84 comments

[ 0.18 ms ] story [ 142 ms ] thread
It'd be neat if there were an app for one-click deployment of OpenVPN using one's own AWS or Azure account. That would be much safer than picking from a list of shady VPN providers.
No, it wouldn't. You're the only one passing traffic through such a VPN, which means it's trivially reduced to unique bits of information that can identify you for anyone on the other end of your browser.

When many people share a VPN, your traffic is far more noisy and obfuscated .

Except in the context of the FCC ruling, the purpose of the VPN is not to obfuscate your IP from the websites you go to.

The purpose is to hide the traffic from your internet provider.

You're just shifting that responsibility to the server provider in that case. You have more privacy protections from your ISP than you do from someone you rent a server from.
> You have more privacy protections from your ISP

What protections do we have from ISPs now?

They aren't allowed to sell or release personal identifiable information. That's not the case for server providers as they aren't considered carriers, and thus aren't beholden to the Telecommunications Act of 1986 in the same way your ISP is.
That seems like that could get rather expensive in terms of bandwidth. From some napkin math I did using https://aws.amazon.com/ec2/pricing/on-demand/, even 100GB of data would cost $9. That doesn't even include the cost of reserving the instance itself, just the bandwidth costs.
Azure costs the same for network, apparently (up to 40TB), providing that you stay within US/UK/Canada. [0]

Google Cloud is supposedly cheaper in terms of network ($0.01/GB -> $1 for 100GB) if you're primarily visiting US sites [1]. Still potentially expensive either way, depending on your network usage.

You could use an always-free f1-micro GCE instance [2] and run OpenVPN on it 24/7, although configuration might take a bit of time (read: half an hour, tops? I'm assuming it's no harder than the equivalent software-based option on EC2).

I know on the other hand, Amazon's always-free tier doesn't include EC2 (it is included in their free tier, but that only lasts for 12 months). [3]

Disclaimer: Google pays me money to write code and stuff, so I'm probably biased. I've also never actually used GCE, but that's because I still have a bunch of AWS credits, among other reasons.

[0] https://azure.microsoft.com/en-us/pricing/details/bandwidth/ [1] https://cloud.google.com/compute/pricing#general [2] https://cloud.google.com/free/ [3] https://aws.amazon.com/free/

There are only 2 trusted solutions in this space: Algo [1] and Streisand [2], and Algo is generally considered safer.

[1] - https://github.com/trailofbits/algo

[2] - https://github.com/jlund/streisand

Who has decided all others are not trusted? What makes one safer than the other? What does 'safer' even mean in this context?
Industry experts like Kenneth White, who wrote the following: https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa
Damn, I wish that people would stop citing this without providing context. He is writing here about bog-standard IPsec with shared PSKs. He is not talking about OpenVPN. See where he writes:

> Yes, I know. Many/most of these offer OpenVPN, or special clients for IPSec. But for all of the above, they are actively placing a significant portion of their user base (particularly those with older Androids and desktops) at risk by not using per-user PSKs.

Simpler solution is just to move to a saner country: Canada, Australia, New Zealand, the UK (for now) etc. Places where ISPs don't operate as monopolies, and/or places where the government isn't completely for profit.
The UK has awful internet/privacy laws, much worse than the US even.

https://en.wikipedia.org/wiki/Internet_censorship_in_the_Uni...:

"The country was listed among the "Enemies of the Internet" in 2014 by Reporters Without Borders,[6] a category of countries with the highest level of internet censorship and surveillance that "mark themselves out not just for their capacity to censor news and information online but also for their almost systematic repression of Internet users".[7] Other major economies listed in this category include China, Iran, Pakistan, Russia and Saudi Arabia."

Surprisingly, I think that less developed countries are doing better than the top X developed countries. For example, I'm from the former Yugoslav region. Other than the occasional filtering by the mobile providers to give people free access to Facebook/WhatsApp/Instagram/whatever, the governments simply don't care about reducing Internet freedoms, and, even if they do, they don't have the capacity (or knowledge) to do so.

Out Internet connections might not be the best (I'm paying about 20e for 80/20 Mbps), but being able to run a Tor exit node for years (before switching to running a hidden bridge) without being worried about having cops at your doors is something nice to have.

You can't even get into trouble by pirating because it's a small market, and major studios don't have offices in those less developed countries.

