by thothamon 2437 days ago
While it's true that your VPN provider _may_ be lying about their "no logging" policy, at a minimum, you get additional layers of protection. Your source IP is masked. A subpoena would be required to reveal your source IP, and perhaps your VPN provider is telling the truth about not keeping logs. If your VPN endpoint is in a different country than your network endpoint, then the legal obstacles get even higher.

Surely you shouldn't depend on that alone. Tor would be a wise additional layer of protection, if applicable. But to suggest that you get no privacy benefit at all from a VPN is like saying your host may be compromised, so you might as well use regular telnet rather than SSH.

9 comments

Yeah, I hate extreme opinions that say not to do something just because it's not 100% effective. It's like saying don't bother using a lock because all locks can be picked and cut anyway.
I consulted to an organisation that spent multiple years refusing to allow any form of MFA.

Everyone agreed it was extremely important and some password protected data was very sensitive. But the conversation about authenticator apps always got bogged down with risks about malware on phones. I would get asked "will you stake your career on it never happening?" Of course not. Therefore "for security reasons" we never supported authenticator apps. Of course it was pointed out that people might lose hardware tokens, so they didn't happen either. Because mobile MFA isn't perfect, I had directives to stick with easily phished passwords for years.

> I would get asked "will you stake your career on it never happening?" Of course not.

"Let's make a bet over whether a customer reports an authenticator app gets hacked before a customer's account without an authenticator is broken into. If the authenticator app is hacked first, I'll resign. If an account with no 2FA is compromised, you resign."

This is probably just meant to be a joke, but I have been in that situation before and I don't think offering to gamble away your job would be an effective way to convince others to accept your advice on risk management. I still don't know how to effectively convince others to take on new risks in order to avoid bigger risks presented by the status quo. Given the additional risk that my risk assessment is deficient, doing nothing is usually the easier decision.

> I still don't know how to effectively convince others to take on new risks in order to avoid bigger risks presented by the status quo.

I think you just need to be talking to someone who can understand the risks you convey, has the responsibility for both risks and the authority to effect the necessary change.

IME that's straightforward in most small companies and in large government departments it's rarely one person but multiple committees of people who you'd never be able to explain the risks to and who won't make a decision.

Feel my pain?!

It's meant to be talking trash online, so you're right to take it with a grain of salt.

But I'll stand behind the view that when ideas are being shot down with challenges like "would you stake your career on this" then a bull-headed approach is worth a try.

> I don't think offering to gamble away your job would be an effective way to convince others to accept your advice on risk management.

It won't persuade technically minded people, but it tells decision makers that you're confident, and offers them a measure of accountability.

> I would get asked "will you stake your career on it never happening?"

Was anyone being asked to stake their career on all the existing security practices? I've worked on a couple of projects with politics similar to what you described, yet they had encrypted (unsalted, decryptable) passwords in a database, and only about 3 tech people seemed to understand the implications of that.

Who was staking their career on that?

> Who was staking their career on that?

Potentially - everyone who worked there, including you. :/

That's implying there are consequences for dire mistakes, which I don't think has been demonstrated so far. In fact, I'd almost say there are barely any consequences at all.
The author is a bit opinionated to say the least. He's also on a crusade against JSON web tokens and MongoDB.

[0] http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-fo...

[1] http://cryto.net/~joepie91/blog/2015/07/19/why-you-should-ne...

He's not wrong about either of those.
Hmm... so he's right on 1/3 issues.
JWT is fine when implemented properly for the types of use cases it was intended for. Which in 2019 is the vast majority of libraries available.
And, to be clear, using them for sessions is not one of those intended use cases, as joepie91 is arguing in that article. Using an actual server-side solution is easier and safer.

For posterity, here's the second part to his crusade: http://cryto.net/~joepie91/blog/2016/06/19/stop-using-jwt-fo...

2/3.
What's wrong with MongoDB?
Mongo is the wrong choice for a solid 75% of the places it's used. In the vast majority of cases, it was brought in to replace a relational db because developers thought it would be faster to not have a schema / constraints / relationships, etc. It usually lets you develop faster, at the cost of blowing up in your face a few months/years down the line, when you have to rebuild your app to use a real database because your devs remembered why relational dbs are useful in the first place.

Mongo is a document store, not a relational db. Mongo is a good choice if you're looking to replace ElasticSearch, not if you're looking to replace MySQL.

Nowadays not much, but it used to be overrated and had serious reliability problems.

Your startup probably doesn't need Big Data (TM). Just use a relational database like Postgres and learn a bit of SQL. IIRC, Postgres outperformed Mongo at JSON processing, which was supposed to be one of the stronger points of MongoDB.

Indeed. This fallacy has a name ("perfect solution") and seems more and more ubiquitous to me.

https://en.wikipedia.org/wiki/Nirvana_fallacy#Perfect_soluti...

Simplest yet best analogy ever for this. Thanks for bringing some sense to this.
That is exactly why I don't use a lock on my house. Obviously, I can't keep any stuff in my house - my belongings are strategically buried around the tri-state area, it takes me about three hours to dig up my clothes every morning - but the peace of mind is definitely worth it.

