Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

I can't help but notice that NordVPN is one of the most heavily advertised VPNs from what I've seen (which raises the question, as one researcher pointed out in the article - are they not spending enough money on their security and infrastructure to protect their users?). They are claiming that: "no-one could know about an undisclosed remote management system left by the [data center] provider".

Apparently the hacker was able to find out - so while it may be unknown, it's not an impossibility to detect it. Beyond whether or not sensitive information was accessed, what will NordVPN do in the future to eliminate or mitigate the possibility that this will occur again?



I find NordVPN's marketing reprehensible. Too many claims and broad strokes about the "anonymity" their service can provide.

While I certainly would recommend that US consumers use a VPN router to prevent their ISP from selling data, I think NordVPN really overplays the role of changing IP addresses in the age of browser fingerprinting.


> I find NordVPN's marketing reprehensible.

A claim that really, really bothered me was something along the lines of "use us and no one will be able to read your email!" Every mainstream email provider (Google, Yahoo, Microsoft, Apple) now require HTTPS for emails. No one was ever going to be able to read your emails.


I normally don’t mind YouTube ads all that much, and I don’t see them on desktop browsers anyway.

However, I was bombarded with ads for NordVPN and their crap made me so angry it pretty much sold me a paid YouTube membership.

Hard to relax with some totally not weird ASMR when my blood pressure is through the roof because some chirpy ad agency dude wants to show me how much a VPN is like an umbrella or whatever.


> However, I was bombarded with ads for NordVPN and their crap made me so angry it pretty much sold me a paid YouTube membership.

For me it was those incessant Grammarly ads. A service, by the way, that has its own serious security and privacy concerns[0].

(I feel like YouTube Premium ($18/mo for up to 6 people) is a better deal than Spotify Premium ($15/mo for up to 6 people) for a household like mine where we listen to a lot of music and use YouTube a lot. I don't know how YouTube compares to Spotify when it comes to music selection however.)

[0] https://news.ycombinator.com/item?id=16315684


Yeah, Grammarly is creepy as hell. I've explicitly banned it (and similar services) at work.

As for Youtube music, yup, that's undeniably a good deal. The music services should watch out, especially in younger demographics (I'm already 30+, Spotify premium user since 2009). Apple will probably push Music even harder and bundle that with their new video streaming. Spotify's really trying to become the defacto podcast service, which sucks in its own right (unlike Apple Podcasts, no user facing RSS support for indie premium content etc. Podcasting is the last free rich medium on the internet, largely thanks to Apple).

As for music, I'm too deep in the Spotify ecosystem myself, with stuff like proper Last.fm integration, recommendations and consistent audio quality.

I can't really enjoy music with that mushy sound typical for content that has been lossy-lossy transcoded tons of times. Of course, I have to deal with that for all the awesome live takes[1] available on Youtube, and there I'm of course just grateful they exist.

Spotify's audio didn't use to be all that great, except with the normalization turned off. Now with their 'quiet' normalization option, that doesn't compress quiet tracks (a clear edge over Apple Music), it's starting to sound transparent to me, as -q 9 encoded (~320 kbps) Vorbis should.

Youtube doesn't allow disabling of normalization at all, and it's not super clear to me when tracks are clean encodes sourced from the proper music distribution ecosystem that stocks Spotify, Apple Music, Tidal et al.

1 - https://www.youtube.com/watch?v=E4V66UP4aDs


> ...it's not super clear to me when tracks are clean encodes sourced from the proper music distribution ecosystem...

Isn't that kind of the point? If you can't tell which is which without a visual cue (aka bias-generator) then they sound the same.


> If you can't tell which is which

This isn't a comparison test. There's only one version uploaded. With only one version, it's hard to tell if many flaws you hear were introduced by sloppy uploading or if they were present in the master.


Yes! Which is why you won't hear me waste a whole lot of breath yammering about lossy compression.

I'd sure pay Spotify extra for lossless, because I'm weird in ways I'll reveal below, but I agree that people should give lossy compression a break. Well-encoded AAC and Vorbis averaging over 256 kbps are very transparent-sounding, in ways that never was possible with mp3. If I put in time, I get 5/6 right in this famous test from NPR's website[1], just because mp3 is awful and ancient.