The only registered way you could possibly get in trouble by pirating is by using pirated Windows licenses in your business, since Microsoft is the only tech company that actually has offices in this region and enforces copyright in local courts.

On a forum where there are a lot of software​ developers, the fact that their work can freely be stolen "because it's a small market" may not be as much of a selling point as you'd think.
Your daily reminder that this ruling was that an overreach of power was made by the FCC, not that Republicans are hungry for the blood of orphans.

https://www.forbes.com/sites/larrydownes/2017/03/30/why-cong...

It's still completely worthwhile to have conversations about privacy and what the proper limits of power are for Congress and the FCC here, but we're so deep into 1984 that both sides of the political spectrum are screaming how WE HAVE ALWAYS BEEN AT WAR and your only choice is if you prefer to have always been at war with EASTASIA or OCEANIA.

Lest anyone say this is oversimplified, from Ars:

"Republicans argue that the Federal Trade Commission should regulate ISPs' privacy practices instead of the FCC. But the resolution passed today eliminates the FCC's privacy rules without any immediate action to return jurisdiction to the FTC, which is prohibited from regulating common carriers such as ISPs and phone companies."

Sure its doublespeak to repeal the FCC side of things and promise FTC protection when you know the FTC has no jurisdiction. It's also ridiculous to say that eliminating an overreach by the FCC (debatable) would be a moral wrong when stood on its own.

The fact that you call this an overreach belies your party affiliation, and the ulterior motivation behind how your comment is worded. It doesn't matter which party is acting against our interests, we have to fight it. The DMCA was introduced by a Republican, but the president at the time who signed it into law was a Democrat and it's terrible. A younger, less coordinated tech community fought it by lost. SOPA was introduced by a Republican but had numerous sponsors were Democrats. It would have been terrible but it didn't pass (thankfully).

We haven't been sold 1984, we've elevated the tribalism of American football to American politics. If you are a Republican, then President Trump can do no wrong, and if you're a Democrat neither could President Obama. The tech that the tech community is responsible for operating doesn't have a party​ allegiance, but it is run by people that, yes, support the Democrats and their position that orphan-blood-as-youth-serum isn't proven by science and should continue to be illegal, but if the Republicans adopted tech friendly policies over corporate interests then they'd find more support from people in tech sector.

As Brian notes, VPNs can leak DNS lookups and IPv6 traffic. There can also be leaks if the uplink gets interrupted. So one should use either the VPN's DNS server, or a reliable third-party DNS server. One should also have firewall rules that allow only connections to the VPN server on the physical network adapter. All other traffic, including DNS lookups, should be restricted to the VPN tunnel.
There's also the side-channel leak that occurs when you connect to an authenticated service on your regular connection (e.g. Skype), and then again through your VPN. It identifies you as a user of the VPN and can provide patterns that hint at which VPN traffic is yours. Multiply this by the number of services (including ones you don't know you use, e.g. Windows background services).

WebRTC leaks your real IP as well, and cannot be disabled on Chromium based browsers. It's becoming an increasingly popular technology.

I'd like to see mainstream operating systems support isolation for connections.

There is an official (from Google) chrome extension to route WebRTC traffic through your VPN ip address: https://chrome.google.com/webstore/detail/webrtc-network-lim...
I thought the consensus on such plugins was that they didn't work reliably. It's been a while since I looked into it, but back when I tested this plugin, my browser failed an online WebRTC leak test.
If firewall rules block everything except for connections to the VPN server, no connection to anything "on your regular connection" is possible. One can use the built-in Windows firewall. That also prevents WebRTC leaks.

It's a lot harder to secure smartphones, where firewalls are entirely nontrivial.

Use a VPN client on your router, it'll protect you against WebRTC leaks and it'll automatically work for your phone and other devices. Asus routers have VPN support out of the box, for other routers you can use OpenWrt/DD-WRT etc.
The issue is I also need to access certain sites/services without a VPN. Some services think you're trying to game them if you connect through a VPN (Netflix, Steam...) and there's a risk of being penalized.
Steam? I am currently using Steam with AIRVPN and have not experienced any problems at all.
As I understand it, while in practice you'll easily be able to fly under the radar, if you purchase something that happens to be priced differently in the VPN region vs. your real region, you can get banned.

https://www.reddit.com/r/Steam/comments/2ugf53/so_how_does_t...

