My point is that if the leak is a grand total of "1kb of user logs", it may not be the sort of log you're assuming. If the leak is a 1 kb list of valid usernames and password hashes, how does that prove they were violating their "no log" policy? It just proves they were doing access control, which we knew anyway.
It's the data breach equivalent of the cryptography rule that a break never gets better and usually gets worse. A canary in a coal mine, basically - if 1kb has been leaked you can safely assume a lot more has, since that's not an amount that any attacker would bother with under normal circumstances. If they do care, it's because they expended a penetration on targeting a few individuals or one at most, and we almost certainly wouldn't see the results.
If I saw a dump of 10 email addresses from Hacker News it would be imprudent to assume that somehow an attacker had made it in as an admin and yet only accessed those. It would be outright foolish to assume that if there were 10 addresses the damage is inherently less than 10.
> If you wanted to see what the most paranoid, security-conscious people are connecting to, and you wanted to install software on their systems that is designed to read all their network traffic and then redirect it through a single choke point, then setting up a VPN service with a huge advertising budget would be a great way to do it.
Lots of use cases aren't covered by a self-hosted VPN. Public VPN servers allow you to blend in with other traffic coming from a shared IP, giving you plausible deniability for things like piracy.
- Scraping, when my scraper gets blocked from the real estate site, wallpaper site, etc, I click next IP, change my UA and I'm ready to go for another round. You can play cat and mouse all day without worrying about all your IPs getting banned.
- Avoiding DDoS attacks, if you're doing something that makes you likely to become the victim of a DDoS attack, like say, joining a script kiddie's botnet IRC server, not giving a crap if your public IP gets dropped is pretty handy.
- GeoIP bypasses, allows you to work around everything from region locked content to discriminatory pricing
- Country-wide and default blockades, many countries censor the internet only in minor and weak ways, blocking things like BitTorrent tracker websites by domain or IP that commercial VPNs will trivially bypass
What is the benefit of a self-hosted VPN? No security benefit I know of, unless you primarily consume HTTP or other unencrypted communication, and even then it saves you from MITM or other attacks between you and your VPN server, not through to the content server. Anonymity is only a benefit in public VPNs.
If what you want is anonymity, VPNs are the wrong tool, as evinced by these leaks. My main use case is privacy on unsecured networks such as that of coffee shops.
> VPNs are the wrong tool, as evinced by these leaks.
Are they? So far every leak I’ve read of has been by pretty shady companies. This seems more like evidence that if you buy a pacemaker from aliexpress (or in the case of NordVPN from Wirecard or Theranos), you might die from it failing.
My ISP has been quite open about selling my information. Therefore, I'm fond of encrypting everything they see, including destination IPs, DNS, and non-TLS traffic; a VPN is a simple solution.
EDIT: To clarify, I know my ISP's spying on me. Therefore, in some models, trading that against a VPN service that might be spying on me in the same way could be a favorable trade. YMMV.
Hang on... If you use a self-hosted VPN through a VPS, the hosting company that's providing the VPS could still log or MITM traffic from the VPS. So you still need to trust someone, no?
The hosting provider can still monitor egress, which is what's more valuable anyway. Hypothetically, they could also snapshot the RAM for deferred analysis, though that's usually more trouble than it's worth. You have to trust someone in the end.
Well, if you want 100% security, you have to build your own internet. But hosting your own VPN is reasonably safe, unless you have reasons to believe a government-sized entity is specifically targeting you, in which case, yeah, just don't use the internet.
Not sure what you mean by “directly,” there are going to be strong financial ties to any VPN provider one chooses, and as such, they are no better than running your own in a lot of circumstances.
It’s sad to think VPN logs might be accepted as a source of truth. They probably are in most countries, but they really shouldn’t be.
If your crime is downloading Frozen, and the authorities can’t find any trace of the movie on the device the logs claim was used, then it would be shameful if the logs alone were enough to convict the person.
Same way you trust hey.com not to share all your email with everyone publicly. By building some kind of trust, describing how they work, their policies, being clear about how they make money and so on.
> It appears seven Hong-Kong-based VPN providers – UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN – all share a common entity, which provides a white-labelled VPN service.
> VPNmentor created an account with one of the providers, and spotted that new account in the logs, specifically "an email address, location, IP address, device, and the servers we connected to." VPNmentor alerted the providers involved to get the cluster removed from public view, as well as HK-CERT, though it seems no action was taken to immediately rectify the situation.
Maybe you're not concerned about the website you're visiting tracking you, but rather someone along the way figuring out which websites you're visiting.
So the conclusion we are to draw is that VPNs are for the naive, and that if you really get security, you self-host or go VPN-less (what is the alternative, exactly?)
Isn't the major benefit of a VPN the added hoop websites have to jump through in order to build visitor profiles?
> So the conclusion we are to draw is that VPNs are for the naive
Bit more nuanced than that, but it's certainly a field full of liars and scams.
> and that if you really get security, you self-host
Really depends on what your goal is; self-hosting can, for instance, pin you personally to a single static IP. But for some things, yeah it can be better.
> or go VPN-less (what is the alternative, exactly?)
TOR, I expect.
> Isn't the major benefit of a VPN the added hoop websites have to jump through in order to build visitor profiles?
That can be one benefit, yes. It doesn't have to be a silver bullet, but you do want to be clear on what benefits you expect to get from your particular solution.
Why is this marked as a dupe, when the "original" doesn't mention the other 6 VPNs leaking data? Yes, UFO VPN's leak in this article is based on the "original" article, but I looked at this to see if it included any VPNs I use, and I never clicked on the UFO VPN article because I don't use UFO VPN.
For me, the main benefit of a VPN is security on public WiFi networks.
Is it perfectly secure? No, but I trust a business I’m paying a regular amount to quite a bit more than a random free public WiFi provider, who is not only able to siphon off data but also has a lot more incentive to do so.
I wonder if these VPN providers can be prosecuted under the CFAA for not following their own ToS. It would stand to reason that if users can be prosecuted thus, the provider can be too. Or no one can be.
Because I live in Russia I guess. The article tells me about how a court of law operates in the US but does not really prove me wrong.
Was the FBI given access to PIA's servers to check things out? From what I understand PIA was just able to "prove" that they can't give the FBI what they wanted and the court was "well, sorry fellas". Does this prove that they don't really have logs? Not really.
I guess I'd trust them more than others, sure. But I'm still inclined to treat any service as a possible leak source.
Remember to pay PIA with ATM or other anonymous BTC and don’t use your real email address. The account emails are always used in PIA cases and they can’t protect you if that email can be traced back to you.
> UFO also claimed its logs were kept for traffic-performance monitoring only
When your product's sole purpose is to provide privacy, there's no excuse in the world good enough to knowingly retain logs like this. There needs to be a class-action lawsuit to curb douchebag businesses like this.
"No, no, but GDPR bad!!11 We care about your privacy that's why we collect all the data we can, sell it to everybody and store your passwords in plaintext" As said by several ad-supported businesses and especially ad-networks.
99% of criticism against GDPR I've seen is either about how it's poorly implemented (but still a good idea in principle) or about cookie banners (which are not even GDPR's fault though); I don't think I've ever seen anybody complain that the whole concept of GDPR is bad.
https://news.ycombinator.com/item?id=23876146 "UFO VPN claims zero-logs policy, leaks 20M user logs"
The title is also slightly misleading; multiple sources have 1.2TB, not 2TB.