Silk Road forums

http://www.drtomoconnor.com/3220/3220lect02c.htm

INFORMANTS, SURVEILLANCE, AND UNDERCOVER OPERATIONS
"Good informant, good case. Bad informant, bad case. No informant, no case." (Police saying)

    The ability to be resourceful at information gathering and collection is the key determinant of success at policing and with criminal investigation.  When police are lacking witnesses (which is often the case), especially eyewitnesses, dealing with sophisticated criminals, or not getting much out of the crime scene evidence, they turn to tried and true methods of law enforcement -- informants and surveillance.  Other sources of information also exist that are either public or private, open or confidential, and the Internet, of course, has become a tremendous reservoir of open source information.  Use of informants is the more legally permissive, yet ethically repugnant activity; and use of surveillance is the more legally regulated, yet ethically sound activity.  That's because informants are often used in the loose, early phases of an investigation to develop leads, and the activity of managing informants almost always involves compromising the integrity of law enforcement.  Surveillance, on the other hand, is a well-established craft involving technique and gadgets, and is almost always used to seal the fate of a target who has most likely already provided the police with enough facts to establish probable cause.  At least that's my opinion, but there are those (Marx 1988) who think surveillance is the greater evil, and there are those (Madinger 2000) who think informants are just another way ethical citizens can get involved in law enforcement.

    It's important to note at the outset that use of informants and surveillance should be methods of last resort.  These are not methods for screening-out, or eliminating potential suspects from further consideration; quite the opposite, they "screen-in" or incriminate more suspects than usual (Gill 2000).  These are methods that are expensive, time-consuming, and controversial.  They are inherently stressful and dangerous, and undercover work is risky.  Any and all information obtained from such sources, including open sources, should be regarded as untrustworthy until it is corroborated by other sources and/or converted from information into intelligence.  The word intelligence usually means information that has been subjected to analysis and synthesis.  It also usually means that the same information is coming from different sources and has been checked out, or tested, as reliable.

CULTIVATION AND MANAGEMENT OF INFORMANTS

    A cultivated source (as opposed to a regular source) is neither a victim, witness, or suspect in an investigation involving them or against them, but is someone with connections to the criminal underworld that is able to tell you things that are about to happen.  Cultivated sources make the best informants.  Apprehended criminals who turn informants (or "flip" as its called) in hope of having their charges dropped or reduced have NOT been cultivated.  Their value is worthless because evidence law sees them as saying or doing something out of self-interest.  At law, there is a presumption of truth in anything someone says or does against their self-interest or safety, not in their self-interest if criminal charges are pending against them.  Ideally, you want active informants reporting information about future crime, not witness informants for past crimes.  Likewise, jailhouse informants (or "snitches")

    Cultivated sources typically include people doing business around an area where criminals conduct their business.  Examples include taxi drivers, hotel employees, airline employees, automobile salespeople, doormen, gun dealers, bartenders, private investigators, apartment managers, package delivery employees, and proprietors or employees of restaurants.  The idea is that such people can get as close to criminal suspects as possible (as, for example, their regular barber or prostitute) without getting so close you're treading on privileged relationships (as, for example, their wife or psychotherapist).  It should be obvious by now that these types of informants constitute a deviant street network of eyes and ears for the police.  By using such sources, you are looking for signs of crime in the making.  You are NOT doing infiltration or undercover work.  If anything, you are doing the equivalent of espionage work by setting up a ring of spies, or agents-in-place.  All you have to do in managing such people is keep them from doing or provoking criminal things, but also keep them close to their own sources of knowledge about criminal happenings which you conveniently check out for corroboration purposes. 

    It used to be common for each and every police officer to have their own set of informants or deviant street connections (as described above).  Today, most police departments only allow (and encourage) their detectives to cultivate informants, but there are inconsistencies in how they are registered and handled.  Federal agencies have always held to the practice of registering informants to the agency (almost as quasi-employees), but municipal agencies tend to register (when they do register or record the informant) to the individual detective.  This creates the problem of lost informants (nobody contacts them anymore) when a municipal detective retires or leaves.  There is also the problem of how to disseminate the informant registry within the police department (the Chief usually keeps it secret) because you don't want other officers arresting or messing with your informants. 

