| Home | Community | Message Board |
|
You are not signed in. Sign In New Account | Forum Index Search Posts Trusted Vendors Highlights Galleries FAQ User List Chat Store Random Growery » |

This site includes paid links. Please support our sponsors.
|
| Shop: |
| |||||||
|
Dahg Rastubfari Registered: 03/23/19 Posts: 1,310 Loc: Memory |
| ||||||
|
-------------------- You wake up. The room is spinning very gently round your head. Or at least it would be if you could see it which you can't. It is pitch black. > TURN ON LIGHT
| |||||||
|
Registered: 12/04/15 Posts: 933 Last seen: 1 year, 2 months |
| ||||||
Quote: "Reputable", along with internal issues like data lifespan, are trust based claims made by VPN salesmen and are vectors. Quote: I understand you're speaking hypothetically, but there is no reason to assume "Tor is comprised"; long before that, in any hypothetical, your VPN would be (see links below). And if you're being personally targeted, I have a hard time imagining budget issues being on the list of governmental concerns. Chaining VPN providers also creates incredibly unique traffic and more points of failure. There are more Tor users at any given time than users of a particular VPN service. Quote: This is an example of a VPN being a vector, not an asset Quote: Or you can use Tor and not pay anything and have no ties to this entry point. Also it is non-trivial, actually quite complicated, to truly anonymously acquire a VPN. This step is chock full of vectors, and if not done properly you lose all the supposed advantages. Quote: True! Realistically, if you're threat model is personal targetting by govt agencies you're not going to hide for long. Fortunately, all we need to worry about as shroom growers, in terms of online traffic, is the dragnet IMO, not personal targeting. Ultimately, for our use case, I see no merits in a VPN given that bridges exist. In other words, the downside of Tor that's being presented is that your ISP "might report you". But I've never heard of this leading to an investigation or even increased snooping by LE. In fact, I've never even actually heard of this occurring at all. Comcast, one of the largest internet providers, actually actively encourages the use of Tor, for example. Until it is demonstrated to me that Tor usage alone may contribute to my demise, I don't see the purpose of a VPN personally (at least in the states), and this decision saves me a bit of money as well. A VPN is just a misdirection, an inconvenience. I would rely on inconveniences in my OpSec. I've been using Tor somewhat regularly for almost ten years now, I've never had black sedans parked outside my house or anything lol. No letters in the mail, nothing. That being the case, I struggle to see what a VPN offers me. If I had one of these fabled hostile ISPs, though, I would probably look toward a Tor bridge before a VPN. Quote: "A chain is only as strong as its weakest link" :-) This post is just my unqualified opinion of course, and I'm admittedly a bit of a Tor purist and think some backlash against the VPN industry is fair (note that Tor is a non-profit, open source project; it isn't motivated by profits). In all practicality, it's not as though Tor-over-VPN is gonna be what gets OP busted, but I wanted to point that just straight Tor is perfectly fine, and can in some sense be considered better. I do see the merits in a VPN for stuff like torrenting, where I'm very much just trying to sidestep my ISP, and not relying on it for security, privacy or anonymity. Essentially, I believe you should not rely on a VPN or proxy as any part in your plan for security, privacy or anonymity (VPNs were not designed for these applications), but do think they have utility in the same way proxies do. Tor over VPN versus Tor: https://gitlab.torproject.org/l https://2019.www.torproject.org https://outline.com/yXm2LJÂ ; https://security.stackexchange. and some anti-VPN propaganda ![]() https://gist.github.com/joepie9 https://www.bleepingcomputer.co https://www.zdnet.com/article/m https://thehackernews.com/2018/ https://www.deepdotweb.com/2018 Edited by junk_f00d (02/15/21 12:05 PM)
| |||||||
|
Fungus Kingdom Registered: 07/16/20 Posts: 1,028 |
| ||||||
|
In my opinion, users should think in layers and compartmentalization about security and privacy. You should not trust a single layer to protect you, and to have a single point of failure. In this particular case, all the trust goes to the tor software.
