telling the truth! Ask my friend the liar if you don't believe me". And that's what I THINK these "audits" are. Just a PR stunt, that has no meaning or legal consequences if they get caught. PwC got paid to do the audit, Express VPN basically bought marketing talking points, everyone won. What is really happening, no one knows. PIA also claims to have been audited, so let's see what happens if those "audited" VPNs ever get caught.

 

These are my personal thoughts and what my "gut" is telling me. I can't prove or disprove anything, I don't even have the means to. You can believe a blog post that is not legally binding (no names, signatures, dates) if you like and makes you feel secure. However, I believe that when a company asks me to trust them with my privacy and personal data, they should be legally responsible to their claims, making all those legal documents public and not be able to get away with it with an apology, as it has happened already.


On 7/21/2020 at 8:04 AM, lambrosgg said:

1. That's true, everyone gets hacked. Getting hacked is not the issue, what hackers find is. emails/payment info is ok, browsing data is not.

 

2. Seems everyone is missing my point: Every VPN's marketing is "private browsing" "no logs" "security", convincing people that their browsing is private and not logged, to use them indefinitely (monthly subscriptions) and keeping them active constantly. That's what they are pushing, not use our free trial once for region restrictions. When they get exposed for keeping user browsing data (for advertisement purposes obviously) nothing happens to them! legal action or otherwise (shut down?) They just say oops we are sorry we are not going to do it again and move on (most probably still keeping data). If that's not scam enough for you, what is?

 

3. Every business has the right to be scammy ofc, but youtubers shouldn't be sponsoring something that could even POTENTIALLY be scam, just to be safe and protect their name/integrity.

 

4. I think we are at the point now, with so many VPNs getting caught for keeping user data, that we can safely assume that most of them do.

 

5. PIA even had in their pitch that they are being audited by a "3rd party" to check that they are legit... I mean who was that 3rd party? what are their credentials? Are they even competent enough to discover if they are keeping logs? Was the "inspection" done randomly, or did PIA have a warning to disappear the data before getting audited?

 

6. Does that 3rd party accept bribes? Come on guys...

1. I agree with you on the first half, but how are emails and payment info ok??

 

2. I'm not missing the point, I disagree with your assumption that because a few are bad, they all must be bad and the concept of the tool itself is bad. I do agree that there should be legal action, but this would essentially be a claim of false advertising, which it is the consumer's responsibility to take action against. If no one sues them, they don't get sued. Simple as that unfortunately. I think in the future, digital privacy laws should include a section about false advertisements as it relates to digital privacy services. There is some precedent to this already with fines being placed against companies who have been hacked due to insufficient security practices. Also let's differentiate the words SCAM and SCUM. SCUM would be the companies you are talking about who have lied about or abused their power. They did provide VPN services, but they did a poor job and didn't keep all their promises. That is SCUM. Did they give you a VPN, yes. Was it a good one? No, and they didn't fulfill all their obligations to you as the customer. I can equate this to McDonalds giving me the wrong food when I drive through. They did a bad job, but McDonalds is not a SCAM.

SCAM is intentionally misleading from the start for malicious purposes, intentionally not providing what they claim to provide. They have no intention of providing any of the products or services they claim, and at most give a shell of a product that looks like it functions but either does absolutely nothing or causes harm. These companies are SCUM not SCAMS.

 

3. No business has the right to be scammy, why would they have that right. And if you argue that any company has the right to be scammy but then say no youtuber should be part of a sponsor with any company that could "EVEN POTENTIALLY" be a scam, you're saying no youtuber should ever take sponsors, period. Every company has the potential to be a scam. 

 

4. No we cannot safely assume that. So I did what you said and searched about VPNs keeping user data and found this damning article.

https://thenextweb.com/security/2018/03/27/26-popular-115-vpns-keeping-tabs-saying-theyre-not/

26 out of 115 of the most popular vpns keeping user data. You would be inclined to use that as your argument, but as a percentage, that's about 22%, less than 1/4. If 1/4 restaurants had less than optimal cleaning standards, you wouldn't stop eating at restaurants. You would find out which are good. If 1/4 Computer cases for sale are pieces of junk, you don't stop using a case, you figure out which ones are good. If 1/4 governments have corruption (pretty sure it's close to 100%), you don't stop using governments and resort to anarchy. You improve. Also that list of 26 included some that advertised accurately that they do store data, so the number of false advertisements there is less than 22%. My point is abandoning a concept because some of the people using the concept are using it badly makes no sense. VPNs are still a good concept. They still help millions of people every day. You just need to do your research to find the good ones. Same as you should do with EVERY product or service you give money to.

