Why I no longer use a VPN (most of the time) and nor should you - YouTube

TheAnonymouseJoker Mod , 1 month ago

I never took Sun Knudsen seriously. He solidified my judgement with this video. I remember joepie also has one article on the same topic.

VPNs have purposes of pseudonymity from ISP and script kiddies, and geoblock bypassing. Anyone who cannot figure this out while calling themselves a privacy advocate or guru is a fraud. Any Brave shill "privacy tuber" is also same for me, like Techlore and DistroTube. GrapheneOS community overwhelmingly recommends and shills Brave and Chromium browsers and calls Firefox bad, so that is also a red flag for me, telling they know shit about privacy and security.

I never take most of them seriously, since I myself create guides and practice a strong threat model for years upon years. Learning about topics and working through recommendations yourself is the best bet, but if that is hard, people like me are few and far in between, with no incentive to gain, and will not give dogshit advice. It sounds like self-promotion, but I think I have made myself clear enough to be called paranoid in some circles by phonies. I have used Tor, I2P, Freenet and various darknets for a decade, and have been in this "trade" for a good while without a name.

HumanPerson , 1 month ago

I agree about most of that, but I am curious what is wrong with graphene os. I use it but if there is a reason not to I would like to know what you recommend.

TheAnonymouseJoker Mod , 1 month ago

GrapheneOS is pure snake oil with a disgusting sole developer that believes in pushing corporate Big Tech propaganda, harassing and witch hunting any critics, having a little social media army with sockpuppets to do this, abuses mentally challenged by hiding behind “autism” label (Louis Rossmann has a nice video), falsely claims he was swatted without giving evidence or coverage in local Canadian media and blames everyone from redditors to community mods to YouTubers and so on.

I covered this disease for about 5 years, and it emanates from the same sewer that “security” clowns like Brad Spengler and madaidan do in Linux community. All they do is either push their bullshit solutions or push corporate Big Tech propaganda and hate any FOSS project they think will not worship them.

You can read my documentation of this lore here.

https://old.reddit.com/r/privatelife/comments/ug9qnc/writeup_criticism_of_rprivacyguides_grapheneos/

https://old.reddit.com/r/privatelife/comments/13teoo9/grapheneos_corporate_foss_loving_witch_hunting/

Most of the security measures in Graphene are something you can take with lots of Android devices, and is nothing exclusive to Pixel/Graphene fairy tales. Micay and his minions just love selling that combo as the only solution, and I frankly hate it as it has no basis in reality.

Please read the paper by Ken Thompson, co-creator of Unix and C, on why we should be able to trust the developer and NOT the code. https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_ReflectionsonTrustingTrust.pdf

HumanPerson , 1 month ago

What would you recommend I use instead?

TheAnonymouseJoker Mod , 1 month ago

CalyxOS or LineageOS

TechNerdWizard42 , 1 month ago

Nice try NSA

Vendetta9076 , 1 month ago

A) as others have pointed out this is a rather shit video

B) I fucking hate the "and nor should you" trend. Fuck off with what I should or shouldn't do, just give me the facts and I'll decide for myself.

LWD , 1 month ago

I don't like the way it sounds, but I appreciate the honesty. Videos like this are always prescriptive, even if they present themselves as if they are a personal, "just for my needs" thing.

By the way, do you remember a video and Medium article posted by someone who was trying to convince us that big companies like Google aren't really privacy invasive?

Scolding0513 , 1 month ago

, said the glowing figure confidently, while blinking hard and rubbing his nose

hellfire103 , 1 month ago

(The NSA think they're slick)

leraje , 1 month ago

Do ISP's monitor or sell or pass on your data? Yes.

Do VPN's? Depends on the VPN. Find one that doesn't and can back that up with 3rd party audits and legal encounters.

So can a good VPN protect your privacy? No, not by themselves. A VPN is part of an overall toolkit to be as private as you personally would like to be. It can help protect your privacy, that's all.

