As anyone who regularly games online can attest, DDoS (dedicated denial of service) attacks are an irritatingly common occurrence on the internet. Drawing on the combined digital might of a geographically diffuse legion of zombified PCs, hackers are able to swamp game servers and prevent players from logging on for hours or days at a time. The problem has metastasized in recent years as enterprising hackers have begun to package their botnets and spamming tools into commercial offerings, allowing any Tom, Dick, and Script-kiddie rental access to the same power. 

It's a big internet out there, and bad actors are plentiful. There are worse things than spammers and scammers swimming in the depths of the Dark Web. In his new book, Fancy Bear Goes Phishing: The Dark History of the Information Age, in Five Extraordinary Hacks, Dr. Scott J Shapiro, Professor of Law and Philosophy at Yale Law School traces the internet's illicit history through five of the biggest attacks on digital infrastructure ever recorded.

Farrar Straus Giraux

FANCY BEAR GOES PHISHING: The Dark History of the Information Age, in Five Extraordinary Hacks by Scott J. Shapiro. Published by Farrar, Straus and Giroux. Copyright © 2023 by Scott J. Shapiro. All rights reserved. 

Crime as a Service

Not all Denial of Service attacks use botnets. In 2013, the Syrian Electronic Army (SEA)—the online propaganda arm of the brutal Bashar al-Assad regime—hacked into Melbourne IT, the registrar that sold the nytimes.com domain name to The New York Times. The SEA altered the DNS records so that nytimes.com pointed to SEA’s website instead. Because Melbourne IT contained the authoritative records for the Times’ website, the unauthorized changes quickly propagated around the world. When users typed in the normal New York Times domain name, they ended up at a murderous organization’s website.

Conversely, not all botnets launch Denial of Service attacks. Botnets are, after all, a collection of many hacked devices governed by the attacker remotely, and those bots can be used for many purposes. Originally, botnets were used for spam. The Viagra and Nigerian Prince emails that used to clutter inboxes were sent from thousands of geographically distributed zombie computers. In these cases, the attacker reaches out to their army of bots, commanding them to send tens of thousands of emails a day. In 2012, for example, the Russian Grum botnet sent over 18 billion spam emails a day from 120,000 infected computers, netting its botmaster $2.7 million over three years. Botnets are excellent spam infrastructure because it’s hard to defend against them. Networks usually use “block lists”: lists of addresses that they will not let in. To block a botnet, however, one would have to add the addresses of thousands of geographically disbursed servers to the list. That takes time and money.

Because the malware we have seen up till now — worms, viruses, vorms, and wiruses.— could not work together, it was not useful for financially motivated crime. Botnet malware, on the other hand, is because the botnets it creates are controllable. Botmasters are capable of issuing orders to each bot, enabling them to collaborate. Indeed, botnet malware is the Swiss Army knife of cybercrime because botmasters can tell bots in their thrall to implant malware on vulnerable machines, send phishing emails, or engage in click fraud allowing botnets to profit from directing bots to click pay-per-click ads. Click fraud is especially lucrative, as Paras Jha would later discover. In 2018, the ZeroAccess botnet could earn $100,000 a day in click fraud. It commanded a million infected PCs spanning 198 countries, including the island nation of Kiribati and the Himalayan Kingdom of Bhutan. 

Botnets are great DDoS weapons because they can be trained on a target. One day in February 2000, the hacker MafiaBoy knocked out Fifa.com, Amazon.com, Dell, E*TRADE, eBay, CNN, as well as Yahoo!, then the largest search engine on the internet. He overpowered these web servers by commandeering computers in forty-eight different universities and joining them together into a primitive botnet. When each sent requests to the same IP address at the same time, the collective weight of the requests crashed the website. 

After taking so many major websites off-line, MafiaBoy was deemed a national security threat. President Clinton ordered a countrywide manhunt to find him. In April 2000, MafiaBoy was arrested and charged, and in January 2001 he pled guilty to fifty-eight charges of Denial of Service attacks. Law enforcement did not reveal MafiaBoy’s real name, as this national security threat was only fifteen years old. MafiaBoy later revealed himself to be Michael Calce. “You know I’m a pretty calm, collected, cool person,” Calce reported. “But when you have the president of the United States and attorney general basically calling you out and saying, ‘We’re going to find you’ . . . at that point I was a little bit worried.” Calce now works in the cybersecurity industry as a white hat — a good hacker, as opposed to a black hat, after serving five months in juvenile detention. 

Both MafiaBoy and the VDoS crew were adolescent boys who crashed servers. But whereas MafiaBoy did it for the lulz, VDoS did it for the money. Indeed, these teenage Israeli kids were pioneering tech entrepreneurs. They helped launch a new form of cybercrime: DDoS as a service. DDoS as a service is a subscription-based model that gives subscribers access to a botnet to launch either a daily quota or unlimited attacks, depending on the price. DDoS providers are known as booter services or stressor services. They come with user-friendly websites that enable customers to choose the type of account, pay for subscriptions, check status of service, launch attacks, and receive tech support. 

