Privacy... when it comes to AT&T, it may once again come at a cost:
AT&T plans to reinstate their GigaPower pay-for-privacy scheme, as revealed by AT&T VP Robert Quinn in a recent interview with C-SPAN. In 2014, AT&T started offering GigaPower 300 Mbps fiber internet in cities around the United States. Users signing up had the option of paying $29 more per month to guarantee that AT&T doesn't snoop on your internet traffic and serve you advertisements and offers from their MITM position on your internet. Yes, they actually put a price on privacy and it's coming back. GigaOM discovered that $29 a month ($348 per year) isn't even the real price of buying your privacy back from AT&T – the total bill could run up to $800 per year.
How well would a VPN protect you from this, and at what cost in [in]convenience?
(Score: 0) by Anonymous Coward on Monday July 10 2017, @01:24AM (10 children)
A VPN is fun to install, but watching someone else do it on YouTube is boring as hell.
https://www.youtube.com/results?search_query=softether [youtube.com]
Why YouTube? Dumbshits be dumb.
(Score: 0, Troll) by frojack on Monday July 10 2017, @03:25AM (7 children)
The problem is you have to terminate somewhere.
A reliable endpoint fast enough to not totally mess up your 300 Mbps fiber deal and at the same time be cheaper than $29 per month with guaranteed no-logging and no snooping might be harder to come by than you think.
There's a short term business model there. Offer VPN deals to AT&T customers for $10 per month.
But VPNs are notoriously simple for the NSA to compromise [forbes.com], which means they are also probably simple for AT&T to compromise. They are after all buddies.
Yet somehow there is always someone who chirps up about VPNs the instant any spying is mentioned. Useful Idiots is my guess.
No, you are mistaken. I've always had this sig.
(Score: 5, Informative) by NotSanguine on Monday July 10 2017, @05:55AM (5 children)
Geez Frojack, you left out the important part of the Forbes article [forbes.com] you linked:
The hack had nothing to do with cracking encryption, rather it exploited a nine year-old vulnerability in the firewall/VPN server from *one* manufacturer. What's more, that hack required gaining access to a VPN endpoint. Is AT&T going to hack the VPN servers of other corporations to further their nefarious browser tracking plot?
If you want to make an argument about how "All VPN is insecure" (which was your clear implication), and AT&T can just decrypt any data (via a MITM attack) you pass across its network, then explain how the economics of brute force cracking even 128 bit encryption for thousands, if not tens or hundreds of thousands of VPN tunnels would work?
Given that current supercomputers would require longer than the universe has existed to crack a single 128 bit key, and many VPN providers (whether commercial or corporate) use 256 bit keys, good luck with that.
Certainly, a state-level actor might well compromise VPN endpoints, making brute force cracking unnecessary, but it's unlikely that AT&T would do so. I suppose they could try to ban VPN connections unless you pay extra, but that would likely backfire badly.
So please Frojack, explain to us again why VPNs are useless to avoid tracking by AT&T?
There are certainly issues with using VPN as a primary conduit to the Internet, mostly performance related, but the idea that AT&T can or will crack your VPN encryption just to track your browsing history? Please.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by FatPhil on Monday July 10 2017, @02:18PM (1 child)
One manufacturer that, shall we say, had its legs wide open when it came to the government and its request for snooping.
Source? Shall we just say that I once crossed paths with a CPU manufacturer that had its legs wide open when it came to Cisco requesting snooping-related features, all on the hush-hush (not in any product specs the rest of the world would see).
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by NotSanguine on Monday July 10 2017, @07:33PM
I have no illusions about Cisco's relationship with various governments, and have spent many years implementing and managing their security and network devices. But we're not talking about state-level actors. We're talking about AT&T.
The idea that AT&T would perform wholesale hacking/intrusions into the VPN infrastructures of commercial VPN providers and corporations in order to support their browser tracking program stretches credulity more than a little, don't you think?
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by frojack on Tuesday July 11 2017, @03:20AM (2 children)
Ah the expected frantic handwaving of denial. So predictable.
https://www.google.com/amp/s/www.theregister.co.uk/AMP/2016/02/26/ssl_vpns_survey/ [google.com]
https://www.theregister.co.uk/2015/10/24/nsa_encryption_hack/ [theregister.co.uk]
https://www.theregister.co.uk/2015/05/20/logjam_johns_hopkins_cryptoboffin_ids_next_branded_bug/ [theregister.co.uk]
https://www.tripwire.com/state-of-security/latest-security-news/researchers-reveal-top-vpn-services-leak-ip-data-vulnerable-to-dns-hijacking/ [tripwire.com]
Go ahead, put your fingers in your ears and sing la la la real loud.
