
posted by martyb on Tuesday July 27 2021, @05:53PM
from the virtual-protection dept.

VPN servers seized by Ukrainian authorities weren’t encrypted:

Privacy-tools-seller Windscribe said it failed to encrypt company VPN servers that were recently confiscated by authorities in Ukraine, a lapse that made it possible for the authorities to impersonate Windscribe servers and capture and decrypt traffic passing through them.

The Ontario, Canada-based company said earlier this month that two servers hosted in Ukraine were seized as part of an investigation into activity that had occurred a year earlier. The servers, which ran the OpenVPN virtual private network software, were also configured to use a setting that was deprecated in 2018 after security research revealed vulnerabilities that could allow adversaries to decrypt data.

“On the disk of those two servers was an OpenVPN server certificate and its private key,” a Windscribe representative wrote in the July 8 post. “Although we have encrypted servers in high-sensitivity regions, the servers in question were running a legacy stack and were not encrypted. We are currently enacting our plan to address this.”

[...] By failing to follow standard industry practices, Windscribe largely negated [...] security guarantees. While the company attempted to play down the impact by laying out the requirements an attacker would have to satisfy to be successful, those conditions are precisely the ones VPNs are designed to protect against.

[...] It’s not clear how many active users the service has. The company’s Android app, however, lists more than 5 million installs, an indication that the user base is likely large.



  • (Score: 0) by Anonymous Coward on Tuesday July 27 2021, @06:07PM (3 children)

    by Anonymous Coward on Tuesday July 27 2021, @06:07PM (#1160417)

    Could this be the break needed for art industry experts to locate the missing laptop that's full of secrets on how to become a successful artist able to sell paintings for $500,000 a pop?

    • (Score: 0) by Anonymous Coward on Tuesday July 27 2021, @09:18PM

      by Anonymous Coward on Tuesday July 27 2021, @09:18PM (#1160471)

      Well, get Super Sleuth Rudy G. on the case! He'll get to the bottom of it. In fact, I hear he already has the laptop. I heard him mumbling something about it when I was out picking up some landscaping supplies.

    • (Score: 2) by DrkShadow on Wednesday July 28 2021, @04:34AM (1 child)

      by DrkShadow (1404) on Wednesday July 28 2021, @04:34AM (#1160568)

      Context?

      • (Score: 2) by kazzie on Wednesday July 28 2021, @08:48AM

        by kazzie (5309) Subscriber Badge on Wednesday July 28 2021, @08:48AM (#1160602)

        ... is lacking.

        It's either a reference to a member of the US President's family, or a very insecure password [bash.org].

  • (Score: 5, Insightful) by Runaway1956 on Tuesday July 27 2021, @06:10PM (5 children)

    by Runaway1956 (2926) Subscriber Badge on Tuesday July 27 2021, @06:10PM (#1160418) Journal

    VPN servers in a fascist state, possibly relied on by journalists and human rights activists.

    “Although we have encrypted servers in high-sensitivity regions . . .”

    Ukraine is not a sensitive region?

    I don't know enough expletives to use for these idiots. FFS, the United States and the UK are sensitive if you're a human rights activist, a journalist, or a whistleblower - Ukraine is not?

    It's easier to believe that someone at Windscribe simply rolled over, and gave the keys to the Ukraine government. Seriously, it's hard to believe that any VPN server operator was THAT STUPID!

    • (Score: 4, Interesting) by DannyB on Tuesday July 27 2021, @08:46PM (3 children)

      by DannyB (5839) Subscriber Badge on Tuesday July 27 2021, @08:46PM (#1160457) Journal

      it's hard to believe that any VPN server operator was THAT STUPID!

      Yep.

      It's the only plausible, but not really plausible excuse they could come up with.

      They probably cannot say: the repressive fascist regime made me do it.

      They probably could say: OMG, but haxorz! They did it!

      But then this would make them look like idiots also. And possibly reflect poorly on the repressive fascist regime where everything is supposed to be unicorns and rainbows.

