Winston Privacy Device - Which Technology?
-
And a subscription service to generate the revenue stream ;) $99 for a year, or your device will stop
- encrypting DNS
- anonymization
- updates in general
Nice thing. Oh, your sub expired? Sorry, no anonymity anymore.
Edit: ah, and
In addition to not being certified for use in other countries and not being shipped with appropriate power supplies for other countries, we cannot currently ensure there are enough other Winston users in other geographical areas to provide a quality distributed network.
that really reads like a small-scale TOR-rebuild.
And
No. Winston was not designed to route around regional content blocking.
so much for it working with all/any streaming services. Most users use VPNs etc. because of geoblocking problems. So if someone thought Winston would help: no, it won't. They simply make sure you don't stream via blacklisted VPN IPs ;)
Also, having fun with low-bandwidth connections every 10 min:
And, a VPN uses a single exit point (you can switch, but it's manual). Instead, Winston is constantly scrambling your internet across up to 30 exit points every 10 minutes. This greatly reduces the confidence that an ISP (or other eavesdropper) could have in what they think they are learning about you.
And hidden gimmicks like:
To maintain a quality streaming experience, Winston does not route large downloads or streaming data through the Winston privacy mesh network, but large data transfers don't include tracking information other than your IP address. For example, if you go to Netflix or IPTV, your activity on the site will be routed through the Winston network, but the actual video won't be.
Soooo we do some fancy-pants VPN meshing buuuuut not with big downloads or streaming data. Sorry ;)
-
Hi @asterix,
Rich here - I'm the founder of Winston Privacy, electrical engineer - '94 UIUC, and spent 14 years in the Ad Tech industry, most recently as the Global Head of Innovation for the media intelligence division of my firm. I started Winston after I saw the growing surveillance abuses taking place in the industry and realized that the genie was out of the bottle and never going back.
I am similarly sensitive to marketing bullshit so let's get down to some technical talk.
Routing & IP Tracking
Many VPNs claim to provide privacy benefits because they cloak your IP address. The problem is that IP tracking stopped being effective over 10 years ago with the rise of smartphones... your IP address is changing constantly. Tracking companies have multiple ways of getting around that.
So the benefit in p2p routing comes not so much from cloaking your IP address, but rather from the combined effects of A) encrypting DNS, HTTP and CLIENTHELLO packets, B) breaking the correlation between actual requests and destination routing and C) Traffic shaping (see below).
As an example, let's say your ISP wants to record your internet activity (most do). They don't actually have to break encryption to do so. Rather, they know which sites you are visiting due to DNS lookups as well as inspecting the SNI field in TLS CLIENTHELLO packets. This becomes impossible with Winston, because both of these are encrypted. Not just on one device, but for the whole network.
The discerning will note that a VPN provides similar protection. But here's where we differ. A VPN is centralized on some remote server (after all, it was designed to act as a tunnel between two known points). This puts all of your eggs in one basket, ie: whoever owns the destination server. If you don't trust your ISP, why trust your VPN company? I personally know of a non-US company that operates a global network of cheap and free "privacy" VPNs that sells all the user data back to advertisers.
And as you probably know, VPNs are served with subpoenas all the time...
So instead, we created a protocol which allows for anonymous and dynamic tunnelling. This isn't suitable for accessing your corporate intranet but it's pretty ideal for obscuring web traffic as well as device sniffing. If an attacker (generic word for anyone interested in your data) knows your VPN exit point (they do), it's significantly easier to track you. But if you're being routed through 20-30 exit points dynamically chosen every 10 minutes, well that's a tougher challenge.
What was attractive to me about this was the zero-knowledge aspect of this distributed approach. We never want to be in a position where we know what our customers are doing on the internet.
Filtering Technology
We made Winston a hardware device for a few different reasons, and one was because it enables signals analysis on the traffic flowing out of your network.
My home is pretty typical - a couple of laptops, tablets, a few cell phones, smart TVs, connected doorbells, scale, etc. Across all of those devices, Winston has blocked 28,060 tracking attempts in the past 9 hours across 223 tracking domains. There are 208 connected applications running on those devices and Facebook has attempted to call out of many of them.