VDoS advertised their booter service on Hack Forums, the same site on which, according to Coelho, Paras Jha spent hours. On their website, www.vdos-s.com, VDoS offered the following subscription services: Bronze ($19.99/month), Silver ($29.99/month), Gold ($39.99/month), and VIP ($199.99/month) accounts. The higher the price, the more attack time and volume. At its peak in 2015, VDoS had 1,781 subscribers. The gang had a customer service department and, for a time, accepted PayPal. From 2014 to 2016, VDoS earned $597,862, and it launched 915,287 DDoS attacks in one year. 

VDoS democratized DDoS. Even the most inexperienced user could subscribe to one of these accounts, type in a domain name, and attack its website. “The problem is that this kind of firepower is available to literally anyone willing to pay thirty dollars a month,” Allison Nixon, director of security research at business-risk-intelligence firm Flashpoint, explained. “Basically what this means is that you must have DDoS protection to participate on the internet. Otherwise, any angry young teenager is going to be able to take you off-line in a heartbeat.” Even booter services need DDoS protection. VDoS hired Cloudflare, one of the largest DDoS mitigation companies in the world. 

DDoS as a service was following a trend in cybercrime known as “malware as a service.” Where users had once bought information about software vulnerabilities and tried to figure out how to exploit those vulnerabilities themselves, or had bought malicious software and tried to figure out how to install and execute it, they could now simply pay for the use of malware and hack with the click of a button, no technical knowledge required.

Because customers who use DDoS as a service are inexperienced, they are particularly vulnerable to scams. Fraudsters often advertise booter services on public discussion boards and accept orders and payment, but do not launch the promised attacks. Even VDoS, which did provide DDoS service, did so less aggressively than advertised. When tested by Flashpoint, VDoS botnet never hit the promised fifty gigabits/second maximum, ranging instead from six to fourteen gigabits/second.

The boards that advertise booter services, as Hack Forums once did, are accessible to anyone with a standard browser and internet connection. They exist on the Clear Web, not on the so-called Dark Web. To access sites on the Dark Web you must use a special network, known as Tor, typically using a special browser known as the Tor Browser. When a user tries to access a website on the Dark Web, the Tor Browser does not request web pages directly. It chooses three random sites—known as nodes—through which to route the request. The first node knows the original sender, but not the ultimate destination. The second node knows neither the original source nor the ultimate destination—it recognizes only the first node and the third node. The third node knows the ultimate destination, but not the original sender. In this way, the sender and receiver can communicate with each other without either knowing the other’s identity.

The Dark Web is doubly anonymous. No one but the website owner knows its IP address. No one but the visitor knows that they are accessing the website. The Dark Web, therefore, tends to be used by political dissidents and cybercriminals—anyone who needs total anonymity. The Dark Web is legal to browse, but many of its websites offer services that are illegal to use. (Fun fact: the U.S. Navy created the Dark Web in the mid-1990s to enable their intelligence agents to communicate confidentially.)

It might be surprising that DDoS providers could advertise on the Clear Web. After all, DDoS-ing another website is illegal everywhere. In the United States, one violates the Computer Fraud and Abuse Act if one “knowingly causes the transmission of a program, information, code, or command, and as a result of such conduct, intentionally causes damage without authorization,” where damage includes “any impairment to the . . . availability of data, a program, a system, or information.” To get around this, booter services have long argued they perform a legitimate “stressor” function, providing those who set up web pages a means to stress test websites. Indeed, booter services routinely include terms of service that prohibit attacks on unauthorized sites and disclaim all responsibility for any such attacks.

In theory, stressor sites play an important function. But only in theory. Private chats between VDoS and its customers indicated that they were not stressing their own websites. As a booter service provider admitted to Cambridge University researchers, “We do try to market these services towards a more legitimate user base, but we know where the money comes from.”

As the unromantic name implies, TP-Link’s Deco XE75 AXE5400 is one of the company’s many, many routers. A trio of plain cylinders standing 6.7-inches tall, they mirror the lack of excitement in its name, but as the saying goes, let’s not judge a book by its deeply unsexy cover. Hiding inside is a mesh of extreme quality that, despite a few rough edges, offers a great mix of power and affordability. If you’re confident in your ability to work your way through an admin panel or two, then this might be the mesh for you.

Hardware

I’ve already mentioned that the XE75 comprises a series of nondescript-looking cylinders which aren’t the prettiest mesh units. They certainly look like WiFi equipment, unlike many of the others on the market, which look like paperweights designed by Henry Moore. Unless you’re living in a minimalist’s paradise, they’ll hopefully blend into your decor with no fuss.

On the back of each node are three gigabit ethernet ports, one of which you’ll need to hook the primary mode up to your modem. You can also use the ports to run ethernet backhaul, if your house is (or will be) suitably-equipped. In 2023, when it can sometimes feel like wired ethernet is becoming a niche proposition, having three ports per node feels like luxury. And I don’t think many users will gripe over a lack of a 2.5 Gbps port which is a bit excessive, even these days.