      So just say that these servers weren't encrypted -- but all our other servers are encrypted! Honest! Pinky square!

      --
      The lower I set my standards the more accomplishments I have.
      • (Score: 2) by Gaaark on Tuesday July 27 2021, @10:06PM (2 children)

        by Gaaark (41) on Tuesday July 27 2021, @10:06PM (#1160484) Journal

        Pinky square!

        https://www.youtube.com/watch?v=XnXKVY-_i2c [youtube.com]

        Gods, the laugh track... only bad part of that show.

        --
        --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
        • (Score: 2) by DannyB on Wednesday July 28 2021, @01:48PM (1 child)

          by DannyB (5839) Subscriber Badge on Wednesday July 28 2021, @01:48PM (#1160627) Journal

          I wood banish the laugh track back from wince it came.

          Yule note that I use whatever word is moist suitable fore my porpoises, weather anyone agrees or knot.

          Yore illegally parked car will be toad.

          --
          The lower I set my standards the more accomplishments I have.
          • (Score: 2) by Gaaark on Wednesday July 28 2021, @08:12PM

            by Gaaark (41) on Wednesday July 28 2021, @08:12PM (#1160757) Journal

            O'tay!

            --
            --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
    • (Score: 2) by fakefuck39 on Wednesday July 28 2021, @01:24PM

      by fakefuck39 (6620) on Wednesday July 28 2021, @01:24PM (#1160624)

      Ukraine is a weird place. I lived there for a year and a half about 5 years ago. Ran a karaoke bar on the side, did some remote work. If your income is in the states, you can live like a king on your spare change. The thing is, if you have cash, and not even a lot of cash, it's amazing the quality of life you can have.

      There's a lot of corruption there still, but they're by no means authoritarian. They replaced pretty much all their cops, have much higher standards for legislation and freedom, and are well on their way to becoming part of the EU. It's not authoritarian by any means, or oppressive. Very free country, with a fresh free outlook on the future.

      Now, the people there, that's another story. They're extremely friendly on the outside, complete shit with zero ethics once you get to know them. And any type of job that needs to be done, if they can do it half-assed they will. The more likely explanation here is not a government asking for encryption keys. They don't care about internet traffic monitoring, don't have the resources, and are dealing with other shit at the moment. Now, a bunch of IT people being drunk, not caring, and doing sloppy work - yeah. Like not bothering to set up encryption, or more likely having issues with configuration, or caching, or riverbeds, and instead of fixing it right, they just turn it off.

  • (Score: 2, Offtopic) by Rosco P. Coltrane on Tuesday July 27 2021, @06:38PM (8 children)

    by Rosco P. Coltrane (4757) on Tuesday July 27 2021, @06:38PM (#1160423)

    People looking to escape surveillance from their government, Google, the NSA and other sumbitches got shafted by the single point of failure they chose to entrust their entire traffic to? You don't say?

    Gee, I didn't see that one coming...

    • (Score: 2) by darkfeline on Tuesday July 27 2021, @07:02PM (7 children)

      by darkfeline (1030) on Tuesday July 27 2021, @07:02PM (#1160426) Homepage

      As fun as that sounds, I'm pretty sure that Google isn't raiding other private datacenters to get ad targeting data.

      --
      Join the SDF Public Access UNIX System today!
      • (Score: 4, Insightful) by Rosco P. Coltrane on Tuesday July 27 2021, @07:10PM (6 children)

        by Rosco P. Coltrane (4757) on Tuesday July 27 2021, @07:10PM (#1160430)

        You're correct: they raid the end user's device - right at the source.

        What I meant was: you chose a VPN to escape a multitude of bad actors. But at the end of the day, you trust a single company (the VPN provider) not to be itself the bad actor - or in this case, incompetent.

        On top of that, VPNs become incredibly attractive targets for repressive regimes and three-letter agencies, since they concentrate the traffic of so many suspicious people who choose to go through a VPN in the first place instead of passively letting themselves be put under surveillance with a regular internet access.