No, you are mistaken. I've always had this sig.
(Score: 2) by shipofgold on Tuesday July 11 2017, @04:05AM
AT&T are going for the low hanging fruit. Until a significant portion of their subscribers use a VPN there is no incentive to circumvent.
I don't think more than 10% would ever use a VPN so VPN users will be protected for the foreseeable future from their crap.
On the other hand, there will also be some who simply don't set up the VPN correctly... Everything going through a tunnel and still using AT&T's DNS servers is probably not the best idea.
I do agree that a VPN is not the easiest solution. I set up my router to send everything through a tunnel but find that things like NETFLIX don't play nice. Also, banks want two factor every time if accessed via a VPN.
Some people will give up privacy just for convenience.
I feel AT&T won't get into my openvpn connection for now... But Amazon and friends will still track me... which is harder to kill because it requires configuring every device to be effective.
(Score: 2) by NotSanguine on Tuesday July 11 2017, @04:44AM
I didn't say that VPNs were completely secure, or couldn't be hacked. I said AT&T would be extremely unlikely to commit thousands (perhaps tens of thousands) of felonies to support their browser tracking program.
What's more, *properly* implemented VPNs (whether they be TLS or IPSec based) are prohibitively expensive to brute force.
Regardless, I'm not suggesting you do anything you don't want to do, nor am I saying that VPNs can't be hacked.
I am saying that AT&T isn't going to risk the potential legal, PR and financial repercussions of hacking their customers via MITM attacks and, in the case of your initial example (from Forbes), compromising thousands of VPN endpoints to enable them to track your browsing history.
Get a grip.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by SanityCheck on Tuesday July 11 2017, @01:00AM
If you think that AT&T will take your $30 and do what they say they will do, well then I got a bridge to sell you.
(Score: 2, Disagree) by frojack on Monday July 10 2017, @03:30AM (1 child)
Just use the best Adblock-er you can find. Where there is no money to be made there is no reason to carry on with all the snooping.
No, you are mistaken. I've always had this sig.
(Score: 1, Touché) by Anonymous Coward on Monday July 10 2017, @05:09PM
You quoted Forbes. What ad blocker do you use?
(Score: 0) by Anonymous Coward on Monday July 10 2017, @01:29AM (7 children)
By now, you are a certified moron if you pay AT&T for anything. If there is no alternative, go without or move.
(Score: 0) by Anonymous Coward on Monday July 10 2017, @01:38AM (5 children)
Can't move without money, can't get money without a job, can't get a job without a phone.
(Score: 0) by Anonymous Coward on Monday July 10 2017, @01:39AM (4 children)
And you don't need AT&T for any of those items you mentioned. Do you have any other stupid comments to make?
(Score: -1, Troll) by Anonymous Coward on Monday July 10 2017, @01:57AM (1 child)
Yes I do. Joo shood uze a VPN dudebro. I iz leet as fuk!
(Score: -1, Troll) by Anonymous Coward on Monday July 10 2017, @03:54AM
U iz a deplorable
(Score: 2) by Arik on Monday July 10 2017, @02:43AM (1 child)
If laughter is the best medicine, who are the best doctors?
(Score: 2) by Pino P on Monday July 10 2017, @02:13PM
Then "get screwed slightly less vigorously with" T-Mobile or Ting.
(Score: 0) by Anonymous Coward on Monday July 10 2017, @06:14AM
Have to agree. AT&T is a lake of dicks. They invent new ways to be annoying every month, as if bonuses are handed out for the most annoying idea from the Satanic Marketing PHB's.
(Score: 4, Interesting) by idiot_king on Monday July 10 2017, @02:47AM (6 children)
How many times do megacorporations need to violate people's privacy for them to get sick of it? When will people learn that in a Capitalist society this type of crap will always happen! I'm surprised that people let this get so bad sometimes, but I also forget that Capitalism acts as a sedative to control. I only hope that my young generation will wake up to the call of Marx and push this nonsense out. But that's for hoping....
(Score: 2) by bradley13 on Monday July 10 2017, @10:10AM (3 children)
Marxism? You're kidding, right? Because governments would never violate their citizens' privacy :-/
Seriously, capitalism and democracy may not be the best systems possible, but they are a lot better than anything else people have come up with. Take the long view, and look at Western technological and societal progress over the past few hundred years. Granted, pure democracy and pure capitalism may have their excesses - there's a reason for having constitutions and other restraints. But, in their essence, these two systems have dragged more people out of poverty and into the middle class than anything else ever tried.
Everyone is somebody else's weirdo.
(Score: 2, Informative) by Anonymous Coward on Monday July 10 2017, @05:13PM (1 child)
Capitalism, democracy: pick one.
(Score: 4, Informative) by fyngyrz on Monday July 10 2017, @07:21PM
Yeah, here in the USA we've gone ahead and picked* rule by oligarchy. That's like capitalism, but where the successful capitalists** are a club you usually can't get into, and who run the government more or less directly, except when they do it indirectly.
But hey, thanks for playing "ways to avoid degenerative social structures."
* By "picked", I mean "the voters allowed the perpetrators to take over."
** The average member of congress's net worth is over a million dollars. They're the bottom feeders in the system, bowing and scraping for favors from the truly powerful. What? You thought you were the bottom feeder? No, see, you're the product. You're not included in the target system. Everything that can be monetized about you has been, and is being, bought and sold. Your rights, your attention, your work product, your health, your emotional state, your access to fungible resources.
</truth>
(Score: 2) by bob_super on Monday July 10 2017, @06:30PM
> Because governments would never violate their citizens' privacy
Why do we keep getting this stupid argument?
Government knows all about you already: birth, where you live, send your kids, work, how much you make ... You provide that info at all times to the government, and you get services in return (whether you want all of them or not being a side topic).
When AT&T, FB, Google want to know everything about your life, it's to maximize profit from it by selling it to anyone with cash, regardless of nefarious intentions.
Why do Americans keep equaling their government, which they so love to claim is the best system, with greedy corporations? You're definitely overdue for a revolution, or you just need to shut up!
(Score: 0) by Anonymous Coward on Monday July 10 2017, @11:04AM
Not good enough. It is a more fundamental problem, and Marxism also has no solution to it. You see, the society is a support structure for individuals, we need common interests identified and upheld, and we always fall into concentration, and often even centralization, of power trap. Societies built around Marxism also became enemies of freedom, because Marxism is but a finger-pointing. We need a new thinking: how do we equalize and protect ourselves from powerful other individuals and gangs, without resorting to policing everyone and without giving everyone power to hurt everyone else?
(Score: 0) by Anonymous Coward on Monday July 10 2017, @12:10PM
In a Marxist society, they'd need privacy invasion more than ever. Otherwise, they'll have a harder time executing people for questioning the state, disobeying orders, unauthorized travel, not wanting to do their job, wanting to change careers despite the state's economic plan, entrepreneurship, unauthorized sales of anything even on a small scale, producing artwork/writing/philosophy/thoughts/speech that are not ideologically uplifting and consistent with the state's interpretation, and in general putting the state above all else, including one's own family and life. Accordingly privacy invasion would be built into the hardware - if you're granted permission to buy it - and circumvention would be punishable by death.
(Score: 0) by Anonymous Coward on Monday July 10 2017, @03:24AM (2 children)
VPNs now have their own clients. Easy to install, easy to use. NordVPN works very well.
(Score: 0, Flamebait) by frojack on Monday July 10 2017, @03:28AM (1 child)
Says who? Another useful idiot.
No, you are mistaken. I've always had this sig.
(Score: 2, Insightful) by Anonymous Coward on Monday July 10 2017, @04:59AM
The NSA can throw crackers at a VPN provider they want to see but AT&T isn't going to do that for commercial purposes.
(Score: 0) by Anonymous Coward on Monday July 10 2017, @09:00AM (9 children)
Net neutrality hasn't been repealed just yet, and even once the rules are changed, they're going to go to court again. The same courts that just decided that Title II was correct will now have to say that removing that classification after just two years is the right thing to do (while looking forward to hearing the exact same case again in 2021). There is a real chance that the courts will tell the FCC they have to stick with Title II.
And even without that, everything will be HTTPS soon anyway. The ISP can still snoop on your DNS queries, but a VPN that just takes care of DNS would be very cheap, possibly free. Once 99% of the Internet is on HTTPS, a free/very-cheap VPN could handle HTTP traffic too since almost all of it would just be redirecting to HTTPS. That may not even be necessary, as browsers will eventually default to HTTPS unless the user explicitly specifies HTTP.
Anyone who's privacy-minded can defeat this far more easily than paying $800 a year.
