A VPN dissenter speaks out

Topic

New Reply

LANGALIST By Fred Langa A reader strongly disagrees with Fred’s recent recommendation about using virtual private networks (VPNs) to increase online s
[See the full post at: A VPN dissenter speaks out]

3 users thanked author for this post.

lmacri, abbodi86, MHCLV941

Reply | Quote

Replies

Around 2018 I was talking with a top tech at my firewall provider. He had helped me remove malware instrusion on one of my systems. I asked him his opinion about getting VPN. He said that a good VPN product was worthwhile except for one huge issue: NSA computers will pick up your system as using VPN and will pay attention to your system. That was one man’s opinion but a very knowledgeable guy.

Reply | Quote

I would agree that using a VPN does put a target on your back.

- Thinkpad P15s Gen1 20T4-002KUS, i7-10510U, UEFI/GPT, 16GB, Sammy 500GB M.2.
others...
- Mint Cinnamon 21 current, Win 10 22H2. WuMgr. HP laserjets M254dw & P1606dn, Epson 2480 scanner.

Reply | Quote

cmar6 wrote:

Around 2018 I was talking with a top tech at my firewall provider. He had helped me remove malware instrusion on one of my systems. I asked him his opinion about getting VPN. He said that a good VPN product was worthwhile except for one huge issue: NSA computers will pick up your system as using VPN and will pay attention to your system. That was one man’s opinion but a very knowledgeable guy.

It was pointed out to me that “If you’ve nothing wrong, you’ve nothing to fear” was great for stirring up fear and controversy but operationally irrelavent.   The real question is “what’s makes you think you’re worth our time or resources?”.

Perhaps using a VPN when there is no obvious reason, i.e., one is not a government critic in China, Iran or any number of other countries, begins to address that question in a way one would not particularly like.

Reply | Quote

I don’t know anything about VPNs other than what I read on Askwoody. I’m just repeating a casual comment made to me 3 years ago by someone I regard as very knowledgeable at a well known firewall provider.

Reply | Quote

MHCLV941: “Perhaps using a VPN when there is no obvious reason, i.e., one is not a government critic in China, Iran or any number of other countries, begins to address that question in a way one would not particularly like.”

Another reason is why I am required to use VPN to connect *directly* to the network of the NASA Center where I telecommute: to access securely, from my home office or some other approved location, government and business computer networks.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

Reply | Quote

VPNs may help some people in some cases.

With all this talk about security, how much attention is given to “the cloud”, which simply means giving all your info to somebody else and thinking that somehow it is safer there?

- Thinkpad P15s Gen1 20T4-002KUS, i7-10510U, UEFI/GPT, 16GB, Sammy 500GB M.2.
others...
- Mint Cinnamon 21 current, Win 10 22H2. WuMgr. HP laserjets M254dw & P1606dn, Epson 2480 scanner.

Reply | Quote

The main issue is your thought experiment.  You overstate the problems the hacker would face for the simple reason that the destination servers of all those packets can figure out much of what you say the hacker cannot, but if they can, so can he/she/it.   Also, you state “hypothetical data snoop is now faced with a torrent of encrypted, undecipherable, outbound data packets”.  True, but you ignore the fact that it’s directional: the hacker has full access to INBOUND packets as well because those servers send data back to the VPN terminal (you do eventually want a response, don’t you?).  Yes, a lot of information is obscured, but the analysis of what is effectively randomized data can reveal a lot of information.

Second issue: “working around online geographic restrictions” is irrelevant to the vast majority of people as are the matters of “hiding the authorship, origin, and/or destination of your data packets”.    Without argument, for some people these are real and valid considerations but they are not reasons why everyone needs a VPN.  “VPN good, no VPN dumb”

The point is not that “halfway” VPNs, i.e., ones that are not fully endpoint to endpoint, are bad or useless, but that they are being hyped beyond all reason for very little benefit to most who write the checks but of great benefit to those who cash the checks.

2 users thanked author for this post.

oldfry, OscarCP

Reply | Quote

To add some wood to the fire:

https://www.techradar.com/news/vpn-usage-is-proving-a-security-liability-for-many-businesses

https://www.quora.com/How-do-VPN-providers-protect-themselves-against-liabilities-of-their-subscribers-actions

https://gist.github.com/joepie91/5a9909939e6ce7d09e29 (Reasons for maybe not to use VPN.)

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

2 users thanked author for this post.

DrBonzo, MHCLV941

Reply | Quote

yup. Good catch!

- Thinkpad P15s Gen1 20T4-002KUS, i7-10510U, UEFI/GPT, 16GB, Sammy 500GB M.2.
others...
- Mint Cinnamon 21 current, Win 10 22H2. WuMgr. HP laserjets M254dw & P1606dn, Epson 2480 scanner.

Reply | Quote

Since I’m not a paid subscriber, I haven’t seen Fred’s article, so I can only guess at the content, based on follow-up posts.  However, Oscar’s link to https://gist.github.com/joepie91/5a9909939e6ce7d09e29 does a good job of articulating my sentiments.

