Skip to content

Browsing without a VPN? Think Twice...

Moved Security
  • @phenomlab The topic presents many a sticky wickets. I need to focus on else for a bit but will try to oblige in next couple days.

  • @gotwf no problems. Thanks

  • @phenomlab said in Browsing without a VPN? Think Twice...:

    vpn.webp

    Why is a VPN so important ?

    Picture this. You’re surfing the web at home, minding your own business, and suddenly a raft of unexpected adverts relating to what you’ve been looking at on the web appear in front of you as soon as you visit another site, or perhaps take a break and come back to your browser session later… As invasive as this sounds, it’s not uncommon by any stretch of the imagination - neither is the sale of your browsing history to third parties - and even worse, such activity isn’t illegal. Ok, so your smart… you open an Incognito browser session, so now nobody can see what you’re doing, right ?

    Wrong.

    The Incognito browser session doesn’t record anything locally on your PC, and will destroy all browsing evidence as soon as you close that tab, but don’t be under any illusion (or let anyone convince you otherwise) that your browsing activities are masked from the outside world. They aren’t. All internet requests will spool through your internet service provider. They can see all of your browsing activity, what sites you’ve been to, what you’ve been looking at etc, etc. so full privacy in this case is a misconception. The only way to stay truly anonymous anywhere in this digital world is to live completely off the grid in a forest somewhere. No cell phone, no address, no internet, nothing - especially not social media. However, whilst we all want privacy, yet have no real intentions of getting back to nature and basics in order to maintain that, what’s the next best thing ?

    Use a VPN to surf the web

    The foremost solution to the privacy conundrum is to use a VPN service to surf the web. Your ISP (Internet Service Provider) will know what IP Address you have been issued, and will see that you are connected to a VPN service, but owing to the nature of the traffic being encrypted between your machine and the VPN endpoint, the ISP will not be able to see or inspect any of the resultant traffic. Sounds great, right ? Yes, of course it does, and there are plenty of providers out there that will offer this service relatively cheaply. A VPN is also used to work around GEO fencing (geographical restrictions applied to services such as Netflix to prevent access to US based content from another country for example) - when you are connected to the VPN, you are connected to a US based endpoint, meaning Netflix thinks you are in the US, and then serves the content as a result. Netflix has some of the toughest GEO restrictions in place, but there are a small handful of providers who are able to bypass this - some even have a high success rate in China.

    The downside to the cheaper VPN’s is that they can actually see what you are accessing, and therefore, could provide this to external parties, or divulge it at the request of a subpoena. Worse still, that VPN which is supposed to mask your activity in fact is doing the opposite in the sense that although the ISP can no longer see what you are doing, the VPN operator can. When you are looking for a VPN service, it’s important to choose one that offers privacy and security. One that immediately springs to mind for me (and yes, I use this myself on all PC’s and my cell phone) is NordVPN. The real reason for this is that the company is based in Panama - a privacy haven by default, and does not log any of your traffic. They have two independent audits completed by one of the big 4 firms (PwC), and also a well known security firm. Both entities drew the same conclusion - NordVPN does not keep logs of user activity, and it does not track you either.

    To anyone else reading this thread and thinking that this isn’t true, then you’ve never been through an audit in your life 😀 . If you claim to do something and then can’t prove it in an audit, you’ll fail that same process and you’ll be out of business before you know it owing to a loss of client trust and confidence alone. It’s important to note that, auditing is a double edged sword. Sure, you are stating your compliance to a set of narratives (direct instructions exactly how you conduct business, and the operation itself), but auditors will look for any chink in the armour - this is what they are paid to do. This is why you never self audit, but always gain independent attestation of your controls by a third party with no bias.

    Currently, NordVPN do log some activity to disk (nothing that identifies you or your browsing session) so that does raise the question of retention etc, but is shortly moving to a RAM based model where once the server has been rebooted, all traces of any activity are forensically destroyed.

    I was going to write a review about my favourite VPN service (NordVPN), but seeing as VPN Mentor beat me to it 🙂 I’ll just leave this here. It’s very thorough, and a great read.

    https://www.vpnmentor.com/reviews/nordvpn/

    Interesting to read this:

    "Blocked by: Netflix
    NordVPN couldn’t unblock Netflix. The platform improved its VPN-detection technology, and started blocking many VPN services — NordVPN being one of them. In general, these problems are fixed quite fast, but it wasn’t the case this time. I got in contact with a customer support rep, and he confirmed that right now, NordVPN is unable to access Netflix. He suggested that I try connecting to other servers, but that didn’t fix the issue.

    screenshot of NordVPN’s support answer
    NordVPN may fix the issue in the future, but the agent couldn’t give me an ETA

    This was a letdown for me, as it performed great with other services. Even though NordVPN claims it’s actively working on this, it may take a long time before you can access Netflix again."

    Source: https://www.vpnmentor.com/reviews/nordvpn/

  • @phenomlab said in Browsing without a VPN? Think Twice...:

    vpn.webp

    Why is a VPN so important ?

    Picture this. You’re surfing the web at home, minding your own business, and suddenly a raft of unexpected adverts relating to what you’ve been looking at on the web appear in front of you as soon as you visit another site, or perhaps take a break and come back to your browser session later… As invasive as this sounds, it’s not uncommon by any stretch of the imagination - neither is the sale of your browsing history to third parties - and even worse, such activity isn’t illegal. Ok, so your smart… you open an Incognito browser session, so now nobody can see what you’re doing, right ?

    Wrong.

    The Incognito browser session doesn’t record anything locally on your PC, and will destroy all browsing evidence as soon as you close that tab, but don’t be under any illusion (or let anyone convince you otherwise) that your browsing activities are masked from the outside world. They aren’t. All internet requests will spool through your internet service provider. They can see all of your browsing activity, what sites you’ve been to, what you’ve been looking at etc, etc. so full privacy in this case is a misconception. The only way to stay truly anonymous anywhere in this digital world is to live completely off the grid in a forest somewhere. No cell phone, no address, no internet, nothing - especially not social media. However, whilst we all want privacy, yet have no real intentions of getting back to nature and basics in order to maintain that, what’s the next best thing ?

    Use a VPN to surf the web

    The foremost solution to the privacy conundrum is to use a VPN service to surf the web. Your ISP (Internet Service Provider) will know what IP Address you have been issued, and will see that you are connected to a VPN service, but owing to the nature of the traffic being encrypted between your machine and the VPN endpoint, the ISP will not be able to see or inspect any of the resultant traffic. Sounds great, right ? Yes, of course it does, and there are plenty of providers out there that will offer this service relatively cheaply. A VPN is also used to work around GEO fencing (geographical restrictions applied to services such as Netflix to prevent access to US based content from another country for example) - when you are connected to the VPN, you are connected to a US based endpoint, meaning Netflix thinks you are in the US, and then serves the content as a result. Netflix has some of the toughest GEO restrictions in place, but there are a small handful of providers who are able to bypass this - some even have a high success rate in China.

    The downside to the cheaper VPN’s is that they can actually see what you are accessing, and therefore, could provide this to external parties, or divulge it at the request of a subpoena. Worse still, that VPN which is supposed to mask your activity in fact is doing the opposite in the sense that although the ISP can no longer see what you are doing, the VPN operator can. When you are looking for a VPN service, it’s important to choose one that offers privacy and security. One that immediately springs to mind for me (and yes, I use this myself on all PC’s and my cell phone) is NordVPN. The real reason for this is that the company is based in Panama - a privacy haven by default, and does not log any of your traffic. They have two independent audits completed by one of the big 4 firms (PwC), and also a well known security firm. Both entities drew the same conclusion - NordVPN does not keep logs of user activity, and it does not track you either.

    To anyone else reading this thread and thinking that this isn’t true, then you’ve never been through an audit in your life 😀 . If you claim to do something and then can’t prove it in an audit, you’ll fail that same process and you’ll be out of business before you know it owing to a loss of client trust and confidence alone. It’s important to note that, auditing is a double edged sword. Sure, you are stating your compliance to a set of narratives (direct instructions exactly how you conduct business, and the operation itself), but auditors will look for any chink in the armour - this is what they are paid to do. This is why you never self audit, but always gain independent attestation of your controls by a third party with no bias.

