Silk Road forums
Discussion => Security => Topic started by: TrustusJones on April 07, 2012, 05:26 pm
-
So I have been looking for a good paid VPN and have been weighing my options. In another post someone mentioned hidemyass.com so I started my research based on them and I found this which is rather disturbing:
"Hidemyass.com, which Kretsinger allegedly used as a proxy service to hide his IP address, but which turned its server logs over to the FBI after receiving a subpoena, "cooperates with law enforcement agencies fully and admit it. They claimed they did not log, but apparently log everything," AnonymousSabu tweeted earlier today.
Though its privacy and terms-of-service statements might have been stronger when Recursion signed up, for at least the past few months HMA has been clear that it does save data on what customers do online and will turn it over to police with the proper warrants or subpoenas.
Server activity is "logged for a maximum of 30 days, these are logs generated by the Apache web server which include your IP address and date/time of all files and websites accessed through our web proxy…We reserve the right to cooperate with law enforcement agencies who are investigating criminal activities from abusive web proxy users."
http://www.itworld.com/security/206429/who-trust-your-secrets-some-vpn-anonymity-providers-sound-noble-others-are-just-icky
Obviously this is of major concern as I am looking for a VPN that does not save a customers info... what's the point of being anonymous if any cop with a warrant can access everything you have done?
Would like to pre-thank any internet security experts who can weigh in on this issue.
Thanks!!
TJ
-
Has anyone looked at cryptohippie.com? unlike HMA they appear to be all about giving Uncle Sam the finger when it comes to saving your info:
Privacy Policy
Cryptohippie USA will generally protect user data and user details.
Cryptohippie USA will NOT sell, rent or make available any customer data to a third party.
Cryptohippie USA will NOT monitor traffic or write log files that contain any personal data (including but not limited to Internet Protocol addresses).
Cryptohippie USA will NOT monitor traffic usage unless required for accounting purposes. Traffic usage data does not include identifiable data such as IP addresses.
Cryptohippie USA will NOT store any user data or details on computers that could be accessed through any kind of public network.
Cryptohippie USA will NOT pass any user data on to any party unless legally compelled to do so. User data will be delivered to a third party only if a court order is in effect.
Cryptohippie USA will defend user data by appropriate legal means.
Cryptohippie USA shall not share user data with Cryptohippie, Inc. (Panama).
Could be a good one but they are EXPENSIVE! $275 for a year... thats almost $23 a month.
Got to find reviews (real ones that is...lol)
-
one more I found: www.vpn4all.com
Privacy and Refund Policies
Our Privacy Policy is simple. We don't log and we don't cache your personal data other than the email address you provide at sign-up. We utilize Google Analytics to analyze our traffic but we do not keep any private data. Since our parent company is off shore, there are no laws that obligate us to keep logs on our customers - so we don't.
Our Refund Policy is simple. You have a guaranteed no-questions-asked full refund for 30 days after purchase as long as you don't use more than 100 MB of bandwidth.
At less than $10 a month for 50GB of bandwidth I would consider them a contender.
Anyone using them?
-
I found another one over at bestvpnforyou.com called: privatevpn.com
here is a quote from their privacy page:
3. Do you log any data traffic while browsing the net through PrivatVPN?
We NEVER produce logs of any data traffic. The only thing we store is your username, password and your e-mail address.
With the exception of our servers in the U.S. where we log IP addresses on incoming connections.
Someone explain that last line and how that would impact my privacy using them here in the US.
Thanks!
TJ
-
mullvad.net is probably best VPN. And you can pay with bitcoins.
But I will not trust any VPN for my protection. VPN is how many hackers have got trapped. Tor is the strongest security alone.
-
I am 100% in agreement but there are some sites I NEED to access as a vendor that I use to conduct shipping business that DO NOT work on Tor... thus the need for a good SOLID VPN...
will check out mulvad.net
Thanks!!
TJ
-
If you have notebook computer and car, drive in city and find unprotected WiFi. You must change MAC adress of your network card and disable all auto-updates and clear all cookies and so on to be sure that the sessions from your home connection and WiFi connection does not get linked. Then use VPN, but some sites such as MtGox will block your account when using Mullvad. Don't know if its true or someone just mistaken Mullvad for Tor.
