Through packet level filtering at the firewall it’s possible to
apply rules to an entire shared server, blocking the abuse
immediately. For example, let’s say someone decides to use
TorGuard to unlawfully promote their Ugg boots business (spam).
In order for us to block this one individual, we simply implement
new firewall rules, effectively blocking the abused protocol for
everyone on that VPN server. Since there are no user logs to go
by, we handle abuse per server, not per user.
Seems like a silly way to handle it since eventually none of their servers will be able to access the internet.
Behind an IP-address shared by many, I'd say you're pretty anonymous unless you give out your personal details. Would you like to explain why you think otherwise?
You are giving your real identity to a company that claims not to keep a log of your actions. As far as I'm aware, some of these providers give out unique IP addresses, or at least ones that aren't used by more than a handful of people. At any rate, determined law enforcement can pressure a provider into logging incoming connections. I wager that happens quite often.
As another commenter suggested, they could all be honeypots.
If I was going to trust my life to the anonymity of my data transfer, the last service I would want to be using is a VPN.
If you assume the things you listed are going on at all VPN-services, I don't see how they supply "privacy" either.
When it comes to law enforcement, I suppose there are differences in which approach they take depending on where the VPN-service is located. If law enforcement did what you suggest frequently in the country where I live, it would be presented as a scandal and would be the death of the VPN-service in question.
Of course, you must choose a service you trust to not actually keep logs, and give out non-unique IP-adresses. However, if I lived in a country where I could not trust my government, I agree with you, I would avoid VPN-services located there.
If I were a governmental entity - I'd go ahead and set up my very own honeypot VPN provider. I'd then log everything - whilst providing exceptional service - and play the long game - collect as much data from people who self-select themselves as requiring large amounts of anonymity (the paranoid/people who can't access Hulu overseas/criminals/terrorists).
I'd wait a few years and then use said data to slowly infiltrate various groups - looking to grab the big fish that are hopefully well separated from the VPN service and then take them down quietly.
Hell - I might even turn a nice little profit on the side.
Reality check: if your credit card details are visible to a third party - you're not anonymous.
Note: I don't actually believe the above to actually be the case in reality - but one must remember that stuff like Room 641A weren't that long ago (http://en.wikipedia.org/wiki/Room_641A).
This is an example of where worst case thinking, despite its negative reputation, can help protect oneself from falling prey to the faulty assumptions that bring down complex systems (Will the generators kick in on time? What if the VPN provider is already compromised? Did we double check that after cleaning the safety valves - we didn't block any of them?).
I'd set up a forum where I'd review these things to make sure that new entrants to the game would flock to my bugged services. I'd give articles there titles that suggest that the competition does not take your privacy seriously.
In that case, you would be a governmental entity which does not care much for the rights of your citizens. Instead, pick a service in a country with a transparent, low corruption-government. I suggest the Scandinavian countries.
The legal jurisdiction and/or technical location of the service might be a country with a transparent government, but how would you know that the service isn't owned or operated by a government entity from some other country?
In order to be safe from unreasonable government "requests", it is not enough to set up a limited liability company located in a 'safe' country - you need to have everything (including yourself) in 'safe' countries.
As a blunt example, if you want to properly run a data-sensitive company and be imune to (for example) USA requests to violate anonymity of your customers, you need to ensure at least the following:
(a) the company itself is beyond reach of USA - as in examples of UK, Sweden and others caving in to USA requests for things that would/should be legal in these countries but illegal in USA;
(b) you and any personell are beyond reach of USA - again, there are examples such as Kim Dotcom, McKinnon, Assange;
(c) the company internet resources are beyond reach of USA - examples such as revoking DNS names of spanish companies for transmitting internet-TV in compliance with spanish laws, or some of Mega's non-US domain names revoked before even starting operations;
(d) the company money flow is beyond reach of USA - examples of Visa&Mastercard or Paypal blocking payments to sources such as Wikileaks or, IIRC, distributors of (locally legal) console modchips.
No government understands IT the slightest, because of that I don't know of a single governmental entity that cares the slightest of the rights of its citizens when it comes to computer and internet stuff. They don't even understand it so how can they be respectful of it?
As a Swede, I certainly wouldn't trust the Scandinavian countries for this. It's not uncommon to hear politicians claim that internet anonymity and encryption altogether should be completely abandoned.