So, you can generally get away with it as long as you don't buy things that happen to use regional pricing / region locking. Not a great compromise.

In general, using VPNs is against their policy. But more importantly, Steam support is non-existent. If you get banned, it's a complete dice roll whether you can reach anyone at Valve, let alone restore your account.

I can't imagine losing thousands of dollars worth of games, and even if the risk is minute, I'm not prepared to take it.

> I can't imagine losing thousands of dollars worth of games, and even if the risk is minute, I'm not prepared to take it.

Yep, another case where piracy is strictly better. Unless you enjoy being a serf who can be told "Fuck off and die" at any time.

When will people learn?

Wow, I don't game, so had no clue.

Steam's policies rather make piracy the smart option.

Sad :(

Oh damn, I had no clue about this. I don't really game anymore, so I don't tend to buy anything on steam and have used it mostly for the occasional single player game and as a chat client.

Guess I don't want to risk these bans so I'll stop connecting to Steam through my VPN. Thanks for the info!

I'm not sure if that's wise, if you've always been making purchases through the VPN, it's possible Steam thinks the VPN location is your "normal" location. In that case, making the switch would trip the alarm so to speak.

I really don't know for sure though. Their policy is a mess and their tech support is reminiscent of the automated shenanigans of the bots from Portal.

I think the idea is preventing people in the US from buying games at, say, Russian prices and thus "gaming" the system (which incidentally creates one hell of a debate about globalization).

Yeah I considered that too, but I have not actually made purchases through the VPN. I did not buy any games anymore for quite some years as I stopped gaming as much, thus when I started using the VPN it was only to talk to friends and play the occasional game, all after a long time of not being logged in :-)

And indeed, it's probably about the pricing of games in different regions!

This is a good point, and I make a habit of using a VPN with robust DNS leak protection (there are only a few I know of). My concern long-term is a kind of soft pressure to abandon it by upping CAPTCHA challenges, and that kind of thing. I realize that abuse from these networks is a real problem, but it would be a very easy way to "discourage" VPN use by a large company like Google too.
Cloudflare can be pretty bad. And some sites use blocklists that include known VPN exits, plus of course Tor exits. Some even include IP ranges assigned to low-end VPS providers.

It's pretty easy to block leaks, including DNS leaks, with firewall rules. At least, in Windows, OSX and Linux. For smartphones, you're better off using custom apps that have been confirmed as leak free.

I had a question[1] regarding this. Any Canadians here?

[1]: https://news.ycombinator.com/item?id=13983728

answered there, but copied here:

You should assume that every thing that happens in the US is happening in Canada. As a member of the Five Eyes, the G7, and G8, our policies are closely linked.

I believe that Canada's ISPs might have stricter data protection laws, but really you should have been using a VPN well before this latest policy change.

I live with someone else who pretty much controls the wifi/router (billing account) I pay for it too. Anyway, how do I explain the need to do this? Are there notable adverse effects besides being targeted for certain products. It's hard to argue with this person, whenever I bring up stuff like "Hey man, don't be so quick to connect to open wifi" meh... rah rah rah... and I'm not really great at arguing I'll admit and I can't prove/explain why it's bad to use free public WiFi. I just think of apps that are already logged in, and if they're not using HTTPs. "Packet sniffing" but what is that... hahaha my internet bandwidth says one thing, sad single man, no need to study my data hahaha

edit: also last time I tried to setup/use VPN's they either cost money or I couldn't get it to work. With regard to using Tor it's super laggy which is understandable.

Ahh well I think for now I'll be a "stick my head in the sand" guy since this seems like a lot of trouble to get more than one person to agree/implement it, especially being in my situation. Still sucks though, what the hell, always about the money.

You don't need to setup VPN in the router. Decent providers have Windows and OSX apps that just work. Getting leak-free VPN connections in smartphones is harder, however.
Why only smart phones?

Yeah I guess I was thinking when I considered having to make it work for both of us. Although... I don't know pretty tired right now can't quite think.

I didn't mean to imply "in the router" I meant route traffic to VPN, I mean I guess I wouldn't have to tell the other person that we're now using a VPN assuming the internet speed isn't affected, we're using the 1000Mbps Google Fiber (haha ridiculous I know)

edit: throttle = better? Can't seem to reply to your post. Oh well, I don't want to replace Reddit with Hacker News haha, I used to be on Reddit but banned myself. I talk too much, especially more important to my clients when I go through what I'm thinking/doing word for word on Slack for example Jesus... self control is my problem, case in point.

