Data brokers sell access to the backbone of the internet
vice.com
What blows my mind is the number of people signing up for these "VPN" services thinking it's secure. Time and time again we've found that they are logging and if they aren't it's logged at the flow point (as linked in this article).
I'm fine with VPN to evade restrictions or whatever purpose you want, but stop pretending it's all that different.
I can say though for a fact that a few of the largest security companies have been paying for strategic access to netflow in the US for years. The reality is there are good arguments pro and against, and that doesn't even account for any "netflow" visibility US and foreign agencies may have.
We really have to determine what we want to be standard for privacy and what advancements we're willing to give up in exchange.
Is anyone actually pretending it’s different?
Most people I talk to buy VPN services to avoid legal threats from pirated movies or to avoid traffic surveillance from their local ISP / workplace / institution.
I’ve never heard someone describe it like a hard-to-deanonymize Tor node or anything.
Lots of services are advertised that way. It's probably half the ads I encounter on YouTube.
Hmm, I block all ads at the network level so maybe I’m just out of the loop on this topic.
Also to prevent people on your local network from snooping on your traffic and stealing credentials and other sensitive data that might be passed over the wire. I once had my AWS API keys compromised this way. It was a pain to resolve that situation. I'm a lot more careful now.
> I once had my AWS API keys compromised this way.
Presumably you were copying them over the network unencrypted?
I've held the same opinion for a long time, but this news gave me pause. Why would it be worth paying for data that can trace VPN traffic if they weren't doing _something_?
Power, paranoia, crime, curiosity.
Power: Businesses are run by humans, who do not merely optimize discounted cashflows. Some humans enjoy wielding power, and frequently do so in an antisocial manner. See e.g. the Stanford Prison Experiment.
Paranoia: Royalty have always been paranoid. Much has been written about the intelligence operations of paranoid merchants in Renaissance Venice. You should think of huge private entities like Koch Industries and Bloomberg as kingdoms. Maybe security teams want to see threats, which increases their importance to the organization.
Crime: Theft, manipulation, subversion. Companies do crime all the time, and are rarely held to account. There are indirect indicators that this type of conduct is becoming more common.
Curiosity: According to Snowden, even cleared NSA employees who pass a polygraph and invasive FBI background check abuse their access to personal data out of curiosity. This is probably a human invariant.
This is nothing new in terms of technology; ISPs have a legitimate reason to want to analyze traffic in that context. There is a fairly competitive market for software that ties it all together with DNS monitoring and metadata done through internet scans (Kentik, Deepfield).
The fact that ISPs are monetizing it and letting this data out of their control is utterly terrifying, and in the United States, specifically permitted by law.
Why is it not illegal to sell this type of data everywhere?
"The information, known as netflow data, is a useful tool for digital investigators. They can use it to identify servers being used by hackers, or to follow data as it is stolen."
Doesn't look like they're selling 'atok1 loves to browse hacker news' type data.
We saw the same pattern with phone location data. ISPs are selling the data in bulk ("don't worry, they're not selling your data, they're selling everyone's data!") to "responsible" companies who then re-sell the ability to data-mine specific IPs. The result is that, yes, people in the know can pay to find out whether atok1 loves to browse hacker news.
Even if that may be the case, on the surface, we have no control over what is done using secret agreements and decisions.
But that’s like saying it’s ok for banks to sell everyone’s bank account transactions because it’ll catch those pesky criminals when they make a transaction.
Why should everyone be surveilled for catching the minority who do the wrong thing? It’s not about whether anyone cares about atok1’s data specifically right now.
> But that’s like saying it’s ok for banks to sell everyone’s bank account transactions because it’ll catch those pesky criminals when they make a transaction.
You're right, it's not okay. But it's totally okay (and mandatory) to send certain transaction information to the state (i.e. FinCEN).
Can I have your netflow data?
Yes, I have no issue with that.
That’s exactly the kind of data they are selling.
Can someone explain to me why anyone would use a consumer VPN versus SSH tunneling through to a nation with secure data privacy laws if you know what you're doing, other than convenience or the number of countries you can connect to for Netflix purposes maybe?
Possibly because the former option is advertised constantly and most people aren't aware of the latter.
VPN services are cheaper than a VPS and most people just want to pirate movies without getting legal threats or to avoid region locking.
Are they? I can lease a VPS for under $12 a year. I don’t know of a VPN service that cheap unless it’s free and has limitations.
That would have lower bandwidth, no easy way to switch countries, and your server IP is completely static and identifiable (worse privacy). And it's more likely to be a datacenter IP which is blocked.
Yeah, the availability of countries and switching between several IP addresses is the only thing that I can think of.
That cheap? Where?
The offerings on lowendtalk.com, e.g. https://www.lowendtalk.com/discussion/173484/guess-whos-back...
Because good luck getting the average person to know what SSH is, much less how to use it.
What's the next step to protect against traffic analysis? Are there any VPN providers that provide stochastic masking to defeat traffic analysis? Is TOR working on mitigations? A quick search turns up https://blog.torproject.org/new-low-cost-traffic-analysis-at..., which discusses the use of fixed-size padding in TOR protocol headers, but it's mostly focused on traffic analysis using then-commercially available data sources (for example, Real Time Bidding logs & DNS queries), and considers full netflow data a "high-effort" attack available only to "intelligence agencies". It seems like this may need to be reassessed.
EDIT: looks like this is addressed to some extent in the FAQ for Tor https://2019.www.torproject.org/docs/faq.html.en#SendPadding.
I'm still not sure how this compromises VPN use. The ISP routes the connection, so of course they can see when I use my VPN. From there I would assume the VPN works as a mixer and handles multiple connections through the same exit point, so you couldn't tell my traffic from another user's. Is that not the case?
An adversary who can see your VPN traffic can use traffic analysis [1] to correlate known protocol packet patterns and timestamps to netflow traces to known destinations serving known content with matching timestamps from VPN termination points.
Would this still be an effective attack if you used a single VPN provider with multiple hops and your adversary was not someone like a nation state? Alternatively, what if you did basic VPN chaining (e.g. you VPN to a pfSense instance or something on a VPS and configure outbound traffic on that server to be routed through a commercial VPN)?
Don't know about multiple hops, but generally you don't need to be the NSA to do this. BGP hacks can be used to divert traffic, your WLAN can be monitored for TA, your adversary might already be someone on-path like your ISP, employer, or law enforcement, your ISP (or any upstream transit provider, including ones in different countries) can be bribed to monitor and sell traffic traces sufficient for TA, etc.
The adversary doesn't have to be a nation state, they can just buy the netflow data to run correlation attacks on it.
I’m wondering the same thing. The only thing I can think of is being able to correlate times, ports, and traffic volume from some origin, to some VPN node, then look for near identical data coming from that node to an ISP, and then on down the chain to identify the victi-err, I mean “person” accused of being a bad actor.
So I wonder: would the copyright nazis be able to use this kind of data corollary in court against an accused defendant? If the offense is civil I could see it being admissible since the burden of proof is lower (just has to be “fairly likely” AFAIK, but IANAL) than in criminal court. Though I don’t know if copyright infringement is a civil or criminal charge, and that may depend on state.
Still, at best they could only match up pieces of the chain to dates, times and data sizes, not see the actual data being transmitted over that connection (broken/weak crypto notwithstanding). But that might be enough to further persecute fair use, not to mention other very dark stuff.
> I’m wondering the same thing. The only thing I can think of is being able to correlate times, ports, and traffic volume from some origin, to some VPN node, then look for near identical data coming from that node to an ISP, and then on down the chain to identify the victi-err, I mean “person” accused of being a bad actor.
Exactly that. As with Tor, if you can observe the entry and exit flows you can deanonymize the traffic.
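An added illustration of the entry/exit correlation described in the comments above, and of the constant-rate padding raised earlier in the thread as a mitigation (this is not code from the thread or the article). It uses constructed per-second byte counts for five hypothetical users sharing one VPN exit; all names, rates and jitter values are assumptions.

```python
import random
from statistics import mean

def pearson(a, b):
    """Pearson correlation of two equal-length series; 0.0 if either is flat."""
    ma, mb = mean(a), mean(b)
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return 0.0 if va == 0 or vb == 0 else cov / (va * vb) ** 0.5

def bursty(rng, seconds=120):
    """Constructed per-second byte counts: idle most of the time, random bursts."""
    return [rng.randint(20_000, 200_000) if rng.random() < 0.25 else 0
            for _ in range(seconds)]

def tunnelled(series, rng, overhead=1.05, jitter=0.02):
    """Same traffic seen on the encrypted leg: payload hidden, volume shape kept."""
    return [int(b * overhead * (1 + rng.uniform(-jitter, jitter))) for b in series]

def padded(series, rate=250_000):
    """Constant-rate cover traffic: every interval carries exactly `rate` bytes."""
    assert max(series) <= rate, "rate must cover the peak"
    return [rate] * len(series)

def scores(entry, exits):
    """Correlate one entry-side series against every exit-side series."""
    return {name: round(pearson(entry, s), 3) for name, s in exits.items()}

def demo(seed=1):
    rng = random.Random(seed)
    # Exit side (VPN node -> destinations): five users sharing one exit IP.
    exits = {f"user{i}": bursty(rng) for i in range(5)}
    # Entry side (user3 -> VPN node), as flow records at the user's ISP would show it.
    entry = tunnelled(exits["user3"], rng)
    plain = scores(entry, exits)
    with_padding = scores(padded(entry), exits)
    return plain, with_padding

if __name__ == "__main__":
    plain, with_padding = demo()
    print("no padding:  ", plain)
    print("with padding:", with_padding)
```

Without padding the entry series lines up with exactly one exit series despite the shared exit IP; with a flat entry link every score collapses to zero, at the cost of sending the full rate all the time.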
Worldwide governments are starting to seek backdoors/monitoring into everything.
It's only a matter of time before either hardware or OS creators are all compelled.
Link to original article: https://www.vice.com/en/article/jg84yy/data-brokers-netflow-...
Is there actually any contract here? Is there even an implied contract or obligations to privacy? I'm pretty sure that it's different for transit compared to edge.
Could this be used to de-anonymize Tor users?