Do Not, I Repeat, Do Not Download Onavo, Facebook’s Vampiric VPN Service (gizmodo.com)
111 points by ourmandave 11 months ago | 40 comments

What’s most alarming are the AppStore reviews [0] - a majority of the authors appear to have downloaded the app after clicking a banner ad which claimed their iPhone had viruses.

For example: “I just downloaded it today because of four viruses so I hope it helps get rid of them” - burnt tacos

[0] https://itunes.apple.com/us/app/onavo-protect-vpn-security/i...

How can any self-respecting programmer at FB work on a project like this? At least most of the IE6 toolbar spyware had some useful purpose for the end-user... smileys, pagerank, search bar etc...

This on the other hand is straight up deception in my mind. Hot air. Prove me wrong? What benefit does anyone get from installing this?

We need something like a Hippocratic Oath for IT professionals.

We might need it but it's of course impossible given how easy it is even for a child to get started in professional IT.

Have a software equivalent of the AMA, have licenses to practice, and that’s solved.

Not even close. There is Tor, there is Bitcoin. Also, do you realise how much this would ruin IT?

It would ruin the “Wild West” and it’s about god damned time.

It would do nothing about the "wild west", it'd just make it even worse. And no, there is zero reason why such a regulation would be justified.

Make it worse how exactly..? Big public companies will be chastised if they don't hire certified practitioners. With the huge amount of sensitive data we process as developers, it's only logical that we are going to need licensing in developed countries sooner than later.

Imagine if anyone would be able to practise as a lawyer, financial advisor or even a doctor without accreditation. It'd be a huge controversy.

How would regulation and self-policing make things worse? And really zero reason? That sounds like an ideological rather than a rational position to me.

> How would regulation and self-policing make things worse?

Imposing whimsical and arbitrary barriers to entry that have zero to do with technical ability solves nothing, and it's absolutely ridiculous how you present that as a solution to the problem of someone having developed highly technical software that you happen to not like.

Unfortunately, ethics is not a course taught in most college majors, and is virtually non-existent in public schools.

Is it not? Every major at my STEM uni was required to take an ethics course. Sometimes multiple, depending on the field.

I graduated relatively recently, and only had to take one- it turned out to be a semester long "piracy is bad" course.

Ethics courses don't make anyone more or less ethical. If lectures were any effective in shaping anyone's moral compass, church services wouldn't happen so often.

> How can any self-respecting programmer at FB work on a project like this?

You mean like the hundreds who work on Deep packet inspection technology?

Catch child predators and terrorism seems like a probable rationalisation.

For money. Most people do a job to make money so they can take care of their family etc. Facebook tends to pay pretty well.

Well then will FB work? Which part of FB is respected?

Google does it too. It kicks in when you are on public wifi if you opt in. It's a vpn app at the end of the day that's optional. I don't see much reason for all the outcry. Assuming a majority of the web moves to https soon (going by the chrome roadmap), you are only giving second order data like dns to the vpn or isp. And I don't see much reason to trust isps more than Google/FB.

Apart from tunnelling all traffic, has anyone checked to see how malicious the Onavo installer is? The pessimist in me expects SSL root certs and even keylogg-e-r-s - apologies, dictionary personalisation profiles.

Why do you suspect the Onavo installer to be malicious?

That (distrust in general) but also the fact it seems to be sold as a "Protection" service - which, if you look at a decent number of "secure browsers" tends to involve protecting you from encrypted sites.

This all depends whether you trust your ISP more than Facebook or not.

I pay my ISP a lot of money each month. They don’t need my data to be profitable. Facebook, on the other hand, has a business model completely dependent on selling advertising based on my data to 3rd parties.

Off the top of my head, AT&T and Verizon have done various forms of customer tracking for advertisers. They both used supercookies at some point, which were injected into customer egress, and ATT used to inspect web traffic in order to target ads (opt-out with a monthly fee, of course).

Certainly, if ISPs can access your data, they would like to. It's basically free money. But it's not a life-or-death situation for them, and thus my (somewhat uneducated) guess is that there is less management focus on things like deep packet inspection and consumer targeting. They can also just jack up prices or sell more subscriptions. At Facebook, on the other hand, selling ads is priority number 0. It's the only way to make money. So I'd worry more about Facebook seeing my traffic.

However that happened in America, land of the greed. If you're from other countries, I think the point still stands.

Exactly. It's terrifying how many people still don't get it, no matter how many times it is repeated - you are not a customer, you are a product!

But what kind of security does it provide? Website blocker?

A VPN provides a secure tunnel, so it prevents your data from being sniffed on the insecure WiFi in your local coffee shop, and up every hop to the terminating server. So you can prevent an ISP and friendly neighborhood hacker from seeing your requests. However, the terminating server can see EVERYTHING.

So if you want a VPN, use https://github.com/trailofbits/algo or https://github.com/StreisandEffect/streisand.

Algo is my favorite, but both are pretty effective in my opinion.

Exactly the low quality crap you would expect from gizmodo. Who would you rather trust? Random VPN app or Facebook? The choice is obvious to me.

Well in this case "random VPN app" and "facebook" are the same thing. So you automatically lose if you choose either!

No they aren't? Random VPN app is like one of these[0], and Facebook is a $100 billion social media giant, trusted by billions of people.

[0] https://goo.gl/kDPjxf

But at least with those Random VPN apps there is some chance that they are not actually stealing your data. With Facebook there is not.

And if billions of people trust Facebook, that's just a sad commentary on the amount of critical thinking in the world.

Creating an app and calling it "protection" when it is in fact spying on you to give FB a glimpse of how you use the internet, this is something you are defending?

And also, did you just call the gizmodo article "fake news"? Is this [0] then also fake news to you? Seems to me you are getting your true news fix from a news feed somewhere.

[0] https://www.wsj.com/articles/facebooks-onavo-gives-social-me...

Facebook bought Onavo. Facebook owns Onavo. They are not a random VPN app. They are a Facebook property.

They are touting the VPN as being protection, when in actuality they are using it to gather data on the users that use the VPN.

I do not understand your comments in light of these facts. If one trusts Facebook, then using Onavo isn't a concern for them, but they should be aware just because it's a VPN it doesn't imply any kind of privacy or protection, and should be aware that Facebook's marketing/use of Onavo is shady.

If one already does not trust Facebook, then it should be clear to stay away from Onavo, whether found randomly, through an app store, or advertised by Facebook.

> Facebook is a $100 billion social media giant, trusted by billions of people.

I think you are confused. "Used" and "trusted" mean very different things, and you seem to be using the latter where only the former is justifiable.

You would think that, except Facebook is literally spying on you when you are trying to be anonymous. So it's acting as maliciously as you can save actually loading malware. There are plenty of VPNs such as Private Internet Access (which I use) which are great alternatives. It's not hard to find them.
