Archive for July 23, 2020

Thursday, July 23, 2020

“No-Logging” VPN Providers

Craig Silverman (tweet, also: Nick Heer):

Sensor Tower, a popular analytics platform for tech developers and investors, has been secretly collecting data from millions of people who have installed popular VPN and ad-blocking apps for Android and iOS, a BuzzFeed News investigation has found. These apps, which don’t disclose their connection to the company or reveal that they feed user data to Sensor Tower’s products, have more than 35 million downloads.

Paul Bischoff (via Hacker News):

Hong Kong-based VPN provider UFO VPN exposed a database of user logs and API access records on the web without a password or any other authentication required to access it. The exposed information includes plain text passwords and information that could be used to identify VPN users and track their online activity.


More than two weeks after we sent a disclosure to UFO VPN, the company shut down the database and responded by email[…]

“We don’t collect any information for registering,” the spokesperson said. “In this server, all the collected information is anonymous and only be used for analyzing the user’s network performance & problems to improve service quality. So far, no information has been leaked.” [sic]

But based on some sample data, we do not believe this data to be anonymous.

Shaun Nichols:

A string of “zero logging” VPN providers have some explaining to do after more than a terabyte of user logs were found on their servers unprotected and facing the public internet.


A few days later, on July 5, the data silo was separately discovered by Noam Rotem’s team at VPNmentor, and it became clear the security blunder went well beyond UFO. It appears seven Hong-Kong-based VPN providers – UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN – all share a common entity, which provides a white-labelled VPN service.

And they were all leaking data onto the internet from that unsecured Elasticsearch cluster, VPNmentor reported.

Via Nick Heer:

There is nothing inherently wrong with white labelled goods and services, but I do think their use is inadequately disclosed. It is detrimental to our understanding of what we are buying and makes it hard to compare different products.


Programming Job Interviews

Chris Parnin and Matt Shipman (via Hacker News, 2, 3):

A new study from North Carolina State University and Microsoft finds that the technical interviews currently used in hiring for many software engineering positions test whether a job candidate has performance anxiety rather than whether the candidate is competent at coding.


Half of the study participants were given a conventional technical interview, with an interviewer looking on. The other half of the participants were asked to solve their problem on a whiteboard in a private room. The private interviews did not require study participants to explain their solutions aloud, and had no interviewers looking over their shoulders.


“But the format may also serve as a barrier to entire classes of candidates. For example, in our study, all of the women who took the public interview failed, while all of the women who took the private interview passed.”


I conducted a couple hundred interviews for my first FAANG employer, and I was constantly amazed at the percentage of candidates with years of Microsoft or Facebook experience on the resumes who apparently did not know how to program. I always thought, ‘huh, guess I know why they quit after 3 years, amazing that they all lasted this long.’

Then I interviewed for another company and utterly bombed. It became suddenly clear to me that I had been an idiot. Of course nearly all of those candidates were perfectly good programmers.

Joel Spolsky:

Those 200 resumes you got from Craigslist? Those consist of the one guy who happened to be good, but he’s only applying for a job because his wife wants to be nearer to her family, and the usual floating population of 199 people who apply for every single job and are qualified for none. And now you think you’re being “super selective” but you’re not, it’s just a statistical fallacy.

Somehow this classic hypothetical spread, and people got the idea that the majority of working programmers can’t actually program at all.

Polymorphic Interfaces

Swift by Sundell (tweet, Reddit):

Dave Abrahams joins John to talk about Protocol-Oriented Programming and how to make the most out of the Swift Standard Library. Also, discussions on Swift’s overall design, why it puts such a strong emphasis on value types and protocols, and how it’s been influenced by other languages.

I recommend this episode from April.

See also: What are similarities and differences between C++ and Swift?