But I double dare anyone to blind test Opus as low as ~128 and ~160 kbps and working upwards, with decent gear. Having grown up with shitty mp3s, it feels like magically good. And it's free software.

Even lossy-lossy transcoded AAC and Opus, which Youtube uses for a lot of stuff, sounds shockingly fine, most of the time, on most equipment, if the original copy was ok to begin with. All this is mostly passable, especially as background music.

That is, until you run into special circumstances, like listening attentively with halfway-decent equipment. Spotify's default normalization mode sometimes can adds dynamic compression, which sounds bad in itself. But this can make artifacts stand out in ways shouldn't (thank god for the 'quiet' setting, added sometime in 2018). This is especially true with poor source material, for example the stupidly bright 90s Led Zeppelin remasters, which still float around on tons of curated Spotify playlists, despite being superseded by really good releases.

So what I'm trying to say is that I want to maintain a music library I can pull up on any device and expect consistently good quality during playback. Take my little hobby I discussed here as an example (that is, me and my friends independently inventing the Japanese audiophile parlor/café concept) https://news.ycombinator.com/item?id=20583900

Just because I can't hear a guitar riff getting slightly distorted or hi-hats smeared when I listen at work, doesn't mean I won't hear it with in an acoustically outstanding room with 5k worth of audio gear. This problem is very pronounced with Youtube material when there's a poor supply chain, so I won't add a bunch of random garbage from Youtube in a playlist on the tram and expect to actually enjoy it later as I'm leaning back in a proper listening room.

Spotify, on the other hand is relatively close to providing a universally sane way to access music on any device.

1 - https://www.npr.org/sections/therecord/2015/06/02/411473508/...



> Spotify's audio didn't use to be all that great, except with the normalization turned off. Now with their 'quiet' normalization option, that doesn't compress quiet tracks (a clear edge over Apple Music), it's starting to sound transparent to me, as -q 9 encoded (~320 kbps) Vorbis should.

What annoys me is they're mixing together two features (namely normalization and dynamic range compression) and putting them behind one toggle.

I want normalization, it's hugely annoying playing music on my PS4 because the Spotify client doesn't have it there and I constantly have tot tweak the volume.

I do not want compression.

But on my phone and computer I have to use their 'normal' normalization level and take the compression because 'quiet' means I am constantly turning up my sound level when listening to Spotify and turning it back down when I do anything else so my ears don't get blasted.


Sigh, yeah, that's actually a great point. Wonder how many great pairs of ears have been ruined by opening a random youtube tab while Spotify is playing with the quiet normalization mode enabled.

And just like the PS4 example, it's just insane to me that Spotify Connect doesn't mandate normalization.


Really helpful guidance on the audio quality considerations, thank you!


I'm torn for this reason: I want to avoid ads, but I don't want to give Google any more money. It's unfortunate that YouTube is really the only one of it's kind.

For the moment, I get around this conundrum using a combination of uBlock Origin[0] (Firefox) and NewPipe[1] on Android. Not 100% sure what I'll do about the latter when I switch to iOS.

[0] https://github.com/gorhill/uBlock [1] https://newpipe.schabi.org/


> I don't want to give Google any more money.

I guess I'm on the opposite side of the spectrum. I want to opt-out of being the product and instead be a customer by paying for "Google Premium" or whatever. It would be an "all things Google" subscription, not just YouTube. Any place there would normally be a Google-curated ad... there wouldn't be one. No more ads at the top of my Google searches. No ads embedded in web pages I visit (rather, Google pays the content provider some fixed amount from my account balance or whatever -- after prompting me to authorize it). No tracking, no "value-add," nothing. Just, "Here's my money, provide me an equitable and reasonable Internet experience that makes sure content providers get fair compensation, and otherwise leave me the fuck alone."

And, most importantly, that would mean that I could never be locked out of my GMail account without a fucking handwritten letter on Crane & Co. stationary with a direct phone number to a human being who I can talk to about whatever is going on.

You could argue that you'd just be paying a gestapo-like figure for the "privilege" of doing stuff that "should be" free. But you're already paying, in the sense that you're the product, and your time and attention is the currency.


I'm game. What should the monthly price be though?