One of the first choices you’ll need to make is how you’ll use the 6GHz band, which is reserved as backhaul by default. You can leave it like this or, if you have a plethora of WiFi 6-enabled devices already, you can run it dynamically. Like I said in the mesh WiFi buyer’s guide, using the 6GHz band for backhaul makes sense for now since so few phones, laptops and tablets can access that band directly at the moment.

TP-Link says its “AI-driven mesh” will learn which devices get faster speed from which nodes and prioritize those connections accordingly. Once each of your devices is connected to the mesh, you should hope to see your speed and reliability improve as it learns your usage.

Installation

Deco XE75 was easy to get set up, taking just 16 minutes from when I pulled the plastic film from the box to finish. Download the Deco companion app, set up a TP-Link account and you’ll then be guided through the short setup process. You just need to plug the first node in, tell the app if you have any ISP-specific needs, give your network a name and password and you’re off at the races.

Once done, the app will tell you to turn on the other nodes in the set and wait as they connect to the existing mesh. You’ll also need to assign each node a name based on their locations in your home. My phone pinged several times in quick succession after this as all the gadgets in my home joined the network. The degree of seamlessness and ease of setup was more or less perfect.

That is, except for one minor real-world annoyance that I feel compelled to flag — the length of the power cables for the UK models I’ve been testing. A lot of mesh products ask users to place nodes in visible, prominent locations, rather than hidden behind furniture, to avoid interference. That’s harder to do, however, if your power cable is just 57 inches long, a small but noticeable bit shorter than the other products I’m testing. To the point where I couldn’t put one module in my usual location at the top of a bookcase because the cable didn’t stretch that far. In this case, that module had to go on my top shelf, rather than above it. It’s a specific and possibly niche complaint but worth mentioning in case you have an unforgiving room layout.

Performance

Photo by Daniel Cooper / Engadget

After setting up the modules in the usual places in my home, I found that it took about 10 minutes for the connection to stabilize. I had to run a firmware update that caused things to drop out for a further five minutes afterward, but after that, the connection was very stable. A lot of more affordable 6E routers use the 6GHz band as backhaul, and this worked well in my home.

Close to the primary node, speeds hit an average of 270 Mbps down, and in my office two floors away, I was still getting 260 Mbps. Even in my back bedroom with its dreaded signal dead spot, SpeedTest download benchmarks fell to around 220 Mbps. Ping times were similarly consistent, to the point where I reckon a two-point mesh might have sufficed.

The Deco app very clearly shows your network topography, enabling you to quickly see which devices connect to which node. What surprised me is that the hardware in my office preferred the primary node rather than the one that was nearer. I suspect, over time, those connections would shift, but the fact I saw such good performance despite being two floors away was great.

App and controls

The Deco app lays everything out in a friendly, easy-to-parse manner that shouldn’t deter novice users from upgrading. The home screen shows you the network topography, and what devices are connected to each node by default, helping you to feel in control of what’s going on.

If there’s a downside, it’s that the level of control available to you inside each submenu isn’t that deep. View your WiFi settings, for instance, and you’ll be able to change your network name and password or share those details to someone else. But the only other option is to decide if the 6GHz network is used for dedicated backhaul or if you can share it with devices on the network. You can activate a Guest Network on the homescreen, letting you set one up with one press, although I’m less of a fan that it’s password-free by default.

You can scroll the list of what’s connected to the network to see its signal strength, as well as how much data it’s up-and-down-loading at the time. Each device can be assigned to a family member for parental controls, and you can single out a unit for priority on the network. The one downside to this is that TP-Link really struggles to identify each piece of equipment on your network compared to, say, a product from Netgear. So many units were named “iot_device” in the list, that you’ll probably need to take the time to rename them all manually.

In the More sub-menu, you can run tests to optimize your network, set up an IPv6 connection, as well as tweak IP settings. One feature I appreciated was the choice to get a push notification every time a new device joins the network, which appeals to my paranoia.

You can also access your settings through a browser-based client but, as far as I could see, the only difference is it lets you force a firmware upgrade with a local file rather than handling the system online. That’s a fairly niche use, though.

Additional features

Deco does offer smart home integrations, but it’s limited to TP-Link’s own gear and Philips Hue. The only other thing that the company offers is Homeshield, which offers a suite of security features to help keep your WiFi secure. The free Basic tier will scan your network for security threats and offers “robust” parental controls. That includes the ability to block specific websites, set daily usage limits and time-out zones to stop your kids accessing the internet in the middle of the night.

You can also activate content filtering, which will lock down swathes of the web that TP-Link deems unsuitable. That includes Adult Content, Gambling, and Download sites, amongst many others. More problematically, you can block access to sites offering sex and relationship education information, which feels like TP-Link is enabling more harm than good there.

