Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy The Internet Technology

Two-Thirds of Tech Workers Now Use a VPN, Survey Finds (9to5mac.com) 87

An anonymous reader shares a report: According to a survey, 65% of U.S. tech sector workers now use a virtual private network (VPN) on either work devices, personal ones or both. While much of that usage will be because it's installed as standard on work devices, a growing number of people are choosing to use a VPN on their own devices in response to past and proposed legislative changes. The Wombat Security survey found that 41% of those surveyed use a VPN on their personal laptop, with 31% doing so on mobile devices.
This discussion has been archived. No new comments can be posted.

Two-Thirds of Tech Workers Now Use a VPN, Survey Finds

Comments Filter:
  • I have three different VPNs for work.
    • by Anonymous Coward

      DACA...is CACA

  • by Anonymous Coward

    I have a VPN autolaunch on my laptop when I sart-up because I travel about 50% of my time and I am frequently on some random wifi connection. I was recently taken aside by an IT person who asked me very suspiciously why I was running a VPN. My response was "Almost everyone here works remotely at some point during the week. Isn't everyone running a VPN?" He grumbled something and walked off.

    • Re:Isn't everyone? (Score:5, Insightful)

      by green1 ( 322787 ) on Tuesday September 05, 2017 @04:05PM (#55143783)

      Your answer should have been, "The very fact that you know I'm on a VPN proves why I need it". Had he not been trying to spy on your data he would never have known.

      • Realistically, who would not be using a VPN with Wi-Fi links? So many places abuse it, from the restaurant chain that says that they can log every packet and sell the info as they see fit to the place that tries to MITM every connection with an oddball key... using a VPN is just like using FDE... a necessity.

        • by green1 ( 322787 )

          Depends what you're doing over that link. If the sites you go to are HTTPS, and the computer is still controlled by you, then they are getting somewhat limited data on your browsing, knowing only what sites you visit, not what you did once you got there. Conversely, using the VPN adds significant latency to your connection, and possibly some cost (depending on your VPN provider's plan, or if you provide your own, depending on your data usage plan for the connection it runs over)

          For most things I do, the VPN

          • by green1 ( 322787 )

            Additionally, how do you really know that the pipe out of the VPN is any more secure than the pipe you're on to start with?

            I'm 99% certain that all traffic out of my VPN can be intercepted by a foreign government, because my VPN is located in a foreign country that is well known for having no privacy rights, and an authoritarian government that monitors everything. Whereas most of the time my devices are connecting to networks in a country that has actual privacy laws. (I'm still 90% sure someone is monitor

            • Re: (Score:2, Funny)

              by Anonymous Coward

              Have you considered switching to a VPN located outside the United States?

            • I can control what VPN I use. With an ISP, I really can't, where at best, I'd have cable or the telco. If one VPN has a bad privacy policy, I can switch fairly easily. Offshore? Easily done.

              Of course, the VPN owner spilling the beans about what I'm doing is one thing... but if that is done and it is made public, the customer base of the VPN will disappear overnight.

      • Re:Isn't everyone? (Score:5, Informative)

        by networkBoy ( 774728 ) on Tuesday September 05, 2017 @04:39PM (#55144053) Journal

        I would then come back with:
        You're on company equipment and on a company network. Of course it's monitored. The fact that your data is not inspectable is what raised the flag on the automated system.

  • I used to use VPN on my Mac to connect to work until Apple broke PPTP in Sierra. I'm not bitter..... grrrr

    As for pubilc wifi, I use OpenVPN back to my home router.

    As for sending secrets to wikileaks, I use dual VPN (IP Vanish) and the tails OS through the TOR proxy.

    • I just use my BIL's computer.

      He don't know that.

    • by sconeu ( 64226 )

      Your IT staff needs to update. PPTP is old and broken.

    • by Mascot ( 120795 ) on Tuesday September 05, 2017 @04:14PM (#55143863)

      They didn't break it, they removed it. I can't tell if you're aware of that and just being facetious by saying "broke". Choice of words matter.

      But yeah, it was annoying. On the other hand it took all of half an hour to figure out how to enable L2TP/IPSec at work, so not exactly the end of the world. The rigidity of IT in larger corporations is probably more of a stumbling block than the technical side of it.

