Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Large Number of Top Free VPN Apps Either Have Chinese Ownership or Are Based in China (hackernoon.com)

Posted by msmash on from the closer-look dept.

William Chalk, reporting for HackerNoon: After big names like Whatsapp, Snapchat, and Facebook, VPNs are the most searched-for applications in the world. "VPN" is the second-highest non-branded search term behind "games", and free apps completely dominate the search results. The most popular applications have amassed hundreds of millions of installs between them worldwide, yet there seems to be very little attention paid to the companies behind them, and very little scrutiny done on behalf of the marketplaces hosting them. We investigated the top free VPN apps in the App Store and Google Play Store. We found that very few of these hugely popular apps do anywhere near enough to deserve the trust of those looking to protect their privacy online. We recorded the top 20 free apps in the search results for "VPN" in the App and Play Store for UK and US locales. In total, these applications have been downloaded 80 million times from Google and 4 million times each month from Apple. Our investigation discovered that over half of the top free VPN apps either have Chinese ownership or are actually based in China, which has aggressively clamped down on VPN services in recent years and maintains an iron grip on the internet within its borders. Furthermore, we found the majority of these apps have insufficient formal privacy protections and non-existent user support.

92 comments

  1. Obviously cannot be t'rusted' by rickb928 · · Score: 5, Insightful

    No Chinese software can be trusted. None. And 'Free VPN' software cannot really be trusted.

    Actually, thinking it over, no software can be 'trusted'. Not any more. At best they sell whatever they can to whoever they can. At worst, they sell out to LE or intelligence agencies because if they don;t they will have their franchise revoked, or distribution severed, or be found committing suicide with a bullet in the back of the head.

    No software or hardware an be trusted. Ever. Again.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
    1. Re:Obviously cannot be t'rusted' by Anonymous Coward · · Score: 0

      Sell out to intelligence agencies? Do you mean following the laws of the countries they are based and operate in?

    2. Re:Obviously cannot be t'rusted' by Anonymous Coward · · Score: 0

      Haters gonna hate on China and Russia and our beloved President. Just ignore them. There was no meddling.

    3. Re:Obviously cannot be t'rusted' by omnichad · · Score: 3

      I don't know what t'rusted' is, but Chinese citizens are still heavy users of VPN services despite the ban. It's likely the reason their VPN companies are big enough to have global reach in the first place.

    4. Re:Obviously cannot be t'rusted' by Anonymous Coward · · Score: 0

      rusted
      an

    5. Re:Obviously cannot be t'rusted' by Anonymous Coward · · Score: 1

      Opera is out. Chinese owned

    6. Re: Obviously cannot be t'rusted' by Anonymous Coward · · Score: 0

      actually its SERVICE which cannot be trusted. Please dont confuse it with software or hardware. Bad assumptions give bad implications

    7. Re:Obviously cannot be t'rusted' by rickb928 · · Score: 1

      It matters why?

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    8. Re: Obviously cannot be t'rusted' by rickb928 · · Score: 1

      As in how the service is delivered?

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    9. Re:Obviously cannot be t'rusted' by Anonymous Coward · · Score: 0

      Found the Chink.

    10. Re:Obviously cannot be t'rusted' by nine-times · · Score: 4, Insightful

      Open source software can be "trusted" to a fair extent. At least then, experts can look at the code and see what it's doing.

      Of course there are still risks. Open source software can still have bugs. Malicious code can be obfuscated. Compiled binaries might be different from the source. Hosted services based on FOSS can still be used by the host for malicious purposes. And I don't think it can count as "open source" in situations like Android phones, where you have to run the OEM's version that has unknown alterations, and you can't just wipe it and install your own version.

      Still, any real hope for trusting our hardware and software would be for us to have control of it and know what it's doing.

    11. Re:Obviously cannot be t'rusted' by Anonymous Coward · · Score: 1

      Get back control of the hardware. https://puri.sm

    12. Re:Obviously cannot be t'rusted' by AmiMoJo · · Score: 1

      You have to trust something, unless you intend to run all your software on a Z80 that you have previously inspected with an electron microscope to confirm it's fidelity.

      Would that be possible with RISC V? I think the equipment needed to do a complete manufacturing verification on such a CPU would be difficult/expensive to get hold of, but I'm not an expert.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    13. Re:Obviously cannot be t'rusted' by Dan1701 · · Score: 4, Insightful

      The UK Government have recently decided, in their great, mighty and beneficent wisdom, that they shall do something to "protect children from internet pornography". Their Cunning Plan is to force all adult-themed websites to verify that users are of adult age, using one of a number of age verification services, some of which may well be UK government-sponsored. Needless to say, very few people actually care to self-register on what amounts to a register of masturbators, nor would many people care to have a list of which sites they visit available for a vast array of Government agencies, prodnoses and tabloid journalists to see. UK civil servants have a long-standing record for being quite incredibly bad at keeping sensitive information under wraps. Tricks such as encrypting data on a CD (because regulations say they must) and writing the password on the CD (because whoever wrote the regulations did not foresee such creative stupidity) have been seen in the past.

