Privacy... when it comes to AT&T, it may once again come at a cost:
AT&T plans to reinstate their GigaPower pay-for-privacy scheme, as revealed by AT&T VP Robert Quinn in a recent interview with C-SPAN. In 2014, AT&T started offering GigaPower 300 Mbps fiber internet in cities around the United States. Users signing up had the option of paying $29 more per month to guarantee that AT&T doesn't snoop on your internet traffic and serve you advertisements and offers from their MITM position on your internet. Yes, they actually put a price on privacy and it's coming back. GigaOM discovered that $29 a month ($348 per year) isn't even the real price of buying your privacy back from AT&T – the total bill could run up to $800 per year.
How well would a VPN protect you from this, and at what cost in [in]convenience?
(Score: 0, Troll) by frojack on Monday July 10 2017, @03:25AM (7 children)
The problem is you have to terminate somewhere.
A reliable endpoint fast enough to not totally mess up your 300 Mbps fiber deal and at the same time be cheaper than $29 per month with guaranteed no-logging and no snooping might be harder to come by than you think.
There's a short term business model there. Offer VPN deals to AT&T customers for $10 per month.
But VPNs are notoriously simple for the NSA to compromise [forbes.com], which means they are also probably simple for AT&T to compromise. They are after all buddies.
Yet somehow there is always someone who chirps up about VPNs the instant any spying is mentioned. Useful Idiots is my guess.
No, you are mistaken. I've always had this sig.
(Score: 5, Informative) by NotSanguine on Monday July 10 2017, @05:55AM (5 children)
Geez Frojack, you left out the important part of the Forbes article [forbes.com] you linked:
The hack had nothing to do with cracking encryption, rather it exploited a nine year-old vulnerability in the firewall/VPN server from *one* manufacturer. What's more, that hack required gaining access to a VPN endpoint. Is AT&T going to hack the VPN servers of other corporations to further their nefarious browser tracking plot?
if you want to make an argument about how "All VPN is insecure" (which was your clear implication), and AT&T can just decrypt any data (via a MITM attack) you pass across its network, then explain how the economics of brute force cracking even 128 bit encryption for thousands, if not tens or hundreds of thousands of VPN tunnels would work?
Given that current supercomputers would require longer than the universe has existed to crack a single 128 bit key, and many VPN providers (whether commercial or corporate) use 256 bit keys, good luck with that.
Certainly, a state-level actor might well compromise VPN endpoints, making brute force cracking unnecessary, but it's unlikely that AT&T would do so. I suppose they could try to ban VPN connections unless you pay extra, but that would likely backfire badly.
So please Frojack, explain to us again why VPNs are useless to avoid tracking by AT&T?
There are certainly issues with using VPN as a primary conduit to the Internet, mostly performance related, but the idea that AT&T can or will crack your VPN encryption just to track your browsing history? Please.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by FatPhil on Monday July 10 2017, @02:18PM (1 child)
One manufacturer that, shall we say, had it's legs wide open when it came to the government and its request for snooping.
Source? Shall we just say that I once crossed paths with a CPU manufacturer that had its legs wide open when it came to Cisco requesting snooping-related features, all on the hush-hush (not in any product specs the rest of the world would see).
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by NotSanguine on Monday July 10 2017, @07:33PM
I have no illusions about Cisco's relationship with various governments, and have spent many years implementing and managing their security and network devices. But we're not talking about state-level actors. We're talking about AT&T.
The idea that AT&T would perform wholesale hacking/intrusions into the VPN infrastructures of commercial VPN providers and corporations in order to support their browser tracking program stretches credulity more than a little, don't you think?
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by frojack on Tuesday July 11 2017, @03:20AM (2 children)
Ah the expected frantic handwaving of denial. So predictable.
https://www.google.com/amp/s/www.theregister.co.uk/AMP/2016/02/26/ssl_vpns_survey/ [google.com]
https://www.theregister.co.uk/2015/10/24/nsa_encryption_hack/ [theregister.co.uk]
https://www.theregister.co.uk/2015/05/20/logjam_johns_hopkins_cryptoboffin_ids_next_branded_bug/ [theregister.co.uk]
https://www.tripwire.com/state-of-security/latest-security-news/researchers-reveal-top-vpn-services-leak-ip-data-vulnerable-to-dns-hijacking/ [tripwire.com]
Go ahead, put your fingers in your ears and sing la la la real loud.
No, you are mistaken. I've always had this sig.
(Score: 2) by shipofgold on Tuesday July 11 2017, @04:05AM
AT&T are going for the low hanging fruit. Until a significant portion of their subscribers use a VPN their is no incentive to circumvent.
I don't think more than 10% would ever use a VPN so VPN users will be protected for the foreseeable future from their crap.
On the other hand, there will also be some who simply don't set up the VPN correctly... Everything going through a tunnel and still using AT&T's DNS servers is probably not the best idea.
I do agree that a VPN is not the easiest solution. I set up my router to send everything through a tunnel but find that things like NETFLIX don't play nice. Also, banks want two factor with every time if accessed via a VPN.
Some people will give up privacy just for convenience.
I feel AT&T won't get into my openvpn connection for now... But Amazon and friends will still track me... which is harder to kill because it requires configuring every device to be effective.
(Score: 2) by NotSanguine on Tuesday July 11 2017, @04:44AM
I didn't say that VPNs were completely secure, or couldn't be hacked. I said AT&T would be extremely unlikely to commit thousands (perhaps tens of thousands) of felonies to support their browser tracking program.
What's more, *properly* implemented VPNs (whether they be TLS or IPSec based) are prohibitively expensive to brute force.
Regardless, I'm not suggesting you do anything you don't want to do, nor am I saying that VPNs can't be hacked.
I am saying that AT&T isn't going to risk the potential legal, PR and financial repercussions of hacking their customers via MITM attacks and, in the case of your initial example (from Forbes), compromising thousands of VPN endpoints to enable them to track your browsing history.
Get a grip.
No, no, you're not thinking; you're just being logical. --Niels Bohr
(Score: 2) by SanityCheck on Tuesday July 11 2017, @01:00AM
If you think that AT&T will take your $30 and do what they say they will do, well then I got a bridge to sell you.