Also, ISPs typically have numerous laws that forbid eavesdropping, VPNs don't. And seeing as how the government can always ask to get any information they want from any VPN provider (and that the VPN provider is, supposedly, legally obligated to keep records of their customers (in many countries, including Sweden)) using a VPN might be the worst thing you could possibly do, if you want anonymity or integrity. I'm guessing that most VPNs in Sweden straight up Lie about this, when this issue was hot a few years ago you either couldn't get a straight answer or you got one that admitted to record keeping - many (including many of those on torrentfreaks list) just stated that they had to, by law, keep records and that they had to hand them over if asked (with a court order). The law hasn't changed what I know, the PR department of VPN providers probably has though...
And even if they don't have any records to share, who is to say they can't, by request, eavesdrop on current traffic.
For it to have any real effect I'd choose a VPN that is in another country than the one you are in. Although this will probably not have any real effect either if you attract some serious attention, especially considering that unlike an ISP, a VPN provider could legally betray it's customers without an court order (in exchange for being quiet about it).
As a resident of said countries, I'd propose that you should not trust Scandinavian governments either. The officials are not that corrupt but the politicians are politicians. Moreover, in these countries there's a widespread belief that the state can do no wrong, that restricting freedom of speech is okay if done for a good cause, that censoring the net is a good thing for the government to do. Even the rule of law can simply be dismissed (it started with preventing child pornography, of course).
Sure there are. But we could apply Dilbert's management theory to this and split governments to types on axis good/evil (G/E) and on axis competent/incompetent (C/E).
The worst thing you can have is an evil competent (EC) government.
Therefore I'd say it's more important to have an I government than a G government, because it is easier for a government to go from G to E than it is to go from I to C.
So which government(s) have a more favourable equation of agenda+capabilities towards net freedom? Taken literally, the most "I" countries would be bad bets: https://en.wikipedia.org/wiki/Failed_state#2012
Remember that it was US pressure that drove the recent unpleaseantness in .se and TPB were able to succesfully defend themselves there for many years - and most countries currently willing to stare down threats of US trade sanctions aren't exactly havens of privacy and net freedom.
The pro net freedom countries currently correlate with G&C governments, it seems.
Yes, extreme incompetence is not good. BTW I haven't seen much evidence about US pressure regarding unpleasantness in .se (I assume you mean Assange).
Anyway, I sort of like the incompetence level in Greece. They haven't been able to set up a land registry, so that the government could collect property taxes. That sounds promising from the point of view of setting up a privacy-respecting net service. There is a mostly reliable supply of electricity and communications, and it's not a very bad a place to live.
>> Reality check: if your credit card details are visible to a third party - you're not anonymous.
I totally agree. Luckily more and more VPN providers accept Bitcoin payment, so that problem is solved (if you don't connect your wallet to your ID, that is) [1]. I think the more challenging part is not sending personally identifiable information through your VPN or encrypt it properly. Much of the Web is architected to identify you based on the most mundane technical information, like your browser string, cookies, the way you type or those little data leeks that happen here and there.
>> (if you don't connect your wallet to your ID, that is)
Which is not easy.
Either you have to mine your bitcoins or you have to trust a third party to exchange your bitcoins in order to disconnect the transaction history from you. But you do have to trust that third party.
Yes, but the general perception of bitcoin is that it is completely anonymous. Where it in practice probably is, if you don't take any precautions, the least anonymous currency in the world, where everyone can inspect the transaction history of coins and anyone with decent turn-over can map out a lot. Trivially (these databases will, of course, be sold and leaked). And since most services at some point require you to reveal yourself mapping out individuals from bitcoin transactions isn't exactly difficult.
The sad part is that since the history is public, if you goof up and reveal your identity sometime in 2015 your actions of today might also get revealed. To any third party. Potentially way worse than any sort of currency ever used; but the only thing people talk about is how bitcoin is this anonymous currency...
Any government entity interested in setting up honeypot VPN services would also set up honeypot bitcoin laundering services - which would do everything efficiently, properly and cheaply (you can subsidize costs), while keeping logs that can be used when/if really needed.
Even if you use magic to pay for the VPN, there's still lots of linkability just based on time of use, source-IP, etc. Add to that all the traffic which goes over the VPN, and you're probably screwed.
I wonder how large percentage of tor exit nodes (and nodes in general) are operated by intelligence agencies? I remember reading that the various agencies across Europe were active in setting up and running mixmaster remailers -- and the (stated) purpose of TOR is to be a viable covert communication channel for spies.
Remember that a "node run by the CIA", can just mean that the ph.d. student that required some resources from the IT department has a handler. Said student might even think the thing isn't monitored -- although I suspect it would be easier to to involve the admin, then keep him/her in the dark.