I don't know Android or iOS, so I'm just repeating what I've read. I vaguely understand that, because you lack administrative privileges, you can't readily control how particular apps access the Internet. Maybe someone could clarify for us?

If you just run VPN clients in your devices, there will be no effect on the other person's devices. If anything, using VPNs will throttle your connections, so they'll have better speed. That's especially likely with a gigabit uplink.

Oh that's right I remember, Jesus I was off. Yeah I was trying a few, can't remember if I tried OpenVPN, AirVPN, and tunnelBear or something. Had to work on command line... yeah I couldn't get it to work if it was a free one (not free I wasn't trying to pay). Yeah I feel dumb now with the external configuration question.

Anyway thanks for your time, I suppose if I really needed/wanted to I can figure it out, I think I can read haha.

It's hard to get honest advice about VPNs. As Brian describes. That One Privacy Site has a good summary of what VPN providers say about themselves.[0] I tested a bunch of VPNs in Windows and OSX, and found several that I couldn't make leak.[1] There are relatively unbiased discussions on Wilders Security Forums.[2]

0) https://thatoneprivacysite.net/

1) https://vpntesting.info/

2) https://www.wilderssecurity.com/categories/privacy-related-t...

Thanks a lot for these links. Starting your count from 0? Come on now... haha.
If your ISP is already Google, it's not clear just how much additional privacy you'll gain from blocking snooping by Google the ISP but not Google the search engine and analytics provider.
I suppose. Too bad it's hard to beat Google's search results relevancy (or is it?) I by default always use Google Chrome. Sometimes Firefox.

To me it is somewhat like trying to use anonymous currency, you have to buy it from somewhere, and then somehow use it while remaining anonymous. I don't know maybe not, recently bought a fraction of a bitcoin, went through coinbase seemed pretty dumb 'Here's my real name, my address, my picture, etc...' but then you could transfer it to a wallet and make it disappear from there but... I don't know. I have no reason to use it anonymously either. Just another place to keep money. I'm not able to have "real" bank accounts because I was an idiot and destroyed my credit score. Oh well dumb will be dumb.

As shocking as this sounds, virtually nothing has changed about the privacy of the average American’s connection to the Internet as a result of this action by Congress, except perhaps a greater awareness that ISP customers don’t really have many privacy protections by default.
Whether anything changed substantially is arguable.

But there's no doubt that ISP customers are sitting ducks. VPNs took off after Snowden leaked. And they're taking off again now. So sure, maybe nothing changed. But as you say, it's a wakeup call.

It is the article saying before going into discussing VPNs fwiw.

I'm not sure about having a definite opinion on this, for now I feel this is blown out of proportion a bit and there are plenty of other privacy invasions that should be discussed instead (though I have to admit my biased view is from a non American pov)

> there are plenty of other privacy invasions that should be discussed instead

I agree with all but the last word. There are other issues to consider, for sure. But not instead of uplink security.

If you use mostly SSL services is not all that you are leaking to your ISP is the domain name/ip of the site you are visiting? You are leaking the same thing to Google if you use their DNS server, and they are free to do with that info whatever they like... or any other DNS provider for that matter.
This is true. There are lots of reasons not to use google's DNS servers. I will say though, assuming these things to be absolutely true, they really don't log anything that any DNS server would log, save random lifetime request record spot checks perhaps. According to their privacy policy:

"Google Public DNS stores two sets of logs: temporary and permanent. The temporary logs store the full IP address of the machine you're using. We have to do this so that we can spot potentially bad things like DDoS attacks and so we can fix problems, such as particular domains not showing up for specific users.

We delete these temporary logs within 24 to 48 hours.

In the permanent logs, we don't keep personally identifiable information or IP information. We do keep some location information (at the city/metro level) so that we can conduct debugging, analyze abuse phenomena. After keeping this data for two weeks, we randomly sample a small subset for permanent storage.

