[HN Gopher] UFO VPN claims zero-logs policy, leaks 20M user logs
___________________________________________________________________
UFO VPN claims zero-logs policy, leaks 20M user logs

Author : DyslexicAtheist
Score  : 88 points
Date   : 2020-07-17 21:40 UTC (1 hours ago)

(HTM) web link (www.comparitech.com)
(TXT) w3m dump (www.comparitech.com)

| novok wrote:
| I've come to the sad realization if you want anything approaching
| no logs, you're going to have to use something slow like tor, or
| you're going to have to do the illegal thing and make a botnet.
|
| VPNs are only useful for avoiding ISP / local network
| surveillance like comcast, your workplace, your school, airports,
| etc and to avoid DMCA scare letters. Making your own with a VPS
| is worse, since VPSs log on some level and directly forward the
| DMCA scare letters to you.
| StanislavPetrov wrote:
| They are also very useful for circumnavigating geolocation
| restrictions.
| solarkraft wrote:
| What about chaining VPNs? Even at 2 they'd have to cooperate to
| unmask your traffic, right?
|
| Somewhere in the back of my mind is stored that minimaxir does
| this, but I couldn't confirm it with a quick search.
| grensley wrote:
| I wouldn't trust any VPN under China's sphere of influence.
| hangonhn wrote:
| That's actually not an entirely crazy idea if you're trying to
| hide from Western governments. Are you more worried about the
| Chinese government coming after you? Likewise, if someone in
| China is trying to hide from the Chinese government, it might
| not be a bad idea to use a USA-based VPN. Maybe string up a
| bunch of VPNs in regions that are at least somewhat hostile to
| each other and it might be too hard to track an IP back to its
| source. I guess trust no government and use their hostility
| towards each other to your advantage? Just an idea prompted by
| your comment.
| messe wrote:
| Exactly. One really needs to consider their threat model when
| deciding on a VPN provider.
| A perfect system isn't always possible.
| grensley wrote:
| Yeah, it's like banking. You want it to be in a neutral
| country whose government has come to a clear understanding
| with the industry.
| maerF0x0 wrote:
| > That's actually not an entirely crazy idea if...
|
| Except that it gives them a direct avenue into your network
| for their own surveillance and other network attacks ... If
| you think comcast injecting their own JS into http pages is
| bad, wait till you see what the dark army CPC could do with such
| power...
| notyourwork wrote:
| The old saying trust but verify always seems to come up.
| Companies claim x and we find it to be untrue. They apologize,
| share a statement they will do better and the cycle continues. Is
| anyone else tired of the tomfoolery?
| tremon wrote:
| Do you have a suggestion on how to verify the claims of a
| company you only interact with over the Internet?
|
| (edit: not that I disagree with you, I honestly don't see a
| practical way to do that. It's not like security seals have
| proven their worth in pixels either)
| Enginerrrd wrote:
| The sensible thing to do is to assume a cynical mind.
| Unfortunately, with stuff like this, you'll probably be more
| often right than wrong, though you may never find out.
| tintor wrote:
| Solution is "credit score"-like system evaluating companies,
| and keeping track of incidents like these.
| triceratops wrote:
| @dang: can the title be changed to "UFO VPN claims zero-logs
| policy, leaks 20M user logs". So users don't have to click
| through to the story to find out which firm?
| dang wrote:
| Ok done.
|
| Edit: I also changed the URL from
| https://www.hackread.com/vpn-firm-zero-logs-policy-leaks-20-...
| to what seems to be the original source.
| triceratops wrote:
| Thanks!
| strombofulous wrote:
| Can the title be updated to include the name of the "firm"
| (article says "Hong Kong-based VPN provider called UFO VPN")?
|
| @dang
| solarkraft wrote:
| VPN providers are something you should have especially high
| standards for. They are largely unregulated, can see all of your
| metadata and have an economic incentive to sell it (IIRC some
| big player has been caught doing that).
|
| If a provider shows even the slightest amount of fishiness,
| instantly discard them (NordVPN immediately comes to mind, with
| their weird influencer marketing campaign).
| orliesaurus wrote:
| What's the most trustworthy VPN that HN users recommend? My 3
| year subscription to my local one is about to run out! Looking
| for advice on what is trusted nowadays!
| netsec_burn wrote:
| SwissVPN. Without going into detail, I'm aware how they respond
| to all kinds of information requests due to my previous type of
| work. That earned my business.