 

5. By that logic, when they tell us the company and the company is qualified to do this, we should question their qualifications. When they provide evidence that X certifiers provided the qualifications, X Certifiers should be under stringent review. That kind of assumption of guilt never ends and everyone is evil and a scam artist under that umbrella. Considering this is an extra step PIA did not have to take, but did it to assure the customers, we should not be bashing them for answering our concerns. We are curious if they are legit, so they said, "I understand your concern, We'll use our own money and hire a 3rd party to audit ourselves." And you're over here making assumptions, based on what?

 

6. You come on. I can't even bother really responding to this ridiculous unfounded accusation. Refer to 5.

On 7/20/2020 at 11:47 PM, WereCatf said:

The "make even one mistake and I'll immediately abandon you" - mentality is ignorant.

Amen

On 7/21/2020 at 6:26 AM, lambrosgg said:

That's the issue with every VPN, they claim they don't keep user data, but always do. The hacks/leaks just prove it. Being scammy makes you scammy, not getting caught.

Doesn't matter what you are using the VPN for. As long as its active, its logging your data (allegedly) when its supposed not to.

That's the issue with every blanket statement, they claim they know for a fact things that they do not know for a fact and make radical assumptions based on these unknown "facts"

On 7/21/2020 at 6:33 AM, Dravinian said:

I would imagine it is the least valuable thing in a hack outside of very case specific examples.

I mean, who really cares that I come here and go to youtube - which appear to be the two things I do on the internet between work.

Who is going to make money off of that? I think even Google might struggle with that knowledge, what they going to sell me an LTT Store bottle?

Unfortunately, the technology and privacy literacy is abhorrent, so there are a lot of people whose login for LTT is the same Login for their bank and email. That's the danger. If they have basic login info to your bank, there goes your money. If they get your email, they can reset passwords to most if not all of your accounts, probably including your bank for most people

On 7/21/2020 at 9:56 AM, lambrosgg said:

1. I am no "3d party auditor" to be able to prove my suspicions, but I know when something smells like BS and yes, all VPNs smell like BS.

 

2. Everyone is innocent until proven guilty, is not really applicable when customers don't have the means to even attempt to prove them guilty.

 

3. Throw in a pair of those unties and I am sold!

1. So you admit you're not qualified to sniff out the BS, but we should believe you when you say all VPNs smell like BS. Checks out

2. It absolutely is applicable, and customers do have the means, it's called lawsuits and audits. Not saying it's easy, but it's there.

3. Agree with you there

On 7/21/2020 at 10:17 AM, Blue4130 said:

Their only responsibility is to their employees. It may be courteous to vet their sponsors, but you as the consumer bears responsibility for doing your homework. (and I say "you" as a general non-ltt team member term.)

Exactly, the biggest selling point of capitalism is the customers have the ability to drive the market. Customers have a right and a responsibility to use the information they have from reviews and ratings, to common sense, to make educated decisions about their purchases. And the internet makes the information readily available and easy to access to anyone.

 

Insanity is not the absence of sanity, but the willingness to ignore it for a purpose. Chaos is the result of this choice. I relish in both.


2 hours ago, Jtalk4456 said:

Unfortunately, the technology and privacy literacy is abhorrent, so there are a lot of people whose login for LTT is the same Login for their bank and email. That's the danger. If they have basic login info to your bank, there goes your money. If they get your email, they can reset passwords to most if not all of your accounts, probably including your bank for most people

What are you talking about?


My ISP doesn't get my log in details, and nor does the VPN whether they are all the same or not.

 


On 7/23/2020 at 8:19 PM, Jtalk4456 said:

 

 

1. Because you need to keep an email and payment info for subscriptions with recurring charges. You don't need to keep user data (that would interest advertisers).

3. Every business has the right to be scammy, same as every civilian has the right to be a criminal. Of course they HAVE to face the consequences, I didn't say they have the right to get away with it, just the right to choose a path.