Considering that it needs to make actual money (and the streaming royalties for music are kinda expensive).


I haven't bothered with music lately but last time I did I just went to my pc grabbed an updated version of Youtube-dl and went to my playlist and downloaded all the songs. Then I put those into itunes and synced them to my phone. It was pretty straight forward and youtube-dl is great it works on other video services as well.


I'm curious what your thought process was on this. It sounds like you're saying you want to use their service but you don't want to pay for it. Is this a moral argument for you, then?


You don't have ad-blockers on all devices or for their app. I'm on iOS and I like using the app since Premium allows for playing stuff in the background, plus downloading stuff for offline viewing. You can't get that in Firefox with uBlock.

I find some of the anti-Google arguments to be really, really weird and I've been speaking against Google on this website countless of times.

If you don't want to be tracked, you're going to be tracked for as long as you're a free user. uBlock Origin will not save you, since you're on their website and you can't block "youtube.com".

Also Google is a big target and subject to laws such as GDPR. I actually trust Google more than I trust any startup advertised on HN, because Google is a big target with a lot of eyes watching. When you go to your profile and turn off the data collection, you can probably trust Google more than you can trust DuckDuckGo.

This isn't to say that you should trust Google. Not what I'm saying.

But paying a membership is voting with your wallet against ads. By not paying you're simply encouraging them to serve more ads. And the break you're getting via uBlock Origin is only temporary. If the audience using ad-blockers on Android grows, I expect them to simply block browser access, problem solved. And because you used YouTube anyway, it means you haven't payed for their competition either, which means you directly contributed to YouTube's monopoly, without encouraging them to give up on ads in favor of Premium memberships.

It's basically how software piracy used to work. Piracy was never a problem for the big companies like Microsoft, piracy being responsible in part for Microsoft's monopoly. And when piracy became a problem, software companies simply moved to online subscriptions. There's always a solution for milking free loaders later.


> I like using the app since Premium allows for playing stuff in the background

I remember vividly the day (sometime in 2013?) when they removed that feature from the base app. I had been streaming music or casts from YouTube in the background since day 1 of my iPhone 4, and suddenly it became a paid feature.

"Bastards", I thought with a smile, "but hey, fair enough! Ok, now where do I pay?..."

Except that outside of the US, premium wasn't available. So they had removed background play but offered no alternative. It lasted until 2017!! Took them 4 years to bring the premium offer to Europe... what a shame. That fueled some resentment, as a wannabe customer. Any gave more than enough time to find better alternatives (Spotify, youtube-dl...) and never look back.

When they finally introduced premium in my country, I took the free 3 months offer and cancelled immediately thereafter. They don't want my money, 4 years made that emphatically clear.

I may reconsider after 2021, on the condition that management has changed at YouTube and Google. Right now, I'm just not feeling it.

Google is just awful at marketing stuff and customer service. They plain and simple don't care. That's monopoly for us: customers lose, always. So I find it both logical and "the right thing to do" to spend my money to directly support creators and alternative platforms whenever I can.


> I like using the app since Premium allows for playing stuff in the background, plus downloading stuff for offline viewing. You can't get that in Firefox with uBlock.

But on firefox you can get play in background with this:

https://addons.mozilla.org/en-US/firefox/addon/video-backgro...

Edit: Firefox on Android. I do not know about iOS


I’m on iOS and I just deal with the ads. There’s a lot and I guess it would be more annoying if you were used to no ads, but it’s manageable. I’d pay for a video service if the company didn’t track me, but I’m resistant to paying for services and also being tracked.


Do you think they would get more money by monetizing you with a credit card than they do by monetizing with ads? I hear this argument that people don't want to pay with money as opposed to attention, and I always feel the opposite.


I feel like I would love to pay for a video service that didn’t support surveillance and mass data collection. Or that provided user transparency on what they did track (obviously some level of user tracking can improve a service meaningfully). That said, I don’t for example pay for Vimeo so I suppose there are network effects. I’m on YouTube because everyone else is. That said I regularly publish YouTube videos but have not enabled monetization. Not all youtubers can afford to do that but it’s a small thing I can to do help.


I realize this is probably not the point of the preceding two comments, but does nobody here use an ad blocker? uBlock Origin is great, or NewPipe for YouTube specifically.