We don't correlate or combine information"

They also state they gather this information as well:

"- Request domain name, e.g. www.google.com - Request type, e.g. A (which stands for IPv4 record), AAAA (IPv6 record), NS, MX, TXT, etc. - Transport protocol on which the request arrived, i.e. TCP, UDP, or HTTPS - Client's AS (autonomous system or ISP), e.g. AS15169 - User's geolocation information: i.e. geocode, region ID, city ID, and metro code - Response code sent, e.g. SUCCESS, SERVFAIL, NXDOMAIN, etc. - Whether the request hit our frontend cache - Whether the request hit a cache elsewhere in the system (but not in the frontend) - Absolute arrival time in seconds - Total time taken to process the request end-to-end, in seconds - Name of the Google machine that processed this request, e.g. machine101 - Google target IP to which this request was addressed, e.g. one of our anycast IP addresses (no relation to the user's IP)"

[Google DNS Privacy Policy](https://developers.google.com/speed/public-dns/privacy?csw=1)

I think, if you care about having this independently verified (i couldn't find anything myself, yet) you shouldn't use them though. Its impossible to say if thats really all they are gathering. I've seen no evidence either way thats concrete. I will note though, that if they are, and of course right now its a big if just collecting the information above (which I imagine most DNS servers people use do anyway) as long as you are using their DNS API you could achieve higher level privacy with your DNS traffic.

From the Regional Internet Registry

"If applications made use of services that would push local DNS query traffic into encrypted TLS sessions, such as the service being offered by Google, the result would be that much of today’s visible DNS would disappear from view. Not only that, but it would make the existing practices of selective local inspection and intervention in the DNS resolution process far more challenging, if not infeasible. It may be even better if authoritative name servers were to also support queries over TLS and DTLS allowing a local host to take over the resolution function and still use encrypted query traffic services"

[Source](https://labs.ripe.net/Members/gih/dns-privacy)

They too note, however, privacy hasn't been independently validated on this front either. I would say if you care at all about privacy, not to use it, simply because its implications haven't been verified by a neutral 3rd party. At least, as far as I can tell.

Personally, I recommend using your own DNS server (I recommend the fantastic [Unbound](https://www.unbound.net&...

Reputable VPN providers use DNS proxies, which are reachable only through the VPN tunnel (having a private IP) and do lookups from the VPN exit IP.
Think how much fun it is running the intelligence-agency run VPN front companies now! You get paid to log the traffic of users worried about their privacy!
There's a big difference between being surveilled by a state actor and being surveilled for marketing and advertising profiles, not least being the kind of steps you'd need to take to counter that surveillance.
So which VPNs do you think are run by TLAs? Can you cite any actual evidence?

I know one: Anonymizer. It's a CIA operation. But arguably the target was Chinese users, not American revolutionaries.

We know that HideMyAss complied with a UK court order, triggered by an FBI request. But we also know that PIA, which is US based, told a US court that they don't retain logs.

Still, it is a reasonable concern. But you can distribute trust, rather like Tor does, by routing traffic through a nested chain of VPNs.

I would think that intelligence services not doing such an obvious thing would be considered negligent. Just like they would sponsor and run email mixmaster remailers in the 90s and run tor exit nodes today.
Sure. But for Chinese dissidents, trusting an NSA-run VPN would arguably be preferable to trusting a Chinese ISP.
Is life really better when you're blackmailed into being a CIA asset than when you're jailed by Chinese authorities?
Tough call.

But really, the CIA mostly just wants to disrupt China by making information more widely available. Like VoA and the BBC have done for decades.

Of course things have not changed. All the negative media needs to play out, then a period of time needs to pass so people forget, then you'll see the changes.
The next implication, that my ISP should be competing with google and facebook, and that it would somehow level the playing field is at it's face ridiculous.

I suppose the postal service should want to read our mail and the same isp's should need to listen to our phone calls; after all, it's only fair if Google or Facebook get to see the information we send to them.

We either need to somehow incentivize more ISPs so the free market can fix these problems, or just regulate the hell out of them as a public good. Pretending they aren't a monopoly and don't need regulation because they exist in the free market today is incredibly anti-consumer.

If we're using market power as a justification for regulating privacy policies (which I think is perfectly reasonable), it makes no sense to draw a magic line with ISPs. With ISPs, we're basically talking about de facto as opposed to de jure monopolies (which distinguishes them from the Post Office, which retains certain monopoly protections in law). But lots of companies have tremendous de facto market power. Nearly the whole market is encompassed by just two desktop operating systems, two mobile operating systems, two search engines, and one social media platform.