(Score: 0) by Anonymous Coward on Monday July 10 2017, @09:29AM
Except for SNI, which is in the clear. So who cares about DNS being VPN when your HTTP->HTTPS upgrade via SNI is in the clear?
(Score: 0, Disagree) by Anonymous Coward on Monday July 10 2017, @09:48AM (5 children)
HTTPS does not help when it's MITM, they will make you accept their certificate to browse the internet, and all traffic is then able to be decrypted on the fly with ads inserted.
(Score: 2) by jasassin on Monday July 10 2017, @11:03AM (3 children)
What? The whole point is to prevent MITM.
jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
(Score: 0) by Anonymous Coward on Monday July 10 2017, @01:04PM (2 children)
Does AT&T own a certificate authority whose root certificates are generally installed in browsers? Then they can simply generate their own "valid" certificate for any domain they want.
If not, they can still generate a root certificate of their own, and require customers to install it for access to pages related to the contract. Of course the browser will then accept the same root certificate for verifying certificates of any domain.
(Score: 2) by Pino P on Monday July 10 2017, @02:48PM
Android 7 and later distrust user-installed TLS certificates by default. From Add & remove certificates > Advanced topics > Work with CA certificates (trusted credentials) [google.com]:
An application's developer has to opt in to trusting user-installed root certificates through Network Security Config in the app's manifest [googleblog.com]. I haven't seen evidence one way or the other as to whether Google Chrome opts in, as the manifest in the official Chromium repository [googlesource.com] is a "dummy manifest" that doesn't link to a network security configuration file.
(Score: 0) by Anonymous Coward on Monday July 10 2017, @05:19PM
> Does AT&T own a certificate authority whose root certificates are generally installed in browsers?
Signs point to "no."
(Score: 2) by Wootery on Thursday July 13 2017, @11:05AM
Except that they haven't done this, and you're just playing psychic.
I imagine they're afraid of the bad PR of them getting access to your online banking traffic, but there's also the technical/practicality question. Adding a malicious cert to all customers' browsers on all their devices, wouldn't be easy. Browsers are built to make this difficult. It would also mean that AT&T connections wouldn't work for, say, guests on their smartphones trying to use HTTPS.
(Score: 0) by Anonymous Coward on Monday July 10 2017, @06:01PM (1 child)
A website using HTTPS has to have a unique IP address. Unlike HTTP, you can't have multiple sites on the same IP address. Knowing the IP address, a snoop could find out the hostname of the site by initiating his own SSL connection. For example, when I try to open https://45.56.123.192/ [45.56.123.192] in Firefox I'm notified that
A snoop who wanted to be less conspicuous could do a reverse DNS lookup, or check whois records.
(Score: 0) by Anonymous Coward on Monday July 10 2017, @06:14PM
That used to be true but it isn't any more:
https://en.m.wikipedia.org/wiki/Server_Name_Indication [wikipedia.org]
But as a previous poster points out, even though it's https, the snooper can still see what site you are connected to. Hopefully some future version of the protocol will encrypt that too.
Many small sites use shared hosting and encrypted SNI would, hypothetically, prevent a snooper from seeing exactly which site on the server you are connecting to. At that point encrypted or VPN'd DNS would be helpful but right now it wouldn't do much.
The "https solution" is really useful right now only for big sites like Google or Facebook, where knowing you visited doesn't give the snooper much useful information, but knowing what you did there could be valuable.
(Score: 0) by Anonymous Coward on Monday July 10 2017, @12:59PM (3 children)
Imagine if you were offered a flat like this:
"Oh, by the way, you can save $100 per month if you allow me to activate the cameras in the flat and then project ads on the walls depending on what you are currently doing."
I think this would give trouble for whoever made that offer. So why is this any different for ISPs?
(Score: 1, Insightful) by Anonymous Coward on Monday July 10 2017, @02:48PM (1 child)
Ah, but they worded the offer as:
"Oh, by the way, you can pay $100 per month and I will deactivate the cameras in the flat and stop projecting ads on the walls depending on what you are currently doing."
And that, naturally, makes it okay. Free market in action!
(Score: 2) by bob_super on Monday July 10 2017, @06:58PM
Not quite: The ad projectors will stop. You will be told that the cameras have been deactivated.
(Score: 2, Touché) by Anonymous Coward on Monday July 10 2017, @05:34PM
> I think this would give trouble for whoever made that offer.
Facebook claims 2 billion users. A reality TV star became president.
(Score: 3, Informative) by noneof_theabove on Monday July 10 2017, @01:47PM (3 children)
Using Opera on all systems
which has a "free in opera" built in VPN [also offer a full VPN product].