Sure, I went on holiday to Jacksonville - thought I would take in some culture - and the copper was stripped out of my house. But they can only rob you once ;) I go number two in a field a few miles out of town now...total peace of mind.

Don't use condoms: they can break!
Your reasoning assumes that a VPN couldn't hurt, but it can. If someone wants to track you and you don't have a VPN, they need to compromise your ISP. If you do have a VPN, they need to compromise your ISP or your VPN.
Am I not understanding your argument?

> they need to compromise your ISP or your VPN

Part of the point of a third-party VPN is that the ISP/router can't tell what you're doing -- you assume that they're untrustworthy. Compromising the ISP would be useless, unless your VPN is for some reason sharing the same info with your router, in which case... install a competent VPN client.

I don't see how you're adding an additional failure point, you're just moving the same failure point somewhere else.

Yes, once the VPN endpoint makes the request, an ISP can still intercept it. But this is one of the few cases where adding an additional network hop very likely does not matter at all for your privacy. Once your request is going over the open Internet there are already so many opportunities for people to spy on it. The benefit is in disassociating that request from you, not in hiding it once it goes public.

The confidentiality protection is not really absolute - the encrypted VPN traffic is susceptible to traffic analysis[1]. For example, your traffic pattern fingerprint could be correlated and matched to your online identity if your ISP and an ad network or another globally positioned middleman actor colluded on it.

[1] A term of art in intelligence & cryptanalysis, https://en.wikipedia.org/wiki/Traffic_analysis

Respectfully, unless your adversary is the NSA, and they are targeting you, your argument is full of shit.
Why do you think it would be unworkable for a corrupt ad network in cahoots with your corrupt ISP to correlate your web requests based on time, length and previously seen traffic from the VPN IP?
Because it is way too much effort with questionable return on investment.
No, they need to compromise your ISP and your VPN -- that's the whole value. With a VPN, your ISP doesn't see your traffic anymore, they just see you connecting to your VPN provider. Meanwhile your VPN provider can see the site you're connecting to, but they can't tell who you are, just "someone in ISP X's IP range".
> A subpoena would be required to reveal your source IP, and perhaps your VPN provider is telling the truth about not keeping logs.

Not to mention the legal trouble for an LEO to be granted a subpoena in a different country. By the obstacle of "a different legal system protects this part of my data chain" alone a VPN is worth it.

Say you use a Russian VPN provider. Sure, they can see that you're connecting to whatever site, but the actual data is protected end-to-end by TLS (hopefully). Meanwhile your local ISP can see you're connecting to something in Russia, full stop. For someone to track you down, they'd have to get the compliance of both your ISP and your Russian friends... AFAIK, there are exactly zero cases on record where this has been successfully done.

This. If we always assume the worst, we may as well stop using passwords or strong ones anyway, because we can assume that our machines per definition are hacked and local network infiltrated. Not happening, right? That’s what I thought...
If you were running a VPN service would you rather: a. Pay for legal counsel and fight court orders for someone paying $10/mo or b. Just give up all info?
For someone paying $10/mo? No. For the trust of my thousands of customers paying $10/mo and to keep my public reputation afloat? Hell yes. A VPN service that hands over customer information constantly will very quickly go out of business.
As mentioned in the article, HideMyAss gave up customer info in 2012 and is still in business today.
Exactly, PIA did that twice and I know quite a few people who use them because they've proven they don't keep logs in court.
How would anyone know?
> A subpoena would be required to reveal your source IP, and perhaps your VPN provider is telling the truth about not keeping logs.

I doubt this is necessarily true in the US due to the 3rd party doctrine (which I abhor). I think they may refuse and request a subpoena, though. But, nothing stopping a company (generally) from handing over your data if asked for. Maybe T.O.S?

Well in America, we have National Security Letters, which are a legal cluster fuck on their own.
Yes, exactly! I use VPN exclusively for downloading movie torrents so I don't get nasty letters from my ISP. I have a friend who has gotten several such letters.
They _were_ also not disclosing that they were hacked last year.

https://web.archive.org/web/20180504001844/https://8ch.net/b...

Yes, people would rather give their entire packet to a hacker than five eyes, wouldn’t they?

NordVPN, according to this leak https://web.archive.org/web/20190603203749/https://ghostbin....

was logging client connections as recently as 2018 despite claiming they do not log https://nordvpn.com/features/strict-no-logs-policy/

see openssl/server.cfg it should contain special lines to disable logging https://www.lowendtalk.com/discussion/107379/how-to-disable-...

But the article points out that your IP address is irrelevant in tracking these days.
It's not for legal repercussions, though. If you were engaging in file sharing, your IP is pretty much all that matters.

The article is just wrong the way it is. It would be correct if it was titled "Don't use VPN Services as your only means to ensure perfect privacy".

It's not. I know of several instances where IP is at least used as a filter. Esp. the combination of user agent and IP requires no JS and can help you to track users across domains easily for small to medium sized websites.
Yes, if it is available it can be used.

The point of the assertion is that you can be tracked even if your IP address is obscured, mangled, or spindled.