
NordVPN confirms it was hacked - afshinmeh
https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-hacked/
======
LennyWhiteJr
> _The attacker gained access to the server — which had been active for about
> a month — by exploiting an insecure remote management system left by the
> datacenter provider, which NordVPN said it was unaware that such a system
> existed._

This screams for clarification and I'd love for someone more knowledgeable in
the area to elaborate on it. Is this common practice for data-center
providers? Do I now not only have to worry about my own infrastructure
security but also worry that my IaaS provider hasn't installed some backdoor
to my servers?

~~~
CiPHPerCoder
Sounds like an iDRAC exploit (assuming Dell servers).

But, yes, remote management is pretty common in datacenters. The fact that
NordVPN wasn't aware of them just shows incompetence.

~~~
LennyWhiteJr
How the hell do you pwn a server with iDRAC?

~~~
notyourday
Oh, IPMI and friends are a total mess. Some implementations allow one to take
control of a running server remotely, especially if they use a shared ethernet
for management (popular in Supermicros). I once had our security geek
demonstrate it by taking over the running server, rebooting it using a
network-emulated USB stick, adding a file into /etc and rebooting the server
again.

In secure environments one pulls IPMI module from the server or only uses the
modules that have their own dedicated NICs that have to be wired to their own
management network.

~~~
tonyarkles
The first time I booted a server using a virtual CD-ROM (iso on my laptop
shows up as a hardware CD-ROM on the server) over IPMI I was simultaneously
relieved (because I could fix the machine remotely) and absolutely totally
horrified.

------
justicz
If you care less about the pseudo-anonymous-but-not-really shared-IP aspect of
using a VPN, and care more about the this-lan-is-sketchy use case, I have had
good experiences with Algo [0]. You can just paste in an API key and spin up
your own VPN on something like DigitalOcean. And it uses WireGuard!

[0] [https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

~~~
roter
If you already have a DigitalOcean droplet up and running and you have ssh
access, you can use sshuttle [0].

e.g. run this from the command line:

    sshuttle -r example.com 0/0 -x example.com --dns

[0]
[https://github.com/sshuttle/sshuttle](https://github.com/sshuttle/sshuttle)

~~~
snazz
OpenSSH also includes a SOCKS proxy which you can use with no additional
software: [https://ma.ttias.be/socks-proxy-linux-ssh-bypass-content-filters/](https://ma.ttias.be/socks-proxy-linux-ssh-bypass-content-filters/)

Whether it grants you any significant anonymity is debatable, but it works
well for evading content filters and tunneling your traffic onto a more
trustworthy network.

~~~
mrb
Speaking from experience, sshuttle is way easier and more robust than using
OpenSSH's built-in SOCKS proxy.
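
What the far end of either tunnel learns, as an added example that is not part of any comment above and not code from sshuttle or OpenSSH: a Go sketch of the SOCKS5 CONNECT exchange that `ssh -D` speaks (sshuttle redirects at the IP layer instead, but its server side ends up with the same destination). The names `readConnect`, `clientBytes`, `proxyView`, `scripted` and the targets example.com and 192.0.2.10 are the example's own. The thing to check on your own setup: the proxy sees every destination, and it sees the hostname only when the client hands it over (ATYP 0x03); a client that resolves names itself sends a bare IP, and that DNS lookup went to whatever resolver the sketchy LAN handed out, outside the tunnel.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
	"net"
)

// ConnectRequest is what the proxy end (the sshd behind `ssh -D`) learns per connection.
type ConnectRequest struct {
	Host          string // literal IPv4 (ATYP 0x01) or hostname (ATYP 0x03)
	Port          int
	RemoteResolve bool // true when the client sent a hostname: DNS is done by the proxy
}

func readN(r io.Reader, n int) ([]byte, error) {
	b := make([]byte, n)
	_, err := io.ReadFull(r, b)
	return b, err
}

// readConnect is the proxy side of the RFC 1928 handshake (NO AUTHENTICATION) for one
// CONNECT. A real proxy would net.Dial(Host:Port) next; this one only answers "succeeded".
func readConnect(c io.ReadWriter) (ConnectRequest, error) {
	var req ConnectRequest
	greet, err := readN(c, 2) // VER, NMETHODS
	if err != nil || greet[0] != 0x05 {
		return req, errors.New("not a SOCKS5 greeting")
	}
	if _, err = readN(c, int(greet[1])); err != nil { // offered methods, ignored
		return req, err
	}
	if _, err = c.Write([]byte{0x05, 0x00}); err != nil { // select NO AUTHENTICATION
		return req, err
	}
	hdr, err := readN(c, 4) // VER, CMD, RSV, ATYP
	if err != nil || hdr[1] != 0x01 {
		return req, errors.New("expected a CONNECT request")
	}
	n := 4 // ATYP 0x01: IPv4 literal, so the client resolved the name itself, outside the tunnel
	if hdr[3] == 0x03 { // ATYP 0x03: one length byte, then the hostname; the proxy resolves it
		l, err := readN(c, 1)
		if err != nil {
			return req, err
		}
		n, req.RemoteResolve = int(l[0]), true
	} else if hdr[3] != 0x01 {
		return req, errors.New("unsupported ATYP (IPv6 left out of this example)")
	}
	addr, err := readN(c, n+2) // address, then the 2-byte port
	if err != nil {
		return req, err
	}
	if req.RemoteResolve {
		req.Host = string(addr[:n])
	} else {
		req.Host = net.IP(addr[:n]).String()
	}
	req.Port = int(binary.BigEndian.Uint16(addr[n:]))
	// Reply: VER, REP=succeeded, RSV, ATYP=IPv4, BND.ADDR, BND.PORT (zeros here).
	_, err = c.Write([]byte{0x05, 0x00, 0x00, 0x01, 0, 0, 0, 0, 0, 0})
	return req, err
}

// clientBytes is what a client writes for host:port: the greeting, then (after the proxy's
// 2-byte method selection) the CONNECT. A hostname goes out as ATYP 0x03 so the proxy
// resolves it; an IPv4 literal as ATYP 0x01, meaning the name was already resolved locally.
func clientBytes(host string, port int) []byte {
	msg := []byte{0x05, 0x01, 0x00, 0x05, 0x01, 0x00} // greeting (NO AUTH only); VER, CMD=CONNECT, RSV
	if ip4 := net.ParseIP(host).To4(); ip4 != nil {
		msg = append(append(msg, 0x01), ip4...)
	} else {
		msg = append(append(msg, 0x03, byte(len(host))), host...) // len(host) must be <= 255
	}
	return append(msg, byte(port>>8), byte(port))
}

// scripted stands in for the socket: the proxy reads the client's bytes from in, replies go to out.
type scripted struct {
	in  *bytes.Reader
	out bytes.Buffer
}

func (s *scripted) Read(p []byte) (int, error)  { return s.in.Read(p) }
func (s *scripted) Write(p []byte) (int, error) { return s.out.Write(p) }

// proxyView replays one client exchange and returns what the proxy learned.
func proxyView(host string, port int) (ConnectRequest, error) {
	conn := &scripted{in: bytes.NewReader(clientBytes(host, port))}
	return readConnect(conn)
}

func main() {
	for _, target := range []string{"example.com", "192.0.2.10"} { // constructed targets
		req, err := proxyView(target, 443)
		fmt.Printf("%-12s -> proxy sees %+v (err=%v)\n", target, req, err)
	}
}
```

In practice the hostname form is what curl sends with `--socks5-hostname` (or a `socks5h://` proxy URL) and what Firefox sends with "Proxy DNS when using SOCKS v5" enabled; without either, the browser resolves the name on the local network first and only the resulting IP goes through the tunnel. The `--dns` flag in roter's sshuttle command addresses the same leak at the packet level by capturing local DNS queries.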

------
safeplanet-fesa
What about the data-mining and selling infrastructure of NordVPN, known as
Tesonet? Are those intact? Also interesting to know how their legal
departments are doing, such as the Panamanian shell and the Lithuanian
headquarters.

[http://vpnscam.com/wp-content/uploads/2018/08/2018-08-24-09_09_14-Window.png](http://vpnscam.com/wp-content/uploads/2018/08/2018-08-24-09_09_14-Window.png)

[http://vpnscam.com/hola-vpn-and-nordvpn-partners-in-data-mining-bot-network/](http://vpnscam.com/hola-vpn-and-nordvpn-partners-in-data-mining-bot-network/)

[http://vpnscam.com/nordvpn-protonvpn-proton-mail-owned-by-tesonet-ceo-darius-bereika/](http://vpnscam.com/nordvpn-protonvpn-proton-mail-owned-by-tesonet-ceo-darius-bereika/)

~~~
soulofmischief
Thanks for sharing these. I was familiar with the Protonmail business but did
not know this all connected to a bigger picture. I never trusted NordVPN...
they spent way too much money on advertising and snake oil advertising at
that, focusing on meaningless numbers and distractions.

Hopefully you don't have similar news to share about Mullvad...

~~~
dmm
The claims about ProtonVPN have been disproven.

~~~
s5ma6n
I would like to hear more about this. Could you share some information?

~~~
class4behavior
Just search for proton in this thread. They've explained what happened
themselves.

Besides, the argumentation from that vpnscam website and its followers reminds
you of the typical conspiracy retards that follow Trump.

~~~
soulofmischief
In no world is it excusable to have your ostensible competitor sign your
binaries or certificates. They can make all the excuses they want, but it
doesn't dissolve their incompetence, and shows they are unfit for running such
a user-critical business.

~~~
class4behavior
No third party signed their certificates. Just a contracted employee who
worked for Tesonet typed in his company name instead of ProtonVPN. That's just
the Android keystore, nothing else. Google supports keystore rotation only
starting with Android 9.

~~~
protonmail
It's actually not even a contracted employee. It was a Proton employee who in
2016 was getting payroll through another company before we had our own
corporate entity. Keystore rotation is still not available in Android, so the
old key (which we solely control) can't be changed or modified. Android
actually also hashes with the certificate metadata so even that can't be edited
separately.

~~~
soulofmischief
On principle I am not impressed with what happened and I think it's very
sloppy. After the Lavabit fiasco we have to be extra scrutinous about the
leadership in privacy-oriented companies. That said, I still have a few
accounts with Protonmail and I think the service itself is pretty good.

------
rikkipitt
NordVPN just posted this a few minutes ago:
[https://nordvpn.com/blog/official-response-datacenter-breach/](https://nordvpn.com/blog/official-response-datacenter-breach/)

~~~
jwilk
They wrote:

> _We […] started creating a process to move all of our servers to RAM, which
> is to be completed next year._

What does "RAM" mean here?

~~~
Faaak
I guess that all decryption keys are in RAM. If the power is disconnected,
then it would need a manual intervention to re-decrypt the data.

------
eyegor
What this article is missing is that the hackers had root access and had
NordVPN's private key for their HTTPS cert for several months in 2018. This
went undetected for months and they're only now publicly admitting what
happened due to press attention. Their public response seems to be "it's not a
big deal guys, MITM is hard".

> _The key wasn't set to expire until October 2018, some seven months after
> the March 2018 breach_

[https://crt.sh/?id=10031443](https://crt.sh/?id=10031443)

And here's a dump of their logs:
[https://share.dmca.gripe/hZYMaB8oF96FvArZ.txt](https://share.dmca.gripe/hZYMaB8oF96FvArZ.txt)

~~~
stebann
Why isn't anybody in journalism publishing this? Really, they're scammers!

------
mdorazio
Someone is probably going to ask what other HN users recommend as an
alternative. Personally, I use Private Internet Access because they're the
only provider I've found with a track record of demonstrably not being able to
turn your records over to someone asking for them [1].

[1] [https://torrentfreak.com/private-internet-access-no-logging-claims-proven-true-again-in-court-180606/](https://torrentfreak.com/private-internet-access-no-logging-claims-proven-true-again-in-court-180606/)

~~~
harikb
I am surprised why isn’t anyone suggesting Cloudflare’s Warp VPN? Genuinely
curious what is the difference. I guess the Cloudflare one is only for mobile?

~~~
Santosh83
Cloudflare's Warp is not an anonymising VPN as far as I know. It is just a way
to speed up Internet speeds, especially in poorly connected areas. They make
no effort to hide the origin IP. So it is not in the same class as other VPN
providers.

~~~
edf13
This is interesting to read that Cloudflare is suggested here... shows that the
term VPN is still thought of as private. (I know it is Virtual Private Network
- but the termination is almost never private).

------
fauigerzigerk
> _NordVPN said it found out about the breach a “few months ago,” but the
> spokesperson said the breach was not disclosed until today because the company
> wanted to be “100% sure that each component within our infrastructure is
> secure.”_

So instead of allowing their customers to do their own damage limitation, they
left their customers in the dark and continued to expose them to a breach they
weren't sure they had fully contained.

I wonder when that sort of thing will become a criminal offence.

~~~
Snawoot
Sorry for posting under top comment, but I think it is very important.

Official response hides the fact that OpenVPN CA keys also leaked, so the
attacker could impersonate any other NordVPN server:
[https://gist.githubusercontent.com/Snawoot/85f77356e229d77aa36f16059a629eea/raw/e4e4af26e4c411d32bbc6bd3ba26301c2ae074bd/nordvpn.txt](https://gist.githubusercontent.com/Snawoot/85f77356e229d77aa36f16059a629eea/raw/e4e4af26e4c411d32bbc6bd3ba26301c2ae074bd/nordvpn.txt)

The RADIUS secret key also leaked, so it is probably possible to break into
the EAP session, which infers the session secret key for StrongSwan.

~~~
panarky
Also allowing historical sessions to be decrypted.

~~~
rasengan
Also looks like NordVPN has been misleading customers about the number of
servers they have (or didn't make clear they were VM/containers).

~~~
dx034
I don't think they ever wrote anywhere that they have 6,000+ physical servers.
Calling a VM (like an EC2 instance) a server is not unusual. For the customers
it was important that the resources, bandwidth and different IPs were
available. For that it doesn't matter if it's a physical server.

------
CiPHPerCoder
This is always topical: Don't use VPN Services

[https://gist.github.com/joepie91/5a9909939e6ce7d09e29](https://gist.github.com/joepie91/5a9909939e6ce7d09e29)

~~~
danShumway
> Your IP address is a largely irrelevant metric in modern tracking systems.

I don't believe this for one second.

Your IP address on its own is not sufficient to identify you. That doesn't
mean your IP address is not _helpful_ in identifying you.

If you have Javascript disabled, it is a heck of a lot easier to identify you
with a combination of an IP address, user agent, and OS than it is to identify
you without the IP address cutting down the pool of potential visitors.

On top of that, if you're targeting me and do a geo-location of my IP address,
it will get you within 5 miles of my house. That's close enough that you'll
know which county I'm in, which with a few other easily-obtained pieces of
information will let you pull up my voter registration, which will give you my
exact street address.

Of course, you could mitigate this by setting up your own VPN on something
like Linode, but unless you're regularly rotating IP addresses, you've just
traded a pseudo-identifier that multiple people/devices share for a persistent
identifier.

This argument comes up all the time, and I have never heard anyone explain it
in a way that passes my sniff test. If you want me to stop using a VPN, you
need to do a lot better than just claiming that IP addresses don't matter --
you need to show some kind of evidence to back that up.

~~~
orbital-decay
If you have Javascript disabled, it is a heck of a lot easier to identify you
because you're one of the very few who disabled Javascript.

~~~
danShumway
Eh. If you're enabling JS because you think it's going to help you blend into
the crowd, I am skeptical that you understand how powerful JS fingerprinting
actually is, particularly around cache abuse and super-cookies.

You don't need to go all the way, but the very least I would advise turning on
the resist-fingerprinting config in Firefox. At a minimum, block things like
canvas/webGL. You're making yourself more identifiable by doing so, but the
alternative is worse.

Now, if you're not using a VPN, and you're in a rural area, and you're on
Linux/Firefox with Javascript disabled -- sure, I definitely buy that I could
do some pretty decent correlation with that info. That's why VPNs (for all
their flaws) still matter.

~~~
orbital-decay
Sure, I do understand that, and yes IP hiding does matter. I'm merely pointing
out that disabling Javascript (and eventually enabling some set unique to you,
to un-break a broken site) is just another way to leak some bits one might
want to be aware of. Faking the common fingerprinting vectors known to expose
you uniquely is possibly a better way... until the new ones are found. I don't
know. The leaking bits need to be carefully accounted for, and you don't know
the site userbase for sure to blend into the largest cluster possible. I don't
think that fingerprinting is something that can be fought by the end user
efficiently, besides the very obvious things like blocking the major vectors.

~~~
danShumway
That's a good point.

> Faking the common fingerprinting vectors known to expose you uniquely is
> possibly a better way...

I wish there was more research being done around this. I appreciate what
Firefox is doing, and I assume there are good reasons for their fingerprinting
strategies. They know more than me about this stuff. But... it still sets off
some alarm bells in my head. It seems like it would be strictly better to
spoof location/canvas/microphone data instead of only blocking it.

------
_-___________-_
I don't understand the obsession with VPN providers. Funneling all your
Internet access through a single entity no matter where you connect from just
seems like a fundamentally bad idea to me, especially if that entity's
business is getting people to funnel all their traffic through, making them a
juicy target for governments or hackers.

~~~
lijogdfljk
Well, you're funneling your traffic through a single entity in almost _all
cases_ , right? So I view it more as, who do I distrust more? My ISP or a VPN?

I don't use a VPN provider, but it's tempting as I don't trust my ISP at all.

~~~
bitxbitxbitcoin
One very explicit reason to not trust your ISP with your internet traffic is
that since 2017 [1], they are allowed by Congress to sell your internet
history.

As a cherry on top, they were also the ones that successfully lobbied the
government to allow that in the first place [2].

[1] [https://www.privateinternetaccess.com/blog/2017/03/house-representatives-votes-215-205-away-broadband-privacy-allow-isps-sell-private-internet-history/](https://www.privateinternetaccess.com/blog/2017/03/house-representatives-votes-215-205-away-broadband-privacy-allow-isps-sell-private-internet-history/)

[2] [https://www.privateinternetaccess.com/blog/2017/02/internet-service-provider-isp-lobbied-fcc-permission-spy/](https://www.privateinternetaccess.com/blog/2017/02/internet-service-provider-isp-lobbied-fcc-permission-spy/)

~~~
_-___________-_
To be fair, they can't actually see more than hostnames & IP addresses
(assuming the use of TLS, which is becoming ubiquitous), so implying that they
sell your "Internet history" makes it sound worse than it is.

I've always assumed VPN providers sell whatever data they can too.

~~~
nvrspyx
I’m not a network expert, but doesn’t TLS just cover your connection with a
specific website? Since your ISP is often also your DNS, can’t they still see
which specific websites you’re trying to connect to? Wouldn’t TLS just
obfuscate what you’re specifically sending to and receiving from that site?
I’m under the impression that my ISP can (and probably does) see every website
I visit, which is at the least browsing history.

I also remember that Comcast did (and might still do) inject code onto
websites to display a “pop-up” indicating that you’re reaching or have reached
your datacap. It would even pop up on Steam because most of Steam is really
just a webview. I’m not sure exactly how they did/do that.

Again, I’m not a network or security expert, so I’m not really sure of how TLS
protects your internet history, which I take to mean a list of websites you
visit and when.

~~~
derefr
That’s what the parent said: they can still see “hostnames and IP addresses.”

But, for most people, that means that the ISP will just see:

• google.com

• facebook.com

• reddit.com

• somebignewspaper.example.com

Etc.

And there’s really nothing much too valuable about that. They won’t even be
able to figure out if you’re shopping for something (unlike every other nosy
channel provider), because most shopping traffic today just looks like Google
+ Amazon.
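
How an ISP (or anyone else on the path, a VPN exit included) reads the hostnames derefr lists straight off a TLS connection, as an added example that is not from any comment above: a Go parser for the server_name extension of the ClientHello, the first message of every TLS handshake. That extension is plaintext in every TLS version; encrypting it is a separate extension (ESNI, later ECH) that was still a draft when this thread was written, and the same name is sent a second time, also in clear, in the DNS query that precedes the connection. `clientHello` builds a constructed sample record for the demonstration; nothing here is captured traffic, and `tlsSNI`, `clientHello` and `u16` are the example's own names.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

var errTrunc = errors.New("truncated message")

// tlsSNI walks a TLS record holding a ClientHello and returns the host name in
// its server_name extension (RFC 6066). Every byte it touches is plaintext.
func tlsSNI(rec []byte) (string, error) {
	if len(rec) < 9 || rec[0] != 0x16 || rec[5] != 0x01 { // content type handshake, msg type ClientHello
		return "", errors.New("not a ClientHello record")
	}
	body, p := rec[9:], 34 // skip client_version (2) and random (32)
	next := func(lenBytes int) ([]byte, error) { // pop one length-prefixed vector at p
		if p+lenBytes > len(body) {
			return nil, errTrunc
		}
		n := int(body[p])
		if lenBytes == 2 {
			n = int(binary.BigEndian.Uint16(body[p:]))
		}
		p += lenBytes
		if p+n > len(body) {
			return nil, errTrunc
		}
		v := body[p : p+n]
		p += n
		return v, nil
	}
	for _, lb := range []int{1, 2, 1} { // session_id, cipher_suites, compression_methods
		if _, err := next(lb); err != nil {
			return "", err
		}
	}
	exts, err := next(2)
	if err != nil {
		return "", err
	}
	for len(exts) >= 4 {
		typ, n := binary.BigEndian.Uint16(exts), int(binary.BigEndian.Uint16(exts[2:]))
		if 4+n > len(exts) {
			return "", errTrunc
		}
		data := exts[4 : 4+n]
		exts = exts[4+n:]
		if typ != 0x0000 { // extension type 0 is server_name
			continue
		}
		// ServerNameList length (2), NameType (1) = host_name, HostName length (2), HostName
		if len(data) < 5 || data[2] != 0 {
			return "", errors.New("malformed server_name")
		}
		hl := int(binary.BigEndian.Uint16(data[3:]))
		if 5+hl > len(data) {
			return "", errTrunc
		}
		return string(data[5 : 5+hl]), nil
	}
	return "", errors.New("no server_name extension")
}

func u16(n int) []byte { return []byte{byte(n >> 8), byte(n)} }

// clientHello builds a minimal ClientHello record with one cipher suite and only
// the SNI extension: constructed sample traffic, not a capture.
func clientHello(host string) []byte {
	name := []byte(host)
	ext := append(u16(0x0000), u16(5+len(name))...) // extension_type server_name, extension_data length
	ext = append(ext, u16(3+len(name))...)          // ServerNameList length
	ext = append(ext, 0x00)                         // NameType host_name
	ext = append(ext, u16(len(name))...)            // HostName length
	ext = append(ext, name...)
	body := append(u16(0x0303), make([]byte, 32)...) // client_version, random (zeros: constructed)
	body = append(body, 0x00)                        // session_id length
	body = append(body, 0x00, 0x02, 0x13, 0x01)      // cipher_suites: one suite
	body = append(body, 0x01, 0x00)                  // compression_methods: null
	body = append(body, u16(len(ext))...)
	body = append(body, ext...)
	hs := append([]byte{0x01, 0x00, byte(len(body) >> 8), byte(len(body))}, body...) // ClientHello, 24-bit length
	return append([]byte{0x16, 0x03, 0x01, byte(len(hs) >> 8), byte(len(hs))}, hs...) // handshake record
}

func main() {
	s, err := tlsSNI(clientHello("mail.example.com")) // constructed name
	fmt.Println("SNI visible on the wire:", s, err)
}
```

Run it against real traffic by feeding `tlsSNI` the first record of a captured TCP stream to port 443; the parser stops before any encrypted byte. The consequence for the discussion above is that the per-site list derefr describes is available to the ISP twice over, once from DNS and once from the handshake, with no cooperation from the site.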

~~~
apecat
Please don't underestimate the value of metadata.

While it's true that the big platforms dominate web use today, don't forget
that the concept of metadata includes _when_ you actively surf on the
information superhighway. That's valuable information for advertisers.

So is every DNS lookup related to the API backends of specific apps you use.
And every random website outside the massive platforms.

These might reveal tons of information about you. Like:

Are you doing research on politics (and which flavor)? Do you worry about
health? When do you access online banking? Which banks? Any tax filing
software? Invoicing apps? Do you use shitty payday loans? Are you looking for
dates? Are you gay? Which games do you play? Which car dealerships do you
consider? Do you gamble? And of course, any particularly.. specific porn
sites? Do you access banking, travel/flight booking, investment, shitcoin
trading, adult or gambling sites in a specific pattern that might indicate
mania or other mental health issues?

With metadata alone, your ISP has a thick dossier on your habits, with stuff
therapists don't know about their clients.

------
Liquix
Nord (and perhaps others) seem to have been compromised for months/years -
lifetime accounts have been available on the DN for significantly cheaper than
other VPNs:
[https://news.ycombinator.com/item?id=20094946](https://news.ycombinator.com/item?id=20094946)

Doesn't seem like a smear - glad this is coming to light.

~~~
SlowRobotAhead
Nord specifically has a retailer system, I wonder if accounts can be created
3rd party and sold greymarket like that without any nefarious hacking
scandals?

------
numlock86
Maybe they should spend more money on security than throw at people like
PewDiePie to advertise them ... by also giving false claims like protecting
you from hackers and making you magically "secure", whatever that's supposed
to mean. Doesn't give the impression they know what a VPN actually is.
Considering that most likely the phrasing comes from NordVPN themselves I
always questioned them as a whole. Good to have some positive feedback (from
my point of view) on that now.

------
tmikaeld
It's odd that NordVPN, VikingVPN and Torguard all got their private keys
leaked here.

- Did the hackers use an SSH or a VPN service vulnerability?

- Or maybe even a previously unknown vulnerability?

- Was SSH access firewalled? If not, why?

- Do they still have root access?

~~~
ganoushoreilly
A lot of them shared physical infrastructure, so it's definitely less odd that
multiple were breached at the same time.

~~~
swiley
I was just thinking yesterday that people might be overly paranoid about that,
I’ve always agreed that if security were important you shouldn’t share space
but lately I’ve begun to question it since a lot of these data centers are
pretty carefully controlled.

I’m glad I didn’t speak my mind on that I guess since I was wrong.

------
chickenpotpie
This is so well timed, I just bought a 3-year subscription to NordVPN and they
have a 30 day refund policy.

~~~
KirinDave
You should probably ask for a refund, then set up your own VPN.

Commercial VPNs are, for the vast majority of cases, simply not a good bet for
your privacy. You're changing your network traffic path from a diffuse and
byzantine series of paths to one centralized collection point. The payoff for
an attack on a VPN rises very quickly. Meanwhile, you're also conditioning
yourself to say, "My traffic is secure while my VPN is on."

It's not a great combo.

~~~
chickenpotpie
I'm thinking about spinning up a Digital Ocean droplet and rolling my own right
now.

~~~
leevlad
I'd keep in mind that cloud providers have well-known IP blocks that can
sometimes be rate-limited by various internet sites/services, primarily to
combat botting. You might inadvertently get caught in the IP range that's
being actively rate limited by e.g. Instagram. YMMV.

------
FillardMillmore
I can't help but notice that NordVPN is one of the most heavily advertised
VPNs from what I've seen (which raises the question, as one researcher pointed
out in the article - are they not spending enough money on their security and
infrastructure to protect their users?). They are claiming that: "no-one could
know about an undisclosed remote management system left by the [data center]
provider".

Apparently the hacker was able to find out - so while it may be unknown, it's
not an impossibility to detect it. Beyond whether or not sensitive information
was accessed, what will NordVPN do in the future to eliminate or mitigate the
possibility that this will occur again?

~~~
apecat
I find NordVPN's marketing reprehensible. Too many claims and broad strokes
about the "anonymity" their service can provide.

While I certainly would recommend that US consumers use a VPN router to
prevent their ISP from selling data, I think NordVPN really overplays the role
of changing IP addresses in the age of browser fingerprinting.

~~~
kevindong
> I find NordVPN's marketing reprehensible.

A claim that really, really bothered me was something along the lines of "use
us and no one will be able to read your email!" Every mainstream email
provider (Google, Yahoo, Microsoft, Apple) now require HTTPS for emails. No
one was ever going to be able to read your emails.

~~~
apecat
I normally don’t mind YouTube ads all that much, and I don’t see them on
desktop browsers anyway.

However, I was bombarded with ads for NordVPN and their crap made me so angry
it pretty much sold me a paid YouTube membership.

Hard to relax with some _totally not weird_ ASMR when my blood pressure is
through the roof because some chirpy ad agency dude wants to show me how much
a VPN is like an umbrella or whatever.

~~~
mvexel
> However, I was bombarded with ads for NordVPN and their crap made me so
> angry it pretty much sold me a paid YouTube membership.

For me it was those incessant Grammarly ads. A service, by the way, that has
its own serious security and privacy concerns[0].

(I feel like YouTube Premium ($18/mo for up to 6 people) is a better deal than
Spotify Premium ($15/mo for up to 6 people) for a household like mine where we
listen to a lot of music _and_ use YouTube a lot. I don't know how YouTube
compares to Spotify when it comes to music selection however.)

[0]
[https://news.ycombinator.com/item?id=16315684](https://news.ycombinator.com/item?id=16315684)

~~~
JadoJodo
I'm torn for this reason: I want to avoid ads, but I don't want to give Google
any more money. It's unfortunate that YouTube is really the only one of its
kind.

For the moment, I get around this conundrum using a combination of uBlock
Origin[0] (Firefox) and NewPipe[1] on Android. Not 100% sure what I'll do
about the latter when I switch to iOS.

[0] [https://github.com/gorhill/uBlock](https://github.com/gorhill/uBlock) [1]
[https://newpipe.schabi.org/](https://newpipe.schabi.org/)

~~~
bad_user
You don't have ad-blockers on all devices or for their app. I'm on iOS and I
like using the app since Premium allows for playing stuff in the background,
plus downloading stuff for offline viewing. You can't get that in Firefox with
uBlock.

I find some of the anti-Google arguments to be really, really weird and I've
been speaking against Google on this website countless times.

If you don't want to be tracked, you're going to be tracked for as long as
you're a free user. uBlock Origin will not save you, since you're on their
website and you can't block "youtube.com".

Also Google is a big target and subject to laws such as GDPR. I actually trust
Google more than I trust any startup advertised on HN, because Google is a big
target with a lot of eyes watching. When you go to your profile and turn off
the data collection, you can probably trust Google more than you can trust
DuckDuckGo.

This isn't to say that you should trust Google. Not what I'm saying.

But paying a membership is voting with your wallet against ads. By not paying
you're simply encouraging them to serve more ads. And the break you're getting
via uBlock Origin is only temporary. If the audience using ad-blockers on
Android grows, I expect them to simply block browser access, problem solved.
And because you used YouTube anyway, it means you haven't paid for their
competition either, which means you directly contributed to YouTube's
monopoly, without encouraging them to give up on ads in favor of Premium
memberships.

It's basically how software piracy used to work. Piracy was never a problem
for the big companies like Microsoft, piracy being responsible in part for
Microsoft's monopoly. And when piracy became a problem, software companies
simply moved to online subscriptions. There's always a solution for milking
freeloaders later.

~~~
K0SM0S
> I like using the app since Premium allows for playing stuff in the
> background

I remember vividly the day (sometime in 2013?) when they removed that feature
from the base app. I had been streaming music or casts from YouTube in the
background since day 1 of my iPhone 4, and suddenly it became a paid feature.

_"Bastards"_, I thought with a smile, _"but hey, fair enough! Ok, now where
do I pay?..."_

Except that outside of the US, premium wasn't available. So they had removed
background play but offered no alternative. It lasted until 2017!! Took them 4
years to bring the premium offer to Europe... what a shame. That fueled some
resentment, as a wannabe customer. And gave more than enough time to find
better alternatives (Spotify, youtube-dl...) and never look back.

When they finally introduced premium in my country, I took the free 3 months
offer and cancelled immediately thereafter. They don't want my money, 4 years
made that emphatically clear.

I may reconsider after 2021, on the condition that management has changed at
YouTube and Google. Right now, I'm just not feeling it.

Google is just awful at marketing stuff and customer service. They plain and
simple don't care. That's monopoly for us: customers lose, always. So I find
it both logical and "the right thing to do" to spend my money to directly
support creators and alternative platforms whenever I can.

------
Sir_Cmpwn
NordVPN is being recommended a lot to people who don't know better by
influencers on social media, especially on YouTube. This kind of endorsement
is recklessly negligent and needs to stop.

[https://drewdevault.com/2019/04/19/Your-VPN-is-a-serious-choice.html](https://drewdevault.com/2019/04/19/Your-VPN-is-a-serious-choice.html)

Edit: note that I don't blame these influencers for their ignorance on the
risks of using a VPN; rather I blame the shady VPN providers for overselling
the security value of their product and leading users into a false sense of
security.

~~~
Mirioron
I'm pretty sure they're "recommending" it because they're getting paid for it
- it's a sponsor segment. After demonetization became common YouTubers looked
for other sources of revenue and there are rather few companies that try to
contact them directly for ads, so you see them appear over and over again.

~~~
tokai
Yeah it's definitely not being recommended, it is being advertised. I wonder
how much money they have spent. Every freaking channel mentions them at some
point.

~~~
Nextgrid
You start to wonder where their money is coming from - their retail prices are
already cheap, the discounts the influencers offer make it basically free.
How's that sustainable?

~~~
Mirioron
But do they even have to pay much to youtubers for those ads? If you get 50k
to 100k views per video then you'll likely make around the range of $50-$150
for the video. Paying the youtuber $50-$100 per video would already have a
significant impact on their income, so they'd probably consider it. That would
be 50k-100k people who will see the ad, because adblock can't block it.

~~~
catalogia
If somebody is getting $50-$150 per video, they're probably doing it for the
passion of making videos, not for the income, and they probably have another
source of income that dwarfs what they're getting from youtube.

~~~
Mirioron
Not necessarily. If they put up a video every day then that's $1500 a month
minimum. That's decent income in most countries, even in many EU ones. Now
imagine if sponsor segments doubled that for you - now it's $3000 a month,
which is already on the lower end of decent even in the richest countries.

------
rikkipitt
Two days ago I deleted my old Digital Ocean VPN (built using the OpenVPN
tutorial I found somewhere), then opted for a discounted 3-year NordVPN plan.
Looks like I'm going to have to ask for a refund. _facepalm_.

------
trigger89
"On the same note, the only possible way to abuse the website traffic was by
performing a personalized and complicated man-in-the-middle attack to
intercept a single connection that tried to access NordVPN."

If I had root, can't I just find out what crypto libraries are in use and
trigger an uprobe to decrypt the traffic on that crypto library?

Every user connection handled by that vpn server would have been plain text
for me.

I think they are downplaying the importance of this hack

------
ineedasername
"no-one could know about an undisclosed remote management system left by the
[data center] provider"

Why not? I'm generally familiar with the services offered by dedicated-
server/co-lo/vps providers, and remote management systems are very common.
This includes out-of-band (OOB) access when using dedicated systems. Seems
like the sort of thing that solid due diligence would pick up. Even if it's
completely undocumented, designing a robust security checklist to be completed
by the vendor should find this sort of thing.

This excuse also makes NordVPN look extremely bad for future use: If you say
"nobody could have known" then you're also saying "it could happen again"
because if you can't know about it, you can't know if other vendors do the
same. If you can stop it from happening in the future by implementing
additional measures, that means those additional measures could have been used
to prevent it the first time. So either you're inherently insecure, or the
issue was preventable.

------
abbadadda
Did NordVPN know about this hack when they were offering their deal for
something like $88 for 3 years? I went back and looked at their prices from
2017 and it was something like $69 to $83.99 billed annually
([https://www.pcworld.com/article/3200777/nordvpn-vpn-review.html](https://www.pcworld.com/article/3200777/nordvpn-vpn-review.html)).
I've been a NordVPN customer for a while but have been thinking
of switching due to some articles touching on nefarious marketing practices
and/or questionable data practices. Then I see this deal for $88 for 3 years
and it was tempting to re-up. Coincidentally, when the deal ran out the news
broke several days later about the hack. I for one will be finding a new VPN
provider, but I can't help but think they were trying to rope in as many
existing customers as possible before news of the hack broke. Suspect at best.

------
phantom_oracle
There's a bittersweet irony with this story. They were recently pushing ads
claiming that "Ain't no hacker can steal your online life. (If you use VPN)."

The ad has since been deleted :D

------
arshbot
Lots of talk here from highly technical folks but not one person brings up the
fact that these are expired keys - as in not usable?

I understand that the fact that these keys were obtained is concerning but the
security of nord and etc prevailed at the end of the day.

The question is: were they leaked before they expired or long after?

~~~
esnard
They were leaked in March 2018 [0][1], and they expired in October 2018 [2].

[0]
[https://web.archive.org/web/20180504001844/https://8ch.net/b...](https://web.archive.org/web/20180504001844/https://8ch.net/b/res/7948898.html)

[1] [https://nordvpn.com/fr/blog/official-response-datacenter-bre...](https://nordvpn.com/fr/blog/official-response-datacenter-breach/)

[2] [https://crt.sh/?id=10031443](https://crt.sh/?id=10031443)

~~~
arshbot
> However, the key couldn’t possibly have been used to decrypt the VPN traffic
> of any other server. On the same note, the only possible way to abuse
> website traffic was by performing a personalized and complicated MiTM attack
> to intercept a single connection that tried to access nordvpn.com.

However crt.sh shows

> Validity
> Not Before: Oct 6 12:53:38 2015 GMT
> Not After : Oct 6 12:53:38 2018 GMT

What exactly were these keys for if they were only usable in such a manner
according to nord?

~~~
wswope
Nord has a couple thousand servers, and each has their own key. In order to
decrypt traffic, you'd have to intercept some traffic to decrypt, which would
require a MitM attack unless you're an ISP/state actor.

------
AdmiralAsshat
[https://twitter.com/hexdefined/status/1186214904132300800](https://twitter.com/hexdefined/status/1186214904132300800)

The thread indicates that VikingVPN and Torguard were also compromised at some
point. Highly concerning.

------
charles_f
I guess it depends what you want from your VPN.

When I want to secure a shady connection in a coffee house, I have a Raspberry
Pi 3 at home that I use only for that purpose with an OpenVPN setup with
[https://www.pivpn.io/](https://www.pivpn.io/) - super easy to use. Downside:
I rely on my ISP not to spy on me. Upside: it's mine and unless I'm
specifically targeted it's unlikely someone will MITM me.

To hide my location for various purposes, I have used TigerVPN. They have been
reliable so far, but I wouldn't trust entirely any third party when it comes
to privacy. Upside: somewhat reliable and not my ISP. Downside: for all I
know someone in the Czech Republic is watching what I stream with a bucket of
popcorn.

------
inian
[https://nordvpn.com/blog/official-response-datacenter-breach...](https://nordvpn.com/blog/official-response-datacenter-breach/)

------
sudoaza
More worrisome is that this may allow old captures to be decrypted. Anyone know
of VPN providers that use PFS?

~~~
rasengan
Private Internet Access is PFS (using DHE - Diffie Hellman Ephemeral).

------
metalliqaz
A while ago I read that there was a potential smear war going on between some
of the larger VPN providers. Is there any chance that this is related? (I'd
prefer more than just a tweet)

------
kbenson
This sounds suspiciously like the Supermicro BMC bug reported here a while
back[1], and while it actually can be hard to make sure the IPMI stuff doesn't
take over a NIC you don't want it to[2], there are things you can do to
prevent that, such as explicitly setting IPMI interface and address
information so it won't use "smart" behavior to negate all your security.

As to whether "no-one could know", well, _I_ knew after I read that HN
submission, and at work we made sure to double check all our configs. This
ended up being mostly a known problem, but the extra context helped us find
another edge case I believe.

It's not great that you have to be aware of the latest security problems _and
how they may interact in obscure ways with system configs_, but that's the
nature of security and the state of the industry right now. Not much to do except
buckle down and pay attention. To everything.

1:
[https://news.ycombinator.com/item?id=20870686](https://news.ycombinator.com/item?id=20870686)

2:
[https://news.ycombinator.com/item?id=20872084](https://news.ycombinator.com/item?id=20872084)
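The "explicitly set the IPMI interface and address" advice above, turned into an audit script; this is an added example, not code from the thread or from any vendor. It reads captured `ipmitool lan print` output from stdin and flags settings left to the BMC's own discretion (DHCP-assigned address, untagged management traffic). The optional NIC-mode argument assumes Supermicro's documented OEM query `ipmitool raw 0x30 0x70 0x0c 0` (00 dedicated, 01 shared, 02 failover); that mapping is an assumption here and other vendors expose it differently. The two configurations at the bottom are constructed samples.

```shell
#!/bin/sh
# audit_bmc_lan: read "ipmitool lan print <channel>" on stdin, report BMC
# settings that let the controller choose its own network behaviour.
# $1 (optional): NIC mode byte from the Supermicro OEM query
#   ipmitool raw 0x30 0x70 0x0c 0   -> 00 dedicated, 01 shared, 02 failover
# (assumed mapping from Supermicro documentation; verify for your vendor).
# Exit status: 0 when every setting is explicit, 1 when something needs fixing.

# lan_field NAME CONFIG: value of the "NAME : value" line, or empty if absent.
lan_field() {
    printf '%s\n' "$2" | awk -F' : ' -v k="$1" \
        '$1 ~ ("^" k "[ \t]*$") {
            sub(/^[ \t]+/, "", $2); sub(/[ \t]+$/, "", $2); print $2; exit }'
}

audit_bmc_lan() {
    nic_mode=$1
    cfg=$(cat)
    rc=0

    # A DHCP-sourced address means the BMC takes whatever the LAN offers.
    ipsrc=$(lan_field "IP Address Source" "$cfg")
    if [ "$ipsrc" != "Static Address" ]; then
        echo "FAIL: IP Address Source is '${ipsrc:-unset}', not Static Address"
        echo "      fix: ipmitool lan set 1 ipsrc static; ipmitool lan set 1 ipaddr <mgmt ip>"
        rc=1
    fi

    # Untagged BMC traffic lands on whatever VLAN the switch port defaults to.
    vlan=$(lan_field "802.1q VLAN ID" "$cfg")
    if [ -z "$vlan" ] || [ "$vlan" = "Disabled" ]; then
        echo "FAIL: BMC traffic is untagged (802.1q VLAN ID: ${vlan:-unset})"
        echo "      fix: ipmitool lan set 1 vlan id <management vlan>"
        rc=1
    fi

    # Shared or failover mode is the "smart" behaviour that moves the BMC
    # onto the host's production NIC.
    case "$nic_mode" in
        "") echo "INFO: NIC mode not supplied; confirm OOB uses its dedicated port" ;;
        00) echo "OK:   BMC bound to the dedicated management port" ;;
        01) echo "FAIL: BMC shares the host's onboard NIC"; rc=1 ;;
        02) echo "FAIL: BMC in failover mode and can move onto the host NIC"; rc=1 ;;
        *)  echo "WARN: unrecognised NIC mode '$nic_mode'" ;;
    esac
    return $rc
}

# Constructed sample: a BMC left on factory defaults.
SAMPLE_DEFAULT_BMC='Set in Progress         : Set Complete
IP Address Source       : DHCP Address
IP Address              : 10.0.0.5
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:00:00:00:01
Default Gateway IP      : 10.0.0.1
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0'

# Constructed sample: static address on a dedicated management VLAN.
SAMPLE_HARDENED_BMC='Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 192.0.2.10
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:00:00:00:02
Default Gateway IP      : 192.0.2.1
802.1q VLAN ID          : 100
802.1q VLAN Priority    : 0'

# Live use: ipmitool lan print 1 | audit_bmc_lan "$(ipmitool raw 0x30 0x70 0x0c 0 | tr -d ' ')"
printf '%s\n' "$SAMPLE_DEFAULT_BMC" | audit_bmc_lan 02 || echo "default BMC config needs attention"
```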

------
weinzierl
Apart from deanonymizing customers and potentially reading the traffic of
customers they sent over the VPN what are other risks for customers?

What I'm thinking about is that the VPN essentially tunnels through my
firewall so a malicious VPN provider may possibly be able to do things that,
for example, an arbitrary web server cannot.

------
saurik
This is difficult to track, as it is really just a sentence attached to some
screenshots, with some commentary but no technical detail... but this seems to
be a website key, not an OpenVPN key?

(edit: And, in fact, this is confirmed by NordVPN's statements on the matter:
"The expired TLS key was taken at the same time the datacenter was exploited.
However, the key couldn’t possibly have been used to decrypt the VPN traffic
of any other server. On the same note, the only possible way to abuse website
traffic was by performing a personalized and complicated MiTM attack to
intercept a single connection that tried to access nordvpn.com.")

------
eicossa
I remember last week's episode on Darknet Diaries where NordVPN was offering
3y plans for a hefty discount. My first reaction was "Are they going out of
business ?"

This week's news lets me make sense of that ad.

------
samwhiteUK
So what does this mean for an every day consumer? I had been debating using
the 30-day money back guarantee as I realised I didn't use it as much as I
thought I would. I want to stay protected on public Wifi. Added anonymity
occasionally would be good too, as well as accessing US Netflix from here in
the UK.

Now my 30 days is up. What would be the best course of action? Should I email
and say that I'm not comfortable being their customer any more, and ask to
be reimbursed? Carry on, for my use case? I'd never connected to a Finnish
server.

~~~
g4d
It's so hard to understand what is correct (I'm aware this is a problem with
every news story) between the people telling me that they're almost certainly
evil, keeping logs and selling data and those that are telling me that it's a
smear campaign by the competing VPN providers.

My gut tells me that the level of advertising and incredibly low prices is too
good to be true...

Now with this hack it's the same problem: how bad is it, does it affect me and
should I be concerned?

------
throwaway_nord
Why would their website's SSL certificate be on one of their VPN servers? Do
all of their current 3000 servers have the private key for their website right
now?

~~~
Snawoot
OpenVPN CA key also leaked:
[https://gist.githubusercontent.com/Snawoot/85f77356e229d77aa...](https://gist.githubusercontent.com/Snawoot/85f77356e229d77aa36f16059a629eea/raw/e4e4af26e4c411d32bbc6bd3ba26301c2ae074bd/nordvpn.txt)

~~~
pram
oof

------
jwilk
See also:
[https://news.ycombinator.com/item?id=21311475](https://news.ycombinator.com/item?id=21311475)

------
generalpass
I'm frankly blown away that the comments I'm seeing here don't suggest to just
roll your own.

$5/mo is the typical price nowadays for a 1 GB VPS with 1TB upload. Cancel at
any time. Save image, redeploy monthly/weekly/daily to protect from longer
term IP address tracking. Use scheme of your choice (e.g., SOCKS proxy, VPN,
standard HTTP port for everything, etc.)

------
clSTophEjUdRanu
I like Mullvad

~~~
elliekelly
I’ll second this. They also allow you to pay in cash which I think is an
aspect of privacy that a lot of VPNs overlook.

------
crispyambulance
People have been talking about using VPN's because of "dangerous" public wifi,
but I have to admit, I don't understand the risks.

Let's say you go to a coffee house and sign in to their wifi with their
password and use it to browse HTTPS websites, like Gmail or your favorite social
media... what's the main risk? What can happen? What _does_ happen?

~~~
pram
The primary concern is MITM attacks I'd presume.

~~~
xvector
OP specified HTTPS, so MITM is a non-issue.

DNS leakage maybe?

------
pickle-wizard
I only use NordVPN to get around GeoIP blocks on a couple of streaming apps.
So I'm not too worried about my data being compromised, but I don't like the
way they handled this. Think I'll start looking for another provider?

Looks like you can side load OpenVPN onto a FireTV. Maybe I'll go the roll my
own this time.

------
knolax
Wasn't NordVPN the one that was created by a marketer? I wouldn't be surprised
if this was just cover for them to sell their customers' data indirectly. If
anybody finds a dump of the data they sold they could just claim it was from
the breach.

------
ngcc_hk
Wow. Just switch per advice of lihkg! How serious? Seems all tech talk but not
impact talk

~~~
donkeyd
> How serious?

From my understanding, that really depends what you're using it for. My
friends mostly use Nord to get around region locks for Netflix etc. I think
impact for them is minimal.

If you were using NordVPN in Hong Kong, to cover your involvement in the
protests, then it could be a lot more serious. I wouldn't use Nord (or any
comparable provider) for that anyway, since their holdings tend to be pretty
opaque. That doesn't mean nobody did use it for stuff like that though.

~~~
Bartweiss
I see the Twitter thread mentions:

> _And someone just mentioned to me that past encrypted sessions may be able
> to be decrypted, which is a much bigger issue!... I haven't researched
> enough about OpenVPN to know if it's using forward secrecy, though you'd
> hope so_

Any idea where that claim is coming from? Nord's site mentions having forward
secrecy in place, so presumably _most_ historical stuff is safe unless they
botched that. Of course, somebody in e.g. Hong Kong could still have gotten a
MitM attack if they were active while these keys were being used, which is
reason enough to worry about exposure.

------
ga-vu
NordVPN blog post, and the source: [https://nordvpn.com/blog/official-response-datacenter-breach...](https://nordvpn.com/blog/official-response-datacenter-breach/)

------
1000units
This is a feature in my eyes. Just stack a bunch of these hacked by different
people who don't cooperate with each other. Now any user has plausible
deniability over anything that happens on these networks. No?

------
jedisct1
Get a VPS and run your own VPN. It doesn't have to be complicated:
[https://github.com/jedisct1/dsvpn](https://github.com/jedisct1/dsvpn)

------
kryogen1c
The interesting thing about OOB on most modern servers is that it's a separate,
physical NIC. Not only is that easily VLAN-able, a more security conscious
datacenter could even air-gap the out-of-band LAN!

~~~
pm7
> The interesting thing about OOB on most modern servers is that it's a
> separate, physical NIC. Not only is that easily VLAN-able

On lower-grade servers OOB is using the main NIC. It's still possible (in all
implementations I have seen, which is not too many) to have OOB in a VLAN.

> a more security conscious datacenter could even air-gap the out-of-band LAN!

1. If you air-gap remote management, you take away its function.

2. It's not possible to truly air-gap OOB if servers with OOB are not
air-gapped (it's theoretically possible to use the server to get into the OOB
network by exploiting/flashing custom OOB from the OS).

------
TazeTSchnitzel
From the amazing service providing “Double VPN” (yes, really) for extra
privacy and “Onion VPN” (with the Tor bit being behind NordVPN, not the other
way around) for ultra extra privacy!

~~~
xvector
> with the Tor bit being behind NordVPN, not the other way around

This is so dumb that I'm not sure if it's an inside joke or not.

(Looking at you, ProtonVPN.)

~~~
protonmail
We are pretty clear though that Tor over VPN is for convenience and not
necessarily more security or privacy, depending on your threat model.

------
catoc
Any comments about Encrypt.me as a NordVPN alternative?

It looks _much_ more reliable. (from their website; the team's CV's; etc ->
i.e.: no hard evidence)

------
therealmarv
Anyone know WHICH server provider in Finland caused this?

Just following the chain, because NordVPN says it was this provider who did
not tell them about their security leak?

~~~
willstrafach
Oy Creanova Hosting Solutions Ltd.

------
HugoDaniel
Should be ok, after all they don't keep any logs, right?

~~~
LeonM
NordVPN doesn't (or so they claim), but the hacker may have been logging
activity.

------
goshx
This is called karma. People have been using their services to run
cyberattacks and NordVPN people do NOTHING to stop them.

This news brings me joy.

------
Attained
Just use Cloudflare WARP since it's finally out. You're never really anonymous
unless it's a lifestyle anyway.

------
discordance
NordVPN runs a desktop app with escalated local privileges.

Surely if they were compromised that would be the attack vector for a bad
actor.

------
misiti3780
Off topic a bit, but what other VPNs are people using? I have been using
ExpressVPN and am very happy with it.

~~~
computerex
Torguard for me, relatively happy with it. Also hideMe was very good too.

~~~
bugbug99
Per the OP article, Torguard was hacked too.

~~~
computerex
Torguard is contesting the extent of their breach:
[https://torguard.net/blog/why-torguards-network-is-secure-af...](https://torguard.net/blog/why-torguards-network-is-secure-after-an-isolated-2017-server-breach/)

------
kebman
"It's an older code, but it checks out." :D Sorry, I just couldn't help
myself!

------
hemant6488
Can't get hacked if you don't use a VPN.

I use sshuttle ([https://www.terminalbytes.com/sshuttle-vpn-over-ssh-vpn-alte...](https://www.terminalbytes.com/sshuttle-vpn-over-ssh-vpn-alternative/)).

------
godelmachine
This is troublesome.

I was planning to eke out $85/annum and go for NordVPN, but now even this is
unreliable.

~~~
thenewnewguy
Buy a $5/month VPS and run your own VPN on that (popular setup script:
[https://github.com/StreisandEffect/streisand](https://github.com/StreisandEffect/streisand)).
It'll cost you a little bit of time in setup and maintenance (mostly just
upgrading packages), but it has many benefits:

- Cheaper than most VPN providers

- You won't be using a known VPN IP

- VPN providers are more likely to snoop on your traffic or be targeted by
snoopers (such as the government), specifically because they seek out traffic
from people trying to hide

- You get to pick the port/protocol/software you use, rather than being
forced to accept the provider's ones

- You can run other small servers you may need on the VPS as well

~~~
lijogdfljk
But then your security rests on your ability to manage a server. I mostly
agree with you, but, I don't run one because I'm not a seasoned Ops. At least,
not enough that I want to put my security on the line.

In all but the most hostile networks I trust another VPN or my ISP more than I
trust my ability to keep a server secure.

Thoughts?

~~~
jen_h
Some thoughts:

1. You have to keep _two_ ports locked down. If you can secure your own
laptop, you can secure a cloud instance. The cloud instance you're basically
just using as a proxy is a lot less important than what's on your phone or
computer.

2. Only you are using the system, and you're not logging. Have an issue? Tear
it down and start another. Automated scripts out there generate unique keys
every time.

3. A commercial VPN is a honeypot in a way -- it's a ripe target. Many people
are tunneling through it, doing sketchy things that certain parties want to
track -- and your traffic could get caught in a dragnet (this, of course,
depends on your use case: you may _want_ to blend in).

4. Your ISP tracks and sells your data. I mean, the entire reason I use a VPN
is because I was sick of my ISP routing my searches through their servers
before my intended search destination, snagging my Netflix info and using it
to create advertising profiles. Why would you trust them?

5. It literally takes less than 10 minutes (5:59 from an _iPhone_, the last
time I launched one) to launch and connect to your own VPN instance to play
with
([https://github.com/jenh/sevenminutevpn](https://github.com/jenh/sevenminutevpn)
is mine, but there are others, like Streisand or Algo) -- if nothing else, you
become a more educated consumer and can better understand your threat model
AND what to look for in a paid provider.

~~~
yread
> You have to keep two ports locked down

That's what NordVPN thought as well

~~~
jen_h
I would hope that isn't what they thought and I'm _sure_ it's not what they
thought.

Launching a personal-use ephemeral cloud instance running OpenVPN to hide your
personal traffic from your ISP _is absolutely nowhere the same_ as running a
paid VPN service for millions of users across the world.

------
gerdesj
There are quite a lot of anti NordVPN and VPN in general experts pontificating
here. A quick scroll down through all comments and I note a distinct _lack_ of
green handles.

This is a 500+ comment article with hardly any near null comment commentards.
My analysis is not very rigorous.

------
Angeo34
> trusting companies outside of EU jurisdiction

Literally your own fault

~~~
ju-st
Or trusting companies only known because of extensive marketing.

------
meh206
Security has never been a priority for any of these public VPN providers.

------
badrabbit
ProtonVPN uses Nord servers infrastructure right? Were they affected?

~~~
protonmail
No, that is not true. We run our own infrastructure for ProtonVPN and also own
the hardware for our core servers: [https://protonvpn.com/support/secure-core-vpn/](https://protonvpn.com/support/secure-core-vpn/) This can be verified by
inspecting our VPN endpoints which are all public.

We have no connection with Nord or any other VPN. ProtonVPN is however owned
and operated by ProtonMail, with some support from the European Union.

~~~
badrabbit
Cheers, glad you cleared that up. I must have gotten bad info. Love all your
services!

~~~
protonmail
No worries. Transparency is important to us so we're always happy to answer
questions.

------
john_alan
NordVPN subscriber here, I just use DSVPN now. Simple and works.

------
craftoman
Could this be another marketing trick to lure more customers? Last time I
checked, companies are actually favourable when they "get slightly hacked".
They get front page from top tech websites, magazines, forums...

------
sellingwebsite
How feasible is it to run and administer your own VPN in the cloud?

------
jbillow2000
Wonder if there will be a class action.

------
dlphn___xyz
What can a paid VPN service provide that you couldn't get with free / open
source tools?

------
HNLurker2
ROFL at the ads

------
SimeVidas
The best thing NordVPN can do right now is make a statement that clearly and
honestly describes how its users are affected. No bullshit marketing language,
no trying to hide facts, just a short and simple explanation of what this
means for users and what they should do next.

~~~
readhn
Truth is, if hackers did a MITM attack and collected a bunch of user traffic (for
how long?) they could have everything: banking info, emails, logins...

At this point, if I was a user of that VPN service, I'd be replacing all of my
sensitive passwords and secret questions/answers to key accounts.

~~~
rocqua
MitM-ing a VPN does not break HTTPS. Hence, any passwords sent over HTTPS are
still safe. You could speculate that a VPN MitM is a nice way to get a MitM
position for a further attack on TLS. But that requires a lot more
speculation.

What isn't safe is your browsing history. True, any HTTP data isn't safe, but
trusting that to be safe is baaaaad anyway.

In short: this leaked browser behavior, and _could_ be a single step in
getting a MitM position on users.

~~~
catalogia
NordVPN's advertising has deliberately downplayed the significance of HTTPS,
as part of their fear mongering campaign about public wifi and residential ISP
connections, so it's not really surprising to see such misconceptions raise
their heads when NordVPN screws the pooch like this.

------
yjftsjthsd-h
@dang or mods - I'm surprised that this isn't merged with
[https://news.ycombinator.com/item?id=21311475](https://news.ycombinator.com/item?id=21311475)
; is there some special value in keeping them separate?

~~~
dang
No, we just hadn't seen it yet. They're merged now.

If you want to let us know about something, it's best to email
hn@ycombinator.com. We don't see all the comments—I only saw this one by
accident—but we do see all the emails. (Well, except possibly a few that go
into spam. We comb through the spam folder and rescue most, but a few with
unfortunate subject lines probably get missed.)

~~~
yjftsjthsd-h
Thanks and noted. I sorta assumed that you had an alert on "@dang" or "@mods"
or so, but I will keep that in mind in the future.

------
codesushi42
This is the last time I trust a product endorsement from the Angry Videogame
Nerd.

------
some_furry
If you're reading this and wondering which VPN service you should use to stay
safe, start reading here: [https://faq.dhol.es/@Soatok/cryptography/which-vpn-service-w...](https://faq.dhol.es/@Soatok/cryptography/which-vpn-service-will-protect-me-from-hackers)

(Spoiler: You're asking yourself the wrong question.)

~~~
tejohnso
Why does the linked suggestion say "Don't use an Android phone, use an iPhone
instead."

~~~
some_furry
Ask tptacek and idlewords?