We were just complaining the other day about tech companies being run by the marketing folks.

If you were a State, wouldn’t you be attracted to organizations that seem to be market driven? First, they have brand recognition, so they’re a fat target. Also they’re signaling hard that the engineers aren’t in charge. Probably more likely corners are being cut and morale is low.


Use hooktube & adblock


Looks cool, but feeling slightly twitchy about going anywhere near that with my Google account after last week's news https://news.ycombinator.com/item?id=21247759


That guy was a troll. Many of us have been using youtube-dl extensively every day for years without any trouble.


Why would you think he was a troll? I've had my google account suspended without explanation.


Read the comments. The claimed suspension message was extremely unlikely to be real.


I speak Finnish, and if I'm 'google cancelled my main account'-level pissed, I just might pick a username very much like that for a site I don't really want to be on in the first place. Maybe a cultural thing. So that argument is moot.

Agree with ryanlol's comment here next to mine on the rest. I'd really want more clarifications before I touch third party Youtube clients while logged in (which I want to be, for recommendations etc).


FWIW I don't think there's necessarily any link between his account getting suspended and the youtube client. Google suspends accounts for all kinds of weird reasons.

It seems really weird to me to assume that this is a troll, the other issues created by the user over a couple of weeks seem legit. I think this is just some slightly confused person trying to figure out why their account was suspended.

I get lots of legit bug reports from customers with strange inconsistencies like this mixed in, they definitely aren't trolling.


I don't think "confusion" can explain his claim to have received emails attributing his ban to his use of a youtube video downloading software. He's not provided any evidence of such emails and numerous people who've been banned by google seem to think it unlikely that google would deign to explain why they banned somebody in such detail.

I don't think the emailed explanation exists, and I don't think confusion can explain why he'd say it exists, which leads me to conclude he's lying.

(And really, if such bans were genuinely a threat, more than one person would be complaining about it happening. Tons of people use youtube-dl and newpipe (including many youtube creators who do commentary on other youtube videos) and there's this single guy claiming to have been banned for it. It doesn't pass my sniff test.)


IDK, I see weird claims like that from customers all the time! They see non-existent error messages with ridiculous texts. There's constantly weird inconsistencies like this in descriptions of real bugs.

I just assume that these people are very confused and not good at english.


Well, maybe he's a troll or maybe he's just confused or delusional, but either way I don't think the claim that google is banning people for using youtube-dl or newpipe should be taken seriously at this moment. I'm certainly not going to stop using youtube-dl.


I have read the comments, I wouldn't be so sure.

>First I got an email from Google saying that I was using 3rd party app outside of Play Store to go around Youtube ads

I absolutely do not believe this part, but I'm willing to dismiss this as confusion on the users end.

However, the rest of the comments by the user accurately describe how google account suspensions work. The same user had also created some rather reasonable issues before this one.


NewPipe is free.


No adblock?


Yes, on desktop. Harder to achieve with the mobile app.

And as it happens, I don't use a desktop OS to play stuff that helps me fall asleep.


Just use firefox on mobile it has extension support



Ouch a win for android here then


I want to read my own email.


> No one was ever going to be able to read your emails.

Except for Google, Yahoo, Microsoft, and Apple of course, and whoever they have to answer to depending on where you live.


A VPN won't change that


> No one was ever going to be able to read your emails

As long as no one practiced a trivial mitm attack on your network and that you have a browser that does not try http first when you type in your webmail.com or that no one rubber duckied a custom CA certificate in your browser ...


> I certainly would recommend that US consumers use a VPN router to prevent their ISP from selling data

I wouldn't. Much of the web is moving over to https, VPNs are hit-or-miss on whether they route DNS requests, and having to deal with blocked websites because of abuse isn't worth it. That, and you're trusting the VPN to not sell your data.

> browser fingerprinting

I mean...your IP address changes on cell networks all the time. Browser fingerprinting is still an arms race, but if you're actually concerned about something, either do whatever Torbrowser does or use the most popular iPhone.


A VPN isn't itself secure. It's only a secure tunnel. If the VPN's exit is insecure, then you're insecure. DNS-Over-HTTPS hasn't reached ubiquity yet but VPNs are very useful but are having a reckoning with serverside attacks and governments demanding "oversight" and backdoors (like the recent move by China on foreign owned but China-located companies VPN usage).