It's known that there is no software without bugs, or zero days exploits. Some of the bugs are not fixed for longer period of time or never found because they are never reported. Just look at the list of known issues for tor. As you've mentioned, gov would not use a zero day exploit on a non target. Don't get me wrong, I love and use tor software since it was created, but I always acknowledge that any software can fail you and you should be prepared for that. Most of the users get de-anonymized when using tor because they have not read the instruction manual on what not to do when using tor. Some of the common issues are: - using an older version of tor - skipping pgp signature check before they install tor - checking into online personal accounts like fb, twitter, email, etc - visiting web sites that perform code injection of malware on your computer - opening documents that call home - changing tor defaults without understanding ... There are VPNs and VPNs. Most of the stories you read in news about them are coming from either their competitors or govt propaganda. Those are the VPNs which most of the people use for their netflix or other blocking issues. There are also privacy VPNs. Look at trusted VPNs by community, that have audits and they are respected. Do you fully trust them, probably no, but they are not your average/consumer VPN provider. The privacy io community has detailed the criteria for choosing a VPN, what to look for. About Comcast, a google search: - they were caught injecting tracking headers - comcast spying on users Other ISP providers like Verizon are using super cookies. This super cookie is injected into your headers and you can be tracked cross websites. Why would anybody trust their ISP provider not to spy on them? They can make lot of money selling your internet habits. I choose to not trust them, consider them to a dumb pipe.
| |||||||
|
Registered: 12/04/15 Posts: 933 Last seen: 1 year, 2 months |
| ||||||
|
*It is worth noting that the issues you've posted don't compromise the integrity of Tor, for example "dark mode not working" is an irrelevant issue.
The fact that bad opsec is what leads to failure, not Tor, is my point. If Tor didn't work, they'd be busting people by their Tor usage, but this doesn't happen. Opsec is the most common failure point no matter what, and that's part of the reason more components can be dangerous as it's more points to screw up on. By increasing the amount of software used, you're increasing the points of failure. A VPN ultimately offers no concrete benefit in the way Tor does, but instead only creates thin layers of misdirection at best, and critical flaws at worst. To quote the stack exchange link I posted earlier: Quote: This theme of minimizing attack surface and resisting additional components is consistent throughout the field of computer security. I understand not wanting to trust a single layer to protect you, but adding layers that are more easily compromised isn't good practice and can, and does, lead to failure. If you have a solid core that's robust against your threat models, I don't see a reason to add potential vulnerabilities. Also, viewing Tor as a "single layer" is a bit misleading. Yes it's one software bundle/organization, but calling it a "single layer" produces inaccurate connotations IMO. It is a system that's made for exactly what we're trying to do, it's called "The Onion Router" because it relies on many layers, like an onion. So it is only a "single layer" in that these layers have been prepackaged for you, like an onion. A VPN is like a sticky note on the onion that says "not an onion". Quote: If you're going to make a claim this, I'm going to ask that you provide proof and be more specific. What "stories" are you talking about? Even if the stories I posted were fabricated, they are perfectly possible and that's enough to dissuade me. On the contrary, the VPN industry is propped up massively by VPN companies selling false promises of increased security and making impossible claims like "0 logs". The theme of this thread, ironically, is gov't owned VPNs, and it's not impossible that some VPNs may be in bed with the govt as an attempt to catch those naively relying on them for security. I don't want to look at "trusted VPNs" because I don't want to rely on trust at any point in my process. And I wasn't at all intending to imply Comcast is great, lol. Your links aren't relevant to ISPs promoting, dissuading or reporting Tor usage. My point was that ISPs aren't necessarily "reporting Tor usage" and that therefore Tor usage isn't leading to increased surveillance of the user. There simply isn't enough man power to do something like that, and I've never heard of Tor usage actually leading to increased surveillance, but I'd be interested in knowing if I've missed something like that. I would probably look into obfuscating my Tor traffic with bridges or methods if this has actually happened before. anyway, I don't trust my ISP either, that's why I use Tor. Not sure what your point is about bashing IPs, I was never saying I like them or anything. This is about the merits of VPNs from the perspective of mushroom growers. I think the utility of a VPN ends as a proxy, and would prefer a Tor bridge or some similar solution over a VPN, but that's just me. I do think it should be noted that a VPN should not be depended on for security, privacy or anonymity in the way Tor can be and is. And I wanted to post my thoughts for other readers so they don't make the mistake of depending on a VPN for the purposes beyond obfuscation, as happens frequently and quality discussion on this topic is good for any forum, even (especially) if we disagree. ![]() For any readers in the future, computerphile has some interesting videos on Tor that provide a high level overview of how it works: Edited by junk_f00d (02/15/21 02:04 PM)
| |||||||
|
Fungus Kingdom Registered: 07/16/20 Posts: 1,028 |
| ||||||
|
Using tor-over-vpn doesn't increase the attack surface. First the attacker needs to de-anonymize tor traffic, find your entry point, learn that you are using a specific VPN, and later launch an attack(or subpoena) on the VPN provider. Attacker cannot attack a VPN provider before knowing the tor entry point. Without any VPN in the middle, attacker goes straight to your ISP.
