
Seven 'no log' VPN providers accused of leaking 2TB of user data - wglb
https://www.theregister.com/2020/07/17/ufo_vpn_database/
======
KindOne
Discussion 2 days ago (222+ comments):

[https://news.ycombinator.com/item?id=23876146](https://news.ycombinator.com/item?id=23876146)
"UFO VPN claims zero-logs policy, leaks 20M user logs"

Title is also slightly misleading, multiple sources have 1.2TB, not 2TB.

~~~
system2
Really doesn't matter how many tb to be honest, I don't even look at the
number. Even 1 kb is more than enough.

~~~
KMag
Well, except that 1 kb is still consistent with "no log", as if they're
businesses, they need to keep track of which user names/pseudonyms have paid.

A 1 kb leak isn't okay, but at least it's potentially consistent with their
promises to their users.

~~~
system2
You are missing my point. Any kind of leak means they are logging regardless
of the leak size.

~~~
KMag
My point is that if the leak is a grand total of "1kb of user logs", it may
not be the sort of log you're assuming. If the leak is a 1 kb list of valid
usernames and password hashes, how does that prove they were violating their "no
log" policy? It just proves they were doing access control, which we knew
anyway.

~~~
nieve
It's the data breach equivalent of the cryptography rule that a break never
gets better and usually gets worse. A canary in a coal mine, basically - if
1kb has been leaked you can safely assume a lot more has since that's not an
amount that any attacker would bother with under normal circumstances. If they
do care it's because they expended a penetration on targeting few or one
individuals max and we almost certainly wouldn't see the results.

If I saw a dump of 10 email addresses from Hacker News it would be imprudent
to assume that somehow an attacker had made it in as an admin and yet only
accessed those. It would be outright foolish to assume that if there were 10
addresses the damage is inherently less than 10.

------
chias
Never forget how VPN actually works:
[https://i.redd.it/ginexp6ezoa31.jpg](https://i.redd.it/ginexp6ezoa31.jpg)

~~~
system2
It made me laugh hard, so true. I wish there was a better way.

~~~
Polylactic_acid
Onion routing is a better way. Not bullet proof but it's a whole lot better
than a VPN.

------
jb775
> _UFO also claimed its logs were kept for traffic-performance monitoring
> only_

When your product's sole purpose is to provide privacy, there's no excuse in
the world good enough to knowingly retain logs like this. There needs to be a
class-action lawsuit to curb douchebag businesses like this.

~~~
gHosts
As Bruce Schneier says.... Data is the toxic waste of the modern era... you
just know sooner or later it's going to leak.

Don't collect it if you don't need it. Destroy it as soon as possible if you
do.

~~~
raverbashing
"No, no, but GDPR bad!!11 We care about your privacy that's why we collect all
the data we can, sell it to everybody and store your passwords in plaintext"
As said by several ad-supported businesses and especially ad-networks.

~~~
DarkWiiPlayer
99% of criticism against GDPR I've seen is either about how it's poorly
implemented (but still a good idea in principle) or about cookie banners
(which are not even GDPR's fault though); I don't think I've ever seen anybody
complain that the whole concept of GDPR is bad.

~~~
manicdee
That's part of the joke.

------
jolux
I stopped trusting VPNs that weren’t hosted by me years ago. Wireguard is
simple enough that any reason to is rapidly diminishing.

~~~
thekyle
Lots of use cases aren't covered by a self-hosted VPN. Public VPN servers
allow you to blend in with other traffic coming from a shared IP giving you
plausible deniability for things like piracy.

~~~
arsome
A few other major use cases I've used them for:

- Scraping, when my scraper gets blocked from the real estate site, wallpaper
site, etc, I click next IP, change my UA and I'm ready to go for another
round. You can play cat and mouse all day without worrying about all your IPs
getting banned.

- Avoiding DDoS attacks, if you're doing something that makes you likely to
become the victim of a DDoS attack, like say, joining a script kiddie's botnet
IRC server, not giving a crap if your public IP gets dropped is pretty handy.

- GeoIP bypasses, allows you to work around everything from region locked
content to discriminatory pricing

- Country-wide and default blockades, many countries censor the internet only
in minor and weak ways, blocking things like BitTorrent tracker websites by
domain or IP that commercial VPNs will trivially bypass

~~~
judge2020
And legitimate users still wonder why using a VPN makes the internet harder to
use in terms of being on blacklists and having low IP reputation.