I think the solution to this problem probably doesn't involve trying to track down these bad nodes. Rather, more people should host Tor nodes, so as to reduce the chance of someone connecting to a bad one. As big as intelligence agencies are, they cannot operate too many nodes easily - the more nodes they operate, the bigger the chance that someone notices suspicious activity going on. On the other hand, there are a lot more civilians who can host Tor nodes without it being suspicious, thus dealing with the threat of intelligence agencies.
I'm curious about what the exact ratios would be, if there were a way to find this out (probably not).
How would you go about hosting a Tor node, without exposing yourself to problems like this? http://raided4tor.cryto.net/
I've thought about running an exit node, but I'm not willing to sacrifice my own safety and freedom to do it. The only solution seems to be buying hosting anonymously (bitcoins?), and making sure you only log in to the server over Tor.
FWIW I think one is helping the Tor network even if they decide to only run an internal Tor node (not an exit). I believe Tor hidden services might become more popular in the months to come, and a lot of resources that the users were initially trying to access anonymously are / will be reachable as hidden services (e.g. wikileaks).
I run an exit node in Egypt on a server from CityNet Host [1], that I got on a promo. Pumping 400 Gb/m through it for $2.50 a month. I would not host one at home but Egypt seems far enough.
I got my VPS on a promotion, so it really is $2.50 though it looks like you can't get the same deal anymore. http://lowendbox.com has plenty of these, including $15/year deals from BuyVM.
A sybill attack on Tor is probably the least efficient attack. It'd be far easier to perform a correlation attack if you know the probable endpoints, or compromise the target's computer (if you only know the source).
I'm sure government agencies run Tor exits, which means they'll see the middleman node's IP addresses and whatever traffic the originator sent (usually HTTPS). They can't do much with that.
Unfortunately, even Tor is not perfect. It obviously cannot prevent end-to-end correlation, and it also turns out to be very hard to do Tor right (e.g. not leaking information in the data streams).
I'm not really sure how much good a VPN will do with this much surveillance. I feel it's only going to get worse. CCTVs feeding into said datacenters? Web, traffic, and dash cams? As long as the common man "has nothing to hide" they don't seem to care.
I can't tell if you're being obtuse or naive, but the implication here is that you're going to use them to less-than-legal ends. The link at the beginning of the article is to a guy facing 15 years for hacking Sony. For another example that would be familiar to readers of the OP site, many US ISPs are now inspecting their customers' traffic to look out for media piracy, and a VPN is the obvious way to circumvent that.
No, I'm being completely serious. VPN's are a legitimate service with legitimate uses. Anonymity has merit even if you are 100% legal. I can't imagine someone being convicted of a crime based on only their participation with a VPN service. Sure, you are still trusting a 3rd party to do what it is they say that they will, but I don't see why people care if the government or whoever knows that they use a VPN service. Hell, I use one for work and I don't expect that the government will be knocking on my door because of it.
You're arguing with something nobody ever said. The point isn't that using an anonymous VPN is a crime, but that people who use an anonymous/private VPN are more likely to have something to hide, which means you'll find a lot of people committing crime there.
> Reality check: if your credit card details are visible to a third party - you're not anonymous.
After attending a local security conference last year (Kiwicon), I briefly tried to see how anonymous I could make myself online. In NZ, we're lucky to have anonymous prepaid credit cards -- "Prezzy Cards" -- which our postal service sells.
Turns out that several VPN services (I ended up using hidemyass.com) will accept them. Alongside an anonymous mail service for the actual account, it's pretty straightforward to head to an internet cafe, boot your laptop into something like Tails, and then create a completely anonymous VPN connection.
Not that I'd personally go to that extent, but it's nice to know that you can achieve a reasonable degree of anonymity online.
I'm not sure how viable it would be in NZ, but in the strip search prank call case (as seen recently in the film Compliance), the perpetrator bought calling cards from a couple of Walmarts. They were able to trace the serial number of the card back to the stores, and comparing video from both, found the guy on film walking out of both stores. So even these prepaid credit cards might not be completely infallible.
For sure -- the physical aspect is definitely something worth mitigating too (in both the case of the Prezzy Card store, and the Net Cafes having video). If I was going full paranoid, I'd probably find some way of altering my appearance too -- but that seemed like it involved overly much effort at the time :).
I was just surprised that, with a little effort, it wasn't actually that hard to gain a markedly greater degree of anonyminity than you'd usually have.
They might, but as many HNers can no doubt testify, many of us use VPNs for remote work, and I know a fair number of government workers who do this, too. It isn't optional; it is a requirement.