4. Thanks for finding that, I imagined that about 5% actually got caught. If you think that 22% is a low number, I laugh. Please remember that it's 22% OF THOSE WHO GOT CAUGHT. 22% guilty doesn't necessarily mean 78% innocent. It means 78% "we don't know"

 

You compare VPNs to other businesses like cars, restaurants etc but privacy is not a "product" or at least it shouldn't be. A VPN lying, should not be liable JUST for "false advertisement" as you suggest. When your privacy is compromised it's PRICELESS, not something you can get your money back for. If I had to compare a VPN to something physical, it would be a safe box in a bank. They rent you that box, with the promise of complete privacy. Only you can access it and see whats inside. Now imagine that in your box you put (without having a choice) your credit card info, your address, your shopping list, your ID, your browsing history and cookies, basically all your personal data online.

2 bad things can happen:
1. The bank gets robbed (equivalent to: VPN gets hacked). The promise of privacy from the bank is broken. Your data is stolen and you don't even know who has them or what they will do with them.

2. The bank owner has a master key to those safe boxes and every day  is copying your shopping list and browsing history and selling them to advertisers. (equivalent to: VPN sells user data) You were promised only you have access, but it was a lie. Not only that, the bank owner is profiting by compromising your privacy.

 

If one of these things happens, would you accept if the bank said "we are sorry, here is whatever you paid us for renting the box"? Of course not and that's why in real life the bank is liable for their contents (if you register that content with them ofc). That's why there are no master keys and they are insured, to be able to pay you back. Your privacy can not be paid back in any way though, because it's priceless. If a bank is held liable for something you can put a price on, a VPN should not be able to get away with an apology, for something priceless.

 

Back to your example with the clean restaurant: Imagine that you are a restaurant owner, spending 1000$ every month to keep your restaurant clean. You notice that 3 other restaurants in the area, pocketed that 1000$ by being dirty and when they got caught by the health inspector, instead of a fine or jail they got a "you need to issue an apology and promise to be clean from now on!" What would you do? Would you still be clean losing that nice 1000$? If yes, congratulations, you have ethics. Most companies don't though.

That's why in real life when a restaurant gets caught being dirty, they pay big fines that are many times the amount they would have spent to be kept clean, so it won't be worth the risk to be dirty.

 

Let's say that a VPN makes 1000$ every month if they keep user data and sell them to advertisers. Would you think they would still do it if there was a law saying "if you get caught, you have to pay 1million $ and go to jail"? I don't think so.

Since VPNs are now becoming popular, it will take many years for laws regulating them to appear. Until then, we need to regulate them ourselves. Consumers should vote with their wallets and those who advertise them with their conscience.

 

Same as I believe that no one in good conscience should be accepting money to recommend a restaurant in a country with 0 laws in hygiene, they should also not be recommending a VPN, in a world with 0 laws keeping them "clean".

 

I think that our whole disagreement sums up to: "a company would F you for money, without second thought". You believe most won't, I believe that most do. None of us have the means to prove the one or the other, maybe time will tell. It's that simple.


On 7/23/2020 at 11:30 AM, lambrosgg said:

Bro are you for real or you don't know how to google? I found these in less than 5 minutes.

My mistake, I was looking for ones that actually supported your arguments and paranoia.
 

On 7/23/2020 at 11:30 AM, lambrosgg said:

A Finnish data center was hacked based on management software they had on their servers. NordVPN doesn't own these servers, and while some data could have been theoretically intercepted during that month, there are no indications that such a thing occurred. 
 

On 7/23/2020 at 11:30 AM, lambrosgg said:

Had to look into this since I hadn't heard about it. Facebook acquired Onavo and used the service as a way to do research into user behavior. From what I can see in other articles, they never promised anything about not keeping logs or tracking user activity. The article you referenced also highlights the downsides to free VPNs and says nothing outside of Facebook being insensitive to privacy.
 

On 7/23/2020 at 11:30 AM, lambrosgg said:
 
 
 

Yes, random VPNs should be avoided (I've heard of none of those VPNs except Hola, and that was for obviously negative reasons). Many downloads != trustworthy. I did not search whether they claimed to not keep logs as is your premise, nor does it mention that these services have been compromised.
 

On 7/23/2020 at 11:30 AM, lambrosgg said:

"Seven" is ridiculously misleading. Based on reports from investigations, it's believed the "seven" providers are all from the same developer and were white-labeled.
 

