Hacker News new | past | comments | ask | show | jobs | submit login

Thought experiment: design an architecture that passes this audit scope as written that allows for logging of user activity.

I can think of at least one.




Thought experiment: build your own VPN company that doesn't log anything and try to convince people like you that you don't do any logging


If you don't do any logging and don't want to know what your users are doing - it means that you won't have to deal with the cops as much. And there won't be any risk of those logs getting leaked or stolen .

Unless you're de-facto part of the government like Google and Microsoft - I see no good reason to log anything more than what's legally required.


...why do that when you can simply sell though?


Sell what? Browsing data of VPN users? That would be easy to check.


How easy is the question.

1. Browsing habits would hardly have an affect on the vast array of data to have an effect on ads presented to you, unless you care about your privacy. Its all target auidence and marketing (look at ExpressVPN or Surfshark. They all offer privacy but never follow up)

2. Their algorithms can avoid showing you ads derived from the VPN if it detects the usage of your actual IP


If they sell data then it's possible to buy that data. So a security researcher could simply try buying that data and then expose that VPN provider.


The market for data is shady. They can simply sign contracts with a few reputable "market intelligence" firms. I am also very sure that another VPN firm wouldnt mind being a proxy seller the browsing data in return for some comission.


I think you misunderstood me. You seem to take my comment as input to an assumption that I think they are logging.

I don't know if they are logging or not. They say they aren't. The audit says they didn't see evidence that they are.

It's impossible to prove a negative.


how do you troubleshoot? how do you monitor? how do you check for malicious behavior from clients or 3rd parties? how do you keep your providers honest?

actually a very interesting experiment


Like sending logs over the network?

It's quite common for servers to boot from the network and have no disk, and have application logs actually sent to a log server via http/udp [0].

[0] For example: https://docs.splunk.com/Documentation/Splunk/9.1.0/Data/HECE...




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: