The VPN Dilemma: Balancing Privacy, Security, and Digital Innovation

Hello, I’m new to the community. I’ve been facing issues connecting to 1.1.1.1 with WARP since yesterday. It was working fine before, but the problem started after my ISP performed some maintenance. I suspect the issue might be related to the ISP. Is there any possible solution for this?

When I searched Reddit for answers about why WARP (aka 1.1.1.1) is not working, I found many similar comments, like:
“I believe that ISP has to do something with that because I am getting this issue after ISP maintenance.”

Curiosity led me to search for more articles on Reddit and other platforms, but unfortunately, I found very few, and they contained too little information.

Drawing from my five years of experience working and writing on technological aspects, I delved into understanding the dynamics of blocking services like 1.1.1.1. The reasons often seem to be tied to political and geographical factors, with the most common justification being “national security” and concerns over confidential data.

“I have been using 1.1.1.1 WARP from India, but 1.1.1.1 WARP mode is not working on the Jio network, while the normal private DNS is functioning. Reset network settings: Done. Reboot device: Done. Always-on VPN: Done. Clear cache and storage: Done. Uninstall and reinstall: Done. Reset private keys: Done. Still, WARP mode is not working. What should I do? And what is the reason behind this?” (solution quoted on the community page)
Many more solutions like this have been shared in the community pages, but sadly, nothing works. I am obliged to install another VPN, as I am left with no other option due to the urgency of the work.

Searching for the exact reason behind this, I came across some information that I’m not entirely sure is legitimate but seems relatable—or at least understandable.

One random user explained:
“Basically, the rule in India is that you can operate a VPN as long as you maintain data related to the user, including their name, ID, IP accessing from, and IP accessing to. I think the 1.1.1.1 client actually operated anonymously (because if I remember, you didn’t actually need to log in to use it). iCloud+ Private browsing maintains that information (account-related, etc.) so it should be safe. Similarly, running your own Tailscale cluster and enterprise VPNs are not impacted—for example, Cloudflare for Teams is allowed, and the Cloudflare One Agent app can be downloaded and is still available.”

Another user added:
“Cloudflare stores user data on the Zero Tier corporate plan, which is tied to accounts. The free 1.1.1.1 app did not require an account, hence it was removed. I cannot answer as to why Proton VPN continues to work or has not been removed. I only gave an opinion as to why the free Cloudflare product may have been removed. For what it’s worth, you can set up your own VPN and run it, and as long as you maintain a user login and account history, you can operate a VPN.”

The list of removed VPNs includes other services like Hide.me and PrivadoVPN. Apple, citing a demand from the Indian Cyber Crime Coordination Centre—a division of the Ministry of Home Affairs—stated that these app developers had created software that contravenes Indian law.

On the other hand, several VPN providers have robustly opposed the Indian government’s mandate. When the framework was introduced, prominent developers like NordVPN, ExpressVPN, Surfshark, and ProtonVPN publicly criticized the requirements, with some even indicating plans to remove their server infrastructure from India. For example, Surfshark’s services are no longer purchasable via UPI, a payment method that was available before the rules came into effect. Despite these challenges, NordVPN, ExpressVPN, and Surfshark continue to operate in India, although they have scaled back active promotion of their apps in the country.

The Indian government’s actions against VPN service providers hold even greater significance when considering the country’s position as one of the world’s largest VPN markets, with substantial growth anticipated in the coming years.

In 2023, India’s VPN market generated an impressive $4.166 billion in revenue and is projected to reach $7.681 billion by 2030, growing at a compound annual growth rate (CAGR) of 9.1% from 2024 to 2030. With an estimated 270 million VPN users in 2021, the market remains dominated by a limited number of providers, including Surfshark, NordVPN, ExpressVPN, PureVPN, IPVanish, and others. Despite regulatory challenges, these players continue to cater to a substantial user base in India.

The restriction on VPN services is not unique to a major country like India; several other nations are also engaging in this “banning game” under the guise of national security and data regulations. Countries such as China, Russia, Germany, and Italy have also implemented measures to control or restrict VPN usage, citing similar justifications of safeguarding national interests and ensuring compliance with local laws.

I referenced the community pages solution and inquiries because I haven’t found any direct comment or official report from the Ministry of Home Affairs (MHA), Government of India, regarding the banning of these regulations. This raises the question: while policymakers, law experts, diplomats, and technocrats may have discussed these bans, similar to the DPDP, why are such policies put out for public comment even after being enforced?

Why is everything being imposed in the name of national security? The challenge is that, while we advocate for encryption and data privacy, we also ask for data storage, suggesting that privacy might, in fact, be a myth. Our devices, always with us, listen even when not in use, reinforcing this paradox.

It’s a social dilemma of the Internet age. On one hand, we promote privacy and encryption, while on the other, innovators are developing AI systems that collect all our information. I’m not arguing that imposing regulations on the majority is wrong, but is there a way to balance technology, innovation, and regulation? This is simply a thought from a technical writer’s perspective.

You are under surveillance!

You search for a pair of shoes on a search engine, and suddenly, every ad you see is about shoes. You browse a housing site, and before you know it, your phone is buzzing with calls and messages about properties. You search for a nearby restaurant or explore a business idea, and bam! Your screen is overflowing with ads instead of the information you actually wanted. It feels like a hidden camera is always watching, anticipating your every move, doesn’t it? It’s like having a personal assistant—except you never asked for one! And this assistant? It’s so efficient, it even seems to work ahead of your own thoughts. Welcome to the digital world!

This type of constant surveillance is what we call surveillance capitalism. Big tech companies—let’s say the big four—use this model to turn your data into a resource, treating your searches and interests as their products. Whether you’re intentionally seeking information or just satisfying a passing curiosity, the moment you enter your data, it’s no longer just yours. Even if a website says it’s “encrypted,” that data is fuelling the encryption of their own massive datasets, which they use to craft algorithms that steer your next online experience. Search for anything, and in the background, those algorithms are quietly deciding what to show you next.

It’s not just that you’re searching the web—the web is also searching YOU. And while it may seem convenient to have such personalized suggestions, it’s important to realize that this is really about influence. These companies aren’t just catering to your needs; they’re shaping what you’ll do next.

Surveillance capitalism refers to the practice of monetizing data collected by tracking people’s online and real-world behaviors. This type of consumer surveillance is primarily used to tailor marketing and advertising strategies. The term **surveillance capitalism** was first introduced by John Bellamy Foster and Robert W. McChesney in a July 2014 article in *Monthly Review*, a socialist magazine based in New York. Their original concept centered on the U.S. military’s surveillance of citizens.

The term surveillance capitalism is more closely associated with the economic theory proposed by Harvard Business School Professor Emerita Shoshana Zuboff in September 2014. It describes the large-scale monetization of individuals’ raw personal data, used to predict and influence their behavior. Surveillance capitalism operates through steps like data collection, prediction, and the creation of behavioral markets. While it’s not tied to any specific tech or business process, it represents a business philosophy driving the massive data economy. Most people don’t realize the extent of this data collection until their privacy is breached, revealing that their confidential information has been commercialized and turned into profits—often to the tune of billions—by other companies.

There are no serious proposals for regulating the data collecting abilities of technology companies. However, Google did pay a large data privacy settlement in November 2022.

In her book, Zuboff predicted that data collection will continue to grow as it becomes increasingly central to the market and as technology becomes more embedded in daily life. She highlighted the rising use of IoT devices, like fitness trackers, which provide new opportunities for sharing user data with marketers and advertisers. Zuboff also referenced a 2016 Microsoft patent for software designed to detect users’ mental states. She warned that this type of technology could lead to a new level of privacy violations, as it would activate sensors to capture voice, speech, videos, images, and movement.

The question now is, can we regain control over our data in this system that’s so deeply ingrained in our digital lives? Or is this just the new normal? It’s something worth thinking about as we continue to navigate this always-connected world.

ICANN Issues Breach Notice to .TOP Registry

In a recent development, ICANN has issued a Notice of Breach to the .TOP Registry Operator after URLAbuse highlighted multiple compliance failures. The breaches include neglecting abuse reports, not adhering to internet safety protocols, and failing to pay required fees. ICANN has mandated corrective actions to be completed by August 15, 2024. URLAbuse continues to play a crucial role in identifying and reporting internet abuses, ensuring a safer online environment.

URLAbuse successfully triggered action against the .TOP Registry Operator, prompting ICANN to issue a Notice of Breach on July 16, 2024. The notice outlines several compliance failures by the .TOP Registry Operator, including neglecting abuse reports and failing to follow essential internet safety protocols.

ICANN has set an August 15, 2024, deadline for the .TOP Registry Operator to implement corrective actions. These actions include creating a plan for Uniform Rapid Suspension (URS) compliance, updating their website with abuse contact information, confirming receipt of abuse reports, and enhancing DNS abuse mitigation efforts. If these requirements are not met, ICANN may initiate termination proceedings under the Registry Agreement.

The question remains: when will the .TOP Registry Operator take strict action, and why is such negligence occurring in a highly interconnected internet world where DNS is a fundamental root?

References:
  • https://www.icann.org/uploads/compliance_notice/attachment/1225/hedlund-to-wenxia-16jul24.pdf
  • https://news.urlabuse.com/ICANN-Issued-Breach-Notice-to-TOP-Registry-After-URLAbuse-Complaint

It’s not ‘Fishing’, it’s “Phishing”!

In today’s digital world, the trending threat isn’t “fishing”—it’s “phishing,” where fraudsters bait victims with deceptive emails to steal sensitive data.

There was a time when fishing was the trend, but in the new digital world of new India the trending hashtag is not fishing; it is phishing. Yes, you read that right: the two words are homophones, but they mean very different things. The only similarity between them is the act of catching: a fish in the former, and a customer to defraud in the latter.

WHAT IS PHISHING?

Phishing is a new type of cyber-attack, often called a social engineering attack, commonly used to steal users’ data, such as login credentials and credit card numbers. It occurs when an attacker pretends to be a trusted entity and dupes a victim into opening an email, instant message, or text message that looks valid but in reality carries fraudulent content. Once the recipient is tricked into clicking a malicious link, the result can be the installation of malware, the freezing of the system as part of a ransomware attack, or the revealing of sensitive information.

TECHNIQUES OF PHISHING

1) Spear Phishing

Here the fraudster targets a specific person, enterprise, or high-authority individual or company, as opposed to random application users. It is a more in-depth version of phishing, as it requires special knowledge about that particular organization, including its power structure and confidential matters.

An attack might play out as follows:

A. The fraudster researches the names of employees within an organization’s marketing department and gains access to the latest project invoices in order to look genuine.

B. Acting as the marketing director, the attacker emails a departmental project manager using a genuine-looking subject line. The text, style, and included logo duplicate the organization’s standard email template, so the email follows the familiar pattern and is hard to recognize as fake at first glance.

C. The link in the fraudulent email redirects to a password-protected internal document, which is in actuality a spoofed version of a stolen invoice meant to mislead the recipient.

D. The person is then asked to log in to view the document. The attacker steals the credentials and gains full access to sensitive areas within the organization’s network, completing the spear phishing attack.

2) E-mail Phishing

This kind of phishing is a numbers game. An attacker sends out thousands of fraudulent messages and can net significant information and sums of money, even if only a small percentage of recipients fall for the scam.

Just as in spear phishing, the attackers create spoofed emails or texts to defraud you. In addition, attackers will usually try to push users into action by creating a sense of urgency and by convincing the victim that the message is genuine.

The unfortunate part is that the links inside the messages resemble their legitimate counterparts, but typically have a misspelled domain name or extra subdomains, like https://www.bajajfinservmarkets.in/ and http://www.bajajfinservemarket.in/.

The similarity between these two addresses gives the impression of a secure link, making the recipient less aware that an attack is taking place, and with the next click it happens.
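The misspelled-domain and extra-subdomain tricks described above can be checked mechanically before a link is trusted. The following is an added example, not part of the original article: it compares a link's hostname against an allowlist using edit distance. The allowlist contents, the threshold of 2 edits and the `.example` hostname in the test are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist: the legitimate domain from the article's URL example.
TRUSTED = ["bajajfinservmarkets.in"]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def classify(url: str, trusted=TRUSTED, max_dist: int = 2) -> str:
    """Return 'trusted', 'embedded-brand', 'lookalike', 'unknown' or 'invalid'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"  # no scheme/host could be parsed from the link
    # 1) Exact match or a real subdomain of an allowlisted domain.
    if any(host == g or host.endswith("." + g) for g in trusted):
        return "trusted"
    labels = host.split(".")
    for good in trusted:
        # 2) Extra subdomains: the trusted name appears inside the hostname
        #    but the registrable domain at the end belongs to someone else.
        if "." + good + "." in "." + host + ".":
            return "embedded-brand"
        # 3) Misspelling: the last labels are within a few edits of the real one.
        tail = ".".join(labels[-len(good.split(".")):])
        if 0 < edit_distance(tail, good) <= max_dist:
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    for link in ("https://www.bajajfinservmarkets.in/",
                 "http://www.bajajfinservemarket.in/"):
        print(link, "->", classify(link))
```

A mail gateway or browser extension could run such a check on every link in a message and warn on anything other than `trusted`; internationalised (punycode) hostnames would need separate handling.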

HOW TO PROTECT YOURSELF FROM THIS SOCIAL ENGINEERING ATTACK!

Protection against phishing attacks requires steps to be taken by both users and enterprises.

For users, vigilance and awareness are key. A spoofed message often contains mistakes that expose its true identity, and these are easy to catch if you read the message patiently and attentively. They can include spelling mistakes or changes to domain names, as seen in the earlier URL example of email phishing. For enterprises, a number of steps can be taken to mitigate both phishing and spear phishing attacks:

  • Two-factor authentication (2FA) is the most effective method for protecting against phishing attacks, as it adds an extra verification layer when logging in to sensitive applications. 2FA relies on users having two things: something they know, such as a password and user name, and something they have, such as their smartphones with their confidential information.
  • In addition to using 2FA, organizations or individuals should enforce strict password management policies. For example, employees should be required to change their passwords frequently, should not be allowed to reuse a password for multiple applications, and should use different, hard-to-guess passwords to log in.
  • Educational and awareness campaigns can also help diminish the threat of phishing attacks by enforcing secure practices, such as not clicking on external email links and getting authenticated information from the genuine service provider.