Barrett Lyon

@nirzuk Data is a data problem

For a long time, “data” in cybersecurity meant logs and events. As that definition expanded, most systems continued to operate on a limited view of data. Cybersecurity is now a data problem. Read my thoughts here: open.substack.com/pub/cylake/p/y…

The current internet is a mess due to NAT and CGNAT; the idea is the Internet can be both open and private at the same time. The best part of the Internet is there is no privacy and the best part of the future is there can be both at the same time.

I've started multiple companies around global traffic: DDoS mitigation, large-scale video streaming, network visibility. When I say the current internet wasn't built for privacy, it's because I've spent 20 years staring at its guts.

From a threat-model perspective, a random VPN exit node is often worse than your ISP: less regulated, less accountable, and more incentivized to quietly monetize whatever they see. Exit nodes that are not network controlled by the VPN provider are honey pots.

The industry loves to point at one or two heavily audited providers as proof the model is fine. Meanwhile the long tail of "no-log" services ranges from sloppy to outright hostile. Continuous audit by AI will show the true extent of their depravity.

Researchers found most mobile VPN apps leaked traffic, and a chunk didn't encrypt at all. Leaking is easy because most VPNs don't support IPv6 properly. That leaks real quick on mobile networks. Their behavior is gross. It's clear NordVPN leaks everything because they allow CloudFlare to decrypt their traffic between you and their origin servers. It's all just a bunch of words, no actions. gist.github.com/herwy/040f7af2…

Re the situation in Russia, most VPNs get blocked because they were never designed to be unblockable. They either use basic tech and don't support hardcore covert communications or they get blocked in the app stores. However, there are ways around all of that. More to come soon..

Even though your VPN says they don't track anything, that doesn't mean the follow through with it. VPNs like NordVPN or Mullvad use 3rd party services that often have flow monitoring.... really the SNI requests, DNS requests, everything you do leaves a trace. Do they monitor it? Who knows. Is it there? Yes.

Your VPN can see EVERYTHING about you: IPs, timestamps, servers, session lengths, and more. What devices you have, what time you wake up, what sites you go to, what you're doing, all your unencrypted stuff, the job you have. It knows more about you than you know about yourself. Even more... they see all your dns, what you request, what you download, even if encrypted. SNI requests are not, which means every site you visit they see. Do they log? Who knows? Can they deploy anti-log software when they're audited? Yes. Can that change after? Also yes.

Why would you trust NordVPN more than your ISP with your bits? Moving your data to a shady VPN isn't the way to go, VPN tech is good but the players behind them may not be.

"End-to-end encryption" from an app like WhatsApp, Telegram,etc doesn't mean peer-to-peer. It means they have servers in the middle and use E2E (who knows what kind of encryption) to make you feel special. It's all your #$%^& on our servers, eat it human.

"No-log" VPNs have been caught leaking user data or keeping connection logs that were handed to investigators. What's worse is they lie about where their servers are, and their GEO location is pay-for-play to save costs gist.github.com/herwy/040f7af2…

A lot of ‘privacy’ services like VPNs totally expose their customers’ data by sending it to CDNs for full description. How the hell can they say they care about customer privacy when their APIs are proxied via a 3rd party?

"We don't log" is BS. VPNs allow 3rd party tools all over their products, which means they allow everyone else to log you. They give zero fucks about your privacy. The only safe assumption: every VPN provider logs something.

Big win for ISPs, but more importantly for privacy-focused networks. SC just confirmed neutral internet providers aren't on the hook for users' piracy w/o clear proof of inducement. If this had gone the other way it would have been like road owners being sued for getaway cars. Huge validation of what we're thinking about. latimes.com/politics/story…

A commercial VPN is just a proxy with better UX. All your traffic still terminates on someone else's box. They see everything your ISP would see, and more, if they feel like it. gist.github.com/herwy/040f7af2…

@Apple please fire the designer that thought it was a good idea to make the iOS keyboard lowercase. Usually I love Apple design but this go around you guys made an ugly mess.

You can’t switch your DNS to your backup/recovery plan to switch off of @CloudFlare if you can’t reach the DNS panel also hosted by CloudFlare. #outage #cloudflare #baddesign #oops

@ProtonVPN You guys should check out beta.doxx.net - Free BETA VPN.

5PM - PornHub blocks France from accessing its website 5.30PM - @ProtonVPN registrations increase by 1,000% For context, this is more than when TikTok blocked Americans.

@RobertWelsh It seems so obvious to me that a gifted jet for a temporary Air Force One is a very bad idea.

@BarrettLyon It will be so buggy I'd be surprised if it gets through quarantine 😂