Seriously creepy stuff. I hate how VPNs are being shilled by e-celebs these days as a privacy improvement.
It’s just using a different middleman. One middleman might be better than another, but if you have a good ISP already, there’s no privacy/security benefits to be had by using a VPN when surfing from home.
It might be worth getting a VPN if you use sketchy WiFi often, or want to bypass geo-blocking or restrictive firewalls. But remember that you’re trusting the VPN provider with all your traffic. DNS is still not encrypted in most browsers, so this traffic is still a goldmine of marketable info. Sure, they can’t see what you post on snapstagram.com or what pages you visit on news.ycombinator.com, but they can infer a lot about your browsing habits from DNS queries.
Besides the security implications, if there's no way to legally stream Disney content in my country and I desperately want to watch it for some reason I'll pirate it. Why should I jump through hoops to give them (and an unconnected third party) my money if they don't want me as a customer?
I'm making a genuine effort to keep all my entertainment above board by being a paying customer to Netflix, Amazon, Spotify, Google Play, YouTube Premium, Steam and a few others, but I have to say that my patience is wearing very thin with TV/movie studios and their idiotic licensing shenanigans.
"It might be worth getting a VPN if you use sketchy WiFi often, or want to bypass geo-blocking or restrictive firewalls. But remember that you’re trusting the VPN provider with all your traffic."
I never understand this false dichotomy - especially in a forum which is named ... let me check ... "hacker news".
Just set up your own.
It costs almost nothing to run an EC2 instance in the region of your choice (or at some other provider like GCS or whatever). There are keystroke-by-keystroke instructions everywhere on setting this up.
Extra points for adding the extremely trivial and also very low cost steps of signing up under a corporate name and removing your personal identity from the account altogether.
Some more extra points for multiplying the almost-zero-cost by 3 or 4 or 5 and spinning up extra copies of your endpoint in multiple regions (or even providers) and manually (or automatically) switching between them.
You don't need to trust anyone - adjust your threat model all the way up to "near nation state" (in the case of Amazon or GCS) and assume these actors could already discern all of your Internet traffic even if you weren't doing business with them.
Friendly reminder that in the UK all ISPs are required by law to keep your entire browsing history for a year, and that history can be accessed by a few dozen agencies, warrant free. That's why I use a VPN personally.
A VPN provider is basically a choice to trade one country’s passive adversary for another. I.e., if you’re in the US and using a VPN with German corporate headquarters, then your Internet transactions are able to be wiretapped by the German government, but not by the US government. Either way, yes, your data will also be wiretapped by your carrier themselves and sold on the open market—but not usually in a form that will result in legal problems for you, since ad-targeting data tends to be semi-anonymized (in the sense that it isn’t in a form where a court would accept it as evidence of who you are; not in the sense that it couldn’t be used to deanonymize you by a sufficiently-motivated private researcher.)
>But remember that you’re trusting the VPN provider with all your traffic.
May I suggest hosting your own VPN using Streisand (https://github.com/StreisandEffect/streisand)? It's an absolutely fantastic VPN that runs on just about any cloud system out of the box (or your own hardware of course).
Right now I use Linode for hosting ($5/month) but there are lots and lots of other ways to set it up.
Importantly, setup is easy for all kinds of clients, including mobile devices.
There is currently a difference in business interest for VPNs and ISPs. ISPs sell your data, since people mostly don't have much choice here anyway. A VPN service who becomes known to share data can probably close their business soon, new ones will quickly fill the void. They have less infrastructure requirements than ISPs and a subset of users with different expectations to privacy.
So yes, I do think there is quite a difference, although you should still be critical of your VPN provider.
I disagree. The comments here are based on a specific threat model. There are many other threat models where a good VPN dramatically increases a user's security.
One middleman might be better than another, but 10 middlemen are better than 1 if you are truly interested in mitigating the invasion of your privacy. There's nothing preventing you from using multiple VPNs to make it harder for any one middleman to build a profile of your internet activity.
Also worth noting that while VPN providers don't care what DNS servers you use, the geo-blocking protection features usually require that you use their DNS servers.
No one's said this clearly so I will. oxylabs.io as described in this article is an awful unethical company and should be investigated for criminal activity. If NordVPN is using them to bypass DRM controls, that's pretty ugly.
The central concern is how they get their 32M "residential proxies". I spent a few minutes trying to get an answer and could not find one. The article straight up assumes it's coming from malware, which certainly seems possible. I could also imagine them buying legitimate access from ISPs but given the various legal and technical issues involved it seems less likely.
Is there anything directly connecting Oxylabs to malware? Again I looked for a few minutes and didn't find anything clear. I did find a couple of troubling posts on Reddit from Android Devs saying Oxylabs approached them offering to "monetize your users with our SDK", which sounds like the slippery slope to malware. Or at least bundleware without meaningful consent.
"... Upon information and belief, the above OxyLabs embedded code has been integrated in at least the following software applications that may be downloaded by any user located anywhere having Internet access: AppAspect Technologies’ “EMI Calculator” and “Automatic Call Recorder”; Birrastorming Ideas, S.L’s “IPTV Manager for VL;” CC Soft’s “Followers Tool for Instagram;” Glidesoft Technologies’ “Route Finder;” ImaTechInnovations’ “3D Wallpaper Parallax 2018;” and Softmate a/k/a Toolbarstudio Inc.’s “AppGeyser” and “Toolbarstudio.”"
Looking at a few of these apps' descriptions and privacy policies, they don't mention anything about oxylabs or proxies, so I'm not sure it's true, but somebody should check the apps with a decompiler or by monitoring the connections they make.
I would guess it's from services like the Hola VPN browser extension provides. It was always clear that these services need to make money somehow. Next to providing tunnels to their own users they will sell them to others. Not sure if this is really unethical.
Sounds similar to the proxy network [1] Luminati, which uses an SDK which developers get paid to embed in their apps, in order to route proxy traffic through... Kind of like a Tor network...
> Does [Oxylabs.io’s distribution] mean your device can be used by a third party to access child porn or hack into a bank? Absolutely!
I mean, isn’t the existence of Oxylabs a boon for everyone’s privacy—in the sense of making everyone’s actions deniable/repudiable? Oxylabs introduces reasonable doubt for every possible allegation of cybercrime! “It wasn’t me; it was this botnet malware routing through my computer without my knowledge!” It’s like having a Tor exit node on your computer, without the associated mens rea that would come from the explicit choice to install one!
In theory sure. In practice (especially if you don't know your connection is being used like this, as the article suggests), if law enforcement turn up at your door to take all your kit as evidence in a crime, they'll likely take all your kit for an extended period of time (and possibly charge you) until/unless you can prove that it wasn't you that sent the traffic.
There have been cases of this happening to Tor exit nodes, and those were ones the operators could point to...
They may be "residential IPs" but you can do an nmap scan on the IPs to see if there are any open ports. If there are no open ports then it's likely a residential IP because of stateful firewalls on home routers. If there are open ports it's likely not a residential IP since some kind of port forwarding would have to be enabled, which most people don't do, or a DMZ would have to be set up (even less likely). I scanned a few of the IPs returned from the curl test. Granted a small sample size, but they all have open ports. Beyond the scan I didn't try to connect to any of them via browser or otherwise. Here is what I found for the "Delcom" IP he's so worked up about:
```
$ sudo nmap 76.77.25.75
Starting Nmap 7.70 ( https://nmap.org ) at 2019-11-29 19:21 EST
Nmap scan report for static-76-77-25-75.networklubbock.net (76.77.25.75)
Host is up (0.097s latency).
Not shown: 992 closed ports
PORT     STATE    SERVICE
22/tcp   filtered ssh
23/tcp   filtered telnet
25/tcp   filtered smtp
53/tcp   filtered domain
80/tcp   open     http
443/tcp  open     https
5060/tcp open     sip
8080/tcp open     http-proxy
Nmap done: 1 IP address (1 host up) scanned in 331.02 seconds
```
Maybe I'm missing something here. Of course it could still be malware, but that's far from the first conclusion I'd jump to. This article is just speculation to me and the methodology seems ... bad
edit: sorry if the markdown is broken. Noob here. ;)
Won’t services like this take advantage of UPnP to open ports?
I know FluidStack which is a similar service uses UPnP to open ports that it requires. FluidStack is a service you earn money through by willingly selling your internet bandwidth though, not like Oxylabs but same idea.
If you are going to try to look for open ports, they certainly won't be using the standard ports. You will need to do a full scan "nmap -p". But doing that is considered malicious and you can be sued. So I would advise against scanning random hosts that you do not have permission to scan.
Did they consider that maybe all the clients are NordVPN customers, i.e. your data will come from a different user's internet connection but another user's data comes from you?
With that there would be no reason to have any hidden malware practice or similar, it _could_ even be in the terms of service of some of their products...
I mean it's true that there is a lot of bs going on but before claiming them for having hidden malware you should make sure they do, instead of just saying "that's the only way it's possible" even if it isn't the only way.
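The open-port heuristic from the nmap comment above, applied to Nmap's normal text output together with the two caveats from its replies (UPnP mappings, and a default scan that probes only part of the port range). This is an added example, not part of any commenter's post; `Report`, `parse`, `classify` and the 203.0.113.7 sample are illustrative, and the first sample is the scan quoted above.

```python
import re
from dataclasses import dataclass, field

TCP_PORTS = 65535  # size of the full TCP port range

# Scan output quoted in the comment above, reused as sample input.
QUOTED_SCAN = """\
Nmap scan report for static-76-77-25-75.networklubbock.net (76.77.25.75)
Host is up (0.097s latency).
Not shown: 992 closed ports
PORT STATE SERVICE
22/tcp filtered ssh
23/tcp filtered telnet
25/tcp filtered smtp
53/tcp filtered domain
80/tcp open http
443/tcp open https
5060/tcp open sip
8080/tcp open http-proxy
"""

# Constructed sample (documentation address): nothing reachable from outside.
CONSTRUCTED_SCAN = """\
Nmap scan report for 203.0.113.7
Host is up (0.041s latency).
All 1000 scanned ports on 203.0.113.7 are filtered
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


@dataclass
class Report:
    host: str = ""
    scanned: int = 0  # ports actually probed, summed from the report
    open_ports: list = field(default_factory=list)
    filtered_ports: list = field(default_factory=list)
    verdict: str = ""
    caveats: list = field(default_factory=list)


def parse(text: str) -> Report:
    """Extract host, per-state port lists and scan coverage from one report."""
    r = Report()
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Nmap scan report for (.+)", line):
            ip = re.search(r"\(([^)]+)\)$", m.group(1))  # "name (ip)" form
            r.host = ip.group(1) if ip else m.group(1)
        elif m := re.match(r"Not shown: (\d+) ", line):
            r.scanned += int(m.group(1))  # ports collapsed into one line
        elif m := re.match(r"All (\d+) scanned ports on .+ are \S+", line):
            r.scanned += int(m.group(1))
        elif m := PORT_LINE.match(line):
            r.scanned += 1
            port, state = int(m.group(1)), m.group(3)
            if state == "open":
                r.open_ports.append(port)
            elif state == "filtered":
                r.filtered_ports.append(port)
    return r


def classify(text: str) -> Report:
    """Apply the commenter's heuristic, then attach the replies' caveats."""
    r = parse(text)
    if r.open_ports:
        r.verdict = "likely not residential"
        r.caveats.append(
            "UPnP can map ports on a home router without manual forwarding")
    else:
        r.verdict = "likely residential"
    if r.scanned < TCP_PORTS:
        r.caveats.append(
            f"only {r.scanned} of {TCP_PORTS} TCP ports probed; "
            "services on non-standard ports would be missed")
    return r


if __name__ == "__main__":
    for sample in (QUOTED_SCAN, CONSTRUCTED_SCAN):
        rep = classify(sample)
        print(rep.host, "->", rep.verdict, "| open:", rep.open_ports)
        for c in rep.caveats:
            print("   caveat:", c)
```

Either verdict stays a weak signal: the quoted scan covered 1000 of 65535 ports, so the heuristic alone cannot separate a forwarded home connection from a hosted server.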
I thought the same thing. They could be using their legitimate user's connections.
But even if they're rerouting traffic through their users, and if they wrote that in the terms of service, I doubt any of their users know they signed up for this.
Which is not illegal, but still kind of sketchy.
If it's hidden in their terms of service, but not explicitly written on the content the user actually reads while subscribing, I consider this very unethical.
> Think of “residential proxies” this way: 1.) Oxylabs installs some malware on to a user’s device, unknown to the user, by bundling it with other software that the user downloads. 2.)This malware enables Oxylabs to sell off your bandwidth, your computing power, and your IP address to third parties, who will route their internet traffic through your device.
There are so many providers doing something similar, it really isn't an Oxylabs / NordVPN exclusive issue.
Based on my understanding it's people having free apps they want to monetize. They then implement a proxy company's SDK which enables this traffic sharing and get paid by them.
Having used one of these shady proxy pool services once in the past for some (pretty harmless) scraping (not especially proud of it), I seriously doubt a service like that is good enough for video streaming. Usually half of the proxies in the pool are high ping or unreachable, and the other half are only valid for at most a few minutes. Maybe I just didn’t pay enough for the gold tier or something.
Edit: Another comment pointed out that maybe only the front domain is geoblocked, but not the video CDN domains. That would make sense. Now that I think about it, youtube-dl also has a --geo-verification-proxy option that works in the same way.
Assuming a direct business relationship, there's no reason they couldn't hand-pick or filter out the good hosts, and then put the rest in the general pool.
> It’s often the case that VPN users will find that services like Disney+ are blocked on many servers, presumably because the content provider is able to discover the VPN’s IP addresses and restrict access to those IPs.
Something that keeps bothering me about the title and content is that the VPN isn't blocking or unblocking Disney+. It's Disney+ that's doing the blocking. It's blocking the VPN's IP addresses.
If I block you from entering the building but you find a secret entrance through the air vents, you didn't unblock me, you evaded my block.
Their title and usage of blocking should be something more like: "How is NordVPN evading Disney+'s VPN-blocking?"
Great article though. This kind of stuff really needs to be more well known.
That it's possible to unknowingly be part of a botnet is a major flaw in the internet and ISP billing model. I think the only solution that has a shot is for unexpected bandwidth to lead to an unexpectedly high bill.
I'm somewhat shocked that residential connections have enough bandwidth to upload a streaming video as a proxy. But maybe people using a VPN for Disney+ are just glad it works at all.
I have Comcast and my upload on a good day is 500KB/s and that cripples everything else on the network.
> All the most common US ISPs are there… AT&T, Comcast, Verizon, CenturyLink. IPs from Charter Communications in their Midwest, Texas, Pacwest and Northeast regions. ISPs I’ve never heard of before… who the heck is Delcom? Turns out they are serving some rural communities in Texas. Did NordVPN buy servers or connectivity from them?
I've been seeing a ton of these guys' advertising lately. If it turns out they're also reselling your bandwidth?
Still, I'd like to see someone take a peek at their local client traffic for any suspicious activity before coming to any conclusion.
Edit: I guess allegedly the 'botnet' aspect is provided not by other NordVPN users but by malware provided by companies associated with NordVPN.
>They promised they had nothing to do with Oxylabs, but now that assertion seems to be false.
Only if you deliberately misread the post, which is clearly saying that NordVPN doesn't use its users' devices to route traffic, unlike HolaVPN. It doesn't say they don't use Tesonet services to route traffic. They're denying being a supplier to Tesonet, they're not denying being on the demand side.
Not defending PIA, as they've been purchased by satan.net, but remember the HN posts where NordVPN was asked some very unfriendly questions by Private Internet Access? Remember everyone dismissing it as an astroturf marketing ploy?
I've been a PIA customer, and am canceling to switch to Mullvad, but PIA selling out seems not to prove they weren't right before.
What am I missing here? Surely if this were true, Nord would be able to unblock basically every service. Netflix, prime video, etc. Would all work. That's not the case though?
No smoking gun, sure, but some very suspicious traffic patterns. How is NordVPN getting traffic routed through so many different ISPs who generally only serve residential customers?
Hard to imagine that so many ISPs are agreeing to help NordVPN bypass geo-blocking. Pretty certain that there’s some kind of shenanigans going on.
Hey, this is an ~old thread. But I'd like to contact the author, Derek Johnson. And, having no Facebook or Google account, I can't even create a Medium account to post a comment.
So do any y'all perchance know his address? If so, please email me at the address in my profile.
[+] [-] mikl|6 years ago|reply
[+] [-] SmellyGeekBoy|6 years ago|reply
[+] [-] rsync|6 years ago|reply
Christ.
[+] [-] gambiting|6 years ago|reply
[+] [-] throw0101a|6 years ago|reply
You may enjoy Tom Scott's video:
> I tried to write a more honest VPN commercial. The sponsor wasn't happy about it. • Get ■■■ days of ■■■ VPN free at ■■■■.com/honest
* https://www.youtube.com/watch?v=WVDQEoe6ZWY
[+] [-] derefr|6 years ago|reply
[+] [-] alasdair_|6 years ago|reply
[+] [-] hawaiian|6 years ago|reply
That's a big IF. Not all of us share the luxury of being able to get internet service from companies like Sonic.net.
[+] [-] raxxorrax|6 years ago|reply
[+] [-] secfirstmd|6 years ago|reply
[+] [-] StanislavPetrov|6 years ago|reply
[+] [-] morpheuskafka|6 years ago|reply
[+] [-] jdormit|6 years ago|reply
[+] [-] scarface74|6 years ago|reply
[+] [-] Mirioron|6 years ago|reply
[+] [-] foopdoopfoop|6 years ago|reply
This is just not true. You cannot sign up for an ISP without disclosing at least your name and address. Many VPNs support complete anonymity.
It's a different middle man that--if you choose the right one--will absolutely know less about you.
[+] [-] NelsonMinar|6 years ago|reply
https://www.reddit.com/r/androiddev/comments/ajfc7w/question... https://www.reddit.com/r/androiddev/comments/ao27tu/my_app_w...
BTW, Oxynet has a list of the ASNs they have proxies on: https://intro.oxylabs.io/hc/en-us/articles/360003444780-Supp...
[+] [-] spyder|6 years ago|reply
https://cdn-resprivacy.pressidium.com/wp-content/uploads/201...
[+] [-] bootloop|6 years ago|reply
[+] [-] berbec|6 years ago|reply
[+] [-] gitgud|6 years ago|reply
[1] https://luminati.io/proxy-networks/mobile-ips
[+] [-] derefr|6 years ago|reply
[+] [-] rtempaccount1|6 years ago|reply
[+] [-] EternalAugust|6 years ago|reply
[+] [-] Spy520|6 years ago|reply
[+] [-] ludjer|6 years ago|reply
[+] [-] dathinab|6 years ago|reply
[+] [-] jesuisuncaillou|6 years ago|reply
[+] [-] the_gipsy|6 years ago|reply
[+] [-] ikeboy|6 years ago|reply
[+] [-] rtempaccount1|6 years ago|reply
Unless they make that clear, it's not a great look.
[+] [-] dewey|6 years ago|reply
- https://luminati.io/residential_ips
- https://www.geosurf.com/blog/what-are-residential-proxies/
- http://stormproxies.com/residential_proxy.html
- https://krebsonsecurity.com/tag/residential-proxies/
- https://multilogin.com/proxy/
- https://smartproxy.com/blog/what-is-a-residential-proxies-ne...
[+] [-] oefrha|6 years ago|reply
[+] [-] stordoff|6 years ago|reply
[+] [-] brianpgordon|6 years ago|reply
https://i.imgur.com/PFITtZT.png
[+] [-] hombre_fatal|6 years ago|reply
[+] [-] Havoc|6 years ago|reply
Between this and PIA's shady stuff I'm just gonna have to host my own. The commercial VPN scene is a cesspool.
[+] [-] johnpowell|6 years ago|reply
[+] [-] streb-lo|6 years ago|reply
[+] [-] ikeboy|6 years ago|reply
[+] [-] berbec|6 years ago|reply
[+] [-] dd6d658|6 years ago|reply
wtf?
[+] [-] dalemyers|6 years ago|reply
[+] [-] Scoundreller|6 years ago|reply
They had a browser extension, maybe somebody can get a copy and see what's in common with other extensions?
https://support.oxyleads.com/hc/en-us/articles/360015036112-...
[+] [-] NeaterPeter|6 years ago|reply
[+] [-] ortekk|6 years ago|reply
It returns different IPs for every request, and these IPs do look like residential ones.
[+] [-] mikl|6 years ago|reply
[+] [-] bigfuz|6 years ago|reply
[+] [-] mirimir|6 years ago|reply
[+] [-] Nas808|6 years ago|reply