>either do whatever Torbrowser does or use the most popular iPhone.

Using a iPhone does not preclude you from being blindsided, as illustrated by a NordVPN bug, which was exposed a couple of weeks ago.

Here's how it works:

The user first connects to 1.1.1.1 with Warp, then disables the app without turning off Warp. Then, when connecting to a NordVPN server with ikev2 protocol, the iOS device will report as being connected to NordVPN and secured, without actually being connected. In other words, you're connected and protected, but you're not.

https://www.theregister.co.uk/2019/10/05/security_roundup_oc...


Using an iPhone "prevents" device fingerprinting because the configuration is so common.


HTTPs will not stop Google from logging your IP + activity on their services. I'm not convinced that ad-blockers are 100% effective in disabling trackers either. One of the appeals of VPNs is that you have multiple points of exit and they rotate.


Google can track you fairly effectively even if you’re behind a VPN. I’m not sure if they choose to at this time, but if a significant population switches to hiding behind VPNs, they will turn on the finer fingerprinting means.


>Google can track you fairly effectively even if you’re behind a VPN.

You don't know anything about my setup, so you have no basis for claiming this.

On the other hand, if you have an exclusive sticky IP, you will be tracked all the time. And even if they don't do extensive fingerprinting right now, they can always go back and look at basic HTTP logs.


> You don't know anything about my setup, so you have no basis for claiming this.

Sure, but the discussion isn't specifically about your setup, it's about the advertising claims that a VPN will help prevent tracking. Which is totally bunk.

> On the other hand, if you have an exclusive sticky IP, you will be tracked all the time. And even if they don't do extensive fingerprinting right now, they can always go back and look at basic HTTP logs.

Tracking with IP is honestly hardly tracking at all. With local network NAT and CGN your device IP will not be unique at all. With modern tracking, your IP will be just another couple bits of entropy, and most certainly not enough to pinpoint traffic to individuals in a robust and scaleable way.

The only tracking protection that a VPN offers is preventing your ISP from seeing your traffic, and making it harder to pinpoint web traffic to you as an individual (assumging you VPN provider doesn't have logs)


Local NAT does barely anything for an average household, and I'm not behind CGN. My IP is extremely pinpointing, way more than a "couple" bits.


>Tracking with IP is honestly hardly tracking at all.

There are many, many cases where this is patently false.

For example, correlating different devices by IP is a very common technique advertisers use for establishing cross-device tracking profiles.


Hint: They ain't. You can still create unflagged CNAMEs for many trackers and Ad Networks.


> Much of the web is moving over to https

Yes, but US consumer ISPs, to the best of my understanding, still have this nasty habit of tracking and injecting code whenever they feel like it. HTTP is still a thing.

Also, if the point is to avoid an ISP snooping on metadata for profiling, HTTPS adoption is good, because it encrypts real session data, but it does not stop data collection.

Remember that DNS goes in the clear, until browser and OS vendors decide to turn on DNS over HTTPS by default on consumer devices. The ISP industry, being assholes, have already started to make DoH appear somehow controversial, and they're probably going after google on antitrust grounds. [1] [2]

But even with DoH, we're still going to be stuck with SNI, which spells out the target domain of every HTTPS connection in the connection metadata. And whenever encrypted SNI is in place, services on the internet that aren't behind a CDN are still going to have identifiable IP addresses.

That's user data perfect for profiling and reselling.

So, to really give ISPs the finger, the user must use a VPN.

> VPNs are hit-or-miss on whether they route DNS requests

Major consumer VPNs, even clowns like NordVPN, have gotten pretty good at ensuring sane confs in their provided clients. I wouldn't rely on their kill switches etc for serious opsec, but it's enough to give the finger to an ISP.

On the other hand, the point of a VPN router is precisely to have everything go over a tunnel, including DNS.

It's not ideal to tunnel everything, but it's up to US consumers to make that choice. My suggestion would be to campaign to drive up VPN use on consumer broadband connections, just to fuck with the ISPs.

> That, and you're trusting the VPN to not sell your data.

