Have you ever wondered if VPNs… Really do much for your privacy and security? You see I’ve been using VPNs for a long time. Mostly to hide my IP address from the ISP so they wouldn't send my parents angry letters about my internet usage. Sometimes I’d sign into sketchy Wi-Fi and wanted to double wrap. Circumventing geoblocks and censorship when traveling also came in handy. But something always felt fishy about VPNs, since instead of trusting the ISP that you do know, you decide to trust some guys in Europe and an ISP that you don’t know. I decided to check out what the VPN providers themselves were saying about this stuff. “Malicious websites could infect your devices with malware, unless you use…” “VPN apps keep your activity and identity private while you browse, stream, email, or download. Protect all of your devices with just one click. Yep, Internet security is that easy!” I guess Internet hacking is also that easy. Selling online security and privacy as being all about VPNs is like telling people health and well-being is all about face masks which sounded a little bit like snake oil to me, so I decided to take a look at the history of snake oil. And what I learned was actually kind of interesting. A long time ago, Chinese immigrants moved to San Francisco to build the railroads of America and brought with them snake oil from the Chinese water snake as an ancient traditional medicine to treat arthritis and joint pains, since it contains 20% EPA, a type of omega-3 fatty acid known for its anti-inflammatory properties. Cowboy entrepreneur Clark Stanley started hawking it as a cure-all that turned out to be beef fat, chili peppers, camphor and turpentine. Stanley got slapped with a symbolic fine of $20 by the government, leaving him a wealthy man and spawning an industry of other products, and salesmen just like him You see, the problem with VPNs is that just like snake oil, it's fantastic in its original form and function which is to bridge two remote sites together, or allow an individual to securely connect to a different network. The whole point is to tunnel your Internet from a network of lower trust to a network of higher trust. A corporate VPN, for instance. It’s kind of like entering a wormhole to get from Point A to Point B, bypassing everything in between. But things start to get dicey if you’re going from a high to low trust, low to low trust, or an “I don’t know” level of trust. And right now, it feels like a lot of fear mongering in this industry. We got everyday folks convinced VPNs are what they need to keep themselves private and secure, but in reality they’re just paying for slower speeds, time spent training machine learning algorithms, and being lumped in with all the spammers and hackers abusing these services. Sometimes you just have to remind people that most of their web browsing is already encrypted without a VPN and securing your DNS traffic in Firefox or Chrome is literally just a click. I pulled Alexa’s top million websites and wrote a script checking for HTTPS support and found that most of the first 90 thousand did. At this range, we're looking at sites like qtellfreedownloadtrader dot com, which I’m sure we all visit everyday. Worst of all is when companies want you to install their custom VPN client, forward your DNS over to be “leak-proof”, and even install their certificate authority on your device, which is like charging people so you can man-in-the-middle them. But at the same time, isn’t there some value in masking your IP address when surfing the Internet? We need to dig deeper. When your computer talks to a server, it sends packets tagged with a source and destination IP. These traverse the local network and a series of ISPs to reach the final destination. Anything logging traffic in between can see your source IP address, which can get geolocated to within a few zip codes away from your home. Your IP is probably shared by hundreds of other people and rotates regularly, so it’s only an approximate location, not where you sleep at night. With a VPN tunnel, the original packet gets encrypted and wrapped in another IP header with the VPN server as the destination. The server will unwrap the packet and forward it through its own ISP, using its own IP address as the source. Devices sitting before the VPN server can see your source IP, but not the destination. Devices sitting after can see the destination but not the source. The zones of visibility in the network path are now partitioned. Or are they? Say hi to Elliott. Elliot wants to save the world by being a hacktivist. He uses a VPN to mask his IP address but doesn’t factor in all this other stuff. Instead of disappearing, Elliot leaves a blazing trail for the Feds to follow. Elliott goes to jail. The end. Here’s the deal. Focusing on just the IP header is focusing on just the tip of the iceberg. When you look at a