      Furthermore, the age-clade of 13-18 year olds (mostly males) will also wish to view such sites and will for the most part be unable to do so, not being able to lay hands on hacked age verification credentials. So, both people who value their privacy, and adolescents who cannot obtain the age verification tokens, will be looking to use VPNs to get at the, err, reading materials.

      People are for the most part cheapskates. A free VPN would seem like a wonderful gift to them, but a logged Chinese VPN is very much a poisoned chalice, especially when those doing the logging realise what a wonderful source of blackmail material they have on their hands.

    14. Re:Obviously cannot be t'rusted' by spire3661 · · Score: 2

      Calm down Adama.

      --
      Good-bye
    15. Re:Obviously cannot be t'rusted' by Z00L00K · · Score: 1

      I have problem trusting a VPN that I have set up myself, so when I can't review the remote end how should I be able to trust that VPN?

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    16. Re:Obviously cannot be t'rusted' by Anonymous Coward · · Score: 0

      Found the Chink.

      You found nothing.

    17. Re:Obviously cannot be t'rusted' by eneville · · Score: 1

      Open source software can be "trusted" to a fair extent. At least then, experts can look at the code and see what it's doing.

      This is what irritates me about the software world. Open source is often reviewed to a much higher extent than closed. And people wonder why windows/ie is buggy and riddled with CVE.

      Of course there are still risks. Open source software can still have bugs. Malicious code can be obfuscated.

      Do you have examples? Are the projects still around? I'm surprised if code that terrible was merged.

      Compiled binaries might be different from the source. Hosted services based on FOSS can still be used by the host for malicious purposes. And I don't think it can count as "open source" in situations like Android phones, where you have to run the OEM's version that has unknown alterations, and you can't just wipe it and install your own version.
      Still, any real hope for trusting our hardware and software would be for us to have control of it and know what it's doing.

      I don't think you can really. Maybe the best you can hope for is not to have an IP route to the internet for all your devices. I don't know how well malware copes with gateway proxies, presumably it needs to call home at some point to talk to command and control. With a VPN that uses openvpn you could still use iptables to force deny traffic to the default route unless it has come from a given uid. This should prevent packets escaping into the tunnel unless you've done your own sanity checks on the traffic first.

      --
      Why UNIX?
    18. Re:Obviously cannot be t'rusted' by Shaitan · · Score: 1

      VPN software definitely can't be trusted. It doesn't mask your identity, these services can't operate without logging that information.

      The only purpose for these services is to mask your traffic to avoid detection by your ISP. In the end correlating your activities with the VPN service adds additional verification of your identity and evidence of intent.

      If you are going to run your traffic through a VPN at least pay for a hosted server and set up a VPN yourself.

    19. Re:Obviously cannot be t'rusted' by Shaitan · · Score: 1

      Exactly, hence the issue with where they are located.

    20. Re:Obviously cannot be t'rusted' by Anonymous Coward · · Score: 0

      Get off of slashdot, Mr President

    21. Re:Obviously cannot be t'rusted' by drinkypoo · · Score: 1

      I think the equipment needed to do a complete manufacturing verification on such a CPU would be difficult/expensive to get hold of, but I'm not an expert.

      If you don't build the equipment, how do you trust it?

      At some point, you've got to trust someone.

      How do we structure society such that untrustworthy people are removed from positions of power in a timely fashion? Because I don't want to go back to an antique CPU, and I also don't want to have to make my own CPU from artisanal sand.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    22. Re:Obviously cannot be t'rusted' by jwhyche · · Score: 2

      The only purpose for these services is to mask your traffic to avoid detection by your ISP. In the end correlating your activities with the VPN service adds additional verification of your identity and evidence of intent.

      That is a pretty good reason to run your traffic through VPN alone. Most of the spying is going to be done at that level. I don't want my ISP knowing anything about what I'm doing online. I don't want them knowing if I've surfing /., watching Netflix, or browsing Piratebay. If they don't then they can't shape my traffic to fit their purposes. Granted, my VPN provider could do the same but they have far less reasons too than my ISP does.

      I have no delusions that a VPN protects me from any government snooping. I assume that if they want to snoop, they will have ways that a VPN won't mask.

      --
      I read at +2. If your post doesn't reach that level I will not see or respond to it.
    23. Re:Obviously cannot be t'rusted' by Anonymous Coward · · Score: 0

      They aren't made for you.

      The reason there are so many VPN services is China is because there are a lot of users there that wants to get past the firewall.
      They don't really have the option of setting up a VPN themselves since they don't have access to a server on the outside.

    24. Re:Obviously cannot be t'rusted' by Anonymous Coward · · Score: 0

      The only purpose for these services is to mask your traffic to avoid detection by your ISP.