On 7/23/2020 at 11:30 AM, lambrosgg said:
 
 
 

No idea why you included this; this doesn't showcase anything about a breach or user activity being logged. People got worried about the acquisition because McAfee doesn't have the best reputation, and they'd be under the umbrella of US law/intelligence given it's US-based. 
 

On 7/23/2020 at 11:30 AM, lambrosgg said:

Another one where I'm not sure why this was included. PIA was "hacked" in 2013, but that was their forum, and there was an explanation surrounding why that didn't matter to their VPN users. 

As for the random forum thread with a random Tweet that was re-tweeted all of once, I find nothing else in my search to support confirmation of an additional hack. The only thing I've seen was an IP leak vulnerability from 2015 that they told users about, and that was subsequently remedied. 

-------

So out of your six "sources:"
- One VPN provider was compromised based on the server they rented from a data center.
- Facebook wasn't breached, nor lied about any aspects of logging.
- Free VPNs are shady.
- One developer had a hand in VPNs that lied about a no-logs policy, all HK-based.
- Tunnelbear wasn't breached, nor has been shown to lie about no logging.
- PIA wasn't confirmed to be breached, no evidence of log keeping.

There have been actual companies that have claimed no logs, but then helped US authorities by providing logs. Those were IPVanish, HideMyAss, and PureVPN. Are there others? Most likely. But there are also others that have been audited and shown to be upstanding.


VPNs make little to no sense for people worried about security in a world where SSL and TLS exist. It’s redundant and an enormous security vulnerability. You’re just handing all of your data over to less credible sources. 
 

I can understand using one for geo restrictions or for remote work environments, but that’s about it.

 

Third party VPNs were never popular for security (because they’re absolutely not secure) until the masses started parroting talking points off of YouTube sponsor spots a few years ago. It would be cool if said YouTubers actually grew a spine and explained why they’re not secure, but... they won’t.

MacBook Pro 16 i9-9980HK - Radeon Pro 5500m 8GB - 32GB DDR4 - 2TB NVME

iPhone 12 Mini / Sony WH-1000XM4 / Bose Companion 20


15 minutes ago, Vitamanic said:

VPNs make little to no sense for people worried about security in a world where SSL and TLS exist. It’s redundant and an enormous security vulnerability. You’re just handing all of your data over to less credible sources. 
 

I can understand using one for geo restrictions or for remote work environments, but that’s about it.

 

Third party VPNs were never popular for security (because they’re absolutely not secure) until the masses started parroting talking points off of YouTube sponsor spots a few years ago. It would be cool if said YouTubers actually grew a spine and explained why they’re not secure, but... they won’t.

They're not gonna bite the hand that feeds them. VPNs are more about obfuscation than actual ironclad security. As you say, geo-restriction and remote applications aside, there isn't much benefit to their use, especially if they're being used for the wrong reasons.


12 hours ago, divito said:

So out of your six "sources:"
- One VPN provider was compromised based on the server they rented from a data center.
- Facebook wasn't breached, nor lied about any aspects of logging.
- Free VPNs are shady.
- One developer had a hand in VPNs that lied about a no-logs policy, all HK-based.
- Tunnelbear wasn't breached, nor has been shown to lie about no logging.
- PIA wasn't confirmed to be breached, no evidence of log keeping.

1. Renting your servers is not an excuse. Rent more secure servers, or have your own if you want to ask for my money for security.

2. Facebook itself wasn't breached, the VPN they deployed was.

3. Well duh, how else would a free vpn make money?

4. Does location matter? If it can happen in HK, it can happen anywhere. IMO it got public because it was in HK. Same situation in the EU/USA would have remained under the rug.

5. I never said Tunnelbear got breached. They got acquired by McAfee, which would normally be no issue, but the terms of the deal weren't disclosed and that's fishy. These kinds of acquisitions are public and transparent most of the time, unless they want to hide something ofc. What would a VPN most likely want to hide? User data mining.

6. PIA's database was leaked, so obviously something happened. Not being able to confirm or not if they got hacked basically saying "we don't know" is not very reassuring anyway. Also, PIA was acquired while they were in debt. The idea is that if you acquire any business in debt, you have to change its business model since it's not working obviously. How would you change a VPN's business model to make it profitable? User data most likely. After the acquisition they got audited and made transparent public statements on an interview with Linus, featured on this WAN Show where Linus did a poll asking if they should continue to trust/sponsor them or not. The majority btw voted for "indifferent", yes or no had the same percentage and that's why PIA is still a sponsor on LTT even after they got acquired.