A problem with VPN is that there’s too much popular (mis-)understanding is that “VPN will magically make you secure”, especially among non-technical users that are using third-party VPNs for general-purpose use.  I fully get the point of VPN for connecting to a corporate server, but for everything else, I generally advise users not to bother with a VPN unless/until they understand VPN well enough to know what they expect it to do, what the trade-offs are, and how a specific VPN provider will address those issues.

I think that it’s especially useful that the article posted by joepie91 emphasizes that VPN is a glorified proxy. Given that:

• VPN for location shifting can work, but many sites closely track that kind of activity and will block access to IP blocks that are known/suspected to belong to VPNs.
• As noted in another AskWoody discussion this week, VPN usage can be disruptive for sites that have extensive identity management systems, including AskWoody. If you follow the advice of the activists that insist on “use VPN for everything”, you are potentially locking yourself out of portions of the Internet, and if that includes your financial institution, you may have to accept disabling your VPN in order to gain necessary access.
• For people who are concerned about identity and location, proxying doesn’t change the capacity of tracking your activities, it merely changes who can see that activity.  Thus, it’s essential to have a trustworthy provider, but it’s pretty difficult to truly assess “trustworthy”, if all you have to go on is the provider’s marketing literature.
• Even if VPN may encrypt the content of your data, that doesn’t provide end-to-end encryption, only the link between you and the provider’s servers.  And even then, the provider can’t encrypt metadata, which may be even more revealing than the data itself.

At the consumer level, “free” VPN is probably more dangerous than no VPN.  For “free”, it’s important to ask what the provider is getting for something that they don’t charge the user for, and most often, the answer is provider access to your data, in some form.  That could be as simple as being able to inject ads inside the VPN connection, but in some cases, the provider’s motivation may be driven by having unfettered access to data that somebody considers to be sensitive.

There *might* be an exception on “free” for a handful of providers that offer limited, unpaid tiers of service (and don’t rely on advertising revenues), as a way of promoting upgrades to to paid tiers.

Reply | Quote

A kind reminder, a mere donation of a minimum of $1 gets you the full newsletter.  You are missing out on some really good content from Fred and others.

Susan Bradley Patch Lady/Prudent patcher

1 user thanked author for this post.

MHCLV941

Reply | Quote

OscarCP wrote:

To add some wood to the fire:

https://www.techradar.com/news/vpn-usage-is-proving-a-security-liability-for-many-businesses

https://www.quora.com/How-do-VPN-providers-protect-themselves-against-liabilities-of-their-subscribers-actions

https://gist.github.com/joepie91/5a9909939e6ce7d09e29 (Reasons for maybe not to use VPN.)

YEAH!  More wood on the fire!!

The first article goes to the heart of the matter for the value, or lack thereof, of “part-way VPNs”, i.e., one that is not end-to-end from the user’s PC to the corporate firewall.  Why indeed would a business use one and then be surprised when security wasn’t all they hoped it would be?

The second article makes it clear that no everyone is in the lemming march to VPN nirvana.

The third article is the perfect op-ed to Fred’s, though Fred is the better writer.

Reply | Quote

OscarCP wrote:

Another reason is why I am required to use VPN to connect *directly* to the network of the NASA Center where I telecommute: to access securely, from my home office or some other approved location, government and business computer networks.

At least as far as I am concerned, this discussion is about third-party VPNs (personally, I call them “part-way VPNs).   If I understand you correctly, the VPN you use for work is end-to-end, from your computer to a server or firewall on the agency’s network.   End-to-end VPNs make perfect sense to me.

Reply | Quote

MHCLV941: Thanks for clarifying this point. Yes, that is precisely how the VPN connection between my home office and the NASA center works. Accessing the network also requires two-factor authentication (with a PIN that I am also required to enter at several stages when the VPN connection is being established, as well as when logging in to the NASA-loaned computer I am using). The computer I use is not my own, but one provided by NASA, loaned to me with the VPN client already configured. I imagine this is how VPN is used to connect securely from a home office and other approved locations to government and other organizations. By the way: I am also obliged to take and pass an IT Security course and other courses on how to handle PPI, SBU and CUI, on Export regulations (sending abroad details of certain of one’s great discoveries, their supporting NASA data and documents, or one’s genius ideas, should one make, or have any), the feeding and care of NASA loaned equipment (such as the computer I use to telecommute) and more, every year. It sucks, but that’s how it’s done.

Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

1 user thanked author for this post.

MHCLV941

Reply | Quote

OscarCP wrote:

By the way: I am also obliged to take and pass an IT Security course and other courses on how to handle PPI, SBU and CUI, on Export regulations (sending abroad details of certain of one’s great discoveries, their supporting NASA data and documents, or one’s genius ideas, should one make, or have any), the feeding and care of NASA loaned equipment (such as the computer I use to telecommute) and more, every year. It sucks, but that’s how it’s done.