      The Chinese VPN services are there to get past the firewall, not (only) to mask the traffic.

    25. Re:Obviously cannot be t'rusted' by rickb928 · · Score: 1

      And your argument is that being compelled by law is somehow different from 'selling out'.

      Well, yes, I suppose it is, if you care what the reason is that they give your data out without your knowledge. I don't, much. Really doesn't matter to me to which agency, nor why. We already know that in the US, in the past, AT&T willingly provided the US Government with taps on Internet transmission lines that permitted virtually total surveillance. of Internet traffic in the US. No law was apparently compelling them to do so.

      Other nations are well out of us, users, control.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
    26. Re: Obviously cannot be t'rusted' by Narcocide · · Score: 1

      Through their own corporate-owned and public-facing hardware, which would be fundamentally different from if you were running a VPN through your own private servers to which nobody else has authentication credentials.

    27. Re: Obviously cannot be t'rusted' by Anonymous Coward · · Score: 0

      No ne cares if their Social Security or Credit card numbers get copied. We only care if there are negative repercussions from that happening, and even then only to the extent it directly impacts us.

      I don't care if my credit card number is used to buy a laptop from an i secure store. I care a lot if my credit card company expects me to pay for it. I care a fair bit if i have to call in and spend more then two minutes resolving it to my satisfaction. Otherwise I am proportionally annoyed that I have to get a new card to the exact degree the card company makes it a hassle for me to get it and I have to reregister on my linked accounts.

      The problem is not the copying of information, it is the wildly asymmetrical ways that information is used against the little guys and the horrifically disproportionate effort it takes for us to fix their mistakes.

    28. Re: Obviously cannot be t'rusted' by Anonymous Coward · · Score: 0

      Just use the vulnerable devices list and scan your neighbors for i secure access points. You can then setup your vpn to run through there.

      If you live in a totalitarian regime, keep a bucket of electrified salt water nearby your desk and accidentally knock your "old" phone in if surprised.

    29. Re: Obviously cannot be t'rusted' by Anonymous Coward · · Score: 0

      It was never trustworthy to begin with. The entire industry was built on the blind trust model. I.e. you promise to not do something bad to me and I'll buy your stuff. That's the model we have and that's the model that's finally bitten us in the ass. Not because of the people who made it, but because of the horible assholes who demand control over our lives. The only difference is now people are starting to realize it. Which leads me to...

      VPNs. If you're relying on someone else to provide you a VPN for personal privacy, then you're doing it wrong. Not only are you doing it wrong, but you've missed the entire point of using a VPN for privacy in the first place. That's the reason so many of those "free" VPNs are "free," they are not protecting you in the first place. Even if they don't sell your data, they can still use it as leverage over you or control exactly what you see online. They can choose everything from what exact stories come up in your feeds to what ads you see. And before any of you claim "but HTTPS!!!" These idiots are using a VPN provided by someone else without a care in the world, what the hell makes you think they would question the VPN provider demanding they install a custom browser or Root CA for use with the service, or that they would even remotely check the certificate identifiers on the HTTPS connections, much less be able to spot a fake!?!?!?!?

      If you want real security you have know the basics of what you are trying to do. We're far past the point where "but appliance!!!!" stopped being a valid excuse for tech illiteracy. Now it's a problem for everyone, and with the way people think currently, the problem is going to get a lot worse before it gets better.

    30. Re:Obviously cannot be t'rusted' by Shaitan · · Score: 1

      "Granted, my VPN provider could do the same but they have far less reasons too than my ISP does."

      They've got the same reasons. Especially when they are under the thumb of the Chinese government.

    31. Re:Obviously cannot be t'rusted' by nine-times · · Score: 1

      Do you have examples? Are the projects still around? I'm surprised if code that terrible was merged.

      I don't know of any cases where obfuscated malicious code was found in a live project, but it's a valid concern. It's certainly possible to obfuscate the true purpose of code, and there are even contests to come up with cleverly obfuscated code.

  2. No comments? by Anonymous Coward · · Score: 0

    Is this Chinese sensorship or am I just early?

  3. One of my worries by nine-times · · Score: 4, Insightful

    One of my worries about VPN apps (those used for privacy) is that, although they protect your privacy against your ISP, they hand over control to the VPN provider. They can say they'll keep your information private and they won't keep logs, but you're placing a lot of trust in that provider. If they have malicious intentions, or even if their security is bad and there's a method of compromising people's privacy that they're unaware of, then you're making it very easy for your privacy to be violated.

    In fact, it can be worse than whatever spying your ISP can do. With a VPN app, they'd be able to monitor your traffic anywhere you go, all tied to a specific identity, tied back to whatever credit card you've used to pay for it.

    1. Re:One of my worries by 110010001000 · · Score: 1, Informative

      Much like using Tor: the exit nodes are all monitored so it is even worse for privacy. It makes it easier for surveillance though: they just need to get the information from a single place.