 

I believe that being suspicious and paranoid is mandatory when we are talking about privacy and user data. The headline doesn't need to be "___ VPN got caught selling user data". You need to read between the lines: Suspicious acquisitions. "We can't confirm we got hacked". "It's not our fault, it's our server's fault" (this happened with another VPN, not just Nord, but I can't remember). "It's free, so what did you expect?" Think: If that's what makes the news, what is happening behind the curtain?


Step 1: Stop using cheap VPNs. It's so foolish to think they wouldn't be doing shady things with your data to make up the cost.

 

Step 2: Don't do shady things yourself with a VPN.

 

Make sure to have unique passwords for everything and use 2FA methods whenever possible. Also use an ad blocker. 

Phone 1 (Daily Driver): Samsung Galaxy Z Fold2 5G

Phone 2 (Work): Samsung Galaxy S21 Ultra 5G 256gb

Laptop 1 (Production): 16" MBP2019, i7, 5500M, 32GB DDR4, 2TB SSD

Laptop 2 (Gaming): Toshiba Qosmio X875, i7 3630QM, GTX 670M, 16GB DDR3


2 hours ago, RoseLuck462 said:

Step 1: Stop using cheap VPNs. It's so foolish to think they wouldn't be doing shady things with your data to make up the cost.

 

Step 2: Don't do shady things yourself with a VPN.

 

Make sure to have unique passwords for everything and use 2FA methods whenever possible. Also use an ad blocker. 

Just use Tor ;)

Dirty Windows Peasants :P ?


Just watched the latest WAN Show. Seems another "zero logs" VPN got caught keeping user data this week.

 

https://www.comparitech.com/blog/vpn-privacy/ufo-vpn-data-exposure/

 

I wonder if we will hit 2 or more in one week soon... 

 

8 hours ago, RoseLuck462 said:

Step 1: Stop using cheap VPNs. It's so foolish to think they wouldn't be doing shady things with your data to make up the cost.

I think you mean free VPNs. The UFO VPN I mentioned above is a free VPN, but that didn't stop them from saying that they don't keep data. Exactly as nothing stopped the free VPN, nothing will stop the paid VPN from getting some extra income. Average users don't understand how free apps make money. Imagine you are the average PC/smartphone user: you hear about VPNs all the time in sponsors (they are even in comedy videos these days), you search the app store for VPN, read the description about security, zero logs etc., and you install it without a second thought.

 

That UFO VPN got caught many days ago. Did they pay a fine? No. Go to jail? No. Did they shut down? Nope. Did they AT LEAST change their app description to not say they don't keep data??? Nope. 7th feature in the list: "✔️ No logs, no monitoring" You can still download it here and btw it has 4.5 stars rating, so it must be good.

 

That's my issue with VPNs; paid or free, it doesn't matter. In the current state of our society and laws, they can do whatever they want, with no consequences. Therefore, taking money to sponsor a VPN that you know has the ability to screw your viewers and get away with it, is unethical at best.


On 7/24/2020 at 4:14 PM, lambrosgg said:

1. Because you need to keep an email and payment info for subscriptions with recurring charges. You don't need to keep user data (that would interest advertisers).

3. Every business has the right to be scammy, same as every civilian has the right to be a criminal. Of course they HAVE to face the consequences, I didn't say they have the right to get away with it, just the right to choose a path.

4. Thanks for finding that, I imagined that about 5% actually got caught. If you think that 22% is a low number, I laugh. Please remember that it's 22% OF THOSE WHO GOT CAUGHT. 22% guilty doesn't necessarily mean 78% innocent. It means 78% "we don't know".

 

Back to your example with the clean restaurant: Imagine that you are a restaurant owner, spending 1000$ every month to keep your restaurant clean. You notice that 3 other restaurants in the area, pocketed that 1000$ by being dirty and when they got caught by the health inspector, instead of a fine or jail they got a "you need to issue an apology and promise to be clean from now on!" What would you do? Would you still be clean losing that nice 1000$? If yes, congratulations, you have ethics. Most companies don't though.