To be honest, I’m happy to see my tax dollars at work, much as all that annual training (which I bet is largely unchanged from year to year) becomes mind-numbingly boring.

Reply | Quote

I use https://Everywhere extension in Firefox (along with a few others, as well).  HTTPS is end-to-end encryption.  From some of the replies in this thread, it would appear that a few folks aren’t familiar with TCP/IP Stacks and ATM Architecture/Protocol, or just how fragmented packets can get and the multiple routes individual packets take until they reach the requested URL.

VPN’s don’t necessarily add any security, and has been pointed out, there is no way of checking on the truthfulness of any claims that are being made by the various VPN’s.

For me, https://Everywhere and a router firewall that hides my LAN from the internet are all the security I need.  Knowing my IP address won’t get you access to my LAN.

Always create a fresh drive image before making system changes/Windows updates; you may need to start over!

We were all once "Average Users". We all have our own reasons for doing the things that we do with our systems, we don't need anyone's approval, and we don't all have to do the same things.

Computer Specs

1 user thanked author for this post.

MHCLV941

Reply | Quote

bbearren wrote:

From some of the replies in this thread, it would appear that a few folks aren’t familiar with TCP/IP Stacks and ATM Architecture/Protocol, or just how fragmented packets can get and the multiple routes individual packets take until they reach the requested URL.

How does that affect the usefulness or otherwise of a VPN?

Windows 11 Pro version 22H2 build 22621.2361 + Microsoft 365 + Edge

Reply | Quote

This is very illuminating.  I have been using Express VPN on my home desktop thinking that it was so very valuable.  After checking up even VPN services are saying it is not necessary on a home computer (Norton).  And actually I had to disengage it when doing on-line banking as it made it necessary to validate my log-on.

Also, I have had an annoying problem of my Mac losing internet connection when put to sleep.  I tried numerous fixes and it seems that if I turn off the VPN before putting the Mac to sleep that this does not happen.  (I can’t totally state that this is the fix because I will have to keep testing).

For now I am keeping the VPN turned off and will make a decision whether to renew next year or not.  I might want to keep it around “just in case”.

Reply | Quote

I know I’m a bit late to the discussion – but what the heck.

Many, many years ago when discussion(s) like these first appeared I looked at VPNs.

What struck me back then – and this aspect of “privacy” I have not seen mentioned here – and still strikes me is that I remember clearly that ALL US of A based companies back then said that “naturally” they would disclose all their log files and all the data of any customer to “the US authorities” if that would be requested of them.

Back then for me was VERY clear that I would never entrust anything to
a: Companies based in the US
b: A company from a third country with office(s) in the US
c: A company with ANY kind of logging

Back then I did not find any company fitting these points.

AFAIK that situation has not changed. If it has changed in any way please correct me.

IMHO the only safe location for critical information is ON ME, WITH ME and stored on a medium that only I have access to.

Reply | Quote

b wrote:

bbearren wrote:

From some of the replies in this thread, it would appear that a few folks aren’t familiar with TCP/IP Stacks and ATM Architecture/Protocol, or just how fragmented packets can get and the multiple routes individual packets take until they reach the requested URL.

How does that affect the usefulness or otherwise of a VPN?

Regardless of however much packets get sliced, diced, frikfricasseed, fragmented, bit, broken or other mushed, the IP addresses at the VPN’s public endpoint and the IP address of the packet’s destination are visible and necessarily not encrypted at the public endpoint of the VPN.  Were it otherwise, the packets would never get where they were going.

Actually, since the “part-way” VPN effectively herds all those rambunctious packets into a single stream when they emerge from it,  rounding them up is probably actually easier than it would otherwise be.

 

1 user thanked author for this post.

OscarCP

Reply | Quote

bbearren wrote:

I use https://Everywhere extension in Firefox (along with a few others, as well).  HTTPS is end-to-end encryption.  From some of the replies in this thread, it would appear that a few folks aren’t familiar with TCP/IP Stacks and ATM Architecture/Protocol, or just how fragmented packets can get and the multiple routes individual packets take until they reach the requested URL.

VPN’s don’t necessarily add any security, and has been pointed out, there is no way of checking on the truthfulness of any claims that are being made by the various VPN’s.

For me, https://Everywhere and a router firewall that hides my LAN from the internet are all the security I need.  Knowing my IP address won’t get you access to my LAN.

It seems the VPN business is built on convincing people that they have to be able to watch NetFlix from the “wrong” zone, hiding from the government (though, ironically, using a “part-way” VPN may attract the very attention one is trying to avoid) and otherwise behaving like a cat covering its duty in a cat box.

Reply | Quote

WSeikelein wrote:

AFAIK that situation has not changed. If it has changed in any way please correct me

Yes, it has changed. Many VPN service are in countries not part of 14Eyes, keep no logs…

Reply | Quote

Thank you!
I have for years not followed up about VPNs.

Reading on Proton’s web site was VERY interesting.

Again, many THANKS!

Reply | Quote