It's really that simple.

refalo , 1 month ago

3rd party audits and legal encounters

The problem I have with this is that audits or court cases do not prove that the server is only using that same exact code at the instant you are using it... changes to software are constantly made all the time, and they could all invalidate previous audits or presumptions of privacy or security.

leraje , 1 month ago

That's true, there's always going to have to be some trust, but a provider that takes the time and expense to invest in a privacy audit or defend their clients by not logging and establishing that in court certainly indicates they're worth having that trust in.

noodlejetski , 1 month ago (edited 1 month ago)

many ISPs over here offer a ~5-10% discount on monthly bills if you agree to have your traffic analysed for marketing purposes. the last time I signed a contract I had to explicitly opt out of that. the ISP providing internet to all of my landlord's flats offers a similar deal when signing a contract, and 1. I'm willing to bet that my landlord has opted in, and 2. I have no way of opting out of that for my flat. I think I'll stick with a VPN for the foreseeable future.

possiblylinux127 OP , 1 month ago

With a VPN you are just shifting the attack surface

noodlejetski , 1 month ago

from the ISP likely to analyze my traffic to a VPN provider who didn't provide any data after being raided by the police because they didn't store any

possiblylinux127 OP , 1 month ago

I would still not trust them as you have no control over what happens server side.

Lemongrab , 1 month ago

That is just as true of your ISP, who when raided by the police will happily send it all over in a jiffy.

possiblylinux127 OP , 1 month ago

Exactly, its not a matter of trust. You can't verify VPN providers more than you can verify ISPs.

The best option is to use https and encrypted DNS.

MagneticFusion , 1 month ago

[Thread, post or comment was deleted by the author]

electro1 , 1 month ago (edited 1 month ago)

[Thread, post or comment was deleted by the author]

elshandra , 1 month ago

If you've got something you're that worried about keeping private, go home, and break everything with a computer chip, a radio/network. Because if it's not listening now, it's only an update away.

elshandra , 1 month ago

How are there so many stupid people here already?

Steamymoomilk , 1 month ago

1000012289

ultratiem , 1 month ago

I’m not doing anything illegal, why do you care if I hide or not???

If we want to meet the original straw man head to head.

Ilandar , 1 month ago

I would encourage people to watch the video and form a conclusion based on that. The title is quite clickbaity (which you would expect from YouTube) and at least half of the video is solely a critique of NordVPN, often followed up with "but Mullvad is better". He does make some worthwhile points but they are not universally applicable. Every country has different governments and laws; do not blindly trust the word of Americans because they likely do not know shit about your specific situation. For example, nothing in his video addressed Australia's mandatory data collection and retention laws, or the multiple high profile data breaches that have occurred here in recent years.

ExtremeDullard , 1 month ago

half of the video is solely a critique of NordVPN

I don't know how good or bad NordVPN is. I have never used it. But I never will. EVER.

You know why?

Because they paid so many interesting Youtubers to shill their stupid VPN service, ruined so many otherwise interesting Youtube videos and wasted so much of my time that I swore I would never give them a single dollar of my money.

I can't stand advertisement and advertisers, and NordVPN has been truly heavy-handed. They're not the only ones: Brilliant comes to mind too. They can all fuck off. They've achieved the exact opposite of what their ads was supposed to achieve with me: I'll never patronize them.

Ilandar , 1 month ago

uBlock Origin + SponsorBlock + third party mobile client is the solution.

ExtremeDullard , 1 month ago

Actually I use Freetube with sponsorblock on the desktop and Newpipe with sponsorblock on Android. So I mostly don't see shitty sponsors anymore.

But my Formuler TV box - which runs Android - has some weird crashing problem with the default Newpipe player, so I have to use an external player (MX Player) which doesn't have sponsorblock, sadly.

So whenever I want to watch Youtube videos on my TV, I have to eat some NordVPN shilling - at least a little bit, just time for me to grab the remote and skip it - and I'm too cheap to replace the TV box.

Galaxy , 1 month ago

You could try Smart Tube which has built in adblock and sponsorblock and see if that works better on your android tv box

potemkinhr , 1 month ago

Shout out for Smart Tube, the best YT app on smart boxes/android TVs, never had any issues

ExtremeDullard , 1 month ago

SmartTube works very well. The problem is, it requires a Youtube account to have subscriptions, playlists and the like. That's a hard no for me.

Galaxy , 1 month ago

Fair enough, completely understandable

ExtremeDullard , 1 month ago (edited 1 month ago)

Firstly, using a VPN ultimately consists in trusting the company providing the VPN service that it won't be fucking around with your privacy. Considering that all your traffic goes through it, that's a lot of trust to place in one company. And I generally don't trust any tech company to resist the lure of selling your data for profit for very long in 2024 - even those that profess to be privacy-friendly.