    • by infolation ( 840436 ) on Tuesday September 05, 2017 @04:28PM (#55143979)
      Apple didn't break PPTP. The protocol was insecure. Since it's a Microsoft protocol you could argue Microsoft broke it when they designed MS-CHAPv1 and, after Schneier and Mudge published the weakness they broke it again when they designed MS-CHAPv2. Schneier and Mudge proved the second version was only as secure as the password which means it's subject to dictionary attacks. Chapcrack plus CloudCracker = password brute-forced in 24 hours.
  • Useless data (Score:2, Insightful)

    by Anonymous Coward

    This survey is useless. It includes work-issued devices (where the VPN client is installed for corporate privacy) and doesn't specify the end user's purpose for using a VPN.

    • Hey, we have someone that actually read the article here! I am impressed! Must be to honor the first day back to school. :)

  • by Anonymous Coward

    Seems to me like the classic metrics analysis mistake of measuring the wrong thing for your desired conclusion. Using a VPN... to do what, and why? To access internal company systems while you're working remotely? To fool content geolocation restrictions? To browse the web when you want privacy? Because your Internet-savvy friend or computer repair-person told you you should?

    If we're to draw more meaningful conclusions from a survey like this, we'd need to know more about the reasons behind each respon

  • by bickerdyke ( 670000 ) on Tuesday September 05, 2017 @04:17PM (#55143887)

    Not mentioned in the study: 60% use a VPN to bypass a geoblocked hulu.

  • by Anonymous Coward

    Do they mean to say that the VPNs are used for everyday browsing? Or in order to do work that requires connecting to computer via WAN? There are some regulations that require VPN in certain circumstances. For instance HIPPA regulations require VPC connection(s) for use in anything that sends/receives medical records.

    At any rate, how is this news for those of us in the field? Kinda looks like FUD.

    • by Kernel Kurtz ( 182424 ) on Tuesday September 05, 2017 @05:01PM (#55144221)

      Yes, though it comes down to primarily two basically opposite reasons;

      I use a VPN to securely access my work resources from home. With two factor authentication and associated firewall rules that control my access to internal resources. They know who I am, they know what I do when I am connected (and since I am with the corp network team I'm actually one of the watchers as well).

      I also use a personal VPN, not to access work resources but for the totally reverse functionality - so that people who may be watching my activity DO NOT know who I am, as well as greatly limiting, though not completely removing, the number of people who can watch in the first place.

      Pretty versatile thing those VPNs.

      • by pnutjam ( 523990 )
        I have a home server running x2go, so I can access everything from it on an encyrpted SSH tunnel. I pass it's outbound traffic through a vpn for privacy. It works great. I've thought about an inbound VPN, but it's just not necessary yet and I have restricted inbound traffic, although AT&T is offering symmetrical 100 and 1000 mbit connections in my neighborhood now.
  • by tgetzoya ( 827201 ) on Tuesday September 05, 2017 @04:27PM (#55143967)
    I use a VPN on all my devices. I don't want Comcast/Verizon/etc making me the product if I'm not getting a cut.
    • by Anonymous Coward

      Almost every IT workplace uses a VPN, even internally, because it allows one to limit access to things to that range. Plus, with 2FA, if someone is on a VPN, they at least passed authentication.

      I also use personal VPNs. One even tunnels from my internal router to a nearby VPN provider, just because I trust my ISP's router as far as I can drop-kick it.

      Torrents? Yep, VPN to somewhere overseas, so some witch hunt has to escalate into an international incident before it affects me.

    • Really? If your ISP gave you $2/month (or whatever the marginal value of one customer's browsing history is) on the condition that all your traffic is inspectable, you'd agree?

  • Pointless Article (Score:3, Informative)

    by Luthair ( 847766 ) on Tuesday September 05, 2017 @04:28PM (#55143973)
    About a meaningless statistic.
  • Depends on use case. (Score:5, Interesting)

    by green1 ( 322787 ) on Tuesday September 05, 2017 @04:38PM (#55144043)

    I use my work laptop to work from home over the company VPN. It's necessary to use it to do any work, and makes perfect sense.

    I have a personal VPN that connects my home computer (on my xDSL connection), my server (VPS in a data centre) and my car's computer (connected by cellular data) so that I can securely transmit information between them, and not have to worry about the fact that 2 of those 3 devices are on dynamic IPs.