As a side note, connecting to VPN provider using OpenVPN on an router running open source and routing all traffic though it, with a kill switch, provides an extra security layer that protects user against some of the mistakes. Installing VPN client software on your workstation increases the attack surface. While the tor onion model uses encryption to hide the traffic between nodes and obscures the identity of nodes, an attacker using traffic confirmation can identify a user without breaking tor's encryption. Sometimes, the attacker only needs to prove that it was you when an website/server was accessed. Using a VPN makes traffic confirmation more resource intensive because it acts like a mixer. More to read on traffic correlation on https://blog.torproject.org/tra There are a lot of articles discussing tor anonymity: https://securityaffairs.co/word https://restoreprivacy.com/tor/ https://blog.torproject.org/tho but they shouldn't discourage people from using tor. More people using tor, the better. For shroomers interested in anonymity and privacy this is a good podcast created by a former FBI investigator https://www.inteltechniques.com Tor is the best tool for anonymity on the internet when used properly. It's not perfect, but way better than other alternatives.
| |||||||
|
Registered: 12/04/15 Posts: 933 Last seen: 1 year, 2 months |
| ||||||
Quote: By definition, it does; the (attackable) surface area of your system has grown. Importantly, in the US at least, ISPs are granted common carrier rights, VPNs are not. Another example: Quote: and Quote: those are examples of attack surface increasing and opsec errors becoming more probable (both taken from the stack exchange link). Quote: This is an odd hypothetical. Number one, if they've de-anonymize Tor they'd see your entry point as the VPN immediately. Number two, no one has been incriminated in this manner, and if the nation state has committed to such an attack, subpoenaing your VPN(s) will be a non-issue. Lastly, your ISP can see the IP of your VPN server as well. As said above, ISPs have greater legal right than VPNs, but we shouldn't be relying on such fragile things at any rate. I dont see what utility the VPN is providing in this case, anyway. Quote: This is silly IMO. Tor says right on their website they can't do anything about traffic confirmation nor do they try to.Yes, there are attacks able to be executed on Tor, but this has never lead to anyone's arrest. These attacks are largely academic and struggle with the issues of scale that occur "in the field" (especially traffic confirmation, where both exit and entry nodes are monitored - that's extremely unrealistic, hence the silliness) outside of lab settings and Onion Routing was specifically designed to be robust against traffic correlation attacks. I don't know what you mean about a VPN making traffic confirmation more difficult. If traffic confirmation is occuring Tor is not a reasonable tool to use. The fact that Tor works implies traffic confirmation isnât occurring. This is also supported by it being unprecedented in court (to my knowledge) The question is "how does a VPN help in this scenario"? We're both depending on Tor critically, but you believe a VPN adds value to your stack, while I donât. I still struggle to see the value proposal here and am concerned about the problems it brings to my current usage of Tor alone. Edited by junk_f00d (02/16/21 09:26 AM)
| |||||||
|
Fungus Kingdom Registered: 07/16/20 Posts: 1,028 |
| ||||||
|
As you've mentioned, using more software increases the total attack surface area, I don't disagree with that. A system composed from multiple layers(compartments) has multiple attack surfaces. However, this is an oversimplification, since VPN and TOR are on different compartments, they belong to different attack surfaces. Adding VPN, doesn't increase the attack surface of the first compartment composed by TOR, in my opinion.
It's probably easier to see this separation of compartments when running a system like Whonix(https://www.whonix.org/). Whonix wiki describes how to use a VPN with TOR(https://www.whonix.org/wiki/Tun Whonix are also describing the risks of using a VPN before TOR, so they agree with you See "VPN Tunnel Risks" section(https://www.whonix.org/wiki/TunThis is a very hot debate on benefits of using tunnel before or after TOR and the community is split. We aren't going to find a solution for this issue, but it's a good discussion for members that want to learn more. An example of increasing TOR attack surface is installing Firefox add-ons, which they run on your local machine, and increase your fingerprint. Quote: Yes, all your traffic goes thorough VPN, but this is no different than going through ISP. I choose to trust VPN over ISP. However, you can choose for your DNS requests to use VPN's DNS servers(recommended because they appear to be on the same location as your exit point, prevent dns kleaks) or to use the ones you like(hopefully not the ISP ones). Quote: See this case for de-anonymizing tor users: https://www.techtimes.com/artic Subpoenaing your VPN can be a big issue for them, if for example your VPN provider is in Russia/Switzerland/Panama/German Quote: The academic tests were done a long time ago, in 2006, I think. That was 14 years ago, so a lot of things have changed. Following Snowden's revelations, we know now for sure that govt has such surveillance capabilities. I doubt they are ever going to use them on a regular shroomer. Because you don't see them in a court case, it doesn't mean they don't exist. Now back to the VPN usefulness, one of the things you keep hearing is that VPN are just some dumb proxies but that is not true anymore. For example they encrypt the traffic with strong encryption, protect against DNS leaks, protect against IP6 leaks, protects WIFI connection, connection obfuscation, malware protection, trusted servers that run in memory. I don't want to sound like vpn propaganda, but they do add value for regular users without security/privacy knowledge. Some of them provide advanced multi-hop services https://restoreprivacy.com/vpn/ Using VPN in tor-over-vpn configuration is something that everybody needs to decide for themselves. I do believe that is a good option for me .