What I will say, despite my objections, is that the suite of options available for free here is a very good mix. Plenty of companies have taken to putting even the most basic parental controls, like time limits and access control, behind their paywalls. The fact the essentials are available here, for free, means the company gets plenty of extra points here.

TP-Link also offers a paid version of Homeshield, which includes more protection against hacks, greater data about what websites users are visiting. This, it says, will guard against “teenager internet addiction (sic),” “IoT Devices Attacks (sic)” and “Cyber Virus Intrusion (sic).” Homeshield Pro costs $5.99 a month, or $55 for a year, although I’m not sure I see enough value in it to encourage anyone to sign up for the extras on offer.

Wrap-up

There’s no single glitzy, attention-grabbing feature that makes the Deco XE75 a must-buy, but what puts it ahead of the competition is its brawn. Nestled inside those cylinders is powerful, reliable hardware that generates a fast and far-reaching network which is reason enough to pick up TP-Link’s system. The app and services offered at no additional cost, squarely tick the “good enough” box.

The one thing the Deco XE75 lacks is polish, both in its app and its services. I wouldn’t suggest this to anyone who would freeze up at the very thought of having to make a decision about something like a backhaul channel. But, if you are prepared to make the effort, then this is certainly the mesh WiFi system for you. It’s fast, reliable, fairly easy to use and I reckon the (cheaper) two-pack will cover all but the biggest of homes.

Federal Communications Commission (FCC) chairperson Jessica Rosenworcel wants to open a formal Notice of Inquiry into the impact of internet data caps on consumers, according to an FCC document spotted by Ars Technica. The regulator will also consider "taking action" to ensure that data caps don't harm competition or impact access to broadband services, according to the letter. 

"Internet access is no longer nice-to-have, but need-to-have for everyone, everywhere," Rosenworcel said in a statement. "When we need access to the internet, we aren’t thinking about how much data it takes to complete a task, we just know it needs to get done. It’s time the FCC take a fresh look at how data caps impact consumers and competition."

With the Notice of Inquiry, the FCC would "seek comment to better understand why the use of data caps continues to persist despite increased broadband needs of consumers and providers' demonstrated technical ability to offer unlimited data plans," according to the letter. 

Rosenworcel would be unable to take any action on data caps at the moment, though. The FCC currently has just four members (two Democrats and two Republicans), as the Senate refused to confirm President Biden's first nominee, Gigi Sohn, and she subsequently withdrew her name for consideration. The White House has since nominated telecom attorney Anna Gomez, who appears to have the support of the telecom industry. A nomination hearing for Gomez is scheduled for this Thursday, June 22nd. 

During the COVID-19 pandemic, broadband provider Comcast temporarily removed data caps, but it continues to impose a 1.2TB data cap on certain contracts in some US regions. Charter's deal with the FCC to not impose data caps on its Spectrum service (struck when it acquired Time Warner) ended this year, but the company recently said it has "no plans to [restart data caps] when the condition sunsets." 

Along with the proposed Notice of Inquiry, the FCC has opened a new portal to allow consumers to share how data caps have affected them (on fixed or wireless broadband networks) at fcc.gov/datacapstories. That will help the FCC determine how data caps impact access for everyone "including those with disabilities, low-income consumers, and historically disadvantaged communities, and access to online education, telehealth and remote work," the Commission wrote.

The Biden administration on Friday announced $930 million in grants designed to expand rural access to broadband internet. Part of the Department of Commerce’s “Enabling Middle Mile Broadband Infrastructure Program,” the grants will fund the deployment of more than 12,000 miles of new fiber optic cable across 35 states and Puerto Rico. The administration said Friday it expects grant recipients to invest an additional $848.46 million, a commitment that should double the program's impact.

“Much like how the interstate highway system connected every community in America to regional and national systems of highways, this program will help us connect communities across the country to regional and national networks that provide quality, affordable high-speed internet access,” Commerce Secretary Gina Raimondo said.

According to the Commerce Department, it received over 260 applications for the Middle Mile Grant Program, totaling $7.47 billion in funding requests. The agency primarily awarded grants to telecom and utility companies, though it also set aside funding for tribal governments and nonprofits. Per Gizmodo, the largest grant, valued at $88.8 million, went to a telecommunications company in Alaska that will build a fiber optic network in a part of the state where 55 percent of residents have no internet access. On average, the Commerce Department awarded $26.6 million to most applicants. Grant recipients now have five years to complete work on their projects, though the administration hopes many of the buildouts will be completed sooner.

In addition to creating new economic opportunities in traditionally underserved communities, the government says the projects should improve safety in those areas too. “They can improve network resilience in the face of the climate crisis, and increasing natural disasters like wildfires, floods, and storms, creating multiple routes for the internet traffic to use instead of just one, like a detour on the freeway,” White House infrastructure coordinator Mitch Landrieu told Bloomberg.

The funding is just one of many recent efforts by the government to close the rural digital divide. At the start of last year, the Federal Communications Commission announced an accountability program designed to ensure recipients of the Rural Digital Opportunity Fund properly spend the money they receive from the public purse.

