Silk Road forums
Discussion => Security => Topic started by: Railgun on May 15, 2013, 06:14 am
-
So the question is:
Should one use a VPN when connecting to TOR or just be content with TOR?
Translation:
Is your ISP knowing you run TOR going to be cause for suspicion, as we all know they keep logs? I am sure some vpns that "don't keep logs" probably do; however, it's an extra hoop to go through if and when LE decides to try to map TOR users to SR users in an area. The ISP will only show you as using a VPN, which pretty much everyone uses nowadays to torrent.
-
I feel my VPN offers me another layer of anonymity. I may be self deluded but the service I am with claims NOT to save any information and I have servers worldwide that I can connect to or change to at will.
-
Do you have any suggestions for VPN services ?
-
Yes, the use of a logless VPN with a great reputation is very important. Definitely connect with one ASAP!
I posted this a few days ago in the n00b section:
In response to the OP, the use of a VPN encrypts your connection from your router (if implemented at the router level), or your computer (if the VPN software is installed directly on your computer), to the VPN provider. The provider then provides an exit node, whereby your connection will be out in the open if not using some form of end-to-end encryption, such as SSL. So even the lousy VPN providers will encrypt your connection from your point of access to the provider's network- but they'll still know where you're going on the internet because you can bet your ass that they keep logs. The good thing is that a hundred other people could be using the same node, making sniffing for a correlation a nightmare for any snoops (LE or otherwise).
I strongly recommend the use of VPN. You just have to choose one that meets all of the following conditions:
a) they don't keep any logs at all, or log for a maximum of less than a week for diagnostic and anti-spamming purposes only (self explanatory)
b) they accept Bitcoin as a form of payment (total anonymity: no one will know who you are as a customer to begin with)
c) they have a guide for setup on a router (absolutely vital if you want all of your computers and devices behind the VPN)
d) they aren't headquarted in your country (always diversify)
e) they offer openvpn (none of that pptp or l2tp garbage, please)
I can also add good feedback and rep online by people who are extremely concerned about protecting their privacy and anonymity. The same goes for their efforts to circumvent new ways of government blocking and interception, such as what China is doing right now. They've been blocking Tor for more than a couple of years now and have found ways to kill VPN connections by looking for OpenVPN "handshakes", which is what the protocol is doing at the IP level to make a connection. Some providers are looking at tunneling OpenVPN over SSH or SSL, which makes it highly impractical to block (they have to kill all non-VPN SSH and SSL traffic)
TorrentFreak on clearnet has a couple of posts about VPN providers which respect privacy. Plenty of reviews there, complete with a Q&A from the TF writers.
One last thing: using Tor over a logless VPN, paid with Bitcoin and maintained with a Tormail address, is the gold standard of internet anonymity and privacy. It can only be defeated locally by physical intervention.
-
I use TunnelBear as it's free and they don't do logs.... bear in mind that I am still a newb and still learning all this as I go along, so it may not be the best. Easy to use and you only need a legit email set in a fake name to set it up.
-
I have been using PrivateInternetAccess. I did quite a bit of research before going to them. This is a topic you really need to take seriously, imo, and although some free services may be legit; I would never trust them.
-
Totally right, Squirrel. You have to pay for your privacy. Not much ($7 or $8 a month), so it's not like the cost will cut into your expenses. Just don't trust any free providers. There is no incentive for them to protect you, or your data.
-
I don't believe paying someone guarantees you any more privacy than a free service.
Tunnel bear has levels of service, 500 MB a month for free and then two more upgrades which do cost money.
I decided to go with a free service while I learn and decide if it is worth me paying out for a VPN. At the end of the day you only have their word that they don't keep logs or other details, so why would handing over your money make that any safer?
-
I don't believe paying someone guarantees you any more privacy than a free service.
Tunnel bear has levels of service, 500 MB a month for free and then two more upgrades which do cost money.
I decided to go with a free service while I learn and decide if it is worth me paying out for a VPN. At the end of the day you only have their word that they don't keep logs or other details, so why would handing over your money make that any safer?
At least if it's used in court against you, you can get your money back for false advertising and spend the $50 on getting some sub-par weed in the jail.
-
I don't believe paying someone guarantees you any more privacy than a free service.
Tunnel bear has levels of service, 500 MB a month for free and then two more upgrades which do cost money.
I decided to go with a free service while I learn and decide if it is worth me paying out for a VPN. At the end of the day you only have their word that they don't keep logs or other details, so why would handing over your money make that any safer?
At least if it's used in court against you, you can get your money back for false advertising and spend the $50 on getting some sub-par weed in the jail.
LoL! +1 for making me grin.
My point still stands though ;)
-
LoL! +1 for making me grin.
My point still stands though ;)
Indeed it does. I feel however if a VPS was set on collecting user information they'd probably opt for a free VPN service since this would attract more users. However that's only logical thinking and nothing stops a VPN service collecting data as you said, but I feel more comfortable with paid services and also extra precautions such as connecting via data bundle stick through a VPN to the Tor network to a hidden service.
-
http://www.theregister.co.uk/2011/09/26/hidemyass_lulzsec_controversy/
An interesting article that caught my attention while I was browsing for security measures and how to avoid being caught. I wanted to see what other hackers did and why they were caught so I wouldn't make the same mistakes as them.
HideMyAss has defended its role in handing over evidence that resulted in the arrest of a suspected LulzSec member last week.
UK-based HideMyAss, which offers freebie web proxy and paid-for VPN services, said it handed over potentially incriminating data to the feds only in response to a court order.
Cody Andrew Kretsinger, 23, of Phoenix, Arizona allegedly used HideMyAss.com's web proxy service to hack into the systems of Sony Picture Entertainment as part of a hack that exposed the personal details of thousands of gamers.
HideMyAss explains:
It first came to our attention when leaked IRC chat logs were released, in these logs participants discussed about various VPN services they use, and it became apparent that some members were using our service. No action was taken, after all there was no evidence to suggest wrongdoing and nothing to identify which accounts with us they were using.
At a later date it came as no surprise to have received a court order asking for information relating to an account associated with some or all of the above cases. As stated in our terms of service and privacy policy our service is not to be used for illegal activity, and as a legitimate company we will cooperate with law enforcement if we receive a court order (equivalent of a subpoena in the US).
HideMyAss, which bills itself as a leading online privacy website, adds that it does not condone illegal activity, saying that similar services that do not co-operate with law enforcement are "more likely to have their entire VPN network monitored and tapped by law enforcement, thus affecting all legitimate customers". The service said it carries out session-logging, recording the time a customers logs onto and disconnects from the service as well as the IP addresses he or she connects to. It said it does not record the actual content of web traffic.
Twitter accounts affiliated with Anonymous were unsurprisingly vociferous in their criticism of HideMyAss's business practices and assistance of a federal investigation, dubbing the service SellMyAss, and arguing that HideMyAss users are less likely to trust it and more likely to look for alternatives.
***Read more on the link I provided***
tl;dr: HideMyAss is a leading company, self-proclaimed anonymous, offering VPN services. It advertises that they do not keep any logs of any kinds, and privacy is most important. Yet leaked IRC logs from LulzSec (the hacker group responsible for breaking into numerous gov sites, fox.com, sony pictures, sarah palin's email etc.) showed that one of the hackers used HideMyAss to do an SQL injection attack on SONY's server. So the cops went to HideMyAss and HideMyAss gave them every little information that they needed to know and accuse Cody Andrew. So they sold themselves off.
And this is one of the most popular VPN services that claims they don't keep any logs and are totally anonymous. You can see just how anonymous they really are.
I do not believe using a VPN service offers any more protection than just connecting directly to TOR :)