[HN Gopher] UFO VPN claims zero-logs policy, leaks 20M user logs
       ___________________________________________________________________
        
       UFO VPN claims zero-logs policy, leaks 20M user logs
        
       Author : DyslexicAtheist
       Score  : 88 points
       Date   : 2020-07-17 21:40 UTC (1 hours ago)
        
        
       | novok wrote:
       | I've come to the sad realization that if you want anything
       | approaching no logs, you're going to have to use something slow
       | like Tor, or you're going to have to do the illegal thing and
       | make a botnet.
       | 
       | VPNs are only useful for avoiding ISP / local network
       | surveillance like comcast, your workplace, your school, airports,
       | etc. and to avoid DMCA scare letters. Making your own with a VPS
       | is worse, since VPSs log on some level and directly forward the
       | DMCA scare letters to you.
        
         | StanislavPetrov wrote:
         | They are also very useful for circumnavigating geolocation
         | restrictions.
        
         | solarkraft wrote:
         | What about chaining VPNs? Even at 2 they'd have to cooperate to
         | unmask your traffic, right?
         | 
         | Somewhere in the back of my mind is stored that minimaxir does
         | this, but I couldn't confirm it with a quick search.
        
       | grensley wrote:
       | I wouldn't trust any VPN under China's sphere of influence.
        
         | hangonhn wrote:
         | That's actually not an entirely crazy idea if you're trying to
         | hide from Western governments. Are you more worried about the
         | Chinese government coming after you? Likewise, if someone in
         | China is trying to hide from the Chinese government, it might
         | not be a bad idea to use a USA-based VPN. Maybe string up a
         | bunch of VPNs in regions that are at least somewhat hostile to
         | each other and it might be too hard to track an IP back to its
         | source. I guess trust no government and use their hostility
         | towards each other to your advantage? Just an idea prompted by
         | your comment.
        
           | messe wrote:
           | Exactly. One really needs to consider their threat model when
           | deciding on a VPN provider. A perfect system isn't always
           | possible.
        
           | grensley wrote:
           | Yeah, it's like banking. You want it to be in a neutral
           | country whose government has come to a clear understanding
           | with the industry.
        
           | maerF0x0 wrote:
           | > That's actually not an entirely crazy idea if...
           | 
           | Except that it gives them a direct avenue into your network
           | for their own surveillance and other network attacks ... If
           | you think comcast injecting their own JS into http pages is
           | bad, wait till you see what the dark army CPC could do with such
           | power...
        
       | notyourwork wrote:
       | The old saying trust but verify always seems to come up.
       | Companies claim x and we find it to be untrue. They apologize,
       | share a statement that they will do better and the cycle continues. Is
       | anyone else tired of the tomfoolery?
        
         | tremon wrote:
         | Do you have a suggestion on how to verify the claims of a
         | company you only interact with over the Internet?
         | 
         | (edit: not that I disagree with you, I honestly don't see a
         | practical way to do that. It's not like security seals have
         | proven their worth in pixels either)
        
           | Enginerrrd wrote:
           | The sensible thing to do is to assume a cynical mind.
           | Unfortunately, with stuff like this, you'll probably be more
           | often right than wrong, though you may never find out.
        
           | tintor wrote:
           | The solution is a "credit score"-like system evaluating companies,
           | and keeping track of incidents like these.
        
       | triceratops wrote:
       | @dang: can the title be changed to "UFO VPN claims zero-logs
       | policy, leaks 20M user logs". So users don't have to click
       | through to the story to find out which firm?
        
         | dang wrote:
         | Ok done.
         | 
         | Edit: I also changed the URL from https://www.hackread.com/vpn-
         | firm-zero-logs-policy-leaks-20-... to what seems to be the
         | original source.
        
           | triceratops wrote:
           | Thanks!
        
       | strombofulous wrote:
       | Can the title be updated to include the name of the "firm"
       | (article says "Hong Kong-based VPN provider called UFO VPN")?
       | 
       | @dang
        
       | solarkraft wrote:
       | VPN providers are something you should have especially high
       | standards for. They are largely unregulated, can see all of your
       | metadata and have an economic incentive to sell it (IIRC some
       | big player has been caught doing that).
       | 
       | If a provider shows even the slightest amount of fishiness,
       | instantly discard them (NordVPN immediately comes to mind, with
       | their weird influencer marketing campaign).
        
       | orliesaurus wrote:
       | What's the most trustworthy VPN that HN users recommend? My 3
       | year subscription to my local one is about to run out! Looking
       | for advice on what is trusted nowadays!
        
         | netsec_burn wrote:
         | SwissVPN. Without going into detail, I'm aware how they respond
         | to all kinds of information requests due to my previous type of
         | work. That earned my business.
        
         | icelancer wrote:
         | Cryptostorm is up there, but I'll back ProtonVPN as well.
        