Google’s take on AI-powered search begins rolling out today. The company announced this morning that it’s opening access to Google Search Generative Experience (SGE) and other Search Labs in the US. If you haven’t already, you’ll need to sign up for the waitlist and sit tight until you get an email announcing it’s your turn.

Revealed at Google I/O 2023 earlier this month, Google SGE is the company’s infusion of conversational AI into the classic search experience. If you’ve played with Bing AI, expect a familiar — yet different — product. Cherlynn Low noted in Engadget’s SGE preview that Google’s AI-powered search uses the same input bar you’re used to rather than a separate chatbot field like in Bing. Next, the generative AI results will appear in a shaded section below the search bar (and sponsored results) but above the standard web results. Meanwhile, on the top right of the AI results is a button letting you expand the snapshot, and it adds cards showing the sourced articles. Finally, you can ask follow-up questions by tapping a button below the results.

Google describes the snapshot as “key information to consider, with links to dig deeper.” Think of it like a slice of Bard injected (somewhat) seamlessly into the Google search you already know.

In addition, Google is opening access to other Search Labs, including Code Tips and Add to Sheets (both are US-only for now). Code Tips “harnesses the power of large language models to provide pointers for writing code faster and smarter.” It lets aspiring developers ask how-to questions about programming languages (C, C++, Go, Java, JavaScript, Kotlin, Python and TypeScript), tools (Docker, Git, shells) and algorithms. Meanwhile, as its name suggests, Add to Sheets lets you insert search results directly into Google’s spreadsheet app. Tapping a Sheets icon to the left of a search result will pop up a list of your recent documents; choose one to which you want to attach the result.

If you aren’t yet on the Search Labs waitlist, you can tap the Labs icon (a beaker symbol) on a new tab in Chrome for desktop or in the Google search app on Android or iOS. However, the company hasn’t announced how quickly or broadly it will open access, so you may need to be patient.

VPNs have been having a moment recently. The once-niche way to protect your online behavior took off, in part, due to massive marketing budgets and influencer collaborations convincing consumers they can solve all your security woes. But deciding the best option for your browsing needs requires digging through claims of attributes that aren’t always totally accurate. That has made it harder to figure out which one to subscribe to, or if you really need to use one at all. We tested out nine of the best VPNs available now to help you choose the best one for your needs.

What you should know about VPNs

VPNs are not a one-size-fits-all security solution. Instead, they’re just one part of keeping your data private and secure. Roya Ensafi, assistant professor of computer science and engineering at the University of Michigan, told Engadget that VPNs don’t protect against common threats like phishing attacks, nor do they protect your data from being stolen. But they do come in handy when you’re connecting to an untrusted network somewhere public because they tunnel and encrypt your traffic to the next hop.

In other words, VPNs mask the identity of your computer on the network and create an encrypted "tunnel" that prevents your internet service provider from accessing data about your browsing history. Even then, much of the data or information is stored with the VPN provider instead of your ISP, which means that using a poorly designed or unprotected network can still undermine your security.

That means sweeping claims that seem promising, like military-grade encryption or total digital invisibility, may not be totally accurate. Instead, Yael Grauer, program manager of Consumer Reports’ online security guide, recommends looking for security features like open-source software with reproducible builds, up-to-date support for industry-standard protocols like WireGuard, IPsec or PPTP and the ability to defend against attack vectors like brute force.

Who are VPNs really for?

Before considering a VPN, make sure your online security is up to date in other ways. That means complex passwords, multifactor authentication methods and locking down your data sharing preferences. Even then, you probably don’t need to be using a VPN all the time.

“If you're just worried about somebody sitting there passively and looking at your data then a VPN is great,” Jed Crandall, an associate professor at Arizona State University, told Engadget.

If you use public WiFi a lot, like while working at a coffee shop, then VPNs can help keep your information private. They’re also helpful for hiding information from other people on your ISP if you don’t want members of your household to know what you’re up to online.

Geoblocking has also become a popular use case as it helps you reach services in other parts of the world. For example, you can access shows that are only available on Netflix in other countries, or play online games with people located all over the globe.

Are VPNs worth it?

Whether or not VPNs are worth it depends how often you could use it for the above use cases. If you travel a lot and rely on public WiFi, are looking to browse outside of your home country or want to keep your traffic hidden from your ISP, then investing in a VPN will be useful. But, keep in mind that VPNs often slow down your internet speed, so they may not be ideal all the time.

We recommend not relying on a VPN as your main cybersecurity tool. It can provide a false sense of security, leaving you vulnerable to attack. Plus, if you choose just any VPN, it may not be as secure as just relying on your ISP. That’s because the VPN could be based in a country with weaker data privacy regulation, obligated to hand information over to law enforcement or linked to weak user data protection policies.

For users working in professions like activism or journalism that want to really strengthen their internet security, options like the Tor browser may be a worthwhile alternative, according to Crandall. Tor is free, and while it's less user-friendly, it’s built for anonymity and privacy.