    Currently, NordVPN do log some activity to disk (nothing that identifies you or your browsing session) so that does raise the question of retention etc, but is shortly moving to a RAM based model where once the server has been rebooted, all traces of any activity are forensically destroyed.

    I was going to write a review about my favourite VPN service (NordVPN), but seeing as VPN Mentor beat me to it 🙂 I’ll just leave this here. It’s very thorough, and a great read.

    https://www.vpnmentor.com/reviews/nordvpn/

    Unfortunately I can’t vouch for any of this at the moment with the Internet playing up.

    "Speeds — Exceptionally Fast Speeds on All Servers
    I was really impressed by NordVPN’s consistently fast speeds. Every VPN will slow you down a little bit as it sends your traffic to different servers (and the further away a server is, the slower your speeds will be). But while testing different NordVPN servers across the world, I didn’t notice the speed drops at all as there was no difference in my browsing, streaming, or even gaming experience.

    I examined 3 main components during the speed tests:

    Download speed shows how fast the data is downloaded from a server. You need about 5 Mbps for HD streaming and 25 Mbps for 4k streaming.
    Upload speed shows how fast the data is sent to a server. You need around 2 Mbps for high-quality video calls, and around 5 Mbps to send files quickly.
    Ping (measured in ms) shows how long it takes for data to travel to and from your device. This is important for gaming, and you need less than 100 ms to play online games without lag."

    Source: https://www.vpnmentor.com/reviews/nordvpn/

  • @jac I wouldn’t pay to much attention to that link. NordVPN are typically very quick at resolving issues like this as they own their network and do not rent space from someone else to sell as a virtual service like some of the smaller providers do.

    This was an issue in terms of Netflix some time ago and was fixed in days. Netflix and other competitors are always finding November 5 ways of blocking known VPN providers as this is how they make money - through expensive subscriptions. Work around those, and that equates to a drop in revenue for them.

  • @phenomlab said in Browsing without a VPN? Think Twice...:

    @jac I wouldn’t pay to much attention to that link. NordVPN are typically very quick at resolving issues like this as they own their network and do not rent space from someone else to sell as a virtual service like some of the smaller providers do.

    This was an issue in terms of Netflix some time ago and was fixed in days. Netflix and other competitors are always finding November 5 ways of blocking known VPN providers as this is how they make money - through expensive subscriptions. Work around those, and that equates to a drop in revenue for them.

    I do believe Nord is good, certainly from reviews and what I’ve heard from yourself, I’m just yet to put it to the sword ⚔

    As for Netflix I’m sure I’ll find a way around rhar eventually even by following that link you added the other night, it’s something im not too fussed about because it’s logged in and surely you are logged what you watch etc anyway.

  • VPN by themselves are too oft see as a panacea. Good but not a silver bullet in the privacy wars. Indeed, users concerned with such may well be better served, if only opting for a single arrow, to target various browser plugins and tweaks.

    Some quick and dirty references may be found in the “privacy” node here:

    http://teamcool.net/pages/about/

    Although that is by now obviously dated. For e.g. uMatrix is no longer actively developed (crying shame… 😢 ) in favor of channeling limited resources into uBlock Origin. Heh, I do not blog much. When I do it is more to scratch some itch than commit to any kind of “going concern”.

  • @gotwf I agree with the panacea part - almost in some cases a placebo or similar effect. Just because a vendor claims to be secure, it doesn’t mean it is. This is why I like independently attested security rather then the vendor simply claiming a fortress when in fact, it’s like a chocolate fireguard.

  • @phenomlab Pondering this a bit more I would whittle down that single arrow to uBlock Origin. Avail on both Firefox and Chrome. Lots of respect for it, and author, on many security forums, e.g. Wilder Security.

    Which is not to say do not get a VPN.

  • phenomlabundefined phenomlab moved this topic from Blog on

  • 12 Votes
    8 Posts
    258 Views

    @crazycells good question. Gmail being provided by Google is going to be one of the more secure by default out of the box, although you have to bear in mind that you can have the best security in the world, but that is easily diluted by user decision.