------
a012
> It appears seven Hong-Kong-based VPN providers – UFO VPN, FAST VPN, Free
> VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN – all share a common
> entity, which provides a white-labelled VPN service.

> VPNmentor created an account with one of the providers, and spotted that new
> account in the logs, specifically "an email address, location, IP address,
> device, and the servers we connected to." VPNmentor alerted the providers
> involved to get the cluster removed from public view, as well as HK-CERT,
> though it seems no action was taken to immediately rectify the situation.

------
throwaway42343
I've always thought VPN was a bit pointless: a browser fingerprint already has
far more bits of information compared to your IP address.

~~~
yjftsjthsd-h
Really depends on your threat model; some of us distrust our ISP more than
websites that we use.

------
davvolun
Why is this marked as a dupe, when the "original" doesn't mention the other 6
VPNs leaking data? Yes, UFO VPN's leak in this article is based on the
"original" article, but I looked at this to see if it included any VPNs I use,
and I never clicked on the UFO VPN article because I don't use UFO VPN.

------
BjoernKW
For me, the main benefit of a VPN is security on public WiFi networks.

Is it perfectly secure? No, but I trust a business I’m paying a regular amount
to quite a bit more than a random free public WiFi provider, who is not only
able to siphon off data but also has a lot more incentive to do so.

~~~
heidar
With even DNS using TLS on some newer browsers nowadays, the risks of using a
public wifi are disappearing.

------
mnm1
I wonder if these VPN providers can be prosecuted under the CFAA for not
following their own ToS. It would stand to reason that if users can be
prosecuted thus, the provider can be too. Or no one can be.

------
niftylettuce
If you need an email provider that doesn't store logs nor read your emails,
check out our GitHub or site @
[https://forwardemail.net](https://forwardemail.net).

------
hartror
What a surprise, a database technology that previously has made security a
premium feature is unsecured.

------
konart
There is no such thing as legal VPN provider that does not store logs.

~~~
yjftsjthsd-h
Don't know why you'd think that? [https://torrentfreak.com/private-internet-access-no-logging-...](https://torrentfreak.com/private-internet-access-no-logging-claims-proven-true-again-in-court-180606/)

~~~
konart
Because I live in Russia I guess. The article tells me about how a court of law
operates in the US but does not really prove me wrong.

Was the FBI given access to PIA's servers to check things out? From what I
understand PIA was just able to "prove" that they can't give the FBI what they
wanted and the court was "well, sorry fellas". Does this prove that they
don't really have logs? Not really.

I guess I'd trust them more than others, sure. But I'm still inclined to treat
any service as a possible leak source.

------
tolbish
So the conclusion we are to draw is that VPNs are for the naive, and that if
you really _get_ security, you self-host or go VPN-less (what is the
alternative, exactly?)

Isn't the major benefit of a VPN the added hoop websites have to jump through
in order to build visitor profiles?

~~~
yjftsjthsd-h
> So the conclusion we are to draw is that VPNs are for the naive

Bit more nuanced than that, but it's certainly a field full of liars and
scams.

> and that if you really get security, you self-host

Really depends on what your goal is; self-hosting can, for instance, pin you
personally to a single static IP. But for some things, yeah it _can_ be
better.

> or go VPN-less (what is the alternative, exactly?)

TOR, I expect.

> Isn't the major benefit of a VPN the added hoop websites have to jump
> through in order to build visitor profiles?

That _can_ be one benefit, yes. It doesn't have to be a silver bullet, but you
do want to be clear on what benefits you expect to get from your particular
solution.