| icelancer wrote:
| Cryptostorm is up there, but I'll back ProtonVPN as well.
| gentleman11 wrote:
| I generally trust Mozilla/Firefox and they just released a VPN.
| It is nice to be able to outsource my VPN research to them as
| well, since there aren't many orgs I trust like that. It works
| well so far.
| kd913 wrote:
| The most trustworthy is one which you set up yourself imho.
|
| I am giving each of my family in various locations a raspberry
| pi 4b with wireguard setup.
|
| They are aware of/benefit from this cross country VPN thing
| too.
| hoytschermerhrn wrote:
| Piggybacking on this, can anyone comment on Mozilla's new VPN
| service?
| nullc wrote:
| No such thing. You would be better off renting an inexpensive
| VPS and running your own VPN on it.
|
| Public VPN services have to be one of the greatest lemon
| markets to have ever existed:
|
| You want people's private data? People will _pay_ you to give
| it to them. Go ahead and sell the service for less than it
| costs due to the boatloads of data that you get.
|
| People realize this, so you end up getting a disproportionate
| number of customers that don't worry about you getting their
| data because they're only using the service to behave
| abusively... which drives up costs.
|
| So an honest provider has to deal with dishonest competition
| selling below cost and a customer base that is saturated with
| problem customers because good customers are savvy enough to
| avoid VPNs.
| gruez wrote:
| >You want people's private data? People will pay you to give
| it to them. Go ahead and sell the service for less than it
| costs due to the boatloads of data that you get.
|
| The amount of "private data" as a VPN operator isn't a lot.
| Most sites nowadays are https, so at best you're getting
| browsing habits on a per-site basis. On the other hand, using
| a commercial VPN does confer advantages in some cases:
|
| * geo restrictions: commercial vpn have servers in multiple
| countries, so you can easily switch to one that works. you
| can achieve the same with cloud servers, but you'll have to
| manually spin them up/down, which isn't convenient
|
| * anonymity: commercial vpns usually have dozens/hundreds of
| users on one server. You can also switch servers/regions to
| increase your anonymity set further. This is a much bigger
| anonymity set than your own private server, which is linked
| solely to you.
|
| * bandwidth: if you're a heavy traffic user, you'll probably
| end up paying more. most cloud providers only give you around
| 0.5TB for a cheap server (within the price of a vpn
| subscription)
|
| * DMCA/abuse: they handle the DMCA/abuse letters for you.
| With a self hosted server you'll have to at the very least
| respond to the ticket they sent otherwise they'll take down
| your server.
| SAI_Peregrinus wrote:
| Running your own VPN provides no privacy, since you're the
| only user.
|
| Of course other VPNs don't provide privacy either.
| The belief that they do is due to marketing, and
| misunderstanding what the "Private" part of VPN means: it means
| that two non-publicly routable IP networks (10/8, 172.16/12,
| 192.168/16) are virtually joined into one network. VPN companies
| took advantage of this (and that the connection is usually
| encrypted) to imply that they offer a privacy product.
|
| The main use of a commercial VPN is to bypass region locks
| and other legal controls that depend on location. Pick a VPN
| provider (or VPS host) in a jurisdiction that won't cooperate
| with your home law enforcement. Assume the VPN provider spies
| on all your traffic.
| mindslight wrote:
| Your proposed alternative does not address the threat model
| that most people have when looking for a "VPN".
| nullc wrote:
| The threat model you're referring to is, I assume, mostly
| DMCA warnings. (As in: You want your service to not get
| disconnected in response to them)
|
| It does address it, when you factor in an appropriate
| choice of non-US VPS provider.
| mindslight wrote:
| Not just DMCA warnings, but full extortionary lawsuits.
| From what I can tell, these exist in most countries.
| Jurisdiction hopping won't let you avoid a determined
| attacker.
|
| Common VPS providers generally insist on recording your
| identity, probably with government ID, to limit abuse
| that would otherwise fall onto them. Whereas VPN
| providers have already made the choice to weather mild
| abuse complaints.
|
| I have looked into bulletproof VPS providers. They're
| drastic overkill, expensive, and getting in bed with the
| wrong sorts of people.
| rthomas6 wrote:
| How does that help? If you're the only one with traffic from
| that IP, how does that give any privacy? Especially if you
| pay with something tied to your identity. And why does a VPS
| have any less likelihood of logging your traffic?