Winston sees this and considers Facebook a high privacy risk. That is actionable information.
"There's ______ for that"
This gets pointed out to me a lot. For instance, I'll talk about how browser fingerprinting is bad and they say, "well you can use Firefox or a plugin for that".
Well, yes. Of course. In fact, we have been working with Korbinian Kapsner - author of the well-known Canvas Blocker extension - to incorporate his awesome technology into Winston.
Never mind the fact that anti-fingerprinting is disabled by default in Firefox (try it yourself - http://demos.winstonprivacy.com). Or the fact that if you install multiple extensions in FF or Chrome, they often conflict or break. The real problem we're solving is that the average person doesn't want to cobble together an armored truck from duct tape and staples. In other words, nobody wants to install a bunch of software on their computer just to browse the internet. That's why we're integrating it all into a single solution.
By the way, I have nothing against DIY privacy. I love it. I did it for years. But my mom won't do it and she deserves privacy, too.
... But what about when there's no ________ for that?
Most people don't know about device graph fingerprinting, where information about the types and number of connected devices can be used as a source of information entropy.
And there's been a fair bit of academic work about the utility of IoT traffic shaping (example: https://arxiv.org/pdf/1708.05044.pdf) but again, no practical solutions. For instance, plug a connected glucose meter in your home and your ISP collects and sells that data to the ad ecosystem. As far as I know, Winston is the only product which injects real device traffic on to your network and completely eliminates the confidence that an eavesdropper has in your device graph.
Low powered box?
It is low powered but the 1Gb Topaz switch ameliorates that so it turns out it's more than sufficient on its own to handle most home networks. CPU utilization related to actual routing, encryption and filtering typically peaks out at about 15% on our current board.
Unfortunately, that's not the whole story. The biggest headache I face right now is how much CPU and RAM is being consumed by our data storage service (this is to analyze privacy risk signals directly on the device itself... we don't phone home for that). We've encountered situations where poorly behaved applications (i.e. Snapchat, Instagram, Roku and some Amazon devices) try to DoS the device when they can't get out. We've made some good improvements there but it's something I am thinking a lot about right now. You can usually realize dramatic performance improvements through better software design but, worst case scenario, we may have to upgrade to dual QorIQ, something we've priced out.
"that really reads like a small-scale TOR-rebuild."
Well yes, kind of. It's Tor for normal people.
Let me unpack that cute statement. We're not trying to build a privacy solution for spies or criminals. We saw that there was 20 years of work done in that area already.
In other words, privacy is traditionally thought of as a chain and if any one link is broken, protection has been entirely compromised. But the consumer model of privacy is actually "death by a thousand cuts". Every time the average person goes online, they reveal an incredible amount of information about themselves to companies and other eavesdroppers they don't know about.
Early on in our research, we uncovered that there were no practical solutions for the average consumer. This was echoed by a Pew study done a few years back, in which 61% of internet users said they would protect their privacy if only there was an option to do so. Now you and I know there's plenty of options, so what gives?
Before there was Sonos and Spotify, there was Napster, Limewire and WinAmp. The market evolves and the way we see it, if we want to actually put a dent in surveillance capitalism, then privacy has to go mainstream. That's not going to happen unless something changes... take it from me, nobody listens to this old engineer when I tell them how to protect themselves. Privacy has to be simple and convenient or most people won't bother.
Subscription Fee
For the reasons stated above, we decided Winston needed to be hardware. But hardware is incredibly difficult to bring to market and even more difficult to sustain without a revenue stream. You have to pay for engineers and support, which are not trivial. And we basically break even on each unit sold.
(Side note: Google spends billions of dollars on finding better ways to invade our privacy so I find it kind of strange when privacy buffs suggest that companies trying to fight back shouldn't charge anything... R&D that can compete with them won't be funded by hopes and dreams).
Moreover, it is not possible to solve the surveillance problem with technology alone. We also need policy solutions. Google, Facebook and the other big tech companies quietly lobby in IL, NY, CA and DC, slowing down the process and de-toothing any meaningful legislation that ever comes close to passing. We're not going to beat that with a cool little box. This is why we are actively engaging with IL and DC legislators to represent the good guys (I spoke with Sen. Durbin's office yesterday and was on the Hill last month where I met with Sen Blackburn's team).
So anyway, I hope I didn't bore you reading this. My aim is to be fully transparent with our business model and intentions, so I erred on the side of giving more detail than less. Hope I succeeded.
-
Thanks for the clarification.
I looked at your website and a couple of things came to mind:
-
The "No VPNs used (faster and more reliable)" strikes me as incorrect, or at least deceptive. There is no way that throughput via public mesh network can rival direct PTP VPNs. This was already pointed out by JeGr. Also, a mesh introduces multiple points of delay or failure as opposed to a direct VPN link. I imagine that you have a method to route around dead nodes, but still.
-
"90,000+ tracking and maleware sites blocked" - Maleware? So no running Grindr?
I like that you support the EFF.
Your recommended installation path requires a second router and double-NAT config, which isn't optimal and adds more cost for non-tech people who likely don't have spare parts laying around.
"If you don't trust your ISP, why trust your VPN company?"
By that same token, why trust YOU? All we have are the same assurances that you won't collect and monetize user data, just like the VPNs tell us.
Your website makes some claims that have no backing explanations. For example Incognito mode and adblock fail at privacy, because reasons. What reasons? Says who?? I don't expect a deep in the weeds whitepaper when your target market are the Facebook crowd, but still something is better than nothing.
What level of user control is there? Is there an interface that allows you to control various aspects of Winston, such as enabling or disabling certain features, or adding exemptions or exceptions?
Considering your target market of non-tech people, this unit must be bulletproof. What happens when a unit fails? What happens if the filesystem barfs? What happens if a firmware update turns Winston into Deadston?
What chipset are the NICs based on? Realtek don't have a great reputation around here.
Lastly, I don't like the name Winston. It seems too stuffy and somehow patronizing. However, that's just me and I realize I am way too late to that party.
Anyway, I support what you're trying to do and my observations weren't meant to shit on Winston. You have to expect more scrutiny on a network tech forum than on NBC News, that's for sure. We're a cynical bunch who have lived through endless "Your perfect security solution is here at last!" hypefests over the years.
-
Hi @KOM,
The "No VPNs used (faster and more reliable)" strikes me as incorrect, or at least deceptive. There is no way that throughput via public mesh network can rival direct PTP VPNs. This was already pointed out by JeGr. Also, a mesh introduces multiple points of delay or failure as opposed to a direct VPN link. I imagine that you have a method to route around dead nodes, but still.
Right now, I am getting 149 Mbps from the privacy mesh network. However, when we say "faster", what we're referring to is the fact that our network is optimized around low latency (better for many small requests) as opposed to pure download speed (better for large downloads), in that this delivers a superior browsing experience. 40 ms latency per call is typical (overhead from encryption and routing) but this is offset by a dramatic reduction in # of requests made (~70% on our last benchmark across the Quantcast Top 500), reduction in browser load as well as a reduced load on upstream bandwidth.
Meshes absolutely incur multiple points of failure. This was a major area we had to devote our attention to. We route around failed nodes pretty quickly. Slow/sluggish nodes are a different matter and we're working on that in our upcoming v2 firmware.
Your recommended installation path requires a second router and double-NAT config, which isn't optimal and adds more cost for non-tech people who likely don't have spare parts laying around.
Yes, that's a pain. We didn't want to compete with wifi routers, because there are a lot of great manufacturers (most notably, Netgear). We have considered going downstream to incorporate the cable modem, but those talks are on hold right now as we're in discussions with two service providers about bundling 5G directly on Winston (yes, this would change the business model a lot... it would effectively turn us into a private ISP).