    Obviously, it makes sense to secure all cloud based services with at least 2fa protection, or better still, biometric if available, but email still remains vastly unprotected (unless enforced in the sense of 2fa, which I know Sendgrid do) because of user choice (in the sense that users will always go for the path of least resistance when it comes to security to make their lives easier). The ultimate side effect of taking this route is being vulnerable to credentials theft via phishing attacks and social engineering.

    The same principle would easily apply to Proton Mail, who also (from memory) do not enforce 2fa. Based on this fact, neither product is more secure than the other without one form of additional authentication at least being imposed.

    In terms of direct attack on the servers holding mail accounts themselves, this is a far less common type of attack these days as tricking the user is so much simpler than brute forcing a server where you are very likely to be detected by perimeter security (IDS / IPS etc).

  • 3 Votes
    4 Posts
    258 Views

    @DownPW yeah, I seem to spend a large amount of my time trying to educate people that there’s no silver bullet when it comes to security.

  • 9 Votes
    15 Posts
    662 Views

    @crazycells Mmmm - yes, sadly, it is only Android (which I use). There are alternatives, but not sure what they are like
    https://www.topbestalternatives.com/fairemail/ios/

  • 1 Votes
    1 Posts
    194 Views

    1622031373927-headers-min.webp

    It surprises me (well, actually, dismays me in most cases) that new websites appear online all the time who have clearly spent an inordinate amount of time on cosmetics / appearance, and decent hosting, yet failed to address the elephant in the room when it comes to actually securing the site itself. Almost all the time, when I perform a quick security audit using something simple like the below

    https://securityheaders.io

    I often see something like this

    Not a pretty sight. Not only does this expose your site to unprecedented risk, but also looks bad when others decide to perform a simple (and very public) check. Worse still is the sheer number of so called “security experts” who claim to solve all of your security issues with their “silver bullet” solution (sarcasm intended), yet have neglected to get their own house in order. So that can you do to resolve this issue ? It’s actually much easier than it seems. Dependant on the web server you are running, you can include these headers.

    Apache <IfModule mod_headers.c> Header set X-Frame-Options "SAMEORIGIN" header set X-XSS-Protection "1; mode=block" Header set X-Download-Options "noopen" Header set X-Content-Type-Options "nosniff" Header set Content-Security-Policy "upgrade-insecure-requests" Header set Referrer-Policy 'no-referrer' add Header set Feature-Policy "geolocation 'self' https://yourdomain.com" Header set Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=()" Header set X-Powered-By "Whatever text you want to appear here" Header set Access-Control-Allow-Origin "https://yourdomain.com" Header set X-Permitted-Cross-Domain-Policies "none" Header set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" </IfModule> NGINX add_header X-Frame-Options "SAMEORIGIN" always; add_header X-XSS-Protection "1; mode=block"; add_header X-Download-Options "noopen" always; add_header X-Content-Type-Options "nosniff" always; add_header Content-Security-Policy "upgrade-insecure-requests" always; add_header Referrer-Policy 'no-referrer' always; add_header Feature-Policy "geolocation 'self' https://yourdomain.com" always; add_header Permissions-Policy "geolocation=(),midi=(),sync-xhr=(),microphone=(),camera=(),magnetometer=(),gyroscope=(),fullscreen=(self),payment=();"; add_header X-Powered-By "Whatever text you want to appear here" always; add_header Access-Control-Allow-Origin "https://yourdomain.com" always; add_header X-Permitted-Cross-Domain-Policies "none" always; add_header Strict-Transport-Security "max-age=63072000; includeSubdomains;" always;

    Note, that https://yourdomain.com should be changed to reflect your actual domain. This is just a placeholder to demonstrate how the headers need to be structured.

    Restart Apache or NGINX, and then perform the test again.


    That’s better !

    More detail around these headers can be found here

    https://webdock.io/en/docs/how-guides/security-guides/how-to-configure-security-headers-in-nginx-and-apache

  • 0 Votes
    1 Posts
    191 Views

    1622032930658-hacked_listen-min.webp

    I’ve been a veteran of the infosec industry for several years, and during that time, I’ve been exposed to a wide range of technology and situations alike. Over this period, I’ve amassed a wealth of experience around information security, physical security, and systems. 18 years of that experience has been gained within the financial sector - the remaining spread across manufacturing, retail, and several other areas. I’ve always classed myself as a jack of all trades, and a master of none. The real reason for this is that I wanted to gain as much exposure to the world of technology without effectively “shoehorning” myself - pigeon holing my career and restricting my overall scope.