network packet, there’s metadata present across all layers of the OSI model. Depending on the vantage point of an observer in your network path, there’s different visibility levels into your packet. Every piece of software you install, whether an app or plugin can potentially be malicious, surveilling your data and activity before it even leaves the device. On the local network, there’s Layer 2 addressing information that lets tech companies identify your location without an IP address through WiFi or Bluetooth positioning. Looking at proximity and signal strength to nearby devices with known geolocations like your friend’s phone, smartwatch, or wireless access point can help pinpoint your device too. The local ISP probably knows you’re using a VPN based on the IP header alone. Since just like Tor exit nodes, there’s a fixed number of VPN addresses out there to track on a watchlist. The VPN company and their ISP are privileged to see the real packet’s metadata, and can fingerprint your device type with the IP, TCP, and TLS headers. VPNs may claim to “not log” this stuff but you can bet that the cloud providers and ISPs servicing them are. There’s probably also a money trail out there leading back to you, even with Bitcoin. Now the server you’re going to; they can easily tell you’re on a VPN, since the MTU size, or max transmissible unit on the packet is going to be smaller than usual, since we’re tunneling one packet inside of another. @ValdikSS even has code on his GitHub page that can fingerprint the type of VPN you might be using, and runs a proof-of-concept on his website. Watchlists and this kind of fingerprinting help sites like banks flag any VPN connections and deny you service. But there’s also juicer ways to track you. I looked at payment company Zelle, owned by another company that’s owned by 7 major banks, to see which tracking methods were listed on their privacy policy. Besides the usual suspects like Google Analytics, cookies, or social media plugins, there’s also ETags, HTML5 local storage, single pixel web beacons, Javascript, and device tokens provided from your smartphone, All these identifiers get rolled into fingerprinting graphs designed to tie multiple IPs, accounts, and devices back to a single user for tracking purposes. Advanced actors occupying multiple vantage points on a network path can correlate traffic patterns together just like pieces of a puzzle. If you’re at Starbucks using their WiFi, Google’s registering your hardware address, location, timestamp, true IP, Google accounts and services, then correlating that with your Internet usage. And if you’re the government, you can just buy or ask for that data. This video is sponsored by BadVPNs. Forget five-eyes, nine-eyes, fourteen-eyes. They’re registered in all of the countries so no one feels left out. They protect your traffic with BES-256, a military-inspired encryption that safeguards all the keys so you don’t have to. Selling your data to telemetry partners lets them offer the low price of $2/mo. Pay now with Dogecoin and you’ll receive a 3% discount. Sign-up now at BadVPNs.com. But seriously. Let’s look at the story of a Swiss company called Crypto AG. Crypto was founded in the 1950s by Boris Hagelin, who invented portable encryption devices for the United States in World War 2. He became close friends with William Friedman NSA’s chief cryptologist and formed a plan to end the Dark Age of American cryptology. Later on, the CIA and German intelligence secretly purchased the company in a joint venture called “Rubicon,” selling Crypto devices to over 120 governments throughout the world. They architected the ownership through a series of shell companies using bearer shares so that no names appeared in registration documents, This was all made possible through professional firms like DTG, now known as KPMG, or the law offices of Marxer and Goop, now Marxer and Partners, who were all paid to sign the deals and keep quiet. They’d also operate through cover companies like Intercom Associates or private partnerships with Siemens and Motorola to influence Crypto’s algorithms. The operation at one point, accounted for nearly 40 percent of NSA's data take, generating millions in profits, split 50-50 cash in a parking garage to plow into other operations. Intel from Crypto devices helped the US in everything from the Iranian Hostage Crisis Falkland Islands War, and Presidential negotiations. But Crypto was just one target. These guys owned or influenced everyone else too, as long as they worked on encryption gear. This firm was clean but got targeted with smear campaigns because they stayed independent. What’s interesting about Rubicon is that a lot of other countries were all in on the secret. They went after almost anyone, including NATO partners like Spain, Greece, Turkey. Friendly countries like Japan, South Korea... Even Mexico? And