Secondly, modern corporate surveillance doesn't rely on IP addresses anymore. So if you think a VPN protects your privacy, it really doesn't. All it does is tell Google et al. which VPN provider you're a customer of - i.e. you're giving them even more data that they don't need to have.

That's why I don't even bother with a VPN. I only use one to evade geo-blocking every once in a while.

sbv , 1 month ago

using a VPN ultimately consists in trusting the company providing the VPN service that it won't be fucking around with your privacy. Considering that all your traffic goes through it, that's a lot of trust to place in one company.

Is that any different than the trust we place in our ISPs?

I agree with you. I fully expect my ISP/VPN provider to sell my traffic data, but I don't see the value in paying a VPN do to it.

ExtremeDullard , 1 month ago (edited 1 month ago)

Is that any different than the trust we place in our ISPs?

It's not. Your ISP is probably selling your data, and your VPN may or may not do that too. Just assume everybody sells your data.

The difference is, when you leave home and you connect to a wifi, you start using another ISP. If you then lose the wifi and connect using 4G, you're using yet another ISP. If you use a VPN, you funnel all your traffic to a single provider all the time. In other words, instead of distributing the risk over several potentially bad actors, you concentrate it on a single one.

Like I said, that's a lot more trust that I'm willing to place in a single company that only essentially pinky-swears won't put me under surveillance.

1984 , 1 month ago

I trust my vpn provider, but I don't trust my isp to not give out my ip. So using a VPN is obvious and I havent had any issues doing that for decades.

If your mindset is that you can't trust anyone, then yes, doesn't matter. But you can trust some of them. You need to know which ones have a history of caring about privacy and which ones are just advertised heavily.

ExtremeDullard , 1 month ago

But you can trust some of them. You need to know which ones have a history of caring about privacy

All I see in the tech world is the companies that have been caught red-handed doing shady stuff and those that haven't yet.

You say you can trust some of them based on their history of caring: can you? What's their history of caring other than how long they've sworn to do the right thing and haven't been caught doing otherwise yet?

Like I said, tech companies don't resist the lure of big data money for very long these days. If you think any VPN provider isn't at least seriously considering monetizing the traffic you send them to make more money on you than the few dollars you throw their way every month for the VPN service, you're deluded. I would never trust a VPN with all my internet traffic. That's just too much of a risk.

1984 , 1 month ago

Ok and if you don't trust anyone, you don't have any protection at all.

Personally I don't trust any big tech companies, naturally. But there are smaller vpn providers like Mullvad that are trustworthy. They are never American.

ExtremeDullard , 1 month ago

Ok and if you don’t trust anyone, you don’t have any protection at all.

Correct. I assume I don't, so I'm always super-careful not to give away any information I don't need to give to begin with. Or I give fake information whenever possible, to pollute the well. For the rest, as the old saying goes, if it's on the internet, it's as good as public.

They are never American.

Agreed. If you have to trust a company with your privacy in any way, don't use an American company. It's not even their fault: they operate in a country that's fundamentally dangerous for your privacy.

My email provider is in Norway. for instance.

Aria , 1 month ago

Not as bad as USA, but companies are required to keep visitor data for 6 months in Norway, and make it available to police on request. Running a no logs VPN in Norway is illegal.

LWD , 1 month ago

Why I just hand my browsing data over to my ISP (and so should you)

Why I let random websites have my unique location-specific identifier (and so should you)

Don't think so

possiblylinux127 OP , 1 month ago

That's not how that works

ShepherdPie , 1 month ago

How does it work?

toastal , 1 month ago

Didn’t watch the video, but… Traffic is often already encrypted with TLS or other encryption & you don’t have to use the ISP for DNS. This would cover a lot of the data you would be discussing. Instead if using these advertized commercial VPNs you are giving the data to those corporations instead which is hardly better in many cases—luckily most of your traffic is encrypted with TLS & you don’t have to use them for DNS …which takes us back to the previous statement for concerns.