How we tested

To test the security specs of different VPNs, we relied on pre-existing academic work through Consumer Reports, VPNalyzer and other sources. We referenced privacy policies, transparency reports and security audits made available to the public. We also considered past security incidents like data breaches.

We looked at price, usage limits, effects on internet speed, possible use cases, ease of use and additional “extra” features for different VPN providers. The VPNs were tested across an iPhone, Google Pixel and Mac device so we could see the state of the apps across various platforms. We used the “quick connect” feature on the VPNs to connect to the “fastest” provider available when testing internet speed, access to IP address data and DNS and WebRTC leaks or when a fault in the encrypted tunnel reveals requests to an ISP.

Otherwise, we conducted a test of geoblocking content by accessing Canada-exclusive Netflix releases, a streaming test by watching a news livestream on YouTube via a Hong Kong-based VPN and a gaming test by playing on servers in the United Kingdom. By performing these tests at the same time, it also allowed us to test claims about simultaneous device use.

VPNs we tested:

• ExpressVPN

• NordVPN

• Surfshark

• Proton VPN

• TunnelBear

• Bitdefender VPN

• CyberGhost

• Windscribe

• Atlas VPN

Best VPN overall: ProtonVPN

The VPNs we tried out ranked pretty consistently across all of our tests, but ProtonVPN stood out as a strong option because of its overall security and ease of use. The Proton Technologies suite of services includes mail, calendar, drive and a VPN known for its end-to-end encryption. This makes it a strong contender for overall security, but its VPN specifically came across as a well-rounded independent service.

ProtonVPN’s no-logs security policy has passed audits, and the company has proven not to comply with law enforcement requests. Because it is based in Switzerland, there are no forced logging obligations, according to the company. Plus, it’s based on an open-source framework, and has an official vulnerability disclosure program along with clear definitions on what it does with personal information.

While ProtonVPN offers a free version, it’s limited compared to other options with access to servers in just three countries. Its paid version, starting at about $5.39 per month, includes access to servers in more than 65 countries on 10 devices at a time. For dedicated Proton Technologies users, they can pay closer to $8.63 each month for access to the entire suite.

ProtonVPN passed our geoblock, streaming and gaming tests with only a very small toll on internet speed. It also comes with malware-, ad- and tracker-blocking as an additional service. It’s available on most major operating systems, routers, TV services and more including Firefox, Linux and Android TV.

Best free VPN: Windscribe

By signing up for Windscribe with your email, users can access 10GB per month of data, unlimited connections and access to more than 10 countries. We selected it as the best free VPN because of its high security and wide range of server options compared to other free VPNs. It has over 500 servers in over 60 countries, according to the company, and can be configured to routers, smart TVs and more on top of the usual operating systems.

Windscribe doesn’t have a recent independent security audit, but it does publish a transparency report showing that it has complied with zero requests for its data, runs a vulnerability disclosure program encouraging researchers to report flaws and offers multiple protocols for users to connect with.

On top of that, it’s easy to use. The set up is intuitive and it passed our geoblock, streaming and gaming tests. The paid version costs $5.75 to $9 each month, depending on the plan you choose, and includes unlimited data, access to all servers and an ad/tracker/malware blocker. Or, for $1 per location per month, users can build a plan tailored to the VPNs they want to access.

Best for frequent travel, gaming and streaming: ExpressVPN

We picked the best VPN for travel, gaming and streaming based on which one had access to the most locations with high speed connections and no lag. ExpressVPN met all those criteria.

An internet speed test measured faster upload and download speed compared to using no VPN, practically unheard of compared to the other VPNs tested. But this is likely a fluke due to the VPN service circumventing traffic shaping by the ISP or another disparity because even top VPNs will in some way slow down speeds. With 2,000 servers in 160 cities, according to the company, it had one of the broadest global reaches. It also passed our geoblock, streaming and gaming tests, and it does regular security audits. Subscription costs range from $8.32 to $12.95 per month depending on the term of the plan, and include a password manager.

With ExpressVPN, users can connect to up to five devices at once, which is on the lower side compared to other services. That said, it works on a bunch of devices from smart TVs to game consoles unlike some other services that lack support beyond the usual suspects like smartphones and laptops.

Best cross-platform accessibility: CyberGhost

Because several VPN services connect to routers, cross-platform accessibility isn’t always necessary. By connecting a VPN to your home router, you can actually connect to however many devices you have in your household, as long as they all access the internet through that router.

But if you use VPNs on the go, and across several devices, being able to connect to a wide range of platforms will be indispensable. CyberGhost offers simultaneous connectivity on up to seven devices for $2.11 to $12.99 per month depending on subscription term. It supports several types of gadgets like routers, computers, smart TVs and more. It’s similar to the support that ExpressVPN offers, but CyberGhost provides detailed instructions on how to set up the cross-platform connections, making it a bit more user-friendly for those purposes.

