this post was submitted on 27 Mar 2024
197 points (97.6% liked)

Privacy

31935 readers
692 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

This is the problem with using VPN services in general, you have to have complete trust in the service provider.

all 48 comments
sorted by: hot top controversial new old
[–] [email protected] 2 points 7 months ago

just wait until we hear about the new Crypto AG scandal

[–] [email protected] 4 points 7 months ago* (last edited 7 months ago)

“I can’t think of a good argument for why this is okay. No security person is ever comfortable with this

I agree, but wait till you hear what network appliances are doing and what processor manufacturers are doing..

[–] [email protected] 4 points 7 months ago (1 children)

A man-in-the-middle attack — nowadays also called adversary-in-the-middle

Oh Jesus why

[–] [email protected] 1 points 7 months ago

Because "adversary" is clearly gender neutral and "man" is not, so "man" isn't able to continue it's double meaning as being short for "mankind" which itself is short for "humankind," for fears that it's exclusionary.

[–] [email protected] 2 points 7 months ago

So..Facebook wanted to be a better app for sending disappearing dick pics?

[–] [email protected] 16 points 7 months ago (1 children)

Zuck really took that P out of VPN huh .

[–] [email protected] 11 points 7 months ago* (last edited 7 months ago)

"No security person is ever comfortable with this, no matter what consent we get from the general public. The general public just doesn’t know how this stuff works"

Apparently there was some debate among the Facebook leadership about whether getting clueless people to sign a consent form was good enough for them.

Cool.

PC principal collecting consent forms

[–] [email protected] 3 points 7 months ago (1 children)

So (and im asking for technical clarification as a layman) Facebook didn't put this data miner on unknowing user's phones but did pay teenagers to install one (onavo) on their phones that worked to decrypt traffic for everyone those users interacted with... Right?

[–] [email protected] -1 points 7 months ago

yup that's basically it

[–] [email protected] 28 points 7 months ago (4 children)

@yogthos Is anyone surprised by this anymore? Facebook is evil- full stop. We don't need any more reasons to obstain from using their products but "mArKeTplAcE" and "mY cOuSiNs WoNt SwiTcH."

[–] [email protected] 11 points 7 months ago

Maybe the idea is to show the folks who keep complaining about defederating from Threads that they either don't know or have forgotten just exactly what kind of company Meta is.

[–] [email protected] 0 points 7 months ago

Network effects do make it really hard for any new platform to displace the incumbents.

[–] [email protected] 9 points 7 months ago (2 children)

I'm trying really hard to get my family to use something else for communication but they won't. It's a fucking drag.

[–] [email protected] 7 points 7 months ago* (last edited 7 months ago) (1 children)

I feel you. I've spent the last couple years building up self hosted replacements for these enshittified services as they flop. But despite all the work I've put in, I can't even get them to log off facebook to look at what I've got.

[–] [email protected] 2 points 7 months ago (2 children)

What does yours have of value to them that Facebook doesn't?

[–] [email protected] 7 points 7 months ago* (last edited 7 months ago)

You make an excellent point, without use it’s mostly just there for nothing.. but, specifically I build shit that they complain about. I have my personal photo site up with all my digital photos from the last 25 years catalogued and available from anywhere, I did this because they complained about not having them accessible. Hasn’t been logged into by anyone but me...

But I don’t really blame them, I get it. The easy button is right there.

[–] [email protected] 4 points 7 months ago (1 children)

Marketplace is pretty useful. I hope a solid open-source alternative comes along.

[–] [email protected] 7 points 7 months ago* (last edited 7 months ago) (2 children)

What's important here is not the source code, but whether the service collects unnecessary information.

Craigslist does a pretty good job of respecting privacy.

[–] [email protected] 2 points 7 months ago (1 children)

I agree. However, I think that most people won't use Craigslist simply because it doesn't have a lot of the modern niceties, specifically modern messaging solutions. The email system they have is pretty painful to use.

[–] [email protected] 3 points 7 months ago (1 children)

It's easy enough to do messaging via text, or whatever other contact info you choose to give out. I like that I can use Craigslist without giving them much info about myself.

If you're suggesting that a messaging system built into the venue is critical for success, then I suppose all of us wanting privacy are out of luck for now... but perhaps Craigslist (or some other privacy-friendly venue) could make it happen by integrating Matrix.

[–] [email protected] 1 points 7 months ago (1 children)

I agree that most messaging services are problematic, but Facebook having Messenger is part of the moat that's keeping FB users on Marketplace. I think offering any non-email messaging solution would be hugely beneficial. I like the Matrix idea quite a bit.

[–] [email protected] 4 points 7 months ago

Europe's new Digital Markets Act might help in this department, too, through legally mandated interoperable messaging. Let's hope it works out in our favor.