There’s still value in VPNs for a several online activities (censorship, piracy, activism, etc.) & threat models to certain folks, but assuming the ISP is the bogeyman in most common scenarios for non-niche use cases is incorrect—but it isn’t how these commercial VPNs are selling themselves. If the ISPs possess the ability to break TLS encryption we’d have bigger issues to worry about & VPNs wouldn’t help. I would assume the video goes in this route but chooses the clickbait title for views.

LWD , 1 month ago (edited 1 month ago)

If possible, I don't want my ISP to know, trade, and sell as little data about me as possible.

FTC Staff Report Finds Many Internet Service Providers Collect Troves of Personal Data, Users Have Few Options to Restrict Us

T-Mobile Employees Across The Country Receive Cash Offers To Illegally Swap SIMs

I know VPNs often exaggerate or outright lie, but they still benefit me in ways I consider valuable.

toastal , 1 month ago

If it’s all encrypted & they don’t have the DNS requests, all they can see is that you sent X bytes to some IP which isn’t very helpful. Who’s to say these VPNs aren’t selling their data back to the ISPs anyhow?

Lemongrab , 1 month ago

3rd Party Audits

toastal , 1 month ago

By who? Who is auditing the auditors? That’s not to say audits aren’t good, but when the code is proprietary, a lot of trust is required. I would prefer banking on solid, open tech which the TLS standard is. There is still use cases for VPNs, but outside like streaming piracy, you might be better served by the Tor network.

Lemongrab , 1 month ago (edited 1 month ago)

Yeah, I don't trust proprietary server backend. Also I2P is a good option that should be less slow under the traffic of thousands of users.

Lemongrab , 1 month ago

Encryption doesn't mean perfectly hidden. Metadata isn't encrypted for HTTPS iirc. And the ISP knows who your sending traffic to since they are routing you there and are usually your DNS. When connected to a good and trusted VPN, all that is hidden, your DNS can't give away your location, and the only server you contact is the VPN

toastal , 1 month ago

What metadata? The headers are as encrypted as the payload. That there was a key exchange between you & a server isn’t too useful.

“Usually” is a strong word for DNS as well since all OSs let you change it & the megacorporations like Google & Cloudflare have already compelled a lot of folks to use their DNS ta resolve faster since the ISP ones are slow (& the smarter, curious folks used that as a launching point to find other provider or self-host). Some platforms have even been shipping DNS-over-HTTPS to get around some of these issues (since the payload & headers are encrypted under TLS).

Lemongrab , 1 month ago

Usually means in 99.9% of typical configurations unless you are a techy or an enterprise.

Lemongrab , 1 month ago

It doesn't matter if they are encrypted if you can sell the data about what the user is doing (eg if your connecting to a shopping website your probably shopping their). Better to obfuscate the source by choosing an endpoint that isn't geographically related and associated with your identity. I only would ever recommend using a VPN that is open source and well audited by a renowned 3rd party auditor(s). https://luxsci.com/blog/what-is-really-protected-by-ssl-and-tls.html

toastal , 1 month ago

Sure if you need that protection, but there is a lot of fearmongering about VPNs that are misinformation to sell products most folks don’t need to be worrying about versus more pressing matters in security/privacy

hatedbad , 1 month ago

the hostname of a website is explicitly not encrypted when using TLS. the Encrypted Client Hello extension fixes this but requires DNS over HTTPS and is still relatively new.

toastal , 1 month ago

Everything after Hello is encrypted tho. The metadata is important, but takes some leaps of assumption to know what that data means—moreso than the metadata of say WhatsApp since the payload could be just about anything & from anywhere, not just a P2P text/multimedia message. And DNS over HTTPS does exist now & has support in all browsers & mobile operating systems. If it’s the hostnames you are worried about, a simple SSH SOCKS5 proxy with remote DNS could work with many older technologies. Not saying there isn’t some worry, but there are solutions now, the ISP is getting close to nothing, & for most folks subscribing to a comericial VPN is not worth giving monthly money to these actors that you probably can’t trust.

possiblylinux127 OP , 1 month ago

You are handing your data over to the VPN. However, with https only and encrypted DNS there is a lot less data to hand over

biddy , 1 month ago

Why would you hand your browsing data to the VPN company? It's just moving the problem.

LWD , 1 month ago

Market competition still exists for them, so they actually have a reason to live up to their promises still