From a security perspective, CyberGhost completed an independent security audit by Deloitte earlier this year, runs a vulnerability disclosure program and provides access to a transparency report explaining requests for its data. While it did pass all of our tests, it’s worth noting that we had trouble connecting to servers in the United Kingdom and had to opt to run our gaming test through an Ireland-based server instead.

Best for multiple devices: Surfshark

As we mentioned before, connecting to a router can provide nearly unlimited access to devices in a single household. But Surfshark is one of few VPNs that offer use on an unlimited number of devices without bandwidth restrictions, according to the company. And you get that convenience without a significant increase in price: Surfshark subscriptions cost about $2.49 to $12.95 per month, and the company recently conducted its first independent audit.

We ran into some trouble connecting to Surfshark’s WireGuard protocol, but tested on an IKEv2 protocol instead. It was a bit slow and struggled to connect for our geoblock test at first, but ultimately passed. What makes it different from other VPNs with unlimited connection options is that it has access to more servers and is available on more types of devices.

AI Chatbots are relatively old by tech standards, but the newest crop — led by OpenAI's ChatGPT and Google's Bard — are vastly more capable than their ancestors, not always for positive reasons. The recent explosion in AI development has already created concerns around misinformation, disinformation, plagiarism and machine-generated malware. What problems might generative AI pose for the privacy of the average internet user? The answer, according to experts, is largely a matter of how these bots are trained and how much we plan to interact with them

In order to replicate human-like interactions, AI chatbots are trained on mass amounts of data, a significant portion of which is derived from repositories like Common Crawl. As the name suggests, Common Crawl has amassed years and petabytes worth of data simply from crawling and scraping the open web. “These models are training on large data sets of publicly available data on the internet,” Megha Srivastava, PhD student at Stanford's computer science department and former AI resident with Microsoft Research, said. Even though ChatGPT and Bard use what they call a "filtered" portion of Common Crawl's data, the sheer size of the model makes it "impossible for anyone to kind of look through the data and sanitize it,” according to Srivastava.

Either through your own carelessness or the poor security practices by a third-party could be in some far-flung corner of the internet right now. Even though it might be difficult to access for the average user, it's possible that information was scraped into a training set, and could be regurgitated by that chatbot down the line. And a bot spitting out someone's actual contact information is in no way a theoretical concern. Bloomberg columnist Dave Lee posted on Twitter that, when someone asked ChatGPT to chat on encrypted messaging platform Signal, it provided his exact phone number. This sort of interaction is likely an edge case, but the information these learning models have access to is still worth considering. "It’s unlikely that OpenAI would want to collect specific information like healthcare data and attribute it to individuals in order to train its models," David Hoelzer, a fellow at security organization the SANS Institute, told Engadget. “But could it inadvertently be in there? Absolutely.”

Open AI, the company behind ChatGPT, did not respond when we asked what measures it takes to protect data privacy, or how it handles personally identifiable information that may be scraped into its training sets. So we did the next best thing and asked ChatGPT itself. It told us that it is "programmed to follow ethical and legal standards that protect users’ privacy and personal information" and that it doesn't "have access to personal information unless it is provided to me." Google for its part told Engadget it programmed similar guardrails into Bard to prevent the sharing of personally identifiable information during conversations.

Helpfully, ChatGPT brought up the second major vector by which generative AI might pose a privacy risk: usage of the software itself — either via information shared directly in chatlogs or device and user information captured by the service during use. OpenAI’s privacy policy cites several categories of standard information it collects on users, which could be identifiable, and upon starting it up, ChatGPT does caution that conversations may be reviewed by its AI trainers to improve systems. 

Google's Bard, meanwhile, does not have a standalone privacy policy, instead uses the blanket privacy document shared by other Google products (and which happens to be tremendously broad.) Conversations with Bard don't have to be saved to the user's Google account, and users can delete the conversations via Google, the company told Engadget. “In order to build and sustain user trust, they're going to have to be very transparent around privacy policies and data protection procedures at the front end,” Rishi Jaitly, professor and distinguished humanities fellow at Virginia Tech, told Engadget.

Despite having a "clear conversations" action, pressing that does not actually delete your data, according to the service’s FAQ page, nor is OpenAI is able to delete specific prompts. While the company discourages users from sharing anything sensitive, seemingly the only way to remove personally identifying information provided to ChatGPT is to delete your account, which the company says will permanently remove all associated data.

Hoelzer told Engadget he’s not worried that ChatGPT is ingesting individual conversations in order to learn. But that conversation data is being stored somewhere, and so its security becomes a reasonable concern. Incidentally, ChatGPT was taken offline briefly in March because a programming error revealed information about users’ chat histories. It's unclear this early in their broad deployment if chat logs from these sorts of AI will become valuable targets for malicious actors.

For the foreseeable future, it's best to treat these sorts of chatbots with the same suspicion users should be treating any other tech product. “A user playing with these models should enter with expectation that any interaction they're having with the model," Srivastava told Engadget, "it's fair game for Open AI or any of these other companies to use for their benefit.”