         | gentleman11 wrote:
         | I generally trust Mozilla/Firefox and they just released a VPN.
         | It is nice to be able to outsource my VPN research to them as
         | well, since there aren't many orgs I trust like that. It works
         | well so far.
        
         | kd913 wrote:
         | The most trustworthy is one which you set up yourself imho.
         | 
         | I am giving each of my family in various locations a Raspberry
         | Pi 4B with WireGuard set up.
         | 
         | They are aware of/benefit from this cross country VPN thing
         | too.
        
         | hoytschermerhrn wrote:
         | Piggybacking on this, can anyone comment on Mozilla's new VPN
         | service?
        
         | nullc wrote:
         | No such thing. You would be better off renting an inexpensive
         | VPS and running your own VPN on it.
         | 
         | Public VPN services have to be one of the greatest lemon
         | markets to have ever existed:
         | 
         | You want people's private data? People will _pay_ you to give
         | it to them. Go ahead and sell the service for less than it
         | costs due to the boatloads of data that you get.
         | 
         | People realize this, so you end up getting a disproportionate
         | number of customers that don't worry about you getting their
         | data because they're only using the service to behave
         | abusively... which drives up costs.
         | 
         | So an honest provider has to deal with dishonest competition
         | selling below cost and a customer base that is saturated with
         | problem customers because good customers are savvy enough to
         | avoid VPNs.
        
           | gruez wrote:
           | >You want people's private data? People will pay you to give
           | it to them. Go ahead and sell the service for less than it
           | costs due to the boatloads of data that you get.
           | 
           | The amount of "private data" you get as a VPN operator isn't a lot.
           | Most sites nowadays are https, so at best you're getting
           | browsing habits on a per-site basis. On the other hand, using
           | a commercial VPN does confer advantages in some cases:
           | 
           | * geo restrictions: commercial VPNs have servers in multiple
           | countries, so you can easily switch to one that works. You
           | can achieve the same with cloud servers, but you'll have to
           | manually spin them up/down, which isn't convenient.
           | 
           | * anonymity: commercial VPNs usually have dozens/hundreds of
           | users on one server. You can also switch servers/regions to
           | increase your anonymity set further. This is a much bigger
           | anonymity set than your own private server, which is linked
           | solely to you.
           | 
           | * bandwidth: if you're a heavy traffic user, you'll probably
           | end up paying more. Most cloud providers only give you around
           | 0.5TB for a cheap server (within the price of a VPN
           | subscription).
           | 
           | * DMCA/abuse: they handle the DMCA/abuse letters for you.
           | With a self-hosted server you'll have to at the very least
           | respond to the ticket they sent otherwise they'll take down
           | your server.
        
           | SAI_Peregrinus wrote:
           | Running your own VPN provides no privacy, since you're the
           | only user.
           | 
           | Of course other VPNs don't provide privacy either. The belief
           | that they do is due to marketing, and misunderstanding what
           | the "Private" part of VPN means: it means that two non-
           | publicly routable IP networks (10/8, 172.16/12, 192.168/16)
           | are virtually joined into one network. VPN companies took
           | advantage of this (and that the connection is usually
           | encrypted) to imply that they offer a privacy product.
           | 
           | The main use of a commercial VPN is to bypass region locks
           | and other legal controls that depend on location. Pick a VPN
           | provider (or VPS host) in a jurisdiction that won't cooperate
           | with your home law enforcement. Assume the VPN provider spies
           | on all your traffic.
        
           | mindslight wrote:
           | Your proposed alternative does not address the threat model
           | that most people have when looking for a "VPN".
        
             | nullc wrote:
             | The threat model you're referring to is, I assume, mostly
             | DMCA warnings. (As in: You want your service to not get
             | disconnected in response to them)
             | 
             | It does address it, when you factor in an appropriate
             | choice of non-US VPS provider.
        
               | mindslight wrote:
               | Not just DMCA warnings, but full extortionary lawsuits.
               | From what I can tell, these exist in most countries.
               | Jurisdiction hopping won't let you avoid a determined
               | attacker.
               | 
               | Common VPS providers generally insist on recording your
               | identity, probably with government ID, to limit abuse
               | that would otherwise fall onto them. Whereas VPN
               | providers have already made the choice to weather mild
               | abuse complaints.
               | 
               | I have looked into bulletproof VPS providers. They're
               | drastic overkill, expensive, and getting in bed with the
               | wrong sorts of people.
        
           | rthomas6 wrote:
           | How does that help? If you're the only one with traffic from
           | that IP, how does that give any privacy? Especially if you
           | pay with something tied to your identity. And why does a VPS
           | have any less likelihood of logging your traffic?
        
