Anyone Tried the Winston Security Device?

Has anyone had a chance to look at or review the Winston Security box? Looks promising, but I can’t help but think it’s a glorified firewall with built in VPN.

Is it tracking us and not telling us?

All thoughts welcome.
https://get.winstonprivacy.com/products/privacytool/?gclid=EAIaIQobChMI3ZK3qZWZ6gIVA5yzCh3wlQUiEAAYASAAEgINqPD_BwE

3 Likes

If you’re concerned over tracking, I recommend FreedomBox which is all free and open source software and hardware, which recently became available in the US at a fraction of its price ordered direct from OLIMEX which was why I hadn’t gotten one up to now:

https://www.mouser.com/ProductDetail/Olimex-Ltd/Pioneer-FreedomBox-HSK-US?qs=%2Fha2pyFadug%2BEX8tIH3MTHF7XcwtOeA8YQNOe%2Frl1esfG7VIk%2FTDiw%3D%3D

2 Likes

It says it can block cookies, so that means it has to proxy ALL your traffic. In order for this to work it has to basically be a man in the middle for all your network activities. This means encrypted traffic with your bank. If you don’t know enough about this company (thus the reason why you posted here), do you trust them with that information?

2 Likes

Thank you for the recommendation. The Freedom box looks interesting. How do you find it performing for you?
It’s an interesting point about the man in the middle. Hard to trust a company that hasn’t proven itself, however what do I really know about my VPN or ISP that I use?

1 Like

Technical info starts here:
https://winstonprivacy.com/pages/technology

Interesting device, definitely not just an ordinary firewall plus VPN appliance.
With a $99.00US annual fee they should be able to keep the service running after hardware sales slow (unlike other companies, e.g. Wink).

2 Likes

To be clear, for the device to meet the stated goals, it will be required to see inside encrypted traffic. This means you will be required to install a certificate (it will provide) on all your devices it is to work with. This means it will see the cleartext of your otherwise encrypted traffic, something your VPN or ISP would never have. This is the same trick that corporate firewalls do so they’re not stymied by encrypted traffic.

2 Likes

I’m ashamed to admit, @Hangryghost, that other priorities have had to take precedence in the pandemic so I haven’t yet placed my order. If you trust Raspberry Pi enough and can administer builds yourself, the FreedomBox project if I’m not mistaken can run on a variety of hardware. FreedomBox the specific hardware from OLIMEX is the only ready-made retail that is fully open-source and free (other than cost of materials, but free as in unrestrictive upon the user/owner). Your choice, there. Actually, I’m just as curious as you!

1 Like

My opinion is it smells fishy and I would personally avoid. Not that I think they are evil but spider sense tingle with the site/claims/info.

Examples of why I do not like the feeling I get. Where you derive your feelings from/World view may differ. This is just my opinion and understanding of what I see. After a quick look:

This smacks of misleading consumers as normally this type of graphic shows clients of a company not a works with statement. Trying to make themselves look bigger/professional/legit? I do not think the general target audience of a device like this would even think about compatibility with services.

No “real” details about who the company is/who runs the company, just more BS marketing speak. No telephone numbers.
https://winstonprivacy.com/pages/about-us
https://support.winstonprivacy.com/support/tickets/new

I have now found this. I would have liked some references to back up the statements.
https://winstonprivacy.com/blogs/articles/why-i-started-winston

Set up site does not have HTTPS certificate. Maybe there is a technical reason for this.
http://setup.winstonprivacy.com/requirements

Another throw away misleading statement: https://winstonprivacy.com/pages/technology

SECURITY
Impervious to Spectre and Meltdown, ARM Trusted Firmware

Does this mean other people will be using your bandwidth and IP as an exit? And access to your Winston box potentially? Through other Winston Devices… Botnet anyone!

Peer-to-Peer Privacy Mesh

Winston’s proprietary Privacy Mesh automatically routes your traffic through numerous other Winston devices, selecting new peers every 10 minutes. Your traffic is mixed anonymously with that of other users, making it impossible for trackers to connect individual users with their IP addresses.

Does Winston anonymize my location?

Yes. Winston anonymizes your location by randomly routing every requested domain to a new exit point every 10 minutes. This ensures complete privacy and prohibits third parties from tracking your location.

Comparing Telegram and Signal… Yes both use encryption but very very differently. Signal is open source and you have the key. Telegram… who knows as they will not say how it works. Who has the encryption keys with Winston? Which encryption system/implementation? WhatsApp uses Signal’s encryption but they are not the same as WhatsApp keeps/holds the encryption key.

We designed our technology specifically so that we cannot ever see or decrypt your internet activity (similar to Telegram and Signal).

Does Winston log my internet activity?

Winston Privacy does not log any internet activity which goes over our network. In fact, we designed our technology specifically so that we cannot ever see or decrypt your internet activity (similar to Telegram and Signal). Your personal internet activity is retained on your local Winston device for up to seven days so that you can see what sites attempted to track you. This information is stored only on your device and is never exposed to Winston Privacy or the internet. After 7 days, your data is automatically permanently deleted from your local Winston device. You can disable local storage of your personal internet activity on your Winston in the “Advanced Settings” section of your local Winston website (http://winston.conf). Please note that if you do so, you will not be able to view any activity occurring on your local network.

COMPLETELY ANONYMOUS! I think you would be able to charge a bit more :laughing: Plus so much more bs in this quote. https://winstonprivacy.com/blogs/articles/what-is-a-server-brute-force-attack-winston-privacy

Keep Your IP Address Safe From Prying Eyes – Try Winston Today!

One of the most important things you can do to protect yourself from hackers is to hide your IP address. Unfortunately, a lot of the VPN services don’t do this as well as promised. But Winston is different.

Winston is a hardware-based VPN alternative that keeps your data safe and protected 24/7 because it constantly scrambles your IP address, thus allowing you to remain completely anonymous online. Winston is faster, more powerful, more secure and more effective than any VPN on the market. It stops tracking in its tracks. But as effective as it is, it’s remarkably easy to set up. Just connect it inline between your Internet connection and your modem/router, turn it on and you’re protected.

More rubbish https://winstonprivacy.com/blogs/articles/why-is-my-vpn-disconnecting

More half truths/FUD: https://winstonprivacy.freshdesk.com/support/solutions/articles/48000963348-what-does-winston-do-that-my-adblocker-doesn-t-

Advertisers pay ad blocking companies to bypass their blocklists, whereas with Winston you can control your own block lists in addition to the daily updates you’ll receive as part of your subscription. Most importantly, Winston is paid for by YOU and does not accept any such data sharing deals. Remember, if the product is free, you’re the product.

Also, ad blockers use up memory, slowing down your computer and occasionally crashing your browser as they run. In contrast, Winston speeds up your web browsing by blocking tracking scripts.

Says that Pi-Hole does not encrypt DNS. Pi-Hole does. The rest of the page has claims about the differences too, which I have not confirmed are wrong/misleading, which I think they are but I would need to check: https://winstonprivacy.freshdesk.com/support/solutions/articles/48000963349-why-not-just-use-a-pi-hole-

  • DNS encryption, with protection against DNS rebinding attacks.

So Winston does not block ads/tracking in HTTPS traffic; you have to add a browser plugin. So basically you can just use open source uBlock Origin for this instead: https://support.winstonprivacy.com/support/solutions/articles/48000963321-how-does-winston-protect-https-pages-from-trackers-

How does Winston protect HTTPS pages from trackers?

Created by: Winston Privacy

Modified on: Fri, 13 Dec, 2019 at 10:05 AM

Winston incorporates several layers of anti-tracking technologies. At the network level, we utilize encryption, DNS blocking, and dynamic security filters to block or allow TLS traffic. However, modern surveillance methods typically embed tracking software within the encrypted TLS connection.

To fully protect against these tracking technologies, utilize the Winston Browser Extension.

LOL :rofl: Want to download or upload something? Winston drops privacy and uses your connection/IP: https://winstonprivacy.freshdesk.com/support/solutions/articles/48000963389-why-did-my-download-or-upload-fail-and-what-can-i-do-about-it-

Why did my download or upload fail and what can I do about it?

Created by: Ilya Soussa

Modified on: Thu, 12 Dec, 2019 at 3:06 PM

Winston will not route large files over the Distributed Privacy Mesh Network.

When Winston identifies that a process involves a large file download or upload, Winston will terminate the connection on the first try.

Simply try the download or upload again and Winston will not attempt to route it through the Distributed Privacy Mesh Network on the second attempt.

If the second attempt doesn’t go through, the page may need to be temporarily whitelisted, which can be done via the extension or https://my.winstonprivacy.com/whitelist

OMG! So if child porn uploader used Winston and exited from YOUR Winston device via http your IP would be registered for uploading the content as it would exit your Winston unencrypted?

Am I responsible for other users’ activity that is routed through my Winston via the Distributed Privacy Mesh Network?

Created by: Ilya Soussa

Modified on: Mon, 21 Oct, 2019 at 4:30 PM

Winston protects ordinary web traffic through ports 80/443, not file sharing or onion protocols, for example, which are the primary means of channeling illegal content. So, other users’ file sharing and onion protocols will not route through your Winston.

In addition, ordinary web traffic through the Privacy Mesh Network is double encrypted along with DNS, so detecting a specific Winston would be difficult.

Winston Privacy Terms of Service prohibit use of the Winston network for illegal activities and Winston reserves the right to terminate service accordingly. See our Terms of Service for more details.

More: https://support.winstonprivacy.com/support/solutions/articles/48000963323-blocking-trackers-during-ecommerce-check-out

Blocking trackers during eCommerce check out

Created by: Winston Privacy

Modified on: Fri, 13 Dec, 2019 at 10:11 AM

Many ecommerce sites (eBay, Etsy, Amazon, etc) utilize tracking scripts during checkout to reduce fraud. You may experience delays or inability to complete checkout with cloaking and/or filtering turned on. To complete the checkout process on these sites, you may need to temporarily allow tracking on these sites.

Short on info and more FUD about VPNs: https://support.winstonprivacy.com/support/solutions/articles/48000963392-how-does-winston-work-

How does Winston work?

Created by: Winston Privacy

Modified on: Thu, 12 Dec, 2019 at 12:29 PM

Winston is a hardware device. The device sits inline with your router and protects every device on your WiFi — all computers, tablets, phones and internet-enabled devices.

Winston also has a software component. Software in Winston is updated on an ongoing basis to insure that your protection is current, and there are browser extensions that allow you to manage your privacy on-the-fly while on the internet.

Winston works as a distributed private network — a decentralized platform, built on Ethereum, with no logging. Virtual private networks (VPNs) are not only unreliable but expose you to logging of your information.

Most importantly, Winston opts you out of invasive internet surveillance that compromises your security and identity. Winston resets the norm and makes internet privacy settings work for you — not on behalf of surveillance tracking.

Along with privacy, you get a cleaner browsing experience with no ads that also results in a faster browsing experience. Winston removes a massive amount of extra code from websites — tracking code that compromises your privacy. Because your browser doesn’t have to process that extra code, pages load significantly and noticeably faster.

If you’ve used VPNs, you know they are notoriously slow. Winston is not. In sharp contrast, Winston makes your internet experience faster, not slower, as it removes the tracking code to offer you online privacy.

For more information on how Winston works to provide a more secure and private Internet experience click here.

So in conclusion, I do not really need to go on. RUN FOR THE HILLS. The entire site is just full of FUD and BS. This is my opinion.

It seems to use other Winston box owners’ Winston boxes as an exit for your traffic. Your Winston box is also used for other people’s traffic on your internet connection. It does not seem to Man in the Middle your connection as it cannot read HTTPS traffic, which is why you have to use the Winston browser app, as it just acts as a normal browser ad-blocker apart from you have to pay for it.

Winston seems to be a VPN using other people’s internet and yours with Pi-Hole and uBlock Origin… Although they discount and throw shade on all these types of services individually.

I have tried not to get in to the technical aspects of why this is so wrong but if you have questions I will try and answer.

The whole concept, advertising and implementation are so bad. I am questioning my understanding as it looks too ridiculous to be real. I am not berating anyone who liked the idea and spiel of its claims with this statement. I enjoy tech and despise advertising shenanigans. Many people like to trust people and that is a good thing. I am tinfoil hat and talk is cheap outlook type.

IMPORTANT NOTES: I do not work in tech/IT and so I may be completely wrong about my interpretation/understanding of what Winston is and how it works. Please feel free to correct me as I like to learn/improve :slight_smile:

I have put references to my findings so you can look for yourself. Hope it helps :slight_smile:

P.S. I would love Steve to do an episode on this! :rofl:

4 Likes

Also the “works with these services” from the start of my last post.

If I am in UK and want to watch Netflix. How does Winston pick the exit server as if I get Stacey Higginbotham’s Winston box as an exit in Seattle I will get US Netflix. Will Stacey’s IP now get blocked by Netflix etc for being a proxy exit? Interesting.

I also wonder how well locked down the Winston box is and if you could MITM connections? Interesting.

1 Like

The whole site is not very confidence inspiring, very lacking in any real detail and they are “cheapskating” the “VPN” by pushing your traffic through other random Winston devices, which also means you will be servicing other people’s connections…

Not sure I’d be happy about that.

3 Likes

Long post and covers most of the points I’d thought, just looking at the advertising blurb. :+1:

Use PiHole and pfSense etc. you are in control, would be my advice.

I use a PiHole + Ubiquiti Unifi Secure Gateway, which is overkill for most people.

2 Likes

Awesome, I appreciate all the feedback!
I will keep an eye on it as it intrigues me and I think there’s more to learn about how it works and what it collects. If it works like a corporate firewall with certs for each device, I’m OK with that, but if it makes a Tor-like network, I am uncertain of that. I don’t really want others’ stuff on my network. It is interesting.
For now I will play around with a Pi-hole.

1 Like

Also the trolling that could ensue. Although in theory you would not know your victim. You could go on your Winston box to connect to some forum and say undesirable things and the poor person that your Winston box connected through has the possibility of being at the end of a DDOS.

Although it could work in your favor as you could blame your P2P stealing on someone else passing through your Winston box. Of course you could be on the receiving end too.

It would be great for account compromises too as you could have a local domestic IP to raise less flags.

I wonder how Winston mitigates abuse.

1 Like

You do bring up a very interesting point. I wonder how or if they are dealing with this? Maybe they swept it under the rug hoping people wouldn’t catch on to the abuse potential of the device.

1 Like

More info from the Netgate forum (pfSense) with apparent replies from the maker. I did not find it convincing although some interesting info. The link to the Winston test site the Winston maker provides also has an expired SSL cert too. It is not a good sign really if you cannot keep your certs current when selling a security/privacy device. What lapses are in a much more complicated Winston box? https://forum.netgate.com/topic/143609/winston-privacy-device-which-technology


http://demos.winstonprivacy.com/

4 Likes
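
A way to check the two certificate points raised in this thread (a box that reads encrypted traffic has to re-sign it with its own installed certificate, and a site with a lapsed cert). This is an added example, not part of any post and not Winston's code. The issuer names, sample certificates and `EXPECTED` set are constructed for illustration; `fetch_cert` returns the same dict shape from a live host.

```python
import socket
import ssl
from datetime import datetime, timezone

def issuer_org(cert):
    """Issuer organizationName (else commonName) from an ssl.getpeercert() dict."""
    fields = {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}
    return fields.get("organizationName") or fields.get("commonName", "")

def audit_cert(cert, expected_issuers, now=None):
    """Return findings for one certificate; an empty list means nothing odd."""
    now = now or datetime.now(timezone.utc)
    findings = []
    org = issuer_org(cert)
    if org not in expected_issuers:
        # A box that re-signs TLS shows up as a different issuer on every site.
        findings.append(f"unexpected issuer: {org}")
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if expiry < now:
        findings.append(f"expired on {expiry:%Y-%m-%d}")
    return findings

def fetch_cert(host, port=443, timeout=5):
    """Fetch the certificate a live host presents (needs network access).
    An expired or untrusted chain raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def _cert(org, not_after):  # builds a constructed sample in getpeercert() shape
    return {"issuer": ((("organizationName", org),), (("commonName", org + " R1"),)),
            "notAfter": not_after}

# Constructed samples; the issuer names are made up for illustration.
DIRECT = _cert("Example Public CA", "Dec 31 23:59:59 2020 GMT")
RESIGNED = _cert("Home Gateway Local CA", "Dec 31 23:59:59 2020 GMT")
LAPSED = _cert("Example Public CA", "Jun  1 00:00:00 2020 GMT")
EXPECTED = {"Example Public CA"}  # issuer recorded from a network you trust
CHECK_TIME = datetime(2020, 7, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, cert in (("direct", DIRECT), ("re-signed", RESIGNED), ("lapsed", LAPSED)):
        print(name, audit_cert(cert, EXPECTED, now=CHECK_TIME) or "ok")
```

Record the expected issuer for a given site from a connection that does not pass through the device, then compare it with what the same site presents from behind the device.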

hahaha, A security company is only as valid as their security cert

2 Likes

Here’s another alternative I just learned exists, from Purism, the Euro folks behind the Librem phone and laptop who go about as far for privacy and user empowerment as anyone I’ve yet heard of in consumer devices:

https://shop.puri.sm/shop/librem-mini/

1 Like