This is an important point, and also why one would choose a VPN that relies on a reputation of not selling data.

> Browser fingerprinting is still an arms race, but if you're actually concerned about something, either do whatever Torbrowser does or use the most popular iPhone.

Yes, it's an arms race, and the point is to make life as hard as possible for the tracking industry. Nothing is perfect.

Tracking cookies don't go anywhere in a convenient to use browser setup, despite the shoddy claims from clowncar VPN companies.

While Tor is great, it's slow and not advisable as a daily driver browser connected to the user's normal online identities. For most users, sane use of Tor Browser would be special purposes, like researching medical concerns you don't want tracking companies to connect to you, and similar.

1 - https://arstechnica.com/tech-policy/2019/09/isps-worry-a-new...

2 - https://crsreports.congress.gov/product/pdf/IN/IN11182


They’re also not based in a Nordic country, which I find misleading.


> They’re also not based in a Nordic country, which I find misleading.

Ironically, Lithuania is a part of Northern Europe, but because of the data retention laws they have to pretend that they are based somewhere else[1].

[1] https://vpnscam.com/wp-content/uploads/2018/08/2018-08-24-09...


For awhile, my brain conflated it with [OpenVPN-NL](https://openvpn.fox-it.com/about.html), a publicly-available, hardened version of OpenVPN used by the Dutch government.

You can't really blame NordVPN for that (I mean, the Netherlands aren't even a Nordic country, my brain is just broken), but it's a data point.


"no one could know" is ridiculous. A proper security team vets all of its vendors and ultimately writes security issues like this into contracts.


That supplier may be in violation of their contract. If Nord put in that there are to be no undisclosed methods to access the supplier system they're renting, and there are, this doesn't change any facts about the incident here.

If I was a Nord user, I wouldn't care that the supplier will refund Nord their service charges.

I don't think "no one could know" is ridiculous on it's own. Think about the level of access you have to ensure AWS or Azure is truly secure... none.


AWS has external auditors verify their policies, procedures, and actual methods meet a wide variety of compliance requirements from many different agencies. The level of access those auditors and other verification methods have to AWS is not none but very significant.

https://aws.amazon.com/compliance/programs/


Yea, but my example wasn't access that auditors have, it's you, as a client.

Now on topic... You could argue that Nord perhaps was a bigger client than you or I am to AWS, and maybe they should have had better access, but the fact of the matter here is that it's absolutely possible that Nord is being accurate when they say "[we] could not have known".

Contract violation or not, you should never have full 100% confidence in someone else's system. If I was Nord and renting cloud I would absolutely assume there were undisclosed accesses, as I bet they are viewing everything now.


As a client I can ask for policies, records, 4th party audit reports, etc and choose your vendor based on their ability to answer and the quality of answers.

It's not about contract violations if something like that happens you don't know about, it would have to be willful deception and incompetence of several organizations.

"we could not have known" is an answer you get when what you really mean is "we didn't think to look". If something like this happened and you had done the right things the message would be "vendor X violated their policy, our contracts, and auditors A, B, and C failed due diligence requirements here and here"

"We could not have known" as a response means no one should trust NordVPN because clearly they think they're helpless which means they aren't clever enough to trust my data with.

> you should never have full 100% confidence in someone else's system

Of course.


That page looks impressive but there is no way to casually verify that what they are talking about actually happens (on a quick check). There is simply so much info there you'd have to spend considerable time trying to track down what is needed to make sure it's actually legit. [1] Of course with 'assume' with AWS it is and it's meaningful but my point is if someone else were doing that people might simply 'check the box' and say 'ok they have this handled'. Might not be the case.

[1] Edit: Story today about Amazon and expired baby formula:

https://news.ycombinator.com/item?id=21310697


As for [1], the FTC etc. do a bad job of regulation, especially of Amazon. I actively do not trust Amazon to sell me things I ingest.

>there is no way to casually verify that what they are talking about actually happens

I have first hand experience working in more than one organization with security departments which did this sort of verification of vendors. Usually as required by law.

And the opposite was true as well, working in organizations which were beholden to those kinds of compliance requirements and to customers (and investors) verifying them.