Sure, I could use Google+ and convince all my aunts and uncles in Bangladesh to use that so I can share photos of my daughter with them, but I could also subscribe to any of a number of satellite or DSL providers for broadband. If we are talking about viable, interchangeable alternatives, the reality is that there is very little choice in any of these markets. High barriers to entry limit those choices in broadband, and networking effects limit those choices in the area of search engines, social networking, etc.

If market power is the justification for regulation, it makes no sense to not regulate any entity that has sufficient market power to implicate privacy concerns. Or, how about we just make it illegal to use private information for marketing purposes? Wouldn't that be simplest? Why do we need to engage in all this hair splitting?

There is a precedent in regulating these isps, regarding the phone lines. There is also greater public interest - the public helped many of the isp's lay those lines.

Regarding monopolies de jur, while it is technically different in practice many isps are legally the only incumbents because you cannot dig to lay more lines, and the municipalities have signed agreements to that effect barring anyone, including themselves, from offering replacement.

I think it's completely disengenious to compare Facebook to my isp. I use Facebook rarely and it alone makes up a tiny portion of my digital life, with no access to to my search history, emails, bank portal, video watching history, etc. The market power there is of a different kind alone, and there is enormous friction to switching an isp. People have no problem sending photos over Snapchat these days and completely bypassing Facebook. People have no viable alternative to their isp.

This is all to say, I'm not against more privacy regulations for Google and Facebook. But it doesn't factor in when comparing it to an ISP for me: they should not be called competitors, because it would not at all be a competition for data. The ISP just has all of it.

This is not some slippery slope to socalizing everything with market power. This is fixing a clearly and presently broken system.

Even if your premises were true,[1] why does it matter? The government doesn't have to care how certain companies came to acquire market power. Regulation isn't a punishment for prior actions, it's designed to change conduct on a forward looking basis.

Also, you might not use Facebook, but everyone else does. For your typical person, switching to a different ISP would be way easier than moving to a different social networking platform. When you say people don't have a choice with regards to broadband, there is an implicit qualifier that you're talking about comparable choices, because nearly everyone can get satellite on top of wired options. But what's the comparable alternative to Facebook where I can post pictures of my kid and have my family in Bangladesh see them? Facebook's market dominance is far larger in scope than any ISP.

Look, I'm in agreement that ISPs shouldn't be able to use or sell this data. But I find the Internet company response to these rule changes to be pretty hypocritical in trying to split hairs and say privacy invasion is okay for some companies and not others. There shouldn't be a "level playing field" for this practice--we should just ban it.

[1] The idea that any substantial portion of modern broadband networks was publicly funded is incorrect, as is the idea that there are legal prohibitions on who can "dig to lay more lines."

1) It matters not because of punishment but because how how unlikely new people are able to enter this market.

2) this park of facebook's market (sharing photos with relatives) is extremely easy to enter. Before Facebook there was Flickr, MySpace, etc. Now you can send pictures to your family using Dropbox, google plus, google drive, and practically any messaging app ever made, including Snapchat off the top of my head here. If you don't like one thing about Facebook you can just send a link to another service (from Facebook even, if that is your only mode of communication).

3) I think we are in violent agreement about there needing to be more regulations around our privacy all around. But the difference is real and material between pointing your browser at a different URL and essentially moving counties or states to some place where you have an option #2.

As for your footnote, i'm pretty sure it's not incorrect, see

https://en.m.wikipedia.org/wiki/Internet_in_the_United_State... And for regulations prohibiting more, the first article I found:

https://www.wired.com/2013/07/we-need-to-stop-focusing-on-ju...

But also this is the case locally where I live where there is a well liked County ISP battling hard against Comcast to be able to get more easements for more lines. And this is near Silicon Valley where there is a local ISP run by (the right kind of) crazy people. Drive a few miles and you'll be right back in monopoly territory.

(comment deleted)
Maybe this change is more about making sure that ISPs continue to have their own incentive to keep user browsing histories - which in turn can be used as an intelligence data source.
> which in turn can be used as an intelligence data source.

I find it ironic that so many people are distrustful of the government in some areas (intelligence, defense), yet at the same time wanting the government to take a bigger and more central role in their lives (social services, etc.). It's the same government across the board.

> It's the same government across the board.

