While drafting my next post, I remembered a little anecdote from a few years ago at a friend’s wedding. They’ve been friends since high school, and there were a few people that I knew but hadn’t seen since graduation.
Anyway, I was chatting with this group when the first drinks started rolling during the reception. One of the girls (who I believe is a graphic designer) asked me where I got the photos I uploaded to Instagram.
Since I am sometimes oblivious, I took her quite literally and thought this was a workflow question. She’s a designer, after all. So, I explained that I usually pick a few after processing the RAWs, crop if needed, and resize so Instagram won’t destroy the image quality.
She clearly didn’t mean that, which prompted her to repeat the question. So, I went again to explain the workflow in a little more detail, including how I then upload using the phone app instead of the browser and that I get the files from the computer to the phone using Nextcloud (if you don’t know what that is, think a self-hosted Dropbox or Google Drive thing).
Again, this is not what she meant, and she repeated the question once more. Confused, I paused while my stupid brain processed her meaning, and it finally clicked. She asked where the actual photos came from. The implication was that they were not mine.
I’m not tactful at all, so I just replied (paraphrasing here), “They’re mine, but thanks, you probably like them if you think otherwise.” Obviously, the conversation ended right there.
I don’t know if they meant it as an insult or if it is one of those awkward things people say without realizing it. Or maybe it was one of those “your camera takes nice pictures” moments we’re all familiar with, where no harm is intended.
But remembering little exchanges like these makes me wonder if sometimes I’m too self-deprecating when judging my photos. After all, I have yet to capture something I’m genuinely fond of. But that’s okay because it gives me an excuse to keep searching for what I want. And that means going out and taking photos. And having fun.
PS: Remember you can find the crap I take in my free time on my Instagram account.
Have you ever asked yourself why you do the things you do? Not work, school, or chores. I’m referring to hobbies.
Occasionally, I find myself standing beside my camera on a tripod, somewhere remote in the freezing night, asking myself: “Why photography, though?”
The first answers that usually come to mind are the cliché that I do it for fun and as a distraction. I do it to get better at this and explore new places.
Over the last year, I found another meaning to add to that list.
Existence precedes essence
During my late high school days, I was always bothered by the question of what truly defines oneself. Maybe Jean-Paul Sartre is to blame since we had to study him briefly, and everyone loved piling on him by calling their works “depressing.” What they meant to say was “boring.” The dude just loved rambling on and on… like any other philosopher.
It doesn’t take much brainpower to realize that we are our memories. And from this, a new fear developed. Now, fear is often irrational. For example, I’m afraid of spiders, which you could describe as a phobia. The small ones make me anxious, but I can deal with myself. When we get into centimeters (plural), that’s when I go full panic. And let’s not mention tarantulas, or we’ll be here all day.
But I don’t think this other fear is irrational at all. I find it very much justified and a real threat to oneself.
The fear of forgetting
I’ve always been afraid of forgetting, of losing my memories. Fearful of becoming unable to remember, think, and communicate. Afraid of slowly drifting away in one of the cruelest ways I can imagine.
You might be thinking that’s very unlikely; after all, Our World in Data estimates that the prevalence of Alzheimer’s across the world is around 682,48 for every 100.000 people (or about 0,68%). The World Health Organization estimates 5,4% for men and 8,1% for women, but that’s only considering people among the 65+ year old age group.
It might seem the odds are low and unlikely but don’t forget we’re still living through a pandemic with a global fatality rate of around 7,9% at its worst. Worldwide fatalities are estimated at about 6,9 million people (as of this writing).
Say what you want, but forgetting who I am feels like a real, terrifying possibility.
In the end, all memories go away
Even if we keep our memories intact until our last breath, we all eventually die. And we take our memories with us.
Some people find solace in their belief system, maybe afterlife or reincarnation. Despite being an atheist myself, I’m glad they do. I have no issue when people go to religion to find the answers science has not given us yet.
Still, there’s something heartwarming about the thought of being remembered, of not being forgotten in time. But still, eventually, everyone we shared our time here with will also go away.
Maybe that’s why some chase fame, power, and money. Perhaps they desperately yearn to be remembered for all eternity or at least until the end of our species. The reality is that the overwhelming majority won’t. A handful will become a footnote in an essay someday, if lucky.
I couldn’t care less. I don’t want to be remembered.
So, I’ll keep taking pictures wherever I can, even if it’s cold outside. Even when it’s late at night and I must wake up early the next day. Even if I must drive for hours back home. Even when my compositions suck, and I delete everything once I’m back at the computer. Even if it’s not my job. Even if nobody likes what I do.
Because when I’m browsing those pictures, alone or with friends, I can think about the good times that went by and the good times that will come.
Because I want, above all, to remember.
PS: After proofreading this, I realize it might come as sad or depressing to some, but fear not, I enjoy going down these trains of thought. Everything’s gonna be okay. Also, I wonder what I’ll think about this post in, say, ten years from now, assuming the blog is still online by then. I’ll probably say it’s trash.
Sometime during the past decade, Adobe started pushing its subscription-based licensing. Eventually, acquiring a traditional, perpetual license for the products on their creative suite became impossible.
Since then, I’ve been looking to do away with Adobe products. I already switched from Premiere Pro to DaVinci Resolve Free. Unfortunately, when it came to photo editing, I couldn’t find a decent replacement until now.
I finally got rid of Photoshop. Granted, it wasn’t trivial. I had to make some (minor) sacrifices. This post is about telling you what I replaced it with.
The tools that need replacing
When I say Photoshop, I’m referring to three separate programs:
Adobe Bridge
Adobe Lightroom
Adobe Photoshop
Photoshop is the most known and understood of the three. A wildly popular and known image editor that can be used for retouching photographs and creating digital art from scratch. Photoshop is so ubiquitous that it became a verb long ago: people often say something was “photoshopped” to imply an image was falsified somehow. In other words, Photoshop is the pinnacle of 2D raster graphics editing.
Lightroom, while less known in the mainstream, is wildly popular among amateur and professional photographers alike. Lightroom is photography-oriented and has you covered through every step of your workflow: from ingestion up to delivery. Ironically, this is the one I use the least of the three, only for ingestion and, very rarely, prints. I never got used to the workflow, and I’m not a big fan of the catalog-centric approach.
Finally, there’s Bridge, which I think is often the least understood of the bunch. It’s a file manager with asset-management-specific features. It is supposed to be the link across many Adobe products, hence its name. Bridge has been central to my workflow as I’ve used it for culling and organization. In that regard, it has been flawless. Whatever other fancy features it has don’t matter to me.
Why replace what already works?
As I mentioned earlier, one of the reasons is that I’m sick and tired of every piece of software becoming subscription-based, especially when I’m not getting a service that requires 24×7 upkeep. I’ve reluctantly subscribed to Microsoft 365, and the more I think about it, the more it feels like a scam.
The biggest reason of all is pricing. I’ll get into detail later, but the Adobe option that better suits me is the Photography Plan, which is $238.88/year at the time of this writing.
The alternatives I settled with
To recap, my needs are:
Downloading the files from the camera.
Review and organize the photos.
Edit the photos.
Replacing Adobe Bridge for photo management with XnView MP
This was the hardest one to find a replacement I was OK with, until I came across a recommendation for XnView MP.
For what I used Adobe Bridge for, XnView MP feels like home. It’s free, has way more customization options, and the best part is that it’s genuinely cross-platform: it’s available on Windows, macOS, and Linux. I don’t need much of a Bridge alternative. I’m surprised it took me this long to hear about this piece of software which does everything I need from it. Also, as of this writing, I’m getting updates occasionally, which means it’s actively maintained.
Replacing Adobe Photoshop for photo editing with Serif Affinity Photo 2 and DxO ViewPoint 4
Adobe Photoshop is so huge that I doubt a single person will ever use all its features during their lifetime. Did you know it supports DICOM files, for example?
What I need from a photo editing package is to process RAW and JPEG files, do the usual exposure tuning settings, correct blemishes, export optimized versions, do batch operations, merge panoramas or exposure stacks, and make color corrections, to name a few.
When I heard Affinity Photo was on discount due to the v2 release, I installed it and forced myself to use it for a few days. I did not miss Photoshop, so I bought their universal license while the discount was still available.
The software is available for Windows, macOS, and iPad (which I don’t have). You can get licenses in two ways: either you pay $69.99 for a platform-specific license (except the iPad, which sells for $19.99), or you pay for what they call the Universal License, which gives you access to all Affinity Programs (this is Designer and Publisher) on all platforms.
As I said, I don’t miss Photoshop, except for the perspective correction in the Adobe Camera Raw plugin. Affinity Photo has a perspective correction tool which honestly sucks for what I want it to do.
That’s where DxO ViewPoint 4 comes in. It’s a stand-alone tool that allows for distortion and perspective correction. While Affinity Photo supports some Photoshop plugins, and ViewPoint 4 is also provided as a plugin, it is not listed as compatible with Affinity. To some, this might be a downside or even a deal-breaker. It doesn’t matter to me since the output of my workflow, in the end, is always JPEGs (regardless of whether I shoot RAW or not). So, using ViewPoint as a stand-alone program only adds a step at the end of my workflow.
Replacing Lightroom for ingestion with EOS Utility and XnView MP
Lightroom was the one I cared about the least because I only used it to import files, organize everything into the folder hierarchy I wanted, and rename the files according to my rules. The beauty of Lightroom is that it supports a wide range of cameras, so you don’t have to mess with different apps for different cameras.
The most obvious choice would be to use EOS Utility, so I chose this. While it does get the job done, I had some issues, for which I have already found workarounds.
Canon provides two separate versions of EOS Utility: version 2 for older cameras like the 70D and version 3 for newer cameras like the M50. As far as I know, you can’t use one with the other. I’d prefer them to have a single program, but as a full-time developer, I understand the pain of maintaining legacy stuff, so I bear with it.
One weird thing is that under macOS, the only way I can get the older EOS Utility 2 not to crash is if I open Finder and browse to the app in the Applications folder. If launched automatically when the camera connects, from the dock or even from the launchpad, it crashes as soon as it starts importing. Why? I have no idea. Does it make sense? No. File under “it just works” with your local Apple fanboy.
The other thing I don’t like is that PowerShot cameras use the lesser “Canon Image Transfer Utility.” While it does transfer the files just fine, it doesn’t have the same file renaming features EOS Utility (or Lightroom) has. A workaround is to import from the SD card using XnView’s “Import and Sort” feature.
At this point, I might use an SD card reader for everything and import using XnView, with the additional benefit of faster transfer speeds. All these years, I avoided using card readers as you’re at risk of damaging your SD cards if you’re constantly taking them in and out, but that could be an impression left on me from the early days.
Let’s talk about money
| Product | Retail Price | What I paid |
| --- | --- | --- |
| XnView MP | Free | Free |
| Affinity Universal License | $169.99 | $99.99 |
| DxO ViewPoint 4 | $99.00 | $99.00 |
| EOS Utility 2 & 3 | Included with camera | Included with camera |
| Total | $268.99 | $198.99 |
The total comes in just short of $200. Compared to the $238.88 per year of Adobe’s Photography Plan, that’s a saving already, but only because I managed to get a discount. At retail prices, the total would be $30.11 more expensive than Adobe’s offering.
That’s not the whole story, however.
These are “perpetual” licenses. I put it in quotes because that’s only true as long as both Serif and DxO don’t kill the activation for their older products. Their track record is good so far, though, as previous versions of both products lasted for around six years (and can still be activated, from what I read). Let’s settle for five years and compare both offerings, assuming pricing stays the same over this period:
| Products | Upfront cost, no discounts | Cost over five years |
| --- | --- | --- |
| Affinity Universal License v2 | $169.99 | $169.99 |
| DxO ViewPoint 4 | $99.00 | $99.00 |
| Affinity + DxO | $268.99 | $268.99 |
| Adobe Photography Plan | $238.88 | $1194.40 |
| Savings | -$30.11 | $925.41 |
So there you have it. Over five years, I’d save around $925. There are a few gotchas, though:
Adobe’s Creative Cloud offerings also include cloud storage, which I don’t need but might be worth it to some individuals.
Adobe’s Creative Cloud offerings ensure that you’ll always have access to the latest versions of their software (like it or not).
With Affinity and DxO, I’ll have to pay again to upgrade. However, I have the option of not caring about new features and skipping a release cycle.
And if you think about it, I could still pay three times the total price of the alternatives and still have $118.44 left. And no, neither Serif nor DxO has released three new major versions within such a short time.
I could save even more going with the stand-alone license for Affinity Photo. Still, since I use both Windows and macOS and I’m starting to use Affinity Publisher, you could say their promotional discount got me.
You might want to rationalize those savings as being just $15.43 a month over five years. I certainly did. But now think about the things you buy every five years or so for around that money. We’re into computer upgrade territory here.
So, would this make financial sense to you?
You’re the only one who can answer that question, but I can help you by telling you that it depends on what you’re using these tools for.
As an amateur or hobbyist learning photography or doing it for fun, you should consider the alternatives instead of jumping straight onto the Adobe bandwagon. Especially since most offer free trials with no credit card required. You must also look at what’s available to you for free. For example, Canon’s Digital Photo Professional (or DPP) is a decent and powerful image-processing tool often overlooked. RawTherapee is another option, which is both free and open source. These two seem more focused on photo processing rather than image editing.
If you’re a creative professional, and by that, I mean this stuff pays the bills at home, then this is an entirely different discussion. For instance, $239.88 a year might be a reasonable business expense. Or maybe you do more than just photography and need other tools like Premiere Pro or After Effects, at which point the Creative Cloud “All Apps” bundle starts making much more sense.
If you’re working on a team or often collaborating with people, you’ll probably have to use the same tools as everyone else, in which case you probably don’t have an option.
However, I’m strictly speaking from a financial point of view. As a professional, you should take some time occasionally to see what the competition offers. DxO PhotoLab 6, which I tried, looks compelling if you’re looking for a software package exclusively for photography. It felt like what Lightroom should always have been. Most notably, their local adjustments feature blew my mind every time I used it.
Wrapping up
In conclusion, I’m happy that I finally broke free of Adobe. The switch is not out of spite or hate. I genuinely believe that they’re on top of their game. However, considering my finances and needs, an expensive subscription for these tools makes no sense.
I honestly don’t miss Adobe at all, and I’m surprised to say this not even a year into dropping them. Will I be missing out on some new cool stuff they release? Probably. Especially considering that “AI” is the buzzword of the day, we can expect an avalanche of machine-learning-assisted tools to make it into the product in the following years.
But unless they get noise reduction like never seen before or some crazy automated perspective correction baked in, I’ll be yawning at their future tech demos.
You might see ads on the internet almost every day about VPN service providers. On social media posts, YouTube sponsorships and website ads, these companies make bold claims on why you need to use their VPN services… or else.
But some VPN providers still say some wild stuff which might not be obvious to the uninformed. Also, some not-that-old content online will still have those sponsorship talking points. Therefore, I’ll take a look at what those claims are and give my 2 cents on them: some are true and some are disingenuous at best.
Note: I'm doing my best to not quote or mention any VPN service provider in particular. This is not out of respect for any company; I simply don't want to endorse/oppose any of them.
There might be some links in this post which mention one or more providers. Understand that some of the points made here are not with a company in particular but with the whole "thing".
Also, recommending any specific company is like treading on murky waters for me. I've been very skeptical of this industry for a long time and most reviews/endorsements I see online smell of paid advertising all over the place.
Therefore, I'm not expecting you to take anything of this at face value. If anything, what I just said should make any bias I have obvious. Consider this post leaning more towards opinion and less towards fact.
Before I get started, I want to clarify that I don’t hate or have a grudge against VPN service providers. There are legitimate use cases for them; it’s the marketing-speak which I have an issue with. I’m also aware that there are people that can only see things as black-or-white; if that’s you, then you’re not the intended audience of this post (or this blog).
What is a VPN?
Let’s start with a stupid and oversimplified example. Feel free to skip this section if you have some idea of what VPNs are.
Say, you and I want to share some files. We can use something like Dropbox or Google Drive but we’re talking about big files and doing so would be expensive and time-consuming as I’d have to wait until they finish uploading on your side to start downloading them.
If these were two computers on the same network, we could easily transfer files between them. On Windows, for example, we’d enable shared folders and start copying files away. Using shared folders over the internet, however, is not a good idea. Even if modern versions of the protocol (SMB) might support encryption and “better” authentication, it’s not considered safe to be openly used over the internet. Remember WannaCry?
If only something existed that allowed us to make a private connection between both of our computers. You know, something like a secret tunnel between computers…
By now you probably figured out, but basically that’s what a Virtual Private Network (VPN) is. In layman terms:
Virtual: fancy software and network magic makes it work as if you had a cable between both ends, but it does so over already existing infrastructure, such as the internet.
Private: only those holding the appropriate keys can access and make sense of what’s being transmitted. Everyone else just sees gibberish because encryption.
Network: it connects devices and/or networks on each end.
That’s basically what your VPN provider gives you: a virtual private tunnel between your device and their servers. Anyone else in the middle can only see you’re connected to the VPN. What’s actually being transmitted remains private (unless they break the encryption or your VPN provider tells them, but we’re getting ahead of ourselves).
Now that we got that out of the way, let’s see the most common selling points VPN providers use and how much of that is true, what is false, what is misleading and what’s irrelevant.
The #1 reason: it allows you to access geo-blocked content
A common selling point of VPN services is that you can evade region locking on streaming platforms such as Netflix. The way this works is by choosing a server in a different region than yours. On the streaming site’s side, you’ll be seen as accessing the service from a different region and therefore you’ll access that region’s catalog. In practice this works, because some services such as Netflix allow you to:
Taking Netflix with you while you’re on the go? All you need is a stable internet connection for your supported device.
While abroad, subscribers can stream Disney+ content that is available in the country/region they’re in. To make sure you can still stream your favourite movies and shows while travelling, download them to your device.
In theory, streaming providers could work around this by peeking at your devices; for example, web browsers can use APIs such as Navigator.language or Navigator.geolocation. Native apps might make use of location services as well. Of course, a less creepy approach would be to check against your billing information.
Yet, here’s what Netflix says about consuming their services through a VPN:
You can use a VPN with Netflix, but what you can watch will be limited to TV shows and movies where Netflix owns the global rights, for example Squid Game or Stranger Things. To be able to watch all TV shows and movies available in your country, turn off your VPN and try Netflix again.
The main reasons why streaming services might want to limit a VPN user’s experience or outright block them are:
International licensing mess: content licensed from third-parties is usually negotiated for a specific region. For example, they might be able to license some movies in the US but not in South America, or the licensing terms might differ.
Subscription or product prices might vary from region to region. This is often known as “regional pricing“: customers in lower income countries need lower prices otherwise the platform is not competitive.
Despite that, users all over the world report being able to successfully access a different country’s catalog while remaining undetected by Netflix. It seems as if they’re not “doing much”. On one side, blocking VPN users is futile because it would require having access to an up-to-date list of IP address ranges assigned to VPN providers (or even hosting providers). Consider it a cat-and-mouse game. On the other side (and this is pure speculation) they only need to look as if they’re doing “enough” to keep the studios happy.
Of course, as streaming platforms invest more and more in original content, and everyone starts rolling their own, this becomes less of an issue. Their goal here is to keep as much revenue as possible. Sure, you might take a cut from offering 3rd party movies and shows, but you get to keep all of it when it’s yours.
What’s also one of the top selling points of any VPN service provider is that they protect your privacy. But from who exactly?
It certainly protects you from your ISP, but after that there are no guarantees, unless the VPN server you’re connected to is in a different country; then you could argue that it also protects you from your government (more on that below). It’s a question of trust. Keep in mind that:
Sure, a company might claim they don’t do it. They might even have audits to back up those claims. Which is a nice thing until they turn their backs. The thing about audits is that they’re valid for a specific point in time; at most, an audit might tell you they didn’t lie in the past.
However, a VPN provider for which nothing shady has been found, several times in a row, by independent and trusted auditors is something worth considering. After all, “they didn’t screw up their customers so far” is more trustworthy than “I have no idea“.
Note: in some jurisdictions your VPN provider might not even be legally able to let users know authorities forced them to either hand over data or grant them access to their infrastructure. Gag orders are a thing and they're not a US exclusive.
With that in mind, there are scenarios where a VPN can protect your privacy from governments; it comes down to a geopolitical choice. A VPN provider that operates in the same country as the government you want to hide from is not a good choice. Nor is one in a country that’s a close ally of your enemy.
For example, if you’re a Chinese dissident in August 2022, you obviously won’t choose a provider which is either based in or has servers in Russia. If you’re a pro-China Taiwanese dissident it’d be wise to stay away from providers in the US, the UK, Canada, countries that are members of “Five Eyes” or even key NATO countries.
Members of the UKUSA agreement, commonly known as “Five Eyes” (as of 2022) Public Domain by Applysense on Wikipedia
Of course, the “protecting my privacy from my government” may fall short depending on what services you’re using and/or where you’re connecting to.
What is DNS and DNS leaking?
In case you don’t know, the Domain Name System (DNS) is the naming system we use to translate human-friendly domain names, such as google.com, into IP addresses, such as 142.251.133.68. Names are easier to remember, seemingly random numbers are not. Not only that, but sometimes the IP address needs to change, for example, if I have servers both in the US and Europe but I don’t want to tell my customers different domain names or if I blow up my server with TNT and now I have to point my domain name to a new server.
The simplified version of how this works is that you enter a domain name somewhere, such as example.com in your browser, then if your device does not know where that is (or it has been a “long” time since it saw it) it needs to go ask a DNS server where that is. If the server doesn’t know, the request goes up the DNS hierarchy until it reaches a server that does.
One thing a VPN service provider must do is push its own DNS server (resolver) configuration; otherwise DNS requests may not go through the VPN, and while your web traffic will still be encrypted and going through the tunnel, you’re still giving away the domain names you’re visiting.
There are online sites that can help you detect if your configuration is leaking DNS requests, one such site is browserleaks.com/dns.
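A local complement to the online test, as an added example that is not part of the original post: it takes a resolver configuration and a routing table and uses longest-prefix matching to tell which DNS servers would be reached outside the tunnel. The interface names (`tun0`, `wlan0`), addresses and routes are constructed sample values, and only IPv4 is modelled.

```python
import ipaddress


def parse_routes(route_text):
    """Parse `ip route`-style lines into (network, interface) pairs (IPv4 only)."""
    routes = []
    for line in route_text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields[:-1]:
            continue  # blank line, or a route with no outgoing device
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        try:
            network = ipaddress.ip_network(dest, strict=False)
        except ValueError:
            continue  # route types this sketch does not model
        routes.append((network, fields[fields.index("dev") + 1]))
    return routes


def egress_interface(address, routes):
    """Longest-prefix match: the most specific route containing the address wins."""
    candidates = [(net.prefixlen, dev) for net, dev in routes if address in net]
    return max(candidates)[1] if candidates else None


def parse_resolvers(resolv_conf):
    """Return the `nameserver` addresses from resolv.conf-style text."""
    resolvers = []
    for line in resolv_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            resolvers.append(ipaddress.ip_address(fields[1]))
    return resolvers


def dns_leak_report(resolv_conf, route_text, tunnel_interface):
    """Map each configured resolver to (status, interface).

    status is "tunnel" (queries travel inside the VPN), "leak" (queries leave
    through another interface), "local-stub" (a loopback forwarder whose
    upstream servers must be checked instead) or "no-route".
    """
    routes = parse_routes(route_text)
    report = {}
    for resolver in parse_resolvers(resolv_conf):
        if resolver.is_loopback:
            status, dev = "local-stub", "lo"
        else:
            dev = egress_interface(resolver, routes)
            if dev is None:
                status = "no-route"
            elif dev == tunnel_interface:
                status = "tunnel"
            else:
                status = "leak"
        report[str(resolver)] = (status, dev)
    return report


# Constructed routing table: a VPN that overrides the default route with two
# /1 routes, plus the directly connected LAN and tunnel subnets.
SAMPLE_ROUTES = """
default via 192.168.1.1 dev wlan0
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.50
"""

# Constructed resolver configuration.
SAMPLE_RESOLV_CONF = """
nameserver 192.168.1.1    # home router, handed out by DHCP before the VPN came up
nameserver 10.8.0.1       # resolver pushed by the VPN
nameserver 198.51.100.53  # some third-party resolver on the internet
nameserver 127.0.0.53     # local stub forwarder
"""

if __name__ == "__main__":
    report = dns_leak_report(SAMPLE_RESOLV_CONF, SAMPLE_ROUTES, "tun0")
    for resolver, (status, dev) in report.items():
        print(f"{resolver:<15} {status:<10} via {dev}")
```

The router entry is the classic leak: the LAN route is more specific than the VPN's catch-all routes, so queries to it skip the tunnel. A resolver reached through the tunnel still sees the names you look up; the tunnel only hides them from the networks in between.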
It protects you from… tracking?
Pretty much in the same boat as claiming a VPN protects your privacy is the claim that they protect you from companies tracking you. The thing is, IP-based tracking is not much of a thing anymore, as it is not as reliable as it used to be, considering:
If your house has an internet connection, pretty much everyone’s on it. That means several people behind the same public IP address. Same goes for businesses, schools and any other setting where several people use the same internet connection.
Even worse, some ISPs have to resort to Carrier-grade NAT, which sucks (but so does running out of IPv4 addresses). This means many houses can be behind a single public IP address.
Running the EFF fingerprinting test on my browser. The results page contains more details, in addition to explaining what each of those are.
In other words a VPN doesn’t do much (or should I say nothing?) to stop ad networks and other big tech companies from tracking you, especially if you’re still going to use their services even behind a VPN.
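The argument above on constructed data, as an added example that is not part of the original post: grouping page views by IP address merges different people behind one address and loses a person who switches to a VPN, while grouping by browser attributes follows the same browser across both addresses. The attribute set, visitor names and addresses are illustrative assumptions.

```python
import hashlib
from collections import defaultdict

# Constructed browser attribute sets, the kind of values a page can read.
DESKTOP_A = {"user_agent": "Firefox/115 Linux x86_64", "screen": "2560x1440",
             "timezone": "America/Santiago", "language": "es-CL", "fonts": 312}
LAPTOP_B = {"user_agent": "Chrome/116 Windows 10", "screen": "1366x768",
            "timezone": "America/Santiago", "language": "es-CL", "fonts": 187}
LAPTOP_C = {"user_agent": "Safari/16 macOS", "screen": "1440x900",
            "timezone": "Europe/Madrid", "language": "es-ES", "fonts": 240}
STOCK_PHONE = {"user_agent": "Chrome/116 Android 13", "screen": "412x915",
               "timezone": "America/Santiago", "language": "es-CL", "fonts": 40}

# Constructed page-view log: (person, source IP seen by the site, attributes).
# "person" is ground truth used only for scoring; a tracker never sees it.
VIEWS = [
    ("alice", "203.0.113.7", DESKTOP_A),    # home connection
    ("bob", "203.0.113.7", LAPTOP_B),       # same household, same public IP
    ("alice", "198.51.100.23", DESKTOP_A),  # alice turns on her VPN
    ("carol", "198.51.100.23", LAPTOP_C),   # another customer on that VPN exit
    ("dave", "192.0.2.44", STOCK_PHONE),    # two identical phones behind
    ("erin", "192.0.2.44", STOCK_PHONE),    # the same carrier-grade NAT
]


def fingerprint(attrs):
    """Stable identifier derived only from browser attributes, never the IP."""
    canonical = "|".join(f"{key}={attrs[key]}" for key in sorted(attrs))
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]


def by_ip(ip, attrs):
    return ip


def by_fingerprint(ip, attrs):
    return fingerprint(attrs)


def score(views, key):
    """Return (merged, split) for an identification strategy.

    merged: identifiers that lump more than one person together.
    split:  people who show up under more than one identifier.
    """
    people_per_id = defaultdict(set)
    ids_per_person = defaultdict(set)
    for person, ip, attrs in views:
        identifier = key(ip, attrs)
        people_per_id[identifier].add(person)
        ids_per_person[person].add(identifier)
    merged = sum(1 for people in people_per_id.values() if len(people) > 1)
    split = sum(1 for ids in ids_per_person.values() if len(ids) > 1)
    return merged, split


if __name__ == "__main__":
    print("by IP          (merged, split):", score(VIEWS, by_ip))
    print("by fingerprint (merged, split):", score(VIEWS, by_fingerprint))
```

By IP, every address lumps two people together and alice appears as two visitors once her VPN is on; by fingerprint, only the two identical phones collide and alice stays one visitor on both addresses.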
So what can you do instead? The solutions are quite radical and even then not perfect. Disabling JavaScript would be the “atomic bomb” approach but there’s barely any site that doesn’t require JS to run properly these days.
You can deploy a Pi-Hole, which makes a good effort of blocking ads and trackers but that’s no good outside your house unless you run it locally (which isn’t practical at all) or you make it accessible from the internet (which also has its cons).
Even then, resistance is futile when half of the apps and services you rely on daily are owned by the same three or four companies. I got rid of my Facebook account ages ago, but that means nothing when I still rely on WhatsApp and somewhat still use Instagram (although the latter has become a piece of shit lately). And you can try to move away from Google Search and GMail but are you also ditching YouTube, Google Chrome, Chromecast or even your Android phone which will still track you after you tell it not to do so?
The “don’t be evil” days are long gone.
Sadly, it seems that as consumers we’re losing not the battle but the war against online tracking. We’re going to need some strong international legislative effort which honestly I have no hopes I’ll ever see in my lifetime. The European Union has all of the best intentions but I feel things like GDPR are too little too late.
Not everything is web browsing
While most people put “internet” and “web” together, they’re not the same thing. There are services other than websites available on the internet. Examples are: DNS, Email, Instant Messaging and P2P File Sharing. Yes, a VPN provider can help you hide this activity, however you must put in the effort to make sure you’re not leaking any identifiable information that may link to your identity.
Again, for the people in the back: understand that VPN providers are a tool to be used as part of your identity and privacy protection, and not the be-all, end-all solution these companies often claim to be.
It protects you from… hackers?
Another selling point is that VPNs protect your personal information from “hackers”, which honestly I’d like someone to explain to me how. Once it reaches the VPN provider, your traffic then goes to the internet as it would going straight out of your router.
There is, truth be told, one scenario where I could see this being somewhat of a thing: public unsecured WiFi access points. Think of hotels, coffee shops, terminals or restaurants that offer free internet to visitors. Some of them still don’t use any encryption at all, I guess to make it easier to get online without people needing to ask for the password. Under this scenario it is trivial for an attacker to see your traffic as it leaves your device.
Note: there's a whole discussion to be had regarding HTTPS (Hypertext Transfer Protocol Secure) and HSTS (HTTP Strict Transport Security) which goes beyond the scope of this post. While most sites now enforce HTTPS, only 24.5% adopted HSTS as of August 2022 (link allegedly updated daily).
Simply put, these are mechanisms that help mitigate man-in-the-middle attacks, which is when a malicious 3rd party "sits" in the middle of a connection to secretly listen or alter what's being transmitted.
What’s done most of the time instead is to use WPA2 and openly share the WiFi password with any customer that asks for it. The thing is, even if the WiFi password is widely known, your device and the access point automatically negotiate a pair of keys to keep communication private even to other computers on the network. An attacker’s best shot under this scenario is to capture the initial exchange between your device and the AP (handshake) to get the keys needed to decrypt your packets. And if they missed it don’t worry, there are means to force the handshake to happen again.
So you could make the point that a VPN service does provide you with some “protection” over public shared networks, as it would give you security equivalent to what you get when connected directly to the internet.
A side note on public WiFi which has nothing to do with VPNs: some devices, mostly computers, might be configured in a way that leaves services such as file-sharing open to networks on private IP address ranges but closed to networks with public IP address ranges. That's why Windows asks you (or at least it used to) if the network you're connecting to is private (trusted) or public (un-trusted) when you connect to a WiFi it hasn't seen before.
Because of this some argue that using public WiFi is even more dangerous than plugging your computer directly into the internet if your device has services listening for connections from local/private addresses, as this is the equivalent of letting random strangers into your home network.
It protects you from… malware?
A VPN per se does not protect your device from malware, unless the provider is scanning and/or blocking such traffic on their end, which counts as monitoring your traffic, and that’s the opposite of what VPN service providers are supposed to do.
However, some providers bundle anti-malware products with their subscriptions, which I guess is OK, but you should also look into reviews of competing solutions (including free or even open-source ones such as ClamAV).
Note: I did mention ClamAV only because it's been trusted for several decades now and has been open-source since day 1. I'm not comfortable recommending any anti-malware review/testing site as they all give me the same vibe as VPN review sites as mentioned at the beginning of this post.
Do your own research.
It protects you from… data breaches?
Nope. A VPN provider can’t do a damn thing about a third party being compromised; it can only protect the data while being transferred from your device to them. Am I missing something here?
As with the claim of malware protection, some providers bundle services that will regularly check if your accounts appear in data breaches, you know, like what Firefox Monitor offers for free (and yes, I did notice that banner about an upcoming Mozilla VPN… ugh).
The reality is that once you hand over your data to a third party, it’s out of your hands. What you can actually do at the very least, and regardless of your VPN subscription, is:
Learn proper password discipline and get a password manager. By having strong and unique passwords for each site (or groups of sites) you will mitigate the impact of having your credentials for one site compromised affecting accounts on other sites.
Enable Two Factor Authentication (2FA) on every single thing that supports it.
Don’t use your credit card on sites that you don’t trust. Don’t give your address to sites you don’t trust. Period.
Pay attention and be wary of the information you’re filling in when signing up for websites and/or online services, because there’s a chance that info will be leaked if the site is ever compromised.
The elephant in the room: file-sharing
Finally, let’s address what some VPN providers are uncomfortable mentioning while others do without restraint: a VPN can protect your privacy while file sharing.
Note: to my understanding, this includes file-sharing as long as you're not the uploader. If I just said something stupid let me know, I can't Dutch.
Other jurisdictions have shown to be really strict with individuals sharing files online via “peer-to-peer” (P2P) networks/protocols, regardless of whether sharing the content in question is legal or not. Australia, the US, France and the UK are some of the strictest, having Internet Service Providers (ISP) monitoring any kind of P2P activity and then issuing warnings to customers, throttling their connection, cancelling their service, tipping off law enforcement or a combination of all of those.
Here in Uruguay, there have been some small cases some time ago but they were going for exemplary punishment and, in my opinion, it didn’t do much. Nowadays they seem to be more focused towards people selling TV boxes bundled with pirated IPTV signals on the not-so-black market and things like that.
The issue surfaced on Thursday, when University of Ottawa law professor and respected industry blogger Michael Geist posted a letter from a rights holder that threatened civil liabilities of up to $150,000 per infringement.
Canadian law caps liability for non-commercial infringements by individuals at $5,000.
Or at the very least some unfortunate throttling of your internet connection. In that case you may justify the cost of using a VPN.
That said, some VPN providers block ports of popular file-sharing protocols such as BitTorrent, so check their terms of service and look at reviews. Others proudly claim they allow P2P. Do your research before your shopping.
Conclusion
In the end I don’t want you drawing the conclusion that VPN service providers are either good or bad. Rather, you should treat them as another tool in your privacy toolkit at your disposal. Whether you choose them or not, you must be aware of what they can truly do for you and what they cannot. Hopefully, this post might clarify some of the outrageous claims I’ve seen online.
If all you need is a secure way to browse the internet while connected to public WiFi, say, if you travel a lot, then they might be worth it. Your home router might be able to run a VPN server on its own or you can leave a low-power single-board computer like the Raspberry Pi running an OpenVPN or tinc server 24×7 but most people either don’t know or don’t want to bother setting that up. Also, it might not perform as well as even the slowest VPN providers.
If for some reason you need to hide your tracks from an ISP or your government, using a VPN server in a country different than yours (or even better, different than your country’s allies) can be an important part of your privacy toolkit. It might also involve using separate accounts and devices which can’t be traced back to you, using communications apps which are open-source and often audited and using additional encryption layers when dealing with insecure protocols, just to name a few.
But for the average of us, who are not journalists or dissidents, nor wear a tinfoil hat all the time, I fail to see much use for VPN service providers other than “I want to get some overseas Netflix and don’t want to have my ISP know I’ve been torrenting“. Again, all I want you to take from this is there’s more to online privacy than just getting a VPN. Whether it is justified is up to you, but at least know what it is and what it isn’t.
Of course, if you feel this is not the case or that I’m missing something, please leave me a comment to let me know.
Further reading
Some people have already voiced concerns on these kinds of claims, years ago. If you’re interested in this topic, here’s some further reading/watching for you:
“Don’t use VPN services“, Sven Slootweg (GitHub Gist). A bit more radical and too cynical for my taste but it does make some great points on the false sense of security/privacy a VPN provider may lead you to if you don’t really understand what they can and cannot do.
“This Video Is Sponsored By **** VPN“, Tom Scott (YouTube). Initially intended to be an honest video on Tom’s channel about VPNs, sponsored by a VPN company. The sponsor (allegedly) backed out of it because it was too honest. That’s quite telling.
Edit: an early version of this post was published where the share of phishing reports was grossly under-reported due to me messing up the decimal separators when handling the source data. Basically I arrived at the conclusion that phishing made up 10% of reported crimes however… it’s around 45%. Oooops! The post and charts have been corrected.
While drafting a document for work regarding email scams, more specifically phishing, I came across the FBI’s Internet Crime Complaint Center (IC3) 2021 Annual Report. After looking at the numbers in there, one wonders if the old saying “crime never pays” applies to the electronic frontier.
So, let’s take a break from work and look into it. Keep in mind, since I’m looking into the IC3 report for 2021, that:
Numbers mentioned here reflect the FBI’s jurisdiction: the United States.
As is often the case with criminal activity, actual numbers could be higher (or at least different) since I’m expecting a lot of this to be under-reported to some extent, especially in cases where the victims are individuals.
You probably are familiar with the term phishing but in case you aren’t, I’ll borrow this definition from the Wikipedia page on Phishing:
Phishing is a type of social engineering where an attacker sends a fraudulent (e.g., spoofed, fake, or otherwise deceptive) message designed to trick a person into revealing sensitive information to the attacker or to deploy malicious software on the victim’s infrastructure like ransomware.
Before we begin, I’d like to state what should be obvious: this is by no means a study nor an analysis of the results provided in the report mentioned above. I’m just looking at the numbers and taking you along for the ride.
Phishing is going strong
Internet crime has been on the rise over the last years and phishing is no exception. In 2021, the IC3 saw a 34% increase in phishing complaints alone compared to 2020. Some claim that this rise in cyber-crime is related to the SARS-CoV-2 pandemic. True, a sudden shift to work-from-home operations with most organizations not being ready for it might be a contributing factor. However, criminal activity online has been on the rise since the early days of the internet.
Not only that, but phishing makes up a considerable chunk of internet crimes: about 45% of complaints were phishing attacks last year. This makes phishing the #1 category reported by number of complaints.
Despite being almost half of all complaints, phishing is associated with less than 1% of all reported losses. Clearly it ain’t the most lucrative of the bunch but still the losses reported for 2021 amount to $44.213.707.
I don’t know about you, but that’s some life-changing amount of money. There were, however, 323.972 complaints filed under phishing. The report does not provide much more data than that, so let’s go with an average of $136 per phishing attack. That don’t impress me much, however keep in mind that some attacks might lead to stealing thousands while others nothing at all, since wire fraud might not necessarily be the immediate goal of a phishing attack.
I went into this looking for some statistics on the damage done by phishing attacks. However, those 44 million USD are less than 1% of all the losses reported to the IC3. I wonder, what are the numbers for the top grossing crime types?
Top 10 internet crimes by losses
During 2021 the IC3 received 720.880 complaints for a total in losses of $7.789.976.708.
Here are the top 10 internet crime types ranked by losses reported to the IC3:
#1 – Business Email Compromise or Email Account Compromise $2.395.953.296 (30,76%)
Consists of obtaining unauthorized access to mailboxes of either organizations (BEC) or individuals (EAC). With access to these email accounts, criminals can then proceed to commit wire fraud and/or gain further access.
There were 19.954 complaints filed under BEC/EAC in 2021, for an average loss of $120.074/complaint.
#2 – Investment $1.455.943.193 (18,69%)
Criminals trick their victims into believing they’re making an investment where in reality no investment is being made and the criminal is cashing-out. Ponzi and Pyramid schemes, which fall under this category, are illegal in many jurisdictions, including the United States. However, for some reason multi-level-marketing (MLM) schemes are still legal in most countries.
There were 20.561 complaints filed under Investment in 2021, for an average loss of $70.881/complaint.
A criminal tricks their victim into believing they’re relatives or into starting a long distance relationship in order to gain their trust and get them to provide account credentials, Personally Identifiable Information (PII) or even valuable goods.
There were 24.299 complaints filed under Confidence / Romance Fraud in 2021, for an average loss of $39.345/complaint.
#4 – Personal Data Breach $517.021.289 (6,64%)
PII is stolen or leaked from a restricted location or information processing system (for example, customer credit card numbers being stolen from your ISP).
There were 51.829 complaints filed under Personal Data Breach in 2021, for an average loss of $9.976/complaint.
#5 – Real Estate / Rental $350.328.166 (4,50%)
Similar to the Investment fraud but on the real estate market.
There were 11.578 complaints filed under Real Estate / Rental in 2021, for an average loss of $30.258/complaint.
#6 – Tech Support $347.657.432 (4,46%)
Criminals pretend to work for the customer service or technical support departments of a well-known tech/software company. They usually claim there’s some issue that needs fixing and/or a refund to be processed and that they need access to one or more of your devices. From there, they may trick users into providing their account credentials, performing wire-transfers and/or locking the victim’s devices in exchange for a ransom.
There were 23.903 complaints filed under Tech Support in 2021, for an average loss of $14.545/complaint.
A criminal pretends to buy a product but does not pay the seller despite receiving the shipment (non-payment). Or, a criminal pretends to sell a product but never ships the product despite receiving the payment or ships something of less value, a counterfeit product, etc…
There were 82.478 complaints filed under Non-payment / Non-delivery in 2021, for an average loss of $4.092/complaint.
#8 – Identity Theft $278.267.918 (3,57%)
A criminal steals PII to gain control over the victim’s accounts and commit fraud, either against the victim of identity theft or, by impersonating the victim, against third parties.
There were 51.629 complaints filed under Identity Theft in 2021, for an average loss of $5.390/complaint.
#9 – Credit Card Fraud $172.998.385 (2,22%)
A criminal uses a credit card to transfer fraudulent funds.
There were 1.675 complaints filed under Credit Card Fraud in 2021, for an average loss of $103.283/complaint.
#10 – Corporate Data Breach $151.568.225 (1,95%)
A criminal gets unauthorized access to an organization’s sensitive or confidential information.
There were 1.287 complaints filed under Corporate Data Breach in 2021, for an average loss of $117.769/complaint.
The elderly seem to be more at risk of internet crime in general
The age group of individuals aged 60 and above takes the #1 spot both on complaints filed and reported losses.
It’s often said that older adults are more vulnerable to scams in general, however I don’t see much difference in complaints reported to the IC3 between the 30-39 (21%), 40-49 (21%) and the 60+ (22%) age groups. The report did not however provide a breakdown of complaint type by age, so we can’t tell on this data alone if some crimes target some age groups more specifically. Despite that, it’s widely believed that the elderly are more vulnerable to scams in general.
On the other side, when looking at the losses reported by age-group we can clearly see the elderly (60+) take a bigger slice of the pie than every other group. More losses were reported from victims in this group than from everyone under 40 combined (27%).
Edit: that last statement is clearly false, the +60 group is absolutely the most exploited compared to any other group individually. What I meant to say is that the older you get the bigger the (potential) losses. This probably has a very simple explanation. Usually the older age groups are the wealthiest ones: they are more likely to own property, have lifetime savings and hold higher positions at work when near retirement.
What can you do?
If you are (or have been) a victim of a scam
Contact law enforcement in your jurisdiction. File a report. I don’t know where you live so I can’t tell you where to go. That said, here are some resources:
Independent Age, a charity in the UK dedicated to the care of old people has a page on “What to do if you’ve been the victim of a scam”. As we’ve seen from the IC3 data, the elderly are the most vulnerable to scams in general.
If your credit card and/or bank account was involved, contact your bank immediately and tell them what happened.
If you granted a scammer access to any of your devices (computer, smartphone, tablet…) that system is most likely compromised. Disconnect any compromised device from the network (unplug the cable if wired, turn off the WiFi if wireless). Don’t reconnect them to the network until after ensuring they’re clean (I personally wouldn’t trust them unless the disk is formatted and the operating system clean installed).
I’m not a victim but scammers won’t stop contacting me
If a scammer is trying to reach you, don’t engage! Ignore and move on. Report the email as spam (or phishing if your email provider has a separate option), even if you can tell it’s a scam and that you won’t fall for it.
Note: no matter how tempted you might be to mess with or bait them, keep in mind that “scam baiters” either work with teams of highly skilled IT professionals and/or are highly skilled themselves. Additionally, “scam-baiting” requires a lot of preparation beforehand to not get scammed, doxxed or even worse. And yet sometimes even the best get scammed. In other words, don’t try this at home.
I’m not a victim and I’d like to keep it that way
Good. The first thing to realize is that anyone can be scammed under the right circumstances. It’s not a matter of being smart or stupid. Most scams prey on victims by pretending some urgent action needs to be taken, urging you to act before you think.
No company or bank or government will ask for credentials over email, text or phone.
No company accepts payments using 3rd party gift cards. Period.
Neither do courts. Or law enforcement. Or healthcare institutions. Or tax collection agencies.
No company needs to connect to your computer to process a payment. Or a refund. Or a lottery ticket. Or the inheritance of a prince from some country far away you never heard of before.
While we’re at it, no-one will ask a random stranger on the internet to help them transfer a huge amount of money to evade taxes. If someone has millions coming their way they can afford a special kind of magician called “accountant”.
No corporation sends you emails from a @gmail address. Or a @hotmail address. Or an @outlook address. Or pretty much any domain that’s not the company domain.
I could go on, but scammers change their tactics as time passes, since people start catching-up with what’s going on. The best advice is to stay informed, stay aware and don’t act on impulse upon a suspicious email or phone call.
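The sender-domain rule from the list above, as an added example that is not part of the original post: a Python sketch that takes the actual address out of a From: header, ignores the display name, and checks the domain against the company's own. The domains examplebank.test and evil.example, the function names and the sample headers are constructed for illustration.

```python
from email.utils import parseaddr

# Free webmail domains named in the post. Assumption: a real deployment
# would use a longer, maintained list.
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com"}


def sender_domain(from_header):
    """Return the lower-cased domain of the address in a From: header.

    Only the address part counts; the display name is free text chosen by
    the sender. Returns None when no user@domain address is found.
    """
    _display_name, address = parseaddr(from_header)
    local, at, domain = address.rpartition("@")
    if not at or not local or not domain:
        return None
    return domain.lower().rstrip(".")


def classify_sender(from_header, company_domain):
    """Classify a From: header relative to the domain the company really uses."""
    domain = sender_domain(from_header)
    if domain is None:
        return "unparseable"
    company = company_domain.lower()
    # Exact match or a true subdomain. The leading dot matters:
    # "notexamplebank.test" must not pass for "examplebank.test".
    if domain == company or domain.endswith("." + company):
        return "company-domain"
    if domain in FREEMAIL_DOMAINS:
        return "freemail"
    return "other-domain"


# Constructed sample headers (not taken from real messages).
SAMPLES = [
    'Example Bank <alerts@examplebank.test>',
    'Example Bank <news@mail.examplebank.test>',
    '"Example Bank Support" <examplebank.refunds@gmail.com>',
    # Company address placed in the display name, webmail address behind it.
    '"support@examplebank.test" <helper@outlook.com>',
    # Company domain used as a prefix of somebody else's domain.
    'Example Bank <alerts@examplebank.test.evil.example>',
    'Example Bank <alerts@notexamplebank.test>',
    'Example Bank',
]


def triage(headers, company_domain):
    """Return (header, verdict) pairs for a list of From: headers."""
    return [(h, classify_sender(h, company_domain)) for h in headers]


if __name__ == "__main__":
    for header, verdict in triage(SAMPLES, "examplebank.test"):
        print(f"{verdict:15} {header}")
```

A From: header is written by the sender, so a "company-domain" verdict only means the message passed this one check, not that it is genuine.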
Also, take a look at some of the “scam baiters” so you can get an idea on how these scams operate and what tactics they use. My personal favorites are Jim Browning, Kitboga and Scammer Payback.
There are also channels like Coffeezilla but he’s more into a different cup of scams, mostly cryptocurrency schemes, MLMs, NFT “rugpulls” and fake financial/trade “gurus”.
DON’T SHAME SCAM VICTIMS
Falling for a scam will make someone feel really powerless. All it took for them is a lapse in judgement and when they look back they can’t help but feel ashamed, especially if a lot of damage was done, monetary or otherwise.
Coming forward and accepting you were tricked into doing something harmful to yourself is really tough.
It will destroy your self-esteem. It will impact your trust in others. It will mess with your mind.
Don’t mock scam victims. Don’t shame them. Don’t say stuff like “you had it coming” because it doesn’t help anybody.
It certainly doesn’t help them, the damage is done already and they need to move forward.
It doesn’t help other victims that might not want to report the crime (and have a chance to recover assets, no matter how slim) to avoid dealing with the social pressure of being shamed.
It doesn’t help the community, as the less we talk about this, the more scammers can get away with it.
And it doesn’t help you. Don’t ever assume you’re too good to fall for it.
That’s when they get you.
The worst loneliness is to not be comfortable with yourself.
So I woke up and decided to pick up my bad old habit of blogging. This time I’m doing this in English instead of Spanish, don’t know why but it serves as an excuse to improve my writing.
Unless you arrived here during some of your random walks through the internet, you probably know I already have a blog, the old and busted brunobense.com, which is also named “Something Bense” just like this one. Confusing? Let me explain, it won’t be long*.
The first blog
I’ve been kind of blogging since my high-school days, can’t remember exactly when but I’d say around 2005/2006. As you’d expect it was mostly what kids these days call “shit-posting“. I think it started with Blogger. Eventually I discovered this superior platform WordPress and I moved to that, jumping between free-hosting services and finally wordpress.com.
None of those posts were preserved (don’t worry, I don’t think anything valuable was lost) sometimes because of me messing up migrations and other times because I just didn’t care. To me, it was low-quality ephemeral ramblings.
Then it was the home server…
For a long time now (I think since 2008/2009) I’ve been running a “server at home”, which is a glamorous way to say: a computer running (almost) 24×7 serving requests from the internet. I started as people usually do: using a free dynamic DNS service and running Windows. I eventually got a proper domain registered and moved to Linux.
Running a server at home has not only been a great learning experience but also a huge boost to my digital lifestyle (if that’s a thing). Streaming services were not quite as good as they are today, file-sync was expensive and rigid. Centralizing all of my precious data on redundant & backed-up storage is just something I can’t go back to not having.
…and the issues that come with it
However, it ain’t flawless. Once in a while the DNS goes out of sync, sometimes for hours and sometimes for days. That means, everything works at home but not from the outside. I know that a blog hosted somewhere else is not a solution for those problems, but I have workarounds to get into the home automation, streaming and file-sync when it happens. But I don’t have workarounds for when my blog and/or email go down for several hours (or even days).
I guess I’ll get around to fixing those issues eventually, so why not take this as an opportunity to take a different direction with the blog?
What’s the blog supposed to be about?
I don’t know. I’m not looking for an audience or to sell something or to improve myself. I just like to look into random things from time to time, or to document my grievances with technology or to vent-off. The blog to me has always been about writing some silly stuff and moving on.
Looking back I think I realized that in a way, the blog is kinda therapeutic to me. Over the last few years, especially since 2020 up to today, I barely touched the blog, whatever the reason might be: not having time due to work, or personal stuff I’ve been dealing with.
The only thing I do know is that it is not meant to be taken too seriously.
Wrapping up
That’s it, welcome to the blog. The old blog will keep running at brunobense.com, who knows, maybe I’ll start blogging there as well?
Thank you for making it this far, to be honest it ain’t much of an interesting read.