> The attacker gained access to the server — which had been active for about a month — by exploiting an insecure remote management system left by the datacenter provider, which NordVPN said it was unaware that such a system existed.
This screams for clarification and I'd love for someone more knowledgeable in the area to elaborate on it. Is this common practice for data-center providers? Do I now not only have to worry about my own infrastructure security but also worry that my IaaS provider hasn't installed some backdoor to my servers?
I work for a web hosting company in the US and at least in our case, it's quite common for remote management to be enabled on pretty much all of our dedicated hardware. However, because of the inherent dangers in opening this up to the public internet, unless explicitly requested by the customer (or Managed Colocation), the NIC used for Dell iDRAC or HP iLO is on an isolated network unique to the physical datacenter. Remote access for our techs is managed through a secured bridge that requires all sorts of security hoops on our company intranet, and remote access for general internet traffic is not available due to the firewall restrictions. While it's plausible for remote access to be gained this way, it is extremely unlikely and would require several exploits at different points along the path.
I cannot speak for the industry as a whole, but remote management systems like this are bound to be common; any large enough physical datacenter is going to need a more efficient way to access a misbehaving system than sending a tech physically running to the box to plug in a keyboard and mouse. It should be extremely uncommon to have these management interfaces open to the public though, and I'll bet that's what NordVPN is surprised by. Generally these systems should be private and isolated due to the power that an attacker can wield through them.
IPMI does not have to be open to the internet to be open to a wide audience. Many of these out of band management interfaces are hosted on an internal network, but not isolated by customer.
Cheap datacenters are favored by VPN providers for their unlimited bandwidth and lax abuse policies.
Many of them allow access to IPMI only over a VPN, but do not isolate each customer’s IPMI to a customer VLAN. I personally know at least three large budget datacenters which allow all customers access to each others’ “private” IPMI IP addresses.
Maybe it wasn't open to the public Internet, but the VPN exit is inside the datacenter and connects out to the public Internet. Is it feasible that NordVPN provided their customers with a secure tunnel into their own datacenter's management software?
User root, password calvin. That's the default. And, if I had a dime for every time I've seen one of these in a data center, I'd be a rich man. I have literally begged sys admins to change the default password, but they say, "Why... we're behind a firewall using RFC 1918 addresses. No one can get to these." The rest, as they say, is history.
Depends on what kind. In the case of iDRAC, yes; but it's weird that it was insecure by default in the first place. Usually credentials are configured and provided to the customer. Makes me think there might have been some other interface. Clarification is definitely needed.
It doesn't make much sense to me; even with iDRAC/some other console access you don't really have access to the OS unless you reboot & go to single-user mode etc., at which point they should be noticing their servers rebooting etc. Would love more info.
Just set up your code as a boot-once config and wait for the owner to reboot their machine. Make your code end by booting the installed OS (or even by just rebooting again, most people will just curse about the damn slow server boot process).
It opens an exploit chain; in a normal circumstance you are correct. In a malicious circumstance, it is always feasible irrespective of the likelihood.
"All servers we provide have the iLO or iDRAC remote access tool, and as a matter of fact this remote access tool has security problems from time to time, as almost all software in the world. We patched this tool as new firmware was released from HP or Dell.
"We have many clients, and some large VPN service providers among them, who take care of their security very strongly. They pay more attention to this than NordVPN, and ask us to put iLO or iDRAC remote-access tool inside private networks or shut down access to this tool until they need it. We bring [iLO or iDRAC] ports up when we get requests from clients, and shut them down when they are done using this tools. NordVPN seems it did not pay more attention to security by themselves, and somehow try to put this on our shoulders."
Of course you have to worry about all of that! When you don't self-host you have to assume whoever you are renting from hires the lowest-paid employees they can get to manage infrastructure for you. That's how they get profitable. You are not outsourcing expertise.
Yes, network KVMs are expected of any co-location center. You want to be able to access the console and the power switches of any real physical server without having to send someone out to the center, and it is a common feature of most high-end data centers.
Even a lot of VM/cloud systems have some kind of virtual management console (Linode has their LISH system that lets you SSH in to console and Vultr/Digital Ocean have similar web based consoles .. AWS surprisingly doesn't. You can get console output but can't send VMs any console input).
Not only should NordVPN have been aware of this hardware KVM, they should have secured it and had version checks on its firmware as an essential part of their security. I could see this oversight with other companies, but not with one whose primary business claims to be security.
> Yes, network KVMs are expected of any co-location center. You want to be able to access the console and the power switches of any real physical server without having to send someone out to the center, and it is a common feature of most high-end data centers.
Power on/off should be done via APIs that issue commands to a PDU, like Atlantic.net started doing in the early 2000s.
And there's nearly zero reason to access "console" - configure your server to always boot off PXE and fall through to disk if that intercept is not needed.
If they're going with a bottom-dollar host, it's possible that the out-of-band server management tools were exposed. It's less likely to be a software backdoor, and more likely to be Supermicro IPMI or other baseboard management controller.
I know that public cloud providers like Rackspace and Azure insert their own accounts and services into cloud servers and VMs mostly under the guise of being able to support said servers and monitor them and their health.
True data centers where you own the hardware shouldn't... they give you an ethernet cord and everything is on you.
Very few people go to "true data centers". Those are very expensive because you are buying power, space, cooling and cross connects. Racking machines, replacing hard drives, building a PXE-boot infrastructure, building a remote access infrastructure that bypasses the customer facing network is expensive and time consuming.
On Supermicro hardware and maybe others, IPMI has a very dangerous default setting: if you're not connecting the dedicated IPMI port to a network (typically some closed network dedicated to management), it will use the first ethernet NIC on the motherboard (sharing it with the host), possibly making it accessible through the internet (with default, insecure credentials adding insult to injury) or at least neighbouring machines.
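The three exposure patterns raised in this thread (a BMC that lands on a routable address, a BMC that ends up on the host's own data subnet because the dedicated port was never cabled, and a "private" management VLAN that several tenants can reach) can all be checked from an inventory before anything is racked. The following is an added example, not code from the thread or from any vendor; the record layout, the RFC 1918-only policy and the inventory values are constructed for illustration.

```python
"""Audit a server inventory for the out-of-band management exposures the
thread describes: a BMC/IPMI address outside RFC 1918 space, a BMC that
sits on the host's own data subnet (the shared-NIC/failover symptom), and a
management VLAN that more than one tenant can reach.

Added example, not code from the thread or any commenter. The record
layout and the inventory values are constructed for illustration.
"""
import ipaddress

# RFC 1918 ranges: in this toy policy every BMC must live inside one of them.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory: one record per physical server.
INVENTORY = [
    {"host": "srv-01", "tenant": "vpn-co",   "host_ip": "203.0.113.10/24",
     "bmc_ip": "10.250.1.10/24",   "bmc_vlan": 250},
    {"host": "srv-02", "tenant": "vpn-co",   "host_ip": "203.0.113.11/24",
     "bmc_ip": "203.0.113.211/24", "bmc_vlan": 113},  # BMC ended up on the data subnet
    {"host": "srv-03", "tenant": "other-co", "host_ip": "198.51.100.5/24",
     "bmc_ip": "10.250.1.20/24",   "bmc_vlan": 250},  # same management VLAN as vpn-co
    {"host": "srv-04", "tenant": "third-co", "host_ip": "198.51.100.9/24",
     "bmc_ip": "192.0.2.40/24",    "bmc_vlan": 2},    # routable address, not RFC 1918
]


def audit(inventory):
    """Return a list of (subject, finding) tuples for the inventory."""
    findings = []
    vlan_tenants = {}
    for rec in inventory:
        host_net = ipaddress.ip_interface(rec["host_ip"]).network
        bmc_ip = ipaddress.ip_interface(rec["bmc_ip"]).ip
        if not any(bmc_ip in net for net in RFC1918):
            findings.append((rec["host"], "bmc_not_rfc1918"))
        if bmc_ip in host_net:
            findings.append((rec["host"], "bmc_shares_host_subnet"))
        vlan_tenants.setdefault(rec["bmc_vlan"], set()).add(rec["tenant"])
    # A management VLAN is only "private" if exactly one tenant is on it.
    for vlan, tenants in sorted(vlan_tenants.items()):
        if len(tenants) > 1:
            findings.append((f"vlan {vlan}",
                             "mgmt_vlan_shared:" + ",".join(sorted(tenants))))
    return findings


if __name__ == "__main__":
    for subject, finding in audit(INVENTORY):
        print(f"{subject}: {finding}")
```

The RFC 1918 check is deliberately stricter than "not on the public internet": a BMC reachable from another tenant's private range is exactly the case the thread says budget datacenters get wrong, which is why the VLAN check is there as well. Feeding the script a real inventory (host address, BMC address, management VLAN per server) is the data-gathering step; the policy constants are the part to adapt.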
Leaving default creds on IPMI/iLO is not uncommon; some providers don't allow internet access, you have to log in on the web console and use a Java applet to access it IIRC. I can't imagine a well-reputed provider exposing IPMI to the internet, but the nature of their business means they have to diversify server and network providers.
Not sure if it is still the case, but a while ago it was standard on OVH servers for them to put some public keys in their root-like user's authorized_keys. I think they used that to perform tasks requested from the web management system.
Most (not all) servers have out-of-band management, of which IPMI is just one of many such solutions.
It's also worth noting that the hack could have been against in-band management if Nord used an OS image provided by the DC hosts. However OOB feels more likely given their description (as vague as it was).
Typically data centers have compliance requirements like SSAE 16, which specifies controls around physical access. Most any major retail data center would have that certification and others.
One presumes that because of NordVPN's business, they're colocating a server or two in very many "POPs", presumably not all of them have tight controls on physical access. It's likely that there are none available in many areas where they seek to maintain a point of presence.
To the person / people downvoting, can you share your ideas for how you can go about providing at-scale management of large estates of physical machines? I've never seen anything else that's both as practical and as affordable as IPMI / iDRAC / iLO systems that ship with servers, that doesn't introduce weird new failure conditions that can impact significantly more than a single host.
If you care less about the pseudo-anonymous-but-not-really shared-IP aspect of using a VPN, and care more about the this-lan-is-sketchy use case, I have had good experiences with Algo [0]. You can just paste in an API key and spin up your own VPN on something like DigitalOcean. And it uses WireGuard!
Whether it grants you any significant anonymity is debatable, but it works well for evading content filters and tunneling your traffic onto a more trustworthy network.
I use sshuttle all the time when working from "restricted" networks (car dealerships, airports, etc.) For some reason, my local Honda dealer has a guest WiFi that restricts outgoing traffic to a small number of ports, and apparently SSH isn't on that list, so I can't push/pull to GitHub. Firing up sshuttle on port 80 punches right through the filter and allows me to do real work while I wait for my oil change.
Shadowsocks is more resistant to censorship from adverse actors (such as the Great Firewall) than OpenVPN.
Outline's user experience is the best I've seen among self-hosted VPN solutions, as it includes apps for both the server and the client. The server app is suitable for use in organizations, and can manage VPN profiles for multiple individuals.
It's an alternative for sure and has specific use cases, but calling Outline a VPN is disingenuous. It's just a Socks proxy with some obfuscation built in.
Came here to post this. I’ve been using streisand for a long time with no problems. I’ve given out logins to a few trusted friends / colleagues and all have had good experiences as far as I know.
Plus I really enjoyed learning about the ins and outs of setting it up. I poke around in the VM just for giggles.
I've done this but have found that most services (Netflix, etc.) recognize DO as a VPN. Does anyone know of a hosting provider that isn't blacklisted but I can still set up WireGuard on?
The problem with this is that jumping out onto the net from a VPS-allocated IP causes all sorts of trouble for "normal" internet use. For example you won't be able to use Netflix doing something like this.
I can see why Netflix would try to block it, but I haven't run into any issues with it myself (OpenIKEd on OpenBSD on a $3.50/mo Vultr server as detailed here: https://www.snazz.xyz/how-to/2019/09/13/vpn.html). A lot of websites seem aggressive towards Tor users, but my VPS IP address was treated the same as my home, work, and LTE addresses. Are there any other documented cases I should be aware of?
Is Algo really 1 ip = 1 user? I always assumed multiple things could be running on one IP since IPv4 is getting scarce, but bare metal networking is not my expertise.
I use Algo for the exact reason you mention ("this lan is sketchy") and have been pleased, but I always assumed even if my traffic was mingling, one (possibly secret) court order would out me since I paid with a CC tied to my real name.
Nothing on this page or on the trailofbits blog article tells me why I should actually use this. Why should I trust DigitalOcean more than <insert VPN provider here>? Especially when it says "Does not claim to provide anonymity or censorship avoidance" - why would I use a VPN if it can't even attempt to provide some measure of anonymity?
I was getting ready to paste the same thing; the command-line instructions make Algo, effectively, a somewhat technical solution, but it really does just work.
And for those who have used various VPN solutions over the years but not Wireguard: it really is pretty magic. It Just Works, with fantastic performance.
What about the data-mining and selling infrastructure of NordVPN, known as Tesonet? Are those intact? Also interesting to know how their legal departments are doing, such as the Panamanian shell and the Lithuanian headquarters.
Thanks for sharing these. I was familiar with the Protonmail business but did not know this all connected to a bigger picture. I never trusted NordVPN... they spent way too much money on advertising and snake oil advertising at that, focusing on meaningless numbers and distractions.
Hopefully you don't have similar news to share about Mullvad...
The thing that scares me here is that these keys were leaked May 2018, and it's becoming public knowledge now.
Someone found certificates for those three VPN providers and posted them to 8chan with a message like "I don't recommend these VPN providers lol"
The good news is that they're only certificates, and they have now expired, but theoretically they could have been used for the past year without anyone noticing.
What this article is missing is that the hackers had root access and had NordVPN's private key for their HTTPS cert for several months in 2018. This went undetected for months and they're only now publicly admitting what happened due to press attention. Their public response seems to be "it's not a big deal guys, mitm is hard".
> The key wasn't set to expire until October 2018, some seven months after the March 2018 breach
Someone is probably going to ask what other HN users recommend as an alternative. Personally, I use Private Internet Access because they're the only provider I've found with a track record of demonstrably not being able to turn your records over to someone asking for them [1].
I've been using Mullvad for a while now and I have nothing but praise for them. Only complaint is they're more expensive than some of their competitors.
If we're offering recommendations, then I'll go ahead and recommend Mullvad. They've got great clients for most common operating systems, good customer support, good performance, lots of servers to choose from, the ability to open ports, etc.
Something I find pretty neat about them from a technical standpoint is their account creation, user authentication, and payment processes. Sign-up literally takes less than a second, so even if you don't plan on using their service, I recommend you try creating an account.
I've been using Private Internet Access (PIA) since 2016 and can also recommend it from a usability point of view. I'm not a security expert so I defer to others on PIA's security.
The claims there have been thoroughly debunked, most recently by Mozilla and the European Commission as part of their due diligence, details here: https://bit.ly/35RDKzB
You're being downvoted because people believe in propaganda being pushed by competitors, but ProtonVPN / ProtonMail are very good options. Plenty of links and reports by Mozilla in this thread will lend credence to that.
ProtonVPN has a large history of being connected to TesoNet, a company providing among other things data mining(!). An extra cherry on top of that is the CEO of TesoNet also being the CEO of CloudVPN, which more or less controls NordVPN.
Now that doesn't mean ProtonVPN is automatically compromised but I feel with stuff like no-log VPNs one should always err on the side of caution.
Don't use Tunnelbear, they're known compromised. Honestly it's hard to beat Mullvad right now but that does make them a hot target, so keep your eyes peeled and know when to jump ship.
Cloudflare's Warp is not an anonymising VPN as far as I know. It is just a way to speed up Internet speeds, especially in poorly connected areas. They make no effort to hide the origin IP. So it is not in the same class as other VPN providers.
I've had fantastic experience with airvpn. They're cheap, fast, reliable, and support all the configuration types you could want. I'm not affiliated with them but I'm surprised nobody here has mentioned them yet. By far the best VPN provider IMO.
Any provider that offers that many IP addresses? I found NordVPN to be the only reliable service if you need to run requests from many IPs from different countries (web scraping).
The thing is, almost all of these providers share infrastructure and IP blocks. Look up MicFo and the associated lawsuits (not even including their lawsuit with ARIN). They provided the exact same IP blocked systems to dozens of the top VPN providers.
The reality is, if someone else owns the infrastructure you're just pushing the risk to a different location.
EDIT: I said I used IPVanish mostly because the EFF endorsed them, but someone pointed out below they got caught logging. I suppose that would explain why they're not endorsed on the EFF VPN page anymore. So, I guess time to find a new VPN. :(
Used IPVanish for a few years, it was great the first, sucked the 2nd. I switched. These days I use VyprVPN. I like their Chameleon encryption that hides the VPN (although some data still leaks and some sites still detect it) and the killswitch option (prevents connections out if VPN not active)
... this site is awful. It doesn't address the actual reason why people use VPNs. They don't want all their activities to be recorded/tracked by their ISPs (which depending on jurisdiction log everything for at least 6 months if not more) or other actors. And if somebody wants to deanonymize your traffic, they have to go to extra effort, whether it's by exploiting or establishing a relationship with your VPN host or whatever else. Or there are other use cases, like wanting to torrent in a country that is very liberal with serving fines (Germany).
And frankly, his alternatives are just absurd. Tor? Really? Has he ever tried to use Tor for usual daily browsing? Does he expect people to try to use Facebook, Instagram, Youtube over Tor? Really?
Nobody should be using a VPN provider, full-stop. It is structurally impossible for anyone to verify their claims, they have more incentive to lie than your ISP does, and they're cheap and easy to set up, so the industry is a cesspool.
You should assume that all of them are behaving badly.
>NordVPN said it found out about the breach a “few months ago,” but the spokesperson said the breach was not disclosed until today because the company wanted to be “100% sure that each component within our infrastructure is secure.”
So instead of allowing their customers to do their own damage limitation, they left their customers in the dark and continued to expose them to a breach they weren't sure they had fully contained.
I wonder when that sort of thing will become a criminal offence.
> RADIUS secret key also leaked, so probably it is possible to break into EAP session which infers session secret key for StrongSwan.
Could you elaborate on this? I am familiar with PKI so the first part makes sense, but I am not familiar with the intricacies of VPNs so I am not sure what this means.
Assuming their IPsec was enabled with it (and OpenVPN should be enabled by default), them leaking their keys does not matter. The sessions cannot be decrypted even if the master key is leaked.
TLS also has perfect forward secrecy by default.
Impersonation is an issue, but the article stated the CA keys have already been rotated and are out of date.
EDIT: I meant to reply to the post below me, but this is fine. Sorry about that!
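The point the two comments above make, that a leaked long-term key does not decrypt recorded sessions when the key exchange is ephemeral but does when the session key was transported under the long-term key, can be shown directly. The following is an added example, not code from the thread or from any VPN product: the Diffie-Hellman group is the 1536-bit MODP prime transcribed from RFC 3526 (group 5), the HMAC "signature" stands in for the server's certificate key, and the XOR "key transport" stands in for RSA encryption; both stand-ins are toys chosen so the script runs with the standard library only.

```python
"""Forward secrecy versus static key transport: what a recorded transcript
plus a later-leaked long-term key lets an attacker reconstruct.

Added example, not code from the thread or any VPN project. HMAC stands in
for the server's certificate key and XOR for RSA key transport (toy
stand-ins); the group is the 1536-bit MODP prime from RFC 3526 group 5.
"""
import hashlib
import hmac
import secrets

P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2
PLEN = (P.bit_length() + 7) // 8  # 192 bytes

# Toy long-term server key. In a real deployment this is the private key
# behind the server certificate; it authenticates, it never derives keys.
SERVER_LONG_TERM_KEY = secrets.token_bytes(32)


def sign(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def handshake_ephemeral():
    """One DHE session: fresh a and b, long-term key only signs the publics.
    Returns (session_key, transcript), the transcript being what a passive
    eavesdropper records."""
    a = secrets.randbelow(P - 3) + 2
    b = secrets.randbelow(P - 3) + 2
    A = pow(G, a, P).to_bytes(PLEN, "big")
    B = pow(G, b, P).to_bytes(PLEN, "big")
    transcript = A + B + sign(SERVER_LONG_TERM_KEY, A + B)
    client_ss = pow(int.from_bytes(B, "big"), a, P)
    server_ss = pow(int.from_bytes(A, "big"), b, P)
    assert client_ss == server_ss  # both sides hold g^(ab)
    key = hashlib.sha256(client_ss.to_bytes(PLEN, "big") + transcript).digest()
    return key, transcript  # a and b go out of scope here; nothing stores them


def handshake_static():
    """Non-PFS session: the client wraps a premaster secret to the server's
    long-term key (toy version of RSA key transport). Whoever obtains that
    key later can unwrap every recorded premaster."""
    nonce = secrets.token_bytes(32)
    premaster = secrets.token_bytes(32)
    mask = sign(SERVER_LONG_TERM_KEY, nonce)
    wrapped = bytes(x ^ y for x, y in zip(premaster, mask))
    transcript = nonce + wrapped
    key = hashlib.sha256(premaster + transcript).digest()
    return key, transcript


def recover_with_leaked_key(transcript: bytes, leaked_key: bytes, mode: str):
    """What an attacker holding a recorded transcript plus the leaked
    long-term key can reconstruct after the fact."""
    if mode == "static":
        nonce, wrapped = transcript[:32], transcript[32:]
        premaster = bytes(x ^ y for x, y in zip(wrapped, sign(leaked_key, nonce)))
        return {"signature_valid": None,
                "session_key": hashlib.sha256(premaster + transcript).digest()}
    A, B, sig = transcript[:PLEN], transcript[PLEN:2 * PLEN], transcript[2 * PLEN:]
    # The leaked key lets the attacker verify (or forge) signatures, i.e.
    # impersonate the server in *new* handshakes, which is the residual risk
    # the thread names. The recording holds only g^a and g^b; nothing in it
    # or in the long-term key yields g^(ab).
    return {"signature_valid": hmac.compare_digest(sign(leaked_key, A + B), sig),
            "session_key": None}


if __name__ == "__main__":
    k, t = handshake_ephemeral()
    print("DHE, leaked key:", recover_with_leaked_key(t, SERVER_LONG_TERM_KEY, "ephemeral"))
    k, t = handshake_static()
    print("static, leaked key recovers session key:",
          recover_with_leaked_key(t, SERVER_LONG_TERM_KEY, "static")["session_key"] == k)
```

The contrast is in what the recorded bytes contain: in the static path the session secret is present in the transcript, merely wrapped under the long-term key, so a later leak unwraps it; in the ephemeral path the transcript carries only public values and a signature, so the leak buys impersonation going forward and nothing about the past. That is why the comment above can say the sessions cannot be decrypted even if the master key leaks, while the impersonation concern still stands until the CA and server keys are rotated.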
I find it surprising that none of the threads in this topic mention the very serious threat this breach might have for users in countries like China. The fact that NordVPN neglected to tell its users for months after the breach quite possibly endangered people's lives. Unforgivable.
Within 72 hours according to GDPR, I thought?
“The GDPR introduces a duty on all organisations to report certain types of personal data breach to the relevant supervisory authority. You must do this within 72 hours of becoming aware of the breach, where feasible.”
https://ico.org.uk/for-organisations/guide-to-data-protectio...
The tinfoil hat would argue maybe this was a leak that happened, but it was shared by design. It’s an HK company with questionable relationships and owners.
> I wonder when that sort of thing will become a criminal offence.
If they have EU customers then article 33 of GDPR should see to that.
"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay."
Unless the authorities in EU accept the explanation they are in trouble, but I think you shall report even if you think there has been a breach.
> Your IP address is a largely irrelevant metric in modern tracking systems.
I don't believe this for one second.
Your IP address on its own is not sufficient to identify you. That doesn't mean your IP address is not helpful in identifying you.
If you have JavaScript disabled, it is a heck of a lot easier to identify you with a combination of an IP address, user agent, and OS than it is to identify you without the IP address cutting down the pool of potential visitors.
On top of that, if you're targeting me and do a geo-location of my IP address, it will get you within 5 miles of my house. That's close enough that you'll know which county I'm in, which with a few other easily-obtained pieces of information will let you pull up my voter registration, which will give you my exact street address.
Of course, you could mitigate this by setting up your own VPN on something like Linode, but unless you're regularly rotating IP addresses, you've just traded a pseudo-identifier that multiple people/devices share for a persistent identifier.
This argument comes up all the time, and I have never heard anyone explain it in a way that passes my sniff test. If you want me to stop using a VPN, you need to do a lot better than just claiming that IP addresses don't matter -- you need to show some kind of evidence to back that up.
> Your IP address on its own is not sufficient to identify you.
Wasn't there a story yesterday that the FBI tracked a guy who had logged into jihadi forums with the IP, and knocked on the door with a copy of a passport of the guy's dad?
Pick a cloud provider you trust. I was thinking of moving from Digital Ocean (US) to Hetzner (German) and setting my own VPN up through a normal server.
I'd rather trust an at least somewhat trustworthy VPN provider with my data than a random coffee shop and clients who happen to be on the same network at the time.
I feel like that's crazy. There should be no traffic entering or leaving your machine that's not end-to-end encrypted already. Trusting some fly-by-night VPN provider because they buy a lot of YouTube ads is no substitute for proper end-to-end session level encryption.
This article tries to enumerate the use cases for use of commercial VPN services, but misses out my only use case of these services: evading geoblocks. It seems fallacious to me.
The article is slightly more nuanced... know when and why to use VPN is more accurate. As mentioned near the end of that article, using known or suspected hostile networks, like public WiFi is a good reason to use VPN.
The problems addressed by avoiding a locally hostile network by connecting to another, globally hostile network is solving a very limited, nuanced set of problems.
Unless you're VPNing to your home or office, these public providers are just asking for trouble. They're too cheap to run well.
But, yes, remote management is pretty common in datacenters. The fact that NordVPN wasn't aware of them just shows incompetence.
Why is this surprising? AWS seem to know what they're doing in general, and this is obviously the right policy in this particular area.
Absolutely. We had a similar situation with one of the DC vendors.
[0] https://github.com/trailofbits/algo
Anyone can do this, it’s not nearly as complicated to launch and secure as some would have us believe. (https://github.com/jenh/sevenminutevpn)
You do lose anonymity with personal VPN, but it all depends on your use case.
e.g. run this from the command line:
[0] https://github.com/sshuttle/sshuttle
https://getoutline.org
https://github.com/Jigsaw-Code/outline-client
https://github.com/Jigsaw-Code/outline-server
[0] https://github.com/StreisandEffect/streisand
http://vpnscam.com/wp-content/uploads/2018/08/2018-08-24-09_...
http://vpnscam.com/hola-vpn-and-nordvpn-partners-in-data-min...
http://vpnscam.com/nordvpn-protonvpn-proton-mail-owned-by-te...
> We […] started creating a process to move all of our servers to RAM, which is to be completed next year.
What does "RAM" mean here?
https://crt.sh/?id=10031443
And here's a dump of their logs: https://share.dmca.gripe/hZYMaB8oF96FvArZ.txt
[1] https://torrentfreak.com/private-internet-access-no-logging-...
Citation: https://thatoneprivacysite.net/#detailed-vpn-comparison
This bug loudly announces itself on every pageload, it speaks of tremendous incompetence that they ever let this go into production.
The site used to set a cookie that looked like this:
Obvious PHP object injection vulnerability that should've been caught by any automated auditing tool.
Yes, unfortunately it's currently not possible to use Warp VPN on PC. Otherwise, quite good service.
https://airvpn.org/ is also worth mentioning.
https://airvpn.org/mission/
[1] https://thatoneprivacysite.net
[2] https://mullvad.net/en/
Haven't tested it, just remembered datacenterlight from an HN thread about buying a mainframe.
The reality is, if someone else owns the infrastructure you're just pushing the risk to a different location.
[1] https://torrentfreak.com/ipvanish-no-logging-vpn-led-homelan...
https://faq.dhol.es/@Soatok/cryptography/which-vpn-service-w...
And frankly, his alternatives are just absurd. Tor? Really? Has he ever tried to use Tor for usual daily browsing? Does he expect people to try to use Facebook, Instagram, Youtube over Tor? Really?
Nobody should be using a VPN provider, full-stop. It is structurally impossible for anyone to verify their claims, they have more incentive to lie than your ISP does, and they're cheap and easy to set up, so the industry is a cesspool.
You should assume that all of them are behaving badly.
So instead of allowing their customers to do their own damage limitation, they left their customers in the dark and continued to expose them to a breach they weren't sure they had fully contained.
I wonder when that sort of thing will become a criminal offence.
Official response hides fact OpenVPN CA keys also leaked, so attacker could impersonate any other NordVPN server: https://gist.githubusercontent.com/Snawoot/85f77356e229d77aa...
RADIUS secret key also leaked, so probably it is possible to break into the EAP session, which infers the session secret key for StrongSwan.
Could you elaborate on this? I am familiar with PKI so the first part makes sense, but I am not familiar with the intricacies of VPNs so I am not sure what this means.
Assuming their IPsec was enabled with it (and OpenVPN should be enabled by default), them leaking their keys does not matter. The sessions cannot be decrypted even if the master key is leaked.
TLS also has perfect forward secrecy by default.
Impersonation is an issue, but the article stated the CA keys have already been rotated and are out of date.
EDIT: I meant to reply to the post below me, but this is fine. Sorry about that!
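An added example, not from any commenter, to make concrete what the last few replies are arguing about (leaked CA/server keys versus forward secrecy). It uses a minimal pure-Python X25519 (the RFC 7748 Montgomery ladder, for illustration only; use a vetted library in real code). In `static_handshake` the client agrees a key directly with the server's long-term key, the shape of RSA key transport or static DH, so a recorded session falls to anyone who later obtains that key. In `ephemeral_handshake` both sides use one-shot keys that are discarded, so the same leak recovers nothing from recordings. What the leak still permits, in either shape, is running the server side of brand-new handshakes, i.e. the impersonation the comment above concedes, which is what rotating the keys fixes. The toy omits the certificate signature that would bind the ephemeral key to the server's identity; `keygen`, `session_key` and the handshake functions are names invented for the demo.

```python
import hashlib
import hmac
import secrets

# --- Minimal X25519 (RFC 7748 Montgomery ladder). Illustration only. ---
P = 2**255 - 19
A24 = 121665
BASE_POINT = (9).to_bytes(32, "little")


def _decode_scalar(k):
    k = bytearray(k)
    k[0] &= 248
    k[31] &= 127
    k[31] |= 64
    return int.from_bytes(k, "little")


def x25519(scalar, u_point):
    k = _decode_scalar(scalar)
    x1 = int.from_bytes(u_point, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        swap ^= kt
        if swap:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b = (x2 + z2) % P, (x2 - z2) % P
        aa, bb = a * a % P, b * b % P
        e = (aa - bb) % P
        c, d = (x3 + z3) % P, (x3 - z3) % P
        da, cb = d * a % P, c * b % P
        x3 = pow(da + cb, 2, P)
        z3 = x1 * pow(da - cb, 2, P) % P
        x2 = aa * bb % P
        z2 = e * (aa + A24 * e) % P
    if swap:
        x2, x3, z2, z3 = x3, x2, z3, z2
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")


def keygen():
    priv = secrets.token_bytes(32)
    return priv, x25519(priv, BASE_POINT)


def session_key(shared_secret, client_pub, server_pub):
    """Toy KDF (HKDF-like): binds the raw DH output to the transcript."""
    return hmac.new(shared_secret, client_pub + server_pub, hashlib.sha256).digest()


def static_handshake(server_lt_priv, server_lt_pub):
    """No forward secrecy: the client's fresh key meets the server's LONG-TERM key.
    Returns the client's key, the server's key and what an eavesdropper records."""
    c_priv, c_pub = keygen()
    client_key = session_key(x25519(c_priv, server_lt_pub), c_pub, server_lt_pub)
    server_key = session_key(x25519(server_lt_priv, c_pub), c_pub, server_lt_pub)
    return client_key, server_key, {"client_pub": c_pub, "server_pub": server_lt_pub}


def ephemeral_handshake(server_lt_priv, server_lt_pub):
    """Forward secret: both sides use one-shot keys. The long-term key's only job
    would be to sign s_pub (omitted here); it never enters the key agreement."""
    c_priv, c_pub = keygen()
    s_priv, s_pub = keygen()
    client_key = session_key(x25519(c_priv, s_pub), c_pub, s_pub)
    server_key = session_key(x25519(s_priv, c_pub), c_pub, s_pub)
    del c_priv, s_priv  # ephemeral secrets are wiped once the session key exists
    return client_key, server_key, {"client_pub": c_pub, "server_pub": s_pub}


def passive_attacker(recording, leaked_server_lt_priv):
    """Recorded public values plus the later-leaked long-term key: rebuild the
    session key the way the server would have computed it."""
    shared = x25519(leaked_server_lt_priv, recording["client_pub"])
    return session_key(shared, recording["client_pub"], recording["server_pub"])


def demo():
    lt_priv, lt_pub = keygen()  # the server's long-term key, assumed leaked later
    c1, s1, rec1 = static_handshake(lt_priv, lt_pub)
    c2, s2, rec2 = ephemeral_handshake(lt_priv, lt_pub)
    return {
        "keys_agree": c1 == s1 and c2 == s2,
        "static_session_recovered": passive_attacker(rec1, lt_priv) == c1,
        "ephemeral_session_recovered": passive_attacker(rec2, lt_priv) == c2,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the static recording recovered and the ephemeral one not. Note that `static_handshake(lt_priv, lt_pub)` is also exactly what an attacker holding the leaked key runs against new clients; nothing in the exchange distinguishes them from the real server until the key is rotated and clients stop trusting it.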
Basically:
1- Nord falsely blames its server provider.
2- Nord hides it from their users.
3- Nord claims all will be well with an “audit” (again, since they were already “audited”)
This is either criminal negligence, “security theater”, or both.
I don't see anything in the article about those claims being false. Where did you get that?
It's a bad look in any case.
That seems to be ExpressVPN[1], the main competitor of NordVPN.
[1] https://vpnscam.com/expressvpn-really-based-in-hong-kong/
If they have EU customers then article 33 of GDPR should see to that.
"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay."
Unless the authorities in the EU accept the explanation, they are in trouble, but I think you shall report even if you only think there has been a breach.
Does this always/necessarily lead to customers/the public being informed? But yeah, better than nothing.
https://gist.github.com/joepie91/5a9909939e6ce7d09e29
I don't believe this for one second.
Your IP address on its own is not sufficient to identify you. That doesn't mean your IP address is not helpful in identifying you.
If you have Javascript disabled, it is a heck of a lot easier to identify you with a combination of an IP address, user agent, and OS than it is to identify you without the IP address cutting down the pool of potential visitors.
On top of that, if you're targeting me and do a geo-location of my IP address, it will get you within 5 miles of my house. That's close enough that you'll know which county I'm in, which with a few other easily-obtained pieces of information will let you pull up my voter registration, which will give you my exact street address.
Of course, you could mitigate this by setting up your own VPN on something like Linode, but unless you're regularly rotating IP addresses, you've just traded a pseudo-identifier that multiple people/devices share for a persistent identifier.
This argument comes up all the time, and I have never heard anyone explain it in a way that passes my sniff test. If you want me to stop using a VPN, you need to do a lot better than just claiming that IP addresses don't matter -- you need to show some kind of evidence to back that up.
Wasn't there a story yesterday that the FBI tracked a guy who had logged into Jihadi forums via his IP, then knocked on the door with a copy of the guy's dad's passport?
So can my ISP and they have been confirmed to sell customer data and work directly with NSA.
https://en.wikipedia.org/wiki/Room_641A
https://www.theguardian.com/business/2016/oct/25/att-secretl...
Which is precisely the use case I use a VPN for.
I'd rather trust an at least somewhat trustworthy VPN provider with my data than a random coffee shop and clients who happen to be on the same network at the time.
then at the bottom: So then, what?
THIS TYPE OF VPN
"If you for some reason cannot do that, here is a way to set up a food truck"
Unless you're VPNing to your home or office, these public providers are just asking for trouble. They're too cheap to run well.