This is fine if all you do is browser based.
Note: do not use if using a service as below it wrecks the speeds.
Loaded with "anti-?" adguard, scriptblock, privacy badger, ublock origin.
Since I use Thunderbird Email on Linux I optioned to use a VPN Service.
For a comprehensive list in a xls or odt spreadsheet go here https://thatoneprivacysite.net/vpn-section/ [thatoneprivacysite.net]
They now have a "simple" and "detailed" comparison when I checked today
[not affiliated with site but used it to make my decision on service]
Testing with Spectrum/TWC at https://www.spectrum.com/internet/speed-test-support-twc [spectrum.com] who is my ISP [locked in no other choice]
Located in Corpus Christi Texas Market
without VPN Service on Windows 7 [with follows]
Client: 72.191.x.x - Time Warner Cable [that is the modem IP address]
Server: Austin, TX
Up: 116.88 Mbps
Down: 11.60 Mbps
Ping: 21 ms
Windows 7 host
Client: 173.239.x.x - LogicWeb Inc
Server: New York, NY
Up: 64.57 Mbps
Down: 8.27 Mbps
Ping: 76 ms
VirtualBox running SolydK Linux [solydxk.com]
Client: 173.239.x.x - LogicWeb Inc
Server: New York, NY
Up: 54.60 Mbps
Down: 10.86 Mbps
Ping: 83 ms
VPN Service
Private Internet Access [www.privateinternetaccess.com]
3193+ Servers in 24 Countries
$39.95 per year for 5 devices
Installation was simple and complete in both windows and linux with good support, instructions and videos.
Download program file and run/install it.
Setup your user/password pick your connection point - DONE
Compatibility:
Mac OS X 10.4-10.12
Windows 7/8/10
Linux [for Ubuntu but SolydK is Debian based and worked fine YMMV]
iPad
Android
dd-wrt [compatible routers]
OpenVPN
Tomato OpenVPN
PfSense OpenVPN
Go here https://www.privateinternetaccess.com/pages/how-it-works/ [privateinternetaccess.com]
and you get your connection info, for me is above info, along with browser, OS, Screen Resolution
That's how I did it about 2 days after PieFace at the FCC sanctioned the out of control capitalism business model, and flushed our privacy down the toilet.
Yes, there are few hiccups here and there with a locked down system but it is unavoidable collateral damage and I just live with it, like messed up page layouts.
Just so you know, I am product of the 70's and involved in electronics, communications, programming, building/servicing pc's and networks for 40+ years.
AT&T is just the start of this by setting the precedent and the others will soon follow.
Remember, if a company wants to give you something for free, you should consider that you are their product and if they unjustifiably start charging more it is theft.
Disclaimer: I am a customer/user and do not receive any compensation directly or indirectly from any company or organization mentioned. All statements are my own.
(Score: 1, Informative) by Anonymous Coward on Monday July 10 2017, @09:50PM
How do you reconcile these two of your sentences?
- Using Opera on all systems which has a "free in opera" built in VPN
- Remember, if a company wants to give you something for free, you should consider that you are their product
You know, closed source software, owned by a... Chinese company.
(Score: 2) by shipofgold on Tuesday July 11 2017, @04:32AM (1 child)
I have 20+ devices (desktops, laptops, tablets, phones, smart TVs, TV boxes, etc.) on my network so I opted to put the VPN on my router so that all traffic goes through the tunnel.
Issues include NETFLIX refusing to work, banks requiring two factor every time I log in, and my kid complaining about ping times going to hell.
TVs and my kid's desktop have to be routed outside the tunnel. Occasional WWW sites won't work and Amazon and Co still track unless I configure every device with ad blockers. Not as easy as it sounds.... But worth it for me. My wife thinks I am paranoid.
(Score: 1) by purple_cobra on Friday July 14 2017, @11:30AM
(Score: 1) by mobydisk on Monday July 10 2017, @05:09PM (2 children)
Is this a result of the FCC rule change that allows them to sell this information?
(Score: 2, Informative) by mobydisk on Monday July 10 2017, @05:13PM (1 child)
Oops, RTFA. Yes indeed, the FCC rule change is what caused this.
(Score: 2) by DeathMonkey on Monday July 10 2017, @06:02PM
So a VPN may or may not offer protection. Title II definitely would. Good to know...
(Score: 0) by Anonymous Coward on Monday July 10 2017, @09:42PM
Just install I2P and do NOTHING in the open, even ordering a damned pizza. F-them.