There's NordVPN odd about this, right? Infosec types concerned over strange app traffic

Weird things are afoot with NordVPN's app and the traffic it generates - Reg readers have spotted it contacting strange domains in the same way compromised machines talk to botnets' command-and-control servers. Although NordVPN has told us this is expected behaviour by the app and is intended as a counter-blocking mechanism, …

  1. Anonymous Coward

    Well, it was only a matter of time before the FBI infiltrated the major VPN services. They've been inside Cisco for years so this was just the next step. Paranoid ? Me ? No.

    1. CAPS LOCK Silver badge

      "Paranoid ?" - No, you're only paranoid if they're NOT out to get you...

      ..."Finished with my woman

      'Cause she couldn't help me with my mind

      People think I'm insane

      Because I am frowning all the time"

    2. Anonymous Coward

      "They've been inside Cisco for years so this was just the next step."

      Are you still suggesting government mandated Lawful Intercept (aka CALEA in the US or EU C 329 in Europe) is somehow a Cisco exclusive issue, as though using other vendors avoids the issue?

      I understand that you're paranoid, but paranoid and poorly informed tends to lead to mistakes...

Without specific inside knowledge of the VPN providers, I would assume they are subject to the same Lawful Intercept requirements as conventional ISPs/telcos. You're unlikely (my guess, not a legal opinion...) to get monitored for minor copyright violations, but end up on any watchlists or high profile crimes in your home country and a commercial VPN provider is unlikely to offer any anonymity.

      Note: this assumes you are based in a country that has a lawful intercept policy (US/Canada/EU/Australia/NZ/Russia). For China and other countries known to closely monitor Internet traffic, I would expect similar actions. Outside of that, you would need to look into your own specific circumstances.

      1. ds6 Bronze badge

        And that's why I use Tor over Wireguard with servers in the Seychelles ;^)

        1. phuzz Silver badge

          With the added bonus that it makes every webpage feel like you're accessing it in 1997 over a dial-up connection ;)

          1. ds6 Bronze badge

            It's actually quite fast. Only increase is ping. I just don't connect to slow nodes.

            Now I2P or Zeronet on the other hand...

      2. Anonymous Coward

        Some of the major manufacturers have had very specific security doors in them for years. I can't prove it but you can't prove it's not true. Regardless of laws in place to protect us, consumers, anybody . . . when the FBI and the Government come-a-knocking at your Cisco door, what do you do ? You take the advice, you build in the little doors and you accept the orders and protection and keep quiet.

        Why do you think Huawei is under attack now ? Partly because the FBI assume the Chinese Govt are doing what the FBI have been doing for years and partly in support of the American firms which have been playing ball for years.

This NordVPN issue looks like a cover for something else. What's been found is not likely to be the real issue - that will be deeper hidden. Of course the FBI don't need to see the data you're transferring, they just need to know who you are and they can take it from there and even this sloppy issue does go some way to telling them who you are.

        1. Dick Kennedy

          Re: Well if the US ships want the Chinese to keep out of the way

          "I can't prove it but you can't prove it's not true."

          And you can't prove there isn't a teapot in orbit around the sun. Any resort to the null hypothesis instantly undermines your argument.

          1. cdrcat

            Re: Well if the US ships want the Chinese to keep out of the way

            > And you can't prove there isn't a teapot in orbit around the sun

            Hate to break the bad news, but all the teapots on earth *are* in orbit around the sun.

            1. Baldrickk Silver badge

              Re: Well if the US ships want the Chinese to keep out of the way

              That's why the oft forgotten "between Jupiter and the Asteroid Belt" is important.

          2. SolidSquid

            Re: Well if the US ships want the Chinese to keep out of the way

            For the FBI at least, there's a fair few articles suggesting that Cisco has at least acknowledged that the backdoors existed (https://www.zdnet.com/article/cisco-removed-its-seventh-backdoor-account-this-year-and-thats-a-good-thing/), although no confirmation that they were FBI driven. Outside of that though I'm not aware of any such thing outside of China, which seems primarily targeted at the internal rather than external market

            1. Anonymous Coward

              Re: Well if the US ships want the Chinese to keep out of the way

              "For the FBI at least, there's a fair few articles suggesting that Cisco has at least acknowledged that the backdoors existed"

              As Cisco's product range is so broad, there are many security issues that are either not relevant to most environments or shouldn't be relevant to many environments. A lot of the backdoor accounts are in management tools that should be of limited risk (i.e. not open to external threats) and were a consequence of how Cisco presented their Linux tools to customers, usually via a GUI with limited direct OS access. In my experience, a number of appliance vendors had similar issues when they tried to provide restricted access to the underlying OS but still allowed access via troubleshooting tools.

              That isn't to say they shouldn't be fixed, but access to network management data from an internal network will generally be of less value than access to the network in the first place, so the risk should be assessed as such.

If the comment is aimed at Cisco's security culture, then that's a judgement call. My security concerns around Cisco are largely around the quantity of legacy code that they depend on (as evidenced by security bulletins related to OpenSSL) rather than government plants.

              In most security sensitive environments, multiple vendors will be used, be it for firewalls, IPS/IDS systems, compliance tools or anything with a potential external attack surface. Having back doors from any vendor (Cisco, Huawei or anyone else) is very likely to be spotted by someone over the time frames the products have been in-place.

              Where government agencies have been able to infiltrate networks, the weaknesses have generally been in operational practices rather than the hardware platforms - I include not installing known good firmware on new hardware in that category which has been one of the most popular vectors.

              Improving operational security practices will likely result in significantly greater security benefits than believing the bogeyman is hiding in vendor X. At least until someone proves otherwise.

        2. Anonymous Coward

          "Some of the major manufacturers have had very specific security doors in them for years."

          Yes - it's called lawful intercept. If you want to provide carrier-grade equipment, you need to support the ability to direct specific traffic to law enforcement systems for further analysis.

          You can even find out how to configure Huawei equipment to do it with a simple google search (i.e. https://webcache.googleusercontent.com/search?q=cache:be6czF9UBSAJ:https://support.huawei.com/enterprise/en/doc/EDOC0100504796%3Fsection%3Dj00b+&cd=3&hl=en&ct=clnk&gl=uk&client=firefox-b-d).

Why is Huawei under attack now? Primarily because they have a significant technology lead on western communications equipment providers. Huawei have undercut competitors historically in competitive tender processes (that's a statement rather than a judgement) and western companies have relied on their intellectual property to prop up their revenues as the Enterprise market has disappeared - a number of missteps across the industry (Marconi's demise, Nortel's bankruptcy, Nokia's mobile division being uncompetitive in smartphones resulting in their carrier business suffering from underinvestment, the Lucent-Alcatel merger providing limited synergies/value, and further merger challenges within Ericsson-Lucent and Siemens-Nokia. While Cisco/Juniper/others provide routers/switches for the IP portion of the systems, this is generally a tiny proportion of a telecoms provider's estate by value/functionality).

          The attacks on Huawei are around the levels of comfort western governments have with a Chinese communications equipment provider, but the arguments presented are largely "what if" at present - I'm not convinced there is solid evidence that they may cause issues if the market remains diverse and alternatives remain.

          Financially, I'm not sure serious alternatives to Huawei/ZTE will remain in 5-10 years if Huawei competes purely on features and price as the alternatives will struggle to survive, or at least become minority players in a Huawei world. That's more a judgement on the western telecommunications companies rather than an attack on Huawei, although Huawei have certainly benefited from China's industrial strength.

          For the NordVPN issue, it will be interesting to see what appears. I would guess it was development/testing code to assist with operational issues around availability/failover/fault detection, but I'm surprised they didn't register the domains for themselves to avoid issues with others doing it and grabbing the traffic.

          1. Alan Brown Silver badge

            "That's more a judgement on the western telecommunications companies rather than an attack on Huawei, although Huawei have certainly benefited from China's industrial strength."

            Yup.

It should be realised that the _core_ of most Huawei kit is American (usually Broadcom) silicon, running an American hardened embedded Linux operating system (https://www.windriver.com/company/) and unfortunately then badly bodged by hordes of Bangalore "payment by the yard" programmers.

            on the FUD front:

The rather infamous "Huawei switches are full of security holes" video on youtube a few years back was actually a demonstration of their white-labelled (under licence) rebadged 3com stuff running Comware - the EXACT SAME HOLES (and worse) were in 3com kit - and since HP acquired 3com those holes have started popping up in HP kit.

            What's more interesting is the _timing_ of that presentation and video release - just as Huawei dumped 3com and went with their fully independent Wind River Linux VRP systems running on Broadcom Trident family chipsets (the exact same chipset Cisco were using in their high end Nexus stuff for 5 times the price, but on par with HP and Juniper's pricing for the same chipsets)

            Cisco reps used that video presentation as their major selling point "Don't buy Huawei" and got rather pissed off when I pointed out in a room full of people that the code in question was 3com's, bearing no relationship to Huawei's then-current range of switches on sale (Quidways and Cloudengines are all Broadcom/Windriver systems). They then effectively tried climbing under a desk when I asked about the videos of NSA intercepts of cisco kit that had started circulating - it was clear they had no answer for it and their entire sales push was based on "We're Cisco, buy from us, or else"

I did have a good laugh(*) when a Cisco seller offered us "fantastic 90% discounts off list price" - then took umbrage when I pointed out that I could buy the exact same kit cheaper off the shelf from Insight and other brands for half that.

            (*) Loudly, in their faces. BT Inet didn't like that.

          2. Alien8n Silver badge

            Speaking from experience, Marconi, Nortel helped a small startup company in Oxfordshire (we bought both Nortel and Marconi). That startup is now based in the USA and the old Marconi plant is no longer, not sure about the Nortel plant in Paignton.

            Even back then the largest client for optoelectronics was Huawei, but you don't need to compromise the switch, you can quite easily tap directly into the fibre connect at the point where the amplifiers are based. You may think that fibre can transmit to some near infinite distance but there is an actual physical limit to how far it can go before you need to boost the signal again. At this point you can then take a small tap, ostensibly to check the signal strength prior to boosting, but there's no reason why you couldn't redirect a copy of the signal to any intelligence service at that point. All completely invisible to the rest of the network.

        3. Anonymous Coward

          Anyone knows VPN are just Honeypots.

          But yeah let's play the game lest we become ensnared in someone's crosshairs.

          Glad I'm getting out soon.

          1. Anonymous Coward

            re: Anyone knows VPN are just Honeypots.

            What does that mean? I understand "Everyone knows VPN are just Honeypots." but "anyone knows" sounds like a question to me....

      3. Anonymous Coward

More likely a reference to code found on CISCO equipment, obviously written by insiders, that was not supposed to be there and added hidden functionality useful to the 5 eyes community; FACT and not lost on China who have specifically mentioned CISCO in past official statements. And 'we' have the gall to moan about Huawei. STAY PARANOID, STAY SAFE.

        1. Anonymous Coward

          5 Eyes taps cables, they don’t really require equipment manufacturers to put in backdoors to make accessing the data easier - the possible exception being some NSA mandated encryption algorithms with known weaknesses, but as they were using NSA validated libraries and present across the industry, again Cisco only get the attention due to quantity. There have been well written backdoors for Cisco and other firewall manufacturers, but they required custom firmware. Beyond that, there have been bugs, but the vast majority could be mitigated by OS protections (ie ACLs) or defence in depth (ie separating management plane traffic to a specific interface/network and firewalls between untrusted networks and trusted networks).

And given Huawei's past, I'm unsurprised they have moaned about Cisco code quality...

          1. Alan Brown Silver badge

            "5 Eyes taps cables, they don’t really require equipment manufacturers to put in backdoors to make accessing the data easier"

            I've worked in Telcos and can assure you that you're incorrect.

            Companies which won't play ball on inserting backdoors are the companies which get "national security orders" prohibiting their products being used in XYZ country.

            Don't forget: https://www.youtube.com/watch?v=1efOs0BsE0g

            1. Anonymous Coward

              "5 Eyes taps cables

              I've worked in Telcos and can assure you that you're incorrect."

Oh yes they do - it's a practice that dates back to analogue lines. At least they do at international entry points in Australia, New Zealand and the UK.

              I'm less certain of the tap locations in the US and Canada but assume a similar path is followed.

    3. Mark 85 Silver badge

      It may not be the FBI but some other 3-letter group or perhaps a group from outside the US. Being paranoid is fine, jumping at the presumed source (FBI in this case) isn't rational, IMO. Since we know the leak exists, proper precautions should be put into play.

  2. Blockchain commentard Silver badge

    Firstly, I'm not defending them (or work for them/use their products) but... nope. Got nothing.

  3. regbadgerer

    Probably fine, handled badly

    Hanlon's razor: Never attribute to malice that which is adequately explained by stupidity

It's all probably fine, but all it takes is one bad explanation and all trust in a company is destroyed. Even if they now come up with a reasonable explanation, we're not going to believe them. If they'd just come clean up front and said something like "yeah, it's keep alive, we just accidentally sent through some slightly sensitive headers, but we're fixing that" then there wouldn't be much of a story here (assuming that _is_ what it is and there isn't something malicious going on).

    1. Charlie Clark Silver badge

      Re: Probably fine, handled badly

      I'm inclined to agree with you. VPNs do like to run bogus traffic to fool "deep packet inspection" by various networks.

      I think the risks for us users are in the inability of verifying whether they do actually collect and retain any data although they say they don't.

      1. iron Silver badge

        Re: Probably fine, handled badly

        Since they (mostly) don't own the domains how can they collect and retain any data?

        Since they don't own the domains they could be registered by anyone, and were by the researcher in the article. NordVPN and their users have no control of any data the domain owners might store and don't even know who they are.

        1. Charles 9 Silver badge

          Re: Probably fine, handled badly

          "Since they (mostly) don't own the domains how can they collect and retain any data?"

          Because all the traffic has to go through their servers first (remember, they're a VPN, meaning they stand between you and the supposed destination). Furthermore, since they're an encryption endpoint, they can operate "outside the envelope" and are free to sniff the request before passing it on.

          1. caffeine addict Silver badge

            Re: Probably fine, handled badly

            This would make sense if they were blackholing the data before it came out the end of their pipe. But since it's hitting a real domain (once one is set up)...

            1. Peter X

              Re: Probably fine, handled badly

              Sooo.... if it is accidentally leaking out, but they don't have the domains registered, then the only thing that leaks is the DNS request itself. Which oddly, looks like it _could_ have a small amount of information encoded in it. But the only entity that could reliably access that would be the folks who run the core DNS servers?

              I don't understand any of this stuff btw, so I'm just throwing it out there! :D

              1. caffeine addict Silver badge

                Re: Probably fine, handled badly

                Yes - all that leaks is the DNS request. Until someone spots the domain, registers it, and looks at all the lovely data that's coming in.

"Insecurity by obscurity", if you will...

    2. JohnFen Silver badge

      Re: Probably fine, handled badly

      "Never attribute to malice that which is adequately explained by stupidity"

      If someone is doing something bad, I honestly don't care if it's due to malice or stupidity. The impact on me is the same either way.

      1. John Deeb

        Re: Probably fine, handled badly

        Then don't attribute motive at all! Then again, some inquiring minds prefer to know as to better predict what to expect next...

      2. iGNgnorr

        Re: Probably fine, handled badly

        The immediate impact may be the same, however choice as to how to proceed in the future may vary. While stupidity is bad, it is correctable. Malice, not so much.

    3. streaky Silver badge

      Re: Probably fine, handled badly

      "Never attribute to malice that which is adequately explained by stupidity"

      Malicious or stupid I'd run as far away as quickly as possible if I cared.

      Honestly I never understood the proliferation of VPN services. The kind of people who use the internet to post nonsense on facebook shouldn't care and the people who should IMHO should be capable of finding a howto on OpenVPN - or ToR. GCHQ considers ToR secure enough to use for their own purposes, so no reason you shouldn't.

      1. Anonymous Coward

        Re: Probably fine, handled badly

If they consider TOR suitable for their purposes, then it MUST be because they and their allies control enough of the endpoints to stop caring. But for anyone NOT allied with them, it's open season.

  4. Anonymous Coward

    nonexistent domains

    It occurs to me that non-registered domains might still be useful if you controlled the local dns; because, when required, the domains in question might perhaps be simulated as being more existent than would normally be expected. (although feel free to offer corrections on this...)

    1. Alan Brown Silver badge

      Re: nonexistent domains

      These tests for non-existent domains are intended EXACTLY to catch this kind of situation.

      Like, perhaps.... if you're behind the Great Firewall of China.
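An added illustration of the nonexistent-domain probe this subthread is talking about (this is not code from the article, from NordVPN, or from any commenter). The idea is simple: resolve names that cannot possibly exist and see whether the resolver in the path is honest (NXDOMAIN) or is answering for everything, which is what a captive portal, an ISP "search assist" page or a national filter does. The two resolver stand-ins are constructed for the example; `system_resolver` wraps the real system resolver for live use.

```python
import random
import socket
import string


def random_probe_names(n, seed=None, tld="com"):
    """Generate n random hostnames that have no business resolving.
    Sixteen random letters make an accidental collision with a real
    registered name vanishingly unlikely. A seed gives reproducible names."""
    rng = random.Random(seed)
    names = []
    for _ in range(n):
        label = "".join(rng.choice(string.ascii_lowercase) for _ in range(16))
        names.append(f"{label}.{tld}")
    return names


def classify_resolver(resolve, probes):
    """Classify the resolver behind `resolve(name)`.

    `resolve` must return an IP string on success and raise socket.gaierror
    for NXDOMAIN. 'clean' means every bogus name got NXDOMAIN, 'hijacked'
    means every bogus name got an answer (NXDOMAIN rewriting / interception),
    'mixed' is anything in between and deserves a closer look."""
    if not probes:
        raise ValueError("need at least one probe name")
    answered = 0
    for name in probes:
        try:
            resolve(name)
            answered += 1
        except socket.gaierror:
            pass
    if answered == 0:
        return "clean"
    if answered == len(probes):
        return "hijacked"
    return "mixed"


# Constructed stand-ins for the two behaviours; these are not real resolvers.
def honest_resolver(name):
    raise socket.gaierror("NXDOMAIN for %s" % name)


def captive_portal_resolver(name):
    return "10.0.0.1"  # everything "resolves" to the portal / blocking box


def system_resolver(name):
    return socket.gethostbyname(name)  # the real thing, for a live check


if __name__ == "__main__":
    probes = random_probe_names(3, seed=1)
    print(classify_resolver(system_resolver, probes))
```

Run it as a script on a network you do not trust and compare with a known-good network; "hijacked" tells you that whatever name the app asks for, including one nobody has registered, will get an answer from the box in the middle.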

  5. lvm

    "and that gzip string looks rather like the client is expecting to receive a payload from the server" - I chose this particular bit to demonstrate technical ineptness of the scribbler who wrote this clickbait. https://en.wikipedia.org/wiki/HTTP_compression

    1. K Silver badge

      GZIP != Encrypted

      This was my first thought as well - Why not simply decompress it and check the contents?

      1. Jamie Jones Silver badge

        Re: GZIP != Encrypted

        The article said it's expecting to receive compressed content, not that it's sending compressed content... Nothing to decompress!

        But anyway, who said anything about encryption? I assume "lvm"'s point was that this header can appear on any request - it doesn't hint at "expect a large payload in response".

        1. Michael Wojcik Silver badge

          Re: GZIP != Encrypted

          I assume "lvm"'s point was that this header can appear on any request - it doesn't hint at "expect a large payload in response".

          To be fair, I don't think the article made any claim about a "large" content-body being expected.

          But I agree that "Accept-encoding: gzip" is typically added to all requests by HTTP client libraries that handle the gzip transfer-encoding. The library neither knows nor cares whether the client application anticipates a content-body.

          That said, I don't think that passage is much evidence of "technical ineptness", either. Hard as it may be for lvm to believe, there are areas of technical expertise other than HTTP.
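An added worked example for the gzip exchange above (lvm, K, Jamie Jones and Michael Wojcik); it is not code from the article or from any commenter. It parses a constructed request/response pair to make two points concrete: `Accept-Encoding: gzip` on a request only declares what the client can decode and carries no body, and a gzip response body is decompressed with no key at all, so compression tells you nothing about secrecy. The sample messages and the `example.invalid` host are constructed for the example.

```python
import gzip
import json


def parse_http_message(raw):
    """Split a raw HTTP/1.1 message into (start_line, headers, body).
    Header names are lower-cased because HTTP header names are
    case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    start_line, header_lines = lines[0], lines[1:]
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return start_line, headers, body


def accepts_gzip(headers):
    """Accept-Encoding on a *request* states what the client can decode.
    It says nothing about whether the request or the response has a body."""
    tokens = [t.split(";")[0].strip().lower()
              for t in headers.get("accept-encoding", "").split(",")]
    return "gzip" in tokens


def decode_body(headers, body):
    """Undo Content-Encoding: gzip. Compression is not encryption: anyone
    holding the bytes can do this, no key involved."""
    enc = headers.get("content-encoding", "").lower()
    if enc == "gzip":
        return gzip.decompress(body)
    if enc in ("", "identity"):
        return body
    raise ValueError(f"unsupported Content-Encoding: {enc}")


# Constructed sample traffic, modelled on the kind of request the article
# describes: a GET that advertises gzip and carries no body of its own.
REQUEST = (b"GET /api/ping HTTP/1.1\r\n"
           b"Host: example.invalid\r\n"
           b"Accept-Encoding: gzip\r\n"
           b"\r\n")

RESPONSE = (b"HTTP/1.1 200 OK\r\n"
            b"Content-Type: application/json\r\n"
            b"Content-Encoding: gzip\r\n"
            b"\r\n" + gzip.compress(json.dumps({"ok": True}).encode()))


def inspect_exchange(request=REQUEST, response=RESPONSE):
    """Summarise what each side of the exchange actually contains."""
    _, req_h, req_body = parse_http_message(request)
    _, resp_h, resp_body = parse_http_message(response)
    return {
        "request_accepts_gzip": accepts_gzip(req_h),
        "request_body_bytes": len(req_body),          # nothing to decompress
        "response_is_gzip": resp_h.get("content-encoding") == "gzip",
        "response_json": json.loads(decode_body(resp_h, resp_body)),
    }


if __name__ == "__main__":
    print(inspect_exchange())
```

If the response is captured on the wire, `decode_body` is all that is needed to read it; what you cannot do is decompress a request that never had a body in the first place.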

  6. imanidiot Silver badge

    Goes to prove

    My theory is that a VPN service that needs to pay dozens (or hundreds) of big (Non-IT) Youtubers to talk up their product is probably not a VPN I would want to use. This seems to confirm it.

    (Seriously, for a while you could barely watch a youtube vid without it turning into a NordVPN ad at some point)

    1. Kane Silver badge

      Re: Goes to prove

      "(Seriously, for a while you could barely watch a youtube vid without it turning into a NordVPN ad at some point)"

      Still is the case, a lot of the creator channels are getting big sponsor bucks for promoting NordVPN in their videos.

    2. theblackhand Silver badge

      Re: Goes to prove

      "(Seriously, for a while you could barely watch a youtube vid without it turning into a NordVPN ad at some point)"

      I assume you are referring to the ads served before/during/after the content rather than it being part of the content.

      Doesn't Google determine the ads they serve you rather than the content providers? The content providers just get a share of the revenue.

      1. JohnFen Silver badge

        Re: Goes to prove

        "I assume you are referring to the ads served before/during/after the content rather than it being part of the content."

        I see NordVPN advertised quite a lot by the youtubers themselves as part of their content, not by YouTube's ad system.

        1. Jamie Jones Silver badge

          Re: Goes to prove

"The YoungTurks" have promoted them heavily "inline" (though I think that rather than being part of the video, it's a "prepended segment" that can later be removed -- but yes, still under control of the channel owner, not YouTube)

        2. Kiwi Silver badge

          Re: Goes to prove

          "I assume you are referring to the ads served before/during/after the content rather than it being part of the content."

          I see NordVPN advertised quite a lot by the youtubers themselves as part of their content, not by YouTube's ad system.

          I have Nord on my tablet, and often watch YT vids last thing at night, or if I wake up during the night and have trouble going back to sleep. Most topics are on bikes, gardening (and some related stuff), and Christian themes but I do have some tech stuff in there. Most of the tech related stuff are related to non-computer electronics eg power generation/regulation or water handling (yes, with electronics :) ).

          I've not had one single ad for Nord, either within the vids or within the normal ad stream (at least not while I've been awake - maybe some of the people I fall asleep through talk of Nord but I've not heard it).

          Perhaps it is something related to who you watch or the sort of videos you watch? Your videos are more likely to bring up those who use/talk up Nord, mine are more likely to bring up other stuff.

          1. Anonymous Coward

            Re: Goes to prove

            I watch a few YouTubers who are taking NordVPN money, and they are either a very good fit (they have to use VPNs anyway) or a reasonable fit (their job has them travel).

            I am in the USA.

          2. Baldrickk Silver badge

            Re: Goes to prove

            Channels like LTT or Jayz have done it multiple times too.

            1. The Dogs Meevonks

              Re: Goes to prove

Jayz2cents is heavily sponsored by NordVPN, whilst LTT switched from Tunnel Bear to PIA as a sponsor a couple of years ago... after TunnelBear was bought out by a big name who refused to say if they would continue to offer a no-logging service.

              I've been using Anonine for a few years now and haven't had any issues at all... It's set up on my PC's, phones, tablets and android TV boxes.

  7. Anonymous Coward

    Oh great!

    So what's a good VPN provider then? ProtonVPN? Mullvad??

    Need something sorted ahead of the upcoming pr0n ban this July!

    1. Anonymous Coward

      Re: Oh great!

      I've found VyprVPN to be quite reliable, and will continue to use it unless anyone can provide reasons not to. You can subscribe directly or have it bundled with Giganews.

      1. Charles 9 Silver badge

        Re: Oh great!

        I tend to use nvpn. It provides SOCKS5 servers, port forwarding, and a wide range of servers and countries.

    2. BobProton

      Re: Oh great!

      https://airvpn.org/ my choice for the last 3 or 4 years.

Failing that, spin your own one up on a VPS, paid for with cryptocurrency for good measure

      1. Aristotles slow and dimwitted horse Silver badge

        Re: Oh great!

        I concur. Have been with Air for the last 3 or 4 years as well and they have been great. The fact that it was set up by journalists to ensure their own anonymity gives me a sense that they are in it for the right reasons also.

        1. Anonymous Coward

          Re: Oh great!

          Are they former News of the World journalists?

        2. jasonbrown1965

          Re: Oh great!

          AirVPN was set up by journalists?

          Nothing on their "about" page refers to journalists, just "activists, hacktivists, hackers." And there are no names mentioned. As a journalist, my question is - should anyone trust VPN providers who remain anonymous?

      2. caffeine addict Silver badge

        Re: Oh great!

        trying to get to airvpn.org gets me a connection reset error in Chrome and Opera. Until I enable Opera's VPN. Then it appears.

        *puts on paranoid hat*

    3. JohnFen Silver badge

      Re: Oh great!

      I think it depends on your goal. If it's just to bypass content restrictions, then I would pick the fastest one that isn't hosted in the affected nation.

      If it's to evade government snooping, then things get a whole lot more dicey.

    4. Dabbb Bronze badge

      Re: Oh great!

It takes about 3 minutes to set up your own VPN server on some $5/y VPS host.

    5. Anonymous Coward

      Re: Oh great!

      I've personally been using Cryptostorm, which is both inexpensive and accepts cryptocurrency. The setup is token-based so renewing your subscription means updating your login information, but that's not that much of an inconvenience(if you're truly paranoid, you can get each new token from a different reseller to better cover your tracks). The nameservers also support .onion addresses natively if that's your thing.

    6. The Dogs Meevonks

      Re: Oh great!

I can recommend Anonine as a VPN provider... Been using them for about 4-5yrs now... no logs and I get decent speeds of 40-50Mbps on my 65Mbps service.

  8. Lee D Silver badge

    You want to VPN because you don't trust the third-parties who are transiting your connection.

    So you VPN with a random third-party who is subject to those other third-party's whims.

    Great idea! Thumbs up! Well done! Top security!

    A VPN is for you to place OVER an untrusted connection to form a trusted connection between two computers / network. As soon as you insert a random third-party app, or indeed VPN provider, into that connection it's even-more-untrusted than it was before, and there's another party who you have to trust entirely with all your data which - as this and many other incidents show - is a really, really, really poor idea.

    And, let's be honest, to do what? Watch YouTube or BBC past geographical restrictions? It's just not worth the effort, just stop consuming their media.

    Anything more nefarious, you're really an idiot to trust that intermediary with that information, you're basically flagging yourself up and THEN handing them your data on a plate.

    If you want to do something "private", insert as few third-parties as possible into the trust chain. Hell, the reason I run my TV from a RPi is so that I can dial into it from abroad and do that same kind of thing, rather than have to trust anyone not-to-dob-me-in (I used to use TVPlayer.com, but half the stuff is content-restricted still EVEN THOUGH I'm paying for it... and often with Irish local programmes and adverts... I can literally do a better job with an aerial and a Raspberry Pi).

    And I'll tell you something else... rent a server and pretty much nobody cares what traffic you do on it, so long as you don't flag up. You can rent a VPS or dedi for next to nothing nowadays, in any country you like, and they'll often pre-load VPN access for you.

    And if you value absolute anonymity, for anything more cheeky than a bit of British TV, you can't use any connection registered to your name, or your normal desktop browser, it's as simple as that. Paying NordVPN to offer you a VPN is literally just handing your name to the authorities if you're doing anything remotely naughty anyway. If you're gonna do that, Bitcoin a dedi (plenty of people doing that), Tor the connection, access it as a "desktop" from nearby public wifi (not your home connection) and use it that way.

    You can't trust even the people you pay to give you a privacy-secure VPN.

    You can't use any paying service to give you a "criminally"-secure VPN.

    So stop trying. Either do it yourself (a VPN device at home and a VPN in a VPS somewhere), or actually do it properly with no association to yourself whatsoever.

    1. Anonymous Coward
      Anonymous Coward

      But Tor kills the bandwidth. What if you need privacy AND throughput AND you're on a budget? Good, Fast, Cheap--ALL OR NOTHING.

      1. JohnFen Silver badge

        Don't forget the engineering triangle: Good, Fast, Cheap -- you can pick any two.

    2. tip pc Bronze badge

      GCHQ/NSA/FBI/MI5/MI6/SOCA/China etc should just launch their own VPN service and be done with it. If you're a Brit and don't want a non-sanctioned foreign nation to be prying on your data then perhaps our government comms experts could come up with a solution to keep our comms safe and in the UK and turn a coin at the same time. Solves the third party trust issue and also gives sanctioned permission to monitor the customers' comms for quality purposes etc.

      They see our traffic anyway so probably not too hard to roll out.

      1. Flywheel Silver badge

        They see our traffic anyway so probably not too hard to roll out

        Let's see them get Democracy right first before tackling VPN. I'm looking at you, UK, in particular.

  9. Jim Mitchell

    NordVPN's TV adverts seem quite scammy to me, FUD FUD and more FUD. Preying on the gullible is a viable business model. This news doesn't help their image.

    1. Anonymous Coward
      Anonymous Coward

      Why not do your own research? Eg https://torrentfreak.com/which-vpn-services-keep-you-anonymous-in-2019/#nordvpn

      1. notamole

        TorrentFreak just lay out the stated policies of the companies, they don't do independent analysis.

  10. Mark Manderson
    WTF?

    doesn't surprise me with them

    anyone else want to scream at their advert in the UK of the twat in the tube handing all his shit out, plain lies the advert, gets on ma titties!

  11. fidodogbreath Silver badge

    Anomalous traffic that specifically catches the attention of security people seems like an odd way to hide from security people.

  12. Frank Bitterlich

    Don't get this...

    I have not much experience with commercial VPN providers, but why would their client send keep-alive messages outside the VPN? Would that not a) defeat the purpose of staying under the radar in sensitive regions, and b) make more sense to do inside the VPN connection?

    1. Anonymous Coward
      Anonymous Coward

      Re: Don't get this...

      "but why would their client send keep-alive messages outside the VPN"

      The three potential VALID reasons I can think of (there may be more):

      - they may be recording DNS/HTTPS response metrics for quality control/debug purposes. This may or may not have reached production quality code.

      - it may be used to determine network reachability, i.e. reliably determining if you have connectivity to DNS inside the tunnel/outside the tunnel and if failing over to another NordVPN server site is required. If this is the case, it's not well thought through - they should own the DNS zone, not just make one up...

      - it may be used to determine if you are using NordVPN DNS servers or another provider's, to identify if you are potentially leaking browsing details via DNS outside of NordVPN

      The less valid reason is that it was a test feature that was accidentally deployed to production without full awareness from operational staff. This would also explain the apparent confusion.

      1. TrumpSlurp the Troll Silver badge

        Re: Don't get this...

        One thought.

        If you try and resolve a weird and unregistered domain and it resolves then someone may be hijacking your DNS to intercept connection requests.

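The check TrumpSlurp describes (and the DNS-leak/reachability reasons suggested in the reply above it) is easy to automate: resolve names that cannot legitimately exist and see whether anything answers. The script below is an added example for this thread, not NordVPN's code or anything from the article. It injects the resolver so it runs offline against a constructed fake; the probe-name length (40 hex characters, the shape of the names quoted in the article), the control name `example.com` and the sinkhole address `198.51.100.7` are all assumptions made for the example. One caveat: the domains reported in this thread were actually registered, so a positive answer for those specific names is not by itself evidence of hijacking; this probe only tells you whether your resolver answers for names that nobody owns.

```python
"""Probe for DNS hijacking by resolving names that must not exist.

Added example, not NordVPN's code. A resolver that intercepts or "helpfully"
answers for unregistered names (an ISP search-redirect page, a captive portal,
or something less benign in the path) returns an A record for a random label
that nobody registered. A clean resolver returns NXDOMAIN.
"""
import secrets
import socket
from typing import Callable, Dict, Optional, Sequence

# A resolver takes a hostname and returns an IPv4 string, or None for NXDOMAIN.
Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Resolve with the OS stub resolver (this one hits the network)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def random_probe_name(tld: str, length: int = 40) -> str:
    """Build a random lowercase-hex label under tld, e.g. 'f5d5...ffc5.com'.

    40 hex characters mirrors the names quoted in the article; the length is
    an arbitrary choice for this example.
    """
    return f"{secrets.token_hex(length // 2)}.{tld}"


def check_hijack(
    resolve: Resolver,
    tlds: Sequence[str] = ("com", "info", "xyz"),
    probes_per_tld: int = 2,
    control_name: str = "example.com",
) -> Dict[str, object]:
    """Resolve random names that cannot exist and report what answered.

    The control name must resolve for the verdict to mean anything: if it
    does not, the network is simply down, not hijacked.
    """
    control_ok = resolve(control_name) is not None
    hijacked: Dict[str, str] = {}
    for tld in tlds:
        for _ in range(probes_per_tld):
            name = random_probe_name(tld)
            answer = resolve(name)
            if answer is not None:
                hijacked[name] = answer
    verdict = "no-connectivity"
    if control_ok:
        verdict = "hijack-suspected" if hijacked else "clean"
    return {"control_ok": control_ok, "hijacked": hijacked, "verdict": verdict}


def fake_resolver(sinkhole_ip: Optional[str]) -> Resolver:
    """Constructed resolver for offline demonstration (assumption, not real DNS).

    Answers the control name normally and everything else with sinkhole_ip,
    i.e. behaves like a hijacking resolver; with sinkhole_ip=None it behaves
    like a clean one and returns NXDOMAIN for the probes.
    """
    def _resolve(name: str) -> Optional[str]:
        if name == "example.com":
            return "93.184.216.34"  # constructed control answer
        return sinkhole_ip
    return _resolve


if __name__ == "__main__":
    print(check_hijack(fake_resolver(None))["verdict"])            # clean
    print(check_hijack(fake_resolver("198.51.100.7"))["verdict"])  # hijack-suspected
    # Against the resolver your machine actually uses:
    # print(check_hijack(system_resolver))
```

Run it once with the VPN tunnel down and once with it up; a verdict that differs between the two tells you which resolver is answering in each state, which is the leak question the reply above raises.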
  13. JohnFen Silver badge

    Spidey sense

    I have to admit that, based on nothing, NordVPN has always set my spidey-sense tingling. This sort of thing makes me think my subconscious might be on to something.

    1. Kiwi Silver badge
      Black Helicopters

      Re: Spidey sense

      They did much the same for me. I was asked by friends moved from overseas to look through some and I did spend some time looking into them. Nord did beat out the others even though their advertising campaign raised flags with me.

      I gave my results to these people and they settled on Nord. I also use the app on a couple of my machines for now for monitoring/testing, and I am seeing a concern with this machine in that while I run Devuan, the Nord app is now insisting on systemd as a dependency.

      Nord people take note : I do not consider that multitentacled blob to be safe, and that is a black mark for the future. While Nord requires systemd it is put into the category of "cannot be trusted".

      1. NATTtrash

        Re: Spidey sense

        Not using Nord, and not defending them but:

        Might it be that it's looking desperately for SysD's systemd-resolved.service and/ or openvpn.service but can't find? (which are crap BTW because they leak DNS like a bucket without a bottom, but hey...). Then again, it could also be that something in Devuan points in the wrong direction (e.g. whatever "networkmanager" you're using..?). Did you see this behaviour also with other VPNs, e.g. an open/ free (academic) one for test purposes?

        1. Kiwi Silver badge

          Re: Spidey sense

          Might it be that it's looking desperately for SysD's systemd-resolved.service and/ or openvpn.service but can't find?

          Nope.

          There is a pending update on the system. I had flagged it to go through but saw systemd come up in the list of "other stuff that will be installed". I'd do a screenshot but that machine is 50 miles away tonight and I ain't giving up my weekend just to check that :)

          1. NATTtrash
            Pint

            Re: Spidey sense

            ...in the list of "other stuff that will be installed"...

            Hmmm, that indeed sounds like a dependency thing, something calling for sysD to be installed.

            And yes, you're absolutely right. Weekend has other priorities! --- --- --->

            Real life experience shows however, that brain utilising/ wrecking issues are best left until Monday afternoon... ☺

      2. Chris King Silver badge

        Re: Spidey sense

        While Nord requires systemd it is put into the category of "cannot be trusted".

        A lot of folks don't trust systemd because of complexity. I don't trust it because it's too unreliable to entrust with something like a VPN connection.

        I've had many punch-ups with systemd over the years, but last weekend was more like the Freezer Ambush in terms of property destruction. And it didn't even stop to answer the telephone.

        1. Kiwi Silver badge
          Trollface

          Re: Spidey sense

          A lot of folks don't trust systemd because of complexity. I don't trust it because it's too unreliable to entrust with something like a VPN connection.

          It's complex, tries to do too much (vs the old "Do one thing and do it well"), lots of potential for security issues.

          And the people leading the project don't exactly portray an attitude that fills me with confidence either.

          If I wanted those issues I'd be running Windows!

  14. -tim
    Facepalm

    If you're redirecting these domains in-house...

    If you redirect garbage domains in-house to your own server, change GET to POST in the handling code and return a cookie and then the log can get much more interesting. A list of potential cookie names can be found in the VPN memory image and the thing gets chatty.

    Someone needs to hack a DNS local resolver like named/bind to do something useful with regex patterns. It would be so cool to be able to tell it "add regexzone /^[a-z0-9]{32,64}/ ; file local_capture"

  15. Anonymous Coward
    Boffin

    Obviously sigint

    Trivially easy for GCHQ/NSA etc to detect the pattern in these requests, extract the metadata and build up a database of who is using NordVPN. Then correlate the IP with other sources and build up a target list for dropping a ‘package’ onto the PC.

    In all likelihood the emitted domains like f5d599a39d02caef1984e95fdc606f838893ffc5[dot]com encode information, maybe the CPU so they know which back door on the Intel management interface to exploit.

    1. imanidiot Silver badge
      Black Helicopters

      Re: Obviously sigint

      Wrong icon there. You'll want this one -->

  16. SonOfDilbert
    Terminator

    Tyrell Corporation?

    Hm, Laura Tyrell. I wonder if her father is Eldon Tyrell of the infamous Tyrell Corporation? Maybe she's trying to cover for some sort of new auto-tracking communications built into their replicants. This would be a cheaper method of tracking them rather than having a blade runner hunt and retire them.

  17. ravenstar68

    "Yup, plenty of unique user information there – and that gzip string looks rather like the client is expecting to receive a payload from the server. Curiouser and curiouser."

    I think you may be overthinking things here. Accept Encoding: gzip simply means that the user agent will accept a reply that's compressed using gzip.

    For example if I have a website, I can use gzip compression to reduce the amount of data that's sent down the link. However the browser does need to indicate that it will accept that compression type, otherwise the web pages are sent in an uncompressed form.

  18. Anonymous Coward
    Anonymous Coward

    Bit worrying

    I've just signed up with them for 3 years. Was originally with AirVPN on yearly package but Nord ended up being slightly cheaper for a 3 year deal and got better reviews on BestVPN.

  19. Stevus24654

    234 new rules....

    I have now 234 rules in LittleSnitch from URLs trying to be accessed from NordVPN.

    This is getting very strange.

    I tested a few of them, and for these, they were all registered on 2019-04-24 to NameCheap.inc

    This keeps getting stranger and stranger....

    1. steviebuk Silver badge

      Re: 234 new rules....

      How'd you do these tests? All I knew how to do was run Wireshark while Nord was running and saw the NameCheap.inc references. But didn't know what else to look for.

      1. Stevus24654

        Re: 234 new rules....

        I have denied manually each attempt from NordVPN to connect to this kind of URLs, and I have selected the rules in the LittleSnitch conf and use "export conf" which counts the number of rules.

        Each time there is a connection to a URL, it tries 3 times to:

        - [dot] com

        - [dot] info

        - [dot] xyz

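Putting -tim's regex-zone idea together with the retry pattern Stevus24654 reports above (the same label tried under .com, .info and .xyz), here is how the detection looks when run over a resolver's query log. This is an added example for this thread, not code from the article or from NordVPN. The log format (`timestamp client qtype qname`), the sample lines and the sinkhole address `10.0.0.5` are all constructed for the example; the one domain in the sample that is not made up is the `f5d599a3…ffc5` name quoted elsewhere in this thread. Adapt `parse_line` to whatever your resolver actually writes.

```python
"""Flag DNS queries for machine-generated names and emit sinkhole entries.

Added example, not code from the article. Implements a pattern rule (the
regex-zone idea from the thread) rather than a static blocklist, and groups
hits by label so the .com/.info/.xyz retry pattern stands out.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# Leftmost label of 32-64 lowercase letters/digits, directly followed by one
# of the TLDs reported in the thread. Anchored so a long but ordinary
# hostname such as 'www.theregister.co.uk' never matches.
GARBAGE_NAME = re.compile(r"^(?P<label>[a-z0-9]{32,64})\.(?P<tld>com|info|xyz)\.?$")
ALL_TLDS = {"com", "info", "xyz"}


class Query(NamedTuple):
    ts: str
    client: str
    qtype: str
    qname: str


def parse_line(line: str) -> Query:
    """Parse one constructed log line: '<timestamp> <client> <qtype> <qname>'."""
    ts, client, qtype, qname = line.split()
    return Query(ts, client, qtype, qname.lower())


def is_garbage_name(qname: str) -> bool:
    """True when the name has the long-random-label shape described above."""
    return GARBAGE_NAME.match(qname.lower()) is not None


def detect(log_lines: List[str]) -> Dict[str, object]:
    """Return matching queries, the TLDs seen per label, and the labels
    that were tried under every TLD in ALL_TLDS (the 3-for-1 pattern)."""
    by_label: Dict[str, Set[str]] = defaultdict(set)
    matches: List[Query] = []
    for line in log_lines:
        if not line.strip():
            continue
        q = parse_line(line)
        m = GARBAGE_NAME.match(q.qname)
        if m:
            matches.append(q)
            by_label[m["label"]].add(m["tld"])
    full_sweep = sorted(label for label, tlds in by_label.items() if tlds == ALL_TLDS)
    return {"matches": matches, "labels": dict(by_label), "full_sweep": full_sweep}


def dnsmasq_sinkhole(result: Dict[str, object], sink_ip: str = "10.0.0.5") -> List[str]:
    """Emit dnsmasq 'address=/name/ip' lines for every observed garbage name,
    so later lookups land on a host you control and can log (sink_ip is an
    example address, not a recommendation)."""
    lines: List[str] = []
    for label, tlds in sorted(result["labels"].items()):
        for tld in sorted(tlds):
            lines.append(f"address=/{label}.{tld}/{sink_ip}")
    return lines


# Constructed sample log. Only the f5d5... name comes from the thread; the
# rest is made up to show non-matches and a label seen under one TLD only.
SAMPLE_LOG = """\
2019-05-02T10:00:01Z 192.168.1.10 A f5d599a39d02caef1984e95fdc606f838893ffc5.com
2019-05-02T10:00:01Z 192.168.1.10 A f5d599a39d02caef1984e95fdc606f838893ffc5.info
2019-05-02T10:00:02Z 192.168.1.10 A f5d599a39d02caef1984e95fdc606f838893ffc5.xyz
2019-05-02T10:00:05Z 192.168.1.10 A www.theregister.co.uk
2019-05-02T10:00:07Z 192.168.1.11 AAAA 0123456789abcdef0123456789abcdef.com
2019-05-02T10:00:09Z 192.168.1.12 A short.xyz
"""

if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for q in found["matches"]:
        print(f"{q.ts} {q.client} -> {q.qname}")
    print("swept all three TLDs:", found["full_sweep"])
    print("\n".join(dnsmasq_sinkhole(found)))
```

Long hex labels also turn up in legitimate traffic (CDN and cloud hostnames among others), so treat a match as something to review rather than block blindly; the three-TLD sweep in `full_sweep` is the more specific signal for the behaviour described in this thread.
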
  20. Anonymous Coward
    FAIL

    So the 'P' in NordVPN doesn't actually mean 'Private'.

    ^ shudder.

  21. Scott 1

    If I wanted to conduct mass spying...

    ...one step (of many) would be to create a commercial VPN service.

    1. notamole

      Re: If I wanted to conduct mass spying...

      Protonmail (long before they had a VPN) indicated that they had proof one of the major VPN providers was working for the NSA. I don't know if they ever said who it was though.

      1. Charles 9 Silver badge

        Re: If I wanted to conduct mass spying...

        And what did they present as their proof that the company was chummy to the NSA?

        1. Anonymous Coward
          Anonymous Coward

          Re: If I wanted to conduct mass spying...

          Maybe their own NSA handler told them. ;-)


Biting the hand that feeds IT © 1998–2019