| rmrfrmrf wrote:
| it's good for things like public wifi and other untrusted
| networks since your data is encrypted from your machine to
| the vpn server
| nullc wrote:
| > Especially if you pay with something tied to your
| identity.
|
| Then don't do that.
|
| Though VPNs are not really a strong solution for hiding your
| identity period. Tor is a more effective tool, but hiding
| your identity is extremely difficult to do effectively.
|
| > And why does a VPS have any less likelihood of logging
| your traffic?
|
| They may be too but at least you should expect their
| business to be viable without doing that, which is better
| than you can say for VPN services.
| cbsks wrote:
| I have been using Mullvad for the last few years:
| https://mullvad.net/en/
|
| I don't have much to base it on but they seem trustworthy, and
| I've seen them recommended here before.
| elliekelly wrote:
| I also use Mullvad and I pay by sending an anonymous envelope
| of cash to Sweden with a random number scribbled on a bit of
| paper. So far all of the cash I've sent has been added to my
| accounts. There's obviously no way to know whether they
| follow through on their no-log claim but my sense is they're
| pretty trustworthy. At the very least the person who opens
| their mail is.
| obenn wrote:
| Commercially I'd say ProtonVPN or PrivateInternetAccess.
|
| Best is to make your own, check out
| https://github.com/StreisandEffect/streisand for an easy way to
| set that up.
| nullc wrote:
| I would never do business with Private Internet Access.
|
| https://news.ycombinator.com/item?id=21584958
|
| (you can google to find more-- this was just a quick result)
| gentleman11 wrote:
| Despite this, they claim to be working on a way to verify
| their privacy claims. I don't understand how, but if they
| succeed it will be noteworthy and might redeem them a fair
| bit
| Hamuko wrote:
| For a VPN provider to actually be trustworthy, you'd have to be
| able to verify their policies.
| But that's impossible, so VPN providers just fall into "might be
| doing bad things" and "confirmed to be doing bad things".
| RandomBacon wrote:
| Mullvad, ProtonVPN, and IVPN are recommended by
| https://www.privacytools.io/providers/vpn/
|
| PrivateInternetAccess has fought and won in US court, but
| they're also US-based.
|
| (I use Mullvad.)
| solarkraft wrote:
| I personally trust Mullvad because of their generally good
| reputation (built through independent audits), super clean user
| interface and very fair pricing (5EUR/month flat fee, no crazy
| long-term contracts).
|
| Mullvad is also the provider Mozilla is using for their new VPN
| service (with fewer features).
| nilssonanders wrote:
| I second Mullvad also. They don't even have usernames, emails
| or passwords. All you use to log in is a random number for your
| account. Can't get much more anonymous than that. And they
| financially sponsor wireguard, have a bunch of wireguard
| servers. Can't recommend them enough.
| ornxka wrote:
| I don't know why anybody ever cared about logging policies. How
| would you even know if they keep logs or don't, or what they do
| with them if they do?
| jliptzin wrote:
| You can't possibly know. You have to just assume all VPN
| companies are logging your activity indefinitely regardless of
| what they say. Though I suppose you'd rather go with a VPN
| company that claims it doesn't do any logging, over one that
| says it does.
| hdjrkrmfkt wrote:
| Can you chain two VPNs?
| SAI_Peregrinus wrote:
| According to The Register, UFO VPN is just white-labeling a
| parent service[1]. The full list of compromised providers is thus
| UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN,
| and Rabbit VPN.
|
| [1] https://www.theregister.com/2020/07/17/ufo_vpn_database/
| [deleted]
| thecleaner wrote:
| I think that at this point it is far easier to just set up a socks
| proxy with a cloud based machine than to research which firms
| have shady practices and which don't. I went into a wormhole over
| NordVPN vs PIA vs ProtonVpn and then just went with a proxy
| server. Costs peanuts with the cloud compute ecosystem.
| gruez wrote:
| >then just went with a proxy server. Costs peanuts with the
| cloud compute ecosystem.
|
| The problem with personally operated VPN servers is that all
| the traffic ties back to a single user: you. This is fine if
| you're on a malicious network and need secure exit node for
| your data, but for anonymity (eg. ad tracking, DMCA) it's
| objectively worse.
| jijji wrote:
| if you want a vpn ur better off running squid on a $5/month vps
| box, less likely this kind of nonsense happens
___________________________________________________________________
(page generated 2020-07-17 23:00 UTC)