Humanity took another step towards its Ghost in the Shell future on Tuesday with Microsoft's unveiling of the new Security Copilot AI at its inaugural Microsoft Secure event. The automated enterprise-grade security system is powered by OpenAI's GPT-4, runs on the Azure infrastructure and promises admins the ability "to move at the speed and scale of AI."

Security Copilot is similar to the large language model (LLM) that drives the Bing Copilot feature, but with a training geared heavily towards network security rather than general conversational knowledge and web search optimization. "This security-specific model in turn incorporates a growing set of security-specific skills and is informed by Microsoft’s unique global threat intelligence and more than 65 trillion daily signals," Vasu Jakkal, Corporate Vice President of Microsoft Security, Compliance, Identity, and Management, wrote Tuesday. 

“Just since the pandemic, we’ve seen an incredible proliferation [in corporate hacking incidents],"Jakkal told Bloomberg. For example, “it takes one hour and 12 minutes on average for an attacker to get full access to your inbox once a user has clicked on a phishing link. It used to be months or weeks for someone to get access.”

Security Copilot should serve as a force multiplier for overworked and under-supported network admins, a filed which Microsoft estimates has more than 3 million open positions. "Our cyber-trained model adds a learning system to create and tune new skills," Jakkal explained. "Security Copilot then can help catch what other approaches might miss and augment an analyst’s work. In a typical incident, this boost translates into gains in the quality of detection, speed of response and ability to strengthen security posture." 

Jakkal anticipates these new capabilities enabling Copilot-assisted admins to respond within minutes to emerging security threats, rather than days or weeks after the exploit is discovered. Being a brand new, untested AI system, Security Copilot is not meant to operate fully autonomously, a human admin needs to remain in the loop. “This is going to be a learning system,” she said. “It’s also a paradigm shift: Now humans become the verifiers, and AI is giving us the data.”

To more fully protect the sensitive trade secrets and internal business documents Security Copilot is designed to protect, Microsoft has also committed to never use its customers data to train future Copilot iterations. Users will also be able to dictate their privacy settings and decide how much of their data (or the insights gleaned from it) will be shared. The company has not revealed if, or when, such security features will become available for individual users as well.

Google One is expanding its security features. First, Google is making its virtual private network (VPN) available to all subscribers at no extra cost. A VPN for Google One members was first introduced in October 2020, but only for those on plans with at least 2TB of storage. The 2TB plan costs $10 per month or $100 per year, but you now won't need to pay that much to access Google's VPN.

Starting today and over the next few weeks, Google will open up access to the VPN across all plans. That includes the Basic $2 per month option, which gives you 100GB of storage across your Google account. The VPN will be available in 22 countries on Android, iOS, Windows and Mac devices. You'll be able to share it with up to five other people who are on your One plan.

The VPN will hide your internet activity from hackers and network operators. Google says. The company claims it will "never use the VPN connection to track, log, or sell your online activity."

Elsewhere, Google is adding another feature to help One subscribers protect themselves. A dark web report, which the company will start rolling out to members in the US over the next few weeks, can scan the dark web for your personal details to check if your information has been included in a data breach.

You can select which details — such as your name, address, email, phone number and Social Security Number — you'd like Google to look out for on your monitoring profile. Google says it will handle this data according to its privacy policy. You can remove the details from your profile at any time and ask Google to stop monitoring the dark web for your information, if you prefer.

If Google finds your tracked information on the dark web, it'll notify you and offer some suggestions on how to protect yourself. It says that, for instance, if it spots your Social Security number, you might want to report it as stolen and take action to protect your credit. The report will also highlight information potentially related to you beyond the details you add to your monitoring profile.

Google has been adding other features to One beyond security measures and extra storage. It revealed in February that subscribers can access the Magic Eraser feature in Google Photos. Before then, the feature was only available on Pixel 6 and Pixel 7 devices.

Valve is giving Steam Deck users with slow internet connections or bandwidth caps a new way to install games on their devices. The latest Steam and Steam Deck betas add local network game transfers, a feature that allows you to copy existing files from one PC to another over a local area network. Valve says the tool can reduce internet traffic and lessen the time it takes to install games and updates since you can use it to bypass the need to connect to a Steam content server over the internet.

“Local Network Game Transfers are great for Steam Deck owners, multi-user Steam households, dorms, LAN parties, etc,” the company points out. “No more worries about bandwidth or data caps when all the files you need are already nearby.” Once you’ve installed the new software on your devices, Steam will first check if it can transfer a game installation or set of update files over your local network before contacting a public Steam content server. If at any point one of the devices involved in the transfer is disconnected from your local network, Steam will fall back to downloading any necessary files from the internet.

By default, the feature is set to only work between devices logged into the same Steam account, but you can also transfer files between friends on the same local area network. It’s also possible to transfer to any user on the same network, which is something you would do during a LAN tournament. Valve has published a FAQ with more information about local network game transfers, including details on some of the limitations of the feature, over on the Steam website.