        VPNs, in short, are damned if you do, damned if you don't.

        • (Score: 0) by Anonymous Coward on Tuesday July 27 2021, @07:34PM (3 children)

          by Anonymous Coward on Tuesday July 27 2021, @07:34PM (#1160436)

          It depends on your priorities. It doesn't matter how shady a Ukraine or Russia VPN server is if you want to hide from your US-based ISP or websites.

          • (Score: 5, Informative) by GreatScott2001 on Tuesday July 27 2021, @07:52PM (2 children)

            by GreatScott2001 (14964) on Tuesday July 27 2021, @07:52PM (#1160441) Journal

            There is a difference between Ukraine and Russian based VPNs. Few US government officials are chummy with Russian officials. Ukraine relies on US and western support. The US can coerce whatever they want from Ukrainian businesses, if those businesses maintain logs on their clientele's activities.

            https://www.reuters.com/article/us-usa-trump-impeachment-prosecutor-excl-idUSKBN1XE20C [reuters.com]

            • (Score: 3, Interesting) by Unixnut on Wednesday July 28 2021, @08:02AM (1 child)

              by Unixnut (5779) on Wednesday July 28 2021, @08:02AM (#1160600)

              The fact is that if you are going to trust a single endpoint for traffic (like a VPN provider), then that is a single point of failure. At the end of the day, every internet service has to live in a physical location, and that physical location is under the jurisdiction of some power who can coerce compliance.

              The choice then is which single point of failure you use, and that depends on who is going to target you for your speech/traffic.

              - If you have something bad to say about the USA/NATO/[5-7]eyes and their allies/vassals/etc... then your best bet is a Russian (or one of its allies) VPN.
              - Likewise if you have something bad to say about Russia/China (or one of its allies), best use a VPN provider in the USA or NATO country.

              That way worst case scenario the hosting country will not care about your traffic, or best case they will actively defend your traffic as it suits them (promoting "Freedom of speech" or similar).

              Same applies to your physical presence if you are not completely anonymous. You only have to look at the life situation of Snowden compared to Assange to see the above played out with human lives rather than VPN traffic.

              (There are alternatives to VPNs, like I2P and Tor, but they are still niche, and not helpful if you are trying to let as many people know about something quickly)

              • (Score: 1, Interesting) by Anonymous Coward on Wednesday July 28 2021, @05:10PM

                by Anonymous Coward on Wednesday July 28 2021, @05:10PM (#1160701)

                Tor has been on autopilot for a while. Some of it is social development, some of it is cultural issues (Just as an example, they have plans to end Onion v2 support within a couple of months, have shut down some/all of their onion v2 web services, including their git/gitweb instances, and have onion v3 instances up you can only find from web listing and probably only if you had it bookmarked or checked out the bugzilla ticket about the onion v2 web references needing to be updated/replaced on gitlab/etc all.) Furthermore ever since the change for faster onion circuits, anyone who has paid attention using tor-arm/nyx will start noticing how their circuits tend to coalesce on a few dozen IP ranges or blatantly connected nodenames, HydraXX, ZimmerXX, etc to the point where the more circuits you have going, the more 'common' node elements you will notice as your runtime continues. Given recent reports of bad faith actors being able to place a few dozen to few hundred nodes and massage routes to snoop on bitcoin addresses and other targeted forms of traffic, all that can be said is: Tor should not be relied on for life or death anonymity, and in the best case should only be trusted to keep advertisers from tracking you across sessions as 3 hop routing does not offer enough jumps to ensure traffic monitoring or guard/exit traffic correlation is not being done. For anyone questioning this account, do your own experiments watching nyx and/or logging unredacted connection statistics so you can follow the nodenames and addresses of all nodes used in circuit creation. You will likely be horrified when you do; even if the groupings are trustworthy, the single points of failure/compromise are a huge risk and threat.

