How Is NordVPN Unblocking Disney+? (medium.com/derek.)
374 points by dagurp on Nov 29, 2019 | 243 comments



Seriously creepy stuff. I hate how VPNs are being shilled by e-celebs these days as a privacy improvement.

It’s just using a different middleman. One middleman might be better than another, but if you have a good ISP already, there’s no privacy/security benefits to be had by using a VPN when surfing from home.

It might be worth getting a VPN if you use sketchy WiFi often, or want to bypass geo-blocking or restrictive firewalls. But remember that you’re trusting the VPN provider with all your traffic. DNS is still not encrypted in most browsers, so this traffic is still a goldmine of marketable info. Sure, they can’t see what you post on snapstagram.com or what pages you visit on news.ycombinator.com, but they can infer a lot about your browsing habits from DNS queries.


Besides the security implications, if there's no way to legally stream Disney content in my country and I desperately want to watch it for some reason I'll pirate it. Why should I jump through hoops to give them (and an unconnected third party) my money if they don't want me as a customer?

I'm making a genuine effort to keep all my entertainment above board by being a paying customer to Netflix, Amazon, Spotify, Google Play, YouTube Premium, Steam and a few others, but I have to say that my patience is wearing very thin with TV/movie studios and their idiotic licensing shenanigans.


What's worse is that they can't snap a finger and distribute worldwide. They lobbied themselves into legal corners with all these licensing shenanigans.


They absolutely can if they choose to. They own the rights, they don't need nations' permission to do things with it. However, their lawyers need lots of time to create all sorts of artificially restrictive terms of service and silly contracts with partners rather than just opening the service worldwide.


That's absolutely not true. It's the reason movies like Coco are still on Netflix and not Disney plus. You can't just renege on a previous contract because you started your own streaming service. These things take time.


I was unclear, I meant that the restrictions are artificial; based on contracts and in-company reasoning, not that the law prevents them from letting users in other nations buy subscriptions. Yes, they can't renege on contracts, but the only reason Disney+ isn't available in other nations is entirely of their own making, and they could let Ukrainians or Vietnamese into Disney+ whenever they choose (aside from existing agreed upon obligations), there is no national-legal restriction.


While you are right Disney+ could open everywhere, it makes no business sense to launch in some countries with underwhelming media libraries especially when it's the crux of the Disney marketing.

Many countries have "Media Laws" that define when movies can be broadcast on streaming services.


> They own the rights

They don't, and they are tied into long term exclusivity contracts in many territories.

It's pretty well established that in the UK for example they can't launch the service until the exclusive first pay window distribution deal they have with Sky on all the Marvel titles expires, and that's pretty obviously on the 31st March 2020.


As I mentioned to someone else, I was unclear. I meant there's no legislative reason they can't let foreign users into Disney+, contractual obligations are agreements that expire, as opposed to a statute prohibition on being open to other customers.


A lot of it is totally new content; how could they not write up the contracts a few months ago to allow global distro?


About a tenth of 1% is totally new content. There's really a couple of documentaries, two features and the Mandalorian. And that's it.

They couldn't launch the service with just that - Apple are struggling a lot and basically giving away their service and they still have more than that.


This. I do what I can but if shows I watch suddenly end in ‘my region’ while it continues in another then I will find a way. It is the internet and it is global; the old way of regions needs to go; it has been gone for a while but I want to pay for my Netflix to be the same as the US (etc) one. It is not though; I do not watch too much but when ‘they’ get me hooked and then run seasons behind another season, well... I was explained why it is that way, but, like you, that wears thin these days; they had at least a decade to fix it for new content but they keep doing it.


Copyright law should have a way to allow the content to be shared for free if the copyright holder blocks the distribution themselves with no good reason.


In some countries, for some media, this is allowed.

Of course the USA tries to prevent this with all its might.


Define 'good reason'.


Anything where they (the copyright holders) provide content to one group (region, etc) for $X and you are willing to pay at least $X as well but cannot.


That isn't a good reason.


Yeah, reading back it is not a reason at all; just a solution I would agree with (as human and copyright holder).


Why do you believe you're entitled to content that the content owner doesn't want to offer you?

Practically speaking, yes, people will pirate it if it's not easily available otherwise. But that doesn't make it morally right.


>Why do you believe you're entitled to content that the content owner doesn't want to offer you?

pirating something that you can't even legally purchase is about as close to a victimless crime as it gets. If anyone actually feels guilty about this they can donate the value to the against malaria foundation and have done the world a net good

honestly, I find the IP mentality of large companies like Disney immoral who hoard IP like a dragon hoards a lair of gold. I'd be in favour of 'use it or lose it'


> pirating something that you can't even legally purchase is about as close to a victimless crime as it gets.

I dunno. I’d say pirating something the owner isn’t willing to provide you at any price is at least as victimful (and a greater offense against the victim) than doing so for something that they are willing to sell you, but at an unacceptable price.


As much as I hate copyright if someone doesn’t want to sell something to you or licence it or share it they are under no obligation to. I’m sorry but why do you feel you have a right to any content? It’s just a movie/tv show/book.

Though as I write this I consider the implications if it was educational and only available to a nation or race and not having it would put one at a disadvantage ala scientific papers...


Copyright is a specific legal right granted to authors, with the (ostensible) intent of balancing the rights of authors against the rights of readers. Copying a bunch of bits is legal by default, but we specifically outlaw copying certain bits under certain specific conditions. Copyright is not unconditional, universal or perpetual. In the EU, there is an element of "use it or lose it" due to the Orphan Works Directive - if the copyright holder cannot be located, then national libraries have the right to digitise and distribute the orphan work.

In the digital age, there is a perfectly reasonable case to be made for some kind of "unavailability exception" to protect the rights of readers in poorly-served markets and prevent anti-competitive hoarding of copyrighted works.

https://en.wikipedia.org/wiki/Orphan_Works_Directive


The thing is; they do want to sell it to me; it will appear in a few months/years. At least in case of films/shows. So that ‘the copyright holder does not want’ is not true; they just signed contracts with actors, writers etc for a certain region to pay less and/or get more %.


You're arguing "you don't have a [legal/moral] right" (which is true)

They're arguing "it's a victimless crime" (which is also true)

These are related things, but they aren't contradictory


Copying information is already victimless. No one is harmed or wronged by magnetizing some disks or tape a certain way in your house.


Nobody owns content as ownership does not expire. People are incentivized to create content with a limited monopoly of finite duration. However, this means when they fail to licence it and thus choose to forgo revenue there is zero moral obligation to respect the monopoly.


Watterson famously refused to license Calvin and Hobbes. That does not give you the moral right to start selling C&H branded content.


Jumping from pirating for personal consumption to selling someone else's IP is a bit much, don't you think?


It’s kind of an interesting edge case.

Trademarks don’t have set expiration dates, yet 1/4 of Disney’s toys are for someone else’s original IP. Snow White, Peter Pan, etc and nobody seems to have a problem with this. In fact the oldest US trademark in use falls under the same heading with a Biblical figure Samson wrestling a lion.

And in fact trademarks do go away without defence. Which means they can be abandoned at which point it’s fine to use em.


No one's talking about reselling Disney+ content.


Well, I would agree that watching and not paying is wrong, but I am paying. In the end the show will appear on one of the streaming services I subscribe to and pay for. Like in the olden days I downloaded shows because of this region crap and then bought them on dvd when they came out even though I already watched them. The content owner apparently does want to offer it to me, just not here (sometimes I can drive for one hour across the border and then I can get it; how insane is that; also how is that different than switching on a proxy of my neighbouring country?) and that is not acceptable (to me and many others).


"It might be worth getting a VPN if you use sketchy WiFi often, or want to bypass geo-blocking or restrictive firewalls. But remember that you’re trusting the VPN provider with all your traffic."

I never understand this false dichotomy - especially in a forum which is named ... let me check ... "hacker news".

Just set up your own.

It costs almost nothing to run an EC2 instance in the region of your choice (or at some other provider like GCS or whatever). There are keystroke-by-keystroke instructions everywhere on setting this up.

Extra points for adding the extremely trivial and also very low cost steps of signing up under a corporate name and removing your personal identity from the account altogether.

Some more extra points for multiplying the almost-zero-cost by 3 or 4 or 5 and spinning up extra copies of your endpoint in multiple regions (or even providers) and manually (or automatically) switching between them.

You don't need to trust anyone - adjust your threat model all the way up to "near nation state" (in the case of Amazon or GCS) and assume these actors could already discern all of your Internet traffic even if you weren't doing business with them.

Christ.


Be aware that a lot of streaming services block traffic that doesn't originate from residential IPs, AKA Digital Ocean, AWS, Azure, Google Cloud, Linode etc. Apparently BBC even uses a whitelist instead of a blacklist. ISPs give them the list of ip addresses they use for individual customers, and those are the only ones permitted. No VPS will help you in this case, trust me, I've tried.


If the ISPs use dynamic IP assignments they have given an IP range to the BBC. Try a few proxies in the UK, you might find a machine on the range.


Residential proxies exist.


True. And I bet that most all of them either use botnet slaves, or people running Hola, Oxylabs apps, and other stuff like them.


>or people running Hola, Oxylabs apps, and other stuff like them.

Those are also botnet slaves.


> Just set up your own.

This entire thread is about using a VPN to watch Disney+ outside of geo restrictions. Many many people use VPNs for this purpose and no other. You can't trivially do this on your own at all. You're making it seem simple, but getting a VPS with an IP that won't automatically be banned by all sorts of services looking to protect themselves against botnets and the exact sort of geofence hopping that people want to do is extremely difficult.


I anecdotally have experienced exactly zero service interruptions while using various VPS providers around eastern and western Europe while accessing websites. If you avoid the big name providers they don't seem to block you.


> It costs almost nothing to run a EC2 instance in the region of your choice

Sure, the instance doesn’t cost much, but bandwidth does in the case of AWS and GCS. Streaming 4K video chews through bandwidth.


AWS Lightsail is available in 13 regions and comes with a few TB of bandwidth. https://aws.amazon.com/lightsail/pricing/


Have you checked to see if ec2 isn’t blocked by Disney+? I would expect that to be blocked. I think Google blocks most ec2 IPs. Going thru 10 GB of data per day would have the total cost above $1/day. Not as cheap as the post makes it seem.


> It costs almost nothing to run a EC2 instance in the region of your choice

I might be wrong about EC2 pricing, but at least for me, ~$11 per region is not "almost-zero-cost". Unless we're talking about on demand instances.

I wonder if there is a community run VPN service to utilize instances more efficiently.

[1] https://aws.amazon.com/ec2/pricing/reserved-instances/pricin...


No need for EC2, you can use Digital Ocean or Hetzner Cloud (GDPR ftw) to cut the costs.


> No need for EC2, you can use Digital Ocean or Hetzner Cloud (GDPR ftw) to cut the costs.

Throwing GDPR and `ftw' in the same sentence. Hmm. No GDPR does not work that way hah. At least not in the global context.

GDPR only applies to you _if_ you happen to be a European Union citizen.


> GDPR only applies to you _if_ you happen to be a European Union citizen

There's nothing in GDPR that has anything to do with EU citizenship.

1. GDPR applies to the processing of personal data if the controller or processor is "in the Union", regardless of where the person whose personal data is being processed resides, and regardless of where the processing takes place.

2. It applies to any data subject that is "in the Union".

All the places in it that you might have expected it to say "Union citizen" instead say "in the Union".


I do 1 to 4 TB of traffic in my house each month. That would cost $100-400 each month if I ran it through EC2.


Could you use Amazon Lightsail? The $20/month Lightsail plan includes 4 TB of outgoing bandwidth. ($10/month plan includes 3 TB, $5/month includes 2 TB, and $3.50/month includes 1 TB).


That'd be about $5 a month on Hetzner.


Extra points for adding the extremely trivial and also very low cost steps of signing up under a corporate name and removing your personal identity from the account altogether.

Unless you're paying Amazon in bitcoin you're not removing your personal identity from the account.


Vultr is one provider you can pay in crypto I think; any others?


You have to make your first payment via credit card so it's not anonymous unfortunately.

joepie91 maintains a list, but it looks like it's a couple of years out of date: http://cryto.net/~joepie91/bitcoinvps.html


Ah I did not know that; I inherited an account from a client. Thanks for that list.


Could you provide a good reference for the process you describe, or maybe just a good set of search terms?

I'd like to pursue this, but have just little enough experience with ec2 to not be composing effective search terms.


https://github.com/trailofbits/algo

It’s an Ansible playbook for easily setting up a VPN with good security defaults. It’s so easy and really the only knowledge you need to know is how to get api keys for the provider of choice.


https://www.digitalocean.com/community/tutorials/how-to-set-...

Their tutorials will hold your hand all the way to the end.


I think one of the interesting options out there is: https://github.com/StreisandEffect/streisand

Waiting for https://github.com/StreisandEffect/streisand/pull/1668 to be fixed though.


Hey, I wrote the PR you just linked (#1668). Was there an issue with the code changes you ran into? Just asking since you said you were waiting for it to be fixed. If so, I'd love to know what the error was so I can test/fix it. Or did you just mean the underlying issue (ACMEv1 protocol being deprecated)?


Hey, thanks for the fix. I was indeed able to spin off a Streisand server using it without any error <3!


Hey there, I found an issue in the PR recently that affects the auto-renewal process. Nginx will still serve the old certificate after renewal succeeds since it's never restarted or reloaded. I have another PR open to fix this, but there's a manual way to apply the fix if you're so inclined (and you still have that Streisand server up and running).

Obviously this only applies if you don't plan on destroying/recreating your Streisand server after the newer PR gets merged (EDIT--just got merged). But just in case, the steps are pretty easy (it's in the PR here too: https://github.com/StreisandEffect/streisand/pull/1688):

  [root@streisand]# cat > /etc/letsencrypt/renewal-hooks/deploy/01-reload-nginx.sh << EOF
  #!/bin/sh
  systemctl reload nginx
  EOF
  [root@streisand]# chmod u+x /etc/letsencrypt/renewal-hooks/deploy/01-reload-nginx.sh

If your cert was already auto-renewed (unlikely given the timeline), you'll also need to run systemctl reload nginx to serve the new cert, since the deploy script wasn't present when certbot ran the renewal.


EC2 is one of the more expensive options when you add up the bandwidth required. There are tons of small vps and bare metal providers which are cheaper (people named Hetzner, there is OVH and tons of other smaller ones). There is also less chance these are blocked as the streaming providers might not know about them.


Using a cloud provider means high bandwidth bills, being blocked by most sites with IP blacklists, and potentially kicked off and banned by the cloud provider for violation of TOS.

You also won't have any anonymity since your billing details and instances are all logged permanently. It's not really a viable alternative.


This reminds me of the infamous comment when DropBox was introduced and why geeks don’t get it.

https://news.ycombinator.com/item?id=9224

For a Linux user, you can already build such a system yourself quite trivially by getting an FTP account, mounting it locally with curlftpfs, and then using SVN or CVS on the mounted filesystem. From Windows or Mac, this FTP account could be accessed through built-in software.


Friendly reminder that in the UK all ISPs are required by law to keep your entire browsing history for a year, and that history can be accessed by a few dozen agencies, warrant free. That's why I use a VPN personally.


If you only use HTTPS they can track your DNS queries but they can't track anything other than that. When you do a google for something so let us say google.com?search=searchTerm they see a dns lookup for google.com. They will not see ?search=searchTerm or anything else. They will see a connection open between your computer and another IP after that. In the future that will stop being a problem because there will be DNS over TLS or DNS over HTTPS which will even hide your DNS lookups. Which means all the ISP will see is you made a TCP connection to X. Theoretically they could just do a reverse lookup for that IP but that is not always easy.


Exactly, they're generally more trustworthy than most governments. Security is about probability and is never 100%.


Except that they can't really get your browsing history. Just the domains you used. At least on the 90% of https sites most ppl visit


> Seriously creepy stuff. I hate how VPNs are being shilled by e-celebs these days as a privacy improvement.

You may enjoy Tom Scott's video:

> I tried to write a more honest VPN commercial. The sponsor wasn't happy about it. • Get ■■■ days of ■■■ VPN free at ■■■■.com/honest

* https://www.youtube.com/watch?v=WVDQEoe6ZWY


I already did ;)


A VPN provider is basically a choice to trade one country’s passive adversary for another. I.e., if you’re in the US and using a VPN with German corporate headquarters, then your Internet transactions are able to be wiretapped by the German government, but not by the US government. Either way, yes, your data will also be wiretapped by your carrier themselves and sold on the open market—but not usually in a form that will result in legal problems for you, since ad-targeting data tends to be semi-anonymized (in the sense that it isn’t in a form where a court would accept it as evidence of who you are; not in the sense that it couldn’t be used to deanonymize you by a sufficiently-motivated private researcher.)


Actually, legally speaking, by using a German VPN you are effectively allowing the NSA to spy on you, since the traffic is now “overseas” — which is always fair game for any US agency. Conversely, you might be protected from German surveillance (depending on German law).

(This said, obviously no agency is going to come after you for the occasional lootin’ of moving pictures, and if you are doing anything more serious, then you should have your own VPN infrastructure.)


This is correct, however in theory the NSA is not allowed to spy (let's not argue about "wittingly" here, I get it) on American citizens without FISA or 702 approval:

https://www.newamerica.org/oti/blog/scope-standards-and-prot...

So if they did not know you were an American through your identifiers, they could intercept foreign traffic. However, once they identified you they would need to stop unless the above exceptions were met. IN THEORY. Exceptions have occurred, the most egregious that I can think of is that the FBI has NO ACCOUNTING WHATSOEVER of how many agents accessed the 702 database:

https://www.justsecurity.org/66622/how-to-address-newly-reve...


Yeah, they'll just ask the German intelligence service to spy on Americans for them using NSA tools.

https://www.spiegel.de/international/world/german-intelligen...


Wasn’t the whole point of five eyes that we’d spy on the British and they’d spy on us and merrily round we go, merging data together to bypass domestic spying laws?


This is why I hate Canadian ISPs.

Their in-Canada peering is so terrible, it's common for local Toronto traffic to have round-trip through Chicago or NYC.


Yep. Bell, Telus, Videotron, Rogers have preferred to interconnect in the US for a long time (Chicago & NYC). During the mid 2000s the CRTC made bell and Rogers peer domestically over an OC12 (622Mbps) which was congested all the time (they shed some of load into the US). The Canadian IP transit market was a disaster until Cogent came into Toronto at 151 Front which paved the way for several other providers after.


In that case a Russian VPN service is indeed preferable.


> Either way, yes, your data will also be wiretapped by your carrier themselves and sold on the open market [ ... ]

Woah. Hold your bong son! ;)

Any reference to documentation or any information of what you mean by `sold' on the open market?

If you wanted to prove a point by saying that internet is an insecure medium then yes I agree but `tapped' and `sold' is a whole different ball game that I am not aware of. At least in the internet I know of.


> A VPN provider is basically a choice to trade one country’s passive adversary for another.

Plus, whatever VPN provider you're using. Unsurprisingly, most seem to be based in countries with very lax telecommunication laws and that make it very easy to start shell companies.


Yes, pretty much this.

The Lithuanian government has no interest in me, and even if they did, they have no jurisdiction here. One should always be more interested in privacy from the government that has authority to no-knock raid your home than the one that does not.


>But remember that you’re trusting the VPN provider with all your traffic.

May I suggest hosting your own VPN using Streisand (https://github.com/StreisandEffect/streisand)? It's an absolutely fantastic VPN that runs on just about any cloud system out of the box (or your own hardware of course).

Right now I use Linode for hosting ($5/month) but there are lots and lots of other ways to set it up.

Importantly, setup is easy for all kinds of clients, including mobile devices.


Making your own VPN sure seems like the safest option but something as popular as Linode won’t be of use to someone who wants to stream geoblocked services as they most likely are already blacklisted from many.


> if you have a good ISP already

That's a big IF. Not all of us share the luxury of being able to get internet service from companies like Sonic.net.


There is currently a difference in business interest for VPNs and ISPs. ISPs sell your data, since people mostly don't have much choice here anyway. A VPN service who becomes known to share data can probably close their business soon, new ones will quickly fill the void. They have fewer infrastructure requirements than ISPs and a subset of users with different expectations of privacy.

So yes, I do think there is quite a difference, although you should still be critical of your VPN provider.


I disagree. The comments here are based on a specific threat model. There are many other threat models where a good VPN dramatically increases a user's security.


One middleman might be better than another, but 10 middlemen are better than 1 if you are truly interested in mitigating the invasion of your privacy. There's nothing preventing you from using multiple VPNs to make it harder for any one middleman to build a profile of your internet activity.


Which is basically TOR


> Which is basically TOR

Last time I checked Tor's technical paper (probably been 10 or so years), it stated the fact that a relay? node in between can only decrypt the information required to route to next hop and not the actual packet's payload. Is that correct or am I dreaming?

Also, I recall that if someone malicious flooded the tor network with malicious exit nodes, then all traffic details can be `inferred' right? i.e., the assumption was that exit nodes need to route the packet to destination thus it needed to look at every packet but couldn't infer the originating IP address (based on my dated knowledge :))

If a malicious person now floods the tor network with a bazillion exit + relay nodes - then essentially all contents (payload + IP src/dst) can be aggregated. Is this still a problem in the tor network?


Also worth noting that while VPN providers don't care what DNS servers you use, the geo-blocking protection features usually require that you use their DNS servers.


Why can't your VPN see what pages you visit on sites? They can see every URL you request, can't they?


For https, the only thing sent in plaintext (and this is only if you don't use DoH or similar), is your DNS query (google.com). The rest of the page (search.php?=goat+snuff+videos) is encrypted.


Yes. To add, any number of middle boxes during egress from the VPN provider can also sniff the SNI in the TLS packet (SNI stands for Server Name Indication and stands on its own as plain text traffic) before a TLS session is established (assuming a DoT/DoH DNS scheme is in use)

Effort and RFCs are underway to establish what would become part of TLS protocol stack. One of which is eSNI (encrypted SNI).
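As an added example (not code from any commenter in this thread), the two plaintext fields the HTTPS comment and the SNI comment above describe, parsed in Python: the DNS question name and the TLS ClientHello SNI both remain readable by an ISP or a VPN exit even though the request path is encrypted. The DNS query and ClientHello bytes are constructed inline by the builder functions, so nothing is sent over the network.

```python
"""What a passive on-path observer still sees for an HTTPS session:
the DNS QNAME (unless DoT/DoH is used) and the TLS SNI (unless ESNI/ECH is used).
Both the packets and the parsers below are constructed for this example."""
import struct
from typing import Optional


def encode_name(host: str) -> bytes:
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in host.split("."))
    return labels + b"\x00"


def build_dns_query(host: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a plain UDP DNS A query for `host`, as a stub resolver sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set; QDCOUNT=1
    return header + encode_name(host) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def dns_qname(packet: bytes) -> str:
    """Extract the queried name from a DNS query (question names are never compressed)."""
    pos, labels = 12, []  # the fixed 12-byte header precedes the question section
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def build_client_hello(host: str) -> bytes:
    """Constructed sample: a minimal TLS 1.2 ClientHello record carrying an SNI extension."""
    name = host.encode("ascii")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    # Put another extension first so the parser has to walk the extension list.
    ec_point_formats = struct.pack("!HH", 0x000B, 2) + b"\x01\x00"
    extensions = ec_point_formats + sni_ext
    body = (
        b"\x03\x03"                                    # client_version TLS 1.2
        + b"\x11" * 32                                 # random (fixed for the sample)
        + b"\x00"                                      # session_id length 0
        + struct.pack("!H", 4) + b"\xc0\x2f\xc0\x30"   # two cipher suites
        + b"\x01\x00"                                  # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's SNI extension, or None if absent."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                        # not a handshake record / not a ClientHello
    pos = 5 + 4 + 2 + 32                   # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                 # session_id
    (cs_len,) = struct.unpack_from("!H", record, pos)
    pos += 2 + cs_len                      # cipher suites
    pos += 1 + record[pos]                 # compression methods
    if pos + 2 > len(record):
        return None                        # ClientHello without extensions
    (ext_len,) = struct.unpack_from("!H", record, pos)
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, length = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0x0000:
            # server_name_list: 2-byte list length, then name_type(1) name_len(2) name
            name_type = record[pos + 2]
            (name_len,) = struct.unpack_from("!H", record, pos + 3)
            if name_type == 0x00:
                return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += length
    return None


def observer_view(dns_packet: Optional[bytes], tls_record: bytes) -> dict:
    """What the middleman learns. Pass dns_packet=None to model DoT/DoH hiding the lookup:
    the SNI still names the site; only the URL path and query stay inside the TLS tunnel."""
    return {
        "dns_name": dns_qname(dns_packet) if dns_packet else None,
        "sni": tls_sni(tls_record),
    }


if __name__ == "__main__":
    site = "news.ycombinator.com"
    print(observer_view(build_dns_query(site), build_client_hello(site)))
    print(observer_view(None, build_client_hello(site)))  # DoH: DNS hidden, SNI not
```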


Ah, I see. Thanks!


If you’re using “sketchy WiFi”, you’re still more than likely using https so your traffic is encrypted.


The VPN providers pay the bills for them. Why would they not shill them?


Yeah, why would someone ever consider their moral responsibilities and credibility before endorsing a product they do not understand the technical details of?


I get what you're saying, but that would then mean that you couldn't advertise essentially anything. Chances are very high that you will never get an endorsement/advertisement deal for a product that you do understand well.


There is lots of advertisement you can do without making misleading (or even downright false) claims.

Not that advertising mobile games or g-fuel is great, but you’re at least not pushing (dangerously) false claims on people and imperiling their privacy and security.


> but if you have a good ISP already, there’s no privacy/security benefits to be had by using a VPN when surfing from home.

This is just not true. You cannot sign up for an ISP without disclosing at least your name and address. Many VPNs support complete anonymity.

It's a different middle man that--if you choose the right one--will absolutely know less about you.


How are you going to access a completely anonymous VPN provider without a non-anonymous internet connection?

If your traffic is interesting enough, the money trail will eventually lead back to you.


Micah Lee did a talk about how he does it. In essence he uses Tor to connect to the VPN. He also explains how to pay for the VPN anonymously.

I think it was part of his Qubes OS talk: https://youtu.be/f4U8YbXKwog


No one's said this clearly so I will. oxylabs.io as described in this article is an awful unethical company and should be investigated for criminal activity. If NordVPN is using them to bypass DRM controls, that's pretty ugly.

The central concern is how they get their 32M "residential proxies". I spent a few minutes trying to get an answer and could not find one. The article straight up assumes it's coming from malware, which certainly seems possible. I could also imagine them buying legitimate access from ISPs but given the various legal and technical issues involved it seems less likely.

Is there anything directly connecting Oxylabs to malware? Again I looked for a few minutes and didn't find anything clear. I did find a couple of troubling posts on Reddit from Android Devs saying Oxylabs approached them offering to "monetize your users with our SDK", which sounds like the slippery slope to malware. Or at least bundleware without meaningful consent.

https://www.reddit.com/r/androiddev/comments/ajfc7w/question... https://www.reddit.com/r/androiddev/comments/ao27tu/my_app_w...

BTW, Oxynet has a list of the ASNs they have proxies on: https://intro.oxylabs.io/hc/en-us/articles/360003444780-Supp...


From the patent infringement document:

"... Upon information and belief, the above OxyLabs embedded code has been integrated in at least the following software applications that may be downloaded by any user located anywhere having Internet access: AppAspect Technologies’ “EMI Calculator” and “Automatic Call Recorder”; Birrastorming Ideas, S.L’s “IPTV Manager for VL;” CC Soft’s “Followers Tool for Instagram;” Glidesoft Technologies’ “Route Finder;” ImaTechInnovations’ “3D Wallpaper Parallax 2018;” and Softmate a/k/a Toolbarstudio Inc.’s “AppGeyser” and “Toolbarstudio.”"

https://cdn-resprivacy.pressidium.com/wp-content/uploads/201...

Looking at a few of these apps' descriptions and privacy policies, none mention anything about oxylabs or proxies, so I'm not sure it's true, but somebody should check the apps with a decompiler or by monitoring the connections they make.


I would guess it's from services like the Hola VPN browser extension provides. It was always clear that these services need to make money somehow. Next to providing tunnels to their own users they will sell them to others. Not sure if this is really unethical.


Isn't it likely a non-zero percent of those residential IPs are from other NordVPN clients? Or anyone who installed their app on their device?


Sounds similar to the proxy network [1] Luminati, which uses an SDK which developers get paid to embed in their apps, in order to route proxy traffic through... Kind of like a Tor network...

[1] https://luminati.io/proxy-networks/mobile-ips


> Does [Oxylabs.io’s distribution] mean your device can be used by a third party to access child porn or hack into a bank? Absolutely!

I mean, isn’t the existence of Oxylabs a boon for everyone’s privacy—in the sense of making everyone’s actions deniable/repudiable? Oxylabs introduces reasonable doubt for every possible allegation of cybercrime! “It wasn’t me; it was this botnet malware routing through my computer without my knowledge!” It’s like having a Tor exit node on your computer, without the associated mens rea that would come from the explicit choice to install one!


In theory sure. In practice (especially if you don't know your connection is being used like this, as the article suggests), if law enforcement turn up at your door to take all your kit as evidence in a crime, they'll likely take all your kit for an extended period of time (and possibly charge you) until/unless you can prove that it wasn't you that sent the traffic.

There have been cases of this happening to Tor exit nodes, and those were ones the operators could point to...


No, you can easily prove it wasn't you that sent the traffic; simply look at case law for all of the torrenters absolved from having open wifi access points. The problem is your hardware is locked up in a criminal trial, which realistically means you ain't getting it back. And they're not just going for that device you used with a VPN, they're taking any possible device that connected to the VPN including routers, laptops, iPhones, tablets, connected hard drives, etc.

THAT is the reason why a rational actor won't use such a service.


> they're taking any possible device that connected to the VPN including routers, laptops, iphones, tablets, connected hard drives, etc.

Mind you, that's just sensible evidence-gathering. If law enforcement thinks that the homeowner did in fact act illegally and is using the VPN for deniability, then there would be ample cause to search attached or potentially-attached devices for direct evidence of illegal behaviour. If some is found, that's compelling circumstantial evidence that other identified VPN activity was also instigated by the connection-owner.


And inefficiency which results in delays in getting this equipment back to the owners is obviously just an unfortunate side effect. /s


Yes, the police and courts are here to serve us, the people, but that means we have to wait for them to clear their backlog from other people to get to our case. It will always be resolved within a reasonable time, like <4 years.


In this case, I'm suggesting a world where someone isn't using any VPN services themselves, but their computer ends up infected with this Oxylabs "residential proxy" malware.

In such a case, if the person is then charged with cybercrime, a cybercrime expert hired by the defence could do discovery on the confiscated computer, find the Oxylabs proxy installed on it (which the defendant was unaware of), and then present the fact of that installation on the witness stand as an alternative explanation for any evidence of wrongdoing that the prosecution presents, creating reasonable doubt.


Now how long before the investigation wraps up and trial begins where you can bring your witness to the stand. Could be at least 2 years.

So again, a reasonable actor would not want that and thus would avoid questionable services like Oxylabs.


> So again, a reasonable actor would not want that and thus would avoid questionable services like Oxylabs

Right, but, I'm not talking about a situation where you have any say in the matter, but rather where computers are just being infected by this malware no matter what. Posit a variant of this malware that acts as a worm, rather than as a Trojan horse.

Certainly, you'd not want to allow it to be installed on your own personal computer (as, for one thing, it's snooping on you!); but it'd be very good for your presumption of innocence if everyone else had it on their computers—because, if enough people have it on their computers, then it becomes so likely that any random person has it on their computer that prosecution based on only SIGINT-ish evidence would never go forward in the first place, and therefore police forces would stop bothering to even pursue such avenues of investigation.

By analogy: the existence of Photoshop protects you from a variety of criminal accusations. You might not want anyone to photoshop you into a picture of e.g. a KKK rally, but the fact that anyone easily could create such an image out of whole cloth, means that such images don't prove anything. There's a higher evidentiary bar for suspicion of guilt of such crimes in a world where Photoshop exists, than in a world where it doesn't.

And, in a world where the average person couldn't get away from random people hijacking their Internet connection without their consent, there'd be a higher evidentiary bar for suspicion of guilt of cybercrime. Which would be nice.


How do you prove the traffic wasn't sent by you, if you don't know the software that was being used to hijack your connection was even installed?


You wait for the investigation to finish and you are absolved of any wrongdoing. If they don't absolve you, then you ask this question to the judge in court.


I'm not a legal professional, but doesn't the 'innocent until proven guilty' principle apply in that scenario? See here: https://en.wikipedia.org/wiki/Presumption_of_innocence


Attorney here! (Not legal advice.)

"Innocent until proven guilty" applies to criminal guilt, i.e., to a person accused of a crime. When it comes to property, however, any evidence, or the suspected instruments used or fruits resulting from a crime can be seized solely upon the issuance of a valid warrant, and held almost indefinitely.


In the US at least... Most EU countries will have more protections in place and confiscation is much more difficult to begin with.


They may be "residential IPs" but you can do an nmap scan on the IPs to see if there are any open ports. If there are no open ports then it's likely a residential IP because of stateful firewalls on home routers. If there are open ports it's likely not a residential IP, since some kind of port forwarding would have to be enabled, which most people don't do, or a DMZ would have to be set up (even less likely). I scanned a few of the IPs returned from the curl test. Granted a small sample size, but they all have open ports. Beyond the scan I didn't try to connect to any of them via browser or otherwise. Here is what I found for the "Delcom" IP he's so worked up about:

```
$ sudo nmap 76.77.25.75
Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-29 19:21 EST
Nmap scan report for static-76-77-25-75.networklubbock.net (76.77.25.75)
Host is up (0.097s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   filtered ssh
23/tcp   filtered telnet
25/tcp   filtered smtp
53/tcp   filtered domain
80/tcp   open     http
443/tcp  open     https
5060/tcp open     sip
8080/tcp open     http-proxy

Nmap done: 1 IP address (1 host up) scanned in 331.02 seconds
```

Maybe I'm missing something here. Of course it could still be malware, but that's far from the first conclusion I'd jump to. This article is just speculation to me and the methodology seems ... bad

edit: sorry if the markdown is broken. Noob here. ;)


Won’t services like this take advantage of UPnP to open ports?

I know FluidStack which is a similar service uses UPnP to open ports that it requires. FluidStack is a service you earn money through by willingly selling your internet bandwidth though, not like Oxylabs but same idea.


First, sorry for the late reply. I don't log in often. I didn't consider malware using UPnP. But it seems to me that the probability of malware using it to make a residential IP look like a business IP (e.g. opening up ports for VoIP) is pretty low. But always possible.

I didn't know about FluidStack. Looks interesting. If you have numbers on how many people actually use such a service I would be really interested to know :)


If you are going to try to look for open ports, they certainly won't be using the standard ports. You will need to do a full scan ("nmap -p-"). But doing that is considered malicious and you can be sued. So I would advise against scanning random hosts that you do not have permission to scan.


Did they consider that maybe all the clients are NordVPN customers, i.e. your data will come from a different user's internet connection but another user's data comes from you?

With that there would be no reason to have any hidden malware practice or similar; it _could_ even be in the terms of service of some of their products...

I mean it's true that there is a lot of bs going on, but before accusing them of having hidden malware you should make sure they do, instead of just saying "that's the only way it's possible" even if it isn't the only way.


I thought the same thing. They could be using their legitimate user's connections.

But even if they're rerouting traffic through their users, and if they wrote that in the terms of service, I doubt any of their users know they signed up for this.

Which is not illegal, but still kind of sketchy.

If it's hidden in their terms of service, but not explicitly written on the content the user actually reads while subscribing, I consider this very unethical.


It would probably violate your ISP's terms of service as well. Not that I have any love or respect for ISP's but still.


That's possible. The author jumped from residential IPs to malware without further checks.


They explicitly deny this in the linked blog post.


I don't believe that NordVPN make it clear that users' connections could be treated like that (e.g. as bandwidth for other customers).

Unless they make that clear, it's not a great look.


Nobody claims that NordVPN customer connections are being used for this; the claim is that they are probably using Oxylab, which is probably using Oxylab customers' connections, which they are probably using via malware of some unspecified type, so the Oxylab users probably don't know how their connection is being used.

While some of those leaps of logic are plausible, it’s a lot of guessing.


> Think of “residential proxies” this way: 1.) Oxylabs installs some malware on to a user’s device, unknown to the user, by bundling it with other software that the user downloads. 2.)This malware enables Oxylabs to sell off your bandwidth, your computing power, and your IP address to third parties, who will route their internet traffic through your device.

There are so many providers doing something similar; it really isn't an Oxylabs / NordVPN exclusive issue.

- https://luminati.io/residential_ips

- https://www.geosurf.com/blog/what-are-residential-proxies/

- http://stormproxies.com/residential_proxy.html

- https://krebsonsecurity.com/tag/residential-proxies/

- https://multilogin.com/proxy/

- https://smartproxy.com/blog/what-is-a-residential-proxies-ne...

Based on my understanding it's people having free apps they want to monetize. They then implement a proxy company's SDK which enables this traffic sharing and get paid by them.


Having used one of these shady proxy pool services once in the past for some (pretty harmless) scraping (not especially proud of it), I seriously doubt a service like that is good enough for video streaming. Usually half of the proxies in the pool are high ping or unreachable, and the other half are only valid for at most a few minutes. Maybe I just didn’t pay enough for the gold tier or something.

Edit: Another comment pointed out that maybe only the front domain is geoblocked, but not the video CDN domains. That would make sense. Now that I think about it, youtube-dl also has a --geo-verification-proxy option that works in the same way.


Assuming a direct business relationship, there's no reason they couldn't hand-pick or filter out the good hosts, and then put the rest in the general pool.


It works perfectly for me.

https://i.imgur.com/PFITtZT.png


He wasn’t talking about NordVPN speeds. He was talking about the sort of services offered by Oxylabs, Honeygain, PacketStream and other similar proxy services.


Well isn't the whole article asserting that NordVPN is routing traffic through residential endpoints to confuse would-be VPN blockers? I thought that the allegation is that there's no distinction between the Oxylabs network and the NordVPN service.


The allegation is that they use an Oxylabs-like service for disneyplus.com specifically. Your speed test result using a Total Server Solutions LLC connection to a non-disneyplus.com destination is irrelevant to that allegation.


198.8.81.74 belongs to AS46562 Total Server Solutions L.L.C. Not a residential IP, so it has nothing to do with the practice suggested by TFA.


> It’s often the case that VPN users will find that services like Disney+ are blocked on many servers, presumably because the content provider is able to discover the VPN’s IP addresses and restrict access to those IPs.

Something that keeps bothering me about the title and content is that the VPN isn't blocking or unblocking Disney+. It's Disney+ that's doing the blocking. It's blocking the VPN's IP addresses.

If I block you from entering the building but you find a secret entrance through the air vents, you didn't unblock me, you evaded my block.

Their title and usage of blocking should be something more like: "How is NordVPN evading Disney+'s VPN-blocking?"

Great article though. This kind of stuff really needs to be more well known.

That it's possible to unknowingly be part of a botnet is a major flaw in the internet and ISP billing model. I think the only solution that has a shot is for unexpected bandwidth to lead to an unexpectedly high bill.


I'm on the lookout for a black friday VPS deal.

Between this and PIA's shady stuff I'm just gonna have to host my own. The commercial VPN scene is a cesspool.


Tooting my own horn a little, I recently wrote a short guide on setting up a home VPN, it’s working great for my needs: https://mikkel.hoegh.org/2019/11/01/home-vpn-server-wireguar... :)


Home/VPS hosted VPNs are only really helpful to mitigate a malicious ISP (or hotspot operator). If you need a VPN for identity hiding purposes (e.g. torrenting, evading IP tracking), you still need a commercial VPN provider.


Or bypassing firewalls and IP restrictions.

But yeah, if you’re doing something illegal, obviously don’t use a home VPN, duh.


Those are only good for VPN netflix or being more secure at coffee shops.


>VPN netflix

The last self-rolled VPN couldn't get past netflix or prime. Despite checking for DNS leaks etc. Either IP range was blocked or some sort of TTL mechanism


Or bypassing firewalls and IP restrictions.


Beware, I used to do this but VPS subnets are blocked in many places. And also attract a lot of attacks.


Hmm. Good point. I'll see how it goes. I mostly need it for a tablet while traveling, so nothing mission critical; CAPTCHAs could be annoying though.


What happened with PIA? I haven't heard anything.


New corporate overlords with an, ahem, checkered past.


That's the most polite way of saying "botnet delivery mechanism" I've ever heard.



Most of their customers moved to Mullvad after they got bought by people who have a severely suspect past from a privacy perspective.


Mullvad is amazing and one of the best VPN providers I have ever used.


I'm somewhat shocked that residential connections have enough bandwidth to upload a streaming video as a proxy. But maybe people using a VPN for Disney+ are just glad it works at all.

I have Comcast and my upload on a good day is 500KB/s and that cripples everything else on the network.


This article is probably wrong. You can buy IP address blocks or parts of IP address ranges assigned to other people. There is a market in residential IP address blocks, particularly for VPNs, scraping services, DOS.

These will be servers running in a data centre that have been assigned an IP address that used to be owned by comcast and is still marked as residential. And the VPN provider will have paid a premium for it.

For disney, it'll be whack a mole with these ranges, and I'm sure the VPN are doing clever things to make the ranges look innocent.


I'd guess they only proxy the main domains (which have the session cookies and probably the geoblocking criteria), but let the video serving domains (which at least in netflix are separate and "stupid") go through their normal network.


This makes sense. Thanks.


Why is your uplink so bad? Do you have a low tier plan? If not, why haven't you had Comcast fix it?


I have Comcast Business. I pay them 100 dollars a month. Even if I paid them way more they just don't offer much more upload where I live. They will give me tons of download but all their plans have anemic upload. My only other option is CenturyLink and they will give me a symmetric line. But that tops out at 12 Mbps. At least with Comcast I get a reasonable download. I live in a major metropolitan area. Five miles from where an NBA team plays home games.


I was going to say more or less this. The maximum anyone can get in my major US city for any money (other than a few areas that are trialing fiber) is 20 Mbits/sec. You literally can't pay for more.


You should try rural USA. I’m currently sitting in an area 1 hour from $65/gigabit but the best they can get here is 1.5 down .3 up.


Do you have a decent wireless signal? I get much better than that on my hotspots.


I can’t let the in-laws stream Netflix off my phone when I’m in town.

It was 3G in the area, they ran fiber last year and now their DSL can get up to a whole 10Mbps if they decide to pay $100/mo. There is no good solution yet.


Yeah, was wondering the same..


> All the most common US ISPs are there… AT&T, Comcast, Verizon, CenturyLink. IPs from Charter Communications in their Midwest, Texas, Pacwest and Northeast regions. ISPs I’ve never heard of before… who the heck is Delcom? Turns out they are serving some rural communities in Texas. Did NordVPN buy servers or connectivity from them?

I've been seeing a ton of these guys' advertising lately. If it turns out they're also reselling your bandwidth?

Still, I'd like to see someone take a peek at their local client traffic for any suspicious activity before coming to any conclusion.

Edit: I guess allegedly the 'botnet' aspect is provided not by other NordVPN users but by malware provided by companies associated with NordVPN.


> If it turns out they're also reselling your bandwidth?

Monetizing your free app through selling traffic is nothing new and there's a bunch of companies doing just that. You drop their SDK into your mobile app, they give you money and in return they get their very own "botnet".


Users should be upset that such trash is allowed on whatever stores they're hosted on.


>They promised they had nothing to do with Oxylabs, but now that assertion seems to be false.

Only if you deliberately misread the post, which is clearly saying that NordVPN doesn't use its users' devices to route traffic, unlike HolaVPN. It doesn't say they don't use Tesonet services to route traffic. They're denying being a supplier to Tesonet, they're not denying being on the demand side.


Not defending PIA, as they've been purchased by satan.net, but remember the HN posts where NordVPN was asked some very unfriendly questions by Private Internet Access? Remember everyone dismissing it as an astroturf marketing ploy?

I've been a PIA customer, and am canceling to switch to Mullvad, but PIA selling out seems not to prove they weren't right before.


Can you tell me more about Mullvad, does it have a good reputation with HN/elsewhere? Does it have common VPN problems like leaking etc? I'm looking to switch away from Nord now.


Hadn't heard of akamai pragma headers before. Used the ones from https://support.globaldots.com/hc/en-us/articles/11500399670... and it dumped a bunch of other debug info https://pastebin.com/hteaGG6N

wtf?


(This part of) Akamai's value prop rests on two things: they have servers all over the world, and they can figure out which of those are both functioning well and (network-wise) close to you. The former comes from infrastructure investment and management. The latter comes from collecting and processing data from all over the (network-wise) world, quickly. That last part involves building and updating a map of actual and potential internet traffic — not quite all of it, but for everywhere that your (prospective Akamai customer ‘you’) customers might be. Doing _that_ without owning ~all of the BGP routers in the world plus ~all of the local ISPs in the world involves a fair bit of probing, data gathering, and a bunch of math.

It’s likely that those headers don’t all get added all the time, for all the Akamai traffic, but instead are added selectively for key parts of the mapping process.

(Disclosure: I worked for Akamai Way Back When, but left the company many years ago.)


What am I missing here? Surely if this were true, Nord would be able to unblock basically every service. Netflix, prime video, etc. Would all work. That's not the case though?


I live in Mexico and use Nord VPN (or I did at least, seems like maybe I can't anymore unless I want my computer to be a proxy for arbitrary and potentially nefarious traffic). I have Amazon Prime Video, Disney+, HBO Now, Hulu, and Netflix. All work with Nord VPN running.


Ah, I think Oxydata is behind the recently defunct Oxyleads.com which seemed to publish historical scraped LinkedIn data.

They had a browser extension, maybe somebody can get a copy and see what's in common with other extensions?

https://support.oxyleads.com/hc/en-us/articles/360015036112-...


This article doesn't really make a lot of sense as there's no hard proof, just speculations of the author


Well, I just verified this article's claims with this curl request: curl --head -H "Pragma: akamai-x-get-client-ip" "https://www.disneyplus.com"

It returns different IPs for every request, and these IPs do look like residential ones.


Do an nmap scan on the IP and check for open ports. If there are open ports it's very likely not actually a residence but a business.


Not necessarily. Oxylabs could use UPnP to open ports like other similar services as FluidStack, Honeygain, etc.


> It returns different IPs for every request,

That's the really bizarre thing... I came here to ask about it after getting confused when the article implied this (30 tests, 30 different residential IPs). It seems like this shouldn't work at all if connections to the Disney plus site involve any kind of state.

Is this a content-unblocking exception, and normally everything is routed through the same NordVPN edge server? Assuming that's the case, this seems like a great way to get your account banned at Disney plus the moment they decide to crack down on this. Assuming you have a session ID cookie with the site, no legitimate user is going to be sending that cookie from a different IP address on every page load. This should be very easy for them to catch.


Does it still work if you use DNS over HTTPS? I'm curious to see if the traffic is redirected because they detected a disneyplus.com DNS request or if it's destination IP based.


Interesting. I tried the same thing and it always returns the same IP while I'm connected.

I wonder if this is the client doing something? I've never installed the NordVPN client, I only use their OpenVPN config files.


If it uses a new IP for each new request, that's a way to block this, is it not? Normal traffic will mostly keep the session on the same IP, not have a new one for each new request.


No smoking gun, sure, but some very suspicious traffic patterns. How is NordVPN getting traffic routed through so many different ISPs who generally only serve residential customers?

Hard to imagine that so many ISPs are agreeing to help NordVPN bypass geo-blocking. Pretty certain that there’s some kind of shenanigans going on.


I don’t have any experience with NordVPN, but off the top of my head, it’s not hard to imagine someone looking at an internet backbone map, doing some math, and just paying for a couple hundred residential broadband packages. (Napkin speculation: maybe 30 major markets, round up to 50. Most markets have only a couple serious residential broadband providers (sadly, in the U.S. the average is below 2), so multiply that by 3 (a big over-estimate, but in some places it’s probably worthwhile to double coverage). Sprinkle the remaining 50 around the smaller markets to make sure you have decent access into all of the major backbone loops. Ballpark it at $50/each and you could blanket the U.S. major population centers for $1k/month.)


The ISP bill is only part of the overall cost, and a small piece of it at that. You also need a physical address for that connection to be installed at, power for equipment, and someone to respond when something inevitably goes wrong (admittedly the person could cover multiple cities potentially).


Years ago, I knew a guy who wanted to do that with devices in used trailers. Managed by locally recruited "fake" residents, working as consultants. Located in trailer parks around the US.

Seemed way too iffy to me.


Any open-source OpenVPN client works just fine with NordVPN


Hey, this is an ~old thread. But I'd like to contact the author, Derek Johnson. And, having no Facebook or Google account, I can't even create a Medium account to post a comment.

So do any y'all perchance know his address? If so, please email me at the address in my profile.


All of these commercial VPN providers seem a bit sketchy to me. Roll your own on a VPS with Algo.


I don't know what this guy is doing with all this pragma stuff... Once you hook up to a NordVPN server the IP doesn't change... NordVPN has thousands of servers, I assumed that is why the content providers don't block them, because they can't keep up. Except amazon, which seems to be better at blocking than the others.

Is this guy saying that these thousands of servers are not in some data center somewhere, but actually residential malware? I'm doing some tracepath'ing (not a network guy...) and I don't see what this guy is claiming. I'm calling bs.


I think that he's saying that the connection from the NordVPN server to Disney+ is getting proxied through residential IPs.

But hey, I'm testing that now.

Edit: Using IVPN's Germany exit ...

    $ curl -LIX GET https://www.disneyplus.com -H 'Pragma: akamai-x-get-client-ip'
    ...
    X-Akamai-Pragma-Client-IP: 178.162.222.41, 178.162.222.41
... and ...

    $ w3m -dump https://ipchicken.com
    ...
    178.162.222.41


I was testing this earlier with a NordVPN US server. Akamai sees a changing IP (different from the public IP of the server) that seems to be in residential ISP IP blocks when retrieving www.disneyplus.com. For other sites on the Akamai CDN this was not true. On other sites header and public IP matched like in your example.


I've seen no definitive information about the nature of these residential proxies. They might be NordVPN customers in the US. Or they might have installed some app with a bundled proxy server. Or it could even be outright malware.

But in any case, it'd be cool if people could determine whether their devices are being used as NordVPN exits.

I've run about 300 tests so far, on a few of NordVPN's US servers. And I've hacked a simple test script, using hashed "X-Akamai-Pragma-Client-IP" values.[0]

Just save the code block at the top as "test.sh" or whatever. Then do "chmod u+x", and execute. It'll prompt "IPv4 to search for?". Type an IPv4, and hit "Enter".

This is howling in the void, I know. But so it goes.

0) https://pastebin.com/YYc9Kuax
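The Akamai-pragma check that several commenters ran by hand with curl, as an added Python example (not the commenter's pastebin script and not code from NordVPN or Oxylabs): it parses the X-Akamai-Pragma-Client-IP response header and summarises whether the client IPs Akamai saw rotate between requests and differ from the VPN exit IP reported by a non-Akamai site. The target URL, request count and exit IP are assumed to be given on the command line; the header text below is constructed for illustration.

```python
"""Probe whether a VPN transparently routes requests to an Akamai-fronted site
through rotating third-party (e.g. residential) proxies.

Sends "Pragma: akamai-x-get-client-ip" (the debug header from the thread) and
reads back "X-Akamai-Pragma-Client-IP", the address Akamai saw connect to it.
A normal VPN shows the same exit IP on every request; many distinct IPs that
never match the exit IP is the rotating-proxy pattern the thread describes.
"""
import re
import sys
import urllib.error
import urllib.request
from collections import Counter

PRAGMA_HEADER = {"Pragma": "akamai-x-get-client-ip"}
CLIENT_IP_HEADER = "x-akamai-pragma-client-ip"
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_client_ip(raw_headers):
    """Return the first IPv4 in an X-Akamai-Pragma-Client-IP header found in a
    raw HTTP header block (e.g. `curl --head` output), or None if absent."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == CLIENT_IP_HEADER:
            match = IPV4_RE.search(value)
            return match.group(1) if match else None
    return None


def analyse(observations, exit_ip=None):
    """Summarise a series of client IPs Akamai reported, one per request.

    exit_ip is the VPN exit address seen by a non-Akamai 'what is my IP' site;
    pass None if unknown (rotation alone is then the only signal used)."""
    seen = [ip for ip in observations if ip]
    counts = Counter(seen)
    proxied = [ip for ip in seen if exit_ip is not None and ip != exit_ip]
    all_differ = exit_ip is None or len(proxied) == len(seen)
    return {
        "requests": len(observations),
        "with_header": len(seen),
        "distinct_ips": len(counts),
        "proxied_requests": len(proxied),
        # rotating set of addresses, none of which is the VPN exit itself
        "rotating_proxy": len(counts) > 1 and all_differ,
        "most_common": counts.most_common(3),
    }


def fetch_client_ip(url, timeout=15):
    """Live probe (network required): HEAD request carrying the debug pragma.
    Non-2xx responses still carry headers, so they are parsed as well."""
    req = urllib.request.Request(url, method="HEAD", headers=PRAGMA_HEADER)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_client_ip(str(resp.headers))
    except urllib.error.HTTPError as err:
        return parse_client_ip(str(err.headers))


if __name__ == "__main__":
    # usage: python probe.py [url] [count] [exit_ip]   (hypothetical file name)
    target = sys.argv[1] if len(sys.argv) > 1 else "https://www.disneyplus.com"
    count = int(sys.argv[2]) if len(sys.argv) > 2 else 10
    exit_addr = sys.argv[3] if len(sys.argv) > 3 else None
    results = [fetch_client_ip(target) for _ in range(count)]
    for key, value in analyse(results, exit_addr).items():
        print(f"{key}: {value}")
```

Run it once while connected through the VPN and once without it; a "rotating_proxy: True" result with the VPN up, and the same single exit IP for a control site, reproduces the pattern the commenters reported.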


At least some of those residential ISP IPs seem to be Cisco Catalyst switches. Might that be evidence of carrier-grade NAT? But if so, how could NordVPN be proxying traffic? Hole punching, I guess.


Interesting. So their US exits must look at the target URL, and use a residential proxy if it's Disney+ (and perhaps, other juicy sites).

I'm in the process of doing this for all 1537 of NordVPN's US servers.


Did you use the NordVPN client, or stock OpenVPN?

And if the NordVPN client, what OS?


I used the NordVPN CLI client version 3.4.0-1 from a Debian bullseye PC

EDIT: package from https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/


Thanks.

So far, using the stock openvpn package in Debian, it doesn't look like the Disney+ circumvention is happening for NordVPN's US servers.

I'm guessing that the NordVPN client must do it.

And if that's the case, it may merely route traffic directly through the residential proxy, and not first through a NordVPN server. Which wouldn't be good, because someone investigating the residential proxy would see the user's IP address, rather than the exit IP address of the VPN server.


Well, I had only little time to dig further but I can confirm your findings that OpenVPN alone behaves as it should while the NordVPN client acts differently. However, wireshark says I am only communicating with the NordVPN server when connected through their client. I would love to know where the difference in configuration is. I always assumed NordVPN would just call OpenVPN with the public ovpn configs. They call the OpenVPN client with a config that is shortly deleted after OpenVPN starts but can be extracted when swapping the openvpn binary. It looks unsuspicious. A management unix socket is opened to control the OpenVPN client. I would like to know how the communication is configured.


I'm also testing now with NordVPN CLI v3.4.0-1 in a Debian 10.1.0 x64 VM with standard Gnome desktop.

I used the default settings. In particular, I didn't enable "obfuscate", which I gather uses two hops.

I'm using a crude infinite while script.[0]

And so far, I haven't come across any servers with unexpected "akamai-x-get-client-ip" for Disney.

But then, there are well over 1000 US server IPs.

So did you enable "obfuscate"? Or "CyberSec"? Or other options?

It would also help if you could share which servers showed unexpected "akamai-x-get-client-ip" for Disney.

0) https://pastebin.com/hz5due96


Damn, I can be such a dumbass.

I was testing "www.disney.com", not "www.disneyplus.com".

Now I always see residential proxies for US servers. Or SSL certificate failures, occasionally.

Edit: That's using either the Windows GUI client, or the Linux terminal client in Debian. Not using "Obfuscate", "CyberSec", or other non-default options. But residential proxies aren't used for "www.disney.com" or "paypal.com".

Also, with the stock openvpn in Debian, I don't see residential proxies being used for "www.disneyplus.com".


I have to say, the use of residential IPs as proxy for your traffic is essentially digital money laundering for data, or Data Laundering if you will. (IP laundering?)

It's one thing to use a VPN, another to use some unaware person's computer for your mischief (think about someone doing illegal stuff using this method).

Knowing how the law works in some places, and how ill-informed some law people are, I can totally see an innocent man getting locked up for illegal stuff, like hacking or other stuff that I dare not say.


If anyone here knows enough about ASNs and the RIRs to set up a company whose sole purpose was for individuals to buy/lease IPs, I would gladly help set up and run such a company. The RIRs generally don't allow individuals to have ASNs, so I assume an intermediary like this would be necessary.

But between uses like setting up a personal VPN with a clean IP or just the cool idea of having a personal IPv4 address or IPv6 block... I think it would be a viable, if rather small and niche, business.


You don't need a company to get an ASN, but you do need to show that you intend to get network connections from at least two providers, and generally that means planning; those plans are generally required as proof.

There are effectively no more clean IPv4 addresses, you'd have to buy addresses that had previously been used.

Anyone can get IPv6 addresses, even those whose ISP sucks, via tunnelbroker.net (aka Hurricane Electric), which will provide a single address, also a /64 and/or a /48. Of course they are generally blocked by streaming services since they are a form of VPN and thus the endpoint might be anywhere.


If I didn't plan on having a physical location (i.e., AWS or Colo as opposed to trying to get Comcast or any other connection to my house), what would constitute a network connection?

What are the terms of assignment via Hurricane Electric? Can they take it away? Do they only allow BGP advertisement to their sites or can I still bring the IP elsewhere?

I still think there is an opportunity for niche needs here.


At a colo or a location of your own you might hire two upstreams like CenturyLink and GTT, and since your (purchased) addresses would be reachable via either you would need to announce via BGP, which requires an ASN. At AWS the only provider is AWS and the addresses are typically single addresses (even if you special-requested 256 you might not receive a /24); further, I don't know that AWS will issue an LOA to allow you to announce their space via other providers.

An HE IPv6 tunnel is as permanent as you like, but they reserve the right to phase out the terminal you are using which sometimes means your prefix would change, and they expire unused tunnels periodically. IPv6 has builtin handling of prefix changes though it does not deal with related DNS updates, which you'd have to arrange.

An HE IPv6 assignment is from their allocation so you'd call that PA not PI, i.e., you can't take them elsewhere. To get addresses of your own you would need to apply to an LIR or RIR for an allocation -- generally easy to get a /48 without any/much documentation with a /40 generally requiring documentation but that's not free (250/yr for an ARIN allocation).


I think the main catch would be this new ASN would become known by the very companies/services trying to ban non-consumer IP blocks. Providers like DigitalOcean, AWS, and Azure are non-eyeball networks, so you see more bots and geo-shifting users (non-US users trying to avoid a geo block by Disney, for example). Any IP announced by the ASN would be known by looking at the BGP announcement and listed/blocked.

Hiding bots and other users among the huge Comcast & Spectrum IP blocks makes it harder for media companies to block them. It’s just how do you legitimately buy a bunch of consumer connections, or get users to install software to share their consumer connection, hence the NordVPN clients I assume.


Why would this ASN be classified as bots if it's meant to be for individuals?

Granted, abuse can occur. But assume US-based with basic KYC or something so that most IPs might genuinely be nerds like me using it as their IP.


Does anyone know if they’ve provided any response on this?


Wouldn't this be pretty easy to confirm by monitoring bandwidth consumption on a dormant computer running NordVPN? If bandwidth consumption is exponentially higher when their VPN client is enabled, then clearly they are passing traffic through your machine...


That is not how this supposedly works. The Oxylabs people (according to the author) put software out there (like apps, or installers, whatever) and those are infected. That's why it's hard to prove this: first link those gnarly apps to Oxylabs, next link Oxylabs to NordVPN.

This is how it could be done:

Rent Oxylabs residential IPs ($600 minimum commitment, according to [0]). Check out IPs, stop using them, hope they get rotated to NordVPN, where you'd have to monitor the IPs used. At Oxylabs pricing the only possible conclusion if a match was found would be that the services are intertwined.

[0]: https://oxylabs.io/pricing/residential-proxy-pool


Ok, well fuck NordVPN. Can someone recommend something good that doesn't log, without setting up my own entire VPN (yes I get its the only way to be sure blah blah blah. I definitely care, but not enough to waste a week doing all that)


Tutorial showing how easy setting up a personal vpn is: https://www.youtube.com/watch?v=7SSXpfd1JLw


You might look into AirVPN, they have a strong no-log policy, independent ownership, transparent list of all servers/load, guaranteed minimum bandwidth, up to 10 (iirc) port forwards with optional dynamic DNS, p2p welcome. Current Black Friday price is 64 EUR for 3yr which is much less than Nord's "deal" which looks like their usual price to me--and crypto is accepted. They also financially support various projects such as Tor, EFF, and host some open-source mirrors.


Mullvad, ProtonVPN, and iVPN tend to get recommended often.

If geoblocking isn't a concern, you could use Cloudflare's Warp, which is free. Not sure about the no-logs policy.

You could consider using Orbot, too, a Tor-as-a-proxy service for Android, if annoying captchas and broken P2P apps are acceptable.


ProtonVPN seems to be involved with Tesonet as well. I'd do some more research on them.


No, we have never used IPs or servers from them (this is publicly verifiable as our VPN IPs are public), and have no business connection with them today. Verified by Mozilla and the European Commission as well when they audited ProtonVPN, details here: https://protonvpn.com/blog/is-protonvpn-trustworthy/


if you're wasting a week doing it, I'm fairly confident that you are doing something wrong. I set up an internal VPN on my home network for ad blocking purposes (cf. Pi-hole) and it literally took less than an hour, despite that being the first time I had ever really done such a thing.

I think maybe you just need the right guide, or even something like the ansible playbook someone mentioned in a different comment that can just automate the process for you


I'm being super dramatic, even if it takes 1 hour the last thing I want is yet another server login floating around. If I were doing some serious stuff, I would do it, but I really use a VPN only when I'm at coffee shops and stuff to prevent random nonsense. I use a VPN to completely hide my tracks etc. With that said, I don't want my data to be sold to tensornet or whatever that crap company is called


oh that makes sense. my apologies, I am not particularly good at picking up on subtext on the internet. I personally don't really use a VPN at all, no particular need to since I personally believe that online privacy is an illusion that the government and corporations created to have a problem they could market a solution for. Perhaps a little tinfoil hat-y but I'm entirely convinced that there's no amount of encryption or misdirection that nation state level intelligence agencies with absurdly high budgets (and likely the collaboration of other intelligence agencies) could not reverse engineer or work around.


Well, I don't really disagree with you there :) I don't think encryption has been "cracked" but I also have no idea what entities haven't been exposed


Interesting, I'm assuming that this wouldn't be possible on iOS devices? E.g. would installing a calculator app on iOS allow someone to route traffic through my phone? (obviously without me granting vpn access to said app).


Technically possible, practically unlikely (your iOS phone would be a terrible router, giving the people who made the calculator app a slow, unreliable output node that would identify to the desired source as a lower-quality (mobile) client). In other words, it would be a bunch of extra work and risk for a worse result.

The theoretical model here is using people’s fast, stable (-ish) broadband connections to relay the connection. Even then, it’s only for the initial setup steps; once you get to the actual streaming data, nobody in this model wants to ferry those packets around.


Getting around geoblocking probably doesn't require the main video streaming connection to be through one of these IPs.


This would indeed be possible, although slow, and only when the affected app is open.


It seems that the author is getting a different IP from NordVPN each time they make a request. Does that mean Disney could block this by preventing the request from coming from another IP each time a request is made?


That would block all "first requests" which wouldn't work


After a logged in session, you could count the number of times an IP address changes, and if it changes more than 3 or something in the last 10 minutes, it's a good sign that they're using some sort of malware VPN.


Or that they could be walking around the city and connecting to different wifis, or maybe the person's connection is poor and keeps dropping and reconnecting. I'm sure there are plenty of other legitimate use cases where the IP changes frequently.

Also, bear in mind that blocking people from using it is not in Disney+'s interest. They do it just so they can prove in court they are following the copyright agreements they have. But if someone "hacks" the system, they are not incentivised to put in resources to fix the hacks so they can have fewer paying customers.


> Then I decided to give NordVPN a try, and poof, it worked like a charm. How was this possible? Residential IPs was my guess.

"Guess"? Do they route packets differently depending on the destination, i.e. if you go to one of the whatsmyip websites you'll see a NordVPN-owned IP but to a Disney server they use someone's home connection? Is that what the author says is happening here? I don't know if this is common but, while technically possible, it seems a little weird. I assume the author could just have checked what IP they were exiting from.

Edit: someone else verified it, yes indeed they use residential IP addresses: https://news.ycombinator.com/item?id=21665084
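The check this comment (and the earlier one asking which servers returned an unexpected "akamai-x-get-client-ip" result) is about: collect the exit IP that each destination reports seeing from one VPN session and see whether a particular destination gets a different exit from the rest. This is an added example, not the author's or any commenter's code. The `Pragma: akamai-x-get-client-ip` request header is the one named in the thread; the name of the response header the edge echoes the address in is not asserted here (it is matched loosely on "client-ip"), and the sample observations are constructed with documentation-range addresses.

```python
"""
Added example: detect per-destination exit IPs from one VPN session.

probe_akamai()     - live probe of an Akamai-fronted host (needs network)
find_split_exits() - offline comparison of observed exits, one per destination
"""
from collections import Counter
import urllib.request


def extract_client_ip(headers):
    """Return the value of the first response header whose name contains
    'client-ip' (case-insensitive), or None. The exact Akamai debug header
    name is deliberately not hard-coded; this is a loose match."""
    for name, value in headers:
        if "client-ip" in name.lower():
            return value.strip()
    return None


def probe_akamai(url, timeout=10):
    """Live probe: ask an Akamai-fronted host to report the client IP it saw.
    Returns None when the edge does not echo an address back."""
    req = urllib.request.Request(url, headers={"Pragma": "akamai-x-get-client-ip"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return extract_client_ip(resp.getheaders())


def find_split_exits(observations):
    """observations: {destination: exit IP that destination reported}.

    Treat the most common exit as the session's baseline (what a whatsmyip
    page would show) and return (baseline, {destination: ip}) for every
    destination that saw a different address.
    """
    baseline, _ = Counter(observations.values()).most_common(1)[0]
    outliers = {dst: ip for dst, ip in observations.items() if ip != baseline}
    return baseline, outliers


# Constructed sample: one IP-echo site plus three hosts queried through the
# same VPN session. Addresses are documentation ranges, not real observations.
SAMPLE_OBSERVATIONS = {
    "ipecho.example": "198.51.100.20",
    "www.example-a.com": "198.51.100.20",
    "www.example-b.com": "198.51.100.20",
    "www.disneyplus.com": "203.0.113.77",
}


if __name__ == "__main__":
    base, split = find_split_exits(SAMPLE_OBSERVATIONS)
    print(f"baseline exit: {base}")
    for dst, ip in split.items():
        print(f"{dst} saw a different exit: {ip}")
```

To run the live version, build the `observations` dict by calling `probe_akamai()` once per Akamai-fronted destination from inside the VPN session and adding whatever an IP-echo service reports as the baseline entry; a destination that lands in `outliers` is one the VPN routed through a different exit than it shows you elsewhere.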


The author also verified it, if you had the decency of actually reading the article rather than exiting as soon as you found some way to state that you know better.


I suppose that's fair.


As much as I love VPN services, this is indeed creepy.

I mean, why stop at using whatever app installs as exits?

Why not route a VPN service through an actual botnet?


i let my kids download apps on ios and chromeos (no android). is it technically possible for these apps to be proxying data for someone like nord?

if so, would it only be while the apps are in the foreground or can they do it in the background?


Yes. As stated elsewhere this is Oxylabs' business model and it's how a decent number of free apps monetize. I don't know how relevant background/foreground are.


Ring ding ding ding. Jackpot.

I had on my backlog to do something similar, I guess I do not have to. NordVPN is just a front for Tesonet to gather data and sell your bandwidth for bots, scrapers etc. through OxyLabs and other companies.


We block vpns/open proxies. 99% of the time a user is complaining, their main argument is so they can have "a secure Internet connection" to our site.


I don't know what your business is, but I run my own VPN (closed). I will complain if you block it for no apparent reason, because you are forcing me to interrupt a dozen connections and ongoing workflows if I want to use your service (usually I just won't).


How does your company handle these complaints?

