VPNs and Trust

TorrentFreak surveyed nineteen VPN providers, asking them questions about their privacy practices: what data they keep, how they respond to court orders, what country they are incorporated in, and so on.

Most interesting to me are the home countries of these companies. Express VPN is incorporated in the British Virgin Islands. NordVPN is incorporated in Panama. There are VPNs from the Seychelles, Malaysia, and Bulgaria. There are VPNs from more Western and democratic countries like the US, Switzerland, Canada, and Sweden. Presumably all of those companies follow the laws of their home country.

And it matters. I’ve been thinking about this since Trojan Shield was made public. This is the joint US/Australia-run encrypted messaging service that lured criminals to use it, and then spied on everything they did. Or, at least, Australian law enforcement spied on everyone. The FBI wasn’t able to because the US has better privacy laws.

We don’t talk about it a lot, but VPNs are entirely based on trust. As a consumer, you have no idea which company will best protect your privacy. You don’t know the data protection laws of the Seychelles or Panama. You don’t know which countries can put extra-legal pressure on companies operating within their jurisdiction. You don’t know who actually owns and runs the VPNs. You don’t even know which foreign companies the NSA has targeted for mass surveillance. All you can do is make your best guess, and hope you guessed well.

Posted on June 16, 2021 at 6:17 AM

Comments

kai June 16, 2021 7:02 AM

I’m surprised this is only coming to light now. I know that if I were in a TLA and wanted to spy on VPN encrypted traffic, I’d set up a quality, stable and mid-priced VPN service. It wouldn’t be the most expensive, it wouldn’t be dirt cheap, but it would be a good service, run at an arm’s length from whatever agency I worked for, and it would quietly hoover up anything I wanted it to…
This is why I laugh when people blindly say to me “Use a VPN, it’s more secure!”

Tatütata June 16, 2021 7:16 AM

This was often discussed here over the years, at least in the comments.

My use for VPNs isn’t “privacy” and “security”, but to access geolocated content, and occasionally loop-back and other tests. A revealing one allowed me to see that book seller X with “free shipping” actually based its prices on the IP address, with something like a 3:1 range.

Rj June 16, 2021 7:33 AM

I have used various VPNs for about 20 years. I do not use them to hide my identity or my location; I use them to secure the data flowing over them, and to restrict access to whatever is beyond the encrypted endpoints. For this kind of use, it is better for me to run the VPN myself, so I know the owner, location, and laws that apply. People think of the VPNs that are marketed on radio shows, etc. as hiding their identity, but the most common use for a VPN is that which I have described, especially when a lot of work went remote during the pandemic. For many non-technical people, this was the first they ever heard of a VPN, so of course a new market was created to exploit their relative ignorance.

Boris June 16, 2021 7:58 AM

@Kai – they don’t even need to go to that expense.

Commercial VPN endpoints are limited in number, so they only need to set up monitoring of traffic from these endpoints. That way you have a concentrated feed from everyone that believes they have something to hide.

Clive Robinson June 16, 2021 7:59 AM

@ Bruce, ALL,

And it matters. I’ve been thinking about this since Trojan Shield was made public.

Some years ago now @Nick P and myself had concluded there was no safe way to cross borders, and there was no way you could trust Law Enforcement in any given jurisdiction.

The conclusions we came up with are probably still up on this blog.

One salient point is that the trust issue of “citizen -v- State” actually applied as “State -v- State”.

The only reason “Trojan Shield” or the earlier attacks on encrypted phones or even earlier encrypted email[1] could happen was when States were prepared to cooperate.

Thus a citizen could gain an advantage when states were not going to cooperate. Thus sending traffic through VPNs or servers in States that did not trust each other could be leveraged in the citizen’s favour if care was used (VPN-only solutions are not “sufficient care” OpSec wise though).

Thus you need at least four jurisdictions.

1, That the first party is in.
2, That the second party is in.
3, A nation that does not trust the first party’s nation.
4, A nation that does not trust the second party’s nation.

And importantly that the third and fourth nations do not trust each other either.

Whilst this might sound a tall order, tax havens and the like “don’t trust” other nations by default, as their economic model does not work. Hence the reason “The Panama Papers” had such fallout.

[1] Both of us had assumed that any third party solution to private communications was unlikely to be secure against a state for a whole heap of reasons even before Lavabit’s issues made it obviously true[2],

https://legaltimes.typepad.com/files/lavabit-brief-doj.pdf

https://blogs.law.nyu.edu/privacyresearchgroup/2016/04/from-apple-to-lavabit-the-ecpa-and-the-legal-struggles-surrounding-encryption/

[2] The exception to the rule was when a sufficiently powerful organisation can fight back with all the legal weapons at its disposal and is willing to do so. Something we considered was not going to happen for financial reasons. But we were in part wrong, and had forgotten that sometimes state agencies are stupidly over confident,

https://www.emptywheel.net/2016/03/10/doj-to-apple-start-cooperating-or-youll-get-the-lavabit-treatment/

The result as we know was the FBI and DoJ psychos having to pull the rip cord or very likely face case law the opposite of what they were trying to establish.

echo June 16, 2021 8:15 AM

I have tended to avoid exposure to the US jurisdiction for a long time. It’s simply too much of a nightmare even for something as trivial as hosting a personal hobby website about fluffy bunny rabbits. I wouldn’t step foot in the US without A.) Medical insurance and B.) Legal insurance (which most people forget).

I use a VPN for administrative not security reasons. In the case of misfortune the jurisdictions which apply have better jail conditions and human rights law in practice than the US or UK. I do not advertise nor discuss what VPN I use nor what legal arguments apply to covered actions if for no other reason than A.) I have no wish for the government to change the relevant law and B.) If criminals got a whiff of the legal arguments they might use them and generate too much heat.

I like excitement as much as the next person but tend to avoid exciting people and externally generated excitement. As I have said to people from time to time being boring is being secure.

gggeek June 16, 2021 8:56 AM

Much like Rj, I was shopping recently for a VPN that would guarantee me a fixed, dedicated IP address so that I could authenticate to those clients’ networks which require source address whitelisting.

After testing a couple of the best known brand names with a good reputation and decent pricing, I came to the conclusion that, for any moderately tech savvy user, vpns are totally not worth the trouble.

I spent a grand total of 4 hours setting up wireguard on a free-tier instance on aws, and now have something cheaper, faster and more trusted than any of the consumer-grade vpns in the market.
As a bonus, no need to install buggy client software on the local computer – the standard wireguard client is both nimbler and more stable.

Interesting discoveries I made while shopping around:
1. there are countless sites doing vpn reviews, but very few of them focus on the privacy/liability issues instead of just measuring download speed and features;
2. there’s a big company with a shady past in web advertising which has recently been on a buying spree, so many of the well known vpns are now owned by the same (us based) parent org. The guy picked as cto for the vpn business is one previously famous for having set up a bitcoin exchange which got “hacked” and lost millions… surely a very reassuring thing for anyone looking for secure computing :-O
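Rj and gggeek both land on the same answer to the trust problem: run the endpoint yourself, so the owner, location and applicable law are known quantities. The following is an added example (not code from the post, the comments, or the WireGuard project) of what that self-hosted WireGuard setup looks like on paper: it emits a wg-quick style server config and a client config, and audits the server’s [Peer] entries for the AllowedIPs mistakes that quietly undo least privilege. The tunnel network 10.8.0.0/24, port 51820, the hostname vpn.example.invalid and the keys are all assumptions; the keys in particular are constructed placeholders of the right shape, not a usable keypair.

```python
"""Self-hosted WireGuard, as Rj and gggeek describe: emit a server config and a
client config, then audit the server's [Peer] entries for AllowedIPs pitfalls.

Added example, not code from the blog post, its comments, or the WireGuard project.
Keys are CONSTRUCTED placeholders (the 44-character base64 shape wg(8) expects, but
not a real Curve25519 keypair); on a real host generate them with `wg genkey` and
`wg pubkey`. The tunnel network, port and hostname are assumptions.
"""
import base64
import hashlib
import ipaddress
from typing import Dict, List, Tuple

TUNNEL_NET = ipaddress.ip_network("10.8.0.0/24")   # assumed tunnel network
SERVER_ADDR = "10.8.0.1"                            # server's tunnel address
LISTEN_PORT = 51820                                 # WireGuard's conventional UDP port
ENDPOINT = "vpn.example.invalid"                    # hypothetical server hostname

# One client peer as the server sees it: (name, public key, AllowedIPs entries)
Peer = Tuple[str, str, List[str]]


def placeholder_key(label: str) -> str:
    """Constructed placeholder: 32 bytes derived from a label, base64-encoded.
    Same shape as a WireGuard key; NOT a usable keypair."""
    return base64.b64encode(hashlib.sha256(label.encode()).digest()).decode()


def server_config(server_priv: str, peers: List[Peer]) -> str:
    """wg-quick style server config. Each [Peer] gets only its own /32."""
    lines = [
        "[Interface]",
        f"Address = {SERVER_ADDR}/{TUNNEL_NET.prefixlen}",
        f"ListenPort = {LISTEN_PORT}",
        f"PrivateKey = {server_priv}",
    ]
    for name, pub, allowed in peers:
        lines += ["", f"# {name}", "[Peer]", f"PublicKey = {pub}",
                  f"AllowedIPs = {', '.join(allowed)}"]
    return "\n".join(lines) + "\n"


def client_config(client_priv: str, address: str, server_pub: str,
                  full_tunnel: bool = True) -> str:
    """Client config. full_tunnel routes everything (v4 and v6) through the
    server; otherwise only the tunnel network is reachable over WireGuard."""
    allowed = "0.0.0.0/0, ::/0" if full_tunnel else str(TUNNEL_NET)
    lines = ["[Interface]", f"Address = {address}/32", f"PrivateKey = {client_priv}"]
    if full_tunnel:
        # Assumes a resolver listens on the server's tunnel address. Without a
        # DNS line, name lookups still leave via the local network in the clear,
        # which is exactly the metadata a full tunnel is meant to hide.
        lines.append(f"DNS = {SERVER_ADDR}")
    lines += [
        "",
        "[Peer]",
        f"PublicKey = {server_pub}",
        f"Endpoint = {ENDPOINT}:{LISTEN_PORT}",
        f"AllowedIPs = {allowed}",
        "PersistentKeepalive = 25",   # keeps NAT mappings alive for a roaming client
    ]
    return "\n".join(lines) + "\n"


def audit_server_peers(peers: List[Peer]) -> List[str]:
    """Least-privilege check on the server side.

    On the server, a peer's AllowedIPs is both a route (packets for those
    destinations go to that peer) and a source filter (packets from the peer are
    dropped unless their source is in the list). A client should therefore own
    exactly its /32 inside TUNNEL_NET; 0.0.0.0/0 here would route every reply for
    every client to one peer. wg also moves a duplicated allowed IP to the last
    peer it was given to, silently disconnecting the earlier one.
    """
    findings: List[str] = []
    owner: Dict[str, str] = {}
    for name, _pub, allowed in peers:
        for entry in allowed:
            net = ipaddress.ip_network(entry, strict=False)
            if net.prefixlen != net.max_prefixlen:
                findings.append(f"{name}: '{entry}' is a range, not a single host")
            elif net.network_address not in TUNNEL_NET:
                findings.append(f"{name}: '{entry}' is outside {TUNNEL_NET}")
            if entry in owner:
                findings.append(f"{name}: '{entry}' already belongs to {owner[entry]}")
            owner[entry] = name
    return findings


if __name__ == "__main__":
    peers = [("laptop", placeholder_key("laptop-public"), ["10.8.0.2/32"]),
             ("phone", placeholder_key("phone-public"), ["10.8.0.3/32"])]
    print(server_config(placeholder_key("server-private"), peers))
    print(client_config(placeholder_key("laptop-private"), "10.8.0.2",
                        placeholder_key("server-public")))
    print(audit_server_peers(peers))                               # [] -> nothing to fix
    print(audit_server_peers([("laptop", "k", ["0.0.0.0/0"])]))    # flagged
```

The audit is the part worth keeping around: the server-side AllowedIPs is the whole access-control model of WireGuard (there is no separate ACL), so a range instead of a host, an address outside the tunnel network, or the same /32 handed to two peers each changes who can send what through the box.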

wiredog June 16, 2021 9:27 AM

As others have pointed out, the best use case for VPNs is encryption of data in transit, followed by accessing services that try to limit use to certain locations. Privacy (especially against governments) is basically impossible online. And encrypted in transit is mainly for use against private actors. Just assume that, if it really wants to, the KGB can read your mail.

intind44 June 16, 2021 9:37 AM

I don’t want to spill anyone’s secrets or anything, but I had some strange occurrences with my Nordvpn. I’m not 100% convinced it’s as secure as they advertise. I switched over to Mullvadvpn to try it out as I have heard good things from security/privacy people.

A VPN is absolutely mandatory for me. I have a very hostile ISP that literally will MITM, serve forged https certs, and packet inject. I have 24/7 portscans targeting my firewall and they won’t hesitate to try to exploit a vulnerability to get into my network if they can. Thank gosh for immutable disposable browsers. I would never have believed it if I didn’t see it for myself. They block Tor, and many privacy minded websites such as tails.org and qubes-os.org. It’s out of control. I use Whonix regularly for some stuff, TOR is just so slow and gives issues on many geo located sites. And I am starting to trust that less and less with all of those malicious exit nodes that will steal your creds.

Clive Robinson June 16, 2021 9:58 AM

@ echo, ALL,

As I have said to people from time to time being boring is being secure.

If only that were true…

Mostly those who would breach your security can neither see nor hear you, nor do they care to, thus they know not if you are boring or not.

The mistake people are making is the multi millennium old one of,

“I’ve not been attacked so I must be safe/secure.”

In a target rich environment such as the Internet where EVERYONE IS VULNERABLE your probability of being attacked is approximately the same as everyone else of equal technology usage. Thus it boils down to the number of attackers and just how many people they can attack in any given time frame at your technology level.

Thus I don’t connect my computers to the Internet or any other external communications network, and just use an old phone for browsing with cookies and javascript etc usually turned off.

Are my computers secure? Well I know I could attack them successfully if I had to, so the answer is no. But are criminals using those sorts of attack, well not that I’m aware of.

Would anyone be able to attack them without me being aware of it, well if you throw enough resources at the problem, things do become possible. But is it probable?

Well that’s when your “be boring” comes into play. People only devote significant resources if they see a return / profit on it, be it money, power, or status. Well on those three there is no profit and no return, just sunk costs.

Which just leaves the “loony two tunes” and “Dark Triad” types. They do things for reasons that make no sense or profit.

Some see things as a challenge and tend to do no real harm. Others for “ego food” reasons want others to know they have “captured the flag” but again, aside from some graffiti type harm, they generally are more annoying than harmful.

As you go into the mental murkiness of the Dark Triad then things get weird; some are sadists and will not just do harm, it will be structured harm so they can go for the death by a thousand cuts to prolong your pain and thus their pleasure. As for the “paths”, be they psycho or socio, they have an objective; what it is generally does not matter, they just go for it because you are of less importance to them than an inanimate object that just has to be removed. Finally there are the ones that have a really significant problem, the narcissists: what they want is for you to treat them as deities or similar; they can make stalkers look tame, and the only way to deal with them is for them to be gone for good, put in a place where they can do no harm whatsoever. Mostly the way they are dealt with is to make them somebody else’s problem, but whilst that moves the problem from you it just puts it on someone else. There are other solutions but imprisonment in the usual way does not work because they just start again on being released. But that is true for all those in the Dark Triad; as far as we can currently tell there is no cure, so the eventual solution to them is the one nature applies to us all.

intind44 June 16, 2021 10:19 AM

@echo

“I wouldn’t step foot in the US without A.) Medical insurance and B.) Legal insurance (which most people forget).”

Don’t forget your bulletproof vest too. There are so many mass shootings going on almost daily. A very scary time.

@Clive

“There are other solutions but imprisonment in the usual way does not work because they just start again on being released.”

Three years and counting I’m afraid.

Steve Shockley June 16, 2021 10:21 AM

It’s simply too much of a nightmare even for something as trivial as hosting a personal hobby website about fluffy bunny rabbits

Link?

Lamont Granquist June 16, 2021 10:54 AM

VPNs are like front door locks for most people, they don’t have to be perfect.

Most people are just trying to hide their traffic from their ISP, from companies like Google, and to bypass geolocation to access services that are geofenced for one reason or another.

The worst that most people do is download movies and TV shows off torrents and they want to avoid getting strikes from their ISP. Even if the CIA is really running NordVPN, it’s like speeding 8 mph over on the freeway. That isn’t what the CIA would be going after by doing that, and they’re not carefully collecting those logs in order to hand over to the RIAA/MPAA and bust every American who illegally downloads.

The stated reason why AN0M was shut down was also that the SNR was dropping and it was becoming less useful, so it’s fairly unlikely that they’re running NordVPN and trying to spy on everything.

If you’re actually doing something much more high stakes, then you might have to worry a lot more. Most people using those services aren’t.

It’s a lot like door locks, and most people probably just have two kwikset locks on their front door that someone who is moderately skilled could get through in a minute or three (if they didn’t just bust a window to get in).

intind44 June 16, 2021 11:05 AM

@gggeek

“I spent a grand total of 4 hours setting up wireguard on a free-tier instance on aws, and now have something cheaper, faster and more trusted than any of the consumer-grade vpns in the market.
As a bonus, no need to install buggy client software on the local computer – the standard wireguard client is both nimbler and more stable.”

Many VPNs claim to keep zero logs, and we can debate whether or not that is accurate or what other nonsense might be collecting the logs instead. However, regarding AWS I know they definitely keep logs. Therefore being “Trusted” would have to be subjective to the user and use case. If you don’t care if AWS has your logs why not care if your ISP has them instead? What’s the difference?

I was considering grabbing a Linode vps and doing the same, and then I thought about the level of difficulty that a motivated overzealous gov entity would require in order to get my data from either a VPS or my VPN datacenter in another country such as Sweden. Any way you look at it someone is going to have your data.

Arclight June 16, 2021 11:10 AM

As others have pointed out, a “commercial VPN” solution is useful if you just need to protect your traffic from being viewed and interpreted by the public WiFi provider at your coffee shop, school or apartment building or by a nosy ISP that cares what you download. Regarding surveillance by your home government, it may actually provide you with less protection, since you are now generating traffic to/from a foreign endpoint that is not covered by any of your nation’s privacy laws, as watered-down as those may be.

intind44 June 16, 2021 11:30 AM

@Lamont Granquist

I agree with you 100%. However, only recently did I witness the amount of malicious packet injection going on. Malicious code being injected into your browser as you surf the internet. Quite frankly I have no idea if some government entity is running NORDvpn or not; all I know is that when I was connected to the vpn and went to check my email, the website I checked my email at was being served a forged cert that didn’t match what it was supposed to be. There might be 100 different ways this could have happened. It may even be locally on my end. How might someone compromise a vpn connection? Perhaps a MITM from my ISP using a Nordvpn ssl cert. Maybe my Nordvpn gui Client is vulnerable somehow. The skeptic in me wonders if a government can demand SSL Certs from VPNs since they don’t keep logs, and MITM your traffic, at which point it becomes viewable. You might never know.

Regarding the use case in general, it’s possible I’m just being targeted for some reason. But I don’t have multiple ISP connections to check and see if the same behavior persists on other lines. It’s prolly just me.

Clark Gaylord June 16, 2021 12:39 PM

The “P” in “VPN” is unfortunate; it should be considered silent, as in pseudo-science or psnakeoil.

In order to be effective, encryption must be end-to-end, and the vast majority of traffic on the Internet that should be encrypted already is, and comes with an established trust model. What is exposed are the network addresses of the endpoints, and perhaps the DNS queries.

The location obscurity of tunneled traffic has some potential value, but much less than VPN providers want you to believe.

Great point about the leverage these providers might be subject to from their home countries, or “guests” in those countries, for that matter (whether GRU or CIA or whatever).

By all means, use VPN to circumvent content restriction stupidity, but never believe it’s buying you “security” or “privacy”.

And this goes double for your “Enterprise VPN” that your corporate IT Security foists on you. It is the poster child pseudo-security stupidity, and only benefits the company that sold the bill of goods.

Amateur techguy June 16, 2021 12:59 PM

I want to have an “encrypted tunnel”. I’m an average guy, not a pro so I can’t set up my own. I know none are 100%. Having used Protonmail for a few years, I use Proton VPN.
Really slows my connection. My biggest issue is websites that detect the Proxy & won’t let me access their sites. Seem to be more of those now.

Winter June 16, 2021 1:07 PM

Contrary to what people seem to think here, VPNs can be useful for privacy and security. Especially, when you travel a lot.

I remember Cory Doctorow describing his personal setup some years ago (sorry, could not find a link). He pays for a proxy server in Sweden from a provider he trusts. He does all his internet via a (trusted) VPN over this proxy server.

As he travels a lot, and is politically active (=has enemies), he feels more safe this way when using local internet services.

His threat model does not include the NSA, GRU, FSB, Mossad et al. so this setup looks rather appropriate.

I think I too could live with that.

Ralph Haygood June 16, 2021 3:38 PM

As a consumer, you have no idea which company will best protect your privacy. You don’t know the data protection laws of the Seychelles or Panama. You don’t know which countries can put extra-legal pressure on companies operating within their jurisdiction.

So, Mr. Schneier, it would seem there’s an opportunity, at least for a public service and maybe even for a profitable business, in cataloging the laws and, more importantly, the historical behaviors of countries around the world with respect to data privacy. Because I agree – and I speak from experience – that it’s a lot of work to track down the relevant information about even one country.

Of course, some people say, “It doesn’t matter; you can’t trust anyone.” But of course, that’s like saying, “Any plane may crash,” which is true, but most of us still fly from time to time. There are practically meaningful differences among countries in kinds and degrees of respect for data privacy, so a well researched and maintained catalog of these differences would be valuable.

vas pup June 16, 2021 3:52 PM

@echo.
I share many points in your post.

@Bruce said:
“You don’t know which countries can put extra-legal pressure on companies operating within their jurisdiction.”

Wow!
If you don’t have an answer, then just think where and why Snowden is currently living.

I assume that in the Western world (G7) only France has a kind of real independent voice:

1. Own nuclear triad.
2. No foreign military presence on its territory.

But sometimes economic pressure in combination with legal pressure is very effective, e.g. towards Switzerland.

My bet, 98% that this post would be deleted, but Big Brother will have it. Bitter joke.

metaschima June 16, 2021 4:23 PM

Thank you Bruce, I totally agree with you and I’ve stated similar things in the past. VPN is the perfect honeypot for intelligence agencies. People wanting to stay “anonymous” will think it’s a great idea so they won’t be tracked, but what if the FBI is running the server? I’m not saying that everyone who wants anonymity is up to no good, but just privacy will do for most people. Well, most people don’t even care about that.

Jon June 16, 2021 4:44 PM

There is another way:

Sign up for dozens of them, and flood them with crap. Throw around what looks like reasonable stuff, but are in fact nonsense.

Also throw in a few “canaries” – Send over one VPN “The deal is going down in room 2304 at the Hyatt, 9pm” and see if room 2304 gets raided at 9:01…

This alternative is not cheap – thus only the poor (and/or stupid) criminals will get caught. Which is typical of law enforcement everywhere.

J.

Erdem Memisyazici June 16, 2021 5:44 PM

@kai

Well said. In fact the “no root” firewalls depend on setting up a local VPN service to decrypt outgoing SSL traffic.

OneOne June 16, 2021 8:31 PM

A big difference between Trojan Shield and a VPN bust is that Trojan Shield was designed to monitor the content of the traffic, while today, in large part due to Snowden’s revelations, almost all internet traffic is natively end-to-end encrypted between the local browser or client and the destination server. So the value of a similar operation with VPN is not clear, it would only give them metadata which they probably already have if they monitor major ISPs, CDNs and DNS services.
A similar valuable operation to Trojan Shield regarding internet traffic can be a new privacy oriented browser that will have built-in MITM. So I would look for such browsers that are active for only a few years with limited marketshare, probably not open sourced or without strong public audit.

Etienne June 16, 2021 9:03 PM

Is there a list somewhere of all VPN IP addresses used in North America? For example, when someone uses a VPN, the IP address they use when exiting the VPN. I guess this would be the NAT address.

Right now I block all non-North America IP’s (in/out) so I would like to block all VPN IP’s (in/out) so people in China can’t VPN into North America, and then convert my daughters into Communist concubines.

RealFakeNews June 16, 2021 11:07 PM

I’m surprised it has taken as long as it has for Governments to create apps for this kind of thing.

Don’t forget the “secure phone” attack recently in the UK/Europe, too, of phones used by criminals.

Ever since commercial VPN services became mainstream I have thought they are all honeypots.

I even think the major search engines, etc., were set up with that in mind. How often are people busted for what they typed in a search engine?

Ultimately, criminals are dumb which is why they think they can get away with whatever they’re doing. Offering “anonymous/private” access just increases their sense of invulnerability.

I think cryptocurrency is a honeypot, too, but for finance. They say a person can be uniquely identified by their purchase history. How is cryptocurrency any different? Bonus: everything is public and 100% traceable. How is it therefore private?

Don’t want to get busted for breaking the law? Don’t break the law. Fairly straight-forward.

The people that have a problem are those persecuted by the state, or living under an oppressive regime.

Michael June 17, 2021 2:52 AM

To be honest… trust?

Same counts for “official” providers in your own country. Working together with several authorities, capturing and monitoring traffic, “forensic” rsm attacks e.g.

In addition, redirection of dns requests like Vodafone does it as an example or meanwhile other private companies do it

In these days users worldwide have to see and care where they are. Sad enough.

echo June 17, 2021 8:36 AM

@RealFakeNews

Don’t want to get busted for breaking the law? Don’t break the law. Fairly straight-forward.

The people that have a problem are those persecuted by the state, or living under an oppressive regime.

This is the core of the issue. The internet, VPNs, and the law can be one of those how long is a piece of string issues. Everyone’s starting point is different. Speaking for myself almost nothing applies and if it did I would hardly be discussing it here.

What bothers me more is the general tilt of human rights and this becomes an issue if I travelled so I would always do my due diligence on local law and customs. There are some red line countries but the majority fall more into inconvenient. Most of that inconvenience can be avoided by not discussing the local politics when you are there and not offending public morals especially in some of the more theocratic countries and not being where you are not supposed to be. Now there can be wiggle room but like anything this depends on local knowledge and sometimes who you know. I’m more concerned about personal safety and the SWOT analysis for men and women is different. This is something people forget.

The UK Foreign Office is generally regarded as being useless and embassies are even worse. As for MI6 (SIS) who do they think they are kidding? Go and find another lackey who will carry all the risk and work for free.

A number of free Usenet servers were funded by the CIA mostly so dissidents could reach out to people outside their borders. I’m guessing this is where some of the value lies today with VPNs and even then with “capture it all” I’m guessing they may not need direct management. It’s going to be a small number of agencies and NGOs and lawyers etcetera who would be in the loop. Anyone trying to egress intelligence information either falls under “open source intelligence” and anything else would likely take another route if it was that important.

Microdots are still a thing. I have no idea if anyone still uses them but if you want to shift a lot of stuff without pinging metal detectors somebody out there would still have this as an option. As for low bit count time sensitive data? Laser and radar reflectors are a thing too as are plant pots arranged in a garden or where or which way around a car is parked. Who needs a VPN? It’s not as if all the old ways have been thrown in the bin and new technologies with better specifications aren’t available. You can’t get more VPN than having your own satellite even if it is one way.

Actually, this just made me wonder. What with building penetrating signals even waving your arms around is a way to extract data albeit at a low bit rate.

kropp June 17, 2021 9:18 AM

@Bruce Schneier

You don’t know the data protection laws of the Seychelles or Panama.

Well, this is usually easy to verify.
The problem is whether there is rule of law in the country where you have your VPN server.

gggeek June 17, 2021 11:17 AM

@intind44 I stated upfront that my use case is not about keeping my surfing logs private. The RIAA and friends are not part of my threat model.

What I am trying to attain is 1. a minimum of safety from casual (non state actor) hacking attempts, 2. being as protected as possible from governments snooping (that is achieved via the jurisdiction rather than technical means), and 3. make sure that in the process of achieving 1 and 2 I am not handing the home keys to the baddest guys of them all (advertisers and co).

For 1, using wireguard and oss software seems a good bet these days. I was not impressed by the quality of the vpn client software for windows that I tried, and it was definitely not open source.

For 2, I am not sure if there’s any good option, really. I’d like not to use anything US based, nor from a country which has close ties to the US (extradition pacts or a known history of letting them snoop over everything, which includes e.g. the 5 eyes but also Netherlands and Sweden).
On the other hand, using companies based in Panama or other fiscal paradises with little international clout seems an even worse option.

For 3, it’s mostly down to the reputation of the vpn provider, and how much trust one has to put into their claims / how much their business operations are transparent and their technical claims get vetted by 3rd parties.

echo June 17, 2021 11:22 AM

@kropp

Well, this is usually easy to verify.
The problem is whether there is rule of law in the country where you have your VPN server.

Basically this and whether they have decent jails just in case you trip some law. Choice of VPN may ultimately come down to who has the better prison menu.

Jon June 17, 2021 1:42 PM

@ echo, kropp

Well, this is usually easy to verify.
The problem is whether there is rule of law in the country where you have your VPN server.

Basically this and whether they have decent jails just in case you trip some law. Choice of VPN may ultimately come down to who has the better prison menu.

There’s an alternative there, too – Be somewhere other than where the crimes were committed. (See Carlos Ghosn; wanted in Japan, now free in Lebanon. Kim Dotcom tried the same in New Zealand, with less success). If what you’ve done is a horrible crime in Panama, be in the Seychelles. If it’s a horrible crime in the Seychelles, be in Panama (or Switzerland).

Even better, don’t ‘live’ anywhere specific – large yachts are good for this, as are dozens of houses with ready helipads.

Nothing’s perfect, though. The USA and Israel have shown very few compunctions about committing serious war crimes to ‘get their man’, and Arabian kings have been known to raid yachts far outside their waters.

HTH. 😛 J.

intind44 June 17, 2021 3:49 PM

A theoretical scenario to work through…..

The idea of “cleaning” a system is not realistic, especially in the case of a system compromise, as there is no reliable way to determine if the system has been completely cleaned. To return a computer to a trusted state requires reformatting the hard drive and reinstalling the operating system. If your computer has not already been disconnected from the network then do so before taking any of the following steps.

The paragraph above states to format the hard drive and reinstall the OS to restore to a trusted state. However, we know that doesn’t necessarily mean the system is secured. Firmware, rootkits, and other paraphernalia can be infected. Perhaps the whole computer would need to be replaced, but if we don’t know how that original computer was compromised, how do we know if a new computer wouldn’t instantly get compromised itself when deployed?

Assume a large network with many nodes has been covertly compromised and no one has discovered the compromise yet. The threat actor(s) were buried deep in the network and fortified their position. A node operator on the network realized via correlation of anomalies that not only his node but the entire network was fully compromised and being controlled by an unknown threat actor. This network is spread across the country rather than inside one building. The nodes were spread out such that you couldn’t simply drive to a central location to flip the switch. A mesh network such as the internet. Not only are the nodes and network compromised but so were the other channels of communication, such as all the telephones. What would be the best way to remediate your node and then alert the others without the threat actors detecting they have been discovered? All communications are being closely watched. The concern about broadcasting an emergency signal across the network is you don’t know what capability the threat actor has. They could possibly destroy all the files on every node as well as the physical infrastructure with the flick of a switch. This is their escape plan if detected. How would you deal with this type of a situation? Is there anything one person could do? Say that one person was a security engineer.

Now, instead of a networked computer system, what would you do if the system in question was a social system? Political system? A government, religious system, or a system of systems such as an entire country? You have no idea if anyone else has detected the infection, nor do you know who might be adversarial or friendly. The threat actors could possibly burn the system down at the flick of a switch if the participants in that system were made aware. How does one go about remediating this? Because if you don’t, maybe no one else will. Eventually the threat actors could manipulate the system and those participating in that system in such a way that they were brainwashed into protecting the threat actors as their own. How could someone try to alert as many others in a covert manner while not knowing who to trust, who might be a threat actor, or an unwitting idiot willing to defend the threat actors?

Then identify how to neutralize that threat before they realize they have been discovered and can burn the place down and escape. Or perhaps the system had been compromised for so long that it fell into disrepair due to the threat actors’ purpose not being to maintain the system but rather to loot valuable assets and then let it fall apart so as not to pose to them.

Are there any good books about this sort of thing from a Cybersec Engineer perspective?

Random Commenter June 18, 2021 8:34 AM

How much you want or need to trust a VPN is all based on your threat level, which might not be the same as your perceived threat level.

I would never use a US or 5/14 eyes based VPN and being in one of those countries would prefer to connect a node outside the country, even knowing that they are mirroring and splicing the data at various points.

Some VPN providers have their own hardware in secure environments which are tamper proof but not many. Without physical access the traffic will be monitored in and out the datacentre anyway.

Double hop routing is a good idea as long as the route is randomised so one connected node does not always exit at the same IP.

Mixing OpenVPN, stunnel and WireGuard to tunnel through each other hides your data from being matched end to end and makes it more difficult to pull apart automatically if you keep your personal logins out of the equation. OpenVPN on a fast router to the first hop, so all devices use that and show some static traffic, but then also have a gateway on the network which connects to WireGuard through the VPN router to another server. Use that gateway to double tunnel, and then on the box you can use another WireGuard/stunnel/VPN if you wanted to.

Takes some time to find and choose the stable, fast servers along the route to get the best connection, but it can work just as fast as one VPN connection. The only issue is if one part of the relay goes down it can be a pain to reconnect if you use traffic blocking for protection when that happens.

Fledgling June 18, 2021 11:27 AM

NordVPN recently changed their system to require you to log in via a web browser before starting the VPN. That is inherently insecure. I dropped them as my VPN immediately. What reason could there be for such a plainly insecure change? It seems likely that some nation state exercised influence there.

SpaceLifeForm June 18, 2021 3:38 PM

@ Jon

IIRC, Kim Dotcom smelled the Stingray Baked Beans cooking at 2G.

How did he do that? The same way anyone can smell the beans in their neighborhood.

Your signal quality goes up. Your battery life goes up. Without changing location.

Does not mean you specifically are being targeted. But it may mean that there is a Stingray in your area.

A non-used cell phone (preferably more than one, different carriers, different tech) may be useful for the purpose of monitoring signal quality. It does not usually need a SIM. But you must not enable Airplane Mode, otherwise the signal quality is not reported. That is based upon my experience, YMMV.

Remember, NO SIM does not kill the radio.

This is so you can make an emergency call on a phone that has no SIM.

If the radio (cell modem) has signal, well ‘stuff’ can possibly happen sans SIM.

Think about that.

I always put unused cell phones in Airplane Mode.

echo June 18, 2021 7:02 PM

VPNs terminating in Denmark seem like a good choice if you’re into this sort of thing.

https://torrentfreak.com/court-sentences-operator-of-danish-torrent-trackers-to-prison-210616/

A 50-year-old man was handed a four-month prison sentence this week for his involvement with the Danish torrent trackers Asgaard and NordicBits. The man, who is seen as one of the ringleaders behind the now-defunct sites, helped to arrange servers and provided customer service, among other things. The Danish prosecution, meanwhile, warns that users of these sites can be targeted too.

And

http://www.designcurial.com/news/storstrm-prison-by-cf-mller-6040669/

While this forms part of a larger project in which Denmark is renovating or rebuilding its prisons to make them more efficient and fit for contemporary use, in Storstrøm — a closed, Category 1 prison, the highest security level in Denmark — the design has focused primarily on wellbeing. Of staff, yes, but also — crucially — of inmates.

This can be seen in the en-suite cells with tall, barless windows and flat-screen TVs, which look more like bright hotel rooms; in the verdant gardens designed by a landscape architect; and in the impressive sports and culture centre; and in the abundance of natural light the overall design brings in.

Clive Robinson June 18, 2021 7:27 PM

@ SpaceLifeForm, Jon,

I always put unused cell phones in Airplane Mode.

Then take the battery out or put them in a tin box?

Remember “Airplane Mode” is “just a software option” that an OTA-Update can change any time the cell local to you wants to, even if it’s “Just a Stingray”…

Look around for those cheap Chinese phones where you can reprogram the “unique electronic serial number” from the keypad, and also, if you know who to talk to, an “Engineering SIM”. Motorola used to supply them upon request when you purchased one of their Java-24 development cell phone blocks; they display all sorts of useful information, not just the base station signal strength but its ID number, its network provider ID and much much more…

If you get the “Java Software Development Kit” from them and one of their unlocked Java-24 modules you’ve got programming access directly to the Radio Interface… So think what you can do with that.

Jon June 18, 2021 8:18 PM

@ C. Robinson, et al.

Exactly. What makes you think selecting that tickbox does anything at all?

I’m not much of a software guru, but I could easily write an app with dozens of little tickboxes that do nothing at all – and even claim it’s an accident (sorry, buggy library, yeah, it still phones home. Rev. 143.6 will fix that, I promise).

Or it uses the attempt to make things worse: “Hey, this guy tried to tick this box – they must have something to hide!”.

Or “Hey, we’re Company A with revenue stream X. Ticking that box disconnects revenue stream X. We don’t like that. Let’s make this guy’s life hell until he re-enables it.”

What makes you think the Chinese phones actually change the ID – or maybe they just keep a list of the old IDs and only use the new ones – until someone asks them the right questions.

Ad nauseam.

J.

JonKnowsNothing June 18, 2021 10:15 PM

@Jon, @Clive @All

re: Tick Boxes that do nothing

I think they are quite common now.

Often seen when doing On-Line Applications for Anything Important.

Lots of tick boxes, selection options, fill in the blanks, that never make it to the next phase – to whatever, where ever or whoever is supposed to get it/see it/file it/act on it.

It’s often noted when government departments have ginormous backlogs, with attendant claims of “not enough data submitted”.

Some regions are still attempting to process COVID-19 Support Payments from Jan 2020 and at the rate of resolution it may be years more before they catch up to their current backlogs.

These Go-No-Where-Tick-boxes are not bugs, they are features and have been deliberately designed into the relevant systems. Recently a Gov Department report noted that such empty-boxes were designed to delay applications for legally available government supports such as Unemployment and Disability. The delay in resolution would save that Government millions in funding and if the applicant was gravely ill, they would die before application was approved.

Horror stories abound.

Clive Robinson June 18, 2021 10:31 PM

@ Jon,

What makes you think the Chinese phones actually change the ID

Oh that’s fairly easy to check with an SDR “cell sight simulator” you can build for not very much money.

For even less you can use an SDR receiver that’s down in the “pocket change” price and use it with some free software that listens in to what the handset transmits and displays it all on a PC screen.

Such phones and kit are making their way into more and more “Pentesters’ standard load outs”, especially now “home working” is becoming more standard.

You can, if you are knowledgeable in these areas, pick up a whole lot more than pocket change training not just Pentesters but other investigators and close protection people in this stuff.

One trick is tracking potential watchers. If you carry around an active “cell site simulator”, anyone that comes close goes through a “hand-off process” which basically turns any mobile device into a beacon. If you have a DB of serial numbers to model number, thus capabilities, you can check for Bluetooth or WiFi being active on the phone and similar; this gives you some interesting possibilities.

Not least of which is to make any hands-free headset screech loudly and painfully in their ear, which can buy you vital seconds in a hostage grab or similar situation.

Clive Robinson June 18, 2021 10:49 PM

@ JonKnowsNothing, Jon, ALL,

These Go-No-Where-Tick-boxes are not bugs, they are features and have been deliberately designed into the relevant systems.

I’ve been told, but have not seen confirmation, that some of these systems are actually designed not to slow things down but to stick Robo-debt and similar systems onto people as though they are actually claiming the benefit and then “claw back” even though no payments have been made.

The unfortunate gets all the court costs and interest payments stuck on them, followed up by arrest warrants, bailiff/repo fees etc. If and when they do prove their side they are specifically barred from claiming costs, legal fees and any interest on any money extorted out of them… Worse, if they do pay anything it is automatically used as a sign of guilt… Oh, and if they kill themselves or die, the actions continue against any assets in their estate…

So actually a “profit center activity” for some entities.

Fines / auctioning of assets are cheap and easy income compared to getting tax out of people who are not earning…

SpaceLifeForm June 19, 2021 3:00 PM

@ Clive

Then take the battery out or put them in a tin box?

Yes, if not being used for signal quality monitoring or other purposes.

I’m aware that a cell modem transmits signal even sans SIM.

Just as a WIFI capable printer can and/or does.

It’s amazing how many printers are visible if one does a bit of war-driving.

Obvious printers based upon SSID.

Jon June 19, 2021 10:12 PM

Hi @Clive Robinson, @JonKnowsNothing, et al.

@ Jon,

What makes you think the Chinese phones actually change the ID

Oh that’s fairly easy to check with an SDR “cell sight [site?] simulator” you can build for not very much money.

What you’ve missed there is that they didn’t change the old ID – they just put in a new one next to it, and use that one until “properly” queried. When asked using just the right question, perhaps they’ll cheerfully fess up all their previous IDs… That’s not changing, even if it’ll look like it on spyboxen.

I’d like to see some citations on the actual misuse of ‘tickboxes that do nothing’. But it’s so trivial to imagine (and execute), it’s very difficult to believe that someone hasn’t.

Some tickboxes that when ticked (or unticked) miraculously change back to the default* state when there’s a software upgrade are quite well-documented, from Microsoft on down.

J.

* The state it seems the software producer would prefer it remain in.

PS – Incidentally, a few years back I was renewing a government ticket and the examiner had a set of screens of questions that I was supposed to answer, but they were all pre-checked with the “right” (??) answer and she flew through those screens so fast I hadn’t a prayer of reading them. I paid my fee to the contractor, and the ticket got renewed. Next!!

Clive Robinson June 20, 2021 11:42 AM

@ Jon,

What you’ve missed there is that they didn’t change the old ID – they just put in a new one next to it,

Are you just “thinking that” or do you have a valid reference for it?

Jon June 20, 2021 4:36 PM

@ Clive Robinson

I have no evidence at all. But it would be trivially easy to do and near-impossible to detect, and since this part of this discussion was all about “Why you shouldn’t trust your software”, I think it’s a valid concern. J.

Stefan Krastanov July 15, 2021 8:48 AM

Bulgaria is in the EU and NATO and is a democratic country. The implication that a court order or investigation from another EU/NATO member would be just disregarded is rather weird (or maybe innocently ignorant?)