It is indeed a long process with a lot of work. That kind of "box checking" tends to happen sometimes but not in an inventing reality way but a cargo cult way. There is enough surface area of these regulations though that you can't just get away with a song and dance, you end up actually having to do the right things.


Rereading your comment, here is one easy verification method for one of the programs: literally a marketplace of compliant services by the group which does the verification.

https://marketplace.fedramp.gov/#/products?sort=productName


Also they could have used their own hardware. So this is not an excuse.


Honestly, I don't think it's exclusive to NordVPN, I've found that all VPN advertising has increased significantly in the last year or two. Noticeably, ExpressVPN is also everywhere. Almost every podcast or youtube video has some VPN ads in it. It seems like with the recent focus on privacy, they are really these two companies and others are really trying to make a run for it.


Is VPN advertising increasing due to content restrictions from online streaming services?

If you travel overseas, you can't access Netflix, AmazonPrime Video, etc. so a VPN service allows you to still use your service while you're away from home.

And then sports streaming. You can sign up for a yearly subscription to watch sports, but not the teams closest to your physical location due to local blackouts.

Utah is in a terrible place too. No NFL, MLB, or NHL team. But the closest teams are all blacked out from streaming services.


I've found that using a VPN reduces my streaming ability. Using Private Internet Access in the past I was forbidden from watching anything on Netflix. Also I was forbidden from editing Wikipedia even on an old account with positive editing history.


Netflix (et al) are blacklisting some common VPN's IP ranges. If that fails, they use some DNS tricks to route the requests to your nearest geographical API and if there is a discrepancy between your IP's location and endpoint's location, they block the requests too. It is possible to overcome, but with some work.


Yeah tried to fool Disney+ and most things failed. Even routing through my own private VPS didn't work. They're definitely getting much better at it.


Maybe it's one of things where there's hundreds of "dedicated server providers" but really it's all the same thing just rebranded/resold, sometimes under one entity[0]. I've seen this rebrand/resell behavior with proxy services, people search engines, etc. I don't know much about VPN providers but I'm guessing they share or pipe into each other since there's so many of them.

https://en.m.wikipedia.org/wiki/Endurance_International_Grou...


The fact that NordVPN advertise so heavily, and get so many youtubers to sell it, is exactly why I will never use the service. It is way too on the nose. They heavily sponsor PayMoneyWubby who also does a great job at de-anonymising a group of youtubers.

The last VPN you ever want to use is the one that is heavily on the market.


while I don't disagree with you, I am wondering why you would think that? I don't understand what "way too on the nose" means. Are you saying that because they are big makes them a bigger target?

If anything, I would think the larger the provider the more resources they would have to provide a stable and secure service.


If someone hacks a VPN, what are the implications for the users?

As long as you're using HTTPS, you don't have to worry about your passwords or session tokens being stolen, right? Is it just your DNS records and unencrypted HTTP traffic?


It depends on what you mean by 'hacking' a VPN. One assertion in this breach is that the NordVPN certificate private key was leaked, allowing anybody to spin up a NordVPN server that would pass HTTPS certificate validation (the cert is expired, it's currently unknown if the cert was valid for a period of time after it was compromised). This kind of an attack would let an attacker convince most users to download viruses, input credentials, etc.

Nord says that the above issue was caused by a data center breach. Depending on the company this may mean a leak of user info (account details, emails, etc) and password data (generally secure hashes, but often insecure/near-plaintext passwords).

There's a lot that can go wrong here even before considering the MITM vector. As far as that goes, you can generally trust that well-secured sites (Google, Facebook, etc) won't allow someone to steal your session tokens/passwords. There is a high likelihood that a malicious VPN would achieve script execution on your machine in a short period of time.


Let’s not forget that if they’ve got to a point where they can breach a private key they’re at a point where they’ve probably dumped hashed user creds and contact details, and probably gained persistence on breached hosts, too.


> probably dumped hashed user creds and contact details

Not if the hacker only got access to relay servers.


If you're a user of a VPN service, if you're not worried because you were using HTTPS then why would you be bothering to use a VPN in the first place?


> I can't help but notice that NordVPN is one of the most heavily advertised VPNs from what I've seen

Which already means it's the least valuable.




Consider applying for YC's Fall 2026 batch! Applications are open till July 27.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: