HN Gopher Feed (2017-10-30) - page 1 of 10
Do you need a VPN?
535 points by thesumofall
https://blog.mozilla.org/internetcitizen/2017/08/29/do-you-need-...
busterarm - 6 hours ago
I don't know why anyone advocates using a VPN provider when it's so
trivial to set up your own VPN now.
https://github.com/trailofbits/algo
https://github.com/Angristan/OpenVPN-install
Either of these options, depending on your preferences (protip: use
Algo, unless you're in a place that blocks IPSEC VPNs... It's cheap
enough to have both available). This at least covers the basics of
what they're talking about being snooped in the post. Then you don't
have to worry about trusting the VPN provider (but you do have to
worry about trusting your cloud provider).
If your threat model is different, you might want to be in a pool of
users, but you can use the same service and solve this problem
socially...
jerheinze - 6 hours ago
> I don't know why anyone advocates using a VPN provider when
it's so trivial to set up your own VPN now.
That won't give you any privacy as anyone who wants to de-anonymize
its traffic can correlate the fact that you connect to it with your
IP (asking the VPS provider for logs) and that you bought it (asking
the VPS provider for your banking info).
busterarm - 5 hours ago
But that's not really the threat model described when people
are talking about their ISP snooping on what they do. A
private VPN solves exactly that problem.
Also you still have the same issue with virtually all of those paid
VPN services (that you connect from your IP and that you paid for
the service). Oh, and Vultr takes Bitcoin, btw (not that that's
privacy but it is potentially a layer of separation from your bank
account).
jerheinze - 4 hours ago
> But that's not really the threat model described when
people are talking about their ISP snooping on what they do.
A private VPN solves exactly that problem.
It only solves it against a particular ISP.
> Also you still have the same issue with virtually all of those
paid VPN services (that you connect from your IP and that you paid
for the service).
I completely agree, that's why I always maintain that only
privacy by design solutions should be relied on (Tor and i2p
for example).
> Oh, and Vultr takes Bitcoin, btw (not that that's privacy but it
is potentially a layer of separation from your bank account).
But they know the IP, so that's still identifiable information.
busterarm - 4 hours ago
You can combine Tor and a VPN though, though you'll want to
rotate through VPNs to avoid timing attacks. Use of one
doesn't exclude another.
jerheinze - 3 hours ago
> You can combine Tor and a VPN though, though you'll
want to rotate through VPNs to avoid timing attacks.
I don't think that adds any privacy, setting up your own
non-exit relay and connecting to it may significantly
increase your privacy depending on your threat model
(since then you can be sure that no single point in your
Tor circuits controls both the entry node and exit node,
and hence can't correlate your traffic. You're still
vulnerable to a global passive adversary (GPA) of
course).
jordanlev - 6 hours ago
> I don't know why anyone advocates using a VPN provider when
it's so trivial to set up your own VPN now... links to github
repos...
You are blessed with technical skills and experience so
this is trivial to you (and many people on HN), but there are
tons of people out there for whom this is not a trivial task.
soared - 3 hours ago
Agreed - 99% of people don't know how to understand what's in a
github repo.
busterarm - 5 hours ago
If you can get through the steps to sign up and use a VPN
service, you can likely get through these with a bit more time
invested and a helping hand.
danvittegleo - 4 hours ago
For anyone who uses OSX and DigitalOcean, easily deploy your own
personal VPN server with DNS adblocking running on DigitalOcean:
https://github.com/dan-v/dosxvpn.
victor106 - 1 hours ago
Does anyone know of a way to scrape the web anonymously?
fortythirteen - 6 hours ago
All the "you don't get privacy from a VPN" talk misses the variable
of who you want privacy from. If you don't care about e2e privacy,
but want a simple way, without using Tor, to keep websites from
knowing your real IP, then VPNs are great.
mwilliaams - 4 hours ago
I recommend nordvpn. I have been using it for a while now with
great success. It's easy, fast, and private. They don't log and
their hq is in Panama, so it's much harder to get info out of
them.
the_common_man - 3 hours ago
For those looking to self-host,
https://cloudron.io/store/io.cloudron.openvpn.html works great. I
have used algo in the past and that works well too.
[deleted]
WellDressed - 5 hours ago
I've set up my own VPN using Streisand
[https://github.com/StreisandEffect/streisand] & Google Compute
Engine (Micro Instance). When you create an account on Google's
Cloud, you get $300 (or used to at least). This instance type is
big enough to handle the few devices I connect to it, fairly
speedily too.
thomasahle - 5 hours ago
How long do those $300 last you?
mtmail - 5 hours ago
The micro instance is (eligible to be) free
https://cloud.google.com/free/ so the $300 is an extra (expires
after 12 months)
WellDressed - 5 hours ago
Thanks mtmail! I've yet to pay a dime. I won't mind doing so
once it expires though.
komali2 - 5 hours ago
Is it not feasible that a warrant to Google instantly reveals
your identity?
WellDressed - 4 hours ago
Without a doubt! I'm not too concerned because I'm using it
within the USA to access my email, HN, and various other common
websites while on public wifi.
foxyv - 4 hours ago
Yup, hosting illegal content via a cloud provider is a good way
to have your account shut down.
siddhant - 6 hours ago
Duckduckgo recently included "How to Choose a Good VPN" in their
privacy newsletter - https://spreadprivacy.com/how-to-choose-a-vpn/
moonka - 6 hours ago
Looks like DDG recommends TunnelBear[1]. Anyone have any
experience with them? I'm always a bit skittish on free VPNs.
https://www.tunnelbear.com/b/privacy-partners/
jbeales - 4 hours ago
User-friendly, but blocks port 22, so if you need SSH and can't
change the port, try something else.
xaqfox - 5 hours ago
From the number of YouTube channels that promote them, I expect
they must have a strong affiliate program. Just a possible bias
to keep in mind...
SmirkingRevenge - 5 hours ago
It's a nice user-friendly app, works well on all my stuff.
Using it on linux took a bit of manual setup, but their
instructions worked. I'm a customer, and I would recommend it.
I outsourced my trust in them to DDG. Hopefully they didn't
steer me wrong there.
Downside is that it basically only works per device. It doesn't run
on any routers that I know, to get full coverage over your network
traffic.
mi_lk - 6 hours ago
It seems like a promo link which gives you 500mb per month for
free. You have to pay for unlimited data.
wenc - 6 hours ago
I typically don't trust VPN providers, so I set up my own on AWS
with this CloudFormation script. [0] It is almost effortless, takes
10 minutes and I can spin it up or spin it down without paying for
a subscription, only AWS metered costs.
EDIT: another poster mentioned Algo [1]. This method requires a high
degree of savvy and entails a higher level of difficulty, but looks
much more configurable.
[0] https://www.webdigi.co.uk/blog/2015/how-to-setup-your-own-pr...
[1] https://github.com/trailofbits/algo
LeifCarrotson - 5 hours ago
How often do you find that your AWS IP is blocked, or that you
need to bypass a captcha? I would think that AWS would be a
major source of scrapers and other traffic that a site might not
want and might choose to block. I know that Cloudflare offers to
block "suspicious" traffic, which would seem likely to include
traffic coming from an AWS server rather than an ISP.
wenc - 2 hours ago
Surprisingly not often at all for the sites of interest to me.
YMMV of course.
pubg - 6 hours ago
That sounds like a lot of trouble to go to every time you want an
anonymized browsing session. Inconvenient and cumbersome at best.
wenc - 2 hours ago
Which, the first or the second option? The first one entails a
one-time 10 minute setup and you can leave the AWS instance
running if you don't mind incurring a small ongoing EC2 fee.
komali2 - 5 hours ago
Does this protect you from a warrant to Amazon revealing your
identity?
wenc - 2 hours ago
No but this is not a problem for me since my use-case is more
avoiding MITM attacks and safely using public Wifis. Every VPN
has an endpoint, and whether that endpoint is acceptable
depends on your use case.
raarts - 4 hours ago
Ad Networks use multiple mechanisms to identify you: cookies,
browser fingerprinting. Hiding behind a VPN will not make you
invisible.
AdmiralAsshat - 6 hours ago
Be careful, Mozilla. When you blog about VPNs as Mozilla, you
write from a position of authority. VPNs are a notorious
minefield of shady providers and false promises. You do not want to
recommend CyberGhost to your followers, then find out in six months
when they show up in a court order that, oops, CyberGhost actually
logs a ton of stuff that can be subpoenaed.
Exercise caution. Do your research.
erikb - 6 hours ago
Look, if you see such an article from an authority the authority
is well aware of what they do to their name. They've built this
authority with hard labor over years. So the chance is far over
>67% that they are trying to cash out.
wutwutwutwut - 6 hours ago
> There are many, many VPN providers, and Mozilla can't recommend
any specific service.
Was it somehow unclear? Pretty clear to me at least.
shmageggy - 6 hours ago
But then they go on to mention several providers by name, with
links.
csours - 6 hours ago
Did you even read the article? For instance:
> Are VPNs truly private? Unfortunately, no. The VPN provider can
still log your browsing data. You are essentially putting your trust
in your VPN provider. Will your provider hand over info when pressed?
Will they log your browser data and sell it at a later date?
Sylos - 2 hours ago
When evaluating a VPN service for trustworthiness, I always look at
what their webpage loads in terms of tracking scripts.
Basically, if you offer me the service to protect my IP address and
don't even have the decency to let me inform myself about your
offering without handing over my IP address to Google et al., then
I'm not using your service.
Unfortunately, VPN providers collectively don't seem to be aware of
this presentation layer, so it's nigh impossible to find one which
doesn't violate privacy here.
So far, I've found exactly two: azirevpn.com and airvpn.org
They load in Piwik, which I'm okay with.
These two providers also check a lot of other boxes for me, but
yeah, it's still just two providers after hours of research, so if
anyone knows any other VPN providers with privacy-respecting
webpages, please do tell.
kbyatnal - 1 hours ago
windscribe.com is another one.
DavideNL - 15 minutes ago
> I always look at what their webpage loads in terms of tracking
scripts.
Note that this is also one of the criteria in the VPN comparison
chart:
https://docs.google.com/spreadsheets/d/1L72gHJ5bTq0Djljz0P-N...
by https://thatoneprivacysite.net/
grooling - 2 hours ago
Loyal customer of AIRvpn here. No complaints here
Insanity - 1 hours ago
Been using it for about a year now and I am quite happy with
it! Recommended it to a few friends, works great on Linux.
iDemonix - 57 minutes ago
I'm itching to set one up as a side project...
Someone1234 - 35 minutes ago
Be cautious of the potential legal headaches, register it as a
limited liability company, and host away from your place of
residence (so police don't raid your home).
Even if you're entirely above board your users may not be. Child
porn, illegal substances, gambling, stalking/bullying, fake
emergency calls, bomb threats, and so on. Your users are just
waiting in the wings to place you into law enforcement's crosshairs.
If I opened a VPN I'd spend 10% on equipment and the other 90% on
lawyers, fraud prevention, and liability insurance.
stanlarroque - 2 hours ago
It is the first time I have ever encountered a philosophy close to
mine about this subject.
Check out my VPN service, DataBuster[0]. I made the VPN only for
myself at the beginning but my friends requested the features and
it became a viable product.
The only "tracking" I do on the main page is a passive analysis of
Apache logs made with Piwik, so there is no visible JS tracking
code or third-party tracker.
[0] https://databuster.net
arm - 1 hours ago
That's fantastic! My only suggestion would be to not require
JavaScript for the page to load any text at all.
wakkaflokka - 6 hours ago
I always ask this on the VPN threads here, and don't feel like I
get a solid answer (I'm not particularly well-versed on the topic
so I'm genuinely curious and would love to be corrected).
If I go to Bob's website on my computer without any VPN, and Bob
wants to find me, all he would need to do is get my IP, call my ISP
with a warrant, and then get my information.
If I go to Bob's website while logged in with a VPN, and Bob wants
to find me, he first sees that he's getting tons of hits from this
IP because thousands of users are sharing this same VPN. So then he
uses some kind of fingerprint to figure out my unique user sessions.
Then he calls the VPN company, and asks them to associate the IP and
specific browser sessions with me. In that case a) the VPN really
does store logs even though they advertise they don't, so they're
able to associate me with my activity, or b) they really don't store
logs and have no idea which one of its thousands of users logged
into his website with that IP.
It seems in the latter case, even with a malicious VPN, it's one
additional (maybe trivial) step to associate me. But it's still
better than just using your own ISP. Isn't that why people use VPNs
to avoid DMCA letters from their ISP?
So what is the downside to using a VPN if you're aware that they
aren't foolproof vs not using a VPN at all?
If you roll your own VPN on AWS or the like, don't you lose the
benefit of sharing the VPN with thousands of users? Wouldn't it be
easier for Bob to call AWS with a warrant and get your account info
than mess with some offshore VPN provider?
ApolloFortyNine - 4 hours ago
> b) they really don't store logs and have no idea which one of
its thousands of users logged into his website with that IP.
> It seems in the latter case, even with a malicious VPN, it's one
additional (maybe trivial step) to associate me. But it's still
better than just using your own ISP. Isn't that why people use
VPNs to avoid DMCA letters from their ISP?
I'm not sure how you made this jump. If the provider doesn't have
logs, Bob can't find you. The end.
daxorid - 4 hours ago
No-log providers can still very likely be compelled to start
logging by a combination of the All Writs Act and NSLs.
sliverstorm - 5 hours ago
Chief on my mind would be the issue of trust. Your traffic is
coming out of the VPN node unencrypted. They could snoop you,
MITM you, basically anything. So, who do you trust more? Your ISP
or a mysterious VPN service probably in Russia that you learned
about yesterday?
I figure my ISP is quite likely to sell my data and do other
unfriendly things. But I figure they are quite unlikely to attack
my traffic and do other illegal things.
jk2323 - 3 hours ago
1. VPN Overview https://thatoneprivacysite.net/
2. oVPN.to is probably a good idea, as long as you are not based in
China
3. Pay anonymously for the VPN. If it needs to be really secure, only
access the VPN via TOR.
bearbearbear - 6 hours ago
Verifiably VPN providers lie when they say they don't log:
https://betanews.com/2017/10/09/purevpn-logs-fbi/
Whether it's through negligence or ignorance or intentional lying,
it's nearly impossible to not log user activity in some way.
And really, think about this: Even if you try really hard not to
log, as a provider you're competing with thousands of forensic
scientists who do nothing all day but figure out how to associate
activity with the people who committed that activity.
And once a federal agency has identified your VPN traffic, every
single thing you've done through that VPN provider is all wrapped
up in one neat bundle for them to peruse.
wincy - 6 hours ago
Speed, in terms of bandwidth and latency. I consistently get
slower speeds using a VPN. Granted, I'm using Google Fiber so I
have symmetric gigabit, but there is a downside to it, depending
on your use case.
bearbearbear - 5 hours ago
Was there any point to this comment other than humblebragging
about your fiber connection?
nirvdrum - 4 hours ago
It's a legitimate point to consider. I've set up my home
router with Tomato by Shibby, which allows routing all
traffic over a VPN link. I was finding the router couldn't
keep up with a 50 Mbps link. Granted, these routers aren't
designed with that use case in mind. But, running a VPN link
all the time on mobile devices kills battery very quickly, so
setting up the link on the router is preferable.
Consequently, I don't route all traffic over the VPN, which
is suboptimal.
pnutjam - 4 hours ago
I put a 2nd router behind my regular router and switch the
gateway, on devices I want to use the VPN, to this 2nd
router. Benefits:
1. allow devices to use non-vpn friendly sites
2. Keeps everyone on the same subnet so the VPN is not in the way
for local file transfers.
3. main router not overburdened by VPN software
nirvdrum - 3 hours ago
Tomato allows selective routing, both by destination and
by device, so that's helpful. Your setup definitely
avoids some of the overhead mine has. But, really, I'd
just like the little ARM processor in my R7000 to be able
to keep up so I can saturate my link. I'm not familiar
with ARM's ISA all that much, but it seems an AES-NI
equivalent would be really nice to have.
marmaduke - 5 hours ago
Did you try HMA? I had amazing speed with them.
wincy - 5 hours ago
No, I was using PIA, I might try them out though, thanks.
Pigo - 4 hours ago
PIA is cool because it works seamlessly with your phone as
well. It used to be you had to have some special access to
get it to work with a provider like Verizon, but it works
flawlessly now.
isatty - 3 hours ago
I'm in the same boat as well. I'm not in the US but I do have
symmetric gigabit as well. I've been using EC2/DO boxes to
set up VPNs for me, but they hardly ever come close to my home
speed. This is usually due to the ec2/do instances being the
cheapest or second cheapest with bad CPUs and overcrowding.
robertpateii - 6 hours ago
VPNs protect you from snooping by 3rd parties on the way to Bob's
site, such as your ISP, anyone on your network, or anyone on any
of the intervening nodes between you and Bob's.
If you don't want Bob to identify you then yeah you need more than
just a VPN, such as ad blockers, disabling cookies, and more.
fulafel - 5 hours ago
Depends on what you mean by VPN but the let-me-bittorrent ones
don't get you confidentiality (or integrity) to web sites you
visit, past your immediate ISP.
Spooky23 - 4 hours ago
You're assuming that private parties have the ability to get
warrants or subpoenas to get information from your ISP. They do
not.
If "Bob" wants to know who you are when you visit his website, he
doesn't have any options to get that information. If "Bob" thinks
you are violating his copyright rights, he can file a DMCA
complaint against you. If "Bob" doesn't want people from Iceland
to access his site, he can try to filter based on IP range.
VPNs do three things:
1. obscure your identity
2. obscure your location
3. prevent local inspection of your network traffic.
How effective that "obscurity" is depends on who wants to know and
why.
maccard - 4 hours ago
For me it's not Bob I don't trust, it's my ISP.
SmirkingRevenge - 5 hours ago
You will sometimes face hassle authenticating with certain sites.
Your VPN will trigger two-factor auth verification, or sometimes
trigger an account lock-out or force password resets, etc.
js2 - 2 hours ago
> If I go to Bob's website while logged in with a VPN, and Bob
wants to find me, he first sees that he's getting tons of hits
from this IP because thousands of users are sharing this same
VPN. So then he uses some kind of fingerprint to figure out my
unique user sessions.
Every TCP connection is uniquely represented by (src ip, src port,
dst ip, dst port). Bob can provide all four of these, and a
timestamp, to the VPN provider. The VPN provider can then resolve
that to a specific user if they are logging connections.
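What js2 describes, worked through as an added example that is not part of the thread: a constructed gateway connection log of the kind a VPN provider would keep if it logs connections (connection start as epoch seconds, the account name, and the public source and destination socket of each TCP connection), and a lookup that answers from exactly the five values a site operator can supply. The account names and the 198.51.100.0/24 and 203.0.113.0/24 addresses are constructed documentation-range values, not data from any provider. The matching rule is an assumption: the gateway records the connection start, so the supplied timestamp must fall within a fixed window after a matching entry. The sample reuses one public source port for a later account, which is why the four-tuple alone is not enough and the timestamp is needed; an empty log (the no-log provider of the thread) resolves to nobody.

```shell
#!/bin/sh
# Constructed sample of a VPN gateway's per-connection log (not real data).
# Columns: start_epoch account ext_src_ip:port dst_ip:port
# Port 40321 from the shared public address is reused by a different
# account ~13 minutes later, so the 4-tuple alone is ambiguous and the
# timestamp is what disambiguates it.
SAMPLE_LOG='# start_epoch account ext_src dst
1509372131 alice 198.51.100.7:40321 203.0.113.5:443
1509372135 bob   198.51.100.7:40322 203.0.113.5:443
1509372900 carol 198.51.100.7:40321 203.0.113.5:443'

# Seconds after a logged connection start within which a query timestamp
# is attributed to that entry (assumption; long-lived connections would
# need the gateway to log the connection end as well).
MATCH_WINDOW=60

# resolve_connection SRC_IP SRC_PORT DST_IP DST_PORT EPOCH LOG
# Prints the account behind the connection, or nothing when the log
# cannot answer (no matching entry, or an empty log, i.e. a provider
# that genuinely keeps no per-connection records).
resolve_connection() {
    src="$1:$2"; dst="$3:$4"; when="$5"; log="$6"
    printf '%s\n' "$log" | awk -v src="$src" -v dst="$dst" -v t="$when" -v win="$MATCH_WINDOW" '
        $1 ~ /^#/ { next }                  # skip the header/comment line
        $3 == src && $4 == dst && $1+0 <= t+0 && t - $1 <= win+0 { print $2; exit }
    '
}

# Stand-alone demo: the same 4-tuple resolves to different accounts
# depending on the timestamp, and an empty log resolves to nobody.
printf 'query at 1509372140: %s\n' \
    "$(resolve_connection 198.51.100.7 40321 203.0.113.5 443 1509372140 "$SAMPLE_LOG")"   # alice
printf 'query at 1509372905: %s\n' \
    "$(resolve_connection 198.51.100.7 40321 203.0.113.5 443 1509372905 "$SAMPLE_LOG")"   # carol
printf 'no-log provider:    [%s]\n' \
    "$(resolve_connection 198.51.100.7 40321 203.0.113.5 443 1509372140 "")"              # empty
```

The lookup is a plain join on four fields and a time window; nothing about it is clever, which is the point of the thread's exchange: whether the question can be answered at all is decided entirely by whether such a log exists and how long it is retained, not by how hard the query is.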
chii - 1 hours ago
in which case, if you can't trust 1 VPN, can't you jerry-rig a
better VPN by daisy chaining several together, so that each
VPN will have to be asked to sort through traffic?
b3lvedere - 44 minutes ago
Isn't that what TOR is all about?
freddybobs - 2 hours ago
There are lots of problems you see in practice which are not
discussed often....
* Inability to send mail through a mail program
* Daily disconnections of VPN service
* Captchas and other verification/friction when using services (eg
youtube, amazon etc)
* Some services may believe you are in a different country
incorrectly, meaning you have to force them to use the right
location, or be happy with it being wrong
* Some services will not work at all (for example purchasing
through apple)
* Paid streaming services - like netflix, hbo go and amazon
streaming will likely not work at all
* You may not be able to port tunnel traffic inside the VPN
And of course you have to trust the provider. For example PureVPN
claims 'no logs' but it seems that isn't the case...
https://betanews.com/2017/10/09/purevpn-logs-fbi/#comments
There is a lot of friction in using a VPN. Which makes the idea,
often proposed by technical people that if you are worried about
privacy - 'just get a VPN' either naive or disingenuous. That said
even with the friction it is worth the cost and hassle IMHO.
In practice you have to have a way to flip on and off VPN on some
machines/devices.
There is more discussion on this here...
http://www.toytheory.com/?p=295
(edit: fix formatting)
[deleted]
mattmanser - 5 hours ago
So I know of normal people using VPNs in the UK for some or
all of the reasons below:
1. They're blocking lots of torrent websites, using a VPN
circumvents this
2. They're sending out letters to people saying "you're torrenting,
stop". VPN stops this
3. Some ISPs throttle traffic to certain services and streaming
sites, VPNs circumvent this
icebraining - 6 hours ago
Your VPN provider might not log. Or it might log and sell your
internet activity. Of course, the same is true of your ISP, so
you have to see who you trust more.
gvb - 6 hours ago
> So what is the downside to using a VPN if you're aware that they
aren't foolproof vs not using a VPN at all?
The downside in a nutshell: "Researchers recently tested 300 free
VPN apps on Google Play and found that nearly 40 percent installed
malware or malvertising on users' machines."
"Bob" very likely doesn't know you even exist and doesn't care. The
downside of VPNs is that many VPN hosting companies are even less
trustworthy than "Bob" and do care who you are. An unscrupulous VPN
provider can MitM your connections, harvest anything you give the
VPN's app privilege to see (probably a lot), etc.
Step one of security is to understand the threat you want to defend
against and make sure your defense against that is (a) adequate,
(b) appropriate, and (c) not compromising you in other ways.
baldfat - 6 hours ago
Another downside:
Recently the Federal Government sent out malware to certain persons
of interest. That malware played a higher pitch sound than can be
heard by the human ear. They were able to track that person and
identify them because they heard the sound on the computer's
microphone. TOR or VPN can stop this.
nathancahill - 4 hours ago
Wasn't this how they caught the Silk Road guy? Ross Ulbricht?
They played a loud noise from his computer in a public area,
as I recall.
jstanley - 3 hours ago
Do you have a source for that? I've never heard it before.
nathancahill - 3 hours ago
Never mind, they chatted with him, but that was to ensure
that he was logged in to SR before grabbing his laptop in
an unencrypted state, not to identify him:
https://www.wired.co/2015/01/silk-road-trial-undercover-dhs-...
marme - 3 hours ago
That is not how they caught him. They used a correlation
attack. He was stupid and posted something using his
personal email on stackoverflow about setting up a tor
website and processing bitcoin transactions. He then used a
linked account to advertise silk road a few times. This
made him a prime suspect. They followed him for weeks and
watched that every time dread pirate roberts logged in and
posted on silk road he was sitting in a cafe or library on
his computer connected to a vpn. This was enough for them
to get a search warrant and they found all the other
evidence they needed to convict him on his laptop.
koolba - 6 hours ago
> That malware played a higher pitch sound than can be heard
by the human ear.
That should be "... can not be heard ..." right?
Also, do you have a link with more details?
wccrawford - 6 hours ago
No, it's right as-is.
koolba - 5 hours ago
Ah I think I read the "higher" as "high" and
misunderstood it.
jstanley - 3 hours ago
That still doesn't really make sense. I think you misread
"than" as "that".
Tushon - 5 hours ago
"a higher sound than can be heard" or "played a sound,
which cannot be heard due to its pitch" would both work, but
your interpretation isn't correct.
pubg - 6 hours ago
Without a source to corroborate, the tinfoil hat factor is
extremely high with this one
baldfat - 4 hours ago
Sorry here is the source:
https://www.bleepingcomputer.com/news/security/ultrasound-tr...
It appears to have happened already.
jm547ster - 3 hours ago
Wow, now 44.1kHz sound cards should be very desirable
sloppycee - 1 hours ago
> A team of researchers from the Brunswick Technical
University in Germany discovered [234] Android apps that
employ ultrasonic tracking beacons to track users and their
nearby environment.
https://en.wikipedia.org/wiki/SilverPush
My tinfoil hat is spinning!
drawnwren - 5 hours ago
I slightly agree. However, these days it seems more and
more that "thing elite spy agency does to track terrorist"
is on about a 6 months to 1 year lead on "thing startup
does to target ads."
jamiek88 - 4 hours ago
Wouldn't even surprise me if it was the other way around
either. Some of the brightest minds of this generation are
working on ad tech. Sadly.
ethbro - 4 hours ago
Angelheaded hipsters burning for the ancient heavenly
connection to the starry dynamo in the machinery of
night, indeed.
ionwake - 1 hours ago
Interesting thanks
im3w1l - 4 hours ago
Ability and motive... Are they able to do this? Yes, for
sure. Are they willing to do this? For terrorists or mafia
bosses, no doubt. For smaller fish? Maybe they can't be
bothered. Or maybe they can.
Florin_Andrei - 17 minutes ago
Once it's productized, it's probably easy to reuse.
thinkloop - 4 hours ago
If they were able to gain access to a person's microphone
doesn't that mean they are already compromised?
schoen - 5 hours ago
> TOR or VPN can stop this.
You're saying that the persons of interest in this case were
identified and targeted only based on an IP address and not based
on some other aspect of their online activity?
0XAFFE - 5 hours ago
Here is a source, but no "malware" but ads, the line gets
more and more blurry
https://arstechnica.com/tech-policy/2015/11/beware-of-ads-th...
gozur88 - 4 hours ago
I'm surprised a computer speaker has the frequency response
to play an inaudible tone.
jm547ster - 4 hours ago
Most wouldn't, I'd imagine OP is referring to a mobile
device, look at Android's dev docs they recommend sticking
to 44.1khz, which we know does fall into the range of
human hearing with its 22khz reproduction, albeit fewer
people. I'd suspect the person being spied on would
become suspicious upon many children they encounter and
even more dogs fleeing from their direction.
isostatic - 3 hours ago
Tested my kids - they could hear an alleged 21khz tone
out of laptop speakers. The actual level of the tone
doesn't matter - it was above my level of hearing. Wasn't
a double blind, but they told me when it started and
stopped based on a bash script with random intervals.
BenjiWiebe - 55 minutes ago
I'm 20 but I can still hear 20 khz, albeit not very well.
isostatic - 10 minutes ago
I could when I was 20, did a proper hearing test when I
joined my company. 15.625khz was very noticeable - I
scoffed at the old timers who couldn't hear it.
I can no longer hear it. Still I can hear 1khz, so that's what's
important.
mirimir - 5 hours ago
Well, never use free VPNs!
Also, don't choose a VPN based on some online review. Most of
those are basically paid advertising. Either "pay if you want a
good review" or "pay more for higher rank", or stuff by
independent affiliates, who get paid for referrals.
Better, choose VPNs that have been recommended by consensus in
relevant communities. Torrent users. Wilders. Me ;) And by the
way, I do consult for IVPN, but my opinions are otherwise unbiased.
leadingthenet - 4 hours ago
Would you recommend IVPN?
sushid - 4 hours ago
Various sites on the internet (e.g. Reddit, piracy sites,
etc) will recommend either PIA and/or Torguard over
anything else.
mirimir - 1 hours ago
That's because PIA and Torguard are willing to outbid
others to get that ranking :) Or so I've heard.
That's why you generally ignore online reviews.
mirimir - 4 hours ago
Well, of course I would! They're one of the oldest. Except
for the first generation, anyway, such as Anonymizer
(now basically owned by the CIA) and Cryptohippie (still
very cool, but very expensive).
And they have great clients for Windows, OS X and iOS. I've found
a few others that are just as leak-free.[0] However, the data there
are old, and just about all VPN services have improved their
clients. What's most relevant about the site is the testing
protocol. There's more about that in an IVPN guide.[1]
I also recommend AirVPN, Mullvad and PIA. But not necessarily for
their clients. I mean, IVPN doesn't have a custom Linux client. So
in many cases, you need firewall rules. And you need to make sure
that you're not using an ISP-assigned DNS server with the VPN.
0) https://vpntesting.info/
1) https://www.ivpn.net/privacy-guides/how-to-perform-a-vpn-lea...
kakarot - 3 hours ago
The great thing about Mullvad is you can use OpenVPN
instead of their client if you want. And those guys
really know what they are doing.
mirimir - 1 hours ago
You can use open-source OpenVPN with any VPN service that
offers OpenVPN connectivity. You can also use AirVPN's
client Eddie, which has a pretty decent built-in
firewall.
rhblake - 2 hours ago
Even better, with Mullvad you can now use WireGuard
instead of OpenVPN, for considerably better performance
and possibly better security. I've configured my
EdgeRouter Lite to route all wifi traffic on my default
home network through WireGuard for a couple of weeks and
it has worked very well.
https://www.mullvad.net/blog/2017/9/27/wireguard-future/
fapjacks - 1 hours ago
I use OpenVPN to connect to PIA both on my Linux machines
and Android.
accatyyc - 3 hours ago
Same applies to IVPN, FWIW.
tacon - 2 hours ago
My VPN activities run on an old Windows box, and I did not
want to trust the VPN clients to not fail and blast my
data in the open for a day or two before I noticed. I
ended up writing a SafeVPN Windows service that kills
processes within 30 seconds of VPN failure.
I used PIA for a couple of years without issue, but then it went
into some kind of decline for me, always driving network traffic
to zero after a few hours. After changing hardware and
reinstalling the OS with no effect, I finally tried AirVPN and
things went back to normal. AirVPN is a bit more expensive, but
their client is light years ahead of the PIA client.
mirimir - 1 hours ago
It's better to use Windows Firewall, because blocking is
virtually instant. Basically, you set LAN as a private
network, and the VPN as a public network. For LAN, you
allow connections only to the VPN server(s) that you use,
plus a DNS server that's not associated with your ISP.
You can also allow connections to other LAN devices, if
you like. For the VPN, you allow all output, but only
input for established connections.
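The same allow-list policy (LAN side: only the VPN server(s) and a non-ISP resolver; tunnel side: all output, input only for established flows) translated to Linux iptables, as an added example that is not any commenter's code. Interface names and the RFC 5737 addresses for the VPN server and resolver are placeholders to replace with your own.

```python
import subprocess
from dataclasses import dataclass, field
from typing import List


@dataclass
class KillSwitchPolicy:
    """What the firewall may let out of the box, whether or not the VPN is up."""
    lan_iface: str                  # physical uplink, e.g. eth0 (placeholder)
    vpn_iface: str                  # tunnel device OpenVPN creates, e.g. tun0
    vpn_servers: List[str]          # VPN server IPs reachable over lan_iface
    vpn_port: int = 1194
    vpn_proto: str = "udp"
    resolver: str = ""              # non-ISP DNS server allowed over lan_iface
    lan_peers: List[str] = field(default_factory=list)  # optional LAN devices


def build_rules(p: KillSwitchPolicy) -> List[List[str]]:
    """Encode the policy as iptables argument lists (not yet applied).

    LAN side: only the VPN server(s), the chosen resolver and listed LAN
    peers may be contacted, and only replies to those flows come back in.
    VPN side: all output, input only for established connections.
    Everything else hits the DROP chain policies, so a tunnel drop cannot
    silently fall back to the bare ISP link.
    """
    rules = [
        ["-P", "INPUT", "DROP"],
        ["-P", "OUTPUT", "DROP"],
        ["-P", "FORWARD", "DROP"],
        ["-A", "INPUT", "-i", "lo", "-j", "ACCEPT"],
        ["-A", "OUTPUT", "-o", "lo", "-j", "ACCEPT"],
    ]
    for server in p.vpn_servers:
        rules.append(["-A", "OUTPUT", "-o", p.lan_iface, "-d", server,
                      "-p", p.vpn_proto, "--dport", str(p.vpn_port),
                      "-j", "ACCEPT"])
    if p.resolver:   # needed to resolve the VPN server's name before connecting
        for proto in ("udp", "tcp"):
            rules.append(["-A", "OUTPUT", "-o", p.lan_iface, "-d", p.resolver,
                          "-p", proto, "--dport", "53", "-j", "ACCEPT"])
    for peer in p.lan_peers:
        rules.append(["-A", "OUTPUT", "-o", p.lan_iface, "-d", peer,
                      "-j", "ACCEPT"])
    rules.append(["-A", "INPUT", "-i", p.lan_iface, "-m", "conntrack",
                  "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"])
    rules.append(["-A", "OUTPUT", "-o", p.vpn_iface, "-j", "ACCEPT"])
    rules.append(["-A", "INPUT", "-i", p.vpn_iface, "-m", "conntrack",
                  "--ctstate", "ESTABLISHED,RELATED", "-j", "ACCEPT"])
    return rules


def allows_output(rules, iface, dst, proto=None, dport=None) -> bool:
    """Would an outgoing packet hit an ACCEPT rule in OUTPUT?

    Deliberately simplified: the generated set has no explicit DROP rules,
    so first-match order does not matter and a miss means the chain
    default (DROP) applies. Used to sanity-check the policy before loading.
    """
    for r in rules:
        if r[:2] != ["-A", "OUTPUT"] or r[-1] != "ACCEPT":
            continue
        opts = dict(zip(r[2::2], r[3::2]))   # "-o" -> iface, "-d" -> ip, ...
        if opts.get("-o") != iface:
            continue
        if "-d" in opts and opts["-d"] != dst:
            continue
        if "-p" in opts and opts["-p"] != proto:
            continue
        if "--dport" in opts and opts["--dport"] != str(dport):
            continue
        return True
    return False


def apply_rules(rules, dry_run=True):
    """Flush the filter table and load the rules (root; Linux with iptables).
    With dry_run the commands are only printed."""
    cmds = [["iptables", "-F"]] + [["iptables"] + r for r in rules]
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)


# Constructed policy; 203.0.113.10 and 198.51.100.53 are placeholders.
POLICY = KillSwitchPolicy(lan_iface="eth0", vpn_iface="tun0",
                          vpn_servers=["203.0.113.10"],
                          resolver="198.51.100.53")
RULES = build_rules(POLICY)

if __name__ == "__main__":
    apply_rules(RULES, dry_run=True)
```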
jen_h - 41 minutes ago
Or just DIY if you're just a regular Joe or Jane, it's quick,
cheap, and easier than most assume.
EGreg - 4 hours ago
Why do you think that just because a VPN isn't free, it won't
ALSO sell you out on the other side?
blacksmith_tb - 4 hours ago
It's not so much that they couldn't sell you out, but that
if word got around that they had, it would be bad for
business.
thomnottom - 4 hours ago
That's not what was said. "Free VPNs are not to be trusted"
does not imply "All paid VPNs can be trusted".
JamesBarney - 4 hours ago
Basically how much they have to lose.
Say for instance there are two VPN services. Both have 100,000 users. One
makes $1,000 a year off of advertising, and the other makes
$1,000,000 a year ($9/month). Now both are approached by a
nefarious gentleman who offers them $20,000 a year to
harvest their users' information. But every year there is
a 25% chance people find out and your service is shut
down.
Who takes the deal? Maybe the free guy, but very few
people would risk a 1M/year revenue stream to make a little
extra cash, but someone might risk a much smaller revenue
stream for a comparatively bigger payoff.
btown - 4 hours ago
What is your opinion on PrivateInternetAccess?
fnord77 - 3 hours ago
I don't use PIA, but one advantage of them is you can use a
Starbucks or Target gift card to pay. Buy the gift card
with cash then there is no trail.
kilroy123 - 3 hours ago
I think they're good, but there are some downsides.
Sometimes traffic can really slow down because they're
_too_ big.
Another issue is, all their IPs are well known.
When browsing while connected to them, you can run into a
lot of issues: captchas, blocked sites, etc.
The other day I
was accidentally connected and made a purchase. What a
giant headache. My purchase was flagged and blocked and it
took a lot of my time to call the company and get it
cleared up.
programbreeding - 2 hours ago
A few weeks back I ran in to the same issue with
accidentally making a purchase while connected to PIA.
Mine was also flagged and I had to jump through several
hoops to prove I made the purchase. It was a pain but I
completely understand why that happened and I'm still
very happy with PIA.
I will mention that while it doesn't
magically fix slow speed issues, they have the ability to
report a slow server through the app (on Windows, I can't
attest to any others). You just right click the icon in
the notification tray and click "Send Slow Speed
Complaint." They do add more servers in areas that are
overloaded.
mrarjonny - 2 hours ago
I have been pleased with their service. It wasn't much
hassle to set up, particularly. Was certainly a little
trickier on my linux machine.
I find the speed has almost
been completely acceptable. I have had only a handful of
times where it seemed sluggish and bogged down.
I know there is some question of whether they can truly be trusted? Do
they truly not keep logs? And they are US based which are
all things to consider. I weighed those factors against
the customer reviews, price, and simplicity of their
service, and I think my choice has served me well. Their
rates are dirt cheap for what seems to be a reliable
service.
ideonexus - 4 hours ago
I've been very happy with PIA. It's cheap with minimal
impact to my bandwidth. The concern is that, like all VPNs,
we are trusting them not to keep logs. PIA claims that they
proved in court that they do not keep logs because they
provided no useful data to an FBI request. There's a debate
over whether this proves they don't keep logs or not here:
https://www.privateinternetaccess.com/forum/discussion/26284...
Is this semantics? I am uncertain. I do think that it's
in PIA's best commercial interests not to keep logs. It's
the core of their business model. The moment a PIA
customer's identity is revealed through them is the moment
they lose all business.
pnutjam - 4 hours ago
I've used PrivateInternetAccess, they are trustworthy, but
US based so count on them rolling on you if someone has a
good reason to be interested in you.
mirimir - 1 hours ago
Well, they apparently didn't roll for a US court, in a
case involving harassment, as I recall. Would they roll
for the NSA? How would they handle a NSL? I have no clue.
Their founder has said that, although he lives in the US,
none of their server admins do.
godelski - 4 hours ago
They've been recommended by a lot because they recently
backed up their claims of no logging (FBI asked them for
data, and they couldn't provide it). You'll see that they
are ranked pretty high on this list, where there are some
breakdowns. They are pretty cheap and popular too. Popular
helps by making associations more difficult. That is, seeing
a VPN server accessed page X and that you were accessing
the VPN server at said time. A college student was
connected to a bomb threat by this method, being he was the
only one on campus to be using TOR at the time the bomb
threat was made (from TOR). You'll be fine with any VPN
that is relatively popular and doesn't do any tracking.
rapind - 3 hours ago
"A college student was connected to a bomb threat by this
method"
This is why we can't have nice things...
Odin78 - 4 hours ago
A relevant detail to that story is that he admitted his
guilt under questioning. Had he continued to deny any
involvement, they would not have been able to prove that
he was sending the bomb threat, as it could have been
from someone who wasn't on campus.
godelski - 2 hours ago
Very true. But there have been several instances of cases
like this. And this thing doesn't matter if your VPN logs
or not[+]. But what I was trying to point out is that
these types of access collisions are important to
understand. And why I don't think people should roll
their own VPN.
[+] I'm not trying to advocate crime here or
advising how to avoid it. Just trying to bring to light a
vulnerability.
mirimir - 1 hours ago
Criminals are great examples, because their OPSEC
failures are often detailed in court records, reported in
the media, and discussed online. One of my articles on
IVPN's website uses several such OPSEC failures (Silk
Road, Sheep Marketplace, etc) as examples.
confounded - 2 hours ago
> And why I don't think people should roll their own
VPN.
People who are interested in not being identified
probably shouldn't. But there are good security reasons
to potentially do so.
AsyncAwait - 3 hours ago
It's also worth noting that PIA supports several free
software projects.
kuschku - 2 hours ago
Or, to phrase it differently: PIA outright bought a great
number of previously community-run projects, and is
concentrating power.
Freenode and Snoonet, two major IRC
networks, are now owned by them.
AsyncAwait - 1 hours ago
I was actually primarily talking about their donation to
the Krita Foundation [1], but yeah, it's good to be aware
of the above, even if thus far I haven't seen anything
nefarious from them.
[1] - https://krita.org/en/item/krita-foundation-update
fapjacks - 1 hours ago
Yes, and interestingly, the Freenode staff had previously
disabled Tor access to the Freenode network for over a
year or so because of "attacks" which they claimed they
could not handle. This was a pretty flimsy excuse once I
finally found someone that knew the technical details,
and though I chased the "right" people down several times
to ask why Tor access had not been enabled, I never got a
good answer. Cue PIA taking over Freenode, and within a
couple of weeks, Tor access to Freenode was once more
enabled. I've been a happy PIA customer for some years
now, but that left such a huge and positive impression on
me. I'm not completely sure the two things are simply
correlated, but after talking to all those Freenode
staffers over the years about it, I can't imagine it
wasn't pushed by PIA.
calcifer - 1 hours ago
Enough. You do this on every mention of PIA and you have
been told to stop or get banned [0]. I don't know why you
are on this crusade when there is not even the slightest
hint of wrongdoing [1] so please, easy on the conspiracy
theories.
Disclaimer: Happy PIA customer.
[0] https://news.ycombinator.com/item?id=14911509
[1] https://news.ycombinator.com/item?id=14911915
barbs - 9 minutes ago
Just discovered - you can get 63% off a 2-year
subscription in (presumably) the next 24 hours
https://stacksocial.com/sales/private-internet-access-vpn-2-...
crankylinuxuser - 1 hours ago
Wow, what's going on there? :/ Case of sour grapes for
that user?
My only beef is I thought PIA would be a
kickass gig to work at. Alas, never heard back from my
resume. They post in the monthly thread.
Still interested, if any of you PIA people are watching :D
godelski - 22 minutes ago
(not the person you were responding to)
To be honest, my
only problem with them is their customer service. And
their phone app. My connection is half speed on my phone.
:( They also have some strange problems with the linux
app (which I wish they would open source). Otherwise I'm
really happy with them.
mirimir - 1 hours ago
I'd use them. They're among the least expensive. And they
don't seem to retain logs or detailed access records, based
on testimony to a US court. But that was about an exit in
the US, where there's no legal requirement for VPNs to log.
Where there are such legal requirements, maybe they (or any
other VPN) would retain and produce logs.
When I checked in
mid 2016, their custom Windows client leaked while the VPN
was reconnecting after uplink interruption. But then, only
six of the 29 VPNs that I tested didn't leak: AirVPN,
FrootVPN, IVPN, Mullvad, Perfect Privacy and SlickVPN.
Strangely, FrootVPN didn't leak using open-source OpenVPN,
suggesting that they're doing something unusual at the
networking level. PIA's OS X client didn't leak,
however.
They do tend to oversell their servers, however. So
you'll often get less throughput than with AirVPN, IVPN or
Mullvad.
patcheudor - 1 hours ago
> So what is the downside to using a VPN if you're aware that
they aren't foolproof vs not using a VPN at all?
Rarely addressed: VPN CLIENT ISOLATION.
The majority of us sit behind a
NAT'd address range provided by our physical router, thus
isolating our machines via a hardware router / firewall from
our ISP. When you connect via a VPN, you are not automatically
isolated from other client-peers on that VPN and must
implicitly trust the VPN provider has properly configured
client isolation. You can do testing, like firing up Wireshark
and listening for broadcast traffic or simply by trying to nmap
other hosts on the network, however, whatever you find could
change with a configuration setting at any time.
DavideNL - 34 minutes ago
Exactly my thoughts; one way to further "secure" this would be
to run the VPN client on a hardware router like pfSense
(instead of directly on your laptop) and block all incoming
connections on the vpn client tunnel interface?
A disadvantage
of this method would be that the WIFI signal from your Laptop
to the router is no longer secured by the Vpn...
earenndil - 5 hours ago
Why not just use a trusted solution like openvpn and only use
providers who provide openvpn servers? That immediately gets
rid of one half of your problem; and as for the other half, vpn
services that allow for connections via openvpn are likely to
be more trustworthy. In addition, the vpn company can't MitM
connections which are already on an encrypted channel outside
of the vpn connection.
gowld - 5 hours ago
> use providers who provide openvpn servers
how can you prove what the provider is using? people can lie
benchaney - 5 hours ago
It is irrelevant what software the provider is using as
long as they use the openvpn protocol. This will be obvious
to anyone who tries to connect using openvpn.
thinkloop - 4 hours ago
Can you explain further, how can you be sure things
weren't added to the software?
flavor8 - 4 hours ago
When you use a VPN service that supports openvpn, you:
a) Install OpenVPN yourself (open source)
b) Download an OpenVPN profile from the VPN company
c) Configure OpenVPN with the profile
Specifically, you don't have to install
any binary software from the company itself.
thomnottom - 4 hours ago
You can use your own OpenVPN client.
benchaney - 4 hours ago
To the client side or the server side? On the client
side, you should download the code from a location you
trust. On the server side, it is irrelevant if something
is added to the software for the attack we are
discussing.
ghostly_s - 4 hours ago
OpenVPN is a protocol. If the VPN provider supports it, you
set it up in your own client that supports OpenVPN. Using a
VPN provider that requires you use some proprietary app is
madness.
I recently signed up for such a service, in order
to get my Nintendo Switch online for multiplayer gaming. My
home internet connection is sub-let from the landlord and
could be considered semi-hostile -- not able to connect to
peers on the Switch due to triple NAT, and I suspect some
QoS throttling as well. The VPN solves my routing problems,
but if anyone has a suggestion for another option here I'm
all ears.
wyldfire - 5 hours ago
This suggestion is intended to solve the "free VPN app
installs malware" problem and not solve the "VPN provider
who actually logs/is in league with govt/MPAA/etc" problem.
hultner - 5 hours ago
Isn't openvpn kind of a hack and an IKEv2/IPSEC based
strongswan solution to prefer?
MichaelGG - 35 minutes ago
OpenVPN protocol is sorta weird (I wrote a clean room
client and server impl). But IPSec stuff is such a pain to
deal with that it is not worth it despite it having better
OS integration.
joecool1029 - 4 hours ago
Don't see why you're getting downvoted. From a user
standpoint, IKEv2 doesn't require a secondary client and
integrates with most major OS better.
For example: It's way
easier for a client to install a mobileconfig to ios that
supports on demand VPN than it is to have them download and
configure openvpn. Fairly set and forget.
JetSpiegel - 2 hours ago
IKE is a nightmare to admin, only for Cisco level
bureaucracies.
saosebastiao - 5 hours ago
I've been using one pretty consistently ever since the
legislation passed allowing ISPs to sell your browsing history. I
generally don't have any problems with it, but that isn't to say
it is not problematic:
* Connection issues are really annoying. At home it is manageable,
but reconnecting to a different wifi network with a phone introduces
a delay that sometimes lasts minutes before it becomes functional again
* Some websites make you enter captchas in order to use them, probably
due to VPN abuse by malicious users. Others outright block traffic to
any detectable VPN traffic.
* It is slower in general, but the worst case slowness seems much worse
and more common. Unavoidable really, you're introducing another
potential point of failure.
* Useful LAN functions (like *.local domains) become non-functional
derefr - 4 hours ago
> Useful LAN functions (like .local domains) become non-functional
Is that true if you 1. disable the "force all DNS
traffic over VPN" setting, but then 2. have a local resolver
(e.g. dnsmasq) that resolves LAN domains but forwards all other
traffic to a DNS server on an IP that will end up routed
through the VPN?
saratogacx - 4 hours ago
I'm not sure if your methods would fix the issue but you can
get around it if your router supports acting as a VPN client.
After you configure the connection it becomes invisible to
all your lan clients and you can use all of your local
network goodies.
spccdt - 5 hours ago
Do you happen to have a link to the legislation you mention?
vlod - 5 hours ago
Googling this gives you lots of links: "isp sell browsing
history"
Here's arstechnica: https://arstechnica.com/information-technology/2017/03/how-i...
0xfeba - 5 hours ago
https://www.cnbc.com/2017/03/28/congress-clears-way-for-isps...
Congress removed FCC regs. that would have prevented
it. ISPs have been claiming both the regulation is unneeded
but that they won't sell your data.
gwbas1c - 5 hours ago
Think about it this way: What if your VPN operates in another
country? It becomes an international issue if Bob wants your VPN
to tell them who you are.
On the other hand, if your VPN operates
in another country, some websites within your country may block
you due to content licensing issues.
mirimir - 4 hours ago
My favorite formula, in constructing nested VPN chains:
1) First VPN, that only my ISP and second VPN see: I choose one that's
popular where I live, and commonly used for torrenting, and I
have a torrent client up 24/7.
2) Second VPN, that only the first and third VPNs know about: I choose
one that does business from a jurisdiction that isn't very friendly
with my government and its friends.
3) Third VPN ...
4) Final exit VPN, that only the previous VPN and websites see: I choose
one that doesn't attract too much attention. For Mirimir, that's IVPN,
because I'm already so associated with it.
icelancer - 4 hours ago
What is your favorite way to create VPN chains in
Windows/Linux/OSX?
mirimir - 4 hours ago
I mostly use VirtualBox, or VMware in Windows. pfSense VMs
make great VPN gateways. VPN and pf setup are pretty easy
with their webGUI. Debian VMs also make great VPN gateways,
but setup is harder, and their disk footprint is
greater.
I've thought about doing it all in one OS, with
iptables or pf to control routing. It'd be lots lighter,
but more fragile.
mirimir - 1 hours ago
Another option, if you want more security against
exploits, is Qubes. But the hardware requirements are far
more restrictive, and the learning curve is steeper.
jstanley - 5 hours ago
Not really an answer to any of the questions you asked, but I'll
provide my perspective.
I don't use a VPN to hide my identity from
the websites I'm connecting to. I use a VPN to hide the websites
I'm connecting to from my ISP.
Residential ISPs in the UK are
supposed to log a bunch of internet stuff (not clear exactly
what), which is then made available warrant-free to over 40
government departments, including for purposes obviously
unrelated to "national security" (not that that would make it
OK), e.g. HMRC and the Food Standards Agency
https://en.wikipedia.org/wiki/Investigatory_Powers_Act_2016
Additionally, I use a
DigitalOcean VM and run OpenVPN myself, I don't get a service
from a VPN company.
Sean1708 - 5 hours ago
> I use a DigitalOcean VM and run OpenVPN
I've been looking to
do the same recently, do you use Digital Ocean Droplets? If so,
how have you found the experience?
StyloBill - 4 hours ago
I've been using DO for my VPN needs and it's been a very good
experience. You can start a 5$ Ubuntu droplet, which is more
than enough to host OpenVPN, and then configure your VPN
manually. Check here:
https://www.digitalocean.com/community/tutorials/how-to-set-...
Or you can do it the easy way (but you won't learn as
much) and run a bash script to configure everything
automagically: https://github.com/Nyr/openvpn-install
Theodores - 2 hours ago
I just tried that but on my VPS the 'tun' device was not
enabled and the automagic script died. Seems that is not
easy to fix on a VPS depending on your provider. Thanks for
the tip though.
taw20171030 - 4 hours ago
Not the OP and I don't use DO specifically, but I've found
using a VPS provider to be a more or less painless VPN
experience. Providers like DO, OVH, and Vultr have scripts
for easy one-click OpenVPN setup, or you can roll your own if
you don't trust their scripts (though if that's the case
maybe you don't trust the VPS provider at all...)
That said,
always verify that the tunnel is operating correctly before
assuming it is and taking off. I've found on more than one
instance that the OpenVPN client was misconfigured and seemed
to connect, yet my IP was still being reported as my ISP's.
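The "verify the tunnel before trusting it" step above, together with mirimir's earlier point about not using an ISP-assigned resolver, can be checked from the routing table and resolv.conf. This is an added example, not any commenter's code; tun0, the 10.8.0.1 resolver and the route samples are constructed placeholders.

```python
import ipaddress
import subprocess
from typing import Dict, List, Set

# Constructed `ip route show` / resolv.conf samples (not captured from a real
# host; 10.8.0.0/24 is the tunnel subnet, 203.0.113.10 the VPN server).
# (a) tunnel up, OpenVPN's two /1 routes pulling everything into tun0
GOOD_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev eth0
"""
GOOD_RESOLV = "nameserver 10.8.0.1\n"

# (b) client said "connected" but redirect-gateway never took effect and the
#     resolver is still the home router, which forwards to the ISP
BAD_ROUTES = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
"""
BAD_RESOLV = "nameserver 192.168.1.1\n"


def parse_routes(text: str) -> List[Dict[str, str]]:
    """Turn `ip route show` lines into {'dst': ..., 'dev': ..., 'via': ...}."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        route = {"dst": parts[0]}
        for key in ("via", "dev"):
            if key in parts:
                route[key] = parts[parts.index(key) + 1]
        routes.append(route)
    return routes


def egress_dev(routes: List[Dict[str, str]], dst: str) -> str:
    """Longest-prefix match, as the kernel would pick (metrics ignored)."""
    target = ipaddress.ip_address(dst)
    best_len, best_dev = -1, ""
    for r in routes:
        cidr = "0.0.0.0/0" if r["dst"] == "default" else r["dst"]
        net = ipaddress.ip_network(cidr, strict=False)
        if target in net and net.prefixlen > best_len:
            best_len, best_dev = net.prefixlen, r.get("dev", "")
    return best_dev


def parse_nameservers(text: str) -> List[str]:
    return [line.split()[1] for line in text.splitlines()
            if line.startswith("nameserver") and len(line.split()) > 1]


def check_tunnel(route_text: str, resolv_text: str, vpn_iface: str,
                 trusted_resolvers: Set[str],
                 probe: str = "198.51.100.1") -> List[str]:
    """Return findings; an empty list means these checks saw no leak.

    probe is an arbitrary public address used only for the route lookup.
    A trusted loopback resolver (local dnsmasq/systemd-resolved) is accepted
    as-is; where its upstream goes is not visible from resolv.conf.
    """
    findings = []
    routes = parse_routes(route_text)
    dev = egress_dev(routes, probe)
    if dev != vpn_iface:
        findings.append(f"default traffic leaves via {dev or 'no route'}, "
                        f"not {vpn_iface}")
    for ns in parse_nameservers(resolv_text):
        if ns not in trusted_resolvers:
            findings.append(f"resolver {ns} is not in the trusted set")
        elif (not ipaddress.ip_address(ns).is_loopback
              and egress_dev(routes, ns) != vpn_iface):
            findings.append(f"DNS to {ns} would leave via "
                            f"{egress_dev(routes, ns)}")
    return findings


def live_check(vpn_iface: str = "tun0",
               trusted_resolvers: Set[str] = frozenset({"10.8.0.1"})) -> List[str]:
    """Run the same checks on this host (Linux with iproute2)."""
    out = subprocess.run(["ip", "route", "show"], capture_output=True,
                         text=True, check=True).stdout
    with open("/etc/resolv.conf") as fh:
        resolv = fh.read()
    return check_tunnel(out, resolv, vpn_iface, set(trusted_resolvers))


if __name__ == "__main__":
    for name, rt, rc in (("good", GOOD_ROUTES, GOOD_RESOLV),
                         ("bad", BAD_ROUTES, BAD_RESOLV)):
        print(name, check_tunnel(rt, rc, "tun0", {"10.8.0.1"}) or "OK")
```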
unethical_ban - 3 hours ago
I did notice the Vultr OpenVPN deploy has license
restrictions of two clients.
didibus - 4 hours ago
Unfortunately, you lose access to certain sites, like Netflix,
who block cloud IP ranges.
bluedino - 12 minutes ago
Add to that many shopping sites (Best Buy for instance), deal
sites, ticket buying sites, hotel/airline sites, heck, even
my state's offender tracking system blocks the handful of VPS
services I've tried.
Insanity - 1 hours ago
airVPN has this problem, unfortunately.
I have a device through which I netflix on which I do not do other personal
browsing.
Quite a shame though, but nothing netflix can do
about that. :-(
pnutjam - 4 hours ago
You lose those with any VPN provider I've tried.
joshvm - 4 hours ago
NordVPN works mostly reliably with Netflix.
tomjen3 - 3 hours ago
Such a VPN that did keep logs would lose their entire business
model if it broke that they kept logs - even if they kept logs
(and why should they? That might always leak and kill their
business) why should they help a third-party to them?
lr4444lr - 4 hours ago
It seems in the latter case, even with a malicious VPN, it's one
additional (maybe trivial step) to associate me. But it's still
better than just using your own ISP. Isn't that why people use
VPNs to avoid DMCA letters from their ISP?
If the VPN is malicious or self-hosted.
If the servers and the company headquarters are
located in a country not part of the "14 Eyes", and most
importantly, host a lot of other traffic that is not you, there
is obfuscation, legal barriers, and plausible deniability that
you did not do what "they" are claiming you did.
regulation_d - 5 hours ago
Is Bob a cop? Does he have probable cause that you were involved
in criminal activity. I don't think you can just handwave "call
my ISP with a warrant".
erikb - 6 hours ago
Think of SSH as the secure networking swiss pocket knife but that
it is free for everybody to use, learn and script with. Now think
how someone could make money out of it. They can't. So they start
creating an alternative, that is so complex and hard to
understand, that no person alone can manage it, and even the best
solutions are unreliable, expensive and corporate. This is
something you can sell and argue well that you need a shitload of
engineers to maintain. This is VPN.
What should you use if you're
smart enough to come to HN for reading? SSH of course.
mi_lk - 6 hours ago
Do you mean you can use SSH for anonymous browsing? I genuinely
don't know how that works out, isn't that just transferring the
risk to the server you ssh into, so you end up having to trust
the server? Do you have some links for reference?
jsjohnst - 5 hours ago
SSH has a Socks compliant proxy built in. That said, you are
right, you are basically shifting responsibility to the SSH
server you are connecting to so you have to trust it the same
way you would a VPN provider. As such, it's essentially the
exact same and so GP was clearly misguided.
[deleted]
kibwen - 4 hours ago
Though this can provide an extra level of defense against
MITM, if you trust your personal connection to the internet
less than the server's connection to the internet.
erikb - 1 hours ago
You can provide the ssh server yourself. Which is not so
hard. And security is something different than avoiding
tracking. Avoiding tracking is very simply done by not
using a centralized proxy which is maintained by someone
else (like in VPN). When you are really under attack it's
very different and in that case you couldn't trust VPN
either. Even the VPN client would be a danger.
bearbearbear - 6 hours ago
All SSH does is move your traffic to a different computer.
When it leaves that computer it's no longer encrypted.
It's not hard
to look at unencrypted traffic leaving the computer you've
SSH'd into and associate the traffic with the computer you've
SSH'd in through.
0xfeba - 4 hours ago
Hm, do DNS queries go through an SSH tunnel?
kibwen - 4 hours ago
Presumably so; when I've tried the SOCKS support built in
to Firefox, I've noticed that sites that I have blackholed
via my hosts file begin working again.
subway - 5 hours ago
Not to mention incredibly limited IP support. You can forward
a few specific ports, or use SOCKS, but that's about it.
jsjohnst - 5 hours ago
I guess you've never heard of TUN/TAP support in SSH?
earenndil - 5 hours ago
Why is SOCKS limited? Just make whatever you want to send
your traffic through proxy it through the SOCKS.
_joel - 5 hours ago
Indeed, ssh -D {port} is something I use heavily (to
create a SOCKS5 connection to a remote server,
effectively a VPN)
cat199 - 5 hours ago
This assumes 'whatever you want to send traffic through'
speaks SOCKS.. most things don't. Web yes, but not most
other things.
jsjohnst - 5 hours ago
> most things don't
That's entirely not true. If you'd
said "some", you'd be right, but "most" is categorically
incorrect.
jstanley - 5 hours ago
> All SSH does is move your traffic to a different
computer.
And browsing the internet over a VPN is different...
how, exactly?
erikb - 1 hours ago
And VPN encrypts your traffic directly to Facebook? No. At
some point it also leaves the VPN's network.
cat199 - 5 hours ago
Umm. No.
Want to connect 2 lan's together and have full protocol
binding and internal DNS support without mucking with
65535*N-nodes port forwardings? yeah.
not to mention 'vpn' isn't a product.. so your entire notion of
'making money out of it' makes no sense.
as for commercial: OpenVPN is great, free, and
fairly simple to use.
jsjohnst - 5 hours ago
While it's not the right tool for the job, it is possible to
connect two networks together using SSH as the secure
transport. Many (most?) good network folks will recoil in
horror though about tunneling TCP inside TCP.
paulmd - 4 hours ago
VPNs aren't a defense against subpoenas or warrants, they're a
defense against ISPs scraping your connections and selling them
to advertisers.
No advertiser is going to come after your VPN
provider asking for logs, and even if they did your VPN provider
is going to tell them to get fucked anyway. Again, unless the
advertiser in question happens to be the federal government and
they have a subpoena or a warrant, no VPN provider is going to
give you logs to help you associate a user, I have no idea why
you would even think that.
If you don't want traffic from users on
the VPN you are free to block them (Netflix does this) but nobody
is going to give logs over to a random webmaster to help
deanonymize users.
If you want to remove the VPN provider from the
question entirely (many of them are on the shady side), you can
use Algo to automatically deploy a Digital Ocean droplet or
Linode instance to relay your connections for you. However this
doesn't fundamentally change anything - if someone comes after
you with a warrant or a subpoena, then Digital Ocean/Linode is
going to give you up.
https://github.com/trailofbits/algo
This is
not exactly a difficult concept to understand so if you have
asked this question repeatedly and still aren't satisfied with
the answer, perhaps you should look inward.
chii - 1 hours ago
> they're a defense against ISPs scraping your connections and
selling them to advertisers.
isn't SSL supposed to do that? At
most an ISP ought to only be able to sniff the domain.
EpicEng - 1 hours ago
> VPNs aren't a defense against subpoenas or warrants
They absolutely are for a huge number of people. Why do you think so
many VPN's advertise the fact that they don't keep logs? I
imagine far (_far_) more people use VPN services as a way to
evade copyright holders than as a mechanism to avoid marketers
(most people don't give two craps about the latter issue.)
BTW,
was the snarky bit at the end really necessary?
thephyber - 2 hours ago
> VPNs aren't a defense against subpoenas or warrants, they're
a defense against ISPs scraping your connections and selling
them to advertisers.
Some VPNs imply this when they claim they
don't keep logs on their users.
mirimir - 5 hours ago
Sure, adversaries could pressure VPN providers for logs, account
information, help tracing traffic, etc. So you pick VPN services
that have been in business for several years, are well known and
recommended in relevant communities, and have no history of
giving up their customers. There's a recent relevant thread on
Wilders: https://www.wilderssecurity.com/threads/purevpn-keeping-logs...
Even so, it's prudent to assume that your VPN provider
logs, works with your adversaries, etc. Just like the Tor project
assumes that any particular relay may be malicious. So Tor
clients create three-relay circuits, to distribute the risk. And
one can do the same with VPN services. I'm currently working
through a nested VPN chain, using servers from multiple
providers. I use pfSense VMs as VPN gateways, and workstation
VMs. It's also easy to add Whonix to the mix, so I can use Tor
through nested VPN chains.
jasonrhaas - 1 hours ago
Does anyone have a preference on what server the VPN connects to?
For example, I'm using AirVPN, and you can select specific
countries that you would like to allow the VPN to use. From there
it just goes out and connects to the "recommended" server.
If I don't make any preference, it will connect me to a server in
Canada. It's very fast, but a bit annoying because now I get all
the Canadian search results in Google.
Is there any downside to
using a VPN server in the same state or country that you are
in?
BTW, I have been using AirVPN for a few days and really like it.
Super minimal UI (which I like) and gets the job done. Also, I
like that they accept BitCoin as payment if you so choose.
navyguy - 2 hours ago
If you're after ultimate privacy and security, look for a service
that accepts payment from anonymous services like Bitcoin.
Bitcoin can be tracked, use zcash? Can't believe mozilla got this wrong.
mnw21cam - 6 hours ago
Is this another candidate for Betteridge's law [0]?
[0] https://en.wikipedia.org/wiki/Betteridge%27s_law_of_headline...
detritus - 5 hours ago
No.
I wish people would stop throwing this question at every
headline that happens to have a question mark at the end of it.
The headline here isn't clickbait, it's an attempt to answer a
question that is pertinent to many.
jen_h - 43 minutes ago
Yes. It's not a panacea, but why not if you can DIY in less than
five minutes for $5/month? https://github.com/jenh/sevenminutevpn
TomMckenny - 43 minutes ago
What happens when ISPs decide you need a "business" subscription
plan to use a VPN?
sudo-i - 6 hours ago
Are we going back into time where we can draw parallels between
internet access through an online portal like AOL and now when we
are accessing our internet through a VPN?
mxuribe - 4 hours ago
Actually I think the lay users access the "internet" via facebook
(aka the "modern equivalent of AOL")...while non-lay users use
VPNs. ;-)
f_allwein - 6 hours ago
Useful resource on selecting a VPN provider:
https://thatoneprivacysite.net/vpn-section/
jimejim - 5 hours ago
I recently set up on ZorroVPN after going through that list. It's
a little on the pricier side (BlackVPN is another one I was
considering with similar pricing), but the performance has been
pretty good so far. They don't have their own client so you don't
have to worry much about them installing junk on your machine.
You can use one of the open source clients out there.
nchuhoai - 3 hours ago
You know what should be easier? Being able to just run a docker
image on a VPS like DO and instantly have a DIY VPN server that you
can spin up on demand.
[deleted]
hguhghuff - 6 hours ago
I'd hand cash to Mozilla if THEY provided a VPN service.
Or if
Amazon provides one I'd use that for sure.
canttestthis - 6 hours ago
Definitely Mozilla but why Amazon? They operate with vastly
different values systems.
gjjrfcbugxbhf - 5 hours ago
Both would inevitably have to log.
Both would help with ISP
selling data to advertisers level snooping and open WiFi network
insecurity issues though.
wjn0 - 5 hours ago
I started using BlackVPN about a month ago because the highly
personalized ads all around the web got extremely unnerving. Having
accounts with FB/AMZN type services means they'll never go away
completely, but it's better than nothing. I'm curious if anyone has
any commentary on other providers worth looking into. BVPN is based
in Hong Kong which has a strong history of pro-privacy AFAIK, and
they claim to not even have the technical ability to keep logs of
relevant info. Either way, I think I'd rather have some random Hong
Kong company have my semi-anonymized info rather than my ISP.
chinathrow - 1 hours ago
If you work for a company, organization, agency or nation state
which drives people to use VPNs, please think for a minute about
what you do and what you could do for users in the future. Thank
you.
weej - 4 hours ago
Some citations and good feedback on exact details with potential
caveats in using various providers.
https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa
weej - 4 hours ago
Also there's a very good VPN comparison matrix from "That One
Privacy Site" https://thatoneprivacysite.net/vpn-comparison-chart/
forapurpose - 5 hours ago
Is there any way in which a VPN is superior to Tor, except possibly
speed?
jimejim - 6 hours ago
I don't look to it as a foolproof solution, but I do see it as a
way to make things a little bit harder for someone that's trying to
track me. The arguments here often sound similar to "experts" that
complain about 2 factor auth: Sure, it's not perfect and there are
better solutions in some cases, but it's still better than nothing
for a lot of people.
waytogo - 5 hours ago
Learned recently: Opera includes a VPN for free.
deltaprotocol - 1 hours ago
Edit: Opera includes a "gratis" VPN, but definitely not for free.
Just read the Privacy Terms. And they keep logs.
abandonliberty - 3 hours ago
How about WPA2/KRACK? While the standard VPN pro/cons apply, if you
have unpatched or unpatchable hardware it seems like a fairly
compelling reason right now.
ajr0 - 7 hours ago
Great link from the EFF describing tor and https [0]. Click on the
grey 'tor' and 'https' links to see what information is collected
where and what can be viewed. Surprised this article does not
mention tor? Or has tor been abandoned as a tool for privacy?
[0] https://www.eff.org/pages/tor-and-https
shawabawa3 - 6 hours ago
I think tor is simply too slow and complicated to advertise as a
tool to "regular people". Encouraging people to use a VPN is much
more likely to be effective.
ajr0 - 5 hours ago
There are reasons why a VPN is great but not for privacy. A
VPN currently allowing me to work remotely would be one of
them. CiPHPerCoder provided a great link [0] in this discussion
[1] that details a short list of a few reasons why VPNs are
likely not what "regular people" who are concerned for privacy
should be using. That all being said, tools like tor have become
much easier to use with setups like tails [2] which may have
its own security issues but I'll agree that regular users may
not be capable of using Qubes with Whonix..... yet.
I think advocating for a VPN is actually harmful to the "regular
user" not only in the fact it will not accomplish what they want,
it will deepen their ignorance on how the internet works because
they will think "it's encrypted" "so I am secure."
I do have some concerns that tor is a tool that needs to be
improved upon greatly to truly accomplish its goals but I am not
aware of any projects that are doing so. Re metadata,
fingerprinting, developers inserting backdoors etc.
[0] https://gist.github.com/joepie91/5a9909939e6ce7d09e29
[1] https://news.ycombinator.com/item?id=15585974
[2] https://tails.boum.org/
[edit: added concerns about tor]
schoen - 5 hours ago
> I do have some concerns that tor is a tool that needs to be
improved upon greatly to truly accomplish its goals but I am
not aware of any projects that are doing so. Re metadata,
fingerprinting, developers inserting backdoors etc.
I always try to tell people about Tor's limitations, which are
considerable. (I wrote the content for the EFF graphic that
was linked above, and one goal was to show people things that
aren't hidden by Tor, for example you can see an NSA agent
in the graphic performing some kind of correlation attack
between source and destination by monitoring the network at
multiple points. Of course, the source of data for this
doesn't have to be fiber optic taps, so other entities that
can get source and destination data can correlate them
too.) Tor is doing work on all of the things that you mention:
metadata, fingerprinting, and developers inserting backdoors.
One could wish for more work and that it had happened longer
ago, but all of those are active areas of concern and
research for the Tor project.
schoen - 2 hours ago
(Just to be clear, I mean that Tor is doing work to prevent
developers from inserting backdoors.)
ajr0 - 4 hours ago
> I wrote the content for the EFF graphic that was linked
above
Thank you! I constantly share that link with people, I
(and many others) appreciate your work! I regret not going
into software development, I wish those are projects I
could contribute to, alas my closest work towards
development is tinkering with linux etc .conf files to get
home projects to work, which is not development at all.
schoen - 4 hours ago
Since I spend a lot of time these days helping people
on https://community.letsencrypt.org/ I can testify that
the ability to help people tinker with Linux
configuration files is something that continues to be in
great demand. :-)
ajr0 - 4 hours ago
Thanks! I'll begin lurking
jerheinze - 6 hours ago
> I think tor is simply too slow and complicated to advertise
as a tool to "regular people"
I know many people who use Tor daily for regular browsing,
myself included. Yes, it's slower than not using Tor but
that's expected from the 3-hop design.
bubblethink - 3 hours ago
There sorely needs to be a corollary to net-neutrality, where
websites cannot discriminate users based on the choice of their
ISP/vpn/tor/vps/cloud-provider. I find it absurd that websites are
even allowed to display a banner with phrasing like, "We detect
that you are using a vpn. Disable it to view this site." Netflix,
the champion of net neutrality, is the biggest offender in this
area.
snuxoll - 3 hours ago
What's even more annoying is Netflix treating things like
tunnelbroker.net as VPNs. I'm really tired of my ISP's lack of
proper IPv6 connectivity, I was using tunnelbroker for a while
but got tired of fighting to get Netflix working correctly.
stanmancan - 3 hours ago
Netflix had to crack down on VPN usage recently as people use
them to bypass geographic content restrictions. Any suggestions
on alternative options they could pursue? (Aside from somehow
getting global broadcasting rights on their whole library)
bubblethink - 3 hours ago
They didn't have to do anything. Netflix is a paid service. You
are paying for a service, which you are entitled to get. What
geo-drm-moon-phase recipe they cook up is their problem. As a
consumer who pays, you should see either a) content from your
billing address, or b) content from the IP address. Or any
superset of the two; but NOT a banner asking you to disable
your vpn.
tqi - 3 hours ago
Netflix charges different amounts in different countries,
which is why your subscription is tied to a geo.
ihale - 3 hours ago
Would they not be able to tie the location to the account? If,
say, they register as a US user, an ip change from US, to
France caused by VPN would leave little issue. Correct me if I
am wrong.
freeone3000 - 2 hours ago
You're right, technically, but incorrect legally, because if
you don't VPN and instead hop a plane to France, they just
streamed US content to France. No-go.
skizm - 3 hours ago
I sort of agree, but I believe Netflix is legally obligated to do
this due to licenses/copyright laws that they have. So they
probably have to put in some legally defined amount of effort
into combating people "cheating" or working around the regional
licenses. Their hands are tied.That's my guess at least.
confounded - 8 minutes ago
They optionally sign contracts which contain geo-fencing
clauses. There's no law that says content must be geo fenced,
and that suspicion of proxy use, for any purpose must result in
denial of service.
andrei_says_ - 3 hours ago
Netflix unfortunately is tied to draconian region-specific
content distribution agreements with some of the biggest content
producing/owning companies in the world. Don't think they can
ignore the VPNs without significant legal issues and potentially
losing much of their content.
chisleu - 6 hours ago
I'm on Verizon so I don't get to choose if I need one. I have to
use one on my phone at least. They are still useful for lumping your
traffic in with others for copyright infringement. Torrent clients
offer the files for sharing while downloading. They are still useful
for some simple geo evasion as well. They aren't a solution for
every security issue at all. Tor is generally better to run from
open wifi from a tails USB rather than from a VPN. Also, many VPNs
actually log things they can provide to the FBI even though they
lie and say they don't. They can get an NSL and end up having to
without being able to tell you that they did. Sometimes an NSL
canary is used, but not always.
Cuuugi - 5 hours ago
I believe you are referring to the "perma-cookie"? (directed to
all the confused replies) Please feel free to correct me.
https://www.wired.com/2014/10/verizons-perma-cookie/
mi_lk - 6 hours ago
> I'm on Verizon so I don't get to choose if I need one.
Can you expand on that? I'm also on Verizon and feel like having
a panic attack.
chisleu - 1 hours ago
They throttle youtube and netflix now, which broke youtube with
my VR headgear. :( Also, the permacookie nonsense, and they are
certainly data mining the crap out of everything you do.
chadgeidel - 5 hours ago
I'm not sure what you mean by "I don't get to choose if I need
one". Both Android and iOS natively support VPNs, and most
corporate phones are set up to connect to the corporate network
securely via VPN - on many US carriers.
tonyztan - 5 hours ago
I think chisleu meant that they consider Verizon to be so
untrustworthy that not getting a VPN is really not a viable
choice to make. So chisleu doesn't get to choose whether to use
a VPN or not.
chadgeidel - 4 hours ago
Oh, I think I understand now. "I have to use one on my
phone". Thanks!
erikb - 6 hours ago
This is a sales page, not an objective discussion.
(a) There's not much you can do with VPN that you can't do with
SSH (actually I can't think of anything). And SSH is much more
configurable.
(b) To avoid tracking of your browsing it is not a smart idea to
pipe all your browsing through the servers of one VPN provider. A
smart way would be to split up browsing streams, not to combine
them.
I'm very sceptical about Mozilla writing such an ad page and
trying to sell it as a reasonable technical blog post.
forapurpose - 5 hours ago
> There's not much you can do with VPN that you can't do with
SSH
For most end-users, there is nothing they can reasonably do
with ssh.
erikb - 1 hours ago
Every end user that can't use ssh can't use VPN either. It's
only a lucky coincidence if it works for a few for a limited
period of time. It's just that many VPN Clients come with a
very limited set of configuration and debugging output which
makes the average grandma more confident because she doesn't
know all the shit that happens underneath. Everybody who is able
to repair a bike though is also able to use SSH.
abtinf - 5 hours ago
I wish a trustworthy organization with a history of privacy
advocacy, like EFF or Mozilla, would create a subscription VPN
service. I'd sign up immediately and their reputation would command
a significant price premium.
bhauer - 5 hours ago
I wish that we had arrived at a different term for third-party VPN
proxy services. I use VPN connectivity to my home network whenever
I am on the road so that my traffic is encrypted over-the-air
(Wifi) regardless of its protocol or destination. When I read, "Do
you need a VPN?" I think "I love having a personal VPN to my home
network that I use from everywhere. You might love it too!" I am
evangelical about creating and using a personal virtual private
network, that is, a "VPN" in the more traditional sense of the
term. And then I realize the question is actually about third-party
VPN proxy services, which seem to be a substantially different use-
case. It's just a shame that the term "VPN" has become so ambiguous.
[deleted]
heylook - 2 hours ago
Would you mind sharing your tips for setting this up? I've been
considering doing something similar for a little while now but am
unsure how to get started.
acidburnNSA - 42 minutes ago
I think the easiest way is to get a router capable of running
DDWRT or similar that has an OpenVPN server built in to it,
flash your router, generate some keys, and hook in with all the
OpenVPN clients on Windows, Linux, Android, iPhone, and MacOS.
It's really not that bad. I use it all the time when I'm out of
my house. I can browse knowing that no one between me and my
home can know anything about what I'm doing. Of course, my ISP
at home can see everything all the time. I can even access my
home automation system. Shoot, I have one installed at my mom's
house and can monitor her furnace when she's on travel in the
winter. Everyone would enjoy a personal VPN.
https://www.dd-wrt.com/wiki/index.php/OpenVPN
kzahel - 34 minutes ago
One low maintenance way of doing this would be to set up an SSH
server at home (and configure your home NAT/Router to forward
traffic to that machine). Once you have SSH access to home there
are a number of ways to tunnel your traffic (on desktop
platforms, not sure about mobile). Sshuttle works pretty nice.
You can also optionally just tunnel traffic for certain apps or
browser profiles by using ssh -D (SOCKS5 proxy).
bhauer - 2 hours ago
Not to trivialize it, but the basic steps are:
1. Add a VPN host to your home network, either as another role on
your router/firewall or as a role on a host inside your network.
For example, if you're running pfSense as your firewall, you can
add an IPSec/L2TP or OpenVPN role to the pfSense host. Many
hardware router/firewall devices have VPN host capabilities.
You can start simple by defining users at the VPN host. Later
you can use your home network's LDAP directory for users, but I
personally didn't bother doing that.
2. Set up your laptop(s) and phone(s) to connect to that VPN.
Disable "split tunneling" on the devices. If split tunneling is
enabled, only traffic that is intended for your private network
would be sent to the VPN. Disabling it requires that all traffic,
even traffic destined for the public Internet, be routed through
the VPN host.
3. Connect to the VPN whenever you are outside of your home.
4. You can optionally assign a static private IP to each device
so that when you're connected, all devices use known IP addresses
that you can name using a local DNS server. This would allow you
to, for example, reach your laptop by the name
"laptop.yourdomain.org" (or whatever). I give all of my devices
hostnames so that I don't need to remember their IP addresses.
5. The result is you have a personal "virtual private network"
that facilitates private LAN-like communication between all of
your devices. For example, I use this to access my personal file
server from anywhere.
6. You can get even more sophisticated by setting up site-to-site
VPN connectivity between your home network and a machine or
network you run at a data-center. This allows you to, for
example, reach not just your home file server but also manage
your personal public-facing Internet services running at your
data-center hosted machine or VM, from any of your devices.
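A small audit script for steps 2 and 4 of this checklist, added here as an example (it is not bhauer's own setup and not OpenVPN project code). It assumes an OpenVPN server that uses a client-config-dir (ccd), relies on the real directives push "redirect-gateway def1" (full tunnel, i.e. split tunneling off) and ifconfig-push (pinned per-device address), and renders the hosts lines a local DNS server could serve. The config text, device names and the home.example domain are constructed for the example.

```python
"""Audit an OpenVPN server setup against steps 2 and 4 of the checklist above.

Added example, not bhauer's own configuration.  It parses a server.conf plus
the per-client files of a client-config-dir (ccd) and reports whether the
server forces every client into a full tunnel (no split tunneling) and
whether each device gets a pinned address, then renders the hosts lines a
local DNS server could serve.  All config text is constructed; the directive
names are real OpenVPN ones.
"""
import shlex

# Constructed server.conf that still leaves split tunneling to the client.
SPLIT_TUNNEL_SERVER = """\
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
push "dhcp-option DNS 10.8.0.1"
"""

# Same server, now pushing a default route so all client traffic uses the VPN.
FULL_TUNNEL_SERVER = SPLIT_TUNNEL_SERVER + 'push "redirect-gateway def1"\n'

# Constructed ccd contents, keyed by the client certificate's common name.
# With "topology subnet", ifconfig-push takes an address and a netmask.
CCD = {
    "laptop": "ifconfig-push 10.8.0.10 255.255.255.0\n",
    "phone": "ifconfig-push 10.8.0.11 255.255.255.0\n",
    "tablet": "# nothing pinned: this device draws from the pool each time\n",
}


def parse_directives(text):
    """Return (directive, args) pairs; '#' and ';' lines are comments in OpenVPN."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)  # keeps 'push "redirect-gateway def1"' as one arg
        directives.append((parts[0], parts[1:]))
    return directives


def pushed_options(server_text):
    """Options the server pushes to every client, e.g. 'redirect-gateway def1'."""
    return [" ".join(args) for name, args in parse_directives(server_text) if name == "push"]


def forces_full_tunnel(server_text):
    """True when clients receive a redirect-gateway push, i.e. split tunneling is off."""
    return any(opt.startswith("redirect-gateway") for opt in pushed_options(server_text))


def pinned_addresses(ccd):
    """Map common name -> tunnel address from ifconfig-push, or None if unpinned."""
    pinned = {}
    for common_name, text in ccd.items():
        address = None
        for name, args in parse_directives(text):
            if name == "ifconfig-push" and args:
                address = args[0]
        pinned[common_name] = address
    return pinned


def hosts_entries(ccd, domain):
    """Render 'address name.domain' lines for every pinned device (step 4)."""
    return [f"{addr} {cn}.{domain}"
            for cn, addr in sorted(pinned_addresses(ccd).items()) if addr]


def audit(server_text, ccd):
    """Return a list of findings; an empty list means the setup matches the checklist."""
    findings = []
    directives = {name for name, _ in parse_directives(server_text)}
    pinned = pinned_addresses(ccd)
    if not forces_full_tunnel(server_text):
        findings.append('split tunneling possible: add push "redirect-gateway def1"')
    if "client-config-dir" not in directives and any(pinned.values()):
        findings.append("client-config-dir missing: ccd files will never be read")
    for cn, addr in pinned.items():
        if addr is None:
            findings.append(f"{cn}: no ifconfig-push, address changes between sessions")
    return findings


if __name__ == "__main__":
    for label, cfg in (("split", SPLIT_TUNNEL_SERVER), ("full", FULL_TUNNEL_SERVER)):
        print(label, audit(cfg, CCD))
    print("\n".join(hosts_entries(CCD, "home.example")))
```

Pushing the default route from the server is the server-side way to enforce step 2; the same directive can instead go into each client's config if you prefer to decide per device. The hosts lines are what you would feed a local resolver (dnsmasq reads a hosts-format file directly) so that "laptop.home.example" resolves only while you are on the VPN.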
confounded - 11 minutes ago
> 4. You can optionally assign a static private IP to each
device so that when you're connected, all devices use known
IP addresses that you can name using a local DNS server.
This is where I've always got hung up. I've for a long time wanted
a static URI for a machine at home (e.g. SSH, IRC bouncer,
music files, etc.) I assumed I'd have to use some kind of
local host tunneling solution (like pagekite.io), which are
either expensive or difficult to trust/rely-on, or register
as a business to get a static IP. Any tips?
aeorgnoieang - 2 hours ago
I didn't realize there was much of a difference beyond a third-
party hosting and maintaining the VPN or not.
CiPHPerCoder - 7 hours ago
Every time this sort of question comes up, I reflexively link
people to this page:
https://gist.github.com/joepie91/5a9909939e6ce7d09e29
Most of the time what people think they need a VPN for, a VPN
won't actually help them much. They have a narrow use-case in
privacy contexts, in which case you're better off using Tor.
jakehm - 6 hours ago
I think the most popular use case is torrenting which a VPN will
help.
blfr - 6 hours ago
If you want to torrent, turn one of the low end boxes into a
seedbox rather than a VPN server.
jerheinze - 6 hours ago
That isn't great privacy wise as it's still privacy by policy.
The best way to torrent is to use i2p which - unlike Tor -
encourages that activity. (Short tuto: the default Java i2p
bundle already comes with I2PSnark, a torrent client. To
download a torrent, search through known i2p trackers such as
the Postman Tracker: http://tracker2.postman.i2p )
dfrey - 6 hours ago
The content owner could still request your information from the
VPN provider and the VPN provider might provide it (even if
they say they won't). I think the main benefit is that there
are so many individuals torrenting copyrighted material that
aren't using VPNs that it means you aren't the "low hanging
fruit" so you're considered not worth the effort by the content
owners.
tensor - 6 hours ago
Yes, but there is a big difference between "this provider
might be lying about not storing traffic, and they also might
give the data to someone" and "this ISP is 100% storing
traffic and routinely gives that data to others."
jerheinze - 6 hours ago
Why base your privacy on wishful thinking ("provider is
probably not lying") instead of using privacy by design
solutions? (e.g. i2p for torrenting)
Spivak - 3 hours ago
Because privacy by policy is good enough for almost
everyone.
jerheinze - 3 hours ago
> Because privacy by policy is good enough for almost
everyone. Source? And why would it be good enough when it
has been shown time and time again that it's ineffective
(example: DNT header)?
prophesi - 6 hours ago
Even then, setting up your torrent client to use a proxy is
just as simple and effective.
criddell - 6 hours ago
I trust most VPN services more than I trust my ISP. If what you
are trying to do is avoid your ISP collecting your surfing data
for advertisers, throttling Netflix traffic, or adding a super-
cookie to headers, then a VPN might make sense. My ISP choices are
limited to two companies that are both terrible. A VPN is a nice
way of limiting what they can do to you.
jerheinze - 6 hours ago
You don't get any additional privacy, the only way to really
_guarantee_ that you get additional privacy is to use a
solution that provides privacy by design rather than by policy.
criddell - 6 hours ago
I'm not looking for a guarantee. Probably getting additional
privacy is good enough for me.
jerheinze - 6 hours ago
> I'm not looking for a guarantee. Probably getting
additional privacy is good enough for me. I think we can
both agree that wasting your money on wishful thinking
("maybe provider doesn't log") instead of using free open-
source privacy-by-design solutions is a bad idea.
[deleted]
ghostly_s - 6 hours ago
How do you not get any additional privacy?
jerheinze - 6 hours ago
As I mentioned using privacy by design solutions (Tor, i2p,
...)
CiPHPerCoder - 6 hours ago
Now you have to trust two ISPs: Yours and the VPN provider's.
criddell - 6 hours ago
My ISP is AT&T. I don't think there's much the VPN provider
or their ISP could do to make things worse for me. The worst
case scenario is that they are as bad as AT&T and there's a
non-zero chance they are better.
CiPHPerCoder - 6 hours ago
That's a shallow analysis. The worst case scenario is not
just that they're as bad as AT&T. The worst case scenario
is that they're as bad as AT&T and still provide a false
sense of security. Even if you're diligent, other users with
your (ISP, VPN) provider pairing might not be, and they
could be harmed as a result. The comments security nerds
make here on HN aren't one-on-one individualized consulting
(n.b. that's paid work in my field), they're general advice
for the public to refer to.
metalliqaz - 6 hours ago
If you are tunneling all traffic through your ISP, seems to
me you aren't trusting them all that much.
CodesInChaos - 6 hours ago
Ignoring traffic analysis, you shouldn't have to trust your
own ISP while using a VPN. Ignoring traffic analysis makes
sense unless you're a high profile criminal, and it affects
all low latency tools, including Tor.
bearbearbear - 5 hours ago
Tor is basically a funnel into the DOJ and has been for
quite some time:
https://arstechnica.com/tech-policy/2017/03/doj-drops-case-a...
They run massive PR campaigns with carefully structured press
releases designed to convince the kind of people they want to
detain that TOR is private and safe for any kind of activity.
Because of this people tend to get swole when you suggest that
TOR is not any good for protecting your privacy because lots
and lots of people have been arrested, tried and convicted
after trying to use it to hide illicit activities. The US
government has made millions of dollars of investment into TOR:
https://www.theguardian.com/technology/2014/jul/29/us-govern...
Pretty much every time the US government is investing in
something you can be certain that their intention is not to
help you out.
rlpb - 5 hours ago
AFAICT, in all current cases it isn't Tor itself that's
been broken by the authorities. It's the client end that
has been compromised; and in a way that isn't specific to
Tor. Had these users been using a VPN without Tor, they
could have been compromised in largely similar ways.
Please, find me a counter-example, because I haven't seen
one. Admittedly, one thing that has happened is that the
authorities are able to target compromises in the Tor
Browser specifically, rather than in a wider range of
clients that non-Tor VPN users might use. But they're
probably more vulnerable than the Tor Browser is anyway.
dublinben - 3 hours ago
Chrome is arguably more 'secure' than the ESR Firefox
that the Tor Browser is running on. If you are
realistically concerned about this type of targeted
attack, you should probably be browsing with Chrome
isolated inside of Qubes/Whonix.
CiPHPerCoder - 6 hours ago
I meant colloquially. If you're not using your VPN 24/7,
you have to trust both at different times. You are of course
correct. :)
derefr - 4 hours ago
You're thinking of these as Single Points of Failure, but
they're not in parallel; they're in series. Consider the
attacker: a service you've visited that has your "outermost
visible" IP, and wants to know who you are. From their
perspective, it doesn't matter if your ISP is willing to give
information freely, because they don't know who your ISP is
until they've already gotten the information from your VPN
provider. Each layer prevents the layer below it from being
attacked, until it is removed. Yes, a state actor could just
ask "every ISP at once" to look at their logs of OpenVPN-
protocol traffic and identify the packets that match the ones
that arrived at the service. But state actors aren't the
usual attacker profile, and require entirely different
strategies (e.g. getting human "proxies" to use Internet
cafes for you.)
Skunkleton - 6 hours ago
For now, I am running my own VPN on Linode. The only real
benefit of this is now my traffic is mixed with non-similar
traffic. The hope is that this makes it less valuable to monitor
the contents of my traffic. Of course, this is just security
through obscurity, and nothing more than a half measure. The
internet is not designed for privacy, and privacy does not benefit the
majority of commercial stakeholders of the internet. This is
probably why most privacy solutions feel like shoving a square
peg through a round hole. My personal feeling is that we should
combat commercial bulk surveillance through legislative means.
CiPHPerCoder - 6 hours ago
Obligatory: https://twitter.com/tqbf/status/700798735190601729
simonh - 6 hours ago
A confusing, content-less, arbitrary recommendation against
Linode with no clear justification or reasoning given
anywhere in the tweet stack is obligatory? I'm confused. Are
there any actual reasons not to use them?
jerheinze - 6 hours ago
Your last paragraph ignores the existence of many privacy by
design solutions such as Tor or i2p. Yeah, they can't protect
against a global passive adversary - as any other low latency
anonymity system in existence, but that's totally different
from saying that there's no way to have privacy on the
Internet.
Skunkleton - 1 hours ago
Tor is a solution for specific use cases. It does not address
privacy on the internet in a general way. For example, if I
use tor to browse facebook, I am logged into facebook and
still just as trackable as I would be if I wasn't using tor.
__sha3d - 6 hours ago
I feel like this is dated, because in 2017 this:
> You are on a known-hostile network
is true for every network in the USA. You can be sure they are
all being snooped on by 1. the ISP collecting traffic data for
profit and 2. the gov. because they get it all anyways.
iak8god - 6 hours ago
The title of this should be "Don't expect VPN to magically
protect your privacy," not "Don't use VPN services." Here are
some reasons I've used, and continue to use, VPN:
* When I am on a network that uses an idiotic blacklist to block
certain types of content. The network might even be run by my
employer and I might be accessing content that is necessary for
my work, but there might be no way to appeal the idiotic
blacklist.
* When I am on a network that INJECTS content into HTTP responses
(a certain paid airline WIFI used to do this).
* When I am on a network that might allow other users on the
network to snoop on / mess with my traffic.
* When I want to access services that I have paid to access but
are only available to IP addresses in a specific geographic
region, and I happen to be in another geographic region.
Etc.
Pigo - 4 hours ago
I used to be employed at a place that was so restrictive I
couldn't even access asp.net (the website). I think it was
something to do with it being in the cloud and looking like it
was being hosted in the middle east. Most people probably don't
know what it's like to work in a company with the extremely
power hungry network admin who wants someone coming to them for
everything.
scott_karana - 1 hours ago
Three of your four points are explicitly addressed in there as
reasons to use a vpn.
sametmax - 6 hours ago
Most people I know want a VPN to pirate stuff without
consequences. So I'd say, Tor would not cut it.
jerheinze - 6 hours ago
As I mentioned in another comment about using VPN for
torrents:
> That isn't great privacy wise as it's still privacy
by policy. The best way to torrent is to use i2p which - unlike
Tor - encourages that activity. (Short tuto: the default Java
i2p bundle already comes with I2PSnark, a torrent client. To
download a torrent, search through known i2p trackers such as
the Postman Tracker: http://tracker2.postman.i2p )
sametmax - 6 hours ago
Unless stremio and other pop corn time like can work
transparently with i2p, it won't help.
jerheinze - 6 hours ago
> Unless stremio and other pop corn time like can work
transparently with i2p, it won't help.
What? i2p is a self-contained network and not really meant for
clearnet browsing.
sametmax - 5 hours ago
You need to look up what stremio (https://www.strem.io/)
is and understand the value proposal for the casual non
tech savvy end user. This is the face of torrenting now.
Not magnet links. People don't know what a URL is
anymore, don't expect them to understand a classic
torrent client or i2P.
sillysaurus3 - 3 hours ago
Since we're talking about it: what's the value
proposition in creating an illegal service for non tech
savvy end users? I'm trying to figure out why they made
this. They can't really run ads without ending up like
the founder of TPB. Regardless, it doesn't seem
unreasonable to expect people to know what a magnet link
is. When all you need to do is download transmission and
click on a magnet link, people are fine with that.
jerheinze - 5 hours ago
You mentioned stremio and I respectfully pointed out that
it's not going to work over i2p for reasons mentioned
above. I don't even see why you're mentioning it when
we're talking about privacy.
sametmax - 5 hours ago
My whole point is that people use VPN for torrenting so
Tor would not help and i2P neither. What are you talking
about? Did you read the first post?
jerheinze - 4 hours ago
> My whole point is that people use VPN for torrenting so
Tor would not help and i2P neither.
My point was that I2P can help them since it's (a) torrent
friendly, (b) has a bundled Torrent client (I2PSnark), (c)
there are many eepsite torrent trackers such as:
http://tracker2.postman.i2p
CiPHPerCoder - 6 hours ago
Tor is emphatically not meant for piracy, especially
BitTorrent.
aquova - 6 hours ago
I'm fairly new to whole world of increased internet privacy, so
I'm curious of the benefits of using a VPN or Tor. I'm not a
political activist or engaging in illegal activity, I just want
my personal data being passed around as little as possible
(preferably by spending little to no money to do so). Is using
Tor worth the effort? What are the benefits? Or do I simply use
Chrome and resign to my fate like nearly everybody else?
sam_goody - 44 minutes ago
For starters, don't use Chrome. Chrome sends a whole lot of data
to Google (and possibly to their data-sharing partners) such
as, at the least, what sites you visit and how long you are on
each. When combined with Analytics, cookies, profiling and
whatever G services you use, and the fact that Chrome is a
program (not a site) connecting that all, you have pretty much
lost any legitimate hope to privacy before you begin. Using
HTTPS Everywhere is a no-brainer, as at least the middle steps
won't see the data. IMO, using a commercial VPN is just not
that difficult and the speed is close to native, so it's a lot
easier than TOR.
jerheinze - 6 hours ago
> Is using Tor worth the effort?
Definitely.
> What are the benefits?
Because of its 3-hop design, a non global passive adversary
(GPA) would need to control both your entry node and the exit
node to de-anonymize one of your Tor circuits. In addition,
Tor circuits generally last for 10min only. Also using the
Tor Browser you get stream isolation meaning that you get
different Tor circuits for different websites. You can also
set up your own non-exit node and connect to it to ensure
that no single point in your Tor circuit controls both the
entry node and the exit node.
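A toy model of the property described above, added here as an example (it is not jerheinze's code and not the Tor project's). It assumes the adversary's chance of landing in the entry and exit positions equals the fraction of entry (guard) and exit capacity it runs, independently, and ignores Tor's bandwidth weighting and relay-family rules. It also adds one piece of Tor's design the comment does not spell out: the client keeps a long-lived entry guard rather than drawing a fresh entry for every 10-minute circuit, and the model contrasts both choices. The 10%/10% adversary and the 8 online hours are constructed inputs.

```python
"""Toy model of the 3-hop property described above.

Added example, not jerheinze's or the Tor project's code.  A non-global
adversary controlling a fraction g of entry (guard) capacity and e of exit
capacity is assumed to land on a circuit's entry with probability g and on
its exit with probability e, independently.  Real Tor weights relay choice
by bandwidth and applies family and /16 rules; those are ignored here.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Adversary:
    guard_share: float  # fraction of entry/guard capacity under adversary control
    exit_share: float   # fraction of exit capacity under adversary control


def circuit_compromised_prob(adv):
    """One circuit is fully observed only if both its entry and exit are hostile."""
    return adv.guard_share * adv.exit_share


def circuits_per_day(circuit_lifetime_min=10, hours_online=8):
    """Circuits a client builds per day at the ~10 minute lifetime quoted above."""
    return hours_online * 60 // circuit_lifetime_min


def any_circuit_compromised(adv, circuits, persistent_guard):
    """Probability that at least one of `circuits` circuits has a hostile entry AND exit.

    persistent_guard=False: every circuit redraws its entry, so each one is an
    independent g*e coin flip and the risk compounds with every rotation.
    persistent_guard=True: the entry is chosen once and kept (Tor's guard
    design, an assumption added to the comment's description), so the user is
    either exposed on every circuit with probability e, or never exposed.
    """
    if persistent_guard:
        return adv.guard_share * (1 - (1 - adv.exit_share) ** circuits)
    return 1 - (1 - circuit_compromised_prob(adv)) ** circuits


def own_entry_node(adv):
    """Model the last suggestion above: entering through a non-exit node you run
    yourself takes the adversary out of the entry position in this model."""
    return Adversary(guard_share=0.0, exit_share=adv.exit_share)


if __name__ == "__main__":
    adv = Adversary(guard_share=0.10, exit_share=0.10)  # constructed 10%/10% adversary
    n = circuits_per_day()
    print(f"single circuit:            {circuit_compromised_prob(adv):.4f}")
    print(f"{n} circuits, fresh entry:  {any_circuit_compromised(adv, n, False):.4f}")
    print(f"{n} circuits, fixed guard:  {any_circuit_compromised(adv, n, True):.4f}")
    print(f"own entry node:            {any_circuit_compromised(own_entry_node(adv), n, False):.4f}")
```

The two middle numbers are the point: with a fresh entry per circuit the 1% per-circuit risk compounds to roughly 38% over a day of 10-minute rotations, while a fixed guard caps the exposure at the guard share itself (about 10% here) no matter how many circuits are built. The model says nothing about what the exit alone can see of unencrypted traffic, which is a separate concern the thread's HTTPS comments cover.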
derefr - 4 hours ago
> a non global passive adversary (GPA) would need to control
both your entry node and the exit node to de-anonymize one of
your Tor circuits
That's not a benefit, that's a feature. A benefit involves a
use-case. What does a person gain from not having their traffic
de-anonymized? The described user is someone who doesn't have
any particular activities they need to keep secret or risk
jailtime. So, for them, what's an example of something that
could happen differently in their real life if they used Tor
vs. if they didn't? (This wasn't a rhetorical question; there
are such use-cases. I'm just commenting to prod you into
zooming out a bit from "privacy is its own end" to thinking
more about what regular people care about and how privacy
helps them get it.)
b3lvedere - 29 minutes ago
Basically it comes down to this: What you don't want people to
know, you don't tell them. So if you don't want personal data
floating around everywhere, don't tell them personal data. Or
just be a nice happy good citizen in the normal world. What you
do in other worlds should then not be mixed with the normal
world.
untog - 6 hours ago
That github note doesn't really disagree with the article, which
points out that you need to trust your VPN provider. My general
position is this: I don't trust my phone provider. At all. Just a
week or so ago there was an HN post demonstrating how an ad
provider can get your full name, cellphone plan details etc just
by calling an API from a page rendered on your phone. But I also
don't really have a choice - AT&T or Verizon or T-Mobile, they're
all different flavors of the same crap. Do I trust my VPN provider
unequivocally? No. But I trust them a hell of a lot more than my
phone provider, and they can't sell my personal info against my
browsing history because they don't have it. A VPN isn't the
answer to everything, but nor is it useless.
tptacek - 6 hours ago
No, hold on. The two articles disagree very much. The one Scott
just cited explains that you can't trust a commercial VPN
provider.
untog - 6 hours ago
The Mozilla post says:
> Are VPNs truly private?
> Unfortunately, no. The VPN provider can still log your
browsing data. You are essentially putting your trust in your
VPN provider. Will your provider hand over info when pressed?
Will they log your browser data and sell it at a later date?
Which is basically also saying you can't trust a commercial VPN
provider. I suppose it does differ in that it says it's still an
option, though.
bearbearbear - 5 hours ago
Why do you trust your VPN provider more than your phone
carrier? What have they done to earn your trust?
Spivak - 3 hours ago
I suspect that in general there are two reasons.
* My VPN provider explicitly states that they do not collect
user information or store logs of user activity. Unlike my ISP
that has a No Privacy Policy.
* My VPN provider has not done anything to lose that trust.
untog - 5 hours ago
Partially, at least, they don't need to earn my trust as
much. They don't have my name, address, date of birth and
social security number/credit data, like my phone company
does. The only positive point of trust a VPN provider has is
that no-one has exposed them selling browsing data.
Definitely not great, but also better than my phone company
by default.
derefr - 4 hours ago
It's a bit like how "stranger danger" isn't a thing kids get
taught about anymore, because random strangers aren't risky
if you go up to them, only if they come up to you. (Or, in
more statistical terms: bad actors are a small proportion of
the pool, but they have an incentive to self-select into
interacting with you that good actors do not. If you just
draw randomly from the pool, you won't get a bad actor. If
you let the pool show the initiative, you'll get mostly bad
actors.) Your VPN provider is just some random company. You
went up to them. They're randomly selected (insofar as your
choices are random) from the space of all VPN providers, and
most providers aren't malicious. Your ISP is, at least in the
US, almost always a monopoly. They're self-selected: they
went up to you.
iroq - 4 hours ago
Nitpick: Bitcoin, being a system where the history of all
transactions is publicly available, is hardly an "anonymous"
system. It is an additional level of separation from other forms of
payment tagged with your credentials, and you can achieve anonymity
if using it carefully, but it can't be treated as an anonymous
option by default.
ringaroundthetx - 4 hours ago
It took me years to find a VPN that accepted Monero. But I've
been paying for Bitcoin priced VPNs using Monero through a
service like Shapeshift or Changelly or XMR.to. I've been paying
pretty much all bitcoin invoices that way for several
years. Blockchain sleuths would never be able to tell if a bitcoin
transaction was just an exchange shuffling coins or if someone
like me was actually on a different and opaque blockchain.
sandworm101 - 3 hours ago
>> Blockchain sleuths would never be able to tell if a bitcoin
transaction was just an exchange shuffling coins or if someone
like me was actually on a different and opaque blockchain.
That depends on the nature of the investigation. Say they bust
an illegal website and now have their subscriber records. If
your bitcoin transactions match those of a subscriber to the
website, they have more than enough info to come after you.
With the website transaction records in one hand, and the
public blockchain in the other, it would be trivial for an
investigator to get a reasonable idea of who you are and where
you live. Unless you spin up new accounts for each and every
transaction, and mine your own coins, the public blockchain
means they can identify patterns and make connections. (I won't
quibble on the technical definitions of reasonable suspicion.
Suffice to say any such match will be enough to get a warrant
and turn your life inside out.)
StavrosK - 3 hours ago
I'm not sure what you mean. Monero is completely anonymous,
and sending through XMR.to can't be traced back to anything.
Law enforcement officials just know that that user account
got a payment, the Bitcoin blockchain has nothing more for
them.
jumpkickhit - 5 hours ago
I guess the future is a ten-pack of cheap netbooks, a linux live
CD, and free public wi-fi. Access the internet, then smash the
entire thing and throw it away and repeat.
zeep - 4 hours ago
Randomizing your MAC Address and using a live CD would not be
enough for most cases?
jumpkickhit - 2 hours ago
I wouldn't think so with fingerprinting, intel ME and
individual processor IDs and such. I was just giving an extreme
example for true anonymity now, something we just sort of had
on the internet in the 90's.
brightball - 6 hours ago
I always wonder about ProtonVPN (the ProtonMail people). It's Swiss
based so I assume there would be a decent amount of round trip
latency, but for sheer privacy it seems like a solid company that
goes the extra mile by locating itself for legal
purposes. https://protonvpn.com/
blubb-fish - 5 hours ago
ProtonVPN is my first and only VPN - occasionally there are
connection issues. Speed is not superb as far as I can tell but
sufficient for most use cases. I tend to stick with them. No idea
if they are better or worse. I chose them b/c with regards to
privacy they seem trustworthy.
bkovacev - 5 hours ago
I am debating whether I should go with them or not, as well. They
do seem solid, but I have not heard any people mentioning them. I
have a paid account with Netflix/Hulu/HBO and I'd like to watch
it when I'm travelling or when I'm working remotely from third
world countries. That would be my sole use case. Can they stream
without huge latency?
blubb-fish - 5 hours ago
I can't watch Netflix through ProtonVPN.
jsalinas - 5 hours ago
Regarding speed, I've been using ProtonVPN for around 4 months
and it's much faster than other VPN providers I've used
(TorGuard and PIA). It doesn't work with Netflix as Netflix
blocks most VPNs.
pkulak - 5 hours ago
I spent 40 bucks or so on a Raspberry Pi, then installed
these: http://www.pivpn.io/ https://pi-hole.net/
Insanely easy to get running: plugged it in to my home router,
and now I do all my remote browsing from my home network. I
HIGHLY recommend it. I know it doesn't help with privacy, since
you're using your home network, but I'm currently more concerned
with WiFi hacks, pineapples, and the like.
darkhorn - 6 hours ago
I didn't read the article but I want to say that the solution is
not VPNs. We can end up being like North Korea where VPNs are
forbidden. The solution is to have educated voters who do not vote
for showmen like Erdoğan or Trump. https://youtu.be/fLJBzhcSWTk
forapurpose - 5 hours ago
Another issue to look for in selecting a VPN is leaks, where
network packets travel through the 'hostile' interface and not the
VPN. Leaks can happen many ways, if I understand correctly (I did
some reading on it recently but not my own research):
* Many VPNs use "split-tunneling": To save bandwidth, they route
https traffic through the hostile network interface
* Some don't route other protocols via the VPN, for example, IPv6
and even DNS are sometimes excluded.
* If the VPN connection drops
* When the VPN connection is out of sync with the device's network
connection (e.g., after the computer boots and before the VPN
starts, or after the VPN is disconnected and before the computer
shuts down).
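The leak classes listed above (split tunnels, IPv6 and DNS bypassing the tunnel) can be checked from the host's own routing table rather than by trusting the client's claims. The following is an added example, not code from the comment author or from any VPN project: it parses constructed `ip route`, `ip -6 route` and `/etc/resolv.conf` text and reports every probe destination whose longest-prefix route leaves on an interface other than the tunnel. The interface names (`tun0`, `wlan0`), the addresses and the table contents are all assumed sample data. Longest-prefix matching matters because many clients install two `/1` routes over the tunnel instead of replacing the default route, so a naive "is the default route via the tunnel?" test gives the wrong answer.

```python
"""VPN leak audit over captured routing and resolver state (constructed samples)."""
import ipaddress

VPN_DEV = "tun0"   # assumed tunnel interface name

# Constructed `ip route` output. The client used the "def1" pattern: two /1
# routes via tun0 override the DHCP default without deleting it. The /32 to
# 203.0.113.5 is the (assumed) VPN server pinned to the physical interface,
# which is expected, not a leak.
LEAKY_V4 = """
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23
203.0.113.5 via 192.168.1.1 dev wlan0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
"""

# Constructed `ip -6 route` output: the client never touched IPv6, so the
# router-advertised default still wins and IPv6 traffic bypasses the tunnel.
LEAKY_V6 = """
::1 dev lo proto kernel metric 256
fe80::/64 dev wlan0 proto kernel metric 600
2001:db8:1::/64 dev wlan0 proto ra metric 600
default via fe80::1 dev wlan0 proto ra metric 600
"""

# Hardened IPv6 table: the same /1 split applied to IPv6.
HARDENED_V6 = LEAKY_V6 + "::/1 dev tun0 metric 50\n8000::/1 dev tun0 metric 50\n"

# Constructed resolv.conf variants: the leaky one still lists the LAN resolver.
LEAKY_RESOLV = "nameserver 10.8.0.1\nnameserver 192.168.1.1\n"
HARDENED_RESOLV = "nameserver 10.8.0.1\n"

# Probe destinations drawn from documentation ranges (obviously constructed).
PROBES = {"ipv4 internet": "198.51.100.10", "ipv6 internet": "2001:db8:ffff::1"}


def parse_routes(route_text, family):
    """Turn `ip route` style lines into (network, interface) pairs.

    Only the destination prefix and the `dev` field are used; gateways,
    metrics and protocol flags are ignored. `family` is 4 or 6 and decides
    what the bare word "default" expands to.
    """
    routes = []
    for line in route_text.strip().splitlines():
        parts = line.split()
        if not parts:
            continue
        dest = parts[0]
        if dest == "default":
            dest = "0.0.0.0/0" if family == 4 else "::/0"
        network = ipaddress.ip_network(dest, strict=False)
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        routes.append((network, dev))
    return routes


def egress_interface(routes, address):
    """Longest-prefix match: the interface a packet to `address` would leave on."""
    ip = ipaddress.ip_address(address)
    best = None
    for network, dev in routes:
        if network.version == ip.version and ip in network:
            if best is None or network.prefixlen > best[0].prefixlen:
                best = (network, dev)
    return best[1] if best else None


def parse_resolvers(resolv_text):
    """Return the nameserver addresses listed in resolv.conf text."""
    return [p[1] for p in (l.split() for l in resolv_text.splitlines())
            if len(p) >= 2 and p[0] == "nameserver"]


def audit_vpn_leaks(vpn_dev, v4_text, v6_text, resolv_text):
    """List (label, address, interface) for every probe that bypasses vpn_dev."""
    tables = {4: parse_routes(v4_text, 4), 6: parse_routes(v6_text, 6)}
    targets = list(PROBES.items())
    targets += [("dns resolver", r) for r in parse_resolvers(resolv_text)]
    leaks = []
    for label, addr in targets:
        dev = egress_interface(tables[ipaddress.ip_address(addr).version], addr)
        if dev != vpn_dev:
            leaks.append((label, addr, dev))
    return leaks


def audit_sample(hardened=False):
    """Run the audit on the constructed leaky or hardened state."""
    if hardened:
        return audit_vpn_leaks(VPN_DEV, LEAKY_V4, HARDENED_V6, HARDENED_RESOLV)
    return audit_vpn_leaks(VPN_DEV, LEAKY_V4, LEAKY_V6, LEAKY_RESOLV)


if __name__ == "__main__":
    for finding in audit_sample():
        print("LEAK: %s to %s leaves via %s" % finding)
```

On the leaky sample the IPv4 probe correctly resolves to `tun0` despite the `wlan0` default route, while the IPv6 probe and the LAN resolver `192.168.1.1` are reported as leaving via `wlan0`; the hardened variant reports nothing. On a real host the three inputs would come from `ip route`, `ip -6 route` and `/etc/resolv.conf`, and the check is worth repeating after the tunnel drops, since the "connection drops" case in the list above is exactly the moment the tables revert.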
richdougherty - 56 minutes ago
It would be great if Mozilla ran a VPN service. :)