    But I don't use a VPN for general internet use because it slows down the connection and racks up billable data usage at 2 locations (home and server) instead of just 1 location (home).

    Sure, I know people are probably spying on me, but the tradeoff just isn't really worth it.

    • by pnutjam ( 523990 )
      I get great speeds with Air VPN, and I used to use PIA and get excellent speeds. Never noticed much slowdown, but I was only on a 10/1 connection.
  • Had a couple different VPN solutions to access work-related services externally.

    There was no other way to access them externally without a VPN.

    Personal VPN services are a horse of a different color, as in much more optional, depending on what you're doing on the Internet. I have one for accessing services on my home network from outside the home network for example.

  • by Anonymous Coward
    I work for the government of Canada and use a VPN from my own laptop to get into, and do, work. The shitty laptops they give out are garbage. I VM'd mine and use it in VirtualBox with double the memory and cores of the physical box. Can even get into the core data centers with it: zero problems to date.
  • Our whole company was using VPN back in 2012 and it was considered standard practice at that point. Every company I've dealt with since then has also had VPN.

  • by swillden ( 191260 ) <shawn-ds@willden.org> on Tuesday September 05, 2017 @06:42PM (#55144797) Journal

    VPNs are part of a badly broken security model: the perimeter defense model. It doesn't work very well at small scales, definitely does not scale for large enterprises and generally creates a lot of misunderstandings that result in bad security decisions.

    Google had a segmented perimeter defense model for several years, but has spent the last five years or so getting rid of it. The VPNs aren't entirely gone, but nearly so. You now have to get special permission to run a service that requires VPNs to access.

    The perimeter defense model is based on the notion that it's possible to build a network that is physically secure and which contains only trusted, managed systems. The assumption is that any machine connected to the network is inherently trusted to some degree, and has access to some potentially-sensitive resources merely by virtue of being connected.

    The problem is that it's cost-prohibitive to build a physically-secure network, and a management nightmare to try to ensure that only trusted systems can be connected to it. 802.11X authentication, which requires every device that connects to perform a cryptographic authentication, can help keep unauthorized devices off the network but it doesn't prevent sniffing or impersonation, and can't prevent compromised devices from exploiting the trust they're given.

    That last point is a really telling one, because if you assume that there's some ambient authority available to any device on the network, you inevitably end up granting that ambient authority permission to access resources that only a subset of the connected devices should actually have. Also, for all of the systems that require more authorization than the ambient authority, you still have to have some sort of login system, either per application, or else build out some sort of single sign-on infrastructure.

    The solution is a zero-trust network, where no device is assumed to have any authority merely by virtue of being connected, and all connections are end-to-end authenticated and encrypted. Then, a compromised device still can only access the resources that it is supposed to be able to access, because it doesn't have authorization for anything else. It also means there's no need to try to keep unauthorized devices off the network, and no worry about attackers having physical access to the network (other than DoS concerns). This approach does increase the importance of keeping all "legitimate" devices on the network secured and patched, but that really has to be done anyway.

    Google's calls its version of this approach BeyondCorp [google.com]. It's build around a set of proxies which take responsibility for user authentication and identification. User devices connect to the proxy (in the case of web apps it's a literal HTTPS proxy) and strongly authenticate themselves with username, password and two-factor auth token. The proxy then has an already strongly-secure connection to the backend system the user is trying to reach, and it forward's the user's request to the backend with the user's identity (in an HTTP header, for web requests). The backend (or a service it delegates to) can then decide whether the user is authorized to connect and use the service, and if so which parts of the service the user can use, what data the user can see, etc.

    The approach divides authentication from authorization, doing the first in the proxy and the latter in the backend that knows what different users are allowed to do. The backend doesn't have to know anything about user authentication, meaning as authentication needs and approaches change, they can all be implemented in the client and proxy, without touching the backends. Meanwhile the proxy doesn't know anything about authorization; it's a backend-agnostic, general-purpose single sign-on service. And, of course, all connections are encrypted and authenticated, all the time.

    What all of this means to Google employees is that there is exactly zero difference bet

    • > The perimeter defense model is based on the notion that it's possible to build a network that is physically secure and which contains only trusted, managed systems.