| |||||||
|
Registered: 12/04/15 Posts: 933 Last seen: 1 year, 2 months |
| ||||||
Quote: right, but I still believe in minimizing vectors and attack surface. IMO the VPN just doesn't do anything useful yet provides increased opportunity for failure, like the examples quoted earlier. Quote: I just want to point out this arguement isn't about whether Tor is comprimised, but whether a VPN is useful with Tor. This is an Opsec issue, and Opsec is the hardest part IMO. That's another reason I opt out of VPNs as it's more potential for my stupid human brain to screw up on. Quote: I don't see the issue here. I'm not "trusting" my ISP by using Tor without a VPN. Both of them know you'll be using Tor, and both of them may be compliant with authorities. As you say, it's no different, so I don't bother, and I trust neither. Quote: I was aware of this, but we don't actually know what happened here. It may not be that Tor is compromised in general, but that these individuals were personally targeted and perhaps subject to something like targetted traffic confirmation, for example. The fact they let them go free just to not disclose has kept my faith in Tor, since they certainly wouldn't waste such a disclosure on me. But again this isn't about the issues of Tor, it's about the merits of a VPN. Quote: At any rate, in both of these cases where the ISP or VPN provider is subpoenaed (assuming proper OpSec took place) all that would happen is they'd see Tor traffic. It's not adding anything to what Tor is already doing, so I don't bother. I don't have to be worried about my ISP revealing anything, because I ensure to never trust them. The same should go for proper VPN use, thus it should never be relied on as a security asset. Ergo, it is excluded from my security stack. Quote: VPNs are extremely similar to proxies in terms of design and function. Essentially a proxied ISP. So I don't think the dumb proxy argument is without merit, they've just begun tightening up on bug fixes and paying more for advertising. And many providers fail to do these basic things you've mentioned. We have no way of truly knowing, so it's another trust point (aka failure point). And on top of that, bugs happen, leaks happen, lazy sysadminning happens. You're _trusting_ that they do these, and that they do them properly. These VPN companies aren't as robust, large or time tested like Tor, which naturally protects against what you've mentioned. Unlike a VPN company, you can look at the code yourself, the whole world can. Quote: IMHO, this is just VPN marketing/hype to sell more VPNs. It's simply chaining VPNs, but instead like a series of proxies with a (hopefully) shared pool of IPs at each proxy location. Onion Routing is far more than that. All the criticisms applied to VPNs so far simply apply to this as well. The robustness of this option depends on implementation details, which we will never know, so it, again, comes down to trust. Is the purpose of all this to achieve anonymity, or to obscure the fact you're using Tor? I would never place trust in something like this, as it's way too dependent on implementation details that aren't publicity viewable. It also introduces OpSec vectors, like using the same registration details or IP at various providers and it requires perfect OpSec when paying for the last VPN in the chain else the anonymity is broken if subpoenaed as you'll be ID'd. And as a way to obscure my Tor entry point, well.. you know where I stand on that, I'd just use a bridge. Quote: I want to note here that Snowden did not reveal Tor vulnerabilities, but he did reveal what was already publicly available information concerning the PRISM act, or the dragnet style surveillance across many devices and comms infrastructure internationally. Snowden is a big Tor advocate. From what I've gathered, you use a VPN because you're worried about Tor being untrustworthy or exploitable, but a VPN is far less trustworthy in every aspect (socially, architecturally, financially, etc). In this scenario, it's fundamentally no different than the service my ISP provides. Both should not be trusted, and to see value in a VPN requires trust. In my unqualified opinion, the benefits of a VPN are nebulous at best. The only supposed benefit seems to be that they _may_ be less co-operative than my ISP, but I don't trust my ISP anyway, so I don't care if they're co-operative or not. Even if true, that's speculative, and they may be malicious instead. Anyway, I think I've said what I wanted to say. I don't mind continuing the conversation, but also don't mind agreeing to disagree. In essence, I prefer to minimize vulnerabilities, thus I prefer to place no trust in my ISP/VPN, so I don't see the utility a VPN offers me. Additionally, using a VPN combined with Tor puts more stress on the OpSec requirements, which is the most common failure point, so to me it's clear this should be avoided. If I desire obfuscation because I'm worried about my ISP seeing my Tor traffic, which I'm not, I'd use a Tor bridge instead of a VPN. But, clearly we're both fine, and I use plain https 99% of the time anyway But I do make sure to keep very clean distinctions between what takes place on Tor, and what takes place on https.
