Why VPNs are a WASTE of Your Money (usually…)

Have you ever wondered if VPNs… really do much for

your

privacy and security? You see, I've been using VPN for a long time. Mainly to hide my IP address from the ISP so they wouldn't send my parents angry letters about my internet use. Sometimes I would connect to a sketchy Wi-Fi network and want to make a double connection. It was also helpful to get around geoblocks and censorship when traveling. But there was always something fishy about VPNs, because instead of trusting the ISP you do know, you decide to trust some people in Europe and an ISP you don't know.

I decided to check out what the VPN providers themselves were saying on this topic. “Malicious websites could infect

your

devices with malware, unless you use…” “VPN apps keep your activity and identity private while you browse, stream, email, or download. Protect all your devices with just one click. Yes, Internet security is that easy! I guess hacking the Internet is that easy too. Selling online security and privacy as something to do with VPNs is like telling people that health and wellness is all about face masks, which sounded a bit like snake oil to me, so I decided to take a look. look at the history of snake oil.

And what I learned was really interesting. Long ago, Chinese immigrants moved to San Francisco to build America's railroads and brought with them snake oil from the Chinese water snake as an ancient traditional medicine to treat arthritis and joint pain, as it contains 20% of EPA, a type of omega-3 fatty acid known for its anti-inflammatory properties. Cowboy entrepreneur Clark Stanley began selling it as a panacea that turned out to be beef fat, chili peppers, camphor and turpentine. Stanley received a symbolic fine of $20 from the government, which made him a wealthy man and spawned an industry of other products and sellers like him.

You see, the problem with VPNs is that, like snake oil, they are fantastic in their original form. form and function consisting of joining two remote sites or allowing an individual to securely connect to a different network. The goal is to tunnel the Internet from a less trusted network to a more trusted network. A corporate VPN, for example. It's like entering a wormhole to get from point A to point B, avoiding everything in between. But things start to get complicated if you go from high to low confidence, low to low confidence, or “don't know” confidence. And right now, it feels like there's a lot of fear in this industry.

We got everyday people convinced that VPNs are what they need to stay private and secure, but in reality they're just paying for slower speeds, time spent training machine learning algorithms, and being lumped in with all the spammers and hackers out there. They abuse these services. Sometimes you just have to remind people that most of their web browsing is already encrypted without a VPN and that protecting their DNS traffic in Firefox or Chrome is literally just a click away. I searched the top 1 million Alexa websites and wrote a script to check for HTTPS support and found that most of the top 90k did.

In this range, we are looking at sites like qtellfreedownloadtrader dot com, which I'm sure we all visit every day. Worst of all is when companies want you to install their custom VPN client, forward your DNS to be "leak proof", and even install their certificate authority on your device, which is like charging people so you can act like a man in the -in their midst. But at the same time, isn't there some value in masking your IP address when browsing the Internet? We need to go deeper. When your computer communicates with a server, it sends packets labeled with a source and destination IP.

These traverse the local network and a series of ISPs to reach the final destination. Anything that logs traffic in between can see your source IP address, which can be geolocated to a few zip codes from your home. Your IP is probably shared by hundreds of people and rotates regularly, so it's just a rough location, not where you sleep at night. With a VPN tunnel, the original packet is encrypted and wrapped in another IP header with the VPN server as the destination. The server will unwrap the packet and forward it through its own ISP, using its own IP address as the source.

Devices facing the VPN server can see its source IP, but not the destination. Devices behind it can see the destination but not the source. Visibility zones on the network path are now divided. Or are? Say hello to Elliott. Elliot wants to save the world by being a hacktivist. He uses a VPN to mask his IP address, but he doesn't take into account all this other stuff. Instead of disappearing, Elliot leaves a bright trail for the feds to follow. Elliott goes to jail. The end. Here's the deal. Focusing only on the IP header is focusing only on the tip of the iceberg.

When you look at a network packet, there is metadata present in all layers of the OSI model. Depending on an observer's point of view on your network path, there are different levels of visibility into your packet. Every piece of software you install, whether it's an app or add-on, can be potentially malicious and keeps an eye on your data and activity before you even leave your device. On the local network, there is Layer 2 addressing information that allows technology companies to identify your location without an IP address through WiFi or Bluetooth positioning. Noting the proximity and signal strength of nearby devices with known geographic locations, such as your friend's phone, smartwatch, or wireless access point, can also help identify your device.

The local ISP probably knows you're using a VPN based on the IP header alone. Since, like Tor exit nodes, there is a fixed number of VPN addresses to track in a watchlist. The VPN company and your ISP have the privilege of seeing the actual packet metadata and can fingerprint the device type with IP, TCP, and TLS headers. VPNs may claim that they “don't log” these things, but you can bet that the cloud providers and ISPs that serve them do. There's probably a

money

trail leading to you too, even with Bitcoin. Now the server you will go to;

They can easily tell that you are on a VPN as the MTU size or maximum transmissible unit in the packet will be smaller than usual as we are tunneling one packet inside another. @ValdikSS even has code on his GitHub page that can identify the type of VPN you might be using and runs a proof of concept on his website. Watchlists and this type of fingerprinting help sites like banks flag any VPN connection and deny service to it. But there are also easier ways to track you. I looked at payments company Zelle, owned by another company owned by 7 major banks, to see what tracking methods were listed in their privacy policy.

In addition to the usual suspects like Google Analytics, cookies or social media plugins, there are also ETags, HTML5 local storage, single-pixel web beacons, Javascript and device tokens provided from your smartphone. All of these identifiers are included in fingerprint graphs designed to link multiple IPs, accounts, and devices to a single user for tracking purposes. Advanced actors occupying multiple points of view on a network path can correlate traffic patterns like pieces of a puzzle. If you are at Starbucks using their WiFi, Google records your hardware address, location, timestamp, true IP, Google accounts and services, and then correlates them with your Internet usage.

