Data brokers sell access to the backbone of the internet (opens in new tab)

(vice.com)

119 pointsmattei4y ago39 comments

39 comments

What blows my mind is the number of people signing up for these "VPN" services thinking it's secure. Time and time again we've found that they are logging and if they aren't it's logged at the flow point (as linked in this article).

I'm fine with VPN to evade restrictions or whatever purpose you want, but stop pretending it's all that different.

I can say though for a fact that a few of the largest security companies have been paying for strategic access to netflow in the us for years. The reality is there are good arguments pro and against.. and that doesn't even account for any "netflow" visibility US and Foreign Agencies may have.

We really have to determine what we want to be standard for privacy and what advancements we're willing to give up in exchange.

relax884y ago

Is anyone actually pretending it’s different?

Most people I talk to buy VPN services to avoid legal threats from pirated movies or to avoid traffic surveillance from their local ISP / workplace / institution.

I’ve never heard someone describe it like a hard-to-denonymize tor node or anything.

eloff4y ago

Lots of services are advertised that way. It's probably half the ads I encounter on YouTube.

1 more reply

yosito4y ago

Also to prevent people on your local network from snooping on your traffic and stealing credentials and other sensitive data that might be passed over the wire. I once had my AWS API keys compromised this way. It was a pain to resolve that situation. I'm a lot more careful now.

1 more reply

nisegami4y ago

I've held the same opinion for a long time, but this news gave me pause. Why would it be worth paying for data that can trace VPN traffic if they weren't doing _something_?

hnthrowtier14y ago

Power, paranoia, crime, curiosity.

Power: Businesses are run by humans, who do not merely optimize discounted cashflows. Some humans enjoy wielding power, and frequently do so in an antisocial manner. See eg Stanford Prison Experiment.

Paranoia: Royalty have always been paranoid. Much has been written about the intelligence operations of paranoid merchants in Renaissance Venice. You should think of huge private entities like Koch Industries and Bloomberg as kingdoms. Maybe security teams want to see threats, which increases their importance to the organization.

Crime: Theft, manipulation, subversion. Companies do crime all the time, and are rarely held to account. There are indirect indicators that this type of conduct is becoming more common.

Curiosity: According to Snowden, even cleared NSA employees who pass a polygraph and invasive FBI background check abuse their access to personal data out of curiosity. This is probably a human invariant.

0x0A1B2C4y ago

This is nothing new in terms of technology, ISPs have a legitimate reason to want to analyze traffic in that context. There is a fairly competitive market for software that ties it all together with DNS monitoring and metadata done through internet scans (Kentic, Deepfield).

The fact that ISPs are monetizing it and letting this data out of their control is utterly terrifying, and in the United States, specifically permitted by law.

atok14y ago

Why is it not illegal to sell this type of data everywhere?

missedthecue4y ago

"The information, known as netflow data, is a useful tool for digital investigators. They can use it to identify servers being used by hackers, or to follow data as it is stolen."

Doesn't look like they're selling 'atok1 loves to browse hacker news' type data.

wmf4y ago

We saw the same pattern with phone location data. ISPs are selling the data in bulk ("don't worry, they're not selling your data, they're selling everyone's data!") to "responsible" companies who then re-sell the ability to data-mine specific IPs. The result is that, yes, people in the know can pay to find out whether atok1 loves to browse hacker news.

atok14y ago

Even if that may be the case, on the surface, we have no control over what is done using secret agreements and decisions.

ssss114y ago

But that’s like saying it’s ok for banks to sell everyone’s bank account transactions because it’ll catch those pesky criminals when they make a transaction.

Why should everyone be surveillance for catching the minority who do the wrong thing. It’s not about whether anyone cares about atok1’s data specifically right now.

1 more reply

sixothree4y ago

Can I have your netflow data?

1 more reply

ryanlol4y ago

That’s exactly the kind of data they are selling.

andrewmcwatters4y ago

Can someone explain to me why anyone would use a consumer VPN versus SSH tunneling through to a nation with secure data privacy laws if you know what you're doing, other than convenience or the number of countries you can connect to for Netflix purposes maybe?

tdeck4y ago

Possibly because the former option is advertised constantly and most people aren't aware of the latter.

relax884y ago

VPN services are cheaper than a VPS and most people just want to pirate movies without getting legal threats or to avoid region locking.

andrewmcwatters4y ago

Are they? I can lease a VPS for under $12 a year. I don’t know of a VPN service that cheap unless it’s free and has limitations.

2 more replies

rPlayer65544y ago

Because good luck getting the average person to know what SSH is, much less how to use it.

nightpool4y ago

What's the next step to protect against traffic analysis? Are there any VPN providers that provide stochastic masking to defeat traffic analysis? Is TOR working on mitigations? A quick search turns up https://blog.torproject.org/new-low-cost-traffic-analysis-at..., which discusses the use of fixed-size padding in TOR protocol headers, but it's mostly focused on traffic analysis using then-commercially available data sources (for example, Real Time Bidding logs & DNS queries), and considers full netflow data a "high-effort" attack available only to "intelligence agencies". It seems like this may need to be reassessed.

EDIT: looks like this is addressed to some extent in the FAQ for Tor https://2019.www.torproject.org/docs/faq.html.en#SendPadding.

Cycl0ps4y ago

I'm still not sure how this compromises VPN use. ISP routes the connection so of course they can see when I use my VPN. From there I would assume the VPN works as a mixer and handles multiple connections through the same exit point, so you couldn't tell my traffic from another users. Is that not the case?

fulafel4y ago

An adversary who can see your vpn traffic can use traffic analysis [1] to correlate known protocol packet patterns and timestamps to netflow traces to known destinations serving known content with matching timestamps from vpn termination points.

