The impossible task of creating a “best VPNs” list (arstechnica.com)
129 points by arm on June 3, 2016 | hide | past | favorite | 83 comments



So who is this article aimed at? If you intend to torrent, you're not going to roll your own on a VPS that is going to forward DMCA notices right back to you. DO and AWS are not cool with operating as high-transfer seedboxes and will be fairly expensive. If you're trying to remain hidden from a nation-state level actor you're obviously not going to use a VPS, but you also have bigger problems than HideMyAss accidentally leaking your ipv6 address. If you're like most people and don't want to pay $$$ a month for a VPS but want to torrent a bit, you just want a straight up regular VPN recommendation which they never provide. "Choosing a VPN is hard", yeah no shit, that's why I was hoping you would provide some value by doing the work for me.

I was in the market recently and ended up going with iVPN for $100/year. Their "18 questions to ask your vpn provider" [1] page is basically a more practical version of this article. Not that I am going to use it, but they also have guides showing you how to create nested and branched chains of tor/pfsense vm clients across countries, if you really did want to hide traffic from a nation state. If putting your trust into a VPN is the issue it's much easier to trust someone that links directly to security forums and openvpn documentation.

[1] https://www.ivpn.net/privacy-guides/18-questions-to-ask-your...


>you're not going to roll your own on a VPS that is going to forward DMCA notices right back to you

Why not?

>DO and AWS are not cool with operating as high-transfer seedboxes and will be fairly expensive

DO and AWS are certainly the last providers you'd want to use for anything high-transfer. Why would you even consider them over, say, OVH?


> If you intend to torrent, you're not going to roll your own on a VPS that is going to forward DMCA notices right back to you.

I've done this very thing. I wasn't trying to avoid DMCA notices; I was working around the great firewall of China, which blocks torrents normally.


So what's the best way to browse anonymously these days? Is it running a hypervised OS (some hardened GNU Linux/BSD Unix variant?) with a randomly changed LAN MAC upon every boot, connected to a VPN operating outside US with OpenVPN & 4k PK (e.g. in Romania), browsing using TorBrowser with NoScript and WebGL turned off? Or even two VPNs at the same time, one in the base OS, the other in the hypervised one?


Drive to a state you don't live in, boot Tails from CD-ROM, connect to a hacked VPN account through someone else's wifi, then run everything through Tor. Then make sure you're using default browser configuration and resolution so as not to be foiled a la panopticlick. Even then I wouldn't be so sure you're anonymous.


And all of the above while avoiding security cameras that will capture your license plate, and using a $200 thinkpad you bought for cash. Oh, and you drove to another state, you DID leave your tracking device (LTE smartphone) at home, right?


And anti-facial recognition (e.g., face paint). Burner phone if you have to.


And you paid for gas and everything else in cash only, right? It's trivially easy to track a person's movements if they use credit/debit for most payments.


Cash? Those bills have serial numbers on them! I'm not sure exactly how frequently they're checked or scanned by banks, but a scanner in the ATM you withdrew from + scanning the daily deposits by the gas station would paint a pretty clear map, even if a few of them get tendered back out as change, and a few more aren't tracked due to OCR failures.

Best stick to bills tendered as change only. Although who knows what red flags someone trying to hide their spending habits might be able to trip, alerting the feds that someone frequenting your favorite restaurant is trying to hide their trail...


Suppose you did all that. And maybe you even pulled it off, and left no tracks. Something else happens, and this is what many fail to realize - human nature kicks in and you get high on your own success. Therein lies your downfall. Name one relatively successful person who's done something wrong or criminal who hasn't been caught by the most insanely stupid mistake, even after not being caught for days, months, years even.

This is why privacy, while it is a legitimate need to shield things like personal info, bank accounts, bills, your own home or communication with coworkers, friends, family, etc, when it is used to shield illegal activities, almost always, if not always, it is to the detriment of the person.

Now, some will cry foul to what I said... "If you're careful enough, you will never get caught".. or the best one, "If you've a group of people to support you (i.e. mafia style :), organized efforts are harder to break"... or "if smart people who are wicked join you..." etc.

Go ahead, try it, I double dog dare you. Come post on HN how it went. Or maybe we'll read about you on Ars or HN, but not from your direct reporting.


The point is to avoid a Stasi-like spying future and to CYA. What if the official "PC" public opinion changes in 5 years dramatically and a witch hunt starts on anyone expressing a certain opinion that was considered normal in the past? Look at what happened to Brendan Eich. So officially you can generate "approved" traffic by visiting "safe", publicly endorsed and usual established sites and in private you can browse whatever you wish, e.g. discuss political issues without a fear of repercussions, invent a new science that would pose problems to established ones and group with similarly-minded people as much as you wish without blowing your cover. Frankly, what I am doing is none of your business if I try to adhere to the golden principle as much as I am capable of; I don't need my biometrics taken by Facebook, stylometry learned by Google, coding style footprint generated by GitHub, my online history stored by my ISP, my opinions revealed by Reddit etc.

And for your point - I am sure we hear only about the "stupid" ones that made a silly mistake; we would never hear about the clever ones that can restrict themselves when they don't have 100% control of the situation. They do exist. And most men can't even spot clear signals when their wife is cheating on them, not mentioning the ones that can blend in perfectly... Often the balance of power is achieved by secrets the ones in power know on each other via MAD, so when there is no deviating data, there is no secret to crucify you for.


I know lots of criminals that are still free even with shitty OPSEC. Many do their stuff openly. Some are clearly CI's given they get busted regularly but are always free and operating. FBI says for every one they convict there's almost 10 times as many they miss due to lack of evidence or resources.

So, between all that, I think you're dramatically overestimating how effective both police and surveillance dragnets are. ;)


Aren't a third of murders in the U.S. unsolved?

https://en.wikipedia.org/wiki/Clearance_rate

I want to expand on your point about privacy by pointing out that arrests are often entirely up to police discretion. A suspended license could result in a warning, a ticket, or an arrest; ultimately, it comes down to whether an officer is in a good mood when he stops me or whether he likes my face. Allowing surveillance dragnets just makes it easier for law enforcement to have something to charge you with if they don't like you.


"Aren't a third of murders in the U.S. unsolved?"

More in my area or classified as missing persons to make murder rate look lower. Common trick in a lot of places, esp small towns. Yeah, clearance rate is a great measurement showing how often crooks get away with stuff. I didn't think of that now obvious piece of data. :)

" it comes down to whether an officer is in a good mood when he stops me or whether he likes my face. Allowing surveillance dragnets just makes it easier for law enforcement to have something to charge you with if they don't like you."

This is true. We already see that in some U.S. states and European countries. There are all kinds of BS laws on the books. The cops or courts want money. So, some percentage of people are pulled over with an assortment of "violations" to use against them. Troublemakers might be hit with a more serious version of it. Especially can be used to squelch dissent or activism.

Aaron Swartz is a perfect example of the power prosecutors hold in a given situation. Because of who he was and his crime, they decided to go all out to set an example of him rather than keep charges lower or ignore it given students were supposed to have access. Discretion can make or break a person's life.


> Name one relatively successful person who's done something wrong or criminal who hasn't been caught by the most insanely stupid mistake, even after not being caught for days, months, years even.

This is an extremely fallacious argument. How are you supposed to know who they are before they've been caught?


I know some who are... active, but not caught. That's what I meant. Do you? :)


What would be the benefit of changing your MAC address?


MACs are a unique hardware ID and there are various ways they can leak over L3, such as software that uses your MAC to compute its own ID that can be reversed.


Can you point me at a concrete example of an application or protocol that does this? Thanks!


IPv6 auto-configuration can encode the ethernet hardware address into the IPv6 address. Then anything that advertises that IPv6 address is advertising your hardware address. Even if you don't use IPv6 -- or especially then since that's when auto-config most commonly happens.


Many applications where a GUID is exposed.

"In the OSF-specified algorithm for generating new (V1) GUIDs, the user's network card MAC address is used as a base for the last group of GUID digits, which means, for example, that a document can be tracked back to the computer that created it. This privacy hole was used when locating the creator of the Melissa virus." from https://en.m.wikipedia.org/wiki/Globally_unique_identifier
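The two leaks described in this sub-thread (the EUI-64 interface identifier SLAAC derives from a MAC, and the node field of a version-1 GUID), as an added example that is not code from the thread or from any product mentioned in it; every MAC, prefix and UUID in it is a constructed sample value.

```python
# Added example, not code from the thread or from any product discussed in it.
# It shows two of the layer-3 MAC leaks the comments above describe: the
# modified EUI-64 interface identifier that SLAAC derives from a MAC (RFC 4291)
# and the node field of a version-1 UUID (RFC 4122). Every MAC, prefix and
# UUID below is a constructed sample value.
import ipaddress
import uuid


def mac_to_eui64_iid(mac: str) -> bytes:
    """Modified EUI-64 interface identifier: split the MAC, insert ff:fe, flip the U/L bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02  # RFC 4291 inverts the universal/local bit
    return bytes(iid)


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address stateless autoconfiguration would pick for this MAC on this /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_eui64_iid(mac))


def mac_from_ipv6(addr: str):
    """Recover the MAC if the interface identifier is EUI-64 derived, else None.

    The ff:fe marker in the middle of the IID is the tell; a temporary
    (RFC 4941 privacy) address has random bits there and gives None.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02  # undo the U/L bit flip
    return ":".join(f"{b:02x}" for b in octets)


def mac_from_uuid(text: str):
    """For a version-1 UUID return (node_as_mac, looks_like_hardware); other versions give None.

    RFC 4122 says a generator that cannot read a MAC must set the multicast bit
    (least significant bit of the first octet), which never appears in a real
    unicast MAC, so that bit distinguishes a hardware node from a random one.
    """
    value = uuid.UUID(text)
    if value.version != 1:
        return None
    node = value.node.to_bytes(6, "big")
    mac = ":".join(f"{b:02x}" for b in node)
    return mac, not (node[0] & 0x01)


def leaked_macs(ipv6_addresses, uuids):
    """Collect every hardware MAC that the given addresses and UUIDs expose."""
    found = set()
    for addr in ipv6_addresses:
        mac = mac_from_ipv6(addr)
        if mac is not None:
            found.add(mac)
    for text in uuids:
        result = mac_from_uuid(text)
        if result is not None and result[1]:
            found.add(result[0])
    return found


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"  # constructed sample MAC
    addr = slaac_address("2001:db8:1::/64", mac)
    print("SLAAC address:", addr, "->", mac_from_ipv6(str(addr)))
    doc_id = uuid.uuid1(node=0x001122334455)  # v1 UUID stamped with that MAC
    print("UUIDv1:", doc_id, "->", mac_from_uuid(str(doc_id)))
```

Running `mac_from_ipv6` over `ip -6 addr` output is a quick way to check whether a host still hands out EUI-64 addresses instead of privacy extensions.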


iOS randomizes MAC addresses when not connected to wireless networks. The stated goal is to lower the probability of being tracked by third parties in, e.g., convenience stores. http://www.imore.com/closer-look-ios-8s-mac-randomization

Apple device UDIDs are generated by concatenating the serial number, the MAC address, and some other things, then running the result through a hash function. (I don't have a source at the moment, sorry).


I have heard of HTML5/WebRTC API browser fingerprinting that can expose a user's RFC1918 private IP address (10.x.x.x whatever...) on their client device, but not MAC address.

https://network23.org/inputisevil/2015/09/06/how-html5-apis-...


If you're running a hypervised OS and don't want to run another OpenVPN program within it, make sure that the settings of the program (e.g. VirtualBox) don't treat the hypervised VM as a separate machine. Some people might not realize that the VM can actually establish a connection directly to the router, thus escaping the OpenVPN tunnel.

Hope that was clear.



You can browse with Tor but most sites (including this one and Twitter) won't let you sign up/post with Tor. Very dubious practice by the site operators IMO.


Not dubious, tor is used by all sorts of abusive spam bots and people who just want to shitpost for the lulz.


User based voting solves both those problems without having to nuke the ability to post anonymously.


If almost all of your Tor traffic is abuse, exposing it to your users to vote on doesn't solve the problem, it just gives them a worse experience.

Obviously every service has different trade-offs to consider, which is why "Tor traffic is always worth it" is HN comment idealism.


How do you differentiate between legitimate new users with no record, and a returning shitposter's 10000th spam account with no record?

How do you differentiate between legitimate new users with a bunch of existing users vouching for them, and a returning shitposter's 10000th spam account with a bunch of existing stealth-mode accounts vouching for them?

I think you're using an extremely weak definition of "solve".


Although Reddit is not perfect, it doesn't seem to be a big problem there. Tor works and you can start posting as soon as you sign up.


reddit rate-limits new posters to something like 1 post every 15 minutes until they've accumulated some positive karma.


Yes, but they allow new posters to be anonymous by simply not blocking usage through Tor.


That's actually what I've noticed too, I believe even Facebook at one point didn't let me log in because it kept asking me to verify who I was (granted I was using a VPN at a local Starbucks).


It's interesting that Twitter made a name for itself as a platform that could "cause a revolution" (Arab Spring), but there is no way they can claim that now that they block Tor. Who's going to start a revolution when you're not anonymous?

I don't know what the justification for Hacker News not allowing Tor is since there's no economic incentive to track users.

Hopefully more people will be made aware of this and start asking the question: Why do you need to know who I am?


One big advantage of using a popular VPN is shared endpoints. Your traffic is mixed in with hundreds of thousands (if not millions) of other users.

Using your own VPS means you are easier targeted, tracked (on layer 3) and located -- since your VPS likely has a dedicated IP and you probably have a non-anonymized account with the provider. You're still relying on your VPS provider to not monitor outbound connections as you are on the VPN provider.


This all depends on who you consider your adversaries to be.

I've been using a VPS as a gateway to the internet for the last 2-3 years (switching providers a few times during this period).

What I gain:

1) I pay bitcoin, and don't use my real name. So the IP (albeit static) isn't linked to me _directly_.

2) This both protects me from low tier adversaries * , and "annoying" stuff that's considered normal-practice (like geolocation).

3) My connection upstream is always encrypted. I don't care what network I use, what country I'm in, etc.

4) I use torrents a lot, and overall this setup is _much_ faster than doing it from your home connection (or shared VPN). I download an HD movie in under 2 minutes, and then stream it directly from the VPS.

* - The low tier adversaries I consider defeated by this approach:

1) Bots (sometimes people) who file "semi-automatic" DMCA complaints against me (usually for the torrents). I get these every once in a while through the VPS provider - and ignore them. If I get banned, I either create a new fake account or move to a new provider.

2) "Non-privileged people" who know my external IP and want to tie it to a real world identity. For example, a "malicious" site admin that is interested in me for some reason.

3) Any (realistic) _dragnet_ surveillance implemented by any local authorities. These can't affect me. Of course I'm obviously getting flagged for doing this. However, this brings me to my main point:

What this can't stand against:

1) Any "real" investigation into my identity. By a powerful corporation / low tier intelligence outfit / law enforcement. And that's fine! Since I'm not really doing anything illegal (or illegal enough for actual people to care about).

2) And in general, this doesn't stand a chance against any active adversary that targets me directly. But neither can you, or anyone else.

And this is a good thing! By doing what I'm doing, I now have a "reasonable expectation of privacy". If anyone wants to investigate me, it is perfectly fine. They'll have to spend some man-hours on it though. Just like old times!


I have a similar setup, combining a dedicated server and a shared VPN. On the DS I have two outward routes: one for BitTorrent, and the other for everything else. BitTorrent traffic is the one that goes through the VPN. In addition to this, I set up a private VPN between the DS and my home devices, and the DS is configured to route the traffic from this private VPN through the shared one if I choose to.

So far (about nine months in) I haven’t gotten any DMCA complaint, and can seed torrents without having to care for upstream bandwidth at home.


Would you mind sharing what VPS service you use?

I currently use DigitalOcean, and pay via PayPal. So it would be nice to get away from that. The only other cloud provider I have experience with is AWS.


You'll get to know a bunch of small ones if you want them to accept bitcoin. Currently I use one named vultr.


Maybe if you're a black hat firing up a brand new computer from a cafe while you left your phone at home. For the rest of us that just want to, say, watch the US Presidential debates from another country going through our own VPS is far better than relying on some possibly skeezy third party VPN. Personally I use HideMyAss when I'm travelling to countries I don't trust or when I'm on wifi networks that I fear may be monitored, but I'd rather spin up a Digital Ocean box if setting up my own VPN were as easy.


> but I'd rather spin up a Digital Ocean box if setting up my own VPN were as easy.

I thought the same thing, until I found openvpn-installer [1]. You just need to run 1 command - the entire OpenVPN setup process takes 5 minutes. I used it on both Debian and CentOS and it works flawlessly.

At the end, you just grab the config file using rsync or SFTP, and load it into your OpenVPN client. Now I have a dedicated droplet for VPN use. Once a month I destroy it and create a new one, because I'm slightly paranoid :P

[1]: https://github.com/Nyr/openvpn-install


I also use Nyr's script to set up OpenVPN, which is also running on DigitalOcean.

I have read that DigitalOcean have a strong stance against torrenting though, so have only downloaded a few times through my VPS.

Was considering moving to AWS, but I'm not sure Amazon would be any happier, and I'd probably end up with a big bill at the end due to bandwidth usage!


Ah I see. Well a few years back I heard that OVH is one server provider that looks the other way when it comes to torrents, but I'm not sure if that's still the case.

Another option is to just get a seedbox. You basically get a server running a torrent client that you can access through a web UI. Once you download a torrent, you FTP it over to your machine. Many of these providers can give you amazing bandwidth.

Yet another option is to save yourself the effort and simply get a Usenet account ;)


openvpn-install creator here :)

Thanks for the mention!


Man, I can't even imagine how much time your script has saved us! Thanks for the awesome work!


Love it, thanks!

Keep up the good work.


I really wish I knew about this before I set up a VPN on my DigitalOcean droplets recently.


You can use a script for setting up OpenVPN on a Digital Ocean box in max 2 min. Check this one https://github.com/Nyr/openvpn-install .


I respectfully disagree;

when using a VPS you'd also have to trust the VPS-provider. There's no difference between trusting a VPN or VPS provider - both can see/log/monitor your traffic.


It also leaves you open to correlation attacks even if your account with the provider is anonymized


> Tor makes people more susceptible due to its reliance on an outdated version of Firefox.

Tor uses a current version of Firefox and automatically updates it.



I cannot rate this site highly enough. The guy running it is doing a tireless service to weed out scam reviews and fake service descriptions.

He also has a subreddit:

https://www.reddit.com/r/vpnreviews/


The article recommends 'Streisand' [1]. According to their GitHub page their VPN is resistant to DPI.

>Distinct services and multiple daemons provide an enormous amount of flexibility. If one connection method gets blocked there are numerous options available, most of which are resistant to Deep Packet Inspection.

I don't know too much about networking, but didn't realise it was possible? How can they do that? What protocol/service can bypass this? The network security team at work challenged me to see if I could bypass their WSA, so would like to give it a try.

[1]: https://github.com/jlund/streisand


Something I consider but most articles do not: jurisdiction. I want and use a VPN in Sweden for a reason. I wouldn't go anywhere near any VPN with even a tiny US footprint. Similarly, I wouldn't use a VPN in my home country. Location location location.


US has no mandatory data retention laws, part of the reason I pick PIA specifically over VPNs outside the US.


No written laws specific to that point. But just look at the NSLs Yahoo released a couple days ago. They can do whatever they want whenever they want. While such things may be possible in Sweden, if they do happen they are extremely rare. The US is the surveillance state.


You do know that Sweden wiretaps all traffic that crosses their borders, right?

They're doing more aggressive surveillance than the NSA.


Isn't the best simply running your own for $5 on DO?


Well, if you just want to be anonymous, no. That ip/machine is associated to your person through whatever method you used to pay Digital Ocean.


And if anonymity is of no concern, why not run OpenVPN on Raspberry Pi (or something similar) at home? Cheap to set up, and no running costs (assuming internet access at home).


It really boils down to trust, honestly. What VPN you wind up going with greatly depends on the ethics, availability, and reliability of the provider, among other things. Sure, you can always run your own, but that is still ultimately going over someone else's network at some point during transit, plus you still have to be able to trust their ethics and consider any potential disallowed content. From a reliability/availability standpoint you'd be better off getting a VPN service, just have to do some thorough research and/or peruse the great list maintained on thatoneprivacysite.net

Edit: words.


It is probably very dependent on the reasons you are using the VPN as well as who you trust to keep whatever data you are transmitting safe.


Not all wifi points allow VPN traffic. At various coffee shops, I've had both OpenVPN and Cisco Any Connect traffic outright blocked.

Getting around such blocks (such as with a SSL tunnel) is possible, but requires more than just a default install.

Also, setting up anything other than OpenVPN is a real pain in the arse. Even OpenVPN required a fair bit of Googling to make it fully functional.


I've found the most success with getting past captive portals on non-free "Free WiFi" is simply OpenVPN over dns/53. It works a lot of the time and sometimes conveniently bypasses throttling/QoS.


How about an https tunnel? Or an ssh tunnel on port 443?


That's interesting. Maybe that's why my VPN worked at a Starbucks down the street but not one in another city I was in. I wonder if this is the same for airports too. I would assume it would be easier to use a VPN if you're in a smaller airport rather than a big national one because of the amount of security, however I haven't looked into this.


Not if you want privacy or to access content disallowed by DO (torrents).


AFAIK OVH, Vultr, and several other a la carte VPS/VM providers allow torrents.


Would you recommend OVH or Vultr?

I've always been a bit suspicious of OVH, not sure why...


I've used both; I have several dedicated servers with OVH in their BHS datacenter and several instances with Vultr in their NJ datacenter. Both are great for the price, although support can sometimes be lacking.

OVH also has two cheaper brands for dedicated servers to check out - SoYouStart and Kimsufi. The two cheaper brands have much more limited support.


Lots of sites (e.g. Stack Overflow) block IP ranges of cloud providers.


The worst problem I've had running a VPN on a VPS is that Google tends to think you're a bot and makes you enter captcha every search query.


I didn't find this article very convincing.

1. "You must trust the VPN." This is true, but you must trust something (your cafe, your ISP, your computer). In fact the entire article really hinges on this point -- the VPN provider could, if it were malicious (or compelled to by a government) log every aspect of your traffic, or even insert malware. However, so could your home ISP or your coffee shop.

In particular I found this statement very bizarre: "VPN services require that you trust them, which is a property that anonymity systems do not have." This is true in a vacuum. In the real world, unless you're running your own hardware with software you have written yourself from scratch (on a system which you monitor continuously), you are trusting a huge amount of stuff even with the best anonymity system. The point is knowing what you are trusting, rather than trusting it implicitly.

Essentially the point of the article seems to be to point out that VPN providers may be (there are a lot of hedge words) untrustworthy. The only actual example given of an untrustworthy VPN provider is a free one which re-sold its users' bandwidth (point 8).

Real-world examples are important, because reputation is important -- at some point it is very likely that you will end up trusting someone, even if you are being very careful.

2. "Some VPNs don't permit peer-to-peer sharing and/or log such sharing". You must rely on reputation, which is not a great option. However, no alternatives are presented for someone who wants to torrent copyrighted or illegal works (TOR is heavily FUDded in the article). You certainly wouldn't roll your own VPN for this -- see below.

3. "VPNs don't protect very much against ad tracking". This is true, but I mean VPNs don't make your teeth much whiter either.

4. "A dodgy VPN could log all your data". This is the same as point 1.

5. Preshared keys. OpenVPN with server certificate checking would seem to address this.

6. "Your VPN provider might log your data". This is the same as point 1.

7. "Leakage". It's useful to inform people about this. However, once informed, it is quite simple to use one of many online services to verify that no information is leaked.

8. "Snake oil" and in particular a free VPN which sold its users' bandwidth. Fairly obviously, be aware that if you are using a free product the company will attempt to monetise you in some way.

The suggestion to set up your own VPN seems to be presented as a way to improve privacy. This is very strange particularly since no threat model is presented, and the common one (mass surveillance) gets much worse with a personal VPN.

Firstly, shared hosting providers such as DigitalOcean, AWS, OVH and so on are presented. There is no particular reason to suspect that these are more or less trustworthy than any given VPN provider. In particular, shared hosting in the US will certainly be subject to the monitoring whims of the US government.

Secondly, using such a DIY solution will associate all your traffic, and only your traffic, with a single outgoing IP address, easily traceable to you (since you're paying for it). Compare this with any shared-endpoint VPN, where your traffic is combined with that coming from many other users, and the owner of the IP address is a VPN company. In the former situation nobody would even need to inform the hosting company -- they could just monitor its traffic (though as discussed in point 1 they certainly could contact the hosting company if necessary). In the latter situation, the VPN company would need to be involved. At this point a certain amount of process is required. If your threat model is mass surveillance rather than targeted monitoring, then the shared VPN provider certainly seems like an improvement over a roll-your-own solution. "The best place to hide an incriminating letter is in a letter rack!" -- Edgar Allan Poe.

Thirdly, with a DIY solution you are implicitly claiming that you are better at hardening a system and staying on top of security patches than is the VPN provider you were considering going with. This isn't necessarily true.

If you are just concerned about opportunistic data collection from your coffee shop, then a personal VPN would help. But it's quite limited, and significantly simpler solutions like HTTPS Everywhere would get you 90-100% of the way there.

If you are specifically concerned about an entity with the resources of a government monitoring specifically you, none of the options presented will be any use.


ffs... Just read this

https://thatoneprivacysite.net


Reminder that Opera has a free built-in VPN

not private but free and always available



What's the practical difference? And don't say it's because it only affects Opera traffic: you can configure a system-wide proxy, and you can VPN a single program.


What happens to outbound UDP packets when the 'VPN' is active? Can they be inspected or modified by your ISP?


I don't think Opera would be sending UDP packets. If it did, they would be encrypted through the tunnel.


This is incorrect, at least it was in April this year:

The head engineer of Opera for computers Krystian Kolondra: “Currently WebRTC and plugins are still not routed that way”[0]

The technical difference between a VPN and a proxy is typically that the proxy works at the application layer (layer 7) of the network stack, whereas a VPN creates a new network interface and operates at the network layer (layer 3).

The practical implications (which you asked about) are:

i) With a proxy, there's no new system network interface, so no way for other apps to use it

ii) A proxy is application-specific (in this case HTTP and HTTPS) so other protocols (even those that opera supports, like WebRTC) can't go through it.

[0] https://www.helpnetsecurity.com/2016/04/22/opera-browser-vpn...
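The practical consequence of WebRTC not being routed through a layer-7 proxy, as an added example that is not code from the thread or from Opera: it parses the ICE candidate lines a browser exposes to page JavaScript and flags a host candidate carrying an RFC 1918 LAN address (the leak mentioned earlier in the thread) and a server-reflexive candidate whose public address differs from the egress the site should see. All candidate lines, IPs and the expected egress address are constructed samples.

```python
# Added example, not code from the thread or from Opera. It parses the ICE
# candidate lines a browser hands to JavaScript during WebRTC setup and flags
# the two exposures discussed above: host candidates carrying an RFC 1918 LAN
# address, and a server-reflexive candidate whose public address is not the
# egress you expect (what a layer-7 proxy that does not carry WebRTC lets
# through). All candidate lines and IPs are constructed samples.
import ipaddress
import re

CANDIDATE_RE = re.compile(
    r"^candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<address>\S+) (?P<port>\d+) typ (?P<typ>host|srflx|prflx|relay)"
)

# RFC 1918 ranges plus link-local, spelled out rather than via is_private so
# that documentation ranges (203.0.113.0/24 etc.) count as public here.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "fe80::/10")]


def parse_candidate(line: str) -> dict:
    """Turn one 'a=candidate:' / 'candidate:' line into its fields."""
    text = line.strip()
    if text.startswith("a="):
        text = text[2:]
    match = CANDIDATE_RE.match(text)
    if match is None:
        raise ValueError(f"not an ICE candidate line: {line!r}")
    fields = match.groupdict()
    fields["port"] = int(fields["port"])
    return fields


def address_scope(address: str) -> str:
    """'mdns' for obfuscated .local names, 'lan' for RFC 1918/link-local, else 'public'."""
    if address.endswith(".local"):
        return "mdns"
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return "loopback"
    if any(ip in net for net in LAN_NETWORKS):
        return "lan"
    return "public"


def webrtc_exposures(lines, expected_egress: str):
    """List what the candidates reveal. expected_egress is the VPN/proxy IP the site should see."""
    findings = []
    for line in lines:
        cand = parse_candidate(line)
        scope = address_scope(cand["address"])
        if cand["typ"] == "host" and scope == "lan":
            findings.append(("lan_address", cand["address"]))
        elif cand["typ"] == "srflx" and scope == "public" and cand["address"] != expected_egress:
            findings.append(("real_public_ip", cand["address"]))
    return findings


# Constructed candidates as a browser behind a layer-7 proxy might produce them.
SAMPLE_CANDIDATES = [
    "a=candidate:1 1 udp 2122260223 192.168.1.23 51234 typ host generation 0",
    "a=candidate:2 1 udp 1686052607 203.0.113.45 51234 typ srflx raddr 192.168.1.23 rport 51234",
    "a=candidate:3 1 udp 2122260223 0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0.local 51235 typ host",
]

if __name__ == "__main__":
    # 198.51.100.9 is the constructed egress address the site is supposed to see.
    for kind, addr in webrtc_exposures(SAMPLE_CANDIDATES, expected_egress="198.51.100.9"):
        print(f"{kind}: {addr}")
```

With a layer-3 VPN the srflx candidate would carry the VPN egress and produce no `real_public_ip` finding; the mDNS candidate shows what modern browsers substitute for the LAN address when they hide host IPs.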


I read the news on this but just assumed there would be a catch.

Is it for web traffic only? So no torrents? Any logging? Speed?