    2. Re:One of my worries by AmiMoJo · · Score: 4, Interesting

      I tend to trust my VPN provider more than I trust my ISPs, especially the mobile ones. There is also value in routing your traffic to a different legal jurisdiction, because it makes it much harder for law enforcement to bypass due process.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:One of my worries by DarkOx · · Score: 3, Insightful

      Don't forget to that technical issues aside in a lot cases people are trading one possible threat, local law enforcement and their own ISP where they have some contractual, statutory, and constitutional/lawful recourse against if "something" was done to them for some actor(s) in a foreign country where:

      1) you may or may not be granted legal rights and protections
      2) exposes you to foreign surveillance powers by own own government since your traffic is no longer domestic
      3) generally face a more costly and difficult process for accessing any legal remedy

      Basically the VPN guys can pretty much abuse you in any way they like. Sure you can quit using their VPN more easily than you can quit your ISP. You have the lever so if they start spamming your with ads and stuff you have control there. If they are more subtle than that and more nefarious and do something to you that isn't obvious though, chances are good there is NOTHING at all you can do about it; and they know that! Consider the incentives and disincentives. While I am not making a "if you have nothing to hide argument here" I am going to suggest that if whatever your reasons for wanting additional privacy fall short of criminal you might just be better off trusting your ISP and simply practicing good hygiene. IE - use the incognito mode in your browser as appropriate, patch your system, if you have to use 'sketchy sites' use a VM and revert the snapshot when you are done, be smart/think before your click.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    4. Re:One of my worries by Bob_Who · · Score: 1

      You can't buy security or privacy. It is not an issue of price, it simply can't be sold as some sort of inventory or commodity. You can spend all you want on people who assure you that is what the have to sell you, but whatever it is that you just bought in no way can be measured by anything more than how you feel and what you believe. It is impossible to know if your privacy or security have improved or not. Either way, you'll never really know until its lost, at which point you realize that you paid the perpetrator's invoice after you put a spotlight onto the target on your back. A person with something to hide has a lot to lose. That's after their sense of privacy and security are already lost. All the blood money in the world can't buy it back, really.

      Perhaps subconscious fear and insecurity become a beacon for sinister opportunists who will gladly oblige that self-fulfilling prophecy from those guilt-ridden souls. Those fortunate and highly paid individuals amongst all of the doomed that clamor at the gates. The downtrodden that manage to survive working a lunch shift at the corporate cafeteria for $12.50 an hour after an 80-minute commute and don't have a dime to steal at the end of the day. I bet they could care less about a free VPN, have a great deal of privacy, and are well aware of what is theirs and how they can feel safe and unthreatened.

    5. Re:One of my worries by grumpyman · · Score: 1

      Not only that, traffic on VPN is certainly more 'interesting' to various parties/authorities. Wanna dig dirt? Go for VPN instead of unencrypted traffic.

    6. Re:One of my worries by Shaitan · · Score: 1

      "I tend to trust my VPN provider more than I trust my ISPs"

      That's a bit like saying you'd rather your body be hacked up with a chainsaw than a wood chipper. Either will sell you out faster than a $2 hooker offered a rock.

      "There is also value in routing your traffic to a different legal jurisdiction"

      Not really. There are networks of cooperative agreements in place because that loophole has been well known for 20 years.

      The reality is the VPN ultimately provides additional evidence of your identity beyond IP (which in the US no longer is considered evidence on its own). Using a VPN also provides evidence of intent.

      Most people foolishly use these services for copyright infringement. Just turning on encryption, a non-standard port, use private trackers exclusively if using torrent, and hiding in the crowd is about as good as you need for that. Oh and stay away from anything still in the theaters. You won't get any ISP warnings that way. All you need is to avoid being the low hanging fruit.

      If you really insist on using VPN (hopefully to get around ISP throttling rather than some irrational sentiment) then get a VPS or colocated server on the cheap and set up a vpn yourself or better yet pay in tumbled cryptocurrency and set up your filesharing on that system with a scheduled job that truncates (rather than deletes which will cause you filehandle issues) the access logs every minute). Use some shitty run fly by night found on a board and run by a 3rd grader vpn to actually set it up in the first place, you know something that won't be around in 2 weeks.

      You know who you can trust more than your ISP or VPN provider? You. You know whose server definitely isn't a nice easy central place with a streamlined process for disclosing the details you want kept private? The server built on a one off basis by you.

    7. Re:One of my worries by drinkypoo · · Score: 1

      "There is also value in routing your traffic to a different legal jurisdiction"

      Not really. There are networks of cooperative agreements in place because that loophole has been well known for 20 years.