 

Let's say that a VPN makes 1000$ every month if they keep user data and sell them to advertisers. Would you think they would still do it if there was a law saying "if you get caught, you have to pay 1 million $ and go to jail"? I don't think so.

Since VPNs are now becoming popular, it will take many years for laws regulating them to appear. Until then, we need to regulate them ourselves. Consumers should vote with their wallets and those who advertise them with their conscience.

 

Same as I believe that no one in good conscience should be accepting money to recommend a restaurant in a country with 0 laws in hygiene, they should also not be recommending a VPN, in a world with 0 laws keeping them "clean".

 

I think that our whole disagreement sums up to: "a company would F you for money, without second thought". You believe most won't, I believe that most do. None of us have the means to prove the one or the other, maybe time will tell. It's that simple.

1. This makes it good for payment info to be hacked how exactly?

3. I think you're confusing free will and legal rights. We have the right to pursue happiness up until our actions infringe upon others' rights to do the same. So no, companies do not have a right to scam people or lie. They have free will, a choice to do so, a choice that has legal consequences.

4. That was of the most popular ones from that article, doesn't include probably hundreds of other less popular ones, so your 5% guess is probably far closer to truth. Given that, my point is even stronger. Just because some of the businesses involved made a bad choice doesn't mean the concept of the business is inherently evil and all VPNs make that choice. That's called generalizing. The same logic used to say all black people love fried chicken and all Irish people drink themselves silly. You're assigning the choice of a few bad players to the entire sport. By that logic since some people are criminals in jail, we're all criminals who just haven't been caught yet. Generalizations go against logic, statistics, and truth. If you could somehow prove that every VPN provider lied about logging info, you still would only be proving those providers bad not the concept of a VPN. Furthermore you cannot prove this, because there are good people and bad people. This is humanity, might as well get used to it now.

Privacy as a concept is not a product, but services that help you maintain your privacy with software and hardware that you might not otherwise have access to or knowledge to use IS A PRODUCT. Same as how information is not a product, but cloud storage of that data is a product, computers to digitize that information is a product, Windows 10 on that computer allowing Excel and file manager to be run is a product.

Quote

Now imagine that in your box you put (without having a choice) your credit card info, your address, your shopping list, your ID, your browsing history and cookies, basically all your personal data online.

Except you always have a choice. Privacy is not a product, it is yours, but these companies offer a product of helping you take care of that privacy. That is a choice you make to use their service.

Quote

If one of these things happens, would you accept if the bank said "we are sorry, here is whatever you paid us for renting the box"? Of course not and that's why in real life the bank is liable for their contents (if you register that content with them ofc). That's why there are no master keys and they are insured, to be able to pay you back. Your privacy cannot be paid back in any way though, because it's priceless. If a bank is held liable for something you can put a price on, a VPN should not be able to get away with an apology, for something priceless.

Ignoring the point I made just above, and assuming your outlandish scenario, of course I would not accept that. I would also not continue using the bank and find one that didn't force me to give up that data. I would not stop using banks altogether as they provide a valuable service. I would say, well never again with this company and FIND A BETTER ONE. As I said before, laws need to be written concerning legal implications of data privacy products and services. But this doesn't make the technology worthless.

Quote

Back to your example with the clean restaurant: Imagine that you are a restaurant owner, spending 1000$ every month to keep your restaurant clean. You notice that 3 other restaurants in the area, pocketed that 1000$ by being dirty and when they got caught by the health inspector, instead of a fine or jail they got a "you need to issue an apology and promise to be clean from now on!" What would you do? Would you still be clean losing that nice 1000$? If yes, congratulations, you have ethics. Most companies don't though.

Ah see you've gone and proven my point with that one word. MOST. Not all, MOST. Even this is an over-generalization you don't have the data to back up, but even with that you've admitted it's not all. More importantly you assume the only incentives to be ethical are legal fines and punishments, which is not at all true. Business is the biggest incentive, and if you've ever found yourself in a filthy restaurant, I'm sure you agree with many others that you won't be returning. Restaurants that remain dirty don't remain in business very long. Try watching Kitchen Nightmares by Gordon Ramsay and see how close to bankruptcy these filthy kitchens are because they can't get any customers in. Also you tried to sneak in another over-generalization that makes the ethical landscape seem far closer to death than it is. 3 out of 4 kitchens would not stay dirty even in your scenario with no legal implications, for the very reason I pointed out that they would not get any business.