This is an overly simplistic view of a complex bureaucratic entity, the US government.

There are restrictions about the ways in which governmental agencies may share information, and violations of such restrictions are considered serious and are sanctioned as such when they come to light.

This is entirely ignoring the fact that the goals of the various organizations, different departments, and innumerable individuals are often at cross-purposes.

In other words, the presence of governmental authority is not the same as the oppression and exploitation of citizens as a matter of course.

EDIT: clarify/reword second sentence.

For those who want to use a VPN, but don't want to pay for it as a service because of all the arcane issues that can come with it, and of course have some hardware laying around, I recommend using StrongSwan (https://www.strongswan.org/) + Stunnel (https://www.stunnel.org/index.html) instead of openVPN

Why strongswan? Because setting up a VPN properly, and securely (thats very important) is hard! and I feel, personally, that openVPN is alot for people to take in. I know it was for me, and I'm not ill experienced.

Strongswan is also open source, and they have a lot of very good documentation including cryptographically verified 'plug n play' (mostly) setups:

https://wiki.strongswan.org/projects/strongswan/wiki/UsableE...

While I'm at it, they have a wonderful entry on their wiki with security recommendations:

https://wiki.strongswan.org/projects/strongswan/wiki/Securit...

From just my experience, and dealing with the community, and from what I understand from others much more educated in these matters, their usable configurations are indeed very good.

Strongswan of course supports pre-shared key authentication and certificate authentication in lieu of username/password. They also can take advantage of CA-certs for encrypting your conversations over SSL/TLS (think: letsencrypt!)

It also has the latest versions available, you can install on routers that support openWRT, lede-project.org and I believe DD-WRT has this as an option? I couldn't say for sure.

Why do I recommend stunnel though if it can use a valid CA ssl cert on its own? Mostly because Stunnel can re-direct any traffic over SSL (I recommend you do this wherever you can, stunnel is insanely useful for just this basic encryption traffic, because you can make ANYTHING run over SSL with it) and its insanely simple to setup, where as setting it up with strongswan as one its modules is a little more complicated.

Also, stunnel will redirect your traffic based on ports. So you can have stunnel listen on 443 and route the traffic to whatever port you are running your VPN service on. This gets around potential blocks on say, corporate networks, or public wifi, or even just ISP snoopage.

I feel like paying for a VPN if you don't have to is a waste compared to having your own. OWN YOUR TRAFFIC! Its the only way to ensure any semblance of privacy.

https://wikileaks.org/bnd-inquiry/docs/Sek/MAT%20A%20Sek-13-...

That pdf from the NSA in the BND documents on Wikileaks clearly shows that NSA decrypts VPN, both IPSEC and PPTP, in real time and in bulk.

The BND leaks came out what, over a year ago? 20,000 "hackers" attended the most recent Defcon.

How not one person notices this slide deck, including Assange himself, is pretty shocking in itself.

Hello, McFly, is anybody who's job earning 6 figures in Infosec paying attention?

Why is the Computing industry so asleep at the wheel? Yet the Beogrammers cranking out widgets for Startup Inc think they're the smartest guys in the room.

The arrogance from all the fake paper billions in this industry has made everyone lazy and dumb.

NSA LOVES it when the sysadmins are lazy and dumb. They're so much easier to hunt.

Of course that slide deck presents more technical questions than answers, but it proves VPN is no longer the Silver Bullet we once thought it was.

"Well that's what they're supposed to do, NSA is just doing their job, so that's not my Department" you say.

Yeah, well look at home careless NSA is with Cyberweapons and exploits. They lost the Keys to the Kingdom to the Shadowbrokers, and god only knows what else they lost that they never tell us about.

It is entirely reasonable to believe NSA lost their VPN exploit pack too.

Try to imagine the chaos that's possible in a scenario like that.

We might as well not have ANY security.

Which is funny, because yet again, RMS was right! His tales about the MIT Media Kab in the 70's where he rejected new mandatory security policy and instead all users of the system shared the sysadmin's password.

The honor system used to work. As a system of trust, high trust small tribes will always be better than any artificial security mechanisms.

We as an industy need to somehow get back to that. Trust in computing is only going to get worse, the hacks are going to become deeper as they copycat NSA's methods of industrial scale, and the consequences are truly unknowable.

Skynet and Mr. Robot could end up looking like naive optimism.