VPNs, possibly. I don't know, for sure, how many use them for work, versus those who use them to evade governments. In the latter category it could encompass things as varied as pirating tv shows, to circumventing the Great Firewall of China. But Chinese workers use VPNs for remote work, too.
As for Tor, I doubt that anyone is using that for work, but I also doubt that many are really using it for anything illegal. To be sure, there are the Silk Road-type sites, but Tor speeds are not conducive to piracy (and Bit Torrent is highly discouraged on the Tor network).
There's incentive to use VPN beyond the simple matter of anonymity. I, for example, often work/connect from Starbucks, and their wi-fi is not encrypted, and anything with Wi-fi monitor capability can pretty much scan all the traffic going through. (Theoretically, someone with a malicious motive can scan your traffic at VPN end, but what I'm talking about here is more of an unmanageable risk of someone with Wireshark at the range of WI-fi. Using the same with Tor is probably a bad idea, as potentially, anyone operating exit nodes can potentially log the traffic.)
Especially in the case your work really doesn't offer real VPN to their corporate network, it is the next best thing to have. (Especially when they are affordable) You could have VPN looped through your home, but in this age of bandwidth capping, it is getting a less appealing option.
I have a seedbox on OVH. I use sFTP to download from it. And I use a SSH tunnel to browse through that server. It is about 15 bucks a month. OVH could give me up but I am one of thousands. There is lower hanging fruit so I don't worry.
Quoting from the article it says "We are in compliance with DMCA as all companies, world-wide, must be." I didn't know that it's applicable worldwide. Wikipedia article states that it's an American law. Is there some kind of International treaty or that assumption is false?
You only have to be DMCA compliant if you're in some way based in the US. Complying with US laws when you're a non-US company is like complying with Australia's laws if you're a Canadian company.
But wasn't there something a while back about how people had to comply with US law if they owned a .com/.net/.org domain, since these were managed in the US?
I think it depends on the definition of "had to comply". If you mean, are legally obliged to, then no. If you mean, don't want to risk their domains be seized by the US, then yes.
the only problem with this is trust, you have to trust that these companies will do what they say, there is no way to confirm it, maybe all of them are logging and they just say otherwise, and when we are talking about privacy and anonymity thats a bigggg deal breaker!
also just because they do it now, doesn't mean that tomorrow they wont just turn on the logging... if you want anonymity and privacy you can only trust yourself and your own setup, leaving it at the hands of others is a huge exposure, as a sidenote since you are also using the services of a company that might attract the wrong sort of people that also migh expose you to potential problems (they give you up wrongfully, bad logs, payments to that company, the list goes on...)
I'd be wary of any service specifically marketing to high-risk activities unless there are strong technical controls to make it trustworthy.
There are no existing mainstream VPN providers who have strong technical controls to protect user privacy OR anonymity.
There's Tor, and some other systems like that, which make a stronger technical case for anonymity.
There's still a place for VPNs, but it's not as an anonymity service.
On the other hand, I'd want all services to have high security built in -- your mainstream mail provider, mainstream note-taking service, etc. Some of that is technical (a "hostproof" architecture if possible, good internal audit on administrative interfaces, personnel security, etc.). But then, you're one of a mainstream company's customers, vs. a subscriber of the "illegal activity hiding service".
There are "mainstream" uses of VPNs (business, local-privacy, desire to defeat geolocation, firewall-busting, etc.), for which they're great. There are some purposes (anonymity) for which they're horrible. There are things like file sharing in contravention of your ISP's policies or national law where they may work but might not be the best solution -- I'd really go with a seedbox instead of running peer to peer traffic over a VPN.
Why would someone sign up for VPN when they could have set up the same thing with a much cheaper VPS?
Anyway i am currently looking for something similar to Amazon silk and Opera Turbo, where the server downloads the page, compress it and send it back to you. Extremely useful for low bandwidth connection, as well as providing half of the VPN function.
Does anyone know of software / scripts / services that are available?
I would have thought that being the named owner of the VPS exposes you legally somehow, also that performing something like "illegal file-sharing" would be against your VPS's TOS.
Because VPN works by diluting responsibility; i.e. in theory there is no problem to confirm that you have connect to a VPN/VPS X and that X made illegal action Y. However, while in case of VPN there are N other people who were also connected to X and thus might be blamed for Y, in case of VPS you are alone.
I'm starting to feel like anonymity on the internet is going to be one of the most important challenges in the next decade. Especially with stuff like 6 strikes starting the ball rolling (today it's warning messags, in ten years it might be disconnection for breaking any of modern society's myriad and unfathomable laws).
The internet wasn't built with anonymity in mind; eventually an IP address has to be tied to a paying customer. Is there any way we can build on today's technology to ensure anonymity on a grand scale? I.e., so that your grandma is surfing anonymously, even though she doesn't know it, using the iPad she just bought?
Eh, I was mostly responding to the 'grandma using an iPad' part. It's quite possible that Tor will eventually be what everyone uses for anonymity on the internet, but it might well turn out out to be something different. Hence the 'something like'. ;)
but with Tor you are only anonymous at the exit node, right? Sure, your ISP (or anyone else listening in) doesn't know WHERE you are connecting to, when you use Tor, but if the connection isn't encrypted (for example using SSL or ssh) then they sure can listen in to WHAT you are sending and receiving. In other words if the traffic between your computer and the Tor entrance node is not encrypted (and it wouldn't be unless you are using SSL or ssh), your ISP (or any third party listening in on that traffic) can read everything you are doing. Or am I mistaken?
You're mistaken. With Tor you are (in theory) anonymous at every leg of the journey. The only connection Tor doesn't encrypt is the connection between the exit node and the server you're connecting to, which is unavoidable. Your ISP can probably tell you're using Tor, but they won't know what you're sending or what its ultimate destination is.
In a little more detail, when connecting through a circuit of Tor routers R1 -> R2 -> R3, the encryption looks something like this.
It's not perfect, though. If you can see the traffic between the client and R1 and between R3 and the server and you're being reasonably clever you can probably break Tor's anonymity. (This is what's called an 'end-to-end correlation attack'.)
The thing with the whole "six strikes" thing is that there's no motivation to actually enforce it. Businesses generally will not turn away people willing to give them money, especially if their monopolistic market position allows them to gouge the customer up to their pain threshold.
VPNs are constantly being mentioned as a solution to companies, governments, etc attacking privacy but it's extremely easy to make a bad choice and end up with more than you bargained for (a VPN ran by someone you were trying to escape, for example).
It is still possible to do the following:
1) Wiretap the VPN.
2) Correlate with bandwidth/time.
3) Keep logs as a VPN provider.
4) Hack the VPN and do something evil (log, change content)
5) Block access to/from the VPN.
6) Correlate access logs with the VPN IP address (not always applicable, not all providers give unique IP addresses)
The VPN provider doesn't have to want to betray you to do so.
I could create "ProTurboVPN" and promise "anonymity", privacy and no logging, "nobody's touching your data!" but it won't stop the above problems.
Even if I want to save the world as a VPN provider, I might not be able and it's safer to remember that than pretend I can and in the process, get someone into trouble.
> We are in compliance with DMCA as all companies, world-wide, must be.
Really? Why would a company that has no presence in the US have to comply with the DMCA?
I see that one danger might be having it's domain seized, but AFAIK only if it's one of the domains controlled by US companies (.org, .com, .net, ...).
Couldn't a wiretap order compel a VPN company (even one with a reputation for anonymity) to transparently begin logging any data having to do with the target of the wiretap? The VPN company does have the capability to log, after all. Could they just refuse?
Depends on what you're trying to do. If you're just trying to escape from the copyright groups, then it might be enough to just get a VPN in another country, especially one with weak copyright support. Then you just look like someone in that country, for the most part. The low-hanging fruit right now far out-numbers people hiding behind VPN / proxies / Tor.
I built GetCloak.com. I draw a hard distinction between privacy and anonymity and feel that it's disingenuous for VPN services to claim that they offer anonymity. Here's our take on it: https://www.getcloak.com/blog/2011/11/30/word-anonymity/
If I counted right, there were 13 providers listed.
If I had a ton of money, and wanted to be really, really anonymous, could I pay all of them, tunnel through all of them somehow, and then get 13 layers of privacy? (And very high latency!)
How about two - are there two of them that I could somehow run one inside the other? Maybe I'd have to surf from a VM using one of them, running on a machine using another of them?
If you pay all of them with your details, then who ever was after you would only have to strong arm one / a few before it became obvious who they were after.
All three encrypted. I am also using Tor on top of this because as someone else said this is a static version of the onion system. I've pretty much accepted the fact that if someone chooses to find out what I am doing they will find a way, but I am going to make it as difficult as possible.
This would be a reinvention of onion routing [1], only more vulnerable to traffic analysis than Tor because, for one thing, you'd be the only person using it.
You could setup tor nodes on your own servers, than configure your client to use them and mix in some regular public nodes.
Its even better if you make your tor nodes public and let other people use them too, to make it more difficult to correlate traffic sent from/to the server with you.
I know that using VPN I "trust" the VPN owner, because he has all the data I send/receive. I was thinking about such setup: buy VPS (for example: linode; it would be good to buy one anonymously), setup my own VPN (openvpn) and then use some external (for example: mullvad) VPN provider. I'm not sure if it's right or more secure that regular VPN, without additional steps. Can someone comment?
I have a couple more questions:
1. how can I use Tor with VPN the most efficient/anonymous way? should I connect VPN -> Tor or Tor -> VPN?
2. Can you point me to good resources about privacy/anonimyty online and linux configuration for privacy?
While there are definitely benefits to using a VPN, they do not provide anonymity. They provide privacy, and it is not the same thing.
"No one is going to go to jail for you". If a VPN provider is legally required to log your activity or face jail time, guess what? you're getting logged! To assume otherwise is just asking for trouble.
All of this is better addressed in this slidedeck.
http://valleyanon.com/ - I'm building an anonymous blogging platform to help people tell their story without fear. I think anonymity online should be available to everyone and I'd love any feedback you might have.
111 comments
[ 4.9 ms ] story [ 164 ms ] threadAs another commenter suggested, they could all be honeypots.
If I was going to trust my life to the anonymity of my data transfer, the last service I would want to be using is a VPN.
When it comes to law enforcement, I suppose there are differences in which approach they take depending on where the VPN-service is located. If law enforcement did what you suggest frequently in the country where I live, it would be presented as a scandal and would be the death of the VPN-service in question.
Of course, you must choose a service you trust to not actually keep logs, and give out non-unique IP-adresses. However, if I lived in a country where I could not trust my government, I agree with you, I would avoid VPN-services located there.
I'd wait a few years and then use said data to slowly infiltrate various groups - looking to grab the big fish that are hopefully well separated from the VPN service and then take them down quietly.
Hell - I might even turn a nice little profit on the side.
Reality check: if your credit card details are visible to a third party - you're not anonymous.
Note: I don't actually believe the above to actually be the case in reality - but one must remember that stuff like Room 641A weren't that long ago (http://en.wikipedia.org/wiki/Room_641A).
This is an example of where worst case thinking, despite its negative reputation, can help protect oneself from falling prey to the faulty assumptions that bring down complex systems (Will the generators kick in on time? What if the VPN provider is already compromised? Did we double check that after cleaning the safety valves - we didn't block any of them?).
In that case, you would be a governmental entity which does not care much for the rights of your citizens. Instead, pick a service in a country with a transparent, low corruption-government. I suggest the Scandinavian countries.
As a blunt example, if you want to properly run a data-sensitive company and be imune to (for example) USA requests to violate anonymity of your customers, you need to ensure at least the following:
(a) the company itself is beyond reach of USA - as in examples of UK, Sweden and others caving in to USA requests for things that would/should be legal in these countries but illegal in USA;
(b) you and any personell are beyond reach of USA - again, there are examples such as Kim Dotcom, McKinnon, Assange;
(c) the company internet resources are beyond reach of USA - examples such as revoking DNS names of spanish companies for transmitting internet-TV in compliance with spanish laws, or some of Mega's non-US domain names revoked before even starting operations;
(d) the company money flow is beyond reach of USA - examples of Visa&Mastercard or Paypal blocking payments to sources such as Wikileaks or, IIRC, distributors of (locally legal) console modchips.
As a Swede, I certainly wouldn't trust the Scandinavian countries for this. It's not uncommon to hear politicians claim that internet anonymity and encryption altogether should be completely abandoned.
Also, ISPs typically have numerous laws that forbid eavesdropping, VPNs don't. And seeing as how the government can always ask to get any information they want from any VPN provider (and that the VPN provider is, supposedly, legally obligated to keep records of their customers (in many countries, including Sweden)) using a VPN might be the worst thing you could possibly do, if you want anonymity or integrity. I'm guessing that most VPNs in Sweden straight up Lie about this, when this issue was hot a few years ago you either couldn't get a straight answer or you got one that admitted to record keeping - many (including many of those on torrentfreaks list) just stated that they had to, by law, keep records and that they had to hand them over if asked (with a court order). The law hasn't changed what I know, the PR department of VPN providers probably has though...
And even if they don't have any records to share, who is to say they can't, by request, eavesdrop on current traffic.
For it to have any real effect I'd choose a VPN that is in another country than the one you are in. Although this will probably not have any real effect either if you attract some serious attention, especially considering that unlike an ISP, a VPN provider could legally betray it's customers without an court order (in exchange for being quiet about it).
uhh, stuxnet.
No, they don't understand IT.
In a few years the political caste will consist of people from the facebook generation and beyond. And some of them will understand IT.
There are restrictions on freedom of speech in just about every country btw.
Therefore I'd say it's more important to have an I government than a G government, because it is easier for a government to go from G to E than it is to go from I to C.
Remember that it was US pressure that drove the recent unpleaseantness in .se and TPB were able to succesfully defend themselves there for many years - and most countries currently willing to stare down threats of US trade sanctions aren't exactly havens of privacy and net freedom.
The pro net freedom countries currently correlate with G&C governments, it seems.
Anyway, I sort of like the incompetence level in Greece. They haven't been able to set up a land registry, so that the government could collect property taxes. That sounds promising from the point of view of setting up a privacy-respecting net service. There is a mostly reliable supply of electricity and communications, and it's not a very bad a place to live.
I totally agree. Luckily more and more VPN providers accept Bitcoin payment, so that problem is solved (if you don't connect your wallet to your ID, that is) [1]. I think the more challenging part is not sending personally identifiable information through your VPN or encrypt it properly. Much of the Web is architected to identify you based on the most mundane technical information, like your browser string, cookies, the way you type or those little data leeks that happen here and there.
[1] http://www.bestvpnservice.com/blog/vpn-providers-with-bitcoi...
ps. No, I don't use a VPN. But I like to stay informed.
Which is not easy.
Either you have to mine your bitcoins or you have to trust a third party to exchange your bitcoins in order to disconnect the transaction history from you. But you do have to trust that third party.
Those are the only solutions that I know of.
[1] https://localbitcoins.com/ [2] https://www.google.com/#hl=en&q=bitcoin+laundry
The sad part is that since the history is public, if you goof up and reveal your identity sometime in 2015 your actions of today might also get revealed. To any third party. Potentially way worse than any sort of currency ever used; but the only thing people talk about is how bitcoin is this anonymous currency...
Doesn't really sound like government to me...
Tor is the right solution here, not a VPN.
Remember that a "node run by the CIA", can just mean that the ph.d. student that required some resources from the IT department has a handler. Said student might even think the thing isn't monitored -- although I suspect it would be easier to to involve the admin, then keep him/her in the dark.
I'm curious about what the exact ratios would be, if there were a way to find this out (probably not).
I've thought about running an exit node, but I'm not willing to sacrifice my own safety and freedom to do it. The only solution seems to be buying hosting anonymously (bitcoins?), and making sure you only log in to the server over Tor.
[1] http://citynethost.com/vps.asp
I'm sure government agencies run Tor exits, which means they'll see the middleman node's IP addresses and whatever traffic the originator sent (usually HTTPS). They can't do much with that.
In the UK and US, it's easy to buy pre-paid credit cards with cash.
I'm not really sure how much good a VPN will do with this much surveillance. I feel it's only going to get worse. CCTVs feeding into said datacenters? Web, traffic, and dash cams? As long as the common man "has nothing to hide" they don't seem to care.
"Reality check: if your credit card details are visible to a third party - you're not anonymous."
But that's missing the point since keeping the users' activity anonymous is what matters... not that they are customers.
After attending a local security conference last year (Kiwicon), I briefly tried to see how anonymous I could make myself online. In NZ, we're lucky to have anonymous prepaid credit cards -- "Prezzy Cards" -- which our postal service sells.
Turns out that several VPN services (I ended up using hidemyass.com) will accept them. Alongside an anonymous mail service for the actual account, it's pretty straightforward to head to an internet cafe, boot your laptop into something like Tails, and then create a completely anonymous VPN connection.
Not that I'd personally go to that extent, but it's nice to know that you can achieve a reasonable degree of anonymity online.
More information here: http://en.wikipedia.org/wiki/Strip_search_prank_call_scam#In...
I was just surprised that, with a little effort, it wasn't actually that hard to gain a markedly greater degree of anonyminity than you'd usually have.
Anyway - does some of the services allow for independent audit of their systems to confirm that the policies they claim are real and enforced?
As for Tor, I doubt that anyone is using that for work, but I also doubt that many are really using it for anything illegal. To be sure, there are the Silk Road-type sites, but Tor speeds are not conducive to piracy (and Bit Torrent is highly discouraged on the Tor network).
Especially in the case your work really doesn't offer real VPN to their corporate network, it is the next best thing to have. (Especially when they are affordable) You could have VPN looped through your home, but in this age of bandwidth capping, it is getting a less appealing option.
Related: https://thepiratebay.se/legal
also just because they do it now, doesn't mean that tomorrow they wont just turn on the logging... if you want anonymity and privacy you can only trust yourself and your own setup, leaving it at the hands of others is a huge exposure, as a sidenote since you are also using the services of a company that might attract the wrong sort of people that also migh expose you to potential problems (they give you up wrongfully, bad logs, payments to that company, the list goes on...)
There are no existing mainstream VPN providers who have strong technical controls to protect user privacy OR anonymity.
There's Tor, and some other systems like that, which make a stronger technical case for anonymity.
There's still a place for VPNs, but it's not as an anonymity service.
On the other hand, I'd want all services to have high security built in -- your mainstream mail provider, mainstream note-taking service, etc. Some of that is technical (a "hostproof" architecture if possible, good internal audit on administrative interfaces, personnel security, etc.). But then, you're one of a mainstream company's customers, vs. a subscriber of the "illegal activity hiding service".
There are "mainstream" uses of VPNs (business, local-privacy, desire to defeat geolocation, firewall-busting, etc.), for which they're great. There are some purposes (anonymity) for which they're horrible. There are things like file sharing in contravention of your ISP's policies or national law where they may work but might not be the best solution -- I'd really go with a seedbox instead of running peer to peer traffic over a VPN.
Tahoe-LAFS might be the best project right now.
Anyway i am currently looking for something similar to Amazon silk and Opera Turbo, where the server downloads the page, compress it and send it back to you. Extremely useful for low bandwidth connection, as well as providing half of the VPN function.
Does anyone know of software / scripts / services that are available?
The internet wasn't built with anonymity in mind; eventually an IP address has to be tied to a paying customer. Is there any way we can build on today's technology to ensure anonymity on a grand scale? I.e., so that your grandma is surfing anonymously, even though she doesn't know it, using the iPad she just bought?
In a little more detail, when connecting through a circuit of Tor routers R1 -> R2 -> R3, the encryption looks something like this.
It's not perfect, though. If you can see the traffic between the client and R1 and between R3 and the server and you're being reasonably clever you can probably break Tor's anonymity. (This is what's called an 'end-to-end correlation attack'.)It is still possible to do the following:
1) Wiretap the VPN.
2) Correlate with bandwidth/time.
3) Keep logs as a VPN provider.
4) Hack the VPN and do something evil (log, change content)
5) Block access to/from the VPN.
6) Correlate access logs with the VPN IP address (not always applicable, not all providers give unique IP addresses)
The VPN provider doesn't have to want to betray you to do so.
I could create "ProTurboVPN" and promise "anonymity", privacy and no logging, "nobody's touching your data!" but it won't stop the above problems.
Even if I want to save the world as a VPN provider, I might not be able and it's safer to remember that than pretend I can and in the process, get someone into trouble.
Really? Why would a company that has no presence in the US have to comply with the DMCA? I see that one danger might be having it's domain seized, but AFAIK only if it's one of the domains controlled by US companies (.org, .com, .net, ...).
Seems like a lot of "didn't do the homework" in this article
If I had a ton of money, and wanted to be really, really anonymous, could I pay all of them, tunnel through all of them somehow, and then get 13 layers of privacy? (And very high latency!)
How about two - are there two of them that I could somehow run one inside the other? Maybe I'd have to surf from a VM using one of them, running on a machine using another of them?
PC->Router1(VPN3)->Router2(VPN2)->Router3(VPN1)->Modem
All three encrypted. I am also using Tor on top of this because as someone else said this is a static version of the onion system. I've pretty much accepted the fact that if someone chooses to find out what I am doing they will find a way, but I am going to make it as difficult as possible.
[1] https://en.wikipedia.org/wiki/Onion_routing
Its even better if you make your tor nodes public and let other people use them too, to make it more difficult to correlate traffic sent from/to the server with you.
I have a couple more questions: 1. how can I use Tor with VPN the most efficient/anonymous way? should I connect VPN -> Tor or Tor -> VPN? 2. Can you point me to good resources about privacy/anonimyty online and linux configuration for privacy?
Thanks for help.
"No one is going to go to jail for you". If a VPN provider is legally required to log your activity or face jail time, guess what? you're getting logged! To assume otherwise is just asking for trouble.
All of this is better addressed in this slidedeck.
http://www.slideshare.net/grugq/opsec-for-hackers