And if you're the government, you can simply buy or request that data. This video is sponsored by BadVPNs. Forget five eyes, nine eyes, fourteen eyes. They are registered in all countries so that no one feels excluded. They protect your traffic with BES-256, a military-inspired encryption that protects all keys so you don't have to. Selling your data to telemetry partners allows them to offer the low price of $2/month. Pay now with Dogecoin and you will receive a 3% discount. Sign up now at BadVPNs.com. But, seriously. Let's look at the history of a Swiss company called Crypto AG.

Crypto was founded in the 1950s by Boris Hagelin, who invented portable encryption devices for the United States in World War II. He became close friends with William Friedman, the NSA's chief cryptologist, and formed a plan to end the Dark Ages of American cryptology. The company was later secretly purchased by the CIA and German intelligence in a joint venture called "Rubicon", which sold Crypto devices to over 120 governments around the world. They engineered ownership through a series of shell companies that used bearer shares so that no names would appear on the registration documents. All of this was made possible by professional firms like DTG, now known as KPMG, or the law offices of Marxer and Goop, now Marxer and Partners, who were paid to sign the agreements and keep quiet.

They would also operate through covert companies like Intercom Associates or private partnerships with Siemens and Motorola to influence Crypto algorithms. At one point, the operation accounted for nearly 40 percent of the NSA's data collection, generating millions in profits, splitting 50-50 in cash in a parking lot to invest in other operations. Intel from Crypto devices helped the US in everything from the Iranian hostage crisis, the Falkland Islands war, and presidential negotiations. But Crypto was just a target. These guys also owned or influenced everyone else, as long as they worked on crypto teams. This company was clean, but it was the target of smear campaigns because it remained independent.

The interesting thing about Rubicon is that many other countries knew the secret. They went after almost everyone, including NATO partners such as Spain, Greece and Türkiye. Friendly countries like Japan, South Korea... Even Mexico? And of course, Israel always gets the scoop. Let the Germans not spy on their friends. You see, the nature of VPNs makes them the perfect asset for intelligence agencies. If I were to spy on people, I would simply create a few dozen competing VPN companies registered in various offshore jurisdictions with hidden ownership, and then push them as a security and privacy tool for mass market adoption.

It's perfect, since instead of having to collect data from around the world, people will pay for the honor of sending you their data. Or you can just hack any legit VPN server directly and save on marketing budget. Since VPN companies often rent or label their infrastructure to many other brands, hacking into servers has a nice payoff. VPNpro tells us that over 100 products out there are owned by just 23 parent companies, 6 of them in places like China. But wait, why trust VPNpro? Aren't they just another review site? Why is it 9.4 vs. 9.3 stars? Is there really a difference in that tenth of a star?

How do you know they are not just promoting some products while defaming others as part of a complex spy operation? If you look at That One Privacy Guy's VPN chart, which unlike most review sites is actually somewhat independent and doesn't use silly terms like "military grade" crypto, you'll see this boom in VPN companies after Snowden. 2013 era. In the spirit of custom ratings, only 1 in 185 suppliers earn more than 9 stars on my red to green color scale. You may now be wondering, “What are the use cases where a VPN makes sense?” Should I try to mask my IP address?

How can I stop them from spying on me by doing this?" Before you can answer these types of questions, you first need to figure out what your threat model is. Are they cybercriminals? Big tech companies? Your government? Develop the right threat model can help Adjust your level of paranoia accordingly so that you are not overweight or underweight. For most people, practicing digital hygiene and cleaning up your online identity is not that complicated. Use a unique password for each site. unique email for each site. Security tokens for two-factor authentication. Use random answers for recovery questions. Review all your account settings.

Sanitize your social networks. .codes without analyzing them first. Set a business address to not receive mail at home. Keep applications to a minimum and avoid pirated software. Use a host-based firewall to alert on outgoing connections that you must manually verify for each one. application. If you are traveling and are tempted by Wi-Fipublic, simply bring your own Internet via a portable hotspot or by connecting to your phone. None of these options involve using a VPN, but they do much more for your overall security and privacy. Now, don't get me wrong, but there are cases where you should probably mask your IP address.

Bypass IP blocks to watch Netflix, bypass national firewalls, bypass download limits, perform offensive security assessments, perform OSINT and investigations. Maybe you just want to keep your home IP address out of breach dumps so people can collect it and target you specifically. In these cases, I highly recommend renting a cloud VPS and doing it yourself, whether it's Wireguard, ShadowSocks, a web proxy, or even a good SSH tunnel. This way you will understand the technology a little more and will now use a wormhole that you created and be able to personally control some of the exit node infrastructure.

But wait. Do you remember that one out of every one hundred and eighty-five? The team behind that provider seems a little more reliable than the others. I'm not going to say who, but I will share some things to consider if you don't want to set up a VPN yourself. That's how you find a good VPN, and that's two things: humanity and reputation. Humanity means knowing the people who actually own and operate a service. You can communicate and they will talk to you. The more shell companies, anonymity and third parties are involved, the less human it becomes.

When things go wrong, it's easy to choose not to be held accountable. Reputation takes years to build and a moment to lose. If a vendor is new, it's hard to imagine that you've worked hard enough to develop it. You want people who are honest about their mistakes, who communicate early and often, and who take steps to fix things, even if it means enormous self-sacrifice just when it's really inconvenient to do so. You want people who have skin in the game, who personally use their own products so there is an incentive to protect and improve them, with something valuable at stake.

If there is enough humanity and reputation to trust them with your mother's purse. So maybe, just maybe… you've found a good VPN.