                Perhaps one of the most telling changes regarding the flaws in circuit creation is the adding of entry and midpoint node filters, documented as intended for use by external programs, notably vanguards, which has never actually worked for me and complicates your security profile by adding python code into the node selection for your Tor daemon.

                I2P has its own set of issues. One plus to it compared to Tor is authoritative directory servers aren't really a thing. It's decentralized based on node uptime and meeting a minimum bandwidth threshold to distribute updates (128 or 256kb/s), and once you have any node passing you updates you can begin to create a map of ~4000 nodes to reach consensus on good/bad nodes and the overall network state. I2P has one other benefit: two fully functional router projects, i2p-java (the original) and i2pd, a C++ reimplementation originally developed by some westerners and since under development primarily by Russians/Ukrainians (I haven't kept up in a few years). The latter had a heartbleed style heap/stack leak a few years back, but otherwise has been pretty reliable, uses much fewer resources, and can support UDP based services over the SSU protocol (an alternative to the NTCP protocol, which is more reminiscent of Tor) which can allow the network to mesh over both TCP and UDP only connections. The protocol has seen updates in 2020/2021, however in 2019 it had a very similar deanonymization attack to Tor, one which had been known about for at least 1-2 years and reported to the developers, but which they didn't have the right people or technical capability available to fix. (The only competent developer with crypto and deep networking experience was busy with cryptocurrency projects to pay the bills instead. ZCash for anyone who knows...)

                For anyone looking at alternatives/replacements, be very careful, at least two of the current projects developing alternative anonymity networks similar to Tor/I2P are being developed by members of that community who have spoken publicly on IRC about their desires to ban or deanonymize speech they don't like, making any anonymity networks they are developing suspect of the kind of flaws Tor/I2P have that allow tracking down circuits or hidden services.

                As a footnote: There was a blog post by the guy who ran the Internet Archive's hidden service, who reported on it being DDoSed. He was in touch with friends at backbone internet NOCs that were using traffic monitoring that was largely able to correlate traffic to IP addresses across guard nodes, allowing identification of what endpoint IP address the traffic was being sent to and indirectly deanonymizing heavily trafficked hidden services. The Internet Archive's was picked up by the second octet spoken because of the quantity of bandwidth being directed towards it at the time. Combined with gaming of node lists (something I2P is also subject to), neither platform's hidden services are anonymous unless only you and a limited group of boring people are using them for low bandwidth operations.

                As a second footnote: Neither project has post-quantum encryption available, and the NSA is already documented as recording encrypted network traffic for when it becomes available, meaning if the key exchanges are recorded and can be cracked, then all your session information for years may become documented.

        • (Score: 2) by darkfeline on Tuesday July 27 2021, @09:17PM (1 child)

          by darkfeline (1030) on Tuesday July 27 2021, @09:17PM (#1160469) Homepage

          If Google is raiding the end user's device, how does using a VPN help at all? Your post does not follow.

          --
          Join the SDF Public Access UNIX System today!
          • (Score: 1, Troll) by Rosco P. Coltrane on Wednesday July 28 2021, @02:49AM

            by Rosco P. Coltrane (4757) on Wednesday July 28 2021, @02:49AM (#1160541)

            They do both.

            Making it harder for them to track your traffic is worth doing, because the less data they have, the better. But they still gather data directly. They made this clever trojan called Android that people kind of have to use if they don't want to patronize Apple.

  • (Score: -1, Troll) by Anonymous Coward on Tuesday July 27 2021, @11:38PM (1 child)

    by Anonymous Coward on Tuesday July 27 2021, @11:38PM (#1160501)

    At least put some clothes on your women.

    • (Score: 0) by Anonymous Coward on Wednesday July 28 2021, @04:37AM

      by Anonymous Coward on Wednesday July 28 2021, @04:37AM (#1160570)

      The women or the eight-year-old girls?

      I mean, they made a lot of money selling pictures of the latter.

      Just trolling the troll, sorry....