Quote

Let's say that a VPN makes 1000$ every month if they keep user data and sell them to advertisers. Would you think they would still do it if there was a law saying "if you get caught, you have to pay 1 million $ and go to jail"? I don't think so.

Again for the lack of business reason, most of them will keep their ethics, or they will go out of business. Remember when Tunnelbear was big because of LTT, then people even got scared of privacy concerns, no actual hack even involved, and now they've lost their footing in the market.

Quote

Since VPNs are now becoming popular, it will take many years for laws regulating them to appear. Until then, we need to regulate them ourselves.

Regulate, not dismiss the concept entirely

Quote

None of us have the means to prove the one or the other, maybe time will tell. It's that simple.

Logic though is on my side, because as you yourself said, customers will vote with their wallets. Those businesses that want to stay in business will do what it takes to keep the customers happy. And for a VPN, that involves keeping the customers' privacy.

Insanity is not the absence of sanity, but the willingness to ignore it for a purpose. Chaos is the result of this choice. I relish in both.


On 7/23/2020 at 4:13 PM, Dravinian said:

What are you talking about?


My ISP doesn't get my log in details, and nor does the VPN whether they are all the same or not.

 

Didn't say anything about ISPs; I was referring to whether login info for a site like this is valuable data.

What I reacted to:

Quote

 

I mean, who really cares that I come here and go to youtube - which appear to be the two things I do on the internet between work.

Who is going to make money off of that? I think even Google might struggle with that knowledge, what they going to sell me an LTT Store bottle?

 

 

Insanity is not the absence of sanity, but the willingness to ignore it for a purpose. Chaos is the result of this choice. I relish in both.


Well sometimes you still really need a VPN, so that risk is just a price we gotta pay.


I've posted this video before, but I feel it sums up the issue pretty well: https://www.youtube.com/watch?v=WVDQEoe6ZWY

In my opinion, the benefits of a VPN are not worth giving another company - probably one which I've never heard of, could disappear at any moment, and only offers VPN services so has no track record - access to my data.

____________________________________________________________________________________________________________________________________

 

 

____________________________________________________________________________________________________________________________________

pythonmegapixel

into tech, public transport and architecture // amateur programmer // youtuber // beginner photographer

Thanks for reading all this by the way!

By the way, my desktop is a docked laptop. Get over it. No seriously, I have an external monitor, keyboard, mouse, headset, ethernet and cooling fans all connected. Using it feels no different to a desktop, it works for several hours if the power goes out, and disconnecting just a few cables gives me something I can take on the go. There's enough power for all games I play and it even copes with basic (and some not-so-basic) video editing. Give it a go - you might just love it.


20 minutes ago, Dan Everhart said:

Well sometimes you still really need a VPN, so that risk is just a price we gotta pay.

Such as when?

 

Sorry, I don't mean to sound rude and I understand there are genuine reasons to want one. It's just a question I have.

____________________________________________________________________________________________________________________________________

 

 

____________________________________________________________________________________________________________________________________

pythonmegapixel

into tech, public transport and architecture // amateur programmer // youtuber // beginner photographer

Thanks for reading all this by the way!

By the way, my desktop is a docked laptop. Get over it. No seriously, I have an external monitor, keyboard, mouse, headset, ethernet and cooling fans all connected. Using it feels no different to a desktop, it works for several hours if the power goes out, and disconnecting just a few cables gives me something I can take on the go. There's enough power for all games I play and it even copes with basic (and some not-so-basic) video editing. Give it a go - you might just love it.


11 hours ago, Jtalk4456 said:

1. This makes it good for payment info to be hacked how exactly?

3. I think you're confusing free will and legal rights. We have the right to pursue happiness up until our actions infringe upon others' rights to do the same. So no, companies do not have a right to scam people or lie. They have free will, a choice to do so, a choice that has legal consequences.