By that same token, why trust YOU? All we have are the same assurances that you won't collect and monetize user data, just like the VPNs tell us.
You shouldn't! We designed the network to be zero-knowledge, in the same vein as Telegram... traffic does not route through our servers, nor do we break encryption. We can't see the traffic flowing through them. The boxes don't send data back to us. No slimy tricks either.
For example Incognito mode and adblock fail at privacy, because reasons.
https://www.youtube.com/watch?v=dBKsfRYV6ZI
The ad block privacy leaks are well known. There's an excellent expose on ABP in the German press which can be found readily enough. In the ad industry, it's widely known that the blocking companies can be paid to get your properties whitelisted.
Considering your target market of non-tech people, this unit must be bulletproof. What happens when a unit fails? What happens if the filesystem barfs? What happens if a firmware update turns Winston into Deadston?
We offer a one year warranty on units.
What chipset are the NICs based on?
http://wiki.espressobin.net/tiki-index.php?page=Topaz+Switch
Lastly, I don't like the name Winston. It seems too stuffy and somehow patronizing. However, that's just me and I realize I am way too late to that party.
Winston is named after Winston Smith, the protagonist in George Orwell's 1984.
We're a cynical bunch who have lived through endless "Your perfect security solution is here at last!" hypefests over the years.
I like that. The harder you push us, the better we'll get.
-
Another thing. Considering how most people do not have an unlimited Internet plan, how does being part of the mesh add to your monthly bandwidth totals? I see that you separate signal from data, but depending on how chatty the network is, bits can quickly add up to bytes to megs etc. etc. Are there any bandwidth controls at all? Is there any way to reserve bandwidth for yourself so that it isn't gobbled up by the mesh?
-
Actually, it seems that most people do have unlimited internet at this point but we certainly have some users who don't. The majority of traffic in most homes consists of streaming video, which routes around the p2p network. It is almost always served via CDNs and our p2p is optimized for small web requests anyway, so this gives a much better experience.
The current version limits shared bandwidth to 30% of upload speed, though in practice, that's used in bursts, not a constant. The next version of our routing protocol will adjust this dynamically, and (likely) we'll allow users to set manual limits if they choose.
One open issue we have right now is that Rokus are spamming their servers when we block their logs. This is causing an undesirable increase in bandwidth usage. We haven't gotten to the bottom of it yet but we will.
-
@WinstonPrivacy
Hi Rich, thanks for addressing a few of the issues. I'm happy to see tech talk instead of marketing, and a few things make sense.
I'm with you on the VPN part. Trust, subpoenas, shady privacy etc. that's why in another thread we were already discussing those points at length. It seems the perception (and advertising) is such, that VPNs are super-good as "they hide you on tze interwebz(!)" That this is marketing BS - yes I'm with you on that one - as are a lot of others here.
"There's ______ for that"
I wouldn't have picked fingerprinting. Because as it stands - you need an extension for it. So nothing new, yes, but that way it runs on the router and all clients are protected. Nice idea!
But as you point out
"that really reads like a small-scale TOR-rebuild."
Well yes, kind of. It's Tor for normal people.
So why not use TOR and communicate it? Why use something new?
Privacy has to be simple and convenient or most people won't bother.
Yes! It does! But you didn't answer the question below - why did the techniques you adapted or built again (AFAIR) need another go? Why not implement e.g. TOR as your routing/VPN/mesh solution? Would strike me as a nice idea, as you'd have access to other TOR nodes in an instant. With your new mesh I'm in fear of: "Huh, are there even enough customers later, that you actually DO have a critical mass to route/mesh with to gain the privacy you say?"
So anyway, I hope I didn't bore you reading this. My aim is to be fully transparent with our business model and intentions,
Not in the least. But I'm still curious about the rebuild/use of technologies and why you decided to do "your own thing" instead of use/build upon things already there so everyone can participate.
