Watch Your Shadows, The Bad Guys Are **Always** Lurking In Coffee Shops

 

There Be Dragons

I rarely like advertisements except for the very rare exception, mostly because it is clear that advertising is just cleverly straddling a line between creativity and deception. I came to terms with that a long time ago, and mainly my gripes fall on purely aesthetic levels at this point, as I don’t like wine but still feel a great aversion towards Cotes Du Rhone as a potential drink or for any cooking with wine simply because I found some ad in a magazine painfully picante. Now none of this is going to be new to anyone who knows me and has had the unfortunate luck of watching something with me while I am in a chatty mood and having commercials come on. However, the past few years have shown a steady growth in ads for VPNs that have grown increasingly deceptive, aiming to bilk the uninformed out of money by exploiting their fears of spooky internet bandits in masks.

VPN Brands

So?

So we have a very generally known fact: advertisements are deceptive. We have a particularity about me that isn’t new, and isn’t even that unique. So why write a post about this? I have had progressively more conversations with family members and peers about topics like security and privacy, and they all begin with the same question: which VPN is the best one to keep my data secure? This is a frustrating thing, because honestly, none of them are going to keep you secure alone. Don’t get me wrong, I am very keen on the usage of a VPN to try and obfuscate where you are and to keep your information hidden from your ISP so they can’t go around selling your traffic information. I personally really like ProtonVPN, and I also route all of my traffic through the Tor network. Even the one VPN I quite like (ProtonVPN) touts itself as an adequate solution to security in an untrusted public network, which seems truly tragic, since if even the nice, no-bones-about-them Swiss need to use that line, nobody is going to do otherwise for a while.

What Precisely Is Up?

Most of my gripes with things technological come from the fact that they limit our ability to be secure and maintain our desired level of privacy without going through effort to do so. VPNs have come along and capitalized on this issue that a lot of people have in order to sell their product. A pretty typical advertisement is going to contain two major “selling points”. The first is security: it is going to inform you that if you buy their product you can go and do whatever you want on a public connection without concern, but if you don’t you might as well write your SSN, NIN, or credit card details on your forehead. Secondly, it is going to inform you that if you use their service your personal information is secure from those pesky companies trying to buy and sell your information. There are kernels of truth to both of these claims, but that is about the most charitable description I can give them.

Security

Security is one of the most deceptive components of these advertisements and where a lot of consumers’ fears are being exploited. This is also, honestly, one of the areas I find a VPN the least useful for. The kernel of truth, of course, is the fact that a VPN will provide an encrypted tunnel between your machine and the VPN service for the transferring of data from your machine to a given web server. This is a very neat function, and would be incredibly helpful if the bulk of websites that you are probably visiting didn’t already use HTTPS for transferring your data back and forth. The primary weapon wielded by the scary man with a hoodie in the coffee shop isn’t actually likely to be SSL stripping to trick your machine into using an insecure connection. They are likely going to take advantage of poorly chosen, exposed passwords, or a phishing attack. Your VPN protects against neither of these, and honestly none of us are likely to be the targets of these more advanced MITM attacks.

Just a quick note: If your threat model includes MITM attacks, or other aggressive targeted data risks, then this really isn’t applicable to you, because you are probably doing a lot more than just turning on a VPN and clicking links with reckless abandon.

Privacy

Another claim you are going to see is that a VPN is going to help keep you private online. Which, like with security, has its kernel. It will prevent a website from knowing what the true point of origin for a given connection actually is. This is useful for spoofing your location, a la circumventing region restrictions in Netflix, but realistically that is about it. If you are just the schmoe joe using a VPN to keep the bad guys away, there are a lot of other considerations to take into account. For starters, cookies: these are what are going to be used to keep track of you more than your IP address. This is how a company is likely to be following you across devices and networks, since your IP is not useful if you are moving around a lot. Your VPN cannot stop you from giving away your personal information to companies at will, so signing into Facebook, visiting some store that tracks what you looked at, and jumping into Google, VPN or no, you are still prone to whatever ads there are for whatever cookies you have picked up on your travels. There are better tools at your disposal for protecting your privacy, which I’ll go over a bit later, but for now dealing with your device fingerprint may be a good starting point until then. (Also means I can stick a link into the middle of this). Last but not least, when you use a VPN your privacy is only as guaranteed as what the provider will give you. If you are sitting around worried about companies tracking and following you, then you should be careful in your choice of VPN. The VPN provider can also look at your traffic unfiltered and then sell it just like any ISP. This is a good reason why you should read up about your VPN provider or [route all your traffic through Tor](https://github.com/SusmithKrishnan/torghost).
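To make the cookie point concrete, here is an added example (not code from the original post) that groups a tracker's request log first by cookie and then by source IP. The log format, the `uid` cookie name, the IDs and the addresses are all constructed for illustration; 203.0.113.50 stands in for a shared VPN exit.

```python
import re
from collections import defaultdict

# Constructed tracker-side log lines (documentation IP ranges, made-up IDs).
# Assumed format: <client ip> <page that embedded the tracker> uid=<cookie or ->
SAMPLE_LOG = """\
198.51.100.7 shop.example/shoes uid=a1f3
203.0.113.50 news.example/politics uid=a1f3
203.0.113.50 shop.example/cart uid=a1f3
192.0.2.99 social.example/feed uid=a1f3
203.0.113.50 news.example/sports uid=9c2e
203.0.113.50 blog.example/post uid=-
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<page>\S+) uid=(?P<uid>\S+)$")

def parse(log):
    """Yield (ip, page, uid) tuples; uid is None when no cookie was sent."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            uid = m["uid"]
            yield m["ip"], m["page"], (None if uid == "-" else uid)

def profiles_by_cookie(log):
    """What the tracker sees when it keys on the cookie: uid -> pages and IPs."""
    profiles = defaultdict(lambda: {"pages": [], "ips": set()})
    for ip, page, uid in parse(log):
        if uid is not None:  # requests without a cookie cannot be joined
            profiles[uid]["pages"].append(page)
            profiles[uid]["ips"].add(ip)
    return dict(profiles)

def profiles_by_ip(log):
    """What the tracker would see if it only had the source address."""
    by_ip = defaultdict(set)
    for ip, _page, uid in parse(log):
        by_ip[ip].add(uid)
    return dict(by_ip)

if __name__ == "__main__":
    for uid, p in profiles_by_cookie(SAMPLE_LOG).items():
        print(uid, sorted(p["ips"]), p["pages"])
    for ip, uids in profiles_by_ip(SAMPLE_LOG).items():
        print(ip, uids)
```

Keyed on the cookie, visitor `a1f3` is one browsing history spanning home, VPN exit and coffee-shop addresses, while the VPN exit address on its own mixes several visitors together. Only the request that sent no cookie stays unlinked.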

I Guess It Is Hopeless, We Should All Submit….

Maybe. I mean, if you aren’t in some position where you are likely to be targeted specifically, and if you are just trying to protect yourself from the average threats out there, read some stuff on basic practices to stay safe online. A VPN will be a nice way of getting around region blocks but is probably overkill on a security/privacy front unless you are going to take the further steps to prevent people from coming after you. The scary hacker guys each of us are likely to face are going for numbers: you are going to be attacked among thousands of others who are being attacked, and if you are just a little careful and don’t do something dumb you should be okay!

Things To Do.

This is in no way an attack on VPNs; I really am all for the use of them, since you can get significantly faster speeds than routing all your traffic through Tor. And personally my tin foil hat slips at times and it has been a slow process of breaking bad habits. I have the Tor Browser for a lot of my reading and research. For university I use Firefox with the strictest privacy settings, and then I also have a plethora of extensions installed to secure things. And when I want speed, I use ProtonVPN to allow myself to get the speeds I need for watching videos and such without giving away my location. I personally believe that privacy and security are more of a practice than a commodity, and that is what upsets me most about VPN ads. I want my peers, my family, and the average person to do things like get VPNs, by default stop all cookies, use strong passwords, change the MAC address and other identifying bits of information they release. But advertisements like the ones done by NordVPN create a perception that you can buy this rock and all the tigers will run away from you. Anyone who is keen to be secure and private should probably have a VPN installed, but if you think a VPN is going to keep you private and secured then I have a bridge to sell you. If you do currently think that your VPN is protecting you and that is effectively the extent of your security plan, please read up on making a strong security plan, and what other steps you could be taking. If you are on Linux I would recommend using Tor Ghost, or Tor GhostNG (I like the MAC address manipulating but am so untrustworthy I have yet to make the shift), for things that aren’t going to be killed by the latency. I would recommend moving to a browser like Firefox, or, if you can’t be on something that isn’t like Chrome, Brave. I use Firefox and would recommend the following extensions to start with.

  • uBlock Origin to help block unwanted things.
  • Privacy Badger: I love the EFF, it is one of the few organizations I feel any affection towards, and this is a great tool for protecting your privacy. Their FAQs will explain much better than I ever could.
  • Ghostery: I believe in multiple points of failure, so you’ll see there are a lot of different blocking and tracking-removing extensions. Ghostery is another one of these which I like.
  • [HTTPS Everywhere](https://www.eff.org/https-everywhere) is a convenient way to get around the fact that a lot of places use HTTP as a default or may direct you to an HTTP link in their own site. (This is a better way to protect yourself from the coffee shop hackers).

That is not an exhaustive list, and it doesn’t cover everything I have on my browser. But it should be a good starting point if one wants to start being a little more secure with their browsers and internet traffic. There is obviously heaps more one can do, and I would recommend everyone get a VPN set up; just remember that it is only doing so much.

–R