
Don't use VPN services - miles
https://gist.github.com/joepie91/5a9909939e6ce7d09e29
======
infodroid
This seems like bad advice because it doesn't address the legitimate need for
keeping your browsing history private from overzealous, data-mining ISPs [1].

And even in the case of a known-hostile ISP that engages in invasive practices
like supercookies or ad injection, it's unrealistic to ask users to set up and
maintain their own VPS servers.

For the average internet user, a "glorified proxy" service that is hassle-free
to set up is a simple and effective means of protection against such a menace.

[1] [https://techcrunch.com/2017/03/29/everything-you-need-to-know-about-congress-decision-to-expose-your-data-to-internet-providers/](https://techcrunch.com/2017/03/29/everything-you-need-to-know-about-congress-decision-to-expose-your-data-to-internet-providers/)

~~~
hug
It seems like bad advice because it is, frankly, just bad advice. Nearly all
of his arguments fall down, even within his own post.

He says that VPN providers don't provide more security. They do, and he
mentions this himself when it comes to the public wifi argument.

He says that VPN providers don't provide more encryption. They do. Another
layer of transport encryption is another layer of transport encryption.[1]

He says that VPN providers don't provide more privacy. They do. Turns out a
lot of networks do things like log DNS, which a decent VPN client can
tunnel.[2]

He says there are two use cases for VPNs: There are a lot more.

He says that tunneling all of your traffic is a _worse_ case for obfuscating
your identity to a third party service. It's not, or at least I can't imagine
how it would be.

He says that instead of a VPN, you can use a VPS with a VPN: That's just a
VPN. It does all of the same things, including being outsourced to a third-
party provider, except you lose a ton of the functionality of a real VPN
service like geographical redundancy and spread.

He asks why VPN services exist, if for any other purpose than stealing traffic
or data, but fails to understand any way in which a VPN service could be
useful.

The entire piece is just the opinions of someone who is failing to see that
other people have significantly different use-cases and threat models than he
does.

-

[1] Especially if you think of "local -> internet" as easier to intercept than
"somewhere internet -> otherwhere internet". Which it usually is. One involves
something dumb simple like ARP poisoning. Another involves compromising a
telco or the VPN provider itself, which is a teensy bit harder. All of this is
even sillier if you consider the hostile-network scenario as well.

[2] Yes, you are offloading 'trust' that the VPN provider doesn't _also_ log
your DNS. There's more chance that they don't when they say they don't, than
your corporate network doesn't when they say they do.

~~~
tyler_larson
A VPN tunnel in the abstract provides the benefits you mentioned, but a VPN
_service_ is a slightly different beast. It doesn't solve the problem with
your untrusted ISP, it just gives you effectively a different untrusted ISP.

Imagine if, in response to the question, "how do I protect myself from
snooping ISPs" someone provided the answer, "Just use an ISP that specializes
in providing anonymity." You'd probably object on the following grounds:

* Saying you provide anonymity doesn't mean that you actually do. And track records tend to demonstrate otherwise.

* Your ISP still knows exactly who you are, even if they promise not to tell.

* ISPs who specialize in shady customers are more likely to be under surveillance themselves, meaning you're now _more_ likely to be under surveillance rather than _less_.

* You're solving the wrong problem: you need end-to-end privacy, not just customer-to-ISP

You'd be right. But more importantly, these same objections apply to VPN
providers. They more-or-less ALL specialize in aggregating known-suspicious
traffic, which is not the bundle you want to be tied in with.

In fact, any argument you could make against using a Cloud VPN endpoint can
also be made against a VPN service provider. Because, and this should be
painfully obvious already, VPN providers just terminate their traffic through
Cloud and/or Colo hosting providers as well; usually optimized on bandwidth
cost over all else. So by setting up your own VM, you're just cutting out one
of the middle men. There's nothing they can do that you can't do just as well
without them.

~~~
toyg
_> There's nothing they can do that you can't do just as well without them._

That applies to any service out there. Are you running your own mail server?

------
whorleater
This is throwing the baby out with the bathwater, yes you should assume that
your VPN provider is 100% logging your IP, traffic, referrer, etc, but you
should also assume that any public wifi is being sniffed. A VPN won't
magically hide your traffic, you're shifting the attacker in the threat model.
But all this is also means that a VPN provider is less dangerous than public
wifi is, which is really the reason you should be using VPN's.

~~~
kibwen
If you already have an SSH client (which implies that you have somewhere to
SSH to) and Firefox installed on your machine (not sure about Chrome) then you
can prevent public wi-fi snooping right this very instant with a SOCKS proxy.
This requires no new software on your machine, no money to change hands, and
takes literally 30 seconds to set up. VPNs are overkill for that use case.

~~~
coherentpony
Only for firefox's traffic. There's almost certainly other software on your
machine using the network and thus not going through the proxy unless you
explicitly tell it to.

~~~
jffry
I'm pretty sure you could use
[https://github.com/sshuttle/sshuttle](https://github.com/sshuttle/sshuttle)
though I haven't looked into it (does it proxy DNS? UDP? DHCP? I'm not sure)

~~~
GordonS
Just a note, it doesn't work with Windows, only Linux and OSX.

------
slg
I suggest people lookup "The Market For Lemons"[1] as it is a good warning for
what can happen to markets with extreme information asymmetry. VPN providers
like many tech companies have a huge information asymmetry over their
customers. There is no way to really verify many of the claims that a provider
is making, especially when it comes to something like logging. The result is
that the consumer can't actually distinguish a low quality product from a high
quality product. This creates a disincentive for companies to actually provide
a high quality product when they can provide a product that is lower quality
and cheaper to produce and still pull in the same revenue from users. If this
is allowed to go on without any form of third party intervention, the end
result is a market filled of products with dubious quality.

[1] [https://www.iei.liu.se/nek/730g83/artiklar/1.328833/AkerlofMarketforLemons.pdf](https://www.iei.liu.se/nek/730g83/artiklar/1.328833/AkerlofMarketforLemons.pdf)

~~~
lighttower
Exactly what you say. Maybe the solution is to use two VPNs. That way the
second doesn't know your home IP and the first has no info on the content.
Like a home baked Tor.

~~~
jsjohnst
You don’t think a legal authority wouldn’t subpoena both?

~~~
cm2187
I think that’s not his point. There is a probability p that a VPN provider is
not providing the service it advertises (i.e. a lemon). But the probability that
both are lemons becomes p^2, which is much lower (subpoenaing a provider that
maintains no logs is useless).

Where it breaks I think is that you can chain as many VPNs as you want, only
the last one sees what you are downloading, the others only see traffic to
another VPN. So the authority just needs to subpoena that one.

------
delbel
Well then why is it that if you actually try to sue a VPN provider for the logs,
you won't be able to get them? This is the case for one scenario I know of
where a subject got hacked and it was traced to a VPN service. The article is
just FUD -- this conversation could be warranted in some cases, but
realistically I've found that it isn't the case. This doesn't mean that their
outbound service isn't being logged by a third or unknown party like a
government entity (which we know all traffic is logged), but hey, it is what it
is.

~~~
cgb223
Can you give us some known examples of VPN Providers that were sued and didn't
give logs?

I'd imagine a list of those ones would be considered more credible

~~~
godelski
A quick google shows a few.

I know PIA had an actual FBI subpoena.[1] (literally the first link I find) Of
course there are collision based identification methods, but knowing that you
use a VPN and were using something on the East Coast isn't much to go off of.
Worst case I can see here is "User was the only one connected on the East
coast at this time", but with PIA's userbase, that seems like an unlikely
scenario.

There's also a list [2] (little old)

I remember looking a little closer back when the ISP stuff was happening and
it wasn't too hard to find cases where specific VPNs were "tested in the
field". But I remember coming across a few, I think Norad was also one of
them.

[1] [https://torrentfreak.com/vpn-providers-no-logging-claims-tested-in-fbi-case-160312/](https://torrentfreak.com/vpn-providers-no-logging-claims-tested-in-fbi-case-160312/)

[2] [https://torrentfreak.com/vpn-services-that-take-your-anonymity-seriously-2013-edition/](https://torrentfreak.com/vpn-services-that-take-your-anonymity-seriously-2013-edition/)

~~~
kuschku
Yeah, except when PIA gave copies of the subpoena to the media, they only
blacked out the content by adding a layer in the PDF.

So you can open it up in Acrobat, and see everything below.

Are you going to trust a VPN provider that can’t even black out text in a PDF?

For reference, here the content with the blacked out info un-blacked-out:
[https://i.imgur.com/u1hYerD.png](https://i.imgur.com/u1hYerD.png) and
[https://i.imgur.com/1a9YD0f.png](https://i.imgur.com/1a9YD0f.png)

~~~
jessaustin
There's nothing confidential in those images. It is a matter of public record
that Detective Andrew Perley #660 wanted to know who was routed through
184.75.214.66 on 2013-2-19, and that his interest was communicated to the VPN
provider on 2013-4-22.

I'm not sure why they went through the rigmarole of pretending to black
something out. Maybe they were just fucking with him?

~~~
kuschku
They sent the blacked out version to the media, and Ars and others published
them like that.

So why did they black it out? As a childish joke? Also not inspiring trust in
them.

And if they just blacked it out, without need of doing so, and fucked that up,
then the question is if they're trustworthy if their security team doesn't
double check their blacked out PDFs.

The problem isn't with the content, but with the process.
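The process failure kuschku describes (a black box drawn on top of text, with the text left in the file) is easy to check for before a document is published. The following is an added example, not code from the thread or from any party it mentions: it builds a constructed one-page PDF in which a placeholder value (`SENSITIVE`, a made-up string, not anything from a real subpoena) is drawn and then painted over by a rectangle, and then parses the content stream to see whether the value is still present in the text layer. Because the stream is Flate-compressed, a plain byte search such as grep reports nothing, which is exactly why an overlay-based redaction can pass a casual check. All function and constant names here are my own.

```python
import re
import zlib

# Constructed placeholder standing in for the value a document was meant to hide.
# It is not taken from any real subpoena or PDF.
SENSITIVE = "REDACTED-PLACEHOLDER-VALUE"


def pdf_escape(text: str) -> str:
    """Escape the characters that are special inside a PDF literal string."""
    return text.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")


def build_pdf(text: str, text_present: bool = True, compress: bool = True) -> bytes:
    """Build a minimal one-page PDF (constructed sample, not a real document).

    text_present=True mimics the failed redaction: the text is drawn and then a
    black rectangle is painted over it. text_present=False mimics a real
    redaction, where the text operator is removed from the content stream.
    compress=True wraps the content stream in FlateDecode, so the plaintext is
    not visible to a byte-level search, only to a parser.
    """
    ops = []
    if text_present:
        ops.append(f"BT /F1 12 Tf 72 700 Td ({pdf_escape(text)}) Tj ET")
    ops.append("0 g 70 690 200 20 re f")  # black box painted on top of the text
    content = "\n".join(ops).encode("latin-1")
    filt = b""
    if compress:
        content = zlib.compress(content)
        filt = b" /Filter /FlateDecode"
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/Contents 4 0 R /Resources << /Font << /F1 5 0 R >> >> >>",
        b"<< /Length " + str(len(content)).encode() + filt + b" >>\nstream\n"
        + content + b"\nendstream",
        b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>",
    ]
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (
        len(objects) + 1, xref_pos)
    return bytes(out)


# One stream object: its dictionary (for the /Filter entry), then the raw bytes.
# The tempered (?!endobj) token keeps a match from spilling across objects.
STREAM_RE = re.compile(
    rb"<<((?:(?!endobj).)*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
# Tj shows one literal string; TJ shows an array of strings and kerning numbers.
TJ_RE = re.compile(rb"\((.*?)(?<!\\)\)\s*Tj")
TJ_ARRAY_RE = re.compile(rb"\[(.*?)\]\s*TJ", re.S)
LITERAL_RE = re.compile(rb"\((.*?)(?<!\\)\)")


def pdf_unescape(raw: bytes) -> str:
    """Undo the escaping of ( ) and backslash inside a literal string."""
    return re.sub(rb"\\([()\\])", rb"\1", raw).decode("latin-1")


def extract_text_strings(pdf: bytes) -> list:
    """Return every literal string passed to a text-showing operator.

    Only the two common operators (Tj, TJ) and the FlateDecode filter are
    handled: enough to catch the overlay failure mode, not a full extractor.
    """
    found = []
    for dict_part, data in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in dict_part:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue  # not a stream this small parser can read
        found.extend(pdf_unescape(m) for m in TJ_RE.findall(data))
        for array in TJ_ARRAY_RE.findall(data):
            found.extend(pdf_unescape(m) for m in LITERAL_RE.findall(array))
    return found


def redaction_leaks(pdf: bytes, sensitive: str) -> bool:
    """True when the value a black box was meant to hide is still in the text layer."""
    return sensitive in extract_text_strings(pdf)


if __name__ == "__main__":
    leaky = build_pdf(SENSITIVE, text_present=True)
    clean = build_pdf(SENSITIVE, text_present=False)
    print("byte search finds the value:", SENSITIVE.encode() in leaky)        # False
    print("overlay-only 'redaction' leaks:", redaction_leaks(leaky, SENSITIVE))  # True
    print("real removal leaks:", redaction_leaks(clean, SENSITIVE))            # False
```

A real redaction removes or replaces the text operator and re-saves the file; the same scanner then reports nothing for it. Running this kind of check on the output, rather than trusting what the viewer shows, is the "double check" the comment asks for. Scanned (image-only) PDFs, fonts with custom encodings and the less common text operators are outside what this small parser handles.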

------
endorphone
As always the title is a bit of an overreach.

If you are going to attract the attention of governments (PSN and Sony hacks,
etc), yes, don't expect a VPN to shield you.

If you're pirating a show that isn't available in your region, or checking up
on an old workplace website, etc, a VPN is likely perfectly fine and will save
you from legal scare letters, an old employer seeing your visit, etc.

~~~
smogcutter
Wait, we're supposed to worry about an old employer seeing a visit to a public
company website? How would that even happen, and why would anyone care?

~~~
jsmthrowaway
Only justification I could think of is a strict reading of CFAA, where in your
exit paperwork the employer commands you not to access any company systems,
and the Web site is technically a company system. Though “protected” would be
quite arguable there.

I occasionally have crons from my personal infrastructure running into an
employer for operational purposes (offsite monitoring or whatever), so I’ve
blackholed outgoing traffic to former employers to be on the safe side in case
I miss one. So I can see where that sentiment is coming from, though I think
it’s a legal stretch.

~~~
fred_is_fred
So for the 99.999999% of the rest of us who don't use personal systems to
provide monitoring services this argument doesn't apply. Seems like it would
be easier to just use outside monitoring or setup some monitoring instances in
the cloud that your employer owns than going through this effort.

------
0x7f800000
Steve Gibson specifically recommends TunnelBear because they submitted
themselves to a public security audit.

[https://www.tunnelbear.com/blog/tunnelbear_public_security_a...](https://www.tunnelbear.com/blog/tunnelbear_public_security_audit/)

Other than TunnelBear, ProtonVPN is run by the ProtonMail folks and is based
out of Switzerland, so they would respond to any foreign subpoena with a
polite "fuck off."

~~~
daxorid
> based out of Switzerland

Switzerland is no longer the bastion of privacy it once was. In fact, it's
been _nine years_ since every single Swiss Bank rolled over on their customers
to placate the IRS. And it's only been downhill from there since.

~~~
XorNot
I'm really okay with this. Taxes are the price we pay for civilisation and
people dodging them are stealing from you.

~~~
confounded
Surveillance of money, and surveillance of speech, association, location, etc.
are not the same, and one does not justify the other.

~~~
s73v3r_
I believe they were saying that they were OK with the Swiss banks giving info
to the IRS about tax dodgers. Which I'm ok with too. I'm not ok with random
web traffic being disclosed to authorities.

------
lr4444lr
So what's the alternative? Trust my ISP not to do the same? No thanks, I'll
take my chances that my well-regarded and relatively cheap VPN service has
both fewer resources to handle massive data storage for as long a term, and is no
less incentivized to turn huge profits or protect themselves by spilling
everything to the government, even if both would under extreme duress. For
what I pay, the VPN is a worthwhile little extra protection, not to mention
the extra portable security when I have no choice but to use public wifi.

~~~
yjftsjthsd-h
If you're reading HN, one alternative is spin up your own VPN on
AWS/Gcloud/DigitalOcean/etc. It's not hard, and there are some scripts /
ansible playbooks to automate the process.

~~~
cm2187
The movie studio will send a DMCA to AWS who will pass it on to you, then
what?

Helps with ISP snooping yes, though I expect it to be more expensive (VM and
bandwidth in clouds isn’t cheap).

~~~
hyperpower
What do you consider expensive? You can easily get a VM with 1TB bandwidth for
$5 a month.

~~~
cm2187
I had AWS and Azure in mind.

------
eloisant
It depends what you want to do with the proxy. If you're doing serious crimes
like child porn, terrorism or mass hacking the government will probably ask
the VPN for logs.

But if you're just doing stuff like P2P to download content illegally, at
least in France they only track IPs for the consumer ISPs. Any other IP,
especially out of the country, they'll ignore.

So it doesn't matter if they have the logs, for minor things the government
agencies or copyright holders will just give up and focus on the easy targets.

~~~
laurent123456
Also in some countries some torrent websites are blocked and a VPN gives
access to these too. It's also useful to watch TV channels in other countries
since they are often geo-blocked.

In other countries like China there's no question that a VPN is useful.
Actually whoever wrote this article seems a bit clueless about why a VPN is
useful. They suggest setting up your own on a VPS but doing this in China will
get your server blocked right away. That's why a third party is useful since
they can offer various IPs in many countries and quickly setup new servers
when they get blocked.

------
thieving_magpie
I'm sure the intended audience for enemies of the state are googling "should i
use a vpn?" right now. What a silly article.

Understand vpn's, understand public VPN providers, evaluate the risk for
whatever you're trying to do.

------
skywhopper
Plenty of good points here. I'm disappointed the author did not know about
Streisand, a tool to help set up a number of VPN and related services on cloud
hardware you control:
[https://github.com/StreisandEffect/streisand](https://github.com/StreisandEffect/streisand)

When the setup is complete, you end up with some incredibly well-written
instructions that make setting up the tools with any OS dead-simple. It's a
really fantastic project.

~~~
DavideNL
or Algo:
[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo)

------
badrabbit
The author makes good points but forgets two key considerations:

1) Reputation. A well known, well reputed provider (Fsecure or protonvpn for
example) for most users would not be less trustworthy than their ISP. ISPs can
easily get away with injecting malware into your http traffic or selling your
data. A security company or VPN provider based in a jurisdiction with strict
privacy laws and with well known business owners however has a lot more to
lose and a lot less legal fighting power.

2) Threat model - you are already trusting someone (ISP) with not only
monitoring your traffic but manipulating it. That should already be part of
your threat model. When comparing a VPN provider with your ISP, which potential
attacker poses a greater risk? For many users, sadly, it is their ISP.

Last note, most VPN users just want to bypass IP restrictions, they don't care
all that much about privacy (although that seems to be changing).

~~~
irundebian
I don't know where you live, but in my country ISPs are not well known for
injecting malware into the traffic.

------
zokier
> If somebody wants to tap your connection, they can still do so - they _just_
> have to do so at a different point (ie. when your traffic leaves the VPN
> server).

I feel like this sets up false equivalency. Tapping VPN provider and tapping
individuals last mile are very different things. Of course it is debatable
which one is more secure etc, but the fact remains that they have very
different characteristics. I'd say that for almost any single attacker moving
the hypothetical tap will not be happening at a push of a button, more likely
it will not happen at all.

~~~
nukeop
Furthermore, what is even meant by this "tap"? For most attackers breaking
OpenVPN + HTTPS is just plain impossible, even if they somehow intercept the
connection and position themselves between the VPN end point and the target
server.

------
smsm42
The argument seems to be "since VPN does not provide perfect security and
privacy, you should not use it". This is obviously a fallacious argument - you
need to evaluate "using VPN" vs. "not using VPN", not "using VPN" vs. "using
some perfect theoretic unicorn privacy system that nobody has".

Yes, VPN providers can track - but they make it harder to track you to third
parties, unless they are in collusion with those parties, but for average user
the chance this is happening - unless they are on the FBI/NSA radar already -
is pretty low.

Yes, third parties can fingerprint and use other techniques to track people.
That's not the reason to offer them the most easy and readily available means
of tracking on a silver plate.

------
Johnny555
His whole argument against VPN providers seems to depend on this statement:

"Statistically speaking, it is more likely that a VPN provider will be
malicious or a honeypot, than that an arbitrary generic VPS provider will be."

But is that really true - how do I know that Linode, Bluehost, and other VPS
providers aren't looking at my traffic?

~~~
morganvachon
> _" how do I know that Linode, Bluehost, and other VPS providers aren't
> looking at my traffic?"_

I would assume that it's because they have no financial interest in the
content of your traffic, whereas a VPN-specific service might. Most big VPS
providers know that the bulk of their customers are technically minded people
who read their own logs and monitor their own traffic, so there's no technical
interest for them either.

That said, if you end up abusing their terms (higher than allocated traffic or
sustained heavy CPU time, for example), you can expect them to investigate if
only to see if it's malicious in nature (DoS, spam, etc) or just a bad
configuration.

But again, those are just assumptions on my part. If you have any doubt about
a particular service, it's probably best to move on to one you can vet/audit.

~~~
Johnny555
_But again, those are just assumptions on my part._

Well yeah, that was the point of my comment -- it sounds like unsubstantiated
opinion.

_If you have any doubt about a particular service, it's probably best to
move on to one you can vet/audit._

How is that even possible? Assuming you want to connect to the internet, you
have to hand off your traffic to some upstream provider than you can't trust.

------
AdmiralAsshat
So we've seen several VPN services that have proven to be malicious, insofar
as selling your browsing history to advertisers (see Hola Better Internet[0]),
but have we actually seen a VPN provider being a 'honeypot' yet?

I guess we should qualify the term. In my mind, that would be a hostile
government who sets up a VPN service for the purpose of attracting citizens
who wish to avoid their censorship, and then arresting the users.

[0] [https://lifehacker.com/hola-better-internet-sells-your-bandwidth-turning-its-1707496872](https://lifehacker.com/hola-better-internet-sells-your-bandwidth-turning-its-1707496872)

~~~
ikeboy
Some Tor relays are absolutely honeypots

------
nextstep
There’s a third, valid reason you should use a VPN: accessing geo-restricted
content. This use case doesn’t require any privacy guarantees above a normal
user-ISP relationship.

~~~
erikb
Is that still possible? Around a year ago services like Netflix started to
block VPNs to avoid exactly this usecase.

~~~
TillE
EarthVPN has stopped working for me for BBC iPlayer, but NordVPN works fine. I
think they change the IPs every so often.

------
gambiting
In UK, all ISPs have to log your browsing history for a year now. And from
April, all adult websites have to verify your identity (proposals as to how
include giving them your passport scan and credit card details). And British
government has just announced a tool that will automatically flag extremist
content on the internet using AI.

I'd much much much rather take my chances with a VPN provider and still route
all of my traffic through any other country other than UK, thank you very
much.

------
karmakaze
> And remember that it is in a VPN provider's best interest to log their users
> - it lets them deflect blame to the customer...

Data is a liability. Keeping it is assuming responsibility. It is in the
provider's best interest to keep the minimum information. If any agency were
to ask for data, you can honestly say there is none and be free to continue
running your business.

And if you must keep data, keep it encrypted and only decryptable by the
customer wherever possible.

------
_Chief
As someone from an African country with govt affiliated ISPs, even if my vpn
service logged almost everything, I'd still use it as compared to the
alternative

------
drcode
I view VPN services more as "Kabuki Theater": The major governments need to
keep up the pretense that they aren't reading our traffic via arrangements
with the VPN providers, and in return they promise to keep our actions secret
BUT ONLY if we aren't engaging in a national crime such as terrorism or
espionage.

------
braindongle
Wha? Isn't the VPN market about accessing geo-restricted content? My non-geek
friends often ask me "Can I stream X for free?" Moral and legal questions
notwithstanding, the answer is often yes, using a VPN service.

Could restriction-avoidance come back to bite you someday via logged behavior?
Perhaps, but it sure wouldn't be in the interest of a VPN provider to allow
that to happen. Should one lose sleep over appearing to be in the UK in order
to stream Eurosport? Tough sell.

"Send all of your traffic through us so that we can keep it private and
secure" is absurd on the face of it. I'd like to think many non-technical
people can see this, yet want to watch the Olympics on CBC because, more
curling!

------
HorizonXP
I'm not overly concerned with traffic being traced back to me via my ISP, so I
just run OpenVPN on my pfSense router. Whenever I'm on remote WiFi that isn't
run by me, I hop on the VPN and route all traffic through it. Minimizes my
exposure on public hotspots, which is what concerns me most.

It's irritating that I have to worry about my ISP, but not irritating enough
for me to care. If that changes, I'll spin up a machine on some hosting
provider and route traffic through there. It'll suck to have reduced speeds in
that case though.

------
sesutton
I have much higher trust in my VPN than my ISP, which used to make you pay
more if you didn't want to be spied on (AT&T).

It also stops them from sending me copyright notices which is a verifiable
service.

------
newscracker
If you're going to use a VPN, please read about its policies and try to
understand them. I was horrified to learn about this VPN service from Facebook
that is now being promoted in its iOS app (I don't use the app, but anything
to do with Facebook generally worries me). The Onavo VPN service from Facebook
is disguised as a protection mechanism but tracks the user for the benefit of
Facebook.

Quoting from this recent news: [1]

"But Facebook didn’t buy Onavo for its security protections.

Instead, Onavo’s VPN allows Facebook to monitor user activity across apps,
giving Facebook a big advantage in terms of spotting new trends across the
larger mobile ecosystem. For example, Facebook gets an early heads up about
apps that are becoming breakout hits; it can tell which are seeing slowing
user growth; it sees which apps’ new features appear to be resonating with
their users, and much more.

This data has already helped Facebook in a number of ways, most notably in its
battle with Snapchat. As The WSJ reported last August, Facebook could tell
that Instagram’s launch of Stories – a Snapchat-like feature – was working to
slow Snapchat’s user growth, before the company itself even publicly disclosed
this fact."

[1]: [https://techcrunch.com/2018/02/12/facebook-starts-pushing-its-data-tracking-onavo-vpn-within-its-main-mobile-app/](https://techcrunch.com/2018/02/12/facebook-starts-pushing-its-data-tracking-onavo-vpn-within-its-main-mobile-app/)

------
overgard
I use a VPN all the time on my laptop because I'm frequently on public wifi at
coffee shops. That alone makes a VPN worthwhile. The logic of "you can't 100%
trust them so it's useless" seems really extreme and detrimental. Yeah, it won't
stop a determined government agency... but unless you're Edward Snowden what
you probably should be more worried about is some sketchy hacker listening in
on wifi traffic, which VPNs are super useful for.

------
Pokepokalypse
My direct ISP is a local monopoly.

My direct ISP is also a vertically integrated global media conglomerate which
lobbies for abusive copyright practices, and maintains a large catalog of
entertainment IP, which it walls-off from other providers, for the purpose of
limiting competition.

My VPN provider may collect data. But they're not fucking evil monopolists.

And the other not-too-delicate point: MOST of the harm that comes from data
collection is not Gillette learning that you have sensitive skin and might
benefit from a 7-blade razor.

MOST of the harm comes from LARGE corporate entities aggregating huge datasets
from large quantities of people, such that they can draw statistical
inferences. There can be a small subset of weirdos - who adblock and vpn.
Doesn't matter, because all their neighbors share their data openly. The
weirdos who protect themselves are still statistically outed - and even if
they aren't the idiot neighbors are exposed to fake news, shitty campaign ads,
and they vote, and that affects policy and law which applies to all of us, and
that's why we should ALL be using VPN, but that's certainly not going to
happen, and if it did, the VPN companies would just sell our data to
aggregators anyway.

------
hprotagonist
The bayesian guess that customers of a VPN service, specifically, are going to
have more interesting traffic, is an interesting thing I hadn't really thought
about.

I would think that setting up
[https://github.com/trailofbits/algo](https://github.com/trailofbits/algo) and
getting good at moving around from cloud-provider-of-your-choice VMs wouldn't
be a horrible idea.

~~~
loopbit
A while ago I saw a link to
[https://github.com/StreisandEffect/streisand](https://github.com/StreisandEffect/streisand)
(probably here in HN) and I have it in the list of things-to-do to try it.

In the meantime I have an OpenVPN server at home just so I can log into my
internal network from everywhere and use it when on public wifi... For the
moment it's more than enough for me.

------
0culus
As always, you have to do what is right for _your_ threat model. I personally
run my own VPN mainly for peace of mind when I'm on untrusted LANs. It's
actually not that hard to do, and I can easily serve both my phone and my
computers.

And as always, if you have an APT after you...you have bigger problems than
what VPN provider you should use.

This gist is at best a straw man.

------
gerdesj
Slightly tangential: Today, one of my staff (we're an IT company, I'm CREST
accredited etc etc) connected up a NextCloud client to our NextCloud instance
on a laptop and noted that the SSL cert was untrusted.

The cert. on our NextCloud is a Let's Encrypt job. He was using a laptop
provided by a customer (he works there a lot) and they deploy a MitM web proxy
that he was perhaps only dimly aware of. I haven't looked too deeply into the
laptop config but it looks like either the MitM CA wasn't installed as trusted
or the NC client is a bit clever. Now, I'll plump for: screw up in other corp.
IT.

So we have a techie ignoring warnings from an app that is designed to share
data safely. OK, the customer's IT dept have their policies but I would have
hoped that the default from _my_ employee would have been to quietly walk away
and uninstall NC from that laptop (he did after a few words.)

------
cookiecaper
VPNs are very useful in lots of situations. My wife was in the hospital after
delivering a baby, and whatever QoS they had going on in the router was making
it painfully slow. Fired up PIA and off to the races, a normally functioning
internet connection. There are _a lot_ of networks where this is a legitimate
use case. With cell phones such as they are today, people connect to public
wifi frequently.

There's another benefit of VPN that people don't discuss much: your traffic
can be compressed with LZO. This can make an unusably slow connection usable.
The applicability to web browsing may be somewhat limited if the sites you use
all set up their gzip headers properly, but I think that's a stretch when
you're going off major properties, and it will compress all the traffic at the
network level regardless of protocol-specific options, so it should help some.

------
Dangeranger
If you want to setup your own VPN for personal use or for friends the
StreisandEffect project[0] on Github has made it dead simple for anyone with
basic Linux experience.

[https://github.com/StreisandEffect/streisand](https://github.com/StreisandEffect/streisand)

~~~
Exuma
If I'm doing that on OS X, what actual app/service do I use to connect to the
VPN I set up? For example with NordVPN it uses a mac app... so if I create my
own what do I use instead? Please don't say tunnelblick

~~~
subliminalpanda
You could try Viscosity[0], it's a great client but has a price tag, which I
feel is worth it.

[0]
[https://www.sparklabs.com/viscosity/](https://www.sparklabs.com/viscosity/)

------
clpwn
Obviously, this guy has never been to China (or any other censored country for
that matter).

------
vr46
I use a VPN to (a) prevent my employer from recording my visits to anywhere
and (b) my government from doing the same. I use ProtonVPN. This seems like a
good use case. And Proton seem like a good bunch. Anyone have any feedback?

~~~
yorby
Your employer doesn't have access to your computer? If they do, they more than
likely can see the traffic before it reaches the VPN...

~~~
vr46
It’s my own machine but of course I’m using their WiFi network.

------
cyberpip
Great site for going into the differences between VPN providers and all that
goes with the ratings:
[https://thatoneprivacysite.net/](https://thatoneprivacysite.net/)

------
adzicg
It’s reasonably easy to set up an L2TP VPN on AWS, using CloudFormation.
Running an EC2 instance for a full month for this costs roughly $5 USD. I
don’t really get why someone with a bit of tech skills (=using github) would
use a third party VPN service from an unverified provider. Sure enough, if
Five Eyes want to get your logs from AWS they will, but for avoiding airport
or hotel WiFi’s snooping a simple L2TP VPN over AWS serves quite fine, and it
works with mobile phones and laptops without requiring any additional
software.

~~~
notacoward
Do you suppose that Amazon, which actively sells cloud services to the US
intelligence community, is less able or willing to spy on your setup than a
VPN provider would be? I have some bad news for you.

~~~
sterlind
AWS would lose lots of business if their complicity became public. Foreign
customers have lost confidence in the security/data compliance of public cloud
in the wake of the NSA revelations.

It'd be bad for the NSA, too. I assume they are spying but only rarely act on
the data they're slurping. If Amazon loses customers, and the NSA has eyes
inside, the NSA loses their eyes.

~~~
notacoward
> AWS would lose lots of business if their complicity became public.

So would any VPN provider. The incentives are no different, and neither are
the opportunities, so recommending one over the other is a bit suspect.

------
darawk
...Or any network where it is not known whether it is hostile or not. I.e. any
network that isn't known-non-hostile. Which is most networks, possibly up to
and including your own home WiFi.

But if you want VPN service, why not simply set up your own server? They're
cheap. There are hosting services that accept cryptocurrencies if you're into
anonymity, and then you can be certain there are no logs (unless the hosting
provider logs you, of course).

------
leethargo
There are also multi-hop VPN services (similar to onion routing) that offer
privacy beyond a "glorified proxy" [1], [2].

[1] [https://restoreprivacy.com/multi-hop-vpn-chains/](https://restoreprivacy.com/multi-hop-vpn-chains/)
[2] [https://secure.cryptohippie.com/resources.php](https://secure.cryptohippie.com/resources.php)

------
krick
> But I want more encryption!
> Use SSL/TLS and blah-blah

Uh, DNS?

------
emmelaich
My analogy for non-IT people for a VPN is that it's a tunnel between houses so
you don't have to use the road or footpath.

Then I point out that if it's easy for you to get out, it's easy for others
(in the other house) to get in. And by extension anyone who visits their
house.

That usually makes them think.

Managed/service VPN makes the hole wider or tighter depending on how
trustworthy the manager is.

------
jfrankamp
Just run your own, it's two clicks. Load this into CloudFormation and stop it
when you're done.
[https://github.com/webdigi/AWS-VPN-Server-Setup/blob/master/...](https://github.com/webdigi/AWS-VPN-Server-Setup/blob/master/src/output/Unified-Cloud-Formation.json)

~~~
ripdog
What problems does this solve? It ensures you still have a unique IP on the
internet which can be traced by governments trivially, while a VPN service
which actually doesn't log will keep you safe from simple attacks like that by
sharing your IP.

If you assume the service provider is malicious and DOES log, then why is a
VPS provider any better than a VPN provider?

------
sandov
Yeah, but it's easier to coerce a local ISP into giving my logs than it is to
force a VPN settled in god knows what country to do so.

------
themanual
BTW, I use a private VPN server which can be set up on AWS in a few minutes
[https://github.com/webdigi/AWS-VPN-Server-Setup](https://github.com/webdigi/AWS-VPN-Server-Setup)

No logging on server side guaranteed. AWS could monitor but I do not think
of that as an issue for my use cases.

------
sxates
So we can't absolutely trust a VPN provider - but do we have more trust in
Comcast/AT&T/Verizon/etc?

------
kemonocode
Sometimes, a glorified proxy is just the thing you need. You have to weigh
the risk of having some random schmuck knowing where you've been and _maybe_
getting subpoenaed against your Wifi hotspot provider, your ISP and your
government easily knowing where you've been.

------
nrjames
I use a VPN for one reason only: to watch Olympics coverage that is good. I'm
not ashamed of that.

------
bb88
There is a good question about whether or not a national security letter holds
any weight with a VPN, especially an endpoint outside the United States.

I believe if supplied an NSL, I would expect the VPN provider to grant the
request. But that would be only for those operating in the US.

------
raides
I've made this argument several times. I'm a psybouncer sort of guy. #shellz

It is super easy to get a 2 dollar a month shell account and run psybouncer
with a list of hosts you can hide behind. At least then I can double proxy
cheaper.

------
j0hnml
If anything, a better title would be “Use VPN services for security, not
privacy”. I don’t know about others, but whenever I’m using a VPN, I pretty
much only have security in mind for when I’m using public WiFi’s.

------
tribby
Awful advice. Use a threat model, which may or may not include commercial VPN
services.

I can think of many situations in which I'd prefer a commercial VPN provider
to a private one, or even to running meek on a Tor bridge. There are also many
situations in which someone else keeping logs is extremely useful :)

------
m3mnoch
Personally, I always side with greed/effort on this one.

"wait -- we don't have to pay to keep/store/rotate/maintain logfiles? and
that's a value proposition? yes! pipe them badboys to dev null!"

------
jachee
Can we get a '(2015)' appended to this article title, please?

------
werid
I only use a VPN when I need to get around geo-restrictions.

------
vectorEQ
Just don't use the internet, it's all untrusted networks. Every option you take is
shitty. Enjoy our glorious internet!

------
husamia
Facepalm, you're doing it wrong

------
agumonkey
So encrypted DNS and HTTPS?

------
nukeop
We've seen this little bit of FUD several times in the past and it's as
inaccurate as it has always been. VPNs cover some scenarios but the author
makes unreasonable, extreme demands and wants them to provide security no
entity lower than major government-level can provide. A VPN is just one of
many steps in hardening your machine and connection, it's not a silver bullet.
A setup that's truly hardened against internet surveillance directed towards
the average user _should_ also include a VPN as one of its components, that
much is sure. A VPN will not protect you against Mossad, because as Mickens
said, if Mossad is after you, you are going to die and there's nothing you can
do to stop it. But a VPN will provide a very effective layer protecting you
against location and IP based tracking and fingerprinting.

------
aviv
My guess is US authorities already own, operate, or have otherwise infiltrated
some of the major VPN providers out there.

------
terrywang
The title is very misleading. One should always use a VPN to encrypt traffic
when connecting to an untrusted network (wired or wireless).

Just use your DIY VPN (IPsec - strongSwan is a very good option, or OpenVPN),
don't use any free or untrusted VPN services.