Problem with most startups/kickstarters/devices like that is that the project itself is damn great and ambitious. And then sales are not in the range one predicted, tech problems, etc. etc. - you know that yourself. If I see 160 supporters/backers on KS, I'm thinking: Huh, ~300-400 devices in the wild then. With that small scale it strikes me as a challenge to have a big enough base layer for mesh VPN / TOR-style networking. And when looking at a geo scale I'm worried - are enough of those people in my range so I get a speedy connection, or are they all long distance with bad connections so my link is being throttled by them?
I'm not against other solutions protecting customers. I'm just a bit wary of the high expectations you call for. :)
-
Reimplementing TOR is also likely to be a questionable tactic from a legal standpoint if not a bandwidth consumption one. If Customer A performs illegal activity over this mesh which exits Customer B's device, and LEOs track it to Customer B, what happens? It may not be traceable back to Customer A, but who knows what they would decide to do with Customer B.
With TOR, the end user has to make a conscious decision to become an exit node, along with whatever potential legal liability that may bring in the future. With this, it's baked in, and with it targeting lower-knowledge end users, customers may not fully realize what they are getting themselves into.
-
Funny you should mention that. After running a Tor exit node for the past couple of years, I shut mine down permanently last weekend after getting fed up with the constant ToS violation emails from my VPS host and having to respond to a never-ending series of support agents, each more clueless than the last.
They would cut off my access and then force me to do this ridiculous dance with their support, where they provide me with no data whatsoever about who complained and then demand to know what action I will take to prevent these in the future. I would then explain that I run a Tor exit node and that they haven't given me anything to work with so there is nothing I can do. After several hours, they restore my access - only to have them yank it again a few days later with the same issue and a new clueless support agent who doesn't even have the sense to check the customer's history. Repeat ad nauseam for years.
I finally gave up. Thanks for the t-shirt though.
Back to Winston, he did say that only small packets are routed through their network while data went direct so that may or may not affect who gets blamed for criminal activity.
-
And what ISPs are these low-tech targeted users of yours on? Most if not all of them have anti-sharing AUPs in place.
Here is Comcast's wording:
"use or run dedicated, stand-alone equipment or servers from the Premises that provide network content or any other services to anyone outside of your Premises local area network"
Cox:
"You may not resell the Service or otherwise make the Service available for use to persons outside your dwelling (for example, through an open wireless home network)."
AT&T:
"For example, you agree that the Service is not to be used to trunk or facilitate public internet access ("hotspots") or any other public use of the Service, or for any high-volume purpose. All aspects of the Service, except that portion provided by third party providers, is copyrighted and property of AT&T."
Pretty much every residential ISP in the US is going to have similar wording in their AUP. Let alone all the other stuff that falls under the AUP that might be done by traffic you're routing through their connection, which they would be responsible for.
-
So why not use TOR and communicate it? Why use something new?
Great question. When we were first researching the market opportunity, we surveyed and interviewed over 1,000 potential buyers. We learned that few had ever used Tor and those who did typically stopped using it, citing performance or other inconveniences.
Further research indicated that the prevailing privacy model was built around the use case of spies or hiding criminal activity, much like a chain (i.e. break one link, and the whole thing falls apart). What we discovered was that a new "consumer model" of privacy had emerged. This model is more like death-by-a-thousand-cuts, in which one incrementally gives up a huge amount of data about oneself every time one goes online.
The privacy violators exploit this laziness on the part of the user, so our insight was that we wanted to turn that around as a kind of Jiu Jitsu. Our thinking is that if we can lower the bar and allow for effective privacy tools to exist with the common everyday browsers and apps that people are accustomed to using, then it would benefit a larger audience.
why did the techniques you adapted or built again (AFAIR) need another go? Why not implement e.g. TOR as your routing/vpn/mesh solution?
Tor is slow and overkill for people who have nothing to hide. Winston is not optimized to shield criminal activity, it is optimized for speed and convenience.
With your new mesh I'm in fear of: "Huh, are there even enough customers later, that you actually DO have a critical mass to route/mesh with to gain the privacy you say?"
