Steve's Views

VPNs, safe and unsafe use

I’m following a security investigator (Brian Krebs) who is one of the very top ones in the biz. He recently posted an article on VPN services, and on one in particular named 911. It occurred to me that others might not realize the liability these VPN services pose and who might be behind them, and you might want to warn your loved ones in turn. A comment and definition on VPNs, with some additional warnings and workarounds by me, is at the bottom.

Brian Krebs wraps up his article with these words (link below):

Beware of “free” or super low-cost VPN services. Proper VPN services are not cheap to operate, so the revenue for the service has to come from somewhere. And there are countless “free” VPN services that are anything but, as we’ve seen with 911.

In general, the rule of thumb for transacting online is that if you’re not the paying customer, then you and/or your devices are probably the product that’s being sold to others. Many free VPN services will enlist users as VPN nodes for others to use, and some even offset costs by collecting and reselling data from their users.

All VPN providers claim to prioritize the privacy of their users, but many then go on to collect and store all manner of personal and financial data from those customers. Others are fairly opaque about their data collection and retention policies.

krebsonsecurity.com/2022/07/a-deep-dive-into-the-residential-proxy-service-911/

My comments, examples and workarounds on the security of VPNs

A Virtual Private Network (VPN) is the name given to a design in which traffic between two network points travels through an encrypted tunnel.

Because the content is encrypted between the two connection points, the communication can travel “safely” between them. (I say “safely” because a number of details determine whether it actually is safe.)

(And it is a moving target: attacks on encryption keep improving as computers get faster and as holes are found in encryption methods, so what counted as secure a few years ago may not be secure today.)

It is all in the design. How is it designed? There are many, many encryption methods; few are actually considered secure.

It is an everyday thing for someone to deliver something they claim is completely secure, describing at length how they go out of their way to be secure.

Then you (a cryptologist) look into the implementation of the encryption method and discover that what they are using is out of date, or maybe never was secure in the first place. (PPTP, a VPN protocol some providers still offer, is a well known example of one that has long been considered broken.)

Typically, with a VPN service, the “secure” tunnel runs only between your device and the service provider; the provider then makes a second, ordinary connection from its server to the other party. In the middle, the provider holds whatever the tunnel was protecting: it sees who you talk to, and unless the application itself encrypts the content (HTTPS, for example), it sees the content as well and can log, alter or sell it as it decides.

For the communication itself to be secure, the minimum requirement is that the encryption runs between the two actual endpoints, for example between my cell phone and yours, so that the traffic is still encrypted while it passes through the service provider. A VPN by itself does not give you that; it only moves the party who can see your traffic from your internet provider to the VPN operator, and you should ask why that party is more trustworthy. A design that leaves the intermediary able to read the traffic is at best poor design, at worst incompetent or made with criminal intent.

Then we come to using a VPN: how is it being used?

Let’s say you have an office or home office, and when you are on the road you would like to be able to access your data at the office. You get a VPN service, or some other setup, so that you now have a VPN in place.

You leave on your trip, and when you arrive somewhere you want to safely reach your data at the office. (In this example we are going to go with you having an actually secure connection.)

If the device on either end also has internet access, for browsing in particular, or is a cell phone on which you have installed various handy apps, and any one of those apps or sites you browse is hacked or includes malware (code with evil intent), the perpetrator now has a nice, secure connection into your home office.

In other words, if your remote device is hacked, you are letting the hackers through the VPN into your office network with the same access as you have. (And there are many ways of escalating from any user access to administrator.) The tunnel authenticates the device, not the person or the program using it, so it should be allowed to reach only what the trip actually requires, not the whole office network.
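An added example, not from the original post, of limiting what a compromised remote device can do through such a VPN: a WireGuard peer stanza and an nftables forward policy for the office gateway, produced by a small POSIX sh script so the policy can be sanity checked before it is loaded. The interface names, addresses, ports and the public-key placeholder are assumptions; the rules let the laptop reach SSH and SMB on one file server and nothing else.

```shell
#!/bin/sh
# Added example (not the original post's code). Least-privilege setup for one
# road-warrior VPN peer on an office gateway running WireGuard and nftables.
# Every name, address and port below is a hypothetical placeholder.

WG_IF="wg0"                 # VPN interface on the office gateway
LAN_IF="eth1"               # office LAN interface
LAPTOP_IP="10.8.0.2"        # address assigned to the laptop inside the tunnel
FILESERVER="192.168.1.10"   # the only host the laptop needs while travelling
FILESERVER_PORTS="22, 445"  # SSH and SMB only

# Peer stanza for the gateway's wg0.conf. AllowedIPs is a single /32, so the
# gateway discards any packet from this peer that is not sourced from its own
# tunnel address: a compromised laptop cannot pose as another peer.
wg_peer_stanza() {
  cat <<EOF
[Peer]
# road-warrior laptop; the key is a placeholder
PublicKey = <laptop-public-key>
AllowedIPs = ${LAPTOP_IP}/32
EOF
}

# nftables ruleset for the gateway. The forward chain defaults to drop, so the
# laptop gets SSH/SMB to the file server and nothing else on the LAN. Replies
# return through the established/related rule, and everything else arriving
# over the VPN interface is logged before being dropped, so a compromised peer
# scanning the office network shows up in the logs.
nft_ruleset() {
  cat <<EOF
table inet vpn_policy {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iifname "${WG_IF}" ip saddr ${LAPTOP_IP} oifname "${LAN_IF}" ip daddr ${FILESERVER} tcp dport { ${FILESERVER_PORTS} } accept
    iifname "${WG_IF}" log prefix "vpn-denied: " drop
  }
}
EOF
}

# Sanity check a ruleset before loading it. Returns 0 when the chain defaults
# to drop and every accept rule from the VPN interface names a destination
# host; returns 1 when a rule would let a VPN peer reach the whole LAN.
check_ruleset() {
  rules="$1"
  printf '%s\n' "$rules" | grep -q 'policy drop' || return 1
  if printf '%s\n' "$rules" | grep "iifname \"${WG_IF}\"" | grep accept | grep -qv 'ip daddr'; then
    return 1
  fi
  return 0
}

# Usage on the gateway (paths are placeholders): append the peer stanza to
# /etc/wireguard/wg0.conf, write the ruleset to a file and load it with
# `nft -f`, but only after check_ruleset has passed.
main() {
  wg_peer_stanza
  nft_ruleset
  check_ruleset "$(nft_ruleset)" && echo "ruleset passes the least-privilege check"
}

main "$@"
```

The check is deliberately crude (a text search, not an nft parser), but it catches the mistake that matters most here: an accept rule from the VPN interface with no destination host, which is exactly what hands a hacked laptop the run of the office network.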

The safest approach to using the internet is to be OK with the possibility that anything you put on it might end up available to all, including the ramifications if that happens.

If you check applications, you will find that they commonly ask for permissions far beyond what they need. I never install those.

For example, a calculator that wants access to your contacts! Or your network. What valid reason would a calculator have for accessing those?

Who puts a bunch of effort into designing, writing and releasing a program with nothing in exchange? Many programmers do, from just being helpful and liking that others use their creation. But a lot of criminal activity can also be traced to using the free model to spread malware.

(Stranger – Danger!)

What is more convenient: the feature the app provides, or getting dragged into some criminal activity unwittingly, or discovering you owe a ton of money for a bank loan you never took? These are real ramifications; at best, a bunch of wasted time and effort to sort out.

Hackers learn from what other hackers have done and are getting more and more sophisticated, so much so that everyone from a teenager in his room to organized crime to state espionage is thriving. Mostly this is because people are ignorant about security, unwilling to confront it, and working from misunderstandings.

For example, Chinese law requires Chinese citizens and companies to assist state intelligence work if asked...

Russian law enforcement has an unwritten rule of not going after Russian hackers as long as they don’t attack Russians... (One way their malware decides whether a victim is Russian is by checking which keyboard languages are installed on the computer, and it quits without doing harm if it finds one.)

If you find an app that looks to be the cat’s meow, then do some research. Not just how many people are using it, as that has nothing really to do with how secure it is, but search for the name of the app together with the words “security issue”.

That will generally tell a big tale. While you do so, observe who is saying it is good or bad; many sites have single posters who never post anywhere else, because they are fake reviewers. And of course look at the domain name to see where the app comes from.

For example, someone suggested I contact them on WhatsApp. It immediately revealed that:
1) security researchers recommended against it,
2) it comes from Facebook, and
3) WhatsApp out of the box wants your contact list.

Meanwhile, Signal is an ideal option, where it truly is end-to-end encryption between the two devices, so not even Signal’s own servers can read the messages. (End-to-end encryption protects the content in transit; it does not help if the phone at either end is already compromised, which is the same lesson as with the VPN into the office.)

Our world has grown into a digitally co-existing one, with a tremendous amount of attention placed on it by every imaginable player, with whatever intent.

— 
Steve

Online Clueless Ad Companies

It might actually be the users who are clueless. My friends and I have a policy of never buying anything from pushed ads. If we are interested in something, we look it up ourselves. Then, if we want it, we buy it, and that’s that. Don’t bother trying to sell me what I’ve already bought.

Trying to make me buy something with large ads with changing content, which is annoying as heck, is a surefire way to stop us from using them.

Now, I do recognize that it’s clearly a minority viewpoint, as they would not run ads unless some, I’ll try to be nice here, people responded to them. Same with spam: if it were a waste of time, it would not be so prevalent.

Then you always end up with ads based on browsing that somebody else on your internal network did, someone not the same sex as you, for things you might never be able to use, or would look funny wearing... What happened to the cookies that were supposed to keep track of that?

In the end I’m cutting out, or moving to the bottom of the bookmarks, sites with 3rd party ads. I rarely have to go to sites like that so no big loss.

This whole scene is motivated by making money. Everything is justified by the need to make money. Things people do to each other to make, or take, money. Amazing; you’d think there was some kind of scarcity. There are so many ways of earning an honest buck without throwing away your self-respect.

These online ads are not the why, just a symptom. An annoying symptom at times, but still only an indicator of where society is at. I don’t have an issue with advertising your products and services, but I get annoyed enough that I avoid the ones that are forced upon me. Never mind the ones that think it’s cool to play audio when you arrive, without asking first.

Both Netflix and Amazon do the same with their shows and movies. You cannot casually try to find something of interest without being forced into something that starts playing, because letting me choose is not effective or something. It makes me treat them the same way: find someone who does not do it. Not very easy at this late point in the game.

Accurate search engines are all gone

Over the years I have frequently been annoyed with Google and all the other search engines, because they will not return what I ask for.

Using the + and ” operators as explained is almost useless.

Why is it that one cannot get a specific search done?
I enter, for example:

+”5.5 mfd” 400v motor capacitor

I get hundreds of replies that are NOT 5.5, and a couple that are, but all others are not. Changing the search to:

+”5.5” mfd 400v motor capacitor

gives some more 5.5 replies, still most are something else including the first row of advertised ones.

Back in the early days of the internet there was an engine (AltaVista) that not only returned EXACTLY what you searched for, but let you search within the results! Of course they were successful and got bought up. The new owners promptly ruined the functionality, and it disappeared. Maybe it was a competitor that did not like competition. Why else be so stupidly incompetent?

These days Google thinks it is better to guess what you really want and return that instead. They clearly don’t think much of us. The same goes for every single engine I have tried: utterly incompetent as far as I’m concerned.

By all means, deliver the “improved” results, but allow for exact searching! You have the capacity to do that, and even pretend to deliver it with + and ”. People in most professions that require specificity would move immediately. Imagine being able to search for something specific and only get what you asked for!

September 24 Is World Day Against Software Patents

The Foundation for a Free Information Infrastructure has a press release declaring September 24 World Day Against Software Patents:

Brussels, 2nd September 2008 — A global coalition of more than 80 software companies, associations and developers has declared the 24th of September to be the “World Day Against Software Patents”. Five years ago, on 24 September 2003, the European Parliament adopted amendments to limit the scope of patent law and thereby protect small software companies from the harmful effects of broad and trivial software patents. A global petition asking to effectively stop software patents worldwide will be launched on 24 September 2008, together with specific additional requests for certain regions such as Europe, the United States or India.

Full Press Release.