4. That was of the most popular ones from that article, doesn't include probably hundreds of other less popular ones, so your 5% guess is probably far closer to truth. Given that, my point is even stronger. Just because some of the businesses involved made a bad choice doesn't mean the concept of the business is inherently evil and all VPNs make that choice. That's called generalizing. The same logic used to say all black people love fried chicken and all Irish people drink themselves silly. You're assigning the choice of a few bad players to the entire sport. By that logic since some people are criminals in jail, we're all criminals who just haven't been caught yet. Generalizations go against logic, statistics, and truth. If you could somehow prove that every VPN provider lied about logging info, you still would only be proving those providers bad not the concept of a VPN. Furthermore you cannot prove this, because there are good people and bad people. This is humanity, might as well get used to it now.

Privacy as a concept is not a product, but services that help you maintain your privacy with software and hardware that you might not otherwise have access to or knowledge to use IS A PRODUCT. Same as how information is not a product, but cloud storage of that data is a product, computers to digitize that information is a product, Windows 10 on that computer allowing Excel and file manager to be run is a product.

 

Ignoring the point I made just above, and assuming your outlandish scenario, of course I would not accept that. I would also not continue using the bank and find one that didn't force me to give up that data. I would not stop using banks altogether as they provide a valuable service. I would say, well never again with this company and FIND A BETTER ONE. As I said before, laws need to be written concerning legal implications of data privacy products and services. But this doesn't make the technology worthless.

Ah see you've gone and proven my point with that one word. MOST. Not all, MOST. Even this is an over-generalization you don't have the data to back up, but even with that you've admitted it's not all. More importantly you assume the only incentives to be ethical are legal fines and punishments, which is not at all true. Business is the biggest incentive, and if you've ever found yourself in a filthy restaurant, I'm sure you agree with many others that you won't be returning. Restaurants that remain dirty don't remain in business very long. Try watching Kitchen Nightmares by Gordon Ramsay and see how close to bankruptcy these filthy kitchens are because they can't get any customers in. Also you tried to sneak in another over-generalization that makes the ethical landscape seem far closer to death than it is. 3 out of 4 kitchens would not stay dirty even in your scenario with no legal implications, for the very reason I pointed out that they would not get any business.

Again for the lack of business reason, most of them will keep their ethics, or they will go out of business. Remember when Tunnelbear was big because of LTT, then people even got scared of privacy concerns, no actual hack even involved, and now they've lost their footing in the market.

Regulate, not dismiss the concept entirely

Logic though is on my side, because as you yourself said, customers will vote with their wallets. Those businesses that want to stay in business will do what it takes to keep the customers happy. And for a VPN, that involves keeping the customers' privacy.

1. It's OK because you can't avoid getting hacked. In a world where big names like Facebook, Google, Twitter get hacked, you can't demand from a VPN (or anyone) to be "unhackable".

3. I never said "legal right" just "the right" meaning free will, yes.

4. As I said in the end, none of us can prove our claims. You are saying most of them are legit, but you are not proving it either.

 

If by having a "choice" you mean to not use the internet at all, then it's not really a choice. Once you start fully using the internet, everything gets outside your device: Your credit card info, your shipping details, cookies and browsing history. It's up to the ISP (or VPN), not the user, for this info to remain private.

The concept of VPNs is great. I never suggested that the concept should be dismissed. However, until they can be properly regulated by law, I hope they would just all show down for now. It's a jungle atm.

Read my post above: UFO VPN got caught keeping logs days ago, even though they said they don't. Absolutely nothing happened to them, their app is still in the app store, 4.5 star rating, specifically mentioning "not keeping logs" in the features list even now. It's a free VPN mind you, but I doubt different rules apply to free or paid VPNs. You say paid VPNs don't need to sell user data, I say they do for extra income. Ethics vs Profit. Again disclaimer: none of us knows or has proof, we all make assumptions here.

 

Consumers will vote with their wallets, but most consumers don't really understand how free apps make money, or what "user data logs" even mean. VPN ads are in all kinds of YouTube videos now, not just tech. All those tech related services are new and our society mindset hasn't changed enough to demand laws to regulate them. See lootboxes and microtransactions in games as an example: They existed for 14 years, but just the past year 2-3 countries started realizing that it's basically gambling and they need to be regulated. It will take many more years for the majority of people worldwide to realize that it's indeed gambling and push politicians to actually make those laws in every country. VPNs are a risk, you trust them with your privacy and right now all you have to support that trust is a hope that ethics apply. I am sorry but that's not good enough. Until laws happen, at least the tech "influencers" who know the risks better, should protect their less informed viewers.