      It raises the cost of a compromise. They actually have to go get the data, they don't already have it on file. Your ISP will (happily or unhappily) log all your traffic and turn the data over to the government on legal request. Some foreign VPN operator might not be so forthcoming. And if they're sufficiently fly-by-night, they might well go out of business before they get around to fulfilling any requests.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    8. Re:One of my worries by sosume · · Score: 1

      Alternatively set up an image for a VPN linux node on AWS or some other cloud. Provision in the morning, use its VPN one day and delete the machine afterwards. But you're absolutely right, signing up for a VPN provider will probably lead to extra checks when flying.

    9. Re:One of my worries by Shaitan · · Score: 1

      That works too. With a little more effort you can use any of the automation frameworks to put together and image that configures itself on a fresh cloud vm each day. Of course that will have a consistent fingerprint but so will doing it manually.

    10. Re:One of my worries by Shaitan · · Score: 1

      True.

      "And if they're sufficiently fly-by-night, they might well go out of business before they get around to fulfilling any requests."

      Agreed. That's something I even suggested exploiting but if you actually run your traffic through such a service you should probably pay careful attention to what you do for other reasons. Selling your data on the black market is just as viable as the grey market run by traditional tech companies.

    11. Re:One of my worries by nine-times · · Score: 1

      I tend to trust my VPN provider more than I trust my ISPs, especially the mobile ones.

      I'm not trying to argue necessarily, but I don't really see any reason why I should trust a random VPN provider over a random ISP. I wouldn't trust either to have my best interests at heart. If anything, VPNs have more reason to snoop because they have more reason to believe that the traffic going through them is sensitive.

      There is also value in routing your traffic to a different legal jurisdiction, because it makes it much harder for law enforcement to bypass due process.

      True, but there's also danger in routing your traffic to a different legal jurisdiction, for a couple of reasons:

      1) Though arguably it's harder for the government to bypass due process, it's also harder for the government to do anything if the company is doing something abusive/illegal. For example, if you use a VPN that routes your traffic to China and the Chinese endpoint is spying on you, what is the US government going to do about it?
      2) One of the things Snowden revealed is that the NSA spies more heavily on traffic that enters/exits US jurisdiction. Basically they somewhat recognize that they're not allowed to spy on communications between US citizens on US soil without due process. By sending the traffic out of the country, you're excluding your traffic from that (admittedly minor) protection.

    12. Re:One of my worries by AmiMoJo · · Score: 1

      I select my ISP based on availability and then on performance. I select my VPN provider based on privacy and security. So at least privacy is the main factor with a VPN.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    13. Re:One of my worries by nine-times · · Score: 1

      Right. So you select a VPN provider that you believe you can trust. Still, that doesn't change the fact that you're putting a lot of trust in that company, and if the trust is misplaced, they could violate your privacy as badly as your ISP. Or even worse.

  4. isn't this good? by Anonymous Coward · · Score: 1

    Isn't it good for us in the western world who uses that VPN? Chinese wouldn't be so much obliged to cooperate with anybody.

    1. Re:isn't this good? by Rockoon · · Score: 1

      My thought too.

      Who do you trust more, Comcast, or China?

      Seems like an easy choice. Harder if your ISP isnt such a dreadful company. My town wont let them in because the voters spoke up over decade ago on the matter of cable internet franchises. The country phone infrastructure is terrible and basically cant be fixed without a monumental investment that wont see an ROI in 50 years (still twisted pair from the early 80's on the poles / going into homes) so we didnt take it kindly when the local small cable company sold out to metrocast. Metrocast isnt allowed here any more. That sends a message.

      --
      "His name was James Damore."
    2. Re:isn't this good? by Anonymous Coward · · Score: 0

      They may sell the data to the US, bust since the US is a whole lot less interested in my private information as soon as they are expected to pay for it (and subsidize my free VPN), it still sounds like a good deal.

  5. i use the free fancy bear vpn by Anonymous Coward · · Score: 0

    works great

  6. Simple by Ol+Olsoc · · Score: 1
    Rule number one is that someone using a VPN probably has a reason for that.

    And yeah, a lot of people aren't much more savvy than hearing "VPN's are secure!" so when you have the combination of wanting to have privacy fro some reason, and lack of savvy, you have a ripe spying market that thinks it is secure and more likely to share stuff.

    Especially when it's free.

    Rule number two is that there is no such thing as security on the internet.

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    1. Re:Simple by sjbe · · Score: 1

      Rule number one is that someone using a VPN probably has a reason for that.

      True but it isn't necessarily anything nefarious. For example I don't like being tracked by advertising companies. The reason to use one doesn't have to be anything greater than valuing privacy.

      Especially when it's free.

      Yeah if something is "free" the first thing you should be questioning is why. Nothing is truly free. Nothing. These services aren't provided because someone is being generous so it if is free you need to understand their motivations.

      Rule number two is that there is no such thing as security on the internet.