[1] https://en.m.wikipedia.org/wiki/Traffic_analysis

OminousWeapons4y ago

Would this still be an effective attack if you used a single VPN provider with multiple hops and your adversary was not someone like a nation state? Alternatively, what if you did basic VPN chaining (e.g. you vpn to a pfsense instance or something on a VPS and configure outbound traffic on that server to be routed through a commercial VPN)?

2 more replies

MrWiffles4y ago

I’m wondering the same thing. The only thing I can think of is being able to correlate times, ports, and traffic volume from some origin, to some VPN node, then look for near identical data coming from that node to an ISP, and then on down the chain to identify the victi-err, I mean “person” accused of being a bad actor.

So I wonder: would the copyright nazis be able to use this kind of data corollary in court against an accused defendant? If the offense is civil I could see it being admissible since the burden of proof is lower (just has to be “fairly likely” AFAIK, but IANAL) than in criminal court. Though I don’t know if copyright infringement is a civil or criminal charge, and trust may depend on state.

Still, at best they could only match up pieces of the chain to dates times and data sizes, not see the actual data being transmitted over that connection (broken/weak crypto withstanding). But that might be enough to further persecute fair use, not to mention since other very dark stuff.

CarelessExpert4y ago

> I’m wondering the same thing. The only thing I can think of is being able to correlate times, ports, and traffic volume from some origin, to some VPN node, then look for near identical data coming from that node to an ISP, and then on down the chain to identify the victi-err, I mean “person” accused of being a bad actor.

Exactly that. As with Tor, if you can observe the entry and exit flows you can deanonymize the traffic.

villgax4y ago

Worldwide governments are starting to seek backdoors/monitoring into everything.

It's only a matter of time before either hardware or OS creators are all compelled.

tsjq4y ago

link to original article https://www.vice.com/en/article/jg84yy/data-brokers-netflow-...

ggm4y ago

Is there actually any contract here? Is there even an implied contract or obligations to privacy? I'm pretty sure that it's different for transit compared to edge.

SevenSigs4y ago

Could this be used to de-anonymize Tor users?

j / k navigate · click thread line to collapse

39 comments

ganoushoreilly4y ago

I'm fine with VPN to evade restrictions or whatever purpose you want, but stop pretending it's all that different.

We really have to determine what we want to be standard for privacy and what advancements we're willing to give up in exchange.

relax884y ago

Is anyone actually pretending it’s different?

Most people I talk to buy VPN services to avoid legal threats from pirated movies or to avoid traffic surveillance from their local ISP / workplace / institution.

I’ve never heard someone describe it like a hard-to-denonymize tor node or anything.

eloff4y ago

Lots of services are advertised that way. It's probably half the ads I encounter on YouTube.

1 more reply

yosito4y ago

1 more reply

nisegami4y ago

I've held the same opinion for a long time, but this news gave me pause. Why would it be worth paying for data that can trace VPN traffic if they weren't doing _something_?

hnthrowtier14y ago

Power, paranoia, crime, curiosity.

Crime: Theft, manipulation, subversion. Companies do crime all the time, and are rarely held to account. There are indirect indicators that this type of conduct is becoming more common.

0x0A1B2C4y ago

The fact that ISPs are monetizing it and letting this data out of their control is utterly terrifying, and in the United States, specifically permitted by law.

atok14y ago

Why is it not illegal to sell this type of data everywhere?

missedthecue4y ago

"The information, known as netflow data, is a useful tool for digital investigators. They can use it to identify servers being used by hackers, or to follow data as it is stolen."

Doesn't look like they're selling 'atok1 loves to browse hacker news' type data.

wmf4y ago

atok14y ago

Even if that may be the case, on the surface, we have no control over what is done using secret agreements and decisions.

ssss114y ago

But that’s like saying it’s ok for banks to sell everyone’s bank account transactions because it’ll catch those pesky criminals when they make a transaction.

Why should everyone be surveillance for catching the minority who do the wrong thing. It’s not about whether anyone cares about atok1’s data specifically right now.

1 more reply

sixothree4y ago

Can I have your netflow data?

1 more reply

ryanlol4y ago

That’s exactly the kind of data they are selling.

andrewmcwatters4y ago

tdeck4y ago

Possibly because the former option is advertised constantly and most people aren't aware of the latter.

relax884y ago

VPN services are cheaper than a VPS and most people just want to pirate movies without getting legal threats or to avoid region locking.

andrewmcwatters4y ago

Are they? I can lease a VPS for under $12 a year. I don’t know of a VPN service that cheap unless it’s free and has limitations.

2 more replies

rPlayer65544y ago

Because good luck getting the average person to know what SSH is, much less how to use it.

nightpool4y ago

EDIT: looks like this is addressed to some extent in the FAQ for Tor https://2019.www.torproject.org/docs/faq.html.en#SendPadding.

Cycl0ps4y ago

fulafel4y ago

[1] https://en.m.wikipedia.org/wiki/Traffic_analysis

OminousWeapons4y ago

2 more replies

MrWiffles4y ago

CarelessExpert4y ago

Exactly that. As with Tor, if you can observe the entry and exit flows you can deanonymize the traffic.

villgax4y ago

Worldwide governments are starting to seek backdoors/monitoring into everything.

It's only a matter of time before either hardware or OS creators are all compelled.

tsjq4y ago

link to original article https://www.vice.com/en/article/jg84yy/data-brokers-netflow-...

ggm4y ago

Is there actually any contract here? Is there even an implied contract or obligations to privacy? I'm pretty sure that it's different for transit compared to edge.

SevenSigs4y ago

Could this be used to de-anonymize Tor users?

j / k navigate · click thread line to collapse