
UFO VPN claims zero-logs policy, leaks 20M user logs - DyslexicAtheist
https://www.comparitech.com/blog/vpn-privacy/ufo-vpn-data-exposure/
======
outworlder
Unsecured Elasticsearch, once again.

([https://www.theregister.com/2020/07/17/ufo_vpn_database/](https://www.theregister.com/2020/07/17/ufo_vpn_database/))

So ES has insecure defaults, I get that and it's been discussed to death.

But who the heck, in this day and age, exposes clusters directly to internet
traffic? I don't care what the defaults or security measures you have. DON'T
EXPOSE SERVERS.

Place them inside a VPC, preferably a private one (in AWS parlance, behind a
NAT GW). Use _something else_ to send traffic to them. If you are on AWS or
similar (but not Azure I guess), add a load balancer to it. So now access
would require creating a new load balancer, pointing to the servers in
question, adding listeners on the desired ports, and configuring the
appropriate security groups. Only then can you send external traffic. On the
specific ports you configured on both listeners and security groups only.

Do this everywhere and you are in much better shape. You still need to
configure servers correctly, but if you mess up, nothing happens, unless you
mess up many other things in an error cascade.
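As an added example (not code from the thread or from any of the providers discussed), here is a small audit in the spirit of the advice above: it reads a constructed sample in the shape of `aws ec2 describe-security-groups` output and flags any Elasticsearch port that a security group admits from a source other than the VPC's own range or another security group (such as a load balancer's). The VPC CIDR and the group ids are assumptions; no AWS calls are made.

```python
"""Flag Elasticsearch ports reachable from outside the VPC in security-group rules."""
import ipaddress
import json

ES_PORTS = {9200, 9300}                          # Elasticsearch REST and transport ports
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")   # assumed VPC range (constructed)

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# sg-es-exposed is the classic mistake; sg-es-private only admits the LB group
# and an in-VPC subnet on the ES ports (its world-open SSH rule is out of scope here).
SAMPLE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-es-exposed", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []}]},
    {"GroupId": "sg-es-private", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 9200, "ToPort": 9200, "IpRanges": [],
         "Ipv6Ranges": [], "UserIdGroupPairs": [{"GroupId": "sg-lb"}]},
        {"IpProtocol": "tcp", "FromPort": 9300, "ToPort": 9300,
         "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}]}]})


def covered_es_ports(rule):
    """ES ports admitted by one rule; IpProtocol "-1" means every port and protocol."""
    proto = rule.get("IpProtocol")
    if proto == "-1":
        return set(ES_PORTS)
    if proto not in ("tcp", "6"):
        return set()
    lo, hi = rule.get("FromPort", 0), rule.get("ToPort", 65535)
    return {p for p in ES_PORTS if lo <= p <= hi}


def offending_sources(rule):
    """CIDR sources that lie outside the VPC. Security-group references are trusted."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    bad = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        # subnet_of() only accepts same-version networks, so check the version first
        if net.version != VPC_CIDR.version or not net.subnet_of(VPC_CIDR):
            bad.append(cidr)
    return bad


def audit(describe_sg_json):
    """Return (group_id, port, source) triples for ES ports open beyond the VPC."""
    findings = []
    for sg in json.loads(describe_sg_json)["SecurityGroups"]:
        for rule in sg["IpPermissions"]:
            ports = covered_es_ports(rule)
            if not ports:
                continue
            for src in offending_sources(rule):
                findings.extend((sg["GroupId"], p, src) for p in sorted(ports))
    return findings


if __name__ == "__main__":
    for group, port, src in audit(SAMPLE):
        print(f"{group}: Elasticsearch port {port} reachable from {src}")
```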

~~~
dcow
What's the difference between a VPC and iptables? I agree that you shouldn't
expose insecure services. But why do I need to introduce an entire private
address space and cloud-managed SDN services to achieve that goal? If it
weren't industry status quo, I'd almost call you a shill for the union of ops
teams working to secure jobs for years to come. Almost.. (;

~~~
llarsson
I would think that the post you respond to either supposes a hosted service
(you do not control the server and its iptables) or that multiple layers of
protection are good for something critical.

But yes, if it's your own server, everyone should remember that regular Linux
features are darn powerful, too.

------
SAI_Peregrinus
According to The Register, UFO VPN is just white-labeling a parent
service[1]. The full list of compromised providers is thus UFO VPN, FAST VPN,
Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN.

[1]
[https://www.theregister.com/2020/07/17/ufo_vpn_database/](https://www.theregister.com/2020/07/17/ufo_vpn_database/)

~~~
ffpip
Never buy a VPN with these kinda names. You can tell they are shady from their
names and websites.

UFO, Secure, Pure VPN, etc

~~~
allarm
Which name is better in your opinion? PIA? Nord? Express? All their web sites
look alike as well.

~~~
merlinscholz
IMO, this
[https://www.privacytools.io/providers/vpn/](https://www.privacytools.io/providers/vpn/)
is currently one of the best sources on deciding for a VPN provider. Or you
could host your own on a cheap VPS.

But, there are few reasons to actually use a VPN nowadays, there was a
discussion on HN a few days back, but I cannot seem to find it at the moment.

Edit: Found it:
[https://news.ycombinator.com/item?id=23566390](https://news.ycombinator.com/item?id=23566390)

------
crusty
This feels like someone scuttling the ship.

- VPN based in Hong Kong.
- VPN claims to not keep logs but does (i.e. willing to deceive customers and
  secretly compromise their security).
- New national security law affecting Hong Kong speech and liberty.
- VPN likely to be challenged to turn over user data to Chinese authorities in
  the relatively near future.
- Hong Kongers acquiring VPN services in droves for the explicit purpose of
  avoiding Chinese state monitoring of their internet traffic and
  communications records.

If I was working at UFO and saw the risks to my fellow citizens created not
just by the company's poor security but their willingness to deceive
customers I'd worry the company would quietly hand over whatever the Chinese
authorities asked for - no "warrant canaries" or truth in advertising - and I'd
probably look to throw a figurative grenade into their operations. If that
meant data exposure, better now before they perfect the application of the new
security laws than later when everyone feels comfortable and the CCP is just
sucking up all of UFO's traffic and logs.

------
solarkraft
VPN providers are something you should have especially high standards for.
They are largely unregulated, can see all of your metadata and have an
economic incentive to sell it (IIRC some big player has been caught doing
that).

If a provider shows even the slightest amount of fishiness, instantly discard
them (NordVPN immediately comes to mind, with their weird influencer marketing
campaign).

~~~
llsf
How? I mean how do you measure VPN services? I never understood why people
working in tech would ever trust a VPN service? A VPN is seeing all your
traffic, and you have to take their word that they do not log any of it? I use
free tier AWS servers across the globe with WireGuard. It might not be
perfect, but I still prefer that to using a VPN service.

~~~
Causality1
The only standard you can really trust is when they actually get subpoenaed
and don't have anything to give to the court. An example of this is Private
Internet Access.

~~~
bitxbitxbitcoin
Piggybacking off of this, Private Internet Access (PIA) has actually had their
no logging policy "proven in court" via this method multiple times. [1][2]

Full disclosure: I work at PIA.

[1] [https://torrentfreak.com/vpn-providers-no-logging-claims-tested-in-fbi-case-160312/](https://torrentfreak.com/vpn-providers-no-logging-claims-tested-in-fbi-case-160312/)

[2] [https://torrentfreak.com/private-internet-access-no-logging-claims-proven-true-again-in-court-180606/](https://torrentfreak.com/private-internet-access-no-logging-claims-proven-true-again-in-court-180606/)

~~~
pbhjpbhj
Is there any way to prove that is not NSA, say, and set up to only catch the
biggest fish, or to always present parallel construction for criminals caught
this way?

~~~
bitxbitxbitcoin
That's an interesting philosophical question.[1][2]

[1] https://en.wikipedia.org/wiki/Burden_of_proof_(philosophy)#Proving_a_negative

[2] [https://en.wikipedia.org/wiki/Evidence_of_absence](https://en.wikipedia.org/wiki/Evidence_of_absence)

~~~
pbhjpbhj
I like you. I tend towards Pyrrhonism (or maybe I don't!) so I appreciate that
response.

Degree of proof is relative: Maybe a terror organisation uses PIA, NSA go
fishing for evidence, PIA has nothing. Terror org assassinates NSA head. PIA
could be a front, but NSA head had to be willing to lose his life to hide the
fakery, and terror org wasn't a big enough fish ... more likely you're
currently in a coma. Lots of places for false premises to creep in.

Dial it back, is there a point where there'd ever be enough evidence?

------
grensley
I wouldn't trust any VPN under China's sphere of influence.

~~~
hangonhn
That's actually not an entirely crazy idea if you're trying to hide from
Western governments. Are you more worried about the Chinese government coming
after you? Likewise, if someone in China is trying to hide from the Chinese
government, it might not be a bad idea to use an USA based VPN. Maybe string
up a bunch of VPNs in regions that are at least somewhat hostile to each other
and it might be too hard to track an IP back to its source. I guess trust no
government and use their hostility towards each other to your advantage? Just
an idea prompted by your comment.

~~~
maerF0x0
> That's actually not an entirely crazy idea if...

Except that it gives them a direct avenue into your network for their own
surveillance and other network attacks ... If you think Comcast injecting
their own JS into HTTP pages is bad, wait till you see what the d̶a̶r̶k̶ ̶a̶r̶m̶y̶
CPC could do with such power...

~~~
vangelis
What's stopping any domestic TLAs from doing the same though?

~~~
maerF0x0
It's more about trust. I trust them to try their best to be benevolent.

------
Mandatum
Oeck claims no-logs and details how they've achieved that (they don't even
have hard drives). Support is responsive, you'll be responded to by those who
actually built the platform. They're planning support for WireGuard.

Unfortunately they have admins in Australia which has some pretty hefty laws
similar to those in the US (look at gag-orders issued, and recent responses to
media outlets for publishing vetted and leaked data). You can find their intro
post in Whirlpool forums.

They configure a PXE and have a system in place for distributing the OS in
each region (and thus each data center).

For debugging issues they try to replicate things on a local environment and
my assumption is if there's any networking issues, they likely have a node on
the same data center they can remote to, to test connectivity issues - however
functional issues require replication locally. No SSH access to the box.

So I think for now, Oeck or Mullvad are good choices. I only wish these
services did 1 thing differently - and that is, release a live video stream of
their server farm's rack and video-document the entire process of compiling
and shipping their hardware, as well as the systems in place for loading the
OS to ensure no exfiltration of data from malicious services or agents on the
box.

This could be done relatively cheaply - I'm surprised none of the VPN
providers have yet. A fish-eye lens attached to a webcam on a rack would be
cheap to install. It's the closest thing we have to proof a VPN server hasn't
been owned without a zero-day. If you're using up-to-date services, a LEO,
government or APT using a zero-day to own your server is really the only means
of exfiltrating user data in this environment.

~~~
throwwwaway
> I only wish these services did 1 thing differently - and that is, release a
> live video stream of their server farm's rack

This is security theatre. Anyone wanting to surreptitiously access the server
farm only has to stream an alternate video to defeat this.

~~~
movedx
But it still builds trust in the brand.

No one is safe from a state actor.

~~~
throwwwaway
Trying to gain trust against something you have no control over is the very
definition of security theatre.

~~~
movedx
Um, no.

I'm saying that staff can be observed as behaving correctly, professionally,
and more. This would build trust in the brand from multiple perspectives, not
just security.

There have been a few cases in which this has turned around public opinion re:
trust.

------
novok
I've come to the sad realization if you want anything approaching no logs,
you're going to have to use something slow like tor, or you're going to have
to do the illegal thing and make a botnet.

VPNs are only useful for avoiding ISP / local network surveillance like
Comcast, your workplace, your school, airports, etc and to avoid DMCA scare
letters. Making your own with a VPS is worse, since VPSs log on some level and
directly forward the DMCA scare letters to you.

~~~
solarkraft
What about chaining VPNs? Even at 2 they'd have to cooperate to unmask your
traffic, right?

Somewhere in the back of my mind is stored that minimaxir does this, but I
couldn't confirm it with a quick search.

Edit: I was actually thinking of mirimir.

~~~
amscanne
Provider#1 only knows all traffic goes to provider#2. Provider#2 knows
everywhere your traffic goes. They don't know your IP, but you need to log in,
so they know who you are anyway.

~~~
pbhjpbhj
I think you need 3 levels. First level gets you to the second level. 2nd gets
access to web-based email and bitcoin or single-use credit card payment to get
the third level, which accesses data.

Obviously you use assumed identity.

With only two layers you'd need to access emails, say, for account
confirmation direct from your own system; with 3 you put a VPN in that gap.

Do VPNs re-pack and modify the timing on packets they pass on to clients? It
seems like they'd need to if they're to avoid coordination attacks.

I'm recalling how a research paper showed an extraordinarily high number of
pages visited (80%) over HTTPS could be identified using page size alone. If a
TLA is watching all traffic into and out of a VPN's server can they pair
upstream traffic to downstream clients at all?

------
chmod775
This was necessarily going to happen at some point and I hope it serves as a
cautionary tale to not blindly trust "no logs" claims.

~~~
boogies
This isn't the first time VPNs with those claims have turned out to have them,
they've been used as court evidence IIRC.

Edit: [https://proprivacy.com/privacy-news/no-logs-ipvanish-hands-logs-homeland-security](https://proprivacy.com/privacy-news/no-logs-ipvanish-hands-logs-homeland-security)

------
orliesaurus
What's the most trustworthy VPN that HN users recommend? My 3 year
subscription to my local one is about to run out! Looking for advice on what
is trusted nowadays!

~~~
nullc
No such thing. You would be better off renting an inexpensive VPS and running
your own VPN on it.

Public VPN services have to be the one of the greatest lemon markets to have
ever existed:

You want people's private data? People will _pay_ you to give it to them. Go
ahead and sell the service for less than it costs due to the boatloads of data
that you get.

People realize this, so you end up getting a disproportionate number of
customers that don't worry about you getting their data because they're only
using the service to behave abusively... which drives up costs.

So an honest provider has to deal with dishonest competition selling below
cost and a customer base that is saturated with problem customers because good
customers are savvy enough to avoid VPNs.

~~~
SAI_Peregrinus
Running your own VPN provides no privacy, since you're the only user.

Of course other VPNs don't provide privacy either. The belief that they do is
due to marketing, and misunderstanding what the "Private" part of VPN means:
it means that two non-publicly routable IP networks (10/8, 172.16/12,
192.168/16) are virtually joined into one network. VPN companies took
advantage of this (and that the connection is usually encrypted) to imply that
they offer a privacy product.

The main use of a commercial VPN is to bypass region locks and other legal
controls that depend on location. Pick a VPN provider (or VPS host) in a
jurisdiction that won't cooperate with your home law enforcement. Assume the
VPN provider spies on all your traffic.

~~~
mlthoughts2018
This is such a deeply misleading statement.

Privacy fundamentally is about keeping things private ... _from someone_.

If that someone is everyone, then nothing is private. Any sufficiently
powerful entity can just overpower you, torture you into submission, guarantee
a backdoor into a system you thought was cryptographically private, etc.

I for one do pay for a VPN service, because it keeps my home traffic stream
private from _some people_ - namely my ISP - with high probability.

It also obfuscates various types of traffic I generate and makes it harder,
though I agree not impossible, to collate my traffic into a usable form for
spying agencies.

For me that’s easily worth paying ~$100/year for someone else to manage, and
if they base their business reputation on not collecting logs, etc., there’s
enough incentive to trust that while also staying vigilant to verify what I
can and switch providers if they are shown to be lying.

Self-hosting a vpn is utterly not an alternative for my use case, not even for
technical reasons as I am an engineer who works on production web services all
day. Just from a cost effectiveness / value POV, third party vpn vendors are a
good solution for me.

~~~
SAI_Peregrinus
Right, I overspoke. It provides no _extra_ privacy, against anyone except your
ISP. If they're the threat, AND you're able to safely assume that the VPN
provider is less of a threat, THEN it provides some privacy.

------
notyourwork
The old saying "trust but verify" always seems to come up. Companies claim x
and we find it to be untrue. They apologize, share a statement that they will
do better and the cycle continues. Is anyone else tired of the tomfoolery?

~~~
tremon
Do you have a suggestion on how to verify the claims of a company you only
interact with over the Internet?

(edit: not that I disagree with you, I honestly don't see a practical way to
do that. It's not like security seals have proven their worth in pixels
either)

~~~
Enginerrrd
The sensible thing to do is to assume a cynical mind. Unfortunately, with
stuff like this, you'll probably be more often right than wrong, though you
may never find out.

------
scalableUnicon
With WireGuard, it is easy these days to set up a VPN on our own server
([https://www.freecodecamp.org/news/how-to-set-up-a-vpn-server-at-home/](https://www.freecodecamp.org/news/how-to-set-up-a-vpn-server-at-home/)).
Obviously it won't give us anonymity, but it is a good choice for security
when browsing from public wifi.

------
neurostimulant
On a reddit thread about this news, they mentioned that the company behind UFO
VPN (Dreamfii HK Limited) is actually owned by Lippo Limited, which is owned
by Lippo Group. I can't find any information on the web that backs this though.
But if this is true, this kind of shenanigans (saying they don't keep logs but
actually keep them anyway, then leak them due to sheer incompetence) is not
surprising considering Lippo Group's well known history of corporate
malpractice and screwing up their customers and partners alike. How companies
this shrewd (so shady and well known they became a meme) continue to survive
(and thrive!) is beyond me. Maybe there is money in screwing people after
all.

------
ornxka
I don't know why anybody ever cared about logging policies. How would you even
know if they keep logs or don't, or what they do with them if they do?

~~~
jliptzin
You can’t possibly know. You have to just assume all VPN companies are logging
your activity indefinitely regardless of what they say. Though I suppose you’d
rather go with a VPN company that claims it doesn’t do any logging, over one
that says it does.

~~~
dhaavi
Exactly. The only way is to make logs useless to begin with. See my comment
earlier:
[https://news.ycombinator.com/edit?id=23881148](https://news.ycombinator.com/edit?id=23881148)

------
motohagiography
Know what's valuable? Internet traffic from people who think it's important
enough to hide, and who have technical skills to get jobs with them. The value
of privacy viewed this way would mean that a truly private VPN service would
be hugely expensive, like the way a new Rolls Royce is priced at 50x that of
what you need to get from A to B.

------
vmception
VPN providers are just internet resellers with a side business of affiliate
marketing other VPN providers comparing “privacy” claims and acting unbiased

I’m amazed at the smart people that fall for that

The best test are court cases where investigators were stonewalled by a
particular VPN provider

If you don't want the US knowing something but don't mind China knowing
something, Express VPN got you

------
sys_64738
More important is that all this internet traffic is routed through China.
Explicit MITM attacks are a courtesy.

------
mywacaday
Why would you trust a VPN when any TLA/CIA/NSA/FBI can set up 1/10/100 options
relatively cheaply. Unless you go through TOR or use a false MAC address you
have no guarantees, even then fingerprinting and fake TOR exits points are a
serious risk if you are trying to be truly anonymous.

------
thecleaner
I think that at this point it is far easier to just set up a SOCKS proxy with
a cloud based machine than to research which firms have shady practices and
which don't. I went into a wormhole over NordVPN vs PIA vs ProtonVPN and then
just went with a proxy server. Costs peanuts with the cloud compute ecosystem.

~~~
gruez
> then just went with a proxy server. Costs peanuts with the cloud compute
> ecosystem.

The problem with personally operated VPN servers is that all the traffic ties
back to a single user: you. This is fine if you're on a malicious network and
need a secure exit node for your data, but for anonymity (eg. ad tracking,
DMCA) it's objectively worse.

------
paulie_a
If they promised no logs why did they take the extra steps to log. That's the
opposite of a lazy mistake.

------
M2Ys4U
How can you tell when a VPN provider is lying when they say they don't collect
logs?

They say that they don't collect logs.

~~~
dhaavi
The only way is to make logs useless to begin with. See my comment earlier:
[https://news.ycombinator.com/edit?id=23881148](https://news.ycombinator.com/edit?id=23881148)

------
noxer
[https://news.ycombinator.com/item?id=21326484](https://news.ycombinator.com/item?id=21326484)
still valid

------
neycoda
Why does anyone think with the prevalence of "free" VPN that these companies
aren't storing and selling the crap out of your info?

------
kristopolous
Entrusting a third party to only play the role of protecting your privacy
always sounds like a dangerously bad idea.

They've got no dog in the fight.

------
jijji
If you want a VPN you're better off running squid on a $5/month VPS box, less
likely this kind of nonsense happens.

------
scoot_718
You can't trust firms hosted in HK anymore. It's as tainted as China is.

------
LargoLasskhyfv
Must have had an encounter with an unidentified filing object...

------
HungryHarold
There needs to be a serious rethink of VPN services

~~~
dhaavi
We did exactly that.

See my comment earlier:
[https://news.ycombinator.com/edit?id=23881148](https://news.ycombinator.com/edit?id=23881148)

------
hdjrkrmfkt
Can you chain two VPNs?

~~~
bitxbitxbitcoin
Yes you can.

~~~
dhaavi
While you can, this is really hard. Let us do it for you.

See my comment earlier:
[https://news.ycombinator.com/edit?id=23881148](https://news.ycombinator.com/edit?id=23881148)

------
strombofulous
Can the title be updated to include the name of the "firm" (article says "Hong
Kong-based VPN provider called UFO VPN")?

@dang

------
triceratops
@dang: can the title be changed to "UFO VPN claims zero-logs policy, leaks 20M
user logs". So users don't have to click through to the story to find out
which firm?

~~~
dang
Ok done.

Edit: I also changed the URL from [https://www.hackread.com/vpn-firm-zero-logs-policy-leaks-20-million-user-logs/](https://www.hackread.com/vpn-firm-zero-logs-policy-leaks-20-million-user-logs/) to what seems to be the original source.

~~~
triceratops
Thanks!