      Not true at all. Security is always a relative state and as such there is reasonable security possible. Security becomes more difficult against focused, experienced, and/or well financed attackers but even then it's possible. Perfect security against all conceivable threats is impossible but that's like saying we shouldn't lock our doors because someone might own a battering ram. Security is always relative to the circumstances and likely threats one might face.

    2. Re:Simple by Anonymous Coward · · Score: 0

      Rule number two is that there is no such thing as security on the internet.

      There's no such thing as safety while driving a car so why wear a seatbelt? Why have airbags?

      There's no such thing as security at home so why have locks on the doors? Why have security systems?

    3. Re:Simple by Ol+Olsoc · · Score: 2

      Rule number two is that there is no such thing as security on the internet.

      There's no such thing as safety while driving a car so why wear a seatbelt? Why have airbags?

      There's no such thing as security at home so why have locks on the doors? Why have security systems?

      It's pretty simple. Almost no one is trying to run in to me.

      But there are a lot of people and groups out there on the intertoobz that do have harmful intent, are mining you, or at best, simply trying to figure out who's saying what. It's an inherently insecure medium.

      Want to get yourself noticed and considered interesting really quick? Run Tor.

      If for some reason I wanted to commit crimes, the intertoobz is the last place I would have any activity related to the crime. I have my system battened down pretty good. But I'm not fooling myself. You shouldn't either.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    4. Re:Simple by Ol+Olsoc · · Score: 1

      Rule number two is that there is no such thing as security on the internet.

      Not true at all. Security is always a relative state and as such there is reasonable security possible. Security becomes more difficult against focused, experienced, and/or well financed attackers but even then it's possible. Perfect security against all conceivable threats is impossible but that's like saying we shouldn't lock our doors because someone might own a battering ram. Security is always relative to the circumstances and likely threats one might face.

      Well, if you insist. Perhaps I'm paranoid or just don't know as much as I think I do. That happens. I'm still not putting anything there that I don't consider public.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  7. The right tool at the right time by Opportunist · · Score: 1

    Whether the PRC having access to your surfing habits is a problem depends mostly on why you use their VPN to access something. If your reason to use it is that you don't want the US or Europe to know where you're surfing, you should be doing ok.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:The right tool at the right time by Kernel+Kurtz · · Score: 1

      Whether the PRC having access to your surfing habits is a problem depends mostly on why you use their VPN to access something. If your reason to use it is that you don't want the US or Europe to know where you're surfing, you should be doing ok.

      Anecdotally speaking, around here most people use VPNs to avoid the attention of the copyright popo. The Chinese don't give a shit if you are downloading the latest Game of Thrones or Drake album, so you should be fine.

      If you are using it to exchange industrial trade secrets maybe not so much.

    2. Re:The right tool at the right time by Rockoon · · Score: 1

      If you are using it to exchange industrial trade secrets maybe not so much.

      Are you kidding? Sounds like something that China would offer to pay you to keep doing.

      --
      "His name was James Damore."
  8. Owned by China by Oswald+McWeany · · Score: 1

    A large number of the largest ________ are owned by China.

    It's not just VPN it's anything. Partially because they are a large country with a large population (and large companies tend to form in large markets). Partially because state sponsorship and the government TRYING to make large companies; and partially because the government restricts competition from foreign companies in some situations that an alternative will always be found domestically.

    It's no surprise large VPN-companies are found in China. Large everything-companies are found in China.

    --
    "That's the way to do it" - Punch
  9. Chinese VPN's are more secure than European by Anonymous Coward · · Score: 4, Interesting

    UK and Europe based VPNs mean they don't need a search warrant to look at your traffic. Using a UK VPN is the worst thing you can do, since they cooperate closely with our law enforcement, but don't have to use warrants to spy on US citizens. The Chinese might be spying on you while you buy weed on the darkweb and torrent pornos, but the Chinese aren't going to cooperate with the US authorities.

    1. Re:Chinese VPN's are more secure than European by Oswald+McWeany · · Score: 3, Insightful

      but the Chinese aren't going to cooperate with the US authorities.

      That's true today. Who knows what the political climate will be in 5 years, 10 years... etc. You can't really trust anyone to keep your data private. You have to assume everything you do online is being stored as data by someone, somewhere, and may never be deleted.

      --
      "That's the way to do it" - Punch
  10. Roll your own by DaMattster · · Score: 1

    This is why I just roll my own. I don't think I would be able to trust any VPN service provider for precisely this reason. Corporations do all kinds of shady shit so the only way you can be reasonably certain of your own security is to take matters into your own hands. When you configure, control, and manage your own VPN solution, you can be reasonably certain that your secure.

    1. Re:Roll your own by coofercat · · Score: 1

      I was gonna say the same (although I haven't) - I had some fun with https://github.com/StreisandEf... a while back - it's very good :-)

      As for TFA - the list of VPNs is here: https://www.top10vpn.com/free-... I can't say I'd heard of any of them.

