Swing VPN app is a DDoS botnet (lecromee.github.io)
723 points by campuscodi on June 18, 2023 | 253 comments



So is hola vpn: https://www.theregister.com/2015/06/10/hola_gets_holes_poked...

At this point one must assume that any "free" vpn software is free because it uses its install base for DDoS / other traffic abuse.


It's not the same thing. Hola was found to use clients as exit nodes, which is definitely an abuse of client trust and resources, potentially exposing them to major legal trouble or otherwise, but I don't think that can be considered a botnet, whereas the VPN app in question here is pulling lists of URLs from control sites and then directly sending requests to them, so it operates in the C&C fashion of a botnet.


> Hola was found to use clients as exit nodes

Hola is run by luminati/bright data, which is absolutely a pure scum, scam, botnet-enabling shitbag company.


Yes, but it is a different type of scum. We need to correctly categorise the scum or it’ll be chaos!


At the end of the day that's what matters.


I couldn’t disagree more. Scum is scum. The people who can discern the difference are few and far between, and we shouldn’t muddy the waters between different types of scum for the already-overwhelmed layperson.

Most people exclusively care about scum vs. not scum, and all but vuln-dev level sources shouldn’t distinguish.

Maybe HN fell on the savvy side of this at one point, but it was so long ago…


This kind of muddy thinking has hurt a LOT of people.

Nuance matters! While the guy who makes sexist jokes and the guy who will rape you if ever alone with you are both scum, that difference really really matters.


I appreciate the specificity, especially on a forum of tech-inclined users and collapsible comments.


If you’re “tech-inclined” enough to understand the difference, how does it alter your behavior?


I appreciated the distinction to help form my own opinion. I believe there are varying degrees of scummy-ness and appreciate someone not trying to "decide for me".


I feel like your “teach the controversy” response just reinforces my point.


Who hurt you? I can't believe that "Nuance is unacceptable" is the position you really want to go with.




Because we're actually quite bad at understanding people's motives (e.g. fundamental attribution error). Not to mention the various ways information gets biased as it flows through people and institutions.


I don't follow the logic.

I will note your posts are reading as activism/consensus building, which gets people removed from hackernews. So you might want to dial it down.


You mean "scums up" the waters, no?


Once you dig into how the Kape Technologies holding is linked to the same people of the NSO Group scandals, well, good luck finding a VPN that didn't sell out their customers.


I’m not a serious user, but I subscribe to Mozilla’s VPN service. Not free but I believe in their mission and feel good about sending a few bux their way.


Same, I made the poor judgement of subscribing to Nord VPN years ago, which I ended up not really using because many streaming sites blocked the VPN IPs. Then I heard of the behavior of the company claiming they don’t take logs but they definitely take browsing logs. I felt like I was duped into a 2 or 3 year subscription upfront and didn’t really understand the product space or how to evaluate the different companies. Like, are there any objective news sources to rank these services, and what internet comments are to be trusted at face value? I listened to a youtube ad in the first place, so I’m unsure what I was expecting.

Mozilla gained good will over the years and I like the browser. The vpn is fairly seamless and permissive for number of devices. I understand it is a wrapper on Mullvad and we are paying a healthy overhead. Still, it is worth it because I’d trust that if the vpn service provider behaves in bad faith that Mozilla will be able to quickly respond and adopt another provider. Whereas if it were up to me I may hear of it years later and not necessarily know what service to adopt instead.

My use is merely hoping to reduce tracking based on ip. I wouldn’t trust it to be subpoena proof. I’m not into pirating music anyway.


"Mozilla gained good will over the years"

Actually, they rather lost a lot over the last years, with various shady things, like tracking for advertisement enabled in the browser by default (called "studies").

So sadly, I also would not trust them as a VPN. Way more than some random VPN service, sure, but not completely. But I also do not know of a better alternative.


Eh, only if you accept the hype and hyperbole of those that not only hold them to a standard that nobody achieves (which is fine, it gets them closer to that standard) but then use that as a reason to tell people that they should use products that are far inferior by those same standards (which is stupid).

I've lost track of the times a Mozilla misstep has resulted in people here saying that's the reason they're switching back to chrome, which I find frankly ridiculous. Also, the whole damn thing is open source, so it's not like they're really hiding anything, people just don't care until someone makes a stink and then all of a sudden everyone cares a lot.

No browser is perfect, but Mozilla is definitely one of the better ones for anyone privacy conscious.


Here we are talking about trust. And a company (Mozilla) that talks a lot about trust and ideals and privacy and then sneaks in tracking by default with an innocent sounding name (studies) is simply not trustworthy to me. They are hiding bad behavior in nice sounding words.

We technical folks get it and can deactivate it.

Every non technical person I know, who still uses firefox does not know and has all the defaults activated, until I change it for them.

So sure, they are still better than google and microsoft, where I just assume that they track everything, but that is a really low standard.


I do not think it is hyperbole. The Cliqz thing, where they just handed user browsing behavior to a third party which they had invested in, is inexcusable. Google does a lot more tracking, but on the flip side I trust their security more than that of some small German startup.

Some of the other incidents were overblown, but the Cliqz thing shows a company culture where user data is something which can be sold to make a profit, which is essentially what they did, and not something which is vital to protect.

Yes, it was many years ago now but I have no reason to think that they cleaned up their company culture.


At that point, I believe Mullvad (who is actually behind the Mozilla VPN service) is more trustworthy than Mozilla themselves. And if that is true, why not just use Mullvad directly?


My understanding is you give money to Mozilla, who then give it to Mullvad.

All Mozilla know is the mullvad username. Mullvad don’t know the credit card details of the purchaser. To link a given vpn ip to a specific credit card would require compromising mullvad and Mozilla.

(Or of course the normal way of fingerprinting which doesn’t rely on IPs)

Now sure you can buy mullvad via cash, but that’s far more work. Using Mozilla as a reseller feels like one more step in the chain


Why do you think NordVPN maintains browsing logs? According to them, “NordVPN does not log any of your activity online,” and the company states that PWC and Deloitte have audited and verified that claim. If you have evidence to the contrary, I am very interested in seeing it.

I am also familiar with a recent police investigation where law enforcement subpoenaed NordVPN and the company replied, essentially, that they had no information connecting a particular IP address, at a specific date and time, to any specific user.


Hi, I was mistaken. I think I confused a separate compromised-server security incident with this walking back of law enforcement cooperation:

https://www.pcmag.com/news/nordvpn-actually-we-do-comply-wit...

They don’t keep traffic logs


> Like are there any objective news sources to rank these services and what internet comments to trust at face value?

This might be useful:

https://thatoneprivacysite.xyz/


I had a look at this site and something stood out to me. The Google Docs spreadsheet of VPN providers hasn't been updated since 12/19/2019.


FYI, Mozilla outsources its servers to Mullvad


Was renewing a ___domain when I noticed my registrar offered a VPN service, but I couldn't find any substantial information about how it works other than supporting Wireguard and a claim not to keep logs. There wasn't even a TOS for me to study before signing up.


I use ProtonVPN and I guess they aren't that stupid to mess up the future of their company by abusing the customers of the service that started the company in the first place. I guess other VPN services offered by prestigious companies, like BitDefender, are quite safe from this standpoint. Yes, the free VPN services always have a large risk associated with them.


Proton is operated by US agencies; the CIA did that in the past with cipher machines.


This is a very bold claim. Do you have reliable sources to back it?


He's probably talking about Crypto AG [1].

Not sure about the links to Proton though.

[1] https://en.wikipedia.org/wiki/Crypto_AG


There aren't any links between Proton and Crypto AG, none at all.


It's not necessarily a problem to use a service, (Signal?), which is funded by an intelligence agency. It can serve their purposes while serving yours too. If the service gets wide enough adoption, then the huge volume of traffic becomes a perfect place to hide their own intelligence activity.


Do you have any sources/links?


Is there anything wrong with Mullvad?


Honestly it's hard to tell, but Mullvad seems to be one of the last options.

The problem I have with all the "checks" that press foundations do is that none of them seem to know what they're talking about in regards to what tech is trustworthy and audited, and what is not.

I found a nice article about it, skimmed through it, and it seems to be true and to reflect my own research that I did for my cyber defense network [1].

[1] https://vpnpro.com/blog/hidden-vpn-owners-unveiled-97-vpns-2...


If I was a TLA, I'd be spinning up one fake VPN company a month. I've never understood why anyone trusts them.


Very funny, I get a popup selling NordVPN several times while on that site (using adblocker). Article written by the owner of another VPN company.


They're the best. They don't even ask for personal information when creating an account (heck, they don't ask for anything at all) and you can pay with crypto or cash. They use Wireguard and their desktop and mobile apps are very good.

They shouldn't keep logs but even if they did there's no personal information metadata.


"They shouldn't keep logs but even if they did there's no personal information metadata."

Just your personal IP, which is via your provider very tied to your person.


That's assuming you are using your home IP, that you're the only one using that IP, and that they are tracking your metadata (which there is no proof of).


If I didn't care that my IP gets exposed, then I would not use a VPN in the first place.

(In many places it can be trivially linked to your real ID, if there is a court order.)

Unless the use case is circumventing region barriers.


Mullvad claims to not log IPs so they cannot hand out anything via a court order and at least once a court order has turned up blank [1]. It is possible that CIA or some other intelligence agency has infiltrated Mullvad and logs them but that is nothing that will ever be used in a normal court case. They will only risk revealing their hand if you are some major crime boss, a spy or a terrorist.

If you are just a file sharer or normal low level criminal I doubt the CIA (or whoever may have infiltrated Mullvad) would give anyone your IP.

1. https://www.svt.se/nyheter/lokalt/vast/husrannsakan-mot-vpn-...


> It is possible that CIA or some other intelligence agency has infiltrated Mullvad and logs them but that is nothing that will ever be used in a normal court case.

Just so everyone is clear on a few facts, it is possible for a TLA or agency from another large government to just try to blackbox the VPN nodes and be done with it without needing to infiltrate Mullvad. Just pressure the network provider of the VPN instances to get flow data, and at that point they can match up traffic going in and out and the VPN disappears from the picture.


> It is possible that CIA or some other intelligence agency has infiltrated Mullvad and logs them but that is nothing that will ever be used in a normal court case. They will only risk revealing their hand if you are some major crime boss, a spy or a terrorist.

Or NSO or some other private actor did so, and now every dictatorship has access to it, and we all know how broad their “terrorist” definition can be…


Well yes, it depends on your threat level.

If you are a dissident in Iran, you really should not trust some random VPN. Tor is probably safe enough, but there is also no guarantee that the Chinese are not sharing with them, because as far as I know (but the last time I checked was some years ago), many nodes are China-based. So they might know.

But if all you do is pirating some videos, then this is not something to worry about.


I care about websites I visit not seeing my IP since they can track me individually using that. Mullvad is the entity that hides it - of course they will see my IP. I don't care if Mullvad sees it, but I do care if shadywebsite6969.test sees it.


That's true. But I don't do anything illegal, I mainly want to preserve my privacy and avoid the ISP logging all the domains I visit.


I feel like, inherently, Mullvad is crazy secure. They never ask for email, phone number, name, or any payment details, and the only identifying information (username and password) are replaced by a number they generate for you. And then it gives you a wireguard config you can use with whatever client you trust.


They don't support port forwarding which eliminates the main use cases for VPNs: https://mullvad.net/en/blog/2023/5/29/removing-the-support-f...


It eliminates your main use cases for VPNs (and while it's a shame that the feature is being pulled, port forwarding has always been rife with abuse).

I formerly worked in the consumer VPN space (an older, but once quite big player), and use cases go from content access (including everything from getting US Netflix from Germany, to sidestepping national firewalls), to general-purpose paranoia about IP logging by websites. There are also lots of cases that get marketed a bit too liberally by companies like Nord, Express, and the hydra that is Kape, like that VPNs can add meaningful security to submitting payment information online; this is despite the fact that it's harder than ever to MITM payment sites.

It's generally agreed that the state of public Wi-Fi combined with evolving web standards and sky-high HTTPS adoption makes VPNs largely, though definitely not completely obsolete for protecting yourself against someone sniffing traffic at Starbucks.

Having said all that: if you need a VPN and a lack of port-forwarding isn't a dealbreaker, I wholeheartedly recommend Mullvad. My former company never worked with them directly but our team had immense respect for their integrity, ethics, and approach to developing a quality product.


Way too many sites block or captcha-gate Mullvad IPs in my experience.


The best. Using it for years.


Yeah, Nord is for example infamous for pimping out their users as scraping proxies: https://oxylabs.io/pricing/residential-proxy-pool


> While the lawsuit names Lithuania-based Teso LT, UAB as a defendant rather than “Tesonet”, this is as a result of a corporate restructuring several years ago. Aside from its link to Oxylabs, Tesonet also advertises itself as a creator and investor of a number of online services, including NordVPN, Hostinger and others.[0]

[0] https://www.techradar.com/news/judge-orders-mediation-after-...


I don't know why, but I did not expect a completely public, normal looking pricing page for something this nefarious-seeming.


Gosh.

"We are a market-leading web intelligence collection platform, driven by the highest business ethics"

I think that's a bit debatable!


I own some IPv4 space and get constant spam from these companies with pitches like "monetize your IP addresses". It's funny how upset they get when you respond and use the word "botnet" to describe their operation, or suggest that the traffic they generate is illegitimate.


It’s difficult to get a person to understand something when their income depends on them not understanding it. —Upton Sinclair


I think it's known as 'touching a nerve'!


Business ethics. These words seem contradictory haha. Not to say there's no ethical businesses, but it just sounds funny to me :D


There are no ethical businesses. A lawn mower can give you a nicely manicured lawn or a trip to the ER. The lawn mower doesn't care.


The lawn mower is not a business. It is a piece of machinery. The business that designed the lawn mower can ensure the design is safe, at least within reason, through the proper engineering of the product and by instructing its users on the proper use and maintenance of the machine. There is nothing inherently unethical about manufacturing lawnmowers unless you consider the practice of mowing lawns unethical (which there are legitimate arguments for, but I don't think that was your point).


Reminds me of Bryan Cantrill's Fork Yeah talk about the acquisition of Sun by Oracle


It would take quite a while to drive to the ER on a lawn mower. You're supposed to call the ambulance /s


This seems a bit beside my point, but perhaps I am not as deeply into this topic as you. How about the baker at the end of the street, making bread for people, selling it at a profit margin which just allows him/her to continue their work as a non super rich person (replace baker with barber or whatever)? I don't see this as unethical. Am I wrong?


Former baker here. There are still plenty of ethical dilemmas in baking: fossil fuel consumption in transportation of ingredients, factory farming of ingredients, if you are employing anybody you are paying them an unfair wage in order to turn a profit. There are inescapable ethical dilemmas of participating in capitalism. Success always comes at the expense of someone else. If you are a small business then you are less accountable to laws designed to protect workers than a multinational corporation.


But if you take that point of view, there are ethical dilemmas in pretty much everything.

Which then makes this viewpoint not that useful at all.

And this issue has already long been summed up as “nothing is free in life.”


Whether or not you deem the viewpoint useful, these ethical dilemmas exist. Whether you choose to acknowledge those dilemmas is your choice. But by recognizing these ethical dilemmas we can make better choices to reduce potential negative impact on others/the community/ourselves. Recognizing inescapable complicity is just accepting accountability, and it introduces the possibility to grow and change as individuals and as a society as a whole over time.


I don't think, for example, capitalism is always dilemmas. If someone chooses to work for you, they chose to accept such a salary and participate. It's not some bad thing. If you truly pay them an unfair wage, they can choose not to participate. This might sound harsh, but people always have a choice. I work for an employer; I don't think it's unfair simply because my boss is turning a profit. I am happy and thankful I have the job. If I didn't want it, there's plenty of space in the rainforest to try and forage for food (and yes, I wouldn't last a day :P).

You might not like something, but does it really make it a dilemma in the sense of 'having to pick which of the two bull's horns will impale you'? I don't think so. (Interesting points though, and perhaps I am still missing your point!)


There may be no ethical businesses, but some are definitely better than others. All the more reason to make a difference.


luminati.io, similar for hola. Guess they rebranded now, as that one redirects :p but it's still the same. This should be illegal really...


Nord as in NordVPN? Source in that case please?



It's not "well-known", because your links don't say what you're claiming they do, and this is a conspiracy theory that's been shut down on here a thousand times before.

https://news.ycombinator.com/item?id=22532682

NordVPN used residential proxies at one point to enable access to Disney+ and other streaming services; that's a world apart from hijacking end-user connections.

They've got an open source client. Where's the code that's turning end users into endpoints?

https://github.com/NordSecurity/nordvpn-linux


https://github.com/NordSecurity/nordvpn-linux/tree/main/mesh...

The standard Linux VPN client clearly has some exit node capabilities.


That's for Meshnet: https://nordvpn.com/meshnet/


Oh interesting. Is that tailscale but worse?


Interesting as related to tailscale? Please tell me your insight. Legitimately interested.


I think users of a VPN don't expect other users' traffic being redirected over their systems, even if it's just to enable access to some streaming services... Or are residential proxies systems in residential ranges that are used as proxies, but actually part of Nord VPN infra, rather than its users?? (Sorry, I don't wanna read all the code, and am a bit confused.)


It's the latter case; Nord used a third-party residential proxy service that they sent traffic through, but there's no serious evidence that they used their own users as proxy nodes or endpoints.


> NordVPN used residential proxies at one point to enable access to Disney+ and other streaming services

I'm sorry but that's incredibly sketchy


It really is of course, but I can honestly see them resort to this only to be able to offer a competitive edge because when it all comes around, this stuff is what many use VPN for rather than privacy. As streaming sites keep clamping down on VPN providers, the low hanging fruits of dodging via mere national IP addresses are blacklisted by them and these providers need to go even further to fool them and compete.

But yes, it's also sketchy with the other implications and all, and not the least what kind of traffic that people want to hide that you're unknowingly a proxy to!


Skimmed it and I don't see anything about Nord making their users into proxies; the second link is questionable (since it's deleted and you linked to an archive).


> Aside from its link to Oxylabs, Tesonet also advertises itself as a creator and investor of a number of online services, including NordVPN, Hostinger and others.

Where else would they get the 100 million users?


Why don't you try installing Nord in a VM and monitoring traffic yourself, instead of taking low-quality blogspam Medium articles at face value?

If they're truly hijacking end user clients, why don't you point to the section of their open source client that's responsible for that?

https://github.com/NordSecurity/nordvpn-linux

Easy enough to prove.


Exactly, I'd love to see some proper proof other than "the parent company owns a residential proxy service"


Honestly, "the parent company owns a residential proxy service" is more than enough to deter me from the product.


If I were evil, I wouldn't implement the proxy feature in the open Linux VPN client that geeks use, but just implement it in the closed Windows/Android clients. Traffic monitoring is better.


I didn't even read the medium article, only the first one. That's what I quoted from. I agree, investigating traffic would be an excellent idea, but I don't intend on putting my credit card into nord's sketchy site (they apparently don't accept paypal)


They do accept paypal, I just checked their site.

Credit or debit card, Klarna, PayPal, Google Pay, Cryptocurrencies


Where? I'm presented with "Credit or debit" (direct input), AmazonPay, ACH Transfer, and Crypto https://imgur.com/G4j1DB8


Maybe it differs by country then:

https://i.imgur.com/fTtdOfR.png


Yeah I saw that part but it does not mean they are using the users from NordVPN for Oxylabs, there's nothing explicitly showing so.


I'll be honest, the fact that they're directly linked to Oxylabs alone is enough to deter me. I can't see how else they'd get 100 million+ residential customers on Oxylabs side... sure, I'm not going to go around claiming I have direct proof, but that's more than enough for me to not use their services.


I always thought nord seemed incredibly sketchy. Thanks for the confirmation.


Nord offers OpenVPN configs. Those configs don't seem to allow nat/routing from Nord VPN network?

I never looked into that, but always used Nord VPN via the official OpenVPN client.


While old OpenVPN configurations still work, NordVPN stopped providing username and password for OpenVPN configs in the account dashboard.


And why is there a need for scraping proxies? Because greedy capitalists do not allow scraping of their sites.


Sites have a right to try to block scrapers. Scraping can incur significant costs and users may not want it - as a LinkedIn user, I want my profile to be indexed and able to be viewed without logging in from the Web, but I also don’t want my entire profile scraped and resold/rehosted for marketing. It’s also often the case that the website put in significant work acquiring/curating/cleaning their data, and they are being scraped by other commercial entities trying to just resell it (blocking that isn’t being greedy, the data is basically being stolen by other commercial entities). So it’s not just being greedy.

Individuals also, IMO, have a right to sell access to their network for scraping-via-proxy. But they should be prepared to deal with the consequences, like a potential IP ban. Most people using VPNs that resell their residential network for scraping probably don’t know that’s happening, and many scrapers are indeed doing something bad, which is why there is a disdain for the practice.


Not to worry, LinkedIn already packages and sells your data, no scrapers needed.


Well part of that is just the direct value prop of the platform, by having a profile there I’m creating a channel for recruiters and stuff and I suppose making it easier to get bank loans/have people verify my identity. What I don’t want is for the data to be hosted elsewhere and resold to every Tom, Dick, and Harry. Fortunately LinkedIn also wants to prevent that because it undercuts their monetization schemes.


The difference is why else would I use LinkedIn except for my job data to be available for recruiters and employers?

Yes, I realize that LinkedIn is a self aggrandizing cesspool. I never post anything there.


I guess secret shoppers are illegal too.


Secret shoppers are paid by the company in question. How is that in any way relevant?


Not only did I not say anything about legality, I did not even say scraping is “bad”, just that it often is.


It's not uncommon that companies ask other companies to scrape their site as they don't have the tech resources to build an API / integration for whatever they want to have.


If you run a small site and people scrape it aggressively, that can rack up your bills, depending on where you host your site. Of course not an issue for billion dollar companies, but a line needs to be drawn somewhere. Also, what's the purpose of the scraping? Usually it's greedy capitalist purposes, so then your point is a bit moot, don't you think?


Let's say someone makes a site that compares prices in different stores. It needs a lot of scraping, but is useful for consumers. Obviously, the only ones who are against it will be the store owners.


And then someone else makes another site that also compares prices in different stores. Instead of scraping all the stores they can just scrape the first comparison site and invest the time saved into SEO :)


Unless you go full blown DoS you will not be able to scrape 100,000 articles multiple times a day. Geizhals for example compares prices every 10 minutes. It does this by working with the stores (they provide a price list), not against them.

If a store owner doesn't want the reach, it's their loss. IMHO no need for a DoS attack.


It has nothing to do with greedy capitalists. I don’t want anyone scraping my site at all. I don’t charge anything for it.


Let's take as an example a website which compares prices in different stores and shows which has the cheapest price. You can do it manually, but using automation it is faster and more convenient. It doesn't make sense to read websites manually when you can use a script or a language model.

Obviously for consumers it is better to be able to scrape sites. It is only those store owners (greedy capitalists) who do not want consumers to know that their prices are inflated.

Another thing is looking for some information, it is better just to have a language model go around the web and summarize the data for you rather than read someone's site with white letters on black background and weird font.


Back in the day the "privacy tool" of choice were anonymous proxies.

I wrote an article in 2013 about why free proxies are free [1] and got so much feedback from people who had never thought about that.

This was back in the HTTP-only days (very shortly before the Snowden leaks) and it was a good way to make money because your proxy could just replace all ads on all sites with your Google ads and you could see all communication. Insane from today's view.

In 2015 I did a followup post where I analyzed the existing proxies for any manipulation of the original site and found that 80% of the free proxies did in fact change something [2]

[1] https://blog.haschek.at/2013/05/why-free-proxies-are-free-js...

[2] https://blog.haschek.at/2015-analyzing-443-free-proxies/


That was one of my first personal projects, over 20 years ago now. Didn't get many clicks on my ads though. And once you look in your logs to see what people are searching for, you'll quickly come to the conclusion you don't want to run that kind of service anymore.


Hola redirects things like web scrapers over their infra. Once worked for a lead generation startup (I am so sorry..) where one of their services reached out to ask if I wanted to send traffic over their network. Sad this is some legal loophole. (Sad for them and probably us, we didn't do scraping :)))


Does anyone have any indication of ProtonVPN doing something fishy? I always considered them fairly trustworthy and they offer a free option.




These days, is there a single email provider out there that wouldn't do that?


Almost certainly not.


Never heard of anything, and as a paid user, they never let me down either. It's the only VPN (and email provider) I actually trust.


Great writeup!

> I have to give props for Swing VPN teams creativity to bypass security measure of Apple appstore and Google PlayStore but it is sad that Apple/Google security systems does not have some automated ways to detect these types of actions.

It's a tricky problem. The amount of attack traffic from an infected device is negligible and very little of it is visible to the operating system due to TLS. It's also presumably intermittent (there's no point in keeping an attack ongoing forever; you stop when the site has found a way to defend itself), so just running the app for a while as part of validating an update might not show any suspicious behavior. The suspicious part is in the configurations downloaded from the CnC servers, not packaged with the app, so static analysis won't help.

The only reliable option for catching these proactively that I can think of would be to use some kind of aggregate telemetry from all the app installations combined, but that'd be incredibly scary both in terms of privacy and the blast radius when something goes wrong.

> Currently in the beginning of June 2023 it has over 5 million install base on android

That's not really a reliable number. It's more like "the number of distinct users who had this app installed at some point". AFAIK it doesn't get decremented when somebody uninstalls the app, and doesn't go up when somebody installs it for a second time on a new device. Those factors might cancel out, might not.


> After app startup, language selection and acceptance of privacy policy the app starts to figure out ‘real IP address’ by doing a request to both google and bing with query “what+is+my+ip”. My guess is that the app just parses the returned HTML and figures IP from those responses.

Aren't there free APIs to get your IP address, like ifconfig.me? This sounds like more work but probably doesn't have any chance of running into rate limits.


Every cloudflare site responds with `ip=x.x.x.x` at /cdn-cgi/trace

https://troyhunt.com/cdn-cgi/trace


I wonder what else they're serving up from my domains using my name?



I often use cdn-cgi/trace endpoints to do latency measurements, sync time, geo-locate; real handy.


Wow very cool

I wonder what's the 'sliver' property


It's information that's only really useful to us. It refers to a set of machines running the same version of our software. Part of how we do progressive rollouts of software.


Thanks for answering!


Wow that's terrible. Is this written anywhere in their terms that you agree to let them host arbitrary content under your own ___domain without your knowledge?


Given that their "Command & Control" server already knows the user's IP anyway, this might be a disguise, with the actual intention being to check if Google is working from that IP, as these shady VPNs are often used to abuse the client as a proxy for SERP requests, to bypass IP-based search engine query limits (for SEO etc.).


It's a lot easier to hide your breadcrumbs if you're just calling google.com or bing.com. Those are services that get billions of hits an hour and nobody cares to scan or correlate your calls to them (other than Google and Microsoft of course).


There are APIs, and in my opinion, just falling back to a different HTTP API would probably be easier than parsing HTML. Though I use one of those APIs for a dynamic DNS client I built, and I've never actually seen a rate limit on them, even if I'm calling them every minute. I appreciate you showing them the benefit of the doubt here, but in my opinion the more likely answer is just that the person who did this is just underinformed on the state of quality of life-improving public APIs.


It's also borderline trivial to set up your own on a VPS with Nginx.


And leave traces?


I was legit about to say how are they at minimum not using `checkip.amazonaws.com`


> we probably can assume that this app is trying to attack some government sites of Turkmenistan. It is hard for me to imagine why would anybody do that

I find this very odd that they would target those websites. What would be the gain of taking down those websites _for anyone_. I doubt that the reason is political.

P.S. Turkmenistan is probably the worst country when it comes to free internet. Almost all IP addresses are blocked, with very few websites (mostly Google-owned) being reachable. The entire population is desperate for VPN (preferably free). They are not educated about malware, or anything about security, so they will download anything that promises free internet.


Turkmenistan is part of China's BRI, so it could be any state that wants to see that fail?


Couldn’t it just be old fashioned blackmail? Attack the site and request money to turn off the botnet? It might be a bad assumption on my part but it occurs to me that maybe Turkey doesn’t have a lot of pull to investigate cyberattacks across country lines so businesses in that country might be good targets to not get blowback?


Turkmenistan certainly has no capacity for investigating a cyber attack, for sure. But they have no problem with those websites being down. Internet usage in the country is very low, and those websites are down most of the time anyway.


Turkmenistan*


When I worked in price crawling there were rumors some proxy vendors leveraged extensions and VPNs (supposedly with fine-print consent) on residential computers to work around crawl blockers. My guess is that prompted the Chrome Web Store to narrow the functionality of an extension to only one purpose.

These DDoS tools appear to take things to the next level, and an undeniably blackhat direction.


A big reason for obligatory codesigning and developer accounts for mobile apps has been that we would know _who_ is doing malicious things, right? So... are there lawsuits already? Will someone go to jail? Or at the very least, has the developer been booted from Google Play? (No, not as of now; I reported the app, but I doubt that is a usable venue for cases like this.)


This is probably the GRU or the SVR running a deployment of this app from a shell company, together with some ad campaign. Or perhaps Chinese intelligence. Turkmenistan, like many other *stans, is currently being non-kinetically fought over by China and Russia, a playground of the game of empires. These countries used to be under the Russian protectorate, but then Putin blundered so badly in Ukraine that it would be a shame not to challenge him. I'm not knowledgeable on the situation in each of the former Soviet *stans, but the general picture is pretty clear.

There's another story on HN today, the famous story of CIA setting up shell companies to buy Soviet titanium for the SR-71. The Soviet counterintelligence was completely fooled. This stuff is bread and butter for the more aggressive intelligence departments around the world.

I think that shit like this should be reported to law enforcement, so that they can route it to national intelligence or counterintelligence. They can decide to shut it down or investigate further. Opening the case in public lets the other side do a quick cleanup.


> doing a request to both google and bing with query “what+is+my+ip”. My guess is that the app just parses the returned HTML and figures IP from those responses.

lol


This is interesting. Does this make it harder to filter/blacklist once discovered? Or is this just incompetence?

If I had a known user agent doing a curl to icanhazip or whatnot, could that eventually be blacklisted?


I don't get it. Where does the VPN traffic go through? If they can operate a gateway, then surely they can provide their own endpoints for IP discovery (and also C&C for that matter).

Until it's discovered, traffic to their own servers would appear the most innocuous. After that, the app gets kicked off the store and the server doesn't matter.

Unless it doesn't actually do any VPN and it's all just a farce, lol.


Excellent sleuthing! I sometimes use Proxyman to sniff the traffic that my phone or computer is using – it's fascinating seeing what and how different apps communicate with their backend servers. I haven't come across anything quite so nefarious, but its interesting all the same.


This activity was identified on Android. It doesn't occur on iOS, because on that platform, VPNs are made resident by the operating system exclusively. Providers' apps are just a VPN configuration tool.


Not true, you can implement a custom VPN protocol on iOS: https://developer.apple.com/documentation/networkextension


It has nothing to do with it. This app just makes web requests, and any app can make web requests.

The vpn functionality is secondary.


Not in the background. Apple has a very different system for background app refresh. So only when the app is in the foreground or recently closed can it perform an arbitrary HTTP request.


This is technically true in the abstract, but your implied accusation is not consistent with the facts as presented by the article's author in a recent addendum. From the article:

"Some people wrote me saying that the DDOS is not happening on ios devices. Just did a quick check and you guys are right. iOS app is using different way to do VPN and also does not do anything suspicious. I should appologize to you and to Appstore team for my lazy extrapolation without actually checking it."


I'm not sure if it's appropriate to give unsolicited suggestions on the writing, but I believe the author could improve the conciseness. It reads a bit verbose in places where certain information is repeated multiple times, such as the mention that configurations were retrieved from GitHub and Google Drive sites.


Writing technical articles is hard. They're usually research note dumps or technical jargon mixed in with some English words.


VPNs in general tend to be super shady.

Many vendors surreptitiously use user nodes as exit nodes and route traffic in suspect ways.

VPN software stack is surely a major target for state and non-state actors to monitor and exploit.


I think one major problem is VPNs are advertised or promoted as if they're synonymous with antivirus software.

I partially blame the myriad YouTubers who happily push these to their fans to supposedly protect their privacy and protect their computers from harm.


Until recently, eyeglass manufacturers were marketing blue light filtered lenses (which don't even filter much blue light anyway) as a way to prevent macular degeneration, until regulators shut it down. VPN providers shouldn't be allowed to claim that VPNs protect you from malware or that they do a better job at protecting data in transit than vanilla SSL.


Any source on the blue light filtering not working? I didn't get the filter on my latest glasses and feel like my eyes fatigue more quickly, but I'm aware that could just be aging or a change in monitors, lighting, etc. which have occurred since my last subscription update.


The lenses I'm talking about are the ones that are completely or nearly completely clear. Here's a photo of the "Everyday" blue light lenses on Zenni Optical as an example. They are marketed as blocking 16x more blue light than normal lenses. https://static.zennioptical.com/marketing/campaign/blokz/202...

How could it be blocking any significant amount of light in the visible spectrum and still be clear? I'm sure the "16x" claim is true, but normal lenses block a small amount of light. 16 times nearly zero is still nearly zero. It's just a marketing gimmick.

Zenni Optical also sells lenses which are orange. I'm sure that actually does block a significant amount of blue light, but I also know from my experience visiting optician offices that many consumers are buying the first kind.

I'm aware of studies which link blue light to eye fatigue and disruption of the circadian rhythm but I'm skeptical that blocking 5% of blue light or whatever could have a perceptible medical effect.

With that being said, I don't feel strongly about claims like the 16x thing if it's actually true (just a bit misleading). My comment above was mostly about the claims that they prevent macular degeneration, which there is no evidence for. And regulators are right to jump in before it gets too bad, otherwise why stop at macular degeneration? Just say your lenses prevent hair loss and skin cancer while you're at it.


Hey, I have such glasses, and here in France at least they are still marketed. Do you have any reference pointing out the fact that they do not work? (Are they even worse than regular glasses?)


> they are still marketed

They're still marketed as a way to prevent macular degeneration?


They still push them at the sales end of optometrists here in Australia. My optometrist partner always gives them death stares whenever they try to push that blue light filtering scam when I'm getting new lenses (like I did a week ago)


> VPN providers shouldn't be allowed to claim that VPNs protect you from malware or that they do a better job at protecting data in transit than vanilla SSL.

That's... not exactly true, given what definition of "protecting" you follow. VPNs definitely can protect against some forms of attacks that plain old HTTPS can't:

- malicious QoS/routing policies at the ISP (or a public WiFi operator) that, say, down-prioritise or throttle stuff like YouTube, or route it through backed-up links (German Telekom was infamous for bad peering towards high traffic sites including Youtube [1] or where they all but extorted money from "double paid traffic" from server owners [2])

- ISPs hijacking DNS for a myriad of reasons (NXDOMAIN ad-hijacks, government-ordered censorship, thinking they can offer "improved" DNS service by simply answering all requests going out on UDP53 with their own servers [3], ...)

- ISPs and WiFi operators listening on DNS requests or doing traffic analysis to sell to advertisers [4]

- other devices on the network attacking your machine (e.g. in a coworking space) - proper VPN software like Cisco will "cut off" all communication with the outside with the exception of the remote VPN endpoint IP and DHCP.

The part about malware is more sketchy, but in case the VPN operator uses something like Pi-hole and other shared lists of malware domains and IPs to blacklist commonly known vectors and C&C sites, it is a valid statement.

[1] https://winfuture.de/news,63355.html

[2] https://www.golem.de/news/hetzner-und-netzneutralitaet-extra...

[3] https://labs.ripe.net/author/babak_farrokhi/is-your-isp-hija...

[4] https://www.washingtonpost.com/wp-dyn/content/article/2008/0...


As Linus (LTT) mentioned a while back, VPNs are an insanely profitable cash cow with super low bars of entry into the new business, but it sits at a super legally precarious position that could jeopardize major legal and ethical challenges.

I agree though that a lot of YouTubers have grown fat and comfortable with VPN providers led largely because of the financial incentives over their desire to protect fans.


Is there a name for the phenomenon when something is over-advertised to the point where potential consumers become less interested with more advertising? I’ve reached that point with NordVPN, SquareSpace, and a few others, but especially any pharmaceuticals that get TV ads (not that they’re ever relevant to any health concerns for anyone in our house).


Anecdote to the pharma comment: I recently looked up what happened with the CW because it felt like the network was falling into a pit recently. It turns out the network got "trimmed down for acquisition" and got swooped up by a cable provider. Apparently the average viewer of CW on terrestrial cable is 58!? (Taken from Wikipedia for what it's worth.) If 58 is the average viewer for CW, just how old are people trending for less youth-oriented networks? It makes a lot more sense to see a bunch of drug commercials (with their very high ad rates) shoved down your throat.


Pharma ads are not permitted here, so I sometimes look em up on the YouTube’s for amusement.


Law of diminishing marginal utility?


I think GP is talking about diminishing total utility (negative marginal utility).


> one major problem is VPNs are advertised or promoted as if they're synonymous with antivirus software.

Famously described by Tom Scott:

[How it started] https://www.youtube.com/watch?v=WVDQEoe6ZWY

[How it's going] https://www.youtube.com/watch?v=Wif1EAgEQKI&t=320s


But he does not promote it as security thing.


This is true, but the smash cut is funny nonetheless.


Does this also work if you're using the generic OpenVPN client to connect to the VPN? I've used a bunch of different VPN providers over the years, but they usually just offer an OpenVPN configuration that you can use with the normal client. I'm not aware of this also allowing them to send traffic the other way, but maybe it does?


afaik no, that's impossible without modifications of the customer's OpenVPN software itself (they would need firewall/iptables rules for NAT, impossible to set via OpenVPN config). That's exactly why it's a bad sign if a VPN provider doesn't just give you VPN configuration files.


Hola VPN, for instance, is famous for using the extensions as "exit nodes"


So does this mean then that if someone appears to be using my IP to do illegal thing x y z police/lawyers would come at me first?

If so, would simply having an account and exe file be enough to argue “my wifi is open, I didn’t download all that XYZ!”


By the time the police come at you because of your home IP, they usually have collected a lot more evidence than that. That's why torrenting from your home without a VPN usually just results in a letter from your ISP saying "we know what you're doing. cut it out".

Nobody has ever been convicted with their home IP as the only evidence.



Of course, you get raided most likely once they have sufficient evidence that they'll be able to collect incriminating evidence. Your IP might be enough to get a warrant, but they'll need a lot more to build a case in court. Hence the raid, confiscation of servers, etc.



Hilarious conclusion from the author. It's almost certainly not the case that the owners of this service are using it to 'DDoS' targets, rather it's much more likely they are using your device to host a proxy server and then selling access to some 'residential proxy reseller'.

On the other side of that, some random Joe has probably purchased access to a set of these 'residential proxies' and is using them to scrape flight data from the airline site the article author noticed, with some of those requests being sent over the author's connection.

Many 'free vpn' and 'free proxy' apps engage in this behavior, you may proxy your requests via their connection, but they also proxy their requests via yours, generally reselling that access to someone who finds your IP address to be of value to them due to the fact that it's not a datacenter address.

It's certainly questionable to straight up unethical either way, especially so if the service doesn't disclose to you that they're doing that, but on the other hand I find the author's DDoS conclusion to be so contrived and out of touch with reality that I had to write this comment.


Did you read the part where there was a hosted, downloaded, config file that contained the target URLs? That doesn’t seem proxylike.

    "urlList": [
      {
        "url": "https://turkmenistanairlines.tm/tm/flights/search?_token=J8SxUX2Qwzltw4LiHsRHTCtfthgBYxf4hyI8oNly&search_type=internal&departPort=TAZ&arrivalPort=CRZ&tripType=rt&departDate=4%2F22%2F2023&arrivalDate=5%2F4%2F2023&adult=1&child=0&infant=0&is_cship=on",
        "method": "GET"
      },
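As an added example (not code from the article, the app or any commenter), a small Python triage helper for a task config of the shape quoted above, so a defender can list which hosts a captured config would direct the client at. The sample config is constructed; only the field layout and the two .tm host names come from the thread, and `own_api_hosts` is a hypothetical allow-list of the app's own backend.

```python
"""Triage a captured "urlList" task config: which hosts would the client be
told to contact, and how many requests would each receive?  Only parses the
config; it never sends anything.  Sample input is constructed for this example."""
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in the shape quoted in the thread: a "urlList" of
# {"url", "method"} objects.  The .tm hosts are the ones named in the thread;
# the remaining entries are made up to exercise the malformed-entry handling.
SAMPLE_CONFIG = json.dumps({
    "urlList": [
        {"url": "https://turkmenistanairlines.tm/tm/flights/search?departPort=TAZ&arrivalPort=CRZ",
         "method": "GET"},
        {"url": "https://turkmenistanairlines.tm/tm/flights/search?departPort=CRZ&arrivalPort=TAZ",
         "method": "GET"},
        {"url": "https://www.science.gov.tm/", "method": "GET"},
        {"url": "https://www.science.gov.tm/about/", "method": "get"},
        {"url": "ftp://example.invalid/ignored", "method": "GET"},   # non-HTTP: dropped
        {"url": "not a url", "method": "POST"},                     # unparsable: dropped
        {"method": "GET"},                                          # no url: dropped
    ]
})


def parse_task_list(raw):
    """Return a list of (METHOD, url) pairs from the config text.

    Entries without a string URL, with a non-HTTP(S) scheme, or with no host
    are skipped rather than raising, so one bad record does not abort triage."""
    data = json.loads(raw)
    tasks = []
    for entry in data.get("urlList", []):
        url = entry.get("url")
        method = str(entry.get("method", "GET")).upper()
        if not isinstance(url, str):
            continue
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        tasks.append((method, url))
    return tasks


def targets_per_host(tasks):
    """Count how many tasks point at each destination host (lower-cased)."""
    return Counter(urlsplit(url).hostname.lower() for _, url in tasks)


def summarize(raw, own_api_hosts=()):
    """Split destinations into the app's own backend and third parties.

    `own_api_hosts` is a hypothetical allow-list of hosts the app legitimately
    talks to; anything else in a *downloaded* task list is the red flag the
    thread describes (the client being pointed at sites it has no business with)."""
    counts = targets_per_host(parse_task_list(raw))
    own = {h: n for h, n in counts.items() if h in own_api_hosts}
    third_party = {h: n for h, n in counts.items() if h not in own_api_hosts}
    return {"own": own, "third_party": third_party, "total": sum(counts.values())}


if __name__ == "__main__":
    report = summarize(SAMPLE_CONFIG, own_api_hosts=("api.vpn-backend.invalid",))
    for host, n in sorted(report["third_party"].items()):
        print(f"{n:3d} request(s) -> {host}")
    print(f"{report['total']} usable task(s) in total")
```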


My mistake, I looked at the article for 10 seconds before assuming that this app is no different than hundreds of other ones, apparently it is a rare outlier. At any rate, there are more effective ways to disrupt service if that was the goal.


Upvoted for honesty :)


Is it evident that it's not a proxy? Even if it doesn't work like an HTTP proxy, it could still work as a sort of proxy service for scraping.


Pretty harsh to say that this is a hilarious conclusion when your own conclusion seems even more rash. If your conclusion was the case, wouldn't that mean there'd also have to be people interested in scraping random (static) https://www.science.gov.tm/ pages?


It doesn't seem to be putting the result data anywhere though (unless I missed that part)


Unfortunately Google makes it extremely hard to report this sort of Abuse to them, offering no free-form input to tell them what the issue with the application is.


This is the form for reporting malware on Play, and it includes a free-form text input for describing the issue:

https://developers.google.com/android/play-protect/pha-repor...

(It is a bit odd that there's no DoS category on the report form, despite it being listed as a category on their taxonomy page at https://developers.google.com/android/play-protect/phacatego..., but I expect that you can just enter that in the "other" free text field.)


The fact that this thing has 5 million installs is disturbing. You generally assume that the large install count apps have been vetted. Or at least that this kind of thing like in the article has surfaced way before millions of installs and the app was taken down.


I had a Chinese video app, like 10+ million installs, and it bricked my tablet. It worked by only targeting people with keyboards other than Chinese.


Yeah, this and countless others that nobody's ever heard of except through a YouTube advert making questionable claims with a questionable definition of 'VPN'.

(To answer the inevitable: Mullvad and Proton are the legitimate offerings that spring to mind.)


for ppl wanting a vpn which does not do this. at the monthly rate things like nord charge, you can rent a server, install openvpn and be free of this stuff. of course, the server is yours and traceable to you, but still it has all the other benefits which i think normal vpn users crave. (visit plaintext sites over insecure wifi but no eavesdroppers on the line etc.). it's fairly easy to set up and definitely you won't be part of a traffic redirection network, for whatever purposes the redirection is. maybe you can connect your friends too and be a good samaritan :)


> visit plaintext sites over insecure wifi but no eavesdroppers on the line etc.

Not a rhetorical question: When is the last time you've visited a non-HTTPS website?

> you wont be part of a traffic redirection network

These are also only a concern for HTTP.

Other common use cases for VPNs include geo-unblocking, and hosting IP ranges are commonly blocked by streaming sites.

I can’t think of a good reason to use a VPS for a VPN anymore these days, to be honest – the privacy/security landscape has changed dramatically over the last few years.

You probably get better privacy these days on public (free/unauthenticated) Wi-Fi than you would on many "free" or paid VPN services.


I don't get why people buy cars anymore when there's Lyft and Uber. The transportation landscape has changed dramatically over the last few years.


Seems like you misread my comment as "there is no need for VPNs anymore these days". I'm merely saying that I don't see the use case for the "self-hosted VPN server" model anymore.

Need to bypass geoblocking, e.g. when traveling? You'll likely need a residential IP -> use your own network at home (e.g. Tailscale or a self-setup solution) or one of the shady "residential IP broker" utilizing commercial VPNs out there.

Want privacy (from visited sites' trackers)? Your VPS is definitely not that: The IP is static, and if you send your entire traffic through it, this is much more fingerprintable than even residential web usage. -> Use a commercial VPN that you can trust (I don't know many) or something like iCloud Private Relay or TOR.

Want privacy from your ISP tracking you (including public Wi-Fis), and only that? Then, yes, a VPS-based VPN might be for you (or any of the commercial VPNs out there).

But my claim is that the last one (and only that) is probably not the biggest concern of most people.


I know you're being facetious, but, that's not the sarcastic counter argument you think it is. I unironically don't own a car anymore because I have an electric scooter and Uber/Didi to fill in where the scooter is (rarely) not enough. The landscape really has changed.


Problem is that many services denylist "data center" IP ranges, making these VPNs nigh unusable for things like watching Netflix or in some cases even logging into eBay and such.

I’ve run a private vpn for extended family off of my residential connection for this reason. It helps them and me.


I do most of my every day browsing and online shopping from data center IPs and have never had a problem with eBay or really that many sites at all. Some for sure (looking at you, "Open" AI), but for the most part it's fine.


Like another poster said, when was the last time you visited an insecure HTTP website?

On another note, one of the first firewall rules that many of my clients ask for is to block cloud servers IP ranges.


> install openvpn

Installing OpenVPN is like carrying the One Ring to Mount Doom. I've installed operating systems, databases, web servers, full LAMP stacks that took less effort.


> new: Some people wrote me saying that the DDOS is not happening on ios devices. Just did a quick check and you guys are right. iOS app is using different way to do VPN and also does not do anything suspicious. I should appologize to you and to Appstore team for my lazy extrapolation without actually checking it. Unfortunately I don’t have much time to fix the article right now, so please just ignore anything ios related below this line.

FTA:

> I have to give props for Swing VPN teams creativity to bypass security measure of Apple appstore and Google PlayStore but it is sad that Apple/Google security systems does not have some automated ways to detect these types of actions.

You couldn't rewrite it to just be:

I have to give props for Swing VPN teams creativity to bypass security measures of the Google PlayStore but it is sad that Google security systems does not have some automated ways to detect these types of actions. (Note: A previous version mention the Apple App Store but the iOS version does not appear to participate in these DDOS attacks)

The explanation about not fixing the article is longer than the entire paragraph that only needed 22 characters removed (and potentially a sentence added). I don't get it.


All free VPNs == malware

All paid VPNs == honeypots


I'm not casting any aspersions but if I were running the FBI/CIA/MI6/five eyes/whatever, I'd set up a VPN service and it would look exactly like NordVPN. I mean exactly. Operates from (and trades on the name of) a strongly independent country/region. Somewhere that would be considered trustworthy to the targets of interest to me. Nobody who works there would have any idea about the intelligence operation, except for a small ops team who "develops the platform". And I'd absolutely pump the marketing budget with unlimited cash to ensure they can promote their services on every English language YouTube channel.

NordVPN are probably fine. But if I were actually keen to avoid government monitoring, I'd probably look for a VPN service that doesn't put much effort into marketing to an English speaking audience. And I'd combine that with at least one more layer of indirection.


Mullvad and Proton have pretty good reputation, no?

You think they are honeypots?


You can’t prove otherwise unfortunately, you have to trust the provider.. trusting only.

I would personally stay away from Proton for anything, VPN or email. I've been following their news since they started and there are a lot of sketchy things about them; you can read about some of it here (1). The CEO of ProtonVPN and Tesonet (a data mining company) is the same person, and they used to have a lot of vulnerabilities and a bad patching system (2)(3). There is other stuff about it I can't find the reference for right now (hmmm?), but I can dig deep later if needed.

Mullvad has been better so far. I personally use / used it; the last two years have been really bad with their network, and recently they stopped port forwarding (4), but again, you have to trust them.

(1) https://encryp.ch/blog/disturbing-facts-about-protonmail/

(2) https://blog.talosintelligence.com/vulnerability-spotlight-m...

(3) https://www.scmagazine.com/news/network-security/protonvpn-a...

(4) https://mullvad.net/en/blog/2023/5/29/removing-the-support-f...


The first article has long been debunked: http://web.archive.org/web/20210728130935/https://serpentsec...

The second and third articles are over 5 years old, that attack also requires a device to already be compromised. Proton VPN undergoes annual security audits and is also open-source, so anything "sketchy" (like if the app were actually data mining) could be quite easily and quickly discovered.

There's no way to conclusively prove trustworthiness, but there's a lot that Proton does in terms of trust that no other VPN can match: https://protonvpn.com/blog/is-protonvpn-trustworthy/


Is Freemium VPN a thing? If these are the options it seems like this could be the middleware gap the industry is begging for because both of these options as is suck.


Am I understanding correctly that you want a honeypot that serves malware?


how about self-hosted VPNs?


You are still connecting to the VPS from your regular IP addresses. Trust in the provider is still required. And they have downsides for common uses like lack of being able to switch servers to get a new identity or change ___location, and for bittorrent piracy specifically, many probably are not designed to handle getting DMCA notices.


The app in question is still on the Play Store. I just installed and quickly uninstalled it so I could leave it a 1-star review.

https://play.google.com/store/apps/details?id=com.switchvpn....


I love this sort of thing. I'd love to get into this sort of research. No idea where to start to either acquire the skills or once acquired target the right systems/apps. I can still dream though.

Any pointers on where you'd start would be appreciated though.


In this case, the whole process was just "let's see what my device is doing" and then digging until the unexplained is explained. Your devices are doing lots of weird things, talking to tracking servers, fetching data from unexpected places, you just need to take a look and start wondering!

Running Wireshark or an equivalent smartphone app is easy. Understanding it probably a lot less so, but network protocols can be googled. One trick to not get overwhelmed too much is to not use the device you're analyzing too much so you only collect background traffic. Another is to filter out traffic you can't do much with. A lot of traffic is encrypted by TLS these days, but a lot of data is still visible, like in this case a random ___domain that you shouldn't be seeing. However, except for that very first TLS packet, you won't be able to see anything interesting in the rest of the stream, which can be gigabytes in size!

The real challenge for network analysis is that 99% of the time, your network is not doing anything strange (or at least interesting). If you want to find something, you can try seeking out sketchy apps (free VPNs are a nice target, they're almost always shady) but there's no guarantee that you'll find anything. Or you can dive deeper if you think there's more to be found.

In the case of Android apps, those are often easily decompiled into either VM byte code (smali) or even obfuscated Java code. apktool, jd-gui, or ghidra can usually get some kind of readable-ish code out of an app. There's also an excellent online APK decompiler if you trust that. Grabbing the APK is quite easy, you can find apps that do this or otherwise you can use Android's debugging tools to pull the app off your phone.

Depending on how obfuscated your target is, complete reversing may be difficult. You can often take shortcuts, though, like looking for interesting strings or setting files.

Another nice trick to employ when reversing applications is to run Frida. Frida is a toolkit for injecting arbitrary code into another process. You can either inject Frida into an APK you've downloaded, or if you've got a rooted device run it against any unmodified app. It works on other platforms as well! With Frida you can write JavaScript in the Chrome dev tools to control the app, list objects and functions, call random APIs, whatever you need, all without decompiling.

Another trick I like to employ is using mitmproxy to man-in-the-middle apps so you see every HTTPS call they make, the responses, and you can even mess with the traffic (change responses, alter requests, you name it). The tricky part is to get the app to accept your TLS interception, but there are Frida scripts that will disable validation of TLS certificates in all manner of apps, giving you the ability to inspect them.

That last part can also be very useful if you're reverse engineering an API. I've written a blog post about a Norton VPN where I did exactly that, not because Norton was being shady, but because I wanted to use the OpenVPN config file on my laptop and they didn't provide me with the necessary files (even though they totally could have).
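The "only the first TLS packet is readable" point from the comment above, as an added example that is not code from the original post or the linked article: a small pure-Python parser that pulls the SNI hostname out of a TLS ClientHello and flags hostnames outside an allowlist of domains you expect a phone to talk to. The ClientHello bytes and the hostnames are constructed inline so it runs offline; on real captures you would feed it the payload of the first client-to-server TCP segment of each port-443 stream (e.g. via scapy or dpkt). The allowlist and the "suspicious" hostname are placeholders, not domains from the article.

```python
"""Extract SNI from TLS ClientHello payloads and report unexpected hostnames.

Added example for this thread, not code from the original post. After the
ClientHello everything in a TLS stream is encrypted, so the server_name
extension in that first record is often the only readable identifier.
"""
import struct

SNI_EXT = 0x0000  # server_name extension type (RFC 6066)


def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension.

    Constructed test input: real handshakes carry many more extensions.
    """
    host = hostname.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(host)) + host          # name_type host_name(0)
    sni_ext_body = struct.pack("!H", len(sni_list)) + sni_list
    sni_ext = struct.pack("!HH", SNI_EXT, len(sni_ext_body)) + sni_ext_body
    ems_ext = struct.pack("!HH", 0x0017, 0)                     # extended_master_secret, empty
    extensions = ems_ext + sni_ext                              # SNI is not first: parser must walk
    body = (
        b"\x03\x03"                                             # client_version: TLS 1.2
        + bytes(32)                                             # random (zeroed for the example)
        + b"\x00"                                               # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"                    # one cipher suite
        + b"\x01\x00"                                           # compression: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake


def extract_sni(payload: bytes):
    """Return the SNI hostname from a TLS ClientHello payload, or None if absent.

    Returns None for non-TLS payloads, non-ClientHello records, ClientHellos
    without extensions, and truncated input (no exception escapes).
    """
    try:
        if len(payload) < 5 or payload[0] != 0x16:              # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", payload[3:5])[0]
        rec = payload[5:5 + rec_len]
        if len(rec) < 4 or rec[0] != 0x01:                      # not a ClientHello
            return None
        hs_len = int.from_bytes(rec[1:4], "big")
        hs = rec[4:4 + hs_len]
        pos = 2 + 32                                            # skip client_version + random
        pos += 1 + hs[pos]                                      # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]      # cipher_suites
        pos += 1 + hs[pos]                                      # compression_methods
        if pos + 2 > len(hs):
            return None                                         # no extensions at all
        ext_total = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            ext = hs[pos:pos + ext_size]
            pos += ext_size
            if ext_type != SNI_EXT:
                continue
            lp = 2                                              # skip server_name_list length
            while lp + 3 <= len(ext):
                name_type = ext[lp]
                name_len = struct.unpack("!H", ext[lp + 1:lp + 3])[0]
                lp += 3
                if name_type == 0:
                    return ext[lp:lp + name_len].decode("ascii", "replace")
                lp += name_len
        return None
    except (IndexError, struct.error):
        return None                                             # truncated or malformed


def unexpected_hosts(payloads, expected_suffixes):
    """Return sorted SNI hostnames that are not under any expected ___domain suffix."""
    found = set()
    for payload in payloads:
        host = extract_sni(payload)
        if host is None:
            continue
        if not any(host == s or host.endswith("." + s) for s in expected_suffixes):
            found.add(host)
    return sorted(found)


# Constructed sample: what "background traffic" from an idle phone might look like.
EXPECTED = ["googleapis.com", "gstatic.com", "example.com"]
SAMPLE_STREAMS = [
    build_client_hello("play.googleapis.com"),
    build_client_hello("connectivitycheck.gstatic.com"),
    build_client_hello("cdn-update.example.net"),              # placeholder "odd" ___domain
    b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n",              # plaintext HTTP, no SNI
    b"\x17\x03\x03\x00\x05hello",                               # application_data record, unreadable
]

if __name__ == "__main__":
    for host in unexpected_hosts(SAMPLE_STREAMS, EXPECTED):
        print("unexpected SNI:", host)
```

The allowlist approach is the "filter out what you can't do much with" step: you grow `EXPECTED` until only the hostnames you cannot explain remain, then chase those in the app's code with the static tools the comment goes on to describe.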


Would love to read your blog post if you're willing to share.


Here you go: https://blog.jeroenhd.nl/article/getting-norton-secure-vpn-t...

Not the best writing, it was mostly a recap of the things I did for myself if I ever needed to fetch that file again, but I think the core concepts may still be useful.


I'd recommend watching liveoverflow on YouTube. He has great videos about reverse engineering programs and is very beginner friendly.


I'd literally start any training by asking chatGPT, probably using phind to ensure it's got more up to date info. I wouldn't trust everything it says, but it can help you maybe find your weaknesses on a topic and formulate a self education plan.


Most markets have several products/services worthy of attention. But in the “consumer VPN” space I think https://mullvad.net/ is the only non-shady clear principles player there is? Even established names like Proton seem to partially swindle you with buzzwords like servers inside Swiss mountains. None of that with Mullvad: clear about what they do, what they don’t do, and how they do what they do.


I hadn't really thought about it before, but it makes sense, upon reflection, that the temptation to appropriate mostly idle consumer computing resources for something is too great to ignore.


Installing a client always opens up these risks. That is why I am building a clientless tunneling service (well, technically you bring your own client) - https://pinggy.io which is similar to ngrok but you can connect using your own SSH client such as OpenSSH.


This article is about a VPN service.

How does a clientless ngrok alternative help here (which tunnels server traffic), and why is it even necessary given that many OSes support at least one VPN protocol natively?


I am saying this attack works only because a client is installed on the device, and that client is malicious. If there was a standard client such as the OpenVPN client (open source) then this attack would not be possible. That is because the VPN provider would not have any means of using the user's device to send arbitrary network packets to any server to launch a DDoS.


Been a happy Mullvad.net customer for a while now, partially because it allows just grabbing a WireGuard or OpenVPN config, no client needed.


Nice findings. Firstly, thanks for looking into it and sharing. I wonder how they have a 3 million install base. Do you think there are some (unwitting) influencers, streamers etc. paid to promote this? 3 million is plenty, especially since there are a lot of heavily promoted VPNs out there bidding for installs.


Free VPN == click hijacking on affiliate networks. But botnets will work too.


Not only one website, but multiple websites to abuse and DDoS them


Maybe not DDoS, just pushing up view counts for money.


Isn't it scraping rather than DDoSing?


From the captures in the article, it doesn't look like it's sending the data back anywhere. It's mostly just that the endpoint they're hitting is computationally expensive (searches usually are), in an effort to bring the service down without having the raw traffic to actually jam the pipe on bandwidth alone.


No free lunch


Written by AI


All free VPNs are malware


Don't leave us hanging! Whodunit?


What do you mean? Swing VPN is a "free VPN" service that's actually operating a botnet. Swing VPN dunit.


Often, the VPN maker is different than the botnet provider.

https://scrapestack.com/faq: Residential ("premium") proxies provide IP addresses that are connected to real residential addresses and devices, which makes them much less likely to get blocked while scraping the web. We highly recommend using residential proxies for your web scraping needs as they make it easy to work around geo-blocked content and harvest data at scale.


I doubt somebody started or paid a VPN to strike Turkmenistan Airlines for shits and giggles. I suspect there is more to the story.


It's not clear it's DDoS, though it might be; as one commenter suggested, it might be ad revenue or so. Maybe they hit themselves? :D I bet we will never know.


Nobody starts a botnet to hit one target. Botnets are usually for hire. You find a vulnerability, establish as many C&C devices as you can, then advertise online that you have a botnet capable of XYZ, and you get contracts to hit particular endpoints.

In this example, Swing VPN is offering a "free VPN" service, but they actually pay for it with botnet contracts.


Right. I am interested in who would pay to strike Turkmenistan Airlines. It's a target with no apparent value.


Getting a target DDoS'd is cheap, especially if that target resides in a country with not that great digital infrastructure.

For twenty dollars you can take down an airline that lost your luggage and didn't bother trying to find it. It's childish behavior, but someone is petty enough. Store didn't honor their warranty? Pay five dollars and they'll lose more money in lost sales than their refusal would've cost them.

Sometimes it's not just petty criminals either. Extorting businesses with these types of attacks is all too common. "Pay us $x or your website will be down for months" is an easy threat to make, especially if you can take down a business for a fraction of their lost revenue. Attack twenty or more companies, wait for one of them to pay out and you've made yourself a huge chunk of cash.

There are all kinds of reasons to hire these botnets. Developing these botnets isn't very hard either, especially if you can sneak a trojan into a useful software library or hack someone else's library. You just have to think real scummy.


Eh, we don't really know what all the "Turkmenistan Airlines" website actually does. It's a government agency after all, and it could be used to hide all sorts of online activity for some other government agencies. It could also just be a test contract, or an internal botnet test, and OP just happened to catch that one.


DoS should be legalized IMO... If a company cannot mitigate a DoS or DDoS attack and stay profitable, it's their own fault. Their fault for not designing their software properly and their fault for accumulating too many enemies. Probably it would bring down the whole DNS system but it's about time we replaced it with something better and more decentralized anyway.

DDoS is just freedom of speech. Just some people have louder voices than others which is not a foreign concept to the rest of us. So long as the VPN (or whatever) operator mentions it in their terms of service (e.g. if they rely on user resources), it's fine IMO.

There needs to be an incentive for companies to implement good quality software and to not be evil (not to make enemies) and legalizing DDoS might help create such an incentive.


> DoS should be legalized IMO... If a company cannot mitigate a DoS or DDoS attack and stay profitable, it's their own fault. Their fault for not designing their software properly and their fault for accumulating too many enemies.

Getting DoS-ed is sufficient "punishment" for not being able to mitigate a DoS. "their fault for accumulating too many enemies" is dubious considering that one "enemy" is enough for a DoS and that the DoS-er might not actually have something personal against the target.

> DDoS is just freedom of speech. Just some people have louder voices than others which is not a foreign concept to the rest of us.

I wouldn't characterize a DoS-er as "the one with the louder voice". I hope you don't think doxxing and revenge porn should be legal too. Anyway, there's the saying "My right to swing my fist ends where your nose begins."


I see it differently and I have gained a different understanding of "My right to swing my fist ends where your nose begins."

I used to think like that but in reality, the way the world really works is that anyone can punch you in the nose if they really want to... Whether or not the assailant will be punished for that depends on who got punched and who did the punching.

Access to the justice system is asymmetrical. Big corporations or organizations are often not held liable for many of their 'crimes' on a per-infraction basis because their victims have a much weaker voice; they can basically do all the crimes they want and then, if they harm enough people and they get caught and there is a class action (a lot of IFs), they MAY pay a lump sum fine at the end.

I prefer the ancient Roman system where some crimes were forgiven based on context (e.g. retaliation was allowed). I think it would bring back the human element to the justice system. People should be allowed to take the law into their own hands provided that their cause can be morally justified in front of a random sample of citizens.


Relying on vigilantism as a system runs the risk of incorrectly assessing a person's wrongdoings, which may be disproportionately amplified by outrage or disregarded if the person is popular, and therefore runs the risk of not being able to provide justice at all.

Also, legalizing DDOS would simply enable protection racket type schemes (Mirai/Protraf Solutions) and affect small businesses without the ability to defend against them.


I agree that there would be new issues with such a system but I think it would be fairer and lead to more decentralization overall.

I think vigilantism would better allow human nature to shine through. E.g. you can talk and reason with an extortionist directly but you cannot do that with a corporation or other large organization.