-
If you are a vendor and need to access sites without Tor announcing to it you are using a proxy rent a $4/mth bitcoin VPS.
Set it up as a remote desktop and use Remmina in Tails, or your own linux distro (it's basically VNC), or even better just SSH into it and launch lynx, the text browser. You can put in socks5 proxies in Firefox or Lynx in your remote VPS/desktop for further anonymity.
Full instructions how to set up a VPS and configure it for Tor only access from the outside on the torservers.net wiki. Omit all the parts about configuring Torrc to be a relay, you don't want to run a relay on a VPS it eats up way too much memory. You can run a SSH hidden service tho, then connect to it securely and encrypted within Tor, or simply ssh into it normally by dropping to command line in Tails or otherwise Torrify'd SSH.
Make sure you use public key SSH authentication, no passwords.
Now you are using your VPS through Torrify'd SSH to access stuff. Can even set up your own VPN on this VPS easily if you wanted. Lot's of tutorials available. Google 'OpenVPN set up vps' and use them. Don't use PPTP it's insecure.
You also have to lock down your VPN to prevent DNS leaks:
Here's how to do it in Windows
https://xerobank.com/support/articles/how-to-prevent-vpn-dns-leaks/
In Linux I would just edit resolv.conf to the free DNS servers at CCC
Translate this page in google translate or just paste in the DNS servers to resolv.conf: http://www.ccc.de/censorship/dns-howto/
Save all your configurations, then every few months or less if paranoid change your VPS provider so they can't track you.
I would never trust any commercial VPN provider you have zero guarantee they aren't decrypting your traffic to snoop as per government order or their own corruption
-
i love you dude (in non gay way) lol
I will look into all you said as soon as I am a little less high... thanks to my OG Fire Kush which has me feeling like I just drank a fifth of tequila... lol
awesome advice +1
-
If you need access to sites that block Tor I suggest that you just buy a cheap private vps as anonymously as possible and use it as a private exit node when you need to hide that you are using Tor, Tor used to have an option for torrc that let you chain a proxy to the end of your circuit for some sites its been a while since I looked into it though
I don't trust VPN services anymore than I can throw them, but of all the ones named here cryptohippie is at least run by agorists
I would seriously consider using Tor to connect to a VPS that you own yourself though
-
cryptohippie was run by agorists before silk road was
however I don't particularly vouch for them, you should do the vps thing I mentioned before
I never would suggest people use a VPN instead of Tor and even if one is required in addition to Tor I would suggest looking into VPS instead
but cryptohippie does have a reputation for being agorist that pre-dates SR, and they do have some pretty clever people on their team, but I would avoid it regardless
trusting VPN providers is historically bad , getting suggestions for VPN on a forum that is illegal is historically likely to get you set up with fedvpn
etc etc
in summary, I don't think cryptohippie would cooperate with law enforcement any more than they could be forced to by law, and I think they keep as little logs as the least logging VPN companies keep, but I think that their providers would cooperate with LE in a heart beat and I don't think that there is shit that cryptohippie can do about it.
I think it would be fair to compare cryptohippie to jondonym. jondonym operators are under contact to not keep logs unless they are presented with a valid court order. However, immediately upon being given a valid court order they will begin to log your traffic.
When it comes to resisting valid court order, I think you are only going to fin much luck if you you go with russian mafia etc, providers that have ongoing relationships with their corrupt governments.
-
Yeah I was about to write how JonDonym is comparable to cryptohippie, and in some ways Xerobank.
But yeah.. nobody in their right mind is going to stick their neck on the line risking obstruction of justice charges or having their business melted by authorities when they can just quietly hand over your info or become temporary spies.
Hide my ass sure did
EDIT.. just discovered Cryptohippie and Xerobank/Metropipe are the same people.