[–] [email protected] 0 points 7 months ago (1 children)

Craigslist also doesn't have shit on it. try and buy a car on there. if you're looking for a beater, sure. but a halfway decent sports car, fb marketplace is the only place

its still OK for other stuff, I've bought tools and whatnot off Craigslist, but for vehicles fb is unfortunately still king

[–] [email protected] 7 points 7 months ago* (last edited 7 months ago) (1 children)

What you're describing is the network effect in action, not a flaw in Craigslist.

(It will be the same with every alternative you find, except perhaps one that's well funded with outside money, which will be awful on the privacy front, of course.)

The way we overcome a network effect is piece by piece:

  • First we switch to the privacy-friendly service for everything we can. That immediately reduces our exposure, reduces the power of the incumbent, and makes the alternative more useful by giving more users a reason to switch.
  • Then, over time, we switch for the remaining things as we find a suitable service for each one. (This might even be the same privacy-friendly alternative we started with, after it has grown a little.)

If I felt I had to buy a sports car, and some awful invasive site like Facebook was somehow the only viable venue, I would buy just the car there. I wouldn't make them the middle man for every other transaction in my life.

[–] [email protected] 2 points 7 months ago

well yea its not Craigslist itself that's the issue, its the fact that its a smaller platform. and yea I use eBay or Craigslist for everything but vehicles.its sad that Craigslist has been forgotten though.

[–] [email protected] 14 points 7 months ago (1 children)

you have to have complete trust in the service provider.

Not completley, there is 3rd party audit companies that can verify claims made by the VPN providers, like confirming no-log policy and such.

[–] [email protected] 6 points 7 months ago (2 children)

How do you trust the third parties? And even if the third parties think it is ok that doesn't mean that they aren't hiding something.

VPNs weren't designed to be private.

[–] [email protected] 2 points 7 months ago

The p stands for private. They were designed to connect someone to a remote intranet...privately.

Yes, VPNs were quite literally designed to be private

[–] [email protected] 2 points 7 months ago* (last edited 7 months ago) (1 children)

How do you trust the third parties?

How do you trust anyone? At some point you either do or don't, because it's just not possible to verify everything in your life.

The alternative would be not using an VPN and for me personally I trust my VPN provider a lot more than my luck of not getting chaught by chance.

[–] [email protected] -3 points 7 months ago (1 children)

Another option, if you have technical skills, is to just run your own VPN which tends to be pretty easy to setup on a VPS nowadays. You can find a VPS provider in a jurisdiction you want, and you control what gets logged.

[–] [email protected] 3 points 7 months ago* (last edited 7 months ago) (1 children)

....so, trust the hosting provider to not log...and that you won't screw up any config or update, and make sure to use anonymous payments, and...and...etc.

[–] [email protected] -3 points 7 months ago (1 children)

The only thing that actually matters is the jurisdiction. If your hosting provider is in a place that the country you live in can't legally force to hand the data over then you're much better off than using a service that may be sharing data with your government.

[–] [email protected] 4 points 7 months ago* (last edited 7 months ago) (1 children)

The topic in question here is not about government abuse of data, it's corporate abuses, but okay, let's set that aside.

You've said that it's safer to roll your own VPN using a VPS service precisely because you can't trust any VPN providers, or auditing organizations.

But you're now saying that you can trust a hosting provider based solely on which jurisdiction they reside in.

You're just arbitrarily picking which companies to trust with your connection traffic, but with added complexity, and significantly reduced egress locations for your traffic, which itself dramatically impacts any privacy benefits you were looking to achieve.

[–] [email protected] -2 points 7 months ago

First of all, nowhere did I say anything about trusting any hosting provider. The point once again was about jurisdiction of the provider. Meanwhile, there's nothing more arbitrary about picking a hosting provider than a VPN.

[–] [email protected] 4 points 7 months ago

This is the best summary I could come up with:


In 2016, Facebook launched a secret project designed to intercept and decrypt the network traffic between people using Snapchat’s app and its servers.

On Tuesday, a federal court in California released new documents discovered as part of the class action lawsuit between consumers and Meta, Facebook’s parent company.

“Whenever someone asks a question about Snapchat, the answer is usually that because their traffic is encrypted we have no analytics about them,” Meta chief executive Mark Zuckerberg wrote in an email dated June 9, 2016, which was published as part of the lawsuit.

When the network traffic is unencrypted, this type of attack allows the hackers to read the data inside, such as usernames, passwords, and other in-app activity.

This is why Facebook engineers proposed using Onavo, which when activated had the advantage of reading all of the device’s network traffic before it got encrypted and sent over the internet.

“We now have the capability to measure detailed in-app activity” from “parsing snapchat [sic] analytics collected from incentivized participants in Onavo’s research program,” read another email.


The original article contains 687 words, the summary contains 175 words. Saved 75%. I'm a bot and I'm open source!