    2. Re:Roll your own by doubledown00 · · Score: 1

      That's not a bad idea, but how do you handle the issue of which internet connection to use? Given that the whole point is hide your communication, to be effective the VPN endpoint would need to be somewhere that isn't tied to you. So no running it through your home line or a business.

  11. That One Privacy Site by worf_mo · · Score: 3, Insightful

    I've found the VPN section on That One Privacy Site to be quite an informative resource. There's a lot of information from Choosing A VPN up to a detailed comparison chart.

    My use case: I don't care about LE nor intelligence agencies; I just need a reliable VPN for those times when I have to connect via an "insecure network" (as in hotel Wifi), and for that I simply installed OpenVPN on a VPS, created some certificates and installed them on my devices. Works like a charm, and if needed I can spin up a new VPS and install everything within minutes using a script like openvpn-install. And if one prefers to run an IPsec VPN server there's Algo VPN, a set of Ansible scripts that helps with the setup.

  12. Ancient Chinese Fable by Bob_Who · · Score: 1

    Many years ago, the guardians of the Emperor's palace became very alarmed.

    "Your Majesty, forgive our intrusion, but we must caution you immediately!"

    The serene supreme calmly sighed, "there, there, what has upset you so?

    "The Mongolians has invaded from the north - They have come n great multitude with soldiers and weaponry. They have pillaged the villages and rice paddies, raped the women, killed the farmers and burned the homes of all who resist their despotic wrath - what should we do?"

    The Emperor complacently shrugs.

    "Do not worry, grasshopper...." he says with a slight yawn "In a few hundred years they will all be Chinese"

    Eventually, we will all be Chinese.

    (as well as hungry again in an hour)

    1. Re:Ancient Chinese Fable by nospam007 · · Score: 2

      " killed the farmers and burned the homes of all who resist their despotic wrath - what should we do?"

      The Emperor complacently shrugs."

      We will build a beautiful wall.

    2. Re:Ancient Chinese Fable by Bob_Who · · Score: 1

      The Emperor complacently shrugs."

      We will build a beautiful wall.

      ...Even Kissinger never saw that one coming.

  13. This could be a lot of fun for Chinese intel by MikeRT · · Score: 4, Insightful

    And you bet your ass that the Ministry for State Security has met with the company owners and said that as long as they log and turn over the logs of foreigners, they have the blessing of the MSS. Because you can bet that Chinese intelligence is pouring over those logs, looking for kompromat on people who matter to their work.

    1. Re:This could be a lot of fun for Chinese intel by Actually,+I+do+RTFA · · Score: 1

      Foreigners? First, they want to log what the domestic users are doing. Foreigners are a second-tier priority.

      --
      Your ad here. Ask me how!
  14. Follow the money by Vanyle · · Score: 1

    Wait, you didn't pay for this? Wonder what the motive is of those who did.....

  15. IF China were to "infect their own"? apk by Anonymous Coward · · Score: 0

    IF China were to "infect their own" (not just others)? They'd have one HELL of a BOTNET to attack others (wouldn't surprise me). THINK ABOUT IT... it's almost like the "St. Mary Virus" from
    "V: For Vendetta" in a way & just as effective (vs. other nations).

    I.E. - IF the Chinese are online like say, I know that Japanese & Koreans are (fellow oriental/asian tribes) in LARGE NUMBERS/By % of population?

    Then they DO have a potentially HUGE attack mechanism.

    (Especially IF they go after not ONLY computers but modems/routers too)

    * Then again, & I ADMITTEDLY DO NOT TRUST CHINA (or any nation's gov't., sadly even our own in the USA (only Trump for the MOST part & even he not completely (how can you trust ANYONE, even yourself, completely & NOT BE STUPID?))?

    Every nation pulls shit & so do CORPORATIONS!

    APK

    P.S.=> It's SO f'ing SAD & STUPID - but it IS done (heck the NSA got caught installing backdoors into CISCO routers, caught on FILM no less - it's not just HUAWEI that can't be trusted - & it REALLY HURT CISCO's STOCK PRICES being caught in it)... apk

  16. Where the simple fuck ... by CaptainDork · · Score: 2

    ... is the list?

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:Where the simple fuck ... by Anonymous Coward · · Score: 0

      Oddly enough it was in TFA: https://www.top10vpn.com/free-vpn-app-investigation/

    2. Re:Where the simple fuck ... by CaptainDork · · Score: 1

      I swear that showed up after I read TFA. Thanks.

      --
      It little behooves the best of us to comment on the rest of us.
  17. Play store search results have a sort order? by Solandri · · Score: 2

    One of the most frustrating things about the Play store is that there's no way to sort the search results. It seems like the more popular apps (based on number of reviews since it hides the exact number of downloads) are clustered near the top, but they're not in any order I've been able to determine. So "top 20 free apps" is kinda meaningless unless you know the sort order.