That's based on the misunderstanding that IP address alone is sufficient to track users. It is an important source of information entropy which trackers exploit and so we should block it. But IMO it is not the most important one. In any case, as few as 30 nodes in a geographic region provides strong protection here because it invalidates the assumption that a single IP represents at most a related cluster of people.
-
most if not all of them have antishare AUP in place..
My understanding is that ISPs do that because of file sharing and freeloading. Traffic injection is a powerful security benefit and they do recognize that.
Case in point, we're actually in discussions with two major ISPs now about resale partnerships. I would not want to mislead anyone and suggest that ISPs care so much about their users' privacy based on principle, but offering a free market solution to the small percentage of customers who care enough to take advantage of it is a strong response to the Federal pressure these ISPs are under right now.
-
@KOM said in Winston Privacy Device - Which Technology?:
Back to Winston, he did say that only small packets are routed through their network while data went direct so that may or may not affect who gets blamed for criminal activity.
Correct. Large data transfers continue to take place over local transports, not p2p. If customers are worried about this aspect, we do allow them to switch off p2p routing and make use of the other privacy protections only (which are not weak, by any means).
I am curious if anyone has suggestions that are not as "all-or-nothing" as this. For instance, we have been talking about the possibility of allowing users to specify sharing policies (and shipping with thoughtful default ones), such as streaming, pornography, illegal content and other blocklists.
Another highly requested feature is to allow users to set up their own private named networks that they can share with friends and family only.
Still another is the ability to dial down the amount of traffic sent out on the network and take advantage of traffic shaping (one research study I've read indicated that as little as 3% false traffic is sufficient to hinder IoT device identification).
I appreciate the thoughtful discussion!
-
There is what you think the AUP says, what they care about, and what it actually says... And what the ISP can do to their users - like just freaking kill their service when they see one user's overall usage jump up because they are routing other traffic over their connection.
Or some other "privacy device" does something against the user's ISP AUP and the ISP cracks the whip on the user, etc.
Once you have the OK from the ISP to do what you're doing, then you can hawk your boxes to those users... But until then... It sure could be a huge disaster for a lot of users.
And targeting "non-tech" users makes it worse if you ask me... At least if the person is technical they understand what they are doing - and what it means, etc., like running a Tor exit node... Billy Bob Facebook user is not going to run a Tor exit node out of the blue... But grandma could for sure buy your box and plug it in, it seems ;) Or at least that is your goal?
-
We are in active discussions with two ISPs. There is strong interest in reseller partnerships and my personal experience has been that they don't want to be perceived as being any more anti-privacy than is already the case.
We have been using the device internally for about 17 months and have had quite a few field units out there since September (8 months) with zero reported issues from ISPs. That should perhaps be expected, given that it's impossible to discern the source of specific traffic.
-
@WinstonPrivacy said in Winston Privacy Device - Which Technology?:
few field units out there since September
There is a huge difference between a few in the field and 1,000, if not tens of thousands, of them on an ISP network that figures it out and gets freaking pissed ;)
You want to hawk your "security" box to the masses that don't understand it? That is fine - route their traffic to your network.
But meshing these things and routing Billy's traffic over Karen's connection is BAD JUJU just waiting to hit the fan if you ask me... Especially the first time Kevin moves any sort of kiddy you-know-what about, thinking he is "safe" behind your security device.
given that it's impossible to discern the source of specific traffic.
Any ISP can for sure tell that Billy is going to a lot of crazy places for a home of 2 people ;) And can for sure tell something is up and take a closer look when, let's say, 1,000 of their users' usage just went up by 30% and is all over the place vs. just Karen's typical Netflix streaming usage.
So how is it you state
As an example, let's say your ISP wants to record your internet activity (most do)
but then you say you have ISPs that are saying it's going to be OK to put these boxes on their network - which will prevent them from tracking their own users?
-
Any chance we can get instructions how to load PfSense onto the HW we purchased?
-
Um..... that seems very unlikely? Especially since reading back they are using ARM (MIPS?).
Just a spam comment 2 years later?
-
@stephenw10 Woot