    I learned how to both hack and protect 8086 / Z80 systems back in 1984, and was using “POKE” well before Facebook coined the phrase and made it trendy (one of the actual commands I still remember to this day that rendered the CTRL, SHIFT, ESC break sequence useless was

    POKE &bdee, &c9

    I spent my youth dissecting systems and software alike, understanding how they worked, and more importantly, how easily they could be bypassed or modified.

    Was I a hacker in my youth ? If you understand the true meaning of the word, then yes - I most definitely was.

    If you think a hacker is a criminal, then absolutely not. I took my various skills I obtained over the years, honed them, and made them into a walking information source - a living, breathing technology encyclopedia that could be queried simply by asking a question (but not vulnerable to SQL injection).

    Over the years, I took an interest in all forms of technology, and was deeply immersed in the “virus era” of the 2000’s. I already understood how viruses worked (after dissecting hundreds of them in a home lab), and the level of damage that could be inflicted by one paved the way for a natural progression to early and somewhat infantile malware. In its earliest form, this malware was easily spotted and removed. Today’s campaigns see code that will self delete itself post successful execution, leaving little to no trace of its activity on a system. Once the APT (Advanced Persistent Threat) acronym became mainstream, the world and its brother realised they had a significant problem in their hands, and needed to respond accordingly. I’d realised early on that one of the best defences against the ever advancing malware was containment. If you “stem the flow”, you reduce the overall impact - essentially, restricting the malicious activity to a small subset rather than your entire estate.

    I began collaborating with various stakeholders in the organisations I worked for over the years, carefully explaining how modern threats worked, the level of damage they could inflict initially from an information and financial perspective, extending to reputation damage and a variety of others as campaigns increased in their complexity). I recall one incident during a tenure within the manufacturing industry where I provided a proof of concept. At the time, I was working as a pro bono consultant for a small company, and I don’t think they took me too seriously.

    Using an existing and shockingly vulnerable Windows 2003 server (it was still using the original settings in terms of configuration - they had no patching regime, meaning all systems were effectively vanilla) I exhibited how simple it would be to gain access first to this server, then steal the hash - effortlessly using that token to gain full access to other systems without even knowing the password (pass the hash). A very primitive exercise by today’s standards, but effective nonetheless. I explained every step of what I was doing along the way, and then explained how to mitigate this simple exploit - I even provided a step by step guide on how to reproduce the vulnerability, how to remediate it, and even provided my recommendations for the necessary steps to enhance security across their estate. Their response was, frankly, shocking. Not only did they attempt to refute my findings, but at the same time, dismissed it as trivial - effectively brushing it under the carpet so to speak. This wasn’t a high profile entity, but the firm in question was AIM listed, and by definition, were duty bound - they had a responsibility to shareholders and stakeholders to resolve this issue. Instead, they remained silent.

    Being Pro Bono meant that my role was an advisory one, and I wasn’t charging for my work. The firm had asked me to perform a security posture review, yet somehow, didn’t like the result when it was presented to them. I informed them that they were more than welcome to obtain another opinion, and should process my findings as they saw fit. I later found out through a mutual contact that my findings had been dismissed as "“unrealistic”, and another consultant had certified their infrastructure as “safe”. I almost choked on my coffee, but wrote this off as a bad experience. 2 months later, I got a call from the same mutual contact telling me that my findings were indeed correct. He had been contacted by the same firm asking him to provide consultancy for what on the face of it, looked like a compromised network.

    Then came the next line which I’ll never forget.

    “I don’t suppose you’d be interested in……”

    I politely refused, saying I was busy on another project. I actually wasn’t, but refused out of principle. And so, without further ado, here’s my synopsis

    “…if you choose not to listen to the advice a security expert gives you, then you are leaving yourself and your organisation unnecessarily vulnerable. Ignorance is not bliss when it comes to security…”

    Think about what you’ve read for a moment, and be honest with me - say so if you think this statement is harsh given the previous content.

