
Post-FCC Privacy Rules, Should You VPN? - sushobhan
https://krebsonsecurity.com/2017/03/post-fcc-privacy-rules-should-you-vpn/
======
a_imho
_As shocking as this sounds, virtually nothing has changed about the privacy
of the average American’s connection to the Internet as a result of this
action by Congress, except perhaps a greater awareness that ISP customers
don’t really have many privacy protections by default._

~~~
mirimir
Whether anything changed substantially is arguable.

But there's no doubt that ISP customers are sitting ducks. VPNs took off after
Snowden leaked. And they're taking off again now. So sure, maybe nothing
changed. But as you say, it's a wakeup call.

~~~
devoply
If you use mostly SSL services, isn't all that you are leaking to your ISP the
domain name/IP of the site you are visiting? You are leaking the same thing to
Google if you use their DNS server, and they are free to do with that info
whatever they like... or any other DNS provider for that matter.
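The hostname leak described in the comment above is not only a DNS matter: the TLS handshake itself carries the server name in cleartext (the SNI extension), before any key is negotiated. The block below is an added example, not code from the original thread; it builds a constructed, minimal TLS 1.2 ClientHello for a chosen hostname and then parses it the way a passive on-path observer would, pulling the SNI back out. The record layout follows RFC 5246; the random bytes and cipher-suite list are constructed sample values.

```python
import struct

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000


def _u16(n: int) -> bytes:
    return struct.pack("!H", n)


def build_client_hello(hostname=None) -> bytes:
    """Build a minimal, constructed TLS 1.2 ClientHello record (sample input,
    not a real capture). hostname=None omits the SNI extension."""
    body = b"\x03\x03"                    # client_version: TLS 1.2
    body += b"\x11" * 32                  # client random (fixed, constructed)
    body += b"\x00"                       # session_id length: 0
    suites = b"\xc0\x2f\xc0\x30"          # two cipher suites (sample values)
    body += _u16(len(suites)) + suites
    body += b"\x01\x00"                   # one compression method: null
    extensions = b""
    if hostname is not None:
        name = hostname.encode("ascii")
        entry = b"\x00" + _u16(len(name)) + name      # name_type host_name(0)
        sni = _u16(len(entry)) + entry                # server_name_list
        extensions += _u16(EXT_SERVER_NAME) + _u16(len(sni)) + sni
    body += _u16(len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + _u16(len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI hostname carried in a ClientHello record, or None.
    This is what an on-path observer such as an ISP can read: the ClientHello
    is sent before any encryption is negotiated."""
    try:
        if len(record) < 5 or record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != CLIENT_HELLO:
            return None
        end = 4 + int.from_bytes(hs[1:4], "big")
        p = 4 + 2 + 32                                  # skip version + random
        p += 1 + hs[p]                                  # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]    # cipher_suites
        p += 1 + hs[p]                                  # compression_methods
        if p + 2 > end:
            return None                                 # no extensions block
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            data = hs[p + 4:p + 4 + elen]
            p += 4 + elen
            if etype != EXT_SERVER_NAME:
                continue
            q = 2                                       # skip server_name_list length
            while q + 3 <= len(data):
                ntype = data[q]
                nlen = struct.unpack("!H", data[q + 1:q + 3])[0]
                q += 3
                if ntype == 0:                          # host_name entry
                    return data[q:q + nlen].decode("ascii", errors="replace")
                q += nlen
    except (IndexError, struct.error):
        return None                                     # truncated or malformed
    return None


if __name__ == "__main__":
    for host in ("example.com", None):
        rec = build_client_hello(host)
        print(f"SNI seen on the wire: {extract_sni(rec)!r}")
```

The parser only walks the handshake framing; it never needs a key, which is the point. A VPN moves this ClientHello inside the tunnel so the ISP sees only the tunnel endpoint, but the VPN provider then sees the same hostname.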

~~~
zaroth
An interesting example of this: the allegation of a Trump Tower server
communicating secretly with Russia was all based on DNS logs.

Where did these logs come from and how/why were they shared...?

[1] [https://news.ycombinator.com/item?id=12841288](https://news.ycombinator.com/item?id=12841288)

------
Esau
Maybe this change is more about making sure that ISPs continue to have their
own incentive to keep user browsing histories - which in turn can be used as
an intelligence data source.

~~~
ythn
> which in turn can be used as an intelligence data source.

I find it ironic that so many people are distrustful of the government in some
areas (intelligence, defense), yet at the same time wanting the government to
take a bigger and more central role in their lives (social services, etc.).
It's the same government across the board.

~~~
mistersquid
> It's the same government across the board.

This is an overly simplistic view of a complex bureaucratic entity, the US
government.

There are restrictions about the ways in which governmental agencies may share
information, and violations of such restrictions are considered serious and
are sanctioned as such when they come to light.

This is entirely ignoring the fact that the goals of the various
organizations, different departments, and innumerable individuals are often at
cross-purposes.

In other words, the presence of governmental authority is not the same as the
oppression and exploitation of citizens as a matter of course.

EDIT: clarify/reword second sentence.

------
ge96
I live with someone else who pretty much controls the wifi/router (billing
account); I pay for it too. Anyway, how do I explain the need to do this? Are
there notable adverse effects besides being targeted for certain products?
It's hard to argue with this person; whenever I bring up stuff like "Hey man,
don't be so quick to connect to open wifi" it's meh... rah rah rah... and I'm
not really great at arguing, I'll admit, and I can't prove/explain why it's bad
to use free public WiFi. I just think of apps that are already logged in, and
if they're not using HTTPS. "Packet sniffing" but what is that... hahaha my
internet bandwidth says one thing, sad single man, no need to study my data
hahaha

edit: also last time I tried to set up/use VPNs they either cost money or I
couldn't get it to work. With regard to using Tor, it's super laggy, which is
understandable.

Ahh well I think for now I'll be a "stick my head in the sand" guy since this
seems like a lot of trouble to get more than one person to agree/implement it,
especially being in my situation. Still sucks though, what the hell, always
about the money.

~~~
mirimir
You don't need to set up VPN in the router. Decent providers have Windows and
OSX apps that just work. Getting leak-free VPN connections on smartphones is
harder, however.

~~~
ge96
Why only smart phones?

Yeah I guess I was thinking when I considered having to make it work for both
of us. Although... I don't know pretty tired right now can't quite think.

I didn't mean to imply "in the router"; I meant route traffic to the VPN. I
guess I wouldn't have to tell the other person that we're now using a VPN,
assuming the internet speed isn't affected; we're using the 1000Mbps Google
Fiber (haha ridiculous I know).

edit: throttle = better? Can't seem to reply to your post. Oh well, I don't
want to replace Reddit with Hacker News haha, I used to be on Reddit but
banned myself. I talk too much, especially more important to my clients when I
go through what I'm thinking/doing word for word on Slack for example Jesus...
self control is my problem, case in point.

~~~
mirimir
I don't know Android or iOS, so I'm just repeating what I've read. I vaguely
understand that, because you lack administrative privileges, you can't readily
control how particular apps access the Internet. Maybe someone could clarify
for us?

If you just run VPN clients in your devices, there will be no effect on the
other person's devices. If anything, using VPNs will throttle your
connections, so they'll have better speed. That's especially likely with a
gigabit uplink.

~~~
ge96
Oh that's right I remember, Jesus I was off. Yeah I was trying a few; can't
remember if I tried OpenVPN, AirVPN, and TunnelBear or something. Had to work
on the command line... yeah I couldn't get it to work if it was a free one (not
free, I wasn't trying to pay). Yeah I feel dumb now with the external
configuration question.

Anyway thanks for your time, I suppose if I really needed/wanted to I can
figure it out, I think I can read haha.

~~~
mirimir
It's hard to get honest advice about VPNs, as Brian describes. That One
Privacy Site has a good summary of what VPN providers say about themselves.[0]
I tested a bunch of VPNs in Windows and OSX, and found several that I couldn't
make leak.[1] There are relatively unbiased discussions on Wilders Security
Forums.[2]

0) [https://thatoneprivacysite.net/](https://thatoneprivacysite.net/)

1) [https://vpntesting.info/](https://vpntesting.info/)

2) [https://www.wilderssecurity.com/categories/privacy-related-topics.39/](https://www.wilderssecurity.com/categories/privacy-related-topics.39/)

~~~
ge96
Thanks a lot for these links. Starting your count from 0? Come on now... haha.

------
mirimir
As Brian notes, VPNs can leak DNS lookups and IPv6 traffic. There can also be
leaks if the uplink gets interrupted. So one should use either the VPN's DNS
server, or a reliable third-party DNS server. One should also have firewall
rules that allow _only_ connections to the VPN server on the physical network
adapter. All other traffic, including DNS lookups, should be restricted to the
VPN tunnel.
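The comment above describes the policy in words: default-deny on the physical adapter, with the VPN endpoint as the only exception, and every other flow (DNS included) confined to the tunnel, so that an interrupted uplink drops traffic instead of letting it fall back to the ISP. The block below is an added example, not code from the original thread or from any VPN product. It models that policy as a small evaluator over constructed sample flows, then renders the same policy as an nftables ruleset. The interface names `eth0`/`tun0`, the endpoint `203.0.113.10:1194/udp` (a TEST-NET placeholder), the LAN range and the table/chain names are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    iface: str              # interface the packet would leave on
    proto: str              # "udp" or "tcp"
    dst: str                # destination IPv4/IPv6 address
    dport: Optional[int]    # destination port


@dataclass
class KillSwitchPolicy:
    """Default-deny egress policy: only the VPN endpoint (and optionally the
    LAN) may be reached over the physical adapter; everything else must use
    the tunnel interface. All names and addresses here are assumptions."""
    phys_iface: str = "eth0"
    tun_iface: str = "tun0"
    vpn_server: str = "203.0.113.10"    # placeholder endpoint (TEST-NET-3)
    vpn_port: int = 1194
    vpn_proto: str = "udp"
    lan: Optional[str] = "192.168.1.0/24"

    def allows(self, flow: Flow) -> bool:
        if flow.iface in ("lo", self.tun_iface):
            return True   # loopback and anything already inside the tunnel
        if flow.iface != self.phys_iface:
            return False
        if (flow.proto == self.vpn_proto and flow.dst == self.vpn_server
                and flow.dport == self.vpn_port):
            return True   # the tunnel's own outer connection
        if self.lan and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.lan):
            return True   # LAN exception (printer, router admin page)
        # Everything else on the physical adapter is dropped: DNS to the ISP
        # resolver, IPv6 around the tunnel, and any fallback if tun0 goes down.
        return False

    def render_nft(self) -> str:
        """The same policy as an nftables ruleset (table/chain names assumed).
        'ip daddr' only matches IPv4, so IPv6 on eth0 falls to the drop policy."""
        lines = [
            "table inet vpn_killswitch {",
            "  chain output {",
            "    type filter hook output priority 0; policy drop;",
            '    oifname "lo" accept',
            f'    oifname "{self.tun_iface}" accept',
        ]
        if self.lan:
            lines.append(f'    oifname "{self.phys_iface}" ip daddr {self.lan} accept')
        lines.append(
            f'    oifname "{self.phys_iface}" ip daddr {self.vpn_server} '
            f"{self.vpn_proto} dport {self.vpn_port} accept"
        )
        lines += ["  }", "}"]
        return "\n".join(lines)


# Constructed sample flows, keyed by the leak (or legitimate use) each represents.
SAMPLE_FLOWS = {
    "dns via tunnel to VPN resolver": Flow("tun0", "udp", "10.8.0.1", 53),
    "vpn outer connection":           Flow("eth0", "udp", "203.0.113.10", 1194),
    "dns leak to ISP resolver":       Flow("eth0", "udp", "8.8.8.8", 53),
    "ipv6 leak around the tunnel":    Flow("eth0", "tcp", "2001:db8::1", 443),
    "fallback when tunnel drops":     Flow("eth0", "tcp", "198.51.100.7", 443),
    "lan printer":                    Flow("eth0", "tcp", "192.168.1.20", 9100),
}


def evaluate(policy: KillSwitchPolicy) -> dict:
    """Map each sample flow name to whether the policy lets it out."""
    return {name: policy.allows(f) for name, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    policy = KillSwitchPolicy()
    for name, ok in evaluate(policy).items():
        print(f"{'ALLOW' if ok else 'DROP':5} {name}")
    print(policy.render_nft())
```

The evaluator and the rendered ruleset express one policy, so a change to the endpoint or interface names updates both. Whether the ruleset applies cleanly on a given host still has to be checked with `nft -c -f`, and the DNS half of the advice (point the resolver at the VPN's DNS server, reachable only through `tun0`) is configuration outside the firewall.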

~~~
theprotocol
There's also the side-channel leak that occurs when you connect to an
authenticated service on your regular connection (e.g. Skype), and then again
through your VPN. It identifies you as a user of the VPN and can provide
patterns that hint at which VPN traffic is yours. Multiply this by the number
of services (including ones you don't know you use, e.g. Windows background
services).

WebRTC leaks your real IP as well, and cannot be disabled on Chromium-based
browsers. It's becoming an increasingly popular technology.

I'd like to see mainstream operating systems support isolation for
connections.

~~~
arkadiyt
There is an official (from Google) Chrome extension to route WebRTC traffic
through your VPN IP address:
[https://chrome.google.com/webstore/detail/webrtc-network-limiter/npeicpdbkakmehahjeeohfdhnlpdklia](https://chrome.google.com/webstore/detail/webrtc-network-limiter/npeicpdbkakmehahjeeohfdhnlpdklia)

~~~
theprotocol
I thought the consensus on such plugins was that they didn't work reliably.
It's been a while since I looked into it, but back when I tested this plugin,
my browser failed an online WebRTC leak test.

~~~
arkadiyt
I just tried the following and they all had no IP or my VPN IP:

- [https://www.perfect-privacy.com/webrtc-leaktest/](https://www.perfect-privacy.com/webrtc-leaktest/)

- [https://browserleaks.com/webrtc](https://browserleaks.com/webrtc)

- [http://whatismyipaddress.com/webrtc-test](http://whatismyipaddress.com/webrtc-test)

- [https://zpn.im/webrtc](https://zpn.im/webrtc)

- [https://www.vpnmentor.com/tools/ip-leak-test-vpns-tor/](https://www.vpnmentor.com/tools/ip-leak-test-vpns-tor/)

~~~
mirimir
It's pretty easy to _block_ WebRTC, with plugins and/or firewall rules. But
I'm guessing that getting WebRTC to work through the VPN tunnel is not so
easy. I've never tried it.

------
ghughes
It'd be neat if there were an app for one-click deployment of OpenVPN using
one's own AWS or Azure account. That would be much safer than picking from a
list of shady VPN providers.

~~~
slaymaker1907
That seems like it could get rather expensive in terms of bandwidth. From
some napkin math I did using
[https://aws.amazon.com/ec2/pricing/on-demand/](https://aws.amazon.com/ec2/pricing/on-demand/),
even 100GB of data would cost $9. That doesn't even include the cost of
reserving the instance itself, just the bandwidth costs.

~~~
vitus
Azure costs the same for network, apparently (up to 40TB), providing that you
stay within US/UK/Canada. [0]

Google Cloud is supposedly cheaper in terms of network ($0.01/GB -> $1 for
100GB) if you're primarily visiting US sites [1]. Still potentially expensive
either way, depending on your network usage.

You could use an always-free f1-micro GCE instance [2] and run OpenVPN on it
24/7, although configuration might take a bit of time (read: half an hour,
tops? I'm assuming it's no harder than the equivalent software-based option on
EC2).

I know on the other hand, Amazon's always-free tier doesn't include EC2 (it is
included in their free tier, but that only lasts for 12 months). [3]

Disclaimer: Google pays me money to write code and stuff, so I'm probably
biased. I've also never actually used GCE, but that's because I still have a
bunch of AWS credits, among other reasons.

[0] [https://azure.microsoft.com/en-us/pricing/details/bandwidth/](https://azure.microsoft.com/en-us/pricing/details/bandwidth/)

[1] [https://cloud.google.com/compute/pricing#general](https://cloud.google.com/compute/pricing#general)

[2] [https://cloud.google.com/free/](https://cloud.google.com/free/)

[3] [https://aws.amazon.com/free/](https://aws.amazon.com/free/)

------
letmein
[https://wikileaks.org/bnd-inquiry/docs/Sek/MAT%20A%20Sek-13-3-q.pdf](https://wikileaks.org/bnd-inquiry/docs/Sek/MAT%20A%20Sek-13-3-q.pdf)

That pdf from the NSA in the BND documents on Wikileaks clearly shows that NSA
decrypts VPN, both IPSEC and PPTP, in real time and in bulk.

The BND leaks came out what, over a year ago? 20,000 "hackers" attended the
most recent Defcon.

How not one person notices this slide deck, including Assange himself, is
pretty shocking in itself.

Hello, McFly, is anybody whose job earns 6 figures in Infosec paying
attention?

Why is the Computing industry so asleep at the wheel? Yet the Brogrammers
cranking out widgets for Startup Inc think they're the smartest guys in the
room.

The arrogance from all the fake paper billions in this industry has made
everyone lazy and dumb.

NSA LOVES it when the sysadmins are lazy and dumb. They're so much easier to
hunt.

Of course that slide deck presents more technical questions than answers, but
it proves VPN is no longer the Silver Bullet we once thought it was.

"Well that's what they're supposed to do, NSA is just doing their job, so
that's not my Department" you say.

Yeah, well look at how careless NSA is with Cyberweapons and exploits. They
lost the Keys to the Kingdom to the Shadowbrokers, and god only knows what
else they lost that they never tell us about.

It is entirely reasonable to believe NSA lost their VPN exploit pack too.

Try to imagine the chaos that's possible in a scenario like that.

We might as well not have ANY security.

Which is funny, because yet again, RMS was right! His tales about the MIT
Media Lab in the 70's where he rejected new mandatory security policy and
instead all users of the system shared the sysadmin's password.

The honor system used to work. As a system of trust, high trust small tribes
will always be better than any artificial security mechanisms.

We as an industry need to somehow get back to that. Trust in computing is only
going to get worse, the hacks are going to become deeper as they copycat NSA's
methods of industrial scale, and the consequences are truly unknowable.

Skynet and Mr. Robot could end up looking like naive optimism.

------
MrWizard42
Yes.

[https://top10vpns.com](https://top10vpns.com)

------
ktta
I had a question[1] regarding this. Any Canadians here?

[1]:
[https://news.ycombinator.com/item?id=13983728](https://news.ycombinator.com/item?id=13983728)

~~~
wheelerwj
answered there, but copied here:

You should assume that every thing that happens in the US is happening in
Canada. As a member of the Five Eyes, the G7, and G8, our policies are closely
linked.

I believe that Canada's ISPs might have stricter data protection laws, but
really you should have been using a VPN well before this latest policy change.

------
no_wizard
For those who want to use a VPN, but don't want to pay for it as a service
because of all the arcane issues that can come with it, and of course have
some hardware laying around, I recommend using StrongSwan
([https://www.strongswan.org/](https://www.strongswan.org/)) + Stunnel
([https://www.stunnel.org/index.html](https://www.stunnel.org/index.html))
instead of openVPN.

Why strongswan? Because setting up a VPN properly, and securely (that's very
important) is hard! And I feel, personally, that openVPN is _a lot_ for people
to take in. I know it was for me, and I'm not ill experienced.

Strongswan is also open source, and they have a lot of very good documentation
including cryptographically verified 'plug n play' (mostly) setups:

[https://wiki.strongswan.org/projects/strongswan/wiki/UsableE...](https://wiki.strongswan.org/projects/strongswan/wiki/UsableExamples)

While I'm at it, they have a wonderful entry on their wiki with security
recommendations:

[https://wiki.strongswan.org/projects/strongswan/wiki/Securit...](https://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations)

From just my experience, and dealing with the community, and from what I
understand from others much more educated in these matters, their usable
configurations are indeed very good.

Strongswan of course supports pre-shared key authentication and certificate
authentication in lieu of username/password. They also can take advantage of
CA-certs for encrypting your conversations over SSL/TLS (think: letsencrypt!)

It also has the latest versions available, you can install on routers that
support openWRT, lede-project.org and I believe DD-WRT has this as an option?
I couldn't say for sure.

Why do I recommend stunnel though if it can use a valid CA SSL cert on its
own? Mostly because Stunnel can re-direct any traffic over SSL (I recommend
you do this wherever you can; stunnel is insanely useful for just this basic
encryption of traffic, because you can make ANYTHING run over SSL with it) and
it's insanely simple to set up, whereas setting it up with strongswan as one
of its modules is a little more complicated.

Also, stunnel will redirect your traffic based on ports. So you can have
stunnel listen on 443 and route the traffic to whatever port you are running
your VPN service on. This gets around potential blocks on say, corporate
networks, or public wifi, or even just ISP snoopage.

I feel like paying for a VPN if you don't have to is a waste compared to
having your own. OWN YOUR TRAFFIC! It's the only way to ensure any semblance of
privacy.

------
AdeptusAquinas
Simpler solution is just to move to a saner country: Canada, Australia, New
Zealand, the UK (for now) etc. Places where ISPs don't operate as monopolies,
and/or places where the government isn't completely for profit.

~~~
arkadiyt
The UK has awful internet/privacy laws, much worse than the US even.

[https://en.wikipedia.org/wiki/Internet_censorship_in_the_Uni...](https://en.wikipedia.org/wiki/Internet_censorship_in_the_United_Kingdom):

"The country was listed among the "Enemies of the Internet" in 2014 by
Reporters Without Borders,[6] a category of countries with the highest level
of internet censorship and surveillance that "mark themselves out not just for
their capacity to censor news and information online but also for their almost
systematic repression of Internet users".[7] Other major economies listed in
this category include China, Iran, Pakistan, Russia and Saudi Arabia."

~~~
AdeptusAquinas
Fair enough, though I would say it's hard to qualify as a bigger enemy of the
internet than a nation that judges all traffic of all users is allowed to be
captured and sold at its source.

~~~
endgame
[http://web.archive.org/web/20110422071744/http://www.hitwise.com/us/about-us/how-we-do-it](http://web.archive.org/web/20110422071744/http://www.hitwise.com/us/about-us/how-we-do-it)

------
anonemouse145
Your daily reminder that this ruling was that an overreach of power was made
by the FCC, not that Republicans are hungry for the blood of orphans.

[https://www.forbes.com/sites/larrydownes/2017/03/30/why-congresss-rejection-of-proposed-fcc-data-rules-will-not-affect-your-privacy-in-the-slightest/](https://www.forbes.com/sites/larrydownes/2017/03/30/why-congresss-rejection-of-proposed-fcc-data-rules-will-not-affect-your-privacy-in-the-slightest/)

It's still completely worthwhile to have conversations about privacy and what
the proper limits of power are for Congress and the FCC here, but we're so
deep into 1984 that both sides of the political spectrum are screaming how WE
HAVE ALWAYS BEEN AT WAR and your only choice is if you prefer to have always
been at war with EASTASIA or OCEANIA.

~~~
anonemouse145
Lest anyone say this is oversimplified, from Ars:

"Republicans argue that the Federal Trade Commission should regulate ISPs'
privacy practices instead of the FCC. But the resolution passed today
eliminates the FCC's privacy rules without any immediate action to return
jurisdiction to the FTC, which is prohibited from regulating common carriers
such as ISPs and phone companies."

Sure, it's doublespeak to repeal the FCC side of things and promise FTC
protection when you know the FTC has no jurisdiction. It's also ridiculous to
say that eliminating an overreach by the FCC (debatable) would be a moral
wrong when stood on its own.