of course Israel always gets the inside scoop. Leave it to the Germans to not spy on their friends. You see the nature of VPNs makes it the perfect asset for intelligence agencies. If I had to spy on people, I’d just set up a few dozen competing VPN companies registered in various offshore jurisdictions with hidden ownership, then push it as a security and privacy tool for the mass market to adopt. It’s perfect, since instead of having to collect all over the world, people will pay for the honor of shipping their data to you. Or you can just hack any legitimate VPN servers directly and save on the marketing budget. Since VPN companies will often rent or white label their infrastructure to multiple other brands, hacking the servers has a pretty good payoff. VPNpro tells us that over 100 products out there are owned by just 23 parent companies, with 6 of them in places like China. But wait, why trust VPNpro? Aren’t they just another review site? Like why is it 9.4 versus 9.3 stars? Is there really a difference
in that tenth of a star? How do you know they’re not just promoting some products while smearing others as part of a complex spy operation? If you look at That One Privacy Guy’s VPN chart, which unlike most review sites, is actually kind of independent and doesn’t use silly terms like “military-grade” crypto, you’ll see this boom in VPN companies post-Snowden around the 2013 era. In the spirit of custom scores, only 1 out of a hundred eighty-five providers get over 9 stars on my red to green color scale. So now you might be wondering: “What are the use cases where a VPN makes sense? Should I even try to mask my IP address? How do I not get spied on doing this?" Before you can answer these kind of questions first you want to figure out what your threat model is. Is it cyber criminals? Big tech companies? Your government? Developing the right threat model can help tailor your level of paranoia accordingly so it’s not over or underweight. For most people, practicing digital hygiene and cleaning up your online identity isn’t that complicated. Use a unique password for every site. Use a unique email for every site. Use hardware security tokens for two-factor authentication. Use random answers for recovery questions. Go through all of your settings on your accounts. Sanitize your social media. Use virtual machines and multiple phones for different kinds of activities. Don’t click links or scan QR codes without analyzing them first. Set up a commercial address so you don’t receive mail at home. Keep apps to a minimum and avoid pirated software. Use a host-based firewall to alert on outbound connections that you manually need to verify for every app. If you’re traveling and tempted by public Wi-Fi, just bring your own Internet through a portable hotspot or by tethering off your phone. None of these options involve using a VPN, yet do far more for your security and privacy overall. Now, don’t get me wrong, but there are cases where you probably should mask your IP address. Circumventing IP blocks to watch Netflix, getting around national firewalls, bypassing download limits, performing offensive security assessments, conducting OSINT and research. Maybe you just want to keep your home IP address out of breach dumps for people to collect and target you specifically. In these cases, I strongly recommend renting a cloud VPS and just do it yourself, whether it’s Wireguard, ShadowSocks, a web proxy, or even good old SSH tunneling. This way you understand the technology a bit more and now use a wormhole that you created, and can personally control some of the infrastructure of the exit node. But wait. Remember that one out of a hundred eighty-five? The team behind that provider does seem a bit more trustworthy than the others. I’m not going to say who, but I will share some things to consider if you don’t want to set up a VPN yourself. Here’s how you find a good VPN, and that’s two things: humanity and reputation. Humanity means knowing the people who actually own and operate a service. You can reach out and they’ll talk to you. The more shell companies, anonymity, and third-parties involved, the less humane it becomes. When things go wrong, it’s easy to opt out of being accountable. Reputation takes years to build and a moment to lose. If a provider’s brand new, it’s hard to imagine they’ve put in enough work to build it up. You want people who are honest about their mistakes, communicate early and often, and take action to fix things, even if it means massive self-sacrifice just when it’s really inconvenient to do so. You want people who have skin-in-the-game, personally using their own products so there’s incentive to protect and make it better, with something valuable at stake. If there’s enough humanity and reputation to trust them with your mother’s purse. Then maybe, just maybe… you’ve found a good VPN.