      If I may disagree? It's based on the notion that it's possible to reduce your vulnerability, profoundly, by reducing your exposed surface and enabling some tracking of who is accessing the internal network with what privileges. I'm afraid there is not complete security. Locking casual access outside the local network is never absolutely effe

      • My wife works for a major bank, and understandably they are rather anal retentive about security, to the point where trying to get access to a database is a three day affair involving reams of paperwork and authorizations. In a way also understandable, but as a developer who needs to connect to multiple databases (staging, QA etc.) it is a real pain in the ass. Googles approach sounds like a nightmare in comparison. I will let her know tonight that it can be way worse, it might stop her whining about it
        • My wife works for a major bank, and understandably they are rather anal retentive about security, to the point where trying to get access to a database is a three day affair involving reams of paperwork and authorizations. In a way also understandable, but as a developer who needs to connect to multiple databases (staging, QA etc.) it is a real pain in the ass. Googles approach sounds like a nightmare in comparison. I will let her know tonight that it can be way worse, it might stop her whining about it as much.

          At Google it would have taken her 15 minutes to get access, all done electronically (unless regulations required ink on paper signatures). Her manager would have submitted a request to have her added to the group that has access, and forwarded that request to the appropriate authorizing people (actually, the forwarding is generally automated, but it can be done either way). Those people would have checked what they needed to check and approved. Once added to the group, the same login she uses to get to her

      • > The perimeter defense model is based on the notion that it's possible to build a network that is physically secure and which contains only trusted, managed systems.

        If I may disagree? It's based on the notion that it's possible to reduce your vulnerability, profoundly, by reducing your exposed surface and enabling some tracking of who is accessing the internal network with what privileges.

        You may disagree, but you're wrong :-)

        Perimeter defense as a defense in depth strategy is fine. In theory. In practice, it breeds an assumption that the network is "safe" in some important sense. That's the "ambient authority" to which I referred. If you can avoid that assumption and properly secure everything within the network in addition to implementing strong perimeter defense, great. If you tell me you have done this, I will laugh at you. I was a corporate security consultant for 15 years, working fo

        • > Perimeter defense as a defense in depth strategy is fine. In theory. In practice, it breeds an assumption that the network is "safe" in some important sense.

          "Safer" is the operative word. A VPN is typically associated with a firewall that restricts access to certain systems or certain portions of a network through a gatekeeper. This often includes components that are relatively difficult to activate a full-blown "single sign-on" method on, or services that are far more difficult to secure individually.

          • All of your points are trumped by the simple fact that when people believe their network to be secure, they don't adequately secure the endpoints behind the firewall -- and that the network is never secure. And I don't mean that in a "perfectly hermetic" sense, I mean that in a practical "attackers can always get in" sense. With the exception of databases on laptops, this is the single largest root cause of leaked corporate data. The problem here is that you're talking about theory, and I'm talking about pr

  • With all the interesting workers and the private sector embracing VPN products and services?
    XKeyscore https://en.wikipedia.org/wiki/... [wikipedia.org] to find the user. A Turbulence like project to get into the users systems. https://en.wikipedia.org/wiki/... [wikipedia.org]
    NSA’s automated hacking engine offers hands-free pwning of the world (3/13/2014)
    https://arstechnica.com/inform... [arstechnica.com]
    ..VPN connections by inserting an implant on routers that break VPNs’ key exchange process, opening virtually any VPN to direct surveil
  • I dumped VPN at my company in favor of virtual desktops (vmware view). It is much safer, I don't have to worry about "dirty" outside computers connecting to the network. Instead, employees get the same desktop every time, the same resources every time. It's generally safer. The employees love it because it's generally much faster.

    It's one of the few win-win scenarios in I.T. for mobile workers.

  • So privacy isn't really dead?

  • I have a pro of "unnamed" (don't want to ad it) for life, since I got some deal off somewhere, I can't really use it daily, since my home internet connection isn't on good level (sad), but I use it pretty much always on my laptop, when on mobile wifi or some free wifi spot. It sometimes even skips view this ad for 30s then u can use wifi. Also tunneling to different location to access something is good, since for example most channels like Nat Geo have websites, you can view exclusives or for outsiders what

I had the rare misfortune of being one of the first people to try and implement a PL/1 compiler. -- T. Cheatham

Working...