             | rmrfrmrf wrote:
             | It's good for things like public wifi and other untrusted
             | networks, since your data is encrypted from your machine to
             | the VPN server.
        
             | nullc wrote:
             | > Especially if you pay with something tied to your
             | identity.
             | 
             | Then don't do that.
             | 
             | Though VPNs are not really a strong solution for hiding your
             | identity period. Tor is a more effective tool, but hiding
             | your identity is extremely difficult to do effectively.
             | 
             | > And why does a VPS have any less likelihood of logging
             | your traffic?
             | 
             | They may be too but at least you should expect their
             | business to be viable without doing that, which is better
             | than you can say for VPN services.
        
         | cbsks wrote:
         | I have been using Mullvad for the last few years:
         | https://mullvad.net/en/
         | 
         | I don't have much to base it on but they seem trustworthy, and
         | I've seen them recommended here before.
        
           | elliekelly wrote:
           | I also use Mullvad and I pay by sending an anonymous envelope
           | of cash to Sweden with a random number scribbled on a bit of
           | paper. So far all of the cash I've sent has been added to my
           | accounts. There's obviously no way to know whether they
           | follow through on their no-log claim but my sense is they're
           | pretty trustworthy. At the very least the person who opens
           | their mail is.
        
         | obenn wrote:
         | Commercially I'd say ProtonVPN or PrivateInternetAccess.
         | 
         | Best is to make your own; check out
         | https://github.com/StreisandEffect/streisand for an easy way to
         | set that up.
        
           | nullc wrote:
           | I would never do business with Private Internet Access.
           | 
           | https://news.ycombinator.com/item?id=21584958
           | 
           | (you can google to find more-- this was just a quick result)
        
             | gentleman11 wrote:
             | Despite this, they claim to be working on a way to verify
             | their privacy claims. I don't understand how, but if they
             | succeed it will be noteworthy and might redeem them a fair
             | bit
        
         | Hamuko wrote:
         | For a VPN provider to actually be trustworthy, you'd have to be
         | able to verify their policies. But that's impossible, so VPN
         | providers just fall into "might be doing bad things" and
         | "confirmed to be doing bad things".
        
         | RandomBacon wrote:
         | Mullvad, ProtonVPN, and IVPN are recommended by
         | https://www.privacytools.io/providers/vpn/
         | 
         | PrivateInternetAccess has fought and won in US court, but
         | they're also US-based.
         | 
         | (I use Mullvad.)
        
         | solarkraft wrote:
         | I personally trust Mullvad because of their generally good
         | reputation (built through independent audits), super clean user
         | interface and very fair pricing (5 EUR/month flat fee, no crazy
         | long-term contracts).
         | 
         | Mullvad is also the provider Mozilla is using for their new VPN
         | service (with fewer features).
        
         | nilssonanders wrote:
         | I second Mullvad also. They don't even have usernames, emails
         | or passwords. All you use to log in is a random number for your
         | account. Can't get much more anonymous than that. And they
         | financially sponsor WireGuard, have a bunch of WireGuard
         | servers. Can't recommend them enough.
        
       | ornxka wrote:
       | I don't know why anybody ever cared about logging policies. How
       | would you even know if they keep logs or don't, or what they do
       | with them if they do?
        
         | jliptzin wrote:
         | You can't possibly know. You have to just assume all VPN
         | companies are logging your activity indefinitely regardless of
         | what they say. Though I suppose you'd rather go with a VPN
         | company that claims it doesn't do any logging, over one that
         | says it does.
        
       | hdjrkrmfkt wrote:
       | Can you chain two VPNs?
        
       | SAI_Peregrinus wrote:
       | According to The Register, UFO VPN is just white-labeling a
       | parent service[1]. The full list of compromised providers is thus
       | UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN,
       | and Rabbit VPN.
       | 
       | [1] https://www.theregister.com/2020/07/17/ufo_vpn_database/
        
       | [deleted]
        
       | thecleaner wrote:
       | I think that at this point it is far easier to just set up a SOCKS
       | proxy with a cloud-based machine than to research which firms
       | have shady practices and which don't. I went into a wormhole over
       | NordVPN vs PIA vs ProtonVPN and then just went with a proxy
       | server. Costs peanuts with the cloud compute ecosystem.
        
         | gruez wrote:
         | >then just went with a proxy server. Costs peanuts with the
         | cloud compute ecosystem.
         | 
         | The problem with personally operated VPN servers is that all
         | the traffic ties back to a single user: you. This is fine if
         | you're on a malicious network and need a secure exit node for
         | your data, but for anonymity (eg. ad tracking, DMCA) it's
         | objectively worse.
        
       | jijji wrote:
       | If you want a VPN you're better off running squid on a $5/month
       | VPS box, less likely this kind of nonsense happens.
        
       ___________________________________________________________________
       (page generated 2020-07-17 23:00 UTC)