    The point I am trying to make here is that despite sustained effort, valiant attempts to raise awareness, and constantly telling people they have gaping holes in systems for them to ignore the advice (and the fix I’ve handed to them on a plate) is extremely frustrating. Those in the InfoSec community are duty bound to responsibly disclose, inform, educate, raise awareness, and help protect, but that doesn’t extend to wiping people’s noses and telling them it wasn’t their fault that they failed to follow simple advice that probably could have prevented their inevitable breach. My response here is that if you bury your head in the sand, you won’t see the guy running up behind you intent on kicking you up the ass.

    Security situations can easily be avoided if people are prepared to actually listen and heed advice. I’m willing to help anyone, but they in return have to be equally willing to listen, understand, and react.

  • 0 Votes
    1 Posts
    205 Views

    1631808994808-scamming.jpg.webp

    One of many issues with working in the Infosec community is an inevitable backlash you’ll come across almost on a daily basis. In this industry, and probably hundreds of others like it are those who have an opinion. There’s absolutely nothing wrong with that, and it’s something I always actively encourage. However, there’s a fine line between what is considered to be constructive opinion and what comes across as a bigoted approach. What I’m alluding to here is the usage of the word “hacker” and it’s context. I’ve written about this particular topic before which, so it seems, appears to have pressed a few buttons that “shouldn’t be pressed”.
    alt text

    But why is this ?

    The purpose of this article is definition. It really isn’t designed to “take sides” or cast aspersions over the correct usage of the term, or which scenarios and paradigms it is used correctly or incorrectly against. For the most part, the term “hacker” seems to be seen as positive in the Infosec community, and based on this, the general consensus is that there should be greater awareness of the differences between hackers and threat actors, for example. The issue here is that not everyone outside of this arena is inclined to agree. You could argue that the root of this issue is mainly attributed to the media and how they portray “hackers” as individuals who pursue nefarious activity and use their skills to commit crime and theft on a grand scale by gaining illegal access to networks. On the one hand, the image of hoodies and faceless individuals has created a positive awareness and a sense of caution amongst the target groups – these being everyday users of civilian systems and corporate networks alike, and with the constant stream of awareness campaigns running on a daily basis, this paradigm serves only to perpetuate rather than diminish. On the other hand, if you research the definition of the term “hacker” you’ll find more than one returned.

    Is this a fair reflection of hackers ? To the untrained eye, picture number 2 probably creates the most excitement. Sure, picture 1 looks “cool”, but it’s not “threatening” as such, as this is clearly the image the media wants to display. Essentially, they have probably taken this stance to increase awareness of an anonymous and faceless threat. But, it ISN’T a fair portrayal.

    Current definitions of “the word”

    The word “hacker” has become synonymous with criminal activity to the point where it cannot be reversed. Certainly not overnight anyway. The media attention cannot be directly blamed either in my view as without these types of campaigns, the impact of such a threat wouldn’t be taken seriously if a picture of a guy in a suit (state sponsored) was used. The hoodie is representative of an unknown masked assailant and it’s creation is for awareness – to those who have no real understanding of what a hacker should look like – hence my original article. As I highlighted above, we live in a world where a picture speaks a thousand words.

    The word hacker is always going to be associated with nefarious activity and that’s never going to change, regardless of the amount of effort that would be needed to re-educate pretty much the entire planet. Ask anyone to define a hacker and you’ll get the same response. It’s almost like trying to distinguish the deference between a full blown criminal and a “lovable rogue” or the fact that hoodies aren’t trouble making adolescent thugs.

    Ultimately, it’s far too ingrained – much like the letters that flow through a stick of rock found on UK seaside resorts. It’s doesn’t matter how much you break off, the lettering exists throughout the entire stick regardless if you want that to happen or not. To make a real change, and most importantly, have media (and by definition, everyone else) realise they have made a fundamental misjudgement, we should look at realistic definitions.

    The most notable is the below, taken from Tech Target

    A hacker is an individual who uses computer, networking or other skills to overcome a technical problem. The term hacker may refer to anyone with technical skills, but it often refers to a person who uses his or her abilities to gain unauthorized access to systems or networks in order to commit crimes. A hacker may, for example, steal information to hurt people via identity theft, damage or bring down systems and, often, hold those systems hostage to collect ransom.