    1. Re:Play store search results have a sort order? by drinkypoo · · Score: 1

      One of the most frustrating things about the Play store is that there's no way to sort the search results. It seems like the more popular apps (based on number of reviews since it hides the exact number of downloads) are clustered near the top, but they're not in any order I've been able to determine.

      It's probably a mixture of factors like all of google's search results. Ranking by score is their core competency. Age, review scores, cost (since they take a percentage), downloads...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  18. Only VPN apps? by doubledown00 · · Score: 3, Insightful

    One should be worried about everything from the app store. It is awash in "free" games, GPS apps, etc that do nothing but mascarade as ad delivery conduits that also spy on the user.

    This isn't new or limited to free VPN apps.

    Just the other day we had a story about "free" GPS apps that were nothing but Google Map overlays that show ads. A few years ago there was a story about a bunch of long abandoned apps that had suddenly come alive again. It turned out that a Russian company bought the apps and their domains and had begun "updating" the app with new invasive code.

    At times I feel like we're back in the late 80's / early 90's again downloading unknown cool sounding programs in the middle of the night off some guy's BBS. The difference is today the apps are surrounded in aura of legitimacy because they come from a "store".

    1. Re:Only VPN apps? by sad_ · · Score: 1

      indeed, people ask me to install app x or y, or show of this new app which is funny/entertaining/... (but mostly never really useful) and install just about anything.
      i have a smartphone but install almost nothing, simply because i can't trust any of these apps. i do have some on there which have a paid subscription, but even those you can't be 100% sure that they are ethical enough to not mistreat your data.

      --
      On a long enough timeline, the survival rate for everyone drops to zero.
    2. Re: Only VPN apps? by doubledown00 · · Score: 1

      And even the paid âoetrustedâ apps are one private buyout away from being in unknown hands. If youâ(TM)re an app developer who happens to stumble on something people like and would pay for and someone wants to buy it for a couple million......

  19. That's good. History shows U.S. tech is insecure by Anonymous Coward · · Score: 0

    After everything we've read and what's come to light on the NSA and CIA, I definitely trust China and Chinese companies more then their American counterparts.

  20. Luckily not all of 'em by Anonymous Coward · · Score: 0

    For example F-Secure's Freedome VPN.. It's from Finland! No ties to China, or USA.. so it's better then most :)

  21. A wonder why... by Gabest · · Score: 1

    Oh wait, Chinese are the biggest users of VPN, of course there are many VPN providers there. Are you retarded not realizing this?

  22. That was easy to figure out by sentiblue · · Score: 1

    Yeah... I mean Chinese owned... based out of China. Damn it must have taken decades to figure out.

  23. Why China needs fake VPN products by AHuxley · · Score: 1

    China needs to understand the entire internet people use in real time the way the NSA and CGHQ can.
    China at this time does not have the direct networks into US and EU telco networks the way the NSA and GCHQ has.
    How to detect a new network request deep in Chain to some random web site/service globally?
    Is that a tourist, a business leader in a hotel using a VPN?
    A CIA backed human rights network in China?
    A MI6 agent working for a decade in China?
    Someone with permission to work in China uploading a video clip about their travel around China?
    Someone allowed to work in China saying bad things about their jobs, working conditions, politics, censorship?
    All the security services know is every outgoing connection to the internet is a problem.

    By creating fake VPN products a lot of easy to find people who just want a look at the net get found. Their friends and friends of friends.
    Should one person be tempted to use the internet in such a way, so might their friends?
    The next problem is the more advanced VPN products. They are easy to detect, easy to block.
    But some paid VPN services work and keep working in China?
    Wonder why they are promoted to everyone wanting to come to China who needs a working VPN services?
    China needs to detect the use of all VPN products and where the VPN software ends up.
    That makes unexpected VPN use stand out.
    All downloads of any VPN product in China easy to detect.
    An internal version of GCHQ Tempora https://en.wikipedia.org/wiki/... to find all VPN software downloads.
    The VPN may work as a secure product but China will detect the search for and download of the software every time.

    --
    Domestic spying is now "Benign Information Gathering"
  24. Fewer Chinese VPN Users by aberglas · · Score: 1

    I think that you will find that the number of Chinese using VPNs is reducing. The government is cracking down. Would you really want to risk your treasured social credit score just to read a few western articles and a bit of porn? Most do not.

    Also, if critical apps like WeChat (critical if you are in China) detect a VPN on the phone they seem to close the account.

    1. Re:Fewer Chinese VPN Users by omnichad · · Score: 1

      Hence the need to expand into the US market...

  25. Pffft - ISP just shapes VPN traffic by Anonymous Coward · · Score: 0

    done.

  26. LOL you are completely wrong by Anonymous Coward · · Score: 0

    Why make up stuff like that?

  27. Early. WindBourne hasn't even showed up yet by Anonymous Coward · · Score: 0

    to tell everyone how bad China is and that he loves Teslas.