Edited by junk_f00d (02/16/21 09:47 PM)
| |||||||
|
đľđđđ Registered: 10/04/21 Posts: 3,380 Last seen: 1 day, 5 hours |
| ||||||
| |||||||
|
Anonymous #2 |
| ||||||
|
I do VPN then Tor, so Tor Guard node, first hop, the Tor network only see's the VPNs IP instead of my home IP.
This way, even if my Tor Guard is maliscous or my Entire Tor circuit is compromised, the digital trail leads to a VPN server bring used on a shared IP, by dozens of people at the same time. To OP, yes govs can run vpns and tor nodes. Assume both. You can setup your own vpn on a datacenter.
| |||||||
|
derails threads Registered: 10/15/20 Posts: 666 Loc: not that important Last seen: 1 year, 10 months |
| ||||||
Quote: ALL VPNs are assumed to be data miners, government entities, money laundering operations or a combination of any (hey, how to clean up dirty crypto easy? Alpraking knew that already in 2016). So mostly useless, except maybe if one is into pirating content. It's VPN over Tor, in case of some website blocking exit nodes. It's likely sites blocking exit nodes block VPNs too. So VPNs seem just to be a racket to siphon off of people by various means. Anyone semi-clever just uses a SSH tunnel over Tor into a VPS, of course bought over Tor with fungible crypto, in that case, though their IP ranges might be blocked too. Or just get into the next libraries WiFi. Edited by BSUUF2 (02/13/22 09:37 PM)
| |||||||
|
Gentleman Farmer Registered: 06/04/21 Posts: 266 Loc: Outside of the A |
| ||||||
|
I'm pretty sure we can say with 100% certainty that the US Government runs Tor nodes, as they are the ones who wrote and released Tor to begin with.
| |||||||
|
derails threads Registered: 10/15/20 Posts: 666 Loc: not that important Last seen: 1 year, 10 months |
| ||||||
Quote: If you're that important, to have the NSA run correlation attacks, etc. (most markets these days just exit scam, only Eckmar dumbfucks tend to get busted, I wouldn't be surprised if some of these markets are three-letter-agency operations to get some black budget...), I'd roam around in an RV and switch burner phone/SIM every week or so... And Tor isn't meant to protect against a global adversary, like the NSA. That was about 10 years ago: https://www.eff.org/files/2014/ Tor bridges make you stick out, VPNs make you stick out, just use Whonix one some FDE Linux host... I use Qubes/Whonix mostly out of convenience running multiple Whonix DispVMs for different topics, since Firefox sandboxing is basically non-existent and I don't want these data miners invading my privacy. Edited by BSUUF2 (02/16/22 06:23 PM)
| |||||||
| |||||||
| Shop: |
|
| Similar Threads | Poster | Views | Replies | Last post | ||
![]() |
website to show government tracking? | 1,509 | 7 | 10/09/04 04:02 PM by shobimono | ||
![]() |
Use VPN but sometimes ... | 845 | 9 | 09/26/11 06:05 AM by Seuss | ||
![]() |
Using DD-WRT as a VPN | 654 | 3 | 02/01/21 07:27 AM by Echo7 | ||
![]() |
A suitable VPN approach | 347 | 0 | 01/20/13 05:16 PM by gENERIX | ||
![]() |
Recommend a VPN for true privacy | 729 | 10 | 06/26/13 07:59 PM by deadwk | ||
![]() |
How to signup to a VPN service using completely anonyminity | 529 | 3 | 12/16/12 03:19 PM by Anonymous | ||
![]() |
tax deductions without owning a buisness? | 710 | 7 | 01/05/05 08:24 PM by kadakuda | ||
![]() |
Amanita Muscaria legal to own in America? | 1,740 | 8 | 08/25/04 10:29 PM by waffa |
| Extra information | ||
| You cannot start new topics / You cannot reply to topics HTML is disabled / BBCode is enabled Moderator: Enlil, Alan Rockefeller 2,850 topic views. 0 members, 1 guests and 2 web crawlers are browsing this forum. [ Show Images Only | Sort by Score | Print Topic ] | ||




See "VPN Tunnel Risks" section(