It’s just using a different middleman. One middleman might be better than another, but if you have a good ISP already, there’s no privacy/security benefits to be had by using a VPN when surfing from home.
It might be worth getting a VPN if you use sketchy WiFi often, or want to bypass geo-blocking or restrictive firewalls. But remember that you’re trusting the VPN provider with all your traffic. DNS is still not encrypted in most browsers, so this traffic is still a goldmine of marketable info. Sure, they can’t see what you post on snapstagram.com or what pages you visit on news.ycombinator.com, but they can infer a lot about your browsing habits from DNS queries.
I'm making a genuine effort to keep all my entertainment above board by being a paying customer to Netflix, Amazon, Spotify, Google Play, YouTube Premium, Steam and a few others, but I have to say that my patience is wearing very thin with TV/movie studios and their idiotic licensing shenanigans.
Many countries have "Media Laws" that define when movies can be broadcasted on streaming services.
They don't, and they are tied into long term exclusivity contracts in many territories.
It's pretty well established that in the UK for example they can't launch the service until the exclusive first pay window distribution deal they have with Sky on all the Marvel titles expires, and that's pretty obviously on the 31st March 2020.
They couldn't launch the service with just that - Apple are struggling a lot and basically giving away their service and they still have more than that.
Of course the USA tries to prevent this with all its might.
Practically speaking, yes, people will pirate it if it's not easily available otherwise. But that doesn't make it morally right.
Pirating something that you can't even legally purchase is about as close to a victimless crime as it gets. If anyone actually feels guilty about this they can donate the value to the Against Malaria Foundation and have done the world a net good.
Honestly, I find the IP mentality of large companies like Disney, who hoard IP like a dragon hoards a lair of gold, immoral. I'd be in favour of 'use it or lose it'.
I dunno. I’d say pirating something the owner isn’t willing to provide you at any price is at least as victimful (and a greater offense against the victim) than doing so for something that they are willing to sell you, but at an unacceptable price.
Though as I write this I consider the implications if it was educational and only available to a nation or race and not having it would put one at a disadvantage, à la scientific papers...
In the digital age, there is a perfectly reasonable case to be made for some kind of "unavailability exception" to protect the rights of readers in poorly-served markets and prevent anti-competitive hoarding of copyrighted works.
They're arguing "it's a victimless crime" (which is also true)
These are related things, but they aren't contradictory
Trademarks don’t have set expiration dates, yet 1/4 of Disney’s toys are for someone else’s original IP. Snow White, Peter Pan, etc and nobody seems to have a problem with this. In fact the oldest US trademark in use falls under the same heading with a Biblical figure Samson wrestling a lion.
And in fact Trademarks do go away without Defence. Which means they can be abandoned at which point it’s fine to use em.
I never understand this false dichotomy - especially in a forum which is named ... let me check ... "hacker news".
Just set up your own.
It costs almost nothing to run an EC2 instance in the region of your choice (or at some other provider like GCS or whatever). There are keystroke-by-keystroke instructions everywhere on setting this up.
Extra points for adding the extremely trivial and also very low cost steps of signing up under a corporate name and removing your personal identity from the account altogether.
Some more extra points for multiplying the almost-zero-cost by 3 or 4 or 5 and spinning up extra copies of your endpoint in multiple regions (or even providers) and manually (or automatically) switching between them.
You don't need to trust anyone - adjust your threat model all the way up to "near nation state" (in the case of Amazon or GCS) and assume these actors could already discern all of your Internet traffic even if you weren't doing business with them.
Those are also botnet slaves.
This entire thread is about using a VPN to watch Disney+ outside of geo restrictions. Many many people use VPNs for this purpose and no other. You can't trivially do this on your own at all. You're making it seem simple; getting a VPS with an IP that won't automatically be banned by all sorts of services looking to protect themselves against botnets and the exact sort of geofence hopping that people want to do is extremely difficult.
Sure, the instance doesn’t cost much, but bandwidth does in the case of AWS and GCS. Streaming 4K video chews through bandwidth.
I might be wrong about EC2 pricing, but at least for me, ~$11 per region is not "almost-zero-cost". Unless we're talking about on demand instances.
I wonder if there is a community run VPN service to utilize instances more efficiently.
Throwing GDPR and `ftw' in the same sentence. Hmm. No GDPR does not work that way hah. At least not in the global context.
GDPR only applies to you _if_ you happen to be a European Union citizen.
There's nothing in GDPR that has anything to do with EU citizenship.
1. GDPR applies to the processing of personal data if the controller or processor is "in the Union", regardless of where the person whose personal data is being processed resides, and regardless of where the processing takes place.
2. It applies to any data subject that is "in the Union".
All the places in it that you might have expected it to say "Union citizen" instead say "in the Union".
I'd like to pursue this, but have just little enough experience with ec2 to not be composing effective search terms.
It’s an Ansible playbook for easily setting up a VPN with good security defaults. It’s so easy and really the only knowledge you need to know is how to get api keys for the provider of choice.
Their tutorials will hold your hand all the way to the end.
Waiting for https://github.com/StreisandEffect/streisand/pull/1668 to be fixed though.
Obviously this only applies if you don't plan on destroying/recreating your Streisand server after the newer PR gets merged (EDIT--just got merged). But just in case, the steps are pretty easy (it's in the PR here too: https://github.com/StreisandEffect/streisand/pull/1688):
[root@streisand]# cat > /etc/letsencrypt/renewal-hooks/deploy/01-reload-nginx.sh << EOF
#!/bin/sh
# Reload nginx so it serves the renewed certificate
systemctl reload nginx
EOF
[root@streisand]# chmod u+x /etc/letsencrypt/renewal-hooks/deploy/01-reload-nginx.sh
Unless you're paying Amazon in bitcoin you're not removing your personal identity from the account.
joepie91 maintains a list, but it looks like it's a couple of years out of date: http://cryto.net/~joepie91/bitcoinvps.html
You also won't have any anonymity since your billing details and instances are all logged permanently. It's not really a viable alternative.
For a Linux user, you can already build such a system yourself quite trivially by getting an FTP account, mounting it locally with curlftpfs, and then using SVN or CVS on the mounted filesystem. From Windows or Mac, this FTP account could be accessed through built-in software.
(This said, obviously no agency is going to come after you for the occasional lootin’ of moving pictures, and if you are doing anything more serious, then you should have your own VPN infrastructure.)
So if they did not know you were an American through your identifiers, they could intercept foreign traffic. However, once they identified you they would need to stop unless the above exceptions were met. IN THEORY. Exceptions have occurred, the most egregious that I can think of is that the FBI has NO ACCOUNTING WHATSOEVER of how many agents accessed the 702 database:
Their in-Canada peering is so terrible, it's common for local Toronto traffic to have round-trip through Chicago or NYC.
Woah. Hold your bong son! ;)
Any reference to documentation or any information of what you mean by `sold' on the open market?
If you wanted to prove a point by saying that internet is an insecure medium then yes I agree but `tapped' and `sold' is a whole different ball game that I am not aware of. At least in the internet I know of.
Plus, whatever VPN provider you're using. Unsurprisingly, most seem to be based in countries with very lax telecommunication laws and that make it very easy to start shell companies.
The Lithuanian government has no interest in me, and even if they did, they have no jurisdiction here. One should always be more interested in privacy from the government that has authority to no-knock raid your home than the one that does not.
You may enjoy Tom Scott's video:
> I tried to write a more honest VPN commercial. The sponsor wasn't happy about it. • Get ■■■ days of ■■■ VPN free at ■■■■.com/honest
That's a big IF. Not all of us share the luxury of being able to get internet service from companies like Sonic.net.
May I suggest hosting your own VPN using Streisand (https://github.com/StreisandEffect/streisand)? It's an absolutely fantastic VPN that runs on just about any cloud system out of the box (or your own hardware of course).
Right now I use Linode for hosting ($5/month) but there are lots and lots of other ways to set it up.
Importantly, setup is easy for all kinds of clients, including mobile devices.
So yes, I do think there is quite a difference, although you should still be critical of your VPN provider.
Last time I checked Tor's technical paper (probably been 10 or so years), it stated the fact that a relay? node in between can only decrypt the information required to route to next hop and not the actual packet's payload. Is that correct or am I dreaming?
Also, I recall that if someone malicious flooded the tor network with malicious exit nodes, then all traffic details can be `inferred' right? i.e., the assumption was that exit nodes need to route the packet to destination thus it needed to look at every packet but couldn't infer the originating IP address (based on my dated knowledge :))
If a malicious person now floods the tor network with bazillion exit + relay nodes - then essentially all contents (payload + IP src/dst) can be aggregated. Is this still a problem in the tor network?
Effort and RFCs are underway to establish what would become part of TLS protocol stack. One of which is eSNI (encrypted SNI).
Not that advertising mobile games or g-fuel is great, but you’re at least not pushing (dangerously) false claims on people and imperiling their privacy and security.
This is just not true. You cannot sign up for an ISP without disclosing at least your name and address. Many VPNs support complete anonymity.
It's a different middle man that--if you choose the right one--will absolutely know less about you.
If your traffic is interesting enough, the money trail will eventually lead back to you.
I think it was part of his Qubes OS talk: https://youtu.be/f4U8YbXKwog
The central concern is how they get their 32M "residential proxies". I spent a few minutes trying to get an answer and could not find one. The article straight up assumes it's coming from malware, which certainly seems possible. I could also imagine them buying legitimate access from ISPs but given the various legal and technical issues involved it seems less likely.
Is there anything directly connecting Oxylabs to malware? Again I looked for a few minutes and didn't find anything clear. I did find a couple of troubling posts on Reddit from Android Devs saying Oxylabs approached them offering to "monetize your users with our SDK", which sounds like the slippery slope to malware. Or at least bundleware without meaningful consent.
BTW, Oxynet has a list of the ASNs they have proxies on: https://intro.oxylabs.io/hc/en-us/articles/360003444780-Supp...
"... Upon information and belief, the above OxyLabs embedded code has been integrated in at least the following software applications that may be downloaded by any user located anywhere having Internet access: AppAspect Technologies’ “EMI Calculator” and “Automatic Call Recorder”; Birrastorming Ideas, S.L’s “IPTV Manager for VL;” CC Soft’s “Followers Tool for Instagram;” Glidesoft Technologies’ “Route Finder;” ImaTechInnovations’ “3D Wallpaper Parallax 2018;” and Softmate a/k/a Toolbarstudio Inc.’s “AppGeyser” and “Toolbarstudio.”"
I mean, isn’t the existence of Oxylabs a boon for everyone’s privacy—in the sense of making everyone’s actions deniable/repudiable? Oxylabs introduces reasonable doubt for every possible allegation of cybercrime! “It wasn’t me; it was this botnet malware routing through my computer without my knowledge!” It’s like having a Tor exit node on your computer, without the associated mens rea that would come from the explicit choice to install one!
There have been cases of this happening to ToR exit nodes and that was ones the operators could point to...
THAT is the reason why a rational actor won't use such a service.
Mind you, that's just sensible evidence-gathering. If law enforcement thinks that the homeowner did in fact act illegally and is using the VPN for deniability, then there would be ample cause to search attached or potentially-attached devices for direct evidence of illegal behaviour. If some is found, that's compelling circumstantial evidence that other identified VPN activity was also instigated by the connection-owner.
In such a case, if the person is then charged with cybercrime, a cybercrime expert hired by the defence could do discovery on the confiscated computer, find the Oxylabs proxy installed on it (which the defendant was unaware of), and then present the fact of that installation on the witness stand as an alternative explanation for any evidence of wrongdoing that the prosecution presents, creating reasonable doubt.
So again, a reasonable actor would not want that and thus would avoid questionable services like Oxylabs
Right, but, I'm not talking about a situation where you have any say in the matter, but rather where computers are just being infected by this malware no matter what. Posit a variant of this malware that acts as a worm, rather than as a Trojan horse.
Certainly, you'd not want to allow it to be installed on your own personal computer (as, for one thing, it's snooping on you!); but it'd be very good for your presumption of innocence if everyone else had it on their computers—because, if enough people have it on their computers, then it becomes so likely that any random person has it on their computer that prosecution based on only SIGINT-ish evidence would never go forward in the first place, and therefore police forces would stop bothering to even pursue such avenues of investigation.
By analogy: the existence of Photoshop protects you from a variety of criminal accusations. You might not want anyone to photoshop you into a picture of e.g. a KKK rally, but the fact that anyone easily could create such an image out of whole cloth, means that such images don't prove anything. There's a higher evidentiary bar for suspicion of guilt of such crimes in a world where Photoshop exists, than in a world where it doesn't.
And, in a world where the average person couldn't get away from random people hijacking their Internet connection without their consent, there'd be a higher evidentiary bar for suspicion of guilt of cybercrime. Which would be nice.
"Innocent until proven guilty" applies to criminal guilt, i.e., to a person accused of a crime. When it comes to property, however, any evidence, or the suspected instruments used or fruits resulting from a crime can be seized solely upon the issuance of a valid warrant, and held almost indefinitely.
$ sudo nmap 188.8.131.52
Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-29 19:21 EST
Nmap scan report for static-76-77-25-75.networklubbock.net (184.108.40.206)
Host is up (0.097s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp filtered ssh
23/tcp filtered telnet
25/tcp filtered smtp
53/tcp filtered domain
80/tcp open http
443/tcp open https
5060/tcp open sip
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 331.02 seconds
Maybe I'm missing something here. Of course it could still be malware, but that's far from the first conclusion I'd jump to. This article is just speculation to me and the methodology seems ... bad
edit: sorry if the markdown is broken. Noob here. ;)
I know FluidStack which is a similar service uses UPnP to open ports that it requires. FluidStack is a service you earn money through by willingly selling your internet bandwidth though, not like Oxylabs but same idea.
I didn't know about FluidStack. Looks interesting. If you have numbers on how many people actually use such a service I would be really interested to know :)
With that there would be no reason to have any hidden malware practice or similar, it _could_ even be in the terms of service of some of their products...
I mean it's true that there is a lot of bs going on but before claiming them for having hidden malware you should make sure they do, instead of just saying "that's the only way it's possible" even if it isn't the only way.
But even if they're rerouting traffic through their users, and if they wrote that in the terms of service, I doubt any of their users know they signed up for this.
Which is not illegal, but still kind of sketchy.
If it's hidden in their terms of service, but not explicitly written on the content the user actually reads while subscribing, I consider this very unethical.
Unless they make that clear, it's not a great look.
While some of those leaps of logic are plausible, it’s a lot of guessing.
Edit: Another comment pointed out that maybe only the front domain is geoblocked, but not the video CDN domains. That would make sense. Now that I think about it, youtube-dl also has a --geo-verification-proxy option that works in the same way.
There's so many providers doing something similar, it really isn't an Oxylabs / NordVPN exclusive issue.
Based on my understanding it's people having free apps they want to monetize. They then implement a proxy company's SDK which enables this traffic sharing and get paid by them.
Something that keeps bothering me about the title and content is that the VPN isn't blocking or unblocking Disney+. It's Disney+ that's doing the blocking. It's blocking the VPN's IP addresses.
If I block you from entering the building but you find a secret entrance through the air vents, you didn't unblock me, you evaded my block.
Their title and usage of blocking should be something more like: "How is NordVPN evading Disney+'s VPN-blocking?"
Great article though. This kind of stuff really needs to be more well known.
That it's possible to unknowingly be part of a botnet is a major flaw in the internet and ISP billing model. I think the only solution that has a shot is for unexpected bandwidth to lead to an unexpectedly high bill.
Between this and PIA's shady stuff I'm just gonna have to host my own. The commercial VPN scene is a cesspool.
But yeah, if you’re doing something illegal, obviously don’t use a home VPN, duh.
The last self-rolled VPN couldn't get past netflix or prime. Despite checking for DNS leaks etc. Either IP range was blocked or some sort of TTL mechanism
I have Comcast and my upload on a good day is 500KB/s and that cripples everything else on the network.
These will be servers running in a data centre that have been assigned an IP address that used to be owned by comcast and is still marked as residential. And the VPN provider will have paid a premium for it.
For disney, it'll be whack a mole with these ranges, and I'm sure the VPN are doing clever things to make the ranges look innocent.
It was 3G in the area, they ran fiber last year and now their DSL can get up to a whole 10Mbps if they decide to pay $100/mo. There is no good solution yet.
I've been seeing a ton of these guys' advertising lately. If it turns out they're also reselling your bandwidth?
Still, I'd like to see someone take a peek at their local client traffic for any suspicious activity before coming to any conclusion.
Edit: I guess allegedly the 'botnet' aspect is provided not by other NordVPN users but by malware provided by companies associated with NordVPN.
Monetizing your free app through selling traffic is nothing new and there's a bunch of companies doing just that. You drop their SDK into your mobile app, they give you money and in return they get their very own "botnet".
Only if you deliberately misread the post, which is clearly saying that NordVPN doesn't use its users' devices to route traffic, unlike HolaVPN. It doesn't say they don't use Tesonet services to route traffic. They're denying being a supplier to Tesonet, they're not denying being on the demand side.
It’s likely that those headers don’t all get added all the time, for all the Akamai traffic, but instead are added selectively for key parts of the mapping process.
(Disclosure: I worked for Akamai Way Back When, but left the company many years ago.)
I've been a PIA customer, and am canceling to switch to Mullvad, but PIA selling out seems not to prove they weren't right before.
They had a browser extension, maybe somebody can get a copy and see what's in common with other extensions?
It returns different IPs for every request, and these IPs do look like residential ones.
That's the really bizarre thing... I came here to ask about it after getting confused when the article implied this (30 tests, 30 different residential IPs). It seems like this shouldn't work at all if connections to the Disney plus site involve any kind of state.
Is this a content-unblocking exception, and normally everything is routed through the same NordVPN edge server? Assuming that's the case, this seems like a great way to get your account banned at Disney plus the moment they decide to crack down on this. Assuming you have a session ID cookie with the site, no legitimate user is going to be sending that cookie from a different IP address on every page load. This should be very easy for them to catch.
I wonder if this is the client doing something? I've never installed the NordVPN client, I only use their OpenVPN config files.
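The check the comment above describes (one session cookie arriving from a different IP address on every page load), sketched from the service's side as an added example that is not part of the thread. The log layout, session IDs, addresses, window and threshold are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed log layout (constructed):
#   <epoch-seconds> <client-ip> <session-id> <path>
# sessA hops IPs on every request, sessB stays put, sessC changes IP once
# two hours later (the kind of change a legitimate mobile user produces).
SAMPLE_LOG='1575073200 198.51.100.7 sessA /home
1575073210 203.0.113.25 sessA /browse
1575073220 192.0.2.44 sessA /title/1
1575073230 198.51.100.90 sessA /title/2
1575073200 192.0.2.10 sessB /home
1575073215 192.0.2.10 sessB /browse
1575073240 192.0.2.10 sessB /title/1
1575073200 203.0.113.5 sessC /home
1575080400 198.51.100.61 sessC /browse'

# Print "<session-id> <peak>" for every session that used at least $2
# distinct client IPs inside any $1-second span. The log is read from stdin.
flag_ip_hopping_sessions() {
    sort -n | awk -v win="$1" -v min="$2" '
    {
        t = $1; ip = $2; s = $3
        n[s]++; ts[s, n[s]] = t; addr[s, n[s]] = ip
        # Walk back through this session, counting distinct IPs in the window.
        split("", uniq); c = 0
        for (i = n[s]; i >= 1 && t - ts[s, i] <= win; i--)
            if (!(addr[s, i] in uniq)) { uniq[addr[s, i]] = 1; c++ }
        if (c > peak[s]) peak[s] = c
    }
    END { for (s in peak) if (peak[s] >= min) print s, peak[s] }' | sort
}

# 5-minute window, 3 or more distinct IPs: only sessA is reported.
printf '%s\n' "$SAMPLE_LOG" | flag_ip_hopping_sessions 300 3
```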
Hard to imagine that so many ISPs are agreeing to help NordVPN bypass geo-blocking. Pretty certain that there’s some kind of shenanigans going on.
Seemed way too iffy to me.
Is this guy saying that these thousands of servers are not in some data center somewhere, but actually residential malware? I'm doing some tracepath'ing (not a network guy...) and I don't see what this guy is claiming. I'm calling bs.
But hey, I'm testing that now.
Edit: Using IVPN's Germany exit ...
$ curl -LIX GET https://www.disneyplus.com -H 'Pragma: akamai-x-get-client-ip'
X-Akamai-Pragma-Client-IP: 220.127.116.11, 18.104.22.168
$ w3m -dump https://ipchicken.com
But in any case, it'd be cool if people could determine whether their devices are being used as NordVPN exits.
I've run about 300 tests so far, on a few of NordVPN's US servers. And I've hacked a simple test script, using hashed "X-Akamai-Pragma-Client-IP" values.
Just save the code block at the top as "test.sh" or whatever. Then do "chmod u+x", and execute. It'll prompt "IPv4 to search for?". Type an IPv4, and hit "Enter".
This is howling in the void, I know. But so it goes.
I'm in the process of doing this for all 1537 of NordVPN's US servers.
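A sketch of the two checks discussed in these comments, as an added example that is not the commenter's test.sh: it pulls the addresses out of a saved X-Akamai-Pragma-Client-IP header, compares them with the exit IP a what-is-my-IP page reported, and looks an IPv4 up in a list of SHA-256 hashes. The function names, the hash-list layout (one hex digest per line) and the sample addresses are assumptions, and the IP is passed as an argument rather than prompted for.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed header dump in the shape
# `curl -LI ... -H 'Pragma: akamai-x-get-client-ip'` returns.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Content-Type: text/html
X-Akamai-Pragma-Client-IP: 198.51.100.7, 203.0.113.25'

# Print each address from X-Akamai-Pragma-Client-IP headers, one per line.
akamai_client_ips() {
    tr -d '\r' | awk -F': *' 'tolower($1) == "x-akamai-pragma-client-ip" {
        n = split($2, ips, /, */)
        for (i = 1; i <= n; i++) print ips[i]
    }'
}

# $1 = exit IP seen by a what-is-my-IP page; stdin = header dump.
# Prints "same", "different" or "no-header". Assumption: any reported
# address other than the expected exit counts as a mismatch to look into.
compare_exit() {
    seen=$(akamai_client_ips | sort -u)
    [ -n "$seen" ] || { echo "no-header"; return 0; }
    for ip in $seen; do
        [ "$ip" = "$1" ] || { echo "different"; return 0; }
    done
    echo "same"
}

# Succeed only for four dot-separated decimal fields in 0..255.
is_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# SHA-256 hex digest of one address. Unsalted hashes of IPv4 addresses only
# obscure a list: the whole 2^32 space can be enumerated, so treat a
# published hash list as equivalent to the plain addresses.
hash_ip() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha256sum
    else
        printf '%s' "$1" | shasum -a 256
    fi | cut -d' ' -f1
}

# stdin = addresses, one per line; stdout = one digest per line.
build_hashlist() { while read -r ip; do hash_ip "$ip"; done; }

# Return 0 if IP $1 is in hash list file $2, 1 if not, 2 if $1 is not IPv4.
ip_in_hashlist() {
    is_ipv4 "$1" || return 2
    grep -qxF "$(hash_ip "$1")" "$2"
}

# Demo on the constructed sample.
list=$(mktemp)
printf '%s\n' "$SAMPLE_HEADERS" | akamai_client_ips | build_hashlist > "$list"
printf '%s\n' "$SAMPLE_HEADERS" | compare_exit 203.0.113.25
ip_in_hashlist 198.51.100.7 "$list" && echo "198.51.100.7 is listed"
rm -f "$list"
```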
And if the NordVPN client, what OS?
EDIT: package from https://repo.nordvpn.com/deb/nordvpn/debian/pool/main/
So far, using the stock openvpn package in Debian, it doesn't look like the Disney+ circumvention is happening for NordVPN's US servers.
I'm guessing that the NordVPN client must do it.
And if that's the case, it may merely route traffic directly through the residential proxy, and not first through a NordVPN server. Which wouldn't be good, because someone investigating the residential proxy would see the user's IP address, rather than the exit IP address of the VPN server.
I used the default settings. In particular, I didn't enable "obfuscate", which I gather uses two hops.
I'm using a crude infinite while script.
And so far, I haven't come across any servers with unexpected "akamai-x-get-client-ip" for Disney.
But then, there are well over 1000 US server IPs.
So did you enable "obfuscate"? Or "CyberSec"? Or other options?
It would also help if you could share which servers showed unexpected "akamai-x-get-client-ip" for Disney.
I was testing "www.disney.com", not "www.disneyplus.com".
Now I always see residential proxies for US servers. Or SSL certificate failures, occasionally.
Edit: That's using either the Windows GUI client, or the Linux terminal client in Debian. Not using "Obfuscate", "CyberSec", or other non-default options. But residential proxies aren't used for "www.disney.com" or "paypal.com".
Also, with the stock openvpn in Debian, I don't see residential proxies being used for "www.disneyplus.com".
It's one thing to use a VPN, another to use some unaware person's computer for your mischief (think about someone doing illegal stuff using this method).
Knowing how the law works in some places, and how ill-informed some law people are, I can totally see an innocent man getting locked up for illegal stuff, like hacking or other stuff that I dare not say.
But between uses like setting up a personal VPN with a clean IP or just the cool idea of having a personal IPv4 address or IPv6 block... I think it would be a viable, if rather small and niche, business.
There are effectively no more clean IPv4 addresses, you'd have to buy addresses that had previously been used.
Anyone can get IPv6 addresses even those whose ISP sucks via tunnelbroker.net (aka Hurricane Electric) which will provide a single address, also a /64 and/or a /48. Of course they are generally blocked by streaming services since they are a form of VPN and thus the endpoint might be anywhere.
What are the terms of assignment via Hurricane Electric? Can they take it away? Do they only allow BGP advertisement to their sites or can I still bring the IP elsewhere?
I still think there is an opportunity for niche needs here.
An HE IPv6 tunnel is as permanent as you like, but they reserve the right to phase out the terminal you are using which sometimes means your prefix would change, and they expire unused tunnels periodically. IPv6 has builtin handling of prefix changes though it does not deal with related DNS updates, which you'd have to arrange.
An HE IPv6 assignment is from their allocation so you'd call that PA not PI, i.e., you can't take them elsewhere. To get addresses of your own you would need to apply to an LIR or RIR for an allocation -- generally easy to get a /48 without any/much documentation with a /40 generally requiring documentation but that's not free (250/yr for an ARIN allocation).
Hiding bots and other users among the huge Comcast & Spectrum IP blocks makes it harder for media companies to block them. It’s just how do you legitimately buy a bunch of consumer connections, or get users to install software to share their consumer connection, hence the NordVPN clients I assume.
Granted, abuse can occur. But assume US-based with basic KYC or something so that most IPs might genuinely be nerds like me using it as their IP.
So do any y'all perchance know his address? If so, please email me at the address in my profile.
This is how it could be done:
Rent Oxylabs Residential IPs (600$ minimum commitment, according to ).
Check out IPs, stop using them, hope they get rotated to NordVPN, where you'd have to monitor the IPs used.
At Oxylabs pricing the only possible conclusion if a match was found would be that the services are intertwined.
If geoblocking isn't a concern, you could use Cloudflare's Warp, which is free. Not sure abt no-logs policy.
You could consider using Orbot, too, a Tor-as-a-proxy service for Android, if annoying captchas and broken P2P apps are acceptable.
I think maybe you just need the right guide, or even something like the ansible playbook someone mentioned in a different comment that can just automate the process for you
The theoretical model here is using people’s fast, stable (-ish) broadband connections to relay the connection. Even then, it’s only for the initial setup steps; once you get to the actual streaming data, nobody in this model wants to ferry those packets around.
Also, bear in mind that blocking people from using it is not in Disney+'s interest. They do it just so they can prove in court they are following the copyright agreements they have. But if someone "hacks" the system, they are not incentivised to put in resources to fix the hacks so they can have fewer paying customers.
"Guess"? Do they route packets differently depending on the destination, i.e. if you go to one of the whatsmyip websites you'll see a nordvpn-owned IP but to a Disney server they use someone's home connection? Is that what the author says is happening here? I don't know if this is common but, while technically possible, it seems a little weird. I assume the author could just have checked what IP they were exiting from.
Edit: someone else verified it, yes indeed they use residential IP addresses: https://news.ycombinator.com/item?id=21665084
I mean, why stop at using whatever app installs as exits?
Why not route a VPN service through an actual botnet?
if so, would it only be while the apps are in the foreground or can they do it in the background?
I had on my backlog to do something similar, I guess I do not have to. NordVPN is just a front for Tesonet to gather data and sell your bandwidth for bots, scrapers etc. through OxyLabs and other companies.