[HN Gopher] Data brokers sell access to the backbone of the inte...
___________________________________________________________________
Data brokers sell access to the backbone of the internet
Author : mattei
Score : 92 points
Date : 2021-08-25 11:30 UTC (11 hours ago)
(HTM) web link (www.vice.com)
(TXT) w3m dump (www.vice.com)
| andrewmcwatters wrote:
| Can someone explain to me why anyone would use a consumer VPN
| versus SSH tunneling through to a nation with secure data privacy
| laws if you know what you're doing, other than convenience or the
| number of countries you can connect to for Netflix purposes
| maybe?
| tdeck wrote:
| Possibly because the former option is advertised constantly and
| most people aren't aware of the latter.
| relax88 wrote:
| VPN services are cheaper than a VPS and most people just want
| to pirate movies without getting legal threats or to avoid
| region locking.
| andrewmcwatters wrote:
| Are they? I can lease a VPS for under $12 a year. I don't
| know of a VPN service that cheap unless it's free and has
| limitations.
| mishafb wrote:
| That would have lower bandwidth, no easy way to switch
| countries, and your server IP is completely static and
| identifiable (worse privacy). And it's more likely to be a
| datacenter IP which is blocked.
| is_true wrote:
| that cheap? where?
| gruez wrote:
| The offerings on lowendtalk.com eg.
| https://www.lowendtalk.com/discussion/173484/guess-whos-
| back...
| ggm wrote:
| Is there actually any contract here? Is there even an implied
| contract or obligations to privacy? I'm pretty sure that it's
| different for transit compared to edge.
| ganoushoreilly wrote:
| What blows my mind is the number of people signing up for these
| "VPN" services thinking it's secure. Time and time again we've
| found that they are logging and if they aren't it's logged at the
| flow point (as linked in this article).
|
| I'm fine with VPN to evade restrictions or whatever purpose you
| want, but stop pretending it's all that different.
|
| I can say though for a fact that a few of the largest security
| companies have been paying for strategic access to netflow in the
| us for years. The reality is there are good arguments pro and
| against.. and that doesn't even account for any "netflow"
| visibility US and Foreign Agencies may have.
|
| We really have to determine what we want to be standard for
| privacy and what advancements we're willing to give up in
| exchange.
| nisegami wrote:
| I've held the same opinion for a long time, but this news gave
| me pause. Why would it be worth paying for data that can trace
| VPN traffic if they weren't doing _something_?
| hnthrowtier1 wrote:
| Power, paranoia, crime, curiosity.
|
| Power: Businesses are run by humans, who do not merely
| optimize discounted cashflows. Some humans enjoy wielding
| power, and frequently do so in an antisocial manner. See eg
| Stanford Prison Experiment.
|
| Paranoia: Royalty have always been paranoid. Much has been
| written about the intelligence operations of paranoid
| merchants in Renaissance Venice. You should think of huge
| private entities like Koch Industries and Bloomberg as
| kingdoms. Maybe security teams _want_ to see threats, which
| increases their importance to the organization.
|
| Crime: Theft, manipulation, subversion. Companies do crime
| all the time, and are rarely held to account. There are
| indirect indicators that this type of conduct is becoming
| more common.
|
| Curiosity: According to Snowden, even cleared NSA employees
| who pass a polygraph and invasive FBI background check abuse
| their access to personal data out of curiosity. This is
| probably a human invariant.
| relax88 wrote:
| Is anyone actually pretending it's different?
|
| Most people I talk to buy VPN services to avoid legal threats
| from pirated movies or to avoid traffic surveillance from their
| local ISP / workplace / institution.
|
| I've never heard someone describe it like a hard-to-deanonymize
| tor node or anything.
| yosito wrote:
| Also to prevent people on your local network from snooping on
| your traffic and stealing credentials and other sensitive
| data that might be passed over the wire. I once had my AWS
| API keys compromised this way. It was a pain to resolve that
| situation. I'm a lot more careful now.
| eloff wrote:
| Lots of services are advertised that way. It's probably half
| the ads I encounter on YouTube.
| tsjq wrote:
| link to original article
| https://www.vice.com/en/article/jg84yy/data-brokers-netflow-...
| Cycl0ps wrote:
| I'm still not sure how this compromises VPN use. ISP routes the
| connection so of course they can see when I use my VPN. From
| there I would assume the VPN works as a mixer and handles
| multiple connections through the same exit point, so you couldn't
| tell my traffic from another users. Is that not the case?
| fulafel wrote:
| An adversary who can see your vpn traffic can use traffic
| analysis [1] to correlate known protocol packet patterns and
| timestamps to netflow traces to known destinations serving
| known content with matching timestamps from vpn termination
| points.
|
| [1] https://en.m.wikipedia.org/wiki/Traffic_analysis
| OminousWeapons wrote:
| Would this still be an effective attack if you used a single
| VPN provider with multiple hops and your adversary was not
| someone like a nation state? Alternatively, what if you did
| basic VPN chaining (e.g. you vpn to a pfsense instance or
| something on a VPS and configure outbound traffic on that
| server to be routed through a commercial VPN)?
| MrWiffles wrote:
| I'm wondering the same thing. The only thing I can think of is
| being able to correlate times, ports, and traffic volume from
| some origin, to some VPN node, then look for near identical
| data coming from that node to an ISP, and then on down the
| chain to identify the victi-err, I mean "person" accused of
| being a bad actor.
|
| So I wonder: would the copyright nazis be able to use this kind
| of data corollary in court against an accused defendant? If the
| offense is civil I could see it being admissible since the
| burden of proof is lower (just has to be "fairly likely" AFAIK,
| but IANAL) than in criminal court. Though I don't know if
| copyright infringement is a civil or criminal charge, and trust
| may depend on state.
|
| Still, at best they could only match up pieces of the chain to
| dates, times and data sizes, not see the actual data being
| transmitted over that connection (broken/weak crypto
| notwithstanding). But that might be enough to further persecute
| fair use, not to mention other very dark stuff.
| CarelessExpert wrote:
| > I'm wondering the same thing. The only thing I can think of
| is being able to correlate times, ports, and traffic volume
| from some origin, to some VPN node, then look for near
| identical data coming from that node to an ISP, and then on
| down the chain to identify the victi-err, I mean "person"
| accused of being a bad actor.
|
| Exactly that. As with Tor, if you can observe the entry and
| exit flows you can deanonymize the traffic.
| nightpool wrote:
| What's the next step to protect against traffic analysis? Are
| there any VPN providers that provide stochastic masking to defeat
| traffic analysis? Is TOR working on mitigations? A quick search
| turns up https://blog.torproject.org/new-low-cost-traffic-
| analysis-at..., which discusses the use of fixed-size padding in
| TOR protocol headers, but it's mostly focused on traffic analysis
| using then-commercially available data sources (for example, Real
| Time Bidding logs & DNS queries), and considers full netflow data
| a "high-effort" attack available only to "intelligence agencies".
| It seems like this may need to be reassessed.
|
| EDIT: looks like this is addressed to some extent in the FAQ for
| Tor https://2019.www.torproject.org/docs/faq.html.en#SendPadding.
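The correlation that fulafel, MrWiffles and CarelessExpert describe above, and the padding question nightpool raises, as one added example (not code from the original thread, the article, or any vendor). Two flow exporters see a VPN session: the subscriber's ISP exports the ingress flow (subscriber to VPN server), and the VPN server's transit provider exports the egress flow (VPN server to destination). Neither sees payload; both record start/end timestamps and byte counts, which is what netflow carries. The block scores each ingress flow against every egress flow by time overlap and by whether the byte counts differ by a plausible tunnel overhead, then shows that constant-rate cover traffic collapses every subscriber's ingress flow to the same signature. The addresses (RFC 5737 documentation ranges), the 15% overhead band, the score threshold and margin, and the shaping rate are all assumptions chosen for the demo; the flow records are constructed sample data. Real exports are often sampled and split long sessions at the exporter's active timeout, which this toy ignores.

```python
"""Flow correlation against netflow-style metadata (constructed example).

Ingress: subscriber -> VPN server, as the subscriber's ISP exports it.
Egress:  VPN server -> destination, as the VPN's transit provider exports it.
Matching the two sides by time overlap and byte volume is the attack;
constant-rate cover traffic is the mitigation shown at the end.
"""
from __future__ import annotations
from dataclasses import dataclass, replace
from typing import Iterable, Optional


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    start: float  # flow start, seconds on the exporter's clock
    end: float    # flow end, seconds
    nbytes: int   # bytes counted by the exporter (no payload is kept)


VPN = "203.0.113.10"  # assumed VPN server address (RFC 5737 range)

# Constructed ingress flows, three subscribers of one ISP sharing the VPN.
INGRESS = [
    Flow("198.51.100.5", VPN, 100.0, 130.0, 52_000),
    Flow("198.51.100.6", VPN, 101.0, 104.0, 8_300),
    Flow("198.51.100.7", VPN, 103.0, 160.0, 410_000),
]
# Constructed egress flows from the VPN server. Tunnel headers are stripped
# on the way out, so each is a few percent smaller than its ingress twin.
EGRESS = [
    Flow(VPN, "192.0.2.20", 100.2, 129.8, 50_000),
    Flow(VPN, "192.0.2.30", 101.1, 103.9, 8_000),
    Flow(VPN, "192.0.2.40", 103.3, 159.7, 395_000),
]


def interval_jaccard(a: Flow, b: Flow) -> float:
    """Temporal overlap: intersection / union of the two flows' lifetimes."""
    inter = max(0.0, min(a.end, b.end) - max(a.start, b.start))
    union = max(a.end, b.end) - min(a.start, b.start)
    return inter / union if union > 0 else 0.0


def volume_score(ingress: Flow, egress: Flow, max_overhead: float = 0.15) -> float:
    """1.0 when ingress exceeds egress by a plausible tunnel overhead
    (0..max_overhead), decaying linearly to 0 outside that band."""
    if egress.nbytes == 0:
        return 0.0
    overhead = ingress.nbytes / egress.nbytes - 1.0
    if 0.0 <= overhead <= max_overhead:
        return 1.0
    dist = -overhead if overhead < 0 else overhead - max_overhead
    return max(0.0, 1.0 - dist / max_overhead)


def correlate(ingress: Flow, egress: Iterable[Flow],
              threshold: float = 0.6, margin: float = 0.2) -> Optional[str]:
    """Destination most plausibly reached by this ingress flow, or None when
    nothing scores above the threshold or the top two candidates are too
    close to separate (report ambiguity rather than guess)."""
    scored = sorted(((interval_jaccard(ingress, e) * volume_score(ingress, e), e)
                     for e in egress), key=lambda t: t[0], reverse=True)
    if not scored or scored[0][0] < threshold:
        return None
    if len(scored) > 1 and scored[0][0] - scored[1][0] < margin:
        return None
    return scored[0][1].dst


def constant_rate_shape(flows: Iterable[Flow], start: float, end: float,
                        rate_bps: int) -> list[Flow]:
    """Mitigation: the client sends fixed-size cells at a constant rate for a
    fixed window regardless of demand, so every subscriber's ingress flow
    carries identical timestamps and byte count (assumed shaping model)."""
    nbytes = int((end - start) * rate_bps / 8)
    return [replace(f, start=start, end=end, nbytes=nbytes) for f in flows]


def ingress_signatures(flows: Iterable[Flow]) -> set[tuple[float, float, int]]:
    """The (start, end, bytes) triples an observer can use to tell flows apart."""
    return {(f.start, f.end, f.nbytes) for f in flows}


if __name__ == "__main__":
    for f in INGRESS:
        print(f"{f.src} -> {correlate(f, EGRESS)}")
    shaped = constant_rate_shape(INGRESS, 100.0, 160.0, rate_bps=800_000)
    print("distinct ingress signatures after shaping:", len(ingress_signatures(shaped)))
    for f in shaped:
        print(f"{f.src} -> {correlate(f, EGRESS)}")
```

On the unpadded flows each subscriber is linked to one destination; after shaping, all three ingress flows share one (start, end, bytes) signature and the byte counts no longer relate to any egress flow, so the scorer returns None for every subscriber. Shaping costs bandwidth proportional to the cover rate times the window, which is why commercial VPNs do not do it by default, and it only helps if the exit side is also padded or shared by enough users that a single egress flow cannot be pinned to one padded ingress flow.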
| SevenSigs wrote:
| Could this be used to de-anonymize Tor users?
| 0x0A1B2C wrote:
| This is nothing new in terms of technology, ISPs have a
| legitimate reason to want to analyze traffic in that context.
| There is a fairly competitive market for software that ties it
| all together with DNS monitoring and metadata done through
| internet scans (Kentik, Deepfield).
|
| The fact that ISPs are monetizing it and letting this data out of
| their control is utterly terrifying, and in the United States,
| specifically permitted by law.
| villgax wrote:
| Worldwide governments are starting to seek backdoors/monitoring
| into everything.
|
| It's only a matter of time before either hardware or OS creators
| are all compelled.
| atok1 wrote:
| Why is it not illegal to sell this type of data everywhere?
| missedthecue wrote:
| " _The information, known as netflow data, is a useful tool for
| digital investigators. They can use it to identify servers
| being used by hackers, or to follow data as it is stolen._ "
|
| Doesn't look like they're selling 'atok1 loves to browse hacker
| news' type data.
| atok1 wrote:
| Even if that may be the case, on the surface, we have no
| control over what is done using secret agreements and
| decisions.
| wmf wrote:
| We saw the same pattern with phone location data. ISPs are
| selling the data in bulk ("don't worry, they're not selling
| your data, they're selling everyone's data!") to
| "responsible" companies who then re-sell the ability to data-
| mine specific IPs. The result is that, yes, people in the
| know can pay to find out whether atok1 loves to browse hacker
| news.
| sixothree wrote:
| Can I have your netflow data?
| ssss11 wrote:
| But that's like saying it's ok for banks to sell everyone's
| bank account transactions because it'll catch those pesky
| criminals when they make a transaction.
|
| Why should everyone be surveilled for catching the minority
| who do the wrong thing. It's not about whether anyone cares
| about atok1's data specifically right now.
| gruez wrote:
| >But that's like saying it's ok for banks to sell
| everyone's bank account transactions because it'll catch
| those pesky criminals when they make a transaction.
|
| You're right, it's not okay. But it's totally okay (and
| _mandatory_ ) to send certain transaction information to
| the state (ie. FinCEN).
| ryanlol wrote:
| That's exactly the kind of data they are selling.
| bsedlm wrote:
| > Why is it not illegal to sell this type of data everywhere?
|
| I have a feeling it doesn't matter whether trading this data is
| illegal.
|
| After all illegal drugs are still traded quite a lot.
___________________________________________________________________
(page generated 2021-08-25 23:01 UTC)