    When an informant is on the payroll, they are usually registered because the law requires financial auditing.  They are also most likely to hold the status of confidential informant, although this term technically refers to informants who have some special knowledge about a past or future crime and are potential targets for violence and revenge.  Confidential informants, or CIs, are allowed to be referred to as anonymous or unnamed affiants in affidavits, do not appear on any other legal documents, and never have to be disclosed in court or via any discovery process.

    The management of informants is mostly a matter of knowing what motivates them, and always making sure this motivation continues to have some currency.  There are many motivation-based typologies of informants in the literature.  Osterburg & Ward (2000) present one that distinguishes the following:

    volunteer informant -- usually an eyewitness to a crime or jealous spouse with specific information about vice activity or income tax evasion motivated by civic duty or vanity and kept motivated by gratitude

    paid informant -- usually someone involved in a crime with particulars about a person they feel the police should know about and motivated by revenge or money and kept motivated by money

    anonymous informant -- usually someone with precise or imprecise information about suspicious activities or a crime that is being planned or they believe is not yet discovered by police and motivated by repentance and kept motivated by reward or gratitude

    Another useful typology is presented by Weston & Lushbaugh (2003) who distinguish the usefulness of the informant as well as the quality of their information:

    basic lead informant -- usually a friend or acquaintance of a criminal with any number of possible motives who is most useful and accurate at revealing the whereabouts or geographical location of persons or property

    participant informant -- usually a go-between or arrestee turned informant who helps police instigate a drug sting or reverse transaction or lure a suspect into surveillance

    covert informant -- usually someone deep inside a criminal organization with a falling out or difference of opinion and wants to provide spot intelligence over a period of time as long as their identity is protected and a pleasant future guaranteed for them

    accomplice-witness informant -- usually a co-defendant in a criminal case who agrees to testify for the prosecution and/or do one last undercover operation (by being wired for sound) in return to the package deal of immunity and the witness protection plan

    Finally, there is the oldest typology of motives which has been around for some 40 years simply because they never change (Harney & Cross 1960):

    fear -- people who feel threatened by the law or by other criminals (most police believe this is the best motivation)

    revenge -- people, like ex-wives, ex-girlfriends, ex-employers, ex-associates, or ex-customers who want to get even

    perversity -- people who are cop wannabes or think they're James Bond and/or hope to one day expose corruption

    ego -- people who need to feel they are smart "big shots" and/or outwitting those they see as inferiors

    money -- people who, like mercenaries, will do whatever it takes if the money is right

    repentance -- people who want to leave the world of crime behind them and/or citizens fed up with crime

    Proper handling of informants requires reward and control (Hight 2000).  There should be some system of departmental awards or rewards, but at the same time, criminal and deviant activity should not be condoned.  Disastrous consequences can result from becoming too informal, too unprofessional, or too involved in relationships with informants.  The keys to success at working an informant, according to Madinger (2000) are MOTIVATION + ACCESS + CONTROL.  You only have a good informant if all three of these are present.  The most precious asset you have in working an informant is trust.  An informant must trust that you will always be true to your word, and that everyone all the up from the lowest ranking police officer to the chief prosecutor will keep their identity secret.

WITNESS PROTECTION PROGRAMS

    The United States was the first country to establish witness protection programs, and they started in 1971 (with the Organized Crime Act of 1970) and were modified by the Comprehensive Crime Control Act of 1984 to cover some relatives and associates of the witnesses.  The law gives the Department of Justice freedom to arrange for the security of witnesses as they see fit, but there are tough standards for getting in.  First, the testimony has to be essential to the case, and there must be clear evidence that the witness' life or his/her family's life is in danger.  If testimony is available from someone at less risk, then that person should (and is) used.  Those who are most successfully admitted into witness protection are also the most credible and reliable witnesses.  It is very clear what they will say, and that they are going to show up at trial.  Anyone who flip-flops on the stand doesn't get any new identity.  The U.S. Attorney General's office has the final say in who gets admitted into the program,

    The new identity is chosen by the witness and his/her family.  Care should be exercised to not choose a name that is similar to the old name or one that a family researcher might come up with.  The U.S. Marshals Service then tries to find a reasonable job opportunity (cover) for the witness.  In some cases, the government pays for vocational training.  The government also assists (but does not pay for) housing.  Witnesses normally receive about $60,000 in subsistence payments, but if they are unemployed and not actively seeking employment, the payments stop.  No payments or privileges (other than the protected identity) go out to family members of the witness (although rare circumstances may dictate that happening occasionally).  No contact is allowed with unprotected family members (or past associates).  Protected witnesses are also prohibited from ever returning to or visiting any city they lived in before.  In the case of a protected witness returning to the ways of crime (and there's some chance of that), the witness' true identity is usually shared with local law enforcement, but there's no automatic or continuing immunity.  What usually happens is that a re-offending protected witness is sent back to prison (under a new identity) and placed under protective custody by corrections officials.  If a protected witness commits a crime, then the victims of that crime receive compensation out of a Victim Compensation Fund.

    Numbers of protected witnesses is classified.  Since the U.S. started using witness protection, no protected witness has been killed yet.  The model has been successfully imported to other countries, and has extended from organized crime cases to gang crime, drug trafficking, and terrorism cases.  Australia, Germany, Colombia, and even China have witness protection programs.  The International Criminal Court also has a witness protection program for use in crimes against humanity cases.   

LAWS REGARDING USE OF INFORMANTS

    There are legal restrictions on how far law enforcement can go in keeping an informant's identity a secret.  The general rule is that confidentiality (as in "confidential informant" or "affiant") can be maintained if the informant was used in the early stages of a case, say the reasonable suspicion stage, not the probable cause stage, and most definitely if the informant is not required to be a witness at trial.  In some situations, however, the Jencks Act or court decisions involving Brady v. Maryland may be invoked, forcing the prosecutor to at least turn over a transcript of statements made by the informant.  The extreme situation would require a judge to agree that exculpatory information might be found by revealing the informant's identity (an unlikely scenario).  Most prosecutors, however, would drop the case or reduce the charges in honor of a police promise to maintain confidentiality. 

    Courts have always recognized police use of informants a historical tradition with no inherent moral weakness (U.S. v. Dennis 1950).   Probably the most significant case in recent years was Hoffa v. U.S. (1966) in which the Court considered, among other things, whether a police informant must identify themselves as working with police under certain conditions such as when they are recruiting other informants.  After all, there is a precedent like this in espionage law.  The opinions in Hoffa and a subsequent case (Maine v. Moulton 1985) yielded a requirement that police admonish their informants to act natural and not try to draw out any particular incriminating statements that would constitute the functional equivalent of police questioning. 

    Courts will not tolerate the use of informants for entrapment.  Any incriminating statements made to an informant, in response to the informant's remarks, which prompted the statement, will be inadmissible.  Entrapment is defined as inducing a person to commit a crime they did not contemplate for the sole purpose of instituting a criminal prosecution against them.  Inducement is perceived by the Courts as persistent coercion or trickery.  Placing opportunity in front of the suspect is not normally entrapment, but repeatedly providing them with the same opportunity over and over again could be construed as persistent coercion.  Similarly, playing on a suspect's weaknesses such as their vanity or tendency to boast, could be construed as trickery if it was being constantly prompted by an informant.  Above all, you should avoid using what is called an "agent provocateur" who is a person who provokes or incites crime, such as someone who urges a mob to riot or urges someone armed and angry to shoot.

    Another thing to avoid is referring to your informants as "special employees" or employees of any sort.  This used to be fairly standard law enforcement practice up until the late 1960s and early 1970s, and at least one court case did involve a suit by such an informant demanding civil service benefits for years of service.  This kind of situation will most likely come up when you need an informant with special skills (such as foreign language proficiency or computer skills), or when an ex-informant puts previous law enforcement experience on their resume.  Modern law enforcement practice strongly discourages informants from thinking of themselves as employees.

    A final word of advice is NEVER meet with an informant alone.  Some have been known to kill their police handler, and others "set up" their handler for assault or robbery, make false claims about physical or sexual abuse, and allege that they were involved in a shakedown or extorted for money and/or drugs.  The initial debriefing (establishment of motive and/or registration) of an informant should always take place on the officer's turf, preferably in an office somewhere.  Later meetings with the informant can occur in a vehicle, safe house, or public place.  A regular schedule of telephone and face-to-face contacts will go a long way at convincing courts that this is a managed informant who follows directions and has some credibility.  So too, will corroboration establish credibility.  Police corroborate, or double-check, what the informant says in a number of ways:

    Cross-corroboration -- the informant's stories are cross-checked against one another for consistency over time

    Background checking -- the informant's details are checked against computer databases

    Other informants -- the informant's information is verified by another informant's information

    Surveillance -- the place where the informant says something is happening is put under surveillance

    Monitoring -- the informant is put under surveillance

    Wiretapping -- the informant's telephone or premises is put under electronic surveillance

    Undercover operations -- the people or place the informant mentions are infiltrated by undercover officers                       

SURVEILLANCE

    Surveillance is the clandestine collection and analysis of information about persons or organizations, or put another way, methods of watching or listening without being detected.  Most surveillance has physical and electronic aspects, and is preceded by reconnaissance, and not infrequently, by surreptitious entry (to plant a monitoring device).  Surveillance can be a valuable and essential tool in combating a wide range of sophisticated criminal activities, including such offenses as kidnapping, gambling, narcotics, prostitution, and terrorism.  There are many different types of surveillance.  Peterson and Zamir (2000), for example, list seventeen types: audio, infra/ultra-sound, sonar, radio, radar, infrared, visual, aerial, ultraviolent, x-ray, chemical and biological, biometrics, animals, genetic, magnetic, cryptologic, and computers.  A shorter list would include four general types of surveillance: visual; audio, moving, and contact.  Here is an outline of the four types from that shorter list:

I. VISUAL (ALMOST ALWAYS USES CAMERA)

        A. FIXED (aka STAKEOUT OR PLANT) Locate yourself in another building if possible, always be able to see through windows or doorway

having a persistent bridge with tails is at least as good as having persistent entry guards with liberte.

I would look more into these: http://www.tagsense.com/index.php?option=com_content&view=article&id=165:zt-500-mini&catid=51:active-tags&Itemid=119

there are really small active RFID tags that can broadcast hundreds of feet away. Some I have seen even have programmable memory, ability to attach sensors, etc. I would think something like that as the base with sensors attached to it is the way to go. Can't find a price for these right now but I have looked into them before and I think they were pretty cheap actually.

The point is that if you detect an interception you don't go in to get the pack. These chips are essentially worthless for people who have product shipped right to them, they are for people who use fake ID boxes so they can check for interception prior to even going inside the store. Active RFID claims that it can broadcast several hundred feet through doors and walls, so you would just need to go near the box and use an RFID scanner to try and pick up the signal. Being able to check the packs status with a cell phone would be a nice touch but it might make it infeasible, or at least more difficult.

There seem to be mini battery powered WiFi chips too that could be used, the key difference being that they broadcast with WiFi instead of RFID.

https://lists.torproject.org/pipermail/tor-talk/2012-January/022913.html

pay special attention to anything said by Arma he is the lead Tor dev

Hi, I am not new to Tor, though it has been a while since I've used it.  I
notice that there are many changes since I used it last.  I have some some
questions to get me up to speed with the newest release.

I hope you don't mind my asking these questions, since my attention span is
about that of a gnat since I have an extreme toothache.  Otherwise I would
probably read all the docs.

1. Is there a preferred browser and OS to maximize security?

2. What is the best way to use a VPN with Tor to increase anonymity?

3. Is there now a way to use Tor to send anonymous email?  (All but government
controlled remailers were shut down).

I can use Windows 7 64 bit + any GNU/Linux or Posix OS that supports multibit
builds.

I'd like to get back into using Tor (I stopped because the TorButton was ...
unreliable for anonymity).

Any recommended reading, if not direct answers?  Think of me as a newbie who's
not really a newbie - that is, I've used Tor and just want to be brought up to
speed on the most secure way to use the new version.

Chris

> Hi,

Hi!

>     I am not new to Tor, though it has been a while since I've used it.  I
> notice that there are many changes since I used it last.  I have some some
> questions to get me up to speed with the newest release.

[snip]

> 1. Is there a preferred browser and OS to maximize security?

The Tor Browser Bundle (TBB) is what you need:

https://www.torproject.org/download/download-easy.html.en

Just extract and run.

> 2. What is the best way to use a VPN with Tor to increase anonymity?

I'll leave this for someone else ...

> 3. Is there now a way to use Tor to send anonymous email?  (All but government
> controlled remailers were shut down).

Depends on how you define anonymous. As you point out the remailer
networks are pretty much dead.

You can sign up to Tor Mail and FastMail via Tor, and then access both
either through a web interface or via IMAP (Claws Mail works well as a
lightweight IMAP client, and seems to play nicely with Tor). FastMail
requires a pre-existing email address for its free account, but 10
Minute Mail (or Tor Mail) can help you there.

http://tormail.net/ , http://jhiwjjlqpyawmpjx.onion/
https://fastmail.fm/
http://10minutemail.com/10MinuteMail/index.html

Search the archives for some discussions about Tor Mail ... not
everyone is happy with it. (I am!)

> I can use Windows 7 64 bit + any GNU/Linux or Posix OS that supports multibit
> builds.

There are Tor Browser Bundles for Windows, Linux, and OS X.

> I'd like to get back into using Tor (I stopped because the TorButton was ...
> unreliable for anonymity).

Torbutton has been through some changes, and comes in the TBB. As the
web page says: "Users should be using Tor Browser Bundle, not
installing Torbutton themselves":

https://www.torproject.org/torbutton/

Mike may have more to say, but the design doco should cover everything:

https://www.torproject.org/torbutton/en/design/index.html.en

> Any recommended reading, if not direct answers?  Think of me as a newbie who's
> not really a newbie - that is, I've used Tor and just want to be brought up to
> speed on the most secure way to use the new version.

Keep reading this list!

-C

> 2. What is the best way to use a VPN with Tor to increase anonymity?

Others have already made a few statements about Tor plus VPN.

You can do you -> VPN -> Tor, or you -> Tor -> VPN maybe even you -> VPN
-> Tor -> VPN?

And you can stop using Tor as a (socks) proxy and start using Tor as a
transparent proxy.
https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy

you -> your own VPN server -> Tor
https://trac.torproject.org/projects/tor/wiki/doc/TorVPN

in this case a simple Tor-Gateway could be more easy
https://trac.torproject.org/projects/tor/wiki/doc/TorBOX

If you like further information you could tell a bit more why you want to
use Tor plus VPN.

On 1/22/2012 05:51 AM, proper at tormail.net wrote:
>> 2. What is the best way to use a VPN with Tor to increase anonymity?
>
> Others have already made a few statements about Tor plus VPN.
>
> You can do you -> VPN -> Tor, or you -> Tor -> VPN maybe even you -> VPN
> -> Tor -> VPN?
>
> And you can stop using Tor as a (socks) proxy and start using Tor as a
> transparent proxy.
> https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
>
> you -> your own VPN server -> Tor
> https://trac.torproject.org/projects/tor/wiki/doc/TorVPN
>
> in this case a simple Tor-Gateway could be more easy
> https://trac.torproject.org/projects/tor/wiki/doc/TorBOX
>
> If you like further information you could tell a bit more why you want to
> use Tor plus VPN.

Actually, I know little about VPN.  I was asking, in the hope that I could
learn more - and also it was suggested (I'm not sure where) that using a VPN
with Tor was better than either alone.  Maybe it would help if someone
explained VPN - its good and bad points.

So the replies I've received are what I was looking for, mostly.  I just want
to be anonymous when browsing the web - if Tor alone can accomplish that, I
will be satisfied.  Too many companies track everything you do on the Internet
(including ISPs), then sell that information.