    The term hacker has historically been a divisive one, sometimes being used as a term of admiration for an individual who exhibits a high degree of skill, as well as creativity in his or her approach to technical problems. However, the term is more commonly applied to an individual who uses this skill for illegal or unethical purposes.

    One great example of this is that hackers are not “evil people” but are in fact industry professionals and experts who use their knowledge to raise awareness by conducting proof of concept exercises and providing education and awareness around the millions of threats that we are exposed to on an almost daily basis. So why does the word “hacker” strike fear into those unfamiliar with its true meaning ? The reasoning for this unnecessary phenomena isn’t actually the media alone (although they have contributed significantly to it’s popularity). It’s perception. You could argue that the media have made this perception worse, and to a degree, this would be true. However, they actually didn’t create the original alliance – the MIT claimed that trophy and gave the term the “meaning” it has to this day. Have a look at this

    MIT Article

    Given the origins of this date back to 1963, the media is not to blame for creating the seemingly incorrect original reference when it’s fairly obvious that they didn’t. The “newspaper” reflected in the link is a campus circulation and was never designed for public consumption as far as I can see. Here’s a quote from that article:

    “Many telephone services have been curtailed because of so-called hackers, according to Professor Carleton Tucker, administrator of the Institute telephone system.

    The students have accomplished such things as tying up all the tie-lines between Harvard and MIT, or making long-distance calls by charging them to a local radar installation. One method involved connecting the PDP-1 computer to the phone system to search the lines until a dial tone, indicating an outside line, was found.”

    The “so-called hackers” alignment here originally comes from “Phreaking” – a traditional method of establishing control over remote telephone systems allowing trunk calls, international dialling, premium rates, etc, all without the administrator’s knowledge. This “old school” method would certainly no longer work with modern phone systems, but is certainly “up there” with the established activity that draws a parallel with hacking.

    Whilst a significant portion of blogs, security forums, and even professional security platforms continue to use images of hoodies, faceless individuals, and the term “hacker” in the criminal sense, this is clearly a misconception – unfortunately one that connotation itself has allowed to set in stone like King Arthur’s Excalibur. In fairness, cyber criminals are mostly faceless individuals as nobody can actually see them commit a crime and only realise they are in fact normal people once they are discovered, arrested, and brought to trial for their activities. However, the term “hacker” is being misused on a grand scale – and has been since the 1980’s.

    An interesting observation here is that hoodies are intrinsically linked to threatening behaviour. A classic example of this is here. This really isn’t misrepresentation by the media in this case – it’s an unfortunate reality that is on the increase. Quite who exactly is responsible for putting a hacker in a hoodie is something of a discussion topic, but hackers were originally seen as “Cyberpunks” (think Matrix 1) until the media stepped in where they suddenly were seen as skateboarding kids in hoodies. And so, the image we know (and hackers loathe) was born. Perhaps one “logical” perspective for hoodies and hackers could be the anonymity the hoodie supposedly affords.

    The misconception of the true meaning of “hacker” has damaged the Infosec community extensively in terms of what should be a “no chalk” line between what is criminal, and what isn’t. However, it’s not all bad news. True meaning aside, the level of awareness around the nefarious activities of cyber criminals has certainly increased, but until we are able to establish a clear demarcation between ethics in terms of what is right and wrong, those hackers who provide services, education, and awareness will always be painted in a negative light, and by inference, be “tarred with the same brush”. Those who pride themselves on being hackers should continue to do so in my view – and they have my full support.

    It’s not their job solely to convince everyone else of their true intent, but ours as a community.

    Let’s start making that change.

  • VPNs & Netflix

    Solved General
    6
    1 Votes
    6 Posts
    383 Views

    I believe I’ve connected to a different VPN since and it’s worked even with the app.

  • 49 Votes
    213 Posts
    14k Views

    @crazycells briefly, yes. I think what concerns be the most with home brew VPN convective like this is a lack of security updates, and potentially leaving yourself open.

    I’ve yet to actually try it, but I know there are a variety of ways to achieve the same goal.