So I wouldn't trust them at all. All owned by Roque Holdings Inc
-
I think they are independently run actually. I don't trust Xerobank at all, their owner (who also was in agorist community long before SR) is a master of marketing and a dumbass when it comes to actually knowing anything. He is largely seen as a troll. That said, I can say cryptohippie in particular has smart people working for them, who actually know technical security to great detail, but I am unwavering in my suggestion of Tor over any VPN provider, and strongly suggest using a private VPS to exit if you need to hide that you use Tor.
I hate to see xerobank and cryptohippie seen as the same thing, Xerobank is a joke and steve is a troll who actually doesn't know shit about security, cryptohippie at least has people who know what they are talking about working for them, but it is no replacement for Tor anymore than Jondonym is.
The primary difference between the three can be summed up like this:
Xerobank: "We have ultra secret attacks that make Tor shit! Pay us to keep you safe with our secret system! We can not say anything more omfg blackhelicopters1111!!!!"
Metropipe: "Use Tor if you need strong anonymity"
Cryptohippie: "None of our clients have been compromised so far!" (probably because most of their clients are businesses and trying to protect from corporate espionage, not from feds with warrants)
-
To me seems overwhelming evidence they all are owned by the same umbrella company and share the same hosting which is highly unusual for competing services, since they're well known to DDOS each other into oblivion and spy on each other unless of course, they're joint owned. Xerobank does contract Tor, and JanusVM devs and employed the developer of Anonym.OS one of the original anon live CD but yeah you're right about Steve.
Why anybody would bother paying Xerobank for the same, yet better security you get with Tor is beyond me. I guess they were around before Tor became popular and more widely accepted. Plus companies don't trust open source, they like to pay contractors and sue them if anything goes wrong.
-
I read hitmyass.
-
Fuck I never knew that about HMA, what a lot of sell out bastards. I'm switching now, piss take as well because I just renewed a years worth of fees.
-
I read here on silkroad that hotspot shield does not log any info about you. Is this true?
-
I read here on silkroad that hotspot shield does not log any info about you. Is this true?
Most likely not true. Unless you inspect theyr setup to see that all logging is disabled and the hardware and software is clear from bugging.
-
I found another one over at bestvpnforyou.com called: privatevpn.com
...
With the exception of our servers in the U.S. where we log IP addresses on incoming connections.
Someone explain that last line and how that would impact my privacy using them here in the US.
Thanks!
TJ
Someone who isn't me has experience with vpntunnel..com (Which state the same about US servers being IP logged.)
Here's the deal. You own a server in US it can be diffie hellman eliptic encrypted, pgp, RSA, godpower encryption, WHATEVER - US national law requires IP logging. This is not a question, they will seize servers and ruin the VPN's business if logs are not provided.
In essence:
Swedish servers. Swedish law does not require IP logging. Maybe Zimbambwe doesn't either. But Sweden is what I'm certain of.
vpntunnel.com is vpntunnel.se - get it? (you have to choose Swedish server on interface menu). The software has windows startup auto-encrypt, change ip every 5/30 min.
I vouch for'em. Sorry Limetless! You leaned me towards using VPN, and I forgot to tell you what I found out about American servers. I'll visit you in jail :P
EDIT: I'm no IT wiz. Choose your VPN service after own consideration, but beware of national IP logging laws.
-
You have it backwards, Sweden requires more data retention than USA does.
http://www.dw.de/dw/article/0,,15826462,00.html
USA has no laws at all about data retention. NSA sucks everything up but it is illegal for them to be doing so. Swedish signals intelligence agency does the same thing though, https://en.wikipedia.org/wiki/Titan_traffic_database. Pretty much any country with a signals intelligence agency and any significant amount of internet traffic passing through them does the same exact shit though. USA is one of the only places that doesn't currently have mandatory data retention laws. Germany had them for a short while but their high court deemed them to be illegal last I heard, and demanded all the logs that had been kept up to that point be destroyed. Data retention is mandatory for all members of the EU but some have ignored the mandate.
Of course if feds want to log data they can legally force people to start logging if they can get court orders. But USA remains one of the few places where dragnet logging is not required by law.
-
Everything I said is based on my interpretation of "us servers are logged" message from VPN. You might be right. As I said I'm no wiz.
-
Germany had them for a short while but their high court deemed them to be illegal last I heard, and demanded all the logs that had been kept up to that point be destroyed. Data retention is mandatory for all members of the EU but some have ignored the mandate.
Of course if feds want to log data they can legally force people to start logging if they can get court orders. But USA remains one of the few places where dragnet logging is not required by law.
Well kmfkewm is right about Germany. They are looking at some penalties for it but they will not store any data in the foreseeable future.
I'm no expert on the whole VPN thing but I'm interested.
I would really like some opinions on this one...kmfkewm's especially..
https://airvpn.org/
It looks like that they take your privacy serious. They encourage people to pay with Bitcoins. They say "what we don't know, we can't tell"
They also say that you should use Airvpn over Tor and NOT Tor over airvpn.
So they don't know your real ip address ever. They don't store any data anyway, but this way they don't know your IP even while logged in.
And with the right firewall rules in case of a VPN connection problem, this should be pretty safe.
But i could be completely wrong here so please correct me if i'm wrong.
-
torrentfreak did a really good review of a bunch of VPNs last yr that was aimed at finding the best ones to keep anonymous.
here's the link https://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/
-
Does anyone know anything about BitVPS?
CLEARNET-LINK:
https://client.bitvps.com/
You can rent your own vps and pay with bitcoin. Would this be useful and is 'owning' a vps something completely different from that?
Their servers are all located within the U.S. apart from one in Amsterdam.
Cheers
-
I am 100% in agreement but there are some sites I NEED to access as a vendor that I use to conduct shipping business that DO NOT work on Tor... thus the need for a good SOLID VPN...
will check out mulvad.net
Thanks!!
TJ
I use strongvpn
www.strongvpn.com/
-
Here's you some reading, OP. I didn't read the whole thread here, so you may already have been told some of this. I'll just copy pasta a small part where dude briefly mentions vpn and anonymity.
This came from an article on the HackBB wiki called "Security Basics". All SilkRoaders should read the whole article. It's not all geek speak, it's easy to comprehend and he even lists some do's and don'ts for shipping.
http://clsvtzwzdgzkjda7.onion/wiki/index.php/Security_Basics
If I use Tor can I be traced by the feds?
So far, probably not unless you get very unlucky or misconfigure something. The feds are getting better at tracing people faster than Tor is getting better at avoiding a trace. Tor is for low latency (fast) anonymity, and low latency solutions will never have the ability to be as anonymous as high latency (very slow) solutions. As recently as 2008 we have documented proof that FBI working with various other international federal agencies via Interpol could not trace high priority targets using the Tor network. There is a large amount of information indicating that this is still the case. This will not be the case forever and better solutions than Tor are going to be required at some point in the future. This does not mean you should stop using Tor! It is quite possible that no VPN solution offers better anonymity than Tor, and the only low latency network which can be compared to Tor in terms of anonymity is I2P. Freenet is an anonymous datastore which possibly offers better anonymity than Tor or I2P. In the end it is very difficult to say what the best solution is or who it will hold up to, but most people from the academic anonymity circles say Tor, I2P or Freenet are the best three options. JAP is considered worse than the three previously suggested solutions, but better than most VPN services. You should at the very least use an encrypted two hop solution if you want a chance at remaining anonymous from the feds.
Traced is a very particular term. It means that the attacker either can observe your exit traffic and follow it back to your entry point or that the attacker can see your traffic enter a network and follow it to its exit point. Tor does a good job of protecting from this sort of attack, especially if you have not pissed off any signals intelligence agencies. Tor does not protect from membership revealment attacks! It is vital that you understand this attack and take measures to counter it if you are a vendor. To learn more about how to counter this attack keep reading this document, we discuss more in the applied security advice section on this page.
-
Never trust a VPN that doesn't take bitcoins.
VPN service is cheap. the absolute surefire way to have anonymous bitcoins is to mine them yourself. You can pay for a months worth of VPN with almost any computer in less than a day, or simply sign up for a free trial and do your business and throw away the account each time you work for small things. Many sites like mullvad require nothing to sign up, click the button and go, 3 hour free trial per new customer ID.