Chris

On 01/21/12 at 03:44 PM, Christopher J. Walters wrote:

 > 2. What is the best way to use a VPN with Tor to increase anonymity?

 You're not going to get better anonymity by using VPNs with Tor. Anonymity is what Tor does very well, far better than any commercial VPN arrangement. With VPNs, there are potentially always logs that lead back to you. You can make the trails hard to follow, by nesting VPNs from multiple providers and paying anonymously, but you can't eliminate them.

 You can use VPNs with Tor in two ways. You can route Tor through VPN services. That prevents your ISP etc from seeing that you're using Tor. Generally, VPNs are more popular than Tor, so you won't stand out as much. Once the VPN client has connected, the VPN tunnel will be the machine's default Internet connection, and the Tor Browser Bundle will route through it.

 You can also route VPN services through Tor. That hides and secures your Internet activity from Tor exit nodes. Although you are exposed to VPN exit nodes, you at least get to choose them. If you're using VPNs in this way, you'll want to pay for them anonymously (cash in the mail, Liberty Reserve, well-laundered Bitcoin, etc). However, you can't readily do this without using virtual machines. And you'll need to use TCP mode for the VPNs (to route through Tor). In our experience, establishing VPN connections through Tor is chancy, and requires much tweaking.

arma \/

On Sun, Jan 22, 2012 at 06:06:47AM +0100, Martin Hubbard wrote:
> On 01/21/12 at 03:44 PM, Christopher J. Walters wrote:
>
>  > 2. What is the best way to use a VPN with Tor to increase anonymity?
>
>  You're not going to get better anonymity by using VPNs with
>Tor. Anonymity is what Tor does very well, far better than any commercial
>VPN arrangement. With VPNs, there are potentially always logs that lead
>back to you. You can make the trails hard to follow, by nesting VPNs from
>multiple providers and paying anonymously, but you can't eliminate them.
>
>  You can use VPNs with Tor in two ways. You can route Tor through
>VPN services. That prevents your ISP etc from seeing that you're using
>Tor.

Another advantage here is that it prevents Tor from seeing who you are
behind the VPN. So if somebody does manage to break Tor and learn the IP
address your traffic is coming from, but your VPN was actually following
through on their promises (they won't watch, they won't remember, and
they will somehow magically make it so nobody else is watching either),
then you'll be better off.

> Generally, VPNs are more popular than Tor, so you won't stand out
>as much. Once the VPN client has connected, the VPN tunnel will be the
>machine's default Internet connection, and the Tor Browser Bundle will
>route through it.

>  You can also route VPN services through Tor. That hides and secures
>your Internet activity from Tor exit nodes. Although you are exposed to
>VPN exit nodes, you at least get to choose them. If you're using VPNs
>in this way, you'll want to pay for them anonymously (cash in the mail,
>Liberty Reserve, well-laundered Bitcoin, etc). However, you can't readily
>do this without using virtual machines. And you'll need to use TCP mode
>for the VPNs (to route through Tor). In our experience, establishing
>VPN connections through Tor is chancy, and requires much tweaking.

Even if you pay for them anonymously, you're making a bottleneck where
all your traffic goes -- the VPN can build a profile of everything you
do, and over time that will probably be really dangerous.

In short, I think "You -> VPN provider -> Tor network" can be a fine idea,
assuming your VPN provider's network is in fact sufficiently safer than
your own network; but "You -> Tor network -> VPN provider" is generally
a really poor plan.

--Roger

> Another advantage here is that it prevents Tor from seeing who you are
> behind the VPN. So if somebody does manage to break Tor and learn the IP
> address your traffic is coming from, but your VPN was actually following
> through on their promises (they won't watch, they won't remember, and
> they will somehow magically make it so nobody else is watching either),
> then you'll be better off.
>
> Even if you pay for them anonymously, you're making a bottleneck where
> all your traffic goes -- the VPN can build a profile of everything you
> do, and over time that will probably be really dangerous.
>
> In short, I think "You -> VPN provider -> Tor network" can be a fine idea,
> assuming your VPN provider's network is in fact sufficiently safer than
> your own network; but "You -> Tor network -> VPN provider" is generally
> a really poor plan.
>
> --Roger
>

With your permission, parts of this could be used in the torproject.org
wiki. Mailing list discussion would be linked. I am going to create a new
article related to Tor plus VPN.

Can you agree with that?

On Sun, Jan 22, 2012 at 10:57:38AM -0000, proper at tormail.net wrote:
> With your permission, parts of this could be used in the torproject.org
> wiki. Mailing list discussion would be linked. I am going to create a new
> article related to Tor plus VPN.
>
> Can you agree with that?

Sure, please do.

--Roger

On 01/21/12 at 11:26 PM, Roger Dingledine wrote:

 > Even if you pay for them anonymously, you're making a bottleneck
 > where all your traffic goes -- the VPN can build a profile of
 > everything you do, and over time that will probably be really
 > dangerous.

 That is a very good point. On the other hand, such profiling can be advantageous in fleshing out an identity.

On 01/22/12 at 06:46 AM, Christopher J. Walters wrote:

 > Actually, I know little about VPN. I was asking, in the hope that
 > I could learn more - and also it was suggested (I'm not sure where)
 > that using a VPN with Tor was better than either alone. Maybe it
 > would help if someone explained VPN - its good and bad points.

 Generally, virtual private networks (VPNs) are just that. You can think of VPN connections (aka tunnels) as virtual ethernet cables. Organizations typically use VPNs for LAN connectivity among locations, and with remote staff. There are three main protocols: 1) PPTP (outdated, simple, insecure); 2) IPsec (current, complicated, secure); and 3) OpenVPN (current, arguably less complicated, secure).

 In this context, however, we are using "VPN" in a more restricted way, to mean VPN "anonymnity" services. That is, we mean VPN connections to remote Internet gateways, rather than to remote LANs.

 Regarding Tor, you must trust the design, the validity of the security assumptions that it's based on, and the software implementation. To the extent that you don't understand any of that, you must trust the developers. If you trust Tor itself, you don't need to trust the other participants (or vice versa). But you have no way, as a user, to really know how anonymous you are.

 Regarding VPN services, you must trust the operators, as well as their designs, assumptions and implementations. Some VPN services are basically just VPN-connected proxy servers. They know who you are, and they know where you've been. Other VPN providers may claim to increase anonymity in various ways. They may claim to route connections through multiple, geographically widespread servers and routers ("multi-hop VPNs"). They may claim to mix traffic on links and exit nodes that are shared with associated organizations ("multiplexing and crowding"). They may claim to require joint authentication, by mutually anonymous administrators, for access to, and configuration of, shared resources.

 However, everything can be logged, by every device that's involved (servers, routers, switches, etc). VPN providers may claim that they don't keep logs, that their designs make it difficult or impossible to keep logs, and so on. You can nest multiple VPN services, using providers who seem unlikely to collude and cooperate with your government. You can pay anonymously. But again, you have no way, as a user, to really know how anonymous you are.

 As a user, for both Tor and VPNs, it comes down to trust. Tor is arguably more likely to be more anonymous. Accessing Tor through VPNs can't hurt. Routing VPNs through Tor may be appropriate under some circumstances. But doing that will create shared history for each VPN that you use in that way. You obviously don't want to use the same VPN service on both sides of Tor.

 If you're interested in learning more, there are many informative threads on Wilders Security Forums.

Thank you for your reply.

> Generally, virtual private networks (VPNs) are just that. You can think of
> VPN connections (aka tunnels) as virtual ethernet cables. Organizations
> typically use VPNs for LAN connectivity among locations, and with remote
> staff. There are three main protocols: 1) PPTP (outdated, simple, insecure);
> 2) IPsec (current, complicated, secure); and 3) OpenVPN (current, arguably
> less complicated, secure).
>
> In this context, however, we are using "VPN" in a more restricted way, to
> mean VPN "anonymnity" services. That is, we mean VPN connections to remote
> Internet gateways, rather than to remote LANs.
>
> Regarding Tor, you must trust the design, the validity of the security
> assumptions that it's based on, and the software implementation. To the
> extent that you don't understand any of that, you must trust the developers.
> If you trust Tor itself, you don't need to trust the other participants (or
> vice versa). But you have no way, as a user, to really know how anonymous
> you are.

I understand the security assumptions that Tor is based upon, and believe them
to be more sound than using proxy servers (even with nesting).  As for the
implementation, I am a programmer, and Tor is open source so I COULD look at
the implementation by downloading the source code and going through it (a very
time consuming process).

> Regarding VPN services, you must trust the operators, as well as their
> designs, assumptions and implementations. Some VPN services are basically
> just VPN-connected proxy servers. They know who you are, and they know where
> you've been. Other VPN providers may claim to increase anonymity in various
> ways. They may claim to route connections through multiple, geographically
> widespread servers and routers ("multi-hop VPNs"). They may claim to mix
> traffic on links and exit nodes that are shared with associated
> organizations ("multiplexing and crowding"). They may claim to require joint
> authentication, by mutually anonymous administrators, for access to, and
> configuration of, shared resources.
>
> However, everything can be logged, by every device that's involved (servers,
> routers, switches, etc). VPN providers may claim that they don't keep logs,
> that their designs make it difficult or impossible to keep logs, and so on.
> You can nest multiple VPN services, using providers who seem unlikely to
> collude and cooperate with your government. You can pay anonymously. But
> again, you have no way, as a user, to really know how anonymous you are.

So, in essence VPNs in this context, are just another form of proxy server (or
another way to access one).  I agree, there is no way to even know if you are
anonymous - after all, I am sure that some VPNs are run by governments (not
that they'd tell you that).

> As a user, for both Tor and VPNs, it comes down to trust. Tor is arguably
> more likely to be more anonymous. Accessing Tor through VPNs can't hurt.
> Routing VPNs through Tor may be appropriate under some circumstances. But
> doing that will create shared history for each VPN that you use in that way.
> You obviously don't want to use the same VPN service on both sides of Tor.

Doesn't everything come down to trust, in the end?  Everything going through
the Internet is logged, and unless encrypted, world-readable.  Often, it is
logged, even then in unencrypted form, on the other side.

What I get from this discussion is that, with anything that makes you
anonymous, you can't be sure of the level (I couldn't even if I did go through
the Tor source code, since I have no way of knowing if every Tor node my
traffic passes through is using *that* source code).  It is a matter of trust,
best practices, and the integrity of the system you're using.

> If you're interested in learning more, there are many informative threads on
> Wilders Security Forums.

I will probably check them out.

If anyone SUGGESTS a specific VPN to you, they are probably a fed. If anyone suggests you should use a VPN instead of Tor they are probably a fed.

Yes cops do not care about drug crimes and the only people in prison are Scarface level <sarcasm>. I don't give a fuck if my friend bill flips twenty kilos of MDMA does that mean the cops don't? Welcome to mirror imaging. https://en.wikipedia.org/wiki/Cognitive_traps_for_intelligence_analysis

The most common personality trap, known as mirror-imaging,[2] is the analysts' assumption that the people being studied think like the analysts themselves.

 And I know several people already who have been arrested for buying drugs from the internet, usually the result of an interception but in some cases it has been the result of a technical attack (for example hushmail handing over DVDs worth of unencrypted E-mail). Don't think that you are invincible or that nobody will bother to attack you those are two great attitudes that will result in you fucking up and being pwnt. 

people with personal use amounts normally have dragnet operations aimed against them, not targeted investigations. So for example, an interception of a small order is what will get you in prison (targets people who get drugs via mail), more so than the feds identifying you are a small buyer on SR and then trying to actually find you (targets YOU getting drugs via the mail). But the distinction between targeted and dragnet can get kind of thin. What if FBI find a way to deanonymize all Tor users? Then their dragnet operation against 'people who use darkent for drug trafficking' is going to do a pretty good job of targeting 'you'.

You should keep all programs updated when security flaws are fixed in the newer versions at least